May 7, 2012

TSG IntelBrief: Russia’s Increasing Cyber Threat


As of early May 2012, Russia's offensive cyber capabilities appear to be growing increasingly sophisticated, with a worldwide target set. In February of this year, the U.S. Director of National Intelligence, James Clapper, warned the Senate Select Committee on Intelligence about systematic intrusions into U.S. Government networks, and the resulting exfiltration of sensitive data, by hackers based in Russia. That testimony followed a November 2011 report from the National Counterintelligence Executive that explicitly named Russia as a main culprit in efforts to electronically steal sensitive information from supposedly secure computer systems. The Federal Bureau of Investigation considers cybercrime one of the most serious threats to the U.S., and officials have stated that it may soon surpass terrorism as the top threat. Although difficult to gauge accurately, estimates of the cost of Russian cyber theft to the U.S. economy already run to hundreds of billions of U.S. dollars.

Russia has a long and well-established history of exploiting the cyber domain for a host of nefarious activities, including cybercrime, espionage, and coordinated cyberattacks. In 1999, for example, an intrusion into Department of Defense networks, an effort known as Operation Moonlight Maze, systematically extracted confidential defense technology research and transferred it to proxies in Russia. (Whether this operation had formal links to the Russian government remains in dispute.) In 2008, defense officials reported suspicions that Russian intelligence services had targeted classified military systems for collection, using malware introduced through an infected thumb drive. The malware, dubbed the "Agent.btz" worm, prompted a massive defense network cleanup program called Buckshot Yankee.


A Cyber Act of War?

In the spring of 2007, the Estonian government's decision to relocate a Soviet-era war memorial statue triggered a series of denial of service attacks on government, financial, media and other websites, temporarily crippling the country's digital infrastructure. The attacks appeared to originate in Russia, although ethnic Russians living in Estonia were also implicated. While many security analysts likened the event to a "cyber riot" or a form of political "hacktivism," the Estonian government treated the incident as a national security crisis and raised within NATO the question of whether a cyberattack could be treated as an act of war under the alliance's collective defense mechanisms. The Russian government denied involvement; at the same time, it declined Estonia's request, made under a Mutual Legal Assistance Treaty, to cooperate in investigating the incident.

The following year, in August 2008, a cyberattack on Georgian government websites was launched in conjunction with the Russian military incursion across the Georgian border. Because it was coupled with an active military operation, many saw this electronic bombardment as one of the first clear instances of cyberwar between nation states, and the timing of the attacks strongly suggested government coordination.

The Russian Business Network (RBN) is a well-known online organized crime ring. It offers web hosting for criminal enterprises such as child pornography; produces and distributes malware that can be used for identity theft or industrial espionage; and rents out denial of service attack capabilities through its networks of hijacked computers, known as botnets. There has been speculation that RBN's botnets and other services were used in both the Estonian and Georgian incidents, either by patriotic Russians in the private sector or by government organizations acting under the direction of the Kremlin. Although direct coordination is difficult to prove, the continued existence of the RBN at the very least suggests that the Russian government turns a blind eye to its operations. Reportedly based in St. Petersburg, the enterprise has evolved over time and now includes transnational crime syndicates and other non-state actors within its network. Beyond the threat it poses to economic security, there is growing concern that these groups also have the technical capability to attack U.S. critical infrastructure, possibly at the tasking of the Kremlin.


The Rocky Path to International Cooperation on Cybercrime

For the past decade, Russia has been one of the most vocal supporters of an arms control treaty, a United Nations convention, or both, to ban the use of "information weapons." Experts see these proposals as an expression of the Russian perspective on freedom of information, which Moscow views as a threat to the state. Consistent with this outlook, Moscow supports a cybersecurity doctrine that emphasizes government control over online communications.

In general, however, the proposals ignore the threats to national sovereignty posed by international cybercrime. The Council of Europe Convention on Cybercrime, possibly the only existing instrument that directly addresses this threat, conspicuously lacks Russia as a state party. Other criticisms of the Russian proposals include the absence of clear provisions for holding states accountable for attacks launched from within their own borders. The U.S. favors a less restrictive approach to cybersecurity, built on international norms and law enforcement, and does not support internet repression (although several prominent U.S. lawmakers have called for measures that critics consider dangerously restrictive).

An agreement between the U.S. and Russia was recently announced that would use the Cold War-era Nuclear Risk Reduction Center messaging system as a confidence- and security-building measure in the cyber arena. Used today to send notifications of upcoming arms control inspections and exercises, the system would allow the two governments to communicate directly in the event of a major cyber incident that threatened national security (commonplace cybercrime such as identity theft would presumably not meet that threshold).

While increasing international cooperation against the insidious cyber assaults conducted by international criminal syndicates is a positive step, reaching agreement on the limits of state offensive cyberwar capabilities is likely to prove as complex, and ultimately as elusive, as agreement on other unconventional weaponry.



