How Russia changed its hacking tactics in 2014

In 2014, the Kremlin turned its eye to the West and decided to defend itself when it comes to global cyber warfare, experts claim. There’s something special about Russian hackers - they’re not very clever at disguising themselves but even despite that they manage to do significant damage. For example, leave 230,000 people without electricity.

This article was first published two years ago when many still couldn’t even imagine the Russian invasion of Ukraine. Experts, keeping a close eye on the Kremlin, signaled that the country had changed its course in 2014, after the successful annexation of Crimea.

Even though many think of Russian hackers as amateurs and call their cyber weapons just as weak as their artillery, they are pretty successful in spreading chaos and confusion.

By now, we know for sure that Russia correlates cyberattacks with its kinetic military operations with a strong focus on disinformation campaigns. We also know that the war in Ukraine caused a flood of amateurish ransomware. The Department of Justice is bracing for the possibility of more cyberattacks from Russia.

In the light of recent events in the cyber arena, we invite you to look back into recent history and learn how exactly Russian policy shifted back in 2014.

And here you can find more recent cyber war news.

“In 2014, Russia went after the West,” Christo Grozev, an investigator at the Bellingcat, told his panelist peers during the RightsCon 2020 summit. Before 2014, Russia exercised its hacking power only against opposition members, local activists, journalists, and Eastern European countries. But after the annexation of Crimea, it turned its attention to the West.

“Putin started behaving more like North Korea when you need to show that you are dangerous, that you are insane, unpredictable,” added Roman Dobrokhotov, the editor-in-chief at The Insider.

Experts agree that Russian hacking strategy changed course after 2014 when the Kremlin openly fomented a war in Eastern Ukraine.

What happened in 2014?

“Before 2014, Russia would engage in cyber war with countries it had an excuse for going against,” told Mr. Grozev from the Bellingcat.

As Russia annexed Crimea, plausible deniability, according to Grozev, totally disappeared, and Russia became a bad actor in the global arena. In the second half of 2014, MH17 was shot over Ukrainian territory that was controlled by pro-Russian rebels.

“Both the GRU and FSB started offering the solutions for sort of guarding the motherland in wartime. (...) Russia decided that this has no reputational cost, it just has to defend itself in global cyber warfare,” explained Mr. Grozev. GRU is the Organization of the Main Intelligence Administration in Russia, and FSB is the Russian Federal Security Service.

Roman Dobrokhotov explained that before 2014, Russian hackers targeted only activists, journalists, or other Russian enemies, such as the Baltic states.

“Since 2016, we see that almost every Western country became an object of Kremlin hackers, would it be GRU or FSB. They hacked Bundestag, Democratic National Committee in America, Emmanuel Macron in France, and almost all Eastern European countries. So this is not an ad hoc thing, this is a strategy, a policy for now,” explained editor-in-chief of the Insider.

After 2014, he reckons, Putin has changed his foreign policy strategy: “Before 2014, the unofficial strategy was to be more engaged in international institutions, like Russia is a part of the G8, etc. After that, Putin began behaving more like North Korea when you need to show that you are dangerous, that you are insane, unpredictable.”

Troops in the Maidan Square, Ukraine
Barricades at Euromaidan in Kiev, UkraineKyiv, Ukraine - February 23, 2014: Barricades at Euromaidan in Kiev, Ukraine

Ukraine is just a lab

Andy Greenberg, a senior writer at WIRED, told that Sandworm is a very good example of how Russia changed its course in 2014.

“First they attacked the Ukrainian Central Election Commission and tried to spoof the results of the elections in 2014. Then, in 2015, they hacked the Ukrainian power grid and caused the first-ever blackout triggered by hackers,” told Mr. Greenberg. Sandworm left about 260,000 people without electricity.

Russian hackers were also planting their seeds in the US power grid with the same malware to trigger a blackout if they decided they wanted to do that tactically.

“After hacking the Ukrainian election, they were planning to interfere in the US election. They seem to try things in Ukraine first. It’s their testing ground, where they are already at war, where they already kind of paid the cost of sanctions for physically invading the country,” told Mr. Greenberg.

“Like a Mexican shootout with Russian hackers”

Russian military makes more mistakes than any other entity or minority group, believes Mr. Grozev.

“For whatever reason, they leave their names, their selfies, they sign in to dating sites and forget to switch off geolocation. That has given us nuggets of information, based on which we can leverage them into more data,” told Mr. Grozev.

He explained how the Bellingcat investigators were able to build a huge database of Russian state-employed hackers, first by looking for some of their leaked personal data, then by associating it with license plates that were registered at the GRU hacking unit headquarters.

“We were able to get about 1,200 full IDs with personal data. That was our harvest. It is valuable data we have and maybe we are tracking some of them, who knows,” Mr. Grozev did not want to get into more details as the Bellingcat is about to publish another investigative piece in a week or so.

He became interested in the GRU hacking unit after his investigation of MH17, which continues to be a sore wound for Russia, the one thing that Russia is trying desperately to disown and disassociate itself from.

Woman holding a poster which says "Putin is a terrorist"
Kyiv, Ukraine - July 17, 2014: People place flowers at Dutch embassy in Kyiv after Malaysia Airlines Boeing 777 (Flight MH17) originating in Amsterdam crashed in Eastern Ukraine

“Every government agency, including the FSB and GRU hacking units, are trying to deliver tools for Russia to disassociate itself from MH17. And that includes trying to hack both the investigators, the journalists, the prosecution from the Netherlands and Malaysia and so on. That alone is such a grand project for GRU, that essentially all the people that work within this hacking unit at one point were involved in MH17 hacking attempts. It’s a very surreal situation. They are tracking us or trying to, and we are tracking them. It’s almost like a Mexican shootout situation. Let’s see who is better,” explained Mr. Grozev.

He and his colleagues were able to track Russian hackers not only to Kuala Lumpur but to a hotel across the street from the prosecution office of Malaysia. Hackers disclosed themselves by logging into a hotel wifi. “They are not subtle,” laughed Mr. Grozev.

Is that by design? “I think GRU, in general, is not subtle, not only the hacking department. You know how they went trying to poison the Skripals. They didn’t take enough care to hide themselves. When you have no reputational cost, you weaponize your fearsomeness, you try to scare the world. I don’t think they are leaving traces by design, they are just not scared because they are not going to be punished for that.”

Mr. Grozev explained that state-sponsored hackers are not punished for the screw-up, they are only punished for a betrayal.

“This leads to sloppiness, this leads to a lot of these young people just leaving traces. The password for Badin, the guy, who hacked the Bundestag, was badin1990,” he explained. Dmitry Badin was born in 1990.

Dobrokhotov added that most of the people from GRU get small wages and therefore are not motivated to do a good job: “If there are no incentives to be very careful, you wouldn’t be. They are not that motivated. (...) I don’t think that they really believe they are doing some important patriotic job. It is just because for some of them, it was the only possible career.”

Success story

Even though there are quite many funny things about Russian hackers, they are not just a laughing matter, experts believe.

Mr. Grozev said that the way they handled the hacked information on MH17 was a success.

“They found nothing that would put the investigations and the court proceedings in a bad light. They must have thought what to do with this? Ultimately they leaked it anyway. I have a theory. We see that it took away some of the protective witnesses’ trustin the sanctity of the information. A lot of witnesses that would have considered coming forward in the future are now going to have second thoughts,” explained Mr. Grozev.

On the other hand, Mr. Greenberg singled out Sandworm as a success story.

“They are very sophisticated and their successes have been unprecedented. They are the only hackers in the world that have caused a blackout not once, but twice, the second time using this piece of automated malware in the capital of Ukraine,” explained Mr. Greenberg.

He also mentioned the Petya malware, released in 2017. It swamped websites of Ukrainian governmental organizations, including ministries, electricity companies, banks, and media.

“It was essentially an attack that no one in Ukraine could have prevented. It was an automatic update, and before you know it, your computer and your network have been destroyed. That’s an actual innovation, and that worm spread around the world and cost ten billion dollars in damage. The GRU, you have to recognize what they have done,” told Mr. Greenberg.