Russian Cyber Spies & Hackers Are The New Normal

Time to set cyber espionage 'norms' before more volatile nation-states follow suit, experts say.

Russia’s cyber espionage machine traditionally has kept intelligence it siphons from the US close to the vest, but the recent wave of data leaks surrounding the US political campaign and believed to be by Russian state hacker groups represent a new breed of threat by the nation.

The leaked emails and information from the Democratic National Committee and the (DCCC), which security firm CrowdStrike has tied to two known Russian nation-state cyber espionage units, marked the first time Russian nation-state cyber espionage actors have employed a combination of hacking and doxing against the US or another United Nations member, according to security experts. Russia has, however,  been known to perform similar tradecraft against neighboring nations.

This isn’t the first time a nation-state group has doxed a US target: US officials called out North Korea as the hackers behind the epic and massive data breach, data-wiping and doxing of Sony Pictures Entertainment in 2014. While the attackers attempted to portray the breach as payback for the Sony film “The Interview” that purportedly upset Kim Jong Un, experts say it was more of a geopolitical midgame by the North Koreans to pressure US dealings with the nation.

But Russia in its recent attacks and leaks via WikiLeaks against the DNC and others, with more victims expected to be uncovered in the coming weeks -- is seen as attempting to influence or shape the outcome of the US presidential election, a glaring red flag when it comes to cyber espionage “norms.” “I do think the North Korea attack on Sony … was a seminal turning point because the entire world was watching,” says Christopher Porter, manager of threat intelligence at FireEye. “Even though the attribution confidence was high, there was no public blowback for the North Korea government.”

Porter says Russia likely took the plunge against the US because it saw little risk of major political fallout. “At FireEye, we’ve seen them conducting these types of attacks for years, interfering in elections in their backyard,” for example, he says.

“The fact that they’re willing to do the same to Western governments” is a new Russian cyber espionage MO, Porter notes.

The timing of the leaks, during a US presidential election, indeed has the appearance of an intention to influence the outcome or at the least to shake things up: DNC emails that were leaked show a preference toward Hillary Clinton over Bernie Sanders, for example, and led to a reshuffle at the organization starting with the firing of former DNC chair Debbie Wasserman Schultz. US Department of Homeland Security Secretary Jeh Johnson recently said DHS is considering designating the US voting system as critical infrastructure so it can be secured accordingly.  

No Such Agency (NSA) Leak

Most recently came the online dump of tools and files of the Equation Group, aka the National Security Agency, by a group calling itself the ShadowBrokers. Kaspersky Lab, which first exposed the Equation Group in 2015, confirmed that the doxed files match those of the Equation Group (Kaspersky doesn’t identify actual actors behind hacking groups). Experts say the auction of the files by ShadowBrokers is a fake, but the files and tools are real, including tools from the NSA that hacked Cisco, Fortinet, and Juniper firewalls.

"Firewalls and routers are getting a lot of attention for attackers, so security on those devices needs to be carefully evaluated. The stakes have been raised in the inter-country hacking scene," says Liam O'Murchu, director of security technology & response at Symantec. "It is still unclear why these tools were leaked or by whom, but this may set a precedence of further leaking of government tools."

O'Murchu says while the timing of ShadowBrokers leak indeed is suspicious, researchers at Symantec haven't found any evidence that confirms a connection between it and the DNC/DCCC incident.

Other security experts say it’s no coincidence the data dump came in the wake of the attacks on DNC, DCCC, and others, by Russia.

“This is definitely not Snowden stuff. This isn't the sort of data he took, and the release mechanism is not one that any of the reporters with access to the material would use. This is someone else, probably an outsider...probably a government,” said Bruce Schneier in a recent blog post. “Some group stole all of this data in 2013 and kept it secret for three years. Now they want the world to know it was stolen. Which governments might behave this way? The obvious list is short: China and Russia. Were, I betting, I would bet Russia, and that it's a signal to the Obama Administration: "Before you even think of sanctioning us for the DNC hack, know where we've been and what we can do to you."

Whether Russia’s doxing of the Dems and others will actually have any influence on the US election or how the US responds to the attacks, remains to be seen. What is clear is that nations need to establish cyber norms for cyber espionage, notes Bill Wright, director of government affairs at Symantec. “The norms are currently nebulous. It’s going to take time and effort” in diplomacy to set the rules of the road in cyber espionage to rein in the doxing element, he says.

Setting parameters, such as the US-China pact that promises no hacking for economic gain, could help by at least starting the conversation over what is and isn't acceptable cyber-spying activity, experts say.

Even more chilling is that Russia's doubling down on doxing-style cyber espionage for geopolitical influence could open the floodgates for other nation-states to mimic it.

“I’m more concerned with the spread of new techniques” like this in cyber espionage, FireEye’s Porter says. “The most likely scenario to me is not conflicts between great superpowers, but unrestrained, widespread cyber conflict among regional powers worldwide. That to me is the most destabilizing, scary scenario coming out of this.”

But Oren Falkowitz, CEO and co-founder of Area 1, says the strategy of doxing for influence isn’t necessarily effective. The DNC leak came relatively late, just prior to Clinton accepting the nomination as the Democratic candidate, and the Equation Group tools dumped online by the ShadowBroker group was mostly older information that already had been exposed by Edward Snowden, he says.

“I’m not clear what the objective was by whoever did it and if it was successful,” Falkowitz says. “Long-term, I’m not sure people can keep up with these” leaks and they may not be as effective, he notes.

Meanwhile, the DNC and DCCC just scratch the surface of this Russian cyber espionage attack campaign, security experts say. In a typical cyber espionage attack, a nation-state targets the big fish like a DNC, as well as media, think-tanks, political action committees, and politicians themselves in order to gather as much intel as possible. “There are victims we are going learn about in six months that are [being hit] today,” Falkowitz says.

Dark Reading

 

 

« The Cyber War Winter Has Arrived
For Russian journalists fighting hacks is part of the job »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 8,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Centre for Secure Information Technologies (CSIT)

Centre for Secure Information Technologies (CSIT)

CSIT is a UK Innovation and Knowledge Centre (IKC) for secure information technologies. Our vision is to be a global innovation hub for cyber security.

High-Tech Bridge

High-Tech Bridge

High-Tech Bridge SA is a Swiss MSSP provider offering security auditing, source code review and computer forensics.

Avatu

Avatu

Avatu specialise in providing clients the advice, technology and tools they need to fight cyber and insider threats.

Convercent

Convercent

We offer comprehensive and integrated compliance management, reporting, and analytics. A 360-degree view of compliance drives efficiency by aligning initiatives and data into a single dashboard.

CyberSift

CyberSift

CyberSift is a cyber security provider. We develop threat detection software which needs no infrastructure changes as it integrates with almost any security tool.

Olfeo

Olfeo

Olfeo is a content filtering software vendor. Our proxy and filtering solution helps our customers to manage, monitor and secure their Internet traffic.

Garrison Technology

Garrison Technology

Garrison SAVI® is a unique technology for secure remote browsing that can dramatically change the risk profile for enterprise cyber security.

vdiscovery

vdiscovery

vdiscovery is a provider of proprietary and best-in-breed solutions in computer forensics, document review, and electronic discovery.

CipherBlade

CipherBlade

CipherBlade specializes in blockchain forensics, data science and transaction tracking.

jobsDB.com

jobsDB.com

jobsDB Singapore is a search engine for jobs throughout Singapore.

AttackIQ

AttackIQ

AttackIQ delivers continuous validation of your enterprise security program so you can strengthen your security posture and your response capabilities.

Symmetry Systems

Symmetry Systems

Symmetry Systems is a provider of data store and object-level security (DSOS) solutions that give organizations visibility into, and unified access control of, their most valuable data assets.

Pulsant

Pulsant

Pulsant is the UK’s premier digital edge infrastructure company providing next-generation cloud, colocation and connectivity services.

Theta

Theta

Theta is a New Zealand owned technology consultancy. Our team of over 330 experienced professionals help organisations transform with technology.

Zenzero

Zenzero

Zenzero simplifies technology adoption and supports our customers through managed and outsourced IT support.

Bastion Security Group

Bastion Security Group

Bastion Security combines the skills, expertise and leadership from Quantum Security, ZX Security, Helix Security and Cassini.