Activities of the Russian armed forces on the front of information warfare – case study and involvement of a non-state actor CyberBerkut

Introduction

Information operations conducted by Russian Federation against its political adversaries are often portrayed – especially in media – as well coordinated multi-level tasks performed and planned by highly specialized entities gathered in a centralized state’s command structure and managed directly by the Kremlin. Such a description helps understand strategic and long-term goals that Russian Federation is trying to achieve in regard to disinformation and propaganda activities. However, it does not help much to understand many phenomenons in the above-mentioned fields on the operational level and the ways they are functioning on on-going basis, before they become part of well-established disinformation and propaganda apparatus. In-depth analysis of some of the Russian influence operations allows to make an assessment that the Kremlin is orchestrating hacktivist-like or civil-like groups and movements which perform various tasks in relatively independent way (to some point) and that are gradually and cautiously embedded in highly sophisticated state-run structure once they prove their usefulness. One of such a group is “CyberBerkut” (“КиберБеркут”) operating since 2014 r. against post-Yanukovych Ukraine and trying to delegitimize its legally elected authorities as well as to undermine the country’s position in the eyes of Western allies. 

Origins and profile

First activites of CyberBerkut were observed in march 2014 as a part of broader hostile Russian operation against Ukraine in the wake of illegal annexation of Crimean peninsula and the invasion on eastern Ukraine. At that time the group conducted several hostile operations in cyberspace aimed at disrupting the functioning of the Ukrainian state. Those activities included, among others, distributed denial-of-service attacks (DDoS), network intrusions, DNS hijacks and data destruction. The group positioned itself as pro-Russian hacktivist grassroot organization formed by Ukrainian citizens unhappy with pro-democratic changes in the country. However, the level of CyberBerkut’s organizational capacity and  coordination of activities with Russian military and political offensive call alleged non-state nature of the group into question. Although it’s difficult to prove a clear and direct link between the Kremlin and CyberBerkut it seems more than likely that there are strong indirect ties between both and CyberBerkut plays a subordinate role in this relation. Analysis shows that both target overlapping between the group and other entities engaged in specific Russian operations as well as tools and information used by the group in those operations may likely be imposed from above. There is evidence that CyberBerkut coordinated its activities with APT28 group which is considered by experts to be curated by the Main Intelligence Directorate of the General Staff of the Russian Armed Forces (GRU). The degree of such coordination allows to assume that the same handler (be it a person or an institution) is supervising both entities to ensure a certain level of work and information flow. 

Given the nature of the Russian hybrid warfare, which is extensively exploiting vague attribution in many ways and areas, CyberBerkut should serve as an example of weaponization of the concept of the grassroot movement to legitimize hostile, state-runed activities in cyberspace. However it is possible that in the initial stage it was granted by the state supervisor a certain level of independence in its actions and therefore could be considered as “non-state” (yet still controlled). Such a move could give the group a space to develop its natural strong points. There is a major shift in CyberBerkut’s modus operandi that could back such a claim – in late 2014 the group started to focus more on data leakages rather than on targeting IT infrastructure and performing cyberattacks. Since then it specialized in information operations aimed at public opinion and in some cases individual voices relevant for the public debate in Ukraine and abroad. The group became successful enough to get media coverage and become recognizable in both Russia and Ukraine as well as among Western experts. 

The group maintained a high level of consistency regarding the main target despite being active for a relatively long time which in other cases could naturally lead to burnout or changing the main area of interest. Since the very beginning, CyberBerkut’s operations have focused primarily on Ukraine or were aimed at Ukraine in the broader international context, regardless of the nature of those operations (be it cyber attacks or information-oriented activities). Most of the group’s recorded activities were performed within the first two years of existence, however it remained active for the whole time until now, although with significantly lower intensity, in line with intensity of the Russian aggression towards Ukraine. It is likely that once the conflict intensifies CyberBerkut will activate more as well.  

Most characteristic tactic of the group in recent years were data leakages. Unlike many other hacktivist groups interested in gaining credibility among a broad audience and therefore support for whatever cause, CyberBerkut does not provide information on how and when it obtained leaked information. Thus it is legitimate to assume that at least some of the leaked information and documents were not obtained by the group itself. Also it is impossible to assess the significance of many of those documents as well as their authenticity. This leads to the conclusion that either the group does not attach much importance to the (dis)information it spreads as long as it realizes specific objectives or it is simply provided with materials coming from third parties and CyberBerkut as such has no capacity to verify the information. Most likely it is the mixture of both, which indicates the group’s role in the Russian disinformation apparatus as a center of distribution of specific anti-Ukrainian narratives.

Capacities

It is difficult to assess CyberBerkut’s capabilities and exact scope of activities it could potentially perform on its own. Taking into account already conducted tasks, one could draw the general conclusion that the group can easily choose tools and tactics from a relatively huge armory depending on current objectives. However historical analysis gives a more nuanced answer – although the total scope of all analyzed activities since 2014 can be seen as broad (ranging from relatively complex operations targeting infrastructure in cyberspace to leakage of poorly fabricated documents) in fact the operations were rather limited to specific areas (either cyber, or information) once they were in motion. Given the fact that the group relatively early moved towards information operations, it brings the analysts to another conclusion, that technical capacities of CyberBerkut might be limited at the moment and that around fall of 2014 the group consciously changed its profile towards information-oriented operations. The reasons for this change need further investigation, but there are two possible explanations:

1. either the group experienced outflow of skilled technical operators and was unable to fill out the gap or
2. a strategic decision was made to change the profile and specialize in distribution of disinformation. 

There are several explanations why the group would change its profile, but all are hypothetical and could not be verified at this point. It is possible that CyberBerkut was meant to serve from some point as a front organization diverting attention of media and public opinion from other groups like APT28. Despite difficulties in assessing CyberBerkut’s technical capacities and exact role in the Russia-runed influence campaigns and operations, it is quite clear that the group is well organized and able to coordinate its activities with other pro-Russian or Russian groups as well as Russian state as such. These include for example quasi-republics established and supported by the Kremlin in eastern Ukraine, especially the so-called “Donetsk National Republic” (DNR). Given the fact that occupied part of Donetsk Oblast remain inaccessible for international observers and Ukrainian military, while it is openly supported and controlled by Russia, it seems very unlikely that CyberBerkut, which managed to shoot propaganda videos there, has no ties to local puppet authorities  

Narratives, techniques and targets 

Narratives spread by CyberBerkut range in terms of topics but the analysis shows that most of them are aimed at striking fear in the audience (see Appendix 1). According to well examined Russian tactics, fear, as primal emotion, prevails many or even most of the other cognitive and emotional reactions and instigates instant and compulsive actions, the so called fight-or-flight response. In real life these would either result in avoiding the source of fear (flight) or attempts to mitigate or eliminate it (fight). In case of information operations runed in state-controlled propaganda media as well as in cyberspace, where objects of influence are in most cases deprived of any possible reaction, fear leads to frustration which is then channeled in rather passive, yet still meaningful ways, like inflaming hatred and granting support for extremist movements or authoritarian political regimes, which are presented as those “really” controlling the situation (often in opposition to allegedly impotent democratic systems). Thus it is beneficial to Russia to maintain a certain level of fear among the audiences in a constant manner with the help of well crafted (i.e. appealing) narratives. One of such examples is the conspiracy theory that the US is “encircling” several nations and states with secret labs producing chemical and/or biological weapons. CyberBerkut played out this narrative too, although adapted to Ukrainian context, claiming that Ukrainian special forces – supervised by the US military specialists – try to biologically contaminate some area in the so called “DNR” inhabited by civilians with radioactive waste. The group posted a list with names of American military personnel, allegedly involved in the plot, though without pointing out how and where it obtained the information. 

Given example is the typical CyberBerkut’s leak operation, where source and reliability of information cannot be proved, yet it does not necessarily matter much since the effect is measured in terms of psychological response within the audience rather than convincing the unconvinced ones with reliable and authentic materials. Another, more sophisticated example is the hack and leak type of operation. In this case the group tries to hack some target, obtain real information and use it in a certain way. It is worth to note, that the hacked target may not actually provide the attacker with much useful information at all – already the fact that it was hacked may be used to legitimize forged and fake information distributed afterwards. The main goal of hack and leak operations is to discredit the target (its motivation and capabilities) and often to ridicule it. This was the case of an operation conducted by CyberBerkut in 2015 against the Ukrainian Information Army, serving as a part of Ukrainian Ministry Information Policy. CyberBerkut managed to get access to several emails of the UIA and posted them online. Experts believe that the emails are authentic and should be considered as an excerpt of broader communication between UIA staffers. Since the leaked messages stressed out efforts of UIA members to artificially boost their social media outreach it was meant to diminish their real outreach and portray the organization as incapable of building natural support for their cause.    

Targeting Ukrainin state institutions is typical for CyberBerkut and the group managed to build a relatively big portfolio of such victims already within the first two years of existence. At the beginning the group used its technical capacities to disrupt functioning of the institutions and therefore undermine their reliability during the most intensive period of Russian offensive, both in terms of military activities and propaganda ones. Several DDoS attacks were aimed, among others, at Ukraine’s Prime Minister’s website and Ukrainian Central Election Commission (CEC). Apart from damaging the reputation of the CEC with DDoS attack, targeting it on several other levels (network intrusion, data acquisition, software destruction) could also potentially influence the turnout of the presidential elections conducted after pro-Russian president Yanukovych was ousted and fled to Russia and thus could give the Kremlin arguments to undermine democratic choice of Ukrainian people and play the issue both internationally and domestically to diminish the mandate of the new Ukrainian elites. 

CyberBerkut targets non-state organizations and actors as well. In 2014 the group conducted a DDoS attack against PrivatBank, owned by Ukrainian oligarch Igor Kolomoyskyi at that time. The same year Kolomoyskyi was appointed by the Ukrainin government as a governor of Dnipropetrovsk Oblast and supported territorial integrity of Ukraine in the face of Russian aggression. The operation was conducted with the help of a botnet for hire. In May and November 2015 CyberBerkut tried to compromise NGO Open Society Foundation with data leak. Leaked documents were supposed to prove major mismanagement in the Ukrainian Ministry of Finances and tried to tie it with George Soros, American billionaire and founder of Open Society, who openly criticized Russian regime and V. Putin personally. Targeting Soros CyberBerkut used indirectly one of the well known Russian vectors of influence, which portrays Russia as a besieged fortress under attack of corrupt Western liberal elites evoking “colour revolutions”. Also independent journalists actively investigating Russian aggression and interference in Ukraine were targeted by CyberBerut. A bright example of such an action is the operation against David Satter in 2016, a US journalist whose stolen emails were leaked as a consequence of a phishing attack. Leaked messages contained information on alleged involvement of National Endowment for Democracy (NED) in Ukrainian revolution. NED is a US grant-making foundation providing financial support to non-governmental organizations around the world. One of the main sources of financing of NED are the US Government agencies. By leaking Satter’s emails CyberBerkut tried to play similar vector as in case of Soros, “proving” that the US finances ani-Russian revolutions. 

Table with exemplary targets distinguished by sectors and types of attack

“Fake” beheading of James Foley – case study

To better understand the nature of CyberBerkut’s operations and the group’s capabilities regarding distribution of produced disinformation it is worth to examine the case of allegedly staged beheading of the US war correspondent James Foley who was captured and murdered by ISIS in Syria in 2014. The story of Foley immediately went viral and was covered by most influential media in the world since it concerned the first US citizen murdered by the ISIS terrorists and it was brutal by the nature of the event itself but also due to the importance that ISIS propagandists attached to this case. The execution was carried out by Mohammed Emwazi (a.k.a. Jihadi John), filmed and released by ISIS to spread group’s hateful messaging. It was well prepared in terms of propaganda as well as in terms of technical standards.

Few days after release, some media reported that according to “an international forensic science company which has worked for police forces across Britain” the recorded moment of beheading was likely staged since there was no blood coming from Foley’s cut throat. It is possible that ISIS decided to soften the video at this point to safeguard messaging that could suffer when combined with too much brutality. At the same time anonymous experts from the mentioned company claimed that “no one is disputing that at some point an execution occurred”.

The forensic analysis focused on technical details of the footage and  did not deny that the beheading actually took place, while the media presented the topic in a rather sensational way. This helped to pave the way for sophisticated information operation runed consequently by CyberBerkut against the US in regard to the current political situation in Ukraine. 

  Example of media coverage of the forensic experts findings, The Economic Times

Almost a year after ISIS released their video, CyberBerkut published in July 2015 documents allegedly belonging to one of the senator John McCain’s staffers. The group claims that during his visit to Ukraine in 2015, which really took place, McCain came together with some associate whose device was supposedly compromised and CyberBerkut got access to confidential documents. The key finding of the group was a video allegedly proving that Foley’s beheading was staged in a much more sophisticated way than it was reported by the media in 2014. The video shows a film crew equipped with professional lights and cameras in some place looking like a studio and two men resembling Emwazi and Foley, standing in front of the green screen which is widely used to display digitally added backgrounds. The video is silent and looks as if the crew was rehearsing the execution. The association with the ISIS-released video is obvious. This suggests that the whole beheading could be staged and took place somewhere else than Syria. Later on CyberBerkut released quasi-forensic and analytical-like video in which the group, frame by frame, tried to prove that the whole beheading was faked. This was meant to legitimize the first video and enhance messaging that McCain was involved in staging the case.   

Two details combined with well-suited hints leaked by CyberBerkut suggest that the video could be shot in the US. First of all two members of the crew wear caps which are not very popular outside the US. Second, one of the crew members seems to be female, since her hair is in a ponytail. It is almost impossible that ISIS propagandists, due to their fundamentalist muslim believes, would allow any woman to participate in this kind of activity. Also contextual material added to the leaked footage makes the audience believe it has something to do with the US. The group used a piece by Jeffrey Stein, a former intelligence officer in Vietnam and a long-standing expert in security matters, who published his column in The Washington Post. The piece titled CIA unit’s wacky idea: Depict Saddam as gay comes from 2010 and describes plans of the CIA revealed by anonymous employees of the Agency to target Saddam Hussien with a smear campaign prior to the Iraqi invasion. Among others, there was a vague plan to stage a video of poor quality showing Hussein in a compromising situation and distribute it among Iraqis. It gives general idea how some groups within the CIA could think regarding psychological warfare at that time, however it mostly stresses incapability of the Agency in this matter and shows ignorance of some of its employees rather than reveals well crafted plot. These aspects are ignored in the messaging of CyberBerkut though. The main goal of CyberBerkut was in this case to portray the US as a country ready to release fake information to justify its aggression against other countries, like Iraq. The logical consequence of such a reasoning was the conclusion that the same could happen in the case of Ukraine.  

A frame from video footage allegedly found on John McCain’s staffer leaked by CyberBerkut

The campaign was very successful in terms of outreach. Leaked information was distributed by many media (including local ones) and CyberBerkut was named several times gaining worldwide credibility and recognition as a hacktivist group. The distribution model of this campaign was typical for Russian disinformation and influence operations. First it appeared on CyberBerkut website, which remains a niche source of information and by no means can be considered reliable. Then it was published by Paul Joseph Watson, associate of Alex Jones whose InfoWars website distributes far-right conspiracy theories, which are often in line with Russian propaganda. From there it quickly spread on several blogs, tech-focused websites, media, local media, social media (see Appendix 2) and other community-driven-like websites, which gather like-minded users seeking for “alternative to the mainstream, independent” sources. All they became amplifiers of disinformative influence and provided credibility to the operation. One of the examples is Polish local newspaper Gazeta Wrocławska, which not only amplified CyberBerkut’s messaging taken from Watson, but even ignored his original comment in English and stated misleadingly that Watson believed the US created ISIS. The newspaper did not even try to assess the credibility of the material leaving it to the readers. 

Screenshot from Gazeta Wrocławska website, highlighted pieces by INFO OPS POLSKA

This information is still easily available online, although it’s been six years since it was first released. For all this time it was and is affecting unaware Internet users with a narrative that the US is plotting against other countries and is ready to go for a war without significant reasons. While it may be difficult to prove direct and short term effects of such a messaging, it may have serious long term consequences, when the US will be confronted with another international crisis which will require resolute action and broader political (both national and international) support. The messaging harms the “interventionist” approach as a concept as well as prominent American political figures engaged in strengthening the position of the US as a global leader, like John McCain who advocated for intervention in Syria and actively supported Ukraine in the face of Russian aggression. The aim here is to depict the US and its political elites as irresponsible and evil and to develop among international public option aversion – on emotional, irrational level – to the US in general to more easily undermine American foreing policy in the future.  

Brand appropriation and the question of attribution 

As mentioned in previous sections, CyberBerkut seems not to care much about its credibility as a hacktivist organization. Unlike most independent groups that gather ideologically motivated hacktivists, CyberBerkut puts very little – if any – effort to convince target audience(s) to the group’s intentions by providing any reliable information on how and where it gathers leaked data. Putting aside discussion whether such a move would put the group at any risk in terms of operational security, it would definitely let analysts to assess to some extent organizational outreach and capacities. This in turn could provide more insight into the group’s influence on people all over cyberspace and possibly give an idea how to profile its active supporters and whether they’re able to conduct specific types of operations. Broad support for CyberBerkut’s activities would also legitimize the group and serve as a valuable asset in terms of marketing. However there is not much information of this kind, which is likely a conscious move made by the group’s management/supervisors to cover traces linking CyberBerkut with Russia as the main provider of data and orders and create an illusion of support from Ukrainian citizens, while real support seems scarce.

Nevertheless the group seems aware that at least facade kind of brand is needed to justify political activity in the cyberspace and since CyberBerkut is not willing to reveal its capacities and motivation as well as it seemingly does not want to spend time and resources on building own trusted brand, it has just used already existing one. In the logo – which first and foremost misleadingly refers Ukraine due to the Ukrainian flag used there and to the loyal to the former president Yanukovych police special unit Berkut –  CyberBerkut refers directly to Anonymous movement using the slogan “We do not forget, we do not forgive” (Мы не забудем, мы не простим). Anonymous seems like a natural choice for the group willing to hide its own structure. Anonymous movement is a world-wide recognizable group of hacktivists, which manage to remain vague for most of the public opinion due to its loose structure and rather general goals. Yet it is easy to recognize thanks to the iconic mask of Guy Fawkes used extensively by the group members and supporters. They operate globally and have no single center of command or any similar structure. Thus it makes it relatively easy to establish a branch within the movement. Also the fact that Anonymous are considered anti-establishment, anti-corruption and being in opposition to states in general makes it attractive for CyberBerkut, which may want to hide its ties with Russia for many reasons.

Surprisingly, despite all the evidence indicating close ties of CyberBerkut to Russia and puppet authorities of so called “DNR” this relatively primitive branding works pretty well. Most of the available sources refer to the group as “hacktivist”, “online community” or “Russian hackers” often adding “pro-Russian”, but not always. Also cybersecurity experts are cautious and rarely – if ever – give clear answers regarding the attribution issue due to technical difficulties in providing enough empirical evidence without exposing their own capabilities and due to the complex nature of cyberspace. Yet the observation and analysis of CyberBerkut activity over the last seven years provide enough data to make an assessment that the group was most likely established by Russia-owned or Russia-controlled entities with an intention of creating the illusion that the group is a grassroot-like organisation acting voluntarily against Ukraine. Such a structure gives the Kremlin a free hand in case it would be necessary to cut it off, while safeguards most of the operational propaganda and disinformation activities. 

Summary

CyberBerkut is a hacktivist-like group most likely managed by Russia-owned or Russia-controlled entities or institutions linked to the Kremlin. It appeared on the surface in 2014 in the face of Russian annexation of Crimea and invasion on eastern Ukraine as a part of a broader hybrid. The group is well organized and until late 2014 had a certain level of technical capacities allowing it to disrupt Ukrainian public institutions in cyberspace. From that time CyberBerkut specialized in information operation – especially in data leak – rather than targeting physical infrastructure. For most of the time the group’s main targets were Ukrainian public and state institutions, although other types of actors (NGOs, private entities, journalists) involved in Ukrainian fight against Russian aggression were hit as well. CyberBerkut spreads toxic anti-Ukrainian narratives and plants them carefully in cyberspace on a regular basis, but the group is also capable of planning, preparing and conducting sophisticated and tailored influence operations like it did in 2015 in case of beheading of war correspondent James Foley. CyberBerkut exploits the Internet to hide its ties to Russia and position itself as an Internet community, although analysis shows it is most likely well embedded in Russian state propaganda and disinformation machine. The degree of the cooperation with Russian state and other Russia-controlled hacker groups indicates the state character of CyberBerkut despite non-state branding used by the group.  

Report by: INFO OPS Poland Foundation and Res Publica – Civic Resilience Center

                     https://infoops.pl/                                                  https://respublica.lt/  

Appendix 1 – exemplary narratives divided by topics/areas spread by the group in years 2014-2018 and later. 

Appendix 2 – excerpt from comment section (top comments as at July 21, 2021)  under Paul Joseph Watson’s video Staged ISIS Beheading Video Released by Russian Hackers published on YouTube on July 13, 2015. 

Pushing narratives through comment sections – regardless of the media – with the help of artificially made and mostly anonymous accounts is typical for Russian influence operations. It is meant to create the illusion of broader public support for some ideas and therefore put real users under pressure to start to think in a similar way due to the groupthink phenomenon. Successfully pushed narratives start to live their “own lives” at some point and become expressed by real users as their own views and opinions influencing new stratas of users both in cyberspace and in the physical world (e.g. friends and family).