Thu, Jul 15, 2021

A US-UK hacking probe offers a fresh approach against Russia

New Atlanticist by Justin Sherman

Topics: Cybersecurity, Intelligence, Rule of Law, Russia, Security & Defense, United Kingdom, United States and Canada

The logo of the GRU, Russia's Main Intelligence Directorate, is reflected in an eye in this picture illustration taken on October 4, 2018. Photo by Dado Ruvic/Reuters Illustration

As headlines pile up by the day about cyber hacks coming from within Russia, a recent United States-United Kingdom collaboration calling out wide-ranging Russian military hacking efforts might have been easy to miss. But it’s worth taking a closer look at a bold step by the transatlantic allies that will shape the future of global cyber diplomacy and defense. 

On July 1, the US National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency, and Federal Bureau of Investigation, along with the United Kingdom’s National Cyber Security Centre, issued a joint cybersecurity advisory on the Russian military intelligence agency, the GRU, hacking cloud environments worldwide.

The statement detailed how the GRU used a Kubernetes cluster (Kubernetes is an open-source container orchestration platform originally developed by Google) “to conduct widespread, distributed, and anonymized brute force access attempts against hundreds of government and private-sector targets worldwide.” As expected, the Russian embassy in Washington denied that Russian government agencies had engaged in such attacks against US agencies and private businesses.

The advisory is noteworthy for several reasons. First, it is an example of international collaboration to publicly name the tactics, techniques, and procedures (TTPs) used in a foreign government’s cyber operations. Second, this public attribution arrives amid much discussion of Russian cyber activity and is likely to complicate the US dialogue with Moscow that aims to shape that activity. Third, it underscores the importance of the United States being carefully narrow about scoping its cyberspace “red lines” in talks with the Russian government.

Hundreds of targets

It was a detailed report: The agencies said the GRU directs a “significant amount” of its brute-force access activity (essentially, automatically guessing many passwords in a row, spread across many source addresses so that no single one trips a lockout) at organizations using Microsoft Office 365 cloud services, in addition to other service providers and on-premises email servers. The GRU has targeted hundreds of US and foreign organizations worldwide with these activities, the report said, naming at least nine types of entities among them: government and military organizations, political consultants and party organizations, defense contractors, energy companies, logistics companies, think tanks, higher education institutions, law firms, and media companies.

The document named specific TTPs used to identify those behind the campaign, covering everything from reconnaissance to code patterns to a command-and-control setup used by the GRU in these hacks.

“This brute force capability allows the 85th GTsSS [the Russian cyber unit also known as Fancy Bear] actors to access protected data, including email, and identify valid account credentials. Those credentials may then be used for a variety of purposes, including initial access, persistence, privilege escalation, and defense evasion,” the agencies wrote. “After gaining remote access, many well-known TTPs are combined to move laterally, evade defenses, and collect additional information within target networks.”
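The brute-force activity described above is hard to catch with a per-IP lockout alone, because the guessing is spread across many source addresses. As an added illustration (not code from the advisory, the agencies, or this article), the following Python runs a simple detector over constructed sign-in records. It assumes a simplified log format of `<ISO timestamp> <user> <source ip> <FAIL|SUCCESS>`; the sample records, the 15-minute window, and the thresholds are all assumptions chosen for the example.

```python
"""Spot distributed brute-force and password-spray patterns in sign-in logs.

Added example; it is not code from the NSA/CISA/FBI/NCSC advisory. The log
format is a constructed, simplified one (assumption):
    <ISO timestamp> <user> <source ip> <FAIL|SUCCESS>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# --- Constructed sample records (not real data) -----------------------------
_lines = []
# Low-and-slow guessing against one account spread over six source IPs, two
# failures each: every IP stays under a typical per-IP lockout threshold.
for i, ip in enumerate(f"198.51.100.{n}" for n in range(11, 17)):
    for j in range(2):
        _lines.append(f"2021-07-01T08:{i:02d}:{10 + j:02d} svc-admin {ip} FAIL")
# ... followed by a successful login from a seventh IP.
_lines.append("2021-07-01T08:09:30 svc-admin 198.51.100.17 SUCCESS")
# Password spray: one IP tries one guess against each of twelve users.
for n in range(12):
    _lines.append(f"2021-07-01T08:03:{n:02d} user{n:02d} 203.0.113.7 FAIL")
# Benign noise: a user mistypes twice from one IP and then succeeds.
_lines += [
    "2021-07-01T08:05:00 alice 10.0.0.5 FAIL",
    "2021-07-01T08:05:20 alice 10.0.0.5 FAIL",
    "2021-07-01T08:05:40 alice 10.0.0.5 SUCCESS",
]
SAMPLE_LOG = "\n".join(_lines)

_EPOCH = datetime(1970, 1, 1)


def parse_log(text):
    """Parse log lines into (timestamp, user, ip, result) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        ts, user, ip, result = parts
        events.append((datetime.fromisoformat(ts), user, ip, result))
    events.sort(key=lambda e: e[0])
    return events


def detect(events, window=timedelta(minutes=15), per_ip_lockout=5,
           user_fail_threshold=8, min_distinct_ips=4, spray_user_threshold=10):
    """Bucket events into fixed windows and flag three patterns.

    distributed_bruteforce: one account, many failures from many IPs, with no
        single IP reaching the per-IP lockout count (what per-IP lockout misses).
    password_spray: one IP failing against many distinct accounts.
    suspicious_success: a SUCCESS for a flagged account after its failures began.
    Thresholds are assumptions for the example, not values from the advisory.
    """
    findings = {"distributed_bruteforce": [], "password_spray": [],
                "suspicious_success": []}
    buckets = defaultdict(list)
    for ev in events:
        buckets[(ev[0] - _EPOCH) // window].append(ev)  # fixed window index

    for _, evs in sorted(buckets.items()):
        fails = defaultdict(lambda: defaultdict(int))  # user -> ip -> failures
        users_by_ip = defaultdict(set)                 # ip -> users it failed on
        first_fail, successes = {}, []
        for ts, user, ip, result in evs:
            if result == "FAIL":
                fails[user][ip] += 1
                users_by_ip[ip].add(user)
                first_fail.setdefault(user, ts)
            elif result == "SUCCESS":
                successes.append((ts, user, ip))

        flagged = set()
        for user, by_ip in fails.items():
            total = sum(by_ip.values())
            if (total >= user_fail_threshold and len(by_ip) >= min_distinct_ips
                    and max(by_ip.values()) < per_ip_lockout):
                flagged.add(user)
                findings["distributed_bruteforce"].append(
                    {"user": user, "failures": total, "distinct_ips": len(by_ip)})
        for ip, users in users_by_ip.items():
            if len(users) >= spray_user_threshold:
                findings["password_spray"].append(
                    {"ip": ip, "distinct_users": len(users)})
        for ts, user, ip in successes:
            if user in flagged and ts > first_fail[user]:
                findings["suspicious_success"].append(
                    {"user": user, "ip": ip, "at": ts.isoformat()})
    return findings


def analyze(text=SAMPLE_LOG):
    """Run the detector over a log text (defaults to the constructed sample)."""
    return detect(parse_log(text))


if __name__ == "__main__":
    for kind, hits in analyze().items():
        print(kind, hits)
```

On the sample, the `svc-admin` account is flagged even though no single source address exceeds the assumed lockout count, the spraying address is flagged for touching twelve accounts, and the later success for `svc-admin` from a seventh address is reported as a candidate compromise; `alice`'s two mistypes from one address are not flagged. In production the same aggregation would run over the identity provider's sign-in audit logs, and the account-level view is what makes the distributed pattern visible.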

Displaying political will

First and foremost, the document is important as the product of international collaboration between multiple US intelligence and cybersecurity-focused agencies and the UK’s National Cyber Security Centre to protect against adversary cyber activity. Issuing such an advisory also publicly indicates to allies and partners, as well as the Russian government, that the countries’ intelligence organizations are cooperating on this issue set.

It details techniques used in an apparently ongoing campaign (which Rob Joyce, the NSA’s cybersecurity director, said is “on a global scale”), and provides multiple detection and mitigation options for organizations to better defend against these hacks. This information is essential given the apparent scope of the campaign.

Publicly attributing a widespread hacking campaign to a foreign state organization is, in many ways, a political decision. Calling out a government for cyber activity can affect the bilateral relationship and raises numerous questions about what kind of activity is called out and why; thus, electing to do so here indicates some degree of political will in the United States and the UK to publicly attribute these hacks to Russia.

The Kremlin likes to push the line that attributing cyber activity is nearly impossible—which fits into the high premium Moscow places on operational deniability. The advisory demonstrates how it can be done.

Complicating diplomacy

Second, such a public attribution will likely complicate diplomacy and cyber dialogues with Moscow. Cybersecurity was on the agenda at the Geneva meeting between President Joe Biden and Russian President Vladimir Putin on June 16, on the heels of a ransomware attack launched by cybercrime groups in Russia against Colonial Pipeline, the United States’ largest refined oil pipeline, as well as the large meat-processing company JBS. Biden said Russia bears some responsibility for cybercrimes committed from Russian soil.

But the Kremlin, as recently highlighted by a former Russia-based hacker, frequently looks the other way on operations conducted by non-state actors as long as such activities don’t target actors in Russia or undermine the regime’s objectives. For other activities conducted by non-state cyber groups, the state may have a range of involvement, from outright support to covert recruitment.

Out of the Geneva meeting, Putin and Biden agreed to have future, lower-level cybersecurity talks. Since then, Biden has spoken by phone with Putin about cracking down on criminal cyber activity within Russia, after yet another ransomware attack from a criminal group, indicating that Washington may retaliate against Moscow. On Tuesday, the site for the Russia-based hacking group REvil disappeared, though it’s unclear whether responsibility lies with the United States, Russia, the ransomware group itself, or another factor entirely.

Now, after a public attribution of the ongoing Russian state cyber campaign, it is highly likely the Kremlin will accuse the United States of merely calling out Russia for activities (like non-destructive hacks of cloud systems) in which the US government engages, too.

Narrowing the scope of talks

This leads to a third takeaway from the US-UK advisory: Drawing red lines in cyberspace for the Kremlin requires a steady, precise hand. The potential for cooperation with the Putin regime on cybersecurity is low. Such dialogue languished under the Trump administration, and Biden’s team needs to revive it, as the outcome of the Geneva summit indicated. If the United States is to set red lines with Moscow—articulating the kinds of activities or targets the United States considers off-limits with more specifics and substance than Biden did in the brief Geneva meeting—its odds of success will improve if it moves both carefully and narrowly.

Biden administration officials have already indicated they have narrowed the scope of these preliminary discussions with Moscow: one senior official told Reuters that the administration is focused on curtailing “destructive” hacks as opposed to traditional espionage.

Meanwhile, the multiagency advisory did not say that the GRU’s hacks of cloud systems were destructive in nature. It also did not specify whether the hacks were likely to be laying the groundwork for future destructive cyber operations or just for traditional intelligence-gathering operations (though it did say the GRU was using the hacks to gather information).

Also unknown are the answers to the broader political questions: To what extent is the Biden administration going to continue publicly attributing these kinds of Russian espionage activities that, at least in this case, don’t appear to have destructive components? And to what extent is the advisory intended more as a defensive move—publicly indicating to the private sector and other governments the tactics, techniques, and procedures used by the GRU and offering ways to guard against ongoing hacks—versus a naming-and-shaming condemnation? Or is it both?

If the US government, with the support of some allies, is to mitigate national-security-damaging Russian cyber activity and influence the Kremlin’s behavior, the White House must develop answers to the broader strategic questions behind these public advisories.

Justin Sherman (@jshermcyber) is a nonresident fellow at the Atlantic Council’s Cyber Statecraft Initiative.