• Joe Slowik, Senior Manager at Gigamon

Attribution to Russian GRU During 2016 Ukraine Cyber Attacks

In Episode 4 of Know Your Adversary™, we are joined by Gigamon Senior Manager Joe Slowik. Our discussion takes a look into the world of Russian nation-state hacking units, particularly the GRU and the SVR. We take a deep dive into the 2015 and 2016 cyber attacks against the Ukrainian power grid and review how Russia’s capabilities are increasing in sophistication, mainly through lateral hand-offs between the teams of hackers operating in IT and OT environments. We discuss the technical details of such operations and how enterprises can better defend themselves while considering the geopolitical ramifications, mainly that GRU tends to blatantly cause disruption and outages while SVR moves more “low and slow” for intelligence collection.

Here are some of the key takeaways from the episode:

Different teams with different skill sets were seen in the 2016 cyber attacks on the Ukraine power grid by Russian Unit 74455. This same level of growing maturity was not seen in the previous 2015 Ukraine power grid attack. In 2015, Russian hackers, known in the security industry as “Sandworm,” infiltrated a Ukrainian power grid and successfully “moved laterally” from the information technology environment to the operational technology environment that controlled the electrical grid. They caused a massive outage that became the first known successful cyber attack on a power grid. Then again, in 2016, they conducted the same operation. However, as they moved to the operational technology environment, it was clear a different set of operators were testing other tools that automated the exploitation process. While testing tools on a live OT production environment was not expert tradecraft, it nevertheless demonstrated Russia’s increasing desires to build this tradecraft in people and tools on multiple fronts of computer network exploitation teams. 

Lessons for Protecting Enterprise: 

  1. Visibility is still critical. If a security team can’t protect what they cannot see, critical infrastructure won’t have the chance to distinguish between different nation-state hacking units. 
  2. MTTA and MTTR: Mean time to alert and respond should matter significantly for security teams depending on who the actor is. If it’s clear it’s the GRU, they have experience conducting disruptive attacks, and response should be immediate. However, if it’s the SVR, while the time to respond should be swift, they are probably operating for intelligence collection purposes and not likely to disrupt business operations by turning out the lights.
Adversary Research
Discovering the methods, motives and identity of threat actors to disrupt attacks 
Reputation Defense
Technical guidance for countering disinformation and slanderous attacks 
Trust & Safety
Intelligence to secure business operations and defend against fraud, abuse and e-crime 
TPRM Exposure
Adversary-centric intelligence to address supplier, M&A and investment risks 
Outside Intel
Research for defending outside the firewall that leverages tier 3 intelligence programs 
Executive Shield
Assessment of threats to key personnel with attribution and PII takedown  
Adversary Insights℠ Retainer
Annual retainers for client-driven inquiries and rapid-response research 
Intelligence Team as a Service
Collaborative engagement providing robust intelligence and tier 3 cyber analysts  
Event-Driven Intel Investigations
Multidimensional security fact-finding that delivers insights into adversary behavior 
On Demand Threat Research
Proactive and preventative investigations that reveal threat actor context and risk correlations 
Investment Zero Touch Diligence℠
Project-based discovery to assess risk for investments, IPO, Mergers and Acquisitions 
TPRM Zero Touch Diligence℠
Subscription assessment of external network hygiene, key personnel, and non-traditional business risks