After reading an incredibly eye-opening report entitled “Russia: EMP Threat”, which dives into the post-Soviet, contemporary doctrine of non-contact warfare (“the combined use of cyber viruses and hacking, physical attacks, non-nuclear EMP weapons, and ultimately nuclear HEMP attack against electric grids and critical infrastructures”), we decided to see if we could develop some signatures for the Hunter module that would find and track Russian criminal forums on the clear-net, looking for trending tradecraft. The Federation’s intelligence apparatus is well known to periodically employ elite cyber criminals for government initiatives, and this is what sparked our curiosity. Could we develop custom signatures for our automation that would enumerate these key points of interest? What would we find? Ultimately, the answer was yes: we can use our proprietary signatures and automation to articulate trends in these criminal circles. Below, we discuss some of the interesting findings from this preliminary research and lay out some broader context behind the initial motivation for this endeavor.
Full disclosure – we have not had prior training as military analysts, but our team has been observing the technical capabilities of Russian cyber actors for some time now. Moreover, observing Russian cyber aggression against places like Ukraine, with real-world consequences such as the annexation of the Crimean Peninsula, also intensified our interest. Ukraine has long been a testing ground for the Russian Federation’s cyber weapons, or as they call it, Information Warfare. While many of the recent intrusions into the IT systems of the West have been viewed solely as espionage, others believe there is a far more sinister motivation behind these operations.
“Intrusions look less like isolated cases of theft and hacking and more like probing U.S. defenses and gauging Washington’s reactions—perhaps in preparation for an all-out cyber offensive that would include physical sabotage, radio frequency weapons, and ultimately nuclear HEMP attack.”
This was the primary motivation to begin down this path: to see if we could use our open-source capabilities to shed some light on this Russian information warfare onslaught.
Lastly, we leave readers with supporting technical documentation in the hope of spurring further discussion and analysis.
Russian Information Warfare
Russia views the cyber domain considerably differently from the West, from both defensive and offensive perspectives. The Federation sees the freedoms and connectivity that the internet brings as dangerous, potentially sowing dissension and democratic views within the regime. Understanding the mindset of the state, which is said to be a “worst case scenario” mindset, provides a valuable lens for interpreting how the power structure would view adjacent events such as the toppling of governments in Georgia’s Rose Revolution, Ukraine’s Orange Revolution, and Kyrgyzstan’s Tulip Revolution, in association with the free-speech nature and connectivity of the internet.
Russia also sees cyberspace as a powerful vehicle for advancing offensive military and political objectives, and has become a proficient master of this domain. The Russian Ministry of Defense (MoD) plans to create a cyber deterrent akin to the devastation that thermonuclear weapons would inflict on an adversary’s civilization. The MoD has an annual budget of ~250M for its cyber activities and invests this capital in initiatives like malware development targeting all aspects of Western critical infrastructure (banking, power, defense, aviation, etc.). This defense budget seems to be well spent, as Russian cyber operators have a reputation that precedes them across the globe.
Hunting Tradecraft with a Russian Flavor
For our preliminary experiment, we wanted to see if we could take existing Cyber Mongol signatures and augment them slightly to find content hosted on Russian criminal forums. Lines have long been drawn between Russian criminal groups and state-sponsored operators such as APT 28, so we thought this might be a good place to start.
Using Cyber Mongol hunt signatures for direct system calls, Cobalt Strike beacon object files (BOFs), process hollowing and process doppelgänging, we hit the clear-net to see what we could turn up. All four signatures succeeded in turning up tradecraft being shared on Russian criminal sites. While our initial research had nowhere near the depth needed to find innovative APT tactics not yet articulated within the security community, it did prove without a doubt that the advanced content our cyber intelligence engine tracks within the security community is being mirrored on criminally frequented platforms. One such platform (www[.]xss[.]is) had continuous hits on all four of the signatures mentioned above. It also housed other tradecraft that our sensors aren’t tuned to ingest, such as software for creating fake passports, carding tactics and other criminal aspects of the Russian underground.
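To make the approach above concrete, here is an added, simplified illustration of a keyword-signature hunt of the kind described: four hypothetical signatures (one per tradecraft category named above), a scan over constructed sample posts, and a per-source tally that flags sources where every signature fired. This is example code written for this write-up, not Cyber Mongol’s Hunter module or its proprietary signatures; the regexes, source names and post texts are all constructed for the demonstration.

```python
import re
from collections import defaultdict

# Hypothetical hunt signatures (not the vendor's own): each category maps to
# case-insensitive regexes for phrases a post discussing that tradecraft might use.
# Augmenting for Russian-language forums would mean adding transliterated and
# Cyrillic variants to these lists; they are left Latin-only here.
SIGNATURES = {
    "direct_syscalls": [r"\bdirect\s+sys(?:tem\s+)?calls?\b", r"\bsyscall\s+stubs?\b"],
    "cobalt_strike_bof": [r"\bbeacon\s+object\s+files?\b", r"\bBOFs?\b"],
    "process_hollowing": [r"\bprocess\s+hollow(?:ing)?\b", r"\bhollowed\s+process\b"],
    "process_doppelganging": [r"\bprocess\s+doppelg[aä]ng(?:ing|er)?\b"],
}

COMPILED = {
    name: [re.compile(pattern, re.IGNORECASE) for pattern in patterns]
    for name, patterns in SIGNATURES.items()
}

# Constructed sample posts standing in for scraped clear-net pages.
# Sources and texts are made up; they are not real forums or real posts.
SAMPLE_POSTS = [
    {"source": "forum-a.example",
     "text": "Sharing a Cobalt Strike BOF that enumerates tokens; works with current beacon."},
    {"source": "forum-a.example",
     "text": "Writeup: direct syscalls to bypass userland hooks, with code."},
    {"source": "forum-a.example",
     "text": "Process hollowing vs process doppelganging - which still works on recent builds?"},
    {"source": "forum-b.example",
     "text": "Selling passport templates, EU and US. PM for samples."},
    {"source": "forum-b.example",
     "text": "Anyone have a working process hollowing loader?"},
    {"source": "blog.example",
     "text": "Conference recap: red team talk on beacon object files."},
]


def scan_text(text):
    """Return the set of signature names whose patterns match the given text."""
    return {
        name for name, patterns in COMPILED.items()
        if any(pattern.search(text) for pattern in patterns)
    }


def tally_by_source(posts):
    """Count, per source, how many posts hit each signature."""
    tally = defaultdict(lambda: defaultdict(int))
    for post in posts:
        for name in scan_text(post["text"]):
            tally[post["source"]][name] += 1
    return {source: dict(counts) for source, counts in tally.items()}


def sources_matching_all(posts, required=frozenset(SIGNATURES)):
    """Sources where every required signature fired at least once
    (the 'continuous hits with all four signatures' case in the text)."""
    tally = tally_by_source(posts)
    return sorted(
        source for source, counts in tally.items() if required.issubset(counts)
    )


if __name__ == "__main__":
    for source, counts in tally_by_source(SAMPLE_POSTS).items():
        print(source, counts)
    print("all four signatures:", sources_matching_all(SAMPLE_POSTS))
```

Note that the passport-template post produces no hits at all: that is the behaviour described above, where content outside the categories the sensors are tuned for is simply not ingested, which is a reminder that a signature set only sees what it was written to see.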
While our findings were preliminary and quite raw, we were able to test a completely new application of our existing intelligence stack with only minor tweaks to the signatures. Seeing on-trend content that our intelligence engine currently tracks within the security community being shared and discussed on Russian criminal forums has strengthened our existing stance that the cyber security ecosystem influences adversary tradecraft adoption. Moreover, knowing that groups like APT 28 have strong links to platforms such as this gives us new ideas on how to better harness and augment our open-source intelligence capabilities. Stay tuned for even bigger and better things to come.
References
1. Russia: EMP Threat
2. 2018 CEPA Report: Chaos as a Strategy
3. The Russian Military in Contemporary Perspective
4. Analysis of the Cyber Attack on the Ukrainian Power Grid