Russia is firmly established in the popular imagination as the hacker superpower (even if this is only partly true), and some in Moscow even seem to relish this. However, as June’s notPetya incident demonstrated, the Russians actually ought to be less comfortable about a brave new world of weaponised hacks and viruses.
As Russia’s guerrilla geopoliticians look for asymmetric ways of undermining their supposed rivals in the West, hacking seems to be a cheap, easy and effective instrument. From breaking into US Democrats’ emails to launching massive DDOS attacks (crashing systems with deluges of queries) on Estonia in 2007, Georgia in 2008 and Ukraine periodically but especially from 2014, this has indeed become a central instrument of Russian political war. It may not always have the intended effect – Moscow probably did not anticipate Donald Trump’s election, and its attempt to discredit France’s Emmanuel Macron with doctored leaks backfired – but it has certainly kept Russia in the headlines. For a Kremlin desperate to affirm that Russia matters in the world, it is tempting to suspect that no news is bad news.
The first reason why Moscow may want to think again is reputational. When notPetya first started ravaging Ukraine’s computer infrastructure, Kyiv blamed Moscow. To a considerable degree this was without any real evidence, just the flimsy basis that Russia undoubtedly hacks Ukraine frequently and that this was “clearly” timed to coincide with the country’s Constitution Day. This was, however, really a knee-jerk response – pretty much everything which goes wrong in Ukraine ends up blamed on Russian President Vladimir Putin somehow, it seems – but nonetheless it received a more receptive audience than it might, precisely because Russia does do this kind of thing.
Ironically, evidence would later begin to emerge suggesting a Russian dimension, although it is not yet possible to say whether it was a government initiative or carried out by self-tasking “patriotic hackers”. The fact that it specifically targeted the M. E. Doc accounting software adopted to replace the Russian-standard 1C package, banned by Kyiv, and that the apparent demand for ransoms appears to have been a masquerade, does suggest Ukraine was a specific target, and that the intent was disruption and not financial gain.
Nonetheless, Moscow now finds itself in a situation in which it is often blamed ahead of any proof, and regardless of whether that proof ever appears.
The second reason is practical. It is noteworthy that, having started by blazing through Ukraine’s systems, notPetya also spread into Russia, hitting Rosneft and Evraz, probably through their Ukrainian affiliates.
Russia has historically been less affected by malicious hacks and virtual crimes than comparable countries. In part, this reflects the informal understanding with Russia’s own hacker demi-monde: do what you want outside the country, but don’t mess at home. For a long time, this virtual ceasefire held. Besides, the real money was to be made in the West, and this was also where hackers felt the real tests of their skills were to be found.
For a variety of reasons, though, it has now broken down. There is more profit to be made at home. The security agencies not only demand favours from the hackers but even recruit them – sometimes as an alternative to prison – then the two-way relationships criminalise the very state agencies meant to control cyberspace. A new generation of hackers has little time for the Kremlin and its “patriotic hacker” script-kiddies (in other words, those who simply use off-the-shelf malware), and also sees more of an exciting challenge at home.
For these reasons, Russia’s government and business cyber defences are rather less robust than they might be, having relied so long on a degree of immunity. It was noteworthy that Russia suffered disproportionately from the recent WannaCry ransomware attack linked to North Korea. Pirated Windows systems and programmes – which are the most vulnerable because they cannot be updated properly – are in widespread use. Even the police reportedly relies on them. The central bank has also warned that the national Mir payment card, established as part of the country’s financial security strategy, may well be vulnerable to cyber attacks.
Meanwhile, there has been an upsurge in Chinese hacking of Russian companies for intellectual property theft (aerospace firms seem to be a particular target) and even domestic cracking of banking systems. It is worth noting that China, the US and even Turkey outstrip Russia as sources of cyber attacks, so an anarchic world in which black hat hackers (those who engage in illegal or malicious hacking) attack any system vulnerability they find would be an uncomfortable place for Russia.
This should also make those gung-ho Russian strategists who seem to relish the idea of fighting an undeclared virtual cyberwar with the West think twice. The capacity to persuade some technologically-challenged Democrat staffers to click on a link they ought not, or to exploit a weakness identified by the National Security Agency, does not represent evidence of some extraordinary cyber capacities.
Here’s the irony; while Russia may have all the evil hackers in the movies, in reality it is likely the US and other Western countries that have more formidable cyber weapons at their disposal. For some time, Russia has been lobbying for a UN-brokered global cybersecurity accord, but in a cynical way, seeking to retain its own freedom of operation and simply denying its clear role in such operations. It may well come to regret playing a role in the normalisation of hacking as politics and business by other means.
Mark Galeotti is a senior researcher at the Institute of International Relations Prague, a visiting fellow with the European Council on Foreign Relations, and the director of Mayak Intelligence. He blogs at In Moscow’s Shadows and tweets as @MarkGaleotti.