Tuesday 22nd October 2019

BLOG SERIES: The Balkanisation of the Internet Part IV: From SORM to Sovereign: Russia’s digital surveillance and cybercrime

The fourth part of our “Balkanisation of the Internet” blog series examines how Russia is contributing to the Balkanisation of the Internet with its policy of digital sovereignty, which has ramifications for encryption standards and domestic cybercriminal activity. You can read the series’ previous posts on Brazilian and Indian data localisation policies here, as well as our Part 2 about GDPR, and Part I on the Origins of Balkanisation here.


Perhaps the most radical domestic process of Balkanisation since 2013 has been the series of policies undertaken by the Russian government. The Kremlin has justified major censorship programmes and data localisation policies as part of its right to “digital sovereignty”. Russia’s desire to not only control the computers and networks within its jurisdiction, but also the informational, cultural, political and social flows that pass through its physical infrastructure, contrasts sharply with the US-advocated model of a global, borderless internet administered by transnational bodies.

Russia increasingly perceives the global internet as a tool used to subvert its political authority and is looking at ways to wholly disconnect from it, in order to counter US influence as leveraged through social media and technology companies. The further emancipation of the Russian Internet (RuNet) from global networks will bring its own host of challenges for businesses looking to operate in Russia. These companies will have to comply with to these digital sovereignty policies, and face a greater threat from domestic malicious actors.

Russia’s digital surveillance

Russia’s digital sovereignty policies extend back to the early days of the Russian Federation, with interception programmes such as SORM (System for Operative Investigative Activities) implemented as early as 1995. SORM is a surveillance programme which requires internet service providers (ISPs) and telecommunications companies operating on Russian territory to install hardware that allows the FSB (the Federal Security Service, Russia’s premier security agency) to intercept any electronic communications without the need for a warrant. While its first instance, SORM-1 (1995), intercepted solely telephone traffic and mobile networks, SORM-2 (1998) included internet traffic and VoIP services, and SORM-3 (2014) was a comprehensive solution that gathers information from all communication media with additional capabilities for long-term storage. Recent findings by researchers illustrate the volume of information that SORM-3 intercepts. Wiretapping hardware used by the FSB was inadvertently leaking data online. This included mobile phone numbers of ISP clients, their logins, email addresses, network addresses, messenger numbers and even GPS coordinates transmitted by phones running outdated software.[1]

Following SORM-3, Russia’s 2016 Doctrine of Information Security established state sovereignty over what it calls the information sphere – meaning the cultural, social, economic, political information flowing through Russian infrastructure. This encompasses both internal informational threats (such as domestic dissent) and external informational threats (such as US social networks like Facebook and Twitter, which Putin dubbed “CIA projects”).[2] The 2018 “Digital Economy National Programme” further implemented legislation such as data localisation for all foreign companies operating in Russia. Crucially, it also outlined plans for an alternate Domain Name System (DNS) common to countries of the BRICS bloc, potentially signalling the rise of competing blocs of networks.

Figure 1: A user on a Russian cybercriminal forum discussing SORM (COPM, Система оперативно-разыскных мероприятий) and their effect on privacy

In April 2019, Russia conducted tests to disconnect the RuNet from the global internet by momentarily cutting off external traffic to Russian internet exchange points (IXPs), through which traffic is already centralised.[3] The Kremlin stated that the objective of the tests was to ensure the RuNet could function in the event of targeted large-scale international cyber attack. This showcased the most explicit espousal of Balkanisation to date. Although the capability may offer enhanced security when it is ready in 2021, it will hinder the operations of businesses in Russia reliant on cross-border data flows, particularly those that rely on encrypted services or VPNs. Recent demands by the FSB that Russian tech giant Yandex ought to hand over encryption keys for its user data are indicative of this conflict.[4]

Cybercriminals win, businesses lose

We anticipate that this national Balkanisation process will further encourage Russian cybercriminals to pursue domestic targets. Data localisation laws may also restrict companies’ ability to bolster cyber security standards in response to these threats. Russian cybercriminal networks – among the world’s most sophisticated – often discuss and organise their activities on the deep and dark webs, which will be relatively unaffected by the potential segregation of RuNet.

Figure 2: A user on a Russian deep web forum discussing the RuNet experiment, explaining that it will mean fewer sites are accessible to Russian users

Data from our repository of processed intelligence reports demonstrates that the proportion of domestic targeting by Russian cybercriminals has steadily increased over the past four years, corresponding with this Balkanisation process. This marks a significant change from the historic reticence of these groups to focus on Russian targets, typically to avoid the attention of domestic law enforcement services.

Figure 3: Orpheus data illustrates the steady rise in domestic targeting by Russian cybercriminal groups

One entity participating in this shift is Cobalt Group, a Russian-speaking organised cybercriminal group (OCG) which primarily targets Russian and Eastern European financial institutions using supply chain compromises, among other tactics. Although hampered by coordinated international law enforcement operations, including the arrest of their alleged leader in Spain in March 2018, we anticipate that data localisation policies and the resulting increasingly restricted cross-border data flows will hinder future efforts to combat this type of sophisticated actor. Balkanisation will allow such groups to continue third-party compromise attacks on businesses operating in Russia. The potential breakdown of international projects and cooperation caused by the fragmentation of the internet could leave national law enforcement agencies facing these sophisticated groups’ increasingly local targeting on their own.


Russia is currently one the main proponents of Balkanisation, with plans to build up the capacity to disconnect its national internet from the global one; establish a common DNS system with other BRICS countries; and further legitimise state intrusion into foreign businesses’ proprietary data. We assess that risk of third-party compromise and supply-chain attacks will increase for companies operating in this new sphere of “digital sovereignty”, and that Russian cybercriminal groups will be able to thrive as a result. Russia’s drive for further ideological and technical Balkanisation of the Internet will continue providing challenges for businesses and cyber threat intelligence firms alike.

[1] https://securityaffairs.co/wordpress/90588/intelligence/sorm-surveillance-leaking-data.html

[2] https://www.theguardian.com/world/2014/apr/24/vladimir-putin-web-breakup-internet-cia

[3] https://www.zdnet.com/article/putin-signs-runet-law-to-cut-russias-internet-off-from-rest-of-world/

[4] https://meduza.io/en/feature/2019/06/04/russian-tech-giant-facing-fsb-requests-for-its-encryption-keys-argues-law-enforcement-is-possible-without-violating-privacy

Get our latest cyber intelligence insights straight into your inbox

Fill out the short form below to subscribe to our newsletter so that you never miss out on our cyber intelligence insights and news.