Ukraine at D+5: Sanctions, sieges, and one very long column.
Mar 1, 2022

Russian forces continue their slow attempt to invest Ukraine's two largest cities, as sanctions against Moscow move from failed deterrence to effective punishment, an economic "war of attrition."


Roughly half a million refugees are moving west, across Ukraine's borders, and the numbers are expected to increase. Russia continues its attempts to take major Ukrainian cities. Cyber operations in this hybrid war have so far failed to develop into the catastrophes that seemed well within Russian capabilities. (Where, for example, have been the attacks on the Ukrainian power grid, something Russia has shown itself capable of?)

Russia moves more forces against Kyiv and Kharkiv.

Commercial overhead imagery shows a very large "convoy" of Russian military vehicles headed for Kyiv. Military Times reports that the column was originally reported to be seventeen miles long, but that its length was soon upgraded to some forty miles. It's been moving since early yesterday at least; why isn't it there yet? The column's delayed arrival at Kyiv suggests several possibilities. The Russian army may have become road-bound, finding it difficult to move off-road for long distances. Or it may, and this is a related possibility, be having difficulty finding its way, perhaps because its geolocation services have been disrupted or have otherwise become unavailable. (Ukrainian work to disrupt the advance by taking the traditional step of removing road signs may be an indication that this is the case. The signs wouldn't be that important if GLONASS or GPS were up and working normally. And Google has suspended live traffic updates in Google Maps for the Ukrainian region, in what it characterizes as a safety measure; turn-by-turn navigation is still available. Russian columns can't use Google Maps? The difficulty in maneuvering across the ground is curious.) Or they may be having difficulty fueling their vehicles. In any case, slow-moving columns are notoriously vulnerable, and the Telegraph reports that Ukrainian forces have been able to exact a toll on the advancing Russian units. And the Russian difficulty in advancing against resistance is hard to explain.

Both Kyiv and Kharkiv are under attack, with heavier artillery fire reported in Kharkiv. The New York Times reports an increase in civilian casualties.

Bilateral negotiations have no immediate result, but will resume later this week.

Yesterday's talks between Russian and Ukrainian representatives, held at a checkpoint in Ukraine near the Belarusian border, concluded without any result beyond an agreement to hold further meetings later this week, the New York Times reports. That had been generally expected; it's noteworthy that Russia is negotiating at all, since Moscow's going-in position had been that it would have nothing whatsoever to say to Kyiv until Ukraine laid down its weapons. A Russian spokesman did say he saw some possibility for both sides to find common ground.

"Binary narratives" travel better.

An op-ed in Izvestia offers some insight into the developing Russian line about negotiations with Ukraine: the war is very complex, Russia's needs and concerns are very real, and the world should look beyond shallow Ukrainian grandstanding and lazy Internet memes and come to grips with the (again) very complicated realities underlying Russia's security concerns. And a Ukrainian negotiator's deliberate breaches of protocol (he was wearing a t-shirt and a baseball cap, and was photogenically glaring at the Russian side) shouldn't sway a sober and realistic appreciation of those complicated and difficult realities. All of which is one way of framing brutal and unprovoked aggression.

What's particularly interesting is the Russian turn to complexity as a theme, which suggests that there's a growing realization that the line asserting that Ukraine is the aggressor (and is led, to boot, by a neo-Nazi junta) isn't finding legs. Contrast that with an assessment of Ukrainian President Zelenskyy's messaging, which has largely succeeded in presenting the war in clear, simple terms, all the more successful for being basically true. The Telegraph quotes social media observers as noting that "binary narratives," good versus evil, and not the inside baseball of the Minsk Accords and the allegedly recent provenance of an allegedly artificial nation, always do well in social media.

The UN General Assembly takes up Russia's war against Ukraine.

The General Assembly's emergency session opened in New York yesterday afternoon. According to Reuters, sentiment is running heavily against the Russian war.

Deutsche Welle reports that Russian Ambassador Nebenzya defended his country's actions by characterizing them as "self-defense" against Ukrainian aggression (and its alleged violations of the Minsk Accords) and therefore legitimate under the UN Charter. He also indulged in some utterly unconvincing statements, saying that "the Russian army does not pose a threat to the civilians of Ukraine, is not shelling civilian areas," when of course the Russian Army is obviously doing both. The Russian denials seem almost pro forma, offered without much serious intention of convincing anyone.

The General Assembly is expected to vote on Russia's war tomorrow. Cuba, Nicaragua, Iran, Syria, China, and possibly India are expected to either refuse to condemn Russia or at least abstain. Belarus, of course, is a docile appendage of Moscow, and will surely vote with its masters.

Two new pieces of malware found in use against Ukrainian targets.

ESET describes two new tools in use against Ukrainian targets: IsaacWiper and HermeticWizard. The former is a distinct strain of wiper, the latter a worm that spreads HermeticWiper. ESET is circumspect about attribution, writing, "ESET Research has not yet been able to attribute these attacks to a known threat actor," but circumstantially all signs point to Russia. The use of the malware coincided with the Russian invasion, and so far only infestations in Ukraine have been reported.

Dealing with WhisperGate and HermeticWiper.

The US Cybersecurity and Infrastructure Security Agency (CISA) and its FBI partners have continued to update the guidance they've issued on the wiper malware that's been observed in sporadic use against Ukrainian targets. The Globe and Mail reports that Canadian authorities are offering comparable advice to their country's own businesses.

Erich Kron, security awareness advocate at KnowBe4, noted that wipers masquerading as ransomware are nothing new, and that we can expect to see them again:

“There is no denying that part of modern warfare is taking place virtually. Cyberwarfare threatens communications and critical infrastructure just as much as traditional kinetic warfare does, only it can be done from thousands of miles away. Because these attacks often target victims through email phishing, these attacks could end up hitting inboxes almost anywhere, and the attackers may not even know it.

"This is not the first time data wiping malware has been disguised as ransomware. While falling victim to ransomware is bad enough, at least there is hope for data recovery. However, with these data wipers, there is no way to get the data back; even if the attackers demand a ransom, which will do nothing but help fund them in the future.

"Because these types of attacks most often start with a phishing email, it is critical that organizations remind employees of the dangers related to using email, and that they have a process in place to report suspected phishing attacks. The last thing an organization wants to do is to have an employee share a potentially malicious email with coworkers, in an effort to figure out if it is dangerous or not. In addition, because of the potential for this malware to miss its target and hit random inboxes, organizations, even those not at all related to the Ukraine and Russian conflict, should ensure they have backups that are tested and stored offline, and that their disaster recovery procedures are up to date and ready to be implemented quickly.”

The muted cyber phases of a hybrid war.

Russia had shown, in attacks on sections of the Ukrainian power grid going back to 2015, the ability to mount large-scale and destructive operations against its neighbor. But so far the cyberwar has been limited to relatively confined wiper attacks (which are cyberattacks proper) and influence operations (disinformation and trolling). The Washington Post describes the relatively quiet cyber front, and quotes Columbia University's Jason Healey as saying, "We imagined this orchestrated unleashing of violence in cyberspace, this ballet of attacks striking Ukraine in waves, and instead of that we have a brawl. And not even a very consequential brawl, just yet.” That could, of course, change.

Influence operations have been more extensive. Hacktivists claiming to be adherents of the Anonymous collective have taken down or defaced Russian media and government websites. SC Magazine reports that TASS, RIA Novosti, Kommersant, and Izvestiya, among others, have all been affected. Ukraine has also recruited an online "IT army" of volunteer hacktivists to take action against Russian interests.

Some of the response to both cyberattacks and influence operations has involved a public-private partnership, the New York Times reports, as companies follow governments' lead in opposing Russian operations against Ukraine. Microsoft has been openly rendering assistance to the Ukrainian government as Redmond explains in a blog post:

"All of us who work at Microsoft are following closely the tragic, unlawful and unjustified invasion of Ukraine. This has become both a kinetic and digital war, with horrifying images from across Ukraine as well as less visible cyberattacks on computer networks and internet-based disinformation campaigns. We are fielding a growing number of inquiries about these aspects and our work, and therefore we are putting in one place a short summary about them in this blog. This includes four areas: protecting Ukraine from cyberattacks; protection from state-sponsored disinformation campaigns; support for humanitarian assistance; and the protection of our employees.

"At the outset, it’s important to note that we are a company and not a government or a country. In times like this, it’s especially important for us to work in consultation with those in government and, in this instance, our efforts have involved constant and close coordination with the Ukrainian government, as well as with the European Union, European nations, the U.S. government, NATO and the United Nations."

Such cooperation isn't confined to the US. Bitdefender is working closely with Romania's National Cyber Security Directorate to help Ukraine against the Russian cyber threat. And CyberScoop summarizes the ways in which security companies are offering assistance to those threatened, in Ukraine and elsewhere.

Social media companies have also moved to restrict Russian access to their platforms, the AP reports, and to label material that can be traced to the Kremlin as deriving from Russian government sources.

Leaked files reveal Conti as a privateer (or at least a crew of FSB goons).

For its part, Russia has had the aid of some criminal gangs. 

Cybereason shared a screenshot from Conti's site with us yesterday afternoon. Surrounded by stolen data and an explanation written in an aren't-we-merry-dogs fashion ("If you are a client who declined the deal and did not find your data on cartel's website or did not find valuable files, this does not mean that we forgot about you, it only means that data was sold and therefore it did not publish in free access!") was this, labeled "WARNING" (capitals in the original):

"As a response to Western warmongering and American threats to use cyber warfare against citizens of Russian Federation, the Conti team is officially announcing that we will use our full capacity to deliver retaliatory measures in case the Western warmongers attempt to target critical infrastructure in Russia or any Russian-speaking region of the world. We do not ally with any government and we condemn the ongoing war. However, since the West is known to wage its wars primarily by targeting civilians, we will use our resources in order to strike back if the well being and safety of peaceful citizens will be at stake due to American cyber aggression."

The Verge, speaking with Hold Security, reports that the chat logs leaked from Conti were obtained by a legitimate Ukrainian researcher who infiltrated the gang, and not by a disaffected (if patriotic) criminal. Among the more interesting revelations in the chat logs are indications that Russia's FSB security service had Conti go after the muckraking news service Bellingcat.

Ken Westin, Director, Security Strategy at Cybereason, sees gangs like Conti as being in a difficult position:

"The Russian-based ransomware groups are stuck between a rock and hard place. They have been able to operate with impunity, targeting businesses outside of Russia. Now, if they disagree with the government, they become a target and can be brought down. The ransomware gangs don't operate in isolated environments—there is an entire infrastructure that is enabling them, from crypto exchanges, money launderers, and the hosting and technology providers. All of this can be brought down by the Russian government in a heartbeat.

"What we are seeing in the U.S. is historic, with groups like Anonymous and others actively involved in what would usually be criminal hacking, even though the U.S. government isn't granting people permission, we aren't exactly seeing anyone in the Biden Admin saying stand down."

Russian toleration and protection of cybercriminal gangs has played an important role in the gangs' success and survival, but Conti's experience may have moved other crews to trim in the direction of apolitical neutrality, SC Magazine reports, quoting the newly high-minded criminals of Conti rival Lockbit as follows:

"Our community consists of many nationalities of the world, most of our pentesters are from the CIS including Russians and Ukrainians, but we also have Americans, Englishmen, Chinese, French, Arabs, Jews, and many others in our team. Our programmers developers [sic] live permanently around the world in China, the United States, Canada, Russia and Switzerland. Our servers are located in the Netherlands and the Seychelles, we are all simple and peaceful people, we are all Earthlings. For us it is just business and we are all apolitical. We are only interested in money for our harmless and useful work," wrote LockBit in a message translated into eight different languages.... We will never, under any circumstances, take part in cyber-attacks on critical infrastructures of any country in the world or engage in any international conflicts."

Sanctions move from deterrence to economic "war of attrition."

Foreign Policy reviews the current state of sanctions against Russia. They're along the lines of those the US has levied against Iran, but less comprehensive. On the other hand, there's a great deal more international unanimity on the measures imposed against Russia. Even traditionally and proverbially neutral Switzerland has sanctioned Moscow over its invasion of Ukraine. The Foreign Policy essay sums up Russia's prospects like this:

"As U.S. and EU sanctions intensify, Russia’s economy will undoubtedly suffer. The country’s stock market and the ruble will plumb new lows, inflation will jump, and financial distress will set in. Living standards will fall, and economic disruption might pressure Putin to end the war. In such a hopeful scenario, Washington and others should be prepared to relieve some of the most draconian sanctions. But this is not an outcome the United States and its allies can count on. What Washington and others can count on, however, is that sanctions will worsen Russia’s position in its long-run competition with Western countries—reducing Moscow’s overall ability to fund its military and project power."

The International Institute of Finance predicts Russian default on its international debt unless the crisis in Ukraine is resolved soon. Should Russia default, as seems likely, the IIF sees a double-digit contraction in the country's economy as a likely result.

Russian countermeasures include a rule that foreign owners of Russian equities may not sell those equities to Russian citizens. This is a protective as opposed to punitive measure: Moscow's goal is to prevent the flight of capital, not to directly sanction foreign companies. But markets continue to punish Russian equities as investors come to regard Russian companies as uninvestable. A representative exchange traded fund (ETF), CSRU.L, which specializes in Russian stocks, has cratered, losing 50% of its value so far this week. A Russian-government "rainy-day fund" is, Reuters reports, seeking to stabilize share prices. The Kremlin has directed the Finance Ministry to use up to 1 trillion rubles (approximately $10.3 billion) from the National Wealth Fund to buy stocks.

Energy companies are divesting themselves of shares in Russian oil and gas producers, and logistics companies are exiting the Russian market. Maersk, the Loadstar reports, has suspended booking cargo ships to and from Russian ports. The sanctions are also affecting the legal sector, as Big Law reevaluates its relationships with Russian clients.

We heard some advice from a Russia expert, not-for-attribution, about the wisdom of investing in Russian companies. If you were thinking of buying Russian stock, he advised (and we paraphrase), then put the money you were planning to invest in a wastepaper basket and set it on fire. That way your money will at least do the work of heating the room, which is a better return on investment than any dividend or appreciation in share price you might hope for. The expert was a little extreme, but you see the guy's point.

For what it's worth, Russia says sanctions won't deflect it from its course in Ukraine, but that's whistling in the dark.

A brief kinetic explainer.

Russia has been widely reported to be using new and illegal weapons in Ukraine. The classes of weapons, however, are neither particularly new nor, probably, inherently illegal. Their indiscriminate use against civilian targets, on the other hand, probably is unlawful under the laws of armed conflict.

High explosive munitions like rocket warheads and artillery shells do most of their damage by fragmentation, the pieces of the casing around the high explosive that detonation throws off at lethal speeds. Thermobaric weapons (which some media reports are calling "vacuum bombs") are different: their lethality lies immediately in their blast. In a thermobaric device, the fuel, usually in the form of an aerosol or a highly volatile gas, is widely dispersed in a cloud, and then ignited. The oxidizer is provided by the surrounding atmosphere, and the blast is very intense. A number of militaries have had thermobaric weapons in their arsenals for many years.

"Cluster bombs," or "improved conventional munitions," have also been used for many years, by many armies. They, in contrast to thermobaric weapons, work their effects through fragmentation, and are designed to maximize that fragmentation. An improved conventional munition is a shell, bomb, or warhead that carries a large number of smaller explosive devices. They typically range in size from roughly a golf ball to a softball, and they're dispersed over the target when the bus that carries them opens. The effect is to significantly increase the density of the fragmentation around the target.

Both classes of weapons are problematic because of their potential for producing unnecessary suffering (particularly in the case of thermobaric devices, whose effects can be unusually cruel even by the coarse standards of conventional war) and for presenting an indiscriminate threat to non-combatants (especially the cluster munitions). A rule of thumb about duds is that they're dangerous, and that, the smaller the dud, the more sensitive it is to accidental detonation days or years after its deployment. Improved conventional munitions historically have had unusually high dud rates, and the submunitions they dispense are small. The Russian use of both weapons in built-up areas appears to have been recklessly heedless, and the cluster munitions will be killing people casually and unintentionally for years to come.

Two notes on usage. The small pieces of steel produced when a bomb or shell explodes are strictly speaking "fragmentation," not "shrapnel." Shrapnel was a specialized kind of artillery shell, now long obsolete, that hasn't been in most armies' bunkers since the 1950s, and even then it was obsolescent. "Missile" is usually reserved for a guided rocket. Unguided rockets, "free rockets," are typically called simply rockets. There may be some "guided missiles" falling on Kyiv and Kharkiv, but most of what's hitting the cities would be rockets. The most widely used Russian rocket artillery is the Grad ("Hail") 122mm multiple rocket launcher, and many of those are being used in Ukraine.