The Russia Threat Brief

This special report captures insights into the capabilities and intent of the Russian Federation, with a special focus on the cyber domain. Our objective: provide insights that are actionable for business and government leaders seeking to mitigate risks through informed decisions.

Background:

Russia should be considered a kleptocracy, where the rule of law exists as long as it supports the objectives of the state and the ruling oligarchs. All U.S. businesses should exercise extreme caution before doing business in or with Russia.

In regard to Russia’s ability to inflict harm on the U.S., it remains a nuclear power with a large arsenal of weapons capable of destroying any nation in the world, including ours. Deterrence should keep us off an escalation ladder and mitigate that threat. The other major threat to the U.S. and our interests is information warfare.

Russia’s information warfare attacks include cyber attacks but also coordinated media campaigns and diplomatic efforts which can be combined with extensive espionage activities to achieve Russian objectives.

Russian intent seems to be to weaken any western institution it can. The most significant examples are the coordinated social media and cyber attacks targeting western elections. But other smaller scale attacks are also motivated by this goal, including cyber attacks against the website and systems of the International Olympic Committee.

The Russian Economy:

Russia has undergone significant changes since the collapse of the Soviet Union, moving from a centrally planned economy towards a more market-based system. Both economic growth and reform have stalled in recent years, however, and Russia remains a predominantly statist economy with a high concentration of wealth in officials’ hands. Economic reforms in the 1990s privatized most industry, with notable exceptions in the energy, transportation, banking, and defense-related sectors. The protection of property rights is still weak, and the state continues to interfere in the free operation of the private sector.

Russia is one of the world’s leading producers of oil and natural gas, and is also a top exporter of metals such as steel and primary aluminum. Russia is heavily dependent on the movement of world commodity prices as reliance on commodity exports makes it vulnerable to boom and bust cycles that follow the volatile swings in global prices. The economy, which had averaged 7% growth during the 1998-2008 period as oil prices rose rapidly, has seen diminishing growth rates since then due to the exhaustion of Russia’s commodity-based growth model.

A combination of falling oil prices, international sanctions, and structural limitations pushed Russia into a deep recession in 2015, with GDP falling by close to 2.8%. The downturn continued through 2016, with GDP contracting another 0.2%, but was reversed in 2017 as world demand picked up. Government support for import substitution has increased recently in an effort to diversify the economy away from extractive industries.

Economically, Russia is much weaker than most imagine. Although it is the largest nation in terms of land area and is rich in natural resources, its GDP is one tenth the size of China’s. However, Russia uses its position as a petroleum superpower, plus its military and intelligence strengths and information warfare capabilities, to punch far beyond its weight.

Russian Geopolitical Objectives and Actions:

All indications are that Russian President Vladimir Putin will rely on an assertive and opportunistic foreign policy to shape influence beyond Russia’s borders and enable Russia to punch beyond their weight. Internally he will resort to increasingly authoritarian tactics to maintain control amid challenges to his rule.

Although Moscow may seek cooperation with the U.S. in some areas that advance its interests, we do not see many of those areas developing at this time. At this point its geopolitical objectives are focused on destabilization and attacks against western institutions. We expect Russia will continue to use a variety of aggressive tactics to bolster its standing as a strategic player on the world stage. It will seek to undermine any actions of the U.S. and do the same for the Euro-Atlantic relationships.

Putin’s range of options is expanded because of the nature of the Russian legal system. The legal system exists but is under the control of Putin and the oligarchs. The highly personalized nature of the Russian political system enables Putin to act decisively to defend Russian interests and to pursue opportunities he views as enhancing Russian prestige and power abroad.

Expect Russia to compete with the U.S. most aggressively in Europe and Eurasia, while applying less intense pressure in other areas where they can take opportunities as they arise.

Russia will use a range of relatively low-cost tools to advance foreign policy objectives, including influence campaigns, economic coercion, cyber operations, multilateral forums, and measured military force. Russia’s slow economic growth is unlikely to constrain Russian foreign policy or by itself trigger concessions from Moscow in Ukraine, Syria, or elsewhere in the next year.

Russian Military:

The Russian Military includes the Armed Forces plus the Federal Security Service (FSB)’s Border Troops, the National Guard, the Ministry of Internal Affairs (MVD), the Federal Protective Service (FSO), the Foreign Intelligence Service (SVR), military intelligence (GRU), and many civil defense organizations.

The Federal Security Service (FSB) is a descendant of the old KGB and reports to President Putin. It is a military service just like the armed forces.

In 2018, Russia will continue to modernize, develop, and field a wide range of advanced nuclear, conventional, and asymmetric capabilities to balance its perception of strategic military inferiority vis-à-vis the U.S.

We also expect that the Russian Military will continue to use its resources (including the GRU) to support and sometimes lead cyber operations. The same is true of the FSB, which operates independently but is very capable of cyber espionage and attack.

The Russian Cyber Threat:

The Russian Cyber Threat is best considered as an element of overall political objectives, since it is most powerful when executed in a coordinated way with military and diplomatic moves as part of a strategic information warfare campaign. But independent cyber operations coming from Russia, including from Russian criminal groups, are also significant risks to be mitigated.

Russian criminal syndicates, the most famous of which is known as the Russian Business Network, invest hundreds of millions of dollars in conducting research and development to enable criminal cyber attacks. Why? Because it pays off. We can expect criminals operating in places unreachable by western law enforcement to continue to attack U.S. business interests to gain unauthorized access to systems and to seek any way possible to defraud for their gain.

These same criminals have been shown to work in conjunction with the government when required. For example, during the Russian state-sanctioned attacks against Estonia in 2007, non-state actors played key roles. This was seen again during the 2008 Russo-Georgian war. Of note for U.S. businesses, in both cases many companies and organizations were impacted, demonstrating that the coordination of cyber with military operations poses new risks to business interests.

This new risk to businesses from Russia’s cyber operations was more recently noted in the Petya ransomware and NotPetya malware attacks of 2016 and 2017. These attacks were designed to target a particular foe of Russia, Ukraine. However, the sloppy code did not restrict itself to the intended target, resulting in global economic damage estimated at over $1.2 billion.

The U.S. Intelligence Community’s Worldwide Threat Assessment for 2018 predicts that Russia will conduct bolder and more disruptive cyber operations during the coming years, most likely using new capabilities against Ukraine. Expect the Russian government to keep building on its current capabilities and to continue to aim them against Ukrainian energy distribution networks. It will also continue hack-and-leak influence operations, distributed denial of service attacks, and false flag operations.

Russia is also expected to continue operations against U.S. business and government interests inside the U.S. Over the next year Russia can be expected to continue to probe U.S. critical infrastructures both to gain intelligence and to position to attack should they have an interest.

Russian Influence Campaigns:

As mentioned above, cyber is just one element of Russian information operations. When Russia conducts influence campaigns it uses cyber, but also traditional espionage, military operations, diplomatic, press and media operations including ad buys, and extensive use of social media.

Russian influence campaigns will remain a significant threat to U.S. interests including business interests as they are low-cost, relatively low-risk, and usually offer enough plausible deniability to make it hard to bring key players to justice for the actions. These operations enable Russian leaders to retaliate against adversaries, silence dissidents at home and abroad, shape foreign perceptions and influence their own internal population and populations of other nations as well.

Russian intelligence services will continue efforts to disseminate false information via Russian state-controlled media and covert online personas about U.S. activities to encourage anti-U.S. political views. Russia seeks to create wedges that reduce trust and confidence in Western institutions and processes and weaken U.S. partnerships with other open nations, especially those in NATO. Specific objectives also include a rollback of the sanctions placed on Russia after the annexation of Crimea.

Expect that Russia will continue to use propaganda, social media, false-flag personas, sympathetic spokespeople, and other means of influence to try to exacerbate social and political fissures in the U.S.

Economic and Industrial Espionage Threat against the US and US Companies:

Russia was singled out by the National Counterintelligence and Security Center as one of the top three most capable nations at conducting cyber espionage (the other two being China and Iran, with the DPRK a close fourth). Russia maintains a very well resourced capability and will continue to target sensitive U.S. economic information and technologies through cyberspace.

The threat to U.S. technology from Russia will continue over the coming years as Moscow attempts to bolster an economy struggling with endemic corruption, state control, and a loss of talent to jobs abroad. Moscow’s military modernization efforts also likely will be a motivating factor for Russia to steal U.S. intellectual property. An aggressive and capable collector of sensitive U.S. technologies, Russia uses cyberspace as one of many methods for obtaining the necessary know-how and technology to grow and modernize its economy. Other methods include the following:

  • Use of Russian commercial and academic enterprises that interact with the West;
  • Recruitment of Russian immigrants with advanced technical skills by the Russian intelligence services; and
  • Russian intelligence penetration of public and private enterprises, which enables the government to obtain sensitive technical information from industry.

Russia uses cyber operations as an instrument of intelligence collection to inform its decision-making and benefit its economic interests. Experts contend that Russia needs to enact structural reforms, including economic diversification into sectors such as technology, to achieve the higher rate of gross domestic product growth publicly called for by Russian President Putin. In support of that goal, Russian intelligence services have conducted sophisticated and large-scale hacking operations to collect sensitive U.S. business and technology information. In addition, Moscow uses a range of other intelligence collection operations to steal valuable economic data:

  • In 2016, the hacker “Eas7” confided to Western press that she had collaborated with the Russian Federal Security Service (FSB) on economic espionage missions. She estimated that “among the good hackers, at least half works (sic) for government structures,” suggesting Moscow employs cyber criminals as a way to make such operations plausibly deniable.
  • Moscow has used cyber operations to collect intellectual property data from U.S. energy, healthcare, and technology companies. For example, Russian Government hackers last year compromised dozens of U.S. energy firms, including their operational networks. This activity could be driven by multiple objectives, including collecting intelligence, developing accesses for disruptive purposes, and providing sensitive U.S. intellectual property to Russian companies.
  • Since at least 2007, the Russian state-sponsored cyber program APT28 has routinely collected intelligence on defense and geopolitical issues, including those relating to the United States and Western Europe. Obtaining sensitive U.S. defense industry data could provide Moscow with economic (e.g. in foreign military sales) and security advantages as Russia continues to strengthen and modernize its military forces.

We believe that Russia will continue to conduct aggressive cyber operations during the next year against the United States and its allies as part of a global intelligence collection program focused on furthering its security interests. Although cyber operations are just one element of Russia’s multipronged approach to information collection, they give Russia’s intelligence services a more agile and cost-efficient tool to accomplish Moscow’s objectives. Indeed, Russian cyber actors are continuing to develop their cyber tradecraft—such as using open-source hacking tools that minimize forensic connections to Russia.

As a recent example of how Russia operates: In March 2017, the United States Department of Justice indicted two FSB officials and their Russian cybercriminal conspirators on computer hacking and conspiracy charges related to the collection of emails of U.S. and European employees of transportation and financial services firms. The charges included conspiring to engage in economic espionage and theft of trade secrets.


Overall Assessment:

Russia is a formidable competitor to U.S. interests. It will continue to punch above its weight and will leverage cyber espionage to gain insights into those it wants to exert pressure on, including U.S. corporate leaders. Cyber attacks will be done in coordination with diplomatic and military operations, and U.S. businesses can easily be collateral damage to these attacks, as in the NotPetya attacks. Cyber attacks against U.S. infrastructure and corporations are a threat as well.

Our Recommendations:

Raise your defenses against cyber crime. There are many things that businesses can do that make it harder to have secrets stolen, and most of these things are low cost. Kick start your actions with our list of best practices, available here:

Additionally, U.S. businesses should exercise extreme caution in entering into business relationships with Russia.

Current Intelligence On The Russian Cyber Threat

Cyberwar predictions for 2019: The stakes have been raised

Before the internet era, geopolitical tensions drove traditional espionage, and periodically erupted into warfare. Nowadays, cyberspace not only houses a treasure-trove of commercially and politically sensitive information, but can also provide access to control systems for critical civil and military infrastructure. It’s therefore no surprise to find nation-state cyber activity high on… Read more

The Most Dangerous People on the Internet in 2018

This year thankfully avoided any world-breaking ransomware attacks like NotPetya. It even had some small victories, like GitHub beating back the biggest DDoS attack in history. Still, online threats are manifold, lurking and evolving, making the internet a more hostile place than ever. The biggest threats online continued to mirror the biggest threats in… Read more

US Treasury sanctions Russians for hacking and election meddling

The US government isn’t done taking action against Russians accused of hacking and interference campaigns. The Treasury Department has leveled sanctions against 16 current and former GRU intelligence officers (some of whom were targeted in earlier indictments) for their involvement in multiple campaigns against the US, including the Democratic National Committee hacks, World Anti-Doping Agency hacks and election… Read more

Russian Cyberspies Build ‘Go’ Version of Their Trojan

The Russian-linked cyber-espionage group Sofacy has developed a new version of their Zebrocy tool using the Go programming language, Palo Alto Networks security researchers warn. The first-stage malware was initially analyzed in April this year, and has been observed in numerous attacks in October and November. Last month, however, the researchers… Read more

How Russia’s online influence campaign engaged with millions for years

Russian efforts to influence U.S. politics and sway public opinion were consistent and, as far as engaging with target audiences, largely successful, according to a new report from Oxford’s Computational Propaganda Project. Based on data provided to Congress by Facebook, Instagram, Google and Twitter, the study paints a portrait of the… Read more

Russia-Linked Phishing Attacks Hit Government Agencies on Four Continents

A recent campaign attributed to the Russian cyber-espionage group Sofacy hit government agencies in four continents in an attempt to infect them with malware, Palo Alto Networks security researchers say. Also known as APT28, Fancy Bear, Pawn Storm, Sednit and Strontium, the Russian state-sponsored hacking group has been focusing on… Read more

Why Microsoft is fighting to stop a cyber world war

Two days last year finally woke the world up to the dangers of cyberwarfare, according to Microsoft’s President Brad Smith: 12 May and 26 June. On 12 May the WannaCry ransomware attack created havoc by encrypting PCs across the world and costing billions to repair the damage. Just over a month later… Read more

Ukraine Accuses Russia of Cyberattack on Judiciary Systems

Ukraine has once again accused Russian intelligence services of launching cyberattacks against one of its government organizations. Ukrainian security service SBU announced that its employees blocked an attempt by Russian special services to breach information and telecommunications systems used by the country’s judiciary. According to the SBU, the attack started with a… Read more

NATO Practicing Cyber-Warfare Games

To address the growing concern of cyber-warfare, NATO has launched the “Cyber Coalition 2018” in Estonia. The exercise is a “War Game” focused on defense and counter-attack in the arena of digital battle. The activity is taking place just 50 kilometres (30 miles) from the border with Russia, seen by… Read more

The state of cyberwarfare: 2 things you need to know

Cybersecurity headlines in recent years have been dominated by companies losing money by being hacked and leaking the data of millions of customers. But today, cybersecurity is moving beyond the financial impact to concerns over public safety, national security, and even cyberwarfare. To understand the state of cyberwar and its… Read more

2019 Security And Defence Predictions

It’s the time of the year for cybersecurity predictions. This time, Suzanne Spaulding, former DHS Under Secretary and Nozomi Networks advisor, provides her insights on what she believes 2019 holds. The things that have been holding back Russia, China, North Korea and Iran from a critical infrastructure attack on the U.S. could… Read more

Russian Hackers Have Just Shown Their First Sign Of Interest In Brexit

A group of hackers believed by American intelligence to be controlled by a Russian spy agency has launched its first attacks with Brexit as a focus. Known as Fancy Bear, the hackers have previously stolen files from the Democratic National Committee in the U.S. They often use recent events, like the… Read more

Sofacy APT Takes Aim with Novel ‘Cannon’ Trojan

The Sofacy APT group is back, with a new second-stage custom malware payload that researchers have dubbed “Cannon.” A campaign against several government entities around the globe, including in North America, Europe and a former Soviet state, came in waves during late October and early November, according to Palo Alto’s Unit… Read more

UK ‘wholly’ unprepared to stop devastating cyber-attack, MPs warn

UK ministers are failing to act with “a meaningful sense of purpose or urgency” in the face of a growing cyber threat to the UK’s critical national infrastructure (CNI), a parliamentary committee has warned. The joint committee on national security strategy said at a time when states such as Russia were expanding… Read more

Russian APT comes back to life with new US spear-phishing campaign

A Russian state-sponsored cyber-espionage group has come back to life after a one-year period of inactivity with a relatively large spear-phishing campaign that has targeted both the US government and private sector. The hacking group is known in infosec circles as Cozy Bear, APT29, The Dukes, or PowerDuke, and is… Read more

WebCobra Malware Uses Victims’ Computers to Mine Cryptocurrency

McAfee Labs researchers have discovered new Russian malware, dubbed WebCobra, which harnesses victims’ computing power to mine for cryptocurrencies. WebCobra silently drops and installs the Cryptonight miner or Claymore’s Zcash miner, depending on the architecture WebCobra finds. This cryptocurrency mining malware is uncommon in that it drops a different miner depending… Read more

The US has a cyberattack ready if Russia interferes with 2018 midterm elections

The Pentagon and the US intelligence community plan to launch a counter-cyberattack on Russia if the country interferes with US midterm elections, according to a recent report from the Center for Public Integrity. In preparation, US military hackers have already been given permission to access Russian cybersystems necessary to complete the attack,… Read more

Destructive Cyberattacks Spiked in Q3

New data gathered from more than three dozen providers of incident response services reveals a disturbing increase in the past quarter of destructive cyberattacks targeting US organizations. It is not clear whether the attacks—many of them from countries like China, Russia, and North Korea—are a response to the current geopolitical… Read more

How To Prevent Your Business Becoming Collateral Damage Of Geopolitical Cyber Conflict

Mention cyberwarfare and most businesses tend to sigh and move on to something less weighted down with the baggage of hyperbole. This is a huge mistake. While there are plenty of opinions out there as to what the concept of cyberwarfare should mean in theory, in the real-world the distinctions… Read more

Should You Be Afraid of Election Hacking? Here’s What Experts Say

After Election Day two years ago, one thing became clear: foreign powers, notably Russia, had attempted to interfere in the American democratic process. They used various methods, and had varying degrees of success. Whether those efforts had a decisive impact is less certain. But such a brazen assault on U.S.… Read more