27 December 2016

Putin’s Way of War

By MATT TAIT

In America and Ukraine, Russian intelligence used the same fundamental weapon: Our human weakness. 

This week, cybersecurity researchers produced compelling new evidence linking Russia’s GRU military intelligence service to the hacks of Democrats during the 2016 campaign.

The findings, released in an 11-page report by the firm CrowdStrike, showed that the same group of hackers who broke into the Democratic National Committee and Clinton campaign chairman John Podesta’s inbox had also backdoored a mobile app used by Ukrainian soldiers to target artillery, with devastating results.

Democrats, looking for proof that the Kremlin had indeed hacked the DNC, saw the report as partisan ammunition. The researchers were able to identify shared digital fingerprints showing that the same culprits were behind both sets of intrusions, and thus connect the hacks to the GRU, Russia’s top military intel arm.

But that wasn’t the most interesting, or surprising, aspect of CrowdStrike’s report. What was stunning was how it revealed a level of detail about modern warfare that we have rarely, if ever, seen before.

Welcome to war’s new normal.

The story of the Ukraine hacks begins in 2013, a full year before the country’s corrupt and widely despised president, Viktor Yanukovych, was ousted in a popular uprising, and before the subsequent annexation of Crimea and invasion of Eastern Ukraine by Russia.

Yaroslav Shershuk, an officer attached to Ukraine’s 55th Artillery Brigade, was writing an app for his phone.

His unit still used aging Soviet-era D-30 howitzers, and working out the targeting data for them was a manual process. It would take minutes, and it was prone to error. But with his new app, Поправки-Д30 (“Correction D-30”), computing the correct inputs for the howitzer could be done accurately in just seconds and with just a few taps of a smartphone.

The unofficial app was so useful that Shershuk decided to share it online with his fellow officers, and it got some attention. According to Shershuk, eventually more than 9,000 artillery personnel were using it, and it was widely used by Ukrainian forces in training, and by artillery units deployed in Eastern Ukraine.

But Russia’s GRU military intelligence agency was paying attention, too.

In November 2013, the world watched as Yanukovych walked away from a long-negotiated landmark agreement to bring Ukraine closer to the European Union, launching the so-called Euromaidan protests that would eventually oust him.

But away from the television cameras, someone was sharing a variant of Shershuk’s app on Ukrainian military forums that was harboring a dark secret. On its surface, the app acted as before, reducing the time to target and fire the howitzers. But hidden inside was the X-Agent malware -- one of the primary malware families used by Russia’s GRU military intelligence agency -- a variant of which would later be used in the hack of the DNC in the United States in 2016.

Officers using the backdoored version of Shershuk’s app would see no difference between it and the original. But in the modified edition, the hidden malware would secretly steal text messages, contact lists, call logs and -- most devastatingly -- location data from the phone and send it to Moscow’s spies, allowing Russia to spy on the officers from a distance, or to expose and engage them militarily.
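Everything the backdoor stole maps to an Android permission the trojanized app had to declare that the original calculator never needed, so the practical check for a tampered variant is to diff the declared permissions against the legitimate app’s. The script below is an added example, not code from the article, from CrowdStrike, or from the app’s author. It assumes the manifest has already been decoded from the APK’s binary XML (for instance with apktool); the two manifests are constructed for illustration, and the baseline permission set is an assumption, since the real app’s manifest is not on the page.

```python
"""Flag a trojanized Android app by diffing its declared permissions
against the set the legitimate app needs.

Added example. Both manifests below are constructed; the real
Correction D-30 manifest is not on the page, and a real APK's
AndroidManifest.xml must first be decoded from binary XML (apktool,
androguard) before it can be parsed like this."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: what a ballistic-correction calculator plausibly needs.
BASELINE = {"android.permission.WAKE_LOCK"}

# Permissions that grant exactly the data the article says was stolen.
EXFIL_PERMISSIONS = {
    "android.permission.READ_SMS": "text messages",
    "android.permission.RECEIVE_SMS": "text messages",
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.READ_CALL_LOG": "call log",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "coarse (cell-tower) location",
}

# Constructed manifest for the legitimate app.
ORIGINAL_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.d30correction">
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <application android:label="Correction D-30">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

# Constructed manifest for a backdoored variant: same package name and
# label, plus the permissions a data-stealing implant has to declare and
# a network permission to get the data off the device.
TROJANIZED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.d30correction">
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Correction D-30">
    <activity android:name=".MainActivity"/>
    <service android:name=".SyncService"/>
  </application>
</manifest>"""


def declared_permissions(manifest_xml):
    """Set of android:name values from every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def suspicious_permissions(manifest_xml, baseline=BASELINE):
    """Map each permission declared beyond the baseline to the data it
    exposes ('outside baseline' if it is not a known data-access one)."""
    extra = declared_permissions(manifest_xml) - set(baseline)
    return {p: EXFIL_PERMISSIONS.get(p, "outside baseline") for p in sorted(extra)}


def verdict(manifest_xml, baseline=BASELINE):
    """'clean' if nothing beyond the baseline; 'suspect: ...' when the app
    both reads personal data and can reach the network (the exfiltration
    combination); 'review' for any other unexpected permission."""
    findings = suspicious_permissions(manifest_xml, baseline)
    if not findings:
        return "clean"
    reads_data = any(p in EXFIL_PERMISSIONS for p in findings)
    if reads_data and "android.permission.INTERNET" in findings:
        return "suspect: reads personal data and can send it off the device"
    return "review"


if __name__ == "__main__":
    for label, manifest in (("original", ORIGINAL_MANIFEST),
                            ("forum copy", TROJANIZED_MANIFEST)):
        print(label, "->", verdict(manifest))
        for perm, what in suspicious_permissions(manifest).items():
            print("   ", perm, "=>", what)
```

The same diff works against the original APK’s signing certificate: a copy of the app distributed on a forum that carries extra permissions and a different signer than the developer’s known build is the tell, whatever the app looks like on screen.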

The operation was lethally successful. In the two years of war since, Ukraine’s artillery forces have taken heavy damage; by CrowdStrike’s estimate, more than 80 percent of the country’s D-30 howitzers were wiped out. Downloading the wrong app had led to real deaths.

CrowdStrike’s investigation gives rare insight into a category of cyber-warfare that is little known and operates entirely in the shadows: the use of hacking to provide tactical battlefield intelligence, rather than foreign intelligence espionage or malware-based sabotage, such as destroying centrifuges (as in the case of Stuxnet) or remotely wiping entire computer networks (as Shamoon did at Saudi Aramco).

Russia is not alone in its use of cyber-enabled military operations. The United States undoubtedly uses many of the same techniques for tactical battlefield advantage, as former CIA director Michael Hayden hinted when he said during a symposium in April 2014: “We kill people based on metadata.” On the battlefield, the smartphone in your pocket might be convenient, but it might also be working against you, exposing your position for opposing forces to target and engage you.

It’s also a hard category of cyber-attacks to investigate. After all, when many computers all stop working suddenly, it’s not unreasonable to infer a cyber-attack took place. A thorough forensic investigation is an obvious next step. But it’s much less intuitive to begin a forensic investigation for malware in the remains of a smartphone when investigating a smoking crater in, say, Waziristan, Yemen or Eastern Ukraine.

It might not be possible in any case. The smartphone may be destroyed, and, by definition, the remains of the phone are in the middle of a warzone. Often, only the hackers and their military superiors will ever know of the pivotal role they played in a military campaign; a fact kept secret to preserve the hackers’ continued access and their effectiveness.

This is cyber-enabled hybrid warfare. Simple, but effective.

Like the Podesta and DNC hacks, the attack on Ukraine’s artillery personnel wasn’t especially sophisticated. Tricking Ukrainian officers into downloading the wrong app didn’t take some great feat of technical engineering to pull off. But like the DNC and Podesta hacks, it was a feat of social engineering: exploiting a desire for convenience to achieve a strategic goal.

The Democrats’ emails weren’t stolen so that Russia’s intelligence agencies could read them secretly in their heavily guarded headquarters; they were published to affect election media coverage and drive an outcome. In the hack of Ukrainian officers, the stolen location data was fed into a different domain as well: It was passed to the Russian military so that they could target and engage Ukrainian artillery positions.

For the Democrats, the consequence of being socially engineered was having to watch an election campaign derailed by wall-to-wall coverage of their private emails.

For officers in Ukraine, the consequences of their mistake were more final.

Matt Tait is CEO and founder of Capital Alpha Security, a UK-based cyber-security consultancy. Previously he worked for Google’s Project Zero, the U.S. cybersecurity firm iSEC Partners, and as an information security specialist at the British intelligence agency GCHQ.