Ukraine at D+33: Negotiations resume as nuisance hacking rises.
Mar 29, 2022

Russia is concentrating on the Donbas as Ukraine stops advances elsewhere and negotiations resume in Istanbul. Nuisance-level hacking from both sides rises, with Russian DDoS and Ukrainian doxing.

This morning's situation report from the UK's Ministry of Defense reports continued local Ukrainian advances and ongoing Russian attempts to reduce Mariupol by fire. "Ukrainian Forces have continued to conduct localised counter attacks to the north west of Kyiv - including at Irpen, Bucha and Hostomel. These attacks have had some success and the Russians have been pushed back from a number of positions. However, Russia still poses a significant threat to the city through their strike capability. Russian Forces have maintained their offensive on Mariupol with continuous heavy shelling of the city, however the centre of the city remains under Ukrainian control. Elsewhere, Russian Forces are maintaining blocking positions while attempting to reorganise and reset their forces."

Russian contract soldiers redeployed to Eastern Ukraine.

The Wagner Group is being redeployed to Eastern Ukraine, the UK's Ministry of Defence reported yesterday. "Russian Private Military Company the Wagner Group has deployed to eastern Ukraine. They are expected to deploy more than 1,000 mercenaries, including senior leaders of the organisation, to undertake combat operations. Due to heavy losses and a largely stalled invasion, Russia has highly likely been forced to reprioritise Wagner personnel for Ukraine at the expense of operations in Africa and Syria." That would be consistent with indications of Russia's ambitions having contracted to consolidation (by fire) of its hold on the two nominally separatist provinces of the Donbas, as Ukraine appears to enjoy continued local successes in its counteroffensives.

Victory seems indeed to have been defined down.

After some official and semi-official back-and-forth, with senior officers saying that successful accomplishment of initial objectives has enabled Russia to concentrate on its primary mission of liberating the Donbas, while senior civilian officials said there'd been no change of Russia's plans for the "de-nazification" of Ukraine, Russia appears to have decided to define victory down. Journalist and Atlantic Council Fellow Hanna Liubakova shared remarks by Defense Minister Shoigu: "Rhetoric changed in #Russia. [Russian] Defense Minister Sergei Shoigu called 'the liberation of Donbas' the main goal of Russia in the war in Ukraine. He also assured that new recruits would not be sent to 'hot spots'. Russia may now focus on creating a land corridor from Donbas to Crimea."

Army General Shoigu had disappeared for almost two weeks, prompting speculation that he was ill, under arrest, or otherwise out of favor, but he apparently resurfaced at the end of last week. Whatever's going on inside the Kremlin, there are still signs that President Putin is unhappy that his war has so far been less than fully successful. To call the Russian special military operation "successful" in its initial phases is to perceive progress few outside the Russian Defense Ministry can perceive. The AP reports that "Many observers say the shift in strategy could reflect President Vladimir Putin’s acknowledgment that his plan for a blitz in Ukraine has failed, forcing him to narrow his goals and change tactics amid a disastrous war that has turned Russia into a pariah and decimated its economy."

Negotiations resume.

Other statements from the Kremlin maintain that Russia's cessation of operations against Kyiv and Chernihiv is a good-will gesture intended to serve as a sweetener in negotiations between Moscow and Kyiv. The AP this morning reported that Deputy Defense Minister Alexander Fomin said that Russia had decided to “'fundamentally ... cut back military activity in the direction of Kyiv and Chernihiv' to 'increase mutual trust and create conditions for further negotiations,'” a statement that most outside observers view as an attempt to make the best of operational failure as opposed to a conciliatory gesture.

Ukrainian President Zelenskyy in a video address this weekend called for more Western aid and stronger sanctions against Russia. He also offered Russia a compromise, a return to the status quo ante bellum, to be followed by further negotiations over the future of the Donbas and Ukrainian neutralization.

Negotiations between Russia and Ukraine resumed in Istanbul today, the Guardian reports, after “a cold welcome and no handshake.” Host nation Turkey appealed for compromise and a cease-fire, but there seems to be, at least in the US State Department's estimation, little evidence that Russia is interested in compromise.

Elsewhere, Bloomberg reports that US President Biden said that his temperamental remarks about desiring Russian President Putin's removal from office were sincerely meant, but were an expression of outrage, not an announcement of a formal change in US policy. The US wants Russia to stop its war of aggression against Ukraine, but isn't pursuing regime change in Russia. Mr. Biden also said he didn't intend to take his remarks back. "I make no apologies," the New York Times quoted the President as saying.

Cyberattack takes down major Ukrainian Internet provider.

Reuters reports that Ukrtelecom, Ukraine's major telecom provider of both Internet connectivity and mobile service, sustained a major cyberattack yesterday. It was apparently a distributed denial-of-service attack that Ukrtelecom described as "temporary difficulties with the installation of new Internet sessions for Ukrtelecom customers." Netblocks confirmed that Ukrtelecom service had indeed been disrupted. "Confirmed: A major internet disruption has been registered across #Ukraine on national provider #Ukrtelecom; real-time network data show connectivity collapsing to 13% of pre-war levels; the provider reports issues assigning new sessions." Forbes quotes senior Ukrainian officials as saying they're presently unsure whether the attack was a conventional distributed denial-of-service attack or represented a deeper intrusion into Ukrtelecom's systems.

SSSCIP Ukraine, the State Service of Special Communications and Information Protection of Ukraine (also @dsszzi), was quick to attribute the incident to a Russian cyberattack. "Today, the enemy launched a powerful cyberattack against #Ukrtelecom’s IT-infrastructure," the agency tweeted yesterday. "According to Yurii Shchyhol, the Chairman of the @dsszzi, at the moment massive cyberattack against #Ukrtelecom is neutralized. Resuming services is under way." While SSSCIP says the attack has been "neutralized," Ukrtelecom is limiting service to the private sector and giving priority to Ukrainian military formations while full service is being restored. "In order to preserve its network infrastructure and to continue providing services to Ukraine’s Armed Forces and other military formations as well as to the customers, #Ukrtelecom has temporarily limited providing its services to the majority of private users and business-clients. The specialists from the @dsszzi promptly reacted to the situation, due to which the attack was repelled. And now #Ukrtelecom has an ability to begin restoring its services to the clients."

This seems to be the most significant Russian cyberattack since the opening hours of the invasion, but it still falls short of the disruptive attacks against Ukrainian infrastructure that have been widely expected.

GhostWriter reported to deploy Cobalt Strike against Ukrainian government targets.

GhostWriter, a threat actor associated with the Belarusian government, has been using spearphishing attacks to install Cobalt Strike Beacon in Ukrainian government systems. Security Affairs cites CERT-UA as the source of the report. Cobalt Strike is a common legitimate penetration-testing toolset that's been turned to illegitimate use by criminals and, as in this case, intelligence services.

Trickbot's role in Russia's war; Anonymous makes some large claims.

The Wall Street Journal has an account of a Ukrainian researcher's infiltration of chatter by the managers of the Trickbot banking Trojan. The group interpenetrates Conti's operators, and the chats disclosed show a similar commitment to Russia's war effort. They also indicate an interest in hitting Western targets, including US hospitals, but these should be taken with an appropriate grain of salt. Not only are the leaks so far unconfirmed by official sources, but criminals and privateers, like hacktivists, tend to crow large, their eagle mouth overloading their parakeet fundament.

A similar tendency is probably in evidence on the Ukrainian side, where hacktivists who claim allegiance to Anonymous say they're working on a data dump from their compromise of construction firm Rostproekt. "Anonymous, the decentralized international activist and hacktivist collective, stays true to its promise of dumping 'huge' data that will 'blow Russia away' by leaking hacked Rostproekt," @LatestAnonPress tweeted.

Twitter has suspended some accounts associated with Anonymous, but Security Affairs reports that the hacktivist collective is saying that it's already counted coup against both the All-Russia State Television and Radio Broadcasting Company (VGTRK) and the Russian Central Bank.

Ukrainian intelligence services dox FSB officers.

Ukrainian intelligence services have released the names and addresses of six-hundred-twenty people they allege to be FSB officers. The Times reports that, "As well as names and addresses, the list includes details of agents’ cars such as their numberplates, their phone numbers and dates and places of birth." Some of the officers whose data were exposed, the Telegraph says, are believed to be operating in foreign countries including the UK. The data in the leaked files includes what appear to be entries in personnel files, like observations that one officer likes luxury cars, and that another drinks too much and has a propensity to violate traffic laws. The incident is an embarrassing black eye for the FSB, which has attracted President Putin's ire for what he retrospectively sees as misleadingly optimistic intelligence assessments of Ukrainian public opinion and will to resist a Russian invasion.

Conventional criminals continue to exploit sympathy for Ukraine in social engineering scams.

Criminals are taking advantage of widespread sympathy for Ukraine's experience under Russian aggression by preying upon people's desire to help out. The scams, Grid News says, include conventional donation scams (enabled by bogus alt-coin remittance systems) and more exotic appeals to those who would join the hacktivist IT Army that's formed under the uncertain direction of Kyiv to fight Russian interests. In the latter case, naive volunteer hacktivists have been induced to install malware in their devices after being convinced that, no, really, they're helping set up distributed denial-of-service attacks against Russian networks.

Grid points out one interesting feature of these criminal scams: they presuppose a degree of technological sophistication among the victims. "The fact that regular people far from Ukraine are getting involved in DDoS attacks and donating cryptocurrencies is a sign that the 'baseline technological knowledge for the majority of people is much higher than it ever has been,' said threat researcher Nick Biasini, head of outreach at security firm Cisco Talos. But a little knowledge can be a dangerous thing: It’s also given cybercriminals a way to capitalize on their efforts and prey on the public’s best intentions, especially those of the well-meaning amateur hackers joining in Ukraine’s cyber defense."