Is Russia Restarting Damaging Cyberattacks?

By Josephine Wolff, Associate Professor at The Fletcher School at Tufts University

When Russia first invaded Ukraine in February, it seemed plausible that nearly every cyberattack in the news might be coming from the Russian government. After years of disruptive high-profile Russian cyberattacks, like those targeting the Ukrainian electric grid in 2015 and 2016, the NotPetya attack in 2017, and the SolarWinds compromise in 2020, it seemed almost inevitable that Russia could—and would—exercise its sophisticated cyber capabilities as part of the conflict. This idea was so firmly entrenched that when there was a seemingly unrelated February breach at Nvidia, rumors immediately spread that that Russia might be behind it.

Six months into the war, there hasn’t been a single significant, successful cyberattack to its name in that time. That’s probably partly because Ukraine and other countries have significantly ramped up their cyber defenses, and partly because threat intelligence about Russia’s cyber operations seems to have been very good so far, enabling governments and companies to proactively counter Russian malware—but it’s also partly because Russia’s cyber operations simply haven’t been living up to the country’s previous reputation for sophisticated, destructive cyberattacks.

And now that reputation may be starting to change. In late August, Montenegro suffered a cyberattack that infected 150 computers in 10 government institutions with a piece of malware called Zerodate. It’s not entirely clear how far-reaching the damage of the attacks has been, but the combination of ransomware and distributed denial-of-service seems to have had a fairly profound impact on day-to-day life in the country. The AP reported that compared to attempted cyberattacks directed at other Eastern European countries in recent months, “the attack against Montenegro’s infrastructure seemed more sustained and extensive, with targets including water supply systems, transportation services and online government services, among many others.” The country was also forced to switch its electrical utility to manual control, according to the AP.

Meanwhile, BalkanInsight reported this week that Montenegro’s judicial system has been forced to postpone trials because people were unable to access the necessary computer networks. According to that report, “Courts and the prosecution service are … working only offline, as are the State Property Administration, the Central Register of Business Entities and the fiscal system.”

After the attack began, the government’s Agency for National Security immediately blamed Russia, saying the motive was probably Montenegro’s decision to implement sanctions against Russia. Government official Dusan Polovic told the AP, “I can say with certainty that this attack that Montenegro is experiencing these days comes directly from Russia.” The Agency for National Security referred to the attacks as part of a “hybrid war” and said in a statement that “coordinated Russian services” were responsible.

But despite months of warnings that Russia might retaliate against sanctions by using cyberattacks, the reception of Montenegro’s attribution claim has been fairly skeptical. Most coverage of the attack points out that Montenegro’s government has offered no real evidence that Russia was behind the attack. That’s fair and worth noting, but governments regularly make attribution claims about cyberattacks without offering much by way of concrete evidence. (The White House’s 2018 statement attributing NotPetya to Russia, for instance, does not include any evidence.)

If it was the work of the Russian government, it’s perhaps a sign that Russia’s streak of unsuccessful cyber operations may actually be coming to an end. After all, compromising the computer systems used to operate a country’s electric grid, court system, and fiscal system—and sustaining that compromise for more than a week—is the work of hackers who know what they’re doing.

It’s just not clear that those hackers actually have any ties to the Russian government. The criminal group Cuba (which is not connected with the country) has claimed credit for the attacks, according to malware researchers at VX-Underground—though somewhat bafflingly for a ransomware organization, there has been no request for a ransom payment according to officials in Montenegro. Some researchers at security firm Profero have said that members of the Cuba group speak Russian, but those same researchers said they believed the group was not state-sponsored. Officials in Montenegro have also begun blaming the attack on the Cuba group but have not walked back their claims that it is part of coordinated hybrid warfare on the part of the Russian government.

A few months ago, when fear of Russian cyber capabilities was much higher, people might have more easily believed such claims. But now when we see a successful cyberattack that targets critical infrastructure, rather than jumping to the conclusion that Russia must be behind it, we seem to have a sense that such things might be beyond what the Russian government can actually manage. It’s a reminder of how much our ideas and beliefs about what countries are capable of in cyberspace are built on the public evidence of what they’ve done recently—after all, how else can we assess a nation’s cyber arsenal? It’s also a reminder, though, that even though the Russian government hasn’t necessarily managed to compromise a lot of critical infrastructure networks recently, it’s certainly not the only one with the means and the motive for doing so. Good cyber defenses are as important as ever—even if Russia may not be the main reason for implementing them.

This piece is republished from Slate.