
Though officials in Lithuania said they could not prove the attacks were conducted or orchestrated by Russia, it was clear the attacks were tied to the laws passed banning Soviet symbols. The government said the attacks came from an array of computers from outside the country.

Kyrgyzstan: January 18, 2009

On January 17, 2009, an official of the Kyrgyzstan government informed the United States that the Manas Air Force Base outside of Bishkek would close. The United States had been using the base since December 2001 as part of the effort in Afghanistan. The official said that the base closure would come in days as a result of Russian pressure. Just a month before, Russia’s top general Nikolai Makarov accused the United States of planning to expand its number of bases in the region.

To drive their point home, a series of DoS attacks hit Kyrgyzstan’s two main internet service providers, essentially knocking out internet access, websites, and email for the country.38 Though there are no conclusive reports that definitively name the responsible party, many firms state the attack appeared to be tied to the decision to let the U.S. use the Bishkek base as a logistics center for the war in Afghanistan. The attacks were attributed to “cyber militias,” much like the attacks in the Russo-Georgian conflict just a few months before.

Although the base had been in operation for nearly eight years, on February 3, 2009 Kyrgyzstan President Bakiyev announced it would close. This was a major victory for Russian control over Central Asia. After Kyrgyzstan complied with Russia’s demands, it received a multimillion-dollar aid package.39

Ukraine Power knocked out by Sandworm: December 23, 2015

Three Ukrainian power companies came under attack by the Sandworm tool set after employees downloaded BlackEnergy3 malware packages. According to an investigation by Robert M. Lee, former U.S. Air Force cyber warfare operations officer and co-founder of Dragos Security, the infections started in spring of 2015.

Attackers engaged in a spear-phishing campaign using infected Word documents aimed at system administrators and IT staff at the facilities. The targets who opened the Word document saw a prompt asking them to click to “enable macros,” which installed the BlackEnergy3 malware. It is notable that macro-based attacks had been in decline until the time of this attack, but were now on the rise.40 After the malware successfully installed, it began to scan for paths to the supervisory control and data acquisition (SCADA) networks, which would allow the attackers to take control of the plant’s control systems.41 All of this would be exceptionally risky at many power plants, but it turned out the Ukrainian security was above average and even outclassed many U.S. facilities. The networks were all very well segregated via firewalls, but the CYBER BEARS stole in anyway.42

One of the plant operators stated he saw the attackers control one of the computer terminals and successfully search for the panel that would control circuit breakers. The attackers began to take down the power grid in front of his eyes. Though he tried to take control of the computer, it was too late. The attackers locked him out and continued their task of shutting down around thirty electrical substations.

After the breach, the attackers used an eraser program called “KillDisk,” which wiped out major sectors of files, corrupted master boot records, and essentially rendered the systems useless unless they were taken offline and replaced. The attackers reconfigured the backup generators in a manner that disabled them, so the repair crew had to tough it out in the dark.

To top this off, they didn’t do this just once: the attackers simultaneously hit three power stations belonging to the Ukrainian power company Kyivoblenergo in the Ivano-Frankivsk Region.43 They also struck Prykarpatyaoblenergo with an outage that affected 80,000, as well as the Chernivtsioblenergo station.44 In total, an estimated 225,000 people were affected for nearly six hours. The companies restored power by going back to manual control; it had to be restored manually since many systems were fried by the “KillDisk” deletions.

To make all of this more complicated, a Telephone Denial-of-Service (TDoS) attack on the telephone system flooded the circuits with bogus calls, which prevented citizens from alerting the power companies about outages.

The Warsaw Stock Exchange aka The Cyber Caliphate False Flag Attack #1: October 24, 2014

After the website for the Warsaw Stock Exchange went offline for two hours, a Pastebin message screamed to the world, “Today, we HACKED Warsaw Stock Exchange!” and “To be continued! Allahu Akbar!” Authorities initially credited the Cyber Caliphate, a hacker group that claims its allegiance to ISIS and works in association with the United Cyber Caliphate groups. The message, posted on Pastebin, an online bulletin board, said the hack was in retaliation for Polish bombing of the “Islamic State.”45

Initially, many accepted that ISIS-affiliated hackers were responsible, but the techniques, tools, and, more importantly, digital footprints suggested the attackers came from Russia. This is an old spycraft technique called a false flag operation: a deception in which one entity is blamed for the actions of another. The false flag cover didn’t last, as forensic analysts demonstrated that Russian hackers had posed as ISIS and let them take the blame.46 It was later revealed that the hackers stole details on investors and the stock exchange’s network, including credentials for authorization to access customer accounts.47

The TV5 Monde Attack, aka The Cyber Caliphate False Flag #2

On the evening of April 9, 2015 at 10:00 pm, the French TV channel TV5 Monde experienced a cyberattack that resulted in the suspension of their broadcast, as hackers infiltrated their internal systems and social media profiles. First the website crashed, then emails went down.48 Helene Zemmour, digital director for the station, said it all went down in a “synchronized manner.” CNN reported, “Shortly after the beginning of the attack our internal computer system fell and other programs followed.”

The defaced pages were relabeled by the Cyber Caliphate with “Je Suis ISIS” tagged on them, recalling the pro-Charlie Hebdo rallying cry, “Je Suis Charlie.” However, the fake Cyber Caliphate website was in fact on a server with an IP address belonging to APT28. Security firms picked up on this, and a consensus began to develop that the attack was the work of a nation-state actor. Because of the notable similarities to APT28, the Cyber Caliphate was ruled out as the attacker. The threat was beyond the capabilities of ISIS’s hacker wannabes.

In more practical terms, Wassim Nasr, on France 24, noticed that the Arabic of the claims was barely real Arabic. He pointed out improper use of the language in several areas, notably in the Bismillah phrases common to ISIS, where “and” was used in a manner no Arabic speaker would.49 They most likely came from Google Translate. Unwitting ISIS-affiliated groups still took credit for the attack, and their fanboys attributed it to the Cyber Caliphate Army.

The channel and its social media accounts were reclaimed by the next afternoon. TV5 director Yves Bigot said the station’s security had recently been checked. One CNN anchor even said, “once again terrorism has targeted freedom of expression.”

No One is Immune

On May 20, 2015, APT28 hit the German Bundestag and started to steal data from its servers after launching the Sofacy malware on the systems. After the attack, Bundestag director Horst Risse advised staff to avoid opening files or links received via email.50 In August 2015, APT28 launched a spear-phishing effort at the EFF, the Electronic Frontier Foundation. The group attempted to use email to lure targets to a spoofed site at “electronicfrontierfoundation.org”; the official site for the EFF is at “eff.org”. Oracle fixed the Java zero-day.51