A riddle wrapped in a mystery inside an enigma: an analysis of Russia’s cyber profile

Published by:
John
Published on:
September 9, 2016

In today’s geopolitical arena, battles are increasingly fought with bits instead of bullets, and bots instead of soldiers. While these covert operations largely remain behind the scenes, the result is often felt as an aftershock by the public. The list of casualties, which includes some of the biggest names in financial services, technology, defence and government, is growing exponentially. And to further blur the already murky waters surrounding the issue of attribution in cyber warfare, nation state actors aiming to achieve a degree of deniability now often employ proxies to engage in cyber espionage campaigns.

The Russian Federation remains a key actor in the fifth domain. Unlike some “noisy” actors in the cyber domain, the Russian government keeps a low profile (unless, of course, it wants people to know it was them). Winston Churchill described Russia in 1939 as “a riddle wrapped in a mystery inside an enigma”, and Russia continues to maintain that air of mystery and uncertainty. Where are the Russians and what are they up to?

A Brief History of Cyber-Attacks

Since the 1990s, Russia has engaged in a number of high-profile cyber-attacks which have been publicly examined. Russia denies all culpability, and there is little evidence that can be traced back to the Russian government. Instead, the Russian authorities prefer to use the term “political hacktivism” to point the finger at individuals or groups driven by a sense of patriotism and national identity.

[Image: Russia timeline - cyber attacks]

If taken within the specific geopolitical context, all of the above incidents reveal a significant degree of culpability on Russia’s part. The government itself may not have acted directly in most cases, but it nevertheless likely encouraged, supported, or approved cyber operations by proxies.

Russia’s Tactics, Techniques and Procedures (TTPs)

Russia is the origin of many of the most complex and sophisticated cyber-attacks. One of Russia’s greatest cyber advantages is its wealth of human capital. Russia has a very high level of educational attainment which, combined with the Soviet legacy of prioritising maths and science education, has created a large pool of technical specialists. However, the limited capacity of the technology sector to absorb these computer-savvy individuals, together with widespread corruption at all levels, creates a breeding ground for cyber-crime.

The majority of cyber-crime in Russia is financially motivated: phishing, whaling, carding, and extortion. The use of Trojans, ransomware, and spybots is also very common. In addition, political hacktivism is known to be particularly prevalent; it usually involves website defacement and Distributed Denial-of-Service (DDoS) attacks. While most cyber-attacks are aimed at Western entities, inward-looking cyber-attacks are on the rise, primarily those involving the Russian government keeping an eye on its own population and that of neighbouring countries.

Russia’s cyber capabilities are assessed to be very high. Russia’s TTPs include the delivery of weaponised email attachments containing malicious payloads, although government-affiliated groups have repeatedly displayed flexibility and adaptability when it comes to initial attack vectors, exploits, toolkits, data exfiltration techniques, and obfuscation methods. The example of the Turla Group, with its satellite-based command-and-control (C&C) mechanisms, is reflective of the skills and capabilities of Russian nation state proxies.

Russia’s Motivations

Conventional wisdom holds that nation state actors engage in cyber activities for two reasons: to advance their own strategic position, and as a retaliatory action against a specific event. While this is accurate to an extent, it is also true that different nation state actors display different motivations. For instance, it is believed that Iran is using its sophisticated cyber capabilities to minimise Western influence while at the same time establishing itself as a dominant power in the Middle East. China is said to engage in cyber exploitation to advance its technological innovation for state-related matters, such as the healthcare system.

Although Russia’s motivations are viewed exclusively through the financial prism, it is equally credible to claim that the Russians engage in cyberwarfare to further their geopolitical interests. The notion that Russia uses the fifth domain as an extension of the political and military arena is not new. Russia has repeatedly used cyber means to advance the country’s national interests – the brief timeline of events outlined above substantiates this. The financial aspect comes into play when one considers that the government and intelligence agencies use organised criminal gangs and cyber-criminal groups as proxies, and these groups are primarily driven by peer competition and financial gain.

Seven decades later, Churchill’s famous quote is more relevant than ever. Russia’s cyber profile remains incomplete because of the country’s almost surgical tactics and techniques. However, taking into consideration Russia’s trends, TTPs, and motivations, we can make likely assessments as to the country’s whereabouts in the cyber domain.