Ukraine at D+376: Pranking for the cause.
N2K logoMar 7, 2023

Russia and Ukraine swap drone strikes and continue the struggle for Bakhmut. A Russian threat actor pranks for disinfo.

Ukraine at D+376: Pranking for the cause.

Both sides swap minor drone attacks, the Wall Street Journal reports. Ukraine has normally not acknowledged cross-border operations in Russia proper, but a Ukrainian special operations unit has claimed to have coordinated drone strikes in the vicinity of the Russian city of Bryansk, the New York Times reports. "Intelligence forces of the special unit 'KRAKEN' destroyed the autonomous observation tower 'Grenadier' in the Bryansk region with the help of a kamikaze drone," the unit posted in its Telegram channel. Ukrinform reposted video of the strike (the video is undated, overproduced, and difficult to interpret). Members of the Russian Volunteer Corps, a Russian dissident group that claims to be fighting Mr. Putin's regime, is also said to be active around Bryansk.

Bakhmut agonistes.

The months' long, sanguinary battle for Bakhmut continues, Al Jazeera reports, as Ukraine moves additional forces to the city's defense, concentrating in the western sections of the city. This morning's situation report from the British Ministry of Defence again discussed the fight for Bakhmut. "The Ukrainian defence of Bakhmut continues to degrade forces on both sides. Over the weekend, Ukrainian forces likely stabilised their defensive perimeter following previous Russian advances into the north of the town. A Russian strike destroyed a bridge over the only paved supply road into Bakhmut still under Ukrainian control around 02 March. Muddy conditions are likely hampering Ukrainian resupply efforts as they increasingly resort to using unpaved tracks. Public disagreements between the Wagner Group and Russian Ministry of Defence over the allocation of munitions highlights the difficulty in sustaining the high levels of personnel and ammunition required to advance with their current tactics."

Cyberattacks briefly disrupt Russian websites and media outlets.

Anonymous claims to have resumed hacktivist actions against Russia, saying last Thursday that they were “currently involved in operations against the Russian Federation.” The Daily Beast reports that the Russian government site and five other government sites were down briefly Monday. ( is back up today.) The action appears to have been the now-customary nuisance-level hacktivist work of distributed denial-of-service (DDoS) and website defacements.

Meanwhile, TASS is authorized to disclose that a member of Russia's delegation to the United Nations has denounced what she characterizes as the West's use of Ukraine as a testing ground for cyber warfare. Her remarks are worth quoting at length:

"We believe the goal of attempts by the US and its allies to hype up the issue of ‘Russian hackers’ and ‘Russian cyberthreat’ is no longer a secret to anyone. The only goal is to conceal their own destructive activities in cyberspace, In fact, NATO countries openly seek to militarize cyberspace, actively increasing their offensive capabilities and improving ways to conduct cyberattacks. There is ample documentary evidence of this, including the public revelations of high-ranking officials’ public revelations of acts of cyber sabotage against Russia. After the start of the special military operation in Ukraine, Western nations launched a full-fledged campaign against Russia, seeking to test the strength of our economy, financial and energy sectors and crucial industries. Russia’s information facilities keep facing massive cyberattacks, which have increased tenfold since the launch of the special operation. The Western bloc actively recruits mercenary hackers and uses the information and communication potential of its allies and the private companies that it controls, deliberately involving users from all over the world into these criminal activities."

The diplomat, Irina Tyazhlova, delivered her remarks at a meeting of the United Nations open-ended working group on cybersecurity.

Disinformation, how may we help you?

Proofpoint this morning described an ongoing campaign by a "Russia-aligned threat actor," TA499 (also known as "Vovan" or "Lexus") to engage Western political and business leaders in voice or video calls. The calls are recorded, and they appear designed to gather raw material that can be used to produce content that would tend to discredit those who have publicly supported Ukraine. "The calls are almost certainly a pro-Russia propaganda effort designed to create negative political content about those who have spoken out against Russian President Vladimir Putin and, in the last year, opposed Russia’s invasion of Ukraine," Proofpoint summarizes, adding, "TA499 is not a threat to take lightly due to the damage such propaganda could have on the brand and public perception of those targeted as well as the perpetuation of disinformation."

TA499 clearly functions as an auxiliary of the Russian security and intelligence services, although how much direction and support it receives from its masters remains unclear. Proofpoint calls the group "an impersonation-based, patriotically motivated misinformation pair of actors aligned with the Russian state, adding: "The group has a record of targeting high-profile persons of interest that have spoken out about the Russian regime, in favor of sanctions against Russia, and against the detainment of well-known Russian opposition leader Alexei Navalny. While the level of official government support TA499 receives is unknown, the recordings are generally used to garner support and sympathy for the current Russian regime and their actions."

Engagement begins with emails inviting the target to join a call. The emails commonly impersonate a Ukrainian embassy. Should the target agree to a call, TA499 will use a video deepfake to impersonate a trusted interlocutor. One the target is induced to make a statement in the Ukrainian interest, the threat actor engages in what Proofpoint calls "antics" designed to fluster the target into doing or saying something embarrassing.

This is disinformation for the influencer age. "TA499 is a very public group that is garnering a fan following," Proofpoint concludes. "They have personas that not only post the material discussed in this report online but also perform reenactments on Russia state-sponsored media as well as attend conferences. With the war between Russia and Ukraine unlikely to end in the near-term and Ukraine continuing to garner support from organizations worldwide, Proofpoint assesses with high confidence that TA499 will attempt to continue with its campaigns in support of its influencer content and political agenda. TA499 is likely to reuse old or establish additional infrastructure in support of this activity." Think of their product as Jackass from Red Square, the Jerky Boys in geopolitical harness.