Understanding the cyber threat from Russia

Part one of our cyber war series: Over the past thirty years, the concept of cyber war has drifted from popular culture into political discourse and become the lens through which many prominent organizations perceive cyber risk.

In April 2018, Barclays Chairman John McFarlane claimed "our traditional defences are no longer adequate to protect [against cyberattacks]. This is war, and needs wartime, not peacetime, urgency."[1] Over the past thirty years, the concept of cyber war has drifted from popular culture into political discourse, and ultimately become the lens through which many prominent public and private organizations perceive cyber risk. Certainly, escalating geopolitical tension and the devastating impact of cyberattacks such as WannaCry and Petya/NotPetya have made the prospect of conflict extending into the cyber domain appear closer than ever. Information security professionals are now expected to be foreign policy analysts, capable of interpreting and predicting the threat foreign states pose, and of defending themselves accordingly. This article, the first in a short series, provides insights from MWR’s research, threat intelligence and investigations on cyber statecraft, beginning with Russia.

Are we at (cyber) war? And does it matter?

At MWR, we believe the concept of cyber war limits understanding of cybersecurity risk, and reduces our ability to respond effectively. It encourages a state of denial, where the absence of casualties leaves many victims, already struggling to comprehend cybersecurity, in a state of paralysis. This failure to respond, compounded by a fear of retaliation, has become “almost an invitation to [aggressors to] escalate more” says Thomas Rid, an academic.[2] It may even lead to a militarization of responses, where public and private organizations alike look to military minds to solve policy problems, and conflict becomes a fait accompli.[3]

Cyber has, however, brought about a revolutionary change in global relations, with states and organizations exposed to a range of harms that fall short of armed conflict.[4] This is described by academic Lucas Kello as a state of ‘unpeace’, or by journalist David Sanger as the ‘new normal’,[5] where state actors exploit the opportunities the cyber domain presents. By targeting organizations rather than states, taking care to avoid positive attribution, and calibrating the impact to fall short of war, they can pursue their foreign policy goals while denying their opponents the ability to respond effectively. The 2012 attack by Iranian hackers against Saudi Aramco, the world’s largest oil company, represents a high-profile example, but Russia’s emerging pattern of activity in cyberspace suggests it is leading the way.

Russia – Architect of hybrid conflict

Valery Gerasimov, General of Russia’s armed forces, is credited as the architect of the country’s hybrid tactics. The Gerasimov doctrine combines information operations and cyberattack with conventional levers to achieve Russia’s aggressive geopolitical goals, without risking armed conflict with its NATO opponents. His approach, tested and refined in attacks on Estonia, Georgia and Ukraine, has since been successfully deployed against the United States.

Key characteristics of Russia’s activity in cyberspace include establishing a foothold within critical industries, abuse of information platforms, and interference with democratic processes.

In 2018 the US Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the United Kingdom's National Cyber Security Centre (NCSC) warned that Russian state-sponsored cyber actors had compromised hundreds of thousands of network devices in key national infrastructure sectors, including telecommunications, power and utilities.[6] DHS later reported that the Russian APT actor ENERGETIC BEAR had gained access to air-gapped control rooms by abusing third-party access to these environments.[7] MWR’s investigations indicate Russian actors have targeted smaller, apparently more vulnerable organizations in western countries within these industry verticals. They use publicly available penetration testing tools and non-attributable malware to avoid positive attribution.

Russia’s aims are not necessarily destructive. Instead, the Kremlin seeks a foothold in organizations, partially to project power, but also in preparation for any escalation in hostilities. This creates a window of opportunity for defenders to hunt and remove attackers persisting within these networks.

There is also a clear trend towards the ‘weaponization’ of information. This often involves abuse of media outlets including social media platforms, to not only influence public opinion but also undermine credible sources. The Russian Internet Research Agency’s activity on Facebook is a prime example. While not a cybersecurity issue per se, the erosion of trust caused by Russian interference has undermined confidence in the independence of certain security research companies, when the need for reliable attribution has never been higher.

Finally, MWR notes the utilization of kompromat (compromising material) to undermine democratic processes. While Russia’s targets are its political opponents, recent cases demonstrate how public and private organizations could be impacted. In 2016, Russian actors leaked stolen emails from the Democratic National Committee in an attempt to undermine Hillary Clinton’s candidacy as Democratic nominee, by drawing attention to her links to a US investment bank. Organizations should therefore recognize the risk of collateral damage in Russia’s attempts to destabilize its opponents.

What should organizations do to defend themselves?

While we’re not at (cyber) war, and the prospect of a devastating attack on critical infrastructure remains remote, organizations in targeted verticals can take the following steps to mitigate the threat from Russia:

  • Increase visibility across corporate environments at endpoint and network level, and proactively hunt for evidence of current or historic compromise.
  • Develop and utilize intelligence sharing platforms and relationships with law enforcement and cybersecurity agencies to enrich hunts and improve understanding of the latest TTPs.
  • Enumerate and secure remote third-party access to your environment, to prevent compromise through your supply chain.
  • Factor Russia’s targeting of political opponents into your risk assessments, by evaluating your company’s and/or clients’ links to these organizations, and the potential impact of unauthorized information disclosure. Rehearse your organizational response.
  • Media organizations and platforms should consider the specific risks posed by Russian actors involved in cyberattack and abuse of native product functionality.
