Just Who Are Russia's Cyber Warriors?

Western intelligence services and cyber security firms say they have identified two particular groups involved in the hack of the Democratic National Committee (DNC) that led to a series of embarrassing emails being leaked to the public ahead of the US presidential election.

The first group, known as APT 29, “Cozy Bear,” or “The Dukes,” penetrated the DNC in July 2015. It is believed to be linked to the FSB, the main successor agency to the KGB, the Soviet Union's sprawling intelligence outfit.

The second, which security experts call APT 28, or “Fancy Bear,” hacked in March 2016. Crowdstrike, the security firm hired by the DNC to investigate the hack, concluded it was linked to the Main Intelligence Directorate (GRU), the Russian ministry of defence's intelligence agency.

APT stands for Advanced Persistent Threat, a term cyber security experts use, to refer to known networks of hackers. Cozy and Fancy Bear are not the only ones linked to national governments. APT-1, for example, is believed to be a Chinese government operation.

How do they work?

Both Cozy Bear and Fancy Bear gained access to computers through a technique called “spear phishing,” where attackers use carefully tailored fake emails and websites to trick target individuals into uploading malware onto their computer systems.

But thinking of them as glorified bank scammers would be a big mistake, says Thomas Rid, the author of Rise of the Machines and an expert on espionage at King's College London.

In the DNC hacks, the emails they used were so carefully targeted and convincing that they achieved a success rate of one in seven emails.

“That’s not one in seven people who opened the email or clicked a link, that’s one in seven who actually typed in their passwords, a phenomenal success rate,” said Mr Rid. “It’s extremely sophisticated. Don’t think they wouldn’t fool you.”

So now Russia has divisions of nerds as well as tanks?

No one knows. The German intelligence services have estimated that Russia’s three main intelligence outfits, the FSB, GRU, and SVR (the foreign intelligence service, roughly Russia’s MI6), have up to 4,000 cyber agents. That's not an outlandish number, the United States said in 2014 it would seek to hire 6,000 such staff.

Between them they have targeted foreign political parties, the German parliament, defence companies, and media organisations.

But that doesn’t mean there are thousands of nerds wearing shoulder-board epaulettes. Much more likely, says Andrei Soldatov, co-author of The Red Web, is the use of “informal actors”, activists, criminal groups, and possibly even legitimate cyber tech firms, who are curated by and act for the state, but hold no formal rank or position.

Outsourcing is a tactic Russia has used elsewhere to create plausible deniability and lower the costs and risks of controversial overseas operations.

When Russian troops moved into Crimea and east Ukraine in 2014, they were preceded by nationalist activists who insist they were acting independently.

It also makes it difficult to build an accurate picture of the Russian cyber warfare programme. Given the information publicly available, says Mr Soldatov, it is difficult to see how intelligence agencies are so sure Fancy Bear is definitely the GRU, for example.

What about Mr Putin?

Dmitry Peskov, Vladimir Putin's spokesman, says US officials should "either stop talking about it or finally produce some evidence, otherwise it all begins to look unseemly."

However, it is generally believed that sophisticated cyber operations go up to the Kremlin, and strategic direction and final sign off on large scale operations like the one that targeted the DNC almost certainly sits with Mr Putin or one of his close advisors.

But most experts believe the Russian cyber programme is too big to be micro-managed by one man.

In fact, rival agencies appear to be running rival programmes, and they may not always be coordinating with one another.

APT 29, “Cozy Bear”, supposedly linked the FSB, for example, displayed a stealthy, low-profile modus operandi that you might associate with a civilian spy agency looking to gather intelligence.

They weren’t caught until APT 28, their presumably military colleagues, blundered in and set alarm bells ringing.

How does America fight back?

Barack Obama has promised to respond, but a tit-for-tat retaliation presents obvious risks.

For a start, it is not difficult to image how a war in cyberspace could spill into a war in the real world, said General Lord Richards, a former chief of the defence staff.

"You never really, quite know, where it's going to end up. Are they going to start having a go at our financial system, electricity?” he said on the BBC’s Today programme.

“You have got to be very, very careful and that is why he has been rather cagey, I think, in choosing his words the way he has," Lord Richards added.

And leaking politically compromising information related to the Russian government probably would not be as politically damaging to Vladimir Putin as it was to Hillary Clinton.

That’s partly because the Kremlin maintains a near monopoly on the Russian media landscape, and partly because many Russians have few illusions about their politicians.  

The Panama Papers, which revealed one of Mr Putin’s close friends had been handling suspiciously large sums of money, was largely greeted with a collective shrug, but also with the suspicion that it was a CIA operation trying to discredit the country’s leadership.
 
If anything, a mirror image response from Washington would confirm those suspicions, reinforcing the perception of Mr Putin is a strong leader defending the country against an aggressive US.

Telegraph

You Might Also Read:

Handbook Of Russian Information Warfare:

Bank Attack Hackers Use Russian Decoys:

Russian Military Was Behind Hacking Clinton Campaign:

Meet The Fancy Bears:

 

 

« What Happens If Criminals & Terrorists Get To Use AI
Rapid Detection Is Key To Cyber Attacks On Business »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

A-SIT Secure Information Technology Center

A-SIT Secure Information Technology Center

A-SIT was founded in 1999 as a registered nonprofit association and is established as a competence center for IT-Security.

TrustArc

TrustArc

TrustArc provide privacy compliance and risk management with integrated technology, consulting and TRUSTe certification solutions – addressing all phases of privacy program management.

SIGA

SIGA

SIGA provides cyber security solutions for Industrial Control Systems SCADA systems used in critical infrastructures and industrial processes.

Assured Enterprises

Assured Enterprises

Assured Enterprises provides comprehensive cyber risk identification, management and mitigation across all platforms.

TrainACE

TrainACE

TrainACE, is a professional computer training school offering courses in information technology with a focus on Advanced Security training.

Bavarian IT Security Cluster

Bavarian IT Security Cluster

The Bavarian IT Security Cluster works to build regional IT security competencies and increase the competitiveness and market opportunities of its member companies.

Wotan Monitoring

Wotan Monitoring

Wotan Monitoring is the software solution for fully automatic process monitoring, infrastructure monitoring and end-to-end monitoring.

3Elos

3Elos

3Elos operates in the Information Technology market with a focus on research, development, consulting, marketing and implementation of Information Security solutions.

MyCyberSecurity Clinic (MyCSC)

MyCyberSecurity Clinic (MyCSC)

MyCyberSecurity Clinic's main goal is toward establishing an international reference centre for excellence in the field of digital forensics and data recovery services.

Blockchain Research Institute (BRI)

Blockchain Research Institute (BRI)

Blockchain Research Institute (BRI) is an independent, global think-tank. We bring together the world’s top global researchers to undertake ground-breaking research on blockchain technology.

US-Africa Cybersecurity Group (USAFCG)

US-Africa Cybersecurity Group (USAFCG)

USAFCG provides cybersecurity consulting services and delivers training programs for capacity building in Africa.

Defensity

Defensity

Defensity offer bespoke & pre packaged IT Security Solutions for Small business to help companies reduce overall IT related risk.

CITRA - Information Security and Emergency Response

CITRA - Information Security and Emergency Response

CITRA is responsible for overseeing the telecommunications sector, monitoring and protecting the interests of users and service providers, and regulating the services of telecomms networks in Kuwait.

HarfangLab

HarfangLab

HarfangLab develops a hunting software to boost detection and neutralization of cyberattacks against companies endpoints.

Hawk AI

Hawk AI

Hawk AI’s mission is to help financial institutions detect financial crime more effectively and efficiently using AI to enhance rules and find anomalies.

Threat Con

Threat Con

Threat Con is a one of its kind event in Nepal, a series of annual international security conventions similar to the famous Black Hat and DEF CON conferences.