It seems that hardly a week goes by without some new cyber-attack being attributed to Fancy Bear, Cozy Bear, Grizzly Steppe, or some other cute-sounding Russian hacker collective. On the one hand, we have the DHS, FBI, and US-CERT attributing these attacks to the Russians. There are others, including some working in the cybersecurity profession, who suggest that the attackers are not agents of the Russian government, but merely opportunistic cyber-crime groups stealing data for its resale value on the Dark Web. Politically, supporters of Hillary Clinton’s campaign generally support the theory of Russian intervention, at least in the last Presidential election. President Trump and his supporters would claim this is all “fake news.” So what is the truth about Russian attacks against the US, its NATO allies, Ukraine, and other former Soviet-bloc nations?
The more I dug into this question, the more it looked like the Russians are indeed attempting to influence political affairs, not just in the US but all over the world. They are exploiting the networked world we live in, by leveraging their considerable skills in deploying cyber operations against the west.
A while ago I read the book The Sword and the Shield: The Mitrokhin Archive and the Secret History of the KGB. I recommend it to anyone who is interested in Russian espionage tactics and how they apply to the activity we see coming from Russia today. In the days of the old KGB, their clandestine operations focused on gathering political, military, and signals intelligence about their perceived enemies, stealing scientific and technological information, running “illegals” (spies) in foreign countries, and something called “active measures.” Active measures were operations carried out against targets in the press, radio, and television mass media. They focused on recruiting journalists and attempting to insert stories in the western press that showed the Soviet Union in a favorable light, or that were designed to influence public opinion. Often active measures were employed in an attempt to influence elections and put candidates in power who were pro-Soviet. Sounds a little familiar, doesn’t it?
In the Internet-connected world, active measures are easier than ever. The Russians can use the popular social media platforms, focusing on Facebook, Twitter, and Wikileaks, to advance their agenda. They also specialize in breaching email accounts and networks using phishing attacks and social engineering. Sometimes the contents of these email breaches are later published on Wikileaks.
The main debate about whether this activity is sponsored by the Russian Government, or whether it is the work of independent cybercrime groups, hinges on the concept of “attribution.” The methods used by cyber-attackers are designed to obscure the source of the attacks through the use of VPNs and the Tor network. Pinpointing the actual source IP address, and through it the geographic location of the attacker, is often impossible.
Most countries have some sort of military- or intelligence-service-based cyber-command group. Part of the problem with attributing exploits to the Russian government is that, until recently, they tended to work with independent contractors who are also part of the Russian cyber-crime underground. This has given Russia plausible deniability. Recently, though, it looks like this activity has come directly from the Russian intelligence services.
The companies and agencies that analyze these attacks are left parsing the code and looking for signatures and similarities in the code. These signatures allow them to make informed guesses about the source or attribution of these exploits. How these conclusions are derived is the source of the attribution debate.
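To make the “signatures and similarities in the code” idea concrete, here is a small added example (written for this post, not code from the original article or from any of the agencies mentioned). It extracts printable strings from sample binaries and scores how much two samples overlap, which is one of the simplest forms of code-similarity analysis used in attribution. The three byte blobs, the URL, the mutex name and the list of “common” strings are all constructed for illustration; they are not real indicators. The point it demonstrates is the caveat behind the attribution debate: ordinary Windows API and DLL names appear in nearly every program, so counting them inflates the score between unrelated samples, and an analyst has to discount them before a similarity number means anything.

```python
import re
from typing import List, Set

# Constructed stand-ins for two suspected malware samples and one benign program.
# These byte strings are invented for this example; they are not real samples or IoCs.
SAMPLE_A = (b"\x90\x90MZ\x00\x00http://c2.example.invalid/gate.php\x00MutexName_XYZ\x00"
            b"CreateRemoteThread\x00kernel32.dll\x00Config_v2\x00")
SAMPLE_B = (b"\x4d\x5a\x00MutexName_XYZ\x00http://c2.example.invalid/gate.php\x00"
            b"VirtualAllocEx\x00kernel32.dll\x00Config_v3\x00")
BENIGN = (b"MZ\x00kernel32.dll\x00CreateRemoteThread\x00VirtualAllocEx\x00"
          b"MessageBoxA\x00user32.dll\x00")

# Strings found in countless legitimate programs. Matching on these says nothing
# about who wrote the code, so they are excluded from the "attribution-grade" overlap.
COMMON: Set[str] = {"kernel32.dll", "user32.dll", "CreateRemoteThread",
                    "VirtualAllocEx", "MessageBoxA"}


def extract_strings(blob: bytes, min_len: int = 4) -> Set[str]:
    """Return the set of printable ASCII runs of at least min_len bytes (like `strings`)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return {m.decode("ascii") for m in re.findall(pattern, blob)}


def jaccard(a: Set[str], b: Set[str]) -> float:
    """Jaccard index: size of intersection over size of union (0.0 when both are empty)."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def similarity(x: bytes, y: bytes, ignore_common: bool = True) -> float:
    """Similarity score between two samples based on shared strings.

    With ignore_common=True the generic API/DLL names are dropped first, so only
    strings that are actually distinctive to the samples contribute to the score.
    """
    sa, sb = extract_strings(x), extract_strings(y)
    if ignore_common:
        sa, sb = sa - COMMON, sb - COMMON
    return jaccard(sa, sb)


def shared_indicators(x: bytes, y: bytes) -> List[str]:
    """Distinctive strings present in both samples; these are what an analyst would inspect."""
    return sorted((extract_strings(x) & extract_strings(y)) - COMMON)


if __name__ == "__main__":
    print("A vs B (filtered):   %.2f" % similarity(SAMPLE_A, SAMPLE_B))
    print("A vs B (raw):        %.2f" % similarity(SAMPLE_A, SAMPLE_B, ignore_common=False))
    print("A vs benign (filtered): %.2f" % similarity(SAMPLE_A, BENIGN))
    print("A vs benign (raw):      %.2f" % similarity(SAMPLE_A, BENIGN, ignore_common=False))
    print("shared distinctive strings A/B:", shared_indicators(SAMPLE_A, SAMPLE_B))
```

Run as a script it shows the two suspected samples sharing a C2 URL and mutex name (a meaningful link), while the raw, unfiltered score still gives the benign program a non-zero similarity to sample A purely because both import the same Windows APIs. That gap between “raw” and “filtered” is, in miniature, why reasonable analysts can look at the same overlap and disagree about whether it supports attribution.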
In the next post, we will continue this investigation, and take a look at the active measures currently used by the Russian Government.
- Spy vs Spy vs Spy
- When is a Cyber Attack an Act of Cyber War?
- A History of Cyber Warfare – Part 1
- A History of Cyber Warfare – Part 2
- A History of Cyber Warfare – Part 3
- Wired.com – A Guide to Russia’s High Tech Tool Box for Subverting US Democracy
- US-CERT – April 16, 2018: Technical Alert (TA18-106A) – Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices
- US-CERT – March 15, 2018: Technical Alert (TA18-074A) – Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors
- The Sword and the Shield: The Mitrokhin Archive and the Secret History of the KGB