Ukraine at D+489: An influence contest, post-mutiny.
Jun 28, 2023

The Russian National Guard looks like the organizational winner to emerge from the Wagner Group's mutiny. Moscow's influence operations will continue to portray Russia as united, stable, patriotic, and beset from abroad. Privateers and front groups operate in cyberspace on Russia's behalf.

Russia resumed missile strikes against Ukrainian cities, hitting Kramatorsk's crowded commercial district, killing at least four and wounding forty-two, Radio Free Europe | Radio Liberty reports. The shops, hotels, and restaurants that were rubbled aren't military targets. Neither are the civilian injured and dead. The Telegraph's correspondent reads the strikes as a "missile terror campaign" intended to distract from the Wagner Group's abortive march on Moscow.

Lines of communication into Crimea.

The UK's Ministry of Defence in its morning situation report looks at last week's fighting in the vicinity of Crimea. "Early on the morning of 22 June 2023, Ukrainian Armed Forces struck the Chonhar road bridges between the Crimean Peninsula and Russian-occupied Kherson Oblast. These bridges service one of two main road supply routes between Crimea and Kherson. The route over the Chonhar bridges [is] the most direct route from Russia’s Crimean logistics hub at Dzhankoi and the Zaporizhzhia sector, where Russia is currently defending against a major Ukrainian offensive. The temporary closure of the route caused vital Russian logistics convoys to take at least 50% longer to reach the front via alternative routes." The urgent Russian recovery effort suggests the importance of the route to Russia's defense of the Ukrainian territory it occupies. "Reports indicate that Russian authorities almost certainly constructed a pontoon bridge replacement crossing within 24 hours of the attack; it is highly likely that crossings are limited to military traffic only. The speed with which an alternate crossing was constructed indicates how vital this route is to the Russian military efforts in occupied Ukraine."

Mr. Prigozhin is now in Belarus.

Yevgeny Prigozhin, who President Putin has said won't be prosecuted for leading his Wagner Group out of the lines and toward Moscow, engaging (and killing) some Russian attack aviation en route, has now arrived in Belarus. Belarus's President Lukashenka, who has been talking up his own statesmanship in resolving the mutiny, says, according to the New York Times, that President Putin discussed the possibility of killing Mr. Prigozhin before he was persuaded to allow the Wagner Group boss to decamp to Belarus. President Lukashenka has offered the Wagner Group, the Washington Post reports, an abandoned military installation for its use. NATO members in Eastern Europe are watching for a possible reconstitution of the Wagner Group's combat forces in Belarus, from where they could operate against Ukraine or NATO itself.

Mr. Prigozhin may have believed himself to enjoy high-level military support for his war on the REMFs in the Ministry of Defense. The US Intelligence Community is said to believe that General Sergei Surovikin, until January of this year commander of Russian forces in Ukraine and since then one of General Gerasimov's deputies, was aware of the mutiny. Whether that awareness amounted to sympathy or support is unclear, but General Surovikin has been regarded as a friend of the Wagner Group within the Ministry of Defense. President Putin has dismissed accounts of General Surovikin's complicity as "gossip."

Speculation concerning who will ultimately benefit from the Wagner Group's mutiny (apart from the obvious Ukrainian beneficiaries) centers on the commander of Russia's National Guard, General Viktor Zolotov. The Guard was formed only in 2016, but its distant ancestry may be found in the troops of the old Soviet MVD. The National Guard answers directly to the President, and its mission is the suppression of popular revolts and other civic disorder. It's a military formation, not a police organization, and it seems likely to receive heavier equipment in the near future. President Putin has thanked General Zolotov for his role in securing Moscow. General Zolotov has been a leading voice in blaming "the West" for Mr. Prigozhin's mutiny.

The campaign for influence over Russian public opinion continues, with President Putin seeking to present an image of national unity, stability, and control. One surprising element of recent Presidential communications has been an open avowal of how much Russia has been paying the Wagner Group. He acknowledged what Russia has long resisted acknowledging, that the Wagner Group is fully funded by the Russian state. From May of last year through this May, Mr. Putin said the government had paid the Wagner Group the equivalent of a billion dollars. An additional billion went to Mr. Prigozhin's Concord catering company, which has been contracted to supply food to the Russian military. Mr. Putin rumbled a bit about the possibility of corruption. “I hope that no one stole anything or stole not much, but we will deal with all this,” the Post quotes him as saying.

"Purely an internal Russian matter."

But it's a Russian internal matter that the US is watching closely. That's the official reaction of the US Department of Defense to the Wagner Group's weekend mutiny. The US wants it understood, contra Mr. Putin, that the Americans had nothing to do with the mutiny, and that it remains committed to supporting Ukraine. The US is indeed on record as not being a fan of the Wagner Group, and American disapproval goes back to Wagner's activities early in the last decade in Africa and the Middle East. "Wherever they operate, they bring with them death, destruction, deceit, criminal activity," Pentagon Press Secretary Brigadier General Ryder said. "This is why the United States has designated them as a transnational criminal organization, and the U.S. government has imposed significant sanctions on Wagner actors and facilitators to include Africa." Some of the sanctions are new, Radio Free Europe | Radio Liberty reports, and target gold-mining and resource trading firms connected to the Wagner Group (and which themselves are connected to illicit trade in gold and other commodities).

Underscoring the continuing commitment to Ukraine, the US announced a new aid package amounting to some $500 million. It includes a familiar list of munitions and other matériel. Note the presence of mine- and obstacle-clearing equipment, and of air-delivered munitions:

  • "Additional munitions for Patriot air defense systems;
  • "Stinger anti-aircraft systems;
  • "Additional ammunition for High Mobility Artillery Rocket Systems (HIMARS);
  • "Demolitions munitions and systems for obstacle clearing;
  • "Mine clearing equipment;
  • "155mm and 105mm artillery rounds;
  • "30 Bradley Infantry Fighting Vehicles;
  • "25 Stryker Armored Personnel Carriers;
  • "Tube-Launched, Optically-Tracked, Wire-Guided (TOW) missiles;
  • "Javelin anti-armor systems;
  • "AT-4 anti-armor systems;
  • "Anti-armor rockets;
  • "High-speed Anti-radiation missiles (HARMs);
  • "Precision aerial munitions;
  • "Small arms and over 22 million rounds of small arms ammunition and grenades;
  • "Thermal imagery systems and night vision devices;
  • "Testing and diagnostic equipment to support vehicle maintenance and repair;
  • "Spare parts, generators, and other field equipment."

Ukrainian President Zelenskyy expressed his gratitude for the additional aid.

Switzerland expects Russia to increase cyberespionage as agent networks are disrupted.

Switzerland's Federal Intelligence Service warns that Russia can be expected to turn to cyberespionage as its human intelligence networks in Europe and North America are increasingly rolled up, and as the officers working under diplomatic cover who run those networks are declared persona non grata. "While the Russian intelligence services which operate abroad continue to pose the main threat in terms of espionage, their capabilities were undermined in many European states and in North America in 2018 (response to the attempted murder of Sergei Skripal) and in 2022 (response to the war against Ukraine), in some cases significantly. Large numbers of Russian intelligence officers working under diplomatic cover were expelled." Thus cyberespionage can serve as a "compensatory measure" when traditional espionage operators are expelled or otherwise denied access.

The fracturing of Conti, and the rise of its successors. 

The Global Initiative against Transnational Organized Crime released a report detailing the Conti cybercrime group’s fall from its prominent perch in the underworld following the gang’s declaration of support for Russia in the Ukraine-Russia war. “Two days after Conti pledged their support for the Russian invasion of Ukraine, things began to unravel for the group. A Twitter profile with the handle @ContiLeaks started leaking the ransomware group’s internal communication. Although there are conflicting reports on who was behind the leak – perhaps a Ukrainian security researcher or an affiliate against the war – the over 100 000 leaked files were dubbed the ‘Panama Papers of ransomware’. Over the coming months, Conti’s methodical and business-like approach disintegrated, although attacks continued, including on the networks of the Costa Rican state.” On May 19th 2023, it was reported that Conti’s websites were no longer working. 

The story doesn’t seem to end there, however. IBM’s Security X-Force reported on June 27th that their tracking of the crypters who worked with Conti revealed that the group remains active, at least in fragmentary or rump forms. “One year on, ITG23 (Conti) has experienced many organizational changes, splintering into factions and forging new relationships. Despite these events, ITG23 crypters remain fundamental to tracking post-ITG23 factions and their activity; so much so that we believe identifying and tracking the crypters is just as important, if not even more so, than tracking the malware itself. Our research indicates that while ITG23 may have fractured apart after shutting down Conti, many of its various members continue to be very active — still communicating amongst themselves and using shared infrastructure.” Conti has fractured into what they call factions, which X-Force calls out as Royal, Quantum, Zeon, BlackBasta (this one a familiar name), and Silent Ransom. They’re all using Conti’s crypters.

Conti represents an interesting case. Clearly motivated by financial gain, it was one of the clearest cases of a criminal organization recruited to serve a state. Effectively, Conti was a privateer, hitting targets in the Russian interest while it sought direct and immediate profit from its crime.

The "UserSec Collective" says it's recruiting hacktivists for the Russian cause. 

Turning from privateers to hacktivist auxiliaries, which are effectively front groups not motivated by direct profit from hacking, we see that UserSec has reported on its Telegram page that the group has formed a new group of pro-Russian hacktivists. Calling it the "UserSec Collective," they boast of having groups from Russia, India, Egypt, and other countries supporting the Russian cause. They also claim to have already carried out a mass cyber attack against many internet service providers, the details of which remain unreleased. A full list of the groups in the collective was posted this morning. It includes fifteen hacktivist groups (UserSec, TeslaBotnet, NetSide, Indian Cyber Force, Black Dragon Sec, ETUnit, Loyd Xelliship, BLOODNET, NET-WORKER, RILL OSINT, ChaosSec, Abbadon, DragonForce Malaysia, HostKillCrew, and Consistory Team) and one "media organization," Quantum Stellar Initiative. The UserSec Collective has so far claimed an attack against a French government visa site, france-visas[.]gouv[.]fr. View the communiques with appropriate skepticism: the UserSec Collective is as likely to represent grass roots hacktivism as Anonymous Sudan is to be either Anonymous or Sudanese.