Ukraine at D+28: Concerns about failure-driven escalation.
Mar 24, 2022

Russian forces remain stalled, and NATO is wary of compensatory Russian escalation, both with special and cyber weapons.

The UK's Ministry of Defence (MoD), in its regular situation updates, reports more Ukrainian success and Russian failure: "Ukraine is increasing pressure on Russian forces north-east of Kyiv. Russian forces along this axis are already facing considerable supply and morale issues. Ukrainian forces are carrying out successful counter attacks against Russian positions in towns on the outskirts of the capital, and have probably retaken Makariv and Moschun. There is a realistic possibility that Ukrainian forces are now able to encircle Russian units in Bucha and Irpin."

Other indications of Russian combat failure.

There are also signs of Russian difficulties in the southern part of Ukraine, where Russia had enjoyed more success than in other areas of operation. The brutal reduction of Mariupol continues, but the city has yet to fall. And the Telegraph reports satellite imagery that suggests Russia has withdrawn its helicopters from the airfield at Kherson, the only Ukrainian city of appreciable size Russia has taken.

Estimates of Russian casualties continue to rise. NATO estimates Russian combat deaths at between 7000 and 15,000, up from US estimates offered earlier this week. The high casualty rates (estimates of wounded run two-to-three times those of killed-in-action) are due to surprisingly strong and effective Ukrainian resistance, but also indicate poor training, bad planning, and poor preparation in the Russian forces themselves. The high casualty rate among senior officers (at least five Russian generals are reliably estimated to have died in the four weeks of Russia's war) is one clear sign of poor leadership at lower levels. Senior officers, an essay in Task & Purpose argues, are finding themselves required to lead from the front, and lead by example, when they find they can't rely on subordinate leaders to accomplish their mission.

In another sign of combat failure, Russian communications are said to have been thoroughly compromised by Ukrainian signals intelligence operators. Foreign Policy says that the failure of encrypted tactical radios has led Russian troops to find field-expedient alternatives, like cell phones stolen from Ukrainian civilians. (This hardly seems a good alternative.) Some of the (alleged and unverified, but plausible) Ukrainian intercepts are revelatory. The Telegraph reports, "Half of a Russian column advancing on the city of Mykolaiv 'have frostbite on their feet' as troops are forced to sleep in freezing trenches due to a lack of tents, according to an alleged intercepted call. Audio purported to be from a call between a Russian officer and his superior lays bare the harsh conditions facing the invading force as the war drags into its fourth week." Weather in Kyiv is seasonal for early spring, with showers and temperatures between 32 and 61℉ (0 to 16℃). Frostbite proper occurs when temperatures fall below freezing (32℉ or 0℃), but other cold weather injuries (like immersion foot, which is probably the condition mentioned in the apparent intercepts) can and do occur at higher temperatures. Cold weather injury prevention is mostly a matter of proper equipment and attentive leadership ("When did you last change your socks, private?") and thus we see further signs of low military standards.

Bilateral talks between Russia and Ukraine make little progress.

Russian Foreign Minister Lavrov blames the US for failure to reach a negotiated end to the Special Military Operation. It is, he said, in the American interest that the war continue. “The talks are tough: the Ukrainian side has expressed its understanding of the things that need to be agreed on during the talks but it keeps changing its position and discards its own proposals,” Mr. Lavrov explained. “It’s hard to shake off the feeling that our American counterparts are holding them by the hand.” Essentially, had Washington not been filling Kyiv with false hopes (and Stingers and Javelins), Kyiv would have been reasonable and reached a sensible accommodation with Moscow.

Western sanctions were both unexpected and illegal, he added. “When the Central Bank’s reserves got frozen… not a single person who was predicting the kind of sanctions the West might use had thought it possible,” Lavrov said. “This is plain robbery.” 

It's worth noting (1) that Foreign Minister Lavrov scoffed at the very notion of a Russian invasion of Ukraine until hours before it happened, and (2) that the Foreign Minister in the first week of the war said there would be no negotiations until Ukraine laid down its weapons, establishing surrender and accession to Russia's demands as a precondition for talks. (Both positions have been inoperative for some time.)

Three summits are underway in Belgium: NATO, the EU, and the G7.

Western leaders are engaged in three emergency summits to discuss a common response to Russia's war against Ukraine. US Secretary of State Blinken says, according to the Washington Post, there's growing evidence of Russian war crimes in Ukraine. Reuters reports a general consensus that Western nations will provide more matériel and other assistance to Ukraine. Defense News says that the assistance will include chemical and biological defense measures.

Fear of escalation.

NATO is increasingly concerned that Russia might turn to special weapons (nuclear, biological, or chemical) as its invasion falters. Chemical weapons are likeliest to see use, and some see Russian disinformation about Ukrainian biowar programs (which only official Russia seems able to discern) as providing a pretext for such use. The Atlantic Council describes the latest iteration of that disinformation: members of the Duma say that Ukraine is developing weaponized pathogens that would affect only certain ethnic groups and regions:

"Sergey Leonov, Deputy Chairman of the State Duma Healthcare Committee, alleged that Ukraine is preparing biological weapons and claimed that Ukraine was researching 'regional infections aimed at Russian regions.' He mentioned 'Crimean fever' as an example, likely referencing Crimean-Congo hemorrhagic fever, which was first documented in Crimea in 1944. The World Health Organization has reported that Crimean-Congo hemorrhagic fever 'is endemic in all of Africa, the Balkans, the Middle East, and Asia,' contradicting Leonov’s statement. He also amplified the debunked claim that a recent spike in tuberculosis cases in separatist areas is connected to Ukrainian biolabs. Leonov stated that Ukraine is researching ethnicity-targeting biological weapons, another disinformation narrative that echoes the Soviet-era campaign Operation Infektion. Viruses cannot be controlled or restricted to targeting a specific region or ethnicity."

Ukraine has also objected to opinions expressed on Russian state-sponsored television that deploying tactical nuclear weapons on the battlefield would be an appropriate and proportionate response to Western sanctions. With Russia having said it's placed its nuclear forces on higher alert (it's unclear they've actually done so) the US has sought direct, commander-to-commander contact with senior Russian military leaders (a common confidence-building measure intended to reduce the risk of accidental war). But so far, the Washington Post reports, the Russians aren't picking up the phone. The New York Times says the White House has assembled a "Tiger Team" to prepare contingency plans against the possibility of Russian escalation.

Concerns persist that President Putin will take his revenge in cyberspace for sanctions.

Large-scale Russian cyberattacks against Western targets haven't so far materialized, but governments aren't prepared to drop their guard. It strikes many policymakers, Newsweek reports, that Russian President Putin may turn to cyberattacks as retaliation for Western sanctions. US Representative Jason Crow (Democrat, Colorado 6th District), a member of the House Armed Services Subcommittee on Cyber, Innovative Technologies, and Information Systems, told Newsweek that "[Putin] will use the tools at his disposal to respond, and the biggest one that he has is cyber, so I think we can fully expect that there'll be cyberattacks on the United States and our allies in weeks and months ahead, I think we can expect Putin to come at our financial system and some of our critical infrastructure."

So far the cyberattack that disrupted Viasat service is the one cyber incident that's had significant effects beyond the borders of Ukraine, Wired reports. That attack remains under investigation, and hasn't been definitively attributed to Russia.

France 24 points out another possibility: Russian severing of undersea cables that carry much of the world's Internet traffic.

Russia has not departed from the line it took even before its invasion began. The Russian embassy to the US tweeted a representative statement back on February 18th: "We categorically reject these baseless statements of the administration and note that Russia has nothing to do with the mentioned events and in principle has never conducted and does not conduct any 'malicious' operations in cyberspace."

Wiper attacks reported continuing in Ukraine.

Eric Chien, security threat researcher at Symantec Threat Intelligence, says his team is seeing signs that wiper attacks, specifically using variants of HermeticWiper, are continuing against Ukrainian networks:

“Very anecdotal and while it hasn't really been in the news because it overall may not be material given the kinetic actions, the actual wiper attacks in Ukraine have not stopped. We just saw a variant of HermeticWiper deployed again yesterday on an organization we saw previously affected. And also on March 14, we saw a variant of HermeticWiper deployed on an organization that we also saw affected on the first day of the war. Communication with organizations in Ukraine is difficult, but our understanding is that for most of these organizations, they are far more impacted by the kinetic effects in their country.”

Russia also sustains cyberattacks.

Anonymous continues its nuisance-level hacktivism, most recently by hijacking printers to publish anti-war messages to Russian audiences. About 160 printers were compromised to send more than 40,000 messages into Russia, according to HackRead.

The IT Army of Ukraine, which is more militia than hacktivist collective, has been operating with more official direction. CNBC puts the total number of members of the IT Army as somewhat more than 311,000. “We want them to go to the Stone Age and we are pretty good at this,” one IT Army member said of the Russian enemy.

Shields Up.

"Shields Up" is a condition announced by the US Cybersecurity and Infrastructure Security Agency (CISA) to draw attention to a temporary period of high alert, associated with expectation of a connected wave of cyberattacks prompted by either a widespread vulnerability or an unusually active and capable threat actor. A CISA Shields Up announcement is meant to prompt organizations to enhance their security and resiliency by applying well-established best practices; CISA offers appropriate advice on the best practices.

The US Chamber of Commerce has published a private-sector version of Shields Up, advising businesses of what they should be aware of as the risk of Russian cyberattack mounts. We've heard from industry experts, who offer advice on how organizations should understand this period of heightened alert. Ric Longenecker, CISO at Open Systems, sees the White House and CISA warnings as intended to induce organizations to minimize their attack surface and monitor evolving threats: 

“Biden's plea to the private sector to harden cyber defenses is an important one, and one that enterprises should have anticipated based on continued federal recommendations to do so. Enterprises have been at a heightened risk since before the current global crisis and invasion of Ukraine, so defenses against cyberattack should already be at an all-time high. If you are still building up your defenses, you must realize that implementing more technology is not enough. You must also turn to people and processes. The people should be a dedicated, global team of security analysts that are monitoring for threats round-the-clock and the processes should be repeatable, real-time security missions that ensure a minimal attack surface.”

Mark Manglicmot, Arctic Wolf's VP of Security Services, discusses what Shields Up should mean to companies:

"Companies need to act urgently to ensure they harden themselves in preparation for nation-state-sponsored cyber-attacks. They must urgently look to patch any devices with known vulnerabilities and communicate to their employees the critical need to be on heightened alert for malicious links and attachments in suspicious emails.

"The likelihood of a cyber-attack on key industries has sharply risen over the past few weeks. These industries include critical national infrastructure (both public and privately owned), hospitals, and financial centers. These industries must maximize their information-sharing partnerships to keep each other abreast of attack intelligence in real-time.  

"Finally, 24x7 monitoring to detect the earliest attack indicator must be in place and ready to respond both technically and as a business. The sensitivity of this monitoring must be at its most sensitive level. If companies feel they aren’t ready for a cyber-attack, the three most important things to do are patch known vulnerabilities, rapidly establish 24x7 security operations monitoring, and alert employees to be on the lookout for malicious emails (a.k.a. phishing). Being a resilient business and thus continuing to operate through a cyber-attack is the ultimate goal."