Hacker Profile: Russia

Key Takeaways

  • The Russian cyber threat landscape is made up of government agencies (FSB, GRU, and SVR) as well as criminal cyber gangs (REvil, DarkSide).

  • Russia targets critical infrastructure, interferes in democratic processes, runs disinformation campaigns, and extorts targets with information or ransomware.

  • There are dozens of devastating attacks from Russian actors, many of them targeted at the U.S. and neighboring former Soviet states.

The Russian Federation’s willingness to engage in offensive cyber operations has caused enormous harm, including massive financial losses, interruptions to the operation of critical infrastructure, and disruptions of crucial software supply chains. In this blog we discuss the Russian hacker ecosystem that has fueled this infamous global presence.

Russian Threat Actors

Over the past 20 years, Russia has increased its personnel, capabilities, and capacity to undertake a wide range of cyber operations. No single Russian security or intelligence agency has sole responsibility for cyber operations. 

Government actors:

  • FSB. The Federal Security Service (FSB) is Russia’s primary domestic security agency responsible for internal security and counterintelligence. Its missions include protecting Russia from foreign cyber operations and monitoring domestic criminal hackers. In recent years, the FSB has expanded its mission to include foreign intelligence collection and offensive cyber operations. Media reporting has documented close connections between the FSB and criminal and civilian hackers, which the FSB reportedly uses to staff its cyber units. The FSB recruits criminal hackers to work as contractors by offering them legal cover for their actions.

  • GRU. The Main Directorate of the General Staff, commonly referred to as the GRU, is Russia’s military intelligence agency. The GRU has been implicated in some of Russia’s most notorious and damaging cyber operations. The GRU’s style is known to be aggressive, with lower proficiency and poor operational secrecy. Fancy Bear (also known as APT28 or Tsar Team) is a Russian cyber espionage group that is attributed to the GRU.

  • SVR. The Foreign Intelligence Service (SVR) is Russia’s primary civilian foreign intelligence service. It is responsible for the collection of foreign intelligence using cyber methods. Most observers acknowledge the SVR operates with a strong emphasis on maintaining secrecy and avoiding detection. Most cyber operations reportedly linked to the SVR have focused on collecting intelligence as opposed to causing damage through cyberattacks. The SVR is also known to have high levels of technical expertise, often seeking to gain and retain access inside compromised networks. Cozy Bear (also known as APT29) is a group of hackers that is attributed to the SVR.

The visibility of Russia’s cyber operations has evolved over time with the gradual shift in leadership of those operations from the FSB to the GRU and most recently to the SVR. The GRU brought with it a culture of aggression and recklessness and a high tolerance for operational risk that was unusual in the cyber domain.

More recently, increased activity from the SVR has suggested a growing emphasis on long-term, covert cyberespionage operations. For instance, the SolarWinds compromise discovered in late 2020 went undetected for at least nine months, probably in large part because Russia exercised uncharacteristic restraint in targeting only a small subset of the victims that it had compromised. The GRU and Fancy Bear have been less active since 2018.

Russia is also home to one of the most active and potent cybercriminal communities in the world. “The key really is the lack of a law enforcement environment, the feeling that you can do almost anything and get away with it,” says Dmitri Alperovitch, a Russia-born U.S. citizen and co-founder and CTO of security firm CrowdStrike. “They were able to grow and evolve into organized enterprises.” These groups organize themselves as for-profit ransomware and extortion groups.

Criminal actors:

  • REvil is behind the ransomware attack on the meatpacking company JBS, the Kaseya ransomware attack, and a successful hack of Apple. REvil uses a “ransomware-as-a-service” model in which it grants subscribers access to ransomware developed by REvil, in return for a share of the ransom payments.

  • DarkSide is another infamous Russian cybergang. It hit Colonial Pipeline with a ransomware attack, causing a shutdown of thousands of miles of the pipeline, in order to extract a hefty payment in Bitcoin. The group has publicly stated that it prefers to target organizations that can afford to pay large ransoms rather than hospitals, schools, non-profits, and governments.


Tactics, Techniques, and Procedures (TTP)

Cyberwarfare by Russia includes denial of service attacks, zero-day attacks, dissemination of disinformation and propaganda, and internet surveillance.

Russia’s initial cyber operations primarily consisted of Distributed Denial of Service (DDoS) attacks and often relied on the recruitment of criminal and civilian hackers. The most notable early attack occurred in 2007 when Estonia was the target of a large-scale DDoS attack originating from Russian IP addresses. Estonian targets ranged from online banking and media outlets to government websites and email services.

Russia’s recent shift to more covert operations means that it is relying less heavily on techniques like traditional phishing and denial-of-service attacks. Instead, the focus is on more advanced intrusion tactics like credential harvesting, supply chain compromises, and infiltrating critical service provider platforms.

Notable Attacks from Russia

Russia’s main targets have been Ukraine and the United States. There are dozens upon dozens of cyber attacks originating from Russia; here are just a few:

  • In April 2007, Estonia was targeted by a series of cyberattacks on financial, media, and government websites, which were taken down by an enormous volume of spam transmitted by Russian botnets in a DDoS attack.

  • In 2015, the Paris-based French broadcasting service TV5Monde was attacked by hackers who used malicious software to attack and destroy the network's systems and take all twelve of its channels off the air. The attack was linked to Fancy Bear, the GRU-affiliated hacker group.

  • Disruption of the Ukrainian power grid in 2015: Russia was credited with the first attack on a live power grid, affecting over 225,000 people.

  • The 2016 NotPetya attack is considered one of the worst cyberattacks ever. Originally targeting Ukraine, this encrypting virus spread all over the world. This attack, too, has been linked to Fancy Bear.

  • Also in 2016, the release of hacked emails belonging to the Democratic National Committee through WikiLeaks was said to have been of Russian origin.

  • In 2020, Cozy Bear was behind the massive SolarWinds hack that compromised about 100 U.S. companies and a dozen government agencies.

  • In 2021, REvil hacked Kaseya Ltd and JBS.


Conclusion

The style of Russia’s offensive cyber operations has evolved along with its improving technical capabilities and with the style of whichever government agency is leading those operations. Beginning with DDoS and phishing attacks in the GRU-led early days, Russia is now carrying out covert, sophisticated supply chain attacks under the SVR’s direction.

In addition to state-sponsored activity, Russia is home to the most dangerous organized cyber gangs in the world. Weak law enforcement and the opportunity for large revenue motivate a large cybercrime industry in Russia, which results in many devastating attacks on foreign companies.

Russia has been one of the foremost hacking threats in the world for decades. The number of actors and the variety of their motives make the Russian cyberthreat ecosystem perhaps the most dangerous and the hardest to defend against.