Piret Pernik RKK/ICDS
Russia may be using different cyber tactics in Ukraine now than it did in Estonia and Georgia, but there is still a common trend: cooperation between its secret services and “patriotic hacktivists”.

In Estonia in 2007 and in Georgia in 2008 Russia used so-called “patriotic hacktivists” to support its political – and, in the case of Georgia, also military—objectives. However, since the current crisis began in Ukraine cyber attacks have not reached the same levels as seen in the previous cases. Early this month, cyber attacks (Distributed Denial of Service and defacement attacks, leaking of e-mails and phone conversations) against Ukrainian and Russian targets have been conducted; moreover, since mid-March, the attacks have intensified. So far no major attacks against critical infrastructure have occurred. But why not, then, and what tactics are being used by Russia this time around?

Two main groups supporting the Russian side in the conflict are Anonymous Ukraine (AnUkraine) and CyberBerkut. Both groups appear to be related to the Russian secret services, and seem to be linked somehow, while AnUkraine also has a close relationship with the Russian state media (e.g. the English-language news channel RT). This is similar to the Georgian case, where the activities of “patriotic hackers” were likely organized and coordinated by Russian secret services, as reported by cyber security experts who investigated the case.

Two lessons can be drawn so far from the Estonian, Georgian and Ukrainian cases. First, interstate political and military conflicts involve increasingly non-state actors; and lines between the actions of state entities and criminal groups engaged in illegal activities are increasingly blurred. Second, any future conflict is likely to have a cyber element, as notoriously observed by Vice Admiral Mike Rogers, the nominee to be next commander of the U.S. Cyber Command, who told to the US Congress that “clearly cyber will be an element of almost any crisis we’re going to see in the future.”

It is well known in the cyber community that Russia has developed very sophisticated cyber warfare capabilities (this was also acknowledged by Rogers). There is enough evidence to assume with a high probability that Russia uses actively cyber espionage tools for gathering intelligence. Last year it became public that the Finnish Ministry of Foreign Affairs had been over several years under cyber attack aimed at extracting intelligence. While the perpetrator could not be established with high confidentiality as is typical in case of cyber attacks, circumstantial evidence pointed again to the Russian intelligence services. In Georgia a long-term cyber espionage operation was detected and evidence points to the Russian Ministry of the Interior.
Moreover, security experts believe that a new version of the Snake virus called Ouroboros (after the serpent in Greek mythology), designed for espionage and possibly destruction of data and hardware, can be traced to Russia’s state entities. Since 2010, 14 attacks caused by Ouroboros have been recorded in Ukraine.

Why has Russia held off on strategic cyber attacks against Ukrainian critical infrastructure? First it does not need them, since it already applies military, political and economic pressure and tools of conventional information warfare. Russia’s actions in Crimea, Kiev and Eastern-Ukraine have prompted strong criticism from the West – accompanied by economic and financial sanctions, visa bans, and other measures, and it is not in Russia’s interest to antagonize the West further by major cyber attacks that would further hamper commercial relations with the West and impair its economy. Even though Russia does not adhere to international law and norms, it may hesitate to cross a red line by launching a strategic cyber attack that will cross the threshold of an “armed attack”.

Secondly, cyber weapons cannot be controlled as well as conventional weapons; there is always a risk that they may “escape” and cause collateral damage that Russia would want to avoid.

It is in Russia’s interest to maintain internet and telecommunications functions in Ukraine since they enable Russia to carry out espionage operations. According to Christopher Ahlberg, founder of Recorded Future, an American web intelligence company, since the web serves as an outlet for people to talk, “you can be 100 percent sure [Russians] can listen to the Ukrainians” and therefore it would not be smart to shut down the Internet and other electronic forms of communication. Technically it would be very difficult for Russia to completely shut down the Internet in Ukraine, as nearly all Ukrainian internet service providers (even including those that are subsidiaries of Russian firms) reach the outside world through connections to the West. Thus, Russia benefits from information collected through cyber espionage activities for its propaganda to foster its political and military ambitions in Ukraine.

Finally, even though AnUkraine and CyberBerkut appear to be related to Russian secret services, and even as states may be increasingly tempted to outsource cyber attacks to non-state actors (since it exempts them from responsibility for the attacks), there is no extensive grassroots movement within Russian hacker forums to mobilize voluntary attacks on designated targets. In contrast to the 2008 Georgian war, many Russian hackers are against Putin and support Ukraine.

While there is no doubt that Russia is actively using cyber tools against Ukraine, it is doing so in a clandestine manner. The most useful tool is espionage to gain information and the use of it for propaganda purposes. The present crisis indicates that while cyber tools can be used to advance political and military objectives, they cannot substitute for conventional hard and soft power tools such as military, political and economic pressure, information operations and propaganda, manipulations of citizenship policy, etc.

RKK/ICDS March 28 2014 (ICDS blog)

Märkmed: