PUTIN’S CYBERWAR

been released. In it, fake servers of the Board were created in order to carry out credential phishing attacks.[25] The aim was to gain access to the Board’s real servers, and thereby gain unauthorised access to sensitive material collected by Dutch, Malaysian, Australian, Belgian, and Ukrainian authorities. Those responsible for the attack, according to experts, were likely to be Pawn Storm, otherwise known as Advanced Persistent Threat 28 (APT28). APT28 is believed to be based in Russia and to have close links to the Russian government. According to the cybersecurity firm FireEye, the group has a history of targeting “insider information related to governments, militaries, and security organizations that would likely benefit the Russian government”.[26]

4.3 Think Tanks and Policy Communities

In April 2009, a US-based foreign policy think tank was hit by cyberattacks. Over the course of two days, between 16 and 17 April, various personnel received emails containing attachments of malicious Microsoft Word documents and PDF files, in an attempt to infiltrate the organisation. Over the same two-day period, on the other side of the Atlantic, government institutions in both the Czech Republic and Poland were subjected to the same treatment. The attacks began only days after President Barack Obama gave a major foreign-policy speech, on 5 April, in which he declared his intention to proceed with the deployment of the US’s “European Interceptor Site” missile defence base in Poland, with a related radar station located in the Czech Republic.[27] According to F-Secure Labs, the Finnish cybersecurity firm, the attacks were carried out by “The Dukes” – “a well-resourced, highly dedicated and organized cyberespionage group that … has been working for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making”.[28]

4.4 Media and Press

In April 2015, TV5Monde, a major French television network, was attacked by cybercriminals. In the attack, hackers gained control over the network’s ten news channels and its social media channels and published jihadist propaganda, including personal information of French soldiers serving in Syria. After an initial blackout, the station resumed broadcasting within hours and later regained control of its Facebook and Twitter pages. The hackers initially claimed to be ISIS militants, part of the so-called “CyberCaliphate”, but it soon became apparent that they were, in fact, members of the Russian group APT28.[29] The attack had been well planned, beginning three months earlier, in January, when hackers sent phishing emails to journalists at the network.

[25] This is when emails are sent from what appears to be a trusted source in order to trick the recipient into opening a malicious attachment or visiting a malicious website where malware is downloaded to their computer.
[26] ‘APT28: A Window Into Russia’s Cyber Espionage Operations?’, FireEye, 5 February 2010, available at: https://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf, last visited: 6 May 2016, p. 4.
[27] ‘The Dukes: 7 years of Russian cyberespionage’, F-Secure Labs Threat Intelligence Whitepaper, 29 January 2011, available at: https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf, last visited: 6 May 2016, p. 5.
[28] Ibid., p. 3.
[29] Riley, M. and Jordan Robertson, ‘Cyberspace Becomes Second Front in Russia’s Clash With NATO’, Bloomberg, 14 October 2015, available at: http://www.bloomberg.com/news/articles/2015-10-14/cyberspace-becomes-second-front-in-russia-s-clash-with-nato, last visited: 6 May 2016.