By Bill Gertz
Cyber warfare and secret cyber intelligence-gathering operations by Russia pose a major threat to America, yet Moscow has managed to keep its activities largely secret while President Obama and his administration have failed to highlight the danger.
By contrast, two decades of aggressive Chinese military and intelligence cyber attacks, which have caused serious damage to American security through the theft of government and private-industry secrets, have received much more attention in both government and the private sector.
Less information has been made public about the nature and scope of Russian cyber activities, and the Obama administration has sought to avoid highlighting the threat over concerns doing so would upset its diplomacy-oriented national security strategy. The reliance on diplomatic solutions continues despite a major increase in threatening Russian activities, both cyber and conventional, including military aggression in Europe.
Moscow’s primary cyber war and spying agency is the Federal Security Service, known as the FSB, which most closely resembles its Soviet predecessor, the KGB. The SVR foreign intelligence service and the GRU military intelligence service are the other two main actors behind aggressive covert and clandestine cyber warfare activities and intelligence gathering.
“The Russians are so good we don’t usually see them,” said James Lewis, a cyber expert at the Center for Strategic and International Studies.
Lewis noted that some of the Russian criminal groups are so good at cyber theft they tend to have more advanced capabilities than most governments.
“The FSB hackers do classic political military espionage, and it’s a tribute to their success that they got into State, DoD and White House networks last year,” Lewis said. “The frightening thing about those incidents is that it may have been practice events for new teams. They really are [our] peers in cyberspace.”
Obama and senior administration officials have made few references to Russian cyber activities that have included attacks on unclassified White House networks, and that were blamed for penetrations of the email system of the Pentagon’s Joint Staff last year, forcing the shutdown of all Joint Staff email for weeks.
Russian hackers also targeted the private email server of former Secretary of State Hillary Clinton. Emails released by the State Department in September included four fake emails identified as Russian-origin hacking attempts that were made against Clinton at her non-State Department email address. The phishing attempts involved fraudulent notices claiming to be from a police department that requested payment for traffic violations. The email instructed Clinton to download a file that analysts say contained malware that would allow remote access to her server.
Russian cyber activities are focused mainly on intelligence gathering and military reconnaissance of critical infrastructure networks as advance work for a future conflict, or what the military calls “preparation of the battle space.”
Director of National Intelligence James Clapper told Congress in 2015 that Russia had surpassed China as the premier cyber threat, although he declined to say why. “While I can’t go into detail here, the Russian cyber threat is more severe than we had previously assessed,” he said.
Clapper’s assessment was based on intelligence gathered by the NSA over the past two years. That intelligence indicated breakthroughs in advanced Russian cyber capabilities that are very difficult to trace and that combine the capabilities of sophisticated Russian intelligence services with those of advanced Russian hackers in the private sector.
Russia inherited advanced cyber capabilities from the high-technology base left over from the Soviet Union. Under revanchist leader Vladimir Putin, a former KGB officer, cyber operations are being given greater prominence in Russian military and strategic doctrine as part of a strategy that seeks to carry out non-kinetic information warfare operations against the West. These operations are designed to remain below the threshold that could trigger a hot war.
Security researchers about 18 months ago found a surprising amount of prepositioned malware inside U.S. industrial control networks that was linked to Russian hackers. “As in real life, the Russians like to use puppets or cut-outs in their state activities,” one researcher said.
Other cyber attacks by Russians have been documented throughout Europe, in Georgia, Estonia, Lithuania, Sweden, and Finland.
Earlier this month, Hans-Georg Maassen, head of Germany’s BfV domestic intelligence agency, blamed Russian hackers for strikes on the German parliament, NATO members, and French television. “The campaigns being monitored by the BfV are generally about obtaining information, that is, spying,” he said. “However, Russian secret services have also shown a readiness to carry out sabotage.”
Still, no Russian cyber attacks on the scale of the high-profile Chinese ones have been made public. Beijing’s military cyber warriors were blamed for the theft of 80 million health care records from Anthem last year. China was also linked to the compromise of Office of Personnel Management records for 22 million federal workers.
Russia has used cyber attacks in its military campaign in support of the Syrian government, providing U.S. intelligence agencies with an initial look at how the Russian military will integrate cyber operations into its forces.
The Syrian cyber attacks included the use of hackers, likely from the Russian government, to target Syrian opposition websites. In one case, the Russians used malware to erase data and provide false information to non-governmental organizations.
Perhaps the most significant Russian cyber operation took place in December when a sophisticated attack was carried out against three Ukrainian power companies, shutting down power in major portions of the country. Reports varied, but the attack turned out the lights for around 300,000 to 700,000 people.
Russia has been waging both covert paramilitary operations and information warfare against the country since Moscow seized the Crimean Peninsula in March 2014.
The electric grid shutdown has been called the first known cyber attack against an element of a state’s critical infrastructure, moving such a threat from the theoretical to the real.
The Ukrainian security service announced that the attack had been traced to an obvious source: Russia.
The link to the Russians was based on detection of malicious software called BlackEnergy3 that was designed to attack industrial control systems. Evidence of the malware was said to be present on the compromised Ukrainian industrial control systems. The software has been linked to Russia and likely to the Russian government. In addition, a coordinated campaign of telephone calls flooding the help desks of the power companies was designed to distract system administrators from quickly restoring power.
Despite the clear links to Moscow, the Department of Homeland Security stated in a recent update to a security notice from its Industrial Control Systems-Cyber Emergency Response Team that “we cannot confirm a causal link between the power outage with the presence of the [BlackEnergy3] malware.”
The refusal to confirm a Russian link to the attack appears to be the latest example of the Obama administration’s unwillingness to blame foreign governments, in this case Russia, for cyber attacks. The administration similarly refused to place blame on China for the OPM hack.
In the case of the North Korean hack targeting Sony Pictures Entertainment, the administration initially sought to avoid blaming Pyongyang but was forced to relent and name the North Korean Reconnaissance General Bureau after the NSA penetrated North Korean hacker networks to confirm the attack.
The administration’s feckless approach to cyber attacks stems from its over-reliance on diplomacy as a national security tool. The State Department has promoted the idea of an agreement that would establish norms of behavior in cyberspace, such as not attacking infrastructure. The diplomatic approach is similar to a Russian and Chinese idea to broker an international non-aggression pact in cyberspace at the United Nations. Intelligence agencies in the United States have warned that China and Russia are using the non-aggression pact as part of a strategic deception campaign aimed at limiting U.S. cyber power with an agreement that neither state would follow.
A White House National Security Council spokesman had no immediate comment when asked about the lack of high-level American response to Russian hacking.
Russia has reorganized its military to facilitate cyber attacks, creating a cyber command within the Defense Ministry that will conduct cyber attacks as well as information operations like propaganda and injecting malware into enemy command and control networks. The Russian military also has a specialized unit for computer network attacks.
Clapper revealed in little-noticed written testimony that Russian hackers compromised supply chains used by unidentified U.S. critical infrastructure operators. The Russian operation caused customers involved in industrial control system networks to download malicious software “designed to facilitate exploitation directly from the vendors’ websites along with legitimate software updates,” Clapper said.
Clapper identified Russia in March as one of the leading nation-state cyber threats. “Russia is assuming a more assertive cyber posture based on its willingness to target critical infrastructure systems and conduct espionage operations even when detected and under increased public scrutiny,” he said.
“Russian cyber operations are likely to target U.S. interests to support several strategic objectives: intelligence gathering to support Russian decision making in the Ukraine and Syrian crises; influence operations to support military and political objectives; and continuing preparation of the cyber environment for future contingencies.”
This last goal is the reconnaissance function that has been detected in a number of U.S. critical infrastructure networks, raising alarms in the Pentagon.
Two U.S. military commanders, Adm. William E. Gortney, head of Northern Command, and Adm. Harry Harris, head of Pacific Command, wrote a letter to Defense Secretary Ash Carter in February warning about the threat to industrial control systems from malware, including the Russian-linked BlackEnergy.
“Many nefarious cyber payloads … and emerging ones have the potential to debilitate our [military] installations’ mission-critical infrastructure,” they wrote.
Adm. Mike Rogers, commander of the Cyber Command and director of the National Security Agency, limited his comments in March on the Russian cyber threat to two sentences.
“Russia has very capable cyber operators who can and do work with speed, precision, and stealth,” Rogers testified to a Senate hearing. He noted an “overlap” between some of the world’s most sophisticated cyber criminals and Russian government hackers. The linkage “is of concern because Russian actions have posed challenges to the international order,” he added.
The problem with the administration’s policy of downplaying the Russian cyber threat is that the danger is increasing. Without greater public exposure, urgently needed steps to counter the threat will not be taken, either by the White House or Congress.
May 23, 2016