US Bracing for Bolder, More Brazen Russian Cyberattacks
Repeated failures by Russian cyberattacks and disinformation campaigns to inflict lasting damage during the Kremlin’s ongoing war against Ukraine are unlikely to dampen Moscow’s resolve and could instead spur a new wave of riskier efforts against a wider set of targets.
The assessment, from a variety of U.S. government agencies, comes as Russia’s invasion of Ukraine has dragged into a second year, with Ukraine and its Western backers preparing for Moscow to unleash a new round of cyber campaigns aimed at helping to change the trajectory of the battle on the ground.
“The weight of this conflict remains significant,” a spokesperson for U.S. Cyber Command told VOA, sharing information on the condition of anonymity due to the nature of the ongoing fight. “We anticipate their cyber activities may become bolder and look at broader targets.”
Officials at the National Security Agency have reached similar conclusions.
“If the conflict continues to not go well for Russia, there is some chance that Russia will be increasingly brazen in its cyberattacks on civilian infrastructure as we have already seen with their kinetic activity,” an NSA spokesperson, who like their Cyber Command counterpart spoke on the condition of anonymity, told VOA.
Only Russia’s cyber wrath will likely not be limited to Ukraine.
“We anticipate that Russian actors will increasingly look outside of Ukraine’s territorial borders when planning and conducting operations, be it related to aid that Western countries are giving to Ukraine or to try to undermine Western unity with disinformation as the conflict drags on,” the NSA spokesperson added.
Russian cyber forces unprepared
Hardening such assessments is the reality that Russia’s hopes that it would be able to quickly topple Kyiv’s government failed to materialize, leaving Russia’s military planners fighting a war for which they were not prepared.
By late last year, Pentagon cyber officials were warning that the Kremlin’s inability to anticipate a long war with Ukraine was not a problem relegated to the physical battlefield, but one that extended into both cyberspace and the information environment.
So, when Russia’s first salvo against Ukraine in cyberspace failed to land a decisive blow, the Kremlin’s cyber forces had few answers and continued to underperform.
“Russian cyber activities remained true to their established tradecraft, such as attempts to disrupt websites, extract Ukrainian data and trying to get a forward-facing presence on the internet. These TTP [tactics, techniques and procedures] weren’t a surprise for us at all,” the CYBERCOM spokesperson said.
And the decision by U.S. President Joe Biden to declassify some of the early intelligence on Russia’s invasion plans and share it with allies and partners, including Ukraine, meant Kyiv was not surprised either.
“The U.S. government’s ability to provide information and intelligence to Russia’s invasion were the critical difference,” according to the CYBERCOM spokesperson.
“It was a game changer, which Russia might not have expected,” the spokesperson added, noting the sharing of cyber intelligence “remains an incredible weapon for Ukraine.”
So far, U.S. government agencies see few signs that Russia’s range of cyber actors has been able to adjust.
Unchanging tactics
Instead, both CYBERCOM and the NSA assess that despite what they describe as strategic and operational failure, Russia has stuck to its traditional cyber playbook, hoping the persistence will pay off.
“It doesn’t seem Russia has been able to accomplish widespread cyber disruptions to Ukrainian civil infrastructure thus far, but we know they are continuing to try to gain accesses that would allow them to do so,” the NSA spokesperson told VOA. “The longer Russia wages this war, the harder it will be on the Ukrainian people, and the more vulnerable they will be to destructive cyberattacks against critical infrastructure.”
Some of Washington’s assessments align with the findings of other Western countries.
“Russia’s influence operations in cyberspace have not had the expected effect,” Estonia’s Foreign Intelligence Service said in its report, released earlier this year.
“It is possible that specific cyberattacks against energy, water supply or other similar critical infrastructure, which would lead to long-term service interruptions, were not organized early on because Russia expected to achieve its military objectives quicker and wanted to maintain the support of the local population,” the Estonian report added.
But Estonian intelligence also cautions that Russia has not been looking to cyberspace just for an immediate impact.
The report cautioned that Russia often uses cyberattacks in a similar manner to its armed forces, with actions “wearing down Ukraine’s cyber defenders” in the hopes of eventually finding a weak link to exploit.
Estonian intelligence officials also noted expanded targeting, both with cyberattacks and influence operations, of countries supporting Ukraine, including Estonia, Latvia, Lithuania and Poland.
Some cybersecurity companies have also noted a shift.
Focus on Ukrainian allies
A report last month by Check Point Research (CPR) found that since September 2022, weekly cyberattacks targeting Ukraine dropped by 44%, while attacks targeting key NATO countries began to increase.
CPR found Estonia saw a 57% increase in cyberattacks related to Russia’s invasion of Ukraine. In Poland and Denmark, the number of such cyberattacks jumped by 31%, compared to an 11% increase in Britain and a 6% rise in the U.S.
According to CPR, many of the attacks involved the use of malware, though there was also a growing focus on influence operations and disinformation.
“The Kremlin uses its full disinformation ecosystem to spread and amplify multiple narratives across sources and platforms, including the heavy use of proxy websites,” a State Department spokesperson told VOA, noting Ukraine itself “remains a major target.”
As with Russian troop attacks and cyberattacks, Russia’s efforts in the information domain have often been aimed at wearing down audiences.
“The main idea here is just to over-exhaust people who are reading the news in order to make them actually puzzled at what actually happened,” Roman Osadchuk, a research associate at the Atlantic Council’s Digital Forensics Research Lab, said during a recent webinar.
Osadchuk further described Russia’s approach to confuse and overwhelm audiences as baking a “layer cake of falsehoods” in which one bit of disinformation is built on top of a previous disinformation campaign, which itself is based on yet an earlier disinformation campaign, which can make the falsehoods difficult to refute.
Many times, he said, Russia based these efforts on forged documents, which he said Moscow was producing on an “industrial level.”
Only success for Russia has not been consistent.
Mixed results
“Russian propaganda has been failing, especially in Ukraine,” said Ksenia Iliuk, a co-founder of LetsData, an information security company.
“The social polling of Ukrainians showed that despite all those enormous flows of propaganda and disinformation, almost 90% of Ukrainians fully believe in Ukrainian victory,” Iliuk said, speaking at the same webinar as Osadchuk. “Ukrainians were the ones who were just doing the most amazing things when it comes to pre-bunking, debunking and various forms of communication.”
However, Osadchuk and his colleagues at the Digital Forensics Research Lab caution that while Russia’s reputation as a disinformation champion has taken a hit, the Kremlin’s efforts remain dangerous.
“In Europe and North America, where support for Ukraine generally remains high, contentious debates persist over supplying Ukraine with advanced weaponry and additional funding, while attitudes toward Ukraine have become increasingly partisan in the United States,” they wrote in a report released ahead of the anniversary of the Russian invasion.
“In parts of Africa, anti-imperialist sentiment manifests itself paradoxically in favor of Russia, where it is often presented as a friend and ally in opposition to historic colonizers such as France, rather than as a 21st-century colonizer in its own right,” the report found. “These examples, and countless others, continue to present opportunities for Russia to increase its stature and influence while simultaneously eroding Ukraine’s.”
Russian cyber actors are also ramping up new campaigns or reviving old ones.
Renewed efforts
A report by the cybersecurity firm Proofpoint issued Tuesday warned that a Russian-aligned threat actor known by a number of names, including TA499, Vovan and Lexus, has been expanding a campaign using emails and video calls to create and spread negative narratives about “those who have spoken out against Russian President Vladimir Putin, and in the last year, opposed Russia’s invasion of Ukraine.”
Targets include high-profile North American or European government officials, chief executive officers at prominent companies and even celebrities, often by impersonating Ukrainian government officials or even the chief of staff for Russian opposition leader Alexei Navalny.
“TA499 is a very public group that is garnering a fan following,” the Proofpoint report warned.
Both U.S. CYBERCOM and the NSA told VOA they continue to work with a range of partners to detect Russian activity against Ukraine, as well as against allies, and share details that can stop cyberattacks before they happen, or at least allow for a quick response.
“We continue to see Russian attempts to gather information, data and accesses while indiscriminately trying to cause widespread cyber disruptions,” the CYBERCOM spokesperson said. “They haven’t been successful.”
And although such failures give officials and researchers some hope, there remains a sense of foreboding.
“I don’t think that this is a reflection on necessarily Russian cyber capabilities,” said Samantha Lewis, a threat intelligence analyst with the cybersecurity firm Recorded Future, during a recent webinar on Russia’s cyber operations.
“It is not necessarily a statement on Russian cyber forces not being able to do better, because I think that there is absolutely potential for that to happen in the future,” she added. “The ongoing threat that comes from not knowing how much has been reserved up to this point.”