Security Experts:

Russian Outsourcing Provides Plausible Deniability for State-Sponsored Hacking

Last week, Russian president Vladimir Putin apparently conceded that patriotic Russian hackers may have been involved in the DNC hacks last year. "If they are patriotically minded, they start making their contributions - which are right, from their point of view - to the fight against those who say bad things about Russia."

Putin served in the KGB, Russia's primary security agency, for 16 years, leaving with the rank of Lieutenant Colonel in 1991. He understands international intelligence and espionage. When he suggested the DNC hacks could have been done by patriotic Russian hackers, it was almost a taunt: I know the truth; you know the truth; but you cannot prove anything.

The reality is that all nations have their own 'patriotic hackers'. The US has The Jester (@th3j35t3r), who describes himself as a 'hacktivist for good'. In 2012, he DDoS'd John Young's Cryptocomb, calling it a 'treasonous site'. While the site was down, it responded with the message, "Cryptocomb will be back after the state sponsored attack ends."

Russian Hacking

This is the dilemma caused by 'patriotic hackers'. Was Jester sponsored by the US government? Almost certainly not. Is he tolerated by the US government? Almost certainly yes. At what point, if ever, does tolerance become sponsorship? It is this imponderable that Russia uses with great efficacy.

Yesterday, threat detection firm Cybereason posted the latest of its analyses on nation-state hackers -- this one on Russia. Putin's comments are mainstream to the Russian methodology for state hacking: plausible deniability by outsourcing state activities to private hacking groups.

While outsourcing hacking now seems to be common practice for many nations, Cybereason suggests that Russia has been doing it longer, and does it better. "The maturity of the Russian approach allows for considerable advances in oversight for these types of operations in addition to more creative uses of the outsourced labor," writes the Cybereason Intelligence Group.

This, suggests Cybereason, has been happening for more than a decade; or at least since the Russian Federal Security Service (FSB, formerly the KGB) used its "long standing ties to Russian national criminal and hacktivist communities... with the large scale DDoSing of Estonia."

This formal/informal relationship between the state and cybercriminals has produced a sophisticated and semi-protected criminal industry. Provided that the hackers do not break the rules, they will be tolerated: patriotic hacking is tolerated and even guided, while internal cybercriminal activity is not. This is tantamount to Russian hackers being able to hack the Five Eyes nations and Europe with a degree of impunity, provided they do not embarrass the state.

It also means that outsourced Russian hackers are able to mix business and personal profit. In March 2017, the US DoJ believed it had sufficient evidence to charge both the FSB handlers and the outsourced criminals Alexsey Belan and Karim Baratov over the Yahoo hacks. But, writes Cybereason, "Belan was using his official task, gain access to Yahoo accounts for FSB intelligence and counterintelligence purposes, and using it to turn a profit by manipulating search algorithms to drive web traffic and credit card skimming."

Russia, it continues, "has the most technically advanced and bold cybercriminal community in the world and are more than capable of causing significant damage with whomever they attack from countries to corporations."

But it is not all plain sailing. Not all the private actors reside in Russia. As they become increasingly emboldened and sophisticated, and can now use cryptocurrencies to hide their tracks, the FSB's ability to coerce them diminishes. Nationalism and patriotism may not sufficiently temper profit in the future -- or, as Cybereason puts it, 'emboldened actors will occasionally bite the hand that feeds them.'

"Russia's model," concludes Cybereason, "while effective in the short run has the significant potential to be a revisiting of the proxy groups used by both the Soviet Union and the United States during the Cold War. Short term goals may be accomplished, but the long-term ramifications are harder to predict and often end up outweighing the short-term gains. Given the global strike capability that hackers in cyber space have, it is far more likely that this proxy war will have a far more reaching and international impact than the last round."

Meanwhile, this 'proxy' cyberwarfare provides all nations with plausible deniability. Attribution in cyberspace is almost impossible. Only the intelligence agencies with physical assets and the ability to directly eavesdrop on suspects will know the truth -- and they can never publicly declare those assets for fear of losing them. Putin plays this plausible deniability card with aplomb.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.