Pages

6 March 2024

Smoke, Mirrors, and Self-Attribution: Ukraine’s Military Intelligence Service in Cyberspace

Stefan Soesanto

Hacktivist and Cybercriminals alike regularly self-attribute the cyber operations they are responsible for. Ransomware groups, for example, leave behind ransomware notes and set up leak sites, so victims know whom to pay and negotiate with. And Hacktivists have been using social media to even publicly claim ownership of campaigns that were conducted by someone else or have never taken place to begin with. Meanwhile, state-actors – in particular, military and intelligence agencies – have very rarely engaged in this kind of public self-attribution.[i] Instead, common practice has been to neither confirm nor deny responsibility for a cyber operation. The behaviour of Ukraine’s military intelligence service (GURMO) has broken that mould when they started to self-attribute cyber operations beginning in November 2023. Why did they make that change? Is GURMO’s self-attribution credible? And is it effective? To answers these questions, this article looks at eight news items GURMO published between November 23, 2023, to February 8, 2024, in which it either self-attributed or reported about cyberattacks by other pro-Ukrainian groups.

Between the start of the invasion in February 2022 to November 2023, no credible reports existed on GURMO’s activities in cyberspace. Meanwhile, Russia’s military intelligence service (GRU) has been highly visible on the global stage, being likely responsible for the Viasat hack on the day of the invasion and the destructive campaign again Kyivstar in December 2023.[ii]

It is unclear why GURMO decided to come out of the shadows. What we do know is that on November 23, 2023, GURMO self-attributed – for the first time ever – a cyber operation against Russia’s Federal Air Transport Agency (Rosaviatsia), which resulted in the exfiltration of “a large volume of confidential documents.”[iii] To proof operational success and highlight that Moscow’s aviation sector is “on the verge of collapse,” GURMO posted numerous incident figures it summarized from the stolen documents.[iv] Three weeks later, GURMO also announced that it hacked Russia’s Federal Tax Service and deployed malware on the agency’s 2,300+ regional servers.[v]

As of this writing though, it is unclear whether these two operations actually happened.[vi] According to Russian news outlet Novie Izvestia, many – if not all – of the aviation incident figures and documents GURMO stole, were leaked on Telegram and covered by Russian news outlets months prior.[vii] Similarly, Russia’s Federal Tax Service immediately denied that it was hacked and no complains of any operational disruptions have emerged in the attack’s aftermath.[viii] The timing of GURMO’s second self-attribution appears to have been likely a public tit-for-tat response, as it occurred a few hours after Russia’s GRU took out Kyivstar.

In a rather unusual move for an intelligence agency, GURMO also publish three news items in January 2024 to inform the public about the cyberattacks of pro-Ukrainian hacktivist groups. On January 19, GURMO praised a group known as Blackjack for stealing 1.2 terabytes of data of “a Russian state enterprise that performs all construction contracts” for the Russian Ministry of Defense.[ix] On January 23, GURMO highlighted a successful DDoS campaign by “unknown cyber volunteers in Russia” against the Russian internet provider Akado-telecom.[x] And on January 24, GURMO talked about a destructive cyberattack by “cyber volunteers-patriots from the group BO Team” that supposedly destroyed “280 servers” and “200 million gigabytes of data” belonging to the “Far Eastern Scientific Research Center [for] Space Hydrometeorology ‘Planet[a]’.”[xi]

In the case of Blackjack, we know that the group itself announced the breach on Telegram a day before with several screenshots as proof.[xii] By contrast, GURMO’s attribution of the DDoS campaign against Akado-telecom to “unknown cyber volunteers in Russia” is quite odd. In fact, the IT Army of Ukraine DDoS’d Akado three times: On December 30, January 4, and January 22, leaving its customers without internet access for days.[xiii] For GURMO to credit the last takedown to “unknown cyber volunteers in Russia” is not only wrong, but entirely dismisses the IT Army’s role. The attack by the BO Team against Planeta is probably GURMO’s most outlandish claim to date. No threat intelligence analyst seems to have ever heard of the BO Team, nor is there any evidence to suggest that the group a exists. An email to GURMO seeking clarification on the issue has far remained unanswered. It is also unclear where exactly the original reporting came from. For example, an article published by sprotyv.info on January 23, includes unedited and slightly larger screenshots than those posted by GURMO.[xiv] Strangely though, the article’s reference link for the BO Team, leads to an article about the IT Army which does not mention the BO Team at all.[xv]

GURMO’s latest three news articles on cyberattacks, go back to the service self-attributing campaigns. On January 27, GURMO informed the public that it conducted a cyberattack that “destroy[ed] the entire IT infrastructure of IPL Consulting, a company that implemented information systems in the [R]ussian industry.”[xvi] On January 30, GURMO took credit for a DDoS attack against “the server of the special communications of the Ministry of Defense of Russia.”[xvii] And on February 8, GURMO noted that “cybersecurity specialist of the Defence Intelligence Service” DDoS’d Russian servers running software that “reflash[es] DJI drones to meet the needs of combat operations [i.e., installing firmware updates].”[xviii]

The attack against IPL Consulting appears to be genuine. The screenshots GURMO posted show that they likely had root access and exfiltrated terabytes of data.[xix] However, Oleg Shakirov, PhD student at Johns Hopkins SAIS, notably pointed out that one of the screenshots prominently shows the VPN access credentials to servers at Inetec.[xx] Inetec is a company based in Croatia that specializes in robotics, servicing the nuclear, aerospace, and medical industry.[xxi] It is unknown why GURMO chose to highlight the VPN access credentials to a server belonging to a company based in the European Union.

The two other self-attributed campaigns are a bit odd as well. The DDoS campaign against the Ministry of Defense includes a screenshot showing GURMO using the UA Cyber Shield DDoS tool.[xxii] Notably, the developers of UA Cyber Shield have been working with the IT Army since at least April 2022.[xxiii] On October 1, 2023, UA Cyber Shield also revealed that they are part of the IT Army Kit developer team – an all-in-one DDoS installer kit that is the IT Army’s official go-to application.[xxiv]

On the second self-attributed DDoS campaign, the IT Army announced on Telegram on February 8, that it “was a part of the attack that [was] carried out on the enemy's DJI controllers firmware update server, which are widely used at the front.”[xxv] Given that the IT Army’s DDoS capacities are much larger than anything GURMO is likely able to leverage, it seems rather unusual for GURMO to take all the credit and not even mention the IT Army.

All in all, GURMO’s decision to publicly self-attribute multiple cyber operations and highlight a few campaigns conducted by pro-Ukrainian hacktivist groups is both confusing and smart. For the general public in Ukraine and abroad, it does not seem to matter whether these operations occurred or not, or whether they were effective or not. Any Ukrainian success story seems to effortlessly spread across social media and the Ukrainian media sphere for the purpose of stemming the tide in the information warfare space. Thus, seen from this angle, GURMO’s self-attribution is likely part of a morale boosting measure to showcase Ukrainian equivalence – if not dominance – in cyberspace. GURMO’s move might thus be somewhat connected to General Valery Zaluzhny’s comments to the Economist on November 1, 2023, that the war is at a stalemate.[xxvi]

GURMO’s self-attribution success is to a large degree enabled by (a) the absence of incident analysis and public reporting by threat intelligence companies, and (2) news outlets reposting and repackaging GURMO’s claims without any journalistic due diligence. From a warfighting point of view, these conditions seem to be ideal for self-attribution to facilitate tangible morale-boosting effects. Whether it creates any other positive or negative effects is currently unknown. For better or for worse, GURMO’s move to self-attribute could serve as a valuable case-study to figure out what self-attribution in cyberspace looks like, what it can and cannot do, and how to perfect it.

No comments:

Post a Comment