Intel Brief: Russia Online and On the Attack

Due to its deep pool of home-grown talent, Russian cyberattacks on states are on the increase, signaling a tendency for the country to take disputes online, writes Ania Dunin for ISN Security Watch.

While massive hacking operations originating in Russia and targeting Central and Eastern European state institutions are not common (as far as the public knows), a recent increase in Russian hacking activity indicates that they will likely pose a significant security threat in the near future.

An attack on Poland in September seems to have been another one targeting a country involved in some kind of conflict or controversy with Russia, following Estonia in 2007 and Lithuania and Georgia in 2008. It is likely that disputes between Russia and its neighbors will continue to translate into cyber incidents in the future, as they have in recent years, particularly as growing dependence on online services increases the vulnerability of civilian online infrastructure.

While these operations were not all-out attacks, it is likely that in some cases they were warnings or attempts to evaluate other states’ cybersecurity systems. It is likely that national governments as well as international alliances, such as NATO, will soon need to improve their methods of dealing with massive cyberattacks, following in the steps of the US administration, which has already completed a cybersecurity review and is considering the inclusion of cyberattacks in the laws of war and alliance agreements.

Poland

In mid-October 2009, the Polish Internal Security Agency (ABW) informed the public that a month before, a simultaneous large hacking attack, which had originated in Russia, had targeted a range of government websites in the country. The attack took place immediately following Russian President Vladimir Putin’s visit to Poland to commemorate the outbreak of World War II and amid the heated debate in the Polish parliament regarding the Russian aggression on Poland in 1939 and the Katyń massacre.

Already months before the attack, when Poland and the Czech Republic signed a missile shield agreement with the US, the Kremlin threatened the two countries with an “asymmetric response” to the construction of the shield’s elements. While the details of the attack are classified, the deputy head of ABW, Colonel Paweł Białek, said that the Agency's cyberpatrols, which are in charge of protecting the cyberspace of more than 50 governmental and local agencies, had successfully averted the hacking attempt and that the public did not notice any disruptions.

The attack was not as serious as the one that targeted Estonia two years before, but it was likely a test of the effectiveness of Polish cybersecurity. While minor attacks targeting various internet servers and websites, including those of state agencies, are frequent, their scale and scope are much smaller than the one that targeted Poland in September.

Georgia

During the South Ossetia war in August 2008, Russian hackers carried out a series of attacks on Georgian websites, which aided Russia's military effort by severely disrupting Georgia’s communications capabilities. More than 20 sites, including those of Georgia’s president, the Defense Ministry, its banks as well as news websites, were disabled for more than a week. While the investigation by a US-based nonprofit research institute, the US Cyber Consequences Unit, did not prove any direct link between the attacks and the Kremlin, the timing of both military and cyber campaigns suggests that indirect coordination between the two was likely. Russian and Turkish servers orchestrated a botnet attack which caused thousands of hijacked computers to try to access selected Georgian websites at once, effectively jamming them.

Estonia

The cyberattacks of unprecedented scale which targeted Estonia for three weeks in April and May 2007 constituted the first such incident targeting a state. Estonia is one of the most advanced e-societies in Europe, where almost all transactions, ranging from e-voting to receiving exam results, can be done electronically, and its high dependence on computers and the internet made it more vulnerable to a hacking attack than other European states.
 
At the end of April 2007, tensions between Russia and Estonia were running high. Following a dispute about the relocation of a statue of a Soviet soldier from the center of the Estonian capital, Tallinn, a cyberattack on a massive scale disabled websites of Estonia’s governmental agencies, political parties, banks, newspapers and companies as well as the operation of the country’s emergency number. The paralysis of the country's online banking systems brought a loss of €750 million ($1.1 billion) to the Estonian state, which translated into 3 percent of its GDP. The removal of the memorial on 27 April, which sparked massive protests by the Russian minority resulting in arrests and violent clashes, was a clear trigger for the attack.

The operation, during which selected websites experienced tens of thousands of visits, overcrowded their servers’ bandwidth, effectively jamming and disabling the websites. While the visits came from all over the world, during the initial phase of the attack the Estonian security officials were able to identify some of the internet addresses. They tracked many of the attacks to Russian websites, and some to Russia’s federal institutions.

NATO experts suggested that an attack on such a massive scale could not have been carried out by a few hackers, and that there must have been coordination at a higher level. While the attacks began on 27 April, the day of the relocation of the Soviet statue, they peaked on 9 May, Russian Victory Day, which celebrates the defeat of Nazi Germany, and when Putin gave a speech attacking Estonia.

The attack caused alarm within NATO: such an offense targeting a single member could have significant security implications for the entire alliance. While Estonia raised the issue within the EU and NATO, cyberwarfare against one of the Organization's members does not invoke the provisions of Article V of the NATO Treaty, as international agreements have not defined such action as military action, despite the severe damage it causes to the operations of a state apparatus.

While it is difficult to prove a clear role of the Russian government in the cyberattacks, the evidence discovered by NATO and the EU investigations as well as suggested by Estonia’s security officials points to the involvement of the Russian state in at least the coordination of these operations. Several cybersecurity experts indicated that some of the techniques used during the Estonia attack were beyond the capacity of ordinary hackers.

While Estonia did not prove that Russia’s government was behind the attacks, the latter’s refusal to cooperate and investigate the Russian websites involved in the hacking likely indicates that there was some involvement from the Russian side.

Young Russians have earned a reputation for hacking skills, likely mainly due to mass-scale unemployment and the growing availability of the internet in the country. The recent increase in hacking activity originating from Russia, while mostly resulting in minor cyber vandalism, has also resulted in some high-profile operations. In 1999, a series of attacks by Russian hackers disrupted NATO and Pentagon websites. This is not to even mention 'regular' credit card thefts, phishing activity as well as the disruption of pro-Chechen, human rights or opposition websites in Russia.

Several Russian agencies, including the Federal Security Service (FSB), often employ hackers, who are considered among the best in the world. A known practice of the FSB is giving hackers caught for cybercrimes the option of working for the agency instead of prosecution.

Hackers are highly useful to state security agencies, as they can cause severe disruptions, but responsibility for their actions is easily deniable. Despite accusations by Russian cyberexperts that the western press largely exaggerates the issue, the threat posed by these hackers to other states is likely a legitimate one.