What if network defenders knew that a cyber operation occurred during Moscow business hours, that it involved a Russian IP address, and that the cyber actors used a Cyrillic keyboard? Would those indicators by themselves be enough for attribution? Given the Russian cyber environment, the answer is clearly “no.” Those indicators could be shared by any of the cyber actors in Russia, with or without the support of the Russian government, or by other worldwide actors trying to masquerade as Russians.
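To make the point concrete, here is an added example (not part of the original article) that tests the "Moscow business hours" indicator the way an analyst would: it takes a handful of constructed UTC timestamps and checks, for several candidate time-zone offsets, how many of them fall on a weekday during local working hours. The timestamps, the offset table and the business-hours window are assumptions chosen for illustration; DST is ignored to keep the result deterministic.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: UTC timestamps an analyst might pull from malware compile
# times, C2 beacon logs or repository metadata. Not from any real incident.
SAMPLE_EVENTS_UTC = [
    "2017-03-06T06:30:00Z",  # Monday
    "2017-03-06T08:00:00Z",
    "2017-03-06T10:00:00Z",
    "2017-03-06T12:00:00Z",
    "2017-03-06T14:30:00Z",
    "2017-03-11T10:00:00Z",  # Saturday: should not count as business activity
]

# Candidate standard-time UTC offsets (DST ignored). Each offset is shared by
# several countries, which is the point: an offset narrows a hypothesis, it
# does not name an actor.
CANDIDATE_OFFSETS = {
    "UTC-5 (New York)": -5,
    "UTC+0 (London)": 0,
    "UTC+2 (Kyiv, Cairo, Johannesburg)": 2,
    "UTC+3 (Moscow, Istanbul, Riyadh, Nairobi)": 3,
    "UTC+4 (Dubai, Baku, Samara)": 4,
    "UTC+8 (Beijing, Singapore)": 8,
}


def parse_utc(stamp):
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def business_hours_hits(events_utc, offset_hours, start=9, end=18):
    """Return (hits, total): how many events land on a weekday between the
    start (inclusive) and end (exclusive) local hour at the given offset."""
    hits = 0
    for stamp in events_utc:
        local = parse_utc(stamp) + timedelta(hours=offset_hours)
        if local.weekday() < 5 and start <= local.hour < end:
            hits += 1
    return hits, len(events_utc)


def consistent_offsets(events_utc, min_fraction=0.6):
    """Names of every candidate offset under which at least min_fraction of
    the events look like business-hours activity (the threshold is assumed)."""
    matches = []
    for name, offset in CANDIDATE_OFFSETS.items():
        hits, total = business_hours_hits(events_utc, offset)
        if total and hits / total >= min_fraction:
            matches.append(name)
    return matches


if __name__ == "__main__":
    for name, offset in CANDIDATE_OFFSETS.items():
        hits, total = business_hours_hits(SAMPLE_EVENTS_UTC, offset)
        print(f"{name:45s} {hits}/{total} in business hours")
    print("Offsets consistent with the sample:", consistent_offsets(SAMPLE_EVENTS_UTC))
```

Run as written, the sample is consistent with UTC+2, UTC+3 and UTC+4 at once, so "Moscow business hours" is equally "Kyiv business hours" or "Dubai business hours". The same ambiguity applies to an IP address (VPNs, compromised hosts, rented servers) and to keyboard-layout or language artifacts, which can be set deliberately; none of these should move an attribution judgement on its own.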
The Russian government itself is advanced in its cyber capabilities, but it also has access to Russian hackers, hacktivists, and the Russian media. These groups disseminate propaganda on behalf of Moscow, develop cyber tools for Russian intelligence agencies like the FSB and GRU, and hack into networks and databases in support of Russian security objectives. Russia’s use of such proxies complicates attribution after a cyber incident, making it harder to determine whom to respond to, constraining potential cyber deterrence against Russian entities.
Russia cannot be prevented from complicating attribution through proxy use. These proxy relationships are institutionalized and mutually beneficial for both Russia’s government and its proxies. Instead, the key to better attribution is intelligence – both technical and traditional. It is necessary to understand not just the bits and bytes of malware, but also Russian actors’ cyber tactics, techniques, and procedures, as well as proxies’ motivations and relationships.
Russian-language hackers are the main proxy group working with Russian intelligence on cyber operations. The government usually allows cybercriminals to operate from Russia as long as the criminals do not go after Russian targets. This impunity gives the government leverage over hackers for their cooperation in developing malware or pursuing Russian government targets.
For example, a 2014 report finds that Russian cyber actors – TEMP.Noble – elicited a Russian cybercriminal’s services to create malware and exploit frameworks, or relatively automated attack kits, for operations against Eastern European governments and NATO. Another example of Russian intelligence leveraging the Russian hacker community is BlackEnergy malware, which has been used by criminals since 2007 to establish botnets for distributed denial-of-service attacks against Estonian sites. BlackEnergy botnets were redirected to target Georgian and U.S. assets during Russia’s 2008 invasion of Georgia, and a new version of BlackEnergy malware was used in 2015 to attack Ukrainian power distribution utilities.
Similar to its use of criminal hackers as proxies, Russia also taps into the hacktivist community, benefiting from their expertise and networks as well as the plausible deniability of proxy use. Hacktivists themselves may seek out government sponsorship as top cover to limit liability and potentially for additional profit. Given how such a relationship can be mutually beneficial, it is likely that the ties between hacktivists and the Russian government will continue.
The allegedly pro-ISIS hacktivist group, CyberCaliphate, is a probable front for Russian government activity. Although most of CyberCaliphate’s operations were of limited sophistication and focused simply on bringing more attention to ISIS, the group’s ties to Russian intelligence surfaced when they compromised the French news channel TV5Monde and used the same infrastructure associated with APT28, the Russian group behind the Democratic National Committee hack.
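The TV5Monde observation above, and the article's closing argument that attribution comes from mapping each group's infrastructure and relationships, rest on one analytic step: checking whether two activity clusters share infrastructure that unrelated actors would not share. The following is an added example, not from the article or from any vendor report, showing that step on constructed data (RFC 5737 documentation addresses and `.example` hostnames, none of them real). It ranks cluster pairs by overlap after first discarding commodity infrastructure, because a shared CDN or hosting node is exactly the kind of surface coincidence the article warns against; the `COMMODITY_INFRASTRUCTURE` set and cluster names are assumptions.

```python
from itertools import combinations

# Constructed sample: network indicators grouped by intrusion-set cluster.
# Addresses come from RFC 5737 documentation ranges and hostnames use
# .example; none of this is real infrastructure.
CLUSTERS = {
    "cluster-A": {"198.51.100.7", "203.0.113.22", "update-check.example", "cdn-sync.example"},
    "cluster-B": {"198.51.100.7", "203.0.113.22", "mail-relay.example"},
    "cluster-C": {"192.0.2.44", "static-assets.example", "cdn-sync.example"},
}

# Hypothetical shared-hosting / CDN indicator. Overlap on such nodes proves
# nothing because unrelated actors share them, so they are dropped before
# scoring. In practice this list comes from your own enrichment data.
COMMODITY_INFRASTRUCTURE = {"cdn-sync.example"}


def dedicated_indicators(indicators, commodity=COMMODITY_INFRASTRUCTURE):
    """Keep only indicators that are not known commodity infrastructure."""
    return set(indicators) - set(commodity)


def jaccard(a, b):
    """Jaccard similarity of two indicator sets; 0.0 when both are empty."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def rank_overlaps(clusters, commodity=COMMODITY_INFRASTRUCTURE):
    """Return (name_a, name_b, score, shared_indicators) for every cluster
    pair, strongest overlap first, scored on dedicated infrastructure only."""
    cleaned = {name: dedicated_indicators(inds, commodity) for name, inds in clusters.items()}
    results = []
    for a, b in combinations(sorted(cleaned), 2):
        shared = cleaned[a] & cleaned[b]
        results.append((a, b, jaccard(cleaned[a], cleaned[b]), shared))
    results.sort(key=lambda r: r[2], reverse=True)
    return results


if __name__ == "__main__":
    print("Overlap on dedicated infrastructure:")
    for a, b, score, shared in rank_overlaps(CLUSTERS):
        print(f"  {a} <-> {b}: {score:.2f}  shared={sorted(shared)}")
    print("Overlap with commodity nodes left in (misleading):")
    for a, b, score, shared in rank_overlaps(CLUSTERS, commodity=set()):
        print(f"  {a} <-> {b}: {score:.2f}  shared={sorted(shared)}")
```

With the commodity filter on, only cluster-A and cluster-B overlap (two dedicated addresses in common), which is the kind of evidence that supports linking one front group to another; with the filter off, cluster-A also appears to touch cluster-C through the shared CDN hostname, an overlap that means nothing. The score is a prompt for further collection on the linked clusters' tooling, timing and targeting, not an attribution by itself.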
The Russian media also acts as a government proxy, a relationship that recently has received significant coverage due to claims that Russian media meddled in the U.S. election. In January, the U.S. Intelligence Community released a report detailing close ties between the Russian government and RT, the news site formerly known as Russia Today. In the cyber domain, Russia’s influence extends into social media. In 2014, Moscow passed a law that grants the government greater oversight and influence over bloggers, requiring bloggers with over 3,000 daily readers to register with the government.
The Internet Research Agency (IRA) illustrates an even more direct tie between the government and social media. The IRA employs hundreds of Internet trolls who receive daily instructions from the Kremlin about which topics to promote in social media and what their opinion on topics should be.
Given that Russia is one of the most active sources of cyber threat activity in the world, honing intelligence on Russian actors in particular is crucial to cyber defense. It is only by fleshing out the specific tactics, techniques, and procedures and cyber infrastructure of each proxy group, the relationships between the groups, and how the cyber operation fits in with their motivations that it becomes clearer who ultimately is behind a cyber incident. Once attribution is better established, then network defenders can proceed more assertively with measures targeted to that specific actor to undermine ongoing cyber operations and deter future ones. Intelligence is key to attribution – particularly in this tangled web of Russian cyber proxies.