Ukraine at D+431: Drone strikes and phishing expeditions.
N2K logoMay 1, 2023

Russia and Ukraine exchange drone strikes as Russia prepares to receive a Ukrainian offensive. CERT-UA warns of a GRU phishing expedition against Ukrainian government targets.

Ukraine at D+431: Drone strikes and phishing expeditions.

Russian missile attacks against Ukrainian cities resumed early this morning. Ukrainian officials say eighteen missiles in total were fired, fifteen of which, including all those aimed at Kyiv, were shot down. Casualties and damage from the latest strikes are still being assessed, Radio Free Europe | Radio Liberty reports, but an industrial facility in Pavlohrad is said to have been damaged. The Guardian puts casualties in the Pavlohrad strike at thirty-four injured.

Russia's official account of Friday's strikes asserts their precision, their discrimination, and their success. "Overnight, the Russian Air Force carried out a collective rocket strike using long-range high-precision weapons targeting temporary deployment sites of Ukrainian army reserve units," Reuters quotes Russian Defense Ministry spokesman Igor Konashenkov as saying at a press briefing. "The target of the strike was achieved. All designated facilities were struck. The advance of the enemy's reserves into combat zones was thwarted."

The UK's Ministry of Defence (M0D) thinks the missile strikes may indeed have represented an attempt to disrupt Ukraine's movement of reserves to the front, but disputes the operation's success. "In the early hours of 28 April 2023, Russia launched the first major wave of cruise missile strikes against Ukraine since early March 2023. Although Ukraine shot down most of the missiles, at least 25 civilians were killed. The attacks suggest a departure in Russia’s use of long-range strikes. The wave involved fewer missiles than those over the winter and was unlikely to have been targeting Ukraine’s energy infrastructure. There is a realistic possibility that Russia was attempting to intercept Ukrainian reserve units and military supplies recently provided to Ukraine." That the strikes were a military failure shows, the MoD concludes, at least two things. "Russia operates an inefficient targeting process and prioritises perceived military necessity over preventing collateral damage, including civilian deaths."

Ukraine says it shot down twenty-one of the twenty-three missiles Russia fired. The other two hit civilian dwellings in Uman and Dnipro. The anchor of Voice of America's Ukrainian service, Ostap Yarysh, soon after the strikes assessed the civilian death toll in Russia's most recent wave of long-range strikes as amounting to "at least 23." That number as of Saturday morning had reached twenty-five, the Guardian reports, and may rise more. Deutsche Welle recorded an interview with one of the strikes' survivors. Bridget Brink, US Ambassador to Ukraine, tweeted about last Friday's Russian strikes: "More lives tragically lost as Russia’s missiles hit another apartment building. Russia still hasn’t learned that its brutality only reinforces Ukrainian resolve and deepens our commitment to support [Ukraine] in the fight."

Ukraine struck Russia's naval installation at Sevastopol in occupied Crimea Saturday. The AP, citing Russian reports, says that four oil tanks at the port's fuel storage facility burned.

The current state of Russian defensive works.

The UK's MoD Monday morning situation report describes how Russian defensive preparations have taken shape since last summer. They're in many respects a tactical throwback to early 20th-century warfare. "Since summer 2022, Russia has constructed some of the most extensive systems of military defensive works seen anywhere in the world for many decades. These defences are not just near the current front lines but have also been dug deep inside areas Russia currently controls. Imagery shows that Russia has made a particular effort to fortify the northern border of occupied Crimea, including with a multi-layered defensive zone near the village of Medvedevka. Russia has also dug hundreds of miles of trenches well inside internationally recognised Russian territory including in the Belgorod and Kursk regions." The preparations are signs that Russia fears a Ukrainian offensive, but they also serve as propaganda of the deed. "The defences highlight Russian leaders’ deep concern that Ukraine could achieve a major breakthrough. However, some works have likely been ordered by local commanders and civil leaders in attempts to promote the official narrative that Russia is ‘threatened’ by Ukraine and NATO."

The Wagner Group demands more ammunition.

Yevgeny Prigozhin, in an interview published on April 29th, threatened to withdraw some of the Wagner Group's forces from Bakhmut if he didn't receive required ammunition from the Ministry of Defense. Radio Free Europe | Radio Liberty notes that Mr. Prigozhin has been publicly criticizing his ammunition supply for months. Nor was Mr. Prigozhin shy about pointing out what he takes to be the probable consequences of a Wagner Group withdrawal: "Prigozhin warned that a Wagner pullout from Bakhmut would lead to a Russian collapse along other parts of the 1,000-kilometer front."

Mr. Prigozhin is also quoted as saying that, without ammunition and fresh recruits, the Wagner Group would cease to exist. “Now, with regard to the need in general for shells at the front, what we want. Today we are coming to the point where Wagner is ending. Wagner, in a short period of time, will cease to exist. We will become history, nothing to worry about, things like this happen.” (The Telegraph says it's possible that he's "joking;" he's done that before.)

Harsher measures against indiscipline.

One of the defining features of General Gerasimov's command seems to be more draconian field punishment of Russian soldiers. The UK's MoD wrote, Sunday morning: "In recent months, Russian commanders have likely started punishing breaches in discipline by detaining the offending troops in ‘Zindans’ which are improvised cells consisting of holes in the ground covered with a metal grille. Multiple recent reports from Russian personnel give similar accounts of being placed in Zindans for misdemeanours including drunkenness and attempting to terminate their contracts. In the early months of the war, many Russian commanders took a relatively light touch in enforcing discipline, allowing those who refused to soldier to quietly return home. Since Autumn 2022, there have been multiple increasingly draconian initiatives to improve discipline in the force, especially since Chief of the General Staff Valery Gerasimov assumed command of the operation in January 2023."

Fresh phish from the GRU.

On Friday, April 28th, 2023, CERT-UA, Ukraine’s Computer Emergency Response Team, reported that Russian operators were sending phishing emails that misrepresent themselves as sending instructions on installing a Windows security update. “ The Computer Emergency Response Team of Ukraine (CERT-UA) says Russian hackers are targeting various government bodies in the country with malicious emails supposedly containing instructions on how to update Windows as a defense against cyber attacks,” BleepingComputer writes. “CERT-UA believes that the Russian state-sponsored hacking group APT28 (aka Fancy Bear) sent these emails and impersonated system administrators of the targeted government entities to make it easier to trick their targets.”

APT28 of course is associated with Russia’s military intelligence service, the GRU, and CERT-UA is both certain of, and unambiguous with respect to, that attribution. CERT-UA describes the attack process as follows: "During April 2023, the government computer emergency response team of Ukraine CERT-UA recorded cases of the distribution of e-mails with the subject 'Windows Update' among government bodies of Ukraine, sent, apparently, on behalf of system administrators of departments. At the same time, e-mail addresses of senders created on the public service '' can be formed using the employee's real surname and initials." The warning adds, "The sample letter contains 'instructions' in Ukrainian for 'updates to protect against hacker attacks', as well as graphical images of the process of launching a command line and executing a PowerShell command."

Should the victims follow the instructions in the email, they’ll find themselves installing a PowerShell script that simulates a Windows update while it in fact downloads a second malicious PowerShell payload in the background. That payload deploys information-harvesting malware that abuses the legitimate Mocky tool. CERT-UA concludes, "We recommend restricting the ability of users to launch PowerShell and monitor network connections to the Mocky service API."

The attack is interesting in a self-referential way: it exploits fear of Russian cyberattacks in order to accomplish exactly that: Russian cyberattacks.

(Added, 9:15 PM ET, May 3rd, 2023. Joe Gallop, Cyber Threat Intelligence Manager at Cofense, commented on how state threat groups conduct reconnaissance and establish persistence. "Many of the most advanced threat groups use phishing as a way to both gain initial access to targeted organizations, and to initiate reconnaissance on the nature or value of compromised workstations," he wrote in emailed comments. "In this case, the PowerShell script masquerading as a security update is looking for basic information about the compromised machine, with the intention of sending that information to the attackers via Mocky, a free API-mocking service. Even if that third-party service was not used by Ukrainian government organizations, it is likely that it was "trusted", in the sense that it would not be found on a blocklist before this attack. Free API services are prime resources for threat actors to use in funneling information in a way that doesn't disclose it's actual destination to the victim. For instance, throughout 2022, Cofense Intelligence identified an 800% rise in evasive phishing campaigns that abused the free Telegram bot API service to exfiltrate information. The number of such services is constantly increasing, giving threat actors even more options to hide their malicious activity."

An approach, however simple, that emulates legitimate processes, is likely to enjoy some level of success. "Threat actors (even advanced ones) have used security update themes in their phishing emails for decades. They will probably continue to do so for as long as legitimate security alerts are also delivered via email, and perhaps longer.")

KillNet’s ask-me-anything.

KillNet held an Ask Me Anything session on their telegram page on Saturday to answer questions about their new self-designation as a Private Military Hacking Company. The questions raised were mostly regarding how the PMHC will operate. When asked about the structure of their organizations, KillNet responded, “We created four sub-detachments consisting of former cybercriminals and former members of special services (not only from Russia). At the current time we are ready to not only defend the motherland, but also conduct computer network attacks and destruction of intruders of different levels throughout the world.” 

They also explained that the price per mission is going to depend on the complexity involved. When asked what kind of file sharing system they will be using, the response was “Skype.” KillNet also explained that they have very tight and trusting relationships with international specialists that provide them with 24/7 support in accomplishing their goals. Regarding their pricing, they explained that they could destroy the electrical infrastructure of Ukraine and Poland for a sum of 30 million dollars, adding that every destructive operation against electrical infrastructure costs money. (Note to President Putin: interestingly enough, they seem to be pricing missions in dollars not rubles.) 

The majority of the remaining questions were about their personal lives and education, and the offer of opportunities to learn more about being a hacker. KillNet ended their ask-me-anyting by explaining that their time of altruism is over: they’re done doing altruistic work like destroying civilian infrastructure for free. Their activity will not continue at its formerly high tempo, but they will continue to support Russia and its interests. They say they came to this line of work because they hate the Polish people and Ukrainians, but now they need to monetize their hate.