Vladimir Putin launched an illegal, aggressive attack on Ukraine last week that has already killed dozens of soldiers and sent panic rippling through the world. Russian forces are air-striking cities all over Ukraine, with countless civilians in the firing line, as people flee the capital, Kyiv.
Cyberattacks have also begun to amplify the chaos and destruction: Wiper attacks hit a Ukrainian bank and the systems of Ukrainian government contractors in Latvia and Lithuania; Ukrainian government websites were knocked offline; and the Kyiv Post website has been under constant assault since Russia attacked.
While the exact culprits of these cyberattacks aren’t yet known, much of the public discussion about cyber threats has focused on Russia’s military and intelligence services: from stories of military cyberattacks to coverage of Ukrainian preparations against them.
The same has been replicated on the government side, with White House press briefings and other sessions dominated by discussion of Russian government agencies’ cyber capabilities.
Yet the Putin regime has a far more expansive web of nonstate actors, from cybercriminals to front organisations to patriotic hackers, that it can and has also leveraged to its advantage. Not acknowledging these threats ignores an enormous part of the damage Russia can inflict on Ukraine.
Without a doubt, the Russian state has sophisticated cyber capabilities with a track record of havoc. The SVR, Russia’s foreign intelligence service, has been linked to a number of espionage and data-pilfering campaigns, from the widespread SolarWinds breach in 2020 (whose victims ranged from government agencies to major corporations) to stealing information from Covid-19 vaccine developers.
For years, Russia’s military intelligence service, the GRU, has launched destructive cyberattacks, from the NotPetya ransomware that likely cost billions globally, to shutting off power grids in Ukraine, to, just last week, launching a distributed denial of service attack against Ukrainian banks and its defence ministry.
Moscow, however, can also unleash an even more expansive, complex, and often opaque web of proxies whose actors are happy to hack and attack on behalf of the regime. The Kremlin’s involvement with these groups varies and may fluctuate over time; it may finance, endorse, ignore, recruit, or use these actors on an ad hoc basis.
Part of the reason Moscow protects or turns a blind eye to cybercriminals is economic – cybercrime brings in a lot of money – but it’s also so the state can sway those actors to do its dirty bidding.
For instance, the Biden administration sanctioned Russia-based cybersecurity firm Positive Technologies in April 2021 for allegedly providing offensive hacking tools to Russian intelligence services. It also, the administration said, hosted “large-scale conventions” through which the FSB and GRU recruited hackers.
A Justice Department court filing made public in 2020, to give another example, includes Russian hacker Nikita Kislitsin describing how the FSB worked with an unnamed criminal hacker to gather “compromising information” on individuals.
The FSB and the Ministry of Defence recruit many such individuals and organisations to conduct cyber operations for them. And sometimes, it’s just about Putin letting hackers do their thing, and then celebrating their crimes. In 2007, pro-Kremlin youth group Nashi claimed responsibility for launching DDoS attacks on Estonia. Ten years later, Putin compared these kinds of “patriotic hackers” to “artists,” declaring that some might be joining “the justified fight against those speaking ill of Russia.”
If these threats seem confusing and overwhelming, that’s exactly the point, and that’s exactly what makes the threat against Ukraine so grave. This cyber proxy web affords Moscow deniability and obscurity, and the ability to launch combinations of operations and attacks without having the Russian flag clearly emblazoned on them.
Even if the hacks are ultimately linked to Moscow, there may be periods where the Russian government can deny involvement, and there are still populations abroad and at home who will believe the regime’s talking points.
In 2014 this (im)plausible deniability was part of the Putin regime’s invasion of Ukraine, with pro-Moscow hacking collectives like Cyber Berkut carrying out defacements in Ukraine (as Ukrainian groups also hacked Russian targets); the UK’s National Cyber Security Centre has said Cyber Berkut is linked to the GRU.
More alarming still is the fact that Russian state and proxy hackers aren’t just based in Russia. Increasingly, there are signs that Moscow is deploying, stationing or leveraging both state and proxy hackers overseas to launch operations from within other countries.
In 2018 a Czech Republic magazine broke a story alleging that Czech intelligence had identified two purported local IT companies that were set up to run cyber operations for Russia – and which even had their equipment delivered by Russian diplomatic vehicles.
It appears that Belarus is becoming a collaborator for Kremlin cyber operations, or at the very least a Russian government staging ground. Even on the information operations side, the infamous Internet Research Agency has opened unmarked offices in Ghana and Nigeria.
Nobody truly knows what the Russian government will or will not do to Ukraine in cyberspace, nor what nonstate entities might do of their own volition.
As Ciaran Martin, the founding chief executive of the UK’s National Cyber Security Centre, laid out in an incisive Twitter thread this week, profoundly uncertain possibilities range from sophisticated hacks of Ukrainian and Western targets to Moscow completely ignoring cybercriminal activity emanating from Russia.
Further, I would add, it’s unclear to what extent past Russian conflicts will or will not be useful case studies for understanding Russia’s moves in the coming weeks.
All of that said, Ukraine, the US and the rest of Europe must look far beyond the Russian military and security services when assessing and preparing for Russian state cyber threats. The proxy web is central to the Kremlin’s cyber strategy and operations, and so is the Russian government’s deployment and leveraging of hackers based overseas.
That said, while many policy analysts in the US and Europe track Russian cyber proxy activity, much of the recent political conversation and media coverage has focused on the Russian military and on cyber activity coming out of Russia.
The American and European governments should continue using intelligence disclosures to publicly identify Russian proxies, in this case those operating in cyberspace. Deniability is important to the Kremlin, and the US and its allies and partners should work with Ukraine to undermine it where cyber proxies are concerned.
At the very least, public identification could make it easier to marshal the political will for a coordinated response – and in cases where intelligence cannot be disclosed, these governments should share those attributions behind the scenes.
On the cybersecurity defence side, this is an urgent reminder, as ever, to invest not just in defences but also in incident mitigation. In light of the Putin regime’s brutal attack, international partners of Ukraine might also consider launching cyber operations of their own.
A complex, opaque, and entangled web of proxies can generate deniability, confusion, the need to fend off multiple ongoing attacks at once – and from the Kremlin’s perspective, that’s part of Russia’s cyber power, power the world can’t afford to ignore.
- A Wired report