Ukraine at D+504: Spinning the mutiny.
Jul 13, 2023

Ukraine continues its slow progress on the ground, Russia continues to fire drones against civilian targets, and there appears to be a purge of senior Russian officers in progress.

Russia continued waves of drone strikes against Ukrainian cities--and the targets are noncombatants, not military installations. Kyiv itself underwent a third straight night of attacks. Air defenses shot down all the Shahed drones used in the strikes, but falling debris injured some on the ground.

Ukraine's counteroffensive also continues, albeit deliberately. Nonetheless, it seems to be making progress. Al Jazeera's accounting says that in the five weeks of the counteroffensive Ukraine has undone six months of Russian gains.

Vehicle-borne improvised explosive devices.

The UK's Ministry of Defence reports some battlefield improvisation. "In June 2023, there have been several reports of Russian forces using antiquated armoured vehicles packed with several tonnes of explosives as vehicle-borne improvised explosive devices (VBIEDs). The crew likely bail out of the vehicle after setting it on its course. Most Russian VBIED cases have been reported around Marinka, near Donetsk city, and started days after Chechen units reinforced the area: there is a realistic possibility that Chechen forces are pioneering the tactic. There is a heritage of Chechen fighters being skilled in IED use, dating back to the Chechen Wars from the 1990s. Chechens fighting for Ukraine were also reported to have made similar VBIEDs in January 2023. Most of Russia’s VBIEDs have almost certainly detonated before they reached their target through a combination of anti-tank mines and direct fire, bringing into question the viability of the capability. However, these VBIEDs cause extremely large explosions, which are still likely to have a psychological effect on defending forces."

Russia resumes its pursuit of a "sovereign Internet."

In a renewed push for a protected and controllable sector of cyberspace, Russia is pursuing a "sovereign Internet." But the program faces difficulties, Scientific American reports. A test last week attempted to disconnect Russia's Internet from the rest of the world's. The Kremlin declared the trial a success, but outside observers conclude to the contrary that it ended in failure, producing widespread outages among Russian websites. The sovereign Internet isn't a simple or unitary project, but rather a system of technologies, deep packet inspection tools figuring prominently among them, that would give the government greater ability to cut off external (that is, international) connections, and monitor domestic traffic and content. There's also an element of autarky in the program, as Russia seeks to provide domestic alternatives to hardware and software that would otherwise be provided from foreign sources.

The GRU's offensive cyber tactics.

Russia has responded to Ukraine's counteroffensive with a surge in cyberattacks, CSO reports. The GRU isn't the only Russian service involved, but it's been a prominent player in these operations.

Mandiant has been tracking cyber operations by Russia's military intelligence service, the GRU (often known as Fancy Bear when it conducts cyberattacks), and its researchers have discerned a common, well-thought-through and repeatable process underlying the GRU's approach. It sees a five-phase operational style:

  1. "Living on the Edge: Leveraging hard-to-detect compromised edge infrastructure such as routers, VPNs, firewalls, and mail servers to gain and regain initial access into targets."
  2. "Living off the Land: Using built-in tools such as operating system components or pre-installed software for reconnaissance, lateral movement and information theft on target networks, likely aiming to limit their malware footprint and evade detection."
  3. "Going for the GPO: Creating persistent, privileged access from which wipers can be deployed via group policy objects (GPO) using a tried-and-true PowerShell script."
  4. "Disrupt and Deny: Deploying “pure” wipers and other low-equity disruptive tools such as ransomware to fit a variety of contexts and scenarios."
  5. "Telegraphing 'Success': Amplifying the narrative of successful disruption via a series of hacktivist personas on Telegram, regardless of the actual impact of the operation."

The researchers see the "playbook" as systematizing some well-established approaches and combining them into an operational method that's effective, repeatable, and responsive. It yields, for all of its fixed and stereotypical structure, a paradoxical agility and adaptability that render cyber operations a practical combat support capability.

A probable Ukrainian false-flag operation.

A June 29th cyberattack against Russian satellite communications provider Dozor-Teleport ZAO was claimed online by an actor who identified himself as a member of the Wagner Group. The hack, which came five days after the Wagner Group stood down from its march on Moscow, was represented as a contribution to the mutiny. But the timing seems to have been off. Some of the activity antedated the Wagnerite action, and the actual wiper attack occurred after negotiations had brought an end to the incident. Bloomberg reports that there are more circumstantial signs of Ukrainian involvement in the action. For example, "news of the attack didn’t spread until Andriy Baranovych, a spokesman for a group of Ukrainian hackers named the Ukrainian Cyber Alliance, tweeted about it." (The Ukrainian Cyber Alliance is a hacktivist auxiliary working in Kyiv's interest.) If the cyberattack was a false flag operation, it was well-conceived as a contribution to doubt and mistrust in Russia.

A post-mutiny purge seems to be underway in Russia.

Russia's Defense Ministry says, according to the AP, that the Wagner Group is being disarmed, its troops turning in their weapons. These aren't only, or even primarily, small arms. "Among the weapons turned over were more than 2,000 pieces of equipment, such as tanks, rocket launchers, heavy artillery and air defense systems, along with over 2,500 metric tons of munitions and more than 20,000 firearms, the Defense Ministry said." The seizure of weapons and equipment, the Washington Post reports, is being spun for domestic consumption as a debunking of Wagner Group boss Prigozhin's claims to have been inadequately supplied. If he hadn't been adequately supplied, the state-run media say, then where did all that matériel come from? And some of it seems never to have even been used! It's a naive take, but maybe the spin will have legs on the home front.

Radio Free Europe | Radio Liberty reports that Major General Ivan Popov, the commander of the 58th Combined Arms Army currently fighting in Zaporizhzhya, has said he was summarily relieved after criticizing the Ministry of Defense for its conduct of the special military operation. The general described his firing in a series of audio posts to Telegram, which CNN summarized. General Popov complained specifically about the ways in which Russia is losing the artillery war due to “the lack of counter-battery combat, the absence of artillery reconnaissance stations and the mass deaths and injuries of our brothers from enemy artillery.” He claimed Defense Minister Shoigu personally dismissed him over the criticism he voiced. Popov explained, “I also raised a number of other problems and expressed it all at the highest level frankly and extremely harshly. I had no right to lie, therefore, I outlined all the problematic issues that exist today in the army in terms of combat work and support. As many commanders of divisional regiments said today, the servicemen of the armed forces of Ukraine could not break through our army from the front, (but) our senior commander hit us from the rear, treacherously and vilely decapitating the army at the most difficult and tense moment.” The similarity of General Popov's complaint against the Defense Ministry and Wagner Group boss Prigozhin's denunciations is striking.

Stronger measures have been taken against other senior Russian officers. The Wall Street Journal reports that, "The Kremlin’s effort to weed out officers suspected of disloyalty is broader than publicly known, according to the people, who said at least 13 senior officers were detained for questioning, with some later released, and around 15 suspended from duty or fired." Among those being put to the question, sources say, is General Surovikin. The organs want to know more about his relationship with Mr. Prigozhin.

The hacktivist auxiliary, KillNet, has been recently quiescent insofar as hacking is concerned, but its members are engaging in a lot of chatter about the mutiny. The emerging consensus in KillNet channels is that the whole mutiny was a put-up job, organized by the government to facilitate a rotation of out-of-favor senior officers from their commands, to be replaced by more pliant generals. General Popov is more-or-less KillNet's hero: he, the chatter says, would know what to do about the Storm Shadow missiles the UK is sending Ukraine.

Well, OK, then.

So where is Colonel General Surovikin? Just resting, says Andrei Kartapolov, head of the State Duma Defence Committee. “Surovikin is currently resting. Not available for now,” Mr. Kartapolov explained, which is one way of putting it.