Booz Allen Hamilton, the largest private contractor for the US intelligence community, has published a comprehensive report this week detailing 15 years (2004 to 2019) of cyber operations carried out by Russia's military hackers.
The report is a rarity in the cyber-security community because it focuses on the bigger picture of how Russia's military uses its hacking units to support its foreign policy all over the globe.
This is in contrast with most other reports from the infosec industry that usually focus their investigations on isolated events, avoiding any political analysis, and rarely attributing attacks back to foreign governments.
Instead, the Booz Allen report takes all the previous reporting on past Russian hacks and puts it in a broader political context, in order to understand why the attacks happened rather than how: which malware was used, and who pushed what button and when.
More specifically, the Booz Allen report focuses on the cyber-operations carried out by the intelligence service attached to Russia's military.
Known as the Main Directorate of the General Staff of the Armed Forces, this intelligence agency is widely known within Russia and abroad by its former acronym, the GRU, derived from its historic name Glávnoye Razvedyvatel'noje Upravléniye (Main Intelligence Directorate). The agency's current name is Glávnoye Upravléniye (Main Directorate), or GU, but this term is rarely used, and the service is still broadly called the GRU.
For context, the GRU is distinct from the Russian government's internal security and intelligence service, the FSB, a successor of the infamous KGB. Unlike the FSB, the GRU only supports Russia's military operations and the Kremlin's foreign policy.
Over the past 15 years, the GRU has been linked to two very distinct hacking groups. The first is APT28 (aka Fancy Bear) and the second is Sandworm.
Each hacking group is believed to be a separate military unit inside the GRU, specifically tasked with carrying out cyber operations of varying degrees of sophistication, with Sandworm believed to be the GRU's elite division.
According to the Booz Allen report, the cyber operations conducted by both groups cannot be viewed in isolation. They are almost exclusively conducted in a broader political context.
Because the GRU is a military-run organization, its actions follow a pattern. Booz Allen says it analyzed more than 200 unique cyber incidents publicly attributed to the GRU and found that pattern.
According to the US intelligence contractor, that pattern fits the principles described in a Russian government document called "The Military Doctrine of the Russian Federation," which Moscow publishes at regular intervals.
The latest version of this document was published in 2014 and lists 23 security risks to the Russian Federation to which the Russian military must respond in one form or another.
In a chunky 80-page report, Booz Allen analysts classified and arranged all of the 200+ past GRU cyber-attacks into one of these 23 categories, showing how each cyber-attack can be read as Russia's defensive response to a change in the political environment around it.
The end conclusion of this report is that GRU offensive cyber operations can be predicted.
Companies or governments whose agendas cross the Russian government's in a way that the Kremlin might interpret as one of the 23 risks listed in its military doctrine should anticipate an attack from Russia's famed hacker groups.
"Defending against cyber operations, like those of the GRU, demands understanding not just how these operations occur but, more importantly, why," Booz Allen analysts said this week. "By understanding why adversaries act, defenders can better anticipate when, where, and in what form those actions may occur and take deliberate action to mitigate their risk based on that insight."
We won't list all 200+ known GRU cyber-attacks from the Booz Allen report in this article, as we'd end up with an equally long piece.
Instead, below we list some international incidents where Russia responded by unleashing its GRU hacking units, and show how each cyber-attack can be traced back to one or more of the 23 risks described in Russia's military doctrine.
We focus on the lesser-known incidents rather than the major ones.
Russia intervened in the affairs of Montenegro after the country moved to join NATO. According to its military doctrine, Russia views NATO expansion as #1 on its list of security risks.
GRU operations were crucial in the Kremlin's attempts to elect a pro-Russian government and prevent the country from joining NATO.
The GRU supported Russia's war effort in Syria as the Kremlin tried to keep a Putin-friendly leader in power. This effort fits with Russia's military doctrine of maintaining a stable political climate around it and preventing foreign powers from destabilizing its allies and neighbors (#2 on its military doctrine list).
GRU cyber-espionage operations played a role in the Russian government's response to the creation of a major NATO base in Poland. This fits Russia's mandatory response to NATO's ever-increasing presence in the region (#1 on its military doctrine) but also the danger of foreign powers deploying troops near Russia's borders (#3 on its military doctrine).
GRU hackers began targeting Romania after the country increased its military spending and military operations. Just like in Poland's case, Russia responded to a foreign country increasing its military presence in an area of interest -- the Black Sea, in this case (also #3 on its military doctrine).
GRU hacking operations targeted Denmark for years after the country announced it was joining the NATO Missile Defense System.
Here, Russia responded to the US undermining its military deterrence capabilities by deploying an anti-missile system near its border (#4 on its military doctrine).
Russia deployed its military hackers against the UK after the country considered deploying troops in Syria, a move that obviously put it at odds with Russia (#2 and #8 on its military doctrine).
Russia deployed APT28 to meddle in the 2016 US presidential election after the US triggered security risk #14 on its military doctrine -- state-sponsored subversive activities targeting Russia -- by running, in the Kremlin's view, a state-sponsored foreign influence campaign to support President Putin's rival during the 2012 Russian presidential election.
What followed was the DNC hack, APT28 posing as the Guccifer 2.0 hacktivist, DCLeaks, and an army of online trolls and networks of fake news sites targeting the US public.
Russia also deployed its GRU hackers to discredit international sports organizations after Russian athletes were banned from several sporting events.
At the time, it seemed odd that Russian state hackers would go after sporting organizations, since these are not the usual targets of a state-sponsored hacking group. But per Booz Allen, WADA banning Russian athletes from the Olympics amounted to a public embarrassment of the Russian state and effectively triggered principle #17 in Russia's military doctrine: the Kremlin saw the WADA ban as an attack on Russian historical, spiritual, and patriotic values and traditions.
True to its military doctrine, the Russian government unleashed its GRU hackers, leading to some of the most unusual state-backed hacking campaigns seen this decade, alongside the 2014 Sony hack.
Dozens of other case studies are detailed further in the Booz Allen report.