Russian state in cyber spy claims
The Russian intelligence agency is actively using computer hackers to further the country’s foreign policy aims, according to researchers working for the Finnish computer security company F-Secure.
The company claims that the Russians have been involved in a systematic cyber attack against specific foreign states including Chechnya, Ukraine, Georgia, Turkey and Poland – all regarded by Russia as key areas of influence – as well as targets in the US.
Staff working at F-Secure are monitoring a hacking organisation which the company calls “the Dukes”. They claim that they have proof that the hackers have been specifically focusing on targets on behalf of the Federal Security Bureau, the successor to the KGB.
It has been an open secret for some time that the Russian state uses hackers to further its foreign policy aims. As Sam Kiley, foreign affairs editor of Sky News said: “Cyber snooping and cyber war are with us to stay. I am never surprised when a state is alleged to be involved. It’s just bad luck for them when, or if, they get caught.”
The F-Secure research has for the first time supplied fairly concrete proof of a practice that has become widespread throughout the globe as revealed by Future Intelligence three years ago, when FI highlighted the activities of the Duke group among others.
A big clue for the F-Secure researchers was the group’s work patterns. They say that the Russian hackers not only appear to keep the same working hours as Russian civil servants but also appear to be based in the Moscow time zone area of Russia.
It is an area that includes both Moscow and St Petersburg, a city that has been linked to hacking activity from Russia for a number of years and was believed to have played host to the infamous Russian Business Network – a high-tech criminal enterprise and hosting organisation, claimed to operate under the protection of senior Russian political figures. Some commentators point out that the top figure on the St Petersburg political landscape was the current Russian President Vladimir Putin, who started his political career in the city administration before moving into the secret service.
“By mapping the hours worked by the hackers, who appear to mainly work from Monday to Friday, 9am to 7pm, in the time zone known as Moscow Standard Time, we’ve been able to connect both the technical means, the tools and the malware, to the operations and the tactics that have been used over the years, and we have found a lot of clues,” said Artturi Lehtio, the chief researcher for F-Secure, and one of the authors of a report into the cyber spying called ‘The Dukes: seven years of Russian cyber espionage’.
“Now we’ve been able to track the operational side and the software we are quite confident that this has to be a group that either has to be within the government or working directly for the government. We are confident that this is a Russian speaking group and a group that works from Russia.”
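The working-hours heuristic Lehtio describes can be reproduced on any set of activity timestamps an analyst holds in UTC (malware build times, infrastructure changes, command-and-control check-ins): convert each event into a candidate local time zone and measure how much of the activity falls inside a Monday-to-Friday, 9am-to-7pm working day. The script below is an added illustration and is not code from F-Secure or the Dukes report; the ten timestamps are constructed, and it assumes a fixed UTC+3 offset for Moscow Standard Time, which is only correct for activity after October 2014.

```python
from datetime import datetime, timedelta, timezone

# Candidate zones as fixed UTC offsets. Assumption: the events fall after
# October 2014, when Moscow Standard Time became a fixed UTC+3 with no DST;
# earlier Dukes activity would need the historical offset for each year.
CANDIDATE_ZONES = {
    "UTC-5 (New York, winter)": -5,
    "UTC+0 (London, winter)": 0,
    "UTC+1 (Berlin, winter)": 1,
    "UTC+3 (Moscow Standard Time)": 3,
    "UTC+8 (Beijing)": 8,
}

# The working day quoted in the article: Monday to Friday, 9am to 7pm local.
WORK_START_HOUR, WORK_END_HOUR = 9, 19


def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as '2015-07-07T08:30:00Z'."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def in_working_hours(dt_utc: datetime, offset_hours: int) -> bool:
    """True if the event falls inside the local Mon-Fri working day."""
    local = dt_utc.astimezone(timezone(timedelta(hours=offset_hours)))
    return local.weekday() < 5 and WORK_START_HOUR <= local.hour < WORK_END_HOUR


def business_hours_fit(timestamps, offset_hours: int) -> float:
    """Fraction of events that land inside working hours in the given zone."""
    events = [parse_utc(ts) for ts in timestamps]
    hits = sum(in_working_hours(ev, offset_hours) for ev in events)
    return hits / len(events)


def rank_zones(timestamps, zones=CANDIDATE_ZONES):
    """Score every candidate zone; the best-fitting zone comes first."""
    scored = [(name, business_hours_fit(timestamps, off)) for name, off in zones.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample: ten activity timestamps in UTC from one week of July 2015.
SAMPLE_EVENTS = [
    "2015-07-06T06:10:00Z", "2015-07-06T13:40:00Z", "2015-07-07T08:30:00Z",
    "2015-07-08T06:55:00Z", "2015-07-08T12:00:00Z", "2015-07-09T05:30:00Z",
    "2015-07-09T15:45:00Z", "2015-07-10T07:05:00Z", "2015-07-10T16:20:00Z",
    "2015-07-11T09:00:00Z",
]

if __name__ == "__main__":
    for name, fit in rank_zones(SAMPLE_EVENTS):
        print(f"{fit:5.0%} of events inside working hours if zone is {name}")
```

On the constructed sample the UTC+3 zone fits 7 of 10 events, against 5 of 10 for UTC+1 and UTC+8, which is the kind of gap the article's method relies on; a working-hours fit is one signal to be weighed alongside tooling and tactics, since an operator can deliberately shift its hours.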
News of the attacks comes against a backdrop of sustained cyber activity in Russia, where online vandalism and DDoS (distributed denial of service) attacks have now become commonplace and cyber attacks have become part of the fabric of politics, with both government and opposition politicians accused of adopting them.
In mid-September 2015, the websites of the Russian President and the Russian Electoral Commission came under a sustained hacking attack, which the sites narrowly survived according to a presidential spokesman.
“On Sunday, a very powerful hacking attack was made on the Russian president’s website. The defence system worked, even though it was not easy,” said Dmitry Peskov, the presidential press-secretary.
According to observers, the attack, which took place on the same day as the Russian regional elections, was a response from opposition groups because they were only allowed to field candidates against the Government in one region.
“Yesterday someone attempted to hack our website and alter the data there, making 50,000 requests per minute,” said Vladimir Churov, Chief of the Russian Electoral Commission. “They failed and we have already established the culprit – it’s a company based in San Francisco.”
Churov said that he plans to collect all the evidence and forward it to US law enforcement.
In his home country, Churov is often accused of turning a blind eye to the Russian government’s habit of rigging elections.
Many media outlets see this attack as a protest against Putin and the grip on power he wields.
Within the last two months Sergei Maksimov, a 41-year-old Russian-born German national, was convicted of attacking the websites of anti-government Russian bloggers and of opposition figures and Putin critics, including Alexey Navalny.
Authorities in Bonn, Maksimov’s adopted home town, sentenced him to 400 hours of community service, a fine of €400 and a one-and-a-half-year suspended prison sentence for his role as ‘Hacker Hell’ – a pro-Putin cyber attacker.
There is no direct proof that Hell was working for the government, but recent reports in US papers have claimed that the Russian government pays “factories” of internet trolls.
Freelance journalist Lyudmila Savchuk, who claimed she worked in a Russian troll factory in St Petersburg writing pro-Putin comments on internet websites, recently successfully sued the agency that employed her over an employment dispute.
“The Russian state is endlessly building itself up, and it strengthens not its schools and hospitals but the institutions that fight the enemies they made up themselves,” says Anton Nossik, a Russian internet pioneer and one of the top industry experts. He adds that the FSB is known for using cybercrime. “One of their methods is just to pass the stuff that they obtained themselves to a dummy who then claims that he got it by hacking.”
A Russian living in the UK and intimately engaged on both sides of the Ukrainian-Russian conflict has been contacted by the CSRI. He declined to give his name. He said that trolling, website defacement and cyber attacks have become the norm for Russia: “Here politics is all about who has the biggest gun, and who is prepared to use it. In Russia anything goes; if you’ve got the capability to do something you just do it.”
According to the report from F-Secure, the interests of the Duke group are solely in gathering intelligence information from opponents of the Putin administration. The authors say Putin is protecting the group, which has been brazenly obtaining large amounts of data.
“Their 2015 campaigns take this to the extreme by apparently opting for speed and quantity over stealth and quality. In the most extreme case, the Dukes continued with their July 2015 CloudDuke campaign even after their activity had been outed by multiple security vendors. We therefore believe the Dukes’ primary mission to be so valuable to their benefactors that its continuation outweighs everything else.
“This apparent disregard for publicity suggests, in our opinion, that the benefactors of the Dukes are so powerful and so tightly connected to the group that they are able to operate with no apparent fear of repercussions on getting caught. We believe the only benefactor with the power to offer such comprehensive protection would be the government of the nation from which the group operates. We therefore believe the Dukes to work either within or directly for a government, thus ruling out the possibility of a criminal gang or another third party.”
Ironically, the F-Secure claims came on exactly the same day that Proofpoint, a rival security company in the US, released a report detailing the activities of another hacking gang, believed to originate from China, that targets the Russian military and telecom sectors. Like the Duke attacks, this campaign is ongoing.
According to the paper written by Proofpoint, the attacks, classed as an Advanced Persistent Threat (APT), are being aimed by the Chinese hackers at the Russians in pursuit of information from the Russian military and telecoms sectors.
The Proofpoint researchers say the campaign began in July 2015, perhaps earlier, and has carried on since it was detected: it continued into August and is still going on.
“As a part of this campaign, we also observed attacks on Russian-speaking financial analysts working at global financial firms and covering telecom corporations in Russia, likely a result of collateral damage caused by the attackers’ targeting tactics,” the report says, adding that this same attacker is also reported to have targeted various military installations in Central Asia in the past.
The Proofpoint report also notes that activity from the group behind the attacks on the Russians seems to stretch back as far as 2013.