Putin’s Eleven: Nation State Hacker Teams Uncovered


Before we discuss Russian nation state hacker teams, let’s look at how military branches have historically been born. On July 2, 1926, the United States Army established the Army Air Corps. After World War II it was determined that we were best served by a separate Air Force, and on September 18, 1947 the Air Force became America’s fifth service. On October 1, 2010 the Army Cyber Command (Army Cyber) was established and commanded by Major General Rhett A. Hernandez. United States Army Cyber Command’s mission is to direct and conduct integrated electronic warfare, information and cyberspace operations as authorized, or directed, to ensure freedom of action in and through cyberspace and the information environment, and to deny the same to our adversaries. It is only a matter of time before the Army Cyber Command becomes our sixth military branch. Much like the US has Special Operations teams – or ‘SpecOps’ – such as the Navy SEALs or Army Delta Force, we have Cyber SpecOps teams. So do our adversaries!


Nation State Hacker Teams: The Cyber Special Forces

Think of state sponsored or nation state actors as each country’s cyber special forces team. There are a few reasons that the nation state cyber teams can be more effective than hacktivists, terrorists or financial hackers. To start, they have permission to hack. This means they only have to hide from their remote adversary, and not local authorities; very much like the drone pilots in Nevada, operating behind enemy lines without the physical dangers. The approaches and techniques they use can be a bit louder and bolder without worrying about local authorities.  Furthermore, the only consideration they have for their target is while the attack is in process.  Often once the attack is over, it does not matter if the target knows of the attack and who the attackers are.  The nation’s response to accusations when called out is easy: Deny, Deny, Deny!

So when it comes to hacking, local authorities are all that matter. Just think of the 13 Russians indicted in February 2018, along with the most recent batch of 12 additional Russians in July 2018 indicted by Robert Mueller. So long as they don’t step into the US or allied countries, it just does not matter.

By virtue of not having to expend as much energy hiding, they spend less time on obfuscation and more time on their malicious intent. Moreover, in the event they conduct a cyber attack that is extremely high profile, they don’t have to run and lay low.


Russian Tradecraft

The Russian Nation State Hackers used a combination of technical and psychological tradecraft. Despite Robert Mueller’s identification of the attackers personally, there is little chance the indicted Russians will be extradited or suffer repercussions.  

State sponsored cyber hackers also benefit from functional teams. On NCIS, Abbey and McGee can hack into any and every type of system. If there is a lull in the plot – Hack Something! By the way, CBS, would it kill you to hire a subject matter expert so we don’t have to listen to nonsensical techno-babel? There’s no such thing as a “2048 bit firewall”.

In reality though, not every hacker is expert in everything. Complex compromises require teams of specialist subject matter experts that come together within different functional groups, each with a specified expertise.


The “Who” Behind Putin’s Eleven

First there is the strategy group. This group either identifies or receives orders on what or who to target for a cyber attack. Sometimes their target is very specific, such as the communications of the National Security Advisor, or it may be a broad mandate, such as demand for access to US critical infrastructure. Examples of critical infrastructure include election systems, power grids and water supplies. Other areas may include communications infrastructure like telephone carriers, radio and TV stations; healthcare infrastructure such as hospitals and blood banks; and transportation infrastructure that include roadways, airports, buses, and trains.

The strategy group will take the broad mandate and develop a specific strategy on how to implement it. For example, they would identify their target – let’s say a power station. To compromise the power station they may define the level of access required to accomplish their objective and specific person or persons to be personally targeted.

They may draw in the research group to perform information gathering and leg work. Prior to the strategy group formulating its approach, the research group investigates the options to identify and gather information on organizations, geographies, sites, systems, vendors, people, and more. This is used by the strategy group to develop the specific action plan.

With their mandates and plans in hand, other groups are brought in with specific functions and specialties. Lets take a closer look.


Specialized Cyber Special Forces

The Psychological Operations – or PsyOps – group whose work is focused on social engineering. Not all hackers operate with technology; there are also people hackers or social engineers. Often unsuspecting people are involved as part of the compromise effort. Think of the person who clicks on the malware laced email or the person who plugs in the USB stick they found in the parking lot. These examples are simple. A more advanced, real-life example is when a system administrator was identified and profiled. He turned out to be a fan of hobby trains and belonged to an associated forum. Though the organization systems that needed to be compromised were not vulnerable at the time, the cyber attackers did manage to compromise the hobby train site and collect the sys admin’s password, which happened to be the same as his company password.

In this case, they managed to spend over six months in the system stealing data and committing acts of cyber espionage. The compromise was only discovered after the damage irreversibly impacted the integrity of the company’s data dating six months back. At that point the affected organization did not know what were good data or bad data.  A horrible position to be in!

Thirdly, there is also the exploit development group. These guys are the folks who identify vulnerabilities, and weaponize them.

Another group consists of malware packagers. This is the team that takes an exploit and packages it up for delivery and dissemination. Just like in any sport in which you need to position yourself to be lined up before taking a shot, cyber exploits need specific circumstances to be properly executed. Typically there are existing dissemination frameworks that this team uses and adapts to their specific needs, however nation state hacker teams are known to develop their own dissemination framework as required. An example of the custom framework is StuxNet, where a unique and advanced framework was used to infiltrate Iranian nuclear centrifuges.

Then, there is the BotMaster. There may be instances where an exploit or cyber attack is disseminated, or data from an already implemented exploit is collected and forwarded via a BotNet. BotNets consist of many distributed systems that are already exploited and controlled by the BotMaster, where the user of the system is unaware.  BotNets can be used to disseminate or receive content. A nation-state may have their own BotNet or they may rent one from the various that are on the market – or a combination as required.

There is also a recruiter, the proverbial “Danny Ocean” who knows and is trusted by the different players to make sure the right resources are accessible as they are needed. Some of the hackers recruited are pure mercenary, while others need to be deceived. Often the recruit doesn’t know who they are working for. Interestingly enough, the recruiter may also be recruited themselves and be unaware of their employer.

Lastly, there is the buyer. The buyer has relationships with commercial exploit developers as well as a reach into the deep dark crevices of the dark web that exploit developers lurk in. This is how the state sponsored cyber-warriors have access to the best exploits, including zero-day exploits that the industry may not even be aware of. These exploits are purchased from commercial exploit developers authorized to sell to sanctioned groups, or on the dark web by the highest bidder. The dark web bidder is often anonymous and may be a country such as the US, Russia, China, North Korea, Iran or EU countries, among others. To do this they use Cryptocurrency, and lots of it. Usually, only nation states can afford to spend money on the juiciest exploits. And if you want exclusivity, then you will pay more. Nation states also have the resources to “get even” if the exploit seller does not respect their exclusivity.


Nation State Hacker Teams: Well-Funded & Well-Trained

Nation state Hacker teams are the best funded of all cyber attacker types. Hacking is expensive at this level. You need to be able to afford the rock stars, their support teams and infrastructure, tools, and exploits. Occasionally, they may need to bring in the “consultant” experts in a particular area, and these people cost money too. This type of operation needs management and is typically managed by a team of executive, director and manager ranks that are usually military. Though inexpensive compared to the cost of conventional troops and warfare, nation-state hacking teams still have a cost structure that can not be afforded by other Hacktivist, Terrorist or Financial groups.

With access to the broad resources with formal operational management, these teams are also the best trained. There is formal training, but also the training that comes from access to so many different approaches, techniques and other smart people. It drives up the expectations and operating tempo.

The best example of this “Putin’s Eleven” model is the 25 Russians Robert Mueller indicted for taking part in the compromise of the 2016 US elections that leveraged both technical and psyops efforts.  The 25 indicted Russians are representative of only two groups: “Fancy Bear” or APT28 and “Cozy Bear” or APT29. Moreover, these indictments may represent only the key players in the groups. It’s likely that many more were involved in support roles. The Russian nation state hacker teams are not your granddaddy’s spray and pray hackers.

In comparison to industry standard cyber security protection models, with roots dating back to medieval times, nation state hacker teams are organized, directed, well funded and use advanced techniques and the latest exploits to pinpoint and devastate their befuddled targets!


About Acreto

Acreto is the first cloud-delivered, end-to-end connectivity and security platform that can connect and protect any technology, on any network, anywhere. Acreto SASE +Plus delivers Secure Access Service Edge (SASE) functionalities for access technologies such as devices, networks, IoT / OT and third-parties; while Acreto Secure Application and Data Interconnect (SADI) connects and protects application delivery infrastructure such as clouds, SaaS, data centers and co-locations. Acreto SASE +Plus is SASE plus SADI — one platform with one interface from one provider for all of your technologies around the world. Learn more at https://acreto.io or @acretoio.

About The Author: Babak Pasdar

Babak Pasdar is an ethical hacker and a globally-recognized expert in Cyber-Security, Networking and Cloud. He has a reputation for developing innovative approaches and methodologies for the industry’s most complex security problems. Before Acreto, Pasdar brought the first proxy-in-the-cloud platform to market, even before the word “cloud” was coined. He called it security in the "Grid". Named one of New York’s Top Ten Startup Founders over 40, he has built and successfully exited two Cyber-Security technology companies and his innovations have been widely adopted by the industry.

Interested in seeing Acreto SASE+Plus in action? Let’s start with some basic information.

    Interested in seeing Acreto SASE+Plus in action? Let’s start with some basic information.

      Interested in seeing Acreto SASE+Plus in action? Let’s start with some basic information.

        Interested in seeing Acreto SASE+Plus in action? Let’s start with some basic information.