Russian Spies, War Ministers Reliant on Cybercrime in Pariah State

Russian Spies, War Ministers Reliant on Cybercrime in Pariah State

Russia’s diminishing position on the world stage has limited its physical options on the ground both for kinetic attacks and traditional spycraft — leaving Putin’s regime increasingly reliant on cybercrime to carry out its oppositional activities against Ukraine and the rest of the West.

Switzerland’s Federal Intelligence Service (FIS) released its 2023 security assessment on June 26 predicting that Russia will increasingly launch cyberattacks on critical infrastructure as part of its war strategy not just in Ukraine, but against NATO member states as well.

It also pointed to Moscow’s dwindling human spy apparatus — and few options for shoring it up — as driving an uptick in cyber activity.

Russia’s Cybercrime Spree, a Spark for WWIII?

Although neutral Switzerland maintains some distance from the direct impact of Russian cyberattacks, the FIS is concerned about follow-on affects within its borders.

Worryingly, the report assesses that cyberattacks on NATO-member state infrastructures could ultimately trigger the North American Treaty’s Article 5 commitments to join in war against any nation that attacks a member state. The FIS added that NATO has suggested in the past that a cyberattack on critical infrastructure could, in fact, be considered a trigger under Article 5, kicking off a third world war.

In late March, evidence was leaked by Russian contractor NTC Vulkan detailing how Russian intelligence agencies use private companies to launch cyber threat campaigns across the world. The documents included materials for trainings run by Vulkan on how to takeover railroads and power plants.

Cyber threats to critical infrastructure fall into two categories, according to the FIS report: direct cyber attacks against infrastructure; and ransomware attacks that could potentially hobble supply chains.

“Attacks against critical infrastructure have widespread impacts,” Timothy Morris, chief security advisor with Tanium tells Dark Reading. “Damage can run the gamut from disruptive inconveniences to economic stress to catastrophic life altering or threatening impacts. Also, collateral damage can happen with cyberattacks, as often happens with kinetic warfare.”

Dangerously, throughout the Russian war against Ukraine, many ransomware attacks against infrastructure are being carried out by non-state actor threat groups, making their actions often unpredictable. Erratic behavior by a threat group not directly affiliated with the Russian state could cause a miscalculation in attributing a cyberattack, or prompting unnecessary escalation of hostilities,” the FIS warned.

“The activities of non-state actors engaged in the war are still the main problem,” the report said. “The threat and the unpredictability which such activities give rise to should not be underestimated, even if these threat actors have so far attracted more attention by announcing their intentions that by carrying them out.”

The challenge in protecting critical infrastructure across multiple nations is a lack of common rules, according to John Anthony Smith, CEO of Conversant Group. 

“There are widely varying degrees of cyber defenses in place across these critical infrastructure sectors and entities, since the entities protecting critical infrastructure as well as providing oversight include both private and public sector organizations: no one agency or institution provides guidance, rules, or controls on how cybersecurity is conducted, tested, and configured,” Smith explains.

Russian Cyberespionage Supplants Real Spies

Russian cyber threat actors are also increasingly responsible for gathering intelligence in lieu of actual human operatives on the ground, according to the report. The FIS noted that the phenomenon dates as far back as 2018 and the attempted murder of Sergei Skripal, a former Russian intelligence officer living inside the UK and acting as a double agent for the West.

The poisoning started an expulsion of Russian diplomats and intelligence officers from throughout the world that has continued in force since the invasion of Ukraine in February 2022. Mistrust of Russian diplomats, many of whom were declared persona non grata by Western governments, will have a hard time recruiting and developing new sources and operating for years to come, the FIS added — meaning that cyber espionage and advanced persistent threats will have to fill the gap.

“The Russian leadership’s war of aggression against Ukraine has made the work of its intelligence services more important, but at the same time has made it harder to operate,” the FIS report said.

Callie Guenther, cyber threat researcher with Critical Start noted in response to the FIS assessment that the correlation between expelling spies and increased cyber espionage would be difficult to verify but sounds reasonable.

“While there’s no direct evidence linking the expulsion of spies to an uptick in digital espionage, it’s plausible that countries compensate for lost physical assets by enhancing their cyber intelligence efforts,” Guenther tells Dark Reading. “Increased digital espionage poses significant threats, potentially disrupting vital infrastructure and leading to serious societal and economic consequences, compromising national security, and even triggering an act of war.”

Russian Intelligence Eyeing AI and Machine Learning

The increasing digitization of information coupled with the capabilities of artificial intelligence and machine learning will lure cyberattackers to massive stashes of data stored by organizations like financial services providers, social media platforms, hotels, and critical infrastructure operators, the FIS warned.

The promise of accessing this breadth of sensitive data is also driving investments in AI and ML cyber threat intelligence capabilities by Russia, as well as by China and Iran, the FIS added.

Troves of stolen sensitive data could be used in a variety of ways by authoritarian governments, including to harass and intimidate opposition activists, interfere in elections, circumvent sanctions to buy and sell goods, and more the FIS report added.

Democracies are urged by the FIS to get ahead of Russian, Iranian, and Chinese intelligence services’ implementation of espionage AI and ML tools by starting to regulate now.

“For states governed by democracy and the rule of law, this means, among other things that there is an urgent need to legislators and supervisory bodies to take a detailed look at the use of these capabilities,” the report said.

It’s incumbent on the cybersecurity community to be aware of the emerging cybersecurity tools used in warfare, Darren Guccione, CEO of Keeper Security, explains to Dark Reading about the FIS assessment.

“Cybersecurity is both national and international security, and must be prioritized as such,” he says. “In the digital age, it’s clear that cyber and traditional warfare tactics will continue to converge as threat actors use cyberattacks to both support and supplement physical attacks.”