Fancy Bears and SolarWinds: understanding Russia’s cyber policy

The military cyber policy of western nations depends on a strong understanding of the nature of the cyber threat from adversaries, not least Russia. Samuel Cranny-Evens looks at the drivers behind Russia’s aggressive cyberwarfare stance.

Russia’s annexation of the Crimean Peninsula in 2014 sent western analysts scrambling to understand a suddenly assertive and audacious Kremlin. Countless papers and commentaries discussed hybrid warfare, the erroneously named ‘Gerasimov Doctrine’, and grey zone tactics. Regardless of the name given to Russia’s approach to international relations, one thing was clear – the era of rapprochement between NATO and its former adversary was over; everything would now hinge on the ability of one to shape the actions of the other.

Russia’s senior military and intelligence officers had observed the US and its allies, and the way they conducted themselves abroad. Valery Gerasimov, Russia’s Chief of Staff, made this clear in a 2013 speech: the Arab Spring, Ukraine’s Maidan protests and the Kosovo campaign were – in Russia’s view – orchestrated by the US and had led to the removal of friendly regimes in Russia’s near abroad. The fear naturally followed that similar regime change could be conducted in Russia, a fear that combined with a host of historical grievances and feelings of mistrust towards the west.

The resultant strategy is perhaps most accurately described by the scholar Dmitry Adamsky, who in 2018 described the Russian approach to international relations as one of cross-domain coercion. For Russia, the use of cyber-attacks as a strategic tool fits within the concept of information warfare or information struggle, Adamsky states.

Cyber is to be combined with electronic warfare, psychological operations and maskirovka, a historical element of Russian/Soviet military art that is intended to achieve deception and confusion and to implant disinformation in the enemy’s decision-making cycle whilst concealing Russia’s own intentions. The overall goal of an informational struggle is to sow discord and use the democratic nature of Russia’s adversaries against them, preventing any definitive and aggressive responses to Russian actions.

Russia’s key cyber attacks

By examining some of the key cyberattacks that have been attributed to Russia’s cyber operatives, it is possible to see the role that cyber plays in an informational struggle. For example, the 2020 attack against the US company SolarWinds, which became known in 2021, demonstrated the reach of Russian hackers, as well as their ability to conduct very refined attacks.

The breach was attributed to the SVR, Russia’s foreign intelligence service, which denied the attacks in May. The hack provided access to nine US federal agencies and a multitude of businesses including those in the energy sector, for over nine months. The SolarWinds example could be interpreted as an attempt at sabotage, to disrupt managerial capacity, with the added psychological element of undermining the credibility of US information technology providers.

Furthermore, Microsoft reported on 25 October that the Russian group NOBELIUM had been launching attacks against cloud service and managed service providers, intending to gain access to the relationships that these providers have with governments, think tanks and companies. NOBELIUM is also known as Cozy Bear, or APT29, and is the group associated with the SVR that is believed to have conducted the SolarWinds attack. This shows how persistent the information struggle is for the Russian intelligence services, and how even a successful attack is to be followed up with additional efforts.

The SolarWinds attack and many others are also likely to have had an espionage element, providing Russia’s intelligence services with access to competitors in the energy market and possibly to defence manufacturers and government agencies. This raises one important caveat about cyberattacks: they broadly fit into the pattern of international competition that has always existed between states. This led military historian Hew Strachan to express concern over describing cyberattacks as a form of warfare in a March 2021 episode of the Royal United Services Institute Western Way of War podcast.

Influencing politics

Cyber for Russia forms part of a continuous shaping campaign designed to influence the political conversation. This has direct outputs such as the 2016 email account hack of the US Democratic Party, which led the CIA to conclude that Russia had deliberately intervened in the 2016 election to help Donald Trump become president.

In 2020, the UK’s government stated that Russian hackers had meddled in the 2019 General Election, and the Russian hacking group APT28 – otherwise known as Fancy Bear – was implicated in a 2017 hack and release of leaked documents in Emmanuel Macron’s presidential campaign.

Perhaps the most damaging result of these efforts has been the degradation of the reputation of the West’s democracies and the implication that they are not the pure institutions they were once thought to be. However, a blog posted by CSIS in 2020 observed that Russia has a long history of interfering in foreign elections, indicating that the current paradigm is more of a continuation than a decisive change in tack.

What has changed is the tactics used by Russia’s cyber assets to achieve their outcomes. The primary approach appears to be the hack and leak: revealing embarrassing details about election competitors for leverage and then ‘fire hosing’ this information through social media channels to amplify and spread its effects.

Attempts to influence the outcome of a political campaign or reduce its legitimacy represent the strategic aspect of Russia’s information struggle, which holds that the borders between peace and war are blurred and that countries exist in a constant state of competition. In this sense, the use of cyber can be regarded as a shaping operation designed to impact an opponent’s thinking without resorting to physical force.

Below the level of international political competition, Russia has also demonstrated the ability to exert physical effects that could be related to a military campaign. In December 2015 a Ukrainian power grid was remotely taken offline by a cyber-attack that had gained access to the SCADA systems controlling the substations and denied power to 200,000 people. This attack was preceded by the 2007 attacks on Estonia that took much of the country’s banking system offline and was followed by an additional attack on Ukraine’s power supply in 2016.

Russia’s cyber goals

Overall, Russia’s information struggle has multiple simultaneous goals. It is designed to obfuscate and degrade the quality of information. This has the dual effect of damaging trust in the information audiences receive in the West as well as raising the prospect of restricted freedom in the use of the internet. It also allows Russia to exert some control over the narrative that is spun around its actions.

This aspect of the information struggle would likely become more prominent in the event of a war, wherein Russia would seek to present itself as the just and right cause, thereby garnering international support. Aspects of this are apparent in Russia’s Syria campaign, which has routinely sought to deny the use of chemical weapons and to loudly advertise the return of refugees to their homes.

Finally, there is a straightforward espionage element, which provides Russia’s intelligence services with a relatively safe and deniable means to access foreign systems to gain a greater understanding of the western system. The role of cyber is therefore clearly important to the Russian concept of information struggle but should be understood in the context of what Moscow perceives to be a constant state of competition.

Main image: Russia’s use of cyber-attacks as a strategic tool fits within its concept of information warfare. Credit: Shutterstock: Olga_Y