
Inside Cyber Warfare - Jeffrey Carr [58]

Russian Federation’s outlying states. It neighbors Chechnya and, in recent months, has outdone its neighbor in terms of random killings and escalating levels of violence and desperation.

The latest conflict involves Jihadist radical groups attempting to unseat the military leadership. The principal religion in the North Caucasus region is Islam, and young people in particular are becoming radicalized in the face of an oppressive and corrupt governing regime.

One of the loudest voices of the opposition movement is a website—Ingushetia.org, formerly Ingushetia.ru. One year ago, the owner of that website, Magomed Yevloyev, was arrested by police, ostensibly to answer some questions as part of an investigation. On the way to police headquarters, while seated in the back of a police car, Yevloyev was “accidentally” shot in the temple, according to the Interior Ministry of Ingushetia.

The Ingushetia.org website has experienced hacker attacks off and on since 2007, usually timed to its more controversial pronouncements, such as the “I have not voted” campaign launched during the 2007 Russian elections.

In July and August of 2009, DDoS attacks were launched against this website, coinciding with increasing tensions between the government and the opposition. On August 17, 2009, a suicide bomber driving a truck packed with explosives blew himself up near the Ingushetia police station, leaving 20 dead and 130 injured.

Not surprisingly, at least one C&C server involved in the DDoS attacks against Ingushetia.org is hosted on an IP address that is affiliated with Russian organized crime (the Russian Business Network, or RBN).

Russian investigative journalist Andrei Soldatov wrote about suspected Federal Security Service (FSB) involvement in cyber attacks in the region dating back to 2002 in an article that was published in Novaya Gazeta on May 31, 2007. He was fired from the paper in November 2008, reportedly as the result of financial pressure. Alternatively, it may have been that the FSB tired of his ceaseless investigations into their operations.

The Ingushetia.org attacks begin to paint a picture of a more sophisticated attack framework being adopted by the Kremlin against its political opponents:

The Kremlin, with the help of the FSB, targets opposition websites for attack.

Attack orders are passed down through political channels to Russian youth organizations whose members initiate the attack, which gains further momentum through crowd-sourcing.

Russian organized crime provides its international platform of servers from which these attacks are launched, which in some cases are servers hosted by badware providers in the United States.

The Predictive Role of Intelligence


The core responsibility of intelligence as a discipline is to provide state leadership with insight into what the emerging threats are before they manifest into an attack on the state.

This was already a difficult task when the only threats were physical. Today, intelligence agencies must also consider emerging threats in an entirely new dimension—cyberspace. To make it even more difficult, the generation of experts currently performing this mission is still trying to understand just what a threat in cyberspace looks like, or, even worse, what cyberspace is.

One approach—further addressed in Chapter 12—is to build a predictive model that depicts how most politically motivated cyber attacks develop.

Another is to mine the various forums, websites, chat rooms, and other channels where the cyber underground conducts its business. This is often a hit-and-miss proposition because the more experienced crews are aware that forums are being watched and use IRC chat or other more secure methods of communication. Sometimes, however, mistakes happen and astute intelligence-gathering operations can capitalize on those sources.

However, these are passive approaches to intelligence collection and analysis, and are not nearly sufficient to meet the IC’s responsibility to identify emerging threats before they occur.

What is needed in cyberspace is the
