
BSides Buffalo 2026: Four Years at War: Trends in Russian State Nexus Cyber Operations

BSides Buffalo · 53:36 · 18 views · Published 2026-06
About this talk
After four years of war, Russia's cyber-enabled operations have adapted, representing one of a few countries that now have directly applied cyber capabilities in a state vs state conflict. This talk will explore notable trends across Russia's cyber-enabled capabilities, including introducing a novel addition to the list of cyber-enabled Russian organizations. This talk will explore several trends including an emerging powerhouse amongst existing capabilities, adaptations to initial access capabilities, the incorporation of malware-as-a-service and an examination of the impact of wartime conditions to cyber-enabled operations.
Transcript [en]

Who am I? First of all, I guess we're here to talk about Russia. And that is, for all intents and purposes, who I am. All I do is Russia. My life is Russia, and as my colleague Patrick will attest, updates are Russia stuff. So, who is this random person, especially this Canadian, who's talking to you about Russia? I spent many years living there. I have a degree from the Peter school to their foreign intelligence service and internal security service, but I was born in Canada, that's fine. So, what we're going to talk about today are these six trends that I've determined, found, examined over the course of the Russo-Ukraine war. So, starting in 2022

till effectively present. So, we're going to run through the FSB, that's their internal security service; the GRU, military intelligence, and how that breaks down into different missions throughout the different countries, so what if they send combat, African Command, etc.; initial access subgroups for the state-nexus threat actors; their use of malware as a service to support operational tempo; the Presidential Administration, a weird but unique cyber-enabled group that does not get enough coverage; and then sort of conclude with how they have become more battle-hardened than any of us actually want to admit. So, the FSB, the 18th Center. Who the hell is that? This is the Center for

Information Security. It's odd, information security, but their mandate falls under counterintelligence. They have two named threat groups: Gamaredon Group and Callisto. Gamaredon Group is based out of Sevastopol. Callisto, not fully clear where they're based, but they have links to the middle of nowhere in northern Russia. Then, along with that, they have two linked trackers. We're going to get into a bit more of these later when we get to the last workshops. But those other two groups are Cold River, which is linked to Callisto but distinct, and InvisiMole, again linked to Gamaredon Group but distinct. Along with that, their mandate used to be just Ukraine, as for Gamaredon Group.

And the FSB itself has grown over the years. We might always hear about them as the successor to the KGB. They're not. Or at least not in the sense that we would assume they are. They came and started doing hard internal security, and then, after a budgetary battle, started trying to steal as much of the mandate of every other organization, every other security service within Russia that they could, including military intelligence, foreign intelligence, their version of the NSA that got shut down, half rolled into foreign intelligence, half rolled into the FSB. It's Russia, it's weird. You just sort of go with it. Along with that, they started incorporating information operations. So when I say information operations, by

Russian standards, information operations involves anything dealing with a laptop. But by our standards, this would be more your disinformation, misinformation, that style of operations, more psychological operations rather than a hands-on-keyboard, hacker-style attack. Finally, the FSB's 18th Center. They're very unique in that they have a legal mandate to go into a Russian prison, pull out an arrested dude, and say, "You now work for me. Here's your desk. Here is your mission. Screw it up, and you get to go back." Along with that, they can also go purchase services from criminals. So, they have a very robust, not only custom capability, but access to the

we'll call it more standard malware-as-a-service tools that our friends in ransomware, for example, have. What we're seeing here is what the FSB's cyber operations look like. It's very convoluted. What we've been talking about for the most part, the 18th Center, that's under the First Service. So, basically, to the far right of, yeah, all right, my right, your left of the screen. So, military unit 3443, I guess, I don't know that one. First Service, military unit 64892. So, from there we start breaking it down: the Counterintelligence Operations Service into the UFSB. That's a regional office, where you get Kamchatka. Next to that we have the very fun Second Service. These guys are the door

kickers. Spetsnaz, Russian special forces, or the FSB's special forces, rather. I'm sure you've heard in the news about internet access currently being a problem in Russia. These are the guys who are running it. Their mandate is primarily counterterrorism. So, now you've got people without a background in how the internet functions telling the people who know how the internet functions what must be shut down, which is basically: turn off the internet outside of state media and a whitelist of applications. For example, that's Gosuslugi, which, I have no idea what the American equivalent to that would be. Imagine trying to do any federal taxation thing in the US.

That's all that you have access to on the internet. The entire rest of it is shut down. So that's all you have access to, because there is an incredible hardliner saying the average Russian should not have access to the internet because of Western propaganda. >> That's all I heard you say now. >> That's the point. >> So is this part of watching the services turning inward on the population as the war starts going poorly? >> So no, it's not actually, because it has nothing to do with how the war is progressing, possibly in a negative way. So their actual name is the Protection of the Constitutional Order.

Constitutional order. If you actually read the Russian constitution, they lifted a lot of it from yours. So on paper, it sounds the same as here, but the actual person in charge has determined that my entire political structure is based around me, the leader; I am the sole arbiter of all interpersonal disputes within the oligarchy. You want a decision in your fight over who gets to control the Russian version of Amazon, thou shalt come to me and I will tell you if you can go shove it or if you get to take billions of dollars of Russian money every year. Those are the people who get to say maybe you can go online and file

for a new passport. So from there, we start heading into... The FSB also, oddly, controls the Russian CERT. So, just additional context. But when you get to the far end, note the 16th Center, so unit 61608, that's where we get our FSB signals intelligence. So their actual foreign intelligence, cyber-enabled foreign intelligence capability. And they are oddly creative compared to their counterparts elsewhere. So, Turla, for example. I don't know if any of you remember, it was 2017, ESET put out a bit on how they were using comments on Britney Spears' Instagram page for their C2. Who's going to go look in Britney's comments? Nobody. So perhaps, while I'm saying the FSB 18th Center is

the emerging power, because over the course of the last year or so I've sort of switched things a little bit, maybe it's just the FSB as a whole. Why? They have become so omnipotent within the Russian security service architecture for cyber-enabled operations. And they've had that very big shift in mandate. So, Callisto, they had an operation back in 2023 called "A Very British Coup d'État," where it was an information operation specifically targeting Scottish or British members of Parliament, but going through a Scottish National Party member. It was a very weird one, and for an internally focused... When I say internally, perhaps I should explain that as the near abroad.

By Russian standards, if you're in the former Soviet Union but not in NATO, you are considered internal. Everything else is external. So, for an internal counterintelligence service to focus on a NATO member for an information operation, that is a huge shift in their actual capacity. But then back in December, you had Sandworm say, "Static Tundra is trying to take down our energy grid." That's very weird, because the FSB has never done anything remotely destructive, even though they have had ICS-capable malware through the Static Tundra sort of chain of command up to Berserk Bear. They have had a malware called Hades, which is ICS capable but has not actually been used for a strike

capability. So, they're expanding and cutting into the turf of other organizations within, and they don't talk. Yes, sir? >> Is it fair to say that if they have such control over the internet and they kind of work with these hacker groups, that they pretty much control those hacker groups and they're part of the Russian military apparatus, or are they still decentralized to a degree? >> So, you're referring to the Second Service and the internet controlling? >> I'm talking about third-party hacking groups, like the ones that most of us in the West would consider the criminals. Since they have

control of the internet in a large way, are those criminals known to the FSB, and do they work with them constantly? >> So, it depends on the individual crime. So, I'll use for example Evil Corp. You've all probably heard of Evil Corp, Indrik Spider, BitPaymer, Dridex, whatever malware family or group name you want to use. That is controlled by a specific individual called Maxim Yakubets. His father-in-law used to work for the Second Service. He was a door kicker. Maybe you've seen the pictures of a horrendously wrapped Lambo driving around central Moscow. That's him. He has a license to go into FSB

facilities and conduct operations on behalf of the FSB. My favorite example, however. That's just one individual. Back in 2020, there was a ransomware incident at the Royal Military College of Canada. We'll say that's the equivalent of West Point. They were breached. Data was posted on the Doppel Spider, so that would be the DoppelPaymer data leak site. I was able to verify the data because I had friends in the data. And suddenly, gone. It was just removed. Now, I think I can assume that the Government of Canada, the Canadian Armed Forces, and the Military College are not going to negotiate and spend my tax dollars on a ransom payment. So, one of the things that I

have been working with in the past few, follow up and something, but something that I classify as the first right to read. They didn't necessarily realize what they had, but they were sharing it with their friends in the FSB or the GRU, depending on where their, what's called krysha, protection, however you want to phrase it, is, to provide them that sort of get-out-of-jail-free, we're providing value, so don't touch us, right back and call kind of thing. And their protection, their contacts, basically said, take it down. That's too valuable. Just kill it. Leave it alone. >> There's a lot to take in. >> Absolutely. >> Okay. So, I'm a little bit confused.

>> Yep. >> So, is it clear to those who know that the lines of responsibility are clear and one group does one thing and another group does something else, or is there a turf war that goes on internally as to which groups do which activities and for which reasons, or whatever, right? >> Yeah. So, that's... >> Does that lead to... Is that why this looks so damn confusing? >> So, one of the things is, it's confusing because I am terrible at PowerPoint. But you're absolutely correct. There are turf wars, but it's not within the FSB itself. Maybe a little bit, but there's something that most people who do these studies call the Bible.

It's an article by Dr. Mark Galeotti called Putin's Hydra. And it basically outlines how every security service functions within the system itself and how they will literally bite each other's heads off. So, the best example that he gives in this, through his own contacts, because he's deeply immersed in the Russian criminal world and intelligence services, is that within a foreign embassy, you're going to have your FSB, your GRU, and your SVR individuals that are posted there. Some under true cover with the GRU; the GRU, for example, is perfectly allowed to have people in uniform at, say, the US embassy, because that's called a military attaché. >> Right. >> But the FSB and the SVR, those guys

might be under third political secretary or economic attaché, kind of nobody people, but they're there. They will intentionally feed... They know each other. >> Right. >> They will intentionally feed each other wrong information. >> Yeah. >> The entire purpose being, they want their service to be the one in the daily briefing to Putin to say, "GRU was wrong. Screw them. Give us more money." This is just budget. This is pure budget. >> Yeah. >> And it's... >> See, the opposite of cooperation. >> Yeah. Yeah. >> Now, and that's odd, because you'd think, "We're at war. We need to work together." And they do in some cases. And that's where it gets really weird.

Hm. But we'll get more into that in a little bit. So, what exactly is the relationship between the threat actors and the organizations? So, we'll take the case of Gamaredon. So, that's them. That's the threat actor. They are the hands-on-keyboard guys. We know who they are because the Ukrainian government has said they are persons 1, 2, 3 and 4, because they worked for us. And then when Crimea was annexed, they said no to Ukraine, didn't go home, stayed in Russia, joined the FSB. Basically, they came full kit. And that's why I believe their initial malware set was actually Ukrainian tooling. So, back in 2013, when

the Gamaredon Group became a group, the annexation of Crimea had just happened, and then maybe a month later, boom, it's up. And going after purely Ukraine. They don't target anybody else. They geofence their malware to only execute within the confines of Ukraine. But where are they located? Crimea, which Russia annexed. But then, within the broader organizational structure of the FSB, they fall under the Counterintelligence Operations Service, which is part of the First Service, which is just broadly counterintelligence. If that makes sense. Does that make sense? >> Well, yeah. I meant more like, how are these tagged groups being hired by the organization? >> These are uniformed. >> Oh, okay.

>> Yeah. If it's named, for the most part, on here, with the exception of, say, Wizard Spider and Indrik Spider, which are a little funkier, these would be uniformed individuals with the proper military rank, because the FSB still has generals, colonels, lieutenants, sergeants, etc. Is that clear? >> Yeah. >> So, I have two questions. One was... Can I ask the other person's question to share? It seems to me that for the threat actor groups that are not government-attributed, those would just be in a non-official capacity, correct? So, those would be, wash their hands of them if they don't want them. So, they can do what they want and they have no

official tie, correct? >> I mean, it's Russia. >> [laughter] >> And the other part is, it seems with the trade war, it's that also they can choose to withhold it for a period, and then when they want to re-introduce it for strategy. So, that seems like another plausible alternative. Would you say so? >> Yeah, so like, when you take the Royal Military College of Canada incident that I talked about, the data that they had put on their website was a list of, at the time, current staff, and military personnel that worked at the college and support staff at the college itself. But some of the people that fall into

all of that include serving members of the Canadian Armed Forces. If you're that far in and you've encrypted the network of the military college, chances are you've got PII, you've got access to the entire student database as well. And this college trains the officer corps of the Canadian military. So now all their PII that the military has, the Russians have. It's like the old Cambridge in the US. Similar. >> So, in other words, what I was getting at is, when they're fighting over who gets the wrong information. >> Ah, no, that can be anything. >> So, what I'm saying is, it doesn't make sense for there to be withholding

for strategy. So, in other words, like, we have it, but we're going to sit on it because now we need to give it at this time. >> No, that's more just... that's very much just pure instant-gratification one-upmanship. So, say the GRU says Canada is doing X, Y, and Z, and it's wrong because the FSB told them that they're doing X, Y, and Z, but they're really doing A, B, and C. Then the FSB will say, "No, Canada's doing this. Here's the proof. Here's the real proof that we didn't have, okay." It's just sort of, how do we make them feel... for the FSB or the GRU, whichever

organization it is, because they all do this, how do we reduce their status? So, it's all cyclical. So, the GRU in 2008, when Russia invaded Georgia, the GRU performed operationally well, but they still got screwed by a country of like 4 million people. And as a result, they fell out of favor. But following the DNC hack, they started going way up in value because they had retooled, reimagined their capacity, and the FSB got screwed a bit because they're the ones who sort of screwed up in Ukraine. And it's a very weird... A single bad event for any of these organizations will ruin their reputation internally,

at least within the confines of the Kremlin. The public loves it. Russia's got this huge weird spy culture thing. It's insane. But within the people who decide the budget, they do things quite differently. A screw-up is effectively fatal for at least a year. >> And sometimes literally. >> Yeah. So now the GRU. What are you seeing here? Imagine the US divided. Each color is a different district, a different military command. Pretty simple stuff. I will note, though, that the Leningrad, so the light blue, and the Moscow districts, those are brand new as of January 2024. That's going back to the Soviet period. So, their geographic regions of responsibility are

not necessarily clear. And I'm not quite sure yet if they follow the structure that the Soviet military did. So, if, for example, you were to rotate this to face Europe in sort of a more traditional map, and you draw a line from the bottom left corner of the Leningrad district and cut through Europe, so you're going through northern Germany, the Netherlands, Scandinavia, the Baltics, etc. So, Baltic Sea, North Sea, Scandinavia, all of that. I believe that is going to be your focus for the Leningrad district. Moscow, more central. The big enemies, your US threats, your French, your Germans. But they also border Ukraine. So, it's just a

contact. They're also slightly occupied, too. So, now we're getting really confused. >> [laughter] >> Great. >> So, this is the... It's going to get smaller and smaller, so don't worry. This is the entirety of the GRU, as far as I have been able to piece it together. So, the two sides, the two extremes: you've got your academic stuff, that's your Xenotime, Sandworm, etc. ICS capacity. Not much on them. I have that as a separate area. Don't worry about that, at least not for the purposes of this talk. Far side, the Eighth Directorate, your light blue, that's Ember Bear. Basically, kids fresh out of school who got told, you're going to do cyber for

GRU Spetsnaz. And if you look at the FBI wanted poster, there's one dude who looks like he could beat the hell out of you, and the rest of them look like they just graduated and look terrible. But that's that. And then there's one random dude from the Caucasus. He's connected to the cybercrime world. Don't worry about that. They're new, they're developing, they'll be a thing for a while, but right now we don't care about that. We care about the green, the orange, and the purple. So, green, Fancy Bear. You're going to see two colors of green, light green and pale green. That is

all I can find is pure Fancy Bear operations that I can't narrow down any more. But the more vibrant green, that's the Zephyr unit. That's what I classify as an initial access subset, which is where we focus this idea of regionality. Orange is the psychological warfare. These are your misinformation, disinformation groups. They do much more of an "I'm going to have a dedicated specialist for Japan," for example, who's an expert in Japanese culture, speaks the language, and can tailor absolutely everything that they do to promote the Kuril Islands within Japan as Russian territory. The Kuril Islands are a disputed territory. So, it's an easy option. It's an easy thing to say. You will note that there are two

units, the 64th Special Service Center, and then the Center for Foreign Military Information Communication. I had to adapt how they were listed because both of those units have the same name. Tax records show that they are two distinct entities with two distinct commanding officers, and they work in the exact same building on the same floor, but they are separate units, and I can't figure out why, because tax records only tell you so much. And then your purple, that's Sandworm. This is weird. They're a bit weirder in that I can get nothing from them into a region. Everything I can

find is Moscow. So, from there, go to the next step down. This is your military district level. So, you go back to that map. We're going from west to east in the country, so Leningrad, Moscow, down to the Black Sea and the Caucasus, then to the Urals, so the middle of Russia, and then Eastern, which is covering Siberia and their Pacific coast. And now we start to see that, wow, there's a lot of units that can actually be linked to individual districts. But you're going to see that these are all military-unit-numbered with very few names. Now why? That is because of medal imagery. So, you get a military medal, you get a medal in

Russia, there's an icon on it, a symbol. Every single one of these units has, if they're green, they've got crossed keys, Russian military iconography for encryption. Encryption stuff is fancy like that. Purple. This one, this unit, I was able to find things at Check First, who did a similar methodology to me. They found this one. They've got, I can't remember what their medal is, but it is different. It's got a computer in it, but it's a more destructive, computer-network-attack-style operation. But that unit seems to be more of a tool development platform. But then once we get over into the Central District, I can actually have a sort of a threat group.

So UAC-0063. Now why are they that? Because if you're familiar with nomenclature, UAC is the Ukrainian government naming convention for threat actors. Why is the Central District, which is not going to target Ukraine, under here? Because they target the Tajik Embassy in Ukraine and then use that access to go all the way back to Tajik Foreign Affairs in their actual operating districts. So they can say, "Guys, look, don't send me to the front. I'm supporting the special military operation while doing my actual job." So we can see how regions play a role in targeting. So, I mentioned Japan, for example. Unit 03134 in the Eastern District. That's your Japanese

asset. Why do I know this? Because somebody posted on VKontakte that he was suing his commanding officer for wage arrears, because they didn't... And he said, "I just translate stuff into Japanese all day. You know, but my CO didn't pay me." There are also job ads for them as well that say we're looking for Japanese cultural experts. A little suspicious, but hey, I'm Canadian. I'm not Russian. They can do what they want. >> How often do people move between units? >> So, the GRU psychological operations, they tend to have a bit less flexibility because they have a lot more contractor-based activity, from what I can tell.

Also, many of the people who do the psychological operations stuff, they can get sent there for their conscription service. It sounds a little odd that you're going into Russian military intelligence and you're doing that as a conscript. But their military intelligence, or their intelligence community, is much bigger than we would like to think, and they rely on a lot more highly replaceable people for the grunt work. But within, say, the upper echelons, we've had one who just got moved to the Security Council. He used to be the CO for Fancy Bear. Then he went to Rostec to help run their MSP, which supports the FSB. And now he's in the Security Council as

an assistant secretary. They can get moved, but it depends on your level. So, that one I have to stop talking about, because I can go on and on about initial access. I can go on and on about them for hours, because that's been the last two years of my life. And I'm not paying attention to the time. So, next, initial access subgroups. So, I call this forming constellations around models, because we hear Fancy Bear, we hear Cozy Bear, we hear Sandworm, etc. And we take all that activity and we just assume it's one thing. But if we break it down, as we saw in the org

chart, and go down to the lower levels of the org chart, we have actual subgroups within them. So, for Fancy Bear, as I mentioned, Severance, and the two below that. Sandworm is very interesting. Dragos and Microsoft both come out and say KAMACITE, which I read as BadPilot, Microsoft's BadPilot campaign, is a literal initial access subgroup that basically has pipelines into deeper Sandworm operations. But this particular pipeline doesn't focus on Ukraine; it focuses on the rest of the world. Cozy Bear. The SVR is the worst of the three, because they actually have operational security and I can't find anything. So, I know there are subclusters because we have Mandiant saying, "Here are

five distinct pipelines for initial access." And I go through them and I can start piecing... You look at the targeting, and the targeting is different. So, with Cozy Bear, you start looking at a different style of organization, not based on region, but based on specialization. So, within the SVR, you've got, by my logic for how I view it for a more general audience, an economic intelligence line, a political intelligence line, and a science and technology line. So, the political intelligence line, that's sort of your more standard espionage. Economic intelligence line: if a new bank, a foreign bank, is

entering a new market, how does that change the economic landscape of that particular market? That's the SVR's job to find out. The science and tech line, they're there to steal your tech, your IP, because they want it, and they're going to get it. The FSB, however, is a little more interesting. You're going to see Gamaredon Group is not actually listed as one of the groups there. We've got InvisiMole, we've got Berserk Bear, we've got Turla. Why aren't they there, if virtually all of their operations seem to hand off to an additional group? [clears throat] Now, when I made this, Sekoia hadn't put out their three-part blog

post on Gamaredon Group, because nobody had really been able to get the final stages of their malware. Sekoia somehow went through the whole process. Really interesting. Really great read if you're interested in Gamaredon Group's TTPs, but they don't target outside of Ukraine, so generally it doesn't matter. But Gamaredon Group is known to hand off to InvisiMole and to Turla. Now, Gamaredon Group to InvisiMole, based on my org chart, we're talking 18th Center to 18th Center. So, intra-group collaboration. But Gamaredon Group is 18th Center, and Turla is 16th. We're talking very different. So, counterintelligence into SIGINT. ESET, however, earlier this year, late last year, found Turla lost access in Ukraine, and

Gamaredon Group was one of... Here you go. Have it. A very weird cooperation, but it goes back to that initial idea that I suggested at the beginning about the FSB's 18th Center as an emerging power. And within the Gamaredon Group itself, having found their niche as that initial access procurer for the FSB as a whole. Basically giving them job security, because ultimately they're traitors to Ukraine. Can you really trust a traitor in the long run? And they are basically giving themselves job security and keeping themselves out of prison at the same time. So, Sandworm, again, that circle and the attack over Christmas. That's where that weird Sandworm does initial access, but

Sandworm is who ESET and Dragos both said deployed the wipers, or attempted to deploy the wipers, rather, on the Polish network. That one was again a bit weird. Next, we're going to go to malware as a service to support operational tempo. So, you take APTs, state-nexus threat actors: custom tooling, living off the land, all that good stuff. All that happens. What else do they do? They'll go on Exploit, they'll go on XSS, and they will buy the same crap that every single normal ransomware actor has access to. Why? Because it's cheap and it works. Why blow custom malware when the SVR, or anybody really, can use Smoke Loader? It's regularly maintained,

decently priced, and constantly updated, and it works for everybody. So, use that, go wide, find the machines that you want, and then from there go after them again with your less-detectable tooling, so you hide in the noise. You see a Smoke Loader detection? Who cares? That's a day-to-day occurrence, effectively, for any major organization. But if it gets in, you basically do that initial sort of constant network mapping. Cozy Bear, however, is very interesting. So, there's Emotet, everybody knows that, it's sort of run-of-the-mill info stealing. Octo 2 and Hermetic 1.0. Mobile malware. Very little has been done with Russian-nexus actors and mobile malware. And I don't really have an answer as to

why not, but outside of just phishing, you've seen, for example, earlier this year there was the ASP stuff put up by Google. That stuff was targeting a Russian-focused security researcher, Kirill Damov. And they were trying to gain access to his Signal through his mobile device. And they succeeded, because they're really good at social engineering. But we don't know what malware was deployed. We just know how they got on the phone. Or actually, we don't even know whether they were successful getting on, because Google and Kirill are tight-lipped about it. But Felis, well, I have an infrastructure-as-a-service. I know that's not technically malware-as-a-service, but I can't find examples of them using commodity

malware, but I can find examples of them buying infrastructure off a guy who also supplies infrastructure for performance-enhancing drugs in Russia. So, criminal operation, is it cyber or cyber-adjacent? We count that. >> Maybe it's another Rostec situation, you know? >> No, this guy is just a gym rat. This guy is pure gym rat and he sells his steroids on the side. He runs five sites for it, and on the side takes some FSB money. So, the Presidential Administration, as they say. This is an organization that is not cyber-enabled in the traditional sense. So, we're going to go from the smiling men to coke addiction at the level of Tupac to Volodya on our side.

So, first we've got Vladislav Surkov. He is, I would argue, the father of what we would consider pro-Russian activism. He runs... So, I guess I'll step back. What is the Presidential Administration? By Canadian standards, this would be the Prime Minister's Office, the Privy Council. I know what the American equivalent would be, but whoever is supporting the President of the United States, that's this organization. >> [snorts] >> These guys are not the heads. They're number two, second in command. Their focus is domestic policy, and in particular, youth policy. Why are they cyber? Surkov was there in the early-to-mid 2000s till about 2011, 2012-ish. Can anybody tell me what happened in

2007? That was cyber- and activism-related. >> The Estonia attack? >> Yes. >> Nashi? >> Yes. Who? So, do you know what Nashi is? >> Yeah, it's their equivalent of the Webelos, the Boy Scouts. >> We'll go a little step further. Hitler Youth. >> Hitler Youth? >> It's really very much Hitler Youth. He started them. >> Yeah, Nashi did our stuff. >> Yes. So, Surkov is the one who started it. Now, Nashi itself is not necessarily cyber-enabled. And it's still not quite sure whether they are the ones who themselves hit the button to start the DDoS attacks in the case of Estonia, or if they're the

ones who paid the cyber criminals to do it. But that was started with him. >> Yeah. There's an article called "An Army of Ones and Zeros," talking about Nashi and the downloadable DDoS attacks. You didn't have to distribute it yourself. You put it out among all your, I'll use the word, people, and it gets distributed naturally. Much harder to stop. >> There has been a far greater evolution of that, and we'll get to it when we get down to Kiriyenko and Faris. So, the DDoS attack in Estonia actually led to a very interesting development within the cyber criminal world. Following Estonia, in 2008, Russia invaded Georgia. As I mentioned earlier, the GRU

performed poorly, or poorly-ish. But there was a cyber-enabled component to that attack as well. But it was grassroots. You go deep enough into the forums, into Exploit, and you find individuals saying, "Here is a list of targets in Georgia. Just government websites. Let's go take them down." And you have an actual discussion between people: "Should we do this?" "Because they're Georgian? [ __ ] them. They attacked us. Go get them." A very weird interaction between the cyber criminals over whether to do it or not. In the end, they did it, with some degree of success. But it was spurred on by Surkov's success in Estonia. He goes on, continues, goes on to work

in the Donbas after the annexation. And then we get into the man in the middle, Vyacheslav Volodin. He set up... basically, he didn't even do too much cyber stuff, but he did set the stage for Prigozhin's Internet Research Agency. Now he's the speaker of the house. This was more of a weird intermediary for him. Now we go to, at the end, my favorite: Kiriyenko. This dude is psychotic. He was actually prime minister of Russia before Putin, at the age of 35. I'm sure we've all heard of the group NoName057(16). They like to DDoS anything and everything under the sun. Well, who runs

them? He provides the strategic direction, under a nonprofit called the Center for... Basically, he runs the center that monitors youth activity on the internet to prevent school shootings and extremism. It's a bunch of child psychologists and programmers. So, they run their malware called DDoSia. Distributed via Telegram. Anybody can download it. Basically, you're just enslaving your device to their botnet. And off they go. But there are leaderboards. They made it gamified. It's all the fun of League of Legends, but you get to earn money, too. You don't have to do anything. So, there are leaderboards, stickers, art. There's a whole weird Spanish-language Russian hacker metal-type Telegram channel within this weird ecosystem.

But they're huge, and not in America. And it's, how do I say, psychotic. He also provides the strategic direction to different information operations I'm sure you've heard of: Matryoshka, CopyCop, Operation Overload, and anything and everything that's targeting any Western election; the strategic direction on how to target it flows through him. Now, why do we care about this? Because the other organizations, the GRU, the FSB, they have to prep an intel report and get it in front of the president. This is the Presidential Administration. Kiriyenko has a direct line to Putin, so he can cut the [ __ ] and say, "Boss says we go after country X." So,

snap your fingers, off you go. Start your IO, Social Design Agency. We need to do things X, Y, and Z. Canada gave Ukraine a billion dollars. Go DDoS them. And that's literally it; they can pivot far quicker than a standard intelligence agency because they have that direct access and insight with the boss. I'm getting tired. Okay. Running on... I'm actually doing better this time than I did last time I did this. So, we're going to get into Battle-Hardened Cyber. Who are these people? If you remember the 2018 attempted hack of the Organisation for the Prohibition of Chemical Weapons, that's these guys at the airport. The guy at the front with the head in

the square, that's a Russian diplomat from the embassy in the Netherlands. He has diplomatic immunity, so he doesn't get pictured. I lifted this picture straight from the Dutch; I added the red circles. That's Fancy Bear. The one on the right, I believe, was also at one point working as part of Sandworm. So, to answer your question before about movement between organizations: that guy was deployed to Brazil, that guy was deployed to the Netherlands. He's gone from Fancy Bear to Sandworm, and now he's a little higher up the chain of command, so they do move through the Information Operations Command, which runs both.

>> So, are you saying Fancy Bear is only four people? >> No. Fancy Bear is more than that. >> Okay, that's what I thought. >> Yeah, yeah. But those two guys are in their own bird, just forward to forward. The other two guys without their heads circled, those are your Unit 29155. Those are Novichok guys. Technically, they're also the unit that has Ember Bear as their sort of side cyber capability. Those are the guys that'll poison your tea, shoot you with the poison >> umbrella. >> Yeah. >> [cough] >> So, why are they battle-hardened? Unlike the rest of us, with

the exception of Ukraine, they have had four years of combining cyber operations with kinetic action in a total war scenario. So, what does that mean for us? They're better at it than us. Currently, at least from my perspective as a Canadian, with Iran we can see cyber used to support air strikes. But we haven't put boots on the ground. So, without boots on the ground, you don't have the ability to test how cyber operations, which generally don't change the battlefield, can impact a more tactical action. They can do that. So, what we've seen: Sandworm, for example, will go after utility companies for battle damage assessment reports. So, see how

effective were our strikes? And then reorient. Did we destroy this one enough that it will take them long enough to repair that we should go target another one, or should we go back to this one and hit it again while they're down, take out some more capacity, >> [snorts] >> and make it take even longer to be fixed? At the end of the day, cyber strategic guys are on the spot. But they are able to provide that inspiration for any adversary actor, or us, to take their lessons learned and go get [ __ ] up. >> Yeah, I was just going to ask: are we collaborating with Ukraine and their services to attempt any of this kind of stuff?

>> I work at a bank, so >> [laughter] >> I hope so. >> Hey, we do. Like, I know, for example, when Iran used the wiper attack in Albania, Cyber Command did a hunt-forward operation to Albania to help and do something with that. But that was more recovery, from what I understand: helping Albania recover and do a network hunt on their networks to see if Iran was still there. How does that help us? Well, it gives us those traces, those indicators, to take home and look for within our own networks. But that doesn't help us combine it with a kinetic component. The effect...

>> I think the only example that I can think of is the US's interdiction in Venezuela, where we both had boots on the ground and it was combined with kinetic strikes to get a singular person out of the country. I think it's the only one that I can think of that would be somewhat similar. >> Even that, I don't necessarily consider, because they also shot the generators as well. But from what I've understood, and from the limited reporting that I have seen, it seems as though they did also go through the CCTV cameras to map out a route. So, that is an element of the use of cyber for a tactical naval

operation. But Ukraine, for example, does things very differently. Their hacktivist community goes after all the open webcams in the country, for example, and says, "Oh guys, your logistics route, the Russians can see it. They've got access to this webcam, and then they can just use it to time their strikes to hit you in the middle of your convoy." So, how can Ukraine change that? And what have they been doing? They have been going after these webcams, leaving them open, and screwing with the Russians by either moving their stuff around so it's not within the sight of the webcam, or just doing false-flag stuff through the webcam and making Russia look at them.

So, the opportunities are there, and they're happening. I don't see us actually incorporating them because we aren't actually engaged in war. On one hand, that's great, but learning the growing pains of incorporating a new combined-arms strategy into an actual conflict means it's at Russia's advantage in this context. All right, and actually we've got time. We're good. So, I can take more questions. >> So, you're working at a bank. This is all informational, right? This is your deep research. How does it... >> So, I just sort of live in my own little world of Russia stuff. >> Okay. >> And I work on

the strategic reporting. So, it's all forecasting: we're doing scenario building, forecasting, and all that sort of stuff. So, my colleague Patrick, he's on the technical team. I take my stuff, hand it to him, and say, "These are the groups you need to care about." >> Cool. >> Yeah, and then basically we have connections there. >> Yeah. >> Very cool. >> All right, so >> Did you say that you used to live in Russia for a little bit? >> Yes. >> How was that? >> I felt safer there than anywhere I have in Canada. >> Really? >> So, I lived there 2012 to 2014. I graduated when Crimea...

Shortly after Crimea was annexed; the annexation of Crimea completely ruined my master's thesis. >> So you had to change it? >> It had to be changed entirely on the day that I submitted it. >> Oh, jeez. >> So, yeah, not fun. But the entire time when I was there, it was a very different Russia. I'd gone in 2017 and 2018. In '17, I lived up in northern Russia. In '18 I was just messing around, traveling around. You can feel the change. It still felt safe. But the mentality was slowly changing a little bit. It felt a little tighter.

But when I went in 2020, somehow I managed to get in the country during COVID, it was fine. It had reversed slightly. That sort of state pressure with restrictions brought back that sort of mindset of early 2010s Russia that I remembered. But now, there are more Russians in my house than there are Canadians, and the attitudes, the views, it's changed dramatically. >> Interesting. >> Do you have any... I mean, I know you're talking in broad strokes about the cyber perspective. Do you have any sense of what goes on between the Russian actors on the technical side of that underground cyber network? >> So, let's see. I'll go back to

This is the one that's going to be most clear. So, this guy, Yevgeny Prigozhin. This is a middle-of-nowhere Siberian city that I've got on a cyber war chart. Why? Because there is a single case where an FSB operator in Tomsk found a guy who was going through some weird drug withdrawals and started going to places he shouldn't have been on the internet. And he was told by this operator, "Download these apps and start doing what I tell you to do," including go and try to burn down a helicopter at this base in Russia. A lot of these underground spy networks are applying similar TTPs to

what that one incident in Tomsk showed. A similar style: go do what we tell you to do. Now, in the case of, say, the UK or Europe, where it's much more common, they're able to rely on the Russian diaspora, organized crime, like Russian mafia, not just the more traditional Slav Russian mafia, but also the Dagestani and Chechen mafia as well. They have huge contacts they can leverage because they have those contacts back home. And it's basically an extension of Russian foreign policy. And that goes back to the Cold War. Even the church is effectively under control of the FSB. And again, that's a Stalin-era

thing that really hasn't changed. But that's a good question. >> Mostly. Okay, so if there are any more questions, I'll have you take them offside, but we'll clear out of here so the next speaker can come in.
