Podcast transcript: The changing face of cyber warfare


This automatically-generated transcript is taken from the IT Pro Podcast episode 'The changing face of cyber warfare'. We apologise for any errors.

Rory Bathgate

Hi, I'm Rory Bathgate.

Jane McCallion

And I'm Jane McCallion.

Rory

And you're listening to the IT Pro podcast, where today we're discussing cyber warfare.

Jane

It’s been over a year since Russia’s unprovoked invasion of Ukraine, and in that time cyber warfare in the region has seen a marked increase. Ukrainian government networks, as well as civilian targets, have been hit with a range of cyber attacks including spear phishing, wiper malware, and leaks of sensitive data.

Rory

Google recorded a 250% increase in Russian cyber attacks against Ukraine in 2022 compared to 2020. NATO members have also been impacted by online criminal activity, with ransomware targeting Poland and the UK’s National Cyber Security Centre urging vigilance against the continued threat posed by Russian-sponsored groups.

Jane

Today, we're speaking to Daniel Thanos, head of Arctic Wolf Labs, to explore the practices of Russian and Russian state-sponsored threat actors, and what is being done to stop them.

Daniel Thanos

Yes, absolutely. When it comes to, within the context of the Ukrainian and Russian war, it's an act of cyber war against each other. It's interesting in that previously, groups that would have been working together or individually been working together within the ransomware context have actually split apart. So for example, we had the Conti leaks, this was a very famous somewhat state-affiliated ransomware group with the Russian government, but they had a lot of Ukrainian members. And as a result of the war, some of them leaked all the internal communications and tradecraft in disagreement, obviously, with the war and disagreement with Conti's statements saying that they're gonna be kind of supporting the Russian state as it prosecuted this war. So there's definitely been impacts in terms of the ransomware operators themselves, because they're not purely Russian, per se. That's one impact for sure. The other impact, of course, has been just as you've mentioned there's been a lot of attacks happening back and forth between Ukraine and Russia. The Ukrainians are highly skilled in this area, they have been able to penetrate and leak a lot of information about Russian military personnel operations, the government itself, and create a flood of embarrassing information. They've also been very active in what I call the info war space that's basically, you know, hacking with the purpose of disseminating information to the population, especially Russia as much as you can. Given the fact that to some degree they're cocooned from reality, they only get the reality that their government chooses to deliver to them. So a lot of cyber operations are kind of involved in, you know, getting the truth to them as well.
And on the Russian side, of course, it's just business as usual in the sense that they've always tried to attack critical infrastructure in Ukraine, some of the first instances of successful cyber attacks against the power system, for example, have happened in Ukraine, and that was even before the war. And all of those activities obviously have only increased. And they are, the Russians are first-tier cyber warfare operators, and that activity has not ceased, we saw the wiper activities, as you mentioned, and obviously they're gonna continue to take those opportunities as are available. However, what has also happened in the war, there's been a real big escalation in kinetic attacks against critical infrastructure. So it's now not that they're bothering to do things in the cyber realm, they're literally bombing the infrastructure, and of course that also impacts the cyber realm because you have fewer and fewer systems online when you don't have power. So obviously they're taking a very different tactic there. But one interesting angle that I do see in all of this though, essentially the satellite system that's been provided to them by Starlink. That's a big game changer, because that's really hard to attack because it's mobile and you can set those up anywhere. And so to some degree that's become like a communication backbone in Ukraine. And so I'm curious to see if Russian cyber actors try to attack that, or try to target it accordingly as well in the process.

Rory

In defining some of this wider context, you've talked about state-sponsored groups. I was wondering if for those who don't know, you could lay out some of the differences between other threat actor groups, ransomware groups, such as maybe LockBit, and state-sponsored groups. You mentioned Conti, we've also seen Sandworm and a great deal of threat actors in and around cyber, yes.

Daniel

Yeah, there's also folks we've done some recent research on and published on our website called Karakurt too. These names are popping up everywhere and they're metastasising. But here's the thing, the best analogy that I like to use is this kind of like piracy of old. And what do I mean by that? So, you know, going back many years to the age of pirates and privateers. Usually, what would happen is one country would essentially issue a licence to pirates, as long as they pirated the opposing country, right? And so these were kind of, one man's privateer was another person's pirate. So, it's kind of the same way here too. So what happens is that you have ransomware groups, to some degree, because they're allowed to operate with impunity. A lot of the Russian-based groups one way or the other, they do have, they basically have licence. So they're basically privateers on the high cyber seas. And just like pirates of old they like to build brand and notoriety, because that increases their likelihood of collecting their ransom. Because when people realise that they're potent, they're serious, when they say "I have your data, I will leak it", they have the notoriety. And that's how they kind of get their payout. Now, some groups are more closely affiliated to the government than others. And that could be because quite literally, you might have members of the group that it's kind of like their moonlighting job. They literally can be folks that are involved in state cyber operations, but by night this is like their freelance gig, and they're just part of the ransomware gangs and it's just understood that they're kind of allowed to do that to create more revenue for themselves. Other ransomware groups maintain affiliation because they're being directed, kind of loosely directed by a state actor. So it's like, "geez, we would really like it if you could go cause some havoc in some key sectors against these target states", right?
And so they will kind of get like some loose guidance, or some suggestions that they act on. Some of them just like Conti in the beginning they kind of viewed themselves, I guess, as more like hacktivists, or an arm of the Russian warfare operation. So obviously, there must have been key individuals there that were very closely affiliated and had relationships. Now, with that said, I will tell you that the nature of the threat is metastasising. And because of the war, just like many other young men, people in these groups are fleeing Russia. Not all of them want to be part of this conflict. And they're going out into other countries, we're seeing evidence of new groups being established, we see evidence, recent evidence of basically anonymous-type ransomware attacks where it's like, they're not raising the black flag and saying, "I'm this group or that group". They're just anonymous, and they're still like asking for ransom. And what that tells me is we may be seeing, because of threats becoming more diffuse, and they're operating in countries where they don't necessarily have free sanction, they have to be a little bit more careful. So they're not looking to draw as much attention, but it's almost like their trade and they've got to apply it, and they've got to make their money. So we're already beginning to see evidence of that, no branding or nothing, just anonymous attacks, but they're still looking to kind of collect their collective ransom. And they're demanding less. So that again, that could be because you're seeing more freelance activities as the threat kind of becomes more ubiquitous.

Jane

See, that's interesting you say that, because I was going to ask if there has been a change in say, the volume of cyber attacks coming from Russia based on the fact that there has now been conscription of young men for the past few months, some of whom will definitely have been members of these cyber gangs, if you will. Is it then that the volume is the same, but the people have moved? Or that people who may have been say, more part of these patriotic hacking groups are now off doing freelance extortion on the side while they're in other nations? What impact are you seeing?

Daniel

Yeah, so let's look at the trend. When the war first started, definitely there was a, I would say there was a reduction in activity for sure. We saw that in our incident response business, there's levels of predictability and they were trending. And it went down, it went down because I think there was a lot of initial focus with these groups joining, as you said, cyber patriot groups or again a lot of them, I believe a lot of these folks kind of moonlight and they actually do work in government cyber operations. Or they can be military affiliated. And so obviously their focus changed, but now as the war is kind of dragging on, I think we're seeing a lot of people pivot back to having to make their money. So activity has started to trend up again. But I think what's happening is the threats are just becoming more distributed, more diffuse, because I think they're just like everyone else as we mentioned before, you have a lot of talent and malicious talent in this area leaving the country. And they're just setting up shop elsewhere, and they're now beginning to organise themselves. There's also a lot of specialisation happening, and that's been happening even before the war in Ukraine where people that actually execute the ransomware attacks are different than the people that get initial access, the initial access brokers. And then the people that develop the tools, the malicious tools, basically rent them out to the people that do the attacks. So this specialisation has been happening for a while, I think to some degree now, this is like only going to accelerate it as well. And the activity is basically going up again, and I think it's just because it took time, that there was a big distraction in this war. But now I think a lot of folks are going back into their trade, if you will, back to their craft.
And as they leave the country, and they just self-organise in different ways they have to be a little bit more stealthy in terms of not attracting as much attention. Because again, they don't have that free sanction to do whatever they want. So it's just that the nature of the threat changes, and the nature of their operational security changes. But now it's going up again. And then even within Russia itself, for the people that are there that are more state-affiliated or outright just work for the state. Yeah, I believe as the sanctions start to really bite and decoupling between Russia and the West increases, and depending on the trajectory of the war and Russian losses and challenges you may see the Russians also pivot back to increased operations, focused on disruptive and disrupting attacks as well.

Jane

I want to talk tactics a little bit, so going back to something that you said a little bit earlier on, which is that there's been a drop in cyber attacks and kind of a move to more kinetic attacks. When the cyber war was being theorised about before the invasion of Ukraine actually happened, two of the big theories were that a physical traditional kinetic war would be preceded potentially by a big uptick in cyber attacks to kind of prepare the ground. And also potentially even that critical infrastructure would be hit by crippling cyber attacks, to kind of mean that you then don't need to worry about hitting a power station or whatever, because it's already offline. Now, it sounds to an extent that what you're saying is that's not really what happened, that this cyber war in reality is quite different to what was theorised. Is that sort of a fair assessment?

Daniel

I think the outcome that the Russians certainly wanted happened differently. What I will tell you is if you talk to people that have been involved in the Ukrainian CERT, the folks that are actually involved in the cyber defence of Ukraine, they have thwarted a lot of attacks. And they continue to do so every day. So I think there's also been like, let's be frank, the Western world has also surged in resources and expertise to help Ukraine in this realm, too. So, and there's been a lot of volunteer effort as well. So my statement on that would be: if the Russians could have caused havoc that way, they would have. But what you don't always get in the news is the unsuccessful attempts. So I have no doubt that they attempted many things, but I also have no doubt that Ukraine was well prepared. Because cyber warfare has now become a standard doctrine, and it is a preceding tactic before you go into full kinetic warfare. So electronic warfare is like an older version of this, but it's the same thing, it's based on the same doctrine. So you know, before you go bomb someone, you scramble their communications, you bring down their communications, you scramble their radar. It's much the same thing within the cyber realm as well, because more and more systems have become computerised. And the best way to catch your enemy in a situation where they can't respond is to attack them on the cyber realm, because it's cheap, and it's effective. Now, the other issue is that what I attack with the cyber realm usually does mean I can recover. So just going back to my experience, I've done security for critical infrastructure and I was involved with a few US presidential commissions in this area, and what I will tell you is that there's a very narrow set of cyber attacks that are possible that can actually harm physical infrastructure, especially in the power grid. And that's pretty hard to execute.
Most of the attacks that you're going to get, your enemy is able to within a certain period of time recover from it. And usually what you're doing is, when you're attacking, it's just that you want a certain window where there's confusion, things are down, then you're taking kinetic action, then you're out again. And usually you're not going to get to repeat that attack. Because once your enemy has figured out what you did, usually those methods are not available to you again. Now in the case of Ukraine, because they've already endured a lot of these attacks and attempts, I think they were well positioned to be able to defend themselves against the onslaught of things that I'm sure the Russians repeatedly tried. And we saw some things get through with the wiper attacks and whatnot. But if you attack someone enough, what you're doing is you're encouraging them to build defences. So it's kind of like exercising a muscle, right? If you force someone to use it, they're going to increase their capabilities.

Rory

You've talked a bit about some of the attacks on critical national infrastructure with things like wiper attacks. I was wondering if there was a difference in tactics with the attacks that we've seen on Ukrainian businesses in the region, or whether there's really kind of a shared tactic there?

Daniel

Yeah, at the end of the day these tactics are all shared. So all that's different is essentially the payload that I'm delivering. So if my objective is different, so my objective is to exfiltrate information, it's not that I need to kind of burn the place down on my way out. If my objective is destructive, then obviously I'm going to wipe your servers, I'm going to try to do as much damage. So what I'm trying to do is essentially, I'm trying to impact your availability. So in the security industry, we like to talk about confidentiality, integrity, and availability, it's like this triad of security. And so if my objective is to essentially bring down a system and do a disruptive attack, what really I'm doing is I'm just trying to impact your availability, right? If my objective is to steal information with the intent of causing you reputational damage, or using that in an info war campaign of some type, because information I've stolen is somehow embarrassing to you, or kind of degrades trust in you or your institutions, that's an attack on your confidentiality. And if I'm trying to attack a system, such that I'm injecting false data to cause it to process something wrong, or kind of lose trust in it, that's like attacking the integrity of a system. And those are kind of like the ways you can think about it.

Jane

So we've spoken a lot about what's happening between Russia and Ukraine. Now obviously, while NATO as an organisation and NATO countries are not involved in the war itself, they're supplying a lot of support to Ukraine. So when it comes to cyber attacks that are coming out of Russia, are they also targeting NATO organisations, whether that is governmental or private businesses, or whatever? Or are they just focusing all their efforts on Ukraine?

Daniel

So two comments on that. First thing is even before the war in Ukraine, Russia has been a prolific threat actor, they've always targeted NATO countries. They've targeted them for the purposes of espionage, they've targeted them for the purposes of causing disruption through their ransomware affiliates. And that doctrine hasn't changed, right? They also target for the purpose of again, information warfare, causing confusion in your enemy, that doctrine hasn't changed. So they will continue to target even now, so if they've targeted before the war they're going to continue to target during the war and so that won't change. What happened though is, like we discussed before, in the initial stages I think they just got really, really focused on their target which was Ukraine and they really focused their operations there. Because the government there in Russia was thinking that they could blitzkrieg their way through Ukraine, and basically just decapitate the government to take over the country. Now, as that hasn't happened, and thank God it hasn't because of the bravery of the Ukrainian people. But as that hasn't happened they, to some degree, they have to continue to sustain their national security objectives, even in the face of this war. So their intelligence programmes aren't going to change, their intelligence programmes against NATO aren't going to change, they're only going to intensify. Because now as a result of this war, and as a result of their disastrous policies, they're going to get exactly what they didn't want which is an expansion of NATO. So NATO now is going to become an even bigger threat to them, and so you can be guaranteed that they're going to only increase their cyber operations against it. And they're gonna have to increase their intelligence gathering now. So and they're going to have to, as per their policy in the past, they love causing division and disunity within the alliance.
And so they're going to be executing cyber-backed espionage, to find ways to do that, to find what are the divisions when it comes to Europe? I have no doubt that they're trying to collect intelligence around whether they cause an energy crisis, or what's going on with energy planning. All of these things are going to be levers that they need or leverage that they need to try to, at some point or another, try to negotiate something and try to meet some of the objectives they have in mind when it comes to Ukraine. And they know that, I have to believe that most people in Russia understand that they're not going to be able to conquer Ukraine, but they're going to have to figure out a way to meet some of the objectives they had in mind. And the only way to do that is to create divisions in the alliance, exploit divisions in the alliance, and they're going to have to collect a great deal of intel to figure out how to do that across many non-obvious sources. So that means there's going to be an increase in cyber operations, not necessarily destructive. They're going to be more focused on just day in and day out espionage and intelligence gathering.

Rory

I'm curious, you mentioned sanctions earlier, you talked a bit about that. Sanctions were some of the earliest actions that were taken against Russia, and some were even specifically targeted to cut funding for Russian threat actors. Are these working currently? And what other methods are currently being used to tackle Russian threat actors?

Daniel

Yeah, that's a great question. And there's definitely a cyber angle to it as well. I think, again, just me reading the information that I'm sure other people have read. Initially, it hasn't had as broad of an impact, I think, as many anticipated. And that's just because of the complexities of our globalised economy. So as we tried to kind of tighten the screws on Russia, really what we did was we caused the price of gas and oil to go higher. So there are still people that, even if you're let's say cutting down the size of their market, if the product that they're selling is still going up in value, even if they have a smaller market to sell to, because make no mistake there's still people buying Russian gas and oil. And I'm sure there's even people that are trying to find ways to like skirt sanctions, there's been some interesting research out there by a lot of security researchers observing Russian ships getting to certain countries and then turning off their transponders, and the ship goes somewhere, it docks and then it kind of goes back to Russia. And that ship happens to be something that can transport oil or gas, there's a lot of that activity going on. So, I mean, we've pushed the price of gas higher because of this war. So overall, I think we know that it didn't create as much impact as anticipated. But the other thing too is sanctions take time to really take hold. When sanctions were initially issued, they weren't as severe as the ladder that's been growing, the ladder of sanctions. Because I guess the intent in that area is essentially, to try to get them to think about their behaviour and see if you can kind of change that behaviour, but obviously it's not changing. And so therefore that ladder keeps going up.
The other issue too, is that it will take time to investigate and find all of the sanction evaders and the systems of evasions that they're setting up, because I have to believe that the Russian government clearly understood what would happen in regards to sanctions, should they take the actions that they took, and I'm sure they had already built an extensive network to help in establishing various types of evasions. These things are very sophisticated. And especially when you throw in things like crypto and all of these emerging FinTech things into the mix, there's just, there's a network of possibilities that are out there that they can use. And the other thing too, to understand as well is that a lot of the oligarchy is kind of one and the same with the state. And their companies and their networks, when required, are used in service of the state. And it took a lot of time to even get a lot of governments to go after specific oligarchs, and go after their assets, and go after their companies. So there's still a lot of things to be done in that realm as well. So we're not really necessarily seeing the full effect of sanctions yet, because from the point of declaring a sanction, to the point of enforcing a sanction, those are two different things. All that stuff takes a lot of time, and it takes a lot of investigation to figure out all the evasions that are happening there, and then it takes a lot of diplomacy. Because when you have large countries like India still buying Russian gas and oil, and you have large markets like China, which is happy this is happening because now they're getting Russian gas at awesome discounts, you have to begin to strong-arm there too. So it's basically like, you need to create consequences for those that continue to support this warlord.

Jane

So Daniel, in the round what has all of this taught us about the nature and potential severity of cyber warfare? What can our listeners learn from all of this?

Daniel

I think it's like anything else that is kind of new and we have theories of it, but then we discover it in practice. I think the most important takeaway is that, we have a tendency sometimes to overestimate, and underestimate threats. And usually the truth is going to be somewhere in between, so if you're imagining a worst case scenario, it's usually not quite that, but if you're also imagining a best case scenario, it's not going to be that. The truth is always going to lie somewhere in between. Especially for critical infrastructure, there's a lot of things that need to happen in order for you to get successful attacks in those areas. And usually, unless these things have been pre-planned for years, and there's still physical components to these attacks and insiders, and a whole bunch of things that you need to do to score impact. So I like to use the Stuxnet example of old, when we successfully impacted the Iranian nuclear programme and really screwed around with centrifuges, that operation was not a spur of the moment response. It was probably a good one to two years of planning and development, and it required inside access and physical access. So that's why it was more in the realm of intelligence agencies and national security agencies, strong components within espionage and so on and so forth, executed these things. So it's not the same as cyber warfare mirroring what happens in a battlefield, which is like "I'm loading up a shell, I'm aiming some artillery to a certain latitude and longitude and firing the shell". So cyber warfare is not as kinetic, in the sense of it's not as fast acting as some would believe. Real cyber warfare takes time, and it takes a lot of planning to be executed, and of course its impact can be quite wide.
But I think it's cyber warfare that has wider impacts or more constant impact, is like a lot of these ransomware attacks because definitely, they can be disruptive, we've seen that with Colonial gas in the US which was a minor operator, but critical to the supply chain. They didn't have the capabilities to defend themselves. And they caused shortages and impact. They didn't destroy infrastructure, per se, but they caused serious impact. And even something like that, it takes time to plan and execute those things. So it's not like a spur of the moment type action.

Rory

Well, Daniel, thanks so much for being on the show.

Daniel

It was a real pleasure to be here. Thank you for some great thoughtful questions.

Rory

As always, you can find links to all of the topics we've spoken about today in the show notes and even more on our website at itpro.co.uk.

Jane

You can also follow us on social media, as well as subscribe to our daily newsletter. Don't forget to subscribe to the IT Pro Podcast wherever you find podcasts. And if you're enjoying the show, why not tell a friend or colleague about us?

Rory

We'll be back next week with more from the world of IT. But until then, goodbye.

Jane

Goodbye.
