The Kremlin’s cyber contractors. Their motives and risks

The Kremlin’s cyber army has become a formidable threat around the globe, with cyber attacks targeting not only states but also private companies. Cyberspace is still largely a free-for-all, with no mechanisms to hold states accountable for malicious attacks. However, the Kremlin’s contractors – private companies and individual hackers – are the ones who pay the price when a Russian cyber attack is uncovered. Here is what we know about the Kremlin’s cyber contractors, what drives them, and how they are exposed.

How the Kremlin recruits hackers

By spreading its ideology of “spiritual moral values” combined with “patriotism,” Moscow gains volunteers who wish to enforce these values both online and offline.

A recent report by the Russian channel “Rain TV” (Dozhd) about cyber-vigilantes shows how deeply the Kremlin has embedded the message that “moral values are a matter of national security” in society.

These volunteer cyber-militants cooperate with Russian state institutions to point out “extremists” on the web. There is even a draft law from the ruling party “Yedinaya Rossiya” that would legitimize their status and the hacking they undertake.

This measure is a further step toward controlling the information space inside the country and monitoring the protest mood of the population.

Internationally, one of the motivating elements for hacking groups working with the Kremlin is national pride, as in the case of “Fancy Bear” (known as APT28), which hacked the World Anti-Doping Agency and revealed US and UK athletes’ (so far legal) drug use. It was done as revenge for the banning of Russian athletes from the Olympic and Paralympic Games for drug use.

Patriotism is not the Kremlin’s only method of gaining support from activists, including cyber-activists. Another way to build governmental “cyber-strength” is to encourage those with particular skills and talents.

By placing ads on social media sites, government-backed recruiters offer jobs to college students and professional coders.

One of the most efficient approaches is to find those hackers who “have problems with the law” and blackmail them. Back in 2013, Russian Deputy Minister of Defense Gen. Oleg Ostapenko said that the ministry was forming units called “science squadrons” and that they might include hackers with criminal histories. The same year, cyber-criminal Aleksey Belan was arrested in Greece at the request of the USA, but avoided extradition and fled to Russia. There he was trapped: he was forced to work for the FSB in order to avoid further criminal charges. On the orders of Russian intelligence, and together with another “hacker for hire” from Canada, he conducted cyber-attacks against Yahoo.

Not only criminals are blackmailed, but also those who act in good faith. The 2015 story of Mr. Vyarya, a coder who was put in a position where he had to refuse to work for the Russian government, shows how cruel these methods can be.

Mr. Vyarya, who helped to secure the websites of opposition leaders and media channels, was “forced” to witness a DDoS attack carried out with Bulgarian software which the Russian military contracting company Rostec planned to buy. Following this cyber attack against Ukraine’s Defence Ministry, he was asked to “run” and improve this software. After he declined the job offer, he was forced to flee the country.

One more type of recruiting is to give tasks to programmers without telling them the purpose, as in the case of a Ukrainian coder who was paid to write customized malware without knowing what it was for, only later learning it had been used in Russian hacking against Ukraine and other Western states.

Attribution of cyber-operations: how do we know it was the state?

Governments and private companies are increasingly able to discover and attribute cyber operations. A sound assessment of a cyber attack should consider who benefits from the attack and whether it could be a false flag operation. To properly attribute the attack, one has to consider both the intelligence and the technical components of the operation.

Credible attribution implies that society trusts the attributors. In many cases, the attributors are intelligence services that do not tend to declassify their sources. Besides, “international cooperation is needed to discover every element in the chain of a cyber attack.” An example of such cooperation is the Five Eyes intelligence grouping, made up of the UK, the USA, Canada, Australia, and New Zealand, which attributed the devastating NotPetya attack to Russia and WannaCry to China.

In 2018, the intelligence services of the US, the UK, and the Netherlands attributed cyber attacks against the World Anti-Doping Agency and the Organisation for the Prohibition of Chemical Weapons to Russia’s GRU-backed hacker group Fancy Bear (APT28), the group that became bolder after hacking France’s TV5 in 2015. Dutch intelligence was able to track the Russian hacking group “Cozy Bear,” which is blamed for the attack against the Democratic National Committee. In these cases, the states concerned were able to attribute the attacks and share their findings with their societies, which made the attribution credible. The evidence may not always be made public, but that does not mean it does not exist.

Not only public services monitor the attacks; private companies report on Russia’s cyber-interference too. For example, the above-mentioned “Cozy Bear” was first identified by the Russian-born Dmitry Alperovitch, co-founder of the US firm CrowdStrike. The Dutch company Fox-IT identified the Russia-backed group “Turla,” which used the Snake rootkit malware to hack the German Bundestag at the end of 2018 and the Belgian Ministry of Foreign Affairs in 2014. CrowdStrike helped investigate the Gameover ZeuS cyber attacks, linked to a criminal with the nickname “lucky12345.” Gameover ZeuS aimed at stealing victims’ bank account data. After more than 10 years of tracking, thanks to the joint efforts of public institutions and private firms, the mastermind was identified: Evgeniy Bogachev, a resident of the Russian resort city of Anapa. The investigators established that Bogachev’s network was involved in collecting information on Ukraine right before the Russian invasion of the country. Connecting these dots supported the assumption that he worked for the Kremlin.

The American IT company FireEye and the Finnish F-Secure each published papers revealing Russian government-backed cyber operations: the first, “APT28: A Window Into Russia’s Cyber Espionage Operations?” (2014, complemented with new evidence in 2016), and the second, “The Dukes: 7 Years of Russian Cyber-Espionage” (2015).

Ukrainian cyber-security experts Viktor Zhora and Nikolay Koval were able to identify the malware that was used to load a graphic faking the election results onto a Ukrainian election commission server. This fake image was then used by Russian TV channels to spread the lie that the “ultra-rights won Ukrainian parliamentary elections” in 2014.

The EU takes the position that “attribution to a state or a non-state actor remains a sovereign political decision based on all-source intelligence and should be established in accordance with international law of state responsibility.”

Outsourced Kremlin cyber-operations: what are the risks?

There are plenty of risks for the Kremlin and for any other state that plans cyber-attacks using its taxpayers’ money. Firstly, cyber operations embroil such countries in real-world scandals that undermine rather than advance their own policy goals and weaken international cooperation on issues of global importance. Secondly, cross-border operations are hard to control, and mistakes made by hackers can escalate quickly. And thirdly, cyber-criminals may hit back – they may reveal the names of those for whom they work or leak any other information.

Risks for companies

IT firms that willingly accept job offers originating from the Kremlin compromise their commercial and reputational standing. In 2014, the Italian company “Hacking Team” lost its export license because it sold iPhone hacking software to Advanced Monitoring, a Russian firm working with the FSB. Also, misleading information about who is behind certain public information campaigns can lead to social media pages with millions of followers being taken down, as in the case of Maffick Media.

Hacked emails of the Russian company 0Day Technologies revealed that it helped Russian secret services conduct their activities in cyberspace. Such cooperation erodes trust in the company when it is revealed.

At the same time, other Russian companies like Kaspersky Lab want to show that they “distance” themselves from the Kremlin after allegations of Kremlin spying.

Risks for IT specialists

Hacking for the state does not strip these actions of their criminal nature. When the attacks are discovered, the state for which the hacker works denies its involvement. Despite public campaigns to recruit hackers, Moscow never admits that they work for the Russian government and abandons them when they get in trouble. The trouble can be of different sorts: hackers and their families face the risk of financial or legal consequences, and when they are “trapped” in Russia, they cannot travel to Europe for education, vacation or work.

In 2014, for the first time, a criminal case was opened in the USA in regard to a Russia-backed large-scale hacking operation. Two programmers, Karim Baratov, a Canadian of Kazakh origin, and the above-mentioned Latvian Alexey Belan, were paid by Dmitri Dokuchaev and Igor Sushchin, two Russian intelligence officers, to break into 6,000 accounts and obtain information on half a billion Yahoo accounts. The British intelligence service MI-5 played the key role in the attribution of this attack. “Hacker for hire” Baratov was sentenced to five years in prison, whereas Belan has been put on the “most wanted” list in the USA. Dmitri Dokuchaev was arrested in Moscow on suspicion of sharing information with foreign intelligence.

When cyber-attacks get attributed, which happens often nowadays, the individuals face high risks of getting trapped between criminal charges and blackmail, and the companies of losing their reputation and licenses. Cyber-operations taint those working for the Kremlin; they embroil Russia in scandals with other states, undermining international cooperation on issues of real, global importance.

This publication is made in the framework of the upcoming conference “Behind the Digital Curtain” by the Brussels-based NGO Promote Ukraine.

Marta Barandiy is a Ph.D., International Lawyer and Brussels-based analyst.