Moonlight Maze: Russian Espionage, Hacking, and Cyber Warfare in the Lead-Up to the 2016 Election

Peter Grant
Mar 28, 2023


Report on Moonlight Maze in The Sunday Times.

This article covers Russian hacking, cyber warfare, and espionage efforts in the lead-up to the 2016 election. It is the second installment in the series “Russian Military Intelligence, Disinformation, and the 2016 U.S. Presidential Election.” While it is not necessary to read previous entries, it is recommended.

The first article provides definitions for the concepts “Active Measures” and “Disinformation” and gives a history of past Russian interference efforts.

This article is an excerpt from my book, While We Slept: Vladimir Putin, Donald Trump, and the Corruption of American Democracy, available here.

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

A History of Russian Hacking and Cyber Warfare

In October of 1996, officials at NASA, the Department of Energy, the National Oceanic and Atmospheric Administration, the Environmental Protection Agency, the US Navy and the Air Force detected a series of mysterious cyber intrusions into their networks.

Later investigators discovered that vast amounts of data were being stolen from US government and military agencies in an operation they came to call Moonlight Maze. After years of investigation, the culprit was determined to be Russian intelligence.

A grim milestone had been passed. It was the first known example of state-on-state digital espionage in history.

In March of 1999, the FBI hosted officials from the Russian Ministry of Internal Affairs at a dinner in Washington, DC. During the meal, FBI agents requested assistance from their Russian counterparts to help them find the Moonlight Maze hacking ring they believed to be based in Moscow.

The Russians surprisingly agreed to help, and just under two weeks later several American investigators flew to Russia. The investigators were stunned when a general from the Russian Defense Ministry admitted that the hack had been committed by the Russian Academy of Sciences at the behest of Russian intelligence.

After assuring the visiting Americans that such activities would not be tolerated, the general conspicuously vanished the next day and the investigators were stonewalled for the rest of the trip. Though the Moonlight Maze hacking operations were briefly suspended during the American investigators’ trip to Moscow, they resumed two months after the investigators returned to the US.

State sponsored cyber attacks have continued, in one form or another, almost continuously ever since.

The first decade of the 21st Century saw vast numbers of the global population gain access to the internet, along with profound changes to the nature of the internet itself. In the year 2000, 304 million people were online; by the end of the decade that number had swelled to nearly 2 billion.

On February 4th, 2004, a little-known Harvard undergraduate named Mark Zuckerberg launched a social media website called “TheFacebook.” By 2006, what had become known as Facebook was made available to the general public and quickly became the most widely subscribed social network on the planet.

2006 also saw the emergence of Twitter, and the purchase of YouTube by Google. The basic contours of the social media landscape were coming into focus. A year later, Apple released the first iPhone, inaugurating a device revolution that would allow people to access the internet from the palm of their hands.

2007 was also a landmark year in the history of cyber warfare.

In April, authorities in the formerly Soviet-occupied Baltic country of Estonia removed and relocated a controversial statue of a World War II era Red Army soldier from a central square in the capital city of Tallinn. For ethnic Estonians, the statue symbolized the post-War Soviet occupation. To Estonia’s Russian minority population, the statue represented the Soviet victory over Nazi Germany, and its removal sparked outrage and protests.

Russian state media responded by calling the Estonian government fascist, a propaganda tactic later employed to justify war against Ukraine.

A day after the removal, multiple Estonian websites were brought down by denial-of-service attacks, a simple means of overwhelming a website’s server. The targets included the Estonian presidency and parliament, nearly every major government ministry, Estonian political parties, half of the country’s major news sites and its two largest banks.

Three days into the relentless cyber assault, it became clear that the operation was not simply being conducted by a haphazard group of pro-Russian independent hacktivists.

Powerful cybercriminal organizations were contributing to the assault on Estonia’s online infrastructure by directing botnets of thousands of compromised computers worldwide. Among them was the misleadingly named Russian Business Network, a criminal gang based out of St. Petersburg infamous for its online spam and fraud campaigns.

The tactics the hackers employed also changed, from simply taking Estonian websites offline to defacing them with Nazi imagery, echoing Russian state propaganda.

As the majority of attacks originated out-of-country, Estonia’s cyber defenders responded by cutting the entire country off from all foreign web connections. It was a dramatic move, as Estonia was one of the most highly connected countries on the Earth. However, when they eventually restored the connections the attacks continued and expanded in sophistication.

On May 9th, the date Russia celebrates the Soviet victory over Nazi Germany, the attacks reached a crescendo. That day 58 Estonian websites were taken offline and one of the country’s largest banks, Hansabank, had its services interrupted for 90 minutes.

Given their diffuse nature, determining exactly who was behind the attacks was difficult. Estonian government officials accused the Russian government of orchestrating the attacks. Others believed that the attacks represented a hybrid relationship between independent Russian hackers, cybercriminal organizations and the Russian government.

When Estonian diplomats approached NATO officials about invoking Article 4, which calls for the leaders of NATO member states to convene to discuss the security threats faced by a fellow member, they were rebuffed. It was the first of many messages sent to the Russians that they could engage in cyber attacks with impunity.

The next year, 2008, saw Russia further refine its offensive cyber capabilities. In August of that year, war broke out between Russia and Georgia over the breakaway provinces of South Ossetia and Abkhazia.

According to NATO analysts, what followed was the first example of Russia utilizing cyber and information warfare to complement conventional military operations.

On August 8th, a day after the conventional war began, 38 websites were struck by denial-of-service attacks. Institutions attacked included the Georgian President’s website, as well as those for the country’s parliament, supreme court, Ministry of Foreign Affairs, the Georgian National Bank and the US and UK embassies.

Cyber security professionals again traced the use of large, international botnets linked to the cybercriminal Russian Business Network, which provided tantalizing clues of Russian state involvement but also muddied the waters when it came to direct attribution.

The Georgian War also had major repercussions for an institution that would play a central role in the events of 2016, Russia’s military spy agency the Main Intelligence Directorate, known as the GRU.

During the Cold War, the GRU was tasked with spreading Soviet influence in the developing world, while its operations in the West mainly consisted of stealing military secrets. The GRU survived the collapse of the Soviet Union intact, unlike the KGB, which was divided into the FSB and SVR, Russia’s respective domestic and foreign intelligence agencies.

By the conclusion of the Georgian War, Russian officials were disappointed with how the GRU conducted itself. While the Spetsnaz special forces under GRU command performed admirably, there was a widespread belief that the agency had provided faulty intelligence throughout the campaign.

As a result, Medvedev demoted the GRU in name and stripped the organization of some of its responsibilities, including transferring control over the Spetsnaz to a different military agency and dividing many of its intelligence responsibilities between the FSB and SVR.

Reforms in the GRU and the Development of Russian Hybrid Warfare

Despite these humiliations, what followed was a period of changing priorities and reform from which the GRU emerged as one of the premier hacking organizations in the world.

In 2011 the GRU’s chief Alexander Shlyakhturov was replaced by Igor Sergun, who ably guided the agency through a period of change and was adept at the all-important task of managing his relationship with Putin.

Russian military intelligence chief Igor Sergun.

During this period, the GRU also appears to have gone on a recruitment drive, establishing a “science company” in 2013 as part of a larger Russian Defense Ministry effort to recruit the top talent from Russia’s universities. These developments in the GRU occurred during a time in which Russian theories regarding information warfare began to mature.

In February 2013, the chief of staff of the Russian military General Valery Gerasimov wrote an article for the publication Military-Industrial Kurier entitled, “The Value of Science in Prediction.”

Vladimir Putin with General Valery Gerasimov.

In it, Gerasimov describes the Kremlin’s understanding of the events of the Arab Spring and the Color Revolutions as regime changes orchestrated by the CIA. He notes that the 21st Century has seen a blurring of the distinction between war and peace.

Wars are rarely officially declared anymore. Advances in information technology allow wars to be waged continuously through information channels. This new form of warfare can be waged “throughout the entire depth of [the enemy’s] territory,” as opposed to just the frontlines of traditional conventional wars. In articulating this new version of hybrid information warfare, Gerasimov provides insights that can be applied to Moscow’s offensive cyber activities of the recent past.

Russian Hybrid Warfare — Target Ukraine

The first major target of this new form of hybrid warfare was Ukraine.

Between 2013 and 2016, Russian intelligence appears to have used the online hacktivist community Anonymous as a means of spreading disinformation intended to discredit opposition figures in Ukraine. During this time, the group Anonymous Ukraine published over 100 posts on the website CyberGuerrilla which included 37 leaks consisting mostly of data pilfered from email inboxes.

While it is unknown how many of these posts were produced by actual Ukrainians and how many were produced by Russian intelligence, the presence of up to a dozen forgeries indicates professional tradecraft.

The careful placement of forgeries among real, stolen information was a practice as old as Russian intelligence itself. Experts came to believe that the Anonymous Ukraine leaks were the product of GRU Unit 74455, initially identified by cybersecurity professionals as “Sandworm.”

Moscow tower reportedly housing the GRU’s Unit 74455.

After large-scale protests in Kyiv swept Viktor Yanukovych from office, Putin responded by invading Eastern Ukraine and illegally annexing Crimea. The Russian invasion was as much psychological warfare as conventional, in that Putin brazenly denied it was happening while it was happening, and many of the Russian soldiers involved did not wear identifying insignia, thus earning them the name “little green men.”

The GRU’s Unit 74455 assisted the invasion by sprinkling Ukrainian social media with forgeries and fake posts promoting Russian propaganda and exaggerating pro-Russian and Ukrainian separatist sentiments. While it appears that these posts received little attention, the Russians were honing their methods.

In the months after Yanukovych fled to Moscow, a pro-Russian hacker group calling itself CyberBerkut (in reference to the Berkut special police force that fired upon protestors in Kyiv’s Maidan square) began publishing posts online referring to pro-European Ukrainians as fascists. It also anonymously distributed forged emails, supposedly between the Ukrainian military and the American State Department, suggesting the Ukrainian revolution was planned by the CIA.

CyberBerkut emblem, a parody of one associated with the defunct Ukrainian military police force Berkut.

In March of 2014, NATO announced that several of its websites had been targeted by denial-of-service attacks by a “Ukrainian hacker group,” CyberBerkut. Britain’s National Cyber Security Centre would later expose CyberBerkut as an online front for the GRU.

Among CyberBerkut’s methods was the selective leaking of the hacked private communications of Ukrainian opposition leaders, US diplomats, EU officials and others.

Three days before the Ukrainian Presidential election, CyberBerkut targeted Ukraine’s Central Election Commission, gaining access to its network, wiping dozens of its computers and disabling real-time vote display. The hackers proceeded to leak photos of the Election Commissioner’s passport and that of his wife, as well as his correspondence with Western officials, in an attempt to falsely convey the idea that the West was meddling in Ukraine’s upcoming election.

After frantically troubleshooting in the days before the election, on election day itself the Commission’s IT administrators discovered that hackers had placed an image on the Commission’s website that falsely declared a far-right candidate had won the election. While they were able to prevent it from being publicly displayed, they weren’t able to stop Russian state television from reporting the falsified result in an apparent attempt to reinforce the GRU’s lie.

The morning following the election the Commission was again targeted by cyber attacks which attempted to prevent it from posting the legitimate election results.

While the initial cyber attacks conducted by the GRU in Ukraine were technically simple, consisting of data exfiltration and leaks, website manipulation and the wiping of computers, by the end of 2015 there was unmistakable evidence that their cyber warfare capabilities were expanding beyond information warfare and into the physical destruction typically associated with conventional warfare.

On December 23rd, 2015, a highly sophisticated cyber attack took down a power plant in Western Ukraine and plunged a quarter of a million Ukrainians into darkness for six hours in the dead of winter. Cyber security experts quickly named the culprit: Sandworm, which we know today to be GRU Unit 74455.

While much more technically advanced and potentially more devastating than information warfare, the hack against Ukraine’s physical energy infrastructure represented the kind of cyber warfare that the American security establishment felt more comfortable with.

Having developed malicious computer worms that physically destroyed their targets, an infamous example being Stuxnet, which targeted and destroyed Iranian centrifuges used to separate nuclear material, American cyber warriors and defenders largely saw the risks posed by cyber war through this lens. Less attention was paid to the potential information, propaganda and psychological elements of cyber operations.

A year before the Ukrainian blackout, on November 14th, 2014, GRU Officer Ivan Sergeyevich Yermakov performed technical reconnaissance on the US nuclear power developer Westinghouse Electric Company (WEC), researching its employees and their backgrounds in the nuclear industry.

GRU Officer Ivan Sergeyevich Yermakov.

Between that time and January of 2015, Yermakov and others in his unit sent spear phishing emails which enabled them to steal the log-in information of employees involved in advanced nuclear reactor development and new reactor technology.

Yermakov’s intrusions were eventually discovered by American authorities, who noticed that the malware used in the Ukrainian power grid hack was being used against American targets.

The Department of Homeland Security issued an Industrial Control Systems (ICS) Alert warning potential targets of the ongoing sophisticated malware campaign. However, while American authorities were concerned with the security of the country’s physical infrastructure, less attention was paid to the information cyber war being waged with increasing frequency and ferocity against institutions across the Western world.

Ukraine was only the beginning.

The GRU, the Islamic State, and the so-called “CyberCaliphate”

In addition to posing as pro-Russian Ukrainian hackers, the GRU also established a false-flag hacktivist group, ostensibly linked to the infamous terror organization the Islamic State, called the CyberCaliphate.

The GRU’s use of the Islamic State as a front is indicative of the complex relationship between Russia and the terrorist group. Russia’s key strategic ally in Syria was the brutal regime of Bashar al-Assad, which in theory would make the Russians the enemy of the Islamic State. The existence of the terrorist organization, and the fears it aroused particularly in Europe and the United States, nevertheless served several Russian propaganda and strategic goals.

Firstly, the existence of the Islamic State bolstered Russian arguments that the only alternative in Syria to Sunni jihadists was the Assad regime.

Second, by prolonging the Syrian Civil War, the Islamic State exacerbated the refugee crisis that was destabilizing the entire European unification project.

Third, the Islamic State’s well-publicized murders of US citizens heightened fears and partisan tensions in the United States, which were used to attack the political fortunes of President Obama and his would-be successor Hillary Clinton.

The CyberCaliphate’s first known attack against a target based in the United States was directed at the local news outlet the Albuquerque Journal. On Christmas Eve 2014, roughly during the timeframe in which the GRU was probing Westinghouse, the Albuquerque Journal’s website was hacked in a separate operation to feature Islamic State related images with the headline “Christmas Will Never Be Merry Any Longer.”

A similar attack using identical imagery was conducted on January 6th, 2015 against local Maryland television station WBOC 16.

Six days later, in the aftermath of the massacre at the satirical French publication Charlie Hebdo, the CyberCaliphate struck again, this time seizing control of US Central Command’s Twitter profile and posting the message, “AMERICAN SOLDIERS, WE ARE COMING, WATCH YOUR BACK. ISIS.”

This was the first of seven posts that used publicly available information to create the false impression that US Central Command itself had been compromised, when in fact only its Twitter profile had been.

Ten days after the CentCom stunt, on January 23rd, 2015, GRU hackers compromised the French television station TV5/Monde. The GRU spent months studying vulnerabilities within TV5/Monde’s network and implanting sophisticated malware in preparation for their ultimate attack.

In the meantime, their malicious activities continued unabated. On January 26th, GRU hackers seized control of Malaysia Airlines’ website and replaced its homepage with a facetious “404 — Plane Not Found” message, presumably a crude reference to the twin aviation disasters suffered by the company the year before: the disappearance of Flight 370 and, only months later, the shooting down of Malaysia Airlines Flight 17 over Ukraine.

The GRU hackers hid their identities by writing “Hacked by Lizard Squad, Official CyberCaliphate” beneath a doctored photo of a pipe-smoking lizard sporting a monocle.

The same day the Malaysia Airlines website was defaced, the GRU sent spear phishing emails to three prominent YouTube personalities who had interviewed President Obama at the White House just four days earlier. This is known as an “island-hopping technique,” in which attackers focus on companies or individuals who are affiliated with, but less secure than, their main target.

Just over two weeks later, on February 10th, the CyberCaliphate engaged in a frenzy of activity. First, they seized control of Newsweek’s Twitter feed and posted documents allegedly leaked from the Defense Cyber Investigations Training Academy along with messages threatening Michelle Obama and her family, writing, “#CyberCaliphate Bloody Valentine’s Day #MichelleObama! We are watching you, your girls and your husband!”

At the same time, five US military spouses received threatening messages from the CyberCaliphate in which they were addressed by name and told, “We’re much closer than you can even imagine.”

Screenshot of the message the GRU’s “CyberCaliphate” sent to five U.S. military spouses.

To round out a busy day, the GRU registered and brought online the website cyb3rc.com and posted a threat against the Pentagon, writing “We are destroying your national cybersecurity system from inside,” and adding, “We know everything about you and your relatives and we’re much closer than you can ever imagine.”

The website proceeded to post a mix of public domain and possibly stolen documents from the Department of Defense.

In another instance that occurred in February 2015, GRU Unit 54777, described by Western intelligence as the GRU’s chief practitioner of psychological warfare, sent a dozen US Senators an email from a fictional identity supposedly belonging to a group called “Patriots of Ukraine.”

By this time, the Russian war in Ukraine’s eastern regions was approaching its second year. The message, poorly phrased and written in shoddy English, included a petition to “save” Ukraine and accused Ukrainian military officers of selling weapons to terrorists.

While the email hardly made a ripple in the Capitol, it was significant insofar as it marked the first known operation directed by the GRU’s new psy-ops unit against US politicians.

In addition to US politicians, primarily from the Democratic party, and US diplomatic personnel, the group most targeted by the GRU was Russian, Ukrainian and international journalists. According to the Associated Press, over 200 journalists were targeted by GRU hackers starting in mid-2014.

In March of 2015, the openly gay Russian television broadcaster Pavel Lobkov was hacked. Months earlier, Lobkov had revealed on Russian television that he was HIV-positive, at the time a groundbreaking admission to make in Russia. Shortly thereafter, Lobkov’s private Facebook messages, some of which were sexually explicit, were leaked online.

Targeted Russian journalist Pavel Lobkov.

Fifty of the reporters targeted were from The New York Times, and another 50 were foreign correspondents based out of Moscow or Russian journalists working in the independent media. Many others worked for independent publications in Ukraine.

By the spring of 2015, the GRU’s hackers grew bolder still. On April 8th, nearly two and a half months after their initial incursion into the French broadcaster TV5/Monde, during which time they carefully identified vulnerabilities, the GRU launched a devastating attack that placed Islamic State propaganda on the station’s affiliated social media accounts and took down its 11 channels, which were broadcast to over 50 million people in 200 countries and territories.

France, which had recently been subjected to several devastating Islamic State terrorist attacks, was shaken by the incident. The day after the attack the GRU, using a false online identity, posted a detailed but subtly misleading technical analysis of the attacks, blaming them on cyber jihadists. While the strange description initially confused French investigators looking into the incident, they eventually recognized it as yet another part of an operation that marked the most devastating cyber attack against televised communications yet seen.

The TV5/Monde attack was followed by a similar GRU operation in which they briefly seized control of a UK-based TV station called the Islam Channel.

The GRU Targets Germany’s Political Leadership

In the same month as the TV5/Monde attack, officials in the Bundestag, the German parliament, as well as members of German Chancellor Angela Merkel’s Bundestag office, were targeted with spear phishing emails ostensibly from the United Nations but in fact sent by the GRU.

The attack was conducted by Dmitriy Sergeyevich Badin, a then 24-year-old GRU Officer in the elite hacking Unit 26165. Based on Komsomolsky Prospekt in Central Moscow, Unit 26165 was commanded by Viktor Netyksho, a mathematically gifted specialist in probabilistic functions and neural networks.

Dmitriy Sergeyevich Badin

The Unit, also known as the 85th Main Center of the GRU Special Service, specializes in breaking encryption and computer network exploitation.

By early May, Badin’s efforts had paid off. GRU malware stole passwords and spread through the network, ultimately seizing control of the Bundestag’s IT infrastructure, paralyzing its online services and blocking access to its external website. The paralysis lasted for several days, during which time Badin’s team exfiltrated 16 gigabytes of data.

Among the stolen data were the complete inboxes of multiple German parliamentarians. Merkel’s office was among those that were breached.

More aggressive than ever, international in scope and with a rapidly increasing operational pace, Unit 26165 was now ready to embark upon its most daring mission yet: a cyber assault against the 2016 American election.

One of their early targets, among others, was the Democratic National Committee. At the time they attempted to breach the DNC’s server, however, evidence suggests that Netyksho’s hackers were unaware that they had been beaten to the punch. The DNC’s network had already been breached by another group of hackers linked to Russia’s foreign intelligence service, the SVR.

The next article in the series will examine Russian Military Intelligence’s breach of the Democratic National Committee.
