Cyber Espionage and Information Warfare in Russia
By John A. Farinelli
HISTORY OF RUSSIAN CYBER ESPIONAGE AND INFORMATION WARFARE
Where Russia may fall behind other countries around the world regarding military capabilities and combat resources, Russia’s continued cyber espionage and information warfare campaign has been developed to balance out power with the rest of the world. This technological battle, which is usually conducted remotely, without a spy ever leaving their home country (Terry, 2018) has become the future of warfare.
Russian cyber espionage and information warfare is a lasting method of thinking from the Soviet time of rule, as Soviet leaders understood the value of information and the power of influence (Cunningham, 2020). After the collapse of the Soviet Union, the methodology behind cyber espionage and information warfare in Russia evolved from a method to achieve political objectives to a modern way to plant seeds of doubt and distrust, confusion, distraction, polarization, and demoralization on their targets of attack (Porotsky, 2019). In addition to the Soviet way of thinking, Russia has developed strong methods of cyber espionage and information warfare out of necessity: as a way of protection. Due to their expansive border and lack of natural geographic barriers they have on their southern and western borders, these tactics were developed as geographical defenses in substitute of physical barriers.
While Russia’s history of cyber espionage and information warfare began relatively recently, their effects have not gone unnoticed by the United States and the rest of the world. Russia’s attacks on the United States began in 1996 with the Moonlight Maze attack. This was categorized as the first nation state sponsored cyber espionage campaigns and this effort involved the theft of classified information from the Department of Energy, NASA, the Department of Defense, defense contractors, and private sector entities. This initial attack badly compromised national security capabilities, strategies, and interests in the United States (Westby, 2020).
In 2008, the United States was once again attacked by the cyber espionage and information warfare capabilities of Russia in an attack by the group called Turla. This group attacked United States military systems using deception, back doors, rootkits, and infection of government websites (Westby, 2020).
More than five years later, one of the most recognizable attacks to the American public occurred in 2015, as a group called Cozy Bear hacked many United States government agencies. These included the email systems of White House, the Pentagon, and the Democratic National Committee (Westby, 2020). From 2014 through 2020, these attacks formed the basis of reports about the Russians interfering in the 2016 and 2020 United States Presidential Elections. The lack of a response to the interference from the United States government has set the dangerous precedent for what Russia is allowed to get away with, and how much they can get away with. If Russia can directly interfere in a major federal election without serious repercussions, what stops them from interfering in all elections in the United States to enact profound influence within the system.
These attacks have continued and persisted by Russia without any direct repercussions by the United States towards Russian entities and the Kremlin, I would consider developing newly protected voting machines from the threat of cyber-attacks and would instruct tech and news companies to coordinate with the government prior to elections in order to identify and stop any misinformation campaigns by the Russian government to influence our elections and threaten our democracy from within.
TYPES OF RUSSIAN CYBER ATTACKS
The Russian government has authorized three organizations to coordinate their hacking operations worldwide; each of which are connected to the most prominent Russian hacking groups, as cyber espionage has become one of the most effective ways to obtain secret information of other states (Terry, 2018). These three organizations include the FSB, the SVR, and the GRU.
The FSB is responsible for counterintelligence, surveillance, and oversight in Russia. The SVR is responsible for human intelligence and has limited cyber capabilities. Finally, the GRU is the most active group and has access to large amounts of resources to successfully execute the cyber espionage and information warfare (Cunningham, 2020).
Within these three organizations are the Advanced Persistent Threats which are the hacking groups that execute the hacking activities. The APTs included in the FSB organization are APT29 (also known as Cozy Bear), Turla, Palmetto Fusion, and the Gamaredon Group. APT29/Cozy Bear has been active since 2008 and is one of the most sophisticated Russian Advanced Persistent Threats (Cunningham, 2020). Their campaigns are harder to identify because they are more cautious in their operations, and they generally use spear phishing to breach networks (Cunningham, 2020). Turla has been active since 2004 and they are very cautious and patient in their operations as their targets are mostly government and defense related (Cunningham, 2020). The third and fourth groups included in the FSB organization are Palmetto Fusion, which has been active since 2015 and targets energy related industries, and the Gamaredon Group which targets government entities in Ukraine (Cunningham, 2020).
While the SVR organization conducts mostly human intelligence that is coordinated with the FSB hacking group, the advanced persistent threats included within the GRU hacking group include APT 28 (also known as Fancy Bear) and the Sandworm Team. APT28/Fancy Bear is the most well-known Russian Advanced Persistent Threat because they were the groups that breached the networks at the White House, Pentagon, and the Democratic National Committee in 2016 (Cunningham, 2020). This Russian interference in the electoral process has allowed cyber espionage to gain increased traction in government circles (Terry 2018). APT28/Fancy Bear uses a combination of spear phishing and registering fake domains to breach enemy systems (Alperovitch, 2016). Finally, APT28/Fancy Bear’s primary initiative is to collect intelligence on geopolitical and defense issues that are pertinent to Russian interests (Robert Landing Institute, 2020). The final group within GRU is the Sandworm Team. The Sandworm Team is most active in Ukraine and uses a malware known as BlackEnergy to target energy related infrastructure (Cunningham, 2020).
One major advanced persistent threat that is not categorized with any of the three major organizations is Seaborgium. Seaborgium uses social media platforms to target individuals. After establishing contact with the target individuals, Seaborgium delivers a malicious link to steal the credentials of that targeted individual (Lapienyte, 2022). With many methods of attack included within the Russian’s state sponsored hacking organizations, Russia is leading the way throughout in strong hacking programs, successful data stealing, and effective measures on how spread influence throughout the world. To prevent these threats on social media, I would be prudent to increase safeguards on our major tech applications to screen for Russian bots and news campaigns by placing more individuals in covert positions within companies to identify potential vulnerabilities.
RUSSIA’S MOTIVE FOR THE USE OF CYBER ESPIONAGE
Russia’s increased use of cyber is not an isolated threat. Russia’s cyber espionage and information warfare plan affects each region of the world due to its size, mass, and complexity (Cunningham, 2020).
After the execution of cyber-attacks, cyber espionage and continued use of information warfare since the late 1990s, Russia’s operations have impacted democracies, promoted extremism, supported anti-democratic leaders, and shaken the influence of the West (Cunningham 2020). While all these effects of Russian aggression are true, Conor Cunningham (2020) identifies three Russian goals for the continued use of cyber espionage and information warfare:
- Re-establishment of a united Russian Eurasia.
- The war on liberal democracy and western dominance, including NATO and the US.
- Reasserting Russia as a global power through the use of swift and severe cyber-attacks.
The unnerving part about the three Russian goals above is they have already been put into practice with the recent conflict in Ukraine. Through the war in Ukraine, both militarily and cyber, Russia is trying to unify their country, fight NATO and the west, and present themselves as one of the world’s dominant cyber leaders. Russian President Vladimir Putin has done so by waging cyber espionage and information warfare against Ukraine’s infrastructure, government, and financial systems (Walsh, 2022) swiftly and in short order. As the war has prolonged, the United States should remain hyper focused upon Russia’s showcase of powerful tools regarding cyber activities.
An area of continued focus should be on our energy since oil and gas prices have risen due to Russia’s impact on our energy network thru the war. This negative may present us with a positive opportunity to consider drastically increasing use of our own resources as an alternative to continued attacks on our energy by Russia.
The United States government identifies many different motives as to why Russia conducts cyber espionage and information warfare the way they do. More specifically, the Cybersecurity & Infrastructure Security Agency assesses that the Russian government “engages in malicious cyber activities to enable broad-scope cyber espionage, to suppress certain social and political activity, to steal intellectual property, and to harm regional and international adversaries (Cybersecurity & Infrastructure Security Agency, n.d.).
THE STATUS OF RUSSIAN CYBER ESPIONAGE AND INFORMATION WARFARE
The United States government categorizes that Russian hacking operations are targeting the United States organizations and industries, including: COVID-19 research, governments, election organizations, healthcare, pharmaceutical, defense, energy, video gaming, nuclear, commercial facilities, water, aviation, and critical manufacturing (Cybersecurity & Infrastructure Security Agency, n.d.). With energy prices in the United States at or near record highs, and with major elections coming in the near future, Russia’s cyber espionage and information warfare organizations could inflict serious cyber damage and cripple the United States’ energy grid, economy, and public trust in institutions and elections by conducting a serious cyber operation within the next few months and years. To thwart the potential of a serious cyber operation, I think it would be wise to begin holding Russia accountable for any cyber-attack they execute by responding swiftly and harshly with our own cyber capabilities to showcase our power and dominance in the field.
The biggest card in Russia’s cyber game is Ukraine. The United States’ Cybersecurity & Infrastructure Security Agency explains on “April 20, 2022, the cybersecurity authorities of the United States, Australia, Canada, New Zealand, and the United Kingdom released a joint Cybersecurity Advisory to warn organizations that Russia’s invasion of Ukraine could expose organizations both within and beyond the region to increased malicious cyber activity” (Cybersecurity & Infrastructure Security Agency, n.d.). Success in Ukraine is imperative to Russia, and with the west all being allies with Ukraine and NATO, it poses a unique situation for Russia. Do you continue to conduct cyber operations solely in Ukraine? Or do you expand operations to allied countries to weaken the entire region? Russia has been trying to label Ukraine and the Ukrainian government as the aggressor in the war in order to promote Russian goals in Ukraine (Smalley 2022), but instead Russia has been using cyber espionage and information warfare to promote their goals in Ukraine.
As the war in Ukraine continues, it would be expected to see Russia increase cyber espionage and information warfare attacks, taking the offensive on energy sectors and government operations if Russia continues to struggle taking over Ukraine. Ukraine has taken the burden of Russia cyber operations since 2013 and the worrisome part for the countries within the NATO alliance and around the rest of the world is that Ukraine has been being used as training ground for cyberattacks that Russia plans to use around the world (Cunningham 2020).
FUTURE RUSSIAN TARGETS, ATTACKS AND CAPABILITIES
Besides Ukraine being the prime Russian target, there are many other countries that are on Russia’s target list. These countries include Sweden, France, Mexico, and the Philippines.
Russia has been able to use cyber espionage and information warfare in Sweden by capitalizing on fears of immigration in order to weaken the country by empowering anti-Western and nationalist policies (Cunningham, 2020). France has become one of the most powerful countries in Europe and the EU and its economic position makes it an easy target for Russian operations (Cunningham, 2020). Russia has been targeting Mexico more so because of its neighbor to the north, the United States. Russia has been trying to penetrate the United States’ zone of influence and Mexico can be a country susceptible to Russian attacks because of its weak central government. Finally, the Philippines allow Russia to expand to different parts of the globe and exert influence in a new region of the world.
This exertion of influence cannot be possible without having future attacks and capabilities developed and ready to execute. According to experts, there are three hacks that experts fear the most: BlackEnergy, NotPeyta, and the Colonial Pipeline example.
BlackEnergy is a targeted critical infrastructure attack that has the capabilities to cripple a country’s economic grid. In 2015, Ukraine’s electric grid was hacked by BlackEnergy, leading to a blackout for 80,000 customers (Tidy, 2022).
NotPeyta is a cyberattack of uncontrollable destruction and was tested on Ukraine like most cyberattacks are by Russia. NotPeyta is the costliest cyber-attack in history and is embedded in a popular accounting software in the country, costing approximately $10 billion in damage as the attack spread across the world as it destroyed the computer systems of thousands of companies (Tidy, 2022). Analysts agree that attacks like this on a large scale “cause the greatest opportunity for mass chaos, economic instability, and even loss of life” (Tidy, 2022).
The Colonial Pipeline example is an attack on a specific organization of entity, which occurred in the United States in May 2021 when Russian hackers caused the important oil pipeline to shut down for a period of time. This attack led to panic across the United States and because of the alarm this hack caused, the company paid the hackers a $4.4 million ransom in bitcoin to get the systems up and running again (Tidy, 2022). This attack proved to be highly effective and would be devastating on the United States’ economy or energy grid if it happened on a larger scale.
It is difficult to imagine Russia’s cyber espionage and information warfare operations slowing down any time soon, as they have proved to be an effective way for them to challenge their adversaries without moving operational agents around the world. As such, the United States recognizes Russia’s capabilities and explains that “Russia continues to target critical infrastructure…and can demonstrate its ability to damage infrastructure during a crisis. Russia certainly considers cyber-attacks an acceptable option to deter adversaries, control escalation, and prosecute conflicts” (Cybersecurity & Infrastructure Security Agency, n.d.).
How could any country respond to these increased attacks by Russia? There are a few options. First, if a NATO country receives the brunt of a strong attack by the hands of Russia, Article 5 could be triggered, though highly unlikely because of potential war possibilities.
In her article, Jody Westby (2020) lays out four possibilities on how to limit and potentially stop cyber attacks and conflicts coming from Russia:
- The over-protection of critical infrastructure to prevent unnecessary destruction, harm, and suffering.
- The use of third-party cyber forces should be illegal.
- Countries must respect the neutrality of other countries and not transmit any attack through their critical infrastructure.
- Countries must assist one another in their investigation of cyber-criminal activities.
While these possibilities seem acceptable on the surface, I find them to be hard to implement in practice, because society today has a “watch your back before anyone else” mentality, while looking out for the best interests of your country before anyone else’s. Therefore, my recommendations to safeguard against Russian cyber-aggression would be to put her recommendation number one—the over-protection of critical infrastructure to prevent unnecessary destruction, harm, and suffering—in place to ensure that everything that keeps your society, energy grid, government, and economy running. Therefore, an over-protection of these key societal benchmarks would reduce the effects of potential Russian cyber-espionage or information warfare operations. While at the same time, this would allow a building of capabilities to combat Russia as cyber is at the heart of future warfare capabilities until the next evolution of technological services comes along.
- Alperovitch, D. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved from Bears in the Midst: Intrusion into the Democratic National Committee (outlookseries.com).
- Cunningham, C. (2020, November 12). A Russian Federation Information Warfare Primer. Retrieved from A Russian Federation Information Warfare Primer - The Henry M. Jackson School of International Studies (washington.edu).
- Cybersecurity & Infrastructure Security Agency. (n.d.). Russia Cyber Threat Overview and Advisories. Retrieved from Russia Cyber Threat Overview and Advisories | CISA.
- Lapientye, J. (2022, September 5). Russian Cyber-Espionage Gang Targets NATO, NGOs, and Think Tanks – Microsoft. Retrieved from Russian cyber-espionage gang targets NATO, NGOs, and think tanks – Microsoft | Cybernews.
- Porotsky, S. (2019, June 10). Analyzing Russian Information Warfare and Influence Operations. Retrieved from Analyzing Russian Information Warfare and Influence Operations - Global Security Review.
- Robert Lansing Institute. (2020, October 29). Cyber Espionage and Russia’s Intelligence Hack Activities. Retrieved from Cyber espionage and Russia’s intelligence hack activities - Robert Lansing Institute
- Smalley, S. (2022, March 3). Treasury Department Sanctions Alleged Russian Cyber-Espionage, Disinformation Sources. Retrieved from Treasury Department sanctions alleged Russian cyber-espionage, disinformation sources (cyberscoop.com)
- Terry, P. (2018, June 1). “Don’t Do as I Do” – The US Response to Russian and Chinese Cyber Espionage and Public International Law. Retrieved from “Don't Do as I Do”—The US Response to Russian and Chinese Cyber Espionage and Public International Law | German Law Journal | Cambridge Core.
- Tidy, J. (2022, March 22). The Three Russian Cyber-Attacks the West Most Fears. Retrieved from The three Russian cyber-attacks the West most fears - BBC News.
- Walsh, C. (2022, February 24). Wide Range of Possible Targets for Russian Cyber Strikes, from Infrastructure to Smartphones. Retrieved from Harvard cyber expert assesses Russia threat – Harvard Gazette.
- Westby, J. (2020, December 20). Russia Has Carried Out 20-Years of Cyber Attacks That Call for International Response. Retrieved from Russia Has Carried Out 20-Years Of Cyber Attacks That Call For International Response (forbes.com).