Russia Beefs up Its Offensive Cyber Capabilities

Publication: Eurasia Daily Monitor Volume: 13 Issue: 188


The Russian mass media (with a reference to the Reuters news agency) reported, on November 11, that Russian hackers launched a series of cyberattacks against analytical centers and think tanks inside the United States (, November 11). This may have been carried out by the Moscow-backed “Cozy Bear” hacker group, previously accused of having infiltrated the Democratic Party National Committee’s e-mail servers.

Exponential growth in hacker attacks over the past several months has revived the belief that the world is being rapidly dragged into a “First Cyber War” (, accessed November 14). And the Russian Federation—which has intensified cyberattacks on its ideological opponents across the West—has come under mounting scrutiny.

This “cyber war” started much earlier, however. In fact, Russia effectively proclaimed it more than two decades ago. Previously, individual Russian hackers were lured either by lucre, as in 1994 and 1998 (when Citibank and Bank of America were chosen as targets), or motivated by revenge, such as in 1999 (when the computer servers of the North Atlantic Treaty Organization and the US Navy were targeted in response to NATO’s bombing of Serbia) (, December 8, 2015). But today, Russian offensive cyberattacks have attained a qualitatively new level. Seemingly, the Kremlin is now trying to claim its “rightful place” near the top of the hierarchy of global cyber powers.

Highly planned, organized, coordinated and financed, these actions can no longer be ascribed to individuals with uncertain connections to the state. Rather, today’s Russian cyberattacks are being directly carried out by such powerful security-sector government institutions as the Federal Security Service (FSB) and the Ministry of Defense. This assertion is supported by analysis of new cyber-domain prerogatives granted to these institutions as well as legal-normative changes in Russia’s cyber security strategy within the past 16 years (see below).

Regarding the offensive component of Russian cyber security, the year 2000 (when the first Doctrine of Information Security was adopted) should be seen as a landmark event. Even though the document did not contain explicit reference to offensive actions as such, it nonetheless emphasized the necessity to protect Russian society from “detrimental” external information while simultaneously hailing “patriotism” and “Russian values.” The new Doctrine now being drafted (which is likely to be adopted in early 2017) enables Russia to act much more assertively and to “provide support to its allies.” Moreover, the draft document preaches “strengthening centralization in the domain of cyber security” and “upgrading information security in the Russian armed forces” (, November 14).

Undeniably, within less than a decade, Russia has been able to demonstrate an impressive increase in offensive capabilities. Notably, it has carried out numerous cyberattacks against relatively weak opponents, such as Estonia (2007), Georgia (2008), Kyrgyzstan (2009) and Ukraine (2014), as well as by targeting powerful actors, such as the United States and Germany (2016).

This success owes much to a clear division of functions between the security services and the military. For example, two of the most notorious and powerful Russian hacker groups uncovered in recent months—Cozy Bear (allegedly coordinated by the FSB) and Fancy Bear (reportedly controlled by the Russian Ministry of Defense)—perform different but in many ways complementary tasks (, November 7).

Incidentally, this division of “responsibilities” occurred even before the outbreak of the Ukrainian crisis in late 2013–early 2014. So-called “research units” were notably given a boost in 2012. Personally “blessed” by Russian Defense Minister Sergei Shoigu, these units—particularly, the 6th (, accessed November 14) and 7th (, accessed November 14) research units—opened up a range of new possibilities for developing offensive cyber mechanisms under the umbrella of the Russian Armed Forces (see EDM, October 26).

The FSB, meanwhile, was granted the ability to initiate offensive cyber operations as early as 2008, when the “Kvant” Research Institute (established in 1978, and tasked with cyber-related issues) was transferred under its full command (, accessed November 14). Furthermore, on January 15, 2013, a special legislative act bestowed additional and even broader powers in the field of cyber security on the FSB (, January 22, 2013). The FSB is now responsible for securing so-called “critical informational infrastructure” situated both in Russia and abroad (, January 22, 2013). Also, it has been convincingly argued that the FSB’s cyber arm supported a number of tests pertaining to the Remote Control System, meant to survey and track all activities on an infected device like a computer or a smartphone. The security service was also implicated in designing powerful distributed denial-of-service (DDoS) attacks (, September 3, 2015). The link between the FSB and the largest Russian mobile operator, MTS, was established when the former director of “Kvant,” Georgy Babakin (who had previously worked for the FSB for 15 years), was appointed to head MTS’s projects related to cyber security (, November 7, 2016).

The war against Ukraine engendered two new hacker groups that further illustrate Russia’s offensive cyber potential. The first one, known as “CyberBerkut,” was repeatedly accused of numerous cyberattacks against Ukraine, Germany, the United States and NATO. The second one, calling itself the “CyberCaliphate,” is said to be linked with the Islamic State—but this purported relationship seems rather dubious. More detailed analysis of capabilities demonstrated by the group suggests the involvement of a much more powerful and able actor(s)—i.e., a state government. Thus, many observers and specialists directly link the CyberCaliphate with the Kremlin (, June 18).

Reflecting on the offensive facets of Russian cyber operations and the nature of their success, what increasingly stands out is a flexibility in Moscow’s approach. Namely, Russia does not shy away from employing various operatives, ranging from known criminals to highly trained specialists working under the umbrella of the Russian government. This approach appears to be rather uncommon and perhaps even incomprehensible for many external players (especially for the Europeans). Moreover, Russian cyber operations should not be viewed as a separate or detached phenomenon. Rather, cyber hacking is a fundamental element of Russia’s broader information warfare operations, which exploit numerous artificially twisted historical, religious and cultural narratives (see EDM, October 24, 27). All this can make it particularly difficult for outside actors to identify or comprehend the Russian modus operandi in the cyber domain.