RU Unconventional Operations

Introduction

Russia’s full-scale invasion of Ukraine on 24 February 2022 sent shockwaves around the world as states reacted to the return of high-intensity state-on-state conventional warfare on the European continent. Less attention has been paid to the unconventional aspects of this conflict – and yet, these are essential to understanding Russian actions and methods. The invasion itself can be seen as the intended culmination of a long unconventional campaign waged by Russia against Ukraine. The unconventional operations during the war have often been critical to Russia’s successive theories of victory, even as its conventional forces have failed to achieve their objectives on the battlefield. For those wishing to understand the Russian way of war and to learn lessons for their own defence, it is important to study this unconventional side of the conflict.

Unconventional warfare is defined for the purpose of this report as the conduct of covert and clandestine operations, psychological operations, subversion, sabotage, special operations and intelligence and counterintelligence activities aimed at contributing to a state’s military objectives. Describing these activities is complicated by the fact that Russian unconventional warfare fits within a distinct methodological tradition that uses precise but different terminology from other traditions. For example, in the US ‘unconventional warfare’ has a heavy weighting towards the sponsoring of non-state actors to overthrow a state. As shall be seen, the Russian attempt to subvert the Ukrainian state and thereby collapse resistance clearly fits within this concept of operations, but the combination of tools employed has a different weighting to what would normally be considered unconventional warfare. A consistent challenge in this special report is that Russian terminology for activities often has a very limited parallel in other traditions. On the whole – given that this is aimed at a NATO professional audience – this report uses British terms of art. Where it is necessary to use a specific Russian concept, this is explained.

The report comprises two parts. The first spans Russia’s preparations and intentions as regards unconventional operations in Ukraine. It describes Russia’s agent network for conducting unconventional warfare in Ukraine, built up over many years, and then outlines how this network was intended to be used to enable the occupation and annexation of the country. The second part discusses how Russia used unconventional operations in light of how the war actually unfolded, including the counterintelligence regime on the occupied territories and the employment of special forces and irregular forces during the fighting. This report does not explore Russian operations in detail from 2014–21 but is instead focused on the build-up and execution of unconventional operations in support of the invasion in 2022. The aim is to detail Russia’s forms and methods, to enable them to be disrupted, and to provide an unclassified basis for discussing indicators, warnings and countermeasures.

The evidence from this report comes from extensive interviews – conducted both prior to and during the conflict – throughout Ukraine’s Intelligence Community, Security Services and Law Enforcement agencies. The report also draws on a large volume of material either captured on the battlefield in Ukraine or obtained elsewhere from Russia’s special services and the organisations and entities with which they interact. The evidence set deals with Russian activities observed between July 2021 and February 2023. Owing to the sensitivity of much of the evidence this report often necessarily extrapolates from incidents where it is possible to describe specific details to general patterns in Russian forms and methods. Where these extrapolations are made the authors have ensured that there is a consistent picture reported between Ukrainian agencies, available documentary evidence, and have in many instances checked the conclusions with non-Ukrainian agencies which are familiar with the forms and methods identified.

Collection that targets organisations such as Russia’s special services is inherently fragmentary owing to the efforts these entities make to secure information on their activities. Writing about these subjects is further complicated by the sensitivities surrounding the evidence that has been collected and how it was obtained, which often prevents disclosure. The financial records of a front organisation for funding active measures, for example, may offer irrefutable evidence of an allegation that a body is funded by Russia’s special services. Declaring that such a document has been obtained, however, likely causes a change in funding arrangements disrupting future collection and will inevitably trigger an investigation by Russia’s special services into how such a document was obtained that may place a source at risk. A further methodological challenge is in being specific about the lessons to be drawn from a conflict. For instance, if a particular vulnerability is highlighted in Russian operations as implying a need to change the approaches of friendly services, this implies that friendly services adopt a similar form or use a similar method and potentially endangers their personnel. In navigating these dangers this report restricts its descriptions to general patterns and incidents rather than describing specific operations in detail. Where specific Russian activities are described, it is because it is deemed that the Russians know how such activities were identified. The report also focuses its analysis on the activities and vulnerabilities of the Russian conduct of unconventional warfare and does not describe how Russian successes or failures may require changes to the forms and methods of friendly services.

Therefore, this report is in places necessarily imprecise and far from comprehensive. Nevertheless, it is hoped that in outlining the scope and scale of Russia’s unconventional war against Ukraine, it will provide a useful resource for states that are targets of Russian unconventional operations to educate policymakers, strengthen societal resilience against Russian methods, disrupt Russian operations and prepare to deny the Russian special services opportunities in the event of hostilities. It is also hoped that understanding Russia’s unconventional operations will help to explain some of the more peculiar aspects of Russian decision-making and force employment of its conventional military during its full-scale invasion of Ukraine.

Setting the Theatre

The Russian plan for the occupation and annexation of Ukraine cannot be understood without appreciating the preconditions that Russia believed it had established through its protracted unconventional warfare against Kyiv. The strategy was premised on the orchestration of agents in place, built up over decades, but applied to a radically different policy from that for which most of Moscow’s assets had been recruited. As shall be detailed hereafter, Russia’s intended defeat mechanism was Ukraine’s internal destabilisation and disorganisation, which was supposed to disable the system of government and military command and control, undermine public trust in government institutions, reduce national stability and minimise aid to Ukraine from international partners. Under such conditions, the Russian military anticipated encountering little sustained or organised resistance.

The lack of proper logistics, the lack of fuel and ammunition, the vulnerability of long Russian convoys, poorly protected even from air raids, all indicate that Russia carried out the invasion as a military demonstration, without seriously considering the need to conduct full-fledged long-term combat operations. To a large extent, the small group of planners thought to repeat the success of the Crimean operation of 2014, which also made no sense from a military point of view and was planned based on the absence of military resistance from Ukraine. A vivid example of such neglect in February 2014 was the invasion of Ukrainian airspace by 11 Mi-24 combat helicopters and eight IL-76 military transport aircraft carrying Russian special forces to Crimea, which were not shot down by Ukrainian air defence only because the then leadership of the General Staff of the Ukrainian armed forces refused to give an order. Russian attempts to land Russian airborne forces (VDV) on airfields near Kyiv in February 2022 fits perfectly into the same logic.

This chapter, therefore, covers the structure of this agent network and how Russia intended to use it in the context of the full-scale invasion. Understanding why Russia thought it could succeed in this way is vital if such behaviour is to be deterred in the future.

Russia’s Agent Network

The FSB, which was deeply involved in the planning and execution of the invasion, appears to have been ordered to prepare plans to occupy Ukraine in July 2021. To do this the Fifth Service of the FSB took the 9th Section of the Department of Operational Information and turned it into a Directorate, increasing its staff from around two dozen personnel to over 200 reporting to Major General Igor Chumakov. The 9th Directorate was structured into oblast-facing sections along with thematic sections aimed at Ukraine’s parliament and another aimed at critical national infrastructure. The role of the Department for Operational Information is primarily planning, targeting and intelligence management: the assignment of priorities to handlers for their agents. The agents are not necessarily handled directly by the FSB Fifth Service. In the case of planning the occupation, therefore, the task of the 9th Directorate was not to establish and run an agent network, but rather to draw a detailed picture of the access achieved across Ukraine by Russia’s special services and then to plan how these existing agents were to be used during the invasion and subsequent occupation. Once this was done, it was necessary to provide instructions to agents’ established handlers as to what they were to ask their agents to do. This required meetings, and so in the autumn of 2021 Russian agents in Ukraine began to go on brief holidays at short notice to resorts in Turkey, Cyprus and Egypt where, coincidentally, they would meet with their handlers.

The preferred method of Russia’s special services is – where possible – to minimise the running of agents from Russia and instead to recruit senior agents in place who run their own networks. The method of using such senior agents (agent-gruppovod) who build up client networks was highly recommended in Soviet classified manuals and instructions of the First Chief Directorate of the KGB (foreign intelligence service), and has remained the practice of the SVR, FSB Fifth Service and the Main Directorate of the General Staff of the Armed Forces of the Russian Federation – hereafter referred to as the GRU. If these individuals are politically, economically or bureaucratically senior in the target country, then they can recruit people not as Russian agents but as their personal clients who therefore unwittingly advance Russian interests. This is a form of false flag recruitment (verbovka na chuzhoi flag) where an agent may believe that they are being tasked on behalf of an official of their own country even though the taskings are ultimately contrived in Moscow. In the case of Ukraine, several senior officials and politicians performed this role – as shall be detailed shortly – having links with the Russian special services stretching decades.

Internal destabilisation was attempted by agents of the Russian special services in Ukraine, including within the Ukrainian intelligence community, law enforcement agencies, other state authorities, political parties, public organisations and criminal organisations. Today, the Ukrainian intelligence community and its foreign partners have uncovered part of this agent network, which allows us to analyse the main tasks that the Russian leadership set for it, as well as to understand the main forms and methods it uses. At the same time, not all Russian agents and their operations have been exposed, and a significant part of Russia’s agents both in Ukraine and in other countries continue to actively operate.

Andriy Derkach was a People’s Deputy in the Ukrainian Parliament with a long history of working with the Russians and advancing policies that aligned with Russian interests. He graduated from the Academy of the FSK (now FSB) in Moscow in 1993 before returning to Ukraine. His father was a senior KGB officer and for many years also head of Ukraine’s SBU. For several years Derkach headed Energoatom, Ukraine’s state nuclear enterprise, during which time he signed several deals with Rosatom that created a dependency on the Russian nuclear industries. While this cannot be framed as espionage, the SBU was deeply concerned with his activities at that time and reported to then President Viktor Yushchenko about potential threats to Ukrainian national security. The head of Rosatom at that time was Sergei Kirienko, who is now first deputy head of the presidential administration of the Russian Federation and deeply involved in the coordination of Russian cross-government efforts on Ukraine’s occupied territories. It is believed by Ukraine’s intelligence community that influence on the Ukrainian nuclear energy industry in the interests of Russia and Rosatom was the main direction of Derkach’s pro-Russian activities before 2022. This would explain why Derkach is accused of being handled by Russia’s GRU, the primary responsibilities of which include the nuclear industry and Rosatom.

Ukraine’s nuclear energy infrastructure played a significant role in Russia’s invasion plan and its public narratives about the conflict. As one of the justifications for aggression, the Kremlin publicly identified the threat that Ukraine plans to create its own nuclear weapons, and therefore one of the tasks of the Russian ‘special military operation’ was the denuclearisation of Ukraine, which included the intent to seize all nuclear power plants (NPPs), as well as some nuclear research centres. To prepare for these operations, the Russian special services recruited employees of nuclear facilities, including from units responsible for the physical security of the facilities.

Derkach’s first exposure as a Russian agent emerged when he participated in campaigns of covert influence aimed at undermining relations between Ukraine and the US. Thus, in 2019–20, Derkach made public several documents (most probably forged), as well as audio recordings of President Petro Poroshenko’s conversations with then US Vice-President Joe Biden and Russian President Vladimir Putin, which suggested the presence of systematic US interference in the internal politics of Ukraine, and implied corrupt actions by high-ranking US officials in Ukraine. In 2020–21, the US Treasury Department imposed sanctions against Andriy Derkach for participating in a Russian foreign influence network, organising a disinformation campaign and meddling in US elections. According to the US government, at that time Derkach had been a Russian agent for over 10 years. In addition to Derkach, sanctions were also imposed on members of the Ukrainian parliament Oleksandr Dubinsky, Oleksandr Onishchenko, Prosecutor Kostyantyn Kulik, former Assistant to the Prosecutor General Andrii Telizhenko, and three other citizens of Ukraine. This group also tried to influence the US government. One of the tools of influence used for this purpose was an ‘anti-corruption group’ in the Ukrainian parliament, which was supposed to investigate the facts of corruption in the allocation of international aid to Ukraine. The ultimate goal of the anti-corruption investigation is believed to have been to stop or at least reduce international aid to Ukraine. Given Ukraine’s critical dependence on military-technical assistance from foreign partners, and above all assistance from the US, Russian special influence operations to worsen Ukraine’s relations with partner countries, and especially with the US, are a constant priority of the Russian special services.

In June 2022, the SBU made public the Derkach network, seizing a range of documents and outlining its assigned tasks. It appears that Derkach came under the control of the GRU in 2016 and was handled by General Vladimir Alekseev, the first deputy head of the service, and Admiral Igor Kostyukov, the head of the service. Derkach is alleged to have been tasked with the establishment of a network of private security firms which would assist in maintaining control in a number of towns by pathfinding and assisting Russian forces upon their arrival. For this purpose he is accused of receiving instalments of US$3–4 million per month from the GRU. Due to the need to preserve the secrecy of investigation, Ukrainian counterintelligence has not publicised additional information on what other functions Derkach had. At the same time it is clear that some of the most important Russian agents had close ties with Derkach and he could be directly involved in the recruitment of the most high-ranking Ukrainian officials in Russia’s agent network, in particular in the Ukrainian special services and parliament.

For example, SBU Major General Oleg Kulinich, detained by counterintelligence in June 2022, also worked as Andriy Derkach’s deputy at Energoatom in the past and is a close friend of his family. Kulinich, who worked in the office of the Head of the Security Service of Ukraine, is accused of transferring data constituting a state secret to the Russian special services, exerting influence on the higher state leadership of Ukraine, recruiting other employees of the special services, as well as aiding the capture of the south of Ukraine, in particular by suppressing the information available in Ukrainian intelligence collection about the preparation of the invasion of the mainland from the Crimean peninsula. The main task of the Kulinich group was to weaken the national security system, in particular, the ability of counterintelligence to effectively detect Russian agents and to mislead the top military and political leadership of Ukraine about the true state of internal and external threats, the collection and transmission of information to the Russian special services about the defence system of southern Ukraine, the location of military objects, and personal data of employees of the Ukrainian special services and members of their families, as well as undercover agents and assets of the Ukrainian special services that operated in the occupied territories and the territory of Russia.

As part of his tasks, Kulinich is alleged to have exerted influence on behalf of Russia to shape the adoption of personnel and management decisions in the SBU system and other state authorities of Ukraine. In particular, thanks to his influence, Brigadier General Andrii Naumov, who is also accused of treason, was appointed to the position of head of the Main Directorate of Internal Security of the SBU (which supervises all SBU employees and can carry out surveillance, wiretapping and other special measures against SBU officers as part of its investigations). It is noteworthy that, among other things, Ukrainian law enforcement agencies accuse General Naumov of passing on secret information about the security system of the Chornobyl NPP to the Russian special services, where Naumov worked in the management for a long time. This information was used by the Russian troops during the seizure of the Chornobyl NPP and when using the Chornobyl disaster exclusion zone to launch an attack on Kyiv. Using his influence, Kulinich tried to secure the appointment of Naumov to the post of First Deputy Head of the SBU. One of the motives was to take control of the Counterintelligence Department of the SBU. Naumov left Ukraine a few hours before the Russian invasion and was detained in June 2022 in Serbia while crossing the border for the undeclared importation of a large amount of cash. According to the investigation, Kulinich was in contact with ex-Secretary of the National Security and Defense Council of Ukraine and ex-Deputy Prime Minister of Ukraine Volodymyr Sivkovich (a former KGB employee who is under US sanctions), who fled Ukraine after the Revolution of Dignity and permanently lives in Moscow.

Among the other tasks that Major General Kulinich is alleged to have received from the FSB through Sivkovich was to exert influence on the higher political leadership of Ukraine to convince it of the need to abandon the course of joining NATO and to adopt a neutral status just prior to the invasion. Refusal to join NATO, according to the Russian special services’ plan, along with other Ukrainian concessions to Russia, should have been the impetus for anti-government protests, similar to the Revolution of Dignity in 2014, when President Yanukovych refused to integrate Ukraine into the EU. Mass protests were intended to simplify the task of the Russian special services to destabilise Ukraine internally and paralyse the system of state and military administration, providing the conditions for a Russian military invasion.

The task of setting the conditions for violent protest was exposed when, in January 2022, the Ministry of Internal Affairs arrested Colonel Yuriy Goluban of the Ukrainian National Police, formerly a member of the SBU’s Alpha unit, responsible for direct action. While serving in the Donetsk branch of SBU Alpha in 2014, Goluban had joined a pro-Russian militia, as part of the command of the Donetsk People’s Republic’s battalion ‘Vostok’. However, he successfully concealed these activities and later returned to Ukraine, joining the national police. Prior to the invasion, Ukrainian law enforcement accuses him of receiving money to organise protests in Kyiv and three other oblasts at which extreme right-wing symbols would be prevalent and in which the protesters would accuse the government of failing to confront the threat from Russia. The intent was to infiltrate these protests with paid criminals and agent provocateurs to spark violent confrontations with the police. The original idea was to present the protests as an attempted ‘far-right coup’ and to use them as a justification for the invasion. It was also intended to sow internal instability among the Ukrainian resistance.

At the same time, the Russians were setting the conditions for street violence and internal destabilisation under an openly pro-Russia flag, in a manner consistent with their preferred approach of supporting extremes against the centre to drive polarisation and therefore control. This activity is alleged to have been orchestrated by a group around Viktor Medvechuk, leader of the OPZZH Party, and fellow members of parliament including Viktor Chornyi and Ilya Kiva.

Before joining the pro-Russia camp in 2019, Kiva pretended to be a radical Ukrainian nationalist known for his aggressive Russophobia. Immediately after the Revolution of Dignity, Kiva joined the leadership of the paramilitary organisation Right Sector, and soon after joined the National Police of Ukraine, where he headed the Department of Anti-Drug Trafficking, as well as the trade union of the Ministry of Internal Affairs. In 2020, as part of Medvedchuk’s group, he created and headed the organisation Patriots for Life, which consisted mostly of representatives of martial arts clubs, criminals (including drug dealers) and former employees of special police units (including those who were dismissed for crimes during the Revolution of Dignity). The basis of the organisation was the representatives of the Combat Sambo Federation of Ukraine, the martial art of Soviet special bodies, whose honorary president was Viktor Medvedchuk himself. The task of the organisation is believed to have been to create provocations during mass events, as well as to radicalise the socio-political situation in Ukraine, including by provoking a violent confrontation with representatives of pro-Ukrainian organisations. After the Russian invasion of 2022, members of the organisation moved to illegal status and performed various tasks for the Russian special services in support of the Russian invasion. A similar model was also used by the Russians before the 2014 aggression, when the Oplot organisation, which also consisted of a mixture of athletes, criminals and law enforcement officers, was first used for violence against opponents of the Yanukovych regime, and later became the basis for the formation of Russian proxy forces in Donetsk. As with Derkach, Medvedchuk’s group also controlled security firms and detective agencies. Member of parliament Viktor Chornyi was responsible for this direction in the group.

That Naumov was travelling with a renowned smuggler when he was arrested crossing the Serbian border speaks to a much wider phenomenon in Russia’s agent networks in Ukraine. Beneath the senior agents in the Ukrainian government there was a large support apparatus. This apparatus has been used for a wide range of functions, from reconnaissance to basic movement of cash, equipment, or the setting up of safe houses. In some cases, this includes Ukrainian citizens who have a loyalty to Russia. In many cases, however, the individuals in question are paid agents drawn from organised criminal networks. For years prior to the full-scale invasion, the Ukrainian Border Guard Service noted close relationships between Russian officers and smuggler networks across all of Ukraine’s borders. Often, however, the support apparatus did not need to conduct such covert activity. The movement of cash, for example, was easily facilitated either through the diplomatic bag of Russia’s allies before the invasion, or simply through the large number of companies owned by Russian agents in Ukraine, some of whose workers could set up channels for siphoning money to operations. It is important to note that while the support apparatus was less important for Russia’s invasion plans, it persists and is a critical enabler of ongoing Russian activity on Ukrainian territory. The one body of ideologically committed agents supporting the invasion was the Russian Orthodox Church. Beyond its efforts to support Russian information operations, its priests were widely recruited and run by the Russian special services and their monasteries and churches used as safe houses for equipment and personnel. The use of religion as cover is not only a widely established method of the Russian special services but also creates its own protection mechanism because of the political sensitivities of state targeting of religious institutions. For this reason, it took some time for the Ukrainian state to move to constrain the activities of these parts of Russia’s support apparatus even after the invasion.

These various strands of effort were coordinated by Volodymyr Sivkovich, the former deputy head of Ukraine’s National Security and Defence Council, who fled to Russia in 2014. On 20 January 2022, US Secretary of State Antony Blinken specifically singled out Sivkovich as central to FSB plans to handle senior Ukrainian agents. Sivkovich appears to have functioned as the handler for these senior Ukrainian officials reporting directly to Igor Chumakov in the 9th Directorate of the FSB.

Assessing the Strengths and Weaknesses of the Network

Despite the extent of Russia’s efforts – only a fraction of which are outlined above – it is noteworthy that Russia failed to bring about the destabilisation its plan called for. Even with the presence of powerful agents in state authorities, as well as prepared structures that could be involved in internal destabilisation, Russia has not managed to foment an internal political crisis in Ukraine. First, it was not possible to achieve the main prerequisites for full-scale protests. Despite pressure and influence, President Volodymyr Zelenskyy did not agree to renounce Ukraine’s bid for membership of NATO and make other concessions to Russia unacceptable to the majority of Ukrainians. Second, as part of intelligence sharing, Western intelligence services transmitted to Ukraine not only information about Russia’s preparations for a military invasion, but also about Russian intentions to destabilise Ukraine internally, as well as about persons who directly participated in it. Public release of information about such intentions was also an important element of neutralising Russian efforts. Nevertheless, despite senior Russian intelligence officials recommending the invasion be delayed until the summer of 2022 because the necessary conditions were not met, Moscow proceeded with its invasion. Russia’s belief that it understood Ukrainian politics may have been bolstered by the number of senior former Ukrainian officials resident in Moscow who had a clear motive in telling the Kremlin to proceed. According to information held by the SBU, the following representatives of the Yanukovych regime also cooperate with the Russian special services on a regular basis: ex-Minister of Defence Pavlo Lebedev; ex-head of the SBU Oleksandr Yakymenko; ex-Minister of Internal Affairs Vitaly Zakharchenko; and Andriy Klyuev, ex-head of the Presidential Administration. During the years working in the Ukrainian government, such persons had practically unlimited opportunity to infiltrate their own agents in all state bodies and to extract whatever information interested them. Nevertheless, Moscow’s decision to proceed without the necessary preconditions suggests two things: first, that Russia’s agents were exaggerating their influence on the Ukrainian state; and, second, that the Russian special services had been ordered to facilitate an occupation to a timeline, not to assess its viability. In other words, that the next phase of Russia’s plan proceeded even though the previous phase had not yet succeeded speaks to a command-driven process from the top and an institutional culture of following orders rather than the provision of honest advice from Russia’s special services to the executive.

As we can see, until the last moment before the invasion, the Russian agents were preparing for the organisation of internal destabilisation, and the structures they created in Ukraine for this purpose were practically unprepared and unsuitable for use in the conditions of a long-term, full-scale military conflict – for example, as sabotage groups that could operate in the deep. Moreover, Russian military aggression and crimes against the civilian population have changed the attitude towards Russia not only among ordinary Ukrainians, but also among representatives of pro-Russian organisations. Even in the case of the Patriots for Life organisation, some members publicly condemned Russian aggression. Similar processes took place in 2014, when veteran structures created in Ukraine by the GRU (mostly along the lines of Dmitriy Sablin’s organisation ‘Boevoe bratstvo’) and the FSB (such as organisations of KGB special forces and organisations of Afghanistan veterans) after the start of the military conflict mostly remained loyal to Ukraine and even joined the armed forces.

The Russians recruited penetrations of the Ukrainian state at a senior level across its institutions. These penetrations were able to mobilise large numbers of subordinates to follow their instructions without necessarily knowing that they were working to further Russian interests. The networks centred on a core nucleus of senior officials who had interlinked histories and were mutually supporting. Yet, despite these successes, the FSB’s plans failed and it is important to understand why. Many had anticipated that the Ukrainian state would fragment from within. This did not happen, and many of these networks were disrupted or had key members detained.

A few observations about the Russian forms and methods employed reveals the strengths and vulnerabilities of their approach. It is likely that even these senior agents knew relatively little about the overall invasion plan, which was kept to a very small group of planners. While they may have surmised the overall thrust from what they were asked to do, it is not evident that they were read in. Most individuals who these principal agents controlled would have known much less. Prior to the invasion, it may be argued that the Russians maintained an extensive and robust network in Ukraine. Many conducting supportive tasks for the Russian special services would have thought they were following the instructions of a Ukrainian official. Those conducting illegal activities on behalf of Russian agents were often doing so under financial incentives. But the risk – hypothetically – for an employee of the national police in providing information to a Ukrainian official in another government department for a fee would be negligible and the financial reward potentially welcome. The problem for the Russians was that, first, the full-scale invasion fundamentally altered the context within which their unwitting agents, or agents recruited under false flags who lacked any ideological commitment to their cause, were judging the harms of operating under Russian control. The same police officer, for example, appreciating that the information they were asked to provide may be used to guide Russian tanks into Ukraine’s cities, may be less willing to have anything to do with the Russians and may see the risks of discovery as greater than the reward of some money. A criminal who previously saw little harm in acting as a courier across the Russo-Ukrainian border may nevertheless feel that they must protect their family if it is coming under air attack. Many of the networks therefore became unreliable in the early days of the invasion.

The unreliability of the networks would likely have mattered much less if the Russian military had secured its immediate objectives. In a scenario where the Russian military was in control of Ukrainian cities and Russia’s principal agents were issued clear instructions for their networks, it is likely that the risk–reward calculus would have seen significant levels of collaboration achieved. Instead, as Russian troops failed to take their objectives, many networks either froze in place to be activated later or dissolved, as members of the network lost any incentive to work with Russia and broke contact with their handlers. Many agents remained in place, enabling reconnaissance, but could offer little by way of disruption. Most of the FSB’s planning had been premised on physically controlling the terrain and there was a lack of command and control for the unwitting agents recruited previously in a scenario where the FSB did not have a physical presence on the ground. However, while the Russian plan unravelled, it was not entirely flawed. In the areas where the Russians did occupy the ground, they demonstrated that they could build up a sufficient body of collaborators to exert control and run a robust counterintelligence apparatus.

The Plan of Activation

Before detailing how Russia ended up using its agent network it is important to understand how it was intended to support the occupation of Ukraine. This is vital because, even though it differs from how events actually unfolded, the Russian invasion plan does not make sense without understanding Moscow’s intended defeat mechanism of the Ukrainian state. The difficulties experienced by the Russian military therefore cannot be understood without appreciating what Russian planners expected.

On 24 February 2022, when Russian forces moved over the border, troops of the Eastern Military District confronted a detachment of Ukraine’s national guard responsible for securing the Chornobyl NPP. Seeking instructions, the detachment contacted Valentin Vitter, head of the plant’s security, who advised them to surrender – both to save their own lives given the disparity in force between them and the Russians, and to prevent damage to the facility. The plant was seized within two hours without a fight. This was not an isolated incident but recurred throughout southern Ukraine in the first days of the war. A similar process was also simultaneously attempted across the entire Ukrainian government, but to less effect.

In the opening hours of the invasion, senior Russian officials phoned their Ukrainian counterparts to urge passivity to avoid bloodshed. Dmitry Kozak, for example, deputy chief of staff of the Russian Presidential Administration and head of the Committee for Transborder Cooperation intimately involved in the build-up of agent networks in Ukraine, phoned the Ukrainian Presidential Administration and urged surrender. On 25 February 2022, Putin publicly appealed to the Ukrainian military not to resist the Russian invasion, and instead to conduct a mutiny, to negotiate an end to the war with Russia. On 26 February, the Belarusian defence minister phoned his Ukrainian counterpart, Oleksiy Reznikov, and conveyed a Russian offer to accept Ukraine’s surrender from Sergei Shoigu. On 22 February, the Belarusian defence minister had been involved in Russia’s wider attempt to deceive the Ukrainian government as to its intentions, personally assuring Reznikov that he would not allow an invasion to proceed from Belarusian territory. Over the first three days of the invasion, all of Ukraine’s General Officers received text messages or phone calls, often from counterparts on the Russian side whom they knew personally, to urge their inactivity to prevent bloodshed. Ukrainian officers at the rank of colonel meanwhile almost all received text messages urging inactivity or surrender, though these did not originate from known contacts.

The reporting about this outreach has often suggested that this Russian activity was supposed to bring about surrender of the higher levels of the Ukrainian state. This is to misunderstand the defeat mechanism. While a total surrender of Ukraine would have been desirable, the actual process by which the Russians anticipated occupation of the country was premised on the paralysis of the central Ukrainian apparatus combined with localised surrender of isolated Ukrainian units. The Russians mistakenly appear to have projected on to Ukraine the same top-down command culture of their own forces. A large portion of the middle echelon of officials that were Russian agents simply stopped responding to messages early in the invasion or else abandoned their posts, severing chains of command from the central government to tactical units. The advocacy towards Ukrainian President Zelenskyy to leave Kyiv and a wide range of other proposals that emerged from the bureaucracy were largely aimed at imposing decision paralysis on the centre. Meanwhile, Russia’s agents tried to convince local commanders and officials not to resist. They did not do this by presenting themselves as speaking on behalf of the Russians, but instead cited the local disparity in forces and the desire to save Ukrainian lives. The aim was to slow down a decision to resist for long enough to allow Russian forces to occupy key strategic centres. Resistance in this framework would be sporadic and isolated. In this context, the model for the wider Russian invasion plan may be observed in southern Ukraine – where it proved much more successful. Furthermore, since the task of Russia’s agents was to isolate Ukrainian units through obstruction and encourage junior paralysis and surrender, many of them withdrew their work from the government rather than actively operating to participate in the occupation. The intent was that they would emerge once the territory was occupied, rather than engage in some sort of coup or direct action before occupation was achieved.

Indeed, that most Russian efforts were aimed at fixing and fragmenting resistance can be seen in the use of information and cyber attacks in the first days of the war. Rather than target critical national infrastructure or seek to inflict direct damage on Ukrainian systems – which was attempted later – the initial cyber attacks were largely aimed at communications systems that the Ukrainian state relied on. On the whole, they were unsuccessful because of the preparations made by the Ukrainian State Service for Special Communications and Information Protection. However, an example of a successful attack was against the company Viasat, which disrupted communications on the first day of the invasion, and highlights the primary object of much of these activities. The Russians were also partially successful in terms of information warfare, isolating Ukrainian communities through the release of misleading narratives aimed towards the mobilised civilians who the Ukrainian state armed to secure rear areas. These narratives emphasised the prevalence of sabotage groups and infiltrators: for example, the Russians started messages on Ukrainian social media calling for citizens to report suspicious markings on buildings. The result was a deluge of false positives swamping the capacity of Ukrainian law enforcement. This mirrored a persistent tactic from before the war whereby the Russian special services would make continual false bomb threats to Ukrainian law enforcement. Another consequence of amplifying paranoia was to instil fear into Territorial Defence Detachments and encourage incidents of friendly fire or at the very least slow down the movement of Ukrainian troops and officials through checkpoints.

A final critical element is that the one part of the Russian invasion plan where obstruction, isolation and negotiated capitulation could not be achieved in theory was Ukraine’s air defence system. Given the importance of projecting resupply and reinforcements by air into Ukraine, this had to be suppressed. Moreover, the striking of air defences and industry had a shock and awe value intended to encourage passivity. Thus, the one overtly planned conventional military component of the Russian campaign was the suppression and destruction of Ukraine’s air defences by the VKS and through a massive missile strike campaign using cruise and ballistic missiles. In the south, where older Ukrainian air defence systems were less mobile, this was largely successful. Elsewhere the Russians achieved the suppression and displacement of the air defences for several hours and, in some directions, it lasted for around 24 hours. Generally, however, the lack of appropriate training and equipment for this mission in the VKS meant that this effort failed and Ukrainian air defences recovered over the following two days. Given that Russia’s ground forces were intended to have occupied most of their key objectives within 72 hours, however, this would have been less problematic if the ground forces had not failed utterly to bypass or fight through Ukrainian troops.

One of the foremost causes of inaccuracy in pre-war military assessments of the likely trajectory of the fighting – both in NATO countries and in the Ukrainian military – stems from the assumption that the Russian forces would conduct a deliberate military offensive. For example, it was assumed that rail and logistics infrastructure would be targeted. Instead, because the aim was to fix and isolate Ukrainian units, there was very little attempt to destroy them in the first three days. The whole logic of the employment of forces was premised on the success of Russia’s unconventional operations and yet, as already discussed, the preconditions for that success in terms of the political destabilisation of Ukraine had not yet been achieved. There remains an unanswered question as to why the Russian leadership decided to begin the invasion without establishing the required preconditions. This may be understood as a strategic error of judgement by Putin personally.

The bulk of Russia’s planning focused on what to do after the invasion. The details of the counterintelligence regime on the occupied territories is covered in the next section as these were observable in operation in those areas that were captured. Nevertheless, there was an element of the occupation plan that did not come to pass – the occupation of Kyiv – which also includes the intended use of special forces in the original invasion plan. As already outlined, the Russians intended to occupy Kyiv within 72 hours. The intent was for initial units to secure the main routes into the city and for airborne troops to then be flown to Hostomel airfield and to move to secure key zones within the city. Within each city sector these forces would provide cordons to control the movement of the population. The conventional Russian forces would then transition to screening and isolating the city, controlling the countryside and preventing reinfiltration by Ukrainian conventional detachments.

Behind these troops were to come Russian Special Forces (SSO) and troops intended for repressive operations including the Rosgvardia – and in particular the Chechen Rosgvardia (Kadyrovtsy). The assignment of these troops to key roles on seized territory explains the relatively small level of infiltration and sabotage against military sites attempted in the opening phase of the conflict, which was anticipated as a standard element of Russian doctrine practised extensively in previous conflicts. Instead, most Spetsnaz deployed in conventional reconnaissance roles ahead of the battalion tactical groups, while special forces were largely intended to sweep in behind. The Russians were so confident that they would succeed in hours that their support apparatus had rented apartments around the key sites from which their special forces were supposed to operate in Kyiv.

Once in Kyiv, the plan included three interconnected directions of operation. The first was the use of local agents to guide Russian SSO in capturing the executive and parliamentary leadership of the country. These were likely to be given show trials. Separately, the Kadyrovtsy were to engage in the hunting down of the Ukrainians believed to be organisers of patriotic resistance and those associated with the Revolution of Dignity in 2014. This was anticipated to be a dirty war, comparable to the conflict with the Chechen rebels following the fall of Grozny in 2000. The third line of effort was to be the pacification of the population. This depended on the isolation of communities through the control of egress and ingress through natural choke points in civic infrastructure. Within these isolated areas, the Rosgvardia were to manage protests and acts of civil resistance. There would not necessarily need to be violent suppression of protests, but the organisers of such protests could be identified and subsequently targeted by the Kadyrovtsy.

A further task for SSO and VDV units was the seizure of Ukraine’s central bank, water and utilities, and the parliament. The intent was to allow Viktor Medvedchuk and other members of the Russian-aligned faction within the Ukrainian parliament to establish a movement for peace, to pass resolutions urging surrender to save lives and to save Ukraine, and thereafter to govern through the national parliament and through the regional parliaments and local administrations. The withdrawal of power, utilities and finance from regions that were considered problematic would be used to try and further isolate areas of persistent instability. Within this context, the foremost advocates for peace and therefore candidates for local government office throughout the country would be those officials who were part of the agent network.

The problems with this plan are succinctly summarised by Lieutenant General Reshetnikov of the SVR, who observed that ‘the miscalculations were mostly political, as well as military: underestimation of the enemy, misunderstanding of the mood and functioning of this territory. There were, most likely, unjustified hopes. We were going to enter Kyiv, Kharkov, to bring to power reasonable representatives of the Ukrainian state. But what happened, happened’. The following chapter concerns what happened in those areas that the Russians succeeded in occupying.

The Unconventional War in Ukraine

Having considered Russia’s preparations, the extent of its capabilities in Ukraine, and how it had conceptualised employing them, it is now possible to outline how these plans unfolded in practice and what can be learned about the forms and methods of the Russian special services when operating in the context of a large-scale conventional conflict. This should be considered in three parts: the functioning of the counterintelligence regime on the occupied territories; the use of special operations forces and irregular troops in combat; and the collection, analysis and dissemination of combat-relevant intelligence. This chapter will explore each of these topics in turn.

The Counterintelligence Regime on the Occupied Territories

The Russians implemented their occupation plan in the areas that they seized, allowing for the details of how it functioned in practice and its effectiveness to be studied. For each of the oblasts targeted for occupation, the FSB formed Temporary Operational Groups (TOGs) tasked with coordinating the occupation regime and its counterintelligence apparatus. Each TOG was commanded by an officer from the 9th Directorate of the Department of Operational Information of the FSB Fifth Service. The individual would usually be drawn from the section that had been tasked with targeting the oblast that they were to administer. In Ukraine these individuals operated under false names, which were usually generic. They would usually have a pair of deputies from the Fifth Service and beneath this core command group representatives from the other FSB services including counterintelligence, military counterintelligence and the FSB service responsible for the protection of infrastructure. They would also have a support staff. Each TOG was assigned detachments of Rosgvardia for cordoning and public order, Alpha detachments and other special forces troops for conducting raids, and troops including Chechen Rosgvardia detachments intended to conduct the elimination of high-value targets. This was a model that had been employed in and refined since the Second Chechen War.

The approach to establishing the occupation administration was systematic. In the first instance, Russian forces were tasked with seizing all forms of records. This included public health, education, housing, tax, police, electoral and local government records. One of the first acts upon seizing the Chornobyl and Zaporizhzhia NPPs was the seizing of all hard drives from these sites. It also included private records from utility companies, insurance providers and NGOs. This data would be used to build a map of who was supposed to live where, who they were related to and whether they had any connections with the Ukrainian state. The population was divided into five core categories:

1. Those deemed leaders of Ukrainian nationalism who were specified for physical liquidation on a high-priority target list, or for capture to enable show trials.

2. Those suspected of intending to support acts of resistance who needed to be recruited or suppressed including anyone associated with Ukrainian law enforcement, local government, the military or related to officials that were not actively collaborating.

3. Those who were deemed apathetic.

4. Those actively collaborating with Russian forces.

5. Individuals who were necessary for running critical national infrastructure and had to be controlled.

Within each town the TOG would appoint a garrison commander from the Russian military who would have an assigned detachment of garrison troops. These troops would occupy a building – usually the police or fire station – and set up facilities for detention, processing, interrogation and torture. The fact that the layout of these facilities is consistent throughout the country, and the equipment used in torture chambers, including specialised electrocution machines, were the same across multiple oblasts demonstrates that this was a systematic plan and not improvised sadism.

Within the occupied areas different parts of the counterintelligence apparatus would begin to carry out their assigned tasks. Civic leaders including the owners of public utilities, schools and factories would be summoned to meet with a representative from the TOG and told that they must either collaborate in continuing to discharge their duties while reporting to the TOG or, in the case of educational institutions, enforcing curriculum changes, or they must resign. Among teachers in particular, if a school head was removed, the position was often offered to other staff if they were prepared to collaborate. If no collaborators could be found or the loyalty of a collaborator was suspected then these staff were usually replaced by a Russian who, in the case of public utilities, was usually an FSB officer from the service responsible for the protection of infrastructure.

Another part of the occupation administration was the information isolation of the communities being targeted. This was done in three ways. First, the Russian military would jam the frequencies by which people in the occupied area could access Ukrainian television and radio. Second, the telecommunications infrastructure was severed from Ukrainian infrastructure and reconnected to Russian infrastructure, enabling monitoring of telecommunication and internet traffic. Third, listening posts and metadata analysis against cellular telephones was set up to monitor the communications of local residents, prioritising those who attempted to route calls or messages from the occupied territories to the rest of Ukraine.

At the same time, garrisons were tasked with conducting house-to-house sweeps. This involved military units inspecting houses to confirm that the records seized accurately recorded who was at each address. They also searched homes for insignia, medals or uniforms indicating whether residents had previously had connections with the Ukrainian state and examined photographs and other personal effects to confirm the relationships between residents.

The occupation administrations and garrisons were aided in their activities by members of local law enforcement and civil servants recruited before the war as agents of the Russian special services. It is important to note that some pre-war assessments anticipated that these individuals would essentially seize local governments and thereafter hand them over to the Russians. In practice, there were far fewer recruited agents, and these were much too junior to bring about such an effect in most towns. Of the 800 Russian agents identified in the occupied parts of Kharkiv oblast, for example, the majority were junior officials in local government including in departments such as the forestry commission. Fewer than 100 local law enforcement officers collaborated. The Russians did not expect these individuals to simply continue running the oblast. Instead, they provided a network of informants and enablers who could perform several important functions. First, they had alerted the Russians to where repositories of documents were and could provide vital local knowledge about the community and its environs. Second, by reporting on the conduct of officials who had remained in place but were not directly collaborating, they could flag to the occupation authorities those who were apathetic as compared to those who might be actively working with the Ukrainian state or with resistance networks. A head teacher who said they would teach the new modules supplied by the TOG, for example, would be reported by a recruited agent in the school if they did not comply. In practice – as in the previously occupied areas of Crimea, and Luhansk and Donetsk – collaborators were a relatively small group but played an enabling role. The important point is that the FSB did not expect or require as part of its planning that the majority – or even a significant part of the population – welcomes it. Based on its experiences in Chechnya, the planning assumption was that 8% of the population needed to collaborate, whether proactively or under coercion, to enable the counterintelligence regime to be effective. The Ukrainian intelligence community, based on assessments of those areas where the Russians did establish control, concluded that the FSB was broadly correct in its requirements for local support.

Control through such a small part of the population could be asserted through violence. It is important to understand how violence was used, as it was applied differently to different targets. First, for those on the high-priority target list identified as Ukrainian nationalists the intent was to kill or capture them – spearheaded by Chechen units and the FSB. Because the Russians did not overrun Kyiv, Odesa, central Kharkiv and other major cities, most of the individuals on this list were beyond Russia’s reach and have remained so throughout the war, reducing the prominence of these activities. For those in senior positions or responsible for critical national infrastructure who were not active collaborators, the Russians worked to build leverage over them. In most cases this was first achieved through direct intimidation. Mayors, for example, were often taken in for questioning and received beatings, only to be released. Additionally, many persons in this category had members of their family detained and tortured. It was usually made clear to the person who was a target for leverage that other members of their family could also be detained, or the detained family members tortured further, if they did not comply with Russian instructions. This was also done by targeting Ukrainian officials within Ukrainian-controlled territory who had family members on the occupied territories. Generally speaking, the purpose of torture was to build leverage, evident from both the communications sent by the TOG to the target and as the victim was not subjected to questioning during or after their torture, but was simply tortured and then released.

For those suspected of being involved or likely to become involved in resistance, the process was more protracted and the outcome more varied. Those with ties to the Ukrainian state were detained and went through a process of filtration. This would usually begin with interrogation. Occasionally initial interrogations would involve violence and in a majority of cases there was a threat of escalation if the individuals were subsequently found to be conspiring against the occupation administration. Initial interrogation questions appear to have been formulaic and basic. Nevertheless, by building a picture of backgrounds, the FSB was laying the groundwork for network analysis. For individuals of concern the interrogation process was often escalated with a second round, sometimes conducted under torture. Here, the interrogators made use of the electrocution equipment established in the detention facilities and the questions would move from basic formulas to a more detailed examination of the individual. Some would be released after this process; others would be moved to facilities elsewhere, or in Russia itself, for further rounds of interrogation. Part of the logic of this displacement was that, if suspects were released after being displaced, they would have been separated from their friends and family. Thus, when they returned, it would be unclear to Ukrainian resistance networks whether they had been doubled and were now informing. A condition of release was often the provision of routine reports to the FSB. Moreover, their support network and contacts could thereby be examined as they invariably made contact with their closer friends upon their return to try and seek assistance.

The process of filtration bore a remarkable resemblance to activities carried out under the Russian Ministry of Interior’s Directive 247 of 1994, a legally non-binding administrative decree issued during the First Chechen War which authorised the military to set up filtration points. Those passing through initial rounds of filtration would be documented and returned to their communities. Those deemed concerning could be detained and removed to filtration camps for further questioning and, in this process, separated from their families and support networks. Underpinning this system of repression in Ukraine was data. At the garrison level, most interrogation records and data were either held in separate databases or else were on paper or on laptops. They were not integrated datasets. Over time, however, as these case files on individuals expanded and as people were moved for interrogation, these files became more complex. Detainees describe how by their third interrogation it was evident that the questioning had shifted from formulaic questions, in the first round, to case-specific questions in the second round, and then questions that cross referenced with other’s case files by the third round. This cross referencing demonstrates that a counterintelligence indexing system was being used to build a network map of the population, allowing for interrogations to be crosschecked for consistency. By the time these datasets reached the TOG at the oblast level, there is evidence that data was ingested into ‘Spectrum’. Spectrum is the FSB’s digital architecture for its security and counterintelligence work on Russian territory. It ingests data from other Russian government bodies such as tax and court records, and police and border guards reports, as well as from other FSB systems such as ‘Magistral’, designed to harvest flight and shipping manifests, and SORM – the System for Operative Investigative Activities. Other sources of information include ‘PSKOV’, used for mobile phone tracking, billing and social media monitoring and ‘Sherlock’, an all-source database, including social media, mobile phone data and finances, which fuses various streams of government, commercially available and stolen data. Spectrum is essentially an app that functions as a portal to access several databases hosted on a range of commercially derived systems. Using Spectrum also allowed all FSB officers with the right permissions to draw on these interrogation reports and case files as the individuals moved around Russian-occupied territory or Russian territory. Thus, whereas when a suspect was detained their case file had to physically follow them, to be held by the detaining officers, the digitisation of the records ensured that the case files would always be available to FSB officers if an individual came to its attention again.

Another aspect of the campaign of intimidation and suppression was collective punishment. In many towns occupied by Russian forces, local citizens either filmed them and uploaded the videos on to social media or else passed details about Russian troop movements to friends, family and the Ukrainian state. This was collected by the Ukrainian military and used for artillery targeting. In response, Russian troops conducted sweeps of all residents and examined their phones to establish whether they were sharing information with the Ukrainian military. If they were, then these individuals were detained and interrogated, often tortured, and in many cases executed. It is also important to note that Russian troops tasked with this were often scared and not especially thorough in their checks, preferring to detain on suspicion rather than on the discovery of proof. Many innocent civilians were therefore detained, tortured and murdered.

The brutality of Russian troops was not confined to those areas where there were ongoing Ukrainian artillery strikes. Even in those areas where no strikes were taking place, acts of resistance would often lead to apparently random people being lifted for interrogation in numbers. In some communities this essentially led many residents not to go out except for essentials. Given that this pattern was repeated in many towns, it seems systematic and to follow a cruel logic that, if acts of resistance bring about collective punishment, then those wishing to resist must not only factor in the risk to themselves but also the risk to their families, friends and community. The collapse in local businesses, social spaces and community also has a secondary effect. In towns where repression fractured normal life, the Russian occupation administration came to control shops, food distribution and services. Access to these things could be controlled, creating another coercive lever to not only suppress opposition but also to encourage collaboration. Fracturing a community enabled calculations of self-interest to force the local population to interact with, depend on and enable against its will the perpetuation of control.

These processes – integrating data from the occupied territories into the systems supporting Russian domestic repression, and displacing people into Russia itself – are consistent with Russia’s intent to eventually annex the occupied territory. The process of annexation was to be the same as had been applied to Crimea. First, a proportion of the population would be recruited or coerced into collaborating in the running of the local administration. Second, the area would be secured from military threats by the Russian military and from resistance activities by the harsh repressive measures. Third, this security would enable the wider elements of the FSB and Russian state apparatus to move on to the territory including law enforcement. Fourth, the collaborators in the local administration would be appointed to positions in rural and dispersed parts of Russia and replaced with Russians to directly administer the territory. Finally, the territory would be annexed. This process was not fully implemented because of the poor progress of the Russian military but did begin to be put into effect in Mariupol and other towns out of range of Ukrainian indirect fire. Beyond this point it was assessed that while resistance and sporadic insurgency might continue – as in Chechnya – it would not pose a threat to Russian control.

The Irregulars

Prior to the invasion, the expectation was that Russia’s special forces would be employed in the conduct of strategic reconnaissance and special reconnaissance actions. As outlined, most of the relevant troops were instead held back to support the occupation administrations. When the occupation of much of the target territory failed, these troops were neither in position to fulfil their traditional role nor able to fulfil the role specified in the invasion plan. The actual employment of these troops therefore bears consideration.

Prior to the full-scale invasion of Ukraine, the number of Spetsnaz units in Russian formations had been expanding rapidly. Most military analysts anticipated that this would lead to Russian formations having a much stronger reconnaissance and direct action capability organic to their brigades. In the Second Chechen War, and in Syria, the Russian military had extensively employed Spetsnaz as reconnaissance troops to screen its advances and in other special forces roles. This was done for some formations during the invasion. For example, Spetsnaz punched into Kharkiv significantly ahead of the conventional forces. Although these formations could have been employed more widely in this way, the expansion of Spetsnaz units had contributed to a shortage of competent contract infantry for the wider Russian military – as most competent infantry had been pushed toward Spetsnaz and airborne units. For the invasion of Ukraine, the Kremlin limited the number of conscripts in its battalion tactical groups, while the size of the invasion force prevented the concentration of personnel from across the force to bring those units committed to their full complement. As a result, many Battlegroups were significantly under strength. Russian armoured personnel carriers often contained as few as three infantry. This may not have been a problem if the purpose of the Ground Force was to shock and awe the Ukrainians into folding, enabling the mechanisms of repression to get into Ukraine’s cities and establish control. Once the Russian military found itself in heavy fighting, however, the shortage of infantry became a serious problem. The lack of effective line infantry units caused Spetsnaz units to be deployed mostly as light infantry, which also led to a high level of casualties among these units. Far fewer Spetsnaz were therefore available for special forces missions.

Far from drawing away from this practice, the trend during the war has been for regular tasks to be taken over by irregular forces. The initial Russian invasion plan had envisaged the deployment of Chechen units to support the FSB in establishing the counterintelligence regime on the occupied territories. Once heavy fighting erupted these units were committed as assault troops on key axes, not least Mariupol. In a bid to stem casualties – especially among Russian assault forces – great efforts were put into mobilising battalions from the populations on the occupied territories of Donbas and Luhansk, largely commanded through parts of the Eighth Combined Arms Army. Casualties among these troops were excessive, especially when they were used to conduct mass infantry assaults against Ukrainian trenches in Donbas to fix and identify Ukrainian firing posts for more capable Russian assault troops moving in behind.

Another force that was rerolled was Wagner. The Wagner Group had a peripheral role in the initial invasion plan, largely orchestrating volunteers among Russian partners in Syria and Africa as part of an information campaign to suggest that Russia had widespread international support. Since the invasion was supposed to be quick, Wagner was not initially withdrawn from the range of commitments it held in Africa, and even expanded some of these tasks – as in Mali – during the early phase of the war. The disarray among Russian conventional forces following their setbacks in the opening weeks of the war made it immediately apparent that there would be a shortage of military specialists and assault troops. At first, this led to Wagner moving personnel from its wider deployments into Ukraine and, since then, has seen Wagner embark on massive recruitment drives, including in Russian prisons. Wagner has also spearheaded bringing skilled Russian personnel back into service – such as pilots – often with offers of significantly inflated salaries.

The prominence of Wagner and several other private irregular armies in the Russian forces bears scrutiny because most of these organisations originated as part of Russia’s special services. The Wagner Group emerged from a battalion of irregulars supported by the GRU in Donbas in 2014. In its operations in Africa and Syria, GRU officers would routinely embed into Wagner units, using them as cover or being the link with Russian conventional capabilities to enable Wagner forces. Given the political prominence of Yevgeny Prigozhyn, it would be inaccurate to say that Wagner remains entirely subordinate to the GRU. In fact, the GRU has often routed political recommendations to Putin through Prigozhyn rather than its own official chain of command. Instead, it would be fairer to say that the GRU and Wagner are strongly intertwined. Despite transcending the GRU’s chain of command, the supply of weapons and military equipment to Wagner is carried out by the structures of the Ministry of Defence of the Russian Federation through the 78th Special Reconnaissance Centre and the 22nd Special Forces Brigade of the GRU. Alongside Wagner are other organisations, often built around specific capabilities such as UAVs. A good example is PWC Redut, largely led by former Wagner personnel, but organised around reconnaissance, intelligence and sabotage missions, and commanded by a GRU officer previously responsible for Wagner’s intelligence operations. It is anticipated that the number of private military companies sponsored by arms of the Russian government and associated entities is likely to increase over the coming year.

The significance of special forces-enabled irregular units to the Russian military is exacerbated by the state of Russian industry. The Orlan-10 UAV, for example, has proven one of the most effective pieces of equipment in the Russian Army’s arsenal for ISR. Although it was developed by the conventional force, the manufacturer receives a significant proportion of its funding from the GRU. More importantly, the export-controlled microelectronics that the manufacturer needs must be procured illicitly through the front companies established and run by Russia’s special services. Another example is the procurement of loitering munitions from Iran. The burgeoning strategic relationship with Iran was initially enabled by outreach conducted and maintained by Russia’s special services with the Islamic Revolutionary Guards Corps. Given that Russian defence industry is increasingly dependent on these structures, who gets equipment in the Russian military is also partly determined by their connections with the irregular organisations. This resource allocation in turn determines who has the capabilities to own battlespace and problem sets in the field. In time, Russia’s conventional forces may reassert control. National mobilisation may reduce the dependence on irregular formations. For military specialisms, however, it is likely that the foreign currency and equipment available to these units will see their importance to the Russian war effort remain high.

While Russia’s conventional Spetsnaz have increasingly been used as assault troops, the practices of Spetsnaz controlled directly by the special services have arguably reverted to a more Soviet approach and away from the Western special forces model that Russia has attempted to develop over the past decade. This has seen the employment of Spetsnaz in more intimate collaboration with human intelligence.

Human Intelligence and Reconnaissance

The failure of Russian forces to occupy the target territory left a large body of agents in place. Similarly, for Ukraine, the overrunning of its territory saw a large part of the Ukrainian population stranded in areas under Russian control. This left in place the opportunity for resistance operations. Although the mechanisms for countering the threat from within Ukraine as compared with the counterintelligence regime on the occupied territories differ, the pressures on these Russian and Ukrainian networks have led to a similar prioritisation of tasks and adaptation.

The proportion of Ukraine’s population prepared to resist the invaders was and is high. Although the will to resist is a prerequisite, however, it is not sufficient in and of itself to make resistance effective. In the early days of the invasion, for example, there were organised peaceful demonstrations in several occupied towns and cities. These had no effect, and the organisers were subsequently targeted for suppression. There has been value in graffiti and other demonstrations of the continued existence of the resistance movement, but only in sustaining the movement itself, rather than in having any significant psychological effect on the enemy. The organisation of sabotage and similar direct action is possible but also largely ineffective unless coordinated across multiple areas and carried out at scale. Any such operations tend to lead to the capture or disruption of the networks involved. Direct action therefore is used sparingly for two purposes: destabilisation of the counterintelligence regime on the territory; and the synchronised disruption of Russian units ahead of conventional forces moving into an area. Indeed, in most cases, direct action has actually been carried out by the special forces of Ukraine’s special services who are assisted by the resistance movement in their ability to transit and operate in areas. As these personnel can withdraw after carrying out an action, they pose less of a risk to the unravelling of the networks in place.

The much more useful and persistent value of the resistance movement is for reconnaissance and intelligence gathering. If carried out using the appropriate tradecraft, this can be executed without causing networks to be routinely unravelled by the counterintelligence regime. In the early days of the conflict, human reporting enabled the targeting of Russian units with artillery. Over time, the persistent human intelligence network held together by the resistance movement has been critical to the accurate targeting of Russian command and control and logistics infrastructure using the long-range precision fires supplied by military technical assistance from Ukraine’s international partners. The details of how the resistance movement is run is clearly operationally sensitive and is not detailed here. Nevertheless, it bears emphasising that the skills for running such networks are primarily those of human intelligence handling and covert communications and that the personnel best suited to this activity are mainly drawn from the special services rather than from the military.

The Russian military has resorted to a similar prioritisation of tasks among its agent network inside of Ukraine. Direct action has not constituted the primary threat from these personnel, though it does occur. Instead, the value of this network has been in assisting with the targeting of both the Ukrainian military and critical national infrastructure, including the conduct of battle damage assessments of energy infrastructure. The existing agent apparatus provides a strong foundation for running such operations and often the targeting information can be passed by commercial encrypted messengers to Russian handlers in Europe or elsewhere before it is routed into Russia. Nevertheless, maintaining this activity does place a premium on human intelligence, covert communication and tradecraft. Reflecting this prioritisation there has been a restructuring within the GRU. Having suffered several exposures in recent years, especially surrounding the personnel of Unit 29155 responsible for sabotage and assassination, this unit has apparently been transferred out of the clandestine space. At the same time, Andrei Averianov – previously commanding 29155 – was promoted and assigned three units under his command with tasks similar to those of his previous centre. Averianov and his new units are part of the structure of the 5th Department of the GRU, which is responsible for human intelligence. It is important to note that in many respects this is a return to form after several years of trying to create a more Western-style special forces capability. According to extant GRU instruction manuals, special operations are best carried out by illegal intelligence assets, which makes special operations practitioners first and foremost human intelligence officers, who are also capable of organising direct action, rather than vice versa. Historically, the relationship between Spetsnaz and military intelligence was very close, and a significant number of GRU employees began their careers in Spetsnaz. The role of human intelligence is especially important for units directly subordinated to the GRU. Thus, some officers of Unit 29155, who were exposed and can no longer be used undercover, are now involved in remote recruitment and management of agent networks on the territory of Ukraine.

Overall, it may be said that the Russians do not have much trouble obtaining information about targets or locations. Their capacity to collect is significant. Assembling, analysing and disseminating this information, however, is a different matter. It is understood within the Ukrainian intelligence community that the GRU has established a targeting centre for coordinating its reconnaissance across Ukraine. Reports from human agents are routed to this centre for analysis. Here analysts produce a daily overview of detections, cross referenced with GRU geospatial intelligence and other collection methods. These digests are then either sent to the relevant military district command post and thereafter downwards to the fire control headquarters of a combined arms army and then to the artillery tactical group if the target was of a tactical nature, or to the VKS, Russian Black Sea Fleet headquarters in Sevastopol or Iskandr battalions for a deliberate long-range strike. The evidence suggests that the ingestion and analysis of detections by the targeting centre would work on a 24-hour cycle. The target packs then provided to the relevant echelon would be sent with limited contextual information to determine prioritisation – and targets were often struck in the order in which target packs were received rather than in an order reflecting the characteristics or value of the target. Often the distribution of these instructions and the target’s place in the series of tasks of the unit assigned to conduct the strike would take at least 24 hours. Sometimes this was much longer, especially where it required Russian naval assets to move to a position and launch Kalibr missiles. Furthermore, some targets struck were military installations many years ago, suggesting that there is a drive for the GRU to generate targets even when it does not have current intelligence. The result has been a persistent problem for the Russians with latency between their collection and their ability to strike targets. Despite the shortcomings of Russia’s targeting cycle, the fact that they have consistently found targets and have the means to strike them means that how to identify and break up these human reconnaissance networks is a key question for the rear area security of NATO conventional forces in the event of conflict.

Conclusion

In studying the forms and methods of Russia’s unconventional war against Ukraine, it is worth considering the strengths of the Russian special services, their systemic weaknesses and the extent to which they will remain a major threat in the future.

To begin with Russian strengths, it is evident that the Russian special services managed to recruit a large agent network in Ukraine prior to the invasion and that much of the support apparatus has remained viable after the invasion, providing a steady stream of human intelligence to Russian forces. The internal threat significantly constrained the political room for manoeuvre for the Ukrainian state prior to the conflict and this produced unfavourable conditions for preparing the population for war. There has, for many years, been a bias in many states to favour collection against Russian activities on their territories. The evidence from Ukraine strongly suggests that Russian subversion should be actively resisted and disrupted before it can build up the mutually supporting structure that existed in Ukraine. The Russian tendency to corrupt targets for recruitment and to recruit under a false flag appears to be an effective means of building large networks quickly, though the reliability of individual agents is arguably much less than those recruited for ideological reasons. The tendency to rely on a small number of elite agents who run their own networks also means that moving against these individuals has a disproportionate impact on Russian capabilities.

Indeed, it is important to acknowledge that the threats outlined in this report – of high-level recruitment and the build-up of a support apparatus – is not a problem limited to Ukraine. During the course of the conflict both a senior signals intelligence analyst in the BND and a senior counterintelligence officer in the BND have been uncovered as Russian agents. The same methods are used, to some effect, widely. And the consequences of failing to counter this activity are significant. In April 2022 the authors of this report highlighted the extensive discussions in the Russian special services regarding their capacity to destabilise Moldova, in order ‘for destabilisation and the broadening of the front to protect [protract] and expand the economic and political costs on the West’. The attempt to destabilise Moldova appears now to be being attempted. It is important that states are proactive in preventing Russia building up these capabilities in their countries and, where this has been achieved, actively closing down these networks.

Another strength of the Russian unconventional warfare capabilities is their systematic methodology for repression of occupied territories. Although crude and violent – having a terrible effect on the economy and quality of life in targeted areas – it does appear to be an effective method of constraining resistance activities to a manageable level and maintaining control. The evidence from Chechnya suggests that it may take a generation for resistance to be fully quashed, but that does not mean that resistance activities threaten the Russian position. It is also important to note that the digitised tools that have proven an effective enabler of this counterintelligence apparatus are exportable to other autocracies and may be a feature of Russia’s offer to elites in states where it wishes to maintain influence. For NATO forces, the strength of the counterintelligence regime strongly suggests that partnered resistance operations need to be calibrated towards reconnaissance rather than direct action unless the territory on which the resistance network is active is likely to be imminently liberated. Those interfacing with these networks need to prioritise skills in handling human agents and in covert communications if their networks are to remain survivable. Another key lesson is that any resistance network established prior to a conflict must be invisible to the bureaucracy of the state, or else it risks exposure through the capture of a state’s records.

However, there are also clearly considerable deficiencies in Russia’s approach to unconventional warfare. At a fundamental level the Russian special services lack self-awareness, or at least the honesty to report accurately about their own efforts. In the case of Ukraine, a plan was attempted that was critically dependent on unconventional methods when the preconditions for success had not yet been achieved. This reveals wider cultural problems in the Russian services. That they are directed to bring about an outcome without independently assessing the viability of the plan creates a reporting culture where officers are encouraged to have a significant optimism bias. Furthermore, there appears to be a systemic problem of overreporting one’s successes and concealing weaknesses to superiors. This is evidenced by the overly optimistic assessment of the proportion of Russia’s agent network that would be proactive in supporting Russia in the context of a full-scale invasion. The fact that this lack of self-awareness in the Russian services contributes to blunders can certainly be exploited by counterespionage officers, but is far from comforting as it leads to a situation in which the Russians are difficult to deter because they have an unrealistic estimation of the likelihood of their success.

Another significant vulnerability in Russia’s approach to unconventional warfare is that it is formulaic. When under pressure, the reaction has been to revert to tried and tested forms and methods from the Soviet period rather than to innovate. Furthermore, because of the scale at which these activities are attempted, once a particular form or method is exposed it tends to have been widely replicated allowing for the rapid detection of a wide range of unconnected activities. The Russian system does not appear to encourage treating each operation as bespoke. Although this does mean that Russian operations can scale quickly against an unsuspecting target, there is also a real vulnerability to an alert target because operations risk exposing one another.

Despite this tendency to revert under pressure to established forms and methods, there is considerable dynamism and entrepreneurialism among Russia’s special services. As demonstrated by Wagner or the restructuring of the GRU’s clandestine capabilities while in contact, the services are quick to seize on opportunities and have the policies and permissions to do so. This is exacerbated by the political dynamic behind their employment, which is perhaps best captured in Ian Kershaw’s phrase describing the animation of the Hitlerite state as ‘working towards the Fuhrer’. The special services are encouraged to develop operations consistent with their understanding of Putin’s intent and, depending upon which is closest to his will and is more successful, there flows resource and attention. This kind of internal competition also allows Putin to reward or punish service chiefs and officials without their ever feeling truly secure. These dynamics make the special services highly active and willing to accept risk. It also distorts analysis, encouraging exaggeration of both their prospects in reporting and a catastrophism in ascribing failure to the scale of adversary efforts. It encourages blame shifting internally, limiting accurate after-action reviews. The upshot is that, while the Russian services may have failed in Ukraine, this is unlikely to prevent their being central to the coercive activities of the Russian state in the future, and countering them will remain no less important.

Jack Watling is Senior Research Fellow for Land Warfare at the Royal United Services Institute. Jack works closely with the British military on the development of concepts of operation, assessments of the future operating environment, and conducts operational analysis of contemporary conflicts. ack’s PhD examined the evolution of Britain’s policy responses to civil war in the early 20th century. He has worked extensively on Ukraine, Iraq, Yemen, Mali, Rwanda and further afield. Jack is a Global Fellow at the Wilson Center in Washington, DC.

Oleksandr V Danylyuk served as the Special Adviser to the head of Ukraine’s Foreign Intelligence Service, and as an adviser to Ukraine’s Minister of Defence. He currently heads the Centre for Defence Reforms and is a coordinator of the NATO–Ukraine intergovernmental platform for early detection and countering hybrid threats. He is an Associate Fellow at RUSI.

Nick Reynolds is the Research Fellow for Land Warfare at RUSI. His research interests include land power, wargaming and simulation. Prior to joining RUSI, he worked for Constellis. He holds a BA in War Studies and an MA in Conflict, Security and Development from King’s College London.