Cyberattacks and Narratives Published by Russian Disinformation Channels

  • By Carlos Galán Cordero and Javier Valencia Mtz. de AntoñanaRevue Défense Nationale  2024/8 n° 873)
  • Translated by Mohamed SAKHRI


The information war is a struggle to control or deny the confidentiality, integrity, and availability of information in all its forms, whether it be personal data, sensitive information, algorithms, etc. It occurs when one party in a conflict seeks to impose its propaganda on the media of its adversary and to influence how individuals or targeted populations interpret the information they access. To achieve this, the implicated actor may target the information itself or the wider individuals and groups that comprise its audience. Conversely, we speak of defensive information warfare when a party seeks to maintain desired states and retain the ability to freely collect, interpret, and/or learn from available information without external interference.

Russia’s Disinformation Warfare


In an increasingly digital and connected world, cyberattacks demonstrate daily their significant risks and the reality of their implications. Closely linked, as we will see, to disinformation and hybrid conflicts, their development not only damages the activity, image, or revenue of the media; while this may go unnoticed, it also affects the free dissemination of information, particularly due to the undeniable damage caused by distributed denial-of-service (DDoS) attacks on the information systems of the attacked countries, especially in the case of democratic states, one of whose fundamental pillars is freedom of expression and the dissemination of truthful and high-quality information.

In light of the constant increase in external and internal threats facing European democracies and the institutions supporting them, it is becoming increasingly important to recognize that disinformation campaigns can also constitute a cybersecurity issue. As is known, disinformation is another tool of cyberattacks. An example is its use, even before the start of “physical” warfare, as preparatory activity for the Russian invasion of Ukraine in 2022.

Russia views activities in cyberspace as a subset of a broader and more comprehensive framework, which it describes as “informational confrontation,” derived from the Russian understanding of state-to-state relations and, more specifically, a subset of the great powers’ influence struggle in the world. On December 7, 2023, the UK’s National Crime Agency discovered that Center 18 of the Federal Security Service (FSB) of Russia had been conducting a “hack and leak” cyber campaign for years to influence political processes.

However, attempts at manipulation have no geographical boundaries or unique origins. In recent years, Facebook and Twitter have attributed foreign influence operations to seven countries (China, India, Iran, Pakistan, Russia, Saudi Arabia, and Venezuela), which have used these platforms to influence global audiences. Social media has become a new instrument of geopolitical power, ushering in newcomers to this global order of disinformation that breaks with traditional hegemonies of international narrative.

Russian foreign policy is guided by the country’s strategic culture, consisting of widely held beliefs about geopolitical competitiveness and national security that are “unique to each state” and “do not change in response to environmental or structural changes.” Generally, these concepts are the result of a country’s historical events over a long period (sometimes centuries, even millennia). Examining the three cultural factors motivating Russia’s cyber operations—a sense of national paranoia, an external existential danger, and a cult of assertive action—will help us better understand these activities. However, Russian doctrine and policy documents do not explicitly refer to cyber operations. They do not use the term “cybersecurity,” but refer to “information security.” This term differs from the Western notion of “information security” (or, in short: infosec), in that it encompasses not only the protection of critical digital networks but also the cognitive integrity of society. Several reasons explain why Russian military thinkers use the term “cyber” when discussing Western threats and activities, but are reluctant to associate it with Russia’s capabilities and actions. Some authors believe this deliberate choice is linked to the negative connotations surrounding “cybernetics” from the Soviet era, as well as the importance of the term “information security” for Russia’s domestic policy.

Information Confrontation

is a constant and ongoing element, and all means may be used to gain superiority in this confrontation. Activities in cyberspace are one of many tools of warfare in the information environment, including psychological operations, electronic operations, etc. Indeed, cyberspace can be used for physical purposes (attacks against infrastructures) and cognitive purposes (attacks such as disinformation campaigns). As mentioned, from the Russian perspective, cyber warfare is just part of the overall concept of “informational confrontation”; it is no coincidence that the Russian Ministry of Defense itself describes informational confrontation as the clash of national interests and ideas in which superiority is sought by attacking the information infrastructure of the adversary while protecting one’s own similar objects of influence.

The Kremlin’s perception of information warfare is also a means to manipulate its own population and to attempt to win global public opinion through deception. Today, following the invasion of Ukraine, it is clear that Russia uses information as a tool of paramilitary warfare, aiming to delegitimize Ukraine’s sovereignty and dehumanize Ukrainians.

“Conventional and Hybrid Actions in Russia’s Invasion of Ukraine.”
Craisor-Constantin Ionita, Security and Defence Quarterly, August 2023.

While it is curious to note that current tactics bear some similarities to concepts from Soviet-era theories, in many respects, the Russian approach to informational confrontation is today unique, constantly adapting to new circumstances, new scenarios, and new technologies. For Russia, the amalgamation of cyberattacks and the proliferation of harmful online content, including disinformation, creates a convergence that offers unique opportunities and increases the human impact of cyber threats on vulnerable communities. It has been observed that the Russian Federation simultaneously coordinates destructive cyberattacks against its adversaries, while deploying disinformation campaigns designed to influence citizens.

Looking at recent history, it is not uncommon to find attacks carried out by Russia as part of disinformation campaigns and cyberattacks. The Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU) is a military intelligence agency perceived as “supporting” the FSB in cyber operations against Estonia in 2007 and Georgia in 2008, becoming particularly visible in offensive cyber operations. Thus, the GRU has assumed a leading role within the Russian special services in conducting activities in cyberspace, possessing the necessary resources to deploy both cyberattacks and disinformation campaigns.

The NoName057(16) Group


Since the beginning of the Russo-Ukrainian conflict in February 2022, several hacker groups from both sides have conducted cyberattacks against government entities and critical infrastructures of the adversary. Among these groups is the actor known as NoName057(16), a cyber-collective founded in March 2022 that conducts DDoS attacks primarily against government entities and critical infrastructures in European countries. This group has gained significant scale since May 2022, developing DDoS campaigns against Ukraine and the European countries supporting its government. NoName057(16) announces its campaigns on a Russian-speaking Telegram channel created in March 2022, and on a second channel established in August 2022, where all content is translated into English. It has also created a third group used by some of its members to disseminate information on the technical aspects related to DDoS campaigns, and a fourth where it provides instructions on how to use a custom tool available on GitHub (a collaborative platform for software development), called “DDosia,” to conduct DDoS attacks. The main motivations for their attacks are purely political and ideological: to support Russia in its conflict with Ukraine and to fight against its allies, those who support Ukraine in the conflict and disseminate “Western propaganda” against Russia.

NoName057(16) appears to collaborate with other pro-Russian cyber collectives such as Killnet and XakNet, and attention should be paid to the cooperation between these various self-proclaimed pro-Russian hacktivists that have emerged since the onset of the conflict between Russia and Ukraine. These groups share the same ideological foundations that guide their operations, the targets of their attacks, and in some cases, even the tools exploited. Additionally, as recently highlighted by an analysis published by Mandiant, a U.S. cybersecurity firm and a subsidiary of Google, some of these groups are linked to the aforementioned GRU.

NoName057(16) actively boasts about its successful DDoS attacks to its more than 14,000 followers on Telegram (a channel created on March 11, 2022) and silences those that were unsuccessful. The group’s most successful attacks render targeted sites inoperable for several hours, even days. In response to the attacks, operators of small local sites often resort to blocking requests from outside their country. In extreme cases, some website owners targeted by the group have canceled their domain registrations. In any case, the main sectors targeted by the attacks include public administrations, government entities, transportation, and financial institutions.

Pro-Russian Propaganda on Telegram


In recent years, Telegram has become one of the main platforms for disseminating Russian propaganda and disinformation, primarily due to the lack of censorship and weak content moderation. Although the service is very popular, especially in Ukraine and the Russian Federation, it is also widely used in other countries. However, pro-Russian channels broadcasting pro-Kremlin narratives also impact citizens in EU countries, and many Telegram channels we discovered reference one another or use shared texts.

To illustrate our point, we will examine some of the disinformation campaigns deployed by pro-Russian media in various EU countries.

Germany
On September 18, 2023, Reuters reported on a €400 million aid package to Ukraine, including ammunition, protective vehicles, and demining systems. One day later, many Telegram channels criticized this fact.

On September 21, 2023, the NoName057(16) group published a message on its Telegram channel criticizing Germany’s support for Ukraine: “Germany will transfer to Kiev 30,000 artillery shells of 155 mm, 480 AT2 anti-tank mines, and 200 MRAP [mines-resistant] armored vehicles as part of a new military assistance program to the criminal regime of Zelensky…” The message was also used to announce cyberattacks targeting various entities within the country, such as the Federal Office for Logistics and Mobility (BALM) and the road assistance association ADAC.

Content found from descriptor “AT2”

Belgium
On November 8, 2023, Hadja Lahbib, the current Belgian Foreign Minister, held a diplomatic meeting with her Ukrainian counterpart, Dmytro Kuleba, during which she expressed the full support of the Belgian government for the Ukrainian people.

On November 9, NoName057(16) posted the following message on Telegram: “The Belgian authorities, indifferent to their citizens’ problems and forgetting the crisis in their economy, have established a Support Fund for Ukraine […]. The head of the Belgian Foreign Ministry, Aja Lyabib, clarified that half the funds are allocated to military support for Bandera supporters, and the other half for civilian support (read: how they will be stolen by Zelensky’s crafty henchmen).” It launched a DDoS cyberattack against the Belgian Parliament.

Spain
On October 23, 2023, workers mobilized in Orense (Galicia) to demand better working conditions. This mobilization led to a tense demonstration that required the intervention of the national police.

On October 31, 2023, NoName057(16), via its Telegram channel, posted the following message: “Today we are once again conducting a cyberattack against Spanish websites in solidarity with the local firefighters protesting for their labor rights. […] They couldn’t care less about the firefighters risking their lives to save people! This is unacceptable!” The cyberattacks notably targeted the websites of mobile operator Orange España, the Autonomous Community of Galicia, the Prime Minister’s office, the Ministry of Justice, and the city of Lugo (Galicia).

Content found using the descriptor “Firefighters and emergency services on strike for four months in Spain”

France
On May 15, 2023, French President Emmanuel Macron announced his intention to train Ukrainian pilots and increase tank deliveries to Kiev. From that day, many pro-Russian channels criticized France’s support for Ukraine. On the same day, the group NoName057(16) posted a message stating: “Bandera Zelensky is continuing his march across Europe […] All problems in the country have been solved. Not really…” It then conducted a DDoS attack against the French Senate.

In September 2023, the group NoName057(16) attacked several French companies in retaliation for France’s training of Ukrainian pilots, including the banking group Crédit Agricole, the bus company Eurolines, the Rennes Metropolis transport service (STAR), the Nice Tram, and RATP.

Content found from the descriptor “Pilotes France”

Netherlands
In November 2023, Dutch Defense Minister Kajsa Ollongren promised to allocate €500 million to Ukraine for the purchase of ammunition after visiting Kharkiv and Kiev.

On the 4th, NoName057(16) posted the following message: “The Dutch Minister of Defense, Kajsa Ollongren, after visiting Kharkiv and Kiev, promised to allocate €500 million to Ukraine for the purchase of ammunition. And we promise not to leave the Dutch segment of the Internet undefended from our DDoS missiles.” It also conducted several DDoS attacks against the Dutch Railways (Nederlandse Spoorwegen).

Poland
On October 15, 2023, general elections were held in Poland. A few weeks before the elections, numerous pro-Russian channels on Telegram began discussing the possibility of unrest and “civil war” in the country, mainly due to the support given by the country to Ukrainian citizens.

On October 31, the NoName057(16) group posted the following message: “Polish carriers could go on strike and block all checkpoints at the Polish-Ukrainian border from November 3 until the end of the year. And recently, we cooperated on Russophobic plans together.” It also conducted several DDoS attacks against the website of the Polish Border Guard and the tax service.

Content found from the descriptor “K. Ollongren”

Conclusions
As demonstrated by the analysis in this article, the hypothesis regarding the relationship between Russia’s information and disinformation campaigns and the subsequent cyberattacks against the infrastructures of countries that have been able to demonstrate or adopt decisions contrary to Kremlin interests has been confirmed.

While the modus operandi is clear and appears to take the form of disinformation channels leading to subsequent cyberattacks using DDoS techniques, the timing can vary, with attacks occurring on the same day as actions or spanning several days. This may be explained by the different windows of opportunity to execute such cyberattacks on a given country’s infrastructure.

Thus, one recommendation that could be made would be to monitor transmission channels of pro-Russian narratives in order to anticipate potential cyberattacks against the infrastructures of certain countries, once peaks of derogatory or disinformative publications about these countries have been detected. The objectives of cyberattacks and the themes of disinformation would not necessarily coincide, as the former also depend on windows of opportunity to be successfully executed.

References

Bingle Morgan, « What is Information Warfare ? », The Henry M. Jackson School of International Studies– University of Washington, 25 septembre 2023 (https://jsis.washington.edu/news/what-is-information-warfare/).
[2]
European Union Agency for Cybersecurity, ENISA Threat Landscape 2022, 2022 (https://www.enisa.europa.eu/publications/enisa-threat-landscape-2022).
[3]
Barcelona Centre for International Affairs, « La palabra como arma : de la desinformación a la batalla global por la narrativa », septembre 2022 (https://www.cidob.org/).
[4]
UK Foreign Office, « UK Exposes Attempted Russian Cyber Interference in Politics and Democratic Processes », 7 décembre 2023 (https://www.gov.uk/).
[5]
Bradshaw Samantha et Howard Philip N., The Global Disinformation Order–2019 Global Inventory of Organised Social Media Manipulation, Working Paper 2019.2. Oxford, UK : Project on Computational Propaganda (https://demtech.oii.ox.ac.uk/wp-content/uploads/sites/12/2019/09/CyberTroop-Report19.pdf).
[6]
Desch Michael C., « Culture Clash : Assessing the Importance of Ideas in Security Studies », International Security, vol. 23, n° 1, p. 141-170.
[7]
Johnston Alastair Iain, « Thinking about Strategic Culture », International Security, vol. 19, n° 4, printemps 1995, p. 32-64.
[8]
Ministère des Affaires étrangères de la Fédération de Russie, Doctrine de la sécurité de l’information de la Fédération de Russie, 2016 ; Kukkola Juha, Ristolainen Mari et Nikkarila Juja-Pekka, Game Player : Facing the structural transformation of cyberspace, Finnish Defence Research Agency, p. 10 ; Popescu Nicu et Secrieru Stanislav (dir.), Hacks, Leaks and Disruptions–Russian Cyber Strategies, European Union Institute for Security Studies (EUISS), 2018, p. 17.
[9]
Kukkola J., Digital Soviet Union : the Russian National Segment of the Internet as a Closed National Network Shaped by Strategic Cultural Ideas (thèse), 2020, p. 184.
[10]
NATO Strategic Communications Centre for Excellence, Russia’s Strategy in Cyberspace, juin 2021 (https://stratcomcoe.org/cuploads/pfiles/Nato-Cyber-Report_11-06-2021-4f4ce.pdf).
[11]
Fedchenko Yevhen et Mohyla Kyiv, « Kill Chain Against Disinformation : How to Stop the Kremlin’s Genocidal Rhetoric on Ukraine », Stop Fake.org, 6 février 2022 (https://www.stopfake.org/).
[12]
Duguin Stéphane et Pavlova Pavlina, The Role of Cyber in the Russian war Against Ukraine : Its Impact and the Consequences for the Future of Armed Conflict, Parlement européen, septembre 2023 (https://www.europarl.europa.eu/).
[13]
Lilly B. et Cheravitch J., « The Past, Present and Future of Russia’s Cyber Strategy and Forces », in Jančárková T., Lindström L., Signoretti M., Tolga I. et Visky G. (dir.), 12th International Conference on Cyber Conflict, NATO CCDCOE Publications, 2020, p. 129-155, plus précisément p. 139-141 (https://ccdcoe.org/).
[14]
Lilly B et Cheravitch J., op. cit., p. 142-146.
[15]
Yarix Labs, « Analysis of the Russian-Speaking Threat Actor NoName 057(16) », 13 octobre 2022 (https://labs.yarix.com/2022/10/analysis-of-the-russian-speaking-threat-actor-noname-05716/).
[16]
Mandiant Intelligence, « Hacktivists Collaborate with GRU-sponsored APT28 », 23 septembre 2022 (https://www.mandiant.com/resources/blog/gru-rise-telegram-minions).
[17]
Yarix Labs, op. cit.
[18]
Bedovska Olga, « And “Telega” is still there : how Telegram-channels push pro-Russian narratives to the West », Opora, 25 septembre 2023 (https://www.oporaua.org/).
[19]
« Germany Announces 400 mln Euro Aid Package to Ukraine, but no Taurus Yet–Bild », Reuters, 18 septembre 2023 (https://www.reuters.com/article/ukraine-crisis-germany-idINL8N3AU52M/).
[20]
NoName057(16), post Telegram du 21 septembre 2023 (https://t.me/noname05716eng/2397?single).
[21]
Lahbid Hadja, post Twitter du 8 novembre 2023 (https://twitter.com/hadjalahbib/status/1722218671047929984).
[22]
NoName057(16), post Telegram du 9 novembre 2023 (https://t.me/noname05716_reserve/3531).
[23]
Lois Elisa, « Destrozos y tensión con la policía en una protesta de bomberos comarcales en Ourense », El País, 23 octobre 2023.
[24]
NoName057(16), post Telegram du 31 octobre 2023 (https://t.me/noname05716_reserve/3488).
[25]
Caulcutt Clea, « France to train Ukrainian fighter pilots », Polico, 15 mai 2023 (https://www.politico.eu/).
[26]
NoName057(16), post Telegram du 15 mai 2023 (https://t.me/noname05716eng/1419).
[27]
NoName057(16), post Telegram du 6 septembre 2023 (https://t.me/noname05716eng/2358?single).
[28]
« The Netherlands Promises Ukraine Ammunition Worth €500 Million », Ukrainska Pravda, 3 novembre 2023 (https://www.pravda.com.ua/eng/news/2023/11/3/7427050/).
[29]
NoName057(16), post Telegram du 4 novembre 2023 (https://t.me/noname05716eng/2532).
[30]
NoName057(16), post Telegram du 31 octobre 2023 (https://t.me/noname05716_reserve/3489).

Please subscribe to our page on Google News
SAKHRI Mohamed
SAKHRI Mohamed

I hold a Bachelor's degree in Political Science and International Relations in addition to a Master's degree in International Security Studies. Alongside this, I have a passion for web development. During my studies, I acquired a strong understanding of fundamental political concepts and theories in international relations, security studies, and strategic studies.

Articles: 15167

Leave a Reply

Your email address will not be published. Required fields are marked *