Russia will deny cyberattacks despite more US evidence

The US authorities are setting out stronger evidence of Russian interference

Russian Foreign Minister Sergey Lavrov yesterday dismissed the indictment of alleged Russian 'trolls' sought by Robert Mueller, the US special counsel investigating interference in the 2016 presidential election, citing its 'lack of evidence'. The indictment accuses the St Petersburg-based Internet Research Agency, its backers and its staff of interfering in the election by running social media accounts under false identities. This account of Russian trolling comes soon after US and UK statements holding the Kremlin responsible for a June 2017 cyberattack that disrupted computer systems in Ukraine and elsewhere.

What next

The revelations will hamper efforts to form a US-Russian working group to develop cybersecurity norms. Moscow will respond to US claims with flat denials and the development of more sophisticated capabilities to evade detection. Greater awareness of hacker groups' mixed criminal and political activities may help investigators track them.

Subsidiary Impacts

  • Private sector firms will play a growing role in attributing state-sponsored cyber attacks.
  • Governments will become increasingly reliant on private sector capabilities; a vendor's arm's-length position lets governments attribute attacks while avoiding diplomatic embarrassment.
  • 'Exploits' made public could be used in hostile cyber operations.

Analysis

Officials in Moscow deny or laugh off allegations of Russian cyberwarfare and 'false flag' social media activity. This line of defence is helped by the difficulty of definitive attribution, and by the authorities' practice of farming out both kinds of activities to non-state actors. This gave President Vladimir Putin scope to shift from absolute denial to an admission in June 2017 that freelance hackers might have taken action against opponents of Russia, without Kremlin knowledge or approval (see RUSSIA/US: 'Freelance' hack claim to blunt US probe - June 2, 2017).

The argument that Western allegations lack substance is becoming harder to sustain as US statements on cyberattacks get tougher and the Mueller investigation digs up evidence. The indictment of the Internet Research Agency is likely to be only one of many lines of investigation.

'Troll factory' indictment

The name, address and activities of the Internet Research Agency have been public knowledge for more than a year, making it the worst kept secret of Russian covert operations (see RUSSIA: People may be persuaded by hacking revelations - October 17, 2017).

The February 16 indictment issued by a federal grand jury in Washington, DC put specific names to the agency's staff and outlines its organisational and funding arrangements:

  • Businessman Yevgeny Prigozhin and two companies he controls are said to have funded the Internet Research Agency; Prigozhin is already on the US sanctions list (see RUSSIA/SYRIA: Deal-making - June 27, 2017).
  • Staff members set up social media accounts under fake identities to conduct a campaign that included supporting Donald Trump's candidacy for the US presidency in 2016 and disparaging Democratic candidate Hillary Clinton, as well as attempting to suppress turnout among minority voters likely to support Clinton.
  • The campaign also involved purchases of online advertisements and the orchestration of political rallies on spurious themes in the United States.

The Internet Research Agency is also suspected of interfering in other electoral processes, and UK politicians are taking a hard look at alleged social media meddling in the Brexit campaign (see RUSSIA/UK: 'Trolls' get more attention - December 7, 2017).

Cyberwarfare

February 15 statements from the White House and the UK Foreign Office blame Russia directly for the June 2017 'NotPetya' cyberattack on Ukraine and other states. The US statement cited the Russian military as the perpetrator, implying involvement of the armed forces' intelligence service, the Main Intelligence Directorate (GRU).

The NotPetya malware was initially delivered through a compromised update to a Ukrainian accounting software package, then spread across corporate networks to become one of the most serious cyber attacks of 2017, hitting banks, energy companies, government offices and an airport in countries including India, the United States and Russia itself.

In just one of many impacts, Maersk, the world's largest shipping company, had to install 4,000 new servers and 45,000 computers at a cost of 250-300 million dollars.

NotPetya looked like a ransomware attack but this may have been a disguise

The cyberattack looked initially like a ransomware operation, in which users find their data encrypted alongside a message demanding payment in exchange for decryption. This made it look as though the perpetrators were criminals with no political affiliation or motivation. Security researchers soon found, however, that the payment channel was unusable and that affected data could not be recovered even if a ransom were paid, which made the malware in effect a destructive 'wiper' dressed up as ransomware.

Cyber experts at the UK National Cyber Security Centre believe the GRU was almost certainly responsible for the NotPetya attack. The same conclusion was drawn by the CIA with "high confidence" in November.

State, non-state or quasi-state

The Russian intelligence services are believed to contract out much of their cyber activities to a range of hacker groups.

The unorthodox nature of these contacts was illustrated by the arrests, reported in early 2017, of Sergey Mikhailov and Dmitry Dokuchayev, officers of the Federal Security Service (FSB) employed in its elite Information Security Centre.

The arrests were reportedly conducted because the authorities believed US intelligence was being tipped off about Russian cyber operations by individuals with access to classified information. Both suspects were also reported to have overseen Shaltay-Boltay (Humpty Dumpty), a hacker group that blackmailed prominent Russians for profit rather than political ends (see RUSSIA: Arrests unlikely to derail cyberespionage - February 21, 2017).

Ukraine

Because of the ongoing conflict, Ukraine has repeatedly been targeted by hacker groups of Russian origin. Some see Ukraine as a testing ground for various methodologies -- perhaps even as a 'showcase' to demonstrate to the West what Russia is capable of.

The IT security company ESET suggested that a Russia-based hacker group called Sandworm (also known as TeleBots) carried out the NotPetya attack. Sandworm cut off power to hundreds of thousands of people in 2015 and 2016 through attacks on Ukrainian electric utilities.

Another group, CyberBerkut, uses cyber attacks and leaks to discredit the Kyiv government. Researchers at the Citizen Lab have found links between CyberBerkut and the Fancy Bear group.

US election hacking

Fancy Bear (also known as Sofacy or APT 28) and Cozy Bear (also known as APT 29 or CozyDuke) came to wide public attention after being identified as having broken into US Democratic National Committee (DNC) computer networks ahead of the 2016 election.

Fancy Bear is thought to be controlled by the GRU, while Cozy Bear is linked to the FSB.

CrowdStrike, the firm that discovered the DNC intrusion, stated that the two intrusions occurred at different times and that the perpetrators appeared unaware of one another's presence in the network. This points to adversarial relations between the GRU and the FSB, a primarily domestic security agency. Tracking inter-agency rivalries may help Western governments discover weaknesses and predict the nature of future attacks.

Russian intelligence agencies run separate rather than coordinated operations

Konstantin Kozlovsky, put on trial in Russia last year for alleged membership of a bank-hacking crime group, testified in December that he had been hired by the FSB to access DNC networks. While this has not been confirmed by the DNC or Crowdstrike, Kozlovsky claims he left a data signature in the DNC's servers to prove his involvement.

Reports recently surfaced indicating that the Dutch intelligence service penetrated Cozy Bear networks as long ago as 2014, tracked the group's activities and shared intelligence on DNC data theft with its US counterparts.

Shadow Brokers

The Shadow Brokers are one of the most mysterious hacker groups, and some analysts believe they are associated with Russia. Since 2016 they have published hacking tools and computer exploits taken from the Equation Group, the name given by security researchers to an elite hacking unit widely believed to be part of the US National Security Agency (NSA).

In April 2017 the Shadow Brokers leaked an exploit attributed to the NSA, called EternalBlue, which targets a flaw in the Windows SMB file-sharing protocol. Microsoft had released a patch for the flaw a month earlier, but large numbers of unpatched systems remained. The exploit has since been used in a number of operations, including by the authors of WannaCry, the ransomware that hit the UK National Health Service particularly hard in May 2017, and by NotPetya, which used it to spread within networks (see INTERNATIONAL: Vulnerability disclosure deeply divides - May 25, 2017).