Despite the perceived breakneck pace of change since the start of the pandemic, many aspects of life remained the same. In 2017 a US Director of Intelligence paper explained how software supply chain attacks “circumvent traditional cyber defenses to compromise software to enable successful, rewarding, and stealthy methods to subvert large numbers of computers through a single attack”. Four years later, supply chain attacks are still a looming danger threatening all organizations using vendors.
Nation-state grade attacks are expertly using supply chain attacks to penetrate sensitive targets:
- Havex – A Russian state-sponsored actor installed a trojanized update on industrial control system vendor websites to deliver malware into industrial control environments. Havex, a remote access Trojan, then delivered additional payloads to compromised systems.
- Kingslayer – A Russian state-sponsored actor installed a trojanized update on industrial control system vendor websites to deliver malware into industrial control environments.
- ShadowHammer – A highly targeted espionage campaign delivered through a trojanized ASUS PC update that infected over a million machines with a backdoor, which then allowed 583 targets, identified by the target computer’s MAC address, to be infected with additional, very stealthy malware payloads.
Software supply chain attacks are a systemic complex problem that might require a complete rethink of the IT and supply ecosystem, but some measures can be taken in the meantime:
- On the supply chain side:
- Detect attacks at an early stage
- Improve governance throughout the build process
- Harden distribution mechanisms
- On the software consumer side, the focus should shift to damage limitation:
- Restrict internal connectivity
- Review network architecture and apply segmentation
- Review managed service/software permissions
However, as we all know, understanding the attacker’s motivation in addition to their techniques is key to establishing the most appropriate and effective defenses.
Though not the only active producer of nation-state grade attacks, Russia is today a hot topic in cyber threat defense circles, which warrants a closer look at known recent high profile attacks, an analysis of their motivation followed by an attempt to predict future offensives.
This article focuses exclusively on nation-state attacks, to the exclusion of terrorist and criminal groups, even though such groups can be used as proxies by the Kremlin when it seeks to maintain plausible deniability while continuing to inflict damage.
What are Russia’s three main cyber-threat groups?
The three Russian State groups considered here are:
- FSB (Federal Security Service) – Russia’s internal security service that mainly focuses on Russia itself but also has a remit to destabilize and promote Russian interests within former USSR countries.
- GRU (Military Intelligence) – Russia’s military intelligence service. Historically involved in the world wars and the Cold War, it has been responsible for accessing, holding and maintaining details of the critical infrastructure of potentially hostile countries. That infrastructure might include dams, power plants, water supplies, and other potential targets they might want to destroy or damage. Today, they use cyber operations to achieve the same goals.
- SVR (Foreign Intelligence) – Russia’s foreign intelligence service, with a remit firmly in espionage and assumed to be behind the SolarWinds attack.
When investigating nation-state attacks, the cyber community adds unnecessary complexity, because coining an original name for a specific attack yields marketing benefits. As a result, the same attack might bear numerous names.
Analysis of Recent Known Russian Cyber Attacks
Let’s have a look at some of the most severe attacks:
- NotPetya: run by the GRU, a destructive attack initially targeting and destabilizing Ukraine before spreading globally and causing untold damage.
- SolarWinds: believed to be run by the SVR. Focused on stealth and on acquiring very targeted intelligence, motivated by espionage.
- BlackEnergy: believed to be run by GRU unit 74455, a destructive attack that took out the Ukrainian power grid.
- German Parliament: believed to be run by GRU unit 26165, an espionage intelligence-based campaign potentially geared toward understanding Germany’s critical infrastructure.
- In a similar vein, the GRU’s ongoing prepositioning of cyber footholds, including in the UK, Western energy, and critical infrastructure supply chains, allows ongoing surveillance and positioning for potentially destructive attacks should changes in the geopolitical situation warrant it.
- US Democratic Party hack: believed to be run by GRU units 74455 and 26265, driven by espionage and data theft but designed to effect political change and create chaos in the US political landscape.
- Estonia / Georgia: believed to be run by the FSB, with suspected involvement sometimes in support of ground troop movements and sometimes in support of local pushback against influence from Moscow.
Understanding these groups and their motivations is key to understanding why some attacks go one way, and some attacks unfold in a completely different way. Ultimately, that helps inform defense.
Regarding the SolarWinds attack, for example:
18,000 SolarWinds customers ended up downloading the malicious backdoor (a far cry from the media-inflated headline of 300,000 customers). Of those 18,000, only fifty high-value targets were selected by the threat actor and hit with laser-focused attacks aimed at maintaining stealth.
Why were there so few actual end targets in the SolarWinds attack?
The goal of the attack was to gain several months of access to restricted systems at the heart of government and industry. So, aside from potential diplomatic reasons to limit US retaliation should they be discovered, resource availability had to be factored in, as prolonged stealthy attacks consume considerable resources.
Unmistakably, the SolarWinds attack commander allocated the resources needed to achieve the attack’s goals. As the SVR ran it, it made sense that it focused on intelligence gathering from high-value targets.
A GRU-led attack could have had a vastly different anatomy. GRU motivation can lead to a destructive offensive: with a similar initial execution, it would have generated a vastly different outcome. The GRU-led NotPetya attack, which targeted the supply chain through malicious software updates, caused billions of dollars in damages. If carried out by the GRU, under a different motivation, the SolarWinds attack could have taken down US and other government departments and critical economic supply chains. When stealth is not a concern, the attacker can move far, far faster.
So understanding the attacker’s motivations is crucial to designing effective prevention.
Russia’s three primary objectives
Understanding Russian cyber-attack motivation is important in understanding the difference between espionage and destruction, but to really understand nation-state cyber attacks, we need to understand the nation-state itself.
There are three overarching Russian state objectives today:
- Reclaiming and securing Russia’s influence over former Soviet nations
- Regaining Russia’s worldwide recognition as a great power
- Portraying itself as a reliable actor and a successful economic, military, and political influence
Since the collapse of the Soviet Union, Russia has been struggling to find its place in the global community, which leaves its leadership with a lingering desire to regain the influence and power it once had, in particular over former Soviet states, which Russia perceives as its rightful sphere of influence.
In direct contention with Russia’s strategic goals are the United States’ core goals of promoting and protecting the international order. Russia believes that in order to win, the US and its allies must lose, and that there are no unacceptable or illegitimate forms of deterrence or escalation management.
In their eyes, everything, from critical infrastructure and power, utilities, media, financial systems, and services, is fair game. And overall, Russia’s influence abroad is growing, ranging from interference in political processes and economic and energy exploitation, particularly in Africa, to ongoing espionage and media and propaganda manipulation.
What are the leading Russian cyber-threats expected in the near future?
Russia is constructing a closed national network scheduled to be completed by 2024.
This closed national network will allow them to define the territory where they fight and give them strength through home advantage. Compared to the Western world’s open Internet designed to share information freely, it affords Russia a significant strategic advantage.
Russia’s closed national network can be disconnected from the global Internet while remaining fully functional, providing communications for state administration, the national economy, civil society, and the military. This grants Russia the ability to wage information warfare and launch cyber-attacks with relative impunity. Hence the recent successful disconnection tests, including a scenario that simulated a hostile cyber-attack from a foreign country.
Achieving this cyber-asymmetry is no mean feat. It relies on seven subsystems:
- Direct State ownership of technology assets
- State ownership of authentication and encryption
- Content censorship and restriction
- Targeted surveillance
- Cy-ops and information warfare
- Integration and management of the above six points
This approach is riddled with downsides: potentially weaker and more easily breakable encryption, less developed technologies and connectivity, a disincentive for innovation, a brain drain from Moscow to the West, and the need to navigate budget constraints in a relatively weak Russian economy.
It also creates huge data retention stores, which may become a very valuable target for the West and risk incurring disapproval from the international community.
What is your best cyber-security defense strategy against Russia?
Understanding the attacker’s motivation is the first step in selecting an accurate threat model to work with. An effective cyber-security defense strategy requires four key elements:
- Team: an experienced team, preferably with a proven attack background or one from a nation-state defense
- Methodology: an in-depth defense assessment from the attacker point-of-view
- Holistic approach: including all business segments, from HR to supply chain
- Automation: leveraging tech solutions
To discuss your own cyber-security defense requirements, get in touch with a HolistiCyber expert today.