The recent internet laws have dramatically changed the internet landscape in Russia and will continue to do so for years to come. At the same time, Russia has a substantial history of conducting cyber warfare, which has also shaped its internet landscape. The Russian government has consistently pushed its political agenda with covert cyber operations in recent years. The Russian cyber offensive can be characterized along four major lines.
Cyber Espionage
The Russian cyber espionage machine primarily targets critical infrastructure in adversarial states. It focuses on the energy sector, nuclear industries, the commercial sector, aviation, manufacturing, and other critical infrastructure. The Russian attacks are well planned, often last for years, are highly targeted, and employ various methods, including social engineering and specially developed zero-day exploits. The majority of reported attacks on critical infrastructure and industrial control systems use spear phishing through supply chains as a means of initial compromise. Hackers tend to pick less secure third-party vendors that have trusted relationships with the targeted entities and use compromised third parties as a foothold to infiltrate the actual target.
Retaliation
In some cases, the Russian government executes cyberattacks without any particular strategic gain beyond a show of power. Diplomatic tension between Russia and Estonia arose in 2007, when the latter wanted to relocate the Bronze Soldier, a monument to the fallen Soviet soldiers of WW2, and the public outcry in Russia was enormous. The massive DDoS attack that ensued rendered Estonia’s online banking, governmental email services, and media outlets unavailable. Other examples of Russian retaliation were the attacks against the World Anti-Doping Agency in 2016 and the International Association of Athletics Federations (IAAF) in 2017. Russian hackers orchestrated these attacks as payback for the ban on the Russian Athletics Federation from international competitions, including the Olympics. The hackers obtained and published sensitive and private documents of international athletes. Olympic Destroyer, as the cyberattack against the IAAF is known, was not attributed directly to Russia, as it contains fingerprints of different state-sponsored APTs. However, it may also be a product of Russian retaliation, as most of the Russian athletic team was banned from participating. The admitted athletes had to compete under the Olympic Flag and Olympic Anthem, as any Russian attributes were barred.
Political Influence
The Russian government constantly attempts to disrupt and influence the political landscape in adversary states. This is usually carried out by hacking anti-Russian candidates and releasing private or confidential information, while promoting its allies, in order to destabilize the political stage. Another tactic is an army of social media bots that spread fake news and misinformation. The government also attempts to breach anti-Russian parties and candidates. One of the best-known examples is the hacking of the Democratic National Committee (DNC) during the United States general election in 2016. Russian threat actors successfully breached the DNC and released sensitive information about prominent candidates and party members. Another known case occurred in 2017, when hackers accessed systems of French Prime Minister Emmanuel Macron’s election campaign, releasing more than 20,000 emails that were posted across Twitter and Facebook.
Military Operations
Russia supports its military aggression with covert cyber operations to disrupt enemy communications and spread misinformation. During the Russo-Georgian War of 2008, Russia executed a massive denial-of-service attack on Georgian servers, targeting government and media infrastructure to prevent communication and crucial information distribution. During the annexation of Crimea and war in Donbass in 2014, Russian hackers successfully infiltrated the Ukrainian government network via the Turla rootkit, disrupting communication and exfiltrating crucial intelligence. Russia successfully infiltrated the Ukrainian Army’s Rocket Forces and Artillery with an infected mobile application. The original app was developed by the Ukrainian military to process targeting data and increase the artillery fire rate. The infected version of the application allowed the hackers to retrieve communication between Ukrainian forces and the location of their artillery batteries.
This was written by Andrey Yakovlev, a Security Researcher at IntSights focused on intelligence hunting on the Russian Dark Web. He is an experienced professional with nearly a decade of expertise in the cybersecurity field. Andrey specializes in threat discovery, computer forensics, and behavioral analysis of Trojans.
The article has been published here for educational purposes only.