Russian Cyber actors use plausibly deniable outlets to disguise hacks

By Philip Ingram MBE

The UK’s National Cyber Security Centre (NCSC) and US National Security Agency (NSA) have said that the Turla group, a suspected Russia-based hacking group, have been disguising their activities by adopting and using techniques used by suspected Iran-based hacking groups.  Effectively masking who was really responsible for hacks. Why would a Russian based group do this?

On 27th April 2007 a massive deliberate denial of service attack was launched against Estonia, causing government webservices, banks and much more to fail.  The attack lasted 3 weeks. Whilst suspicion was laid at the feet of the Russians, they denied involvement as they have done with attacks in Georgia and Ukraine. The sophistication of many of these attacks suggest the only possible perpetrator is a major actor with the resources that many believe are only available to states.

With Cyber space not being regulated in the same way as Land, Maritime, Air or space when it comes to international actions relating to war with an equivalent of the Geneva Conventions and Protocols or an Outer Space Treaty, cyberwar and state sponsored cyber attacks are unregulated in international law. To avoid political embarrassment and the possibility of political repercussions the use of a plausibly deniable outlet is key, as without substantive proof there can never be substantive repercussions.

Sun Tzu the infamous Chinese 6th century general and philosopher said in his book the Art of War, “All warfare is based on deception. Hence, when we are able to attack, we must seem unable; when using our forces, we must appear inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near.”  The Russians have a doctrine called маскировка (maskirovka) which is all about ‘masking’ or deception and is central to all they do; they follow the philosophy laid down by Sun Tzu allowing them to interfere overseas but be able to deny it. We saw this with the attack on Sergei Skripal in Salisbury last year.

We keep hearing of cyber-attacks from Iran, a closed country with little access to western academia and training, yet they can mount some of the most sophisticated cyber incidents.  We hear the same of North Korea, who should have zero access to technology, academia, and extremely controlled access to the internet. However one has to ask why in 2017, TransTelekom, a major Russian telecommunications company that owns one of the world’s largest networks of fibre optic cables and is a full subsidiary of Russian national railway operator, Russian Railways who are owned by the Russian Federation put a fast internet connection into North Korea.

Around the same time, the North Koreans went from having a small nuclear capability with short-range missiles that failed more often than not, to have a hydrogen bomb capability with ICBMs that worked more often than not.  No one has explained how that technological advance happened so quickly in a country under strict international sanctions.  We have to remember, North Korea got blamed for the Sony Hack and the WannaCry attack of 2017, could it have been a proxy using a plausibly deniable outlet?  The why is because they can and want to maintain the ability to influence global activities without repercussions. Why do I suggest this? That is simple, they have history and a doctrine, tried and tested over many years, they also have a paranoia about anti Russian global sentiment reinforcing that inherent need to ‘do something’. Cyber space provided that perfect environment. A smudge of what could be a Russian fingerprint sits over many incidents. Not enough for real proof, but something that always seems to be there.

What is not unusual is that this technique of pretending to be someone else, using a plausibly deniable proxy identity is not that new however, we are likely to be coming more aware of it, have better analytical tools so that the intelligence agencies can be bolder at calling it out.  What is of concern is using a plausibly deniable proxy identity could also be used to instigate state sponsored terrorism, especially when online recruiting and radicalisation is so prevalent.

This joint statement today is a clear message to all potential threat actors across the globe from the UKs GCHQ and the US NSA saying, “we are watching you.”