Ukraine at D+39: Pivot to the Donbas and the Black Sea.
Apr 4, 2022

Russia's retreat into a pivot to the Donbas and the Black Sea coast leaves atrocities in its wake. Sanctions are likely to become tighter. Tactical ineptitude and slovenly security remain hallmarks of the Russian army's special military operation.

News of Russia's war against Ukraine is dominated, as the week opens, by accounts of atrocities that have come to light as Russian forces retreat from areas they'd occupied in the northern parts of the country around the capital.

An appreciation of the situation on the ground.

The UK's Ministry of Defence (MoD) sees a shortfall in Russian ability to suppress Ukrainian air defenses. "Over the last week, there has been a concentration of Russian air activity towards south eastern Ukraine, likely a result of Russia focusing its military operations in this area," the MoD tweeted. "Despite ongoing Russian efforts to diminish Ukrainian air defence capability, Ukraine continues to provide a significant challenge to Russian Air and Missile operations. As a result, Russian aircraft are still vulnerable to short and medium range air defence systems. Russia’s inability to find and destroy air defence systems has seriously hampered their efforts to gain broad control of the air, which in turn has significantly affected their ability to support the advance of their ground forces on a number of fronts." Suppression of enemy air defenses (SEAD) is an important, foreseeable mission, and it seems to be another one Russian planning either overlooked or took for granted.

Sunday morning's MoD situation report concentrated on the Black Sea. "Russian naval forces maintain their distant blockade of the Ukrainian coast in the Black Sea and Sea of Azov, preventing Ukrainian resupply by sea. Russia still retains the capability to attempt an amphibious landing but such an operation is likely to be increasingly high risk due to the time Ukrainian forces have had to prepare." (A distant blockade is one in which the blockading warships stay well off the coast, normally over the horizon from the shore.) Someone, it's not clear who, has laid mines in the Black Sea. "Reported mines within the Black Sea pose a serious risk to maritime activity. Though the origin of such mines remains unclear and disputed, their presence is almost certainly due to Russian naval activity in the area and demonstrates how Russia's invasion of Ukraine is affecting neutral and civilian interests."

Russia has shifted its efforts to the Black Sea coast and the Donbas. The MoD reported last night that, "Heavy fighting has continued in Mariupol as Russian forces attempt to take the city. The city continues to be subject to intense, indiscriminate strikes but Ukrainian Forces maintain a staunch resistance, retaining control in central areas. Mariupol is almost certainly a key objective of the Russian invasion as it will secure a land corridor from Russia to the occupied territory of Crimea." Odessa, Ukraine's principal port, also came under fire on Sunday, AFP reports. A Russian Ministry of Defense statement said "This morning, high-precision sea and air-based missiles destroyed an oil refinery and three storage facilities for fuel and lubricants near the city of Odessa, from which fuel was supplied to a group of Ukrainian troops in the direction of Mykolaiv." Ukrainian sources report damage but no casualties.

This morning's update noted the Wagner Group's arrival in the Donbas, where the Russian army hopes to redress its failure elsewhere in the northern and eastern parts of Ukraine: "Russian forces are continuing to consolidate and reorganise as they refocus their offensive into the Donbas region in the east of Ukraine. Russian troops, including mercenaries from the Russian state-linked Wagner private military company, are being moved into the area."

Evidence of atrocities as Russian forces retreat from Kyiv.

The Telegraph, the Washington Post, the Guardian, the New York Times, the Associated Press, Time, and Newsweek, among others, report that large numbers of civilian dead were left behind by Russian forces as they retreated from the regions around Kyiv. British Prime Minister Boris Johnson's statement this Sunday about the atrocities in Bucha and elsewhere is both representative of official international reaction and worth quoting in full:

"Russia’s despicable attacks against innocent civilians in Irpin and Bucha are yet more evidence that Putin and his army are committing war crimes in Ukraine.

"No denial or disinformation from the Kremlin can hide what we all know to be the truth – Putin is desperate, his invasion is failing, and Ukraine’s resolve has never been stronger.

"I will do everything in my power to starve Putin’s war machine. We are stepping up our sanctions and military support, as well as bolstering our humanitarian support package to help those in need on the ground.

"The UK has been at the forefront of supporting the International Criminal Court’s investigation into atrocities committed in Ukraine, and the Justice Secretary has authorised additional financial support and the deployment of specialist investigators – we will not rest until justice is served."

Official Russian sources deny killing civilians. The atrocities, the Kremlin says, are provocations staged by the Ukrainian government. The official denial seems to have found few takers internationally, but RT reports that Russia is "scrambling" (as in scrambling interceptors, presumably) the UN Security Council today to address the crisis in Bucha. RT quotes a Telegram post by Russia's deputy permanent representative to the United Nations, Dmitry Polyansky, who described the situation as follows: “In light of the blatant provocation by Ukrainian radicals in Bucha, Russia has demanded a meeting of the UN Security Council to be convened on Monday, April 4. We will bring to light the presumptuous Ukrainian provocateurs and their Western patrons."

As senior members of the Russian government (including President Putin) are increasingly called "war criminals" (former International Criminal Court war crimes prosecutor Carla del Ponte's characterization is typical of informed international reaction to Russia's conduct of its war), TASS is authorized to disclose that "Russian Investigative Committee investigators have questioned more than 12,000 evacuees from the Donetsk and Lugansk people’s republics and recognized as victims of abuse nearly 9,000 of them, the IC’s press-service said on Friday following an on-site meeting IC chief Alexander Bastrykin held in Rostov-on-Don." Thus in Moscow's view the war criminals are Ukrainians (along with their patrons in London, Washington, etc.).

Reuters is direct in its reporting: the wire service's reporters in Bucha saw clear evidence of Russian atrocities after the Russian army retreated from the town.

Reports of atrocities prompt European consideration of additional sanctions.

Citing "clear indications" of Russian atrocities, French President Macron this morning said that further sanctions were in order, France24 reports. In this he joined earlier calls for more sanctions issued over the weekend by German and Italian leaders, who have asked for talks on expanded sanctions in response to the atrocities. Germany in particular had been hesitant about pursuing a comprehensive ban on Russian energy imports, and Berlin's Economy Minister Robert Habeck said that, while an immediate embargo of oil and gas is not feasible, Germany in particular and Europe as a whole should eliminate its dependence on Russian energy as soon as possible. He added that progress in that direction had been "surprisingly swift." “This is the right way to go and one that damages Putin every day,” he told reporters. Defense Minister Christine Lambrecht said that the EU would have to discuss banning the import of Russian gas. "There has to be a response," she said. "Such crimes must not remain unanswered." The European Union is considering additional sanctions and is thought likely to enact them this week, but so far at least, according to Reuters, such sanctions packages won't include measures against energy imports.

While some gas continues to flow to the EU, Russia's energy exports have on balance already been significantly curtailed by sanctions, and one customer at least is benefiting. Bloomberg reports that China is preparing to step up to buy deeply discounted Russian natural gas that other countries have shunned.

Doxing: official and hacktivist.

The Main Intelligence Directorate of the Ukrainian Ministry of Defense has released what appears to be personal information on 620 people it claims are FSB officers working on Russia's war against Ukraine. The data exposed included names, phone numbers, addresses, vehicle license plates, SIM cards, date and location of birth, signatures, and passport numbers. Security Affairs points out that the authenticity of the data can't be confirmed.

Hacktivists associated with the Anonymous collective tweet that they've succeeded in doxing the Russian Orthodox Church. "Hackers leaked 15GB of data stolen from the Russian Orthodox Church's charitable wing & released roughly 57,500 emails via #DDoSecrets," Anonymous TV said. "#DDoSecrets noted that due to the nature of the data, at this time it is only being offered to journalists & researchers."

Informants report Russians who lack enthusiasm for Mr. Putin's war.

Telephone tip hotlines, websites, and Telegram channels have been established to encourage and enable "good citizens" to report those whom President Putin has described as "traitors." The Telegraph observes that it would be inaccurate to conclude the denunciations were explicable purely in terms of state pressure. The paper quotes OVD-Info, which the Telegraph describes as a "Russian human rights organization," to the effect that such denunciations arise also from a broad popular base of support, and an informant culture where the spirit of Pavlik Morozov still enjoys some persistence: "The denunciations are not just coming from pressure from the state. Ordinary people are getting involved in the repression too. This is being driven by ordinary Russians."

Possible Chinese cyber operations against Ukraine at the outset of Russia's war?

The Times reported late Friday that "More than 600 websites belonging to the defence ministry in Kyiv and other institutions suffered thousands of hacking attempts," and that "the campaign was co-ordinated by the Chinese government." The Times attributes its story to sources in Ukraine's SBU, but the SBU has since denied any knowledge of such a Chinese operation, the Guardian reports. “The SBU has nothing to do with the findings of the Times. The Security Service of Ukraine does not currently have such data and no investigation is underway,” Kyiv's security service said. The Guardian also says that Britain's NCSC is investigating the claims: “The National Cyber Security Centre is investigating these allegations with our international partners.” While it's possible that China might have rendered some intelligence support to Russia during the run-up to the war, any Chinese cyberespionage operations that might be confirmed could equally well represent ordinary collection against targets in an international hotspot.

Cyber Front Z: a Russian influence troll farm.

Vice describes Cyber Front Z, a troll farm that hires "social commentators, spammers, content analysts, programmers, IT specialists, and designers" to run social media posts and other comments intended to advance Moscow's line concerning its war against Ukraine, and to do so at scale, with fake personae deployed to give the impression of a mass movement. Cyber Front Z's home base and public face is on Telegram, but its trolls operate in other media. It's noteworthy that the Front's operators need to "fire up their VPNs" to gain access to other, largely blocked, social networks, and also noteworthy that the VPNs themselves are currently in bad odor with the Kremlin, wary as it is of the VPNs' reputation for anonymous circumvention of censorship.

Some Russian influence operations are more tightly focused. Vice reports elsewhere that the Security Service of Ukraine (SBU) last week exposed a bot farm operating out of Dnipropetrovsk but, according to the SBU, remotely controlled from Russia. The bots were smishing Ukrainian soldiers with resistance-is-futile texts. "The outcome of events is predetermined! Be prudent and refuse to support nationalism and leaders of the country who discredited themselves and already fled the capital!!!" the texts said, with the triple-exclamation point emphasis in the original. The guy in whose apartment they found the trolls' server said he had no idea what was going on.

Western organizations remain on alert for a Russian cyber campaign.

Massive cyberattacks of the kind widely expected have yet to materialize, but Western intelligence services continue to warn that Russia can be expected to be keeping its options open in this respect. US Deputy National Security Advisor Anne Neuberger told NPR Friday, "We continue to see evolving intelligence, as we talked about last week, that the Russian government is exploring options. And we continue to, most importantly, double down in working closely with the private sector to share that sensitive threat intelligence and really try to create the urgency for action and the call to action to put in place the cybersecurity measures that would prevent that from being successful." She cautioned that there was no specific intelligence that such an attack was imminent, but that the private sector should take steps to increase its resilience should such attacks take place.

Neuberger noted that Russian scanning for vulnerabilities is being observed, and that, while such scanning is common (and not confined to Russia), the current war makes it prudent to take protective measures.

Warnings are also coming from the private sector. CyberCube advises insurance companies to give their exposure to cyber risk close attention, Insurance Journal reports, and Pre-Employ warns that remote work increases a business's risk of cyberattack.

Known Russian threat actors have been active in the theater of operations. Researchers at Malwarebytes report:

"UAC-0056 also known as SaintBear, UNC2589 and TA471 is a cyber espionage actor that has been active since early 2021 and has mainly targeted Ukraine and Georgia. The group is known to have performed a wiper attack in January 2022 on multiple Ukrainian government computers and websites.

"Earlier in March, Cert-UA reported UAC-0056 activity that targeted state organizations in Ukraine using malicious implants called GrimPlant, GraphSteel as well as CobaltStrike Beacon. Following up with that campaign, SOCPRIME and SentinelOne have reported some similar activities associated with this actor.

"In late March, the Malwarebytes Threat Intelligence Team identified new activity from this group that targeted several entities in Ukraine, including ICTV, a private TV channel. Unlike previous attacks that were trying to convince victims to open a url and download a first stage payload or distributing fake translation software, in this campaign the threat actor is using a spear phishing attack that contains macro-embedded Excel documents. In this blog post, we provide a technical analysis of this new campaign."

Data breaches and OSINT.

Unsecured Russian tactical communications appear to remain an important source of detailed information on the movements and condition of Russian units. Wired describes the intercepts and what they reveal.

The Verge reports that Yandex Food, a food-delivery subsidiary of the Russian Internet giant Yandex and (roughly speaking) Russia's equivalent of GrubHub or DoorDash, disclosed in early March that it had sustained a data breach that exposed customer information. The company blamed "the dishonest actions of an employee" for the leak, and reassured customers that their login credentials and payment information, at least, weren't compromised. About 58,000 diners were affected, and Roskomnadzor isn't happy. According to Reuters the information regulator has "restricted access to an online map that appeared on March 22 where the names, phone numbers and addresses of Yandex.Eda customers was exposed, and said Yandex faced a fine of up to 100,000 roubles ($1,020)." There's also woofing about a class action suit on behalf of injured diners.

The fine may be risibly low, but the data are interesting. Bellingcat has sifted through them and found that a lot of deliveries go to military and intelligence personnel. The GRU seldom appeared in the data, but the FSB was well-represented. Maybe the GRU has better opsec than its sister organ, or perhaps the military intelligence types just tend to brown-bag it. The data exposed betrayed both identities and, indirectly at least, affiliations. Particularly interesting are the instructions the purchasers gave the delivery people on how to get through the various checkpoints with the blini and kvass. “Go up to the three boom barriers near the blue booth and call. After the stop for bus 110 up to the end.” Or, as another diner wrote on his (her?) order, “Closed territory. Go up to the checkpoint. Call [number] ten minutes before you arrive!”

Well, what are you gonna do, droog? It's not like you can just walk over to McDonald's for that Happy Meal anymore.