Ukraine at D+131: Fighting shifts to Donetsk; cyberattacks hit Ukrainian energy firm.
N2K, Jul 5, 2022

Russia consolidates the ground it's taken in Luhansk, and prepares for another firepower-heavy offensive directed at the reduction of Donetsk. Ukrainian forces advance in the south and assume new defensive positions in the Donbas. A major Ukrainian energy provider reports a cyberattack by XakNet, but its consequences are unclear.

This morning's situation report from the British Ministry of Defence sees evidence of better Russian coordination in the capture of Lysychansk. "Russia’s relatively rapid capture of Lysychansk extends its control across virtually all of the territory of Luhansk Oblast, allowing it to claim substantive progress against the policy objective it presented as the immediate purpose of the war, namely ‘liberating’ the Donbas. Unlike in previous phases of the war, Russia has probably achieved reasonably effective co-ordination between at least two Groupings of Forces, the Central Grouping likely commanded by General-Colonel Alexandr Lapin and the Southern Grouping probably under the recently appointed General Sergei Surovikin." This is in some respects not surprising. The fight for Lysychansk required little maneuver or fast mobile action. It was, rather, the reduction of a built-up area by artillery fire followed by slow occupation of the rubble. The report continues: "Ukrainian forces have likely largely withdrawn in good order, in line with existing plans. The Ukrainian held areas of Sieverodonetsk-Lysychansk consisted of a bulge or salient which Russian[s] could attack from three sides. There is a realistic possibility that Ukrainian forces will now be able to fall back to a more readily defendable, straightened front line. The battle for the Donbas has been characterised by slow rates of advance and Russia’s massed employment of artillery, levelling towns and cities in the process. The fighting in Donetsk Oblast will almost certainly continue in this manner."

Russian President Putin declared victory in Luhansk, saying, as quoted by the Guardian, that the forces “that took part in active hostilities and achieved success, victory” there “should rest, increase their combat capabilities.” Some observers see this as a sideways acknowledgment that Russian troop losses have been heavy (which indeed seems to be the case, and steps toward industrial mobilization are consistent with heavy losses in matériel, too), but it strikes us as the kind of conventional "well done, rest" a leader offers at such moments. Mr. Putin has already told his forces to "press on," and follow-on operations seem to already be in progress. Reuters reports this morning that Russian artillery fire is being directed against cities in Donetsk, the other province that, with Luhansk, comprises the Donbas.

Saturday's situation report from the MoD concentrated on, first, the artillery slog in the Donbas, and second, on the repurposing of legacy anti-shipping missiles for land attack. "Russian forces continue to achieve minor advances around Lysychansk, with air and artillery strikes continuing in the district. Ukrainian forces probably continue to block Russian forces in the south-eastern outskirts of Lysychansk. Russia continues to employ air-launched anti-ship missiles in a secondary land attack role, likely because of dwindling stockpiles of more accurate modern weapons. Analysis of CCTV footage shows the missile that impacted the Kremenchuk shopping centre on 27 June 2022 was highly likely a Kh-32. This is an upgraded version of the Soviet era Kh-22 KITCHEN. Although the Kh-32 has several performance improvements over the Kh-22, it is still not optimised to accurately strike ground targets, especially in an urban environment. This greatly increases the likelihood of collateral damage when targeting built up areas. Further strikes on 30 June 2022 in Odesa Oblast likely involved Kh-22 KITCHEN missiles. These weapons are even less accurate and unsuitable for precision strikes and have almost certainly repeatedly caused civilian casualties in recent weeks."

On Monday the MoD's report concentrated on the Ukrainian withdrawals from most of Luhansk. "Ukrainian forces have withdrawn from Lysychansk, likely falling back to prepared defensive positions. Russia’s Ministry of Defence had earlier claimed to have completed the encirclement of Lysychansk and secured full control of the city. Fighting in and around the city in Luhansk Oblast has intensified over the past week with Russian forces making steady progress. The city was the last remaining major population centre in Luhansk Oblast under Ukrainian control. Russia’s focus will now almost certainly switch to capturing Donetsk Oblast, a large portion of which remains under the control of Ukrainian forces." The rest of the report considered the implications of Russia's war for Ukraine's harvest and global food supplies. "The fight for the Donbas has been grinding and attritional and this is highly unlikely to change in the coming weeks. With harvest underway, Russia’s invasion continues to have a devastating impact on Ukraine’s agricultural sector. The war has caused major disruption to the supply chains of seed and fertiliser which Ukrainian farmers rely on. Russia’s blockade of Odesa continues to severely constrain Ukraine’s grain exports. Because of this, Ukraine’s agricultural exports in 2022 are unlikely to be more than 35% of the 2021 total. Following its retreat from the Black Sea outpost of Snake Island, Russia misleadingly claimed that ‘the ball is now in Ukraine’s court’ in relation to improving grain exports. In reality, it is Russia’s disruption of Ukraine’s agricultural sector which continues to exacerbate the global food crisis."

That vote in Kherson may not matter much.

Sunday morning's report from the MoD described plans for a referendum in Kherson in which the occupied region will be asked to join the Russian Federation. "Russian-backed officials have said they will hold a referendum on Kherson Oblast joining the Russian Federation by autumn 2022. Russia is likely prioritising a pseudo-constitutional vote in an attempt to legitimise its control of the region. On 28 June 2022, Ihor Kolykhaiev, the elected mayor of Kherson city, was arrested, highly likely in an attempt to suppress opposition to the occupation. However, widespread armed and peaceful resistance continues across occupied areas. Kherson is the region which has been brought under the new Russian occupation most comprehensively since February. Finding a constitutional solution for the occupation is likely a priority policy objective for Russia. It will highly likely be prepared to rig voting to achieve an acceptable result." The Telegraph reports that Russian occupation forces have installed a veteran FSB officer, Sergei Yeliseyev, as head of government in Kherson. His installation was accompanied by a triumphal post on Telegram: "Ukraine is forever in the past for the Kherson region. Russia is here forever," which is either an expression of confidence in that plebiscite or an avowal that the plebiscite is just window-dressing for a decision already taken.

Cyberattack hits Ukrainian energy provider.

DTEK Group, Ukraine's largest private energy firm, an operator of power plants in various parts of Ukraine, Friday said that it had been the victim of a cyberattack. The attack, in CNN's account, had complicated goals. It aimed to, as DTEK put it, “'destabilize the technological processes' of its distribution and generation firms, spread propaganda about the company’s operations, and 'to leave Ukrainian consumers without electricity.'” XakNet ("HackNet"), a hacktivist organization that's transparently a GRU front (whatever its denials on Telegram may say), claimed last week to have penetrated DTEK's networks and published some screenshots as coup-counting evidence of its success, but the actual consequences of the operation, if any, remain unclear.

Vosvete IT, relying in part on information from Slovakia's National Security Authority, makes two points that seem to position the incident in the larger context of both lawfare and kinetic combat. "These cyber attacks on the consortium occurred just days after Rinat Akhmetov, one of the richest men in Ukraine and a shareholder of DTEK, sued Russia at the European Court of Human Rights for causing billions in damages to his assets," and they also occurred at about the same time Russian forces shelled a DTEK power plant in Kryvyi Rih, a mining and industrial city in the Dniepro region.

NATO's rapid cyber response capability.

The communiqué with which NATO closed its recent Madrid summit addressed the establishment of a rapid cyber response capability as an Alliance contribution to resilience, "a national responsibility and a collective commitment." The relevant paragraph reads, in part:

"We are enhancing our resilience, including through nationally-developed goals and implementation plans, guided by objectives developed by Allies together. We are also strengthening our energy security. We will ensure reliable energy supplies to our military forces. We will accelerate our adaptation in all domains, boosting our resilience to cyber and hybrid threats, and strengthening our interoperability. We will employ our political and military instruments in an integrated manner. We have endorsed a new chemical, biological, radiological and nuclear defence policy. We will significantly strengthen our cyber defences through enhanced civil-military cooperation. We will also expand partnership with industry. Allies have decided, on a voluntary basis and using national assets, to build and exercise a virtual rapid response cyber capability to respond to significant malicious cyber activities."

Adam Marrè, CISO at Arctic Wolf, offered some reactions to NATO's plans, in particular what will be involved in creating a rapid cyber response capability:

"As the declaration outlines, NATO currently faces cyber and other asymmetric threats from multiple nations. The announcement of this cyber rapid response capability is a recognition that we must do more to coordinate the efforts to combat ongoing and prepare for future nation-state conducted and/or sponsored cyber campaigns.

"A virtual rapid response cyber capability will greatly increase NATO’s capability to have a more coordinated and effective response to “significant malicious cyber activities.”

"This capability will likely be similar to the EU Cyber Rapid Response Teams (CRRT) that have already been created and have been deployed in the Ukraine conflict.

"The new NATO cyber response force will need to develop common cyber operations toolkits with incident detection, prevention, and response capabilities to have an effective coordinated response. 

"In addition, they will need to identify and select team members with different domains of expertise, including incident response, forensics, and vulnerability assessment, that can form cohesive and holistic teams that can rapidly deploy virtually.

"In this dynamic environment, business leaders should be prepared to experience direct and indirect attacks related to the current Ukraine conflict and future conflicts. 

"The NATO declaration mentions “strengthen[ing] our cyber defenses through enhanced civil-military cooperation” and “partnership with industry.” This means that when a civilian organization experiences an attack, they could be assisted and reinforced by the new NATO cyber response force. Business leaders, especially those in key industries such as energy and communications, would be wise to carefully consider how they would respond to such a situation and how they would cooperate. Conducting a tabletop scenario to work through the choices that would be presented in such a situation is an effective way to do this."

NCSC updates its guidance on preparing for a long-term Russian cyber campaign.

The UK's National Cyber Security Centre (NCSC) has updated its earlier guidance on preparing for the consequences of a long-running, extensive Russian cyber campaign. Both that original guidance and the recent update concentrate on recommending measures that can be sustained for a long period of time without exhausting security staff or otherwise degrading an organization's ability to operate. The update reinforces the original advice:

"So our initial concerns were well-founded. And while, to date, UK organisations have not experienced significant cyber attacks as a result of Russia’s invasion, now is not the time for complacency. The absence of successful cyber attacks doesn’t equate to a change in adversary capability or intent; indeed it may be evidence that our additional cyber defences are working effectively.

"Russia has not achieved the rapid military victory in Ukraine that President Putin expected and there’s no obvious end in sight. While we are not aware of any current specific threats to UK organisations, the cyber threat to the UK remains heightened, and we expect it to stay that way for some time. Accordingly, organisations should respond to this potentially protracted period of heightened cyber threat from Russia by maintaining a strengthened cyber posture."

And the update also addresses ways in which a heightened state of alert can be maintained for an indefinite period of time, in the face of a complicated threat whose outlines remain unclear:

"That is why we have published the new guidance on maintaining a strengthened cyber security posture in a sustainable way. It contains advice for business leaders and managers about how to manage the residual risk from an extended period of heightened cyber threat whilst prioritising staff wellbeing, and stresses the importance of:

  • "revisiting risk-based decisions to ensure defences are implemented in an efficient way for the long term
  • "empowering frontline staff to take decisions about prioritisation
  • "ensuring that workloads are spread across individuals and teams and that frontline staff can take breaks to recharge
  • "providing resources to managers and teams to recognise the signs of someone who is struggling".