New joint TAG/Mandiant research on a hybrid Russian espionage/influence campaign (UNC5812) targeting potential Ukrainian military recruits with malware and spreading anti-mobilization narratives
cloud.google.com/blog/topics/th…
UNC5812 is using the persona Civil Defense to (a) deliver commodity malware masked as software that claims to share crowdsourced locations of Ukrainian military recruiters and (b) solicit & share content it can use to discredit the 🇺🇦 military and its mobilization efforts.
Apr 17 • 18 tweets • 5 min read
Over a decade in the making: Sandworm is now APT44.
Below is a thread with some major takeaways and insights from our new report:
cloud.google.com/blog/topics/th…
Also known commonly as the GRU’s Main Centre for Special Technologies (GTsST) or Unit 74455 - APT44 has been at it for the better part of 15 years. Publicly available images of its anniversary insignia place the unit’s formation in 2009.
Jul 12, 2023 • 10 tweets • 3 min read
Today, Mandiant is sharing research on the GRU’s Disruptive Playbook, drawn from insights into GRU’s full-spectrum cyber operations in Ukraine over the past year.
mandiant.com/resources/blog…
The takeaway: The GRU has followed the same five-phase disruptive playbook throughout the war. Alternatives have existed, but the GRU has opted for the same tradecraft on repeat. We assess that these choices are calculated adaptations to a wartime operating environment.
Mar 28, 2023 • 9 tweets • 3 min read
Grateful to @IISS_org for the opportunity to share some thoughts around the success of Ukraine’s cyber defense. At this stage of the war, Ukraine has decisively won the adaptation battle in cyberspace.
iiss.org/blogs/research…
To understand Ukraine’s defensive success, we must account for the GRU’s approach to offensive cyber operations, firmly rooted in its information confrontation doctrine and the broad Russian definition of information warfare.