It's Raining on Putin’s Victory Day Parade
Military and political setbacks threaten to rob Putin of the traditional patriotic May 9 boost. Could Russian hackers resort to cyber attacks in an attempt to project an image of strength?
Events already occurring in May 2023 illustrate the desperate situation Vladimir Putin’s government faces. Russian planners have scaled back the Victory Day holiday set for 9 May, usually an occasion to tout Russian military might and any geopolitical victories, amid battlefield losses and fears of a Ukrainian counterattack. However, Russian hackers have a history of conducting cyber operations pegged to this holiday, and despite the more subdued atmosphere, Russian asymmetric attacks against Ukraine and NATO members cannot be ruled out.
Victory Day parade on Red Square, 2014. Source: Kremlin[.]ru. Creative Commons
Little Cause to Boast on Victory Day
May 9 is Russia’s biggest national holiday, marking the anniversary of the Allied victory over Nazi Germany. Memory of that victory resonates with the population—nearly every family lost a member in that war—and has for decades served as a powerful legitimating factor for successive Soviet and Russian governments, as described in our recent posts “Putin: The Spy as Hero” and “Stymied in Ukraine, Putin’s Government Resorts to Sabotage and Panic-Mongering in the West.” Military parades take place in Moscow’s Red Square and throughout the country, and this year workers will have a four-day weekend. Russians sustained their patriotic fervor around this celebration over time: “Immortal Regiment” parades, in which ordinary citizens march bearing photographs of loved ones who died in World War II, began as a spontaneous movement in some cities in the 2010s but became institutionalized beginning in 2015. But in 2022, amid early setbacks in the war, independent journalists in several Russian cities reported a mix of patriotism and discomfort about the current war.
As May 9, 2023 approaches, Putin needs a victory to boast of, and it may not be much of an exaggeration to say that he sees his own domestic survival at stake. Putin allegedly threatened Defense Minister Sergey Shoigu with “dire consequences” for failure to seize the long-contested Ukrainian city of Bakhmut in time for the festivities, according to claims by Igor Sushko, a US-based Ukrainian commentator. For their part, Russian commentators fear that Ukraine will time a counter-offensive to ruin the holiday for Russia.
Military Disarray
The Russian military effort is in disarray and confusion. Despite the leading role his Wagner paramilitary group has played in the battle for the Ukrainian town of Bakhmut, Russian mercenary entrepreneur Yevgeniy Prigozhin did not receive an invitation to the Victory Day parade on Red Square and in fact has been under criminal investigation by Russia’s Federal Security Service (FSB), according to Russian human rights activist Vladimir Osechkin. Prigozhin, in turn, has claimed to have compromising information against military leaders.
Rival “clans” associated with Prigozhin, the Defense Ministry, and pro-war military bloggers such as Igor Girkin, who is likely backed by the FSB, appear to be battling each other even as they fight Ukraine. Prigozhin has appeared on videos threatening to abandon his Wagner group’s leading role in the battle for Bakhmut unless the Defense Ministry supplies it with more ammunition. Sushko summarized, “Right now, the Russian Game of Thrones is just backstabbing, scheming in the shadows, assassinations, and so on. But Bakhmut may turn out to be the catalyst to ignite a 'hot' civil war among the factions in Russia.” (For more on civil war scenarios, see our recent report “Russia After Putin.”)
Ukrainian officials have said they would undertake an offensive sometime in May, after the spring mud dries out. However, unsettling developments have already been occurring. In the first three days of May alone, for example, numerous incidents within Russian territory illustrated Russia’s vulnerability.
● On May 3, drones exploded above the Kremlin in Moscow in what Russian officials described as a Ukrainian attempt to assassinate Putin. Some analysts assess that the incident could be a fabricated provocation to justify further militarization of Russian society and harsher measures against its enemies, just as a rash of apartment bombings in Russia in 1999 helped Putin justify the brutal Second Chechen War. Images of the Kremlin drone explosion bring to mind the Reichstag Fire of 1933, which helped the Nazis consolidate power in Germany. By underlining the Defense Ministry’s failures to protect Moscow, the incident could strengthen the hand of rival factions, whether Prigozhin’s or Girkin’s. One Ukrainian analysis speculated that it could be intended to justify purging the Soviet military leadership, a “remake” of Stalin’s 1937 Great Terror. Telegram postings after the incident, with messages such as “Shoigu screwed everything” and “It’s time for Wagner to storm Moscow!” suggest that at least some Russian social media users have drawn that message.
● Two explosions within one week have derailed cargo trains in Russia’s Bryansk region, highlighting the vulnerability of Russian infrastructure and supply chains.
● Multiple fuel depots in Russia or Russian-occupied Crimea went up in flames, and explosions toppled electricity towers near Saint Petersburg.
Events on the diplomatic front also illustrated Russia’s isolation.
● China surprisingly voted for a United Nations resolution that named Russia as an aggressor, an exception to China’s studied neutrality on the Russia-Ukraine war.
● South Africa, a country that has avoided criticizing Russia’s aggression in Ukraine, warned Putin that, due to an International Criminal Court arrest warrant against him, they would have to arrest him if he entered the country for a meeting of the BRICS group of countries in September.
Illustrating Putin’s sense of vulnerability, initial Kremlin announcements of the drone attacks on the Kremlin blamed them on Ukraine but did not specifically attribute them to the “collective West”; such an attribution would have required them to respond with an attack against the West, which would be escalatory. (More than a day later, the Kremlin spokesman did claim that the US masterminds all Ukrainian decisions). Tellingly, Russian state media have received guidelines to prepare the population for military setbacks during the Ukrainian counteroffensive.
Low-Key Holiday
Russian officials have scaled back the country’s usual May 9 celebrations this year. Russian state media have received guidelines to make “less fuss” than usual about the upcoming festivities. Heightened security concerns have kept Red Square closed off to the public since April 27. A Moscow-focused Telegram channel reported problems with GPS services that made it difficult to call taxis and plan routes. Governors in several Russian border regions and Russian occupation officials in Crimea have called off military parades. The “Immortal Regiment” event will be held online this year. (It had taken place online in 2020-2021 due to COVID-19 but was revived in some cities in 2022). Some analysts have said this caution results not only from fears for Russian citizens’ safety but also from fears of political or social unrest: participants might instead bring photos of people who died fighting Ukraine, and the crowd could begin to protest. In addition, the Russian military has lost so much military materiel that it has been pulling superannuated tanks out of storage; it may simply have no military equipment to spare for parades.
Cyber Responses Possible?
As mentioned above, Putin likely feels pressure to show at least some nominal victory by May 9 in order to shore up his own power within Russia. But Russia is beleaguered on all sides. Could a cyber attack give him the boost he probably feels he needs?
On May 3, distributed denial-of-service (DDoS) attacks hampered access to the parliamentary website in Sweden, a country that recently applied to join NATO. This appears to be a continuation of a long-term but not very harmful harassment campaign by pro-Kremlin hacktivists against Ukraine and its supporters. However, Russian state or pro-Kremlin criminal hackers have in the past undertaken more-serious cyber operations against Ukraine and its allies in the leadup to Victory Day. Some of these align with Russian strategic interests in disrupting society in adversary countries.
Ample Precedent for Cyber Operations Pegged to Victory Day
Russian hackers have a history of conducting cyber operations around this date. Many of these were carried out by cybercriminals or ostensibly independent hacktivists, but they align with Russian strategic priorities, suggesting the actors were at least making a show of patriotism, along the lines of “entrepreneurs of influence” and “spaghetti on the wall” actions described in our “Putin: Spy as Hero” report:
● 2007: Pro-Kremlin hacktivists and criminals launched DDoS attacks that crippled essential services of the digital-heavy government of Estonia after that country’s government toppled a statue of a Soviet soldier.
● 2012: DDoS attacks crippled the websites of opposition groups that had protested during Putin’s 2011-2012 re-election campaign, as part of a mopping-up operation against those groups.
● 2020: the Czech government warned that an “advanced adversary” was conducting cyber operations targeting hospitals, the Prague Airport, and the Health Ministry. The US Secretary of State highlighted the incidents, showing heightened global concern about health sector attacks after the COVID-19 outbreak. Analysts tentatively linked these campaigns, which used MBRLocker and coviper malware, to Russia. In addition, the Czech Interior Minister reported that threat actors had probed his ministry’s external email service, possibly in preparation for “something truly big.” These incidents occurred weeks after the Prague city government removed a statue of a Soviet general.
● 2021: On 27 April, the 14th anniversary of the attacks on Estonia, a Russian cyber extortion group called Babuk posted a sample of files stolen from the Metropolitan Police Department (MPD) in Washington DC, including information on the MPD’s efforts to defend the US Capitol building during the insurrection of 6 January 2021. Babuk’s message said, “We will continue to attack the state sector of the USA, FBI CSA [sic, likely referring to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency]....even larger attacks await you soon.” As if taunting the administration of US President Joe Biden, Babuk actors issued this claim on the very same day that MPD officer Michael Fanone testified about the physical and mental trauma he had suffered while trying to defend the US Congress on January 6 2021. When ransom talks broke down, Babuk actors subsequently released more stolen data, including police officers’ Social Security numbers and psychological evaluations. (The main Babuk actor, unmasked in early 2022 by an American researcher, posted a drunken video where he figuratively declared war on the United States and released computer code for exploiting a vulnerability in a popular virtual private network. As of August 2022 he appeared to be at large and enjoying legal impunity in Russia.)
● 2021: On 6 May, Russian ransomware actors of the so-called DarkSide group breached and encrypted computer systems at Colonial Pipeline, the largest pipeline system for gasoline and other refined oil products in the United States. Citing fears of a dangerous malfunction of physical production systems, Colonial Pipeline suspended deliveries throughout the Eastern Seaboard. The resultant long lines and panic-buying at US gas stations briefly resembled the gas shortages of 1973 and 1979 that helped undermine the reputation of then-US President Jimmy Carter. US President Biden refrained from attributing the Colonial Pipeline operation to the Russian government, but the disruption to the US did align with Russian strategic priorities. Furthermore, apparent DarkSide successor groups continued to target fuel infrastructure in NATO countries, operations that also align with Russian strategic goals. While Russian law enforcement later arrested a man they said the US suspected in the attack, that arrest does not necessarily signal a true Russian crackdown on the group. By holding a hacker in prison, Russian authorities can prevent him from traveling and facing arrest abroad and can also pressure him to carry out operations for Russian intelligence agencies, as a Ukrainian cybersecurity official has suggested. As an Accenture Cyber Threat Intelligence report noted in June 2022, “While various “carrots” and “sticks” appear to motivate Russian hackers’ support for Russian strategic goals, “sticks” such as the threat of imprisonment have become more prominent since the leadup to the war with Ukraine.”
“An out-of-service gas pump due to panic buying after the Colonial Pipeline cyberattack at the Sunoco gas station in the Franklin Farm Village Shopping Center in the Franklin Farm section of Oak Hill, Fairfax County, Virginia,” 14 May 2021. Source: Famartin. Creative Commons.
● On May 9 2022, pro-Russian and pro-Ukrainian hackers engaged in cyber mockery against each other.
o Likely pro-Ukrainian hackers blocked Russian online TV networks and the RuTube video-streaming service and defaced the Russian online TV schedule page with the message "The blood of thousands of Ukrainians and hundreds of their killed children is on your hands. TV and the authorities are lying. No to war."
o On the same day, an online persona nicknamed “Sheriff” posted on an underground forum, offering to pay $50,000-$150,000 for login credentials for vpn1.colpipe.com, the website of Colonial Pipeline. “Sheriff” commented: “Love seeing these dirty ... americans scramble for supplies” [sic]. Researchers have identified “Sheriff” as Saint Petersburg resident Aleksandr Sikerin, an affiliate of the REvil ransomware group whose operations allegedly include crippling the JBS meatpacking company on the eve of Memorial Day 2021. A man claiming to be “Sheriff”/Sikerin told journalists in late April 2022, “i hate americans and i also hate researchers.” The 9 May posting aligns with this rhetoric by reminding readers of America’s vulnerability to pipeline attacks like that of May 2021.
DDoS Operations Not Always a Mere Annoyance
DDoS attacks, usually seen as minor annoyances that unsophisticated actors can unleash using DDoS-for-hire services, also form part of the arsenal of Russian intelligence services. A Russian company called Zero Day Technologies had a government contract to produce a botnet called Fronton that can be used for DDoS; Russian software developer Alexander Vyarya said a Russian defense conglomerate tried to recruit him to work on DDoS tools for use against Ukraine or against Russia’s domestic opposition. (Added May 6: In 2016 Russian military hackers allegedly carried out DDoS attacks against the World Anti-Doping Agency that was investigating Russian sports doping). In addition, sophisticated hackers can use DDoS attacks to assess targets’ defensive capabilities or distract attention from other malicious activities.
Despite the precedent of cyber operations pegged to Victory Day, both state and pro-Kremlin hackers face continued pressure from Ukraine and Western governments as well as internal turmoil in Russian and global criminal communities that may hinder them from effective offensive operations. Incidents affecting Russian hackers in April and May 2023 include the alleged leaking of emails of a top Russian military hacker and reorganizations in the Killnet hacktivist group. These developments, as well as the shutdowns of nine widely used cryptocurrency exchanges and arrests of darknet market participants, may hinder Russian cybercrime activities, at least in the short term. (Our recent “Stymied in Ukraine” discusses these developments further).
The Stakes are High for Both Russia and Ukraine
Public perceptions of positive or negative momentum are important for international support. Ukrainian President Volodymyr Zelensky tirelessly appeals for international military and financial support; in April and early May this included a telephone call with Chinese President Xi Jinping and travel to Poland, Finland and the Netherlands. The battle for international public opinion and resultant financial support will partly hinge on Ukraine’s military performance in its expected counterattack. Ukrainian successes in the summer of 2022 caused a group of US legislators to abandon a proposal they had drafted in June 2022, urging President Biden to consider peace talks with Russia.
A US report from April 2023 found that US popular support for helping Ukraine, while still high, has slightly decreased after news reports saying the battle is stagnating. Public opinion in Russia too, though hard to assess, is something that the Putin regime seems to be very worried about, as discussed in our “Stymied in Ukraine” report. Hence, a bad Victory Day is bad news for Vladimir Putin.
August 11: Tweaked wording to clarify sourcing.
Another cyber incident related to this symbolic date occurred in 2016. "Ukrainian hackers of the anonymous cyber-group alliance FalconsFlame and Trinity launched an operation at 00:00 on May 9, 2016 coded #OpMay9. It involved 9+ successful hackings of the web sites of Donetsk People’s Republic (DPR) terrorist organization, Russian private military companies (PMC’s) operating under the protection of the FSB in Ukraine and Syria, as well as Russian web outlets disseminating aggressive anti-Ukrainian propaganda. On the defaced websites, the hackers left the hashtags #OpMay9 and #оп9Мая, as well as 3 short videos about the World War 2 and the contribution of the Ukrainian people in the victory over Nazism." (https://web.archive.org/web/20230409143252/https://informnapalm.org/en/ukrainian-hackers-opmay9/)