West strikes back against Russian hackers

Denmark calls for a strategy; the UK prepares to black out Moscow if necessary

The West is joining forces against Russian cyberattacks. NATO Secretary General Jens Stoltenberg said in Brussels recently that the alliance treats cyberattacks as threats that can trigger Article 5 of the Washington Treaty, NATO’s bedrock principle that an attack on one member is an attack on all, and that this can lead to a collective response. The organisation will, however, judge its response case by case and act strictly in accordance with international law.

The standby position of the UK’s military leadership is in line with this thinking. According to the Sunday Times, London is prepared to launch a cyberattack against Moscow and leave the Russian capital without electricity should Russia strike a western state first. Anonymous senior security sources say that if Russia strikes any NATO state, Article 5 will be invoked immediately. According to the sources, because the UK lacks the conventional weapons to fight back against “the Kremlin’s aggression”, the British security services “are committed to activating offensive cyber capabilities, including blacking out the Kremlin”.

Meanwhile, in an interview with Danmarks Radio, Naser Khader, the new chairman of the Danish parliament’s defence committee, explicitly called for attacking Russia in cyberspace. According to Khader, it has already been established that Russia attacks targets all over the world, so it is time to move from a posture of defence to one of offence. “Take this hacking group Fancy Bear, for example. They are closely affiliated with Russian military intelligence, they meddled in the 2016 US presidential election, so the first thing to do is to hack their database,” Khader said. He has full confidence in the US agencies’ conclusion that Fancy Bear is financed by the Russian government.

“The Russians claim that they had nothing to do with that, this is a private group, they say. But everyone knows that it is actually working for the Russian military intelligence. We have to show them that we will not stand for it,” Khader said. He believes that the measures should be carefully planned and that experts should develop offensive methods.

Henrik Dam Kristensen, a prominent member of Denmark’s Social Democratic Party and the incumbent first deputy speaker of the Danish parliament, concedes that Denmark cannot bury its head in the sand and should consider a cyberattack of its own.

Last week, the UK, the Netherlands and the US accused Russia of conducting cyberattacks against a range of organisations; they were backed by France and Germany. Men alleged to be officers of Russia’s military intelligence agency (GRU) have been charged with conspiring to commit cyberattacks on the UK Foreign Office, the Organisation for the Prohibition of Chemical Weapons (OPCW) and the nuclear energy company Westinghouse, as well as on several national anti-doping agencies and sporting federations.

According to the western governments, the GRU is behind the hacking campaign attributed to APT28. Also known as Fancy Bear, the group is believed to specialise in cyber-espionage and to act on the GRU’s orders.

Last week, US Defense Secretary James Mattis said that Moscow’s operatives had been caught with their equipment. “They have to pay the piper, they are going to have to be held to account. How we respond is a political decision by the nations involved,” Mattis said after a meeting with his NATO counterparts.


List of attacked organisations

The US Anti-Doping Agency (USADA), headquartered in Colorado Springs, Colorado.
The World Anti-Doping Agency (WADA), headquartered in Montreal, Canada.
The Canadian Centre for Ethics in Sport (CCES), headquartered in Ottawa, Canada.
The International Association of Athletics Federations (IAAF), headquartered in Monaco.
The Court of Arbitration for Sport (TAS/CAS), headquartered in Lausanne, Switzerland.
The Fédération Internationale de Football Association (FIFA), headquartered in Zurich, Switzerland.
Westinghouse Electric Corporation, based outside Pittsburgh, Pennsylvania.
The Organisation for the Prohibition of Chemical Weapons (OPCW), headquartered in The Hague, Netherlands, which is investigating the use of chemical weapons in Syria and the March 2018 poisoning of former GRU officer Sergei Skripal in the UK with a Novichok nerve agent.
The Spiez Laboratory in Spiez, Switzerland, an OPCW-accredited laboratory that analysed the chemical agent connected to the poisoning of Sergei Skripal.


Who are Fancy Bear?

The hacking group Fancy Bear (also known as APT28, Sofacy, Pawn Storm, Sednit and Strontium) has been active since 2004. Most Western security researchers believe that the group is closely affiliated with the Russian intelligence services. According to ESET, the hackers target embassies and defence ministries in a number of countries. Cyber-security companies note that the group’s activity peaks between 9 a.m. and 5 p.m. Moscow time, in other words during a normal working day in the Russian capital.
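The working-hours observation is an attribution heuristic, and the following is an added example of how an analyst applies it (this is illustrative code written for this page, not any vendor’s tooling, and the event timestamps are constructed rather than real indicators). Each observed event time, for instance a phishing-domain registration or a malware compile timestamp, is converted into a candidate time zone, and the share of activity that lands in a weekday 09:00 to 17:00 window is measured; the offset that explains the most activity is the best guess at the operators’ schedule. Moscow has used UTC+3 year-round since October 2014, so a fixed offset is assumed instead of a tz-database lookup.

```python
"""Working-hours analysis of attacker activity timestamps (added example).

The event timestamps below are constructed for the demonstration; they are not
real indicators. Moscow has used UTC+3 all year since October 2014, so a fixed
offset stands in for a tz-database lookup.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

MOSCOW = timezone(timedelta(hours=3), "MSK")

# Constructed sample of UTC timestamps, e.g. phishing-domain registrations or
# malware compile times, each annotated with its Moscow-time equivalent.
SAMPLE_EVENTS_UTC = [
    "2015-03-02T06:15:00Z",  # Mon 09:15 MSK
    "2015-03-02T07:40:00Z",  # Mon 10:40 MSK
    "2015-03-03T08:05:00Z",  # Tue 11:05 MSK
    "2015-03-03T11:30:00Z",  # Tue 14:30 MSK
    "2015-03-04T12:10:00Z",  # Wed 15:10 MSK
    "2015-03-04T13:55:00Z",  # Wed 16:55 MSK
    "2015-03-05T07:20:00Z",  # Thu 10:20 MSK
    "2015-03-05T09:45:00Z",  # Thu 12:45 MSK
    "2015-03-06T10:00:00Z",  # Fri 13:00 MSK
    "2015-03-06T13:30:00Z",  # Fri 16:30 MSK
    "2015-03-07T12:00:00Z",  # Sat 15:00 MSK  (weekend, outside the window)
    "2015-03-09T22:30:00Z",  # Tue 01:30 MSK  (night, outside the window)
]


def parse_utc(stamp: str) -> datetime:
    """Parse an ISO 8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def working_hours_profile(events_utc, tz=MOSCOW, start_hour=9, end_hour=17):
    """Return (share of events on a weekday in [start_hour, end_hour), per-hour
    histogram) after converting each event into the candidate time zone."""
    local = [parse_utc(s).astimezone(tz) for s in events_utc]
    histogram = Counter(t.hour for t in local)
    in_window = sum(1 for t in local if t.weekday() < 5 and start_hour <= t.hour < end_hour)
    return in_window / len(local), histogram


def rank_time_zones(events_utc, offsets_hours=range(-12, 15)):
    """Score every whole-hour UTC offset by the share of activity it places in a
    working day; the top entry is the offset that best explains the schedule."""
    scored = []
    for off in offsets_hours:
        share, _ = working_hours_profile(events_utc, timezone(timedelta(hours=off)))
        scored.append((round(share, 3), off))
    scored.sort(key=lambda pair: (-pair[0], pair[1]))
    return scored


if __name__ == "__main__":
    share, hist = working_hours_profile(SAMPLE_EVENTS_UTC)
    print(f"{share:.0%} of events fall in a Moscow working day")
    for hour in sorted(hist):
        print(f"{hour:02d}:00 MSK {'#' * hist[hour]}")
    print("best-fitting UTC offset:", rank_time_zones(SAMPLE_EVENTS_UTC)[0][1])
```

On the constructed sample, UTC+3 places ten of the twelve events inside a Moscow working day and ranks first among all whole-hour offsets. The caveat a practitioner should keep in mind is that this is one weak signal among many: compile timestamps can be forged, registrations can be automated, and an operator can deliberately keep foreign hours, so the result supports an attribution only alongside infrastructure, tooling and victimology evidence.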

On 13 May 2016, Hans-Georg Maaßen, head of Germany’s domestic intelligence agency (BfV), said that this very group was behind the 2015 attack on the Bundestag’s computer network. The aim of the intrusion was to gather confidential information about Germany.

On 8 April 2015, the French television station TV5 Monde fell victim to a cyberattack and went off air for three hours. The attack was initially claimed by the “CyberCaliphate”, a group affiliated with the terrorists of Islamic State, but it was later attributed to the Russians.

In August 2015, the group attacked the information systems of the White House and NATO.

The Fancy Bear hackers attacked the website of the World Anti-Doping Agency (WADA) in August 2016, after the agency had published a report accusing Russia of running a state doping programme.

In early November 2016, Microsoft reported that the group was exploiting a then-unpatched vulnerability in the Windows operating system, including its latest version.


Attacks on Bulgaria

The Russian hackers, who most probably work for the Russian government, attempted to spy on Bulgarian public institutions in the spring of 2015, according to experts at the California-based cybersecurity firm FireEye. The report is available at: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf

The security researchers established that the APT28 hackers registered domains imitating the addresses of two popular Bulgarian news sites: one copy of the Standart daily’s site (the official address is standartnews.com, the copy was standartnevvs.com) and two copies of the news portal Novinite.com (novinitie.com and n0vinite.com). The tricks are typical of lookalike domains: two v’s stand in for a w, a digit zero for the letter o, and an extra letter is slipped into the name, all of which a reader skimming a link is likely to miss. A quick scan showed that all three lookalike domains (standartnevvs.com, novinitie.com, n0vinite.com) were serving malware.

The news about APT28’s activity and its possible connection to the Russian government is not new (the information emerged as early as the end of 2014). FireEye maintains that APT28 built a large network of fake domains resembling news websites and the websites of public institutions in order to distribute malware through them and so gather information about visitors. According to FireEye’s experts, the way data is collected suggests a particular interest in political developments in a given country. Several malware families were used for collection, known to analysts as SOURFACE, EVILTOSS and CHOPSTICK.
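Both the Bulgarian lookalike domains above and FireEye’s wider description of a network of fake news and government sites come down to the same defensive check: comparing newly seen domains against a watch-list of the sites they might impersonate. The following is an added example of that check, written for this page and not taken from FireEye or from the article; the watch-list entries and the three lookalikes are the ones named in the text, while the benign domain and the homoglyph table are constructed assumptions for the demonstration, and public-suffix handling is deliberately simplified to single-label suffixes such as .com.

```python
"""Flag registered domains that impersonate a watch-list of legitimate sites.

Added example, not FireEye's tooling. Two tests are applied to each candidate:
an exact match after collapsing common homoglyph tricks (vv -> w, 0 -> o, ...),
and a small Damerau-Levenshtein edit distance, which catches extra, missing or
swapped letters such as 'novinitie' for 'novinite'.
"""

# Legitimate sites the defender wants to protect (from the article).
WATCHED = ["standartnews.com", "novinite.com"]

# Constructed table of lookalike sequences and the characters they imitate.
HOMOGLYPHS = {
    "vv": "w", "rn": "m", "0": "o", "1": "l", "3": "e", "5": "s", "cl": "d",
}


def registrable_part(domain: str) -> str:
    """Return the label left of the suffix; assumes a single-label suffix (.com, .bg)."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def normalise(label: str) -> str:
    """Collapse homoglyph tricks so 'n0vinite' and 'novinite' compare equal."""
    out = label
    for fake, real in HOMOGLYPHS.items():
        out = out.replace(fake, real)
    return out


def damerau_levenshtein(a: str, b: str) -> int:
    """Edit distance counting insertions, deletions, substitutions and adjacent swaps."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(candidate: str, watched=WATCHED, max_distance: int = 2):
    """Return (watched_domain, reason) if candidate imitates a watched domain, else None."""
    c_label = registrable_part(candidate)
    for w in watched:
        w_label = registrable_part(w)
        if c_label == w_label:
            return None  # the genuine site itself
        if normalise(c_label) == normalise(w_label):
            return (w, "homoglyph")
        dist = damerau_levenshtein(c_label, w_label)
        if dist <= max_distance:
            return (w, f"edit-distance-{dist}")
    return None


def find_lookalikes(candidates, watched=WATCHED):
    """Map each suspicious candidate to the legitimate domain it imitates."""
    hits = {}
    for dom in candidates:
        verdict = classify(dom, watched)
        if verdict:
            hits[dom] = verdict
    return hits


if __name__ == "__main__":
    # The three lookalikes from the article plus a constructed benign domain.
    seen = ["standartnevvs.com", "novinitie.com", "n0vinite.com", "bnt.bg"]
    for dom, (target, reason) in find_lookalikes(seen).items():
        print(f"{dom:22} imitates {target:18} ({reason})")
```

Run against newly registered domains from a zone feed or passive DNS, this flags standartnevvs.com and n0vinite.com as homoglyph copies and novinitie.com as a one-edit variant, while leaving unrelated domains alone. The edit-distance threshold is the tuning knob: two edits is tight enough for short names, but for long ones it should be raised or replaced with a relative measure, and any hit still needs confirmation (WHOIS, hosting and what the site serves) before it is blocked.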


US charges seven individuals with hacking

The four individuals caught in The Hague, together with three other Russians, have been indicted by a federal court in Pennsylvania for conspiring to commit, and committing, computer intrusions and online espionage. The seven indicted in the US are Aleksei Morenets, Yevgeniy Serebriakov, Ivan Yermakov, Artem Malyshev, Dmitriy Badin, Oleg Sotnikov and Alexey Minin. The hackers Aleksei Morenets and Yevgeniy Serebriakov and their support officers Oleg Sotnikov and Alexey Minin were the ones detained in the Netherlands. They were officers of Unit 26165 of the GRU (Russia’s main intelligence directorate), the unit also known as APT28.

On Thursday, the Dutch defence ministry announced that four Russians had been expelled from the country. According to the Dutch authorities, the Russians had attempted a cyberattack on the Organisation for the Prohibition of Chemical Weapons (OPCW), which is based in The Hague and is investigating both the poisoning of the Russian ex-spy Sergei Skripal and the allegations of chemical weapons use in Syria.

The four Russians were travelling on diplomatic passports and carried a large amount of equipment designed for hacking. The group consisted of two IT specialists and two support officers. They tried to gain access to the wireless network used by the OPCW, a so-called close-access operation in which the attacker targets the victim’s Wi-Fi from nearby rather than remotely over the internet. When discovered, the four tried to destroy part of the equipment. Their diplomatic passports had consecutive serial numbers, differing only in the last digit.

Among the most incriminating pieces of evidence is a taxi receipt allegedly seized from one of the detainees, Morenets. It shows that on 10 April he travelled from the GRU’s main office in Moscow to Sheremetyevo international airport.
