Analysis: From IP smokescreens to political espionage – CBR separates fact from fiction in the recent surge in attacks purportedly from Russia.
Hackers have certainly been pushed front and centre into the public eye recently. The New York Times, the World Anti-Doping Agency, Hilary Clinton and the Democratic National Convention are just a few of the high-profile names and organisations who have fallen victim to a cyber attack.
Not only have they all fallen victim to hacking, but they are all said to share the same perpetrator(s) – hackers that seemingly originate from Russia.
The media has been bold in pointing the finger of blame at ‘Russian Hackers’, bandying round claims that the attacks are state-sponsored and are the start of a cyber cold war. So is there any truth to these claims?
Identifying the hackers as Russian is no simple task. Russia has for a long time been renowned for the calibre of its white and black-hat hackers, as well as the significant positive contributions to the cyber security industry. The relative ease in which a hacker can point the finger of blame elsewhere must be considered in the ‘Russian hacker’ narrative, as Stephen Gates, chief research intelligence analyst at NSFOCUS, told CBR:
“What most people don’t realise outside of cybersecurity circles, is that just because an attack appears to come from Russia (due to the source IP address involved), often times those hacks are not actually being performed by “Russians”. Instead, hackers understand how to compromise computers in homes, schools, and businesses all over the world. Once they compromised a computer and are running it remotely, they use that computer instead of their own computer to launch an attack.”
That being said, the cyber security industry is confident in its assertions that recent high-profile attacks have been part of groups backed by Russian intelligence agencies. US Intelligence agencies said with ‘high confidence’ that Guccifer 2.0, the name of an individual or group who hacked the Democratic National Committee, was backed by the Russian government – despite statements from the Kremlin denying any involvement in the DNC theft.
Security firms such as CrowdStrike, SecureWorks, and FireEye are among those who believe some of the attacks to be perpetrated by a group called APT28. It is speculated that this group, also reported under the names of Fancy Bear, Cosy Bear, Sofacy, and Pawn Storm, is Russian due to cyber activity and information operations that have been observed over a number of years. It seems that APT28 only collects intelligence that would be useful to government, as FireEye itself has observed:
“We believe it is engaged in espionage against political and military targets including the country of Georgia, Eastern European governments and militaries, and European security organisations since at least 2007.” Said Jens Monrad, Principle Systems Engineer at FireEye.
“They compile malware samples with Russian language settings during working hours consistent with the time zone of Russia’s major cities. While we don’t have pictures of a building, personas to reveal, or a government agency to name, what we do have is evidence of longstanding, focused operations that indicate a government sponsor – specifically, a government based in Moscow."
The motivations of such state-backed hackers seem obvious – political tensions between the US and Russia is nothing new, with recent hacks seemingly carried out for political and cyber-espionage purposes. SecureWorks, who refer to APT28 as Threat Group – 4127, told CBR of the Russian government’s possible motivations, saying:
“The Russian government views the U.S. as a strategic rival and is known to task its intelligence agencies with gathering confidential information about individuals and organizations close to the centre of power in the U.S. Individuals working for the Hillary for America campaign could have information about proposed policies for a Clinton presidency, including foreign-policy positions, which would be valuable to the Russian government.
“Information about travel plans and campaign scheduling could provide short-term opportunities for other intelligence operations. Long-term access to email accounts of senior campaign advisors, who may be appointed to staff positions in a Clinton administration, could provide The Russian Threat Group (TG-4127) and the Russian government with access to those individual’s accounts.”
According to SecureWorks, TG-4127 primarily poses a threat to organisations and individuals from Russia and former Soviet States. However, the exponential rise in attacks targeting the West indicates the confidence and willingness of these state-sponsored hackers to expand the scope of their attacks. This leads to a number of people being of very real risk to attacks, with SecureWorks identifying the following individuals and organisations at possible risk:
•Russia subject matter experts
•Individuals and organizations that publish articles portraying Russia in a negative context
•Defence or government organizations
•Organizations and individuals involved in the government supply chain
•Former military or government personnel
•Individuals associated with U.S. politics
These ‘Russian hackers’ may not be the top cyber security priority for British businesses or government – after all, the attention seems to be on the US at the moment. However, it would be foolish to not regard these hackers as a very real threat, due in large part to the fact that we live in a world without borders.
Just look at the BlackEnergy malware of last year, supposedly state-sponsored and leading to a blackout which affected hundreds of thousands of Ukrainians. This attack on the Ukrainian power grid is case in point – hackers can do much more than steal data and spy with the prevalence of connected devices and increasing digitisation, as Carbon Black’s , National Security Strategist Eric O'Neill told CBR:
“In a world where we are seeing more and more connected devices and an increasing level of digitalisation in the infrastructure of our cities, it isn’t hard to imagine hackers gaining access to all sorts of day-to-day systems and inflicting terrible damage through them. This could apply to anything from traffic signalling to financial institutions, utilities companies, airlines – you name it. The UK Government, and governments everywhere for that matter, need to start seriously considering how they can work more closely with private sector organisations to protect connected devices from those that would wish to do them harm.”
One of the biggest mistakes would be to think that the motivations behind these attacks are purely for political and cyber espionage purposes. Just like cyber criminals in America, UK, China and elsewhere, Russian cybercriminals are also hacking for one of the world’s best known and oldest motivators – money.
Hackers chasing money, combined with those who are reportedly working for the government, has transformed Russia into a cybercrime hotbed. Commenting on how Russia is now ‘blossoming’ in the world of cybercrime, Ray Walsh from BestVPN.com said:
“Not long ago, Russian hackers prided themselves on hacking for a greater good: Seeing themselves as noble Robin Hoods of the digital age. Now, however, the promise of personal riches has infected that culture, and we notice a rise in cybercrime across the board in Russia. Security vulnerabilities in the networks of US, UK and EU firms are being subjected to worms and Trojans for stealing financial records. Malware that turns those networks into hosts for spam farms; even financial extortion with the threat of DDoS attacks and with dreaded ransomware.”
While it must again be noted that cybercriminals could be using Russian IP addresses as a smokescreen, all evidence points to the fact that the recent surge in cyber attacks are originating from Russia. We could indeed be on the cusp of a cyber cold war – but what makes this a really frightening prospect is that the fight will not just be between governments, but essentially anyone with a digital footprint.
Just as Russia and the US battled in the Space Race, it seems a new race is on for supremacy in cyber space. Individuals, businesses and governments should be wary of the innovation, resources and state involvement in Russian cyber crime, because this cyber space race will not just be between two countries, it will involve everyone.
“While the recent surge of hacks appears to be state-sponsored and politically motivated, the fact is that Russia is on fire when it comes to cybercrime.” Said Mr Walsh from BestVPN.
“Plus, with Russian hackers acting with state approval (even if unofficially and not directly sponsored), they likely feel they can act with total impunity. Scary times indeed.”