Seeking the Connections Between Multiple Modes of Russian Cyberattack on the United States

This is the second in a three-part series on Russian cyberattacks and disinformation campaigns against the United States. The first article, published last week, asked if Russian disinformation was a form of hacking.

Last month saw several significant events that reveal the danger facing the American republic from digital warfare. October began with the President of the United States issuing a threat of civil war in the event of his impeachment. Trump’s focus on this news was at least partly the result of Russian disinformation campaigns aimed at pitting Americans against one another and fomenting political chaos in the United States.

A week after Trump’s civil war threat, the United States Senate Select Committee on Intelligence released a detailed report on Russia’s 2016 election interference and other Russian “Active Measures” threats—targeted disinformation attacks and related cyberattacks that were specifically designed to undermine American democracy. October also witnessed dozens of cyberattacks on US targets. These included ransomware attacks that paralyzed at least two American hospitals.

Not all cyberattacks on US targets are Russian in origin, of course, and attribution is challenging. However, it’s clear that Russian security forces are regularly targeting American infrastructure, corporations and government institutions. Some of the worst state ransomware attacks originate from the Wizard Spider group, for example, which is based in Russia. As many in the US government and cybersecurity sector suspect, hacker gangs in Russia are often either directly controlled by the Russian government or working in a loose agreement with the government to further the state’s political agenda through moneymaking cybercrime.


Are These Attacks Random or Coordinated?

Are Russian cyberattacks, ransomware attacks and disinformation campaigns simply random events? Or are they part of Russia’s long-running, coordinated campaign aimed at destabilizing the political structure of the United States? Senator Richard Burr, Chairman of the Senate Committee, framed the issue by stating, “The American public, indeed all democratic societies, need to understand that malign actors are using old techniques with new platforms to undermine our democratic institutions.”

Georgetown Professor Roy Godson told the Senate Committee that Russian cyberattacks and disinformation campaigns were made at “the coordinated direction by the centralized authoritarian hierarchy of a combination of overt and covert techniques that propagate Russian (formerly Soviet) ideas, political military preference and undermine those of their democratic adversaries.”

Former FBI counterintelligence and Cyber division agent Robert Anderson described the 2016 and looming 2020 election interference to CBS News as “A well-choreographed military operation with units that not only were set up specifically to hack in to obtain information, but other units that were used for psychological warfare were weaponizing that. This is not an operation that was just put together haphazardly.”

Not everyone who tracks this issue is so sure, however. Experts disagree on the existence of coordination in cyberattacks from Russia as well as the depth of such coordination. To gain more insights into this serious and complex issue, I spoke with a dozen or so cybersecurity professionals, many of whom served in government cybersecurity roles before entering private industry. Here are their views:

The Experts Weigh In: Yes, These Attack Vectors are Connected

Experts who believe in the coordination of Russian cyber and disinformation attacks include Charity Wright, a Cyber Threat Intelligence Analyst at Intsights. Wright previously served in cyber intelligence roles in the US military. She noted, “They’re all tied together. They have these massive military and government sponsored groups and operations that are each specialized in a certain area and in a certain skill and tactics, and so they each have their own objectives. But altogether, they’re working toward the greater good of the [Russian] state.”

Richard Henderson, Head of Global Threat Intelligence at Lastline, added, “Is it connected in ways that imply a coordinated effort by state agencies to target the west? Absolutely. There is definitely an overarching strategy by countries such as Russia to wage a low-level cyber war against western governments and corporations. It’s part of an overall strategy of asymmetric warfare.”

“I can see there is some connection between the two,” said Professor David Schwed, Director of the Cybersecurity Program at Yeshiva University. “For example, the DNC data breach occurred, which in turn may seem to further the disinformation campaign by falsely corroborating fake stories.” Aaron Turner, President & CSO of Highside, offered an informed opinion based upon years of facing off against Russia in cyberspace in industrial espionage and financial service fraud cases. As he put it, “They are rational actors with extensively-coordinated attack capabilities, putting together disparate data sources to help them build their strategy.”

Kristina Libby, an NYU Professor and EVP at Hypergiant, felt it would be foolhardy to think they are not connected. As she observed, “Russia is not merely attempting to subvert one area without interest in another. All systems are connected, and ransomware attacks and social media propaganda campaigns are each tactics against a bigger broader goal.”

We do it to them, too, noted Dr. Greg Scott, a veteran cybersecurity consultant. He explained, “None of this is random. Opportunistic maybe, but not random. The Russians and Chinese and others engage in organized and coordinated attacks against the United States all the time. And we Americans do it to them—we may have started the information war with Stuxnet more than ten years ago.”

According to Mike Bittner, Associate Director of Digital Security and Operations at The Media Trust, it was the Soviet leader Nikita Khrushchev who signaled the overall strategy by saying that the USSR would ruin the US from the inside. Bittner remarked, “As bad actors ramp up their techniques and expand their operations, what might appear to be random incidents are in fact related.” Otavio Freire, CTO and President of SafeGuard Cyber, concurred, sharing that “disinformation and disruptive cyberattacks are all of a piece, though they may not be explicitly coordinated through one body. Indeed, decentralization is the defining characteristic of cyber conflict.”

“I believe it is part of a broader more sophisticated attack by the Russians to undermine democracies and move sentiment and control towards Russia,” said Catherine A. Allen, CEO of Shared Assessments. Jeff Williams, co-founder and CTO at Contrast Security, also spoke to the issue by saying, “Of course. All of these active measures are tied to fulfilling Vladimir Putin’s goal to increase power by disrupting others. Specifically, attacks on technology produce identity information, account access, and kompromat that can be used to create trusted proxies that seem to support their false narratives.”


No, They’re Most Likely Not Connected

Not all industry experts saw connections between Russian ransomware, cyberattacks and disinformation campaigns. As Morey J. Haber, CTO and CISO at BeyondTrust, explained, “I believe they are separate and conducted by two separate threat actors. Social media disinformation is designed to sway public opinion to the goals of the threat actor or cause social discord. There are no direct financial gains. Ransomware is financially motivated. The threat actors may be opportunistic or targeted, but their end goal is extortion.”

According to Andras Toth-Czifra, an Analyst at Flashpoint, “It depends on the objectives of the perpetrators of such campaigns. In cases where the goal is to sway public opinion related to a person or a group of individuals, an artificial story or precisely timed social media comment may achieve the desired effect.” He allowed, however, “It’s plausible that social media manipulation campaigns may be used in conjunction with the deployment of other factors, such as DDoS and malware, if the end result justifies the means from the perpetrator’s perspective.”

Stephanie Douglas, a former FBI agent who now works at Guidepost Solutions, was not so sure these attacks are coordinated. As she put it, “I would say they’re coordinated in that the US is probably their number one target.” She added, “I’m sure there is some coordination but to what extent that coordination goes across all the different Russian government entities? I couldn’t really speak to that, but I’m sure there is some coordination across—if for nothing else for de-confliction.” This is a useful insight. If it’s a government program, there has to be some coordination just to make sure organizations aren’t getting in each other’s way.

William Tsing, of Malwarebytes, offered his interpretation: “In the tactical sense, no they aren’t connected. In the strategic sense, possibly? Cyber strategy experts have speculated that Russia’s primary political goal of its cyber intelligence operations is to sow chaos and disorder in NATO allied countries. Towards that end, both disinfo campaigns and ransomware infecting critical infrastructure are successful means.”

Adam Darrah, a former US national security professional who now serves as Director of Intelligence at Vigilante, felt the attacks are linked to the extent they help further Kremlin goals. However, as he put it, “There’s just no bandwidth from the Kremlin, in my opinion, to micromanage every single one of these data breaches of the system penetrations, ransomware attacks and disinformation campaigns.”

Based on his experience, Darrah felt that each separate group in the Russian government is working on its own. “To what extent they coordinate efforts across those three separate areas is probably very minimal cooperation because also, they’re competing for resources domestically.” He also offered a twist on this, noting, “They’re all trying to bring the biggest ‘dead mouse’ to their master to see who gets the most money, to be funded further in their efforts against us and against their own people, quite frankly.”

Yossi Naar, Chief Visionary Officer and Co-founder at Cybereason, added a slightly different perspective. “Sometimes it is coordinated,” he said. However, he further explained, “It’s also an effective way of boosting morale at home by advertising these actions and insinuating (or outright saying) that you’re responsible—something that is done by the Russians and usually aimed at the home audience.” Thus, the attacks might be directed at the US, but they’re done, at least in part, for domestic political reasons in Russia.


The third and final article in this series will deal with possible solutions to these challenges.