As Russia continues its assault on Ukraine, the Atlantic Council’s Digital Forensic Research Lab (DFRLab) is keeping a close eye on Russia’s movements across the military, cyber, and information domains. With more than seven years of experience monitoring the situation in Ukraine—as well as Russia’s use of propaganda and disinformation to undermine the United States, NATO, and the European Union—the DFRLab’s global team presents the latest installment of the Russian War Report.
Security
Russia escalates war by targeting cities across Ukraine
Tracking narratives
Russian deepfake attempt targeting Bayraktar drones CEO disrupted
Russia blames Ukrainian military intelligence for Kerch bridge explosion
Bulgaria investigates claims of involvement in Kerch bridge blast
Media policy
Russia adds Meta to its ‘terrorist’ organizations list, blocks EUvsDisinfo website
Russia escalates war by targeting cities across Ukraine
Russia escalated its war against Ukraine this week with missile attacks and airstrikes on cities across the country, including the first serious attack in the capital Kyiv in months. The Russian army reportedly launched at least ten missile strikes, nineteen airstrikes, and ninety artillery attacks targeting more than thirty settlements across Ukraine, including Zaporizhzhia, Dnipro, Odesa, Sloviansk, Novobakhmutivka, Sieversk, Bilohorivka, Nikopol, and Blahodativka, according a Facebook post from the Ukrainian General Staff. Russia shelled twenty-five settlements in the direction of the Pivdennyi Buh river, across the frontline, they added. In the direction of Novopavlivka and Zaporizhzhia, the Russian army shelled twenty villages, including Vuhledar, Novopil, Shakhtarske, Mali Scherbaky, Velyka Novosilka, Malynivka, and Mala Tokmachka. As a direct result of the strikes, five regions were left without power for days, while elsewhere the power supply was partially damaged, according to the Ukrainian state emergency service. It specified that Lviv, Poltava, Sumy, Kharkiv, and Ternopil regions were completely deprived of electricity.
According to a United Nations assesment, “Explosions were reportedly heard, and missiles and drones were reportedly intercepted in the western Khmelnytskyi, Lviv, and Rivne regions, in the northern Kyiv region, and in the southern Mykolaiv and Odesa regions, as well as in the central Dnipropetrovsk region.”
In the central Vinnytsia region, the Ladyzhyn thermal power plant was reportedly hit with Iranian-made Shahed drones. Soon after, the Ukrainian energy ministry stated that it was halting its electricity exports in order to stabilize its energy systems. This halt has a significant impact on Moldova, which purchases approximately one-third of its electricity from Ukraine, including twenty percent from Ukrhydroenergo and ten percent from Energoatom.
According to Serhiy Bratchuk, spokesperson for the Odesa military administration, Russian forces brought Iranian instructors to Dzankoi in Crimea, as well as Zaliznyy and Lanivtsi in Kherson, to train Russian forces on how to use the Shahed-136 kamikaze drones. This claim has not been independently confirmed.
In yet another signal of a broader escalation by Russia, on October 8 the Ukrainian ambassador in Belarus received a note accusing Ukraine of “preparing an attack on Belarus.” The letter can be interpreted as providing a pretext for attacks on Ukraine from Belarusian territory. On October 10, Belarusian President Alyaksandr Lukashenka announced Russia and Belarus had agreed to deploy a “joint regional group of forces.” This raises concerns about whether the northern fronts in the regions of Chernihiv and Kyiv would be reactivated.
Meanwhile, Moldova said Russian missiles that targeted Ukraine crossed Moldovan airspace, prompting the Foreign Ministry of Moldova to summon the Russian ambassador. Moldova also announced that it is considering the possibility of declaring a partial mobilization. Moldovan Minister of Defense Anatolie Nosatîi said that Moldova would have to close its airspace due to the launch of Russian missiles. Later in the day, however, the Moldovan Ministry of Defense denied that a Russian missile had entered the country’s airspace.
The Russian army continues to experience difficulties with new recruits and the mobilization process. According to Radio Free Europe/Radio Liberty journalist Mark Krutov, more than one hundred Russian conscripts from Bryansk allegedly refused to go to Ukraine, stating that they lacked training and new equipment. “One of the soldiers reached out to journalists with his complaints,” Krutov reported. “He says commanders told them they will be sent in a few days ‘to retake Lyman’, while only one man from the previous group of 100 mobilized soldiers sent to Ukraine returned.”
According to a report by Middle East Eye, “Money and menace are being used to recruit Muslims in the Caucasus….Parents in the deprived region are encouraging their sons to fight out of fear that local authorities could retaliate if they refuse.” The report stated that around one thousand Chechen fighters have lost their lives in Ukraine.
—Ruslan Trad, Resident Fellow for Security Research, Sofia, Bulgaria
Russian deepfake attempt targeting Bayraktar drones CEO disrupted
The Ukrainian defense ministry’s intelligence department (GUR) has claimed that Russian operatives used deepfake technology in an attempt to discredit Ukraine’s partnership with Turkey.
According to a GUR Telegram post from October 9, Russian intelligence services attempted to use deepfake technology to call Haluk Bayraktar, CEO of of Baykar Defense, the Turkish defense company providing Bayraktar drones to Ukraine. The GUR claimed that Russian intelligence services tried to impersonate Ukraine’s Prime Minister Denys Shmyhal in the video call with Bayraktar. However, instead of speaking with the Bayraktar executive, GUR said the Russian intelligence service was connected to an “equally fake” individual impersonating a Bayraktar employee. The GUR added that the Russian intelligence service made pronunciation errors when speaking in the Ukrainian language. Specifically, the speaker used the Ukrainian expression babyne lito (бабине літо, “Grandmother’s summer” or “Indian summer”), but used the Russian pronunciation bab’ye lyeto (бабьє лєто) instead.
The GUR stated that the purpose of the operation was to discredit the cooperation between Ukraine and Turkey. “At the end of the conversation, the Russian operatives were informed that they had been exposed and would be prosecuted,” it said.
There have been several instances of deepfakes used since the beginning of the Russian invasion. In the early days of the war, Kremlin supporters circulated a deepfake of Zelenskyy urging the Ukrainian military to surrender. The latest incident demonstrates how pro-Russian deepfakes have moved beyond recorded footage to livestream deepfakes, in which a synthetic face can overlay an individual’s face in real time, creating an additional illusion of authenticity.
—Eto Buziashvili, Research Associate, Tbilisi, Georgia
Russia blames Ukrainian military intelligence for Kerch bridge explosion
Russia’s Federal Security Service (FSB) claimed that a truck with explosive materials caused the detonation on the Kerch bridge on October 8, and accused Ukrainian military intelligence of carrying out what it called a “terrorist attack.” The blast resulted in two road spans partially collapsing and seven fuel tanks catching fire. The FSB said that four people were killed as a result of the explosion. On October 12, the FSB said it had detained eight people in connection with the incident, including five Russian citizens as well as three Ukrainian and Armenian nationals.
According to the FSB, explosives weighing 22.7 tons were camouflaged in plastic film rolls and sent from the Ukrainian port of Odesa to Bulgaria’s Ryse port in early August. They allege the cargo was sent to a Georgian port in Poti; from there it traveled to Yerevan and cleared customs at the Trans Alliance terminal. According to Russia’s version of events, the cargo left Yerevan on a Georgian registered DAF truck and crossed the Russia-Georgia border via the Upper Lars checkpoint on October 4. The FSB claimed that the truck was unloaded at the Armavir wholesale base in the Krasnodar region of Russia on October 6. The next day, the cargo was allegedly loaded on to a different vehicle, owned by a Russian citizen, and left for Simferpol. The explosion took place at 6:03am Moscow time on October 8.
On October 12, Kremlin-controlled media outlet Ria Novosti published a CCTV video on Telegram allegedly depicting Russian police inspecting the truck. The Telegram post included x-ray style photos from the customs checkpoint showing the contents of the truck. However, the truck seen in the CCTV video has at least two elements that are not visible in the x-ray image. The truck in the CCTV video has two front wheels, whereas the truck in the x-ray image does not. In addition, the truck seen on the CCTV camera has a spare wheel, and while the x-ray photo shows a holder for a spare wheel, it appears to be empty. This indicates that the CCTV video and x-ray photo depict different trucks, which Ria Novosti did not acknowledge.
On October 12, the Russian Telegram channel Baza published two x-ray photos of a truck, alongside another photo showing the contents of the truck. The photos were reportedly taken in Armenia. The DFRLab used Google reverse image search and found that both photos were first published in an article by Armenpress, which stated that according to Armenian customs control, the truck went through the customs clearance procedure “duly and legally and no risk factors were detected.” The article contained photos taken during the inspection, stating that the x-ray examination of the truck “did not reveal any risk factors”. The x-ray photos published by Ria Novosti and Baza appear to be similar, based on the placement of plastic rolls inside the truck. It is possible that Ria Novosti’s photo is also from Armenian customs control.
On October 10, the Baza Telegram channel also published a photo of a DAF truck with a Georgian license plate. The post claimed that the pictured truck was used to transport the explosives to Russia. On a same day, the Russian Telegram channel Mash Gor published another photo of a similar truck and claimed that Russian police were searching red DAF trucks with Georgian license plates and found the vehicle in Vladikavkaz, Russia. The post said there was no driver in the vehicle when police arrived, but soon after a driver appeared and was arrested. According to Armenpress, the arrested driver is Artur Terjanyan, a dual citizen of Armenia and Georgia.
Georgian and Bulgarian authorities have denied Russia’s accusation that the truck traveled through their territories.
—Givi Gigitashvili, Research Associate, Warsaw, Poland
Bulgaria investigates claims of involvement in Kerch bridge blast
Russian media outlets claimed that Bulgaria was complicit in the October 8 explosion targeting the Kerch bridge. While many details about the explosion are still unknown, and speculation is rife, pro-Kremlin media exploited the incident to spread rumors about the role of Bulgaria, a NATO member, in the attack. Bulgaria’s main intelligence agency DANS launched an investigation into Russian claims that the truck that blew up on the bridge came from Bulgaria. Investigations began immediately after the Kremlin released the claim, following an order by acting Prime Minister Galab Donev. The agency has also notified the Bulgarian prosecutor’s office.
Ukrainian analysts previously proposed three possible explanations for what happened, including mines detonating on the bridge, a truck bomb, or a rocket attack. While the cause of the blast has not been confirmed, a truck bomb is believed to be the most likely explanation.
In a meeting with Russian President Vladimir Putin, Alexander Bastrykin, head of the Russian Investigative Committee, announced that the route of the truck that allegedly blew up the Crimean bridge started in Bulgaria and then passed through Georgia, Armenia, North Ossetia, and Krasnodar. The European Commission spokesperson Peter Stano said Bastrykin’s words were unreliable. Kiril Petkov, former Bulgarian prime minister and leader of the We Continue the Change party, called on the caretaker government to reject the Kremlin’s suggestion that there was a Bulgarian connection to the bridge bombing. Meanwhile, Bulgaria’s pro-Russian political parties insisted on an investigation, prompting angry reactions in the media. This is not the first attempt by Russia to discredit Bulgaria.
Sofia is in a difficult position because of political differences over the provision of military aid to Ukraine; there is already evidence of Bulgarian weapons in Ukraine. However, the topic has become a major dividing line between political parties in the country, as pro-Kremlin politicians insist that Bulgaria should not be drawn into a war with Russia by providing weapons to Ukraine. In this context, the pro-Kremlin military channel Rybar alleged that Bulgaria had delivered a new shipment of weapons to Ukraine. The channel shared blurry photos, reportedly taken on October 9, of an Antonov An-124 aircraft at an airfield in the city of Burgas. Just one day earlier, the far-right Russian paramilitary group Rusich, which is accused of carrying out executions and war crimes in Ukraine, shared on its Telegram channel a photo of a Bulgarian and Polish passport with the text, “Different people, different countries, one goal.”
—Ruslan Trad, Resident Fellow for Security Research, Sofia, Bulgaria
Russia adds Meta to its ‘terrorist’ organizations list, blocks EUvsDisinfo website
On October 11, Russia added Meta, the parent company of Facebook, Instagram, and WhatsApp, to its list of terrorist and extremist organizations. While Facebook and Instagram are blocked in Russia, WhatsApp remains available.
The latest designation by Russia’s financial monitoring agency means that Russian citizens and companies who buy advertisements on Facebook or Instagram could face imprisonment on charges of “sponsoring extremism” or “terrorism.” According to the pro-Kremlin outlet Interfax, Russian law requires banks to freeze funds and stop serving citizens and organizations on the list.
Russian human rights lawyer Pavel Chikov reported that a Russian prosecutor’s office is already sending letters to Facebook and Instagram users “threatening administrative and criminal liability for posting posts on social networks.”
Russia declared Meta an extremist organization in March 2022. Following the Kremlin’s crackdown on Western social media platforms, Russian citizens have been using virtual private networks (VPNs) to bypass official bans and access the platforms. In light of the latest designation, it is possible that Russian citizens could face criminal charges for accessing Meta’s products through a VPN.
In addition, on October 8, Russian internet censor Roskomnadzor blocked the website of EUvsDisinfo, a counter-disinformation project of the European Union. For years, EUvsDisinfo has exposed the Kremlin disinformation campaigns. Roskomnadzor’s move is a continuation of the Russian policy to restrict Western online media and social networks in an attempt to suppress factual information about Russia’s war in Ukraine.
—Eto Buziashvili, Research Associate, Tbilisi, Georgia
Image: Ukrainian first responders attempt to quash a fire ignited by a Russian missile attack in Zaporizhzhia, October, 11, 2022. (Source: State Emergency Service of Ukraine via Reuters Connect)