Rozi Harsanyi assesses the possibility and potential implications of a pro-Russia hacktivist cyberattack on this year’s Eurovision Song Contest.
In preparation for this year’s Eurovision Song Contest in Liverpool, the host city made plans to implement the largest security operation in its history. While concertgoers have been reassured that risks to their physical safety remain low, MPs recently raised concerns related to cybersecurity; specifically, the potential of the contest becoming the target of Russia-affiliated hacker groups. Why would such an attack serve the Kremlin’s interests and what may its impact on the UK be?
Politicians’ fears were stoked by a near-incident at last year’s contest, where the voting system and performances were targeted by the KillNet hacker collective and its subgroup, Legion – an attack Italian police ultimately fended off. KillNet is the most active among a pro-Russia network of hacktivist communities that expanded rapidly in the wake of the Kremlin’s all-out war against Ukraine. While these collectives are not officially state-controlled, they are supportive of the invasion and motivated by the prospect of revenging perceived offences against Russia.
Given the importance of Eurovision in Russia’s state branding (along with other post-communist countries, it used it strategically to build a positive national image), it is easy to see why the European Broadcasting Union’s (EBU) decision to exclude it from the competition after its full-scale invasion of Ukraine may have triggered an attack. Russia became a regular participant in the contest in the 2000s and quickly reached a high profile, becoming one of the most successful entrants in the competition’s history.
As host in 2009, Russia spent over 30 million euros (a record at the time) on putting on a lavish event, conveying the image of a prosperous country in the middle of a global financial crisis. It has used Eurovision to try to improve its international reputation; its 2015 entry – a year after the invasion of Crimea – was a song about peace and acceptance.
Apart from taking revenge on the EBU, the key goal of the 2022 intervention, which involved distributed denial of service (DDoS) attacks that sought to overload websites with traffic in order to make them inaccessible, was to prevent a Ukrainian victory. This had been widely anticipated, especially as Ukraine had won in 2014 with a song about the 1944 deportation of Crimean Tatars – which, as its performer later admitted, was also a direct reference to the invasion of Crimea. The performances of Ukraine and Russia since 2014 have highlighted that despite Eurovision’s rules stating that the event ‘shall in no case be politicised’, it has arguably always reflected the geopolitics of the day.
When KillNet’s attack on the contest was averted, the group denied responsibility for it and launched a retaliatory operation against the websites of the Italian Senate and Ministry of Defense. They managed to make these sites temporarily unavailable, but failed to cause lasting harm. Their similarly limited success on other occasions – such as a DDoS attack against Lithuanian public services last summer, after the country refused to allow the transit of goods to Kaliningrad – reinforced experts’ perception of KillNet as more of a nuisance than a group capable of inflicting major damage.
However, the propaganda potential of even moderately impactful attacks should not be underestimated. In a domestic context, hacktivist groups shape Russians’ view of the war by bragging about their successes against the West, which are often exaggerated. They disseminate their messages to large followings on social media and produce attention-grabbing memes and announcement videos, which are regularly featured in Kremlin-friendly news outlets too.
Successful cyber-attacks also have implications in the international sphere. They seek to send a warning to Western audiences about Russian technological superiority and indicate that their support for Ukraine will have negative consequences. In contrast with traditional warfare, cyber-attacks have the benefit of being unlikely to attract a military response, making them a convenient and relatively low-risk tool for the Kremlin and its affiliated groups (while there is excessive evidence to the contrary, Russia continues to deny taking part in cyberwarfare against the West).
Despite last year’s failed attack, there are reasons why KillNet or other hacktivist groups may attempt to intervene in Eurovision again. Kalush Orchestra’s 2022 victory showed that Europe was united behind Kyiv and boosted Ukrainian morale; Russians therefore have an interest in preventing another Ukrainian win.
The fact that the UK is the second largest donor of military assistance to Ukraine and is organising the contest on its behalf could make the Liverpool event an even more likely target. As a global audience of over 160 million people is expected to follow the performances, a successful cyber operation would humiliate the UK on the international stage and serve as strong support for Russian propaganda narratives about Western weakness. Based on reports from last year, such an attack could prevent audiences from voting during the semi-finals and grand final and even disrupt the broadcast of the performances by overwhelming the competition’s network infrastructure.
There are signs the UK may face a more serious challenge in trying to secure the contest than Italy did last year. According to recent reports, KillNet has gained access to Titan Stealer, a novel kind of malicious software capable of appropriating sensitive information, as well as a new botnet of malware-infected computers hijacked by the group; each of these can facilitate more efficient attacks.
Less than a month before the 2023 event, the National Cyber Security Centre (NCSC) also issued an alert about the increasing threat from Russia-aligned hacker collectives, stating that their independence from the Kremlin’s operations makes them more dangerous and unpredictable. The announcement was unprecedented in marking the first instance the Centre publicly shared concerns about the risk Russian hacktivist groups pose to critical national infrastructure, indicating an improvement in their capabilities.
While it is unclear if the NCSC has intelligence about an impending attack on Eurovision, they have reassured MPs that they were working with the organisers on securing the event. Should a disruption still occur, it would give a significant boost to Russia’s domestic and international propaganda efforts and serve a major blow to the UK’s reputation.
By Rozi Harsanyi, Stakeholder and Engagement Officer, UK in a Changing Europe.