Russia and Cyberspace
Just as war is the continuation of politics by other means, for Russia, cyber operations are a continuation of intelligence operations by other means. For decades, the Russian Federation, and before it the Soviet Union, has been a keen observer of developing intelligence and military tactics, which it is prone to adopt and adapt into a relatively consistent long-term strategy.
In his exposition on Russia’s spetsnaz (Спецназ), or special forces, retired Main Intelligence Directorate (GRU) officer Vladimir Kvachkov observed, “A new type of war has emerged, in which armed warfare has given up its decisive place in the achievement of military and political objectives of war to another kind of warfare — information warfare.” [1] Kvachkov distinguishes two types of information warfare: (1) information-psychological warfare, which is “conducted in conditions of natural rivalry, i.e. always,” and (2) information-technology warfare, which targets IT systems and is conducted “during wars and armed conflict.” The first definition largely comports with Western conceptions of the same term. The second is what the West usually calls cyber or computer network warfare. In recent years the Kremlin has begun to leverage both methods and has spawned a third, hybrid method between the two in the form of cyber-enabled information operations. In Russian parlance, these psychological information operations are referred to as active measures.
Former KGB Major General Oleg Kalugin has described active measures (активные мероприятия) as actions taken by the then-Soviet Union to discredit geopolitical adversaries and “conquer world public opinion.” [2] Active measures are a key tenet of what is often referred to in the West as “hybrid warfare,” where non-military measures are used in concert with military measures to achieve a strategic objective. According to Russian doctrine, however, they are used in times of peace as well as war.
In testimony to the Senate Select Committee on Intelligence in March 2017, King’s College London War Studies professor Thomas Rid described the historical evolution of Russian active measures, noting that they seek to exploit existing cracks in adversary societies. [3] He identified three trends necessary to understand today’s circumstances. First, over the last 60 years, active measures have become the norm. Second, over the last 20 years, aggressive Russian digital espionage campaigns (hacking key targets to gather intelligence) have become commonplace. Third, in the last two years, the Kremlin has merged these two trends in the form of cyber-enabled active measures, or, put simply, hacking and leaking.
Before exploring how strategy has evolved and manifested in the real world in recent years, it is important to note that, like cyber operations, active measures are not an end, but rather a means. Since the Soviet Era, the Kremlin has employed active measures in an attempt to achieve what the West calls “reflexive control” over adversaries, or the ability to alter an adversary’s perception of the world. Russian pursuit of reflexive control is the product of decades of psychological and mathematical research at Russian military universities on how best to manage and influence an opponent’s perception of the world. Crucially, distorting an adversary’s conception of reality not only influences that adversary’s decision-making calculus, but also makes it more predictable.
The General Staff of the Russian Armed Forces is led by General Valery Gerasimov. Like many Russian military strategists before him, Gerasimov is a keen observer of military and strategic trends in and out of combat. In February 2013, he published a short article entitled “The Value of Science in Prediction,” in which he examines Western military strategy at some length and outlines the current and future operational environment from his perspective. [4] While the article should not be read as ironclad doctrine, as some have dubbed it, it does provide insight into the thinking of the most senior military leadership in Russia. Gerasimov notes that “the use of political, diplomatic, economic and other non-military measures in combination with the use of military forces” will normalize globally as part of a new, non-linear form of warfare. [5] In short, Russia views the world as locked in ongoing and perpetual conflict between powers, in which the line between war and peace is blurry at best and nonexistent at worst.
As Charles Bartles observes, “One of the most interesting aspects of Gerasimov’s article is his view of the relationship on the use of nonmilitary and military measures in war. The leveraging of all means of national power to achieve the state’s ends is nothing new for Russia, but now the Russian military is seeing war as being something much more than military conflict.” [6] For Gerasimov, warfare has become decreasingly linear, and the previously well-defined boundary between wartime and peacetime has blurred. In his words, “wars are no longer declared and, when they begin, unfold according to an unusual pattern.” [7] Notably, Gerasimov’s long-term view appears to have been molded by observations of U.S. military strategy and action, particularly operations rightly and wrongly attributed to the U.S. in the Balkans in the 1990s and more recent actions in Libya.
Against that broader doctrinal backdrop, it’s important to draw back the curtain and provide insights on how the government of the Russian Federation leverages information and cyber capabilities as influential tools of state power in the digital age. From here, we will describe the major Russian threat actors, their capabilities and past operations, our analysis of where these teams may apply their capabilities in Latin America and the Caribbean, and the broader implications for the United States and its partners in the region.
A complex web of actors from intelligence agencies and the military to industry, criminal organizations, and the media underpins Russian cyber, information, and influence capacity. The pieces of this network have different―yet often overlapping and competing―roles, responsibilities, and influence in implementing cyber-enabled active measures against domestic and foreign adversaries.
Key Actors: The Russian Intelligence Community
The Russian foreign intelligence apparatus consists of three primary organizations. Their responsibilities and remits overlap or are unclear, and they compete with one another for political influence and funding. [8]
- The Main Intelligence Directorate (GRU)
- The Federal Security Service (FSB)
- The Foreign Intelligence Service (SVR)
The Main Intelligence Directorate (GRU)
The Main Intelligence Directorate (Главное Разведывательное Управление, or GRU; formally renamed the Main Directorate of the General Staff in 2010, though the old name persists) is the only Russian intelligence agency to survive the Soviet era under its own identity. As the long-standing military intelligence service, the GRU is primarily tasked with gathering military intelligence and conducting active measures, and plays a subsidiary role in political intelligence, economic intelligence, and counterintelligence. [9]
In the context of offensive cyber operations and cyber-enabled operations, the GRU is staffed with both network operators and information operators. Referred to variously as Sofacy, APT28, and Fancy Bear in cybersecurity circles, the GRU’s network operators exhibit characteristics similar to those of the U.S. National Security Agency: a formal development environment with sustained research into vulnerabilities, exploits, and tooling. [10] The GRU contains Unit 26165, the group that the July 2018 U.S. indictment accuses of compromising the DCCC, the DNC, and the Hillary Clinton presidential campaign. [11]
The GRU’s information operations team works closely with its network operators to disseminate stolen and sometimes fake information to the press and public. This group, which is separate from those gathering information, consists of regional experts to craft messaging and operational security specialists to obfuscate the source of messaging. Unit 74455, the unit accused of primarily orchestrating the dissemination of DCCC and Hillary Clinton campaign communications via Guccifer 2.0, DCLeaks, and other personas, also sits within the GRU.
In general, GRU teams target political opposition (domestically and internationally), and the fruits of their hacking activity often feed in-house information operations. Cybersecurity firm CrowdStrike has assessed with medium confidence that the team known as Fancy Bear or APT28 is the GRU.
The Federal Security Service (FSB)
The Federal Security Service (Федеральная Служба Безопасности, or FSB) is the main successor to the Soviet-era KGB and is a jack-of-all-intelligence-trades, though its primary remit is counterintelligence and political security. [12] As in the GRU, network and information operators sit within the agency, likely in the Second Division of FSB Center 18, also known as the FSB Center for Information Security; officers of Center 18 were among those named in the 2017 U.S. indictment over the Yahoo intrusion. [13]
The agency’s network operators typically use a core hacking toolkit with add-ons that customize it for a given mission, [14] which suggests at least some internal code development and research capacity. The FSB’s information operators display slightly different traits from their military counterparts. Where the GRU typically co-opts well-known brands on social media and works through traditional media, the FSB takes a noisier approach, creating and using large numbers of fake social media accounts to spread information and leveraging non-state actors, such as the Internet Research Agency, to amplify messaging. [15]
The Foreign Intelligence Service (SVR)
The Foreign Intelligence Service (Служба Внешней Разведки, or SVR) is Russia’s external intelligence agency. Despite its title and status as the primary foreign intelligence service, little open-source evidence available at the time of writing ties the SVR to cyber or cyber-enabled operations; it concentrates on cultivating and maintaining human intelligence networks. More generally, attribution of a given intrusion set to a specific Russian service is contested and has shifted as indictments and government statements have been published, so the agency-to-team mapping used in this section should be read as an assessment rather than settled fact.
Uncertain Teams—Energetic Bear, Palmetto Fusion, Sandworm Team
In addition to the known activities of the FSB and GRU, three teams (one no longer operating and two conducting active campaigns) have yet to be attributed to a specific agency, though it is assessed with high confidence that they are Russian state actors. These teams are:
- Energetic Bear: Operating from the late 2000s until 2014, Energetic Bear conducted economic espionage against the oil and natural gas industry. In 2014, the group began gathering information on SCADA and industrial control system vulnerabilities, was exposed by threat researchers, and promptly ceased operations. [16]
- Palmetto Fusion: Operating from 2015 to the present, the group consistently compromises or attempts to compromise critical infrastructure, focused primarily on energy utilities. Some threat researchers assess with low confidence that Palmetto Fusion is the same group of individuals as Energetic Bear, operating with new tools and techniques. [17]
- Sandworm Team: Operating from 2015 to the present, the Sandworm Team has repeatedly sabotaged the Ukrainian power grid. [18] NotPetya, which presented as ransomware but functioned as a destructive wiper (no working decryption path existed even for victims who paid), displayed operational traits that led some to conclude that the Sandworm Team developed and released it. [19] Because multiple governments have attributed NotPetya to the GRU, if the Sandworm Team built and deployed NotPetya, the team most likely resides within the GRU. [20] It is also likely that Sandworm operators carried out the February 2018 attack on the Pyeongchang Winter Games and the International Olympic Committee (the malware known as Olympic Destroyer), as well as intrusions against other global sports governing bodies.
Key Actors: Private and Criminal Groups
In 2017, in response to a question about Russian meddling in U.S. elections, Russian President Vladimir Putin denied state involvement but conceded that some “patriotic hackers” may have attempted to influence the American election. President Putin’s assertion that the Russian state played no role is assessed to be false with high confidence. It is nonetheless important to recognize the non-state groups that support the activity of the intelligence agencies. These private, non-criminal “patriotic hacker” groups and their backers include:
- Concord Consulting: Concord Consulting and Catering is an organization run by Yevgeny Prigozhin, one of President Putin’s closest confidants. Prigozhin and Concord Consulting provided the financial backing to the Internet Research Agency. Prigozhin also likely funds Wagner Group, the private military firm active in Syria.
- Internet Research Agency: This agency is the so-called “Russian Troll Farm” that targeted and scaled messaging to key constituents in swing states during the 2016 U.S. election.
- Digital Security: Accused of providing technical support to the FSB.
- Kvant Scientific Research Institute: Accused of providing technical support to the FSB.
- Kaspersky Lab: The relationship between the anti-virus and threat intelligence company and the Russian security services is unclear.
In addition, Russian cybercrime networks sometimes work in support of Kremlin objectives. The exact level of coordination and direction exercised over these patriotic hackers is unclear from open-source research. Their activities likely fall somewhere on the spectrum between state-integrated and state-ignored: [21]
- State-integrated: The national government conducts the attack using integrated non-state and state resources.
- State-ordered: The national government directs the attack.
- State-coordinated: The national government coordinates attacks by suggesting operational details.
- State-shaped: The state provides some support, but third parties shape and control the operations.
- State-encouraged: The state encourages activity as a matter of policy, but third parties shape, conduct, and control the operations.
- State-ignored: The state knows about the activity but is unwilling to prevent it.
A shift in the tenor of Russian non-state cyber activity can be observed around the time the Russian Federation annexed the Crimean Peninsula in Ukraine. According to at least one observer, the pre-annexation posture was closer to state-ignored. Around and following the Sochi Olympics and the annexation of Crimea, the activities of the oligarch-backed patriotic hackers much more closely followed a model of state shaping, coordination, or even integration.
Overview of Operations
Trends in Russian cyber activity over the past three years suggest that the Kremlin is, and has been, investing significantly in developing strategy, tactics, and tools to leverage cyber capability. A study by Russian data security company Zecurion Analytics posits that the Kremlin controls a “top 5” cyber army. According to reports on the Zecurion study, the Kremlin dedicates approximately $300 million per year to offensive cyber forces and employs some 1,000 on-keyboard personnel. [22] Setting aside Russian-authored reports that may or may not be Kremlin propaganda, experts have observed a steady increase in both the volume and sophistication of Russian-originated cyber activity, which itself suggests that the Kremlin is investing in this space.
Russian state or state co-opted cyber capability generally follows a number of trends. First, a disproportionate number of attacks exploit vulnerabilities in Adobe Flash, Java, and Internet Explorer. Second, campaigns typically reuse the same vulnerabilities multiple times, relying on the poor patching practices of their targets. Third, while the tools vary by agency, some tactics are generally consistent. For example, the process for compromising a target is often:
- Sending a spearphishing email carrying a malicious attachment or a link, the link frequently masked with bit.ly or another URL shortener so that the true destination is not visible to the recipient;
- Getting the user to open the attachment or visit the compromised page, which delivers an exploit tailored to the target’s software;
- Using the resulting code execution to run a dropper that installs the implant, usually a Remote Access Tool (RAT);
- Establishing a connection from the RAT back to attacker-controlled command-and-control (C2) infrastructure, after which the operator can act on the host and move laterally.
Finally, if the objective of the campaign is informational, Russian intelligence services have become adept at integrating their network operators with their information operators. What this means is that the knowledge gained via offensive computer network operations is seamlessly integrated into ongoing or new information operations.
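Detection logic for the four-stage chain just described, run over a few constructed telemetry lines. This is an added example and not code from the report; the log format, the host and user names, the shortener watch-list, the one-hour lure-to-payload window and the beacon jitter tolerance are all assumptions made for illustration.

```python
"""Correlate the spearphish -> download -> dropper -> C2 stages per user.

Added example, not from the report. The telemetry format ("<utc ts> <source>
key=value ...") and every name and threshold below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

SHORTENERS = {"bit.ly", "goo.gl", "tinyurl.com", "t.co"}   # assumed watch-list
PAYLOAD_EXT = (".doc", ".docm", ".rtf", ".xls", ".scr", ".exe", ".jar", ".swf")
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
LURE_TO_PAYLOAD = timedelta(hours=1)   # payload must follow the lure within this
MIN_BEACONS = 3                        # POSTs needed before we call it beaconing

# Constructed telemetry: jdoe walks the full chain; asmith clicks a shortened
# link in a newsletter but never fetches a payload.
SAMPLE_LOG = """\
2018-04-02T08:02:11Z mail user=jdoe sender=press@newsdesk-example.org url=https://bit.ly/2xyzABC
2018-04-02T08:05:40Z proxy user=jdoe method=GET host=bit.ly path=/2xyzABC status=301
2018-04-02T08:05:41Z proxy user=jdoe method=GET host=files.example-cdn.net path=/brief.doc status=200
2018-04-02T08:06:10Z proc user=jdoe parent=WINWORD.EXE child=powershell.exe
2018-04-02T08:06:30Z proxy user=jdoe method=POST host=203.0.113.7 path=/update status=200
2018-04-02T08:11:30Z proxy user=jdoe method=POST host=203.0.113.7 path=/update status=200
2018-04-02T08:16:30Z proxy user=jdoe method=POST host=203.0.113.7 path=/update status=200
2018-04-02T08:21:31Z proxy user=jdoe method=POST host=203.0.113.7 path=/update status=200
2018-04-02T09:10:05Z mail user=asmith sender=newsletter@example.com url=https://bit.ly/3abcDEF
2018-04-02T09:12:00Z proxy user=asmith method=GET host=bit.ly path=/3abcDEF status=301
2018-04-02T09:12:01Z proxy user=asmith method=GET host=news.example.com path=/story.html status=200
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\w+) (?P<kv>.*)$")


def parse_line(line):
    """Parse one telemetry line into a dict; None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = dict(pair.split("=", 1) for pair in m["kv"].split() if "=" in pair)
    ev["ts"] = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["src"] = m["src"]
    return ev


def is_beaconing(post_times):
    """True when >= MIN_BEACONS POSTs to one host arrive at a near-constant interval."""
    if len(post_times) < MIN_BEACONS:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(post_times, post_times[1:])]
    return max(gaps) <= 1.25 * min(gaps)   # assumed jitter tolerance of 25%


def stages_for_user(events):
    """Return the chain stages seen for one user, in the order they were reached."""
    seen = {}
    posts = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        src = ev["src"]
        if src == "mail" and urlsplit(ev.get("url", "")).hostname in SHORTENERS:
            seen.setdefault("lure", ev["ts"])                      # stage 1
        elif src == "proxy":
            if ev.get("method") == "POST":
                posts[ev["host"]].append(ev["ts"])                  # candidate C2 traffic
            elif ("lure" in seen and ev["path"].lower().endswith(PAYLOAD_EXT)
                  and ev["ts"] - seen["lure"] <= LURE_TO_PAYLOAD):
                seen.setdefault("payload", ev["ts"])               # stage 2
        elif (src == "proc" and ev["parent"].lower() in OFFICE
              and ev["child"].lower() in SCRIPT_HOSTS):
            seen.setdefault("dropper", ev["ts"])                   # stage 3
    for times in posts.values():
        if is_beaconing(times):
            seen.setdefault("beacon", times[0])                    # stage 4
    return sorted(seen, key=seen.get)


def detect(log_text):
    """Map each user to the chain stages observed in the log."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and "user" in ev:
            by_user[ev["user"]].append(ev)
    return {user: stages_for_user(evs) for user, evs in by_user.items()}


def alerts(log_text, min_stages=3):
    """Users for whom at least min_stages of the four chain stages were observed."""
    return sorted(u for u, st in detect(log_text).items() if len(st) >= min_stages)


if __name__ == "__main__":
    for user, stages in detect(SAMPLE_LOG).items():
        print(f"{user}: {' -> '.join(stages)}")
    print("alerts:", alerts(SAMPLE_LOG))
```

The reason to correlate by user rather than alert on each stage is noise: a shortened link in mail or a single Office-to-script-host spawn is common on its own, whereas a lure followed within an hour by a document download, a script host spawned by Office, and evenly spaced POSTs to one external host is close to the chain the text describes. In the constructed sample only jdoe reaches three or more stages; asmith stops at the lure.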
While these processes and trends generally hold for Russian state and criminal actors, different teams display distinct strengths as dictated by their mission sets, budgets, and human technical capacity. Figure 4 outlines the cyber and information capabilities of the most prominent actors introduced above.
Figure 4: Russian Actors and Their Capabilities
| Actor | Operational Characteristics | Notable Tools | Cyber Capability | Informational Capability |
|---|---|---|---|---|
| The GRU (APT28 / Fancy Bear) | 97% of work completed during the working week; 88% of work done between 8 a.m. and 6 p.m. Moscow time; malware built in Russian-language build environments | Backdoor/exploit: X-Agent; backdoor/exploit/dropper: Sofacy; credential harvester: Sasfis | Modular: a suite of tools tailored to targets and used “plug and play”; formal development environment and custom code; highly obfuscated; leverages open-source repositories to accelerate development and provide deniability; once inside a target network or device, performs multiple lateral movements by manual and “legitimate” means; targeted | Regional specialists; not co-located with network operators (a separate building about 5 km away) but closely coordinated with them; quality over quantity: a tailored approach to dissemination, using false identities (DCLeaks, Guccifer 2.0) and WordPress blogs to leak information and propagate narratives |
| The FSB (APT29 / Cozy Bear) | High volume of hacking rather than meticulously targeted activity; many concurrent jobs, suggesting a good deal of behind-the-scenes coordination; highly adaptable (able to counter defensive measures) | Twitter-based backdoor: HAMMERTOSS | Modular; high obfuscation; scattershot: many different accounts compromised; use of open-source repositories | Quantity over quality: bots and fake accounts used to disseminate information |
| Grid teams (Sandworm Team and Palmetto Fusion) | - | Grid malware: CrashOverride/Industroyer; grid malware: BlackEnergy 3; ransomware/wiper: NotPetya (alleged) | Highly sophisticated: obfuscated, targeted, modular, and manipulable; generally targets industrial sectors and industrial control systems; may use DDoS or ransomware to obscure or distract from grid attacks; creates persistent grid access (reported in the U.S. and elsewhere) but rarely delivers a payload to manipulate systems (Ukraine being the exception) | - |
| The Internet Research Agency | - | - | - | The so-called “Troll Factory”; non-governmental organization funded by Yevgeny Prigozhin (“Putin’s Chef”) and his Concord Consulting firm; magnifies and amplifies key information to support Kremlin narratives at home and abroad; uses a combination of human-run and automated fake social media accounts, and creates and administers fake “groups” on social media to organize in-person protests and rallies; hundreds of employees; well financed (monthly budget of over USD 1.2 million for a single project) |
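The “97% during the working week” and “88% between 8 a.m. and 6 p.m. Moscow time” rows in Figure 4 come from bucketing malware build timestamps by local weekday and hour. The script below is an added example, not code from the report or from the vendor reports it draws on; it shows that analysis end to end: reading the TimeDateStamp out of a PE file header, converting UTC to Moscow time, and computing the two shares. The sample timestamps and the minimal PE header are constructed, and the 08:00 to 18:00 window is an assumption chosen to match the table.

```python
"""Working-week and working-hours profile of malware build timestamps.

Added example, not code from the report. Reproduces, on constructed data, the
analysis behind the weekday / working-hours rows of Figure 4.
"""
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone

try:
    from zoneinfo import ZoneInfo            # Python 3.9+, needs system tzdata
    MOSCOW = ZoneInfo("Europe/Moscow")
except Exception:
    # Moscow has been fixed at UTC+3 with no DST since October 2014, so a static
    # offset is exact for samples built after that date (not for older ones).
    MOSCOW = timezone(timedelta(hours=3), "MSK")

WORK_START, WORK_END = 8, 18   # assumed window: 08:00 <= local hour < 18:00


def pe_build_timestamp(data: bytes) -> int:
    """Return IMAGE_FILE_HEADER.TimeDateStamp (Unix epoch seconds) from a PE image.

    Layout read: 'MZ' at 0, e_lfanew (u32) at 0x3C, 'PE\\0\\0' at e_lfanew, then
    Machine (u16), NumberOfSections (u16), TimeDateStamp (u32).
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return struct.unpack_from("<I", data, pe_off + 8)[0]


def fake_pe_header(build_epoch: int) -> bytes:
    """Constructed minimal header carrying only the fields pe_build_timestamp reads."""
    buf = bytearray(0x58)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)                      # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHI", buf, 0x44, 0x14C, 1, build_epoch)   # i386, 1 section, stamp
    return bytes(buf)


def epoch_to_moscow(epoch: int) -> datetime:
    return datetime.fromtimestamp(epoch, tz=timezone.utc).astimezone(MOSCOW)


def utc_iso_to_moscow(stamp: str) -> datetime:
    """'YYYY-MM-DDTHH:MM:SSZ' -> aware datetime in Moscow local time."""
    dt = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return dt.astimezone(MOSCOW)


def is_weekday(local: datetime) -> bool:
    return local.weekday() < 5                        # Mon=0 .. Fri=4, after conversion


def in_working_hours(local: datetime) -> bool:
    return is_weekday(local) and WORK_START <= local.hour < WORK_END


def profile(local_times):
    """Shares on weekdays and inside the weekday working window, plus an hour histogram."""
    local_times = list(local_times)
    n = len(local_times)
    if n == 0:
        raise ValueError("no samples")
    return {
        "weekday_share": sum(is_weekday(t) for t in local_times) / n,
        "working_hours_share": sum(in_working_hours(t) for t in local_times) / n,
        "by_hour": Counter(t.hour for t in local_times),
    }


# Constructed build timestamps (UTC); comments give the Moscow local time.
SAMPLE_UTC = [
    "2018-03-05T06:30:00Z",  # Mon 09:30
    "2018-03-06T11:05:00Z",  # Tue 14:05
    "2018-03-07T14:59:00Z",  # Wed 17:59, last minute inside the window
    "2018-03-08T15:00:00Z",  # Thu 18:00, outside (end is exclusive)
    "2018-03-09T04:45:00Z",  # Fri 07:45, before start
    "2018-03-10T09:00:00Z",  # Sat 12:00, weekend
    "2018-03-12T21:30:00Z",  # Monday in UTC but Tue 00:30 in Moscow
    "2018-03-13T05:00:00Z",  # Tue 08:00, first minute of the window
    "2018-03-14T07:15:00Z",  # Wed 10:15
    "2018-03-15T12:00:00Z",  # Thu 15:00
]


def sample_profile():
    return profile(utc_iso_to_moscow(s) for s in SAMPLE_UTC)


if __name__ == "__main__":
    p = sample_profile()
    print(f"weekday share: {p['weekday_share']:.0%}, working-hours share: {p['working_hours_share']:.0%}")
    print("builds by Moscow hour:", sorted(p["by_hour"].items()))
    stamp = pe_build_timestamp(fake_pe_header(1520231400))       # 2018-03-05T06:30:00Z
    print("header stamp ->", epoch_to_moscow(stamp).strftime("%a %Y-%m-%d %H:%M %Z"))
```

Two caveats the table does not state: build timestamps are trivially forgeable (and some toolchains zero them or set them to fixed values), so a working-hours profile is supporting evidence, never attribution on its own; and the weekday must be taken after timezone conversion, since a late-evening UTC build can already be the next day in Moscow, as the 2018-03-12 sample shows.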
Globally, Russia has leveraged cyber capability in three primary ways: (1) operational preparation of the environment (OPE), (2) cyber warfare, and (3) cyber-enabled influence operations. Here, we describe individual operations of each of these types, in order to help build understanding of how a Russian adversary might leverage cyberspace for strategic gain in Latin America and the Caribbean.
Operational Preparation of the Environment (OPE)
Like most tier-1 cyber powers, Russia engages in robust operational preparation of the environment (OPE), largely as a “just in case” exercise rather than as a sign of impending military operations. Russian cyber operators, most likely from the Sandworm Team and Palmetto Fusion (the former assessed above as probably within the GRU, the latter not publicly attributed to a specific service), consistently develop access to key military and civilian communications systems and critical infrastructure in countries they anticipate could one day become active adversaries. Because of the high degree of research, time, and effort needed to create and maintain access in an adversary’s critical infrastructure, Russia seeks to keep those access points in reserve should it wish to conduct cyber warfare (described below) in the future.
In most cases, these accesses are dormant rather than benign: the intrusion is a compromise in its own right, but it has not been used to cause disruption during peacetime. This type of operation is what led to recent U.S. government reporting on Russian cyber activity targeting energy and other critical infrastructure sectors. [23] It is also possibly the activity behind a blast furnace incident at a German steel mill that caused massive physical damage. [24] Dormant access can become disruptive rapidly, however, and most of the Russian cyber actors outlined above possess the tools and capability to escalate their actions to cyber warfare at short notice. For defenders, the absence of disruption is therefore not evidence of absence of access; OPE-style intrusions must be hunted for, not waited for.
Cyber Warfare
The clearest case of intentional cyber warfare conducted by Russian services is currently taking place in Ukraine during ongoing kinetic hostilities. In Ukraine, Russian cyber warfare has taken two shapes: information operations and critical infrastructure attacks.
By targeting mobile networks, Wi-Fi, mobile phones, and other military and civilian communications networks, Russian actors are able to conduct extensive in-theatre information operations. In Ukraine, these activities have included:
- Psychological and friction operations against troops on the front lines, and their families, via direct text messages to individuals, such as:
- “Your battalion commander has retreated. Take care of yourself.”
- “You are encircled. Surrender. This is your last chance.”
- “Ukrainian soldier, what are you doing here? Your family needs you alive.”
- “You will not regain Donbas back. Further bloodshed is pointless.”
- “Ukrainian soldier, it’s better to retreat alive than stay here and die.” [25]
- Distributed Denial of Service (DDoS) attacks against government and non-government communication systems
In addition to compromising communications systems, Russian actors have demonstrated a proclivity for targeting critical national infrastructure for compromise and manipulation. This type of operation relies on the robust OPE described above. The most notable cases in Ukraine are the December 2015 BlackEnergy-enabled attack on regional distribution utilities, which cut power to roughly 225,000 customers in the cold winter months, and the December 2016 attack on a Kyiv transmission substation using the CrashOverride/Industroyer malware listed in Figure 4.
Cyber-Enabled Influence Operations
This final brand of operation, a cyber-enabled influence operation, is perhaps the most widely recognized Russian intelligence operation. While the well-documented activity around the 2016 U.S. presidential election elevated the profile of this tactic to the global political level, Russian intelligence services have engaged in similar information operations for the better part of a century, particularly in Eastern Europe.
Citations
- [1] Vladimir Kvachkov, “Спецназ России (Russia’s Special Forces),” Part 3: Theory of Special Operations, Section 3.1: Special Methods of Warfare, Forms of Geopolitical Conflict, Военная литература (Military Literature), 2004. source
- [2] Thomas Boghardt, “Active Measures: The Russian Art of Disinformation,” International Spy Museum, October 2006. source
- [3] Thomas Rid, “Disinformation: A Primer in Russian Active Measures and Influence Campaigns,” testimony before the Select Committee on Intelligence, United States Senate, Washington, DC, March 2017.
- [4] Valery Gerasimov, “The Value of Science in Prediction,” Voyenno-Promyshlennyy Kuryer (VPK), 27 February 2013. source
- [5] Ibid.; quote translated from the original Russian.
- [6] Charles K. Bartles, “Getting Gerasimov Right,” Military Review, January-February 2016.
- [7] Gerasimov, “The Value of Science in Prediction,” p. 2; quote translated from the original Russian.
- [8] Mark Galeotti, “Putin’s Hydra: Inside Russia’s Intelligence Services,” European Council on Foreign Relations, no date. source _PUTINS_HYDRA_INSIDE_THE_RUSSIAN_INTELLIGENCE_SERVICES_1513.pdf
- [9] Ibid.
- [10] Interview with the author.
- [11] U.S. District Court for the District of Columbia, Indictment, United States v. Viktor Borisovich Netyksho et al., 13 July 2018. source
- [12] Galeotti, “Putin’s Hydra.”
- [13] Quinta Jurecic, “Government Indicts FSB Officers and Two Others in Yahoo Hacking Case,” Lawfare, 15 March 2017. source
- [14] Interview with the author.
- [15] Interview with the author. See also FireEye, “HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group,” 2015.
- [16] Andy Greenberg, “Your Guide to Russia’s Infrastructure Hacking Teams,” Wired, 17 July 2017. source
- [17] Ibid.
- [18] Ibid.
- [19] Andy Greenberg, “Petya Ransomware Epidemic May Be Spillover From Cyberwar,” Wired, 28 June 2017. source
- [20] Andy Greenberg, “The White House Blames Russia for NotPetya, the Most Costly Cyberattack in History,” Wired, 25 February 2018. source
- [21] Jason Healey, “Beyond Attribution: Seeking National Responsibility for Cyber Attacks,” Atlantic Council, January 2012. source
- [22] The Zecurion report does not appear to be in the public domain in either English or Russian. Coverage of the report: Pravda.ru, “Official: Russia has one of the five world’s most powerful cyber armies,” 10 January 2017.
- [23] US-CERT, Alert TA18-074A, “Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors,” 15 March 2018. source
- [24] Kim Zetter, “A Cyberattack Has Caused Confirmed Physical Damage for the Second Time Ever,” Wired, 8 January 2015. source
- [25] Aaron F. Brantly, Nerea M. Cal, and Devlin P. Winkelstein, “Defending the Borderland: Ukrainian Military Experiences with IO, Cyber, and EW,” Army Cyber Institute at West Point, 2017. source