When international hardware and software vendors come to Russia seeking sales, they must open up their wares for inspection by the Federal Service for Technical and Export Control, or FSTEC, a Russian agency ostensibly set up to warn government and private-sector users about bugs and other vulnerabilities. But a new paper by Western cybersecurity researchers shows that most of these bugs are never revealed to the public. That means that they could be used by Russian military and intelligence services without anyone knowing. The FSTEC is, itself, a military organization that supports counterintelligence and counterespionage operations.
The researchers from Recorded Future, a privately held company based in Massachusetts and Sweden, concluded that just 10 percent of the bugs discovered by FSTEC are eventually released to Russia’s national vulnerabilities database. (Compare that to the United States’ NSA, which ultimately posts some 80 to 90 percent of the bugs it finds to the National Vulnerabilities Database.)
Their report says FSTEC is basically a cover to get foreign companies looking to sell information technology inside Russia to allow the government to poke through those wares for vulnerabilities. The agency releases a fraction of what they find, just enough to be “credible” as a software reviewer.
“FSTEC’s vulnerability database provides a baseline for state information systems and legitimate cover for foreign technology reviews,” notes the report. “According to February 2017 amendments to FSTEC documentation regarding inspection and requirements for state information systems, vulnerabilities in the … database are intended to provide a baseline of security — not a comprehensive vulnerability listing — for state information systems.”
“While Russia’s NVD is highly focused, Recorded Future finds that it is incomplete, slow, and likely intended to support the control of the Russian state over technology companies and users,” a company spokesperson said in a press release.
Perhaps the Russians are simply finding fewer bugs than their American counterparts? No, says the report, noting that in the “experimental” year of 2015, the FSTEC published several times more vulnerabilities than usual. The following year, it returned to the 10-percent average.
The Russian approach differs from the American one, in that the latter discloses most bugs relatively quickly. Even the ones that the NSA holds back as possibly useful get published once the spy agency spots them being discussed on hacker forums.
“We may choose to restrict a vulnerability for offensive purposes,” like breaking into an adversary’s network, Curtis Dukes, the NSA’s former deputy national manager for national security systems, told a think-tank audience in 2016. “But that doesn’t mean we’re not also constantly looking for signs whether or not another nation-state or criminal network has actually found that same vulnerability and now are using it. As soon as we see any indications of that, then that decision immediately flips, and we move to disseminate and remediate.”
Russia watchers note that the Russian government either condones or encourages almost all of the cyber criminal behavior within its borders. That’s significant because Russia is also a lot more likely to exploit actual vulnerabilities that it finds. A 2017 paper from researchers at Arizona State University found that when hackers used Russian to discuss a new vulnerability in forums, they would go on to attempt to use that vulnerability to break into someone’s computer 46 percent of the time — compared to 13 percent for hackers speaking English, and 10 percent for hackers speaking Chinese.
The Russian government is about to require foreign firms, and even Russian citizens, to divulge even more cyber information. On July 6, Russian President Vladimir Putin announced a new program “to develop a system of the automated exchange of information on threats in the digital space,” he said. “Such solutions should increase the efficiency of the corresponding operational agencies to respond to such threats, and for this purpose it is important to create the relevant legal conditions and ensure convenient forms of interaction between citizens and state structures.”
Read that to mean: new mandates for companies and civilians to share more data with the government.