Ukraine at D+610: Combat refusals.
N2K, Oct 27, 2023

The Russian army is pushing Storm-Z units forward under threat of harsh penalties. ESET offers a look at Russia's major players in the cyber phases of the war.

Ukraine at D+610: Combat refusals.

The Institute for the Study of War (ISW) believes that heavy Russian losses of vehicles in the attack on Avdiivka (more than a hundred vehicles have been destroyed, most of them tanks and other armored vehicles) will quickly tell against Russia's ability to mount further offensives.

The Russian army has pulled convicts from prisons to fill the ranks of the regular army. The BBC reports that the prisoners, nominal volunteers who are offered cash bonuses and remission of sentences upon completion of an 18-month tour, are for the most part being assigned to Storm-Z penal units. The practice of prison recruiting had been associated with the Wagner Group during its late heyday, but the Washington Post explains that the regular army has exploited prison manpower far more than the Wagner Group did: the Wagnerites took in about 50,000 prisoners; the Ministry of Defense has taken about 100,000. Such recruiting is seen as a way of bringing in much-needed manpower without resorting to another partial mobilization. The last partial mobilization motivated about 300,000 military-age men to leave the country.

The BBC reports that some Russian units fighting at Avdiivka have "mutinied"--actually the incidents seem to be combat refusals as opposed to full mutinies--and that some soldiers retreating or refusing to attack have been summarily executed under their officers' orders.

Ukrainian forces have made small advances on the east bank of the Dnipro River, and have "continued offensive operations near Bakhmut and in western Zaporizhia Oblast," the ISW reports.

A pause in air-launched cruise missile strikes.

"The Russian Airforce’s Long Range Aviation fleet (LRA) of heavy bombers has not conducted air launched cruise missile strikes into Ukraine for over a month, one of the longest gaps in such strikes since the conflict began," the UK's Ministry of Defence (MoD) writes. They appear to be running short of the cruise missiles, and to be husbanding their stocks for use against Ukrainian energy infrastructure over the winter. "While Russia is still able to utilise other strike capabilities, the LRA had been the primary method for conducting stand-off precision strikes. Russia almost certainly needed to reduce the frequency of its strikes to replenish its diminishing stockpile of AS-23a KODIAK cruise missiles. Russia will likely use any recently produced inventory LRA munitions to strike Ukrainian energy infrastructure over the winter. Russia will highly likely continue to supplement any such campaign with Iranian-designed one-way attack uncrewed aerial vehicle attacks."

Russian intelligence services' cyber operations in the hybrid war. 

ESET's APT Activity Report for the 2nd and 3rd quarter of 2023 matches unpatched vulnerabilities with government-sponsored offensive cyber operations. Unsurprisingly, Russian cyber activity retains its focus on Ukraine. The main Russian APT groups ESET tracks are Sandworm (operated by the GRU's Unit 74455, and also known as Voodoo Bear), Turla (associated with the FSB, and also known as Venomous Bear), Sednit (more familiarly known as Fancy Bear, and run by the GRU), and Gamaredon (an FSB operation, also known as Primitive Bear). ESET says that the most significant of these, from the Ukrainian perspective, is Gamaredon, "which significantly enhanced its data-collecting capabilities by redeveloping existing tools and deploying new ones."

  • Gamaredon. In April the group deployed a new version of its PteroSteal credential stealer, optimized for use against the Outlook and The Bat! email clients. In June it introduced PteroCookie (which collects cookies from Opera and Firefox), PteroSig (which exfiltrates data stored in the Signal desktop app), and PteroGram (which does the same from the Telegram Desktop app). Two new tools appeared in August. PteroBleed exfiltrates IndexedDB data from the Opera, Chrome, and Edge browsers. "This tool specifically looks for data stored in this database by web versions of Telegram and WhatsApp applications," ESET says, "and for data that might be used by various Ukrainian military web services." The other tool that made its debut in August was PteroScout, used for reconnaissance on compromised systems. Gamaredon, it's worth noting, has long operated principally from Simferopol in occupied Crimea.

Gamaredon may be the group most active against Ukraine, but the others also have roles in the hybrid war.

  • Sandworm. This GRU outfit has made some puerile gestures in the direction of flying false flags (using, for example, Ukrainian versions of Russian names in filenames, and seeking to attribute sabotage operations to Ukraine's CERT-UA). More seriously, in April Sandworm used RoarBat, a malicious BAT script that uses WinRAR to move files to an archive, and then deletes the originals. A second version of RoarBat appeared in June, this variant optimized for wiping files used by media organizations. In July ESET observed Sandworm roll out a new variant of NikoWiper. Its wiper functionality was like that observed in the original version when it was used in October 2022 against a target in Ukraine's energy sector.
  • Turla. In July ESET observed a new command-and-control implant in use by this FSB group, "CAPIBAR." Turla deployed it against government targets in Ukraine, Greece, and Guyana.
  • Sednit. This GRU outfit specializes in spearphishing hostile governments. In June it was responsible for the Operation RoundPress spearphishing campaign, which exploited a cross-site-scripting vulnerability (CVE-2020-35730) in the Roundcube webmail software. Sednit's targets were government staff emails in Armenia, Tajikistan, and Ukraine. In August and September an advanced version of Operation RoundPress spearphished organizations in Croatia, Serbia, Greece, Poland, and Ukraine. Another August spearphishing campaign exploited the WinRAR vulnerability CVE-2023-38831. This operation used techniques previously used by criminals to phish "political entities" in the European Union and Ukraine. Also in August Sednit pursued targets in Ukraine, Poland, and Czechia with spearphishing that exploited CVE-2023-23397, a Microsoft Outlook for Windows vulnerability. Finally, in September, a Sednit campaign relied on social engineering to inveigle targets into clicking a link that installed a malicious BAT script.
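The RoarBat description above (a batch script that has WinRAR archive files and then delete the originals) suggests a simple hunt in endpoint process-creation telemetry. The following is an added example, not code from the article or from ESET: it runs over a few constructed Sysmon-style events and flags archiver invocations that delete their sources. It assumes WinRAR's documented `-df` (delete after archiving) and `-dw` (wipe after archiving) switches; the field names, the event samples and the severity scheme are this example's own.

```python
"""Hunt for the archive-then-delete pattern attributed to RoarBat above.

Added example, not the article's or ESET's code. Events are constructed
dicts in a Sysmon process-creation shape (assumed field names).
"""
import re

# Archiver binaries of interest (lower-case basenames).
ARCHIVERS = {"winrar.exe", "rar.exe"}
# WinRAR switches that remove the source files once archived (per WinRAR
# documentation; treated here as the assumption the detection rests on).
DELETE_SWITCHES = ("-df", "-dw")

# Constructed sample telemetry, not real captures.
SAMPLE_EVENTS = [
    {   # batch file archives a share and deletes the originals: the RoarBat shape
        "id": 1,
        "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
        "CommandLine": r'"C:\Program Files\WinRAR\WinRAR.exe" a -r -ep1 -df -dh -ms C:\Windows\Temp\out.rar D:\Shares\Media\*',
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "ParentCommandLine": r"cmd.exe /c C:\Users\Public\update.bat",
    },
    {   # benign interactive archiving, sources kept
        "id": 2,
        "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
        "CommandLine": r'"C:\Program Files\WinRAR\WinRAR.exe" a -r C:\Users\alice\Desktop\report.rar C:\Users\alice\Documents\report\*',
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": "explorer.exe",
    },
    {   # rar.exe from a scheduled task wipes its sources: worth a look, not a script
        "id": 3,
        "Image": r"C:\Tools\rar.exe",
        "CommandLine": r"C:\Tools\rar.exe a -dw backup.rar C:\Data\*",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "ParentCommandLine": "svchost.exe -k netsvcs -p -s Schedule",
    },
    {   # unrelated process
        "id": 4,
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": "notepad.exe notes.txt",
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": "explorer.exe",
    },
]


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def is_archive_and_delete(event: dict) -> bool:
    """True when WinRAR/rar is told to add to an archive and delete the sources."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if image not in ARCHIVERS:
        return False
    tokens = tokenize(event.get("CommandLine", ""))
    if len(tokens) < 2 or tokens[1].lower() != "a":   # 'a' = add to archive
        return False
    return any(t.lower().startswith(DELETE_SWITCHES) for t in tokens[2:])


def parent_is_script(event: dict) -> bool:
    """Launched via a .bat/.cmd, as the RoarBat description implies."""
    parent = event.get("ParentCommandLine", "").lower()
    return parent.endswith((".bat", ".cmd")) or ".bat " in parent or ".cmd " in parent


def triage(events: list[dict]) -> list[tuple[int, str]]:
    """Return (event id, severity) for each hit; script-launched hits rank higher."""
    hits = []
    for e in events:
        if is_archive_and_delete(e):
            hits.append((e["id"], "high" if parent_is_script(e) else "medium"))
    return hits


if __name__ == "__main__":
    for event_id, severity in triage(SAMPLE_EVENTS):
        print(f"event {event_id}: archive-then-delete ({severity})")
```

Backup jobs use the same switches legitimately, so the rule is a hunting query rather than a blocking signature: the useful discriminators are the parent (a batch file dropped in a user-writable path), the breadth of the source wildcard, and whether anything ever reads the resulting archive. A wiper also does not need WinRAR at all, so this catches one tool's habit, not the technique in general.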

Prebunking disinformation.

The US State Department is attempting to "prebunk" Russian disinformation campaigns, the New York Times reports. The effort operates from the premise that disinformation is easier to discredit and refute before it begins to spread through amplification in legitimate and semi-legitimate channels. It works by identifying disinformation operations in their earliest phases, and by exposing the fronts and agents of influence before they can begin repeating their themes. Prebunking is part refutation (addressing the false claims on their merits) and part transparency (identifying the fronts and trolls as such before they gain traction).

Russian hacktivist auxiliaries pester Australia for "Russophobia."

Cyber Daily reports that NoName057(16), specialists in nuisance-level distributed denial-of-service (DDoS) attacks, has put Australia on notice (NoName says) for its "Russophobic" contributions to Ukraine's war effort. The hacktivist auxiliary said it had hit Adelaide Bank’s netbank portal, the Transperth transport agency's site, the Administrative Appeals Tribunal’s online portal, and the Northern Territory Department of Infrastructure, Planning and Logistics.

The hacktivists' communique deplored Australia's decision to send a military aid package worth $12 million to Ukraine. The only effect the shipment will have, NoName said, will be to give the Russians more materiel to capture. And besides, it amounts to theft from the Australian taxpayers. “We are going to Australia for destroying (sic) portals of critical infrastructure!” It's an overstatement. Only the Transperth website sustained periodic and annoying disruption. The other three targets rode out the attack without much difficulty.