Ukraine at D+553: Drone war, hacktivism, and Infamous Chisel malware.
N2K, Aug 31, 2023

Russia and Ukraine continue their drone war as Ukraine pushes into Russian lines in Zaporizhzhia. The Five Eyes confirm Ukrainian reports of GRU cyberespionage. Russian hacktivist auxiliaries turn to Czech targets (and to X).

Ukrainian forces appear to have achieved local penetration of the main Russian defensive lines, the Telegraph reports. "Troops from the 82nd Air Assault Brigade were geolocated on the western outskirts of the Russian-held village of Verbove in the Zaporizhzhia region. This would mean that they had pushed through the 'Surovikin line', a nexus of mines, barriers and trenches put in place by the former commander of Russia’s invasion to thwart Ukraine’s counter-offensive." Video of the operation comes from Russian mil-bloggers, not from Ukrainian official sources. The Telegraph notes that the 82nd Air Assault Brigade was "armed and trained by Britain."

The Institute for the Study of War reads the advance as at most a reconnaissance-in-force, a setback for Russian forces, but not yet a breakthrough. "Geolocated footage published on August 30 shows Ukrainian infantry on the northwestern outskirts of Verbove, indicating that Russian control over the outskirts of the settlement is degraded. The footage, however, does not indicate that Ukrainian forces established control over the area at this time."

The drone war.

Ukrainian drones have been used with increasing frequency against targets within Russia proper, the UK's Ministry of Defence wrote in today's situation report. "Overnight on the 29/30 August 2023, Russia experienced up to five separate strikes by one-way attack uncrewed aerial vehicles (OWA-UAV)--the largest attack on Russia since the start of the conflict. Explosions were recorded in Moscow, Bryansk, and Ryazan, as well as at Pskov airbase close to the Estonian border. The attack on Pskov likely damaged several Russian military transport aircraft. During August 2023 Russia experienced 25 separate drone attacks, almost certainly carried out by OWA-UAVs."

Russian air defences have found the strikes challenging. "Many of these UAVs have reached their targets, which likely means that Russian air defence is having difficulty detecting and destroying them. Russia is likely rethinking its air defence posture in the area between Ukraine and Moscow to better deal with these attacks." Increased dispersal is probably of only limited usefulness, and Russia will probably have to deploy more air defense systems in this area of operations. "Previous strikes against Russian military airbases have led to the dispersal of Russian aircraft to locations across Russia. However, the recent strikes against Soltsy and Pskov have demonstrated that the UAVs have significant reach, making further dispersal more challenging. It is likely that Russia will have to consider the addition of further air defence systems to airfields that it considers to be at risk from UAV attacks."

Russian state television is very exercised over the Ukrainian drone strikes. Vladimir Solovyov, for example, calls for local authorities to stop discussing the drone strikes ("Stop pretending to be bloggers!"), demands that everyone recognize that Russia is fully at war against NATO, urges the immediate expulsion of Western diplomats, and calls for massive retaliatory strikes (including specifically nuclear strikes) against Ukraine and the countries that sympathize with it. No more hand-wringing, take the gloves off, our patience is exhausted, etc.

The drones Ukraine has used against Russian military airfields with some success include systems supplied by Australia. Made largely of cardboard, they cost about $3,500 each, according to the Telegraph, which means that even having one shot down by an air defense missile counts as a win, since the missiles are orders of magnitude more expensive. They're small, but they carry enough of a payload to be effective against soft targets like combat aircraft.

The airfield at Pskov is about 500 miles from the Ukrainian border, and the AP notes the possibility that the strike may have been launched from inside Russia. It couldn't confirm the drones' point of departure. Russian sources claim that two Ukrainian "saboteurs" were killed near Bryansk, which suggests that Ukrainian diversionary units may be operating well within Russian territory.

Investigation of the Wagner Group crash.

Russia's official, Potemkin investigation of the August 23rd crash that killed Yevgeny Prigozhin continues, the Telegraph reports. "It is obvious that different versions are being considered, including the version--you know what we are talking about--let's say, a deliberate atrocity," Kremlin spokesman Dmitry Peskov said, counseling patience. "Let's wait for the results of our Russian investigation." The "deliberate atrocity" in Mr. Peskov's formulation is sabotage by the Anglo-Saxons, but most other observers think the bombing was arranged by the Russian government to eliminate a mercenary captain who'd grown too dangerous.

Mr. Prigozhin, who addressed concerns about his own health and safety in a video he posted days before his death, was a man with many enemies who had for years, as the Wall Street Journal describes, taken elaborate and expensive steps to ensure his personal safety. His funeral fell far short of what would be expected for a Hero of Russia; his obsequies were buried below the fold, down in the clutter of daily news.

Seeking sources of supply.

Unlike in the Second World War, the "Great Patriotic War," Russian forces are not being equipped with US weapons carried to Murmansk by British convoys, so they've got to get their matériel from somewhere. Increasingly, they're looking to North Korea, which ought to be an embarrassment to Russian industry. The US, UK, South Korea and Japan protested the ongoing arms-supply negotiations in a joint statement at the United Nations on the grounds that, as the Guardian explains, "any such deal would violate security council resolutions forbidding arms deals with North Korea, resolutions that Moscow itself had endorsed." The joint statement said, in part, "Russia is negotiating potential deals for significant quantities and multiple types of munitions from the DPRK to be used against Ukraine. These potential deals could also include the provision of raw materials that would assist Russia's defence industrial base. Any such arms deals would be a serious violation of resolutions the security council adopted unanimously after the DPRK's past nuclear tests and ballistic missile launches."

Five Eyes call out GRU cyberespionage campaign.

Early this morning the Five Eyes--the intelligence services of Australia, Canada, New Zealand, the United Kingdom, and the United States--issued a joint advisory providing further details on the malware, "Infamous Chisel," used in a GRU cyberespionage campaign first described early this month by Ukraine's SBU.

Infamous Chisel targets Android devices on behalf of Sandworm, the threat group associated with the GRU's Main Centre for Special Technologies (GTsST). The US Cybersecurity and Infrastructure Security Agency (CISA) explains: "It performs periodic scanning of files and network information for exfiltration," including system and application configuration files. It "provides network backdoor access via a Tor (The Onion Router) hidden service and Secure Shell (SSH)," as well as other capabilities that include "network monitoring, traffic collection, SSH access, network scanning, and SCP file transfer." Infamous Chisel isn't sophisticated or well-crafted malware. The Five Eyes assess the malware's components as representing "low to medium sophistication." They "appear to have been developed with little regard to defense evasion or concealment of malicious activity." Its targets seem to have been mainly Ukrainian military devices.

The UK's National Cyber Security Centre (NCSC) framed the report as an instance of support for Ukraine. Paul Chichester, NCSC Director of Operations, said, “The exposure of this malicious campaign against Ukrainian military targets illustrates how Russia’s illegal war in Ukraine continues to play out in cyberspace. Our new report shares expert analysis of how this new malware operates and is the latest example of our work with allies in support of Ukraine’s staunch defence. The UK is committed to calling out Russian cyber aggression and we will continue to do so.”

Russian hacktivist auxiliaries hit Czech banks and the platform formerly known as Twitter.

NoName057(16), the Russian hacktivist auxiliary, moved from operations against Poland to hit a similar target set in the Czech Republic. The Brno Daily today reported distributed denial-of-service (DDoS) attacks against Komerční banka, ČSOB, Air Bank, Fio banka, Česká spořitelna, and the Prague stock exchange. Expats.cz adds Raiffeisen and Moneta Money Bank to the organizations targeted. These were nuisance-level attacks, representing no threat to the organizations' or their customers' data. NoName057(16) says the attacks are intended to punish the victims' support for Ukraine, and to induce them to reconsider such support. Full service was restored at most sites within hours of the attack.

Anonymous Sudan, which is neither Sudanese nor Anonymous, but rather a hacktivist auxiliary answering to Russian intelligence services, yesterday disrupted the social media platform X in "about a dozen countries," the BBC reports. The nominal goal of the action was to get Mr. Elon Musk to open up Starlink service to Sudan. The hacktivists, stung by widespread suspicion that they're really a bunch of Russians, offered the BBC such evidence as images of passports to attest to their bona fides as for-real Sudanese. Judge for yourselves.