a guest
Jul 26th, 2016
BfV Newsletter 01/2016
Counterintelligence article
Intelligence-service-directed electronic attacks from Russia

Germany is the focus of foreign intelligence services. The geostrategic situation in central Europe, the influence in the EU, the membership in NATO, the great economic power with many innovative companies, and the global recognition of German scientific and research achievements of public and private institutions put the Federal Republic at the center of intelligence reconnaissance efforts. To spy on government agencies, companies or research institutions, a variety of foreign intelligence services employ cyber attacks.

Russian intelligence-directed electronic attacks against German targets are usually part of multi-year, internationally oriented cyber espionage operations that form part of comprehensive strategic intelligence gathering. Their attack campaigns are characterized by a high level of technical skill, illustrate strong financial resources, and reveal, in the nature and scope of the global operations, exceptional operational and analysis capabilities. Electronic attacks by the Russian services threaten to a considerable extent the information security of German bodies in government and administration, business, science and research. Some of these operations can be traced back over a period of seven to ten years. Many of these attack campaigns share technical commonalities, such as malware families and infrastructure; these are important indicators of the same authorship. It can be assumed that both the Russian domestic intelligence service FSB and the military foreign intelligence service GRU run cyber operations.

The aims of the attacks by Russian services are primarily the strengthening of external and internal security, securing strategic influence, and promoting Russian military and energy exports and Russian high technology. The observed campaigns are usually directed at information retrieval, i.e. espionage. In individual cases, however, Russian intelligence services also showed a readiness for sabotage and data alteration, as the deletion of a database at a German victim showed.

As with reconnaissance by traditional espionage methods, in information gathering by electronic attacks the focus of the Russian services is on all policy areas that may affect Russian interests. Attacks on government bodies relate in particular to energy policy and security, foreign policy issues such as coordination processes in the European Union (EU), Central Asia and Middle East policy, military and armaments policy, the distribution of EU funds, and humanitarian issues.
NATO's enlargement policy and the EU's focus on the transatlantic alliance with the US are considered by the Russian leadership to be a threat to national security. The Russian economy and the state budget depend to a large extent on the development of revenue from the oil and gas business, which is marked by falling prices. State-owned enterprises are dominant in strategic areas such as the energy and raw materials sector, in the aircraft industry and, in part, in the field of information and communication technology. Attacks on foreign companies and research institutions serve to siphon off expertise and to promote private business and research.

Russian attack campaigns are aimed, among others, at supranational organizations, government agencies, armed forces, politicians and parliaments, German and international business enterprises, and science and research institutions. They are aimed at spying out advanced technologies. Priorities are observed in the fields of energy, military, X-ray and nuclear technology as well as aerospace. Government critics, journalists and NGOs, as well as major international banks and television stations, are also in the focus of Russian attackers.

In addition to long-term operations, event-driven or event-dependent attacks in favor of a Russian state intelligence interest are also detected, such as the cyber attacks on the Dutch investigative team in temporal connection with the publication, in the autumn of 2015, of the final report on the causes of the crash of Malaysia Airlines flight MH17 on 17 July 2014 in eastern Ukraine.

The Russian attackers demonstrate their technical expertise by, among other things, using a wide range of attack vectors that are difficult to detect. These include emails with malicious attachments or links to websites containing malicious code, USB sticks, phishing sites, watering holes or infected legitimate websites.
Spear-phishing attacks are characterized by good social engineering, with emails tailored to the victims. These are regularly well-researched, credible emails with content relevant to the victim (partly insider knowledge) and a sender supposedly known to the victim. In addition, the attackers stand out through great language skills. Contaminated emails have already been created in different European languages.

A method frequently observed in recent months for obtaining private access to victim systems via spear-phishing attacks is described by the IT security company Trend Micro in a corresponding report: the attackers registered domains that differ from legitimate websites only by small changes in spelling (so-called typosquatting). They then sent an email with a link to selected victims, in this example to employees of the American security company Academi (formerly Blackwater). If the link is clicked in the preview window of MS Outlook, a legitimate news site appears in a new window, in this case a page about Afghanistan with reports that are expected and therefore match the interests of the recipients. In the background, however, a modified JavaScript command meanwhile ensures that the Outlook page on the now hidden tab is replaced by the attacker's newly created Outlook page. If the victim now switches from the preview of the news site back to the Outlook program, the victim sees only the attacker's manipulated page (with a recreated login screen), which pretends that the session has expired and asks for the access credentials to be entered again. This input then allows the attacker to use this information to spy on the victim and possibly to gain further access.

This spear-phishing attack shows the sophistication with which the attackers operate. The victim usually has no chance of recognizing this attack as such, because hardly anyone pays attention to the exact spelling of a URL. Moreover, this incident illustrates the aspect of intelligence control of some attack waves. The attacks against Academi in spring 2014 took place at the same time as the Russian Foreign Ministry accused the company of sending 400 mercenaries to Ukraine.

Analysis of the state-controlled electronic attacks from Russia clearly shows the high information-technology quality of these offensive operations, for example through the exploitation of previously unknown vulnerabilities. The financial strength of the perpetrators is also visible; the nature and scope of the global operations likewise reveal immense operational and analysis capacities. The observed attacks are usually carried out in a very focused and tailored manner: the respective victims are specifically selected and attacked ("target list"). The likelihood of success, and therefore the damage potential, of Russian attacks is high because of the evidently resource-intensive approach, the outstanding technical skills and the good social engineering.
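
The typosquatting step described above is the part a mail gateway can check mechanically. The following is an added example, not taken from the BfV newsletter or the Trend Micro report: it flags link hosts that are a near-miss of a protected domain. The domain names, sample links, function names and the distance threshold of 2 are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed placeholder domains an organisation wants to protect (assumption).
PROTECTED = {"example-corp.com", "mail.example-corp.com", "news-portal.example"}

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # transposed pair
        prev2, prev = prev, cur
    return prev[-1]

def lookalike_of(url, max_dist=2):
    """Return the protected domain the link's host imitates, else None."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    if not host:
        return None
    # Exact matches and genuine subdomains of a protected domain are fine.
    if any(host == d or host.endswith("." + d) for d in PROTECTED):
        return None
    best = min(sorted(PROTECTED), key=lambda d: osa_distance(host, d))
    return best if osa_distance(host, best) <= max_dist else None

def flag_links(urls):
    """Map each suspicious URL to the protected domain it resembles."""
    hits = {}
    for url in urls:
        target = lookalike_of(url)
        if target:
            hits[url] = target
    return hits

# Constructed sample links, as a mail gateway might extract them from messages.
SAMPLE_LINKS = [
    "https://mail.example-corp.com/owa/",      # legitimate
    "https://mail.exarnple-corp.com/owa/",     # "rn" standing in for "m"
    "http://news-protal.example/afghanistan",  # two letters swapped
    "https://unrelated.example.org/",          # not a near-miss
]

if __name__ == "__main__":
    for url, target in flag_links(SAMPLE_LINKS).items():
        print(f"{url} resembles {target}")
```

The check only covers the lookalike domain; the replaced login page in the hidden tab has to be caught by other controls.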