A
Hello, everyone, this is Tom Uren. I'm here with another Between Two Nerds with the Grugq. G'day, Grugq, how are you?
B
Good day, Tom. Fine, and yourself?
A
I'm well. This week's edition is brought to you by Tines, who make a security automation platform that can do all kinds of UBT things. So, Grugq, one of the pieces I wrote about this week is, it's almost just kind of a throwaway line from an ESET APT report for the last quarter, and it talks about how the Russian Sandworm group, which is part of the GRU, Russian military intelligence, how they'd conducted a number of wiper campaigns. And one thing was wipers. I thought people had given up on wipers. And then the second thing was it particularly pointed out the grain sector in Ukraine, and the report speculates that it's because grain is an important part of Ukraine's economy, and so they're trying to weaken the whole economy and. Well, okay, that sounds fair enough, I suppose, but I looked a bit further and already something like a quarter of arable land is lost to Ukraine because it's either close to the conflict zone or it's been landmined. So it's not safe to actually, like.
B
Right.
A
Drive a combine harvester over. Seems like a dangerous profession. And so, you know, I was like, well, what are you going to do to the grain sector?
B
Like, with like, 25%? That's right, yeah, that's. Yeah.
A
And also in the past, Russia has essentially blockaded Black Sea shipping. And so it seems like it at least at one time had very effective conventional ways of achieving the same effect. And now you're left with, I don't know what wiping. Is there some one magic database, right?
B
The one Excel spreadsheet that tracks all of the grain and it's not backed up and it's also running on a pirated copy of Windows. Yeah.
A
And it just struck me that if, you know, I'm a farmer or even someone in the logistics chain and I've got a huge tonnage of grain just sitting there, I'm just going to pick.
B
Up the phone, but it's not in your computer and you're going to go like, well, I guess, you know, I don't know what I should do. I'll just leave it to rot.
A
Yeah, that's right. That's absolutely not going to happen. You'll pick up the phone and you'll send it somewhere and someone at some point will figure it all out.
B
Oh, yeah, that's the 50 tons we have. For Indonesia. But I would caution against trying to read too much strategic coherence into everything that Russia does in cyber, because there's a lot of different motivations for conducting operations. So you might have the top leadership with their sort of grand vision that they then tell people to go and implement. But in the lower sectors, you have people who don't want to be reassigned, and so they don't want to be idle, for example. They don't want to be doing something that's not visible in some way. And given the sort of like the lax management environment or decentralized might be the nice way of putting it. There's quite a lot of individual initiative that can come up. So you can have managers who just say, like, let's do a bunch of stuff. And then I'm going to promote it as being an effective part of our cyber campaign and show that I've done more stuff than someone else, you know, and then none of us will be reassigned to the front lines. And simply because of that, those sort of different motivations at different layers and the ability to actually execute on those motivations, I think that assuming strategic coherence is risky, right? Like, it's just maybe they did it because that was the only thing they could break into. And it was coming up at the end of the quarter and they had. Well, they were looking at like the other teams that have been doing logistics, and they're like, oh, those guys have got like something really good. We better just wipe everything and say that we've like, interfered with 20% of the export capacity for grain.
A
Yeah, yeah. So one of the other nuggets of information I came across about the war is that there's been an increase over time in the number of attacks measured. I don't know, somehow, but a decrease in the number of serious attacks or critical attacks or something. And probably that first number, the number of attacks is very rubbery. Like, what do you define as an attack? But I think it's much harder to say this attack was critical or not, you know, about those ones, because when they're important, you know about them. And so the other thought I had was perhaps, well, they've gone to the, you know, air quotes, grain sector because they've run out of other better targets.
B
Right.
A
They're having less success and it's, well, let's, let's move down the priority list and, well, you know, we'll. We'll do what we can.
B
So they've expanded the number of personnel, like the number of teams operating, and there's going to be some amount of deconfliction. So the number of operational teams has grown and the number of targets has stayed static, or it's grown minimally. So if there's a team already doing the presidential office and you get stood up as a new unit, you can't do the presidential office because that's already taken by someone. So you look around and it's like, okay, well, the Minister of Agriculture doesn't have anyone going after him. Why don't we do that one? You know, it's still government, it's still important. There's an economic angle. Like, we can spin this as an important sector to target. And then, you know, the 50th team after that doesn't even get the Minister of Agriculture anymore. And they have to be like.
A
Minister of Recreation.
B
I think that's going to be a factor as well. Also, just naturally, some of the targets that were available at the beginning of the war are not going to be available now because they'll have been hardened. They'll be much more resilient. So even if you do gain access for a much shorter period of time, or maybe in optimizing for a wartime economy, that ministry or that organization has just been shut down. Like, it's no longer an important part. For example, like Bayraktar, where the Bayraktar drone was very important during the first couple of months, and now they've basically vanished because they're just not operationally useful. So if your job was to break into the Bayraktar operations room and see what they're doing, you're not doing that anymore because it doesn't matter, right?
A
Yeah, yeah, yeah.
B
So I think trying to interpret too much of the strategy based on the reporting we get is it's going to be difficult because most of the stuff that comes out is when there's a wiper or some other destructive attack, right?
A
You see the ones that are splashy and cause effects of some sort, right?
B
That the spectaculars, the things that are, like, they show up. Like, you don't get a lot of reports of, like, oh, the SBU has announced that their internal database was compromised stealthily and secretly for six months. But now they've kicked the guys out. They think, like, that's not a. That's not coming out. Whereas, like, you know, the Minister of Sports and Recreation's office was wiped this weekend, and it'll be three days before they can recover. Like, that's going to be in the news. And so I think, yeah, like, trying to interpret the cyber war based purely on that information is going to give you a very distorted view.
A
Right, right. Like this is just a small diversion. But once upon a time I met someone who was an Austrian government official, I think it was Austria, and they were at a cyber security conference and they gave me their card and it was Minister or the Department of Cybersecurity and Sports. So it's not unprecedented that they could go together.
B
One of the things that this ESET report reminds me of is there's a piece I'm working on right now about the lessons learned that Russia has learned that we haven't. So it's a little bit provocative. But basically the idea is that the Russians are learning how to wage cyber war during attritional warfare, and the Ukrainians as well, obviously. But in the West, we're not necessarily drawing those same lessons. Like, we're looking at what they do and going like, oh, well, we would do better, skill issue. They just lack the capability to do it the way we would. And I think that that's a fundamental misunderstanding of the lessons that they've learned.
A
Yeah. So when you say better, what are you thinking of? So, for example, let me just set this up. I think at the beginning of the war, the Russians tried disrupting, successfully, they disrupted Viasat and I believe successfully also another telco at the same time.
B
And that was theoretically disrupted pretty much all of government as well at the same time.
A
Right, yeah. So that to me actually seems like a thought out, logical plan. Disrupt these things that will give us an advantage to our conventional forces. It just didn't pay off.
B
Absolutely.
A
So how would Western forces do any better, exactly?
B
Well, I think the Western forces would do the exact same thing, only they'd maybe hit a little bit more military equipment than the Russians did. But I think, like, there's a whole bunch of things that go into it. Like, first of all, the strategy that the Russians were pursuing was a coup de main. Like they were going to sort of chop off the head, take over the whole thing, and it's all over by Sunday and you can just go, all right, nothing to see here, move along, it's all over, go home. And so you can't be massively disruptive to all of society because that defeats the narrative that you're trying to play, you're trying to disseminate of, like, nothing has happened. It also interferes with your ability to communicate that nothing has happened and it's all over. So they were sort of limited in what they could do, and I think they did what they could do within the strategic parameters. I think they did it, you know, as effectively as any Western state would have done. Right.
A
But give or take 10 or 20%, not give or take five or ten fold.
B
Yeah, it's. It's like. I don't think it's orders of magnitude off.
A
Yep.
B
I think that it's. It's roughly in line with what you would have expected if the West was doing it. But obviously, because they had that strategic constraint of not completely disrupting all communications for everyone in the country, it meant that things that they couldn't disrupt, like Facebook or Instagram or Telegram, like, all of those communications still existed, and those were more important even for the military than, you know, their radios and their. And their satellite communications. So basically, they destroyed a part of infrastructure that wasn't critical to the war effort. It might have been for the first 12 hours, but then, you know, there was resilience, and they just said, oh, I can't send you an email. I will send you a direct message on Facebook, and that would work. So it sort of. And I think the thing that the Russians took from that is effects are not as effective as, you know, they're made out to be. Like, it's one of those things.
A
We pulled it off and it still didn't make any difference.
B
Right.
A
Is that the right lesson, though?
B
I think, yes, I honestly do, because I think that they pulled it off and given the strategy they were pursuing, it didn't fit with that strategy like it seemed to from the outside. Like, yes, we're going to disrupt their communications, but because you couldn't actually disrupt all of the communications, it couldn't actually do what it was supposed to do. But I think that any Western cyber operation is also going to have to be within the constraints of the overall strategy. Right. And so it doesn't. It might be a different strategy, but it's still going to have strategic constraints on what it can do. And you're going to have to say, like, can effects work within the parameters that we've set?
A
But, I mean, I think that the Russian, from a cyber perspective, I'd say, sure, it was a success. And if, you know, you shuffle the players on the board, and if it was a Western military, probably just a few Western militaries could do it. But, you know, and if they had the option of doing that kind of disruptive cyber operation in combination with the conventional military, I would say, yeah, go for it. That would probably be helpful.
B
It's not going to hurt. Like, it's almost certainly going to be beneficial in some way.
A
Right, right. So it's. It's still worthwhile that you wouldn't say, bet all your horses or whatever.
B
This is our knockout blow. We're going to interfere with their satellite communication and the entire country will crumble.
A
Right.
B
Like that's, like, it's not the central pillar, but it's absolutely. You could say it's a load bearing portion. Right.
A
Yeah.
B
Maybe it's maybe a. It's an important part of a complete breakfast. You know, you've got the bowl of sugar and then like the three apples, the oranges, the whole wheat toast, the oat grains.
A
So I mean, the way you described it, it seems like the Russians have learned too much, that it's not important.
B
They might have overcorrected, that's for sure. But I think one of the other things is that it's a lot easier to do effects operations that have the sort of temporal aspect at the start of a war.
A
Yes.
B
Where there's less friction than it is on, like, the third year, by like year three. If you're trying to coordinate that this unit will get to this location within 10 hours and we'll be able to show up at precisely this time, that's not happening. The amount of friction and unpredictability, it's too difficult to make that sort of tight coordination that you would need. So I think that effects are less useful, I think, as you go forward.
A
Yeah, I was thinking of Operation Midnight Hammer, which was the stealth bombers flying over Iran. And Secretary of Defense Pete Hegseth made quite a lot of the coordination and the timing and doing this and doing that and. Yeah, I think that if you're in the middle of a war where things are very, very fluid, it's. It's very hard to plan that thing. And you can do it when. Now, I don't.
B
It's a surprise, sort of. Yeah.
A
I don't know if there was a cyber component of that. I think they mentioned something about it, but it was unclear whether it was actually, like, important or just for the. The fact of being able to say that there was a cyber component.
B
Yeah, I think. I think it's a sort of thing that you want to be part of it, even if it's, you know.
A
Yes. Yeah.
B
Like, do you need someone to carry the Gatorade for you, sir?
A
This is Cyber Gatorade. But anyway, so moving back the Cyber T Service.
B
But yeah. So, like, look, the lessons that they've learned is that intelligence integration is valuable all the time and effects are hard to exploit. So I think that that was a sort of takeaway that they had. That shows up in that we're seeing a lot less effects overall. And when they do show up, they don't seem to have military applications because that coordination is just incredibly difficult. So I think what we're seeing is this other stuff, which is.
A
Yeah. So I guess in the case of the ESET destructive wiper attacks, it doesn't appear like they have any military application or orchestration.
B
Tenuous at best.
A
They're not linked to military operations. They just will deploy wipers to wipe things, try and disrupt stuff.
B
Yeah, yeah. Line go up, man. You want to. It's a measure. It's a metric that you can put on a spreadsheet and show that you're doing more this quarter than you did last quarter.
A
Yeah.
B
Right.
A
So over the last. When did it come out? Beginning of this month. There's this article in Lawfare by Stefan Soesanto and Victoria Garjos. Apologies, I've probably pronounced their names wrong. Have you read it? Do you have thoughts?
B
Yes, I do. I haven't read all of it in depth. I've read a few sections that stood out to me, and I'll say upfront, I don't agree with all of it, but I think it does raise some important points and it does highlight some issues that I think are not being addressed well elsewhere.
A
Yeah. So basically their argument is that Western militaries, and I think they're talking particularly about European militaries, are not prepared for the type of cyber operations that have, I guess, bubbled to the top or are consistently being carried out by Russia and Ukraine today. And so.
B
So, yeah, these are the things that, like, when I was writing my thesis, I called these routine cyber operations. So, like, during wartime, there are special things that you do if you're doing, like, an assault, but at other times it's like, oh, we need to fortify a sector and then do patrols. And that's just a thing that you do just as a standard thing. It's just routine. That's part of what you have to do, even though it's not part of an overall. There's no general saying, all right, make sure that second platoon goes out on a patrol today. That's not a directive that comes out. That's just understood as routine business as usual. Yeah. And so I think that that has developed that there's these sort of routine cyber operations that just happen, and they're not part of a broader strategic plan, they're just part of the. Here are things that we are going to do because we have to do something. And this is within the parameters of a thing that's.
A
Yeah, yeah. And what would you put in that category?
B
So a lot of it, I think, is these espionage operations that seem a little bit pointless. Right. Like there's the useful stuff where it's like you go after CCTVs or IP cameras or you go after like the municipal authorities that collect all the information about battle damage assessments.
A
Yep.
B
Buildings destroyed, civilians killed, infrastructure damaged, etc. Like, that sort of thing is just immediately useful. There's also stuff where you will have people who do forensics that you'll have close to the front, so that when you capture a mobile phone or an iPad or something, you can do forensics and say, all right, they're still logged into their Delta account. Let's exploit that to see some of the operational information. Or we can read their Signal chats, because we can act like those are just sort of like useful things that you can do that are like tactical and immediate, but they're not necessarily part of a larger plan because it's a little bit serendipitous.
A
They're opportunistic.
B
Opportunistic. There you go. That's right. And then I think that there's stuff that happens because it has to happen, which is just like, we're going to break into banks maybe, or we're going to try and break into, like we're going to keep trying to break into the Ministry of Defense and it might not succeed, but we'll just keep trying it. Then they'll be like, we're going to break into some of the major companies because they're economic pillars of the country, but, like, they're not directly related to the war effort. But you wouldn't want to not know if someone asked about it, but you wouldn't really.
A
So you're talking about doing that for intelligence purposes or disruption purposes.
B
Intelligence, I think. And then you might do. It's the sort of thing that you could have in your back pocket where if the guys from the other team over start talking about, like, how many grain shipment supplies in Excel spreadsheets they've deleted, you can go, all right, like, we're going to go after like the number three economic powerhouse and wipe them.
A
Right.
B
And we'll see who comes out ahead. Right. Like it's. Yeah. So I disagree a little bit with some of the assessment that they have in this article by Stefan and Victoria, where basically they're suggesting that Ukraine has adopted a quantity over quality approach. And I think that that's a reflection of the bias of reporting. I think that the quality stuff that's being done doesn't appear in the public record because it's quality stuff. We wouldn't say that the NSA is doing a quantity over quality because we never actually see their quality work. Sorry, that's a bad analogy. But the point is when they're good and they're competent and you've got high quality cyber operations, they don't show up in newspapers. That's sort of the hallmark of a high quality cyber operation is that it's not reported on. So I think that this is a collection bias being reflected here. But they have brought up a very useful point which is they talk a little bit about how the Ukrainians have been able to operationalize the sort of hacktivist volunteer force that they've had to deal with. So you've had all these people who've showed up who want to do something and you can't recruit them because they're all over the world. You can't tell them to bugger off because you actually want them for various reasons, you want them involved for political reasons and so on. But you can't just leave them to do whatever because then you've got confliction issues, they're going to interfere. So there needs to be a way of managing them without managing them. And I think that this hits on it quite nicely. Where they've a lot of what's been done is sort of like co opting the high end groups and then having, I'll call it liaison officers with the other groups who can sort of make sure that they're focusing their efforts on that very critical Vladivostok shoe store. That's a linchpin of the Russian military effort because without boots no one's doing marching anywhere. Right? 
So it's, you know, like, there's basically people who can guide, like, the DDoS and the wiping randos out of the way, and then the people who are actually good, it's a little bit more focused and involved, and there's a bit more of a, like, won't someone rid me of this troublesome Russian Air Defense Ministry located at.
A
Well, one example that I wasn't aware of that they talk about is a hacking group called Black Owl that ran a destructive campaign against a Russian drone supplier called Gaskar. So according to Black Owl's Telegram channel, their attack on Gaskar resulted in the deletion and exfiltration of 47 terabytes of data and 10 terabytes of backups. So that is a sensational amount of data. But in terms of operational disruption, who knows? It then goes on. They also disabled Gaskar's production line by wiping four ESXi platforms, 26 virtual servers, 200 timing stations and 20 MikroTik routers. So that seems like it would be useful.
B
That's a week. Yeah, but that's a week of disruption, maybe. That's a very annoying week for a bunch of system administrators who have to put everything back together.
A
It's an embarrassing week for them.
B
Right. And it might actually have because the reputational impacts in the military sector might interfere with their future sales, for example. But if you look at it from this Western perspective of like, that's not the sort of operation we would do. You know, we would go after the radars and we would go after military C2 and sort of like after three years. No, like, no, you wouldn't. Like that just wouldn't be on the table anymore. So just as we were discussing earlier about how this sort of effect, it's very hard to coordinate with it, Right. So, like, the value of an effect is being able to exploit it. So you create an effect and then it enables something else. You can exploit it, but that requires timing, and timing is very, very hard to do during wartime. So I think what you end up with is when people do effects, it's because they have nothing else that they can do that's valuable.
A
Right? Yeah. So the Black Owl Gaskar example seemed to me like, yes, this is something worth doing. If you've got no other way of. If you can't blow up that factory with a conventional weapon, well, yeah, you do this and you accept that it's less good. But if the other attack was never on the table, well, that's the best you've got. And it's also using sort of essentially free resources in the sense that was.
B
That was going to be. The other thing I said is it's like it costs you nothing. If it works, then you get something and if it doesn't work, it's not even like you've wasted resources. You've wasted like two hours of a liaison speaking with them, maybe a little bit more, you know, and he could do that on weekends. Or it costs nothing and maybe it gets you something.
A
Yeah.
B
So why the hell not? So, yeah, my, my feeling is that cyber is great. I don't think it's great for war. I think that where it is great for war is in espionage, because it can provide very good intelligence at that level, but not for effects. Like, I don't think effects are a great use of cyber.
A
Right. Yeah. I think the broader point was that people have all sorts of different motivations at different levels that are driven by different imperatives.
B
And because it's an environment that is lax enough to allow those people the sort of free rein to actually pursue those ideas or those motivations, it creates the sort of confusing output which doesn't have the strategic coherence that you would want if you're trying to interpret what's going on purely by the outputs. So you see these different things happen and you're trying to figure out what the plan is behind it. And it's hard because there's a dozen different plans all motivated by different things.
A
Yeah, yeah. BTN124. We actually spoke about how the Russian GRU, which is military intelligence, how their sabotage team got into hacking. And it seemed to be just like a random guy decided that, not a random guy, but a manager decided that he wanted a hacker on his team. He just said go for hack. And just the level of corruption and self serving and self enrichment was just amazing.
B
Yeah. So actually that reminds me, there's, there's a good story I have about a cop and like, it just, it goes a little bit into how these different motivations show up. So I've heard a story from like a friend of a friend, this was before the war, they were at a wedding in Russia and one of the friends of the brother in law was a policeman. And after a few drinks he starts talking about what it's like to be a Russian policeman in this like, rural area of Russia where like, it's a city, but it's not a big city. You will have things like you are required to solve a certain number of crimes per month. Like that's the metric that you're measured on.
A
Right.
B
And there's not necessarily that number of crimes that you can find or even solve. And so they do things like they will maybe, if they're, they're running a bit short, they'll find a cousin, they'll pay him some money and they'll say, like, go and stay at the dacha for a couple of weeks, and then they'll have his mother report him missing and then he can be found a week later. Boom, check done. Similarly, they'll have these arrangements with, say, like, so he would be for the municipal police and there'd be like the highway police. And the highway police, if they've solved enough crimes for that month, and if they find evidence of something, like someone just dropped dead in the street, and it's sort of kind of on the line where it could be a highway or it could be municipal, but they've already done enough. Like, the highway's got enough. They will call up someone in the municipal and be like, hey, do you need one this month? Because we found one and you'll owe us for next month if we need one instead. So they've got these exchange networks to make sure that everyone has the right number, that they can meet their metrics. Even though what it's measuring is not something useful, I'm willing to bet that that exists in other parts. So I think that that sort of logic probably applies where there's the. Did you hack 30 companies this week like you were supposed to? And if you haven't, you might go to, like, the next team over and be like, hey, give us some of your spares. And I'll be like, okay, we've got, like, that. That mom and pop shoe store, and we've got, like, a corner store. We can give you three of those. And, like, that'll get your numbers up. Yeah. So I'm. I'm hesitant to read too much into what we actually see just because I think there's a lot of, like, I think there's a lot of weird motivations going on.
A
Yeah. So one of the interesting things, like, which I don't know if it supports it or is just super speculative, is that ESET said that the wiper attacks occurred in June and September, which is exactly three months apart.
B
Right.
A
I was like, I mean, oh, crikey, we've got to meet our quarter's goals.
B
Exactly. You're looking at it, you know, like, what do we sort. Well, we need at least, you know, $2 million worth of damage that we've done. That's right. What do we have on the book?
A
Books, you know, and so apparently the Russian financial year ends in December, so that would be the end of the second quarter and the end of the third quarter.
B
So there you go. Like, you can expect a bunch of wiper attacks next month.
A
December. Yeah. Unless they want to knock off early, in which case you'll get it between now.
B
Yeah, there you go. They're not going to be around all December. They're probably going to do it at the end of this month so they can take vacation. Thanks a lot, Tom.
A
Thanks, Scott.
In this episode, Tom Uren and The Grugq dive into the Russian Sandworm group's cyber attacks targeting Ukraine's grain sector, as detailed in a recent ESET report. They examine motivations behind these destructive "wiper" campaigns, question the strategic coherence of Russian cyber operations, discuss the evolving cyberwarfare landscape, and reflect on broader lessons and misconceptions seen in the West regarding both the utility and reality of cyber effects in ongoing warfare.
On Arbitrary Cyber Impact:
"The one Excel spreadsheet that tracks all of the grain and it's not backed up and it's also running on a pirated copy of Windows." — The Grugq (02:05)
On Russian Cyber Operations:
"Assuming strategic coherence is risky, right?" — The Grugq (03:54)
On Cyber Reporting:
"You see the ones that are splashy and cause effects..." — Tom (07:14)
"The spectaculars… show up." — The Grugq (07:19)
On Western Lessons:
"The Russians are learning how to wage cyber war during attritional warfare… we're not necessarily drawing those same lessons." — The Grugq (08:22)
On Quotas and Motivations:
"Did you hack 30 companies this week like you were supposed to?" — The Grugq (29:04)
On the Cyclical Nature of Attacks:
"Oh, crikey, we've got to meet our quarter's goals." — Tom (30:03)
This episode provides a candid, sometimes wryly comedic, take on Russia’s cyber war on wheat. Both hosts stress that, beyond headlines and spreadsheets, “cyber war” is as likely to be shaped by workplace inertia and reporting cycles as by geopolitics or military doctrine. For analysts or enthusiasts, it’s a reality check on cyberwar’s messy, improvisational realities.