Cyber (GRU) (II): historical SIGINT

The GRU, Military Unit 44388, obtains and processes intelligence from multiple disciplines, including IMINT, SATINT and, of course, OSINT, with information needs linked to the military, political, technological, economic and ecological/energy fields ([1]). As already indicated in the article dedicated to the GRU within the series on the Russian Cyberintelligence Community, the Sixth Directorate of the GRU has historically held the Service’s SIGINT (COMINT and ELINT) attributions. An excellent description of these attributions can be found in [2]; the image shows the historical structure of the GRU:

The Sixth Directorate, which reports directly to the Service’s Deputy Director for Technical Affairs, was divided into four divisions [Read more…]

(Cyber) GRU (I): Introduction

As we already mentioned in the post dedicated to it, within the series on the Russian Cyberintelligence Community, the GRU (GU) is the most opaque of the Russian services, keeping its Soviet heritage almost intact in contrast to the “westernized” FSB or SVR: in fact, the structure and operation of the Service have not been especially well known, with [1] remaining the main reference until fairly recently. Beyond specific details of operations without clear attribution, or the identities of its Director and Deputy Directors (no secret), little or nothing was known about the Service. However, and certainly very much in spite of the GRU, in 2018 there have been, so far, three events that radically change this opacity: [Read more…] (in English)

Yesterday, CCN-CERT published the communiqué on the relaunch of the group, a forum that brings together incident response teams that are Spanish or have an area of action in Spain, and whose objective is to centralize the exchange of information and to facilitate coordination between those very teams. It currently consists of more than twenty teams and, as the press release indicates, public and private actors from different sectors are represented, with different objectives … but they have many points in common; the main one, by definition, is to provide a response capability to a given community. And today that capability cannot work if it tries to operate independently and in isolation from other teams: it necessarily requires direct collaboration with third parties. Beyond forums such as FIRST or TF-CSIRT, we believe that a meeting point enabling collaboration between CSIRTs with an area of action in Spain is more than interesting: it is necessary. [Read more…]

The tools of the gods

Today at SAW we are not going to talk about security but about religion. About the true religion, the good one: about Unix. And about its gods: Kernighan, Ritchie, Thompson … we could cite a few. And about the tools that, in the seventies, these gods sent to us poor mortals, like the manna fallen from heaven for the chosen people.

The thing is that these gods created a real operating system, with some technically wonderful tools and a very simple philosophy: simple capabilities that combined make complex tasks. Perfection. Life is Unix running a script. More than forty years have gone by and we, poor mortals who were the chosen people, what have we done all this time? Trying to dishonor that divine legacy with artificial and useless layers (“of abstraction”, they call them, to try to make sense of them) that introduce two unnecessary problems in any “modern” technological environment: complexity, and therefore probability of error, and slowness.

A textbook example is the “true” executable, along the lines of the story Rob Pike recently told on Twitter:

$ >mytrue;chmod +x mytrue
$ ./mytrue
$ echo $?

A program whose only purpose is to always return 0. An empty executable. EMPTY. There can be nothing simpler that works, and has been for forty years … well, that’s where we mortals come in. Year 2018:

[Read more…]
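The reason an empty executable "works" is worth making visible, because it is the shell, not the kernel, that makes it work: the kernel's execve() rejects a file with no recognised header (ENOEXEC), and a POSIX shell then falls back to interpreting the file as a script of the current shell, which, having no commands, exits 0. The script below is an added example, not code from the original post or from Rob Pike; it assumes a POSIX sh with mktemp(1), and all file names are invented for the demo. It also goes one step beyond the post's case: a file with no shebang line shows that the fallback really is running the file's contents, which is something to keep in mind when auditing "executable" files that are not binaries.

```shell
#!/bin/sh
# Added example, not part of the original post. Demonstrates the ENOEXEC
# fallback that lets a zero-byte executable behave as "true".
# Assumptions: POSIX sh, mktemp(1); file and directory names are invented.

# Write the given contents to a fresh executable file in a private temporary
# directory, run it, clean up and print its exit status.
run_as_exec() {
    contents=$1
    # Prefer the current directory (some /tmp mounts are noexec), else TMPDIR.
    dir=$(mktemp -d ./true_demo.XXXXXX 2>/dev/null || mktemp -d)
    printf '%s' "$contents" > "$dir/prog"
    chmod +x "$dir/prog"
    # The if-form keeps a non-zero status from aborting a caller under set -e.
    if "$dir/prog"; then status=0; else status=$?; fi
    rm -rf "$dir"
    echo "$status"
}

# The original post's mytrue: zero bytes, exit status 0.
empty_true_status() {
    run_as_exec ''
}

# Evidence that the shell, not the kernel, is running the file: a body with no
# shebang line is still interpreted by the ENOEXEC fallback, so its exit code
# propagates. Exit status 7.
no_shebang_status() {
    run_as_exec 'exit 7'
}

# A file whose first line is a shebang goes through the kernel's interpreter
# path instead; the visible result is the same kind of thing, exit status 3.
shebang_status() {
    run_as_exec '#!/bin/sh
exit 3'
}

# The shell builtin that the coreutils binary competes with: exit status 0.
builtin_true_status() {
    true
    echo $?
}

main() {
    printf 'empty executable   -> %s\n' "$(empty_true_status)"
    printf 'no shebang, exit 7 -> %s\n' "$(no_shebang_status)"
    printf 'shebang, exit 3    -> %s\n' "$(shebang_status)"
    printf 'builtin true       -> %s\n' "$(builtin_true_status)"
}

main
```

Run it with any POSIX shell; the first line of output is the post's point (an empty file returns 0), and the second line is the part the post does not show: the same fallback will happily execute whatever a header-less executable file contains, using the invoking shell.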

The Russian ICC (XVIII). Conclusions

For a few months we have been publishing a series of posts on Russian cyber intelligence in SecurityArtWork, which we hope you have enjoyed and which have helped you to better understand Russian capabilities, groups, structures, APTs… Without a doubt, Russia has been and continues to be one of the main players in the field of security, intelligence and defense (and of course in cybersecurity, cyber intelligence and cyber defense … or cyber things in general) and, as such, we must know it well if we work on these issues.

As we have seen in this series, Russia is a world power in many fields (as the USSR was in its day) and still retains Soviet echoes; the “Cold War Mode”, which we have referred to in different posts, perfectly defines its current cyber strategy and the management of information that the country has historically practised, both of which are applied within the broad concept of information warfare we have also referred to on many occasions, significantly different from the Western one and including propaganda or deception, to give just a few examples. If Russia is your mother and your mother is in danger, you will do whatever is necessary to save her. Period. No further discussion.
[Read more…]

The Russian ICC (XVII): objectives. Spain

The First Chief Directorate of the KGB was responsible for all operations of the service outside the USSR; this Directorate included departments focused on different geographical areas of the world, which were the operational nucleus of the Chief Directorate and were responsible, among other things, for almost all KGB-linked companies operating outside Soviet territory. Within these geographical departments, the Fifth covered France, Italy, the Netherlands, Ireland … and Spain. Certainly we did not reach the level of the United States and Canada (First Department, devoted exclusively to these two countries), but we were not very far off, perhaps on a second level. For different reasons that have obviously changed over the years, from the Civil War until now Spain has been a historical objective (not the most important, but a relevant one) for Soviet intelligence, and it still is for Russian intelligence: from the NKVD during its lifetime to the current services, obviously passing through the KGB from the middle to the end of the last century. And, in exactly the same way, the USSR, or Russia today, has been and remains an important objective for the West: for example, one only has to read something about Operation Mari, in the 1960s ([2]).

A good example of Russian activities in Spain in the 1970s and 1980s is SOVHISPAN. This Spanish-Soviet shipping agency, founded in 1971 and operating until 1993, took advantage of the strategic position of the Canary Islands to deploy a capacity to supply Soviet vessels operating off African coasts or making technical stops on transatlantic voyages (passenger or scientific). At first sight, an interesting business relationship between two countries and a spectacular source of income for the Islands, with direct flights between Las Palmas and Moscow operated, among others, by Aeroflot. But also a perfect cover for the KGB and GRU and their interests in Spain: from the handover of the Sahara or the arrival of democracy, to the use of Canarian independentism as a possible destabilizing element to prevent Spain from entering NATO. The Spanish services were no strangers to this situation, which led to the expulsion of Soviets accused of espionage; it is estimated that between 1977 and 1985 at least fifteen KGB and GRU agents were expelled from Spain, some of them directly related to SOVHISPAN, such as the company’s own CEO, Yuri Bitchkov (1981).

Neither years ago, as we have already indicated, nor today, with different information needs, has Spain been the priority objective of Russian intelligence. To give some examples: within NATO we are a medium power compared with countries like France or Germany, we are geographically far from Moscow ([1]), we cannot destabilize Mother Russia through our influence in Eastern Europe nor through our energy reserves, and we do not have a military capability that poses a real threat to Russian borders (but, on the other hand, we are in NATO) … However, not being the priority objective does not mean not being an objective at all; we must consider Spain a significant objective today for Russian interests, as the whole of NATO or the “West” continues to be ([3]). And to see this it is not necessary to go back to the last century and the activities of SOVHISPAN: more recently, different cases of Russian espionage against Spain have been identified and have reached public opinion. At the end of 2010, two members of the Russian embassy in Spain were expelled from the country accused of espionage (in fact, everything was more discreet: they were invited to leave the national territory for actions incompatible with their diplomatic status…), to which Russia reacted as usual, expelling two Spanish diplomats from Moscow. The general press also covered the arrest in 2007 of a former member of the CNI who had been identified as a double agent selling sensitive information to Russian services until 2004: the first person convicted of treason in the democratic period, who is still in prison today.

But what does Russian intelligence look for in Spain? In terms of the Russian information needs seen earlier in this series, we again identify four major areas of interest for Russian services in Spain or, generalizing, anywhere in the world: scientific-technical intelligence, political and diplomatic intelligence, military intelligence and economic intelligence; we include the “ecological” (energy) area as being of special interest within almost all of them. We will analyze each of these areas in the current Spanish scenario, both in the Public Administration and in companies, starting from the fact that, on paper and formally, Spain and Russia have for years had an agreement for the mutual protection of classified information, especially political, military, technical-military and economic information ([5]). These areas ring a bell, don’t they? It is also true that this agreement explicitly refers to information “exchanged in the course of cooperation”, not to “non-exchanged” information…

Let us focus first on the Public Administration; the Autonomous (regional) Administrations, and much less the local ones, need not be a habitual Russian target, although it should be remembered that in certain cases it could be interesting for Russia to access regional information. If this were the case, the Autonomous Communities of greatest potential interest for Russia could be Catalonia, Valencia, Andalusia and the Canary Islands and, for obvious reasons, the Community of Madrid. All these Communities host Russian Consulates (in some of them, honorary consuls). This has a simple explanation: the Catalan coast, the Costa del Sol, the Valencian Community and the archipelago are where most Russian citizens are concentrated (Barcelona is the city, and Alicante the province, with the largest Russian population in Spain). Thus, occasionally and potentially (as always), it might be interesting for Russian intelligence to access the medical history of a citizen of that nationality being treated in a Spanish hospital, to give one example, so the areas most likely to be a specific target would be those cited.

But beyond occasional interests, when we talk about the Spanish Public Administration we must look at the General State Administration (AGE), a presumed key objective for Russia, as it is a presumed key objective for the services of any country in the world; all the Ministries that make up the AGE are a Russian target. The AGE obviously has political and diplomatic interest, one of the basic needs of Russian intelligence, and some of its Ministries even have scientific-technical interest (Defense, Development, Education …) or economic interest; the Ministry of Defense deserves a separate mention, adding military interest for Russian intelligence. In fact, according to CCN-CERT, the main Russian objectives in Spain are governmental; but although all Spanish Ministries are objectives, for different reasons, some may be more so than others … which could be the main ones? Perhaps, only perhaps, the following, with their corresponding formal names: Presidency, Foreign Affairs, Defense, Interior and Economy. Why these five? Because of the sensitivity of the data they handle, they would be targets of any foreign service in general: not in vain was the CDGAI (Government Delegated Commission for Intelligence Affairs) formed ([4]).

Apart from Secretariats, Directorates General, etc., each Ministry has different Public Bodies attached to it; focusing on the previous five, among the bodies dependent on the Presidency the key objective by definition will surely be the National Intelligence Center, the main actor of Spanish intelligence, or the Department of Homeland Security, of course far above other agencies such as the BOE or National Heritage. In the case of Foreign Affairs, the main objectives could be the AECID (Spanish Agency for International Development Cooperation) or the Center for International Studies (a good part of the rest are cultural centers), while if we speak of Defense, everything is a potential Russian target: from INTA or DGAM to ISFAS (although the latter is certainly less interesting than the first two). For the Interior, the Police, the Civil Guard or the Penitentiary Institutions can be especially sensitive (let us remember the vast ecosystem of Russian intelligence and its relations with third parties) and finally, in Economy, perhaps the biggest focus of interest is on organizations such as the CDTI or CSIC, for the scientific-technical advantage that their information can bring to Russian services and companies.

Apart from the Administration itself, special mention should also be made of the attached public (or semi-public) companies. The Inventory of Entities of the State Public Sector (INVESPE) lists all the commercial companies belonging to Ministries. We have more than 150 public companies, ranging from some with very little potential interest (in this context) such as “Zona Franca, SL” or “Compañía Española de Tabaco en Rama, S.A.”, both attached to the Treasury, to others that may be a clear objective, such as ISDEFE, S.A. (Defense) or INCIBE, S.A. (Industry). In this case, in companies, the interest of Russian intelligence will not be focused so much on politics and diplomacy as on scientific-technical and economic espionage, as it will be in private business; for this reason, special mention may be made here of companies attached to particular ministries, such as Development, that participate in multi-million euro projects, because of the economic and technical espionage (and not only Russian) to which they may be subject.

If we move on to the private sphere, that of companies, political or military espionage obviously loses ground to scientific-technical and economic espionage in different sectors (as we have said, likewise in public enterprise): Russian companies compete in large tenders with Spanish ones, and their services will have a legitimate interest in favoring them, as well as an interest in obtaining a direct technical advantage through the theft of information. One of the main sectors of interest may be energy, the main Russian driving force, so we can speak of the companies in this sector as a clear objective; without going any further, let us remember Lukoil’s interest in taking a major stake in REPSOL a few years ago. All the major Spanish energy companies would fall into this group (without naming any, surely we all know them), as well as other companies directly or indirectly linked to the sector.

But beyond energy, when we talked about Russian information needs a few posts ago we referred to other sectors marked as key by its National Security Strategy: ICT, biomedicine, pharmacy, nuclear technology, nanotechnology … in short, leading sectors that can advance a country in a meaningful way. Nothing strange, either for Russian services or for those of any other country, of course. Companies in these sectors will be a potential target of Russian intelligence, as they surely will be for many other services: their research, projects, patents … are worth a lot of money. A list of Spanish companies in each of these sectors is no secret, and by consulting open sources we can get a rough idea of the possible objectives in Spain, with all their details.

A particularly interesting area is scientific-technical espionage against companies linked to Defense, a possible target of both civil intelligence and Russian military intelligence. Here, the General Directorate of Armament and Material (DGAM) has some six hundred companies registered in its catalog; the data is classified, but one has only to consult Wikipedia to obtain an interesting list of companies in this sector; if we leave aside the more classic companies and focus on technology (beware, not just computing: there are many technologies of interest for Defense, and especially expensive ones, which are objects of Russian interest) we get a juicy list of companies in this area. Or, even simpler: we can go to, for example, the web pages of the associations that bring together the companies of the sector, where in some cases, in addition to providing the list of members (something obvious), they are classified according to different parameters, such as the number of employees: thus we can easily identify Spanish companies working on technologies for, or related to, the Defense sector with, for example, fewer than fifty employees. What does this mean? That we have an excellent list of companies of interest to Russian services that are also small in size, which a priori (it does not have to be so, and hopefully it is not) may imply that they are soft targets; to give us an idea, these companies work in environments as varied and interesting as the manufacturing of warships, military nanophotonics or submarine electronics…

In short, Spain has been and remains a target of Russian intelligence, not the highest priority but surely at a second level; so it is not surprising that Russian services, or Russian APTs, have Spain among their targets, both in the Public Administration (priority) and in the private sector (biomedicine, ICT, defense…), looking for information aligned with their needs, always allegedly, of course. As an example, if in Kaspersky’s Targeted Cyberattacks Logbook we select the cyber espionage or information theft campaigns that had Spain in the Top 10 of their objectives, we find five, of which three are Turla, Agent.BTZ and Crouching Yeti. They ring a bell, right? Out of curiosity, the other two are Spanish-speaking: Machete and Careto. Other works clearly speak of Spain as a relevant target for APT28 ([6]), MiniDuke ([7], [8]) or Energetic Bear ([9]), to give just a few examples of allegedly Russian APTs that have had an impact on our country. In fact, in its EMEA reports, FireEye indicates that in this region Spain moved from tenth position in APT detections in 2014 to third in 2015 ([10]), which shows that it is in the spotlight of different actors, not just Russians.

To conclude this section, two comments. First of all, it should be recalled that the objectives identified here are by no means exhaustive; although these may be the priorities, let us remember the capacity and voracity of Russian services and their broad information needs: few organizations whose information has political or economic value should consider Russia (or other actors) a distant threat. Secondly, everything reflected in this post has been extracted from public sources and in many cases consists of strictly personal opinions, as almost always…

[1] Javier Morales, Eric Pardo. Rusia en la estrategia de seguridad nacional 2013. UNISCI Discussion Papers, no. 35. May, 2014.
[2] Claudio Reig. El espía que burló a Moscú. Ed. Abril, 2017.
[3] Mira Milosevich-Juaristi. ¿Por qué Rusia es una amenaza existencial para Europa? Real Instituto Elcano. July, 2015.
[4] Gobierno de España. Real Decreto 1886/2011, de 30 de diciembre, por el que se establecen las Comisiones Delegadas del Gobierno. BOE 315, 31 December 2011.
[5] Gobierno de España. Acuerdo entre el Gobierno del Reino de España y el Gobierno de la Federación de Rusia sobre la protección mutua de la información clasificada. BOE 312, 26 December 2014.
[6] Razvan Benchea et al. APT28 Under the Scope. A Journey into Exfiltrating Intelligence and Government Information. BitDefender. 2015.
[7] F-Secure. The Dukes. 7 years of Russian cyberespionage. F-Secure Labs Threat Intelligence. September, 2015.
[8] Costin Raiu, Igor Soumenkov, Kurt Baumgartner, Vitaly Kamluk. The MiniDuke Mystery: PDF 0-day Government Spy Assembler 0x29A Micro Backdoor. Kaspersky Lab. February, 2013.
[9] Symantec. Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Symantec Security Response. July, 2014.
[10] Álvaro García. APT. Evolución de las tácticas. Situación de España en el panorama europeo. IX Jornadas STIC CCN-CERT. December, 2015.

The Russian ICC (XVI): objectives. Countries

Any country in the world is a potential target of Russian (or non-Russian) espionage. As an example, infiltration in the Americas has historically been high, not only in the United States, a country of the highest priority for Russian intelligence, but also throughout Latin America.

However, maintaining a large intelligence ecosystem is not cheap, although it is true that, thanks to the particularities and relationships of the Russian services, it is not as expensive as it would be in other circumstances. So, as in any country, the Russians must prioritize their usual activities and interests, leaving temporary objectives for specific occasions: for example, the Middle East (Syria, Iran …) can be placed on this list of temporary objectives, for security reasons (counterterrorism) as well as economic ones (customers or suppliers of basic goods for Russia).

In addition to these, countries such as Australia or New Zealand, technologically developed and close to the West (not from the physical point of view, of course), are also Russian targets for different reasons, such as industrial espionage. We have highlighted in gray the target countries of Russian espionage:

[Read more…]

The Russian ICC (XV): objectives. Information needs

Let us recapitulate: so far we have made several entries concerning the Russian ICC, in which we have contextualized Russian intelligence, we have described its different services with cyber attributions and have analyzed, as far as possible, their relations with third parties, thus describing the complex ecosystem of intelligence in Russia. With this ecosystem already described (we had to stop at some point), we will now try to analyze the objectives of this intelligence, its information needs: what is Russia looking for and where?

A bit of history: Vasili Mitrokhin was a KGB archivist who, after the dissolution of the USSR, defected and collaborated with the British MI6; the material exfiltrated by Mitrokhin, which gave rise to several books known collectively as “the Mitrokhin archive”, revealed among many other secrets that the Soviet leader Mikhail Gorbachev already considered industrial espionage a key element for economic survival and for the restructuring of the country. This became explicit after the dissolution of the USSR, so that in accordance with its legal basis ([3]), the objective of Russian intelligence has been to gather information in the political, economic, military, scientific, technical and ecological fields to support the economic development and the scientific-technical and military progress of the Russian Federation; the GRU has even been entrusted with the acquisition of military, political-military, technological-military and economic-military information. In other words, Russia is concerned about its defense, both military and economic, from the Soviet era (according to Mitrokhin’s information) to the Russia of the end of the last century. Something, on the other hand, completely logical in any modern country. [Read more…]

The Russian ICC (XIV): The intelligence ecosystem. Cybercrime

The relations of the Kremlin (and, by extension, of its intelligence services) with “classic” organized crime, with the Russian mafias, are a more or less proven fact. Without going any further, in documents leaked by WikiLeaks the Spanish prosecutor José Grinda directly links the Russian mafia with the country’s intelligence services.

But beyond these WikiLeaks leaks and their degree of reliability, in public reports (in this case, by the prosecutor himself) this relationship has been officially and openly stated [1], verbatim: “[…] part of the FSB, which has implemented an organized crime regime in certain spheres of Russian power through increased control of organized crime, a thesis that was already supported by the late Litvinenko”. In other words, Alexander Litvinenko’s thesis that the Russian services completely control the country’s mafia groups, obtaining mutual benefit from this relationship, is taken as given.

Let us remember that Litvinenko, a former agent of the KGB and the FSB, was murdered with polonium-210 after his harsh criticism of the FSB and its activities outside of any legislation, a murder for which the UK attempted to extradite former FSO officer Andrey Lugovoy, who happens to enjoy immunity in Russia as a member of the Duma. An excellent account of Litvinenko’s story, and of his special collaboration with the Spanish justice system and services, can be found in [2].

It is to be expected that the relations of the Russian services with organized crime, whose origins we already traced in the post of this series on the intelligence ecosystem, extend into the field of technology, into what we call cybercrime, or organized cybercrime; always hypothetically, of course … In fact, officially it is the opposite: the FSB, within its police powers, has a mandate to act against cybercrime, and according to some analysts its 16th Directorate, which we have already discussed in previous posts, has even displaced the well-known Directorate K of the Russian Ministry of the Interior ([6]), which officially investigates cybercrime and illegal technology-related activities in Russia. Let us also remember that this FSB Directorate has CNA capabilities, which may be activated against cybercriminals whenever it suits Mother Russia … in any case, at least on paper, the two Directorates of both agencies complement each other perfectly in their activities against technology-related crime ([3]).

It is a fact that the Russian government, through both the FSB and the Directorate K of its Ministry of the Interior, has taken steps to combat criminal activity on the Internet, although it is also true that such efforts have focused more on activities that have harmed Russian interests than on activities originating in Russia that have harmed foreign interests.

As an example, [10] analyzes some of the press releases published by the FSB in 2016 in this regard: in total, three notes worth reporting:

  • The arrest of an organized Russian group that had stolen several million euros from Russian banks (June).
  • The discovery of malicious code (of unspecified origin) that had compromised different Russian governmental, military, research … organizations (July).
  • The warning to the Russian government and citizenship regarding massive cyberattacks against their infrastructures from foreign services, an attack that ultimately did not occur or was completely mitigated by Russian capabilities (December).

As we can see, the main actions were aimed at protecting Russia and its interests (obviously, by the way) rather than collaborating with third parties to mitigate problems originating in Russia; but it is also public knowledge (without an official press release) that in November of last year the FSB detained the group behind the banking malware Dyre, of Russian origin but with victims from almost all over the world … except Russia.

The last of the Service’s most notorious activities during the past year, also without an associated press release, was the arrest in December of Sergey Mikhaylov and Ruslan Stoyanov, both related in one way or another, past or present, to government units specialized in the fight against cybercrime, although the detention does not seem to be related to that fight: the official accusation speaks, quite simply, of “treason”, which can be interpreted in many ways (some even point to collaboration with the CIA or FBI), not all of them favorable to the idea that the Russian authorities are interested in combating crime on the RuNet.

Historically, Russia has been the cradle of very high technical capabilities, capabilities that can be used for good or for bad. We spoke in an earlier post about how the Russian services built relations with their intelligence ecosystem and about the situation experienced at the end of the last century. Extrapolating this situation to the cyber sphere, it is easy to understand how Russian technical skills can be readily oriented towards illegal business, towards what we call cybercrime: from spam or phishing to child pornography, through the forgery and sale of official documents. A general review of Russian cybercrime can be found in [11].

And as for the relationship between intelligence and organized crime in this cyber domain, at the end of the last century, in the Moonlight Maze operation, there was talk of possible relations between the FSB and cybercriminals to cover certain activities in which services should not be involved directly.

If we want to talk about Russian cybercrime, it is obligatory to refer to the RBN (Russian Business Network), thoroughly analyzed in [4], perhaps the most complete study on it, where the RBN is defined as “a complete infrastructure for the provision of harmful services”, further indicating that “there is not a single legitimate client in the RBN”; no comment. In short, a provider of solutions for crime, adjusted to the needs of its customers … which disappeared (or not) in November 2007. Chapter 8 of [3] summarizes the curious story of this “disappearance”, in the opinion of many a simple restructuring of the RBN to make its activities less visible. Some of the main operators of the RBN have had close relations with the Russian services: it is public knowledge that at least one of them, Alexandr Boykov, was a lieutenant colonel of the service ([5]).

In addition, some analysts defend the existence of a symbiotic relationship between the RBN, patriotic hackers and the Russian government or services ([8], [9], works already referenced in previous posts in this series). This relationship is based on the permissiveness of the government towards criminal activities, provided they are carried out outside Russia, in exchange for the support of the RBN and the patriotic hackers when a situation requires it: Georgia, Estonia … In other words: we will let you work, but do not bother our compatriots; and if we need you, you have to lend us a hand. Remember: nobody says no to the FSB. In fact, some analysts defend the hypothesis that the FSB can commute prison sentences in exchange for active collaboration; in plain terms, it offers those charged with cybercrime their freedom in exchange for “special” jobs (although it is also true that this has been popularly said of many other services).

The last example that has come to light and reveals the close relationship (potential, potential…) between cybercrime and Russian intelligence is perhaps the Yahoo hack of 2014, which according to the US Department of Justice is attributed to the direct collaboration of the FSB with individual actors associated with cybercrime (DoJ press release, [7], published in March 2017). It was an official accusation of relations between Russian services and organized crime groups, coming from nothing less than the US government (with two alleged FSB agents cited with photo, first and last names, Dmitry Aleksandrovich Dokuchaev and Igor Anatolyevich Sushchin, among the FBI’s most wanted in the cyber field), and, as always, with the corresponding official denial from the Russian government.

The FBI also accuses Evgeniy Bogachev, the most wanted cyber-criminal, for whom it offers a reward of three million dollars, not only of activities associated with economic crime (he is the creator of Gameover Zeus and Cryptolocker), but also of possible interference – operated by the FSB – in the US electoral process. Another proof of this potential relationship? Negative information put out by the US government? Who knows … In short, we sense, although we cannot be sure, that there is a direct relationship between cybercrime and the intelligence services in Russia, just as there seems to be a relationship between these services and classic organized crime. Possibly yes, or possibly not, as almost always in this war…

[1] José Grinda González. Regulación nacional e internacional del crimen organizado. Experiencia de la Fiscalía Anticorrupción. Fiscalía General del Estado. España. September, 2015.
[2] Cruz Morcillo, Pablo Muñoz. Palabra de Vor. Espasa, 2010.
[3] Jeffrey Carr. Inside Cyber Warfare: Mapping the Cyber Underworld. O’Reilly, 2011.
[4] David Bizeul. Russian Business Network Study. November, 2007.
[5] Casimir C. Carey III. NATO’s Options for Defensive Cyber Against Non-State Actors. United States Army War College. April, 2013.
[6] Timothy Thomas. Russia’s Information Warfare Strategy: Can the Nation Cope in Future Conflicts?. The Journal of Slavic Military Studies. Volume 27, Issue 1. 2014.
[7] US DoJ. U.S. Charges Russian FSB Officers and Their Criminal Conspirators for Hacking Yahoo and Millions of Email Accounts. March, 2017.
[8] Viktor Nagy. The geostrategic struggle in cyberspace between the United States, China, and Russia. AARMS. Vol. 11, No. 1 (2012) 13–26.
[9] Jeffrey Carr. Project Grey Goose Phase II Report: The evolving state of cyber warfare. Greylogic, 2009.
[10] Filip Kovacevic. Security Threats to Russia: The Analysis of the 2016 FSB Press Releases (Part 3 – Hacking & Other Challenges). January, 2017.
[11] Brian Krebs. Spam Nation: The Inside Story of Organized Cybercrime – from Global Epidemic to Your Front Door. Sourcebooks, 2014.

The Russian ICC (XIII): The intelligence ecosystem. Patriotic hackers

The concept of the patriotic hacker can be understood as the attacker, in the cyber field, whose activities support in one way or another his country in a real conflict, directed against the enemy of the state ([1]). Along with China, Russia has been perhaps one of the countries that has most empowered these groups, active for years in conflicts such as Kosovo (1999), Estonia (2007) or Georgia (2008). In Spain, if there has ever been something similar, and in any case not state sponsored, it could be linked to small actions on the network against the environment of ETA after the murder of Miguel Ángel Blanco (1997), perhaps halfway between hacktivism and patriotic hacking (this would make for an interesting debate), but in any case very far from the activities of patriotic groups in other conflicts or countries.

In Russia, different groups have been identified that could be called Kremlin-related (from the Chaos Hackers Crew in 1999 to Cyber Berkut, active in the conflict with Ukraine), groups that have focused their activities on defacements and, in particular, on DDoS attacks against targets considered contrary to Russian interests. On each of the operations of these groups there is literature and more literature. An excellent summary of the most notorious can be found in [8]. As early as 1994, in the First Chechen War, some patriotic groups used the incipient web for PSYOP, at that time with a Chechen victory, a victory that would change sides later (1999) in the Second Chechen War ([3]). Years later, in 2007, Russia launches a cyber-attack against Estonia that stops the operation of the online banking of the main Estonian banks, blocks access to the media and interrupts communications of the emergency services ([4]); but there are no deaths or injuries on either side, unlike what happens a little later (2008) in Georgia, where there is a hybrid attack – the first known case in history – consisting of cyber-attacks and an armed invasion. A conflict in which different groups arise that encourage attacks – in particular, DDoS against the websites that support the opposite side. These denial attacks differed from those launched against Estonia: not only did they inject large volumes of traffic or requests against the target, but they also used more sophisticated techniques, such as certain SQL statements that introduce additional load on the target, thus amplifying the impact caused.

At about the same time as Georgia, Lithuania gets its turn, also in 2008 and, as in Estonia, in response to political decisions that its Russian neighbors do not like. In this case the Lithuanian government decides to remove the communist symbols associated with the former USSR, which causes denial of service attacks and defacements of web pages that placed the hammer and sickle on them. A few months after the actions in Lithuania, attacks on Kyrgyzstan begin, already in 2009 and again after political decisions that the Russians do not like, this time regarding the use of an air base in the country by the Americans, key to the American deployment in Afghanistan. In this case they were DDoS attacks against the major ISPs of the country, which further degraded the already precarious Kyrgyz infrastructures, originating from Russian addresses but, according to some experts, with much more doubt in the attribution than other attacks of the same type previously suffered by other countries. Also in 2009, Kazakhstan, another former Soviet Republic – and therefore of prime interest to Russian intelligence – suffers DDoS attacks following statements by its President criticizing Russia.

Finally, as early as 2014, Ukraine becomes another example of a hybrid war, as happened in Georgia years before, and an excellent example of the Russian concept of information warfare, with attacks not only by DDoS, but especially by disinformation through social networks: VKontakte, supposedly under the control of the Russian services (we spoke before about their relationship with companies, technological or not), is the most used social network in Ukraine, which offers an unbeatable opportunity to put this disinformation into practice ([6]). For different reasons, including the duration of the conflict itself, Ukraine is an excellent example of the role of patriotic hackers on both sides (Cyber Berkut on the Russian side and RUH8 on the Ukrainian side), supporting traditional military interventions and putting into practice information warfare, psychological operations, DDoS, attacks on critical infrastructures …

The presence and operations of Russian patriotic hackers seem indisputable. The question is what relationship these groups and their actions have with the Kremlin and its services, if any, and the degree of control the Russian government may have over them … and even their relationship with other actors of interest to Russian intelligence, such as organized crime, which we will discuss in the next post of the series. Actions such as those executed against Ukrainian servers in 2014 by Cyber Berkut showed TTPs very similar to those previously used in Estonia or Georgia, which would link these actions not only to properly organized groups, but would also point to a possible link with the Kremlin, following the hypothetical attribution of those earlier actions to the Russian government ([2]). In [9] an interesting analysis is made of the relationship between patriotic hackers, cybercrime and Russian intelligence during the armed conflict with Georgia in 2008. In addition, in the tense relations between Russia and Georgia, there is another hypothetical proof, especially peculiar to say the least, of the link between attacks, patriotic hackers and Russian services: in 2011, the Georgian government CERT ([7]), faced with a case of allegedly Russian espionage, decides to voluntarily compromise a computer with the malware used by the attackers, place a lure file on it and in turn trojanize said file with remote control software. When the attacker exfiltrated the file from the honeypot, the CERT was able to take control of his computer, recording videos of his activities, taking captures from his webcam and analyzing his hard disk, on which emails were supposedly found between a controller – from the FSB, so the evil tongues of some analysts say, who knows … – and the attacker, exchanging information on targets and information needs, and instructions on how to use the harmful code.

Regardless of the relations of the Russian services with groups of patriotic hackers, the infiltration of or the degree of control over them, what is certain is that in certain cases the FSB has publicly refrained from exercising its police duties to prosecute activities of Russian patriotic hackers that are, a priori, criminal: in 2002, Tomsk students launched a denial of service attack against the Kavkaz-Tsentr portal, which hosted information on Chechnya that was inconvenient for the Russians. The local FSB office issued a press release in which it referred to these actions of the attackers as a legitimate “expression of their position as citizens, worthy of respect” ([5]). And what is indisputable is that after decisions made by a sovereign government that may be contrary to the interests of the Russian government, or simply to its opinion, that government suffers more or less severe attacks – depending on the importance of that decision – against its technological infrastructures, at least in areas especially relevant to Russian intelligence and government such as the former Soviet Republics. Attacks that are, of course, difficult to reliably link to the Russian government or to the patriotic hackers of that country, but which occur in any case.

Finally, one more detail: Russian patriotic hackers have not only executed actions against third countries, but have also operated within the RUNet. One of the best-known cases is that of Hell, acting against Russian liberal movements: opponents of the government, journalists, bloggers … and of whom there have been signs of a connection with the FSB (let’s remember, internal intelligence), specifically with the CIS of this service. In 2015 Sergei Maksimov, allegedly Hell, is tried and convicted in Germany for falsification, harassment and information theft. Although facing three years in prison, the sentence imposed is minimal. Was Maksimov really Hell? Were there any links between this identity and the FSB? Was Hell part of the FSB itself, unit 64829 of this service? We do not know, and probably never will, just as perhaps we do not know whether Nashi, a patriotic youth organization born under the protection of the Kremlin – this we do know, as it is public – organized DDoS attacks not only against Estonia in 2007, but also against Russian journalists opposed to Putin’s policies, and also tried to turn to journalists and bloggers for their support in anti-deposit activities in the Russian government … at least that is what the emails stolen by Anonymous – allegedly, as always – from Kristina Potupchik, spokesperson for Nashi at the time and later “promoted” to Internet project manager of the Kremlin, say (this is also public).

[1] Johan Sigholm. Non-State Actors in Cyberspace Operations. In Cyber Warfare (Ed. Jouko Vankka). National Defence University, Department of Military Technology. Series 1. Number 34. Helsinki, Finland, 2013.
[2] ThreatConnect. Belling the BEAR. October, 2016.
[3] Kenneth Geers. Cyberspace and the changing nature of warfare. SC Magazine. July, 2008.
[4] David E. McNabb. Vladimir Putin and Russian Imperial Revival. CRC Press, 2015.
[5] Athina Karatzogianni (ed.). Violence and War in Culture and the Media: Five Disciplinary Lenses. Routledge, 2013.
[6] Andrew Foxall. Putin’s Cyberwar: Russia’s Statecraft in the Fifth Domain. Russia Studies Centre Policy Paper, no. 9. May, 2016.
[7] CERT-Georgia. Cyber Espionage against Georgian Government. CERT-Georgia. 2011.
[8] William C. Ashmore. Impact of Alleged Russian Cyber Attacks. In Baltic Security and Defence Review. Volume 11. 2009.
[9] Jeffrey Carr. Project Grey Goose Phase II Report: The evolving state of cyber warfare. Greylogic, 2009.

Image courtesy of Zavtra.RU