The Russian Way of Cyberwar

Information, Disinformation and Influence

thaddeus t. grugq
Jan 10, 2017

There's good reason to believe the Russian intelligence agencies have just pulled off an amazing influence operation entirely within the cyber domain. This is a wonderful demonstration of cyber that encompasses many aspects of intelligence services (espionage, influence operations, disinformation/deception). These events show how Russia has combined its aggressive approach to intelligence operations with its increasingly sophisticated understanding of cyber.

Influence Operations

Influence operations are when an intelligence service attempts to influence events in another country (basically). The Russians are past masters at executing these sorts of operations, although the results vary widely. In the 1990s they covertly contributed to a Canadian politician’s campaign. They funded anti-nuclear organisations during the Cold War. They recruited journalists, politicians and others who could influence events or public opinion. For more Russian influence operations, read the Estonian intelligence service’s yearly reviews (start with 2015).

What Just Happened?

There are a number of events, so let's put them in an ordered timeline and examine what just happened.

  1. 2015–06-??: Russian Intelligence services penetrated the DNC and collected a large amount of information. [Collection]

Reading this trail of events it is easy to see how a blown operation was rapidly transitioned into an influence operation and a disinformation/deception campaign to mitigate the blowback. Given that the media is currently reporting that the cover hacker was responsible, and not Russian intelligence services after all, it seems the deception operation is working.

The following analysis is based heavily on the work done by @pwnallthethings, see this Twitter thread.

Thin Cover Story

The services that conducted the parallel cyber espionage operations were exposed by the CrowdStrike blog post and the Washington Post story. The Russians' original plan was probably to wash the documents by using WikiLeaks as a cut-out (as they have allegedly done in the past). It is entirely possible that they had already leaked the documents to WikiLeaks. After the espionage op was blown and the Russians exposed as the source of any future DNC documents, they were forced to create a cover entity to provide plausible deniability. Welcome to the world: GUCCIFER2!

The cover, GUCCIFER2, is not a particularly good one. The GUCCIFER2 website has only a single entry, the one claiming responsibility for the DNC hack. There is no history of this entity existing before the operation began (the oldest Google result is the GUCCIFER2 website). In future I expect that services will develop “cover” entities for use in times of crisis, just like they prepare safe houses before they need them. Note to agencies: preparing and maintaining cover hacker identities should now be considered standard tradecraft, part of “putting the plumbing in place.”

Writes Like a Russian

In particular, note this extremely unusual textual smiley face:

This is a Russian quirk using ))) instead of :) and placing them immediately after text. So, GUCCIFER2 is a Russian with excellent English.

Leaked Documents Passed an Elaborate Analysis Process

Intelligence services have a process for analyzing the data they collect and processing it into a deliverable (called “product”). In the case of a cyber operation that involved the collection of a large number of documents (thousands, they boast), the only feasible approach is to assign multiple analysts to the task. Clearly, the documents must be analyzed, sorted, and selected for use in other operations (or processed into a product to aid policymaker decision making).

Lots of Virtual Machines

The leaked documents show signs of being opened and processed on multiple (virtual?) machines. These machines had different username configurations, including one with the Cyrillic language setting and a username of “Iron Felix,” the first head of the Soviet intelligence services (at that time known as the Cheka; modern Russian intelligence officers frequently call themselves chekists).

Russian Language Settings

One of the documents provided to Gawker directly by the “lone hacker” GUCCIFER2 was processed on a system using the Russian language setting. The same document on the cover hacker’s website was not. Why would a single hacker process a document twice, once in Russian and once in English, and then leak both versions simultaneously? This difference suggests a team rather than a “lone hacker.”

Russian Favored Cracked Software

The software used during the analysis process was a cracked version of Office 2007, one that happens to be popular in Russia.
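The three observations above (a different last-saving user, a different default language on two copies of the same document, an Office 2007 build) all come from document metadata. As an added example, not code from the original post, here is a small Python script that pulls those fields out of a .docx package and lists where two copies of "the same" document disagree; the two sample files are constructed in memory, and reading the default editing language from the docDefaults run properties in word/styles.xml is an assumption about where Word records that setting.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {  # standard OOXML namespace URIs
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
}

def provenance(docx_bytes):
    """Extract author, Office build and default editing language from a .docx package."""
    out = dict.fromkeys(["creator", "last_modified_by", "app_version", "default_lang"])
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "docProps/core.xml" in z.namelist():  # who created / last saved the file
            core = ET.fromstring(z.read("docProps/core.xml"))
            out["creator"] = core.findtext("dc:creator", namespaces=NS)
            out["last_modified_by"] = core.findtext("cp:lastModifiedBy", namespaces=NS)
        if "docProps/app.xml" in z.namelist():  # which Office build saved it (12.x = Office 2007)
            app = ET.fromstring(z.read("docProps/app.xml"))
            out["app_version"] = app.findtext("ep:AppVersion", namespaces=NS)
        if "word/styles.xml" in z.namelist():  # default editing language (assumed location)
            lang = ET.fromstring(z.read("word/styles.xml")).find(".//w:docDefaults//w:lang", NS)
            if lang is not None:
                out["default_lang"] = lang.get("{%s}val" % NS["w"])
    return out

def differing_fields(a, b):
    """Names of the fields on which two copies of 'the same' document disagree."""
    return sorted(k for k in a if a[k] != b[k])

def make_docx(creator, modified_by, version, lang):
    """Build a minimal constructed .docx in memory (sample data, not a real leaked file)."""
    core = (f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}"><dc:creator>{creator}'
            f'</dc:creator><cp:lastModifiedBy>{modified_by}</cp:lastModifiedBy></cp:coreProperties>')
    appx = f'<Properties xmlns="{NS["ep"]}"><AppVersion>{version}</AppVersion></Properties>'
    styles = (f'<w:styles xmlns:w="{NS["w"]}"><w:docDefaults><w:rPrDefault><w:rPr>'
              f'<w:lang w:val="{lang}"/></w:rPr></w:rPrDefault></w:docDefaults></w:styles>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", appx)
        z.writestr("word/styles.xml", styles)
    return buf.getvalue()

# Constructed pair mirroring the article: same document, one copy re-saved on a Russian-locale
# machine under another user name, the other copy with English settings.
SITE_COPY = make_docx("dnc-author", "dnc-author", "12.0000", "en-US")
PRESS_COPY = make_docx("dnc-author", "Iron Felix", "12.0000", "ru-RU")
```

Running `differing_fields(provenance(SITE_COPY), provenance(PRESS_COPY))` on the constructed pair flags exactly the two fields the article calls out, the saving user and the language setting, while the shared Office 2007 build stays common to both.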

Summary

The WikiLeaks Connection

There are persistent rumors that the Russian intelligence services have a close working relationship, or at least an understanding, with WikiLeaks. Whether this is true or not, the Russian intelligence services have used WikiLeaks as a cut-out in the past.

Alternate Competing Hypothesis

When conducting intelligence analysis, the alternative competing hypothesis method is one of the better ones for reducing cognitive errors. While there are a large number of easily controlled and spoofable data points, they are all consistent with a Russian actor. There may be another service that has worked to lay a false trail pointing to the Russians. If so, they have successfully:

  • run a fake Russian cyber espionage operation

It is fair to say that if this was not a Russian operation, someone went to tremendous trouble to conduct an operation that the Russians would have happily done themselves.

In Conclusion, Wow!

The Russian intelligence services are truly world class. After losing access to a strategic source of information, and being exposed, they managed to rapidly execute an influence operation and a deception operation to mitigate the damage. This is very nimble and responsive, and demonstrates a deep understanding of cyber as an information domain.

My sincere thanks to @pwnallthethings for the investigative and analytic work.

Originally written before June 16th:

Only posted on Jan 11th, 2017 because it seems like it is far past the point where the opinions and analysis of anyone actually matter.

Due to issues with white space, the base64 version is available here.

Written by thaddeus t. grugq :: Information Security Researcher :: keybase.io/grugq :: https://www.patreon.com/grugq