Ukraine at D+623: Russia's 2022 grid attacks as foreshadowing.
N2K, Nov 9, 2023

Ukraine maintains its counteroffensive pressure. Russian milbloggers channel Tolstoi. And Sandworm's attacks on Ukrainian infrastructure in October 2022 suggest what may be in store for this winter.

"Ukrainian forces continued counteroffensive operations near Bakhmut and in western Zaporizhia Oblast on November 8," the Institute for the Study of War (ISW) wrote yesterday, citing both Ukrainian and Russian sources. "The Ukrainian General Staff reported that Ukrainian forces continued offensive operations in the Melitopol (western Zaporizhia Oblast) and Bakhmut directions. Russian sources claimed that Ukrainian forces conducted assaults near Robotyne, Novoprokopivka (just south of Robotyne), and Verbove (9km east of Robotyne). Ukrainian President Volodymyr Zelensky stated during a video address to the Reuters NEXT conference in New York on November 8 that Ukrainian forces have a battlefield plan for 2024 that he cannot disclose. Zelensky stated that Ukrainian forces have several paths for future advances in southern Ukraine, eastern Ukraine, and Kherson Oblast. There are also plans to advance to specific occupied cities. Ukrainian forces continue counteroffensive operations without interruption in several sectors of the front, and Ukrainian officials continue to indicate that these operations will continue into this winter."

Maintaining air defense coverage.

The UK's Ministry of Defence assesses Russian air defenses as over-extended, with redeployment likely. "Following last week's reported losses of several Russian SA-21 long range Surface to Air Missile (SAM) systems, new analysis suggests that to maintain coverage over Ukraine, Russia will likely need to reallocate SAMs which are routinely protecting distant parts of Russia. Russia's premier long-range SAMs, such as SA-21, are capable of engaging targets at ranges of up to 400km. Positioned at strategically important locations, as well as along Russia’s borders, removing systems would almost certainly weaken Russia's air defence posture on its peripheries. The reallocation of strategic air defence assets would further demonstrate how the Ukraine conflict continues to overextend Russia’s military and strains its ability to retain baseline defences across its vast area."

More from the Russian milbloggers.

Disaffected hard-war milbloggers have continued to criticize Russian commanders. The ISW, following the milbloggers themselves, frames this as a map issue: the generals' maps don't coincide with the reality on the ground. The troops at the front have more accurate maps, but they're forced into assaults that seem designed to make the reality coincide with the rear echelon fantasy. This is perhaps most easily summed up for an American audience by saying that the milbloggers see the senior commanders and their staffs as lacking situational awareness. They have "formed a picture," as Napoleon would have said, and that picture is more important to them than the murky, difficult reality on the ground.

The milbloggers aren't, as far as we've seen, quoting Tolstoi, but their critique could be right out of that novelist's account in War and Peace of the Battle of Borodino, the decisive action of Napoleon's invasion of Russia. It's a story of clueless commanders, with Napoleon the worst of them, who are disconnected and ignorant of the futile slaughter going on behind their maps and staff reports. The general thinks he's maneuvering regiments and army corps. The reality is suffering individuals blundering around in desperation, killing one another under no direction, and to no purpose. All the rest is at best a fantasy, at worst a fever dream.

Sandworm and Ukraine's power grid: 2022 attacks.

Mandiant yesterday released a study of Sandworm's cyberattacks against Ukraine's electrical power grid last year. Sandworm, also known as Voodoo Bear, is a threat actor operated by the GRU's Unit 74455.

"While we were unable to identify the initial access vector into the IT environment," Mandiant wrote, "Sandworm gained access to the OT environment through a hypervisor that hosted a supervisory control and data acquisition (SCADA) management instance for the victim's substation environment. Based on evidence of lateral movement, the attacker potentially had access to the SCADA system for up to three months." Those three months of preparation culminated, on October 10th, 2022, in the exploitation of end-of-life Hitachi Energy MicroSCADA control systems, which brought the affected systems under Sandworm control and enabled the attackers to issue commands that tripped breakers in electrical power distribution substations. Two days later Sandworm deployed a new variant of CaddyWiper (discovered in Ukraine the previous March by ESET), which served both to damage the associated IT networks and to obscure its own operations. The attack was marked by living-off-the-land techniques, significant because they "decreased the time and resources required to conduct a cyber physical attack," and because they reduced the likelihood of detection.

The Russian campaign stands out for several reasons. First, it was a successful attack against a widely deployed OT system. Such attacks have been rare, and have proven difficult to execute. Second, the cyberattacks coincided with a kinetic Russian missile campaign designed to cripple Ukrainian infrastructure as winter approached. Such integration of cyberattacks into a combined-arms operation has also been rare, and difficult for Russian forces to achieve. Third, the attack showed both careful preparation and an ability to develop offensive tools quickly. And, finally, the attack showed what Russia is likely to attempt in its infrastructure disruption campaign during the winter of 2023 and 2024.