Vladimir Putin launched an illegal, aggressive attack on Ukraine last night that has already killed dozens of soldiers and sent panic rippling through the world. Russian forces are air-striking cities all over Ukraine, with countless civilians in the firing line, as people flee the capital, Kyiv. Cyberattacks have also begun to amplify the chaos and destruction: Wiper attacks hit a Ukrainian bank and the systems of Ukrainian government contractors in Latvia and Lithuania; Ukrainian government websites were knocked offline; and the Kyiv Post website has been under constant assault since Russia attacked.
While the exact culprits of these cyberattacks aren’t yet known, much of the public discussion about cyber threats has focused on Russia’s military and intelligence services: from stories of military cyberattacks to coverage of Ukrainian preparations against them. The same has been replicated on the government side, with White House press briefings and other sessions dominated by discussion of Russian government agencies’ cyber capabilities. Yet the Putin regime has a far more expansive web of nonstate actors, from cybercriminals to front organizations to patriotic hackers, that it can and has also leveraged to its advantage. Not acknowledging these threats ignores an enormous part of the damage Russia can inflict on Ukraine.
Without a doubt, the Russian state has sophisticated cyber capabilities with a track record of havoc. The SVR, Russia’s foreign intelligence service, has been linked to a number of espionage and data-pilfering campaigns, from the widespread SolarWinds breach in 2020 (whose victims ranged from government agencies to major corporations) to stealing information from Covid-19 vaccine developers. For years, Russia’s military intelligence service, the GRU, has launched destructive cyberattacks, from the NotPetya ransomware that likely cost billions globally, to shutting off power grids in Ukraine, to, just last week, launching a distributed denial of service attack against Ukrainian banks and the country’s defense ministry.
Moscow, however, can also unleash an even more expansive, complex, and often opaque web of proxies whose actors are happy to hack and attack on behalf of the regime. The Kremlin’s involvement with these groups varies and may fluctuate over time; it may finance, endorse, ignore, recruit, or use these actors on an ad hoc basis. Part of the reason Moscow protects or turns a blind eye to cybercriminals is economic—cybercrime brings in a lot of money—but it’s also so the state can sway those actors to do its dirty bidding.
For instance, the Biden administration sanctioned Russia-based cybersecurity firm Positive Technologies in April 2021 for allegedly providing offensive hacking tools to Russian intelligence services. It also, the administration said, hosted “large-scale conventions” through which the FSB and GRU recruited hackers. A Justice Department court filing made public in 2020, to give another example, includes Russian hacker Nikita Kislitsin describing how the FSB worked with an unnamed criminal hacker to gather “compromising information” on individuals. The FSB and the Ministry of Defense recruit many such individuals and organizations to conduct cyber operations for them. And sometimes, it’s just about Putin letting hackers do their thing, and then celebrating their crimes. In 2007, pro-Kremlin youth group Nashi claimed responsibility for launching DDoS attacks on Estonia. Ten years later, Putin compared these kinds of “patriotic hackers” to “artists,” declaring that some might be joining “the justified fight against those speaking ill of Russia.”
If these threats seem confusing and overwhelming, that’s exactly the point, and that’s exactly what makes the threat against Ukraine so grave. This cyber proxy web affords Moscow deniability and obscurity, and the ability to launch combinations of operations and attacks without having the Russian flag clearly emblazoned on them. Even if the hacks are ultimately linked to Moscow, there may be periods where the Russian government can deny involvement, and there are still populations abroad and at home who will believe the regime’s talking points. In 2014 this (im)plausible deniability was part of the Putin regime’s invasion of Ukraine, with pro-Moscow hacking collectives like Cyber Berkut carrying out defacements in Ukraine (as Ukrainian groups also hacked Russian targets); the UK’s National Cyber Security Center has said Cyber Berkut is linked to the GRU.
More alarming still is the fact that Russian state and proxy hackers aren’t just based in Russia. Increasingly, there are signs that Moscow is deploying, stationing, or leveraging both state and proxy hackers overseas to launch operations from within other countries. In 2018 a Czech Republic magazine broke a story alleging that Czech intelligence had identified two purported local IT companies that were set up to run cyber operations for Russia—and which even had their equipment delivered by Russian diplomatic vehicles. It appears that Belarus is becoming a collaborator for Kremlin cyber operations, or at the very least a Russian government staging ground. Even on the information operations side, the infamous Internet Research Agency has opened unmarked offices in Ghana and Nigeria.