Russian cyberattacks have become an established aspect of the Kremlin’s military strategy. Western states will need to develop their cyber defense capacity and create a coordinated deterrence system to prevent further strikes.
In a nutshell
- State-backed cyberattacks from Russia pose a rising threat to critical Western infrastructure
- Affected states risk striking back at the wrong attacker if they incorrectly identify perpetrators
- The U.S. and the EU will need to create a cohesive deterrence strategy to mitigate cybersecurity risks
Recently, the Russian cyber-espionage group Turla carried out attacks against more than 35 countries by accessing the tools of the Iranian OilRig hacker group. This false-flag offensive has highlighted two significant security challenges for the West: the sophisticated capabilities of Russian state-supported cyber groups, and the problematic identification of the original attacker, which is an essential precondition for conducting counterstrikes to deter further attacks. International calls for treaties and international norms for restraining and regulating state-sponsored cyber operations have gained in urgency, especially since Russian and Chinese cyber isolationist policies are fragmenting the global internet.
The recent cyberattacks of the Turla group (also known as Waterbug or Venomous Bear) demonstrated a level of sophistication and concealment unseen so far, making it harder than ever to identify the perpetrators. Its modified Neuron malware, which operates on Microsoft Windows platforms by targeting mail and web servers, was able to evade detection methods for intrusions in other countries’ networks.
Western intelligence services have ranked Russia and Iran – along with China and North Korea – as the most dangerous actors for state-supported cyberattacks on critical infrastructures, organizations and high-tech companies. Russian state-supported hacker groups have also been assessed as the fastest acting; they need less than 20 minutes to move laterally within a target organization’s network after the initial breach. Russian state-sponsored hackers are almost eight times faster on average than their fastest North Korean competitors.
Turla’s cloaked cyberattacks are not a new problem. Hacker groups have repeatedly attempted to obscure their identity or pose as another group. It took months of forensic investigations and international collaboration between the United Kingdom’s National Cyber Security Centre (NCSC) and the Cybersecurity Directorate of the U.S. National Security Agency (NSA) before it could be determined that Turla was responsible for the attacks – which mostly targeted the Middle East, but also the United Kingdom. The Iranian hacker group OilRig (also known as APT34) was not aware that Turla had accessed its tools.
A decade ago, Russian hacker groups were primarily linked with transnational criminal organizations targeting Western banks and financial institutions with theft and blackmail. However, the state-backed cyberattacks in Estonia during the bilateral conflict of 2007 and in Georgia during the 2008 conflict highlighted that cyberwarfare had become an additional dimension of Russian military operations. Since then, NATO and Western defense ministries have been tracking and analyzing Russian cyber offensives as part of the country’s hybrid warfare strategy. The perpetrators can act on their own, as “patriotic hackers,” or be employed by Russia’s secret services or related departments, such as the defense ministry’s intelligence services (GRU).
The Russian state has symbiotic ties with the cybercrime world. Much like Western countries, the Kremlin cannot compete with regular private-sector salaries. But it can offer other incentives such as legal immunity and intelligence support. Russian cybercriminal groups operate in relative impunity as long as they do not attack targets in Russia. Moscow profits from these links. It can distance itself from groups operating under nonofficial flags and does not have to offer them the costly and comprehensive protection required for official intelligence officers.
In recent years, aggressive operations to potentially disrupt key Western infrastructure and propagate disinformation to influence political decision-making have gained importance as compared to conventional espionage. Russian and Chinese state-supported hackers are also increasingly seeking to gain access to telecommunication services, which offer a broad base for impacting public mood.
Russia’s cyberattack on Ukraine’s electricity networks in December 2015 was the first strike against a country’s energy system. In 2017, the Russian state-sponsored hacker groups Energetic Bear (also known as Dragonfly, Koala and Iron Liberty) and Sandworm reportedly gained access to the Supervisory Control and Data Acquisition (SCADA) centers of individual U.S. power companies, in addition to critical infrastructure in Ukraine. They were also able to cause disruptions at an oil and gas plant in Saudi Arabia with Triton malware.
Ukraine has become a test bed for Russia’s hacker groups. In October 2018, Dutch Defense Minister Ank Bijleveld declared that Russia and the Netherlands were in a state of cyberwar. Her comments followed the expulsion of four military intelligence officers involved in the hack of the Organisation for the Prohibition of Chemical Weapons (OPCW) in The Hague, which was analyzing the chemical used in the attempted assassination of Sergei Skripal and his daughter in the United Kingdom.
Interference in elections
The most brazen campaign of the Russian hacker group Fancy Bear (or APT28), with ties to the GRU, has been the 2016 breach of the computers of the Democratic National Committee (DNC) in the United States. After three years of investigation, the U.S. Senate Intelligence Committee concluded in July 2019 that Russia’s cyber interference in the presidential elections in all 50 states was more far-reaching than previously assumed. The initial underestimation of the scope of Russia’s cyber operations and subsequent lack of reaction was described as a “cascading intelligence failure.” Although no evidence was found that votes were changed in voting machines, Russian hackers were “in a position to delete or change voter data.”
Russian state-supported cyber groups also stand accused of influencing other foreign elections, like France in 2017, Macedonia in 2018 and the European Parliament elections in May 2019. An EU review determined the presence of coordinated Russian cyber interference and information warfare with “continued and sustained” disinformation efforts to “suppress turnout and influence voter preferences” by exploiting divisive public debates on migration, sovereignty, and other issues.
For the U.S. and EU member states, there are two options to strengthen cybersecurity, but there is little consensus on which is the best path forward.
The U.S. has stepped up its defense against cyberattacks and developed strategies for retaliatory offensives and preemptive cyber strikes in addition to its cyber espionage campaigns.
From a defense standpoint, it is more complicated than ever to assess if a cyber intrusion is “merely” an espionage campaign or a full-scale disruption attack. Based on lessons from the Cold War era, the clear conclusion is that purely defensive strategies are insufficient for deterring state-supported cyberattackers and shifting their cost-benefit ratio. In the cyber age, the defense needs to be buttressed by deterrence strategies. The U.S., the United Kingdom, France, and Germany have all developed their cyber counterstrike capacities. Amid escalating geopolitical rivalries, however, an immediate cyber counterattack risks targeting the wrong country. Attributing sophisticated state-sponsored cyberattacks is often a matter of months-long cyber forensic investigations and international collaboration. It can even take years before the real cyberattacker is pinpointed. The problem of attribution could easily lead to geopolitical escalation if an uninvolved party is targeted with a hasty counterstrike.
The U.S. has reportedly gone a step further and preventively planted a potentially crippling malware for a “persistent presence” inside the Russian electricity networks. According to the New York Times, this “defensive forward strategy” will guarantee that “Russia will pay the price” if it attacks the U.S.
President Donald Trump has denied the reports and called the New York Times’ allegations a “virtual act of treason.” Whether this is true or not, cyber deterrence cannot be compared to the mutually assured destruction doctrine of the Cold War nuclear arms race. The current low-intensity cyber battle between the U.S. and Russia could further escalate and impact other countries.
Russia itself is increasingly the victim of cybercrime. Its internet users have gone from 35 million (25 percent of the population) in 2007 to 92.8 million (76 percent of its population) in 2018. According to official data, Russian companies lost 116 billion rubles ($1.85 billion) in 2017 due to cyberattacks. In 2018, Russia’s intelligence services identified 4.3 billion cyberattacks against critical national information infrastructure, 17,000 of which were deemed severe threats. Russian state-owned companies incurred collateral damage after the devastating WannaCry and NotPetya cyberattacks in 2017 and 2018, also linked to Russian state-supported hacker groups.
At their first meeting in 2017, U.S. President Donald Trump and Russian President Vladimir Putin reportedly agreed to establish an “impenetrable cybersecurity unit” but rejected the idea shortly after. In the same year, UN efforts to build norms and draw red lines in cyberwarfare also came to nothing. Since then, two competing institutions responsible for establishing standards coexist within the UN and they have reached different conclusions on how to respond proportionately to hacking. This lack of coordinated action highlights the increasing fragmentation of the global internet and the diverging strategic interests of great powers. As a result, the UN Group of Government Experts (GGE) – experts from 25 countries working to establish cyber norms – has also encountered resistance.
Some form of global cyber treaty could still materialize. In 2015, Russia and China agreed not to attack each other with cyber offensives that could “disturb public order” or interfere with the internal affairs of the state. But any bilateral cyber treaty between the U.S. and Russia would be a confidence-building measure rather than an arms control treaty, since implementation could hardly be monitored. It would be impossible to verify every critical SCADA system (a computer system for gathering and analyzing real-time data), router, server, data storage facility, cloud, or USB stick. (The latter is thought to have been used to infect an Iranian uranium enrichment facility with the Stuxnet malware in 2010.) A confidence-building measure, which depends on mutual trust, would not provide the same protection as an arms control treaty based on an intrusive inspection regime. Considering the suspicions underlying the current cyber relations between Moscow and Washington – or Brussels – trust-based agreements would be of limited use.
The Kremlin sees offensive cyber operations as a crucial instrument for espionage and a threat to critical Western infrastructure. By highlighting systemic vulnerabilities, Russia hints at the damage it could cause in an eventual conflict. Short-term, cyberattacks have proven effective in influencing public opinion and sowing political discord in Western democracies. Past successes, however, could lead to unexpected geopolitical countermeasures for Moscow. Russia’s cyber interference in the last U.S. presidential elections has caused a political earthquake that is likely to set the tone of bilateral relations for years.
Even European countries have reacted to Russia’s cyber aggression with various measures, including retaliatory strikes. The crisis has also made it more difficult for the U.S. and the EU to align their foreign policies vis-à-vis Russia, especially after the 2014 annexation of Crimea. But even if a more cooperative relationship between the West and Russia is established, the Kremlin will not reassess the cost-benefit of its offensive cyber operations as long as the EU lacks the collective political will to tackle the issue. Unwillingness to address the threat at the EU level and the resulting absence of strategic deterrence have encouraged the Kremlin to maintain and increase its cyberwarfare against Europe.
Russia’s increasing assertiveness is also linked with its plans to build a national Russian Internet (RuNet) that would restrict its citizens’ online freedom, much like China’s Great Internet Firewall. If Vladimir Putin’s May 2019 “Internet Isolation Bill” and RuNet prove successful, the Kremlin could be encouraged to intensify its offensive abroad since perceived domestic vulnerabilities would be reduced thanks to decoupling from the global internet.
The arms race of new disruptive digitalization and AI technologies will continue. As internet users increase by another 2 or 3 billion people in the years ahead, and billions of applications of the Internet of Things are introduced in the global markets, escalation of digital warfare worldwide is practically certain. New technologies like blockchain and encryption could enhance Western countries’ defense capabilities. However, Russia’s latest encrypted attacks also show that technological advancement can make cyber offensives stealthier and deadlier.