Cyber Warfare
Russia mobilises an elite band of cyber warriors
Since the 2015 hack of France’s TV5Monde, the Kremlin-backed APT 28 has become bolder in its choice of targets
February 23, 2017, by Sam Jones
It was an early dinner by Parisian standards, 8.40pm, on a mild spring evening at Prunier, an opulent seafood restaurant near the Arc de Triomphe. Amid the hum of conversation, the cracking of shellfish and the gentle chinking of glasses, Yves Bigot missed the insistent ringing. “Then I saw — multiple missed calls, SMS messages, emails, the whole shebang,” he recalls. “Both my phones were going berserk.”
Frantic staff at TV5Monde’s nearby offices had been trying to get in touch with their boss. Something had gone terribly wrong.
It was April 9 2015, and the channels across TV5Monde’s network, the world’s largest francophone broadcaster, began switching off, one by one. Hundreds of television screens at its headquarters, from the lobby to its broadcast galleries, had fallen silent. In its basement, the TV network’s servers were being systematically erased, digital piece by digital piece.
As he scrolled through panicked emails, Mr Bigot, the broadcaster’s director-general, opened a picture message on his phone. A colleague had taken screengrabs from the channel’s website and social media accounts: in place of the usual turquoise signage was the shahada — the Muslim profession of faith — written in white on black. Above it: “CyberCaliphate. Je suIS IS”.
Surrounded by squads of heavily armed counterterror police, a team of engineers worked through the night to save the network. They did so by a hair’s breadth.
In the days that followed, the expected claim from Isis of responsibility for the attack never arrived. Cyber intelligence agents were on site for weeks conducting a forensic search to identify the culprits. Two months later, ANSSI, France’s cyber security agency, briefed Mr Bigot. The attack had not been the work of the Islamist group at all. Instead, they believed responsibility lay with a group known as APT 28. They were Russian.
Attack on the DNC
A year later, in the spring of 2016 during the US election campaign, APT 28 would initiate an even more audacious operation. The group hacked the Democratic National Committee, releasing thousands of files to discredit Hillary Clinton and calling into question the sanctity of the US democratic system.
APT 28's hacking of Democratic National Committee files damaged Hillary Clinton's presidential campaign © AFP
The scale of the attack shocked the US, if not the entire western security community. But for those familiar with APT 28’s evolution, and the shift in its operations represented by the attack on TV5Monde, it came as no surprise.
“The curtain is still being pulled back,” says Shawn Henry, a former assistant director of the Federal Bureau of Investigation, now president of CrowdStrike, the cyber security company drafted in to defend the DNC. “People still don’t understand the implications and the impact of these types of attack . . . We’re further away from [security in cyber space], in the US, than we were eight years ago.”
The Financial Times has spoken to more than a dozen leading professionals with close knowledge of APT 28’s activities — including senior intelligence and military officials, as well as civilian cyber security experts who have first-hand experience of the group’s hacks.
Officials in the US, UK, Israel and Germany have all told the FT that they believe APT 28 is run by Russia’s sprawling military intelligence arm, the GRU. Moscow has consistently denied any connection to APT 28.
CrowdStrike president Shawn Henry: 'We’re further away from [security in cyber space], in the US, than we were eight years ago' © Bloomberg
Many fear the group’s activities are far from over. Cyber attacks on Nato are up 60 per cent in the past year, according to one official at the alliance. Attacks against EU institutions are up 20 per cent, says one senior security source at the commission.
The trail of evidence left by these attacks, while far from comprehensive, goes some way toward indicating the way Russia under President Vladimir Putin sees the world, and how the modern Russian state must secure its place within it. It is one of tactical opportunism and flexibility, but also deep and considered strategic commitments, lines of attack and influence, that have been years in development.
- $100,000 - Cost to hackers of mounting a ‘zero-day’ attack on a system’s unpatched flaws
APT 28 has already compromised the computers of political parties in both France and Germany, which have national elections this year, says one senior industry analyst who declined to be named. Since the DNC hack, it has initiated “several” significant new operations, he adds. It has also hacked dozens of non-governmental organisations, targeting most of the aid organisations working in Syria, including those providing information about casualties, according to a senior western security official. Russia claims its forces there are fighting terrorism. The west insists Moscow’s bombing is done solely in support of the Assad regime. Independent information from the conflict is critical to establishing who is telling the truth.
“Putin and his team are the heirs of the Tsarist, and particularly the Communist secret services,” says Chris Donnelly, founder of the Institute for Statecraft and former adviser to successive Nato secretaries-general. “Their understanding is one of permanent conflict with the west in which information has always been a very important issue. Influence and subversion and the whole issue of what they call active measures, or dirty tricks, anything short of declared war, is there to be run.”
Kremlin connections
A forensic analysis of high-profile hacks suggests APT 28 has been active for at least a decade, hitting some of the most sensitive military and diplomatic organisations in the west. According to cyber security analysts, previous targets have included Academi, the private military company formerly known as Blackwater; US defence and intelligence contractor SAIC; the French and Hungarian defence ministries; Nato military attachés; the Organisation for Security and Co-operation in Europe; and the US State Department.
Its coding and technical capability is “top level”, says one British security official. But more distinctive is the group’s mastery of phishing attacks — sophisticated fake emails with realistic, but infected attachments. The FT was shown samples of some of the lures used by the group. In 2010, for example, Nato military attachés in Ankara were sent emails purporting to be from colleagues, with Excel files attached containing a list of their Nato peers’ contact details. The trick proved effective and was repeated two years later when APT 28 sent a tweaked version — a list of contact details for senior British military figures — to embassies across London featuring the names and contact details of their spouses, for added realism.
By opening the files, recipients would unwittingly install APT 28’s malware on to their computers. From those initial small digital bridgeheads, the group spread its surveillance tools across target networks, often giving it access to classified material and opportunities to cause immense damage.
Costin Raiu, head of global research at Moscow-based cyber security firm Kaspersky Labs, says APT 28’s resources distinguish it from other hacking groups. What sets it apart, Mr Raiu says, is the number of “zero day” attacks — operations which exploit flaws in software unknown to the manufacturer — that it carries out at a cost to the group of well over $100,000 a time. In 2015, the group carried out six known zero-day attacks.
- $300m - Russia’s annual spend on its ‘cyber army’ of about 1,000 people, according to Kommersant
The group’s activities can be traced back to 2007 by analysing the code in its malware but it was not until 2014 that the scale of its work became too difficult to disguise. “[That] was when we got our first real foothold on the infrastructure this group was operating,” says Laura Galante, director of global intelligence at FireEye.
By taking samples of the hackers’ malware, essentially their digital fingerprints, the cyber security group compiled a history of the group’s activities. It was FireEye that first dubbed the group APT — advanced persistent threat — 28 in a 2014 report. Other cyber security and tech companies have conjured even more elaborate monikers for the group: Sofacy, Strontium and Fancy Bear among them.
The evidence, collected from hundreds of historical incidents involving APT 28, points towards Russia. “There is a decade-old professional effort behind this, with at least two different sets of minds in the operation. One a tool development effort and one researching what the targets look like and orchestrating the operations,” says Ms Galante, adding that it has all the hallmarks of classic spycraft.
Spycraft in the digital age
French intelligence agencies that investigated the TV5Monde case have stopped short of drawing a firm line between the group and the Kremlin.
Regardless, ANSSI concluded that the TV5Monde assault was a work of considerable sophistication. Beginning in January 2015, just days after the attack on the Paris office of the satirical magazine Charlie Hebdo, APT 28 mapped out the interlocking computer networks and broadcasting hardware that formed the backbone of TV5Monde’s systems. The endeavour would have required telecommunications engineers, skilled coders and, to plan and execute it, tacticians. There were at least seven different “vectors” of entry, ANSSI found. APT 28 even hacked into the third-party companies that supplied TV5Monde with its hardware, implanting malware into the automatic cameras being used in the TV station’s studios.
Increased security around the TV5Monde office after the April 2015 cyber attack on its network © EPA
The attack was only thwarted by luck. TV5Monde had 10 IT specialists working that evening instead of the usual two because of the launch of a new channel earlier that day. It was one of the extras who identified the internal server APT 28 was using to orchestrate its rampage. He ran down to the basement and yanked its cabling out of the sockets. “He’s kind of a hero here,” says Mr Bigot.
The crucial question, though, is why APT 28 shifted from years of covert, if predictable, intelligence gathering to a riskier operation of aggression, sabotage and manipulation. The attack on TV5Monde, says Mr Bigot, “was like a demo tape”.
Kremlinologists and the western intelligence community are still divided on the timing of Russia’s altered course in relations with the west: some date it to Kiev’s Maidan revolution in 2014 and subsequent invasion of eastern Ukraine; some see a slower-burning breakdown, with Moscow’s paranoia exacerbated by years of freewheeling
US foreign policy and enthusiasm for regime change; a smaller group see an ever wider arc in which Russia is reasserting its Soviet, even Tsarist, geopolitical behaviour.
Russia’s military does not tend to talk of cyber warfare, as the west does, in terms of tightly prescribed, legally measured actions, but rather discusses the broader concept of an information war — a concept that precedes the Soviet era — in which the toolkit has been brought up to speed for the digital era.
On Wednesday, Russian defence minister Sergei Shoigu confirmed the existence of “information troops”, rumoured for years but long denied by officials. “Propaganda must be smart, literate and effective,” he told the lower house of parliament. Russia spends $300m annually on its “cyber army” of about 1,000 people, according to the Kommersant business newspaper.
Andrei Soldatov, co-author of The Red Web, says the Kremlin has long seen cyber security as part of a broader concept of information warfare. “They really believe they are under some sort of siege,” Mr Soldatov says. “They believe that they lost the first Chechen war thanks to journalists, so when they are in a crisis, the first thing they need to do is control the information space.”
Russia analysts say there is a structural dynamic to the rise in APT 28’s activity. In 2013, Mr Putin ordered a modernisation of the way Russia controls its operations abroad. It created the National Defence Control Centre, designed to co-ordinate everything from propaganda, economic influence and intelligence through to conventional military operations.
“When they are looking at all these forms of conflict and competition now, they do so with a unified coherent view of how they should play things,” says Mr Donnelly. “It’s a militarised conception of how to operate.”
It has catapulted the GRU into a central role in Russia’s engagement with its adversaries. “The GRU has become very significant,” says James Sherr, associate fellow at the Chatham House think-tank. “And if you’re very significant then in the Russian system you expand.”
It is a volatile situation. Real-world tensions between Russia and Nato are running high in militarised zones like the Baltic and the Black Sea. “Cyber space,” jokes a recently retired senior British general, “is the new Balkans.”
No ‘back to normal’: How TV5Monde imposed digital detox after attack
For the first six months after APT 28’s attack on TV5Monde, the broadcaster went back to a pre-digital era.
There was just one secure computer on each floor. Staff had to queue, rarely less than 20 of them in the line, just to check their emails. Messaging services like Skype were banned. People could not use external flash drives. Uploaded files had to be rigorously decontaminated first.
Yves Bigot, TV5Monde’s director-general, has found a new vocation as an evangelist for cyber security. There is still no obvious motive for why the broadcaster was hit. That should be a warning to any large modern company, says Mr Bigot: anyone, in any industry, is a target.
He has few words of comfort. “The digital world is supposed to be fun and easy and cool and natural. But now it’s just the opposite,” he says.
When the network’s staff are abroad, their passwords change every time they log in. Phones cannot be plugged into computers to charge batteries. “What it comes down to basically is, we won’t go back to normal ever again, whatever normal is.”
Mr Bigot says TV5Monde is lucky. It has learnt and adapted. Other businesses will have to do so too. But many are still hesitating.
“Other companies I speak to understand they have to do something,” he says.
“But it’s like when you’re driving. The accident is never going to be you because you’re careful and you’re a good driver and you don’t drink. Until it has happened to you . . . you don’t take it seriously.”