January 3, 2012

TSG Atmospheric: Russian Cyberthreat: The New Red Army




The Russian civilian and military intelligence and security services are increasingly using cyber-attacks, HUMINT, and other intelligence collection operations to acquire economic, financial, and propriety data and technology to directly support Russia's economic development and energy security.

These attacks are broadly motivated by three factors:

•    The chronic requirement to obtain the intelligence the country desperately needs to drive  the economic diversification necessary for its long-term viability;

•    The enduring paranoia that the global economic system continues to be biased against Russia while favoring the US and other Western interests at Russia's expense;

•    Russia's continued – and thus far intractable – dependence on natural resources, especially oil and gas.

Two hundred industry executives representing the power, oil, gas, and water sectors from 12 Western countries, as well as China and Russia, were surveyed in 2010 about their experiences with the growing threat of cyber-attacks, and the results were alarming: 85% of respondents acknowledged they had experienced network intrusions.

The greatest cyber-threat was judged to have been the product of state-sponsored espionage, followed closely by the potential for electronic or network sabotage (known generally as e-sabotage).  The main actors were unsurprisingly and widely believed to be Chinese and Russian hackers, either working directly or indirectly for the state.

Meanwhile, Russia is rapidly developing capabilities for information warfare (IW) and information operations (IO).

Within the Russian Armed Forces, IW consists of electronic warfare, psychological operations, reconnaissance (intelligence), deception – otherwise known as Maskirovka – and the strangely named "mathematical programming impact."

The latter is thought to include the deliberate introduction of malware to networks and the imposition of system malfunctions or intrusions such as back-door functionalities and logic bombs.

The current definition of IW does not explicitly mention computer network operations (CNO) but the term 'mathematical programming impact' is likely to include offensive and defensive capabilities for computer and network exploitation, attack and defense.

Although the attack capabilities of the Russians appear to be more focused on economic espionage, we nonetheless believe their ability to disrupt the U.S. national infrastructure, banking, and economic operations—including those of the major oil and gas companies—is becoming increasingly significant, and needs to be examined.  This paper is set against this context.


On December 8, 2011, at the World Petroleum Congress (WPC) in Doha, Qatar, attendees received a detailed briefing that described expanding assaults by hackers against the information technology (IT) systems controlling the global energy sector, conducting industrial espionage, and threatening potential chaos through disruption of the global oil supply chains.  International Oil Company (IOC) executives warned that attacks were becoming more frequent and more carefully planned.

One major concern was the ability of hackers to control the complex valve and pipeline network, the disruption of which would lead to substantial loss of life and production, cause difficult-to-contain fires and loss of containment, wreak extensive environmental damage, and inevitably generate costly court cases.  Overall, the potential financial losses could be staggering.

As the world's energy production and distribution are largely controlled by computer networks, the secondary concern is that cyber espionage that could place vulnerable secrets of fuel production technology into the hands of rival companies.

According to Shell, there is evidence of an increasing number of attacks with clear commercial interests – those that focus on research and development – to gain competitive advantage.

The Stuxnet computer worm, which attacked Iranian centrifuges in 2010, substantially changed the paradigm for IOCs because it was the first demonstrably dangerous cyber-attack to have a significant impact on process control.  This has caused alarm bells to ring across those sectors that rely on computer-controlled processes; the U.S. in particular relies heavily on computer networks to control the supply of utilities to its population.

Hackers are playing the long game, with extended, silent collection operations, which precede attacks on a specific target within IOC operations using the data collected in the reconnaissance phase.  Hackers are thus showing a worrisome combination of patience and determination, as well as increased sophistication and coordination among multiple players.

There has been a discernible increase in multiple attack profiles intended to break into specific operation systems within IOCs.  We judge Shell has suffered from this type of attack, possibly connected to its environmental record, especially in West Africa.

The arrival of Duqu, a Stuxnet variant, is a concern as it is written to gather data to facilitate future cyber attacks.  The relevance to IOCs is that of continuity: other types of business can afford to shut down their IT systems to conduct network maintenance; IOCs in production cannot.

The grave concern of the WPC was that if hackers could attack a major or super-major IOC and halt operations, the resultant spike in oil price could be catastrophic, especially in the current economic climate.

Entrepreneurial hackers could use the oil options markets to profit from the price movements caused by disruption and make huge profits.  As an example, the threat by Iran to close the Straits of Hormuz – which would have the potential to choke off some 30-40% of the world's oil supply chain - led to an immediate spike of $3 in the oil price.

Some 80 million barrels of oil are processed through oil sector IT systems on a daily basis ($8 billion of revenue), and the disruption of this supply would be of even more significance.  This disruption has not happened yet, but the mere fact it was ventilated at the WPC shows at the very least that the potential has to be considered, along with appropriate cyber-defenses for IOCs.

The Attack on Illinois

On November 8, 2011 in Central Illinois, hackers managed to shut down a utility's water pump, and the federal investigators working on the case consider this to be the first identified foreign cyber attack on a U.S. industrial system.  Workers noticed problems with the software systems that controls the water supply system, and in an interview with Reuters, Joe Weiss, managing partner of Applied Control Solutions in Cupertino, California, said that further investigation found that a water pump had been damaged.

Hackers broke through the security controls of the network using authentication protocols that were stolen from a company that writes software used to control industrial systems.   According to Weiss: "An information technology services and computer repair company checked the computer logs of the system and determined the computer had been hacked into from a computer located in Russia."  Both the U.S. Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) are examining the case.

The motive of the attack is at this stage unclear.  Nonetheless, The Soufan Group views this as a potentially disturbing example of hostile cyber-reconnaissance; it is reasonable to assume that the hackers were likely "road-testing" their stolen protocols for further more debilitating attacks against similar utility targets at a time of their choosing.

In February 2011, then-CIA Director Leon Panetta said of a cyber attack in the U.S.: "I don't think there's any question but that this is a real national security threat that we have to pay attention to.  The Internet, the cyber arena … this is a vastly growing area of information that can be used and abused in a number of ways."

Panetta told the House Permanent Select Committee on Intelligence, "when it comes to national security, I think this represents the battleground for the future. I've often said that I think the potential for the next Pearl Harbor could very well be a cyber attack."

He continued that terrorists are determined to find a way to hack into the power grid system in the United States, which he said "brings down the financial system, brings down our government systems. You could paralyze this country."

He noted that extremists in Iran, Russia and China are developing "a significant capacity" to stage such an attack, and that "hundreds of thousands" of attempts are being made to infiltrate national security and critical infrastructure networks.  Illinois is a disturbing echo of his prediction.

The hacker attack brings into sharp focus the threat posed to Supervisory Control and Data Acquisition (SCADA) [right] and Distributed Control Systems (DCS).  SCADA and DCS are the vital computer networks that control the U.S. critical national infrastructure – including power and water, nuclear reactors and train movement.

In late November 2011, Michael Welch, the deputy assistant director of the FBI's Cyber Division, said hackers had accessed the infrastructure of three un-named U.S. cities by compromising their SCADA systems.  Welch was a keynote speaker at the Flemings Cyber Security conference in London, where he noted that hackers could theoretically have dumped sewage into a lake or shut off the power to a shopping mall.

According to Welch, the FBI Cyber Division is set to double in size by mid 2013, which highlights the importance being placed on the need to counter the threat.

The Russian Bear

The main Russian organizations responsible for offensive and defensive cyber capabilities are:

•  The Federal Protective Service or FSO (Federal'naya Sluzhba Okhrani); •  The Federal Security Service or FSB (Federal'naya Sluzhba Bezopasnosti); •  The Military Intelligence apparatus or GRU (Glavnoye Razvedyvatelnoye Upravleniye).

The FSO has some 20,000 - 30,000 service personnel as well as several thousand civilian personnel.  It can conduct surveillance operations without warrant, and is responsible for maintaining the Russian nuclear equivalent of the U.S. 'football.'  The FSO also provides secure communications circuits for the Kremlin leadership and the military high command ...


This is an excerpt from the full report released to clients.


For subscriptions and pricing, please email:

Screen Shot 2013-10-21 at 9.32.42 AM