Search Results for: IoT

Analysis of Linux.Omni

Following our classification and analysis of the Linux and IoT threats currently active, in this article we are going to investigate a malware sample detected very recently in our honeypots, the Linux.Omni botnet. This botnet particularly attracted our attention due to the numerous vulnerabilities included in its infection repertoire (11 in total); in the end we were able to determine that it is a new version of IoTReaper.

Analysis of the binary

The first thing that strikes us is the label given to the malware at the time of infection of the device, i.e., OMNI, because in recent weeks we have been detecting OWARI, TOKYO, SORA, ECCHI… all of them versions of Gafgyt or Mirai which do not innovate much compared to what was reported in previous articles.

So, analyzing the method of infection, we find the following instructions:

As you can see, it is a fairly standard script and, therefore, imported from another botnet. Nothing new.

Although everything indicated that the sample would be a standard variant of Mirai or Gafgyt, we carried out the sample download. [Read more…]

Analysis of Linux.Haikai: inside the source code

A few days ago we got the source code of the Haikai malware, which corresponds to one of the many implementations carried out by the continuous recycling of source code belonging to different IoT botnets. Although we have not identified any new developments compared to previous IoT malware versions, it has allowed us to obtain a lot of information on techniques, improvements and authors.

It should also be noted that, according to different records obtained, this botnet has been in operation for most of the last month of June.

In the following lines the code will be analyzed, as well as the possible attributions and the implementations not referenced in the execution thread, which allow us to guess that the code is mutating in different lines in parallel for the same function.

So let’s start by analyzing the structure of the files. [Read more…]

Legal Notice

In accordance with Law 34/2002 of 11 July on information society services and electronic commerce, we inform you that the company S2 GRUPO DE INNOVACIÓN EN PROCESOS ORGANIZATIVOS, S.L.U., with N.I.F. number B96863444 and registered office at Calle Ramiro de Maeztu, 7 Bajo, 46022 Valencia, is registered in the Mercantile Registry of Valencia, Volume 6338, Book 3643, Sheet 91, Section 8, Page V-65794, entry 1. You can contact us at the addresses indicated in the “contact” section or by sending an email to the following email address: info@s2grupo.es

© S2 GRUPO, S.L.U. 2018. Total or partial reproduction is prohibited.

PRIVACY POLICY AND COOKIES POLICY

S2 GRUPO is committed to complying with current regulations regarding data protection and guaranteeing the security of your personal data. For this reason, the privacy policy of this website provides information about the treatments that are carried out.

POLICIES OF USE OF THE S2 GRUPO WEBSITE

GENERAL CONDITIONS OF USE OF THE WEBSITE

The terms and conditions set forth below regulate the access to and use of the website www.securityartwork.es (hereinafter, the website), the website of S2 GRUPO DE INNOVACIÓN EN PROCESOS ORGANIZATIVOS, S.L.U. (hereinafter S2 GRUPO), whose registered office is at Calle Ramiro de Maeztu, nº 7 bajo, 46022, Valencia (Spain), Tel. 963110300, Fax 963106086, with Tax Identification Number B-96863444, and registered in the Mercantile Registry of Valencia, in volume 6338, Book 3643, Sheet 94, Page number V-65794, 6th inscription. The term “site or website” is understood to include, with a delimitative but not limitative character, the texts, graphics, images, animations, musical creations, videos, sounds, drawings, photographs, etc. included therein, and, in general, all creations expressed by any means or support, tangible or intangible, currently known or to be invented in the future, regardless of whether or not they are susceptible of intellectual property according to the Revised Text of the Intellectual Property Law or any regulation that may succeed it in the future.

The access to the site implies that the visitor acquires a series of rights and obligations, in order to guarantee the adequate enjoyment of the services and contents that are in it and that S2 GRUPO makes available to the user free of charge, unless the particular conditions that regulate a certain service or content accessible through the website stipulate that the user must pay an economic amount for the use and enjoyment thereof.

The visitor is aware that the access and use of the services and contents of the site is under his sole and exclusive responsibility.

The user status is acquired by accessing the website. The user will use the services and content exclusively for private purposes and/or by reason of his or her status as a client of S2 GRUPO, excluding any form of subsequent use of the same for profit or that yields any direct or indirect benefit.

S2 GRUPO hereby informs users of the following general conditions of use, which are expressly and fully accepted by them for the mere fact of accessing the website and/or viewing the contents or using the services contained on the website.

If these general conditions are replaced by others in whole or in part, these new general conditions shall be deemed accepted in the same way as those set out above. However, the user of the website must access these general conditions on a regular basis to know the successive versions that are included here, although it is recommended that the user accesses them each time they intend to access or make use of the services and contents of the website.

In the event that the user does not accept these general conditions or, where applicable, the specific conditions that regulate the use of a certain service and/or content intended for users of the website and that said entity determines, the user must refrain from accessing the website.

S2 GRUPO may establish Particular Conditions for the use of certain contents and services, which must be known and accepted by the user prior to their use in accordance with the terms set forth in said Particular Conditions.

The user must establish the appropriate technical security measures to avoid unwanted actions in their information system, files and computer equipment used to access the Internet and, especially, the website, being aware that the Internet is not completely secure.

PURPOSE OF THE WEBSITE

Through access to the site, the user can enjoy the use of various content and services that will be offered either by S2 GRUPO or, where appropriate, by third-party providers under the conditions determined for them. In general, the services and contents offered through the website will be available in Spanish, without prejudice to the possibility – subject to S2 GRUPO – of accessing them in the other official regional languages, as well as in another language spoken in the European Union.

S2 GRUPO may modify unilaterally and without prior notice, the provision, configuration, content and services of the site, as well as the conditions of use thereof and access to the services provided, without prejudice to the provisions of the particular conditions governing the use of a specific service and/or content intended for the customers of S2 GRUPO and/or users of the website.

The cost of telephone consumption or any other type of expense for connecting to the website will be borne exclusively by the user.

RIGHTS AND OBLIGATIONS OF THE USER

The user will be able to:

  • Access, free of charge and without prior authorization, the contents and services available on the site.
  • Make a correct and lawful use of the site, in accordance with current legislation, morals, good customs and public order.

Prohibitions

Under no circumstances may the user:

  • Access or use the services and contents of the site for illicit purposes, harmful to the rights and freedoms of third parties, or that may harm, damage or prevent in any way, access to them, to the detriment of S2 GRUPO, or third parties.
  • Use the services, in whole or in part, to promote, sell, contract, divulge advertising or information of their own or third parties’ without prior authorization of S2 GRUPO.
  • Enter information on the website or use the existing services in order to act, directly or indirectly, against the rights – and especially the fundamental rights and public liberties – of other users of the website or of S2 GRUPO; that incite or promote the performance of criminal, xenophobic, terrorist or degrading acts based on age, sex, religion or beliefs; or of a pornographic, obscene or violent nature, or that violate the law, morals or good customs. For these purposes, information will be understood to include, but not be limited to: texts, graphics, images, videos, sounds, drawings, photographs, data, notes, etc.
  • Include hyperlinks on their private or commercial web pages to this website that are not limited solely and exclusively to access to the home page of the website.
  • Use the services and contents offered through the site in a manner contrary to the general conditions of use and/or the particular conditions that regulate the use of a certain service and/or content, and to the detriment or impairment of the rights of other users.
  • Take any action that prevents or hinders access to the site by users, as well as hyperlinks to the services and content offered by S2 GRUPO or by third parties through the website.
  • Use the website as a way to access the Internet for the commission of illicit actions or contrary to current legislation, morality, good customs and public order.
  • Use any type of computer virus, code, software, computer program, computer equipment or telecommunications that may cause damage or unauthorized alterations of the contents, programs or systems accessible through the services and contents provided on the website or in the information systems, files and computer equipment of the users thereof; or unauthorized access to any content and/or services on the website.
  • Eliminate or modify in any way the protection or identification devices of S2 GRUPO or its legitimate owners that may contain the contents hosted on the website, or the symbols that S2 GRUPO or the legitimate third-party owners of the rights incorporate to their creations object of intellectual or industrial property existing on this website.
  • Include in websites of their responsibility or ownership “metatags” corresponding to trademarks, trade names or distinctive signs owned by S2 GRUPO.
  • Reproduce all or part of the website securityartwork.es in another website or web page. It will not be possible to frame the site www.securityartwork.es or the web pages accessible through it that hide or modify – delimitative but not limited to- content, advertising spaces and trademarks of S2 GRUPO or third parties, regardless of whether they involve acts of unfair competition or confusion.
  • Create frames within a website of their responsibility or ownership that reproduce the home page and/or the pages accessible through it, corresponding to this website without the prior authorization of S2 GRUPO.
  • Include in a website of their responsibility or property a hyperlink that generates a window or session of the navigation software used by a visitor, user or client of their website, which includes trademarks, trade names or distinctive signs of their property and through which the main website of www.securityartwork.es or any of the pages accessible through it is shown.
  • Use the trademark, trade names, as well as any other identifying sign that is subject to intellectual or industrial property rights, without the prior express written authorization of its owner.
  • Carry out any action that involves the reproduction, distribution, copying, rental, public communication, transformation or any other similar action involving the modification or alteration of all or part of the content and services of the site or the economic exploitation thereof, without the prior written authorization of S2 GRUPO, or of the third owner of the intellectual and industrial property rights that fall on the services or contents of the website and subject to the provisions of these general conditions or, where appropriate, special conditions that regulate the use of a service and/or content existing on the website.

RIGHTS AND OBLIGATIONS OF S2 GRUPO

S2 GRUPO reserves the following rights:

  • Modify the conditions of access to the page, technical or otherwise, unilaterally and without prior notice to users, without prejudice to the provisions of the particular conditions that regulate the use of a certain service and/or content intended for customers of S2 GRUPO and/or website users.
  • Establish specific conditions and, where appropriate, the requirement of a price or other requirements for access to certain services and/or content.
  • Limit, exclude or condition the access of users when all the guarantees of correct use of the site by them are not given in accordance with the obligations and prohibitions assumed by them.
  • End the provision of a service or content supply, without right to compensation, when it is unlawful or contrary to the conditions established for them, without prejudice to the provisions of the specific conditions that regulate the use of a particular service and/or content intended for users of the website.
  • Modify, delete or update all or part of the content or services offered through the site, without the need for prior notice, without prejudice to the provisions of the specific conditions that regulate the use of a particular service and/or content intended for users of the website.
  • Undertake any legal or judicial action that may be convenient for the protection of the rights of S2 GRUPO as well as third parties that provide their services or contents through the site, whenever appropriate.
  • Demand the compensation that could derive from the improper or illicit use of all or part of the services and content provided through the site.

S2 GRUPO’S EXEMPTION AND LIMITATION OF LIABILITY

S2 GRUPO is exempt from any type of liability for damages of any kind in the following cases:

  • Due to the impossibility or difficulties of connection to the communications network through which this website is accessible, regardless of the type of connection used by the user.
  • For the interruption, suspension or cancellation of access to the website, as well as for the availability and continuity of the operation of the site or of the services and/or contents therein, when this is due to a cause beyond the scope of control of S2 GRUPO, whether directly or indirectly from it.
  • S2 GRUPO assumes no responsibility for the services and contents, nor for the availability and conditions, technical or otherwise, of access to them, which are offered by third party service providers, especially with respect to information society service providers. Information society service providers are those natural or legal persons who provide the following services to the public: transmission over a communication network of data provided by the recipient of the service, access services to that network, data storage or hosting services, provision of content or information, temporary copying of data requested by users, provision of links to content or search tools.
  • S2 GRUPO, at no time, assumes responsibility for any damages or losses that may be caused by the information, contents, products and services -with a delimiting but not limited character- provided, communicated, hosted, transmitted, exhibited or offered by third parties outside of S2 GRUPO -including the service providers of the information society- through a website that can be accessed through a link on this site.
  • The subsequent processing and use of personal data by third parties outside S2 GRUPO, as well as the relevance of the information requested by them.
  • The quality and speed of access to the site and the technical conditions that the user must meet in order to access the site and its services and/or contents.
  • S2 GRUPO will not be responsible for the delays or failures that may occur in the access and/or operation of the services and/or contents of the website, due to a case of Force Majeure. “Force majeure” shall mean all those causes that could not have been foreseen, or though foreseen were unavoidable, and which result in the breach of any of its obligations. These include, but are not limited to, strikes, both of their own workers and of other workers, insurrections or riots, as well as regulations dictated by any civil or military authority, natural disasters such as earthquakes, floods, lightning or fires, wars, lockouts or any other situation of force majeure.

The user of the site will be personally liable for damages of any kind caused to S2 GRUPO, directly or indirectly, for the breach of any of the obligations derived from these general conditions or other rules governing the use of the site.

INTELLECTUAL AND INDUSTRIAL PROPERTY

The content of this site is distributed under a Creative Commons license, according to which you can copy, distribute and publicly communicate content from the blog, and make derivative works from it, provided that you acknowledge the credits of the work through a hyperlink to the www.securityartwork.es page. You can obtain more details about the license and use of the contents of the blog through the following link or by sending an email to info@s2grupo.es.

Without prejudice to the above, the trademarks, trade names or distinctive signs that appear on the website are the property of S2 GRUPO, and are protected by the current industrial property laws. If the culpable or negligent act or omission is directly or indirectly attributable to the user of the website that causes the infringement of the intellectual and industrial property rights of S2 GRUPO or third parties – whether or not there is a benefit for the same – causes S2 GRUPO damages, losses, obligations of solidarity, expenses of any kind, sanctions, coercive measures, fines and other amounts arising or derived from any claim, demand, action, lawsuit or proceeding, be it civil, criminal or administrative, S2 GRUPO will have the right to address the user by all legal means at its disposal and claim any indemnifying amounts, including – but not limited to – moral and reputational damages, consequential damages and loss of profits, advertising or any other costs that may result in their compensation, amounts of penalties or convictions, interest on late payments, the cost of financing both amounts that may be incurred by the opposing party, court costs and the amount of the defense in any proceedings in which it could be sued for the above causes, for the damages and losses caused by their actions or omissions, without prejudice to exercise any other legal action that may correspond to them.

INFORMATION REQUEST

If you have any questions or suggestions regarding the above conditions of use please contact us at the following e-mail address: info@s2grupo.es

DURATION

The access, content and services offered through the site have, in principle, an indefinite duration. S2 Grupo, SLU, however, is authorized to terminate or suspend access, services and/or contents thereof at any time, without prejudice to the provisions of these General Conditions or, where applicable, the Specific Conditions governing the use of a certain service and/or content intended for users of the website.

COMPLETE AGREEMENT

These general conditions contain all the terms agreed upon by the parties with regard to the subject matter of the same and any declarations, commitments or promises, verbal, written or implicit, prior to these conditions in relation to the object of the same shall be considered as non-existent. The fact that any of the parties does not demand at any given time the respect of any of the conditions established in these general conditions or, where appropriate, particular conditions that regulate the use of a certain service and/or content intended for users of the website, cannot be interpreted by the other party as a waiver to demand further compliance.

NULLITY AND CANCELLATION

In the event that any clause of these general conditions or, where appropriate, particular conditions governing the use of a specific service and/or content intended for customers of S2 GRUPO and/or users of the website, is voidable or void, in its entirety or in part, this nullity or voidability will not affect the validity of other clauses thereof, which will remain in full force and effect, unless the party claiming to be null and void proves that without the clause that results null or voidable the purposes pursued by these Terms and Conditions cannot be fulfilled.

LEGISLATION

These general conditions are governed by Spanish law.

The tools of the gods

Today at SAW we are not going to talk about security but about religion. About the true religion, the good one: about Unix. And about its gods: Kernighan, Ritchie, Thompson … we could cite a few. And about the tools that, in the seventies, these gods sent to us poor mortals, like the manna fallen from heaven for the chosen people.

The thing is that these gods created a real operating system, with some technically wonderful tools and a very simple philosophy: simple capabilities that combined make complex tasks. Perfection. Life is Unix running a script. More than forty years have gone by and we, poor mortals who were the chosen people, what have we done all this time? Trying to dishonor that divine legacy with artificial and useless layers (“of abstraction”, they call them, to try to make sense of them) that introduce two unnecessary problems in any “modern” technological environment: complexity, and therefore probability of error, and slowness.

A good example is the “true” executable, in line with the story that Rob Pike recently commented on on Twitter:

$ >mytrue;chmod +x mytrue
$ ./mytrue
$ echo $?
0
$

A program whose only purpose is to always return 0. An empty executable. EMPTY. There can be nothing simpler that works, and has been for forty years … well, that’s where we mortals come in. Year 2018:

[Read more…]

Analysis of Linux.Okiru

In keeping with our campaign of detection and documentation of IoT botnets, a few days ago we found another threat not classified before. It was first uploaded to the VirusTotal platform on November 3 and is only detected as malicious by 4 antiviruses.

During the article, two variants of the malware will be analyzed, which differ fundamentally in their propagation. The first one was detected in our honeypot systems (specifically for the SPARC architecture). The second one is a variant of the first, which was found under the Intel x86_64 architecture, and which the Netlab360 malware lab echoed a few days ago.

As no records of its identification were found, we decided to classify it as Linux.Okiru, due to the name of its binaries.

[Read more…]

The Russian ICC (XVIII). Conclusions

For a few months we have been publishing a series of posts about Russian cyber intelligence in SecurityArtWork, which we hope you have liked and which we hope have helped you to better understand Russian capabilities, groups, structures, APTs… Without a doubt, Russia has been and continues to be one of the main players in the field of security, intelligence and defense (and of course in cybersecurity, cyber intelligence and cyber defense… or cyber things in general) and, as such, we must know it well if we work on these issues.

As we have seen in this series, Russia is a world power in many fields (as was the USSR in its day) and still retains Soviet reminiscences; the “Cold War Mode”, which we have referred to in different posts, perfectly defines its current cyber strategy and the management of information that the country has historically carried out, both of which are applied in the broad concept of information warfare we have also referred to on many occasions, significantly different from the Western one, and which includes propaganda or deception, to give just a few examples. If Russia is your mother and your mother is in danger, you will do whatever is necessary to save her. Period. No further discussion.

[Read more…]

The Russian ICC (XVI): objectives. Countries

Any country in the world is a potential target of Russian (or non-Russian) espionage. As an example, infiltration in the Americas has historically been high, not only in the United States, a country of the highest priority for Russian intelligence, but also throughout Latin America.

However, maintaining a large intelligence ecosystem is not cheap – although it is certain that, thanks to the particularities and relations of the Russian services, it is not as expensive as it would be in other circumstances. So, as in any country, the Russians should prioritize their usual activities and interests, leaving temporary objectives for specific occasions: for example, the Middle East (Syria, Iran…) can be considered in the list of these temporary objectives, for reasons of security —counterterrorism— as well as economic ones —customers or suppliers of basic goods for Russia.

In addition to these, countries such as Australia or New Zealand, technologically developed and close to the West —not from the physical point of view, of course —are also targets of Russia for different reasons, such as industrial espionage. We have highlighted in gray the target countries of Russian espionage:

[Read more…]

The Russian ICC (XV): objectives. Information needs

Let us recapitulate: so far we have made several entries concerning the Russian ICC, in which we have contextualized Russian intelligence, we have described its different services with cyber attributions and have analyzed, as far as possible, their relations with third parties, thus describing the complex ecosystem of intelligence in Russia. With this ecosystem already described (we had to stop at some point), we will now try to analyze the objectives of this intelligence, its information needs: what is Russia looking for and where?

A bit of history: Vasili Mitrokhin was a KGB archivist who, after the dissolution of the USSR, defected and collaborated with the British MI6; the material exfiltrated by Mitrokhin, which gave rise to several books known together as “the Mitrokhin archive”, revealed among many other secrets that the Soviet leader Mikhail Gorbachev already considered industrial espionage a key aspect of economic survival and of the restructuring of the country. This became clear after the dissolution of the USSR: in accordance with its legal basis ([3]), the objective of Russian intelligence has been to gather information in the political, economic, military, scientific, technical and ecological fields to support the economic development and the scientific-technical and military progress of the Russian Federation; even the GRU has been entrusted with the acquisition of military, political-military, technological-military and economic-military information. In other words, Russia has been concerned about its defense, both military and economic, from the Soviet era (according to Mitrokhin’s information) to the Russia of the end of the last century. Something, on the other hand, completely logical in any modern country. [Read more…]

The Russian ICC (XIV): The intelligence ecosystem. Cybercrime

The relations of the Kremlin (and by extension of its intelligence services) with “classic” organized crime, with the Russian mafias, are a more or less proven fact. Without going any further, in documents leaked by WikiLeaks the Spanish prosecutor Jose Grinda directly links the Russian mafia with the intelligence services of the country.

But beyond these WikiLeaks leaks and their degree of reliability, in public reports – in this case, by the very same prosecutor – this relationship has been officially and openly revealed [1], stating verbatim: “[…]part of the FSB, which has implemented an organized crime regime in certain spheres of Russian power through the increased control of organized crime, a thesis that was already supported by the late Litvinenko”. In other words, Alexander Litvinenko’s thesis that the Russian services completely control the country’s mafia groups, both sides obtaining a mutual benefit from this relationship, is taken as given.

Let us remember that Litvinenko, a former agent of the KGB and the FSB, was murdered with polonium-210 after his harsh criticism of the FSB and its activities outside of any legislation, a murder for which the UK attempted to extradite former FSO officer Andrey Lugovoy, who happens to enjoy immunity in Russia as a member of the Duma. An excellent overview of Litvinenko’s story, and of his special collaboration with the Spanish justice system and services, can be found in [2].

It is to be expected that the relations of the Russian services with organized crime, whose origins we already traced in the post of this series on the intelligence ecosystem, extend into the field of technology, to what we call cybercrime (or organized cybercrime); always hypothetically, of course… In fact, officially it is the opposite: the FSB, within its police powers, has been mandated with activities against cybercrime, according to some analysts even replacing, with its 16th Directorate (which we have already discussed in previous posts), the famous Directorate K of the Russian Ministry of the Interior ([6]), which officially investigates cybercrime and illegal technology-related activities in Russia. Let us also remember that this FSB Directorate has CNA capabilities, which may be activated against cybercriminals whenever it is in Mother Russia’s interest… In any case, at least on paper, the two Directorates of both agencies complement each other perfectly in their activities against technological crime ([3]).

It is a fact that the Russian government, through both the FSB and the Directorate K of its Ministry of the Interior, has taken steps to combat criminal activity on the Internet, although it is also true that such efforts have focused more on combating those activities when they have affected Russian interests than on those which, originating in Russia, have affected foreign interests.

As an example, in [10] we analyze some of the press releases published in 2016 by the FSB in this regard: three releases in total:

  • The arrest of an organized Russian group that had stolen several million euros from Russian banks (June).
  • The discovery of a harmful code (unspecified source) that had compromised different governmental, military, research … Russian organizations (July).
  • The warning to the Russian government and citizenry regarding massive cyberattacks against its infrastructure by foreign services, an attack that ultimately did not occur or was completely mitigated by Russian capabilities (December).

As we see, the main actions were aimed at protecting Russia and its interests (obviously, by the way) rather than collaborating with third parties to mitigate problems originating in Russia. However – without an official press release – it is also public knowledge that in November of last year the FSB detained the group behind the banking malware Dyre, of Russian origin but with victims from almost all over the world… except Russia.

The last of the most notorious activities of the Service during the past year, also without an associated press release, was the arrest of Sergey Mikhaylov and Ruslan Stoyanov in December, both related in one way or another, past or present, to government units specialized in the fight against cybercrime, although their detention does not seem to be related to that fight: the official accusation speaks, quite simply, of “treason”, which can be interpreted in many ways (it even points to their collaboration with the CIA or FBI), not all of them positive when it comes to demonstrating the interest of the Russian authorities in combating crime in the RuNET.

Historically, Russia has been the cradle of very high technical capabilities, capabilities that can be used for good or for bad. We spoke in an earlier post of the establishment of relations between the Russian services and their intelligence ecosystem, and of the situation experienced at the end of the last century. Extrapolating this situation to the cyber sphere, it is easy to understand how Russian technical skills can be easily oriented towards illegal businesses, towards what we call cybercrime: from spam or phishing to child pornography, by way of the forgery and sale of official documents. A general review of Russian cybercrime can be found in [11].

And as for the relationship between intelligence and organized crime in the cyber domain, at the end of the last century, during the Moonlight Maze operation, there was talk of possible relations between the FSB and cybercriminals to cover certain activities in which the services should not be directly involved.

If we want to talk about Russian cybercrime, it is obligatory to refer to the RBN (Russian Business Network), thoroughly analyzed in [4], perhaps the most complete study on it, where the RBN is defined as “a complete infrastructure for the provision of harmful services”, further indicating that “there is not a single legitimate client in the RBN”; no comment. In short, a provider of solutions for crime, adjusted to the needs of its customers … which disappeared (or not) in November 2007. Chapter 8 of [3] summarizes the curious story of this “disappearance”, in the opinion of many a simple restructuring of the RBN to make its activities less visible. Some of the main operators of the RBN have had close relations with the Russian services: it is public knowledge that at least one of them, Alexandr Boykov, was a Lieutenant Colonel of the service ([5]).

In addition, some analysts argue for a symbiotic relationship between the RBN, patriotic hackers and the Russian government or services ([8], [9], works already referenced in previous posts in this series). This relationship is based on the permissiveness of the services towards criminal activities, provided they are carried out outside Russia, in exchange for the support of these groups when a situation requires it: Georgia, Estonia … In other words: we will let you work, but do not bother our compatriots; and if we need you, you have to lend us a hand. Remember: nobody says no to the FSB. In fact, some analysts argue that the FSB can commute prison sentences in exchange for active collaboration; in plain terms, it offers those accused of cybercrime their freedom in exchange for “special” jobs (although it is also true that this has popularly been said of many other services).

The last example that has come to light and reveals the close relationship – potential, potential… – between cybercrime and Russian intelligence is perhaps the Yahoo hack of 2014, which according to the US Department of Justice is attributed to the direct collaboration of the FSB with individual actors associated with cybercrime (DoJ press release, [7], published in March 2017). It was an official accusation of relations between Russian services and organized crime groups, coming from nothing more and nothing less than the US government (with two alleged FSB agents cited with photo, first and last names, Dmitry Aleksandrovich Dokuchaev and Igor Anatolyevich Sushchin, among the most wanted in the cyber field by the FBI), and, as always, with the corresponding official denial from the Russian government.

The FBI also accuses Evgeniy Bogachev, its most wanted cybercriminal, for whom it offers a reward of three million dollars, not only of activities associated with economic crime (he is the creator of Gameover Zeus and CryptoLocker), but also of possible interference – operated by the FSB – in the US electoral process. Another proof of this potential relationship? Disinformation on the part of the US government? Who knows … In short, we sense, although we cannot be sure, that there is a direct relationship between cybercrime and the intelligence services in Russia, just as there seems to be a relationship between these services and classic organized crime. Possibly yes, or possibly not, as almost always in this war…

References
[1] José Grinda González. Regulación nacional e internacional del crimen organizado. Experiencia de la Fiscalía Anticorrupción. Fiscalía General del Estado. Spain. September 2015.
[2] Cruz Morcillo, Pablo Muñoz. Palabra de Vor. Espasa, 2010.
[3] Jeffrey Carr. Inside Cyber Warfare: Mapping the Cyber Underworld. O’Reilly, 2011.
[4] David Bizeul. Russian Business Network Study. November 2007. http://fatalsystemerrorbook.net/pdf/Bizuel_onRBN.pdf
[5] Casimir C. Carey III. NATO’s Options for Defensive Cyber Against Non-State Actors. United States Army War College. April 2013.
[6] Timothy Thomas. Russia’s Information Warfare Strategy: Can the Nation Cope in Future Conflicts? The Journal of Slavic Military Studies. Volume 27, Issue 1. 2014.
[7] US DoJ. U.S. Charges Russian FSB Officers and Their Criminal Conspirators for Hacking Yahoo and Millions of Email Accounts. https://www.justice.gov/opa/pr/us-charges-russian-fsb-officers-and-their-criminal-conspirators-hacking-yahoo-and-millions. March 2017.
[8] Viktor Nagy. The geostrategic struggle in cyberspace between the United States, China, and Russia. AARMS. Vol. 11, No. 1 (2012) 13–26.
[9] Jeffrey Carr. Project Grey Goose Phase II Report: The evolving state of cyber warfare. Greylogic, 2009.
[10] Filip Kovacevic. Security Threats to Russia: The Analysis of the 2016 FSB Press Releases (Part 3 – Hacking & Other Challenges). https://www.newsbud.com/2017/01/12/security-threats-to-russia-the-analysis-of-the-2016-fsb-press-releases-part-3-hacking-other-challenges/. January 2017.
[11] Brian Krebs. Spam Nation: The Inside Story of Organized Cybercrime, from Global Epidemic to Your Front Door. Sourcebooks, 2014.

The Russian ICC (X): the intelligence ecosystem

We cannot conceive of the Russian intelligence community, described in this series, merely as a set of services dependent on political or military power. The degree of penetration of these services throughout Russian society is very high, both officially and unofficially. It is no secret that former KGB or FSB officials occupy positions of responsibility in politics or in the country’s big companies. As a curiosity, in 2006 it was reported that 78% of the country’s top 1,000 politicians had worked for the Russian secret services [1]. So much so that these profiles have a proper name: siloviki, a term that roughly means “people of power”. And it is no secret who the best-known of the siloviki is: Vladimir Putin, President of the Russian Federation, who was a KGB agent in the Soviet era and later Director of the FSB.

To understand this degree of penetration of Russian intelligence into certain organs of power it is necessary to go back to the 1990s. The dismemberment of the Soviet Union caused a chaotic situation in Russia, with high unemployment and poverty rates. Many people had lost their jobs – among them, it is estimated, 40% of the KGB [2] – and the easy way out for these citizens was, obviously, illegality. Many former members of the security forces, the army or the intelligence services ended up swelling the ranks of organized crime groups, or working in the legal or illegal protection of oligarchs or mafia leaders. This transfer of specialized personnel to organized crime groups was not only a means of survival for these people, but also a considerable reinforcement of these groups, both in volume and in quality: thanks to these new signings, many of them went from small, unspecialized groups using basic intimidation techniques to perfectly organized mafia groups, with better human and material resources and highly specialized tactics. And, especially, with better relations with the Russian security, defense and intelligence services, the cradle of a good part of the mafia groups’ new personnel.

In this convulsive situation, it seemed that the most stable business was organized crime; for example, the number of homicides in 1995 had tripled compared to the 1988 figures. When the Russian Government began to privatize state enterprises and services, organized crime groups, with a lot of money and power, identified the opportunity to position themselves in these, which automatically not only increased their economic power but also placed the mafias in the front line of political power.

Let us recapitulate: organized crime maintained a close relationship with the security and intelligence services, since many of its members came from them, and also with the large privatized companies and therefore with national politics. A perfect combination for becoming a key piece for the country. The Russian Government was aware that, in order to return the country to a situation of relative normality, organized crime had to be reckoned with. So much so that in 1994 Boris Yeltsin went so far as to call Russia “the greatest mafia state in the world”.

But the arrival of Vladimir Putin to the government in 1999 tried to change this situation with two objectives: to return control of the strategic assets to the state, and to let the world know that the state controlled these assets again – and, therefore, that Russia was a world power, as the USSR had been. He took control of the main companies and command posts away from oligarchs and criminals and placed in them former officers of the KGB or its successor, the FSB, confident that they all identified with the same Mother Russia we have already spoken about in this series.

With a heavy hand, Vladimir Putin achieved his goal and largely removed organized crime from the country’s strategic positions; but the power acquired by the mafia groups during the 1990s was too great, and trying to eliminate their activities altogether could even have destabilized Russia [2], so Putin had to settle for removing them from these strategic positions while tacitly allowing them to continue their illegal business.

Let’s look at the big spider web: Russian intelligence maintains connections with organized crime, gained in the 1990s, and widespread penetration of the country’s political (government) and economic (strategic enterprises) circles of power, gained in the first decade of this century. With this degree of infiltration into the circles of power, Russian intelligence achieves two clear objectives: cover and control (or collaboration, depending on the degree required in each case). This has been the case since the Soviet era and it still is – coincidentally or not – in the Russian Federation. In fact, until recently, a high percentage of senior Russian government officials were siloviki, although under Medvedev this percentage was reduced and the siloviki lost some of their power in politics, although they still constitute a relevant lobbying group (or several, as there are several “families” of siloviki). With the appointment of Medvedev as Russian Prime Minister, Putin reinforced the liberals (economists and lawyers, many of them from St. Petersburg) against the siloviki, headed by Sergei Ivanov, who was given the leadership of the Presidential Executive Office; an interesting move between two opposing clans whose almost sole link from that moment on is President Putin himself.

In addition to these circles of power, the Russian services are closely related to citizen movements and even to the Russian Orthodox Church; although we are not going to describe this last relationship – we are focusing, or attempting to, on the cyber environment – it is nevertheless a good indication of the extent of the social penetration of intelligence in Russian society. And we will see that this penetration is not restricted to classical intelligence, but is automatically extrapolated to the cyber domain.

The relations of the Russian services with some of these actors are generally protected by law and can at most raise ethical objections; however, in the “unofficial” relationships legality is more than doubtful, not only with organized crime (in our case, organized cybercrime) but also with movements such as the patriotic hackers, who have launched real offensive campaigns on behalf of the Russian homeland, perhaps covered by the country’s own services…

In the next entries we will review the relations of the Russian intelligence community, previously described, with the different actors relevant to that community, which allow it to increase its control and its capacity to act, especially unofficially.

References
[1] Alexander Klimburg, Heli Tiirmaa-Klaar. Cybersecurity and cyberpower: concepts, conditions and capabilities for cooperation for action within the EU. Directorate-General for External Policies of the Union. Directorate B. Policy Department. European Parliament, 2011.
[2] Fred Burton, Scott Stewart. Russia and the Return of the FSB. Stratfor Security Weekly. April 2008.