Russia and nation-state hacking tactics: A report from Cybereason Intelligence Group

Intel-Team-Cybereason
Post by: Cybereason Intelligence Group

Policy versus Happenstance: Russia’s Dedicated Policy of Strategic Ambiguity

In our latest report, Cybereason Intelligence Group examines Russia and the tactics and procedures they use to conduct global attacks on nations and corporations. An earlier report issued by Cybereason Intelligence Group focused on China and a new breed of cyber privateer leading the increase in nation states contracting private companies to accomplish intelligence operations. These groups operate with incredible sophistication, while enjoying a cloak of semi-protected “status” for their malicious activities.

From China to Russia

The Russian Security Services (formerly the KGB) have long standing ties to Russian national criminal and hacktivist communities. A decade ago, the Russian state demonstrated its reach into these informal communities with the large scale DDoSing of Estonia.

More recently, the US Justice Department unsealed an indictment stating

The FSB (The Russian Federal Security Service – the main investigative spy agency in Russia) officer defendants, Dmitry Dokuchaev and Igor Sushchin, protected, directed, facilitated and paid criminal hackers to collect information through computer intrusions in the U.S. and elsewhere. In the present case, they worked with co-defendants Alexsey Belan and Karim Baratov to obtain access to the email accounts of thousands of individuals.”

This programmatic effort by the Kremlin has been long standing and differs significantly from the likes of China and India.

This trend is relatively new and accelerating in China where the security community is observing a shift in the activities of groups that freelance for the state. BoyuSec (and others like them) are expanding their entrepreneurial activities by contracting with private companies.

Given their relationship with government, these companies likely have tacit permission to operate against foreign entities as long as the activity doesn’t produce significant issues for the government. That tacit permission is promoting the growth of a vibrant, cottage industry of legitimized hackers for hire

No longer do companies need to go to the Dark Web to gain an unfair advantage over their competition, they simply need to search Baidu for the dozens of companies offering these services. Furthermore, the capabilities that were once indicative of a Nation State actor are now an affordable commodity for the private sector.

While both the organized, calculated outsourcing of the Russians, and the entrepreneurial outgrowth of necessity within China’s civilian service allow the respective states to:

  • Rapidly expand capabilities in a short period
  • Increase plausible deniability of actions
  • Mitigate risk of detection
  • Gain technical expertise that they cannot recruit directly into the government
  • Decrease overall operational costs

The maturity of the Russian approach allows for considerable advances in oversight for these types of operations in addition to more creative uses of the outsourced labor. Unlike in China, where this small industry is an evolution of a permissive and unregulated environment or North Korea where all actions are highly regulated and the State attempts to control every facet of online activity, the Kremlin has actively sought to create operating procedures and create a decision framework for how to employ their underground elements.

  • Repeatedly over the last six years Russia has demonstrated the capability and utility of patriotic organizations in combined arms campaigns. The hybridization that results in the use of an open source malware kit to attack the Ukrainian power grid or patriotic hackers taking part in attacking a foreign government’s networks as part of a kinetic attack demonstrates the extent to which outsourcing can empower and obfuscate nation-state actions.
  • Furthermore, the crossing of official state sponsored hacking with cybercriminal outfits has created a specter of Russian state hacking that is far larger than their actual program. This hybridization of tools, actors, and missions has created one of the most potent and ill-defined advanced threats that the cybersecurity community faces. It has also created the most technically advanced and bold cybercriminal community in the world. When, as a criminal, your patronage is the internal security service that is charged with tracking and arresting cybercrime, your only concern becomes staying within their defined bounds of acceptable risk and not what global norms, laws, or even domestic Russian law states.
    • Even in the case of the Yahoo hack, Belan was using his official task, gain access to Yahoo accounts for FSB intelligence and Counterintelligence purposes, and using it to turn a profit by manipulating search algorithms to drive web traffic and credit card skimming.

Despite the efficacy that Russia has thus far enjoyed, this approach carries significant risks that should reduce the number of countries that seek to copy this model.

  1. International operations are hard to control
  2. Emboldened actors will occasionally bite the hand that feeds them
  3. Ubiquity of malicious activity attributed to a country reduces its ability to use hacking as signaling tool
  4. Mistakes by non-state actors can escalate quickly
  5. Military grade tools proliferate more quickly

Additionally, in Russia’s case the ability to control these groups moving forward is eroding. With the advent of crypto currencies and the globalization of hacking operations, Russia’s ability to coerce hackers working with them diminishes. Nationalism is unlikely to be enough going forward to keep these advanced groups operating within “acceptable” bounds for the FSB. While these risks manifest in the approach we see others taking, thus far they have created a structure that produces more significant checks on the activity of these private actors. Also, without exception, everywhere else we have observed this activity, the actors have exclusively resided within the host country, make it far easier to apply coercive force should the actors cross one of the many ambiguous lines that governs these relationships.

Russia’s model while effective in the short run has the significant potential to be a revisiting of the proxy groups used by both the Soviet Union and the United States during the Cold War. Short term goals may be accomplished, but the long-term ramifications are harder to predict and often end up outweighing the short-term gains. Given the global strike capability that hackers in cyber space have, it is far more likely that this proxy war will have a far more reaching and international impact than the last round.

 


 

Key Takeaways

  • There are many examples where Russia over the last six years has demonstrated the capability and utility of patriotic organizations in combined arms campaigns. The hybridization that results in the use of an open source malware kit to attack the Ukrainian power grid or patriotic hackers taking part in attacking a foreign government’s networks as part of a kinetic attack demonstrates the extent to which outsourcing can empower and obfuscate nation-state actions.
  • What you see is not always reality. Russia has been extremely resourceful in the past few years in creating a hacking engine that appears to be a lot larger than it is. Regardless of size, Russia has the most technically advanced and bold cybercriminal community in the world and are more than capable of causing significance damage with whomever they attack from countries to corporations.
  • Russia’s ability to control these private hacking groups is eroding. With the advent of crypto currencies and the globalization of hacking operations, Russia’s ability to coerce hackers working with them diminishes. Nationalism is unlikely to be enough going forward to keep these advanced groups operating within “acceptable” bounds for the Russian government. While these risks manifest in the approach we see others taking, thus far they have created a structure that produces more significant checks on the activity of these private actors.

 

Cybereason Intelligence Group was formed with the unique mission of providing context to the most sophisticated threat actors. The team’s primary purpose is to examine and explain the Who and the Why behind cyber attacks, so we can better prevent the How.