The development of information and communication technologies, and the creation of the Internet in particular, represents formidable progress for humanity. This technological evolution opens new prospects for education and the circulation of knowledge, for communication, and for human and economic development. However, certain actors quickly identified the potential of the Internet and information networks for pursuing malicious and belligerent activities.
Thus, it is common knowledge that many states are building digital arsenals. The official objective is to develop the capabilities required to defend their own networks. Yet, most of the time, a second and less honourable objective hides behind this security imperative: the development of offensive capabilities for operations against individuals, groups and other states. For around a decade, these clandestine confrontations have even given rise to a veritable information-technology war in which many states accuse one another of directly or indirectly carrying out large-scale cyber operations. This was the case, for example, with the DDoS attacks against Estonia, Lithuania and Georgia, and with the Stuxnet worm. Discovered in 2010, Stuxnet targeted the Iranian nuclear programme and led to the destruction of several centrifuges at the Natanz facility; it is believed to have been designed by the United States National Security Agency (NSA) in collaboration with the Israel Defense Forces. Another milestone was the Snowden revelations in 2013, which brought to light digital surveillance capabilities that the American government would probably have preferred to keep secret.
The year 2016 marked a historic watershed in this regard: the secret digital activities of two of the world's main military and digital powers were exposed publicly. These revelations were unprecedented; they involved not only the usual allegations of state responsibility for one operation or another, but actually lifted the veil over the organisation and operation of some states' digital capabilities.
On the one hand, in mid-summer 2016, hackers calling themselves the Shadow Brokers announced that they had stolen several cyberweapons belonging to the Equation Group and published evidence of the link between the Equation Group and the NSA. With these revelations, the pieces of a bigger puzzle, notably involving the Edward Snowden documents, came together, enabling the company Kaspersky to retrace the digital activities of the Equation Group and bring them to light. On the other hand, the hacking of the United States Democratic Party and the online publication of its documents by WikiLeaks marked the beginning of a series of events that eventually brought the cyber activities of two Russian intelligence services, the Federal Security Service (FSB) and the Main Intelligence Directorate (GRU), out into the open.
These two events warrant two comments. First, it is interesting to note that these revelations and the spotlighting of the activities of the two groups occurred in a very short period of time. Thus, the two major military and digital powers that are the United States and Russia, which for several years have advocated adopting measures to curtail aggressive digital behaviour, were caught red-handed at the same time. This situation may ultimately lead to a diplomatic and international draw for these two nations. The second comment concerns the instigators of these revelations. On the one hand, there was the Russian company Kaspersky, which did most of the work of analysing the tools of the Equation Group and revealed the extent of American activities. On the other hand, American cybersecurity companies, particularly Crowdstrike, lifted the veil over the activities of the Russian intelligence services. The key role played by Kaspersky and Crowdstrike in these revelations also shows the importance of the private sector. This role shall be revisited later.
Some 27 years after the fall of the Berlin Wall, the fall of the USSR and the end of the Cold War, the revelations on the cyber activities conducted on behalf of the United States and Russia through various groups bore an uncanny resemblance to the secret activities conducted by the two blocs through proxy groups. What is to be learned from these revelations? What are their consequences on an international level?
THE EQUATION GROUP: THE DIGITAL TOOLBOX OF THE NSA
On 13 August 2016, hackers calling themselves the Shadow Brokers announced on Twitter that they had posted on Pastebin a large set of data belonging to the Equation Group, a group of individuals supposedly working on behalf of the NSA. The announcement was accompanied by an auction of some of the files stolen from the Equation Group. Two PGP-encrypted archives were listed on the Shadow Brokers' Pastebin page. The first, <eqgrp-free-file.tar.xz.gpg>, whose passphrase was disclosed on the Pastebin page itself, served to prove the authenticity of the material on offer. The second, <eqgrp_auction_file.tar.xz.asc>, could be downloaded freely, but its decryption key was to be sent only to the highest bidder.
The Equation Group from which the auctioned cyberweapons were stolen had already gained some notoriety. The Russian cybersecurity company Kaspersky had previously attributed several cyber operations to it, choosing the name Equation Group because of the group's penchant for strong encryption algorithms and elaborate obfuscation. Among the group's habits is a peculiar implementation of the RC5 and RC6 key schedule, in which the standard additive constant is replaced by its two's-complement negation and subtracted rather than added; this changes nothing cryptographically, but it is rare enough in real-world code to serve as a fingerprint. A nearly identical implementation was found in the tools released by the Shadow Brokers, and Kaspersky took this as strong evidence that the posted tools were authentic.
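The RC5/RC6 quirk that Kaspersky used as a fingerprint can be shown concretely. The Python below is an added example written for this article, not code from Kaspersky or from the leaked archive. It implements the RC6 key schedule once with the standard constant 0x9E3779B9 added and once with its 32-bit negation 0x61C88647 subtracted, shows that the two produce the same expanded key and the same ciphertext, and then scans a byte string for the little-endian negated constant in the way a simple signature would. The two "compiled" sample byte strings are constructed here and are not bytes from the leak.

```python
from math import ceil
import struct

MASK = 0xFFFFFFFF
P32 = 0xB7E15163           # RC5/RC6 magic constant P32 (from the RC6 paper)
Q32 = 0x9E3779B9           # RC5/RC6 magic constant Q32 (golden-ratio derived)
NEG_Q32 = (-Q32) & MASK    # 0x61C88647: the same value written as a subtraction

def rotl(x: int, n: int) -> int:
    """32-bit left rotate; the rotation amount is taken mod 32 as in RC6."""
    x &= MASK
    n &= 31
    return ((x << n) | (x >> (32 - n))) & MASK

def key_schedule(key: bytes, rounds: int = 20, subtract_negated_q: bool = False) -> list:
    """RC6-32/rounds key expansion.
    With subtract_negated_q the S table is built as S[i] = S[i-1] - 0x61C88647
    instead of S[i-1] + 0x9E3779B9; since the two constants sum to 2**32 the
    expanded key is identical, which is why the quirk identifies the code's
    authors rather than changing the cipher."""
    c = max(1, ceil(len(key) / 4))
    padded = key + b"\x00" * (4 * c - len(key))
    L = [int.from_bytes(padded[4 * i:4 * i + 4], "little") for i in range(c)]
    t = 2 * rounds + 4
    S = [P32]
    for _ in range(1, t):
        step = (S[-1] - NEG_Q32) if subtract_negated_q else (S[-1] + Q32)
        S.append(step & MASK)
    A = B = i = j = 0
    for _ in range(3 * max(c, t)):          # mixing phase of the key schedule
        A = S[i] = rotl(S[i] + A + B, 3)
        B = L[j] = rotl(L[j] + A + B, A + B)
        i, j = (i + 1) % t, (j + 1) % c
    return S

def rc6_encrypt_block(block: bytes, S: list, rounds: int = 20) -> bytes:
    """Encrypt one 16-byte block with RC6-32/rounds using expanded key S."""
    A, B, C, D = (int.from_bytes(block[k:k + 4], "little") for k in range(0, 16, 4))
    B = (B + S[0]) & MASK
    D = (D + S[1]) & MASK
    for r in range(1, rounds + 1):
        t = rotl((B * (2 * B + 1)) & MASK, 5)
        u = rotl((D * (2 * D + 1)) & MASK, 5)
        A = (rotl(A ^ t, u) + S[2 * r]) & MASK
        C = (rotl(C ^ u, t) + S[2 * r + 1]) & MASK
        A, B, C, D = B, C, D, A
    A = (A + S[2 * rounds + 2]) & MASK
    C = (C + S[2 * rounds + 3]) & MASK
    return b"".join(w.to_bytes(4, "little") for w in (A, B, C, D))

def find_negated_q(blob: bytes) -> list:
    """Offsets at which the little-endian negated constant occurs: a crude
    byte signature for the non-standard key-schedule idiom."""
    needle = struct.pack("<I", NEG_Q32)
    hits, start = [], 0
    while (pos := blob.find(needle, start)) != -1:
        hits.append(pos)
        start = pos + 1
    return hits

# Constructed stand-ins for two compiled key schedules (assumption: x86 code,
# where 'sub eax, imm32' is opcode 0x2D and 'add eax, imm32' is 0x05).
SAMPLE_LEAKED_STYLE = b"\x90" * 8 + b"\x2d" + struct.pack("<I", NEG_Q32) + b"\xc3"
SAMPLE_TEXTBOOK_STYLE = b"\x90" * 8 + b"\x05" + struct.pack("<I", Q32) + b"\xc3"

def demo(key: bytes = bytes(range(16))) -> dict:
    """Show the two schedules agree and the signature fires only on one sample."""
    std, quirk = key_schedule(key), key_schedule(key, subtract_negated_q=True)
    pt = b"\x00" * 16
    return {
        "schedules_equal": std == quirk,
        "ciphertexts_equal": rc6_encrypt_block(pt, std) == rc6_encrypt_block(pt, quirk),
        "hits_leaked_style": find_negated_q(SAMPLE_LEAKED_STYLE),
        "hits_textbook_style": find_negated_q(SAMPLE_TEXTBOOK_STYLE),
    }

if __name__ == "__main__":
    print(demo())
```

The point of the scanner is its weakness as much as its strength: a four-byte constant is a trivially evadable indicator, and an optimising compiler can emit the subtraction form on its own, so a match is a lead to be confirmed by comparing the surrounding code, not an attribution by itself. The RC6 implementation can be checked against the test vectors published in the RC6 paper.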
Kaspersky's revelations on the Equation Group date back to February 2015 and the publication of the report Equation Group: Questions and Answers. Its teams had identified more than 500 victims of the Equation Group in 42 countries, and estimated that the true number of infections could run to several tens of thousands, since the malware's self-destruct mechanism made past infections difficult to find and identify.
This analysis brought to light the different malware families used by the Equation Group. Kaspersky also identified links between the Equation Group's malware and other known malware, including Stuxnet: its tools shared methods and exploits with Stuxnet, and Kaspersky concluded that in all likelihood the Equation Group and the developers of Stuxnet were the same or at least worked in close collaboration.
After the leak was discovered, the NSA is reported to have activated its own sensors to detect the use of these tools by third parties, particularly Chinese and Russian agencies. The Intercept, for its part, took the opportunity to publish previously unreleased documents supplied by Edward Snowden describing one of the leaked tools and explaining to operators how its use could be traced with the help of a 16-character string, which illustrates how such sensors work. Such tracking could in principle have allowed the NSA to identify which foreign services had obtained the stolen tools, but nothing indicates that it did.
The Shadow Brokers' dump and auction of August 2016 were therefore not revelations in themselves: the leaked tools matched the malware families Kaspersky had already described in 2015 and essentially confirmed that earlier work. What the leak did do was prompt Kaspersky to fit further pieces into the puzzle, and it is this that led to the exposure of the American digital arsenal.
Today, neither the American government nor the NSA has acknowledged any link to the Equation Group. However, the various revelations and analyses leave little room for doubt, and it is very likely that the people behind the Equation Group work on behalf of the NSA. While these links now appear indisputable, future revelations and analyses will have to establish their legal and organisational reality and, more broadly, the nature of the Equation Group. Does it consist of isolated hackers, an organised group working indirectly for the NSA, or a division of the NSA itself? What degree of control do the NSA and the American government exert over its activities? As long as these questions go unanswered, it will remain impossible to attribute the conduct of the Equation Group to the United States in legal terms, to hold it responsible, or to adopt countermeasures under international law in response.
Another question raised by the Shadow Brokers' revelations on the NSA and the Equation Group is who is behind the Shadow Brokers themselves. In a series of tweets published just after the August 2016 revelations, Edward Snowden suggested that Russia was involved; Reuters put forward a similar analysis. Some saw the hand of the Russian Federation behind revelations intended to tarnish the American image and spotlight its aggressive behaviour in the digital world. Some went so far as to link these revelations to the hacking of the Democratic Party and the concurrent publications, which had occurred less than a month earlier.
FANCY BEAR AND COZY BEAR: THE DIGITAL ARMED DIVISIONS OF THE RUSSIAN INTELLIGENCE SERVICES
On 22 July 2016, 19,252 emails and 8,034 attachments stolen from the Democratic National Committee (DNC), the governing body of the United States Democratic Party, were published on the WikiLeaks website, three days before the Democratic National Convention that was to nominate the party's presidential candidate. The leak overshadowed the convention and led several party executives, including the DNC chair, to resign. The DNC had been aware of the intrusion and of the theft of documents for several months before the publication, and had called in the American cybersecurity company Crowdstrike to investigate. In June 2016, Crowdstrike published its conclusions: the intrusion was the work of two distinct groups, Cozy Bear and Fancy Bear (discussed below), which operated separately yet simultaneously inside the Democratic Party's networks. Nor did the two groups limit themselves to the Democratic Party: they also targeted the Republican Party (to a lesser extent) and other institutions and think tanks, always in the context of the American elections.
On 7 October 2016, the Department of Homeland Security and the Office of the Director of National Intelligence published a joint statement declaring that the United States intelligence community was confident that the government of the Russian Federation had directed the compromises and the online publication of the Democratic Party's documents. On 10 October 2016, the White House announced that the American government would adopt a proportionate response to the Russian hackings. That response took two forms. First, new sanctions were adopted against Russia and certain individuals, and on 29 December 2016 the President of the United States announced the expulsion of 35 Russian diplomats in response to the hackings and the attempts to interfere with the American electoral process; they left United States territory on 1 January 2017. Second, the United States appears to have resorted to extrajudicial measures, including cyber operations against Russian interests, although to date it has not officially acknowledged them. In late October 2016, Ukrainian hackers calling themselves Cyber Hunta broke into email accounts associated with Vladislav Surkov, a close advisor to the Russian President, and published some of the emails and documents online; these were presented as evidence of Russian involvement in the separatist movements in eastern Ukraine. Some commentators see this as the American response to the hacking of the Democratic Party; for the time being, the United States has not confirmed this hypothesis.
Now that the events leading to the revelations concerning Fancy Bear and Cozy Bear have been outlined, the identity of the two groups can be examined. Crowdstrike concluded that both had already been identified in previous intrusions targeting American institutions, universities, think tanks and NGOs, and that both were believed to be linked to the Russian intelligence services. In a joint analysis report published on 29 December 2016, the Federal Bureau of Investigation and the Department of Homeland Security described the modus operandi of the two groups in the various intrusions that beset the 2016 American presidential election. This report supplemented the joint statement of 7 October 2016, which had officially attributed the intrusions to the Russian government, by naming the two groups through which they were carried out.
Cozy Bear is Crowdstrike's name for the group tracked elsewhere as APT 29, whose signature has been identified by several cybersecurity companies in a number of intrusions. It is also known as CozyCar, the Dukes or CozyDuke. Crowdstrike assessed it as probably linked to the Federal Security Service of the Russian Federation (FSB, a successor of the KGB). The group is believed to be responsible for intrusions into American institutions including the White House, the State Department and the Joint Chiefs of Staff.
Fancy Bear corresponds to APT 28, which other vendors call Pawn Storm, the Sofacy Group, Sednit or Strontium. This group is believed to be linked to the Main Intelligence Directorate of the General Staff of the Russian armed forces (GRU). It is considered responsible for intrusions targeting the Bundestag (the German federal parliament), TV5Monde, the White House and, more recently, the Organization for Security and Co-operation in Europe (OSCE).
According to the joint FBI/DHS report, the two groups use different techniques to gain initial access to their targets. APT 29 is known for spearphishing, which combines phishing with social engineering: it sends emails containing links to sites hosting malicious droppers that, once executed by the target, compromise the computer by installing remote access tools (RATs). APT 28 is known for registering domains and building sites that mimic legitimate ones, notably webmail login pages, in order to trick users into entering their credentials. Once inside the target environment, the two groups follow a fairly similar modus operandi to extract data and exploit the information obtained.
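The credential-harvesting technique attributed to APT 28 leaves a trace that a defender can look for: users visiting, and above all submitting forms to, domains that imitate a protected login page. The Python below is an added example written for this article, not code from the FBI/DHS report or from any vendor. It classifies hostnames found in constructed proxy log lines as legitimate, homoglyph (e.g. g00gle), typosquat (within a small edit distance), or brand-embedded (the brand appears under someone else's registrable domain). The protected brand list, the log format and every log line are assumptions made up for the example.

```python
import re
from urllib.parse import urlsplit

# Brands whose login pages we protect. Assumption for this example; a real
# deployment would load the organisation's own list plus the Public Suffix List.
PROTECTED = ("google.com", "microsoft.com", "microsoftonline.com")
MAX_EDITS = 2   # edit distance at or below which a base label counts as a typosquat

# Constructed log format (not a real product's format): timestamp, user, method, URL.
LINE_RE = re.compile(r"user=(?P<user>\S+) action=(?P<action>\S+) url=(?P<url>\S+)")

def normalize(label: str) -> str:
    """Fold common look-alike substitutions so 'g00gle' and 'rnicrosoft'
    compare as 'google' and 'microsoft'."""
    return label.lower().replace("rn", "m").translate(str.maketrans("01357", "olest"))

def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host: str):
    """Return (verdict, brand). Verdicts: legitimate, homoglyph, typosquat,
    brand_embedded, unrelated."""
    labels = host.lower().rstrip(".").split(".")
    registrable = ".".join(labels[-2:])      # crude: last two labels, no PSL
    if registrable in PROTECTED:
        return "legitimate", registrable
    base = normalize(labels[-2] if len(labels) >= 2 else labels[0])
    for brand in PROTECTED:
        brand_base = brand.split(".")[0]
        if base == brand_base:                               # g00gle.com
            return "homoglyph", brand
        if levenshtein(base, brand_base) <= MAX_EDITS:       # gooogle.com
            return "typosquat", brand
        if any(brand_base in normalize(l) for l in labels):  # google.com.evil.example
            return "brand_embedded", brand
    return "unrelated", None

def analyze(log_text: str) -> list:
    """Scan log lines and report visits to hosts that imitate a protected brand;
    a POST to such a host means credentials were probably submitted."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        host = urlsplit(m["url"]).hostname or ""
        verdict, brand = classify(host)
        if verdict in ("homoglyph", "typosquat", "brand_embedded"):
            findings.append({"user": m["user"], "host": host, "verdict": verdict,
                             "brand": brand, "credentials_posted": m["action"] == "POST"})
    return findings

# Constructed sample log lines (fictitious users and hosts).
SAMPLE_LOG = """\
2016-03-19T08:12:03Z user=jdoe action=GET url=https://mail.google.com/mail/u/0/
2016-03-19T08:14:41Z user=jdoe action=POST url=https://accounts-g00gle.com/ServiceLogin
2016-03-22T10:02:17Z user=asmith action=GET url=https://google.com.security-check.example/reset
2016-03-22T10:05:55Z user=asmith action=GET url=https://gooogle.com/
2016-03-23T09:00:00Z user=bwong action=GET url=https://login.microsoftonline.com/
2016-03-23T09:03:12Z user=bwong action=POST url=https://rnicrosoft.com/login
2016-03-23T09:10:00Z user=bwong action=GET url=https://example.org/
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

Two caveats matter in practice. Taking the last two labels as the registrable domain is wrong for suffixes such as co.uk, so a real deployment should use the Public Suffix List, and legitimate brand-owned domains that do not share the brand's main registrable domain (login.microsoftonline.com above) must be allowlisted or they will be reported as brand-embedded. Short brand names also need a smaller MAX_EDITS, otherwise ordinary words fall within the typosquat threshold.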
Concerning the hacking of the Democratic Party, APT 28 is reported to have conducted an email phishing campaign in spring 2016, inviting the targeted users to enter their password on a fake page imitating their email provider's login page, and to have used the harvested credentials to gain access to the Democratic Party's emails and documents. That the two groups worked the same target through different routes illustrates either a lack of coordination between them or a desire to cover their tracks and hide the reality of their cooperation. A last question arises, as for the Equation Group: who is behind Fancy Bear and Cozy Bear? Are they FSB and GRU officers, or individuals working independently, alone or within organised groups, under some degree of control by these intelligence agencies? This question remains unanswered today. Yet it must be answered for other states, particularly the United States, to attribute the actions of these groups to the Russian Federation and hold it responsible under international law.
CONSEQUENCES OF THE REVELATIONS ON THE EQUATION GROUP, FANCY BEAR AND COZY BEAR
The United States and the Russian Federation, two of the most important digital and military powers in the 21st century, have long been believed to be responsible for a large number of offensive operations in cyberspace. However, the 2016 revelations marked a turning point.
First, they offered an unprecedented glimpse into the overall organisation and modus operandi of the cyberattack programmes of the United States and the Russian Federation. They lifted a little bit more of the veil over the extent of the cyber operations that these two countries conduct by putting together the pieces of a giant puzzle, demonstrating how these states deliberately, and with complete impunity for the moment, conduct cyber operations targeting other states.
Second, these revelations showed how these two states have today incorporated the digital domain into their military arsenal and extrajudicial measures. They illustrated, among other things, how these two states respond to cyber operations, using a combination of cyber and non-cyber responses, including sanctions and extrajudicial measures.
Third, these revelations were also a signal sent to other states concerning their digital capabilities and the extent of the operations that they carry out. The hacking of the Democratic Party and the attempts at interfering with the American elections, whose actual effects are difficult to assess, were a strong signal sent to other states with regard to the risks concerning their own upcoming elections. Thus, some have already expressed their concern regarding the elections of major importance planned for 2017, particularly the French presidential election, the Iranian presidential election and the German legislative elections.
Moreover, this risk particularly resonated in certain countries in Eastern Europe. The DDoS attacks against Estonia in 2007, believed to have been conducted by the Russian Federation, revived certain fears in these countries over the risks of Russian interference with their home affairs. The year 2016 probably heightened these fears for two reasons: On the one hand, the American example simultaneously serves as a reminder that such a scenario is always possible and reveals the extent of Russian capabilities; on the other hand, the new President of the United States, Donald Trump, has indicated that he would probably not automatically come to the aid of the Baltic states in the event of Russian interference. The recent announcement of the hacking of the OSCE is not going to lower the tension.
Fourth, the spotlighting of the malicious, even belligerent, digital activities of these two nations demonstrated that they are very far from respecting the principles of peaceful use that they advocate at the international level. Today, the United States and the Russian Federation pride themselves on driving the development of a safe cyberspace used peacefully by states; they have therefore been weakened diplomatically by these revelations, much as the United States was after the Edward Snowden revelations. While other states were never fooled, they now have means of holding these two states politically accountable, which opens new opportunities for them. The People's Republic of China, often considered an aggressive state in the digital domain, has moved into the background: a clear decrease in Chinese cyberattacks against American interests has been observed since the discussions held between the two countries on this subject. China could thus play upon this seemingly virtuous behaviour, and the weakening of Russia and the United States, to position itself as a major player in these matters and advance its own agenda. For their part, France and the European states could also take advantage of that weakening to push their positions in the current negotiations.
Fifth, these revelations allowed certain states to hold the states concerned accountable in terms of credibility and politics. For the time being, however, they have not made it possible to hold them legally responsible, nor have they justified, among other things, sanctions and extrajudicial measures against them. The next step, still very hypothetical, would be the attribution of these cyberattacks backed by irrefutable evidence.
Sixth and finally, these revelations showed the central role played by non-state players acting directly or indirectly as proxies for these states. The revelations were analysed and supported by the work of teams from two private companies: the Russian company Kaspersky for the revelations concerning the NSA, and the American company Crowdstrike for those concerning the FSB and the GRU. Moreover, the revelations did not directly expose the activities of the intelligence agencies themselves, but those of "groups", which probably consist of isolated individuals as well as organised groups acting on behalf of these agencies, or even divisions of the agencies. Non-state players, whether isolated individuals or individuals assembled in a group, thus appear as major players in these states' strategy of influence in cyberspace. The revelations concerning the Equation Group were made by hackers calling themselves the Shadow Brokers, who are suspected of links to the Russian Federation, while the attackers who hacked the emails of an advisor to the Russian President have been linked by some commentators to the NSA. It must therefore be concluded that a genuine confrontation between the United States and Russia, taking direct and indirect forms simultaneously and in which non-state stakeholders play a central role, is under way in cyberspace.