Pages

19 May 2015

Russian Cyber War Techniques in the Ukraine Described

James J. Coyle
May 18, 2015

Hackers have consistently used low-level cyberwarfare tactics to advance Russian goals in Ukraine.

A dedicated group of hackers successfully infected the email systems of the Ukrainian military, counterintelligence, border patrol and local police. The hackers use a spear-phishing attack in which malware is hidden in an attachment that appears to be an official Ukrainian government email.

For the most part, the technologies are not advanced but the attacks have been persistent. Lookingglass, a cybersecurity firm, suspects the Russian Federal Security Service (FSB) is the culprit behind the virus dubbed Operation Armageddon.

The Russian government is likely behind an even more dangerous virus. Since 2010, BAE Systems has been monitoring the activities of malware they dubbed Snake, and numerous digital footprints point to the Russian Bear. Moscow time-zone stamps were left in the code and Russian names are written into the software.

Other clues point to the Kremlin. “It’s unlikely to be hacktivists who made this. The level of sophistication is too high. It is very well written—and extremely stealthy,” observed Dave Garfield, BAE’s managing director for cybersecurity.

According to the IT security company Symantec, Snake has infected dozens of computers in the office of Ukraine’s prime minister and at least 10 Ukrainian embassies since 2012. Snake was used against the Belgian Ministry of Foreign Affairs to access documents on the Ukraine crisis.

The malware establishes a “digital beachhead” that allows its operators to deliver malicious code to the targeted networks. The implications are far-reaching: “Russia not only now has complete informational dominance in Ukraine,” anintelligence analyst told the Financial Times, “it also has effective control of the country’s digital systems, too. It has set the stage.”

Another hacker group in Russia exploited a security flaw in Microsoft Windows software to spy on NATO, Ukraine and several other targets. Dubbed Sandworm Team after researchers discovered references in the code to the Dune series of science-fiction novels, the group used a “zero day” attack—a flaw in the software that has not been previously identified and for which there is no pre-existing fix—which is usually associated with deep pockets. In Ukraine, the malware wastargeted at regional governments, another clue that the hackers were not criminals.

So far, Russian cyberattacks have been relatively low-key. There’s an obvious reason why: The Kremlin already has access to Ukrainian telecommunications. Russia built the system. Even the system Ukraine uses to monitor the activities of its own citizens, System for Operative Investigative Activities, or SORM, was originally developed by the Russian KGB.

When Russia invaded Crimea, it gained access to the national telephone company’s operations center on the peninsula. If the Russian government wanted to shut down Ukraine’s power and telecommunications, it could do so easily. “And there’s nothing that Ukraine could do to stop it,” said Jeffrey Carr, CEO of the cybersecurity firm TAIA Global.

Cyber activity was used kinetically as Russia seized Crimea. Ukrainian law enforcement agencies reported Russian cyberattacks had collapsed the communication systems of almost all Ukrainian forces that could pose a danger to the invading Russian troops. Mobile telephone services were blocked, Russian naval ships jammed radio communications, Crimean government websites were knocked offline, telecommunications offices were raided and cables were cut.

“Russia has cutting-edge electronic warfare equipment and personnel trained in proper EW/SIGINT doctrine [what they called Radio-Electronic Combat] and Ukraine is playing catch-up. A generation’s worth of neglect of the Ministry of Defense and the security services by Kyiv…cannot be made good in a few months,” said John Schindler, an expert on information warfare.

U.S. technology is also vulnerable: Russia claims (and the Pentagon denies) that it used its control of the cyberbattlefield to intercept a U.S. drone as it patrolled Crimean skies on March 14, 2014.

Cyberattacks have increased in frequency around the time of military action, possibly indicating that the attacks are part of the overall offensive. The number of callbacks—computer communications showing someone is hacking a computer—to Russia increased as the turmoil rose.

Russia controls the airwaves, the phone lines and the computers. The Ukrainian government needs to rebuild its telecommunications network using non-Russian companies and technology. In the short term, U.S. diplomats and military trainers in Ukraine should avoid using Ukrainian communications. The United States also needs to harden its communications to avoid incidents such as the rumored drone intercept.

In the long term, the United States must face the reality that it is engaged in a decades-long contest for the Eurasian heartland and will have to adjust its tactics accordingly. Cyberwarfare is merely the latest battlefield in which politics is pursued by other means.

James J. Coyle is a research fellow at the Atlantic Council and the director of global education at Chapman University. This article first appeared on the Atlantic Council site.

No comments:

Post a Comment