CyberWire Daily - The value of the why and the who. [Research Saturday]
Episode Date: June 13, 2020
Proactive, efficient threat mitigation and risk management require understanding adversaries' fundamental thought processes, not just their tools and methods. Cyber threat intelligence analysts combed through 15 years (2004 to 2019) of public sources that have documented the activities of one prolific threat actor, Russia's military intelligence agency, the GRU. Analysis shows that the timing, targets, and impacts of this activity mirrored Russian strategic concerns about specific events and developments. Joining us in this week's Research Saturday are Brad Stone and Nate Beach-Westmoreland from Booz Allen Hamilton to discuss their report and some of the 33 case studies presented in it. The research can be found here: Bearing Witness: Uncovering the Logic Behind Russian Military Cyber Operations.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
data products platform comes in. With Domo, you can channel AI and data into innovative uses that
deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to
your role. Data is hard. Domo is easy. Learn more at ai.domo.com.
That's ai.domo.com.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and
analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
And now, a message from our sponsor, Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks
and a $75 million record payout in 2024.
These traditional security tools expand your attack surface
with public-facing IPs that are exploited by bad actors
more easily than ever with AI tools.
It's time to rethink your security.
Zscaler Zero Trust plus AI stops attackers
by hiding your attack surface,
making apps and IPs invisible,
eliminating lateral movement,
connecting users only to specific apps,
not the entire network,
continuously verifying every request
based on identity and context,
simplifying security management
with AI-powered automation,
and detecting threats using AI
to analyze over 500 billion daily transactions.
Hackers can't attack what they can't see.
Protect your organization with Zscaler Zero Trust and AI.
Learn more at zscaler.com slash security.
In strategic threat intelligence, what we're trying to get at is understanding the logic,
preferences, and motivations and intentions of adversaries.
Our guests this week are Brad Stone and Nate Beach-Westmoreland from Booz Allen.
The research we're discussing is titled Bearing Witness,
Uncovering the Logic Behind Russian Military Cyber Operations.
So the GRU is a threat group that has had a tremendous amount written about it over the past decade.
It's possibly one of the most thoroughly covered adversaries out there.
That's Nate Beach-Westmoreland.
As we were looking back on
everything that's been written about it, we realized that there's really no comprehensive
big picture that gets at understanding why did the attacks happen? Why are they in this particular
form at this particular time against these particular targets. So given the amount of
public attribution that we'd seen about this adversary, I think at Booz Allen, we saw that
there was a real opportunity to dive deeply and with confidence into connecting all of these
attacks and operations together in order to try to find some big picture. What is the logic of GRU operations?
Brad, what can you add to that? I think just beyond the specific motivations of one group,
it's also a reminder, and there's a lot of debate in the threat intelligence community on the value
of the why and the who. And in this case, we're trying to remind the readers and the entire
community that understanding the motivation of your adversary is really important in this
conversation. It gives a prioritization and it gives an ability to think forwardly against your
adversaries to drive the decision-making as not only a set of executives, but across an entire ecosystem.
So often, cyber threat intelligence can be viewed as a commoditized kind of tactical problem.
And some of this is to help folks remember the need for that strategic threat intelligence to get a full view of the battle space and to make the right decisions,
no matter what your organization is facing.
Let's just start off with some introductory stuff here.
Can you sort of describe to us, give us the setup here?
What are we talking about in general when we start a discussion about Russia's GRU?
The GRU, or the Main Intelligence Directorate of the Russian Armed Forces, is Russia's military intelligence and special forces agency.
They exist essentially in order to monitor world events and to use covert actions in order to secure Russian military interests. When we're talking about this military
doctrine, we are looking at what does the Russian military think is their purpose?
What do they think are the general modes of operation they should be using in order to secure their interest to advance,
you know, the GRU, the Russian military's goals. So those are the two things we're really talking
about, the GRU and the Russian military doctrine, the organization and how they think about the
world. One of the things that you unpack here is you lay out an analytical framework for understanding
the Russian military and how they go about conducting their cyber operations.
Can we delve into that some?
What are you describing here?
All right.
So approximately every five to 10 years, the Russian military publishes this document.
It's a publicly available document in
English and Russian and all manners of languages called the Military Doctrine of the Russian
Federation. This is a strategic planning document, not a playbook. It is an expression of the highest
levels of the Russian military's leadership views of what is their organizational
purpose, what are their strategic goals, and in a thematic sense, how they think the military
should be acting on those objectives. On the surface, it's not really a shocking document
about what they see as their goals. It's securing the Russian Federation from military
threats. What gets interesting, I think, is what they define as military threats.
And some of the stuff, when you look at the report, you say, oh, of course, the Russian
military is concerned about military exercises near their borders or the rise of new governments on their borders that are unfavorable to the Russian government.
That's not a surprise that the military would be concerned about that.
But it sees other things as military concerns.
They're concerned about the preservation of military, of patriotic, historical,
national traditions. These are a military concern. So the question is, why do they see some of these things that we don't traditionally think as military concerns as stuff that the
Russian military cares about.
In the report, we mentioned something called informational conflict.
This is a core idea amongst the Russian strategic planners that international relations shouldn't
be thought of in terms of, say, traditional military conflict with,
you know, missiles, guns, bombs. It's more broadly a conflict over ideas, over perceptions,
over political will. And you use all facets of government in order to secure perspectives,
political will, emotions that are supportive or at least not pushing back against your ability to secure objectives.
So you may care about unfavorable governments on your border that may have armies, may have
militaries that would oppose you, but you also care that, say, people no longer
think of the Red Army and World War II as being a great savior for Eastern Europe, because they
might not want to work with the Russian government in the future if they think of Russia as being a
dangerous, a threatening country. In this declaration of military doctrine, are there
any particular things that stand out to our sensibilities, to our Western sensibilities,
that leave us scratching our heads or seem odd or misplaced? So one thing that the Russians
are concerned about is provocation of Russian political strife.
Now, in the U.S., we, of course, as we've seen over the past few years, very concerned about what role Russia has had in, say, influencing political discourse in the United States.
From the Russian perspective, they are equally concerned about that happening in Russia, affecting political discourse in the country. The difference is that the West sees,
say, overt political groups, open society organizations, democracy promotion groups,
things that are above board are considered acceptable, whereas Russia conflates
all manner of political jockeying, a political influence to be unacceptable within Russia.
So that's, for example, a big disconnect that we see between Russia and the United States.
The report goes into several case studies.
Can we dig into one or two of those, use them as examples for some of the things you've outlined here?
Sure.
So, for example, Russia really cares a lot about fair dealings in international relations. You know, the idea that there's a major threat to Russian interests
if there's a failure to comply with international agreements and treaties.
So what does that mean?
The International Monetary Fund, the IMF,
has traditionally said that a country may not receive loans if they are refusing to pay
back existing loans to other countries. So in this case, Ukraine in December 2013 had taken a major loan from Russia in exchange for better gas prices, natural gas prices.
And after the Ukrainian government fell in a revolution in 2014, the new government in Ukraine said,
this was an unfair deal. We refuse to pay back this loan.
Russia became very displeased with this. And understanding Russia's displeasure about this loan gives a lot of clarity into a
series of cyber attacks that would happen over the next several years in Ukraine. So, for example,
in 2016, Russia's GRU disrupted power in Kiev, the capital of Ukraine, through cyber means. This attack, taken on its own, appears to be just another
Russian attempt to scare, demoralize, and upset the people of Ukraine. But when we place it in
the geopolitical context, it starts to make a lot more sense. The malware used in this attack
called Crash Override worked on a timer. It was set to go off on December 17, 2016.
And if it would not go off on December 17, it had a backup date of December 20.
Those two dates are exceedingly significant related to this energy loan between Ukraine and Russia. December 17 was the anniversary of the 2013 loan agreement being signed between Russia and Ukraine.
And December 20th was the one-year anniversary of Ukraine defaulting on that energy loan.
The target, Kiev, further drove home the political aspect, the political signaling of this attack.
It's interesting to me with this notion of hybrid warfare and how the cyber domain applies to that.
Russia's skills and capabilities in the cyber domain,
do these provide them with an outsized amount of influence and capabilities relative to their size on the world stage?
So Russia isn't unique in these capabilities, in using a combination of cyber capabilities along with all the other capabilities of government in order to advance national interests. So what we're talking about in the case of Russia is
not just espionage, which so many other countries do in order to monitor problems around the world. But they're also combining it with
information conflict that, say, they're leaking documents, doing those leaks in combination with
all those other capabilities of government. So, for example, in May 2014, there was an election in Ukraine for the first new presidency of Ukraine after the Ukrainian Revolution.
We saw on election night a series of steps taken both in the cyber space and in the real world space in order to advance narratives useful to the Russian government.
The Russian government had tried to portray this new government in Ukraine as being hostile to Russian nationals, ethnic Russians inside of Ukraine,
hostile to other non-ethnically Ukrainian minorities.
And how did they do this in the combination of cyber and real-world means?
The GRU, they attempted to sow doubt and fear that night by changing election results that were presented on the website of the Ukrainian Central Election Commission.
They disrupted servers at the Ukrainian Central Election Commission, preventing them from determining the real results that evening. And then Russian-linked media began announcing these fake results that were being plastered on the Central Election Commission's website.
This resulted in a nearly 24, 48-hour delay in an ability to determine what the accurate results were,
to communicate them to the public, and convince the public that the Central Election Commission had their act together.
Specifically, the fake results showed that an extreme, hostile, violent right-wing politician had somehow managed to take power in this election.
So therefore, the Russians were right, it appeared,
that hostile Ukrainian nationalists had taken over the country.
And the Central Election Commission was now on its back foot trying to provide what the
real situation was.
Now, obviously, as we head towards our election here in 2020 in the U.S., what are the lessons that we take away from this?
Is this a cautionary tale?
Is this a demonstration of efforts from the Russians
to a warning shot across our bow, if you will?
I think for election security generally
in countries that have difficult relations with Russia,
there's a need to think
more generally about what the end objective of this election interference is
and how Russia thinks about achieving those objectives.
So there's a lot of discussion about, say, changing the actual vote totals through election machines, through
voting machine hacking and so forth. And that's really losing the sense of the big picture. It's
not about trying to win an election by inserting fake vote totals that actually stick. It's about
decreasing confidence in the electoral system. And so
how do we see that in Ukraine? It's through just targeting the publicly available vote totals put
on websites. So in 2016, the Senate has said that Russian operators were looking at, say,
county websites, election commissions throughout the United States.
The concern might be, well, the Russians are trying to change vote totals, like the actual
vote totals, but a much simpler and perhaps almost as useful tactic could have been, say,
similar to the Central Election Commission in Ukraine, where you deface these websites. Website defacements
are not a technically challenging thing to do, done by hacktivists, that easily the Russian
government could do against at least some target election commissions in countries with difficult relations with Russia. And if I could build on that point from Nate's view the other day,
as a call to arms, it's as much a,
when you start thinking about high value assets,
often I think the mind goes to the complex and really nefarious
and a motivated, resourced, and patient organization
will find the easiest approach.
And I think that's when the doctrine is understood and the objectives are understood, it really gives an extra perspective into that view of high-value assets, which no matter what the mission or the objective is, is kind of critical.
It's always easy for organizations to figure out, yeah, I have valuable data, things, but
this article and paper is intended to help folks think broader about what they're trying
to protect and their adversaries' utility in disrupting that.
So we've talked about elections, but that's across the spectrum of things. And
that's where it's really important to have that context, because without that context,
it's just viewed as a cat and mouse game when it's much more complex than that.
Well, let's wrap up with that. I mean, gathering together all the information that you have,
taking this high level view and the breadth of things that you've looked into here, what's the through line here?
What's the take home in terms of what people need to take away from this report?
And what they need to take away is that geopolitical context matters.
Political context matters. It's not just enough to understand how your adversary is conducting attacks, but to understand why they are conducting attacks.
If you understand why attacks occur, you can start to design your security posture around what you think will happen in the future. So that's one key thing.
The other thing is we need to be spending more time looking for non-technical indications and
warnings of state-linked activity.
What the report shows is that hacking, quote-unquote, is just one tool in a government's
toolkit to advance their agendas and secure their interests. Now, diplomacy, military,
state-backed media, these can all be the shark's fin above the water that can tell you cyber threat activity could be coming.
Many of the examples in our paper we saw, you know, the Russian government coming out and saying
we are going to threaten various organizations with legal action. We are going to sue the IMF,
the International Luge Federation, a French shipbuilding company due to various conflicts.
And each of these threats ended up preceding cyber attacks
we believe were related to these disputes.
So look for the non-technical indicators
to find indications of future state-linked activity.
Yeah, that's fascinating.
That non-technical part, Dave, is just really a critical element of this.
And that's the idea of, again, strategic threat intelligence.
Everybody is challenged with not enough resources, not enough time.
And so much of the industry is focused on accelerating response activities.
But we hope folks read this report.
They think of the broader picture as Nate's laid it out.
Because this is what CISOs and executives need to think through as they formulate their defense.
And we're all just trying to be more proactive.
We're trying to be ahead of the threat, and we're trying to prioritize our resources.
So making sure that this context, the why, is such a critical element to help organizations get out of that constant reaction mode that all of us face and really, in the end, is unsuccessful.
Our thanks to Brad Stone and Nate Beach-Westmoreland from Booz Allen for joining us.
The research is titled Bearing Witness,
Uncovering the Logic Behind Russian Military Cyber Operations.
We'll have a link in the show notes.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
The Cyber Wire Research Saturday is proudly produced in Maryland out of the startup studios of Data Tribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Bond,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson, Bennett Moe, Chris Russell.
Thanks for listening.
