10 January 2023

China-Russia Report


The Russian intelligence community’s 2022 failures start at the top, with Vladimir Putin, the “King of the Spies,” to borrow Mark Galeotti’s framing. While Putin was a longstanding KGB counterintelligence officer, the war exposed Vladimir Putin’s misunderstanding of fundamental elements of power, including 21st century espionage. As The Report wrote in early March 2022:

“Putin tried to conceal his plans from everyone – Western technical intelligence, potential Western spies in the Russian policymaking and security apparatus, and, apparently, the Russian military. Putin’s attempts to conceal the invasion failed utterly; he valued secrecy over operational efficiency but obtained neither. Indeed, the 69-year-old, like many intelligence officers from the pre-digital age, seems to have failed to grasp how technology – satellites, cellphones, computers, cameras, etc – has produced a revolution in intelligence affairs.”

Putin’s obsession with secrecy, while useful in many intelligence and counterintelligence contexts, proved disastrous for coordinating a complex, joint operation.

The FSB’s blunders in preparing the invasion of Ukraine

Vladimir Putin’s disastrous decision to invade Ukraine largely reflected his own profound misjudgments, but Russia’s intelligence services were hardly blameless. Most “intelligence failures” are actually policymaking errors, as decision makers often cherry-pick intelligence to confirm their biases or simply ignore unpleasant information. Putin’s decades-long denial of a separate Ukrainian sovereignty and identify certainly left him predisposed to accept estimates of an easy invasion. Russian security services, however, especially the Federal Security Service (FSB)’s Fifth Service, eagerly confirmed Putin’s biases, aggravating the most significant military disaster in Russian history since at least the Soviet invasion of Afghanistan in 1979.

The FSB, more than any other Russian security service, bears the brunt of the blame for Moscow’s disastrous invasion of Ukraine. The FSB is Russia’s chief domestic intelligence service but leads security efforts in countries formerly in the Soviet Union; it is also arguably the most powerful actor in the Russian intelligence ecosystem. Acting on inaccurate information from the FSB’s Fifth Service and poor campaign plans, columns of Russia’s Rosgvardia national guard entered Ukraine without substantial armored protection. The result was a bloodbath: Rosgvardia units are essentially riot police and their lightly-armored vehicles were easily picked apart by Ukrainian soldiers employing Javelins, NLAWs, and other heavy weapons.

The Rosgvardia foul-up was a symptom of a far larger problem: the FSB’s overconfidence. According to reporting from the Washington Post, FSB officers spent their final pre-invasion days preparing accommodations in Kyiv. The Russian military’s war plans proved wildly unrealistic due to faulty, overconfident FSB estimates, as stout Ukrainian resistance first prevented Russian forces from capturing Kyiv then drove the invaders back in the later phases of the war.

In response to the FSB Fifth Department’s failures, Putin reportedly jailed its director, Colonel-General Sergei Beseda, although later reporting suggests Beseda is still active. While Putin is primarily responsible for the analytical (not to mention moral) failures that drove Russia’s invasion of Ukraine, the FSB’s failure shaped the crucial, initial stages of a war that is degrading the Russian intelligence complex.

Russia’s porous SIGINT defenses and overestimated offensive capabilities

Russia’s force structures, or the siloviki, have long enjoyed a enjoyed a reputation as one of the world’s most capable cyber actors. It seems increasingly likely that their capabilities were overestimated before the war and are only getting worse, however. Russian signals intelligence (SIGINT), or “cyber” defensive capabilities have long been regarded as relatively porous, which the war seems to have confirmed: Western security services enjoyed extraordinary, near-real time insight into Russian war planning as high-ranking commanders reportedly discussed war plans on non-secure networks. Moreover, an onslaught of Russian offensive cyberattacks against Ukraine and, potentially, other Western targets, have not materialized despite fears. While Russian cyber knowhow, especially offensive capabilities, shouldn’t be dismissed, there’s a growing body of evidence suggesting that Russia’s SIGINT abilities are less advanced than feared before the war. Finally, with some reports finding over 30% of Russian IT professionals have fled the country, Russia’s cyber capabilities will likely deteriorate further.

Signals intelligence (SIGINT), refers to intelligence collected from electronic transmissions that can be collected by ships, planes, ground sites, or satellites; communications intelligence (COMINT), or information gleaned from communications intercepts (such as phone calls, emails, etc), is a subset of SIGINT. Russian security services have been a very active player in SIGINT, particularly offensive SIGINT: they very likely implanted the “agent.btz” malware which infiltrated the US Central Command’s computer systems in 2008; engaged in an audacious hack-and-release campaign in 2016 after listening to the requests of a US Presidential candidate, potentially altering the election’s outcome; and broke into Treasury and Commerce Department email systems.

Despite this storied (some would say sordid) history of offensive cyber operations, Russian SIGINT defenses are extremely porous and, in some cases, nearly non-existent. Non-state actors such as Bellingcat have been able to acquire incriminating information about Navalny’s FSB stalkers by simply purchasing the data for a small fee from data merchants, while Vladimir Putin’s talk at the St. Petersburg International Economic Forum was delayed by over 100 minutes due to hackers. It doesn’t take much creativity to imagine how a vastly more capable state actor, such as Ukraine, might take advantage of Russia’s extremely porous cyber defenses. Indeed, Ramzan Kadyrov, the brutal warlord of Russia’s Chechnya, reportedly revealed Russia’s invasion plans on an open phone line, providing critical tactical intelligence about the impending invasion. Astonishingly, Russian military forces continued to use unsecured communication devices and lines after the invasion, creating targeting opportunities for Ukrainian military intelligence.

While Russia’s defensive cyber capabilities have failed to meet even low external expectations, its cyber offensive capabilities in the post-invasion period have, so far, proved less fearsome than originally anticipated. On February 15th, a little over a week before the invasion, Ukrainian government websites and banks were shut down by a cyberattack, presumably from Russia. This attack was noxious but appears to have done little to nothing to degrade Ukraine’s ability to resist. Russian cyber forces also reportedly attempted – and failed – to knock out a section of the Ukrainian power grid that would have caused an electricity blackout for 2 million people. Finally, the Russian military’s kinetic attacks on the Ukrainian electricity grid are not only heinous but may also reveal Russia’s offensive SIGINT weaknesses: instead of employing inexpensive cyber capabilities, Russian armed forces are depleting their scarce precision-guided munitions inventory and firing missiles at Ukrainian electricity infrastructure.

Gavin Wilde’s outstanding deep dive into Russian cyber warfare for Carnegie provides highly credible explanations for Moscow’s cyber shortcomings. First, Russian cybercommands may be optimized for counterpropaganda, not offensive cyber operations. Wilde also hypothesizes that Russia’s premier offensive cyber capacities are housed within agencies focused on intelligence and subversion – not combined-arms warfare. Finally, Wilde writes that pervasive optimism bias in the run-up to the invasion may have inhibited Moscow’s cyber performance, as Russian planners believed they could capture vast portions of Ukraine intact. Intriguingly, Wilde found “The FSB likely held an institutional view of Ukraine as part of its own home turf, potentially disinclining it from damaging crucial Ukrainian infrastructure that Russia would itself require in an invasion and occupation.”


Finally, the mass exodus of Russian IT professionals may be the most profound and damaging consequence of the war for Russian SIGINT, and the Russian intelligence ecosystem more broadly. Some reporting suggests 3-in-10 Russian IT professionals have fled for other countries, taking with them valuable skills, institutional knowledge and, in some cases, classified intelligence. Russia intelligence’s remaining IT workforce will likely have fewer personnel to accomplish more tasks due to the war, impairing its SIGINT efficiency.

Let’s be clear: Russia possesses significant cyber capabilities, especially offensive capabilities, and can do real damage to the United States and its allies, friends, and partners. Russian hacking groups have successfully breached US critical infrastructure, including the infamous Colonial Pipeline hack in May 2021. Still, Russia’s poor wartime cyber efforts and the exodus of Russian IT professionals, along with the centrality of technology in 21st century espionage, raise questions about Russia’s ability to keep pace with the world’s leading technological and intelligence powers.

The SVR is burning its most exquisite capabilities

Perhaps the most damaging outcome of the war on Russian intelligence is the rapid erosion of spy networks controlled by the Foreign Intelligence Service (SVR), Russia’s premier civilian intelligence service. The war is attriting some of Russia’s most exquisite intelligence capabilities, such as Russian intelligence officers operating under deep cover and Western moles working for Russia.


Intelligence officers operating under non-official cover (NOC) are among an intelligence service’s most valuable assets: unlike intelligence officers operating under official cover, typically at an embassy, NOCs do not enjoy diplomatic immunity and have no official ties with their government, placing them at severe risk if uncovered. Consequently, NOCs are typically highly skilled and extraordinarily committed to their mission, while their actions can be denied by their government (with varying degrees of plausibility). Russian security services, continuing Soviet traditions, have employed NOCs operating under illegal cover, such as the infamous Anna Chapman spy ring.

Putin’s invasion of Ukraine is pressuring their NOC assets. Wartime requirements have increased the tempo of Russian intelligence operations, while Western countries’ expulsion of Russian intelligence officers operating under official cover is reducing the ability of the SVR to run assets via “normal” channels, via its embassies and consulates. Accordingly, the SVR has been forced to lean heavily on its NOC assets, substantially raising their probability of detection and detention.


While cultivating NOCs and their spies is costly and takes years or even decades to develop, the invasion may have dismantled key Russian spy networks in a matter of months, as several Russian NOCs and at least one very high-ranking Russian mole in German intelligence have been arrested. Moreover, since counterintelligence investigations often take months or even years before action is taken, Western security services are likely in the intermediate or closing stages of more arrests or operational neutralization.

While much intelligence data is non-public, for obvious reasons, public evidence suggests it has been a very difficult year for Russian intelligence officers and their agents. In June, Dutch authorities refused entry to a Russian NOC posing as a Brazilian but secretly working for Russia’s military intelligence service, the GRU, sending him back to Brazil, where he was sentenced to 15 years imprisonment. In late November, Swedish authorities raided the house of a Russian couple believed to be tied to the GRU; the couple may also have handled two brothers in the Swedish force structures who are accused of spying for Moscow over a 10-year period. Norway, meanwhile, has arrested a Russian man purportedly researching Arctic policy but allegedly spying for Russian security services, while several Russian citizens have been detained for flying drones near Norway’s critical oil and gas infrastructure. Austrian authorities are also investigating a Greek national who very likely spied for Russia for years, as a search of his home uncovered specialized equipment.

Other arrests and captures may be even more significant. An alleged, high-ranking mole in Germany’s Federal Intelligence Service technical reconnaissance department was arrested by German counterintelligence authorities on December 21st after reportedly passing classified information to Moscow. The agent was very likely one of Russia’s most valuable sources until his capture.

The series of arrests and captures was very likely the product of efficient counterintelligence work by Western security services. Still, the scope and significance of these Western arrests could raise fears in Moscow that Western intelligence has achieved technical access to Russian secrets or, potentially even worse for Moscow, burrowed its own mole or network of moles inside Russian intelligence. With Vladimir Putin’s immoral, ruinous, and reckless war leading to the deaths of tens of thousands of Russians and Ukrainians, and plunging countless more in Russia, Ukraine, and beyond into poverty and squalor, it would not be a surprise if a Russians, acting out of patriotic duty, stood up to undercut Putin’s war and restore peace by cooperating with Western intelligence.


While it’s impossible to publicly measure trends in intelligence, due to its secretive nature, Russian spy networks do appear to be suffering blows in some of their highest priority theaters. Moreover, because counterintelligence operations take months, years, or even longer, 2023 could see further unraveling of Russian spy networks, although some of these results may not become public for a long time.

This is no time for triumphalism: a note of caution about Russian and Chinese security services

While 2022 exposed weaknesses in the Russian intelligence community, Russian security services remain formidable. The SVR remains expert in human intelligence; the GRU’s brazen attacks in the Czech Republic and Salisbury, England demonstrate it remains capable of blunt, unsubtle force; and the FSB is unimpressive but probably effective and loyal enough to suppress domestic protests and any elite move against Putin. While the Russian intelligence complex has performed poorly in 2022, it would be unwise to assume it is incapable of adaption. Russian security services may overhaul practices or scale back unachievable ambitions. An underrated risk is that Putin will seek to intervene even more openly in Western elections, including via energy and economic levers. Putin and the Russian force structures are down, not out.

Other lessons must be applied to constrain the sharp power of another, much more capable competitor: the People’s Republic of China. It would be a mistake to assume that Chinese intelligence is overrated just because Russian efforts failed miserably in 2022: PRC intelligence services draw from vastly more resources than their Russian counterparts, are extraordinarily capable cyber actors, and have different ways, means and ends.

Still, lessons learned from Russia’s invasion of Ukraine could limit PRC HUMINT in potential wartime contingencies. While fears of being accused of warmongering may have prevented Washington and Brussels from expelling suspected Russian intelligence officers prior to the invasion, post-invasion expulsions are clearly degrading Russian intelligence operations. Consequently, if the People’s Republic of China ever appears likely to invade Taiwan, or apply other significant coercive measures, the US and its allies, friends, and partners should move to expel suspected PRC intelligence officers before military hostilities commence. This measure would not be without drawbacks and risks, but it could symbolically signal resolve and substantively degrade the PRC’s ability to collect intelligence and conduct covert actions ahead of a potential conflict.

Although PRC HUMINT networks are traditionally less reliant on embassies than Russia’s, they are still significant. Encouragingly, Beijing’s zero-COVID policy very likely degraded its human intelligence collection efforts (and, interestingly, may have been a contributing factor in the arrest of some Chinese assets seeking to steal Russian military technology). As Chinese spy networks emerge from zero-COVID restrictions, however, they may increasingly rely on embassies to reconstitute dormant assets. While there is little near-term risk of a PRC invasion of Taiwan, Washington, Brussels, and other like-minded partners may be able to limit future PRC HUMINT operations by expelling intelligence officers operating under diplomatic cover.

Finally, judging from public arrests made throughout 2021, Russian security services, especially the GRU, were very active in Europe ahead of the invasion. As many noted at the time, this was an obvious potential early warning indicator. Similarly, any sudden spike in PRC military intelligence operational tempo would be notable, particularly if accompanied by other warning indicators that John Culver and others have written about.

No comments: