Inside Cyber Warfare

Jeffrey Carr

Part 13

Report Chapter

Even with a bulletproofed network, it's important to remember that while the Kremlin provides open and global Internet access to its citizens, it also collects and controls all of the data originating within its borders.

A recent interview with Anton Nosik, the editor-in-chief of the Russian news website, was published in the Russian online newspaper the New Times. In it, Nosik spoke of SORM-2 (System of Operation Research Measures), which copies every byte of Internet traffic coming from Russian households and businesses and sends it to the Federal Security Service (FSB) via a redundant array of inexpensive disks (RAID).

Nosik also pointed out that the Kremlin either owns the pipes (Rostelekom, Transtelekom, and Elektrotelekom) or controls the licenses of every communications channel in Russia. This degree of control may work against the Russian Federation if an international body determines that it could have acted to stop cyber attacks originating from within its borders but didn't.

The Kremlin and the Russian Internet.

One of the most difficult questions that the Project Grey Goose team faced in investigating the cyber war between Russian and Georgia was whether there was evidence of Russian government involvement. Our key finding in October 2008 was: We a.s.sess with high confidence that the Russian government will likely continue its practice of distancing itself from the Russian nationalistic hacker community thus gaining deniability while pa.s.sively supporting and enjoying the strategic benefits of their actions.

While forum members are quite open about their targets and methods, we were unable in this round of collection/a.n.a.lysis to find any references to state organizations guiding or directing attacks. There are several possible explanations as to why this is the case.

There was no external involvement or direction from State organizations.

Our collection efforts were not far-reaching or deep enough to identify these connections.

Involvement by State organizations was done in an entirely non-attributable way.

The situation has since changed. In February 2009, the Russian media reported a story that has provided new evidence pointing to how the Russian government sponsors and pays leaders of Russian youth organizations to engage in information operations, up to and including hacking, to silence or suppress opposition groups.


Nashi ( is short for Molodezhnoye demokraticheskoye antifashistskoye dvizhenye "Nashi" (translation, "Youth Democratic Anti-Fascist Movement 'Ours!'"). Its logo is shown in Figure 7-9. It was formed in 2005 to either counter the possibility of another youth revolt like the 2004 Orange Revolution in Ukraine or counter a growing interest in n.a.z.ism in Russia. Funding for the group purportedly comes from Russian business owners; however, there has been widespread speculation that it receives government funding as well, which has been strengthened in recent days by the Anna Bukovskaya story (related later in this section).

Figure 7-9. The Nashi logo One of the most important supporters of Nashi is Vladislav Surkov, the first deputy chief of the presidential staff and, more importantly, a man who has the ear of Russian Prime Minister Vladmir Putin.

Surkov intends to use Nashi to enforce the Kremlin's will regarding RUNET communications, i.e., "Ensure the domination of pro-Kremlin views on the Internet" (published by The New Times Online in Russian, February 16, 2009). That's easier said then done, particularly since that effort was tried and abandoned about 10 years ago by RUNET co-founder Anton Nosek.

Surkov has a new plan that involves the enlistment of Russian youth organizations, including Nashi and United Russia. He has organized a March 2009 conference with about 20 key people in the Russian blogging community, as well as leaders of the aforementioned youth organizations, some of whom include: Maksim Abrakhimov, the Voronezh commissar of the Nashi movement and blogger Mariya Drokova, Nashi commissar and recipient of the Order for Services to the Fatherland Second Cla.s.s medal for her "energetic" work in the area of youth policy Mariya Sergeyeva, leader of the United Russia youth wing Young Guard Samson Sholademi, popular Russian blogger Darya Mitina, former state duma deputy and Russian Communist Youth Union leader Other attendees included Russian spin doctors who specialize in controlling the messages communicated via the blogosphere. The objective was a straightforward Information Operation: The aim of the conference is to work out a strategy for information campaigns on the Internet. It is formulated like this: "To every challenge there should be a response, or better still, two responses simultaneously."

A source who is familiar with the process of preparations for the meeting explained: If the opposition launches an Internet publication, the Kremlin should respond by launching two projects.

If a user turns up on LiveJournal talking about protests in Vladivostok, 10 Kremlin spin doctors should access his blog and try to persuade the audience that everything that was written is lies.

Although this campaign concerns internal Russian politics, it demonstrates the IO model that the Kremlin uses across the board, including what happened in Georgia in August 2008 thanks to the influence of Vladislov Surkov. His strategies were captured in the book Chronicles of Information War (Yevropa publishing house, Moscow, 2009), written by two Kremlin spin doctors, Maksim Zharov and Timofey Shevyakov. The following is from the book's introduction: Net wars have always been an internal peculiarity of the Internet-and were of no interest to anyone in real life. The five-day war showed that the Net is a front just like the traditional media, and a front that is much faster to respond and much larger in scale. August 2008 was the starting point of the virtual reality of conflicts and the moment of recognition of the need to wage war in the information field too.

Confirmation on the relationship between Nashi and the Kremlin came on April 10, 2009, when Nashi commissar Aleksandr Kuznetsov entered the nation of Georgia en route to Tbilisi to conduct an anti-government rally with 15 or 20 other Nashi members scheduled for April 16. Kuznetsov was arrested at the border, and during his interrogation he produced a letter from the Russian Duma's Committee on Youth Affairs, requesting Russian officials along the way from Moscow to Tskhinvali to a.s.sist the "Moscow-Tskhinvali-Tbilisi Motorcade" in its mission. Nashi founder Vasili Yakemenko currently heads that committee.

In Vladimir Socor's report of this event for the Eurasia Daily Monitor (April 17, 2009), he writes that Kuznetsov's statements provide corroboration for earlier reports that Nashi is funded by First Deputy Chief of Presidential Staff Vladislav Surkov.

The Kremlin Spy for Hire Program.

Anna Bukovskaya is a Nashi member and St. Petersburg activist who was paid by the Kremlin to spy on opposition political youth movements, according to an article in the Moscow Times (February 6, 2009): Anna Bukovskaya, a St. Petersburg activist with the pro-Kremlin Nashi youth group, said she coordinated a group of 30 young people who infiltrated branches of the banned National Bolshevik Party, Youth Yabloko and United Civil Front in Moscow, St. Petersburg, Voronezh and six other cities.

The agents informed Bukovskaya, who pa.s.sed the information to senior Nashi official Dmitry Golubyatnikov, who in turn contacted 'Surkov's people' in the Kremlin, Bukovskaya told the Moscow Times. Vladislav Surkov is President Dmitry Medvedev's first deputy chief of staff.

The agents provided information on planned and past events together with pictures and personal information on activists and leaders, including their contact numbers, Bukovskaya said by telephone from St. Petersburg.

They were paid 20,000 rubles ($550) per month, while she received 40,000 rubles per month, she said.

Bukovskaya provided more details during an interview on Russian Ren TV (February 4, 2009): [Bukovskaya] The project was to become more aggressive, i.e., videos and photos to compromise the opposition, data from their computers; and, as a separate track, the dispatch of provocateurs.

In other words, computer espionage was part of the services Nashi provided, which isn't surprising, since Konstantin Goloskov, one of the Russian hackers who acknowledged launching distributed denial of service (DDoS) attacks against Estonia, was a commissar in Nashi.

In March 2008, Nashi hackers were accused of orchestrating a series of DDoS attacks against the Russian newspaper Kommersant. A Nashi spokesperson denied that the group was involved.

In October 2007, another Russian youth movement known as The Eurasian Movement of the Youth (ESM) launched a DDoS attack against the president of Ukraine's website, shutting it down for three days. Furthermore, both Nashi and the ESM partic.i.p.ated in protests against the Estonian in Moscow in May 2007.

The blog Windows on Eurasia (May 31, 2007) points to evidence that the FSB guides and encourages youth hackers such as the ESM to act on behalf of Russian government interests. For example, in early 2007, the ESM ( threatened to disable the website of the Ukrainian Security Service: ESM, the Russian radical youth organization that has been using sophisticated computer a.s.sets capable of disrupting a government computer network and eager to do so for political reasons, also vowed to disable the website of the Ukrainian Security Service (, SBU, in the near future, unless Yushchenko dismisses Valentyn Nalyvaychenko, SBU's pro-NATO chief.

Russian journalist Andrei Soldatov wrote about the relationship between the FSB and Russian hackers in an article for Novaya Gazeta (May 31, 2007), beginning with Russian students from the Tomsk region attacking the Chechen news website in 2002. Following the attack, the regional FSB office in Tomsk issued a special press release that said, "[T]he actions of the students do not contradict Russian law but rather is an expression of political orientation and worthy of respect" (Google translation from the Russian).

Soldatov also refers to the National Anti-terrorism Committee (NAC), which was established in 2006 by Vladmir Putin and chaired by Nikolay Patrushev, the director of the FSB, as having an interest in utilizing members of the Russian hacker community when it was in its interest to do so.

Sergei Markov, Estonia, and Nashi.

On March 3, 2009, Sergei Markov, a state duma deputy and member of the Unified Russia party, partic.i.p.ated in a panel discussion with Russian and US experts, including James Lewis of the Center for Strategic and International Studies, about information warfare in the 21st century. During that discussion, Markov stunned everyone present by announcing that it was his a.s.sistant who started the Estonia cyber attacks in 2007. The following quote comes from Radio Free Europe, which broke the story on March 6, 2009, on its website: "Markov, a political a.n.a.lyst who has long been one of Vladimir Putin's glibbest defenders, went on to explain that this a.s.sistant happened to be in 'one of the unrecognized republics' during the dispute with Estonia and had decided on his own that 'something bad had to be done to these fascists.' So he went ahead and launched a cyberwar.

"'Turns out it was purely a reaction from civil society,' Markov reportedly said, adding ominously, 'and, incidentally, such things will happen more and more.'"

Markov, a supporter of the Nashi youth movement, attended its second annual Innovation Forum on July 21, 2008-one day after the President of Georgia's website came under a DDoS attack and 19 days before Russia's invasion of Georgia.

A Three-Tier Model of Command and Control.

It's understandable to want to find a telltale piece of evidence that conclusively links the Kremlin with the actions of its hackers. However, it's important to realize that in the anonymous workings of the Internet, such a goal is not only naive, but it also doesn't accurately represent the relationships that have been built over the years between Russian politicians and organized youth a.s.sociations.

*** You are reading on ***

The historical evidence presented in this chapter points to a three-tiered model (Figure 7-10) that establishes command and control by the Kremlin through Nashi and other groups whose membership includes hackers, resulting in an organized yet open call for unaffiliated hackers to join in. Russian organized crime provides a protected platform from which these attacks can then be planned and launched. And all of this occurs while providing a cover of plausible deniability to the state. It's actually quite an impressive accomplishment from a strategic point of view.

In a follow-up article on the Security Fix blog, Krebs went into much more detail, naming the upstream providers that the RBN relied on to provide its Internet connectivity:, SBT Telecom, Aki Mon Telecom, and Nevacon LTD (Figure 8-2).

Figure 8-2. Map of companies providing network services to the RBN He also traced its history back to 2004, when it was known as "Too Coin Software" and "Value Dot," and then walked his readers forward to its present iteration: Nearly every major advancement in computer viruses or worms over the past two years has emanated from or sent stolen consumer data back to servers at RBN, including such notable pieces of malware as Gozi (, Grab, Haxdoor (, Metaphisher (, Mpack (, Ordergun (, Pinch (, Rustock, s.n.a.t.c.h, Torpig (, and URsnif ( The price for these malware products often includes software support, and usually some virus writers guarantee that the custom version created for the buyer will evade detection by anti-virus products for some period of time.

David Bizeul is a French security researcher who has written one of the best reports on the RBN to date (see Figure 8-3). He summed up its business focus quite succinctly: The RBN offers a complete infrastructure to achieve malicious activities. It is a cyber crime service provider. Whatever the activity is-phishing, malware hosting, gambling, p.o.r.nography...the RBN will offer the convenient solution to fulfill it.

Figure 8-3. The RBN-a crime service provider In any attempt to understand the influence of Russian organized crime in the cyber threat domain, a key distinction must be made between organized crime in Russia and elsewhere.

In the United States, the FBI and other agencies focus on how criminals may be infiltrating or, at the very least, influencing government offices. In Russia, the government infiltrates organized crime and establishes a reciprocal business relationship. The government provides protection in exchange for favors. Favors may range from making money to using a gang to implement state interests.

Richard Palmer made a similar case in his testimony before the House Banking Committee (September 21, 1999), wherein he explained how Russia is governed by the rule of "understandings" rather than the rule of law. According to Palmer, who spent 11 years with the Directorate of Operations at CIA, businesses operating inside the Russian Federation quickly learn that when it comes to collecting on bad debts or enforcing contracts, it's faster and cheaper to engage Russian criminals than wait for the Russian court system to take care of it. Unfortunately, the flip side of that equation is also true: it's sometimes cheaper to have the person you owe money to killed than to repay a debt.

In the case of the RBN, once media attention became frequent enough, the FBI sent several officials to Moscow to meet with its counterparts in the Federal Security Service (FSB). The purpose of the meeting was to share information about the criminal activities of certain individuals a.s.sociated with the RBN and how the Kremlin might want to remove such a presence from the Russian Internet. The Russian security officers excused themselves, and when they returned approximately a half hour later, they informed the FBI officials that they must be mistaken, that no such domains existed on RuNet.

Back at the US in Moscow, the FBI discovered that the more public domains formerly a.s.sociated with the RBN had been migrated to new IP addresses.

That's why it appeared that the RBN suddenly dropped from view. In reality it never went away; it just slipped back under the radar, away from any further media spotlight.

A Subtle Threat.

Tell Krebs nice job on Atrivo, but if he's thinking of doing McColo next, he's pushing his luck.

Investigating the Russian mob is one thing, but when an investigation may hurt profits, that's another, much more dangerous matter entirely. Shortly after his September 2008 coverage of Atrivo, Krebs received the aforementioned anonymous threat.

Atrivo is an interesting case study for this book because it ill.u.s.trates one of the problems yet to be addressed in cyber conflicts. What happens when a country is being attacked by malware that sits on a server within its own borders?


Atrivo, also known as Intercage, was a Concord, CA-based company that specialized in providing networks for spammers and other bad actors to use, many of which were a.s.sociated with the Russian Business Network.

The RBN relied heavily on two networks hosted by Atrivo: UkrTeleGroup, which routed traffic through the Ukraine; and HostFresh, which routed traffic through Hong Kong and China.

A report by iDefense named Atrivo as having the highest concentration of malicious activity of any hosting company in the world.

Thanks to the concentrated efforts of independent researchers such as Jart Armin and James McQuaid, as well as Brian Krebs's reporting of their work, Atrivo was dropped by its upstream providers and was effectively put out of business on September 22, 2008.

*** You are reading on ***

Popular Novel