Are we heading for a new “Cyber Cold War”?

Posted on : 28-11-2014 | By : john.vincent | In : Cyber Security



For a while now China has been the focal point of attention when it comes to nation-state sponsored espionage (and not without reason). However, the latest report from the cyber security company FireEye is the first of theirs to delve into the threat Russia poses in cyber space.

The report looks at a group named as APT28, which FireEye are tracking, and explores how they are organised together with the methods employed. We start with a few key themes from this research.

The first point to note is that APT28's characteristics are very different from those of the China-based threat actors FireEye has previously profiled. FireEye did not find evidence that the group was interested in widespread intellectual property theft or in profiting from stolen financial account information. What they did observe was a skilled group collecting intelligence on defence, espionage and geopolitical issues, with targets that would benefit the Russian government, including:

  • Georgia – Russia potentially seeking to gain intelligence about political and security affairs
  • Eastern European governments/military – these targets would provide Russia with valuable insights and an ability to predict policymaker intentions
  • European security organisations – targeting individuals affiliated to provide intelligence, particularly during periods of increased tension

Evidence of APT28's activity goes back to 2007, and its tooling has evolved significantly over that period, suggesting a high level of skill within an organised development environment. Over 96% of the malware samples attributed to APT28 were compiled on weekdays and within a window that parallels the working day in Moscow and St Petersburg. One caveat a practitioner should keep in mind: a PE compile timestamp is simply a header field written by the build tool, so any single value can be forged, zeroed or left at a compiler default; the indicator only carries weight in aggregate across many samples and alongside the language artefacts noted below.

 Indicators in APT28 malware suggest that the group consists of Russian speakers operating during business hours in Russia’s major cities
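To show what the compile-time analysis above actually involves, here is an added example (my own illustration, not FireEye's tooling or anything from the report). It reads the TimeDateStamp field from the PE file header, then scores every candidate UTC offset by the fraction of samples that land on a Monday-to-Friday, 08:00-18:00 working day. The corpus is constructed: a stub MZ/PE header carrying only the fields the parser reads, with timestamps chosen to fall in Moscow working hours (Moscow was UTC+4 throughout 2014) plus two off-hours outliers. The 08:00-18:00 window is an assumption for the example, not the report's exact parameters.

```python
import struct
from datetime import datetime, timedelta, timezone

# Constructed example (not FireEye's tooling): pull PE compile timestamps and
# test how well they line up with a working week in a candidate time zone.
# Caveat: TimeDateStamp is attacker-controlled; any single sample can be forged,
# zeroed or left at a compiler default. Only the aggregate pattern means anything.


def pe_compile_timestamp(data: bytes) -> int:
    """Return IMAGE_FILE_HEADER.TimeDateStamp (seconds since 1970-01-01 UTC)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # After the 4-byte signature: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def make_fake_pe(ts: int) -> bytes:
    """Constructed MZ/PE stub carrying only the header fields read above; not a runnable binary."""
    hdr = bytearray(0x40 + 24)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)    # e_lfanew: PE header lives at offset 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x44, 0x014C)  # Machine: IMAGE_FILE_MACHINE_I386
    struct.pack_into("<H", hdr, 0x46, 3)       # NumberOfSections (arbitrary)
    struct.pack_into("<I", hdr, 0x48, ts)      # TimeDateStamp
    return bytes(hdr)


def business_hours_fraction(timestamps, utc_offset_hours, start=8, end=18):
    """Fraction of timestamps falling Mon-Fri with start <= hour < end in the given UTC offset."""
    if not timestamps:
        return 0.0
    tz = timezone(timedelta(hours=utc_offset_hours))
    hits = 0
    for ts in timestamps:
        local = datetime.fromtimestamp(ts, tz)
        if local.weekday() < 5 and start <= local.hour < end:
            hits += 1
    return hits / len(timestamps)


def best_offset(timestamps, offsets=range(-12, 15)):
    """UTC offset (hours) whose working week best explains the timestamps, with its fraction."""
    frac, off = max((business_hours_fraction(timestamps, o), o) for o in offsets)
    return off, frac


MSK = timezone(timedelta(hours=4))  # Moscow was UTC+4 year-round in 2014

# Constructed corpus: 20 weekday working-hour builds (13-17 Jan 2014 is Mon-Fri)
# plus two off-hours outliers, all expressed in Moscow local time.
_build_times = [datetime(2014, 1, day, hour, 30, tzinfo=MSK)
                for day in range(13, 18) for hour in (8, 11, 14, 17)]
_build_times += [datetime(2014, 1, 18, 10, 0, tzinfo=MSK),   # Saturday morning
                 datetime(2014, 1, 14, 23, 0, tzinfo=MSK)]   # Tuesday, late night
SAMPLES = [make_fake_pe(int(t.timestamp())) for t in _build_times]


def analyse(samples):
    """Extract compile stamps from a list of PE images and score candidate time zones."""
    stamps = [pe_compile_timestamp(s) for s in samples]
    off, frac = best_offset(stamps)
    return {"n": len(stamps), "best_utc_offset": off, "fraction": frac,
            "msk_fraction": business_hours_fraction(stamps, 4)}


if __name__ == "__main__":
    r = analyse(SAMPLES)
    print(f"{r['n']} samples: {r['fraction']:.0%} compiled in working hours "
          f"at UTC{r['best_utc_offset']:+d}")
```

On real samples you would feed `pe_compile_timestamp` the bytes of each attributed binary and drop obviously bogus stamps (zero, far-future, or the fixed default some compilers emit) before scoring; a spread of offsets that all score similarly is a sign the stamps are being manipulated rather than a sign of a distributed team.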

The tools are suggestive of the group’s skills, ambitions, and identity. APT28 is most likely supported by a group of developers creating tools intended for long-term use and versatility, who make an effort to obfuscate their activity. This suggests that APT28 receives direct ongoing financial and other resources from a well-established organization, most likely a nation state government.

The report goes into a lot of detail about the mechanisms used by these operators, the whole “malware ecosystem” and the commonly used tools, with colourful names such as Sourface, Eviltoss, Chopstick and Oldbait. It provides a great, if somewhat disconcerting, insight into the group's techniques.

Of course, not everyone is convinced that there has been a step change in activity; many IT analysts (particularly in Russia) are more inclined to blame the spike in attack reports on the media and on cyber security companies exploiting clients' fears. That said, Andrei Soldatov, one of Russia's foremost experts on its domestic security services, said the pattern of the attacks did indicate a possible state-sponsored covert cyber war offensive.

In a twist on this analysis, Russia recently announced that it is recruiting for new dedicated cyber forces within the army, with an upfront investment of US$500 million (roughly £315m), according to Sergei Shoigu, Russia's Minister of Defence.

Among the main tasks of the new division will be monitoring and processing information coming from abroad, as well as stepping up the fight against cyber threats and attacks. As part of these plans, the Russian government intends to accelerate the training of programmers, mathematicians, engineers, cryptographers, interpreters and other staff, who will be asked to sign a contract for service in the Russian army.

There does seem to have been a shift towards unconventional, information-based warfare techniques. A recent report by the US Army Special Operations Command on the subject states:

The challenge is hybrid warfare combining conventional, irregular, and asymmetric means, to include the persistent manipulation of political and ideological conflict

The report outlines techniques used by a number of nation states, including Russia, China and Iran, with the latter apparently also mobilising significant resources to weaken adversaries, with the objective of gaining military superiority as well as countering external actions. Indeed, Iran has been blamed for a cyber attack on US Navy and Marine Corps computer networks (as well as for backing the Syrian Electronic Army).

It seems that the soldiers of the future may well spend less time dealing with the likes of Sergeant Hartman (“Full Metal Jacket”) and more training in the relative comfort of cyber space.