RUSSIA/CYBER CRIME: A SYNOPSIS OF RUSSIAN STATE SPONSORED AND OTHER CYBER OFFENSIVE (CRIMINAL) OPERATIONS
Russia has extensive programme of state-sponsored offensive cyber operations. External targets include foreign governments and big corporations, especially banks. FSB leads on cyber within Russian apparatus. Limited success in attacking top foreign targets like G7 governments, security services and IFIs but much more on second tier ones through IT back doors, using corporate and other visitors to Russia
FSB often uses coercion and blackmail to recruit most capable cyber operatives in Russia into its state sponsored programmes. Heavy use also, both wittingly and unwittingly, of CIS emigres working in western corporations and ethnic Russians employed by neighbouring governments e.g. Latvia
Example cited of successful Russian cyber operation targeting senior Western business visitor. Provided back door into important Western institutions.
Example given of US citizen of Russian origin approached by FSB and offered incentive of “investment” in his business when visiting Moscow.
Problems however for Russian authorities themselves in countering local hackers and cyber criminals, operating outside state control. Central Bank claims there were over 20 serious attacks on correspondent accounts held by CBR in 2015, comprising Roubles several billion in fraud
Some details given of leading non-state Russian cyber criminal groups
Speaking in June 2016, a number of Russian figures with a detailed knowledge of national cyber crime, both state-sponsored and otherwise, outlined the current situation in this area. A former senior intelligence officer divided Russian state-sponsored offensive cyber operations into four categories (in order of priority):- targeting foreign, especially western governments; penetrating leading foreign business corporations, especially banks; domestic monitoring of the elite; and attacking political opponents both at home and abroad. The former intelligence officer reported that the Federal Security Service (FSB) was the lead organization within the Russian state apparatus for cyber operations.
In terms of the success of Russian offensive cyber operations to date, a senior government figure reported that there had been only limited success in penetrating the ‘first tier’ foreign targets. These comprised western (especially G7 and NATO) governments, security and intelligence services and central banks, and the IFIs. To compensate for this shortfall, massive effort had been invested, with much greater success, in attacking the “secondary targets”, particularly western private banks and the governments of smaller states allied to the West. S/he mentioned Latvia in this regard. Hundreds of agents, either consciously cooperating with the FSB or whose personal and professional IT systems had been unwittingly compromised, were recruited. Many were people who had ethnic and family ties to Russia and/or had been incentivized financially to cooperate. Such people often would receive monetary inducements or contractual favours from the Russian state or its agents in return. This had created difficulties for parts of the Russian state apparatus in obliging/indulging them e.g. the Central Bank of Russia knowingly having to cover up for such agents’ money laundering operations through the Russian financial system.
In terms of the FSB’s recruitment of capable cyber operatives to carry out its, ideally deniable, offensive cyber operations, a Russian IT specialist with direct knowledge reported in June 2016 that this was often done using coercion and blackmail. In terms of ‘foreign’ agents, the FSB was approaching US citizens of Russian (Jewish) origin on business trips to Russia. In one case a US citizen of Russian ethnicity had been visiting Moscow to attract investors in his new information technology program. The FSB clearly knew this and had offered to provide seed capital to this person in return for them being able to access and modify his IP, with a view to targeting priority foreign targets by planting a Trojan virus in the software. The US visitor was told this was common practice. The FSB also had implied significant operational success as a result of installing cheap Russian IT games containing their own malware unwittingly by targets on their PCs and other platforms.
In a more advanced and successful FSB operation, an IT operator inside a leading Russian SOE, who previously had been employed on conventional (defensive) IT work there, had been under instruction for the last year to conduct an offensive cyber operation against a foreign director of the company. Although the latter was apparently an infrequent visitor to Russia, the FSB now successfully had penetrated his personal IT and through this had managed to access various important institutions in the West through the back door.
In terms of other technical IT platforms, an FSB cyber operative flagged up the ‘Telegram’ enciphered commercial system as having been of especial concern and therefore heavily targeted by the FSB, not least because it was used frequently by Russian internal political activists and oppositionists. His/her understanding was that the FSB now successfully had cracked this communications software and therefore it was no longer secure to use.
The senior Russian government figure cited above also reported that non-state sponsored cyber crime was becoming an increasing problem inside Russia for the government and authorities there. The Central Bank of Russia claimed that in 2015 alone there had been more than 20 attempts at serious cyber embezzlement of money from corresponding accounts held there, comprising several billions Roubles. More generally, s/he understood there were circa 15 major organised crime groups in the country involved in cyber crime, all of which continued to operate largely outside state and FSB control. These included the so-called ‘Anunak’, ‘Buktrap’ and ‘Metel’ organisations.