Hybrid Warfare/Criminal Nexus
By TorchStone VP, Scott Stewart
I recently had the opportunity to participate on a panel at a conference hosted by Sam Houston State University’s Institute for Homeland Security examining the threat to critical infrastructure in the U.S. posed by the hybrid warfare efforts of nation states and their criminal partners.
The topic was very timely, given that I believe one of the most significant emerging trends in the threat landscape today is the increased employment of petty criminals by Russia in its hybrid warfare efforts against the West.
Iran also has a long history of using or attempting to use criminals for hybrid warfare attacks in the U.S. and Europe, but there are indications their efforts in this area have been increasing in both scope and frequency.
In an October 8 threat update, Ken McCallum, the Director General of Britain’s MI5, noted: “The more eye-catching shift this year has been Russian state actors turning to proxies for their dirty work, including private intelligence operatives and criminals from both the UK and third countries.” He added, “Like the Russian services, Iranian state actors make extensive use of criminals as proxies—from international drug traffickers to low-level crooks.”
Sadly, despite this environment, most Americans and Europeans do not recognize that they are being targeted daily by an array of authoritarian countries conducting round-the-clock hybrid warfare campaigns against them. In addition to Russia and Iran, other countries that are currently waging hybrid warfare against the West include China, North Korea, Cuba, Venezuela, and Yemen, among others.
What is Hybrid Warfare?
Hybrid warfare, sometimes referred to as unconventional warfare or irregular warfare, is a form of warfare that uses a suite of shadowy methods, falling short of conventional military conflict, to attack an adversary. A quote from Chinese philosopher Sun Tzu often applied to hybrid warfare states, “The supreme art of war is to subdue the enemy without fighting.”
As during the Cold War, the tools used in recent times by adversarial countries and their proxies in hybrid warfare campaigns include:
- Economic Warfare – Conducted either to hurt an enemy economically or in the case of North Korea, to raise hard currency to sustain the regime.
- Information Warfare – Using tools such as disinformation and misinformation to mislead or otherwise influence the targeted population. There is currently a tremendous amount of information warfare being used in connection with the 2024 elections.
- Cyber Warfare – Using malware and hacks to interrupt services, damage infrastructure, or otherwise cause discontent and undercut the population’s confidence in their government. Cyber warfare is frequently used to support other methods, such as economic or information warfare.
- Kinetic Attacks – These can include sabotage, terrorism, and assassinations.
- Chemical Warfare – In addition to clandestine Russian attacks using agents like Novichok and North Korean assassinations using nerve agents, China is conducting a form of hybrid chemical warfare by facilitating the global synthetic drug trade.
The objectives of hybrid warfare attacks include causing distraction, confusion, fear, discouragement, or anger at the government; achieving retribution; or reducing the capacity of the targeted country to manufacture weapons components and systems.
While there is a lot of focus on cyber-attacks, physical attacks must not be ignored. Certainly, if an attacker can achieve their objective remotely with the stroke of a few computer keys, that is safer than traveling to the target country to conduct an operation in person, but some things simply can’t be done using cyber tools alone.
Note that criminal proxies can be used in almost all these methods of hybrid warfare, and in some hybrid warfare tactics, such as cyber warfare, criminal proxies have been used so extensively that it can be difficult to distinguish between cyber criminals and their state sponsors. The dividing lines have become very blurry.
Why Use Criminals?
Russians have long used cyber criminals and even mercenaries like Yevgeny Prigozhin’s Internet Research Agency in their cyber warfare efforts to provide some degree of plausible deniability.
However, when it comes to kinetic hybrid warfare missions, such as acts of sabotage and assassinations, Russia has tended to rely upon government operatives such as those from the GRU’s Unit 29155. As operatives from those units have been publicly identified and doxxed, focusing more attention on them, their ability to operate has diminished. Hence the increasing reliance on criminals to conduct dirty jobs.
In the case of Iran, the use of criminals to conduct kinetic dirty jobs stems largely from their lack of ability to conduct them using internal resources. The Islamic Revolutionary Guard Corps (IRGC) has proved very competent at conducting irregular warfare in permissive environments such as Iraq and Lebanon but has struggled to operate in hostile environments with competent security services, such as those of Western countries.
Along with providing some degree of plausible deniability, it is often cheaper and easier to hire a criminal to conduct a job than to train and dispatch a government operative. There is also very little potential for blowback against the aggressor country if a criminal they hired is caught or killed during an operation.
Additionally, such criminals may be predisposed to violence and have few qualms about conducting illegal acts. Often, they are marginalized, angry at their government or society, and hungry for money, so paying them to conduct an attack is not difficult.
Recruiting Criminals
Criminals traditionally have been recruited in person. Some IRGC cases have been interesting in that they have used cutouts living in the West to contact the criminals. In one notable case from 2011, an IRGC general contacted his cousin, who was living in Texas, and asked him to reach out to the Mexican Los Zetas cartel and arrange for their gunmen to assassinate the Saudi Ambassador to the U.S. Fortunately, the man stumbled into a DEA informant instead of contacting legitimate Los Zetas members.
But this is not just a historical practice. In July, a Pakistani national was arrested and charged with working with the IRGC on a plot to attempt to hire criminals to assassinate former U.S. President Donald Trump.
While some countries undoubtedly do recruit criminals to conduct dirty jobs in person, it has become increasingly difficult. Hundreds of Russian intelligence officers have been expelled from embassies in Western countries in recent years, with heightened scrutiny focused on those remaining. Iranian intelligence officers have also been expelled from Western capitals, and those remaining have been placed under careful surveillance due to past plots.
Because of this, we are seeing a shift in which intelligence officers are using social media to identify, recruit, and operationalize criminals to conduct attacks. This practice mimics the way white supremacists, anarchists, and jihadists have used social media to recruit operatives to conduct attacks.
Using social media allows nation-state hybrid warfare actors far more reach than an intelligence officer on the ground could ever have, providing them with access to a wide array of potential operatives globally. The operatives can also be paid in cryptocurrency, making it even more difficult to trace their connection to the nation-state hiring them.
The Organized Crime and Corruption Reporting Project (OCCRP) recently published a detailed investigation of how this process of recruiting criminals for hybrid warfare attacks works.
Much like an operation designed to identify online sexual predators, the OCCRP established an attractive profile and began hanging out in a large pro-Russian Telegram channel. It did not take long for a Russian officer to take the bait and begin to attempt to recruit the subject for an attack using a Molotov cocktail. I highly recommend that anyone reading this take the time to read the fascinating report.
Such criminal operatives lack the tradecraft and training of professional nation-state officers, which means they will tend to conduct simple attacks against relatively soft targets. However, the ease with which these criminals can be recruited, their sheer numbers, and the possibility of recruiting them for a minimal cost are concerning. Together, these give aggressors the ability to cause death by a thousand cuts rather than just a few major attacks and, as we’ve seen in the jihadist case, occasionally a simple attack can produce a very large body count.
A Discussion Caveat
While I do want to raise awareness, I do not want to create panic or hysteria. This is a very real threat—but it can be defeated by diligence and effort. Like any threat, these attacks will not appear out of a vacuum. They are the result of a process, the attack cycle, that can be observed—and thwarted.
In much the same way Western countries have adapted to the jihadist threat by encouraging collective vigilance—see something, say something—public awareness of the hybrid warfare/criminal nexus can serve to significantly mitigate its impact.