Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime , Governance & Risk Management

Analysis: Can Russia's Cyber Destruction Appetite Be Curbed?

Indictments Are Just a First Step Toward a Crackdown
Analysis: Can Russia's Cyber Destruction Appetite Be Curbed?
NotPetya outbreak ground zero: Kiev-based servers hosting M.E.Doc software updates (Photo: Ukrainian police)

The U.S. indictment charging that six Russian GRU military intelligence officers were responsible for numerous cyberattacks highlights Moscow's seemingly unending appetite for online destruction (see: 6 Takeaways: Russian Spies Accused of Destructive Hacking).

See Also: On Demand | The Dark Side of AI: Unmasking its Threats and Navigating the Shadows of Cybersecurity in the Digital Age

The poster child for destruction is arguably the NotPetya wiper malware - disguised as ransomware - which was unleashed in 2017.

The malware outbreak began on May 27, 2017, via what security firm ESET has described as "a very stealthy and cunning backdoor" added to the source code of accountancy software called M.E.Doc, which is widely used in Ukraine. The backdoor allowed attackers to remotely push NotPetya onto all systems that had the software installed.

While ground zero for NotPetya was Ukraine, the malware quickly spread to Ukrainian business partners in many other countries, including Russia, Poland, Italy, Germany, Denmark, the United Kingdom and the United States (see: NotPetya: From Russian Intelligence, With Love).

NotPetya: Expertly Built

Jake Williams, a former member of the U.S. National Security Agency's elite hacking team, says NotPetya was expertly crafted and delivered on Moscow's geopolitical goals.

"It will not be easy to deter an adversary who is unscrupulous about poisoning its political opponents."
– James Andrew Lewis

"I respect the work of NotPetya," says Williams, who now runs the cybersecurity consultancy Rendition Infosec. "Any time you design something that has to run autonomously - that you deploy, and then it has to run autonomously - you have to be sure what that is, and is not, going to do. And I think honestly that NotPetya, from a technological standpoint, functioned exactly as they expected it to - and literally nothing else. It didn’t escape onto the internet."

'Too Little, Too Late'

Pressure is building on Russia as Western intelligence agencies have continued to shine a light on what they say are unacceptable intelligence activities to try to make those campaigns more costly and difficult to run. On Monday, for example, the U.K. government described Moscow's attempts to interfere in the 2020 Summer Olympics in Tokyo.

U.S. authorities have also sanctioned Russian individuals and organizations for cyberattacks. And in July, the EU issued its first-ever cyberattack sanctions, including those against Russia's GRU Unit 74455, over the NotPetya attack in July 2017 and the April 2018 attack against the Organization for the Prohibition of Chemical Weapons.

Whether indictments will help curb future attacks in the vein of NotPetya, however, remains to be seen.

Journalist Andy Greenberg, in his 2019 book "Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers," argued that 2018 sanctions against the GRU had already been "too little, too late." While the indictments unsealed Monday may no longer make the "little" point valid, he says multiple White House administrations have failed to act as decisively as they should, making attempts to deter Russia long overdue.

There have been follow-on Sandworm attacks for years, including attempts to disrupt this year's now-postponed Summer Olympics in Tokyo. The GRU allegedly did the same against the 2018 Winter Olympics in South Korea.

"First the Obama and then the Trump administration have been remiss and have been too slow to respond," Greenberg said in a presentation at the HIP Conference on Tuesday.

So far, nothing appears to have given Moscow pause.

Indictments: One Tool

James Andrew Lewis, director of the technology policy program at the Center for Strategic and International Studies in Washington, emphasizes that indictments are only one tool. "They are an essential first step, but they have to be part of a larger strategy of imposing consequences on Russia for its malicious behavior in cyberspace," he says. "Now the United States and its allies must determine what further actions against Russian hacking are appropriate."

Russia, of course, isn't alone in pushing boundaries. "While there are agreed-to, global norms for responsible state behavior in cyberspace, Russia, China and Iran routinely ignore them, and the best way to ensure norms are observed is to impose consequences when they are not," Lewis says.

But doing so may be difficult. "It will not be easy to deter an adversary who is unscrupulous about poisoning its political opponents," he says.

Destructive Attacks Remain Rare

Thankfully, destructive attacks online remain relatively rare.

"Destructive attacks can be quite hard to do effectively," Ciaran Martin said in a virtual presentation last week before the Russian indictment had been unsealed. Until Aug. 31, Martin served as CEO of the U.K.'s National Cyber Security Center - the public-facing arm of Britain's GCHQ intelligence agency.

"You can be a little bit cyber in a way you can't be a little bit nuclear," said Martin, who's a professor of practice in the management of public organizations at Oxford University's Blavatnik School of Government. "But to do sophisticated, destructive attacks takes time, money, skills and infrastructure. So, it tends to be done by nation-states. And ... nation-states - even adversarial ones - tend to act for the most part rationally and therefore they don't just throw these attacks around."

Martin says the impact of destructive attacks tends to be overhyped and cautions that doing so can lead to poor policymaking. But he also says that, in the rare cases in which these attacks are effective, their impact shouldn't be underestimated. In 2015, for example, the Sandworm attack against Ukraine led to 250,000 Ukrainians being without power for up to six hours in the middle of winter.

GRU's Edge: Operator Autonomy

Many nations have so-called cyber warfare capabilities. So why haven’t NotPetya-style attacks been more prevalent?

Numerous other nations likely have the ability to build and launch an attack such as NotPetya. But for whatever reason - likely because it's a line they've simply opted not to cross, Williams says - no one else except Russia has done so.

"When you take an apex predator like Russia in cyberspace, they have the technology to do practically anything against anyone else."
– Jake Williams

One thing that sets Russia apart from other nations isn't the quality of its hacking tools, but rather the autonomy afforded to groups such as the GRU, Williams says.

"Their intelligence operations are very decentralized from their executive, and so they function with a whole lot more autonomy," he says. "And when you take an apex predator like Russia in cyberspace, they have the technology to do practically anything against anyone else. So when you combine that with a little bit looser oversight, because they operate with so much more autonomy, that is where things get really scary."

News Desk Managing Editor Scott Ferguson contributed to this report.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.