29 June 2018

Wargaming Moscow’s Virtual Battlefield

The U.S. – Russia relationship is a complicated one, to say the least. While investigations into potential collusion carry the headlines in Washington, there is a fragile balancing act going on behind the scenes. Take the gas and energy market as one small example. U.S. Energy Secretary Rick Perry is due to meet today with Russia’s Energy Minister Alexander Novak at the World Gas Conference in Washington. Despite the fact that tensions between the two nations are incredibly strained, the U.S. may need Russia’s support in its efforts to isolate Iran from the world oil market.

This is the kind of day to day strategy that is still playing out on multiple levels as Intelligence experts warn that Russia is aggressively exercising its tools of influence across a broad range of domains. 

In part one of The Cipher Brief’s two-part special series on how Russia is building its virtual battlefield, we look at the tools and tactics that the Kremlin is employing and why they’re being so successful doing it. 

Bottom Line: Russian involvement in the information domain includes electronic warfare, espionage and active measures such as disinformation, propaganda, psychological pressure, destabilization of society and influence of foreign media. The aim is to sow doubt and division amongst strategically targeted societies with the longer-term objective of boosting Moscow’s comparative power and influence across the world stage.

Background: Russia is one of the oldest nation states operating in cyberspace, with Moscow leveraging cyber espionage as early as the 1990s. Russian attacks are not only technologically sophisticated, but also boldly aggressive, making Russia potentially the most dangerous advanced persistent threat (APT) in cyberspace. 

In September 1998, the U.S. Department of Defense discovered intrusions into its servers by what turned out to be the Kremlin-linked Turla group, in an operation dubbed Moonlight Maze, one of the first examples of state-sponsored cyber espionage in history. Russia continues to leverage computer network intrusions as a pillar of its foreign intelligence collection, siphoning military, political and diplomatic secrets from secured government, commercial and personal computers around the world.

Russian intelligence services, referred to in December 2016 as “Grizzly Steppe” by the U.S. Department of Homeland Security (DHS), have targeted American government organizations, critical infrastructure entities, think tanks, universities, political organizations and corporations leading to the theft of information. In March 2018, DHS attributed broad network intrusions into U.S. critical infrastructure to Russia. This campaign appears to align with the Kremlin-linked Dragonfly group’s espionage campaign targeting the U.S. energy sector since 2011. 

Russian government cyber espionage actors include the Federal Security Service (FSB) – operating particularly out of its 16th and 18th Centers – and to a lesser extent the Russian Foreign Intelligence Service (SVR). The FSB is commonly known among the cybersecurity industry as Turla, APT29, Cozy Bear and the Dukes. Notable FSB/SVR cyber espionage operations include intrusions detected in the networks of the State Department in November 2014, the White House in April 2015, and the U.S. Joint Chiefs of Staff in July 2015. The purview of the FSB is broad and includes both domestic and international intelligence collection and covert action, while the SVR typically engages in foreign-focused collection of strategic intelligence, such as the diplomatic communications of foreign ministries and intergovernmental organizations. 

Cyber operations that weaponize network intrusions are commonly conducted out of Russia’s General Staff of the Armed Forces Main Intelligence Directorate (GRU), particularly its Sixth Directorate and the Main Center for Special Technology (GTsST). The GRU is known among the cybersecurity industry as APT28, Sofacy, Fancy Bear and Pawn Storm. With a primary role of collecting military intelligence and covert influence operations, many of the GRU’s targets are in aerospace, defense, energy, media and government sectors. Notable operations attributed to the GRU include intrusions detected in Ukraine’s artillery targeting software beginning in late 2014, France’s media channel TV5 Monde in April 2015, the German Bundestag in May 2015, the World Anti-Doping Agency in August 2016 and the International Olympic Committee in January 2018.

There is a competitive relationship between the Kremlin’s security services, with little apparent information sharing or coordination to minimize detection of their network operations. An example of this lack of coordination is the FSB’s presence in the Democratic National Committee’s (DNC) networks going back to the summer of 2015, followed by a separate breach of the DNC by the GRU in April 2016 while the FSB was still operating within those networks.

The Russian government is advanced in its cyber capabilities, but also has access to Russian criminal hackers and hacktivists. These groups develop cyber tools for Russian intelligence agencies and hack into networks and databases in support of Russian security objectives. Russia’s use of such proxies complicates attribution, making it harder to determine whom to respond to, constraining potential cyber deterrence against Russian entities. 

Russian-language hackers are the main proxy group working with Russian intelligence on cyber operations. The government has permitted cybercriminals to operate from Russia as long as the criminals do not go after Russian targets. This impunity gives the government leverage over hackers for their cooperation in developing malware or pursuing Russian government targets. For example, Dmitry Dokuchaev, a former criminal hacker known as Forb, agreed to work for the FSB in order to avoid prosecution for credit card fraud. 

To further muddy attribution, at times Moscow has portrayed its cyber operations as the work of others by leaving false flags such as foreign language comments behind or creating hacktivist pseudonyms such as Guccifer 2.0, CyberBerkut or the Cyber Caliphate. It is not clear, however, to what degree the Kremlin directs proxy cyber actors. Anyone can commandeer malware for their own use, hijack criminal infrastructure to launch attacks or build an online persona to divert attention. This inability to adequately differentiate between criminal and government activity in cyberspace may be the strategic environment the Kremlin actively seeks. It creates a level of plausible deniability that inhibits effective response to the Kremlin’s malign network operations – emboldening future actions. 

“Russian active measures include propaganda, media manipulation, disinformation, deception, use of forgery, funding of extremist and opposition groups, spreading conspiracy theories and rumor, cyber operations, espionage and even assassination. ‘Political influence’ is considered the most important part of an effective active measures campaign. Political influence involves using spies and cooperative contacts to directly promote Russian interest inside adversary countries. These individuals secretly working on behalf of Russia are called ‘agents of influence’.”

“Cybersecurity is based on trust, accountability and integrity of data. At the heart of the debate is whether cyberspace will enable free movement of people and ideas across national boundaries while serving as a commercial force multiplier, or instead become a hostile battleground, where nefarious state and non-state actors mount attacks that target the integrity of global cyberspace while seeking domestically to restrict their citizens’ freedom of expression.”

Issue: Disinformation, fake news and coordinated cyber operations have become part of a Russian security strategy to combat the West in soft areas of influence. Through such malicious acts, Moscow aims to deepen societal fissures in the West and weaken the West’s global credibility. 

Russian cyber-enabled information warfare takes advantage of the features of the modern internet: high levels of connectivity and anonymity, insensitivity to distance and national borders, democratized access to publishing capabilities, and inexpensive production and consumption of information content. Russia uses automated Twitter accounts to amplify one-sided messages, communicate with low cost and no accountability and reach large audiences with highly tailored messaging. Leading up to the 2016 U.S. elections – between September 1, 2016 and November 15, 2016 – Twitter identified nearly 36,700 Kremlin-linked accounts generating 1.4 million automated election-related tweets, which collectively received an estimated 288 million impressions.

The Kremlin employs a network of paid trolls – most notably the Internet Research Agency – to amplify divisive opinions and misinformation with the aim of exploiting societies’ political flashpoints. Between 2015 and 2017, the troll farm reportedly posted about 80,000 times on Facebook – over 200 posts a day. Roughly 29 million people received the content in their news feeds and another 126 million may have been exposed to the Kremlin-directed disinformation through likes and shares. In February 2018, U.S. special counsel Robert Mueller announced indictments against 13 individuals and three entities in connection with the Internet Research Agency’s influence operations during the U.S. elections. A central pillar of Russia’s political interference across the West – including in Germany, France, Mexico, the United States and elsewhere – is weaponizing hacked information by tactically leaking it to the public and timing releases with rapid-fire news cycles. Moscow amplifies its carefully crafted disinformation operations – known as Dezinformatsia in Russian – through both overt state-sponsored media, such as Russian news channels RT and Sputnik, and covert operations, such as weaponized hack-and-leak operations, cutouts and compromising material, or Kompromat in Russian. The goal of Kompromat – a very targeted form of disinformation tactic – is to smear the reputations of political opponents, discredit their voices and intimidate would-be critics under the threat of disclosing personal and salacious images, videos and documents – both real and doctored.

‘The advantages of digital technology also enhance the ability to convey the appearance of truth. Technological advances allow Russia to doctor photographs, for example, in order to blackmail or discredit people. It can be done with more verisimilitude nowadays.’

“Russia was – and still is – successfully dividing us because we are failing to be a resilient nation against our exploitable social fissures and preference for sensationalism. Russia uses social media platforms as an accelerant, but the platforms themselves are not why we have become so susceptible.”

“What Putin really wants to accomplish is the undermining of democracy itself. This is why elections, a part of the DNA of any democracy, are a particularly attractive target. If citizens believe the vote will be rigged or meddled with, due to either domestic or foreign actors, they may choose not to participate. Likewise, if another building block of democracy – a free press – is discredited, voters will be less informed and less able to accurately identify foreign election disruptions of all types. As a bonus, Russian citizens will be encouraged to positively compare the Russian system of government – despite it being authoritarian plutocracy – to the Western democracy, with the conclusion being that the Russian system is no more flawed than any other.”

In Part Two of Wargaming Moscow’s Virtual Battlefield, The Cipher Brief addresses the response. What’s been done, has it been enough and will it ever be enough?

Original Cipher Brief Analysis by Levi Maxey