30 June 2018

Part Two: Wargaming Moscow’s Virtual Battlefield


Response: The U.S. has responded to Russian activity in cyberspace through diplomatic measures, such as the expulsion of intelligence officials from Russian consulates in the country, economic methods, such as targeted sanctions, and legal actions, such as indictments of government personnel, criminal proxies and contracting entities that enable Russian network intrusions and influence operations. But indictments of Russian hackers often do not result in their eventual incarceration, given the protections provided to them by the Kremlin. Therefore, the more realistic intentions of U.S. indictments are to publicly name alleged perpetrators and impose increasing costs on them to travel or continue clandestine work.


U.S. indictments and even arrests of Russian cybercriminals increased significantly in 2017, and this trend is likely to continue as a method of undermining Russian cyber intrusions as law enforcement agencies around the world begin to better coordinate across national jurisdictions. In December 2017, the U.S. Treasury Department sanctioned two Russian intelligence agencies, the FSB and the GRU, along with two known Russian cybercriminals, Evgeniy Bogachev – the alleged creator of the GameOver Zeus botnet, an expansive network of between 500,000 and a million compromised computers – and Aleksey Belan, for their cyber activity. Bogachev has also been reported to have drained bank accounts while letting FSB officers access the same computers to search for sensitive information, including on U.S. arms reportedly being funneled to Syrian rebels from Turkey and top-secret files on Ukraine’s intelligence directorate, the SBU. The U.S. Justice Department later revealed charges against Belan in March 2017, alongside a Canadian national and two FSB officers – Dokuchaev and Igor Sushchin – for breaching Yahoo’s servers to steal information from at least 500 million accounts beginning in January 2014.

Russia has seemingly retaliated against U.S. indictments of its cyber operators by leaking the identities of U.S. cyber spies. In April 2017, a suspected Kremlin-linked group calling itself the Shadow Brokers released a cache of alleged NSA hacking tools and the details of a May 2013 hack of the Dubai-based EastNets SWIFT service bureau, exposing the names of several alleged NSA employees in the process. The Shadow Brokers then reportedly exposed another former NSA hacker in public statements. The doxing, or leaking, of NSA hackers is designed to impede current and former U.S. cyber operators from traveling and engaging in clandestine operations abroad – particularly should targeted countries, including allies, take legal action against the individuals for their involvement in NSA operations.

To further respond to covert Russian aggression in cyberspace, the U.S. may look to target the offshore accounts of Russian oligarchs, including Russian President Vladimir Putin, by either diminishing them or revealing them to the Russian public. In May 2017, there were a series of anti-corruption protests in Russia as a result of documents revealing bribery and opulence – including by Russian Prime Minister Dmitry Medvedev. The information was found within the compromised email accounts of Russian officials leaked by an anonymous collective known as Shaltai Boltai, Russian for “Humpty Dumpty.” But this risks normalizing hack-and-leak tactics among governments. Instead of engaging in tit-for-tat cyber warfare, the U.S. and its allies could formally freeze the assets of Russian oligarchs in the West in order to get the full attention of the Kremlin.

The U.S. has begun securing the supply chain of IT services sourced from Russia-based companies given the authoritarian influence the Kremlin holds in the country. In September 2017, the DHS issued a binding directive compelling the U.S. federal government to begin the removal of all Moscow-based Kaspersky anti-virus products from their computer systems, citing concern about the “ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks.” It was later reported that Israeli spies watched as Kaspersky software installed on an NSA employee’s personal computer was used to steal mishandled NSA hacking tools in 2015.

“Antivirus (A/V) programs – the primary product of Kaspersky – are essentially software tools that reside on your computer and have access to all files and programs on that computer. The A/V software scans for signatures of malicious software, known as malware, and removes or neutralizes it, and sends a report of what it has done back to the A/V company, in this case, Kaspersky. But this could be used for nefarious purposes. Instead of scanning for malware, it could scan for documents that say ‘proprietary’ or ‘confidential’ or ‘secret’ or any other term of interest, and send them back to the company.”

“The problem isn’t really Kaspersky, it’s the nature of the Russian state and how its agencies operate. They see the Russian private sector as an extension of their power. Unless that changes, which is unlikely, Russian companies with access to Western data and networks are going to struggle to be trusted.”

“The U.S. has struggled for a decade with how to respond to cyberattacks. If an attack produces an effect equivalent to a kinetic weapon, destroying physical infrastructure or harming American citizens, the nature of the response is clear. But when the attacks do not involve force (or its cyber equivalent), as is the case with espionage or the kind of information warfare the Russians are using now, how to respond is unclear. One question American policymakers will ask about a response to Russian hacking is how we will control the risk of escalation without being ineffective. Unplugging a few servers will not end Russian action, but unplugging many servers may lead to broader conflict. When facing an opponent who is nimbler in decision-making, less bound by law, and more willing to take risks, the chance of escalation is greater.”

Looking Ahead: Although the threat of a catastrophic cyberattack against U.S. critical infrastructure orchestrated by Moscow remains plausible, such an operation would likely spark open conflict, given its escalatory nature. However, Russia has already demonstrated its willingness to overstep such bounds in neighboring countries, leveraging disruptive cyber operations in concert with traditional military and intelligence operations, such as against Estonia in April 2007, Georgia in July 2008 and Ukraine in March 2014. Russia has also conducted network intrusions into the systems managing the Ukrainian power grid, causing temporary outages in December 2015 and December 2016. Perhaps most concerning was the GRU’s June 2017 disruptive NotPetya attack targeting Ukraine – and those that do business in the country – spreading to victims in North and South America, Asia and Europe. In February 2018, the Trump administration formally attributed the attack to Russia’s military, calling it “the most destructive and costly cyber-attack in history.” Such acts may indicate Russia’s willingness to expand its disruptive cyber operations against U.S. critical infrastructure in the near future.

“There’s a foreign intelligence motivation in Russia to understand how America uses its critical infrastructure. That therefore leads me to the dangerous possibility that Russia is attempting to understand U.S. critical infrastructure such that if they ever wanted to, they might then hold it at risk. And in so doing, to hold the U.S. and its people at risk. It is a latent possibility, and we shouldn’t discount it.”

Original analysis by Levi Maxey