Ukraine at D+652: FSB and GRU cyber operations aim at influence.
The CyberWire, Dec 8, 2023

The Five Eyes jointly expose (and condemn) a long-running FSB cyberespionage and influence campaign.


Waves of drones and guided missiles hit Ukrainian cities overnight. Radio Free Europe | Radio Liberty reports that air raid alerts sounded in Kyiv, Cherkasy, Kirovohrad, Kherson, Mykolayiv, Chernihiv, Poltava, Dnipropetrovsk, Zaporizhzhya, Donetsk, Kharkiv, and Sumy. In addition to Shahed drones, Russian forces used S-300 guided missiles (air defense weapons apparently repurposed for land attack) and Kh-101/Kh-555 cruise missiles.

The UK's Ministry of Defence assessed this morning that air defenses on both sides continue to inhibit crewed aircraft operations in the theater.

To no one's surprise, Vladimir Putin has announced he'll stand for reelection as Russia's president. The reelection theater is scheduled for March.

"Highly attritional" tactics.

"Highly attritional" is the Institute for the Study of War's assessment of Russian tactics across the front. That is, "Russian forces may be suffering losses along the entire front in Ukraine at a rate close to the rate at which Russia is currently generating new forces." Russia's attacks are now being led by dismounted infantry, in an apparent effort to reduce losses of combat vehicles.

Significant Russian losses are being incurred in defensive operations as well. "Ukrainian officials have notably indicated that Russian defensive efforts are resulting in significant casualties as well, with Ukrainian forces reportedly killing over 1,200 Russian personnel and wounding over 2,200 on the east (left) bank of Kherson Oblast between October 17 and November 17. Ukrainian forces continue counteroffensive operations in western Zaporizhia Oblast and are likely inflicting similar losses on defending Russian forces in this sector of the front."

Russia's crypto-mobilization is believed to be bringing in between 20,000 and 40,000 new troops each month. The current Russian casualty rate may be approaching those figures.

Update on FSB spearphishing by Star Blizzard.

The four other Eyes have joined their British colleagues in a cybersecurity advisory describing a spearphishing campaign run by an FSB operation they're calling Star Blizzard: Russian FSB Cyber Actor Star Blizzard Continues Worldwide Spear-phishing Campaigns. The Five Eyes agree that Star Blizzard (also known as SEABORGIUM, Callisto Group, TA446, COLDRIVER, TAG-53, or BlueCharlie) is "almost certainly subordinate to the Russian Federal Security Service (FSB) Centre 18." The advisory also includes advice on detection and mitigation.

The spearphishing campaign shows a distinct preference for personal email addresses, presumably because these are thought to be less securely controlled than organizational or corporate addresses. The emails begin with phishbait tailored to the recipient's interests and from there work over time to build trust and rapport. The initial contact is benign. Only after a relationship is established with the target does Star Blizzard share a link that, if the target follows it, leads to an FSB-controlled server displaying a page that mimics a legitimate service. The target is invited to enter account credentials, and should the target do so, those credentials are compromised. From that point Star Blizzard uses them to access the target's email and contacts list. The compromised account and its contacts list can then be used in subsequent phishing attacks. The process is similar to that used by intelligence services to recruit agents, transposed to cyberspace.

Star Blizzard has been active since 2019, and it has devoted most of its attention to the UK and the US, with other NATO countries and nations in Russia's Near Abroad also being targeted. The group has shown most interest in "academia, defense, governmental organizations, NGOs, think tanks and politicians." Much of its activity has been devoted to "hack-and-leak" operations intended to discredit selected individuals and organizations. The Wall Street Journal writes that naming the FSB and describing its activities are expected to make it more difficult for the Russian intelligence service to influence elections in the UK and other Western countries. The Russian embassy in London dismissed the advisory. "This futile move is yet another act of poorly staged drama," the Russian mission tweeted.

Futile or not, one of the alleged aims of Star Blizzard is instructive: the Guardian reports that the FSB is collecting against, and seeking to disrupt, investigations into Russian war crimes in Ukraine.

Legal action against Star Blizzard's FSB operators.

The US and the UK have taken steps against the individuals and organizations involved in Star Blizzard. The State Department is offering up to $10 million under its Rewards for Justice Program "for information leading to the identification or location of any person who, while acting at the direction or under the control of a foreign government, engages in certain malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act (CFAA)."

The State Department is particularly interested in the FSB personnel for whom the U.S. Justice Department has secured indictments. On Thursday the Justice Department announced that "a federal grand jury in San Francisco returned an indictment on Tuesday charging two individuals with a campaign to hack into computer networks in the United States, the United Kingdom, other North Atlantic Treaty Organization member countries and Ukraine, all on behalf of the Russian government." The individuals named in the indictment are "Ruslan Aleksandrovich Peretyatko (Перетятько Руслан Александрович), an officer in Russia's Federal Security Service (FSB) Center 18," and "Andrey Stanislavovich Korinets (Коринец Андрей Станиславович)," who, the Department says, together with "other unindicted conspirators employed a sophisticated spear phishing campaign to gain unauthorized, persistent access (i.e., 'hack') into victims' computers and email accounts." Both gentlemen are presently out of reach, but, if apprehended and convicted, Mr. Peretyatko faces up to five years in prison, Mr. Korinets up to ten.

Messrs. Peretyatko and Korinets have also been sanctioned by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC), in coordination with its partners in the UK. "As a result of today’s action," the Department explained, "all property and interests in property of the individuals described above that are in the United States or in the possession or control of U.S. persons must be blocked and reported to OFAC. OFAC’s regulations generally prohibit all dealings by U.S. persons or within the United States (including transactions transiting the United States) that involve any property or interests in property of a blocked or designated person."

(Added, 10:15 AM ET, December 8th, 2023.) Adam Meyers, Head of Counter Adversary Operations at CrowdStrike, commented on the threat actor, which CrowdStrike tracks as "Gossamer Bear." "Today, governments from the Five Eyes publicly attributed Gossamer Bear to Center 18 of the Russian Federal Security Service (FSB), noting that the adversary intended to interfere in UK politics and democratic processes," he wrote in emailed comments. "As part of this coordinated action, the UK and U.S. sanctioned Russian nationals Ruslan Peretyatko and Andrey Korinets for direct and indirect involvement in GOSSAMER BEAR's campaigns conducted from 2015 to 2022. The U.S. Department of Justice indicted those same individuals for their roles in malicious domain registration and spear-phishing campaigns."

Meyers and his team have been tracking the threat actor for ten years. "CrowdStrike has been tracking GOSSAMER BEAR since 2013. Originally, the threat actor conducted credential-collection campaigns that targeted governments, military, think tanks, and media entities with a particular focus on organizations with links to Ukraine. Since 2016, the adversary has targeted UK-specific government organizations. Recently, GOSSAMER BEAR likely used a pro-Russia media outlet to launder information acquired through collection operations. CrowdStrike applauds the collaboration of the Five Eyes to bring nefarious threat actors such as these to justice as acts like this highlight the criticality of information sharing across nations focused on maintaining the integrity of democracy."

How the GRU faked celebrity videos in its Doppelgänger campaign.

The other major ongoing Russian influence operation, the GRU's Doppelgänger campaign, made use of videos recorded by celebrities on the Cameo service to misrepresent Ukrainian President Zelenskyy as a "corrupt drug addict," urging him to seek help while warning the public to beware of him. Cameo offers users the opportunity to pay for a short bespoke video from a celebrity in which that celebrity offers some sort of greeting, encouragement, or other anodyne message. In this case the Russian military intelligence service set the messages and then staged them to push what it hoped would become a viral narrative.

Microsoft explained, "Unwitting American actors and others appear to have been asked, likely via video message platforms such as Cameo, to send a message to someone called 'Vladimir', pleading with him to seek help for substance abuse. The videos were then modified to include emojis, links and sometimes the logos of media outlets and circulated through social media channels to advance longstanding false Russian claims that the Ukrainian leader struggles with substance abuse." (The choice of "Vladimir" suggests that the Aquarium has a sense of humor, but they're skating on thin ice: Vladimir Vladimirovich Putin may not find the use of his first name as boffo as the boys and girls in Unit 54777 did.)

Microsoft draws one lesson from this campaign: Russian trolling didn't die with Mr. Prigozhin. "The August 2023 death of Russian businessman Yevgeny Prigozhin, who owned the Wagner Group and the infamous Internet Research Agency troll farm," Redmond observes, "led many to question the future of Russia’s influence and propaganda capabilities. However, since then, Microsoft has observed widespread influence operations by Russian actors that are not linked to Prigozhin, indicating that Russia has the capacity to continue prolific and sophisticated malign influence operations without him."

Killmilk says he's retiring.

The Record reported this morning that Killmilk, the high-profile albeit pseudonymous leader of the KillNet Russian hacktivist auxiliary, has announced his retirement. He Telegraphed his departure "with a smile and a calm soul," saying that his support of Russia's special military operation has taken a big toll on him. KillNet is now under new management by Deanon Club, if KillNet's Telegram channel is to be believed. Deanon Club offered a chipper little meet-the-new-boss introduction, promising good things to come. And Killmilk? He says (implausibly, given that he's probably only thirty years old) he intends to spend more time with his grandchildren.