The Dangers of Russian Hacking

The attack began on April 27, 2007.   Friction between Russia and Estonia had been on the rise ever since Tallinn announced its intention to remove a Soviet-era war memorial from its capital square.  With nationalist feelings at play on both sides, tensions were high.  As the massive bronze statue was carted away, Estonians wondered: how would Russia respond?

They soon got their answer.  A series of massive cyber attacks, launched from Russian ISPs, targeted Estonian government, media and private businesses on the web.  Bank websites were hacked, government Internet services became inoperable, and several times, under the weight of the distributed denial of service (DDoS) attacks, the entire Estonian Internet was effectively shut down.  Urmas Paet, Estonia’s Foreign Minister, accused the Kremlin of direct involvement and warned “Russia is clearly testing NATO and the West”  (but Moscow denied involvement).   The barrage lasted for weeks, and even when it stopped, it took months for Estonia to fully recover.

The shield of the FSB, Russia's Federal Security Service

In the end, it was clear nearly all the attacks originated in Russia – some from government addresses – and appeared more coordinated than just a patriotic hack-attack.  Most agreed: the world had just witnessed the first genuine cyber skirmish.  Other attacks would follow – in Chechnya, in Kyrgyzstan, and perhaps most famous, the coordinated cyber attacks on Georgia, just weeks before that nation and Russia would be embroiled in actual war.

“The threat from China is overinflated, (and) the threat from Russia is underestimated,” says Jeffrey Carr, in an interview with VOA.  Mr. Carr is the author of the book “Inside Cyber Warfare,” and CEO of the web security firm Taia Global.  “Russia certainly has been more active than any other country in terms of combining cyber attacks, or cyber operations, with physical operations.  The Russia-Georgia war of 2008 was a perfect example of a combined kinetic and cyber operation.  And nobody else has ever done that – China has never done anything like that.”

It’s not exactly news to say that Russian and East European hackers are unusually skilled at writing malicious viruses, or that criminal groups like the “Russian Business Network” are good at organizing computer scams and attacks.  Perhaps as a result of very strong technical schooling, Russian hackers are frequently listed among the most sophisticated players on the scene.

What Carr says is worrisome is the closeness between these shadowy groups and official Russian security agencies, and Moscow’s seeming willingness to embrace cyber war as form of battle.  And Carr isn’t alone.

Even the U.S. military sees growing threats on the web.  This week, the Pentagon released its first ever full report on cyberspace, effectively declaring the Internet a legitimate field of battle.  While not targeting Russia specifically, the report’s authors caution that nations will increasingly be tempted to wage war online by using unofficial hacking groups in order to maintain deniability.  It’s a tactic Carr says his firm has documented before, one that he says connects the Russian Federal Security Service, or FSB, to organized illegal actors:

“We take a deep look at the organizations in the Russian government that are involved with information security – who are they, where was the training done, who are the people involved.  And then we look at who the actors are – those typically are Russian or Ukranian hackers.  In many cases we’ve found that they’re members of the Nashi, which is a very pro-Kremlin youth organization set up in 2005 by Vladislav Surkov, who is sort of the chief ideologue and is a very strong proponent of information warfare.  So this is how we build the case.”

Carr draws a difference between coordinated cyber war and what he calls “logic bombs” – computer programs created to wreak havoc on an opponent – of which the Stuxnet virus is only the most recent example.  The first documented “logic bomb” dates to the early 1980’s, when the CIA hid code in software used to control Soviet Russian gas pipelines, resulting in what one security official calls “…the most monumental nonnuclear explosion and fire ever seen from space.”  The apparent success of Stuxnet guarantees more of these viral “bombs” in the future.

There are Russians who are equally concerned about the spread of hostile actions on the web.  One of them is Evegeny Kaspersky, founder of the computer security firm Kaspersky Labs.

“I fear the ‘net will soon become a war zone,” he told editors at Der Spiegel in a recent interview.  Kaspersky says he now believes that a major power blackout that hit North America in 2003 was the result of a computer virus, and that with more critical national infrastructure connected to the web, the number of security targets has multiplied:

Kaspersky: In the Soviet days, we used to joke that an optimist learns English because he is hoping that the country will open up, that a pessimist learns Chinese because he’s afraid that the Chinese will conquer us, and that the realist learns to use a Kalashnikov. These days, the optimist learns Chinese, the pessimist learns Arabic…

SPIEGEL: And the realist…?

Kaspersky: …keeps practicing with his Kalashnikov. Seriously. Even the Americans are now openly saying that they would respond to a large scale, destructive Internet attack with a classic military strike. But what will they do if the cyber attack is launched against the United States from within their own country? Everything depends on computers these days: the energy supply, airplanes, trains.

Of course, identifying the source and sponsorship of any particular hack is notoriously difficult.  “Viruses unfortunately don’t carry ID cards,” winks Kaspersky.  Moreover, Russian authorities insist they’re committed to fighting illegal online activities and counter that various studies name China, not Russia, as the source for approximately 40% of all malicious Internet activity.

That may be, but because of the decentralized structure of the Internet, it’s extremely unlikely that spammers actually use their own computers or even networks in their nation.  Rather, they’re much more likely to use “zombie botnets” located in other countries – basically computers that have been infected and can be controlled by a hidden hacker.  So there’s a good chance many of those hack attacks that “originate” in China didn’t begin there.

Then why does China get so much of the blame for Internet attacks?  “Because it’s easier to blame China,” says Carr.  The fact that so many Eastern Europeans have been implicated or arrested for conducting cyber crime, he says, strongly suggests the real source of the attacks:

“They use servers in the Netherlands, they use servers all over the world.  They use servers in the U.S., China, many other countries.  You don’t use a server in your own country – it kind of defeats the purpose of plausible deniability on the Internet.  In my opinion it’s just naive to believe that China is so inefficient that they’re just going to use Chinese servers when they launch these attacks.  Any one of us can go online, pick any one of a half dozen Chinese ISP companies and, from Washington, D.C., buy server time.  We can set up an email account, we can set up a website, and we can start sending out emails in 24 hours or less which will resolve back to China.”

This isn’t to say that Russians don’t take the Internet seriously – far from it.  In 1998, the Kremlin created “Directorate K” – an official security branch of the Ministry of Internal Affairs focusing on the Internet and cyber crime.  The goal of Directorate K is clamp down on hackers, spammers, phishers and anyone else engaged in illegal activities online.  However, human rights activists say it’s actually taken on a different role – that of spying on and silencing critics.  In a recent report, Taia Global researchers note several examples of cooperation between Directorate K and the FSB in “supress(ing) domestic political dissent,” including shutting down websites, radio stations and others.

In addition to what seems (to some) like a cozy relationship between government and hackers, security analysts point to another security concern.  By law, any firm operating in Russia – foreign or domestic – must turn over all information demanded by the FSB.  That could be the owner of a website, an anonymous user’s identity and emails, or the source codes and encryption keys of services like Facebook or Skype.  Writing this April in DefenseTech, correspondent Kevin Coleman quotes an unnamed source as saying “This is a concerted effort by the FSB to get access to encryption keys needed to decrypt communications.”  Moreover, the FSB can request that certain bits of code be inserted and hidden in various operating systems, raising the potential worry of millions of devices unknowingly being used to gather information.

Laws like these aren’t unique to Russia, and it’s an unspoken assumption that every nation – including the United States – is engaging in shadowy activities of questionable legal status online.   But for analysts like Jeffrey Carr, what makes Russia a unique threat is both the size of its talented hacker pool and the close relationships between state agencies and hackers.   Addressing the problem will mean a close examination of just what products come from where, and who might have access to them:

“The biggest thing is emphasis on trusted supply chain.  Right now we’re at risk because so much of our (research and development) is being done in Russia.  Intel is a perfect example of a company that’s been in Russia for many years.  They’re completely owned, for lack of a better word, by the federal security service there.  There are no secrets.  And we’re using Intel chips in everything.  There are Russian software companies that have been acquired, or who’s products are being used in U.S. software – in industrial control systems, or may have to do with devices on mobile phones.  One of the programs used to read a Microsoft document on your BlackBerry is Russian software.”

It’s enough to make him stop and consider just how vulnerable a wired nation like the United States could be in the face of a directed, massive cyber attack controlled by a foreign government.