Russia has been refining its cyber capabilities against its neighbors and Western targets since 2007. Exploitations and disinformation campaigns seek to test Western responses and undermine legitimacy.
This essay examines attacks against the US and Western Europe found in academic, journalistic, and professional sources. We analyze Russian tactics, justifications and motivations for warfare, and conclude with recommendations for cognitive security.
Attacks against America have evolved from espionage to influence campaigns seeking to sabotage democratic processes (Lipton, Sanger, & Shane, 2016). Since at least 2015, Russian-backed cyber syndicates tested America’s cyber-defenses and information environment. The State Department was persistently attacked to the point of system closure in order to expel intruders (Lipton, Sanger, & Shane, 2016). The White House, Pentagon, IRS, and Joint Chiefs of Staff were deceived into transmitting information while disguising command and control messages to avoid detection (Lipton, Sanger, & Shane, 2016). Such exploits coincided with spear phishing Presidential campaign officials.
Besides media hacking, Russian trolls manipulated social media and related algorithms to define political narratives (Borthwick, 2015). User sharing proliferated fake news implants and headlines. After dense social networks were penetrated and connected, it was hard for the truth to catch up (Borthwick, 2015). Dozens of fake Twitter accounts spread a false story about a chemical factory explosion in Louisiana, targeting specific groups to produce maximum notice. A Wikipedia page and cloned websites doctored the video footage (Chen, 2015).
The extensive success of such disinformation was made possible through sophisticated state-run troll factories. The Internet Research Agency is a notorious source that deploys pro-Kremlin propaganda under fake identities to create illusions of massive support and interested news consumers (Chen, 2015). Russian-owned media reinforce these deceptions to ensure bogus stories gain traction (Watts, 2017). Such activities have exposed the fragility of news discovery systems within the US (Borthwick, 2015). National responses to media hacking clearly underestimated its significance (Lipton, Sanger, & Shane, 2016).
Initial cyber exploitation against America served as test runs for interfering in the 2016 election. While both political parties were hacked through computer network operations, Democratic National Committee (DNC) hacks were chosen for exploitation. This decision emerged from an understanding that Trump would be a better candidate for Russo-American relations than Clinton (Office of the Director of National Intelligence [ODNI], 2017). Thus the election was weaponized in the context of larger geo-political competition (Inkster, 2016).
The DNC was hacked by two Russian cyber organizations. APT28 (Fancy Bear) had links to Russia’s Main Intelligence Directorate (GRU) and penetrated the DNC network in April of 2016. APT29 (Cozy Bear) had intruded for over a year under the direction of the FSB (Inkster, 2016). Both groups used malware to enter the network independently. A plethora of email correspondence was subsequently leaked through WikiLeaks and DCLeaks by the GRU’s “Guccifer” persona before being spread throughout mass media (ODNI, 2017).
Officials were not the only targets of election sabotage. Russia attained and sustained access to electoral boards despite not actually affecting vote tallies (ODNI, 2017). Hackers gained access to the Illinois state voter database, compromising over 90,000 personal records (Riley & Robertson, 2017). Additionally, 37 states reported traces of hackers (Riley & Robertson, 2017). The Obama Administration suspected Russia was trying to delete voter registrations or slow vote counting to undercut election confidence (Riley & Robertson, 2017). After warning Russia, hacking continued unabated.
While cyber-attacks surrounding the 2016 election appear significant, they were merely espionage mechanisms that served a larger information operations campaign. Upon revelations that a Clinton victory appeared imminent, Putin ordered an influence crusade. Years of preparation through meticulous cyber-attacks provided ammunition for exploitation and an ability to remain plausibly deniable (ODNI, 2017).
Leaks served to defame the less favorable candidate. Leak sites claimed to be uncovering corruption and fostering transparency. Their attraction became a powerful tool for guiding pro-Russian narratives by broadcasting compromising information on designated foes (Weisburd, Watts, & Berger, 2016). While such sites may not be consumers of Kremlin propaganda, the results of leaks reveal them as pushers (Weisburd, Watts, & Berger, 2016).
Leaks also supported an influence campaign enabled through trolls and bots on social media platforms. The overarching goal was to divide the left while making Republicans look united (Bertrand, 2016). Many troll factories were likely orchestrated by the Kremlin to produce pro-Trump propaganda (Bertrand, 2016). Numerous fake accounts had a history of being pro-Kremlin before the campaign, and it was apparent that English was not their operators’ first language (Collison, 2016).
Researchers determined that a program created 75% of pro-Trump posts, bots provided 15% of Trump followers, and Russian-backed memes appeared in over 25,000 posts (Fox-Brewster, 2016). Memes by phony users also produced phony posts that triggered controversial topics and iconographic depictions of Trump to affect the tone of the election (Schreckinger, 2017). Hackers, honeypots, and hecklers enhanced trolling operations to influence Americans (especially right-wing voters) through people-to-people engagement (Weisburd, Watts, & Berger, 2016). Concurrently, pro-Russian media, like Russia Today and Sputnik, reinforced influential leaks and false narratives to ensure a level of relevance (ODNI, 2017).
Outside election meddling, cyber-attacks and influence campaigns have persisted. Hours after Trump’s victory, Cozy Bear sparked a surge of malware-laden email attacks against individuals in think tanks, universities, NGOs, and the federal government (Franceschi-Bicchierai, 2016). Trolls and bots within social media continue to vigorously endorse Russian-friendly topics and attempt to sow discord and division within our society while posing as Americans (Lysenko, 2017a).
Democratic institutions may not be the only target of Kremlin exploits, as revealed by multiple reports of Russian-linked cyber probes. Computer network operations breach dozens of power plants as hackers search for vulnerabilities within the power grid (Riley, Dlouhy, & Gruley, 2017). Hackers also infiltrate companies that manufacture control systems for the power industry, and have previously struck the Ukrainian electrical grid (Riley, Dlouhy, & Gruley, 2017). The absence of operational damage could indicate the presence of backdoors into systems for future disruption (Riley, Dlouhy, & Gruley, 2017).
Russian cyber and informational abuses against America highlight several critical questions. First, why in the midst of election meddling and gaining access to voter systems, has Russian intelligence refrained from disrupting voting results? Russian hackers appear to have either failed in this attempt, were deterred after being warned, or simply hacked systems for amusement. Second, has American counter-intelligence been so disregarded in recent years amidst the information revolution that our security and governance are at the mercy of Russian will? Third, does Russian interest in critical infrastructure vulnerabilities serve as a catalyst for greater conflict? Finally, how can we anticipate what lies ahead in terms of Russian cyber-tactics against America?
Russian pursuit of domestic interference in European countries through cyber-attacks and disinformation is similarly prevalent. The same groups that sought to interfere in the US election have also ensured that espionage and sabotage exist closer to home.
The Warsaw Stock Exchange was breached in 2015, as attackers stole data, made multiple client logins public, and opened systems for other cyber criminals to abuse (Riley, 2015). The attack was a false flag by Russian hackers claiming to be Muslim militants angry over Polish support of anti-ISIS bombings (Riley, 2015). In addition, Russian hackers targeted Germany’s largest steelmaking blast furnace with malware (Riley, 2015).
Also in 2015, evidence revealed hacking attempts on Dutch government computers as a means to extract a report concerning the shoot-down of Malaysia Airlines Flight 17 over Ukraine in 2014 (Windrem, 2016). The report concluded that a Russian missile fired by pro-Russian rebels caused the crash (Windrem, 2016).
Finally, France’s TV5Monde and its 12 affiliates were taken off the air following the launch of a new channel (Corera, 2016). Its network was penetrated four months earlier through seven points of entry that identified broadcasting processes and installed malware to corrupt operational hardware (Corera, 2016). Following initial sabotage, the station’s website was defaced, feeds were hijacked for days, and a sham hacking group titled the Cyber Caliphate claimed credit (Corera, 2016). Indications are that Cyber Caliphate is a false flag for APT28, disguised to mask Russian espionage efforts, provoke terror anxiety, and sow discord (Schindler, 2016). A running tally of similar instances may be found at euvsdisinfo.edu.
European politics are also an area of interest for Russian cyber-attacks and information operations campaigns. Moscow strategically backs attempts to influence Western elections in favor of candidates with policies more friendly to the Kremlin, while defaming candidates it regards as adversarial. The UK has evidence of Russian infiltration and exploitation of top officials’ accounts related to elections and the Brexit referendum (Forster, 2017). Norway’s Labour Party also suffered hacks whose effects remain unclear (NTB, 2017).
Germany may be deemed a more important mark for Russian cyber-attacks. In 2015, APT28 hacked the Bundestag, penetrating the networks of Chancellor Merkel’s Christian Democratic Party and other lawmakers (Shalal, 2017). Motivations were to spoil Merkel’s reelection prospects in response to sanctions against Putin’s associates following the annexation of Crimea (Windrem, 2016). Russian disinformation targeted another candidate, Martin Schulz, with a false story that charged his father with running a Nazi concentration camp (Shalal, 2017).
Spain became a casualty of Russian information warfare as well. Putin’s online disruption apparatus worked behind the scenes of the Catalonian independence movement, seeking to frame the situation as a crisis similar to the Crimean annexation (Alandete, 2017). Russian trolls depict Spain as repressive by planting false stories of suppression and imminent civil war (Alandete, 2017). Russian officials reinforce this by hosting referendum sites and further spreading misleading stories through state media outlets (Alandete, 2017). These efforts create divisiveness designed to undermine European democracy.
Perhaps most comparable to American election meddling is the interference in the recent French presidential election. Cyber-attacks were inflicted against Macron’s campaign, including thousands of attempted malware intrusions, the purging of internal information, and a DDoS attack on the campaign website (Noack, 2017). Fingerprints including IP addresses and malware were nearly identical to those used against the DNC (Noack, 2017). APT28 sent tainted emails to campaign officials, eventually retrieving private data (Auchard & Felix, 2017). Official documents were intermixed with counterfeit documents before being leaked to the public and disseminated in far-right forums (Auchard & Felix, 2017). The overall aim was to sow doubt and misinformation as a means to discredit Macron in favor of the more Russian-friendly candidate, Le Pen (Noack, 2017).
Russian information warfare against Europe yields important insights. Primarily, we can see how Russia uses propaganda to distort reality. Russian oligarchs see people as poor distinguishers between true and false information, such that when swarmed with information they tend to ignore credibility (Marechal, 2017). Thus, the utilization of familiar but false themes, statements backed by false evidence, and a facade of objectivity enables propaganda to alter mindsets (Marechal, 2017). This method serves the goals of inciting domestic division and questioning the legitimacy of Western (or rather anti-Russian) institutions.
Secondly, influence is becoming democratized with the Internet, challenging traditional media’s roles as agenda setters and gate keepers (Waltzman, 2017). Amidst the dwindling importance of traditional journalism and the prevalence of opinion pieces and social media sharing, false narratives are easily implanted and taken at face value. Rumors spread like wildfire, prompting mob-like reactions and inspiring unconventional effects. Russia gambles on such means to delegitimize adversarial opponents and institutions while promoting its own image.
Finally, German efforts to defend against and prevent Russian cyber/information war have demonstrated that social media companies can limit but not erase the impact of fake news (Allan, 2017). Facebook targeted thousands of fake accounts, limited click-bait spam, set up a reporting mechanism, expanded partnerships, and trained officials on web security issues before and during the election (Allan, 2017). While somewhat effective, false narratives still circulated widely on the platform.
Having identified that the effect of Russian information warfare against the West is to incite domestic turmoil in order to boost Russia’s own position, it’s important to understand defensive options. In order to productively resist Russian aggression and develop counter-measures, we need to first evaluate the aggressor and related competencies (Lysenko, 2017b). We will analyze the findings to identify common Russian tactics and targets as a means to understand larger operations and strategy. This analysis will further illuminate Russian motivations for such pursuits and help us develop potential solutions.
Before tactics can effectively support larger information warfare objectives, targets must be determined, which in turn affects how and what tactics will be carried out. Traditionally, Russian hackers have pursued Western political parties, defense industries, intelligence units, foreign and defense ministries, military units, churches, academia, governmental agencies, energy sectors, intergovernmental organizations, and media outlets (Hacquebord, 2017). Overall, Russia has selected 200 distinctive targets covering 39 states, with primary targets comprising government officials and secondary foci covering members of civil society (Hulcoop, Scott-Railton, Tanchak, Brooks, & Deibert, 2017).
Governmental targets make sense for political goals, but why regular citizens? An animated civil society serves as a significant contradiction to authoritarian rule (Hulcoop et al., 2017). Since this condition threatens powerful elites in non-democratic regimes, espionage activities are directed against civil societies to limit influence and changes to the status quo (Hulcoop et al., 2017). While originally a mechanism for subduing internal movements, the same method assists foreign attempts in achieving political objectives.
Tactically, Russian cyber-organizations like APT28 actively conduct espionage and influence campaigns through social engineering lures, credential phishing, malware, and false flag operations (Hacquebord, 2017). They attack a designated target from multiple sides, using alternate methods simultaneously to achieve a final goal (Hacquebord, 2017). These groups, through their intelligence agency backing, have enormous resources relative to the low cost of their operations. This ratio enables long-winded campaigns to be pursued and huge amounts of data to be collected (Hacquebord, 2017).
A prevailing modus operandi consists of credential phishing attacks that work to entrap even the most sophisticated and cautious webmail users. Posing as legitimate applications, they are in reality social lures (Hacquebord, 2017). Spear-phishing is also prevalent: email links referencing relevant events bait users into clicking. Once a hacker is into a targeted computer, further infiltration of the network infrastructure can obtain control of other nodes (Hacquebord, 2017). Finally, watering holes (compromised sites that targets visit, often linked from legitimate sites) manipulate web browsers while they are open (Hacquebord, 2017).
Once information is obtained, damning portions are leaked to sow public doubt or assist in character assassinations. This method is straightforward. Yet the more recent tactic of tainted leaks, in which genuine documents are seeded with falsified content, achieves more harmful results, and tainted leaks combined with phishing may prove even more effective. This combination can subvert targets within civil society, scattering misinformation and suspicion (Hulcoop et al., 2017).
Finally, troll factory tactics resemble people-to-people messaging, directly engaging users who fit a demographic as a means for further exploitation. Troll ringleader accounts manage organized provocations by stifling or smearing individuals who possess authority in targeted domains of interest to Russian policy (Weisburd, Watts, & Berger, 2016). Once a target is nominated, volunteer hecklers join in with various motivations for and approaches to harassment (Weisburd, Watts, & Berger, 2016).
Operationally, the synchronization of tactics on an array of targets turns the assets of open societies (pluralism, expression, and diversity) against themselves (Lysenko, 2017b). This timed orchestration entails subtly changing foreign public opinion through a variety of information channels. Thus if malicious information is scrupulously implanted into standard information streams without attributable or physical detection, and those implants provoke fears or anxieties, cognitive hacking is enabled (Marechal, 2017).
From a strategic perspective, information operations that include cyber and influence pursuits abroad are combined with surveillance and censorship at home in a continuous pursuit (Marechal, 2017). This persistent approach can prove to be most advantageous against the West, which normally pursues information operations only in support of conventional hostilities (Marechal, 2017). Beyond incessant operations, Russian information operations are systematic, economical, asymmetric, and supported by a whole-of-nation approach (Marechal, 2017). Thus, information operations are synonymous with cyber-security and indistinguishable from Russian national security. This integration occurs because achieving national security goals consists of influencing the resources (to include informational) of the opposing side (Lysenko, 2017b).
Upon qualitative analysis of Russian cyber and information campaigns against the West, it is important to uncover foundational motivations for the Kremlin’s pursuit of information warfare. There is no better place to look than at the intentions of Russia’s leader, Vladimir Putin.
Putin’s existential war against the West emanates from an understanding that the fall of the Soviet Union is widely regarded as one of the largest geo-political tragedies of the 20th century (Lysenko, 2017a). This bitter nostalgia strengthens the will to restore Russian preeminence at any cost. Evidence of this mindset was illuminated during the Munich Security Conference, where Putin blamed the West for most problems facing the globe today (Lysenko, 2017a). Following the Arab Spring and Presidential election protests in Russia, Putin blamed the US (and necessarily Secretary of State Clinton) for instigating domestic and pro-Western movements, declaring such tactics as personal affronts on national sovereignty (Dorell, 2017).
Concurrently, Putin sees the information revolution, and America’s large role in it, as a component of Western expansionism (Lysenko, 2017a). This realist disposition regards the Internet as a direct threat to Russian power and legitimacy. In response, the Kremlin seeks to restrain the Internet at home while unleashing it against adversaries abroad. Putin is convinced that the US thwarts Russian progress through soft power mechanisms like the media, so he responds with non-linear information war that substitutes for conventional means (Inkster, 2016).
We continue to search for other explanations of Russian strategic aims. Volodymyr Lysenko argues that Russia predicts an imminent depletion of financial resources in the near future, making it difficult for a Putin regime to continually survive amidst sanctions, low oil prices, persistent economic challenges, and extreme dependence on oil and gas (Collison, 2016). He asserts that promising economic conditions in 2012 drastically deteriorated following the 2014 Ukrainian conflict, causing the Kremlin to blame the US for subsequent problems (Collison, 2016). According to this perspective, Russia sees cyber-related efforts as a suitable retort to Western influence and an effective tool for a state that understands it cannot compete conventionally with the West (Windrem, 2016). In this pursuit, elusive and precise cyber/information attacks against center-of-gravity targets combine to challenge the NATO strategy of deterrence and collective security.
In order to change its strategic situation, Russia must therefore re-launch its image abroad through influence crusading. An overarching narrative flows from the top (Putin) down through the media to the grassroots, promoting the notion that Russia is misconstrued as a superpower while Western states are the genuine corrupt actors in the world (Jaitner, 2015). This obliges efforts that seek to divide electorates and ensure leaders possess murky mandates to govern (Weisburd, Watts, & Berger, 2016).
Such inflicted political turmoil has the potential to erode or dissolve EU membership and break up NATO, enabling Russia to reassert its power (Watts, 2017). Hence, undermined confidence in democratic governance, political fractures, and eroded trust between citizens and leaders can be combined with the popularization of Russian policy agendas and a growing mistrust of information sources (Weisburd, Watts, & Berger, 2016). In the end, Russia hopes the gamble of adjusting political outcomes by affecting political perceptions will either (a) force the West to accept strategic defeat, or (b) otherwise compel it to accommodate Russia’s global ascension and the aggressions that reinforce it.
Based on our review of Russian cyber and informational exploits, analysis of outcomes, linkages between tactics and strategies, and larger motivations for pursuing information war, the Kremlin appears obstinately on this course for the near future. Recent history reveals an asymmetric advantage that the West has been unable to adequately defend against, and perhaps even comprehend. Therefore we need to take measures to bolster protection against the exploitation of institutions that represent Western values and principles.
Electoral systems must be free from potential manipulation. Western governments need to guarantee the cyber-security of voting machines or take them offline (Schneier, 2016). Direct prevention methods at the micro level should be formulated to thwart computer network attacks for espionage, sabotage, and disinformation purposes. Firewalls help, but other means are needed to reduce attack surfaces. Actions could include employees using corporate VPNs for email access, consolidating email servers and reducing domain names, multi-factor authentication for webmail, loaner computers for travel, and trustworthy third parties for software updates and penetration tests (Hacquebord, 2017).
We must also seek solutions that limit the effects of disinformation. This effort starts with leaders recognizing and publishing Russian exploits as they are discovered. Overt exposure of Russian methodology goes a long way in limiting the effectiveness of false narratives. Investigations should identify who is targeted in hacks, why they were chosen as targets, what information has been stolen, and the extent of related penetration.
Educational campaigns in both public and private institutions can also pay dividends. A media scoring system which rates sources for accuracy can illuminate the extent of disinformation, especially if adopted by social-media platforms (Watts, 2017). These measures can construct a holistic approach of situational awareness and collaboration among civil society, professionals, government, and media to proactively and systematically shape a hardy information environment.
As a result, cognitive security can give the West an advantage in the arms race of influence (Marechal, 2017). By protecting against the manipulation of cognitive biases within sizable populations, the Western information environment may prove resilient enough to deter future exploitations.
Alandete, D. (2017). How Russian news networks are using Catalonia to destabilize Europe. EL PAIS, September 25, 2017.
Allan, R. (2017). Update on German Elections. Facebook, September 27, 2017.
Auchard, E., and Felix, B. (2017). French candidate Macron claims massive hack as emails leaked. Reuters, May 6, 2017.
Bertrand, N. (2016). It looks like Russia hired internet trolls to pose as pro-Trump Americans. Business Insider, July 27, 2016.
Borthwick, J. (2015). Media hacking. Render-from-betaworks, March 7, 2015.
Chen, A. (2015). The Agency. The New York Times Magazine, June 2, 2015.
Collison, C. (2016). Cybersecurity and the US election: Volodymyr Lysenko discusses Russia’s role ahead of vote. The University of Washington Herbert J. Ellison Center for Russian, East European and Central Asian Studies, October 25, 2016.
Corera, G. (2016). How France’s TV5 was almost destroyed by ‘Russian hackers’. BBC, October 10, 2016.
Dorell, O. (2017). Alleged Russian political meddling documented in 27 countries since 2004. USA TODAY, September 7, 2017.
Forster, K. (2017). Clear evidence Russia interfered in 2015 UK election, says former Labour minister. The Independent, February 21, 2017.
Fox-Brewster, T. (2016). Donald Trump’s Instagram Following Is Full Of Bots And Russians. Forbes, November 7, 2016.
Franceschi-Bicchierai, L. (2016). Russian Hackers Launch Targeted Cyberattacks Hours After Trump’s Win. Motherboard, November 10, 2016.
Hacquebord, F. (2017). Two Years of Pawn Storm: Examining an Increasingly Relevant Threat. TrendLabs Research Paper.
Hulcoop, A., Scott-Railton, J., Tanchak, P., Brooks, M., and Deibert, R. (2017). Tainted Leaks: Disinformation and Phishing With a Russian Nexus. Report by The Citizen Lab, the Munk School of Global Affairs, University of Toronto, May 25, 2017.
Inkster, N. (2016). Information Warfare and the US Presidential Election. Survival, 58(5), p. 23-32.
Jaitner, M. (2015). Russian Information Warfare: Lessons from Ukraine. In Cyber War In Perspective: Russian Aggression Against Ukraine. NATO CCDCOE, Tallinn, Estonia.
Lysenko, V. (2017a). Russian cyber meddling into American presidential election.
Lysenko, V. (2017b). Roots of the Russian online aggression.
Lipton, E., Sanger, D.E., and Shane, S. (2016). The Perfect Weapon: How Russian Cyberpower Invaded the U.S. The New York Times, December 13, 2016.
Maréchal, N. (2017). Networked authoritarianism and the geopolitics of information: Understanding Russian Internet policy. Media and Communication, 5(1), 29-41.
Noack, R. (2017). Cyberattack on French presidential front-runner bears Russian ‘fingerprints,’ research group says. The Washington Post, April 25, 2017.
NTB/The Local (2017). Norway’s Labour Party was hacked by Russia: report. February 3, 2017.
Office of the Director of National Intelligence. (2017). Assessing Russian Activities and Intentions in Recent US Elections. Intelligence Community Assessment ICA 2017-01D, 6 January 2017.
Riley, M. (2015). Cyberspace becomes second front in Russia’s clash with NATO. Bloomberg Technology, October 15, 2015.
Riley, M. and Robertson, J. (2017). Russian Cyber Hacks on U.S. Electoral System Far Wider Than Previously Known. Bloomberg Politics, June 13, 2017.
Riley, M., Dlouhy, J.A., and Gruley, B. (2017). Russians Are Suspects in Nuclear Site Hackings, Sources Say. Bloomberg Politics, July 6, 2017.
Schindler, J.R. (2016). False Flags: The Kremlin’s Hidden Cyber Hand. Observer, June 18, 2016.
Schreckinger, B. (2017). World War Meme: How a group of anonymous keyboard commandos conquered the internet for Donald Trump—and plans to deliver Europe to the far right. POLITICO Magazine, March/April 2017.
Schneier, B. (2016). By November, Russian hackers could target voting machines. The Washington Post, July 27, 2016.
Shalal, A. (2017). Germany challenges Russia over alleged cyberattacks. Reuters, May 4, 2017.
Waltzman, R. (2017). The Weaponization of Information. Testimony presented before the Senate Armed Services Committee, Subcommittee on Cybersecurity, April 27, 2017.
Watts, C. (2017). Clint Watts’ Testimony [before the Senate’s intelligence committee on Russia’s interference in U.S. politics]: Russia’s Info War on the U.S. Started in 2014. The Daily Beast, March 30, 2017.
Weisburd, A., Watts, C., and Berger, J.M. (2016). Trolling for Trump: How Russia Is Trying to Destroy Our Democracy. War on the Rocks, November 6, 2016.
Windrem, R. (2016). Timeline: Ten Years of Russian Cyber Attacks on Other Nations. NBC News, December 18, 2016.