Though hardly as sexy-sounding as SMERSH, the Stalin-era Soviet counterintelligence organization – much puffed up by Ian Fleming in his James Bond novels – the designator "APT28" may refer to a Russian, or at least Moscow-linked, outfit with truly mass disruptive capabilities in cyberspace. SMERSH was an acronym for smyert shpionam (roughly, "death to spies"), while APT refers to the "advanced, persistent threat" that the FireEye cyber security firm has studied so closely – in particular its activities before and during the Russo-Ukrainian conflict. And what is known thus far about APT28 is most troubling.
In Ukraine, the group – its capabilities are clearly beyond the capacity of any individual – has launched disruptive attacks on critical infrastructure, as well as on Internet connectivity. Government and military communications have also been targeted. The key tool – but hardly the only one – is Uroburos, malware that infects and takes over machines, exfiltrates sensitive data, passes false commands, and causes shutdowns. Interestingly, the scope, scale, and specific targeting engaged in against Ukraine mirror quite closely the patterns of cyber attack witnessed during the Russo-Georgian War of 2008.
Russia is alleged to be involved in a range of other recent high-profile cyber incidents as well. Last October, the White House admitted its information systems had been hacked – with Moscow-friendly perpetrators being the prime suspects. And in January of this year, the pro-Russian group Cyber Berkut ("special police") got into German Chancellor Angela Merkel’s and other German government sites, disrupting them and leaving messages criticizing German support for the Kiev government of Ukraine. These hacktivist incidents were in some respects like the cyber attacks on Estonia in 2007 – but that earlier case was more far-ranging, mounting costly strikes against banking and other economic targets as well.
And it is in the realm of economic cyberwar that the Russians have been concentrating of late, according to Kevin Mandia, founder of the cyber security firm Mandiant. Just before the opening of the G20 summit meeting in Brisbane, Australia last November, Mandia made the point explicitly that the Russian government was "actively condoning cyber attacks on Western retail and banking businesses." Expanding on his remarks, Mandia made clear that his conclusion was based on the inference that, given strict controls over cyberspace-based activities in and from Russia, it would stretch the limits of credulity to believe that Moscow was unaware of these hacks.
Circumstantial evidence abounds as well – but as yet there is nothing that would stand up in a criminal court as proving Russian culpability beyond a reasonable doubt. And so a form of covert cyber warfare, with costly economic implications, continues to unfold, much as groups of pro-Russian insurgents – including, it seems, many actual Russian soldiers – have been fighting in eastern Ukraine, with Moscow all the while denying involvement. We live now in an age of shadow wars, real and virtual.
It is thought that the Russians were engaging in covert cyber action of a very sophisticated sort as far back as the spring of 1998, when an extended series of deep intrusions into U.S. defense information systems began – and continued, the public record suggests, for quite some time. I was involved in some of the investigation into this matter, which was initially labeled "Moonlight Maze," and so can only refer readers to what has been openly reported. But the key point here is that there was a strong sense, even back then when the Russians were still reeling from the effects of the dissolution of the Soviet Union, that their cyber capabilities were quite substantial.
It is ironic that, just a few years prior to the Moonlight Maze episode, the Russians asked for a meeting to be held between a few of their top cyber people and some from the United States, the ostensible idea being to establish a process for avoiding hostile "incidents in cyberspace." The Russian delegation was headed by a four-star admiral who probably had in mind the analogy with preventing "incidents at sea." I was on the American team, and found the Russians’ ideas quite sensible – including their call to consider the possibility of crafting behavior-based forms of arms control in cyberspace. There is no way to prevent the spread of information technology that can be used for cyber warfare; but there can be agreement not to use these capabilities aggressively, or against civilian targets, etc. The Russian idea was akin to the controls that exist today over chemical and biological weapons – many nations can make them, but virtually all covenant never to use them.
I was very taken by the idea of cyber arms control, and recommended in my report on the meeting that the United States pursue these talks further. My recommendation was, to put it mildly, hooted down in the Pentagon where the view was that the Russians were afraid of us and were just trying to buy time because they were so far behind. Well, that was nearly twenty years ago. If the Russians were behind then – and I sincerely doubt it – they certainly are not now. Indeed, Russia is a cyber power of the first order, like China and a few others. And, like China, its cyber security capabilities are quite robust – much more so than American cyber defenses.
Ever since that fateful first Russo-American meeting of cyber specialists, the Russians have occasionally raised the prospect of cyber arms control at the United Nations. We have routinely rebuffed such suggestions. But perhaps it is time, all these years later, to reconsider the possibility of behavior-based agreements to limit cyberwar. After all, by now we know for sure the Russians are not making such proposals out of fear.