Ukraine at D+357: Combined arms failure.
Feb 16, 2023

As the first anniversary of Russia's war approaches, observers take stock of Moscow's cyber campaigns and see them as having fallen short of expectations.

Fighting continues in Ukraine's eastern provinces, and Russian forces have launched a further wave of Kalibr cruise missiles against Ukrainian targets, Al Jazeera reports. A number of these were shot down by Ukrainian air defenses, but some found their targets.

The first year of the war has been tough on Russian armor. The International Institute for Strategic Studies (IISS) estimates that Russia has lost about half of its first-line tanks, and isn't able to produce them fast enough to keep the forces supplied. Russia’s tank losses are running at roughly three times Ukraine's: between 2000 and 2300 Russian tanks have been lost compared to 700 Ukrainian tanks. “They’re producing and reactivating nowhere near enough to compensate for those loss rates. Their current armoured fleet at the front is about half the size it was at the start of the war,” an IISS research fellow told Reuters.

The Russian attempt to take Vuhledar, widely regarded as the opening move in a more general Russian spring offensive, is now perceived as a costly failure, one which, as the New York Times puts it, puts Russian combat capability into question. Why is Moscow failing? Wagner Group capo Prigozhin blames it on the bureaucracy. Presumably if he were in charge and unleashed, he'd do better.

Russian combat aviation may not be preparing for an offensive after all.

The UK's Ministry of Defence doubts recent reports that Russian Aerospace Forces are preparing for a larger combat role in Ukraine. "The Russian Aerospace Forces (VKS) continue to deploy a similar number of aircraft in support of the Ukraine operation as they have for many months. Russian sortie rates have increased over the last week, following several weeks of quieter activity. Air activity is now roughly in line with the average daily rate seen since summer 2022. Overall, Russian air power continues to significantly underperform in the war, constrained by a continued high threat from Ukrainian air defences and dispersed basing due to the threat of strikes against Russian airfields. Russian combat jets operate almost exclusively over Russian-held territory, preventing them from carrying out their key strike role effectively. Across Russia, the VKS likely maintains a largely intact fleet of approximately 1,500 crewed military aircraft, despite losing over 130 since the start of the invasion. However, it is unlikely that the VKS is currently preparing for a dramatically expanded air campaign as under the current battlefield circumstances it would likely suffer unsustainable aircraft losses."

Assessing the cyber phase of Russia's war as the first anniversary of the invasion approaches.

The approach of the first anniversary of Russia's invasion of Ukraine has prompted a number of retrospective assessments of the cyber phases of Russia's war. The Washington Post cites expert opinion that sees a general Russian failure to integrate its cyber efforts into a more general combined arms operation. This failure has led Russia's cyber campaigns to be far less effective than expected. Dmitri Alperovitch, executive chair of the Silverado Policy Accelerator, told the Post, “For cyber to be effective on a battlefield, it has to be deeply integrated into conventional military plans. They’ve utterly failed in achieving any tactical or strategic successes, Viasat aside, which actually was a combined arms operation with significant effects.” And, despite the efforts of Russia's cybercriminal auxiliaries, large-scale and devastating cyberattacks against nations sympathetic to Ukraine have also fallen short of expectations. CISA Director Easterly said, “I think all of us were surprised, somewhat, that there have not been more significant attacks outside of Ukraine.”

In a report issued this morning, Fog of War: How the Ukraine Conflict Transformed the Cyber Threat Landscape, Google's Threat Analysis Group, Mandiant, and Trust & Safety groups offered an appreciation of how the cyber phases of the war have developed. The researchers organize their findings under three major headings:

  1. "Russian government-backed attackers have engaged in an aggressive, multi-pronged effort to gain a decisive wartime advantage in cyberspace, often with mixed results." The analysts see Russia's cyber campaign as falling into five broad phases:
     - Phase 1 began in 2019 and ran through January of 2022, and consisted of "strategic cyber espionage and pre-positioning."
     - Phase 2, between February and April 2022, saw "initial destructive cyber operations and military invasion."
     - Phase 3, which extended from May through July of 2022, was marked by "sustained targeting and attacks."
     - Phase 4, in August and September of 2022, saw Russia "maintaining footholds for strategic advantage."
     - Phase 5, a "renewed campaign of destructive attacks," took place from October through December of this past year.
  2. "Moscow has leveraged the full spectrum of IO – from overt state-backed media to covert platforms and accounts – to shape public perception of the war." Influence operations have been prominent throughout the war, with Russia's three broad goals being to undermine Ukraine's government, degrade international support for Ukraine, and maintain domestic Russian support for the war.
  3. "The invasion has triggered a notable shift in the Eastern European cybercriminal ecosystem that will likely have long term implications for both coordination between criminal groups and the scale of cybercrime worldwide." There's more specialization, and more use of criminal tools by state-directed actors.

Google expects to see a continuation of all three aspects of Russia's cyber operations for the duration of the war.

Google makes no pretense of neutrality in the war, which it directly calls Russian "aggression." These passages are the most striking of the report:

"One of the most pressing challenges, however, is that the Ukrainian government is under near-constant digital attack. Shortly after the invasion, we expanded eligibility for Project Shield, our free protection against distributed denial of service attacks (DDoS), so that Ukrainian government websites and embassies worldwide could stay online and continue to offer critical services.

"We continue to provide direct assistance to the Ukrainian government and critical infrastructure entities under the Cyber Defense Assistance Collaborative — including compromise assessments, incident response services, shared cyber threat intelligence, and security transformation services — to help detect, mitigate and defend against cyber attacks. In addition, we continue to implement protections for users and track and disrupt cyber threats to help raise awareness among the security community and high-risk users and maintain information quality.

"This level of collective defense – between governments, companies and security stakeholders across the world – is unprecedented in scope. We wanted to share what we have learned with the global security community to help prepare better defenses for the future."

Russian cyber operations have so far fallen short of prewar expectations and may well continue to do so, but Google thinks that the war has shown that cyber operations are likely to remain an enduring feature of future wars.

Killnet's attempt to rally hacktivists and criminals to the cause of Russia.

Flashpoint offers an update on the Infinity criminal-to-criminal marketplace which Killnet, the Russian cybercriminal auxiliary, has opened to attract more talent to the Russian cause. It continues to offer strong financial incentives to those willing to work for the Kremlin. One interesting conclusion the researchers arrive at is that Infinity's rules are much less fastidious about permitting financially-motivated crime against Russian organizations than other Russian criminal fora have been. “Notably, the forum does not seem to discourage members from selling data breached from Russian entities—such as malware logs or passports—which traditionally is frowned upon or downright forbidden on most Russian-speaking forums.”