March 2020 — Booz Allen Hamilton analyzed 15 years worth, 2004-2019, of public documentation on activity by the GRU, Russia's military intelligence agency. Their report, Bearing Witness, is quite detailed, with 512 footnotes. Many organizations have analyzed the technology of the over 200 espionage, disruption, and disinformation incidents and campaigns. BAH was working on the psychology, the idea being that technical analysis tells us what has happened, while the psychology might provide some hints of what may happen in the future.
January 14 2014 —
Kaspersky Lab reported
that the Red October campaign had
infiltrated computer networks over the past five years
at diplomatic, government, and scientific research
It can steal data from the traditional target of workstations,
but also mobile devices including smartphones,
Cisco enterprise network equipment,
stealing data from USB devices and also recovering and
stealing their deleted files,
and from internal servers.
The attacks are under the control of center C&C servers
and are carefully customized for each victim.
that its exploits were written by Chinese hackers
while some modules were created by Russian speakers;
the C&C server domains were registered by identities
*.ru email addresses.
The target organizations are mostly in Eastern Europe,
the former USSR, and central Asia, but are also in
Western Europe and North America.
Targets include Tibetan activists and Asian
military and energy sector targets.
However, Kaspersky saw no evidence linking this to a
nation-state sponsored attack, the information would be
valuable to a nation-state but might be traded in the
underground and sold to the highest bidder.
In December of the same year the security firm Blue Coat reported what they called The Inception Framework, a sophisticated cyber espionage system directed at companies and other organizations operating in Russia. The companies are from Russia itself, Romania, Venezuela, and Mozambique. Embassies and other diplomatic offices in Romania, Paraguay, and Turkey have also been hit. Kaspersky Labs says that this is a variant of the Red October APT, and called it after a more recent movie, Cloud Atlas.
March-May 2014 — BAE Systems reported on a large-scale cyber espionage by Russia targeting systems around the world, predominantly Ukrainian government systems at first and then including NATO systems. The Atlantic Council reported in May "Russian Cyber Campaign Continues to Penetrate NATO Ministries".
July 2014 — Sentinel Labs reported and issued a more detailed analysis on what they named "Gyges", an advanced persistent threat that appeared to come from Russia and target government orgranizations. They had spotted it back in March. As they said, "Gyges is an early example of how advanced techniques and code developed by governments for espionage are effectively being repurposed, modularized and coupled with other malware to commit cybercrime." They believe "it was used as a "bus" or "carrier" for much more sophisticated attacks such as government data exfiltration. So we started digging, and eventually recovered government traces inside the "carrier" code, which we later connected to previous targeted attacks that used the same characteristics. At this point it became clear that the "carrier" code was originally developed as part of an espionage campaign." It exfiltrated its data by an SSL connection to a C&C (command and control) server in Russia, part of IP block 184.108.40.206/24. That was part of the SevStar Network AS35816, Lancom Ltd., Sevastopol, Russia.
November 2014 — Recorded Future reported on Russian governmental cyber-espionage against companies involved in industrial control systems, pharmaceuticals, defense, aviation, and petroleum. They identified Uroburous, Energetic Bear, and APT28 as three main advanced malware families being used by Russia for espionage. They are used in a coordinated fashion — while all three are used aggressively, you seldom find more than one on a target system.
Uroburous was named by GData, Kaspersky calls it Epic Turla, BAE Systems calls it Snake and SnakeNet. It has been around since 2008 and targets governments, embassies, the defence and pharmaceutical industries, and research and education. Kaspersky has analyzed a Linux backdoor component. Also see this analysis.
Energetic Bear was named by CrowdStrike, Kaspersky calls it Crouching Yeti, iSIGHT Partners calls it Koala Team, and Symatec calls it Dragonfly. It targets aviation, defense, energy, industrial control systems and petroleum pipelines.
APT28 was named by FireEye/Mandiant, iSIGHT Partners calls it Tsar Team, Eset calls it Sednet, CrowdStrike calls it Fancy Bear, Trend Micro calls it Operation Pawn Storm, and others call it Sofacy and Sednit and STRONTIUM and APT28. It targets NATO and Eastern European governments and military agencies, the defense industry, and "Russian adversaries" as the report puts it.
FireEye/Mandiant also named APT29 and its backdoor component HAMMERTOSS. They suspect that it is sponsored by the Russian government.
January 2015 — A group calling itself "CyberCaliphate", posing as associated with ISIS, hacked the French television broadcaster TV5 Monde. The U.S. Defense Intelligence Agency's Russia Military Power Report 2017 reported this, attributing it to an article on channelregister.co.uk.
June–July 2016 — A group posing as a hacker calling himself "Guccifer 2.0" claimed in early 2016 to have broken into Hillary Clinton's private e-mail server, and in June 2016 claimed to have broken into the Democratic National Committee's computer network. The messages claimed that Guccifer was Romanian, but several analysts pointed to inconsistencies within the writing, saying that it appeared to be from multiple people, some of them Russian.
CrowdStrike's analysis is that Fancy Bear is affiliated with the GRU, Главное Разведывательное Управление or Main Intelligence Department, the primary military intelligence service, while Cozy Bear is affiliated with FSB, Федеральная Служба Безопасности, the foreign intelligence service formerly known as KGB.
On 22 July 2016 WikiLeaks published 20,000 Democratic National Committee emails. Analysis immediately pointed to Russian involvement, an attempt by Russian to influence the coming U.S. election and make Donald Trump the U.S. President. The intrusions were further operations of Fancy Bear (see above) and another known Russian operation called Cozy Bear. It wasn't collaboration, both groups independently broke into DNC systems and stole the same data. The intrusions had been happening since the summer of 2015, and both were expelled from the system on 11-12 June. The emails were released at the end of the week before the Democratic National Convention.
13 August 2016 — A group calling itself the ShadowBrokers dumped an archive onto PasteBin containing what seemed to be NSA exploits used to attack systems from Cisco, Fortinet, and others. Securelist showed how an unusual implementation of RC5 and RC6 links that archive to the Equation Group (see more on that group below). According to a Reuters story, NSA believes that an employee or contractor left them on a publicly exposed computer. Investigators were assuming that the Shadow Brokers were affiliated with the Russian government.
30 September 2016 — Newsweek magazine published a story reporting on Donald Trump's violation of the U.S. trade embargo against Cuba. The magazine's web site was then hit with a DDoS attack linked to Russia. See the stories in the Talking Points Memo and in Dark Reading.
October 2016 — The U.S. Office of the Director of National Intelligence and the Department of Homeland Security announced that they were confident that the Russian government was behind intrusions into "U.S. political organizations", a reference to breaches at the Democratic National Committee and the Democratic Congressional Campaign Committee.
"U.S. government officially accuses Russia of
hacking campaign to interfere with elections"
Washington Post, October 7 2016
At the Wall Street Journal CEO Summit on 15 Nov 2016, Admiral Mike Rogers, the director of the National Security Agency, said: "There shouldn't be any doubt in anybody's mind. This was not something that was done casually. This was not something done by chance. This was not a target that was selected purely arbitrarily. [...] This was a conscious effort by a nation-state to attempt to achieve a specific effect." See reports in The Hill, The Washington Post, and The Wall Street Journal.
December 2016 — The Washington Post published a story about CrowdStrike's analysis of the link between the malware used in the DNC intrusion and that used to track an Android phone app used by the Ukrainian army during its fight against pro-Russian separatists in eastern Ukraine in 2014-2016.
CrowdStrike determined that the attackers were they group that they had initially called "Fancy Bear", which turned out to be the GRU, Russian military intelligence. The FBI is reported to have privately concluded that the GRU was behind the DNC hack, but to have said nothing publicly.
Washington Post, 22 Dec 2016
Russian interference in 2016 U.S. Presidential election
The U.S. intelligence community and the Department of Homeland Security concluded that Russian civilian and military intelligence services had attacked and penetrated U.S. government and private sector entities. They broke into Democratic National Committee servers in 2015 and 2016, and published stolen data on the Internet. Details from these documents dominated news coverage for several days immediately before the November 8th election, which Hillary Clinton appeared to be leading by a wide margin until the final week. U.S. intelligence and DHS labeled the activity as GRIZZLY STEPPE. On 29 December, President Obama announced sanctions against Russia. President-Elect Donald Trump, the beneficiary of the Russian hacking, first tried to dismiss and later downplayed the reports.
U.S. Office of the Director of National Intelligence
August 2017 — News stories were reporting on automated "bots" affecting opinion through blogs, Twitter, and Facebook, refining techniques for the 2018 U.S. elections.Russian
In 2017 we started seeing reports of
GPS spoofing by Russia
in central Moscow and in the Black Sea.
The U.S. Department of Transportation
issued a global maritime advisory.
New Scientist USA Today CNN Wired UK
July 2018 — USA Today reported that Russia had been meddling in 27 countries in Europe and North America since 2004. The action ranged from active cyberattacks to disinformation.
Attempted Russian interference in 2018 U.S. mid-term election
Several media outlets along with the U.S. Department of Defense istelf reported that the U.S. Cyber Command disrupted the activities of a Russian "troll factory" on the day of the 2018 U.S. mid-term election.