Ukraine at D+42: Cyclops blinked.
Apr 7, 2022

Russia seeks to reconstitute maneuver forces after defeat and retreat in northern Ukraine, but the war's savagery continues unabated with air strikes and artillery used against civilians. The US says it preempted a major GRU cyber operation by taking down the Cyclops Blink botnet's command-and-control. The UN General Assembly will vote today on Russia's continued membership in the Human Rights Council.

The British Ministry of Defence, whose most recent situation map depicts Russian withdrawal from territory it had taken in the north of Ukraine, reports continued Russian airstrikes and artillery fire against cities in the eastern and southern regions. "Progressing offensive operations in eastern Ukraine is the main focus of Russian military forces," the MoD's situation report awkwardly put it this morning. That doesn't mean, as various trolls in the MoD's Twitter comment thread have been barking, that the Russian army is making progress, but rather that its pivot toward the Donbas continues. "Russian artillery and air strikes continue along the Donbas line of control." Note that artillery and air don't involve forces in contact; these attacks are delivered from a distance. The strikes are intended as persuasion through terror, and not as direct support of infantry or armored operations. "Russian strikes against infrastructure targets within the Ukrainian interior are likely intended to degrade the ability of the Ukrainian military to resupply and increase pressure on the Ukrainian government. Despite refocussing forces and logistics capabilities to support operations in the Donbas, Russian forces are likely to continue facing morale issues and shortages of supplies and personnel."

The US Department of Defense concurs. The Washington Post reports that the Pentagon's assessment is that Russian forces have completely left the environs of Kyiv and Chernihiv.

US says it neutralized a major GRU botnet.

The US Department of Justice announced late yesterday that the command-and-control functionality of Cyclops Blink, a major GRU-run botnet afflicting WatchGuard firewalls and ASUS routers, had been taken down. The Department described the court-ordered act of lawfare as follows:

"The Justice Department today announced a court-authorized operation, conducted in March 2022, to disrupt a two-tiered global botnet of thousands of infected network hardware devices under the control of a threat actor known to security researchers as Sandworm, which the U.S. government has previously attributed to the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (the GRU). The operation copied and removed malware from vulnerable internet-connected firewall devices that Sandworm used for command and control (C2) of the underlying botnet. Although the operation did not involve access to the Sandworm malware on the thousands of underlying victim devices worldwide, referred to as “bots,” the disabling of the C2 mechanism severed those bots from the Sandworm C2 devices’ control."

Cyclops Blink had been publicly in British-American crosshairs since February 23rd, when the NCSC, CISA, the FBI, and NSA issued a joint advisory describing the malicious campaign. WatchGuard published remediations that same day, and ASUS followed suit shortly thereafter.

The New York Times points out that the takedown was pre-emptive, as Cyclops Blink had simply been staged and, as far as is known, had not actually been used. It could have been employed in a range of operations, from simple surveillance to destructive attacks. “Fortunately, we were able to disrupt this botnet before it could be used,” US Attorney General Garland said.

Meta disrupts Russian and Belarusian influence operations.

The Washington Post reported this morning that Facebook's corporate parent Meta had disrupted influence networks operated on behalf of the Russian and Belarusian governments:

"The social media giant disclosed the campaigns in a 27-page report, including efforts to falsely report Ukrainian users as breaking the rules and efforts to hack into the accounts of Ukrainian military personnel.

"'We continue to see operations from Belarus and Russia-linked actors target platforms across the Internet,' Facebook Head of Security Policy Nathaniel Gleicher said during a call with reporters. 'We know that determined adversaries like this will keep trying to come back.'

"Facebook, which last year changed its name to Meta, said it has been fighting efforts by Russian authorities to promote propaganda about the war, including false claims about Ukrainian military aggression in the region or blaming Western nations’ complicity in the war. The company said it gave fact-checkers in the region more resources and launched a special operations center with Russian and Ukrainian speakers to monitor war-related issues on the platform."

The Belarusian activity Facebook shut down included work by Ghostwriter. The company's Quarterly Adversarial Threat Report details the Russian and Belarusian operations and the steps Meta took against them. The report says, in part, "Government-linked actors from Russia and Belarus engaged in cyber espionage and covert influence operations online. This activity included interest in the Ukrainian telecom industry; both global and Ukrainian defense and energy sectors; tech platforms; and journalists and activists in Ukraine, Russia, and abroad."

Russia warns developing world's delegations at the UN.

The United Nations General Assembly will today vote on a US proposal to expel Russia from the body's Human Rights Council. Foreign Policy has obtained a letter the Russian delegation sent to the missions of developing countries in Africa, Asia, Latin America, and the Caribbean that cautioned them to vote against expulsion. Russia will regard abstention as a hostile act, essentially on a par with a vote for its expulsion. The vote will be taken later today; NPR is updating its story in real time.

Won't get around much anymore?

An arrest warrant on war crimes charges aimed at placing President Putin before the International Court of Justice probably wouldn't result in a collar (not without regime change, anyway) but it would inhibit Mr. Putin's travel plans. Newsweek points with concern to the possible (but of course largely unknown) effects of formal charges. For one thing, it would be more difficult for Mr. Putin to find a safe place to conduct negotiations with his Ukrainian counterpart. (On the other hand, the Russian president normally delegates negotiations to his staff.) For another thing, war crimes charges might well prompt a surge of popularity at home. Who are the foreigners to do this to our president?

Sanctions drive Russia closer to insolvency.

Russia at midweek offered payment in rubles against dollar-denominated bonds. The move, forced by US blocking of additional Russian dollar accounts, is generally seen as a possible sign of approaching Russian default. Banks refused to process about $650 million in payments, Bloomberg reports, which forced Russia to offer rubles instead. Both the US (according to Reuters) and the UK (according to the Telegraph) have substantially tightened financial sanctions.

The oligarchs haven't been forgotten, either. Forbes has a useful list of who's-who among the oligarchs, if you're keeping score at home.