The UK’s Ministry of Defence continues to track Russia’s shift of its forces into Ukraine, as troops formerly occupying Georgia have been redeployed. “Russia is redeploying elements of its forces from Georgia to reinforce its invasion of Ukraine. Between 1,200 and 2,000 of these Russian troops are being reorganised into 3 x Battalion Tactical Groups.” That doesn’t seem to have been part of the force generation plan. “It is highly unlikely that Russia planned to generate reinforcements in this manner and it is indicative of the unexpected losses it has sustained during the invasion.” Syrian mercenaries are also arriving in Russia. The New York Times reports that the first contingent numbers about three hundred, which is roughly what’s thought to be the strength of Belarusian volunteer units the Washington Post says are fighting on Ukraine’s side.
Conscripts and volunteers distinguished.
Another so far largely untapped source of manpower is the draft, and yesterday President Putin signed the order for the regular spring conscription round. 134,500 young men will be called up for a mandatory year of military service, but the Russian government says they won’t be sent into combat. This is not as odd as it may seem. Russia draws a sharp distinction between volunteers (“contract soldiers”), who make up about 40% of its army, and conscripts, who comprise the remainder. Contract soldiers are the ones destined for combat; draftees would be used only under extraordinary circumstances. The distinction can’t be good for cohesion in the total force, but it’s well-established in Russian practice. Contract soldiers are not to be confused with mercenaries, like those in deniable private military companies like the Wagner Group. There have been reports of conscripts committed to combat in Ukraine, but the Russian Ministry of Defense says these are outliers, either soldiers deployed by mistake, or soldiers serving in rear area support organizations who became casualties in Ukrainian strikes.
Russia complains that Ukrainian attack helicopters hit an oil storage facility inside Russia.
Russia claims, and Ukraine neither confirms nor denies, that a predawn raid by Ukrainian attack helicopters into Russia destroyed an oil storage facility in Belgorod. And why shouldn’t they? Russia seems to be spinning the incident as evidence of Ukrainian aggression (the Wall Street Journal quotes Kremlin mouthpiece Dmitry Peskov as saying, “This is not something that can be perceived as creating comfortable conditions for the continuation of negotiations”) but that story will be difficult to sell internationally. An oil storage facility is a legitimate military target, and there’s no particular legal or moral reason an invading power should consider its own territory sacrosanct and immune from attack.
Command difficulties in Mr. Putin’s war.
Senior US officers tell the New York Times that they’ve been unable to identify a commander on the ground who’s running Russia’s war in Ukraine. This has led them to think that operations are being run directly from Moscow, by a small group of individuals believed to include President Putin, Defense Minister Shoigu, and General Staff Chief Gerasimov. Of the three, only General Gerasimov is a professional soldier, but the challenges such a command arrangement poses aren’t entirely issues of professional background. Simple distance is a problem: operational control is difficult to exercise from a distance of 500 miles, and tactical control is simply impossible. And command doctrine also presents its own problems: a strongly top-down system that relies upon detailed orders as opposed to effective (and truthful) communication of intent will inevitably be rigid and unable to adapt to friction on the ground.
Extensive internal censorship isn’t conducive to sound operational thinking, either. The Kremlin is also paying a price for the information control regime the Wilson Center describes. It can, and may already have, resulted in a kind of self-induced blindness that traps decision-makers inside the picture that their (frightened, subservient) subordinates paint for them.
Russia isn’t the only interested party to find itself encumbered with senior leaders who’ve been found wanting. The BBC reports that General Eric Vidaud, head of French military intelligence, is being removed from his post, apparently over failure to correctly anticipate Russian action against Ukraine. And in Ukraine itself, President Zelenskyy has stripped two generals of their rank, apparently on grounds of disloyalty. One of the officers so demoted, the Wall Street Journal reports, is the former head of internal security in the Security Service of Ukraine. Brigadier General Andriy Naumov “fled” the country shortly before the Russian invasion, and has been in the wind, in parts unknown, ever since.
Attempting to evolve rules of cyber conduct during a hot hybrid war.
A meeting this week of the United Nations’ “open-ended working group for security and the use of information and communications technologies,” a body established some time ago at the instigation of Russia, continued its deliberation concerning international norms of conduct in cyberspace. Bloomberg says the sessions were dominated by sharp Western criticism of Russian cyber aggression and misconduct and Russian rejoinders to the effect that it, and nobody else, is really the injured party in cyberspace. Vladimir Shin, the Russian representative, said that accusations of Russian cyber offensives were “completely unfounded,” and that he was confident he spoke for “the silent majority.”
The technique of unlikely insistence was also seen earlier this week in a statement issued by Russia’s Ministry of Foreign Affairs. Remarkable for mendacity even by the low standards of Russian diplomacy, it’s worth quoting in full as a distillation of Moscow’s talking points about its hybrid war:
“In the context of the special military operation launched to defend the Donetsk and Lugansk people’s republics and to demilitarise and denazify Ukraine, the United States and its satellites are waging a large-scale cyberattack against Russia. Advanced information and communication technologies are being used almost every day to attack government agencies, media outlets, critical infrastructure and vital facilities. The Kiev regime has announced international recruitment of anti-Russia IT professionals into “offensive cyber forces.” Daily malicious attacks against Russia number hundreds of thousands.
“Sophisticated cyber technologies are being used to capture the personal data of Russian citizens. A lot of fake news are posted online to disorient and demoralise Russian society, discredit the actions of the Russian Armed Forces and government agencies, encourage unlawful activities of the public, complicate the operation of our industrial sectors and sow fear and instability in the country.
“The unprecedented scale of these attacks and their close coordination clearly indicate that the cyberwar waged against Russia by Ukrainian special ICT operations centres trained by US and other NATO experts is being reinforced with anonymous hackers and trolls acting on orders from the Kiev regime’s Western mentors. In fact, this cyberwar is being waged by an army of cyber mercenaries who have been given concrete combat tasks that often border on terrorism.
“Concerned Russian agencies are effectively fighting back and repelling these attacks. The task of strengthening ICT security in the current conditions is becoming a priority aspect of reliably ensuring national security. Efforts will be redoubled at international venues, first of all at the UN, to promote relevant initiatives. Work will continue to strengthen the legal protection of Russian individuals and legal entities from malicious foreign cyber activities.
“Nobody must have any doubt that the cyber aggression being waged against Russia will have dramatic consequences for its inspirers and operators. The sources of these attacks will be identified, and the culprits will inevitably be called to account for their activities in accordance with the law.”
Alas, the only culprits likely to be called to account by Russia are those of its own citizens who run afoul of Roskomnadzor and the security organs.
In truth there are indeed hacktivists (or “anti-Russian IT professionals,” as Moscow puts it) working against Russia and in sympathy with Ukraine’s cause. Some of their activities are risky, posing as they do an implicit threat to software supply chains. Checkmarx describes more protestware, open-source code written to make an ancillary point (Russia get out, stop the war, down with Putin, etc.) in addition to performing its other functions. The latest protestware, like its predecessors, was found in two NPM packages widely used by developers, “styled-components” and “es5-ext.” The protestware is written with features intended to prevent it from executing anywhere other than on Russian devices, but it’s wishful thinking to assume that the safeguards will always and everywhere work as intended.
Waiting for major Russian cyber operations.
The widespread and damaging Russian cybercampaign against Ukrainian and Western targets that’s been widely expected has yet to appear, although Russian operators have maintained at least a continuous nuisance level of attacks against Ukrainian networks. But Western authorities continue to warn that such attacks are likely, and that organizations should prepare to withstand them. The US Cybersecurity and Infrastructure Security Agency’s (CISA) Shields Up alert is representative. The Register, talking to private sector experts, notes that Russian cyberattacks have increased over the past month, and that industry sees itself as having a narrow window in which it can improve its resilience to such attacks. ExtraHop CEO Patrick Dennis told the Register that he expects the rising effects of sanctions to increase the likelihood that Russia will retaliate in cyberspace against economic warfare it’s unable to counter in other ways.
Viasat terminals were hit by wiper malware.
SentinelLabs researchers have concluded that Russian wiper malware, specifically a variant they call AcidRain, was deployed against Viasat modems, and Viasat has substantially confirmed SentinelLabs’ analysis. “AcidRain is an ELF MIPS malware designed to wipe modems and routers,” the researchers explain. “We assess with medium-confidence that there are developmental similarities between AcidRain and a VPNFilter stage 3 destructive plugin. In 2018, the FBI and Department of Justice attributed the VPNFilter campaign to the Russian government.” AcidRain is the seventh wiper deployed against Ukraine since the beginning of its hybrid war, the others being WhisperKill, WhisperGate, HermeticWiper, IsaacWiper, CaddyWiper, and DoubleZero. The Viasat attack is noteworthy because it alone had significant spillover into operations outside Ukraine proper. It’s regarded as the most serious cyberattack of Russia’s war so far, and the most likely suspect is the GRU’s Sandworm APT.
Additional US Treasury sanctions.
The US Treasury Department yesterday announced new sanctions against Russian actors implicated in the war against Ukraine:
“Today, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) is continuing to impose severe costs on the Russian Federation for its unprovoked and unjustified war against Ukraine by targeting operators in the Russian technology sector to prevent it from evading unprecedented multilateral sanctions and procure critical western technology. OFAC is designating 21 entities and 13 individuals as part of its crackdown on the Kremlin’s sanctions evasion networks and technology companies, which are instrumental to the Russian Federation’s war machine. Treasury has also determined that three new sectors of the Russian Federation economy are subject to sanctions pursuant to Executive Order 14024 (E.O. 14024). This allows Treasury [to] impose sanctions on any individual or entity determined to operate or have operated in any of those sectors. Today’s sanctions are a part of the Administration’s comprehensive response to Russia’s to restrict their access to resources, sectors of their economy that are essential to supplying and financing the continued invasion of Ukraine.”
The concentration on Russian sanctions-evasion networks, several of which involve connections through shell companies to front corporations based abroad, is striking, but Treasury is also including those responsible for earlier cyberattacks, notably the Triton attack against a Saudi petrochemical plant. It singles out the State Research Center of the Russian Federation (FGUP) Central Scientific Research Institute of Chemistry and Mechanics (Russian acronym “TsNIIKhM”) for particular mention as the source of the tools used in the Triton attack.
“Today, OFAC is taking further action against key TsNIIKhM employees who were present at the time of the attack. On March24, 2022, the Department of Justice unsealed the indictment of Evgeny Viktorovich Gladkikh (Gladkikh), who is an employee in TsNIIKhM’s Applied Development Center (ADC). Gladkikh is involved in ICS and supervisory control and data acquisition (SCADA) research and has extensive experience working network exploitation and penetration testing.
“Since at least 2017, ADC employees, including Gladkikh, prepared, supported, conducted, and conspired to conduct computer intrusions using ADC resources that targeted the energy facilities in the United States and elsewhere. Gladkikh, along with other TsNIIKhM and ADC employees, played a crucial role in the August 2017 Triton malware cyber-attack, specifically targeting the petrochemical facility’s safety instrumented systems, seeking to disrupt the facility’s cybersecurity systems, as well as the facility’s distributed controls systems. Gladkikh’s malicious cyber actions resulted in the facility undergoing an emergency shutdown on at least two occasions.”
Two executives are also being placed on OFAC’s list: Sergei Alekseevich Bobkov, TsNIIKhM’s General Director, and Deputy General Director Konstantin Vasilyevich Malevanyy.
The US Rewards for Justice program is particularly interested in Mr. Gladkikh, and is offering up to $10 million for information concerning the whereabouts of Evgeny Viktorovich.