8 June 2014

Kremlin alleged to wage cyber warfare on Kiev


June 5, 2014
By Sam Jones
Access blocked: Kiev may have struggled to know even the level of threat it faced

Russia’s physical invasion of Crimea may have begun in late February, in the days after the removal of Ukraine’s president Viktor Yanukovich, but the infiltration of Kiev’s computer systems began years before.

While only glimpses have yet emerged as to what the scope of hostilities in cyber space might be, most military analysts are in little doubt that the Ukraine crisis marks a key point in the so far limited history of cyber warfare.

As far as the intelligence services of the larger Nato-states are concerned – and many private sector security and cyber experts agree with them – the Kremlin is engaged in waging a sophisticated cyber campaign that the authorities in Kiev have struggled to even know about, let alone combat.

“A war in the shadows is in progress in a very active way,” says Jarno Limnell, director of cyber security at Intel, who holds a doctorate in military science.

“Lots of things have been happening in Ukraine. In the future there will be a cyber element to every war. It’s already hard to imagine a conflict without a digital front to it. And that is certainly the case in Ukraine.”

Mr Limnell warns against misusing terms: “We should be very careful when we talk about cyber war,” he says. “Cyber activities have not produced a revolution in military affairs but an evolution.”

A remarkable thing about the cyber dimension to the Ukrainian conflict has been its lack of visibility. Some assumed early on that no cyber attacks were occurring. In the early days of Russia’s incursions, the communications of Ukrainian armed forces on the peninsula were not interrupted by far-flung hackers in Moscow basements but by soldiers with boltcutters.

Across the rest of Ukraine there were website defacements and attacks crippling access to services: the kind of digital vandalism assumed to be the first-use weapons in the cyber arsenal. These were low-key or of limited duration.

Groups such as the pro-Russian “cyber Berkut” have had minimal impact.

Cyber Berkut attacked Nato’s websites in March with a large-scale “distributed denial of service”, or DDoS, assault (whereby multiple false requests for information from a network of hijacked computers overwhelm a website, making normal usage impossible).

Arbor Networks, which monitors DDoS attacks worldwide, has observed little activity directed against Ukrainian computer systems in recent months. The few such attacks on Ukraine are dwarfed by those seen elsewhere in the world, according to the company’s digital attack map.

When Russia invaded Georgia in 2008, the latter saw almost all of its internet services knocked out by denial of service attacks. In 2007, although unlinked to any recognised military action, Estonia saw government, bank and media websites overrun after the relocation of a Soviet-era war memorial, the Bronze Soldier of Tallinn.

Since 2010, BAE Applied Intelligence, the cyber security arm of the UK defence contractor, has monitored a virulent piece of malicious software – “malware” – in Ukrainian systems. BAE analysts dubbed it “Snake”, though it also goes by the names Ouroburos – the tail devouring serpent of Greek myth – and Sengoku – a Japanese word describing a time of civil strife.

Of the 56 samples of Snake malware BAE analysts were handed over the past four years, 32 came from Ukraine. Of those, 22 were reported in the past two years. BAE believes that dozens, if not hundreds, more systems will be infected.

“There are all sorts of digital footprints left by the attackers,” says Dave Garfield, managing director for cyber security at BAE. “It’s unlikely to be hacktivists who made this. The level of sophistication is too high. It is very well written – and extremely stealthy.”

Many markers point to Russia as the malware source – time stamps left in the code and Russian names, for example. Some observers express scepticism about using these to apportion blame, but western intelligence experts are quick to corroborate what the markers indicate.

Snake’s capabilities are widespread but fundamentally it is a highly sophisticated espionage tool. After it has infected a computer, it buries itself deep within the existing system, concealing itself from all but the most sophisticated scanning systems. It can exfiltrate whatever information its operators desire, from personal emails to military plans.

Military sources say there is little doubt that Russia is using such malware to obtain up-to-the-minute operational intelligence about what is going on in Ukraine and that it is using it effectively.

“Clearly, cyber was a huge part of what Russia has done,” General Philip Breedlove, Nato supreme allied commander Europe said in a public speech in Canada on May 6.

Snake, perhaps more worryingly, is a pathway for its operators to escalate events rapidly if they choose. According to BAE’s analysis, the malware is a “digital beachhead”, allowing its operators to deliver whatever other malicious code they wish to the heart of infected systems.

“Russia not only now has complete informational dominance in Ukraine,” says one intelligence analyst, “it also has effective control of the country’s digital systems, too. It has set the stage.”

All of which perhaps underscores the point that in cyber space, just as in the real world, tactics follow an age-old playbook.
