On the morning of 24 November 2015 an F-16 operated by the Turkish Air Force dropped into position behind a Russian Su-24 Fencer and dispatched an air-to-air Sidewinder missile that sliced into the Russian aircraft, sending it smoking toward the ground. The pilot and weapons officer ejected from the aircraft as it plummeted toward the Syrian desert. The pilot was killed by small arms fire from rebel forces on the ground in direct contravention of the Geneva Convention. The weapons officer was rescued by Russian forces, while the pilot’s body was recovered by Turkey, and later returned to Russia. As the Sukhoi came crashing down, the political and diplomatic engines of both countries kicked into full swing. Russia proclaimed the attack a “stab in the back”; Turkey protested that the Russian aircraft had violated its airspace, and had issued numerous warnings that the aircraft change course. As images of the smoking aircraft streaked across news outlets and the fallout percolated across the international community, cyber operations began.
Both Turkey and Russia appear to have leveraged hacktivist-style attacks against the opposing side; while grassroots hacktivist activity potentially could have been a factor, the targeting and impact of cyber attacks following this escalation in physical conflict are closely aligned to the interests of both states. In particular, the activity observed targeting Turkey conforms with the ideas conveyed by General Valery Gerasimov in 2013 in Voyenno-Promyshlennyy Kurier (VPK). These ideas, which can be the subject of a lengthy tome on modern Russian military doctrine, effectively encapsulate the concept of hybrid action in order to accomplish the objectives of the Russian Federation. His writings describe how modern conflict may be instigated by any number of directed capabilities such as roving gangs of “little green men,” pro-Russian rebel forces, or gangsters/unions/motorcycle gangs/disgruntled workers—perhaps even hacktivist actors deliberately inciting some domestic complications?
The conflict between Russia and Turkey began well before the pilot of the F-16 armed the AIM-9 Sidewinder; the Russians had been attacking ethnic Turkish rebels known as the Turkmen, who opposed Bashar al-Assad, for some time. Syrian aircraft had reportedly violated Turkish airspace numerous times, and the rhetoric of Recep Tayyip Erdogan had done nothing to pacify the situation. Shortly after the incident, Russian Federal Security Service (FSB) had raided and shut down numerous Turkish bank branches in the Russian Federation, detained Turkish travelers, stopped Turkish vehicles from crossing into Russia, and denied Turkish trade ships from entering Russian ports. Turkey followed suit by blocking Russian ships from sailing toward the Mediterranean Sea and the Black Sea for failing to meet the necessary “sailing criteria”. Around this time, CrowdStrike observed Distributed Denial of Service (DDoS) attacks targeting Turkish state-owned banks, government sites, and hacking forums. Soon hacktivists operating under Anonymous-style monikers began targeting the Turkish root DNS and threatening to destroy the banking infrastructure claiming that they buy oil from ISIS, amongst other rhetoric.
In January 2016, attacks targeting Russian banking infrastructure and the FSB were observed. This back and forth of hacktivist-style attacks continues today. CrowdStrike has observed the apparent targeting of Turkish critical infrastructure by Russia-associated intrusion actors. Most recently, personally identifiable information for nearly 50 million Turkish citizens was leaked to the Internet with a telling message:
“Who would have imagined that backwards ideologies, cronyism and rising religious extremism in Turkey would lead to a crumbling and vulnerable technical infrastructure?” and “Do something about Erdogan! He is destroying your country beyond recognition.”
These attacks occurring under the guise of hacktivism demonstrate the increasing role that the interconnected world plays in the affairs of nation-states. While these attacks may be a subtle way for opposing countries with tightly linked economies to draw blood against each other without escalating to full-scale combat, hacktivist actors inciting fear, confusion, and unrest in a rival state align well with the concepts described by General Gerasimov as the pretext for direct engagement. This engagement might range from economic sanctions to armed combat. Whatever the eventual outcome, it is clear that the asymmetric use of cyber attacks by nation-states may occur in the shadows of targeted intrusion actors, or in open conflict by purported hacktivist groups acting on nationalistic agendas.