Ukraine at D+629: Cyberespionage, and a tech exit.
N2K, Nov 15, 2023

Russian cyberespionage operations are exposed and described. Yandex prepares to sell its assets in Russia as that country's tech sector continues to be sorted out over the war.


With missile strikes against Ukrainian rear areas (Kyiv declared a nationwide air raid alert yesterday) and dismounted infantry assaults against Ukrainian positions around Kupyansk, Avdiivka, and Donetsk, Russia seems to be attempting to regain the operational initiative. There's doubt, however, that it has the wherewithal to do so. The Institute for the Study of War (ISW) notes that Ukrainian pressure may be too much for the Russian assaults to achieve the general success they seem to be seeking. For its part, Ukraine now says its forces are across the Dnipro and operating east of that river. Kyiv had hitherto been slow to confirm its advance, although Russian milbloggers have been writing about it for some time.

The Russian government continues its policy of offering criminals remission of their sentences in exchange for service at the front. The BBC reports that one prominent convicted murderer, Sergei Khadzhikurbanov, has been pardoned by President Putin for volunteering as a contract soldier in the war against Ukraine. Mr. Khadzhikurbanov had been sentenced to twenty years in prison for arranging the 2006 assassination of the prominent journalist Anna Politkovskaya. Ms. Politkovskaya's work was regarded as troublesome by the regime.

Yandex NV will sell off its Russian assets.

Reuters reports that Yandex NV, commonly called the "Russian Google," has announced it will sell off its Russian assets. The company, which dominates the online advertising and taxi market in Russia (it could, with its taxi business, equally be called the "Russian Uber") has had difficulty with the Russian government since the invasion of Ukraine last year. (One of the company's founders called that invasion "barbaric," and the company has found compliance with government content guidelines difficult.) Yandex NV is formally based in Schiphol, the Netherlands, and since 2011 has traded on the Nasdaq under the ticker symbol YNDX. The sale is intended to recoup some value for shareholders and enable the company to move on from the Russian market, restructuring for less difficult international markets. Russia is believed to have avoided simply nationalizing Yandex for fear of exacerbating an already worrisome tech brain drain.

Cyberespionage campaign attributed to Russia's SVR.

Ukraine’s National Cyber Security Coordination Center (NCSCC) has published its analysis of a widespread cyberespionage campaign that, this past September, hit diplomatic targets in Azerbaijan, Greece, Romania and Italy. The foreign ministries of Azerbaijan and Italy were particularly hard hit. The campaign was widely regarded at the time as a Russian intelligence operation, and the NCSCC attributes it directly to APT29, Cozy Bear, a unit of Russia's SVR foreign intelligence service.

The phishbait was familiar: a BMW was offered for sale. The NCSCC gives the enemy service due props for intelligent social engineering: "APT29 ingeniously employed benign-looking lures in the form of enticing BMW car sale photos and documents, expertly crafted to draw in unsuspecting victims." And while the bait may have been old (still, however, effective), the phish hook was new. "The lure documents contained hidden, malicious content that exploited the WinRAR vulnerability, granting attackers access to the compromised systems." The flaw in question, patched in WinRAR 6.23 in August 2023, is one of archive handling rather than of the documents themselves: an archive that pairs a benign-looking file with a folder of the same name holding a script causes an unpatched WinRAR to run the script when the user double-clicks the file from the archive listing. The decoy photo or document can be entirely clean, so content scanning of the lure alone will not catch it; updating WinRAR is the fix. The SVR also made creative use of the legitimate Ngrok tool, which developers use to expose a local service through a temporary public URL on Ngrok's own domains. In this case it gave the operators command-and-control channels that terminate on Ngrok's infrastructure and travel inside Ngrok's TLS, so the traffic blends in with legitimate developer use of the service and is difficult to distinguish from it.
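As an added example (not from the NCSCC report or from the original article), the following Python check flags ZIP archives that have the file-beside-a-same-named-folder layout the WinRAR archive-spoofing flaw relies on, so a mail gateway or sandbox can triage such attachments before a user opens them. The two sample archives are constructed in memory; their file names and the "payload" text are placeholders, not material recovered from the campaign, and the list of script extensions is an assumption about what Windows will execute on a double-click.

```python
import io
import posixpath
import zipfile

# Assumed set of file types Windows runs on a double-click (ShellExecute), which is
# what an unpatched WinRAR does with the name the user clicked in the listing.
SCRIPT_EXTENSIONS = {".cmd", ".bat", ".exe", ".vbs", ".js", ".ps1", ".scr", ".lnk", ".hta"}


def find_spoofed_entries(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (decoy, payload) pairs matching the WinRAR archive-spoofing shape.

    Shape: a top-level file "X" sits beside a directory named "X" plus optional
    trailing space(s), and that directory holds a script whose name begins with
    "X". Opening X from an unpatched WinRAR extracts both and runs the script.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        names = [n for n in archive.namelist() if not n.endswith("/")]

    top_level = [n for n in names if "/" not in n]
    findings = []
    for decoy in top_level:
        for entry in names:
            folder, sep, rest = entry.partition("/")
            if not sep or "/" in rest:
                continue  # not a file exactly one level below a top-level folder
            if folder.rstrip(" ") != decoy:
                continue  # folder name does not collide with the decoy file name
            if not rest.startswith(decoy):
                continue  # payload must share the decoy's name to be picked up
            if posixpath.splitext(rest)[1].lower() in SCRIPT_EXTENSIONS:
                findings.append((decoy, entry))
    return findings


def build_archive(entries: list[tuple[str, bytes]]) -> bytes:
    """Build an in-memory ZIP from (name, content) pairs (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, content in entries:
            archive.writestr(name, content)
    return buf.getvalue()


def lure_sample() -> bytes:
    """Constructed archive in the shape of the lure; the 'payload' only echoes text."""
    decoy = "BMW_5_series_for_sale.jpg"
    return build_archive([
        (decoy, b"\xff\xd8\xff\xe0 placeholder image bytes"),
        # Folder name is the decoy plus a trailing space; script name starts with the decoy.
        (f"{decoy} /{decoy} .cmd", b"@echo off\r\necho harmless placeholder\r\n"),
    ])


def benign_sample() -> bytes:
    """Archive with an innocent name collision (folder matches a file, but no script)."""
    return build_archive([
        ("photos.jpg", b"image"),
        ("photos.jpg/notes.txt", b"caption"),
        ("docs/offer.pdf", b"pdf"),
    ])


if __name__ == "__main__":
    for label, sample in (("lure", lure_sample()), ("benign", benign_sample())):
        hits = find_spoofed_entries(sample)
        print(f"{label}: {'SUSPICIOUS ' + str(hits) if hits else 'clean'}")
```

The check deliberately ignores a folder that merely shares a file's name when the folder holds no executable content, since that layout occurs in ordinary archives; a stricter deployment could treat any trailing-space folder name as suspicious on its own, because no normal tool produces one.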

In this case the intelligence goal seems only tangentially related to Russia's invasion of Ukraine, except insofar as trouble in the Near Abroad inevitably has repercussions for that war. The SVR appears to have been interested in Azerbaijan's intentions with respect to Nagorno-Karabakh, the province Azerbaijan has disputed with Armenia, and which Azerbaijan seized on September 19th and 20th of this year.

Cozy Bear has been implicated in several other high-profile incidents, including Russian intrusion into US targets related to the 2016 US elections, and the 2020 supply chain attack against SolarWinds users.

NTC Vulkan's infrastructure described.

Researchers at Censys have investigated and described infrastructure operated by NTC Vulkan, a contractor believed to work for Russia's intelligence services. In the course of their investigation they found considerable overlap between NTC Vulkan's offerings and those of another firm, Raccoon Security.

NTC Vulkan came to general attention when a former employee who opposed Russia's invasion of Ukraine turned whistleblower and revealed three tools he claimed his former employer had produced for its intelligence service customers. Censys describes those tools as follows:

  • "Scan or Scan-V – an internet-wide scanning tool designed to discover vulnerabilities for use in potential cyber operations
  • "Amesit or Amezit – “A framework used to control the online information environment and manipulate public opinion, enhance psychological operations, and…support IO and OT-related operations”
  • "Krystal-2B – a training platform for cyber attacks on critical infrastructure."