School children in the ‘50s and ‘60s routinely hunkered down under their desks and lugged empty Clorox bottles to class to store water, all in preparation for the day that the Soviet Union would hurl a nuclear missile their way.
For the better part of 40 years - from the time the ink dried on the Truman Doctrine until Soviet Communism took its dying breath - what kept the worst nightmares of those little schoolchildren from coming true, was an uneasy Cold War “peace” fostered by mutual deterrence as two heavily, but roughly equally, armed superpowers, the U.S. and the USSR, huffed and puffed at each other across the world's stage.
Once the Soviet Union split apart in 1991, outspent by an America eager to crush communism and shift the balance of power, Russia was left with a substantial nuclear arsenal, a shattered economy and very little muscle left to flex – its superpower status on the wane as the country focused primarily on rebuilding its economy. But the memory of its former glory and once formidable strength lingered.
Which is why it's not surprising that Russian President Vladimir Putin has seemingly seized the opportunity to re-establish his country as a superpower, not by accumulating arms or pioneering space exploration, but rather by gaining dominance in the bold new frontier of cyberspace.
“Russia currently appears to be heavily investing in cyber-weapons – and making rapid progress in this area – because it enables them to compensate for limitations in the size of their economy and demographics,” says Nick Bilogorskiy, cybersecurity strategist at Juniper Networks.
It is not the only country dominating in cyberspace, of course. “According to classification by the World Economic Forum, the cyber superpowers are the United States, China, Russia, Israel and the United Kingdom,” says Leonid Shtilman, executive chairman at Silverfort. “Two other notable players are Iran and North Korea.”
But Russia has successfully leveraged its investments in mathematics and computer algorithms to distinguish itself in cyberweaponry. “I have no doubts that they are capable of attacking the vital infrastructure of the enemy, as they probably showed in Georgia and Ukraine,” says Shtilman.
And it may be the most driven by the cyber superpower wannabes.
During a riveting discussion at the Council on Foreign Relations in 2016, panelists noted that Russia is driven by a deep longing for respect and desire to regain its previous status as a nation to be reckoned with.
Those goals were likely never in reach for the country using a conventional military no matter how big its nuclear stores grew. So reduced was Russia as a military might that in a 2012 debate with GOP presidential opponent Mitt Romney, President Obama mocked the former Massachusetts governor for calling the nation the U.S.'s “number one geopolitical foe.”
“And the 1980s are now calling to ask for their foreign policy back,” Obama famously said. Both men were likely right. While the former president might have been on the money to dismiss any kind of call for arms acceleration to combat the Russian threat, the country most certainly hadn't left its menace back in the ‘80s.
In fact, by the time Obama uttered those remarks, which effectively shut down Romney's candidacy, Russia likely had already begun to formulate its cyber plans. “I have clear eyes on this. I'm not going to wear rose-colored glasses when it comes to Russia, or Putin,” Romney responded to Obama. “And I'm certainly not going to say to him, I'll give you more flexibility after the election. After the election, he'll get more backbone.”
Good idea. Teeming with criminals of all stripes and a certain lawlessness in the decades after the Soviet Union broke apart, Russia had a fertile pool of hacker-types and shady cyber miscreants to choose from – and very little reason not to cultivate them as assets aligned with its intelligence units. It also found itself under the leadership of a man – Putin – who had “clear eyes” as to where Russia's opportunities lay.
“Offensive cyber capabilities offer an opportunity for interested nations to be ‘leaders' on a new battlefield at a reasonable cost compared to aircraft carriers and jet fighters. Russia has certainly taken this approach,” says Eric Lundbohm, CMO at Veracity Industrial Networks. “While there are nine nuclear countries, U.S. intelligence officials reported in January 2017 that more than 30 countries are developing offensive cyberattack capabilities.”
If there were any doubts that the nation was successfully asserting itself as a cyber threat, they were laid to rest in mid-2016 when evidence began to surface that Russia was meddling in the U.S. election process – first in a series of hacks by very active APT groups Cozy Bear and Fancy Bear targeting the Democratic National Committee (DNC) and Democratic interests and then as part of an influence campaign leveraging social media and marshaling bots to disseminate false and divisive information to opposing political factions within the U.S.
The infiltrations were identified by CrowdStrike as the work of Cozy Bear (aka CozyDuke or APT 29) and Fancy Bear (aka Sofacyor APT 28), working separately. The former, which CrowdStrike Co-founder and CTO Dimitri Alperovitch wrote in a detailed blog post was likely affiliated with Russia's military intelligence service, the GRU, accessed the DNC network in summer 2015 where it monitored email and chat. But it wasn't until Fancy Bear, which Alperovitch said could be a surrogate of the Federal Security Service, formerly led by Putin, hacked into the network and nicked two files in April 2017 that the DNC was alerted to the intrusion.
“We've had lots of experience with both of these actors attempting to target our customers in the past and know them well,” wrote Alperovich, who said CrowdStrike's incident response team was called in by the DNC. “In fact, our team considers them some of the best adversaries out of all the numerous nation-state, criminal and hacktivist/terrorist groups we encounter on a daily basis.”
He called the group's tradecraft “superb” with “operational security second to none.” He said the groups' “extensive usage of ‘living-off-the-land' techniques enables them to easily bypass many security solutions they encounter.”
And CrowdStrike was, in fact, able to identify “advanced methods consistent with nation-state level capabilities including deliberate targeting and ‘access management' tradecraft – both groups were constantly going back into the environment to change out their implants, modify persistent methods, move to new Command & Control channels and perform other tasks to try to stay ahead of being detected.”
Both Cozy Bear and Fancy Bear have been involved in “extensive political and economic espionage” for Russia and have close ties to the country's intelligence services, he said. Cozy Bear hackers were behind intrusions at the White House, U.S. Joint Chiefs of Staff and a particularly gnarly hack at the State Department.
Revelations soon followed that Russian hackers had penetrated systems at the DSCC and other organizations. Pilfered emails from the Democratic hacks, leaked steadily by WikiLeaks and meant to do damage to candidate Hillary Clinton, became a source of heated discussion and concern for the remainder of the campaign, with Clinton denouncing Russian interference as she debated opponent Donald Trump, the presumptive intended benefactor of the meddling.
Leaking damaging emails, though, proved to be one prong of a bigger Soviet era-styled influence campaign – the likes of which would have made Nikita Kruschev proud – with a decidedly modern technological twist.
“A significant component of Russia's cyberwarfare strategy is to spread pro-Russian propaganda. The Internet Research Agency (IRA) is a Russian company based in Saint Petersburg that has more than 1,000 paid bloggers engaging in online influence operations on behalf of the Russian government,” says Bilogorskiy. “The group is known to have a ‘troll' factory in Olgino that aims to influence public opinion via fake accounts on Twitter and Facebook.”
Russia, he says, “often uses decoys as part of their psychological warfare doctrine called ‘maskirovka,' which means ‘masking' and alludes to keeping the enemy guessing, hiding your intentions and denying your activities.”
They've effectively applied “the same approach in the cyber world,” he says.
Indeed, that's what the country did for a while in the U.S., both during the election and in the months after.
Facebook- along with other online platforms - came under fire after the social media giant revealed an internal investigation found that a Russian troll farm bought ads from the social media giant and apparently planted them, some in targeted markets, “to focus on amplifying divisive social and political messages across the ideological spectrum — touching on topics from LGBT matters to race issues to immigration to gun rights,” company CSO Alex Stamos wrote in a blog post at the time.
What followed was a cascade of revelations that Russian operatives and bots had placed fake news articles and organized events on sketchy news sites to further sow discord among Americans on the right and left politically. And they promoted movements and initiatives meant to nurture dissent – for instance, tweeting out the hashtag #ReleasetheMemo, encouraging the release of House Intelligence Committee talking points that allegedly detailed the FBI's abuse of the FISA court when it obtained a surveillance warrant on a member of the Trump campaign known to have had interactions with Russian operatives.
After taking a pounding for their role in the influence campaign, tech companies took measures to be more transparent – identifying ads and stories generated by Russian sites.
Bears on the offensive
More recently, Fancy Bear has been caught nosing around U.S. defense contractors, actively exploiting weak spots in the email systems of defense contract workers to access top secret information on U.S. defense technology, including drones.
Just as they did with former Clinton Campaign Manager John Podesta and members of the DNC, Fancy Bear tricked employees at companies like Boeing, Lockheed Martin, General Atomics, Raytheon Co., and Airbus Group into handing over their credentials, the Associated Press (AP) found after reviewing 19,000 lines of email phishing data from SecureWorks that had been generated by the hackers and after interviewing 31 of the 87 attack targets.
“The programs that they appear to target and the people who work on those programs are some of the most forward-leaning, advanced technologies,” the AP quoted former Director of National Intelligence (DNI) Senior Adviser Charles Sowell, who reviewed the list of names for the AP. “And if those programs are compromised in any way, then our competitive advantage and our defense is compromised.”
Noting that “employees working on sensitive projects like militarized drones, rockets, missiles, etc. should expect to be targeted by nation-state level attackers,” Obsidian Security CTO and Co-founder Ben Johnson says “the fact that Fancy Bear is targeting personal Gmail accounts highlights how the security perimeter has dissolved.”
Russia takes on the world
Intelligence sources from allies around the world show a hyperactive Russian cyber force bent on causing chaos, sowing divide and upending democratic institutions and principles.
As they jaunt from country to country, they leave their digital fingerprints everywhere.
“Russian hackers are known to be associated in the past with a number of high-profile malware, such as BlackEnergy, CozyBear, EnergeticBear, Sandworm, Uroburos Snake and Pawn Storm,” says Bilogorskiy. “Russian entities have been accused of attacking the democratic process in several countries – including the U.S., France and Mexico – in an attempt to influence elections, and appears to be continuing with this strategy in 2018.”
A Russian hacking group, he says, “is credited with the successful breach of power stations in Ukraine, as well as the ‘Nuclear17' cyberattack of nuclear power stations in the United States” and were likely “behind two of the biggest ransom worms of 2017: Petya and BadRabbit.”
Ahead of a bipartisan report expected from the Senate Intelligence Committee on Russia's attempts to upend democratic processes in 19 countries, a report from Sen. Ben Cardin, D-Md., casts light on what it calls Putin's “relentless assault to undermine democracy and the rule of law in Europe and the United States.”
The Cardin report paints Putin as a power-multiplying leader of a waning superpower who has tapped internal security services and outside forces to conduct “malign influence campaigns” within the country and in the West.
Influence campaigns often start at the local level, the report said, noting that “the German Marshall Fund's Alliance for Securing Democracy found that the Russian government has used cyberattacks, disinformation, and financial influence campaigns to meddle in the internal affairs of at least 27 European and North American countries since 2004.”
The report also cites a former employee of a Russian troll farm as saying that “staff on the ‘foreign desk' were responsible for meddling in other countries' elections.”
Israel's discovery that Russian hackers had used Kaspersky Lab's antivirus software to search computers worldwide for information on U.S. intelligence programs prompted the U.S. government in September to ban the company's software from all federal agencies.
Russia's efforts were uncovered by the country's intelligence officers who hacked into Kaspersky's networks and spied on the Russian spies in real time.
While it's not known the extent of the information the hackers gleaned, the sources told the New York Times that they did successfully pilfer classified data from the home computer of a National Security Agency (NSA) worker outfitted with Kaspersky AV software.
Crime and punishment
Individual countries have taken steps to counter what they see as Russia's intrusion and attempted influence within their borders.
Efforts to disrupt the French presidential election in May 2017 by releasing documents from Emmanuel Macron's En Marche! campaign, shortly before a mandatory media blackout, were rebuffed in part by “cyber deception.”
The timing of the attack helped thwart it, “but also there were clear indications the Macron campaign was proactive vs. reactive. We need to shift the cost from a defender to an attacker: the defender needs to protect 100 doors, while the attacker needs only 1 door to be unlocked,” says Aleksandr Yampolskiy, co-founder and CEO of SecurityScorecard, “The Macron campaign was clever around what they did. The head of Macron's digital team, Mounir Mahjoubi went on record to describe that they used a ‘deception technology' technique - which creates decoy fake documents, websites etc. - so that it's hard for an attacker to determine which one is real - that's very clever.”
The U.S. response has been more muddied. Russia's efforts prompted a federal investigation, headed first by former FBI Director James Comey then picked up by Special Counsel Robert Mueller, as well as at least three Congressional probes. Before leaving office, Obama slapped sanctions on Russia for its cyber assault on the U.S., closing Russia's diplomatic properties in Maryland and New York and sending staff packing. Putin responded in early 2017 by booting 755 members of the U.S. diplomatic staff in retaliation for Congress-approved sanctions against Russia, which Trump signed into law.
The Cardin report slaps the U.S. for “a lack of urgency and self-imposed constraints by the current State Department leadership” that has left the Global Engagement Center, whose mandate in December 2016 was expanded to include “‘foreign state and non-state propaganda and disinformation efforts' that target the U.S. and its interests,” a low priority, understaffed and without real leadership.
“The Administration's lackadaisical approach to staffing these positions and providing leadership to U.S. efforts to fight Kremlin disinformation stands in sharp contrast to the accelerating nature of the threat,” the report said. “As one GEC official put it, ‘‘every week we spend on process is a week the Russians are spending on operations.'''
In a moment of self-reflective candor, the White House seemed to recognize at the end of last year that the U.S. “has done too little to deter Putin's assaults,” the report said, citing a December 2017 a National Security Strategy that admitted, ‘‘‘U.S. efforts to counter the exploitation of information by rivals have been tepid and fragmented. U.S. efforts have lacked a sustained focus and have been hampered by the lack of properly trained professionals.''
Yet the administration let the White House announced in January that it wouldn't follow through with additional sanctions yet, ostensibly because the sanctions are working.
“Given the long time frames generally associated with major defense deals, the results of this effort are only beginning to become apparent,” Politico quoted a State Department spokesperson as saying. “From that perspective, if the law is working, sanctions on specific entities or individuals will not need to be imposed because the legislation is, in fact, serving as a deterrent.”
As that statement was being released, officials at the highest level of government – CIA Director Mike Pompeo, Secretary of State Rex Tillerson, and Defense Secretary James Mattis -- all separately indicated that Russia was continuing its cyber attacks against the U.S. and warned of likely interference in the 2018 midterm election.
After infighting on the House Intelligence Committee over the release of the memo, Sen. John McCain, R-Ariz., chastised fellow lawmakers. “If we continue to undermine our own rule of law, we are doing Putin's job for him,” McCain, who is battling a brain tumor, said in a statement, noting that “Russia employed the same tactics it has used to influence elections around the world, from France and Germany to Ukraine, Montenegro and beyond.”
To ignore or downplay Russia's actions is to open the U.S. and others up to future attacks that cause long-lasting damage.
“Is Russia placing a high priority on cyber? You bet. It's their best shot to have one layer of parity with the United States,” says Lundbohn. “It's also uncharted warfare where the damage inflicted can be substantial and equally debilitating to physical attacks.”
It seems that Russia is still causing nightmares for those Cold War children, who are now running the U.S. government and military. Just like in the ‘50s and ‘60s, though, ducking under their desks isn't going to help.
