Russia and nation-state hacking tactics: A report from Cybereason Intelligence Group
Policy versus Happenstance: Russia’s Dedicated Policy of Strategic Ambiguity
In our latest report, Cybereason Intelligence Group examines Russia and the tactics and procedures they use to conduct global attacks on nations and corporations. An earlier report issued by Cybereason Intelligence Group focused on China and a new breed of cyber privateer leading the increase in nation states contracting private companies to accomplish intelligence operations. These groups operate with incredible sophistication, while enjoying a cloak of semi-protected “status” for their malicious activities.
From China to Russia
The Russian Security Services (formerly the KGB) have long-standing ties to Russian national criminal and hacktivist communities. A decade ago, the Russian state demonstrated its reach into these informal communities with the large-scale DDoSing of Estonia.
More recently, the US Justice Department unsealed an indictment stating:
“The FSB (The Russian Federal Security Service – the main investigative spy agency in Russia) officer defendants, Dmitry Dokuchaev and Igor Sushchin, protected, directed, facilitated and paid criminal hackers to collect information through computer intrusions in the U.S. and elsewhere. In the present case, they worked with co-defendants Alexsey Belan and Karim Baratov to obtain access to the email accounts of thousands of individuals.”
This programmatic effort by the Kremlin has been long-standing and differs significantly from the likes of China and India.
This trend is relatively new and accelerating in China where the security community is observing a shift in the activities of groups that freelance for the state. BoyuSec (and others like them) are expanding their entrepreneurial activities by contracting with private companies.
Given their relationship with government, these companies likely have tacit permission to operate against foreign entities as long as the activity doesn’t produce significant issues for the government. That tacit permission is promoting the growth of a vibrant cottage industry of legitimized hackers for hire.
No longer do companies need to go to the Dark Web to gain an unfair advantage over their competition; they simply need to search Baidu for the dozens of companies offering these services. Furthermore, the capabilities that were once indicative of a nation-state actor are now an affordable commodity for the private sector.
While both the organized, calculated outsourcing of the Russians, and the entrepreneurial outgrowth of necessity within China’s civilian service allow the respective states to:
The maturity of the Russian approach allows for considerable advances in oversight for these types of operations, in addition to more creative uses of the outsourced labor. Unlike in China, where this small industry is an evolution of a permissive and unregulated environment, or North Korea, where all actions are highly regulated and the State attempts to control every facet of online activity, the Kremlin has actively sought to create operating procedures and a decision framework for how to employ their underground elements.
Despite the efficacy that Russia has thus far enjoyed, this approach carries significant risks that should reduce the number of countries that seek to copy this model.
Additionally, in Russia’s case the ability to control these groups moving forward is eroding. With the advent of cryptocurrencies and the globalization of hacking operations, Russia’s ability to coerce hackers working with them diminishes. Nationalism is unlikely to be enough going forward to keep these advanced groups operating within “acceptable” bounds for the FSB. While these risks manifest in the approach we see others taking, thus far they have created a structure that produces more significant checks on the activity of these private actors. Also, without exception, everywhere else we have observed this activity, the actors have exclusively resided within the host country, making it far easier to apply coercive force should the actors cross one of the many ambiguous lines that govern these relationships.
Russia’s model, while effective in the short run, has the significant potential to be a revisiting of the proxy groups used by both the Soviet Union and the United States during the Cold War. Short-term goals may be accomplished, but the long-term ramifications are harder to predict and often end up outweighing the short-term gains. Given the global strike capability that hackers in cyberspace have, it is far more likely that this proxy war will have a more far-reaching and international impact than the last round.