[BreachExchange] In a first, Ukraine leaks Russian intellectual property as act of war

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Mon Mar 14 10:09:43 EDT 2022


https://www.scmagazine.com/analysis/breach/in-a-first-ukraine-leaks-russian-intellectual-property-as-act-of-war

The Main Intelligence Department of the Ministry of Defense of Ukraine
(GURMO) hacked and leaked documents it claimed it stole from the Russian
Beloyarsk Nuclear Power Station this week. The act is believed to be the
first time a hack-and-leak operation weaponized the leak of intellectual
property to harm a nation.

GURMO has leaked a broad set of documents to writer Jeffery Carr, author of
the book "Inside Cyber Warfare" and creator of the Suits and Spooks
conference, to disseminate through his new Substack newsletter. Later in
the week, Carr sent out a second article of documents, this time of the
Russian space program.

Beloyarsk's trade secrets may be valuable. It is home to the only two
fast-breeder nuclear reactors in commercial operation, the BN-600 and BN-800.
The Beloyarsk technology is so fuel-efficient that it creates no nuclear
waste, with countries such as Japan and France investing considerably to
replicate it.

"It's taking a multi-billion dollar project that Russia has been building
and made it open-source," said Eric Byres, chief technology officer at the
industrial control systems cyberdefense firm aDolus Technology.

Beloyarsk is run by Rosenergoatom, the Russian state nuclear utility.
Damaging its ability to do business is both an economic strike and an
embarrassment for the broader nation.

While this is likely the first such use of intellectual property to damage
a nation, especially during a combat situation, hack-and-leak operations
are not an entirely new tool for nation-states. Leaks are often used as a
sub-war way to needle adversaries, as when North Korea leaked documents
from Sony Entertainment in retaliation for the Kim Jong-un
assassination comedy "The Interview," and when Russia leaked emails from
high-ranking Democrats in the run-up to the 2016 election.

Carr told SC Media that GURMO wanted, in part, to demonstrate its
capabilities.

"They want Putin to know that all of your resources are not keeping us out.
And while we have not done anything to cause harm, it's within our ability
to do that," Carr said.

"They are laughing at how easy it was for them. They have not hit anything
that would stop them from achieving their objectives," he added.

After the 2016 election and various hack-and-leak ventures that followed
it, many newsrooms reconsidered how they approached documents leaked by
governments for geopolitical gain. Carr, who said he has vetted documents
with experts to establish authenticity, said he believes he is being
ethical, due to the circumstances of the war, particularly the documented
targeting of civilians.

"If the world were [at] peace, I don't know that I would ... feel the same
way. In fact, I'm sure that I would not feel the same way," he said.

Carr said he is readying more document leaks for his newsletter.

The release of the Beloyarsk documents dents Russia in a variety of ways.
Immediately, it tells Russia that Ukrainian intelligence has access to various pieces
of its infrastructure. It embarrasses a country that likes to boast about its
scientific might. The leak of intellectual property — either from Beloyarsk
or the threat of future leaks — may damage potential future sales for the
facility.

Any economic damage to sales might not be felt immediately.

"It won't make any difference today, but I'm sure Mitsubishi is
watching this with enthusiasm so that they can start offering fast-breeder
reactors to their Middle Eastern clients," said Byres.

Since the beginning of the Russian invasion, Ukraine has set up a volunteer
team of hackers to conduct offensive operations. Yet the leaks to Carr were
done in a government ministry's name.

That is notable in a world where countries often use proxies and shell
personas to hide involvement in offensive hacking. Russia has previously
used ransomware operators, Anonymous and a Romanian hacktivist persona in
high-profile operations the U.S. attributed to Moscow.

"We see other actors in the world doing that, and saying, 'I don't want a
part of that, let's pass it off.' And I think strategically,
it's a big signal to me that Ukraine, it's a ministry of defense [saying]
that, 'No, this is ours,'" said Danielle Jablanski, OT cybersecurity
strategist at Nozomi Networks. "That's really interesting for the future of
what we're seeing in terms of the crowdsourcing and fluidity of the
[Ukrainian volunteer hacker group, the] IT Army. They could have given the
IT Army that task, but instead they took a direct role in it."

Carr told SC that the hackers involved with the attack "have been doing
this a long time," in part because their experience wasn't entirely
governmental. "That part of the world, if you understand how to hack into a
system, you've probably been working in a gray area," he said.

Hack-and-leak IP operations may offer one other substantial benefit, noted
Jablanski: It sends a strong signal to critical infrastructure without
actually harming people by damaging critical infrastructure, and without
the relative difficulty of bridging the IT/OT divide.

"Stealing and publishing IP is just less risky than a cyber-physical
effect," she said.