As the threat from Putin's Russia escalates, the West is bracing itself for further cyber-attacks and disinformation campaigns. How sophisticated are its cyber-offensive capabilities and how might they be used?
In 1998, a cyber-attack unlike anything seen before was found to have ravaged US government systems over the course of two years, stealing vast troves of data. The resulting FBI investigation, dubbed Moonlight Maze, discovered the assault had targeted a number of academic institutions associated with US military and R&D efforts – and the evidence pointed to Russia.
The attack was so sophisticated that remnants of it were unearthed even 20 years later. Last year, security researchers at Kaspersky and King's College London discovered a link between Moonlight Maze and Turla, the exploit used by a suspected Russian cyber-espionage group known to target government, military, technology, energy and commercial organisations.
As its capabilities continue to develop, Russia is thought to possess one of the most accomplished cyber-arsenals in the world. Over time, its strategy has evolved from cyber-espionage and spreading disinformation to also include distributed denial of service (DDoS) attacks and cyber-assaults on critical national infrastructure such as power stations.
Indeed, a Russian group was thought to be responsible for the first-ever attack on an energy grid in Ukraine in 2015. Meanwhile, this year, the US traced a strike on its energy sector back to Moscow. In the UK, the National Cyber Security Centre (NCSC) is on high alert for attacks of a similar nature.
But more recently, the threat has elevated even further following tensions after the Salisbury poisoning and the US-led airstrike targeting Russian interests in Syria. So, what are Russia's aims and how can businesses and governments protect themselves from cyber-attacks perpetrated by the country?
Russia's aggressive approach goes back many years, but the nation's end goal has changed, says Ralph Echemendia, CEO of Seguru. “In the past, Russian hacking was almost always tied to financially motivated cyber-crime; today it centres around political gains.”
At the same time, Russia can draw from impressive resources: its military culture breeds talented engineers able to perform increasingly damaging attacks. According to Echemendia, Russia is in a unique position, because the country doesn't necessarily have to spend more money to gain a higher level of resources.
“They have always benefitted from great engineering talent and this is ingrained into their culture from the Soviet days,” he says. “There are lots of intelligent minds with nothing to do, living in a cold place. They tend to sit inside for longer; we just don't have that cultural mentality in the West. This gives them an upper hand: they have the numbers and don't need the same budgets to get results.”
Meanwhile, in contrast to the West, Russia's media is largely state-controlled, Joseph Carson, chief security scientist at Thycotic, points out. “They don't have to respond and answer questions from the media, which gives them an advantage.”
At the same time, Russia's economy isn't strong when compared with many countries in the West. Too often, this motivates talented coders to turn to cyber-crime rather than entering the corporate market. “In Russia, there is no doubt that cyber-crime is more lucrative than working for a company,” Echemendia says. “Take, for example, if some kid in Russia finds a major hole, it could be sold on the dark web for well over a million dollars. There are very few times when people are moral enough to do anything else.”
So how do the Russian government and intelligence services recruit from this underground? It's done through specialist internet forums, according to Travis Farral, director of security strategy at Anomali. “Some forums are open and as people hone their initial talents and their abilities improve, they move onto harder-to-get-into forums. It's a hierarchy and to get to the elite forums, you have to be a known quantity to high-level actors.”
Within this structure, the government has its own interests and can recruit from these environments, he explains.
According to Echemendia, Russian state actors communicate under a handle. “You know tricks to make yourself private. You never talk about what you are going to use the hack for – the majority of communication happens over encrypted channels.”
Russian ransomware industry
Of all the attack vectors coming out of Russia, ransomware is one of the most abundant. “There has always been a big ransomware industry coming out of Russia,” says Chris Boyd, malware analyst at Malwarebytes. “Russians are much more aware of the fact that you don't come first by playing by the rules.”
Spyware, which hasn't been prolific for more than 10 years, is also back on the scene, says Boyd. He warns: “It sits there very quietly and although it doesn't sound as fancy as ransomware, it really is getting the job done. I would like to know how much of this spyware comes from nation states.”
Boyd says suspected Russian attacks are also moving into sophisticated disinformation. He points out: “A couple of disinformation campaigns, malware and data slurping and you can create complete chaos.”
Then there are the troll farms, housed in St Petersburg, which take advantage of social networks as a place to exert influence. Russia's capabilities have increased in this area, as has the nation's understanding of how to apply political influence. “They make it look like Russia isn't so bad, or they try to tap into strong sentiments around a particular issue,” says Farral.
A number of organisations are operating cyber-attacks and espionage out of Russia, many of which are state-sponsored. Of these, says Jamal Elmellas, co-founder and CTO at Auriga Consulting: “The Federal Security Service (FSB) has a cyber-capability that when you scratch between the surface, is the hacking group the Shadow Brokers: EternalBlue is one of their jewels in the crown. They then created Petya and NotPetya which we saw hit Ukraine and the UK's NHS with ransomware.”
Fancy Bear, or APT28, is a known Russian cyber-espionage group thought to be behind multiple state-sponsored attacks. Meanwhile Cozy Bear, or APT29, is a Russian hacker group believed to be affiliated with the country's intelligence services. Farral says: “While the state itself has interests, these groups have their own – and sometimes there is overlap.”
He cites the example of the Democratic National Committee (DNC) hacks known to have been perpetrated by Russia. “With the DNC hack, there was evidence that both groups had been in the organisation; one for some time before the other came in. This paints an interesting narrative – there may be competition between the two, reading between the lines.”
In some cases, says Toni Gidwani, research director at ThreatConnect: “You see different hacking groups going after the same target and interfering in each other's operations.”
Recently, groups such as Fancy Bear have been “incredibly busy” conducting more operations than seen before, says Ryan Kalember, SVP of cyber-security strategy at Proofpoint. “These groups are no longer as stealthy as they once were, which means they don't care if they are caught. Or, they are just busy and getting sloppy.”
Nation state attacks are notoriously hard to attribute. So, what do security researchers look for when pinning down a Russian cyber-assault?
Identifying a nation state attack is not easy, but it is possible to accurately guess, says Kalember. “From our perspective, when we say it's part of state-sponsored action we do so based on public research around tactics, techniques and procedures.”
Researchers have to look for things specific to certain organisations, says Farral, including malware with certain capabilities. “Those are the finger prints we can use for attribution,” he says.
However, finding the perpetrator is not always simple. “An IP address might not point to Russia, but someone might be using a VPN to cover their tracks,” Farral says. “Then we can narrow it down and come to a conclusion, for example, ‘we know this malware isn't open source so whoever has it is the only one’.”
But overall, Boyd concedes: “Even with detailed information, ultimately a lot of these things are guesswork. So, there has been a shift from ‘who did this’, to ‘how did they do it’ and ‘how can we address this to stop them from doing it again’?”
And sometimes attackers are only caught out when they make stupid mistakes. Guccifer 2.0, who claimed to be responsible for the DNC breach, was traced back to a Russian IP address when he forgot to use a VPN when sending an email.
Russia vs the West
Russia's intelligence agencies are developing exploits that can be used in cyber-warfare. Others, such as the UK's GCHQ, are almost certainly doing the same, experts say.
And, as the scale and sophistication of nation state offensives increases, cyber-defence is well-funded across the globe. For example, Boyd points to the UK's £1.9 billion five-year plan for cyber-defences, including high-level specialists to help combat attacks.
There are also suggestions that cyber-security companies in various countries are affiliated with – or at least work alongside – their governments. Last year, the Russian company Kaspersky's anti-virus software was found by Israeli intelligence officers to have been used for spying on the US. The firm's tools were quickly removed from government computers, but it led to questions about the likelihood of the company's involvement in state-sponsored cyber-espionage.
Of course, there are many explanations – and it is likely that UK companies are also cooperating with the government, at least to some extent. Across every nation, there is no doubt there is a level of cooperation in some way, Echemendia says. “The question becomes to what degree and what goes into weaponisation.”
It's a complex situation, and the solution to the Russian threat is not straightforward. But cyber-security experts agree on one thing: it is essential that companies and governments invest in the skills required to identify and mitigate future attacks.
“With nation state attacks the main issue is detection,” says Echemendia. “We need more analysts who understand the organisation: not just the technology side, but the business impact and day-to-day flow – that's the real solution.”