The Russian ICC (IX): APT groups

We have talked so far about the main services that make up the Russian intelligence community in its cyber domain, and we will continue to describe the rest of the complex Russian ecosystem in successive posts. But where are the allegedly Russian APTs? Groups known to everyone, such as APT28 (FancyBear, Sofacy …) or APT29 (CozyBear, The Dukes …), must be somehow related to this community … if they are not part of it, right?

The Russian ICC (VIII): GRU

The only major Russian service which, as we have indicated, is not a direct heir of the KGB is the GRU (Glavnoye Razvedyvatelnoye Upravlenie), military unit 44388, whose aim is to provide intelligence to the Ministry of Defense, the military leadership and the Russian armed forces as a whole. This service is dedicated to military intelligence, from strategic to operational, working not only in an exclusive sense of defense but also encompassing other aspects such as politics or economy linked to the military sphere, and especially foreign intelligence – sometimes together with the SVR. Since 1996 it has also been entrusted with the mission of acquiring information on ecology and the environment. In order to execute these tasks the GRU has all kinds of capabilities, from IMINT to HUMINT, through OSINT and, of course, SIGINT, capabilities that give it a sphere of action and international influence and that allow the GRU to "act in any point of the world where the need might arise", according to statements by General Valentin Vladimirovich Korabelnikov in an interview granted in 2006, when he was Director of the GRU.

The Russian ICC (VII): FSO

Another of the heirs of the FAPSI is the FSO (Federal'naya Sluzhba Okhrani), identified in [1] as military unit 32152 and headed since May of this year by Major General Dmitry Kochnev (his predecessor, Evgeny Murov, was General of the Army, two ranks higher, and in the Russian services this is very important). Murov obtained very important FAPSI attributions: with more than 20,000 troops today (supposedly, since it is classified information, and various sources speak of more than 50,000), the FSO inherited and expanded the KGB's Ninth Directorate, with responsibility for the protection of governmental "goods" in the broadest sense of the word. For example, the Presidential Security Service (the PBS, Putin's bodyguards) and control of the famous Russian nuclear briefcase depend on the FSO, as does the operation of a secure network for the transmission of election results, GAS Vybory (information is, obviously, an asset to be protected). Specifically, from a cyber point of view, this service has assumed, among other capacities, those associated with strategic SIGINT, guaranteeing the operation of state systems – especially their protection against foreign services – and the security of national classified information ([2]), which includes presidential communications: the FSO provides secure communications at a very high level, for example between the Kremlin and the main Russian military commanders, giving it enormous power over the control of information …

The Russian ICC (VI): SVR

The SVR (Sluzhba Vneshney Razvedki) was the first heir of the KGB with its own entity, inheriting the attributions of the First Chief Directorate; it is responsible for Russian foreign intelligence, providing the national authorities with intelligence that can benefit Russia in different areas, which have evolved from the military and defense (especially in the 1990s) to technological, industrial, scientific and economic areas. To achieve this goal the SVR relies primarily on HUMINT capabilities, both open and clandestine, theoretically depending on the GRU – which we will see in a coming post – for its signals intelligence needs.

In this SIGINT area the SVR works together with the GRU in strategic intelligence (at least in theory, since the rivalry between Russian agencies is well known: let us remember the “joint” operation of the SVR with the GRU of the SIGINT station in Lourdes, Cuba), as opposed to the more operative intelligence of the FSB; the main objective of the SVR, irrespective of the discipline used, is the acquisition of information and development of intelligence about the capabilities, actions, plans, intentions… both real and potential of third countries against the vital interests of the Russian Federation (as we have mentioned, even economic ones).

The Russian ICC (V): FSB

As we have indicated in previous posts, the FSB (Federal'naya Sluzhba Bezopasnosti) is the main heir of the KGB and the FAPSI. It is directed by Army General Alexander Bortnikov, and its breadth of responsibilities and power in Russia are undoubtedly marked by Vladimir Putin himself, a former director of the Service who, upon becoming President of the country, greatly strengthened the capabilities of the FSB – and its budget – as well as the presence of former Service members throughout Russian society. The FSB not only works in areas directly associated with intelligence and counterintelligence, but also reaches aspects such as social or electronic surveillance.

The Russian ICC (IV): A bit of history: FAPSI

When talking about Russia in the area of cybersecurity or, more specifically, information warfare, we must by force mention the FAPSI (Federal Agency of Government Communication and Information), operative between 1991 and 2003 and considered the Russian equivalent of the US NSA (Roland Heickerö, Emerging Cyber Threats and Russian Views on Information Warfare and Information Operations. FOI, Swedish Defense Research Agency, March 2010), which inherited the attributions and capabilities of the 8th (encryption) and the 16th (decryption and interception) Chief Directorates of the KGB. Among its functions were ciphers (cryptology and cryptanalysis), the interception of communications and even incident response capabilities as a CERT. In 2003 this powerful agency was dissolved by the Russian government, possibly because of corruption, although it also shows that an agency with more than 50,000 people was becoming a great uncontrollable monster, as the KGB had been in its time. After passing through the Special Information and Communications Service, an agency heir to the FAPSI that lasted only five months, its attributions were distributed among the four large Russian services: the GRU and the KGB derivatives SVR, FSB and FSO. Each of these services has different attributions, although they obviously share capabilities, information, tactics or interests … or compete among themselves. In fact, in his Putin's Hydra: Inside Russia's Intelligence Services (European Council on Foreign Relations, May 2016), Mark Galeotti presents us with a curious graphic summary of the roles of the Russian intelligence community, from which we then select only the main services – at least in our cyber sphere:

The Russian ICC (III): the Community

Undoubtedly, many people mentally associate Russian – to be exact, Soviet – intelligence or secret services with the KGB (Komitet gosudárstvennoy bezopásnosti, Committee for State Security). Unfortunately for the followers of Bond, the KGB, the Soviet-Russian secret service par excellence, was dismantled at the beginning of the 1990s by Mikhail Gorbachev, probably because it had become a powerful monster in terms of attributions, skills and knowledge, but especially for its alleged involvement in the failed coup d'état of August 1991. Its power was distributed mainly among three different agencies: the FSB (Federal Security Service), the SVR (Foreign Intelligence Service) and the FSO (Federal Protection Service), which joined the historical rival of the KGB, the GRU (Main Intelligence Directorate), the Russian military intelligence service that survived the fall of the USSR (perhaps because of its support for the Soviet president during the coup, unlike the KGB). SIGINT attributions were concentrated in an agency called FAPSI, equivalent to the US NSA, dismantled in 2003 and whose power, as with the KGB, was distributed among the different Russian services.

The Russian ICC (II). Context: Russia

Before talking about the Russian ICC, we must know that Russia is the largest country in the world, with the most kilometers (more than 20,000); it has the world's largest reserves of energy and mineral resources still to be exploited, making it the largest energy superpower, as well as the world's largest reserve of forest resources, and it also holds a quarter of the world's unfrozen fresh water.

From a cyber perspective, Russia is alleged to be the only country to have carried out combined (physical and logical) military action against another country (Georgia, August 2008) or to have degraded the critical infrastructure of a third party by cyber means (Estonia, 2007). Its military and intelligence potential in this area is undoubted, as are its "physical" or traditional capabilities. The intelligence services are heavily involved in politics – as it happens, it is public that Vladimir Putin was an agent of the KGB and director of the FSB – and in the public and private sector, and they also maintain close relations – always alleged – with organized crime.

The Russian ICC (I). Introduction: the Russians are coming!

We often talk about Russian APTs, Russian malware, Russian groups … But who are the "Russians"? We will analyze, in a series of posts, who "the Russians" really are, what Russia is (from the point of view of intelligence and security), what its services are – and their APTs –, what relations they have with the rest of the ecosystem of the Russian information war, what objectives they have, what information they are looking for, etc. In short, we will try to get to know a little better the Russian Cyber Intelligence Community, the supposedly Russian threats that we find all the time in different organizations.

Of course, all the information collected here was obtained from public sources and represents no more than private opinions, interpretations, analyses, issues … surely all of them wrong because … what exactly is attribution?

Let's begin: as it could not be any other way (otherwise we would not be dedicating a series to it), one of the main actors in the field of (cyber) intelligence is Russia; perhaps this is currently the country whose attacks are the most sophisticated: targeted, stealthy and technically brilliant, with very high rates of persistence due to the difficulty of detection (of course, with the permission of the United States …). Russian APTs usually know very well the information they need, where it is and who handles it, and so they focus on the precise theft of such data, as we said, in the most secretive way possible.

Uncle Sam

Snowden, PRISM, NSA… words, or buzzwords, that we're used to hearing in the media, especially during the last months. You know: when talking about technology, spying – of course, using the "cyber" prefix – and some acronyms to get a slot in prime time :) I didn't want to write about sensationalism, but in the end I could not resist: during the holidays you have too much spare time to read newspapers :)