The primary focus of this article is Russian cyber-operational strategy in Eastern Europe, particularly in Ukraine and Estonia. It is interesting to go back and review these events in light of recent revelations and media attention to Russian influence in the American arena. It briefly touches on past Russian cyber operations as well as the strategies, mindset, and approach of Russian intelligence and military agencies in the cyber theatre.

Narrative and Information: Russian Cyber Operations in Eastern Europe

We live in an increasingly interconnected world. The internet not only has changed how information is shared but has demonstrably affected politics across the world. The Arab Spring and the rise of nationalism across the West have both been shaped largely by the internet. The anonymity of the digital world, while a boon to those fighting oppression, is a neutral tool that can be used by anyone with access. The internet has also created an entirely new theatre for intelligence and military services, and Russia has perhaps been the most effective state operator in this theatre so far.

Wars and elections are won not only by bullets and votes but by perception and information, and the internet provides an avenue for states to control perception both at home and abroad. The Russian government’s recent conflicts in Eastern Europe serve as a case study for its overarching strategy of synthesising the new technology of the internet with the old desire to exert influence beyond the country’s borders. The Putin regime’s use of semi-legitimate and clandestine cyber operations to exert influence over former Soviet Bloc countries in Eastern Europe reflects a long-standing strategic approach to advancing its interests through the control of the narrative surrounding a conflict.

Modern Russia, like the former Soviet Union, places an emphasis on intelligence work’s strategic role in protecting and advancing its interests. Similarly to how the United States’ cyber operations (Stuxnet, etc.) reflect general US strategy, i.e. highly targeted and patient, Russia’s use of cyber operations reflects longstanding Russian and Soviet strategic values. Historically, Russia (and the Soviet Union) has sought to gather as much information about its interests as possible, even when action is not likely to be carried out in the near future. Soviet planning was granular to the point of mapping the layout of individual buildings on tactical maps. Russian attempts to infiltrate and penetrate Eastern European and Western computer networks illustrate a shared strategic belief: information is power, and preparation is crucial.

Another important facet of traditional Russian and Soviet political strategy, both domestic and international, revolves around information. Similarly to how the KGB utilised various methods to control the flow and veracity of information, from spying to false flags to censorship, the Russian state’s overall use of cyber operations primarily focuses on how information and public opinion can be manipulated to advance state interests. Attacks that cause real-world damage happen, but are used to supplement the primary goal of manipulation by causing fear among a populace, spreading misinformation, or paralysing decision making.

Russia has had a long-standing strategic interest in controlling Eastern European countries as a buffer against invasion. In the present day, this means prioritising the use of Eastern Europe as a barrier against an encroaching and aggressive NATO. This interest manifests itself via Russian actions intended to increase its influence among Eastern European countries, particularly Ukraine and the Baltic countries, and especially to isolate these countries from NATO as much as possible. Russia has long since cohesively integrated new technologies into its strategy for maintaining control in an operational theatre, and the use of cyber operations in Eastern Europe simply continues this tradition. These operations, like their parallel KGB techniques, ultimately are rooted in the control and weaponisation of information. These operations are various and include propaganda campaigns via social media and targeted hacking of Eastern European ministries and officials, to name a few.

Rather than examining these attacks on a country-by-country basis, a holistic approach to analysis provides a more comprehensive review of the overarching strategy and use of cyber operations by Russia throughout the former Soviet Bloc. This strategy can thus be characterised by three overarching forms of Russian cyber operations: semi-legitimate operations focused on the control of a narrative, targeted penetration of computer networks in order to gather information, and direct attacks on infrastructure to generate confusion and fear. All of these are predicated on the belief in information as a powerful tool to advance Russian interests and can be used as a covert tool in hybrid warfare.

I. Semi-legitimate operations: Trolls, Social Media, and Controlling the Narrative

Propaganda and careful control of the narrative around conflict have long been crucial components of the Russian approach to political control and influence, both at home and abroad. In the past, influence over media like newspapers and television was all an actor needed to control the information a populace received. Now the internet has provided a radically different system through which people can receive and spread information: social media. Social media has increased the ability of individual citizens to create and share content without going through channels easily controllable top-down by a state actor or a news mogul. In Russia, however, the two are combined, as state control over the media has provided the state with the ability to legitimize social media propaganda by broadcasting it on news networks. It has become more difficult for Russia to determine exactly what information its citizens receive, but the anonymous and decentralised nature of social media has actually made it easier for Russian security services to reach populations outside of its borders. It is possible that Russia has capitalised on the development of social media as a strategic tool for narrative control perhaps more effectively than any other state.

Social media has thus become the favoured method by which the Russian state can inject propaganda into a narrative in order to shape it. The ability to hide the source and intentions of posters means that the propaganda is easy to disguise and therefore effective. The Putin regime has capitalised on this and systematically attempts to control the social media narrative surrounding topics of interest to the regime and state. This is perhaps best exemplified by the so-called “Trolls of Olgino,” a nickname for workers at a social media ‘factory’ near St. Petersburg. The Olgino facility, in which workers take 12-hour shifts constantly pumping pro-Putin and pro-Russian stances on social media while disguised as normal posters, is an extremely sophisticated and efficient propaganda operation intent on shaping the narrative surrounding strategically important Russian interests.

Two additional points give credence to the idea that the Olgino facility has played a significant role in the dissemination of pro-Russian information. First, unsubstantiated anti-Ukrainian social media content is generally quickly picked up and reported on by state-controlled media in Russia and broadcast across Crimea on television, therefore legitimising it. This would be in line with traditional Soviet and Russian holistic intelligence strategy in which multiple technologies and avenues of attack are used in conjunction with each other in order to produce the strongest possible effect. Russian-controlled legitimate media outlets have also played a role in Estonia and contributed to an increasingly polarised political environment between ethnic Estonians and ethnic Russians living in Estonia as part of a broader “infowar” that Russia has been engaged in since the 2007 Estonian cyber-crisis.

Secondly, the Olgino troll factory has been directly implicated in producing pro-Russian content in the Ukrainian conflict, and a direct link between the Olgino facility and the Russian government has been uncovered due to Vyacheslav Volodin, a high-ranking adviser to Putin. Volodin has already been sanctioned by both the European Union and the United States for his political role in the annexation of Crimea, and his ability to coordinate between the regime and the Olgino facility would explain the uptick in pro-Russian posts. The end result of the Olgino facility’s social media propaganda in Ukraine has been an increasingly polarized and volatile Ukrainian political climate, which gives Russia a greater ability to operate covertly. Through the lens of the Ukrainian conflict, we can see how Russian social media manipulation has served larger geopolitical interests in a subtle yet tangible way. This serves as an example of larger Russian attitudes towards conflict, namely that information and public discourse are treated as another front which can be won or lost.

II. Infowar: The Power of Information Access

Russian operations are not limited to social media propaganda campaigns. Indeed, just as the security services did not limit themselves to media manipulation in the Soviet period, their modern incarnations regularly operate outside of the law in order to advance both long- and short-term strategic interests. One form of these clandestine cyber operations has been the use of hacking, specifically the use of hacking to gain access to the opposition’s computer networks and information. These attacks are appealing because Russia can maintain plausible deniability, as definitively proving attribution is difficult. Maintaining plausible deniability has been a large concern of the Putin regime, and this concern manifests also in the use of cyber operations. There are several front groups that claim and execute the hacks, but their direction and strategy come from the Russian security apparatus itself, evidenced by the fact that the hacks done by these front groups closely match the geopolitical interests of the Russian state.

The two most significant front groups with definitive ties to the Russian security services are Fancy Bear (aka APT28) and Cozy Bear (aka APT29) — these groups are affiliated with others, such as “The Dukes,” but these other groups are likely direct subsidiaries or contractors working for the security services. Both groups utilise sophisticated and professional techniques in order to gain access to large numbers of targeted computer networks, particularly the networks of actors that are opposed to Russia either politically or economically. The groups, especially Fancy Bear, have attacked and infiltrated a large number of countries in the former Soviet Bloc, including Poland, Ukraine, Hungary, and the Baltics.

Once a target has been penetrated, the hackers’ purpose is twofold. First, as with traditional signals intelligence, the Russian government becomes privy to the information and plans of the opposition — the benefits of this access are obvious and range from improved military planning to an increased ability to plan for and mitigate opposition political action. The second purpose of gaining access is the ability of Russian security services to access information that may not be politically important but could be embarrassing or damaging to opposition groups if it were to be leaked. This second responsibility makes sense in the context of the larger desire to control the narrative surrounding a political conflict, and clearly elevates the position of the Russian government in this regard.

The information accessed by these hacking groups has been used in several different ways, all advancing Russia’s geopolitical interests. The most prominent examples of the information actually being used have occurred in Ukraine, due to the fact that Ukraine is Russia’s “hottest” conflict in Eastern Europe. The situation in Ukraine serves as the best example of Russian abilities and strategies in regards to hacking as part of a larger information war. The leaked call between US government officials talking about the Ukrainian conflict — and simultaneously disparaging the EU — serves as an excellent example of the selective release of information in order to damage the opposition’s narrative while advancing Russia’s preferred narrative.

The effect of this release and releases like it is difficult to measure; nevertheless, the releases definitely helped Russia shape the public narrative in Ukraine regarding the conflict. Distracting conversation away from Russian actions falls in line with traditional Soviet-era intelligence policy regarding information: confusion works just as well as convincing. Forged documents have also been used and released in order to control the narrative of the conflict. These forgeries are legitimized in two ways. First, Russian groups are usually in a position where they have access to legitimate documents. Second, there are far more genuine leaks than fraudulent ones — people generally assume that the documents in question are legitimate. By the time the fraud has come out, the documents have already entered into the public consciousness and therefore altered the narrative.

Just as with the Russian regime’s use of social media propaganda, we continue to see an overarching strategy that contains many parallels with traditional Russian intelligence work in regards to advancing its interests. The transnational reach of Russian hacking groups simply means that they are now able to utilise narrative strategies traditionally meant for domestic use on the international stage.

III. Ghost in the Shell: From Cyber Operations to Real-World Effect

The last thematic aspect of Russian cyber operations in Eastern Europe has been the use of hacking to damage or disrupt infrastructure. Usually, this is digital infrastructure such as government or opposition websites rather than physical infrastructure, but this is more likely due to lack of political will to escalate or broaden the conflict than to Russia’s inability to damage real-world infrastructure. These hacks are still primarily driven to shape the narrative and information in a conflict. An early example of this kind of hacking was the 2007 Estonian cyber-crisis. After a political spat between Russia and Estonia revolving around the relocation of a statue, many websites in Estonian cyberspace were temporarily taken offline. While the actual effects were minimal, the operation was meant to degrade Estonians’ trust in their government’s ability to protect them while simultaneously creating fear among Estonian leaders. In this way, it could be seen as a warning both to Estonia and to other former Soviet Bloc countries to not interfere with Russia.

Estonia suffered from another attack in 2013. The website for a train service was hacked and a false cessation of services notice was posted, with the reason given being a nearby NATO exercise. The actual cessation never took place, but simply trying to disrupt the lives of Estonians and trying to shift the blame to NATO exercises illustrates the motivation behind the attacks. If one views these types of hacking attacks through the lens of information warfare, this attempt by the Russian government fits in with its overall strategy of using information warfare to advance its geopolitical interests. Estonia’s creation of a Russian-language news station (as an alternative to state-controlled media emanating from Russia) serves as an interesting response to the increasing divide between ethnic Estonians and ethnic Russians in Estonia. With the new station, Estonia hopes to provide a Russian-language outlet without the ability of the Russian government to hijack and shape the narrative in Estonia.

Ukraine has also been the target of more active hacks. For example, there have been extensive DDoS attacks (attacks that overload a website or computer network) against the Ukrainian government, but these are very similar to the 2007 Estonia hacks. However, other attacks have been more serious — including one that took down parts of the Ukrainian electrical grid, likely with the motivation to disrupt the lives of Ukrainians and cause them to lose trust in the Ukrainian government. The attacks typically coincided with important events in the conflict and generally seemed to be motivated by a desire to spread insecurity and confusion among the population.

A more insidious attack on the Kyiv government’s legitimacy is found in the 2014 Ukrainian election. While no actual votes were falsified, the website displaying real-time vote tallies was hacked and displayed inflated numbers for a pro-Putin candidate. The (false) results were immediately broadcast on Russian television networks, therefore legitimising them. The hack was quickly discovered and fixed, but this provides an insight into the multi-pronged and concerted efforts used by the Putin regime to advance its interests in narrative control with both traditional as well as social media. An attack with plausible deniability shifts the focus in a particular way, while state media outlets then report on them as positively as possible in order to legitimise them and disorient the populace.

The more active attacks in Ukraine, in contrast with those facing Estonia, likely reflect the difference in seriousness of conflict in the two countries as well as Estonia’s NATO membership. NATO membership likely dissuades more direct Russian cyber operations due to the deterrence factor of a possible NATO reaction.

Russian cyber operations take many forms, but all seek to control the narrative, a longstanding facet of the Russian approach to intelligence work. Through a combination of semi-legitimate and clandestine activities, in tandem with state-controlled media, Russia can exert influence over former Soviet Bloc countries cheaply and anonymously by shaping and directing the narrative surrounding conflicts. Additionally, there is evidence of the direct involvement of Putin’s advisers or the Russian security apparatus in these operations, indicating that this methodology enjoys favour at the highest levels of governance in Russia. While the Soviet regime was forced to largely confine its propaganda machine to its own borders due to an inability to control media internationally, social media has provided an outlet in which Russian propaganda can be disseminated abroad. Illegal hacks allow them to maintain plausible deniability while serving to strengthen propaganda or manufacture it. The assumed high-level backing of this policy, along with its apparent effectiveness, indicates that cyber operations will continue to be fully integrated into the larger strategic and geopolitical interests of the Russian state.

This piece was originally written in late 2016, before the news of Russian trolls, social media manipulation, and hacking became hot topics in the American domestic political climate. It has since undergone minor edits for spelling and writing style, but no significant content has been added since news broke about Russian interference in the US Presidential Election of 2016.