Ukraine at D+147: Russian, Belarusian spearphishing.
Jul 21, 2022

Russia says it's expanding its territorial ambitions in Ukraine, and that NATO has no one but itself to blame for this. Ukraine undertakes a minor counteroffensive in Donetsk and continues to use HIMARS in an interdiction and counter-command-post role. Russian and Belarusian intelligence services make heavy use of spearphishing in their cyberespionage campaigns against Ukraine. US Cyber Command releases IOCs developed in cooperation with the Security Service of Ukraine.

This morning's situation report from the UK's Ministry of Defence describes more of the same. "Russian and separatist forces," a distinction without a difference, "continue to attempt small scale assaults along the Donbas front line. Russian forces are likely closing in on Ukraine’s second biggest power plant at Vuhlehirska, 50km north-east of Donetsk. Russia is prioritising the capture of critical national infrastructure, such as power plants." It's noteworthy that attacks against Ukrainian infrastructure have been, and continue to be, mostly conventional military assaults rather than effective cyberattacks. "However, it is probably also attempting to break through at Vuhlehirska, as part of its efforts to regain momentum on the southern pincer of its advance towards the key cities of Kramatorsk and Sloviansk." Russia seems to be addressing some of its manpower shortages by running press gangs in the territories it occupies, the Guardian reports.

Ukrainian forces, in addition to their counteroffensive in the Kherson region, made a small advance in the Donbas, retaking the town of Pavlivka in the Donetsk province. It's a local success, but the New York Times reports it as an important contribution to Ukrainian morale, demonstrating that units can retake ground they'd earlier been ejected from. Pavlivka itself is to a great extent ruined, buildings smashed by Russian artillery and subsequently looted by the Russian naval infantry ("marines") that occupied the town's wreckage.

Russia says its objectives are expanding (and that, Russia says, is NATO's fault).

In an interview with RIA Novosti, Russian Foreign Minister Lavrov said that NATO's provision of artillery to Ukrainian forces had caused Russia to expand its territorial objectives beyond the Donbas and into the southern regions along the Black Sea. Russia cannot, he said, tolerate long-range weapons in the hands of the Ukrainian government, as these threaten Russian territory. (The AP has a summary this morning of the rocket and cannon systems NATO members have shipped to Ukraine, and of the effect those systems are having on the battlefield. The rocket launchers have been HIMARS and MLRS; the cannons have been a variety of 155mm gun-howitzers. While the cannons come from different countries, among them the US, France, and Germany, they all fire standard NATO ammunition.) Thus the expansion of the war is, once again, NATO's fault. The New York Times has a useful, brief account of Moscow's shifting justifications for its war, and of the ways in which those justifications have been trimmed to fit battlefield realities.

"Massed artillery and war crimes" as Russia's core military capabilities.

It's clear at this point that Russian combat performance has fallen far short of both Russian and Western expectations. An essay in Foreign Policy traces battlefield failure to problems whose roots go back to Soviet-era corruption (senior officers raking off funds, influence established on the basis of cronyism and compromise, and so on). The essay summarizes the now obvious gap between image and reality:

"Before late February, Russia was seen as one of the military powerhouses of the world. With the world’s fifth-largest standing army, comprising 900,000 standing troops and 2 million reservists, and a defense budget of $65.9 billion, the might of the Russian military loomed over Eurasia and NATO at large.

"Fast-forward to today, and the reputation of the Russian military is defined by images of Ukrainian farmers stealing Russian tanks and an inability to cross basic river systems. Apparently the Russian military has trouble swimming, which bodes well for Finland. The only thing it seems to be good at are massed artillery and war crimes. And particularly embarrassing is the Russian ability to get its senior leadership killed—or sacked. So far, Russia has reportedly lost at least nine generals on the battlefield and plenty more at home as President Vladimir Putin continues his purge of generals. High defense spending and an aggressive foreign policy haven’t healed the serious issues that have plagued Russian military culture since the fall of the Soviet Union."

These are all high-level problems, and there appears to be little in the lower levels of command and leadership that might compensate for such failings. On the battlefield they have expressed themselves as logistical incompetence, manifestly low levels of collective training, and tactical ineptitude.

More spearphishing of Ukrainian targets.

Late yesterday Mandiant released a report on spearphishing campaigns in progress against Ukrainian targets. Two groups, one Russian, the other Belarusian, have been recently active. Their tactics are similar, but their operations are distinct:

  • "UNC1151 is a group that Mandiant assesses are sponsored by Belarus and have frequently used the access and information gained by their intrusions to support information operations tracked as “Ghostwriter.” Mandiant released a blog last year detailing our assessments on UNC1151, and they have continued to be very active in targeting Ukraine since the start of the Russian invasion, paralleling Belarus’s government’s enablement of Russia’s invasion."
  • "UNC2589 is believed to act in support of Russian government interest[s] and has been conducting extensive espionage collection in Ukraine. Notably, we assess UNC2589 is behind the January 14th disruptive attacks on Ukrainian entities with PAYWIPE (WHISPERGATE). Following the disruptive attack, UNC2589 has primarily targeted Ukraine, but has also been active against NATO member states in North America and Europe."

The Russian-aligned actor UNC2589 (Mandiant notes uncertainty about UNC2589's provenance, let alone its place on any organization chart) uses evacuation-themed emails as its phishbait, as well as notices about wages and compensation. The Belarusian group, UNC1151 (believed to provide technical support for the Ghostwriter information operation), uses an offer of advice on how to shelter while under artillery fire as its phishbait.

US Cyber Command releases IOCs obtained from Ukrainian networks.

US Cyber Command's Cyber National Mission Force has released a large set of indicators of compromise (IOCs), twenty in all, obtained from Ukrainian networks. The IOCs are interesting and useful in themselves, but the release also indicates how closely US Cyber Command is working with its counterparts in the Security Service of Ukraine. The announcement from Fort Meade reads, in part, "Our Ukrainian partners are actively sharing malicious activity they find with us to bolster collective cyber security, just as we are sharing with them. We continue to have a strong partnership in cybersecurity between our two nations."