How CISOs can best assess geopolitical risk factors

A recent report on Russian-affiliated advanced persistent threats provides a template to help CISOs evaluate risk from nation-state actors.


Though they make up a small percentage of the overall threat landscape, attacks by nation-state-affiliated actors are among the most damaging. Some in the cybersecurity community believe these threat actors are too determined, sophisticated and unpredictable for most organizations to defend against.

A new report from Booz Allen Hamilton, however, suggests that actions taken by threat actors associated with Russia follow a series of predictable patterns and principles. That gives at-risk organizations a chance to better prepare for an attack. The research principles outlined in the report can apply to other state-affiliated advanced persistent threat (APT) groups.

The politics behind nation-state attacks

Knowing why you might be a target is the first step in defending against a nation-state threat. Most APT groups are affiliated with governments, and most governments make their long-term strategic goals publicly available.

“The specific significance of geopolitical developments on cyber operations is a blind spot in threat intelligence,” says Brad Stone, senior vice president in Booz Allen Hamilton’s cyber practice. “Organizations should see the value in thinking more critically about how geopolitical factors are impacting their cybersecurity and the need to integrate geopolitical intelligence into their cybersecurity capability.”

Kah-Kin Ho, senior director for EMEA Public Sector at FireEye, agrees that understanding politics is important as it informs CISOs not only of potential threat actors but helps direct strategic and operational decisions across the security function. “Both long-term aims and immediate geopolitics are equally important for CISOs to understand as they are essential components of strategic intelligence,” he says.

Ho adds that CISOs can use this information to justify investment in talent and countermeasures. It also helps them prioritize which threat detection alerts should be investigated and what threat hunting teams should look for.

CISOs often struggle to understand how geopolitical thinking determines whether they might be targeted. “Organizations often frame the question of, ‘Why would a state actor care about me?’ in terms that are far too narrow,” says Stone. “It’s rare that state adversaries have a grudge with a specific organization. Rather, they objectively see their targets as means to an end.”

“The first step is to create a holistic organizational profile by considering what you do, what information you possess, who you know, where you are located, and your services. Next, consider whether these more discrete organizational aspects are important to threat actors. Ultimately, you should build your risk modeling based on that understanding.”

Understanding the motives of Russian cyberattackers

Through its affiliated groups APT28 (Fancy Bear) and Sandworm (Quedagh/Voodoo Bear), Russia’s military intelligence agency (GRU) has launched cyberattacks against high-level targets in government, defense, media and other major organizations worldwide. Booz Allen Hamilton analyzed 200 cyber incidents associated with Russia spanning 15 years (2004 to 2019) and claims that it has found a link between the actions of these groups and the Russian Federation’s publicly announced approach to military policy. Its findings can guide organizations as they face similar geopolitical developments that impact risk profiles.

“Fundamentally, state-aligned adversaries are organizations tasked with responding to national mission requirements in a manner consistent with strategic doctrine,” said the report. “The GRU executes its mission using methods consistent with declared strategic concepts. By understanding why adversaries act, defenders can better anticipate when, where, and in what form those actions may occur and take deliberate action to mitigate their risk based on that insight.”

Booz Allen Hamilton claims that most actions by Russian-sponsored actors conform to a series of principles outlined in The Military Doctrine of the Russian Federation. Most recently updated in 2014, this official policy document outlines “external dangers” to the Russian Federation, actions that could be construed as “military threats,” and actions the Federation will take to “deter and prevent military conflict.”

The doctrine contains two sections that are critical to assessing GRU cyber operations: they identify the specific circumstances in which the Russian Armed Forces would respond and how they would react. These sections help identify the circumstances under which the Russian military is likely to conduct cyber operations. Organizations can use this information as a model to contextualize previous GRU cyber activity and predict future attacks.

Booz Allen Hamilton acknowledges that the GRU is not the only Russian government agency that conducts cyber operations, but it is the most documented and publicly implicated in cyberattacks. Governments around the world have produced evidence pointing to the GRU’s involvement in such operations.

State-sponsored cyberattacks follow military doctrine

Booz Allen Hamilton identified 23 principal actions and conditions in the doctrine that may precede an armed conflict, including:

  • “External military risks,” such as unauthorized use of foreign military force adjacent to Russia or its allies or growth of ethnic, religious or cultural disagreements over territorial borders
  • “Internal military risks," such as the undermining of Russian historical, spiritual and patriotic traditions or the provocation of Russian cultural strife
  • “Military threats,” such as heightened combat readiness or the use of military force during exercises adjacent to Russia or its allies.

The report describes how the military can avoid or resolve conflicts by identifying and assessing potential risks and threats and responding appropriately. The GRU identifies risks through cyber espionage, network and communication monitoring, and data collection and theft, as well as other means. It might also leak the collected data to undermine what it perceives as potential risks.

“GRU operations should be considered as part of Russia’s vision of a long-term confrontation over beliefs, understanding and emotions that impact Russia’s ability to advance its policy vision and secure its strategic interests,” the report said.

For example, the GRU attempted to prevent Montenegro from joining NATO in 2016 through the use of DDoS attacks on various media websites, non-governmental organizations (NGOs), political parties, and telecom companies. It also conducted a spear-phishing campaign targeting Montenegrin government members with military- and NATO-themed lures to gain “awareness of potential military risks and threats”.

Another notable example is Russia’s attacks against the World Anti-Doping Agency (WADA) in the wake of a doping scandal. Banning athletes from sporting events could be interpreted as a threat to Russian culture, and so the APT groups undertook a series of military actions including the “manipulation of social or political environment” via social media disinformation and propaganda, “precise destructive attacks” via the OlympicDestroyer malware, and “widespread use of advanced weapons and technologies” to locally breach Wi-Fi networks used by WADA and US anti-doping officials to steal officials’ credentials and access an anti-doping records database.

The Booz Allen Hamilton report maps other incidents — attacks on Ukraine, the Democratic National Committee (DNC) leaks, the UK television station Islam Channel, and the Gulf Cooperation Council alliance — to the principal conditions in the Military Doctrine that would cause Russia to act.

Where to find guidance on political motivation for APTs

CISOs don’t need to be experts in the complexities of international relations. They should, however, be aware enough to create a global snapshot at regular intervals to evaluate and understand how geopolitical trends may impact their organization’s risk profile. They should also assess geopolitical risk when evaluating new acquisitions or mergers and when expanding into new markets.

Retired Air Force Brigadier General Greg Touhill, former federal CISO of the US government and faculty member of Carnegie Mellon University’s Heinz College, says that larger companies, particularly those operating in the public sector or highly regulated areas, should invest in dedicated staff to monitor the political and legislative environment. “Successful CISOs have a strong relationship with their general counsel and have regular engagements to review the legislative and regulatory landscape. Forecasting what effects changes in political sentiment or leadership [may have] should be part of those conversations.”

FireEye’s Ho adds that if a company has a chief risk officer (CRO), the CISO should collaborate with them, since CROs evaluate many different risks and geopolitical risk should certainly be among them. He also advises a strong partnership with the country’s security services, as they can provide strategic and tactical warnings on potential adversaries’ activities.

It can be difficult for CISOs to communicate those risks to the business and board, who might find it difficult to understand why threat actors would target their business. “Once the CISO assesses that a cyber risk exists,” says Booz Allen Hamilton’s Stone, “it’s critical to communicate the potential impacts of that risk to different stakeholders in terms relevant to them. Collaboration with those stakeholders is crucial to precisely quantify the impact and drive institutional action with their buy-in.”

Ho adds that when assessing risks, CISOs should consider the Latin phrase “Cui bono,” which translates as ‘to whom is it a benefit’. “To whom is it a benefit if we were to suffer a breach resulting in destruction of property or loss of intellectual property, given the tense geopolitical environment we find ourselves in? Answering the question will help direct investment in resources and countermeasures.”

When presenting this information, Ho advises CISOs to couch their messaging in terms of business impact and real-world damage. “CISOs could say, ‘Last quarter we managed to detect and block two threat actor groups attributed to State A whose main modus operandi is to perform destructive cyberattacks on industrial control systems used for oil and gas production. Had the adversaries’ operation been successful, it would have resulted in injuries and/or death to our field crew members and stopped oil production for at least two weeks, resulting in $100 million in lost revenue.’”

Touhill adds that organizations shouldn’t be afraid to call on subject-matter experts or their peers to help them understand and contextualize the risks or get the message across to the business. “When I was the DHS deputy assistant secretary and director of the National Cybersecurity & Communications Integration Center, I had a Fortune 10 business ask me to discuss cyber threats and risks to their board of directors. My presentation supported the information that the CISO had previously given the board, giving them confidence in their CISO’s recommendations. Asking for help isn't a sign of weakness; it is a sign of wisdom.”

Must-reads for informing your security posture

Russia’s Military Doctrine is not the only political document CISOs should read to inform defenses. “States’ strategic priorities are often public, captured in strategic doctrine, and reaffirmed regularly through statements and overt noncyber policy," said the report. “By understanding those priorities, we may anticipate the targets and focus areas of state-sponsored operations, as well as contextualize active and completed operations.”

The People's Republic of China publishes its 5 Year Plans (5YP), which outline the country's economic development goals and the main drivers to achieve them. When China released the thirteenth 5YP in 2015, it also published its “Made in China 2025” policy, which laid out the key industries in which the Chinese government is focused on becoming a world leader. CrowdStrike has previously described these plans as “veritable shopping lists for Chinese intrusion groups,” as they indicate which industries government-affiliated APT groups are likely to target and the kind of high-value intellectual property (IP) they want to take to further China’s political and economic goals.

In addition to policy documents that signal long-term national priorities, countries have diplomatic corps as well as state-owned or state-funded media that routinely communicate policies or positions. These are excellent primary sources that can help inform organizations. Think tanks such as the Carnegie Endowment for International Peace and the European Council on Foreign Relations also track and distill strategic foreign policy objectives.

CISOs should also be aware of more short-term political events that could affect their risk posture. For example, an agreement in 2015 between US President Obama and Chinese President Xi Jinping reduced the scale of attacks from China into the US. Groups affiliated with Iran often increase their activity during times of sanctions or tension with the US. Likewise, North Korea has upped its use of cryptomining malware to raise funds amid strict sanctions.
