August 28, 2015

The Many Variants of Russian Cyber Espionage

The Black Hat logo is displayed before a keynote address by Jennifer Granick, director of civil liberties at the Stanford Center for Internet and Society, during the Black Hat USA 2015 cybersecurity conference in Las Vegas, Nevada August 5, 2015.

Last week, the IT security firm Trend Micro shined a light on yet another case of alleged Russian cyber espionage as part of a report on Operation Pawn Storm. This report was just the most recent in a series of research papers by companies all over the world dating back to 2007 detailing the tools, techniques, and targets of cyber threat actors with reported connections to Russia.

It is no secret that the security situation in Europe and the world has deteriorated significantly in the last two years due to Russia’s conflict with Ukraine and the resulting tensions with the West. These frictions have clearly translated into increased cyber activity as well, with the Estonian Information System Authority stating publicly that “the number of incidents related to foreign special services has increased significantly” in 2014. The Lithuanian Ministry of Defense has also partially attributed a rise in Russian cyber espionage to the crisis in Ukraine even before the illegal occupation and annexation of Crimea, while the US Office of the Director of National Intelligence has identified Russia as among its most capable adversaries in cyberspace. In this context, it is worthwhile to take a closer look at the publicly identified subjects of these assessments.

Before continuing, it is important to note that none of the following activities have been conclusively attributed to any specific Russian individuals or agencies; the attributions rest instead on accumulated evidence such as targets, language use, hours of operation, and numerous other factors.

In addition to Operation Pawn Storm/APT28, some of the most high-profile cases of alleged Russian cyber espionage directed at political, military, and diplomatic targets include Turla/Snake/Uroburos, Red October/Cloud Atlas, the Dukes (the subject of a previous blog post), and Quedagh. There is a considerable amount of overlap as well as variety among these groups, which are often referred to as “advanced persistent threats” (APTs). To better understand their tactics, it is useful to keep in mind ENISA’s overview of the stages of targeted attack workflow: reconnaissance, weaponization, delivery, exploitation, installation, command-and-control, and actions on objectives.

Typically, security companies’ analyses of Russian APT groups assert that they begin with “spear-phishing” e-mails that contain either documents or URLs. Once opened or clicked, the documents or websites usually exploit software vulnerabilities to download and run malicious code on the target device. Next, if the targets have been identified as sufficiently interesting, the initial droppers connect to command-and-control servers via the internet to receive more complex payloads with greater functionality, which can then be used to steal information—or even alter or delete it. Some of these actors have shared initial infection tools or gone after the same vulnerabilities. However, there are many specialties among these APT groups as well. Among other idiosyncrasies, Operation Pawn Storm was particularly good at faking Outlook Web Access (OWA) login pages to harvest user credentials. Quedagh used a malware kit typically associated with criminals to gain an initial foothold in target systems and achieve plausible deniability. Red October contained a piece of code designed to provide a reliable way to regain access to the target system even after removal. And finally, Turla, perhaps the most technically complex and insidious of them all, used several zero-day vulnerabilities that left even the best-prepared organizations virtually defenseless against intrusion.

What, then, are the strategic implications of these allegedly Russian incursions at the tactical level? While the lists of targets published by security companies are usually quite extensive, almost every campaign has had an identifiable focus on Russia’s near abroad as well as the United States and NATO/EU member states. Often, international organizations themselves were also specifically targeted. Clearly, cyber espionage has taken its place among the set of tools that Russia relies on for achieving its strategic interests, including power projection and hegemony in the former Soviet space as well as a return to parity with the West and to great power status at the international level. Russian cyber capabilities have clearly advanced far beyond the widely publicized use of DDoS attacks during the Bronze Soldier Crisis in Estonia in 2007 and the Russo-Georgian War of 2008. These developments mirror the wider modernization of its armed forces that began in the aftermath of the Georgian occupation. Furthermore, cyber capabilities also fit well into the wider framework of the Gerasimov Doctrine of asymmetrical warfare and both support and enable other aspects of Russia’s toolkit, especially information warfare. Finally, Russia’s liberal application of malicious code reflects—and perhaps even motivates—its increasingly emboldened aggressiveness in international affairs. None of these considerations bodes well for European security or for a rule-based and sovereignty-respecting international order more broadly.

Interestingly, however, it appears that Russia has also shown remarkable restraint in its cyber operations. In none of the examined cases has there been mention of alteration or deletion of data, meaning that the APT actors have stolen information without directly damaging or destroying networked devices. This is especially relevant given the prevalence of vulnerabilities in industrial control systems, whose destruction could cause massive economic damage and even loss of life. Of course, there have also been major purportedly Russian espionage campaigns against a variety of critical infrastructure sectors as well. It is not entirely out of the question that, in addition to collecting information, Russian APT actors have also engaged in battlefield preparation in the form of planting logic bombs or leaving backdoors into the control systems of electrical grids, transportation systems, and medical networks of strategic adversaries. One can only hope that such restraint, if that is indeed the case, will continue—and not just on the part of the Russians.
