Ukraine at D+165: Command failure, cyberattacks, and espionage.
Aug 8, 2022

Russia now appears to be reacting to Ukrainian battlefield moves as the initiative in the war appears to be shifting away from Moscow. The effectiveness of Ukraine's new rocket and cannon artillery seems to have been central to the reversal of Russian fortunes, as high casualty rates and widespread command failure in the Russian army continue during Russia's prolonged operational pause. ESET reviews Russian cyber operations during the war. Russia's FSB and Ukraine's SBU make arrests for espionage (and at least some of the espionage the FSB is charging was done on behalf of China).


On Saturday the UK's Ministry of Defence (MoD) reported on the shift of Russian forces to the southern front. "Russian forces are almost certainly massing in the south in anticipation of Ukraine’s counter-offensive or in preparation for a possible assault. Long convoys of Russian military trucks, tanks, towed artillery, and other weapons continue to move away from Ukraine’s Donbas region and are headed southwest. Equipment was also reported to be moving from Russian-occupied Melitopol, Berdiansk, Mariupol and from mainland Russia via the Kerch Bridge into Crimea. Battalion tactical groups (BTG), which comprise between 800 and 1,000 troops, have been deployed to Crimea and would almost certainly be used to support Russian troops in the Kherson region. On 02 August 2022, a new BTG had been deployed to Crimea and BTGs are also being re-deployed from Eastern Grouping of Forces. These will highly likely be sent into the Kherson region in the coming days."

Along that southern front Ukrainian forces continue their isolation of the battlefield. "In the meantime, Ukrainian forces are focusing their targeting on bridges, ammunition depots, and rail links with growing frequency in Ukraine’s southern regions, including the strategically important railroad spur that links Kherson to Russian-occupied Crimea, almost certainly using a combination of block, damage, degrade, deny, destroy, and disrupt effects to try to affect Russia’s ability to logistically resupply." Ukrainska Pravda this morning reported claims by the Ukrainian Defense Ministry to have hit two key bridges near Kherson, the Antoniv and Kakhov bridges, with effective fire. The mayor of Melitopol (located in the southeast, between the Dnipro River and the Sea of Azov) yesterday posted to his Telegram feed that HIMARS strikes had inflicted damage on Russian forces deployed near his city.

In all, the war's center of gravity is shifting to the southern reaches of the Dnipro River. The British MoD closed its Saturday report with this assessment: "Russia’s war on Ukraine is about to enter a new phase, with the heaviest fighting shifting to a roughly 350km front line stretching southwest from near Zaporizhzhya to Kherson, paralleling the Dnieper River."

Crisis in command, crisis in the ranks.

In Sunday's situation report the MoD focused on what amounts to a Russian crisis in command. "The poor performance of Russia’s armed forces during its invasion of Ukraine has been costly for Russia’s military leadership, highly likely resulting in the dismissal of at least six Russian commanders since the start of hostilities in February 2022. The commanders of Russia’s Eastern and Western Military Districts have highly likely lost their commands. General-Colonel Aleksandr Chayko was dismissed as Commander of the Eastern Military District in May 2022. General-Colonel Aleksandr Zhuravlev, who has commanded the Western Military District since 2018, was absent from Russia’s Navy Day in St Petersburg on 31 July 2022 and has highly likely been replaced by General-Lieutenant Vladimir Kochetkov. General Aleksandr Vladimirovich Dvornikov," a man of unusually brutal reputation sent in to stiffen Russia's invasion, "has subsequently been removed after being given overall command of the operation in Ukraine, and General Sergei Surovikin has assumed command of the Southern Grouping of Forces from General Gennady Valeryevich Zhidko. These dismissals are compounded by at least 10 Russian Generals killed on the battlefield in Ukraine. The cumulative effect on consistency of command is likely contributing to Russian tactical and operational difficulties." Thus four named senior dismissals (of at least six) and ten senior deaths.

The shortage of personnel in the other ranks is being addressed, in part, by private military contractors. Citing dissident Russian media sources, the Kyiv Independent and others report that the Wagner Group in particular is working prisons, looking for about a thousand new contract soldiers who are being offered presidential pardons and a salary in exchange for their service. "Recruiters have already visited at least 17 prisons in 10 regions in Russia to hire prisoners and deploy them to the front lines, according to Russian media," the Kyiv Independent tweeted this morning. Reports from Russia Sitting, a charity that supports families of Russian convicts, say, according to the Telegraph, that "the Wagner Group had persuaded up to 1,000 Russian criminals from 17 prisons to sign up to fight in Ukraine." Wagner Group boss Yevgeny Prigozhin may have been personally involved in recruiting prisoners, but his spokesman disputes that claim. (By the way, the US State Department remains interested in chatting with any of Mr. Prigozhin's employees who might be interested in dishing on their boss. They'd especially like to hear from Internet Research Agency employees, but they'd probably be equally open to talking with Wagner Group people.)

What does it take to get a job with the Wagner Group? Well, you should be in decent physical condition (as demonstrated by a jailhouse test involving push-ups, sit-ups, and some other mainstays of physical training familiar to any soldier in just about any army), and you shouldn't be too old to hack it. You should also be willing to fight for Russia. The crime or crimes of which you've been convicted also matter. The Wagner Group prefers thieves and murderers (the applicant pool is composed of criminals in the ordinary sense of the word, not of political offenders). Those doing time for drug or sex offenses normally won't make the cut, but fit young thugs should step right up.

The Wagner Group is the most prominent of the private military contractors, but it's not the only one. Other companies in the sector include Shield, Slavic Corps, Patriot, and Redout. The Wagner Group is often described in the media as an "elite" organization, but that characterization should be received with a big grain of proverbial salt, at least nowadays. Its recruits receive perfunctory basic training before being shipped to the front. They do have a reputation for brutality, well-earned during their deployment to Syria, but a willingness to commit atrocities shouldn't be confused with "elite" status, certainly not if "elite" is understood to connote unusual combat effectiveness against an armed and organized adversary.

Scatterable mines deployed in Donetsk and Kramatorsk.

This morning the British MoD described the increased use by Russian forces of antipersonnel mines. "Russia is highly likely deploying anti-personnel mines to protect and deter freedom of movement along its defensive lines in the Donbas. These mines have the potential to inflict widespread casualties amongst both the military and the local civilian population. In Donetsk and Kramatorsk, Russia has highly likely attempted employment of PFM-1 and PFM-1S scatterable anti-personnel mines. Commonly called the ‘butterfly mine’, the PFM-1 series are deeply controversial, indiscriminate weapons. PFM-1s were used to devastating effect in the Soviet-Afghan War where they allegedly maimed high numbers of children who mistook them for toys."

Scatterable mines are dropped from aircraft or ejected from artillery or mortar shells. They're designed as an area-denial weapon. The PFM-1s, which have a plastic body and a relatively small explosive charge, are being pulled from Soviet-era stocks. Their age and their small size can be expected to give them a high dud rate, which will make them harder to clear when the war ends. "It is highly likely that the Soviet-era stock being used by Russia will have degraded over time and are now highly unreliable and unpredictable. This poses a threat to both the local population and humanitarian mine clearance operations."

A review of how cyber threats have shifted during Russia's war against Ukraine.

The opening phase of Russia's hybrid war was marked by a series of wiper attacks that at the time seemed to foreshadow a more extensive cyber campaign to come. That expected campaign has for the most part failed to materialize, but ESET's Threat Report T1 2022 offers some perspective on the early attacks and some of their sequelae and successor operations.

"On the eve of the Russian invasion of Ukraine, ESET researchers discovered new data-wiper malware deployed in Ukraine on that day, which was installed on hundreds of machines in at least five organizations in that country. The attack came just hours after a series of distributed denial-of-service (DDoS) onslaughts knocked several important Ukrainian websites offline. The data wiper was first spotted just before 17:00 local time (15:00 UTC), February 23.... ESET researchers assess with high confidence that the affected organizations were compromised well in advance of the wiper’s deployment based on these three findings:

  • "The attackers used a genuine code-signing certificate issued to a company called Hermetica Digital Ltd., issued on April 13, 2021. That is also the reason why ESET decided to name the malware HermeticWiper, as was suggested in a reply to ESET Research’s tweet.
  • "Initial access vectors varied from one organization to another, but the deployment of HermeticWiper through Group Policy Object (GPO) in at least one instance suggests the attackers had prior access to one of that victim’s Active Directory servers.
  • "Its compilation timestamp shows it was compiled on December 28, 2021. HermeticWiper overwrites several locations (such as master boot record and master file table) on compromised systems with random bytes; symbolic links and large files in My Documents and Desktop folders are overwritten with random bytes too. It recursively wipes folders and files in Windows, Program Files, Program Files(x86), PerfLogs, Boot, System Volume Information, and AppData folders. The wiper even wipes itself from the disk by overwriting its own file with random bytes. This anti-forensic measure is likely intended to prevent post-incident analysis. The machine is restarted; however, it will fail to boot because most files were wiped. ESET researchers believe that without backups, it is not possible to recover the impacted machines."

The early access and staging are significant insofar as they indicate Russian preparation for hybrid combat.
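ESET's third finding rests on a routine DFIR check: reading the compile timestamp out of a PE file's COFF header and comparing it with the time the sample was first seen on a victim. The script below is an added example, not ESET's code or tooling; it builds a constructed, minimal PE image inline (with the December 28, 2021 timestamp the report cites), parses the header the way a triage script would, and computes how long the sample sat between compilation and the February 23, 2022 deployment. The 30-day "pre-staged" threshold in `looks_prestaged` is an assumed heuristic, not a figure from the report, and compile timestamps can be forged, so the result is a lead for analysts rather than proof.

```python
import struct
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Timeline from the ESET report quoted above.
COMPILED_AT = datetime(2021, 12, 28, tzinfo=UTC)           # HermeticWiper compile date
DEPLOYED_AT = datetime(2022, 2, 23, 15, 0, tzinfo=UTC)     # first spotted, 15:00 UTC


def build_minimal_pe(timestamp: int) -> bytes:
    """Construct a tiny (non-executable) PE-shaped blob for testing the parser.

    Layout: 64-byte DOS header with e_lfanew at 0x3C, then the 'PE\\0\\0'
    signature and a 20-byte IMAGE_FILE_HEADER whose TimeDateStamp is set.
    """
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew -> PE signature offset
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 0, timestamp, 0, 0, 0, 0x0022)
    return bytes(dos) + b"PE\0\0" + coff


def pe_compile_time(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as a UTC datetime."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # TimeDateStamp is 4 bytes in at offset +8 from the signature
    # (4-byte signature, 2-byte Machine, 2-byte NumberOfSections).
    (ts,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(ts, tz=UTC)


def staging_lead_time(data: bytes, deployed_at: datetime) -> timedelta:
    """How long the binary existed (per its own timestamp) before deployment."""
    return deployed_at - pe_compile_time(data)


def looks_prestaged(data: bytes, deployed_at: datetime, min_days: int = 30) -> bool:
    """Assumed triage heuristic: a large gap between compile and first-seen
    suggests the operator had the tooling ready well before the attack."""
    return staging_lead_time(data, deployed_at) >= timedelta(days=min_days)


# Constructed sample standing in for the wiper binary (not real malware bytes).
SAMPLE = build_minimal_pe(int(COMPILED_AT.timestamp()))

if __name__ == "__main__":
    lead = staging_lead_time(SAMPLE, DEPLOYED_AT)
    print(f"compiled {pe_compile_time(SAMPLE):%Y-%m-%d}, deployed {DEPLOYED_AT:%Y-%m-%d %H:%M} UTC")
    print(f"lead time: {lead.days} days, pre-staged: {looks_prestaged(SAMPLE, DEPLOYED_AT)}")
```

On the constructed sample the lead time comes out at 57 days, which is the kind of gap that, together with the GPO deployment path and the earlier-issued code-signing certificate, supports ESET's assessment that access preceded the wiper by a wide margin.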

Another familiar attack failed, even with the malware in question being deployed in a new version. The Sandworm threat actor, also known as Voodoo Bear and for some time identified as Unit 74455 of the GRU, had been active with some success against sections of the Ukrainian power grid as early as 2015. It attempted to hit high-voltage electrical substations again in early April of this year, but without success.

"For over five years, ESET researchers have wondered why Industroyer, as sophisticated as it was, was never deployed again. This April, the wait was over, when we collaborated with CERT-UA to respond to a cyber-incident affecting an energy provider in Ukraine and helped to remediate and protect this critical infrastructure. This collaboration resulted not only in the disruption of the attack but also in the discovery of a new Industroyer variant, which we, together with CERT-UA, named Industroyer2. In this case, the Sandworm attackers made an attempt to deploy Industroyer2 against high-voltage electrical substations in Ukraine. In addition to Industroyer2, Sandworm used several destructive malware families including CaddyWiper, ORCSHRED, SOLOSHRED and AWFULSHRED. ESET researchers don’t know how attackers compromised the initial victim, nor how they moved from the IT network to the Industrial Control System (ICS) network. If successful, this attack could have left two million people without electricity, claimed Farid Safarov, Ukraine’s Deputy Minister of Energy."

FSB arrests director of Russian military research institute.

On Friday TASS was authorized to disclose that Dr. Alexander Shiplyuk, Director of the Institute of Theoretical and Applied Mechanics of the Russian Academy of Sciences’ Siberian Branch, was arrested by the FSB on charges of high treason. Dr. Shiplyuk is a specialist in the physics of high-speed gas flows who had been working on research related to the development of propulsion systems for Russia's currently much-touted hypersonic missiles. He's the third member of the Siberian Branch to be detained on charges of high treason. Anatoly Maslov was arrested on June 27th, and Dmitry Kolker was taken into custody on June 30th (he died of pancreatic cancer in Lefortovo prison on July 2nd). Newsweek reports that Kolker was alleged to have provided state secrets to China; the specific treason of which Maslov and Shiplyuk are suspected isn't clear.

Ukraine's SBU shuts down Russian spy ring.

NV reports that Ukraine's security service, the SBU, "terminated the activities of a Russian intelligence network that provided information about the deployment and movement of units of the Armed Forces of Ukraine in Slovyansk, Kramatorsk and Pokrovsky districts of Donetsk Oblast." In addition to troop movements, the spy network is alleged to have assisted Russian forces in developing battle-damage assessment. "Currently, all of the accused spies have been informed of their charges of endangering Ukrainian national security," NV says.