Vladimir Putin and the Little Green Men of the Internet

Russian President Vladimir Putin, in his weekend interview with NBC’s Megyn Kelly, said he was not the culprit behind the U.S. presidential election hacks of 2016 and argued the attacks could have been executed by anyone, even proud Russian patriots committing crimes against the Kremlin’s adversary without his personal knowledge.

The denials are reminiscent of Putin’s assurances during the spring of 2014, when the Russian President claimed the masked soldiers armed with Russian weapons appearing in Eastern Ukraine were simply “local self-defense forces.”  One year later, Putin admitted  Russian soldiers had essentially invaded Ukraine.

With Kelly, Putin appears to have applied a similarly thin denial to the 2016 U.S. election and the global intelligence consensus that there was intentional Kremlin interference, and it was approved personally by the president. Just as in 2014, Putin pushed back on the accusation that the Kremlin ordered the theft and publication of emails stolen from the Democratic National Committee and Clinton advisor John Podesta. But the Russian president surprised many when he offered Kelly a new explanation for the event: the hackers might have come from Russia, but if so, they were acting out of a sense of patriotism.

“Hackers are free people, just like artists who wake up in the morning in a good mood and start painting… The hackers are the same. They would wake up, read about something going on in inter-state relations, and if they feel patriotic they may try to contribute to the fight against those who speak badly about Russia.”

What’s the difference between a patriotic hacker and one that is clearly in the service of the Kremlin? Just like in any criminal case, it comes down to targets selected (motive), and tools used (evidence).

Private cybersecurity company Crowdstrike published last June the first portion of public evidence linking the DNC attackers to the Russian GRU, Russia’s military intelligence service.

“This adversary has a wide range of implants at their disposal, which have been developed over the course of many years and include Sofacy, X-Agent, X-Tunnel, WinIDS, Foozer and DownRange droppers, and even malware for Linux, OSX, IOS, Android and Windows Phones,” notes Crowdstrike in their report.

These are essentially GRU tools that have been left at the scene of various crimes, including phish attacks on France’s TV5 Monde and the German Bundestag in 2015. Crowdstrike’s analysis was corroborated by competing firms such as Fidelis and ThreatConnect.

The U.S. intelligence community eventually came to the same conclusion. In January, the Office of the Director of National Intelligence, or ODNI, released a report stating that the FBI, CIA, and NSA had “high confidence” that “Russian President Vladimir Putin ordered an influence campaign in 2016 aimed at the US presidential election.”

DNI has released multiple reports containing forensic evidence to back that up, one in December, (which was the subject of some criticism for throwing generic malware in with Russian specific malware) and a second one in February, generally described as a great improvement over the first. Both reports reconfirm the “high confidence” assessment the intelligence community first put forward. Both mention X-Agent.

A far more likely explanation than Putin’s patriot-hacker theory is also the more obvious one: they are no different from the brave “volunteers” the Kremlin unleashed on Crimea.

The actual operation to hack the DNC involved not only the GRU but also individuals that the GRU had hired or contracted, such as the so-called Esage Lab, which as Defense One reported in December, found itself on the State Department sanctions list for providing the GRU with “technical research and development.”

The Kremlin also uses criminal gangs for cyber support and “surge capacity” in some instances, such as the December offensive in Ukraine.

Some Russians are reportedly forced to provide the Kremlin with support once law enforcement discovers their other activities, which would make them not so much “patriotic” hackers as indentured.

Putin’s allegation simply does not fit with what observers and Russia experts in the West say they know about Putin’s government and how it operates. “While it's possible for non-RIS (Russian Intelligence Services) controlled hackers to choose their own targets independently, something as big as the DNC hack was certainly approved in the Kremlin,” said Mike Carpenter, senior director at the Biden Center for Diplomacy and Global Engagement at the University of Pennsylvania and a former deputy assistant secretary of defense for Russia, Ukraine, and Eurasia.

Outside of Putin, the overwhelming consensus is Russia’s government is working online against its adversaries in the same way that it succeeded in invading Crimea. They are attacking the enemy’s greatest weaknesses (in the case of democracies, their free and fair elections ) while avoiding direct confrontation. It’s a style of stealth warfare that blends together the hidden and the obvious and that goes by a variety of names such as hybrid war and the Gerasimov Doctrine, after Russian General Staff Gen. Valery Gerasimov who is, today, most closely associated with its ascendance.

Whatever you call it, it works. While NATO in recent years has devoted more attention to cybersecurity, that’s only one tactical portion of what is a much larger campaign with multiple dimensions that play off of the political divisions that dwell in the heart of modern democracies.

“To be blunt, these are tactics that NATO–still, in the final analysis, an alliance designed to deter and resist a mass, tank-led Soviet invasion–finds hard to know how to handle,” Russia researcher Mark Galeotti notes.

In other words, as long as it works, expect Russia’s patriotic (and undeclared) hacking to continue.