Russian Cyber Operations. Scott Jasper
denial of service attacks against attacking machines.”56 Countermeasures must not themselves “affect the obligation to refrain from the threat or use of force.”57
Despite these well-established legal regimes, Rep. Dan Donovan framed the political dilemma in his statement that “we currently do not know when a cyber attack is an act of war.”58 The closest criteria offered by Secretary Lettre are actions in the cyber realm that “threaten our ability to respond as a military, threaten national security, or threaten national economic collapse.”59 However, Lettre pointed out that each action would be assessed based on its type and consequences. Likewise, the European Union (EU) declares that cyberattacks from hostile actors “can be considered an act of war that under the most serious of circumstances justifies a response with conventional weapons.”60 This obscurity shows that America and its European partners continue to lack a clearly defined threshold at which cyber operations are perceived as an act of war. It might not matter, since the term war has been replaced by the term armed conflict for most international legal purposes.61 Accordingly, a solid international legal framework exists to govern how the United States and other countries should respond to cyber operations. Therefore, this book will draw on expert interpretations of the UN Charter, together with related customary international law, to classify Russian cyber operations and the methods allowed to counter them, with appropriate legal terms and references.
Technical Means
To retain anonymity and avoid attribution, malicious actors employ technical means for intrusion, evasion, and deception to prevent detection and verification, association of responsibility, and determination of intent. Attack vectors are methods for intrusion into an information asset. Examples of common attack vectors are phishing of individuals and the use of stolen credentials.62 Malicious actors are constantly refining social-engineering methods to trick users into clicking malicious links or attachments that contain malware, or into providing their username and password for a protected website.63 Common tactics to make bogus emails appear authentic are using domains named to look valid yet with an intentional minor error (often only a single wrong letter or number) so as to deceive the target, adding subdomains under a valid domain, or disguising a website URL with a shortener.64 Credentials can also be stolen by keyloggers (used to monitor and log keystrokes) and password dumpers (used to obtain a hash or a clear-text password from the operating system).65 Attackers also compromise legitimate websites for what is known as a watering hole attack. Victims who routinely visit the site are tricked into activating pop-up alerts or are infected by embedded exploit kits that automatically scan their machines for vulnerabilities in an operating system or application. The exploit code in the kit takes advantage of the vulnerability, such as a coding flaw, to gain access to a system.66
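The three email-authenticity tricks described above (a look-alike domain off by one character, a valid brand name buried in the subdomains of an unrelated domain, and a URL shortener that hides the destination) can each be caught by a simple link-triage heuristic. The following is an added example written for this page, not code from the book or from any product it cites; the protected-domain list, the shortener list, and the sample URLs are constructed for illustration, and the "registrable domain" logic is a deliberate simplification that ignores multi-label public suffixes such as `co.uk`.

```python
"""Phishing-link heuristics for the three domain tricks in the text.

Given a URL from an email, report:
  * lookalike:<domain>        registrable domain is one edit away from a
                              protected domain (e.g. examp1e.com)
  * brand-subdomain:<domain>  a protected brand label appears as a subdomain
                              of an unrelated domain (e.g. example.com.evil.net)
  * shortener                 registrable domain is a known URL shortener
All lists below are constructed for this example.
"""
from urllib.parse import urlsplit

PROTECTED_DOMAINS = ["example.com", "examplebank.com"]     # constructed list
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}     # constructed list


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of the host ('login.example.com' -> 'example.com').
    Simplification: does not handle multi-label public suffixes like co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str) -> list:
    """Return the list of findings for one URL; an empty list means no trick matched."""
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(host)
    findings = []
    if reg in PROTECTED_DOMAINS:
        return findings                      # genuinely under a protected domain
    if reg in SHORTENERS:
        findings.append("shortener")
    for good in PROTECTED_DOMAINS:
        if levenshtein(reg, good) == 1:
            findings.append(f"lookalike:{good}")
        brand = good.split(".")[0]
        # brand label used as a subdomain of a domain that is NOT the protected one
        if brand in host.split(".")[:-2]:
            findings.append(f"brand-subdomain:{good}")
    return findings


if __name__ == "__main__":
    for u in ["https://login.example.com/reset",     # constructed samples
              "http://examp1e.com/login",
              "http://example.com.evil.net/",
              "https://bit.ly/abc",
              "http://examplebank.co/"]:
        print(u, "->", classify_url(u) or "clean")
```

The edit-distance check is intentionally strict (distance exactly 1) so that short, unrelated domains do not produce noise; in practice the protected list would be the organisation's own domains plus the brands its users most often receive mail from.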
Malicious actors also infect software-update processes with malware in what are termed software-supply-chain attacks. These attacks have recently been observed in destructive campaigns, in addition to nation-state espionage.67 Malware is malicious code intended to perform an unauthorized process and is inserted into a system to compromise the victim’s data, applications, or operating system.68 Attackers use polymorphic malware that changes its signature to evade detection. By making simple changes to the code, an entirely new binary signature is generated for the file.69 Polymorphic malware also changes its characteristics, such as file names or encryption keys, to become unrecognizable by common detection tools.70 Other techniques used by malware for evasion include encryption during execution, compression of the file, binding with a legitimate file, and increasing the size of the file.71 Obfuscation of the malware code, by encoding plain-text strings or adding junk functions, makes analysis difficult. Malware can also avoid detection in a sandbox, which is a virtual analytical environment, by detecting sandbox-related registry keys, files, or processes and altering its behavior.
The latest trend for the category of evasion is the use of fileless malware, which infects a system by inserting itself into memory instead of writing a file on the disk drive, making detection difficult because antimalware products search for static files that attempt to run on a machine’s local storage.72 Fileless malware attacks are estimated to account for 35 percent of all attacks in 2018 and are ten times more likely to succeed than file-based attacks.73 Threat actors can use a scripting language such as Microsoft PowerShell to infect a system with fileless malware—for example, to retrieve and execute a ransomware payload into memory. PowerShell is normally used to automate administration tasks such as running background commands, checking services installed on the system, terminating processes, and managing configurations of systems and servers. Adversaries can use PowerShell to run an executable using the Start-Process cmdlet or to run a command locally or on a remote computer using the Invoke-Command cmdlet. Since PowerShell has resided in every Windows operating system since 2009, it is unlikely to be blocked outright by system policy.74 Hence, scripting languages such as PowerShell, JavaScript, VBScript, and PHP aid attackers in operations and perform tasks that otherwise would be manual. Scripts have replaced traditional code and corresponding traditional delivery mechanisms.75 They are also easy to obfuscate and thus difficult to detect. For instance, PowerShell can be obfuscated by command shortcuts, escape characters, or encoding functions.76 Its ability to run directly from memory makes it even stealthier.
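Because PowerShell is present on every Windows host and its command line can be hidden behind the encoding and escape-character tricks just described (and the string-encoding obfuscation noted in the previous paragraph), a defender's first line of visibility is process-creation logging with the encoded command decoded back to plain text. The following is an added example written for this page, not code from the book: a small triage routine that decodes `-EncodedCommand` arguments (PowerShell expects base64 of UTF-16LE text), then scores the visible and decoded text against the cmdlets the text names as abused (Start-Process, Invoke-Command) plus a few common obfuscation and hidden-window indicators. The log lines and the `timestamp|host|user|commandline` layout are constructed for the example; a real source such as Windows event 4688 or Sysmon event 1 would be mapped to the same four fields.

```python
"""Triage PowerShell command lines from constructed process-creation logs."""
import base64
import re
from typing import Optional

# Indicator patterns; each hit adds one point. Decoded content adds two more.
SUSPICIOUS = [
    r"\bInvoke-Command\b",                       # remote/local command execution
    r"\bStart-Process\b",                        # launches an executable
    r"\bInvoke-Expression\b|\biex\b",            # runs a string as code
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b",
    r"-nop\b|-NoProfile\b",                      # skip profile (common in scripted abuse)
    r"-w(indowstyle)?\s+hidden",                 # hide the console window
    r"-ep\s+bypass|-ExecutionPolicy\s+bypass",   # ignore script policy
    r"\[char\]",                                 # char-code string building
    r"`",                                        # backtick escape-character obfuscation
]

# -e / -ec / -enc / -EncodedCommand <base64>
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand text, or None if absent/undecodable."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score(cmdline: str) -> dict:
    """Score one command line; the base64 blob itself is excluded from pattern matching."""
    decoded = decode_encoded_command(cmdline)
    visible = ENC_RE.sub("-EncodedCommand <blob>", cmdline)
    text = visible + ("\n" + decoded if decoded else "")
    hits = [p for p in SUSPICIOUS if re.search(p, text, re.IGNORECASE)]
    return {"encoded": decoded is not None, "decoded": decoded,
            "hits": hits, "score": len(hits) + (2 if decoded else 0)}


def triage(log_lines) -> list:
    """Parse 'ts|host|user|cmdline' records and score the PowerShell ones."""
    results = []
    for line in log_lines:
        ts, host, user, cmd = line.split("|", 3)
        if "powershell" not in cmd.lower():
            continue
        r = score(cmd)
        r.update(ts=ts, host=host, user=user)
        results.append(r)
    return results


def _b64_utf16(text: str) -> str:
    """Encode text the way PowerShell's -EncodedCommand expects (constructed sample helper)."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


# Constructed sample log lines: one routine admin task, one hidden encoded
# remote command, one non-PowerShell process.
SAMPLE_LOGS = [
    "2024-03-01T10:01:02|WS01|alice|powershell.exe -NoProfile -Command Get-Service",
    "2024-03-01T10:05:40|WS02|bob|powershell.exe -w hidden -nop -enc "
    + _b64_utf16("Invoke-Command -ComputerName SRV01 -ScriptBlock { Start-Process notepad.exe }"),
    "2024-03-01T10:06:00|WS03|carol|cmd.exe /c dir",
]

if __name__ == "__main__":
    for r in triage(SAMPLE_LOGS):
        print(r["ts"], r["host"], r["user"], "score", r["score"], r["hits"])
        if r["decoded"]:
            print("   decoded:", r["decoded"])
```

The scoring is deliberately additive rather than a single signature: a routine `-NoProfile Get-Service` scores low, while the hidden-window encoded invocation of Invoke-Command and Start-Process scores high even though none of those words appear in the raw command line. Thresholds and the indicator list are the tunable parts; what matters is that the decoded text is what gets matched.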
Attackers have also made malware more potent by adding self-propagating, worm-like functionality to cause widespread damage.77 Worms leverage software vulnerabilities to spread across networks in an automated fashion.78 In addition, attackers use legitimate administrative tools such as PsExec to move laterally across networks and either infect other systems or find valuable data.
The use of the category of deception can mislead others “while they are actively involved in competition with you, your interests, or your forces.”79 Deception causes ambiguity, confusion, or misunderstanding in adversary perceptions.80 Cyber deception effects for the attacker include “fail to observe (prevent the defender from detecting the attack), misdirect (focus the defender on a different attacker), and misattribute (induce the defender into thinking that the attacker is someone else).”81 An example of technical means for the classification of “fail to observe” is a DDoS attack that serves as a diversion. For the second classification of “misdirect,” attackers use false flag operations, where false claims or implanted evidence imply that a third party was responsible.82 For instance, Russian hackers belonging to the APT28 cyber-espionage group took control of the television channel TV5Monde in France in April 2015 and posted jihadist messages supposedly from the Cyber Caliphate (linked to the terrorist group ISIS), most likely to cover the group’s destructive tracks.83 Likewise, an implanted language string, time zone, or build-environment artifact does not mean the attack originated from a certain actor. For example, Russian hackers from the Main Intelligence Directorate, the GRU, used North Korean IP addresses to make an attack on South Korea during the 2018 Winter Olympic Games look like the work of North Korean hackers.84 Finally, for the classification of “misattribute,” states employ proxies to divert or take the blame. Proxies are generally defined as “non-state actors with comparatively loose ties to governments.”85 Proxies in cyberspace are normally found in patriotic hackers, criminal organizations, hacker groups, or advanced persistent threat (APT) groups. Adm. Michael Rogers, the former commander of US Cyber Command, testified that foreign governments’ use of criminals and other hackers gives them the “ability to say, it’s not us, it’s criminal groups.”86
Framework Application
James Clapper, former director of national intelligence, testified that “Russia is assuming a more assertive cyber posture based on its willingness to target critical infrastructure systems.”87 An examination of Russian cyber operations employed in a 2015 cyber incident targeting critical infrastructure in the energy sector in Ukraine demonstrates an application of the technical and legal framework for classification of the attack and any allowable response. The Russians were able to breach isolated power systems by the theft of field workers’ credentials and eventually cause damage to systems and