inFocus, Russia: Inside the Enigma (Fall 2017)

Cybercrime: Russian Tools to Infiltrate, Subvert, and Control

Paul M. Joyal Fall 2017
The relocation of the Bronze Soldier monument to the unknown Soviet war dead was a pretext for a Russian cyber attack on Estonia's parliament, banks, ministries, newspapers and broadcasters. The memorial, pictured here, in Tallinn in 2007. (Photo: Aleksei Verhovski)

Russia and its next generation warfare, sometimes called hybrid or non-linear warfare, understands cyberspace as a decisive arena for modern combat in which information can become weaponized. Chief of the Military General Staff Valery Gerasimov explained this in a 2013 article titled “The Value of Science in Prediction.” Understanding that the line between war and peace had become blurred, he wrote:

Nonmilitary means of achieving military and strategic goals have grown and, in many cases, exceeded the power of weapons in their effectiveness… The information space opens wide asymmetrical possibilities for reducing the fighting potential of the enemy… It is necessary to perfect activities in the information space, including the defense of our own objects.

Gerasimov called for asymmetrical action that combines Special Forces and information warfare to create “a permanently operating front through the entire territory of the enemy state.” This is exactly what unfolded in Crimea.

Long-distance, contactless actions against the enemy are becoming the main means of achieving combat and operational goals. The defeat of the enemy’s objects is conducted throughout the entire depth of his territory. The differences between strategic, operational, and tactical levels, as well as between offensive and defensive operations, are being erased.

Gerasimov’s views reflect those first voiced by Vladimir Markomenko in 1997 in Nezavisimaya Gazeta. Then-deputy director of the Russian Federal Agency of Government Communications and Information (FAPSI), Markomenko was the first Russian official to define Russian Information Warfare. He posited four components:

1. Destruction of the enemy’s command and control centers and electronic warfare against its information and telecommunications systems.

2. Electronic intelligence to intercept and decipher information flows transmitted via communications channels.

3. Hacking into the enemy’s information resources to steal, distort, or destroy the normal operations of these systems.

4. Psychological warfare to disseminate disinformation or tendentious information for influencing the opinions, intentions, and orientation of society and decision makers.

Russian Military Doctrine, published in Spring 2010, stressed the importance of information warfare during the initial phase of conflict, directed against enemy troops and populations. If the information dimension fails, the Russian military can resort to kinetic options.

In the 2008 invasion of Georgia, the first target for the Russian air force was the Harris Corporation military communication system co-located at the forward command base of the Georgian military. Georgia quickly lost command and control of its forces and had to rely upon cell phones, which Russia easily intercepted. For Crimea, cell phone networks had already been disabled in Kiev at the outbreak of the Russian invasion and occupation of Ukraine to prevent communications among members of the government and to sow confusion. Today cyber attacks against Ukraine continue to be a constant feature, with noted attacks on the electrical infrastructure of the country.

Russia’s Cyber Operations Principles

The use of the term “cyber war” is an unfortunate formulation because it stovepipes attention into a narrow spectrum of today’s conflict. Rather, it is better to understand Cyber Operations within the spectrum of low intensity conflict or unconventional warfare, more precisely as part of Information Warfare or Active Measures.

Information technology has lowered the barrier between war and peace, creating an opportunity for the re-emergence and adaptation of traditional Soviet Active Measures doctrine to today’s cyber-information age. The Russian military has been developing an advanced information warfare doctrine since the mid-1990s in combination with highly accurate military weapons and non-military means of influence to disorganize the targeted state administration.

The ultimate objective of this so-called hybrid warfare is to achieve complete information dominance over the opponent within the “battle space,” which includes political/economic matters. It is designed to destroy state and societal institutions, create mass disorder, degrade the functioning of society and ultimately collapse the state. And most importantly, it seeks to achieve the most critical political and economic objectives without direct military contact with the opposing forces and without using high intensity armed combat – in which Russia cannot compete against Western military forces.

These principles have now been incorporated into Russia’s whole-of-government and private-sector formulation of hybrid or non-linear warfare, which has information warfare as the centerpiece of strategy. It should not be surprising that criminal organizations play an important role in its operational execution.

Criminal Hacking Groups

As was demonstrated in Estonia in 2007 (cyber only), and in the 2008 Russo-Georgian war (cyber and military), cyber-attacks bring with them an implicit psychological impact. In 2006, Estonia experienced the debilitating effects that can occur with Botnet Distributed Denial of Service (DDoS) cyber-attacks on banking and governmental networks.

Estonia suffered a 10-day attack on its Internet services, causing major disruption to its financial system. Estonia is commonly referred to as the world’s most Internet-connected country and it was paralyzed. This attack, while orchestrated by the Kremlin, was executed by criminal cyber organizations, illustrating that criminal organizations must be viewed as a Russian cyber army in reserve. They can execute operations while Russia can deny its active involvement.

In a further twist, criminal hackers hijacked American identities and software tools, using them in an attack on Georgian government websites during the Russia-Georgia war in 2008, according to The Wall Street Journal. Furthermore, they changed common Microsoft Corp. software into a cyber-weapon and collaborated on popular U.S.-based social-networking sites, including Twitter and Facebook Inc., to coordinate assaults on Georgian sites. Additionally, identification and credit-card information stolen from Americans was used to register nine of these attack sites, while one site was established using information stolen from a French citizen.

It is important to understand how Russian aggression preceded the attack. A significant number of Georgia’s Internet servers were eventually seized and taken under external control by hackers from late Thursday, August 7, 2008 forward. The StopGeorgia.com website posted instructions on how to attack 36 servers in Georgia. Its message was, “We the representatives of the Russian hako underground will not tolerate provocations by the Georgians in all its manifestations. We want to live in a free world, but exist in a free-aggression and Setevom space.” This web site was directly linked to individuals officially associated with RBN. Russia’s troops invaded Georgia on Friday, August 8. As Richard Weitz explained in World Politics Review in 2009:

The attackers did not conduct any preliminary surveying or mapping of sites, but instead immediately employed specially designed software to attack them. The graphic art used to deface one Georgian website was created in March 2006 but saved for use until the August 2008 campaign. The attackers also rapidly registered new domain names and established new Internet sites, further indicating they had already analyzed the target, written attack scripts, and perhaps even rehearsed the information warfare campaign…

In Estonia’s case, the cyber-attacks were preceded by riots and a constant haranguing by Russian-language web forums criticizing Estonia for relocating the Unknown Soldier statue, a Russian icon. These websites incited “patriots” to protect Mother Russia from the “F–cking Estonian Fascists” and called for vengeance by destroying the e-government and business systems – one of Estonia’s greatest achievements and an engine for its economic growth and efficiency. Messaging was used as the kindling to activate an army of hacktivists to attack the Internet infrastructure with massive DDoS attacks.

As with all Russian military operations, and now the combined arms hybrid strategy, Russian deception (maskirovka) operations contributed to the Georgian government’s overconfidence. This included the manipulation of Georgian intelligence sources in the Russian military in the run-up to the Kavkaz Russian military exercise in the North Caucasus. Disinformation on Russian readiness capabilities prepared the groundwork for perception management, or reflexive control, of Georgian decision-making. The intelligence reported that Russia did not have the readiness or will to invade. This was a successful ruse to lure Georgia into false confidence.

An important propaganda messaging campaign accompanied these conflicts: the target country and certain elements were labeled “fascist” in the Russia media for both internal and external perception purposes. The term has an extremely negative connotation within the Russian population after years of Soviet propaganda surrounding its victory over the Nazis in “The Great Patriotic War.” It had a profound effect, providing Putin an effective means of bolstering domestic support for Russian covert cyber operations and political/military activities.

Cyber War on Infrastructure

Ukraine’s critical infrastructure suffered a series of assaults before Crimea was annexed.

Mobile phone and Internet connections were severely hampered by equipment installed immediately after the invasion by Russian Special Forces within Ukrtelecom networks in the Crimea region under the control of Russia. Government websites were overwhelmed with DDoS attacks, social networks were corrupted, and Russian forces cut some of Ukraine’s phone and Internet cables. One of the first military objectives for the Russian “green men” was to capture Ukrainian telephone switches and install special technical devices to take control of the cell networks.

Estonia, Georgia and Crimea/Ukraine all illustrate how cyber warfare is best understood within the continuum of low-intensity conflict, specifically information operations (IO) and information warfare (IW). Cyber can lead the way in the run-up to war and be an integral part of an information and kinetic war.

These cyber-attacks were conducted covertly, through cutouts: cyber criminals who were used to mobilize patriotic youth, or other criminal organizations. It is for this reason that cyber-attacks should be considered an “Active Measure” according to Russian intelligence doctrine.

Terror as an Adjunct to Cyber Operations

While cyber operations clearly play a critical role, especially in the initial phases of covert war, terror also plays a role during the covert and overt phases of conflict, including cyber attacks.

This past August, the Head of the Security Service of Ukraine (SBU), Pavlo Hrytsak told a Kiev briefing:

Russia’s FSB continues to deploy its sabotage groups to Ukrainian soil to commit terrorist attacks in our territory. Among their main targets are strategic infrastructure facilities, while another goal is the assassination of certain public and political figures. As a rule, they should be some high-profile personas, no matter their political affiliation – the ruling forces or the opposition. The aim is for the assassination of such a figure to yield the expected public outcry…

He continued:

Over the last month, the Security Service exposed three such groups. In particular, in Kharkiv on July 17 we detained the leader and the main executor, the organizer of such a group, trained by the Main Directorate of the General Staff of the Russian armed forces. The group was instructed to assassinate several public figures and Ukrainian government officials. Subversive efforts are manifested in internal destabilization, the efforts of subversive reconnaissance groups, attempts to commit acts of sabotage and terrorist acts…

He concluded the press briefing with this:

I will only recall the last few key activities that the Russian Federation is engaged in, while constantly accusing Ukraine of violating Minsk agreements. It’s the attempts to incite and provide media support for pseudo rallies on ethnic grounds; systemic spins of fake news, such as about the supply of missile engines to North Korea and detentions in Crimea and in occupied areas of Donetsk and Luhansk regions of sabotage groups allegedly sent by the SBU.

Assassinations and Terrorist Bombings Destabilize Ukraine

Ukraine regularly experiences assassinations and terrorist actions as the conflict continues in Eastern Ukraine. On December 19, 2014, members of the Ukrainian SBU arrested a suspected saboteur in central Kiev who, acting under instruction from her Russian superiors, had transported a powerful bomb from Luhansk, under the control of Russian-backed militants from the so-called “Luhansk People’s Republic.” She was picked up in Kiev’s busy center right after she left a handbag with a bomb inside. It was St. Nicholas Day, when the area would have been filled with families with young children.

In one of the most high profile murders, Russian State Duma member Denis Voronenkov, expected to become an important witness in a treason trial against Russian-backed ex-president of Ukraine Viktor Yanukovych, was shot dead in the center of Kiev. The Prosecutor General of Ukraine asserted that the person who ordered the murder is now in Russia, has links to criminality, and has “live contacts” with the Russian special services. He added that “The executors were mainly citizens of Ukraine, most of them have been identified, and those with proven facts have been detained.”

In June 2017, a car bomb in the heart of Kiev shredded a black Mercedes being driven by senior intelligence leader, Col. Maksim Shapoval, chief of the Ukrainian military special-ops forces intelligence. This was merely the prelude to the main event: a massive, well-disciplined cyber-assault aimed to bring the Ukrainian state and society to a halt. A wide range of institutions including vast swaths of the private sector were targeted by cyber hacks, ransomware, and malware.

Flooding Social Media Outlets with Trolls

Russia continues to engage in global information and social media campaigns to shape international opinion around its invasion of Ukraine. It activated troll armies by recruiting and training a new cadre of online trolls that have been deployed to spread the Kremlin’s message in the comments sections of top American and Western websites and media centers to promote a number of false narratives. These include the idea that the people of Crimea, in a free and fair election, nearly unanimously voted for secession from Ukraine. Another described the ouster of President Viktor Yanukovych as a coup by fascists.

A document on Russian structure and strategy for its army of trolls was leaked and reported in BuzzFeed by Max Seddon in 2014. The details are illuminating:

Foreign media are currently actively forming a negative image of the Russian Federation in the eyes of the global community. Additionally, the discussions formed by comments to those articles are also negative in tone. Like any brand formed by popular opinion, Russia has its supporters (‘brand advocates’) and its opponents. The main problem is that in the foreign Internet community, the ratio of supporters and opponents of Russia is about 20/80 respectively.

The document provided instructions to the trolls and detailed their expected workload each working day: they should post comments on news items 50 times a day. Each blogger is required to maintain six Facebook accounts, publishing a minimum of three posts a day and participating in news groups at least twice a day. “By the end of the first month, they are expected to have won 500 subscribers and get at least five posts on each item a day. On Twitter, the bloggers are expected to manage 10 accounts with up to 2,000 followers and tweet 50 times a day.”

Target America

The timing and coordination of physical and cyber-attacks in Ukraine might have been a signal to the United States, which had embarrassed Russia in Syria. The United States had announced the day before the assassination of Shapoval and the cyber attacks that Syria was preparing a chemical-weapons attack, which American forces were prepared to disrupt.

Using attacks in Ukraine to send messages to America might not be as far-fetched as it seems. Even the renewed debates in the American news media and foreign-policy circles over the extent to which the Russian government should be, or should have been, punished for its systematic interference in the 2016 U.S. presidential election might have been a consideration for Russian actions. In truth, the Russian cyber-attacks on the Democratic National Committee (DNC) are only the visible tip of the iceberg of Russia’s massive cyber campaign targeting American institutions. According to former FBI agent Clint Watts in congressional testimony:

Hackers proliferated Western networks and could be spotted amongst recent data breaches and website defacements. In conjunction with these activities were honeypot accounts – attractive-looking women or passionate political partisans – that appeared to be befriending certain audience members through social engineering. Above all, the FBI observed hecklers, synchronized trolling accounts that would attack political targets using similar talking points and follower patterns. These accounts included overtly Kremlin supported sites that promoted Russian foreign-policy positions. These activities targeted key English-speaking audiences throughout Europe and North America. From this pattern of activities, it was clearly a deliberate, well-organized, well-resourced, well-funded, wide-ranging effort commanded by Russia.

The New York Times reported in September 2017 that hundreds of fake Facebook accounts and pages bought $100,000 in political ads during the presidential campaign last year. These fake accounts and pages were connected to a Russian company called the Internet Research Agency, a company well known for using troll accounts to post Kremlin-approved messages on social media and comments on news websites. One Russian newspaper put the number of employees at 400, with a budget of at least 20 million rubles (roughly $400,000) a month, as reported in an earlier NYT story. The ads were not directly about a particular candidate but about the hot-button issues associated with them.

On January 6, 2017 the Director of National Intelligence (DNI) released an unclassified version of the report: Assessing Russian Activities and Intentions in Recent U.S. Elections (ICA 2017-01D). Its findings concluded:

We assess Russian President Vladimir Putin ordered an influence campaign in 2016 aimed at the US presidential election. Russia’s goals were to undermine public faith in the US democratic process, denigrate Secretary Clinton, and harm her electability and potential presidency. We further assess Putin and the Russian Government developed a clear preference for President-elect Trump.

It also stated:

Moscow’s influence campaign followed a Russian messaging strategy that blends covert intelligence operations—such as cyber activity—with overt efforts by Russian government agencies, state-funded media, third-party intermediaries, and paid social media users or “trolls.”

Russia has the strategy, the intellectual and scientific capital, the will and the organization to implement and carry out cyber and information warfare on a global scale. It does not have the global military capabilities of the Soviet past and knows it cannot match the United States in a toe-to-toe confrontation. Russian use of political and economic subversion has increasingly become its favored method of seeking to exert control and influence over foreign governments, increasing its political influence operations not only in Ukraine but also throughout Europe and the United States. It is a cheaper and less risky option to re-establish itself as a world power. Russia is a superpower in its neighborhood and has additional effective means with this doctrine to extend its influence and project its power.

The controversy that grips the American political system and public life today illustrates the effectiveness of Russian capabilities, the overriding goal of which is to weaken the target country. And the United States is the main adversary. Today, our institutions are under attack, our trust in government is challenged, and our allies are filled with doubt. The pressing challenge of the day is how the United States and its people will respond to this new form of warfare against the United States and its allies.

Paul M. Joyal is managing director of law enforcement and public safety practice at National Strategies (NSI).