In June 2017 almost 50,000 computers across 130 countries operated by global Danish shipping and logistics conglomerate, Maersk, became infected with the ransomware NotPetya and shut down suddenly and without warning. However, it soon became clear that Maersk was not the only company infected. Other global companies such as American pharmaceutical giant Merck, American shipping company FedEx, and even Russian oil company Rosneft also were hit with the tailspin. Yet the main target of NotPetya — a ransomware outbreak that is widely alleged to have been created by the Russian state — is widely believed to have been Ukraine. Ukrainian banks, four hospitals in Kyiv, Kyiv’s Borispol airport, as well as Ukrainian energy firms Kyivenergo and Ukrenergo were amongst the companies affected.
What makes NotPetya so disruptive as a ransomware is that it demanded $300 in bitcoin for the decryption key for each infected hard drive, but in most cases simply wiped infected machines and their corresponding boot record, effectively rendering the damage to these systems irreversible. According to cybersecurity firm FireEye, this calling card is ubiquitous from the hacking group “Sandworm” that has been previously linked to Russia. In the past, Sandworm has targeted Ukrainian infrastructure, government ministries, and media. One of NotPetya’s infection tactics by hijacking an update mechanism of MeDoc (a widely used Ukrainian accounting software) also links the attack to Russia as the language used in the update mechanism hack was in Russian. Craig Williams, a Cisco researcher, also noted that NotPetya’s programmer “has a very clear idea who it wants to affect, and its businesses associated with the Ukrainian government… it’s very obvious this is a political statement.”
As of September 2017, FedEx reported a $300 million loss in its first quarter and attributed the loss mostly to the NotPetya virus. According to former Homeland Security advisor Tom Bossert, the ransomware resulted in more than $10 billion in total damages. In February 2018, the White House also reported that NotPetya was released by Russia’s military. In short, this cyber-attack was state-sponsored.
In Russia, the rise of telecommunications has led to an overwhelmingly large increase in the number of crimes committed. From 2001-2018, information communication technology crime (ICT crime) rose from 1,300 to 174,674. While this could have been attributed to the adoption of the internet by the general population, that rationale does not explain the 53 percent increase in ITC crime from 2018 to 2019. Moreover, Russian cybercrime is generally agreed upon as political in nature.
In 2018, The United States Secret Service continued to believe that Russian-speaking cybercriminals represented the most serious threat to global financial payment systems. This dual financial and political threat that Russian cybercrime represents includes a variety of different tactics such as direct state attacks — as in the case of NotPetya — and hybrid tactics — as seen in the usage of trolls during the 2016 US Presidential election cycle. According to James Clapper, the former U.S. Director of National Intelligence, Russia sees the threat in cyberspace to be constant, akin to the ongoing existential struggle harkening back to the Cold War. As its attacks grow increasingly aggressive, Russia is growing more confident in conducting cyber and espionage operations, which form an integral part of its grand military and political strategy.
Targets, Test Cases, and Tech-State Models
Over the past decade, there have been a few examples of large cyberattacks alleged to have originated with Russia that have targeted the functionality of a state. The first of these occurred in 2007 in Estonia after the Estonian government moved the Bronze Solider — a monument to the Soviet liberators of Tallinn — to the outskirts of the city from the center of Tallinn. This choice caused an uproar of anger and controversy amongst Russian language speakers and media in Estonia and sparked protests that resulted in 156 injured, one death and one thousand detained.
Over the next two weeks, Estonia was bombarded with cyberattacks that targeted banks, media outlets and government bodies. These cyberattacks were orchestrated by botnets sending massive waves of spam content, overwhelming servers. As this attack was reportedly the first to target a state, it meant that Estonian citizens could no longer access cash machines or their online banking information and that government workers could not communicate with one another. Because of the difficulty in identifying who was responsible (attributing the attack), Estonia has been unable to positively identify the attacker as the Russian government, though the attacks came from Russian IP addresses and online instructions were also in the Russian language. This attack was the first time a foreign actor has threatened another country’s national security through primarily cyber operations (cyberops).
A year later, a second large-scale cyberattack occurred in August 2008 during the Russo-Georgia War, which was remarkably coordinated with Russian military operations into South Ossetia. Although the 2008 Russian cyberops came at a much earlier time than the more advanced NotPetya attack of 2017 — and therefore lacked technical capacity in cyber warfare that has since been developed — the attacks still consisted of distributed denial of service (DDoS) attacks and website defacements. The attacks targeted and successfully impacted more than 50 websites linked to the Georgian government, media and financial sector. In fact, thirty-five percent of Georgia’s internet lost functionality during the attacks, the bulk of which took place between the eighth and tenth of August, coinciding with the Russian invasion of South Ossetia. While again, authorities have been unable to corroborate technical attribution yet, analysts agree that there is strong political and circumstantial evidence tying the operations to Russia.
The most recent high-profile cyberattack was the Russian interference in the 2016 U.S. presidential election cycle. Throughout the election process, Russian interference became prevalent at every level; state voter databases, the Hillary Clinton campaign, the Democratic Congressional Campaign Committee, the Democratic National Committee, the Marco Rubio campaign, and the Republican National Committee were all targeted and successfully hacked. The hackers then selectively released politically damaging information gained through the hacks, and spread propaganda on Twitter, Facebook, YouTube and Instagram. According to U.S. Intelligence, the goal was of this multi-faceted cyberattack was to firstly, damage the Clinton campaign, boost Trump’s chances, and sow overall discord in the US electoral process. In fact, Special Counsel Robert Mueller indicted 12 Russian intelligence officers for this cyberattack, making clear that the attack was coordinated and run by Fancy Bear, which refers to two specific units within the GRU: Unit 26165 and Unit 74455.
Combined with efforts to proliferate disinformation and foment social unrest through social media troll campaigns, the assault seems clearly designed to erode American’s trust and confidence in its institutions, political parties, and candidates, and to sow general discord in the American public. But why? What does Russia stand to gain from an Estonia, Georgia, or United States in disarray?
Rogue Reasoning
Due to the variety of the type of attacks, it is reasonable to ask what the goals and motivation behind them are. According to Group-IB, a Russian cybersecurity firm, the majority of state-sponsored threat actors focused on sabotage and espionage particularly against critical infrastructure such as power and nuclear plants, water, aviation and commerce. The short-term goals are obvious: in the case of Estonia, the disruption of banks and governing bodies in “retaliation” for the movement of the war memorial; in the case of Georgia, the disruption of the financial sector to distract and hamper Georgia’s response to the invasion of South Ossetia; and in the case of the U.S., the disruption of electoral and democratic systems. Yet the motivations for the attacks — in essence, why a cyberattack to disrupt civic order? — are more complex.
Some claim that Russia is intentionally acting as a rogue state in cyberspace. As such, Russia launches cyber-attacks and harbors cybercriminals with the aim of undermining international law and the domestic order of its rivals. As a rogue state, Russia’s primary goal is to cause instability in the world and to protect its own cybercriminals from U.S. extradition. While it has failed in the case Roman Seleznev, the founder of Russian criminal forum CarderPlanet.Ru, it has still maintained the security of Evgeniy Bogachev and Alexsey Belan, two cybercriminals on the Most Wanted CyberCriminals List. By protecting these criminals and their forums, Russia is not only actively enabling these criminals to continue their activity, but potentially also monopolizing their talents for their own state-sponsored crime.
Outside of instability, Russia is also motivated by national pride. This is, in a small part, verified by the hack of the World Anti-Doping Agency after the Olympics by ‘Fancy Bear’, in which Russia could not play a part due to doping allegations. Furthermore, Russian government-backed recruits also offer jobs to students and coders by posting on social media sites. Interestingly, Russian cyberattacks are generally reactive in nature, making any such attack unpredictable. This is again evident in the cases of Estonia, Georgia, and the US – where such attacks came suddenly and arose from alleged slights that Russia had experienced.
Ultimately, Moscow believes it stands to gain political and geostrategic leverage by disrupting social, civic, and governmental cohesion in its adversaries. In essence, Russia is using cyberspace to confuse, disorient, and divide its democratic adversaries’ citizenry. Confused, disoriented, and conflicted adversaries pose less of a threat to Russia and its interests. In the process, it weaponizes disinformation to erode the trust of foreign publics in democratic institutions and processes, further distracting them and hindering their governments to respond in a unified and coordinated way to Russian actions.
The benefits of this strategy — whether by design or accident — have certainly borne out in the cases of Georgia, Ukraine, and the United States. By distracting the Georgian response to the invasion of South Ossetia, Russia gained a tactical edge and sowed the seeds for further social upheaval against the Georgian government by an increasingly anti-Russian public. This is particularly visible given the riots in Georgia following the speech of a Russian MP in Russian within the Interparliamentary Assembly on Orthodoxy (IAO) when the MP sat in the speakers seat and would not speak in Georgian to the delegates. In Ukraine, Russia uses propaganda and disinformation to disrupt Ukraine’s transition to a democracy, pivot to the West, and response to the crisis in the Donbas region while solidifying the territorial gains it has made by annexing Crimea.
In the case of United States, Russia leveraged an already divided public by stoking public outrage and partisanship through disinformation, online trolling, and releasing damaging information on candidates from both parties, the effects of which are still being felt today. Moreover, the presence of a reckless U.S. President on the international stage has created fissures in long-standing American alliances in Europe and Asia, damaged U.S. credibility and international standing, and given Russia some measure of latitude to advance its regional interests. The most recent and perhaps most potent example of the latter is the U.S. withdrawal from Syria which not only allowed Russian forces to take their place and secure Russian influence in the region, but had the secondary effects of further aggravating Turkish-American relations, the dissolution of the Kurdish-U.S. alliance, and the subsequent defeat and withdrawal of the YPG.
By masking itself in cyberspace, Russia limits the likelihood of attribution — and therefore retaliation — for its actions. Russia also remains less affected by the methods its adversaries choose to retaliate. Although U.S. and European economic sanctions take their toll on the Russian economy, Europe remains reliant on Russian oil and gas. Due to Russia’s authoritarian state model and control of domestic media, it is able to withstand greater economic pain than democratic states without provoking the mass mobilization of Russians against the Kremlin. By the same token, if an adversary were to respond in-kind by attempting to hack and spread disinformation (something a traditional, international law-abiding state is unlikely to do), its effect on the Russian public would likely be limited, as Moscow lacks democratic checks against censorship and could counter by providing an alternative narrative through the state media.”
Moscow’s Methods and Capabilities
Russia’s increasingly assertive activities online beg the question, “How capable are Russian cyber operations?” This can, unfortunately, be challenging to ascertain, particularly given the struggle of positively attributing cybercrime to any one particular actor. However, by extrapolating attribution, experts are able to follow signals which hint at the extent of Russian capability in cyberspace. For example, the frequency and sophistication of recent large-scale attacks — particularly those that target governments — are so high and complex that it is clear that only an actor with the appropriate funding and support could sponsor it. Furthermore, particular signature codes, geolocation, and language used in these large-scale operations all point to Russia, particularly two of their better-known teams: Unit 26165 and Unit 74455 (also known as APT28 and APT 29).
Although this method of extrapolating attribution still leaves actors with the legal and ethical dilemma of retaliation, it does provide a better approximation of Russian capacity and capability in cyberspace. It can be said, then, with a high degree of confidence, that Russia has the means to successfully execute high-profile hacking, DDoS attacks, and cyber reconnaissance operations.
Other examples of Russian capability, according to intelligence sources, include their ability to disrupt critical U.S. infrastructure, including gas pipelines and power plants. This also precludes the ability to hack into private and government networks that might contain confidential technical information, military plans and private insight into government policies.
Russia’s activities in cyberspace go beyond what many foreign policy analysts deem as bad behavior. Not only do many of their operations cause massive damage, but Russia’s motivation to commit cybercrime and cyberwarfare also suggests that such attacks will continue unabated so long as the Russian state perceives itself as threatened. Past Russian cyberattacks have targeted a wide range of actors across widely ranging circumstances, but they all share one thing in common: they were all committed around the time that an actor spoke out against or allegedly acted in bad faith towards Russia.
Russian cyberattacks have resulted in billions of dollars in damages over the past decade, both impacting unlucky citizens of targeted foreign countries and the target countries themselves as well as disrupting global trade. Whether Russia attacks Estonia, Ukraine, Georgia or the United States – these actions in cyberspace toe the line of being too aggressive but do not quite reach the point where countries feel they can be absolutely sure of who is to blame. While some of these states, such as Estonia, have massively changed their approach to cybersecurity because of these attacks, others are not willing or able to do so. Ultimately, Moscow believes it stands to gain political and geostrategic leverage by disrupting social, civic, and governmental cohesion in its adversaries. This strategy has been effective in the past, and until it is proven to be ineffective, this will continue to plague the cyber landscape unless the West changes its behavior or improves its democratic and cyber defenses.
Gabriella Gricius
Director of Research
- Twitter: @ModernFledgling
- LinkedIn: Gabriella Gricius
All views expressed in this article are solely those of the author, and do not represent the views of The International Scholar or any other organization.
Banner photo provided using Standard Image License from DepositPhotos.com.