A proxy war is underway in cyberspace, according to I.T. security analysts, and it is pitting numerous foreign institutions against Russian-speaking cyber militias beholden to President Vladimir Putin.
As has been evidenced by a steady wave of sophisticated cyberattacks targeting nation states and private sector organizations whose policies run counter to that of Moscow, Fox News is told groups of patriotic Eastern European hackers are using cyberattacks as a means to achieve Russia’s geopolitical goals.
Intelligence sources with knowledge of these cyberattacks tell Fox News the cyber militias are acting on behalf of the Putin regime. Furthermore, Fox is told security analysts have found evidence that Russian government-linked individuals have distributed cyberattack tools to these groups via underground web forums.
Over the last two years, analysts have researched web-based attacks leveraged against NATO, France’s TV5Monde, segments of the Polish financial sector, and the Dutch Safety Board – which concluded that doomed Malaysia Airlines flight 17 was actually brought down by a Russian-made missile. Researchers found evidence that each of those cyberattacks was carried out by different Russian-speaking cyber militias.
“We see this confluence of motive, where what looks like some recycled criminal malware has been upgraded in a sophisticated way,” said Keith Smith, vice president of threat intelligence for Colorado-based cybersecurity firm root9B. “A lot of people suspect that that's Russia’s attempt to force us as analysts to ascribe to a criminal organization what is in fact the actions of a nation state – Russia.”
The United States is in these hackers’ crosshairs as well. As economic sanctions were leveled against Russia after its incursion into Crimea and Eastern Ukraine, the cyber militias began widespread attacks aimed at U.S. government officials and segments of the financial and defense sectors. The hack attacks were in furtherance of a campaign dubbed “Operation Pawn Storm” by cybersecurity firm Trend Micro.
The Office of the Director of National Intelligence declined to comment on this activity, but in congressional testimony last year, DNI James Clapper publicly acknowledged the pervasiveness of Russian cyber activity aimed at the United States.
“The Silicon Valley of talent that exists in the world on a cyberattack and cybercrime perspective exists in Eastern Europe,” according to Trend Micro chief cybersecurity officer Tom Kellermann. “Most of those actors – who are the best hackers in the world, period – are beholden and pay homage to the legacy and the power of the former Russian and Soviet regime. They do so by acting out patriotically.”
Perhaps the most dramatic show of patriotic Russian cyber aggression came on December 23 when some 800,000 Ukrainians were left in the dark following a widespread power outage.
Soon after the incident, researchers at U.S. cyber intelligence firm iSight Partners found evidence that the blackout was the result of a cyber intrusion by one such patriotic hacking militia. The culprit, as determined by iSight’s analysis, was likely a Russian-speaking group dubbed “Sandworm Team,” whose name comes from its references to the science fiction series “Dune.”
ISight drew its conclusion after a piece of malicious computer code was found on the Ukrainian Power Authority’s system. That destructive malware, known as BlackEnergy3, is unique to that particular hacking group, according to iSight.
Sandworm has been implicated by the company for having carried out numerous cyberattacks with Russian interests in mind; most notably, attacks carried out against the Ukrainian government and NATO in 2014. And according to iSight officials, the group is one of many.
“We are actively monitoring seven different cyber espionage groups right now that we believe are of Russian origin,” said Steve Ward, iSight Partners senior director.
Researchers have found that the attackers utilized wiper malware to disable Ukrainian Power Authority computer systems, which is similar in nature to the destructive malware used in the 2014 cyberattack on Sony Pictures. But what makes the December hack on the Ukrainian grid a watershed moment, according to researchers, is the combination of the destructive component and the actual target of the attack.
According to Trend Micro’s Tom Kellermann, the December 23 incident is the first instance in which a specifically directed cyberattack was used to take down the energy sector in a given nation state.
And while experts argue that achieving a similar result against the U.S. power grid would be a far more complex task, nonetheless, this recent cyber-induced blackout has added fuel to already loud concerns over hackers’ mounting abilities to cause physical harm and destruction.
“You're seeing this cyber manifestation of attacks that can change, alter and diminish your physical reality,” said Kellermann. “What you have in cyberspace right now is a free fire zone.”
Matthew Dean is Fox News Channel's Department of Justice & Federal Law Enforcement producer. Follow him on Twitter @MattFirewall.
Catherine Herridge is an award-winning Chief Intelligence correspondent for FOX News Channel (FNC) based in Washington, D.C. She covers intelligence, the Justice Department and the Department of Homeland Security. Herridge joined FNC in 1996 as a London-based correspondent.