Russian Cyber Capabilities, Policy and Practice

Although most commentators on cyber threats to the United States appear fixated on China, we ignore Russia at our peril. “Unlike China,” Jeffrey Carr explains on his Digital Dao blog, “Russian cyber operations are rarely discovered, which is the true measure of a successful op.”

Russia—its government and a motley crew of sometimes government-sponsored but always government-connected cyber-criminals and youth group members—has integrated cyber operations into its military doctrine, has used cyber tools against enemies foreign and domestic, and is conducting strategic espionage against the United States. Moreover, it spares no diplomatic effort in trying to forge a path for its nefarious activities while resisting efforts to do anything constructive in the international arena.

To explain all this, it is necessary to set out two points about Russia: 1) Russia is characterized by a unique nexus of government, business, and crime; and 2) Russia takes a much broader approach to information operations than do most Western countries.

Corruption is the dominant characteristic of the current Russian polity. And with systemic corruption come opportunities for collusion on just about everything. The rule of law flies out the window, replaced by personal relationships and payoffs. Laws are enforced arbitrarily—what matters is one’s circle of friends.

The second point is that Russia holds a broad concept of information warfare, which includes intelligence, counterintelligence, deceit, disinformation, electronic warfare, debilitation of communications, degradation of navigation support, psychological pressure, degradation of information systems and propaganda. Computers are just among the many tools of information warfare, which is carried out 24 hours a day, seven days a week, in war and in peace. Seen this way, distributed denial of service (DDoS) attacks, cyber espionage, and Russia Today television are all related tools of information warfare.

Moreover, Russia’s way of kinetic war includes information warfare and it follows that information warfare against Russia will be considered warfare. The current Russian military doctrine calls for “prior implementation of measures of informational warfare in order to achieve political objectives without the utilization of military forces.”

Russia’s 2008 combined cyber and kinetic attack on Georgia was the first practical test of this doctrine. Although it was not fully successful, we must assume that the Russian military has studied the lessons learned, just as it has done for every other facet of its poor performance against Georgia. Given all the doctrinal attention paid to the subject, we must assume that Russia is honing far more sophisticated military cyber capabilities.

At home, Russia also has a concept of information security very different from Western countries. The September 2000 Doctrine of Information Security of the Russian Federation— released just eight months into Putin’s presidency—sets forth three objectives. Russia shares the first with just about every country in the world: to protect strategically important information. However, the second and third objectives set Russia apart, at least from democratic countries: to protect against deleterious foreign information and to inculcate in the people patriotism and values.

Another unique feature of the Russian approach is extensive reliance on youth groups such as the Kremlin-controlled Nashi and cyber-criminal syndicates such as the now invisible Russian Business Network (RBN). There are three reasons Russia sub-contracts some of its cyber work to youth groups and criminals.

• It is super cost-effective—imagine a reserve force that not only does not cost money, but actually makes money when not employed by the state.
• Without cost, it hones skills and specialization to a degree to which no government training program could aspire.
• The use of kids and criminals confounds the attribution problem. Even after extensive cyber forensics, attacks are not traced back to government computers. This is particularly confusing to many Westerners who cannot imagine a government so intertwined with crooks and punks.

And there are plenty of well-trained people to carry out these activities. Russia exhibits many characteristics of an extractive economy, while still enjoying the benefits of the quite good Soviet educational system. Great wealth is concentrated in the hands of a few, while many people with training in math, science and computers want for work.

The result is a thriving cyber-criminal industry. An excellent Trend Micro report literally catalogs the malware and services for sale or rent on the deep Runet, as the Russian portion of the Internet is known. This illustrates both the lawlessness that prevails on and around the Runet and the availability of talent for hire, including for hire by the Russian state.

Apparently rented botnets went to work against Estonia in 2007. The Estonian government had decided to move the “Bronze Soldier of Tallinn” statue from the city center to a military cemetery. Ethnic Russians and Russia took this as an offense—or at least as an excuse for trouble. Russian politicians arrived in Estonia to rile things up and some Russian language websites offered instructions about which Estonian websites to attack and how to do it. For a week in late April and early May, simple DDoS attacks were carried out, somewhat ineffectively. Then the professional botmasters went to work with DDoS attacks, threatening essential services, doing significant damage to the Estonian economy.

In 2008, it was Georgia’s turn in the first ever combined kinetic and cyber-attack. Many of the same techniques and computers involved against Estonia a year earlier resurfaced against Georgia.

Exhibiting remarkable insight on the part of the perpetrators, DDoS attacks on Georgian government websites, particularly the president’s website, began more than two weeks before the kinetic Russian invasion. On the day the kinetic war started, sites such as stopgeorgia.ru sprang up with a list of sites to attack, instructions on how to do it and even an after-action report page. It is instructive that all this was ready to go—surveys, probing, registrations, and instructions—on day one! An Internet blockade was traced to five autonomous systems—four in Russia and one in Turkey—all controlled by the criminal syndicate RBN.

When one considers the forensic evidence, geopolitical situation, timing, and the relationship between the government and the youth and criminal groups, it is not difficult to conclude that the Kremlin was behind it all.

Three years later, we learned that the Kremlin treats all enemies, foreign and domestic, the same. In the spring of 2011, again with many of the same techniques and computers employed against Estonia and Georgia, DDoS attacks were directed against websites generally associated with opposition to the Putin government. Among the targets were particularly meddlesome pages on the LiveJournal blog site, websites run by anti-corruption crusader Aleksey Navalny, and the Novaya Gazeta newspaper.

People’s Freedom Party leader Boris Nemtsov commented, “Hardly anyone could have done this other than the security services.”

The March-April attacks were apparently a dry run for the December 4 Duma elections. On the day of the elections, a number of websites generally associated with the opposition were taken down by DDoS attacks. However, the perpetrators apparently miscalculated the power of the Internet.

They appear to have been obsessed with a site called kartanarusheniy.ru, an interactive map of election violations, sponsored by the election watchdog Golos, which receives funds from the American National Endowment for Democracy. Kartanarusheniy itself was taken down, as were sites that linked to it or mentioned it. However, many other sites were untouched, indeed, one could read about the sites that were dark on the sites that remained up. It seems that a few DDoS attacks do not cow everybody as a few arrests and beatings used to do.

Social media and blog sites were very active right through the March 4, 2012 presidential election; however, the Kremlin’s botmasters were apparently called off altogether. Another indication that the government controls them is the discipline with which they all desisted. Had they been truly independent patriotic hackers, one would have expected at least a few of them to have persisted in their online hijinks.

“The infrastructure for political battle,” Navalny observed, “has become cheaper. Now you can just use your computer.” And the Kremlin is worried—worried about Arab Spring, London riots, unrest in the North Caucasus, likely attempts to subvert the 2014 Sochi Winter Olympics and, of course, the unprecedented social media-borne anti-Putin demonstrations across Russia.

Nonetheless, as a matter of domestic politics, the Putin government appears to be in a quandary. In July 2012, a law “for the protection of children” on the Internet was passed. Activists such as Navalny fear that the law will be used to stifle political opposition on the Runet.

Navalny was convicted on what were clearly bogus embezzlement charges, but allowed to run for the post of mayor of Moscow. Despite renewed DDoS attacks on LiveJournal, there did not appear to have been any major government or government-backed online skullduggery associated with the September 9, 2013 mayoral race. Perhaps the Kremlin is still trying to devise a workable strategy. Perhaps the certain victory of Kremlin favorite Sergei Sobyanin diminished the perceived need for one. More difficult to fathom is that soon after the election, Navalny was handed a five year suspended sentence, but he remains free and politically active. However, he has recently been targeted with further embezzlement charges.

Moscow’s online behavior as the 2014 Sochi Winter Olympics approach may afford a good indication of whether there has been any evolution with regard to the use of the Internet for internal repression. Meanwhile, there is no reason to believe that Russia’s external outlook has changed one iota.

Unsurprisingly, Russia’s diplomatic activities on the cyber front reflect its policies on information warfare and information security. While steadfastly refusing to sign the European Convention on Cybercrime, a highly effective international approach to cyber security challenges, it joined China and a few others in plying proposals aimed at enhancing information security—that is, shielding autocratic states from the free flow of information across the Internet. It has also joined with China, Iran, and the International Telecommunications Union leadership in a grab at Internet governance, most recently manifested at the December 2012 World Conference on International Telecommunications.

Meanwhile, Russia undertakes a major effort at strategic cyber espionage against the United States. It is strategic in the sense that it is not just a government’s spy agency trying to steal this or that bit of classified information or an enterprise conducting industrial espionage. Rather, it is a concerted effort to steal American intellectual property to achieve a level of technological development that Russia cannot achieve on its own. In this regard, it is worth repeating an October 2011 finding of the U.S. Counterintelligence Executive:

In sum, Russia—in its capabilities and its intent—presents a major cyber challenge to the United States. The only difference between it and China may be, as Jeffrey Carr points out, that it is seldom caught. And that, alone, may make it the number one cyber threat.