9 May 2023

Russia’s IT squad


ANDY OWEN

The long-expected Ukrainian offensive that will attempt to push Russian forces out of occupied Ukrainian territory will likely begin in the next few weeks. If this offensive makes gains in Crimea or the Donbas, Western leaders are braced for Vladimir Putin to respond with whatever he has left. Former Russian president Dmitry Medvedev has warned that Russia would use "absolutely any weapon" if Crimea were threatened, and fears of nuclear escalation are increasing, as are concerns about NATO being dragged into direct conflict with Russia.

Yet, there are other weapons we should be equally worried about that have the potential to cause mass destruction. Though we may have missed it, they have already dragged NATO into direct conflict with Russia. The weapons are some of the most powerful cyberweapons the world has ever seen, and the conflict is in cyberspace, where a cyber war has been actively fought between the West and several hostile states over the last decade.

Cabinet Office minister Oliver Dowden recently warned of a threat to our critical national infrastructure from the “cyber equivalent of the Wagner Group” – the mercenary army responsible for some of Russia’s worst actions in Ukraine. This warning, made via an “official threat notice” from the National Cyber Security Centre (NCSC) was welcome, if a little belated. What Dowden did not mention, though, was that our cyber adversaries are likely to be using American weapons to cause their chaos.

Post 9/11, lawyers for the US National Security Agency (NSA) set about aggressively re-interpreting the Patriot Act. This allowed the NSA to rapidly develop and expand its capability for large-scale digital espionage. They sought out every vulnerability in every layer of the digital universe they could, and implanted themselves there. When they could not solve the problem internally, they reached out to the hacking community, often through a shady network of middlemen, to offer increasingly large bounty payments for what they needed. This created a huge black market in what are called "zero-days": flaws in a piece of software that its vendor does not yet know about, and so has not patched, which an attacker can exploit to take control of the program, the data it handles, and the computer, or even the whole network, it runs on.

As well as expanding its collection capabilities, the NSA received executive sign-off to develop offensive capabilities. It could convert its digital espionage from observing and recording into attacking. The same vulnerabilities it was exploiting for espionage could be used to deliver a payload that physically destroyed machines and the infrastructure they ran.

The first major use of such an offensive capability came in 2007, with the Stuxnet attack by the US and Israel against Iran's nuclear enrichment programme. Stuxnet was a malicious computer worm that manipulated the controllers of the fast-spinning centrifuges used to enrich uranium so that the machines tore themselves apart. It allegedly destroyed over a fifth of Iran's centrifuges before it was discovered in 2010.

After Stuxnet was identified, the former NSA director, Michael Hayden, predicted, “somebody just used a new weapon, and this new weapon will not be put back in the box.” Before Stuxnet, Iran budgeted around $76 million for its nascent cyber unit. After it they invested $1 billion into a new cyber army which is now the fourth biggest in the world. Iran found it far easier to develop cyber capabilities than nuclear weapons.

It did not take long for other countries to attempt what the US and Israel had done. In 2014, a worm was identified targeting industrial control software makers in Ukraine; commands embedded in its code included "die" and "turn off". It was traced back to Russia. It then disappeared until resurfacing on the eve of elections, when it attacked two local media companies as they were set to report on results.

These attacks, however, were only rehearsals for what came next. On 23 December 2015, Russian hackers cut power to around a quarter of a million people in western Ukraine by breaking into the control systems of regional distribution companies. At this point, though, Russia and other potentially hostile nation states were years behind the US in their cyber capabilities. That all changed in 2016.

Two weeks into the DNC email leaks, just as Russia was stepping up its cyber operations against Western elections, a new Twitter account appeared in the name of a hacker group calling themselves the Shadow Brokers. It is still not known who is behind this group, but guesses seem split between an NSA insider and Russian hackers. The leaks from this group would close the gap in capabilities between the US and the rest.

The group claimed to have intercepted cyberweapons belonging to the NSA’s Office of Tailored Access Operations (TAO). Over a series of communications, the Shadow Brokers provided any hacker or nation state with the code needed to unleash mass destruction.

During the Cold War Americans spied on Russian technology and Russians spied on American technology. Now the whole world is using the same systems. The leaked NSA capabilities were focussed on exploiting Microsoft operating systems, Gmail and Hotmail, Apple and Android phones, and globally used microprocessors and industrial operating systems. All the systems that the US and its allies also relied on for communications, transportation, power, banking, commerce and health.

A month after its release by the Shadow Brokers, an NSA-developed exploit called EternalBlue, which attacks a flaw in the SMB file-sharing service of Windows, was used to propagate the WannaCry ransomware. Microsoft had already published a patch for the flaw (MS17-010) two months earlier; the machines that fell were the ones that had not applied it. The attack hit the NHS in the UK and was estimated to have affected more than 300,000 computers across 150 countries. In 2017, the US and UK governments formally blamed North Korea for the attack.

In June 2017, the Russians targeted Ukraine, again using EternalBlue, delivered through a poisoned update to a piece of Ukrainian accounting software, in what became known as the "NotPetya" global cyberattack after it spread far beyond its intended targets.

In January 2022, two months before the Russian invasion, about 70 government websites in Ukraine were taken offline by hackers. This was followed on 15 February by a large distributed denial-of-service (DDoS) attack that brought down the websites of the defence ministry, the army, and Ukraine's two largest banks by flooding their servers, from a great many machines at once, with more simultaneous requests than they could answer. A third DDoS attack on 23 February again took down multiple Ukrainian government, military, and bank websites.
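The distinguishing feature of a distributed flood is that each individual source can look almost innocent; it is only the aggregate rate that gives the attack away. The detector below is an added example, not part of the original article or any tool it mentions. It runs two sliding-window rules over web server access logs, one per source address and one for the whole server, and the sample log lines it uses are constructed for illustration; the window and thresholds are assumptions a defender would tune to their own traffic baseline.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "common log format" prefix: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return (source_ip, timestamp) for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts


def detect_floods(lines, window_s=10, per_ip_max=20, total_max=100):
    """Sliding-window request-rate detector (thresholds are illustrative assumptions).

    lines      : access-log lines in chronological order, as a log file is written.
    per_ip_max : most requests one source may make inside the window (a single noisy client).
    total_max  : most requests the whole server may see inside the window; this is the rule
                 that catches a distributed flood in which every source stays under per_ip_max.
    Returns {"per_ip": set of offending IPs,
             "aggregate": timestamps at which the aggregate rule fired, at most once per window}.
    """
    window = timedelta(seconds=window_s)
    per_ip = defaultdict(deque)
    recent = deque()
    flagged_ips = set()
    aggregate_alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip blank or malformed lines instead of crashing the detector
        ip, ts = parsed
        cutoff = ts - window
        q = per_ip[ip]
        q.append(ts)
        while q[0] < cutoff:  # evict this source's requests that fell out of the window
            q.popleft()
        recent.append(ts)
        while recent[0] < cutoff:  # same for the server-wide window
            recent.popleft()
        if len(q) > per_ip_max:
            flagged_ips.add(ip)
        if len(recent) > total_max and (not aggregate_alerts or ts - aggregate_alerts[-1] >= window):
            aggregate_alerts.append(ts)
    return {"per_ip": flagged_ips, "aggregate": aggregate_alerts}


TZ = timezone(timedelta(hours=2))  # constructed sample uses Kyiv winter time (UTC+2)


def _log_line(ip, ts, path="/"):
    return f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] "GET {path} HTTP/1.1" 200 1024'


def build_sample_log():
    """Constructed sample: three ordinary visits, one noisy client, then a distributed burst."""
    t0 = datetime(2022, 2, 15, 10, 0, 0, tzinfo=TZ)
    lines = [
        _log_line("203.0.113.5", t0),
        _log_line("198.51.100.7", t0 + timedelta(seconds=3), "/news"),
        _log_line("203.0.113.5", t0 + timedelta(seconds=7), "/about"),
    ]
    # One source firing 25 requests in 5 seconds: the per-IP rule catches it.
    noisy = t0 + timedelta(seconds=30)
    lines += [_log_line("198.51.100.99", noisy + timedelta(seconds=i // 5)) for i in range(25)]
    # 60 distinct sources, each sending 3 requests over 3 seconds: 180 requests in total,
    # but no single source goes near per_ip_max, so only the aggregate rule fires.
    burst = t0 + timedelta(seconds=90)
    for k in range(3):
        for n in range(1, 61):
            lines.append(_log_line(f"192.0.2.{n}", burst + timedelta(seconds=k)))
    return lines


if __name__ == "__main__":
    result = detect_floods(build_sample_log())
    print("noisy sources:", sorted(result["per_ip"]))
    print("aggregate alerts:", [t.isoformat() for t in result["aggregate"]])
```

Run against the constructed log, the per-IP rule names only the single noisy client, while the 60-source burst trips only the aggregate rule; a detector with per-source thresholds alone would have stayed silent on the distributed part, which is the whole point of distributing an attack.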

Russia is still regularly launching cyber-attacks using NSA-designed tools in support of ground offensives or to compound the impact of artillery or missile strikes, as well as stealing targeting information from everything from government intranet sites to cafe webcams.

Ukraine has created an “IT army” to fight against Russia’s cyberattacks. It has shown similarly formidable defensive strength and resilience in cyberspace as it has done on the physical battlefield. Ukraine has also been able to benefit from the experience of years of Russian attacks, as well as receiving significant support from Western governments and technology companies.

A leak of thousands of documents within days of the invasion of Ukraine, by an anti-war whistleblower working at the Russian IT firm NTC Vulkan, showed what Ukraine was up against. Vulkan's work is linked to Russia's federal security service (FSB); the operational and intelligence divisions of its armed forces (GRU); and Russia's foreign intelligence organisation (SVR). One document links a Vulkan cyber-attack tool, codenamed Scan-V, with the hacking group Sandworm, which operates within the GRU, has twice caused blackouts in Ukraine and launched NotPetya. Scan-V scours systems for vulnerabilities, which are then logged for use in future attacks. Another document details a Vulkan-built system, called Crystal-2V, a training programme for operatives learning to bring down rail, air and sea infrastructure.

It is not just Ukraine, though, that is having to deal with the consequences of the leak. As New York Times cybersecurity journalist Nicole Perlroth points out in her This Is How They Tell Me the World Ends, our adversaries have been stockpiling their own zero-days from the same black market that the NSA and other US and NATO intelligence agencies spawned, and have mapped our digital topography in detail. And this topography has grown exponentially over recent years.

With the “internet of things” – the interconnection via the internet of computing devices embedded in everyday objects enabling them to send and receive data – we have created the world’s largest attack surface for these zero-days to exploit. In many cases, leveraging NSA tools, our adversaries are already inside our nuclear sites, national grids, communications, and health systems.

Last year an indictment unsealed in a district court in Kansas indicated that three FSB officers had tried to hide malware in software updates used by the systems that control equipment in power plants. They were accused of using spear-phishing (targeted emails crafted to trick specific victims into handing over credentials or opening malicious attachments) and other tactics to home in on more than 3,300 specific people working in the energy industry. These targets worked at more than 500 different entities, including the US Nuclear Regulatory Commission.

In one instance, the officers are alleged to have compromised the business network of Wolf Creek Nuclear Operating Corp. in Kansas. The FSB officers were mapping out the plant's networks for a future Stuxnet-style attack, though the plant's operational systems were not reported to have been affected. Whereas Stuxnet wrecked centrifuges inside an enrichment facility, an attack on the systems of a nuclear power station has the potential to cause a meltdown of the kind that occurred at the Chernobyl plant. The Russians had also targeted Cooper Nuclear Station in Nebraska, as well as doing "digital drive-bys" of chemical, oil and gas operators in the US. The leaked Vulkan documents contain the details of a nuclear power station in Switzerland.

In a potential revenge attack for Stuxnet, Iranian hackers from the Islamic Revolutionary Guard Corps targeted the sluice gate of the Bowman Avenue Dam in New York State. The dam, however, is tiny, just 15 feet long and two and a half feet high; it exists to stop a brook flooding nearby homes. It has limited potential to cause chaos.

It is possible that the hackers went after the Bowman Avenue Dam as a practice run for a more impactful strike against a major dam like the Hoover Dam. Another theory is that they mistook the Bowman Avenue Dam in New York for the far more significant Arthur R. Bowman Dam in Oregon, which is 245 feet high and 800 feet long and holds 233,150 acre-feet of water. Even the most sophisticated cyber tools are only as effective as the human beings who direct them.

We have become aware of the way in which Russia has been overtly subverting democracy via troll and bot farms and hack-and-leak operations, but at the same time the public has been largely unaware that it was infiltrating targets across the West with the potential to cause chaos. It is likely we do not know where its operators are still lurking, waiting for instructions from Putin to escalate.

It has not all been one way, though. When General Nakasone was confirmed as director of the NSA and head of US Cyber Command in 2018, he decided to take the fight to Russia. In the months following his appointment, Cyber Command began planting malware inside Russian systems, networks and hardware at new levels of depth and with a new aggressiveness.

Cyber Command did this overtly, letting Russia know what it was doing, on the same logic of mutually assured destruction that kept nuclear weapons unused during the arms race. These actions have been backed up by publicly naming and indicting the foreign intelligence officers suspected of breaches, and by sanctions. One example came in 2021, when President Biden sanctioned Russia for its involvement in the SolarWinds hacking campaign.

That campaign was a software supply-chain attack rather than the exploitation of a bug: the attackers broke into the build process of US tech firm SolarWinds and inserted a backdoor into a legitimately signed update of its Orion network monitoring software, which was widely used by the US government, so that every customer who installed the update also installed the backdoor. They also abused flaws in Microsoft and VMware products to extend their access. This allowed Russian hackers (most likely the SVR) to access the networks of at least a dozen federal agencies (and the UK government) and 100 private sector organisations for around a year, stealing enormous amounts of sensitive data.

In intelligence work you are encouraged to strike the right balance between inside and outside views. You should look at the particulars of any situation, but also ask, “how often do things like this happen in situations of this sort?” This sets a baseline that you then move up or down from—due, of course, to the particulars. For example, on the question of whether Putin will use nuclear weapons in Ukraine, the starting point for any forecast should be that Russia has never used them in the past and that, in fact, no-one has since 1945. Then move up from this low base level, rather than jumping to a high probability of their use, due to anchoring onto the escalating use of artillery and the pressure on Putin due to repeated defeats.

On the question of whether Putin will use cyber weapons to cause mass destruction in Ukraine and the West, the starting point for any forecast should be that Russia has regularly used such weapons and has positioned itself to do so again at an ever-greater scale.

It is easy and terrifying to imagine the impact of a nuclear weapon. As terrorists know, explosions are good for getting media attention. They are visual, leaving vivid imagery in their aftermath, scorched on the public’s imagination.

It is harder to envisage a threat invisibly lurking in the technology we rely on every day, delivered from a foreign power into the smart and dumb devices sitting in our homes. A threat that can turn off the national grid in the middle of winter, crash the economy, paralyse vital equipment in hospitals, or even cause a nuclear meltdown.

We need to make that imaginative leap. We need to push the government to move faster to counter this escalating threat.

Dowden has announced plans for more ambitious cyber resilience targets for all critical national infrastructure sectors to meet by 2025, as well as moves to bring private sector businesses working on critical infrastructure into the scope of resilience regulations. This is the bare minimum. We need to think bigger too, and push for global regulation.

We have the Geneva Conventions to limit the barbarity of war on the physical battlefield. The conventions and their commentaries regulate the conduct of armed conflict and seek to limit its effects. They protect the people not taking part in hostilities, the very people who bear the brunt of cyberattacks.

An equivalent set of conventions governing the use of cyber weapons is urgently needed. Britain should lead the call for such a set of conventions. It will be in our own interests to do so, and it might even repair some of the vast damage to our international reputation that has been in freefall since 2016, when cyberweapons undermined our democracy and set us on our current path.
