Camouflaged Aggression: A Strategic Shift in Russia’s Cyber Activity

Sarah Geary
SENIOR ANALYST, FIREEYE HORIZONS

Russian cyber operations are widely discussed and reported on today. Conversations frequently range from how the Russian government hacked the Democratic National Committee (DNC) to the utilization of Russian social media trolls for political influence. Often missing from the conversation, however, is how these operations fit into the overall context of Russian intelligence cyber operations, including the methods deployed and tactics used. 

When the historical context of Russian cyber operations is discussed, it is usually by pundits who claim that the specific operations are not stealthy enough to be attributed to the secretive Russian government, since traditional perceptions suggest it operates solely in the shadows. This is an inaccurate and outdated representation of Russian cyber operations. Those critics have ignored the widely accepted premise that tactics, techniques, and procedures evolve. By assuming Russia would operate in the same stealthy way now as it did five years ago, these critics overlook the major changes that have taken place since 2014. Understanding the larger picture of how Russian intelligence is shifting its tactics is helpful not just for attribution purposes; it also provides better insight into the possible motivations behind the activity. This understanding creates the opportunity to craft a more fitting response.

Since 2014, Russian intelligence has become noticeably more brazen in its cyber activity. In the past, Russian cyber actors were known for covering their tracks, but these actors often no longer edit network logs or delete lists of downloaded files. Instead, they leave forensic clues that would be rather simple to clean up, as if attribution were no longer a concern.

Since 2014, the Russian government cyber actors APT28 and APT29 have been observed staying and operating on a network even after detection. Instead of retreating as they did before, they exploit their target in full view of the investigators and jump from one computer to another, almost taunting the remediation team to respond.

Not only has recent Russian network exploitation tended to be louder and bolder, it has also increasingly supported Russian information operations, such as website defacement and the theft of information later leaked online. These information operations have only furthered public awareness of Russia’s network exploitation capabilities. Specific examples include targeting of the Ukrainian Central Election Commission website in 2014; the TV5 Monde website in 2015; and former White House Chief of Staff John Podesta’s emails in 2016, as well as the DNC and medical records of the World Anti-Doping Agency.

Multiple security professionals have expressed doubt that an adversary who knows how to be stealthy would deliberately leave a calling card during a covert operation. That would make sense, however, if the adversary did not want the operation to be completely covert. The evidence signals that Russia wants to send a message, or rather multiple messages to multiple audiences.

As an illustration, Russia’s network and information operations continue to meddle with political elections in the U.S. and Europe. To the general public that is unaware of Russia’s involvement, Russia is broadcasting that it is a friend to their worldview as well as a victim of false accusations by biased Western media. To the portion of the public that suspects Russia may be trying to interfere with elections, but does not know to what extent, Russia is undermining faith in the democratic process. To those who know what Russia is doing, especially government policymakers, Russia is demonstrating its strength and advertising its ability to act without consequence. Whether or not people believe Russia is behind the cyber attacks, the Russian government has crafted a self-serving narrative.

To the general public, Russia is taking advantage of the prevailing, and incorrect, view that cyber attribution is near impossible, leaving just enough room for doubt to make retaliation unpopular. If the general public believes its government does not have a strong case against Russia, that government’s deterrence options become complicated, as any response to a cyber provocation could cause the public to condemn the action, leading to political backlash within the United States.

To the experts and policymakers convinced of foreign interference, Russia is broadcasting its extensive cyber capabilities and its willingness to use them. This complements the activity Russia is pursuing outside of cyberspace as well, especially since its conflict with Ukraine began in 2014. For example, Russian information operations led the Ukrainian public to question who shot down Malaysia Airlines Flight 17 and whether the “little green men” in Ukraine were an organic populist militant movement or Russian soldiers. While much of the Ukrainian public gave up trying to sort out what happened, those who knew the ground truth were forewarned about Russia’s strength and the lengths it would go to in order to get its way.

Russia’s strategy of camouflaged aggression in cyberspace has worked thus far without many negative repercussions. Its intelligence agencies can show off and leave clues they formerly would have erased, knowing that the attribution evidence presented for their cyber operations rarely engenders enough public confidence to allow policymakers to respond without potential political backlash. Even if the public were convinced that Russia was behind the cyber attacks, there is still no consensus about what the appropriate response should be.

Given the multiple messages motivating Russia’s cyber operations, an effective response should likewise include a strategic communications component. First, the skeptical portions of the public should be informed of Russia’s actions in cyberspace, including the evidence behind them. Second, the public needs to be assured that Russia cannot undermine democracy as long as there is awareness of Russian activities and critical consideration of political news. Third, once there is consensus around a deterrence strategy, it should be clearly conveyed to the Russian government what the consequences of unacceptable behavior will look like. Given that the Russian government has been conducting cyber operations in this brazen way for over two years, it is worth investing the time and effort to develop appropriate response policies.

Sarah Geary is a senior analyst on FireEye's Horizons team, which conducts strategic forecasting to anticipate risks posed by emerging technologies and geopolitical developments. She specializes in cyber deception and advanced analytic tradecraft. Prior to joining FireEye, Geary served nearly a decade in government, focusing mostly on cyber threat analysis.