11 July 2023

How the Wagner revolt could change Russia’s cyber operations


The developments in the Russian Federation in recent days have taken me by surprise. In just under two days, forces employed by the Wagner Group - the now-infamous mercenary outfit run by oligarch Evgeny Prigozhin and deployed by the Russian government for more than a year in the brutal battle for Bakhmut - crossed from bases in Ukraine into Russia to stage a mutiny.

Much remains unknown about these events, including exactly who knew about the attempted revolt ahead of time and what precisely Prigozhin's aims were. Regardless, the ongoing episode stands as one of the most incredible developments of the decade - perhaps of the century so far - with far-reaching implications for the regime of Vladimir Putin, the war in Ukraine, and Russia's role as a key driver of global insecurity.

Prigozhin's revolt has prompted Western commentators to ruminate primarily on the terrestrial military and political consequences of events. However, the resolution of the incident and the resultant, apparent instability of Russia's internal political conditions also have implications for global cybersecurity. In the short term, these are likely to stem from Prigozhin's links to Russia's military intelligence apparatus, his patronage of the notorious Internet Research Agency, and the evolving information war that may come with his banishment to Minsk. In the long term, shifts in the patronage dynamics that define Russian power politics suggest real possibilities for heightened cyber aggression that is nonetheless less coherently tied to Moscow's interests.

This said, it's not all bad news. Information continues to come out about who knew about Prigozhin's plans and even supported them. As Putin tries to stabilize his hold on power, it's entirely possible that those elites closest to the Wagner boss will be forced out of their jobs (or perhaps a third-story window), a process that indeed already appears to be underway.

This has real potential to replace the hyper-aggressive cyber strategy of bolstering information confrontation with the West - the one favored by the GRU, the spy agency that liaised most closely with the Wagner Group - with an alternative perspective. This improves conditions for Western digital defenders along several lines, not the least of which is growing tactical know-how about Russian operations at a time when the Kremlin's mission-control capabilities are being weakened.

Recap of the Wagner Group uprising in Russia

Calling Russia's military leadership "evil," Prigozhin's troops moved to occupy military headquarters and other facilities in the strategically important logistics hub of Rostov-on-Don. Almost as amazing as the fact of an armed rebellion on Russian soil was that Wagner forces apparently took the southern city without firing a shot. Hours later, these same forces were reported to have moved out toward Moscow, some 1,100km away. In less than a day, they occupied further positions in the city of Voronezh and are reported to have made it to within 200km of Russia's capital.

Then, as suddenly as it started, the revolt was over. In a deal apparently brokered by Belarusian President Alexander Lukashenko, Wagner forces stood down, vacated Rostov-on-Don, and returned to their marshalling bases in occupied Ukraine. Prigozhin has since seemingly flown to Belarus in what Western analysts assume is a form of exile imposed by Vladimir Putin. Wagner troops are being offered amnesty and options for their next steps.

Critical context: Putin, Prigozhin, and divide to rule

From an outsider-looking-in perspective, events in Russia over the past two weeks are hard to explain at first glance. What could have precipitated an armed revolt by a favored crony of Vladimir Putin against the very government that Putin, the unquestionable strongman of Russia, controls? How could such a large non-state force deploy so many military assets so quickly against Russia's regular defense forces? What was the actual plan that Prigozhin was attempting to execute? While the reported 25,000 troops Wagner could deploy made stunning progress in advancing deep into Russian territory, the might of Russian regular forces would inevitably be sufficient to crush the revolt.

Answering these and many other open questions about the Wagner revolt means understanding critical context about the way in which Putin has run his dictatorship for the past two decades. Putin's approach to holding power domestically is remarkably similar to his foreign policy, which in the past decade has emphasized using any available mechanism of state power to divide foreign national interests and profit from the disruption that follows.

For instance, Russia regularly offers direct financial aid to fringe political parties like France's National Front to bolster a disruptive voice that would otherwise be marginalized in Western democracies. Disinformation campaigns have been used with equal conviction across the West, the developing world, and the post-Soviet sphere to build up favored political elements. Foreign reserve currencies have been used to fund militant forces in unstable nations like Libya and Sudan. The Kremlin's domination of energy markets and financial resources in certain regions of Asia has been used to bribe the leadership of countries like Kyrgyzstan into kowtowing to Russian interests.

Divide and rule is also the principle that drives Putin's control of his oligarchic autocracy, making him at once both a seemingly untouchable strongman and a leader uniquely vulnerable to domestic conspiracy. Like other dictators - Muammar Gaddafi, for instance, with his infamous web of competing paramilitary forces - Putin recognized long ago that his personal and political survival relies on no single domestic element becoming powerful enough to overthrow him.

One way to accomplish such a condition, while also building the kind of national power necessary to manipulate the general public into suffering the loss of certain liberties, is to create a multitude of actors that must consistently vie for relevance and power at the expense of one another. As scholars have often effectively illustrated, Putin has become particularly masterful at this tactic, regularly creating, ruthlessly manipulating, and disposing of Russia's elites - including Prigozhin - to feed his political designs. In 2007, for instance, when he saw a threat to his re-election campaign in two strongmen attempting to maneuver rival candidates into position, he ordered one to wiretap the other, only to then arrest the obliging party and distribute wealth to yet other sycophantic elites.

These dynamics play a critical role in understanding how shifting power conditions in Russia following Wagner's revolt might change the character of Russia's cybersecurity posture. While Moscow's ability to deploy cyber capabilities for malicious purposes is robust, the hyper-aggressive posture of Russia's primary hacking forces emerges from the politics of relevancy that Putin has enforced since the 2000s. At the same time, Russia's capacity to digitally interfere in Western information spaces has been built on the initiative of oligarchs - Prigozhin quite notably among them - more than under the auspices of conventional security services. As such, substantial changes to the way Putin's regime works are destined to alter the global cybersecurity landscape, even though the triggering events themselves are not cyber in nature.

The short-term cybersecurity outlook

Two clear immediate dimensions of the evolving situation might have a direct effect on cybersecurity futures. First, Prigozhin will need to find new sources of funding for Wagner, or for whatever other form his business interests take, now that he is being detached from direct Kremlin funding, which previously both supported his private military company (PMC) and paid his catering business to supply food to Russia's military. The Wagner Group is active across Africa and has been accused of essentially looting local resources in countries like the Central African Republic, but the PMC is far less present in these situations than the images of Prigozhin's troops in Bakhmut have led many to think.

Representing Russian interests, Wagner's activities in Africa are an attempt to exploit the power vacuum left by the withdrawal of France, the traditional Western power with influence in the region. Their approach certainly includes coercion, bribery, and lucrative extractive dealings, but the method of engagement aligns with the divide-to-rule approach that governs all Russian foreign policy and thus requires only a minimal military presence.

An obvious source of revenue is cybercrime and disinformation for hire. These are existing capacities of Prigozhin's business empire. He famously funded the Internet Research Agency (IRA), the troll farm and disinformation operator tied to more than two dozen influence campaigns targeting the West since 2014. Indeed, while Prigozhin had previously only broadly suggested that he was involved in election interference targeting the United States, he recently made his involvement more explicit. In February of this year, he stated "I was never just the financier of the Internet Research Agency [...] I thought it up, I created it, I managed it for a long time."

Of note, the IRA has been rapidly shut down in the wake of the revolt. While some may see this as a submissive move to unwind Prigozhin's interests from those of the state, evidence exists that the closure was forced. Russian security services conducted raids in the hours prior to the shuttering of the IRA, and the man who was attempting to sell assets on Prigozhin's behalf has now disappeared. Western analysts would do well to scrutinize any apparent attempt to reconstitute the company on Prigozhin's part - or another's - as an indicator of an intention to capitalize on a well-established capacity for cyber antagonism.

The less nebulous short-term implication of the Wagner revolt for digital security is the rapid evolution of the information conflict surrounding Ukraine, Russia, and European perspectives on the war. The revolt gives the information war a new dimension. Specifically, Prigozhin and other elites with substantial technological resources now have an incentive to degrade the traditional narrative power of Putin's security state. Indeed, hackers apparently tied to Wagner have already targeted a major satellite provider in Russia - Dozor - to post support for the revolt across numerous websites. This is a continuation of Prigozhin's use - either directly or otherwise - of an extensive army of hackers, trolls, and propagandists for his own purposes. This force has been employed in information wars across Africa, Europe, and Asia, and has recently been leveraged to help Prigozhin bypass the information controls of the Russian state to influence both elites and the general public.

Importantly, Western planners and cyber defenders should not assume that this evolution of the information war brings only downsides for an embattled Russian state. The degree to which the recent revolt played out largely on the internet - with information and rhetoric fed to both Russian and global populations via Telegram, Twitter, and similar platforms - shows that spreading influence beyond Russian networks remains a critical corollary of narrative control for those positioning themselves for the next stage of oligarch-politik.

Long-term cybersecurity implications of a shaken Russian bear

In the long term, changes in both the optics and the behind-the-scenes maneuvers of power politics in Russia stand to shift the global cybersecurity landscape. Russia has sustained one of the most extensive and permissive cybercrime ecosystems in the world for more than two decades. The benefits of doing so have been enormous for oligarchs and, by proxy, for Putin.

Russian elites have padded their pockets to the tune of billions of dollars from cybercriminal enterprise, and Moscow's security services have regularly incorporated criminal capabilities into their hybrid warfighting techniques for interfering around the world. Significantly, the whole thing has worked in large part due to a set of norms enforced by the state and broadly observed by criminal actors. Specifically, don't disrupt or antagonize within Russian IP space and the state will look the other way on cyber transgressions (except in rare cases where they work against Moscow's interests).

Today, authority in Russia has likely become more diffuse than it has been for more than two decades. Again, Putin maintains a web of powerful subordinates spread across business, government, security services, the military, local politics and critical industries. Importantly, this web of subordinates only makes Putin powerful if Putin can manage and sustain their competition.

As some have noted, the idea that a regional governor, for instance, may be unwilling to take the Kremlin's call on key issues is suddenly realistic today where it would have been unthinkable months ago. The degradation of Putin's authority, if it cannot be recovered, means that Russian elites will likely increasingly - even if just occasionally - act on incentives that don't line up with Moscow's interests.

In cyber terms, this may mean that the patrons of criminal enterprise in Russia will permit activity that runs counter to these state interests. A major ransomware attack in the West at a time where Putin is attempting to establish credibility to reach a favorable war-ending deal with Ukraine and NATO, for instance, would have been unlikely not long ago.

Additionally, the territorial sanctity of the Russian homeland in cyber terms may also become untenable, as the expanding information war around the revolt sees an increasing volume of demonstrative harassment - e.g., the Dozor attack - and influence activities targeting domestic society. Traditional allies are already pulling back to arm's length, such as Kazakhstan, which is holding a wanted cybersecurity expert for possible extradition to Washington even as Moscow has asked for the fugitive.

Beyond the very real ramifications of the shifting optics of power in Russia, a reshuffle of the elites that play a role in shaping Moscow's security posture will also impact cybersecurity futures. An interesting development in the Wagner revolt episode is reporting that certain generals and possibly others within Russia's security establishment knew of Prigozhin's plot and supported it, even though they failed to speak out when the time came. There is even a picture from the hours of the revolt of Prigozhin in Rostov with Vladimir Alekseyev, the first deputy head of the GRU, Russia's military intelligence service. On camera, Alekseyev seemed to align with Prigozhin, stating of the military leaders that Wagner could "take them away."

It seems likely that a purge of sorts is underway, though Putin cannot act rapidly in all cases lest he be seen to have kowtowed to Prigozhin's demands. One prominent general has already gone missing, and others have been curiously absent from the spotlight. The role of the GRU, the agency that has directly overseen Wagner for years, in supporting the revolt in any form remains unclear.

From a cybersecurity perspective, the likelihood that the GRU will be diminished or placed under new leadership is interesting because the organization has largely been behind Russia's hyper-aggressive global digital interference operations over the past decade. As many have reported, the modern GRU substantially turned to hacking and social media-aided political interference following the Georgian war of 2008. There, Putin was embarrassed by failures in intelligence that led to Russian sloppiness on the battlefield and threatened the GRU with irrelevancy. In response, the GRU took a range of steps to aggressively support cyber operations and disinformation campaigns to bolster Russian interests abroad, including sponsoring the Wagner Group. Clearly, a shake-up and new direction could mean a changed character of Russian cyber engagement going forward.

This said, it's not clear what an impacted GRU and other leadership shuffles would exactly do for Russia's cyber posture. There is a reasonably solid basis for thinking that this tumult will be a plus for Western defenders and planners. This is because Russia's cyber operational prowess, extensive as it is in raw terms, mirrors its battlefield capabilities - tactically sound but operationally and strategically sloppy.

The SolarWinds attack is a great example of this dynamic, wherein a sophisticated supply chain compromise went unleveraged by the FSB. Russian hackers often accomplish impressive and creative feats of malicious intrusion only for them to be underutilized for strategic gains. Cyber combined arms, in other words, is not a Russian strength, and the purge of established personnel in the GRU, the military, or elsewhere will simply cement this dynamic.

Geopolitics matter for cybersecurity risk assessment

On balance, cybersecurity audiences often under-assess the impact on digital security futures of major political events that lack a clear cyber component. Recent events in Russia, still unfolding, cannot be dismissed in the same way.

Russia has been at the heart of malicious global cybersecurity activities across several dimensions for decades. Recognizing that the exact character of that dynamic stems directly from the unique divide-to-rule autocratic political system devised by Putin to build power and survive politically is critical for those attempting to chart future risk in the space. A recalcitrant oligarchy in Moscow may change many of the dynamics that have defined our understanding of Russian cyber posture for years, necessitating new approaches to deterrence and active defense. So too might a retrenchment of Putin's power via political reshuffling and the demotion of security actors like the GRU from their current positions of authority.

Either way, a shaken Russian bear means evolution for global cybersecurity. Only time will tell whether this evolution will be a positive and whether we will want to thank Evgeny Prigozhin for his mutiny.
