Joanthan discusses how Russian cyberwar capabilities are turning out to be different than expected in the Ukraine war, but not nonexistent. Moscow’s reported deployment of wipers indicate that Russia has developed capabilities in a different manner than we have, and that we make a mistake in assuming they would take the same path. Russia may also be holding back on attacking capabilities that it depends upon as much as the Ukrainians. He takes a deeper look at what we know so far.
Christian Whiton (00:00): Welcome back to Cyber Context, the podcast featuring Jonathan Moore, the Chief Technology Officer of SpiderOak. I’m Christian Whiton. Jonathan, we’ve had some new developments with the Ukraine war. When this war started, when Russia invaded Ukraine over a month ago, there were some hints of cyber activity, but not a lot of information. Some hints of activities against satellites, but again, awfully vague on the details. Can you bring us up to speed? What’s happened more recently, and have we gotten more information about what took place in the early phases of the war? Jonathan Moore (00:49): Well, I think we’ve got a little more, maybe not clarity on exactly what took place. I think to be clear, a lot of computers that might have been hacked have been blown up. And also, it’s very clear that the information we’re getting out from the Ukraine is very much driven by Ukrainian propaganda, and that’s totally appropriate. They show the Russian tanks they blow up, not the tanks of theirs that Russia blows up. And they haven’t really addressed the cyber impacts Russia has had on them. So we may have seen some of the opposite. So again, our information is limited, but we are getting a lot of really useful and interesting details. Jonathan Moore (01:33): And I think that we should also maybe briefly talk about the hacktivism and external stuff that’s been going on simultaneously, because some of that’s interesting as well. But to address the Russian question head on, there’s been a lot of questioning of, “Well, did Russia not have a cyber capability? Where is it? Did they not bring it? Is it held in reserve?” Something I have hypothesized, and I believe I probably mentioned this on the last time we talked, is that a lot of it has to do with us having a misunderstanding of what Russian cyber capabilities are. Not that they have a lack of capabilities, but they’ve developed them differently than we have. Jonathan Moore (02:17): I think additionally, there’s also a big disconnect from the analytical and pundit dream of the cyber war, the clean electronic war that didn’t leave bodies in the streets or buildings crumbling, where I think the analysis I’ve heard that makes a lot more sense to me is that there’s just war, and cyber is a component of a military campaign. And you may see cases where you do see cyber being the major engagement, but when you’re trying to literally have a land grab and overthrow a regime, of course, cyber is not going to be the only component involved. Jonathan Moore (02:58): So in the context of this war in the Ukraine, what we now know is that the Russians have deployed at least seven unique wipers. And so these are software they’ve built to be deployed to a device and cause that device to become nonfunctional, destroying any data that’s on it. And so we’ve seen six different wipers that are deployed against IT infrastructure, as well as a seventh, which is what was actually used in the Viasat attack. So to start there is the endpoints were terminals that had an embedded Linux operating system, and the adversary installed malware on those. It was a wiper that destroyed the system from within. It wasn’t just the configuration change or something like that. It was an active piece of malware that did that damage. Jonathan Moore (03:53): And that’s interesting because I believe that was actually a PowerPC architecture. They weren’t just taking something off the shelf and putting out there. It was a unique piece of software. And the way, generally, that attackers have done overall is that they found an improperly protected bit of infrastructure. They accessed that and then moved laterally through that network to gain ability to push updates to the modems and push this malware to it. So I think that’s an interesting kind of thing. And when we look at these, we look at these wipers that were done against the IT infrastructure, I think these are all very credible military targets and military attacks. It’s unfortunate there’s collateral damage, but there’s the infrastructure that was being used to defend Ukraine. It’s the infrastructure used by the civilian government to organize and command its troops. It’s the infrastructure used by those governments and those militaries to communicate and affect operations. Jonathan Moore (04:55): So I think what we’re seeing is a valid and restrained use of cyber in war, and I think what we were all looking for was, “Oh, hey, capabilities like we saw where the US disabled the Iranian air defense system, supposedly. Capabilities with stocks where there’s incredibly deep hacked malware that’s jumping air gaps and covertly destroying equipment.” We’re looking for things like flame that use novel cryptographic attacks against certificates to get a code signing certificate for Windows. And I think the US and some of its partner states have developed some incredibly … I was thinking it’s deep capabilities in cyber, but I think the way to look at it is not that Russia didn’t show up. The way to look at it is that Russia made different strategic decisions. Jonathan Moore (05:55): These capabilities must be developed far in advance. You can’t just be on Saturday being like, “I think I want to take down Iranian air defense,” and on Sunday do it. These take months’ or years’ worth of continual penetration, research development and understanding to enact. I mean, I don’t really know. Maybe they did make that decision overnight, but I think if you’re going to look in the average case, if you want to regularly have those kind of capabilities, it requires a sustained long-term investment. And the thing is that most of those investments, you’re never going to use. You’re holding there in case, right? And hopefully we’re not going to use any tactical, any nuclear weapons, and we’re developing those under the same kind of regime. But if you look at the capabilities that Russia has built, they’re very flexible, they’re very cheap, and they can be deployed in a lot of different environments. And so I think you’re looking at an investment that has a lot better short-term returns, and maybe just better returns on average for the average hour or dollar spend developing those capabilities. Jonathan Moore (06:58): So I think that the big picture here is that in terms of Russian’s capabilities, is that they absolutely have shown up with cyber capabilities. They’ve deployed them to meet their military and political goals, and they’ve actually done so with some restraint and effectiveness. I think what has surprised people that I think maybe is interesting to ask broader questions about is the fact that, “Why does the Ukraine have internet access at all? Why weren’t they able to deny communications across the area completely?” Some of that I think actually has turned out is that Russia actually needed to depend on those same capabilities to wage its campaign, but maybe there are other deeper questions there. Jonathan Moore (07:43): And I think that’s the area where we probably, as a community, should explore more and really understand some of these other things that seem like we would’ve expected Russia to go after, they didn’t. Is that because they didn’t want to upset the civilian population, because they to use those capabilities, or because they couldn’t take them down? I think we do have to realize that Ukraine had an awful lot of help from the west leading up to the war to secure the systems that they needed. And there are certainly stories of the heroic network operators in the Ukraine right now who are working 24/7 to keep those telecommunications systems up and running, to support the population and the government. Christian Whiton (08:23): Right. When you say, with the malware, with the wiping that was pushed through updates, to a layman like me, that actually sounds a little like SolarWinds, which I believe was attributed to Russia. I guess you never really know if it’s Russia or China behind these things. In anything that you’re seeing so far, are lessons learned from those more recent sophisticated hacks, like SolarWinds being used? Is that what was used with this wiping technology, or is it pretty separate? Jonathan Moore (08:54): Well, I think it’s both the same and very different. So in this case it was an internal management interface used an enterprise management tool to manage the fleet of modems that are operated in joint operations with their customers, right? So the customer buys or rents the modem, and Viasat helps to maintain that capability on premise with the customers. And SolarWinds is a management tool to be used by service providers who are doing outsourced IT and other kinds of things to help manage their customers’ IT infrastructure. So structurally, they’re the same in terms of the type of technology they apply and problems, but organizationally, they’re very different, being a tool that’s added on top of an existing product to allow a third party to manage your networks versus part of the first party capability. Jonathan Moore (09:53): But I think the big lesson is that supply chain attacks are going to be a serious threat going into the future. If we are able to make a significant impact on other kinds of malware spread through phishing campaigns or Excel macros or whatever the vector is for the malware, that adversaries are going to increasingly look to supply chain attacks. And I think what you can see, the power of them, we’ve seen this in the NotPetya was a supply chain attack. We’ve seen CCleaner as a supply chain attack. We’ve seen a large number of these supply chain attacks. They’re not the common case today, but what you see is when they are deployed, they have such a breadth in their attack that they can be incredibly effective, and the return on investment can be very high. Jonathan Moore (10:49): I think the downside of these supply chain attacks, the adversaries, is they tend to be less covert because you’re attacking an entire population simultaneously. So they’re not good for covert operations, but if you want to make a big effect quickly, these supply chain attacks are things we should be really concerned about. Christian Whiton (11:09): Hmm. With the exploit used, with the wiper used against Viasat, and you’re someone who spends a lot of time thinking about satellite security, communication, security encryption, is that something where they let their guard down and should have you think been aware that this vulnerability existed, or was it pretty unique the way it was done? Do you think we’re going to come out of this with a realization that our satellites need a lot better encryption and zero trust concept of design and just better security all around, or is it too early to draw conclusions? Jonathan Moore (11:50): Well, to be clear, this is an attack against the terrestrial terminals used in the satellite network, so the terminals that talk to the satellites, that live on the ground. But I think what is clear is that we really should be concerned about [inaudible 00:12:13]. I guess the thing was, this was not actually a very difficult attack. I mean, it showed planning and effort and a desire to succeed by the adversary, but it’s not like, “Wow, that was incredibly complex and novel.” It was a fairly standard set of you find your way into the network, you move laterally, and then you deploy against your target kind of strategy of attack. Jonathan Moore (12:40): So I think at that level, it is very typical of what you see in intrusions into IT systems and not special. The unique nature of it was the target, and the use of a wiper targeted to an IOT device. So I think there’s some unique aspects, but largely, it’s not exciting and interesting. And it shows the real dangers of centralized authority and not having strong controls around the application of that authority. We do need those, right? You do want the IT admins at your corporate network to be able to manage the computers they’re responsible for, and that involves a lot of centralization. But the controls around protecting that centralization are not adequate. The controls against protecting … A company is the thing that issues an update to their software, right? So that is an inherently centralized action, but the controls put around protecting those don’t look to be adequate in almost any environment. Christian Whiton (13:51): Are you surprised at all by the lack of at least obvious, old fashion, electronic warfare, or maybe it’s happening and just not making headlines. But- Jonathan Moore (14:01): [crosstalk 00:14:01] Christian Whiton (14:03): … jamming of radars and just jamming the micro transmissions. Jonathan Moore (14:07): We’re absolutely seeing that, but there’s some complications in it, right? So HawkEye 360 has a report, which you can go look at, about their detective GPS jamming in areas in which Russian military forces are active. The Ukrainian forces captured a Russian electronic warfare unit, and it has since been shipped off to the US to be analyzed. So that’s actually probably a huge loss for Russian capabilities in that the US now has electronic warfare units in their hands to take apart and really deeply understand. Jonathan Moore (14:49): So I think we absolutely have seen the EW out there in the field and lots of evidence of it, and even some of the artifacts. But I think there’s another side of the story is that one of the surprising things here is the level, and this goes back to this common thread of the logistical challenges that the Russian forces have had, and they have not been equipped with the latest secure comms equipment. They’ve actually very heavily relied on the Ukrainian civilian infrastructure, like literally making phone calls with burner phones back to Russia to report the death of a Russian general. And so we’ve gotten this very rich signals intelligence that the Ukraine is using well for propaganda and publishing these conversations, audio recorded to these conversations to show the failure of Russia. Jonathan Moore (15:45): I mean, again, it’s propaganda. So we have to take it, understand its intended message, but we’ve also seen other things where many of the Russian troops were just given consumer radios, and you can go to open source SDR listening stations around the world and get recordings of Russian troops asking for support. So, I mean, one of these things, coming back to that, is that the electronic warfares, they can’t use electronic warfare against the technologies they’re using for their own comms. So because they seem to have not supplied their troops with enough secure comms that can work even when the electronic warfare is active, there’s a lot of areas they’re not able to use it as much as well. Christian Whiton (16:31): It’s pretty amazing for an army with such a fearsome reputation and people who have a pretty strong reputation of using military technology aggressively, the idea of secure portable communications is nothing new, and it’s stunning that they’re in this position. You mentioned earlier hacktivism. Thinking back to World War II, a number of film producers who weren’t particularly known for leading virtuous lives or intense patriotism maybe before the war, during the war turned their good skills and deeds into propaganda for the US. The people like Frank Capra made films, Why We Fight, and there are a number of others who made patriotic and important films. Christian Whiton (17:23): So you think of creative people turning their skills to the use of one side in the war. I mean, is that how we should think of some of these hacktivists? Are some of them actually people who are engaged in ransomware and other forms of cyber attacks who are now helping the Ukrainians and attacking the Russians, or is it more sophisticated than that? Jonathan Moore (17:46): I mean, I think we’ve seen a couple of different groups. So there’s the cyber partisans out of, I believe, or, quote, unquote, out of Belarus, where it is not really clear, are one of the most interesting actors, and they seem like a genuine hacktivist group that has had actual real effects around the Russians’ ability to wage war. A card they played, I think more than once, has been to disrupt the automatic signaling on the Belarusian train system that has prevented … The Russian military depend very heavily on rail, I think largely as an artifact of the size of the country and its smaller population. And so by disrupting rail operations, they’re actually able to disrupt troop movements and cause significant delays in operations and even changes in plans. Jonathan Moore (18:40): So I think that’s one area they’re very interesting. They have a well organized campaign that seems to be having real effects. So there’s that kind of hacktivist group. There is state actors who are opposing the hacktivists. Those are hard to call out clearly, but actually, before I get to that, let me see the other side, which is there are then the Russian cyber criminals that are in some ways very literally the Russian cyber reservists who are being conscripted or voluntarily becoming activists and fighting for the cause of Russia. Jonathan Moore (19:23): And then in this case of the state actors, we’ve seen both hacktivists hacking some of these Russian cyber groups and dumping all of their information, dumping internal logs for years, doxing them, providing information on them. But then we’ve also seen other groups who have dumped very detailed dossiers on various actors and who they are and where they live and what their bank accounts are or whatever that sure looks like it might have been some state group, which just decided to leak this intelligence under the name of a hacktivist, which is right out of the Russians playbook. Guccifer 2.0 is generally well accepted to be Russian state actors leaking stuff as a hacktivist. So this is a common playbook that the various powers use these days, is when they want to leak something, they have a hacktivist leak it. Jonathan Moore (20:28): And then we’ve also seen the Ukrainian cyber reserves, or Foreign Legion, maybe, is a better way to put it, which they have had an open call for people to come contribute. And I think there has been a large amount of that. So you see a lot of people that are supporting the Ukraine in that way. And then there’s also all of these hacktivists, these Western hacktivists are non-aligned with Russia hacktivists, wherever they come from, hacking Russia. And I think that in some ways, tacitly, people or have seen they’ve been given tacit permission that it’s open season to hack Russia right now. Jonathan Moore (21:15): And so if you’re a professional in the InfoSec or IT community, or just a hobbyist, I don’t think it’s there’s any official word, but I think the community feels that it is tacitly acceptable now to just go hack Russia, and you’re not going to see repercussions for that, which from a policy standpoint, it’s actually very dangerous because there’s no deconfliction, and what are these people going to do when the war is over? Are they going to stop hacking, or are they going to and keep doing it because it was providing them some value, or are they going to keep doing it and move into the criminal regime, or who knows? Jonathan Moore (21:59): I mean, I think one of the lessons from the privateers of more of history was that when you decide you don’t want them to do it anymore, it’s very hard to get them to stop. So I think that’s going to be an interesting outcome of this. So we have those groups. We have, of course, Ukrainian government people doing their job. We have Russian government actors do their things. We have the hacktivists on both sides. We have the state actors pretending to be hacktivists, and then we have these reservists. So I think it’s a very big, complicated mess. And I’m sure there will be PhD theses and think tank pieces written about this for many years to come. Christian Whiton (22:49): Right. It’s funny when you mention privateers, I also think about that Robert De Niro movie, The Ronin. These are cold warriors who have all these skills developed during the Cold War and know ostensible enemy. So they don’t turn to good deeds. They turn, lamentably, to crime. It has a happy ending, though. With Russia’s own defenses, I guess we don’t know much about them, or maybe we do. A lot of people talk about how China and Russia have been pushed together more and more. Financially, they’re going to be more linked as a result of this war, as a result of the sanctions of the war. Christian Whiton (23:25): But I wonder if also China, being opportunistic, isn’t looking at this for lessons to apply if it wants to invade Taiwan, but might also be thinking, “Gee, if we ever need to invade Russia for all of those natural resources in the East, which are in a very thinly populated part of Russia, and what we thought was this amazing military might not be so strong,” or course they have a big nuclear deterrence. But who knows? Maybe that’s susceptible to hacking. I don’t know. Christian Whiton (23:51): If you’re a big malevolent power like China and looking at Russia, or frankly, if you’re the United States, and we’re thinking now, all right. So maybe Ukraine is little like the Spanish Civil War. It’s the warmup to something bigger that’s coming down the road. Are there lessons we’ve learned about what to use against Russia itself from this? Jonathan Moore (24:12): I mean, I think that’s definitely going out of my depth, but certainly as I’ve been trying to understand how this conflict is evolving from a cyber standpoint, I’ve read of a lot of other things. And I think the danger there is to assume that Russia’s capability in one type of war is going to be mirrored in another type of war, and I think that when you ask, “Can Russia defend itself?” I think that’s a very different question than, “Can it have a campaign in a foreign place?” It is built heavily out to defend itself. It has its internal rail system. It has its supply depots. Some of the logistics in supply chain problems, logistics problems it had will not exist if you were to try to invade them. Jonathan Moore (24:58): And in the same way, that’s the advantages that Ukraine has had, right? They don’t have a logistics problem because they’ve got all of their stuff set up where it needs to be, where Russia has to bring in fuel. It has to bring in food. It has to bring in force into the Ukraine. I think it would be dangerous to assume that we would see the same kind of response if we tried to in invade Russia. But again, I don’t really know. One lesson that seems to have come from this is that there’s been a lot of corruption in the way money was spent in the Russian military, and that they may not be as well equipped as they thought they were at the time, at least. Christian Whiton (25:34): Right. That’s right. Yes. It seems to be pretty epic. Perhaps, finally, as far as what hasn’t happened, or maybe what did happen, early in the war, there were some reports, and actually it was before the actual kinetic part of the war happened of distributed denial service attacks against Ukrainian government websites. Okay, big deal. So maybe for a day or two, you can’t get the info you wanted from the health ministry or whatever. Perhaps more seriously, there were reports of ATMs not working in Ukraine, but that seemed to be pretty limited. Have you heard anything more about that, or do you think that’s just a case where the banks are the ones that are actually the best defended? Jonathan Moore (26:19): I don’t think we’ve heard more, but it’s not clear that that’s how the Ukrainian economy is functioning right now. So I wouldn’t want to draw conclusions. If I were a Ukrainian citizen, would I depend on the banks working tomorrow? I probably wouldn’t. So maybe they’ve just shifted. I think one other area that we didn’t touch on that I think that reminded me of it, is one thing we have seen is the Russia or Russian aligned hackers repeatedly hacking Ukrainian news websites and things and posting fake stories about the Ukrainian surrender. None of them have seemed credible at all, and it’s not like it seems to be having an effect, but that’s another area which we see the deployment right now. I don’t know that the banks are never defended, I just wonder if people are changing the way they operate. Jonathan Moore (27:11): I mean, that is one of the things that we always have to remember is that where cyber is deeply integrated into our supply chains at a global scale. At a local scale, if you know your grocery store’s cash register stopped working, they can just take cash. If they can stock those shelves, they will take money. So I think it certainly can make operations less efficient, right? At a global scale, we can’t back away from IT, or we can’t back away from comms because it has made us so much more efficient. Jonathan Moore (27:45): And as we’re looking at drastically reshaping our energy economy, we’re looking at feeding a world of tens of billions of people in the middle of a decade, the efficiency gains that can be had through communications versus, “Well, I planted my grains, I harvested them, and I took them by cart to the market to sell them,” that’s a significantly less efficient system than, “Well, I know exactly where the demand is and what they want.” So I think IT infrastructure now, but that’s at the macro scale. I think in the micro scale, people can work things out. I mean, whether it’s a gift economy or barter, if they have food, they’re probably not going to let their citizens starve in this environment. Christian Whiton (28:31): Right. Probably why I should have a few silver coins in the safe and maybe a ham radio to communicate in the case of nuclear war. Jonathan Moore (28:40): Shortwave, shortwave. That way you can listen to- Christian Whiton (28:41): Shortwave. I think that is a- Jonathan Moore (28:42): A broadcast from the listening stations. Christian Whiton (28:44): That’s right. And you can get anywhere at night on shortwave, right? Jonathan Moore (28:47): When the atmosphere is right and you can bounce off the atmosphere, you can get to the other side of the world. Christian Whiton (28:53): That’s right. I think at the state department, we were trying to get North Korea from California at one point. Jonathan Moore (28:59): Yeah. Christian Whiton (29:00): All right. Well, that’s all the time we have for this episode of Cyber Context. That was Jonathan Moore, Chief Technology Officer of SpiderOak. I’m Christian Whiton. If you like what you heard, please subscribe to our podcast. We’ll be back again soon with another episode. Thanks.