Russian Intelligence Services & the World Cup

As Russia prepares for the World Cup, attendees should prepare as well. Attendees should pay particular attention to personal security, both physical and cyber. Concerns about physical security and possible violence against attendees are the topic of discussion among many, especially in Britain. However, protection of fans, athletes and reporters in cyberspace is just as large a concern.

The Russian Federal Security Service (FSB) has been tasked with ensuring the IT infrastructure is secure. The FSB is currently inspecting the IT systems of hotels, resorts, World Cup facilities, and ISPs for vulnerabilities and malware. Officials, within and outside Russia, see the prominence of the World Cup as an attractive target for criminals and hackers seeking to embarrass Russia. Because of this, Russia is using all available resources to prevent cyber-attacks. One tactic the FSB is employing is connecting IT infrastructures to its scanning and search networks. This allows the FSB to conduct deep packet inspection of traffic traversing the network, essentially reading the headers and contents of everything accessed across the Internet.

This level of scrutiny by the FSB, Russia’s chief counter-intelligence and surveillance agency, may give some attendees cause for concern. The concern only grows with Roskomnadzor’s actions to block VPNs, proxies and anonymizers as it seeks to prevent use of the Telegram messaging app. Russia has had trouble blocking the secure messaging app. Russia moved to block the app early in April after Telegram refused to provide decryption keys to the FSB, following the determination that Telegram was used by terrorists during the 2017 St. Petersburg subway bombing that killed 15 people.

Using a VPN to create a secure connection when using a hotel, café, or unknown network has become common practice for many travelers. It provides greater protection than relying on SSL websites alone. For business travelers, like reporters, corporate IT services typically provide VPN access so that remote users can reach company infrastructure. With the FSB moving to block VPN access, it’s unclear how useful either commercial or private VPNs will be for attendees. Without the ability to encrypt the connection, the FSB will have a much easier time following attendees online.

Of greater and longer-lasting concern may be Fancy Bear’s (APT28) tactics, techniques and procedures (TTP). Fancy Bear has a long history of using spear-phishing techniques combined with spoofed websites to harvest login credentials from targets. Additionally, Fancy Bear has been known to use malicious sites and emails to install malware onto victims’ computers. Blocking VPN services makes Fancy Bear’s job easier. Some in the cybersecurity and intelligence fields believe Fancy Bear, and the associated group Cozy Bear (APT29), are cyberwarfare teams of the GRU (Russia’s military intelligence) and the FSB. If true, this would certainly give Fancy Bear the ability to compromise, via the FSB, the IT infrastructure used during the World Cup.

Fancy Bear has also demonstrated an ability to use less secure avenues to gain access to more secure systems, as occurred in the TV5 Monde attack. They can also maintain persistence within the secure infrastructure, both exfiltrating data and biding their time for an attack opportunity. Fancy Bear had access to TV5 Monde for two and a half months prior to launching their attack. Cozy Bear had access to the Democratic National Committee network beginning in the summer of 2015 and remained there undetected until September. Fancy Bear is constantly evolving techniques to attack devices, sometimes subverting legitimate tools in ways undetectable to users.


The same TTP could be used to infiltrate the Fourth Estate as they cover the games. It could allow hackers a foothold, one that they could use for more nefarious purposes when the stakes are even higher. The U.S. media, with looming mid-term elections, is a high-value target. Russia has sought in the past to discredit our institutions and interfere in our political process. Nothing indicates they intend to stop. The World Cup presents an opportunity for Fancy Bear, and possibly Russian intelligence, to infiltrate attendee devices and leverage that access to infiltrate networks at home. Overall, Russian intelligence services serve the Russian state and Putin’s interests. There exists an unusual opportunity for Russian intelligence to spy intensely on attendees and establish persistence for their cyber-threats; extreme caution is demanded.

Publicly, the World Cup presents Putin an opportunity to demonstrate his power on both the domestic and world stages. It is important that the World Cup events go well, and that the Russian national team does well. Any violence toward attendees or sabotage of competitors will put Putin and Russia under even greater scrutiny by the world community; Putin already faces denunciation following the poisoning of Sergei Skripal. Criminals and terrorists will see the games as an opportunity to further their agendas. Political opponents have an opportunity to embarrass and weaken Putin. Putin must show that Russia is capable of hosting world-class events, that he is in control, and that all is well, all the while leveraging the opportunities that spies, like Putin, understand are few and far between; quite the balancing act.

Tips for Cyber-safe World Cup Travel

  • Travel with a completely clean laptop. Freshly image the device before your departure, installing only the software you need for your trip; ensure no sensitive information travels with you; and wipe/re-image the device upon return before connecting it to a secure infrastructure (assume it has been compromised).
  • Mobile devices face many of the same threats. Leave your primary phone/tablet at home. Buy or rent a device for use in Russia, ensure no sensitive information travels with you on the device, and re-image it upon return. If you must carry your main mobile(s), ensure they are protected with a strong password and can be remotely wiped if lost.
  • Be sure to use anti-malware on both laptops and mobile devices. Avoid installing software “on the road” (install before you leave) and only install software from trusted sources.
  • Be wary of wireless access points; avoid connecting to them if possible, and only connect to networks you are confident are legitimate. Wi-Fi access points are easily impersonated.
  • Be alert to fake domains associated with the World Cup. Hackers set up hundreds of fake sites designed to steal log-in, personal and credit card information. These sites are expertly designed to look and act like legitimate sites.
  • Avoid logging into sites you don’t need to during your travels; skip checking bank accounts, as that can wait until you are home. Assume all your communications are vulnerable to interception.
