Russian disinformation techniques remain familiar: deny atrocities, and claim they're Ukrainian (or "Western") provocations. Internationally the misdirection seems to be failing.
Fire, yes. Maneuver? Not so much, but plenty of disinformation.
The British Ministry of Defence's situation map shows complete Russian withdrawal from the northern regions of Ukraine its forces had formerly occupied. The MoD's situation report explains, "In the north, Russian forces have now fully withdrawn from Ukraine to Belarus and Russia. At least some of these forces will be transferred to East Ukraine to fight in the Donbas. Many of these forces will require significant replenishment before being ready to deploy further east, with any mass redeployment from the north likely to take at least a week minimum. Russian shelling of cities in the east and south continues and Russian forces have advanced further south from the strategically important city of Izium which remains under their control."
Yesterday, rocket fire hit a civilian railroad station in the eastern Donbas city of Kramatorsk that was serving as an evacuation hub for refugees. Reports indicate that some 4000 people were in the station at the time of the strike, and that between thirty and fifty were killed, with a larger number maimed or wounded. Russia says they didn't do it, that the rocket fire was a Ukrainian provocation in which Kyiv killed its own citizens in order to discredit Russia.
Russian atrocities near Kyiv appear to have been planned, ordered, and reported.
Correlation of satellite imagery with intercepted radio traffic has led Germany's Bundesnachrichtendienst (BND), the foreign intelligence service, to conclude, as Der Spiegel puts it, "that such atrocities were part of the strategy of Putin's army." Paraphrasing sources who heard a BND briefing to the Bundestag, Spiegel writes, "Some of the intercepted traffic apparently matches the locations of bodies found along the main road through town. In one of them, a soldier apparently told another that they had just shot a person on a bicycle. That corresponds to the photo of the dead body lying next to a bicycle that has been shared around the world. In another intercepted conversation, a Russian soldier apparently said: 'First you interrogate soldiers, then you shoot them.'" Some of those responsible for the atrocities are believed to be contract soldiers from the Wagner Group, an organization that acquired a reputation for war crimes during its deployment to Syria.
Microsoft disrupts GRU cyber operations.
Microsoft says it's blocked GRU cyber operations directed against US, European, and Ukrainian targets. Redmond calls the group "Strontium," in its metallic naming convention for threat groups, but the threat actor is also known as APT28 and, of course, Fancy Bear. The disruption was a familiar (and entirely praiseworthy) takedown. Microsoft explained, "On Wednesday April 6th, we obtained a court order authorizing us to take control of seven internet domains Strontium was using to conduct these attacks. We have since re-directed these domains to a sinkhole controlled by Microsoft, enabling us to mitigate Strontium’s current use of these domains and enable victim notifications."
This particular GRU campaign isn't the only one Microsoft has observed during Russia's war against Ukraine. Microsoft characterized Strontium's use of its now sinkholed infrastructure as follows:
"Strontium was using this infrastructure to target Ukrainian institutions including media organizations. It was also targeting government institutions and think tanks in the United States and the European Union involved in foreign policy. We believe Strontium was attempting to establish long-term access to the systems of its targets, provide tactical support for the physical invasion and exfiltrate sensitive information. We have notified Ukraine’s government about the activity we detected and the action we’ve taken."