History’s Lesson Regarding Russian Cyber Warfare

Moscow Station

Ten years ago this month, war erupted between Russia and Georgia after Georgian troops attacked South Ossetia and shelled the town of Tskhinvali, in response to alleged Russian provocations.

Russia justified its military action as a response to Georgia’s aggression; President Medvedev called the attack an attempted “genocide” against innocent civilians. Seeking to discredit Georgia’s national sovereignty, Russia also portrayed the conflict as a proxy war against the U.S., the first of its kind since the end of the Cold War.

Russia blockaded the Georgian coast with its Black Sea Fleet, dispatched combat troops to Abkhazia to deter a Georgian attack, and conducted combat air missions against Georgian targets. Using a justification that would be repeated when Russia annexed Crimea, Medvedev claimed there were regions where Russia had “privileged interests” to defend the rights of Russians wherever they might be located. South Ossetia and Abkhazia declared their independence, and Russia created a “frozen conflict”, which would serve Russia’s national security strategy by indefinitely delaying Georgia’s NATO membership.

Russia’s application of hybrid warfare – the concurrent use of battlefield and cyber operations – was precedent-setting. Russia enhanced and enabled its extensive land, air, and sea attacks with sophisticated and synchronized cyberspace operations. Russia’s cyber attacks against Georgia reflected a new level of complexity, building on the massive DDoS attacks against Estonia the year before.

Three weeks before the war began, alleged Russian hackers attacked Georgia’s websites.  After first targeting the Georgian hacking community in an attempt to disable any potential counterattack, the hackers gained access to over fifty Georgian military and government networks, which were highly vulnerable.

The hackers shut down official sites in Gori, including some news sites, with denial of service attacks just before Russia launched air combat operations. The hackers hindered the Georgian Government’s ability to communicate, which, coupled with Russia’s air, land and sea operations, degraded Georgia’s defenses considerably. DDoS attacks against the Georgian government, including the President’s website, were well orchestrated. On the day combat began, a website called “stopgeorgia.ru” went online with a list of sites to attack, instructions on how to do so, and post-attack damage assessments.

The hackers’ target audience extended beyond Georgia’s domestic population. The attackers also wanted to degrade Georgia’s ability to rally international support. Attacks targeted Georgian media, communications companies, and transportation. The National Bank of Georgia website was replaced with pictures of twentieth century dictators. Revisiting a modus operandi deployed effectively against Estonia in 2007, hackers used botnet traffic floods to shut down Georgian computers.

But while well orchestrated, the attacks were far from perfect. The hackers revealed a detectable signature through their presence in chat rooms prior to the attacks. Following the same modus operandi as terrorists who plan attacks before executing them, the hackers mounted a surveillance operation against their targets and conducted mock exercises before launching the actual attacks.

The attack was a gold mine for those closely studying Russian methods of attack, and the lessons learned from Russia’s hybrid war against Georgia have implications for current U.S. strategy.

First, cyber operations cannot begin from a “cold start.” Good cyber defense therefore requires active collection in the networks where the attacks are being planned. Keep in mind that the U.S. has detected massive Russian cyber intrusions into our social media and networking sites, energy infrastructure, political party committees, and voting installations.

Second, the lines between the public and private sectors are blurred and opaque in cyberspace. Malicious state and non-state actors maintain symbiotic, sometimes proxy, relationships with hacker communities that conduct non-attributable cyber operations targeting an enemy state’s critical infrastructure, defense industry, and private sector writ large, sometimes on behalf of powerful benefactors or of those with whom they share an ideological affinity.

Third, effective cyber defense requires a holistic approach, a recognition that cyberspace is intertwined with other geographic domains where conflict can occur.

The U.S. needs a strategy to deter, defend against, and counter Russia. With less than 100 days before mid-term elections in the U.S., deterring another Kremlin cyber onslaught on our democratic process may not be fully possible. State and local governments therefore need to harden voting installations and build a ‘right of boom’ incident response plan to shine the truth spotlight on any of Russia’s false narratives, which continue to penetrate our social media platforms.

Special Counsel Robert Mueller’s investigation has led to the successful indictment of a number of Russian intelligence officers and organizations, including an infamous, Kremlin-connected “troll farm.” In addition to sanctions and another round of diplomatic expulsions, President Donald Trump might also consider directing Cyber Command to target Russia’s hackers with an eye towards rendering their capability inert, but not before he takes the opportunity he missed during the Helsinki summit to clearly warn Putin about the U.S.’ red line and his promise to enforce it.


One Response

  1. Andre says:

    I appreciate the article and its description of what now appears as a crude and amateurish cyber attack by Russia on Georgia, at least compared with what we see today.

    However, I have to call attention to one or two points the author makes in his introductory paragraphs. Why was it necessary to describe the long-standing South Ossetian attacks on Georgian villages north of Tskhinvali as “alleged?” Georgia finally acted, albeit ineptly, to restore its control over its internationally recognized sovereign territory after several weeks of intensifying attacks from the South Ossetian military, a military led by Russian officers and which was never constrained by Russian “peacekeepers.”

    Russian forces invaded Georgia far beyond the administrative boundaries and destroyed military bases, the Georgian Coast Guard, and pillaged and looted. The “frozen conflicts” were by no means a result of Saakashvili’s failed attempt to retake South Ossetia, but had been in place for many years, decades in fact, before. Not just in Georgia, but Karabakh, Transdnistria, and other flash points were kept on a simmering low boil by Russia but called “frozen conflicts” by the West.

    Nonetheless, it is very important that the author has reminded us that Russian cyber attacks date back to at least 2008. It is plausible that these attacks, as well as the Estonian “war memorial” attacks, were carried out in large part by independent actors, but this is certainly no longer the case, as well-resourced and very capable state-sponsored actors now take the lead.

    And in closing, I’d like to share a refrain from an Abkhaz observer, who said something like, “before ‘independence’ at least we were free, but now that we are ‘independent,’ we are no longer free.”
