In the online world, the West and Russia are already at loggerheads over Ukraine.
As government leaders scramble to come up with a diplomatic deal to avert all-out war in Ukraine, cybersecurity officials warn of a potential wave of Russia-backed cyberattacks that could destabilize NATO countries. Meanwhile, disinformation experts fret Moscow is pushing false narratives through Russian state-affiliated media to tee up a pretext for war by fueling claims that Kyiv or NATO members may soon attack Russian military targets.
The European Union’s cybersecurity agency ENISA and its in-house cyber response team CERT-EU on Monday released a joint warning saying they had “reported a substantial increase of cybersecurity threats for both private and public organisations across the EU.” The authorities “strongly encourage all public and private sector organisations in the EU to adopt a minimum set of cybersecurity best practices” to avoid getting hacked.
The EU warning follows similar messages from cyber agencies across the NATO bloc. The U.S.’s Cybersecurity and Infrastructure Security Agency (CISA) on Saturday advised organizations to buckle up for cyberattacks in a “Shields Up” advisory. The United Kingdom’s National Cyber Security Center (NCSC) released a similar warning at the end of January, as did the Netherlands and other national cybersecurity watchdogs in recent weeks.
“The Russian government has used cyber as a key component of their force projection over the last decade, including previously in Ukraine,” the American warning read.
Behind the series of warnings are increasingly intense attacks on Western infrastructure, especially in Europe and across member countries of NATO, officials said.
Cyber experts have pushed back against calling these disruptions and attacks “cyber war.” So far, no major real-world damage has been done via these digital attacks, though the Kremlin’s army of digital hackers has repeatedly targeted Ukrainian infrastructure since the 2014 conflict over Crimea.
But the pressure these attacks have put on Western governments and economies plays into the hands of adversaries like Russian President Vladimir Putin, security experts warn.
Russian actors have, in recent years, “used their offensive capabilities amid specific geopolitical developments of Russian interests … The escalating situation in Ukraine can possibly lead to spillover effects, which are likely to impact EU interests,” the EU Cybersecurity Agency and CERT-EU said in an earlier, classified Joint Rapid Report dated to the end of January and seen by POLITICO. The report flagged that Russian hackers could disrupt Western countries — as happened when they brought down Ukrainian energy networks in 2015 and 2016 — and use cyberattacks and disinformation to influence public opinion and gain critical intelligence.
The European authorities warned about possible attacks from “at least five major threat actors attributed to Russia,” including hacking groups best known as Fancy Bear, Cozy Bear, Turla, Sandworm and Berserk Bear — all of which, except Sandworm, were last seen active in the EU in 2021. Cozy Bear is thought to be behind one of last year’s major incidents, the SolarWinds supply-chain attack that helped the group hack into networks across the world.
Moscow was already believed to be behind a series of attacks on Ukrainian government websites and organizations in January, which included spreading misinformation and malware that sought to wipe out data, according to Ukrainian security services and U.S. tech firm Microsoft.
Russian hacking groups have been linked to cyberattacks in the Baltics, Poland and Germany and across Europe in past years, and to major hacks like those carried out against the presidential campaign of Emmanuel Macron in 2017 and the German Bundestag in 2015.
Russia, good; the West, bad
As the threat of a Russian invasion of Ukraine has grown since December, the Kremlin has turned to its state-backed media outlets — many of which have extensive social media followings across the West — to sow the official narrative that Russia is peaceful and NATO countries are the aggressors.
A POLITICO review of accounts affiliated with Russian state media channels RT and Sputnik shows that talk of a fictitious attack against Russian-affiliated forces has gained ground since late January, and that these claims are being made in Western European languages. Such an attack — dubbed a “false flag attack” by Western security officials — could serve as a pretext for Russia to launch a military move against Ukraine.
On January 24, for instance, RT’s English website published an interview with a leading Russian-linked official from Ukraine’s disputed Donetsk region who warned that Kyiv was preparing to send in troops, wearing either Russian military uniforms or those of Kremlin-backed local militias, to carry out attacks on infrastructure targets like power stations and water supplies.
The Kremlin’s national media outlets have gone one step further, accusing the U.S. and its NATO allies of planning chemical weapons attacks on Ukrainian separatists — allegations that both Washington and other Western capitals deny.
“That is the one thread that feels more like a typical Russian info operation before some sort of kinetic action,” said Bret Schafer, head of the information-manipulation team at the German Marshall Fund’s Alliance for Securing Democracy, in reference to the Kremlin’s false-flag narratives.
“They are seeding the information space with the idea that if there is a sort of something that looks to be suspicious, like a false-flag thing, that would be the Ukrainians and the U.S., not Russia,” he added.
It’s not just Russia accusing others of fabricating possible attacks.
Earlier this month, senior U.S. officials also warned that the Kremlin may carry out false-flag operations — by way of false videos depicting deadly explosions shared widely via social media — as a pretext for war.
“We do have information that the Russians are likely to want to fabricate a pretext for an invasion, which, again, is right out of their playbook,” Pentagon spokesperson John Kirby told reporters on February 3. He did not provide specifics on what these operations may look like, and Moscow vehemently denied those allegations.
Still, Western agencies find themselves at a significant disadvantage when combating Kremlin-backed disinformation, as many of these false narratives are shared via government-affiliated news outlets with extensive budgets and social media followings that collectively number in the millions.
In contrast, most of the Western narratives have come directly from official spokespeople and press conferences that lack the glitz of the well-orchestrated — and well-coordinated — Kremlin disinformation playbook, which invests significant planning and funding to reach a massive global online audience.
“We don’t have the same operation as what the Russians do when it comes to info ops,” said a European official involved in tracking the Kremlin’s online tactics, who spoke on the condition of anonymity because he was not authorized to speak publicly.
“Moscow has been working on these operations for years,” he added. “What they are doing now surrounding the Ukrainian narratives is exactly why they spent so much time getting these networks in place.”
Matei Rosca contributed reporting.
This article is part of POLITICO Pro’s premium coverage of Cybersecurity and Data Protection.