Claims of cyber attacks, website defacements, sophisticated Russian malware, and even “cyberwar” have hit front pages since the conflict in Crimea heated up. With all the noise, it’s hard to know what has actually occurred, and even tougher to interpret the consequences of the potential activity. Here’s our take on the major cyber activities that have been reported throughout the Russia-Ukraine crisis.
We anticipate that Moscow will seek to avoid the international criticism of its purported network operations that accompanied the 2008 Georgia crisis and the 2007 incident in Estonia. Instead, we think Moscow is more likely to use narrowly focused, limited operations in support of strategic state objectives. The Russian government has long viewed operations in cyberspace as a complement to the variety of tools used to cultivate international opinion and garner domestic support. As the government matures this capability, we estimate that it will subtly integrate network operations into its pre-conflict, conflict, and post-conflict actions. This leaves us watching for indications of Russia’s ability to influence the media, policymakers, and its citizens’ opinions in addition to tracking reports of the latest cyber activity.
Reports of Advanced Malware (Snake/Uroboros) Potentially Used by the Russian Government
In early March, two research reports revealed a network exploitation campaign that analysts imply might be the work of the Russian government. The reports link the current activity, referred to as Uroboros, Snake, or Turla, to Agent.BTZ, the malware used in the massive network compromise that the Department of Defense experienced in 2008. After Agent.BTZ’s disclosure in 2008, many suspected that the compromise had been the work of the Russian government. These new reports link the Snake malware (a rootkit) to Agent.BTZ, and lay out the way that the two Snake variants operate. Researchers have found evidence of Snake, which provides “full remote access to the compromised system,” in the networks of Ukrainian government agencies prior to Yanukovych’s recent ouster, although the malware appeared more frequently as the anti-government protests continued.
Analyst’s view: This is far and away the most interesting cyber development that’s come out of the Crimea conflict—it may be a glimpse of long suspected, but rarely observed, Russian state cyber capabilities. The reports do not convincingly attribute Snake/Uroboros to Moscow, although they do imply Russian state sponsorship through a comparison to Agent.BTZ, mention of Russian language signifiers in the malware, and targeting consistent with Russian state interests. Based on the reports, Snake/Uroboros does not operate like the China-based threat actors we frequently encounter in our clients’ networks. The report describes Snake’s specific methods of blending in with other network traffic and the persistence with which it’s able to remain on a victim network, two traits that suggest an advanced capability. Like many in the research community, we’re following the leads identified in the reports, comparing it with our data, and holding off on any preliminary judgments about sponsorship and sophistication until we know more about this newly revealed campaign.
Ukrainian Politicians’ Phones Blocked, Damage to Ukrainian Telecom Cables
Multiple news agencies reported last week that Russian troops disrupted telecommunication networks in Ukraine. Ukraine’s security chief told the BBC that Russian forces “installed equipment” at Ukrtelecom, a Ukrainian telecom firm in Crimea, which “blocks [the security chief’s] phone, as well as the phones of other deputies, regardless of their political affiliation.” Ukrainian parliamentary members have also reported disrupted mobile phone service. Ukrtelecom officials told Reuters that armed men had trespassed onto their Crimean facilities last week and damaged fiber optic cables. Russian officials denied troop involvement.
Analyst’s view: We chalked these developments up to normal preparation of the battle space – that is, not really exciting if you’re looking for demonstrations of Moscow’s cyber capabilities, or if you’re searching for signs of a “cyber war.” Were these actions successful in hindering the Ukrainian response? Most likely, yes. The disrupted communications effectively limited the Ukrainian government’s ability to take effective action, while also restricting their visibility and organizational capacity. Targeting the phones of Ukrainian parliamentary members stymied the government officials from mobilizing a response to Moscow’s actions in Crimea, communicating with foreign allies, and taking actions that would placate pro-Russian Ukrainians and undermine Moscow.
Ukrainians Join the (Cyber) Action: Website Defacements
Website defacements seem to be the front where Ukrainians are starting to take action in cyberspace. In an opening salvo on March 2, Russia Today, Russia’s state-run television station, reported that the English language version of its website was defaced and “Nazi” had been substituted for the word “Russian.” On March 7, news outlets reported that the website of the Russian government’s official newspaper was defaced and taken offline, allegedly by supporters of the Ukrainian uprising (“KiberSotnya” or “CyberHundred”). First, the actors defaced the site with a blue-and-yellow background (the colors of the Ukrainian flag) with a message reading “Pwned by CyberMaidan” (referring to the Ukrainian movement, “Maidan,” named after the square where protesters gathered). The website was then taken down and remained down for several hours. A Polish blog also identified some Russian defacements of Polish websites, which warned that Ukrainian Nazis had “come to power, and Poland is in danger.”
Analyst’s view: Defacements usually don’t take much technical sophistication to carry out and are frequently used by hacktivists to make a political statement; it’s standard fare. The methods used to take the Russian government website down post-defacement are not known. It is also possible the website was made unavailable while administrators fixed the defacement.
Russian victims, particularly state-owned or state-affiliated, may perceive this activity as grossly offensive given the import with which they treat official government sources of information. The Nazi-themed defacements on Russian websites were likely perceived as particularly unpleasant. In Georgia in 2008, Russian nationals defaced Georgian government websites and replaced President Saakashvili’s face with photos of Hitler.
The Nazi comparison extended to name calling when Russia publicly scolded Ukraine’s UN envoy for justifying Ukrainian Nazi collaborators at the Security Council session. The Nazi theme has figured prominently in the Russia-Ukraine conflict, with many Russian activists likening pro-Ukraine demonstrators to far-right Nazis and fascists. This tactic is an attempt to discredit the Ukrainian opposition and associate the activists with historically charged memories.
DDoS Attacks—So 2007
Many news outlets have reported distributed denial of service (DDoS) attacks occurring as part of the Russia/Ukraine standoff, but the details are often sparse or nonexistent. Sometime last week Ukraine’s National Security and Defense Council reportedly suffered a massive denial of service attack that overwhelmed its servers for hours. The Ukrainian state-run news agency Ukrinform also claimed to have fallen victim to an attack, but few details are known. On March 4, both the New York Times and Tech Times reported an escalation of DDoS attacks by Ukraine and Russia against each other’s websites, particularly news media websites. Lastly, a Russian patriotic hacker group claimed on its Facebook page that it had “attacked the websites” of pro-Ukraine government agencies and protest groups.
Analyst’s view: Denying access to websites, via DDoS attacks or other denial of service mechanisms, is a low-risk way of disrupting the information flow and silencing opponents. The world came to know politically motivated DDoS attacks in the 2007 incident in Estonia, where Russian patriotic hackers DDoS’d government sites and the Estonian banking sector—effectively taking highly connected Estonia offline for days. Unfortunately there are very few published technical details about the tools being used, which makes it difficult to characterize the nature of the activity further. While the targets and messages associated with this activity seem to coincide with Russian state objectives, we doubt Russian officials are actively sponsoring this activity. The DDoS attack against Estonia in 2007 was widely planned by Russian officials, and a loud, ham-handed attempt to make a public statement via a DDoS attack doesn’t quite fit with the Kremlin’s often more subtle messaging.
Purported Compromise of Russian Government Networks Reveals Indian-Russian Defense Deals
On March 8, an Indian newspaper reported that “anonymous international hackers” had exploited Russian government communications to reveal sensitive defense deals with the Indian government. The report stated that India’s “technical intelligence agencies” had detected an intrusion that revealed documents about the Indian government’s dealings with Moscow regarding the “purchase, overhaul and repair of front-line fighter aircraft like the Sukhoi-30 MKI and the MiG-29.”
It doesn’t surprise us that Russian government networks have quickly become a target for the hacktivists who are allegedly at work here. We would love to know more about what network was compromised and the tools used to perpetrate the compromise. This story hasn’t gotten a lot of mainstream media coverage, but if Moscow’s defense networks have been compromised, this would be huge news. Leaked government documents could prove embarrassing for the Kremlin and likely reveal unsavory information about the inner workings of the government and its partners.