Cyberattacks and information operations aimed at disrupting critical infrastructure and influencing public opinion are constantly growing. In this context, the MENA Research Center talked to Andrzej Kozłowski, Assistant Professor at the University of Łódź, whose main areas of research are cybersecurity and information operations. The conversation was conducted by Denys Kolesnyk, a French consultant and analyst with a particular interest in operations in the cognitive domain.
Recently, I’ve read your article about Russian activities in the Ukrainian cyber and information space. So, let’s start with this: what are the Russian tactics and strategies in the cyber domain? How have they evolved over the past few years? And, finally, is there any regional particularity with regard to cyber operations?
First of all, I should note that I don’t observe any significant evolution. And, it’s important to highlight that Russia perceives the cyber attacks as a part of the broader conception of information warfare. It’s something that differentiates Russia from the Western world, where we mostly understand cybersecurity from the technical point of view, while the cognitive domain with strategic communication and information is separated from each other. And that’s not how the Russians see it.
They are not used to cybersecurity or cyberspace. The Russians pretend to use the terms information security and information warfare, and cyber attacks are a part of it. But as I said, it’s just a part of it, used to achieve information dominance and information superiority, because that is the main aim of the Russians according to their doctrine.
Throughout all this time Russia has been focused on several aspects, and first and foremost — espionage. And espionage in the cyber domain gives enormous opportunities. In the more traditional human domain, Russia was also very active. Therefore, the Russians moved to cyberspace with these three main bodies of the Russian intelligence and counterintelligence system, namely GU (formerly known as GRU), SVR and FSB. Hence, cyber espionage became the main domain for them.
The second aspect is the attacks on critical infrastructure that happened even before the large-scale invasion. It should be understood that Ukraine has been a testing ground for Russian cyber tactics. The Russians tried many techniques and attacks, including those happening in 2015 and 2016 against Ukrainian power plants. These successful attempts caused short-term blackouts in the middle of winter, and, considering the harsh winters in Ukraine, the lack of energy posed significant problems for the people.
There have also been massive attacks aimed at paralyzing entire countries. For example, in 2007, there was a massive distributed denial-of-service (DDoS) attack to disrupt Estonia’s internal services, compelling Estonia to reconsider its political decision to move a Bronze statue dedicated to the Red Army to a different place.
In 2016, the NotPetya virus was used to disrupt Ukrainian systems, affecting many IT systems of airports, the Kyiv metropolitan, and both government and private sectors. Although these operations were initially successful, they eventually failed to achieve their long-term objectives. Lastly, we must also remember the role of information operations and the importance of hack-and-leak strategy in these efforts.
Hence, hacking into the systems of certain organizations to steal data, exfiltrate it, and later use it with fabricated or forged documents is a tactic used to influence decision-making processes. These manipulated documents are spread across the internet to sway certain processes or decisions.
During the large-scale invasion of Ukraine by Russia, the initial attacks included a massive salvo of wiper programs that aimed to disrupt and destroy data rather than steal it. They don’t try to remain invisible; their presence signals a clear intent to damage or destroy systems. This was the largest salvo ever seen in the history of cyber conflict so far.
Despite the scale of the attack, it largely failed to impact Ukrainian systems as planned because the Ukrainians defended well. Due to limited resources, Russia then shifted back to its specialized operations, focusing more on espionage rather than influence operations. This involved increased efforts in exfiltrating data and spying on IT systems to provide better intelligence for military operations and pre-planned conventional strikes.
But since then, Russia has rebuilt its capabilities, including the destructive wiper programs, and has once again used them against critical infrastructure. They appear to be increasingly successful, as evidenced by a recent serious cyber attack against the Ukrainian mobile telecom network, which caused significant service disruptions and impacted ordinary citizens. Additionally, there have been attacks on other critical infrastructure, although details about these attacks, including their success and impact, are not publicly available.
We are witnessing more frequent and successful penetrations of Ukrainian systems. Moreover, Russian operations are also targeting Western countries, involving espionage and sabotage attempts aimed at derailing or delaying Western military support to Ukraine.
And to answer the last part of your question, I don’t think we can differentiate cyber operations by region because they generally serve the same strategic goals. These operations aim to gain unauthorized access to systems, and once access is achieved, the objectives can vary. The information can be stolen for espionage purposes, used to amplify information operations, or the data can be destroyed. The techniques are quite similar everywhere.
However, when it comes to information operations, there are clear differences. In the case of pure cyber operations, though, the strategies remain consistent.
Regarding Europe and specifically Poland, I’ve been monitoring activities for at least six months, and it seems that large-scale operations began in earnest after Russia’s full-scale invasion of Ukraine. In the Kaliningrad region, there is equipment capable of spoofing GPS signals, and there have been instances where this has disrupted GPS signals in almost half of Poland.
Can you elaborate on it? Why are they doing it? Does it really have an effect on the ground in Poland?
The easiest answer to your last question is that no, it’s not affecting ordinary Poles using GPS in Poland. However, the disruptions are not merely cyber capabilities but rather electronic warfare capabilities by the Russian Federation.
There are several interpretations of this issue because it’s occurring not only near the Kaliningrad region but also close to the Estonian border. Recently, we’ve heard that Finnair suspended flights to Tartu due to these GPS disruptions. The first interpretation is that it is part of hybrid activities against NATO countries. These activities are harmful to NATO nations but fall below the threshold of conventional war and armed attack as defined by UN documents. This is likely the first step in such a strategy.
Another interpretation is that these massive GPS disruptions are intended to protect against drones, specifically Ukrainian drones. While modern jets have alternative techniques to determine their location, GPS is still the most common system for commercial airlines and smaller engines. Therefore, these disruptions pose a real danger to flights, and accidents could potentially occur as a result.
The problem also lies in countering such actions. I am not certain if it is possible, for example, to disrupt these measures using non-kinetic tools — to disrupt the disruption, so to speak. I don’t know if it’s possible at all. Nevertheless, this is one of the harmful activities that Russia is directing against the West.
And actually, could you talk a bit more about Poland? What strategies does your country use to mitigate the Russian cyber threat and, more broadly, Russian information activities? What kind of legislative tools do you have, and what activities does the state undertake to address these issues and protect the country from such malign activities?
Regarding cyber attacks, I think we are managing quite well since there have been no significant successful attacks against Polish systems. This suggests that we are doing a good job.
One crucial decision by the government, made two days before the large-scale invasion, was to escalate the alert level from Alpha, the lowest, to Charlie, the highest, before an incident occurred. Delta is the highest level, but it is only enforced once an incident has actually happened.
The Charlie level indicates that there is reliable information suggesting a potential cyber incident, posing a serious and significant threat to systems. This level imposes specific obligations on critical infrastructure administrators and public administration entities. These obligations include making employees aware of the threats, organizing information campaigns to enhance cyber defence, and ensuring that there is a 24/7 cybersecurity team ready to neutralize any threats.
Statistics from our CERT (Computer Emergency Response Team) indicate a significant spike in attempted cyber attacks. However, as I mentioned, there is no clear evidence of any significant successful Russian cyber attack.
However, we need to stress one thing. In March 2022, a month after the invasion, we experienced a disruption in our train system. Considering that the rail network is crucial for Poland’s economy, military aid to Ukraine, and refugee transportation, initial reports suggested it might be a Russian cyber attack. However, it was determined to be a malfunction of IT equipment.
We must remember that the goal of cyber attacks is often to cause equipment malfunctions. Sometimes it’s very difficult to determine if a malfunction is due to a technical issue or a cyber attack. In the case of the train problems, it was a technical malfunction, but a similar disruption could occur from a Russian cyber attack.
Unfortunately, Poland is less successful in combating information warfare. There are ongoing reforms, such as appointing a special advisor in the Ministry of Foreign Affairs to combat foreign disinformation and establishing a new center at NASK under the Ministry of Digital Affairs. However, I don’t see any coordination or a comprehensive system being built.
We lack media literacy programs, leaving people vulnerable to disinformation. What’s even more problematic is that some people, including authorities and experts, believe that because of our history with Russia, we are immune to Russian disinformation. However, Russian disinformation in Poland operates in different ways and continues to be a significant challenge.
There is also a Belarusian contribution to it, which is often disregarded by Polish authorities and experts, who say that the Belarusian secret services, propaganda and cyber attacks are almost the same as the Russian ones. This is not true: they are cooperating closely, but they are still two different structures with different aims.
So we need to keep these factors in mind. Unfortunately, if you look at the statistical surveys showing support for Ukraine, it’s decreasing significantly. This decline isn’t solely due to Russian disinformation but also stems from harmful statements made by Ukrainian politicians. For instance, President Zelensky’s remarks at the United Nations implied that Poland was aiding Russia by blocking Ukrainian grain imports. Regrettably, active information operations are underway, and there seem to be no effective strategies to counter or halt them.
Perhaps you could provide some insight into the latest narratives being propagated by Russia in Poland within the framework of disinformation warfare?
In their disinformation campaigns, Russia and Belarus are currently pushing narratives related to a former Polish judge who defected to Belarus and is now acting as an influence agent. This isn’t just a typical troll factory or online operation; it involves the use of old KGB techniques, such as deploying agents of influence.
Pro-Russian channels on platforms like Telegram and Twitter are amplifying this narrative. The former judge also has his own social media accounts, including Twitter, Facebook, and Telegram. Interestingly, it appears that he may not be directly responsible for the content on these accounts, as there are numerous mistakes characteristic of non-native Polish speakers, making it relatively easy to identify. But this is the main narrative, of course.
There was also a narrative linked to the assassination attempt on Slovakian Prime Minister Robert Fico, suggesting involvement by Ukrainians or Americans.
Lastly, former protests have been exploited by Russian propaganda to portray the European Union as a threat to Polish farmers’ futures, even suggesting that Vladimir Putin could be a saviour for them, along with other anti-EU narratives. So, these are the three main narratives currently visible in the Polish infosphere.
After Hamas’ attack against Israel, the Israelis used various techniques to gather support from the population, similar to those employed by Ukraine during the Russian invasion. Can you provide insights into Iranian cyber information operations in general, and particularly in this context?
Yes, absolutely. After the Israeli Stuxnet attack against the Iranians that happened in 2010, Iran made significant investments in their cyber capabilities. As a result, one of the first successful cyber attacks carried out by Iranians occurred against the Saudi Aramco company in 2012. Later on, there were even attempts to target critical infrastructure in the United States.
It is interesting, however, that when Hamas attacked Israel, there was no significant prior cyber campaign, unlike what Russia had done against Ukraine. Despite possessing limited potential in the cyber domain, Hamas decided not to use it. However, following the attack, numerous Iranian groups and proxies, including Hezbollah and Hamas, along with others in the Middle East who are against Israel, decided to engage and join in cyber activities.
Nevertheless, most of these cyber attacks were relatively simple from a technical point of view. And given the fact that Israel maintains one of the highest levels of cyber defence, those attacks were mostly not harmful. But there were a few successful attacks, and among them was the breach of systems belonging to a local government entity, which was then utilized for influence operations. Messages were sent to Israel, highlighting their presence and questioning the government’s ability to ensure security.
Additionally, there were information operations involving false websites soliciting blood donations for the victims of the attacks. One such website attempted to impersonate Israel’s largest hospital. In response to these attacks, Israel retaliated by targeting gas stations in Iran in December, causing temporary paralysis of their activities for a few hours.
While Iran remains the most active player in this conflict, its significance in cyber warfare is not as pronounced as in the case of the Russo-Ukrainian war.
What mechanisms does NATO have to enhance cooperation among member states in the cyber and information sphere? How has the inclusion of cyber among the domains of warfare at the NATO Warsaw Summit in 2016 influenced the threshold at which we can speak of a conventional conflict? And what criteria determine when cyberattacks cross the threshold of war?
NATO has opted to analyze each cyber operation on a case-by-case basis when considering the invocation of Article 5 or even Article 4 of the Washington Treaty. However, it’s crucial to recognize that these decisions are primarily political. It’s less about the scale and size of the attack and more about the political will to act upon it.
Research by NATO and affiliated institutions typically focuses on the size, timing, and scale of attacks, but most importantly, the consequences. NATO has also decided that an accumulation of several cyber attacks, rather than one large attack, could trigger a response. These attacks could target critical infrastructure like dams, energy systems, transportation, and military facilities as part of a broader campaign.
NATO has tools such as the NATO Cyber Security Centre, which is responsible for designing, implementing and operating in four areas: scientific and technical expertise; supporting acquisition; maintenance and sustainment; and conducting operations and incident response. However, it’s important to remember that individual states have their own cyber capabilities, while NATO itself does not possess significant cyber capabilities.
NATO is increasingly accepting the concept of permanent engagement, which suggests that the distinction between peace and war in cyberspace is false. States are constantly engaged in low-level cyber activities that stay below the threshold of armed attack. This constant engagement often involves espionage, which has existed long before NATO and has never triggered Article 5 or Article 4 consultations.
And on a final note, do Middle Eastern countries like Turkey, Saudi Arabia, and Egypt have cyber and information operation capabilities and policies similar to those of Iran and Israel?
I don’t have specific knowledge about the capabilities of these countries. But what I can say is that they are very rich monarchies from the Gulf and have hired ex-NSA, ex-Cyber Command, or former intelligence and military personnel from the West for their own purposes. For instance, we know about the Pegasus scandal and other spyware issues. There were also hackers hired by the Gulf monarchies to achieve their strategic goals. This is quite common because they have a lot of money and can afford it.
There are also efforts in the United States to introduce laws to prevent this kind of situation. There are proposals to prohibit former NSA or US Cyber Command employees from working for certain autocratic countries like the Gulf monarchies.
All publishing rights and copyrights reserved to MENA Research Center.