Cyber-enabled disinformation campaign targeted US-Poland alliance
Polish authorities have blamed Russia for a cyberattack in April, which planted forged documents and news articles on various military and news websites.
July 29, 2020 - Givi Gigitashvili - Articles and Commentary
In April, Poland was targeted by a sophisticated disinformation attack that aimed to undermine Warsaw’s relationship with the United States. Although the Polish government has not presented technical evidence or intelligence data to link the disruption with specific actors, Stanisław Żaryn, the spokesman for the country’s ‘Minister-Special Services’, has argued that this particular operation corresponds closely with Russia’s broader disinformation activities in Poland.
In light of the Kremlin’s assertive foreign policy in post-Soviet space, Poland now views Russia as an “existential threat” to its security. Warsaw has sought to boost military ties with the United States in order to counterbalance this Russian threat. However, growing military cooperation between the US and Poland is perceived as a threat by the Kremlin, which strives to undermine the alliance. Against this backdrop, the timing of the cyberattack is significant. Since March, Poland has been hosting several thousand American soldiers as a part of the ‘Defender Europe 20’ military exercises, with major activities occurring throughout June. Although Defender Europe 20 was slated to be “the largest deployment of US-based forces to Europe in the more than 25 years,” NATO reduced the size of trainings and rolled back some of its activities due to the COVID-19 pandemic. Long before the outbreak, however, Russia denounced these military exercises along its western border, describing such events as a destabilising factor in the region.
On April 22nd, hackers compromised the Polish War Studies Academy (WSA) website and replaced pre-existing content with a fabricated letter, which was allegedly written by the Polish General Ryszard Parafianowicz. The forged letter condemned the “occupation of Poland” by the US and called for Polish soldiers to resist. Subsequently, emails were sent to various Polish and international institutions asking recipients to comment on the general’s letter. Hackers also replaced articles on Polish outlets Prawy.pl and Lewy.pl with pieces containing the fake letter. According to Stanisław Żaryn, the main objective of this operation was to encourage anti-US sentiment in Poland.
Attributing this cyber attack to those responsible relies on investigating three main factors — technical, geopolitical, and intelligence data. The author of this article requested technical details of the attack from the Polish authorities but was denied as the intelligence data is not publicly available. Nevertheless, the DFRLab sought to find out whether geopolitical data could be used to validate the overall process that attributed this specific attack to Russia. This can be done by reviewing the Kremlin’s narratives against Poland and drawing parallels with previous cyber attacks targeting the country.
The overall context of the attack and past experiences
Russia has a long track record of launching cyber disruption operations against other countries. Consulting firm Booz Allen Hamilton recently analysed more than 200 Russian-led cyber incidents between 2004–19 in order to explore the logic behind the country’s cyber operations. The study revealed a direct connection between Russia’s cyber activities and its effort to counter external circumstances that are perceived to threaten the country’s military security. However, Russia’s responses to such circumstances are not always military. In line with its ‘hybrid warfare’ operational concept, the Kremlin often opts for non-kinetic, informational measures as a means of influencing the social and political environment of its adversaries. This also allows the country to largely avoid any risk of escalation. The Kremlin believes that such non-military measures can also be effective in achieving its regional security goals. As Russian Foreign Minister Sergey Lavrov vowed in February 2020, Russia “was not going to ignore the Defender Europe military exercises” and would “react in a way that will not create unnecessary risks.” At the same time, the minister stressed that “everything that we [Russia] do in response to NATO’s threats to our security we do exclusively on our own territory.”
The Military Doctrine of the Russian Federation published in 2014 defines the deployment of foreign military forces to territory adjacent to Russia as an external military risk. This could ultimately create conditions for armed conflict. Russia sees Defender Europe 20 as a military risk since the deployment of US soldiers in Poland potentially threatens Russia’s Kaliningrad exclave.
In the past, similar activities have encouraged the Kremlin to launch cyber attacks against Poland. After Russia annexed Crimea in 2014, NATO Supreme Allied Commander in Europe Philip Breedlove proposed expanding the alliance’s base in the Polish city of Szczecin. Shortly after his announcement, the cyber-espionage group Sednit, connected to Russia’s Main Intelligence Unit (GRU), attacked Polish websites managed by financial institutions and infected their systems with malware. In May 2018, the Polish Ministry of Defense announced plans to build a permanent US military base in Poland. This was followed by NATO’s Saber Strike military exercises in Poland, Latvia, and Lithuania. In response, Moscow openly expressed concerns regarding the military drills and GRU-linked actors ‘spear phished’ Polish government entities. This included the Ministry of Foreign Affairs, with malware simultaneously distributed on Poland’s Finance Ministry website.
These examples show that military exercises of foreign actors near Russia’s border sometimes lead to state-linked cyber activities. It also supports the argument that Russian actors may have been interested in orchestrating the latest cyber disruption against Poland amid the Defender Europe 20 trainings.
The April hack
On April 22nd, hackers compromised the War Studies Academy’s content management system and replaced pre-existing content with a fake letter allegedly written by the Polish Brigadier General Ryszard Parafianowicz. The letter criticised the ruling Law and Justice party (PiS) for participating “in various US scandals” and described the presence of US troops on Polish soil as a “so-called voluntary” and “forced […] occupation.”
Although the WSA functions as part of the Polish Ministry of National Defense, the incident did not affect the functioning of the ministry’s IT infrastructure nor its data processing.
Stanisław Żaryn stated that this specific disinformation attack was “congruent with disinformation activities carried out by the Russian Federation against Poland.”
Analysing the attack
The DFRLab analysed key narratives mentioned in the fabricated letter and compared them with those circulated in Kremlin-funded Russian media that discussed Poland.
The fake letter contained several false narratives. The first stated “we [Poles] are under American so-called voluntary occupation which is, in fact, a forced one.” Pro-Kremlin actors frequently denounce the presence of US troops in Europe. Consequently, Russian propaganda actively seeks to encourage negative feelings among Europeans toward American military personnel deployed to the continent. Additionally, the DFRLab found several instances of Kremlin-funded media calling US troops in Poland “occupants.” Indeed, a 2018 Ria Novosti article claimed that the establishment of US military bases in Poland amounted to a soft occupation. According to the article, Poland has become the main regional foothold for the US Army, which would allow Washington to occupy the entirety of Eastern Europe. Another Ria Novosti article quoted Russian State Duma Deputy Alexander Sherin, who asserted that the plan to build “Fort Trump” in Poland simply shows that the US president is the true leader of Poland and that the fort itself would be a symbol of this occupation. Along similar lines, Gazeta.ru claimed last year that by inviting American troops to the country, Poland had given permission for this ‘voluntary occupation’.
All of these statements are crafted to undermine relations between the US and Poland. Poland is the closest ally of the United States in Eastern Europe and the two countries actively cooperate in various fields. This includes security, international organisations and the economy. Poland is also the leading trade partner for the United States in the region, and the US is Poland’s top non-EU investor. Russia’s aggression against Ukraine was a wake-up call for Poland to seek higher security guarantees from its NATO partners. Therefore, the US military presence in Poland is not a symbol of occupation, but rather a display of NATO support for the country amid heightened security concerns over Russia’s activities in neighboring countries.
Another claim made in the fabricated letter was that “carrying out Defender Europe 20 maneuvers near the Russian border is an obvious provocation.” Russia’s Ministry of Foreign Affairs called the Defender Europe 20 trainings an “aggressive act,” which could trigger further tensions in international politics. Along similar lines, Kremlin-funded RT dubbed Defender Europe 20 a “provocation against Russia” and asserted that the largest US exercises in Europe in 25 years would only result in the deterioration of the region’s security. The article went so far as to suggest that the exercise has nothing to do with ensuring security in Europe and that its sole purpose was to irritate Russia. Sputnik asserted that the massive deployment of the US Army to a peaceful and prosperous Europe was a “planned provocation.” Another Sputnik article suggested that, although Russia is not explicitly mentioned as a target of Defender Europe 20, the anti-Russian theme of the operation is no secret to anyone.
Poland, meanwhile, invited Russia to send its representatives to observe the Defender Europe 20 military exercises. This offer was declined by Moscow, as accepting would only complicate its narrative of being the target of the exercise.
The article also suggested that “the phobic disposition of the Polish leaders dominates common sense. This does not promote Poland’s security; our country is rather perceived as a battlefield.” Pro-Kremlin actors have voiced similar claims many times in the past. Vladimir Dzhabarov, Deputy Chairman of Russia’s Federation Council Committee on Foreign Affairs, mocked Poland for wanting to be a “US military base” rather than a “normal” country. Similarly, pro-Kremlin media outlet Tsargrad “uncovered” a US plan to allegedly turn Poland into Washington’s “main anti-Russia sheepdog” in Eastern Europe, ready to fulfill any command.
Kremlin actors routinely disparage governments that choose a closer partnership with the West. This is especially true in the case of former Soviet republics and satellite states. For example, Russia has questioned Ukraine’s right to exist as an independent country and calls Georgia a “colony of the West.” Similarly, Moscow has lamented that Poland is no longer under its sphere of influence and chose to align itself with the “rotten West.”
Hackers distributed the fake letter by publishing it on various news websites
After the fake letter appeared on the WSA website, articles with the headline “Scandalous letter from the Rector of the War Studies Academy: PiS politicians lead us to disaster” were published on the websites of two conservative Polish outlets, Prawy.pl and Lewy.pl. Remarkably, both articles were posted retrospectively; the Lewy.pl article was back-dated to February 2019 and the Prawy.pl report was back-dated to February 2020. The editors of both outlets denied that their editorial teams published the articles.
As it turned out, both websites were compromised, as hackers had replaced the old content with articles containing the fake letter.
The DFRLab used the analysis tool ‘CrowdTangle’ to check the spread of these two articles on Facebook and found that multiple users actively spread the pieces to various groups before they were removed. A CrowdTangle analysis showed that the article published on Prawy.pl was posted 114 times and garnered almost 3,500 interactions. Simultaneously, the article published on Lewy.pl was posted 36 times and was interacted with nearly 1,500 times. This suggests that the intentional spread of these articles on social media was part of the cyber-disruption operation.
Moreover, the CrowdTangle search showed a link to the old Prawy.pl article, which was posted on the group’s Facebook page on February 27, 2020. Hackers had replaced this old link with the fabricated letter. As a result, the new content was available through the old link, which the hackers used to post the letter to numerous Facebook groups.
The articles also appeared in two other Polish news sites, ono24.info and Podlasie 24, as well as English-language site The Duran. The Duran is registered in Cyprus and its director, Peter Lavelle, hosts a political talk show on Kremlin-funded RT. The Duran has previously published false information and its coverage is heavily pro-Kremlin. The DFRLab could not confirm whether The Duran published an English version of the article intentionally or whether hackers also compromised its website.
DFRLab analysis has shown that this recent attack and Russia’s longstanding disinformation efforts against Poland share a number of similarities. This specific cyberattack is being taken seriously by Polish authorities since hackers managed to compromise the WSA website, which formally operates under the Ministry of National Defense. It is possible that malicious actors were testing the resilience of the cybersecurity system of strategic state institutions, with the aim of causing more harm in future. Taking into consideration the specific circumstances in which the two previous and latest cyberattacks against Poland took place, however, Polish authorities should hopefully be able to better anticipate when and how adversaries might launch similar disruptions in the future.
This article first appeared on the DFRLab Medium platform.
Givi Gigitashvili is Research Assistant, Caucasus, with the Digital Forensic Research Lab and is based in Georgia.