Ukraine at D+12: Roadbound and stalled, Russian army turns to indiscriminate fires. Low-level hacking continues.
Mar 8, 2022

Russian maneuver shortcomings prompt a firepower intensive war. Negotiations continue despite Moscow's ultimatum, but without obvious effect. Hacktivism, privateering, and influence operations mark the cyber phases of Mr. Putin's war.

The Russian army continues to exhibit surprising tactical and operational shortfalls. Its roadbound heavy forces, even as slow-moving as they've proved to be, have clearly already outrun their logistic support. Having been unable to capture key Ukrainian cities, they've turned to heavy and indiscriminate targeting of civilians despite a second negotiated round of cease-fires. Some casual and accidental brutality inevitably accompanies every modern war, but Russian attacks against cities and the refugees trying to flee them seem for the most part to be an intentional and indeed deliberate attempt to redress Russian combat failure.

The nearly two million Ukrainian refugees are the ones suffering, but there's also a much smaller, though still significant, outflow of Russians seeking to escape the effects of the war. We heard yesterday that Russians were entering Finland to get out ahead of a feared declaration of martial law, and now reports out of Georgia indicate that Russians have been entering that country in the hope of escaping the effects of international sanctions against Moscow.

The UK's Ministry of Defence yesterday afternoon tweeted an update on Russia's war against Ukraine, and took particular notice of Moscow's attempts to control information. "Russia is increasingly restricting domestic social media access to limit negative coverage of Russia’s invasion of Ukraine. This will further confine the information space and make it increasingly difficult for the Russian population to gain access to anything other than the Russian state’s official view. This indicates the Kremlin’s concern over the Russian population’s attitude to the conflict." Early this morning the MoD added a spot report: "Ukrainian resistance against a Russian offensive towards Kyiv endures around the nearby towns of Hostomel, Bucha, Vorzel and Irpin. Russia continues to directly target evacuation corridors, resulting in the death of several civilians whilst trying to evacuate Irpin. Due to heavy fighting in the town, it has reportedly been without heat, water or electricity for several days."

The current state of Russo-Ukrainian negotiations.

Russian President Putin continues to stand by his "demands," which include permanent disarmament and neutralization of Ukraine, formal cession of Crimea to Russia, and independence for Luhansk and Donetsk. Ukrainian President Zelenskyy has dismissed those demands as an unacceptable ultimatum, and says that Ukraine will continue to resist. The Telegraph observes that plans for a puppet regime in Kyiv appear to have been silently dropped, but that's unlikely to count as a concession sufficient to attract Ukrainian submission. It's worth noting that negotiations between Russian and Ukrainian representatives continue, although without much result (the cease-fires agreed to are violated within hours by Russian forces). Al Jazeera reports that the two countries' foreign ministers will meet soon in Turkey for high-level talks. Early in the course of its war Russia had insisted on Ukrainian surrender as a precondition of negotiations. That hard line is clearly no longer operative, but the change is probably driven more by Russian operational failure than by any prodding of humanitarian conscience.

Russia seems to be looking for some foreign fighters (but Ukraine seems to have found its own).

The Guardian cites sources in the US Department of Defense to the effect that Russia is recruiting Syrian mercenaries to fight in Ukraine, a development the Pentagon finds "noteworthy," presumably because it indicates uncertainty about Russian forces' ability to attain their objectives without external reinforcements. Even Belarusian support seems shaky. According to the Atlantic Council:

"Reports continue to surface showing that Belarusians are joining Ukrainians to fight against Russia. On March 5, a Belarusian volunteer in Kyiv, Vadzim Prakopyeu, reported that 200 Belarusians are currently fighting with the Ukrainian Armed Forces, and an additional 300 volunteers are planning to join the Foreign Legion. These claims are supported by online videos of Belarusian volunteers holding drills in Ukraine.

"According to the Belarusian opposition, there are signs that the Belarusian army is avoiding direct confrontation with the Ukrainians. According to Franak Viačorka, a senior advisor to Belarusian opposition leader Sviatlana Tsikhanouskaya, the Belarusian forces were supposed to enter Ukraine in late February, “but something went wrong.” These claims are supported by the recent resignation of Deputy Defense Minister Major General Viktor Gulevich. He reportedly resigned on March 6 due to not being able to “support the current Russian invasion of Ukraine.” According to Tsikhanouskaya, Lukashenka has effectively ceded the control of the Belarusian military to the Kremlin."

Influence operations: the advantage still seems to go to Ukraine, as Russian efforts look inward.

Moscow is recycling implausible and unsupported claims that Ukraine is attempting to create a "dirty bomb," that is, a radiological catastrophe, by mining a research reactor in Kharkiv. Sputnik maintains that Russian forces are actually the heroes in Kharkiv, having secured the reactor and prevented the disaster the Ukrainians had prepared. Russian government-controlled media are also claiming that Ukraine is attempting to conceal a large-scale biowar program it's been operating with US support and collusion. Neither of these seems to have any international legs, but then the audience is probably a domestic one.

Russian domestic influence operations continue to rely heavily on censorship. There are also some signs of direct intimidation of journalists. Reporters in Odessa say they've received menacing emails from odezzarus@protonmail[dot]com. The Atlantic Council describes what appears to be a coordinated campaign of intimidation:

"The email’s subject line stated, 'your chance to be saved.' The message urged outlets to give up anti-Russian activities and place a pro-Kremlin banner on their websites spelling Odesa with a “Z” instead of an 's.' The letter Z has become a symbol adopted by Russian President Vladimir Putin’s supporters to express solidarity with the invasion, as Russian forces have used the Z marking on their military equipment, likely to avoid so-called friendly fire incidents. The email claimed that these actions would 'soften the inevitable punishment for Nazi involvement.' 

"The next day, Odesa journalist Konstantin Gak said he received a second email from the same sender. The email included multiple Z’s and claimed local journalists bear personal responsibility for the 'betrayal of Russian identity' and 'dissemination of Nazi propaganda.' The sender claimed 'redemption' is inevitable and to 'soften the sentence,' journalists should 'riot.'"

Even the most assiduous propagandists seem to have trouble finding good help nowadays:

"Gak noticed that the sender forgot to delete a part of the email that provided instructions for how to compose the message. According to the instructions, senders are told, 'add here a few paragraphs on local specifics,' 'these emails should be disseminated every day to crush the morale,' 'send emails individually, not to a list,' and 'think about painful dots to push on.' These instructions suggest the emails could be part of a broader campaign to threaten Ukrainian journalists."

The biggest obstacle to a successful Russian information campaign, however, apart from persuasion being inherently harder to achieve than confusion, may be the pervasive availability of social media and a large international journalistic presence in Ukraine. Unusual Western openness with intelligence, notably used for what some have called "prebunking," the anticipation of Russian disinformation themes and the release of fact-checks before the disinformation finds its legs, seems also to have played a part.

Assessing the effects of hacktivism and cyber operations in the hybrid war.

A report late last week from Check Point Software gives a timely reminder that in any war, and in a hybrid war especially, early reports and claims should be treated with cautious skepticism. That applies to claims on behalf of both sides. Here are a few such early reports, which may or may not eventually be confirmed.

Inside Cyber Warfare reports that operators at Ukraine’s Defense Intelligence Service Cyber Operations Unit penetrated networks at Russia's Beloyarsk Nuclear Power Plant. The incident, which is so far unconfirmed by other sources, is said to have been confined to information collection.

Anonymous claims to have hacked into Russian television feeds and interrupted their programming with footage of the war against Ukraine. According to Computing, the hacktivist collective sees their action as a way of bypassing state control of media to bring home to the Russian public the facts of the war being waged on their behalf.

Elon Musk tweeted that some of the Starlink terminals his company has provided to Ukraine are being jammed. "Some Starlink terminals near conflict areas were being jammed for several hours at a time. Our latest software update bypasses the jamming," he wrote, adding, "Am curious to see what’s next!" In general, however, Ukrainian Internet service appears to have for the most part remained up. That's either because, Defense One speculates, Ukraine got good at hardening its infrastructure, or because Russia needs that Internet for its own operations and prospective occupation.

Who's helping Russia defend its networks, and who's assisting them in recovering from cyberattacks? Huawei, the Indian news service WION reports. Australian Defence Minister Dutton, the Daily Mail says, has criticized Huawei for working on behalf of Russia, and accused Moscow and Beijing of having concluded an "unholy alliance."

Privateering: Conti, Ragnar Locker, and (probably) others.

The Conti gang, which has publicly pledged its allegiance to Mr. Putin's war, has shrugged off the reputational damage it sustained when it was infiltrated by a Ukrainian hacker who released records of the gang's internal chatter. eSentire has published an extensive account of Conti's history and an assessment of its current capabilities. Attacks the group conducted against Western targets may have represented a contribution to Russian battlespace preparation.

The US FBI updated its alert concerning Ragnar Locker yesterday. "As of January 2022, the FBI has identified at least 52 entities across 10 critical infrastructure sectors affected by RagnarLocker ransomware, including entities in the critical manufacturing, energy, financial services, government, and information technology sectors." Ragnar Locker was composed by Russophone coders, and MITRE notes that Ragnar Locker doesn't encrypt files if it determines that its target is in either Russia or the Near Abroad. This makes it likely that its operators have enjoyed a privateer's immunity from Russian authorities.

Tim Erlin, VP of Strategy at Tripwire, commented on the difficulty of fending off this sort of attack:

“While it may seem like ransomware is unavoidable, and being prepared to respond to an infection is important, there are preventive measures that organizations can take to reduce the risk of becoming a victim.

“Ransomware doesn’t magically appear on your systems. Attackers have to find a way to install their preferred flavor of ransomware on your systems, and shutting down common attack vectors will reduce the risk. Ensure that your systems are securely configured, and as free from vulnerabilities as possible. Attackers will take advantage of insecurely configured and vulnerable systems. A non-critical system may provide the attacker with an initial foothold from which they can expand. Phishing is another common attack vector. Training users and implementing strong anti-phishing measures can help. Finally, attackers rarely encrypt the first system they compromise. They need to encrypt sensitive data to have an impact. Advanced organizations may choose to implement capabilities like integrity monitoring to detect lateral movement inside the network that other tools might miss.”