Ukraine at D+88: Disinformation, old- and new-school.
May 23, 2022

Amid continuing high losses, Russia continues its firepower-intensive war. Moscow complains of being a victim of sanctions and cyberattacks, and Russia maintains its mix of old- and new-school propaganda, from loudspeakers and posters stapled to telephone poles, to botnets adapted to tuning campaigns of coordinated inauthenticity.

This morning's situation report from the British Ministry of Defence (MoD) offered the MoD's assessment of the probable effect of high Russian casualties on public support for the war against Ukraine. "In the first three months of its ‘special military operation’, Russia has likely suffered a similar death toll to that experienced by the Soviet Union during its nine year war in Afghanistan," the report said, and it traced high casualties to poor training, planning, and command. "A combination of poor low-level tactics, limited air cover, a lack of flexibility, and a command approach which is prepared to reinforce failure and repeat mistakes has led to this high casualty rate, which continues to rise in the Donbas offensive. The Russian public has, in the past, proven sensitive to casualties suffered during wars of choice. As casualties suffered in Ukraine continue to rise they will become more apparent, and public dissatisfaction with the war and a willingness to voice it may grow."

On Saturday the MoD's situation report took up air superiority and the place of UAVs in achieving it. "The Russia-Ukraine war has seen Uncrewed Aerial Vehicles (UAVs) playing a pivotal role for both sides although they have suffered a high rate of attrition. UAVs have proved vulnerable both to being shot down and to electronic jamming. Russia has attempted to implement the concept of ‘Reconnaissance Strike’ it refined in Syria, which uses reconnaissance UAVs to identify targets to be struck by combat jets or artillery. Russia is likely experiencing a shortage of appropriate reconnaissance UAVs for this task, which is exacerbated by limitations in its domestic manufacturing capacity resulting from sanctions. Crewed Russian aircraft mostly continue to avoid conducting sorties over Ukrainian territory, likely because of the threat from intact Ukrainian air defence missiles systems. If Russia continues to lose UAVs at its current rate, Russian forces intelligence, surveillance and reconnaissance capability will be further degraded, negatively impacting operational effectiveness."

Sunday's MoD situation report concentrated on Russian deployment of its most modern armored fighting vehicles. "Russia’s only operational company of BMP-T Terminator tank support vehicles has likely been deployed to the Severodonetsk axis of the Donbas offensive. Their presence suggests that the Central Grouping of Forces (CGF) is involved in this attack, which is the only formation fielding this vehicle. CGF previously suffered heavy losses while failing to break through to eastern Kyiv in the first phase of the invasion. Russia developed Terminator after identifying the need to provide dedicated protection to main battle tanks it used during the Afghan and Chechen wars. The Severodonetsk area remains one of Russia’s immediate tactical priorities. However, with a maximum of ten Terminators deployed they are unlikely to have a significant impact on the campaign."

New loader identified in wiper campaigns.

The GRU's Sandworm group, ESET reports, has deployed a new version of its ArguePatch loader. ArguePatch had seen previous use in both Industroyer and CaddyWiper attacks against Ukrainian targets. "The new variant of ArguePatch – named so by the Computer Emergency Response Team of Ukraine (CERT-UA) and detected by ESET products as Win32/Agent.AEGY – now includes a feature to execute the next stage of an attack at a specified time. This bypasses the need for setting up a scheduled task in Windows and is likely intended to help the attackers stay under the radar."

President Putin complains of sanctions and cyberattacks, and vows to increase Russia's cybersecurity.

Reuters reports that on Friday President Putin complained to his security council that cyberattacks against Russia had increased. Mr. Putin also reprehended the way in which sanctions had affected the country's IT capabilities. "Restrictions on foreign IT, software and products have become one of the tools of sanctions pressure on Russia. A number of Western suppliers have unilaterally stopped technical support of their equipment in Russia." Russia needs, President Putin says, to shore up its cyber defenses, but he put a bold face on the situation, as Mashable quotes him: "Already today we can say that cyber aggression against us, as well as in general the sanctions attack on Russia, have failed."

Russian disinformation in Ukraine.

Russian disinformation efforts against Ukraine have been both heavy and heavy-handed, in some cases using a playbook almost out of the 1930s. The New Yorker described them last week: "Russian armored vehicles drove along Melitopol’s central avenues with loudspeakers blaring, 'The military-civilian administration of Melitopol, in order to prevent law-breaking and to insure public order, temporarily prohibits rallies and demonstrations.'" Newsweek elaborates: "Melitopol, a city in southern Ukraine, was one of the first sites of battle in the conflict and one of Russia's earliest successes. On Monday, The New Yorker reported that as Putin's forces stormed through the city in late February, soldiers posted flyers that declared the fighting was for 'the defense of Russia itself from those who have taken Ukraine hostage' and called for 'cooperation so that we can quickly turn this tragic page and move forward together.' Melitopol residents also found that Russian broadcasts had replaced their local radio programming; one played a speech by Putin on a loop. Meanwhile, an adviser to Mariupol Mayor Vadym Boychenko said Monday that Russia was offering to provide financial compensation to residents of the city if they blamed President Volodymyr Zelensky's military for destroyed housing or family deaths."

In general, Ukrainian messaging has been more effective and internationally successful. Russian messaging has found, principally, a domestic audience as Moscow's international isolation grows with the duration, brutality, and incompetence of its war. (A recent line, representative in its disconnection from reality, comes from Russian Foreign Ministry spokesperson Maria Zakharova, who, as quoted by the Telegraph, explained that the West didn't understand George Orwell's 1984 at all. It's not about totalitarianism in any sense. "This is a global fake," Ms Zakharova said. "He wrote about how liberalism would lead humanity into a dead end.") Effective disinformation works when lies have a bodyguard of truth. Zelenskyy-as-Nazi lacks that.

Coordinated inauthenticity at scale.

Coordinated inauthentic behavior is a different matter. Many have seen, as the Record observes, the Fronton botnet as principally a tool for distributed denial-of-service attacks. While it certainly has that capability, it's more remarkable for its ability to create synthetic personae in social media and marshal them in campaigns that push specific lines of disinformation. The Russian FSB security service is believed to have purchased Fronton from a contractor, 0Day Technologies. Researchers at Nisos have studied Fronton and found that its real novelty lies elsewhere, in its ability to push disinformation.

"In March 2020, a hacktivist group called “Digital Revolution” claimed to have hacked a subcontractor to the FSB. They claimed the hack occurred in April 2019. They released documents and contracts about a botnet system of Internet of Things (IoT) devices built by a contractor, 0day Technologies. This botnet is known by the codename Fronton (Фронтон). Media outlets went crazy. Headlines called it a tool that could be used to “turn off the Internet in a small country.” Most analyses assumed that the goal of the system was distributed denial of service (DDoS). A day later, another tranche of documents, images, and a video were released, with significantly less fanfare.

"Nisos research focused on that distribution of content. This release noted that DDoS “is only one of the many capabilities of the system.” Nisos analyzed the data and determined that Fronton is a system developed for coordinated inauthentic behavior on a massive scale. This system includes a web-based dashboard known as SANA that enables a user to formulate and deploy trending social media events en masse. The system creates these events that it refers to as Инфоповоды, “newsbreaks,” utilizing the botnet as a geographically distributed transport. SANA provides for the creation of social media persona accounts, including email and phone number provisioning. In addition, the system provides facilities for creating these newsbreaks on a schedule or reactive basis. Two example lists of posting source dictionaries were included in the data. One, involving comments around a squirrel statue in Almaty, Kazakhstan may have affected the reporting on a BBC story. As of April 2022, 0day technologies has changed its domain from 0day[.]ru to 0day[.]llc. An instance of the SANA system appears to be up at https://sana.0day[.]llc . Nisos assesses that this is possibly a testing or demo instance, and is not currently used by the FSB."

The Fronton toolkit enables not merely an array of coordinated posts, but also likes, reposts, and comments. And it provides feedback on the effectiveness of its operations in achieving reach, currency, and amplification, all of which can be used for the further tuning of disinformation campaigns. As the Hacker News points out, it's unclear whether Fronton has been used in active campaigns or whether it remains under development (or in reserve), but the botnet's capabilities are interesting.

Killnet crows large over Italian operations.

The Wall Street Journal reports that, even as Italian police sought to verify Killnet's claims of responsibility for attacks against various Italian websites, the Russian hacktivist group (at least a nominal, deniable, hacktivist group) claimed in its Telegram channels to have "killed Italy like a mosquito."

And Anonymous has taken official notice (in its decentralized, anarcho-syndicalist way). Infosecurity Magazine, for what it's worth, reports Anonymous claims that it's "declared war" on Killnet. "The #Anonymous collective is officially in cyber war against the pro-Russian hacker group #Killnet," the group tweeted, adding "R.I.P. killnet [dot] ru."