Russian Cyber Spies & Hackers Are The New Normal

Time to set cyber espionage 'norms' before more volatile nation-states follow suit, experts say.

Russia’s cyber espionage machine traditionally has kept intelligence it siphons from the US close to the vest, but the recent wave of data leaks surrounding the US political campaign and believed to be by Russian state hacker groups represent a new breed of threat by the nation.

The leaked emails and information from the Democratic National Committee and the (DCCC), which security firm CrowdStrike has tied to two known Russian nation-state cyber espionage units, marked the first time Russian nation-state cyber espionage actors have employed a combination of hacking and doxing against the US or another United Nations member, according to security experts. Russia has, however,  been known to perform similar tradecraft against neighboring nations.

This isn’t the first time a nation-state group has doxed a US target: US officials called out North Korea as the hackers behind the epic and massive data breach, data-wiping and doxing of Sony Pictures Entertainment in 2014. While the attackers attempted to portray the breach as payback for the Sony film “The Interview” that purportedly upset Kim Jong Un, experts say it was more of a geopolitical midgame by the North Koreans to pressure US dealings with the nation.

But Russia in its recent attacks and leaks via WikiLeaks against the DNC and others, with more victims expected to be uncovered in the coming weeks -- is seen as attempting to influence or shape the outcome of the US presidential election, a glaring red flag when it comes to cyber espionage “norms.” “I do think the North Korea attack on Sony … was a seminal turning point because the entire world was watching,” says Christopher Porter, manager of threat intelligence at FireEye. “Even though the attribution confidence was high, there was no public blowback for the North Korea government.”

Porter says Russia likely took the plunge against the US because it saw little risk of major political fallout. “At FireEye, we’ve seen them conducting these types of attacks for years, interfering in elections in their backyard,” for example, he says.

“The fact that they’re willing to do the same to Western governments” is a new Russian cyber espionage MO, Porter notes.

The timing of the leaks, during a US presidential election, indeed has the appearance of an intention to influence the outcome or at the least to shake things up: DNC emails that were leaked show a preference toward Hillary Clinton over Bernie Sanders, for example, and led to a reshuffle at the organization starting with the firing of former DNC chair Debbie Wasserman Schultz. US Department of Homeland Security Secretary Jeh Johnson recently said DHS is considering designating the US voting system as critical infrastructure so it can be secured accordingly.  

No Such Agency (NSA) Leak

Most recently came the online dump of tools and files of the Equation Group, aka the National Security Agency, by a group calling itself the ShadowBrokers. Kaspersky Lab, which first exposed the Equation Group in 2015, confirmed that the doxed files match those of the Equation Group (Kaspersky doesn’t identify actual actors behind hacking groups). Experts say the auction of the files by ShadowBrokers is a fake, but the files and tools are real, including tools from the NSA that hacked Cisco, Fortinet, and Juniper firewalls.

"Firewalls and routers are getting a lot of attention for attackers, so security on those devices needs to be carefully evaluated. The stakes have been raised in the inter-country hacking scene," says Liam O'Murchu, director of security technology & response at Symantec. "It is still unclear why these tools were leaked or by whom, but this may set a precedence of further leaking of government tools."

O'Murchu says while the timing of ShadowBrokers leak indeed is suspicious, researchers at Symantec haven't found any evidence that confirms a connection between it and the DNC/DCCC incident.

Other security experts say it’s no coincidence the data dump came in the wake of the attacks on DNC, DCCC, and others, by Russia.

“This is definitely not Snowden stuff. This isn't the sort of data he took, and the release mechanism is not one that any of the reporters with access to the material would use. This is someone else, probably an outsider...probably a government,” said Bruce Schneier in a recent blog post. “Some group stole all of this data in 2013 and kept it secret for three years. Now they want the world to know it was stolen. Which governments might behave this way? The obvious list is short: China and Russia. Were, I betting, I would bet Russia, and that it's a signal to the Obama Administration: "Before you even think of sanctioning us for the DNC hack, know where we've been and what we can do to you."

Whether Russia’s doxing of the Dems and others will actually have any influence on the US election or how the US responds to the attacks, remains to be seen. What is clear is that nations need to establish cyber norms for cyber espionage, notes Bill Wright, director of government affairs at Symantec. “The norms are currently nebulous. It’s going to take time and effort” in diplomacy to set the rules of the road in cyber espionage to rein in the doxing element, he says.

Setting parameters, such as the US-China pact that promises no hacking for economic gain, could help by at least starting the conversation over what is and isn't acceptable cyber-spying activity, experts say.

Even more chilling is that Russia's doubling down on doxing-style cyber espionage for geopolitical influence could open the floodgates for other nation-states to mimic it.

“I’m more concerned with the spread of new techniques” like this in cyber espionage, FireEye’s Porter says. “The most likely scenario to me is not conflicts between great superpowers, but unrestrained, widespread cyber conflict among regional powers worldwide. That to me is the most destabilizing, scary scenario coming out of this.”

But Oren Falkowitz, CEO and co-founder of Area 1, says the strategy of doxing for influence isn’t necessarily effective. The DNC leak came relatively late, just prior to Clinton accepting the nomination as the Democratic candidate, and the Equation Group tools dumped online by the ShadowBroker group was mostly older information that already had been exposed by Edward Snowden, he says.

“I’m not clear what the objective was by whoever did it and if it was successful,” Falkowitz says. “Long-term, I’m not sure people can keep up with these” leaks and they may not be as effective, he notes.

Meanwhile, the DNC and DCCC just scratch the surface of this Russian cyber espionage attack campaign, security experts say. In a typical cyber espionage attack, a nation-state targets the big fish like a DNC, as well as media, think-tanks, political action committees, and politicians themselves in order to gather as much intel as possible. “There are victims we are going learn about in six months that are [being hit] today,” Falkowitz says.

Dark Reading

 

 

« The Cyber War Winter Has Arrived
For Russian journalists fighting hacks is part of the job »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Biscom

Biscom

Biscom offers solutions for secure file transfer, synchronization, file translation, and mobile devices, designed to deliver mission-critical reliability, streamline workflows and reduce costs.

Prolinx

Prolinx

Prolinx provide secure Data Centre hosting services and other fully managed security services for networks and information systems.

Green Hills Software

Green Hills Software

Green Hills Software is the largest independent vendor of embedded secure software solutions for applications including the Internet of Things.

Idemia

Idemia

Idemia is a global leader in security and identity solutions.

TÜV Informationstechnik (TÜViT)

TÜV Informationstechnik (TÜViT)

TÜViT is a leading service provider in the IT sector offering unbiased and independent tests and certifications of IT products, hardware, software, systems and processes.

Avatao

Avatao

Avatao is an online training platform for building secure software, offering a rich library of hands-on IT security exercises for software engineers to teach secure programming.

ITU Arab Regional Cyber Security Center (ITU-ARCC)

ITU Arab Regional Cyber Security Center (ITU-ARCC)

ITU-ARCC acts as ITU’s cybersecurity hub in the Arab Region localizing and coordinating cybersecurity initiatives.

Swascan

Swascan

Swascan is the first all-in-one, GDPR Compliant, Cloud Security Suite Platform. GDPR Assessment, Web Application Scan, Network Scan, Code Review.

VLATACOM Institute

VLATACOM Institute

Vlatacom Institute is privately owned accredited research and development institute, system integrator and turn-key solution provider. Areas of expertise include encryption and authentication.

World Informatix Cyber Security (WICS)

World Informatix Cyber Security (WICS)

World Informatix Cyber Security provides a range of cyber security services to protect valuable information assets to global business and governments.

Darkbeam

Darkbeam

Darkbeam provides a unified solution to protect against security, brand and compliance risks across your digital infrastructure.

Digitale Gründerinitiative Oberpfalz (DGO)

Digitale Gründerinitiative Oberpfalz (DGO)

Digital Founder Initiative Oberpfalz's goal is to build a sustainable start-up culture in the field of digitization throughout the Upper Palatinate district of Bavaria.

Gradient Cyber

Gradient Cyber

Gradient Cyber is a trusted cybersecurity partner specializing in small businesses and mid-market enterprises concerned about cybersecurity but lacking the staff to give it the attention it deserves.

Focus Digitech

Focus Digitech

Focus Digitech helps you with your digital transformation journey with our main core offerings of Cloud, Cybersecurity, Analytics and DevOps.

Keyrus

Keyrus

Keyrus is a global consultancy that develops data and digital solutions for performance management.

CyberSalus

CyberSalus

CyberSalus is a pioneering cyber tech services company dedicated to protecting the digital integrity of healthcare organizations.