U.S. and UK officials are taking a more aggressive approach toward Russian state-backed cyber operations by publicly naming and shaming Russian Military Intelligence (GRU) for destructive and undermining criminal actions in cyberspace.
The U.S. Department of Justice announced the indictment of seven GRU-related individuals for cyber-crimes that included hacking, wire fraud, identity theft and money laundering.
Also last week, the UK’s National Cyber Security Centre (NCSC) announced that the GRU was behind a campaign of ‘indiscriminate and reckless cyber attacks targeting political institutions, businesses, media and sport.’
The NCSC is part of the UK's Government Communications Headquarters (GCHQ), the UK's signals intelligence and cyber security agency, and acts as the national technical authority on cyber security.
The Cipher Brief asked former GCHQ Director Conrad Prince for his expert thoughts on what this means and whether a more aggressive public naming of perpetrators by the UK and the U.S. will be enough to discourage Russia’s bad behavior in cyber.
The recent co-ordinated international exposure of cyber operations by Russia's Military Intelligence (GRU) represents a notable stepping-up in the Western response to hostile Russian action in cyberspace. But it can only be the precursor to other actions if we are to see a real impact on Russian behaviour. Meanwhile, the breadth and depth of GRU cyber activity has been clearly exposed, and this needs to prompt all sectors of society to look at what measures can be taken to protect against Russian attack.
Last week, we saw an intensive and co-ordinated international effort to draw attention to the scale and extent of hostile cyber operations conducted by Russia’s GRU. Britain’s National Cyber Security Centre (NCSC), part of the UK signals intelligence and cyber security agency, GCHQ, published information drawing together details of a wide range of GRU cyber operations. Some of these had previously been attributed to the agency, but others had not.
Taken together they show a broad and ambitious campaign, leveraging cyber for multiple effects, including disruption of critical national infrastructure, intelligence gathering, information operations, and malign attempts to influence the democratic process. This exposure has been reinforced by the Dutch government’s revelations of a GRU close access collection operation in the Hague, which was successfully disrupted. In parallel, the U.S. Justice Department has indicted seven GRU officers for illegal cyber activity, and strong statements have been made by NATO and the EU attacking unacceptable Russian behaviour in cyberspace.
This naming and shaming has attracted a lot of attention. On the part of the UK, it represents a ratcheting up in the willingness to call out Russia, off the back of the Salisbury poisonings.
This is a positive step. Perhaps for too long the UK had avoided publicly attributing state sponsored cyber attacks. Over the last year or so we have seen a shift in this approach, and Salisbury has accelerated that further. This is a necessary step. We must be up front about what the Russians are doing in cyber, if only to get the issue on the table. And being clear about the nature of the threat is a necessary precursor to further action.
Of course it seems highly unlikely that naming and shaming alone will do much to deter Russia from continuing its campaign of hostile cyber activity. The indications are that over the last few years Russia has become less concerned about being found out. And in some cases they may positively welcome attribution. To anyone who has been paying even cursory attention to this space, the reporting of the last few days should not come as much of a surprise. So the West needs to deploy a broad range of follow-up action. This may not necessarily include action in cyberspace. There is no particular logic that dictates an offensive cyber act by Russia can best be responded to by Western cyber operations. In practice, other, more traditional, means are more relevant. We have seen the indictments in place, and sanctions are a further logical step.
In that sense there is nothing special about the cyber dimension. The West’s potential responses are the same as in any other case of bad behaviour. And they carry with them the same challenges of finding a way of really achieving the desired effect.
Alongside the strategic question of how to achieve a genuinely deterrent effect, is the more immediate one of what the latest revelations tell us about GRU cyber operations and what that might mean for governments, businesses and private citizens. The NCSC statement shows that the GRU’s targets are wide ranging – governments, political parties, international organisations, businesses, and private individuals. The GRU uses cyber operations in response to many different issues. And it leverages cyber to achieve the full spectrum of effect, including disruption of IT systems, intelligence gathering, conducting information operations against adversaries by stealing and exposing potentially damaging information, and seeking to influence political processes.
So the GRU has an extensive range of global targets. And of course the impact of its operations can go well beyond the intended victims, as in the NotPetya attacks of 2017. The GRU uses techniques ranging from the relatively simple (basic phishing attacks) to something more sophisticated, as in the attacks on global telecommunications routers. Defending against these attacks brings us back to the core security messages – including getting the basics right around firewalls, anti-virus and patching, and ensuring people are on the look-out for phishing and other social engineering techniques. In many ways the GRU is using the same techniques and exploiting the same human weaknesses as cyber criminals or any other threat actors.
We must not underestimate the Russian threat (notwithstanding the apparent weaknesses in tradecraft of the GRU’s Dutch operation). The co-ordinated international response we have seen over the last few days is a welcome upping of the ante, and a clear demonstration of the West’s commitment to increasing the cost to Russia of its hostile cyber operations. But it feels like we have a long way to go to develop a really effective response that will achieve genuine deterrent effect.