Cyber operations remain at the forefront of confrontations between the West and Moscow as relations continue to deteriorate. Russia asserted itself in 2007 with “patriotic hackers” launching a volley of distributed denial of service (DDoS) attacks on Estonian systems. Then in 2008, cyber attacks preceded the Russo-Georgian war, and again in 2014 before Russia's annexation of Crimea and large swaths of eastern Ukraine.
Throughout this period, Russian President Vladimir Putin and his Kremlin cohort have shown a capacity for hybrid warfare, a blend of conventional, irregular, and cyber warfare. The term describes a way of approaching geopolitical relations with subtle deception and information operations backed by military might. This is a modern twist on Soviet-era “active measures,” – intelligence agencies’ movement beyond mere collection into disinformation, subversion, and use of proxy organizations, political parties, and criminals to expand Russian influence. The term hybrid warfare can be so broadly applied that it almost becomes meaningless, but two of its central tenets – the use of proxies and cyber attacks for plausible deniability – are worth exploring in the Russian context.
So how does the Kremlin work through proxies in cyberspace, and what is the character of its relationships with those entities?
Sarah Geary, a senior analyst on FireEye’s Horizons team, argues “the Russian government itself is advanced in its cyber capabilities, but it also has access to Russian hackers, hacktivists, and the Russian media. These groups disseminate propaganda on behalf of Moscow, develop cyber tools for Russian intelligence agencies like the FSB and GRU, and hack into networks and databases in support of Russian security objectives.”
The involvement, according U.S. intelligence, of Russian state-sponsored groups in last year’s Democratic National Committee breach is apparent in the sanctions placed on Russian individuals and institutions in December. Not only are two Russian intelligence agencies, the FSB and the GRU, and their leadership listed, so are two individuals, Alesksey Belan and Evgeniy Bogachev for cybercrime, as well as three private institutions, for providing technical assistance to Russian intelligence.
Code from the Zeus malware, allegedly developed by Bogachev to steal banking credentials, appeared in a number of spear-phishing emails as part of Russia’s politicized hacking campaign. Known criminal infrastructure, such as King Servers, also acted as a launch pad for numerous political hacks in the United States, including the DNC breach. In another instance, the Kremlin’s technology conglomerate, Rostek, contracted Alexander Vyarya, a programmer working at the time for the Russian cybersecurity firm Qrator, to help amplify DDoS attacks, not mitigate them. Once he witnessed the disruptive program tested on Ukraine’s Defense Ministry, Vyarya fled to Finland, seeking asylum.
Geary argues, “Russian-language hackers are the main proxy group working with Russian intelligence on cyber operations. The government usually allows cybercriminals to operate from Russia as long as the criminals do not go after Russian targets. This impunity gives the government leverage over hackers for their cooperation in developing malware or pursuing targets Russian government targets.” For example, Dmitry Dokuchayev, a former criminal hacker known as Forb, agreed to work for the FSB in order to avoid prosecution for credit card fraud.
It is not clear, however, to what degree the Kremlin directs these proxy groups. Many of these examples are circumstantial – anyone can commandeer malware for their own use, hijack criminal infrastructure to launch attacks, or build an online persona to divert attention. These indicators do not, on their own, ascribe cyber operations to the Russian government, or their use of proxies. Ed Cabrera, the Chief Cybersecurity Officer at Trend Micro and former Chief Information Security Officer at the Secret Service, argues “it is too much of a gray area and we get into a trap by saying all of these cybercriminals and all this activity is all state-sponsored.”
This inability to adequately differentiate between criminal and government activity in cyberspace may be the strategic environment the Kremlin actively seeks. Cabrera argues that “maybe they encourage this gray area because it creates a level of doubt for those that might be attacked by Russian cyber espionage groups. In other words, keeping their adversaries on their toes.”
“Ultimately,” Cabrera maintains, “asking who is working for whom is the better question. With the amount of money being made by these cybercriminal groups, it could be a corruption issue as well as a political and espionage issue.” The possibility of corrupt officials with specific skills moonlighting as cybercriminals for extra income is high in any country, let alone Russia, a country governed through semi-official liaisons alongside burgeoning crime. Cabrera points out that “there have been proxies from a physical espionage perspective for years, either through companies, criminal groups, or other countries – it’s normal. It appears, however, to be a newer phenomenon to work with or through proxies in cyberspace.”
But while digital forensics alone are unable to adequately attribute proxies, both technical and traditional intelligence are capable of bridging the gap. Geary points out that “it is only by fleshing out the specific tactics, techniques, and procedures and cyber infrastructure of each proxy group, the relationships between the groups, and how the cyber operation fits in with their motivations that it becomes clearer who is ultimately behind a cyber incident.”
Ultimately, Geary maintains, “intelligence is key to attribution – particularly in this tangled web of Russian cyber proxies.”
Levi Maxey is a cyber and technology producer at The Cipher Brief. Follow him on Twitter @lemax13.
