Ukraine at D+295: Cold weather and reconstitution.
Dec 16, 2022

Long- and short-range strikes continue, as both sides wait for a harder freeze. GPS-jamming is reported in Russian cities.

Russian missile strikes against Ukrainian infrastructure continue, according to Al Jazeera and others. The BBC notes that Kherson has been particularly hard hit, with multiple-rocket-launcher barrages that have left the city without power. Other Ukrainian cities farther from the front have sustained a fresh round of strikes by longer-ranged missiles and loitering drones. The AP puts today's tally at about sixty missiles launched against Ukrainian cities. Some of those were intercepted by air defenses, but others struck their intended targets.

The US has announced plans to deliver Patriot air defense missiles to Ukrainian forces; these are effective against a wide range of threats, including ballistic and cruise missiles. Moscow's not happy about that, warning yesterday that the US faced unspecified "consequences" if it followed through on this particular promise to Kyiv, Military Times reports. A Foreign Ministry spokeswoman said that the arrival of Patriots would constitute “another provocative move by the US.” The US Army has already been providing Ukrainian units with battalion-level combined arms training at its Grafenwoehr Training Area in Germany.

Ukrainian drones are active against Russian targets in occupied Crimea, TASS discloses in the midst of an otherwise panglossian account of the Russian patriotic resolve and economic development the peninsula (taken by Russian invasion in 2014) is said to display. Task & Purpose offers some commentary on this drone campaign.

Going on the tactical defensive.

Russian forces continue to prepare large complexes of field fortifications. The UK's Ministry of Defence thinks this old-fashioned and ineffectual. "As shown by imagery, in recent weeks, Russian forces have continued to expend considerable effort to construct extensive defensive positions along the front line. They have likely prioritised the northern sector around the town of Svatove. The Russian constructions follow traditional military plans for entrenchment, largely unchanged since the Second World War. Such constructions are likely to be vulnerable to modern, precision indirect strikes. The construction of major defensive lines is further illustration of Russia’s reversion to positional warfare that has been largely abandoned by most modern Western militaries in recent decades."

Digging in isn't foolish, and all armies still do it, but what the MoD calls Russia's "reversion to positional warfare" is emblematic of incapacity for effective mobile action. The Washington Post this morning ran an account of the fate of the 200th Motorized Rifle Brigade, wrecked in operations against Kharkiv, but formerly reckoned among Russia's best trained and equipped regular formations. The story points to ways in which systemic problems ("endemic corruption, strategic miscalculations and a Kremlin failure to grasp the true capabilities of its own military or those of its adversary") can have direct, local effects. The Post's story argues that the case of the 200th MRB is emblematic of Russia's war. "After months of ceding territory and losing thousands of troops, Putin is now trying to salvage his grandiose aims with an entire force that resembles the 200th: badly depleted, significantly demoralized, and backfilled with inexperienced conscripts."

The AP reports that various experts think colder weather, and the more solidly frozen ground it will bring, should make it easier to maneuver combat vehicles cross-country, and thus that either or both sides could resume the offensive in January or February. The troops will still be cold and uncomfortable, but they'll also be more mobile. Senior Ukrainian officers predicted, in an interview with the Economist, that Russia could be expected to resume the offensive in February. Not only would the ground be firmer, but the remainder of the 300,000 former soldiers recalled during the partial mobilization will have completed such training as the Russian army can give them, and will probably be moved to the front. The Ukrainian officers also caution against underestimating Russian combat capability.

One consideration that will inevitably limit Russian operations is the growing shortage of ammunition, which the Russian army has been expending at rates not seen since the World Wars. As Task & Purpose observes, probably no army in the world, even ones with a better industrial base than Russia enjoys, could sustain the rates of artillery fire Russian forces have maintained since the invasion began in February.

GPS disruptions reported in Russian cities.

Wired reports that GPS signals are being jammed in some Russian cities. Russian electronic warfare operations have periodically disrupted GPS during the present war. The motive in this case may be interference with GPS-guided Ukrainian drones and missiles that have recently struck military targets inside Russia.

A new cyberespionage campaign hits Ukraine.

Mandiant yesterday morning issued a report on activity it was observing in Russia’s hybrid war against Ukraine. It’s a supply-chain attack in which Trojanized Windows 10 installers are being distributed to Ukrainian targets. The researchers track the activity as UNC4166, and they note that there seems to be an overlap between this round of attacks and the target list of Ukrainian organizations against which the GRU deployed wipers early in the war. The company writes, “We believe that the operation was intended to target Ukrainian entities, due to the language pack used and the website used to distribute it. The use of trojanized ISOs is novel in espionage operations and included anti-detection capabilities indicates that the actors behind this activity are security conscious and patient, as the operation would have required a significant time and resources to develop and wait for the ISO to be installed on a network of interest.”

Mandiant says, “While our analysts do not have enough info to attribute this operation to a previously tracked group, it has been active at organizations that were previously targeted by GRU related clusters with wipers at the outset of the war. Of note, UNC4166 has actively targeted organizations that were historically victims of disruptive wiper attacks that Mandiant associates with APT28.”

APT28 has also been tracked as Fancy Bear, a GRU crew, and this recent activity is consistent with a cyberespionage campaign, concentrating as it appears to have done on information theft.

John Hultquist, Head of Intelligence Analysis at Mandiant, emphasizes that this is a supply chain attack, and in that respect at least reminiscent of the SolarWinds operation. He said in emailed comments, “Though it’s hardly as technically sophisticated as SolarWinds, this operation is similar in that it appears to be designed to compromise a large set of potential targets who can then be winnowed down for targets of interest. In this case those targets are the Ukrainian government. We can’t afford to ignore the supply chain. It can be used like a sledgehammer or it can be used like a scalpel.”

NSA warns against dismissing Russian offensive cyber capabilities.

It's now a commonplace, and correct, observation that Russian cyber operations have fallen far short of prewar expectations. But US NSA Cybersecurity Director Rob Joyce warns against complacency. CyberScoop quotes him as saying, during a press briefing on the release of NSA's 2022 retrospective, “I would not encourage anyone to be complacent or be unconcerned about the threats to the energy sector globally. As the war progresses there’s certainly the opportunities for increasing pressure on Russia at the tactical level, which is going to cause them to reevaluate, try different strategies to extricate themselves.”

The mention of the energy sector is significant, as it had been expected to be a principal target of Russian cyber operators. They had shown the ability to interrupt service across portions of the Ukrainian grid in 2015 and 2016, but those cyberattacks haven't been reprised in the present war. This isn't due to any tenderness about civilian suffering or indiscriminate targeting, either, as the drumfire of Russian missile strikes demonstrates. Some of the failure of Russian cyber operators to show up is certainly due to effective Ukrainian defense, but a complete explanation remains a matter for speculation.

The NSA Cybersecurity Year in Review Report summarized the agency's work during Russia's war against Ukraine as follows:

"As Russia invaded Ukraine in early 2022 and the U.S. held Russia accountable, intelligence indicated that the Russian government was exploring options for potential cyberattacks against the U.S., including its critical infrastructure sectors. NSA, CISA, and FBI issued Cybersecurity Advisories in January, February, and April to heighten awareness of the threat and promote understanding of Russian state-sponsored and cybercriminal tactics, techniques, and procedures (TTPs) so that net defenders could strengthen their defenses. Through operational collaboration with Defense Industrial Base companies and their service providers, NSA’s Cybersecurity Collaboration Center (CCC) played a leading role in protecting key critical infrastructure sectors. The CCC conducted more than 2,000 bidirectional exchanges in the first four months of 2022, sharing NSA’s insights, actionable information on Russian cyber TTPs, and building a more fulsome intelligence picture with industry’s help. Throughout the conflict in Ukraine, NSA has provided foreign signals intelligence insights that have aided U.S. Government leaders, NATO and the U.S. European Command (EUCOM). It has also provided cryptographic security products to meet unplanned emergent requirements and to support urgent missions. It has rapidly deployed more than 150 communications security (COMSEC) devices to support mission operations during the global crisis."