Cyber Defense Review

Putin’s Cyber Strategy in Syria: Are Electronic Attacks Next?

By Austen Givens | November 17, 2015

The past few weeks have seen a remarkable shift in Syria. Russian fighter jets are bombing opponents of Syrian President Bashar al-Assad.[1] At least a few thousand Russian soldiers are now on Syrian soil.[2] And the Obama administration is scrambling to re-calibrate its policy positions toward Syria in light of these developments. Yet there is good reason to suspect that Russian plans for Syria go beyond the mere presence of conventional military forces. For the United States to begin managing the Russian presence in Syria effectively, it will soon have to come to terms with the prospect of Russian cyber attacks in Syria, as well.

Russia has refined a flexible template for its military incursions into other states in recent years. This template incorporates a prominent role for cyber attacks. The template consists of two general phases which can overlap chronologically in their execution. In the first phase, Russia launches a barrage of cyber attacks against the target nation. This is done in order to slow or disable the communications systems of the target nation, hamper coordination among the target’s defense forces, and potentially mask the movement of Russian troops and equipment. The second phase is the actual movement of Russian forces into the target nation itself. Cyber attacks may continue during this second phase, or gradually taper as Russian military forces become established inside the target nation.

Moscow successfully used the first phase of this template during a wave of cyber attacks on Estonia in 2007.  In April of that year, Estonian officials angered many Russians when they moved a controversial Soviet-era war memorial from the center of the Estonian capital, Tallinn.[3] Shortly after the memorial was re-located, Distributed Denial of Service (DDoS) attacks traced to Russia hit official Estonian websites, including those of the national parliament, businesses, and newspapers.[4] At one point, websites on the receiving end of Russia’s cyber attacks were hit with 1,000 times the amount of data requests that they receive on a normal day-to-day basis, paralyzing them or knocking them offline altogether.[5] Still other Estonian websites remained online, but were defaced during the time of the DDoS attacks.[6] The attacks significantly affected daily life in Estonia, largely because Estonia is one of the most wired nations on earth: some 98% of Estonian banking transactions take place online, a good proxy for understanding the country’s embrace of Internet-based technologies.[7] The 2007 cyber attacks sent a powerful political message to Estonian authorities—that Russia, and its interests, were a force to be reckoned with.

One year later, Russia again used its military incursion template in neighboring Georgia. In advance of Russian troops moving into the Georgian region of Abkhazia, DDoS attacks hit Georgian websites, at one point disabling the website of then-Georgian president Mikheil Saakashvili.[8] The website for the National Bank of Georgia was defaced during the attacks, as well.[9] At least one study suggests that the cyber attacks against Georgian websites significantly affected the Georgian government’s ability to respond to the cyber attacks themselves, specifically by impeding information sharing and coordination among government bodies, which are critical to organizing an effective response effort.[10]

Russia rolled out its template a third time during its invasion of Crimea in Ukraine last year. DDoS attacks traced to a pro-Russian group bombarded Ukrainian media.[11] Rumors circulated that Russia was jamming mobile phone services for Crimean parliamentarians.[12] Security firm BAE Systems reported that a piece of malware dubbed “Snake,” dormant for years on Ukrainian computer networks, was now roaring to life, potentially giving its controllers extensive access to compromised systems.[13]

Today, Moscow finds itself conducting military operations against opposition groups in Syria. Even before the civil war began there in 2011, Syria had an under-developed Internet infrastructure. Now, after four years of widespread destruction, that original limited Internet infrastructure has been degraded, limiting Russia’s potential ability to carry out cyber attacks against opposition groups inside Syria.

Syrian opposition fighters have to rely in large part on mobile networks located in neighboring Turkey for connectivity and communication.[14] Of course, the FSB, Russia’s foreign intelligence service, knows this. This means that mobile networks in southern Turkey are now enticing targets for Russian cyber attacks. Slowing or disabling these Turkish mobile networks will make it hard for Syrian opposition fighters to communicate with one another and the outside world.[15] A cursory check of Shodan, a search engine for Supervisory Control and Data Acquisition (SCADA) systems, displays numerous Internet Protocol (IP) addresses for the networks of Turkcell, one of Turkey’s largest mobile phone providers.[16] The freely available nature of this information suggests that not only are southern Turkey’s mobile networks attractive targets for Russian cyber attacks, but they are vulnerable, too.

If the Obama administration is serious about supporting Syrian opposition groups, then it should anticipate Russian cyber attacks on these opposition groups. It would be helpful for US intelligence agencies to monitor Internet network traffic patterns in southern Turkey and opposition-controlled areas of Syria. Slowdowns in this network traffic could be indications of a Russian-directed DDoS against communications networks used by Syrian regime opponents. Moreover, to the extent that the United States can offer opposition groups redundant communications equipment, this will go a long way toward ensuring that the Syrian opposition is at least able to coordinate its actions, even in the midst of Russian cyber attacks.

The Syrian civil war has entered a new phase of complexity, thanks to the presence of Russian military forces operating in support of the Assad regime. Moscow’s use of cyber attacks in recent years suggests strongly that it will use these attacks again as part of a broader organized campaign to defeat Syrian opposition groups. For the United States to support Syrian opposition groups effectively, it must plan for these cyber attacks now, and work with the Syrian opposition to mitigate their potential impacts.

Footnotes

[1] Anne Barnard and Thomas Erdbrink, “ISIS Makes Gains in Syria Territory Bombed by Russia,” The New York Times, October 9, 2015, accessed October 30, 2015, http://www.nytimes.com/2015/10/10/world/middleeast/hussein-hamedani-iran-general-killed-in-syria.html.

[2] Stephen Blank, “The Real Reason Putin Is Sending Troops to Syria,” Newsweek, September 27, 2015, accessed October 30, 2015, http://www.newsweek.com/real-reason-putin-sending-troops-syria-376682.

[3] Alison Lawlor Russell, Cyber Blockades (Washington, DC: Georgetown University Press, 2014), 75.

[4] Scheheradze Rehman, “Estonia’s Lessons in Cyberwarfare,” U.S. News and World Report, January 14, 2013, accessed October 30, 2015, http://www.usnews.com/opinion/blogs/world-report/2013/01/14/estonia-shows-how-to-build-a-defense-against-cyberwarfare.

[5] Russell, 76.

[6] BBC News, “The cyber raiders hitting Estonia,” May 17, 2007, accessed October 30, 2015, http://news.bbc.co.uk/2/hi/europe/6665195.stm.

[7] “e-Estonia,” estonia.eu, ND, accessed October 30, 2015, http://estonia.eu/about-estonia/economy-a-it/e-estonia.html.

[8] John Markoff, “Before the Gunfire, Cyberattacks,” The New York Times, August 12, 2008, accessed October 30, 2015, http://www.nytimes.com/2008/08/13/technology/13cyber.html.

[9] Ibid.

[10] David Hollis, “Cyberwar Case Study: Georgia 2008,” Small Wars Journal, January 6, 2011, accessed October 30, 2015, http://smallwarsjournal.com/blog/journal/docs-temp/639-hollis.pdf, 5.

[11] Michael J. Schwartz, “DDoS Attacks Hit NATO, Ukrainian Media Outlets,” Information Week, March 17, 2014, accessed October 30, 2015, http://www.darkreading.com/attacks-and-breaches/ddos-attacks-hit-nato-ukrainian-media-outlets/d/d-id/1127742.

[12] Franz-Stefan Gady, “Cyberwar in the Crimea?”, U.S. News and World Report, March 7, 2014, accessed October 30, 2015, http://www.usnews.com/opinion/blogs/world-report/2014/03/07/russias-cyberwar-restraint-in-ukraine.

[13] David E. Sanger and Steven Erlanger, “Suspicion Falls on Russia as ‘Snake’ Cyberattacks Target Ukraine’s Government,” The New York Times, March 8, 2014, accessed October 30, 2014, http://www.nytimes.com/2014/03/09/world/europe/suspicion-falls-on-russia-as-snake-cyberattacks-target-ukraines-government.html.

[14] Mohammed Al-Khatieb, “Seeking Internet access, Syrians turn to Turkey’s wireless network,” Al-Monitor, April 14, 2015, accessed October 30, 2015, http://www.al-monitor.com/pulse/originals/2015/04/aleppo-rebel-control-internet-networks-syria-turkey.html.

[15] Ibid.

[16] Shodan, ND, accessed October 30, 2015, https://www.shodan.io/.


