Inside the digital cold war: How Canada helps defend Latvia from Russian cyberattacks

Life in the Baltic states is being lived on pins and needles these days.

Whether it’s an agreed upon — or imposed — peace settlement in Ukraine, there is growing concern in the political, military and intelligence communities that Russia will soon be free to focus all of its attention on the border with Latvia, Lithuania and Estonia.

Along with NATO allies, there are currently over 1,700 Canadian troops and aircrew dug in as part of a Western commitment to defend Latvia. More are planned and others are on standby should there be a crisis.

Last week, Canadian, Danish, Spanish, Polish, Italian, Swedish and Latvian troops conducted a major exercise at the Adazi training range, on the outskirts of the Latvian capital of Riga. The scenario they were rehearsing for was stark.

They practised defending the capital, 30 days into a hypothetical war with a fictitious, belligerent neighbour to the northeast.

No one says it’s Russia. It is only implied.

The conflict is a lot less hypothetical about 23 kilometres away, at the CERT.LV centre where a team of Latvian and Canadian cyberwarriors are waging a digital cold war.

A Canadian tracked light armoured vehicle on exercises in Latvia in late February 2025
This Canadian tracked light armoured vehicle took part in military exercises near the Latvian capital late last month. About 23 kilometres away, live cyberwarfare is being conducted against Russian operators. (Murray Brewster/CBC)

CBC News was given an exclusive look at the joint centre where Canadians and Latvians conduct online threat-hunting operations and what they describe as “cyber dogfights” with Russian hackers and private hacktivists. 

“Latvia has been the target of Russian cyber operations since their very beginning,” said Varis Teivans, deputy manager and a senior technical expert at CERT.LV, located at the Institute of Mathematics and Computer Science at the University of Latvia.

When Teivans says the very beginning, he’s referring to the 2006-07 timeframe when proxy groups affiliated with Russia’s security service — the FSB — launched denial-of-service attacks against public infrastructure in neighbouring Estonia. 

He has witnessed the full evolution of Russia’s sprawling cyberwarfare capability, which — according to the Center for European Policy Analysis — encompasses not only FSB and Russia’s foreign intelligence service (SVR), but also Russian military intelligence (GU) and the presidential administration.

Over the years, Teivans said, Latvia has faced a number of attacks, the scale of which exploded in the run-up to the Kremlin’s full-scale invasion of Ukraine.

He said Russian targets have expanded from government institutions, such as border controls, power grids, defence and foreign relations, to deep into the country’s private sector — aiming at companies that are part of the national security supply chain. 

“Supply chain attacks are something that is very, very frequent now, and in some cases, those attacks have increased sevenfold” since 2020, Teivans told CBC News in a recent interview.

Varis Teivans, deputy manager and a senior technical expert at CERT.LV, is part of a joint Latvian-Canadian cyber centre defending the Baltic country. (Murray Brewster/CBC)

Software development firms and logistics companies — because they’re heavily involved in military equipment movement — have become favourite targets in Latvia. The hackers are looking to either disrupt the company’s business or gather intelligence for future military operations, Teivans said.

The sheer scale of the attacks prompted Canada last year to deploy a five-person military team to augment the specialists at CERT.LV.

They work side-by-side at the university, which is housed in a dimly lit, old Soviet-style building. Behind banks of computer screens and with a giant, open-source, worldwide cyberattack threat monitor streaming in the background, Canadians working with the Latvians conduct what’s known as threat-hunting operations.

Through intelligence, they receive a tip that a company or system might be compromised — and they go hunting.

“Threat-hunting operations is something that we do together with Canadian Armed Forces and the [Canadian Centre for Cyber Security], and that has proved to be a great deterrence also for the threat actor. They’re not so effective anymore,” said Teivans.

It has, he said, sometimes been a thrilling experience catching hackers in the act, in real time.

Canadian troops trained with their Danish, Spanish, Polish, Italian, Swedish and Latvian counterparts near the Latvian capital of Riga. (Murray Brewster/CBC)

“We’ve had some experience engaging in what you might call a cyber dogfight, if you will, where they know that we are after them and we know that they’re on a system,” Teivans said. “Each counterpart tries to kind of kick the cyber operators from the environment.”

Maj. Kiernan Broda-Milian, the Canadian officer aiding CERT.LV, shares Teivans’s awe, especially given the fact many of the Russian cyberwarriors and private hacktivists have grown more brazen and don’t seem to care if they’re caught.

“We can see everything and just the fact that we see these threat actors in real life — to me — is fascinating,” Broda-Milian said.

Broda-Milian sprinkled his descriptions of what he does with references to the Hollywood casino heist movie Ocean’s 11, saying it’s his job to stop the bandits before they get to the safe. 

“Every operation you conduct here in Latvia is defensive in nature,” Broda-Milian said. “We are securing their networks and assuring their systems.”

How good are the Russians? Broda-Milian paused for a moment.

“In some cases, they are very good, very sophisticated,” he said, adding he and his team are working to “make sure it’s as hard as possible for them to do anything in Latvia.”

Broda-Milian also said their hosts “are capable of performing this work. But there are not enough cybersecurity professionals in Latvia, and then we both learn from each other.”

The Canadian team has been engaged in digital forensics in cases where intrusions have been detected. They essentially examine the techniques for telltale signs of who may have conducted the attack.

Teivans said they look for little mistakes. For example, one Russian hacker left behind signs because it was clear they were using a keyboard with Cyrillic letters.

Both Teivans and Broda-Milian said an important side benefit of the Canadian presence is that the cyberhunting and forensics operations give a glimpse into Russian tactics that gets fed back to Ottawa in the form of threat intelligence. 

That, in turn, helps protect Canadian critical infrastructure.
