
31 October 2014

Online Security Experts Link More Breaches To Russian Government

By NICOLE PERLROTH

OCT. 28, 2014


SAN FRANCISCO — For the second time in four months, researchers at a computer security company are connecting the Russian government to electronic espionage efforts around the world.

In a report released on Tuesday by FireEye, a Silicon Valley firm, researchers say hackers working for the Russian government have for seven years been using sophisticated techniques to break into computer networks, including systems run by the government of Georgia, other Eastern European governments and militaries, the North Atlantic Treaty Organization and other European security organizations.

The report does not cite any direct evidence of Russian government involvement, such as a web server address or the individuals behind the attack, nor does it name the Russian agency responsible. The researchers have made the government connection because the malicious software used in the incidents was written during Moscow and St. Petersburg working hours on computers that use Russian language settings and because the targets closely align with Russian intelligence interests.
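The compile-time reasoning described in the preceding paragraph, shown here as an added, runnable illustration that is not code from the article or from FireEye: it reads the build timestamp from each Windows PE header, shifts it into a candidate time zone and measures how many builds land inside a Monday-to-Friday working day, so the same sample set can be compared against several zones. The PE headers and build times are constructed for the demonstration, the UTC+4 Moscow offset is an assumption about the years analyzed, and the language-setting check the report also relied on (resource language identifiers) is not implemented here.

```python
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumption: Moscow kept UTC+4 year-round from March 2011 to October 2014; earlier
# years alternated UTC+3/UTC+4, so a real analysis must pick the offset per build date.
MOSCOW_UTC_OFFSET_HOURS = 4


def pe_compile_timestamp(data: bytes) -> int:
    """Return the COFF header TimeDateStamp (seconds since the Unix epoch, UTC) of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF file header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (timestamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return timestamp


def make_pe_stub(timestamp: int) -> bytes:
    """Constructed test input: a minimal, non-executable MZ/PE header carrying the given TimeDateStamp."""
    header = bytearray(b"MZ" + b"\0" * 0x3E)            # 0x40-byte DOS header
    struct.pack_into("<I", header, 0x3C, 0x40)           # e_lfanew: PE signature sits at 0x40
    header += b"PE\0\0" + struct.pack("<HHI", 0x14C, 3, timestamp)  # i386, 3 sections, timestamp
    return bytes(header)


def working_hours_share(timestamps, utc_offset_hours, start_hour=8, end_hour=18):
    """Fraction of timestamps that fall Mon-Fri with start_hour <= local hour < end_hour in the given zone."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    hits = 0
    for ts in timestamps:
        local = datetime.fromtimestamp(ts, tz)
        if local.weekday() < 5 and start_hour <= local.hour < end_hour:
            hits += 1
    return hits / len(timestamps) if timestamps else 0.0


def hour_histogram(timestamps, utc_offset_hours):
    """Count builds per local hour of day; a profile clustered around 9-18 suggests a human work schedule."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return Counter(datetime.fromtimestamp(ts, tz).hour for ts in timestamps)


def sample_timestamps():
    """Constructed sample set (not real APT28 timestamps): five PE stubs with chosen build times."""
    build_times_utc = [
        datetime(2013, 3, 5, 6, 30, tzinfo=timezone.utc),    # Tue 10:30 MSK
        datetime(2013, 3, 6, 11, 5, tzinfo=timezone.utc),    # Wed 15:05 MSK
        datetime(2013, 3, 7, 5, 45, tzinfo=timezone.utc),    # Thu 09:45 MSK
        datetime(2013, 3, 9, 7, 0, tzinfo=timezone.utc),     # Sat 11:00 MSK (weekend)
        datetime(2013, 3, 11, 18, 20, tzinfo=timezone.utc),  # Mon 22:20 MSK (after hours)
    ]
    blobs = [make_pe_stub(int(t.timestamp())) for t in build_times_utc]
    return [pe_compile_timestamp(b) for b in blobs]


if __name__ == "__main__":
    ts = sample_timestamps()
    for label, offset in (("Moscow UTC+4", MOSCOW_UTC_OFFSET_HOURS), ("US Eastern UTC-5", -5)):
        share = working_hours_share(ts, offset)
        print(f"{label}: {share:.0%} of builds in working hours; by hour {dict(hour_histogram(ts, offset))}")
```

On a real corpus the comparison only carries weight with hundreds of samples and a visibly spiky histogram; a TimeDateStamp is a single unauthenticated field that a linker flag or hex editor can set to anything, which is why the article itself treats this kind of evidence as circumstantial rather than proof.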

“This is state espionage,” Laura Galante, FireEye’s manager of threat intelligence, said in an interview on Tuesday. “This is Russia using its network operations to bolster their key political goals.”

Officials at the Russian Embassy in Washington could not be immediately reached for comment.

Last year, FireEye acquired Mandiant, the security firm that teamed up with The New York Times to identify the unit of China’s People’s Liberation Army responsible for thousands of cyber attacks on United States companies, government agencies and nongovernmental organizations.

FireEye is one of several security firms to tie the Russian government to hacking incidents. In July, three security firms, Symantec, F-Secure and CrowdStrike, also tied a string of coordinated attacks on Western oil and gas companies to Moscow.

United States intelligence analysts have long cited Russia as a major concern. One top-secret 2009 National Security Agency intelligence estimate obtained by The New York Times last year named Russia as the most sophisticated adversary for the United States in cyberspace. But diplomatic efforts have predominantly been aimed at curbing digital threats from China.

Attacks from hackers in China are typically less sophisticated, but far more prolific than those originating in Russia.

The FireEye report notes, however, that it is often difficult to discern between Russian government attacks and attacks conducted by Russian cybercriminals.

“You only exist as a significant Russian cybercriminal if you abide by three rules,” said Tom Kellermann, chief cyber security officer at Trend Micro, a security firm based in Irving, Tex. “You are not allowed to hack anything within the sovereign boundary; if you find anything of interest to the regime you share it; and when called upon for ‘patriotic activities,’ you do so. In exchange you get ‘untouchable status.’ ”

One top-secret 2009 N.S.A. report, for example, named the Russian Nashi, a pro-Kremlin youth group, as the culprit behind the powerful 2007 cyber attacks on Estonia that nearly crippled the Baltic nation.

American officials also said Russian hackers were responsible for a similar attack on Kyrgyzstan in January 2009 that, analysts suspected, was connected to efforts to persuade Kyrgyzstan’s president to evict an American military base there. Shortly after the attacks ceased, Kyrgyzstan announced plans to remove the military base and received $2 billion in aid and loans from Moscow.

Those attacks were distributed denial-of-service, or DDoS, attacks, aimed at flooding foreign networks with web traffic to knock them offline. Over the last seven years, FireEye researchers say, Moscow has crafted and honed sophisticated malware tools and deployed them, in many cases undetected, on the networks of its neighbors and adversaries.

The espionage campaign, called APT28 by researchers at FireEye, started in 2007. Security researchers say professional hackers have been infecting their targets with malware, using emails containing malicious links and attachments. This malware can change its characteristics, making it hard to detect.

Researchers say the malware is particularly good for creating back doors into computer networks that allow hackers to come and go without being detected. The code is also designed to be flexible, allowing its builders to adjust it and add new features, and it uses encryption to evade security researchers. It was also built to stop running malicious programs the second it recognizes an attempt to reverse-engineer the code, which is a sign that it has been detected.

Ms. Galante said FireEye’s researchers uncovered the campaign on computer networks of some of its clients. They were able to reverse-engineer the code enough to uncover many tools and signatures and unearth more about the people and operation behind it before the malicious programs stopped running.

The FireEye research was reported by The Wall Street Journal.

The targets, FireEye’s researchers say, include the Ministry of Internal Affairs of Georgia and its Ministry of Defense, journalists writing on Caucasus issues, and the Kavkaz Center, an international news agency focused on issues in Chechnya, Russia, and Islam. Researchers have also tied the campaign to attacks on the governments of Poland and Hungary and an Eastern European government’s ministry of foreign affairs. European security organizations, including NATO, the Organization for Security and Co-operation in Europe and the Baltic Host, a military exercise, have also been targets.

The firm’s researchers also note that the same group has spied on governments and organizations that are not deemed immediate Russian threats, including the Chilean military, the government of Mexico, and the Al-Wayi news organization, a Russian-language magazine for readers in the Middle East.

Those targets are not necessarily outliers, Ms. Galante said, because they would be of interest to any government. What convinced FireEye’s researchers that the campaign was the work of the Russian government, she said, was the malware.

“The malware indicates a seven-year espionage effort, operating and developed over time,” Ms. Galante said. “This is a professional, well-resourced effort that has been going on for years.”
