FSB deploys cyber units inside Europe (for years)

The cyber is coming from inside the EU

– Czech counterintelligence agency (BIS) together with Czech police (NCOZ) dissolved the FSB group in 2018.

– Several Russian citizen and several ethnic Russians who acquired Czech citizenship were ran by the FSB in Prague. They were watched by Czech intel for several years.

— Jakub Janda (@_JakubJanda) October 22, 2019

Czech counterintelligence (BIS) rolled up forward deployed FSB controlled hackers. The hackers were ethnic Russians and ethnic Russians with Czech citizenship. They ran two companies selling IT supplies as covers for their offensive cyber espionage activities. BIS had them under surveillance for several years, during which they learned that the hackers used computer equipment specially delivered by Russian Federation diplomatic vehicles.

The cyber espionage network was rolled up at the beginning of 2018. BIS says that this is not an isolated incident, there are FSB cyber units operating throughout Europe.

Full story: Respekta (Google translate) (archive)

FSB running active cyber cells in the EU

This is so cool! I have long suspected that forward deploying cyber forces is already (or should be soon), standard doctrine for many countries. Any country that can afford to station a couple people in another country, and who have the capacity to fill those roles, should be doing this already.

Russia is a bit unique in the composition of their cyber capacity which involves a complicated tangle of integrated public and private sector entities. The hackers arrested in Czech were not FSB officers operating under cover, but they were not recruited assets either. One clear demonstration of this is that they were all ethnic Russian. The best way to describe them is contractors. Contractors employed by FSB for offensive cyber espionage operations.

Using contractors for intelligence or military work is hardly new, and it should be no surprise that they are used for cyber as well. Indeed, all countries with cyber espionage capability employ some form of public private cooperation. Contractors are a major part of the USA’s cyber force.

Geolocation is meaningless in cyber

This group used equipment specially delivered by diplomatic pouch straight from Russia. I have two ideas on this (it could be one, or both, or neither): o

1. Security. The equipment started life in a known clean state and is protected against tampering to ensure the integrity of the system.
2. Monitoring. The FSB was leaving these guys alone with a long leash in a foreign country. It is reasonable to assume they would want to keep an eye on their contractors work.

Security is a bit weird because the hackers left their equipment in the shops, only operating from those premises. This was definitely a sound security tactic. Keeping illicit activity or incriminating evidence away from the house makes it a safe environment. Having the “work” equipment at a shared location also helps OPSEC, removing any highly visible direct links to any of the suspects. Not much good when the counterintelligence guys spend years on surveillance though.

An effective offensive cyber team has a very small footprint. An operator, or a team, can travel completely naked, acquiring everything they need from local stores. Conducting successful cyber operations does not dependent on heavy investments on infrastructure or whatever. Cyber capacity is:

People. Ideas. Hardware. In that order.

John Boyd

A nation state can distribute “second strike cyber capacity” throughout the world. Maintaining a resilient offensive cyber capacity is within the capability of any nation that has one. This is much easier because the logistical requirements for building a cyber threat group, and maintaining them are constant regardless of where they are in the world.

Why this matters

Several big takeaways from this one:

• Russia has FSB cyber cells operating across Europe. It is probably safe to assume that Europe is not the only place they have no official cover cyber espionage units.

• Cyber units can be sent to where they are most effective, and they can operate as intelligence assets. They can be dispersed for resilience against kinetic attacks. They can be stationed anywhere, they don’t have to operate from the country that sponsors them.

• The Internet makes geographical location (mostly) irrelevant. Because geolocation is irrelevant a GRU officer can attack a US target from a desk in Moscow. But, by the same notion, it means that a GRU officer can attack a US target from a bungalow in a tropical country. The targets are fixed in space, but there is no reason for the attackers to follow those rules.

Three short observations:

1. Operators can be contractors (TTPs don’t match sponsoring country).
2. Operators can move about the board freely.
3. Operators have no special logistical requirements.