Today's D Brief: Russians fall back near Kharkiv; Army updates cyber training; Albania calls out Iran; Oath Keepers in the military; And a bit more.

Ukraine’s counteroffensive seems to be making surprising progress against Russian invaders sprawled along a roughly 50-kilometer stretch southeast of Kharkiv. That’s according to the Wall Street Journal’s roving correspondent, Yaroslav Trofimov, who is watching the “Balakliya-Izyum front as Russian military bloggers and analysts remain in doomsday mode,” he tweeted Wednesday morning. 

“Lots of videos of Russian POWs (including a lieutenant-colonel) and abandoned Russian positions” coming from that region, he writes, and notes, “The speed of the Ukrainian advance seems to have stunned everyone.” Russia also appears to be losing trucks and tanks at a familiar rate, almost akin to its failed sprint to Kyiv nearly six months ago. 

So, what’s the plan for Ukraine? Unclear precisely, of course. But analysts like Rob Lee point to this illustrated summary, which suggests perhaps obvious northeasterly intentions to break through Russian lines. (Lee started a tweet thread with updates related to the apparent offensive, and you can review that here.) 

The Brits say three main fronts are receiving the bulk of the action nationwide. That is, “in the north, near Kharkiv; in the east in the Donbas; and in the south in Kherson Oblast.” And those three pressure points are very likely posing problems for Russian officers trying to decide where to allocate reserves to support an offensive in the Donbas, “or to defend against continued Ukrainian advances in the south.” That suggests Ukraine’s recent progress is pinching Russian commanders in a fairly efficient manner. 

Ukraine says it’s killed dozens of Russian military contractors around Kharkiv. “Individual units count more than 40 percent seriously wounded and killed,” according to the daily report from Ukraine’s general staff, which noted that, “The bodies of many of the dead have not been identified and are counted as missing.” Ukrainian officials also say they shot down a Russian Ka-52 helicopter, which is possible; but folks like Lee aren’t quite convinced.

The International Atomic Energy Agency released its plan to safeguard Ukraine’s most imperiled nuclear facility, which Russian troops have forcibly occupied since the first days of the invasion. To begin, the plan calls for “the immediate establishment of a protection zone,” the IAEA’s Director General Rafael Mariano Grossi explained in a carefully-worded tweet thread Tuesday, shortly after the report’s release (PDF, here). 

A second opinion: Analysts at the Institute for the Study of War call the IAEA’s report “a coded condemnation of Russian moves that have created and are perpetuating the danger of nuclear disaster in Ukraine.”

  • By the way, the U.S. Air Force just tested an ICBM with three test re-entry vehicles, according to U.S. Strategic Command

Meanwhile in Washington, D.C., the Pentagon's top weapons buyer says the U.S. military needs to sign multiple-year contracts for bombs and missiles. Bill LaPlante, speaking Wednesday morning at the Defense News conference, said buying weapons in this way would incentivize companies to invest in factories. Follow our colleague Marcus Weisgerber on Twitter for the latest on that front. 

On the cyber front, Google says a cluster of hackers appears to be newly directing its attention at Ukraine, and their “activities seem closely aligned with Russian government-backed attackers.” At least some of these hackers appear to be “former members of the Conti cybercrime group repurposing their techniques to target Ukraine,” Google says. 

One of the delivery methods appears to have used Excel spreadsheets sent as attachments. Other “phishing emails were impersonating the National Cyber Police of Ukraine and contained a download link, urging targets to download an update for their operating system.” Read more, here.

Apropos of nothing: This week we learned one of the chief torch-bearers for what’s been called postcolonial literature, Joseph Conrad, was born in Ukraine. (Noting because we’re re-reading “Heart of Darkness” this week after a two-decade hiatus from Conrad’s work; you can join us for free, via Project Gutenberg, here.)

Related reading: 

From Defense One

Army Updates Cyber Training After Some Graduates Weren’t Ready for Their Jobs // Lauren C. Williams: New classes and updated curriculum reflect evolving threats and lessons from the Ukraine war.

The Air & Space Brief // Jacqueline Feldscher: Space Command needs smarter satellites; The plan to buy wingman drones this decade; THC-positive recruits could get waivers to join. 

Election-Security Efforts Largely Successful, CISA Official Says // Edward Graham: CISA leader says public-private partnerships, better resource sharing are warding off threats to voting systems.

Welcome to this Wednesday edition of The D Brief, brought to you by Ben Watson and Jennifer Hlad. If you’re not already subscribed to The D Brief, you can do that here. And check out other Defense One newsletters here. On this day in 1776, the first documented submarine attack occurred near Governor’s Island, in the New York harbor. American soldier Ezra Lee attempted to creep up on British ships in a rudimentary submersible known as the Turtle; his goal was to affix bombs to British ships under the cover of darkness in the early morning. But for a variety of reasons, the attack ultimately failed, as George Washington himself acknowledged, despite referring to it as “an effort of genius.” 

Join us: Defense One’s State of the Army virtual event begins at 11 a.m. with a conversation with Army Chief Gen. James McConville. The events continue with a preview of Project Convergence from Lt. Gen. Scott McKean—deputy commanding general of Army Futures Command—at 11:48, and also features a panel discussion on lessons learned from the Ukraine war, beginning at 12:32. Register here for the event (it’s free!).  

A bold new cyber precedent may be taking shape from the southern edge of NATO. Officials in Albania just severed diplomatic relations with Tehran following a recent alleged Iranian ransomware attack in mid-July—a hack-and-leak attack that analysts at the cybersecurity firm Mandiant say appears to illustrate Iran’s “increased tolerance of risk,” especially since Albania is a member of the 30-nation NATO alliance. Some parts of the malware deployed in July appear to have an operational history going back 10 years, to the first Iranian-attributed cyber espionage campaign.

“In cooperation with specialized partner agencies against cyber terrorism,” Albanian Prime Minister Edi Rama said in a statement Wednesday, “it was confirmed that, first, without a shadow of doubt, the July 15 attack on Albania was not an individual operation or a concerted action by independent criminal groups, but a State-sponsored aggression.” Those investigations “provided us with indisputable evidence that the cyberattack against our country was orchestrated and sponsored by the Islamic Republic of Iran,” Rama said. And the available evidence points to “the engagement of four groups that enacted the aggression—one of them being a notorious international cyber-terrorist group, which has been a perpetrator or co-perpetrator of earlier cyberattacks targeting Israel, Saudi Arabia, UAE, Jordan, Kuwait, and Cyprus.”

And that’s why “The Council of Ministers has decided on the severance of diplomatic relations with the Islamic Republic of Iran with immediate effect,” Rama said, and clarified that this means “all the diplomatic, technical and administrative, and security staff [must] leave within 24 hours the territory of the Republic of Albania.”

Prime Minister Rama acknowledged this may seem to be an “extreme response,” but it’s “one that is unwanted but totally forced on us,” as well as being, from Albania’s perspective, “fully proportionate to the gravity and risk of the cyberattack that threatened to paralyze public services, erase digital systems and hack into State records, steal Government intranet electronic communication, and stir chaos and insecurity in the country.”

This is “one of the strongest diplomatic responses to cyberattacks I've ever seen,” wrote John Hultquist of the cybersecurity firm Mandiant, on Twitter. (Mandiant released its own report in early August that detailed the attack and how they arrived at Iran as the most likely culprit, here.) Cyber wonk Dmitri Alperovitch concurred, calling it “For sure the strongest official response to a cyberattack ever.”

White House POV: Iran must “be held accountable for this unprecedented cyber incident,” National Security Council Spokesperson Adrienne Watson said in a statement Wednesday. “Albania views impacted government networks as critical infrastructure,” she continued. “Malicious cyber activity by a State that intentionally damages critical infrastructure or otherwise impairs its use and operation to provide services to the public can have cascading domestic, regional, and global effects; pose an elevated risk of harm to the population; and may lead to escalation and conflict.”

“The United States will take further action to hold Iran accountable for actions that threaten the security of a U.S. ally and set a troubling precedent for cyberspace,” Watson vowed, though she stopped short of elaborating. Read on, here.

What are some steps your organization should take to reduce the likelihood of ransomware incidents? Multiple U.S. federal agencies just teamed up to put their advice in one place. Read over it yourself, or send your IT directors to review the findings right here.

Some of the recommendations include: 

  • Maintain offline backups of data;
  • Review the security posture of third-party vendors;
  • Document and monitor external remote connections;
  • Mandate multi-factor authentication, and more.

Lastly: This week we learned there are more than 115 members of the U.S. military in the Oath Keepers, which was one of the three main anti-government extremist groups involved in the insurrection at the U.S. Capitol. That number is from a new report by the Anti-Defamation League, which sorted through a Sept. 2021 database leak whose contents appear to have revealed that elected officials, law enforcement officers, military members, and first responders are among more than 38,000 names of registered members.

Overall, “More than 600 people from the Oath Keepers data leak were found to work in [those four public service] professions” listed above, the authors warn in their report—which is entitled, “Unmasking Extremism in Public Life.”

“When accounting for members of the armed forces, Virginia has the most,” including 15 in the military, and another six in law enforcement. California is second behind Virginia, in terms of military numbers (12); Texas ranks third, with 10 in the military; and North Carolina is next with nine.

When it comes to law enforcement, New York takes the cake with 45 members; Texas comes second at 33, followed by California again (consistent with state size) with 24. Review the data on your own, parsed state by state, here.
Related reading: