Ukraine at D+118: Phishing for intelligence.
N2K, Jun 22, 2022

As Russia's brutal reduction of Ukrainian cities continues, cyber operations resurface in the form of phishing expeditions against Ukrainian targets.


This morning's situation report from the UK's Ministry of Defence (MoD) offers a grim picture of Russia's war of attrition in Donetsk and Luhansk. "Heavy shelling continues as Russia pushes to envelop the Sieverodonetsk area via Izium in the north and Popasna in the south." Casualties appear to have grown so heavy that Russia is pushing reserve units into active service in the Donbas. "Russia is highly likely preparing to attempt to deploy a large number of reserve units to the Donbas. The Russian authorities have not released the overall number of military casualties in Ukraine since 25 March." And its nominal allies seem to have suffered the highest casualty rates of all. "However, the self-declared Donetsk People’s Republic (DPR) publishes casualty figures for DPR forces. As of 16 June, the DPR acknowledged 2128 military personnel killed in action, and 8897 wounded, since the start of 2022. The DPR casualty rate is equivalent to around 55 per cent of its original force, which highlights the extraordinary attrition Russian and pro-Russian forces are suffering in the Donbas. It is highly likely that DPR forces are equipped with outdated weapons and equipment. On both sides, the ability to generate and deploy reserve units to the front is likely becoming increasingly critical to the outcome of the war."

Fancy Bear sighted in Ukrainian in-boxes.

CERT-UA warned that APT28, the GRU operators familiarly known as Fancy Bear, have opened a renewed campaign of exploitation against systems still vulnerable to Follina, the Microsoft Support Diagnostic Tool (MSDT) vulnerability tracked as CVE-2022-30190. Fancy Bear is running two distinct campaigns, Ukraine's SSSCIP warns, both of which use phishing as their mode of access. The phishbait appeals to two very different sets of fears. The first campaign, which Malwarebytes has also described, counts on an email recipient's fear of nuclear war (topical, given the ongoing Russian nuclear saber-rattling described by the Telegram). The malicious document, "Nuclear Terrorism A Very Real Threat," carries CredoMap malware as its payload, CERT-UA says. The other campaign uses a more proximate if less existential dread to induce the recipient to click: fear of the taxman. Anyone in wartime might be forgiven an understandable lapse of memory where paying taxes is concerned. The phishbait sample CERT-UA shares is sternly entitled "Imposition of penalties," and the malicious document carries a CobaltStrike beacon as its payload. The email's subject is "Notice of non-payment of tax." The goal of both campaigns appears to be espionage, although it's worth noting that CERT-UA sees the tax-themed campaign as directed against critical infrastructure.
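Both campaigns depend on a Word document that, when opened, reaches out for an external resource that can hand an ms-msdt: URI to MSDT, which is the Follina (CVE-2022-30190) delivery pattern. The following static triage script is an added example written for this page; it is not CERT-UA's, SSSCIP's or Malwarebytes's tooling, and the two documents it builds are constructed in memory with a placeholder host (example.invalid), not samples from the campaigns. It unpacks the OOXML container, flags any relationship part that points an oleObject or attachedTemplate at an external target, and flags any part that contains the ms-msdt: scheme outright.

```python
"""Static triage of .docx files for the Follina (CVE-2022-30190) delivery
pattern: a relationship that makes Word fetch an external resource on open.

Added example for illustration; not CERT-UA or Malwarebytes tooling.
The documents built below are constructed samples with placeholder URLs.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Relationship types that cause Word to fetch content when the file opens.
# oleObject is the type seen in Follina lures; attachedTemplate is the classic
# remote-template vector and is flagged for the same reason (assumption: both
# are treated as suspicious whenever TargetMode="External").
RISKY_TYPES = ("/relationships/oleObject", "/relationships/attachedTemplate")
MSDT_RE = re.compile(rb"ms-msdt:", re.IGNORECASE)


def scan_docx(data: bytes) -> list[str]:
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            blob = z.read(name)
            # The scheme embedded anywhere in the package is already a finding.
            if MSDT_RE.search(blob):
                findings.append(f"{name}: contains ms-msdt: URI")
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(blob)
            except ET.ParseError:
                findings.append(f"{name}: unparseable relationships part")
                continue
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                rtype = rel.get("Type", "")
                target = rel.get("Target", "")
                external = rel.get("TargetMode", "").lower() == "external"
                if external and rtype.endswith(RISKY_TYPES):
                    short = rtype.rsplit("/", 1)[-1]
                    findings.append(f"{name}: external {short} -> {target}")
    return findings


def build_docx(rels_xml: str) -> bytes:
    """Minimal OOXML container (constructed sample, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


OOXML_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"

# Constructed benign relationships part: only an internal styles reference.
BENIGN_RELS = f"""<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{OOXML_REL}/styles" Target="styles.xml"/>
</Relationships>"""

# Constructed suspect relationships part: an external oleObject fetched on open.
# The host is a placeholder, not an indicator from the campaigns above.
SUSPECT_RELS = f"""<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{OOXML_REL}/styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="{OOXML_REL}/oleObject"
                Target="http://example.invalid/lure.html" TargetMode="External"/>
</Relationships>"""


if __name__ == "__main__":
    for label, rels in (("benign", BENIGN_RELS), ("suspect", SUSPECT_RELS)):
        print(label, scan_docx(build_docx(rels)) or "clean")
```

A hit from this script is a reason to detonate the file in a sandbox or block it at the mail gateway, not proof of compromise on its own; legitimate documents occasionally carry external templates. It complements, rather than replaces, Microsoft's published mitigation of disabling the ms-msdt URL protocol handler on endpoints that have not yet been patched.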

Speculation about cyberattacks surrounds incidents at natural gas facilities.

It's to be expected in wartime that explosions at natural gas facilities should draw speculation that they were due to cyberattack. Two such incidents, one in Russia, the other in the US, are attracting such speculation, and both incidents highlight the difficulty in distinguishing accidents from physical sabotage or damaging cyberattack. It's also noteworthy that both incidents involve apparent problems with pressure sensors.

In Russia, an incident at the Urengoy Gas Pipeline is being attributed, as reported by Inside Cyber Warfare, to a cyberattack by Ukraine's GUR intelligence service. In this case, corruption is said to have played a part in leaving the system vulnerable to attack. "A key section of the data communications network of the gas pipeline that would transmit an alarm when the pipeline was operating outside of acceptable conditions was never connected by the contractor hired by Gazprom to install the system according to documents obtained by GUR hackers, and confirmed to Inside Cyber Warfare by one of the cyber operators involved in causing the explosion and fire at the Urengoy gas field last week."

In the US state of Texas, Freeport LNG's Quintana Island plant experienced an explosion and fire on June 8th, and this incident also apparently involved an overpressurization condition, according to Control Global. The Washington Examiner reports that the GRU's Xenotime threat group (responsible for 2017's Triton/Trisis incident at a Saudi petrochemical plant; see Dragos's study for an analysis of that incident) had conducted reconnaissance of Freeport and other targets in February, around the time of Russia's invasion of Ukraine.

That there were incidents at both plants is clear, and that both sides in Russia's war against Ukraine had a motive to attack the plants is also clear. (Ukraine would gain from damage to Urengoy, and Russia would gain from taking an LNG competitor off the market at a time when its own gas exports would have provided it with important leverage against Western economic sanctions.) It's not clear that the incidents were in fact attacks, and not accidents. They're suspicious, but motive, means, and opportunity amount only to correlation, and correlation isn't equivalent to causation.

Why Russian cyberattacks against Ukraine have fallen short of expectations.

An op-ed in the Washington Post summarizes what's becoming consensus opinion about Russia's failure to deliver the devastating cyberattacks that were generally expected during the run-up to war: Ukrainian resilience, with appropriate and well-applied assistance from the private sector, was able to fend the Russian operators off. "The close partnerships that have emerged between U.S. technology companies and Western cybersecurity agencies is one of the unheralded stories of the war. The public-private rift in the tech world that followed Edward Snowden’s revelations in 2013 appears largely to be over — because of the backlash against Russia’s attacks on the 2016 and 2020 U.S. presidential elections and, now, its unprovoked invasion of Ukraine."

War crimes investigations.

US Attorney General Merrick Garland was in Kyiv yesterday. The unheralded trip was for the purpose of meeting with Ukraine’s senior prosecutor, and for Attorney General Garland's announcement that the US was standing up what Garland called a “war crimes accountability team.” The Attorney General promised that the US would, the Washington Post reports, “pursue every avenue of accountability for those who commit war crimes and other atrocities in Ukraine.”

Deliberate, face-to-face mass murder has been reported in Ukrainian towns temporarily occupied by Russia (like Bucha), and such shootings will surely figure in war crimes investigations. So should the indiscriminate targeting of civilian populations by Russian artillery (acting in what Foreign Policy characterizes as a long tradition of brutality). The effects of the Russian way of war are vividly on display in the occupied southern city of Mariupol and the still-contested city of Mykolaiv.