Cyber Defense Review

Putin’s Cyber Strategy in Syria: Are Electronic Attacks Next?

By Austen Givens | November 17, 2015

The past few weeks have seen a remarkable shift in Syria. Russian fighter jets are bombing opponents of Syrian President Bashar al-Assad.[1] At least a few thousand Russian soldiers are now on Syrian soil.[2] And the Obama administration is scrambling to re-calibrate its policy positions toward Syria in light of these developments. Yet there is good reason to suspect that Russian plans for Syria go beyond the mere presence of conventional military forces. For the United States to begin managing the Russian presence in Syria effectively, it will soon have to come to terms with the prospect of Russian cyber attacks in Syria, as well.

Russia has refined a flexible template for its military incursions into other states in recent years. This template incorporates a prominent role for cyber attacks. The template consists of two general phases which can overlap chronologically in their execution. In the first phase, Russia launches a barrage of cyber attacks against the target nation. This is done in order to slow or disable the communications systems of the target nation, hamper coordination among the target’s defense forces, and potentially mask the movement of Russian troops and equipment. The second phase is the actual movement of Russian forces into the target nation itself. Cyber attacks may continue during this second phase, or gradually taper as Russian military forces become established inside the target nation.

Moscow successfully used the first phase of this template during a wave of cyber attacks on Estonia in 2007.  In April of that year, Estonian officials angered many Russians when they moved a controversial Soviet-era war memorial from the center of the Estonian capital, Tallinn.[3] Shortly after the memorial was re-located, Distributed Denial of Service (DDoS) attacks traced to Russia hit official Estonian websites, including those of the national parliament, businesses, and newspapers.[4] At one point, websites on the receiving end of Russia’s cyber attacks were hit with 1,000 times the amount of data requests that they receive on a normal day-to-day basis, paralyzing them or knocking them offline altogether.[5] Still other Estonian websites remained online, but were defaced during the time of the DDoS attacks.[6] The attacks significantly affected daily life in Estonia, largely because Estonia is one of the most wired nations on earth: some 98% of Estonian banking transactions take place online, a good proxy for understanding the country’s embrace of Internet-based technologies.[7] The 2007 cyber attacks sent a powerful political message to Estonian authorities—that Russia, and its interests, were a force to be reckoned with.

One year later, Russia again used its military incursion template in neighboring Georgia. In advance of Russian troops moving into the Georgian region of Abkhazia, DDoS attacks hit Georgian websites, at one point disabling the website of then-Georgian president Mikheil Saakashvili.[8] The website for the National Bank of Georgia was defaced during the attacks, as well.[9] At least one study suggests that the cyber attacks against Georgian websites significantly affected the Georgian government’s ability to respond to the cyber attacks themselves, specifically by impeding information sharing and coordination among government bodies, which are critical to organizing an effective response effort.[10]

Russia rolled out its template a third time during its invasion of Crimea in Ukraine last year. DDoS attacks traced to a pro-Russian group bombarded Ukrainian media.[11] Rumors circulated that Russia was jamming mobile phone services for Crimean parliamentarians.[12] Security firm BAE Systems reported that a piece of malware dubbed “Snake,” dormant for years on Ukrainian computer networks, was now roaring to life, potentially giving its controllers extensive access to compromised systems.[13]

Today, Moscow finds itself conducting military operations against opposition groups in Syria. Even before the civil war began there in 2011, Syria had an under-developed Internet infrastructure. Now, after four years of widespread destruction, that original limited Internet infrastructure has been degraded, limiting Russia’s potential ability to carry out cyber attacks against opposition groups inside Syria.

Syrian opposition fighters have to rely in large part on mobile networks located in neighboring Turkey for connectivity and communication.[14] Of course, the FSB, Russia’s foreign intelligence service, knows this. This means that mobile networks in southern Turkey are now enticing targets for Russian cyber attacks. Slowing or disabling these Turkish mobile networks will make it hard for Syrian opposition fighters communicate with one another and the outside world.[15] A cursory check of Shodan, a search engine for Supervisory Control and Data Acquisition (SCADA) systems, displays numerous Internet Protocol (IP) addresses for the networks of Turkcell, one of Turkey’s largest mobile phone providers.[16] The freely available nature of this information suggests that not only are southern Turkey’s mobile networks attractive targets for Russian cyber attacks, but they are vulnerable, too.

If the Obama administration is serious about supporting Syrian opposition groups, then it should anticipate Russian cyber attacks on these oppositions groups. It would be helpful for US intelligence agencies to monitor Internet network traffic patterns in southern Turkey and opposition-controlled areas of Syria. Slowdowns in this network traffic could be indications of a Russian-directed DDoS against communications networks used by Syrian regime opponents. Moreover, to the extent that the United States can offer opposition groups redundant communications equipment, this will go a long way toward ensuring that the Syrian opposition is at least able to coordinate its actions, even in the midst of Russian cyber attacks.

The Syrian civil war has entered a new phase of complexity, thanks to the presence of Russian military forces operating in support of the Assad regime. Moscow’s use of cyber attacks in recent years suggests strongly that it will use these attacks again as part of a broader organized campaign to defeat Syrian opposition groups. For the United States to support Syrian opposition groups effectively, it must plan for these cyber attacks now, and work with the Syrian opposition to mitigate their potential impacts.


[1] Anne Barnard and Thomas Erdbrink, “ISIS Makes Gains in Syria Territory Bombed by Russia,” The New York Times, October 9, 2015, accessed October 30, 2015,

[2] Stephen Blank, “The Real Reason Putin Is Sending Troops to Syria,” Newsweek, September 27, 2015, accessed October 30, 2015,

[3] Alison Lawlor Russell, Cyber Blockades (Washington, DC: Georgetown University Press, 2014), 75.

[4] Scheheradze Rehman, “Estonia’s Lessons in Cyberwarfare,” U.S. News and World Report, January 14, 2013, accessed October 30, 2015,

[5] Russell, 76.

[6] BBC News, “The cyber raiders hitting Estonia,” May 17, 2007, accessed October 30, 2015,

[7] “e-Estonia,”, ND, accessed October 30, 2015,

[8] John Markoff, “Before the Gunfire, Cyberattacks,” The New York Times, August 12, 2008, accessed October 30, 2015,

[9] Ibid.

[10] David Hollis, “Cyberwar Case Study: Georgia 2008,” Small Wars Journal, January 6, 2011, accessed October 30, 2015,, 5.

[11] Michael J. Schwartz, “DDoS Attacks Hit NATO, Ukrainian Media Outlets,” March 17, 2014, Information Week, accessed October 30, 2015,

[12] Franz-Stefan Gady, “Cyberwar in the Crimea?”, U.S. News and World Report, March 7, 2014, accessed October 30, 2015,

[13] David E. Sanger and Steven Erlanger, “Suspicion Falls on Russia as ‘Snake’ Cyberattacks Target Ukraine’s Government,” The New York Times, March 8, 2014, accessed October 30, 2014,

[14] Mohammed Al-Khatieb, “Seeking Internet access, Syrians turn to Turkey’s wireless network,” Al-Monitor, April 14, 2015, accessed October 30, 2015,

[15] Ibid.

[16] Shodan, ND, accessed October 30, 2015,