U.S. and Allies Blame Russia for Cyberattack on Republic of Georgia

The United States and its key allies on Thursday accused Russia’s main military intelligence agency of a broad cyberattack against the republic of Georgia in October that took out websites and interrupted television broadcasts, in a coordinated effort to deter Moscow from intervening in the 2020 presidential election in the United States.

The accusation, issued by Secretary of State Mike Pompeo, was particularly notable at a time when President Trump has been seeking to shift blame for interference in the 2016 election from Russia to Ukraine, a central element of his impeachment trial last month.

Russian military intelligence, known as the G.R.U., was one of the agencies implicated in the cyberoperations aimed at interfering in that election and in a 2017 attack that struck major companies around the world, including Merck, Federal Express and Maersk. That attack is considered one of the most destructive and expensive in history, causing billions of dollars in damage.

By comparison, the attack on Georgia in October was limited, and received only modest press coverage at the time. So it was a surprise when Mr. Pompeo’s statement on Thursday was backed up by simultaneous accusations from Britain, Australia and a host of European nations, all lending credence to the American conclusion that Russia’s Main Center for Special Technology, a unit within the G.R.U., was responsible.

For the first time, the State Department also linked the Russian military unit to a notorious Russian hacker group known as Sandworm, which is believed to be responsible for some of the most brazen cyberattacks around the world over the past decade.

“This action contradicts Russia’s attempts to claim it is a responsible actor in cyberspace and demonstrates a continuing pattern of reckless Russian G.R.U. cyberoperations against a number of countries,” Mr. Pompeo said of the attack on Georgia. “These operations aim to sow division, create insecurity and undermine democratic institutions.”

A senior administration official, who spoke on the condition of anonymity because he was not authorized to discuss the decision to name Russia, said it was notable that the accusation came from Mr. Pompeo — one of Mr. Trump’s most vociferous defenders but also a hawk on Russia’s use of hybrid warfare.

The official said the announcement was specifically meant as a warning to the Kremlin. It mirrors the National Security Agency’s move in 2018 to briefly shut down the Internet Research Agency, another Russian unit that operates outside the formal government structure and that had been involved in the attacks related to the last presidential election.

The decision to name the G.R.U., and its special cyberunit in particular, was part of a new strategy of calling out attackers in hopes of preventing future strikes, the official said.

But it is far from clear that the administration’s new “name and shame” effort, along with criminal prosecutions and counterattacks on Russian cyberunits, is successfully deterring attacks. Members of the G.R.U. were indicted in 2018 by Robert S. Mueller III as part of his investigation into Russian election interference.

Yet the attack in Georgia took place last fall, a year later, and involved techniques that American officials have been studying to determine if they might be used against the United States in the coming election.

Neither the United States nor its allies released any evidence used to establish how they tied the attacks to the G.R.U. That made it easier for the Russian Foreign Ministry to deny that Moscow was behind the assault. “Russia did not plan and is not planning to interfere in Georgia’s internal affairs in any way,” said the deputy foreign minister, Andrey Rudenko, according to the news site RIA.

There could be any number of reasons the United States has not released evidence. It may have wanted to avoid revealing its sources and methods, including getting inside Russian networks — though in the G.R.U. indictment, it was clear the United States was reading text messages and other communications of the agency’s officers. Under a relatively new American strategy for countering cyberattacks, called “persistent engagement,” the National Security Agency and United States Cyber Command, its military partner, operate inside adversary networks.

For years, Russia has tormented neighboring countries with targeted cyberattacks, including orchestrating two blackouts in Ukraine and broad online assaults on Estonian institutions. There were cyberattacks on Georgia in 2008, as part of a hybrid action in which Russia took control of some Russian-speaking parts of the country. It retains that control today.

The United States never formally attributed the cyberelement of those attacks to Russia, though outside experts say it was all part of a unified military operation that, in retrospect, was a crude but effective foreshadowing of Russian operations to come.

Mr. Trump has never publicly called out Russia for its cyberoperations. During the 2016 presidential debates, he argued that it was impossible to determine where a cyberattack originated — though that is exactly what his intelligence agencies and the State Department did in the Georgia case on Thursday.

Early in Mr. Trump’s administration, the White House cybercoordinator announced that there was evidence that Russia was the source of the NotPetya attack. That strike was aimed at crippling Ukraine but resulted in considerable collateral damage, including the shipping operations at Maersk and Federal Express.

During his now-famous July 25, 2019, telephone conversation with President Volodymyr Zelensky of Ukraine, Mr. Trump appeared to be seeking to deflect blame from Russia and its intelligence units for the attacks on the Democratic National Committee in 2016. “The server, they say Ukraine has it,” Mr. Trump said, according to a reconstructed transcript released by the White House last fall. In fact, the primary server — one of several — is blocks from the White House at the committee’s headquarters.

The attack on Georgia was a classic act of disruption, though relatively modest by current standards. It affected more than 2,000 government and privately run websites, interfered with government operations and interrupted television broadcasts, including that of the national television station.

In the attack, for example, the image of a former president of Georgia, Mikheil Saakashvili, was pasted to the home pages of many sites, with the caption, “I’ll be back.”

Mr. Saakashvili served two terms from 2004 to 2013. He gave up his Georgian citizenship in 2015 and is wanted in the country on criminal charges, which he says are politically motivated.

Vladimer Konstantinidi, a spokesman for Georgia’s Foreign Ministry, told reporters at a news briefing on Thursday, “The investigation conducted by the Georgian authorities, together with information gathered through cooperation with partners, concluded that this cyberattack was planned and carried out by the main division of the General Staff of the Armed Forces of the Russian Federation.”

Mr. Pompeo pledged to support Georgia and other nations threatened by cyberaggression from Russia. “The United States calls on Russia to cease this behavior in Georgia and elsewhere,” he said. “The stability of cyberspace depends on the responsible behavior of nations.”