U.S. Secretary of State Mike Pompeo said in Dec 2020 that Russia was responsible for a cyber attack that embedded malicious code inside U.S. government software systems and those of other governments and companies across the world. The Kremlin has always denied Moscow’s involvement in cyber attacks against the West. It has said that Russia had nothing to do with this latest assault.
Microsoft has said the UK and six other countries outside the US have been affected by a suspected Russian hacking attack that US authorities have warned poses a grave risk to government and private networks. Brad Smith, Microsoft’s chief legal counsel, said the company had uncovered 40 customers, including government agencies, thinktanks, NGOs and IT companies, who were “targeted more precisely and compromised” after the hackers had gained initial access earlier this year. Eighty per cent were in the US, including, it is feared, agencies responsible for the US nuclear weapons stockpile. But the remainder were spread out across other countries. “This includes Canada and Mexico in North America; Belgium, Spain and the United Kingdom in Europe; and Israel and the UAE in the Middle East,” Smith said. “It’s certain that the number and location of victims will keep growing.”
The attack appears to have started when an updated popular IT network management tool called Orion, made by SolarWinds, was compromised from March this year. Around 18,000 customers installed the compromised update, many of whom were in the US federal government. Of these, at least 40 were then selected by the attackers for further exploitation, including the US Treasury and Department of Commerce, where emails are thought to have been read, and the National Telecommunications and Information Administration.
Some cyber researchers have suggested that Russia’s SVR foreign intelligence service may have been behind the latest attack. In 2018, Dutch media cited unnamed intelligence officials as saying the AIVD, the Dutch intelligence agency, had linked a Russian hacking group known as “Cozy Bear” or APT29 (advanced persistent threat 29) to the SVR. The AIVD did not comment. The Washington Post cited sources on Dec. 13 as saying the United States had identified “Cozy Bear” as being responsible for the latest cyber attack referred to by Pompeo.
The Kremlin has said many times it wants to improve ties with the United States, which are at a post-Cold War low and strained by issues from Ukraine to Syria. But it also openly views the United States as Russia’s main geopolitical adversary and as a threat to its national security. President Vladimir Putin has accused Washington of starting a new arms race and NATO of moving military infrastructure closer to Russia’s borders, and has complained about U.S. sanctions, part of what Putin casts as an attempt to hold Russia back economically and technologically.
America’s greatest vulnerability is its continued inability to acknowledge the extent of its adversaries’ capabilities when it comes to cyber threats, says Ian Bremmer, founder and president of leading political risk firm Eurasia Group. The adversarial states in question are what U.S. intelligence agencies call the “big four”: Russia, China, North Korea, and Iran.” We’re vulnerable because we continue to underestimate the capabilities in those countries.
“Despite advances in cybersecurity, cyber espionage continues to offer threat actors a relatively low-cost, high-yield avenue of approach to a wide spectrum of intellectual property,” it said. “We anticipate that China, Russia, and Iran will remain aggressive and capable collectors of sensitive US economic information and technologies, particularly in cyberspace. All will almost certainly continue to deploy significant resources and a wide array of tactics to acquire intellectual proper .
Moscow has used cyber operations to collect intellectual property data from U.S. energy, healthcare, and technology companies. Moscow’s military modernization efforts also likely will be a motivating factor for Russia to steal U.S. intellectual property. An aggressive and capable collector of sensitive U.S. technologies, Russia uses cyberspace as one of many methods for obtaining the necessary know-how and technology to grow and modernize its economy. Obtaining sensitive U.S. defense industry data could provide Moscow with economic (e.g. in foreign military sales) and security advantages as Russia continues to strengthen and modernize its military forces. Indeed, Russian cyber actors are continuing to develop their cyber tradecraft—such as using open-source hacking tools that minimize forensic connections to Russia.
Russia’s Approach to Cyber Warfare
Russian military theorists generally do not use the terms cyber or cyberwarfare. Instead, they conceptualize cyber operations within the broader framework of information warfare, a holistic concept that includes computer network operations, electronic warfare, psychological operations, and information operations. According to the Military Doctrine of the Russian Federation (2010), one of the features of modern military conflicts is “the prior implementation of measures of information warfare in order to achieve political objectives without the utilization of military force and, subsequently, in the interest of shaping a favourable response from the world community to the utilization of military force.”
Russian military thinkers on information operations IO and asymmetric military tactics, Col. S.G. Chekinov (Res.) and Lt. Gen. S.A. Bogdanov (Ret.), observed that information could be used to disorganize governance, organize anti-government protests, delude adversaries, influence public opinion, and reduce an opponent’s will to resist.
An analysis by the Defense Intelligence Agency in 2017 outlines Russia’s view of “Information Countermeasures” or IPb (informatsionnoye protivoborstvo) as “strategically decisive and critically important to control its domestic populace and influence adversary states”, dividing ‘Information Countermeasures’ into two categories of “Informational-Technical” and “Informational-Psychological” groups. The former encompasses network operations relating to defense, attack, and exploitation and the latter to “attempts to change people’s behavior or beliefs in favor of Russian governmental objectives.”
Offensive cyber is thus relegated to a supporting—albeit significant—role in helping the state achieve information dominance in all the stages of conflict. Offensive cyber is playing a greater role in conventional Russian military operations. During the contingencies in Georgia and Ukraine, Russia employed cyber as a conventional force enabler.
Hacktivists and cyber-criminal syndicates have been a central feature of Russian offensive cyber operations, because of the anonymity they afford and the ease with which they can be mobilized. Cyber hacking groups, or advanced persistent threat (APT) groups, have become a
central part of Russia’s cyber IO toolkit. While direct links to the Russian government are difficult to prove conclusively (and the Russian government denies that it sponsors any hacker groups), there are a number of groups whose activities closely align with Kremlin and Russian military objectives.
Russia’s Cyber Warfare operations
Cyberwarfare by Russia includes denial of service attacks, hacker attacks, dissemination of disinformation and propaganda, participation of state-sponsored teams in political blogs, internet surveillance using SORM technology, persecution of cyber-dissidents and other active measures. According to investigative journalist Andrei Soldatov, Some of these activities were coordinated by the Russian signals intelligence, which was part of the FSB and formerly a part of the 16th KGB department.
Russian spies launched a global cyber war to interfere with three elections, the Olympics, the MH17 investigation and the hunt for the men behind the Skripal attack in Salisbury. The Kremlin has been accused of using its agents to ‘foster instability’ in democracies around the world as their operations over the past three years were laid bare. Targets included the metro and airports in Ukraine, police in Malaysia investigating claims the Russians shot down MH17 killing 300 passengers and even the emails of a small UK TV station.
It has been claimed that Russian security services organized a number of denial of service attacks as a part of their cyber-warfare against other countries, such as the 2007 cyberattacks on Estonia and the 2008 cyberattacks on Russia, South Ossetia, Georgia, and Azerbaijan. The DDoS attacks against Estonia during April and May 2007 constitute the first large-scale coordinated use of cyber by Russia to affect a strategic outcome in a neighboring state.
In April 2007, following a diplomatic row with Russia over a Soviet war memorial, Estonia was targeted by a series of cyberattacks on financial, media, and government websites which were taken down by an enormous volume of spam being transmitted by botnets in what is called a distributed denial-of-service attack. Online banking was made inaccessible, government employees were suddenly unable to communicate via e-mail, and media outlets could not distribute news. The attacks reportedly came from Russian IP addresses, online instructions were in Russian, and Estonian officials traced the systems controlling the cyberattacks back to Russia.A year after the attack NATO founded the Cooperative Cyber Defence Centre of Excellence in Tallinn as a direct consequence of the attacks
Georgia’s military intervention in South Ossetia on August 7, ostensibly to prevent Ossetian shelling of Georgian territory, prompted Russia to mount a large-scale land, air, and sea invasion of Georgia on the following day (August 8). As Russian military forces moved into South
Ossetia, a slew of DDoS attacks took down Georgia’s information infrastructure, cutting off government communications and defacing government websites. Georgian banks, transportation companies, and private telecommunications providers were also attacked, disrupting services.
On 20 July 2008, the website of the Georgian president, Mikheil Saakashvili, was rendered inoperable for twenty-four hours by a series of denial of service attacks. Shortly after, the website of the National Bank of Georgia and the parliament were attacked by hackers who plastered images of Mikheil Saakashvili and former Nazi leader Adolf Hitler. During the war, many Georgian government servers were attacked and brought down, reportedly hindering communication and the dissemination of crucial information. According to technical experts, this is the first recorded instance in history of cyberattacks coinciding with an armed conflict.
Russian hackers have utilized spear phishing, malware, DDoS attacks, telephone denial of service (TDoS) attacks, and other forms of cyber disruption and espionage to conduct a steady drumbeat of cyberattacks targeting Ukraine’s government, military, telecommunications, and private-sector information technology infrastructure.
In March 2014, a Russian cyber weapon called Snake or “Ouroboros” was reported to have created havoc on Ukrainian government systems. The Snake tool kit began spreading into Ukrainian computer systems in 2010. It performed Computer Network Exploitation (CNE), as well as highly sophisticated Computer Network Attacks (CNA).
From 2014 to 2016, according to CrowdStrike, the Russian APT Fancy Bear used Android malware to target the Ukrainian Army’s Rocket Forces and Artillery. They distributed an infected version of an Android app whose original purpose was to control targeting data for the D-30 Howitzer artillery. The app, used by Ukrainian officers, was loaded with the X-Agent spyware and posted online on military forums. CrowdStrike claims the attack was successful, with more than 80% of Ukrainian D-30 Howitzers destroyed, the highest percentage loss of any artillery pieces in the army (a percentage that had never been previously reported and would mean the loss of nearly the entire arsenal of the biggest artillery piece of the Ukrainian Armed Forces.). According to the Ukrainian army, this number is incorrect and that losses in artillery weapons “were way below those reported” and that these losses “have nothing to do with the stated cause”.
The U.S. government concluded after a study that a cyber attack caused a power outage in Ukraine which left more than 200,000 people temporarily without power. The Russian hacking group Sandworm or the Russian government were possibly behind the malware attack on the Ukrainian power grid as well as a mining company and a large railway operator in December 2015.
US & UK
The United States and Britain in 2018 accused Russia of launching cyber attacks on computer routers, firewalls and other networking equipment used by government agencies, businesses and critical infrastructure operators around the globe. Network infrastructure consists of interconnected devices designed to transport communications needed for data, applications, services, and multi-media. Routers and firewalls are the focus of this alert; however, many other devices exist in the network, such as switches, load-balancers, intrusion detection systems, etc.
Since 2015, the U.S. Government received information from multiple sources—including private and public sector cybersecurity research organizations and allies—that cyber actors are exploiting large numbers of enterprise-class and SOHO/residential routers and switches worldwide. The U.S. Government assesses that cyber actors supported by the Russian government carried out this worldwide campaign. These operations enable espionage and intellectual property theft that supports the Russian Federation’s national security and economic goals. In April 2015, CNN reported that “Russian hackers” had “penetrated sensitive parts of the White House” computers in “recent months.” It was said that the FBI, the Secret Service, and other U.S. intelligence agencies categorized the attacks as “among the most sophisticated attacks ever launched against U.S. government systems.
In 2018, the United States Computer Emergency Response Team released an alert warning that the Russian government was executing “a multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities’ networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks.” It further noted that “[a]fter obtaining access, the Russian government cyber actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems.” The hacks targeted at least a dozen U.S. power plants, in addition to water processing, aviation, and government facilities
In 2016, the release of hacked emails belonging to the Democratic National Committee, John Podesta, and Colin Powell, among others, through DCLeaks and WikiLeaks was said by private sector analysts and US intelligence services to have been of Russian origin. Also, in December 2016, Republicans and Democrats on the Senate Committee on Armed Services called for “a special select committee to investigate Russian attempts to influence the presidential election”
Projecting Soft power
In addition to the instances we have cited of Russia employing its cyber capabilities to deter, compel, or disorient its adversaries, the Kremlin also uses cyber in a soft power sense—to disseminate pro-Russian propaganda and undermine popular support for adversary governments, write Michael Connell and Sarah Vogler in Russia’s Approach to Cyber Warfare.
Its efforts in this regard fall into three broad categories:
1. The use of state-funded, pro-Russian news media sites, such as Sputnik and RT (formerly Russia Today)
2. Spreading adverse or misleading information on foreign governments and institutions via leaks of documents that often were obtained via hackers, spear phishing, or other forms of cyber espionage
3. Russia’s use of internet “trolls” (i.e., individuals paid to create fake blogs and online profiles to swamp news comment sections with misleading, false, or pro-Russian points of view)
Hackers “aligned with Russian security interests” have been engaged in a sustained campaign to compromise news websites in Poland and Lithuania to plant false stories aimed at discrediting Nato, according to a new report in August 2020. Part of the campaign – labelled “Ghostwriter” – involved gaining access to news sites publishing systems, deleting stories and replacing them with false news that sought to delegitimise the transatlantic alliance. Emails purporting to be from a local news service with links to the doctored articles were then sent out to other media and public institutions in an attempt to disseminate the fakes and give them further credibility. John Hultquist, senior director of intelligence analysis at Mandiant, said: “The method of hacking media sites to push fabricated narratives is a powerful one,” and added that he expected it to recur in Europe and the US “as a means to alter perception there”.
In the run up to the referendum on the United Kingdom exiting the European Union (“Brexit”), Prime Minister David Cameron suggested that Russia “might be happy” with a positive Brexit vote, while the Remain campaign accused the Kremlin of secretly backing a positive Brexit vote. In December 2016, Ben Bradshaw MP claimed in Parliament that Russia had interfered in the Brexit referendum campaign.
The primary cyber tools that Russia employs for soft power IO are hacker groups and internet trolls. Hacker groups provide Russia with a covert, non-attributable option for acquiring data and documents that can be used in disinformation campaigns and information operations. They conduct a range of cyber activities, from DDoS attacks and cyber espionage to data/document exfiltration and digital sabotage. Documents exfiltrated by the hacker groups are released to the public either via such platforms as WikiLeaks or official news media sites. The documents often contain embarrassing personal information about foreign political or opposition leaders, expose dubious state policies or business practices, or contain information that discredits a government or institutions, write Michael Connell and Sarah Vogler .
For example, the hacker groups described as APT 28 (also known as Fancy Bear and Sofacy) and APT 29 (also known as Cozy Bear) are believed to be the groups behind the 2016 leaks of documents from the Democratic National Committee (DNC) servers. These groups are believed to be the cyber components of Russia’s military intelligence agency (GRU) and state security services (FSB), respectively. In the past, APT 28 has targeted Ministries of Defense all over Europe and is believed to be the group that targeted the Georgian military during the 2008 Russo-Georgian war. APT 29 has been caught accessing the U.S. White House, State Department, and Joint Chiefs of Staff unclassified websites
References and Resources also include: