ArchiveOODA Original

Sophisticated Cyber Espionage Exploits Russia and No One Says a Word

In mid-May 2021, Russia’s Federal Security Service (FSB)’s National Coordination Center for Computer Incidentspublished a joint report with Rostelecom-Solar, the cybersecurity arm of Russian telecom company Rostelecom, about a 2020 cyber espionage campaign that targeted Russian government agencies.  The publicly-available portion of the report disclosed stealthy cyber operations that targeted key individuals associated with “the federal executive branch (FOI) of the Russian Federation.”  Although details of the operation have been kept close hold, the report did cite that the main intent of the campaign was to completely compromise IT infrastructure for the purposes of stealing sensitive information to include “documentation from closed segments and email correspondence.” Of particular interest, the report cited the attackers’ knowledge of Russian antivirus firm Kaspersky Lab’s software as being helpful in collecting information about the network, though the company was  not aware of any vulnerabilities in its products that facilitated any compromise.

The report has garnered little attention, surprising given the obvious acknowledgement by the FSB that a suspected nation-state adversary successfully breached and stole data from federal executive bodies.  Per the report, the attack was unprecedented with the operators demonstrating advanced capabilities (speed and quality of their work), likely conducting detailed planning and surveillance before executing attacks that leveraged spearpshishing, exploiting vulnerabilities in web applications, and gaining access into the IT infrastructure of government contractors (e.g., mail servers, files servers, workstations), as attack vectors.  Notably, the attackers used cloud storage of two Russian technology firms – Yandex and Mail.ru – to help exfiltrate data.  The publicly-accessible parts of the report did not implicate any particular government, preferring to refer to the attackers as “cyber mercenaries pursuing the interests of a foreign state.”

The never-seen-in-the-wild-before malware and surreptitious nature of the breach certainly has all the characteristics of a state-driven effort, a hypothesis bolstered by the targets of the campaign, and the fact that it was an espionage effort against senior officials to steal sensitive data.  Once inside, the attackers executed actions consistent with other advanced persistent threat (APT) operations believed to be orchestrated by state actors: escalating privileges to maximize access and control and concealing their activities via the use of legitimate utilities within the systems, as maintaining persistent access of an exploited target is the hallmark of state espionage.  It would appear, and rightly so, that Russia experienced its own taste of state cyber malfeasance.

The release of the FSB-Solar report comes in between two major cyber incidents – namely, SolarWinds and Colonial Pipeline – believed to have been either conducted or condoned by Moscow.  Such severe attacks have routinely elicited condemnation from the U.S. government, with promises to hold perpetrating states responsible.  The latest incident against JBS USA is no different, with the White House reaching out directly to Moscow about its approach to Russian cyber criminals.  Moscow has long been considered one of the more aggressive players in cyberspace, suspected of engaging in everything from disruptive attacks to influence operations to election meddling.  The type of cyber espionage it suffered is almost a fitting retribution and a clear reminder that Russia can be breached, exploited, and embarrassed.

And that’s why this report raises both eyebrows and questions.  What prompted Moscow to allow the publishing of findings that expose Russia’s agencies as vulnerable and susceptible to savvy attackers as any other state?  Such a move might seem contrary to Russia’s self-promotion, and only threatens to reduce its vaunted “omnipotence” in the eyes of its adversaries, as well as its minions.  Perhaps more importantly, why has the report received little international attention? One would think that the big bad cyber actor receiving its comeuppance would have garnered more press, particularly from its numerous victims and especially from the United States media.  However, this has not been the case.  And while a Google search reveals several links about the story, much of it is rehashed and circular.

It can be argued that this report is a signal to the perpetrating state that its activities had been detected by Moscow.  However, most state cyber powers can likely uncover an attack at some point, and detection post-offense seems more consolatory than laudatory.  In many respects, this FSB-Solar report is reminiscent of one of the many cyber security vendors reporting on APTs, describing tactics, techniques, and procedures, and in this case, intimating attribution.  When looking at the timing of the report, its release a month after the U.S. government officially identified Moscow as the SolarWinds offender fits into this line of thinking.  But if valid, that speculation seems to be a bark lacking any conviction.  Moscow has yet to resort to using vendors or its telecoms as vehicles to level attribution, largely because it never needed to.  And its doubtful it does that here, especially since neither the report, nor official Kremlin statements, specifically accuse a state or cite state responsibility.

Could this then be Moscow’s attempt at simply unofficially responding to SolarWinds sanctions?  While plausible, Moscow does not have a track record of publicly “complaining” about cyber attacks generated against it by hostile foreign interests.  This would suggest that either Russia has never been targeted by state cyber espionage activities (doubtful), or that Moscow has kept it quiet and responded in manners and venues of its choosing (more likely).  Moreover, the lack of any substantial U.S. press coverage would make such a signal practically imperceptible.  If the SolarWinds hack was a clarion call; this report has is a weak whistle at best.  If meant to signal, such a move by Moscow would be one without an expected, or at least, intended result, which doesn’t seem to fit within the rubric of Russian strategic thinking.

In chess, Russian experts have historically dominated.  The end-game was always clear to the grandmasters even if their tactical movements seemed to befuddle their opponents.  Therefore, the publishing of this report is left up to tactical interpretation; is it an enticement designed to trap the opponent in a further exploitation attempt or a warning to deter him from further action?

The cyber powers-that-be continue to push and test the boundaries of what is done in cyberspace and how it’s done.  These states have benefitted from this glaring lack of clarity, which has unfortunately also impeded their abilities to understand attacks directed against them, and the intentions of the governments behind them.  Whether too complex or utterly mundane, what’s trying to be communicated with this report is not succeeding largely because misinterpretation and misunderstanding continues to be a hallmark of state cyber statecraft.  The most brilliant of plays go nowhere if they aren’t executed correctly.  Any chess player with their salt will tell you that.

Related Reading:

Cybersecurity Sensemaking: Strategic intelligence to inform your decisionmaking

The OODA leadership and analysts have decades of experience in understanding and mitigating cybersecurity threats and apply this real world practitioner knowledge in our research and reporting. This page on the site is a repository of the best of our actionable research as well as a news stream of our daily reporting on cybersecurity threats and mitigation measures. See: OODA Cybersecurity Sensemaking

From Solar Sunrise to Solar Winds: The Questionable Value of Two Decades of Cybersecurity Advice

While the Ware Report of 1970 codified the foundations of the computer security discipline, it was the President’s Commission on Critical Infrastructure Protection report of 1997 that expanded those requirements into recommendations for both discrete entities as well as the nascent communities that were growing in and around the Internet. Subsequent events that were the result of ignoring that advice in turn led to the creation of more reports, assessments, and studies that reiterate what was said before. If everyone agrees on what we should do, why do we seem incapable of doing it? Alternately, if we are doing what we have been told to do, and have not reduced the risks we face, are we asking people to do the wrong things?  See: From Solar Sunrise to Solar Winds: The Questionable Value of Two Decades of Cybersecurity Advice

If SolarWinds Is a Wake-Up Call, Who’s Really Listening?

As the U.S. government parses through the Solar Winds software supply chain breach, many questions still remain as to the motive, the entities targeted, and length of time suspected nation state attackers remained intrenched unseen by the victims.  The attack stands at the apex of similar breaches in not only the breadth of organizations compromised (~18,000), but how the attack was executed. See: If SolarWinds Is a Wake-Up Call, Who’s Really Listening?

Executive Level Action In Response to Ongoing Massive Attacks Leveraging Microsoft Vulnerabilities

This post provides executive level context and some recommendations regarding a large attack exploiting Microsoft Exchange, a system many enterprises use for mail, contact management, calendar/scheduling and some basic identity management functions. This attack is so large and damaging it is almost pushing the recent Solar Winds attacks off the headlines. Keep in mind that till this point, the Solar Winds attack was being called the biggest hack in history. So this is a signal that the damage from this one will also be huge. See: Executive Level Action In Response to Ongoing Massive Attacks Leveraging Microsoft Vulnerabilities

Emilio Iasiello

Emilio Iasiello

Emilio Iasiello has nearly 20 years’ experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as the private sector. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in such peer-reviewed journals as Parameters, Journal of Strategic Security, the Georgetown Journal of International Affairs, and the Cyber Defense Review, among others. All comments and opinions expressed are solely his own.