
Minions vs. GRU

BSides Tallinn · 2022 · 1:03:25 · Published 2022-10

Transcript [en]

Okay, cool. So the talk I'm going to be giving is titled Minions versus GRU, or the GRU, and I want to be discussing what the role is of civilian volunteers in cyber war. Probably the image they have of themselves is something like this, but the reality is it's not even this, which would be at least benign. It's a bit more complex and nuanced, and actually a bit dangerous. But of course the problem is that the people who are suffering are actually not the opposition in this case. The role of civilians has basically been to cause problems for the people who are actually trying to do something.

So why am I going to tell you this? Well, I'm the Grugq, and what I've been doing for the last decade... I've been doing cyber for twenty-something years now, but for the last decade or so a lot of what I've focused on has been research, where I do a lot of reading and mostly talking to people, and listening and discussing and finding out how they work, what they do, what's useful, sort of learning and understanding from people who are engaged in operations at multiple different levels: on the defensive side, on the offensive side, in companies versus in small groups versus when they're operating individually, or whatever. So I'm speaking here from a position of having discussed with a large number of people who have first-hand insight into what's going on, and I've synthesized that, trying to bring it out now in a cohesive narrative, and we will see if I succeed.

The approach that we're going to go through is basically a brief introduction to... I don't know if you guys are familiar with this, but there's actually a war going on in Ukraine, and there's been a cyber component. So we're going to be talking about why this war is unique, why there is cyber and war and what cyber and war does. We're going to be talking about the players, the hacks that they've done, the lessons that can be learned, bearing in mind of course that the middle of a war is not the ideal time to draw conclusions based on public and, you know, hearsay information. We're going to look at what we can, and then sort of close it out. I should also point out that this overview I think is out of order, but anyway, we're going to be hitting these topics if not necessarily in this order. And this image is here to let you know that there are things that seem one way but they're not; now it's about deception and stuff.

Okay, so if you take nothing else away, this is what you should remember: do not allow civilian volunteers to hack inside your area of operations. It is not what you want. They are the opposite of what is useful if you are trying to run a war. I will get into more details on how and why. Let's go.

So very quickly we need to just go over... there's multiple layers of war. This is not necessarily relevant, but it's important to know when we're doing analysis. You've got the strategic layer, which is the broader understanding of what you're trying to do and where you need to be in order to do it, or the objectives you need to have to achieve those ultimate goals. Then you've got operational, which is how do you take your things to the places they need to be to do the stuff that you want, or how do you achieve the objectives that you want to achieve with the resources that you have. And then we have the tactical, which is what do you do once you get there, what do you do to actually achieve those objectives. And as you can see with these three layers, basically the higher up, the more influence the state needs to have in what's happening, and as it goes lower down it becomes a smaller-scale thing and people can get involved.

So the takeaway from this is that where the civilian volunteers get involved is at the tactical layer, which is not really the most useful layer to have people just show up in, particularly if they're not integrated into the previous layers.

About the war: this is a valuable cauldron of, basically, an experiment to see what happens in a real peer competition with cyber, where a significant part of the war is actually taking place in cyber. A large part of that is actually information operations, and the Ukrainians have been absolutely smashing it on that one. The Ukrainians are just dominating, and it'll be interesting to look at why. I think there are a number of cool reasons. One of them is that the Ukrainians are led by a young comedian who has a smartphone and is clued in, and comedians are useful because the instrument that the comedian plays is the audience. They learn to connect with people and interact and get reactions out of them. That's incredibly useful if you are trying to do information operations. Anyway, I actually do not have time to go into this.

The majority of the cyber effects that we saw were actually during that initial invasion phase, particularly during the first day. This was done by Russia, where they were able to successfully isolate the commanders and disrupt the command and control channels. This was very effective in disrupting control and also immobilization, but the Russians were unable to exploit this for a number of reasons. The important thing to remember is it was successful, but that wasn't sufficient in itself. Since then, cyber has not been particularly tightly integrated into operations, and part of that is an inflexible force structure that the Russians have, where the operational control at the actual thin edge of the wedge does not have control over cyber operations; that's done from back in headquarters. So there's this disconnect and stuff, but there's a lot of different reasons, right? Like maybe there's nothing useful to hack. What exactly are you supposed to do with a DDoS that's going to fill a tank's diesel? That's not going to help. There's not a lot of cyber that you can do that's going to help in artillery barrages. It could be that there's no strategic direction, or there's no resources, so no one cares. There's any number of reasons and we don't know. The reason this is important is that it's important not to draw lessons: just because something hasn't happened doesn't mean it shouldn't happen during this phase. It's not an indictment of cyber that it hasn't been used; it simply says that in these contexts, with these circumstances, it hasn't been used. So it's important not to try and draw too many lessons.

What we've seen in terms of actual use has been very tactical. It was the use of deny, degrade, disrupt; targeting of government systems. Critical national infrastructure was targeted once and it failed. But generally speaking it was this initial short, sharp strike and then pretty much nothing. There's been a lot of espionage. There's been some other attacks that have happened. The major cyber attacks that have happened have been outside of Ukraine, as more of a signaling effort, which we will get to in many minutes. But with that said, that's the cyber that we have had in the war so far.

Let's talk about cyber war. Before we go on, I just want to interject for a minute, because what you're referring to as cyber war is in fact cyber war, or as I've recently taken to calling it, cyber plus war. So cyber is not a warfighting domain unto itself. The problem with the term cyber war is it sort of creates the idea of a conflict domain that exists in isolation of everything else. If you talk about air war, you don't assume that there's no infantry involved, or that the Navy doesn't matter anymore. It's part of an integrated operation; there's an entire thing going on, including the state behind it itself being actively involved in many ways to prosecute that war. It's not done in isolation, and similarly cyber war will not be done in isolation. It's not a thing that can just happen; it doesn't exist as a platonic ideal. It is something that has to be part of a complete, balanced war. What that means of course is that wars will now have cyber elements, and we're starting to see that. It hasn't really been talked about, but in Nagorno-Karabakh there was quite a lot of cyber stuff that went on. It was very interesting. We're going to be seeing a lot more in the future, so it's valuable to know about that.

So let's start talking about where cyber fits in war, and that's easy: "So when we think about creating a warfighting capability inside cyberspace for part of our strategic intent, and we're looking at doing a global effects integration..." and like, I mean, what the [ __ ], if it's called The Art of War why are there no drawings? Like, this is rubbish. Instead, I think probably the most important thing to remember is that cyber attacks are not attacks. No one dies, nothing gets blown up. It's not actually that big a deal in the middle of a war. It is something that could be used to augment or supplement or assist with another attack, but in and of itself it's not an attack. And similarly, this addresses a bit of the legal thing: if people are participating in a DDoS against Russia, does that mean that they've become combatants? On the one hand, yes, they're now participating in the war, but on the other hand it's not really an attack, so no, they're participating in a crime. It's not part of a war.

Okay, so let's talk about what actual cyber warfare is, and a big caveat up front is this is wrong. The taxonomy I'm about to give you is not used anywhere. I don't think it's absolutely correct, but I do think it's useful. I think it is valuable to use these stages to understand how civilians can participate in what's actually happening. These are the three things: we have espionage, information and effects. Espionage is basically collecting information, or perhaps subtle sorts of influence that can be done stealthily. It's not visible; it's something that happens covertly and in the shadows. It's heavy on stealth, and it's just not an exciting thing that's going to get reported on. Information operations, on the other hand, tend not to be treated as cyber because they're basically what PR companies do, or marketing or whatever. They do not have the offensive cyber operations bling going on, but they are very, very useful, particularly strategically, in terms of making sure that your allies remain on board. An information operation will help you shape the information environment, which will then hopefully lead to influencing the behavior of the target audience. And the big one, of course, is the effects operations, which... even this terminology is a little bit out of favor now, but again the idea here is just to be able to understand that you've got stealthy stuff that no one knows about, talking about stuff which no one cares about, and then actually doing things which look cool. Those are the three groups, and the effects are the stuff that looks really cool, and the idea is that somehow it will help you in some way. That's the overall goal. But espionage is actually useful. Out of all of this stuff it's the most boring, but it's also the most valuable. You can actually do things with it; it directly helps you prosecute a war. Information operations, again, really, really important: being able to shape the behavior of your opposition and your allies is absolutely vital to being able to win a war. You want it so that your allies stay on your side and your enemy loses heart and doesn't want to keep fighting anymore. That's what you're going for. And then you've got effects, which, I mean, are a lot more exciting than just grepping through someone's emails to see if there's anything interesting. These sorts of things seem really cool: you've got your DDoS, you've got your defacements, you've got putting stuff on someone else's TV or playing things from hacked radios, or whatever. All of this stuff is flashy and it's cool, and it's not that useful unless it's part of an actual operation.

So where does that leave us? Well, we've got cyber, we've got war, and who do we have playing in the cyber war that's actually going on right now? If we look at the players, they fall into two groups: you've got your state actors on the one hand, and you also have non-state actors. The state actors are by and large not that interesting to look at. Like, they do good stuff, but most of the time what they're doing is espionage. There's very few who are involved in actual effects operations, and of course the reason for that is, as we've talked about, because espionage is actually very useful. So when we're talking about state actors we're talking typically about state security forces. I'm going to hit next and hope that I have a slide... but yeah, look at that, okay.

So basically on the Ukrainian side we've got the SBU, which is sort of like the KGB but not, and the GUR, which is like the GRU but not, basically. So you've got your state intelligence service and you've got your military intelligence service. There's also the police, who have some degree of cyber capability, particularly because a not insignificant number of them used to be cyber criminals who have been coerced into working. So they do have some capability, and historically at least they've wanted to participate. As far as I know they are not doing that; they are not conducting their own cyber operations, but don't quote me on that one. As far as I know, the cyber operations are being done only by SBU, GUR and any contractors or whatever that they might have working for them, just like NSA has got Raytheon and so on.

On the other hand, in the red corner, we have Russia. The primary operator in this war so far has been the GRU. They've done all the effects; they do a lot of the espionage. I guess the FSB is trying to wash their hands of it because they don't want to be tainted with the catastrophe, but the FSB sort of has control of espionage over the near abroad. I'm not sure if you guys are familiar with the way that Russia considers its former satellite states; this might be a bit foreign to you. I know that the Baltics is very far away from Ukraine and stuff, so anyway, I'll skip over that. But basically you don't get the SVR operating in Ukraine very much because it's not part of their agreement. The one interesting thing is that Russia also has cyber criminals, in particular Conti, who have begun working for the state, and what's become I think quite interesting is that the way their operations have evolved shows increased integration with state operations, particularly the state command structure. And I really hope I've got slides on that. Okay.

Non-state actors, on the other hand, is where we've got this huge mess. So we've got the Ukrainian-aligned non-state actors, starting with the IT Cyber Army. Briefly about the IT Cyber Army: when Ukraine was initially invaded they panicked, as one does, being invaded, and everyone who had a half-reasonable-sounding idea and pitched it to the government basically got greenlighted. So this guy came up with the idea of starting a volunteer force of cyber hacker operator types who would come and help Ukraine cyber hacker operate, and that was okay. So they basically put out this call and said, hey, everyone please come and help us, and that attracted quite a lot of people. They did show up to help, and there was a lot of DDoS, there were a lot of defacements, there were a bunch of cyber criminals who got involved. What this reflected was this dichotomy between... you basically have two types of followers that you get on these things: the sympathizers and the supporters. Sympathizers show up and they're like, I feel strongly about this, this is really important to me, but it's getting on past eight o'clock and I've got a thing, so I'm here to show my support but I won't be here, and then not showing up the next week and so on. Whereas supporters are more consistent. We saw that with basically the level of activity and the number of people involved in the early phases of the war, particularly in the first two or three weeks: a lot of activity and then it died off fairly rapidly. Basically the criminals got bored and stopped doing defacements, and all the people doing DDoS had other, better things to do with their time. There's still a lot of people involved, but it is a lot smaller than it was before. They are not necessarily more skilled now than they used to be.

I'm not going to go deeply into the organization of the IT Army, because one of the most important things about the IT Army is the media coverage that they have gotten. Because the media coverage does not accurately reflect the reality of what they're doing, it has had the effect of attracting more volunteers, and since the IT Army has been causing problems, their operations and the coverage that they've received have caused issues for actual legitimate real operations that are being done by Ukraine and their allies. So more volunteers has actually just made things worse. The coverage represented what was happening; it made more people show up, brought in more sympathizers, and it ended up alerting the Russians and caused a huge shift in the security posture of Russian systems. So for the first month or so, while all of this coverage was going on, Russians started getting a lot more secure. They worked hard. We can go into it: basically, when there was a DDoS going on, it meant that there was no traffic that could be sent from legitimate cyber operators who were trying to hack something. If there was low-hanging fruit and it got grabbed by some random person in the U.S. who then did a defacement, it meant that that access was not available to legitimate operators who might have been able to do something much more useful with it. It meant that people who had low-hanging fruit were motivated to go and secure things, because they saw all the media coverage of what was going on and they didn't want to get hacked, so certain things that could have been hit were shut off. Again, things like... there's a friend of mine, and we were in a discussion, and someone said, basically, but all of those attacks are useful, it's noise, you can hide in the noise, they won't be able to see you. And my friend was like, yeah, it's noise for me too. I can't see anyway. It covers everyone. Noise is noise; it's not useful, it's just a problem. And that's the thing that I think has not been understood, particularly outside of the media and also in... don't leave, I can see you on the camera. Okay, so it hasn't been understood by analysts, and I'm not gonna name where this is from, but this
is a very very relevant quote beca