Ukraine at D+167: Strike, regrouping, and nuisance-level cyber ops.
Aug 10, 2022

Russia continues its efforts to regroup before Ukraine's incipient counteroffensive can gain momentum. Ukraine shows a long-range strike capability, and nuisance-level hacking continues in the hybrid war.

This morning's situation report from the UK's Ministry of Defence focuses on Russian attempts to feed new manpower into its invasion. The report is skeptical with respect to how successful those attempts are likely to be. "Russian commanders highly likely continue to be faced with the competing operational priorities of reinforcing the Donbas offensive, and strengthening defences against anticipated Ukrainian counter attacks in the south. To support the Ukraine operation, Russia has almost certainly established a major new ground forces formation, 3rd Army Corps (3 AC), based out of Mulino, in Nizhny Novgorod Oblast east of Moscow. Russia likely plans to resource a large proportion of 3 AC from newly formed ‘volunteer’ battalions, which are being raised across the country, and which group together recruits from the same areas. Russian regional politicians have confirmed that potential 3 AC recruits are being offered lucrative cash bonuses once they deploy to Ukraine. Recruitment is open to men up to 50 years old and with only middle-school education. A Russian army corps typically consists of 15-20,000 troops, but it will probably be difficult for Russia to bring 3 AC up to this strength, given very limited levels of popular enthusiasm for volunteering for combat in Ukraine. 3 AC’s effect is unlikely to be decisive to the campaign."

Explosions at Russian airbase in Crimea.

The explosions at the Russian airbase near Novofederivka in occupied Crimea are being claimed by Ukraine. The New York Times reports that Ukrainian authorities have claimed the three large explosions that damaged the installation, and that they credited "partisans" with the success of the strike. Whether the attack was sabotage conducted by partisans on the ground or whether the partisans located the target and called in long-range fires is unclear. US sources say that the strike wasn't carried out by a Western-supplied system, and the Telegraph recounts speculation that the weapon used against the airbase was a repurposed Neptune anti-ship missile, a system produced in Ukraine. The strike is significant because it demonstrates that Ukraine has the ability to hit targets well behind Russian lines. Novofederivka is about 125 miles from the nearest areas under effective Ukrainian control.

Finland's parliament comes under cyberattack.

The website of Finland's parliament was unavailable yesterday as it came under a distributed denial-of-service (DDoS) attack. The attack is under investigation, but is believed to originate from Russia. Finnish news outlet Yle reports that the website was inaccessible between 2:30 PM and 10:00 PM local time. The threat actor behind the incident is believed, on the basis of claims in a hacktivist group's Telegram channel, to be a Russian group calling itself NoName057(16), and the motive is to harass Finland's government for its decision to seek NATO membership. "We decided to make a 'friendly' visit to neighbouring Finland, whose authorities are so eager to join Nato," the group said.

Killnet says its cyber operations will soon turn (literally) lethal.

Killmilk, the nom-de-hack used by the person or persons who claim to be the founder (or founders) of the nominally hacktivist group Killnet, has upped the ante on earlier promises to punish "the West" for its support of Ukraine, and especially for its provision of HIMARS rocket artillery. "In Russia, I will become a hero, and abroad, a criminal," Newsweek quotes Killmilk as saying in an interview posted to Gazeta.ru. He added, "Soon, I and Killnet will launch powerful attacks on European and American enterprises, which will indirectly lead to casualties. I will do my best to make these regions and countries answer for each of our soldiers."

Killnet had announced, last week, that it was undertaking a radically new form of cyberattack against targets it regarded as particularly objectionable, notably Lockheed Martin, which produces HIMARS, and against some unspecified system or subsystem of HIMARS itself. But so far nothing has materialized.

It's notable, perhaps, to see the repeated Russian theme, "we're not threatening nuclear war, but we're threatening nuclear war" surface in Killmilk's remarks. "We are crazy guys, but we see the boundaries and are not going to cross them," Killmilk said. "I don't think that because of several dozen human casualties, nuclear missiles will fly in the face of Lockheed Martin employees." That is, nice company you got here; shame if something happened to it.

Cyberattacks against a UK firm that's criticized Russia's war.

The Telegraph reports that Britain's National Cyber Security Centre (NCSC) and Scotland Yard are investigating a series of distributed denial-of-service (DDoS) attacks the alt-currency firm Currency.com has sustained since its founder criticized Russia's war at the end of February. Victor Prokopenya, the company's founder, said: “The cyber attack has been going on almost on a daily basis every day for the last three months. It’s like someone repeatedly trying to break down your front door.” He said his security team is convinced that the attack is Russian in origin. The NCSC believes that the operators behind the DDoS are privateers as opposed to Russian government organizations.

Not all criminal organizations are working for Russia.

Digital Shadows reports on a cybercriminal gang that's exhibiting some sympathy for the cause of Ukraine. DUMPS Forum was established in May of this year, and, Digital Shadows says, it looks a lot like other criminal fora. "DUMPS Forum appears to be the same as every other run-of-the-mill Russian language cybercriminal forum. There’s a section for trading illicit material, carding, malware, and establishing accesses to targeted networks. At present this forum is open to members without any vetting or registration process, however, there is an ongoing request for an invite system that may become the main method of gaining access if the forum builds its notoriety." But DUMPS is different in the allegiances it declares. Posted to the forum is this opening statement: “Information services / leaks or other services on our forum are allowed in relation to only two states, these are the Russian Federation and Belarus. Topics that mention other countries are not allowed. This is the main rule of our forum.” Thus it's an anti-Russian (and anti-Belarusian) operation.

Digital Shadows characterizes DUMPS as unusually "brazen," even going so far as to post what they claim is an overhead image showing their headquarters in a Kyiv apartment building. Who knows if that's true or just a goof, but the roof does have some demotic graffiti that reads, roughly, "Putin effed up."

DUMPS may represent, if not exactly privateering (it's unclear whether DUMPS has anything like the virtual letter of marque Russian gangs enjoy), then perhaps patriotic banditry. Digital Shadows concludes, "DUMPS Forum likely has an important role to play in the ongoing Russia-Ukraine war; as a hub for hacktivists and patriotic cyber threat actors, as a symbol of resistance, and making a demonstrable difference on the cyber battlefield. Any success achieved by DUMPS Forum will however attract unwanted attention; the ban on Russian citizens visiting the forum highlights that the forum is already on the radar of the Russian state. It is also realistically possible that the success of DUMPS Forum may inspire other services looking to play a part in the ongoing conflict."

A linguistic note. DUMPS is written in Russian, and thus Digital Shadows speculates that it may be designed to appeal to disaffected hoods within Russia itself. It's easy, however, to underestimate the degree of mutual intelligibility found among the Slavic languages, and especially between Russian and Ukrainian, and the fact that it's written in Russian wouldn't represent much of an obstacle to speakers of Ukrainian. Anglophones may find this comparison useful: the English spoken in Scotland sounds different from the English spoken in Texas, but if you put a kid from Brodick with a kid from Marfa, they'd probably work it out.