Russian Cyber actors use plausibly deniable outlets to disguise hacks
By Philip Ingram MBE
The UK’s National Cyber Security Centre (NCSC) and the US National Security Agency (NSA) have said that the Turla group, a suspected Russia-based hacking group, has been disguising its activities by hijacking the tools and command-and-control infrastructure of a suspected Iran-based hacking group and operating through them, effectively masking who was really responsible for the resulting intrusions. Why would a Russia-based group do this?
On 27th April 2007 a massive, deliberate distributed denial of service attack was launched against Estonia, causing government web services, banks and much more to fail. The attack lasted three weeks. Whilst suspicion was laid at the feet of the Russians, they denied involvement, as they have done with attacks in Georgia and Ukraine. The sophistication of many of these attacks suggests the only possible perpetrator is a major actor with resources that many believe are only available to states.
Cyberspace is not regulated in the way that the land, maritime, air or space domains are when it comes to international actions relating to war; there is no equivalent of the Geneva Conventions and Protocols or the Outer Space Treaty, so cyberwar and state-sponsored cyber attacks are unregulated in international law. To avoid political embarrassment and the possibility of political repercussions, the use of a plausibly deniable outlet is key: without substantive proof there can never be substantive repercussions.
Sun Tzu, the famed Chinese general and philosopher of the 6th century BC, said in his book The Art of War, “All warfare is based on deception. Hence, when we are able to attack, we must seem unable; when using our forces, we must appear inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near.” The Russians have a doctrine called маскировка (maskirovka), which is all about ‘masking’ or deception and is central to all they do; they follow the philosophy laid down by Sun Tzu, allowing them to interfere overseas while being able to deny it. We saw this with the attack on Sergei Skripal in Salisbury last year.
We keep hearing of cyber attacks from Iran, a closed country with little access to Western academia and training, yet it can mount some of the most sophisticated cyber incidents. We hear the same of North Korea, which should have almost no access to technology or academia and has extremely controlled access to the internet. However, one has to ask why, in 2017, TransTelekom, a major Russian telecommunications company that owns one of the world’s largest networks of fibre optic cables and is a full subsidiary of the national railway operator Russian Railways (itself owned by the Russian Federation), put a fast internet connection into North Korea.
Around the same time, the North Koreans went from having a small nuclear capability with short-range missiles that failed more often than not, to having a hydrogen bomb capability with ICBMs that worked more often than not. No one has explained how that technological advance happened so quickly in a country under strict international sanctions. We have to remember that North Korea got blamed for the Sony hack and the WannaCry attack of 2017; could it have been a proxy using a plausibly deniable outlet? The answer to the ‘why’ is that they can, and they want to maintain the ability to influence global activities without repercussions. Why do I suggest this? That is simple: they have history and a doctrine, tried and tested over many years, and they also have a paranoia about anti-Russian global sentiment that reinforces the inherent need to ‘do something’. Cyberspace provides the perfect environment. A smudge of what could be a Russian fingerprint sits over many incidents. Not enough for real proof, but something that always seems to be there.
This technique of pretending to be someone else, using a plausibly deniable proxy identity, is not new. What is changing is that we are becoming more aware of it and have better analytical tools, so the intelligence agencies can be bolder in calling it out. For defenders the practical lesson is that overlap in tooling or infrastructure is weak evidence of origin on its own; attribution needs corroboration from other sources before anyone acts on it. What is of concern is that a plausibly deniable proxy identity could also be used to instigate state-sponsored terrorism, especially when online recruiting and radicalisation are so prevalent.
This joint statement today is a clear message to all potential threat actors across the globe from the UK’s GCHQ and the US NSA, saying, “we are watching you.”
When is all source intelligence not all source intelligence?
by Philip Ingram MBE
The intelligence game is a fickle one and on a BBC Radio Ulster debate on 8th October 2019 the real lack of understanding as to how fickle that game could be was brought home by Andrée Murphy, from the Falls Road based Relatives for Justice Organisation. She adeptly quoted all of the intelligence meetings and organisations that existed in Northern Ireland in the latter days of ‘The Troubles’ and made the understandable assumption that that meant the intelligence processes were joined up.
“If only they were,” is a cry I have heard on so many occasions, and I refer to a continued lack of joined-up process in my blog https://greyharemedia.com/dsei-makes-me-feel-cheated/, which talks of a time in Iraq in 2005 and 2006 and praises one capability that existed in Northern Ireland.
When Andrée talked of joint meetings and an All Source Intelligence cell, what she assumed was that all of the different organisations involved in the conflict in Northern Ireland put everything on the table, and that the more senior the chair of a meeting, the more control there would be over the process.
I have had many ‘All Source’ Intelligence cells working for me over many years and the one thing that is consistent between all of them is that ‘all source’ does not mean all intelligence or knowledge of all sources providing intelligence and information. In reality, there isn’t one place in the country that is a single repository for every piece of intelligence that is coming from every source.
An ‘All Source’ intelligence cell processes intelligence releasable at the clearance level of the lowest-cleared user of that cell. So, if it is collating material releasable to NATO, only information and intelligence releasable to NATO will be processed in that cell. In Northern Ireland there was information that could not be released by the Security Service to the Army, by the Army to the Police, by the Police to the Army, and every other combination.
Critical to this is understanding the intelligence cycle. Direct, Collect, Process, Disseminate – a simple cycle that hides huge complexities.
Direct informs what you want to know, what intelligence you need and what your priorities are. That will differ in a situation where the Army is supporting the local police and the national capability has operational oversight, as was the case in Northern Ireland.
Only the organisation doing the directing will set its objectives; one or two of them it may share with others, but very, very rarely all of them. Organisations often didn’t like to let other organisations know what they didn’t know, and often didn’t share requirements.
Collect is tasking to capabilities capable of collecting the information needed to process it into intelligence. You can task assets you own and have control over and request support from assets others have, if you know about them, have authority to use them and get information from them and it fits with the priority of whoever is the ultimate owner of the assets. Clearly if an asset is undeclared you have no tasking capability over it at all; “you don’t know what you don’t know.”
You never have enough of your own assets to collect everything you need, and you never get all of the information or intelligence gleaned from someone else’s assets. When it comes to ownership of assets, especially sensitive assets their full capabilities are often hidden and usually classified in a way to keep them compartmentalised. This means only those that need to know are fully briefed.
Intelligence from HUMINT assets rarely reveals the source. In the early days, and for at least half of the period called ‘The Troubles’, the RUC did not have personnel cleared to Top Secret level, so intelligence at that level could not be shared with them. Even when clearances existed, not everything was shared.
You may have joint tasking groups, or tasking and coordination groups but that doesn’t mean that every asset is declared to those groups nor does it mean that every asset declared is made available. Politics between collection and intelligence capabilities is huge, usually because information and access are power, and organisations do not want to reveal their true capability and ultimately for them it is sadly an influence and budget game. I have been forced to play “my source is better than your source” games in operational theatres before, luckily outside the briefings my colleagues and I would sit down together and deconflict. (My sources were always the best).
The higher the level of any coordination group, the more the politics of each organisation represented comes into play, so rather than total exposure of operational intelligence matters, there is a dance off between different agencies seeking influence.
Even though I had clearances to a level higher in some areas than the General Officer Commanding Northern Ireland and many of his intelligence staff, because I was originally from Northern Ireland there were areas I was not allowed into when I visited and capabilities I could and would never be briefed on. The reality was I never needed a full operational briefing. There is no such thing as total visibility, and that was accepted as a norm within this type of work.
The role of processing Intelligence is the remit of the All Source Cell. A slight misnomer in its title as it doesn’t process intelligence from every source that is out there, but it processes intelligence from every source it is authorised to receive information and intelligence from. That is a very subtle but important difference. It provides a baseline, with usually sufficient detail for the routine operations in hand and as a foundation for more complex operations where other, undeclared, compartmentalised information and intelligence can be used to develop the picture or amend the assessment or give that vital extra piece that enables a specialist operation.
Intelligence from sensitive sources is always kept compartmentalised unless it can be sufficiently anonymised so as not to give the source away. Even then its distribution is very carefully controlled. Often, even with written agreements to share everything, very sensitive intelligence is not shared with anyone outside an agreed names list.
The final part of the cycle is dissemination. Intelligence is produced at various levels of classification and the general rule is to disseminate what you can to the lowest possible level. The reality, however, was that what came out at the lowest classifications gave little insight; the higher the classification, the greater the insight, but fewer people saw it, and in almost every case it was never complete insight.
The RUC / PSNI will have had a few individuals cleared to the highest levels who will have had total visibility of all that the police were doing and some insight into higher-level Army and MI5 activities, but not total insight. The same would be true for the Army and for the Security Service, and not even political masters would have had complete oversight. In essence there were three stovepipes with limited crossover at certain levels, but most intelligence and intelligence operations remained within stovepipes, and there were frequently stovepipes within stovepipes. Many intelligence operations never saw the light of exposure outside their particular pipe!
It is very easy for those who have never worked in the murky world of intelligence to think it is a panacea, an all seeing, well-oiled and coordinated beast with direction from the top. The murkiness is an accurate description and highlights the real lack of visibility there is up, down across and around intelligence operations.
The start of the road to better cooperation between intelligence providers only appeared in the post-9/11 era, when the Joint Terrorism Analysis Centre was set up in London in June 2003. Prior to that, and in Northern Ireland in particular, ‘joined-up intelligence machinery’ across the police, Army and Security Service was a very tongue-in-cheek description of what really existed.
When looking for centrally coordinated conspiracies, consistency in the mechanisms that existed is needed. Unfortunately, those consistencies didn’t really exist, because they couldn’t: the level of cooperation between different agencies was very mixed and usually quite shaky. Where there were gaps in intelligence, and there are always many and were many in Northern Ireland, individuals made judgement calls to fill those gaps if needed. Almost certainly, over the protracted period ‘The Troubles’ lasted, some of those judgement calls were wrong at the time, and possibly more were wrong with 20/20 hindsight.
In dealing with terror and people hiding amongst the community, using innocents and communities as human camouflage as they operate outside the law, criticising judgement calls for those operating within the law, on partial information and intelligence is easy. Some, who should have operated within the law went too far as happens in every conflict and they should be brought to account for their actions. However, that number will be extremely small. Every terrorist operated outside the law, so it is hypocritical of anyone to criticise the machinery of state alone. Everyone who operated outside the law should be brought to justice for the sake of every victim and their families.
***Addendum*** I should have added this in the main body of the blog, but it comes as an afterthought. Two things. The first is that the terror organisations had their own intelligence machinery, less structured, with less oversight, and ‘collection’ was based on uncorroborated sources, often intimidated into providing information, or on information provided through rumour. How often did we hear of apologies for innocent lives being taken? That process is never questioned publicly!
The second point is that the intelligence war (to the horror of the G/J3 community, who know who they are, I will say intelligence operations) forced the terror organisations to culminate: they lost their ability to manoeuvre in the ‘military battlespace’ but weren’t ‘technically’ defeated militarily. However, in the end almost every decision made, even at the highest levels, was known by the security forces; operations were being interdicted, individuals arrested, and dissenters to the move to a political process who had a desire to maintain ‘the struggle’ were disproportionately arrested (has anyone speculated as to why?). This wasn’t because of some new ‘magic’ intelligence capability or a more joined-up process the state had; it was because people within the communities where terrorists operated passed information on to the authorities. Why is this not exposed publicly? It isn’t, because these people still live in those communities; they are members, pillars, of the local society, they have normal lives, and whilst they may not agree with the politics, they agree less with terror and bloodshed. Their contribution will never be exposed until we, and the next generation, are long gone, and that is right and appropriate for their and their families’ safety. Unfortunately violent bigotry remains. However, their contribution to the peace process will never be formally acknowledged.
Ultimately, the intelligence machinery of the state could only work if people within target communities helped, and the people overall wanted peace.
The heart of Government Attacked – a few quick thoughts
by Philip Ingram MBE
On 3rd October 2019, a bright and chilly day in central London, whilst the Prime Minister was being quizzed on his latest Brexit proposals a few hundred metres away, a red Dennis fire engine came to a gentle halt outside HM Treasury on Horse Guards Road in Westminster. There were armed police throughout the wider area and security staff on the door.
Next, protesters unfurled a hose from the fire engine and climbed on top of it, pointing the hose at the entrance to the Treasury building, with the security staff no doubt wondering what was going on. A banner was unfurled on the side of the fire engine, stating “Stop Funding Climate Change”, and then the vehicle’s pump was started and a red-coloured liquid was sprayed towards the front entrance of the Treasury building, some staining the sandstone façade, before the hose popped from its nozzle and snaked around the back of the appliance, out of control, pumping 1,800 litres of water with red dye all over the road, pavement and passers-by.
As this was happening, people continued to loiter not far from the entrance of the treasury building, there was no sign of a coordinated reaction, no sign of ‘Run, Hide, Tell’ from anyone. The police were not on the scene, there was no evidence of any reaction, bar bemusement, never mind a well-rehearsed security protocol anywhere. The press reaction is equally one of bemusement at a snaking hose rather than this being a successful attack.
This has to be one of the most worrying, highly visible attacks on our critical national infrastructure, the heart of government, the focus for economic stability in a tumultuous period, and it has largely gone without any reaction or comment of substance. Is it right to say, “oh, it’s OK, it’s only those daft Extinction Rebellion types?” or “It was only harmless red-dyed water?” The harmless nature of the liquid was only known after the fact.
The total Metropolitan Police response was in two messages on Twitter as seen in the picture below:
The privately owned fire engine could have been carrying so much more. It looks like its livery acted as a perfect disguise to get a vehicle capable of carrying a massive load into the heart of Government. The 1,800 litres of water could have been replaced with 1,800 kg of explosives. The 1,800 litres could have been some other harmful liquid, or water contaminated with dangerous or deadly chemicals.
This incident throws up so many questions. Did the door staff at the entrance to the Treasury building initiate a protocol commensurate with a possible hostile attack? Why were the doors open, with a security guard’s head popping out before the door was gently shut? Why was the building not immediately locked down until the threat could be ascertained? Where was the police response, 50+ metres from the back of Downing Street and a few hundred metres from the Palace of Westminster? How did a vehicle with hostile intent get so close to a critical government building unchallenged? What lessons are being pulled out of this, and how will procedures change? And so many more.
If anything, we have to thank the @XRebellionUK team for highlighting a very real security loophole, which I have no doubt will have been noticed by those with a much more deadly intent. The whole reaction seems to have missed the potential for what could have been, and smacks of complacency. Complacency never leads to a good outcome. Let’s hope those with more malicious intent don’t infiltrate the planned @XRebellionUK climate protests, as it would seem an easy route given the reaction to this incident.