Ukraine at D+46: Russian redeployment and reconstitution continue.
Apr 11, 2022

Skirmishing in cyberspace continues as Russia seeks to reconstitute and redeploy its forces with more limited objectives in mind. Atrocities continue in what has become a firepower-intensive Russian campaign.

In Saturday's situation report, the UK's Ministry of Defence said, "Russia continues to hit Ukrainian non-combatants, such as those killed in yesterday’s rocket strike on Kramatorsk railway station in eastern Ukraine. Russian operations continue to focus on the Donbas region, Mariupol and Mykolaiv, supported by continued cruise missile launches into Ukraine by Russian naval forces. Russian air activity is expected to increase in the south and east of Ukraine in support of this activity. However, Russian ambitions to establish a land corridor between Crimea and the Donbas continue to be thwarted by Ukrainian resistance."

Operations in the Donbas, as the week opens, appear to be following the firepower-heavy tactics used earlier in Russia's war. "Russian forces' prior use of phosphorous munitions in the Donetsk Oblast raises the possibility of their future employment in Mariupol as fighting for the city intensifies. Russian shelling has continued in the Donetsk and Luhansk regions, with Ukrainian forces repulsing several assaults resulting in the destruction of Russian tanks, vehicles, and artillery equipment. Russia’s continued reliance on unguided bombs decreases their ability to discriminate when targeting and conducting strikes while greatly increasing the risk of further civilian casualties."

Russian plans are now believed to include an assault against the city of Dnipro (until 2016 known as Dnipropetrovsk), the New York Times reports. Dnipro is west of the Donbas proper; its airport was hit with rocket fire over the weekend and is said to be out of operation.

Reconstituting Russian units after heavy combat losses.

On Sunday the MoD's appreciation of the Russian situation addressed Moscow's attempts to make good manpower shortages induced by its heavy losses in the fighting so far: "In response to mounting losses, the Russian armed forces seek to bolster troop numbers with personnel discharged from military service since 2012." It's not quite the "dad's army" of the Telegraph's headline, but the recall of conscript classes who completed their service as much as ten years ago indicates how much more manpower is needed in Ukraine than Russian estimates allowed for. The MoD adds that Moscow is looking to its satellites for more troops as well. "Efforts to generate more fighting power also include trying to recruit from the unrecognised Transnistria region of Moldova." Transnistria, detached from Moldova in 1992, is one of four frozen conflict zones under effective Russian control, the others being Abkhazia and South Ossetia (both detached from Georgia in 2008) and the Republic of Artsakh (detached from Azerbaijan in 1994). The independence of these regions has not received general international recognition, but they foreshadow the status Russia has in mind for Donetsk and Luhansk.

This would seem consistent with the somber and elegiac tone official Russian statements exhibited last week. The Guardian reports that Russia officially acknowledges 1351 killed in action. This is heavy enough, but far short of NATO estimates, which more than a week ago stood at roughly 15,000, and shorter still of Ukrainian estimates that put the number of Russian deaths at 18,900.

How effective the replacements will be is an open question. The active forces performed very badly, and Bloomberg quotes military analysts who observe, sensibly, that it seems unlikely that what amounts to an individual reserve would be even remotely as combat ready as the active troops they're replacing.

Citing Ukrainian bad faith, Russia's Foreign Minister says military operations will henceforth continue during negotiations.

"After we became convinced that the Ukrainians were not planning to reciprocate, a decision was made that during the next rounds of talks, there would be no pause so long as a final agreement is not reached," Foreign Minister Lavrov said this weekend. He said that Russia had paused operations during earlier talks (a hiatus few outside observers were able to discern) but that Ukraine's failure to reciprocate had led to the present change in policy.

US National Security Advisor says atrocities were part of Russia's plan.

During an interview yesterday on ABC’s This Week, US National Security Advisor Jake Sullivan said that pre-war US intelligence estimates predicted that atrocity would be part of Russian policy in the event of an invasion of Ukraine. “We, in fact, before the war began, declassified intelligence and presented it indicating that there was a plan from the highest levels of the Russian government to target civilians who oppose the invasion, to cause violence against them, to organize efforts to brutalize them in order to try to terrorize the population and subjugate it," he said.

Frustration over unexpected combat failure and high losses also probably contributed to the carnage occupied towns experienced. “I think there certainly are cases where individual soldiers or individual units got frustrated because the Ukrainians were beating them back,” Sullivan said. “They had been told they were going to have a glorious victory and just ride into Kyiv without any opposition with the Ukrainians welcoming them. And when that didn’t happen, I do think some of these units engaged in these acts of brutality, these atrocities, these war crimes even without direction from above.”

More reports of deliberate massacre emerged over the weekend as Ukrainian forces retook possession of ground abandoned by retreating Russian forces. One particularly horrific account describes Russian forces firing on a convoy of civilian refugees whom the Russian troops had just waved through a checkpoint, and the rocket strike against the Kramatorsk railroad station continues to draw widespread outrage. Russian claims that their forces aren't using the Tochka-U system employed in the strike are belied by images of Russian Tochkas deploying through Belarus in the early stages of the war. An Atlantic Council report notes that at least one pro-Russian Telegram channel seemed to threaten refugees with an attack on the rail system as early as April 7th.

New Russian Commander appointed for the war against Ukraine.

General Aleksandr V. Dvornikov, whom the New York Times reports is best known for having ordered attacks against civilian targets during Russia's intervention on behalf of the Assad regime in Syria's civil war, has been appointed the top Russian battlefield commander in Ukraine. His appointment is thought to augur a similar approach to the next phase of Russia's war against Ukraine, as US National Security Advisor Sullivan told ABC's This Week. “This particular general has a resume that includes brutality against civilians in other theaters, in Syria, and we can expect more of the same in this theater,” he said. That, however, will represent continuity in Russian operations, not a departure.

General Dvornikov was already in command of Russia's Southern Military District, the Washington Post reports. His forces have been engaged against what's now become the Russian main objective. His appointment represents an attempt to create unity of command in the theater.

Russian commanders seek to keep troops away from dangerous sections of the Internet.

Ukraine's military intelligence service has posted a file to its Facebook account that purports to be a Russian document complaining of Ukrainian online attempts to “influence on historical memory (distortion of historical facts of Russian history)” and “manipulate opinions,” and to “distribute false information about events and the situation” on the ground. If the document is genuine (and the Telegraph hasn't yet been able to authenticate it) it would also provide more evidence of disaffection and poor morale in the ranks. “Commanders of all ranks in a number of units have faced opposition from personnel expressing dissatisfaction with the conduct of the special military operation in Ukraine. The main sources of such information are from the internet.” The troops' Internet use also presents, according to the posted document, an OPSEC challenge that the Russian army intends to address: “In light of this, the ministry of defence in conjunction with colleagues at the centre for information countermeasures has decided to create an inter-agency commission for working with personnel on the internet; increase control of personnel and monitoring of changes in their moral-psychological conditions.”

YouTube kicks Duma TV off its platform.

Reuters reports that Duma TV, the streaming service run by Russia's parliament, has been removed from YouTube, which cited "a violation of YouTube's Terms of Service" as grounds for the expulsion. "If we find that an account violates our Terms of Service, we take appropriate action," Google said in an email to Reuters, framing the expulsion as a matter of compliance with applicable law, including sanctions against Russia. "Our teams are closely monitoring the situation for any updates and changes." Roskomnadzor says the decision is part of the Russophobic information war under which Russia currently suffers: "The American IT company adheres to a pronounced anti-Russian position in the information war unleashed by the West against our country."

CERT-UA warns of phishing campaign.

Ukraine's CERT has warned that a phishing campaign by the Armageddon threat group (also known as Actinium, Gamaredon, and Primitive Bear, and thought to represent a unit of Russia's FSB) is targeting "Ukrainian public authorities." The phishbait used is ironic but compelling: a document purporting to report Russian atrocities. The file has the lengthy and bureaucratic-sounding title "On cases of persecution and murder of Procurator’s Office officials by the Russian military in temporarily occupied areas."

Hacktivists hit Russian organizations.

The Anonymous-associated group that styles itself Network Battalion 65 (or NB65) has deployed compromised Conti ransomware code against Russian organizations. Bleeping Computer reports that the group (which has claimed actions against the document management service Tensor, space agency Roscosmos, and state-owned broadcaster VGTRK) is using the first leaked version of Conti ransomware. The group said, in a statement, that their expanded ransomware campaign is a direct reprisal for Russian atrocities at Bucha:

"After Bucha we elected to target certain companies, that may be civilian owned, but still would have an impact on Russia's ability to operate normally. The Russian popular support for Putin's war crimes is overwhelming. From the very beginning we made it clear. We're supporting Ukraine. We will honor our word. When Russia ceases all hostilities in Ukraine and ends this ridiculous war NB65 will stop attacking Russian internet facing assets and companies.

"Until then, f**k em. 

"We will not be hitting any targets outside of Russia. Groups like Conti and Sandworm, along with other Russian APTs have been hitting the west for years with ransomware, supply chain hits (Solarwinds or defense contractors)... We figured it was time for them to deal with that themselves."

Blueliv profiled NB65 early in March. The group (or individual) is believed to have first surfaced (through Twitter) on February 26th, two days after the Russian invasion of Ukraine.

Cyberattacks in Finland may be a shot across Helsinki's bow.

Russia's war against Ukraine has made NATO membership attractive to some neutral European states, notably Finland and Sweden, both of whom, NATO Secretary General Stoltenberg said last week, would be welcome in the alliance. Newsweek reports that the prospect of new members of the Atlantic Alliance was poorly received in Russia's Duma, especially with respect to Finland. Vladimir Dzhabarov, a member of the Duma's upper house, said Finland's accession to NATO would be "a strategic mistake." Finland would then, Mr. Dzhabarov said, "become a target," and NATO membership would be "a terrible tragedy for the entire Finnish people." But he expressed confidence that "the Finns themselves will sign a card for the destruction of their country."

There's growing sentiment in Finland for seeking NATO membership, and Finland's Ministry of Defense is preparing to defend against a Russian military reaction should their country join the Atlantic Alliance.

On Friday, as Ukrainian President Zelenskyy addressed Finland's parliament, Bloomberg reports that websites operated by Finland’s Foreign and Defense Ministries were disrupted by a distributed denial-of-service (DDoS) attack. The attack was over quickly, in about an hour, and, while its timing suggests a Russian operation, Security Affairs says that Helsinki did not immediately attribute the attack to Russia. Yle News reports that the Ministry of Defense is investigating.

Mixed reviews for US preemptive measures against GRU botnets.

A Bloomberg op-ed notes that last week's US disabling of GRU command-and-control over malware deployed to corporate networks (announced Wednesday), while welcome as an "aggressive" defensive measure, and while covered by US Federal warrants, was nonetheless a risky move precisely because of its aggressive quality. The operation involved entering corporate networks without their owners' knowledge or cooperation. "What’s remarkable about this operation is the decision to surreptitiously enter companies’ computer networks," the piece argues. "It’s one thing to have the police show up to your house when you aren’t at home to investigate and detain an intruder. It’s another thing entirely to cart away the intruder and never tell you about it. While U.S. allies might not mind, corporations both foreign and domestic could be forgiven for being alarmed at the prospect of U.S. authorities secretly rummaging around in their computers hunting for malware, even if it’s for a good cause." One concern is that such actions could erode the public-private cooperation generally seen as essential to effective, whole-of-nation defense against nation-state cyberattacks.

Russian disinformation sees domestic success but gains little traction abroad.

Russian domestic news seems to have succeeded in keeping up support at home for the war. Whether grief over losses (including grief over large numbers of dead retreating forces abandoned on the battlefield) will work for or against the Kremlin's line remains to be seen, but so far they seem to be succeeding in keeping rage high. When even Kremlin spokesman Peskov is denounced for disloyalty (admittedly from the very extreme point-of-view held by the strongly pro-Kremlin Chechen warlord Ramzan Kadyrov, who's characterized the war against Ukraine as a "jihad," that is, a religious obligation), moderation is unlikely to get much traction. And effective dissent seems even more remote.

Western governments and groups are looking for ways around pervasive censorship, Foreign Policy reports. The US is reported to be paying for StarLink terminals being delivered to Ukraine in a move designed to bolster the resilience of that country's Internet service.

"Pavel Morozov?" "Present, Teacher!" (Of course you are.)

Russian students are reporting their teachers to the organs if the teachers show insufficient enthusiasm for Russia's war against Ukraine, according to the Washington Post.

Preserving digital records in Ukraine.

In what amounts to a massive backup effort, librarians are working to preserve digital records of cultural or historical importance to Ukraine, the Washington Post reports.

Other digital archives are likely to prove important in the event war crimes charges are brought against Russian invaders and their commanders. Wired describes the work of an attorney in Chernivtsi who's archiving social media posts that recount Russian atrocities in territories they've fought over or occupied.