CYBER SECURITY - A GEOPOLITICAL PERSPECTIVE

Introductory Presentation

Alex introduced the topic by noting that it would cover the misuse of technology - specifically hacking - and the political and human impact of that and started by giving a technicolour picture of what it looks like when crime, technology and geopolitics intersect. He then described the story of Maksim Yakubets:

​

“Maksim is 40 and he is very rich. He lives in Moscow. The FBI have placed a $5m ransom on his head on the grounds that he heads Evil Corps, a hacking organisation which has stolen more than $100million from western banks. He is in fact known in Russia as ‘the man who stole $100 million’. Maksim has the right connections. He is friendly with Putin's spokesman (Dmitri Peskov). He is married to the daughter of a senior FSB officer. Maksim is not a low-profile personality. He owns a Lamborghini in tasteful green and grey urban camouflage pattern - its number plate contains the Cyrillic letters BOP – ‘thief’ in Russian - and one of his associates has a pet lion cub. And there is zero chance of Yakubets, or his associates at REVIL, being extradited to the US. In part, this is because the cybercriminal groups based in Russia - in the low hundreds of individual hackers - serve a geopolitical purpose. They are a tool for the Kremlin to use to disrupt the West's open digital economy. And they are a repository of skills for the Kremlin to use - with plausible deniability - against Western infrastructure.”

Maksim is the most visible part of a whole industry - the ransomware industry - which has developed in Russia, Belarus and (until recently) the Ukraine over the past decade.  Today, 85% of criminal cyber-attacks on western companies are launched by groups based in Russia. Western companies are paying about $600m of ransoms to Russian criminal groups each year.

Alex then went on to set out some of the key trends on cyber ransomware:

We are almost 5 years on from the moment when Kremlin-backed criminal hackers unleashed NotPetYa, a malware which is estimated to have caused $10billion of damage commercially around the world. NotPetYa was conceived as a way of discouraging western companies from doing business in Ukraine. Since then, and you wouldn't guess this from the press, Western companies have become better at defending themselves from cyber attackers. From the summer of 2020, the overall severity and incidence of cyber-attacks on the corporate US had been declining steadily, at least for medium and large-sized companies. There are some good reasons for that:

​

• US companies have put in stronger digital perimeters. They have been encouraged to do this by their insurers. US companies find it difficult to be viable without cyber insurance. Their commercial partners often make this a condition of commercial contracts.

• Following the Presidential Order issued by Biden a year ago (12 May), US Government agencies directed more effort to dismantling the digital infrastructure of criminal cyber groups - including their payment channels.

• In the wake of the first face-to-face meeting between Biden and Putin in late 2021, the Kremlin warned ransomware hackers to stay away from US infrastructure. They did not want escalation.

• Conversely, cyber-attacks against European companies have been increasing as hackers look for easier targets, and ones where the political risk of retaliation against Russia is perceived by the Russian government to be lower.

So that is where the overall trends on cybercrime were going until this year. US trending down but still a massive problem, particularly for smaller companies. Europe trending up. Then Geopolitics intervened. On 24 February Russian forces invaded Ukraine. Cyber-attacks against Western companies (US and EU) slowed to almost a standstill - they have since resumed but at a much lower level. Suddenly the threat was paused. 

Two things happened in late February. The Kremlin probably directed cyber-criminal groups to focus entirely on disrupting Ukrainian infrastructure. And, conversely, the Ukrainian government began to use cyber offensively against Russia for the first time. Since its invasion of Ukraine, has been on the cyber defensive. For the first time in internet history they have suffered cyber attacks. The Ukrainian intelligence services, probably supported by western allies, have launched offensive cyber-attacks on Russian infrastructure. More damaging than this has been the surge in cyber-attacks by citizen hackers in the West. Anonymous - the grouping of citizen hackers in the west who like to term themselves "white hats", launched a series of hack and leak operations, publicising sensitive data from Russian government departments including personnel records. The Ukraine IT Army, coordinated by Ukraine's digital industry is now thought to be 30,000 strong. Its members receive a daily message identifying Russian Internet Protocol (IP) address ranges to target and vulnerability points to work on.

Russian victims of Distributed Denial Of Service (DDOS) attacks carried out by the Ukraine IT Army have included online payments systems, food and alcohol distribution networks (including the EGAIS (the Russian Unified State Automated Information System) portal which is crucial for the distribution of alcoholic beverages in Russia), aviation companies and government departments.  Anonymous now claims to have published more than 6 Terabytes of Russian data via DDoSecrets. Victims have included Elektrocentromontazh (ECM) the central organisation which designs and installs power generation facilities across Russia and leading Russian banks including the St Petersburg Social Commercial Bank. Anonymous’ termed all of this #OpRussia. Another example of crowd-sourcing the hacking was a US-based YouTube vlogger with 268,000 followers who video streamed on 28 April encouraging his followers to download an offensive cyber tool called “Liberator” and carry out offensive cyber-attacks against Russia using their own computer and a VPN. A dangerous precedent given that, in the UK and other Western countries, such activity is illegal. The YouTube video has been viewed 86,000 times.

So - for the moment - partly because of these factors, criminal cyber-attacks against western companies are paused. But - at some point in the future when Vladimir Putin decides that it suits his purpose - this will all change and we can expect a resurgence in cyber-attacks against western companies, particularly in Europe. This is because, for the moment, Putin does not want to escalate on cyber. He doesn't want cyber retaliation by Europe and the US when he is in the midst of a war. Once the war becomes more static, and negotiations start, however, we can expect him to reach for the cyber weaponry to remind the less resolute members of NATO of his ability to destabilise them.

When that moment will come is difficult to determine. We can guess that the military campaign will last until the end of 2022 and that a resurgence in cyber-attacks, particularly in Europe, will then take place.  

Alex concluded on a pessimistic note - by describing why that resurgence might be particularly damaging:

​

• Those Russian criminal groups have continued to collect points of cyber vulnerability - start points within western company IT systems for new ransomware attacks, even while their attention has been directed elsewhere. So, when they receive approval to re-start cyber-attacks against western companies, they will have a stock of cyber bridgeheads ready to exploit

• Those Russian cyber groups which survive the Ukraine crisis will have honed their skills and developed new techniques in their attacks on Ukraine. In Darwinian fashion, they will be stronger adversaries.

There is evidence that Russia is recruiting hackers from amongst its prison population, giving them the skills they need to go after western targets at scale.