Russia/Ukraine Update - August 2023

August 25, 2023

The Russia/Ukraine war has been active for roughly 18 months, characterized by both physical and cyber warfare. Ukraine has continued its defensive strategies, while cybercriminal groups in support of each country have launched information-stealing and DDoS attacks. Russia is also dealing with internal struggles, including issues with the Wagner Group – a paramilitary organization and ally of Russian President Vladimir Putin.


Optiv’s Global Threat Intelligence Center (gTIC) has provided periodic updates on Russian and Ukrainian actions, as well as estimated cyber-related implications, in advisories and blog posts on February 4, February 22, February 24, June 30, August 25, September 29, October 31, November 29, December 20, March 02, 2023 and May 30, 2023. This update will provide information on the events of the previous 90 days and what we can expect looking forward.




Over the course of the previous 18 months, Russia-based threat actors have deployed wiper attacks, ransomware attacks and information-stealing attacks. Active groups over the previous 90 days include Shuckworm, Cadet Blizzard, Midnight Blizzard and NoName057(16).


In June 2023, security researchers with Microsoft linked a threat group, Cadet Blizzard (aka DEV-0586, UAC-0056) to Russia’s Main Directorate of the General Staff of the Armed Forces (GRU). Microsoft’s researchers have linked Cadet Blizzard to multiple cyberattacks, including the deployment of the WhisperGate wiper malware against Ukrainian organizations. The group is believed to have been active since at least 2020 and is a separate operation from other GRU-linked threat groups, including Forest Blizzard (aka Strontium, Fancy Bear, APT28) and Seashell Blizzard (aka Iridium, Sandworm). Cadet Blizzard has launched attacks against Ukraine, Eastern Europe, Central Asia and Latin America. Verticals targeted include technology and government, as well as institutions and organizations. Cadet Blizzard has previously gained initial access via vulnerabilities, such as the Confluence vulnerability, CVE-2021-20684 (CVSS 9.8), and Exchange vulnerabilities like CVE-2022-41040 (CVSS 8.8) and the ProxyShell flaws – CVE-2021-34473 (CVSS 9.8), CVE-2021-34523 (CVSS 9.8) and CVE-2021-31207 (CVSS 7.2). The group has employed the following tools and malware over the previous 18 months for persistence and lateral movement:


  • P0wnyShell – A basic, single-file PHP shell that can be used to execute commands.
  • PAS – A publicly available multifunctional PHP web shell that provides remote access and execution on target web servers.
  • reGeorg – A tool that uses web shells to create a SOCKS proxy for intranet penetration.
  • Impacket – An open-source collection of modules written in Python for programmatically constructing and manipulating network protocols.
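The PHP shells listed above share one trait a defender can key on: request-controlled input flows into a function that executes code or operating-system commands. The following heuristic scanner is an added example (not Optiv tooling or any vendor's signature set) that scores PHP source for that pattern so a web-root review can start with the highest-scoring files. The rule weights, the threshold and the sample files are assumptions constructed for this example.

```python
"""Heuristic triage of PHP files for web shell indicators (added example)."""
import re
from dataclasses import dataclass, field

# Functions that execute PHP code or OS commands.
EXEC_FUNCS = r"(?:eval|assert|system|exec|shell_exec|passthru|popen|proc_open)"
# Superglobals an attacker can populate from the request.
SUPERGLOBALS = r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER|FILES)"

# (rule name, compiled pattern, weight). Weights are assumptions for this example.
RULES = [
    # request data passed straight into an execution sink
    ("exec-from-request",
     re.compile(r"\b" + EXEC_FUNCS + r"\s*\([^;]*?" + SUPERGLOBALS, re.I), 5),
    # payload decoded immediately before evaluation
    ("decode-then-exec",
     re.compile(r"\b(?:eval|assert)\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I), 4),
    # variable function name taken from the request, e.g. $f = $_GET['f']; $f($x);
    ("dynamic-call-from-request",
     re.compile(r"(\$\w+)\s*=\s*" + SUPERGLOBALS + r"[^;]*;[\s\S]*?\1\s*\(", re.I), 3),
    # any execution sink at all: weak alone, useful for ranking
    ("exec-func-present",
     re.compile(r"\b" + EXEC_FUNCS + r"\s*\(", re.I), 1),
]


@dataclass
class Finding:
    path: str
    score: int = 0
    hits: list = field(default_factory=list)
    suspicious: bool = False


def scan_source(path: str, source: str, threshold: int = 4) -> Finding:
    """Score one file's contents; a score at or above threshold is flagged."""
    finding = Finding(path=path)
    for name, pattern, weight in RULES:
        if pattern.search(source):
            finding.hits.append(name)
            finding.score += weight
    finding.suspicious = finding.score >= threshold
    return finding


def scan_all(files: dict, threshold: int = 4) -> dict:
    """Scan a {path: source} mapping; returns {path: Finding} ordered by score."""
    findings = [scan_source(p, s, threshold) for p, s in files.items()]
    return {f.path: f for f in sorted(findings, key=lambda f: f.score, reverse=True)}


# Constructed sample files: two shells, one benign class, one benign cron wrapper.
SAMPLE_FILES = {
    "/var/www/html/uploads/x.php":
        "<?php if(isset($_REQUEST['c'])){ echo shell_exec($_REQUEST['c']); } ?>",
    "/var/www/html/cache/s.php":
        "<?php eval(base64_decode('cGhwaW5mbygpOw==')); ?>",   # decodes to phpinfo();
    "/var/www/html/app/Mailer.php":
        "<?php\nclass Mailer { public function send($to){ return mail($to,'hi','x'); } }",
    "/var/www/html/app/Cron.php":
        "<?php exec('/usr/bin/php /srv/jobs/nightly.php'); ?>",
}

if __name__ == "__main__":
    for path, f in scan_all(SAMPLE_FILES).items():
        print(f"{f.score:2d} {'SUSPICIOUS' if f.suspicious else 'ok        '} {path} {f.hits}")
```

The benign cron wrapper scores 1 because `exec()` alone is common in legitimate code; only the combination with request-controlled input or a decode-then-eval chain pushes a file over the threshold, which keeps the review list short.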


Cadet Blizzard uses living-off-the-land (LOL or LOTL) techniques wherever possible, and leverages tools such as Sysinternals ProcDump to dump Local Security Authority Subsystem Service (LSASS) process memory for credentials. CERT-UA reported February 2023 attacks by Cadet Blizzard against government entities in an attempt to steal sensitive data. Cadet Blizzard has been observed conducting attacks and then going quiet for some time before returning with another attack. It is likely that the threat actors use this time to improve their TTPs for gaining persistence, evading detection, elevating privileges and moving laterally.
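Because ProcDump is a signed Microsoft utility, the LSASS dumping described above is best caught by what the handle looks like rather than by the binary's name. The following triage routine is an added example (not an Optiv or Microsoft rule) over Sysmon Event ID 10 (ProcessAccess) records: it keeps only handles to lsass.exe from non-allowlisted processes that carry PROCESS_VM_READ, and raises severity when the call stack shows the MiniDump DLLs. The allowlist and the sample records are constructed for this example.

```python
"""Triage Sysmon EventID 10 records for LSASS memory reads (added example)."""

PROCESS_VM_READ = 0x0010   # access right needed to copy another process's memory

# Processes that legitimately open LSASS with read access on most hosts.
# Assumption for this example; derive yours from baseline telemetry.
KNOWN_GOOD_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\lsm.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# DLLs implementing MiniDumpWriteDump; seeing them in CallTrace means the
# handle was opened to write a memory dump, whatever the process is called.
DUMP_DLLS = ("dbghelp.dll", "dbgcore.dll")


def triage(event: dict):
    """Return 'high', 'medium' or None for one Sysmon EventID 10 record."""
    if event.get("EventID") != 10:
        return None
    if not event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return None
    if event.get("SourceImage", "").lower() in KNOWN_GOOD_SOURCES:
        return None
    # GrantedAccess is logged as a hex string, e.g. 0x1FFFFF (PROCESS_ALL_ACCESS).
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    if not granted & PROCESS_VM_READ:
        return None            # query-only handles cannot read memory
    call_trace = event.get("CallTrace", "").lower()
    if any(dll in call_trace for dll in DUMP_DLLS):
        return "high"
    return "medium"


def triage_all(events) -> dict:
    """Map RecordId -> severity for every record that warrants attention."""
    hits = {}
    for ev in events:
        sev = triage(ev)
        if sev:
            hits[ev["RecordId"]] = sev
    return hits


# Constructed sample records in the shape of Sysmon EventID 10 fields.
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 10,
     "SourceImage": r"C:\Tools\procdump64.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1FFFFF",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4e4|C:\Windows\System32\KERNELBASE.dll+2c5be|C:\Windows\SYSTEM32\dbgcore.DLL+6318"},
    {"RecordId": 2, "EventID": 10,
     "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4e4"},
    {"RecordId": 3, "EventID": 10,                          # renamed dumper, no symbols
     "SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\pd.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4e4|UNKNOWN(00007FF6A1B2C3D4)"},
    {"RecordId": 4, "EventID": 10,                          # query information only
     "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1400",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4e4"},
    {"RecordId": 5, "EventID": 10,                          # not LSASS at all
     "SourceImage": r"C:\Windows\explorer.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe",
     "GrantedAccess": "0x1FFFFF",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4e4"},
]

if __name__ == "__main__":
    for rec, sev in triage_all(SAMPLE_EVENTS).items():
        print(f"record {rec}: {sev}")
```

Record 3 is the case the paragraph warns about: a renamed tool with no recognisable image name still needs PROCESS_VM_READ on LSASS, so it surfaces as medium even though nothing else about it stands out.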


In June 2023, security researchers with Symantec reported that Shuckworm (aka Gamaredon, Primitive Bear, Trident Ursa) has continued to launch cyberattacks against Ukraine, with recent victims including military and government organizations. Shuckworm sent phishing emails to gain initial access. According to Symantec, the malicious attachments often contained lures related to “armed conflicts, criminal proceedings, combating crime and protection of children.” Shuckworm has used a custom backdoor, Pterodo, to maintain persistence and download additional code. The group was observed targeting machines containing file names that Symantec claims appeared to be “sensitive military information.” It is likely that Shuckworm is responsible for obtaining information that could be of strategic interest to the Russian government and support Russian military efforts.


Also in June 2023, security researchers with Microsoft disclosed a spike in credential-stealing cyberattacks conducted by Midnight Blizzard (aka Nobelium, Cozy Bear, The Dukes, APT29). The threat actors used “residential proxy services to obfuscate the source [IP address] of their attacks” and targeted verticals that included governments, technology companies, industrials and manufacturing.


CERT-UA warned of cyberattacks attributed to Forest Blizzard (aka Fancy Bear, APT28, FROZENLAKE) that included a phishing campaign targeting government bodies in Ukraine. The phishing emails featured the subject line, “Windows Update,” and purportedly contained Ukrainian-language instructions to run a PowerShell command under the pretext of performing security updates. When victims ran the command, it executed a next-stage PowerShell script that collected basic system information.


In June 2023, security researchers with Sekoia reported that the pro-Russia hacktivist group, NoName057(16), had grown its DDoS attack toolkit, “DDoSia,” by more than 2,400%. NoName057(16) has been among the most prolific and active DDoS groups since the start of the Russia-Ukraine conflict. The group and its community have conducted DDoS attacks against European, Ukrainian and U.S. websites of government agencies, media companies and private companies.



Figure 1: Message published on the NoName057(16) Telegram Group claiming responsibility for targeting a NATO subsidiary


In July 2023, security researchers with Microsoft and CERT-UA warned of new attacks by the Russian APT group, Turla (aka Secret Blizzard, KRYPTON, UAC-0003), which has been observed targeting defense organizations with a new malware, DeliveryCheck (aka Capibar, GAMEDAY). The group conducted a phishing campaign with malicious Excel XLSM attachments. When a user enabled the malicious macros, they executed a PowerShell command that created a scheduled task impersonating a Firefox browser updater. The task downloads the DeliveryCheck backdoor. The malware launches in memory, where it connects to the threat actor’s C2. The threat group was also observed dropping the Kazuar information-stealing backdoor, which allows adversaries to launch JavaScript on the device and steal event log data, authentication tokens, cookies and credentials.
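A scheduled task that impersonates a browser updater, as described above, leaves a Windows Security Event 4698 ("A scheduled task was created") whose TaskContent field carries the full task definition as XML. The following checks are an added example (not a Microsoft or CERT-UA rule) that parses that XML and flags the combination worth triaging: an updater-sounding task name whose action is really a script host, runs from an untrusted path, or is hidden. The namespace is the Task Scheduler schema; the trusted roots, the keyword lists and the sample tasks are constructed assumptions for this example.

```python
"""Flag scheduled tasks that masquerade as browser updaters (added example)."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

UPDATER_WORDS = ("firefox", "mozilla", "chrome", "google", "edge", "updat")
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe")
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
ENV_MAP = {"%windir%": "c:\\windows", "%systemroot%": "c:\\windows",
           "%programfiles%": "c:\\program files"}
ENCODED_OR_HIDDEN = ("-enc", "frombase64string", "-w hidden", "-windowstyle hidden")


def normalize_path(path: str) -> str:
    """Lower-case and expand the environment variables commonly seen in task actions."""
    p = path.strip().strip('"').lower()
    for var, value in ENV_MAP.items():
        p = p.replace(var, value)
    return p


def parse_task(task_content: str) -> dict:
    """Extract the action and settings from an Event 4698 TaskContent document."""
    # Real TaskContent starts with an encoding="UTF-16" declaration that expat
    # rejects when handed an already-decoded str, so drop the declaration.
    if task_content.lstrip().startswith("<?xml"):
        task_content = task_content.split("?>", 1)[1]
    root = ET.fromstring(task_content)
    return {
        "command": normalize_path(root.findtext(".//t:Exec/t:Command", default="", namespaces=NS)),
        "arguments": root.findtext(".//t:Exec/t:Arguments", default="", namespaces=NS),
        "hidden": root.findtext(".//t:Settings/t:Hidden", default="false", namespaces=NS).lower() == "true",
        "author": root.findtext(".//t:RegistrationInfo/t:Author", default="", namespaces=NS),
    }


def assess(task_name: str, task_content: str) -> list:
    """Return the reasons a task looks suspicious; an empty list means clean."""
    task = parse_task(task_content)
    name, cmd = task_name.lower(), task["command"]
    exe = cmd.rsplit("\\", 1)[-1]
    looks_like_updater = any(w in name for w in UPDATER_WORDS)
    reasons = []
    if looks_like_updater and exe in SCRIPT_HOSTS:
        reasons.append("updater-named task runs a script host")
    if looks_like_updater and not cmd.startswith(TRUSTED_ROOTS):
        reasons.append("updater-named task runs from an untrusted path")
    if task["hidden"] and exe in SCRIPT_HOSTS:
        reasons.append("hidden task runs a script host")
    args = task["arguments"].lower()
    if exe in ("powershell.exe", "pwsh.exe") and any(f in args for f in ENCODED_OR_HIDDEN):
        reasons.append("PowerShell launched with encoded or hidden-window arguments")
    return reasons


def triage(tasks) -> dict:
    """Map task name -> reasons for every (name, xml) pair that raised a reason."""
    return {name: r for name, xml in tasks if (r := assess(name, xml))}


def task_xml(command, arguments="", hidden="false", author="SYSTEM") -> str:
    """Build a minimal Task Scheduler document in the shape 4698 logs (constructed)."""
    return (f'<?xml version="1.0" encoding="UTF-16"?>'
            f'<Task version="1.2" xmlns="{NS["t"]}">'
            f'<RegistrationInfo><Author>{escape(author)}</Author></RegistrationInfo>'
            f'<Settings><Hidden>{hidden}</Hidden></Settings>'
            f'<Actions Context="Author"><Exec><Command>{escape(command)}</Command>'
            f'<Arguments>{escape(arguments)}</Arguments></Exec></Actions></Task>')


# Constructed samples: a genuine Firefox agent task, an impersonator, a stock
# Windows task and an updater-named binary dropped in a user profile.
SAMPLE_TASKS = [
    (r"\Mozilla\Firefox Default Browser Agent",
     task_xml(r"C:\Program Files\Mozilla Firefox\default-browser-agent.exe", "do-task")),
    (r"\Firefox Update",
     task_xml(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"-WindowStyle Hidden -File C:\Users\Public\update.ps1", hidden="true")),
    (r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     task_xml(r"%windir%\system32\defrag.exe", "-c -h -o")),
    (r"\GoogleUpdateTaskMachine",
     task_xml(r"C:\Users\jdoe\AppData\Roaming\gupdate.exe")),
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_TASKS).items():
        print(name, "->", "; ".join(reasons))
```

The genuine Firefox agent task passes because its action lives under Program Files and is not a script host; the impersonator fails three separate checks, so a single tuned-out rule does not silence the alert.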



Wagner Group

The Wagner Group is a private military company founded by Yevgeny Prigozhin (aka “Putin’s Chef”). It became the Kremlin’s go-to group for operations it wanted to be able to disavow. The group has previously acted on behalf of Russia, including in 2013, when Prigozhin ran the Internet Research Agency, an operation that employed hundreds of people to conduct influence operations online, including in the U.S. in the lead-up to the 2016 presidential election. In 2014, the Wagner Group fought the Ukrainian army during the revolt in Eastern Ukraine. In 2022, when Russia invaded Ukraine, the Wagner Group was called upon to fight on the ground against Ukrainian troops.


On June 30, 2023, the Russian satellite telecommunications company, Dozor-Teleport CJSC, confirmed that they had suffered a data breach and that “infrastructure on the side of the cloud provider was compromised.” The unnamed hackers claimed to have targeted the company and defaced four Russian websites in support of the Wagner Group's actions.



Figure 2: Screenshot from one of the defaced websites (Source: CyberScoop)


The hackers leaked nearly 700 files related to the organization. While the attack was believed to be in support of the Wagner Group’s actions against Russia, there is an Even Chance that the attack was conducted in support of Ukraine. A conflict between Russia’s military and its biggest private military group would be an advantage for Ukrainian troops. At the time of writing, the motive behind the attack remains speculative and is Unlikely to be confirmed.


Prigozhin recently took to social media to accuse Russian military leadership of providing the Wagner Group with insufficient weaponry and demonstrating incompetence and corruption. In June 2023, Prigozhin ordered the Wagner Group troops to advance on Moscow, calling for the resignation of top defense officials. Before reaching Moscow, Prigozhin ordered the troops to turn back and claimed that he did not want to harm Russian fighters. Putin stated in a press conference that Prigozhin would be charged for a coup attempt. However, an agreement was reached and Prigozhin was allegedly in negotiation to be exiled to Belarus.


On August 23, 2023, multiple news outlets began reporting that a private Embraer jet carrying Yevgeny Prigozhin had crashed northwest of Moscow, killing all 10 people on board, including Prigozhin. The flight data indicates that the plane reached an altitude of about 28,000 feet before it stopped transmitting tracking details. While the specific reason for the crash is not known at the time of writing, and Russian authorities are reportedly investigating it, many witnesses reported that the plane appeared to be missing a wing and that they heard “explosions” prior to the plane’s dive toward the ground. Russia has not commented publicly about the crash. While the cause remains unknown, Russia has a known history of “getting back at” those it feels have wronged it in some way. Despite the proposed negotiation to exile Prigozhin to Belarus, there is an Even Chance that the crash was not accidental and was intended to permanently prevent Prigozhin from regrouping or posing any threat to Russia’s government.




In May 2023, security researchers with Kaspersky reported that the APT group, CloudWizard, had targeted “diplomatic and research organizations” in the region of the Russia-Ukraine conflict. The group has reportedly not ceased operations since the start of the war.


In August 2023, security researchers with SentinelLabs reported that the North Korean state-sponsored threat group, ScarCruft, was behind a hack of NPO Mashinostroyeniya, a Russian space rocket designer and intercontinental ballistic missile engineering organization. ScarCruft allegedly targeted the email server and IT systems and planted a Windows backdoor named OpenCarrot for remote access to the network. It is Likely that this attack was an attempt to advance North Korea’s missile development objectives.




The IT Army of Ukraine, which has nearly 10,000 volunteers, continues to be active against Russian organizations. While the group has been unable to target the Russian military directly, owing to the military’s security posture and the likelihood of being detected, it has targeted several organizations and verticals that the Russian military relies on. The group operates and maintains a Telegram channel and an X (formerly known as Twitter) account and has proven adept at overwhelming the cyber defenses of Russian organizations, TV stations and government bodies.



Figure 3: IT Army of Ukraine’s X (formerly Twitter) account


Some of their victims have included the weather forecast service that Russian military members relied on, the national rail company’s online ticketing service, the payment system used to collect tolls, the websites used by alcohol production and distribution companies to register deliveries and the computerized licensing system used to approve meat and dairy products in Russia. The group also identified compromised cameras after the Ukrainian security agency, SBU, discovered that Russian hackers were using CCTV streams to spy on Ukrainian positions and to direct missiles.


In an interview in The Times, a leader of the IT Army of Ukraine using the alias “Joe” claimed that the hacking groups enjoy going after the petty concerns of ordinary Russians. For example, when a Russian gas station launched a promotional two-for-one offer on hot dogs and burgers for app users, the IT Army of Ukraine took the app down. The hackers have worked to consistently remind Russian citizens that they are at war.


In June 2023, a Ukrainian hacking group, Cyber Anarchy Squad, announced on X (formerly known as Twitter) that it had successfully disrupted Russian banking services. The group claimed to have “blown up” InfoTel, a telecommunications company that supplied services to hundreds of companies, a quarter of which are banks. Security researcher Kevin Beaumont reported that the threat actors “remotely wiped the infrastructure” of the company. It took roughly two days for the company to restore BGP routing, with outages for customer organizations persisting as routers failed. Targeting the financial services vertical likely has a significant impact on the Russian economy.



Figure 4: Cyber Anarchy Squad’s X account


In July 2023, Ukrainian law enforcement successfully disrupted a bot farm where over 100 operators allegedly spread fake information related to the Russian invasion. As the investigation is ongoing, little information is available on the operation.


Ukraine has been relatively successful in defending against Russian cyberattacks, including preventing multiple wiper malware attacks on energy vertical organizations in 2022. In 2022, Russia’s cyberattacks increased by 250% against Ukraine and by 300% against NATO countries. These attacks, while considered sophisticated in the first months of the war, have slowed and become less organized over time. With the technical assistance of Western allies, Ukraine has significantly boosted its continuous security monitoring capabilities, which has aided in detecting and preventing multiple cyberattacks from Russia. It is Likely that Ukraine will continue to improve its security posture over the next 12 months.


There has historically been a high level of solidarity between Russia-linked threat groups, which has contributed to the groups’ perceived sophistication and capabilities. However, the disagreements over support for the war, the leaks and the splits over the previous 12 months have likely challenged that belief. It is Likely that more threat actors will target Russia-based organizations over the next 12 months to steal sensitive information and launch malware-based attacks. Rumors of Russia absolving Russian cybercriminals of their crimes have circulated, which would Likely supply Russia with more cybercriminals to support their cyber efforts. There is an Even Chance that threat actors will shift to more English-language forums and marketplaces over the next 12 months as the war continues.




Despite reports that Russia-linked threat groups have not been as successful as expected, it is Likely that these groups will continue launching attacks against Ukraine and NATO countries over the next 12 months. This is Likely to include critical infrastructure verticals – energy, financial services, government, manufacturing and transportation – in destructive cyberattacks that include wiper and ransomware malware. There is an Even Chance that Russian President Putin will refocus efforts on cyberattacks as military actions face setbacks, including the loss of support from the Wagner Group, shifts in leadership and an ever-changing view of the countries’ strengths.


China and India, both of which have a history of state-sponsored and/or APT activity, have indirectly aligned with Russia or maintained a conspicuous neutrality toward it. While China-linked threat groups have a proven history of targeting the U.S. and other Western countries in espionage campaigns, there is an Even Chance that these groups could target countries of strategic interest to Russia over the next 12 months.


Threat actors are Likely to target known vulnerabilities, including older vulnerabilities of 2+ years, in widely used software and services to gain access to victim networks. This is Likely because the same techniques continue to yield successful compromises while requiring minimal resources. Optiv’s gTIC assesses with High Confidence that DDoS attacks will remain an effective and relevant threat to organizations in countries that are openly opposed to Russian activity or in support of Ukraine.


In addition to exploiting multiple vulnerabilities, Optiv’s gTIC assesses it is Likely that cybercriminals and fringe state-sponsored campaigns will continue to abuse common protocols, software and tooling in the coming months, such as:


  • RDP
  • SMB/Samba
  • UPnP
  • Oracle WebLogic
  • Microsoft Exchange
  • Microsoft SharePoint
  • VMware vCenter, ESXi, vSphere, vAccess
  • VPN clients – Pulse Secure, Fortinet Fortigate, Citrix Gateway
  • Jenkins
  • Content management system (CMS) platforms – WordPress, Joomla!, Drupal, Magento, Adobe Commerce
  • Mimikatz
  • AdFind
  • AnyDesk
  • Rclone
  • Ngrok reverse proxy
  • Zoho ManageEngine
  • LogMeIn
  • TeamViewer


It is Likely that threat actors will continue to use the same tactics observed in cyberattacks attributed to Russia-linked and Russia-supporting groups.


Table 1: MITRE ATT&CK techniques observed in reported cyberattacks related to the groups noted above


Tactic | Technique | Description
Reconnaissance | T1595.002 | Active Scanning: Vulnerability Scanning
Reconnaissance | T1589.001 | Gather Victim Identity Information: Credentials
Reconnaissance | T1598 | Phishing for Information
Reconnaissance | T1598.003 | Phishing for Information: Spearphishing Link
Resource Development | T1583.001 | Acquire Infrastructure: Domains
Resource Development | T1583.006 | Acquire Infrastructure: Web Services
Resource Development | T1608.001 | Stage Capabilities: Upload Malware
Resource Development | T1584.001 | Compromise Infrastructure: Domains
Resource Development | T1584.003 | Compromise Infrastructure: Virtual Private Server
Resource Development | T1584.004 | Compromise Infrastructure: Server
Resource Development | T1584.006 | Compromise Infrastructure: Web Services
Resource Development | T1586.002 | Compromise Accounts: Email Accounts
Resource Development | T1586.003 | Compromise Accounts: Cloud Accounts
Resource Development | T1587.001 | Develop Capabilities: Malware
Resource Development | T1587.003 | Develop Capabilities: Digital Certificates
Resource Development | T1585.001 | Establish Accounts: Social Media Accounts
Resource Development | T1588.001 | Obtain Capabilities: Malware
Resource Development | T1588.002 | Obtain Capabilities: Tool
Initial Access | T1566.001 | Phishing: Spearphishing Attachment
Initial Access | T1566.002 | Phishing: Spearphishing Link
Initial Access | T1566.003 | Phishing: Spearphishing via Service
Initial Access | T1190 | Exploit Public-Facing Application
Initial Access | T1133 | External Remote Services
Initial Access | T1195.002 | Supply Chain Compromise: Compromise Software Supply Chain
Initial Access | T1199 | Trusted Relationship
Initial Access | T1078 | Valid Accounts
Initial Access | T1078.002 | Valid Accounts: Domain Accounts
Initial Access | T1078.003 | Valid Accounts: Local Accounts
Initial Access | T1078.004 | Valid Accounts: Cloud Accounts
Initial Access | T1189 | Drive-by Compromise
Execution | T1059.001 | Command and Scripting Interpreter: PowerShell
Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell
Execution | T1059.005 | Command and Scripting Interpreter: Visual Basic
Execution | T1059.006 | Command and Scripting Interpreter: Python
Execution | T1059.007 | Command and Scripting Interpreter: JavaScript
Execution | T1059.009 | Command and Scripting Interpreter: Cloud API
Execution | T1559.001 | Inter-Process Communication: Component Object Model
Execution | T1559.002 | Inter-Process Communication: Dynamic Data Exchange
Execution | T1106 | Native API
Execution | T1053.005 | Scheduled Task/Job: Scheduled Task
Execution | T1204.001 | User Execution: Malicious Link
Execution | T1204.002 | User Execution: Malicious File
Execution | T1047 | Windows Management Instrumentation
Execution | T1651 | Cloud Administration Command
Execution | T1203 | Exploitation for Client Execution
Persistence | T1505.003 | Server Software Component: Web Shell
Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder
Persistence | T1547.003 | Boot or Logon Autostart Execution: Time Providers
Persistence | T1136.001 | Create Account: Local Account
Persistence | T1098.001 | Account Manipulation: Additional Cloud Credentials
Persistence | T1098.002 | Account Manipulation: Additional Email Delegate Permissions
Persistence | T1098.003 | Account Manipulation: Additional Cloud Roles
Persistence | T1098.005 | Account Manipulation: Device Registration
Persistence | T1546.003 | Event Triggered Execution: Windows Management Instrumentation Event Subscription
Persistence | T1546.013 | Event Triggered Execution: PowerShell Profile
Persistence | T1546.015 | Event Triggered Execution: Component Object Model Hijacking
Persistence | T1556.007 | Modify Authentication Process: Hybrid Identity
Persistence | T1037.001 | Boot or Logon Initialization Scripts: Logon Script (Windows)
Persistence | T1542.003 | Pre-OS Boot: Bootkit
Privilege Escalation | T1546.008 | Event Triggered Execution: Accessibility Features
Privilege Escalation | T1546.015 | Event Triggered Execution: Component Object Model Hijacking
Privilege Escalation | T1068 | Exploitation for Privilege Escalation
Privilege Escalation | T1134.001 | Access Token Manipulation: Token Impersonation/Theft
Privilege Escalation | T1134.002 | Access Token Manipulation: Create Process with Token
Defense Evasion | T1055 | Process Injection
Defense Evasion | T1055.012 | Process Injection: Process Hollowing
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information
Defense Evasion | T1564.003 | Hide Artifacts: Hidden Window
Defense Evasion | T1562.001 | Impair Defenses: Disable or Modify Tools
Defense Evasion | T1562.002 | Impair Defenses: Disable Windows Event Logging
Defense Evasion | T1562.004 | Impair Defenses: Disable or Modify System Firewall
Defense Evasion | T1070.004 | Indicator Removal: File Deletion
Defense Evasion | T1070.006 | Indicator Removal: Timestomp
Defense Evasion | T1070.008 | Indicator Removal: Clear Mailbox Data
Defense Evasion | T1112 | Modify Registry
Defense Evasion | T1221 | Template Injection
Defense Evasion | T1027 | Obfuscated Files or Information
Defense Evasion | T1027.001 | Obfuscated Files or Information: Binary Padding
Defense Evasion | T1027.004 | Obfuscated Files or Information: Compile After Delivery
Defense Evasion | T1027.005 | Obfuscated Files or Information: Indicator Removal from Tools
Defense Evasion | T1027.010 | Obfuscated Files or Information: Command Obfuscation
Defense Evasion | T1027.011 | Obfuscated Files or Information: Fileless Storage
Defense Evasion | T1218.005 | System Binary Proxy Execution: Mshta
Defense Evasion | T1218.011 | System Binary Proxy Execution: Rundll32
Defense Evasion | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control
Defense Evasion | T1484.002 | Domain Policy Modification: Domain Trust Modification
Defense Evasion | T1553.002 | Subvert Trust Controls: Code Signing
Defense Evasion | T1553.005 | Subvert Trust Controls: Mark-of-the-Web Bypass
Defense Evasion | T1553.006 | Subvert Trust Controls: Code Signing Policy Modification
Defense Evasion | T1036.001 | Masquerading: Invalid Code Signature
Defense Evasion | T1036.004 | Masquerading: Masquerade Task or Service
Defense Evasion | T1036.005 | Masquerading: Match Legitimate Name or Location
Defense Evasion | T1211 | Exploitation for Defense Evasion
Defense Evasion | T1550.004 | Use Alternate Authentication Material: Web Session Cookie
Defense Evasion | T1014 | Rootkit
Credential Access | T1528 | Steal Application Access Token
Credential Access | T1552.004 | Unsecured Credentials: Private Keys
Credential Access | T1110 | Brute Force
Credential Access | T1110.001 | Brute Force: Password Guessing
Credential Access | T1110.003 | Brute Force: Password Spraying
Credential Access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers
Credential Access | T1555.004 | Credentials from Password Stores: Windows Credential Manager
Credential Access | T1621 | Multi-Factor Authentication Request Generation
Credential Access | T1606.001 | Forge Web Credentials: Web Cookies
Credential Access | T1606.002 | Forge Web Credentials: SAML Tokens
Credential Access | T1003.003 | OS Credential Dumping: NTDS
Credential Access | T1003.006 | OS Credential Dumping: DCSync
Credential Access | T1649 | Steal or Forge Authentication Certificates
Credential Access | T1558.003 | Steal or Forge Kerberos Tickets: Kerberoasting
Credential Access | T1539 | Steal Web Session Cookie
Discovery | T1083 | File and Directory Discovery
Discovery | T1120 | Peripheral Device Discovery
Discovery | T1057 | Process Discovery
Discovery | T1082 | System Information Discovery
Discovery | T1016.001 | System Network Configuration Discovery: Internet Connection Discovery
Discovery | T1033 | System Owner/User Discovery
Discovery | T1087.001 | Account Discovery: Local Account
Discovery | T1087.002 | Account Discovery: Domain Account
Discovery | T1087.004 | Account Discovery: Cloud Account
Discovery | T1482 | Domain Trust Discovery
Discovery | T1069.001 | Permission Groups Discovery: Local Groups
Discovery | T1069.002 | Permission Groups Discovery: Domain Groups
Discovery | T1018 | Remote System Discovery
Discovery | T1040 | Network Sniffing
Discovery | T1615 | Group Policy Discovery
Discovery | T1201 | Password Policy Discovery
Discovery | T1012 | Query Registry
Discovery | T1049 | System Network Connections Discovery
Discovery | T1007 | System Service Discovery
Discovery | T1124 | System Time Discovery
Lateral Movement | T1534 | Internal Spearphishing
Lateral Movement | T1080 | Taint Shared Content
Lateral Movement | T1021.001 | Remote Services: Remote Desktop Protocol
Lateral Movement | T1021.002 | Remote Services: SMB/Windows Admin Shares
Lateral Movement | T1021.005 | Remote Services: VNC
Lateral Movement | T1021.006 | Remote Services: Windows Remote Management
Lateral Movement | T1021.007 | Remote Services: Cloud Services
Lateral Movement | T1550.001 | Use Alternate Authentication Material: Application Access Token
Lateral Movement | T1550.003 | Use Alternate Authentication Material: Pass the Ticket
Lateral Movement | T1210 | Exploitation of Remote Services
Lateral Movement | T1091 | Replication Through Removable Media
Lateral Movement | T1570 | Lateral Tool Transfer
Collection | T1119 | Automated Collection
Collection | T1074.001 | Data Staged: Local Data Staging
Collection | T1074.002 | Data Staged: Remote Data Staging
Collection | T1025 | Data from Removable Media
Collection | T1113 | Screen Capture
Collection | T1560 | Archive Collected Data
Collection | T1560.001 | Archive Collected Data: Archive via Utility
Collection | T1005 | Data from Local System
Collection | T1213 | Data from Information Repositories
Collection | T1213.002 | Data from Information Repositories: SharePoint
Collection | T1213.003 | Data from Information Repositories: Code Repositories
Collection | T1114.002 | Email Collection: Remote Email Collection
Collection | T1039 | Data from Network Shared Drive
Collection | T1123 | Audio Capture
Command & Control | T1132 | Data Encoding
Command & Control | T1102 | Web Service
Command & Control | T1102.002 | Web Service: Bidirectional Communication
Command & Control | T1071.001 | Application Layer Protocol: Web Protocols
Command & Control | T1071.003 | Application Layer Protocol: Mail Protocols
Command & Control | T1568 | Dynamic Resolution
Command & Control | T1105 | Ingress Tool Transfer
Command & Control | T1001.001 | Data Obfuscation: Junk Data
Command & Control | T1001.002 | Data Obfuscation: Steganography
Command & Control | T1573 | Encrypted Channel
Command & Control | T1573.001 | Encrypted Channel: Symmetric Cryptography
Command & Control | T1092 | Communication Through Removable Media
Command & Control | T1090.001 | Proxy: Internal Proxy
Command & Control | T1090.003 | Proxy: Multi-hop Proxy
Command & Control | T1090.004 | Proxy: Domain Fronting
Exfiltration | T1041 | Exfiltration Over C2 Channel
Exfiltration | T1048.002 | Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Exfiltration | T1020 | Automated Exfiltration
Exfiltration | T1030 | Data Transfer Size Limits
Exfiltration | T1567 | Exfiltration Over Web Service
Exfiltration | T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage
Impact | T1561 | Disk Wipe
Impact | T1561.002 | Disk Wipe: Disk Structure Wipe
Impact | T1486 | Data Encrypted for Impact
Impact | T1485 | Data Destruction
Impact | T1491.001 | Defacement: Internal Defacement
Impact | T1498 | Network Denial of Service
Impact | T1529 | System Shutdown/Reboot
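Technique tables like Table 1 are typically circulated as flat text in which the tactic appears only on the first row of its group and tactic names can span several words ("Resource Development", "Command & Control"), which makes them awkward to load into a coverage tracker and easy to corrupt during copy-editing. The parser below is an added example (not Optiv code) that carries the tactic forward across rows, validates each ID against ATT&CK's T####/T####.### format, and reports a description listed under two different IDs within one tactic, which is usually a copy error. The sample lines are constructed and deliberately include both kinds of defect.

```python
"""Parse a flattened ATT&CK technique table and sanity-check it (added example)."""
import re
from collections import Counter, defaultdict

# Optional multi-word tactic prefix, then a technique ID, then the description.
ROW = re.compile(
    r"^(?:(?P<tactic>[A-Za-z&]+(?:\s+[A-Za-z&]+)*)\s+)?"
    r"(?P<id>T\d{3,4}(?:\.\d{3})?)\s+(?P<desc>.+?)\s*$"
)
# Well-formed technique / sub-technique ID as MITRE ATT&CK issues them.
VALID_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")


def parse_table(text: str) -> dict:
    """Return rows, per-tactic counts, malformed IDs, ambiguous rows and unparsed lines."""
    rows, unparsed, malformed = [], [], []
    seen = defaultdict(list)          # (tactic, description) -> [ids]
    tactic = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW.match(line)
        if not m:
            unparsed.append(line)     # header line or damaged row
            continue
        if m.group("tactic"):
            tactic = m.group("tactic")   # carry forward until the next group starts
        tid, desc = m.group("id"), m.group("desc")
        if not VALID_ID.match(tid):
            malformed.append(tid)
        rows.append((tactic, tid, desc))
        seen[(tactic, desc)].append(tid)
    return {
        "rows": rows,
        "by_tactic": dict(Counter(t for t, _, _ in rows)),
        "malformed": malformed,
        "ambiguous": {k: v for k, v in seen.items() if len(v) > 1},
        "unparsed": unparsed,
    }


# Constructed sample in the flat layout; includes a truncated ID and a
# description that is attached to two different IDs.
SAMPLE_TABLE = """
Tactic Technique Description
Reconnaissance T1595.002 Active Scanning: Vulnerability Scanning
T1598 Phishing for Information
Resource Development T1583.001 Acquire Infrastructure: Domains
T1588.002 Obtain Capabilities: Tool
Execution T1059.001 Command and Scripting Interpreter: PowerShell
T1106 Native API
T1053.005 Native API
Persistence T547.001 Server Software Component: Web Shell
Command & Control T1105 Ingress Tool Transfer
"""

if __name__ == "__main__":
    result = parse_table(SAMPLE_TABLE)
    print("techniques per tactic:", result["by_tactic"])
    print("malformed IDs:", result["malformed"])
    print("ambiguous rows:", result["ambiguous"])
```

Running the checks before importing a table into a tracker catches the two errors a reader would otherwise propagate: an ID that cannot exist in ATT&CK, and a row whose ID and description disagree.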
Intelligence Analyst | Optiv
Andi Ursry has over four years of experience in Threat Intelligence. Ursry began her career in the retail sector in Loss Prevention and Safety positions. She worked on-site to help stores mitigate risks. After seeing a shift toward cybercrime, she changed focus to cyber intelligence. Ursry’s research focuses on ransomware groups and their tactics.

Prior to joining Optiv, Ursry was a Cyber Threat Intelligence Analyst for a California-based cybersecurity company that specializes in digital risk. She earned a bachelor’s and master’s degree in criminal justice from Colorado Technical University, Online.
