Russian cyberwar advances military interests in Ukraine, report says

April 29, 2015, 10:45 AM UTC
APTOPIX Russia Victory Day
Russian troops march during the Victory Day Parade in Red Square in Moscow, Russia, Friday, May 9, 2014. Thousands of Russian troops marched on Red Square in the annual Victory Day parade in a proud display of the nation's military might amid escalating tensions over Ukraine. (AP Photo/Pavel Golovkin)
Photograph by Pavel Golovkin — AP

Cyberwar does not take place in vacuum. When a geopolitical showdown is underway, nation states have every incentive to advance their interests using digital means.

One of the latest examples? Russia hacking Ukrainian systems.

A report out of Arlington, Va.-based cyber security firm Lookingglass reveals a cyber campaign, allegedly Russian, waged against Ukrainian targets, such as the government, law enforcement, and military. The purpose of the state-sponsored espionage has apparently been to gather intelligence on its adversary, bolstering Russian war efforts.

The researchers dubbed the campaign “Operation Armageddon” after the nom de guerre of an author (according to file metadata) of the Microsoft Word documents used in the attacks. (Misspelled “Armagedon” in the “last saved by” field.) The attackers sent the documents to victims as attachments in targeted spear phishing emails.

“For the most part the technologies were not advanced,” says Jason Lewis, chief collection and intelligence office at Lookingglass. “It’s not super sophisticated, but it’s certainly persistent.”

The campaign has been active since the middle of 2013, according to the report. And it may have been catalyzed by trade talks between Ukraine and the European Union, which Russia condemned.

Lookingglass researchers worked with neither Ukraine nor Russia in its investigation, sourcing its materials rather from proprietary methods and through sites like VirusTotal, a public database where people can upload and scan files for known viruses. The firm’s researchers obtained 11 “lure” documents, files that serve to trick their recipients into clicking a malicious link or opening a malicious email attachment, that way.

Often, the researchers found, the hackers stole documents relevant to the outside conflict from victims’ machines, and then used those files to compromise future targets.

The crux of the report ties Russia’s kinetic tactics to its digital intrusions. When the researchers compared the timestamps on modified documents and malware to roughly 300 news events pertaining to Russo-Ukrainian relations, they noticed a correlation. When troops were preparing to move, cyber activity flared.

Once Ukraine’s interim President announced the start of an “anti-terrorist operation” against pro-Russian separatists in mid-April 2014, the conflict’s cyber activities significantly increased. From this point onwards, waves of cyber attacks from the Russians directly correlated with the timing of military events and were geared towards gathering intelligence to empower themselves on the physical battlefield – a digital method of espionage in its truest of forms.

A damning, though inconclusive, timeline of the attacks can be found in the report. (See page 5, available here.)

The Lookingglass researchers, convinced that Russia is the culprit, agree with the Security Service of Ukraine (SBU) that the Russian Federal Security Service (FSB, descendant of the KGB) is to blame. (SBU, too, has called out FSB as being responsible for recent phishing attacks.) “We’re highly confident that the claims the SBU made are accurate,” Lewis says. “We didn’t find any evidence to the contrary to dispute those claims.”

He admits, however: “A lot of it is circumstantial evidence—but this is a pattern that continues to occur throughout the campaign.” Lewis believes the timing of attacks and motivations are more than just a coincidence.

That nation states are using cyber attacks to achieve geopolitical ends should come as no surprise.

Last year, CrowdStrike associated Chinese cyber espionage campaigns with China’s movement into disputed territory in the South Pacific as well as with an ISIS-led takeover of an Iraqi oil refinery. The security firm FireEye (FEYE) found state actors using attack methods similar to those outlined above to target rebel forces during conflict in Syria. The security firm Cylance recently implicated Iran as having probed critical U.S. energy infrastructure, just prior to nuclear negotiations. And then, of course, there are the claims about Sony Pictures Entertainment and North Korea.

Espionage and cyber attacks can give countries that engage in the practice an upper hand in international affairs. “Nation states need to be able to asses how seriously people will take their threats and what they’ll do as result of a threat,” says Adam Meyers, vice president of intelligence at the security firm CrowdStrike, presenting a rationale for digital incursions. “It puts them in a better position to make a credible threat if they know what the response is going to be.”

(Although Meyers had not had time to assess the quality of the Lookingglass report’s attribution claims, he offered: “Russians are definitely known for making spelling errors for English words in their code.” He added, “spear phishing is certainly a favorite of nation state hackers.”)

Now that the report is public, Lewis hopes to exchange information with Ukrainian authorities next, he says. Though his team had earlier reached out to the Ukrainian computer emergency response team, known as CERT-UA, he says Lookingglass found it difficult to collaborate.

“Part of the problem is that the Russians are not interested in cooperating with anybody,” he says. “And in Ukraine finding a contact that’s trustworthy seems to be a challenge.”

“There are rumors of infiltration by Russian agents,” he clarifies, “so it’s hard to know if who you’re dealing with is actually Ukrainian.”

Indeed, recent reports suggest that Russian spies have penetrated deep inside Ukraine’s intelligence apparatus.

When Fortune spoke with Lewis on Tuesday afternoon, he had no updates as yet on the operation, which remains ongoing (although he did mention that his team has discovered more “lure” documents since releasing the report). He expects the attackers will change their tactics soon.

“There may be parts we haven’t uncovered yet,” Lewis says. “We hope by releasing indicators, other people can have a look.”

Read More

Artificial IntelligenceCryptocurrencyMetaverseCybersecurityTech Forward