Further details regarding the activities of a cyber espionage unit thought to be connected to the Russian Government have emerged in this period. The US-based cyber security firm FireEye published a report on what it dubbed APT28 (Advanced Persistent Threat, the generic term for a cyber espionage threat group) on October 28. APT28 is thought to be the same unit that rival cyber security firm Trend Micro referred to as Sofacy/SEDNIT – the work of which it referred to as “Operation Pawn Storm” – while it is also reportedly connected to the creators of the Uroburos (aka Turla) malware that we assessed in our coverage of August 14. FireEye states that the group has been active since the middle of 2007, since when it has sought to gather information from a variety of political, diplomatic, and military sources that correspond with Russia’s strategic geopolitical interests – a key factor in the decision to attribute the actions of the unit to the Russian state.
The report divides these targets into three main areas, the first of which is operations against
Beyond the alignment of these targets with Russian interests – and the lack of associated economic targets that so often characterise Chinese APT units – further evidence for state attribution includes the presence of Russian language in significant portions of the code that was assessed, and indications that malware development corresponded to a conventional working day in the Moscow and St. Petersburg (GMT +4) time zone. Furthermore, other factors suggest a level of sophistication that normally eludes groups that are merely sponsored by and not directly connected to the state. These include the use of a long-term coding platform for the malware, and its built-in resistance to analysis that helped keep the operation clandestine for as long as it did. Though FireEye declined to further pursue the question of responsibility at an organisational level, the campaign is likely to have originated from units within the Federal Security Service (FSB) and its counterpart responsible for foreign intelligence and espionage, the Foreign Intelligence Service (SVR RF).
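The working-day timing argument above, as an added illustration (this is not FireEye's code or data): constructed UTC compile timestamps are shifted into each candidate UTC offset and scored by how many land in an assumed 09:00–18:00 weekday window, so a clear peak at one offset is the kind of circumstantial evidence the paragraph refers to. The sample timestamps and the working-hours window are assumptions; compile timestamps can be altered by the author, so this is a supporting indicator rather than proof.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of PE compile timestamps in UTC, standing in for the
# values an analyst would extract from a set of related samples. Not real data.
SAMPLE_TIMESTAMPS_UTC = [
    "2013-03-04 05:10:00", "2013-03-04 13:40:00", "2013-03-05 05:25:00",
    "2013-03-05 13:15:00", "2013-03-06 08:30:00", "2013-03-07 05:45:00",
    "2013-03-07 13:55:00", "2013-03-08 10:00:00", "2013-03-11 05:05:00",
    "2013-03-12 13:20:00", "2013-03-13 07:10:00", "2013-03-14 04:30:00",
    "2013-03-15 11:45:00",
    "2013-03-16 06:00:00",  # Saturday: outside any working week
    "2013-03-17 09:00:00",  # Sunday
    "2013-03-18 22:00:00",  # Monday night in most plausible zones
]

# Assumed local working window (hours, end exclusive).
WORK_START, WORK_END = 9, 18


def parse_utc(ts: str) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM:SS' as an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def working_hours_fraction(timestamps_utc, utc_offset_hours: int) -> float:
    """Fraction of timestamps that fall Mon-Fri within the working window
    once shifted into the given fixed UTC offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    hits = 0
    for ts in timestamps_utc:
        local = parse_utc(ts).astimezone(tz)
        if local.weekday() < 5 and WORK_START <= local.hour < WORK_END:
            hits += 1
    return hits / len(timestamps_utc)


def rank_offsets(timestamps_utc, offsets=range(-12, 15)):
    """Score every candidate offset; best-fitting offset first.
    Ties are broken toward the offset closest to UTC."""
    scored = [(off, working_hours_fraction(timestamps_utc, off)) for off in offsets]
    return sorted(scored, key=lambda p: (-p[1], abs(p[0])))


if __name__ == "__main__":
    for off, frac in rank_offsets(SAMPLE_TIMESTAMPS_UTC)[:5]:
        print(f"UTC{off:+d}: {frac:.0%} of samples in working hours")
```

On the constructed set UTC+4 is the unique best fit (75% of samples), with UTC+3 and UTC+5 clearly lower, which is the shape of evidence FireEye describes; on real data the window and the distribution of hits across the week should both be inspected rather than just the top score.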
In a related development in this period, Russian President Vladimir Putin is set to sign a treaty on cyber security with his Chinese equivalent, Xi Jinping, early next month. Russia had previously signed a pact with the US designed to prevent escalation over issues of cyber security. However, further talks have been derailed in the wake of the political situation in Ukraine, and the decision to realign strategy closer to Beijing appears to have been made in response to the continuing stalemate. The Sino-Soviet pact is most likely primarily motivated by the joint desire to oppose US influence on the governance of the Internet and enforce sovereign authority over its management, which would in turn allow the two states to adhere to different standards relating to online privacy and freedom of expression.
Due to the divergent interests of the two powers, it is unlikely to involve a significant amount of cooperation regarding operational matters. The degree to which this is overstated in media reports reflects both states’ opposition to US cyber security policy and to US actions in Iraq/Syria and Ukraine, and the associated desire to make a symbolic announcement of mutual support. Regardless, the degree of cooperation that is implied means a lower likelihood of cyber espionage or sabotage operations being targeted at one state by the other. Furthermore, the enhanced capacity for technology transfer between the two states is also likely to expand future capability in this area, so this bilateral relationship remains an issue to watch in the long term.