A 1960s research project at the Advanced Research Projects Agency (ARPA) began a technology revolution never anticipated and the most significant paradigm change since the invention of movable type. Today, most communications and information operations take place on systems connected to the Internet infrastructure. Dependence on this infrastructure makes users vulnerable to hostile attacks by criminal enterprises and foreign intelligence and military organizations.
Russia stands out as one of the most significant threats. It has greatly expanded its cyber capabilities with respect to intelligence collection, espionage, and cyber warfare, and it engages in these activities on a continuing basis. Consistent with Soviet notions of combating ongoing threats from abroad and within, the present Russian regime also views the struggle over the “information space” as unending.
Offensive cyber operations play a large and increasing role in Russian military operations and in Russia’s strategic deterrence framework. While, for structural and doctrinal reasons, the Russian military and intelligence services were slow to embrace cyber operations, the government is working to bolster the offensive and defensive cyber capabilities of the armed forces and other security institutions. As Russia’s cyber operations grow at a pace and on a scale well beyond what has been widely reported, there is a great opportunity to use open-source information and data to understand the nature of these operations and the threat they constitute.
A central objective of the DARPA SocialCyber program is to utilize a comprehensive approach to understand the culture and the anthropology of the software development process with regard to malicious code and open-source software. Some of Russia’s cyber threats and operational components have resisted identification by traditional intelligence methods: the source data is not part of the usual collection regime, and the artificial intelligence (AI) analytical tools, such as those utilized for this study, rely on a major software development effort integral to the DARPA program. The present analysis looks at how malicious code is distributed, utilizing AI tools to search open-source materials and to extract and analyze the data obtained.
Margin Research has conducted a study of Russia’s cyber operations, hacker community, and open-source code, with a number of key findings:
- The Russian government sees the Internet both as a threat to regime security and as a weapon to be used against its enemies. It generally does not use “cyber” in its doctrines, policy documents, and debates except in reference to Western concepts. Instead, Moscow orients much of its thinking around the notion of “information security” (informatsionnaya bezopasnost)—a much broader concept that includes technical elements like encryption but also includes the state’s ability to control and shape the overall information space. Hence, Russian actors often carry out cyber and information operations in tandem.
- Russia’s cyber operations fit under the “active measures” (aktivnye meropriyatiya) umbrella. For more than a century, Russia has used forgeries, disinformation, and falsehood-propagation alongside assassinations, sponsorship of coups, and other covert activities to project influence and undermine Russia’s perceived enemies. While the Internet and other technological advances brought profound changes, Russian cyber and information operations still emphasize deniability and blur the lines between public diplomacy and propaganda—key features of decades-old active measures.
- Russian military doctrine increasingly emphasizes cyber operations to project power and, conversely, the threat of foreign cyber and information operations to Russia. The 2008 Russia-Georgia War catalyzed Russia’s creation of an official offensive and defensive cyber operations unit; its 2010 Military Doctrine stated that “information warfare” was playing a greater role in military conflict. Since Putin came to power in December 1999, Moscow has carried out cyber operations before initiating armed military conflict to increase confusion, contribute to the “fog of war,” and assert control over the information environment.
- The Russian government uses a network of actors to support its capability development, talent cultivation, and cyber operations. This network includes government cyber units, principally in the Federal Security Service (FSB), Foreign Intelligence Service (SVR), and military intelligence agency (GRU). It also includes cybercriminals and individual developers recruited by the government, “entrepreneurial” hackers approaching the state, and government-created front companies. The government also leverages hackers with mafia-style familial connections to the security services, encourages patriotic hackers, weaponizes private military companies (PMCs), and uses private-sector conferences and gatherings to recruit talent. Understanding Russia’s cyber power requires understanding the numerous actors, including non-state actors, in this complex ecosystem.
- Companies like Positive Technologies, SecurityCode, Kaspersky, Infotecs, and Sberbank Technology play central roles in the Russian cybersecurity ecosystem. Positive Technologies has been sanctioned by the U.S. government for supporting Russian cyber operations and hosting events that the FSB and GRU use to recruit hackers. Infotecs is on the U.S. Entity List for enabling the malicious activity of Russian cyber actors. Their support for the state might be defensive or offensive; they may also simply act as vehicles through which Russian cyber talent is trained and Russian code is developed.
- Russia’s “brain drain” remains a persistent problem. It will likely weaken Russia’s ability to maintain an up-to-date, innovative technology sector and a cyber talent pool, at least in the near term. Nonetheless, Russian universities continue to launch cybersecurity programs, the Russian military now has several, and the government remains intent on developing Russian domestic technology and influencing the global software base.
- Russia has demonstrated a wide range of cyber capabilities. These include phishing, DDoS attacks, password brute-force algorithms, ransomware, and malware to shut down electrical grid Supervisory Control and Data Acquisition (SCADA) systems. This enables Russia to inflict enormous damage on the financial sector and to break into systems abroad for surveillance purposes, ranging from hacks of the Georgian Ministry of Defense to the widespread SolarWinds espionage campaign against the United States. Moscow builds many of these capabilities in-house and has also turned to programmers at companies and cybercriminals to develop capabilities.
- Russia has expanded its focus on open-source software as a replacement for Western technology and to expand its global tech footprint—raising security risks for U.S. software. The Astra Linux operating system is key to Russia’s domestic tech development efforts, and since February 2022, Moscow has accelerated its efforts to remove Western software and hardware, replacing it with Russian technology. Lately, Russian companies have been discussing overseas expansion via software products; Russian developers are working on building an entire Russian technology stack based around Astra Linux; and the Russian government has been purchasing Chinese computers, requiring that Astra Linux be installed on those systems.
- The Margin Research team has developed a set of artificial intelligence (AI) tools to assist in the analysis of Russia’s cyber operations. The analysis covers individuals engaged in open-source development in Russia, China, North Korea, and Iran, in addition to the institutions and agencies supporting them. This extensive data collection and analysis on open-source software contributors enables identification of specific code contributions within the Linux Kernel and of those behind them. It has also enabled analysis of other Russian code outside Linux, such as that of software development kit (SDK) developer Pushwoosh, a Russian organization falsely presenting itself as U.S.-based.
The analysis of open-source software, social media, and those who create it is a useful way to identify suspicious cyber activity and malicious cyber operations, and the novel AI techniques developed by Margin Research support an analysis pipeline for Russian cyber operations and the actors involved. Prior analyses lacked the tools necessary to uncover such behavior, and they also did not have access to the large body of data collected in the present effort. Going forward, it is essential to continue this critical line of research into the Russian cyber ecosystem, an area of increasing significance to U.S. national security.
The full report for this study can be downloaded below: