Research Saturday 6.13.20
Ep 139 | 6.13.20
The value of the why and the who.

Dave Bittner: Hello everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Nate Beach-Westmoreland: In strategic threat intelligence, what we're trying to get at is understanding the logic, preferences, motivations, and intentions of adversaries.

Dave Bittner: Our guests this week are Brad Stone and Nate Beach-Westmoreland from Booz Allen. The research we're discussing is titled, "Bearing Witness: Uncovering the Logic Behind Russian Military Cyber Operations."

Nate Beach-Westmoreland: So, the GRU is a threat group that has had a tremendous amount written about it over the past decade. It's possibly one of the most thoroughly covered adversaries out there.

Dave Bittner: That's Nate Beach-Westmoreland.

Nate Beach-Westmoreland: As we were looking back on everything that's been written about it, we realized that there's really no comprehensive big picture that gets at understanding why the attacks happened. Why are they in this particular form, at this particular time, against these particular targets? So, given the amount of public attribution that we'd seen about this adversary, I think at Booz Allen we saw that there was a real opportunity to dive deeply and with confidence into connecting all of these attacks and operations together in order to try to find some big picture. What is the logic of GRU operations?

Dave Bittner: Brad, what can you add to that?

Brad Stone: Yeah, I think just beyond the specific motivations of one group, it's also a reminder – there's a lot of debate in the threat intelligence community on the value of the why and the who. And in this case, we're trying to remind the readers and the entire community that understanding the motivation of your adversary is really important in this conversation. It gives a prioritization, and it gives an ability to think forwardly against your adversaries, to drive the decision making, as not only a set of executives, but across an entire ecosystem. So often, you know, cyber threat intelligence can be viewed as a commodified kind of tactical problem, and some of this is to help folks remember, you know, the need for that strategic threat intelligence to get a full view of the battlespace and to make the right decisions no matter what your organization's facing.

Dave Bittner: Let's just start off with some introductory stuff here. Can you sort of describe to us – give us the setup here. What are we talking about in general, when we start a discussion about Russia's GRU? 

Nate Beach-Westmoreland: So, the GRU, or the Main Intelligence Directorate of the Russian Armed Forces, is Russia's military intelligence and special forces agency. They exist essentially in order to monitor world events and to use covert actions in order to secure Russian military interests. When we're talking about this military doctrine, we are looking at what does the Russian military think is their purpose? What do they think are the general modes of operation they should be using in order to secure their interests, to advance the GRU, the Russian military's goals? So, those are the two things we're really talking about – the GRU and the Russian military doctrine, the organization and how they think about the world.

Dave Bittner: One of the things that you unpack here is you lay out an analytical framework for understanding the Russian military and how they go about conducting their cyber operations. Can we delve into that some? What are you describing here?

Nate Beach-Westmoreland: All right, so, approximately every five to ten years, the Russian military publishes this document – it's a publicly available document in English and Russian and all manner of languages – called "The Military Doctrine of the Russian Federation." This is a strategic planning document, not a playbook. It is an expression of the Russian military's highest leadership's views of what their organizational purpose is, what their strategic goals are, and, in a thematic sense, how they think the military should be acting on those objectives.

Nate Beach-Westmoreland: On the surface, it's not really a shocking document about what they see as their goals. It's securing the Russian Federation from military threats. What gets interesting, I think, is what they define as a military threat. And some of this stuff, when you look at the report, you say, oh, of course, the Russian military is concerned about, you know, military exercises near their borders or the rise of new governments on their borders that are unfavorable to the Russian government. That's not a surprise that the military would be concerned about that. But it sees other things as military concerns. They're concerned about the preservation of patriotic, historical, national traditions. These are a military concern.

Dave Bittner: Hmm.

Nate Beach-Westmoreland: So, the question is, why do they see some of these things that we don't traditionally think as military concerns, as stuff that the Russian military cares about? In the report, we mention something called "informational conflict." This is a core idea amongst Russian strategic planners – that international relations shouldn't be thought of in terms of, say, traditional military conflict with, you know, missiles, guns, bombs. It's more broadly a conflict over ideas, over perceptions, over political will. And you use all facets of government in order to secure perspectives, political will, emotions that are supportive or at least not pushing back against your ability to secure objectives. So, you may care about unfavorable governments on your border that may have armies, may have militaries that would oppose you, but you also care that, say, people no longer think of the Red Army in World War Two as being a great savior for Eastern Europe, because they might not want to work with the Russian government in the future if they think of Russia as being a dangerous, a threatening country.

Dave Bittner: In this declaration of military doctrine, are there any particular things that stand out that to our sensibilities, to our Western sensibilities that leave us scratching our heads, or seem odd or misplaced?

Nate Beach-Westmoreland: So, one thing that the Russians are concerned about is provocation of Russian political strife. Now, in the US, we are of course, as we've seen over the past few years, very concerned about what role Russia has had in, say, influencing political discourse in the United States. From the Russian perspective, they are equally concerned about that happening in Russia, affecting political discourse in the country. The difference is that the West sees, say, overt political groups, open-society organizations, democracy-promotion groups – things that are above board – as acceptable. Whereas Russia considers all manner of political jockeying and political influence to be unacceptable within Russia. So that's, for example, a big disconnect that we see between Russia and the United States.

Dave Bittner: Hmm. The report goes into several case studies – can we dig into one or two of those, use them as examples for some of the things you've outlined here?

Nate Beach-Westmoreland: Sure. So, for example, Russia really cares a lot about fair dealings in international relations. You know, the idea that it is a major threat to Russian interests if there's a failure to comply with international agreements and treaties. So, what does that mean? The International Monetary Fund, the IMF, has traditionally said that a country may not receive loans if they are refusing to pay back existing loans to other countries. So, in this case, Ukraine in December 2013 had taken a major loan from Russia in exchange for better gas prices, natural gas prices. And after the Ukrainian government fell in a revolution in 2014, the new government in Ukraine said this was an unfair deal, we refuse to pay back this loan. Russia became very displeased with this, and understanding Russia's displeasure about this loan gives a lot of clarity into a series of cyberattacks that would happen over the next several years in Ukraine.

Nate Beach-Westmoreland: So, for example, in 2016, Russia's GRU disrupted power in Kiev, the capital of Ukraine, through cyber means. This attack, taken on its own, appears to be just another Russian attempt to scare, demoralize, and upset the people of Ukraine. But when we place it in the geopolitical context, it starts to make a lot more sense. The malware used in this attack, called "CRASHOVERRIDE," worked on a timer. It was set to go off on December 17th, 2016. And if it would not go off on December 17th, it had a backup date of December 20th. Those two dates are exceedingly significant related to this energy loan between Ukraine and Russia. December 17th was the anniversary of the 2013 loan agreement being signed between Russia and Ukraine, and December 20th was the one year anniversary of Ukraine defaulting on that energy loan. The target, Kiev, further drove home the political aspect, the political signaling of this attack.

Dave Bittner: It's interesting to me, with this notion of hybrid warfare and how the cyber domain applies to that – do Russia's skills and capabilities in the cyber domain provide them with an outsized amount of influence and capability relative to their size on the world stage?

Nate Beach-Westmoreland: So, Russia isn't unique in these capabilities. They may just be more aggressive and overt in using a combination of cyber capabilities, along with all the other capabilities of government in order to advance national interests. So, what we're talking about in the case of Russia is not just espionage, which so many other countries do in order to monitor problems around the world, but they're also combining it with information conflict. They're leaking documents, doing those leaks in combination with all those other capabilities of government.

Nate Beach-Westmoreland: So, for example, in May 2014, there was an election in Ukraine for the first new presidency of Ukraine after the Ukrainian revolution. We saw, on election night, a series of steps taken both in the cyber space and in the real-world space in order to advance narratives useful to the Russian government. The Russian government had tried to portray this new government in Ukraine as being hostile to Russian nationals, ethnic Russians inside of Ukraine, hostile to other non-ethnically Ukrainian minorities. And how did they do this in a combination of cyber and real-world means? The GRU – they attempted to sow doubt and fear that night by changing election results that were presented on the website of the Ukrainian Central Election Commission. They disrupted servers at the Ukrainian Central Election Commission, preventing them from determining the real results that evening. And then Russian-linked media began announcing these fake results that were being plastered on the Central Election Commission's website. This resulted in a nearly twenty-four- to forty-eight-hour delay in the ability to determine what the accurate results were, to communicate them to the public, and to convince the public that the Central Election Commission had their act together. Specifically, the fake results showed that an extreme, hostile, violent, right-wing politician had somehow managed to take power in this election, so therefore the Russians were right, it appeared, that hostile Ukrainian nationalists had taken over the country, and the Central Election Commission was now on its back foot trying to convey what the real situation was.

Dave Bittner: Now, obviously, as we head towards our election here in 2020 in the US, what are the lessons that we take away from this? Is this a cautionary tale? Is this a demonstration of efforts from the Russians to – a warning shot across our bow, if you will?

Nate Beach-Westmoreland: I think for election security generally, in countries that have difficult relations with Russia, we need to think more generally about what the end objective of this election interference is, and how Russia thinks about achieving those objectives. So there's a lot of discussion about, say, changing the actual vote totals through election machines, through voting machine hacking, and so forth. And that's really losing the sense of the big picture. It's not about, you know, trying to win an election by inserting fake vote totals that actually stick. It's about decreasing confidence in the electoral system. And so how did we see that in Ukraine? It's through just targeting the publicly available vote totals put on websites. So, in 2016, the Senate has said that the Russian operators were looking at, say, county websites, election commissions throughout the United States. The concern might be, well, the Russians are trying to change vote totals – like, the actual vote totals. But a much simpler and perhaps almost as useful tactic could have been, say, similar to the Central Election Commission in Ukraine, where you deface these websites. Website defacements are not a technically challenging thing to do; they're done by hacktivists, and the Russian government could easily do them against at least some targets, election commissions in countries with difficult relations with Russia.

Brad Stone: And if I could build on that point, if I may... 

Dave Bittner: Yeah.

Brad Stone: ...As a call to arms, it's as much – when you start thinking about high-value assets, often, I think the mind goes to the complex and really nefarious, and a motivated, resourced, and patient organization will find the easiest approach. And I think that's – when the doctrine is understood and the objectives are understood, it really gives an extra perspective into that view of high-value assets, which, no matter what the mission or the objective is, is kind of critical. It's always easy for organizations to figure out, yeah, I have high-value data and things, but this article and paper is intended to help folks think more broadly about what they're trying to protect, and their adversaries', you know, utility in disrupting that. So, you know, we've talked about elections, but that's across the spectrum of things. And that's where it's really important to have that context, because without that context, it's just viewed as a cat-and-mouse game, when it's much more complex than that.

Dave Bittner: Well, let's wrap up with that. I mean, taking – gathering together all the information that you have, taking this high-level view, and the breadth of things that you've looked into here – what's the through-line here? What's the take-home in terms of what people need to take away from this report?

Nate Beach-Westmoreland: What they need to take away is that geopolitical context matters. It's not just enough to understand how your adversary is conducting attacks, but to understand why they are conducting attacks. If you understand why attacks occur, you can predict what is coming next. Buying an IoC feed can help you secure against known attacks, but by looking at why attacks occur, you can start to design your security posture around what you think will happen in the future. So, that's one key thing.

Nate Beach-Westmoreland: The other thing is we need to be spending more time looking for non-technical indications and warnings of state-linked activity. What the report shows is that hacking, quote unquote, is just one tool in a government's toolkit to advance their agendas and secure their interests. Now, diplomacy, military, state-backed media – these can all be the shark's fin above the water that can tell you cyber threat activity could be coming. In many of the examples in our paper, we saw the Russian government coming out and saying we are going to threaten various organizations with legal action. We are going to sue the IMF, the International Luge Federation, a French shipbuilding company, due to various conflicts. And each of these threats ended up preceding cyberattacks we believe were related to these disputes. So look for the non-technical indicators to find indications of future state-linked activity. 

Dave Bittner: Yeah, that's fascinating.

Brad Stone: Yeah, that non-technical part, Dave, is just really a critical element of this. And that's the idea, again, of strategic threat intelligence. Everybody is challenged with not enough resources, not enough time. And so much of the industry is focused on accelerating response activities. But we hope folks read this report and think of the broader picture, as Nate laid it out. Because this is what CISOs and executives need to think through as they formulate their defense. And we're all just trying to be more proactive. We're trying to be ahead of the threat and we're trying to prioritize our resources. So making sure that this context – the "why" – is there is such a critical element to help organizations get out of that constant reaction mode that all of us face, and which really, in the end, is unsuccessful.

Dave Bittner: Our thanks to Brad Stone and Nate Beach-Westmoreland from Booz Allen for joining us. The research is titled, "Bearing Witness: Uncovering the Logic Behind Russian Military Cyber Operations." We'll have a link in the show notes.

Dave Bittner: Our thanks to Reservoir Labs for sponsoring this week's Research Saturday. Don't forget, you can learn all about them at

Dave Bittner: The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team working from home is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.