This research report outlines the patterns of Russian information warfare and, based on data gathered between 2018-early 2020, finds that Russian-attributed cyber actions were found to be present in 85 countries spanning a total of 6 continents and 16 world regions.
Since allegations arose of Russian state-sponsored actors targeting the U.S. 2016 presidential elections, the extent of Russian cyber interference has become increasingly publicized and discussed by the media. Despite its seeming novelty, it is important to note that this is not something new and has been going on since the 1990’s.[1] However, under president Vladimir Putin Russia has become one of the most prolific actors in cyberspace.
Russia’s information warfare is not a threat isolated to Europe and the U.S., rather it is a global strategy that affects each region of the world to varying degrees due to its sheer size, mass, and complexity. Russia’s approach to information warfare is holistic, and includes both cyber strikes and information operations as cohesive elements that work in tandem to achieve Russian foreign policy goals.[2] In addition, the Russian approach seeks to undermine not only an adversary’s armed forces, but also influence the target population’s perceptions in such a way that favors Russian interests.[3]
While cyber strikes only became possible in the 1990’s, information operations are a much older practice that the Kremlin has long used to accomplish its goals. Soviet leaders understood the value of information and how it could be used to influence the masses both at home and abroad.[4] Subsequently, the Russian Federation has been able to use the internet to increase the effectiveness of information warfare in a low cost way.[5]
In this paper, I will use the term “cyber strike” or “cyber operations” when describing the act of compromising or breaching a targets network or system. This includes both successful and unsuccessful attempts. I will use “information operation” in the context of social influence campaigns. I will use the term “information warfare” to refer to both. Further, while many cyber strikes carried out by Russian state-sponsored actors are aimed at domestic Russian targets, the purpose of this research paper is to analyze the foreign operations of these actors, so it does not address the domestic population.
Motivations and Goals
To comprehend Russia’s prolificacy in cyberspace, it is important to understand that the perception of threats, both physical and ideological, along with Russia’s history, heavily influence Russia’s foreign policy in cyberspace. Russia suffers from a situation that many other European nations do not, and that is a lack of natural geographical barriers that it can use to defend itself. This has been a constant problem that each leader has had to deal with. The first Tsar Ivan IV implemented the idea of offense as a good defense, an idea that would come to guide future generations of Russian and Soviet leaders in their foreign policy.[6] What Russia lacked in geographical defenses it created by expanding in all directions to form a buffer zone. A history of repeated invasions by foreign adversaries was used to justify this aggressive offensive strategy.[7]
The geographical problem is intertwined with and compounded by the notion that Russia is locked in a fierce competition with the West and that its actions are defensive in nature. Attitudes and actions by the US-led coalition towards Russia have made Russian strategists believe they are under siege.[8] This siege appears in both a physical and an ideological form. The former can be seen in events such as the war in Kosovo or the encroachment of Western supranational democratic institutions like the EU and particularly NATO into Russia’s traditional zone of influence.[9] Ideologically, Russian strategists view the spread of liberal norms emanating from the West as an increasingly problematic challenge to Moscow’s sovereignty.[10] Policymakers believe that the West is using propaganda to undermine Russian security domestically. For instance, they believe in Western involvement in the Color Revolutions, the protests following Putin’s re-election in 2012, and anti-Soviet sentiment in the Baltics.[11]
In addition to these perceived threats, Russian actions can be explained partly through a different understanding of warfare. Whereas the U.S. military has a concept of “phase zero,” Russian strategists view themselves in a permanent and protracted conflict.[12] This is particularly pertinent to cyberspace, where the Soviet-era strategy of “political warfare” has served as the basis for Russia’s current strategy of information warfare. [13] Outlined by the Prussian General Carl von Clausewitz, “political warfare” is the notion that a country must do everything in its power in a time of peace to promote its national policy objectives.[14] In this framework, the Russian Federation is working to improve its capabilities to dominate cyberspace abroad.
Russia’s long history as a global superpower is equally important. Following the dissolution of the Soviet Union and the subsequent weakening of Russian influence on the global stage, Russia now sees itself as a resurgent power and hopes to re-establish the global prestige once held by the Soviet Union. Russia hopes to achieve this by working with other nations to create a new polycentric world and establish itself as a powerful player with a central role in global conflicts. Expanding Russia’s global prolificacy also helps to increase Putin’s popularity,[15] despite recent research displaying increasingly negative views of Putin’s foreign policy.[16] Finally, Russian motives can be attributed to Russian domestic affairs and a need to distract from these pressing issues at home.
Although Russia stands at a strategic disadvantage vis-à-vis the U.S. and its allies, it has been able to use asymmetric tools in its arsenal to continue to push above its weight and reemerge as a global player. One of these tools is information warfare, which has been a cheap and effective way to accomplish Russian foreign policy objectives abroad.
Russia’s information warfare campaigns have impacted democracies, promoted extremism and dissatisfaction, supported anti-democratic leaders, and shaken the influence of the West. Russian actions abroad are widespread and their motivations are often opaque in nature. Russian strategies overlap across many countries and may serve multiple objectives. However, there are three clear overarching goals:
- Re-establishing Russian dominance in the post-soviet/imperial sphere of influence;
- Damaging the influence of Western democratic values, institutions, and systems in order to create a polycentric world model;
- Expanding Russia’s political, economic, and military hegemony globally to solidify Russia’s place as a major power.
To pursue these goals, Russia relies on hackers, its increasingly powerful intelligence community, the use of state-owned media (i.e. Russia Today, or RT, and Sputnik), troll farms, and bots.[17]
Re-establishing Russian Eurasia
Although the Russian Federation has increasingly global aspirations, information warfare is used first and foremost to establish Russian dominance in its former area of influence, which includes former Soviet and communist republics and territories previously part of the Russian Empire or under its influence.
Currently, Russia engages in what it calls “new-generation warfare” (NGW). NGW uses any methods of coercion, short of open conventional warfare, including information warfare, political pressure, and economic pressure.[18] This strategy is applied in the hopes that Russia can coerce NATO into slowing or even reversing its influence and expansion into Russia’s “near abroad.”
The states and territories being targeted are extremely vulnerable to Russian information warfare because of their historical, political, economic, cultural, ethnic, and religious ties to Russia and rampant corruption and economic hardship.
In addition, Russia is harnessing frozen conflicts in several countries (Ukraine, Georgia, Azerbaijan, and Moldova) to exert influence and power in these regions.[19] Russian information campaigns work to exacerbate tensions while promoting pro-Russian sentiment in these regions, capitalizing on the fledgling status of many of these countries’ political systems and democratic processes. Russia hopes to further stagnate development in these regions and stall their movement towards traditionally Western forms of democratic governments. These regions have also served as testing grounds for the tactics used by the Russian Federation elsewhere in the world.[20]
The War on Liberal Democracy and Western Dominance
Amid new and continuing global issues and conflicts, Russia wants to remain at the forefront of the creation and implementation of possible solutions. The Kremlin believes the U.S. and its allies are continuously working to isolate Russia and undermine Russian interests. These sentiments are perfectly stated in the National Security Strategy of the Russian Federation:
“The strengthening of Russia is taking place against a backdrop of new threats to national security that are of a multifarious and interconnected nature. The Russian Federation’s implementation of an independent foreign and domestic policy is giving rise to opposition from the U.S. and its allies, who are seeking to retain their dominance in world affairs. The policy of containing Russia that they are implementing envisions the exertion of political, economic, military, and informational pressure on it.[21]“
Russia’s policy not only communicates a responsibility to protect its citizens and Russian culture, but also to combat the U.S.-led unipolar system and persuade others to do the same.
In practice, Russia uses this strategy to justify its operations abroad. As an opponent of the U.S.-centric order, Russia paints itself as a sort of hero for those who are frustrated with the U.S.-led unipolar system. The U.S. Senate 2018 report on Russia’s actions outlines the real objectives and asymmetric cyber tactics of Putin’s regime. It argues that the regime’s overarching goal is the protection of its own power and stability through the expansion of Russian hegemony in various sectors.
Analysis of known Russian information operations in Western democracies illuminates three key overarching objectives: to discredit trusted democratic institutions, to divide the Western coalition, and to undermine the supranational organizations that uphold and promote these democratic values.[22] Following a short stint with democracy in the 1990’s that coincided with national embarrassment, soaring levels of poverty, widespread corruption, war, and instability; Putin has rebuilt the country without a vision of democracy. Modern Russia provides a model for an alternative form of governance, one that is focused on information sovereignty, and promotes traditionalism, nationalism, and authoritarianism. Western ideals and democratic values naturally run contrary to Putin’s own more autocratic vision. The current international order, upheld by the U.S. and its allies, is critical of modern Russia and united, hinders Putin’s ability to implement his agenda at home and abroad.[23] For this reason, the current international order is a constant hindrance and security threat to Putin’s form of government. In addition, Russia’s history of invasion from Western Europe motivates its distrust of the west and of NATO’s effect on global politics.[24]
In most Western democracies, racism and fears about immigration create fertile ground for manipulation. These fears have been targeted by Russian information campaigns to sway the outcome of elections.[25] European democracies and the U.S. face all forms of information warfare and free and fair elections are consistently targeted. Russia hopes to radicalize the populace in these countries, creating not only instability and polarization, but also weak governments. Large supranational blocks such as the EU can have a drastic impact on Russia’s economy by implementing sanctions and forming a collective front against potential military action. For this reason, a large part of Russia’s overarching international policy is focused on disrupting the unity between Western democracies.[26]
Reasserting Russia as a Global Power
Gaining back the global influence and prestige that the Soviet Union and the Russian Empire once held is a key priority for Putin. Under his watch, Russia has shown the Western coalition that it means business and that encroachment into Russia’s historical sphere of influence will not be tolerated. More recently Putin has set his sights to regions of the world where Russia has been absent since the dissolution of the Soviet Union.
Russia has built inroads and rediscovered old ones expanding its operations in the Middle East, Latin America, Asia, and Africa. In comparison to Russian operations in its near abroad, where its strategic and economic interests are more apparent, these far flung areas can be disregarded as unimportant to the Russian regime.[27] However, for Putin, this global expansion serves three key purposes. First, it serves to undermine the US/Western-led liberal order and the values that it promotes (i.e. economic openness, democratic accountability, and rule of law).[28] Building on the first, the second objective aims to bring more countries into Moscow’s orbit, creating a polycentric world where Russia is a global powerbroker.[29] Third, this expansion serves to expand and diversify Russia’s economic reach to avoid extensive reliance on Western trading partners.[30] The annexation of Crimea in 2014 demonstrated the dire effects US/Western-led sanctions could have on the Russian economy. Expanding Russia’s economic and political reach helps insulate Russia from these effects.
Information Operations: The Media Machine
Media that is backed by the Russian government and supported by Russian trolls and bots has become a key element of Russia’s information warfare campaign. They work to promote a version of world events that adheres to Russia’s foreign policy objectives by undermining both the Western-dominated post-Cold War international system and global democratic institutions. They have helped to bolster extremism on both sides of the political spectrum and worked in targeted ways to help in Russia’s foreign operations.
This media machine has a second, more sinister, objective. It seeks to not only provide an alternative narrative with a Russian version of events, but also to cause general confusion and question the whole notion of the truth.[31] It provides varying accounts of events, often based in truth, that work to sow discord and confusion.
Actors around the world have begun to use the Russian disinformation toolset to promote their own agendas and narratives.[32] There is a trend of growing distrust in traditional media sources, which leads to a blurring of fact and fiction[33] and offers a platform for populist candidates in many countries to target the free press. This chaos has worked to undermine journalism in these countries.
RT and Sputnik
RT and Sputnik are at the forefront of Russia’s international media machine. They adhere to the Kremlin’s agenda of sowing discord and promoting sentiment that favors Russia or in some way supports the Kremlin’s objectives or political stance. Currently, RT provides language services in Arabic, English, French, and Spanish. They also provide print news in Arabic, English, French, German, Russian, and Spanish. The following countries have television access to RT[34]:
RT’s global availability can be misleading because it has far fewer weekly viewers than CNN or BBC. Sputnik is the other group that makes up this powerful Russian international media machine. Sputnik provides print media[35] and is available in 32 languages.[36]
Despite a limited following in the traditional sense, RT and Sputnik have managed to create a platform for anti-establishment, populist figures.[37] They have also been extremely successful in the new social media climate, with RT and Sputnik articles being shared on platforms such as Twitter, Facebook, and YouTube. Russia has been able to create a highly effective propaganda machine and social media platforms have allowed Russian-backed media to spread further, faster, and to a much wider audience than previously possible.[38] They are also able to capitalize on American failures and mistakes, in an effort to draw attention away from Russia’s own actions.[39]
Trolls and Bots
In addition to a powerful international media apparatus, Russia also uses “troll factories” to disseminate disinformation through social media. The most well-known of these “troll factories” is located in Saint Petersburg and employs hundreds of workers.[40] “Troll factories” multiply the successfulness of Russian disinformation campaigns.[41] They work in tandem with Russian media to disseminate falsehoods and promote any material that supports the interests of the Kremlin.
Targeted Disinformation Campaigns
Due to the global reach of both the internet and Russia’s media outreach, there are few places that are not subject to a constant Russian information campaign spreading its own narrative of world events. This section will give an overview of some of the countries that suffer from targeted Russian disinformation campaigns and go into detail on several cases to show the complexity of Russian disinformation warfare.
Armenia
Armenia, a former Soviet Socialist Republic, has had close ties both economically and politically with Russia since the dissolution of the Soviet Union.[42] Armenian public opinion remains consistent with the Kremlin’s geopolitical agenda and Armenia welcomes Russian involvement in domestic and regional issues. Despite significant evidence that there is an active Russian disinformation campaign present in Armenia, authorities have not recognized this as a threat. [43]
Days before the parliamentary elections in April 2017, there was a significant spike in troll and bot activity.[44] This included the dissemination of a falsified USAID email implying that the U.S. was meddling in Armenia’s elections. The document was spread on Russian language Twitter accounts. Although the document was debunked by the U.S. embassy in Yerevan, it was corrected and shared again on Twitter along with the original document before the 2017 elections.[45] This helped further the Kremlin’s objective of portraying the U.S. as a threat.
Bulgaria and Moldova
Both Bulgaria and Moldova are two modern nation states that remain highly connected to their Soviet past. Russia’s disinformation campaigns have influenced both sides of the political spectrum in the region. In Bulgaria, the left-wing pro-Russian Bulgarian Socialist Party garners support through pro-Russian and anti-Western social media campaigns with Russian and Bulgarian sources. Similarly, in Moldova the pro-Russian Party of Socialists is supported by Russian social media and media campaigns.
Bulgaria is a member of the EU but still faces high levels of corruption. In addition, there are many in Bulgaria’s government who promote a pro-Russian agenda and capitalize on an idealized memory of their communist past.[46] Moldova has close ties to Russia both culturally and economically and has a frozen conflict in the eastern part of the country.[47] Both countries still have substantial internal support for Russian ideologies and policies, which can be attributed to shared history, culture and religion, and the ideological success of a glamorized Soviet/communist history. However, Russia is still involved with the promotion of disinformation through these countries’ media sources.[48] This technique is used to distract from internal issues, turn attention onto external issues, and keep the populace divided and the economy stagnant.
Ukraine
Ukraine has felt the brunt of Russian disinformation, manipulation, and cyber strikes since 2013. With the annexation of Crimea in 2014 and Russia’s support of the breakaway governments in the Donetsk and Luhansk regions in the southeast, Russia continues to influence and threaten Ukraine. There is new evidence that Ukraine is being used as a training ground for the disinformation campaigns and cyberattacks that Russia intends to use around the globe.[49] Ukraine is a unique case in that it possesses a distinct historical connection to Russia that often influences Russia’s actions and policies in the region. Importantly, Putin’s regime sees Ukraine as a cornerstone of the larger Russian world, inseparable through their shared history. This shared history begins with the anointing of Vladimir the Great in the 10th century and the establishment of Kiev as the first capital of the Russian people.[50]
The Russian government exploits two important elements in the Ukraine case. First, it exploits the ongoing Russian-backed struggle in the east of Ukraine which, along with Crimea, situates Russia as the defender of Russian peoples abroad. Second, Russia has used its media and troll armies to project a narrative favorable to Moscow. For example, Russian media maintains that the 2014 Ukrainian crisis was a Western-backed coup carried out by Ukrainian nationalists,[51] and that the downing of Malaysia Airlines Flight 17 was not Moscow’s doing but Kiev’s.[52] Both stories work to drive a wedge between ethnic Ukrainians and ethnic Russians in modern Ukraine. These efforts are designed to keep the country politically and culturally divided.
Ukraine is a top priority in reestablishing Russian dominance in Eurasia. It is highly likely that Russia will use an array of information tactics to continue to carry out divisive actions in this region in order to discredit the government in Kiev as incompetent and keep Ukraine economically and politically vulnerable.[53]
Czech Republic
There is substantial evidence that a Russian information operation was implemented during the Czech Republic’s presidential election at the beginning of 2018. Following the preliminary round of voting, Russia began a disinformation campaign framing the pro-European candidate Doctor Drahos as a pedophile who would open Czech borders to dangerous immigration, effectively using smear tactics and inciting xenophobic sentiments to help the incumbent candidate Miloš Zeman to win in the second round of voting.[54] Miloš Zeman, a pro-Russian, anti-EU, and nationalist candidate, was elected president once again.
This effective use of disinformation can be found in the neighboring countries of Hungary, Poland, and Slovakia as well.[55] Capitalizing on fears of rampant immigration and prejudice against those from predominantly Islamic countries, Russia has been able to stoke fears and promote extremism in central Europe, effectively influencing elections across Europe.[56]
Sweden
In recent years, Swedish authorities have seen an uptick in Russian information operations aimed at polarizing Swedish society, attempting to undermine stability, and spreading false news reports.[57] Russia is also taking advantage of the fears found in many European countries regarding immigration. Putin capitalizes on these fears and uses Sweden as an example of an unstable country. Russian media giants RT and Sputnik, along with Russian trolls, spearhead this type of dialogue.[58]
Russia hopes to use Sweden as an example to heighten fears of immigration in other European countries in order to empower anti-Western, nationalist, and anti-integration politics. Like the other cases, Russia hopes to weaken Sweden’s democratic institutions and push for radical politics in the country.
France
France is one of the founders of European Economic Union (the precursor to the EU) in 1957, and of NATO in 1949.[59] Currently, France is one of the most powerful nations in Europe militarily and economically and its central position in the both the EU and NATO make it a logical target for Russia. Like the rest of Europe, France experienced a rise in nationalistic and anti-EU rhetoric beginning in the 1980s.[60] This political climate is fertile ground for Russian information warfare.
France’s 2017 elections, like the 2016 elections in the U.S., were rife with Russian interference. Emanuel Macron, a centrist presidential candidate, was targeted by hackers that used spear phishing along with fake Facebook accounts in an attempt to gain information on Macron. An extensive amount of this information was released a day and a half before the election.[61] In addition, a Moscow based consultancy firm made false claims about the polls. Sputnik France and RT France, the French language versions of the media platforms controlled by the Kremlin, were also highly active in negatively portraying Macron.[62] Russian hackers created Twitter accounts targeting Macron with smear campaigns and fake news stories, accounts that also targeted other left-leaning candidates.[63] By aiming at a central bastion of the post-World War II order, Russia was hoping to place an anti-EU candidate into power there with the intention of destabilizing the EU and NATO.
Mexico
The reasons behind the increase of Russian influence in Mexico and other areas of Latin America revolve around Russia’s conflict with the U.S.. In response to the perceived U.S. encroachment into Russia’s “near abroad,” Russia seeks to increase its presence in the U.S. traditional zone of influence.[64] Russia aims to expand its economy and create problems for the U.S. by increasing anti-U.S. sentiment and instability in a country with close economic and geographic ties.
Russia exploits anti-U.S. sentiment through information operations in the region. Prior to Mexico’s 2018 presidential elections, RT en Español (the Spanish language version of Russia Today) had been gaining ground. RT en Español promoted an image of the U.S. as a threat to Mexican sovereignty and supported the democratic-socialist candidate Andres Manuel Lopez Obrador, who would go on to win the presidential election.[65] RT is available across Latin America and in 2014, Sputnik launched a Spanish radio and web-based news and entertainment service, also available across Latin America.[66]
The Philippines
Russia has worked to increase its influence in Southeast Asia politically and economically. In August of 2018 the Association of South East Asian Nations (ASEAN) nearly signed a deal with Russia on cybersecurity integration,[67] and Putin made his first ever visit to Singapore in November 2018 for the ASEAN Summit.[68] Russia’s growing prolificacy in the information space has spiked since 2017. For example, that year Sputnik signed a memorandum of understanding on news exchange with Malaysia’s official news agency, Bernama.[69]
In the Philippines, Russia formed an information dissemination partnership along with several other agreements. This included sending staff from the state-run Philippine News Agency employees to Russia, to be trained on information dissemination with Sputnik.[70] This increased cooperation, particularly in regards to the media, could allow countries to use Russia’s disinformation toolkit to curb opposition and hurt democratic processes at home.
There have been some reports of troll and bot activity on Facebook in the Philippines.[71] In January of 2019, Facebook shut down a series of pages linked to the Internet Research Agency. The pages cited so-called “experts” to give legitimacy and credibility to their falsified information.
Russia’s actions in the Philippines display Vladimir Putin’s wish to support strong, authoritarian-type leaders, wherever they are in the world. It also displays Russia’s hopes to expand into new areas of the globe.
Cyber Operations
This section describes Russia’s information warfare campaign in three ways. First, it contains a dataset of all publicly available information on Russian cyber operations around the globe. Second, this research brings together all Russian-attributed Advanced Persistent Threats (APTs) and shows their respective relationships to Russian intelligence services and military. Third, it gives an analysis of the intelligence/special services in Russia and the APTs we see in the data set. This was achieved with publicly available information from accredited news sources and official reports by cybersecurity tech firms.
I created the dataset underpinning this analysis in 2018-2020. The dataset includes all cyber strikes that took place between 2013 and 2019. Analysis begins in 2013 due to the geopolitical situation at the time and the timing of previous reports released on the topic. It also aligns with an address that President Putin gave to the St. Petersburg International Economic Forum. In this address, President Putin declared his intention to pivot eastward and expand into the Asia-Pacific region rather than capitalize upon Russia’s traditional markets in Europe. This was in the context of extreme political and economic tension between Russia and the EU in their separate bids to integrate Eastern European countries economically and politically. These competing interests can be seen in the attention placed on Ukraine, which Russia invaded the following year. In addition, Kaspersky Lab unearthed a massive global intelligence gathering campaign by a Russian threat actor in 2013. I wanted my research to begin after this large attack was exposed. The data set ends in January 2019, following the U.S. mid-term elections.
Global Targets
Russian-attributed cyber actions were found to be present in 85 countries spanning a total of 6 continents and 16 world regions: Central America, Central Asia, Eastern Africa, Eastern Asia, Eastern Europe, Northern America, Northern Europe, South America, Southeastern Asia, Southern Africa, Southern Asia, Southern Europe, Western Asia, and Western Europe. Despite most of the attacks being centered on Europe and the U.S., we also see the regions surrounding Russia being heavily targeted, including Central Asia, Western Asia, Southern Asia and Eastern Asia.
Special/military intelligence services of the Russian Federation
After the dissolution of the Soviet Union, the intelligence responsibilities of the KGB were divided into newly created branches of intelligence. This includes the Federal Security Service (FSB), the Foreign Intelligence Service (SVR), the Federal Protective Service (FSO) and the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GU), more commonly known by its Soviet era name, the Main Intelligence Directorate (GRU).[72] Each of these groups plays a role in Russian cyberspace but the FSO’s responsibilities and jurisdiction are domestically oriented and it is not believed to be affiliated with any Russian cyber actors. For this reason, the FSO is not included in this report.
The FSB, the SVR, and the GRU
These three organizations are believed to be connected to the most prominent Russian hacking groups.The FSB is responsible for counterintelligence, surveillance, and oversight in the Russian Federation; however, the FSB has become increasingly involved in foreign operations. The SVR carries out mostly human intelligence and its cyber capabilities are not comparable to the FSB or GRU. However, the SVR does work in coordination with the FSB and the GRU on cyber operations. The GRU is different from the other intelligence services because it is the intelligence service of the Russian armed forces. The GRU appears to be the most active group, with access to large amounts of resources to support its cyber operations. The GRU is believed to be the parent organization for APT28 and the Sandworm Team. The FSB was affiliated with the most APTs including Turla, APT29, Palmetto Fusion, and the Gamaredon Group. The SVR was only affiliated with APT29.
Russian-attributed Advanced Persistent Threats
In this section, I will give an analysis of each APT and the most common global targets of each group. My research revealed a total of ten Russian APT groups that differ in their affiliations and activity in foreign operations. In order to decide which APT is responsible for an attack, cybersecurity firms use different indicators, including in-depth analysis of the malware used and past operations carried out by that particular APT. It is important to note that a large portion of attacks were unattributed to a specific APT or branch of the intelligence services. Each APT targeted had overlapping targets but often differed in certain ways.
APT28/Fancy Bear
APT28 or Fancy Bear is the most well-known Russian APT and for good reason. In 2015, APT28 successfully breached the networks of the Pentagon and in 2016 those of the Democratic National Committee. Probably the most well-resourced Russian threat actor, they have been active since at least 2007 and are believed to be affiliated with the GRU. Thanks to the superior technological and operational capabilities of the GRU, their scope is global.[73] They have a large set of malware tools that they continually develop and expand.[74] They most often use a combination of spear phishing and registering fake domains to breach enemy systems.[75]
APT28 operations are present in almost every part of the globe. While they generally target NATO countries, there has been a transition into a more global outlook in the last couple of years. Particularly, cyber operations targeting countries in the Middle East and East Asia are on the rise.[76] APT28’s most common targets include foreign governments and defense industries. The most heavily targeted countries are the U.S., Germany, Turkey, the United Kingdom, Qatar, Poland, Switzerland, and Montenegro. The most highly targeted world regions are Western Asia, Western Europe, Northern America, Northern Europe, and Eastern Europe.
APT28 is believed to be connected to CyberBerkut[77] which is a pro-Russian group working out of Ukraine.[78] CyberBerkut’s agenda is more heavily focused on Ukraine compared to the more global scale of its parent/affiliated group APT28.
APT29/Cozy Bear
APT29 or Cozy Bear is believed to be connected to the SVR and the FSB and is one of the most sophisticated and well supported Russian APTs. APT29 has been active since as early as 2008.[79] In 2015, APT29 successfully breached the unclassified networks of the White House, the State Department, and U.S. Joint Chiefs of Staff.[80] APT29 appears to be more cautious in their operations than other APTs, making their campaigns harder to identify.[81] In addition they possess a large malware toolset that they are constantly expanding.[82] They generally use spear phishing to breach target networks.[83]
APT29 operations have a geographically large scope but they are most present in Northern America, Northern Europe, Eastern Europe, Western Europe, and Eastern and Western Asia. Their operations were present in a total of 31 countries with their most common targets being the U.S., Norway, Belgium, Georgia, Germany, Hungary, the Netherlands, South Korea, Spain, and Ukraine.
Unlike other Russian APTs, APT29 appears to collect intelligence to support diplomatic efforts. APT29 actively targeted Ukraine before the crisis in 2014 but afterwards there was a decrease in activity there because Ukraine was no longer relevant to APT29 in the same way.[84]
After carrying out attacks on U.S. think tanks and NGOs and the Norwegian and Dutch governments in 2016 and 2017 respectively, APT29 went dormant for about a year.[85] However, APT29 reemerged in late 2018 with renewed phishing campaigns targeting multiple sectors.[86]
Turla
Turla is believed to be an extremely sophisticated threat actor and has been active since 2004. Turla is believed to be a part of the FSB and much like APT29 is known to be cautious and patient in their operations.[87] Some experts say that the programming code used by Turla APT is more advanced than that used by APT28 and APT29.[88] Turla could also be affiliated with the “Red October” campaign that targets diplomats, military officials and nuclear researchers.[89]
Turla’s targets are mostly government- and defense-related, and in the past six years, their most common target was Germany. In 2017, Turla was able to hack their way into Department 2 of the German Foreign Office, which is responsible for Germany’s foreign policy both within the EU and with other countries of Europe, North America, Central Asia, and Russia.[90] They were also responsible for multiple campaigns in Switzerland and South Korea. Turla has shown an interest in Swiss defense technology by targeting both the Swiss Federal Department of Defense[91] and a defense contractor called Raug. Turla gained access to 23 GB of data on ammunition technology and aerospace technology, including drones.[92] Prior to the summit between U.S. president Donald Trump and the North Korean leader Kim Jong-Un, Turla targeted the government of South Korea.[93] Much like APT28 and APT29, Turla has targets around the globe. As well as having a presence in Western Europe and Eastern Asia, they are also heavily active in Western Asia, Central Asia, and Southern Asia.
Sandworm Team
The Sandworm Team is believed to be part of the GRU but unlike its counterpart APT28, the Sandworm Team’s targets are often energy related. The Sandworm Team uses a malware known as BlackEnergy that they continue to update and use to target energy-related infrastructure.
The Sandworm Team is most active in Ukraine.[94] Some of their most devastating attacks were in 2015 and 2016, when the Sandworm Team shut down the Ukrainian power grid.[95] In 2017, the Sandworm Team launched one of the most destructive attacks known to date called NotPetya, which was disguised as ransomware that actually wiped information from the systems in question.[96] NotPetya was meant to cripple the Ukranian financial system amidst the ongoing conflict between Kiev and separatists in the Donbass region in Eastern Ukraine.
The Sandworm Team has also been active in other parts of Eastern Europe and Western Asia. In 2015, the Sandworm Team used GreyEnergy malware, the successor to the BlackEnergy toolkit, to target a Polish energy company.[97] The Sandworm Team is known for being careful in hiding and defending their long term presence with compromised systems.[98] This means that future campaigns by the Sandworm Team could be equally if not more devastating than they were in Ukraine.
Palmetto Fusion
Palmetto Fusion is a relatively new APT that has been active since at least 2015 and is believed to be affiliated with the FSB.[99] Similar to Dragonfly and the Sandworm Team, their targets are predominantly energy-related, although far less is known about Palmetto Fusion. Their targets are spread out and include Ireland, the United Kingdom, Turkey, and the U.S. In 2017, they targeted nuclear power stations, other energy facilities, and manufacturing plants in the U.S.[100] The cybersecurity firm Dragos has determined with moderate confidence that Palmetto Fusion maintains ready access to disrupt electrical utilities and understands the environment necessary to develop disruptive capabilities among its infected targets.[101]
Gamaredon Group
The Gamaredon Group is a lesser-known threat actor which is believed to be tied to the FSB and which targets government entities in Ukraine.[102] In 2018, the Gamaredon Group launched coordinated cyberattacks on Ukrainian government agencies several days prior to the Russian seizure of Ukrainian ships and sailors in the sea of Azov.[103]
Guccifer 2.0
Guccifer 2.0 is the only group discussed that appears to no longer be active. Guccifer 2.0 was a persona believed to be created by GRU officers to target the 2016 U.S. elections.[104] The name Guccifer 2.0 was most likely used in an effort to disguise the Russian hacking effort by posing as a Romanian solo hacker. The original Guccifer was supposedly a Romanian hacker who was found guilty of hacking Hillary Clinton’s private e-mail.[105] It is unlikely that Guccifer 2.0 is actually a separate APT; instead it was probably a cover persona for a GRU-led operation targeting the 2016 elections.
Other Russian APTs
There are six other Russian APTs that have not yet been attributed to a particular branch of the Russian government. These five groups are Carbanak, Cloud Atlas, Dragonfly, Dragonfly 2.0, DustSquad, and Rasputin.
Energy Seekers: Dragonfly and Dragonfly 2.0
Dragonfly and Dragonfly 2.0 are two APTs that tend to focus mainly on energy-related targets. These groups are very similar, leading to some disagreement among cybersecurity analysts as to whether they are actually the same group. Despite an article by Symantec listing Dragonfly 2.0 as a resurgent Dragonfly[106], most cybersecurity experts have found enough evidence to believe that they are two separate groups.[107] Palmetto Fusion and Dragonfly also share many similarities, but again there are considerable differences that have led cybersecurity experts to label them as two entirely different groups.[108]
Dragonfly has been active since at least 2010 and focuses heavily on energy and industrial sectors.[109] They target areas all over the world but have been concentrated in Europe and the U.S. They use a combination of watering hole websites and phishing campaigns to target vendors of industrial control software to acquire access to power grid systems and manufacturing plants.[110] After several cybersecurity firms released reports on Dragonfly’s activity in 2014, the group disappeared.[111]
Dragonfly 2.0 emerged in late 2015 and launched a campaign targeting the Western energy sector.[112] These attacks included targets in the U.S., Switzerland, and Turkey.
The Others: Carbanak, Cloud Atlas, DustSquad, and Rasputin
This last group of threat actors is less known and has fewer targets than the other groups do. The Carbanak Group focuses on targets in Ukraine. In what appears to be a coordinated cyber-attack, the Carbanak Group targeted government and military entities before and during the seizure of Ukrainian sailors and ships in 2018.[113]
Cloud Atlas is believed to be the same actor that carried out the Red October campaign that was discovered by Kaspersky labs in January of 2013. Excluding targets inside Russia, targets inside Kazakhstan are the most prominent.[114]
DustSquad has been active since at least 2014 and targets diplomatic entities in Central Asia and Afghanistan.[115]
Rasputin is a threat actor that successfully breached the U.S. Election Assistance Commission in 2016.[116]
Conclusion
Supported by more than half a decade of economic growth, in 2007 Putin declared that the U.S. had overstepped its national boundaries, imposing economic, political, cultural and educational policies on other nations.[117] Since then, Russia’s government has proven that it will not adhere to the democratic norms that many had hoped it would embrace following the collapse of the Soviet Union. Instead, the Kremlin is moving to consolidate its authoritarian power at home while working to gain back the lost prestige and influence once held by the Soviet Union. The Kremlin believes that the main obstacle in achieving this is the U.S. and the international order it has largely created.
Locked in a struggle with the West reminiscent of the Cold-War, the Kremlin sees itself in a contest for influence in a world order that is working to curb Russian objectives. Putin seeks to use cyberspace to his advantage by using both cyber and information operations to level out the playing field. The Kremlin has been successful not only in applying cyber and information operations in tandem, but also in using them simultaneously with more conventional tools. The success of operations in Russia’s near abroad and of attacks on democratic institutions around the world point to the drastic effects of a holistic application of information warfare.
Based on recent history, it is difficult to imagine that Russian information warfare will dissipate anytime soon. Despite efforts to expose and prevent them, the largely ungoverned nature of the internet makes it easy to carry out information and cyber operations, often with little consequence. In the same vein, the internet provides a relatively cheap medium where the Kremlin can push above its weight vis-à-vis the West, while also adapting its toolkit to address the evolving situation. As long this geopolitical contest persists and the benefits continue to outweigh the drawbacks, the Kremlin’s information war will be common practice.
Endnotes
[1] Buchanan, B., The Modus Operandi and Toolbox of Russia and Other Autocracies for Undermining Democracies Throughout the World: Ben Buchanan Testifies before Senate Judiciary Sub-Committee on Crime and Terrorism (2017, March 16). https://www.wilsoncenter.org/article/the-modus-operandi-and-toolbox-russia-and-other-autocracies-for-undermining-democracies
[2] Connell, Michael, and Sarah Vogler, Russia’s Approach to Cyber Warfare. CNA analysis and Solutions (March 2017). https://www.cna.org/cna_files/pdf/DOP-2016-U-014231-1Rev.pdf.
[3] Tashev, Blagovest, Michael Purcell, and Brian McLaughlin, Russia’s Information Warfare: Exploring the Cognitive Dimension, in MCU Journal 10 no. 2 (Fall 2019). https://www.usmcu.edu/Portals/218/CAOCL/files/RussiasInformationWarfare_MCUJ_Fall2019.pdf?ver=2019-11-19-093543-040
[4] Gurganus, J., & Rumer, E., Russia’s Global Ambitions in Perspective (2019, February 20). https://carnegieendowment.org/2019/02/20/russia-s-global-ambitions-in-perspective-pub-78067
[5] Sherman, J., Arampatzis, A., & Cobaugh, P., An Assessment of Information Warfare as a Cybersecurity Issue (2018, June 18). https://www.realcleardefense.com/articles/2018/06/18/an_assessment_of_information_warfare_as_a_cybersecurity_issue_113541.html
[6] Marshall, T., Russia and the Curse of Geography (2015, October 31). https://www.theatlantic.com/international/archive/2015/10/russia-geography-ukraine-syria/413248/
[7] Marshall, T., Russia and the Curse of Geography. (2015, October 31). https://www.theatlantic.com/international/archive/2015/10/russia-
geography-ukraine-syria/413248/
[8] Blank, Stephen. Cyber War and Information War à La Russe – Understanding Cyber Conflict: 14 Analogies. Carnegie Endowment for International Peace. (2017, October 16). https://carnegieendowment.org/2017/10/16/cyber-war-and-information-war-la-russe-pub-73399
[9] Blank, Stephen. Cyber War and Information War à La Russe – Understanding Cyber Conflict: 14 Analogies. Carnegie Endowment for International Peace. (2017, October 16). https://carnegieendowment.org/2017/10/16/cyber-war-and-information-war-la-russe-pub-73399
[10] Ajir, Media, and Bethany Vailliant. Russian Information Warfare: Implications for Deterrence Theory., in Strategic Studies Quarterly 12, no. 3 (2018): 70-89.
[11] Ajir, Media, and Bethany Vailliant. Russian Information Warfare: Implications for Deterrence Theor, in Strategic Studies Quarterly 12, no. 3 (2018): 70-89.
[12] Blank, Stephen. Cyber War and Information War à La Russe – Understanding Cyber Conflict: 14 Analogies. Carnegie Endowment for International Peace (2017, October 16). https://carnegieendowment.org/2017/10/16/cyber-war-and-information-war-la-russe-pub-73399
[13] Blank, Stephen. Cyber War and Information War à La Russe – Understanding Cyber Conflict: 14 Analogies. Carnegie Endowment for International Peace (2017, October 16). https://carnegieendowment.org/2017/10/16/cyber-war-and-information-war-la-russe-pub-73399
[14] Blank, Stephen. Cyber War and Information War à La Russe – Understanding Cyber Conflict: 14 Analogies. Carnegie Endowment for International Peace (2017, October 16). https://carnegieendowment.org/2017/10/16/cyber-war-and-information-war-la-russe-pub-73399
[15] Taylor, Adam. Analysis | Is There a Link between Putin’s Approval Rating and Aggressive Russian Foreign Policy? Washington Post (2016, November 26). https://www.washingtonpost.com/world/2018/11/26/is-there-link-between-putins-approval-rating-aggressive-russian-foreign-policy/
[16] Balzer, Harley. Public Opinion Paradoxes? Russians Are Increasingly Dubious About the Costs of Putin’s Foreign Policies. Ponars Eurasia (2019, May). https://www.ponarseurasia.org/sites/default/files/policy-memos-pdf/Pepm595_Balzer_May2019_0.pdf
[17] Watts, Clint. Russia’s Active Measures Architecture: Task and Purpose. Alliance For Securing Democracy (blog) (2018, May 22). https://securingdemocracy.gmfus.org/russias-active-measures-architecture-task-and-purpose/
[18] Ulrich, Kühn. Russian Interests and Strategy – Preventing Escalation in the Baltics: A NATO Playbook. Carnegie Endowment for International Peace (2018, March 28). https://carnegieendowment.org/2018/03/28/russian-interests-and-strategy-pub-75880
[19] Ulrich, Kühn. Russian Interests and Strategy – Preventing Escalation in the Baltics: A NATO Playbook. Carnegie Endowment for International Peace (2018, March 28). https://carnegieendowment.org/2018/03/28/russian-interests-and-strategy-pub-75880
[20] Ulrich, Kühn. Russian Interests and Strategy – Preventing Escalation in the Baltics: A NATO Playbook. Carnegie Endowment for International Peace (2018, March 28). https://carnegieendowment.org/2018/03/28/russian-interests-and-strategy-pub-75880
[21]Russian National Security Strategy (2020, September 9). http://www.ieee.es/Galerias/fichero/OtrasPublicaciones/Internacional/2016/Russian-National-Security-Strategy-31Dec2015.pdf and http://static.kremlin.ru/media/events/files/ru/l8iXkR8XLAtxeilX7JK3XXy6Y0AsHD5v.pdf
[22] Sokolsky, R., & Stronski, P. The Return of Global Russia: An Analytical Framework. Carnegie Endowment for International Peace (2017, December 14). https://carnegieendowment.org/2017/12/14/return-of-global-russia-analytical-framework-pub-75003
[23] Kendall-Taylor, Andrea, and David Shullman. How Russia and China Undermine Democracy (2020, February 19). https://www.foreignaffairs.com/articles/china/2018-10-02/how-russia-and-china-undermine-democracy
[24] Ulrich, Kühn. Russian Interests and Strategy – Preventing Escalation in the Baltics: A NATO Playbook. Carnegie Endowment for International Peace (2018, March 28). https://carnegieendowment.org/2018/03/28/russian-interests-and-strategy-pub-75880
[25] Ioffe, Julia. The History of Russian Involvement in America’s Race Wars. The Atlantic (2017, October 21). https://www.theatlantic.com/international/archive/2017/10/russia-facebook-race/542796/
[26] Kirchick, James. Russia’s Plot against the West. POLITICO (2017, March 17). https://www.politico.eu/article/russia-plot-against-the-west-vladimir-putin-donald-trump-europe/
[27] Rumer, Eugene, and Andrew S. Weiss. Vladimir Putin’s Russia Goes Global. Carnegie Endowment for International Peace (2017, August 4). https://carnegieendowment.org/2017/08/04/vladimir-putin-s-russia-goes-global-pub-72736
[28] Rumer, Eugene, and Andrew S. Weiss. Vladimir Putin’s Russia Goes Global. Carnegie Endowment for International Peace (2017, August 4). https://carnegieendowment.org/2017/08/04/vladimir-putin-s-russia-goes-global-pub-72736
[29] Rumer, Eugene, and Andrew S. Weiss. Vladimir Putin’s Russia Goes Global. Carnegie Endowment for International Peace (2017, August 4). https://carnegieendowment.org/2017/08/04/vladimir-putin-s-russia-goes-global-pub-72736
[30] Borshchevskaya, Anna. Russian Strategic Intentions: A Strategic Multilayer Assessment (SMA) White Paper, 62-63 (2019, May 1). https://www.politico.com/f/?id=0000016b-a5a1-d241-adff-fdf908e00001
[31] Troianovski, A., & Warrick, J. How a powerful Russian propaganda machine chips away at Western notions of truth. Washington Post (2018, December 10). https://www.washingtonpost.com/graphics/2018/world/national-security/russian-propaganda-skripal-salisbury/
[32] Frenkel, S., Conger, K., & Roose, K. Russia’s Playbook for Social Media Disinformation Has Gone Global. The New York Times (2019, January 31). https://www.nytimes.com/2019/01/31/technology/twitter-disinformation-united-states-russia.html
[33] Troianovski, A., & Warrick, J. How a powerful Russian propaganda machine chips away at Western notions of truth. Washington Post (2018, December 10). https://www.washingtonpost.com/graphics/2018/world/national-security/russian-propaganda-skripal-salisbury/
[34] RT. Where to watch (2019, July 26). https://www.rt.com/where-to-watch/
[35] Sokolsky, R., & Stronski, P. The Return of Global Russia: An Analytical Framework. Carnegie Endowment for International Peace (2017, December 14). https://carnegieendowment.org/2017/12/14/return-of-global-russia-analytical-framework-pub-75003
[36] Sokolsky, R., & Stronski, P. The Return of Global Russia: An Analytical Framework. Carnegie Endowment for International Peace (2017, December 14). https://carnegieendowment.org/2017/12/14/return-of-global-russia-analytical-framework-pub-75003
[37] Rutenberg, J. RT, Sputnik and Russia’s New Theory of War. The New York Times (2017, September 13). https://www.nytimes.com/2017/09/13/magazine/rt-sputnik-and-russias-new-theory-of-war.html
[38] noodleremovernews. RT, Information War, and Billions of Views: Where do the numbers come from? Bellingcat (2017, January 11). https://www.bellingcat.com/news/uk-and-europe/2017/01/11/rt-infowar-billions-of-views/
[39] Leonor, A. A guide to Russian propaganda. Part 2: Whataboutism. Euromaidan Press (2016, August 31). http://euromaidanpress.com/2016/08/31/a-guide-to-russian-propaganda-part-2-whataboutism/
[40] Troianovski, A., & Warrick, J. How a powerful Russian propaganda machine chips away at Western notions of truth. Washington Post (2018, December 10). https://www.washingtonpost.com/graphics/2018/world/national-security/russian-propaganda-skripal-salisbury/
[41] Helmus, T. C., Bodine-Baron, E., Radin, A., Magnuson, M., Mendelsohn, J., Marcellino, W.,… Winkelman, Z. Russian Social Media Influence: Understanding Russian Propoganda in Eastern Europe (2018). https://www.rand.org/content/dam/rand/pubs/research_reports/RR2200/RR2237/RAND_RR2237.pdf
[42] Kremlin Watch. Armenia (2019, July). http://www.kremlinwatch.eu/countries-compared-states/armenia/
[43] Kremlin Watch. Armenia (2019, July). http://www.kremlinwatch.eu/countries-compared-states/armenia/
[44] Nimmo, B. Fakes, Bots, and Blockings in Armenia. Medium (2017, April 7). https://medium.com/dfrlab/fakes-bots-and-blockings-in-armenia-44a4c87ebc46
[45] Nimmo, B. Fakes, Bots, and Blockings in Armenia. Medium (2017, April 7). https://medium.com/dfrlab/fakes-bots-and-blockings-in-armenia-44a4c87ebc46
[46] Biray, Kurt. Communist Nostalgia in Eastern Europe: Longing for the Past. OpenDemocracy (2015, November 9). https://www.opendemocracy.net/can-europe-make-it/kurt-biray/communist-nostalgia-in-eastern-europe-longing-for-past
[47] Mallonee, Laura. Meet the People of a Soviet Country That Doesn’t Exist. Wired (2016, March 7). https://www.wired.com/2016/03/meet-people-transnistria-stuck-time-soviet-country-doesnt-exist/
[48] Devyatkov, Andrey. Dynamics of Russian Power in Moldova. Foreign Policy Research Institute (2017, March 27). https://www.fpri.org/article/2017/03/dynamics-russian-power-moldova/ . See also Tanev, Mario. Nearly 25% of Bulgarians Encounter Fake News on Daily Basis – Poll June 28, 2017.
[49] Greenberg, Andy. Everything We Know About Russia’s Election-Hacking Playbook. Wired (2017, June 9). https://www.wired.com/story/russia-election-hacking-playbook/
[50] Matyukhina, Natasha, and Olga Bugorkova. Medieval Prince Vladimir Deepens Russia-Ukraine Split. BBC News (2015, July 28, 2015). https://www.bbc.com/news/world-europe-33689641
[51] Yuhas, Alan. Russian Propaganda over Crimea and the Ukraine: How Does It Work? The Guardian (2014, March 17). https://www.theguardian.com/world/2014/mar/17/crimea-crisis-russia-propaganda-media
[52] Knight, A. Russia Deployed Its Trolls to Cover Up the Murder of 298 People on MH17. The Daily Beast (2019, May 31). https://www.thedailybeast.com/mh17-russia-deployed-its-trolls-to-cover-up-the-murder-of-298-people
[53] Greenberg, Andy. How An Entire Nation Became Russia’s Test Lab for Cyberwar. Wired (2017, June 20). https://www.wired.com/story/russian-hackers-attack-ukraine/
[54] Crosby, Alan. Fake News Kicks Into High Gear In Czech Presidential Runoff. RadioFreeEurope/RadioLiberty (2018, January 21). https://www.rferl.org/a/fake-news-kicks-into-highgear-czech-presidential-vote/28987922.html
[55] Győri, Lóránt, and Jonáš Syrovátka. Russian Propaganda in the Czech Republic, Slovakia and Hungary. Security and Human Rights Monitor (blog) (2019, December 10,). https://www.shrmonitor.org/russian-propaganda-in-the-czech-republic-slovakia-and-hungary/
[56] Šuplata, Milan, and Milan Nič. Russia’s Information War in Central Europe: New Trends and Counter-Measures. Globsec Policy Institute (2016, September 15). https://www.europeanvalues.net/wp-content/uploads/2016/09/russias_information_war_in_central_europe.pdf.
[57] Brattberg, Erik, and Tim Maurer. Russian Election Interference: Europe’s Counter to Fake News and Cyber Attacks. Carnegie Endowment for International Peace (2018, May 23). https://carnegieendowment.org/2018/05/23/russian-election-interference-europe-s-counter-to-fake-news-and-cyberattacks-pub-76435
[58] Brattberg, Erik, and Tim Maurer. Russian Election Interference: Europe’s Counter to Fake News and Cyber Attacks. Carnegie Endowment for International Peace (2018, May 23). https://carnegieendowment.org/2018/05/23/russian-election-interference-europe-s-counter-to-fake-news-and-cyberattacks-pub-76435
[59] NATO’s History. France NATO (2019, July 26). https://otan.delegfrance.org/NATO-s-history
[60] Pazzanese. In Europe, Nationalism Rising. Harvard Gazette (blog) (2017, February 27). https://news.harvard.edu/gazette/story/2017/02/in-europe-nationalisms-rising/
[61] Brattberg, Erik, and Tim Maurer. Russian Election Interference: Europe’s Counter to Fake News and Cyber Attacks. Carnegie Endowment for International Peace (2018, May 23). https://carnegieendowment.org/2018/05/23/russian-election-interference-europe-s-counter-to-fake-news-and-cyberattacks-pub-76435
[62] Brattberg, Erik, and Tim Maurer. Russian Election Interference: Europe’s Counter to Fake News and Cyber Attacks. Carnegie Endowment for International Peace (2018, May 23). https://carnegieendowment.org/2018/05/23/russian-election-interference-europe-s-counter-to-fake-news-and-cyberattacks-pub-76435
[63] Brattberg, Erik, and Tim Maurer. Russian Election Interference: Europe’s Counter to Fake News and Cyber Attacks. Carnegie Endowment for International Peace (2018, May 23). https://carnegieendowment.org/2018/05/23/russian-election-interference-europe-s-counter-to-fake-news-and-cyberattacks-pub-76435
[64] Gurganus, Julia, and Julia Gurganus. Russia: Playing a Geopolitical Game in Latin America. Carnegie Endowment for International Peace (2018, May 3). https://carnegieendowment.org/2018/05/03/russia-playing-geopolitical-game-in-latin-america-pub-76228.
[65] Salvo, David, and Stephanie De Leon. Russian Influence in Mexican and Colombian Elections. Alliance For Securing Democracy (blog). (2018, January 4). https://securingdemocracy.gmfus.org/russian-influence-in-mexican-and-colombian-elections/
[66]Gurganus, Julia, and Julia Gurganus. Russia: Playing a Geopolitical Game in Latin America. Carnegie Endowment for International Peace (2018, May 3). https://carnegieendowment.org/2018/05/03/russia-playing-geopolitical-game-in-latin-america-pub-76228.
[67] Geddie, John, and Manuel Mogato. Southeast Asia Seek Cybersecurity Deal with Russia after Series of Hacks. Reuters (2018, August 2). https://www.reuters.com/article/us-asean-singapore-russia-idUSKBN1KN0AI
[68] Chia, L. Russian President Vladimir Putin to make first visit to Singapore. CNA (2018, November 10). https://www.channelnewsasia.com/news/singapore/russia-vladimir-putin-in-singapore-visit-asean-summit-10916422
[69] Connelly, Aaron L, and Beba Cibralic. Russia’s Disinformation Game in Southeast Asia (2018, April 23). https://www.lowyinstitute.org/the-interpreter/russias-disinformation-game-southeast-asia
[70] Rappler Research Team. EXCLUSIVE: Russian disinformation system influences PH social media. Rappler (2019, January 22). http://www.rappler.com/newsbreak/investigative/221470-russian-disinformation-system-influences-philippine-social-media
[71] Rappler Research Team. EXCLUSIVE: Russian disinformation system influences PH social media. Rappler (2019, January 22). http://www.rappler.com/newsbreak/investigative/221470-russian-disinformation-system-influences-philippine-social-media
[72] Estonian Foreign Intelligence Service. International Security and Estonia (2018). https://www.valisluureamet.ee/pdf/raport-2018-ENG-web.pdf and Galeotti, Mark. The Spies Who Love Putin. The Atlantic (2017, January 17). https://www.theatlantic.com/international/archive/2017/01/fsb-kgb-putin/513272/
[73] Estonian Foreign Intelligence Service. International Security and Estonia (2018). https://www.valisluureamet.ee/pdf/raport-2018-ENG-web.pdf
[74] Alperovitch, D. Bears in the Midst: Intrusion into the Democratic National Committee (2020, June 5). https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/
[75] Alperovitch, D. Bears in the Midst: Intrusion into the Democratic National Committee (2020, June 5). https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/
[76] GReAT. A Slice of 2017 Sofacy Activity. Kaspersky (2018, February 20). https://securelist.com/a-slice-of-2017-sofacy-activity/83930/
[77] Bing, Chris. How Phishing Emails Sent by Russian Hackers Produce Propaganda. CyberScoop (2017, May 25). https://www.cyberscoop.com/citizen-lab-russia-hacks-apt28-propaganda/
[78] Unwala, Azhar and Ghori, Shaheen. Brandishing the Cybered Bear: Information War and the RussiaUkraine Conflict. Military Cyber Affairs: Vol. 1 : Iss. 1 , Article 7 (2018).
[79] F-Secure Labs Threat Intelligence. The Dukes: 7 years of Russian cyberespionage (n.d.). https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf
[80] Alperovitch, D. Bears in the Midst: Intrusion into the Democratic National Committee (2020, June 5). https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/
[81] Modderkolk, H. Russen faalden bij hackpogingen ambtenaren op Nederlandse ministeries. Volkskrant (2017, February 4). https://www.volkskrant.nl/gs-b77ff391
[82] F-Secure Labs Threat Intelligence. The Dukes: 7 years of Russian cyberespionage (n.d.). https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf
[83] F-Secure Labs Threat Intelligence. The Dukes: 7 years of Russian cyberespionage (n.d.). https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf
[84] F-Secure Labs Threat Intelligence. The Dukes: 7 years of Russian cyberespionage (n.d.). https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf
[85] Cimpanu, C. Russian APT comes back to life with new US spear-phishing campaign. ZDNet (n.d.). https://www.zdnet.com/article/russian-apt-comes-back-to-life-with-new-us-spear-phishing-campaign/
[86] Cimpanu, C. Russian APT comes back to life with new US spear-phishing campaign. ZDNet (n.d.). https://www.zdnet.com/article/russian-apt-comes-back-to-life-with-new-us-spear-phishing-campaign/
[87] Baumgartner, M., Beuth, P., Diehl, J., Esch, C. E., Gebauer, M., von Hammerstein, K.,Wiedmann-Schmidt, W. Cyber-Espionage Hits Berlin: The Breach from the East. Spiegel Online (2018, March 5). https://www.spiegel.de/international/germany/cyber-espionage-likely-from-russia-targets-german-government-a-1196520.html
[88] Baumgartner, M., Beuth, P., Diehl, J., Esch, C. E., Gebauer, M., von Hammerstein, K., Wiedmann-Schmidt, W. Cyber-Espionage Hits Berlin: The Breach from the East. Spiegel Online (2018, March 5). https://www.spiegel.de/international/germany/cyber-espionage-likely-from-russia-targets-german-government-a-1196520.html
[89] Baumgartner, M., Beuth, P., Diehl, J., Esch, C. E., Gebauer, M., von Hammerstein, K.,Wiedmann-Schmidt, W. Cyber-Espionage Hits Berlin: The Breach from the East. Spiegel Online (2018, March 5). https://www.spiegel.de/international/germany/cyber-espionage-likely-from-russia-targets-german-government-a-1196520.html
[90] Baumgartner, M., Beuth, P., Diehl, J., Esch, C. E., Gebauer, M., von Hammerstein, K., Wiedmann-Schmidt, W. Cyber-Espionage Hits Berlin: The Breach from the East. Spiegel Online (2018, March 5). https://www.spiegel.de/international/germany/cyber-espionage-likely-from-russia-targets-german-government-a-1196520.html
[91] Conseil fédéral, Chancellerie fédérale, Département fédéral de la défense, de la protection de la population et des sports, & Département fédéral des affaires étrangères. Cyberattaque contre l’administration fédérale identifiée. Des mesures ont été prise. (n.d.). https://www.admin.ch/gov/fr/accueil/documentation/communiques.msg-id-68135.html
[92] Kovacs, Eduard. Attack on Swiss Defense Firm Linked to Turla Cyberspies (2016, May 23). https://www.securityweek.com/attack-swiss-defense-firm-linked-turla-cyberspies
[93] Duffy, R. Chinese, Russian hacking groups spy on South Korea amid U.S.-North Korea peace talks. CyberScoop (2018, June 5). https://www.cyberscoop.com/chinese-russian-hacking-groups-spy-south-korea-amid-u-s-north-korea-peace-talks/
[94] Cherepanov, Anton. GreyEnergy: A Successor to BlackEnergy. White paper (2018, October). https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf
[95] Greenberg, A. How An Entire Nation Became Russia’s Test Lab for Cyberwar. Wired (2017, June 20). https://www.wired.com/story/russian-hackers-attack-ukraine/
[96] Nakashima, E. Russian military was behind ‘NotPetya’ cyberattack in Ukraine, CIA concludes. Washington Post (2018, January 12). https://www.washingtonpost.com/world/national-security/russian-military-was-behind-notpetya-cyberattack-in-ukraine-cia-concludes/2018/01/12/048d8506-f7ca-11e7-b34a-b85626af34ef_story.html
[97] Cherepanov, Anton. GreyEnergy: A Successor to BlackEnergy. White paper (2018, October). https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf
[98] Baumgartner, K., & Garnaeva, M. BE2 custom plugins, router abuse, and target profiles. Kaspersky (2014, November 3). https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/
[99] Greenberg, A. A Brief Tour of Russia’s Infrastructure Hacking Teams. Wired (2017, July 12). https://www.wired.com/story/russian-hacking-teams-infrastructure/
[100] Nakashima, Ellen. U.S. Officials Say Russian Government Hackers Have Penetrated Energy and Nuclear Company Business Networks. Washington Post (2017, July 8). https://www.washingtonpost.com/world/national-security/us-officials-say-russian-government-hackers-have-penetrated-energy-and-nuclear-company-business-networks/2017/07/08/bbfde9a2-638b-11e7-8adc-fea80e32bf47_story.html
[101] Dragos. Allanite | Dragos. Dragos (2019). https://dragos.com/resource/allanite/
[102] Gallagher, S. Ukraine detects new Pterodo backdoor malware, warns of Russian cyberattack. Ars Technica (2018, November 20). https://arstechnica.com/information-technology/2018/11/ukraine-detects-new-pterado-backdoor-malware-warns-of-russian-cyberattack/
[103] Tucker. Russia Launched Cyber Attacks Against Ukraine Before Ship Seizures, Firm Says. Nextgov.com (2018, December 8). https://www.nextgov.com/cybersecurity/2018/12/russia-launched-cyber-attacks-against-ukraine-ship-seizures-firm-says/153387/
[104] Sanger, D. E., Rutenberg, J., & Lipton, E. Tracing Guccifer 2.0’s Many Tentacles in the 2016 Election. The New York Times (2018, July 15). https://www.nytimes.com/2018/07/15/us/politics/guccifer-russia-mueller.html
[105] Kravets, D. Hacker Guccifer, who exposed Clinton’s use of private e-mail, gets 52 months. Ars Technica (2016, September 1). https://arstechnica.com/tech-policy/2016/09/hacker-guccifer-who-exposed-clintons-use-of-private-e-mail-gets-52-months/
[106] Symantec Threat Intelligence. Dragonfly: Western energy sector targeted by sophisticated attack group. Symantec (2017, October 20). https://www.symantec.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks
[107] MITRE ATT&CK. Group: Dragonfly 2.0, Berserk Bear – MITRE ATT&CKTM. MITRE ATT&CK (n.d.). https://attack.mitre.org/groups/G0074/
[108] Greenberg, A. A Brief Tour of Russia’s Infrastructure Hacking Teams. Wired (2017, July 12). https://www.wired.com/story/russian-hacking-teams-infrastructure/
[109] Kaspersky Lab ICS CERT. Energetic Bear/Crouching Yeti: Attacks on servers. Kaspersky (2018, April 23). https://securelist.com/energetic-bear-crouching-yeti/85345/
[110] Greenberg, A. A Brief Tour of Russia’s Infrastructure Hacking Teams. Wired (2017, July 12). https://www.wired.com/story/russian-hacking-teams-infrastructure/
[111] Greenberg, A. A Brief Tour of Russia’s Infrastructure Hacking Teams. Wired (2017, July 12). https://www.wired.com/story/russian-hacking-teams-infrastructure/
[112] Symantec Threat Intelligence. Dragonfly: Western energy sector targeted by sophisticated attack group. Symantec (2017, October 20). https://www.symantec.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks
[113] Tucker. Russia Launched Cyber Attacks Against Ukraine Before Ship Seizures, Firm Says. Nextgov.com (2018, December 8). https://www.nextgov.com/cybersecurity/2018/12/russia-launched-cyber-attacks-against-ukraine-ship-seizures-firm-says/153387/
[114] GReAT. Cloud Atlas: RedOctober APT is back in style. Kaspersky (2014, December 10). https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/
[115] GReAT. Octopus-infested seas of Central Asia. Kaspersky (2018, October 15). https://securelist.com/octopus-infested-seas-of-central-asia/88200/
[116] Barysevich, A. Russian-Speaking Hacker Selling Access to the US Election Assistance Commission. Recorded Future (2016, December 15). https://www.recordedfuture.com/rasputin-eac-breach/
[117] Charbonneau, Louis. Putin Says U.S. Wants to Dominate World. Reuters (2007, February 10). https://www.reuters.com/article/us-russia-usa-idUSL1053774820070210
