Cyberspace becomes 2nd front in Russia's clash with NATO
By MICHAEL RILEY AND JORDAN ROBERTSON | Bloomberg | Published: October 14, 2015
WASHINGTON — Russian computer attacks have become more brazen and more destructive as the country grows increasingly at odds with the United States and European nations over military goals first in Ukraine and now Syria.
Along with reported computer breaches of a French TV network and the White House, a number of attacks now being attributed to Russian hackers and some not previously disclosed have riveted intelligence officials as relations with Russia have deteriorated. These targets include the Polish stock market, the House of Representatives, a German steel plant that suffered severe damage and The New York Times.
U.S. officials worry that any attempt by the Russian government to use vulnerabilities in critical infrastructure like global stock exchanges, power grids and airports as pressure points against the West could lead to a broader conflict, according to two people familiar with the debate inside government and who asked to not to be named when discussing intelligence matters. When NATO officials met last week, they voiced alarm about Russia's rapid involvement in Syria, including the firing of cruise missiles, and vowed the biggest reinforcement of their collective defense since the end of the Cold War.
The Warsaw Stock Exchange is but one example of the heightened cyber-activity. Hackers who rifled the exchange last October, in a breach that set off alarms among Western intelligence agencies, proclaimed they were Muslim militants angry over Poland's support for a bombing campaign against the Islamic State.
"It's beginning," the group posted online in a file-sharing site called Pastebin, heavily used by the cyberunderground. "To be continued! Allahu Akbar!"
While stealing some data, the attackers also made dozens of client logins public, opening the exchange's systems to additional chaos from cybercriminals of all stripes. It was sabotage by crowd-sourcing.
Except the infiltrators weren't Islamic militants at all. Behind the smokescreen was a group of hackers with ties to the Russian government, according to three people familiar with the Polish investigation. The incident was viewed by Polish investigators as a stark warning to the country, a member of the North Atlantic Treaty Organization intent on driving a strong alliance response to Russia's moves in eastern Ukraine.
The attack on the exchange, which said in a statement to Bloomberg News that the trading platform wasn't affected, has prompted the Polish government to begin an upgrade of computer systems in government offices, the financial sector and hospitals, said one of the people.
As in other domains, Russians acting directly for the government or with its approval are testing the boundaries of the cyberbattlefield, according to an assessment by U.S. intelligence agencies. The attacks are often called state sponsored by security companies working to arrest the damage, though it is difficult to ascertain which ones might have been done by intelligence agencies and which ones by criminals with access to sophisticated tools hoping to curry government favor.
"They have let loose the hounds," said Tom Kellermann, chief security officer at Trend Micro, a Tokyo-based security firm.
Dmitry Peskov, a spokesman for the Kremlin, rejected suggestions that Russia is behind the attacks. "These are absolutely unsubstantiated allegations, which are often absurd," he said. "We also have been the targets of attacks, which again shows that everyone can just as easily be subject to such attacks. International cooperation is required to expose and deal with these threats. But unfortunately, we don't always see a constructive approach on this issue from our partners."
Russia is called America's biggest cyberthreat by U.S. Director of National Intelligence James Clapper, and it appears more willing than ever to push up against U.S. doctrine, which holds that destructive hacking attacks could be considered acts of war. So far, the U.S. has not made any public response to the suspected acts.
Cyberspace is a messy arena for fighting. Miscalculations, even by skilled operators, are common, fueling concerns about what could happen to essential infrastructure. And Russia is one of the few nations that intelligence officials say can successfully mask its identity in cyberspace, even from the National Security Agency.
The attacks, though, are mounting, leaving officials looking for ways to redraw lines that have already shifted significantly over the last 18 months.
Raising alarms in Europe, Russian hackers damaged a blast furnace early last year at a plant in Germany owned by ThyssenKrupp, the country's biggest steelmaker, according to four people familiar with the attack. In that case, malware found in the system had previously been tied to Russian espionage activity, but U.S. intelligence agencies have not linked the incident directly to the Russian government, said one person familiar with the matter.
Kilian Roetzer, a spokesman for ThyssenKrupp, denied any such attack occurred, as has every other company operating a blast furnace in Germany. A furnace attack was disclosed by the German government last year without naming any company or perpetrator.
In April, the same group that last year attacked the Warsaw stock exchange hit the operations of TV5Monde, according to security firms tracking the incidents. The attack shut down the major French television network on April 8 and 9, and restoring the system fully will cost of 15 million euros ($17 million), its executives estimate.
Russian hackers have stepped up surveillance of power grids and energy supply networks in the U.S., Europe and Canada, a provocative move given government sensitivity to tampering with essential infrastructure for millions of people, according to two people familiar with that activity.
U.S. authorities who spoke on condition of anonymity interpret it as a warning. "Russia is exceptionally skilled," said Mike Buratowski, vice president of cybersecurity services for Fidelis Cybersecurity. "If you see them, chances are it's a decision: Russia is OK with you seeing them, or wants you to see them."
Russian President Vladimir Putin has continued to pour money and manpower into the country's hacking forces since returning to the presidency in 2012, according to U.S. officials. "While I can't go into detail here, the Russian cyberthreat is more severe than we had previously assessed," Clapper told a congressional committee in February.
As economic sanctions have punished Russia for its aggression in Ukraine, the Russian leader has used a combination of regular and irregular cyberforces that are now jockeying for resources and accolades from Moscow, according to Jason Lewis, a former network exploitation specialist with the U.S. Defense Department.
"They're being successful. If you're doing something that's working, you're going to keep doing it," said Lewis, now chief collection and intelligence officer for LookingGlass Cyber Solutions Inc., based in Arlington, Virginia.
Hits by Russian hackers on the email systems of the White House and the State Department were disclosed earlier this year, but they represent only a fraction of the overall activity, according to government and private security specialists.
The same group that breached the Warsaw exchange and the French TV station recently penetrated the email system of the House of Representatives, giving Russia access to the communications of lawmakers, according to a person familiar with that investigation. Dan Weiser, a House spokesman, declined to comment, citing a general policy not to discuss information security systems.
And in July and August, U.S. government agencies were bombarded with poisoned e-mails loaded with malware sent by two different Russian hacking groups. Trend Micro's Kellermann said one of those waves targeted 2,000 senior officials, including at least one member of President Barack Obama's cabinet, as well as the personal email accounts of their spouses.
Another person familiar with the e-mails said the attacks were certain to be detected because of their profusion and the high ranks of the targets, but that did not make them totally unsuccessful. Investigators from the NSA and Department of Homeland Security spent hundreds of hours trying to contain the impact, hacking into servers controlling the attacks and scrubbing government networks, according to people familiar with their efforts.
The NSA and DHS declined to comment on the incidents or on Russia's possible cyber-activities.
Putin enjoys some significant advantages over his adversaries in cyberspace. Russia is home to the most sophisticated collection of cybercriminals anywhere in the world, and the government maintains close relationships with many of them, according to assessments by the Federal Bureau of Investigation and U.S. intelligence agencies.
Trend Micro says the group that attacked the Warsaw exchange -- nicknamed variously by cybersecurity companies as APT 28, Fancy Bear or Pawn Storm -- is most likely staffed by a loose confederation of the country's best criminal hackers. In some instances, they have better skills than the hackers employed by the Russian government, and they have become more motivated after events in Ukraine to help the government, Kellermann said.
"These guys have been untouchable for years and now they are coming back to the stable to pay homage," Kellermann said.
Warsaw exchange officials said the damage was limited. "The trading system of Warsaw Stock Exchange itself and data concerning the trading system were not jeopardized," Justyna Rachanska, an exchange spokeswoman, said in a statement. The breached systems, she said, included an investment simulator and a Web portal for managing the exchange's upgrade to a new trading system.
The stock exchange's web site was forced to shut down for about two hours, according to one of the people, and the hackers gained deep intelligence about the exchange's technology road map.
Poland's Internal Security Agency said information about the incident is classified and declined to comment.
Some private security experts say that APT 28 could be a specialized unit of the FSB, the Russian state security agency. The group has been linked to hacks of Putin's domestic opponents, including the rock group Pussy Riot, and counter- terrorism missions, tasks that would be natural for Russia's main intelligence agency.
APT 28 is using more than run-of-the-mill crimeware. A confidential analysis prepared by Google of one of the group's tools, known as X-Agent, described it as an extremely sophisticated version of a remote access tool, or RAT, that uses encryption and other techniques on par with U.S. hacking software.
Bloomberg News obtained a copy of Google's 41-page analysis, which shows how X-Agent users can swap in various modules for most any conceivable mission, much like the RATs used by the NSA's elite teams, according to a person familiar with that software.
The APT 28 group was also behind an attack last year on the New York Times, starting when hackers took over the personal email account of a Washington-based national security reporter and then targeted more than 50 other staff members, according to two people familiar with the investigation. The hackers failed to get into the paper's primary network, one of the people said. A spokeswoman for the company declined to comment on the incident.
A different group of Russian hackers hit the White House and State Department in incidents disclosed over the last year. That group is called APT 29 by cybersecurity company FireEye and called TEMP.Monkeys by ISight Partners, a cyber-intelligence company that works closely with the federal government. The name refers to monkey videos used in "spear-phishing" emails designed to get White House staffers to click on them.
"APT 29 employs some of the most sophisticated techniques we've seen," said Laura Galante, the director of FireEye's intelligence team that specializes in state-sponsored espionage.
"The fact that we're talking in detail about different Russian groups is pretty remarkable," Galante said. "China has always had lots of groups with distinct behaviors and victim types; we're now starting to understand Russian groups in a similar fashion. The uptick in activity over the last few years, especially since Ukraine, has provided us with more data points about potentially state-sponsored groups."
U.S. and European intelligence agencies have struggled in recent months to assess what they see as Russia's newly bellicose behavior in cyberspace.
Intelligence specialists say the hit on TV5Monde may have been a veiled anti-terrorism operation. Like the Warsaw intruders, the hackers claimed to be Islamic militants, the CyberCaliphate, and may have sought to identify other hackers who are actually sympathetic to that cause.
Over the last 18 months, Russian actors have increased the surveillance of electrical grids and pipeline networks throughout North America and Europe, gathering information on critical systems that could be used to launch devastating digital attacks, according to government alerts and cybersecurity firms. The deployed malware, known as Havex, was also found in the damaged German blast furnace, according to people familiar with the steel mill investigation.
The steel mill attack was a rare example of computers being used to cause physical destruction, carrying strong political overtones for the German government.
The hackers hijacked a computer that controlled the blast furnace, inserting malware that caused the machine to overheat and melt down, according to three people familiar with the incident and Germany's Federal Office for Information Security, or BSI, which disclosed the attack in November 2014 without linking it to Russia. The result was "massive damage," according to the BSI report.
Security specialists initially speculated the damage might have been an accident by hackers trying to gather data on how the mill operates, but details have since emerged that point to intentional destruction.
Sometime in late 2013 or early 2014, the hackers began by penetrating the mill's office computers with spear-phishing emails and social-engineering tricks against employees, according to a private-security specialist briefed on the attack. Then they found and tunneled through a trusted network connection that led to the factory floor. Finally, they broke into the digital controls for the blast furnace, tampering with a system of temperature sensors and motors that controlled gas flow. They remotely disabled the furnace's ability to shut down. The entire process took weeks.
Digital traces left in the system immediately pointed back to Russia, but not conclusively to the government itself, according to a U.S. intelligence assessment, as explained by a person familiar with that analysis.
The attack more than a year later of TV5Monde suggests such events will continue unless the U.S. and others can develop an effective response, said John Hultquist, head of cyber-espionage threat intelligence at ISight Partners.
"To anyone looking for signs that things are getting a lot worse, there are plenty of them out there," Hultquist said. "Everyone seems a lot less timid about using methods other than just intelligence collection now. They are simply more aggressive and less restrained."
Contributors: Tino Andresen in Dusseldorf and Henry Meyer in Moscow.