Ukraine at D+503: Support and cooperation, but no NATO membership, yet.
Jul 12, 2023

Ukraine gets closer ties to NATO, but not membership, yet, and the cyber phases of Russia's war show signs of renewed activity.

Ukraine continues its envelopment of Russian forces in the vicinity of Bakhmut, and Russia continues to hit Ukrainian cities with drone strikes.

Colonel General Surovikin's whereabouts remain unknown. The Aerospace Forces' chief of staff who also serves (or served) as Russian deputy commander in Ukraine hasn't been seen since the march on Moscow. The UK's Ministry of Defence reported this morning that General Surovikin's boss has, however, resurfaced in public: "On 10 July 2023, Russian Chief of the General Staff General Valery Gerasimov made his first TV appearance since the abortive Wagner mutiny of 24 June 2023. Gerasimov was seen being briefed by video link by Russian Aerospace Forces Chief of Staff Colonel-General Viktor Afzalov. Afzalov has been in post for at least four years, but this is probably his first public appearance with Gerasimov. Afzalov is deputy to Commander-in-Chief Russian Aerospace Forces, General Sergei Surovikin. Afzalov’s increased public profile, while Surovikin’s whereabouts remains unclear, adds further weight to the hypothesis that Surovikin has been sidelined following the mutiny." General Gerasimov, along with Defense Minister Shoigu, had been a prominent object of Wagner Group discontent over the conduct of Russia's war.

NATO's summit concludes with promises of continuing and closer support of Ukraine, but no timetable for membership.

The NATO summit in Vilnius wrapped up with assurances that the Alliance's support for Ukraine would continue, and indeed grow closer. Kyiv was offered neither immediate membership in NATO nor a timetable for accession to the Atlantic Alliance (which disappointed Ukrainian leaders), but the support promised is indeed extensive, and Ukrainian President Zelenskyy expressed his gratitude to NATO.

The long communiqué issued at the end of the summit stressed the brutality and aggression of Russia's special military operation. It also drew attention to the role cyber operations played in Russia's strategy, and noted that the effects of those operations extended to the members of NATO and on to the larger world. "Russia has intensified its hybrid actions against NATO Allies and partners, including through proxies. This includes interference in democratic processes, political and economic coercion, widespread disinformation campaigns, malicious cyber activities, and illegal and disruptive activities of Russian intelligence services. We are enhancing the tools at our disposal to counter Russian hybrid actions and will ensure that the Alliance and Allies are prepared to deter and defend against hybrid attacks."

RomCom update.

Microsoft yesterday published an alert on activity by Storm-0978, also tracked as DEV-0978 and familiarly called "RomCom," after the name given the backdoor it commonly employs. "Microsoft has identified a phishing campaign conducted by the threat actor tracked as Storm-0978 targeting defense and government entities in Europe and North America. The campaign involved the abuse of CVE-2023-36884, which included a remote code execution vulnerability exploited before disclosure to Microsoft via Word documents, using lures related to the Ukrainian World Congress." As BleepingComputer observes, CVE-2023-36884 hasn't been fully patched, but mitigations are available. RomCom represents a mixture of symbiotic motives. It's a ransomware and extortion operation in pursuit of direct profit, but it also conducts cyberespionage, specializing in credential theft. The group is based in Russia and acts in Russia's interests.

"The price is reduced!!!" Act now!

Russian intelligence services prospecting diplomatic targets in Ukraine used an ad for a nicely loaded, deeply discounted used BMW as phishbait to attract their prospects' eyes (and clicks). Palo Alto Networks' Unit 42 says the campaign, directed against twenty-two of the eighty embassies in Kyiv, was run by APT29 (Cozy Bear), that is, Russia's SVR foreign intelligence service. The phish hooks were LNK files masquerading as images. The targeted diplomatic missions were those of Albania, Argentina, Canada, Cyprus, Denmark, Estonia, Greece, Iraq, Ireland, Kuwait, Kyrgyzstan, Latvia, Libya, the Netherlands, Norway, Slovakia, Spain, Sudan, Turkey, Turkmenistan, the United States, and Uzbekistan. The campaign's goal was espionage: collection against the embassies and their contacts.
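The "LNK masquerading as an image" trick works because Windows Explorer hides the `.lnk` suffix, so `photo.jpg.lnk` displays as `photo.jpg`. A mail gateway or triage script can catch it by checking the file header rather than the name. The following is an added illustration, not Unit 42's or the article's code; the file names and byte samples are constructed for the example.

```python
"""Flag attachments whose name claims an image but whose header is a Windows shortcut (LNK)."""
import struct

IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".webp"}
# MS-SHLLINK ShellLinkHeader: HeaderSize is always 0x4C, followed by the fixed
# LinkCLSID 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")


def is_lnk(data: bytes) -> bool:
    """True if the first 20 bytes match a Shell Link header, regardless of file name."""
    if len(data) < 20:
        return False
    header_size = struct.unpack("<I", data[:4])[0]
    return header_size == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID


def claimed_extensions(name: str) -> list:
    """Every dotted suffix, lower-cased: 'BMW_photo.jpg.lnk' -> ['.jpg', '.lnk']."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:]]


def classify(name: str, data: bytes) -> str:
    """Label a file by content: not a shortcut, a plain shortcut, or a shortcut posing as an image."""
    if not is_lnk(data):
        return "not-lnk"
    if any(ext in IMAGE_EXTS for ext in claimed_extensions(name)):
        return "lnk-masquerading-as-image"
    return "lnk"


def scan_files(files) -> list:
    """Return the names of files that should be quarantined for review."""
    return [name for name, data in files if classify(name, data) == "lnk-masquerading-as-image"]


# Constructed samples: a minimal 76-byte LNK header and a PNG signature, not real attachments.
SAMPLE_LNK = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + b"\x00" * 56
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 68
SAMPLES = [
    ("BMW_photo.jpg.lnk", SAMPLE_LNK),  # shown to the user as BMW_photo.jpg
    ("BMW_photo2.png", SAMPLE_PNG),     # genuine image
    ("Shortcut.lnk", SAMPLE_LNK),       # honest shortcut, noisy but not disguised
]

if __name__ == "__main__":
    print(scan_files(SAMPLES))
```

The header check is deliberately name-independent, so a shortcut renamed to `.jpg` alone (with no `.lnk` suffix at all) is still flagged.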

The car itself was real, as was the innocent original version of the flyer. The black BMW 5-series sedan belongs to a Polish diplomat assigned to Kyiv, and he was indeed interested in selling it. Suspicions were aroused when he got calls inquiring about the price, which at €7500 was lower than the one he'd posted. Cozy Bear evidently reasoned that a lower price would attract more clicks. Reuters reports that the diplomat still has his car. He'll try to sell it when he gets back to Poland, because "After this situation, I don't want to have any more problems."

The phishbait represents a departure from that used in earlier campaigns. Earlier lures had tended to be more obviously diplomatic: invitations to embassy events, notes on humanitarian aid, and so on. Unit 42 concludes with a warning: "As the above campaigns show, diplomats should appreciate that APTs continually modify their approaches – including through spear phishing – to enhance their effectiveness. They will seize every opportunity to entice victims into compromise. Ukraine and its allies need to remain extra vigilant to the threat of cyber espionage, to ensure the security and confidentiality of their information."