by Doug Bernard – WASHINGTON—Even in these times of incessant cyber-attacks and Internet hacks, the news took many security analysts by surprise – and led to the doors of the Kremlin.
Late in October, computer networks at the White House were breached by an outside group, causing disruptions throughout the entire system. White House officials were quick to point out that the hacked systems did not contain classified information, and moved swiftly to plug the security holes.
Still, the White House computer systems are among the most highly fortified in the world. So who was behind the successful and brazen attack?
The White House blames hackers tied to Moscow. And, coming on the heels of other reports of alleged Russian cyber-attacks targeting the governments of Germany and Ukraine, among others, and military resources at NATO headquarters, the White House hack is raising alarm that one of the most serious threats to online security may not be coming from China, but from Russia.
“The Russians are a lot more sophisticated in terms of state-sponsored attacks than the Chinese,” says Darren Hayes, director of cyber-security at Pace University. “It’s of concern because often various traditional mechanisms used for stopping these types of attacks are rendered useless.”
Russian cyber moves
Russia was one of the first nations to move assertively into the digital sphere.
As far back as 1998, long before most nations even began thinking about cyber-security, the Kremlin directed “Directorate K,” a government agency, to begin operations to monitor and defend against hackers and spammers. In recent years, Directorate K has taken on a greater offensive role in the digital arena.
In what is widely considered the first nationally coordinated cyber-attack against another nation, Russian hackers in 2007 launched waves of massive cyber-attacks against Estonia, effectively crippling the nation. One year later, a similar operation targeting Georgia was launched from Russian ISPs.
“Russia is clearly testing NATO and the West,” Urmas Paet, Estonia’s Foreign Minister, warned at the time.
“And that was before Ukraine,” said Hayes, an expert on Russia’s cyber activities. “Here, we’re seeing the convergence of military aggression – as we’ve seen what’s happened the last few days in Sweden for example – with cyber-attacks. The cyber-attacks can be just as devastating as an actual kinetic attack. They’re having tremendous success.”
Analysts say Russia’s moves are getting far less notice than China’s cyber exploits.
“The threat from China is overinflated, (and) the threat from Russia is underestimated,” said Jeffrey Carr, who heads the web security firm Taia Global and is the author of the book Inside Cyber Warfare. “Russia certainly has been more active than any other country in terms of combining cyber-attacks, or cyber-operations, with physical operations,” he told VOA. “The Russia-Georgia war of 2008 was a perfect example of a combined kinetic and cyber operation. And nobody else has ever done that – China has never done anything like that.”
Kurt Baumgartner is the Principal Security Researcher at the web-security firm Kaspersky Lab, and has been tracking various major Russian-speaking malware threats, including “RedOctober,” “Epic Turla” and others. Two of the most recent threats, “Sandworm” and “Crouching Yeti,” have been linked back to Russia because of Russian language coding.
But Baumgartner said Kaspersky has not yet been able to definitively tie these attacks to sources in Russia.
“Cyber-espionage seems to be the name of the game,” he told VOA via email. “But, source attribution is practically impossible as cybercriminals have been known to use various techniques to keep themselves hidden (using different languages from their own in their code or work, constantly changing locations or working with a large organization of criminals).”
US eyes Russia
The cyber-threat posed by Russia may not be new, but it appears leaders in the U.S. intelligence and military communities see it as a growing problem.
Earlier this year, speaking before the House Permanent Select Committee on Intelligence, James Clapper, the U.S. Director of National Intelligence, spoke to what he sees as the unique threat that Russia poses in the digital world.
“Russia presents a range of challenges to U.S. cyber policy and network security,” Clapper told the committee. “Its Ministry of Defense is establishing its own cyber command, according to senior MOD officials, which will seek to perform many of the functions similar to those of the U.S. Cyber Command. Russian intelligence services continue to target U.S. and allied personnel with access to sensitive computer network information.”
Some months later, speaking at a conference in Austin, Texas, Clapper was more blunt.
“I worry a lot more about the Russians than China,” he said.
A DNI spokesperson told VOA via email that Clapper’s warning referred directly back to his cautionary statements made in public about Russian hacks.
Kaspersky’s Baumgartner points to what he calls a “learning effect” – that more advanced hackers tied back to Russia are apparently learning from each other, increasing the overall effectiveness of the attacks. However, he said that this learning effect does not definitively prove Moscow’s involvement.
“Functionality found in malware or techniques can be misleading,” he said via email. “It cannot be relied on to speculate that a specific campaign was operated out of one part of the world or another – analysis and identifying the source is much more complex than that.”
Russian officials have routinely denied any involvement in hacks that have been traced back to Russian ISPs. Several calls to the Russian embassy by VOA for comment were not returned.
And while many forensic analysts like Carr say that Russia’s capacity for cyber-attacks is technologically comparable to that of the U.S. or Israel – among the world’s most sophisticated hackers – finding definitive proof of Moscow’s involvement remains difficult.
“Viruses unfortunately don’t carry ID cards,” Kaspersky, the Russian security specialist and founder of Kaspersky Lab, told Der Spiegel. Kaspersky was referring to the now-standard practice used even by amateur hackers to spread malware or launch attacks through a series of ISPs in various countries, thwarting efforts to trace the attack back to the source.
Pace University’s Darren Hayes also notes that another tactic employed by Moscow has been to use non-governmental groups, such as the pro-Putin “Nashi” youth movement, to carry out cyber-attacks, giving the government plausible deniability for involvement.
“It’s been long known that the Russian government isn’t afraid to use young hacker groups, not only for monetary uses but also for attacks related to political issues,” said Hayes. “When you use these younger hacking groups that aren’t employed by, but are connected to, the Russian government, then it gives them a way to distance themselves from these attacks and not be noted as the perpetrator.”
Russia’s Internet control
There’s another trend that troubles some analysts: namely, what appears to be Russia’s expanding efforts to control the Internet within its borders and those companies doing business there.
Already, tech firms operating within Russia are required to comply with all requests about their products from the state Federal Security Service, known as the FSB. That can include providing sensitive information about the software design or registered users, or requests to insert new bits of code.
The Kremlin tightened restrictions this year on what bloggers can say and expanded search requests for user information. Several months later, another law required major foreign-owned services like Twitter and Facebook to register with the state Internet monitor Roskomnadzor as well as locate all servers handling and storing Russian data traffic within Russia’s borders.
Some analysts like Hayes see a parallel between what Russia is trying to accomplish with its cyber-strategy and its current broader, national goals on the world stage: namely, continuing efforts to probe Western defenses while destabilizing local neighbors.
“The effective counter-measures are more sanctions,” Hayes said. “These cyber-wars can be a lot more devastating financially and in terms of confidence than actual ground warfare sometimes. The U.S. needs to clearly define what cyber-warfare is, attribute it to various nations, and discuss repercussions for theft of intellectual property or money or just destructive attacks.”
Doug Bernard covers cyber-issues for VOA, focusing on Internet privacy, security and censorship circumvention. Previously he edited VOA’s “Digital Frontiers” blog, produced the “Daily Download” webcast and hosted “Talk to America”, for which he won the International Presenter of the Year award from the Association for International Broadcasting. He began his career at Michigan Public Radio, and has contributed to “The New York Times,” the “Christian Science Monitor,” SPIN and NPR, among others. You can follow him @dfrontiers.