How Russian hackers are coming after you, personally

Tom Colvin
5 min read · Mar 9, 2022

Photo by Max Bender on Unsplash

The Russian state runs a skilled, persistent, large-scale hacking operation. There are numerous examples of operations which have been painstakingly traced back to Russia, some of which have had world-changing effects.

But, can they get to you? And what can you do to protect yourself?

Russia engages in cyber warfare and cyber espionage, both of which can affect you.

What is cyber warfare and how does Russia engage in it?

The aim of cyber warfare is to inflict damage on an enemy country. This includes attacking, for example, power grids, news broadcasters and state departments, generally by forcing them offline. The same kind of damage could usually be achieved by conventional warfare (sending in an army, for example) but a well targeted and successful cyber warfare attack achieves it much more cheaply.

Russia has been linked to many kinds of directed cyber warfare attacks. They include the 2015 attack on Ukraine’s power grid which left over 200,000 people without power, the 2018 attacks against South Korea’s Winter Olympics infrastructure, and the attacks on Ukrainian governmental and business websites just prior to Russia’s invasion in February 2022.

Another aim of cyber warfare is political interference, and Russia has a particular taste for influencing democratic processes. Two of its successes in this field are the 2016 US presidential election and the UK Brexit referendum of the same year. In both cases Russia was found to be engaging in tactics to alter public opinion, and the outcomes were judged likely to have been affected as a result (leading to two destabilising events: the election of Donald Trump and the vote for the UK to leave the EU).

It’s obvious that these kinds of activities can have a significant impact on your life as an individual, because they affect a whole populace. But what about attacks on you personally?

How about cyber espionage?

Espionage refers to the gathering of intelligence (usually political and military secrets) to which you would not normally be allowed access. Cyber espionage is espionage carried out via the internet or computer networks.

Russia’s cyber espionage activities have been linked to several high-profile attacks. In 2020, for example, the Russian intelligence service’s “Cozy Bear” group attacked several US government agencies (including the departments of Treasury, Commerce and Energy, and the National Nuclear Security Administration). It is assumed that this was to steal information.

Russia has also been known to engage in targeted attacks on prominent people and organisations. They use deceptive messages to encourage individuals to accidentally reveal secrets or install malicious software. This is known as spearphishing.

Russian military intelligence has been linked to high-profile spearphishing attacks such as those against the campaign of Emmanuel Macron in the 2017 French presidential election, and against Hillary Clinton’s campaign in the 2016 US presidential election. In both cases vast caches of private emails were revealed.

So are they after me personally?

There is good evidence that Russia engages in cyber warfare and cyber espionage on a very large scale. That certainly means they are able to affect a lot of people and cover a lot of ground. Despite that, techniques like the ones I mention above are relatively resource intensive, so it makes sense that such attacks would be directed primarily at high-profile individuals, or at those with access to high-value secrets. If you are suspected of having something that could be of operational value to Russia, then Russia seems willing to put in a proportionate amount of time to attack you.

However, Russia has also been known to perform indiscriminate attacks, and those really could affect anyone.

Sandworm, VPNFilter and indiscriminate attacks which could affect you personally

VPNFilter is a piece of malware designed to infect small office/home office routers and NAS drives. It allows an attacker to steal data, watch a target’s internet activities, or even destroy the infected device. Its creation has been linked to a Russian hacker group named “Fancy Bear”, which US intelligence has in turn linked to the Russian military.

The two interesting things about VPNFilter are that it is used against low-grade routers, and that its attacks are indiscriminate. That is, the kinds of devices it can infect are the sort found in a typical home, and the attacker can find a vulnerable device at random and infect it; they generally don’t know who they are attacking until they manage to get in. Together, that means VPNFilter really could be used against you personally.

Sandworm is a cyber warfare and cyber espionage team linked to Russian military intelligence. In 2018 their widespread usage of VPNFilter was discovered and interrupted by the US government.

Sandworm’s use of VPNFilter may have been smart, but the malware still requires known vulnerabilities to get a foothold. That is another reason why it is so important to always patch your devices to the latest firmware versions. It can also get into routers which are still configured with default passwords — another thing to check for on your network. Once VPNFilter is in, it is really difficult to get out, so the best protection is to make sure it can’t get in in the first place. Patching and changing default passwords really are the most basic precautions.

Cyclops Blink and the new era of malware

Since 2019, after VPNFilter was disrupted, Sandworm appears to have switched to a more sophisticated replacement. The new software, named Cyclops Blink in a joint US/UK intelligence report, is used in both targeted and indiscriminate attacks. It has the same kind of effect as VPNFilter, in that it can allow an attacker to download information, view internet traffic and capture credentials.

Interestingly, however, the kinds of devices it attacks have jumped up a notch compared to VPNFilter. Whilst the latter could affect devices used in small businesses and homes, Cyclops Blink has been found to infect WatchGuard devices, which are typically used by larger businesses.

It’s perhaps interesting to consider what drove Sandworm to attack larger businesses. It could be that Russian interests lead in that direction, or it could simply be opportunistic in that they were able to exploit a particular vulnerability in WatchGuard devices.

In conclusion

The Russian cyber warfare and cyber espionage machine is well-funded and smart. Its effects are felt around the world in attacks on high profile individuals, businesses and states. But it also performs hundreds of thousands of indiscriminate attacks on smaller targets — and these could include you.

The advice to users hasn’t changed. Make sure your devices are kept up to date. Keep your passwords long and complex, and always change them from the defaults. Learn about what constitutes a phishing attack and help yourself and others to learn how to spot a fake website.
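The two checks the article keeps returning to (firmware kept current, and default or weak admin passwords replaced) can be turned into a routine audit of your own device inventory. The script below is an added example written for this page, not code from the author or from any vendor; the device list, the “latest firmware” values and the short list of factory default credentials are all constructed for illustration, and you would substitute your own inventory and your vendors’ published versions.

```python
"""Home/small-office device hygiene audit (constructed example).

Flags each device in an inventory for the two basic precautions the
article recommends: firmware behind the vendor's latest release, and
admin credentials that are factory defaults or too weak.
"""
from dataclasses import dataclass
import string

# Constructed sample of well-known factory default credential pairs.
# In practice you would extend this from your vendors' documentation.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", ""),
    ("root", "root"),
    ("user", "user"),
}

MIN_PASSWORD_LENGTH = 12   # assumed policy threshold for this example
MIN_CHARACTER_CLASSES = 3  # of: lowercase, uppercase, digits, punctuation


@dataclass
class Device:
    name: str
    model: str
    firmware: str         # version currently installed
    latest_firmware: str  # vendor's latest published version (assumed)
    admin_user: str
    admin_password: str


def parse_version(version: str) -> tuple:
    """Turn '2.1.10' into (2, 1, 10) so that versions compare numerically
    rather than lexically (as strings, '2.1.10' < '2.1.3', which is wrong)."""
    return tuple(int(part) for part in version.split("."))


def password_findings(user: str, password: str) -> list:
    """Return human-readable problems with an admin credential pair."""
    findings = []
    if (user, password) in DEFAULT_CREDENTIALS:
        findings.append("default credentials")
    if len(password) < MIN_PASSWORD_LENGTH:
        findings.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    classes = sum([
        any(c in string.ascii_lowercase for c in password),
        any(c in string.ascii_uppercase for c in password),
        any(c in string.digits for c in password),
        any(c in string.punctuation for c in password),
    ])
    if classes < MIN_CHARACTER_CLASSES:
        findings.append(f"fewer than {MIN_CHARACTER_CLASSES} character classes")
    return findings


def check_device(device: Device) -> list:
    """Collect firmware and credential findings for one device."""
    findings = []
    if parse_version(device.firmware) < parse_version(device.latest_firmware):
        findings.append(
            f"firmware {device.firmware} behind latest {device.latest_firmware}"
        )
    findings.extend(password_findings(device.admin_user, device.admin_password))
    return findings


def audit(devices: list) -> dict:
    """Map each device name to its list of findings (empty list = clean)."""
    return {device.name: check_device(device) for device in devices}


# Constructed inventory: model names and versions are illustrative only.
SAMPLE_INVENTORY = [
    Device("home-router", "example-soho-router", "2.1.3", "2.1.10", "admin", "admin"),
    Device("office-nas", "example-nas", "4.7.0", "4.7.0", "admin", "correct-Horse-battery-9"),
    Device("guest-ap", "example-access-point", "1.0.0", "1.0.0", "root", "Summer2022"),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INVENTORY).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{name}: {status}")
```

Run against the constructed inventory, the router is flagged for being behind on firmware and for using factory default credentials, the NAS passes, and the access point is flagged only for a short password. The version comparison is numeric on purpose: comparing firmware strings lexically would treat 2.1.3 as newer than 2.1.10 and silently miss an outdated device.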

Tom Colvin is CTO of Conseal Security, the mobile app security experts; and Apptaura, the app development specialists. Get in touch if I can help with any mobile security or development projects!

Written by Tom Colvin

Android developer / consultant; freelancer or through my agency Apptaura. Google Developer Expert in Android. tomcolvin.co.uk Articles 100% me, no AI.