- Joe Slowik, Senior Manager at Gigamon
Attribution to Russian GRU During 2016 Ukraine Cyber Attacks
In Episode 4 of Know Your Adversary™, we are joined by Gigamon Senior Manager Joe Slowik. Our discussion takes a look into the world of Russian nation-state hacking units, particularly the GRU and the SVR. We take a deep dive into the 2015 and 2016 cyber attacks against the Ukrainian power grid and review how Russia’s capabilities are increasing in sophistication, mainly through lateral hand-offs between the teams of hackers operating in IT and OT environments. We discuss the technical details of such operations and how enterprises can better defend themselves while considering the geopolitical ramifications, mainly that GRU tends to blatantly cause disruption and outages while SVR moves more “low and slow” for intelligence collection.
Here are some of the key takeaways from the episode:
Different teams with different skill sets were seen in the 2016 cyber attacks on the Ukraine power grid by Russian Unit 74455. This same level of growing maturity was not seen in the previous 2015 Ukraine power grid attack. In 2015, Russian hackers, known in the security industry as “Sandworm,” infiltrated a Ukrainian power grid and successfully “moved laterally” from the information technology environment to the operational technology environment that controlled the electrical grid. They caused a massive outage that became the first known successful cyber attack on a power grid. Then again, in 2016, they conducted the same operation. However, as they moved to the operational technology environment, it was clear a different set of operators were testing other tools that automated the exploitation process. While testing tools on a live OT production environment was not expert tradecraft, it nevertheless demonstrated Russia’s increasing desires to build this tradecraft in people and tools on multiple fronts of computer network exploitation teams.
Lessons for Protecting Enterprise:
- Visibility is still critical. If a security team can’t protect what they cannot see, critical infrastructure won’t have the chance to distinguish between different nation-state hacking units.
- MTTA and MTTR: Mean time to alert and respond should matter significantly for security teams depending on who the actor is. If it’s clear it’s the GRU, they have experience conducting disruptive attacks, and response should be immediate. However, if it’s the SVR, while the time to respond should be swift, they are probably operating for intelligence collection purposes and not likely to disrupt business operations by turning out the lights.