Expert Commentary

Russia: Deception and Deniability

Rob Dannenberg
Former Head of Security, Goldman Sachs

In July, Rob Dannenberg, the former head of security at Goldman Sachs and a 24-year veteran of the CIA, discussed Russia’s cyber strategy of information warfare and the role of proxies in undermining attribution efforts, consequentially stemming victims’ political will to respond to provocations. Moving from the disruptive attack on the Ukrainian power grid all the way up to the most recent hack-and-leak attack on the Democratic National Committee, Dannenberg highlights the role of Russian sponsorship of proxy groups to maintain plausible deniability while furthering its policies in cyberspace.

Early in the afternoon of 23 December, hundreds of thousands of people in western Ukraine suddenly lost power as several Ukrainian power companies were the victims of a cyber attack allegedly perpetrated by a pro-Russian hacktivist group called Sandworm Team.  This was the first confirmed cyber attack to successfully take down a major power grid.  In addition to the inconvenience caused by loss of power in the middle of winter, the attack undermined confidence in the government of Ukrainian President Pyotr Poroshenko thus furthering a geopolitical goal of Russia. 

The attack took place in the context of already tense relations between the Ukraine and Russia following the March 2014 annexation by Moscow of the Crimea and Russian support to separatists in eastern Ukraine.  It also shortly followed a series of physical attacks by pro-Ukrainian activists on power towers and substations feeding power to Crimea, causing loss of power to nearly two million people there as well as to the Russian naval base at Sevastopol. 

Although attribution for the cyber attack has never been confirmed, part of the toolset used has been identified with Sandworm Team, which has previously been suspected of attacks against Ukrainian government officials and Polish targets, as well as EU and NATO targets. Because of the tools used, technical details of the targeting and exploitation methodologies, and the selection of targets, many experts have concluded the group has close ties to the Russian Intelligence Services. 

In the cyber context, proxies are private or non-state actors who use cyber tools to effect kinetic damage, disseminate propaganda and misinformation and/or conduct espionage against a third party to the benefit of a state.  The cyber proxy approach has many advantages, including plausible deniability, relatively low cost, little chance of political blowback, very little legal recourse for the target or victim, and the opportunity for a state actor to reinforce and exercise relationships with non-state actors that could be of use in a future conflict.  These proxy groups can be state-sponsored, state-sanctioned, state-supported, or a combination of all three.  Although one of the principal advantages of states using proxies is plausible deniability, Russia is capable of constructing cyber attacks in a way that already provides plausible deniability, in part due to information obtained through the traitor Edward Snowden.

The Sandworm Team attack is consistent with an increasing number of other cyber attacks by non-state actors or proxies with suspected ties to Russian intelligence or the government of Russia.  A partial list includes the May 2016 attack on the German Bundestag attributed to APT 28 also known as “Pawn Storm;” a series of Distributed Denial of Service (DDoS) attacks throughout the Crimean/Ukraine crisis against NATO, the Polish Government, and the Ukrainian Government attributed to “Cyber Berkut;” the attacks on Georgian Government websites and communications in June-August 2008 that preceded and coincided with the Russian invasion of Georgia; and the cyber attacks in April and May 2007 on a broad set of targets in Estonia. 

Since the imposition of economic sanctions on Russia by the U.S. and EU over Crimea, there have also been attacks on the White House, State Department, Department of Defense, U.S. financial sector, and NASDAQ.  European targets have included the Dutch Safety Board (investigating the downing of Malaysian Air Flight 17), French TV5 Monde, the Polish financial sector, and NATO. The proxies involved in the above also include Russian CyberCommand, Null Sector, Anonymous Ukraine, and APT 29.  Often signatures of these groups can be traced to countries with significant ethnic Russian populations or populations that are sympathetic to Russia and geographically proximate, such as Ukraine, Bulgaria, and Romania.

The use of cyber tools exercised by proxies against targets of interest to the Russian Federation is consistent with the mindset and approach of President Vladimir Putin, a trained career KGB officer well versed in the concepts of denial and deception and for whom the ends justify the means.  The use of proxies is also consistent with recent articulation of Russian military and hybrid war doctrine.  An article by current Russian General Staff Chief, General Valeriy Vasilievich Gerasimov, suggests the integration of the use of media, disinformation, concealed sources, disaffection of minorities, perception management, deception, and both psychological and cyber operations to effect a “whole of society” effort to create conditions for victory.  Russia’s 2010 military doctrine stresses the importance of information warfare during the initial phase of a conflict to weaken the command and control ability of the opponent.  This was certainly the case in the invasion and annexation of the Crimea and remains the case in the conflict in eastern Ukraine. 

Russia’s use of proxies in cyber space has not gone unnoticed by the U.S. Government. Director of National Intelligence James Clapper has testified, “…improving offensive tradecraft, the use of proxies, and the creation of cover organizations will hinder timely, high-confidence attribution of responsibility for state-sponsored cyber operations.” Cyber Command Chief Admiral Mike Rogers commented “…nation states [are] using surrogates as a way to overcome our abilities in attribution.”  The 2015 Worldwide Threat Assessment prepared by the U.S. Intelligence Community singles out Russia as one of the most sophisticated nation-state actors in cyber space, and that “unspecified Russian cyber actors” have developed the capability to target industrial control systems and thereby attack electric power grids, air-traffic control, and oil and gas distribution networks.

Under Putin, Russia has been steadily and consistently testing the boundaries of accepted international behavior with its activities against Ukraine, intervention in Syria, air and sea intrusions against NATO and Scandinavian states, snap military exercises, intelligence collection, and active measures campaigns.   The threat presented by Russia’s use of cyber proxies to achieve geopolitical results is real, and it is ominously correlated with military activity in the cases of the 2008 war with Georgia, the 2014 annexation of Crimea, and support to military operations in the Don Basin. 

In perhaps a hint of what is to come, and closer to Russia’s borders, Lithuania’s Foreign Minister said in 2015 that Russia has already started to deploy “hybrid warfare” tactics, including cyberattacks, against Lithuania.  This is in addition to a dramatic increase in pro-Russian agitation in cyber space and among the ethnic Russian populations in Estonia, Latvia, and Lithuania. 

After the announcement of sanctions against Russia, a very senior former Russian intelligence official told me that cyber activities against U.S. financial institutions should be interpreted as preparation of the battlefield, and that the U.S. must certainly understand the next conflict will not be limited to the land, air, sea, and space theaters but will also include cyberspace.  Speaking then of Russia’s reaction to economic sanctions, the official said Russia will reserve the right to respond to sanctions “asymmetrically” if required, including in cyberspace. Given the orientation of Russia’s current leadership, the extensive application of the use of cyber proxies and the integration of their use into a hybrid warfare doctrine, we should anticipate Russia increasingly applying this tool against the interests of the United States. 

The Author is Rob Dannenberg

Rob Dannenberg is a 24-year veteran of the CIA, where he served in several senior leadership positions, including chief of operations for the Counterterrorism Center, chief of the Central Eurasia Division and chief of the CIA’s Information Operations Center. Dannenberg is a member of the Board of Advisors to the Director of the National Counterterrorism Center and is a senior fellow at the GWU Center for Cyber and Homeland Security. He is now an independent consultant and speaker on... Read More

Learn more about The Cipher Brief's Network here.


Share your point of view

Your comment will be posted pending moderator approval. No ad hominem attacks will be posted. Your email address will not be published. Required fields are marked *