CYBER SECURITY - A GEOPOLITICAL PERSPECTIVE
25th April 2022
“Cyber features at the top of the risk register for many boards of companies and research institutions. The overwhelming majority of cyber-attacks on western companies are generated by criminal groups based in Russia and Belarus. This discussion will explore how Russia's invasion of the Ukraine has impacted the cyber threat and what cyber-attack trends we can expect to see over the next 6 months.”
The subject was introduced by Alex Creswell.
Alex retired from the British diplomatic service at the end of 2020 after 27 years in a variety of National Security roles often including a technology angle.
He led a division of GCHQ and was the Director of the 70-strong team of analysts (JIO) which provides the British Prime Minister’s daily intelligence briefing and writes strategic assessment papers for the National Security Council.
More recently, Alex was the FCO’s Head of Cyber and Technology, responsible for providing to the National Cyber Security Centre (NCSC) an important element of the UK’s operational defence against cyber threats.
Alex is now the public policy lead at Graphcore.
Alex introduced the topic by noting that it would cover the misuse of technology - specifically hacking - and its political and human impact. He started by painting a technicolour picture of what it looks like when crime, technology and geopolitics intersect, and then told the story of Maksim Yakubets:
“Maksim is 40 and he is very rich. He lives in Moscow. The FBI have placed a $5m ransom on his head on the grounds that he heads Evil Corp, a hacking organisation which has stolen more than $100 million from western banks. He is in fact known in Russia as ‘the man who stole $100 million’. Maksim has the right connections. He is friendly with Putin's spokesman (Dmitri Peskov). He is married to the daughter of a senior FSB officer. Maksim is not a low-profile personality. He owns a Lamborghini in tasteful green and grey urban camouflage pattern - its number plate contains the Cyrillic letters ВОР, ‘thief’ in Russian - and one of his associates has a pet lion cub. And there is zero chance of Yakubets, or his associates at REvil, being extradited to the US. In part, this is because the cybercriminal groups based in Russia - in the low hundreds of individual hackers - serve a geopolitical purpose. They are a tool for the Kremlin to use to disrupt the West's open digital economy. And they are a repository of skills for the Kremlin to use - with plausible deniability - against Western infrastructure.”
Maksim is the most visible part of a whole industry - the ransomware industry - which has developed in Russia, Belarus and (until recently) the Ukraine over the past decade. Today, 85% of criminal cyber-attacks on western companies are launched by groups based in Russia. Western companies are paying about $600m of ransoms to Russian criminal groups each year.
Alex then went on to set out some of the key trends on cyber ransomware:
We are almost 5 years on from the moment when Kremlin-backed criminal hackers unleashed NotPetya, a malware which is estimated to have caused $10 billion of commercial damage around the world. NotPetya was conceived as a way of discouraging western companies from doing business in Ukraine. Since then, and you wouldn't guess this from the press, Western companies have become better at defending themselves from cyber attackers. From the summer of 2020, the overall severity and incidence of cyber-attacks on corporate America had been declining steadily, at least for medium and large-sized companies. There are some good reasons for that:
US companies have put in stronger digital perimeters. They have been encouraged to do this by their insurers. US companies find it difficult to be viable without cyber insurance. Their commercial partners often make this a condition of commercial contracts.
Following the Presidential Order issued by Biden a year ago (12 May), US Government agencies directed more effort to dismantling the digital infrastructure of criminal cyber groups - including their payment channels.
In the wake of the first face-to-face meeting between Biden and Putin in late 2021, the Kremlin warned ransomware hackers to stay away from US infrastructure. They did not want escalation.
Conversely, cyber-attacks against European companies have been increasing as hackers look for easier targets, and ones where the political risk of retaliation against Russia is perceived by the Russian government to be lower.
So that is where the overall trends on cybercrime were going until this year. US trending down but still a massive problem, particularly for smaller companies. Europe trending up. Then geopolitics intervened. On 24 February Russian forces invaded Ukraine. Cyber-attacks against Western companies (US and EU) slowed to almost a standstill - they have since resumed but at a much lower level. Suddenly the threat was paused.
Two things happened in late February. The Kremlin probably directed cyber-criminal groups to focus entirely on disrupting Ukrainian infrastructure. And, conversely, the Ukrainian government began to use cyber offensively against Russia for the first time. Since its invasion of Ukraine, Russia has been on the cyber defensive. For the first time in internet history they have suffered cyber attacks. The Ukrainian intelligence services, probably supported by western allies, have launched offensive cyber-attacks on Russian infrastructure. More damaging than this has been the surge in cyber-attacks by citizen hackers in the West. Anonymous - the grouping of citizen hackers in the west who like to term themselves "white hats" - launched a series of hack-and-leak operations, publicising sensitive data from Russian government departments, including personnel records. The Ukraine IT Army, coordinated by Ukraine's digital industry, is now thought to be 30,000 strong. Its members receive a daily message identifying Russian Internet Protocol (IP) address ranges to target and vulnerability points to work on.
Russian victims of Distributed Denial of Service (DDoS) attacks carried out by the Ukraine IT Army have included online payment systems, food and alcohol distribution networks (including the EGAIS portal, the Russian Unified State Automated Information System, which is crucial for the distribution of alcoholic beverages in Russia), aviation companies and government departments. Anonymous now claims to have published more than 6 Terabytes of Russian data via DDoSecrets. Victims have included Elektrocentromontazh (ECM), the central organisation which designs and installs power generation facilities across Russia, and leading Russian banks including the St Petersburg Social Commercial Bank. Anonymous termed all of this #OpRussia. Another example of crowd-sourcing the hacking was a US-based YouTube vlogger with 268,000 followers who video streamed on 28 April encouraging his followers to download an offensive cyber tool called “Liberator” and carry out offensive cyber-attacks against Russia using their own computer and a VPN. This is a dangerous precedent given that, in the UK and other Western countries, such activity is illegal. The YouTube video has been viewed 86,000 times.
So - for the moment - partly because of these factors, criminal cyber-attacks against western companies are paused. But - at some point in the future when Vladimir Putin decides that it suits his purpose - this will all change and we can expect a resurgence in cyber-attacks against western companies, particularly in Europe. This is because, for the moment, Putin does not want to escalate on cyber. He doesn't want cyber retaliation by Europe and the US when he is in the midst of a war. Once the war becomes more static, and negotiations start, however, we can expect him to reach for the cyber weaponry to remind the less resolute members of NATO of his ability to destabilise them.
When that moment will come is difficult to determine. We can guess that the military campaign will last until the end of 2022 and that a resurgence in cyber-attacks, particularly in Europe, will then take place.
Alex concluded on a pessimistic note - by describing why that resurgence might be particularly damaging:
Those Russian criminal groups have continued to collect points of cyber vulnerability - start points within western company IT systems for new ransomware attacks - even while their attention has been directed elsewhere. So, when they receive approval to re-start cyber-attacks against western companies, they will have a stock of cyber bridgeheads ready to exploit.
Those Russian cyber groups which survive the Ukraine crisis will have honed their skills and developed new techniques in their attacks on Ukraine. In Darwinian fashion, they will be stronger adversaries.
There is evidence that Russia is recruiting hackers from amongst its prison population, giving them the skills they need to go after western targets at scale.
Three questions were posed to the tables; a summary of the discussions is presented below:
Discussion point 1:
What are the long-term implications of the current wave of "hacktivist" (cyber) attacks against Russian infrastructure and companies?
It was noted that in most countries hacking is a crime, but that in the current attacks on a pariah nation there was likely little motivation to enforce this. However, with a change in the political climate it was felt that such an army of hackers would seek alternative challenges. It was felt that early-developed IT systems, such as many in the UK, might become targets until updated. There was a general view that hackers could form a useful element of the ongoing development of cyber-security and should be ‘encouraged’ into such roles.
Discussion point 2:
How can use of offensive cyber in warfare be regulated?
The general view was that cyber warfare could not be regulated: there would be no point in regulation unless it is recognised and enforced in the countries where hacking takes place. Parallels were drawn with known breaches of the Geneva Convention, a more visible activity. Nuclear proliferation treaties might provide a model for a potential mechanism. However, regulation of servers by removing access for unethical uses was considered to be a possible avenue. Collective sanctions were felt to be a more viable method of achieving regulation of what was, essentially, an invisible activity.
It was felt that a focus on protecting critical infrastructure should be a priority.
Discussion point 3:
Should governments ban cyber ransom payments?
Although opinion was slightly divided, the general consensus was that banning ransom payments would be impractical and that it should be left to individual organisations to consider whether to pay ransoms for commercial reasons. However, it was also considered that if a policy of non-payment could be made to work, then it might encourage criminals to turn to other territories. A partial solution might be to legislate against the use of stolen data. It was considered that insurance had a role to play, but that it should cover the cost of recovery rather than serve as a means of paying a ransom.
It was further suggested that legislating minimum requirements for cyber security in business, in a similar manner to Health and Safety, might be worthwhile and that a protection fund similar to that existing for pensions and coal mining subsidence might be considered.