(U//FOUO) We assess that Russia would consider initiating a cyber attack against the Homeland if it perceived a US or NATO response to a possible Russian invasion of Ukraine threatened its long-term national security. Russia maintains a range of offensive cyber tools that it could employ against US networks—from low-level denials-of-service to destructive attacks targeting critical infrastructure. However, we assess that Russia’s threshold for conducting disruptive or destructive cyber attacks in the Homeland probably remains very high and we have not observed Moscow directly employ these types of cyber attacks against US critical infrastructure—notwithstanding cyber espionage and potential prepositioning operations in the past.
• (U) Russia’s cyber program is a key element of its broader view and military doctrine of “information confrontation”—a concept that values technical cyber operations and the psychological effects that can be achieved in an information environment, according to a 2021 NATO report. Moscow’s cyber operations are designed to provide flexible options that can be used in both peacetime and wartime to achieve desired end states. Russia almost certainly considers cyber attacks an acceptable option to respond to adversaries because it lacks symmetrical economic and diplomatic responses, according to the Intelligence Community’s 2021 Annual Threat Assessment.
• (U) Russia continues to target and gain access to critical infrastructure in the United States. During a campaign that started in March 2016, Russian Government cyber actors compromised US energy networks, conducting network reconnaissance and lateral movement, and collected information pertaining to industrial control systems, according to a Cybersecurity and Infrastructure Security Agency (CISA) alert. Separately, Russian state-sponsored cyber actors have successfully compromised routers globally, as well as US state and local government networks, according to a CISA alert and a joint US-UK report.
• (U//FOUO) Russia has demonstrated the ability to conduct disruptive and destructive cyber attacks in other countries, using techniques that could be leveraged against US critical infrastructure networks. In both 2015 and 2016—progressively more capable year-over-year—Russian military intelligence (GRU) actors successfully launched cyber attacks against the Ukrainian power grid, temporarily interrupting the supply of power to hundreds of thousands of Ukrainians, according to a US indictment of GRU officers. In 2017, Russian actors used malware to target a Saudi Arabian refinery, infecting the safety systems and leading to the temporary shutdown of the plant, according to a Department of Treasury sanctions announcement.