1 September 2016

Russian Cyberspies' Leaked Hacks Could Herald New Normal



Time to set cyber espionage 'norms' before more volatile nation-states follow suit, experts say.

Russia’s cyber espionage machine traditionally has kept intelligence it siphons from the US close to the vest, but the recent wave of data leaks surrounding the US political campaign and believed to be by Russian state hacker groups represent a new breed of threat by the nation.

The leaked emails and information from the Democratic National Committee and the (DCCC), which security firm CrowdStrike has tied to two known Russian nation-state cyber espionage units, marked the first time Russian nation-state cyber espionage actors have employed a combination of hacking and doxing against the US or another United Nations member, according to security experts. Russia has been known to perform similar tradecraft against neighboring nations, however.

This isn’t the first time a nation-state group has doxed a US target: US officials called out North Korea as the hackers behind the epic and massive data breach, data-wiping and doxing of Sony Pictures Entertainment in 2014. While the attackers attempted to portray the breach as payback for the Sony film “The Interview” that purportedly upset Kim Jong Un, experts say it was more of a geopolitical midgame by the North Koreans to pressure US dealings with the nation.

But Russia in its recent attacks and leaks via WikiLeaks against the DNC and others – with more victims expected to be uncovered in the coming weeks -- is seen as attempting to influence or shape the outcome of the US presidential election, a glaring red flag when it comes to cyber espionage “norms.” “I do think the North Korea attack on [Sony] … was a seminal turning point because the entire world was watching,” says Christopher Porter, manager of threat intelligence at FireEye. “Even though the attribution confidence was high, there was no public blowback for the North Korea government.”

Porter says Russia likely took the plunge against the US because it saw little risk of major political fallout. “At FireEye, we’ve seen them conducting [these types of attacks] for years, interfering in elections in their backyard,” for example, he says.

“The fact that they’re willing to do the same to Western governments” is a new Russian cyber espionage MO, Porter notes.

The timing of the leaks—during a US presidential election—indeed has the appearance of an intention to influence the outcome or at the least to shake things up: DNC emails that were leaked show a preference toward Hillary Clinton over Bernie Sanders, for example, and led to a reshuffle at the organization starting with the firing of former DNC chair Debbie Wasserman Schultz. US Department of Homeland Security Secretary Jeh Johnson recently said DHS is considering designating the US voting system as critical infrastructure so it can be secured accordingly. 

No Such Agency (NSA) Leak 

Most recently came the online dump of tools and files of the Equation Group—aka the National Security Agency—by a group calling itself the ShadowBrokers. Kaspersky Lab, which first exposed the Equation Group in 2015, confirmed that the doxed files match those of the Equation Group (Kaspersky doesn’t identify actual actors behind hacking groups). Experts say the auction of the files by ShadowBrokers is a fake, but the files and tools are real, including tools from the NSA that hacked Cisco, Fortinet, and Juniper firewalls.

"Firewalls and routers are getting a lot of attention for attackers, so security on those devices needs to be carefully evaluated. The stakes have been raised in the inter-country hacking scene," says Liam O'Murchu, director of security technology & response at Symantec. "It is still unclear why these tools were leaked or by whom, but this may set a precedence of further leaking of government tools."


O'Murchu says whle the timing of ShadowBrokers leak indeed is suspicious, researchers at Symantec haven't found any evidence that confirms a connection between it and the DNC/DCCC incident.

Other security experts say it’s no coincidence the data dump came in the wake of the attacks on DNC, DCCC, and others, by Russia.

“This is definitely not Snowden stuff. This isn't the sort of data he took, and the release mechanism is not one that any of the reporters with access to the material would use. This is someone else, probably an outsider...probably a government,” said Bruce Schneier in a recent blog post. “Some group stole all of this data in 2013 and kept it secret for three years. Now they want the world to know it was stolen. Which governments might behave this way? The obvious list is short: China and Russia. Were I betting, I would bet Russia, and that it's a signal to the Obama Administration: "Before you even think of sanctioning us for the DNC hack, know where we've been and what we can do to you."

Whether Russia’s doxing of the Dems and others will actually have any influence on the US election or how the US responds to the attacks, remains to be seen. What is clear is that nations need to establish cyber norms for cyber espionage, notes Bill Wright, director of government affairs at Symantec. “The norms are currently nebulous. It’s going to take time and effort” in diplomacy to set the rules of the road in cyber espionage to rein in the doxing element, he says.

Setting parameters, such as the US-China pact that promises no hacking for economic gain, could help by at least starting the conversation over what is and isn't acceptable cyber-spying activity, experts say.

Even more chilling is that Russia's doubling down on doxing-style cyber espionage for geopolitical influence could open the floodgates for other nation-states to mimic it.

“I’m more concerned with the spread of new techniques” like this in cyber espionage, FireEye’s Porter says. “The most likely scenario to me is not conflicts between great superpowers, but unrestrained, widespread cyber conflict among regional powers worldwide. That to me is the most destabilizing, scary scenario coming out of this.”

But Oren Falkowitz, CEO and co-founder of Area 1, says the strategy of doxing for influence isn’t necessarily effective. The DNC leak came relatively late—just prior to Clinton accepting the nomination as the Democratic candidate—and the Equation Group tools dumped online by the ShadowBroker group was mostly older information that already had been exposed by Edward Snowden, he says.

“I’m not clear what the objective was by whoever did it and if it was successful,” Falkowitz says. “Long-term, I’m not sure people can keep up with these” leaks and they may not be as effective, he notes.

Meanwhile, the DNC and DCCC just scratch the surface of this Russian cyber espionage attack campaign, security experts say. In a typical cyber espionage attack, a nation-state targets the big fish like a DNC, as well as media, think-tanks, political action committees, and politicians themselves in order to gather as much intel as possible. “There are victims we are going learn about in six months that are [being hit] today,” Falkowitz says.

No comments: