Ukraine at D+655: GRU phishes humanitarian aid organizations.
The CyberWire, Dec 11, 2023

Russia's military intelligence service is running a phishing campaign aimed at collecting against European humanitarian organizations.


The UK's Ministry of Defence (MoD) this morning described the intensity of combat in the vicinity of Avdiivka, which has continued unabated. "Over the last week, the Donetsk Oblast town of Avdiivka has continued to be the scene of the most intense combat on the front. As reflected in official Ukrainian public-release data, on some days approaching 40 per cent of all combat engagements have likely taken place in this small sector. The Russian offensives have continued to be characterised by largely dismounted infantry assaults, often by Shtorm-Z penal units. Ukrainian units have likely conducted successful local counterattacks, denying Russian forces full control of the village of Stepove. It is here that Russia is attempting one part of a pincer movement to envelop Avdiivka and its heavily defended industrial zone."

At the end of last week Russia's air force sent air-launched cruise missiles carried by heavy strategic bombers against targets in Kyiv and elsewhere in central Ukraine. The UK's MoD reported, "On the night of 7 December 2023, the Russian Air Force conducted a major wave of strikes towards Kyiv and central Ukraine using its heavy bomber fleet, for the first time since 21 September 2023. These aircraft, highly likely Tu-95 BEAR H, likely launched at least 16 air-launched cruise missiles (ALCMs) from their typical operating area over the Caspian Sea. The missiles were highly likely AS-23a KODIAK, Russia's premier ALCM. Russia has almost certainly been stockpiling these missiles for use in the winter campaign. This was probably the start of a more concerted campaign by Russia aimed at degrading Ukraine's energy infrastructure. However, initial reports indicate the majority of these missiles were successfully intercepted by Ukrainian air defence. Despite at least one civilian reported killed, the damage currently appears to have been minimal."

Russia reiterates its war aims.

The Institute for the Study of War outlines a recent explanation of Russia's war aims. In short, they haven't changed. "Russian Foreign Ministry Spokesperson Maria Zakharova emphasized that Russia's maximalist objectives in Ukraine have not changed, repeating the Kremlin's demand for full Ukrainian political capitulation and Kyiv's acceptance of Russia's military and territorial demands rather than suggesting any willingness to negotiate seriously. In a written interview with AFP on December 9, Zakharova claimed that a 'comprehensive, sustainable, and fair resolution' in Ukraine can only happen if the West stops 'pumping up the Armed Forces of Ukraine with weapons' and that Ukraine surrenders Russia's claimed Ukrainian territory and 'withdraws its troops,' presumably from Ukrainian territory Russia claims to have annexed. Zakharova emphasized the Kremlin's longstanding claim that Russia invaded Ukraine for 'de-militarization,' 'denazification,' and to 'ensure the rights of Russian-speaking citizens' in Ukraine. The Kremlin has consistently used the term 'denazification' as code for the removal of the elected government of Ukraine and its replacement by some government the Kremlin regards as acceptable, i.e., regime change."

Campaign theater: Mr. Putin as the soldiers' choice.

President Putin formally announced Friday that he was standing for reelection (the curtain rises on the theater in March). His announcement came as he was awarding service members gold medals in a Kremlin ceremony. The military setting seemed, the Institute for the Study of War records, intended to suggest that Mr. Putin is the soldiers' choice, running at their earnest behest as leader, comrade, advocate, and benefactor. The staging also augurs that the invasion of Ukraine will be the central theme of the narrative surrounding his inevitable reelection.

GRU phishing campaign delivers Headlace malware.

IBM's X-Force reports that an apparent GRU operation, ITG05, is using Israel-Hamas-war-themed phishbait in a campaign that spreads the Headlace backdoor. "X-Force tracks ITG05 as a likely Russian state-sponsored group consisting of multiple activity clusters, sharing overlaps with industry-identified threat actor groups APT28, UAC-028, Fancy Bear and Forest Blizzard," the IBM advisory explains. Discovered in September by CERT-UA, Headlace has three components: a .CMD dropper, a .VBS launcher and a .BAT backdoor. 
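The three-stage chain described above (a .CMD dropper that runs a .VBS launcher that in turn runs a .BAT backdoor) is the kind of parent-child process pattern a detection engineer can hunt for in endpoint telemetry without knowing the specific file names. The following is an added example written for this page, not code or indicators from IBM X-Force or CERT-UA: it walks constructed, Sysmon-style process-creation records and reports any cmd.exe running a .cmd file whose child is a VBScript host running a .vbs whose child is cmd.exe running a .bat. The file names, paths and PIDs in the sample records are invented, and the benign logon-script chain is included to show that a .vbs-then-.bat sequence on its own does not trip the rule.

```python
import re
from collections import defaultdict

# Constructed process-creation records in Sysmon Event ID 1 style. These are
# invented for illustration and are not Headlace indicators of compromise.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    # Suspicious chain: .cmd -> wscript .vbs -> cmd .bat, all from a user-writable dir
    {"pid": 201, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\victim\AppData\Local\Temp\update.cmd"'},
    {"pid": 202, "ppid": 201, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe //B "C:\Users\victim\AppData\Local\Temp\run.vbs"'},
    {"pid": 203, "ppid": 202, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\victim\AppData\Local\Temp\svc.bat"'},
    # Benign: a domain logon script (.vbs) that maps drives via a .bat; no .cmd stage
    {"pid": 301, "ppid": 100, "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe //nologo \\fileserver\scripts\logon.vbs"},
    {"pid": 302, "ppid": 301, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c \\fileserver\scripts\map_drives.bat"},
]

# Each stage: (allowed image basenames, regex that must appear in the command line).
# The order mirrors the dropper -> launcher -> backdoor description in the text.
STAGES = [
    (("cmd.exe",), r"\.cmd\b"),
    (("wscript.exe", "cscript.exe"), r"\.vbs\b"),
    (("cmd.exe",), r"\.bat\b"),
]

# Directories an unprivileged user can write to; used only to annotate hits.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.I)


def basename(image):
    """Lower-cased file name of an image path."""
    return image.rsplit("\\", 1)[-1].lower()


def matches(event, stage):
    images, pattern = stage
    return basename(event["image"]) in images and \
        re.search(pattern, event["cmdline"], re.I) is not None


def find_script_chains(events, stages=STAGES):
    """Return every parent->child->grandchild chain whose stages match STAGES.

    Each hit is a tuple of the PIDs in chain order.
    """
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    hits = []

    def walk(event, depth, path):
        if depth == len(stages):
            hits.append(tuple(path))
            return
        for child in children[event["pid"]]:
            if matches(child, stages[depth]):
                walk(child, depth + 1, path + [child["pid"]])

    for e in events:
        if matches(e, stages[0]):
            walk(e, 1, [e["pid"]])
    return hits


def chain_from_user_writable(chain, events):
    """True if every stage in the chain ran a script from a user-writable path."""
    by_pid = {e["pid"]: e for e in events}
    return all(USER_WRITABLE.search(by_pid[pid]["cmdline"]) for pid in chain)


if __name__ == "__main__":
    for chain in find_script_chains(EVENTS):
        flag = "user-writable" if chain_from_user_writable(chain, EVENTS) else "system path"
        print(f"script chain {chain} ({flag})")
```

The rule keys on process lineage rather than on hashes or file names, so it survives the actor renaming the three stages; in production the same logic would run over real Sysmon or EDR process-creation events, and the user-writable-path annotation is a cheap way to rank a hit above ordinary logon scripts served from a share.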

The researchers have identified targets in thirteen different countries. The phishbait and the geographical targeting suggest to X-Force that ITG05 is interested in humanitarian aid organizations based for the most part in Europe. The delivery chain is geofenced: the lure links serve the Headlace payload only to visitors whose IP addresses geolocate to the targeted countries, which complicates analysis from elsewhere and limits the exposure of the malware to the intended victims. "It is unclear precisely how many entities were impacted by the campaign, but our analysis indicates that organizations in the following countries were targeted: Hungary, Türkiye, Australia, Poland, Belgium, Ukraine, Germany, Azerbaijan, Saudi Arabia, Kazakhstan, Italy, Latvia and Romania. Of note, all but one of the 13 nations featured in the geolocations perimeters for downloading Headlace are United Nations Human Rights Council members." The Human Rights Council is of interest to Russia because of the threat (as Russia's government perceives it) of that organization taking action to expose, condemn, or otherwise oppose Russian activity against the population of Ukraine. X-Force expects campaigns of this kind to continue.

Email campaign impersonates Ukraine's SSSCIP.

The threat group UAC-0050, whose sponsorship is unclear but which shows signs of connections to Russian cybercriminal gangs, has been sending Polish government officials emails that impersonate Ukraine's State Service of Special Communications and Information Protection (SSSCIP), the Kyiv Independent reports. According to CERT-UA, the malicious payload the emails carry includes the Remcos RAT and the Meduza Stealer.