Ukraine at D+13: Looking for victory in rubble.
Mar 9, 2022

Russia's advance remains stalled in the face of resistance and logistical failure, but bombardment of cities intensifies. Sanctions edge Russia closer to default, and the world remains wary of and alert for a cyber campaign against critical infrastructure.

Ukrainian President Zelenskyy addressed the British House of Commons by video link yesterday. He thanked the UK for its support, and struck a deliberately Churchillian note: "We will not give up, and we will not lose. We will fight to the end in the sea, in the air. We will fight for our land, whatever the costs. We will fight in the forests, in the fields, on the shores, in the streets." He asked for more support: "Please increase the pressure of sanctions against this country, and please recognise this country as a terrorist state," he said. "And please make sure that our Ukrainian skies are safe. Please make sure that you do what needs to be done and what is stipulated by the greatness of your country." His broader appeal was to "civilized countries." The Telegraph reports that the MPs gave him a standing ovation.

"Western" nations (which include a number of geographically Eastern nations) have increased their sanctions against Russia, moving to block or at least significantly limit Russian oil and gas exports. Augmenting these formal sanctions has been a widespread exit of private companies from Russian markets. That exit extends across many, perhaps most, sectors. The effect on the Russian economy is already significant. Markets Insider reports that Fitch has cut its rating of Russian debt from B to C, and warned that default on Russian sovereign debt is "imminent."

Combat failures and a renewed emphasis on destruction of civilian targets.

Russian tactics in the war against Ukraine seem to have shifted decisively in the direction of attacking civilians and reducing cities to rubble as its conventional forces in the northern part of the country remain stalled and roadbound. That failure has been ascribed to a combination of Russian logistical failures and stiff Ukrainian resistance. The Guardian points out that Russian failure to take Kyiv and subdue Kharkiv has obscured the relatively better progress its forces have made in the south, but even there the advance has been far slower and less successful than expected. Mariupol, for example, on the southern Sea of Azov, east of Crimea, hasn't yet fallen, although it has been reduced to what the Ukrainian foreign minister calls "apocalyptic" conditions as Russian forces there continue to violate their own negotiated humanitarian cease-fire and continue to close roads and attack refugees.

The US estimates (with due regard for the difficulty of battle damage assessment under even the best of conditions) that the Russians have lost between two and four thousand killed so far in the first two weeks of their war. It's a "low-confidence" estimate, US Defense Intelligence Agency director Lieutenant General Scott Berrier told Congress, but it represents the best informed opinion. By the standards of a modern army those figures, even at the low end, are high. (The US lost 2,461 dead during twenty years of war in Afghanistan, notes.) US Intelligence Community leaders have told Congress that Russian President Putin has been surprised by his force's poor performance, having overestimated their capability and underestimated Ukraine's will and capacity for effective defense. Nonetheless, they think Mr. Putin is unlikely to cut his losses, to "be deterred." Betting on form, they expect him to double down on indiscriminate terror as he did earlier in Georgia and Chechnya. Bloomberg summarizes what the probable Russian endgame looks like, quoting Carnegie fellow Thomas de Waal, "They wanted Crimea 2014, but they got Chechnya 1994."

Observers point out that Russian training and doctrine emphasize avoiding urban combat, and that Russia will face difficulty as the fighting moves into cities proper. (Finding urban combat difficult is not a uniquely or even distinctively Russian problem. Modern armies in general would wherever possible avoid fighting in cities. But Russian forces seem even worse prepared than most.) That might not matter so much at this stage as it would have if Russian plans for quick decapitation of Ukraine's government had succeeded. If the goal is now destruction as opposed to occupation, that can be done with long-range fires better than it can be done with infantry or armor.

Noncombatants remain the primary targets of heavy Russian fires. The UK's Ministry of Defence tweeted in its regular public situation report last night, "More than 2,000,000 refugees have reportedly been forced from their homes as a result of President Putin’s attack on. The UN have reported that there have already been 1,207 civilian casualties since the Russian invasion began on 24 February. As with previous such estimates, the true figures are likely to be significantly higher and will continue to climb as long as Russian operations continue." The MoD this morning added the news that Russian forces again, for the third time, had violated their own cease-fire to attack refugees fleeing invested cities: "Russian forces have reportedly disrupted humanitarian corridors established in Mariupol and Sumy. This is the third successive day President Putin’s forces have breached their own ceasefire agreements. Shelling and small-arms fire were reported throughout the day although it is likely some civilians have been able to successfully flee the besieged cities. Those civilians forced to remain continue to suffer from shortages of power, food and water exacerbated by heavy Russian shelling."

Cyber operations in Russia's war against Ukraine.

The cyber phases of Russia's hybrid war continue to be far more limited and restrained than most had expected. An analysis in the Washington Post argues that this was to be expected, that offensive cyber operations have never been a war-winner, and that therefore Russia's mingy DDoS and defacement attacks were about what we should have expected. There's something to the analysts' skepticism concerning cyber not being decisive. But then, it's not usually the case that a particular capability in a particular domain is decisive. No one would seriously question the combat value of air power, but it would be difficult to make the case, pace Billy Mitchell, that air power alone has ever been decisive. And simple lack of decisive effect wouldn't seem to rule out the use of any capability. The analysts point out that earlier Russian disruptions of the Ukrainian power grid were temporary and relatively quickly remediated. But disruption of a grid, even if it lasts only a matter of hours, could be of considerable value in supporting a tactical operation. So the mystery remains: why hasn't Russia so far executed the disruptive attacks it's shown itself capable of, or the destructive capabilities that in all probability it has?

For all that, US and European policymakers continue to watch for a significant increase in the Russian cyber threat, waiting, as the Record puts it, for the other shoe to drop. In the EU, Reuters reports, the telecommunications ministers of the twenty-seven members have called upon Europe to establish an emergency fund that would be used to respond to major cyberattacks. Citing the war in Ukraine, the ministers, who will meet today to discuss the proposal, said, "The current geopolitical landscape and its impacts in cyberspace strengthen the need for the EU to fully prepare to face large-scale cyberattacks. Such a fund will directly contribute to this objective."

The US Intelligence Community's recently released Annual Threat Report, for example, published as Russia was completing its preparations to invade Ukraine, highlights the threat in cyberspace and suggests that Russia would wish to avoid direct, kinetic combat with the US. "We assess that Russia does not want a direct conflict with U.S. forces," the Report said. "Russia seeks an accommodation with the United States on mutual noninterference in both countries’ domestic affairs and U.S. recognition of Russia’s claimed sphere of influence over much of the former Soviet Union." In cyber proper, even excluding the related problem of what the ODNI calls "malign influence," the Report says:

"Russia is particularly focused on improving its ability to target critical infrastructure, including underwater cables and industrial control systems, in the United States as well as in allied and partner countries, because compromising such infrastructure improves and demonstrates its ability to damage infrastructure during a crisis.

"Russia is also using cyber operations to attack entities it sees as working to undermine its interests or threaten the stability of the Russian Government. Russia attempts to hack journalists and organizations worldwide that investigate Russian Government activity and in several instances, has leaked their information."

Ransomware, privateering, and criminal threats to critical infrastructure.

Conti appears to have shrugged off the recent reputational hit it took from doxing by a Ukrainian researcher who infiltrated its chats, and privateering is likely to continue for the foreseeable future what the GRU and its Bear colleagues might attempt.

Mark Carrigan, SVP of Process Safety and OT Cybersecurity at Hexagon PPM, wrote to describe the state of play with respect to threats against critical infrastructure in general:

"Between the recent warnings about BlackByte ransomware activity and cyber attackers' increased focus on critical infrastructure due to the intense geopolitical conflict we're seeing, it's no surprise that RagnarLocker has entered the conversation in a major way. This group has been known to change its tools, techniques and procedures (TTPs) to stay hidden, silently encrypting files to steal valuable data. That 52 critical national infrastructure (CNI) entities across 10 sectors have been compromised by this group is without a doubt a cause for alarm...but it shouldn't be surprising. Criminals feed off of easy targets and attacking Windows XP provides plenty of opportunity. 

"In times of intense warfare and geopolitical tension, the command, control and logistics of the adversary are likely to be top targets. It's time for operators of critical infrastructure to focus on resilience and ensure they have robust response plans in place to fight this ever-expanding threat. Owners and operators must create a plan to upgrade end of life systems that act as easy targets. What we see often is that owners/operators continue to struggle with generating a full inventory of devices and operating systems in their production networks. The tools are available today to get 100% visibility into the software and firmware versions of these systems, along with much more useful data, whether they are on the network or ‘islanded.’ Mitigating this extensive threat starts with generating a full inventory to know what you have and also ensure you are capturing offline backups of the configuration files of these critical systems so that if you were to get hit, you would have the ability to restore operations faster and safely. These highly-sophisticated cyber threats aren’t going away any time soon and companies large and small are in the cross-hairs. For OT/ICS security managers, 2022 should be the year of resilience."

Tim Erlin, VP of Strategy at Tripwire, wrote, in response to a question about attribution, to offer caution against confusing tools with actors. The same attack tools can be, and have been, used by many different groups. "It’s a mistake to conflate the tool used with the actor executing that tool," he wrote. "There are certainly cases where the threat actor and the tool are closely associated, but without clear evidence, it’s an assumption. The Ragnar Locker tool does include code to avoid countries that are part of the Commonwealth of Independent States, which includes Russia among others."

An Atlantic Council session on dark money and sanctions enforcement.

Yesterday the Atlantic Council held a long interview with US Senator Sheldon Whitehouse (Democrat of Rhode Island) on the challenges of enforcing sanctions against those who use "dark money." The dark economy is made up of difficult-to-trace funds held by criminals, oligarchs, tax evaders, and others who wish to shield their wealth from hostile scrutiny.

The Atlantic Council's Julia Friedlander asked him why the dark economy was, as the Senator claimed, a national security challenge as opposed to a law enforcement problem, an issue of tax evasion. Senator Whitehouse framed his answer in terms of a "clash of civilizations," where the contending civilizations represented what he called "rule-of-law countries" and "non-rule-of-law countries." These map, in a rough-and-ready way, to democracies and authoritarian states respectively, with Vladimir Putin's Russia being the leading non-rule-of-law regime. Since dark money is laundered through and cached in rule-of-law countries (especially, Senator Whitehouse said, the US and the UK), "We’re giving a lot of aid and comfort to our enemies. The enemies are hiding their gains as dark money."

Senator Whitehouse sees an attack on the dark economy as essential to constraining the Russia of President Putin, who "enables and has in turn been enabled by a crew of corrupt oligarchs. That little cabal we need to disrupt. They led to the invasion of Ukraine. Disrupting them will put pressure on Putin."

There's been resistance to doing something about dark money prompted by reflexive private-sector resistance to regulation and public-sector protectiveness about agency equities, but Senator Whitehouse says he's seen considerable recent progress in overcoming both. “It’s not a do-gooder thing," he said. "It’s a national security thing.” He would like to see more involvement of the Intelligence Community, and he hopes for passage of legislation that would enhance Executive authority to take preemptive action that would "seize or freeze" illicit foreign assets at once, and then work through the time-consuming legal forfeiture process. We should try, he argued, to make it as unacceptable to run opaque financial systems as it is to use child labor.