THREE WEEKS AFTER the martial arts bout, street protests broke out in Moscow. The results of parliamentary elections were viewed as rigged to favor Putin’s party. These protests did not involve the majority of the country; rather it was primarily liberal, urban, younger people who had thought their country had moved on but were now told they were instead going back to Putin. The protests humiliated the Russian leader but also scared him.
Putin’s fears of regime change had been heightened by events in Libya and indeed across the Middle East and North Africa, where the “Arab Spring” was under way. Mass protests seemed capable of toppling corrupt, decrepit regimes. In March 2012, Putin would win his election comfortably, taking him back to the presidency by stressing he would keep the country strong and stable and avoid a return to the 1990s. But the events of the previous year had left a deep mark. The Putin who returned as president was a different Putin from the one who had left. In his first period as president he had uneasily straddled the hard-line forces, suspicious of the West, and those who felt Russia needed to modernize. Now he sided with the former. It took too long for the West to understand this change.
Putin and his allies blamed a hidden hand for guiding the protests in Moscow and the Middle East—and that was America and the CIA. This was the familiar belief—going back to Soviet days—that US intelligence was interfering and subverting. It was also convenient to blame protests on outside support rather than acknowledge genuine domestic disillusionment. But many in Russia’s intelligence services, like Putin himself, had a conspiratorial worldview, which meant they genuinely believed this theory. US secretary of state Hillary Clinton’s remarks during the December 2011 Moscow protests touched a nerve. “We are supportive of the rights and aspirations of the Russian people to be able to make progress and realize a better future for themselves,” she said, a set of comments probably seen as doing no more than reflecting the disappointment in Washington at Putin’s planned return. But Putin interpreted this as a “signal” to protesters. “We all understand the organizers are acting according to a well-known scenario,” he noted. The same tricks Washington had used in Ukraine and Georgia and the “Color Revolutions” were being used to meddle in Russia’s domestic political affairs, he believed. Putin would have his revenge for that. And he would do it through his own judo slam, turning his opponents’ strength against them.
The West was working through domestic puppets, in Putin’s eyes, like Russian NGOs. Mike McFaul had arrived as the new US ambassador in December 2011. Since he had long-established contacts with democracy promotion groups, his appointment was immediately portrayed as part of the master plan to foment revolution. McFaul, one of the architects of the reset, would become the victim of its failure as a campaign of harassment against him intensified. He initially thought the claims of American subversion were just talk. But by the end of his difficult time as ambassador, he would realize Putin genuinely believed the United States was engaged in trying to subvert his grip on power. There is something like a “deep state” in Russia, largely made up of current and former spies, and Putin believed the equivalent group in America was determined to maintain conflict with Moscow. Putin is said to enjoy watching House of Cards, a drama about devious manipulation in American politics. He is also said to recommend it to people in order to understand America, believing it is an accurate reflection of how Washington works. Drama and fiction—especially spy fiction—often shape how countries think of how the world really works and what their adversaries are up to. That has certainly been the case with the West and Russia.
SPY FEVER RESURFACED in Moscow. In May 2013, an FSB officer pulled the baseball cap off a dejected American diplomat in front of TV cameras to reveal a poor-quality blond wig underneath. The FSB said the third secretary at the US embassy had been caught carrying a map, compass, cash, and a letter offering $100,000 up front and $1 million a year to spy for America. The recipient was told to go to a cafe and open a new Gmail account and send an email to a specified address. His target was alleged to be a member of the Russian security service who worked on the North Caucasus, whom he perhaps was meeting under the cover of liaison discussions about counterterrorism.
Russia’s enemies now had a new weapon alongside spies, the Kremlin believed, and that was the internet. When Putin took over at the end of the 1990s, his focus had been on bringing mainstream media like TV channels under tighter state control. The internet was largely left alone. Bloggers like Alexei Navalny had made their names exposing corruption. But 2011 had been the turning point. Popular uprisings that swept away authoritarian regimes in Tunisia and Egypt were described (only partly accurately) as “Twitter and Facebook revolutions.” Silicon Valley and its friends claimed the new tools were allowing ordinary people to communicate and challenge power. The Kremlin realized this could be a threat and began to exert more control over the “information space.” There was more surveillance and filtering of internet traffic. Social media companies—domestic and foreign—were put under more pressure, as TV had been before. Putin would make clear his thinking with a telling remark at a public forum. The internet had been originally developed as a “CIA project” and “special services” remained at the center of it, he said. The internet, he believed, was a tool of subversion to spread “Western” values.
Putin’s case was aided by a surprise arrival at Moscow airport in 2013. Former NSA contractor Edward Snowden was on the run, having disclosed details of some of the surveillance agency’s most secret programs. Escaping Hong Kong, he found himself stranded in Moscow. In Washington, the Obama administration was frustrated with Moscow’s sheltering of a fugitive whom it wanted back much more than it publicly let on (it forced the president of Bolivia’s plane to land because of suspicions he might be smuggling Snowden out of Russia). In discussions in the White House, the CIA cautioned that the chances of Russia handing Snowden over were low—partly as that would risk making Moscow look like a risky place to go if you were a defector. There is no evidence that Snowden wanted to stay in Moscow or had been a Russian agent. He was motivated by his own libertarian ideology. But Putin knew how to take advantage of an opportunity that had fallen into his lap. Snowden exposed the vast power of America’s NSA and Britain’s GCHQ to tap global communications as well as the apparent complicity of American technology firms that handed over user data through programs like PRISM (on the basis of secret legal orders). The disclosures were ammunition to the claim that the “free global internet” was actually a Western surveillance machine. A dependence on Western technology led to vulnerability. The answer was to assert domestic control. The Snowden revelations also caused real damage to America’s relationship with some of its closest allies. That was because the NSA was revealed to have been spying on friends as well as enemies. One particularly damaging story was that the NSA had been listening to German chancellor Angela Merkel’s cell phone. There was something curious about that story. It was one of the only revelations at the time that had details of a particular target rather than the PowerPoint presentations and the like that Snowden downloaded. 
Senior US intelligence officials from the time had a theory that this revelation came not from Snowden but the Russians. Possibly by some other intelligence-gathering operations, they had gathered the information and then pushed it out during the Snowden deluge of stories as a so-called active measure to damage US-German relations. If so, it worked. The central front in the conflict between the West and Russia was changing—away from military competition and even traditional espionage to something new.
IN FEBRUARY 2013, a military newspaper published a speech by the Russian chief of the General Staff, Valery Gerasimov. A new era of warfare had dawned, he explained. It involved “political, economic, informational, humanitarian and other non-military measures”—supplemented by “covert military measures,” including the use of information. The article would lead to discussion, sometimes misguided, about a “Gerasimov doctrine” and hybrid warfare. What was often missed was that it was written not as a template for Russian warfare but as an explanation of what Russia thought it was being subjected to already by the West. Russia was a besieged fortress—and it needed to learn how to fight back.
The distinction between war and peace was becoming blurred. Conflicts would no longer begin with a declaration of war followed by tanks rumbling across Europe. Victory in “hybrid warfare” would belong to those who could use nontraditional means to achieve their objectives. Information was a weapon that could be deployed to destabilize a country short of traditional force. And so Russia began to mobilize. Some of this had nothing to do with espionage and covert action. In October 2014 it was announced that Russia Today (rebranded RT) would launch a dedicated channel in the United Kingdom. That summer Putin had said the aim of the network had been “to try to break the Anglo-Saxon monopoly on the global information streams.”
When protests began in Ukraine in February 2014, Russia attributed them to Facebook and Western covert influence. The West failed to understand how far Putin would go to prevent Ukraine from being pulled out of Russia’s orbit and into that of the EU. Putin improvised rapidly and intervened. In the crisis—and especially the seizure of Crimea—the Kremlin was able to implement and road test elements of its new doctrine of hybrid warfare. Information and propaganda campaigns were launched, along with covert action. In some cases, action was not very covert. Men in uniform began to appear in Crimea who were christened “Little Green Men.” The Russians denied they were their troops when it was obvious they were. It was an example of a new form of brazenness.
Putin was right in thinking the West would not go to war, but he failed to see it would respond with sanctions that isolated Russia. That fueled Putin’s nationalist agenda and allowed him to pressure oligarchs to decide whether their priority was their houses in London or their loyalty to him. In Ukraine and also in his intervention in Syria to save his ally President Assad, Putin was succeeding in making sure Russia could not be ignored. But at a price for his own country.
GETTING INSIDE THE mind of your adversary is a key ambition of spies. In Putin’s case, senior British spies say it is particularly hard since there are very few decision makers around him who matter (although the CIA may have been able to get at least one source close to Putin through one of his advisers). Russian expertise had atrophied in Washington and London since the end of the Cold War. But the same was also true for Putin. He had an enormous intelligence apparatus but the man at its center had very little feel for how the West really worked. His mind-set remained that of the young KGB officer in Dresden. The goal of Putin was to ensure stability at home and in the near abroad, and deal with those trying to undermine it. Because he believed the West was trying to undermine his grip, he believed it had become vital to keep the West off balance and divide it.
And so by 2014 Russia saw itself engaged in an ongoing conflict with the West—one below the threshold of war and fought with spies, hackers, and information. The West still thought of a simple distinction between war and peace and was slow to understand that things were changing. One side was engaged in this conflict—the other had not even realized it had begun. “We fail to appreciate their doctrine—partly as we don’t want to face up to what that means,” says one of Britain’s most senior spies.
IN THE PERIOD after the Ghost Stories investigation, Russia remained fuzzy and out of focus in the eyes of Western policy makers. Counterterrorism was still the overriding priority for the FBI. Even within counterintelligence, resources were shifting toward China. Russia specialists warned this might be a mistake. The view of Russian espionage in Washington and London was that Moscow had a traditional way of doing things—always had and always would. But from 2012, Moscow was innovating in a way that was being missed. In the CIA, one of those who worked in Russia House who had been skeptical of the “reset bullshit” remembers the period from 2012 as a bit like the late 1990s when it came to the threat from Al Qaeda and terrorism. The warning lights were blinking red. But no one outside their small world was listening. “What did we do about it?” one person deep in Russia operations during those years asks of US policy. “Zero. Nothing.” There was a failure of imagination, just as there had been with terrorism. One place where the warning signs were most clear was online.
CYBERSPACE IS THE natural home to hybrid warfare. It allows just enough remoteness and deniability—what some call implausible deniability—to make it easier for one country to act against another without moving to full-scale conflict. And this was one area where the Russian spies were highly capable. Cyberspace would prove to be one of the key ways in which Russia would reinvigorate its intelligence capabilities and push them in new directions.
The end of the Cold War had coincided with the internet’s spread (almost to the day, since the World Wide Web had been released to the general public the same month as the 1991 coup in the USSR). America was the dominant player. But Russia had niche skills—it had always prided itself on its mathematical training—and a new generation who came of age in the chaotic Russia of the 1990s would find a home in the darker regions of the wild west of the Web. There is a narrative that links Russian cyber activity primarily with criminal hackers. The story is that hackers were recruited by organized crime gangs who were told by the state they could steal what they wanted abroad as long as they did not cause trouble at home. A bit like the oligarchs, they were tolerated so long as they understood their place and occasionally did a favor when ordered. This is true. But it overlooks another story. The real high-end Russian cyber espionage has always been carried out not by criminal hackers but by Moscow’s spy agencies.
In 1996, a young US Air Force cyber expert named Kevin Mandia was asked to respond to what turned out to be the first cyber espionage campaign to steal American military secrets. It was code-named “Moonlight Maze.” “Everything went back to Moscow,” Mandia told me years later. “They spoke Russian. They hacked out of Moscow.” It had been carried out by hackers within the FSB (which eventually absorbed much of the KGB’s signals intelligence capabilities). That same group—code-named “Turla”—would breach the US military in a serious incident in 2008 code-named “Buckshot Yankee,” when a soldier inserted an infected USB left by the Russians in a parking lot abroad. The code worked its way deep into classified systems and took more than a year to clear out. This group remains the most advanced, stealthy cyber-espionage threat actor, one that often eludes those trying to track its movements. Its aim for many years was simple—steal classified information.
This was the traditional world of stealing secrets, but Russia was also learning how to employ digital techniques to have real-world effects. In Estonia in 2007 the Baltic country’s institutions were subjected to massive denial-of-service attacks after a row with Russia. In Georgia the following year, Russia combined cyber and information operations with regular warfare. But it was from 2014 that Russia pushed the boundaries in Ukraine, hacking and then leaking information. Surveillance technology picked up an American diplomat’s angry private comments about Europeans, which were spread on social media. The Russians even took a power station off-line for a few hours in a carefully controlled act to test destructive capability. Ukraine was a testing ground but Russia was also beginning to deploy its more aggressive tactics farther afield.
MANDIA, NOW RUNNING a large private-sector cyber defense company, got a call from one of his “first responders” in mid-August 2014. They were responding to a breach at a government agency and they thought their boss would be interested. Mandia had been watching Russian government hackers back to the mid-1990s. “The rules of engagement never changed. So you’re talking about a twenty-year run where it’s the same behaviors,” he says. But that August something was happening. APT 28 (APT standing for Advanced Persistent Threat)—the GRU—was becoming more aggressive and looser. He even started to see APT 29—the normally stealthy SVR hackers—getting noisier. Usually, when these hackers realized they were being observed, they disappeared and went quiet. But now they were not bothering to hide their tracks. That summer he also saw several universities compromised with the aim of stealing the emails of professors critical of Putin. That strayed from the traditional targeting he had seen before. “Suddenly, their rules of engagement had changed,” Mandia says. “It was another warning sign. The unraveling of a known situation.” Those who had watched closely over an extended period, whether in Russia House of the CIA or like Mandia in the cyber world, could tell that something was changing. The NSA maintained what one official at the time calls a “caretaker” capacity on Russia. Despite the agency’s huge size, this was a tiny group that acted as a tripwire. If they saw something significant, they could ring an alarm bell. From 2014 onward, the small group was ringing the bell as loud as it could, the former official says, but no one acted on that knowledge.
In February 2015, Mandia’s team saw some strange traffic coming out of a French TV network—it seemed to be linked to APT 28. Little did they know that this would result two months later in Europe getting a major wake-up call.
APRIL 8 WAS a big day for the French TV network TV5Monde. The network had just launched a new international channel. Ministers had been in attendance. There was a party at a fancy restaurant in Paris that evening to celebrate. At 8:40 p.m., just as Yves Bigot, the director general of the network, was being served his appetizers, his phone lit up with calls and texts. He excused himself from his guests. He was given some bewildering news from the office. All twelve of the network’s channels had gone black. They had been taken off the air.
The technical team from the channel battled to work out what was going on. As each second passed they could see more critical systems were being corrupted. No one could understand why. “We were a couple of hours from having the whole station gone for good,” Bigot later told me in his smart Paris office. Fortunately, the launch of the new channel meant their engineers were on hand and one was able to cut off the connection through which the attack was coming from the internet. The phrase “cyber attack” is often used loosely for some minor breach or attempted breach of a system. But in this case it really had been an attack. And it soon became clear it was a highly sophisticated one. The attackers had first penetrated the channel months earlier to carry out reconnaissance. They had used multiple points of entry, even going through the Netherlands-based system used to remotely control the TV cameras in the studio. They had then designed bespoke computer code to destroy the hardware that controlled the TV station’s operations before unleashing it on April 8. The result was devastating. The company had to return to fax machines and wait months before it could reconnect to the internet. The cost was in the millions of euros. But one British intelligence source says the strike could have been even worse, if those behind it had wanted that. But who was behind it and why?
Russians Among Us