Ukraine at D+292: Successful brutality, but combat failure.
N2K logoDec 13, 2022

Why did Russian cyber ops fail? Maybe because of the same military incompetence and poor preparation that's characterized Russian kinetic combat operations.

Ukraine at D+292: Successful brutality, but combat failure.

Heavy fighting continues in the Donbas, but without appreciable Russian gains. Ukraine continues to execute effective, selective strikes against Russian rear areas, most recently an operation that rendered a key bridge near the southern city of Melitopol unusable by military traffic. The Guardian suggests that Ukraine is repeating the successful tactics that led to the recapture of Kherson this autumn. The bridge hit last night had been important to Russia's lines of communication into occupied Crimea. According to the Telegraph, absence of signs of a missile strike indicate that the attack may have been the work of Ukrainian special forces.

Ukrainian President Zelenskyy proposed a negotiated peace on the basis of Russia beginning its withdrawal from the territories it still occupies, the Guardian reports. Russia rejected such negotiations out of hand, and said that Kyiv needed to recognize reality, specifically that the occupied territories now form an integral part of Russia. "In response, Kremlin spokesperson Dmitry Peskov said Ukraine needed to accept new territorial 'realities', including that the Kherson, Zaporizhzhia, Donetsk and Luhansk provinces of Ukraine were Russia’s 'new subjects'." On troop withdrawals, Mr. Peskov explained Russia's position: "The Ukrainian side needs to take into account the realities that have developed during this time. And these realities indicate that new subjects have appeared in the Russian Federation. They appeared as a result of referendums that took place in these territories. Without taking these new realities into account, no kind of progress is possible." The referenda to which he referred are widely regarded as fraudulent and illegitimate, and have attracted little international recognition. There's "no question," Mr. Peskov said, of even the beginnings of a Russia withdrawal by the end of the year.

A number of reports quote US sources on Russia's high ammunition expenditure, and its consequent turn to decades-old ammunition stocks. While ammunition resupply is indeed a big problem for the Russian army, it would be easy to make too much of that army's use of old ammunition. If properly stored, ammunition can easily last in serviceable condition for half a century. (But note: "properly stored." If it's been carelessly or incompetently stored, it's not going to function reliably.)

President Putin cancels traditional end-of-year public press conference.

For the first time in ten years, Russian President Putin will not hold his annual end-of-year press conference. "On 12 December 2022, the Kremlin confirmed that President Vladimir Putin will not hold his traditional end-of-year press conference. This will be the first time in 10 years that Putin has not held the annual event, while the usual public phone-in also did not take place this year," the UK's Ministry of Defence (MoD) writes in this morning's situation report. The MoD's analysts think the cancellations are evidence that Moscow is concerned about losing control of the public narrative concerning its war. "The press conference has become a significant fixture in Putin’s calendar of public engagement and has frequently been used as an opportunity to demonstrate the supposed integrity of Putin. Although questions are almost certainly usually vetted in advance, the cancellation is likely due to increasing concerns about the prevalence of anti-war feeling in Russia. Kremlin officials are almost certainly extremely sensitive about the possibility that any event attended by Putin could be hijacked by unsanctioned discussion about the ‘special military operation’."

A phishing campaign in Ukrainian in-boxes.

The State Service for Special Communications and Information Protection of Ukraine warned citizens to be alert for a phishing campaign. The phishing email misrepresents itself as being from the State Emergency Service of Ukraine. The phishbait in the subject line is "How to recognize a kamikaze drone," which shows an attempt to trade upon recent widespread fears of Russian drone attacks. The bogus email address used is "morgunov.a@dsns[.]com[.]ua," and that domain was registered only a month ago, on November 8th.

The malicious payload is DolphinCape, whose main function "is to collect information about the computer (host name, user name, bit rate, OS version, values ​​of environment variables), launch EXE/DLL files, display a list of files and download them, as well as create and exfiltrate snapshots screen," the warning explains. This isn't the first phishing campaign to impersonate Ukrainian government agencies. Earlier efforts in October and November spoofed "the State Special Communications, the press service of the General Staff of the Armed Forces of Ukraine, the Security Service of Ukraine, and even...CERT-UA." There's no specific attribution in the warning, but circumstantially the DolphinCape campaign looks like a Russian operation. It serves Russian interests, and it's coordinated in at least a general way with a principal kinetic effort in Russia's war: indiscriminate drone attacks against civilian infrastructure.

The Record reports that the targets of the campaign are government agencies and rail transportation.

The enduring riddle of why Russian offensive cyber operations have failed in Ukraine.

The mingy phishing expedition the State Service for Special Communications and Information Protection of Ukraine describes has been typical of Russian cyber operations. Why should this be so?

A study, "Cyber Operations in Ukraine: Russia's Unmet Expectations," published by the Carnegie Endowment for International Peace offers the beginning of an answer to one of the most-discussed questions about Russia's war against Ukraine: why have Russian cyber operations fallen so far short of pre-war Western expectations? And so far short of Russian pre-war expectations. The author, Endowment senior fellow Gavin Wilde, argues that Western (particularly US) and Russian cyber doctrine are incommensurable. Russian doctrine avoids equivalents of the term "cyber," preferring to use the terms “information confrontation” or “information war/warfare.” Whereas US discussions of cyber operations normally concentrate on the technical integrity of networks (Wilde says), Russian doctrine considers a "range of operations—both technical and psychological, code and content—that can be deployed against adversarial systems and decisionmaking." He argues that analysts would do well to try to see the cyber phases of the hybrid war through Russian eyes, and to avoid reading Russian doctrine and intentions as if they represented a mirror-image of NATO thinking.

Wilde offers three hypotheses to explain Russian failure in cyberspace:

  1. "Russia’s Information Operations Troops—a rough analog to Western military cyber commands—remains in its infancy and appears optimized more for counterpropaganda than for offensive cyber operations. The operational command structure over offensive cyber operations, meanwhile, remains murky and is possibly more political than military in nature." Much of Russia's offensive cyber capability, Wilde argues, resided in criminal organizations that operated with the toleration, protection, and occasional direction of the state, and such auxiliaries have proven inadequate to operations against the harder targets an invasion would inevitably lead the enemy to present.
  2. The second hypothesis is related to the first. "Russia’s premier offensive cyber capacities are housed within agencies focused on intelligence and subversion—the key tool kits used against Ukraine since 2014—rather than combined-arms warfare."
  3. Finally, Russia simply botched its preparations for war. "Moscow’s secretive and poorly executed February 2022 invasion precluded optimal performance in the initial period of the war, which is particularly pivotal in Russian thinking about effectiveness in the information domain." That preparations were botched seems beyond dispute, but it seems unlikely that secrecy was an essential feature of that failure. Russia telegraphed offensive cyber operations against Ukraine as early as its attacks on its neighbor's power grid in 2015 and 2016. Indeed, those operations were a principal source of the West's high expectations (and fears) of Russian cyberattacks. As far as the invasion itself was concerned, if it was intended to have been a strategic or even an operational surprise, it was an unusually poorly kept secret. (We ourselves began covering Russia's war more than a month before the invasion itself: on January 12th, 2022, our first daily article on the crisis, "Warnings of Russian cyber activity as Moscow continues preparations to invade Ukraine," appeared, and we were far from being either the first or only news service to see the war coming.)

Wilde's summary concludes, "These three hypotheses—the infancy and putative focus of the VIO, the preponderance of cyber talent in the Russian national security ecosystem, and the pivotal nature of the initial period of war—share a common theme. Moscow’s information warfare thinking, its offensive cyber capabilities, and its organizational construct proved simply unfit for purpose in an event-driven, combined-arms campaign of the sort undertaken in February 2022."

The diagnosis of Russian failure is interesting, but some questions remain. Russian military thinking has, since Soviet times, devoted considerable attention to electronic warfare, and it seems curious that the recognition that cyber operations from one point of view represent simply the current technical state of electronic warfare should have so escaped the generals' attention. Soviet and then Russian electronic warfare had long been reckoned to be very good. On the other hand, Russian combined arms and specifically armored capabilities had also been rated highly, and both of these have failed spectacularly on the battlefield. It's possible that cyber is simply another region of military expertise where combat has exposed underlying and unexpected incompetence.