Ukraine at D+349: Renewed cyberespionage and local attacks.
Feb 8, 2023

Two cyberespionage campaigns are in progress against Ukrainian targets as Russia seeks to make at least local gains before the next influx of Western arms into Ukraine's forces.

Fighting remains intense in the vicinity of Bakhmut, with heavy casualties reported, according to Al Jazeera. Russian casualties appear to have been particularly heavy among the Wagner Group's mercenary formations, with their heavy consignment of poorly trained convicts. The Telegraph says that Ukrainian authorities are calling the Wagner Group troops "single-use soldiers" because of their employment in costly human-wave attacks. The Wall Street Journal observes that heavy local Russian attacks in the eastern Ukrainian provinces seem calculated to catch Ukrainian forces before they receive the large consignments of weapons promised by various NATO countries. Military.com reports that there's been a corresponding increase in Russian strikes against civilian targets, including hospitals and residential areas.

Not crossing the Dnipro.

Whatever form an eventual Russian winter offensive might take, it's unlikely to include an assault crossing of the Dnipro River. The UK's Ministry of Defence believes the cost and difficulty of such an operation render it unlikely. "Since Russia withdrew its forces from the west bank of the Dnipro in November 2022, skirmishing and reconnaissance has continued on the complex network of islands and waterways which make up the Dnipro delta. Russian forces have almost certainly used small boats to try to maintain a presence on key islands; Ukraine has successfully deployed long-range artillery to neutralise Russian outposts a number of times. Both sides have likely also deployed small groups on the Kinburn Spit, which commands the Dnipro Gulf. Both sides are likely aiming to maintain a presence in these areas to control maritime access to the strategically important river and to provide warning of any attempt by their adversaries to launch a major assault across the river. It is highly unlikely that Russia will attempt an assault crossing of the Dnipro: it would likely be extremely complex and costly."

New infostealer deployed against Ukraine.

Researchers at Symantec (a Broadcom company) have discovered a new Russian infostealer deployed against targets in Ukraine. "The Nodaria espionage group (aka UAC-0056) is using a new piece of information stealing malware against targets in Ukraine," their report says. "The malware (Infostealer.Graphiron) is written in Go and is designed to harvest a wide range of information from the infected computer, including system information, credentials, screenshots, and files." In addition to being called UAC-0056, Nodaria has also been known as SaintBear, UNC2589, and TA471.

Symantec doesn't link Nodaria with any specific Russian intelligence or security service, but they do say it's been active at least since March of 2021. Nodaria has specialized in collecting against Ukrainian organizations, with possibly some work against Georgia and Kyrgyzstan, so call it an organization that's been active against the former Soviet republics of the Near Abroad. Its most prominent action has, so far, been the WhisperGate wiper attacks that hit Ukraine in January 2022. Nodaria's typical attack technique begins with spearphishing emails that deliver a range of malicious payloads to the targets.

Wherever Nodaria fits into the Russian services' organization charts, Symantec thinks the group's range and level of activity probably makes it "one of the key players in Russia’s ongoing cyber campaigns against Ukraine."

CERT-UA warns of Remcos used in Russian cyberespionage campaign.

CERT-UA has issued a warning that Russian cyberespionage operators are using the legitimate remote management tool Remcos to establish a remote surveillance presence in its targets' systems. It's a phishing expedition that casts a broad net, with "mass distribution of e-mails, supposedly from JSC 'Ukrtelecom', with the subject 'Court claim against your personal account # 7192206443063763 dated: 06.02.2023' and an attachment in the form of RAR archive 'court letter, information on debt.rar'." CERT-UA attributes the activity to a threat actor it tracks as UAC-0050.