The Russian ICC (XIII): The intelligence ecosystem. Patriotic hackers

The concept of patriotic hacker can be understood as the attacker, in the cyber field, whose activities support in one way or another his country in a real conflict, directed against the enemy of the state ([1]). Along with China, Russia has been perhaps one of the countries that has most empowered these groups, active for years in conflicts such as Kosovo (1999), Estonia (2007) or Georgia (2008). In Spain, if there has ever been something similar and in any case not state sponsored, it could be linked to small actions in the network against the environment of ETA after the murder of Miguel Angel Blanco (1997), perhaps at odds between hacktivism and patriotic hackers (this would give for an interesting debate), but in any case very far from the activities of patriotic groups in other conflicts or countries.

In Russia, different groups have been identified that could be called Kremlin-related groups (from Chaos Hackers Crew in 1999 to Cyber Berkut, active in the conflict with Ukraine) and their actions, groups that have focused their activities on defacements and, in particular, in DDoS attacks against targets that have been considered contrary to Russian interests. From each of the operations of these groups there is literature and more literature. An excellent summary of the most notorious can be found in [8]. As early as 1994, in the First Chechen War, some patriotic groups used the incipient web for PSYOP, at that time with Chechen victory, a victory that would change sides later (1999) in the Second Chechen War ([3]). Years later, in 2007, Russia launches a cyber-attack against Estonia that stops the operation of the online banking of the main Estonian banks, blocks access to the media and interrupts communications of the emergency services ([4]); but there are no deaths or injuries on either side, unlike what happens a little later (2008) in Georgia, where there is a hybrid attack- the first known case in history – consisting of cyber-attacks and an armed invasion. A conflict in which different groups arise that encourage attack – in particular, through DDoS on the websites that support the opposite side. These denial attacks differed from those launched against Estonia: not only were they injecting large volumes of traffic or requests against the target, but also using more sophisticated techniques, such as using certain SQL statements to introduce additional load into this objective, thus amplifying the impact caused.

At about the same time as Georgia’s, Lithuania gets its turn, also in 2008 and, as in Estonia, in response to political decisions that their Russian neighbors do not like. In this case the Lithuanian government decides to remove the communist symbols associated with the former USSR, which causes denial of service attacks and defacements of web pages to locate in them the hammer and the sickle. A few months after the actions in Lithuania, attacks on Kyrgyzstan begin, already in 2009 and again after political decisions that the Russians do not like, now regarding the use of an air base of the country by the Americans, key for the American deployment in Afghanistan. In this case it is about DDoS attacks against major ISPs in the country, which further degraded the already precarious Kyrgyz infrastructures, originated in Russian addresses but, according to some experts, with much more doubt in the attribution than other attacks of the same type suffered previously by other countries. Also in 2009 Kazakhstan, another former Soviet Republic – and therefore of prime interest for Russian intelligence – suffers DDoS attacks following statements by its President criticizing Russia.

Finally, as early as 2014, The Ukraine becomes another example of a hybrid war, as it happened in Georgia years ago, and an excellent example of the Russian concept of information warfare, with attacks not only by DDos, but especially by disinformation through social networks: VKontakte, supposedly under the control of Russian services (we spoke before about their relationship with companies, technological or not). It is the most used social network in Ukraine, which offers an unbeatable opportunity to put in practice this disinformation ([6]). For different reasons, including the duration of the conflict itself, The Ukraine is an excellent example of the role of patriotic hackers on both sides (Cyber Berkut on the Russian side and RUH8 on the Ukrainian side), supporting traditional military interventions, putting into practice Information warfare, psychological operations, DDoS, attacks on critical infrastructures …

The presence and operations of Russian patriotic hackers seems indisputable. The question is to know what relationship these groups have and their actions with the Kremlin and its services, if any, and the degree of control the Russian government may have over them … and even its relationship with other actors of interest to Russian intelligence, such as organized crime, which we will discuss in the next post of the series. Actions such as those executed against Ukrainian servers in 2014 by Cyber Berkut showed TTPs very similar to those previously used in Estonia or Georgia, which would link these actions not only to properly organized groups, but would also lead to a possible link with The Kremlin, following the hypothetical attribution of these last actions with the Russian government ([2]).In [9] an interesting analysis is made of the relationship between patriotic hackers, cybercrime and Russian intelligence during the armed conflict with Georgia in 2008. In addition, in the tense relations between Russia and Georgia, there is another hypothetical proof, especially peculiar at least, of the link between attacks, patriotic hackers and Russian services: in 2011, the Georgian government CERT ([7]), before a case of allegedly Russian espionage, decides to voluntarily compromise a computer with the malware used by the attackers, put a lure file on it and in turn to trojanize said file with remote control software. When the attacker exfiltrated the honeypot, the CERT was able to take control of his computer, recording videos of his activities, making captures from his webcam and analyzing his hard disk, in which emails were supposedly found between a controller – from the FSB, so the evil tongues of some analysts say, who knows … – and the attacker, exchanging information of objectives and information needs and instructions on how to use the harmful code.

Regardless of the relations of the Russian services with groups of patriotic hackers, the infiltration or the degree of control over them, what is certain is that in certain cases the FSB has publicly avoided exercising its police duties in order to pursue a priori criminal activities by Russian patriotic hackers: in 2002, Tomsk students launched a denial of service attack against the Kavkaz-Tsentr portal, which housed information on Chechnya annoying for the Russians. The local FSB office issued a press release in which it referred to these actions of the attackers as a legitimate “expression of their position as citizens, worthy of respect” ([5]). And what is indisputable is that after decisions made by a sovereign government that may be contrary to the interests of the Russian government or simply to their opinion, that government suffers more or less severe attacks – depending on the importance of that decision – against its technological infrastructures, at least in areas especially relevant to Russian intelligence and government such as the former Soviet Republics. Of course, attacks that are difficult to reliably link to the Russian government or patriotic hackers of this country, but they occur in any case.

Finally, one more detail: Russian patriotic hackers have not only executed actions against third countries, but also operated within the RUNet. One of the most well-known cases is that of Hell, acting against Russian liberal movements: opponents of the government, journalists, bloggers … and of which there have been signs of their connection with the FSB (let’s remember, internal intelligence) specifically with the CIS of this service. In 2015 Sergei Maksimov, allegedly Hell, is tried and convicted in Germany for falsification, harassment and information theft. Although facing three years in prison, the sentence imposed is minimal. Was Maksimov really Hell? Were there any links between this identity and the FSB? Was Hell part of the FSB itself, unit 64829 of this service? Nor do we know, nor will probably ever know, as perhaps we do not know whether Nashi, a patriotic youth organization born under the protection of the Kremlin – this we do know, as it is public – organized DDoS attacks not only against Estonia in 2007, but also against Russian journalists opposed to Putin’s policies, and also tried to turn to journalists and bloggers for their support in anti-deposit activities in the Russian government … at least that is what the emails stolen by Anonymous- allegedly, as always, from Kristina Potupchik, spokesperson for Nashi at the time and later “promoted” to Internet project manager of the Kremlin, say (this is also public).

References
[1] Johan Sigholm. Non-State Actors in Cyberspace Operations. In Cyber Warfare (Ed. Jouko Vankka). National Defence University, Department of Military Technology. Series 1. Number 34. Helsinki, Finland, 2013.
[2] ThreatConnect. Belling the BEAR. Octubre, 2016. https://www.threatconnect.com/blog/russia-hacks-bellingcat-mh17-investigation/
[3] Kenneth Geers. Cyberspace and the changing nature of warfare. SC Magazine. July, 2008.
[4] David E. McNabb. Vladimir Putin and Russian Imperial Revival. CRC Press, 2015.
[5] Athina Karatzogianni (ed.). Violence and War in Culture and the Media: Five Disciplinary Lenses. Routledge, 2013.
[6] Andrew Foxall. Putin’s Cyberwar: Russia’s Statecraft in the Fifth Domain. Russia Studies Centre Policy Paper, no. 9. May, 2016.
[7] CERT-Georgia. Cyber Espionage against Georgian Government. CERT-Georgia. 2011.
[8] William C. Ashmore. Impact of Alleged Russian Cyber Attacks. In Baltic Security and Defence Review. Volume 11. 2009.
[9] Jeffrey Carr. Project Grey Goose Phase II Report: The evolving state of cyber warfare. Greylogic, 2009.

Image courtesy of Zavtra.RU

The Russian ICC (XII): The intelligence ecosystem. Web brigades

The known Web Brigades (or G-team) are groups theoretically linked to the Russian government which participate in forums, social networks, blogs, information websites … to generate a positive image of Russia (and Putin in particular) in digital media. As rumors suggest, these groups are controlled by the FSB itself, although this is difficult to prove [1]. One of the most well-known cases of the use of web brigades to disseminate this information is the Olgino Trolls, a fairly large group of paid people – always theoretically – to promote Russian positions on national or international political issues.

The members of the web brigades even have defined guidelines to elaborate their comments and opinions ([4]), that mark for example the minimum number of words of each entry or the guidelines so as to go unnoticed in social networks, combining political opinions with other inconsequential ones about hobbies or travel; something that seems perfectly studied and orchestrated and in what will probably be invested large amounts of money, that perhaps comes from government-aligned groups… or the government itself. [Read more…]

The Russian ICC (XI): The intelligence ecosystem. Companies

When we talk about the relationship of Russian services with companies in the country, it is necessary to emphasize that these services are not interested in any type of organization, only those that can give coverage to the service or those that allow them to control, to a greater or lesser extent, a field of interest for Russia’s national interests – usually strategic companies for the nation – natural resources (gas and oil in particular), media, state monopolies created after the dismemberment of the USSR … As a curious fact in relation to state control in some areas, Russian law identifies strategic sectors or companies and it is the Russian law itself that defines how to invest in them, including foreign investment in these companies: foreign companies are prohibited from owning a strategic Russian company, unless expressly approved by the President. [Read more…]

The Russian ICC (X): the intelligence ecosystem

coat_of_arms_of_the_russian_federation-svgWe cannot conceive the Russian intelligence community, described in this series, as a set of services dependent on political or military power. The degree of penetration of these services throughout Russian society is very high, both officially and unofficially. It is no secret that former KGB or FSB officials occupy positions of responsibility in politics or big companies in the country. As a curiosity, in 2006 it was reported that 78% of the country’s top 1,000 politicians had worked for the Russian secret services [1]. So much so that these profiles have a proper name: siloviki, a term that comes to mean people in power. And it is no secret who is the most well-known siloviki: Vladimir Putin, President of the Russian Federation, who was agent of the KGB in the Soviet era and later Director of the FSB.

To understand this degree of penetration of Russian intelligence in certain organs of power it is necessary to go back especially to the 1990s. The dismemberment of the Soviet Union caused a chaotic situation in Russia, with high unemployment or poverty rates. Many people had lost their jobs – among them, it is estimated that 40% of the KGB (2) – and the easy exit for these citizens was obviously illegal. Many former members of the security forces, the army or the intelligence services ended up swelling the ranks of organized crime groups or working in the legal or illegal protection of oligarchs or mafia leaders. This transfer of specialized personnel to organized crime groups was not only the way of survival of these people, but also a considerable reinforcement of these groups, both in volume and quality: thanks to these new signings, many of them went from small, un-specialized small groups who used basic techniques of intimidation, to be converted in perfectly organized mafia groups, with better human and material resources and highly specialized tactics. And especially, with better relations with the Russian security, defense or intelligence services, the cradle of a good part of the new personnel of the mafia groups.

In this convulsive situation, it seemed that the most stable business was organized crime; for example, the number of homicides had tripled in 1995 compared to the 1988 figures. When the Russian Government began to privatize state enterprises and services, organized crime groups, with a lot of money and power, identified the opportunity to position themselves In these, which automatically not only increases their economic power, but also positions mafias in the front line of political power.

Let us recapitulate: organized crime maintained a close relationship with the security or intelligence services, since many of its members came from them, and also with the large privatized companies and therefore with national politics. A perfect combination to become a key piece for the country. The Russian Government was aware that, in order to return the country to a situation of relative normality, organized crime had to be compulsory. So much so that in 1994 Boris Yeltsin came to call Russia “the greatest mafia state in the world”.

But the arrival of Vladimir Putin to the government in 1999, tries to change this situation with two objectives: to return the control of the strategic assets to the state and to let the world know that the state controlled these assets again – and, therefore, Russia was a world power as was the USSR. It takes control of the main companies and command posts to oligarchs and criminals and places former KGB officers or their successor, the FSB, in the assurance that they all identified the same Mother Russia of which we have already spoken about in this series.

With a hard-handed dose, Vladimir Putin achieves his challenge and largely eliminates organized crime from strategic positions for the country; but the power acquired by the Mafia groups during the 1990s was too high, and trying to eliminate their activities altogether could even destabilize Russia [2], thus Putin should be content with removing them from these strategic positions but veiledly allow them to continue their illegal business.

Let’s look at the big spider web: Russian intelligence maintains connections with organized crime, gained in the 1990s, and widespread penetration in the country’s political (government) and economic (strategic enterprises) circles of power, gained in the first decade of this century. With this degree of infiltration into the power circles, Russian intelligence achieves two clear objectives: coverage and control (or collaboration, depending on the degree required in each case). This has been the case since the Soviet era and it is – coincidentally or not – in the Russian. In fact, until recently, a high percentage of senior Russian government officials were siloviki, although with Medvedev this percentage has been reduced and the siloviki have lost some of their power in politics, although they still constitute a relevant lobbying group (or several, as there are several “families” of siloviki). With the election of Medvedev as Russian Prime Minister, Putin reinforced the liberals (economists and lawyers, many of them from St. Petersburg) in front of the siloviki, headed by Sergei Ivanov, who was granted the Presidential Executive Office Headquarters; an interesting movement between two opposing clans that from that moment have a nexus of union almost unique: President Putin himself.

In addition to these circles of power, Russian services are closely related to citizen movements and even to the Russian Orthodox Church; although this last relation we are not going to describe – we are focusing on, or attempting to do so in a cyber environment – it does not fail to be a good indication of the extent to which there is a broad social penetration of intelligence in Russian society. And we will see that this penetration is not restricted to classical intelligence, but is automatically extrapolated to the cyber domain.

The relations of the Russian services with some of these actors are generally protected by the Law and can only cause ethical prejudices; however, in “unofficial” relationships legality is more than doubtful, not only with organized crime (in our case, with organized cybercrime) but also with movements like patriotic hackers, which have launched real offensive campaigns against the Russian homeland, perhaps covered by the country’s own services…

We will review in these next entries the relations of the Russian intelligence community, previously described, with the different actors relevant to that community, which allow it to increase its control and its acting capacities, especially unofficially.

References
[1] Alexander Klimburg, Heli Tirmaa-Klaar. Cybersecurity and cyberpower: concepts, conditions and capabilities for cooperation for action within the EU. Directorate-General for External Policies of the Union. Directorate B. Policy Department. European Parliament, 2011.

[2] Fred Burton, Scott Stewart. Russia and the Return of the FSB. Stratford Security Weekly. April, 2008.

The Russian ICC (IX): APT groups

russian-malware-analysis-temp-770x513We have talked so far about the main services that make up the Russian intelligence community in its cyber domain and we will continue to describe in successive posts the rest of the complex Russian ecosystem but, where are the allegedly Russian APTs? Groups known to everyone, such as APT28 (FancyBear, Sofacy …) or APT29 (CozyBear, The Dukes …), must be somehow related to this community … if they are not part of it, right?

These groups, APT28 and APT29 (we will call them that, although we take the opportunity to ask for an ISO standard for naming APT groups, which each have a dozen) are undoubtedly the best known in the Russian panorama, FireEye [5] and [6]. So, are they units of any of the Russian services listed above? Are they mercenaries who sell their work to the highest bidder? Are they organized groups that provide information in exchange for impunity? Are they the result of false flag operations of a third party? We neither know nor might ever know… However, as it is impossible, we will evaluate in this post, or at least try to (remember that attribution is always hypothetical, that’s why we like it so much ;) , some of the elements that allow us to relate these groups to the Russian services. There are more supposedly Russian groups, such as Turla; we’ll talk about them in another post…

APT28 and APT29

The first question we need to ask about these groups is whether they are really Russian; most technical indicators show that they are: from the hours and dates of compilation of their arsenal, coinciding in great part with the working hours of Moscow and Saint Petersburg, to the codification and languages used in good part of their artifacts. However, here we encounter the great problem of attribution, i.e., we approach it from artifacts left, voluntarily or involuntarily, by the attacker. Can a man from Cuenca know Russian – even colloquial -, change the time of his team to fix it in the schedule we referred to or configure the system in Russian? Without any problem. Could these groups be from Cuenca, then? Of course.

Although the technical indicators are easily alterable, they are what we have to work with; both in APT28 and in APT29 analysts identify not a man from Cuenca, but a structured group with separate responsibilities, with established development methodologies … something that we could call a malware factory. That is to say, a powerful organization is identified behind, an organization that could be an independent group, a unit of a particular service, a company … from Moscow, St. Petersburg or Cuenca.

Information needs, and therefore the objectives of these groups are more difficult to falsify than purely technical indicators (eye, but it is not impossible to do so); in the case of these groups, their victims are compatible with the information needs of the Russian government, which will be discussed in detail in this series of posts, both geographically and operationally. Falsifying this would be much more costly for a third party- we insist, but NOT impossible when we speak of an actor with many capacities, as a state; therefore, if the technical indicators point to Russia, the targets and victims point to Russia and the information needs reflected coincide with the supposedly Russian ones ([8]), the probability that APT28 and APT29 have Russian roots is HIGH. Can we confirm 100%? Of course not.

TTP

The usual tactics, techniques and procedures associated with APT29 go through the attack through phishing directed at the victim, with a link in the mail to download a dropper that, when executed, will in turn download a RAT; on the other hand, APT28 works more with the creation of fraudulent web pages similar in aspect to those of its objectives, with names of domains close to the legitimate ones, for theft of credentials. The APT28 arsenal is based mainly on the exploitation of Microsoft and Adobe products, as well as that of APT29, in both cases due to the popularity of these environments and therefore the success in its exploitation; however, APT28 uses more vulnerabilities without known exploits than APT29 ([2]) and its catalog is much larger than the latter, which could imply both a greater number of resources and a greater experience in the area of cyberspace on the part of APT28 than APT29, but on the contrary APT29 is very discreet and has a very high persistence target. In any case, both groups are technically excellent and their catalog of vulnerabilities rarely overlaps, denoting the separation (and competition) of both, and which would be compatible with the separation (and competition) of Russian services which we have already mentioned in this series of posts. In addition, some of the vulnerabilities exploited by APT28 and APT29 in their campaigns are also exploited by groups linked to cybercrime ([2]), which can range from a distraction maneuver to something that may reinforce the theory of close linkage between the Russian cyber-intelligence community and other actors in their environment, as discussed later in this series of posts.

In both cases, work methodologies, technical capacities, operational infrastructure and operational security (OPSEC) … indicate that APT28 and APT29 are not individual attackers or groups that are not well organized, but groups with a considerable amount of resources, stable in time and with a perfectly defined structure and operation. Supported by a state? Direct part of said state? In [8] we found an excellent analysis. The probability is HIGH, since few organizations can have these capabilities but, as always, we cannot confirm with certainty.

Goals

Among the objectives of APT28 are sectors such as aerospace, defense, energy, public administrations and media (remember the handling of information in Russian strategies and doctrines), with a special affection for the ministries of Defense and organizations of the former sectors linked to the military environment ([1]) that coincidentally reflect the interests of Russian military intelligence; In [5], a report where FireEye identifies this group as APT28, details some of the objectives – and of the victims – of APT28, emphasizing their operational interest in the areas close to the military and, in addition, their interest in the control of the information on issues relevant to Russia, somewhat aligned with the broad concept of Russian information warfare that we have referred in previous posts. APT28 does not address intellectual property theft, and in addition, compromised countries correspond to the main Russian geopolitical interests – which we will comment on in future posts – and the objectives are compatible with both the Russian origin of the group and the possible proximity of the same with the military field; in other words, APT28 and GRU share information needs and objectives, so maybe, just maybe, they have some kind of relationship. Is APT28 a GRU unit? We do not know. Is it an external group paid for by the GRU? We do not know. Is it a group from Cuenca? We do not know…

On the other hand, APT29 expands the objectives of its competitor, partially disconnecting them from the military to focus not only on this, but also in sectors such as pharmaceuticals, financial or technology, to mention just a few examples, as well as NGOs and even in criminal organizations ([7]). This last element is very significant, since it could reflect the police attributions, and thus the information needs, of the Russian FSB, while the attack on different NGOs implies – or may imply – political, economic or information control interests .
In line with a service like the FSB … or in line with a fake flag operation from Cuenca.

A recent example

Undoubtedly, the most recent case most rumored of alleged compromises by Russian APTs, this time by both APT28 and APT29, is the US Democratic National Committee (DNC) in 2016, and its potential influence on the results of the Election campaign, incident described to perfection in [3]; Crowdstrike revealed the presence of both groups in DNC systems, with greater persistence by APT29, and leaving their competitors among these groups: they do not share TTPs, nor vulnerabilities, nor resources … but sometimes they share goals. To the technical elements for the attribution to the Russian services, analyzed by companies like the previous one (and later reinforced by others like FireEye or Fidelis) the surprise appearance of Guccifer 2.0 is joined, a presumably false identity (a sockpuppet) compatible with the Russian military doctrine and completely aligned with the broad concept of information warfare that we have already mentioned and which includes deception, misinformation, etc. An excellent analysis of this sockpuppet and its potential relationship with a false GRU flag operation can be found in [4].

Conclusions

We have seen in this post that everything indicates that APT28 and APT29 are of Russian origin and possibly have the support of a government for its activities, two hypotheses of HIGH probability. The information needs of both groups are compatible with the information needs of the Russian government, and its objectives also coincide with the concerns of the Russian government in different areas. They do not share intelligence or arsenals, which would be compatible with the separation of the different Russian intelligence services if APT28 and APT29 were linked to some of them, but they do share objectives: the final result, intelligence, would be of higher quality. According to different analysts, APT28 may be related to Russian military intelligence, the GRU, while APT29 would be related to the FSB. It may be so. Or maybe not. Many times one comes to the conclusion that names like APT28, PawnStorm, APT29, Snake … are just the elegant way we have of saying FSB, GRU, FSO … when we do not have enough evidence to confirm the implication of these services in certain operations. In any case, if APT28 really corresponds to a unit of the GRU and APT29 with a unit of the FSB (or vice versa, as defended [9]) is something that we, of course, do not know for sure or think we can know in the short term: everything is a hypothesis. Perhaps, right now there is a man in Cuenca, very smart and organized, with many resources, listening to Radio Moscow to perfect a foreign language and configuring his computer with the St. Petersburg time zone while laughing at all the analysts of the world.

References

[1] Dmitri Alperovitch. Bears in the Midst: Intrusion into the Democratic National Committee. CrowdStrike. Junio, 2016. https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/
[2] RFSID. Running for Office: Russian APT Toolkits Revealed. Agosto, 2016. https://www.recordedfuture.com/russian-apt-toolkits/
[3] Eric Lipton, David E. Sanger, Scott Shane. The Perfect Weapon: How Russian Cyberpower Invaded the U.S. New York Times. Diciembre, 2016. http://www.nytimes.com/2016/12/13/us/politics/russia-hack-election-dnc.html
[4] Thomas Rid. All Signs Point to Russia Being Behind the DNC Hack. Motherboard. Julio, 2016. http://motherboard.vice.com/read/all-signs-point-to-russia-being-behind-the-dnc-hack
[5] FireEye. APT28: A window into Russia’s cyber espionage operations? FireEye. Octubre, 2014. https://www2.fireeye.com/apt28.html
[6] FireEye. HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. FireEye. Julio, 2015. https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf
[7] F-Secure. THE DUKES. 7 years of Russian cyberespionage. F-Secure. Septiembre, 2015. https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf
[8] Jen Weedon. Beyond ‘Cyber War’: Russia’s Use of Strategic Cyber Espionage and Information Operations in Ukraine. Kenneth Geers (Ed.), Cyber War in Perspective: Russian Aggression against Ukraine. NATO CCD COE Publications. Tallinn. 2015.
[9] Malcolm Nance. The plot to hack America: How Putin’s cyberspies and WikiLeaks tried to steal the 2016 election. Sky horse Publishing, 2016.

Image courtesy of Indian Strategic Studies.

The Russian ICC (VIII): GRU

gru_emblemThe only major Russian service which, as we have indicated, is not a direct heir of the KGB is the GRU (Glavnoye Razvedyvatelnoye Upravlenie), military unit 44388, whose aim is to provide intelligence to the Ministry of Defense, the military leadership and Russian armed forces as a whole. This service is dedicated to military intelligence, from strategic to operational, working not only in an exclusive sense of defense, but also encompassing other aspects such as politics or economy linked to the military sphere, and especially foreign intelligence – sometimes with the SVR. Since 1996, it has been entrusted with the mission of acquiring information on ecology and the environment. In order to execute these tasks, the GRU has all kinds of capabilities, from IMINT to HUMINT, through OSINT and, of course, SIGINT, capabilities that give it a sphere of action and international influence and that allow the GRU to “act in any point of the world where the need might arise, “according to statements by General Valentin Vladimirovich Korabelnikov, in an interview granted in 2006, when he was Director of GRU.

The GRU is undoubtedly the most opaque of Russian services and arguably the best of them; it is a group that maintains certain Soviet reminiscences – remember that it survived the KGB – and even that it considers “westernized” other services like the FSB. As a matter of curiosity, the GRU recruits its agents among the “proletarian” classes, preferably personnel without knowledge of languages, and among its supposed tasks is to bury weapons in hostile territory to be able to use them in case of conflict. It does not have a counterintelligence service (a function carried out by the FSB) or a press office (actually, the GRU is no more than a General Directorate within the Russian Ministry of Defense) or an official website ([1]). Thanks to its work methods, it is the intelligence service that has had the least deserters in Soviet and Russian history.

The GRU was directed by General Igor Sergun until January 2016, but after the sudden death of the General (nothing mysterious, just a heart attack), since February 2016, General Igor Korobov is in command. In both cases they are General Lieutenants, three stars, in front of the Army Generals of the FSB or the FSO. Although the personnel and budget data of the GRU are obviously classified, it is estimated that more than 25,000 staff members make up this service. In relation to its annual budget, no significant information has been found in public sources, the data being always masked in general budgets of the Russian Ministry of Defense.

As indicated, the GRU is a General Directorate of the Russian Ministry of Defense. It is structured in fifteen directions ([2]), focusing the cyber capacities of the GRU in the Second Direction and in the Sixth Direction, as well as in the Eighth Department, responsible for the security of internal communications of the GRU. The Sixth Direction is responsible for electronic intelligence, and historically it has been an active group in this area, operating signal interception stations from Cuba to Vietnam, passing of course by legal residencies of the GRU in different countries. Apparently, this GRU Directorate has the closest capabilities, especially in the military field, which we call CNO, and is capable of intercepting signal information around the world. This Sixth Direction is composed of at least four divisions ([3]); The First Division is dedicated to SIGINT (in this one the GRU Decrypt Service is framed) and the Second to ELINT, while the Third Division is responsible for the maintenance of the interception equipment and the Fourth is focused on the permanent tracing of signals. The Second Division (which includes GRU Special Forces, Spetsnaz) has seven major divisions, three of which directly relate to SIGINT, encryption and communications security at a more operational level than the Second.

In addition to the GRU, the Russian Ministry of Defense has more capabilities focused on electronic warfare, cybersecurity or computer security with a complex structure, detailed structure in the excellent reference [4] that we have already cited in previous posts in this series. For example, Military Unit 11135, 18th CRI (Central Research Institute) is the main signal intelligence research capability of the Russian Ministry of Defense, including research and development in wireless devices, SCADA systems or electromagnetic protection systems. Also as a research institute is Unit 01168, 27th CRI, in this case in the field of information technologies and command and control systems.

References
[1] Konstantin Preobrazhensky. GRU: Obscure Part of Russian Intelligence. Journal of Defense Management. Volume 2. Issue 2. Marzo, 2012.
[2] Richard Bennett. Espionage: Spies and Secrets. Virgin Digital, 2012.
[3] Andrew Jones, Gerald L. Kovacich. Global Information Warfare: The New Digital Battlefield. Segunda edición. CRC Press, 2016.
[4] Jeffrey Car. Inside Cyber Warfare: Mapping the Cyber Underworld. 2nd Edition. O’Reilly, 2011.

The Russian ICC (VII): FSO

e1470_fsoAnother of the heirs of the FAPSI is the FSO (Federal’naya Sluzhba Okhrani), identified in [1] as military unit 32152 and headed since May of this year by Major General Dmitry Kochnev (his predecessor, Evgeny Murov, was General of the Army, two ranks higher, and this in the Russian services is very important). Murov obtained very important FAPSI attributions: with more than 20,000 troops today (supposedly, since it is classified information, and various sources speak of more than 50,000), the FSO inherited and expanded the KGB’s Ninth Address, with responsibility for the protection of governmental “goods”, in the broadest sense of the word. For example, the Presidential Security Service, the PBS-Putin’s bodyguards, or control of the famous Russian nuclear briefcase depend on the FSO, as well as the operation of a secure network for the transmission of election results, GAS Vybory (Information is, obviously, an asset to be protected). Specifically, from a cyber point of view, this service has assumed, among other capacities, those associated with strategic SIGINT, the guarantee of exploitation of state systems – especially regarding its protection against foreign services – and the security of National classified information ([2]), which includes presidential communications: the FSO provides secure communications at a very high level, for example between the Kremlin and the main Russian military commanders, giving it enormous control power for the control of information …

The Spetssvyaz is framed within the FSO since 2004 (previously belonging to the FSB), the Special Information and Communications Service (SSSI), which is currently considered by some analysts to be the Russian equivalent of the US NSA (Although the intelligence community of both countries are different and therefore the NSA allocations are spread among Russian agencies). This group develops the above-mentioned cyber powers of the Service and includes at least one Directorate for the management of civilian government communications, another for the management of military government communications, a General Directorate for information resources (apparently dedicated to the protection of information in itself, in its broadest sense) and another Directorate-General for Information Systems ([3]), dedicated to the protection of systems dealing with data. The Director of Spetssvyaz, Alexey Mironov, is also Deputy Director of the FSO, a young General, who was to replace Evgeny Murov at the helm of the service after his retirement … until GD Kochnev was appointed for that post; an unexpected action for many and of course unusual, especially because of Kochnev’s engagement …

A curiosity: the FSO ordered in 2013 the purchase of typewriters (yes, typewriters, good old-fashioned ones) after some scandals of data theft – assumptions – by third parties, to avoid leakage of information. Another curiosity: Spetssvyaz records Internet domains in an open way: kremlin.ru, gov.ru, ру.рф, da-medvedev.ru … Although we are attracted by the fact (not only by the fact itself, but also by some of the Registered domains) they are not the only ones that do it: services closer to us follow or have followed the same open philosophy … at least in some cases. We will speak in some registry post of certain “curious” domains, near and far from here :)

References

[1] Jeffrey Car. Inside Cyber Warfare: Mapping the Cyber Underworld. 2nd Edition. O’Reilly, 2011.
[2] President of the Russian Federation. Strategy for the national security of the Russian Federation up to 2020. Mayo, 2009.
[3] Jonathan Littell. The Security Organs of the Russian Federation. A brief history 1991-2005. Post-Soviet Armies Newsletter. Psan Publishing House, 2006.

The Russian ICC (VI): SVR

150px-svrlogoThe SVR (Sluzhba Vneshney Razvedki) was the first heir of the KGB with its own entity, inheriting the attributions of the First General Directorate; is responsible for Russian foreign intelligence, providing the national authorities with intelligence that can benefit Russia in different areas that have evolved from the military and defense (especially the 1990s) to technological, industrial, scientific and economic areas. To achieve this goal the SVR is based primarily on HUMINT capabilities, both open and clandestine, theoretically relying on the GRU -which we will see in a coming post- for its signals intelligence needs.

In this SIGINT area the SVR works together with the GRU in strategic intelligence (at least in theory, since the rivalry between Russian agencies is well known: let us remember the “joint” operation of the SVR with the GRU of the SIGINT station in Lourdes, Cuba), as opposed to the more operative intelligence of the FSB; the main objective of the SVR, irrespective of the discipline used, is the acquisition of information and development of intelligence about the capabilities, actions, plans, intentions… both real and potential of third countries against the vital interests of the Russian Federation (as we have mentioned, even economic ones).

[Read more…]

The Russian ICC (V): FSB

2000px-fsb-svg
As we have indicated in previous posts, the FSB (Federal’nya Sluzhba Bezopasnosti) is the main heir of the KGB and the FAPSI; directed by Army General Alexander Bortnikov, whose breadth of responsibilities and power in Russia are undoubtedly marked by Vladimir Putin himself, a former director of the Service who, upon becoming President of the country, greatly strengthened the capabilities of the FSB -and its budget- as well as the presence of former Service members in the whole of Russian society. The FSB not only works in areas directly associated with intelligence and counterintelligence, but also reaches aspects such as social or electronic surveillance.

Regarding the cyber domain, the FSB has a wide range of technical and regulatory powers: although it is a service dedicated to internal intelligence, it has authorization for external intelligence actions, theoretically coordinated with the SVR. Among others, he is responsible for the security of information at the federal level, something similar to a police force to use or at least to the Information Services -with the corresponding name in each case- of a police force. In this area it has the attributions – and obviously, capacities – SIGINT operative for the interception of communications in the State: since 1995, it has the legally constituted right to monitor telephone lines, open mails and monitor Internet traffic ([1]). The FSB operates the system called SORM for this purpose, to which Russian Internet service providers must facilitate the work by deploying capabilities that they must also pay out of pocket. This system is operated by an FSB group initially designated UKIB (Computer & Information Security Directorate), Directorate R, heir to the KGB and focused especially on the fight against cybercrime and terrorism. The successor of this Directorate is the Information Security Center (CIS) of the FSB, framed in the Counterintelligence Directorate (SKR), the Second Directorate of the FSB and also identified as the Military Unit (VCH) 64829 or the Center number 18. SORM, which we will speak about in other posts as an example of “collaboration” of companies with the Russian intelligence services, deals, like the FSB mainly does, with the interception of data in the “Russian Internet”, where CIS is responsible for surveillance and counterintelligence, also working closely with Directorate K of the Russian Ministry of the Interior, responsible for combating cybercrime ([2]).

A priori, these CIS surveillance and counterintelligence capacities should be focused on Russia, without directly impacting the outside of the country; however, even though the FSB and within it the CIS are focused on inner intelligence, its actions may be directed against that focus but against Russian interests outside its borders, including elements considered to be disturbing according to Russian criteria (this may include attack on terrorist objectives … or simply political) and even with police powers of investigation and prosecution of such elements.

The Center for Electronic Communications Surveillance (TsRRSS), identified as FSB unit 71330 and focused on ELINT, has electronic spying and cyberespionage capabilities (communications interception, decryption …). This Center (number 16) is hypothetically the main offensive capability of the FSB, including operations outside Russia, as opposed to groups such as the CIS, described above and focused especially on defensive and surveillance tasks. Its internal structure is classified, and its responsibilities include the operation and processing of electronic communications.

The Center for Special Communications and Information Protection (TsBISS) provides the FSB with protection against cyberattacks or third party intrusions. From this Center, there have been peculiar (or interesting) initiatives such as the request to prohibit services such as GMail, Hotmail or Skype in Russia, as their use may constitute a threat to national security. A comment by the Center’s director in 2011 which caused a great stir at the time in social networks but that, much more interesting than the relative turmoil on the privacy and freedom of the users, was the moment in which it was published, marked by facts as transcendent as Arab spring or the Russian legislative elections.

Another interesting group in the cyber environment within the FSB is the Communications Security Center (CBS FSB, Vch 43753), which is part of the Eighth Service Directorate and is responsible for the logical protection of government communications through product accreditation and certification of safety standards, a kind of equivalent to the Certification Office of the Spanish CNI. Also in this sense, TSLSZ (translated approximately as Center for Licensing, Certification and Protection of State Secrets) is the branch of the FSB in charge of enabling organizations to handle classified information, in this case something similar to the attributions of The National Security Office in the CNI.

Finally, as a group with no offensive capabilities, cyber training activities within the FSB are the responsibility of the Institute of Cryptography, Telecommunications and Information Technology (IKSI), in the Service Academy, which trains specialists in cybersecurity not only for the FSB but also for other Russian Services… or for industry.

To try to summarize this structure, a summary table of the main groups or centers directly related to SIGINT or CNO dependent on the FSB is shown below:

Center ID Unit Function
Center for Information Security FSB CIS 64829 SORM. Search and surveillance
Center for Electronic Surveillance of Communications FSB TSRRSS 71330 Attacking capacity/td>
Centre for the Security of Information and Special Communications TsBISS N/A Defense against foreign intrusions
Communications Security Center FSB CBS 43753 Accreditation of products and services
Center for Licensing, Certification and Protection of State Secrets FSB TSLSZ N/A Security clearance
Institute of Cryptography, Telecommunications and Computer Science IKSI N/A Training

Referencias
[1] Roland Heickerö. Industrial Espionage and Theft of Information. In Proceedings of the 14th European Conference on Cyber Warfare and Security. Nasser Abouzakhar (Ed.). University of Hertfordshire. Julio, 2015.
[2] Taia Global. Russian Federal Security Service (FSB) Internet Operations Against Ukraine. Taia Global, 2015.

The Russian ICC (IV): A bit of history: FAPSI

fapsiWhen talking about Russia in the area of cybersecurity or, more specifically, information warfare, we must by force mention the FAPSI (Federal Agency of Government Communication and Information), operative between 1991 and 2003 and considered the Russian equivalent to the US NSA (Roland Heickerö, Emerging Cyber Threats and Russian Views on Information Warfare and Information Operations. FOI. Swedish Defense Research Agency, March, 2010.), which inherited the attributions and capabilities of the 8th (encrypted) and the 16th (Decryption and interception) General Directorates of the KGB. Among its functions there was the figure (cryptology and cryptanalysis), the interception of communications and even the incident response capabilities as a CERT. In 2003 this powerful agency was dissolved by the Russian government, possibly because of corruption, although it also shows that an agency with more than 50,000 people was becoming a great uncontrollable monster, as it was with the KGB at the time. After transforming the Special Information and Communications Service, an agency heir to the FAPSI that lasted only five months, its attributions were distributed among the four large Russian services, the GRU and the KGB derivatives: SVR, FSB and FSO. Each of these services has different attributions, although they obviously share capabilities, information, tactics or interests … or compete among them. In fact, in his Putin’s Hydra: Inside Russia’s Intelligence Services, and European Council on Foreign Relations, May 2016, Mark Galeotti presents us with a curious graphic summary of the roles of the Russian intelligence community, from which we then select only the main services – at least in our cyber sphere:
[Read more…]