Russia’s 2019 cyberattack against Georgia was followed by a full-spectrum propaganda effort
The Kremlin unleashed a multi-channel counter-messaging campaign after it had been made clear Russia’s GRU was behind the attack.
June 2, 2020 - Givi Gigitashvili - Articles and Commentary
A joint investigation by Georgia, the United States, and the United Kingdom has concluded that Russia’s Main Intelligence Directorate (GRU) was responsible for a massive cyberattack against Georgia in October 2019. The results of the investigation were announced on February 20, 2020. Georgia’s Foreign Ministry has said that the cyberattack aimed to undermine the country’s national security and disrupt the proper functioning of state institutions.
The Kremlin has responded to an investigation that found Russia responsible for a cyberattack in Georgia in October 2019 by denying any responsibility and accusing Georgia and its Western partners of Russophobia. The Kremlin launched a multichannel strategy using official diplomatic channels, Kremlin-funded media, and fringe outlets to widely spread Russia’s narrative about the investigation. Within Georgia, pro-Kremlin outlets also accused the Georgian authorities of obstructing the chances of political normalisation between Russia and Georgia. This strategy of using multiple channels to spread the same narrative has become a staple of Russian disinformation efforts in recent years. It often derives from the understanding that readers are more apt to assume that a piece of information received from several sources is based on various perspectives and is more likely to be true.
The cyberattack was carried out on October 28, 2019, and resulted in around 15,000 websites being temporarily disabled. The list of affected websites included the official websites of the Presidency of Georgia, various courts, local municipalities, and civil society organisations. The work of several TV channels was interrupted as well.
The British National Cyber Security Centre (NCSC) assessed with “the highest level of probability” that the attack was conducted by the GRU’s Sandworm cyberwarfare team. The same unit has been deemed responsible for four different cyberattacks against Ukraine in the past several years, including BlackEnergy in 2015, Industroyer in 2016, NotPetya in 2017, and BadRabbit in 2017. Around 20 countries, including the United States, Canada, and the United Kingdom, condemned Russia’s latest act of cyber aggression against Georgia, stressing that it was part of the Kremlin’s long-running campaign to destabilise Georgia and an attempt to sow discord ahead of the 2020 Georgian parliamentary elections.
While the technical aspects that led to this attribution have not been publicly revealed, it is important to note that the United Kingdom assessed its confidence with the attribution to the Russian GRU at “95+” per cent probability. The United States reached a similarly unambiguous assessment, and a host of other allies have backed the attribution. Moreover, Russia has routinely exploited the unavailability of hard, supporting evidence in public attributions of cyberattacks — a deliberate exclusion typically intended to preserve analytical tradecraft and serve as a shield of plausible deniability.
Russian Ministry of Foreign Affairs and politicians dismiss investigation findings
The Russian Ministry of Foreign Affairs (MFA) was the first to dismiss the findings of the investigation, calling the charges politically motivated and chastising Georgia for unduly demonising Russia. The MFA ruled out the existence of any evidence proving involvement of official Russian structures in the hacking of the Georgian servers. It emphasised that the United States, the United Kingdom, and Georgia “were suspiciously” unanimous in their accusations against Russia. Russia’s Deputy Foreign Ministers Andrey Rudenko and Grigory Karasin claimed that Russia has no intention to interfere in Georgia’s internal affairs and that all the charges were nothing but anti-Russian propaganda.
One Russian deputy at the State Duma, Anton Morozov, offered another misleading explanation of why Georgia would unfairly accuse Russia of carrying out the cyberattack: to suppress growing pro-Russian sentiment among Georgians. He went on to say that the majority of Georgian citizens want friendly relations with Russia, but “officials in Tbilisi are doing everything to artificially separate the two nations.” Various Russian fringe media portals republished Morozov’s comments.
Morozov’s claim about creating discord between the two countries is ironic: if anything creates discord between Georgia and Russia, it is the latter’s occupation of Georgian territories. According to a National Democratic Institute survey, only 21 per cent of Georgians in 2019 believed that the country would benefit from better relations with Russia, down from 30 per cent in 2015. Moreover, 31 per cent of Georgians said that potential Russian military aggression is the top security threat. As a result, public support for Georgia’s integration into NATO is high at 74 per cent.
Russian diplomatic social media accounts amplify MFA narratives
After Georgia’s Western allies condemned the cyberattack, Russian diplomatic social media accounts began to reproach these countries. Russia has long employed its diplomatic social media accounts to disseminate disinformation and attack its critics, as well as to troll Western governments. In this particular case, the Russian Embassy in the United States published a Facebook post on February 22, 2020, saying that “groundless accusations” against Russia related to the attack are disappointing, but not surprising. The embassy blamed United States diplomats of “resorting to the methods of tabloid journalists in their work” and accused Washington of neglecting international norms and law.
One day prior, the Russian Embassy in Canada tweeted that Canada, Georgia, and the United States spread “Russophobic lies and fakes.” The accusation of Russophobia is a common strategy used by the Kremlin to deflect criticism. The DFRLab has previously shown hat the official use of the word “Russophobia” exploded after the annexation of Crimea in 2014, especially in the context of attacking foreign criticism of the Russian government. Recently, the Kremlin has also denied accusations that it spread disinformation about the ongoing COVID-19 pandemic, claiming that the accusations, despite mounting evidence, amount to nothing more than Russophobia.
The Russian Embassy in the United Kingdom wrote on Twitter that the United Kingdom was trying to “keep the image of hostile Russia on life support.” The embassy suggested that British authorities should collaborate with Russia on “#cybersecurity — one of the matters of mutual interest.”
These messages conveyed through diplomatic social media accounts are hypocritical. Between 2006 and 2016, Kremlin-affiliated groups perpetrated 14 cyberattacks against various countries. Under these circumstances, it seems highly unlikely that the United Kingdom, the United States, or any of its allies, for that matter, would cooperate with Russian in the cybersecurity field.
RT and Sputnik come into play
The next steps in the Kremlin’s full-spectrum propaganda response were instituted by the large Kremlin-funded outlets, RT and Sputnik. On February 22, 2020, RT suggested that Western countries — primarily the United States — initiated the “so-called investigation” with the aim of defaming Russia and that Washington deceived Georgia by providing false investigative results. RT quoted a “pundit,” Yuri Rogulev, who claimed without evidence that the West was using a well-known propaganda mechanism by incessantly repeating lies in an effort to make them come true.
Sputnik Georgia interviewed information security expert Vitaliy Vekhov, who claimed that if the GRU carried out cyberattacks against Georgia, it would have been implemented on a much more professional level. Without presenting any evidence, he went on to say that the attack was carried out by a commercial entity financed by political forces with a specific political agenda in Georgia. He also said that one should consider the possibility that the Georgian government itself gave the green light for the attack, only to blame it later on Russia.
Sputnik Georgia also published a video titled, “the West launched a new information war against Russia,” with subtitles, saying that after accusing Russia of executing this cyberattack, United States intelligence also prepared a report claiming Russia was helping Trump in his reelection bid. Sputnik Abkhazia interviewed tech journalist Aleksandr Maiyarevskii, who assessed that the cyberattack was an act of hooliganism rather than a state-sponsored act. He claimed the GRU could not have carried out this attack, as it had not targeted Georgia’s critical infrastructure, which he considers the GRU’s prime targets in Georgia.
Georgia has never denied the involvement of United States and British representatives in this investigation. Moreover, their participation was crucial as Georgia lacks the technical capabilities to investigate a cyberattack of this magnitude on its own. Furthermore, while the attack did not target Georgia’s critical infrastructure, it did intend to undermine the country’s sovereignty and sow discord ahead of parliamentary elections — a goal aligned with the GRU’s strategic interests.
Russian fringe media outlets join in
Russian fringe media portals have also picked up the narrative about the West using this cyberattack as a political weapon against Russia. Voennoe Obozreniye claimed that the United States wanted to use the “alleged cyberattack“ to justify additional military assistance for Georgia. The author speculated that after the attack, the United States would promise military aid to Georgia and Washington would help Tbilisi launch a military provocation against Russia. The United States has promised Georgia only capacity building and technical assistance to help strengthen public institutions and guard the country from cyber threats.
On February 21, 2020, Mirovoe Obozrenie published an interview with pro-Kremlin expert Mikhail Sinelnikov-Orishak, who suggested that both Georgia and the United States use Russia as a scapegoat. One day earlier, Pravdo Ryb published an interview with another pro-Kremlin political expert, Anatoly Wasserman, who asserted that the majority of cyberattacks in the world are carried out by United States intelligence agencies, which subsequently try to shift the blame on their opponents.
Pro-Kremlin Georgian media outlets pick up anti-Western narratives
The Kremlin’s influence agents in Georgia have also spread anti-Western rhetoric related to the cyberattack. On March 2, the pro-Kremlin Georgian outlet Saqinform published an article suggesting that, by accusing Russia, the United States and Georgia tried to prevent the participation of the Russian Foreign Minister Sergey Lavrov in the Council of Europe’s ministerial meeting in Tbilisi.
On February 26, Georgian authorities made a decision to transfer the Council of Europe ministerial meeting to Strasbourg, France. One of the main reasons for the change in location was the fear that the Russian delegation would face large protests in Tbilisi. Considering the effort put into organising the event in Georgia, it is unlikely that the Georgian authorities would be interested in provoking anti-Russian sentiment without evidence that Russia was responsible for the cyberattack.
The experience of several post-Soviet countries has shown that Russia sees key political events, such as elections, as fertile ground to influence political processes. To that end, Moscow has used overt and covert tactics to interfere in Georgia’s electoral process. A 2019 report by the U.S. Agency for International Development and the East-West Management Institute found that Georgia’s political institutions are highly vulnerable to Russian influence operations, particularly ahead of the 2020 elections.
In this case, Moscow was able to mobilise multichannel, full-spectrum propaganda immediately after the investigation’s findings became public. The use of a range of diverse media sources, coupled with the reinforcement of its plausible deniability arguments, is designed to create the impression that Russia’s version of events is more authoritative. Ironically, Russia’s over-reliance on this two-pronged approach has rendered the strategy painfully transparent.
This article first appeared on the DFRLab Medium platform.
Givi Gigitashvili is Research Assistant, Caucasus, with Atlantic Council’s Digital Forensic Research Lab.
Dear Readers - New Eastern Europe is a not-for-profit publication that has been publishing online and in print since 2011. Our mission is to shape the debate, enhance understanding, and further the dialogue surrounding issues facing the states that were once a part of the Soviet Union or under its influence. But we can only achieve this mission with the support of our donors. If you appreciate our work please consider making a donation.