During March-April 2018, dozens of Russian diplomats were expelled; hundreds of Russian Troll Factory-related accounts were banned; new travel and economic sanctions were levied and more are expected. While Russia did expel diplomats symmetrically, it is exploring options for an asymmetric response ranging from intellectual property violations to cyberattacks.
Blows Targeting Russia
In March 2018, 25 countries and NATO expelled dozens of Russian diplomats (intelligence officers) over an ex-spy poisoning case in the UK (Figure 1).*1 The US closed Russia's Seattle Consulate; in response, Russia proportionally expelled the same number of diplomats and is closing the US Consulate in St. Petersburg.
On 15 March 2018, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) put five Russian entities and 19 individuals under sanctions for significant malicious cyber-enabled activities. This was prompted in part by the NotPetya attack and other cyber events. But the main focus was on the Internet Research Agency (IRA, also known as “Russian Troll Factory”) actors.
On 3 April 2018, Facebook and Instagram banned over 200 accounts connected to the IRA. Most of the banned accounts were Russian-speaking. Many were media-related and one was a Moscow local government account. According to Facebook, they “removed this latest set of Pages and accounts solely because they were controlled by the IRA, but not based on the content.”*2 Later in April, Reddit will join Twitter and Facebook in identifying and freezing IRA-related accounts.*3
On 6 April 2018, the Trump administration unleashed a new round of Ukraine-related US sanctions on Russia. This action resulted in Russian oligarchs losing close to $12 Billion in capitalization, and the Russian ruble additionally lost part of its value.*4
Currently, new sanctions are being discussed and it is probable that the next round will relate to Russia's collaboration in Syria’s use of chemical weapons against its opposition. Radical measures under discussion include placing Russia on the designated Foreign Terrorist Organizations (FTOs) list.
There are no signs of Russia stepping back. Publicly, Trump is sending signals that he desires a good relationship with Russia, and both countries are using de-escalation mechanisms to avoid direct military conflict in Syria and other areas of the world.
Russia is and has been on a long-term trajectory to expand its influence. This strategy involves military actions and cyber operations that encompass: supporting the rogue regimes of North Korea, Iran, Syria, and Venezuela; not abandoning its foothold in the Crimea; and preventing the dethroning of Assad in Syria. As long as these Russian diplomatic philosophies remain intact, relationships with the West will continue to deteriorate.
Russian Possible Response and Cyber
Russian actions and possible counter-actions are divided into five (5) important categories (diplomatic, kinetic, economic, information, and cyber):
1) Diplomatic actions included the symmetric expulsion of Western diplomats. Russia is not cooperating in the investigations of chemical weapon use in Douma, Syria, or of the ex-spy poisoning in the UK. Russia is trying to win new friends in Turkey and Austria.
2) Kinetic actions include continuation of the low-scale military conflict in Ukraine, successful expansion of Assad-controlled territories in Syria, and possible military bases in Sudan and other African countries.
3) Economic actions include expanding existing Russian programs that support entities under sanctions. Russia has prepared a bill to potentially target Western corporations reciprocally, and even to abolish Western patents and trademarks in Russia.*5 So far Russia is cautious with these measures, as they are likely to backfire, but some steps in this direction are being initiated.
4) Information war includes continuation of the active information campaign against the West. Dana White, the Chief Pentagon Spokesperson, noted that there was a 2,000 percent increase in Russian troll activity following the Syrian airstrikes.*6 At the same time, Russia has tightened control over its Internet. On 16 April 2018, the Russian censorship agency banned the Telegram messenger, which had refused to provide encryption keys. By 17 April 2018, the number of banned IPs had grown to 16 million as Telegram started using Amazon and Google cloud services.*7 The Russian censorship agency is currently threatening to audit and potentially ban Facebook unless Facebook moves Russian users' data to Russia and deletes unwanted information.*8
5) A cyber response from Russia is also likely as part of the asymmetric information war. Wapack Labs does not have much immediate visibility into current Russian APT moves, but we observe some inclinations from Russian hackers and we are learning much from the Russian APT activities discovered during the last 2-3 years.
Russia remains a safe haven for financially motivated hackers that target other countries.
Both Russian APT groups and criminal hackers are using phishing and social engineering methods. For example, in April 2018, Wapack Labs reported how Russian spammers found a way to abuse the legitimate Email Report form for Google Analytics.*9
As Russia begins to censor the Telegram messenger, several high-profile Russian officials are publicly switching to ICQ. The ICQ messenger is still popular among many hackers in different countries, and because it is controlled by Russia it can offer Russia valuable information regarding the cyber underground.
Russia is blamed for escalating cyber attacks as it became clear that Russia had a concerning foothold in the US energy sector and in its networking equipment. The US reported that since at least March 2016, Russian government cyber actors have targeted government entities and multiple US critical infrastructure sectors, including energy, nuclear, and others.*10
A joint alert issued on 16 April 2018 by the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the United Kingdom's National Cyber Security Centre (NCSC) warns that Russian state-sponsored cyber actors are actively targeting home and enterprise routers. The alert provides an overview of Russian APT activity beginning in 2015 and ongoing in 2016 and 2017. Hacked devices ranged from small home routers to ISP-grade routers and firewalls, with attackers trying to hoard as many systems as possible. Attack vectors include Telnet, TFTP, SNMP, and SMI (Cisco Smart Install): protocols often found on routers, known to include vulnerabilities, and easy to misconfigure (see the Indicators table for the recorded IP indicators).*11
Relationships between Russia and the US continue to deteriorate, and de-escalation mechanisms have been only partially successful. In 2018, Russian information campaigns (Russian Trolls) are of concern; Russian state-sponsored hackers continue to be active; and new methods of spoofing and social engineering are being developed. Russian campaigns were discovered to have compromised the US energy sector and networking infrastructure (routers). This prompted the US government to share information and help a wide range of industries pay more attention. Wapack Labs will continue to monitor new Russian TTPs.
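The practical defender's check prompted by the alert above is whether the four management protocols it names are reachable on routers from outside the organization. The following is an added example, not code from the report or from the DHS/FBI/NCSC alert: it parses a constructed sample of firewall connection logs (the log format, host names and addresses are assumed for illustration; the port assignments for Telnet, TFTP, SNMP and Cisco Smart Install are the standard ones) and flags accepted connections to those services from non-RFC1918 sources.

```python
import ipaddress
import re
from collections import Counter

# Management protocols named in the joint router alert and the ports
# they normally listen on (Cisco Smart Install uses TCP 4786).
MGMT_PORTS = {23: "Telnet", 69: "TFTP", 161: "SNMP", 4786: "SMI"}

# RFC1918 ranges treated as internal; anything else is external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample firewall log (assumed format, not real traffic).
SAMPLE_LOG = """\
2018-04-17T10:01:02Z fw1 ACCEPT proto=tcp src=203.0.113.7:51234 dst=192.0.2.1:4786
2018-04-17T10:01:05Z fw1 ACCEPT proto=udp src=198.51.100.9:40001 dst=192.0.2.1:161
2018-04-17T10:02:11Z fw1 ACCEPT proto=tcp src=10.0.0.5:50000 dst=192.0.2.1:23
2018-04-17T10:03:40Z fw1 ACCEPT proto=tcp src=203.0.113.7:51240 dst=192.0.2.1:443
2018-04-17T10:04:00Z fw1 ACCEPT proto=udp src=203.0.113.8:33333 dst=192.0.2.1:69
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) (?P<host>\S+) (?P<action>\S+) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
)

def is_internal(ip):
    """True when the address falls inside one of the RFC1918 ranges."""
    return any(ip in net for net in INTERNAL_NETS)

def find_external_mgmt_access(log_text):
    """Return accepted connections to router management ports from external sources."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["action"] != "ACCEPT":
            continue
        dport = int(m["dport"])
        if dport not in MGMT_PORTS:
            continue
        src = ipaddress.ip_address(m["src"])
        if is_internal(src):
            continue  # internal admin access; review separately
        findings.append({"ts": m["ts"], "src": str(src), "dst": m["dst"],
                         "port": dport, "service": MGMT_PORTS[dport]})
    return findings

def summarize(findings):
    """Count findings per exposed service."""
    return Counter(f["service"] for f in findings)
```

Run against real exports, any hit means the device answers on a protocol the alert says is being abused and should be restricted to management networks or disabled.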
For questions or comments regarding this report, please contact the lab directly at 603-606-1246 or firstname.lastname@example.org
*2 newsroom.fb.com/news/2018/04/authenticity-matters/ “Authenticity Matters: The IRA Has No Place on Facebook”
*3 www.reddit.com/wiki/suspiciousaccounts and www.reddit.com/r/announcements/comments/8bb85p/reddits_2017_transparency_report_and_suspect/
*4 bloomberg.com/news/articles/2018-04-09/russia-s-richest-lose-16-billion-in-selloff-over-u-s-sanctions
*5 sozd.parliament.gov.ru/bill/441399-7 [in Russian]
*6 www.dailymail.co.uk/news/article-5615877/Russian-troll-activity-increases-2-000-Syrian-airstrikes.html
*7 www.bleepingcomputer.com/news/government/russia-bans-18-million-amazon-and-google-ips-in-attempt-to-block-telegram/
*8 iz.ru/733380/siuzanna-farizova/so-svobodoi-vse-khorosho-s-otvetstvennostiu-plokho [in Russian]
*9 ctac-01.tac.wapacklabs.com/f5-w-68747470733a2f2f31302e302e312e3532$$/IR-18-095-001_Russian_Spam_from_Google_Analytics
*10 www.us-cert.gov/ncas/alerts/TA18-074A Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. March 15, 2018