Full Report
The Security Service of Ukraine (SBU or SSU) has exposed a novel espionage campaign suspected to be orchestrated by Russia's Federal Security Service (FSB) that involves recruiting Ukrainian minors for criminal activities under the guise of "quest games." Law enforcement officials said that they detained two FSB agent groups following a special operation in Kharkiv. These groups, per the agency,
Analysis Summary
# Threat Actor: FSB Recruitment Network (Children Agents)
## Attribution & Identity
* **Attributed to:** Russia's Federal Security Service (FSB).
* **Known Aliases/Groups:** Described as two separate agent groups operating in Kharkiv, consisting exclusively of minors aged 15 and 16.
* **Associations:** Associated with a "liaison" police officer from the Krasnodar region of Russia, who was charged in absentia.
## Activity Summary
The Security Service of Ukraine (SBU) exposed an espionage campaign orchestrated by the FSB involving the recruitment of Ukrainian minors. These minors were tasked with carrying out reconnaissance and sabotage activities under the pretense of participating in "quest games." The primary objective was to gather intelligence to facilitate Russian airstrikes. The SSU detained all members of these cells, including one organizer who faces life imprisonment.
## Tactics, Techniques & Procedures
- **Recruitment & Deception:** Recruiting minors (15-16 years old) using the guise of "quest games" to conceal subversive activities. (T1598.002: Spearphishing Link is an indirect mapping; it relates only in that both rely on deceptive lures.)
- **Targeted Reconnaissance:** Providing minors with specific geographic coordinates.
- **Data Collection:** Instructed to reach locations, take photos and videos of targets, and provide general descriptions of the surrounding area.
- **Exfiltration:** Sharing reconnaissance results with the FSB via anonymous chats.
- **Sabotage/Strike Correction:** The gathered intelligence was explicitly used to coordinate and correct Russian airstrikes.
- **Targeting Facilities:** Detainees were found photographing air defense facilities.
## Targeting
- **Sectors:** Military/Defense (specifically Air Defense facilities).
- **Geography:** Kharkiv, Ukraine.
- **Victims:** The Ukrainian state and its critical defensive infrastructure.
## Tools & Infrastructure
- **Malware Families Used:** None specified in this physical espionage context.
- **Infrastructure (C2, domains, IPs):** Communications were managed through **anonymous chats** for intelligence exfiltration. No specific C2 domains or IPs were mentioned for this physical operation.
## Implications
This activity highlights a concerning trend of a state actor (FSB) exploiting vulnerable populations (minors) for kinetic and reconnaissance support in an active conflict zone, effectively employing children as human intelligence (HUMINT) assets for critical military targeting. The effort successfully provided actionable intelligence used in airstrikes.
## Mitigations
- Increased vigilance and public awareness regarding unusual "game" or task-based requests targeting minors, especially those involving geographic data collection.
- Enhanced physical security monitoring around critical infrastructure, particularly air defense assets, to detect unauthorized photography or surveillance, even by individuals who appear non-threatening.
- Law enforcement action targeting local organizers and foreign liaisons (as demonstrated by the SBU's successful detentions).