Ukraine at D+476: Difficult fighting and complex cyber activity.
Jun 15, 2023

Security firms analyze fresh Russian cyber activity, and the situation of Russia's hacktivist auxiliaries has become murky.


Ukrainian forces push further against Russian defenses, but their gains have so far been slow, measured in hundreds of meters. Russian missile strikes against Ukrainian civilian targets continue.

President Putin has publicly meditated that he may be moved to protect Russia by seizing more Ukrainian territory to establish a protective buffer along Russia's (claimed) borders. This seems an empty threat. Russia has shown little restraint in its war against Ukraine, Mr. Putin's forces have been unable to hold all the ground they've taken, and their control over the territories they've illegally annexed remains shaky and contested.

The ongoing dispute between the Wagner Group and Russia's Ministry of Defense.

The UK's Ministry of Defence sees July 1st as an inflection point in the ongoing quarrel between Mr. Prigozhin's Wagner Group mercenaries and the Russian Ministry of Defense. "On 10 June 2023, the Russian MoD demanded that members of ‘volunteers formations’ such as Wagner Group sign contracts directly with the MoD, a move explicitly endorsed by President Putin on TV on 13 June 2023. For several months, Wagner owner Yevgeny Prigozhin has been aiming vitriolic criticism at the MoD hierarchy but deferred to Putin’s authority. However, despite Putin’s comments, on 14 June 2023 Prigozhin said that, ‘none of Wagner's fighters are ready to go down the path of shame again. That's why they will not sign the contracts’. Prigozhin’s rhetoric is evolving into defiance of broader sections of the Russian establishment. 01 July 2023, the deadline for the volunteers to sign contracts, is likely to be a key way-point in the feud."

President Putin has strongly and publicly supported his Defense Minister's decision to require private military corporations to sign contracts placing them in a more regularized relationship with the Ministry and its command structure.

Shuckworm collects intelligence (and may support targeting). 

The Symantec Threat Hunter Team, part of Broadcom, released a long-form article discussing the long-term behavior of the Russian APT Shuckworm (also known as Gamaredon or Armageddon). Shuckworm seems recently to have targeted Ukraine’s security services, military, and government organizations with a view to establishing long-term persistence for continuing intelligence collection. Symantec writes, “In some cases, the Russian group succeeded in staging long-running intrusions, lasting for as long as three months. The attackers repeatedly attempted to access and steal sensitive information such as reports about the deaths of Ukrainian service members, reports from enemy engagements and air strikes, arsenal inventory reports, training reports, and more.” Shuckworm constantly evolves its tools to evade detection and throw off defenders’ attempts to profile the threat actor. Although Shuckworm has been active against Ukrainian networks since 2014, its most recent attacks in February and March of 2023 are of particular interest: they scan a victim’s network for files that could contain sensitive Ukrainian military information, which could then be used to target kinetic strikes against Ukrainian units.

The APT is known to use phishing emails to gain initial access to its targets. Those emails use topics like armed conflict, criminal proceedings, and protection of children as phishbait to induce the victim to download a malicious attachment. Shuckworm has been observed “using a new PowerShell script in order to spread its custom backdoor malware, Pterodo, via USB.” The PowerShell script creates a file whose name itself (usually in Ukrainian, sometimes in English) is designed to induce the victim to open it. Once opened, that file copies itself onto every removable storage device found on the machine, the better to enable lateral movement across devices on different networks. Symantec’s researchers note that Shuckworm uses legitimate services, like Telegram, as its command-and-control infrastructure.
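Two of the behaviors described above (a script host writing to removable media, and a script host talking to a legitimate service such as Telegram) are hunt-able in endpoint telemetry. The following is an added illustration, not code from the Symantec report or from this article; it assumes a simplified Sysmon-style "Key=Value" record format and a known inventory of removable drive letters, and the sample records are constructed.

```python
import re
from pathlib import PureWindowsPath

# Constructed, simplified Sysmon-style records (EventID 11 = FileCreate,
# EventID 3 = NetworkConnect). These are not real telemetry.
SAMPLE_EVENTS = [
    r"EventID=11 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename=E:\Наказ_штабу.lnk",
    r"EventID=11 Image=C:\Windows\explorer.exe TargetFilename=E:\photos\IMG_0001.jpg",
    r"EventID=11 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename=C:\Users\oper\report.txt",
    r"EventID=3 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe DestinationHostname=api.telegram.org DestinationPort=443",
    r"EventID=3 Image=C:\Program Files\Telegram Desktop\Telegram.exe DestinationHostname=api.telegram.org DestinationPort=443",
]

# Assumed inventory of removable volume letters on the host; in production
# this would come from the volume manager or a drive-type enrichment field.
REMOVABLE_DRIVES = {"E:", "F:"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Legitimate services the article notes being abused for C2.
LEGIT_SERVICE_SUFFIXES = ("telegram.org",)

# Value runs until the next " Key=" token, so paths with spaces survive.
KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

def parse_event(line):
    """Turn one 'Key=Value Key=Value' record into a dict."""
    return dict(KV.findall(line))

def hunt(events, removable=REMOVABLE_DRIVES):
    """Return (rule, image_basename, detail) tuples for suspicious records."""
    findings = []
    for line in events:
        ev = parse_event(line)
        image = PureWindowsPath(ev.get("Image", "")).name.lower()
        if image not in SCRIPT_HOSTS:
            continue  # interactive apps copying files to USB are normal
        if ev.get("EventID") == "11":
            target = PureWindowsPath(ev.get("TargetFilename", ""))
            if target.drive.upper() in removable:
                findings.append(("script_host_writes_removable_media", image, str(target)))
        elif ev.get("EventID") == "3":
            host = ev.get("DestinationHostname", "").lower()
            if host.endswith(LEGIT_SERVICE_SUFFIXES):
                findings.append(("script_host_to_legit_service", image, host))
    return findings

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Explorer writing photos to the USB stick and the real Telegram client reaching api.telegram.org are deliberately left out of the findings; only the script-host pairings the article describes are surfaced.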

(Added, 11:00 PM ET, June 15th, 2023. Erich Kron, Security Awareness Advocate at KnowBe4, thinks USB devices represent an underappreciated risk:

"Many organizations forget about the threat that USB devices pose to organizations. Because USB storage is portable by nature and is often used to share files and other information between individuals, it makes a great medium for distributing malware within networks. Just because the device wasn't picked up in a parking lot or a staircase, it does not mean that it can't be weaponized to expand an infection within an organization. This approach can help get around network segmentation and can be very prolific.

"The use of e-mail phishing for the initial attack vector is certainly nothing new, as it's often recognized as the most common way to gain initial network access. The use of already built or included tools such as PowerShell can help disguise the activities of the bad actors and blend into normal day-to-day operations.

"To protect against these attacks, organizations should seriously consider whether the risk of using USB devices is worth it and ensure that antivirus software is scanning these portable devices any time they are plugged into a computer. In addition, because email phishing is once again a top attack vector, organizations should educate and train their users to spot and report phishing attempts. This approach is especially effective if the education is coupled with simulated attacks to help employees practice the art of spotting these, without putting the organization at risk.")

The GRU's Cadet Blizzard operation.

Microsoft researchers have now identified a cluster of cyberattacks as the work of a GRU unit Microsoft has named "Cadet Blizzard." Redmond thinks that Cadet Blizzard, formerly tracked as DEV-0586, has been operating since 2020. They associate the unit with last year's WhisperGate wiper attacks against Ukrainian targets, and they note that in recent months the threat actor has been associated with influence operations.

Cadet Blizzard isn't the only GRU threat actor working against Ukraine. "Microsoft assesses that Cadet Blizzard operations are associated with the Russian General Staff Main Intelligence Directorate (GRU) but are separate from other known and more established GRU-affiliated groups such as Forest Blizzard (STRONTIUM) and Seashell Blizzard (IRIDIUM)." Microsoft assesses Cadet Blizzard as generally less effective than its better-known institutional siblings, Forest Blizzard and Seashell Blizzard. Still, it's enjoyed a modest level of success.

Stolen credentials have typically provided Cadet Blizzard with its access to targets. In the initial phases of Russia's war, the threat actor attacked a range of Ukrainian targets, which Microsoft listed as:

  • "Government services"
  • "Law enforcement"
  • "Non-profit/non-governmental organization"
  • "IT service providers/consulting"
  • "Emergency services"

That activity ran roughly from February through June of 2022, at which time Cadet Blizzard became relatively quiet until the early months of 2023. Microsoft writes, "A month before Russia invaded Ukraine, Cadet Blizzard foreshadowed future destructive activity when it created and deployed WhisperGate, a destructive capability that wipes Master Boot Records (MBRs), against Ukrainian government organizations. Cadet Blizzard is also linked to the defacements of several Ukrainian organization websites, as well as multiple operations, including the hack-and-leak forum known as 'Free Civilian'.”

KillNet teases a three-pronged attack on SWIFT.

On June 14th the Russian hacktivist auxiliary KillNet reposted to its Telegram channel a story from Russian media producer Mash. The story predicted that KillNet, REvil, and Anonymous Sudan would conduct a “massive attack against the Western banking system. The number one mission is to paralyze SWIFT.” (SWIFT is the electronic system widely used by banks for fund transfers.) KillMilk woofed that the attack would occur today, June 15th, but so far no further information regarding the attack has been released. Anonymous Sudan's participation in these announcements seems to further indicate that the group is at least closely tied to, if not actually simply a subsidiary of, the KillNet organization.

Devil Sec flips the script on Russia?

In other hacktivist news, Devil Sec, which recently openly partnered with KillNet, has begun targeting Russian citizens and companies. On June 13th they released a post that asked, rhetorically, “What do you think that we turn the tables and tomorrow all Russian companies will be hacked and hit with ransom viruses?” How this comports with Devil Sec's ally KillNet's professed intolerance of any cyber crime or other attacks against Russia or Russia's sphere of influence remains unclear. Devil Sec has since used the cheeky and suggestive tags #Op Russia, and F*** Russia when posting information stolen from that country. Devil Sec has also posted an image of an allegedly hacked webpage of AXIOMA group, an investment and analysis firm that operates globally, including inside Russia and the nations of the CIS.