How Russia adapted KGB ‘active measures’ to cyber operations, Part II

In this Saturday, May 7, 2016 file photo, Russian Defense Minister Sergei Shoigu salutes to his soldiers as he is driven along Red Square during a rehearsal for the Victory Day military parade in Moscow, Russia. Speaking to parliament Wednesday, Feb. 22, 2017 Shoigu said the military is receiving an array of new missiles, planes and tanks and also announced the creation of a dedicated information warfare troops. (AP Photo/Alexander Zemlianichenko, file)

This article is Part II of a two-part series previewing the U.S. House Permanent Select Committee on Intelligence’s hearing Monday on Russia. Part I looked at how active measures were created by and evolved with the Soviet security state, examples of historical active measures and key differences between U.S. and Russian worldviews that influence Russia’s tactics. Part II looks at the Post-Soviet evolution of Russian security services, the rise of the World Wide Web and how Russia has adapted historical active measures to cyber and information operations.

When referring to Russia’s interference in the 2016 presidential election, the media often refers to Russian hacking, information warfare or influence operations. But the title of Monday’s hearing references “active measures.”

The term, “active measures,” and what it refers to may be unfamiliar to many. Even those who are familiar with Russia’s Cold War use of the term and methods may not know the relation between historical active measures and today’s Russian cyber and information operations.

Ahead of Monday’s hearing – which could provide more details on the who, what, when, where and how of Russia’s activities in the 2016 election – revisiting the historical concept of active measures and examining how the Russians adapted active measures to cyber will provide a deeper, underlying why of Russia’s tactics.

The Fall of the KGB and the Rise of the Web

Following the collapse of the Soviet Union in 1991, new Russian President Boris Yeltsin undertook an ambitious reorganization of Russian security services. Most notably, Yeltsin split the KGB’s powerful capabilities among eight distinct organizations and set them in competition against one another in the belief this would produce better results, according to Russian journalists Andrei Soldatov and Irina Borogan.

In their book, The New Nobility, Soldatov and Borogan document the KGB’s decline immediately following the collapse of the Soviet Union and its rise again as the Federal Security Service (FSB), an organization they argue is more powerful today than the Soviet-era KGB ever was.

Of Yeltsin’s eight security organizations, the FSB remained most like its predecessor KGB in culture and capabilities, albeit without its former directive for foreign intelligence or all of its previous resources for counterespionage, counterterrorism, electronic eavesdropping and cryptography, secret underground facilities, physical security for Russian leadership, border guards or tax police.

Like the U.S. during the 1990s, the Russian government was quick to recognize the significance of the World Wide Web. For Russia, the Web presented potential and liability in equal measure. The U.S. and Russia approached the Web differently, as Soldatov and Borogan explained on their website Agentura.ru:

The American government was concerned with a possible attack against the country’s infrastructure—power plants, nuclear stations, transport systems and so on. The Russian government took a different view. The Russian secret service was the direct successor of the KGB, poisoned by spymania and despite all of Boris Yeltsin’s reforms, stayed paranoid about the Americans. They were obsessed with a possible penetration (the uncovering—and then exploiting—of vulnerabilities in a system) and the stealing of government secrets by foreign intelligence agencies.

Whereas America viewed the Web as a potentially powerful tool for spreading Western ideals and values such as democracy, the Russian government held hearings as early as 1996 on ways to control it – primarily through censorship.

The eight entities created from the split of the KGB were called upon to protect Russian information online from external and internal enemies. The competing factions saw an opportunity to reassert their former influence and prominence.

Early FSB Electronic Active Measures

Throughout the 1990s, rebels in the state of Chechnya, who sought to secede from Russia, posed a serious and persistent threat. As throughout Soviet history, the Russian security state was tasked with protecting the country.

Through two wars – the first from 1994 to 1996 and the second from 1999 to 2000 – Chechen rebels proved savvy at adopting new technologies such as the Web for their political and informational purposes. Following Russia’s defeat in the first war, the loss was explained in the Kremlin as “unpreparedness in the information war,” according to Soldatov and Borogan.

Throughout the late 1990s, rebels created websites such as Kavkaz.org, which served to disseminate online propaganda to counter the propaganda of Russian state-controlled media. In some ways, Kavkaz.org pioneered information warfare techniques that later terrorist groups, such as the Islamic State, would adopt, including the use of multimedia.

Russia thus faced online information warfare from terrorists, and had to formulate online counterterrorism strategies and tactics, before the U.S. did. During this time, the Russians began pioneering the use of active measures through electronic means.

In July 1998, Yeltsin appointed Vladimir Putin to lead the FSB. A little more than a year later, on Aug. 31, 1999, Kavkaz.org suffered its first online distributed denial of service (DDoS) attack. Broadly speaking, a DDoS attack is analogous to an electronic form of sabotage, a well-known Soviet active measure.

The August 1999 DDoS wouldn’t be the last electronic or historical active measure Kavkaz.org, other Chechen websites or the Chechen rebels would face – including assassinations.

Four months later, on Dec. 31, 1999, Yeltsin resigned, and Putin became president.

Putin in the Kremlin: The FSB’s Return to Prominence

Putin inherited a country deeply disillusioned after a decade of unregulated – and highly corrupt – capitalism, a 1998 financial crisis and a constant threat of internal terrorism from Chechen separatists. These were just three of the formidable challenges the new president faced.

From the beginning, Putin was dogged by critics and opponents – notably Alexander Litvinenko, who was assassinated with radioactive polonium in London by Russian intelligence agents in 2006. Litvinenko and dissidents alleged the Putin-led FSB had a hand in the September 1999 Moscow apartment bombings, a highly taboo topic in contemporary Russia that nonetheless may have “accelerated Putin’s rise to power,” according to a 2009 GQ article that interviewed ex-KGB agent turned dissident Mikhail Trepashkin. The article was banned in Russia and censored on GQ’s U.S. website by parent company Condé Nast.

In 2003, Putin began slowly piecing together the former KGB by abolishing its competing organizations created by Yeltsin and allowing the FSB to reabsorb former capabilities, notably electronic eavesdropping, cryptography and border guards.

By 2008, Putin had finished his first two terms as president, during which he had made major moves to restore the FSB to its prior state of influence and capability. Soldatov and Borogan have argued that Putin’s “changes [to the FSB] are not a revival of the KGB,” since the Communist Party always controlled the KGB’s actions. Instead, the journalists argue, today’s FSB is more powerful than the KGB ever was, since it operates independently and without political oversight.

The FSB today does not publish its budget, again operates outside of Russia’s borders and employs a full-time staff estimated to number more than 200,000 – which doesn’t include the so-called APS (apparatus of attached officers), which Soldatov and Borogan estimate in the thousands and characterize as an “army of hidden FSB officers,” who are officially retired but remain subordinated to the FSB.

The APS, Soldatov and Borogan wrote, illustrates the old Russian maxim, “There is no such thing as a former KGB officer.”

Soldatov and Borogan wrote, “The mindset of Russia’s FSB has undeniably been shaped by tzarist and Soviet history. It is suspicious, inward-looking and clannish… a service deeply mired in the past.”

Now in his third term as president, Putin continues to fund and facilitate ever-bolder cyber and information operations, many of which draw clear parallels to historical KGB active measures in their goals, tactics and outcomes. In many instances, only the means and medium have changed.

Current Russian Information Operations and the Use of Cyber Proxies

In a Mar. 15 U.S. House hearing on information warfare and counter-propaganda, Timothy Thomas, a senior analyst at the Foreign Military Studies Office at Ft. Leavenworth and an expert on Russia, explained that the Russian “information warfare concept” includes two categories: information technical and information psychological. Cyber and social media have, Thomas said, “tended to blend the two and caused a significant change in how Russia views emerging trends and the character of warfare.”

Within that concept, Russia carries out operations via online tactics that mirror traditional active measures. For instance, Russia has historically used front groups to advance its political agenda and ideology at home and abroad. Beginning in the late 1990s, first under Putin’s directorship and later expanding into the 2000s under his presidency, the FSB has maintained ambiguous relationships with obscure hacking groups.

At first, the Kremlin or FSB would make indirect or passing public statements about the benefit, in the state’s interest, of a certain website disappearing. Days or weeks later, the website would suffer a DDoS attack or its hosting company would terminate its contract. The FSB and Kremlin, which provided no direct orders, could deny knowledge of and responsibility for the cyber operations.

CIA veteran Rob Dannenberg explained the advantages that proxies provide to nation-states, which include “plausible deniability, relatively low cost, little chance of political blowback, very little legal recourse for the target or victim and the opportunity for a state actor to reinforce and exercise relationships with non-state actors that could be of use in a future conflict.”

The hacker proxies – who claim no official tie to the Russian government – use websites such as Informacia.ru and the Russian Business Network (RBN) as online gathering places. According to Soldatov and Borogan, it has been the hackers of Informacia.ru who have carried out many of the cyberattacks against Chechen rebel websites, as well as opposition media and political groups.

Soldatov and Borogan also “believe it possible that certain groups of these hackers were guided not by the security services, but by the administration of the president.”

RBN allegedly facilitated and carried out extensive cybercrime, such as spam, identity theft, phishing and malware distribution. It has operated for over a decade within Russia, largely with impunity. The Spamhaus Project, which tracked and publicly reported on RBN’s criminal activities for years, in 2013 suffered the then-largest DDoS attack in the history of the Internet. The hackers behind the Spamhaus cyberattack are unknown.

It’s unclear to what extent Russian security services or the Kremlin direct or employ cyber proxies in geopolitical and military affairs. Over the past decade, nation-states that fell into conflict with Russia often found themselves under cyberattack – notably, Estonia in 2007 and the country of Georgia in 2008. The respective countries’ governments accuse Russia, but Russia denies involvement. The origin of the respective cyberattacks remains unknown.

In December 2015 and then again in December 2016, Ukraine’s power grid suffered cyberattacks that used BlackEnergy malware. The BlackEnergy malware used in the Ukraine cyberattacks has been known to exist in various forms since 2007. Based on cybersecurity experts’ past research, recent BlackEnergy variants appear to have been developed and used by a rogue element inside Russia that researchers have named Sandworm.

It’s unknown whether Sandworm is an official state organization or a cyber proxy allowed to operate with impunity. BlackEnergy has also been used by hackers whose affiliation with the Russian government or Sandworm is unclear. Experts note that BlackEnergy’s use in the Ukraine cyberattacks does not conclusively implicate Russia or Sandworm.

Disinformation and Propaganda Campaigns

Perhaps the most well-known historical examples of active measures are disinformation and propaganda.

By 2009, Vladimir Putin had become Prime Minister. That May, the Kremlin School of Bloggers was created.

According to Soldatov and Borogan, the school served as a “forum for teaching bloggers how to disseminate their views.” It was led by “political technologists,” some of whom had conducted propaganda campaigns during Putin’s time in the KGB. Upon graduation, bloggers carry out online propaganda campaigns supportive of the Kremlin’s political goals.

Kremlin-backed media outlets such as RT (Russia Today) and Sputnik now operate within the U.S. and U.K., providing “news” with a decidedly pro-Kremlin slant. The Kremlin heavily censors Russian and foreign media domestically – especially coverage critical of its leadership.

Between 2000 and 2009 – a time approximately spanning Putin’s first two terms in office (January 2000 to May 2008) – seventeen Russian journalists were murdered, and as of September 2009, only one of those cases had been prosecuted, according to the Committee to Protect Journalists.

Since the start of Putin’s third term in 2012, six more Russian journalists have been murdered – most after covering politically sensitive topics or criticizing the Kremlin. Three reported receiving death threats. The most recent occurred on Thursday.

Political Warfare, Cyber Operations and the 2016 U.S. Presidential Election

In January 2017, the U.S. intelligence community released a declassified version of its report on Russian interference in the 2016 U.S. presidential election. The Russian hacking of political organizations and leaking of stolen information to transparency organization WikiLeaks are direct cyber parallels to the active measure of political sabotage, a longtime KGB tactic.

In the years leading up to the 2016 election, Russia’s cyber proxies had engaged in increasingly bold political sabotage. Informacia.ru, according to Soldatov and Borogan, was the first site to publish two videos – one allegedly showing a British diplomat with prostitutes and a second allegedly showing an American diplomat with prostitutes.

The British diplomat was forced to resign, but the U.S. Ambassador to Russia at the time defended the American diplomat against what the U.S. State Department later called, after an investigation, a “fabricated montage.” It was not the first time that Russian hackers and a hostile Russian press had tried to sabotage the American diplomat and his work.

On the incidents, Soldatov and Borogan wrote, “Russia has had a long tradition of using compromising material to carry out such attacks, called kompromat. But it is highly unusual for one to be aimed at a diplomat.”

The hacks against U.S. political organizations and campaigns in 2015 and 2016 were even bolder. The U.S. intelligence community and multiple cybersecurity companies have independently linked the hacks to groups called Fancy Bear and Cozy Bear, both believed to be directly associated with Russian security services.

The recent electronic active measures represent one of Russia’s boldest cyber and information operations to date. It may, however, mark just the beginning of what’s to come.

Last month, Russian Defense Minister Sergei Shoigu announced the formation of a new military branch – information warfare – which has been tasked with creating and disseminating “intelligent, effective propaganda.”

Putin will seek his fourth term as president in 2018. In the Soviet tradition, he has already begun eliminating viable rivals to ensure a smooth path to victory.