Wednesday, May 7, 2014

An Assessment of Cybersecurity Environment in Russian Federation

Glenn Ford, Timothy Casassa, Zack Rich

Table of Contents
1. Executive Summary
2. Cybersecurity Strategy Overview
3. Russian Federation Cybersecurity Policy
3.1 Government Content Control
3.2 Federal Data Security
3.3 Internet Borders
4. Cybersecurity Geopolitical Objectives
5. Cybersecurity Paradigm
6. Cybersecurity Resources
6.1 Cybersecurity Structure of Russian Federation
6.2 Three-tier Model of Command & Control
7. Organized Crime and Cybercrime
7.1 Online Fraud
7.2 Spam
7.3 DoS Attacks
7.4 Russian Business Network
7.5 Cyberespionage and Theft of Intellectual Property
8. International Cyber Law
9. National Cyber Law
10. United States Challenges to Russia’s Cyber Strategy
10.1 U.S.-Russian Mistrust
10.2 Moving Forward
11. Conclusion

1. Executive Summary

This report will evaluate and present for discussion a set of issues relevant to today's cybersecurity environment of the Russian Federation (see Appendix A: Country Profile of Russian Federation). It will assess the Russian Federation’s cybersecurity on (a) strategy; (b) policies; (c) geopolitical objectives; (d) resources; (e) cybercrime; (f) interactions with international laws on cyberactivity; (g) domestic laws on cyberactivity; and (h) cybersecurity challenges to the United States.
The Russian Federation presents a serious threat to other nations in cyberspace because their policy is oriented around information warfare, in contrast with the common Western paradigm of treating cybertechnologies as tools for the common good. Russian cyberpolicy is designed to give the Federation the upper hand in foreign and domestic conflicts, granting them information superiority in military actions, counterintelligence, and in control of the Russian population. The means they use to enact this policy include government agencies acting on enforceable legislation, nationalist organizations supported by the Kremlin, and individual hacktivists and cybercriminals who are directed by the nationalist organizations. Russian legislation on cybercrime does not extend to crimes committed outside of Russian borders, enabling cybercriminals on the Russian Internet to engage in a wide range of illegal activities including spamming, fraud, and intellectual property theft.
To date, the Russian Federation has resisted joining international legislation against cybercrime that would enable information-sharing and cybercriminal manhunts across Russian borders. It has passed laws to improve its own security, mandating national identification numbers for Internet registration, enabling Russian law enforcement to demand information from ISPs and other computer services, and forbidding the same services from cooperating with foreign law enforcement. In light of its recent attacks on Ukraine and Georgia, as well as a history of conflict with all Western powers, there is a strong trend of distrust between the United States and the Russian Federation. A diplomatic solution would be most helpful in reducing the threat the Russian Federation presents to the United States and would improve the cybersecurity of both nations.
2. Cybersecurity Strategy Overview

The Russian Federation’s cybersecurity strategy is to leverage computer networking technologies as tools of war and espionage, serving the interests of the State in maintaining control over the Russian population and gaining an advantage in political or military struggles with other nations. The full extent of their capabilities is not known, but they have access to the resources of multiple government agencies, non-governmental supporting agencies, probable links to organized crime, and a body of unaffiliated Russian hacktivists as detailed below.
3. Russian Federation Cybersecurity Policy

The object of the Russian Federation’s information assurance policy is threefold. First, the Russian Federation aims to maintain a fairly strict level of content control over all Russian websites and social networks in order to maintain the integrity of Russian society and prevent subversion by foreign powers. Second, they must have absolute security over governmental data. Third and last, they attempt to make and hold national borders in cyberspace in opposition to the Western paradigm of a free and open transnational internet (Smith, 2014).
3.1 Government Content Control

Concern about information content control predates the growth of internet use in the Russian Federation. One of the major landmarks in the development of the current Russian information policy paradigm was the first Russo-Chechen War. The mostly unrestricted private Russian media coverage of refugees, wounded people, destruction, and the mistakes of the military greatly reduced the credibility of the Yeltsin administration, and is believed to have been a factor in the ultimate failure of the Russian military (Koltsova, 2000). Since then, the Russian leadership has kept much tighter control over the media coverage of its activities, starting with the second Chechen War and continuing to the present day. By controlling the media, they control public opinion, and by controlling public opinion, they control the level of commitment that the citizens of Russia have towards their nation and their leaders. This control over media extends to news blogs and social media sites, such as VK and Facebook (Guildford, 2013, p. 5-8). Organizations such as the Foundation for Effective Politics (FEP) can work to present an illusion of public consensus by having its members post en masse expressing a particular viewpoint on a particular subject on Russian blog posts or VK threads (Carr, 2011, p. 209). Public protest against the activities of the government can be silenced through Denial of Service (DoS) attacks ("Hacking Attacks Hit," 2012) or spam attacks ("Russian Twitter Political", 2011). All of these activities will, in theory, prevent revolutionary thinking from destabilizing the Russian establishment.
3.2 Federal Data Security

The Russian Federation aspires to keep its federal data secure. In July 2013, the Federal Protective Service (FSO) made global news by making a bulk order for electric typewriters for the Kremlin. Sources justified this switch to “old technology” by citing concerns about insecure digital data storage in light of the Snowden and WikiLeaks scandals ("Kremlin Security Agency", 2013). The FSO understands that one of the major weaknesses of digital data storage is that digital information is vulnerable to bulk collection and modification. It is simply more difficult to maintain real confidentiality, integrity, and availability through computer media than it is through physical media. Additionally, when waging information warfare, the Russian leadership maintains a degree of deniability and privacy by acting through private agencies, including the FEP, the Russian Business Network (RBN), and the Nashi (Carr, 2011, p. 115-129). So far this strategy has largely been effective in keeping allegations of dubious cyberactivities by the Russian government from being proven.
3.3 Internet Borders

Real content control and personal security are more difficult to uphold if Russian networks are entirely globally accessible. Therefore, the Russian Federation attempts to maintain a facsimile of its national borders in cyberspace. There are many aspects to this policy. For example, it has rejected the Council of Europe Convention on Cybercrime, the policy framework for international law enforcement against cybercrime, on the grounds that it would infringe on national sovereignty (Carr, 2011, p. 35). Also, it has encouraged “patriotic” hackers in Russia to target foreign information systems in support of Russian military or political actions (Carr, 2011, p. 115). Additionally, it has refused to purchase hardware constructed by U.S. defense contractors out of concern for secret backdoors and switches, and has encouraged the use within the country of Russian-made hardware and software that is largely not exported to other nations (Carr, 2011, p. 162). The Russian Federation’s aim is to create a fairly strong divide between the Russian Internet (RuNet) and the greater World Wide Web, without resorting to extreme measures such as a national firewall.
4. Cybersecurity Geopolitical Objectives

In the execution of its cybersecurity policies, the Russian Federation’s efforts tend towards one of two ends: suppressing public dissidence and supporting the Russian military. Various private groups and unaffiliated nationalistic hackers in Russia participate in accomplishing both objectives. In 2007, several Estonian government websites were hit with DoS attacks and shut down after Estonia moved a Soviet war memorial in Tallinn, a move condemned by the Kremlin ("Estonia Hit by", 2007). In 2011, Russian Twitter users talking about ongoing protests were spammed by a massive amount of pro-government messages that are presumed to have been generated by a botnet ("Russian Twitter Political", 2011). These are examples of information warfare used for domestic support, perpetuating ideals endorsed by the Kremlin that reinforce the current state of Russia and discourage dissonant thought. Cyberattacks were made in support of the Russian military during the Russo-Georgian War (Lomidze, 2011) and later the annexation of Crimea (Rietveld & Diederek, 2014), taking down government and news sites on both occasions. These are examples of information warfare used for military support, preventing information counterattacks and limiting possible sources of information to those controlled by the Russian Federation.
5. Cybersecurity Paradigm

An important detail to consider in any discussion of Russian cyberwarfare policy is how the Russian leadership perceives cyberspace, and how that differs from how the United States and other Western powers perceive the same. Fears of “color revolutions” (e.g. the Orange Revolution) that are supported by the United States persist in Russia as an artifact of generations of international conflict (Carr, 2011, p. 211). Additionally, in light of the effects of the media on Russian military efforts, such as the first Russo-Chechen War, the Russian leadership does not make a distinction between information war and physical war. They advocate the creation of an international agreement treating infoweapons similarly to WMDs (Carr, 2011, p. 171).
Not to be underestimated is the way in which computer technology has proliferated across Russia. Over the last decade, the use of the Internet in the Russian Federation has increased at a rapid pace. From 2006 to 2013, the number of Russians using the Internet at least once a week increased from 10% to 55% (see Appendix B, Figure 1: Internet Use in Russia) (Adomanis, 2013). According to a Yandex study, the monthly Internet audience in Russia is 61.2 million people over the age of 18 (see Appendix C, Figure 2: Growth of the Monthly Internet Audience) (Yandex, 2013, p. 2). In 2013, Aleksey Navalny, a prominent Russian blogger who writes about the corruption of the Russian Federation and Vladimir Putin, stated that “the Kremlin is worried - worried about Arab Spring, London riots, unrest in the North Caucasus, likely attempts to subvert the 2014 Sochi Winter Olympics and, of course, the unprecedented social media-borne anti-Putin demonstrations across Russia” (Smith, 2012). The booming Russian Internet enables social activists such as Navalny and challenges the status quo of the Russian Federation.
Fear of revolution, information control, and Internet growth foster a defensive attitude towards cybersecurity. Russian leaders are treating cyberspace as another front in the Russian Federation’s ongoing conflicts with the rest of the world, instead of a means of improving society through information sharing, as is common in the West.
6. Cybersecurity Resources

Cybersecurity resources of the Russian Federation are highly organized, structurally compartmentalized, and are controlled by the Kremlin and its affiliated agencies. To protect its national interests, the Russian Federation relies on hackers and hacker groups, who directly and indirectly report to the Kremlin. Russia’s economic and geopolitical environment led to an increase in cybercrime, cyberespionage, and theft of intellectual property.
6.1 Cybersecurity Structure of Russian Federation

The Russian Federation has developed a highly compartmentalized and organized national cybersecurity structure (see Appendix D, Figure 3: Russian Federation Cybersecurity Structure). The Federal Security Service (FSB), subordinate to the Russian President, is the largest organization involved in cybersecurity. Federal Law No. 40-FZ, On the Federal Security Service, assigned the FSB the responsibility to protect Russia’s information systems and critical infrastructure (Carr, 2013, p. 220). Top-level government agencies include Federal Security Organizations (FSOs), Ministry of Education and Science Organizations, Ministry of Defense Organizations, FSB Organizations, Ministry of Internal Affairs Organizations, and Ministry of Communications Organizations (see Appendix E: Cybersecurity Resources of Russian Federation) (Carr, 2013, p. 221).
6.2 Three-tier Model of Command & Control

The three-tier model of Command and Control (C&C) represents a hierarchical relationship between the Kremlin, national youth associations, and Russian hacktivists (see Appendix F, Figure 4: Three-tier Model of C&C for Russian Federation Non-state Hackers). According to this model, the Kremlin established C&C over unaffiliated Russian hackers through Nashi and other youth hacker groups (Carr, 2013, p. 119). This model is highly organized and efficient, and it provides the infrastructure for Russian hackers to thrive. Carr described how the three-tier model of C&C is deployed by a number of Russian hacker groups, including Rove Digital, McColo, Atrivo/Intercage, ESTDomains, and others. Services offered by Nashi and its affiliated hacker groups include computer espionage and DoS attacks, such as the 2007 DoS attacks on Estonian government infrastructure (Russinovich, 2013). Additionally, the Kremlin created the FEP, an organization tasked with protecting the Kremlin and responding to anti-Kremlin protests via Internet operations (Carr, 2013, p. 163-164).
7. Organized Crime and Cybercrime

Russia has an established group of elite hackers who are able to write new viruses and malware. Russia inherited an advanced Science, Technology, Engineering, and Mathematics (STEM) education system from the Soviet Union era, leading to many young people in modern Russia possessing strong computing skills. Since few opportunities are being offered in the Russian IT sector, many of these over-educated and highly-skilled individuals turn to cybercrime, mainly hacking, as a source of income (Bizeul, 2007, p. 4).
In 2011, the Russian cybercrime market had a net revenue of $2.3 billion, doubling from 2010 (Group-IB, 2011, p. 6). The Russian cybercrime market can be divided into three key categories: (a) Online Fraud; (b) Spam; and (c) DoS Attacks (see Appendix G, Table 1: Quantitative Assessment of the Russian Cybercrime Market and Appendix H, Figure 5: State of the Russian Cybercrime Market) (Group-IB, 2011, p. 8).
7.1 Online Fraud

Over the last few years, there has been an increased number of attacks on the banking industry. Russian-made banking malware includes Carberp, Hodprot, Shiz, Lurk, Spy.Ranbyus, and Qhost. Attackers typically exploit: (a) remote access; (b) automatic substitution; (c) loading of payment orders; (d) web injects; and (e) phishing attacks (Group-IB, 2011, p. 8-9). In 2011, Yevgeniy Anikin, a Russian citizen, stole $9.5 million from the accounts of WorldPay, a payment processing unit of the Royal Bank of Scotland (RBS), by hacking servers of American branches of RBS (Group-IB, 2011, p. 17).
7.2 Spam

Over the last few years, Russian-based spam has mainly been monetized via affiliate programs. The most popular ways to profit from affiliate programs are the sale of counterfeit drugs, pirated software, and knockoffs of accessories such as clothing and watches (see Appendix I, Table 2: Pricing of Russian Spam and Related Services) (Group-IB, 2011, p. 10). One of the most notorious Russian spammers is Oleg Nikolayenko, arrested by the FBI in Las Vegas in November of 2010. Nikolayenko created the Mega-D botnet, which distributed spam from about 510,000 infected computers (Group-IB, 2011, p. 16).
7.3 DoS Attacks

DoS attacks in Russia have been declining since late 2010. In 2011 and thereafter, the Russian banking sector witnessed a sharp decrease in the number of DoS attacks, since better technologies now exist to detect and prevent them. The main targets of DoS attacks are Internet retailers (e-commerce). An average DoS attack in 2011 used 10,000 nodes (Group-IB, 2011, p. 11). Russian hacker groups have the capability to create all types of DoS attacks, including UDP flood, TCP flood, TCP SYN flood, Smurf, and ICMP flood attacks (Trend Micro, 2012, p. 12).
7.4 Russian Business Network

RBN is a criminal service provider that provides infrastructure for illegal activities, such as phishing schemes, malware hosting, gambling, and child pornography (see Appendix J, Figure 6: Cybercrime Activities of RBN) (Bizeul, 2007, p. 5). In 2006, about half of all phishing incidents worldwide relied on RBN's infrastructure. From 2005 to 2007, nearly every major computer virus and worm either used or sent data to RBN servers. Some of the decade’s most notorious malware, such as Gozi, Grab, Haxdoor, Metaphisher, Mpack, Ordergun, Pinch, Rustock, Snatch, Torpig, and URsnif, relied on RBN servers (Krebs, 2007). In November 2007, RBN caught the attention of the mass media and, shortly after, of the FBI; RBN then went ‘underground’ and its traffic disappeared (see Appendix K, Figure 7: RBN Traffic Drop in 11/2007). RBN slipped under the radar, away from the public spotlight (Carr, 2013, p. 122).
7.5 Cyberespionage and Theft of Intellectual Property

Russian cyberespionage began in 2005 and has been growing ever since. In January 2014, CrowdStrike, a U.S. cybersecurity research firm, gathered evidence that the Russian Federation conducted massive global cyberespionage against hundreds of U.S., European, and Asian companies. Some of the victims of Russian cyberespionage are: (a) European energy and technology companies, defense contractors, and government agencies; (b) U.S. healthcare providers; and (c) U.S., European, and Middle Eastern manufacturing and construction firms. According to Dmitri Alperovitch, the CTO of CrowdStrike, Russian cyberespionage is “motivated by the Russian government's interest in helping its industry maintain competitiveness in key areas of national importance” (Finkle, 2014). Cyberespionage benefits Russia by providing the government with access to intellectual property and cutting-edge research worldwide.
8. International Cyber Law

The Russian Federation desires a treaty regime that deals with cyberwarfare similarly to that for Weapons of Mass Destruction (WMD). This contradicts the U.S. approach, which is to limit cyberwarfare through Mutual Legal Assistance Treaties (MLATs). MLATs are agreements between two countries on how to gather and exchange information in order to enforce criminal and public laws. The U.S. strategy using MLATs would be to have individual agreements for cyber activities, such as law enforcement and extradition treaties. Vladislav P. Sherstyuk, deputy secretary of the Russian Security Council, in a March 27, 2009 speech, outlined Russia’s stance on disarmament in cyberspace by proposing a treaty that would ban a country from covertly embedding malicious code or circuitry that could later be activated in the event of a kinetic conflict or war (Markoff & Kramer, 2009). An argument the Russian Federation has made against MLATs, discussed by Carr, is that “International legal acts regulating relations arising in the process of combating cybercrime and cyberterrorism must not contain norms violating such immutable principles of international law as noninterference in the internal affairs of other states, and the sovereignty of the latter” (Carr, 2011, p. 34-35).
9. National Cyber Law

The Russian Federation Security Council released the first Information Security Doctrine in September 2000. The document was Russia’s first attempt to provide an official government stance on information security for the public, government, and military sectors. The Security Council has released updates since the first version to help identify research areas and support the transition of Russia to an information society (Carr, 2011, p. 218). The Information Security Doctrine found that existing Russian law was inadequate for the Russian Federation’s information security requirements ("Information Security Doctrine," 2008). These findings caused the Russian Federation to pass a number of laws and amendments to resolve the nation’s lack of security as defined in the doctrine. In 2009, Federal Law number 149-FZ, On Information, Information Technologies, and Information Protection, was amended to mandate national identification numbers for Internet registration and to require that ISPs and other computer services provide the government with all information and data during an investigation. The Russian public perceived this as a threat to Internet freedom, since the government could now identify who posted critical comments on social media (Carr, 2011, p. 218).
Federal Law Number 152-FZ, On Personal Data, prohibits Russian ISPs and computer services from providing foreign nations with data on any Russian subject except in a few rare cases, such as when needed to protect a person’s life, health, or vital interests. In essence, this law shields Russian Internet activity, including cybercrime and distributed denial of service (DDoS) attacks, from foreign law enforcement (Carr, 2011, p. 219).
The amendments to the FSB Law, under Article 15, allow FSB security personnel to be assigned “to public authorities, enterprises, institution, and organizations irrespective of ownership, with the consent of their managers in the manner prescribed by the President of Russia, leaving their military service” (Carr, 2011, p. 219). This gives the Kremlin an incredible amount of control and oversight on all matters. Carr also discussed how all Internet connections, as well as all Internet infrastructure, are controlled by the Russian Federation. This further solidifies the government’s ability to monitor all Internet activity and to control how the Internet infrastructure is implemented and used.
10. United States Challenges to Russia’s Cyber Strategy

Recent geopolitical events in Ukraine/Crimea are causing tensions in the U.S.-Russia diplomatic relationship. Cyberwarfare has occurred in Ukraine, with Russia being the main suspect behind a new rootkit, ‘Uroburos’, used in a campaign called Snake. Forensic analysts determined that the developers of this malware worked in the Moscow time zone and left fragments of Russian text in the code, providing further evidence of Russian involvement. The Snake campaign has crippled Ukrainian/Crimean telecommunications, in conjunction with militia attacks on the sector. The Snake campaign has led to infections of Kiev government networks and other critical organizations; BAE Systems identified 32 cases in Ukraine, but the malware has spread globally (Paganini, 2014). Nigel Inkster, formerly the Director of Operations and Intelligence for the United Kingdom Secret Intelligence Service (MI6), said, “The list of suspects boils down to one” (Lemanski, 2014), referring to Russia. On March 16, 2014, NATO’s home page and cyberdefense center web page came under cyberattack by pro-Russian Ukrainian hackers (Musil, 2014).
These new challenges are being monitored by the U.S. and other countries to learn how Russia uses cyberwarfare. Catherine Lotrionte, director of the Institute for Law, Science, and Global Security at Georgetown University, was interviewed by NPR and said, “...watching how the Russia-Ukraine conflict rolls out will tell us a lot about the practice that states are going to be conducting in the cyber realm when it comes to conflict and what rules they're comfortable with accepting or not” (Auster, 2014). With the lessons learned from monitoring cyberwarfare being performed, the U.S. can develop policies and procedures on how to counter and mitigate the Russian strategies.
10.1 U.S.-Russian Mistrust

In an NBC Meet the Press interview on March 23, 2014, House Intelligence Committee Chairman Mike Rogers, discussing Edward Snowden, said “[he] was a thief who we believe had some help [and most of what Snowden stole] had nothing to do with privacy. Our Army, Navy, Air Force, Marines have been incredibly harmed by the data that he has taken with him and we believe now is in the hands of nation states”. The most accusing statement Rogers made was when he said, “There’s a reason he ended up in the hands, the loving arms, of an FSB agent in Moscow. I don't think that's a coincidence….I don't think it was a gee-whiz luck event that he ended up in Moscow under the handling of the FSB” (Curry, 2014).
The ongoing history of mistrust is a major problem for U.S.-Russia relations in developing cyberdefense partnerships. In order to effectively control cyberconflict, it is essential that the U.S. and Russia begin to cooperate. This can begin with investment in confidence-building and further transparency to address emerging cybersecurity threats. The goals of both states are similar, but the plans to achieve them are diametrically opposed. Given the history of mistrust, the divergence of national security approaches, and failed cybersecurity dialog in the past, it is a difficult challenge. However, dialog at the 2013 G8 Summit in Northern Ireland and the U.S.-Russian Cooperation on Information and Communications Technology Security (ICTS) are positive signs of cybersecurity cooperation. The U.S. and Russia are both targets of cyberattacks and cyberespionage and would benefit from cooperation. Transparency still needs work, as both nations have accused the other of cyberespionage. This can be done with a cyberdefense partnership, which is vital to reduce risk and improve U.S. and Russian cybersecurity (Ibrahim, 2013).
Frank J. Cilluffo, director of the Homeland Security Policy Institute, testified before Congress, and in his report he lists Russia as one of the major cyberactors, advanced enough to infiltrate critical infrastructure (CI) but unlikely to initiate a cyberattack of that level. However, Mr. Cilluffo made it clear that further cybersecurity actions need to be taken to protect CI for national security (see Appendix L, Figure 7: Cyberthreats to the U.S. Homeland) (Cilluffo, 2013).
Jeffrey Carr, in his Digital Dao blog, stated that Russia is the most dangerous cyber adversary to the United States. Carr’s justification includes the following: (a) Russia is the only nation to have engaged in military action with a cyberwarfare component, in the Russian-Georgian War of August 2008; (b) Russia is the only nation to have engaged in cyberattacks that disrupted the critical infrastructure of an entire nation, during the cyberattacks on Estonia in 2007; (c) Russia has developed both military and civilian cyberwarfare infrastructure; and (d) Russian cyber operations are rarely discovered, which is a true measure of success (Digital Dao, 2011).
10.2 Moving Forward

In the United States, the FBI and state and local law enforcement face an ever-growing cybercrime challenge, much of which originates with technology and organized crime groups from Russia that are protected by recently changed Russian laws. In July 2011, President Obama outlined the U.S. strategy to combat transnational cybercrime ("Strategy to Combat", 2011). Its primary purpose is to encourage more international cooperation, but Russian law protects those in Russia from international prosecution for cybercrimes. The White House discussed the need for better cooperation in its published Fact Sheet for the U.S.-Russian Cooperation on ICTS ("Fact sheet: U.S.-Russian," 2013). Further work is needed by the U.S. and Russia to increase transparency.
11. Conclusion

The Russian Federation’s cyberpolicy is markedly more aggressive than that of most first-world nations, with a higher degree of censorship directed at the Russian populace and a greater focus on cyberattacks directed at other countries. Also, lax Russian law enforcement enables a surfeit of cybercrime. Its resources are varied, ranging from government agencies to private enterprises to criminal networks and individual hacktivists. These resources are demonstrably effective in achieving its policy objectives, to the extent that the United States is increasingly concerned about Russian cyberaggression. In the past ten years, the Russian Federation has engaged in multiple acts of cyberwar against its neighbors, and is suspected of having committed acts of cyberespionage against the United States. Attempts to diplomatically resolve cyberspace issues between the Russian Federation and the rest of the world have so far been unsuccessful. There is a lot of work to be done to improve cyberrelations between Russia and the United States, but at least both nations realize that to fully succeed in their own national cybersecurity goals there must be further cooperation and transparency.


Adomanis, M. (2013, May 18). Russia's Internet Use is Exploding. Forbes, Retrieved from
Auster, B. (2014, March 14). U.S. Monitors For Cyber Operations in Crimea Standoff. Retrieved from
Bizeul, D. (2007, November 11). Russian Business Network Study. Retrieved from
Carr, J. (2011). Inside Cyber Warfare: Mapping the Cyber Underworld. (2nd ed.). Sebastopol, CA: O'Reilly Media.
Cilluffo, F. (2013, March 20). Cyber Threats from China, Russia and Iran: Protecting American Critical Infrastructure. Retrieved from Testimony March 2013.pdf
Curry, T. (2014, January 18). House Intelligence Chairman Hints at Russian Help in Snowden Leaks. Retrieved from
Digital Dao. (2011, June 29). 7 Reasons Why China Isn't the World's Biggest Cyber Threat (and Who Is). Retrieved from
Estonia Hit by Moscow Cyber War. (2007, May 17). Retrieved from
Fact Sheet: U.S.-Russian Cooperation on Information and Communications Technology Security. (2013, June 17). Retrieved from
Finkle, J. (2014, January 22). Russia Hacked Hundreds of Western, Asian Companies: Security Firm. Reuters. Retrieved from
Guildford, M. (2013, July 30). Cyber Security and Internet Protest. Retrieved from
Group-IB. (2011). State and Trends of the Russian Digital Crime Market. Retrieved from
Hacking Attacks Hit Russian Political Sites. (2012, December 5). BBC News Technology. Retrieved from
Ibrahim, K. (2013, July 17). From Arms Race to Cyber-Space: U.S.-Russian Relations and The Prospects of Cyber Warfare. Retrieved from
Information Security Doctrine of the Russian Federation. (2008, December 29). Retrieved from!OpenDocument
Koltsova, E. (2000). Change in the Coverage of the Chechen Wars: Reasons and Consequences. Retrieved from
Krebs, B. (2007, October 13). Mapping the Russian Business Network. Retrieved from
Kremlin Security Agency To Buy Typewriters To Avoid Leaks. (2013, August 11). Retrieved from
Lemanski, D. (2014, March 09). Russia Mounts Cyber Attack on Computer Networks in Ukraine. Retrieved from
Lomidze, I. (2011). [PowerPoint presentation]. Retrieved from 2011/GITI2011_3.pdf
Markoff, J., & Kramer, A. (2009, June 27). U.S. and Russia Differ on a Treaty for Cyberspace. Retrieved from
Musil, S. (2014, March 17). Ukrainian Hackers Claim Takedown of NATO Web Sites. Retrieved from
Paganini, P. (2014, March 11). Crimea – The Russian Cyber Strategy to Hit Ukraine. Retrieved from
Rietveld, P., & Diederek, P. (2014, March 15). The Crimean Cyber-Troubles Ramp-Up. Retrieved from
Rosstat (2013). Russia 2013 Statistical Pocketbook. Retrieved from website:
Russian Twitter Political Protests Swamped by Spam. (2011, December 9). Retrieved from
Russinovich, M. (2013, February). Trojan Horse: The Widespread Use of International Cyber-espionage As a Weapon. Retrieved from
Smith, D. (2012). Russian Cyber Operations. Informally published manuscript, Potomac Institute for Policy Studies. Retrieved from Cyber Operations.pdf
Smith, D. (2014). Russian Cyber Capabilities, Policy and Practice. Retrieved from
Strategy to Combat Transnational Organized Crime. (2011, July 25). Retrieved from
Trend Micro. (2012). Trend Micro Incorporated Research Paper: Russian Underground 101. Retrieved from
Yandex. (2013). Development of the Internet in Russia’s Regions. Retrieved from


Country Profile of Russian Federation

Area: 17098.2 thousand sq. km. (largest country in the world)
Population as of 2012: 143.1 million
Population density: 8.4 people per 1 sq. km.
Capital city: Moscow
GDP: $2.015 trillion

Number of organizations performing R&D: 3682 in 2012
Personnel engaged in R&D: about 735,000 people in 2012
Share of organizations using information and communication technologies: 93.8%
Number of institutions with postgraduate education (doctoral courses): 608 in 2011
Number of postgraduates in doctoral courses: 4562 in 2011
Number of organizations engaged in modern technological production: 1028 in 2011
(Rosstat, 2013)


Figure 1: Internet Use in Russia (Adomanis, 2013)

Figure 2: Growth of the Monthly Internet Audience (Yandex, 2013, p. 2)


Figure 3: Russian Federation Cybersecurity Structure (Carr, 2011, p. 221)


Cybersecurity Resources of Russian Federation

Organization Name:
Organization Profile:

Federal Service for Technical and Export Control (FSTEC)—Military Unit (Vch) 96010
FSTEC is subordinate to the Russian Ministry of Defense (MOD). FSTEC concentrates on information security and the protection of sensitive technology, such as the government’s telecommunication networks. FSTEC closely cooperates with the FSB and exercises its authority by issuing compliance licenses, developing countermeasures to threats, monitoring infrastructure, etc.

5th Central Research and Testing Institute of the Russian Defense Ministry (5th TSNIII)—Military Unit (Vch) 33872
5th TSNIII is the largest MOD institute on Electronic Warfare (EW). It issues its own publications on information security. The organization employs a staff of 2,000 people, 200 of whom hold PhDs.

18th Central Research Institute of the Russian Defense Ministry (18th CRI MOD)—Military Unit (Vch) 11135
18th CRI MOD is the main research center involved in signals intelligence. The organization works with mobile devices and Supervisory Control and Data Acquisition (SCADA) systems, among others. Vch 11135 is the unit’s testing laboratory.

27th Central Research Institute of the Russian Defense Ministry (27th CRI MOD)—Military Unit (Vch) 01168
27th CRI MOD is the main institute on information technology and command and control (C&C) systems. It was founded in 1954 and is known for recruiting personnel from top military academies and top educational institutions, such as the prestigious Moscow State University (MGU).

Internal Security Services: Federal Security Service (FSB), Ministry of Interior (MVD), and Federal Security Organization (FSO)
The MVD, FSB, and FSO are Russia’s leading organizations for domestic stability. All three organizations have Internet and cybersecurity-related departments, and all three possess offensive capabilities.

Federal Security Service Information Security Center (FSB ISC)—Military Unit (Vch) 64829
FSB ISC conducts counterintelligence operations involving Russia’s Internet (RuNet). FSB ISC monitors and analyzes all Internet activity on the RuNet. The organization is legally authorized to conduct investigations and, as needed, prosecute Russian citizens.

Russian Federal Security Service Center for Electronic Surveillance of Communications (FSB TSRRSS)—Military Unit (Vch) 71330
FSB TSRRSS is tasked with operating and processing all electronic communication. FSB TSRRSS reports directly to the FSB Director. The organization’s structure and details are mostly classified.

FSB Administrative Centers for Information Security
The FSB oversees the handling of sensitive and confidential data within the Russian government and related private enterprises. The Administrative Centers comprise two components: the Center for Licensing, Certification, and Protection of State Secrets, and the Communications Security Center. The FSB has the authority to control the RF’s encryption technologies and to regulate the public and private sectors in terms of security standards.

Russian Interior Ministry Center E (MVD Center E)
MVD Center E is the main organization tasked with fighting terrorism. The organization’s emphasis is on fighting extremist organizations and combating religious and ethnic extremism.

Russian Interior Ministry Cyber Crimes Directorate (MVD Directorate K)
MVD Directorate K is responsible for investigating and fighting cybercrime and other illegal activity on the RuNet. MVD Directorate K works closely with the FSB and other law enforcement officials.

Russian Federal Security Organization (FSO)—Military Unit (Vch) 32152
The FSO is tasked with securing the RF’s Federal domain by protecting it from foreign intelligence services and other threats. In 2008, Russian President Vladimir Putin tasked the FSO with developing a secure Internet connection for the Federal government.

Russian Federation Ministry of Communications and Mass Communications (Minsvyaz)
Minsvyaz is tasked with suppressing political revolts on public networks. Presidential Decree No. 724, passed in May 2008, gave Minsvyaz the authority to develop government policy and regulations in the following sectors: information technology, telecommunications, mass media, publishing and printing, and processing of personal data (PII).

Roskomnadzor
Roskomnadzor is responsible for issuing licenses to telecommunications, information technology, and mass media providers. Roskomnadzor has the power to enforce regulations and prosecute violators.

(Carr, 2013, pp. 224-238)


Figure 4: Three-tier Model of C&C for Russian Federation Non-state Hackers (Carr, 2011, p. 119)

Table 1: Quantitative Assessment of the Russian Cybercrime Market (Group-IB, 2011, p. 7)


Figure 5: State of the Russian Cybercrime Market (Group-IB, 2011, p. 6)

Table 2: Pricing of Russian Spam and Related Services (Trend Micro, 2012, p. 11)


Figure 6: Cybercrime Activities of RBN (Bizeul, 2007, p. 5)

Figure 7: RBN Traffic Drop in 11/2007
