6 BATTLES OF THE CYBER BEARS

Putin’s CYBER BEARS

In late July 2016, after the news of the DNC hack hit the headlines, two groups came to the center of attention after nearly a decade of engaging in attacks on perceived adversaries of the Russian government. These two groups carried the names given to them by the American cyber security firm CrowdStrike, and thus the world would be introduced to two designations for Russian hackers: “FANCY BEAR” and “COZY BEAR.” These cryptonyms were assigned to hacking threats under the term “Advanced Persistent Threats,” or APTs. APTs are often associated with nation-state actors because of the level of sophistication and resources needed to conduct persistent attacks on a given target. The weapon of choice for APTs is malware. Malware is malicious computer software, such as viruses or tools that can be inserted or introduced into a target’s computer. There were estimated to be just over a hundred APTs working hostile missions through cyberspace as of August 2016. APTs include attacks by nation-state actors, cyber criminals, hacktivists (activists who use hacking as a tool of protest), and cyber mercenaries.

CYBER BEARS are what we will call the conglomeration of several Russian intelligence agencies, nationalist militias, criminal contractor cyber warfare units, and the malware weapons these groups use in cyberwarfare. The CYBER BEARS—so called due to CrowdStrike’s BEAR designation for the DNC hackers—have conducted numerous hacking and black political propaganda operations in states that came into conflict with Russia, including Estonia, Georgia, Lithuania, Kyrgyzstan, Crimea and Ukraine. COZY BEAR, FANCY BEAR and VENOMOUS BEAR are specific cyber infection threats that have been traced to Russian intelligence, whereas CRIMINAL BEAR is the collective name for all Russian criminal hackers. MILITIA BEARS are pro-Russian nationalist hackers who pile onto Russian intelligence attacks that become public.

Clusters of CYBER BEAR attacks occurred most often against tense geopolitical backdrops that aligned uniquely with the interests of one country, Russia. Whether it was retaliation in Lithuania or Estonia, data blinding operations in Georgia, or flipping the switches on power plants in Ukraine in an attempt to undermine confidence in the government, the CYBER BEARS attacks leave plenty of marks and footprints for cyber security companies and intelligence agencies to examine.

The history of the attacks of the CYBER BEARS demonstrates advanced abilities to create code on the fly and to adapt to the security environment of their target in a way that few independent or lone attackers would be able to maintain, given the complexity of the attacks alone. They are also believed to be associated with thousands of attempted penetrations of U.S. defense and industry computers as well as cyber theft and internet fraud operations. Collectively, the BEARS are the definition of a national cyber threat.

The Advanced Persistent Threats

The key characteristics for classifying an entity as an APT are that it is:

• Advanced: The development skill of an APT is advanced enough both to build its own toolkit and to use existing advanced tools with ease.

• Persistent: The Adversary is goal-oriented in the attack and is driven to achieve the mission. This can often indicate a nation-state actor who has been given orders to acquire specified information.

• Threat: The adversary is organized, funded, and motivated. There is a high level of intent behind these attacks. Unlike malware that simply seeks out any vulnerability and is cast like a fishing net, APTs stay focused on a target until the mission is attained.

APTs are not actually groups of people but a description of the malware toolkits used by hackers. By examining the malware samples and correlating the metadata (the background information embedded in code) of the attacks, you can discover much about the real-world people on the other end in a way that the code itself cannot tell you. By scrutinizing when malware kits are compiled, you can discover where the development operations leading up to an attack occur. In most toolkits attributed to Russian hacking groups, the timecodes in their digital metadata fall in one of the two Eastern hemisphere time zones of UTC+3 or UTC+4, indicating Eastern Europe and/or Western Russia as a likely development zone. Then there are sometimes tags in the code that indicate a similarity found only in one batch of malware, as with the “Sandworm” group, whose attacks were identified by a cyber security firm that noticed the code was laced with references to Frank Herbert’s book Dune.

These clues help forensic investigators piece together not only the story of a particular infection, but the trajectory of development by hackers who do not reveal themselves by name but by deed.

For example, CyberBerkut, a group of pro-Russian hacktivists almost wholly focused on anti-Ukraine activity, includes subgroups who will announce their attacks as well as their ideology. CyberBerkut’s methods, tools, and remnants can be examined in the open, allowing investigators to attribute CyberBerkut’s contribution to the known attacks as they look for additional threats from groups whose aims extend beyond Ukraine. The same has been true for the APT29 malware sets known as COZY BEAR (aka “The Dukes”). The Finnish cybersecurity firm F-Secure found a series of malware sets that varied according to their version, showing development and improvement over time.

For example, private Russian hacker Dmytro Oleksiuk created a set of malware called BlackEnergy1 in 2007 to clog networks through DDoS (distributed denial-of-service) attacks, in which millions of emails or data packets sent to a single IP address create a massive internet traffic jam that stops all data flows.1 This malware was used by a group of Russian hackers in 2008 to overwhelm the Georgian internet. In 2010 a second variant, BlackEnergy2, emerged, containing more advanced malware tools inside. Finally, Russian intelligence took it and developed BlackEnergy3. Sandworm used this third variant (BlackEnergy3, or 3.0) to attack power plants in Ukraine.

In order to keep track of Advanced Persistent Threats (APTs), cyber firms designate the APTs with easily remembered names associated with clustered behavior. They are also known by a variety of other names depending on the firms that have detected and catalogued their malware and activities. According to Richard Bejtlich of Mandiant, a cyber security firm associated with FireEye, and a former USAF information warfare agency operative, the practice came from US Air Force analysts who needed a way to discuss the attacks with the civilians they were working with.2

APTs work by using a combination of code, social engineering (asking innocent questions and getting secrets), and common human errors to achieve their goals. They are capable of adapting to the most up-to-date security systems. As a persistent threat, they require constant vigilance on the part of security firms, developers, governments, institutions, and private enterprise. The tools these groups use are constantly evolving, even as security firms track their development and create patches to protect from their intrusion.

Zero Day

A zero-day (also written 0day) is a vulnerability in code that has remained undetected until it becomes active, giving a target zero days to manage the effects of the vulnerability. If it is discovered first by hackers, then the target organization is at risk unless the hacker is friendly and working for them (called a White Hat hacker). If the hacker is from a malicious group (Black Hat hackers), the hacker can exploit the vulnerability until they are detected by cyber security experts.

Many hackers develop “0day exploits” and can either use them directly or sell them. Sales of 0day exploits are a lucrative business on the black market via the Dark Web. In order to find these holes in security, hackers have to develop a comprehensive profile of the target, including what email systems are used, what operating systems are in play, and what proprietary computer systems are in use. The Democratic National Committee used a custom computer system created by NGP VAN, a specialist computer company that helps Progressive non-profits. Malware samples discussed in the CrowdStrike report on the hack showed that the attackers were custom coding components to be used for that specific attack on that specific software to get a very specific result—Watergate 2.0.3

After detecting hacking activity, the victim often helps security companies and government agencies determine the attacker’s origin or backers. APTs from China tend to focus only on Chinese government interests, which could include the activities of its neighbors or, as seen in the past few years, the Chinese buildup in the South China Sea. Some well-documented APTs developed by China include Blue Termite, The Elderwood Platform, Hidden Lynx, Deep Panda, and Putter Panda (APT2). Computer security authorities have identified APT1 as departments of the Chinese People’s Liberation Army (PLA); it also carries the APT name “PLA Unit 61398.” It is well known for its focus on U.S. technology firms.

The Iranians are often labeled under APT names associated with Kittens. Rocket Kitten, for instance, was credited in August of 2016 with cracking the Telegram encryption, constituting a threat to dissidents in or related to Iran. Other groups include Flying Kitten, Magic Kitten, and Clever Kitten, just to name a few.

The Russians, like the Chinese, focus on Eastern Europe, NATO forces, the United States, and opposition to Russian interests. These attacks range from hits on a power station in Ukraine to an attack on the World Anti-Doping Agency in August 2016. While many firms do not capriciously attribute attacks directly to nation states, they do reveal the metadata patterns that indicate Russian or Chinese involvement, ranging from the OS the hackers used to compile the malware, to IP ranges associated with spear-phishing and watering-hole attacks, to the domain names used to spoof the target into clicking on hot links. Unlike Russian cyber criminals, Russian government APTs are focused almost purely on cyber espionage.

Criminal APTs, or CRIMINAL BEARS, like Anunak/Carbanak and BuhTrap clearly focus on banking institutions across the world. First detected in December 2013, Carbanak stole well over $1 billion in strikes against U.S. retailers, including office retailer Staples. They use methods very similar to other APTs, such as spear-phishing campaigns. Spearphishing is a malicious, fraudulent email that appears to come from a trusted source. It generally contains a hyperlink to a false sign-in page that asks you to enter your passwords, credit card, or other information. It could also be a direct link to a virus.

Like the nation-state actors, the Carbanak method of stealing financial data exploits malware with a backdoor that replicates itself as “svhost.exe” before it connects to a command-and-control server to download more files and begin probing for more vulnerabilities. The APT can then download additional tools to take control over the infected computer, including keylogging, as well as capturing data from screen captures, microphones, and video cameras. Carbanak has even documented their operations in video form to evaluate the process and train others. The data that this group seeks to exfiltrate may go beyond financial information alone, but the primary goal has been to steal funds via fraudulent transactions.

From Mechanical Hacks to Cyber Theft

At the height of the Cold War, Russia learned to make the leap from manual intercept of printed media to the computer age well before the internet existed. Between 1978 and 1984 the KGB carried out an audacious electronic intelligence operation that preceded the CYBER BEARS antics. A select group of special technicians intercepted a shipment of American IBM Selectric II and Selectric III electric typewriters en route to the American embassy in Moscow and the US Consulate in St Petersburg. The KGB inserted devices called the Selectric Bug into sixteen of the typewriters.4 The special electrical device was embedded in a hollow aluminum bar and captured the movement of the rotating print ball as it struck the paper. As a typist struck the keys, the bug would transmit each keystroke to a nearby listening post via a short-distance radio signal. The NSA countered this by deploying a special team to Moscow to inspect all of the Embassy’s computers, encoding machines and typewriters. Code named GUNMAN, the NSA team eventually found the bugs and secretly replaced the typewriters with secure ones.5 Still, the KGB’s early awareness of the advance in print technology led them to implement one of the very first keystroke detection systems before computers became commonplace. With this corporate knowledge in hand, the KGB was well ahead of the curve in intercept technology, an aptitude they would soon come to command in the computer age.

Cyber intelligence collection operations didn’t start in the 21st century; they preceded the rise of Putin. During the period when Vladimir Putin was just taking the reins from the former KGB under the leadership of Boris Yeltsin, the NSA and the Department of Defense’s Information Operations Response Cell noted a series of sophisticated computer penetrations, accessed through research university servers. The hackers were stealing sensitive information, but what was noteworthy was the seemingly random nature of the hacks and the peculiar nature of the sensitive information. Author Fred Kaplan detailed this hack, called MOONLIGHT MAZE, and numerous others in his brilliant book Dark Territory: The Secret History of Cyber War. The hack was tracked back to Russia after decrypts found that the hacker was using a Cyrillic, Russian-language keyboard. The classified materials stolen about obscure scientific programs perfectly matched discussion topics at recent conferences in the United States attended by Russian scientists. The Russians would attend a conference, realize that it held more secrets, and task the CYBER BEARS to steal the research. The Russian Academy of Sciences in Moscow submitted hack requests and the KGB, now FSB, acquired the 5.5GB of classified materials.6

Russia didn’t rest on its laurels after stealing American scientific data. For more than ten years, volunteer militia hackers and cyber criminals carried out limited, and on occasion full-scale, cyber warfare on its neighbors in Europe. There is an arms race in the cyber weapons world as nation-state and freelance hackers seek to push the technology envelope. By 2016 the history of Russia’s attacks showed proficiency at destroying enemies with cyber strikes.

First Steps in Cyber Campaigns

The first step is to establish a target organization or individual. The second is to find out how and where to compromise the target’s IT systems with the least amount of effort possible and without being detected. This will most often start with examining the publicly posted employee rosters at a company, organization, or government office. Next comes a scour of social media sites like Facebook, LinkedIn, Twitter, Google, or even simply the target’s own agency.7

The target or targets are subjected to an email spear-phishing campaign. Spearphishing is a technique that seeks to fool a target into clicking on links or opening attachments in emails the target would expect to receive. For example, if a State Department official was expected to attend a conference on a UN refugee program, they might receive an email with the title “Schedule for the Refugee Committee” with an attached document or link. If it is a link instead of an attachment, the target might take a look at the link before clicking, but the reasonable-looking link will lead to a spoofed site that delivers malware to their computer. Once that malware is installed, it may do a number of things depending on the intent of its coding. The first function it is likely to perform is to breach the system.

The APT countermeasure system tracks not only the malware toolkits themselves, but the source of origin and related resources, including IP addresses of the remote Command-and-Control servers (C2), or in some cases metadata found in the compiled tools used by the threat actors. In addition, a pattern of behavior in what the hackers steal can help indicate further distinctions on the group behind the malware infection. For instance, nation-state hackers acting on behalf of Russia and China do not typically engage in financial theft but focus on espionage targets, even if that target is a private enterprise.

In the case of the attacks on the DNC, the company CrowdStrike identified two actors in separate breaches on the servers used. The two found were identified as “FancyBear” and “CozyBear” by CrowdStrike, but elsewhere they have other names depending on the security firm who encounters their activities. FancyBear is also commonly known as APT28 or Sofacy. CozyBear is commonly known as APT29.

APT 28—FANCY BEAR Russian State Security/Covert External Intelligence (FSB/SVR)

APT28 is a group that goes by many names, depending on who has discovered them. In order to learn the character of this group, it helps to look at all the cases investigated under the range of names the group gets assigned. Along with the naming of the group, different firms also name the malware, and conflicting names can occur for the same toolset. FireEye calls them APT28, CrowdStrike named them FancyBear, Trend Micro has called them Operation Pawn Storm, the Microsoft Security Intelligence Report calls them STRONTIUM,8 and SecureWorks tagged them as TG-4127. They’ve also been called Sednit (by ESET), Tsar Team (iSight) and Sofacy Group. Despite these names, the methodology and toolset are distinct and show a deployment sophistication that truly qualifies as an advanced and persistent threat; it is considered one of the most potent threats in the list of known APTs.

Security authorities first discovered the group in 2007. Their attacks have included a range of Eastern European countries including Ukraine, Georgia, Poland, to the south at Pakistan and further west to the United States and France. They have been linked to the GRU. They were even tied to attacks on the Russian all-girl band Pussy Riot.9

Typosquatters and Watering Holes

Many hackers establish typosquatting websites. These are false “squatter” websites set up at a URL that is nearly identical to a well-known website, differing only by the kind of fat-fingered “typo” a user might make (e.g. Microsift.com, Amaxon.com); hence “typosquatter.” Another technique to gather login, password or financial information from a targeted victim is to establish a malicious site or insert malware into a targeted site. Many typosquatting sites are Watering Hole sites—decoy or fraudulent websites that are loaded with malware and used to lure targets via spear-phishing emails to download their payload. To fool computer users into following these links, the site needs to look relevant or identical to the target’s working interest and include very up-to-date information, whether it be a bombing attack in Iraq mentioned in an email to the Vatican Embassy in Iraq, or schedule and coordination information sent to Hungary. In many cases, the malicious domain is very similar to the real domain.

Trend Micro examined four cases in the “Operation Pawn Storm” attacks and found these examples.

Hackers sent a series of emails to the Hungarian Ministry of Defense supposedly inviting them to the world’s largest defense exhibit, Eurosatory, held in Paris each year. The hackers’ email included links to “eurosatory2014.com.” The link led to a false site that stole the user’s information. The technique is to deceive employees into thinking the website is legitimate because they have attended the conference before or are aware of upcoming participation.10

A staff member of the Organization for Security and Cooperation in Europe in Vienna was the victim of a phishing attempt. A link in an email sent to employees pointed to “vice-news.com,” even though Vice News is found at “news.vice.com.” To lure an employee at SAIC, hackers used a link about “Future Forces 2014” that pointed to “natoexhibitionff14.com,” when the real exhibition website is “natoexhibition.org.”11 The purpose was to lure the personnel into giving up their webmail login credentials so the hackers could walk through the front door. For instance, the OSCE’s real OWA domain is “login-in.osce.org,” an extension of “osce.org.” The phishing domain purchased to steal credentials was “login-in-osce.org.” In the case of SAIC, the OWA domain was “webmail.saic.com,” related to “saic.com.” The phishing domain purchased was “webmail-saic.com.”12

Fancy Bear also targeted Academi, the infamous company formerly known as Blackwater. The link sent to them was meant to look like it came from “tolonews.com,” when in fact it came from “tolonevvs.com,” which was infected and part of the phishing campaign. As with the pattern above, the fake email server was a very close misspelling of the real one that may have passed a casual glance, “academl” instead of “academi.com.”

In the case of a German company, attackers went so far as to buy an SSL certificate to mask their heist. SSL certificates are sold to allow a vendor to establish a secure connection to the buyer’s browser, so a certificate on a fake login page makes it look trustworthy. Trend Micro says they were able to warn the target and avoid the attack only because of early detection.13 Trend Micro engaged the attackers by sending fake credentials through these webmail login pages. Attackers responded “within minutes” of the intentional “leaking” of these fake accounts and began attempting unauthorized access. After an initial login check came from the site itself, they noticed additional login attempts that came next from Latvia (46.166.162.90) and the United States (192.154.110.244).14

Once the hackers are in, they deploy a range of tools to take control of the infected computer and begin efforts to gather data to download—credit cards, photos, or bitcoins, they steal it all.

In a Trend Micro assessment from August 2015, APT28, aka “Pawn Storm,” focused 25 percent of its targeting efforts on Ukraine, followed by the United States at 19 percent. When it came to attacks by sector, the emphasis shifted depending on the country. In Russia 23 percent of attacks targeted media, followed by 17 percent on diplomacy, then activism at 15 percent. By contrast, the Ukrainian sectors struck were 18 percent military, 18 percent media, and 16 percent government. For the United States the sectors were even clearer, with military at 35 percent, defense at 22 percent, and government at 8 percent. Attacks on American media were at 7 percent.15

APT 29—COZY BEAR Russian Military Intelligence (GRU)

Like its companion Russian cyber groups, APT29 has its own tool set and methods of attack. In operation since 2008, the group was named COZY BEAR by CrowdStrike. It is also known as Cozy Duke by Mandiant. Before it struck the DNC, targets of APT29 included the U.S. State Department, the U.S. Joint Chiefs of Staff, and the White House. The group has developed a tool kit commonly labeled “The Dukes.” One tool set, called Hammertoss or Hammerduke, even uses steganography (data or messages hidden within an image) via images posted on Twitter. They usually gain access to computers through spearphishing.

In a September 2015 study on APT29 attacks, the Finnish cyber security firm F-Secure found several samples of APT29 activity in Chechnya between 2008 and 2015.16 Though F-Secure calls them “The Dukes,” other firms have also named and tracked these toolkits. For example, one toolkit has been named “SeaDaddy,” as found in the DNC breach. Similarly, “HammerDuke” is the same toolkit as “HammerToss” tracked by FireEye. Their targets have been Chechnya, Ukraine, and the United States. Most of their operations occur in the UTC+3 and UTC+4 time zones, which also indicates Russian origins.

According to F-Secure’s analysis of PinchDuke, the first samples were found in November 2008 on Turkish websites hosting Chechen materials. One of the sites was labeled as a “Chechan [sic] Information Center;” the other site contained a section on Chechnya.17

Venomous Bear18 was first identified by CrowdStrike in 2008; it has also been nicknamed Uroburos (Snake), Epic Turla, SnakeNet, Waterbug, and Red October.19

This group is best known for the notorious cyberattack on U.S. Central Command in 2008. This attack has been called the “Worst Breach of U.S. Military Computers in History.” Though the Pentagon says no data was lost because the transmission of data was interrupted, it transformed how the military would use thumb drives as well as its defensive posture.

The attack was likely due to an infected USB flash drive inserted into a U.S. military laptop. In order to engage the rest of its programming, the malware had to communicate to a C2 server. When it tried to do so, NSA’s Advanced Network Operations (ANO) team detected the malware. As a result, DOD issued a worldwide ban on thumb drives. Another result of this breach by Agent.btz was the creation of the U.S. Cyber Command. DOD also responded with the launch of “Operation Buckshot Yankee”20 which aimed to both clean all infected machines and protect the “digital beachhead” as Deputy Defense Secretary William Lynn III called it. The breach was so severe that NSA’s famous Tailored Access Operations (TAO), the elite cyber attack squad team, worked to counter the threat.21

Like the other APTs, this group uses spear-phishing to trick the target into opening a PDF attachment carrying malware or into clicking a link to a watering-hole site. Like the APT28 and APT29 attacks, the Venomous Bear attacks used email attachments that were carefully targeted and worded to get the target to open the attached PDF, which then activated “Trojan.Winpbot” and “Trojan.Turla,” according to a Symantec report examining the group’s attack.22 The “Trojan.Turla” is used to exfiltrate data.

According to CrowdStrike’s Global Threat Report, Venomous Bear has been targeting government agencies, NGOs, energy firms, tech firms, and educational organizations.23

Attacks of the CYBER BEARS

Estonia: Unleashing the Cyber Bears.

Russia views the Baltic States, the countries that border it on the western frontier, as nations that should be in its sphere of political and economic influence rather than oriented toward Western Europe. The nations of Lithuania, Estonia, and Latvia felt they had been left behind to suffer for more than five decades under Soviet domination. When they got the chance, they quickly aligned themselves with America and the rest of Europe, and joined NATO. The pain of this was especially sharp in Estonia.

Estonia sits just to the southwest of St. Petersburg on the Baltic, and Russia has long considered it, along with Lithuania and Latvia, a rogue satellite. Reclaiming them would give Putin a bridge to the enclave of Kaliningrad, a small province of Russia north of Poland that is separated from Russia by the Baltic States. A Russian-dominated Baltic region would also push NATO back to the Polish frontier. Many believed that the 1940 seizure of Estonia and its “liberation” by the Soviet Union in 1944 were part of Russia’s tsarist desire to control the satellite states in its backyard. As many as 320,000 Estonians are ethnic Russians, and 40 percent of the population is considered “foreign.” The Russian population of Estonia came during the Soviet occupation or was born there. Upon independence, the Estonians decided that Russians and other non-Estonian peoples would be considered émigrés and not nationals. Putin’s Russia took a dim view of the treatment of their ethnic brothers, a view that would turn dark in 2007.

The Estonian break with Russia would come to a head when the government attempted to remove a bronze military monument to Russian soldiers lost in World War II. This dark grey statue of a young, chisel-chinned, highly decorated Russian soldier, rifle slung over his back, helmet in hand, head lowered out of respect to the dead, once stood in the center of the Estonian capital of Tallinn. It was a beautiful piece of artwork, but ever since the Soviets reoccupied the country in 1944, the monument had stood as a hated symbol of Communist and post-Communist hegemony. After independence in 1991 Estonia sought ways to remove the monument without antagonizing the local Russian population.

In 2007 Estonia was one of the most wired countries in the world. Its 1.3 million inhabitants had fully integrated the internet into their daily lives using computers, tablets, and smartphones, which made them the highest per-capita users of online technology in the Europe and Middle East regions. Estonia wired itself for global access to make it attractive to European markets. Marketing campaigns touted Estonia’s global interconnectedness, its small but growing economy, and its 2004 acceptance into NATO.

When the protests broke out, the Bronze statue was vandalized. Blood red paint was routinely thrown on it. The new imperial Russia was not amused. The opposition to the monument culminated in a series of riots that led to a greater, even more monumental event in the history of European political warfare. Estonia was attacked, but not one bullet was fired and not one person was injured. The CYBER BEARS were tasked to punish the nation as a whole. They did so by sending an entire European nation back to the pre-internet age.24

On April 26, 2007 a massive, covert barrage of cyberattacks struck the computers of Estonia. A series of “Denial-of-Service” attacks clogged the servers that distributed web traffic and completely shut down all internet access to the nation. The sites targeted included those of the Estonian president, the Parliament, the ministries, three news outlets, political parties and two banks.25 In order to stop the attack, countermeasures blocked all international traffic, which allowed site traffic to return to normal levels.

Estonia conducted an investigation and later charged a 20-year-old Estonian, Dmitri Galushkevich, for his role in the DoS attacks. He stated that his attack was inspired as a protest against removing the Bronze Soldier. He pleaded guilty. As he had no previous criminal record, he was fined €110 and released.26 Despite his admission of starting the first DoS hack, many firms have concluded that cyber militias working under the direction of the Russian government quickly jumped onto the initial DoS attack and expanded it to the extent that it shut down the country’s internet.

The Bears Went Down To Georgia

Since 1988, when the people of Ossetia, an enclave in southern Georgia, asked for more autonomous authority, the central government of an independent Georgia has asserted its control in a tug of war with Russia. Georgia declared its independence from the Soviet Union in 1991, and shortly after, South Ossetia declared its independence from Georgia. Ossetians had been seeking to increase their autonomy for years, but under the new Georgian President Zviad Gamsakhurdia it was clear Georgia was not going to give up this territory as it sought independence for itself. Ossetia had been an oblast, or province, under the Soviet system since 1923.27 After Gamsakhurdia was deposed in December 1991, Eduard Shevardnadze became the new Georgian leader, and by mid-1992 a ceasefire agreement was accompanied by another agreement leaving Georgia in substantial control over South Ossetia.28

However, the South Ossetians are supported largely by Russia, and this tension boiled over Georgian control in 2004 and again in 2008. In August 2008, Russia and Georgia clashed in South Ossetia and Abkhazia after years of tension. When Georgian troops sought to enter South Ossetia, they were outmaneuvered and outflanked by the Russian-backed forces. In five days, the combined Ossetian and Russian forces defeated the Georgian forces.29

During the clash, Russia hit Georgia with a campaign of hybrid warfare that included massive cyberattacks on the websites of officials, ministries, and other targets. The campaign against Georgia started three weeks before the August 7, 2008 assault on Ossetia.30 On July 20, 2008, the Georgian president’s office suffered a denial-of-service attack that shut down its website. As the conflict ensued, Russia used its cyber assets both to send pro-Russian messages aimed at the former Soviet state and to render the online resources of the Georgians useless. On August 8, 2008, hackers used an early variant of the BlackEnergy malware to conduct distributed denial-of-service (DDoS) attacks against Georgian government websites as Russian forces invaded.31 This was perhaps the first time conventional combat was joined with cyber warfare operations. The aim of the attacks was to shape public opinion and control Georgian communications.

The attacks were well planned and well targeted to gain the maximum effect of creating a digital outage for Georgian authorities, including stopping their ability to get messages out to seek support. Georgia was blindsided and blinded at the same time. Analysts later determined that Russian nationalists who had received advance warning conducted the attacks. Russia recruited these hackers via social media forums. The use of patriot hackers in this operation would set the pace for future hands-off operations. Russia’s use of hackers and cyber militias under a nationalistic banner proved effective against the Georgian authorities.32

Pro-Russian websites were launched during the war in South Ossetia. Unlike the attacks on Estonia, the attacks on Georgia’s cyber systems used botnets, waves of self-replicating cyber agents, to engage in a distributed attack. As of 2016, the Cyber Bears APT28 and APT29 continue peripheral attacks on Georgia with spear-phishing campaigns aimed at the administration and military.33

Lithuania Under Attack: June 2008

In 2008, the Lithuanian Parliament passed a series of amendments that aimed to prohibit the display of the symbols of both Nazi Germany and the Soviet Union. This would include depictions of Nazi or Soviet leaders and Nazi or Soviet symbols, including the swastika and the hammer and sickle.34

In response to this law, more than three hundred websites suffered both vandalism and DoS attacks.35 Most of the sites were co-located with the same server host.36 Hackers defaced the websites with anti-Lithuanian messages and images of the Soviet hammer and sickle.37 The sites affected included those of the Lithuanian Social Democratic Party, the Securities and Exchange Commission, government agencies, and private enterprises.

Though officials in Lithuania said they could not prove the attacks were conducted or orchestrated by Russia, it was clear the attacks were tied to the laws passed banning Soviet symbols. The government said the attacks came from an array of computers from outside the country.

Kyrgyzstan: January 18, 2009

On January 17, 2009, an official of the Kyrgyzstan government informed the United States that the Manas Air Force Base outside of Bishkek would close. The United States had been using the base since December 2001 as part of the effort in Afghanistan. The official said that the base closure would come in days as a result of Russian pressure. Just a month before, Russia’s top general Nikolai Makarov accused the United States of planning to expand its number of bases in the region.

To drive the point home, a series of DoS attacks hit Kyrgyzstan’s two main internet service providers, essentially knocking out internet access, websites, and email for the country.38 Though there are no conclusive reports that definitively name the responsible party, many firms state the attack appeared to be tied to the decision to let the U.S. use the Bishkek base as a logistics center for the war in Afghanistan. The attacks were attributed to “cyber militias,” much like the attacks in the Russo-Georgian conflict just a few months before.

Despite the base having been in operation for nearly eight years, on February 3, 2009, Kyrgyzstan’s President Bakiyev announced that it would close. This was a major victory for Russian control over Central Asia. After Kyrgyzstan complied with Russia’s demands, it received a multimillion-dollar aid package.39

Ukraine Power knocked out by Sandworm: December 23, 2015

Three Ukrainian power companies came under attack by the Sandworm tool set after employees downloaded BlackEnergy3 malware packages. According to an investigation by Robert M. Lee, former U.S. Air Force cyber warfare operations officer and co-founder of Dragos Security, the infections started in spring of 2015.

Attackers engaged in a spear-phishing campaign using infected Word documents aimed at system administrators and IT staff at the facilities. Targets who opened the Word document saw a prompt asking them to click to “enable macros,” which installed the BlackEnergy3 malware. It is notable that macros had been in decline until the time of this attack but were now on the rise.40 After the malware successfully installed, it began to scan for paths to the supervisory control and data acquisition (SCADA) networks, which would allow the attackers to take control of the plant’s control systems.41 All of this would be exceptionally risky at many power plants, but it turned out that Ukrainian security was above average and even outclassed many U.S. facilities. The networks were all very well segregated via firewalls, but the CYBER BEARS stole in anyway.42
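The initial foothold described above was a Word document whose “enable macros” prompt installed the malware. The following checker is an added example, not code from the book or from any of the firms it cites: it inspects an Office attachment’s bytes for the two indicators of embedded VBA in the OOXML container format (a `word/vbaProject.bin` part and a macro-enabled content type) without opening the file in Office. The sample documents it builds in memory are constructed stand-ins, not real malware.

```python
"""Flag macro-bearing Office attachments by content, not by file extension.

Added example (not from the book). Modern Word files are zip containers;
a document carrying VBA code ships a word/vbaProject.bin part and declares
a macro-enabled content type in [Content_Types].xml. Legacy .doc (OLE)
files are not covered here.
"""
import io
import zipfile

VBA_PART = "word/vbaProject.bin"
MACRO_CONTENT_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CONTENT_TYPE = (
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
)


def inspect_office_attachment(data: bytes) -> dict:
    """Return macro indicators for an OOXML attachment given as raw bytes."""
    findings = {"is_zip": False, "has_vba_part": False,
                "declares_macro_type": False, "risk": "unknown"}
    if not data.startswith(b"PK\x03\x04"):
        return findings  # not an OOXML zip container
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            findings["is_zip"] = True
            findings["has_vba_part"] = VBA_PART in names
            if "[Content_Types].xml" in names:
                ct = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                findings["declares_macro_type"] = MACRO_CONTENT_TYPE in ct
    except zipfile.BadZipFile:
        return findings
    # Either indicator alone is enough to quarantine for analyst review.
    if findings["has_vba_part"] or findings["declares_macro_type"]:
        findings["risk"] = "macro"
    else:
        findings["risk"] = "no-macro"
    return findings


def _build_sample(macro: bool) -> bytes:
    """Construct a minimal docx/docm container for offline testing (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        ctype = MACRO_CONTENT_TYPE if macro else PLAIN_CONTENT_TYPE
        zf.writestr(
            "[Content_Types].xml",
            f'<Types><Override PartName="/word/document.xml" ContentType="{ctype}"/></Types>',
        )
        zf.writestr("word/document.xml", "<w:document/>")
        if macro:
            # Stand-in bytes only; a real part is an OLE stream holding the VBA project.
            zf.writestr(VBA_PART, b"\xd0\xcf\x11\xe0placeholder-vba-part")
    return buf.getvalue()


SAMPLE_CLEAN = _build_sample(macro=False)   # constructed: behaves like a plain .docx
SAMPLE_MACRO = _build_sample(macro=True)    # constructed: behaves like a .docm lure

if __name__ == "__main__":
    for label, blob in (("report.docx", SAMPLE_CLEAN), ("invoice.docm", SAMPLE_MACRO)):
        print(label, inspect_office_attachment(blob))
```

Run at a mail gateway or on an attachment store, the "macro" verdict is a trigger for quarantine and analyst review, not proof of malice, since legitimate macro-enabled documents exist.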

One of the plant operators stated that he saw the attackers take control of one of the computer terminals and successfully search for the panel that controlled the circuit breakers. The attackers began to take down the power grid in front of his eyes. Though he tried to regain control of the computer, it was too late. The attackers locked him out and continued their task of shutting down around thirty electrical substations.

After the breach, the attackers used an eraser program called “KillDisk,” which wiped out major sectors of files, corrupted master boot records, and essentially rendered the systems useless without taking them offline and replacing them. The attackers reconfigured the backup generators in a manner that disabled them so the repair crew had to tough it out in the dark.

To top this off, they didn’t do this just once: the attackers simultaneously hit three power stations belonging to the Ukrainian power company Kyivoblenergo in the Ivano-Frankivsk Region.43 They also struck Prykarpattyaoblenergo, with an outage that affected 80,000 people, as well as the Chernivtsioblenergo station.44 In total, an estimated 225,000 people were affected for nearly six hours. The companies restored power by going back to manual control, since many systems had been fried by the “KillDisk” deletions.

To make all of this more complicated, a Telephone Denial-of-Service (TDoS) attack on the telephone system flooded the circuits with bogus calls, which prevented citizens from alerting the power companies about outages.

The Warsaw Stock Exchange aka The Cyber Caliphate False Flag Attack #1: October 24, 2014

After the website for the Warsaw Stock Exchange went offline for two hours, a Pastebin message screamed to the world, “Today, we HACKED Warsaw Stock Exchange!” and “To be continued! Allahu Akbar!” Authorities initially credited the Cyber Caliphate, a hacker group that claims allegiance to ISIS and works in association with the United Cyber Caliphate groups. The message posted on Pastebin, an online bulletin board, said the hack was in retaliation for Polish bombing of the “Islamic State.”45

Initially, many accepted that ISIS-affiliated hackers were responsible, but the techniques, tools, and, more importantly, digital footprints suggested the attackers came from Russia. This is an old spycraft technique called a false flag operation: a deception in which one entity is blamed for the actions of another. The false flag cover didn’t last, as forensic analysts demonstrated that Russian hackers had posed as ISIS and let them take the blame.46 It was later revealed that the hackers stole details on investors and the stock exchange’s network, including credentials authorizing access to customer accounts.47

The TV5 Monde Attack, aka The Cyber Caliphate False Flag #2

On the evening of April 9, 2015, at 10:00 pm, the French TV channel TV5 Monde experienced a cyberattack that resulted in the suspension of its broadcast, as hackers infiltrated its internal systems and social media profiles. First the website crashed, then emails went down.48 Helene Zemmour, digital director for the station, said it all went down in a “synchronized manner.” CNN reported, “Shortly after the beginning of the attack our internal computer system fell and other programs followed.”

The defaced pages were relabeled by the Cyber Caliphate with “Je Suis ISIS” tagged on them, recalling the pro-Charlie Hebdo rallying cry “Je Suis Charlie.” However, the fake Cyber Caliphate website was in fact on a server with an IP address belonging to APT28. Security firms picked up on this, and a consensus began to develop that the attack was the work of a nation-state actor. Because of a number of notable similarities to APT28, the Cyber Caliphate was ruled out as the attacker. The threat was beyond the capabilities of ISIS’s hacker wannabes.

In more practical terms, Wassim Nasr of France 24 noticed that the Arabic of the claims was barely real Arabic. He pointed out improper use of the language in several areas, notably in the Bismillah phrases common to ISIS, where “and” was used in a manner no Arabic speaker would.49 The claims most likely came from Google Translate. Unwitting ISIS-affiliated groups still took credit for the attack, and their fanboys attributed it to the Cyber Caliphate Army.

The channel and social media accounts were reclaimed by the next afternoon. TV5 director Yves Bigot said the security had been recently checked. One CNN anchor even said, “once again terrorism has targeted freedom of expression.”

No One is Immune

On May 20, 2015, APT28 hit the German Bundestag and started to steal data from servers after launching the Sofacy malware on the systems. After the attack, the Bundestag director Horst Risse advised the other staff to avoid opening files or links via email.50 In August 2015, APT28 launched a spear-phishing effort at EFF, the Electronic Frontier Foundation. The group attempted to use email to lure targets to a spoofed site at “electronicfrontierfoundation.org”. The official site for EFF is at “eff.org”. Oracle fixed the Java zero-day.51

On July 21, 2016, on the eve of the Olympic games in Rio de Janeiro, the World Anti-Doping Agency (WADA) recommended banning all Russian athletes from the 2016 Olympic games.52 WADA believed that there was a systematic national effort to use illegal doping agents and conceal them from the agency. WADA reached a compromise with the Russian Olympic team in which 70 percent of Russian athletes could participate, though 110 could not. Although it appeared that the matter was resolved, the CYBER BEARS unloaded on WADA with a massive FANCY BEAR spear-phishing campaign.

On August 15, 2016, stakeholders in WADA were notified of an email campaign aiming to spear-phish members by getting them to click links to bogus websites that looked like official WADA portals. The watering hole domains had been purchased recently, on August 8, 2016, along with additional domains not used in the strikes but perhaps held for future targeting. The domains were registered to users as if they were in Riga, Latvia. The URLs were “wada-awa.org” and “wada-arna.org,” neither of which was affiliated with the organization.
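Both the WADA lures above and the EFF lure at “electronicfrontierfoundation.org” work the same way: a freshly registered domain that embeds or closely resembles the real one. The checker below is an added example, not code from the book or from FireEye or ThreatConnect; it screens a link or sender domain against an allowlist of legitimate brand domains and reports anything off-list that embeds a brand token or lies within a small edit distance of a real label. It assumes WADA’s legitimate portal is wada-ama.org (WADA’s actual domain, which the page does not state); the page does give eff.org as EFF’s official site.

```python
"""Screen link or sender domains for brand lookalikes.

Added example (not from the book). Allowlist entries: wada-ama.org is
assumed to be WADA's real domain (not stated on the page); eff.org is the
official EFF site named on the page. No public-suffix list or WHOIS lookup
is used, so the check runs offline on a plain string.
"""
import re
from urllib.parse import urlparse

# Legitimate registrable domain -> brand tokens an impostor would embed.
ALLOWLIST = {
    "wada-ama.org": {"wada"},                   # assumed real WADA domain
    "eff.org": {"eff", "electronicfrontier"},   # page gives eff.org as official
}


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Naive registrable domain: the last two labels."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def _token_hit(label: str, token: str) -> bool:
    """Short tokens must be a whole hyphen-delimited piece; long ones may be embedded."""
    pieces = re.split(r"[-_0-9]+", label)
    return token in pieces if len(token) < 5 else token in label


def assess(url_or_host: str, max_distance: int = 2) -> dict:
    """Return verdict 'legitimate', 'lookalike' or 'clean' plus the reasons."""
    target = url_or_host if "//" in url_or_host else "//" + url_or_host
    dom = registrable(urlparse(target).hostname or "")
    if dom in ALLOWLIST:
        return {"domain": dom, "verdict": "legitimate", "reasons": []}
    label = dom.split(".")[0]
    reasons = []
    for legit, tokens in ALLOWLIST.items():
        legit_label = legit.split(".")[0]
        for tok in tokens:
            if _token_hit(label, tok):
                reasons.append(f"embeds brand token '{tok}' of {legit}")
        # Edit distance is only meaningful against reasonably long reference labels.
        if len(legit_label) >= 6 and levenshtein(label, legit_label) <= max_distance:
            reasons.append(f"within {max_distance} edits of {legit}")
    return {"domain": dom, "verdict": "lookalike" if reasons else "clean",
            "reasons": reasons}


if __name__ == "__main__":
    for sample in ("https://wada-awa.org/login", "wada-arna.org",
                   "https://electronicfrontierfoundation.org", "eff.org", "example.com"):
        print(assess(sample))
```

In practice the verdict is combined with registration age, which the page notes was only days for the WADA domains, and the result feeds a mail filter or a blocklist review rather than an automatic block.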

FireEye and ThreatConnect53 have tied APT28 to the WADA attack.54 However, as with the DNC, the TV5Monde, and the Warsaw Stock Exchange hacks, this one was suddenly claimed by someone else. In this case the claim emanated from a Twitter account named “Anonymous Poland” and the handle @anpoland. Like Guccifer 2.0, this new Twitter channel had no back history, suggesting it was a sock puppet account created just for the operation.

Targets of the attack included athlete Yuliya Stepanova, who had her emails hacked after she stepped forward as a whistleblower on the Russian doping scandal. She personally drew the ire of Putin who referred to her as a “Judas.” It wasn’t surprising that Russian authorities would want to retaliate as they have long shown a state interest in the success of their athletes, even if by banned or controversial methods. Grigory Rodchenkov was director of an anti-doping lab that helped Russian athletes cheat WADA controls. Rodchenkov claims that a Russian intelligence officer was assigned to observe his lab to find out what happened to athlete urine samples.55

Numerous other Russian hacks struck government, diplomatic, and civilian websites in the U.S. as well. In December 2014, Russian hackers breached the account of a well-known U.S. military correspondent. The attackers then took the contact information from that breach and went on to attack fifty-five other employees of a major U.S. newspaper.56 In January 2015, three popular YouTube bloggers interviewed President Barack Obama at the White House. Four days later they were targets of a Gmail phishing attack.

The Office Monkeys Campaign

In October 2014, some White House staffers received an email with a “video” attachment: a zip file containing an executable. “Office Monkeys” was the title, and it featured not only a video clip of a chimpanzee in a suit and tie but also the CozyDuke toolkit from APT29, equipped to deploy the exploits necessary to get to the intended data.

The White House attack came as a result of a similar breach at the State Department just weeks before. In that case a staffer clicked on a fake link in an email referring to “administrative matters.”57 The resulting data gained at the State Department allowed attackers to map out an approach to White House attack vectors. The White House breach resulted in unclassified but perhaps sensitive information being compromised, including emails of President Barack Obama’s schedule.58

The CYBER BEARS also conducted a spear-phishing campaign against the U.S. Joint Chiefs, aimed at the U.S. military’s joint staff. The entry malware was disguised as coworker emails. The resulting breach shut the system down for ten days, during which time four thousand staffers were offline.

OPERATION WATERSNAKE

An example of the extent of FSB and GRU covert cyber collection and exploitation was the exposure of what was most likely a Russian State Security and Navy Intelligence covert operation to monitor, exploit and hack targets within the central United States from Russian merchant ships equipped with advanced hacking hardware and tools. The US Coast Guard boarded the merchant ship SS Chem Hydra and found on board wireless intercept equipment associated with Russian hacking teams. Apparently the vessel had personnel on board who were tasked to collect intelligence on wireless networks and attempt hacks on regional computer networks in the heartland of America.59

The Criminal Bears, Militia Bears and Others

Berzerk Bear, VooDoo Bear, Boulder Bear: CrowdStrike identified a group that has been active since 2004 as “Berzerk Bear” and tied the group to Russian Intelligence Services. The aim of this group is information theft,60 and it has shown a flexibility to write tools appropriate to its mission. Berzerk Bear was active during the 2008 Russo-Georgian conflict, acting against Georgian websites. However, without extensive reports detailing the attacks, it is hard to tie these names to a larger matrix of attacks that are chronicled by malware tracking firms.

CyberBerkut: The group known as CyberBerkut is different from the APT threats from the Russians. These pro-Russians from Ukraine have been launching their anti-Ukrainian DDoS attacks since 2014. In addition to DDoS attacks, CyberBerkut employs data exfiltration and disinformation to attack its targets.61 Although the group’s attacks have largely been aimed at discrediting the Ukrainian government, it has also been noted that CyberBerkut only aims its attacks at members of NATO. They have a website and have been quasi-public in a manner resembling Anonymous. They have even engaged in conspiracy theories related to the murder of James Foley by posting a staged video meant to resemble the famous video with Jihadi John and Foley.

Putin’s Professional Troll Farm

Several internet hoaxes spread on social media and caused panic around the country in the fall and winter of 2014. The first came after an explosion at a Louisiana chemical plant in September, then later an Ebola outbreak, and a police shooting of an unarmed black woman in Atlanta in December. None of these events, however, actually happened.62 But this was not immediately clear in any of the cases. During the chemical plant hoax, for example, posts inundated social media, residents received frantic text messages, fake CNN screenshots went viral, and clone news sites appeared.63 In each instance, reporter Adrian Chen discovered, a Russian group known as the Internet Research Agency concocted the elaborate hoaxes. Online, these pro-Russia, anti-everyone paid staffers are known as the “Trolls from Olgino.”64

Chen traveled to the Russian city of St. Petersburg and reported extensively on the so-called “troll farms” for a June 2015 article titled “The Agency” in The New York Times magazine. He wrote that the agency had become known for “employing hundreds of Russians to post pro-Kremlin propaganda online under fake identities, including on Twitter, in order to create the illusion of a massive army of supporters.”65

Analysts suspect that Putin business associate Evgeny Prigozhin runs the agency. Chen identifies him as “an oligarch restaurateur called ‘the Kremlin’s chef’ in the independent press for his lucrative government contracts and his close relationship with Putin.”66 The Times quoted former employees as saying that the agency had “industrialized the art of trolling.”67 Chen wrote, “The point was to weave propaganda seamlessly into what appeared to be the nonpolitical musings of an everyday person.”68 In an interview with PBS NewsHour, Chen said the purpose was “to kind of pollute the Internet, to make it an unreliable source for people, and so that normal Russians who might want to learn about opposition leaders or another side of things from the Kremlin narrative will just not be able to trust it.”69

A year before Chen reported on the Internet Research Agency, Max Seddon reported for BuzzFeed about leaked emails that showed the agency had begun a project to flood social media and the “comments” sections of popular American websites such as Politico, The Huffington Post and Fox News, pushing themes such as “American Dream” and “I Love Russia.” BuzzFeed reported that one project team member, Svetlana Boiko, cited fears that news organizations and internet commenters were not writing positively of Russia. In a strategy document, Boiko wrote that non-Russian media were “currently actively forming a negative image of the Russian Federation in the eyes of the global community.”70

After the Ukrainian crisis began, followed by the Russian annexation of Crimea from Ukraine in March 2014, BuzzFeed reported an increase in pro-Kremlin internet activity, which Seddon writes, “suggests Russia wants to encourage dissent in America at the same time as stifling it at home.”71 The documents show that each day, the “trolls” were expected to comment on news articles fifty times, tweet fifty times from ten accounts, and post three times on six Facebook accounts.72

After WikiLeaks released the leaked DNC emails in July, Chen, now a staff writer at The New Yorker, wrote that since his original article there appeared to be decreased activity at the Internet Research Agency. But he did notice a trend in some of the Twitter accounts that continued to post. He writes, “But some continued, and toward the end of last year I noticed something interesting: many had begun to promote right-wing news outlets, portraying themselves as conservative voters who were, increasingly, fans of Donald Trump.”73
