Feb 4, 2026
Russian Threat Actors: Useful Fools and Proxy Power
Welcome back to the Cyber Resilience Brief. I’m your host, Tova Devoren. I’m Adrian, offensive cybersecurity engineer here at SafeBreach. Adrian, today we are kicking off a special series about Russian intelligence. We’ve had a lot of chatter in the industry over the past few months and, frankly, more than a little panic about the recent wave of attacks hitting Western critical infrastructure. We’re talking about MGM, Caesars, Qantas. The headlines keep trying to draw a straight line from these attacks right to the Kremlin. Right. It’s the classic Red Scare, Red Dawn narrative. It’s easy to be sucked in to believe that there’s a master plan orchestrated by a Russian general in Moscow. But new analysis challenges that narrative entirely. It reveals a landscape that’s far more complex and in many ways more dangerous than a simple direct link between the two. So, Adrian, let’s start with the big question today. Are the groups attacking us, Scattered Spider, Scattered LAPSUS$, working for Russia? So the answer, based on the exhaustive analysis we’ve done, is no, not directly. Now, that is a caveated answer, but our core finding is that there is no publicly known or suspected direct command and control connection between these English-speaking groups and the Russian intelligence services like the FSB, which is their domestic security service; the SVR, as they say in Russian, which is their overseas intelligence service; and, nothing to do with Despicable Me and Minions, the GRU, which is their military intelligence. These are all very active agencies. They do work together. They do overlap, but they do work independently. They have a range of abilities and they have serious cyber threat actor capabilities. I have to say there is something really tempting about imagining Gru hacking into our system. So it’s too bad they can’t capitalize on that for PR purposes.
But anyway, that sounds really interconnected and complicated if you’re interconnected and independent at the same time. I know this from my own corporate life. I can only imagine it on this scale. How do they do this without a direct phone line, no payroll, and no internal organization, or at least a different one than what we’re thinking? So across a range of theaters and a diverse selection of tradecraft, these intelligence agencies are very keen on proxy action. There’s a Russian phrase that means “useful fool.” And there are many examples of this around the world at many levels in politics, which is outside the scope of what we’re talking about today. But why expose your own intelligence officers when you can get a useful fool to take action for you, whether it’s in the cyber theater, whether it’s setting fire to a factory, whether it’s beating somebody up, even all the way through to horrendously assassinating somebody? Why expose your own expensive officers when you can get somebody else to do that for you, either for free, scarily, or for very little money? Because I guess that lends a new meaning to the word intelligence. And if we’re talking about GRU, I guess we could think of them as minions, although poor minions. Maybe there is a new Minions movie in development. Maybe that’s what it’s going to be about. But what we’ve got here is divergent motivation. The Russian state apparatus, it’s the Russian state, they have geopolitical objectives. They want intelligence, military advantage, destabilization. Vladimir Putin’s key skill is disruption. He doesn’t build and create. He destroys and creates disruption. The groups we’re seeing causing chaos, the Com, Scattered Spider, ShinyHunters, we’ve recently dived deeply into each of those. They want money and notoriety. They’re not focused, these groups, on geopolitical objectives. So we’ve got intelligence agencies and useful fools who are fundamentally different beasts. Right.
What do we mean by high indirect risk? And more importantly, if they aren’t working together, where does that high indirect risk come from? That’s exactly the nuance that we need to unpack. While there isn’t a direct link, there is a significant, high-probability indirect nexus. Now, we’re talking about hypothesis testing here and how intelligence agencies work around the world, but we can establish that high-probability indirect nexus through the operational workflow. What’s the operational workflow? So think of it as a supply chain, an operational workflow supply chain. Scattered Spider acts as the initial access broker. They are the ones kicking down the door. They specialize in exploiting human weakness. Once they’re inside, they need a way to monetize that access. It’s pay to play in this arena. They need a locker to put the data in and a gun to hold to the victim’s head. So that’s where the Russians come in? Precisely. They rely heavily on Russian-affiliated ransomware-as-a-service, RaaS, platforms. A great example is BlackCat, also known as ALPHV. The dependency creates a critical strategic aperture. Well, aperture is an interesting word for us to use here. I mean, it implies a window of visibility. How does that apply? Well, it does apply exactly because of that part of the analogy. Since cyber criminals are routing victim data and compromised network access through this Russian-speaking criminal infrastructure, that infrastructure is plausibly subject to monitoring or co-option by the FSB. And there’s lots of supporting intelligence from things like Telegram channels showing that there is an active connection between BlackCat and the FSB, the domestic Russian security service. Interesting. So let me see if I can pick up what you’re putting down there. I’m thinking back to our episode that we did on the Com, right? Looking at everything we just talked about.
We have teenagers in the West who are breaking into Fortune 100 or even Fortune 500 companies. They go in, they steal the data. They then upload it to a platform run by Russian criminals, presumably knowingly or unknowingly. It’s actually not clear. And then the Russian intelligence agencies are just sitting there watching the feed like it’s on Twitch. It’s the convergence and co-option model. It’s exactly what they not only want, but what they’re achieving. The Western groups supply the specialized initial access, which is a highly coveted commodity. There’s good money in initial access brokering. The Russian state actors get potential access to high-value intelligence derived from these breaches. You know, and I’m thinking back, by the way, to the episode we also did on how hacking groups operate, where we’re assuming that they’re recruiting on Reddit and other forums in the way that we discussed about Conti. Am I right about that? Yeah. But we must all remember that intelligence agencies tell lies. They’re trained liars. They’re very good at it. They’re very skillful at it. And what they’re aiming for here, we mentioned earlier: why burn and waste their own intelligence officers, who are very expensive and will have a long career, when they can use others? And what they’re looking for here is often referred to as plausible deniability. And what they want with plausible deniability is being able to say, well, nothing to do with us. We didn’t order this. We didn’t pay for it. We just benefited from what somebody else did: open source intelligence. When in fact, it’s not open source intelligence at all. It’s completely driven and engineered and coordinated by the Russian intelligence services. What they’re doing, though, is very smart: they’re outsourcing the riskiest phase of the espionage, which is the initial access and social engineering, to foreign financially motivated actors. Okay.
So we’re talking about outsourced intelligence, the useful fools, which is terrifying in and of itself. And then it’s also terrifying because we don’t have traditional attribution. Granted, attribution, from what I understand from all of our conversations, is very difficult in general, but even so, even more so, traditional attribution fails because we can’t sanction Russia for an attack launched by a kid in the UK unless there’s concrete proof, which is exactly what they’re circumventing. Absolutely. Attribution in the cyber arena is not for the faint-hearted. You need a range of intelligence sources, not just technical, including human, political, a lot of analysis. You need to be exploring hypothesis testing. It’s difficult and hard. It’s certainly very difficult commercially. There are people who attempt it, but often they have access to other intelligence sources. For our leaders who are security leaders, this changes how we have to think about breach and attack simulation. You can’t just simulate a Russian APT or a cybercriminal. You have to simulate the hybrid threat. You have to simulate the TTPs, tactics, techniques, and procedures, of a Western social engineer combined with the malware of a Russian state proxy. And that’s possible, but it’s slightly more of a challenge. It sounds like SafeBreach, as usual, is up to the challenge. So in future episodes in this arc, we are going to dig deeper into who these Western actors are and how we combat them. But before we wrap up this intro, what’s the one takeaway we have so far in terms of Russian intelligence services and their unique attributes as a threat actor? It’s that the threat isn’t a monolithic army. It’s a marketplace. And right now, Russian intelligence services are shopping in that marketplace using data stolen by people who might not even realize that they’re ultimately helping Russian intelligence.
And you know, when we’re looking at CTEM, which is Continuous Threat Exposure Management, which is a very wide space with a lot of different attributes and parts, or Breach and Attack Simulation, which is a specific part of that space, how does that play into these specific threat actors? I know that we’ll get into the TTPs later, but how do our simulations apply when it comes to this unique brand of threat actor? That’s a great question, Tova. Let’s unpack the word continuous in the concept. We’ve discussed it in the past. Let’s quickly refresh: there’s a range of regulation and legislation around the world. The Digital Operational Resilience Act in the EU, the Cyber Resilience Act, NIS2, the UK’s forthcoming Cyber Resilience and Security Act. These are all introducing a great concept, which is requiring continuous testing and continuous activity. However, they haven’t reinvented the wheel. Continuous activity is how intelligence agencies have always worked. Intelligence agencies work to a thing called a collection plan, and their collection plan isn’t set by them. It’s set by their political masters, generally a hybrid of political people and military people. They fund the intelligence agency. They set the collection objectives, the targets. And here’s the problem, and it’s why we get the phrase advanced persistent threat. If you’re on that list, and the intelligence agency is given funding, and often they’ve got unlimited funding, they will keep going until they succeed. They themselves are continuous. Therefore, that’s why emerging legislation around the world, Japan, Hong Kong, Europe, UK, is requiring the defender response to be continuous. Because these intelligence agencies, including the Russian intelligence agencies, operate against you 24/7, 365. They’re constantly probing. They’re constantly scanning. They’re constantly looking for advantage. They only have to be lucky once. Defenders have to be lucky all the time.
And continuous threat exposure management, adversarial exposure management, continuous automated red teaming are how we go about reversing that adversary advantage and making life very difficult for these highly trained, hostile foreign nation-state intelligence agencies. More on what that means for Russia in forthcoming episodes. Thank you, Adrian. We’re looking forward to our next episode in this series. In the meantime, listeners, stay safe. Stay safe with SafeBreach. The Cyber Resilience Brief is a SafeBreach podcast, executive produced by Adrian Culley and Tova Devoren. Music produced by Sar Dressner. Hosted, edited, and compiled on Riverside. For more about SafeBreach and how you can validate your security across your entire IT infrastructure, visit us at www.safebreach.com.
Subscribe on Your Preferred Platform
In This Episode
Is your organization being targeted by a Russian general or a “useful fool” in a hoodie?
While groups like Scattered Spider aren’t on the Kremlin’s payroll, they are funneling your data into Russian-monitored infrastructure—meaning you must simulate hybrid threats, not just isolated attackers, to stay secure.
The reality of the modern “Red Scare” is a marketplace, not a monolith:
- The Proxy: Russian intelligence (FSB/GRU) outsources the high-risk “break-in” to Western hackers to maintain plausible deniability.
- The Funnel: When hackers use Russian ransomware platforms, they unknowingly hand a “live feed” of your data to state spies.
- The Fix: Use Continuous Threat Exposure Management (CTEM) to mirror the 24/7 persistence of these state-sponsored agencies.
Defenders have to be right every day; the adversary only needs to be lucky once.