Russia’s 2019 cyber attack against Georgia followed by full-spectrum propaganda effort

Kremlin unleashed multi-channel counter-messaging campaign after high-confidence attribution of attack to Russia’s GRU

@DFRLab
DFRLab
8 min read · Apr 23, 2020

(Source: GGigitashvili_/DFRLab)

This research is published as part of #ElectionWatch Georgia 2020, a collaboration between the DFRLab and ON.ge supported by the EWMI/USAID. You can also read it in Georgian.

The Kremlin has responded to an investigation that found Russia responsible for a cyber attack in Georgia in October 2019 by denying any responsibility and accusing Georgia and its Western partners of Russophobia.

A joint investigation led by Georgia, the United States, and the United Kingdom found Russia’s Main Intelligence Directorate (GRU) responsible for conducting the massive cyber attack against Georgia. The results of the investigation were announced on February 20, 2020. Georgia’s Foreign Ministry said that the cyber attack aimed to undermine the country’s national security and disrupt the proper functioning of state institutions.

After the results of the investigation were published, the Kremlin launched a multichannel strategy using official diplomatic channels, Kremlin-funded media, and fringe outlets to reach the largest possible audience with its version of the story. Georgian pro-Kremlin outlets also accused Georgian authorities of obstructing the chances of political normalization between Russia and Georgia. The strategy of using multiple channels to spread the same narrative often derives from the understanding that readers are more apt to assume that a piece of information received from several sources is based on various perspectives and is more likely to be true.

The cyber attack was carried out on October 28, 2019, and resulted in about 15,000 websites being temporarily disabled. The list of affected websites included the official websites of the Presidency of Georgia, various courts, local municipalities, and civil society organizations. The work of several TV channels was interrupted as well.

The British National Cyber Security Centre (NCSC) assessed with “the highest level of probability” that the attack was conducted by the GRU’s Sandworm cyberwarfare team. The same unit has been found responsible for four different cyber attacks against Ukraine in the past several years, including BlackEnergy in 2015, Industroyer in 2016, NotPetya in 2017, and BadRabbit in 2017. Around 20 countries, including the United States, Canada, and the United Kingdom, condemned Russia’s latest act of cyber aggression against Georgia, stressing that it was part of the Kremlin’s long-running campaign to destabilize Georgia and an attempt to sow discord ahead of the 2020 Georgian parliamentary elections.

While the technical aspects that led to this attribution have not been publicly revealed, it is important to note that the UK assessed its confidence in the attribution to the Russian GRU at “95+” percent probability. The United States reached a similarly unambiguous assessment, while a host of other allies have backed the attribution. Moreover, Russia has routinely exploited the unavailability of hard, supporting evidence in public attributions of cyber attacks (a deliberate exclusion typically intended to preserve analytical tradecraft) as a shield of plausible deniability.

Russian Ministry of Foreign Affairs and politicians dismiss investigation findings

The Russian Ministry of Foreign Affairs (MFA) was the first to dismiss the findings of the investigation, calling the charges politically motivated and chastising Georgia for unduly demonizing Russia. The MFA ruled out the existence of any evidence proving the involvement of official Russian structures in the hacking of Georgian servers and emphasized that the United States, the United Kingdom, and Georgia “were suspiciously” unanimous in their accusations against Russia. Russia’s Deputy Foreign Ministers Andrey Rudenko and Grigory Karasin claimed that Russia has no intention to interfere in Georgia’s internal affairs, and that all the charges were nothing but anti-Russian propaganda.

One Russian deputy at the State Duma, Anton Morozov, offered another misleading explanation of why Georgia would unfairly accuse Russia of carrying out the cyber attack: to suppress growing pro-Russian sentiment among Georgians. He went on to say that the majority of Georgian citizens want friendly relations with Russia, but “officials in Tbilisi are doing everything to artificially separate the two nations.” Various Russian fringe media portals republished Morozov’s comments.

Various media portals posted Morozov’s comments. (Source, left to right, top to bottom: Polit Ekspert/archive; Nation News/archive; Media Repost/archive; Imag.one/archive; Federal News Agency/archive; Economy Today/archive)

Morozov’s claim about creating discord between the two countries is ironic: if anything creates discord between Georgia and Russia, it is the latter’s occupation of Georgian territories. According to an NDI survey, only 21 percent of Georgians believed that the country would benefit from better relations with Russia in 2019, down from 30 percent in 2015. Moreover, 31 percent of Georgians said that potential Russian military aggression is the top security threat. As a result, public support for Georgia’s integration into NATO is high, at 74 percent.

Russian diplomatic social media accounts amplify MFA narratives

After Georgia’s Western allies condemned the cyber attack, Russian diplomatic social media accounts entered into play to reproach these countries. Russia has long employed its diplomatic social media accounts to disseminate disinformation and attack its critics as well as to troll Western governments. In this particular case, the Russian Embassy in the United States published a Facebook post on February 22, 2020, saying that “groundless accusations” against Russia related to the attack are disappointing, but not surprising. The embassy blamed U.S. diplomats for “resorting to the methods of tabloid journalists in their work” and accused Washington of neglecting international norms and law.

One day prior, the Russian Embassy in Canada tweeted that Canada, Georgia, and the United States spread “Russophobic lies and fakes.” The accusation of Russophobia is a common strategy used by the Kremlin to deflect criticism. The DFRLab has previously shown that the official use of the word “Russophobia” exploded after the annexation of Crimea in 2014, especially in the context of attacking foreign criticism of the Russian government. Recently, the Kremlin has denied accusations that it spread disinformation about the ongoing COVID-19 pandemic, claiming that the accusations, despite mounting evidence, amount to nothing more than Russophobia.

Russia’s diplomatic social media accounts amplified the MFA’s denial of Russia carrying out the cyber attack and pushed anti-Georgian and anti-West narratives. (Source: Embassy of Russia in Canada/archive, left; Embassy of Russia in the United States/archive, middle; Embassy of Russia in the United Kingdom/archive, right)

The Russian Embassy in the United Kingdom wrote on Twitter that the United Kingdom was trying to “keep the image of hostile Russia on life support.” The embassy suggested that British authorities should collaborate with Russia on “#cybersecurity — one of the matters of mutual interest.”

These messages conveyed through diplomatic social media accounts are hypocritical. Between 2006 and 2016, Kremlin-affiliated groups perpetrated 14 cyber attacks against various countries. Under these circumstances, it seems highly unlikely that the United Kingdom, the United States, or any of their allies, for that matter, would cooperate with Russia in the cybersecurity field.

RT and Sputnik come into play

The next steps in the Kremlin’s full-spectrum propaganda response were instituted by the large Kremlin-funded outlets, RT and Sputnik. On February 22, 2020, RT suggested that Western countries — primarily the United States — initiated the “so-called investigation” with the aim of defaming Russia and that Washington deceived Georgia by providing false investigative results. RT quoted a “pundit,” Yuri Rogulev, who claimed without evidence that the West was using a well-known propaganda mechanism by incessantly repeating lies in an effort to make them come true.

Sputnik Georgia interviewed information security expert Vitaliy Vekhov, who claimed that if the GRU had carried out cyber attacks against Georgia, they would have been implemented on a much more professional level. Without presenting any evidence, he went on to say that the attack was carried out by a commercial entity financed by political forces with a specific political agenda in Georgia. He also said that one should consider the possibility that the Georgian government itself gave the green light for the attack, only to blame it later on someone else — i.e., Russia.

Sputnik Georgia also published a video titled, “the West launched a new information war against Russia,” with subtitles saying that after accusing Russia of executing this cyber attack, U.S. intelligence also prepared a report claiming Russia was helping Trump in his reelection bid. Sputnik Abkhazia interviewed tech journalist Aleksandr Maiyarevskii, who assessed that the cyber attack was an act of hooliganism rather than a state-sponsored act. He claimed the GRU could not have carried out this attack, as it had not targeted Georgia’s critical infrastructure, which he considers the GRU’s prime targets in Georgia.

Georgia has never denied the involvement of U.S. and British representatives in this investigation. Moreover, their participation was crucial as Georgia lacks the technical capabilities to investigate a massive cyber attack of this nature on its own. As for the targets, while the attack did not target Georgia’s critical infrastructure, it did intend to undermine the country’s sovereignty and sow discord ahead of parliamentary elections — a goal aligned with the GRU’s strategic interests.

Russian fringe media outlets join in

Russian fringe media portals picked up the narrative about the West using this cyber attack as a political weapon against Russia. Voennoe Obozreniye claimed that the United States wanted to use the “alleged cyber attack” to justify additional military assistance for Georgia. The author speculates that after the attack, the United States would promise military aid to Georgia and Washington would help Tbilisi launch a military provocation against Russia. The United States has promised Georgia only capacity building and technical assistance to help strengthen public institutions and guard the country from cyber threats.

On February 21, 2020, Mirovoe Obozrenie published an interview with pro-Kremlin expert Mikhail Sinelnikov-Orishak, who suggested that both Georgia and the United States use Russia as a scapegoat. One day earlier, Pravdo Ryb published an interview with another pro-Kremlin political expert, Anatoly Wasserman, who asserted that the majority of cyber attacks in the world are carried out by U.S. intelligence agencies, which subsequently try to shift the blame onto their opponents.

Pro-Kremlin fringe media portals amplified Russia’s plausible deniability narratives over cyber attacks. (Source: Mirovoe Obozrenie/archive, left; Voennoe Obozreniye/archive, middle; Pravdo Ryb/archive, right)

Pro-Kremlin Georgian media outlets pick up anti-Western narratives

The Kremlin’s influence agents in Georgia also spread anti-Western rhetoric related to the cyber attack. On March 2, the pro-Kremlin Georgian outlet Saqinform published an article suggesting that, by accusing Russia, the United States and Georgia tried to prevent the participation of Russian Foreign Minister Sergey Lavrov in the Council of Europe’s ministerial meeting in Tbilisi.

On February 26, Georgian authorities made a decision to transfer the Council of Europe ministerial meeting to Strasbourg, France. One of the main reasons for the change in location was the fear that the Russian delegation would face large protests in Tbilisi. Considering this willingness to organize the event in Georgia, it is unlikely that Georgian authorities would be interested in antagonizing people against Russia by accusing Russia of conducting the cyber attack sans evidence.

The experience of several post-Soviet countries has shown that Russia sees key political events such as elections as fertile ground to influence political processes. To that end, Moscow uses overt and covert tactics to interfere in Georgia’s electoral process. A 2019 report by the U.S. Agency for International Development and the East-West Management Institute found that Georgia’s political institutions are highly vulnerable to Russian influence operations, particularly ahead of the 2020 elections.

In this case, Moscow was able to mobilize multichannel, full-spectrum propaganda immediately after the investigation’s findings became public. The use of a range of diverse media sources, coupled with the reinforcement of its plausible deniability arguments, is designed to create the impression that Russia’s version of events is more authoritative. Ironically, Russia’s over-reliance on this two-pronged approach has rendered the strategy painfully transparent.

Givi Gigitashvili is Research Assistant, Caucasus, with the Digital Forensic Research Lab.

@AtlanticCouncil's Digital Forensic Research Lab. Catalyzing a global network of digital forensic researchers, following conflicts in real time.