Untangling the Web of Russia's Cyber Operations

Apr 28, 2017 | 09:37 GMT
In a letter published April 12 in Russian media, a former cybersecurity expert described how the Kremlin recruited hackers to help with its cyber campaigns abroad in exchange for criminal immunity.
Forecast Highlights

  • If the Russian state falls into another period of crisis, the cyber operatives working for the Kremlin could turn against it, much as Moscow's criminal contacts have in the past.
  • Still, the benefits of hiring criminal hackers to conduct cyber operations abroad will continue to outweigh the risks for the Russian government.
  • As investigators around the world keep working to dismantle Moscow's hacking networks, digital meddling in foreign elections will remain a mainstay of Russian intelligence operations.

Russia's interest in foreign elections didn't end with the U.S. presidential race. Two days after the first round of the French presidential election on April 23, a cybersecurity firm based in Japan reported that Russian hackers had targeted Emmanuel Macron's campaign in the runup to the vote. Macron, one of two candidates who advanced to the runoff slated for May 7, had accused the Kremlin of discrediting his campaign, and his staff complained of constant, sophisticated phishing attempts throughout the race. Phishing, though not the most advanced technique, has proved highly effective for conducting criminal activity and espionage; the Kremlin allegedly used the same tactic to interfere in the U.S. vote. Recent developments have shed light on the apparent ties between Russia's state security apparatus and the world's most sophisticated cybercriminals.

Laying Out the System

On April 12, Russian media published a letter from Ruslan Stoyanov, a former security expert at Kaspersky Lab who is currently in prison in Russia on charges of treason. Stoyanov alleged in his letter that the Kremlin had recruited hackers to help with its various cyber campaigns in exchange for immunity from prosecution for their criminal exploits abroad. Allegations like Stoyanov's are difficult to confirm, but the pattern of activity outlined in his letter conforms to previous suspicions over Moscow's cyber strategy.

About a month before Stoyanov's letter surfaced, the U.S. Department of Justice indicted four individuals for their alleged involvement in stealing credentials from 500 million Yahoo accounts. Two of the four defendants are agents with Russia's Federal Security Service (FSB) who, according to the indictment, used their offices to protect two "hackers for hire" — Alexsey Belan and Karim Baratov. The hackers profited off the breach, incorporating it into their existing spamming campaign. Cooperating with the Kremlin, moreover, afforded the cybercriminals protection, just as Stoyanov later described; the circumstances surrounding Belan's escape from arrest in Europe in 2013 suggest he had official help. For the FSB, meanwhile, the intrusion offered access to information on figures of interest, including Russian journalists, government officials and high-profile businesspeople. One can imagine that this kind of intelligence collection may have also proved useful in Russia's efforts to influence the U.S. election, although no evidence has linked the two incidents.

A Symbiotic Relationship

Moscow's ties to the world of cybercrime are just the latest manifestation of a well-established trend. The Russian state has been entwined in crime since long before the dawn of the internet, often in a kind of symbiosis with criminal organizations. Under Soviet rule, for example, Russian officials generally turned a blind eye to smugglers, who then sold them contraband luxury goods. The black market was the closest thing to a free market for most of the Soviet era, and it offered the Kremlin a way to relieve pressure on the Soviet people and economy. But even after the liberal reforms of the late 1980s and the Soviet Union's collapse in 1991, Russian capitalism struggled to break free of its corrupt roots. The early post-Soviet years were a period of plunder. Criminals took advantage of the state's weakness to line their pockets. Then, as Russia regained its footing, the country's gangsters and bandits began to cooperate with the government — a pattern that has played out in several countries over the years.

Many of the most successful criminals to emerge during the 1990s were themselves a part of the crumbling Soviet system. Military personnel and KGB agents stationed around the world capitalized on their access to valuable arms and intelligence to keep themselves afloat as their government imploded. Soldiers and intelligence officers made the most of their precarious position by selling off state property — including, in at least one instance, a submarine — for their own profit. Viktor Bout, a former army linguist and officer in Russia's Military Intelligence Directorate (GRU), offers perhaps the most infamous example. Before his arrest in 2008, Bout had become one of the world's most prolific arms dealers, alternately preying on and working with the Kremlin to suit his business.

Today, Russia is enjoying a period of strength relative to the chaos of the 1990s. If history is any guide, however, its fortunes could easily change, and with them, the criminal class's allegiances. Stoyanov's letter warned of the danger that the hackers currently in the Kremlin's employ could turn against it one day.

U.S. Indictments of Russian Hackers

No Risk, No Reward

Notwithstanding the risks of hiring criminals, the ends of such an arrangement often justify the means. Relying on agents for hire to carry out certain operations may be an economic necessity for cash-strapped governments. As states vie for primacy — or at least strategic advantages — in the cyber realm, they have to compete to recruit the best people in the field. And they don't come cheap. The U.S. Department of Homeland Security suffers from high turnover in its cybersecurity leadership roles, in part because it can't keep up with the private sector's salary offerings. Peter Levashov, another Russian spammer arrested earlier this month, purportedly charged $500 for every 1 million messages he sent, a rate that could have earned him up to $750,000 a day. The Russian government can never hope to match that pay. It can, however, offer other incentives to draw in experts like Levashov, including legal immunity.

Keeping cyber operatives off the books also affords governments a degree of plausible deniability. After all, listing one of the world's most notorious spammers on its payroll would reflect poorly on Russia's image, and on its tradecraft. Most countries with advanced intelligence capabilities maintain operatives under non-official cover. These agents don't receive the same protections that registered foreign officials enjoy, but by the same token, they don't attract the same scrutiny. Consequently, they have much more latitude to conduct sensitive operations. Creating and maintaining non-official cover is a daunting task, though, especially in the age of social media. An even safer bet for governments is to avoid establishing an official relationship with cyber mercenaries in the first place.

Common Practice

Russia isn't the only country reaping the economic and practical benefits of working with unofficial agents. China's intelligence services routinely recruit Chinese nationals living abroad and working in strategic sectors to conduct operations on their behalf. In January 2016, for example, U.S. authorities uncovered an industrial espionage scheme in which Chinese operatives apparently tried to poach Chinese-American scientists from GlaxoSmithKline PLC to start a rival company. The intelligence officials set up their recruits with their own firm in China, and in exchange, they received exfiltrated proprietary information — all without adding anyone to their payroll.

The Kremlin has every incentive to exploit its access to some of the world's most sophisticated hackers. And despite the damning allegations in Stoyanov's letter, the Russian government has so far maintained its plausible deniability, offering its word against that of a man in prison for treason. Though investigators in the United States and France will keep working to dismantle Moscow's hacker networks and arrest the architects behind them, digital interference in foreign elections will be a hallmark of Russian intelligence operations for years to come.

Copyright © Stratfor Enterprises, LLC. All rights reserved.