Ukraine at D+385: Influence ops and espionage rise.
N2K | Mar 16, 2023

Drones and Maxim guns, and an incipient surge in Russian cyberespionage and influence operations.


Fighting remains heavy in Bakhmut, where Ukraine is using First World War defensive tactics (and some First World War Maxim guns) against Russian First World War dismounted infantry tactics. The BBC summarizes, "And this is how the battle for Bakhmut is being fought, as winter turns to spring in 21st Century Europe. A 19th Century weapon still mows down men by the score in the black Ukrainian earth." The drones are still flying, but not so much when the weather is poor and the winds are high.

Both sides are said to be running low on ammunition, which is unsurprising given the very high rate at which they're expending ammunition. Ukraine's allies are moving ammunition and equipment to the country in preparation for a widely expected Ukrainian spring offensive, the New York Times reports.

Russian regulars competing for reputation with Russian mercenaries?

The UK's Ministry of Defence offers some speculation about why Vuhledar became a Russian objective: the Russian army doesn't want to be upstaged by the Wagner Group's fighting in Bakhmut. "Over the last week, Russian attempts to assault the Donetsk Oblast town of Vuhledar have almost certainly slowed. This follows repeated, extremely costly failed attacks over the previous three months. One factor in Russia’s heavy losses in this sector has been Ukraine’s successful adoption of Remote Anti-Armour Mine systems (RAAM). RAAM is a specialist artillery shell which scatters anti-armour mines up to 17km away from the firing unit. In some instances, Ukraine has launched the mines over and behind advancing Russian units, causing disarray when Russian vehicles attempt to withdraw. Russia’s only notable recent tactical success has been in the Bakhmut sector, which is dominated by Wagner Group mercenary forces, currently engaged in a public feud with the Russian Ministry of Defence. There is a realistic possibility that Russia’s MoD has been insistent in its drive for success in Vuhledar, partially because it wants its own success to compete with Wagner’s achievements."

Don't fear the Reaper.

Russia is looking in the Black Sea for the wreckage of the US drone Russian fighters forced down in international airspace on Tuesday, the Telegraph reports. US Defense Secretary Austin held a call with his Russian counterpart, Defense Minister Shoigu, during which Secretary Austin objected strongly to Russian conduct: "On March 15, Secretary of Defense Lloyd J. Austin III spoke by phone with Russian Minister of Defense Sergey Shoygu regarding recent unprofessional, dangerous, and reckless behavior by the Russian air force in international airspace over the Black Sea. Secretary Austin emphasized that the United States will continue to fly and to operate wherever international law allows."

US European Command has released video the drone captured of the interception. Russia claimed that the US MQ-9 Reaper uncrewed drone was operating inside a temporary extension of Russian sovereign territory. The drone was, Moscow said, “in violation of the boundaries of the temporary airspace use area, defined in order to carry out the special military operation, which has been conveyed to all airspace users and published in accordance to the international norms.” The charge is baseless: international norms make no provision for such temporary extensions of sovereignty. USAFE has published a map that shows how far away from Russian territory the MQ-9 actually was.

The incident has cyber implications. Should Russia be able to recover the MQ-9's wreckage, it would look for ways of extracting and exploiting data and data management systems the drone carried. US operators are said, the Washington Post reports, to have wiped the MQ-9's systems before bringing it down some fifty-six nautical miles off the Crimean coast. Getting to the wreckage will be difficult, as the drone sank in water that's between 4000 and 5000 feet deep. “We’ll work through recovery operations,” General Milley, chair of the US Joint Chiefs of Staff said. “It probably broke up. There’s probably not a lot to recover, frankly.”

"Winter Vivern" seems aligned with Russian objectives.

SentinelLabs reports on recent activity by a quiet and relatively overlooked APT tracked as "Winter Vivern." Their report this morning said: "Our analysis indicates that Winter Vivern’s activities are closely aligned with global objectives that support the interests of Belarus and Russia’s governments. The APT has targeted a variety of government organizations, and in a rare instance, a private telecommunication organization." Most of that espionage has been conducted against targets in Eastern Europe, and both CERT-UA and Poland's Central Bureau for Fighting Cybercrime (CBZC) are tracking the activity, which they characterize as "criminal." SentinelLabs adds, "The threat actor employs various tactics, such as phishing websites, credential phishing, and deployment of malicious documents, that are tailored to the targeted organization’s specific needs. This results in the deployment of custom loaders and malicious documents, which enable unauthorized access to sensitive systems and information." Some of that phishing involves impersonation of the CBZC itself.

Microsoft warns of a possible surge in Russian cyber operations.

Winter Vivern would seem to be just one indicator. Microsoft reports that, while Russian cyber operators have underperformed during the hybrid war, there are signs of a spike in both espionage and influence operations. "In 2023, Russia has stepped up its espionage attacks, targeting organizations in at least 17 European nations, mostly government agencies. Wiper attacks continue in Ukraine." Influence operations have shown an interesting shift in attention toward Moldova. In a longer report on lessons learned over the first year of Russia's war, Microsoft concludes with a warning that future Russian operations are likely to fall into two categories:

  1. "Espionage purposes to understand military support and political deliberations of different nations in their commitment to the Ukrainian resistance."
  2. "Potential hack-and-leak operations targeting key figures essential for support to Ukraine."

Boss Sandworm.

Wired has a profile of Colonel Evgenii Serebriakov, the GRU officer who's running the Russian military intelligence service's Sandworm unit. Sandworm has been a problem, with wipers, attacks on power distribution networks, and other capers, but it's also, Wired sniffs, a record of noisy stumbling around. "But after half a decade of the spy agency's botched operations, blown cover stories, and international indictments," Wired writes, "perhaps it's no surprise that pulling the mask off the man leading that highly destructive hacking group today reveals a familiar face."

Colonel Serebriakov was actually arrested in the Netherlands during a clumsy 2018 attempt to hack the Organization for the Prohibition of Chemical Weapons, the international organization then investigating the GRU's grisly attempt to use Novichok nerve agent to assassinate a GRU defector in the UK (the target and his daughter survived; an uninvolved British bystander did not). The Dutch authorities released Colonel Serebriakov for reasons that remain unclear. He's still under US indictment, although out of reach and working from some branch of the Aquarium.

That someone with Colonel Serebriakov's unintentionally very public record should turn up in charge of a major Russian cyber offensive unit shows, Mandiant's head of threat intelligence John Hultquist told Wired, something about the size of Russia's offensive cyber community. “This is someone from a notorious close-access operation, and then he shows up as the leader of another organization we know very well,” Hultquist said. “To a certain extent, it demonstrates how small this world is that we’re trying to keep tabs on. The same individuals show up again and again—and I mean the people with the actual hands on the keyboard. It speaks to the limited number of people in the field. We're still living in a world where talent is apparently limited to the point where we know the adversaries intimately.”