Brief: Russian Threat Actors Respond to Military Mobilization

ZeroFox Dark Ops has observed dark web actors brokering methods to circumvent Russia's military mobilization as of October 10, 2022 and has released the following information.

Executive Summary

Deep and dark web actors have begun to broker methods to circumvent Russia’s partial military mobilization¹ announced in late September, including options for dodging the draft. Some of the services are likely attempts at scams or honeypots, and, in some cases, it is unlikely the actors are capable of delivering what they have promised. However, the speed with which these methods began to appear in underground channels demonstrates anxiety amongst the Russian-speaking threat actor community, which is openly discussing this topic in forums that usually ban such rhetoric. 

Details

As of September 21, 2022, general discussions on the vetted Russian-speaking xss[.]is community suddenly switched from the topic of the United States announcing rewards for any actionable information on cyber actors threatening the country to the partial mobilization announced in the Russian Federation. Previous posts on the thread featured opinions about the United States and the European Union (EU) being desperate in light of current economic and cyber threat developments. However, the mobilization announcement changed the tone of the forum completely, and threat actors began asking for help and soliciting various services to assist their scared, Russian-speaking counterparts.

Analyst Commentary

Significant forum activity and response were observed in Russian-speaking threat actor forums after President Vladimir Putin’s announcement in late September that 300,000 troops would be called into service. Multiple conjectures were made ranging from a possible second stage of mobilization upcoming in a few months to draft evasion techniques to work opportunities with the military in order to avoid active service.

In some cases, threads were observed being promptly closed by forum administrators due to increasing political chatter on the topic of mobilization. However, in other cases, significant back and forth occurred regarding various techniques for draft dodging, including obtaining a postponement of military service due to a positive HIV test.

In another chat, a user claimed that a specific column in the military ledger pertaining to each Russian male who has completed military service dubbed „ВУС“ („Военно-учётная специальность“ or „Declared military specialization”) is indicative of whether a person is going to be mobilized. Allegedly, holders of ВУС numbers beginning with 100, 106, 131, 166, 878, 879, 113, and 554 are currently being mobilized. While the usability of such data may be limited, it does provide information on attempts at document forgery on the part of Russian draft dodgers. If the ВУС number correlation is accurate, the post likely indicates that sensitive military policy information has been leaked to the Russian public.

This thread clearly indicates that escaping mobilization at the moment is difficult for Russian-speaking actors to achieve and that attempts to exploit naïve draft dodgers are likely underway in the Russian-speaking deep web ecosystem. Suggestions for draft dodging in these forums may represent sophisticated honeypot campaigns that could be reported to the Russian Ministry of Defense. An example of this was already identified shortly after mobilization was announced; flyers around Moscow offering residents a telephone number to contact for legal help to avoid the draft were observed in the city. It was later determined that this was a trap and that the number on the flyer actually directs callers to the Moscow Military Commissariat. 

Recommendations

ZeroFox Intelligence expects steadily-increasing disorder in the Russian segment of the deep web as the situation in the Russian Federation deteriorates, which is likely to impact cyber operations. It is well-known that this segment is the largest one in the cyber underground, and the entire cyber threat landscape might be subjected to increasingly significant changes; organizations should expect a shift in behavior and targeting as a result. In addition, organizations with physical operations or sales in EU states, particularly those with close geographic or cultural ties with Russia, should remain prepared for low-level cyber threat activity such as DDoS attacks, as this type of exploit still allows Russia to maintain plausible deniability. 

^{1 hXXps://www.cnbc[.]com/2022/09/21/russia-ukraine-war-putin-announces-partial-military-mobilization.html}