Russian Cyber Warfare Capabilities in 2014 (We aren't in Georgia anymore)

Ukrainian hackers
deface Russian newspaper

Russia's latest offensive against Ukraine over Crimea has revealed how little Russian expertise the U.S. has (see this New York Times article) as well as the failure of the U.S. Intelligence Community to anticipate Russian military actions against Georgia in 2008 and Ukraine in 2014 (See former DCI Michael Hayden here).

I've worked closely with a recently retired Russia analyst from the IC for the past six years and he has confirmed to me that since the end of the Cold War, Russia has never been a high priority for U.S. policymakers. Indeed, no one has wanted to be bothered by potentially problematic briefings about Russia.

You can see the end result of that knowledge gap in just about every article that has come out recently describing Russia's "Cyber Playbook". They all describe the same tactics that I and other researchers have written about six years ago. Unfortunately, Russia's past tactics in Estonia and Georgia do not even come close to adequately describing their tactical options with Ukraine. Here's a few reasons why:

No more Nashi
In 2008, the Russian government had been fostering and financing the Nashi youth organization for the past three years. Nashi members were involved in the Estonia cyber attacks of 2007, Georgian gov't websites in 2008 and targeted individual Georgian supporters in 2009. Today, the Nashi as it existed under Vladislav Surkov and Vasily Yakemenko is no more. And the same could be said for Surkov and Yakemenko thanks to Putin after he replaced Dmitry Medvedev as President.

Russian hackers aren't all supporting the Russian gov't on Ukraine
Back in 2008, Russian hacker forums were actively recruiting volunteers for attacks against Georgia. Not so today. In fact, I've been told that many Russian hackers are angry with Putin and are supporting their Ukrainian friends. Others, like @Rucyborg on Twitter, are trying to embarrass the Putin administration by breaching servers that contain sensitive information about the dealings of the Russian government such as this incident reported by the Hindustan Times.

New Russian Military Doctrine published in 2010
Russia published its 2010 military doctrine which acknowledged the "intensification of the role of information warfare" and assigned as a task to "develop forces and resources for information warfare."

Funding for dual-use Information Security R&D
Since 2010, Russia like the U.S., China and other countries has made dual use information security research and development a top priority at dozens of top research institutes and universities. Such research includes but isn't limited to:

• intrusion models
• information system attack assessment models
• security protection profiles
• operating system vulnerabilities
• electronic warfare capabilities that target automated systems from airborne platforms. 

Russian Military and Security Services Hacker Training
At least twelve institutes provide world-class instruction to their graduates in dual use information security and electronic warfare technologies, who are then hired by the Security Services and Ministry of Defense for offensive and defensive operations. Some of those institutes are included in the below graphic which was Taia Global's depiction of Russia's cyber security organization in 2011.

Copyright 2011 Taia Global Inc. All Rights Reserved

My point with this article is not to say that the Russian government doesn't still have the capability to use proxies the way that it did in 2008 and before. I'm sure that it does, however it has invested large sums of money to give its military and security services capabilities that are far beyond what they had in 2008. If you want to properly assess a threat, you need to understand your adversary's intent, capability and opportunity. The U.S. government has not kept current on Russian technical advancements which means that we cannot estimate capability accurately. In fact, the National Commission for the Review of the Research and Development Programs of the U.S. Intelligence Community. released its findings late last year after a two year study and its very first finding was:

The Commission found a limited effort by the IC to discern and exploit the strategic R&—especially non-military R&D—intentions and capabilities of our adversaries,and to counter our adversaries‘ theft or purchase of U.S. technology. 

Bottom line: We can't afford to continue to belong to the "Mile-wide" club when it comes to Russian capabilities. We need to do better.

Russia v Ukraine: Exploring the Cyber Side of the Conflict

Source: CNN.com

Until now, the only example of cyber warfare where cyber was a component of a military invasion has been the Russia-Georgia war of August 2008. Today, we are seeing cyber attacks play a significant role in the increasing tension between Russia and Ukraine.

Russian hackers who are sympathetic to the Ukrainian people have just leaked 1,000 documents related to the operations of Russian defense contractor Rosoboronexport and are promising to leak more data from other Russian companies.

A Russian contact has told me that a member of Putin's Cabinet has authorized cyber mercenaries to hack into WiFi and telecommunications services in Ukraine to collect credentials and install malware on mobile phones.

Reuters reported the head of Ukraine's Security Service Valentyn Nalivaichenko as saying "I confirm that an IP-telephonic attack is under way on mobile phones of members of Ukrainian parliament for the second day in row."

Korsun Konstiantyn, head of the Ukrainian Information Security Group has been attempting to form a civilian cyber defense force in anticipation of a military action by Russia. He posted the following message to his LinkedIn group: "In connection with the Russian military intervention against Ukraine ask everyone who has the technical ability to resist the enemy in the information war, contact me in PM and be ready for battle. Will communicate with the security forces and to work together against an external enemy."

My contact has informed me that the SVR will be involved in cyber attacks against Ukrainian targets. And it would certainly utilize graduates from the Voronezh Hacking School, a secret school that's part of the Voronezh Military Radio-electronics Institute; an organization that Taia Global reported on in 2011 and continues to monitor.

The Russian military and security services are well-equipped and trained to engage in offensive cyber operations ranging from social media manipulation and control to targeting automatic systems (i.e., industrial control systems) from an airborne platform. 

Due to the importance of this conflict, I've decided to allocate a large portion of our Suits and Spooks event in April to expert discussion on the cyber and kinetic components of the Russia - Ukraine conflict. Speakers will include Kos Konstiantyn (quoted above) via Skype, Dr. Anna Vassilieva,
Director, Russian Studies Program at Monterey Institute of International Studies, and other to be invited guests. 

Tomorrow I'll be participating on a panel at the Harvard International Law Journal Symposium to speak on this issue and the question of when cyber attacks rise to the level that justifies armed response. I should have the Suits and Spooks website updated with our Russia-Ukraine intensive by this weekend. Please feel free to contact me with any questions or if you have information to share.

Six Cryptographers Whose Work on Dual EC DRBG Were Deemed Without Merit by RSA Chief Art Coviello

"When, last September, it became possible that concerns raised in 2007 might have merit as part of a strategy of exploitation, NIST as the relevant standards body issued new guidance to stop the use of this algorithm. We immediately acted upon that guidance, notified our customers, and took steps to remove the algorithm from use." - Art Coviello RSAC 2014 Keynote speech

Three things about Art Coviello's keynote speech today jumped out at me:

1. He attempted to paint NSA as the sole bad guy in the Dual EC DRBG debacle. 
2. He carefully avoided any mention of why RSA trusted the NSA in 2004 when the agency wasn't trusted by RSA even five years earlier.
3. He believed that the published warnings of six independent and respected cryptographers in 2006 and 2007 had no merit.

It's the last bullet point that this blog post is about. I've listed the research papers published in 2006 and 2007 which described the same weakness (aka backdoor) in Dual EC DRBG; the encryption algorithm that the NSA was pushing for RSA to incorporate into its BSAFE product as a default in 2004. This body of work is what Coviello chose to ignore at the time and for another six years until The New York Times broke the story in September 2013; the same body of work that Coviello today was referring to when he said "that concerns raised in 2007 might have merit".

Comments on Dual-EC-DRBG/NIST SP 800-90, Draft December 2005 by Kristian Gjøsteen* (March 16, 2006)
Abstract: "We analyse the Dual-EC deterministic pseudo-random bit generator (DRBG) proposed in draft of NIST SP 800-90 published December 2005. The generator consists of two parts, one that generates a sequence of points and one that extracts a bit string from the point sequence. We show that the first part is essentially cryptographically sound, while the second is not."

*Associate professor at The Norwegian University of Science and Technology, Department of Mathematical Sciences.

Cryptanalysis of the Dual Elliptic Curve Pseudorandom Generator
Berry Schoenmakers and Andrey Sidorenko
Dept. of Mathematics and Computer Science, TU Eindhoven,
P.O. Box 513, 5600 MB Eindhoven, The Netherlands.
berry@win.tue.nl, a.sidorenko@tue.nl
29 May 2006

"The Dual Elliptic Curve Pseudorandom Generator (DEC PRG) is proposed by Barker and Kelsey [2].
It is claimed (see Section 10.3.1 of [2]) that the pseudorandom generator is secure unless the adversary can solve the elliptic curve discrete logarithm problem (ECDLP) for the corresponding elliptic curve.
The claim is supported only by an informal discussion. No security reduction is given, that is, it is not shown that an adversary that breaks the pseudorandom generator implies a solver for the ECDLP.
Our experimental results and also empirical argument show that the DEC PRG is insecure. The attack does not imply solving the ECDLP for the corresponding elliptic curve. The attack is very efficient. It can be run on an ordinary PC. Actually, the generator is insecure because pseudorandom bits are extracted from points of the elliptic curve improperly."

On the Possibility of a Back Door in the NIST SP800-90 Dual Ec Prng by Dan Shumow and Niels Ferguson (Microsoft)

Bruce Schneier "Did NSA Put a Secret Backdoor in New Encryption Standard?" Wired, November 15, 2007.

Art Coviello failed to explain why the work of any of the above researchers didn't merit an investigation into the algorithm which the NSA wanted him to adopt two years earlier. I hope that RSA customers pay attention to Art Coviello's clumsy attempt to whitewash RSA's responsibility in this matter and find other, more trustworthy vendors to take their business to.

Credit Suisse, BAE Systems and a workshop on Cognitive Biases

The new Suits and Spooks website now features an in-depth look at highlights of our upcoming event at Fort Mason in San Francisco including:

• an early look at the agenda
• our speakers and topics
• plus a game-themed workshop on how to identify cognitive biases

Two exceptional panels featuring security executives from Credit Suisse and BAE Systems will discuss industry-specific threats.

Register before March 10th and save $200 off the standard rate. Plus, if you register before March 1st, the Cognitive Biases workshop will be included free of charge.

The Way-Back Machine on Mandiant and APT: Not a Who After All

Kaspersky's latest report about The Mask reminded me that Mandiant never did issue a statement re-defining APT as a what and not a who as Richard Bejtlich and I and some other Mandiant executives discussed by phone on February 21, 2013. Now that a year has almost passed without any acknowledgment, I thought it would be fun to go back in time and see how the gospel according to Mandiant on "the APT" used to go:

[Source]

Here is a wonderfully prophetic quote by Rob Lee from a comment that he left on my Feb 28, 2011 blog post "Is APT a Who or a What?":

In the end, I might end up being one of the original “hackers” from MIT arguing over a term that became something else over time. And that is ok. I do feel that we aren’t there yet and we can still educate when we have a chance.

Rob gets an "A" for his prophetic abilities but an "F" for his past dogmatism.

Then there's Richard Bejtlich who got into more heated arguments over the Who v What categorization than anyone else I know.

The following quote came from a lengthy back and forth debate that Richard had with a commenter on his January 16, 2010 blog post "What is APT and What Does It Want?":

On April 15, 2010 Richard corrected Dan Geer's interpretation of APT from an article that Dan published called "Advanced Persistant Threat". Richard received notice of Dan's article from several people because back then anyone who didn't follow the Mandiant line of "APT is a Who, not a What" was immediately piled on and "educated" (to use Rob Lee's term). Anyway, Dan wrote: "Let us define the term for the purpose of this article as follows: A targeted effort to obtain or change information by means that are difficult to discover, difficult to remove, and difficult to attribute." 

Richard, while agreeing with most of Dan's article, couldn't let the word "effort" go un-corrected, and wrote: 

"That describes APT's methodology, but APT is not an effort -- it's a proper noun, i.e., a specific party."

Back in 2010, Richard, Mandiant and other long-time cybersecurity professionals were convinced that cyber crime groups didn't steal intellectual property. They saw the problem in clear-cut, stark terms. Eastern Europeans and Russians stole from banks. Chinese groups stole intellectual property. And all you Gh0stbusters out there better keep those two streams separate. Some of us knew back then that was bullshit and said so but we were a tiny minority.

In "Answering APT Misconceptions", Richard writes:

"Unfortunately, there's plenty of Tweeting and blogging by people who refuse to understand what is happening or are not capable of understanding what is happening."

 "Myth 2. APT is "not new." Reality: APT is only new to people who have not been involved with the problem. If you look solely at offender and motive, and exclude defender, means, and opportunity, you're likely to think APT is not new; you'd be wrong. Just performing an Attribution Using 20 Characteristics exercise helps demonstrate that APT is not like organized crime or other structured attackers."

It's OK to be wrong.

I'm not hammering Rob Lee and Richard Bejtlich because they were wrong about how they defined APT. I've been wrong more times than I've been right, just like I've failed more times than I've succeeded. There's nothing wrong with being wrong assuming that you weren't behaving maliciously. 

The lesson to take from this is to not be dogmatic about what an elephant looks like when you can't see the entire elephant. We do that all too often as an industry. And when the time has come (and past) that you've been proven wrong, it doesn't hurt to acknowledge that fact to those people who you deemed "not capable of understanding" your own flawed view of the world.

What We've Spent The Last Year Working On

Resolved, that Privacy is a benefit of and dependent upon a strong National Security Apparatus. For or Against?

Join The Debate: Feb 27th

The Suits and Spooks Security Town Hall on Feb 27th is shaping up to become an amazing event thanks to so many exceptional people who have agreed to be panelists. The debate will be moderated by Ted Schlein, who will also present closing remarks and Ajay Royan will open the evening with his unique take on the subject matter.

Complete information along with speaker bios is available at the all-new Suits and Spooks website. We're already 50% sold out so act soon if you want to be a part of this exciting evening. All of the ticket sales will go to one of four charitable foundations so I'm still looking for companies who'd like to join Taia Global, Silent Circle, and Mithril as sponsors.

Register with this link or call toll-free 855-777-8242

Select Your Foundation

NSA Cryptologic Museum Foundation CIA Officers Memorial Foundation American Civil Liberties Union Electronic Frontier Foundation