Start your day with intelligence. Get The OODA Daily Pulse.

The Ukraine crisis has shown that non-state groups and individuals are willing to enter the cyber fray in support of their political/ideological sides.  Whether it be concerned individuals or more organized groups like hacktivists supporting Ukraine and cyber crime gangs supporting Russia, non-state participants have engaged in various levels of cyber malfeasance. Their activities have targeted government, military, and civilian targets with attacks ranging in severity and longevity, though none have proven instrumental so far.  These cyber proxies have proven a willingness to engage with the same determination of state actors, even if their capabilities don’t necessarily reflect the same level of sophistication.

This isn’t really surprising.  Hacktivists and patriotic/nationalistic hackers are not a new phenomenon.  The former has been around as early as the 1980s, with the malware used to spread messages  of social and/or political protest. Similarly, patriotic/nationalistic hackers have been existent for nearly as long.  Perhaps some of the most notable nationalistic hacker activity occurred in 1999 when the United States accidentally bombed the Chinese embassy in Belgrade.  Chinese patriotic hackers executed attacks against U.S. government websites, defacing them with messages condemning the bombing.  Another larger Chinese patriotic hacker engagement occurred in 2001 when a Chinese aircraft and a U.S. spy plane collided in the air, killing the Chinese pilot.  This prompted what some consider to be the first “hacker war” between Chinese and U.S. hackers fighting it out in cyberspace in support of their respective governments.

Fast forward to 2007 when cyber attacks impacted Estonia when patriotic hackers not only escalated their involvement in the global political scene, but they also did so in a more organized fashion.  The Russian youth group Nashi (disbanded in 2013) executed a series of distributed denial-of-service (DDoS) attacks and causing several Estonian websites to crash. The attacks were in response to the government of Estonia’s decision to dismantle a Soviet-era monument.   While a representative of that youth group pressed that their actions were an act of civil disobedience, there were historically strong connections between the group and the Russian government.  The group was initially created under the Kremlin’s guidance, with evidence suggesting that it took its orders directly from the Presidential Administration during the time it was active.  That particular group dissolved when Moscow sought to have more centralized political control over such activities, thereby reducing the risk to which these proxy groups could expose the government.

Since the late 1990s, geopolitics have increasingly become a driver of hostilities between nation states and their non-state sympathizers.  Hostile cyber attacks have been influential in expressing one state’s views against another during periods of political tensions, as they have served as a signaling agent without crossing a threshold of destruction that could warrant more aggressive responses.  States have also used proxies – non-state entities closely aligned to their government benefactors – in this capacity as well, as they typically possess cyber capabilities, demonstrate unwavering loyalty, and provide at least one level of removal separating the government from proxy activities.  One thing has become abundantly clear: proxies provide another resource for states, and as such, states maintain some semblance of control over them, whether via direct order, through intelligence or military cut-outs, or allowing them to promulgate without restriction or interference.

States have always used proxies against other states for a variety of reasons and primarily as a means to escape the application of international law.  Perhaps no country better than Russia has demonstrated this, escalating their hybrid warfare strategy from “little green men” that helped quickly annex Crimea in 2014 to what is occurring today in Ukraine.  Moscow’s hybrid warfare concept addresses the entire “competition space” and includes a mélange of kinetic and non-kinetic subversive means to subdue the adversary and achieve greater geopolitical advantage as a result.  The interconnectivity of cyberspace has furthered the proxy war space due to its global reach, speed with which operations can be executed, and the affordability it provides operators therein to evade detection and identification.

From 2007 Estonia to the current crisis in Ukraine, states have leveraged proxies to their advantage, a norm that should continue as more geopolitical tensions and confrontations elicit the attention of the global community.  With increased attention being shown by hostile actors against critical infrastructures and industrial control systems, it is a matter of time before one of these proxies crosses the line, executes a damaging attack, or commits some level of malfeasance that transcends normal nuisance activities.  In this regard, the global community will have to consider if such an attack does not bear some state responsibility if the perpetrating group is such a proxy.

Cyber proxies have been operating far too long to be exempt from being held accountable for their activities.  While they technically may not be an official or agent of a government, the fact that a government benefits from their activities certainly suggests more than just a group trying to demonstrate nationalistic support.  In order to appropriately punish these actors, states will need to make a determination of the true relationship between the group and a government as not all proxy groups are equal. For example, there are “hacker-for-hire” groups that make money carrying out operations that ultimately benefit a state.  In these instances, it is clear that they are acting as contractor mercenaries rather than as full political/ideological loyalists of the government.  They are simply getting paid for their work.

However, this line blurs considerably when considering cyber criminals, some of whom have demonstrated loyalty to a state like Russia and who have a history of a tacit relationship in which both parties benefit from one another.  When a ransomware group like Conti publicly declares loyalty to a government at the start of a conflict, it bears questioning to what extent is this group, which has benefitted from Russia’s tacit approval of its operations, could fall in Moscow’s line of direction and control.  The answer to the question becomes more important if this entity deploys crippling attacks against key targets, acting less like a patriotic hacking group and more as an arm of the state.  Granted, this will require establishing a framework of acceptable criteria and thresholds of determining state responsibility for the effects caused by their proxies (something like the Atlantic Council has offered), but such an undertaking is increasing in importance the more cyber proxies join these geopolitical frays.

Critics will cite the difficulty of attribution when identifying proxies, no less their connection to a state.  However, this argument doesn’t hold up as firmly as some believe.  If governments are able to confidently publicly attribute the activities of shadowy cyber acts of espionage and disruption by the most advanced of state actors, they should be equally confident using the same tradecraft in making similar connections linking proxies with a benefactor government.  For example, a series of distributed denial-of-service attacks targeted the U.S. financial sector during Operation Ababil, originally believed to be a orchestrated by Muslim sympathizer hacking group was later identified as seven individuals working on behalf of Iran’s Islamic Revolutionary Guard Corps.  Certainly, this may be easier in some cases than others, but it’s nonetheless achievable.

Assigning some level of state responsibility via a “who benefits” perspective to proxy activities will provide governments with a means to combat this seemingly non-state threat with the same tools available to use against an offending state.  This includes use of sanctions, legal indictments, arrest and prosecution, and even “defend-forward” operations.  As evidenced thus far in Ukraine, the global community has come to Ukraine’s collective cyber defense and been successful in helping mitigate the effect of cyber attacks directed against it.  This type of international collective can be turned against cyber proxies as well, thereby impacting their ability to maneuver in and take advantage of cyberspace.

This by no means eliminates state use of cyber proxies, but successful countermeasures against them should reduce state’s reliance on them to commit cyber malfeasance because of plausible deniability.  What’s more, these types of proxies would be regarded extensions of the states themselves, making governments think twice about how these groups operate, especially if they are going to be held accountable for the actions that they commit.  And if a state denies ties to these proxies, they should be compelled to help identify and arrest them, or else suffer some form of economic or diplomatic punishment in consequence.

With more unified efforts in combating threats online, the more success has resulted.  If the Ukraine cyber effort is any kind of measuring stick, it shows that proactive collaboration takes the fight to the bad guys, keeping them off balance and guessing.  Reacting to cyber incidents is a thing of the past, so 2022.  Let’s keep it there.

Emilio Iasiello

About the Author

Emilio Iasiello

Emilio Iasiello has nearly 20 years’ experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as the private sector. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in such peer-reviewed journals as Parameters, Journal of Strategic Security, the Georgetown Journal of International Affairs, and the Cyber Defense Review, among others. All comments and opinions expressed are solely his own.