Geopolitics part 1: Russia

The age of Cyber-Warfare

Blog by Eward Driehuis, Chief Research Officer

Last year saw the weaponization of malware becoming mainstream. Specifically, the WannaCry and NotPetya attacks did vast amounts of damage. These attacks were essentially generic ransomware with one difference: apart from a few unverified claims, victims who paid the ransom did not get their files returned. With word spreading that these criminals couldn’t be trusted, ransom payments dwindled quickly. What was left was destruction. These actors no longer had financial motives, and researchers frantically sought explanations. Nation-state-sponsored groups were the most plausible perpetrators, with North Korea being a prime suspect for WannaCry, and Russia for NotPetya. Advanced Persistent Threats (APTs) associated with nation-state sponsorship are now everybody’s problem. Geopolitics is an increasingly important factor in assessing the threat landscape, with InfoSec professionals having to deal with destructive attacks that have no monetary incentive and are undertaken to support geopolitical goals. In 2018, geopolitical tensions increased and some of the greatest disruptions came from alleged nation-state-sponsored groups. The following chapter outlines the most relevant events identified.

Who are the ‘bad nations’?

Which countries constitute ‘adversary nations’ largely depends on where one lives. If you’re a NATO ally, it’s a handful of nations located in the eastern hemisphere, attributed with hacking for geopolitical purposes. There are no global standards for determining ‘adversary nations’; however, APT hacking groups are widely deemed to be nation-state sponsored. If we look at a list of these APTs, we see Russia and North Korea making the headlines and Iran increasing its capabilities over recent years. Vietnam appears to focus on local geopolitical aims, while China has the most APT groups, all focusing on industrial espionage. We should be mindful of the fact that this report is written with a Western bias. Conversely, for those living in the eastern hemisphere, the USA, UK, Israel, France, Germany, Sweden and the Netherlands would likely be classified as APT ‘adversary nations’.

Russia-related activity

Russian nationals have been attributed with cyber-attacks since 2006. Over recent years the Russian government has been accused of both implicit and explicit involvement in numerous attacks and information warfare. The associated APTs are APT28 and APT29, and 2018 saw many such attacks, including those listed below:

January 2018

During the weekend of January 27, 2018, distributed denial-of-service (DDoS) attacks began targeting banks and government departments in the Netherlands. They continued for several days and, in many cases, caused severe interruption to retail payments and online banking.

A week prior, a story had broken claiming US authorities had been ‘bragging’ over ‘friendly spy agencies having access to FSB networks’. A Dutch article then reported that Dutch spies were hacking into the Russian spy office (APT29) and warning the US of potential DNC and other hacks. Many amateur cyber sleuths suspected the DDoS attacks were a coordinated retaliation by Russia. It later became apparent that the DDoS attacks were in fact executed by a Dutch teenager, who thought “it would be fun”. Claims of the Dutch hacking of the Russians have not been refuted, however.

February 2018

In February 2018, Robert Mueller, special counsel investigating the 2016 Russian interference in the US election, indicted thirteen Russian nationals, accusing them of interfering in the 2016 US election. Twelve of the accused worked for the Internet Research Agency, a notorious Kremlin-linked Russian troll farm.

In the same month the White House blamed Russia for the NotPetya attack. NotPetya, although smaller than WannaCry, did infinitely more damage and is considered to be the most destructive cyber-attack to date.

March 2018

Many security researchers reported on Olympic Destroyer malware targeting the back-end servers of the South Korea Winter Olympics with destructive attacks. What was special about Olympic Destroyer was the numerous built-in false flags all pointing to Lazarus Group, thought to be connected to North Korea. Apparently, the attackers were attempting to sow confusion about their identities, pointing to a specific and plausible adversary. Again, there is a plausible narrative here given the humiliation faced by Russia on the global stage following the banning of most Russian athletes from the same Olympics for alleged doping abuse.

June 2018

Kaspersky’s Global Research and Analysis Team (GReAT) discloses it is tracking attacks with Olympic Destroyer and APT28 / GRU (Russia’s top military intelligence service) footprints. The attacks are targeting ‘chemical threat prevention labs’. It is unknown if the motive was connected to the Salisbury poisonings; however, a plausible narrative emerged that the Russian cyber offensive failed, and months later Russia sent in operatives to carry out the Skripal poisoning. This narrative remains largely based on circumstantial evidence.

July 2018

Robert Mueller indicts twelve Russian nationals. The indictment details a complex effort by Russia’s top military intelligence service (the GRU) to sabotage the campaign of President Trump’s Democratic Party rival, Hillary Clinton. Three of the twelve were present in the October 2018 World Anti-doping Agency (WADA) and Organisation for the Prohibition of Chemical Weapons (OPCW) indictments and have been allegedly involved in both efforts.

October 2018

In October, the US indicted seven Russian nationals for espionage relating to WADA, the anti-doping agency, the 2016 Olympics, and OPCW, a chemical threat prevention laboratory. Earlier that day, the Dutch Ministry of Defense (MoD) held a press conference where it referred to four of the seven Russian nationals having been apprehended in April. The four men had travelled to the OPCW offices in the Netherlands and had attempted to hack into the Wi-Fi. The OPCW investigated the Skripal poisoning, Syrian chemical warfare, and MH17. The four men were caught red-handed, their tools and laptops confiscated, and they were deported, since they held diplomatic passports. The MoD proceeded to disclose the tactics and procedures used, in detail. In a statement seen by many as a response to the information warfare, they disclosed GRU methods, including Wi-Fi tools and fake passports. Bellingcat, the open source intelligence organisation, used these details to expose hundreds of alleged Russian agents.

Other activities of APT28

In 2018, various other events were attributed to APT28 that have no obvious connection to those mentioned above:

LoJax is a particularly dangerous tool. Allegedly used by APT28, it’s the first UEFI Rootkit detected in an attack and is used to gain persistent access outside of the visibility of the operating system.

The Internet of Things botnet ‘VPNFilter’ is also suspected to be of APT28 origin. The botnet infects end-of-life internet devices with default passwords and low security. The intent is unclear, although researchers have found clues in the malware having SCADA inspection capabilities. This indicates that it may be seeking the disruption of critical infrastructure in countries where cheap devices are used in critical environments.

Curious about part 2?

In the next part we describe the threats from China and North-Korea.
