Ukraine in the second year of Russia's war: Diplomacy, attrition, cyber ops.
Feb 24, 2023

Russia continues to inflict casualties as it moves toward attrition tactics, but little ground is being gained.

The UK's Ministry of Defence sees a consistent Russian strategic goal, and a change in tactics. Russia is now focused less on gaining and holding ground than on exhausting Ukraine through attrition. "Since 2014 Russia’s strategic goal in Ukraine has highly likely been consistent: to control its neighbour. Over 2014-2021, it pursued this objective through subversion, by fomenting an undeclared war in the Donbas, and by annexing Crimea. On 24 February 2022, Russia pivoted to a new approach and launched a full-scale invasion which attempted to seize the whole country and depose its government. By April 2022, Russia realised this had failed, and focused on expanding and formalising its rule over the Donbas and the south. It has made slow and extremely costly progress. In recent weeks, Russia has likely changed its approach again. Its campaign now likely primarily seeks to degrade the Ukrainian military, rather than being focused on seizing substantial new territory. The Russian leadership is likely pursuing a long-term operation where they bank that Russia’s advantages in population and resources will eventually exhaust Ukraine."

A general move toward tactics of attrition.

An Atlantic Council piece reviews the plausible paths to victory remaining to Russia. They come down, basically, to these two: successful attrition, which seems unlikely, or a weakening of Western resolve to support Ukraine. Russian hopes of victory now seem to be founded on these.

The attrition of Ukrainian forces Russia seeks comes at a steep human cost and may not in any case be attainable. A New York Times op-ed essay describes Russian willingness to sacrifice its infantry in attempts to draw Ukrainian fire, thereby revealing Ukrainian positions, a kind of reconnaissance not by fire, but rather by exposure to fire. That Russian infantry has been squandered in futile advances against Ukrainian lines seems undeniable, but that this amounts to a targeting technique would be surprising, unless ammunition shortages are squeezing Russian artillery to the point that indiscriminate area fire at poorly located potential enemy positions is no longer feasible. The appreciation concludes: "The Russian command shows a high tolerance for losses and continues to push its troops forward, prepared or not. After this current offensive ends, it may be obvious to Russian leaders that the military cannot overcome its lack of trained crews, noncommissioned officers, junior officers, logisticians and other specialists who were casualties of the war’s early days. The transmission in the Russian Army’s engine has broken. Flooring the gas pedal with barely trained men and old tanks cannot force a shift into a higher gear."

The Hill quotes a senior US official as saying, on condition of anonymity, that “The one consistency of last year was that [allies] underestimated the Ukrainians and overestimated the Russians.” Ukraine is expected to use the tanks and other equipment due to arrive in the coming months for a major offensive against Russian forces, a mobik army capable of brutality and massed fire (as long as the ammunition can be kept coming), but not of effective maneuver or coordinated combined arms action.

UN condemnation and a peace proposal from China.

As had been expected, the United Nations General Assembly yesterday passed a non-binding resolution condemning Russia's invasion and calling for the withdrawal of Russian forces from Ukraine. The AP reports that the vote was one-hundred-forty-one to seven, with thirty-two abstentions. The seven nays were from Belarus, Nicaragua, Russia, Syria, North Korea, Eritrea and Mali.

China, which was among the thirty-two abstentions, called for an end to the war on more-or-less face-saving terms for Russia. A spokesman for Beijing's Foreign Ministry tweeted the proposal in the form of twelve points:

"Just issued China's Position on the Political Settlement of the #Ukraine Crisis. Key points:

  1. "Respecting the sovereignty of all countries.
  2. "Abandoning the Cold War mentality.
  3. "Ceasing hostilities.
  4. "Resuming peace talks.
  5. "Resolving the humanitarian crisis.
  6. "Protecting civilians and prisoners of war.
  7. "Keeping nuclear power plants safe.
  8. "Reducing strategic risks.
  9. "Facilitating grain exports.
  10. "Stopping unilateral sanctions.
  11. "Keeping industrial and supply chains stable.
  12. "Promoting post-conflict reconstruction."

The proposal has been coldly received by Ukraine and its Western allies, Bloomberg reports. The US response was representative: National Security Advisor Sullivan said the proposal should have stopped at Point 1, pointed out that Russia could end the war at any moment, and dismissed China as having no credibility on the issues in any case.

For their part, Ukrainian leaders promised a push for victory.

Intelligence in the present war.

Russia's war against Ukraine has seen some changes to intelligence practices, and some enduring trends and practices. The changes have been significantly affected by the unprecedented availability of open-source intelligence (OSINT), which has ranged from high-quality, commercially available overhead imagery to the discussion (and video collection) of troop movements in social media. The New York Times observes that the US has been unusually willing, by its own standards, to discuss openly intelligence that would normally be classified. In part this comes from a recognition of the potential such intelligence has to influence governments and public opinion, but it's also enabled by the range of OSINT readily available. That availability means, in part, that intelligence sources and methods are less likely to be compromised by such public discussion.

Ukrainian intelligence services are also benefiting from the rise of OSINT. But they've also been able to make, Scripps reports, extensive use of more traditional sources, including sources within the Russian forces themselves.

CISA advises increased vigilance on the first anniversary of Russia's war.

The US Cybersecurity and Infrastructure Security Agency (CISA) advised all organizations to stay alert for renewed, more intense Russian cyberattacks as the war against Ukraine enters its second year. "CISA assesses that the United States and European nations may experience disruptive and defacement attacks against websites in an attempt to sow chaos and societal discord on February 24, 2023, the anniversary of Russia's 2022 invasion of Ukraine," the agency said. "CISA urges organizations and individuals to increase their cyber vigilance in response to this potential threat." CISA draws particular attention to its DDoS Attack Guidance for Organizations and Federal Agencies and its Shields Up webpage.

CERT-UA reports current Russian cyberattacks were prepared in December 2021.

According to BleepingComputer, CERT-UA has detected cyberattacks this week against Ukrainian government networks that used a web shell installed in December 2021. A Russian threat actor tracked as Ember Bear (also known as UAC-0056 or Lorec53) used it to install three backdoors, CredPump, HoaxPen, and HoaxApe, in February 2022 as the invasion was imminent, and maintained a presence through this week. The State Service of Special Communications and Information Protection of Ukraine (SSSCIP) described the incident:

"Today, on February 23, an attack was detected on a number of websites of Ukrainian central and local authorities, resulting in a modification of the content of some of their webpages.

"Presently, in the framework of the United Response Team under the National Cybersecurity Coordination Center, experts from the SSSCIP, the Security Service of Ukraine and the Cyber Police are working together to isolate and investigate the cyber incident.

"So far, it is safe to say that the incident has not caused any essential system failures or disruptions in the operation of the public authorities. Operation of most of the information resources has been recovered already, and they are running and available as usual.

"Apparently, on the eve of the anniversary of the full-scale invasion, Russia is attempting to stay visible in cyberspace where it acts, traditionally, as a terrorist state by attacking civilian targets."

Ember Bear is generally believed responsible for the Whispergate wiper attacks conducted against Ukrainian targets at the outset of the war. The use of such wipers has been a defining feature of Russian intelligence services' cyber campaigns against Ukraine. Ars Technica summarizes recent research and concludes that, "Nowhere on the planet has ever been targeted with more specimens of data-destroying code in a single year."

How the war has changed the cyber underworld.

TRM, in a study of the "illicit blockchain ecosystem" as it's evolved under wartime circumstances, finds that the venerable Conti ransomware gang, dispersed in May of 2022, has resurfaced in the form of several splinter groups. The principal successor to Conti, TRM believes, is Karakurt. CoinBase reports that Karakurt, like its predecessor, has targeted healthcare organizations.

It's significant that Conti declared its adherence to the cause of Russia in the immediate wake of the invasion, and that shortly after that declaration a cybercriminal with allegiances that ran toward Ukraine doxed Conti. That doxing, along with hostile attention from law enforcement, is held to have precipitated Conti's occultation. This seems, the Register writes, to have been part of a more general disruption of the Russophone criminal underworld. That underworld isn't confined within the borders of Russia, but has extended to Russia, Ukraine, Belarus, the Baltics, and nations in the South Caucasus and Central Asia, all formerly parts of the Soviet Union. Its gangs had, by general agreement, tended to refrain from hitting targets in the former Soviet Union. A study by Recorded Future concludes that Russia's invasion of Ukraine appears to have changed that, fracturing gangland along national and political lines. "The so-called 'brotherhood' of Russian-speaking threat actors located in the CIS has been damaged by insider leaks and group splintering, due to declarations of nation-state allegiance both in support of and opposed to Russia’s war against Ukraine," Recorded Future writes, adding that there have also been perturbations in the criminal labor market. "Russia is experiencing a wave of IT 'brain drain' that will likely decentralize the organized cybercriminal threat landscape. In addition to brain drain, waves of military mobilization of Russia’s citizens are resulting in decreased activity on Russian-language dark web and special-access forums."

Air raid alerts sound in nine Russian cities; Russia blames hacking.

Meduza reports that missile alerts sounded in nine Russian cities on Wednesday. The cities affected were Pyatigorsk, Tyumen, Voronezh, Kazan, Nizhny Novgorod, Magnitogorsk, Stary Oskol, Ufa, and Novouralsk. Russia's Emergency Situations Ministry confirmed, in its Telegram channel, that the false alarms were broadcast over radio stations whose networks had been hacked, and should be disregarded. The alerts were also distributed by text messages. The Register reports that regional authorities in some of the affected cities blamed "collaborators of the Kyiv regime" for the incident.

In a separate incident, the Weekly Blitz reports that radio stations in Crimea were also hacked, in that case to interrupt programming with the Ukrainian national anthem.