1 September 2014

The Russian Snake


As far as Moscow is concerned, using cyber as a warlike offensive tool is the normative first step in a general attack. After Estonia and Georgia, the Ukraine now experiences it first hand

The prevailing view in the West is that Russia possesses cutting-edge information warfare and electronic warfare capabilities. Experience has shown that Russia does not hesitate to put these capabilities to use as required. 
As far back as 2007, during the confrontation between Russia and Estonia whose trigger was the relocating of the Unknown Soldier Monument from the center of Tallinn, the Estonian capital, to the outskirts, Russian elements staged a substantial DDoS (Distributed Denial of Service) attack against Estonia. The actual involvement of the Russian government in this conflict, named by some parties (who went just a little too far) “The First Cyber War”, remains unclear. 

The attack against Estonia was a small but sufficient illustration of the axiom according to which, in the information era, it is safe to assume that any military confrontation or political tension will include offensive cybernetic elements: damaging or disrupting information systems, or damaging critical infrastructure/utility systems and processes through the computers controlling them. That was the case during the South Ossetia war in 2008, when Russian and Georgian forces clashed under controversial circumstances. During that conflict, too, pro-Russian cybernetic attacks staged by “unknown sources” disrupted on-line services and websites of the Georgian government as well as those of the media and banks. A DDoS attack was even staged against Internet services in Georgia generally. At the time, Georgian sources reported that the civilian cellular communication systems and the communication system of the Georgian Army were attacked as well. The use of cyberspace against Georgia had several objectives, such as the collection of intelligence and the disruption of vital processes, but information warfare was also one of those objectives. 

The Russians were not satisfied with the results they achieved in the cyber dimension against Georgia, and in recent years there has been much debating about cybernetic strength as an essential element of the Russian strategy. In late 2011, the Russian Ministry of Defense published a document outlining the fundamentals of Russia’s military cybernetic strategy, titled “Conceptual Views on the Activity of the Russian Armed Forces in Cyberspace”. In January 2013, a presidential decree assigned the responsibility for the development and implementation of Russia’s national cybernetic defense policy to the Federal Security Service (FSB). 
The initiatives taken since then by the Russian military, government, defense industries and research institutions indicate that Russia has abandoned its past official policy, which called for the demilitarization of cyberspace. 

Not surprisingly, the recent political-military tension between Russia and the Ukraine has led, among other things, to cybernetic warfare activity. One should bear in mind that the tension between Russia and the independent Ukrainian state has existed since the disintegration of the USSR, and that it erupted in the reactions to the Orange Revolution of 2004 as well as during the Ukrainian presidential elections. 

What is the Tail-Devouring Serpent? 

As it turns out, the current activity began long before the demonstrations. According to a report published recently by BAE Systems and GData of Germany, Russia was allegedly already involved in an on-going cybernetic espionage operation that had lasted several years. The code segment revealed recently includes the string “Ur0bUr()sGotyOu#”, and that is how it came to be known as Uroboros – an ancient Greek symbol in the shape of a serpent or dragon that swallows its own tail. Uroboros (also known as Operation Turla or Snake) is a rootkit (a “stealth” program that runs with privileged access to the operating system) designed to hack into 32-bit and 64-bit Windows computers, and it is made up of two code segments: a driver and an encrypted virtual file system. Both elements are characterized by a very high standard of code quality, they have stealth capability and they are extremely difficult to identify. Jointly, they are used for espionage by extracting information from the infected computer and sending it, in encrypted form, to the command and control computers. Uroboros was designed to operate in a peer-to-peer fashion, namely – several infected computers communicate with one another and are controlled by another computer. The complexity of the code indicates that it was probably produced by an organization with time on its hands, highly trained personnel, a lot of money and an interest in espionage. In other words – a state stands behind Uroboros. 

Why did Russia Become the Chief Suspect? 

The primary evidence is the high degree of similarity between Uroboros and an older espionage campaign designated Agent.BTZ, which infected computers of US CENTCOM. When that espionage campaign was discovered in 2008, it appeared to be so elaborate and complex that it caused the US military to launch a defensive operation designated “Buckshot Yankee”. The American Deputy Secretary of Defense at the time, William J. Lynn III, described the incident as follows in a seminal article from 2010: “This previously classified incident was the most significant breach of US military computers ever, and it served as an important wake-up call. The Pentagon’s operation to counter the attack, known as ‘Operation Buckshot Yankee’, marked a turning point in US cyber defense strategy.” 

The classified incident Lynn refers to is, of course, the discovery of Agent.BTZ within the most confidential networks of the US military. The uncovering of the espionage operation within the military networks also led to the establishment of US Cyber Command (CYBERCOM), as yet another addition to a long line of American security and intelligence organizations involved in cyber. According to Kaspersky Lab, to date more than 400,000 computers have been infected by Agent.BTZ and its various versions. 

Back to Uroboros – it is interesting to note that before Uroboros installs itself on the target computer, it searches for a version of Agent.BTZ, and if such a version is found, it will not activate itself. Additionally, the code contains indications of the use of the Russian language, and the time zone used in the code is consistent with Moscow time. The researchers at BAE found that in 2014 alone there were 20 variants of the attack: 14 in the Ukraine, 2 in Lithuania, 2 in Georgia, 1 in Hungary and 1 in Italy. In 2013, out of a total of 24, only 8 variants were found in Georgia and 9 in Lithuania. One of the things that remain a mystery is whether the snake can be used not just for espionage but also for offensive operations on the infected computers, such as destroying information and rendering the computers inoperable. American experts on Russian thinking note that it is reasonable to assume that the snake was developed for dual use – both espionage and attack. One should bear in mind that all of this evidence is circumstantial, and that it is augmented by the timing of additional attacks by Russia against the Ukraine. 

Russia in Cyberspace 

In the context of the current Russian-Ukrainian confrontation, all of the parties involved use disinformation (Дезинформация) extensively. This has led to substantial difficulties in evaluating reality. The evidence gathered thus far with regard to Russian activity in cyberspace includes: EW operations (disruption of radio, telephone and cellular communication systems, including actual cutting of communication cables), DDoS attacks against Ukrainian media and website defacement, psychological warfare through cybernetic means (for example, publicizing the E-Mail correspondence of one of the revolution leaders in an attempt to sully his image), and physical takeover of media sites. 

The case of Uroboros is probably the only example of cyber operations in the context of the current conflict. The Uroboros case should be viewed in the context of the broader global picture: when sophisticated cyber espionage operations are uncovered, they indicate the increasing use of clandestine operations in cyberspace by states. On the other hand, most of the activities Russia initiates in cyberspace in the context of its international confrontations are associated with information warfare: a range of defensive and offensive operations intended to promote the Russian narrative and shape public opinion. According to the Russian concept, the “West” is a hostile agent that uses the Internet in order to damage opposing regimes from within. The Russian elite regards the present pro-Western protest in the Ukraine as the direct continuation of the Western information campaigns that led to the Arab uprisings in 2011. This topic has received much attention in Russia, as opposed to the silent response in the Western countries. 

Ram Levi is CEO of Konfidas, a cyber consultant to the National Council for R&D at the Ministry of Science & Technology and a senior research fellow at the Yuval Ne'eman Workshop for Science, Technology & Security at Tel-Aviv University 

Lior Tabansky is studying for a doctoral degree in political science at Tel-Aviv University and serves as a senior research fellow at the Yuval Ne'eman Workshop for Science, Technology & Security at Tel-Aviv University
