By Dalia Bankauskaitė and Simas Čelutka, for Integrity Initiative
On 18 January Lithuania encountered a cyberattack aimed at the TV3.lt website, one of the most popular TV channels in Lithuania. The hackers’ initial IP address led to St Petersburg, Russia. The hackers inserted false information about the Minister of National Defence, Raimundas Karoblis. In addition, emails from the TV3.lt account with the false story attached, containing malicious code, were sent to Lithuanian opinion leaders and information multipliers, among them representatives of important governmental and state institutions, political figures and media organizations.
According to the false story, Mr Karoblis admitted to being gay and had been accused of sexual harassment by a well-known Lithuanian radio journalist and a few diplomats. In contrast to previous cyberattacks against Lithuania, this false story was written in good Lithuanian.
The TV3.lt website removed the fake article within five minutes, and the National Cyber Security Center (NCSC) of Lithuania promptly started its investigation. Importantly, the cyberattack took place two days after Lithuania released the Magnitsky List: 49 names of Russian citizens banned from entering Lithuania.
On 29 January, NCSC presented its account of the cyber incident.
Brief review of the cyber operation
The object of the cyber-incident investigation: defacement of the news portal (www.tv3[.]lt), publication of slanderous information and distribution of e-mails (containing malicious attachments) to a targeted audience on 18 January 2018.
The investigation revealed that a false article was published by abusing the Content Management System (CMS) of tv3.lt website with the help of compromised admin accounts. Server and CMS logs (provided by tv3.lt specialists) allowed the investigators to conclude that the services of the TOR network were used for the defacement of the website. The determined logical IP addresses of the TOR nodes are linked to online activities of a foreign state-funded group. Discovery of earlier unauthorized logins allowed the investigators to conclude that login credentials had been intercepted significantly earlier than the defacement itself took place.
E-mails with an attachment containing malicious code were sent to a targeted audience at 7.26 p.m. on 18 January 2018. The spoofed sender address noreplay[@]tv3.lt was used.
Inspection of the e-mail header revealed that the sending server was located at 103.36.109[.]248. The spoofed e-mail address imitated the actual tv3.lt news subscription address (noreply[@]tv3.lt), but contained a small error. The body of the message contained an image whose requests could be monitored by the sender (telling them which recipients had opened the message). The message had an attachment named Press release_18_01_18.doc (Figure).
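As an added example (not part of the NCSC account or this article), a small Python triage script for the lure just described: it flags a sender address within a couple of edits of a known legitimate sender, a remote image that would let the sender see who opened the message, and an Office attachment. The known-sender set, the tracker host and the sample message are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

KNOWN_SENDERS = {"noreply@tv3.lt"}   # genuine subscription sender named in the report
REMOTE_IMG_RE = re.compile(r'<img[^>]+src=["\']?(https?://[^"\'\s>]+)', re.IGNORECASE)
OFFICE_EXT = (".doc", ".docm", ".docx", ".rtf", ".xls", ".xlsm")

def edit_distance(a, b):  # Levenshtein distance; one insertion turns noreply into noreplay
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage_message(raw):
    """Return human-readable findings for one RFC 822 message string."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    findings = []
    if sender not in KNOWN_SENDERS:
        for good in KNOWN_SENDERS:
            d = edit_distance(sender, good)
            if 0 < d <= 2:                      # near-identical, like noreplay vs noreply
                findings.append(f"lookalike sender {sender} ({d} edit(s) from {good})")
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(OFFICE_EXT):
            findings.append(f"office attachment {name}")
        if part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
            for url in REMOTE_IMG_RE.findall(html):
                findings.append(f"remote image, possible open tracker: {url}")
    return findings
# Constructed sample message modelled on the lure described in the report.
SAMPLE = """From: TV3 <noreplay@tv3.lt>
Subject: Press release
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>See attached.</p><img src="http://tracker.example/open.gif?id=42"></body></html>
--b1
Content-Disposition: attachment; filename="Press release_18_01_18.doc"

--b1--
"""
```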
The text inside the attachment Press release_18_01_18.doc contained false information about the Minister of National Defence Raimundas Karoblis and links to the press release on the defaced news website. The document also contained automated malicious code (a PowerShell command) which reaches out to a server on the Internet (88.99.132[.]118) to download an additional malicious payload. The payload was to be fetched by abusing the Dynamic Data Exchange (DDE) feature of Microsoft Office, which lets a document pull data from other resources on the computer or on the network. The malicious code was injected into a hidden data field, the description of which also shows an error message in the Cyrillic (Russian) alphabet, allowing investigators to assume that a Russian-language version of Microsoft Word was used to create the document. (Figure)
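As an added example (not from the NCSC report or this article), a Python detector for DDE field instructions in Word documents: for .docx it reassembles each field's instruction text, which Word may split across several runs, before matching; for the legacy binary .doc format the attachment used, it does a raw keyword scan over both 8-bit and UTF-16LE text. The sample document builder and the placeholder path in the tests are constructed for the example.

```python
import io, re, zipfile
import xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
# DDE/DDEAUTO is the field type the report says was abused; a field's instruction
# may be split across several runs, so the text is joined before matching.
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)

def field_instructions(part_xml):
    """Yield each complete field instruction in one WordprocessingML part."""
    root = ET.fromstring(part_xml)
    for fld in root.iter(W + "fldSimple"):           # single-element fields
        yield fld.get(W + "instr", "")
    buf, inside = [], False                          # fldChar begin ... end
    for el in root.iter():
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                buf, inside = [], True
            elif kind == "end" and inside:
                inside = False
                yield "".join(buf)
        elif el.tag == W + "instrText" and inside:
            buf.append(el.text or "")

def find_dde_fields(docx_bytes):
    """Return whitespace-normalised field instructions that invoke DDE."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in (n for n in zf.namelist() if n.startswith("word/") and n.endswith(".xml")):
            for instr in field_instructions(zf.read(name)):
                norm = " ".join(instr.split())
                if DDE_RE.search(norm):
                    hits.append(norm)
    return hits

def raw_dde_scan(blob):
    """Triage for binary .doc: field text is stored as 8-bit or UTF-16LE characters."""
    up = blob.upper()                                # field names are case-insensitive
    return sorted({(kw.strip(), enc) for kw in ("DDEAUTO", "DDE ")
                   for enc in ("ascii", "utf-16-le") if kw.encode(enc) in up})

def build_sample_docx(field_runs):
    """Constructed fixture: one complex field whose instruction spans the given runs."""
    runs = "".join('<w:r><w:instrText xml:space="preserve">%s</w:instrText></w:r>' % r for r in field_runs)
    doc = ('<w:document xmlns:w="%s"><w:body><w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>%s'
           '<w:r><w:fldChar w:fldCharType="separate"/></w:r><w:r><w:t>x</w:t></w:r>'
           '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p></w:body></w:document>' % (W[1:-1], runs))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf: zf.writestr("word/document.xml", doc)
    return out.getvalue()
```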
Every crime has its motive. What was the motive of this cyberattack?
This is not so much about the slanderous fake story itself; it reportedly caused a good laugh among the Lithuanian Defence Minister, the mainstream media and the politically aware part of Lithuanian society.
To paraphrase a Russian saying: Russian hackers and designers of cyberattacks are not as stupid as they might seem or as one would like them to be. It is obvious that the false story was meant to be spotted immediately. If the aim had been to compromise the Defence Minister, much more sophisticated and effective measures could have been employed, drawing on the longstanding practices of the Russian intelligence services.
What, then, might have been the motive of this operation?
First. The email carried an attachment containing malicious code, and some state institutions (luckily only a few) opened it. The aim was to gain access to decision makers’ computer and phone data and to enable spying on the infected users. Once delivered to the system, the malicious code could then exploit it. The cyber attackers played on the inherent inquisitiveness of human nature, inventing a sensational story to make the attachment more tempting to open.
Second. The attack was meant to test the resilience of Lithuanian information systems, to assess the speed and scope of reaction, and to see how quickly false messages might spread and be received. News websites are a key source of reference for information in case of an emergency. What if those news websites then contain lies, false information or disinformation? In such cases national security might be greatly compromised.
Third. Some analysts claim that the attack is an extension of the ZAPAD ‘17 military drill by other means. The Kremlin has repeatedly and consistently shown that cyber aggression is deeply integrated into its strategies of conventional as well as non-conventional warfare. For example, during the ZAPAD ‘17 military exercises the so-called Russian radio-electronic combat forces turned off a large part of the Latvian mobile network and even GPS signals in Norwegian airspace.
Fourth. Lithuania’s information environment is constantly exposed to larger or smaller cyberattacks from Russia, just to name a few of those aimed at the defence structures in Lithuania:
- In June 2015 a cyberattack of a similar pattern was carried out. During the international US-led military exercise “Saber Strike” the website of the Joint Headquarters of the Lithuanian Army was hacked and a false story inserted claiming that NATO forces were running a military exercise to annex the Kaliningrad region and that the Forest Brothers – Baltic partisans who waged a guerrilla war against the Soviet occupation of the three Baltic states during and after World War II – would attack Kaliningrad from Poland and Lithuania. Emails containing the false story were also sent out to the Lithuanian media.
- In September 2017 a Facebook account of the Defence Minister was hacked.
- In February 2017, emails accusing the German-led NATO battalion in Lithuania of sexually assaulting “Lisa” – a teenager who did not exist – were sent out to Lithuania’s political elite.
- In June 2017 Lithuania reported that Russian spyware had been detected on three government office computers and that many attempts to break into computers had been prevented.
Post Scriptum. How to think about Russian cyberattacks
Given these repeated cyberattacks coming from Russia, the question arises whether such provocations have become the new normal. It is crucial to understand that this and similar cyber attacks are not separate incidents. In fact, they are part of the Kremlin’s comprehensive anti-Western revanchist strategy aimed at dissolving the US-led international order. For more than a decade, Moscow has used cyberwarfare against Western states, institutions, government agencies, think tanks, companies and critical infrastructure objects. Cyber hostility should be acknowledged as an integral element of Russia’s long-term goal to reestablish itself as a dominant player in the worldwide geopolitical game. This thesis is corroborated by a pattern of events that occurred over the last decade or more.
During the wars Russia recently waged against sovereign neighboring states – Georgia (2008) and Ukraine (2014-present) – cyber attacks were used as conventional force enablers, helping the Russian Armed Forces advance much more rapidly to achieve their tactical goals on the battlefield. In 2007, Estonia was briefly paralyzed by sustained DDoS (Distributed Denial of Service) attacks which were conducted in response to the Estonian government’s decision to relocate a Soviet-era statue from the centre of Tallinn. In 2008, a number of Lithuanian official websites were hacked into and defaced with Soviet signs and anti-Lithuanian slogans. The context of the operation was thematically similar to Estonia’s: the Lithuanian parliament had banned the use of Nazi and Soviet symbols, such as the hammer and sickle, and the playing of the Soviet anthem at public gatherings.
These instances clearly indicate that Russia sees itself as an inheritor of the USSR and Soviet legacy, disregarding the independence and sovereignty of Lithuania, Estonia, Ukraine, Georgia and other countries that were occupied by the USSR for 50 years. In 2004, Lithuania and Estonia became members of NATO and the European Union, thus obtaining security guarantees from transatlantic allies. So far, the Kremlin has refrained from using conventional forces against the Baltic states, yet it actively and consistently employs all other “hybrid” measures, including cyber offensive, to exert influence on these countries. Ukraine and Georgia, not yet members of NATO or the EU, have had to suffer a much more brutal offensive onslaught, which involved not only cyber, information and psychological warfare, but also military operations waged by Russian Armed Forces. Russian defence strategists consider cyber aggression to be a relatively cheap, “asymmetrical” element of warfare that can significantly disrupt its adversaries’ readiness and societal cohesion.
It is important to stress that Russian cyber hostility is directed not only against its immediate neighbors, but also against major Western states. In recent years, Russian cyberattacks have been aimed at the French TV channel TV5Monde, the German parliament, a German steelmaker, the US State Department, the White House, the US Pentagon‘s Joint Chiefs of Staff, Norwegian oil companies and many other objects. Last year, the West seemed to have finally woken up to the magnitude of the Russian threat, especially after Russia’s meddling in the US Presidential election, the Brexit campaign and several major European elections. At this stage, it is vital to grasp the comprehensive nature of the Kremlin’s anti-Western strategy and seek the most effective solutions to strengthen our cyber and digital capabilities as well as civic resilience, media literacy skills and societal cohesion.
Dalia Bankauskaitė is Head of Media Programme at Vilnius Institute for Policy Analysis. Simas Čelutka is Head of European Security Programme at Vilnius Institute for Policy Analysis. The authors can be contacted via email: dalia.bankauskaite[at]vilniusinstitute.lt and simas.celutka[at]vilniusinstitute.lt