The Russian ICC (XV): objectives. Information needs

Let us recapitulate: so far we have made several entries concerning the Russian ICC, in which we have contextualized Russian intelligence, we have described its different services with cyber attributions and have analyzed, as far as possible, their relations with third parties, thus describing the complex ecosystem of intelligence in Russia. With this ecosystem already described (we had to stop at some point), we will now try to analyze the objectives of this intelligence, its information needs: what is Russia looking for and where?

A bit of history: Vasili Mitrokhin was a KGB archivist who, after the dissolution of the USSR, defected and collaborated with the British MI6; the material exfiltrated by Mitrokhin, which gave rise to several books known collectively as “the Mitrokhin archive”, revealed, among many other secrets, that the Soviet leader Mikhail Gorbachev already considered industrial espionage a key element for economic survival and for the restructuring of the country. This became clear after the dissolution of the USSR: in accordance with its legal basis ([3]), the objective of Russian intelligence has been to gather information in the political, economic, military, scientific, technical and ecological fields to support the economic development and the scientific-technical and military progress of the Russian Federation; the GRU itself is entrusted with the acquisition of military, political-military, technological-military and economic-military information. In other words, Russia has been concerned about its defense, both military and economic, from the Soviet era (according to Mitrokhin’s information) to the Russia of the end of the last century. Something, on the other hand, completely logical in any modern country.

The Russian ICC (XIV): The intelligence ecosystem. Cybercrime

The relations of the Kremlin (and, by extension, of its intelligence services) with “classic” organized crime, with the Russian mafias, are a more or less proven fact. Without going any further, in documents leaked by WikiLeaks the Spanish prosecutor Jose Grinda directly links the Russian mafia with the intelligence services of the country.

But beyond these WikiLeaks leaks and their degree of reliability, this relationship has been officially and openly revealed in public reports, in this case by the very same prosecutor [1], who states, verbatim: “[…] part of the FSB, which has implemented an organized crime regime in certain spheres of Russian power through the increased control of organized crime, a thesis that was already supported by the late Litvinenko”. In other words, Alexander Litvinenko’s thesis is taken for granted: that the Russian services completely control the country’s mafia groups, both sides obtaining a mutual benefit from this relationship.

Let us remember that Litvinenko, a former agent of the KGB and the FSB, was murdered with Polonium-210 after his harsh criticism of the FSB and of its activities outside of any legislation, a murder for which the UK attempted to extradite former FSO officer Andrey Lugovoy, who happens to enjoy immunity in Russia for being a member of the Duma. An excellent overview of Litvinenko’s story, and of his special collaboration with the Spanish justice system and services, can be found in [2].

It is to be expected that the relations of the Russian services with organized crime, whose origins we already traced in the post of this series on the intelligence ecosystem, extend into the field of technology, to what we call cybercrime (or organized cybercrime); always hypothetically, of course… In fact, officially it is the opposite: the FSB, within its police powers, has been mandated to act against cybercrime, according to some analysts even replacing, with its 16th Directorate (which we have already discussed in previous posts), the famous Directorate K of the Russian Ministry of the Interior ([6]), which officially investigates cybercrime and illegal technology-related activities in Russia. Let us also remember that this FSB Directorate has CNA capabilities, which may be activated against cybercriminals whenever it is convenient for Mother Russia… In any case, at least on paper, the two Directorates of both agencies complement each other perfectly in their activities against technological crime ([3]).

It is a fact that the Russian government, through both the FSB and the Directorate K of its Ministry of the Interior, has taken steps to combat criminal activity on the Internet, although it is also true that such efforts have focused more on activities that have harmed Russian interests than on activities originating in Russia that have harmed foreign interests.

As an example, in [10] we find an analysis of some of the press releases published in 2016 by the FSB in this regard; in total, three notes worth reporting:

  • The arrest of an organized Russian group that had stolen several million euros from Russian banks (June).
  • The discovery of a harmful code (unspecified source) that had compromised different governmental, military, research … Russian organizations (July).
  • The warning to the Russian government and citizenship regarding massive cyberattacks against their infrastructures from foreign services, an attack that ultimately did not occur or was completely mitigated by Russian capabilities (December).

As we see, the main actions were aimed at protecting Russia and its interests (obviously, by the way) rather than at collaborating with third parties to mitigate problems originating in Russia; but it is also public knowledge, although without an official press release, that in November of last year the FSB detained the group behind the banking malware Dyre, of Russian origin but with victims from almost all over the world… except from Russia.

The last of the most notorious activities of the Service during the past year, also without an associated press release, was the arrest of Sergey Mikhaylov and Ruslan Stoyanov in December, both related in one way or another, past or present, to government units specialized in the fight against cybercrime, although their detention does not seem to be related to that fight: the official accusation speaks, quite simply, of “treason”, which can be interpreted in many ways (it even points to their collaboration with the CIA or the FBI), not all of them positive when it comes to demonstrating the interest of the Russian authorities in combating crime in the RuNET.

Historically, Russia has been the cradle of very high technical capabilities, capabilities that can be used for good or for bad. We spoke in an earlier post about the establishment of relations between the Russian services and their intelligence ecosystem, and about the situation experienced at the end of the last century. Extrapolating this situation to the cyber sphere, it is easy to understand how Russian technical skills can be easily oriented towards illegal businesses, to what we call cybercrime: from spam or phishing to child pornography, through the falsification and sale of official documents. A general review of Russian cybercrime can be found in [11].

And as for the relationship between intelligence and organized crime in the cyber domain, at the end of the last century, in the Moonlight Maze operation, there was already talk of possible relations between the FSB and cybercriminals to cover certain activities in which the services should not be directly involved.

If we want to talk about Russian cybercrime, it is obligatory to refer to the RBN (Russian Business Network), perfectly analyzed in [4], perhaps the most complete study on it, where the RBN is defined as “a complete infrastructure for the provision of harmful services”, further indicating that “there is not a single legitimate client in the RBN”; no comment. In short, a provider of solutions for crime, adjusted to the needs of its customers… and disappeared (or not) in November 2007. Chapter 8 of [3] summarizes the curious story of this “disappearance”, in the opinion of many a simple restructuring of the RBN to make its activities less visible. Some of the main operators of the RBN have had close relations with the Russian services: it is public knowledge that at least one of them, Alexandr Boykov, was a Lieutenant Colonel of the service ([5]).

In addition, some analysts defend the existence of a symbiotic relationship between the RBN, patriotic hackers and the Russian government or services ([8], [9], works already referenced in previous posts in this series). This relationship is based on the permissiveness of the government towards criminal activities, provided they are carried out outside Russia, in exchange for the support of these groups when a situation requires it: Georgia, Estonia… In other words: we will let you work, but do not bother our compatriots; and if we need you, you have to lend us a hand. Remember: nobody says no to the FSB. In fact, some analysts defend the hypothesis that the FSB can commute prison sentences in exchange for active collaboration; put plainly, it offers those charged with cybercrime their freedom in exchange for “special” jobs (although it is also true that this has been popularly said of many other services).

The last example that has come to light and reveals the close relationship (potential, potential…) between cybercrime and Russian intelligence is perhaps the Yahoo hacking of 2014, which according to the US Department of Justice is attributed to the direct collaboration of the FSB with individual actors associated with cybercrime (DoJ press release, [7], published in March 2017). It was an official accusation of relations between Russian services and organized crime groups, coming from nothing more and nothing less than the US government (with two alleged FSB agents cited with photo, first and last names, Dmitry Aleksandrovich Dokuchaev and Igor Anatolyevich Sushchin, among the most wanted in the cyber field by the FBI), and, as always, with the corresponding official denial of the Russian government.

The FBI also accuses Evgeniy Bogachev, the most wanted cybercriminal, for whom it offers a reward of three million dollars, not only of activities associated with economic crime (he is the creator of Gameover Zeus and Cryptolocker), but also of possible interference, operated by the FSB, in the US electoral process. Another proof of this potential relationship? Disinformation provided by the US government? Who knows… In short, we sense, although we cannot be sure, that there is a direct relationship between cybercrime and the intelligence services in Russia, just as there seems to be a relationship between these services and classic organized crime. Possibly yes, or possibly not, as almost always in this war…

References
[1] José Grinda González. Regulación nacional e internacional del crimen organizado. Experiencia de la Fiscalía Anticorrupción. Fiscalía General del Estado. Spain. September, 2015.
[2] Cruz Morcillo, Pablo Muñoz. Palabra de Vor. Espasa, 2010.
[3] Jeffrey Carr. Inside Cyber Warfare: Mapping the Cyber Underworld. O’Reilly, 2011.
[4] David Bizeul. Russian Business Network Study. November, 2007. http://fatalsystemerrorbook.net/pdf/Bizuel_onRBN.pdf
[5] Casimir C. Carey III. NATO’s Options for Defensive Cyber Against Non-State Actors. United States Army War College. April, 2013.
[6] Timothy Thomas. Russia’s Information Warfare Strategy: Can the Nation Cope in Future Conflicts? The Journal of Slavic Military Studies. Volume 27, Issue 1. 2014.
[7] US DoJ. U.S. Charges Russian FSB Officers and Their Criminal Conspirators for Hacking Yahoo and Millions of Email Accounts. https://www.justice.gov/opa/pr/us-charges-russian-fsb-officers-and-their-criminal-conspirators-hacking-yahoo-and-millions. March, 2017.
[8] Viktor Nagy. The geostrategic struggle in cyberspace between the United States, China, and Russia. AARMS. Vol. 11, No. 1 (2012) 13–26.
[9] Jeffrey Carr. Project Grey Goose Phase II Report: The evolving state of cyber warfare. Greylogic, 2009.
[10] Filip Kovacevic. Security Threats to Russia: The Analysis of the 2016 FSB Press Releases (Part 3 – Hacking & Other Challenges). https://www.newsbud.com/2017/01/12/security-threats-to-russia-the-analysis-of-the-2016-fsb-press-releases-part-3-hacking-other-challenges/. January, 2017.
[11] Brian Krebs. Spam Nation: The Inside Story of Organized Cybercrime, from Global Epidemic to Your Front Door. Sourcebooks, 2014.

The Russian ICC (XIII): The intelligence ecosystem. Patriotic hackers

The concept of patriotic hacker can be understood as an attacker, in the cyber field, whose activities support in one way or another his country in a real conflict, directed against the enemy of the state ([1]). Along with China, Russia has perhaps been one of the countries that has most empowered these groups, active for years in conflicts such as Kosovo (1999), Estonia (2007) or Georgia (2008). In Spain, if there has ever been something similar, and in any case not state sponsored, it could be linked to small actions in the network against the environment of ETA after the murder of Miguel Angel Blanco (1997), perhaps halfway between hacktivism and patriotic hacking (this would make for an interesting debate), but in any case very far from the activities of patriotic groups in other conflicts or countries.

In Russia, different groups have been identified that could be called Kremlin-related (from Chaos Hackers Crew in 1999 to Cyber Berkut, active in the conflict with Ukraine), groups that have focused their activities on defacements and, in particular, on DDoS attacks against targets considered contrary to Russian interests. On each of the operations of these groups there is literature and more literature; an excellent summary of the most notorious ones can be found in [8]. As early as 1994, in the First Chechen War, some patriotic groups used the incipient web for PSYOP, at that time with a Chechen victory, a victory that would change sides later (1999) in the Second Chechen War ([3]). Years later, in 2007, Russia launched a cyber-attack against Estonia that stopped the operation of the online banking of the main Estonian banks, blocked access to the media and interrupted the communications of the emergency services ([4]); but there were no deaths or injuries on either side, unlike what happened a little later (2008) in Georgia, where there was a hybrid attack, the first known case in history, consisting of cyber-attacks together with an armed invasion. A conflict in which different groups arose that encouraged attacks, in particular DDoS against the websites supporting the opposite side. These denial attacks differed from those launched against Estonia: not only did they inject large volumes of traffic or requests against the target, but they also used more sophisticated techniques, such as certain SQL statements that introduced additional load on the target, thus amplifying the impact caused.

At about the same time as Georgia, Lithuania got its turn, also in 2008 and, as in Estonia, in response to political decisions that its Russian neighbors did not like. In this case the Lithuanian government decided to remove the communist symbols associated with the former USSR, which caused denial of service attacks and defacements of web pages to place the hammer and sickle on them. A few months after the actions in Lithuania, attacks on Kyrgyzstan began, already in 2009 and again after political decisions the Russians did not like, this time regarding the use of an air base in the country by the Americans, key to the American deployment in Afghanistan. In this case they were DDoS attacks against the major ISPs of the country, which further degraded the already precarious Kyrgyz infrastructures; they originated from Russian addresses but, according to some experts, with much more doubt in the attribution than other attacks of the same type previously suffered by other countries. Also in 2009 Kazakhstan, another former Soviet Republic (and therefore of prime interest for Russian intelligence), suffered DDoS attacks following statements by its President criticizing Russia.

Finally, as early as 2014, Ukraine became another example of hybrid war, as had happened in Georgia years before, and an excellent example of the Russian concept of information warfare, with attacks not only by DDoS, but especially by disinformation through social networks: VKontakte, supposedly under the control of the Russian services (we spoke before about their relationship with companies, technological or not), is the most used social network in Ukraine, which offers an unbeatable opportunity to put this disinformation into practice ([6]). For different reasons, including the duration of the conflict itself, Ukraine is an excellent example of the role of patriotic hackers on both sides (Cyber Berkut on the Russian side and RUH8 on the Ukrainian side), supporting traditional military interventions and putting into practice information warfare, psychological operations, DDoS, attacks on critical infrastructures…

The presence and operations of Russian patriotic hackers seem indisputable. The question is what relationship these groups and their actions have with the Kremlin and its services, if any, and what degree of control the Russian government may have over them… and even their relationship with other actors of interest to Russian intelligence, such as organized crime, which we will discuss in the next post of the series. Actions such as those executed against Ukrainian servers in 2014 by Cyber Berkut showed TTPs very similar to those previously used in Estonia or Georgia, which would link these actions not only to properly organized groups, but would also lead to a possible link with the Kremlin, following the hypothetical attribution of those earlier actions to the Russian government ([2]). In [9] an interesting analysis is made of the relationship between patriotic hackers, cybercrime and Russian intelligence during the armed conflict with Georgia in 2008. In addition, in the tense relations between Russia and Georgia there is another hypothetical proof, peculiar to say the least, of the link between attacks, patriotic hackers and Russian services: in 2011, the Georgian government CERT ([7]), faced with a case of allegedly Russian espionage, decided to voluntarily compromise a computer with the malware used by the attackers, place a lure file on it and in turn trojanize that file with remote control software. When the attacker exfiltrated the lure, the CERT was able to take control of his computer, recording videos of his activities, making captures from his webcam and analyzing his hard disk, on which emails were supposedly found between a controller (from the FSB, according to the wagging tongues of some analysts, who knows…) and the attacker, exchanging information on targets and information needs and instructions on how to use the harmful code.

Regardless of the relations of the Russian services with groups of patriotic hackers, the infiltration or the degree of control over them, what is certain is that in certain cases the FSB has publicly refrained from exercising its police duties to prosecute a priori criminal activities by Russian patriotic hackers: in 2002, Tomsk students launched a denial of service attack against the Kavkaz-Tsentr portal, which hosted information on Chechnya that was annoying for the Russians. The local FSB office issued a press release in which it referred to these actions of the attackers as a legitimate “expression of their position as citizens, worthy of respect” ([5]). And what is indisputable is that after decisions made by a sovereign government that may be contrary to the interests of the Russian government, or simply to its opinion, that government suffers more or less severe attacks (depending on the importance of the decision) against its technological infrastructures, at least in areas especially relevant to Russian intelligence and government such as the former Soviet Republics. Attacks that are, of course, difficult to reliably link to the Russian government or to the patriotic hackers of this country, but that occur in any case.

Finally, one more detail: Russian patriotic hackers have not only executed actions against third countries, but have also operated within the RUNet. One of the best-known cases is that of Hell, acting against Russian liberal movements: opponents of the government, journalists, bloggers… and of whom there have been signs of a connection with the FSB (let us remember, internal intelligence), specifically with the CIS of this service. In 2015 Sergei Maksimov, allegedly Hell, was tried and convicted in Germany for falsification, harassment and information theft. Although he faced three years in prison, the sentence imposed was minimal. Was Maksimov really Hell? Were there any links between this identity and the FSB? Was Hell part of the FSB itself, unit 64829 of this service? We do not know, nor will we probably ever know, just as perhaps we do not know whether Nashi, a patriotic youth organization born under the protection of the Kremlin (this we do know, as it is public), organized DDoS attacks not only against Estonia in 2007, but also against Russian journalists opposed to Putin’s policies, and also tried to recruit journalists and bloggers to support anti-deposit activities in the Russian government… at least that is what the emails stolen by Anonymous (allegedly, as always) from Kristina Potupchik, spokesperson for Nashi at the time and later “promoted” to Internet project manager of the Kremlin, say (this is also public).

References
[1] Johan Sigholm. Non-State Actors in Cyberspace Operations. In Cyber Warfare (Ed. Jouko Vankka). National Defence University, Department of Military Technology. Series 1. Number 34. Helsinki, Finland, 2013.
[2] ThreatConnect. Belling the BEAR. October, 2016. https://www.threatconnect.com/blog/russia-hacks-bellingcat-mh17-investigation/
[3] Kenneth Geers. Cyberspace and the changing nature of warfare. SC Magazine. July, 2008.
[4] David E. McNabb. Vladimir Putin and Russian Imperial Revival. CRC Press, 2015.
[5] Athina Karatzogianni (ed.). Violence and War in Culture and the Media: Five Disciplinary Lenses. Routledge, 2013.
[6] Andrew Foxall. Putin’s Cyberwar: Russia’s Statecraft in the Fifth Domain. Russia Studies Centre Policy Paper, no. 9. May, 2016.
[7] CERT-Georgia. Cyber Espionage against Georgian Government. CERT-Georgia. 2011.
[8] William C. Ashmore. Impact of Alleged Russian Cyber Attacks. In Baltic Security and Defence Review. Volume 11. 2009.
[9] Jeffrey Carr. Project Grey Goose Phase II Report: The evolving state of cyber warfare. Greylogic, 2009.

Image courtesy of Zavtra.RU

The Russian ICC (XII): The intelligence ecosystem. Web brigades

The well-known Web Brigades (or G-team) are groups theoretically linked to the Russian government which participate in forums, social networks, blogs, information websites… to generate a positive image of Russia (and of Putin in particular) in digital media. Rumors suggest that these groups are controlled by the FSB itself, although this is difficult to prove [1]. One of the best-known cases of the use of web brigades to disseminate this kind of information is the Olgino Trolls, a fairly large group of paid people (always theoretically) who promote Russian positions on national or international political issues.

The members of the web brigades even have defined guidelines for elaborating their comments and opinions ([4]), which set, for example, the minimum number of words of each entry or the guidelines for going unnoticed in social networks, combining political opinions with other inconsequential ones about hobbies or travel; something that seems perfectly studied and orchestrated and in which large amounts of money are probably invested, money that perhaps comes from government-aligned groups… or from the government itself.

The Russian ICC (XI): The intelligence ecosystem. Companies

When we talk about the relationship of the Russian services with companies in the country, it is necessary to emphasize that these services are not interested in just any type of organization, only in those that can give cover to the service or those that allow them to control, to a greater or lesser extent, a field of interest for Russia’s national interests (usually strategic companies for the nation): natural resources (gas and oil in particular), media, state monopolies created after the dismemberment of the USSR… As a curious fact in relation to state control in some areas, Russian law identifies strategic sectors or companies, and it is Russian law itself that defines how to invest in them, including foreign investment in these companies: foreign companies are prohibited from owning a strategic Russian company, unless expressly approved by the President.

The Russian ICC (X): the intelligence ecosystem

We cannot conceive the Russian intelligence community, described in this series, merely as a set of services dependent on political or military power. The degree of penetration of these services throughout Russian society is very high, both officially and unofficially. It is no secret that former KGB or FSB officials occupy positions of responsibility in politics or in the big companies of the country. As a curiosity, in 2006 it was reported that 78% of the country’s top 1,000 politicians had worked for the Russian secret services [1]. So much so that these profiles have a proper name: siloviki, a term that roughly means people in power. And it is no secret who the best-known silovik is: Vladimir Putin, President of the Russian Federation, who was an agent of the KGB in the Soviet era and later Director of the FSB.

To understand this degree of penetration of Russian intelligence in certain organs of power it is necessary to go back, in particular, to the 1990s. The dismemberment of the Soviet Union caused a chaotic situation in Russia, with high unemployment and poverty rates. Many people had lost their jobs (among them, it is estimated, 40% of the KGB [2]) and the easy way out for these citizens was obviously illegal. Many former members of the security forces, the army or the intelligence services ended up swelling the ranks of organized crime groups or working in the legal or illegal protection of oligarchs or mafia leaders. This transfer of specialized personnel to organized crime groups was not only a means of survival for these people, but also a considerable reinforcement of these groups, both in volume and in quality: thanks to these new signings, many of them went from small, unspecialized groups that used basic intimidation techniques to perfectly organized mafia groups, with better human and material resources and highly specialized tactics. And, especially, with better relations with the Russian security, defense or intelligence services, the cradle of a good part of the new personnel of the mafia groups.

In this convulsive situation, it seemed that the most stable business was organized crime; for example, the number of homicides in 1995 had tripled compared to the 1988 figures. When the Russian Government began to privatize state enterprises and services, organized crime groups, with a lot of money and power, identified the opportunity to position themselves in them, which automatically not only increased their economic power, but also placed the mafias in the front line of political power.

Let us recapitulate: organized crime maintained a close relationship with the security and intelligence services, since many of its members came from them, and also with the large privatized companies and therefore with national politics. A perfect combination to become a key piece for the country. The Russian Government was aware that, in order to return the country to a situation of relative normality, organized crime had to be reined in. So much so that in 1994 Boris Yeltsin came to call Russia “the greatest mafia state in the world”.

But the arrival of Vladimir Putin to the government in 1999 tries to change this situation with two objectives: to return control of the strategic assets to the state and to let the world know that the state controlled these assets again (and that, therefore, Russia was a world power as the USSR had been). He takes control of the main companies and command posts away from oligarchs and criminals and places in them former officers of the KGB or of its successor, the FSB, confident that they all identified with the same Mother Russia we have already spoken about in this series.

With a dose of heavy-handedness, Vladimir Putin achieves his challenge and largely removes organized crime from strategic positions for the country; but the power acquired by the mafia groups during the 1990s was too great, and trying to eliminate their activities altogether could even destabilize Russia [2], so Putin had to content himself with removing them from these strategic positions while covertly allowing them to continue their illegal business.

Let’s look at the big spider web: Russian intelligence maintains connections with organized crime, gained in the 1990s, and a widespread penetration of the country’s political (government) and economic (strategic enterprises) circles of power, gained in the first decade of this century. With this degree of infiltration into the circles of power, Russian intelligence achieves two clear objectives: cover and control (or collaboration, depending on the degree required in each case). This has been the case since the Soviet era and it is – coincidentally or not – in the Russian. In fact, until recently, a high percentage of senior Russian government officials were siloviki, although with Medvedev this percentage has been reduced and the siloviki have lost some of their power in politics, although they still constitute a relevant lobbying group (or several, as there are several “families” of siloviki). With the election of Medvedev as Russian Prime Minister, Putin reinforced the liberals (economists and lawyers, many of them from St. Petersburg) against the siloviki, headed by Sergei Ivanov, who was placed at the head of the Presidential Executive Office; an interesting move between two opposing clans that from that moment on have an almost unique nexus of union: President Putin himself.

In addition to these circles of power, the Russian services are closely related to citizen movements and even to the Russian Orthodox Church; although we are not going to describe this last relationship (we are focusing, or attempting to, on the cyber environment), it is nonetheless a good indication of the extent of the broad social penetration of intelligence in Russian society. And we will see that this penetration is not restricted to classical intelligence, but is automatically extrapolated to the cyber domain.

The relations of the Russian services with some of these actors are generally protected by the law and can only raise ethical objections; however, in “unofficial” relationships legality is more than doubtful, not only with organized crime (in our case, with organized cybercrime) but also with movements like the patriotic hackers, which have launched real offensive campaigns on behalf of the Russian homeland, perhaps covered by the country’s own services…

We will review in these next entries the relations of the Russian intelligence community, previously described, with the different actors relevant to that community, which allow it to increase its control and its acting capacities, especially unofficially.

References
[1] Alexander Klimburg, Heli Tirmaa-Klaar. Cybersecurity and cyberpower: concepts, conditions and capabilities for cooperation for action within the EU. Directorate-General for External Policies of the Union. Directorate B. Policy Department. European Parliament, 2011.

[2] Fred Burton, Scott Stewart. Russia and the Return of the FSB. Stratfor Security Weekly. April, 2008.

The Russian ICC (IX): APT groups

We have talked so far about the main services that make up the Russian intelligence community in its cyber domain, and in successive posts we will continue to describe the rest of the complex Russian ecosystem, but where are the allegedly Russian APTs? Groups known to everyone, such as APT28 (Fancy Bear, Sofacy...) or APT29 (Cozy Bear, The Dukes...), must be somehow related to this community... if they are not part of it, right?

These groups, APT28 and APT29 (we will call them that, although we take the opportunity to ask for an ISO standard for naming APT groups, since each one has a dozen names), are undoubtedly the best known in the Russian panorama, described by FireEye in [5] and [6]. So, are they units of one of the Russian services listed above? Are they mercenaries who sell their work to the highest bidder? Organized groups that provide information in exchange for impunity? The result of a third party's false flag operation? We do not know, and may never know. Even so, since certainty is impossible, in this post we will assess, or at least try to (remember that attribution is always hypothetical; that is why we like it so much ;) ), some of the elements that allow us to relate these groups to the Russian services. There are more supposedly Russian groups, such as Turla; we will talk about them in another post...

APT28 and APT29

The first question to ask about these groups is whether they are really Russian; most technical indicators say they are: from the compilation dates and times of their arsenal, which largely coincide with working hours in Moscow and Saint Petersburg, to the encodings and languages used in a good part of their artifacts. Here, however, we run into the great problem of attribution: we approach it from artifacts left, voluntarily or involuntarily, by the attacker. Can a man from Cuenca know Russian, even colloquial Russian, set his machine's clock to the schedule we referred to, or configure his system in Russian? Without any problem. Could these groups be from Cuenca, then? Of course.

Although technical indicators are easily altered, they are what we have to work with; in both APT28 and APT29, analysts identify not a man from Cuenca but a structured group with separate responsibilities and established development methodologies... something we could call a malware factory. That is, a powerful organization is identified behind them, an organization that could be an independent group, a unit of a particular service, a company... from Moscow, St. Petersburg or Cuenca.
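The compile-timestamp indicator discussed above can be reproduced with a few lines of code, and so can its forgery. The following is an added example (not code from the original post nor from the reports it cites): it reads the COFF TimeDateStamp of a constructed minimal PE image, buckets a constructed set of stamps into the working hours of several candidate time zones (given as fixed UTC offsets, an assumption that ignores DST and the historical changes of the Moscow offset) and then overwrites the field, which is all a "man from Cuenca" needs to do.

```python
"""PE compile-timestamp attribution heuristic, and how easily it is forged.

Added example; not code from the original post or from any of the reports it
cites.  The sample stamps, the minimal PE image and the candidate zone table
are constructed for the example.
"""
import struct
from datetime import datetime, timedelta, timezone

# Candidate zones as fixed UTC offsets.  Assumption: no DST and no historical
# offset changes; a real analysis must use the tz database for each sample's year.
CANDIDATE_ZONES = {"Moscow": 3, "London": 0, "New York": -5, "Beijing": 8}


def read_timestamp(pe: bytes) -> int:
    """Return the COFF TimeDateStamp (seconds since the Unix epoch) of a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    # COFF header after the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", pe, e_lfanew + 8)[0]


def set_timestamp(pe: bytes, ts: int) -> bytes:
    """Return a copy of the image with TimeDateStamp overwritten (the forgery)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    buf = bytearray(pe)
    struct.pack_into("<I", buf, e_lfanew + 8, ts)
    return bytes(buf)


def minimal_pe(ts: int) -> bytes:
    """Constructed MZ stub plus PE signature and the first 8 COFF header bytes."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew points right after the DOS header
    return bytes(dos) + b"PE\0\0" + struct.pack("<HHI", 0x14C, 1, ts)


def working_hours_fraction(stamps, utc_offset_hours, start=9, end=18):
    """Fraction of stamps that fall Monday-Friday between start and end local hours."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    hits = 0
    for ts in stamps:
        local = datetime.fromtimestamp(ts, tz)
        if local.weekday() < 5 and start <= local.hour < end:
            hits += 1
    return hits / len(stamps) if stamps else 0.0


def best_fitting_zone(stamps):
    """Candidate zone whose working hours contain the most stamps, with its score."""
    scores = {name: working_hours_fraction(stamps, off) for name, off in CANDIDATE_ZONES.items()}
    best = max(scores, key=scores.get)
    return best, scores[best]


# Constructed sample: ten stamps on Mon-Wed 16-18 March 2015 during Moscow office hours.
_MSK = timezone(timedelta(hours=3))
SAMPLE_STAMPS = [
    int(datetime(2015, 3, d, h, m, tzinfo=_MSK).timestamp())
    for d, h, m in [(16, 9, 30), (16, 11, 0), (16, 14, 15), (16, 16, 45),
                    (17, 10, 5), (17, 12, 30), (17, 15, 50),
                    (18, 9, 0), (18, 13, 0), (18, 17, 30)]
]
# A stamp on Sunday 15 March 2015 03:00 Moscow time, used to show the forgery.
FORGED_SUNDAY_STAMP = int(datetime(2015, 3, 15, 3, 0, tzinfo=_MSK).timestamp())

if __name__ == "__main__":
    zone, frac = best_fitting_zone(SAMPLE_STAMPS)
    print(f"best fit: {zone} ({frac:.0%} of stamps inside working hours)")
    sample = minimal_pe(SAMPLE_STAMPS[0])
    forged = set_timestamp(sample, FORGED_SUNDAY_STAMP)
    print("forged stamp inside Moscow working hours:",
          working_hours_fraction([read_timestamp(forged)], 3))
```

Run as is, the constructed sample fits Moscow working hours perfectly and no other candidate zone comes close; a single pack_into call then moves the same stamp to a Sunday night, which is why the post treats this indicator as a starting point and not as proof.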

Information needs, and therefore the objectives of these groups, are harder to fake than purely technical indicators (beware: harder, not impossible); in the case of these groups, their victims are compatible, both geographically and operationally, with the information needs of the Russian government, which will be discussed in detail in this series of posts. Faking this would be much more costly for a third party (we insist: costly, but NOT impossible for an actor with large capabilities, such as a state). Therefore, if the technical indicators point to Russia, the targets and victims point to Russia and the information needs reflected coincide with the supposedly Russian ones ([8]), the probability that APT28 and APT29 have Russian roots is HIGH. Can we confirm it 100%? Of course not.

TTP

The usual tactics, techniques and procedures associated with APT29 involve spear phishing aimed at the victim, with a link in the mail to download a dropper which, when executed, in turn downloads a RAT; APT28, on the other hand, works more with the creation of fraudulent web pages that mimic those of its targets, under domain names close to the legitimate ones, in order to steal credentials. The arsenal of APT28, like that of APT29, is based mainly on the exploitation of Microsoft and Adobe products, in both cases because of the popularity of these environments and therefore the likelihood of successful exploitation; however, APT28 uses more vulnerabilities without publicly known exploits than APT29 ([2]) and its catalog is much larger, which could indicate both more resources and more experience in cyberspace on the part of APT28, whereas APT29 is very discreet and aims at very long persistence. In any case, both groups are technically excellent and their catalogs of vulnerabilities rarely overlap, denoting the separation (and competition) between the two, which would be compatible with the separation (and competition) between Russian services that we have already mentioned in this series. In addition, some of the vulnerabilities exploited by APT28 and APT29 in their campaigns are also exploited by groups linked to cybercrime ([2]), which could be anything from a diversion to something that reinforces the theory of close links between the Russian cyber-intelligence community and other actors in its environment, as discussed later in this series.
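The credential-theft infrastructure attributed above to APT28, fraudulent pages under domain names close to the legitimate ones, is something a defender can hunt for in new-registration feeds, certificate transparency logs or proxy logs. The block below is an added example, not code from the original post or from the cited reports: it scores candidate domains against an organization's legitimate ones using homoglyph folding, edit distance and brand-token embedding. The legitimate domains, the candidates, the confusable table and the public-suffix list are all constructed for the example; none corresponds to real infrastructure.

```python
"""Lookalike-domain scoring for credential-phishing infrastructure.

Added example; not code from the original post or from the reports it cites.
All domains, the confusable table and the suffix list are constructed.
"""
from typing import Iterable, Optional, Tuple

# Visually confusable sequences an attacker may substitute (assumption: a small subset).
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}

# Assumption: a tiny public-suffix list is enough for the example.
SUFFIXES = ("co.uk", "info", "com", "net", "org", "ru")


def registrable_label(domain: str) -> str:
    """'mail.examplecorp.com' -> 'examplecorp' (the label just left of the public suffix)."""
    d = domain.lower().rstrip(".")
    for suf in sorted(SUFFIXES, key=len, reverse=True):
        if d.endswith("." + suf):
            d = d[: -len(suf) - 1]
            break
    return d.rsplit(".", 1)[-1]


def normalise(text: str) -> str:
    """Fold confusables and drop hyphens so 'examp1e-corp' compares as 'examplecorp'."""
    s = text.lower().replace("-", "")
    for bad, good in CONFUSABLES.items():
        s = s.replace(bad, good)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) with the standard two-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score(candidate: str, legit_domains: Iterable[str]) -> Optional[Tuple[str, str]]:
    """Return (imitated legit domain, reason) or None if the candidate looks benign."""
    cand = candidate.lower().rstrip(".")
    legit = [d.lower().rstrip(".") for d in legit_domains]
    # The organization's own domains and their subdomains are never flagged.
    if any(cand == d or cand.endswith("." + d) for d in legit):
        return None
    n_cand = normalise(registrable_label(cand))
    n_full = normalise(cand.replace(".", ""))
    for d in legit:
        n_legit = normalise(registrable_label(d))
        if n_cand == n_legit:
            return d, "homoglyph or TLD swap"
        if len(n_legit) >= 6 and levenshtein(n_cand, n_legit) <= 2:
            return d, "typosquat"
        if n_legit in n_full:
            return d, "brand embedded"
    return None


def flag_candidates(candidates, legit_domains):
    """Map each flagged candidate to (legit domain, reason)."""
    flagged = {}
    for c in candidates:
        hit = score(c, legit_domains)
        if hit is not None:
            flagged[c] = hit
    return flagged


# Constructed data: a fictitious organization and a batch of observed domains.
LEGIT_DOMAINS = ["examplecorp.com", "examplecorp.co.uk"]
CANDIDATES = ["examp1ecorp.com", "exarnplecorp.net", "examplecrop.com",
              "webmail-examplecorp.com", "mail.examplecorp.co.uk", "unrelated.org"]

if __name__ == "__main__":
    for cand, (target, reason) in flag_candidates(CANDIDATES, LEGIT_DOMAINS).items():
        print(f"{cand:26s} imitates {target} ({reason})")
```

The three rules are deliberately ordered from strongest to weakest evidence: an exact match after folding confusables is almost never innocent, a small edit distance needs a minimum brand length to avoid noise on short names, and brand embedding ("webmail-", "-login") is the pattern most often seen in credential-harvesting pages and the one most prone to false positives, so it is worth reviewing by hand.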

In both cases, working methodologies, technical capabilities, operational infrastructure and operational security (OPSEC) indicate that APT28 and APT29 are neither individual attackers nor poorly organized groups, but groups with considerable resources, stable over time and with a perfectly defined structure and operation. Supported by a state? A direct part of that state? In [8] we find an excellent analysis. The probability is HIGH, since few organizations can have these capabilities, but, as always, we cannot confirm it with certainty.

Goals

Among the targets of APT28 are sectors such as aerospace, defense, energy, public administrations and the media (remember the handling of information in Russian strategies and doctrines), with a particular interest in ministries of defense and in organizations of those sectors linked to the military ([1]), which, coincidentally or not, reflect the interests of Russian military intelligence. [5], the report in which FireEye names this group APT28, details some of its targets and victims, emphasizing its operational interest in areas close to the military and, in addition, its interest in controlling information on issues relevant to Russia, somewhat in line with the broad concept of Russian information warfare referred to in previous posts. APT28 does not appear to pursue intellectual property theft; in addition, the compromised countries correspond to the main Russian geopolitical interests (which we will comment on in future posts) and the targets are compatible both with the Russian origin of the group and with its possible proximity to the military sphere; in other words, APT28 and the GRU share information needs and objectives, so maybe, just maybe, they have some kind of relationship. Is APT28 a GRU unit? We do not know. Is it an external group paid by the GRU? We do not know. Is it a group from Cuenca? We do not know...

APT29, on the other hand, broadens the targets of its competitor, partially decoupling them from the military to focus not only on that sphere but also on sectors such as pharmaceuticals, finance or technology, to mention just a few examples, as well as on NGOs and even criminal organizations ([7]). This last element is very significant, since it could reflect the police attributions, and thus the information needs, of the Russian FSB, while the attacks on different NGOs imply, or may imply, political, economic or information-control interests. In line with a service like the FSB... or in line with a false flag operation from Cuenca.

A recent example

Undoubtedly the most recent and most talked-about case of alleged compromise by Russian APTs, this time by both APT28 and APT29, is that of the US Democratic National Committee (DNC) in 2016 and its potential influence on the outcome of the election campaign, an incident described in detail in [3]; CrowdStrike revealed the presence of both groups in DNC systems, with greater persistence on the part of APT29, and laid bare the competition between them: they share neither TTPs, nor vulnerabilities, nor resources... but they sometimes share targets. To the technical elements for attribution to the Russian services, analyzed by companies such as CrowdStrike (and later reinforced by others such as FireEye or Fidelis), was added the surprise appearance of Guccifer 2.0, a presumably false identity (a sockpuppet) compatible with Russian military doctrine and completely aligned with the broad concept of information warfare we have already mentioned, which includes deception, disinformation, etc. An excellent analysis of this sockpuppet and its potential relationship with a GRU false flag operation can be found in [4].

Conclusions

We have seen in this post that everything indicates that APT28 and APT29 are of Russian origin and possibly have the support of a government for their activities, two hypotheses of HIGH probability. The information needs of both groups are compatible with those of the Russian government, and their targets also coincide with the concerns of the Russian government in different areas. They share neither intelligence nor arsenals, which would be compatible with the separation between the different Russian intelligence services if APT28 and APT29 were linked to some of them, but they do share targets: the final product, intelligence, would be of higher quality. According to different analysts, APT28 may be related to Russian military intelligence, the GRU, while APT29 would be related to the FSB. It may be so. Or maybe not. One often concludes that names like APT28, PawnStorm, APT29, Snake... are just the elegant way we have of saying FSB, GRU, FSO... when we do not have enough evidence to confirm the involvement of those services in certain operations. In any case, whether APT28 really corresponds to a unit of the GRU and APT29 to a unit of the FSB (or vice versa, as [9] argues) is something that we, of course, do not know for sure, nor expect to know in the short term: everything is a hypothesis. Perhaps, right now, there is a man in Cuenca, very smart and organized, with many resources, listening to Radio Moscow to perfect a foreign language and configuring his computer with the St. Petersburg time zone while laughing at all the analysts in the world.

References

[1] Dmitri Alperovitch. Bears in the Midst: Intrusion into the Democratic National Committee. CrowdStrike. June 2016. https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/
[2] RFSID (Recorded Future). Running for Office: Russian APT Toolkits Revealed. August 2016. https://www.recordedfuture.com/russian-apt-toolkits/
[3] Eric Lipton, David E. Sanger, Scott Shane. The Perfect Weapon: How Russian Cyberpower Invaded the U.S. The New York Times. December 2016. http://www.nytimes.com/2016/12/13/us/politics/russia-hack-election-dnc.html
[4] Thomas Rid. All Signs Point to Russia Being Behind the DNC Hack. Motherboard. July 2016. http://motherboard.vice.com/read/all-signs-point-to-russia-being-behind-the-dnc-hack
[5] FireEye. APT28: A Window into Russia's Cyber Espionage Operations? October 2014. https://www2.fireeye.com/apt28.html
[6] FireEye. HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. July 2015. https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf
[7] F-Secure. The Dukes: 7 Years of Russian Cyberespionage. September 2015. https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf
[8] Jen Weedon. Beyond 'Cyber War': Russia's Use of Strategic Cyber Espionage and Information Operations in Ukraine. In Kenneth Geers (ed.), Cyber War in Perspective: Russian Aggression against Ukraine. NATO CCD COE Publications, Tallinn, 2015.
[9] Malcolm Nance. The Plot to Hack America: How Putin's Cyberspies and WikiLeaks Tried to Steal the 2016 Election. Skyhorse Publishing, 2016.

Image courtesy of Indian Strategic Studies.

The Russian ICC (VIII): GRU

The only major Russian service which, as we have indicated, is not a direct heir of the KGB is the GRU (Glavnoye Razvedyvatelnoye Upravlenie), military unit 44388, whose mission is to provide intelligence to the Ministry of Defense, the military leadership and the Russian armed forces as a whole. This service is dedicated to military intelligence, from the strategic to the operational level, working not only in a strictly defensive sense but also covering other aspects, such as politics or the economy, linked to the military sphere, and especially foreign intelligence, sometimes together with the SVR. Since 1996 it has also been entrusted with acquiring information on ecology and the environment. To carry out these tasks the GRU has all kinds of capabilities, from IMINT to HUMINT, through OSINT and, of course, SIGINT, capabilities that give it an international sphere of action and influence and allow the GRU to "act in any point of the world where the need might arise", according to statements by General Valentin Vladimirovich Korabelnikov in an interview granted in 2006, when he was Director of the GRU.

The GRU is undoubtedly the most opaque of the Russian services and arguably the best of them; it is a body that retains certain Soviet traits (remember that it survived the KGB) and even regards other services, such as the FSB, as "westernized". As a curiosity, the GRU recruits its agents among the "proletarian" classes, preferably personnel without knowledge of languages, and among its supposed tasks is burying weapons in hostile territory so as to be able to use them in case of conflict. It has no counterintelligence service (a function carried out by the FSB), no press office (in fact, the GRU is no more than a Main Directorate within the Russian Ministry of Defense) and no official website ([1]). Thanks to its working methods, it is the intelligence service that has had the fewest defectors in Soviet and Russian history.

The GRU was led by General Igor Sergun until January 2016; after the sudden death of the General (nothing mysterious, just a heart attack), General Igor Korobov has been in command since February 2016. Both are lieutenant generals (two stars in the Russian rank system), as against the army generals at the head of the FSB or the FSO. Although the personnel and budget figures of the GRU are obviously classified, it is estimated that more than 25,000 staff make up this service. As for its annual budget, no significant information has been found in public sources, the figures being always hidden within the general budget of the Russian Ministry of Defense.

As indicated, the GRU is a Main Directorate of the Russian Ministry of Defense. It is structured in fifteen directorates ([2]), with the GRU's cyber capabilities concentrated in the Second and Sixth Directorates and in the Eighth Department, which is responsible for the security of the GRU's internal communications. The Sixth Directorate is responsible for electronic intelligence and has historically been very active in this area, operating signal interception stations from Cuba to Vietnam and, of course, in the GRU's legal residencies in different countries. Apparently this directorate holds the capabilities closest to what we call CNO, especially in the military field, and is able to intercept signals around the world. The Sixth Directorate is composed of at least four divisions ([3]): the First Division is dedicated to SIGINT (the GRU decryption service sits here) and the Second to ELINT, while the Third Division is responsible for maintaining the interception equipment and the Fourth for continuous signal monitoring. The Second Directorate (which includes the GRU special forces, the Spetsnaz) has seven main divisions, three of which deal directly with SIGINT, encryption and communications security at a more operational level than the Sixth.

In addition to the GRU, the Russian Ministry of Defense has further capabilities focused on electronic warfare, cybersecurity or computer security, with a complex structure detailed in the excellent reference [4] that we have already cited in previous posts in this series. For example, Military Unit 11135, the 18th Central Research Institute (CRI), is the main signals intelligence research capability of the Russian Ministry of Defense, including research and development on wireless devices, SCADA systems or electromagnetic protection systems. Also a research institute is Unit 01168, the 27th CRI, in this case in the field of information technologies and command and control systems.

References
[1] Konstantin Preobrazhensky. GRU: Obscure Part of Russian Intelligence. Journal of Defense Management, Volume 2, Issue 2. March 2012.
[2] Richard Bennett. Espionage: Spies and Secrets. Virgin Digital, 2012.
[3] Andrew Jones, Gerald L. Kovacich. Global Information Warfare: The New Digital Battlefield. Second edition. CRC Press, 2016.
[4] Jeffrey Carr. Inside Cyber Warfare: Mapping the Cyber Underworld. Second edition. O'Reilly, 2011.

The Russian ICC (VII): FSO

Another heir of the FAPSI is the FSO (Federal'naya Sluzhba Okhrani), identified in [1] as military unit 32152 and headed since May of this year (2016) by Major General Dmitry Kochnev (his predecessor, Evgeny Murov, was a General of the Army, three ranks higher, and this matters a great deal in the Russian services). Murov obtained very important FAPSI attributions: with more than 20,000 staff today (supposedly, since the figure is classified, and various sources speak of more than 50,000), the FSO inherited and expanded the KGB's Ninth Directorate, responsible for the protection of government "assets" in the broadest sense of the word. For example, the Presidential Security Service (SBP), Putin's bodyguards, and control of the famous Russian nuclear briefcase depend on the FSO, as does the operation of a secure network for transmitting election results, GAS Vybory (information is, obviously, an asset to be protected). Specifically, from a cyber point of view, this service has assumed, among other capabilities, those associated with strategic SIGINT, the secure operation of state systems (especially their protection against foreign services) and the security of national classified information ([2]), which includes presidential communications: the FSO provides secure communications at the very highest level, for example between the Kremlin and the main Russian military commanders, giving it enormous power to control information...

Since 2004 the FSO has housed the Spetssvyaz, the Special Communications and Information Service (SSSI), which previously belonged to the FSB and which some analysts currently consider the Russian equivalent of the US NSA (although the intelligence communities of the two countries differ and the NSA's functions are therefore spread across several Russian agencies). This body develops the cyber attributions of the service mentioned above and includes at least one directorate for the management of civilian government communications, another for military government communications, a main directorate for information resources (apparently dedicated to the protection of information itself, in the broadest sense) and another main directorate for information systems ([3]), dedicated to the protection of the systems that handle that data. The Director of Spetssvyaz, Alexey Mironov, a young general, is also Deputy Director of the FSO and was expected to replace Evgeny Murov at the head of the service after his retirement... until Major General Kochnev was appointed to that post, an unexpected and certainly unusual move for many, especially given Kochnev's background...

A curiosity: in 2013, after some alleged data-theft scandals involving third parties, the FSO ordered the purchase of typewriters (yes, typewriters, good old-fashioned ones) to avoid information leaks. Another curiosity: Spetssvyaz registers Internet domains openly: kremlin.ru, gov.ru, ру.рф, da-medvedev.ru... Although we find this striking (not only the fact itself but also some of the registered domains), they are not the only ones who do it: services closer to home follow or have followed the same open philosophy... at least in some cases. In a future post we will talk about certain "curious" domain registrations, near and far from here :)

References

[1] Jeffrey Carr. Inside Cyber Warfare: Mapping the Cyber Underworld. Second edition. O'Reilly, 2011.
[2] President of the Russian Federation. Strategy for the National Security of the Russian Federation up to 2020. May 2009.
[3] Jonathan Littell. The Security Organs of the Russian Federation. A Brief History 1991-2005. Post-Soviet Armies Newsletter. Psan Publishing House, 2006.

The Russian ICC (VI): SVR

The SVR (Sluzhba Vneshney Razvedki) was the first heir of the KGB with its own identity, inheriting the attributions of the First Chief Directorate; it is responsible for Russian foreign intelligence, providing the national authorities with intelligence that can benefit Russia in areas that have evolved from the military and defense (especially in the 1990s) to the technological, industrial, scientific and economic. To achieve this the SVR relies primarily on HUMINT capabilities, both open and clandestine, theoretically depending on the GRU (which we will see in a coming post) for its signals intelligence needs.

In the SIGINT area the SVR works together with the GRU in strategic intelligence (at least in theory, since the rivalry between Russian agencies is well known: remember the "joint" operation of the SVR and the GRU at the SIGINT station in Lourdes, Cuba), as opposed to the more operational intelligence of the FSB; the main objective of the SVR, whatever the discipline used, is the acquisition of information and the development of intelligence on the capabilities, actions, plans and intentions, both real and potential, of third countries against the vital interests of the Russian Federation (including, as we have mentioned, economic ones).
