Ukraine at D+461: More cross-border operations.
N2K, May 31, 2023

Drones hit Russian targets, although Russian strikes against Ukraine remain far more common. In cyberspace, the lines separating hacktivists from criminals from intelligence services continue to blur.

Ukraine at D+461: More cross-border operations.

After unusually heavy Russian missile strikes against Ukrainian cities (seventeen, during the month of May alone, Reuters counts), drones (almost certainly Ukrainian drones) struck targets inside Russia. Those targets included oil refineries in the vicinity of Novorossiisk and Krasnodar. The Guardian reports, "Drones attacked two oil refineries just 40-50 miles (65-80 km) east of Russia’s biggest oil export terminals on Wednesday, sparking a fire at one and causing no damage to the other, according to Russian officials. At around 2am BST a drone struck the Afipsky oil refinery in Russia’s Krasnodar region, causing a fire which was later extinguished, Governor Veniamin Kondratyev said. Another drone crashed into the Ilsky refinery, which lies around 40 miles east of Novorossiisk."

More spectacularly, three drones (said to be the survivors of a flight of eight, five of which were either shot down or diverted by Russian defenses) hit a wealthy residential area of Moscow. President Putin called it terrorism, an "attempt to frighten Russians." Ukrainian officials said that, while they welcomed the attack against Moscow and looked forward to more of the same, Ukraine wasn't involved in the strike. (All deliberate or even reckless strikes against civilian targets violate norms of armed conflict.) The drones involved are said to be UJ-22s, a propeller-driven Ukrainian-produced UAV. By cruise missile standards the UJ-22 is a popgun: its payload is twenty kilograms, or somewhat less than a single 155mm high explosive shell. It cruises at 75 miles per hour and is claimed to have a range of 500 miles.

The strike against Moscow, which the Kremlin said did negligible damage, has prompted two public reactions within Russia. Official media are taking the line that the strikes are an occasion for heightened solidarity and shared sacrifice, and merit a kind of somber welcome. Nationalist milbloggers, on the other hand, are outraged, condemning the Russian military for what the bloggers see as negligence and ineptitude with respect to air defense. Wagner Group capo Prigozhin was among those in full cry, calling for a harder war and excoriating official softness: "You, the Defense Ministry, have done nothing to launch an offensive. How dare you allow the drones to reach Moscow?" The milbloggers may have a point: it ought not to be that difficult to knock down a UJ-22. The strike was embarrassing, and may motivate Russia to redeploy air defense systems from the front to positions from which they can protect potential domestic targets.

The US, concerned about escalation, officially opposes cross-border attacks by Ukraine. British Foreign Secretary Cleverly, however, said after the drone attacks that Ukraine “has a right” to project power “beyond its own borders” as it resists Russia's invasion.

Lack of strategic clarity and loss of initiative.

The UK's Ministry of Defence in this morning's situation report discussed Russia's difficulty maintaining the initiative. "Since the start of May 2023, Russia has increasingly ceded the initiative in the conflict and is reacting to Ukrainian action rather than actively progressing towards its own war aims. During May 2023, Russia has launched 20 nights of one-way-attack uncrewed aerial vehicle and cruise missile attacks deep inside Ukraine. Russia has had little success in its likely aims of neutralising Ukraine’s improved air defences and destroying Ukrainian counter-attack forces. On the ground, it has redeployed security forces to react to partisan attacks inside western Russia. Operationally, Russian commanders are likely attempting to generate reserve forces and position them where they believe a Ukrainian counter-attack will occur. However, this has probably been undermined by uncommitted forces instead being sent to fill gaps in the front line around Bakhmut."

Motivations: criminal and hacktivist.

Trend Micro describes the recent activity of Void Rabisu, "a malicious actor believed to be associated with the RomCom backdoor." It's a Russian or at least a Russophone gang, and until the last few months its activities and motivations have generally been assumed to be straightforwardly criminal, motivated by financial gain and on the lookout for the main chance. Also known as "Tropical Scorpius," Void Rabisu has been associated with the Cuba ransomware operation (closely linked with Russian intelligence services), and since late 2022 the gang's targeting has increasingly matched Russian state interests. Trend Micro writes, "Void Rabisu’s associated RomCom backdoor was reported to have been used in attacks against the Ukrainian government and military: In a campaign in December 2022, a fake version of the Ukrainian army’s DELTA situational awareness website was used to lure targets into installing the RomCom backdoor." The target selection is that of an intelligence service; the TTPs are those of a criminal gang. "Normally, this kind of brazen attack would be thought to be the work of a nation state-sponsored actor, but in this case, the indicators clearly pointed towards Void Rabisu, and some of the tactics, techniques, and procedures (TTPs) used were typically associated with cybercrime." Trend Micro thinks that Void Rabisu's targeting has been connected to Russian strategic goals since October of 2022. The group's evolution shows the continued blurring of lines between hacktivists, intelligence services, and criminal gangs. Of those three, in Russia's case, the intelligence services are clearly in the saddle.
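The DELTA lure above is a lookalike-site attack: a hostname built to pass as the real portal, serving an installer that is actually the backdoor. One way a SOC can hunt for that pattern in its own proxy logs is shown below. This is an added example, not code from Trend Micro or from the briefing; the protected hostname in the watchlist is an assumption chosen for illustration (the article does not give the real or the fake DELTA address), and the log format and log lines are constructed.

```python
"""Lookalike-domain triage over proxy logs.

Added example, not code from Trend Micro or from the briefing. The watchlist
hostname and the log lines are constructed for illustration; the DELTA portal
hostname is an assumption, not something the article states.
"""
from typing import Dict, List, Optional, Tuple

# Hostnames to protect from impersonation. Constructed watchlist; assumed hostname.
WATCHLIST = ["delta.mil.gov.ua"]

# Substitutions attackers use to make a host read like the real one.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "rn": "m", "vv": "w", "cl": "d",
    # Cyrillic letters that render identically to Latin ones
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x",
}

# File extensions that suggest the request fetched an installer or dropper.
DROPPER_EXTS = (".exe", ".msi", ".zip", ".iso", ".dll", ".scr")


def normalize(host: str) -> str:
    """Lowercase, decode punycode if present, then fold confusable characters."""
    host = host.lower().rstrip(".")
    if "xn--" in host:
        try:
            host = host.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    for src, dst in CONFUSABLES.items():
        host = host.replace(src, dst)
    return host


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; hostnames are short, so no optimisation needed."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host: str) -> Tuple[str, Optional[str]]:
    """Return (verdict, watchlist entry) for one hostname."""
    raw = host.lower().rstrip(".")
    norm = normalize(raw)
    for entry in WATCHLIST:
        target = normalize(entry)
        brand = target.split(".")[0]
        if raw == target or raw.endswith("." + target):
            return "legitimate", entry        # the real site or a subdomain of it
        if norm == target:
            return "homoglyph", entry         # identical once look-alike characters are folded
        if levenshtein(norm, target) <= 2:
            return "typosquat", entry         # one or two edits away from the real name
        if brand in norm.replace("-", ".").split("."):
            return "brand-abuse", entry       # brand label parked under someone else's domain
    return "unknown", None


# Constructed proxy log lines: timestamp, user, host, path, status.
SAMPLE_LOG = """\
2023-05-30T09:12:01Z alice delta.mil.gov.ua /login 200
2023-05-30T09:14:22Z bob de1ta.mil.gov.ua /update/delta_setup.exe 200
2023-05-30T09:15:03Z carol delta-support.net /download 200
2023-05-30T09:17:45Z dave deltamil.gov.ua /client.msi 200
2023-05-30T09:20:10Z erin example.com /index.html 200
"""


def triage(log_text: str) -> List[Dict[str, Optional[str]]]:
    """Flag log lines whose host impersonates a watchlist entry.

    Severity is raised when the request fetched an installer-like file, which is
    the lookalike-site-plus-download pattern of the fake DELTA campaign.
    """
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        ts, user, host, path, _status = fields[:5]
        verdict, entry = classify(host)
        if verdict in ("legitimate", "unknown"):
            continue
        severity = "high" if path.lower().endswith(DROPPER_EXTS) else "medium"
        findings.append({"time": ts, "user": user, "host": host, "verdict": verdict,
                         "impersonates": entry, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['verdict']:11} {f['user']} -> {f['host']} ({f['impersonates']})")
```

Run against the constructed log, the script flags three of the five requests (a digit-for-letter homoglyph, a brand label under an unrelated domain, and a missing-dot typosquat) and rates the two that pulled an installer as high. The brand-abuse rule is deliberately loose and will also fire on unrelated legitimate domains that happen to share the brand label, so it belongs in a hunting query with an allowlist rather than in a blocking control; the edit-distance threshold should likewise be tuned per watchlist entry, since short names tolerate fewer edits before collisions with legitimate domains appear.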

We received comment on the RomCom backdoor and its use in the wild from some industry experts.

Dror Liwer, co-founder of cybersecurity company Coro, wrote, “It has become standard operating procedure for threat actors that develop sophisticated attack methods for political purposes to monetize these techniques by either using them themselves for commercial purposes, or making them available for a fee on the dark web once their political usefulness has been maximized. The fact that a threat actor has political motivations should not lull us into a false sense of security. The techniques developed will end up in the market targeting businesses and individuals for profit.”

James McQuiggan, security awareness advocate at KnowBe4, said, “The updated RomCom malware continues to escalate and improve its evasion tactics, and organizations must keep EDRs and antimalware systems current. If they have a SOC or MSSP, they’ll want to monitor all downloads to their endpoints to ensure they do not contain malicious software. Cybercriminals leverage known applications to trick users into believing they're downloading the latest and greatest extension, plugin, or AI software. Users must ensure they're downloading from reputable sites; if unsure, it's better to be safe than sorry and not use that site.”