Ukraine at D+259: Russian military takes responsibility for retreat.
N2K logoNov 10, 2022

Russia's retreat from Kherson represents a major setback. Threatened Russian interference with US elections did not materialize. An SVR phishing campaign is reported, and some security researchers warn that Russian hacktivist auxiliaries may grow more dangerous over time.

Ukraine at D+259: Russian military takes responsibility for retreat.

Russia's retreat from Kherson is seen as a strategic defeat.

US Undersecretary of Defense for Policy characterized Russia's withdrawal from Kherson as a "catastrophic strategic disaster." Undersecretary Colin H. Kahl said he couldn't predict what would happen with the tens of thousands of Russian troops who remain on Ukrainian territory, nor could he forecast the effect of coming winter weather on combat operations. "But I can say one thing with confidence, which is, Russia has already suffered a massive strategic failure," he added. "That's not going to change." Mr. Putin's goal of extinguishing Ukraine as an independent, sovereign country won't be achieved. "He's failed, and that's not going to change. A sovereign, independent, democratic Ukraine is going to endure.... Russia will emerge from this war weaker than it went in.... "They've … probably lost half of their main battle tanks," he said. 

The morning situation report from the UK's Ministry of Defence describes how the withdrawal is expected to unfold. "On 09 November 2022, Russian Defence Minister Sergey Shoygu ordered the withdrawal of Russian forces from the west bank of the Dnipro river in Kherson, southern Ukraine. General Sergei Surovikin, commander of the Russian forces in Ukraine, confirmed they will withdraw to defensive positions along the Dnipro River, citing re-supply issues as the primary reason for the decision. Russia’s ability to sustain its forces on the west bank of the Dnipro river had been placed under pressure by Ukrainian strikes on Russia’s resupply routes. In retreating, Russian forces have destroyed multiple bridges and likely laid mines to slow and delay advancing Ukrainian forces. The loss of Kherson’s west bank will likely prevent Russia from achieving its strategic aspiration of a land bridge reaching Odesa. With limited crossing points, Russian forces will be vulnerable in crossing the Dnipro River. It is likely that the withdrawal will take place over several days with defensive positions and artillery fires covering withdrawing forces."

For his part, President Putin has made no public comment on the retreat, allowing his defense minister and theater commander to do the public talking. The decision to withdraw has been framed as a professional military judgment, in large part to deflect blame from the president himself, the Telegraph observes. But, as a Washington Post op-ed points out, it's unlikely in the extreme that the withdrawal order was issued without direct presidential authorization. Mr. Shoigu, widely regarded as a costumed civilian, no soldier, and Mr. Putin's yes-man, is not one to take such a decision on his own authority.

The New York Times suggests that public announcement of the withdrawal was intended largely for domestic consumption, as operationally such an announcement makes little sense. The Times cites comment from two leaders of Russia's alternative military establishment, Chechen warlord Kardoyov and Wagner Group boss Prigozhin, both of whom have been critical of the generals, but who now express sympathetic understanding of the decision to withdraw. "Ramzan Kadyrov, the strongman ruler of the Russian republic of Chechnya, described it as a 'difficult but right choice between senseless sacrifices for the sake of high-profile statements and saving the priceless lives of soldiers.' Yevgeny Prigozhin, the business magnate who runs the private army known as the Wagner Group, said it was now important 'not to agonize, not to writhe in paranoia, but to draw conclusions and work on mistakes.'”

Not all the hard-war advocates in Russia are similarly mollified, however. One widely read war blogger described the decision to retreat as a "betrayal." Another called it the "greatest defeat since 1991," that is, since the collapse and disintegration of the Soviet Union.

No significant Russian cyberattacks observed against US election infrastructure.

Despite Yevgeny Prigozhin's recent avowal of a campaign to interfere with and disrupt US elections, and despite claims of a group styling itself "the Cyber Army of Russia" to have counted coup against US election sites, the actual effect of any Russian cyberattacks were negligible, Defense One reports. Some minor, unattributed distributed denial-of-service (DDoS) attacks were observed, but none of them affected voting infrastructure itself. The AP this morning offered a brief retrospective of Mr. Prigozhin's discussion of election meddling, quoting him as saying, Monday, "Gentlemen, we have interfered, are interfering and will interfere. Carefully, precisely, surgically and in our own way, as we know how to do. During our pinpoint operations, we will be removing both of the kidneys and the liver at once.” He was responding to a Russian media inquiry about US accusations of interference, and while it's surely possible he was expressing himself ironically, just yanking the Yankees' chain, the Yankees do indeed seem to have the goods on him. In any case there was no evidence of the sort of surgical cyber action Mr. Prigozhin promised.

FSB phishing impersonates Ukraine's SSSCIP.

Ukraine's State Service of Special Communications and Information Protection (SSSCIP) warned yesterday of a phishing campaign that's sending malicious emails impersonating the SSSCIP. "Specialists from the government's Computer Emergency Response Team of Ukraine CERT-UA have recorded a mass distribution of emails with malicious links allegedly under the name of the State Service of Special Communications and Information Protection of Ukraine. This activity is associated with the hacker group UAC-0010 (Armageddon)." As the warning goes on to note, Armageddon is associated with Russia's FSB. "The UAC-0010 (Armageddon) hacking group is associated with Russia’s Federal Security Service (FSB). They are among the most active groups that have been attacking Ukraine since the beginning of russia’s full-scale military invasion of Ukraine. Criminals are usually exploiting topics that are sensitive and important for Ukrainians." The most common payload the campaign delivers is an information-stealer.

A look at Cozy Bear's use of credential roaming.

Mandiant describes a cyberespionage campaign carried out earlier this year by APT29, Cozy Bear, a unit of Russia's SVR foreign intelligence service. Cozy Bear phished its way into a European diplomatic organization's networks and subsequently abused Windows' Credential Roaming feature. "The use of Credential Roaming in an organization allows attackers (and Red Teams) to abuse the saved credentials for the purposes of privilege escalation," Mandiant says. The report highlights four situations in which the technique can be effective:

  1. "An organization has not applied the September 2022 patch to each system where Credential Roaming is used."
  2. "An attacker gained Domain Administrator privileges in an organization where Credential Roaming is in use or was used in the past without proper clean-up."
  3. "An attacker has access to the cleartext password of a user where Credential Roaming is in use or was in use in the past."
  4. "An attacker has read access to the msPKIDPAPIMasterKeys attribute on a victim account, but does not have the cleartext password of the victim user."

A real threat lurking in the noise?

The ineffectuality of Russian cyber operations during the present war, at least since the initially successful wiper attacks in the opening hours of the Russian invasion, has been a recurring theme in reports on the hybrid war. Much of the visible part of Russia's cyber campaign has over the last few months been delivered by nominally independent hacktivist groups functioning as auxiliaries of the Russian intelligence and security organs. Some of the better known have been Xaknet, Killnet, Legion, and the Cyber Army of Russia. Their activities have been marked by large claims of successful actions (usually exceeding the reality) and intense expressions of Russian nationalist sentiment.

An essay in Cybernews, however, argues that the groups have the potential to grow in importance. Their numbers, for one thing, seem to be increasing. Researchers at CyberKnow are tracking eighty-four groups engaged in the war, thirty-six pro-Ukraine, forty-two pro-Russia, and six of uncertain loyalties. The Russian groups could grow more dangerous by improving their craft with practice, but also through augmentation by criminal gangs and the direct support of Russian intelligence services. And, of course, the intelligence services could use their auxiliaries for deniable or false-flag operations. It's too soon to declare the hacktivist auxiliaries a major threat, but they bear watching.