16 May 2020

RUSSIAN MILITARY CYBER OPERATIONS IN CONTEXT


Report analyzes risk in state-sponsored cyber operations

If you can figure out why a cyber attack may have occurred, you can better predict what’s next and act deliberately to manage risk to your organization. That’s a key takeaway from Booz Allen’s comprehensive new report, Bearing Witness: Uncovering the Logic Behind Russian Military Cyber Operations. The report details how Russia’s military intelligence agency, the GRU, has been linked to more than 200 espionage, disruption, and disinformation incidents and campaigns between 2004 and 2019, and examines the timing, targets, and impacts of those operations.

Many organizations view cyber attacks as indiscriminate threats, but from financially driven “spray-and-pray” attacks to highly targeted attacks by state-aligned adversaries, there’s a motivated threat actor behind every attack, even if it’s not immediately obvious to the victims. In this case, our report illustrates how GRU-linked operations directly responded to Russia’s concerns about specific geopolitical events and developments, often by shaping beliefs and perceptions.

In this Q&A with the report’s authors, you’ll gain insights into GRU cyber operations, how to better understand the drivers behind those operations, and the value of “threat-centric risk management.”


What are some examples of how GRU attacks were influenced by specific events and larger strategic priorities?

From 2015 to 2017, the GRU repeatedly unleashed malware that wiped hard drives and twice disrupted local power distribution in Ukraine. According to Booz Allen’s assessment, these attacks were likely, in large part, a GRU response to Ukraine’s refusal to repay a geopolitically significant 2013 energy loan, compounded by a December 2015 IMF policy ruling that enabled Ukraine’s default. This contextual analysis better explains the motivating factors behind the attack than previous theories and directly ties to Russia’s strategic interest in enforced compliance with international agreements.

Also, in late 2016, the GRU repeatedly leaked documents from prominent U.S. democracy promotion groups. The spy agency’s personas and Russian state-linked media claimed the documents showed a vast illicit U.S. conspiracy to undermine elections in Russia and Eastern Europe. Our analysis showed the GRU sought to weaken then-emergent U.S. denunciations of Russia’s attempts to influence the 2016 U.S. presidential election. The leaks were framed to suggest a normative equivalence of all forms of foreign-linked political activity.

Who are the primary targets of the GRU’s cyber operations, and why?

The GRU’s immediate targets vary greatly, from sports organizations and religious figures to diplomats and critical infrastructure operators. Ultimately, the GRU seeks to influence specific groups (including cultural, ethnic, religious, and national groups), policy elites (such as military and political leaders), and countries to be more open to—or at least less likely to oppose—Russian interests and policies. They do this through data leaks, disinformation campaigns, and targeted attacks against individuals or infrastructure intended to sway confidence and influence discourse.

Recognizing this risk, how should organizations change and evolve their cybersecurity approaches?

Cybersecurity teams need to track more overt state-linked actions, such as statements by diplomats, state-linked media coverage, and disinformation campaigns. These can signal a government’s goals, positions, and points of friction. For instance, in February 2020, several governments blamed the GRU for conducting cyber attacks on the Republic of Georgia. At the time of the attacks in October 2019, Booz Allen observed concurrent social media campaigns amplifying false narratives about hacktivist perpetrators and NATO’s relationship with Georgia, which were early public indications of the attribution and the likely motivations.

In addition, organizations should expand their focus beyond tracking easily measurable harms to larger strategic impacts. Consider how the GRU disrupted Ukraine’s first post-revolution presidential election in 2014. On election day, they leaked emails suggesting a conspiracy to help certain candidates, defaced the national election commission’s website with fake vote counts, and wiped associated systems. Russia’s cyber operations delayed the release of accurate vote totals for more than a day. Moreover, these tactics—and the amplification of fraudulent results by Russian media—introduced confusion and threatened public confidence in the legitimacy of the newly elected government.

Although public confidence is difficult to measure, the results of such a campaign can be significant. Imagine, for example, the impact of these kinds of coordinated cyber information operations on the November 2020 U.S. presidential election. On a smaller scale, we recently saw firsthand how the U.S. public and news media reacted to delays in Iowa’s Democratic Caucus results.

How can organizations protect themselves considering rapidly changing geopolitical circumstances and cyber responses?

Whether by for-profit criminals or “hacktivists” advancing an ideology, cyber activities are goal-oriented. The goal for state actors conducting cyber operations is to bolster their national security and advance national interests. One approach to protecting yourself is threat-centric risk management. It considers how operations against your organization would advance your adversary’s interests, with security strategies tailored to this understanding.

To implement threat-centric risk management, first create an organizational “profile.” It details your location(s), partners, customers, the information you possess, and so forth. Then consider your potential adversaries: Who are they? What do they want? How likely are they to act on their objectives?

Once you’ve established those parameters, risk management activities can include:
Internal and external threat hunts focused on expected adversaries
Playbooks and security controls based on expected attacks
Tracking metrics to measure the impact of larger organizational decisions on your risk profile, including new lines of business, delivery models, and partnerships, or changes in your operating environment, such as political and social shifts

Learn more about state-sponsored cyber activity and threat-centric risk management by downloading the full Booz Allen report: Bearing Witness: Uncovering the Logic Behind Russian Military Cyber Operations.