The Cyber-Intelligence Nexus: Russia’s Use of Proxies

By Sarah Geary

Sarah Geary is a senior analyst on FireEye's Horizons team, which conducts strategic forecasting to anticipate risks posed by emerging technologies and geopolitical developments. She specializes in cyber deception and advanced analytic tradecraft. Prior to joining FireEye, Geary served nearly a decade in government, focusing mostly on cyber threat analysis.

What if network defenders knew that a cyber operation occurred during Moscow business hours, that it involved a Russian IP address, and that the cyber actors used a Cyrillic keyboard? Would those indicators by themselves be enough for attribution? Given the Russian cyber environment, the answer is clearly “no.” Those indicators could be shared by any of the cyber actors in Russia, with or without the support of the Russian government, or by other worldwide actors trying to masquerade as Russians.

The Russian government itself is advanced in its cyber capabilities, but it also has access to Russian hackers, hacktivists, and the Russian media. These groups disseminate propaganda on behalf of Moscow, develop cyber tools for Russian intelligence agencies like the FSB and GRU, and hack into networks and databases in support of Russian security objectives. Russia’s use of such proxies complicates attribution after a cyber incident: it becomes harder to determine whom to respond to, which constrains potential cyber deterrence against Russian entities.
