Inside Cyber Warfare Part 13

Even with a bulletproofed network, it's important to remember that while the Kremlin provides open and global Internet access to its citizens, it also collects and controls all of the data originating within its borders.

A recent interview with Anton Nosik, the editor-in-chief of the Russian news website BFM.ru, was published in the Russian online newspaper the New Times. In it, Nosik spoke of SORM-2 (System of Operation Research Measures), which copies every byte of Internet traffic coming from Russian households and businesses and sends it to the Federal Security Service (FSB) via a redundant array of inexpensive disks (RAID).

Nosik also pointed out that the Kremlin either owns the pipes (Rostelekom, Transtelekom, and Elektrotelekom) or controls the licenses of every communications channel in Russia. This degree of control may work against the Russian Federation if an international body determines that it could have acted to stop cyber attacks originating from within its borders but didn't.

The Kremlin and the Russian Internet.

One of the most difficult questions that the Project Grey Goose team faced in investigating the cyber war between Russian and Georgia was whether there was evidence of Russian government involvement. Our key finding in October 2008 was: We a.s.sess with high confidence that the Russian government will likely continue its practice of distancing itself from the Russian nationalistic hacker community thus gaining deniability while pa.s.sively supporting and enjoying the strategic benefits of their actions.

While forum members are quite open about their targets and methods, we were unable in this round of collection/a.n.a.lysis to find any references to state organizations guiding or directing attacks. There are several possible explanations as to why this is the case.

There was no external involvement or direction from State organizations.

Our collection efforts were not far-reaching or deep enough to identify these connections.

Involvement by State organizations was done in an entirely non-attributable way.

The situation has since changed. In February 2009, the Russian media reported a story that has provided new evidence pointing to how the Russian government sponsors and pays leaders of Russian youth organizations to engage in information operations, up to and including hacking, to silence or suppress opposition groups.

Nas.h.i.+.

Nas.h.i.+ (http://nas.h.i.+.su) is short for Molodezhnoye demokraticheskoye antifas.h.i.+stskoye dvizhenye "Nas.h.i.+" (translation, "Youth Democratic Anti-Fascist Movement 'Ours!'"). Its logo is shown in Figure 7-9. It was formed in 2005 to either counter the possibility of another youth revolt like the 2004 Orange Revolution in Ukraine or counter a growing interest in n.a.z.ism in Russia. Funding for the group purportedly comes from Russian business owners; however, there has been widespread speculation that it receives government funding as well, which has been strengthened in recent days by the Anna Bukovskaya story (related later in this section).

Figure 7-9. The Nas.h.i.+ logo One of the most important supporters of Nas.h.i.+ is Vladislav Surkov, the first deputy chief of the presidential staff and, more importantly, a man who has the ear of Russian Prime Minister Vladmir Putin.

Surkov intends to use Nas.h.i.+ to enforce the Kremlin's will regarding RUNET communications, i.e., "Ensure the domination of pro-Kremlin views on the Internet" (published by The New Times Online in Russian, February 16, 2009). That's easier said then done, particularly since that effort was tried and abandoned about 10 years ago by RUNET co-founder Anton Nosek.

Surkov has a new plan that involves the enlistment of Russian youth organizations, including Nas.h.i.+ and United Russia. He has organized a March 2009 conference with about 20 key people in the Russian blogging community, as well as leaders of the aforementioned youth organizations, some of whom include: Maksim Abrakhimov, the Voronezh commissar of the Nas.h.i.+ movement and blogger Mariya Drokova, Nas.h.i.+ commissar and recipient of the Order for Services to the Fatherland Second Cla.s.s medal for her "energetic" work in the area of youth policy Mariya Sergeyeva, leader of the United Russia youth wing Young Guard Samson Sholademi, popular Russian blogger Darya Mitina, former state duma deputy and Russian Communist Youth Union leader Other attendees included Russian spin doctors who specialize in controlling the messages communicated via the blogosphere. The objective was a straightforward Information Operation: The aim of the conference is to work out a strategy for information campaigns on the Internet. It is formulated like this: "To every challenge there should be a response, or better still, two responses simultaneously."

A source who is familiar with the process of preparations for the meeting explained: If the opposition launches an Internet publication, the Kremlin should respond by launching two projects.

If a user turns up on LiveJournal talking about protests in Vladivostok, 10 Kremlin spin doctors should access his blog and try to persuade the audience that everything that was written is lies.

Although this campaign concerns internal Russian politics, it demonstrates the IO model that the Kremlin uses across the board, including what happened in Georgia in August 2008 thanks to the influence of Vladislov Surkov. His strategies were captured in the book Chronicles of Information War (Yevropa publis.h.i.+ng house, Moscow, 2009), written by two Kremlin spin doctors, Maksim Zharov and Timofey Shevyakov. The following is from the book's introduction: Net wars have always been an internal peculiarity of the Internet-and were of no interest to anyone in real life. The five-day war showed that the Net is a front just like the traditional media, and a front that is much faster to respond and much larger in scale. August 2008 was the starting point of the virtual reality of conflicts and the moment of recognition of the need to wage war in the information field too.

Confirmation on the relations.h.i.+p between Nas.h.i.+ and the Kremlin came on April 10, 2009, when Nas.h.i.+ commissar Aleksandr Kuznetsov entered the nation of Georgia en route to Tbilisi to conduct an anti-government rally with 15 or 20 other Nas.h.i.+ members scheduled for April 16. Kuznetsov was arrested at the border, and during his interrogation he produced a letter from the Russian Duma's Committee on Youth Affairs, requesting Russian officials along the way from Moscow to Tskhinvali to a.s.sist the "Moscow-Tskhinvali-Tbilisi Motorcade" in its mission. Nas.h.i.+ founder Vasili Yakemenko currently heads that committee.

In Vladimir Socor's report of this event for the Eurasia Daily Monitor (April 17, 2009), he writes that Kuznetsov's statements provide corroboration for earlier reports that Nas.h.i.+ is funded by First Deputy Chief of Presidential Staff Vladislav Surkov.

The Kremlin Spy for Hire Program.

Anna Bukovskaya is a Nas.h.i.+ member and St. Petersburg activist who was paid by the Kremlin to spy on opposition political youth movements, according to an article in the Moscow Times (February 6, 2009): Anna Bukovskaya, a St. Petersburg activist with the pro-Kremlin Nas.h.i.+ youth group, said she coordinated a group of 30 young people who infiltrated branches of the banned National Bolshevik Party, Youth Yabloko and United Civil Front in Moscow, St. Petersburg, Voronezh and six other cities.

The agents informed Bukovskaya, who pa.s.sed the information to senior Nas.h.i.+ official Dmitry Golubyatnikov, who in turn contacted 'Surkov's people' in the Kremlin, Bukovskaya told the Moscow Times. Vladislav Surkov is President Dmitry Medvedev's first deputy chief of staff.

The agents provided information on planned and past events together with pictures and personal information on activists and leaders, including their contact numbers, Bukovskaya said by telephone from St. Petersburg.

They were paid 20,000 rubles ($550) per month, while she received 40,000 rubles per month, she said.

Bukovskaya provided more details during an interview on Russian Ren TV (February 4, 2009): [Bukovskaya] The project was to become more aggressive, i.e., videos and photos to compromise the opposition, data from their computers; and, as a separate track, the dispatch of provocateurs.

In other words, computer espionage was part of the services Nas.h.i.+ provided, which isn't surprising, since Konstantin Goloskov, one of the Russian hackers who acknowledged launching distributed denial of service (DDoS) attacks against Estonia, was a commissar in Nas.h.i.+.

In March 2008, Nas.h.i.+ hackers were accused of orchestrating a series of DDoS attacks against the Russian newspaper Kommersant. A Nas.h.i.+ spokesperson denied that the group was involved.

In October 2007, another Russian youth movement known as The Eurasian Movement of the Youth (ESM) launched a DDoS attack against the president of Ukraine's website, shutting it down for three days. Furthermore, both Nas.h.i.+ and the ESM partic.i.p.ated in protests against the Estonian emba.s.sy in Moscow in May 2007.

The blog Windows on Eurasia (May 31, 2007) points to evidence that the FSB guides and encourages youth hackers such as the ESM to act on behalf of Russian government interests. For example, in early 2007, the ESM (http://www.axisglobe.com/article.asp?article=1419) threatened to disable the website of the Ukrainian Security Service: ESM, the Russian radical youth organization that has been using sophisticated computer a.s.sets capable of disrupting a government computer network and eager to do so for political reasons, also vowed to disable the website of the Ukrainian Security Service (http://www.axisglobe.com/article.asp?article=444), SBU, in the near future, unless Yushchenko dismisses Valentyn Nalyvaychenko, SBU's pro-NATO chief.

Russian journalist Andrei Soldatov wrote about the relations.h.i.+p between the FSB and Russian hackers in an article for Novaya Gazeta (May 31, 2007), beginning with Russian students from the Tomsk region attacking the Chechen news website KavkazCenter.com in 2002. Following the attack, the regional FSB office in Tomsk issued a special press release that said, "[T]he actions of the students do not contradict Russian law but rather is an expression of political orientation and worthy of respect" (Google translation from the Russian).

Soldatov also refers to the National Anti-terrorism Committee (NAC), which was established in 2006 by Vladmir Putin and chaired by Nikolay Patrushev, the director of the FSB, as having an interest in utilizing members of the Russian hacker community when it was in its interest to do so.

Sergei Markov, Estonia, and Nas.h.i.+.

On March 3, 2009, Sergei Markov, a state duma deputy and member of the Unified Russia party, partic.i.p.ated in a panel discussion with Russian and US experts, including James Lewis of the Center for Strategic and International Studies, about information warfare in the 21st century. During that discussion, Markov stunned everyone present by announcing that it was his a.s.sistant who started the Estonia cyber attacks in 2007. The following quote comes from Radio Free Europe, which broke the story on March 6, 2009, on its website: "Markov, a political a.n.a.lyst who has long been one of Vladimir Putin's glibbest defenders, went on to explain that this a.s.sistant happened to be in 'one of the unrecognized republics' during the dispute with Estonia and had decided on his own that 'something bad had to be done to these fascists.' So he went ahead and launched a cyberwar.

"'Turns out it was purely a reaction from civil society,' Markov reportedly said, adding ominously, 'and, incidentally, such things will happen more and more.'"

Markov, a supporter of the Nas.h.i.+ youth movement, attended its second annual Innovation Forum on July 21, 2008-one day after the President of Georgia's website came under a DDoS attack and 19 days before Russia's invasion of Georgia.

A Three-Tier Model of Command and Control.

It's understandable to want to find a telltale piece of evidence that conclusively links the Kremlin with the actions of its hackers. However, it's important to realize that in the anonymous workings of the Internet, such a goal is not only naive, but it also doesn't accurately represent the relations.h.i.+ps that have been built over the years between Russian politicians and organized youth a.s.sociations.

The historical evidence presented in this chapter points to a three-tiered model (Figure 7-10) that establishes command and control by the Kremlin through Nas.h.i.+ and other groups whose members.h.i.+p includes hackers, resulting in an organized yet open call for unaffiliated hackers to join in. Russian organized crime provides a protected platform from which these attacks can then be planned and launched. And all of this occurs while providing a cover of plausible deniability to the state. It's actually quite an impressive accomplishment from a strategic point of view.

Figure 7-10. Three-tier model of command and control for RF nonstate hackers The infrastructure-which not only makes those attacks possible but provides the environment for Russian hackers to thrive-is developed and owned by Russian organized crime interests such as Rove Digital, McColo, Atrivo/Intercage, ESTDomains, and others. We'll further explore the longstanding relations.h.i.+p between the Kremlin and Russian organized crime in Chapter 8.

Chapter 8. Organized Crime in Cybers.p.a.ce.

Card: I need guarantees.

Card: what if you change the pa.s.s and don't give any info? I've been on the *** several years now. It's a resource for carders.

7: I know, I am on there, too.

7: if you take my info into account and work a little, you can get a lot more money.

Card: I see.

7: I just think it's a pretty dangerous thing-there are some big guys behind this money-they don't ask who you are and why you are doing this. They'll just break both your arms.

-English translation of ICQ discussion between two hackers negotiating a fee for stolen card data.

Whether you think the Russian mafia or the Chinese Triads are involved in cyber attacks really depends on how closely you align cyber crime with other forms of cyber conflict. As I stated earlier, I believe that no such distinction should exist. Cyber crime is perpetrated by an attack on a network, just as is done in acts of cyber espionage or computer network exploitation (CNE). The malware used to gain access to backend databases is the same. In many cases, the same hackers are involved in cyber crime and geopolitical attacks on foreign government websites, as is the case with one of the two hackers quoted above.

The hacker identified as "7" was also a member of the StopGeorgia.ru forum, albeit under a different alias, and directly partic.i.p.ated in attacks on Georgian government websites. 7 is also the one who inferred the involvement of the Russian mafia in underground cyber transactions such as the one from which that quote came (i.e., "...there are some big guys behind this money-they don't ask who you are and why you are doing this. They'll just break both your arms.").

a.s.sa.s.sination in the Russian Federation is a very real threat, and US intelligence agencies believe that elements of Russian organized crime have infiltrated the police force. That is why, the argument goes, so many a.s.sa.s.sinations remain unsolved.

US law enforcement and intelligence agencies have been investigating Russian organized crime since the 1990s. According to one of my contact's at one of the three-letter agencies, they were making some excellent progress in establis.h.i.+ng links between members of organized crime and Russia's political leaders.h.i.+p.

Once 9/11 happened, that research was halted, as everyone was transferred to counter-terrorism, which pretty much dominated things until 2007.

2007 was the year that the Russian Business Network (RBN) rose to prominence as a high-profit, low-risk criminal enterprise selling "bulletproof" services to anyone willing to pay its fee. Its business model of earning high profits with almost zero risk of being caught made the RBN the darling of the Russian underworld.

Then, in November 2007, the RBN seemed to vanish (Figure 8-1).

Figure 8-1. 06 NOV 07 drop in traffic at AS40989 One thing that organized crime has always s.h.i.+ed away from is the spotlight of media attention, and the RBN was getting a lot of it. One of the reporters responsible for penning story after story on their antics was Brian Krebs of the Was.h.i.+ngton Post. On October 13, 2007, three separate articles appeared on the Post's Security Fix blog, written by Krebs.

Krebs's first article appeared in the main section of the Post, where he described the role of the RBN as a criminal services provider, referring to at what the time were recently published reports from Internet security firms Verisign, Symantec, and SecureWorks.

In a follow-up article on the Security Fix blog, Krebs went into much more detail, naming the upstream providers that the RBN relied on to provide its Internet connectivity: Tiscali.uk, SBT Telecom, Aki Mon Telecom, and Nevacon LTD (Figure 8-2).

Figure 8-2. Map of companies providing network services to the RBN He also traced its history back to 2004, when it was known as "Too Coin Software" and "Value Dot," and then walked his readers forward to its present iteration: Nearly every major advancement in computer viruses or worms over the past two years has emanated from or sent stolen consumer data back to servers at RBN, including such notable pieces of malware as Gozi (http://www.secureworks.com/research/threats/gozi/?threat=gozi), Grab, Haxdoor (http://www.f-secure.com/v-descs/haxdoor.shtml), Metaphisher (http://research.sunbelt-software.com/threatdisplay.aspx?name=PWS-Banker&threatid=41413), Mpack (http://blog.was.h.i.+ngtonpost.com/securityfix/2007/06/the_mother_of_all_exploits_1.html), Ordergun (http://www.symantec.com/enterprise/security_response/weblog/2006/11/handling_todays_tough_security.html), Pinch (http://pandalabs.pandasecurity.com/archive/PINCH_2C00_-THE-TROJAN-CREATOR.aspx), Rustock, s.n.a.t.c.h, Torpig (http://www.sophos.com/virusinfo/a.n.a.lyses/trojtorpiga.html), and URsnif (http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=58752). The price for these malware products often includes software support, and usually some virus writers guarantee that the custom version created for the buyer will evade detection by anti-virus products for some period of time.

David Bizeul is a French security researcher who has written one of the best reports on the RBN to date (see Figure 8-3). He summed up its business focus quite succinctly: The RBN offers a complete infrastructure to achieve malicious activities. It is a cyber crime service provider. Whatever the activity is-phis.h.i.+ng, malware hosting, gambling, p.o.r.nography...the RBN will offer the convenient solution to fulfill it.

Figure 8-3. The RBN-a crime service provider In any attempt to understand the influence of Russian organized crime in the cyber threat domain, a key distinction must be made between organized crime in Russia and elsewhere.

In the United States, the FBI and other agencies focus on how criminals may be infiltrating or, at the very least, influencing government offices. In Russia, the government infiltrates organized crime and establishes a reciprocal business relations.h.i.+p. The government provides protection in exchange for favors. Favors may range from making money to using a gang to implement state interests.

Richard Palmer made a similar case in his testimony before the House Banking Committee (September 21, 1999), wherein he explained how Russia is governed by the rule of "understandings" rather than the rule of law. According to Palmer, who spent 11 years with the Directorate of Operations at CIA, businesses operating inside the Russian Federation quickly learn that when it comes to collecting on bad debts or enforcing contracts, it's faster and cheaper to engage Russian criminals than wait for the Russian court system to take care of it. Unfortunately, the flip side of that equation is also true: it's sometimes cheaper to have the person you owe money to killed than to repay a debt.

In the case of the RBN, once media attention became frequent enough, the FBI sent several officials to Moscow to meet with its counterparts in the Federal Security Service (FSB). The purpose of the meeting was to share information about the criminal activities of certain individuals a.s.sociated with the RBN and how the Kremlin might want to remove such a presence from the Russian Internet. The Russian security officers excused themselves, and when they returned approximately a half hour later, they informed the FBI officials that they must be mistaken, that no such domains existed on RuNet.

Back at the US emba.s.sy in Moscow, the FBI discovered that the more public domains formerly a.s.sociated with the RBN had been migrated to new IP addresses.

That's why it appeared that the RBN suddenly dropped from view. In reality it never went away; it just slipped back under the radar, away from any further media spotlight.

A Subtle Threat.

Tell Krebs nice job on Atrivo, but if he's thinking of doing McColo next, he's pus.h.i.+ng his luck.

Investigating the Russian mob is one thing, but when an investigation may hurt profits, that's another, much more dangerous matter entirely. Shortly after his September 2008 coverage of Atrivo, Krebs received the aforementioned anonymous threat.

Atrivo is an interesting case study for this book because it ill.u.s.trates one of the problems yet to be addressed in cyber conflicts. What happens when a country is being attacked by malware that sits on a server within its own borders?

Atrivo/Intercage.

Atrivo, also known as Intercage, was a Concord, CA-based company that specialized in providing networks for spammers and other bad actors to use, many of which were a.s.sociated with the Russian Business Network.

The RBN relied heavily on two networks hosted by Atrivo: UkrTeleGroup, which routed traffic through the Ukraine; and HostFresh, which routed traffic through Hong Kong and China.

A report by iDefense named Atrivo as having the highest concentration of malicious activity of any hosting company in the world.

Thanks to the concentrated efforts of independent researchers such as Jart Armin and James McQuaid, as well as Brian Krebs's reporting of their work, Atrivo was dropped by its upstream providers and was effectively put out of business on September 22, 2008.