What the Russians want: How Russia uses cyber attacks  and hybrid warfare to advance its interests.
By The CyberWire Staff
Mar 30, 2017

What the Russians want: How Russia uses cyber attacks and hybrid warfare to advance its interests.

What, exactly, do the Russians want? Their very active cyber operations obviously serve state goals, but what are those goals, and how can they inform a Western response?

ITSEF's second day opened with a panel on Russian hybrid warfare—a combination of cyberattack and information operations with both conventional and irregular military operations. Larry Hanauer, of the Intelligence and National Security Alliance, chaired a discussion among the Hoover Institution's Herb Lin, Lookout's Mike Murray, and LIFARS CEO Ondrej Krehel.

Policy driven by resentment.

Hanauer's opening question was open-ended: what are Russia's policy goals, and how does it use hybrid warfare to advance them? The panel was in agreement that the key to understanding Russian actions in cyberspace is to recognize them as driven by resentment. Lin called that resentment "longstanding." It stems from the collapse of the Soviet Union at the end of the Cold War and Russia's treatment internationally since then. Russian leaders and a substantial set of the Russian population views that treatment as disrespectful, contemptuous.

Russia has a very long tradition of using deception and propaganda, Lin said, and he added that the country doesn't draw clear lines between peace and war. "It's always war, even below the level of armed conflict." The long-term goal is restoration of Russia's place in the world. Creation of chaos through the dissemination of fake news and other information operations is simply battlespace preparation. Cyber, he added, gives you low-cost tools you didn't have before. "It's an attack on brainspace, and we're all in the attack surface."

Murray agreed, noting one current success of Russian information operations. We've been distracted from their intervention in Syria by news and fake news surrounding the US elections.

One of the more prominent features of the Russian way of cyber warfare is their willingness and ability to use criminal organizations for operational purposes. During the Cold War, Krehel explained, "if you did harm to the US, you were a hero." Among other possibilities, that harm could be reputational or it could be economic, and criminals are well-adapted to inflicting those kinds of harm. There's a view now, among Russian leaders, that they can expose personal information of essentially all Americans, and that this will yield a comprehensive picture of American finances down to the individual level. It's very important to the Russian government, Krehel observed, to understand what the US can afford, and what capabilities we're investing in, and all manner of data go into building up that picture. Lin: agreed that Russian espionage aggregates data in ways that render those data more valuable than the simple loss would impose on any single victim.

As a side note on the Russian President, the panel appeared to agree, as one member put it, that we now see one man, President Putin, who is able to use the resources of a modern nation-state to redress a deeply held personal grievance.

Chaos as statecraft.

This general orientation, according to Murray, can be encapsulated by noting that all war, to Russia, is about political ends. There's no separation of politics from the economy or business. The increase in chaos we see in Western news, information, and political culture is, from a Russian point of view, a desirable thing. 

And chaos serves tactical as well as strategic ends. Krehel expanded on this by asserting that Russia wants chaos because it doesn't have the funding, the financial resources, of, say, the US. Thus Russian security services hand intelligence over to criminal groups. "A normal government doesn't hand over its political agenda to criminal groups," he said, but Russia's does.

Murray offered an evocative story: "The number two guy in Russia has two pictures on his desk: one of Putin, and the other of Tupac Shakur." So there's a kind of gangster ethos at the highest levels. And whie using criminal gangs as cutouts also affords an obvious form of deniability, we shouldn't be deceived.

In response to Hanauer's question about who might be the leading cyber actors in the Russian government, Krehel said that they were the organizations one would expect, with the FSB and GRU occupying prominent positions. Different units within the government do cooperate—resource and manpower constraints make this inevitable—and in those services "loyalty is high, and rated very highly." 

You cheated them. Expect payback.

There's also a common motivation, and Russian information operations play into it, especially domestically. "Russia believes all of you in this room cheated them," Krehel said, and this theme is consciously exploited to the population as a whole, but particularly to the security services. "So the GRU's big objective is to cripple you financially. And then they want to make you look ridiculous."

Lin agreed. "That's an accurate picture of how it works on the ground. Russia is a thugocracy, a state of organized crime." He has seen reports (unconfirmed reports, he stressed, but he also clearly thought them plausible) that there are formal memoranda of understanding from the FSB to criminal gangs, outlining what the gangs can expect in return for services. "Other governments have done this, but it's a way of life in Russia. The line between intelligence services and gangs is very vague."

There's no such thing as a win-win, Lin said, in the Russian worldview. "To Russia, it's always win-lose." Hanauer noted that this seemed a point of difference between Russia and China, and Lin agreed. Where there have been agreements of a sort between the US and China moderate conduct in cyberspace, Lin thinks there's little evidence that such deterrent or confidence building agreements will have much effect in US-Russian relations.

Protect what's important? Everything's important (to the Russians).

Asked about defensive measures, Lin said that, "while there's a logic to saying, 'protect what's important,' to a good intelligence agency there's never too much data."

There are preferences for certain kinds of targets, which Krehel enumerated: first, oil, second, pharma, and a distant third, tech. Tech was less actively prospected because of Russian confidence that "they're so much better at tech than we are." Lin agreed, and said there was some basis for that confidence. "In the physics community, for example, we've long noted the sophistication of Russian physicists. They have great theoretical insight."

Humiliation as statecraft, and the commodity tools used to do it.

Murray said he'd recently heard someone lamenting that he missed the Chinese, who just stole without embarrassing you. "That says a lot about Russian operations."

Turning to the embarrassment inflicted during the US elections, Hanauer asked what kinds of tools the Russians were using for their attacks? Lin answered that the most consequential hack—Democratic Party operative John Podesta's email—was phishing, a very basic approach.

Krehel said that, during the run-up to the election, he observed the Democratic and Republican National Committee networks being equally pressured by the Russians, the former more successfully than the latter. The approach in both cases focused on human engineering.

The Russian services, Murray explained, focus on engineering end-to-end systems. "'PowerShell' is the magic word for Russian coding." There's an emphasis on the least common denominator—phishing, PowerShell, darkside commodity tools—in effect a startup mentality. "All their tools are malleable and in motion, all the time."

Critical infrastructure and acts of war.

Hanauer asked about the much-feared prospect of an attack on US critical infrastructure. Are we seeing, he asked, Russian attacks on US critical infrastructure? And if and when we do, would these be acts of war? "If they're not trying [to hit US critical infrastructure]" Lin said, "then someone over there should be fired." In Murray's view, "Everyone's trying to figure out the act-of-war line." He reviewed briefly the history of Russian attacks (a coordinated mix of criminal and intelligence service attacks) on the Ukrainian power grid. He thought Russia would be more circumspect about doing such things to the US grid because, of course, the US is potentially a more dangerous adversary than Ukraine. But he also thought that if the Russians came to believe such attacks would be useful, they wouldn't hesitate to undertake them.