History’s Lesson Regarding Russian Cyber Warfare

By Daniel Hoffman, Former Senior Executive Service Officer, CIA

Hoffman served as a three-time station chief and a senior executive clandestine service officer, with assignments including tours of duty in the former Soviet Union, Europe, and war zones in the Middle East and South Asia. Hoffman also served as director of the CIA's Middle East and North Africa Division. He is currently a national security analyst with Fox News.

Ten years ago this month, war erupted between Russia and Georgia after Georgian troops attacked South Ossetia and shelled the town of Tskhinvali, in response to alleged Russian provocations.

Russia justified its military action as a response to Georgian aggression; President Medvedev called the attack an attempted “genocide” against innocent civilians. Seeking to discredit Georgia’s national sovereignty, Russia also portrayed the conflict as a proxy war against the U.S., the first of its kind since the end of the Cold War.

Russia blockaded the Georgian coast with its Black Sea Fleet, dispatched combat troops to Abkhazia to deter a Georgian attack, and conducted combat air missions against Georgian targets. Using a justification that would be repeated when Russia annexed Crimea, Medvedev claimed that Russia has “privileged interests” in certain regions and a duty to defend the rights of Russians wherever they live. South Ossetia and Abkhazia declared their independence, and Russia created a “frozen conflict” that serves Russia’s national security strategy by indefinitely delaying Georgia’s NATO membership.

Russia’s application of hybrid warfare, the concurrent use of battlefield and cyber operations, was precedent setting. Russia enhanced and enabled its extensive land, air, and sea attacks with sophisticated and synchronized cyberspace operations. Russia’s cyber attacks against Georgia reflected a new level of complexity, building on the massive DDoS attacks against Estonia the year before, in 2007.

Three weeks before the war began, alleged Russian hackers attacked Georgian websites. After first targeting the Georgian hacking community in an attempt to disable any potential counterattack, the hackers gained access to over fifty Georgian military and government networks, which were poorly defended.

The hackers took down official sites in Gori, including some news sites, with denial of service attacks just before Russia launched its air combat operations. By hindering the Georgian Government’s ability to communicate, the hackers, in combination with Russia’s air, land and sea operations, degraded Georgia’s defenses considerably. The DDoS attacks against the Georgian government, including the President’s website, were well orchestrated. On the day combat began, a website called “stopgeorgia.ru” went online with a list of sites to attack, instructions on how to attack them, and post-attack damage assessments.

The hackers’ target audience extended beyond Georgia’s domestic population. The attackers also wanted to degrade Georgia’s ability to rally international support. Attacks targeted Georgian media, communications companies, and transportation. The National Bank of Georgia website was defaced with pictures of twentieth-century dictators. Revisiting a modus operandi deployed effectively against Estonia in 2007, the hackers used botnet-generated traffic floods to knock Georgian systems offline.

But while well orchestrated, the attacks were far from perfect. The hackers left a detectable signature through their presence in chat rooms prior to the attacks. Much as terrorists plan and rehearse before executing an attack, the hackers surveilled their targets and conducted mock exercises before launching the actual attacks.

The attack was a gold mine for those closely studying Russian methods of attack, and the lessons learned from Russia’s hybrid war against Georgia have implications for current U.S. strategy.

First, cyber operations cannot begin from a “cold start.” Good cyber defense therefore requires active collection in the networks where the attacks are being planned. Keep in mind that the U.S. has detected massive Russian cyber intrusions into our social media and networking sites, energy infrastructure, political party committees, and voting installations.

Second, the lines between the public and private sectors are blurred and opaque in cyberspace. Malicious state and non-state actors maintain symbiotic, sometimes proxy, relationships with hacker communities that conduct non-attributable cyber operations against an enemy state’s critical infrastructure, defense industry, and private sector writ large, sometimes on behalf of powerful benefactors or of those with whom they share an ideological affinity.

Third, effective cyber defense requires a holistic approach: a recognition that cyberspace is intertwined with the other geographic domains in which conflict can occur.

The U.S. needs a strategy to deter, defend against, and counter Russia. With less than 100 days before the mid-term elections in the U.S., deterring another Kremlin cyber onslaught on our democratic process may not be fully possible. State and local governments therefore need to harden voting installations and build a ‘right of boom’ incident response plan to shine the spotlight of truth on any of Russia’s false narratives, which continue to penetrate our social media platforms.

Special Counsel Robert Mueller’s investigation has led to the indictment of a number of Russian intelligence officers and organizations, including an infamous, Kremlin-connected “troll farm.” In addition to sanctions and another round of diplomatic expulsions, President Donald Trump might also consider directing Cyber Command to target Russia’s hackers with an eye towards rendering their capability inert, but not before he takes the opportunity he missed during the Helsinki summit to clearly warn Putin about the U.S. red line and his promise to enforce it.
