US and UK intelligence services conclude that President Putin is being badly served by his own intelligence services. Russian domestic security services appear to be increasing their surveillance of internal dissent. Ukrainian hacktivists continue to work against Russian interests.
Ukraine at D+35: Stalemate at best, reverses at worst, as Russia's war stalls.
The UK's Ministry of Defence, in its most recent situation report on Russia's war against Ukraine, describes stalled Russian maneuver and intensive Russian fire: "Despite Russian statements indicating an intended reduction of military activity around Chernihiv, significant Russian shelling and missile strikes have continued. Russian forces continue to hold positions to the east and west of Kyiv despite the withdrawal of a limited number of units. Heavy fighting will likely take place in the suburbs of the city in coming days. Heavy fighting continues in Mariupol, a key objective of Russian forces, however Ukrainian forces remain in control of the centre of the city."
UK and US intelligence services think Putin's been poorly served by his spooks and planners.
Speaking in Canberra this morning, GCHQ Director Jeremy Fleming said that President Putin had been poorly served by his intelligence services, but that at this point the intelligence and operational planning failures are evident to even the meanest understanding:
"And even though we believe Putin’s advisers are afraid to tell him the truth, what’s going on and the extent of these misjudgements must be crystal clear to the regime.
"This week, the Russian MOD stated publicly that they will drastically reduce combat operations around Kyiv and a city in the North. It looked like they have been forced to make a significant change.. But then they proceeded to launch attacks in both of those places. Mixed messages or deliberate misinformation – we’ll have to see how it unfolds."
US intelligence has reached a similar conclusion, and thinks that failures have raised tension between Mr. Putin and his Ministry of Defense, including Defense Minister Sergei Shoigu, who had been one of President Putin's long-time cronies and advisors. The New York Times quotes US Secretary of State Blinken: “With regard to President Putin, look, what I can tell you is this, and I said this before, one of the Achilles' heels of autocracies is that you don’t have people in those systems who speak truth to power or who have the ability to speak truth to power. And I think that is something that we’re seeing in Russia.”
Pentagon spokesman John Kirby concurred at a news conference yesterday. “We would concur with the conclusion that Mr. Putin has not been fully informed by his Ministry of Defense, at every turn over the last month. If Mr. Putin is misinformed or uninformed about what’s going on inside Ukraine, it’s his military, it’s his war, he chose it. And so the fact that he may not have all the context — that he may not fully understand the degree to which his forces are failing in Ukraine, that’s a little discomforting, to be honest with you.”
The White House also cited intelligence that suggests President Putin was unprepared for, and may still not appreciate, the damaging effects of sanctions on Russia's economy. Citing an official who spoke on condition of anonymity, the AP reports, "The intelligence community has concluded that Putin was unaware that his military had been using and losing conscripts in Ukraine. They also have determined he is not fully aware of the extent to which the Russian economy is being damaged by economic sanctions imposed by the U.S. and allies."
The findings demonstrate a “clear breakdown in the flow of accurate information” to Putin, and show that Putin’s senior advisers are “afraid to tell him the truth,” the official said.
The Telegraph has a rundown of reports and rumors of repercussions for Russian officials who's planning and reporting have served their President poorly.
Low morale, botched logistics, and poor tactical performance.
GCHQ director Fleming also spoke about the British signals intelligence agency's assessment of Russian small unit combat performance, and what he said isn't good (from the Russian point-of-view):
"[I]t increasingly looks like Putin has massively misjudged the situation. It’s clear he misjudged the resistance of the Ukrainian people. He underestimated the strength of the coalition his actions would galvanise. He under-played the economic consequences of the sanctions regime. He over-estimated the abilities of his military to secure a rapid victory. We’ve seen Russian soldiers – short of weapons and morale - refusing to carry out orders, sabotaging their own equipment and even accidentally shooting down their own aircraft."
There are other unexpected signs of tactical incapacity that suggest a surprisingly low level of training in Russia's army. The Washington Post describes widespread use of tree branches tied atop vehicles, which is, to judge from the accompanying photographs, an ineffective gesture in the direction of camouflage that's not hiding anything. Yolki palki, where are their camouflage nets? The Ukrainians seem to have some. But branches on trucks and tracks are the sort of thing soldiers do when they're worried about their safety and don't know any better. This is surprising: camouflage had long been considered a Russian strength, but here too that strength seems not to be finding expression at the unit level.
Logistical failure has become a defining feature of Mr. Putin's special military operation. Russian ground forces have shown themselves unable to move quickly, or in some cases even at all. They're roadbound, which some commentators attribute to mud, but European armies have dealt with mud forever, and it's no novelty in either Russia or Ukraine. Their supply convoys have been poorly protected. And the supply system as a whole seems ill-managed and poorly prepared. In some respects this may be a function of misguided doctrine concerning force structure. Russian combat troops (infantry, armor, and artillery) outnumber support troops (transportation, supply, etc.), as if Moscow's planners had decided to go all-in on tooth at the expense of tail.
But the tooth-to-tail metaphor is probably a misleading one. Logistical support makes combat possible; they're not there to deliver optional comforts that can be easily dispensed with. In the US Army, for example, support troops outnumber combat troops, and that's not because of softness, of a comfort-loving nation's desire to take its ice cream cones along with it. A US general a couple of decades ago expressed dissatisfaction with talk of how low the US tooth-to-tail ratio was. Talking about tooth-to-tail shows you don't get it, he said. It's not tooth-to-tail; it's fist-to-muscle, and the logistics are the muscle. Russia's experience, as described in the Washington Post, would seem to bear him out.
Russian cyber operators collect against domestic targets.
Citing research by Malwarebytes, BleepingComputer describes a large-scale phishing campaign directed against potential Russian dissidents. It seems to be an internal security measure intended to keep an eye on dissatisfaction with the war and to offer a measure of insurance against the possibility of insurrection or coup d'etat. A malicious RTF file attached to a phishing email carries either a CobaltStrike or PowerShell payload. Employees of certain agencies are of particular interest to the organs carrying out the campaign, and it's interesting to see how many of them work for either educational organizations or regional authorities:
- Portal of authorities of the Chuvash Republic Official Internet portal
- Russian Ministry of Internal Affairs
- ministry of education and science of the Republic of Altai
- Ministry of Education of the Stavropol Territory
- Minister of Education and Science of the Republic of North Ossetia-Alania
- Government of Astrakhan region
- Ministry of Education of the Irkutsk region
- Portal of the state and municipal service Moscow region
- Ministry of science and higher education of the Russian Federation
More details on the Viasat hack.
Viasat has provided more information on the cyberattack against ground terminals that knocked its satellite Internet service offline in Ukraine (and in other parts of Europe) during the early stages of the Russian invasion. The update reads, in part:
"On 24 February 2022, a multifaceted and deliberate cyber-attack against Viasat’s KA-SAT network resulted in a partial interruption of KA-SAT’s consumer-oriented satellite broadband service. While most users were unaffected by the incident, the cyber-attack did impact several thousand customers located in Ukraine and tens of thousands of other fixed broadband customers across Europe. This incident was localized to a single consumer-oriented partition of the KA-SAT network that is operated on Viasat’s behalf by a Eutelsat subsidiary, Skylogic, under a transition agreement Viasat signed with Eutelsat following Viasat’s purchase of Euro Broadband Infrastructure Sàrl ('EBI'), the wholesale broadband services business created as part of Viasat's former partnering arrangement with Eutelsat. The residential broadband modems affected use the 'Tooway' service brand. This cyber-attack did not impact Viasat’s directly managed mobility or government users on the KA-SAT satellite. Similarly, the cyber-attack did not affect users on other Viasat networks worldwide."
The company says it's working to fully restore service to affected customers, and that it's taking other steps to shore up its resilience. Those steps it's prudently not sharing, since it doesn't wish to give the attackers insight into Viasat's own defenses.
Ukrainian hacktivists say they can interfere with Russian geolocation.
Defense One reports that Ukrainian operators, hacktivists of the CyberPan Ukraine group, say they've found weaknesses in Russian tactical battle management systems that render them susceptible to disruption by interfering with their ability to use GLONASS signals. (GLONASS is the Russian equivalent of the more familiar US GPS.) They also hint that they're exploring ways of directly interfering with Russian artillery computers, and that they've identified some possibly exploitable weaknesses in those systems. This wouldn't be surprising: Russia did it to the Ukrainians a few years ago. During the early stages of the Donbas insurrection Russia fomented and supported, CrowdStrike reported that Russian operators were able to gain access to Ukrainian fire direction systems.
Data compromise at Rosaviatsia considered as possible hacktivism.
Russia's aviation authority, Rosaviatsia, is reported to have lost some 65 terabytes of data in an incident it sustained this week, Mentour Pilot reports. Business systems and records, including aircraft registration records, are said to have been affected. It's not clear exactly what the incident was, even whether it was a cyberattack or an accident, although Anonymous has claimed credit. Some sources in Russia are connecting the incident to IT problems induced by a recent change in agency leadership, but others, like Egnyte's Neil Jones, see hacktivism as a more probable explanation:
“The alleged cyber-attack on Russian Federal Air Transport Agency's (Rosaviatsia) 65 TB of sensitive documents, privileged files, aircraft registration data and e-mails by Anonymous Hacking Group show us that 'hacktivism' has not disappeared. Although details of this cyber-attack are still emerging, an effective incident response plan needs to account for potential attacks that originate from hacktivist organizations or even disgruntled employees, to prevent employees from reverting to data analysis via pen and paper. Best practices to reduce the likelihood of attacks such as Rosaviatsia include the following:
- "Restricting data access based on an end-users' 'business need to know';
- "Implementing technology that detects suspicious log-ins, particularly from unanticipated geographical regions.
- "Proactively stating your organization's position on key geo-political events, and updating positioning as conditions change. With the proliferation of just-in-time media content, I anticipate that this trend will continue.”
It's worth noting that, whatever the cause, safety of flight seems not to have been affected.
The potential for future cyberattacks.
Russia's war against Ukraine has yet to spill over, in significant ways, to other sections of cyberspace, but the US remains, C4ISR reports, on alert.
Google's Threat Analysis Group (TAG) has published an update on cyber threats in Eastern Europe. Some are criminal, and some are state-directed. Among the state-directed activity is an uptick in Chinese cyberespionage seeking to collect intelligence on the war.