Center for Strategic & International Studies

Blog Post - The Post-Soviet Post
Rank and File Corrupted: Uncertain Attribution and Corruption in Russia’s Military Cyber Units

September 22, 2020

This article is part of the CSIS executive education program Understanding the Russian Military Today.

Corruption has riddled the ranks of the Russian military for decades, persisting in operations, maintenance and personnel. Last year, chief military prosecutor Valery Petrov stated that the damage from corruption in Russia’s military totaled seven billion rubles in 2018.

What might corruption look like if it infected Russia’s elite military cyber units? It is important to understand this because of its implications for how victims of cyber-attacks ought to respond: whereas officially sanctioned acts engender a governmental response, corruption is a private act that instead requires a response by law enforcement and lawyers. For example, would we be able to identify a cyber-attack attributed to Advanced Persistent Threat (APT) 28—a Russian cyber espionage group—as the act of a single individual or group of individuals acting corruptly, thereby requiring a law enforcement response? Or would the act be seen as instigated by the Russian government, requiring instead a government response?

Several factors unique to the cyber domain make it difficult to differentiate between individuals acting corruptly on their own behalf and the same individuals genuinely pursuing Russia’s military cyber objectives. These factors include the plausible deniability of cyber-attacks, the mix of public and private tools leveraged by groups, and the historical relationship between hackers engaged in traditional cybercrime and those supporting Russian state objectives.

The Russian military is credited with dozens of high-profile cyber-attacks on targets around the world from the White House to industrial control systems. The attacks employ a variety of tools and methods but generally follow the cyber-attack life cycle. First comes the initial compromise. In the case of APT 28, this is commonly accomplished through phishing operations or with the use of stolen credentials. After the initial compromise, actors establish a foothold and escalate privileges. This is followed by a period of internal reconnaissance allowing the actors to then move laterally and maintain presence to complete the mission.

Members of a cyber unit acting corruptly would also have access to the tools and infrastructure needed for each stage of an attack. It is also likely that they would be able to access hosts compromised as the result of earlier military efforts. The ability to pick a new target or leverage existing compromised hosts significantly expands the potential scope of abuse while simultaneously complicating attribution efforts.

People choose to act corruptly for a variety of reasons. For the purpose of this piece, let’s assume members of a Russian military cyber unit are financially motivated to carry out cyber-attacks. They have access to some of the most sophisticated malware and tools in the world. Using an array of publicly and privately available tools they can compromise targets ranging from financial institutions to online retailers and their customers. Furthermore, they have options for the type of attack to launch—be it a ransomware campaign, building and monetizing a botnet, or leveraging preexisting compromised hosts. The type of attack and tools used will also complicate attribution because each could conceivably support either criminal or state objectives.

For example, BlackEnergy 2, a rewritten iteration of the BlackEnergy malware kit that made the news for its use in the 2008 Russian-Georgian War, can be used for both. By conducting distributed denial of service (DDoS) attacks, collecting banking information for Ukrainian and Russian financial institutions, or promoting psychological influence operations, it can further Russian governmental objectives or be turned to cybercrime to extract funds for private gain.

It is likely that any individuals acting corruptly participate in criminal online activities outside of the work they do in support of Russian military objectives. They have a presence in online forums and groups. They are aware of current trends and demands in the continually changing criminal underground. On occasion they freelance. They use tactics, techniques, and procedures associated with the Russian military cyber units as well as some of their own honed from years of hacking experience. This will also complicate attribution efforts.

In the case of launching a financially motivated cyber-attack, members of the Russian military acting corruptly have options. They can choose to work together from start to completion or they can partner with others at different phases of the attack to maximize profits.

For example, let us consider a scenario where they decide to monetize a botnet. (A botnet is a network of infected machines under the control of a single operator. Botnets can be used for political and financial gain. Both state and non-state actors operate large botnets.) They have the tools and skills to amass a large botnet of their own, they can work with cybercriminals to leverage preexisting infrastructure, or they can access a botnet under the control of the Russian military. This is not farfetched—in 2018, the U.S. Justice Department took actions to disrupt a botnet of infected routers and network storage devices controlled by APT 28.

Once they have decided to monetize a botnet, there are a few more decisions to make. How will they monetize it? Will they seek assistance? They can offer a DDoS attack for hire service, organize ad click fraud campaigns, or sell access to the botnet to other criminals. Control of the botnet gives access to account login and password information for hundreds of thousands, if not millions, of accounts. The accounts include banking and financial institutions, loyalty programs, retail accounts and more. To profit from the access they then need to turn the account information into funds or material goods.

To do this they may choose to partner with cybercriminals who specialize in cashing out accounts. Another option is to sell access to the botnet and malware logs. The logs contain a lot of information—what is important here is that they include account login information that buyers can use in their own fraud schemes. For example, there are actors who advertise their skills turning malware logs and account information into money and products from specific retailers such as Apple, eBay, and Microsoft. The individuals acting corruptly will combine their knowledge of the criminal underground with their expertise and skills learned in the military cyber unit to maximize their take.

Next, let us say they decide to partner with an actor from a cybercrime forum to quickly maximize takings by cashing out retail accounts. The individuals in the Russian military will handle the transfer of funds from bank accounts and financial institutions. They will be careful to stay away from targets in Russia to avoid the notice of Russian authorities. The cybercriminal specializes in turning malware logs and compromised accounts into money and goods by engaging in ecommerce retail fraud—specifically, returns fraud.

Refund and returns fraud are popular topics on cybercrime forums and a large problem for retailers. It is estimated that the U.S. retail industry lost $27 billion in returns fraud in 2019. There are many variations of this crime but, in short, bad actors purchase a product and then claim they never received it or return a different item in its place. In the first scenario, bad actors keep the item and receive the refund. However, before requesting the refund they update the payment instrument associated with the account. This means the refund issued by the retailer does not go back to the compromised payment instrument but rather to a payment instrument of the bad actors’ choosing. This allows them to transfer funds from the compromised account to their own payment instrument.

Generous refund and returns policies allow bad actors to exploit this loophole at scale. Cybercriminals offer services and guides to execute this type of fraud. In some variations, bad actors exploit additional vulnerabilities to receive a refund worth more than 100 percent of the order total. For example, select retailers offer additional refunds to compensate customers for a poor shopping experience. Other examples include manipulating shipping charges to exaggerate return shipping costs. Bad actors receive a refund for the exaggerated return shipping costs—even when they do not return the item or return a different item. To do this, they use fake tracking IDs to defraud retailer systems. In these situations, the bad actors keep the items they ordered, receive a refund for the items, and receive an additional refund.
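The two fraud patterns described in the preceding paragraphs (a refund redirected to a freshly swapped payment instrument, and a payout that exceeds the order through goodwill credits, inflated return shipping, or a tracking ID the carrier never saw) can be screened for on the retailer side. The following is an added example, not code from the CSIS post or its author: a rule-based triage a fraud team could run over refund requests. The field names, the 14-day change window, the action labels, and the carrier-scan lookup set are assumptions; all sample records are constructed.

```python
# Added example (not from the CSIS post): rule-based triage of refund requests
# for the refund-redirection and over-refund patterns the text describes.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed stand-in for carrier scan data: tracking IDs the carrier has
# actually scanned. A production system would query the carrier instead.
CARRIER_SCANNED_TRACKING_IDS = {"TRK-100001", "TRK-100002"}


@dataclass
class RefundRequest:
    order_id: str
    order_total: float                 # what the customer paid, shipping included
    paid_with: str                     # tokenized instrument used at checkout
    refund_to: str                     # instrument currently on the account
    instrument_changed_at: Optional[datetime]  # last change to refund_to, if any
    refund_requested_at: datetime
    refund_amount: float               # total the request would pay out
    return_tracking_id: Optional[str]  # None for "item never received" claims


def flag_refund(req: RefundRequest,
                change_window: timedelta = timedelta(days=14)) -> List[str]:
    """Return the names of every rule the request trips (empty list = clean)."""
    flags: List[str] = []
    # Pattern 1: refund redirected away from the instrument that paid.
    if req.refund_to != req.paid_with:
        flags.append("refund_instrument_mismatch")
    # The redirect is most suspicious when the swap happened just before the claim.
    if (req.instrument_changed_at is not None
            and timedelta(0) <= req.refund_requested_at - req.instrument_changed_at <= change_window):
        flags.append("instrument_changed_shortly_before_refund")
    # Pattern 2: payout larger than the order (goodwill credits, inflated return shipping).
    if req.refund_amount > req.order_total:
        flags.append("refund_exceeds_order_total")
    # Pattern 2 variant: a return tracking ID the carrier never scanned.
    if (req.return_tracking_id is not None
            and req.return_tracking_id not in CARRIER_SCANNED_TRACKING_IDS):
        flags.append("unverified_return_tracking_id")
    return flags


def triage(req: RefundRequest) -> str:
    """Map flags to an action: approve, hold, or pay only to the original instrument."""
    flags = flag_refund(req)
    if ("refund_instrument_mismatch" in flags
            or "instrument_changed_shortly_before_refund" in flags):
        return "refund_to_original_instrument_and_review"
    if flags:
        return "hold_for_review"
    return "approve"


# Constructed sample requests (hypothetical order IDs and instrument tokens).
T0 = datetime(2020, 9, 1, 12, 0)
SAMPLE_REQUESTS = [
    # Clean: same instrument, scanned return label, refund equals order.
    RefundRequest("A1", 120.00, "card_4242", "card_4242", None, T0, 120.00, "TRK-100001"),
    # Redirected refund: instrument swapped two days before an "item not received" claim.
    RefundRequest("A2", 350.00, "card_4242", "card_9999", T0 - timedelta(days=2), T0, 350.00, None),
    # Over-refund with a tracking ID the carrier never scanned.
    RefundRequest("A3", 80.00, "card_1111", "card_1111", None, T0, 129.50, "TRK-999999"),
    # Old instrument change well outside the window, otherwise clean.
    RefundRequest("A4", 60.00, "card_2222", "card_2222", T0 - timedelta(days=400), T0, 60.00, None),
]


def run_triage(requests=SAMPLE_REQUESTS):
    """Return {order_id: (flags, action)} for a batch of refund requests."""
    return {r.order_id: (flag_refund(r), triage(r)) for r in requests}


if __name__ == "__main__":
    for oid, (flags, action) in run_triage().items():
        print(oid, action, flags)
```

The design point is that the instrument-mismatch rule alone is enough to change the payout path: paying the refund back to the instrument that was charged removes the attacker's incentive regardless of whether the request is ever reviewed, while the amount and tracking rules only route cases to a human.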

The cooperation between members of the Russian military and the cybercriminal complicates attribution as there will be multiple indicators pointing to each. In this example, we are assuming a single group is acting corruptly. It is entirely possible, however, that other members of the Russian military—acting in their official capacity or acting corruptly—could seek to leverage the same tools and infrastructure. This means that multiple individuals with different motivations could access the same infected hosts to use in attacks on different targets. The targets could be political, financial or both. Members of the Russian military will use a mix of similar tactics, techniques, and procedures—all of which will complicate attribution efforts, as will the frequent use of contractors. How would observers differentiate between an attack carried out by APT 28 and corrupt individuals monetizing APT 28’s resources?

Finally, the last step in our scenario is for those acting corruptly to move the newly acquired funds into the financial market. A variety of financial tools and institutions inside and outside of Russia are available. Options include transferring funds to a foreign bank account, using cryptocurrencies, or capitalizing on loose banking controls in Russia to cash out prepaid cards. In this example the corrupt individuals were careful to avoid defrauding Russian citizens, so all the stolen funds were originally located outside of Russia.

The tools and infrastructure of Russia’s military cyber units are unique compared to other defense equipment in that they can be reused, sold, and exploited multiple times for financial gain. After a host is compromised, it can be exploited repeatedly.

With so much potential for abuse, what technical oversight is there for Russia’s military cyber units? (Bearing in mind that members of elite units will have the skills and inside knowledge to cover their tracks and evade detection—and that Russian internal oversight is weak and might not catch such criminal activity.)

Those responsible for hunting cybercriminals use key indicators of attribution to identify bad actors: tradecraft, infrastructure, malware, and intent. In our scenario, attribution is difficult. The key indicators point to both potential Russian military involvement and traditional, financial ecommerce crime. The tradecraft is a combination of tactics, techniques, and procedures used by the Russian military cyber units, as well as individual skills refined by years of experience that are unique to each actor. The infrastructure and malware are associated with both the Russian military and criminal activity. Intent is difficult to determine.

At the same time, historical evidence does not point to the Russian military using their infrastructure for overt financial gain nor is there a strong case for cybercriminals colluding with the Russian military to carry out traditional cybercrime. Would an observer be able to identify this activity as corruption or would they conclude the activity signals a shift in Russian strategy? (For example, North Korean hackers have been accused of stealing and laundering millions of dollars for the state.)

In our example, there are indicators suggesting the malicious activity is an act of the Russian military. However, there are also several indicators that the fraud is the work of a cybercriminal with an unclear connection to the military. With this mixed evidence, what is an appropriate response from the victims? Is it the responsibility of a victimized company to seek legal action against a hacker using malicious cyber infrastructure built by the Russian military? Should this be a civil case? The answer is unclear; each case and attack will be different. Furthermore, in cases where there is suspected Russian military involvement, should there be a government response? Should there be sanctions?

And if there are sanctions, would the Russian government admit the activity was the result of undetected corruption in their ranks or would they accept the new round of sanctions? In any case, the Russian government is unlikely to extradite the individuals involved to face charges for computer crimes.

Corruption in Russia’s military cyber units will be difficult to detect. The same cyber tools and infrastructure built by Russia’s military can be manipulated to create a steady cash flow of fraudulent funds to corrupt individuals. Plausible deniability and conflicting indicators of attribution will make it difficult to identify members of a military cyber unit acting corruptly. The implications of this corruption will extend far beyond Russia. The U.S. government and its allies should work with private sector partners to create a consistent policy response to cyberattacks. The policy must account for a wide range of cyberattacks and include clear guidelines for action to deter cybercriminals.

Teyloure Ring is a threat intelligence program manager at a large technology company. Statements included here are the author’s personal views and do not necessarily reflect the views of her employer or of CSIS.

CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s). 
