The Russian ICC (X): the intelligence ecosystem

We cannot conceive of the Russian intelligence community described in this series as a mere set of services dependent on political or military power. The degree of penetration of these services throughout Russian society is very high, both officially and unofficially. It is no secret that former KGB or FSB officials occupy positions of responsibility in politics or in the country’s big companies. As a curiosity, in 2006 it was reported that 78% of the country’s top 1,000 politicians had worked for the Russian secret services [1]. So much so that these profiles have a name of their own: siloviki, a term that roughly means “people in power”. And it is no secret who the best-known of the siloviki is: Vladimir Putin, President of the Russian Federation, a KGB agent in the Soviet era and later Director of the FSB.

To understand this degree of penetration of Russian intelligence into certain organs of power, it is necessary to go back to the 1990s in particular. The break-up of the Soviet Union left Russia in a chaotic situation, with high unemployment and poverty rates. Many people had lost their jobs – among them, it is estimated, 40% of the KGB [2] – and the easy way out for these citizens was, obviously, illegal. Many former members of the security forces, the army or the intelligence services ended up swelling the ranks of organized crime groups, or working in the legal or illegal protection of oligarchs or mafia leaders. This transfer of specialized personnel to organized crime groups was not only a means of survival for these people, but also a considerable reinforcement of these groups, both in volume and in quality: thanks to these new signings, many of them went from being small, unspecialized groups that used basic intimidation techniques to perfectly organized mafia groups, with better human and material resources and highly specialized tactics. And, above all, with better relations with the Russian security, defense or intelligence services, the cradle of a good part of the mafia groups’ new personnel.

In this convulsive situation, organized crime seemed to be the most stable business; for example, the number of homicides in 1995 had tripled compared with the 1988 figures. When the Russian Government began to privatize state enterprises and services, organized crime groups, with a lot of money and power, saw the opportunity to position themselves in these, which automatically not only increased their economic power but also placed the mafias in the front line of political power.

Let us recapitulate: organized crime maintained a close relationship with the security and intelligence services, since many of its members came from them, and also with the large privatized companies, and therefore with national politics. A perfect combination to become a key piece for the country. The Russian Government was aware that, in order to return the country to a situation of relative normality, organized crime had to be reckoned with. So much so that in 1994 Boris Yeltsin went as far as calling Russia “the greatest mafia state in the world”.

But Vladimir Putin’s arrival in government in 1999 tried to change this situation, with two objectives: to return control of the strategic assets to the state, and to let the world know that the state controlled these assets again – and that, therefore, Russia was a world power, as the USSR had been. He takes control of the main companies and command posts away from oligarchs and criminals and places in them former officers of the KGB or of its successor, the FSB, confident that they all identified with the same Mother Russia we have already spoken about in this series.

With a dose of heavy-handedness, Vladimir Putin achieves his goal and largely removes organized crime from the country’s strategic positions; but the power acquired by the mafia groups during the 1990s was too great, and trying to eliminate their activities altogether could even destabilize Russia [2], so Putin had to be content with removing them from these strategic positions while tacitly allowing them to continue their illegal business.

Let’s look at the big spider web: Russian intelligence maintains connections with organized crime, gained in the 1990s, and a widespread penetration of the country’s political (government) and economic (strategic enterprises) circles of power, gained in the first decade of this century. With this degree of infiltration into the circles of power, Russian intelligence achieves two clear objectives: cover and control (or collaboration, depending on the degree required in each case). This has been the case since the Soviet era and it is – coincidentally or not – in the Russian. In fact, until recently a high percentage of senior Russian government officials were siloviki, although under Medvedev this percentage has been reduced and the siloviki have lost some of their power in politics, even if they still constitute a relevant lobbying group (or several, as there are several “families” of siloviki). With the election of Medvedev as Russian Prime Minister, Putin reinforced the liberals (economists and lawyers, many of them from St. Petersburg) against the siloviki, headed by Sergei Ivanov, who was granted the Presidential Executive Office; an interesting move between two opposing clans that from that moment on have almost a single point of contact: President Putin himself.

In addition to these circles of power, the Russian services are closely related to citizen movements and even to the Russian Orthodox Church; although we are not going to describe this last relation – we are focusing, or trying to, on the cyber environment – it is a good indication of how broad the social penetration of intelligence in Russian society is. And we will see that this penetration is not restricted to classical intelligence, but is automatically extrapolated to the cyber domain.

The relations of the Russian services with some of these actors are generally protected by law and can at most raise ethical objections; in “unofficial” relationships, however, legality is more than doubtful, not only with organized crime (in our case, organized cybercrime) but also with movements like patriotic hackers, which have launched real offensive campaigns against the Russian homeland, perhaps covered by the country’s own services…

In the next entries we will review the relations of the Russian intelligence community, described previously, with the different actors relevant to that community, which allow it to increase its control and its capacity to act, especially unofficially.

References
[1] Alexander Klimburg, Heli Tirmaa-Klaar. Cybersecurity and cyberpower: concepts, conditions and capabilities for cooperation for action within the EU. Directorate-General for External Policies of the Union. Directorate B. Policy Department. European Parliament, 2011.

[2] Fred Burton, Scott Stewart. Russia and the Return of the FSB. Stratfor Security Weekly. April, 2008.

The Russian ICC (IX): APT groups

We have talked so far about the main services that make up the Russian intelligence community in its cyber domain, and in successive posts we will continue to describe the rest of the complex Russian ecosystem, but: where are the allegedly Russian APTs? Groups known to everyone, such as APT28 (FancyBear, Sofacy…) or APT29 (CozyBear, The Dukes…), must be somehow related to this community… if they are not part of it, right?

These groups, APT28 and APT29 (we will call them that, although we take the opportunity to ask for an ISO standard for naming APT groups, each of which has a dozen names), are undoubtedly the best known in the Russian panorama, described by FireEye in [5] and [6]. So, are they units of one of the Russian services listed above? Are they mercenaries who sell their work to the highest bidder? Are they organized groups that provide information in exchange for impunity? Are they the result of false flag operations by a third party? We neither know nor may ever know… However, even if certainty is impossible, in this post we will evaluate, or at least try to (remember that attribution is always hypothetical; that’s why we like it so much ;) ), some of the elements that allow us to relate these groups to the Russian services. There are more supposedly Russian groups, such as Turla; we’ll talk about them in another post…

APT28 and APT29

The first question we need to ask about these groups is whether they are really Russian; most technical indicators say they are: from the compilation dates and times of their arsenal, which largely coincide with working hours in Moscow and Saint Petersburg, to the encoding and languages used in a good part of their artifacts. However, here we run into the great problem of attribution: we approach it from the artifacts left, voluntarily or involuntarily, by the attacker. Can a man from Cuenca know Russian – even colloquial Russian –, change the clock of his machine so that it matches the schedule we referred to, or configure his system in Russian? Without any problem. Could these groups be from Cuenca, then? Of course.
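As an added illustration (not code from the original post), the following Python script shows how the working-hours indicator mentioned above is computed from compile timestamps and why it carries little weight on its own: it scores every UTC offset against a Monday-to-Friday, 09:00-18:00 working week, and it discards zeroed or future timestamps, the first sign that a header was tampered with. The timestamps are constructed for the example and belong to no real sample; the June 2016 week and the collection cutoff date are assumptions.

```python
"""Working-hours analysis of compile timestamps (added example; constructed data, no real samples)."""
from datetime import datetime, timedelta, timezone

WORK_START = 9    # 09:00 local time, inclusive
WORK_END = 18     # 18:00 local time, exclusive


def constructed_samples():
    """Constructed corpus of IMAGE_FILE_HEADER.TimeDateStamp values (Unix seconds, UTC):
    one build per hour from 09:00 to 17:00 Moscow time (UTC+3), Monday to Friday of one
    week in June 2016 (an assumed week), plus two outliers: a Sunday 03:00 build and a
    zeroed timestamp, as found in stripped or deliberately altered headers."""
    msk = timezone(timedelta(hours=3))
    monday = datetime(2016, 6, 13, tzinfo=msk)          # 13 June 2016 is a Monday
    stamps = []
    for day in range(5):
        for hour in range(WORK_START, WORK_END):
            stamps.append(int((monday + timedelta(days=day, hours=hour)).timestamp()))
    stamps.append(int((monday + timedelta(days=6, hours=3)).timestamp()))   # Sunday 03:00
    stamps.append(0)                                                        # zeroed header
    return stamps


def plausible(ts, collected_before=datetime(2017, 1, 1, tzinfo=timezone.utc)):
    """A zero timestamp, or one later than the date the sample was collected (assumed
    here to be 1 January 2017), cannot be a genuine build time: it hints that the header
    was altered, and it must not be counted."""
    return 0 < ts < int(collected_before.timestamp())


def working_hours_ratio(timestamps, utc_offset_hours):
    """Fraction of plausible timestamps that fall Monday-Friday, WORK_START-WORK_END,
    in the local time of the given UTC offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    usable = [ts for ts in timestamps if plausible(ts)]
    if not usable:
        return 0.0
    hits = 0
    for ts in usable:
        local = datetime.fromtimestamp(ts, tz)
        if local.weekday() < 5 and WORK_START <= local.hour < WORK_END:
            hits += 1
    return hits / len(usable)


def best_fit_offset(timestamps):
    """(offset, ratio) for the UTC offset whose working week explains the most builds;
    ties are broken towards the offset closest to UTC."""
    scores = {off: working_hours_ratio(timestamps, off) for off in range(-12, 15)}
    best = max(scores, key=lambda off: (scores[off], -abs(off)))
    return best, scores[best]


if __name__ == "__main__":
    corpus = constructed_samples()
    off, ratio = best_fit_offset(corpus)
    print(f"best fit: UTC{off:+d} ({ratio:.0%} of plausible builds in working hours)")
    for off in (2, 3, 4):
        print(f"UTC{off:+d}: {working_hours_ratio(corpus, off):.0%}")
```

With the constructed corpus the best fit is UTC+3, the Moscow and Saint Petersburg offset, but UTC+2 and UTC+4 score almost as well: that narrow margin is exactly what a builder who sets the clock deliberately can play with, so the result is one weak indicator to be weighed against the others, never an attribution by itself.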

Although the technical indicators are easily altered, they are what we have to work with; in both APT28 and APT29, analysts identify not a man from Cuenca but a structured group with separate responsibilities and established development methodologies… something we could call a malware factory. That is to say, a powerful organization is identified behind them, an organization that could be an independent group, a unit of a particular service, a company… from Moscow, St. Petersburg or Cuenca.

Information needs, and therefore the objectives of these groups, are more difficult to falsify than purely technical indicators (careful: not impossible, though); in the case of these groups, their victims are compatible with the information needs of the Russian government, which will be discussed in detail in this series of posts, both geographically and operationally. Falsifying this would be much more costly for a third party – we insist, but NOT impossible when we speak of an actor with many capabilities, such as a state; therefore, if the technical indicators point to Russia, the targets and victims point to Russia and the information needs reflected coincide with the supposedly Russian ones ([8]), the probability that APT28 and APT29 have Russian roots is HIGH. Can we confirm it 100%? Of course not.

TTP

The usual tactics, techniques and procedures associated with APT29 involve phishing directed at the victim, with a link in the mail to download a dropper that, when executed, in turn downloads a RAT; APT28, on the other hand, works more through the creation of fraudulent web pages similar in appearance to those of its targets, with domain names close to the legitimate ones, for credential theft. The APT28 arsenal is based mainly on the exploitation of Microsoft and Adobe products, as is that of APT29, in both cases because of the popularity of these environments and therefore the success of their exploitation; however, APT28 uses more vulnerabilities without known exploits than APT29 ([2]) and its catalog is much larger than the latter’s, which could imply both more resources and more experience in the cyber domain on the part of APT28 than APT29; APT29, on the contrary, is very discreet and aims at very high persistence. In any case, both groups are technically excellent and their catalogs of vulnerabilities rarely overlap, denoting the separation (and competition) between the two, which would be compatible with the separation (and competition) of the Russian services we have already mentioned in this series of posts. In addition, some of the vulnerabilities exploited by APT28 and APT29 in their campaigns are also exploited by groups linked to cybercrime ([2]), which could be anything from a distraction maneuver to something that reinforces the theory of close links between the Russian cyber-intelligence community and other actors in its environment, as discussed later in this series of posts.
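As an added example (not the post’s own code, nor any vendor’s), the following Python screening routine shows the defensive side of the credential-theft technique attributed above to APT28: given an organization’s legitimate domains, it flags candidate domain names seen in DNS or mail logs that are a homoglyph substitution, a couple of typos away, or the legitimate name embedded under someone else’s registrable domain. All domain names are constructed; the “last two labels” rule for the registrable domain is a simplifying assumption (a production tool would use the Public Suffix List).

```python
"""Lookalike-domain screening (added example; constructed domain names, not real ones)."""
import unicodedata

# Characters commonly swapped for look-alikes in phishing domains. Non-exhaustive and
# constructed for this example; the Cyrillic entries are letters often mixed into Latin names.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
}
MULTI_CONFUSABLES = [("rn", "m"), ("vv", "w")]


def skeleton(name):
    """Fold a name to what a human reads: lowercase, NFKC, confusable characters mapped."""
    s = unicodedata.normalize("NFKC", name.lower())
    s = "".join(CONFUSABLES.get(ch, ch) for ch in s)
    for seq, rep in MULTI_CONFUSABLES:
        s = s.replace(seq, rep)
    return s


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute), classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain):
    """Registrable part of a domain. Assumption: the last two labels; a real tool would
    consult the Public Suffix List so that names such as example.co.uk are handled."""
    labels = domain.strip(".").lower().split(".")
    return ".".join(labels[-2:])


def classify(candidate, legit_domains, max_distance=2):
    """Return (verdict, reason). Verdicts: 'legitimate', 'lookalike', 'clean'."""
    cand_reg = registrable(candidate)
    legit_regs = {registrable(d) for d in legit_domains}
    if cand_reg in legit_regs:
        return "legitimate", cand_reg
    for legit_reg in legit_regs:
        # 1. identical once confusable characters are folded: homoglyph substitution
        if skeleton(cand_reg) == skeleton(legit_reg):
            return "lookalike", "homoglyph"
        # 2. within a couple of edits of the legitimate registrable name: typosquat
        if levenshtein(skeleton(cand_reg), skeleton(legit_reg)) <= max_distance:
            return "lookalike", "typo"
        # 3. legitimate name reused as a subdomain, or inside the other party's own name
        legit_sld = legit_reg.split(".")[0]
        if len(legit_sld) >= 5 and legit_sld in skeleton(candidate):
            return "lookalike", "embedded"
    return "clean", None


def screen(candidates, legit_domains):
    """Classify every candidate; returns {candidate: (verdict, reason)}."""
    return {c: classify(c, legit_domains) for c in candidates}


if __name__ == "__main__":
    LEGIT = ["example-ministry.gov", "webmail.example-ministry.gov"]   # constructed
    SEEN = [                                                              # constructed
        "webmail.example-ministry.gov",
        "examp1e-ministry.gov",
        "\u0435\u0445ample-ministry.gov",          # Cyrillic е and х in place of e and x
        "exampel-ministry.gov",
        "webmail.example-ministry.gov.attacker-example.net",
        "unrelated.org",
    ]
    for name, (verdict, reason) in screen(SEEN, LEGIT).items():
        print(f"{name:55} {verdict:11} {reason or ''}")
```

The three rules are deliberately cheap so they can run over every new domain seen in resolver logs or certificate transparency feeds; a hit is a lead for the analyst (who owns the domain, when was it registered, does it serve a login page), not a verdict, and the distance threshold should be tuned on the organization’s own names to keep false positives manageable.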

In both cases, work methodologies, technical capabilities, operational infrastructure and operational security (OPSEC)… indicate that APT28 and APT29 are not individual attackers or poorly organized groups, but groups with a considerable amount of resources, stable over time and with a perfectly defined structure and operation. Supported by a state? A direct part of said state? In [8] we find an excellent analysis. The probability is HIGH, since few organizations can have these capabilities, but, as always, we cannot confirm it with certainty.

Goals

Among the targets of APT28 are sectors such as aerospace, defense, energy, public administrations and media (remember the handling of information in Russian strategies and doctrines), with particular attention to Ministries of Defense and to organizations in the previous sectors linked to the military environment ([1]), which coincidentally reflect the interests of Russian military intelligence. In [5], the report in which FireEye identifies this group as APT28, some of the targets – and of the victims – of APT28 are detailed, emphasizing their operational interest in areas close to the military and, in addition, their interest in controlling information on issues relevant to Russia, somewhat aligned with the broad concept of Russian information warfare we have referred to in previous posts. APT28 does not engage in intellectual property theft; in addition, the compromised countries correspond to the main Russian geopolitical interests – which we will comment on in future posts – and the targets are compatible both with the Russian origin of the group and with its possible proximity to the military sphere; in other words, APT28 and the GRU share information needs and objectives, so maybe, just maybe, they have some kind of relationship. Is APT28 a GRU unit? We do not know. Is it an external group paid by the GRU? We do not know. Is it a group from Cuenca? We do not know…

On the other hand, APT29 broadens the targets of its competitor, partially disconnecting them from the military to focus not only on this but also on sectors such as pharmaceuticals, finance or technology, to mention just a few examples, as well as on NGOs and even criminal organizations ([7]). This last element is very significant, since it could reflect the police attributions, and thus the information needs, of the Russian FSB, while the attacks on different NGOs imply – or may imply – political, economic or information control interests. In line with a service like the FSB… or in line with a false flag operation from Cuenca.

A recent example

Undoubtedly, the most recent and most talked-about case of alleged compromises by Russian APTs, this time by both APT28 and APT29, is that of the US Democratic National Committee (DNC) in 2016 and its potential influence on the results of the election campaign, an incident described to perfection in [3]; CrowdStrike revealed the presence of both groups in DNC systems, with greater persistence by APT29, and exposed the competition between these groups: they do not share TTPs, nor vulnerabilities, nor resources… but sometimes they share targets. To the technical elements for attribution to the Russian services, analyzed by companies like the one above (and later reinforced by others such as FireEye or Fidelis), is added the surprise appearance of Guccifer 2.0, a presumably false identity (a sockpuppet) compatible with Russian military doctrine and completely aligned with the broad concept of information warfare we have already mentioned, which includes deception, disinformation, etc. An excellent analysis of this sockpuppet and its potential relationship with a GRU false flag operation can be found in [4].

Conclusions

We have seen in this post that everything indicates that APT28 and APT29 are of Russian origin and possibly have the support of a government for their activities, two hypotheses of HIGH probability. The information needs of both groups are compatible with the information needs of the Russian government, and their targets also coincide with the concerns of the Russian government in different areas. They do not share intelligence or arsenals, which would be compatible with the separation of the different Russian intelligence services if APT28 and APT29 were linked to some of them, but they do share targets: the final result, intelligence, would be of higher quality. According to different analysts, APT28 may be related to Russian military intelligence, the GRU, while APT29 would be related to the FSB. It may be so. Or maybe not. Many times one comes to the conclusion that names like APT28, PawnStorm, APT29, Snake… are just the elegant way we have of saying FSB, GRU, FSO… when we do not have enough evidence to confirm the involvement of these services in certain operations. In any case, whether APT28 really corresponds to a unit of the GRU and APT29 to a unit of the FSB (or vice versa, as argued in [9]) is something that we, of course, do not know for sure, nor do we think we can know in the short term: everything is a hypothesis. Perhaps, right now, there is a man in Cuenca, very smart and organized, with many resources, listening to Radio Moscow to perfect a foreign language and configuring his computer with the St. Petersburg time zone while laughing at all the analysts of the world.

References

[1] Dmitri Alperovitch. Bears in the Midst: Intrusion into the Democratic National Committee. CrowdStrike. June, 2016. https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/
[2] RFSID. Running for Office: Russian APT Toolkits Revealed. August, 2016. https://www.recordedfuture.com/russian-apt-toolkits/
[3] Eric Lipton, David E. Sanger, Scott Shane. The Perfect Weapon: How Russian Cyberpower Invaded the U.S. New York Times. December, 2016. http://www.nytimes.com/2016/12/13/us/politics/russia-hack-election-dnc.html
[4] Thomas Rid. All Signs Point to Russia Being Behind the DNC Hack. Motherboard. July, 2016. http://motherboard.vice.com/read/all-signs-point-to-russia-being-behind-the-dnc-hack
[5] FireEye. APT28: A window into Russia’s cyber espionage operations? FireEye. October, 2014. https://www2.fireeye.com/apt28.html
[6] FireEye. HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. FireEye. July, 2015. https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf
[7] F-Secure. THE DUKES. 7 years of Russian cyberespionage. F-Secure. September, 2015. https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf
[8] Jen Weedon. Beyond ‘Cyber War’: Russia’s Use of Strategic Cyber Espionage and Information Operations in Ukraine. Kenneth Geers (Ed.), Cyber War in Perspective: Russian Aggression against Ukraine. NATO CCD COE Publications. Tallinn. 2015.
[9] Malcolm Nance. The plot to hack America: How Putin’s cyberspies and WikiLeaks tried to steal the 2016 election. Skyhorse Publishing, 2016.

Image courtesy of Indian Strategic Studies.

The Russian ICC (VIII): GRU

The only major Russian service which, as we have indicated, is not a direct heir of the KGB is the GRU (Glavnoye Razvedyvatelnoye Upravlenie), military unit 44388, whose aim is to provide intelligence to the Ministry of Defense, the military leadership and the Russian armed forces as a whole. This service is dedicated to military intelligence, from the strategic to the operational level, working not only in the strict sense of defense but also encompassing other aspects such as politics or the economy linked to the military sphere, and especially foreign intelligence – sometimes together with the SVR. Since 1996 it has also been entrusted with the mission of acquiring information on ecology and the environment. To carry out these tasks the GRU has all kinds of capabilities, from IMINT to HUMINT, through OSINT and, of course, SIGINT, capabilities that give it a sphere of action and international influence and allow the GRU to “act in any point of the world where the need might arise”, according to statements by General Valentin Vladimirovich Korabelnikov in an interview granted in 2006, when he was Director of the GRU.

The GRU is undoubtedly the most opaque of the Russian services and arguably the best of them; it is a group that retains certain Soviet reminiscences – remember that it survived the KGB – and even considers other services such as the FSB “westernized”. As a matter of curiosity, the GRU recruits its agents among the “proletarian” classes, preferably personnel without knowledge of languages, and among its supposed tasks is burying weapons in hostile territory to be able to use them in case of conflict. It does not have a counterintelligence service (a function carried out by the FSB), a press office (in fact, the GRU is no more than a General Directorate within the Russian Ministry of Defense) or an official website ([1]). Thanks to its working methods, it is the intelligence service that has had the fewest defectors in Soviet and Russian history.

The GRU was directed by General Igor Sergun until January 2016, but after the sudden death of the General (nothing mysterious, just a heart attack), General Igor Korobov has been in command since February 2016. Both are Lieutenant Generals, three stars, as opposed to the Army Generals of the FSB or the FSO. Although the GRU’s personnel and budget data are obviously classified, it is estimated that more than 25,000 staff make up this service. As for its annual budget, no significant information has been found in public sources, the data always being hidden in the general budgets of the Russian Ministry of Defense.

As indicated, the GRU is a General Directorate of the Russian Ministry of Defense. It is structured in fifteen Directorates ([2]), with the GRU’s cyber capabilities concentrated in the Second Directorate and the Sixth Directorate, as well as in the Eighth Department, responsible for the security of the GRU’s internal communications. The Sixth Directorate is responsible for electronic intelligence, and historically it has been an active group in this area, operating signal interception stations from Cuba to Vietnam, passing of course through the GRU’s legal residencies in different countries. Apparently this GRU Directorate has the capabilities closest to what we call CNO, especially in the military field, and is capable of intercepting signals information around the world. This Sixth Directorate is composed of at least four divisions ([3]): the First Division is dedicated to SIGINT (the GRU Decryption Service is framed within it) and the Second to ELINT, while the Third Division is responsible for the maintenance of the interception equipment and the Fourth is focused on the permanent tracking of signals. The Second Directorate (which includes the GRU Special Forces, Spetsnaz) has seven major divisions, three of which relate directly to SIGINT, encryption and communications security at a more operational level than the Sixth Directorate.

In addition to the GRU, the Russian Ministry of Defense has further capabilities focused on electronic warfare, cybersecurity or computer security, with a complex structure that is detailed in the excellent reference [4], which we have already cited in previous posts in this series. For example, Military Unit 11135, the 18th CRI (Central Research Institute), is the main signals intelligence research capability of the Russian Ministry of Defense, including research and development in wireless devices, SCADA systems or electromagnetic protection systems. Also a research institute is Unit 01168, the 27th CRI, in this case in the field of information technologies and command and control systems.

References
[1] Konstantin Preobrazhensky. GRU: Obscure Part of Russian Intelligence. Journal of Defense Management. Volume 2. Issue 2. March, 2012.
[2] Richard Bennett. Espionage: Spies and Secrets. Virgin Digital, 2012.
[3] Andrew Jones, Gerald L. Kovacich. Global Information Warfare: The New Digital Battlefield. Second edition. CRC Press, 2016.
[4] Jeffrey Carr. Inside Cyber Warfare: Mapping the Cyber Underworld. 2nd Edition. O’Reilly, 2011.

The Russian ICC (VII): FSO

Another of the heirs of the FAPSI is the FSO (Federal’naya Sluzhba Okhrani), identified in [1] as military unit 32152 and headed since May of this year by Major General Dmitry Kochnev (his predecessor, Evgeny Murov, was a General of the Army, two ranks higher, and this is very important in the Russian services). Murov obtained very important FAPSI attributions: with more than 20,000 personnel today (supposedly, since it is classified information, and various sources speak of more than 50,000), the FSO inherited and expanded the KGB’s Ninth Directorate, with responsibility for the protection of governmental “assets” in the broadest sense of the word. For example, the Presidential Security Service (the PBS, Putin’s bodyguards) and control of the famous Russian nuclear briefcase depend on the FSO, as does the operation of a secure network for the transmission of election results, GAS Vybory (information is, obviously, an asset to be protected). Specifically, from a cyber point of view, this service has assumed, among other capacities, those associated with strategic SIGINT, guaranteeing the operation of state systems – especially their protection against foreign services – and the security of national classified information ([2]), which includes presidential communications: the FSO provides secure communications at a very high level, for example between the Kremlin and the main Russian military commanders, giving it enormous power over the control of information…

Spetssvyaz, the Special Information and Communications Service (SSSI), has been framed within the FSO since 2004 (previously it belonged to the FSB), and is currently considered by some analysts to be the Russian equivalent of the US NSA (although the intelligence communities of the two countries are different and therefore the NSA’s attributions are spread among several Russian agencies). This group develops the above-mentioned cyber powers of the Service and includes at least one Directorate for the management of civilian government communications, another for the management of military government communications, a General Directorate for information resources (apparently dedicated to the protection of information itself, in its broadest sense) and another General Directorate for Information Systems ([3]), dedicated to the protection of the systems that handle data. The Director of Spetssvyaz, Alexey Mironov, a young General, is also Deputy Director of the FSO, and was expected to replace Evgeny Murov at the helm of the service after his retirement… until GD Kochnev was appointed to that post; an unexpected and certainly unusual move for many, especially because of Kochnev’s profile…

A curiosity: in 2013 the FSO ordered the purchase of typewriters (yes, typewriters, good old-fashioned ones) after some scandals of alleged data theft by third parties, to avoid information leaks. Another curiosity: Spetssvyaz registers Internet domains openly: kremlin.ru, gov.ru, ру.рф, da-medvedev.ru… Although the fact catches our attention (not only the fact itself, but also some of the registered domains), they are not the only ones who do it: services closer to us follow or have followed the same open philosophy… at least in some cases. We will talk in a later post about certain “curious” domains, near and far from here :)

References

[1] Jeffrey Carr. Inside Cyber Warfare: Mapping the Cyber Underworld. 2nd Edition. O’Reilly, 2011.
[2] President of the Russian Federation. Strategy for the national security of the Russian Federation up to 2020. May, 2009.
[3] Jonathan Littell. The Security Organs of the Russian Federation. A brief history 1991-2005. Post-Soviet Armies Newsletter. Psan Publishing House, 2006.

The Russian ICC (VI): SVR

The SVR (Sluzhba Vneshney Razvedki) was the first heir of the KGB with its own entity, inheriting the attributions of the First Chief Directorate; it is responsible for Russian foreign intelligence, providing the national authorities with intelligence that can benefit Russia in different areas, which have evolved from the military and defense (especially in the 1990s) to the technological, industrial, scientific and economic spheres. To achieve this goal the SVR relies primarily on HUMINT capabilities, both open and clandestine, theoretically depending on the GRU – which we will see in a coming post – for its signals intelligence needs.

In the SIGINT area the SVR works together with the GRU on strategic intelligence (at least in theory, since the rivalry between Russian agencies is well known: remember the “joint” operation by the SVR and the GRU of the SIGINT station in Lourdes, Cuba), as opposed to the more operational intelligence of the FSB; the main objective of the SVR, whatever the discipline used, is the acquisition of information and the development of intelligence about the capabilities, actions, plans and intentions, both real and potential, of third countries against the vital interests of the Russian Federation (including, as we have mentioned, economic ones).


The Russian ICC (V): FSB

As we have indicated in previous posts, the FSB (Federal’naya Sluzhba Bezopasnosti) is the main heir of the KGB and the FAPSI; it is directed by Army General Alexander Bortnikov, and its breadth of responsibilities and power in Russia are undoubtedly marked by Vladimir Putin himself, a former director of the Service who, upon becoming President of the country, greatly strengthened the capabilities of the FSB – and its budget – as well as the presence of former Service members throughout Russian society. The FSB not only works in areas directly associated with intelligence and counterintelligence, but also reaches into aspects such as social or electronic surveillance.

Regarding the cyber domain, the FSB has a wide range of technical and regulatory powers: although it is a service dedicated to internal intelligence, it is authorized to carry out external intelligence actions, theoretically coordinated with the SVR. Among other things, it is responsible for information security at the federal level, something similar to a regular police force, or at least to the information services – under the corresponding name in each case – of a police force. In this area it has operational SIGINT attributions – and, obviously, capabilities – for the interception of communications in the State: since 1995 it has had the legally constituted right to monitor telephone lines, open mail and monitor Internet traffic ([1]). For this purpose the FSB operates the system called SORM, which Russian Internet service providers must facilitate by deploying capabilities that they must also pay for out of their own pocket. This system is operated by an FSB group initially designated UKIB (Computer and Information Security Directorate), Directorate R, heir to the KGB and focused especially on the fight against cybercrime and terrorism. The successor of this Directorate is the Information Security Center (CIS) of the FSB, framed within the Counterintelligence Directorate (SKR), the Second Directorate of the FSB, and also identified as Military Unit (VCh) 64829 or Center number 18. SORM, which we will discuss in other posts as an example of “collaboration” of companies with the Russian intelligence services, deals, as the FSB mainly does, with the interception of data in the “Russian Internet”, where the CIS is responsible for surveillance and counterintelligence, also working closely with Directorate K of the Russian Ministry of the Interior, responsible for combating cybercrime ([2]).

A priori, these CIS surveillance and counterintelligence capabilities should be focused on Russia, without directly impacting the outside of the country; however, even though the FSB, and within it the CIS, are focused on internal intelligence, their actions may be directed not only at that internal focus but also at threats to Russian interests outside its borders, including elements considered to be disturbing according to Russian criteria (this may include attacks on terrorist objectives … or simply political ones), and even with police powers of investigation and prosecution of such elements.

The Center for Electronic Communications Surveillance (TsRRSS), identified as FSB unit 71330 and focused on ELINT, has electronic spying and cyberespionage capabilities (communications interception, decryption …). This Center (number 16) is hypothetically the main offensive capability of the FSB, including operations outside Russia, as opposed to groups such as the CIS, described above and focused especially on defensive and surveillance tasks. Its internal structure is classified, and its responsibilities include the interception and processing of electronic communications.

The Center for Special Communications and Information Protection (TsBISS) provides the FSB with protection against cyberattacks or third-party intrusions. From this Center there have been peculiar (or interesting) initiatives, such as the request to prohibit services such as GMail, Hotmail or Skype in Russia, as their use may constitute a threat to national security. This was a comment by the Center’s director in 2011 which caused a great stir at the time in social networks; but, much more interesting than the relative turmoil over the privacy and freedom of users, was the moment in which it was published, marked by facts as transcendent as the Arab Spring or the Russian legislative elections.

Another interesting group in the cyber environment within the FSB is the Communications Security Center (CBS FSB, VCh 43753), which is part of the Eighth Service Directorate and is responsible for the logical protection of government communications through product accreditation and certification against security standards, a kind of equivalent to the Certification Office of the Spanish CNI. Also in this sense, the TSLSZ (translated approximately as Center for Licensing, Certification and Protection of State Secrets) is the branch of the FSB in charge of enabling organizations to handle classified information, in this case something similar to the attributions of the National Security Office in the CNI.

Finally, as a group with no offensive capabilities, cyber training activities within the FSB are the responsibility of the Institute of Cryptography, Telecommunications and Information Technology (IKSI), in the Service Academy, which trains specialists in cybersecurity not only for the FSB but also for other Russian Services… or for industry.

To summarize this structure, a table of the main groups or centers dependent on the FSB and directly related to SIGINT or CNO is shown below:

Center                                                               ID      Unit   Function
Center for Information Security FSB                                  CIS     64829  SORM; search and surveillance
Center for Electronic Surveillance of Communications FSB             TsRRSS  71330  Attack capability
Center for the Security of Information and Special Communications    TsBISS  N/A    Defense against foreign intrusions
Communications Security Center FSB                                   CBS     43753  Accreditation of products and services
Center for Licensing, Certification and Protection of State Secrets  TSLSZ   N/A    Security clearance
Institute of Cryptography, Telecommunications and Computer Science   IKSI    N/A    Training

References
[1] Roland Heickerö. Industrial Espionage and Theft of Information. In Proceedings of the 14th European Conference on Cyber Warfare and Security. Nasser Abouzakhar (Ed.). University of Hertfordshire. July 2015.
[2] Taia Global. Russian Federal Security Service (FSB) Internet Operations Against Ukraine. Taia Global, 2015.

The Russian ICC (IV): A bit of history: FAPSI

When talking about Russia in the area of cybersecurity or, more specifically, information warfare, we must by force mention the FAPSI (Federal Agency of Government Communication and Information), operative between 1991 and 2003 and considered the Russian equivalent of the US NSA (Roland Heickerö, Emerging Cyber Threats and Russian Views on Information Warfare and Information Operations. FOI, Swedish Defence Research Agency, March 2010), which inherited the attributions and capabilities of the 8th (encryption) and the 16th (decryption and interception) General Directorates of the KGB. Among its functions were cryptography (cryptology and cryptanalysis), the interception of communications and even incident response capabilities as a CERT. In 2003 this powerful agency was dissolved by the Russian government, possibly because of corruption, although it also seems that an agency with more than 50,000 people was becoming a great uncontrollable monster, as the KGB had been at the time. After a transition through the Special Information and Communications Service, an agency heir to the FAPSI that lasted only five months, its attributions were distributed among the four large Russian services: the GRU and the KGB derivatives SVR, FSB and FSO. Each of these services has different attributions, although they obviously share capabilities, information, tactics or interests … or compete among themselves. In fact, in his Putin’s Hydra: Inside Russia’s Intelligence Services (European Council on Foreign Relations, May 2016), Mark Galeotti presents a curious graphic summary of the roles of the Russian intelligence community, from which we then select only the main services – at least in our cyber sphere:

The Russian ICC (III): the Community

Undoubtedly, many people mentally associate Russian intelligence or secret services – to be exact, Soviet ones – with the KGB (Komitet gosudárstvennoy bezopásnosti, Committee for State Security). Unfortunately for the followers of Bond, the KGB, the Soviet-Russian secret service par excellence, was dismantled at the beginning of the 1990s by Mikhail Gorbachev, probably because it had become a powerful monster in terms of attributions, skills and knowledge, but especially for its alleged involvement in the failed coup d’état of August 1991. Its power was distributed mainly among three different agencies: the FSB (Federal Security Service), the SVR (Foreign Intelligence Service) and the FSO (Federal Protection Service), which joined the historical rival of the KGB, the GRU (General Intelligence Directorate), the Russian military intelligence service that survived the fall of the USSR (perhaps because of its support for the Soviet president during the coup, unlike the KGB). SIGINT attributions were concentrated in an agency called FAPSI, equivalent to the US NSA, dismantled in 2003 and whose power, as with the KGB, was distributed among the different Russian services.

After the dismantling of the FAPSI, the four services listed above make up the bulk of the Russian intelligence community from the cyber point of view -at least the official one-, as we will see in this series of posts. An excellent description of this intelligence community, as far as information security, SIGINT or CNO is concerned, can be found in chapter fifteen of the second edition of Jeffrey Carr’s Inside Cyber Warfare: Mapping the Cyber Underworld (O’Reilly, 2011).

To get an idea of the potential of the Russian services it is necessary to talk about their budget. According to open sources (such as Julian Cooper’s The Funding of the Power Agencies of the Russian State. The Journal of Power Institutions in Post-Soviet Societies, Issue 6, 2007, or The Funding of the Power Agencies of the Russian State: An Update, 2005 to 2014 and Beyond. The Journal of Power Institutions in Post-Soviet Societies, Issue 16, 2014), in 2013 the budget for what the Russians call “Security Services” – a concept that includes the FSO, the FSB (except the Border Service) and the SVR – exceeded 4 billion euros. The distribution by service is classified, and obviously the budget of the GRU is included in that of the Russian Ministry of Defense, so it is completely unknown. This money is joined by the more than 300,000 people who work – again, classified data – in the different intelligence services.

To be able to compare these data with other services, here’s a curiosity: the budget corresponding to the CNI is estimated at about 240 million euros, seventeen times less than the Russian one, and its number of employees at about 2,500 people. Of course, comparisons are odious…

The Russian ICC (II). Context: Russia

Before talking about the Russian ICC, we must know that Russia is the largest country in the world and the one with the most kilometers of border (more than 20,000); it has the largest reserves of energy and mineral resources in the world still to be exploited, making it the largest energy superpower, as well as the world’s largest reserve of forest resources, and it also holds a quarter of the world’s unfrozen fresh water.

From a cyber perspective, Russia is alleged to be the only country to have carried out combined (physical and logical) military action against another country (Georgia, August 2008) and to have degraded the critical infrastructure of a third party through a cyber approach (Estonia, 2007). Its military and intelligence potential in this area is beyond doubt, as are its “physical” or traditional capabilities. Its intelligence services are heavily involved in politics – as it happens, it is public that Vladimir Putin was an agent of the KGB and director of the FSB – and in the public and private sectors, and they also maintain close relations – always alleged – with organized crime.

The Russian ICC (I). Introduction: the Russians are coming!

We often talk about Russian APTs, Russian malware, Russian groups … But who are the “Russians”? We will analyze, in a series of posts, who “the Russians” really are, what Russia is (from the point of view of intelligence and security), what its services are – and their APTs -, what relations they have with the rest of the ecosystem of Russian information warfare, what objectives they have, what information they are looking for, etc. In short, we will try to get to know the Russian Cyber Intelligence Community a little better, along with the supposedly Russian threats that we find all the time in different organizations.

Of course, all the information collected here was obtained from public sources and represents no more than private opinions, interpretations, analyses, issues … surely all of them wrong, because … what exactly is attribution?

Let’s begin: as it could not be any other way (otherwise we would not be dedicating a series to it), one of the main actors in the field of (cyber) intelligence is Russia; perhaps this is currently the country most sophisticated in its attacks: targeted, stealthy and technically brilliant, with very high rates of persistence due to the difficulty of detection (of course, with the permission of the United States …). Russian APTs are often well informed about the information they need, where it is, and who handles it, and so they focus on the precise theft of such data, as we said, in the most secretive way possible.