Targeting Preferences from the RuNet

February 8, 2018


Numerous cyber-attacks were widely reported throughout 2017. These attacks, sometimes attributed to state-sponsored actors (also referred to as Advanced Persistent Threats [APTs]) or ordinary cyber-criminals, have been seen to hit a wide range of targets. While the APTs and successful attacks against big firms tend to be what is primarily reported on, the more garden variety of cyber-crime is often left untouched. Connectivity makes anyone a potential victim of cyber-crime; however, there is still a methodology behind choosing the target. This methodology will vary based on the type of actor, their motivations and the type of attack they are choosing to execute.

The tactics, techniques and procedures (TTPs) used by each actor, whether state-sponsored or lone wolf, will differ to meet their needs. These needs are driven by their motivations and the circumstances from which they are operating. Each actor will have their own methodology on how they choose their targets, dictated by a variety of circumstances. Due to the scale, Russia will act as the primary case study. This is due to the unique set of circumstances in which threat actors within the Russian community find themselves.

These circumstances will first be explored, contextualizing the world in which Russian cyber-actors find themselves. Looking to both APTs and the individual actors within the Russian cyber community, the interconnectedness between these two markedly different groups will be explored. Once this connection has been established, the focus will shift to discussing the methodology of targeting and the motivations behind these choices.

It needs to be noted that some of the sources used in this work are primary resources. Due to their nature and to protect the author’s access within these communities, these sources will be referred to as Underground Community 1, 2 and so on. The sourcing will, when possible, have been shared with the editors to maintain academic integrity.

Russian Cyber-Space

For malicious actors, Russia’s cyber realm (the RuNet) is a unique place in which to operate. It is an environment in which Russia’s many security services operate, each with their own visibility within the Internet, both at home and abroad.

This visibility is helped by the law signed in 2014 by President Vladimir Putin requiring foreign technology firms to store Russian client data on servers located within the territory of the Russian Federation.[1] While there are many foreign firms operating within Russia, this is a particularly important law that appears to specifically target social media firms, such as Facebook and Twitter. Already, LinkedIn has been blocked in Russia due to non-compliance, while other firms have either begun data migration or asked for additional time in order to study the feasibility of doing such a data transfer. Requiring local data storage for Russian clients benefits the government, as it allows them to break from being dependent upon foreign technology firms, requiring these companies to now invest in Russia, employing locals and providing more control over Russian data.

Visibility is further maintained due to legal requirements for local telecommunication companies to install the System for Operative Investigative Activities, or SORM, to allow for the surveillance of telephone and Internet communications. While in place in various iterations since 1995, the newest variant, SORM-3, was required to have been fully implemented by March 2015 and allows the Russian security services to track a great deal of online activity, including:

  • IP addresses;
  • Logins to email and instant messaging services;
  • Emails;
  • Phone numbers;
  • MAC addresses of the equipment;
  • User location;
  • Protocol code for application level data;
  • IP addresses for application data layer;
  • Ports for application data layer;
  • URLs for application data layer[2];

Access to all of this information, coupled with local data storage, gives Russia’s security services a rather complete picture of domestic Internet usage, making the tracking of targets of interest rather simple. There are some measures an individual can take to limit the accessibility of some of this information, but they are beyond the capabilities of the majority of Russians.

Enter the Russian hacker, who has all, or at least the majority, of this information accessible to the state. This means that should they do anything to break Russian law, the security services will be able to locate even a skilled hacker. However, the Russian hacker community, like the Internet space they operate within, is unique. There are only a handful of hacker forums in which this community gathers to discuss the latest developments in cyber-security and to sell malware, network access and a variety of other goods and services, including credit card numbers, addresses and other personally identifiable information (PII). However, the rules of many of these websites specifically state that activities must conform to the Criminal Code of the Russian Federation or other Commonwealth of Independent States (CIS) countries and Uzbekistan.

Furthermore, many forums also state that any malware or service offered on the forum cannot target the Russian-speaking world. Sellers often state that their products do not work there, explaining that part of the installation process is performing either a language check or country check on the device to determine its location. If pre-selected regions and their corresponding languages (Russia, Belarus, Ukraine, Kazakhstan) are found, the malware simply will not execute its functionality.[3] The fact that these communities avoid targeting Ukraine is a rather interesting element that would suggest there is a significant Ukrainian presence within the Russian-language forums. However, this element is only seen in the malware and services being offered on the forums, showing a significant differentiation between individual actors and the state.

These forums, while a haven for illicit activity by the Russian-speaking hacker community, are also a useful tool for the Russian government. Many, if not all, of the forums are believed to actually be run by the security services, or at least heavily monitored by them.[4] Being heavily involved within the communities greatly benefits the Russian government. First, it independently develops Russian capabilities within a confined set of rules that are in place to protect Russia from domestic cyber-criminals. This allows the government to approach the best within the communities, either to purchase the tools they develop, or to hire them as contractors.[5] If contacted by the security services to provide some form of service, there are, of course, several caveats that the individual would need to observe. Perhaps the most important is that they will do as instructed. There is very little wiggle room for a Russian hacker to say no if approached by the state, as the security services have evidence gathered through the forums of their illegal activity, even if they never hit targets in the Russian Federation.[6]

However, it is not unheard of for the authorities to arrest hackers. Ar3s (or Ар3с in Russian), the creator of the notorious Andromeda botnet and a high-profile member of the hacker community who was also a forum administrator in a top-tier community, was arrested in Belarus following a multinational takedown of the botnet. This arrest occurred on November 29, 2017, but the announcement was not made until December 4, 2017. These few days prompted a great deal of speculation within the Russian hacker community about where Ar3s was.[7] While the arrested individual was a Belarusian citizen, those within the community did not seem overly concerned about the fate of the hacker, as it was viewed as unlikely that he would be extradited from Belarus. Instead, much of the panic surrounding the arrest concerned what data was available to the authorities, given his role as a forum administrator, and would be shared by Belarus with foreign governments.[8] Ar3s represents a high-profile arrest within the Russian hacking community.

Second, and perhaps less tangible but still important, the state is able to claim that there are ‘patriotic hackers.’ The coercive nature of their recruitment ultimately becomes irrelevant, as these actors technically operate outside the security services and are doing their ‘patriotic duty’ for their country. This fits a long-standing element of how Russia operates, particularly given the challenges of attribution. Data exfiltration, while being potentially severely damaging to the target, can be considered by other states to be acceptable, as they would conduct similar operations as well. The line gets drawn when the damage transcends data exfiltration if the actor conducting the operation is officially with the state. This is where the ‘patriotic’ hacker is useful, as they are technically not a state actor, and their attack can be passed off as the actions of a patriotically minded individual, acting independently of the state.

This creates an interesting dynamic between the best of the criminal community and the government. One exists because the other allows them to, providing certain conditions are met, while the other is able to conduct operations where the term ‘patriotic hacker’ can be thrown around and not be entirely false. It is a dynamic driven by semi-forced cooperation between the state and the hacker community, where both elements benefit.

Targeting Preferences

Targeting in cyber is concurrently simple and complex, with both APTs and cyber-criminals having their preferred targets. On one hand, the APTs are state-sponsored and, as such, will focus their efforts on targeting that fits within the state’s tactical, operational or strategic objectives, pursuing a myriad of targets that are geared towards impacting the opponent, with prime targets being critical infrastructure. An example of this is the cyber-attacks against Ukraine’s power grid that occurred in 2015 and 2016. The complexity of the target’s systems and the security measures in place are not really considered a problem, as the state has provided them the time and resources to find solutions to these operational challenges.

On the other hand are the cyber-criminals. They are personally motivated, looking to reap financial rewards in the most efficient manner possible. They range from those who prefer to create and sell malware in various underground communities to those who would rather purchase these tools and utilize them. For example, a popular Android banking Trojan (a piece of malware that targets mobile banking applications by placing login overlays over the real application, providing the attacker with login credentials) dubbed Red Alert 2.0 has been for sale since May 2017 in an underground community, where it has received a great deal of praise for its functionality, constant updates and customer service. While such malware receives constant updates, the talent pool able to develop it is significantly smaller than the pool of those willing to spend their money to get tools to conduct their attacks.[9] The cyber-criminal will typically be less discriminating in whom they target, often going for the easiest method of targeting. This would involve conducting various forms of reconnaissance against wide swaths of the Internet in an effort to identify easily exploitable networks, in addition to conducting widespread phishing campaigns. This would allow them to then exfiltrate sensitive, yet lucrative data, deploy ransomware (malicious software which demands payment, typically in less traceable cryptocurrency, for the release of data held hostage through encryption) or conduct other malicious acts on the compromised system or network. The focus is more on targets of opportunity rather than planned campaigns.

This, of course, says nothing of the activity of what can be best described as cyber-gangs. These groups make use of sophisticated techniques in a similar fashion to APTs and primarily appear to be targeting banks, effectively pulling off cyber-heists. Cobalt is an example of one such group, which in their most recent attack targeted the Russian Central Bank. Utilizing longer attack timelines more commonly seen in APT attacks, the group changes its TTPs, which makes both detection and attribution difficult.[10] Cobalt and groups like them, however, represent a different side of Russian cyber-crime, in that they do not avoid targeting Russia. Instead, they often use Russia as their testing ground before expanding their attacks against other nations.[11]

APT Targeting

As stated before, APTs often hit targets that fit within the state’s national interest, looking to gain a strategic advantage in the larger conflict. Attacks on targets in the United States and Ukraine have widely been attributed to Russian APTs, carried out through a variety of means, but especially focusing on critical infrastructure. While critical infrastructure is widely understood to include things such as institutions and entities that a country requires to function, there has been some discussion amongst security professionals about whether social media should be included in this definition.[12] Should this be included in a definition, it would dramatically change the threshold for escalation in conflict. Furthermore, there is an important distinction between the use of social media and targeted attacks on critical infrastructure; social media is used as a means of influence and does not require systems to be compromised to achieve effect, instead relying on the believability of content being pushed, which would make the use of social media related more to psychological operations (PSYOPS) than to cyber-attacks. This is compared to the real compromise of networks, in which systems are taken down to limit the capabilities of the target nation, as well as to inject false inputs or exfiltrate data. As such, when discussing APT-specific targeting, the focus will remain on instances when networks have been compromised.

Ukraine is an obvious location for Russian state-sponsored actors to target. As they do not need to conform to the unofficial ban on targeting the Former Soviet Union (FSU), being protected by the state as such attacks are ordered, they have successfully struck Ukraine a number of times. These include the targeted attacks on the power grid in 2015 and 2016.[13] However, more recent attacks have been less discriminatory in their targeting, instead going for more widespread economic impact. Such examples include NotPetya and BadRabbit, which, while still hitting transportation, airports, seaports and government ministries, have also impacted more innocuous targets, including the ‘Rost’ grocery store in Kharkiv, Ukraine.[14] It must of course be noted that neither NotPetya nor BadRabbit has been officially attributed to Russian attackers, though the timing of the attacks, which coincided with dates near national holidays in Ukraine, coupled with the ongoing conflict, makes both attacks likely connected to Russia.

This suggests that Russian APTs have adapted their targeting preferences. Instead of simply picking a singular high value target and retaining a degree of predictability as occurred with the power grid attacks (note that at this time there has been no reported direct attack on Ukraine’s power grid in 2017), the threat actors have taken a more shotgun-style approach to their targeting. Now, any entity in Ukraine can be hit as the methodology for choosing targets has changed. While the intent may still be to impact critical infrastructure and government institutions, it has now become less apparent, with such institutions impacted alongside the more everyday services that civil society would use. It is indicative of evolving TTPs while still impacting targets that serve Russian interests, such as attempting to erode the public’s trust in the current Ukrainian government.

Criminal Targeting

While APTs have been evolving their targeting, Russian cyber-criminals have remained relatively similar in how they pick their targets. Of course, they evolve their attack methodologies as new vulnerabilities are exposed, making use of new tools to exploit these vulnerabilities. For example, CVE-2017-11882 (allowing an attacker to run code through a memory vulnerability in Microsoft Office), made public in mid-November 2017, was a popular topic of discussion across multiple Russian underground forums, where fully undetectable (FUD) versions of this exploit were also offered for sale.[15]

However, these threat actors act differently than APTs, often being motivated by the financial gains that are afforded to them. As such, their targets are often chosen based on how they can make the most money in as short a time as possible. These attacks do not fit the strategic goals of Russia, and as such we can see targets being hit around the world with little to no discernible pattern. Such attacks range from mundane ransomware attacks to collecting credit card information through a variety of methods such as point-of-sale malware (infecting point-of-sale systems that then pass the card information on to the attacker).[16]

Actors utilizing these methods often tend to be lone wolves, utilizing phishing campaigns to try to get as many infections as possible to quickly earn money. However, they are not like the more sophisticated groups such as Cobalt that often plan larger attacks against financial institutions and corporations rather than individual people. These attacks tend to take longer to execute, requiring infiltration into networks with stronger protections, and are usually single-objective operations. While the motivation appears the same, the methodology of their attacks, along with the singular focus on a target, allows for a higher payday.[17]


Vulnerabilities continue to be found in software. With each update meant to fix problems, new areas are inevitably focused on to find new vulnerabilities. Both APTs and ordinary criminals want to find such exploits and conduct operations to advance the interests of the state or make as much money as quickly as they can by making use of these vulnerabilities before they are discovered and largely patched. With Russian APTs working in the interests of the government, they will likely continue their attacks against their opponents to put Russia at an advantage. They share the same ecosystem with their more criminally-oriented counterparts, who, so long as they do not hit targets in the Russian-speaking world, can act with relative impunity. These criminals are able to aid the government when called upon, being put in a position where their criminal activity can place them behind bars. It affords the Russian security services a ready supply of people that are available for contract work, bringing in their experience to target a wide variety of entities and ability to approach problems in a different manner.

With varying skill levels amongst the criminal community, the pool the government can pull from is limited. However, the underground communities are not just marketplaces. There are numerous discussions occurring about the latest exploits, and an exchange of best practices utilized by the various actors. The best practices of those within the community are openly shared as experiences are passed around, leading to new ideas and malware. The RuNet is effectively leveraged by both the security services and the criminal elements to allow for the development of threats originating from Russia. This does not, however, mean the RuNet is more dangerous than any other Internet environment. It is merely a reflection of Russia where “nothing is true and everything is possible.”[18]