State-Sponsored Cyber Threats: Russia

Among the leading actors in state-sponsored cyber warfare, the Russian Federation stands out for its highly sophisticated and stealthy attacks on foreign governments and industries. Born out of an effort to monitor and control the flow of information within its borders following the breakup of the Soviet Union, Russia’s cyber operations have evolved into a disciplined, adept force in cyberspace.

Capabilities

While exact figures for the scope and scale of Russia’s cyber army are impossible to know, most experts estimate that the sophistication of Moscow’s cyber operations is rivaled only by that of the United States. While cybercrime syndicates undoubtedly play a role in directly or indirectly supporting Kremlin objectives, the perpetrators behind most of the advanced attacks in recent years have likely been Russian government organizations.

Historically, Russia’s trademark characteristic in cyber warfare is the false flag attack—one in which the attacker’s true identity is obfuscated and substituted for another identity in an effort to avoid accurate attribution. Russian hackers also appear to favor social engineering techniques such as spear phishing and watering hole attacks to induce privileged users to unwittingly download malware.

Backed by ample government resources, Russian hackers operating throughout the state security and intelligence services have proven themselves highly persistent when encountering resistance to intrusions. For example, rather than cease operations after being discovered in an extended campaign against the Ukrainian government in 2013, Russian hackers merely modified their tactics to avoid further detection. This behavior resonates with a recent and unprecedented trend in Russia’s cyber strategy, namely, a willingness to make their efforts known to their targets.

Victims

Russia’s state-sponsored cyber activities trace back to the first decade of post-Soviet independence when Kremlin cyber warriors carried out sabotage campaigns against pro-Chechen websites. Since then, Moscow’s victims have been largely confined to foreign governments. In 2007, Russia made international headlines when cybercriminal groups it had sponsored carried out a large-scale attack against neighboring Estonia amidst a political row, disabling the websites of various government ministries, political parties, banks, news agencies, and communications firms.

In 2008, Russia again entered the geopolitical spotlight during its invasion of Georgia. In the hours leading up to the attack, the country’s Internet experienced a crippling distributed denial of service (DDoS) attack. While Georgian authorities could not conclusively trace the origin of the attack to the Russian government, Georgian authorities and Western cybersecurity experts agreed that the perpetrator was either a Russian state entity or a criminal group operating with the approval and support the Russian government.

Several years later, US authorities discovered that Russian hackers had modified the malware used in the Georgian attack to infiltrate and commandeer the industrial control systems of US critical infrastructure. From 2011 to 2014, this Trojan—known as “Black Energy”—had remained undetected in the systems that control power grids, water distribution systems, and nuclear power plants.

As the conflict in Ukraine began to escalate in late 2013 and early 2014, a coordinated spear phishing campaign originating from Russia targeted government entities in Poland, Ukraine, and the European Union (EU). Spyware installed on targets’ computers would probe networks for valuable information on government activities and plans.

In 2014, Russian hackers infiltrated the internal unclassified systems of the US State Department, the White House, and other government agencies in what authorities considered one of the most advanced cyber attacks ever directed against the US government. In October 2014, security firms attributed two separate cyber espionage campaigns targeting NATO, EU, and Ukrainian government agencies to Russia. Attackers used phishing techniques to implant malware on victims’ computers, giving them access to sensitive systems and files.

Many suspect that Russia was also behind the attacks on French television station TV5 Monde in April 2015, when the station was taken off air and its website and social media pages defaced by a purportedly pro-Islamic State group calling itself the “CyberCaliphate.”

Motivations

Russia’s primary motivation in pursuing an offensive cyber strategy is to tip the scale of asymmetric information in its favor for purposes of geopolitical gain. Domestically, the Kremlin carefully curates a national image of Russia as a victim of the West and guarantor of security in the post-Soviet space. In order to support the credibility of that narrative, the Russian government must restrain the flow of information across and within its borders that challenges these notions. Simultaneously, it must propagate a pro-Russian message at home and abroad in order to dilute the prevailing anti-Russian sentiment in the world’s free media.

To be effective, both pursuits require that the Kremlin achieve deep visibility into the accumulated knowledge of Western governments. By gaining insight into the geopolitical strategies of Western powers, as well as their knowledge of Russian activities and capabilities, the Kremlin is better able to anticipate and counteract Western maneuvers with well formulated disinformation.

Outlook

As international public opinion of the Kremlin’s actions in the post-Soviet space continues to sour, Russia is likely to expand its cyber operations by developing innovative methods for infiltrating target networks, disabling systems, and stealing valuable political and military intelligence. Attacks on foreign governments are also likely to include infiltrations of the industrial control systems of critical infrastructure, as demonstrated by the Black Energy attack on the United States. This not only accomplishes the immediate objective of gaining a strategic advantage, it also serves to bolster Russia’s reputation as a highly capable state actor in cyberspace.

In keeping with the Kremlin’s demonstrated priorities and geopolitical objectives, Russia’s cyber operators will likely continue to pursue various forms of advanced information warfare. These may include attacks on media organizations as well as efforts to counter negative public perception through coordinated disinformation and promotion campaigns on the Internet. Whatever the form, the advanced technical prowess of Russia’s cyber operations will undoubtedly vex its targets for a long time to come.