by Grey Hare Editor | Oct 21, 2019 | Articles
Russian Cyber actors use plausibly deniable outlets to disguise hacks
By Philip Ingram MBE
The UK’s National Cyber Security Centre (NCSC) and US National Security Agency (NSA) have said that the Turla group, a suspected Russia-based hacking group, has been disguising its activities by adopting and using techniques used by suspected Iran-based hacking groups, effectively masking who was really responsible for hacks. Why would a Russia-based group do this?
On 27th April 2007 a massive deliberate denial of service attack was launched against Estonia, causing government webservices, banks and much more to fail. The attack lasted 3 weeks. Whilst suspicion was laid at the feet of the Russians, they denied involvement as they have done with attacks in Georgia and Ukraine. The sophistication of many of these attacks suggests the only possible perpetrator is a major actor with the resources that many believe are only available to states.
Cyberspace is not regulated in the same way as Land, Maritime, Air or Space when it comes to international actions relating to war: there is no equivalent of the Geneva Conventions and Protocols or an Outer Space Treaty, so cyberwar and state-sponsored cyber attacks are unregulated in international law. To avoid political embarrassment and the possibility of political repercussions, the use of a plausibly deniable outlet is key, as without substantive proof there can never be substantive repercussions.
Sun Tzu, the infamous Chinese 6th century general and philosopher, said in his book The Art of War, “All warfare is based on deception. Hence, when we are able to attack, we must seem unable; when using our forces, we must appear inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near.” The Russians have a doctrine called маскировка (maskirovka) which is all about ‘masking’ or deception and is central to all they do; they follow the philosophy laid down by Sun Tzu, allowing them to interfere overseas but be able to deny it. We saw this with the attack on Sergei Skripal in Salisbury last year.
We keep hearing of cyber-attacks from Iran, a closed country with little access to western academia and training, yet they can mount some of the most sophisticated cyber incidents. We hear the same of North Korea, who should have zero access to technology, academia, and extremely controlled access to the internet. However, one has to ask why, in 2017, TransTelekom, a major Russian telecommunications company that owns one of the world’s largest networks of fibre optic cables and is a full subsidiary of the Russian national railway operator, Russian Railways, who are owned by the Russian Federation, put a fast internet connection into North Korea.
Around the same time, the North Koreans went from having a small nuclear capability with short-range missiles that failed more often than not, to having a hydrogen bomb capability with ICBMs that worked more often than not. No one has explained how that technological advance happened so quickly in a country under strict international sanctions. We have to remember, North Korea got blamed for the Sony Hack and the WannaCry attack of 2017; could it have been a proxy using a plausibly deniable outlet? The why is because they can and want to maintain the ability to influence global activities without repercussions. Why do I suggest this? That is simple, they have history and a doctrine, tried and tested over many years, they also have a paranoia about anti-Russian global sentiment reinforcing that inherent need to ‘do something’. Cyber space provided that perfect environment. A smudge of what could be a Russian fingerprint sits over many incidents. Not enough for real proof, but something that always seems to be there.
This technique of pretending to be someone else, using a plausibly deniable proxy identity, is not that new; however, we are likely to be becoming more aware of it and to have better analytical tools, so that the intelligence agencies can be bolder at calling it out. What is of concern is that a plausibly deniable proxy identity could also be used to instigate state-sponsored terrorism, especially when online recruiting and radicalisation is so prevalent.
This joint statement today is a clear message to all potential threat actors across the globe from the UK’s GCHQ and the US NSA saying, “we are watching you.”
by Grey Hare Editor | Apr 27, 2018 | Articles
The Russian Bear leading the bald Trump eagle in a game of nuclear Jong
As the globe breathes a sigh of relief over the positive tones regarding a formal end to the Korean War and working towards a de-nuclearised Korean Peninsula, after the meeting between Kim Jong-un and Moon Jae-in, the North and South Korean leaders, we will start to see Donald Trump taking the credit for saving the world from a North Korean nuclear Armageddon. However, we have to ask is all as it seems?
It is very easy to see what we want to see, and a de-nuclearised Korean Peninsula is what we want to see in the same way George Bush and Tony Blair wanted to see Saddam Hussein’s Weapons of Mass Destruction (WMD), so they ensured the world saw that threat…….
We all know how Iraq has turned out because we didn’t open our eyes properly. The intelligence game is all about keeping our eyes open and acting as the conscience for decision makers. Sometimes they listen, often they don’t and when they don’t and it all goes wrong, the intelligence agencies get the blame, not the politicians who made the decisions.
As I look at the Korean issue, I want to start with Russia and ask some of the intelligence game questions.
65-year-old Vladimir Vladimirovich Putin (Влади́мир Влади́мирович Пу́тин) takes a long and global view of his vision to rebuild mother Russia in the image of the USSR but utilising his version of capitalist principles, not communism.
He has effectively been in power since 1999, when he was first Prime Minister of Russia, becoming President in 2000 and engineering a break back to Prime Minister from 2008 – 2012, when his close ally Dmitry Medvedev became President. Putin has now been elected for his second 6-year term of this Presidency. He will be setting the conditions to ensure he can retain power long past this second term even if this means another ‘flip’ with Medvedev.
The ‘So What?’ from this is that Putin can afford to take a long-term view of what he wants to achieve for Russia and can use that longevity to bypass any sticky overseas opposition just by playing the long game. He knows perfectly well that the leaders of the countries that oppose him are in power for relatively short periods of time and have adversarial political systems which he can easily manipulate so that dealing with the Russian bear remains a relatively low priority.
Putin is an old-school Russian, almost genetically disposed to see conspiracy from the West aimed at destroying Russia. He hankers after the days of the cold war where things were easy but loves the power and wealth he has in post-Soviet Russia; he is a Russian nationalist almost to fanatical levels, but that is his role, after all, he is President.
As you would expect his politics have created domestic enemies and friends; the difference between them and western political allies and opposition is that they are on the whole hugely wealthy and in their own spheres, hugely influential. Like all wealthy influential people, they also have ambition. Those such as Roman Abramovich and Arkady Rotenberg keep their ambition in line with Putin’s and are considered as friends. Those such as Boris Berezovsky, Vladimir Gusinsky, and Mikhail Khodorkovsky are sent clear messages to toe the line or are exiled or imprisoned. That messaging, as we have seen, is delivered by Polonium 210 or Novichok.
Putin, whilst he is more than happy to ‘go it alone’, is very conscious that his fortune comes from global business and from his long-term view position and historical mistrust of the USA and other NATO countries, he wants to make political and global business alliances. He knows he can control the EU and USA from anti-Russian excesses; Trump’s change of mind regarding additional sanctions against Russia whilst Nikki Haley, his Ambassador to the UN, was outlining when they would be implemented is one sign of this. Not quite the eagle has landed and more of the eagle has been warned. Germany signing a gas contract with Russia on the day they issued a statement of condemnation over the Salisbury Novichok attack is another.
Putin sees his route for alliances to be with non-NATO like-minded countries and when their economies are growing, even better. We have been seeing greater cooperation with China and India, we have seen tolerance of Iran and continued massive support for Assad in Syria, but it is China and India I am interested in here.
The South China Seas/Indian Ocean region is seeing the fastest growth of power projection military capabilities of anywhere in the world. India is developing their naval blue water capability, China is doing the same, Japan is responding with constitutional changes and expeditionary capabilities and the disputed Paracel and Spratly Islands are being militarised.
Xi Jinping’s economy continues to grow at almost 7% and he has cemented his political longevity in a way I am sure Putin is envious of. However, with only one year’s difference in age, we have two P5 leaders with very long-term political stability and greater economic interaction; in 2015 Russia signed a $400 Bn 30-year natural gas supply agreement with China. They are natural global bedfellows and Russia’s courting of India makes them a natural focus for defence exports as they can pay!
Xi has been seen for a long time as Kim Jong Un’s only ‘ally’ and he is more like a great uncle trying to keep an errant, badly behaved distant nephew in check. However, Dan North from the North Korean Monitoring site 38North.org has identified that a company called TransTelekom (ТрансТелеКо́м) has put a fast internet connection into North Korea alongside their older and much slower Chinese supplied connection. TransTelekom is a major Russian telecommunications company that owns one of the world’s largest networks of fibre optic cables. The company is a full subsidiary of the Russian national railway operator, Russian Railways, who are owned by the Russian Federation. Putin has his fingers in North Korea!
We have seen North Korea blamed for the sophisticated cyber-attack on Sony and the 2017 global WannaCry attack. At the same time, we see North Korea’s nuclear capability go from a warhead of less than 1 Kt detonated in 2006 to a warhead of an estimated 120-160 Kt exploded in 2017. His ballistic missile technology goes from short range to ICBM and failure most times to success most times, over an even shorter period of time. Where is North Korea getting its cyber training and awareness and where is it getting its newfound nuclear and missile know-how and technologies? What has Russia to gain from a relationship with North Korea? These questions have never been successfully answered.
And what of the young dictator, Kim Jong Un, the man who starves his people, executes his relatives with anti-aircraft guns if he suspects them of being disloyal or, if exiled, executes them in an international airport with VX, a deadly persistent military grade nerve agent? He has new friends who are helping his cyber capability and his missile technology. He has his Chinese ‘great uncle’ who has scolded him for poking the Trump bald eagle with his ICBM nuclear stick. He has a need for investment and a pause in his nuclear programme, as his test site has collapsed. He has a long-term view just like Xi and Putin. He has, from his perspective, joined the ‘big boys club’ by getting the US President to come to him and showing the world his conventional and nuclear capabilities. He has given Putin an idea of what using a nerve agent as an assassin’s weapon is like. He has nothing to lose by having talks with Moon and Trump and everything to gain. He has a smug feeling in his belly.
The manoeuvring that is going on between Xi, Putin and Kim Jong Un, whilst it all seems to be separate and not interconnected, is likely to be just that, interconnected. What are Russia and China’s long-term goals and why are they playing with North Korea? There is a wider game at play here and it is probably 3 wider games, the Chinese one of global economic dominance, the Russian one of nationalistic resurgence and the North Korean one of sitting at the top table. The short-sighted view many Western countries will have of what is going on will force them to see what they want to, the cries for Trump to get the Nobel Peace Prize for ‘solving’ the North Korean issue have already started. There is a global alliance here and it may have something to do with the disputed islands in the South China Sea.
We just have to remember some recent historical examples of success and failure. The Chinese economy grows when everyone else’s recedes. Putin annexed Crimea successfully and has a strong foothold in Eastern Ukraine. He has turned Assad’s assumed demise into a winning home run. He has clearly demonstrated the power of маскировка (maskirovka) in influencing elections, referendums and political debates on both sides of the Atlantic. Kim Jong Un has got the President of the USA to come to him. We the West have a less successful record: the debacle of Iraq that resulted in the creation of ISIS and global terror, the failure in Afghanistan allowing the Taliban and ISIS-affiliated groups to retake many of the areas soldiers’ blood was spilled to secure initially, and Libya with the humanitarian disaster we see with refugees in the Mediterranean.
Who has the long-term vision and who sees what they want? Should we be worried? My view is, hell yes !!……….
Note: This blog is written by Philip Ingram MBE, a former British Army Intelligence Officer who has served in the Middle East and Cyprus.
by Grey Hare Editor | Apr 22, 2018 | Articles
Geopolitical manoeuvring and continued hybrid conflict – what will Putin do next?
As the rhetoric after the US, UK and French bombing of sites in Syria associated with their chemical warfare programme continues, what are we seeing happen with the Russian reaction and how is it likely to develop? Philip Ingram MBE, a former senior British Intelligence officer, gives his thoughts on the geopolitical manoeuvring and continued hybrid conflict we are seeing.
We have seen Putin go on the international offensive, emboldened by his political successes at home built on nationalistic fervour and fear, at a time when his economy is collapsing and when, in any normal democratic country, he would be held to account politically.
Putin sees the political cracks in institutions around the world as opportunities and he influences them as any old spy would do, by sticking his knife into them and wiggling it. That knife just happens to be propaganda, fake news, data manipulation and information operations, what the Russians have enshrined in their doctrine, маскировка (maskirovka).
That маскировка is being used to good effect to try and throw off any association with the Novichok agent attack on Sergei Skripal, the former Russian military intelligence officer, in Salisbury and the Syrian chlorine attack on Douma.
It has to be remembered that the primary audience for the маскировка campaign is domestic, attempting to make him look strong to his own people. His secondary audience is the increasing groups of conspiracy theorists who seem to believe anything that opposes a government or establishment view, no matter how incredible it sounds.
It is this group that acts as Putin’s voice – spreading the маскировка in their home territories and arguing its justification on social media outlets. They act as the маскировка knife in the institutional cracks across the West and turn it into a self-wiggling knife.
However, as his freedom to manoeuvre in the messaging battlespace is becoming more constrained as the details around the Salisbury attack and the Douma attack become clearer, we are seeing the hint of a chink in Putin’s маскировка armour. More and more claims from his officials fall into the fanciful bracket and they begin to sound like ‘Comical Ali’, Saddam Hussein’s spokesman before and during the Gulf War. It is a shame many don’t see this and continue to let closed minds fall to continued маскировка.
So what next, or are we already seeing it? The word that springs to my mind is Kompromat, the threat to or deliberate exposure of compromising material. Unfortunately for President Trump, the whole Mueller investigation puts him in an immediate position where he could be compromised. All Putin needs to do is say he had detailed discussions with Trump before his election and offered any help he could, and Trump would be sunk.
It is highly likely there is more and the indicator for this was US Ambassador to the United Nations Nikki Haley’s statement to the UN saying there would be increased sanctions against Russia, just to be told that for some unknown reason, President Trump had changed his mind and there would be no sanctions. The question why has to be asked. It is highly possible that Putin’s intelligence machinery will begin the slow drip feed of any Kompromat they have on Western figures over the coming months. The tabloids should be salivating.
The next possibility is to ramp up pressure on the West through increased cyber-attacks. We have already seen Russia’s capability with the NotPetya attack last year after North Korea was formally blamed for the earlier WannaCry attack. However, the relationship between North Korea and Russia is interesting and bears analysis as North Korea gives a plausibly deniable outlet for blame for Russian inspired attacks.
Dan North from the North Korean Monitoring site 38North.org has identified that a company called TransTelekom (ТрансТелеКо́м) has put a fast internet connection into North Korea alongside their older and much slower Chinese supplied connection.
TransTelekom is a major Russian telecommunications company that owns one of the world’s largest networks of fibre optic cables. The company is a full subsidiary of Russian national railway operator, Russian Railways who are owned by the Russian Federation.
WannaCry occurred only a few months before this new connection was confirmed live and over a similar period, North Korean missiles went from failing most of the time to being successfully fired and over increasing ranges almost every time. How was their technology improving so fast? Why would the Russian state want to help Kim Jong Un?
What doesn’t fit with Russia using North Korea to execute cyber-attacks on the West, is the planned Kim Jong Un / Trump meeting, but I suspect this is not all it seems on the surface. However, there is always the potential to use Iran as a plausibly deniable outlet. Time and incidents will tell. With Kim Jong Un and Trump, that is a whole new article, but it is unlikely to be the miracle ‘seeing of the light’ we are all hoping for.
So what? We are likely to see a steady increase in cyber-attacks, using novel and sophisticated methodologies ranging from the carefully targeted to the global releases. The finger of blame from these attacks will likely be pointed at non-Russian actors who I argue, will fall into the plausibly deniable bracket.
Putin’s machinery will take care not to escalate global anti-Russian sentiment too much as they can’t afford retaliation. However, cyberspace is interesting as it is globally unregulated in warfare terms: unlike the Land, Maritime, Air and Space environments, where the Geneva Conventions and Protocols and Outer Space Treaty regulate warfare, cyberspace is a free-for-all environment.
Should escalation occur then the Russian machinery has the ability to refocus western countries into a domestic protection stance. That protection will be from a sustained series of extremist Islamist and increasing number of right-wing inspired terror attacks.
If we look at how many of the attackers in the UK over the past 2 years have been inspired, ranging from the Finsbury Park Mosque attack to the Palace of Westminster attack, the internet has played a critical role in inspiring their terror.
The Russians have a clear history in Georgia, Ukraine and elsewhere of enabling terrorists and “freedom fighters” by whatever means to rise up against authority. Given the power of the internet, what is available in the Deep and Dark web and the power of how social media influences, it would be relatively straightforward for Russian inspired terror, prosecuted by plausibly deniable agents, to hit the streets of the UK and elsewhere. They have done it before elsewhere.
One thing that is clear when dealing with Russia is that they plan long, use non-standard tactics, work in the area of subtleties and fight dirty. They love it for other people to take the blame and love the ability to manipulate our politically naïve and will see it like ‘shooting fish in a barrel.’ We are in interesting times but given Putin’s political longevity and domestic political unity compared to any western country, we are in very dangerous times and are currently on the back foot. Now is the time for a firm, coordinated and robust defence based on subtle offence. I suspect our democratic systems will not allow this; we are losing.