The Research Group on 'Economy-Security Linkages' FY2021－# 2
"Research Reports" are compiled by participants in research groups set up at the Japan Institute of International Affairs, and are designed to disseminate, in a timely fashion, the content of presentations made at research group meetings or analyses of current affairs. The "Research Reports" represent their authors' views. In addition to these "Research Reports", individual research groups will publish "Research Bulletins" covering the full range of the group's research themes.
The threat of cyber attacks has been increasing around the world in recent years. Attacks by Russia are considered particularly malicious and damaging, and are recognized as threats that disrupt the liberal order. Internationally, it can be said that the influence of Russian cyber attacks, information warfare, and influence operations came to be recognized in the "Russiagate" incident that occurred during the 2016 US presidential election; however, Russian cyber attacks have been carried out before and after this incident.
It has also become clear that amid the Covid-19 pandemic, Russia has been engaged in information warfare through cyber attacks and fake news in an attempt to create international circumstances favorable to its own interests. Numerous cases of cyber attacks were identified that plagued research institutes, universities, pharmaceutical companies, think tanks, and government agencies engaged in developing vaccines against the novel coronavirus. Furthermore, in December 2020, it was revealed that Russia had launched large-scale cyberattacks exploiting a vulnerability in SolarWinds' Orion software from around March. The attacks are said to have stolen important information from several US government agencies, local governments, and important private companies on an unimaginable scale, the worst attacks of their kind in US history. Uncovering the whole picture will reportedly take several years.
Japan cannot remain unafffected. In October 2020, the UK Foreign Office announced that Russia's Main Directorate of the General Staff of the Armed Forces (GRU) had conducted cyber reconnaissance against Tokyo Olympic and Paralympic organizations. In June 2021, it was made public that the Japanese Olympic Committee (JOC) had been damaged by an April 2020 cyber attack in which data stored on PCs and servers were rewritten and operations were suspended, leading to the replacement of approximately 60 PCs and servers at a cost of around 30 million yen.
Analyzing and responding to Russian cyber attacks is undoubtedly an urgent task. This paper clarifies the positioning and characteristics of cyber attacks in Russia, and examines future issues.
Positioning of the Cyber Domain in Russia
Information warfare and its role in cyber space are discussed in Russia in strategic policy documents such as the National Security Strategy (2015 and 2021 editions), Foreign Policy Concept (2016), Information Security Doctrine (2016), Military Doctrine (2014), and Conceptual Views on the Activities of the Armed Forces of the Russian Federation in the Information Space (2016). However, in Russia, cyber warfare and information technology warfare are only part of the overarching concept of information warfare and are positioned as methods used to gain an advantage in information conflict1. It should be noted that the term "cyber security" is not used in the Russian strategy papers; instead, the term "information security" is used, which covers securing both the digital and cognitive domains2.
In addition, cyber attacks are a vital part of Russia's "hybrid warfare."3. Hybrid warfare can be defined as a style of warfare that merges irregular and regular warfare by combining military intimidation and a variety of other means (political, economic, and diplomatic approaches, cyber attacks, propaganda and other tools of information and psychological warfare, terrorism, criminal acts, etc.) to achieve political purposes. Although it is by no means novel, hybrid warfare became strongly recognized as a threat to the world during the annexation of Crimea by Russia and the crisis in eastern Ukraine in 2014. Cyber attacks have great significance as an essential part of Russia's multi-domain operations.
Russia's hybrid warfare is not a strategy in and of itself but is instead a tactic, and it went from being a military concept to becoming part of the theorectical underpinning of Russian foreign policy after the annexation of Crimea4. This holds equally true for cyber attacks and for information warfare, which can be very effective when combined with cyber attacks.
Russian Cyber Attackers
Russia's cyber attacks and information warfare are carried out by a variety of actors, including those with ties to state organizations with specific intentions, criminal groups, patriots and private companies. Judging from recent trends, however, it can be said that cyber attacks by those connected to state organizations or criminal groups are particularly troublesome.
With regard to cyber attackers linked to state organizations, 15 cyber units with the strength of 1000 personnel have been established within the Russian Armed Forces. The cyber attackers which the world is most concerned about are those conducted by intelligence-affiliated organizations such as the GRU, the FSB (Federal Security Service) and the SVR (Foreign Intelligence Service). The scale and damage of their attacks are enormous, and there are countless examples.
APT 28 and other cyber attack groups under the command of the GRU have been active since 2008. They are believed to target the aerospace, defense, and energy sectors as well as government, media and domestic dissidents in hostile states and former Soviet republics. GRU is also said to have targeted the JOC in 2020. They have been making heavy use of phishing messages and spoofed websites to steal information and expose it widely to harm victims. This method makes it easier to establish the facts of the attacks, thereby leading to numerous criminal prosecutions.
Cyber groups such as Turla APT, said to be under the command of the FSB, and APT 29, said to be under the command of the SVR, have been internationally recognized since around 2014, and are characteristically known for large-scale cyber attacks such as those that struck the 2016 US presidential election and those directed at the US and elsewhere in 2020. They are thought to collect useful information for the Kremlin but, as they do not expose this information, their cyber attacks are rarely brought to light.
Numerous other government-related hackers have been identified5.
The cyber attacks by Russia-based cyber criminal groups have become serious problems in recent years. In particular, large-scale ransomware attacks in 2020 and 2021 by Russia-based "REvil" and "Darkside" gained prominence. The ransomware attacks on the Colonial Pipeline by Darkside in early May 2021 and on the world's largest meat wholesaler JBS (headquartered in Brazil but operating many large plants in the United States) by REvil at the end of May, as well as the supply chain ransomware attack by REvil that exploited a vulnerability in the VSA software of Kaseya, an IT systems management service provider, in early July caused especially serious damage.
While the United States has consistently demanded that the Russian government take responsibility for cyber attacks by Russia-based criminal groups, Russia has insisted that it has no relations with such groups and that there is no evidence of any connection. However, there are many experts who believe that the GRU and other intelligence services are connected to, and even payrolling, criminal groups, whose members when successfully prosecuted find their prison sentences significantly reduced6. The International Institute for Strategic Studies (IISS) in the UK has also noted that, due to a lack of funding for cyber attacks, states are also using cybercrime experts and patriotic hackers7.
Characteristics of Russian Cyber Attacks
The characteristics of Russian cyber attacks are as follows.
Firstly, state-sponsored cyber attacks have had especially severe impacts. Russia's first state-sponsored cyber attack is believed to be the 1996 Moonlight Maze aimed at intelligence on US weapons, but the large-scale cyberattacks on Estonia in 2007 and the cyberattacks on the US presidential election in 2016 were markedly devastating. Another characteristic is that there is no lateral or cooperative relationship between these hacker groups.
Secondly, their cyber attacks are the fastest in the world. They possess advanced skills and the ability to complete the operations from penetrating networks, seizing control of PCs and devices to taking systems down in as little as 18 minutes.
Thirdly, though, Russian cyber defense capability is so weak that it is believed to have been able only to respond in ways that imitate US defense methods. One notable episode in this regard came in the wake of repeated Russian cyber attacks against Georgia. The Georgia Computer Emergency Response Team (CERT) used cybertraps to fight back and completely exposed the Russian attackers8. This case of Georgia is a valuable example of offensive defense.
Fourthly, the nature of the attacks varies by purpose and target. This feature is all the more apparent in the context of hybrid warfare. When the purpose is to generate political confusion in Western countries, obtaining and disseminating information are conspicuous means. However, mainly in the attacks on former Soviet republics that Russia considers to be in its sphere of influence, cyber attacks are timed to coincide with military operations, or aimed at having a significantly punitive effect on the targeted countries. In these cases, attacks are often directed against critical infrastructure such as government facilities, online networks, power systems, and banking systems.
In place of conclusion
In this way, cyber attacks from Russia have had significant social and economic impacts worldwide by influencing politics in other countries and by installing ransomware while achieving synergistic effects through influence operations such as information warfare.
The Biden administration in the United States has taken a stern attitude toward Russia over cyber affairs. Cyber issues were an important issue at the first US-Russia summit meeting between President Biden and President Putin held on June 16, 2021. At that meeting, Biden presented Putin with a list of 16 critical infrastructure entities (chemicals, commercial facilities, communications, critical manufacturing, dams, defense industrial base, emergency services, energy, financial services, food and agriculture, government facilities, health care and public health, information technology, nuclear reactors/nuclear materials/nuclear waste, transportation systems, and water and wastewater systems), arguing that Russia should take responsibility for the cyber attacks from Russia and that such critical infrastructure should be excluded from attacks9. However, Putin reiterated his denial of the Russian government's involvement in cyber attacks, and stated at the press conference that most cyber attacks on Russia were carried out from the United States and Canada. While the wide gap between the two countries became clear, an agreement was reached on holding expert consultations between the two countries, and these were soon put into practice. This is an encouraging step toward international cooperation on cyber issues.
Japan will also need to tackle urgent issues of developing multifaceted cyber countermeasures while promoting international cooperation in the cyber domain. This would necessitate securing highly capable human resources in the cyber domain, and training white hackers in order to adopt more pro-active defense posture including offensive defense, while enhancing public awareness by expanding computer literacy capabilities and cyber education10.