4 November 2022

RUSSIA’S VAST CYBER WEB ENABLES DENIABILITY AND OBSCURITY—BUT NOT WITHOUT RISKS

Justin Sherman

The Russian government’s war on Ukraine has sparked renewed interest in Russian cyber proxies. Before the war began, headlines described “Russian-backed” hackers defacing Ukrainian websites; since then, analysts have continuously debated how much Russian President Vladimir Putin’s regime might turn to cybercriminals and other actors to help it attack Ukraine in cyberspace.

Describing every cyber operation coming from within Russia as a “Russian cyberattack” obscures the large, complex, and often opaque web of different cyber actors in Russia—each with varied relationships with the state. As I describe in a new Atlantic Council report, there are cybercriminals operating at the state’s direction, cybercriminals operating with state protection, patriotic hackers encouraged by propagandistic statements on television, front companies set up by the security services, and everything in between. Untangling this web shows many perceived and actual benefits for the Kremlin, such as deniability and obscurity—but it also underscores the risks Putin is running by leaning too heavily on this diverse cyber ecosystem.

The Roots of Russia’s Vast Cyber Ecosystem

Putin inherited a convoluted web of cyber actors—born from the chaos of post-Soviet collapse, the 1990s criminal (and cybercriminal) explosion, and an oversupply of technically talented individuals with few legitimate job prospects—and now actively cultivates it. Rather than cracking down, Putin allows cybercriminals and patriotic hackers to operate freely within Russia, so long as they follow a social contract of sorts: focus on foreign targets, do not undermine the Kremlin’s objectives, and answer to the state when asked.

The Federal Security Service, or FSB, Russia’s internal security agency with some foreign purview, recruits cybercriminals to carry out operations on its behalf. The Foreign Intelligence Service (SVR) sets up front organizations to conduct cyber and information operations against foreign targets. The Kremlin permits private military companies to operate around the world and to sell their military and protective services to foreign governments; at least one such company has developed a cyber unit.

All of this fits within a years-long Russian government emphasis on political warfare. The Soviet Union conducted political warfare–style operations under an umbrella of “active measures” against foreign and domestic targets. Akin to contemporary political warfare (a growing point of emphasis in Russian thinking), these active measures ranged from assassinating émigré leaders who participated in anti-Soviet activities to manufacturing and spreading the lie that the Pentagon started the AIDS epidemic. The parallels are not perfect, and the information environment today is very different than it was decades ago; the scale and speed of internet-enabled microtargeting alone, for example, is unprecedented. Regardless, the Russian security apparatus continues to emphasize many of the same Soviet-era ideas, such as deniability, covertness, and the use of proxies, which carry over to cyber operations.

While Putin inherited an ecosystem of both legitimate technology companies and technically talented individuals engaged in cybercrime, the regime has purposefully shaped this resource pool of Russian cyber actors to its own benefit, though not without accompanying risks.

The Spectrum of Russian Government Involvement

Putin does not control every single cyber operation that occurs within or comes out of Russia. As Candace Rondeaux writes, “The narrative of a grand chess master, whether Putin, a Kremlin insider, or [a] mercenary group, singlehandedly orchestrating Russia’s proxy warfare strategy is a useful fiction for the Kremlin.” Simply put, “Vladimir Putin is not omnipotent,” as journalist Julia Ioffe remarked in 2013. In reality, there are degrees of government involvement with most Russian cyber actors, whether through active financing, tacit approval, or another kind of engagement entirely. Some activity may be entrepreneurial by design, with nonstate hackers and developers auditioning their capabilities to capture the attention of the state. Not all is top-down, either, especially so in an “adhocracy” in which Putin is not a micromanager and instead encourages people to seize the initiative.

The FSB, SVR, and GRU (Russia’s military intelligence service) all have internal cyber units. Unlike the United States, Russia does not have a centralized cyber command. Oftentimes, these security agencies’ cyber teams launch operations from within Russia. At other times, state hackers have gone abroad to hack targets, such as when GRU Unit 26165 hackers traveled to The Hague in 2018, trying to hack into and disrupt the Organization for the Prohibition of Chemical Weapons’ investigation into the poisoning of Sergei Skripal and his daughter.

Moscow finances and directs operations through front organizations and websites used by the GRU, the SVR, and the FSB to spread disinformation. The Russian government also uses companies like Neobit and AST to technically support cyber and information operations, with some companies acting like contractors but in a covert capacity. In 2019, a Czech magazine reported that the Czech Security Information Service had shut down two private IT companies in early 2018 that were fronts for Russian government hackers, reportedly part of a broader international network.

The FSB and other agencies also recruit cybercriminal hackers to run operations, sometimes developing cooperative relationships while on other occasions literally hiring criminals to break into systems and steal information on the FSB’s behalf. The US Treasury Department stated in April 2021 that the FSB cultivated and coopted the ransomware group Evil Corp. Authorities allow the Russian cybercriminal apparatus to thrive for a variety of reasons, including the fact that cybercrime brings money into Russia (and lines the pockets of corrupt officials), while the talent base it cultivates gives the Kremlin proxies to tap as needed—as it has time and time again.

Other relationships abound. Positive Technologies, a Russian IT firm sanctioned by the US government, hosts conventions that the FSB and the GRU use as recruiting events. The government encourages patriotic hackers to go after foreign targets by merely going on TV or issuing a propagandistic statement. It taps law-abiding programmers working at legitimate tech companies on the shoulder to help develop capabilities. Mafia-style familial entanglements with the security services, like when a criminal hacker marries the daughter of a former FSB officer, even support the ecosystem.

Experts have published excellent research on cyber proxies, yet, in Russia’s case, questions remain about the exact nature of those relationships, as they sometimes defy the frequent assumption that proxy activity refers to a top-down hierarchical relationship, with the state as the primary actor. Considerable portions of Russia’s cybercriminal ecosystem operate with a sort of Darwinian entrepreneurialism, akin to the approach of Russian criminal enterprises and protective services in the 1990s. Criminals often have substantial agency to drive this activity. And when there are quasi-symbiotic relationships at play with the state—a local FSB official, for instance, taking money on the side to provide a “roof” (krysha) of protection for hackers—these relationships do not entirely follow top-down or state-dominated definitions.

A Web of Benefits—and Risks

From the Kremlin’s perspective, the web of Russian cyber actors offers real benefits. For starters, it enables deniability. Even if cyber operations are ultimately attributed to Moscow, the Kremlin has periods when it can deny knowledge of, association with, or responsibility for cyber and information activities. While the ongoing war in Ukraine is an example of (Western) government intelligence exposing Russian plans and activities in near real time, there are many prior instances when the state had plenty of time to deny cyber operations emanating from Russia before evidence emerged. Ambiguity about the relationship between the Russian government and various cyber actors—whether a GRU front company or a ransomware group working with an FSB officer—gives the Kremlin space, however small, to claim no involvement. Moscow can engage with other governments knowing that sometimes, its denials of involvement are true and in cases when they are not (such as when the government is, at a minimum, complicit in choosing not to investigate certain cyber operations), officials can lean into the ambiguity that surrounds its control over the Russian cyber web. Leveraging this extensive and opaque web of cyber actors also enables the Kremlin to make absurd demands of the United States, such as in June 2021, when Putin said that Russia would allow the extradition of cybercriminals to the United States, if the US government would agree to do the same for Russia.

Tapping into the cyber web also empowers Moscow to wage political warfare in what the West would call the “gray zone,” below the threshold of armed conflict. The Russian state has a history of operating in the sphere of political warfare, and recent Russian military thinking has carried this mindset into the modern age. Valery Gerasimov, chief of the General Staff of the Russian Armed Forces and first deputy defense minister, wrote an article in 2013 arguing that “the role of nonmilitary means of achieving political and strategic goals has grown, and, in many cases, they have exceeded the power of force of weapons in their effectiveness.” While often wrongly cited as the “Gerasimov doctrine,” when it is neither a doctrine nor binding, and often used to incorrectly argue that hybrid warfare is a new kind of Russian thinking, the article nonetheless recognized the importance of nonmilitary tactics in modern conflict. As Eugene Rumer explains, Russia’s foreign and military policy over the last two decades clearly emphasizes that “military power is the necessary enabler” of what many refer to as hybrid warfare, where “hybrid tools can be an instrument of risk management when hard power is too risky, costly, or impractical, but military power is always in the background.” Encouraging patriotic hackers to go after Ukrainian targets, creating great uncertainty in the Obama administration about how to respond to 2016 election interference, and similar actions are part and parcel of this approach.

Finally, the ability to tap into a nebulous web of cyber actors also means that the Kremlin can leverage capabilities without the need to constantly supervise everything, and may even boost Russia’s bottom line; while exact figures are hard to come by, cybercriminals are clearly bringing money into Russia, to the tune of hundreds of millions of dollars in ransomware revenue in 2021 alone. The front companies that run FSB, SVR, and GRU cyber and information operations ostensibly pay for many of those activities themselves. The Internet Research Agency and state-supporting companies like Neobit operate in an undefined zone, where Putin cronies spend state-granted wealth and the Russian government contracts nonstate support and capabilities. Then there are the many cybercriminals, patriotic hackers, legitimate Russian IT company employees, and others who may operate independently, but do so with the state’s permission, and may receive requests to redirect resources to government activities. The publicly available evidence is anecdotal, but these efforts sometimes cost the government next to nothing. In a 2017 case, the FSB paid a criminal about $100 “for each successful hack,” wired through PayPal, WebMoney, and other non-Russian online payment systems.

But there are also risks to Russia’s approach. While leveraging nonstate actors in the Russian cyber web saves the Kremlin resources in some cases, the government may have to deal with competence and discipline issues; cybercriminals might not operate with the same diligence as state hackers. Individual programmers recruited to develop capabilities for the state are likely untrained in Russian government methods of secrecy protection. Patriotic hackers might not use very sophisticated tools and instead rely on off-the-shelf capabilities posted on web forums (even if these hacks may be cover for state operations launched in tandem).

Dueling political and criminal dynamics can also generate internal fractions within hacker groups, which affects their ability to operate for the state. Leaked documents from the Russian hacker group Conti, for instance, highlighted divisions over the group’s official position on the war in Ukraine. The government itself might not coordinate operations very well either. Analysts already debate whether the GRU and the FSB coordinated the hack on the Democratic National Committee in 2016, and the Russian security services, in general, have a long history of turf wars and infighting. It is possible that multiple Russian security organizations—or even multiple units within a single Russian security organization—recruit hackers for overlapping purposes, such as developing information interception capabilities or launching destructive cyber operations that generate additional complexities.

There is also the risk of actors becoming so closely associated with the government that they create problems when they act in line with their own preferences—an actor or group may no longer be working with the Russian government, but others might assume otherwise. Individual Russian officers could face this problem internally when working with a cybercriminal outfit; the Russian government could also face this risk if a previously state-recruited hacker does something independently that generates international blowback.

Painting all cyber and information operations coming from within Russia as “Russian”—and treating the Russian cyber ecosystem as a monolith—glosses over the complexity of the web and the nuanced opportunities for the United States to understand and disrupt the incentive structures at play. It also erases the fact that the Kremlin receives both benefits and risks from using cyber power in this way. If the United States is to respond effectively to Russian cyber operations, it should begin by gaining a better understanding of this network.

No comments: