It just may be that the recent Russian cyber attacks against the U.S. were not as unprovoked as it may have seemed. According to a recent report released by Russia’s Rostelecom-Solar, a national cybersecurity technology provider, together with the NCCCI (National Coordination Center for Computer Incidents), a major attack on Russian federal agencies by a nation-state took place at some point in 2020.
The original information on this attack is available only in Russian. If you go to the Rostelecom website where the story was published, you can only read it if you allow your browser to translate it. If you click the “English” version button provided, you will not get the story. This seems to indicate that this group was only interested in giving its partners, or other Russian companies and agencies, a heads-up in fear that this or similar attacks could take place again. The complete report on this incident, also available only in Russian, gives details that other enterprises can use to avoid being victims.
There is no clear date given for the nation-state attack described in the report. There is also no mention of the nation-state responsible for the attack. Russia has no shortage of adversaries who would take great delight in breaching their government networks. Among the most prominent, though, would be Ukraine and the U.S. Though no specific date is given, it would not surprise me to learn that an attack was launched by the U.S. intelligence community after the November election. Why? Because President Trump gave the intelligence community free rein to launch attacks as they saw fit, and they needed to take advantage of this freedom before the next administration began and, perhaps, took their freedom away.
So what exactly was this attack that so alarmed the Russian intelligence community? What about the attack made Russia decide to launch a major cyber counterattack against the U.S.? What attack vectors did the original attack use, and what did the attack accomplish?
Of course, no intelligence community is going to admit that it was totally outmaneuvered by a rival intelligence agency. Everything is downplayed, and the conclusion given to the public is that the attackers accomplished nothing much. My guess is that the report follows this template. It downplays the seriousness of the attack, but the fact that such a report was published at all indicates how serious the attack was.
The attackers followed a common path in compromising a government network. In fact, most hacks follow the same pattern; the sophistication lies in the details. They likely used a supply chain attack. They used well-designed emails to phish workers of contractors connected to government networks. Once on these networks, they lay low, studied the organization, and learned about its concerns and operations. They learned which topics were being discussed in emails and used these topics in the phishing emails they sent to other agencies, probably from an email address within the organization that they controlled. These emails must have been well-designed because, according to the report, the key to gaining control of the networks was getting the targeted person to enable a macro on a document. It is not clear from the translation whether this refers to Microsoft Office documents, but since the Windows OS was named in the attack, this is likely the form the attached document took. Besides, no attachment is more widely used to spread malware than an Office document, as can be seen in a graph modified from Kaspersky.
Most people know not to enable a macro, so the victim must have been quite convinced of the document’s authenticity to take this step. The attackers also used weaponized apps to compromise end users. In short, they looked for vulnerable endpoints to compromise from a number of angles and, from these footholds, worked their way through the networks until they found and compromised a victim who had full administrative rights. At this point, they would have full control of an agency’s network. They could use this control to branch out to other agency networks within the government. As they worked their way through the networks, they would also see which software was being used and compromise it, when possible, by exploiting known and unknown (zero-day) vulnerabilities. Among the software compromised, according to the report, was Kaspersky antivirus, which they were able to disable. They also used some of its features to help them scan the networks. In fact, the report claims that the attackers used its klnagchk utility, which Kaspersky describes as a “utility used for analyzing Network Agent connection parameters”. The attackers extended their control to the mail server, Mail.ru, and the Yandex cloud, where they also stored some of the stolen data. It must be assumed that the attackers fully compromised a number of government agency networks and made off with vast amounts of important classified information.
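Since the report singles out a macro-enabled document as the key to the initial compromise, the defensive counterpart is to identify such attachments before a user ever sees the “Enable Content” prompt. The script below is an added illustration, not code from the Rostelecom-Solar/NCCCI report or from Kaspersky. It relies only on the public OOXML packaging format: Office files are ZIP containers, a VBA project is stored as a part named vbaProject.bin, and macro-enabled documents declare a “macroEnabled” main content type in [Content_Types].xml. The two sample documents are constructed in memory, so the check runs offline; the function names (`inspect_office_attachment`, `should_quarantine`) are my own.

```python
"""Flag OOXML (Office) attachments that carry VBA macros by content, not by extension.

Added illustration, not code from the report discussed on this page.
Sample documents below are constructed in memory and are not real files.
"""
import io
import zipfile

# Minimal [Content_Types].xml for a plain Word document (constructed sample)
CONTENT_TYPES_PLAIN = """<?xml version="1.0" encoding="UTF-8"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
  <Override PartName="/word/document.xml"
    ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>
</Types>"""

# Same, but declaring a macro-enabled main part and a VBA project part (constructed sample)
CONTENT_TYPES_MACRO = """<?xml version="1.0" encoding="UTF-8"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
  <Override PartName="/word/document.xml"
    ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>
  <Override PartName="/word/vbaProject.bin"
    ContentType="application/vnd.ms-office.vbaProject"/>
</Types>"""


def build_docx(with_macro: bool) -> bytes:
    """Construct a minimal OOXML package in memory (sample data for the demo)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   CONTENT_TYPES_MACRO if with_macro else CONTENT_TYPES_PLAIN)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a real compiled VBA project
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed placeholder")
    return buf.getvalue()


def inspect_office_attachment(data: bytes) -> dict:
    """Return findings for one attachment: is it OOXML, does it carry VBA, what content type."""
    findings = {"is_ooxml": False, "has_vba_part": False,
                "macro_enabled_type": False, "vba_parts": []}
    # OOXML is a ZIP; anything else (including legacy binary .doc) is out of scope here
    if not data.startswith(b"PK\x03\x04"):
        return findings
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            if "[Content_Types].xml" not in names:
                return findings
            findings["is_ooxml"] = True
            # Word, Excel and PowerPoint all store the VBA project as vbaProject.bin
            findings["vba_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
            findings["has_vba_part"] = bool(findings["vba_parts"])
            ct = z.read("[Content_Types].xml").decode("utf-8", "replace")
            findings["macro_enabled_type"] = "macroEnabled" in ct or "vbaProject" in ct
    except zipfile.BadZipFile:
        return findings
    return findings


def should_quarantine(data: bytes) -> bool:
    """Policy hook: hold any OOXML attachment carrying VBA, whatever its file extension says."""
    f = inspect_office_attachment(data)
    return f["is_ooxml"] and (f["has_vba_part"] or f["macro_enabled_type"])


if __name__ == "__main__":
    for label, doc in (("plain", build_docx(False)), ("macro", build_docx(True))):
        print(label, "quarantine" if should_quarantine(doc) else "pass")
```

The check deliberately ignores the filename: a renamed .docm still contains vbaProject.bin, and that part, not the extension, is what the gateway should key on. In a mail gateway the same function would be applied to each decoded MIME attachment, with flagged messages held for review rather than delivered.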
There is no information on how long the attackers remained within the networks. However, since they used multiple angles to employ these compromises, they likely persisted even when it was assumed the threat had been removed. They could, in fact, still be within these networks. In short, the attack was likely devastating and resulted in an infuriated intelligence agency thirsting for revenge.
The Russian Response
There is one big problem in launching any cyber attack. When the victim discovers the attack and analyzes it, they, in effect, learn a new attack vector. In other words, the Russian intelligence community could use the information it gleaned from studying this attack to launch a counterattack against the U.S. or another adversary. Notice how spear-phishing emails were recently used to hack USAID networks and how the supply chain vector was used in the SolarWinds attack.
There is a general agreement among countries that hacking is an acceptable form of intelligence gathering. There is also a general agreement that infrastructure cyber attacks that could result in civilian casualties should not be undertaken. The U.S. government may attribute the SolarWinds attack to Russia, and it may complain about it publicly, but, since no civilians were harmed, it’s more of a show for the public than anything else. Sure, it may impose some sanctions on firms and individuals, but these are often done with a wink and a nod, and the suggestion that the offending nation should prepare itself for a similar attack.
The problem is that there is often a hazy border between an intelligence-gathering hack and an attack that could result in civilian harm. If personal information gleaned from an intelligence attack were leaked to a private hacking group, the individuals whose information was compromised could suffer financial losses that cause them harm. And don’t think there is a clear line between Russian state hackers and private hackers, because there is not. Many government hackers moonlight as members of private hacking groups to make some extra cash. So when the Colonial Pipeline attack was performed, it was likely done by individuals whose normal jobs were with Russian (or other Russian-speaking nation-state) intelligence. Did the Russian government know this? It’s hard to imagine that it didn’t. In fact, there is likely an informal relationship between these hacking groups and the Russian government. In an interview done in 2017, Michael Chertoff, former U.S. Secretary of Homeland Security, claimed that “the Russians are pretty much No. 1 in terms of using criminal organizations as partners.” The government will look the other way on their offences if these criminal groups help it in some of its missions or hand over any intelligence information they may stumble upon. The Russian government can rein in these groups at any time; however, it may have allowed the Colonial Pipeline attack to continue in order to show the U.S. intelligence community what these groups were capable of doing, and in retaliation for an infrastructure attack on Russia’s power grid in 2019.
Yes, back in 2019, Russia warned the U.S. of an impending cyberwar if the U.S. continued its intrusion into the Russian power grid. Surprisingly, U.S. Cyber Command admitted it was doing this. The Command announced that it had placed “potentially crippling malware inside the Russian system at a depth and with an aggressiveness that had never been tried before.” Lest you think the Russians were totally innocent here, they had, one year earlier, deployed malware that could destroy industrial machinery in U.S. companies.
Now, Russia is being implicated in an attack on the global meat processor JBS. My investigation into the deep-web site of the ransomware group responsible for this attack seems to indicate that the company paid a ransom; otherwise, it would have been put on the group’s so-called “Wall of Shame,” where it would be threatened with having its data exposed. President Biden is quoted as saying he is considering retaliation. The Russians, of course, say that they have no control over what a private hacking group does, but they offer to help with any investigation. Think of foxes and hen houses here. If it wants to, the Russian government can make a show of cracking down on this ransomware group. This would be good to do before the upcoming summit between Biden and Putin. It’s unlikely much will happen to the members of this group except that they may be forced to re-establish themselves under a new name, but it would make for a good pre-summit show.
That said, I expect some retaliation from the U.S. intelligence community that would affect Russia in the same way the Colonial Pipeline and JBS hacks affected the U.S., but I doubt that the Russian government would disclose such an attack, because it would make them look bad. In such a case, it would be good marketing for the U.S. intelligence community to admit to, or at least report on, any attack that succeeds in disrupting Russian infrastructure. Of course, it’s unlikely that this would mark the end of the story.