Ukraine at D+445: Russian forces' tactical withdrawals around Bakhmut.
May 15, 2023

Ukrainian forces have, since Friday, conducted local attacks around Bakhmut, and have enjoyed some success, but it seems too early to call this the beginning of the spring offensive.

Sources differ as to whether Ukraine's spring offensive has begun. Russian sources, including both officials and fractious milbloggers, say that it has, with the milbloggers in particular asserting that it began Friday around Bakhmut. Ukrainian official sources say it hasn't yet begun. They were seconded in this by US Defense officials, who said that recent combat operations in the Bakhmut zone have represented "shaping" as opposed to a full offensive. The New York Times has an overview of the local Ukrainian advances in and around the ruined city. Elsewhere in the theater, Russian drone and missile strikes continued, with civilian targets in Khmelnitsky hit hard. Ukrainian local authorities said the damage extended to "educational institutions, medical facilities, administrative buildings, industrial facilities, multi-story buildings, and private houses."

Wagner Group boss Prigozhin has continued his criticisms of Kremlin leadership, and some see his derisive references to an otherwise unnamed grandfather as not-so-veiled attacks on President Putin. The Telegraph reports speculation that Mr. Prigozhin has lofty personal political ambitions that may extend to the presidency of Russia itself.

The Washington Post reports that Mr. Prigozhin also appears in the Discord Papers leaks, which suggest that he's been in contact with Ukrainian intelligence services, offering to swap information about Russian army positions in exchange for certain Ukrainian withdrawals.

Russian tactical withdrawal near Bakhmut.

Whether a local operation or simply one phase of a larger attack, Ukrainian forces have made noticeable gains. Saturday morning the UK's Ministry of Defence (MoD) reported a Russian withdrawal from Bakhmut, abandoning their bridgehead over the Donets-Donbas Canal. "Over the last four days, elements of Russia’s 72nd Separate Motor Rifle Brigade (72 SMRB) likely withdrew in bad order from their positions on the southern flank of the Bakhmut operation. Ukrainian forces regained at least a kilometre of territory. The area has some tactical significance because it was a Russian bridgehead on the western side of the Donets-Donbas Canal, which marks the front line through parts of the sector. 72 SMRB is an element of Russia’s 3rd Army Corps, a formation created in Autumn 2023 [sic--an obvious typographical error in the situation report: the 3rd Army Corps was formed in August 2022] and dogged with allegations of poor morale and limited combat effectiveness. Its deployment to such a demanding and operationally important sector highlights Russia’s severe shortage of credible combat units."

The MoD expanded this assessment Sunday morning. "On paper, the Russian Combined Grouping of Forces (CGF) in Ukraine is similarly organised to the invasion force of 446 days ago. It still likely consists of over 200,000 personnel organised into around 70 combat regiments and brigades divided into five Groups of Forces. It still struggles with limited freedom to conduct air operations. However, in February 2022 it consisted of professional soldiers; was largely equipped with reasonably modern vehicles; and had been regularly exercised, aspiring to complex, joint operations. Now the force is mostly poorly trained mobilised reservists and increasingly reliant on antiquated equipment, with many of its units severely under-strength. It routinely only conducts very simple, infantry-based operations. Critically, it is unlikely that CGF has been able to generate a large, capable, mobile reserve to respond to emerging operational challenges. It is unlikely to be an organisation which will effectively cohere large-scale military effect along the 1,200 km front line under stress."

Ukrainian drone strike against Russian airbase.

This morning the MoD described the implications of a drone strike against a Russian airbase earlier this month. "On 03 May 2023, several uncrewed aerial vehicles (UAVs) struck Russia’s Seshcha Airbase, 150km north of the Ukrainian border. One An-124 heavy transport aircraft of Russia’s Military Transport Aviation (VTA) was likely damaged. Seshcha is a hub for the VTA in western Russia and has played a major role in enabling Russia’s invasion of Ukraine. Russia also uses the site to launch Iranian-produced one-way-attack UAVs towards Kyiv. The VTA is a well-resourced element of the Russian Air Force, essential for transport across the vast country. Russian leaders will be concerned that Russia’s air defences continue to be compromised, holding at risk key strategic assets such as VTA bases."

Anonymous Sudan looks like a Russian front operation.

Bloomberg reports that Anonymous Sudan, which represents itself as an Islamist Sudanese hacktivist collective, appears in fact to be a false-flag operation of Russian intelligence services. Research published in February by the Swedish cybersecurity firm Truesec concludes that Anonymous Sudan is instead in all probability a Russian operation directed at Sweden. Its aim is to interfere with Sweden's accession to NATO using a mix of nuisance-level distributed denial-of-service (DDoS) attacks and influence operations directed at Sweden's Muslim minority and at Turkish public opinion. The DDoS attacks, apart from the irritation they represent, lend verisimilitude to Anonymous Sudan's self-presentation as a hacktivist group: DDoS, after all, is, along with website defacements, a common hacktivist tactic. But Anonymous Sudan displays, Truesec concludes, both a detailed, close knowledge of Sweden's political climate and a level of funding that far exceeds what's available to genuine hacktivist groups.

Bloomberg cites Katarzyna Zysk, a professor of international relations at the Norwegian Institute for Defence Studies in Oslo, and reports that "the timing and organization of the attacks, the hackers’ knowledge of religious and political friction points in Sweden, and the attacks’ similarities to other Russian influence operations" have "led her to conclude that the group was controlled or guided by Russia’s intelligence services."

For its own part, Anonymous Sudan has pooh-poohed Truesec's report. They're not Russian, they say, but Russia has helped them in the past, and this is just their way of giving back. A look at the ongoing violence in Sudan would suggest that this is implausible: actual hacktivists, especially actual Sudanese Islamist hacktivists, would have more immediate concerns than doing a solid for Russian buddies.

Attribution and motivation of "RedStinger" remain murky.

The RedStinger campaign Malwarebytes described last week seems to have been active against both Ukrainian and Russian targets. A discussion in Cybernews notes that while the APT group (which the outlet refers to as "Red Stealer") is known to have been active between 2020 and 2022 and seems to be Russian, its motivation is curious, as it has collected against targets on both sides of Russia's war with Ukraine. One possible explanation is that RedStinger was interested in quasi-domestic surveillance of officials in Ukrainian provinces illegally annexed by Russia. A report in SC Media observes, "An example of the baffling diversity of the targets of Red Stinger’s attacks occurred in September last year when Russia held referendums in Luhansk, Donetsk, Zaporizhzhia and Kherson seeking support for its occupation. The group targeted several election officials involved in the Russian referendums, but during the same operation it also targeted a Ukrainian library in the city of Vinnytsia."

CISA summarizes Russian cyber offensives.

CISA, the US Cybersecurity and Infrastructure Security Agency, has published a compendium of its studies of "the Russian government’s malicious cyber activities." The most recent entry is last week's discussion of the Snake malware and its disruption by the Five Eyes. The oldest entry goes back to December 29, 2016, and covers the Grizzly Steppe operation conducted against US targets associated with the 2016 US elections. It's noteworthy that CISA's compendium addresses only Russian government malicious activity. The large and active Russian cyber underworld is outside the scope of the summary.