Know Your Adversary™: Russian APTs

May 14, 2020 | Blog

In the previous two articles in this series, we examined the Iranian and Nigerian Advanced Persistent Threats (APTs) under a sociohistorical lens in order to better understand the various drivers that instigate their threat activity. Today, we examine Russia under the same optic, to see if we can gain more insight than the traditional Technique, Tactic, and Procedure (TTP) game of whack-a-mole generally provides.

Russia has a proud and storied history of warlords and princes; duchies and Tsars. It also has an equally storied history of pogroms and purges; revolts and revolutions. Legends trace Russia’s origins to the outpost of a Viking tribe that later became the city of Novgorod in the 10th century, followed by its rise to a grand principality centered around Kiev a few centuries later. The most direct origin of the modern Russian state lies with the Grand Duchy of Moscow, also known as Muscovy. In the 16th century Grand Prince Ivan IV, also known as Ivan the Terrible, crowned himself Tsar of all Russias, a reference to the Caesars of ancient Rome, after successfully fighting off the Mongols and uniting a group of principalities under the Grand Duchy of Moscow. Tsar Peter the Great declared the creation of the Empire of Russia, under the Tsar, 200 years later.

Amid the ups and downs of a growing world power, real people lived mostly ordinary day-to-day lives. As part of his bid to maintain power over the sprawling empire, Tsar Peter the Great established Russia’s unique form of serfdom, binding the destinies of all the free peasants to the land they lived on, effectively enslaving them. Owners of land had power over all aspects of the lives of their human property: where they lived, where they went, what they grew, who they married. There was no easy way to escape this situation – the Tsar’s rule was absolute, by divine right. Russia was isolated from the rest of Europe due to its religious differences with the West, having been ideologically centered around Constantinople whereas western Europe orbited around Rome. Although the Great Schism of 1054 divided the Christian ideologies of East and West, the two cities still maintained academic and social discourse. In 1453, Constantinople fell to the Islamic Ottoman Empire; Russia assumed ideological control of Eastern Christianity, and its primary conduit for exchange with the West was lost. As the Enlightenment ended serfdom throughout Roman-centric Europe, Russia’s social system remained largely the same.

The backwards state of Russia’s feudal social system was made clear by its defeat in 1856 at the hands of the Ottomans, British, and French in the Crimean War. By 1861, 75 percent of the population of the Russian Empire were effectively property, bound to the fate of the land. Half of these were under the control of private landowners, and half under the state. That same year, Tsar Alexander II, realizing that it is “better to abolish serfdom from above, than to wait for that time when it starts to abolish itself from below,” issued an edict that began the emancipation of the serfs. The reforms were unprecedented, with land being granted to serfs as part of their emancipation. This did not sit well with the nobility, whose livelihoods depended on the serfs. Many of the same nobility were tired of the Tsar’s absolute power, and sought a more democratic form of government, at any cost. Beginning in 1866, a series of assassination attempts by members of the nobility culminated in the successful assassination of Tsar Alexander II in 1881.

The Tsar’s death led his heir, Nicholas I, to roll back many of the reforms he blamed for his father’s death and to crack down on insurgency. This led to the creation of “The Department for Protecting the Public Security and Order,” more commonly known by its short name Okhrana, “The Guard Department.” For over thirty years, this organization pursued its goals, namely identifying and combating political terrorism and revolutionary activity in order to keep the Tsar in power. With the imbalance inherent in Russian society, this was a nigh impossible task. While the Okhrana developed methodologies to monitor the activities, behavior, and correspondence of insurgents and their organizations both abroad and domestically, it was spread very thin. This led to some failures. In some cases, the department infiltrated and funded insurrectionist organizations and their publications. In the name of monitoring these perceived threats, it staffed and supported them, fanning the flames of revolution. At the beginning of the First World War, the Paris Okhrana office directed its operations against Germany, mounting countless disinformation campaigns.

The efforts of the Okhrana were in vain. The revolutionaries continued their activities, terrorizing the Tsar and his inner circle. The lives of the people did not noticeably improve after their emancipation, the Tsar continued to distance himself from the people, and over a period of 30 years the insurgents successfully gained support from the greater Russian population. 1917 turned out to be a very tumultuous year for Russia, with two revolutions and an abdication, resulting in the end of the Tsar’s power and the creation of the Communist Soviet state. Now, depending on your perspective, either nobody was property or everyone was property.

The new Soviet government that took over Russia saw a continued need for a security organization to counter insurgency and to spread Marxism globally. It turned to the methodologies developed by the Okhrana, iterating through a series of well-known security services, from the Cheka, to the NKVD, to the NKGB, to the best known of them all, the KGB. In addition, a new military intelligence organization was created, the GRU. The KGB had quite a reputation for efficiency and omniscience. It infiltrated countless criminal organizations, nonprofits, businesses, governments and political parties both inside and outside the Soviet Union with ease. It organized a series of disinformation campaigns, including the authoring of newspaper articles in the US claiming that the AIDS virus was developed in a US military laboratory as part of a biological weapons research project. The KGB excelled at monitoring and influencing perceived threats both passively and actively, succeeding where the Okhrana infiltrations had failed.

The Soviet Union fell just as the World Wide Web came to be in 1989. The KGB was split into two organizations: the internal security service, known as the FSB, and the foreign intelligence service, known as the SVR. The GRU remained largely intact, aside from rising to greater prominence in order to fill the void left behind by the remains of the KGB. A protracted war in Chechnya in the mid 1990s took a further toll on morale. The government no longer had the appearance of stability that it had before. Those who had been trained to work for the security services turned to that training in order to survive. Recognizing that the organizations they had been trained to infiltrate were more lucrative places to earn a living, many turned to business and organized crime. The next fourteen years saw the slow rise of business oligarchs and mafia in Russia. Most of these were either aided by former intelligence officers, or were former intelligence officers themselves.

In 1999, Vladimir Putin came to power. He had spent much of his career in the KGB, and had watched the Soviet Union implode around him. Putin spent the early 1990s running an office in St Petersburg responsible for export control, international relations, and registration of businesses. He had a front row seat watching the oligarchs and mafia businessmen operate around and outright ignore regulations. He was made FSB director for three years before the Duma, the Russian legislature, appointed him Prime Minister. President Boris Yeltsin, the first Russian president after the USSR fell apart, soon resigned and Putin became president. He went about reorganizing the Russian governmental apparatus, gaining the support of both oligarchs and mafia.

In 2004, the Mydoom worm was released, seemingly commissioned by email spammers. The apparent primary function of the worm was to spread, to use infected systems to send profitable spam emails, and ultimately to perform coordinated attacks against targets that included technology companies such as SCO Group and Microsoft. Its origins seemed to point to Russia: both the source of the initial emails and the methodologies involved were not unlike those of a nation-state security service — infiltrate the system, monitor, and get into position to co-opt it in order to achieve your goals. These hybrid criminal/business schemes were so lucrative that entire organizations, like the Russian Business Network, were created to profit from advertising and attacks via compromised hosts.

As a result of Putin’s reforms, the Russian government had regained its footing by 2007. Some of the brain drain that had occurred over the previous two decades had begun to reverse, and the cyberattack methodologies used by criminals were soon applied to government targets. A row over the fate of a Soviet war memorial set off a cascade of events that led to a series of massively coordinated botnet-originated cyberattacks. These brought the communications and financial systems of Estonia to their knees. It is possible that the Russian Business Network or a similar organization was involved in these attacks, but there was also a well-coordinated attempt to make them appear to be a global, grassroots endeavor. The massive amount of traffic involved did not support this. Since then, there have been countless cyber and internet-based social attacks attributable to Russian origin, in particular the various troll and disinformation campaigns of the Internet Research Agency.

Starting in 2019, the hacking group Digital Revolution began to leak documents from various FSB contractors. The documents revealed that contractors were tasked to develop software for targeted deanonymization of the Tor privacy network, as well as to develop a botnet capability for Internet of Things (IoT) devices, called Fronton. This botnet identifies and conducts password attacks against ubiquitous Linux-based smart devices, cameras, and digital recorders, presumably for Distributed Denial of Service (DDoS) attacks and espionage. The SVR and GRU also have technology that continues to be developed, and which was purported to have been deployed in places such as the Democratic National Committee in 2015, in order to achieve their goals.

Russia’s path to APT has been a long and storied one. It began with the fall of its feudal system and the Okhrana’s resulting information-gathering and disinformation campaigns against revolutionaries. It advanced as the Soviet security services built upon the successes and corrected the failures of the Okhrana. With the fall of the Soviet system and the rise of Russian criminal and business apparatuses, it had a digital renaissance. Through the rebirth and renewal of Russian espionage, threats originating in Russia tend to utilize and blend the criminal and the political, building on lessons from the past in order to achieve their goals. What technologies are the Russian government and organized crime going to attack next? Will we see a social media reboot of the disinformation news narratives of the 1980s, with SARS-CoV-2 replacing AIDS? As always, the best option is to know your adversary.