Backgrounder: Russian Hacking

Unconventional warfare tactics are becoming increasingly popular in the digital age, and Russia is leading the way. “Hybrid warfare” involves using disinformation and cyber attacks to stir up unrest in the target country. The ultimate goal is to undermine the enemy by sowing dissension and weakening its social fabric through cyber espionage and the spread of propaganda.

Russia has achieved evident success using hybrid warfare to punish its neighbors and, more recently, to weaken the US political system. As the U.S. became preoccupied with the rise of another geopolitical rival, Moscow developed a low-cost, high-impact weapon with clandestine (political) potential. State-sponsored hackers from China were initially given more attention than Russian ones, as China took bigger risks and got caught more often. In fact, Obama’s and McCain’s position papers and internal communications were hacked by the Chinese in the 2008 presidential election cycle. However, no documents were published, as China-based hackers are more motivated by stealing intellectual property and information beneficial to economic activity than by impacting the democratic political process.

By contrast, Moscow prefers “doxing,” a method that involves publishing or broadcasting what hackers find, instead of merely breaking into systems to gather intelligence. Putin’s long-term goal looks beyond the US domestic sphere and more toward gaining political advantage internationally by undermining Western diplomatic, financial, and military linkages. While the U.S. has approached Chinese cyber espionage with a years-long series of diplomatic and legal efforts, dealing with Russia won’t be as easy. This new dynamic could easily be the beginnings of a ‘Second Cold War.’



Soviet Tactics Reworked for the Information Age

In 1982, Yuri Andropov, the chairman of the KGB at the time, oversaw foreign-intelligence operations known as “active measures”, which aimed to influence people and events abroad to suit Russia’s objectives. For instance, KGB officer Vasili Mitrokhin described in extensive notes how the Soviet leadership saw Ronald Reagan as an implacable militarist and thus sought to popularize the slogan “Reagan Means War!” among the Republican and Democratic National Committees to undermine his re-election. However, KGB efforts to create turmoil via front groups, forgeries, and other techniques fell flat as Reagan’s popularity remained solid.

Throughout the Cold War, Soviet intelligence officers sought to spread rumors about the US government’s involvement in Martin Luther King’s assassination, implicate the American intelligence community in the “creation” of the AIDS virus, and support left-wing insurgencies throughout the US sphere of influence. Meanwhile, American intelligence used cash payments, propaganda, and violent measures to dissuade support for leftist parties in Italy, Guatemala, South Vietnam, and Nicaragua. While the CIA worked to overthrow communist regimes abroad, the FBI was responsible for keeping an eye on KGB-sponsored leftist groups at home. Thus, similar tactics of disinformation and propaganda were applied on both sides, with a truce eventually reached in the early 90s—an agreement that Russia has not abided by.

Sergey Tretyakov, a defected station chief for Russian intelligence in New York, wrote in 2008: “Nothing has changed. Russia is doing everything it can today to embarrass the U.S.” Still, President Vladimir Putin accuses the U.S. of playing the same game, blaming Secretary of State Hillary Clinton for spurring anti-Kremlin activists into action, not to mention the West’s support of anti-Moscow “color revolutions”. Further, Putin considers NGOs and civil society groups such as the National Endowment for Democracy, Human Rights Watch, and Amnesty International to be ‘undesirable’ NGOs and thinly disguised instruments for regime change.

Hybrid warfare is thus the 21st-century equivalent of Cold War espionage and propaganda. Moreover, the enemy has since developed into ‘American hegemony’ following the collapse of the Soviet Union. Yet a new doctrine has also surfaced, as Russians began to realize the value of studying Western tools of soft power, not only to counteract them at home but also to apply them abroad in pursuit of their own national objectives. In 2013, Valery Gerasimov, the Russian chief of general staff, published an article in the Military-Industrial Courier titled “The Value of Science in Prediction.” In this text, now dubbed the “Gerasimov doctrine”, Gerasimov promoted the idea of hybrid war and suggested that wars in the future will be fought with a four-to-one ratio of non-military to military measures, whereby espionage, subversion, propaganda, and cyber attacks will take on increasing importance.

Pavel Zolotarev, a retired Russian general, explained that Gerasimov’s method overcame the need for “grandfather-style methods” like scattering leaflets, throwing around printed materials, or manipulating the radio or television. With nuclear deterrence out of the way, the information space has expanded with new possibilities for unconventional warfare. Indeed, Putin—a former high-ranking KGB official himself—has pursued disinformation tactics in today’s (post-)modern age with widespread success.


Timeline of Major Hacks and Events

The first major attack by Russian intelligence agencies occurred in 1996, in what investigators have named Operation Moonlight Maze. During this covert cyber attack, countless files, including weapons designs, were stolen from NASA, the US Navy, the Air Force, and the National Oceanic and Atmospheric Administration, routed through a computer nicknamed “Baby Doe” at the Colorado School of Mines. According to a report issued after the discovery, if all the stolen files were printed out, they would form a tower as high as the obelisk of the Washington Monument.

However, the landmark event that expanded state-sponsored cyber attacks from the security sphere to the political one took place in 2007, when Russia instigated a “distributed denial of service” (DDoS) assault on Estonia amid controversy over a statue of a WWII Soviet soldier that was being removed from the center of Tallinn. This was widely regarded as punishment for the former satellite state’s accession to NATO and warming relations with the West. Moreover, it demonstrated that Russia could paralyze an entire country without invading it; as then Minister of Defence Jaak Aaviksoo described it, “This was the first time that a botnet threatened the national security of an entire nation.”

Less than a year later, in August 2008, the same tactics were applied in Georgia as 54 websites with ties to the government, media, and banks came under attack over territorial disputes in South Ossetia. Military information was stolen, while communication systems and the Internet broke down as Russian tanks and planes advanced into the disputed territory. Michael Sulmeyer, a former senior Pentagon official in charge of cyber policy under Obama, describes it as “one of the first times you’ve seen conventional ground operations married with cyber activity.” These cyber assaults certainly gave Russia the upper hand, as Georgia and Estonia were left in a state of confusion and disarray.

The conflict in Georgia lasted just five days, and though it was an obvious military victory for Russia, it was also viewed as a “total defeat in the information space.” As Zolotarev explains, the imagery of Russia shelling Georgia played on international media produced less than satisfactory propaganda outcomes for Russia, and thus pushed military generals to further study the use of media and other information to wage war on the information front. These newly refined tactics were then practiced in other theaters to drum up pro-Moscow sentiment during the annexation of Crimea and the Syrian civil war.

By 2014 and 2015, the targets of Russian hacking gradually shifted westward, first sneaking into the networks of Hungary, Luxembourg, and Belgium, and then eventually into those of Russia’s multilateral adversaries such as NATO and the Office of Security Cooperation in Europe. This coincided with the rise of the Russian state-backed hacking teams Cozy Bear and Fancy Bear and their infiltration of Washington. In June 2015, Defense Secretary Ash Carter confirmed that Russian hackers had accessed an unclassified Pentagon network as well as sensitive parts of White House computer systems (including information about the President’s daily schedule).

In keeping with its doxing approach, Cozy Bear (the now known culprit) had published on YouTube a private phone call between Victoria Nuland, US Assistant Secretary of State, and Geoffrey Pyatt, the US ambassador to Ukraine, in which they discussed brokering a deal in Ukraine. Although US officials traced the mischief to Russian hackers, no penalty was issued other than official condemnation. As a result, Russian hacking efforts were emboldened. Fancy Bear targeted other Western hubs by publishing Islamist propaganda on France’s TV5Monde and began snooping on politicians in the German Bundestag.

By the summer of 2015, Cozy Bear had begun spear-phishing a long list of American government agencies, Washington non-profits, and government contractors, including the Democratic National Committee’s network. Fancy Bear showed up in March 2016, first penetrating the computers of the DNC’s sister organization, the Democratic Congressional Campaign Committee.

In response to Russia’s perceived election interference, the Obama administration imposed further sanctions on Russia and declared Russian diplomats persona non grata in the U.S. However, Obama’s cautious attempt to avoid the appearance of partisanship (as the polls swung in favor of Clinton) and his fear of an escalating cyber war failed to deflect further Russian hacking efforts.


The Rise of Fancy Bear and Cozy Bear

Fancy Bear is one of several names, alongside APT 28, Strontium, and the Sofacy Group, given to the Russian hacking team working for the GRU (the external intelligence agency of the Russian military). Fancy Bear has been on the radar of security researchers for at least seven years, most notably for its disinformation campaigns in Georgia, Ukraine, and against NATO. Cozy Bear—also known as CozyDuke, the Dukes, or APT 29—is Fancy Bear’s rival hacking team and is believed to belong to a competing Russian intelligence service; it has hacked the State Department, the White House, and the Joint Chiefs of Staff.

Digital forensics has distinguished Cozy Bear by its sense of humor, shown in the adroit disguise of its malicious files and the curious bait sent to its targets. Meanwhile, Fancy Bear is known for its customization and reconnaissance of targets and its propensity for infecting files. The security firm FireEye has explained how its operators demonstrate “formal coding practices indicative of methodical, diligent programmers” with tools that security analysts have named ‘Sourface’, ‘Chopstick’, and ‘Eviltoss’, among others. Both groups employ zero-day exploits, which take advantage of previously unknown flaws in popular software to plant malware that secretly sends data back to the attackers’ network without the target’s knowledge. Such exploits are difficult to develop, hard to keep stable, and expensive on the black market, which has made them a hallmark of state-sponsored hackers.

Similarities between the two groups thus include their sophisticated and expensive digital tools, a shared interest in information of a sensitive and strategic nature, and a high likelihood of state sponsorship. This indicates that both groups are composed of advanced hackers who are more concerned with political than financial gain, with targets often linked to political, military, diplomatic, and journalistic activity. While the Bears mainly concerned themselves with eastern European countries and multinationals in the past, their scope has now broadened to include the West.

Three days before the Democratic National Convention last summer, WikiLeaks shared nearly 20,000 emails from the DNC’s internal network after Fancy Bear and Cozy Bear successfully hacked into the system. This culminated in the DNC scandal, in which the Democratic establishment was exposed for its active endorsement of Hillary Clinton’s campaign over that of Bernie Sanders. As a result, Debbie Wasserman Schultz, chairwoman of the DNC, and her top party aides resigned from their positions amid populist anti-establishment fury.


Russia’s Motivations

Cozy Bear’s and Fancy Bear’s interests seemingly align with political objectives in Moscow. Putin’s top three motives could be summarized as follows: 1) undermine American democracy; 2) weaken the next American president; and 3) deliberately help elect Trump. So far, Russia’s hack-and-dox scheme has been successful on all three fronts. Russian interference not only raised doubts about the election, but also served as a distraction to sow confusion. All the while, disinformation, false information intended to discredit the true or official version of events, has taken the U.S. by storm.

That being said, unlike Reagan’s re-election campaign in 1984, the political landscape of the 2016 elections was ripe for Russians to meddle in: highly polarized parties, a fragmented society, and a fractured media environment. As Oleg Kalugin, a former KGB general living in the U.S., recounts: “The goal is to deepen the splits.” Moreover, Evan Osnos and his colleagues at the New Yorker note that disinformation campaigns are “less a way to conjure something out of nothing than to stir a pot that is already bubbling.” Hence, the DNC attack would have had a limited impact if the U.S. had not already been mired in disarray and low levels of trust.

Still, Osnos and his colleagues recognize that this “strategy is especially valuable when a country like Russia, which is considerably weaker than it was at the height of the Soviet era, is waging a geopolitical struggle with a stronger entity.” The Obama administration only learned of the DNC hacking nine months after the FBI first tried to notify the organization about the intrusion. While the administration’s October 7th declaration concluded with confidence that Russia was behind the DNC hack, it resorted to closely monitoring the line between “covert influence” and “adversely affecting the vote count.” Hillary’s lead in the race at the time reinforced Obama’s decision not to react strongly, so as not to delegitimize the race (the DNC was infiltrated long before Trump won the Republican nomination), but the Russians had already achieved their goal by then.


US Response

By the time the US intelligence community began investigating the DNC hack, politics had taken the place of digital forensics. President Trump says that there is no evidence that Russian meddling had anything to do with his success, first describing the investigation as a “witch hunt” before grudgingly accepting the FBI probe. The DNC’s fumbling encounter with the FBI, as well as both parties’ initial failure to grasp the scope of the intrusion, paved the way for more attacks in the future. However, recognizing that the stakes are too high for the U.S. as a whole, a bipartisan alliance has formed to investigate the hacking, including Republican senators John McCain and Lindsey Graham and Democratic senators Chuck Schumer and Jack Reed. Moreover, a joint task force including the CIA, FBI, NSA, and the financial crimes unit of the Treasury Department was formed on Inauguration Day.

At a Senate Armed Services Committee hearing exploring the Pentagon’s cybersecurity strategy, Senator Jeanne Shaheen brought up the need to clarify the definition of what constitutes cyber warfare. Dr. Craig Fields, chairman of the Defense Advanced Research Projects Agency (DARPA), agrees that a common and coherent response is needed to help guard against future attacks. In the past, senior Democrats have called for the declassification of intelligence assessments relating to the hack. Meanwhile, James Comey appealed to the Justice Department for more resources for the inquiry just days before he was fired by Trump.

As Washington busies itself with a sprawling and highly politicized counterintelligence operation, it is safe to say that Moscow is leading the 21st century war on information.
