Lithuania is the latest country to announce that it has busted a Russian spy ring on its soil. The allegation that two of its citizens were spying for Russia comes a few weeks after the Dutch authorities rolled up another of the Kremlin’s “substantial espionage networks.” It’s been a tumultuous few months for President Putin’s overseas espionage operation, which keeps getting caught in the act.
It is unclear if a string of recent arrests blowing up Russia’s overseas missions is merely a coincidence, or whether there has been some kind of leak from inside Russia’s notorious intel agencies. “There is some penetration,” Andrei Soldatov, one of Russia’s best-informed trackers of the security agencies, told The Daily Beast. “Whether it’s relatively new or old, I don't know, but it looks like a big decision was made to use that penetration to slow down Russian offensive ops.”
By far the biggest discovery of a recent Russian overseas operation was the massive cyberattack against U.S. government and private company websites, revealed last month.
The unprecedented attack was first reported in early December by the computer security firm FireEye when its own systems were breached. Russian hackers broke into the networks of key U.S. government agencies, including the Commerce, Treasury and Homeland Security departments, as well numerous Fortune 500 companies. The intrusion occurred in February 2020, when malware was embedded in the software produced by the Austin-based IT management company SolarWinds during a routine update, which meant it could penetrate the government departments using SolarWinds without a direct hack.
Michael Daniel, who was coordinator of cybersecurity strategy on President Barack Obama’s National Security Council from 2012 to 2017, told The Daily Beast that this was yet more evidence that Russia’s operational tradecraft was “top-of-the-line,” but he did point out that it was a blow for them to see the hack detected.
“The operation ran for nine months before it was uncovered, but it is possible that they were hoping it would last much longer,” said Daniel, who is now CEO of the Cyber Threat Alliance.
Although U.S. authorities did not formally name Russia as the “likely” source of the cyberattack until almost a month after the news broke, journalists and cyber experts quickly attributed the attack to the Russian Foreign Intelligence Agency (SVR), which operates a hacker group called “Cozy Bear” or A.P.T. 29.
But the hype over the success of the SVR is overblown. The attack would have been a joint effort with Russia’s predominately domestic counterintelligence agency, the FSB, which has much more formidable cyber capabilities than the SVR. Cozy Bear has been implicated in numerous previous hacking incidents and is also linked to the FSB, which has been conducting aggressive cyber operations against the West for years.
As a counterintelligence agency, the FSB manages a system known as SORM, which carries out Russia’s powerful domestic cyber-surveillance. But under the Putin regime, the FSB’s operations have expanded to include intelligence-gathering and so-called active measures abroad, where its highly sophisticated computer technology and expertise has become an increasingly valuable weapon. Two subdivisions of the FSB, the 16th Center (Electronic Intelligence) and the 18th Center (Information Security), are reportedly responsible for foreign cyber-ops. The U.S. government has long been aware of the FSB's role in cyberattacks. When then-CIA Director John Brennan warned Russia to stop its election interference in August 2016, he telephoned the head of the FSB, Aleksandr Bortnikov.
Soldatov, whose book The Compatriots chronicles the work of Russian agents overseas, said the spy agencies often work together. “The FSB’s cyber capabilities are much bigger than the SVR’s. The FSB is also in a perfect position to recruit hackers, since the FSB as a law enforcement agency prosecutes cybercrimes. And it can rely on the expertise of private cyber companies, since the FSB is also a regulator of the cyber market in Russia, and everybody depends on the FSB. In cyberattacks against the West, the SVR’s role, as an intelligence collection agency, might be the target selection—identification and naming of the organizations of interest for the agency.”
In other words, while the SVR might set the intelligence goals, the FSB does the actual hacking, often using the expertise of hackers who flourish in Russia’s criminal underground.
Daniel, the former NSA adviser, noted: “The Russians are able to carry out cyberoperations so effectively because of their organizational capacity. They can combine their intelligence targetters with their technical experts to carry out cyberoperations that achieve their broader strategic objectives.”
He said it was it unlikely that the hacking was discovered through human intelligence, a view echoed in media reports. According to sources cited by CNN, the hackers probably alerted FireEye to their presence when they took an aggressive “calculated risk,” by moving laterally from email targets to more sensitive data.
The trail of this high-end cyberespionage operation may be traceable. According to the New York Times: “Some of the compromised SolarWinds software was engineered in Eastern Europe, and American investigators are now examining whether the incursion originated there, where Russian intelligence operatives are deeply rooted.” Hackers reportedly gained access to SolarWinds software though a product called TeamCity that is used by SolarWinds and produced by the Prague-based computer software company JetBrains. Founded by three Russians, JetBrains has offices in St. Petersburg and Moscow and is a client of a St. Petersburg consulting company, Digital Security, which has been sanctioned by the U.S. for its involvement in FSB cyberoperations.
Prague is known to be a center for Russia’s coordination of its intelligence operations. In October 2019, Czech intelligence officials announced that they had dismantled an FSB espionage network that used the server infrastructure of Prague computer companies for cyberattacks against the Czech Republic and NATO countries.
Despite the success of the hack, leaving a trail like that would have to go down as another FSB and SVR intelligence setback.
There is no doubt Russian spies working abroad have been on an embarrassing run. A SpyTalk tally for The Daily Beast counted up 14 Russian spies publicly expelled from seven countries during 2020, including agents exposed in Bulgaria, Colombia, and Slovakia as well as the Dutch espionage ring.
To be sure, SVR failures may pale in comparison with the FSB’s bungled poisoning of Alexei Navalny, who managed to trick an FSB officer into revealing details of the FSB operation to kill him during a recorded phone conversation. Or with clumsy missteps of the GRU (Russia’s military intelligence agency), in its attempts to kill Sergei Skripal in March 2018. But both the SVR and the FSB, along with the GRU suffer from the same flaws that characterize the Putin system of government: corruption, cronyism and inter-agency competition.
“The agencies have overlapping responsibilities (even the FSB is increasingly involved in foreign operations) and compete fiercely and ruthlessly to outshine the others. This is a carnivorous, cannibalistic system,” security expert Mark Galeotti has observed.
But for the SVR officers—who often occupy exalted diplomatic or business positions abroad and collect their intelligence from human sources—are supposed to appear above the fray. It’s hard to imagine that their pride in their organization’s image as a highly professional intelligence agency doesn’t suffer when intelligence failures occur. Or that they don't feel embarrassed when their counterparts in other agencies appear to the world as inept bunglers. Maybe this is why, according to the Russian newspaper Obshchaia gazeta, the SVR spent 15.6 million rubles (around $213,000) on almost 2,500 bottles of booze at its Yasenevo headquarters in 2020. (Louis Royer VSOP cognac is apparently an SVR favorite.)
SVR chief Sergei Naryshkin has made it clear that his agency is facing challenges, particularly with the U.S. He said in a long interview last November: “The U.S. intelligence services, above all the Central Intelligence Agency, are among the strongest intelligence services in the world. Our colleagues from the CIA are our main opponents.”
Despite these challenges, Naryshkin and his counterpart, FSB chief Aleksandr Bortnikov, manage to live the good life. In January 2018, a Russian website revealed that Bortnikov had a lavish residence outside St. Petersburg that he did not report in his official income declaration. And in December, Mediazona reported that Naryshkin and his family enjoy the largesse of a wealthy Azerbaijani businessman, God Nisanov, who owns numerous Moscow hotels and shopping centers. Naryshkin’s daughter Veronika flew on Nisanov’s private jet, a Gulfstream G65, on a visit to Baku and celebrated one of her birthdays on Nisanov’s luxury yacht. The Naryshkins also flew on Nisanov’s jet to Austria for a ski trip. Several years ago, when Veronika was only 23, she acquired, with the help of an Azerbaijani businessman close to Nisanov, a large Moscow apartment that was valued at 100 million rubles ($1.4M). Her father's annual salary at the time—Naryshkin was then chief of Putin's Presidential Administration—was five million rubles ($68,000).
With both Bortnikov and Naryshkin, these reports probably represent the tip of an iceberg. But, their underlings are not doing so well. The Russian online news site Glagol recently painted a grim picture of how rank and file security officers live: “The FSB, GRU, FSO [Federal Guard Service] and the SVR are not gods. In Russia, it is generally accepted that special people with outstanding moral and strong-willed qualities work in intelligence and state security. That for their work they receive decent remuneration and privileges inaccessible to ordinary citizens... The reality is different… There is no comradeship in the middle and lower ranks. If you get on the wrong track, no one will help—you are on your own. There is no trade union, no psychological help, but there is a polygraph and those who screw up the test will be dismissed retroactively without severance pay. The salaries are relatively small: 35-80 thousand rubles [$400-$1,000 a month]. Overwork, debt and calls from collectors in case of delay result in stress.”
Referring to an incident last month, when a CNN journalist made a surprise visit to the Moscow apartment of one of Navalny’s FSB poisoners who had been identified in a video posted by Navalny, Glagol noted: “It is no cause for surprise that the occupant lived in an ordinary, typical high-rise building and opened a cheap door painted with cheap green paint.”
As for Putin, a veteran of the KGB’s foreign intelligence service and a former FSB chief, his focus is on his services’ successes. Just days after Russia’s massive cyberattack on the U.S. came to light, Putin praised SVR officers for their “invaluable contribution to ensuring the country’s security,” and for carrying out “the most difficult assignments,” in a speech on the occasion of the 100th anniversary of the Russian foreign intelligence service on Dec. 20, 2020. He made a point of including the FSB: “All the personnel of Russia’s security agencies are comrades-in-arms of the Foreign Intelligence Service staff. And on this holiday, I would like to extend my warmest wishes to them too.” Referring to “the successes achieved by the counterintelligence agencies,” Putin said, “I offer my highest praise on these complicated and professional operations.”
Apparently, the latest round of intelligence exposures hasn’t upset the big man—at this point what does he have to lose from his dirty tricks being exposed? And maybe the SVR’s annual liquor bill will be a bit lower this year.