With Russian fingers apparently thrust into all manner of cybercrime and espionage, Western publics are trying to make sense of it all. But most news accounts do not include the key to deciphering Russian behavior in cyberspace. What drives Russia is its unique nexus of government, business, and crime, perpetuated by systemic corruption and glued together by the siloviki—literally, people of power, that is, the secret services.
Systemic corruption pervades everything in Russia, including law enforcement. The siloviki's power of arbitrary investigation is bolstered by a network of fellow operatives at every level of government and in all manner of business, licit and illicit. Combined with the exponential growth of the Internet, systemic corruption has propelled the siloviki into the dark world of cybercrime.
Russia offers an overflowing labor supply for cyber-mischief. It has maintained high education standards—many young Russians excel in math, physics, and computer science—without a commensurate growth in well-paying, above-board jobs. Combine that with an atmosphere of impunity, and Russian cybercrime has become big business. Oligarchs—rich only at the pleasure of the Kremlin—organize the effort and are more than happy to repay their political masters with cyber-favors.
This system provides some advantages to the siloviki. The use of cyber criminals affords plausible deniability to the regime. Attribution-obsessed Western researchers spin their wheels in the mud when their investigations dead-end at a nondescript building in suburban Saint Petersburg. The Russian state is behind it, but that can rarely be proved. Furthermore, the use of proxies is a cost-effective strategy. It is like having a reserve force that recruits, trains, develops cutting-edge technology, and buys equipment.
One of the earliest indications of Russian government cooperation with criminals was the 2007 cyberattack on Estonia. That country’s trouble began when it decided to relocate a Soviet war memorial away from Tallinn’s city center. Demonstrations and riots, fueled from abroad, were augmented by cyberattacks. Nearly two years later, Konstantin Goloskokov, a Kremlin youth group commissar, told the Financial Times that he and his comrades had mounted what he called a “cyber defense” and would do it again if the “motherland” required it. Make no mistake—the youth group Nashi was under the direction of Kremlin propaganda master Vladislav Surkov.
A year later, in 2008, Russia aimed the first combined kinetic and cyberattack at Georgia. Several American computer security researchers who track botnets said they saw clear evidence of a fishy Saint Petersburg-based criminal group known as the Russian Business Network (RBN) at work. RBN’s principals had close ties to the Russian government.
RBN was a prototype for Russia's now-characteristic fusing of government, business, and online crime. It had been involved in phishing, writing and distributing malware, running botnets, directing denial of service attacks and selling child pornography. After the war on Georgia, RBN evaporated from the Internet, but its remnants are still in business. Since 2008, relationships between siloviki and cyber-criminals have grown more complex and the technology more sophisticated. Yevgeniy Bogachev—alleged author of the Zeus banking trojan, operator of the Gameover Zeus botnet, and distributor of CryptoLocker ransomware—pilfered over $100 million from US financial institutions, companies, and government entities. In 2015, US authorities offered a $3 million reward for information leading to his capture, the largest ever offered for a cybercriminal.
At some point, the Russian special services approached him and proposed a deal to spy for them in exchange for permission for him to continue electronic theft. The Ukrainian Interior Ministry, which cooperated with the FBI to track Bogachev, has described him as a hacker working under the supervision of a special unit of the FSB, though it’s unclear what he does. Meanwhile, Bogachev maintains a comfortable life in the southern resort town of Anapa, enjoying jaunts on the Black Sea on his luxurious yacht.
One of the best-known cases is Russia's meddling in the US 2016 election. The US intelligence community has unequivocally fingered two Russian hacker groups, APT28, also known as Fancy Bear, and APT29, or Cozy Bear. The intelligence community explicitly links Fancy Bear to the GRU, Russia's military intelligence agency. Interestingly, an information operations unit of the Russian armed forces posted a video that is remarkably like one posted on Fancy Bear's website. The precise relationship among the GRU, APT28, and the regular military remains unclear, but the fact that some of the groups meddling in American politics are tied to the GRU is not.
And this was not the first sighting of Fancy Bear. This group has attacked many Western government and private-sector targets, including the United States government and its aerospace, defense and energy sectors, the German Bundestag, Emmanuel Macron's campaign, and France's TV5 Monde.
The attack on TV5 Monde illustrates another item from Fancy Bear's repertoire—false flag operations. The attack was first thought to have been authored by a group calling itself Cyber Caliphate, which scrawled slogans like "Je suIS IS" on TV5's hijacked social media accounts. However, as French investigators dug deeper, they discovered Fancy Bear's tactics, techniques, and procedures, an assessment with which the US government agreed.
Sometimes, cyber criminals and the siloviki are so tangled together as to be barely believable. Back in 2004, Dmitry Dokuchaev—then better known by his hacker handle, Forb—was a stolen credit card dealer who bragged to Vedomosti that he had successfully attacked several US government websites. Evidently, the FSB became interested in his talent and recruited him. He rose to the rank of major while remaining unknown outside hacker and law enforcement circles.
Fast forward to January 2017, and Dokuchaev was led away in handcuffs, arrested along with Colonel Sergey Mikhailov, deputy head of the FSB's Center for Information Security, and Ruslan Stoyanov of Kaspersky Lab. The trio is charged with state treason for allegedly tipping off US intelligence about Russia's hacking into Democratic Party computers. Moscow rumors suggest that they may have led the Americans to King Servers, a bulletproof hosting service used by the GRU's Fancy Bear group.
Not to be outdone, in March 2017, American prosecutors charged Dokuchaev, Mikhailov, and two others with compromising at least 500 million Yahoo accounts between 2014 and 2016. If these allegations are correct, the two FSB officers conducted their normal work, ratted out the GRU, informed for a US intelligence agency and hacked Yahoo, all at about the same time. This is a perfect summary of how the siloviki have become intertwined with cybercrime.
The interconnected relationship between the Russian government, particularly its security services, and criminal barons may be mind-boggling for many, but this is the reality of modern Russia. We would be wise to follow Sun Tzu's admonition to "know the enemy." That requires better all-source, contextual intelligence, which will enable us to push back proactively. Understanding that Russia is targeting the critical infrastructure and democratic institutions of the United States and the West, we must develop a comprehensive defense plan carefully coordinated with the transatlantic alliance. There is little time to waste.
Khatuna Mshvidobadze is principal at Cyberlight Global Associates, adjunct professor of cyber security at Utica College, NY, and a senior fellow at the Georgian Foundation for Strategic and International Studies. She tweets @KhatunaMs.