Russian Hacker False Flags Work - Even After They're Exposed

False flags, for the modern nation-state hacker, are quickly becoming as standard a part of the toolkit as phishing links and infected Microsoft Office attachments. Why merely hide your identity when you can paste a new one over it, invented or borrowed?

Russia's hackers, in particular, have lately experimented with that digital mask-swapping using increasingly deceptive tactics, ones that, even when the deceit is successfully dispelled, still manage to muddy the waters of accountability.

Recently, US intelligence agencies concluded that Russian hackers not only attempted to disrupt the Winter Olympics in Pyeongchang, but sought to frame North Korea for the attack.

That leaked confirmation of Russia's involvement in the operation, which planted destructive malware known as Olympic Destroyer on the network of the games' organisers, follows a week of speculation from the cyber-security research community about attribution.

While Russia had been the leading suspect for the Pyeongchang attack, cyber-security firms had also seen Chinese or North Korean hackers as candidates.

Those attempts at misdirection, researchers warn, are a sign that the Kremlin's hackers have advanced their impersonation techniques beyond flimsy masks, to planting relatively convincing fake fingerprints from other countries' hacking teams.

"They're getting bolder," says Juan Andres Guerrero-Saade, a researcher for security intelligence firm Recorded Future, who has warned for years of the rising threat of false flags. "I think this is the most effort on a campaign scale that we’ve seen trying to create a decent false flag."

Mixed-Breed Malware

Olympic Destroyer, according to the games' organizers, tore through their computer network just ahead of the Pyeongchang opening ceremonies, paralyzing display monitors, shutting down Wi-Fi, and taking down the Olympics' website so that many visitors were unable to print tickets or gain entrance to the event.

But for security researchers trying to identify the creators of that Olympic Destroyer malware, the code's clues pointed to a list of countries practically as diverse as the Olympics itself.

The malware roughly matched the behavior of NotPetya, another attack linked to Russia that struck Ukraine last year before rippling out to the rest of the world.

Like that earlier wiper malware, Olympic Destroyer integrated code derived from Mimikatz, an open-source credential-stealing tool, and spread within networks using PsExec (a Sysinternals remote-execution tool, not a built-in Windows function) and Windows Management Instrumentation before encrypting or destroying data.

But some elements hinted at Chinese and North Korean meddling nearly as convincingly. As Cisco's Talos security division pointed out in a blog post, the malware also resembled a tool used by North Korea's Lazarus hacking team.

According to The Washington Post, the Olympic Destroyer hackers even proxied their connections through North Korean IPs.

Their code contained Chinese red herrings, too. Security firm Intezer spotted that Olympic Destroyer shared nearly 20 percent of its code with a tool used by the Chinese hacking group APT3, though that overlap may simply reflect both pieces of malware integrating Mimikatz. Far harder to explain away, it also shared a much more unusual function for generating encryption keys with a tool used by another Chinese group, known as APT10.

"Attribution is hard. Rarely do analysts reach the level of evidence that would lead to a conviction in a courtroom," the Talos post reads. "Many were quick to jump to conclusions, and to attribute Olympic Destroyer to specific groups. However, the basis for such accusations is frequently weak. Now that we are potentially seeing malware authors placing multiple false flags, attribution based off malware samples alone has become even more difficult."
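One concrete version of the caution above, from Talos and from Intezer's "nearly 20 percent" figure: a raw code-overlap percentage says little when both samples embed the same open-source component, while a single distinctive shared function is exactly the kind of thing a false-flag author can plant. The script below is an added example, written for this page and not taken from the original article, Talos, Intezer or any vendor tooling. Every sample and every function fingerprint in it is constructed toy data (hashes of normalised function bodies would play this role in practice); the name `SHARED_OSS` stands in for a Mimikatz-style allowlist that would really be built by fingerprinting the public source.

```python
from collections import Counter
from typing import Dict, FrozenSet, List

Fingerprints = FrozenSet[str]

# Constructed stand-in for an open-source credential-dumping component that
# many unrelated tools embed. A real allowlist would be built by fingerprinting
# functions compiled from the public source, not by naming them like this.
SHARED_OSS: Fingerprints = frozenset(f"oss_creddump_{i:02d}" for i in range(40))


def _fns(prefix: str, n: int) -> Fingerprints:
    """Constructed unique function fingerprints for a fictitious sample."""
    return frozenset(f"{prefix}_{i:03d}" for i in range(n))


# Constructed corpus of four fictitious samples. "wiper_A" and "tool_B" both
# embed the OSS component; "tool_C" shares exactly one distinctive function
# with wiper_A (the analogue of a single planted key-generation routine);
# "loader_D" is unrelated to all of them but also embeds the OSS component.
CORPUS: Dict[str, Fingerprints] = {
    "wiper_A": SHARED_OSS | _fns("wiperA", 160),
    "tool_B": SHARED_OSS | _fns("toolB", 120),
    "tool_C": _fns("toolC", 140) | {"wiperA_007"},
    "loader_D": SHARED_OSS | _fns("loaderD", 90),
}


def raw_shared_fraction(sample: Fingerprints, other: Fingerprints) -> float:
    """Naive overlap: fraction of `sample`'s functions also found in `other`."""
    return len(sample & other) / len(sample) if sample else 0.0


def filtered_shared_fraction(
    sample: Fingerprints, other: Fingerprints, allowlist: Fingerprints
) -> float:
    """Same overlap after discarding functions from known shared components."""
    s, o = sample - allowlist, other - allowlist
    return len(s & o) / len(s) if s else 0.0


def distinctive_shared_functions(
    name_a: str, name_b: str, corpus: Dict[str, Fingerprints]
) -> List[str]:
    """Functions shared by these two samples and by no other sample in the
    corpus. Code present in several unrelated families is discounted by its
    prevalence alone, even without a hand-built allowlist."""
    prevalence = Counter(fn for fns in corpus.values() for fn in fns)
    shared = corpus[name_a] & corpus[name_b]
    return sorted(fn for fn in shared if prevalence[fn] == 2)


def attribution_report(
    name_a: str, name_b: str, corpus: Dict[str, Fingerprints], allowlist: Fingerprints
) -> Dict[str, object]:
    """Side-by-side view of the three signals for one pair of samples."""
    a, b = corpus[name_a], corpus[name_b]
    return {
        "raw_shared_fraction": round(raw_shared_fraction(a, b), 3),
        "filtered_shared_fraction": round(filtered_shared_fraction(a, b, allowlist), 3),
        "distinctive_shared": distinctive_shared_functions(name_a, name_b, corpus),
    }


if __name__ == "__main__":
    for pair in (("wiper_A", "tool_B"), ("wiper_A", "tool_C")):
        print(pair, attribution_report(*pair, CORPUS, SHARED_OSS))
```

Run as-is, the wiper_A/tool_B pair reports a 20 percent raw overlap that collapses to zero once the shared component is removed, so the "kinship" was entirely the open-source code. The wiper_A/tool_C pair reports almost no overlap by either fraction, yet yields one distinctive shared function, which is the signal worth a closer look and also the one a false-flag author can cheaply manufacture; the report tells you where to look, not whom to blame.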

Kremlin Clues

Given that muddle, it's still not exactly clear how US intelligence came to the conclusion that Russia was behind the Olympic Destroyer attack. In previous cases, more definitive attribution has come from on-the-ground incident response rather than malware analysis alone, or, as in the case of North Korea's attack on Sony in 2014, from preemptively hacking the hackers to spy on their operations in real time.

But in the Olympic Destroyer case, the geopolitical context alone pointed strongly to Russia: By the start of the Olympics, Russia's would-be patsy, North Korea, had begun a campaign to use the Olympics as an opportunity to improve relations with South Korea.

Never mind that it was still likely spying on Pyeongchang targets and quietly attempting to steal from banks and bitcoin exchanges elsewhere in South Korea.

That left Russia as the prime suspect for a disruptive, public attack, in part because it had already declared its intent to meddle with the games in response to the International Olympic Committee's decision to ban its athletes for doping violations.

The known Russian military intelligence hacking team Fancy Bear had been attacking Olympics-related organisations for months, stealing documents and leaking them in retaliation for the IOC's ban. Olympic Destroyer immediately seemed like just another act of petty revenge.

"It's another example of Russian petulance," Center for Strategic and International Studies fellow James Lewis told WIRED in the immediate aftermath of the attack. "It's consistent with what they’ve done before. It's probably them."

Russian hackers have, in fact, flown plenty of false flags in the past, though not quite as elaborate as Olympic Destroyer's. Fancy Bear, for instance, has hidden in past operations behind "hacktivist" fronts like CyberBerkut, a pro-Russian grassroots (or astro-turf) movement, as well as Cyber Caliphate, a jihadist hacking outfit.

After hacking the Democratic National Committee, it famously created the Romanian hacktivist persona Guccifer 2.0, who leaked the documents in a self-proclaimed attempt to target the "illuminati."

North Korean hackers have experimented with false flags too, calling themselves the Guardians of Peace in the wake of the Sony attack and using other names like the "New Romantic Cyber Army Team" and the "WhoIs Team" in earlier attacks on South Korean targets.

But the Kremlin's cyber-spies have been the most innovative and persistent in developing those false personas. "The Russia-based teams have been the pioneers of false flags all along," says Recorded Future's Guerrero-Saade.

More Deception to Come

The Olympic Destroyer false flag suggests that Russia's deception is evolving. And it could easily be adopted by other hackers, too: adding a generic component of another hacking team's malware to your own, or even a single filename borrowed from it, as in the Olympic Destroyer case, isn't hard.

And false flags work, even thinner and flimsier ones than the latest attack. After masks like CyberBerkut or Guccifer 2.0 were peeled away, a process that took years of investigation in some cases, they still often served their intended purpose, says Guerrero-Saade.

In many cases, those false flags created significant doubt among non-experts and gave fodder to those, like Russian state media or President Trump, who were motivated to remain willfully blind to Russia's involvement in attacks like those during the 2016 election season.

The Olympic Destroyer false flag, despite the US intelligence pointing the finger squarely at Russia, served its purpose too, argues an essay from The Grugq, an influential pseudonymous security researcher for Comae Technologies.

"By acknowledging that a legitimate, serious, for real, false flag cyber operation occurred, the US intelligence community has created fodder for future conspiracy theories and contrarian attributions regarding cyber-attacks," writes the Grugq.

"When an attack is publicly attributed to Russia, trolls and other info war participants will be able to point at this false flag operation and raise doubts about future attributions." Even when false flags fail, in other words, they still succeed.

Still, the Olympic Destroyer attack was in some ways a bust, says John Hultquist, director of research at security intelligence firm FireEye. He points out that it appears to have caused only a fraction of the damage it was intended to, and gained little public notice in comparison to earlier Russian attacks like NotPetya.

But had the malware achieved its disruptive goals, Hultquist argues, its false flag would have succeeded in confusing the public discussion of blame and accountability. "It would have been enough for the naysayer or the contrarian to latch onto and confuse the question," Hultquist says. "It would have mired us in a public discussion of attribution, instead of a discussion of how to respond."

Wired:
