Ukraine at D+243: Dirty bomb disinfo.
Oct 25, 2022

Russia braces for Ukraine's counteroffensive in Kherson and the Donbas. Bellingcat describes the Russian targeting cell responsible for the recent long-range strike campaign. CERT-UA warns of phishing emails from the Cuba ransomware group. And SpaceX says it will continue to deliver Starlink connectivity to Ukraine.

Ukraine at D+243: Dirty bomb disinfo.

Russia has sought to evacuate civilians from Kherson as it braces for Ukraine's offensive in the south. Despite some signs of withdrawal from Kherson, the Telegraph and others report Ukraine's view that Russia intends to fight for the occupied city and province. The recapture of Kherson would effectively isolate Russian-occupied Crimea. The civilian evacuations are not necessarily a humanitarian gesture; many reports of the evacuations characterize them as forcible deportation. Evidence of Russian attempts to pull in and stiffen defensive lines, coupled with a military-to-military outreach to NATO countries, suggests to experts, ERR reports, that Moscow is looking for a breather that would allow it to rebuild its forces and resume the offensive.

Consequences of failure to achieve air superiority (and of running out of artillery ammunition).

Russia's failure to achieve air superiority is beginning to tell, the UK's Ministry of Defence said in this morning's situation report. "There have been at least 23 verified losses of Russia’s Ka-52 HOKUM attack helicopter in Ukraine since the invasion. This represents over 25% of the Russian Air Force’s in-service fleet of 90 Ka-52s, and nearly half of Russia’s total helicopter losses in Ukraine. Russian attack helicopters have likely suffered particular attrition from Ukrainian man-portable air defence systems (MANPADS), while the helicopters frequently operate with less consistent top-cover from combat jets than they would expect under Russian military doctrine. Russia is still failing to maintain adequate air superiority in order to reliably carry out effective fixed wing close air support near the front line, and its artillery ammunition is running low. Russian commanders are likely increasingly resorting to conducting high-risk attack helicopter missions as one of the few options available to provide close support for troops in combat." MANPADS are short-range, shoulder-fired anti-aircraft missiles. Inability to provide either effective close-air support or indirect fire support (that is, artillery support) has become a growing problem for Russian forces attempting to hold onto the Ukrainian territory seized in the opening days of the war.

Dirty bomb disinformation.

Chief of the Russian General Staff Valery Gerasimov has joined Defense Minister Shoigu in making calls to his Western counterparts. His line is the same: Ukraine, Russia insists, is getting ready to use radiological weapons ("dirty bombs") in its fight against the Russian invaders. No one he's calling is buying it any more than the various defense ministers believed Mr. Shoigu. No one believes Ukraine is preparing dirty bombs, but the accusation has aroused suspicion that Russia is preparing a provocation which it intends to blame on Ukraine. Dmytro Kuleba, Ukraine's Foreign Minister, tweeted his government's response: "Russian lies about Ukraine allegedly planning to use a ‘dirty bomb’ are as absurd as they are dangerous. Firstly, Ukraine is a committed NPT member: we neither have any ‘dirty bombs’, nor plan to acquire any. Secondly, Russians often accuse others of what they plan themselves."

The Wall Street Journal reports that NATO has warned Russia against escalation, and especially against staging a provocation that would provide a pretext for its own use of nuclear weapons. “We have seen in the past that the Russians have, on occasion, blamed others for things that they were planning to do,” the Journal quotes US National Security Council Coordinator for Strategic Communication John Kirby as saying. The US Department of Defense officially dismissed the Russian accusations against Ukraine as false, but also noted that the US had so far not observed serious Russian preparations to use nuclear weapons in its war.

Both the Telegraph and Task & Purpose have accessible explanations of what a dirty bomb is: it's a device designed to injure through radioactive debris, not blast, heat or fragmentation. It is more a terror and an area denial weapon than it is a serious battlefield system.

Russian targeting practices.

Russia is increasingly dependent on Iranian loitering weapons--"kamikaze drones"--for terror strikes against Ukrainian infrastructure and civilian populations. Bellingcat has published a profile of the Russian targeting cells it says are responsible for directing drone and missile strikes:

"Phone metadata shows contacts between these individuals and their superiors spiked shortly before many of the high-precision Russian cruise missile strikes that have killed hundreds and deprived millions in Ukraine of access to electricity and heating. The group, which works from two locations – one at the Ministry of Defence headquarters in Moscow and another at the Admiralty headquarters in St. Petersburg – is buried deep within the Russian Armed Forces’ vast “Main Computation Centre of the General Staff”, often abbreviated as ГВЦ (GVC).

"Most members identified by Bellingcat and partners are young men and women, including one husband-and-wife couple, many with IT and even computer-gaming backgrounds. Some also worked at Russia’s military command centre in Damascus in the period between 2016 and 2021, a timeframe during which Russia deployed cruise missiles in Syria. Others are recipients of various military awards, including from Russian President, Vladimir Putin."

That Russia has targeting cells isn't surprising. Every modern military has some group or groups that serve this function. The apparent connection between those doing the targeting in Ukraine and those who did it in Syria is suggestive and interesting, at least insofar as both campaigns were marked by a disregard for civilian life and safety.

But much of what's been written about Russian long-range strikes overstates the accuracy of the weapons being employed. The Iranian-produced Shahed drones are guided, it's believed, by either GLONASS or GPS waypoints, and are generally thought not to be remotely piloted. A good fraction of the missiles remaining in Russia's arsenals, including many that have been used in recent strikes, have been either anti-ship or air-defense missiles employed in a secondary land-attack role, and such weapons do not have the accuracy of, for example, the US Tomahawk or Hellfire systems. Russian official sources give their accuracy, presumably their circular error probable, at between five and fifty meters. It would be surprising if they were in fact that accurate. But they don't need to be. The civilian targets the Russian missiles have hit are: 1) large, 2) stationary, 3) in a known location, and 4) surrounded by civilians. If the purpose is terror, then fifty meters is more than close enough for GVC work.

Bellingcat's report, assuming it is accurate (and Bellingcat has a good track record in this regard), is an interesting example of the power and reach of open source intelligence, the latest such example to emerge during Russia's war.

CERT-UA warns of Cuba ransomware group phishing campaign.

The Computer Emergency Response Team of Ukraine (CERT-UA) warns that it's observed phishing emails that misrepresent themselves as coming from the Press Service of the General Staff of the Armed Forces of Ukraine. The emails invite the recipients to follow a link and download a document, "Наказ_309.pdf," that is, "Order_309.pdf," but victims are then taken to a page that informs them they need to update their pdf reader. The link is malicious, BleepingComputer reports, and performing the bogus update installs the RomCom remote access Trojan (RAT) on behalf of the Cuba ransomware group. Cuba has recently been active in the present war, hitting targets in Montenegro last month.

BlackBerry researchers describe RomCom's capabilities as follows: "Main RomCom functionalities include, but are not limited to, gathering system information (disk and files information enumeration), and information about locally installed applications and memory processes. It also takes screenshots and transmits collected data to the hardcoded command-and-control (C2). If a special command is received, it supports auto-deletion from the victim's machine." Thus RomCom can function both as an espionage tool and as a wiper. Dmitry Bestuzhev, Threat Researcher at BlackBerry, shared some comments on this activity:

"This campaign is a good example of the blurred line between cybercrime-motivated threat actors and targeted attack threat actors. In the past, both groups acted independently, relying on different tooling. Today, targeted attack threat actors rely more on traditional tooling, making attribution harder. The threat actor behind RomCom has actively developed and tested new techniques, switching between targets. We will closely monitor its activities. It's been quite effective packing malware inside of MSI packages. It helps to bypass AV detection. However, in the case of the RomCom threat actors, those are additionally digitally signed. That adds an additional layer of evasion."

SpaceX will continue to provision Ukraine's Internet, even without US funding.

CNN reports that SpaceX founder Elon Musk said, on Sunday, that his company intends to keep providing Starlink services to Ukraine even if the US Defense Department declines to fund it. He had earlier suggested that it was becoming difficult and expensive to continue those services. "'Before [the Department of Defense] even came back with an answer, I told @FedorovMykhailo that SpaceX would not turn off Starlink even if DoD refused to provide funding,' Musk tweeted Sunday evening, referencing talks with Mykhailo Fedorov, Ukraine's vice prime minister and minister of digital transformation," CNN says.