There is likely to be a purge in the coming weeks of the Russian military intelligence service (GRU or GU), responsible for several recent high-profile cyber attacks and an attempted assassination abroad.
It is possible that this will lead to a drop in the frequency of such attacks over the coming few months, particularly if there is a change of leadership within the service. But we do not anticipate a longer-term shift in the scope and extent of Russian cyber activity. This holds even if the Western response to such attacks moves beyond publicly blaming the Kremlin to imposing economic sanctions, as seems likely.
There is little evidence to suggest that the GRU has been acting beyond its mandate from the Kremlin in recent months, although it is unclear whether the service had direct orders to carry out the assassination attempt in the UK in March and the close-access hack of the Organisation for the Prohibition of Chemical Weapons (OPCW) in the Netherlands in April. Even so, a wholesale purge of the GRU that would damage its ability to perform operations overseas seems unlikely.
Despite questions being raised in the Kremlin over the GRU’s competence, its proven capabilities combined with an apparent tolerance for risk mean that the service will probably remain the main perpetrator of cyber attacks by the Russian state over the coming year. This will sustain the high threat of disruption to Western institutions and businesses.
GRU's cyber capabilities
The GRU has opted for relatively unsophisticated types of cyber attack over the past three years. These include phishing attempts, malware and ransomware. The continued use of such operations is probably indicative of how effective they have been rather than a reflection of the limitations of its capabilities. Indeed, the Estonian intelligence service reported last year that the GRU ‘likely possesses the finest technological and operational capabilities’ of all the Russian services.
There appears to be a pattern to some of the cyber attacks that the GRU and other Russian security services have committed over the past few years. Attempted hacks of the World Anti-Doping Agency (WADA) and the OPCW demonstrate a willingness to use cyber activity to conceal previous state wrongdoing. In those cases, the hacks were probably intended to inhibit investigations into Russian cheating at the Sochi Olympics in 2014 and the assassination attempt in the UK in March 2018. Other attacks have targeted supply chains in an apparent effort to cause disruption to overseas targets, such as the NotPetya malware in 2017, which spread from Ukraine to Western firms and eventually governments.
Low impact of attribution
Russian cyber activity over the past year strongly suggests that public attribution will fail to deter the Kremlin as long as it is able to outright deny its involvement in attacks. In part this is probably because foreign intelligence services are unable to publicly provide evidence for their claims without compromising their own cyber capabilities or sources. The Kremlin’s disregard was most evident when it launched the Bad Rabbit ransomware attack in 2018, only seven months after the British government blamed it for the NotPetya attack.
At present the potential rewards for Russia from its offensive cyber operations abroad seem to far outweigh the risks. Beyond raising questions over the GRU’s tradecraft, the recent attribution has had little tangible impact other than diplomatically embarrassing Russia. And if, for example, the GRU’s hack of the OPCW had been successful, it could have significantly disrupted the investigation into the attempted assassination. In this sense, it seems that the typical progression – attack, attribution and denial – is not diplomatically and economically costly enough to discourage the Kremlin from mounting attacks.
Next step: sanctions
It seems that attribution will only be effective when Western governments follow it up with economic measures. But the longer the West delays imposing sanctions on Russia over cyber attacks, the less effective these are likely to be. High oil prices in recent months have gone some way to restoring the country’s financial reserves, and a US ratings agency said this year that the Russian state has grown more resilient over the past few years to economic restrictions. It has done so by reducing government debt and limiting capital flight, which probably lessens the political fallout for the administration from further sanctions.
There is a lack of domestic pressure on the government to seek sanctions relief and improve ties with the West more generally. Few people within the administration have publicly called for a rapprochement with the West beyond Aleksey Kudrin, an influential liberal politician who lacks support in the intelligence services. Indeed, a more confrontational stance between the West and Russia would probably boost President Putin’s currently low public support as it has done in the past.
Even if Russia had not improved its economic resilience, it seems plausible that sanctions over Russian cyber activity would be ineffective in getting the Kremlin to stop its operations. Sanctions appear to reinforce Putin’s domestic narrative that the West wants to suppress Russia. Cyber attacks are highly likely to remain a means of countering this as long as the US and EU continue to see containment as the only diplomatic option against Russia. That is probable given the lack of willingness to implement alternative responses, such as retaliatory cyber operations. Neither a change of leadership in the GRU nor the imposition of sanctions is therefore likely to limit the disruptive scope of Russian attacks.