The sprawling SolarWinds hack by suspected Russian state-backed hackers is the latest sign of Moscow’s growing resolve and improving technical ability to cause disruption and conduct espionage at a global scale in cyberspace.
The hack, which compromised parts of the U.S. government as well as tech companies, a hospital and a university, adds to a string of increasingly sophisticated and ever more brazen online intrusions, demonstrating how cyber operations have become a key plank in Russia’s confrontation with the West, analysts and officials say.
Moscow’s relations with the West continue to sour, and the Kremlin sees the cyber operations as a cheap and effective way to achieve its geopolitical goals, analysts say. Russia, they say, is therefore unlikely to back off from such tactics, even while facing U.S. sanctions or countermeasures.
“For a country that already perceives itself as being in conflict with the West practically in every domain except open military clashes, there is no incentive to leave any field that can offer an advantage,” said Keir Giles, senior consulting fellow at Chatham House think tank.
The scope of Russia’s cyber operations has grown in tandem with Moscow’s global ambitions: from cyberattacks on neighboring Estonia in 2007 to election interference in the U.S. and France a decade later, to SolarWinds, seen as one of the worst known hacks of federal computer systems.
“We can definitely see that Russia is stepping on the gas on cyber operations,” said Sven Herpig, a former German government cybersecurity official and expert at German independent public-policy think tank Stiftung Neue Verantwortung. “The development of new tools, the division of labor, the creation of attack platforms, has all increased in sophistication over the years,” he said.
Jamil Jaffer, a former White House and Justice Department official, said that cyber operations have become “a significant part of [Russia’s] play.”
“It’s allowed them to level up,” said Mr. Jaffer, senior vice president at IronNet Cybersecurity.
Russia has consistently denied engaging in state-backed hacking campaigns, including SolarWinds, maintaining that the country isn’t conducting offensive cyber operations. In September, Russian President Vladimir Putin proposed a reset of U.S.-Russia information-security relations.
“Russia is not involved in such attacks, particularly in [SolarWinds]. We state this officially and resolutely,” Kremlin spokesman Dmitry Peskov said recently. “Any allegations of Russia being involved are absolutely groundless and appear to be the continuation of a kind of blind Russophobia,” he said.
But analysts say that Moscow has added hacking to its arsenal of so-called gray-area activities — a type of warfare that stops short of actual shooting — alongside disinformation campaigns and the use of “little green men,” the masked soldiers in green uniforms who appeared with Russian arms on Ukrainian territory in 2014.
Jeffrey Edmonds, a former White House and Central Intelligence Agency official who studies Russia at CNA, a nonprofit research organization that advises the Pentagon, said that Russia’s cyber operations have numerous simultaneous goals, including gathering intelligence, testing capabilities, preparing for potential conflict by mapping adversaries’ critical infrastructure and laying the groundwork for cyber negotiations.
Such operations are a relatively inexpensive and effective way to conduct geopolitics, said Bilyana Lilly, researcher at think tank Rand Corp. That is crucial for Russia, which is facing considerable economic and demographic challenges and whose economy is smaller than Italy’s. A 2012 article in an official Russian military journal said that the “complete destruction of the information infrastructures” of the U.S. or Russia could be carried out by just one battalion of 600 “info warriors” at a price tag of $100 million.
Responding to Moscow’s increased cyber activity has been a challenge. Washington’s retaliation measures — sanctions, property seizures, diplomatic expulsions, even the cyber equivalent of warning shots — appear to have done little to deter hacks.
“Russia doesn’t see sanctions as an instrument of pressure but as an instrument of punishment,” said Pavel Sharikov, senior fellow at the Russian Academy of Sciences’s Institute for U.S. and Canadian Studies. “The Russian government says, ‘Yes we understand that you don’t like what we are doing, but we don’t really care.'”
In recent years, so-called information confrontation has become an established part of Russia’s military doctrine, according to a paper co-written by Rand’s Ms. Lilly. In 2019, Gen. Valery Gerasimov, Russia’s General Staff chief, said that in modern warfare, cyberspace “provides opportunities for remote, covert influence not only on critical information infrastructures, but also on the population of the country, directly influencing national security.”
Russia’s use of hacking to advance its geopolitical agenda initially focused mainly on targets in ex-Soviet countries. A 2007 cyberattack in Estonia disabled websites of the government, banks and newspapers. Later attacks in Ukraine and Georgia knocked out power supplies, disrupted media outlets and targeted election infrastructure, officials said.
More recently, Russian state-backed hackers set their sights on the West. In 2014, they penetrated the State Department’s unclassified email system and a White House computer server and stole President Barack Obama’s unclassified schedule, U.S. officials said. In 2015, they got into the German parliament, according to German officials, in what experts see as the most significant hack in the country’s history.
Since its interference in the 2016 U.S. elections, Russia has been accused of attacks on the French elections and the Pyeongchang Winter Olympics and the costly NotPetya malware attacks on corporate networks. This year, Western governments accused Russia of cyber espionage against targets related to coronavirus vaccines. Russia has denied involvement.
As the operations have grown in scope, Russian hackers’ technical abilities have improved, experts say.
In the 2007 Estonia attack, hackers used a relatively crude tool called “distributed denial-of-service” which knocked websites offline by flooding them with data, and did little to hide their trail, with some of their IP addresses located in Russia.
More recent operations have used new reconnaissance tools and methods to cloak operations, including false flag tactics, to make it appear that another country was responsible.
In 2018, federal officials said that state-sponsored Russian hackers broke into supposedly secure, “air-gapped” or isolated networks owned by U.S. electric utilities. In the SolarWinds hack, intruders stealthily used a routine software update to gain access to hundreds of U.S. government and corporate systems undetected for months.
Still, some former U.S. officials said Russia is far from flawless in the cybersphere.
“They’re not 10 feet tall. They are detectable,” said former senior CIA official Steven Hall, who oversaw U.S. intelligence operations in the former Soviet Union and Eastern Europe.
Ultimately, how sophisticated Russia is in the cyber realm remains to be seen, said Bruce Potter, chief information security officer at cybersecurity firm Expel. Nations are reluctant to deploy their best cyber tools because doing so would cause countries and companies to rapidly patch a vulnerability.
“They just put down enough to get the job done,” he said. “And they get the job done.”