As Russia’s aggression in Europe heats up, the Atlantic Council’s Digital Forensic Research Lab (DFRLab) is keeping a close eye on Moscow’s movements across the military, cyber, and information domains. With more than five years of experience monitoring the situation in Ukraine, as well as Russia’s use of propaganda and disinformation to undermine the United States, NATO, and the European Union (EU), DFRLab’s global team presents the latest installment of the Russian Hybrid Threats Report.
Russia: Tanks and artillery pieces on the move
Russia: Lavrov demands Romania and Bulgaria leave NATO
Ukraine: Russia threatens to recognize Donetsk and Luhansk as independent states
Ukraine: Cyberattacks and data breaches
Ukraine: Narratives of empty shelves and “witch hunts”
Germany: Kremlin outlets exploit resignation of navy chief
Belarus: Open-source evidence of new troop movements and military equipment
Belarus: Unconfirmed reports of “cyber-partisans” disrupting railway networks
The Baltic states and Poland: Kremlin narratives claim NATO is the actual aggressor
Georgia: Political groups push closeness with Russia
Russia: Tanks and artillery pieces on the move
Footage emerged on January 22 of T-80U main battle tanks parked outside Maslovka train station. Maslovska is located not far from the Pogonovo training grounds, less than three hundred kilometers from the Ukrainian border. The new video appears to correspond with eyewitness footage from several days earlier showing tanks and rocket artillery departing a train station adjacent to the 4th Tank Division base in Naro-Fominsk, not far from Moscow.
In the Siberian region of Tyumen, 2S7M 203mm Malka long-range artillery pieces were spotted moving westward by rail. The Malka has a range of thirty-seven to fifty-five kilometers.
—Michael Sheldon, DFRLab Research Assistant, Washington DC
Russia: Lavrov demands Romania and Bulgaria leave NATO
Russian Minister of Foreign Affairs Sergei Lavrov demanded on January 21 that NATO revert to its 1997 membership status agreement and expel member states Romania and Bulgaria. “We are talking about the withdrawal of foreign forces, equipment, and weapons,” Lavrov said, calling upon NATO to “return to its configuration as of 1997.” The next day, multiple Kremlin-controlled media outlets reported that Romania, Bulgaria, and NATO refused to comply with the demand.
—Nika Aleksejeva, DFRLab lead researcher, Riga, Latvia
Ukraine: Russia threatens to recognize Donetsk and Luhansk as independent states
On January 19, the Russian Communist Party submitted a draft resolution to the Duma, proposing that parliament submit a request to President Vladimir Putin to recognize the breakaway Ukrainian regions of Donetsk and Luhansk as sovereign states. The resolution states that recognition of these regions is needed to protect their inhabitants “from external threats and the implementation of a policy of genocide.” In response to this resolution, Duma Chairman Viacheslav Volodin wrote on his Telegram channel that parliament members from the ruling United Russia party were also concerned with the issue of protecting the lives of Russian citizens and compatriots living in Donetsk and Luhansk, prompting Volodin to hold consultations with party leaders to discuss the resolution.
Bolstering discussions about Donetsk and Luhansk independence may be aimed at putting additional pressure on Ukraine to make concessions to Russia. If Putin decides to recognize these regions as sovereign states, it would put an end to the 2014 and 2015 Minsk peace agreements in which Russia participated as a mediator between Ukrainian government authorities and the self-proclaimed republics. Recognition of the two breakaway regions could also lay the groundwork for Russia to deploy additional military troops there. The Ukrainian defense ministry estimates that there are currently thirty-five thousand separatist fighters and two thousand Russian regular forces in Donetsk and Luhansk, according to Reuters, though Russia disputes those tallies. Recognition of these territories would also trigger additional Western sanctions against Russia.
In 2008, Russia recognized the independence of two Georgian breakaway regions, Abkhazia and South Ossetia. Six years later, Russia signed treaties with them that allowed the Kremlin to increase its military presence in the regions by ten thousand troops. Just as Abkhazia and South Ossetia present a challenge to Georgian aspirations to join NATO and the EU, Russian recognition of Donetsk and Luhansk could create similar obstacles when it comes to Ukrainian integration into Euro-Atlantic institutions. Moskovskiy Komsomolets, an independent newspaper with close ties to the Kremlin, reported that sections of the draft resolution to recognize Donetsk and Luhansk as independent states were lifted from the 2008 resolution to recognize Abkhazia and South Ossetia.
—Givi Gigitashvili, DFRLab research associate, Warsaw, Poland
Ukraine: Cyberattacks and data breaches
Ukraine’s Ministry of Digital Transformation indicated on January 16 that Russia might be behind a January 14 cyberattack that targeted multiple government ministries, including the Ministry of Foreign Affairs, State Emergency Services, and the Cabinet of Ministers. Analysts from Microsoft noted that the malware identified on Ukrainian systems was designed to make target devices inoperable, suggesting the full scope of the attack remains unknown.
On January 22, an account named FreeCivilian published a database alleged to contain the personal data of two million Ukrainians. The structure of the leaked files bear a similarity to data processes used by Diia, a government service provider that manages documents like passports and COVID-19 vaccination certificates. The Ministry of Digital Transformation, which manages Diia, said the leak contained old records and called it a provocation to undermine the Ukrainian government. The press secretary of the Ukrainian Cyber Alliance activist group disputed the ministry’s claim, however, stating that initial evidence suggests the data breach occurred within the last several months.
The exact nature of the data in the leak has not yet been verified, but it has been widely discussed in Ukrainian media, potentially further eroding public trust in the Ukrainian government’s handling of personal data.
—Roman Osadchuk, Research Associate, Kyiv, Ukraine
Ukraine: Narratives of empty shelves and “witch hunts”
On January 20, Ukrainian opposition Member of Parliament Oleksiy Honcharenko published a photo of empty shelves in a Kyiv supermarket on his Telegram channel and speculated that shops are selling out because a recent address by Ukrainian President Volodymyr Zelenskyy inspired fear rather than maintaining public calm. However, other factors were already leading to empty shelves, including supply-chain issues and concerns that prices will rise after a recent government decision to regulate food prices. Despite the complexity of the situation, the pro-Kremlin news outlets RIA FAN, Lenta, and RIA all amplified Honcharenko’s narrative.
On January 22, the UK Foreign Office released a statement indicating that Russia planned to install a pro-Kremlin government in Ukraine. The United Kingdom named Ukrainian politician Yevhen Muraev as one of the leading candidates and listed four other former Ukrainian officials who allegedly maintain ties to Russian intelligence services. Muraev rejected the allegations and said that Russia has denied him entry to the country for four years. Mikhail Podolyak, an advisor in the Zelenskyy administration, commented that the information in the report was not news for Ukrainians who understand the country’s political spectrum. Pro-Kremlin media and actors tried to downplay the UK statement by calling it a “witch hunt” and a disinformation campaign.
—Roman Osadchuk, Research Associate, Kyiv, Ukraine
Germany: Kremlin outlets exploit resignation of navy chief
German Navy chief Kay-Achim Schönbach resigned on January 22 after publicly stating that Ukraine would never get Crimea back and that Putin “probably” deserved respect. He later tweeted that his remarks reflected personal opinion rather than German policy. A defense ministry spokesperson said Schönbach’s remarks “in no way correspond to the position of the Federal Ministry of Defense.” Ukraine summoned the German ambassador to Kyiv to protest Schönbach’s comments.
Both Kremlin-owned and pro-Kremlin media outlets exploited the incident to quickly spread false and misleading claims. The outlets claimed that Schönbach’s remarks simply reflect reality and that his resignation is a result of US pressure on Germany. Pro-Kremlin outlets also added that Ukraine had nothing to do with the resignation because it is not an independent state.
Additionally, the DFRLab observed pro-Kremlin outlets reporting that ordinary Germans support Schönbach’s remarks. These articles cited “[online] comments by German readers” as the basis for their stories. This may be a Russian influence tactic that has been documented previously. An investigation by Cardiff University researchers in 2021 found that pro-Kremlin trolls attempted to influence public opinion by leaving comments in support of Kremlin interests under Western news articles. These comments were then cited by Russian media to give the false impression that they represented German public opinion. In the Schönbach case, pro-Kremlin outlets cited the comment section of the German outlet Der Spiegel. Russian outlets referenced usernames like “Partytime” and “Bbz” and presented them as ordinary Germans. The current situation’s similarity with the influence operation identified by Cardiff University suggests that pro-Kremlin actors might be employing the same tactic.
—Eto Buziashvili, Research Associate, Tbilisi, Georgia
Belarus: Open-source evidence of new troop movements and military equipment
This past weekend, Russian military equipment from the Eastern Military District continued its steady flow into Belarus. A majority of the units arriving in Ukraine appeared to unload at a cluster of towns in Gomel Oblast, north of the Ukrainian capital of Kyiv. These towns, including Gomel, Rechitsa, Mazyr, and Yelsk, are not near established training grounds, and the Russian military appears to have established temporary camps in open fields across the region.
Open-source evidence continues to emerge suggesting an increase in Russia’s military buildup in Belarus. This week, there was a significant increase in the amount of air-defense systems observed moving towards Belarus. On January 23, new video suggested that a Pantsir missile system battery was on the move. The Pantsir is a self-propelled medium-range surface-to-air missile and anti-aircraft artillery system. On January 23 and 24, additional videos surfaced showing the likely movement of an S-400 Triumph anti-aircraft missile system from the Russian far east, potentially heading to Belarus. The DFRLab has previously tracked the movement of Russian materiel being transported along the same train route. According to open-source intelligence analysts, if S-400s were to become operational in Belarus, it will potentially create an anti-access/area denial scenario (A2/AD) that could prevent Ukrainian strategic and transport aircraft from operating over northwestern Ukraine.
Iskander short-range ballistic missiles arrived in Asipovichy in central Belarus after spending the past week moving by rail from the Russian far east, as reported by MotolkoHelp.
By January 21, thirty-three echelons carrying military equipment and soldiers arrived via train in Belarus under the guise of joint training exercises—though it’s notable that the number of transport units was higher than for any previous exercises. By comparison, during the ZAPAD 21 joint military exercises in September 2021, only twenty-nine Russian echelons were sent to Belarus. A Telegram channel run by Belarusian rail workers claimed that a total of two hundred trains with Russian soldiers and military equipment were expected to arrive in Belarus.
In addition, reports emerged this week that Russian troops were covering up hull numbers on military vehicles traveling through Belarus to discourage open-source tracking. Similar tactics were used by the Russian military in 2014.
Small protests were reported throughout the week in Belarus, showing growing discontent with Belarusian President Alyaksandr Lukashenka and Putin. Similar protests took place in Poland, where Belarusian communities held solidarity protests.
In response to the growing threat, the United States is considering deploying additional troops to the Baltic states and Eastern Europe. The United Kingdom is also considering sending “hundreds more” troops to NATO’s eastern flank.
—Lukas Andriukaitis, Associate Director, Brussels
Belarus: Unconfirmed reports of “cyber-partisans” disrupting railway networks
A pro-democracy Belarusian hacker group claimed on January 24 that it has infiltrated computer networks operated by the government-run Belarusian Railway. The Belarusian Cyber-Partisans announced they had encrypted Belarusian Railway’s “servers, databases and workstations to disrupt its operations,” slowing down railways transiting Russian troops through the country. The group is demanding that the government of Belarus release fifty political prisoners and force all Russian troops to leave the country. In exchange, the Cyber-Partisans would share encryption keys to return railway system operations back to normal.
At the time of this writing, it remained unclear whether the group had successfully infiltrated the train network or affected its operation. They have a history of attacking Belarusian government websites going back to the fall of 2020.
—Eto Buziashvili, Research Associate, Tbilisi, Georgia
The Baltic states and Poland: Kremlin narratives claim NATO is the actual aggressor
Kremlin-controlled media outlets are pushing narratives claiming the Baltic states and Poland are paranoid and Russophobic, and that Russia does not pose a real threat to any country right now.
For example, Estonian Prime Minister Kaja Kallas recently cited Russian aggression in an op-ed about the need to increase military spending. In response, the Kremlin-owned media outlet RIA Novosti posted an article stating that the claim of Russian aggression against the Baltic states is false, and that Estonia is using it as an excuse to place more NATO military equipment close to Russia’s borders.
Similarly, after the United States authorized the Baltic states to send US-produced military equipment to Ukraine, the Kremlin-controlled media outlet Izvestia reported that Lavrov accused US Secretary of State Antony Blinken of “promoting speculation about Russia preparing aggression against Ukraine.”
In Poland, the pro-Kremlin news outlet Gazeta.ru reported on Witold Modzelewski, a professor at Warsaw University who is often interviewed by pro-Kremlin media, saying that NATO invented the “Russian threat.”
Another narrative presented by Kremlin-controlled media portrayed the Baltic states and NATO as being hostile towards Russia. For example, Kremlin-owned news outlet TASS cited Maria Zakharova, spokeswoman for Russia’s Ministry of Foreign Affairs, as saying that the Baltic states supplying weapons to Ukraine could “push Kyiv to attempt to solve the conflict on its southeast [border] by force.”
Similarly, Pro-Kremlin outlets Lenta.ru and Regnum used an article by Sarah White, a senior research analyst at the Lexington Institute think tank, to suggest that in the case of a war with Russia, Poland and Lithuania will attempt to “neutralize Kaliningrad.” In the article, White talked about countering the military threat coming from Kaliningrad in purely defensive terms. But Lenta.ru’s and Regnum’s versions portrayed White’s analysis as a call for NATO to support Lithuania and Poland in “neutralizing Kaliningrad” with Patriot surface-to-air missile systems, F-35 fighter jets, and M1 Abrams tanks.
Multiple media outlets connected to Russia’s Internet Research Agency, including RIA FAN, Narodnie Novosti, Politika Segodnya, and Politpazl, pushed a somewhat new narrative, citing Russian TV host Vladimir Solovev as the source. Solovev reportedly referenced historical facts about the Russian empire buying Ukraine from the Polish-Lithuanian commonwealth, as well as the Baltic states from Sweden. Solovev allegedly made the argument, “If [Ukraine and the Baltic states] want freedom, they should return the money.” It is unclear when Solovev made such remarks, however. Previously, Kremlin-controlled media have expressed skepticism when the parliaments of Estonia, Latvia, and Lithuania discussed the idea that Russia should provide financial reparations for losses to the Baltic states caused by the Soviet occupation.
—Nika Aleksejeva, DFRLab lead researcher, Riga, Latvia
Georgia: Political groups push closeness with Russia
Georgian pro-Kremlin political groups are becoming more active pushing narratives about the country’s close relationship with Russia. On January 20, the Alliance of Patriots formed a new political bloc, the United Front of Georgian Patriots, and demanded that Georgia abandon its Euro-Atlantic integration foreign policy and declare its neutrality. The bloc also demanded that Georgia remove Article 78 from the Constitution of Georgia, which states: “Constitutional bodies shall take all measures within the scope of their competences to ensure the full integration of Georgia into the European Union and the North Atlantic Treaty Organization.”
The following day, the recently established pro-Kremlin Conservative Movement political party advocated for the country’s participation in the so-called 3+3 format, a regional cooperation platform proposed by Turkey and Russia after the 2021 Nagorno-Karabakh war. The Conservative Movement is affiliated with Alt-Info, the extremist news outlet that instigated violence against LGBT activists and journalists in July 2021. Alt-Info has been banned from Facebook multiple times for engaging in coordinated inauthentic behavior and hate speech. The party also organized an online conference with the members of the State Duma and announced plans for its leadership to visit Russia.
—Sopo Gelava, DFRLab research associate, Tbilisi, Georgia
Image: A woman walks past cadets of the self-proclaimed Donetsk People's Republic during the ceremony marking the anniversary of the fatal artillery shelling at a trolleybus stop, on January 22, 2015, for which both parties of the conflict in eastern Ukraine have accuse each other, in the rebel-controlled city of Donetsk, Ukraine, on January 22, 2022. Photo by Alexander Ermochenko/Reuters.