15 May 2023

The Five Bears: Russia’s Offensive Cyber Capabilities

OSCAR ROSENGREN

The Five Bears constitute an integral part of Russia’s offensive capabilities. Russian state-sponsored Advanced Persistent Threat (APT) groups operate as a network, making Russia one of the strongest actors in cyberspace today [source]. A combination of advanced tooling and robust infrastructure enables sophisticated operations of unprecedented scale against nations in both war and peacetime.

However, even though Russia is at the forefront of war-fighting capabilities in the digital environment, the 2022 war in Ukraine suggests that offensive cyber operations have been of more limited significance than estimated. Cyber operations alone have yet to prove sufficient to gain strategic advantages on the physical battlefield. Still, since the digital environment does not respect state borders, the Russian APT actors make up an evolving threat on a global scale, not only in terms of espionage but also of physical disruption, calling for proportionate counter- and preventive measures among nations in both peacetime and war.

2.0. Background

Since at least the 1990s, Russia has engaged in a wide range of hostile cyber operations, from espionage to sabotage. Beginning with the Moonlight Maze intrusions in 1996 [source], malicious cyber operations linked to Russia have developed into a complex network of threat actors and operations. Today, Russian state-sponsored threat actors constitute a broad network of skilful groups conducting operations ranging from espionage to sabotage on a global scale. Furthermore, Moscow regards offensive cyber operations as an acceptable means of achieving foreign policy and security objectives by deterring adversaries, controlling escalation and prosecuting conflicts [source]. Hence, Russia’s offensive cyber capabilities make up a crucial element in its global power strategy.

2.1. Disclaimer

Attribution is a very complex issue. Groups often change their toolsets or exchange them with other groups, so the information published here may quickly need to be updated or altered as new information emerges. Moreover, cyber security companies and antivirus vendors use different names for the same threat actors and often refer to each other’s reports and group names. Keeping track of the different terms and naming schemes is difficult; lists of known alternative names for each group are therefore given below.

2.2. Terminology

APT: “An APT uses continuous, clandestine, and sophisticated hacking techniques to gain access to a system and remain inside for a prolonged period of time, with potentially destructive consequences” [source].

Phishing: Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers [source].

Spear-phishing: Spear-phishing is an email or electronic communications scam targeting a specific individual, organisation or business [source].

Zero-day: A zero-day vulnerability is a flaw in software or hardware that is unknown to the vendor and therefore has no patch available; an exploit for it can cause complicated problems well before anyone realises something is wrong [source].

Supply chain: A digital supply chain is a set of processes that use advanced technologies and insight into the functions of each stakeholder along the chain, letting each participant make better decisions about the materials they need, the demand for their products and all the relationships in between [source]. In the context of this article, the relevant risk is a supply-chain attack, in which a trusted vendor, software update or service provider is compromised in order to reach its downstream customers.

Trojan: A malicious program that masquerades as a harmless or legitimate file so that the user downloads and installs it on a computer [source].

3.0. The Russian APT Ecosystem

Russian state-sponsored APT actors use sophisticated cyber capabilities to target adversaries’ critical infrastructure in the global arena. Hostile actors have shown sophisticated tradecraft and cyber capabilities, maintaining a persistent and undetected presence in compromised environments [source]. Through malicious cyber activities ranging from cyber espionage and attempts to suppress political and social media activity to information theft and harming international adversaries, the Russian government uses its APT network to exercise power [source].

3.1. Prominent threat actors
3.1.1. Fancy Bear

Best known for its attempts to interfere with the 2016 US presidential election, Fancy Bear is a well-resourced and persistent adversary linked to Unit 26165 of the Main Special Service Center (GTsSS) of Russia’s Main Intelligence Directorate (GRU) [source; source]. The group has been attributed hostile operations in Europe and the US, with an increasing focus on targets in the east, including China [source]. Fancy Bear has been active since at least 2004 [source].
