Russian hackers have sharply stepped up a campaign to disrupt EU elections in May, leaving EU officials and tech companies scrambling to muster a response.
Three senior diplomats said the bloc expected Russia-based organisations to attempt to try to influence the vote in 27 member states for new members of the European Parliament by hacking into institutions and spreading fake news.
“We know that they are already attempting to make mischief and, in turn, we are preparing for it,” said one diplomat on condition of anonymity.
US security officials are also concerned that Russian groups could use the vote as a testing ground for potential strategies that could be deployed in next year’s US elections, they added.
Cyber security experts say there has been a sudden uptick in Russian state-sponsored hacking activity against European governments, media and civil society organisations in recent months.
Ben Read, head of cyber espionage analysis at US cyber security company FireEye, said it had seen “extensive targeting of European media and governments” in the past six months.
“It’s mostly malicious targeting of foreign and defence ministries of Nato member states, but also German media, for instance,” he said.
EU officials say that the rise in nationalist, far-right and fringe groups across the bloc has increased the potential for disinformation efforts through social media, while a weakening of the three main party alliances that have dominated European politics in recent decades has made the ballot a critical vote on the future of the Union.
Brussels is scrambling to build up a bloc-wide early warning system of disinformation attacks in member states, although many diplomats are sceptical that it will be effective, given the wide range of views about Russia and the importance of anti-propaganda efforts across the EU.
In 2016, the EU, which does not have its own intelligence service, set up what it calls a “hybrid fusion cell” to gather information from member states on potential attacks including cyber hacks.
Staff at the hybrid fusion cell have used classified and open-source information to produce more than 100 assessments and briefings to share within the EU and its member states, according to an EU paper last year, but the bloc declined to disclose further information about the cell’s operations or findings.
Fabrice Pothier, a senior adviser on the Transatlantic Commission on Election Integrity, said that Macedonia’s referendum last year on changing its name was seen as an example of what might be in store for the EU election. Alleged Russian activities there ranged from paying people to protest, to organising online campaigns to boycott the vote.
“It’s never a straightforward one-tool strategy,” Mr Pothier said. “It’s quite diffuse.”
Mr Pothier added that those combating hacking and meddling saw alleged Russia-backed activities in Ukraine as a bellwether for strategies likely to be seen elsewhere.
“The testing ground for these kind of techniques is Ukraine,” he said. “There are clearly many gaps in our defences.”
Defence and security analysts have long warned that Moscow has been using Ukraine, and the simmering conflict in the country’s east, as a laboratory for new cyber warfare and psy-ops techniques.
“Western democracies are under threat from outside meddling, and Ukraine is the testing ground for this interference,” wrote former US assistant secretary of state David Kramer in an Atlantic Council report late last year. “The Russian Federation first tested many . . . strategies and techniques in Ukraine.”
The Russian government has consistently denied meddling in foreign elections or supporting hacking groups.
“It is like a sport to accuse Russia of interfering, whenever elections are held. It is starting to be ridiculous,” said one Kremlin official, adding that Vladimir Putin, Russia’s president, had made multiple attempts to establish joint organisations between Russia and western countries to combat hacking. “No single country can effectively stop hackers. We are all victims of it,” the official said.
FireEye has been tracking Russian hackers APT 28 since 2011.
APT28, which has been widely linked to the GRU, the Russian military intelligence directorate, has been singled out for its role in the hacks of the Democratic National Committee in the US in April 2016 and email leaks from French president Emmanuel Macron’s campaign team ahead of the French election in 2017.
Mr Read said the hackers functioned primarily as an intelligence agency for the Russian government, “which means they’re gathering geopolitical data and information to support Russian policy decision-making”.
The cyber security company has tracked increased activity by a second Russian hacking group, called the Sandworm Team, which has also been linked to the GRU.
FireEye found that this group had played a role in hacking of US election infrastructure, such as state voting boards, ahead of the 2016 presidential election.
“They are a bit more stealthy than APT28, but they’ve been targeting a lot of state and local governments in Europe, by spear phishing, particularly in Poland,” Mr Read said.
Spear phishing, the method being used by both groups to target EU institutions, is the practice of sending fake emails from a supposedly trusted sender to dupe individuals into revealing confidential information such as their email passwords.
Major tech companies, including Facebook, Google and Twitter, have also assembled specialist policy and cyber security teams across Europe ahead of the elections in May.
Nathaniel Gleicher, Facebook’s head of cyber security policy, said the company had recently identified and removed accounts of networks from Iran, Russia and Ukraine.
“There was a larger [takedown] that we did a month ago that involved newspapers designed to look like independent news organisations operating across the Baltics and eastern Europe that were being run by employees of Sputnik,” he said, referring to the Russian state-owned news outlet.
He added: “We took action on another network in Ukraine, where there are national elections coming up. The potential these are linked [to the European election] is certainly there.”
