The Russian ICC (III): the Community

Undoubtedly, many people mentally associate Russian intelligence or secret services – Soviet, to be exact – with the KGB (Komitet gosudárstvennoy bezopásnosti, Committee for State Security). Unfortunately for the followers of Bond, the KGB, the Soviet-Russian secret service par excellence, was dismantled at the beginning of the 1990s by Mikhail Gorbachev, probably because it had become a powerful monster in terms of attributions, skills and knowledge, but especially for its alleged involvement in the failed coup d’état of August 1991. Its power was distributed mainly among three different agencies: FSB (Federal Security Service), SVR (Foreign Intelligence Service) and FSO (Federal Protection Service), which joined the historical rival of the KGB, the GRU (General Intelligence Directorate), the Russian military intelligence service that survived the fall of the USSR (perhaps because of its support for the Soviet president during the coup, unlike the KGB). SIGINT responsibilities were concentrated in an agency called FAPSI, equivalent to the US NSA, dismantled in 2003 and whose power, as with the KGB, was distributed among the different Russian services.

After the dismantling of the FAPSI, the four services listed above make up the bulk of the Russian intelligence community from the cyber point of view – at least the official one, as we will see in this series of posts. An excellent description of this intelligence community, as far as information security, SIGINT or CNO is concerned, can be found in chapter fifteen of the second edition of Jeffrey Carr’s Inside Cyber Warfare: Mapping the Cyber Underworld (ed. O’Reilly, 2011).

To get an idea of the potential of the Russian services it is necessary to talk about their budget. According to open sources (such as Julian Cooper’s The Funding of the Power Agencies of the Russian State. The Journal of Power Institutions in Post-Soviet Societies, Issue 6, 2007, or The Funding of the Power Agencies of the Russian State: An Update, 2005 to 2014 and Beyond. The Journal of Power Institutions in Post-Soviet Societies, Issue 16, 2014), in 2013 the budget for what the Russians call “Security Services” – a concept that includes the FSO, FSB (except the Border Service) and SVR – exceeded 4 billion euros. The distribution by service is classified, and obviously the budget of the GRU is included in the one corresponding to the Russian Ministry of Defense, so it is completely unknown. This money is complemented by the more than 300,000 people who – again, classified data – work in the different intelligence services.

To be able to compare these data with other services, here’s a curiosity: the budget corresponding to the CNI is estimated at about 240 million euros, seventeen times less than the Russian one, and its number of employees at about 2,500 people. Of course, comparisons are odious…

The Russian ICC (II). Context: Russia

Before talking about the Russian ICC, we must know that Russia is the largest country in the world, with the most kilometers of border (more than 20,000); it has the largest reserves of energy and mineral resources in the world still to be exploited, making it the largest energy superpower, as well as the world’s largest reserve of forest resources, and it also has a quarter of the world’s unfrozen water.

From a cyber perspective, Russia is alleged to be the only country to have carried out combined (physical and logical) military action against another country (Georgia, August 2008) or to have degraded the critical infrastructure of a third party by cyber means (Estonia, 2007). Their military and intelligence potential in this area is undoubted, as are their “physical” or traditional capabilities. The intelligence services are heavily involved in politics – as it happens, it is public that Vladimir Putin was an agent of the KGB and director of the FSB – and in the public and private sectors, and they also maintain close relations – always alleged – with organized crime.

The Russian ICC (I). Introduction: the Russians are coming!

We often talk about Russian APTs, Russian malware, Russian groups… But who are the “Russians”? We will analyze, in a series of posts, who “the Russians” really are, what Russia is (from the point of view of intelligence and security), what their services are – and their APTs –, what relations they have with the rest of the ecosystem in the Russian information war, what objectives they have, what information they are looking for, etc. In short, we will try to get to know the Russian Cyber Intelligence Community a little better, and with it these supposedly Russian threats that we find all the time in different organizations.

Of course, all the information collected here was obtained from public sources and represents no more than private opinions, interpretations, analyses, issues… surely all of them wrong, because… what exactly is attribution?

Let’s begin: as it could not be any other way (otherwise we would not be dedicating a series to it), one of the main actors in the field of (cyber) intelligence is Russia; perhaps this is currently the country that is most sophisticated in its attacks: targeted, stealthy and technically brilliant, with very high rates of persistence due to the difficulty of detection (of course, with the permission of the United States…). Russian APTs usually know very well what information they need, where it is and who handles it, and so they focus on the precise theft of that data, as we said, in the most stealthy way possible.

Uncle Sam

Snowden, PRISM, NSA… words, or buzzwords, that we are used to hearing in the media, especially during the last months. You know: when talking about technology, spying – of course, using the “cyber” prefix – and some acronyms to get a slot in prime time :) I didn’t want to write about sensationalism, but in the end I could not resist: during holidays you have too much spare time to read newspapers :)

Really, I don’t know where the news is… It’s a fact that the USA, through the NSA and other agencies, is spying on us as much as it can… just as it is a fact that dogs bark. Yes, and? I have never understood the big surprise that everybody claims when talking about US spying. Where is the surprise? Is it really surprising that a country with big technological capabilities uses them for its own good? Guys, I think nobody in this world is a charity nun… The problem is that here, in Spain, we don’t have a similar capability – and honestly, I don’t think we’ll be able to have one in the short term –: we can snoop on Tuenti :( And this is a big problem or, really, two big problems. The first one is that we rely on a third party to get information – information that is then processed to get intelligence; and yes, the third party is obviously the USA (what did you expect, Andorra?), which today is our friend but tomorrow may be less friendly or, simply, may have some interests that aren’t ours… And the second problem is that we are all vulnerable: in other words, we have to live with the fact that the USA spies on us whenever and however they want, and obviously this fact gives them an enviable advantage over us in any field. Is Spain hesitating about supporting the USA in, let’s say, a military occupation of ACMECity? No problem: before even talking to us, US officials know all our positions and can use this knowledge to convince us, in the best way, to give our support for almost anything… This is a problem for Spain, isn’t it? And worse: if we disagree we can unplug everything and go plant potatoes, of course not using Microsoft products, not searching with Google, not sending information across Cisco routers and, finally, not touching anything that smells American.
Or, much better, replacing that technology with Huawei and things like that… in this way we can involve in the spying game other countries that, of course, will respect our individual privacy and our global interests as a Nation… you know what I mean, don’t you? :)

IMHO the problem is not the fact that the USA spies on us to protect their interests: we can agree or not, and lawyers, politicians, journalists… can talk for hours about ethics, international law, privacy and things like that. But, being realistic, the USA is doing the same as any country that can do it. It’s just that simple, and we, as I said before, can’t do it because we don’t have the required capabilities… If we had them, I hope we would do the same: spy on other countries. The real problem is the misuse of the information they get. A Service collecting information to benefit its country (understanding “country” as government, companies, citizens…) is understandable, despite the fact that this can be bad for us, but if a Service does the same to defend the interests of an individual company, a private individual or, worse, a political party – that is, actors that cannot be identified with a whole country – we are facing a big and unjustified misuse of the information, IMHO. What did the USA do? I don’t know (does anybody reading this have more information about it?). If the USA is using the information for those particular interests, I don’t agree with them; if they use the information to defend their national interests or to gain advantages over other countries, it’s OK with me. What do we complain about? About the fact that they *can* do it and we can’t? Let’s see, we are all in the security world and we all know that the war is harder than privacy laws, IT governance, compliance and so on. What do we think, that Google is giving us GMail for free, with gigabytes of free space to hold our mail, just like that? Gigabytes, by the way, that, as someone said, can only be stored in a SAN, a NAS or a NSA… :)

Now, the million-dollar question: is there any light at the end of the tunnel? I think so, even if it’s only a single LED. Let’s assume that the USA is spying on us for its own benefit… what can we do? Two things, IMHO: try to let them do it as little as possible – or make it harder to do – and try to make sure that only the USA spies on us. In this blog we have said it before: let’s use national technology and services whenever we can – and let’s make an effort to do it, because many times the comfortable way is to do just the opposite. And let’s always use them when we are handling classified information. We can always find quality Spanish services, in almost any field I think… I have doubts only when talking about products, in specific cases. In those cases, when we can’t use national technology, let’s use open technologies. And if we can’t use those either, and we have to use products from other countries, let’s choose from countries that (at least today) are strategically close to us or whose interests are as similar as possible to Spain’s. In other words, I prefer to use Linksys rather than Huawei, or Twitter rather than Weibo: since someone is going to spy on me, let the USA do it… they would anyway… :)

Real Cloud Security

(Please note that this post was originally published in the Spanish version of Security Art Work on 2nd Oct 2012)

Act I: The cloud

(In a small room we find the Chief Executive Officer (CEO), the Chief Security Officer (CSO) and the Chief Marketing Officer (CMO). The latter comes in with a PC World magazine under his arm)

CMO: Blablablabla Cloud blablabla costs blablabla availability blablablabla Google.
CSO: Blablabla SLA blablabla, blablabla privacy, blablabla blablabla outsourcing, blablabla.
CEO: Blablablabla dollars, blablabla staff, IT blablabla servers. Security? Blablablabla.
CSO: Blablabla, blablabla SOX, penalties, blablabla data theft blablabla, blablabla press. Blablabla impact and risk.
CMO: Insecure? Hahahaha, blablabla, blablabla and blablabla. CSO blablabla, distrust. Blabla, blabla, Gartner, blablabla?? Blablablabla. That does not happen.
CEO: blablablabla CIO, blablabla blablabla IT budget.
CSO: Alea jacta est.

Act II: Hunky-dory

(While the Chief Executive Officer is looking at the Chief Marketing Officer’s tablet, they spot the Chief Security Officer, who quickens his pace but is intercepted in the corridor)

CMO: Blablabla access, blablabla iPad, iPhone. Blablabla? CSO? Blablabla, these security guys blablabla. Access, blablabla, password blablabla, blablabla SSL.
CEO: Blablabla friendly, blabla, blablabla success. Blablablabla reason blabla costs, blablabla enterprise 2.0.
CSO: Pater Noster qui es in caelis, sanctificétur nomen Tuum

Act III: A small problem

(There is a problem in the Marshall Islands that has cut off the connection to the cloud provider and, although it is not known yet, may have caused data loss)

CEO: Blablabla connection, blabla deletion, blablabla access. Blablablabla data, blablabla cloud!!
CMO: Blablablabla probability blabla blablablabla Gartner CIO, blabla CSO.
CSO: Blablabla risk, blablabla impact, blabla quality of service, blablabla Google.
CEO: Blablabla reputation, blablabla business, blablabla Google!
CMO: …
CSO: …

Act IV: Choose Your Own Adventure

(Do you remember these books? ;)

Option #1

CSO: Blablabla backup, blabla fireproof, blablablabla recovery blablabla system.
CEO: Muacs.

Option #2

10 CEO: …
20 CMO: …
30 CSO: …
goto 10

Option #3

CSO: Blablablabla CIO?
CIO: Blablabla, Terms of Service, blablablabla complaint, blablabla compensation, blablablabla.
CEO: Blablabla data, blablabla available blablabla #@!*& blablabla ten dollars.

Well, how did the adventure in the cloud end?

If you’ve managed to follow this conversation, you might like this video that our colleague Adrian has found: