Colonial Pipeline ransomware attack image: Mendoza College of Business, University of Notre Dame

This is part five of a series, ‘Lessons from the first cyberwar.’ Read part one, part two, part three and part four.

After its early cyber operations against Georgia and Ukraine, Russia expanded its targeting of Western states, especially following Putin’s first invasion of Ukraine in 2014. According to former US ambassador to Russia Mike McFaul, Russia wanted to promote instability in Western democracies and to undermine the credibility of democratic processes.

Following the illegal annexation of Crimea, Russia engaged in smaller-scale distributed-denial-of-service (DDoS) attacks to take out websites. However, it would grow bolder in its attacks against the West. In 2015, German investigators found that hackers had successfully breached the computer network of the Bundestag, the German parliament. 

The 2015 Bundestag cyberattack revealed deficiencies in German cyber security. Image: louisjarvers.de

This was considered the most significant cyberattack in German history due to the importance of the targeted institution, as Germany believed that Russia wanted to steal information to disrupt its democratic elections. In 2016, there was a cyberattack on the Christian Democratic Union (CDU), the political party then led by Chancellor Angela Merkel. 

The attackers targeted the CDU to gain access to sensitive information. Their primary objective was to harvest account names and passwords of party members, which would have granted access to internal communications and potentially confidential data. The attack did not succeed, but it reinforced Russia’s perception that it could wage cyber war against the West without fear of retribution.

Russia has been implicated in a series of cyberattacks against the UK, targeting various sectors. The UK has been one of Ukraine’s strongest Western backers since Russia’s first invasion in 2014. One of the major cyber operations attributed to Russia was organized by the Federal Security Service (FSB).

The UK Government has identified the FSB’s Center 18, and its unit Star Blizzard, as being responsible for sustained attempts to interfere in UK politics. This included spear phishing attacks on parliamentarians in a range of political parties from 2015 onwards, hacks of UK–US trade documents before the 2019 general election, and breaches of think tanks and civil society organizations. The attacks aimed to undermine trust in UK politics and democratic processes and leak secret documents.

In 2014, Russian hackers launched an industrial sabotage campaign by targeting oil and gas companies in the West. 

The United States has borne the brunt of major Russian cyberattacks since Russia’s 2014 invasion of Ukraine. The most notorious incident occurred in 2016, when Russian hackers interfered in the US presidential election by breaching the Democratic National Committee and leaking sensitive information through WikiLeaks.

The global reach of Russian cyber operations was evident in 2017 with the NotPetya attack, which initially targeted Ukraine but caused considerable collateral damage to US and other Western companies. The White House press secretary’s office reported that the cyberattack was connected to the Russian goal of destabilizing Ukraine. 

In what would become one of the most devastating cyberattacks ever launched, Ukraine was hit with an attack involving the NotPetya ransomware, which took place on June 27, 2017. Former US Department of Homeland Security advisor Tom Bossert stated that the use of NotPetya was like ‘using a nuclear bomb to achieve a small tactical victory.’ Image: Bleeping Computer

Tariq Ahmad, UK Minister for Cybersecurity at the Foreign Office, described the attack as “reckless,” emphasizing its blatant disrespect for Ukrainian sovereignty. He highlighted the vast financial impact of the attack, noting that it cost European organizations hundreds of millions of pounds.

NotPetya showed that even though Ukraine is the epicenter for Russia’s cyber aggression, the impact of this cyber war is global. Helping to defend Ukraine in cyberspace will defend all of the West. In 2018, the US energy grid and other critical infrastructure sectors faced targeted attacks from Russian Government hackers, prompting a joint government alert between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). 

The hackers also targeted vendors and smaller companies with weaker defenses, using techniques such as spear phishing as stepping stones to gain access to more significant networks and install malware. 

Once inside, the hackers observed and learned how the computer systems worked, gaining greater insight into how power plants work and transmit data. Russia’s goal from the hack was to showcase its growing cyber power and demonstrate its ability to hack critical infrastructure in the US.

With no strong response to deter future attacks – despite the fact that hacking critical infrastructure in the West was considered to be crossing red lines – Russia would only grow bolder with its cyberattacks.

A sophisticated espionage campaign was discovered in December 2020: the SolarWinds hack, in which Russian operators (later attributed by the US Government to the SVR foreign intelligence service) gained access to numerous companies and US Government agencies through a trojanized update to SolarWinds’ Orion IT management software. The backdoor went unnoticed for several months while the company distributed signed software updates carrying the hackers’ code to its clients globally.

This attack enabled hackers to gain access to various US Government networks, including those operated by the Department of Homeland Security and the Treasury Department. The US Government followed up after the attack with sanctions against Russia. Through a routine software update, Russia had conducted “one of the most effective cyber-espionage campaigns of all time,” according to Alex Stamos, director of the Internet Observatory at Stanford University. 

An investigation by National Public Radio into the SolarWinds attack revealed a hack unlike any other, launched by a sophisticated adversary intent on exploiting the soft underbelly of Americans’ digital lives. Image: Zoë van Dijk for NPR

US and European governments began grappling with the uncertainty regarding cyber red lines, and this intensified in the wake of the SolarWinds breach. In response to the attack, Marcus Willett, a former senior cyber advisor to Britain’s digital intelligence agency GCHQ, cautioned the US to be reserved in its response to Russia’s “surgical” espionage campaign. 

Russian threat actors have long exploited the lack of clarity in cyber security policy and have continued to leverage this ambiguity further. 

In May 2021, Colonial Pipeline was hit with a ransomware attack by the Russia-based criminal group DarkSide. The ransomware encrypted the company’s IT systems; Colonial shut down pipeline operations itself as a precaution while it assessed the extent of the intrusion.

The attack was so devastating it led to jet fuel shortages for airlines and created long queues at petrol stations and a spike in gasoline prices. People were rushing to fill plastic bags with gasoline, and the government had to issue a warning for people to only use containers intended for use with fuel. Several US states had to declare a state of emergency.

Colonial Pipeline was not a software supply chain attack: by the company’s own account, the intruders got in with a single compromised password for a legacy VPN account that was not protected by multi-factor authentication. Supply chain attacks such as SolarWinds, by contrast, exploit a trusted component already inside an organization’s network, and tracking every application component and its potential vulnerabilities is challenging even for large organizations.

Five days after the Colonial Pipeline shutdown, the Biden Administration issued Executive Order 14028 in May 2021, requiring US agencies to enhance their cybersecurity, including by adopting software bills of materials (SBOMs). An SBOM is a machine-readable inventory of the components inside a piece of software; it lets an organization identify and update affected components quickly when a vulnerability is disclosed, and helps buyers assess product risk before purchase.
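The check that an SBOM makes possible, as an added example (this is not code from the original article or from any real SBOM tool): a small Python scanner that reads a CycloneDX JSON document, cross-references each component’s package URL and version against a list of advisories, and traces the dependency chain that pulls each affected component into the build. The SBOM, package names and advisory identifiers are constructed for illustration and do not refer to real projects or CVEs, and the version-range syntax is a simplified stand-in for the affected-range formats used by real advisory feeds.

```python
"""Scan a CycloneDX SBOM for components in an advisory's affected range
and trace how each hit is pulled into the build.

Constructed example: the SBOM, package names and advisory IDs are invented
for illustration and do not refer to real projects or CVEs.
"""
import json
import re

# Minimal CycloneDX 1.4 JSON (constructed) for a hypothetical "billing-portal" app.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "metadata": {"component": {"bom-ref": "app", "type": "application",
                             "name": "billing-portal", "version": "1.0.0"}},
  "components": [
    {"bom-ref": "pkg:npm/web-framework@4.17.1", "type": "library", "name": "web-framework",
     "version": "4.17.1", "purl": "pkg:npm/web-framework@4.17.1"},
    {"bom-ref": "pkg:npm/example-logger@2.3.0", "type": "library", "name": "example-logger",
     "version": "2.3.0", "purl": "pkg:npm/example-logger@2.3.0"},
    {"bom-ref": "pkg:npm/yaml-parser@1.9.2", "type": "library", "name": "yaml-parser",
     "version": "1.9.2", "purl": "pkg:npm/yaml-parser@1.9.2"}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["pkg:npm/web-framework@4.17.1", "pkg:npm/yaml-parser@1.9.2"]},
    {"ref": "pkg:npm/web-framework@4.17.1", "dependsOn": ["pkg:npm/example-logger@2.3.0"]},
    {"ref": "pkg:npm/example-logger@2.3.0", "dependsOn": []},
    {"ref": "pkg:npm/yaml-parser@1.9.2", "dependsOn": []}
  ]
}
"""

# Constructed advisories, keyed by the version-less part of the purl.
# "affected" is a simplified comma-separated constraint list (all clauses must hold).
ADVISORIES = [
    {"id": "EXAMPLE-2021-0001", "package": "pkg:npm/example-logger", "affected": ">=2.0.0,<2.4.1"},
    {"id": "EXAMPLE-2021-0002", "package": "pkg:npm/yaml-parser", "affected": "<1.9.0"},
    {"id": "EXAMPLE-2021-0003", "package": "pkg:npm/web-framework", "affected": ">=5.0.0"},
]

_OPS = {">=": lambda c: c >= 0, ">": lambda c: c > 0,
        "<=": lambda c: c <= 0, "<": lambda c: c < 0, "==": lambda c: c == 0}


def parse_version(text: str) -> tuple:
    """'1.9.2-beta+build' -> (1, 9, 2); pre-release and build metadata are ignored."""
    core = text.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(re.match(r"\d+", p).group()) for p in core.split("."))


def _compare(a: tuple, b: tuple) -> int:
    """Three-way compare, padding the shorter tuple with zeros so 1.2 == 1.2.0."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def version_in_range(version: str, spec: str) -> bool:
    """True when every clause of spec (e.g. '>=2.0.0,<2.4.1') holds for version."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(>=|<=|==|>|<)\s*([\w.+-]+)\s*", clause)
        if not m:
            raise ValueError(f"unsupported constraint: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](_compare(v, parse_version(bound))):
            return False
    return True


def dependency_paths(sbom: dict, target: str) -> list:
    """All dependency chains from the root component down to target."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    root = sbom["metadata"]["component"]["bom-ref"]
    paths = []

    def walk(node, trail):
        if node == target:
            paths.append(trail + [node])
            return
        if node in trail:  # guard against cyclic dependency graphs
            return
        for child in graph.get(node, []):
            walk(child, trail + [node])

    walk(root, [])
    return paths


def find_vulnerable(sbom: dict, advisories: list) -> list:
    """Cross-reference each component's purl and version against the advisories."""
    findings = []
    for comp in sbom.get("components", []):
        purl, version = comp.get("purl"), comp.get("version")
        if not purl or not version:
            continue
        package = purl.rpartition("@")[0] if "@" in purl else purl
        for adv in advisories:
            if package == adv["package"] and version_in_range(version, adv["affected"]):
                findings.append({"advisory": adv["id"], "purl": purl,
                                 "paths": dependency_paths(sbom, comp["bom-ref"])})
    return findings


def scan_embedded() -> list:
    """Run the scan over the constructed SBOM above."""
    return find_vulnerable(json.loads(SBOM_JSON), ADVISORIES)


if __name__ == "__main__":
    for f in scan_embedded():
        print(f"{f['advisory']}: {f['purl']}")
        for path in f["paths"]:
            print("  via " + " -> ".join(path))
```

Against the constructed inventory, only example-logger 2.3.0 falls inside an advisory’s affected range, and the dependency trace shows it is not a direct dependency of the application but is pulled in through web-framework, which is the question an operator needs answered before deciding which package to bump. Real advisory feeds (OSV, NVD) express affected ranges in richer formats than the simplified constraint syntax used here.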

A month later, JBS Foods, a major meat processing company, fell victim to a ransomware attack by a Russia-based group, forcing all nine of its beef plants to close temporarily. The attack also affected its poultry and pork processing plants in the US. This shutdown had serious implications for the meat supply chain in the US, with concerns about potential shortages and spikes in meat prices.

The White House placed the blame for the attack on Russia and said it was “considering all options regarding how to respond.”

However, Russia continued its pattern of bold cyberattacks that were never followed by a strong response from the West.

NEXT: Cyber warfare following Russia’s full-scale invasion of Ukraine (2022 – present)

David Kirichenko is a Ukrainian-American security engineer and freelance journalist. Since Russia’s full-scale invasion of Ukraine in 2022 he has taken a civilian activist role.

These articles are excerpted, with kind permission, from a report he presented at the UK Parliament on February 20 on behalf of the Henry Jackson Society.


2 Comments

  1. “In 2016, there was a cyberattack on the Christian Democratic Union (CDU), the political party then led by Chancellor Angela Merkel.”

    LOL! Everyone knows who was hacking Merkel’s phone, and it wasn’t Russia! Plus, she was so terrified of pointing the finger at Five Eyes that she didn’t say squat, sort of like Scholz after the bombing of the Nord Stream pipelines!