Russian cyber espionage threatens Estonian and Western security

Russia’s cyber espionage poses a major threat compared to most other countries as its special services have a long history of conducting cyber operations and are constantly exploring inventive new ways to breach information systems, develop malware and disguise their activities, while also continuing to use previously successful methods. They consistently invest resources in cyber capabilities and quickly learn from their mistakes, adapt their attack methods, replace exposed attack infrastructure, etc.

Examples of Russian special services’ cyber operations that were published in 2021:

• 2019–2021 Russian foreign intelligence (Sluzhba vneshney razvedki Rossiyskoy Federatsii; SVR) cyber espionage operation. SVR gained access to tens of thousands of information systems of targets through the US company SolarWinds. Other services were used in the attack. The stolen data mainly came from the US. The exact impact is still unknown. [1]
• 2017–2020 Russian military intelligence (Glavnoye (Razvedyvatelnoye) Upravlenie Generalnogo Shtaba Vooruzhonnyh Sil RF; GRU) cyber operation in France. [2]
• 2017–2021 Russian influence operations in Europe. [3]
• 2019–2021 Large-scale GRU cyber espionage operation to brute-force thousands of user passwords for Microsoft services. Both the public and private sectors were targeted. [4]
• 2021 Russian security service (Federalnaya sluzhba bezopasnosti RF; FSB) cyber espionage operations in Ukraine. [5]
• 2021 Repeated SVR phishing campaigns in the West. [6]

The targets of the Russian special services, on the other hand, still lack adequate cybersecurity measures and are more likely to address their shortcomings only after being affected by a cyber operation of significant impact. To date, the targets of cyber operations have unfortunately failed to understand the need to continually maintain and invest in cybersecurity.

Owing to the Russian special services’ activities, the Kremlin likely has a good overview of Western thinking, situational interpretations and concerns. This provides the decision-makers with suggestions on where and how to focus pressure to achieve their foreign policy goals.

Stages of a cyber espionage operation conducted by Russian special services

A simplified description of the stages of a cyber espionage operation conducted by Russian special services follows. It is a general description of the Russian special services’ cyber capabilities and does not apply to all Russian special services’ centres that are capable of conducting operations in cyberspace.

It is important to remember that information intended for internal use, which is not protected as strongly as state secrets, also often has high intelligence value. Holding a sufficient amount of internal information may ultimately be equivalent to having access to a state secret.

A cyber espionage operation is largely a series of automated processes. Human involvement is limited to, for example, establishing whether the targeted person and the information on the target’s devices are of interest. If not, the special services either delete their malware from the information system or use it to attack other targets of interest. In most cases, they employ various techniques to disguise their activities, such as using third-party devices to attack and gather information or breaking their malware down into components that are loaded into the targeted information systems at different times from different servers.

Memos marked for internal use often contain valuable information for Russia on how government agencies operate, cooperate, interpret events and make decisions.

What happens after a breach?

The Russian special services use many different types of malware in their cyber operations. We will describe a method that we observed on the personal computer of a former civil servant. 

The breach likely occurred when the person opened an attachment in a phishing email. The attachment only contained an initial malware component. The rest were downloaded to the computer from various locations on the internet. The malware components are like the pieces of a matryoshka doll. By opening each piece, the target launches the files inside it, which in turn transfers a new malware component performing another specific task. Once all of the malware is installed on the target’s computer, regular information transfers to a server controlled by the Russian special services will begin.

In our assessment, Russian special services will continue their cyber espionage operations against Estonia and other Western countries into the foreseeable future. It is a well-established and efficient method of espionage. Therefore, the cyber threat from Russia will remain, but it can be mitigated by implementing cybersecurity measures.