Hackers for Hire: Russian Hacktivism on the World Stage
After the 2016 U.S. presidential elections, every American became more aware of the importance of cybersecurity. More notably, they became aware that foreign actors were interfering in American politics. The country became more divided with every mention of Russia, and the effects of the Russian hack can still be felt in the polarized political environment to this day. What most Americans didn’t know was that a few months later, British cybersecurity authorities voiced their concerns that Russian bots and fake social media accounts had influenced the outcome of the Brexit referendum. After some examination, the link between the two situations became clear: both were information warfare operations conducted by Russian hacktivists.
“Hacktivist,” a term first used in 1989 by the hacker “Omega,” defines an individual who conducts cyberattacks against private computer networks to further a political goal. They are generally unaffiliated with government entities and often use their skills to defy the actions of the state. Hackers first emerged in the late 1980s to seek profit from their operations. Modern hackers are decidedly different, having arisen not from the desire for money, but the desire for change. They are activists who can have immense impacts upon a state or community. Hacktivists are credited with assisting the 2010 Arab Spring movement by attacking Tunisian government websites, and were an essential component in revealing the billions of dollars tied up in the “Panama Papers.” International coverage of these successful hacktivist operations has resulted in a noticeable rise in hacktivist activity all over the world.
In addition to these cyber vigilantes, some hacktivist groups tend to operate in support of their state’s foreign policies. Some countries, such as Iran, North Korea, and China, have outsourced their cyber operations with limited success. Russia has also hired private actors to conduct cyber warfare against their cyber adversaries; unlike the groups in the other states mentioned, Russian hacktivists have been incredibly successful in their cyber operations, and are considered to be among the best hackers in the world. Where most hacktivist groups operate independently or receive some corollary funding from a discreet government agent, many Russian hacktivist groups are highly suspected to be associated with the security and information arm of the Russian government, the Federal Security Service (FSB).
According to Connell and Vogler in their paper “Russia’s Approach to Cyber Warfare”, Russia has specifically adjusted their cyber strategy so that independent hacktivist groups may play an incredibly large role in Russian information warfare. They are cost-effective (sometimes hackers will conduct operations free of charge, as long as the motivation or political goal aligns well with their interests), require little to no oversight (they operate independently and only require a target and desired effect), and have an incredibly high success rate. They can spread propaganda or disinformation, conduct a Distributed Denial of Service (DDoS) attack on a target website, create Trojans and malware, steal financial information, and store illegal or stolen information discreetly.
On numerous occasions, the Russian government has claimed that they played no part in cyber-attacks against other countries. The attribution problem, which has arisen from the tendency for cyber operations to be quick, discreet, and difficult to track, has prevented the international intelligence community from accurately finding the culprit of cyber attacks for many years. Hiring hacktivist groups to conduct operations for the FSB allows the Kremlin to order these attacks without repercussions on the international stage. When accused of actions of cyber warfare, they often assert that “patriotic hackers” were responsible. Although the international security community highly suspects the FSB has been contracting these hacktivists to conduct operations on their behalf, definitive proof of a connection is incredibly difficult to find. Communication with hacktivist groups is conducted through various platforms on the dark web, and payment can be completed through e-payment platforms such as Bitcoin. Thus, this tactic has proven to be incredibly effective. Hacktivists played a major role in the Russian attacks against Georgia, Ukraine, and the United States. The very first operation in which cyber attacks were a complementary component to a larger kinetic conflict would not have been so successful if Russia had not hired hacktivists.
The Georgian Conflict
The Russo-Ossetian war is well-known in the security community as the first conflict in which cyber operations were used to complement a larger kinetic conflict. The conflict began after years of negotiations regarding the sovereignty of the territories of South Ossetia and Abkhazia, both claimed by Georgia, broke down. This resulted in the armament of separatist groups, who received funding and weapons from Russia, and Russian military movement into both regions. Throughout the conflict, armed combat was accompanied by DDoS attacks against websites vital to the communications network of the Georgian government and military. Since the international security community was unable to discern the exact origin of the DDoS attacks, the Russian government denied responsibility for the actions and instead blamed the attacks on Russian hacktivists. Additionally, the hacktivists were employed to conduct an intensive disinformation campaign within the region; fake websites and social media accounts spread propaganda and misinformation regarding the nature of Georgia’s role in the conflict. As a result, the international community--and, more importantly, the citizens of the region--had no reliable account of what was happening until the conflict had already ended. A lack of definitive proof that the Russian government was involved in these cyber attacks and a general misunderstanding of the nature of the conflict allowed Russia to avoid punishment. Having witnessed the strain that Russian cyber attacks can have upon a government in a time of crisis, many Eastern European states began improving their cybersecurity strategies. Unfortunately, Ukraine realized in 2014 just how difficult it is to withstand attacks from Russian hacktivists when the government is in political turmoil.
The Crimean Crisis
After the Russo-Ossetian war, Ukraine began building up their cybersecurity in anticipation of a Russian attack. This attack eventually came during the 2014 Crimean crisis. Seizing the opportunity created by the Euromaidan protests, Russia employed an advanced disinformation and propaganda campaign. This campaign was accompanied by low-level espionage and disruption missions that targeted Ukrainian government officials through spear-phishing and malware. The propaganda was spread via bots and hackers on social media, much like the disinformation spread during the Russo-Ossetian war. A DDoS attack was also conducted against Ukrainian government websites, which resulted in the websites crashing for several hours before Ukrainian security officials were able to reject the bots from the servers. These operations ultimately undermined the legitimacy of the 2014 Ukrainian elections, and the Ukrainian military was blamed for numerous false-flag operations against various pro-Russia separatist groups. An investigation into the source of the hacks revealed that the attacks originated with Russian IP addresses; however, the Russian government once more claimed that Russian hacktivists unaffiliated with the government had been responsible for the information operations. Nevertheless, the international community refused to believe these claims, declared the Russian-sponsored referendum to be illegitimate, and denounced the Russian occupation of Crimea in a United Nations General Assembly resolution. Some actors, such as the United States and the European Union, recognized the threat that the Russian information warfare posed to their security, and placed sanctions on Russia. This further strained the already fragile relations between Russia and the United States, and those relations reached their lowest point since the end of the Cold War when Russian hacktivists hacked the 2016 U.S. Presidential Elections.
The Hacking of the United States Presidential Election
During the 2016 U.S. presidential election, several U.S. political entities, most notably the Democratic National Coalition (DNC), reported that they had been hacked. Soon after, private information about Hillary Clinton’s presidential campaign was published on websites such as WikiLeaks and DCLeaks.com. Targeted ads and articles also began appearing on various social media platforms during the election, with many of them focusing on divisive political and social issues. The hacks and the ads were both easily traced back to Russian hacking groups with known affiliations to the Kremlin. The U.S. intelligence community determined, with high confidence, that Vladimir Putin had ordered the hacks and the divisive disinformation campaign. The discovery and attribution of the hacks resulted in immediate outrage from the U.S. population and ultimately caused further polarization along party lines.
The software and tactics used to conduct espionage on U.S. political entities were both rather simple, though thorough. The hacktivists employed by the Kremlin belonged to the group that the U.S. intelligence community refers to as “the Dukes.” The Dukes are well-known by the U.S. intelligence community; they have spent countless hours trying to remove the hacker group from public and private email servers all over the country. The hacktivists sent targeted emails containing malware to members of the DNC and other organizations. This practice is known as spear-phishing and often results in the target unknowingly installing viruses or malware on their computers. Once the malware has been installed on the computer, it can search for files, see the computer’s history, and access the internet. The hackers secured files through malware that was downloaded to the computers at the DNC, then revised and released the files in a way that would intentionally discredit the members of the Democratic National Coalition. This practice was perfected by Russia through employing it against their population; any entity that opposed the Kremlin or its policies was infiltrated, prostrated, and publicly shamed by “hacktivists.” The US political atmosphere remains tense years after the hacks were discovered, causing people to worry about how truly devastating hacktivist involvement in international politics can be.
Moving Forward: International Response and Action
The investigation and confirmation by the U.S. intelligence community of interference by the Kremlin and their hired hacktivists severely polarized the U.S. population. The government’s reaction, a ban on several Russian companies and individuals from conducting business in the United States, has been considered by many to be a “slap on the wrist.” Lack of a vehement response or clear policy direction highlights just how extensive the problem is on an international scale. Without the ability to punish hacktivist groups or the entities that employ them, the frequency and severity of cyber attacks will continue to grow globally.
The number of hacktivist groups worldwide has already increased since 2014, according to Dan Lohrmann. As a form of response to the “civilian” hacker groups used by the Kremlin to further their political goals, hacktivist groups in countries such as Ukraine and the U.S. have been created. Some, such as the Ukrainian group led by a hacker known as “RUH8” (or “Roo-hate,” expressing the group’s disposition towards the Russian government), were formed with the sole purpose of counteracting Russian influence in their country’s politics after the Crimean Crisis. Others, like the Western hacktivist group “Anonymous,” claim that their activities are protesting injustice and corruption where they see it occurring.
Though the cause supported by a hacktivist group may be noble, the strength and skill with which Russian hacktivists complete cyber operations has caused governments all over the world to take action against Russia and hackers in general. The international community has striven to address the growing concern that cybercrime and hacktivism pose through diplomacy and economic sanctions; however, creating resolute legislation or treaties has proven to be extremely difficult. NATO has reported that the sanctions placed upon Russia in response to the Crimean Crisis have been largely successful and have “inflicted damage on the Russian economy,” but Russian hacktivist activity and cybercrime continue to grow. As a new form of technological warfare, cyber warfare has no international norms that may govern the actions of actors. A lack of clear definitions, acceptable actions, and understood repercussions allows actors to continue using cyber warfare without punishment.
Experts have begun to fear that Russian hacktivism will extend beyond the borders of Russian foreign policy and cybercrime to become its own black market business. The U.S. security firm Taia Global has assessed that the 2014 hack of Sony Pictures by North Korea may have been conducted by paid Russian hacktivists. Documents leaked from the studio were traced to a Russian hacktivist with suspected ties to the FSB. This presents a harrowing possibility: states may, given the opportunity, hire Russian hacktivists to conduct cyber espionage missions on their behalf. Any situation in which states hire foreign nationals to conduct illegal activity in cyberspace would further complicate the attribution problem and make it much more difficult to stifle cybercrime across the globe.
If the international community truly wishes to combat cyber criminals and hacktivists on a global scale, then international laws, norms, and treaties must be set in place to govern the actions of cyber states. Although many experts such as Brian Mazanec assess that norms would be incredibly beneficial for all states suffering from hacktivist and cyber attacks, they also realize that the creation of these norms is highly unlikely under normal circumstances. Many of the world’s largest powers have no interest in creating constraining norms for cyber warfare, as the absence of these norms allows them to attack one another freely; however, the rise of state-sponsored hacktivism has brought the lawless free-for-all within cyberspace to a new turning point. Before hacktivists were deeply involved in international relations, the political and social climates of states were largely unaffected by their cybersecurity policies. After the 2016 election and the polarization of the United States population, a state’s cybersecurity policies became a priority for ordinary citizens in different countries all over the globe. The control over cyberspace that states once had is now threatened by hacktivism, and it is time to consider creating laws and norms that would constrain cyber activity for all actors. Although they may prevent the world’s largest cyber powers from using cyberspace to attack one another, they could also disrupt the startling trend of political polarity in democratic states by punishing the actors using bots and hacktivists to further their political goals.
Hacktivism has arisen from the continued proliferation of cyber weapons internationally. Although the 2008 Russo-Ossetian War, the 2014 Crimean Crisis, and the interference in the 2016 U.S. elections were all examples of successful Russian hacktivist operations, they certainly are not the only ones. Great Britain continues to grapple with the effects that Russian hacktivists had upon their political climate, and leaders all over the globe worry that their next elections will be undermined by Russian influence. With no laws, norms, or treaties governing cyberspace, the world waits impatiently for another Russian hacktivist to strike. Only two questions remain: Who will be the next target, and when will Russia strike next?