Genius hackers help Russia’s neighbors thwart cyber incursions


Russia’s cyber capabilities should not be underestimated but its NATO neighbors are more than capable of defending themselves against the Kremlin, Lithuania’s cyber chief says.

Nations neighboring Moscow’s empire constantly face cyberattacks originating from Russia. Everything from ransomware attacks to attempts at critical infrastructure is on the table.

As the war in Ukraine has demonstrated, military operations are often accompanied by cyber operations, prompting countries like Lithuania, a NATO and EU member, to develop tools and methods to defend against more numerous and better-resourced foes.

ADVERTISEMENT

One way to stand up to the challenge is by nurturing local talent and fostering partnerships with the most capable hackers, Liudas Ališauskas, the head of Lithuania’s National Cyber Security Centre (NCSC), thinks.

We sat down with Ališauskas to discuss how the frontline NATO member protects against Moscow’s hackers, whether Russia can still be seen as a major power after a year of disastrous warfare, and what little impact attacks from pro-Russian hacktivists such as Killnet actually have.

“We should be careful not to underestimate what Russia can do. It’s a large country with a large talent pool. Cybercrime is flourishing there, allowing a certain mindset to develop. However, that doesn’t mean we’re too weak to defend against them. Far from it.”

Ališauskas said.

Before Russia’s invasion of Ukraine started, some experts maintained that Eastern Europe was a testing ground for Russia’s offensive cyber tools. Would you agree?

It’s hard to say one way or the other. From an attacker’s perspective, the attack chain is often similar: intelligence gathering, system penetration, and privilege escalation. Since 99% of attacks are financially motivated, the end result is usually theft or encryption. I’d say 1% or less of all cyber operations are done with truly destructive intentions.

We are fully aware there are attempts at disrupting critical systems. We know that from our own experience and what our partners tell us. However, there are not too many gray zones on how Russia operates.

I’m not sure if Russia singles out any particular state to test out its cyber tools. They’re actively developing new tools, and the war in Ukraine only intensified their tenacity. Yet, Russia has its specific modus operandi, whether with tailor-made tools or mass-produced cyberattack software.

You said 99% of cyberattacks are financially motivated. Do you think, for example, ransomware gangs could maintain ties with Russian security services?

ADVERTISEMENT

It’s all about the money. The important question is what motivates red teamers [highly skilled offensive hackers, some of whom are legally employed by legitimate enterprises to test their systems’ defenses]. Most of them exhibit an almost genius-like understanding of their craft, and their skills are highly transferable.

It comes down to what motivates them: money or other aspects, such as curiosity. What we’re seeing is that Russia combines the two. On the one hand, skillful threat actors can operate with impunity in the cybercriminal underworld. On the other, the state can generously finance their activities.

Liudas Alisauskas
Liudas Ališauskas.

Many pro-Ukrainian nations suffered distributed denial-of-service (DDoS) attacks by pro-Russian hacktivist groups. Lithuania is no exception here. What could you say about the impact of such attacks?

Yes, we noticed them. Whether we like it or not, some people support what Russia is doing in Ukraine. It’s a fact of reality. However, these efforts are mostly crowd-supported and are very low-skilled. The tools at their disposal are very basic.

Even if they had access to offensive tools, most people involved don’t have the necessary skills to do that. Most pro-Russian hacktivist supporters follow simple guides their leaders share on social media.

So far, the most they could pull off were DDoS attacks. Be it as it may, such attacks are not the most threatening, and there are ample security measures to prevent them. In other words, Killnet won’t disrupt the supply of electricity.

They’re mostly showing off. Pro-Russian hacktivist attacks usually result in some downtime for public-facing websites. Yes, that may be an inconvenience, but it hardly impacts critical infrastructure itself or public services.

One of the pro-Russian hacktivists said that a lot of offensive cyber operations come from the Baltic states. Are you aware of the coordination between local hackers and the government?

No, I don’t know anything about that. All cyber operations in Lithuania and in NATO are purely defensive. There’s no legislation to govern offensive operations.

ADVERTISEMENT

Of course, if somebody is competent enough to carry out such operations, there’s hardly anything anyone can do about that. Can Lithuanians do that? Of course. There are a number of highly skilled people who can target any system they want. We have a lot of smart people here.

“Even if they had access to offensive tools, most people involved don’t have the necessary skills to do that. Most pro-Russian hacktivist supporters follow simple guides their leaders share on social media.”

Ališauskas explained.

Some pundits claim that Russia’s cyber operations since February 2022 show it’s lost its edge. Do you think Russia is still a cyber superpower?

Soldiers are hardened on the battlefield. If we’d look at how the Russian military performed since the beginning of the war, we’d see they are learning and adapting. Maybe not as fast as everyone expected, but they’re learning.

The same applies to the cyber realm. All sides are continuously monitoring each other, learning and reacting appropriately to the latest changes in the cyber battlefield.

We should be careful not to underestimate what Russia can do. It’s a large country with a large talent pool. Cybercrime is flourishing there, allowing a certain mindset to develop. However, that doesn’t mean we’re too weak to defend against them. Far from it.

Ukraine and other countries that support the Kyiv government notice an increasing number of attacks against critical infrastructure. Have you seen growing interest in Lithuanian infrastructure?

There’s no lack of attempts. However, our critical infrastructure enterprises are highly resilient, especially in the energy sector. Organizations are fully aware of the current situation and continuously monitor cyberspace, manage risks, and react proactively. The result is that we had zero blackouts caused by cyberattacks. I’m delighted with our gas and electricity utilities and infrastructure managers.

What’s the level of interplay between the NCSC and critical infrastructure companies?

I’d say a relatively high level. Our cyber defense effort is coordinated, and we oversee if our customers uphold the operational and technological requirements we set for them. While we have around 2,000 customers, energy companies and critical infrastructure operators have unique cybersecurity rules to follow.

ADVERTISEMENT

How does the state check if companies meet the requirements for cybersecurity?

Penetration testing. We have a breadth of targets that our team monitors. We’re trying to find vulnerabilities in their enterprise IT and industrial control systems, and determine whether the bugs we found are exploitable. We also get a lot of help from outside. Since Lithuania has coherent legislation for responsible disclosure, skilled citizens frequently reach out to inform us about potential bugs or vulnerabilities they’ve found.

NCSC receives five to ten notifications from citizen pentesters every month. People that voluntarily help us are of extraordinary talent and curiosity. Finding what they do takes a lot of will and effort, and we are grateful for that. We usually offer to attribute the findings to people who make them, but at least half of them want to stay anonymous.

What’s NCSC’s input to strengthen Ukraine’s cyber defense capabilities?

We started deepening cooperation between regional players before the full-scale war broke out. First, we have trained Ukrainian military officers in cyber resilience since 2020. We see that as a highly successful program that we want to continue.

Second, in 2021 we established the Regional Cyber Defense Center (RCDC), focusing on cyber threat intelligence and analysis. RCDC’s permanent board members are Lithuania, the US, Ukraine, Poland, and Georgia. There will be more. Additionally, international experts from other countries participate, sharing their expertise.

The center’s key strength is that we can compare notes. We all receive different types of attention from Russia and China. By comparing and analyzing these threats, we can put effort into preventing them from materializing.

A very welcome spillover effect is relationship building between cyber professionals. It’s one thing to have an official meeting and quite another when you can ring up a familiar person when in need.

ADVERTISEMENT