Ukraine at D+260: Kherson liberated.
N2K | Nov 12, 2022

Ukrainian forces have driven Russian troops back across the Dnipro River and liberated the city of Kherson. The GRU's Sandworm cyber operators have returned, with ransomware attacks against Ukrainian and Polish targets.


Russia retreats from Kherson.

Russian forces completed their retreat from Kherson this morning, and that's confirmed by Russian sources, including TASS and Izvestia. Ukrainian forces are now in possession of the city, where, multiple reports say, they were greeted as liberators. (The Daily Beast describes, and photographs, "street parties" with which the citizens greeted the Ukrainian army.) Russian forces withdrew to the eastern bank of the Dnipro River (or the left bank, rivers conventionally being held to face downstream) under Ukrainian rocket fire, the Telegraph reports, dropping the permanent bridges as they made their way across by barge and temporary pontoon bridge. According to the Telegraph, appreciable numbers of wounded Russian troops were left behind, to the care of the enemy.

By all accounts the loss of Kherson amounts to a major defeat for Russia. The AP explains what was at stake in the city for Russia. It's a substantial provincial city, and it controls important lines of communication. Kherson's prewar population was 280,000, roughly the size of the US cities of St. Louis or Buffalo, or of Newcastle in the UK, or a little bigger than Hobart, in Australia, or Saskatoon, in Canada, and bigger than Wellington, New Zealand.

The Atlantic Council's assessment is representative: "If confirmed," the Council wrote yesterday, and the Ukrainian victory has indeed since been confirmed, "Russia’s retreat from Kherson will be a hugely significant development that could serve as a turning point for the entire war. In terms of military strategy, the loss of Kherson leaves Moscow with little chance of achieving its stated goal of occupying key port city Odesa and seizing Ukraine’s entire Black Sea coastline. Instead, Putin’s invading army will find itself confined to the eastern half of Ukraine up to the Dnipro River."

It also has significant political implications. The Atlantic Council summarizes the material and political capital Moscow has thrown into the oblast: "While Russia’s withdrawal will have a significant military impact, the loss of Kherson will resonate far beyond any immediate strategic implications. Kherson is the only regional capital captured by Russia since Putin launched his invasion almost nine months ago. The Kremlin has gone to great lengths to strengthen its grip on the city and surrounding region, ruthlessly crushing any potential opposition while imposing policies of russification and eradicating symbols of Ukrainian identity."

Moscow had proclaimed Kherson a permanent part of Russia during celebrations and ceremonies marking its annexation on September 30th. It's now lost, and with it major lines of communication into Russian occupied Crimea. Kremlin spokesman Dmitri Peskov said today, according to Reuters, that he had "nothing to add" to the Defense Ministry's statement (a simple if sober assertion that it had withdrawn to more defensible lines), but he did then add that "It [Kherson] is a subject of the Russian Federation - it is legally fixed and defined. There are no changes and there can be no changes." 

Russian strikes against Ukrainian infrastructure continue.

The UK's Ministry of Defence this morning described the ongoing Russian attempts to destroy Ukrainian civilian infrastructure as winter approaches. "Since 10 October, Russia has attacked Ukraine with a campaign of strikes targeting electric power infrastructure. To date, this action has come in waves. The most recent intense strikes were on 31 October, which involved targeting hydroelectric dam facilities for the first time. The strikes have resulted in widespread damage to transmission stations and power plants. Scheduled and emergency blackouts have become routine in parts of Ukraine, with Kyiv notably impacted. Recoverability varies, and the impacts of strikes are unlikely to be felt uniformly. Continued degradation of networks by Russian strikes will almost certainly have consequences for interlinked water and heating systems, that will be most significantly felt by the civilian population during winter, as demand increases. Russian strikes on power generation and transmission are having a disproportionate effect upon civilians in Ukraine, indiscriminately impacting critical functions such as healthcare and heating. The continued prioritisation of critical national infrastructure over military targets strongly implies Russian intent to strike at civilian morale."

Sandworm is back in Russia's hybrid war.

A familiar GRU cyber unit makes its presence felt in the war. Researchers at Microsoft report that Sandworm, the GRU threat actor the company tracks as Iridium, has deployed a new strain of ransomware, "Prestige," against targets in Poland and Ukraine. Prestige announced itself on October 11th in a series of coordinated attacks against targets in the transportation and related logistics sectors.

Microsoft, which acknowledges the cooperation of CERT-UA, Ukraine's cybersecurity organization, in the research, writes: "The Prestige campaign may highlight a measured shift in IRIDIUM’s destructive attack calculus, signaling increased risk to organizations directly supplying or transporting humanitarian or military assistance to Ukraine. More broadly, it may represent an increased risk to organizations in Eastern Europe that may be considered by the Russian state to be providing support relating to the war."

The attacks show a renewed willingness on the part of a Russian intelligence service to attempt disruption in addition to collection. Ransomware as a tactic is well-adapted to do both. The Washington Post quotes Mandiant researchers who see this approach as an attempt by the GRU to "have its cake and eat it, too." Mandiant senior analyst John Wolfram told the Post, “What that shows us is that the GRU was able to maintain access to a network of their specific choosing; launch an attack and have an effect on that network; maintain that access despite the wiper operation; and launch another wiper operation at a moment of their choosing." Russia had used wipers with some success early in the war, but those attacks soon ebbed. They may be returning.

Development of Ukraine's auxiliary cyber offensive force.

Trustwave's SpiderLabs has published an account of how Ukraine's IT Army developed from an ad hoc group of hackers into an auxiliary cyber force aligned with the country's military objectives. Their preferred tactic has been distributed denial-of-service (DDoS), an attack technique that lends itself to automation and employment by a range of collaborating attackers. Trustwave writes, "According to the information provided on the IT Army of Ukraine’s official website, the group has now become a well-organized operation with a coordinated team that includes experts from the following fields:

  • "Cyber security experts who identify a potential target’s vulnerabilities
  • "Economists who identify targets that will significantly impact the enemy's economy
  • "Attack solution developers who update the software, allowing for more effective strikes
  • "Moderators who assist the IT Army by reading messages and passing important information to other members of the cyber collective for analysis and involvement in future campaigns"

Russian auxiliaries like Killnet have also mounted DDoS operations, and those have seldom risen above a nuisance level. The IT Army's DDoS campaigns may represent a higher form of nuisance, impeding, even briefly, Russian microeconomic activity in a larger economy that's already under considerable stress from sanctions and the demands of a difficult war. Trustwave's report concludes: "While we've seen a great deal of coordinated nation-state and Russian-sympathetic attackers in this conflict from the Russian side, the 'crowd-sourced' methodology of the IT Army of Ukraine is a somewhat unique technique. Its ability to coordinate resources on a massive scale is something that probably hasn't been seen since the early days of Anonymous vs. Scientology."

The EU prepares closer cooperation for cyber defense among its members.

The European Union yesterday announced its intention to prepare a cyber defense plan that would include closer cooperation among the EU's member states. The plan is motivated explicitly by concern over the threat from Russia. Reuters quotes EU foreign policy chief Josep Borrell as saying, "War is back to our borders and the Russia aggression against Ukraine is undermining peace and the international rule-based system globally. It affects us and we have to adapt our defence policies to this new environment."

The EU's plan has four broad elements:

  • "Act together for a stronger EU cyber defence."
  • "Secure the EU defence ecosystem."
  • "Invest in cyber defence capabilities."
  • "Partner to address common challenges."