Ukraine at D+284: Microsoft's appreciation of the war's likely course.
Dec 5, 2022

With lines relatively static, Russia turns from ground combat to missile strikes (while the ammunition lasts), influence operations, and cyberattacks. Ukraine continues to enjoy EU and NATO support.

Explosions are believed to have hit two Russian airbases well inside Russian territory and to the rear of the front. The Guardian reports that the bases host Tu-95 and Tu-22M long-range bombers of the kind used to mount long-range missile strikes against Ukraine. Circumstantially, the incidents suggest that Ukrainian diversionary forces are now operating in Russia itself.

The front remains relatively unchanged, despite a strong Russian push against Bakhmut, and US sources foresee a "reduced tempo" of ground combat over the near term. US Director of National Intelligence Avril Haines sees Russia as expending ammunition at a very high and unsustainable rate. This conclusion is consistent with other assessments that see a shift in Russian emphasis to long-range strikes against Ukrainian infrastructure (also unsustainable) and cyberattacks against energy targets in particular.

Microsoft sees an intensification of Russian cyber operations against Ukraine.

Microsoft published an appreciation of Russian cyber operations on Saturday. It begins with a familiar assessment of Russian forces' conventional combat failure: "[I]n the wake of Russian battlefield losses to Ukraine this fall, Moscow has intensified its multi-pronged hybrid technology approach to pressure the sources of Kyiv’s military and political support, domestic and foreign." The report notes the combination of missile strikes, intensified information operations, and the extension of cyber attacks to targets outside Ukraine proper, notably Poland. Microsoft predicts two lines of coordinated attack, neither of which involves conventional ground combat:

"First, we can expect a continuation of Russia’s cyber offensive against Ukrainian critical infrastructure. We should also be prepared for the possibility that Russian military intelligence actors’ recent execution of a ransomware-style attack—known as Prestige—in Poland may be a harbinger of Russia further extending cyberattacks beyond the borders of Ukraine. Such cyber operations may target those countries and companies that are providing Ukraine with vital supply chains of aid and weaponry this winter.

"Second, we should also be prepared for cyber-enabled influence operations that target Europe to be conducted in parallel with cyber threat activity. Russia will seek to exploit cracks in popular support for Ukraine to undermine coalitions essential to Ukraine’s resilience, hoping to impair the humanitarian and military aid flowing to the region."

The GRU cyber operations unit Microsoft tracks as Iridium is likely to play a significant role in the next phases of the hybrid war. The group has a strong track record of attacks against civilian infrastructure (notably its disruption of sections of Ukraine's power grid in 2015 and 2016) and has also shown an indifference to the effects of its operations on those other than the primary targets. Indeed, the effect of NotPetya on companies, especially logistics companies, in 2017 suggests that those effects were not so much unintended collateral damage as they were welcome side-benefits. Deployment of wiper malware during the present war has had mixed results and has in general fallen short of what Russian commanders might have wished, but it represents an ongoing threat. The group's recent deployment of Prestige ransomware against targets outside Ukraine suggests a continued willingness to hit countries that support Ukraine's cause.

Microsoft thinks the significance of Prestige has generally been underestimated. "Perhaps in part because the impact was successfully limited by the defenders and responders in this instance, international outcry against this new extension of the hybrid war beyond the borders of Ukraine has been muted," the report says. "Nevertheless, this attack highlights the continued risk of Russian destructive cyberattacks to European organizations which directly supply or transport humanitarian and military assistance to Ukraine."

"Cyber-enabled influence operations" Microsoft defines as "targeted, online information campaigns designed to shift public opinion through manipulative or subversive means." The company warns that these will involve the familiar troll-farming and attempts to amplify the Kremlin's talking points. In this case, however, the Russian goals have necessarily moved from confusion (as was seen in the 2016 efforts against the US elections) to persuasion, an inherently more difficult challenge. The big picture Moscow seeks to paint is that Ukrainian obduracy, enabled by the US and the UK, is the source of expected European misery during a winter in which Europe is likely to be short of energy. Messaging is expected to focus particularly on German public opinion, reckoned a softer target for historical reasons (including the presence of a large and presumably ambivalent Russian diaspora population) and because Germany is more dependent on Russian energy than are most other Western European countries.

Microsoft says it intends to follow an approach built around what it calls the "Four Ds:" Detect, Disrupt, Defense, and Deter. These are, Redmond says, inherently cooperative activities, and Microsoft says it "will be working with our customers and in support of democracies."

It's striking to see the extent to which Microsoft has signed on to the cause of Ukraine. Its support for Kyiv is clear and unambiguous, with no attempt to achieve even an appearance of neutrality or even-handedness.

International support for Ukrainian cyber operators.

The European Union has established a cyber laboratory in Kyiv to support Ukraine's armed forces. The EU explained the lab's purpose:

"With this support, Ukraine can build and further develop the cyber defence capacities of its armed forces to detect intrusions to the information systems, deal with cyberattacks and strengthen their overall capacity in the cybersecurity area.

"This cyber lab will provide training environment to test and strengthen the hands-on skills of military cyber defence professionals with realistic virtual scenarios and real-time simulations that help to identify, monitor and protect from future cyberattacks faster and more effectively."

The US Department of Defense continues to express satisfaction over cooperation between US Cyber Command and its Ukrainian counterparts, and the success that cooperation had in blunting the cyber phases of Russia's hybrid war.

And NATO is looking to its own capabilities. A major cyber exercise began last week on the Atlantic Alliance's Cyber Range in Tallinn, Estonia. The exercise was threat-informed, and while using the customary fictional exercise scenario, was obviously directly concerned with the Russian threat. "Officials said they incorporated scenarios and lessons from the cyber attacks on Ukrainian infrastructure this year, including on power grids," Politico reports.

Bakhmut becomes a prestige objective.

Why is Russia investing so much in the capture of Bakhmut? It's become a central symbol of success in the Special Military Operation, the UK's Ministry of Defence (MoD) said Saturday. "Russian forces continue to invest a large element of their overall military effort and firepower along an approximately 15km long sector of entrenched front line around the Donetsk Oblast town of Bakhmut. Russia’s plan is likely to encircle the town with tactical advances to the north and south. In recent days, Russia has highly likely made small advances on the southern axis of this assault, where it is seeking to consolidate limited bridgeheads to the west of the boggy ground around the minor Bakhmutka River. Russia has prioritised Bakhmut as its main offensive effort since early August 2022. The capture of the town would have limited operational value although it would potentially allow Russia to threaten the larger urban areas of Kramatorsk and Sloviansk. However, the campaign has been disproportionately costly relative to these possible gains. There is a realistic possibility that Bakhmut’s capture has become primarily a symbolic, political objective for Russia."

Russian tactical air sortie rate falling.

High losses and poor visibility due to weather have combined to limit the usefulness of Russian tactical aviation since the highs it achieved in March. The MoD this morning reported, "In recent months, the number of sorties conducted by Russian tactical combat aircraft over Ukraine has reduced significantly. Russian aircraft now probably conducts tens of missions per day, compared to a high of up to 300 per day in March 2022. Russia has now lost over 60 fixed-wing aircraft in the conflict, likely including an additional Su-24M FENCER fighter-bomber and a Su-25 FROGFOOT ground attack aircraft last week. The decrease in sorties is likely a result of continued high threat from Ukrainian air defences, limitations on the flying hours available to Russian aircraft, and worsening weather. With Russia’s ground attack tactics largely reliant on visual identification and unguided munitions, the Russian air force will likely continue a low rate of ground attack operations through the poor winter weather."

Leaking poll results.

On Sunday morning the MoD offered an appreciation of Russian public opinion. "Recent polling suggests that Russian public support for the ‘special military operation’ is falling significantly. An independent Russian media outlet has claimed access to data collected by Russia’s Federal Protective Service for internal use. The data indicated 55 percent of Russians favour peace talks with Ukraine, with only 25 percent claiming to support continuing the conflict. These results are consistent with a separate October 2022 survey where 57 percent of respondents reported being in favour of talks. In April 2022, around 80 percent of Russians claimed to support the operation. Despite the Russian authorities’ efforts to enforce pervasive control of the information environment, the conflict has become increasingly tangible for many Russians since the September 2022 ‘partial mobilisation’. With Russia unlikely to achieve major battlefield successes in the next several months, maintaining even tacit approval of the war amongst the population is likely to be increasingly difficult for the Kremlin."

The Wilson Center has a more extensive account of internal polling, and the curious mixture it reveals of strong dissatisfaction and learned helplessness.

Wiper malware hits Russian targets.

Kaspersky has described a newly observed wiper, "CryWiper", a pseudoransomware Trojan the researchers think is designed to destroy data. It seems unlikely, in their judgment, that CryWiper is being deployed for financial gain. Although it displays a ransom demand with the customary Bitcoin wallet address, files overwritten by CryWiper are permanently unrecoverable. It focuses on databases, archives, and user documents, not on the victim's operating system. Kaspersky said in its Friday notice that so far it had observed CryWiper in use only against targets in Russia. Citing reports in Izvestia, Ars Technica says that CryWiper seems to have affected mostly "judicial courts" and "mayoral offices." No one is offering attribution, but the selection of targets would seem circumstantially to point to Ukrainian cyber operations.