- Spitfire List - http://spitfirelist.com -

Cyber Attribution, the Macron hacks, and the Existential Threat of Unwarranted Certainty

Did you hear the big new hack­ing news? The news about ‘Fan­cy Bear’ already get­ting ready to wage a new hack­ing cam­paign against US politi­cians? If not, here’s a brief sum­ma­ry: Trend Micro, a Japan­ese cyber­se­cu­ri­ty firm, just issued a new report pur­port­ing to show that ‘Fan­cy Bear’ has already set up mul­ti­ple phish­ing web­sites intend­ed to cap­ture the login cre­den­tials to the US Sen­ate’s email sys­tem. And Trend Micro is 100 per­cent con­fi­dent this is the work of ‘Fan­cy Bear’, the Russ­ian mil­i­tary intel­li­gence hack­ing team.

And what led to Trend Micro’s 100 per­cent cer­tain­ty that these phish­ing sites were set up by ‘Fan­cy Bear’? Well, that con­clu­sion appears to be based on the sim­i­lar­i­ty of this oper­a­tion to the Macron email hack that impact­ed hit French elec­tion last year. You know, the same hack that the French cyber­se­cu­ri­ty agency said was so unso­phis­ti­cat­ed that any rea­son­ably skilled hack­ers could have pulled them off. And the same hacks com­i­cal­ly includ­ed the name of a Russ­ian gov­ern­ment secu­ri­ty con­trac­tor in the meta-data [1] and were traced back to Andrew ‘weev’ Auern­heimer [2]. That’s the hack that this cur­rent Sen­ate phish­ing oper­a­tion strong­ly mim­ics that led to Trend Micro’s 100 per­cent cer­tain­ty that this is the work of ‘Fan­cy Bear.’ So how cred­i­ble is this 100 per­cent cer­tain cyber attri­bu­tion? Well, that’s going to be the top­ic if this post. And as we’re going to see:

1. Con­tem­po­rary cyber attri­bu­tion is fraught with per­il, rely­ing heav­i­ly on “pat­tern recog­ni­tion” that make it ripe for mis­at­tri­bu­tions and false flags.

2. The move to employ “pat­tern recog­ni­tion” and use that for nation-state-on-nation-state pub­lic attri­bu­tions of hacks is a rel­a­tive­ly new trend in the cyber­se­cu­ri­ty indus­try, and it was pio­neered by one of the founders of Crowd­Strike.

3. When you look at the recent his­to­ry of the cyber­se­cu­ri­ty indus­try, there are A LOT of ques­tions of whether or not these attri­bu­tions are real­ly be made with cer­tain­ty.

4. If this mode of cyber attri­bu­tion turns out to be a bad idea, it could result in inter­na­tion­al chaos. Seri­ous­ly, inter­na­tion­al chaos. Those were the words of France’s top cyber­se­cu­ri­ty offi­cer fol­low­ing the Macron email hacks.

In oth­er words, beyond not want­i­ng to get a par­tic­u­lar instance of cyber attri­bu­tion wrong, soci­ety real­ly does­n’t want to get the whole approach to cyber attri­bu­tion wrong. Because, again, that could be an invi­ta­tion for inter­na­tion­al chaos.

So with that in mind, let’s take a look at that new Trend Micro report and the cyber attri­bu­tion made with 100 per­cent cer­tain­ty [3]:

Asso­ci­at­ed Press

Cyber­se­cu­ri­ty firm: US Sen­ate in Russ­ian hack­ers’ crosshairs

RAPHAEL SATTER
01/12/2018

PARIS (AP) — The same Russ­ian gov­ern­ment-aligned hack­ers who pen­e­trat­ed the Demo­c­ra­t­ic Par­ty have spent the past few months lay­ing the ground­work for an espi­onage cam­paign against the U.S. Sen­ate, a cyber­se­cu­ri­ty firm said Fri­day.

The rev­e­la­tion sug­gests the group often nick­named Fan­cy Bear, whose hack­ing cam­paign scram­bled the 2016 U.S. elec­toral con­test, is still busy try­ing to gath­er the emails of America’s polit­i­cal elite.

“They’re still very active — in mak­ing prepa­ra­tions at least — to influ­ence pub­lic opin­ion again,” said Feike Hac­que­bord, a secu­ri­ty researcher at Trend Micro Inc., which pub­lished the report [4] . “They are look­ing for infor­ma­tion they might leak lat­er.”

The Sen­ate Sergeant at Arms office, which is respon­si­ble for the upper house’s secu­ri­ty, declined to com­ment.

Hac­que­bord said he based his report on the dis­cov­ery of a clutch of sus­pi­cious-look­ing web­sites dressed up to look like the U.S. Senate’s inter­nal email sys­tem. He then cross-ref­er­enced dig­i­tal fin­ger­prints asso­ci­at­ed with those sites to ones used almost exclu­sive­ly by Fan­cy Bear, which his Tokyo-based firm dubs “Pawn Storm.”

Trend Micro pre­vi­ous­ly drew inter­na­tion­al atten­tion when it used an iden­ti­cal tech­nique to uncov­er a set of decoy web­sites appar­ent­ly set up to har­vest emails from the French pres­i­den­tial can­di­date Emmanuel Macron’s cam­paign in April 2017. The sites’ dis­cov­ery was fol­lowed two months lat­er by a still-unex­plained pub­li­ca­tion of pri­vate emails from sev­er­al Macron staffers in the final days of the race.

Hac­que­bord said the rogue Sen­ate sites — which were set up in June and Sep­tem­ber of 2017 — matched their French coun­ter­parts.

“That is exact­ly the way they attacked the Macron cam­paign in France,” he said.

Attri­bu­tion is extreme­ly tricky in the world of cyber­se­cu­ri­ty, where hack­ers rou­tine­ly use mis­di­rec­tion and red her­rings to fool their adver­saries. But Tend Micro, which has fol­lowed Fan­cy Bear for years, said there could be no doubt.

“We are 100 per­cent sure that it can attrib­uted to the Pawn Storm group,” said Rik Fer­gu­son, one of the Hacquebord’s col­leagues.

Like many cyber­se­cu­ri­ty com­pa­nies, Trend Micro refus­es to spec­u­late pub­licly on who is behind such groups, refer­ring to Pawn Storm only as hav­ing “Rus­sia-relat­ed inter­ests.” But the U.S. intel­li­gence com­mu­ni­ty alleges that Russia’s mil­i­tary intel­li­gence ser­vice pulls the hack­ers’ strings and a months-long Asso­ci­at­ed Press inves­ti­ga­tion into the group, draw­ing on a vast data­base of tar­gets sup­plied by the cyber­se­cu­ri­ty firm Secure­works, has deter­mined that the group is close­ly attuned to the Kremlin’s objec­tives.

If Fan­cy Bear has tar­get­ed the Sen­ate over the past few months, it wouldn’t be the first time. An AP analy­sis of Secure­works’ list shows that sev­er­al staffers there were tar­get­ed between 2015 and 2016.

Among them: Robert Zarate, now the for­eign pol­i­cy advis­er to Flori­da Sen­a­tor Mar­co Rubio; Josh Holmes, a for­mer chief of staff to Sen­ate Major­i­ty Leader Mitch McConnell who now runs a Wash­ing­ton con­sul­tan­cy; and Jason Thiel­man, the chief of staff to Mon­tana Sen­a­tor Steve Daines. A Con­gres­sion­al researcher spe­cial­iz­ing in nation­al secu­ri­ty issues was also tar­get­ed.

Fan­cy Bear’s inter­ests aren’t lim­it­ed to U.S. pol­i­tics; the group also appears to have the Olympics in mind.

Trend Micro’s report said the group had set up infra­struc­ture aimed at col­lect­ing emails from a series of Olympic win­ter sports fed­er­a­tions, includ­ing the Inter­na­tion­al Ski Fed­er­a­tion, the Inter­na­tion­al Ice Hock­ey Fed­er­a­tion, the Inter­na­tion­al Bob­sleigh & Skele­ton Fed­er­a­tion, the Inter­na­tion­al Luge Fed­er­a­tion and the Inter­na­tion­al Biathlon Union.

The tar­get­ing of Olympic groups comes as rela­tions between Rus­sia and the Inter­na­tion­al Olympic Com­mit­tee are par­tic­u­lar­ly fraught. Russ­ian ath­letes are being forced to com­pete under a neu­tral flag in the upcom­ing Pyeongchang Olympics fol­low­ing an extra­or­di­nary dop­ing scan­dal that has seen 43 ath­letes and sev­er­al Russ­ian offi­cials banned for life. Amid spec­u­la­tion that Rus­sia could retal­i­ate by orches­trat­ing the leak of promi­nent Olympic offi­cials’ emails, cyber­se­cu­ri­ty firms includ­ing McAfee and Threat­Con­nect have picked up on signs that state-backed hack­ers are mak­ing moves against win­ter sports staff and anti-dop­ing offi­cials.

On Wednes­day, a group that has brazen­ly adopt­ed the Fan­cy Bear nick­name began pub­lish­ing what appeared to be Olympics and dop­ing-relat­ed emails from between Sep­tem­ber 2016 and March 2017. The con­tents were large­ly unre­mark­able but their pub­li­ca­tion was cov­ered exten­sive­ly by Russ­ian state media and some read the leak as a warn­ing to Olympic offi­cials not to press Moscow too hard over the dop­ing scan­dal.

Whether any Sen­ate emails could be pub­lished in such a way isn’t clear. Pre­vi­ous warn­ings that Ger­man law­mak­ers’ cor­re­spon­dence might be leaked by Fan­cy Bear ahead of last year’s elec­tion there appear to have come to noth­ing.

On the oth­er hand, the group has pre­vi­ous­ly dumped at least one U.S. legislator’s cor­re­spon­dence onto the web.

One of the tar­gets on Secure­works’ list was Col­orado State Sen­a­tor Andy Kerr, who said thou­sands of his emails were post­ed to an obscure sec­tion of the web­site DCLeaks — a web por­tal bet­ter known for pub­lish­ing emails belong­ing to retired Gen. Col­in Pow­ell and var­i­ous mem­bers of Hillary Clinton’s cam­paign — in late 2016.

...

———-

“Cyber­se­cu­ri­ty firm: US Sen­ate in Russ­ian hack­ers’ crosshairs” by RAPHAEL SATTER; Asso­ci­at­ed Press; 01/12/2018 [3]

“Hac­que­bord said he based his report on the dis­cov­ery of a clutch of sus­pi­cious-look­ing web­sites dressed up to look like the U.S. Senate’s inter­nal email sys­tem. He then cross-ref­er­enced dig­i­tal fin­ger­prints asso­ci­at­ed with those sites to ones used almost exclu­sive­ly by Fan­cy Bear, which his Tokyo-based firm dubs “Pawn Storm.”

So after cross-ref­er­enc­ing the dig­i­tal fin­ger­prints asso­ci­at­ed with the Sen­ate email phish­ing web­sites, Trend Micro found that these fin­ger­prints were almost exclu­sive­ly used by ‘Fan­cy Bear’. That appears to be at the core of Trend Micro’s 100 per­cent cer­tain­ty in attribut­ing these web­sites to Fan­cy Bear.

And it sounds like those dig­i­tal fin­ger­prints point back to the Macron hack, which is pre­sum­ably part of the basis of their 100 per­cent lev­el of cer­tain­ty. Although it’s unclear because Trend Micro relates the US Sen­ate phish­ing attempt back to the Macron hacks mere­ly by stat­ing that the US Sen­ate phish­ing web­sites matched their French coun­ter­parts. “That is exact­ly the way they attacked the Macron cam­paign in France,” said Trend Micro:

...
Hac­que­bord said the rogue Sen­ate sites — which were set up in June and Sep­tem­ber of 2017 — matched their French coun­ter­parts.

“That is exact­ly the way they attacked the Macron cam­paign in France,” he said.

Attri­bu­tion is extreme­ly tricky in the world of cyber­se­cu­ri­ty, where hack­ers rou­tine­ly use mis­di­rec­tion and red her­rings to fool their adver­saries. But Tend Micro, which has fol­lowed Fan­cy Bear for years, said there could be no doubt.

“We are 100 per­cent sure that it can attrib­uted to the Pawn Storm group,” said Rik Fer­gu­son, one of the Hacquebord’s col­leagues.
...

“We are 100 per­cent sure that it can attrib­uted to the Pawn Storm group.” That’s the mes­sage from Trend Micro fol­low­ing the release of this report.

And then Trend Micro touts its pre­vi­ous big attri­bu­tion score when it drew inter­na­tion­al atten­tion by attribut­ing the phish­ing sites set up in the Macron hacks back to ‘Fan­cy Bear’/APT28/Pawn Storm:

...
Trend Micro pre­vi­ous­ly drew inter­na­tion­al atten­tion when it used an iden­ti­cal tech­nique to uncov­er a set of decoy web­sites appar­ent­ly set up to har­vest emails from the French pres­i­den­tial can­di­date Emmanuel Macron’s cam­paign in April 2017. The sites’ dis­cov­ery was fol­lowed two months lat­er by a still-unex­plained pub­li­ca­tion of pri­vate emails from sev­er­al Macron staffers in the final days of the race.
...

“The sites’ dis­cov­ery was fol­lowed two months lat­er by a still-unex­plained pub­li­ca­tion of pri­vate emails from sev­er­al Macron staffers in the final days of the race.”

You have to love the phras­ing of the “still-unex­plained pub­li­ca­tion of pri­vate emails.” Yeah, it’s still unex­plained because the whole world appeared to drop that line of inquiry after the reports point­ing back to Auern­heimer’s involve­ment in the hack [2].

So that’s the pub­lic report­ing on these new US Sen­ate phish­ing sites and the 100 per­cent cer­tain attri­bu­tion of them back to APT28. And if we take it face val­ue we would have to con­clude that Rus­si­a’s gov­ern­ment hack­ers exe­cut­ed this phish­ing attempt while leav­ing dig­i­tal fin­ger­prints that unique tie back to pri­or phish­ing cam­paigns which, if true, sure sounds like “I’m a Russ­ian hack­er! Please blame it on me!” kind of behav­ior.

The Trend Micro US Sen­ate Phish­ing Report: An Evi­den­tiary Trib­u­tary Vague Trick­le of ‘Dig­i­tal Fin­ger­prints’ Tells the Sto­ry

But if the dig­i­tal fin­ger­prints do indeed point back to pri­or hack­ing cam­paigns car­ried out by APT28/Fancy Bear/Pawn Storm, what’s actu­al evi­dence pro­vid­ed by Trend Micro? Did Trend Micro found that the phish­ing web­sites were lit­er­al­ly host­ed on the same servers as pre­vi­ous­ly iden­ti­fied phish­ing sites and/or shared some oth­er phys­i­cal infra­struc­ture that were used in pre­vi­ous hacks. And if so, which hacks?

Well, when you read the Trend Micro report [4], it does explic­it­ly say that they can “unique­ly relate” the phish­ing web­sites set up for this US Sen­ate hack attempt back to two attacks by Fan­cy Bear a.k.a Pawn Storm. One in 2016 and one in 2017. But they don’t clar­i­fy which par­tic­u­lar hacks they were refer­ring to. The 2017 hack they refer to might be the Macron hack, but the report men­tions a num­ber of dif­fer­ent 2017 cam­paigns they attrib­uted to APT28.

The report also makes a rather notable obser­va­tion about the behav­ior of ‘Fan­cy Bear’: they appear to fol­low large­ly the same script over and over. Trend Micro attrib­ut­es this behav­ior to ‘Fan­cy Bear’ hav­ing both a large vol­ume of tar­gets but also a large box of hack­ing tools so few updates to its tech­niques are required. And this is true in terms of reusing the same method­ol­o­gy in the sense that rel­a­tive­ly unso­phis­ti­cat­ed phish­ing cam­paigns prob­a­bly can large­ly all fol­low the same script. But it’s also the case that reusing the same dig­i­tal infra­struc­ture — like same mal­ware — over and over is a great way to make your hack­ing group rel­a­tive­ly easy to iden­ti­fy by inves­ti­ga­tors and, more impor­tant­ly, rel­a­tive­ly easy to frame by third par­ties.

Now, it’s true that reuse of mal­ware should­n’t actu­al­ly be seen as strong evi­dence that two sep­a­rate attacks are relat­ed, unless it’s very unique mal­ware and there’s no evi­dence of it being ‘in the wild’ and avail­able to oth­er hack­ers. But in today’s con­text, reuse of mal­ware, includ­ing mal­ware ‘in the wild’, is rou­tine­ly used by the cyber­se­cu­ri­ty indus­try as evi­dence that dif­fer­ent attacks were car­ried out by the same group. Take, for exam­ple, the bogus claim made by Crowd­Strike that the “X‑Agent” mal­ware found in the DNC serv­er attack is used sole­ly by the Russ­ian gov­ern­ment [5].

Sim­i­lar­ly, see­ing the same ISP being used in two sep­a­rate attacks should­n’t actu­al­ly be seen as strong evi­dence that two sep­a­rate attacks are relat­ed because you can eas­i­ly have dif­fer­ent hack­ing groups shar­ing the same hack­er-friend­ly ISPs. But in today’s con­text, reusing things like the same ISP over and over is basi­cal­ly ask­ing to hav­ing your var­i­ous hack­ing cam­paigns attrib­uted to each oth­er. And it’s also ask­ing to have a third par­ty frame you.

In oth­er words, reusing method­olo­gies is under­stand­able when you’re rely­ing on unso­phis­ti­cat­ed tech­niques. But reusing the same dig­i­tal infra­struc­ture is a very dif­fer­ent kind of lack of sophistication....unless, of course, a group like ‘Fan­cy Bear’ wants to have all of its var­i­ous hack­ing cam­paigns attrib­uted back to them. That’s some­thing to keep in mind when read­ing the fol­low­ing Trend Micro report.

The report also includes a note on oth­er hack­ers copy­ing Fan­cy Bear’s tech­nique, warn­ing that “actors from devel­op­ing coun­tries will learn and prob­a­bly adapt sim­i­lar meth­ods quick­ly in the near future.” And that warn­ing rais­es the obvi­ous ques­tion of why we should­n’t assume all sorts of actors, in any coun­try, haven’t already adapt­ed sim­i­lar meth­ods already, includ­ing using the same dig­i­tal infra­struc­ture when infor­ma­tion on that is avail­able.

So there are a num­ber of ques­tions raised by the Trend Micro report, and not a lot of answers on how exact­ly they arrived at their con­clu­sions [4]:

Trend Micro

Update on Pawn Storm: New Tar­gets and Polit­i­cal­ly Moti­vat­ed Cam­paigns

Post­ed on:January 12, 2018 at 5:00 am

In the sec­ond half of 2017 Pawn Storm, an extreme­ly active espi­onage actor group [6], didn’t shy away from con­tin­u­ing their brazen attacks. Usu­al­ly, the group’s attacks are not iso­lat­ed inci­dents, and we can often relate them to ear­li­er attacks by care­ful­ly look­ing at both tech­ni­cal indi­ca­tors and motives.

Pawn Storm has been attack­ing polit­i­cal orga­ni­za­tions in France, Ger­many, Mon­tene­gro, Turkey, Ukraine, and the Unit­ed States since 2015. We saw attacks against polit­i­cal orga­ni­za­tions again in the sec­ond half of 2017. These attacks don’t show much tech­ni­cal inno­va­tion over time, but they are well pre­pared, per­sis­tent, and often hard to defend against. Pawn Storm has a large toolset full of social engi­neer­ing tricks, mal­ware and exploits, and there­fore doesn’t need much inno­va­tion apart from occa­sion­al­ly using their own zero-days and quick­ly abus­ing soft­ware vul­ner­a­bil­i­ties short­ly after a secu­ri­ty patch is released. [7].

In sum­mer and fall of 2017, we observed Pawn Storm tar­get­ing sev­er­al orga­ni­za­tions with cre­den­tial phish­ing and spear phish­ing attacks. Pawn Storm’s modus operan­di is quite con­sis­tent over the years, with some of their tech­ni­cal tricks being used repeat­ed­ly. For exam­ple, tab­n­ab­bing [8] was used against Yahoo! users in August and Sep­tem­ber 2017 in US polit­i­cal­ly themed email. The method, which we first dis­cussed in 2014, involves chang­ing a brows­er tab to point to a phish­ing site after dis­tract­ing the tar­get.

We can often close­ly relate cur­rent and old Pawn Storm cam­paigns using data that spans more than four years, pos­si­bly because the actors in the group fol­low a script when set­ting up an attack. This makes sense, as the sheer vol­ume of their attacks requires care­ful admin­is­tra­tion, plan­ning, and orga­ni­za­tion to suc­ceed. The screen­shots below show two typ­i­cal cre­den­tial phish­ing emails that tar­get­ed spe­cif­ic orga­ni­za­tions in Octo­ber and Novem­ber 2017. One type of email is sup­pos­ed­ly a mes­sage from the target’s Microsoft Exchange serv­er about an expired pass­word. The oth­er says there is a new file on the company’s OneDrive sys­tem.

While these emails might not seem to be advanced in nature, we’ve seen that cre­den­tial loss is often the start­ing point of fur­ther attacks that include steal­ing sen­si­tive data from email inbox­es. We have worked with one of the tar­gets, an NGO in the Nether­lands tar­get­ed twice, in late Octo­ber and ear­ly Novem­ber 2017. We suc­cess­ful­ly pre­vent­ed both attacks from caus­ing any harm. In one case we were able to warn the tar­get with­in two hours after a ded­i­cat­ed cre­den­tial phish­ing site was set up. In an ear­li­er attack, we were able to warn the orga­ni­za­tion 24 hours before the actu­al phish­ing emails were sent.

...

Polit­i­cal tar­gets

In the week of the 2017 pres­i­den­tial elec­tions in Iran, Pawn Storm set up a phish­ing site tar­get­ing chmail.ir web­mail users. We were able to col­lect evi­dence that cre­den­tial phish­ing emails were sent to chmail.ir users on May 18, 2017, just one day before the pres­i­den­tial elec­tions in Iran. We have pre­vi­ous­ly report­ed sim­i­lar tar­get­ed activ­i­ty against polit­i­cal orga­ni­za­tions in France, Ger­many, Mon­tene­gro, Turkey, Ukraine, and the Unit­ed States.

Begin­ning in June 2017, phish­ing sites were set up mim­ic­k­ing the ADFS (Active Direc­to­ry Fed­er­a­tion Ser­vices) of the U.S. Sen­ate. By look­ing at the dig­i­tal fin­ger­prints of these phish­ing sites and com­par­ing them with a large data set that spans almost five years, we can unique­ly relate them to a cou­ple of Pawn Storm inci­dents in 2016 and 2017. The real ADFS serv­er of the U.S. Sen­ate is not reach­able on the open inter­net, how­ev­er phish­ing of users’ cre­den­tials on an ADFS serv­er that is behind a fire­wall still makes sense. In case an actor already has a foothold in an orga­ni­za­tion after com­pro­mis­ing one user account, cre­den­tial phish­ing could help him get clos­er to high pro­file users of inter­est.

The future of polit­i­cal­ly moti­vat­ed cam­paigns

Rogue polit­i­cal influ­ence cam­paigns are not like­ly to go away in the near future. Polit­i­cal orga­ni­za­tions have to be able to com­mu­ni­cate open­ly with their vot­ers, the press and the gen­er­al pub­lic. This makes them vul­ner­a­ble to hack­ing and spear phish­ing. On top of that, it’s also rel­a­tive­ly easy to influ­ence pub­lic opin­ion via social media. Social media plat­forms con­tin­ue to form a sub­stan­tial part of users’ online expe­ri­ence, and they let adver­tis­ers reach con­sumers with their mes­sage.

This makes social media algo­rithms sus­cep­ti­ble to abuse by var­i­ous actors with bad inten­tions. Pub­lish­ing stolen data togeth­er with spread­ing fake news and rumors on social media gives mali­cious actors pow­er­ful tools. While a suc­cess­ful influ­ence cam­paign might seem rel­a­tive­ly easy to do, it needs a lot of plan­ning, per­sis­tence, and resources to be suc­cess­ful. Some of the basic tools and ser­vices, like ones used to spread fake news on social media, are already being offered as a ser­vice in the under­ground econ­o­my. [9].

As we have men­tioned in our overview paper on Pawn Storm [6], oth­er actors may also start their own cam­paigns that aim to influ­ence pol­i­tics and issues of inter­est domes­ti­cal­ly and abroad. Actors from devel­op­ing coun­tries will learn and prob­a­bly adapt sim­i­lar meth­ods quick­ly in the near future. In 2016, we pub­lished a report on C Major [10], an espi­onage group that pri­mar­i­ly tar­gets the Indi­an mil­i­tary. By dig­ging deep­er into C Major’s activ­i­ties, we found that this actor group not only attacks the Indi­an mil­i­tary, but also has ded­i­cat­ed bot­nets for com­pro­mised tar­gets in Iran­ian uni­ver­si­ties, Afghanistan, and Pak­istan. Recent­ly, we have wit­nessed C Major also show­ing some inter­est in com­pro­mis­ing mil­i­tary and diplo­mat­ic tar­gets in the West. It is only a mat­ter of time before actors like C Major begin attempt­ing to influ­ence pub­lic opin­ion in for­eign coun­tries, as well.

With the Olympics and sev­er­al sig­nif­i­cant glob­al elec­tions tak­ing place in 2018, we can be sure Pawn Storm’s activ­i­ties will con­tin­ue. We at Trend Micro will keep mon­i­tor­ing their tar­get­ed activ­i­ties, as well as activ­i­ties of sim­i­lar actors, as cyber­pro­pa­gan­da and dig­i­tal extor­tion remain in use.

...

———-

“Update on Pawn Storm: New Tar­gets and Polit­i­cal­ly Moti­vat­ed Cam­paigns”; Trend Micro; 01/12/2018 [4]

Begin­ning in June 2017, phish­ing sites were set up mim­ic­k­ing the ADFS (Active Direc­to­ry Fed­er­a­tion Ser­vices) of the U.S. Sen­ate. By look­ing at the dig­i­tal fin­ger­prints of these phish­ing sites and com­par­ing them with a large data set that spans almost five years, we can unique­ly relate them to a cou­ple of Pawn Storm inci­dents in 2016 and 2017. The real ADFS serv­er of the U.S. Sen­ate is not reach­able on the open inter­net, how­ev­er phish­ing of users’ cre­den­tials on an ADFS serv­er that is behind a fire­wall still makes sense. In case an actor already has a foothold in an orga­ni­za­tion after com­pro­mis­ing one user account, cre­den­tial phish­ing could help him get clos­er to high pro­file users of inter­est.”

So in June 2017, phish­ing sites get set up to mim­ic the US Sen­ate’s email site. And the dig­i­tal fin­ger­prints on these sites “unique­ly relates” them to them to a cou­ple of Pawn Storm inci­dents in 2016 and 2017. That appears to be the pri­ma­ry line of evi­dence lead­ing them to con­clude that ‘Fan­cy Bear’/‘Pawn Storm’ is indeed the enti­ty behind this Sen­ate phish­ing attempt. And none of that evi­dence is actu­al­ly giv­en. It is sole­ly a “Trust Us” attri­bu­tion.

And note how the lack of tech­ni­cal inno­va­tion over time appears to be a key ele­ment in allow­ing Trend Micro to search through its data­base of attacks and match the ‘dig­i­tal fin­ger­prints’ of present day attacks with pri­or attacks:

...
Pawn Storm has been attack­ing polit­i­cal orga­ni­za­tions in France, Ger­many, Mon­tene­gro, Turkey, Ukraine, and the Unit­ed States since 2015. We saw attacks against polit­i­cal orga­ni­za­tions again in the sec­ond half of 2017. These attacks don’t show much tech­ni­cal inno­va­tion over time, but they are well pre­pared, per­sis­tent, and often hard to defend against. Pawn Storm has a large toolset full of social engi­neer­ing tricks, mal­ware and exploits, and there­fore doesn’t need much inno­va­tion apart from occa­sion­al­ly using their own zero-days and quick­ly abus­ing soft­ware vul­ner­a­bil­i­ties short­ly after a secu­ri­ty patch is released. [7].

...

We can often close­ly relate cur­rent and old Pawn Storm cam­paigns using data that spans more than four years, pos­si­bly because the actors in the group fol­low a script when set­ting up an attack. This makes sense, as the sheer vol­ume of their attacks requires care­ful admin­is­tra­tion, plan­ning, and orga­ni­za­tion to suc­ceed. The screen­shots below show two typ­i­cal cre­den­tial phish­ing emails that tar­get­ed spe­cif­ic orga­ni­za­tions in Octo­ber and Novem­ber 2017. One type of email is sup­pos­ed­ly a mes­sage from the target’s Microsoft Exchange serv­er about an expired pass­word. The oth­er says there is a new file on the company’s OneDrive sys­tem.
...

So ‘Fan­cy Bear’ keeps using the same method­ol­o­gy and seem­ing­ly fol­lows a script, leav­ing a grow­ing dig­i­tal trail over the years that can be used for attri­bu­tion of future attacks. And yet as Trend Micro warns, there’s rea­son to assume oth­er actors are going to adopt sim­i­lar meth­ods “in the near future” to sway elec­tions in oth­er coun­tries:

...
As we have men­tioned in our overview paper on Pawn Storm [6], oth­er actors may also start their own cam­paigns that aim to influ­ence pol­i­tics and issues of inter­est domes­ti­cal­ly and abroad. Actors from devel­op­ing coun­tries will learn and prob­a­bly adapt sim­i­lar meth­ods quick­ly in the near future. In 2016, we pub­lished a report on C Major [10], an espi­onage group that pri­mar­i­ly tar­gets the Indi­an mil­i­tary. By dig­ging deep­er into C Major’s activ­i­ties, we found that this actor group not only attacks the Indi­an mil­i­tary, but also has ded­i­cat­ed bot­nets for com­pro­mised tar­gets in Iran­ian uni­ver­si­ties, Afghanistan, and Pak­istan. Recent­ly, we have wit­nessed C Major also show­ing some inter­est in com­pro­mis­ing mil­i­tary and diplo­mat­ic tar­gets in the West. It is only a mat­ter of time before actors like C Major begin attempt­ing to influ­ence pub­lic opin­ion in for­eign coun­tries, as well.
...

And, of course, just as third par­ties might use the same method­ol­o­gy, they also might decide to try to leave the same dig­i­tal fin­ger­prints as ‘Fan­cy Bear’ if that’s an option because why not? If the mal­ware or serv­er hosts that ‘Fan­cy Bear’, or any oth­er high pro­file hack­ing group, keeps get­ting reused and this becomes pub­licly known, why would­n’t oth­er hack­ers use the same mal­ware and serv­er hosts if that’s an option? This is prob­a­bly a good time to remind our­selves that one of the key ‘dig­i­tal fin­ger­prints’ found in the 2016 DNC hack used to attribute that hack to ‘Fan­cy Bear’ was the reuse of a com­mand and con­trol server’s IP address (176.31.112.10) made pub­lic in 2015 fol­low­ing the Bun­destag hack of May 2015 [11].

And note how there are actu­al­ly a num­ber of 2017 hacks attrib­uted to ‘Fan­cy Bear’ that Trend Micro ref­er­ences in this report. So if it “unique­ly” traced the US Sen­ate phish­ing sites (which were actu­al­ly set up in June of 2017...a month after the French elec­tions) back to anoth­er 2017 attack, it’s not clear which 2017 attack Trend Micro was unique­ly tying the US Sen­ate phish­ing sites back to.

But again, the over­all mes­sage from Trend Micro in this report is “Trust Us, we got this covered...look at what a great job we did iden­ti­fy­ing the Macron hacks.”

About Those Macron Hack Attri­bu­tions...

So Trend Micro found that two pri­or attacks, one in 2017 and one in 2016, shared the same dig­i­tal fin­ger­prints that they found after inves­ti­gat­ing the web­sites asso­ci­at­ed this new US Sen­ate phish­ing cam­paign. And the 2017 attack they referred to was maybe the Macron email hack, although that’s very ambigu­ous. And we’re basi­cal­ly expect­ed to just trust them on this attri­bu­tion.

So how much blind trust should we place in Trend Micro’s — or any oth­er cyber­se­cu­ri­ty fir­m’s — attri­bu­tion when basi­cal­ly no tech­ni­cal evi­dence is giv­en. Well, to explore this top­ic, let’s take an extend­ed look at the Macron hacks. And not just Trend Micro’s work on those hacks, because there were a num­ber of dif­fer­ent cyber­se­cu­ri­ty firms, along with the US gov­ern­ment, who weighed in on that hack and con­clud­ed with near cer­tain­ty that it was ‘Fan­cy Bear’ behind it.

And as we look into this, note that, if the 2017 hack Trend Micro relat­ed the US Sen­ate phish­ing sites back to was indeed the Macron hack, then we can make an edu­cat­ed guess that the 2016 hack Trend Micro unique­ly relat­ed back to the US Sen­ate phish­ing attack was actu­al­ly the 2016 DNC serv­er attack. Because as we’ll see in the fol­low­ing arti­cle, when Trend Micro first report­ed on the Macron email hack back in April of 2017, there was one par­tic­u­lar 2016 hack that Trend Micro claimed had a num­ber of ‘dig­i­tal sim­i­lar­i­ties’ to the Macron hack. And those ‘dig­i­tal sim­i­lar­i­ties’ includ­ed sim­i­lar­i­ties in the IP address involved and mal­ware used: The 2016 DNC serv­er hack [12]:

The Wash­ing­ton Post

Cyber­at­tack on French pres­i­den­tial front-run­ner bears Russ­ian ‘fin­ger­prints,’ research group says

By Rick Noack
April 25, 2017

PARIS — A secu­ri­ty firm claimed Tues­day that new cyber­at­tacks on the cam­paign offices of the front-run­ner in France’s pres­i­den­tial race car­ried dig­i­tal “fin­ger­prints” sim­i­lar to the sus­pect­ed Russ­ian hack­ing of the Demo­c­ra­t­ic Nation­al Com­mit­tee and oth­ers in the 2016 U.S. elec­tion.

The report [13], by the Trend Micro research group, did not dis­close the poten­tial fall­out of the infil­tra­tion on the cam­paign of Emmanuel Macron, a cen­trist who faces far-right leader Marine Le Pen in a May 7 runoff.

If a Russ­ian con­nec­tion is proved, the hack­ing would add to mount­ing alle­ga­tions that Moscow is back­ing attempts to influ­ence West­ern elec­tions in favor of can­di­dates with poli­cies poten­tial­ly more friend­ly to the Krem­lin. Le Pen has voiced oppo­si­tion to the pow­ers of the Euro­pean Union and has called for bet­ter ties with Rus­sia, echo­ing some of the cam­paign rhetoric of Pres­i­dent Trump.

Tokyo-based Trend Micro said Macron’s cam­paign was tar­get­ed in March and April by a cyber­spy­ing group called Pawn Storm. The group has alleged­ly used phish­ing and mal­ware to infil­trate oth­er polit­i­cal orga­ni­za­tions, as well, such as Ger­man Chan­cel­lor Angela Merkel’s Chris­t­ian Demo­c­ra­t­ic Union and the U.S. Demo­c­ra­t­ic Nation­al Com­mit­tee.

“There are sev­er­al things which sug­gest that the group behind the Macron hack­ing was also respon­si­ble for the DNC breach, for exam­ple. We found sim­i­lar­i­ties in the IP address­es and mal­ware used in the attacks,” said Rik Fer­gu­son, vice pres­i­dent of Trend Micro’s secu­ri­ty research pro­gram.

“We can­not say for sure whether this was direct­ed by the Russ­ian gov­ern­ment, but the group behind the attacks cer­tain­ly appears to pur­sue Russ­ian inter­ests,” added Fer­gu­son, speak­ing from the com­pa­ny’s Lon­don offices.

Accord­ing to the research firm, the hack­ers cre­at­ed sev­er­al email address­es on a fake serv­er with the URL onedrive-en-marche.fr, oper­at­ing from com­put­ers with IP address­es in mul­ti­ple Euro­pean nations, includ­ing Britain.

...

ANSSI, the French gov­ern­men­t’s cyber­se­cu­ri­ty agency, con­firmed the more recent cyber­at­tacks against Macron but left open the pos­si­bil­i­ty that they could be the work of “oth­er high-lev­el” hack­ers try­ing to point the blame at Pawn Storm.

...
———-

“Cyber­at­tack on French pres­i­den­tial front-run­ner bears Russ­ian ‘fin­ger­prints,’ research group says” by Rick Noack; The Wash­ing­ton Post; 04/25/2018 [12]

““There are sev­er­al things which sug­gest that the group behind the Macron hack­ing was also respon­si­ble for the DNC breach, for exam­ple. We found sim­i­lar­i­ties in the IP address­es and mal­ware used in the attacks,” said Rik Fer­gu­son, vice pres­i­dent of Trend Micro’s secu­ri­ty research pro­gram.”

The same IP address­es and same mal­ware used in the Macron and DNC attacks. Or, at least, sim­i­lar IP address­es and mal­ware. That’s what Trend Micro found when it looked into Macron email hacks back in 2017.

So what does it mean to “sim­i­lar IP address­es between two hacks? Well, that’s prob­a­bly a ref­er­ence to two hacks shar­ing the same IP blocks. And shar­ing IP blocks with pre­vi­ous attacks mere­ly sug­gests the use of the same Inter­net Ser­vice Provider (ISP), since ISPs will get set a block of IP address­es to use [14]. And shar­ing ISP with pre­vi­ous hack­ers is fair­ly weak evi­dence. Of course hack­ers are going to grav­i­tate towards hack­er friend­ly ISPs! Espe­cial­ly if they want to mis­di­rect the attri­bu­tion of the attack!

And nei­ther is “sim­i­lar mal­ware” com­pelling evidence...unless there’s rea­son to believe that mal­ware isn’t avail­able out­side hack­ers. But if ‘Fan­cy Bear’ has been reusing the same, or sim­i­lar, mal­ware for years, what are the odds that its mal­ware col­lec­tion isn’t already ‘in the wild’? As we saw with the ‘X‑Agent’ mal­ware, assum­ing this mal­ware is unique to one group is a bad idea. And even if the mal­ware ‘Fan­cy Bear’ keeps reusing has some­how avoid­ed end­ed up ‘in the wild’, why does this group con­tin­ue to reuse the same unique col­lec­tion of mal­ware over and over? It just make attri­bu­tion that much eas­i­er!

Where the Beef Evi­dence? Seri­ous­ly, Where is It?

But let’s not focus exclu­sive­ly on Trend Micro when it comes to the Macron hack. Because a lot of dif­fer­ent cyber­se­cu­ri­ty com­pa­nies made exact­ly the same attri­bu­tion, along with the US gov­ern­ment too. Curi­ous­ly, all of these sources appeared to be extreme­ly con­fi­dent that the phish­ing sites tar­get­ing the Macron cam­paign and iden­ti­fied by Trend Micro in its April 25th, 2017, were indeed attrib­ut­able to ‘Fan­cy Bear’, and they even referred back to their big reports in a num­ber of cas­es. And yet, when you look at the actu­al reports, there is no evi­dence list­ed and, in the case of the US gov­ern­ment report, there’s no ref­er­ence to the Macron hacks at all. It’s bizarre.

First, let’s take a look at this Defense One arti­cle from May 6, 2017. That’s one day after the BIG doc­u­ment dump of Macron cam­paign emails. Recall that there was a May 3rd doc­u­ment dump of a few doc­u­ments that appeared to be tam­pered with and the a much larg­er May 5th dump.

Also recall, and as we’ll exam­in­er in more detail lat­er, both of these doc­u­ment dumps appeared to orig­i­nate from with­in the Amer­i­can ‘Alt-Right’, with Andrew Auern­heimer a cen­tral fig­ure.

So this arti­cle was writ­ten one day after a very big last minute doc­u­ment dump and the way these doc­u­ments were dumped did not at all fit the ‘Rus­sia did it’ pat­tern. That’s why when you read this arti­cle you’ll see par­al­lel dis­cus­sions of the phish­ing sites that Trend Micro report­ed on a cou­ple weeks ear­li­er paired with acknowl­edg­ments from Trend Micro that there’s no evi­dence con­clu­sive­ly pin­ning the hack on ‘Fan­cy Bear’. In oth­er words, there’s an implic­it acknowl­edge­ment that the phish­ing sites set up to tar­get the Macron cam­paign may not have been the source of these hacked doc­u­ments.

But when it comes to who set up those phish­ing sites, the arti­cle include more than just Trend Micro mak­ing near cer­tain con­clu­sions that Fan­cy Bear was behind it. A rep­re­sen­ta­tive from Flash­point, anoth­er cyber­se­cu­ri­ty firm, is also quot­ed as basi­cal­ly treat­ing it as a fore­gone con­clu­sion that ‘Fan­cy Bear’ set up the phish­ing sites, and the arti­cle links back to the US gov­ern­men­t’s “Griz­zly Steppe” report, which was updat­ed to include that evi­dence. But as we’ll see, Flash­point nev­er actu­al­ly explains any­where how it arrived at this con­clu­sion and the US gov­ern­ment report con­tains no ref­er­ence at all to the Macron hacks. It was “Trust Us” attri­bu­tion at work all around [15]:

Defense One

France’s Macron Hack Like­ly By Same Russ­ian Group That Hit DNC, Sources Say

By Patrick Tuck­er
Tech­nol­o­gy Edi­tor

May 6, 2017

The same Putin-backed hack­ing group that tar­get­ed the Demo­c­ra­t­ic Nation­al Com­mit­tee last year has been tar­get­ing French pres­i­den­tial can­di­date Emmanuel Macron, accord­ing to mul­ti­ple cyber­se­cu­ri­ty groups.

On Fri­day, Macron claimed that his cam­paign had suf­fered a “mas­sive and coor­di­nat­ed” data theft and smear cam­paign, some 9 giga­bytes of data stolen and pub­lished to an anony­mous shar­ing site called Paste­bin.

No hard evi­dence has yet emerged link­ing the tar­get­ing to the doc dump. But over sev­er­al weeks lead­ing to the attack on Macron’s cam­paign, sev­er­al firms in the pri­vate secu­ri­ty com­mu­ni­ty issued warn­ings. On April 25, cyber­se­cu­ri­ty group Trend Micro claimed [6] a group known as APT 28, or Fan­cy Bear and Pawn Storm, was active­ly tar­get­ing the Macron cam­paign with bogus emails to con­vince cam­paign high­er-ups to click on links.

The evi­dence: On March 15, oper­a­tors work­ing from IP address­es asso­ci­at­ed with APT 28 [16] were reg­is­ter­ing domain names that were relat­ed to the Macron cam­paign, such as onedrive-en-marche.fr. Reg­is­ter­ing pho­ny email domains would allow the oper­a­tives to send emails to tar­get­ed cam­paign work­ers that appear to be from the cam­paign. A cyber­se­cu­ri­ty pro­fes­sion­al with direct knowl­edge of the hack told Defense One that the same Putin-backed hack­ing group that tar­get­ed the DNC had also been tar­get­ing Macron. But they could not say with cer­tain­ty that those actors were the same indi­vid­u­als who put the doc­u­ments on the Paste­bin site, (or if the doc­u­ments on Paste­bin were even authen­tic.)

Of par­tic­u­lar inter­est in the Macron case is a new tac­tic: rather than lur­ing the vic­tim to a link and then try­ing to con­vince them to give up his or her pass­word, APT 28 was tar­get­ing the Macron cam­paign with a lure to fake com­put­er appli­ca­tions that looked like they actu­al­ly came from Google.This time the vic­tims weren’t prompt­ed to give up their pass­words. Instead they could sim­ply autho­rize a pro­gram that looked like it came from a trust­ed provider to do what that pro­gram (looks like) it is sup­posed to do. The scam is called Open Authen­ti­ca­tion or an OAuth attack. “The big advan­tage is that users don’t have to reveal their pass­word to the third par­ty. Instead the third par­ty appli­ca­tions get a token that can be used for authen­ti­ca­tion,” Trend Micro says in their report.

Greg Mar­tin, CEO of the firm JASK, told Busi­ness Insid­er [17] that this rep­re­sent­ed a clear esca­la­tion of tac­tics. “It’s a new style of attack … very dead­ly and unprece­dent­ed … It’s the first time we have seen this in the wild.”

Vitali Kre­mez, direc­tor of research at the cyber­se­cu­ri­ty firm Flash­point, also offered [18] cau­tious analy­sis to the New York Times on Fri­day. “The key goals and objec­tives of the cam­paign appear to be to under­mine Macron’s pres­i­den­tial can­di­da­cy and cast doubt on the demo­c­ra­t­ic elec­toral process in gen­er­al.”

He lat­er told Reuters [19] that APT 28 was indeed behind the attack after deter­min­ing that APT 28 relat­ed enti­ties had “reg­is­tered decoy inter­net address­es to mim­ic the name of En Marche … includ­ing onedrive-en-marche.fr and mail-en-marche.fr.”

The event fol­lows months of warn­ings about Krem­lin influ­ence and infor­ma­tion oper­a­tions alleged­ly tar­get­ing the French elec­tion for the ben­e­fit Marine Le Pen’s Nation­al Front Par­ty. On Jan­u­ary 8, France’s Min­is­ter of Defense Jean-Yves Le Dri­an told [20] French news­pa­pers that “one can­not be naive,” about the like­li­hood of Krem­lin involve­ment to aid Le Pen, who has sup­port­ed [21] a clos­er rela­tion­ship with Putin and a weak­en­ing of the EU.

Defense One first report­ed [22] in Jan­u­ary that the group some­times known as Fan­cy Bear, APT 28, and by oth­er names was active­ly tar­get­ing the French elec­tion with the same email tac­tics that they employed against pre­vi­ous tar­gets, includ­ing, most famous­ly the DNC [23].

It’s not the first time Krem­lin-backed hack­ers have tar­get­ed France. In April of 2015, the same group, pos­ing as ISIS-linked Islam­ic extrem­ists and call­ing itself the Cyber Caliphate [24] also attacked French tele­vi­sion sta­tion TV5 Monde. The intent of that attack remains unclear.

Author­i­ties and inves­ti­ga­tors have yet to make pub­lic hard foren­sic evi­dence link­ing the group to the hack on Macron’s cam­paign.

Today, in response to Macron’s claim, Trend Micro offered a clar­i­fy­ing state­ment. “Trend Micro does not have evi­dence that this is asso­ci­at­ed with the group known as Pawn Storm (also APT28 and oth­er names). The tech­niques used in this case seem to be sim­i­lar to pre­vi­ous attacks. With­out fur­ther evi­dence, it is extreme­ly dif­fi­cult to attribute this hack to any par­tic­u­lar per­son or group.”

In the mean­time, some analy­sis sug­gests that por­tions of the 9 giga­byte doc­u­ment dump, or at least por­tions of it that are spread­ing on social media, may be forged [25].

@wikileaks [26] Two doc­u­ments pur­port­ing to show that Macron has off­shore accounts were cre­at­ed yes­ter­day, the day of the debate #Macron­Leaks [27] pic.twitter.com/cxqZnZmNTh [28]
— Nathan Patin (@NathanPatin) May 6, 2017 [29]

The mix­ing of fake doc­u­ments with stolen real doc­u­ments, and then dump­ing both on the pub­lic to achieve a bet­ter polit­i­cal or mar­ket effect, is some­thing that mem­bers of the intel­li­gence com­mu­ni­ty have wor­ried about pub­licly for years. [30]. Krem­lin-backed actors have done it before, but not through Wik­ileaks. Last August, hack­ers dumped a series of doc­u­ments on the sites Cyber­Berkut and DC Leaks, both of which the intel­li­gence com­mu­ni­ty has linked to Putin’s gov­ern­ment. It was an attempt to smear a Putin polit­i­cal oppo­nent by con­nect­ing him to George Soros. Prob­lem is, the docs didn’t match [31], sug­gest­ing a forgery.
...

———-

“France’s Macron Hack Like­ly By Same Russ­ian Group That Hit DNC, Sources Say” by Patrick Tuck­er; Defense One; 05/06/2017 [15]

No hard evi­dence has yet emerged link­ing the tar­get­ing to the doc dump. But over sev­er­al weeks lead­ing to the attack on Macron’s cam­paign, sev­er­al firms in the pri­vate secu­ri­ty com­mu­ni­ty issued warn­ings. On April 25, cyber­se­cu­ri­ty group Trend Micro claimed [6] a group known as APT 28, or Fan­cy Bear and Pawn Storm, was active­ly tar­get­ing the Macron cam­paign with bogus emails to con­vince cam­paign high­er-ups to click on links.”

No hard evi­dence has yet emerged link­ing the tar­get­ing of the Macron camp with the phish­ing sites to the actu­al doc­u­ment dump. That was the assess­ment one day after the big Macron doc­u­ment dump. And that’s not unrea­son­able since it was just one day. That’s not a lot of time to gath­er evi­dence.

And yet the attri­bu­tion of the phish­ing sites to ‘Fan­cy Bear’ is treat­ed like a cer­tain­ty. And that includes link­ing to the US gov­ern­men­t’s Griz­zly Steppe report that pur­port­ed­ly ties the reg­is­tra­tion of the phish­ing site domain names to APT28/Fancy Bear:

...
The evi­dence: On March 15, oper­a­tors work­ing from IP address­es asso­ci­at­ed with APT 28 [16] were reg­is­ter­ing domain names that were relat­ed to the Macron cam­paign, such as onedrive-en-marche.fr. Reg­is­ter­ing pho­ny email domains would allow the oper­a­tives to send emails to tar­get­ed cam­paign work­ers that appear to be from the cam­paign. A cyber­se­cu­ri­ty pro­fes­sion­al with direct knowl­edge of the hack told Defense One that the same Putin-backed hack­ing group that tar­get­ed the DNC had also been tar­get­ing Macron. But they could not say with cer­tain­ty that those actors were the same indi­vid­u­als who put the doc­u­ments on the Paste­bin site, (or if the doc­u­ments on Paste­bin were even authen­tic.)
...

Here’s the prob­lem with that Griz­zly Steppe report’s attri­bu­tion. If you look at the Griz­zly Steppe report, there is indeed an April 6, 2017 update list­ed on the home page of that report [16]. It’s one line, “April 6, 2017: Updat­ed AR-17–20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity with Sec­tion 508 Reme­di­a­tion.” The prob­lem is that if you look at the AR-17–20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity report [32], there is no actu­al update with that infor­ma­tion. If you search though the doc­u­ment, there no “Sec­tion 508”. You won’t even find the words “France”, or “Macron” or “onedrive”. There also isn’t any ref­er­ence to the April 6, 2017 date. It’s as if the only update was the update on the home­page say­ing the report was updat­ed.

And that’s not the only exam­ple of the asser­tion that ‘Fan­cy Bear’ was behind the reg­is­tra­tion of these Macron-tar­get­ed phish­ing domains. The Trend Micro report on “Pawn Storm” (Fan­cy Bear/APT28) released on April 25th, 2017, pur­port­ing to demon­strate that Fan­cy Bear was behind the phish­ing sites [13] con­tains a sin­gle ref­er­ence to the Macron email hack in the list of domains Trend Micro has attrib­uted to APT28. Go to page 13 of the report and you see the “Emmanuel Macron cam­paign” list­ed as the tar­get and “onedrive-en-marche.fr” list­ed as the phish­ing domain in a table that lists the domains Trend Micro has con­clud­ed was reg­is­tered by Pawn Storm/Fancy Bear/APT28. That’s it. No descrip­tion of how that attri­bu­tion was made. And there is no oth­er ref­er­ence to France or the Macron cam­paign or any­thing else in the doc­u­ment. And that means we have no idea what ‘dig­i­tal fin­ger­prints’ Trend Micro used to make that attri­bu­tion. In oth­er words, “Trust Us.”

And note that there’s no expla­na­tion for how all the oth­er domain names list­ed in that table were con­clu­sive­ly attrib­uted to Fan­cy Bear in the report, so there’s a lot of ambi­gu­i­ty about how Trend Micro arrived at ANY of its con­clu­sions. “Trust Us Bigly.”

Sim­i­lar­ly, when you read about how Flash­point, anoth­er cyber­se­cu­ri­ty firm, also con­clud­ed that APT28/Fancy Bear/Pawn Storm was the enti­ty that set up these phish­ing domains, it refers back to a Reuters report where Flash­point tells Reuters that APT28 set up those domains. But, again, there’s absolute­ly no indi­ca­tion of how that attri­bu­tion was made and no link to a pub­licly avail­able report:

...
Vitali Kre­mez, direc­tor of research at the cyber­se­cu­ri­ty firm Flash­point, also offered [18] cau­tious analy­sis to the New York Times on Fri­day. “The key goals and objec­tives of the cam­paign appear to be to under­mine Macron’s pres­i­den­tial can­di­da­cy and cast doubt on the demo­c­ra­t­ic elec­toral process in gen­er­al.”

He lat­er told Reuters [19] that APT 28 was indeed behind the attack after deter­min­ing that APT 28 relat­ed enti­ties had “reg­is­tered decoy inter­net address­es to mim­ic the name of En Marche … includ­ing onedrive-en-marche.fr and mail-en-marche.fr.”
...

And if you read the Reuters arti­cle [19], Flash­point’s Vitali Kre­mez sim­ply tells Reuters that, “his review indi­cat­ed that APT 28, a group tied to the GRU, the Russ­ian mil­i­tary intel­li­gence direc­torate, was behind the leak.” That’s it. If there’s a pub­lic report some­one explain­ing how they arrived at this attri­bu­tion it’s unclear where to find it.

So we have this odd sit­u­a­tion where the US gov­ern­ment GRIZZLEY STEPPE report claims to be updat­ed with evi­dence that the Macron phish­ing cam­paign was oper­at­ed by Fan­cy Bear but that update does­n’t actu­al­ly exist in the report. And Trend Micro’s and Flash­point’s attri­bu­tions are made with­out any expla­na­tion at all. Per­haps this evi­dence is pub­licly avail­able else­where from these three sources?

Found Some Evi­dence! Or, Rather, Found Some ‘Evi­dence’!

That said, there are some reports that do give at least a bit of the tech­ni­cal evi­dence Trend Micro used to attribute these phish­ing domains to Fan­cy Bear/APT28/Pawn Storm. For exam­ple, the fol­low­ing April 24th, 2017, arti­cle in the Wall Street Jour­nal about the Trend Micro report con­tains the fol­low­ing pieces of infor­ma­tion: On March 15, some­one used the name Johny Pinch and a fake Paris street address to reg­is­ter the name onedrive-en-marche.fr, accord­ing to pub­lic inter­net records. On April 12, some­one using the same infor­ma­tion reg­is­tered mail-en-marche.fr, the records show. And those address­es were both host­ed on IP address blocks pre­vi­ous­ly asso­ci­at­ed with Pawn Storm, accord­ing to Trend Micro. There’s no fur­ther expla­na­tion, like a list­ing of those IP address­es or which pre­vi­ous attacks asso­ci­at­ed with them, and none of this infor­ma­tion actu­al­ly shows up in the report Trend Micro released, but at the time of the report’s release Trend Micro was assert­ing to jour­nal­ists that IP address blocks asso­ci­at­ed with the onedrive-en-marche.fr and mail-en-marche.fr domains were pre­vi­ous­ly attrib­uted to Fan­cy Bear [33]:

The Wall Street Jour­nal

Macron Cam­paign Wards Off Hack­ing Attempts Linked to Rus­sia

Pres­i­den­tial candidate’s cam­paign suf­fers mul­ti­pronged phish­ing attack begin­ning in mid-March

By Sam Schech­n­er
April 24, 2017 1:17 p.m. ET

PARIS—Hackers match­ing the pro­file of a pro-Krem­lin group have tried in recent weeks to access cam­paign email accounts of French pres­i­den­tial can­di­date Emmanuel Macron, a cyber­se­cu­ri­ty firm said Mon­day, rais­ing fears of elec­tion inter­fer­ence in the final two weeks of the France’s pres­i­den­tial cam­paign.

In a report set to be pub­lished Tues­day, secu­ri­ty-research firm Trend Micro iden­ti­fied a pro-Krem­lin hack­ing group it calls Pawn Storm as the like­ly source of a mul­ti­pronged phish­ing attack that start­ed in mid-March against Mr. Macron’s cam­paign.

As part of the attack, hack­ers set up mul­ti­ple inter­net address­es that mim­ic­ked those of the campaign’s own servers in an attempt to lure Mr. Macron’s staffers into turn­ing over their net­work pass­words, said Feike Hac­que­bord, a senior threat researcher for Tokyo-based Trend Micro and the author of the report, a copy of which was reviewed by The Wall Street Jour­nal.

...

On March 15, some­one used the name Johny Pinch and a fake Paris street address to reg­is­ter the name onedrive-en-marche.fr, accord­ing to pub­lic inter­net records. On April 12, some­one using the same infor­ma­tion reg­is­tered mail-en-marche.fr, the records show.

Those address­es were both host­ed on inter­net pro­to­col address blocks asso­ci­at­ed with Pawn Storm, Trend Micro’s Mr. Hac­que­bord said.

Mr. Hac­que­bord added that oth­er clues, such as relat­ed address­es and the cre­ation of secu­ri­ty cer­tifi­cates to make the fake sites look authen­tic mir­ror tech­niques used by the group in sev­er­al dozen oth­er cas­es iden­ti­fied in he report, includ­ing the hacks of the Chris­t­ian Demo­c­ra­t­ic Union and the Demo­c­ra­t­ic Nation­al Com­mit­tee.

“I can­not say for sure, but the fin­ger­prints match,” Mr. Hac­que­bord said.

———-

“Macron Cam­paign Wards Off Hack­ing Attempts Linked to Rus­sia” by Sam Schech­n­er; The Wall Street Jour­nal; 04/24/2017 [33]

“I can­not say for sure, but the fin­ger­prints match”

That was the state­ment from the author of Trend Micro’s report. So what were these ‘fin­ger­prints’? The IP address blocks of the phish­ing domains onedrive-en-marche.fr and were mail-en-marche.fr were asso­ci­at­ed with attacks that were pre­vi­ous­ly attrib­uted to Fan­cy Bear/APT28/Pawn Storm. Also, the use of the tech­nique of cre­at­ing fake secu­ri­ty cer­tifi­cates to make the fake sites look real was some­thing Fan­cy Bear has done before. That appears to be the tech­ni­cal evi­dence Trend Micro relied on:

...
On March 15, some­one used the name Johny Pinch and a fake Paris street address to reg­is­ter the name onedrive-en-marche.fr, accord­ing to pub­lic inter­net records. On April 12, some­one using the same infor­ma­tion reg­is­tered mail-en-marche.fr, the records show.

Those address­es were both host­ed on inter­net pro­to­col address blocks asso­ci­at­ed with Pawn Storm, Trend Micro’s Mr. Hac­que­bord said.

Mr. Hac­que­bord added that oth­er clues, such as relat­ed address­es and the cre­ation of secu­ri­ty cer­tifi­cates to make the fake sites look authen­tic mir­ror tech­niques used by the group in sev­er­al dozen oth­er cas­es iden­ti­fied in he report, includ­ing the hacks of the Chris­t­ian Demo­c­ra­t­ic Union and the Demo­c­ra­t­ic Nation­al Com­mit­tee.
...

And, as with so much if this, the evi­dence is actu­al­ly quite weak. Shar­ing IP blocks with pre­vi­ous attacks mere­ly sug­gests the use of the same Inter­net Ser­vice Provider (ISP), since ISPs will get set a block of IP address­es to use. And shar­ing ISP with pre­vi­ous hack­ers is fair­ly weak evi­dence [34]. Of course hack­ers are going to grav­i­tate towards hack­er friend­ly ISPs!

But the weak­est evi­dence is point­ing towards the use of fake secu­ri­ty cer­tifi­cates to make the phish­ing sites appear to be real so your brows­er does­n’t pop up with a warn­ing. Because of course you would do that if you set up a fake phish­ing site. Any hack­er would do that if they know how do to it.

Also recall that the Trend Micro report [13] makes absolute­ly no ref­er­ence to any of the above ‘evi­dence’ described by the report’s author. It also does­n’t list the mail-en-marche.fr phish­ing domain at all. The ONLY ref­er­ence to the Macron cam­paign is list­ing the onedrive-en-marche.fr domain in a table of domains Trend Micro has asso­ci­at­ed with Pawn Storm on page 13. That’s it.

So we have reports on April 24th, 2017, with inter­view of the Trend Micro report’s author about the evi­dence they’ve found that Fan­cy Bear is behind these new phish­ing domains tar­get­ing Macron’s cam­paign. The evi­dence laid out in the arti­cle is both inher­ent­ly vague and weak. And then the actu­al report issued the next day does­n’t even con­tain any of that evi­dence. So very, very odd.

How Cer­tain Was Trend Micro Based on This Weak Evi­dence? 99 per­cent

And, sur­prise!, it gets odd­er. Or per­haps sad­der. Because if you look at the var­i­ous reports from Trend Micro back in April-May of 2017 about the Macron hacks, Trend Micro’s own rep­re­sen­ta­tive, Loïc Gué­zo, starts off being 99 per­cent cer­tain that Fan­cy Bear was behind the phish­ing domains when Trend Micro first issued its April 25, 2017 report. But after the reports about how US ‘Alt-Right’ neo-Nazis appeared to be behind the leaked doc­u­ments, Gué­zo sud­den­ly makes it very clear that the dump of stolen emails was very ama­teur­ish and it’s very ambigu­ous as to who was behind the hack and it could have been US neo-Nazis behind it. So Trend Micro went from 99 per­cent cer­tain Fan­cy Bear was behind the phish­ing domains tar­get­ing the Macron hack­ing cam­paign (with­out pro­vid­ing any actu­al evi­dence) to being very open about the pos­si­bil­i­ty that it was a bunch of neo-Nazis who actu­al­ly car­ried out the hack. And yet this sud­den change in cer­tain­ty seems to have com­plete­ly fall­en down the mem­o­ry hole now that the US Sen­ate phish­ing domains have emerged.

And now, in Jan­u­ary of 2018, we have Trend Micro mak­ing a 100 per­cent con­clu­sion that the US Sen­ate phish­ing domains were ‘Fan­cy Bear’ and this 100 per­cent attri­bu­tion is based on shared ‘dig­i­tal fin­ger­prints’ that unique­ly tie back to two two pri­or hack­ing cam­paigns that Trend Micro had pre­vi­ous­ly attrib­uted to Pawn Storm/Fancy Bear/APT28, one in 2017 and one in 2016. So, unless that 2017 hack­ing inci­dent with shared ‘dig­i­tal fin­ger­prints’ that Trend Micro is refer­ring to was­n’t the Macron cam­paign hack, we have to rec­on­cile how on Earth Trend Micro is con­clud­ing with 100 per­cent cer­tain­ty that these US Sen­ate phish­ing sites were actu­al­ly set up by Fan­cy Bear/APT28/Pawn Storm. It’s all real­ly, real­ly odd.

So let’s flesh out this odd­ness. First, here’s a look at an April 26 arti­cle where Trend Micro’s Loïc Gué­zo claim­ing 99 per­cent cer­tain­ty that the phish­ing domains tar­get­ing the Macron cam­paign was the work of Fan­cy Bear/APT28/Pawn Storm. And note how the cyber­se­cu­ri­ty expert hired by the Macron cam­paign, Mounir Mahjoubi, was far less sure about this attri­bu­tion [35]:

France24

Cyber experts ’99% sure’ Russ­ian hack­ers are tar­get­ing Macron

Text by Sébas­t­ian SEIBT
Date cre­at­ed : 2017-04-26
Lat­est update : 2017-04-27

The Russ­ian cyber-spy­ing group Pawn Storm (also known as Fan­cy Bear) has tar­get­ed French pres­i­den­tial front-run­ner Emmanuel Macron, accord­ing to Japan­ese cyber-secu­ri­ty experts. Macron cam­paign offi­cials, how­ev­er, say the group has so far failed.

Bare­ly two weeks before the crit­i­cal sec­ond round of the French pres­i­den­tial elec­tion, fears of Russ­ian med­dling in the 2017 cam­paign mount­ed with the pub­li­ca­tion of a report accus­ing Pawn Storm of tar­get­ing Macron’s En Marche! (For­ward!) move­ment, employ­ing iden­ti­cal tac­tics used to attack the Hillary Clin­ton cam­paign dur­ing the US pres­i­den­tial race.

A 41-page report, “Two Years of Pawn Storm [6],” by the Japan­ese cyber-secu­ri­ty firm Trend Micro detailed a long list of the group’s tar­gets, includ­ing Ger­man Chan­cel­lor Angela Merkel’s Chris­t­ian Demo­c­ra­t­ic Union par­ty ahead of the Sep­tem­ber Ger­man gen­er­al elec­tions.

Reports of Russ­ian cyber attack­ers tar­get­ing Macron’s cam­paign have been cir­cu­lat­ing for months, but the pub­li­ca­tion of the Trend Micro report pro­vid­ed details of the dates and domains tar­get­ed. They includ­ed a March 15 attempt to acquire sen­si­tive infor­ma­tion and pass­words, a process known as “phish­ing” among cyber-secu­ri­ty experts.

...

Cam­paign meets cyber-secu­ri­ty offi­cials

In Jan­u­ary, a team of dig­i­tal secu­ri­ty offi­cials from the Macron cam­paign vis­it­ed the French cyber counter-espi­onage agency, ANSSI [36], to express con­cerns that their can­di­date was the “No. 1” tar­get for fake news sites and cyber attacks, accord­ing to French media reports [37].

ANSSI is a gov­ern­ment agency under the French defence min­istry that advis­es pub­lic and pri­vate sec­tor organ­i­sa­tions about cyber-secu­ri­ty mea­sures.

The meet­ing between En Marche! and ANSSI offi­cials fol­lowed a spate of rumours pub­lished on fake news sites as well as slant­ed cov­er­age of Macron on Russ­ian state media such as RT (for­mer­ly Rus­sia Today) and the Sput­nik news agency.

The con­cerns with­in the Macron camp led to the hir­ing of Mounir Mahjoubi, the for­mer head of the French Nation­al Dig­i­tal Coun­cil (CNNum), a coun­cil that advis­es on dig­i­tal tech­nolo­gies.

In an inter­view with French week­ly Jour­nal du Dimanche [37] in Feb­ru­ary, Mahjoubi was more cau­tious than his Macron cam­paign col­leagues about cyber attacks ema­nat­ing from Russ­ian-linked groups. “There is no doubt about the frontal attacks of Sput­nik and Rus­sia Today, two Rus­sia-fund­ed media out­lets. But for the rest, we do not know where they come from,” he said.

Rus­sia has con­sis­tent­ly denied reports of inter­fer­ing in the elec­tion cam­paigns of oth­er coun­tries.

“What [hack­ing] groups? From where? Why Rus­sia? This slight­ly reminds me of accu­sa­tions from Wash­ing­ton, which have been left hang­ing in mid-air until now and do not do their authors any cred­it,” Krem­lin spokesman Dmit­ry Peskov told reporters on Mon­day.

‘99 per­cent sure’ attacks are from Rus­sia

But the authors of the lat­est Trend Micro report have no doubt about the ori­gins of the phish­ing cam­paigns tar­get­ing Macron. “We are 99 per­cent sure that it is attacks from Rus­sia,” Loïc Gué­zo, Trend Micro’s strat­e­gy direc­tor for south­ern Europe, told FRANCE 24.

Pawn Storm – an aggres­sive cyber-espi­onage group also known as Fan­cy Bear, Sed­nit, APT28, Sofa­cy or Stron­tium – is engaged in much more than “just espi­onage activ­i­ties”, the report notes. Over the past year, “the group attempt­ed to influ­ence pub­lic opin­ion, to influ­ence elec­tions, and sought con­tact with main­stream media with some suc­cess”.

When it came to tar­get­ing the Macron cam­paign, Pawn Storm’s goal appeared to be to get into the email accounts of senior cam­paign offi­cials to retrieve infor­ma­tion about the can­di­date – a modus operan­di famil­iar to mem­bers of the Clin­ton cam­paign.

Steal­ing pass­words

Cyber-secu­ri­ty spe­cial­ists at Trend Micro found four phish­ing domains cre­at­ed to try to extract infor­ma­tion. The domain names fea­ture plau­si­ble ver­sions of Macron’s polit­i­cal move­ment, designed to catch cam­paign offi­cials off guard. They include onedrive-en-marche.fr, portal-office.fr, mail-en-marche.fr and accounts-office.fr.

“This group set up a spe­cif­ic infra­struc­ture to tar­get Emmanuel Macron’s move­ment in March and April 2017,” Gué­zo explained.

...

A cyber Cold War

In a Decem­ber 2016 report, the US Depart­ment of Home­land Security’s cyber-secu­ri­ty unit accused Pawn Storm – under the alter­nate name APT 28 – of act­ing on the Kremlin’s orders.

The APT 28 foot­print has been on so many major cyber attacks in recent years – includ­ing an April 2015 shut­down of French media giant TV5 Monde – that experts view the group as a sym­bol of a cyber Cold War, com­bin­ing com­put­er pira­cy and online pro­pa­gan­da. A Finan­cial Times [38] report not­ed that US, UK, Israeli and Ger­man offi­cials have all said they believe APT 28 is run by Russia’s sprawl­ing mil­i­tary intel­li­gence arm, the GRU.

Offi­cials at Trend Micro, how­ev­er, refuse to impli­cate the Krem­lin direct­ly: “All we can say is that the activ­i­ties of this group are sys­tem­at­i­cal­ly aligned with the inter­ests of the Russ­ian author­i­ties,” said Gué­zo.

...

Mahjoubi has reit­er­at­ed that the attempts to tar­get the Macron cam­paign so far have not suc­ceed­ed. In his inter­views with French media, Mahjoubi has admit­ted that traces to attack attempts have been found but that “none of the mail­box­es have been hacked”.

En Marche! offi­cials do not use email to share con­fi­den­tial infor­ma­tion, accord­ing to the state­ment released Wednes­day.

Mahjoubi has also refused to accuse a par­tic­u­lar group for the attack attempts. “The pro­ce­dure is very sim­i­lar to [Pawn Storm], but you can­not rule out a very com­pe­tent group try­ing to imi­tate them,” he warned.

But this hedg­ing has not shak­en Guézo’s con­vic­tion. The Macron cam­paign, he believes, is not will­ing to take the gloves off over this issue to avoid ruf­fling the Kremlin’s feath­ers if Macron is elect­ed pres­i­dent next month.

———-

“Cyber experts ’99% sure’ Russ­ian hack­ers are tar­get­ing Macron” by Sébas­t­ian SEIBT; France24; 04/26/2017 [35]

“Mahjoubi has also refused to accuse a par­tic­u­lar group for the attack attempts. “The pro­ce­dure is very sim­i­lar to [Pawn Storm], but you can­not rule out a very com­pe­tent group try­ing to imi­tate them,” he warned.

That was the word of cau­tion from Mounir Mahjoubi, the the for­mer head of the French Nation­al Dig­i­tal Coun­cil (CNNum) hired by the Macron cam­paign: “The pro­ce­dure is very sim­i­lar to [Pawn Storm], but you can­not rule out a very com­pe­tent group try­ing to imi­tate them”. And it was a word of cau­tion he issued not just to this Trend Micro report attribut­ing the phish­ing domains to Fan­cy Bear. He had those same words of cau­tion about the entire hack­ing cam­paign the Macron team had been expe­ri­enc­ing through­out ear­ly 2017:

...
The con­cerns with­in the Macron camp led to the hir­ing of Mounir Mahjoubi, the for­mer head of the French Nation­al Dig­i­tal Coun­cil (CNNum), a coun­cil that advis­es on dig­i­tal tech­nolo­gies.

In an inter­view with French week­ly Jour­nal du Dimanche [37] in Feb­ru­ary, Mahjoubi was more cau­tious than his Macron cam­paign col­leagues about cyber attacks ema­nat­ing from Russ­ian-linked groups. “There is no doubt about the frontal attacks of Sput­nik and Rus­sia Today, two Rus­sia-fund­ed media out­lets. But for the rest, we do not know where they come from,” he said.

...

Mahjoubi has also refused to accuse a par­tic­u­lar group for the attack attempts. “The pro­ce­dure is very sim­i­lar to [Pawn Storm], but you can­not rule out a very com­pe­tent group try­ing to imi­tate them,” he warned.

But this hedg­ing has not shak­en Guézo’s con­vic­tion. The Macron cam­paign, he believes, is not will­ing to take the gloves off over this issue to avoid ruf­fling the Kremlin’s feath­ers if Macron is elect­ed pres­i­dent next month.
...

But this hedg­ing has not shak­en Guézo’s con­vic­tion. The Macron cam­paign, he believes, is not will­ing to take the gloves off over this issue to avoid ruf­fling the Kremlin’s feath­ers if Macron is elect­ed pres­i­dent next month.”

And as we can see, Mahjoubi was issu­ing words of cyber attri­bu­tion cau­tion back in Feb­ru­ary 2017 when the Macron cam­paign was already talk­ing about get­ting attacked by Russ­ian hack­ers. And Trend Micro’s ana­lyst com­ment­ing on their report, Loïc Gué­zo, viewed those words of cau­tion as polit­i­cal­ly moti­vat­ed ‘hedg­ing’, as opposed to sim­ply acknowl­edg­ing the inher­ent ambi­gu­i­ties asso­ci­at­ed with dig­i­tal foren­sic attri­bu­tion. Gué­zo, instead, was “99 per­cent sure that it is attacks from Rus­sia” and that cer­tain­ty was based on the attri­bu­tion of who set up those phish­ing domains:

...
‘99 per­cent sure’ attacks are from Rus­sia

But the authors of the lat­est Trend Micro report have no doubt about the ori­gins of the phish­ing cam­paigns tar­get­ing Macron. “We are 99 per­cent sure that it is attacks from Rus­sia,” Loïc Gué­zo, Trend Micro’s strat­e­gy direc­tor for south­ern Europe, told FRANCE 24.

...

Steal­ing pass­words

Cyber-secu­ri­ty spe­cial­ists at Trend Micro found four phish­ing domains cre­at­ed to try to extract infor­ma­tion. The domain names fea­ture plau­si­ble ver­sions of Macron’s polit­i­cal move­ment, designed to catch cam­paign offi­cials off guard. They include onedrive-en-marche.fr, portal-office.fr, mail-en-marche.fr and accounts-office.fr.

“This group set up a spe­cif­ic infra­struc­ture to tar­get Emmanuel Macron’s move­ment in March and April 2017,” Gué­zo explained.
...

And again, note how it’s implied that the evi­dence of this attri­bu­tion is laid out in Trend Micro’s 41 page report [13]:

...
A 41-page report, “Two Years of Pawn Storm [6],” by the Japan­ese cyber-secu­ri­ty firm Trend Micro detailed a long list of the group’s tar­gets, includ­ing Ger­man Chan­cel­lor Angela Merkel’s Chris­t­ian Demo­c­ra­t­ic Union par­ty ahead of the Sep­tem­ber Ger­man gen­er­al elec­tions.
...

Yes, this report does in “detail a long list of the group’s tar­gets.” It just does­n’t give any details on how these attri­bu­tions were made. And while we saw in the above Wall Street Jour­nal arti­cle that the attri­bu­tion was based on shared IP blocks between two of the phish­ing domains and pre­vi­ous IP address­es attrib­uted to Fan­cy Bear, that’s also real­ly weak evi­dence and the report does­n’t list any­thing more.

And while it’s not out­landish that some ele­ments of the analy­sis of these hack­ing cam­paigns won’t be pub­licly shared, there is basi­cal­ly no indi­ca­tion at all in that report of how any of the long list of phish­ing domains was attrib­uted to Fan­cy Bear/Pawn Storm. It’s like a black box of analy­sis.

And it’s not like cyber­se­cu­ri­ty com­pa­nies don’t ever issue reports detail­ing their attri­bu­tion evi­dence. For instance, when you look at the report issued by the cyber­se­cu­ri­ty researchers link­ing the hacked doc­u­ments back to Andrew Auern­heimer and US neo-Nazis, they give all sorts of very spe­cif­ic tech­ni­cal evi­dence of how they arrived at their con­clu­sion [2]. And that evi­dence is pret­ty damn con­vinc­ing. So con­vinc­ing that Loïc Gué­zo of Trend Micro admit­ted that the attri­bu­tion for the hack­ing (as opposed to set­ting up the phish­ing sites) is a very open ques­tion after see­ing that evi­dence [39]:

EUOb­serv­er

US neo-Nazis linked to Macron hack

By Andrew Rettman
BRUSSELS, 12. May 2017, 09:23

The spread of stolen emails designed to harm Emmanuel Macron was linked to US-based neo-Nazis, accord­ing to a French inves­ti­ga­tion.

France’s Le Monde news­pa­per report­ed [40] on Thurs­day (11 May) that a web­site called nouveaumartel.com, which was named as a go-to place for the pur­loined emails, shared the same dig­i­tal infra­struc­ture as dailystormer.com, a web­site cre­at­ed by the US neo-Nazi activist Andrew Auern­heimer.

The emails were dumped online on 5 May, short­ly before Macron won the French pres­i­den­tial elec­tion by a land­slide.

The dump came two days after an anony­mous user of an online mes­sage board called 4chan.org pub­lished fake doc­u­ments pur­port­ing to show that Macron had an off­shore fund.

“The French scene will be at nouveaumartel.com lat­er”, the anony­mous 4chan.org user said.

The dailystormer.com’s Auern­heimer is a white suprema­cist con­vict­ed of cyber crimes in the US.

His web­site often pop­u­laris­es the work of Nathan Dami­go, anoth­er US far-right activist who gained noto­ri­ety after phys­i­cal­ly assault­ing an anti-fas­cist pro­test­er.

Auern­heimer, in a post­ing on his site on 4 May, sug­gest­ed that Dami­go was about to pub­lish anti-Macron mate­r­i­al.

“The prophet of the white sharia Nathan Dami­go is about to release the frogs from ped­erasty”, he wrote.

Frogs could be a deroga­to­ry ref­er­ence to French peo­ple or to a car­toon frog, Pepe, adopt­ed as a sym­bol by US neo-Nazis.

Ped­erasty could be a homo­pho­bic allu­sion to unsub­stan­ti­at­ed claims, first spread by Russ­ian media, that Macron was gay, or to the fact that he fell in love with an old­er woman in his ado­les­cence.

The stolen Macron emails were even­tu­al­ly dumped on the web­site Paste­bin and were pop­u­larised online by oth­er US-based far-right con­spir­a­cy the­o­rists such as William Crad­dick and Jack Poso­biec.

The Nation­al Secu­ri­ty Agency in the US said ear­li­er this week that the Russ­ian regime stole the Macron emails.

Trend Micro, a Japan­ese-based cyber secu­ri­ty firm, said in April that the Russ­ian regime had pre­vi­ous­ly tried to hack Macron’s team.

But one of the firm’s experts, Loic Gue­zo, told EUob­serv­er this week that the 5‑May dump of stolen Macron emails was more ama­teur­ish than the Russ­ian state’s modus operan­di.

“It could even have been some alt-right activist in the US hack­ing Macron’s team. It’s ful­ly open”, he said.

The links between US far-right activists, the Russ­ian state, and the cam­paign team of US pres­i­dent Don­ald Trump are the sub­ject of an FBI inves­ti­ga­tion in the US.

...

Mean­while, Jack Poso­biec, who has pre­vi­ous­ly said that Macron is con­trolled by telepa­thy and by drugs, has obtained a White House press badge.

He attend­ed a press brief­ing on 11 May on the FBI affair and lat­er broad­cast a video from the White House grounds prais­ing the FBI chief’s sack­ing.

———-

“US neo-Nazis linked to Macron hack” by Andrew Rettman; EUOb­serv­er; 05/12/2017 [39]

“France’s Le Monde news­pa­per report­ed [40] on Thurs­day (11 May) that a web­site called nouveaumartel.com, which was named as a go-to place for the pur­loined emails, shared the same dig­i­tal infra­struc­ture as dailystormer.com, a web­site cre­at­ed by the US neo-Nazi activist Andrew Auern­heimer.”

Ok, let’s break this down, because it’s some­what con­fus­ing:

1. So on May 3rd, 2017, hacked Macron doc­u­ments that appear to have been tam­pered with show up on 4chan.org, an ‘Alt-Right’ stomp­ing ground. The user post­ing these doc­u­ments then tells every­one that there’s going to be a bunch more doc­u­ments show­ing up on nouveaumartel.com.

2. Cyber­se­cu­ri­ty researchers dis­cov­er that the dig­i­tal infra­struc­ture behind nouveaumartel.com shares a heavy over­lap with the Dai­ly Stormer [2], a site man­aged by neo-Nazi hack­er extra­or­di­naire Andrew Auern­heimer.

3. On May 4th, Andrew Auern­heimer posts on his site that Nathan Dami­go, anoth­er US far-right activist, is about to dump a whole bunch of Macron files.

4. On May 5th, the big doc­u­ment dump hap­pens. Although it does­n’t show up on nouveaumartel.com. Instead, it shows up on Paste­bin, a neu­tral site where peo­ple can just peo­ple doc­u­ments and text.

5. After the sec­ond, much larg­er doc­u­ment dump on Paste­bin, the doc­u­ments quick­ly get spread around by Alt-Right fig­ures.

That’s the sum­ma­ry of what hap­pend:

...
The emails were dumped online on 5 May, short­ly before Macron won the French pres­i­den­tial elec­tion by a land­slide.

The dump came two days after an anony­mous user of an online mes­sage board called 4chan.org pub­lished fake doc­u­ments pur­port­ing to show that Macron had an off­shore fund.

“The French scene will be at nouveaumartel.com lat­er”, the anony­mous 4chan.org user said.

The dailystormer.com’s Auern­heimer is a white suprema­cist con­vict­ed of cyber crimes in the US.

His web­site often pop­u­laris­es the work of Nathan Dami­go, anoth­er US far-right activist who gained noto­ri­ety after phys­i­cal­ly assault­ing an anti-fas­cist pro­test­er.

Auern­heimer, in a post­ing on his site on 4 May, sug­gest­ed that Dami­go was about to pub­lish anti-Macron mate­r­i­al.

“The prophet of the white sharia Nathan Dami­go is about to release the frogs from ped­erasty”, he wrote.

Frogs could be a deroga­to­ry ref­er­ence to French peo­ple or to a car­toon frog, Pepe, adopt­ed as a sym­bol by US neo-Nazis.

Ped­erasty could be a homo­pho­bic allu­sion to unsub­stan­ti­at­ed claims, first spread by Russ­ian media, that Macron was gay, or to the fact that he fell in love with an old­er woman in his ado­les­cence.

The stolen Macron emails were even­tu­al­ly dumped on the web­site Paste­bin and were pop­u­larised online by oth­er US-based far-right con­spir­a­cy the­o­rists such as William Crad­dick and Jack Poso­biec.
...

It’s obvi­ous­ly some pret­ty com­pelling evi­dence that, at a min­i­mum, a bunch of ‘Alt-Right’ neo-Nazis played some sort of role in this hack. And, sure enough, Trend Micro’s Loïc Gué­zo, who was 99 per­cent sure the phish­ing domains were set up by Fan­cy Bear, was sud­den­ly very open to the pos­si­bil­i­ty that the ‘Alt-Right’ could have been behind the hack:

...
Trend Micro, a Japan­ese-based cyber secu­ri­ty firm, said in April that the Russ­ian regime had pre­vi­ous­ly tried to hack Macron’s team.

But one of the firm’s experts, Loic Gue­zo, told EUob­serv­er this week that the 5‑May dump of stolen Macron emails was more ama­teur­ish than the Russ­ian state’s modus operan­di.

“It could even have been some alt-right activist in the US hack­ing Macron’s team. It’s ful­ly open”, he said.
...

“It could even have been some alt-right activist in the US hack­ing Macron’s team. It’s ful­ly open”

It’s ful­ly open. That was Loïc Gué­zo’s take on the sit­u­a­tion after this rev­e­la­tion about the appar­ent ‘Alt-Right’ fore­knowl­edge of these hacks. And yet here we are, almost a year lat­er, and the Macron hack is being treat­ed as if it’s an open-and-shut case that ‘the Rus­sians did it’ and there is no men­tion at all of the role of Auern­heimer and the ‘Alt-Right’.

Self-impli­cat­ing “I’m a Russ­ian Hack­er!” Meta-Data Strikes Again

Now, it’s impor­tant to note that it’s entire­ly pos­si­ble that you could have a sit­u­a­tion where Fan­cy Bear (or anoth­er group try­ing to mim­ic Fan­cy Bear) did indeed set up a bunch of phish­ing sites while a bunch of neo-Nazis con­duct a com­plete­ly sep­a­rate hack­ing oper­a­tion. It’s also pos­si­ble that Fan­cy Bear (or a third par­ty pre­tend­ing to be them) could have suc­cess­ful­ly pulled off a hack using their phish­ing domains and then hand­ed the doc­u­ments to Auern­heimer or his asso­ciates. And yet these pos­si­bil­i­ties are nev­er even men­tioned. It’s as if any sto­ry that rais­es the mere pos­si­bil­i­ty that some of these hacks are being done non-Russ­ian hack­ers or might involve the coop­er­a­tion of non-Russ­ian hack­ers is com­plete­ly ignored by almost every­one. What’s the expla­na­tion for this?

Well, part of the expla­na­tion prob­a­bly has to do with the fact that meta­da­ta found in the dumped Macron doc­u­ments just hap­pened to con­tain iden­ti­fy­ing infor­ma­tion of a Russ­ian secu­ri­ty con­trac­tor at a com­pa­ny that does work for the FSB. It was rem­i­nis­cent of the “I’m a Russ­ian hack­er” meta­da­ta dis­cov­ered lit­er­al­ly one day after Guc­cifer 2.0 ini­tial­ly released some hacked DNC doc­u­ments in June of 2015 [41]. Except even more self-impli­cat­ing because the meta-data con­tained an actu­al name of an actu­al employ­ee.

Anoth­er bit of meta­da­ta used to attribute the hacked Macron doc­u­ments to Fan­cy Bear was the meta­da­ta of who uploaded the hacked doc­u­ments, which led to an email address on a Ger­man free web­mail provider. And this was declared to be fur­ther proof that this was the work of Fan­cy Bear because that same free web­mail provider was used in some ear­li­er attacks attrib­uted to Fan­cy Bear. Which is hor­ri­bly weak evi­dence. Of course hack­ers are going to a free Ger­man web­mail provider. Ger­many has brand­ed itself as a data pri­va­cy haven. All sort of hack­ers prob­a­bly using free Ger­man web­mail providers. It’s just sil­ly to use that as evi­dence for attri­bu­tion. And yet it hap­pened.

So after this meta­da­ta hys­te­ria was used to ‘con­clu­sive­ly’ prove that Rus­sia real­ly was behind the hack, the ques­tion of what role Andrew Auern­heimer and the ‘Alt Right’ neo-Nazis played in the hack stopped get­ting asked. The desired ‘answer’ was achieved [1]:

Ars Tech­ni­ca

Evi­dence sug­gests Rus­sia behind hack of French pres­i­dent-elect

Russ­ian secu­ri­ty firms’ meta­da­ta found in files, accord­ing to Wik­iLeaks and oth­ers.

Sean Gal­lagher — 5/8/2017, 1:18 PM

Late on May 5 as the two final can­di­dates for the French pres­i­den­cy were about to enter a press black­out in advance of the May 7 elec­tion, nine giga­bytes of data alleged­ly from the cam­paign of Emmanuel Macron were post­ed on the Inter­net in tor­rents and archives. The files, which were ini­tial­ly dis­trib­uted via links post­ed on 4Chan and then by Wik­iLeaks, had foren­sic meta­da­ta sug­gest­ing that Rus­sians were behind the breach—and that a Russ­ian gov­ern­ment con­tract employ­ee may have fal­si­fied some of the dumped doc­u­ments.

Even Wik­iLeaks, which ini­tial­ly pub­li­cized the breach and defend­ed its integri­ty on the orga­ni­za­tion’s Twit­ter account, has since acknowl­edged that some of the meta­da­ta point­ed direct­ly to a Russ­ian com­pa­ny with ties to the gov­ern­ment:

Evri­ka (“Eure­ka”) ZAO [45] is a large infor­ma­tion tech­nol­o­gy com­pa­ny in St. Peters­burg that does some work for the Russ­ian gov­ern­ment, and the group includes the Fed­er­al Secu­ri­ty Ser­vice of the Russ­ian Fed­er­a­tion (FSB) among its acknowl­edged cus­tomers (as not­ed in this job list­ing [46]). The com­pa­ny is a sys­tems inte­gra­tor, and it builds its own com­put­er equip­ment and pro­vides “inte­grat­ed infor­ma­tion secu­ri­ty sys­tems.” The meta­da­ta in some Microsoft Office files shows the last per­son to have edit­ed the files to be “Rosh­ka Georgiy Petro­vich,” a cur­rent or for­mer Evri­ka ZAO employ­ee.

[see screen­shot of meta­da­ta show­ing the name of Evri­ka ZAO employ­ee “Rosh­ka Georgiy Petro­vich” [47]]

...

The meta­da­ta attached to the upload of the Macron files also includes some iden­ti­fy­ing data with an e‑mail address for the per­son upload­ing the con­tent to archive.org:

The e‑mail address of the uploader, frankmacher1@gmx.de [50], is reg­is­tered with a Ger­man free web­mail provider used pre­vi­ous­ly in 2016 Pawn Storm / APT28 phish­ing attacks against the Chris­t­ian Demo­c­ra­t­ic Union [51], Ger­man Chan­cel­lor Angela Merkel’s polit­i­cal par­ty.

The involve­ment of APT28, the edit­ing of some doc­u­ments leaked by some­one using a Russ­ian ver­sion of Microsoft Office, and the attempt to spread the data through ampli­fi­ca­tion in social media chan­nels such as 4Chan, Twit­ter, and Facebook—where a num­ber of new accounts post­ed links to the data—are all char­ac­ter­is­tics of the infor­ma­tion oper­a­tions seen dur­ing the 2016 US pres­i­den­tial cam­paign.

...

———-

“Evi­dence sug­gests Rus­sia behind hack of French pres­i­dent-elect” by Sean Gal­lagher; Ars Tech­ni­ca; 05/08/2017 [1]

Evri­ka (“Eure­ka”) ZAO [45] is a large infor­ma­tion tech­nol­o­gy com­pa­ny in St. Peters­burg that does some work for the Russ­ian gov­ern­ment, and the group includes the Fed­er­al Secu­ri­ty Ser­vice of the Russ­ian Fed­er­a­tion (FSB) among its acknowl­edged cus­tomers (as not­ed in this job list­ing [46]). The com­pa­ny is a sys­tems inte­gra­tor, and it builds its own com­put­er equip­ment and pro­vides “inte­grat­ed infor­ma­tion secu­ri­ty sys­tems.” The meta­da­ta in some Microsoft Office files shows the last per­son to have edit­ed the files to be “Rosh­ka Georgiy Petro­vich,” a cur­rent or for­mer Evri­ka ZAO employ­ee

Yep, a Russ­ian con­trac­tor appar­ent­ly screwed up big time and left mod­i­fied a hacked Word Doc­u­ment on a ver­sion of Word reg­is­tered to his per­son­al name. That’s what we’re expect­ed to believe. And while it’s cer­tain­ly pos­si­ble a mis­take of that nature hap­pened, when you fac­tor this into the larg­er con­text of ‘Alt-Right’ fin­ger­prints all over the actu­al dis­tri­b­u­tion of the doc­u­ments and the fact that meta­da­ta was used to attribute the DNC hacks to Russ­ian hack­ers, it seems like an out­ra­geous con­clu­sion to assume with cer­tain­ty that this meta­da­ta was indeed strong evi­dence of Russ­ian hack­ers at work.

Sim­i­lar­ly, the fact that the upload­er’s email address used the same free Ger­man web mail ser­vice that pre­vi­ous attacks attrib­uted to Fan­cy Bear is basi­cal­ly no evi­dence at all. And yet it’s treat­ed as such:

...
The meta­da­ta attached to the upload of the Macron files also includes some iden­ti­fy­ing data with an e‑mail address for the per­son upload­ing the con­tent to archive.org:

The e‑mail address of the uploader, frankmacher1@gmx.de [50], is reg­is­tered with a Ger­man free web­mail provider used pre­vi­ous­ly in 2016 Pawn Storm / APT28 phish­ing attacks against the Chris­t­ian Demo­c­ra­t­ic Union [51], Ger­man Chan­cel­lor Angela Merkel’s polit­i­cal par­ty.
...

And that meta­da­ta appears to be the ‘evi­dence’ that more or less put to rest any ques­tions about who actu­al­ly hacked those doc­u­ments. It was Fan­cy Bear.

Seri­ous­ly, once this meta­da­ta was dis­cov­ered, the news reports treat­ed it as case closed. For instance, check out this New York Times arti­cle from May 9th, 2017, where the attri­bu­tion is almost entire­ly based on the meta­da­ta and oth­er ‘dig­i­tal fin­ger­prints’ in the doc­u­ments sug­gest­ing that the doc­u­ments were mod­i­fied on Russ­ian lan­guage com­put­ers using Russ­ian ver­sion of soft­ware like Microsoft Word.

And there’s one par­tic­u­lar­ly reveal­ing com­ment from John Hultquist, the direc­tor of cyberes­pi­onage from Fire­Eye, anoth­er US cyber­se­cu­ri­ty com­pa­ny: “There was a time when Russ­ian hack­ers were char­ac­ter­ized by their lack of slop­pi­ness,” Mr. Hultquist said. “When they made mis­takes, they burned their entire oper­a­tion and start­ed anew. But since the inva­sion of Ukraine and Crimea we’ve seen them car­ry out brazen, large scale attacks, [per­haps because] there have been few con­se­quences for their actions.”

There was a time when Russ­ian hack­ers were “burn down their entire oper­a­tion and start anew” if they were caught. But now? It’s slop­pi­ness and mis­takes and reuse of the same dig­i­tal infra­struc­ture with almost every hack. Appar­ent­ly [52]:

The New York Times

Hack­ers Came, but the French Were Pre­pared

By ADAM NOSSITER, DAVID E. SANGER and NICOLE PERLROTH
MAY 9, 2017

PARIS — Every­one saw the hack­ers com­ing.

The Nation­al Secu­ri­ty Agency in Wash­ing­ton picked up the signs. So did Emmanuel Macron’s bare-bones tech­nol­o­gy team. And mind­ful of what hap­pened in the Amer­i­can pres­i­den­tial cam­paign, the team cre­at­ed dozens of false email accounts, com­plete with pho­ny doc­u­ments, to con­fuse the attack­ers.

The Rus­sians, for their part, were rushed and a bit slop­py, leav­ing a trail of evi­dence that was not enough to prove for cer­tain they were work­ing for the gov­ern­ment of Pres­i­dent Vladimir V. Putin but which strong­ly sug­gest­ed they were part of his broad­er “infor­ma­tion war­fare” cam­paign.

...

Tes­ti­fy­ing in front of the Sen­ate Armed Ser­vices Com­mit­tee in Wash­ing­ton on Tues­day, Adm. Michael S. Rogers, the direc­tor of the Nation­al Secu­ri­ty Agency, said Amer­i­can intel­li­gence agen­cies had seen the attack unfold­ing, telling their French coun­ter­parts, “Look, we’re watch­ing the Rus­sians. We’re see­ing them pen­e­trate some of your infra­struc­ture. Here’s what we’ve seen. What can we do to try to assist?”

But the staff at Mr. Macron’s makeshift head­quar­ters in the 15th Arrondisse­ment at the edge of Paris didn’t need the N.S.A. to tell them they were being tar­get­ed: In Decem­ber, after the for­mer invest­ment banker and finance min­is­ter had emerged as eas­i­ly the most anti-Russ­ian, pro-NATO and pro-Euro­pean Union can­di­date in the pres­i­den­tial race, they began receiv­ing phish­ing emails.

...

Odd­ly, the Rus­sians did a poor job of cov­er­ing their tracks. That made it eas­i­er for pri­vate secu­ri­ty firms, on alert after the efforts to manip­u­late the Amer­i­can elec­tion, to search for evi­dence.

In mid-March, researchers with Trend Micro, the cyber­se­cu­ri­ty giant based in Tokyo, watched the same Russ­ian intel­li­gence unit behind some of the Demo­c­ra­t­ic Nation­al Com­mit­tee hacks start build­ing the tools to hack Mr. Macron’s cam­paign. They set up web domains mim­ic­k­ing those of Mr. Macron’s En Marche! Par­ty, and began dis­patch­ing emails with mali­cious links and fake login pages designed to bait cam­paign staffers into divulging their user­names and pass­words, or to click on a link that would give the Rus­sians a toe­hold onto the campaign’s net­work.

It was the clas­sic Russ­ian play­book, secu­ri­ty researchers say, but this time the world was pre­pared. “The only good news is that this activ­i­ty is now com­mon­place, and the gen­er­al pop­u­la­tion is so used to the idea of a Russ­ian hand behind this, that it back­fired on them,” said John Hultquist, the direc­tor of cyberes­pi­onage analy­sis at Fire­Eye, the Sil­i­con Val­ley secu­ri­ty firm.

Mr. Hultquist not­ed that the attack was char­ac­ter­ized by haste, and a trail of dig­i­tal mis­takes. “There was a time when Russ­ian hack­ers were char­ac­ter­ized by their lack of slop­pi­ness,” Mr. Hultquist said. “When they made mis­takes, they burned their entire oper­a­tion and start­ed anew. But since the inva­sion of Ukraine and Crimea,” he said, “we’ve seen them car­ry out brazen, large scale attacks,” per­haps because “there have been few con­se­quences for their actions.”

The hack­ers also made the mis­take of releas­ing infor­ma­tion that was, by any cam­paign stan­dard, pret­ty bor­ing. The nine giga­bytes worth of pur­port­ed­ly stolen emails and files from the Macron cam­paign was spun as scan­dalous mate­r­i­al, but turned out to be almost entire­ly the hum­drum of cam­paign work­ers try­ing to con­duct ordi­nary life in the midst of the elec­tion mael­strom.

One of the leaked emails details a cam­paign staffer’s strug­gle with a bro­ken down car. Anoth­er doc­u­ments how a cam­paign work­er was rep­ri­mand­ed for fail­ure to invoice a cup of cof­fee.

That is when the hack­ers got slop­py. The meta­da­ta tied to a hand­ful of doc­u­ments — code that shows the ori­gins of a doc­u­ment — show some passed through Russ­ian com­put­ers and were edit­ed by Russ­ian users. Some Excel doc­u­ments were mod­i­fied using soft­ware unique to Russ­ian ver­sions of Microsoft Win­dows.

Oth­er doc­u­ments had last been mod­i­fied by Russ­ian user­names, includ­ing one per­son that researchers iden­ti­fied as a 32-year-old employ­ee of Eure­ka CJSC, based in Moscow, a Russ­ian tech­nol­o­gy com­pa­ny that works close­ly with the Russ­ian Min­istry of Defense and intel­li­gence agen­cies. The com­pa­ny has received licens­es from Russia’s Fed­er­al Secu­ri­ty Ser­vice, or FSB [53], to help pro­tect state secrets. The com­pa­ny did not return emails request­ing com­ment.

Oth­er leaked doc­u­ments appear to have been forged, or faked. One pur­port­ed to detail the pur­chase of the stim­u­lant mephedrone, some­times sold as “bath salts,” by a Macron cam­paign staffer who alleged­ly had the drugs shipped to the address of France’s Nation­al Assem­bly. But Henk Van Ess, a mem­ber of the inves­ti­ga­tions team at Belling­cat, a British inves­ti­ga­tions orga­ni­za­tion, and oth­ers dis­cov­ered that the trans­ac­tion num­bers in the receipt were not in the pub­lic ledger of all Bit­coin trans­ac­tions.

“It’s clear they were rushed,” Mr. Hultquist said. “If this was APT28,” he said, using the name for a Russ­ian group believed to be linked to the GRU, a mil­i­tary intel­li­gence agency, “they have been caught in the act, and it has back­fired for them.”

Now, he said, the fail­ure of the Macron hacks could just push Russ­ian hack­ers to improve their meth­ods.

“They may have to change their play­book entire­ly,” Mr. Hultquist said.

———-

“Hack­ers Came, but the French Were Pre­pared” by ADAM NOSSITER, DAVID E. SANGER and NICOLE PERLROTH; The New York Times; 05/09/2017 [52]

Odd­ly, the Rus­sians did a poor job of cov­er­ing their tracks. That made it eas­i­er for pri­vate secu­ri­ty firms, on alert after the efforts to manip­u­late the Amer­i­can elec­tion, to search for evi­dence.”

Yes, it is quite odd how poor­ly the Rus­sians did of cov­er­ing their tracks, if indeed this was a Russ­ian gov­ern­ment oper­a­tion. Ahis­tor­i­cal­ly odd:

...
It was the clas­sic Russ­ian play­book, secu­ri­ty researchers say, but this time the world was pre­pared. “The only good news is that this activ­i­ty is now com­mon­place, and the gen­er­al pop­u­la­tion is so used to the idea of a Russ­ian hand behind this, that it back­fired on them,” said John Hultquist, the direc­tor of cyberes­pi­onage analy­sis at Fire­Eye, the Sil­i­con Val­ley secu­ri­ty firm.

Mr. Hultquist not­ed that the attack was char­ac­ter­ized by haste, and a trail of dig­i­tal mis­takes. “There was a time when Russ­ian hack­ers were char­ac­ter­ized by their lack of slop­pi­ness,” Mr. Hultquist said. “When they made mis­takes, they burned their entire oper­a­tion and start­ed anew. But since the inva­sion of Ukraine and Crimea,” he said, “we’ve seen them car­ry out brazen, large scale attacks,” per­haps because “there have been few con­se­quences for their actions.”
...

“When they made mis­takes, they burned their entire oper­a­tion and start­ed anew.”

So until the con­flict broke out in Ukraine, Russ­ian hack­ers were intel­li­gent enough to ‘burn their entire oper­a­tion’ and switch up their method­ol­o­gy after get­tin caught. But ever since the con­flict with Ukraine, Russ­ian hack­ers have sud­den­ly decid­ed to keep leav­ing the same ‘dig­i­tal fin­ger­prints’ over and over despite ‘get­ting caught’. And they’ve start­ed leav­ing self-impli­cat­ing meta­da­ta. It’s all quite odd.

And notice how the nar­ra­tive of that arti­cle made no dis­tinc­tion between the phish­ing sites that Trend Micro and oth­ers attrib­uted to Fan­cy Bear and the actu­al hack­ing and dis­tri­b­u­tion of the doc­u­ments that appeared to come from US ‘Alt-Right’ neo-Nazis. Recall how even Trend Micro’s ana­lysts con­sid­ered the case of who did the actu­al hack­ing as a ‘very open’ ques­tion one day after the hacks. But then this “I’m a Russ­ian hack­er!” meta­da­ta is dis­cov­ered and the ‘Alt-Right’ neo-Nazi angle of entire affair is sud­den­ly for­got­ten. of the In fact, if you read the full arti­cle, there was no men­tion of the ‘Alt-Right’ neo-Nazis at all. It was like it nev­er hap­pened.

Every­one Says it Was Fan­cy Bear. Except the French Cyber­se­cu­ri­ty Agency

So pret­ty much every­one in the cyber­se­cu­ri­ty are­na has con­clud­ed that this hack was indeed done by Fan­cy Bear, right? Well, not quite. There are plen­ty of cyber­se­cu­ri­ty pro­fes­sion­sals who have been crit­i­cal of the con­tem­po­rary cyber attri­bu­tion stan­dards. And as the fol­low­ing arti­cle from June of 2017, about a month after the actu­al hack, makes clear, there was one very notable dis­senter from Dmitri Alpover­tich’s attri­bu­tion stan­dards: The head of the French cyber­se­cu­ri­ty agency, Guil­laume Poupard, viewed the hack as so unso­phis­ti­cat­ed that a lone indi­vid­ual could have pulled it off.

And Poupard had anoth­er crit­i­cal warn­ing: false flag cyber­at­tacks designed to pit one nation against anoth­er could be used to cre­ate “inter­na­tion­al chaos” [54]:

EU Observ­er

Macron Leaks could be ‘iso­lat­ed indi­vid­ual’, France says

By Andrew Rettman
BRUSSELS, 2. Jun 2017, 09:20

France has found no evi­dence that Rus­sia was behind Macron Leaks, but Russ­ian leader Vladimir Putin has warned that “patri­ot­ic” hack­ers could strike the Ger­man elec­tion.

Guil­laume Poupard, the head of the French cyber secu­ri­ty agency, Anssi, told the AP news agency on Thurs­day (1 June) that the Macron hack resem­bled the actions of “an iso­lat­ed indi­vid­ual”.

“The attack was so gener­ic and sim­ple that it could have been prac­ti­cal­ly any­one”, he said. “It real­ly could be any­one. It could even be an iso­lat­ed indi­vid­ual”.

The Macron Leaks saw a hack­er steal and pub­lish [55] inter­nal emails from the cam­paign of Emmanuel Macron 48 hours before the French vote last month, which Macron went on to win.

Some secu­ri­ty experts blamed it on a hack­er group called APT28, which is said by the US to be a front for Russ­ian intel­li­gence.

But Poupard said on Thurs­day: “To say Macron Leaks was APT28, I’m absolute­ly inca­pable today of doing that … I have absolute­ly no ele­ment to say whether it’s true or false”..

Macron’s cam­paign was also tar­get­ed by hack­ers ear­li­er in March in a more sophis­ti­cat­ed attack blamed on APT28.

...

‘Patri­ot­ic’ threat

US and Ger­man intel­li­gence chiefs have been more bold in their accu­sa­tions.

Hans-Georg Maassen, the direc­tor of Germany’s BfV intel­li­gence ser­vice, said in May that Krem­lin-linked hack­ers had stolen infor­ma­tion on Ger­man MPs in the run-up to the Ger­man elec­tion in Sep­tem­ber.

“We recog­nise this as a cam­paign being direct­ed from Rus­sia”, he said.

But Rus­sia has denied the alle­ga­tions.

Its pres­i­dent, Vladimir Putin, told media in Moscow on Thurs­day: “We do not engage in this activ­i­ty at the gov­ern­ment lev­el and are not going to engage in it”.

He warned at the same time that inde­pen­dent hack­ers might tar­get the Ger­man or oth­er EU elec­tions for “patri­ot­ic” rea­sons if they felt lead­ers were “speak­ing ill of Rus­sia”.

“Hack­ers are free peo­ple like artists. If artists get up in the morn­ing feel­ing good, all they do all day is paint”, Putin said.

“The same goes for hack­ers. They got up today and read that some­thing is going on inter­na­tion­al­ly. If they are feel­ing patri­ot­ic they will start con­tribut­ing, as they believe, to the jus­ti­fied fight against those speak­ing ill of Rus­sia”.

With Macron hav­ing won despite the leaks, Putin said: “I am deeply con­vinced that no hack­ers can have a real impact on an elec­tion cam­paign in anoth­er coun­try”.

Macron, at a meet­ing with Putin in Paris on Mon­day, said Russ­ian state media [56] tried to influ­ence the vote with fake news, but Putin said on Thurs­day: “Noth­ing, no infor­ma­tion can be imprint­ed in vot­ers’ minds, in the minds of a nation, and influ­ence the final out­come and the final result”.

False flags

Poupard and Putin said false flag attacks were eas­i­er in cyber­space than in real life.

Poupard said France had in the past been hacked by groups “attrib­uted to Chi­na … I don’t know if it was the state, crim­i­nals”. But he added that: “What I’m cer­tain of is that among these attacks, some strange­ly resem­bled Chi­nese attacks but in fact did­n’t come from Chi­na”.

Putin said: “I can image a sce­nario when some­body devel­ops a chain of attacks in a man­ner that would show Rus­sia as the source of these attacks. Mod­ern tech­nol­o­gy allows that. It’s very easy”.

Poupard said if states wrong­ly accused each oth­er of cyber strikes it could lead to “inter­na­tion­al chaos”.

“We’ll get what we all fear, which is to say a sort of per­ma­nent con­flict where every­one is attack­ing every­one else”, he said.

The “night­mare sce­nario” would be “a sort of per­ma­nent war, between states and oth­er organ­i­sa­tions, which can be crim­i­nal and ter­ror­ist organ­i­sa­tions, where every­one will attack each oth­er, with­out real­ly know­ing who did what”, he said.

———-

“Macron Leaks could be ‘iso­lat­ed indi­vid­ual’, France says” by Andrew Rettman; EU Observ­er; 06/02/2017 [54]

“The attack was so gener­ic and sim­ple that it could have been prac­ti­cal­ly anyone...It real­ly could be any­one. It could even be an iso­lat­ed indi­vid­ual”.

That was what Guil­laume Poupard, the head of the French cyber secu­ri­ty agency, Anssi, told the AP news. The attack was so gener­ic and sim­ple that it could have been done by an iso­lat­ed indi­vid­ual. It’s a big reminder of why sim­i­lar­i­ties in method­ol­o­gy between attacks is a bad idea for so many of the hack­ing cam­paigns we’re see­ing: you don’t need a super sophis­ti­cat­ed hack­ing cam­paign when all you’re doing is spear-phish­ing. Sure, you need to seet up con­vinc­ing fake login web­sites or con­vinc­ing emails that trick at least one per­son into down­load­ing mal­ware, but that’s the kind of thing a skilled iso­lat­ed indi­vid­ual can do:

...
Some secu­ri­ty experts blamed it on a hack­er group called APT28, which is said by the US to be a front for Russ­ian intel­li­gence.

But Poupard said on Thurs­day: “To say Macron Leaks was APT28, I’m absolute­ly inca­pable today of doing that … I have absolute­ly no ele­ment to say whether it’s true or false”..
...

“To say Macron Leaks was APT28, I’m absolute­ly inca­pable today of doing that … I have absolute­ly no ele­ment to say whether it’s true or false”

That seems like a pret­ty impor­tant point to pub­licly make in this kind of sit­u­a­tion. After all, if major high-pro­file hack are tak­ing place — hacks that appear to com­ing from nation states due to all the slop­py clues being left — and those hacks could indeed be car­ried out by indi­vid­u­als who would like to sow inter­na­tion­al choas, it seems like the pub­lic should know this. And yet the head of French cyber­se­cu­ri­ty is large­ly only cyber­se­cu­ri­ty pub­lic offi­cial in mak­ing this point, which is dan­ger­ous­ly odd:

...
Poupard said France had in the past been hacked by groups “attrib­uted to Chi­na … I don’t know if it was the state, crim­i­nals”. But he added that: “What I’m cer­tain of is that among these attacks, some strange­ly resem­bled Chi­nese attacks but in fact did­n’t come from Chi­na”.

...

Poupard said if states wrong­ly accused each oth­er of cyber strikes it could lead to “inter­na­tion­al chaos”.

“We’ll get what we all fear, which is to say a sort of per­ma­nent con­flict where every­one is attack­ing every­one else”, he said.

The “night­mare sce­nario” would be “a sort of per­ma­nent war, between states and oth­er organ­i­sa­tions, which can be crim­i­nal and ter­ror­ist organ­i­sa­tions, where every­one will attack each oth­er, with­out real­ly know­ing who did what”, he said.
...

“The “night­mare sce­nario” would be p, he said.”

Yeah, “a sort of per­ma­nent war, between states and oth­er organ­i­sa­tions, which can be crim­i­nal and ter­ror­ist organ­i­sa­tions, where every­one will attack each oth­er, with­out real­ly know­ing who did what” that sounds like quite a night­mare sce­nario.

But it’s a sce­nario that the US and Ger­man intel­li­gence chiefs clear­ly do not fear. At least not when it comes to con­tem­po­rary wave of hacks Rus­sia:

...
US and Ger­man intel­li­gence chiefs have been more bold in their accu­sa­tions.

Hans-Georg Maassen, the direc­tor of Germany’s BfV intel­li­gence ser­vice, said in May that Krem­lin-linked hack­ers had stolen infor­ma­tion on Ger­man MPs in the run-up to the Ger­man elec­tion in Sep­tem­ber.

“We recog­nise this as a cam­paign being direct­ed from Rus­sia”, he said.
...

Alarm­ing­ly, Vladimir Putin also had a take on the sit­u­a­tion that, if any­thing, made a bad sit­u­a­tion much worse. First, he warned that the hack­ing attacks might in fact be ‘patri­ot­ic’ inde­pen­dent Russ­ian hack­ers were might wake up in the morn­ing feel­ing patri­o­ci and “start con­tribut­ing, as they believe, to the jus­ti­fied fight against those speak­ing ill of Rus­sia.”:

...
Its pres­i­dent, Vladimir Putin, told media in Moscow on Thurs­day: “We do not engage in this activ­i­ty at the gov­ern­ment lev­el and are not going to engage in it”.

He warned at the same time that inde­pen­dent hack­ers might tar­get the Ger­man or oth­er EU elec­tions for “patri­ot­ic” rea­sons if they felt lead­ers were “speak­ing ill of Rus­sia”.

“Hack­ers are free peo­ple like artists. If artists get up in the morn­ing feel­ing good, all they do all day is paint”, Putin said.

“The same goes for hack­ers. They got up today and read that some­thing is going on inter­na­tion­al­ly. If they are feel­ing patri­ot­ic they will start con­tribut­ing, as they believe, to the jus­ti­fied fight against those speak­ing ill of Rus­sia”.
...

“The same goes for hack­ers. They got up today and read that some­thing is going on inter­na­tion­al­ly. If they are feel­ing patri­ot­ic they will start con­tribut­ing, as they believe, to the jus­ti­fied fight against those speak­ing ill of Rus­sia”.

That was an absolute­ly insane com­ment for some­one in Putin’s posi­tion to make pub­licly. Because while it is absolute­ly true that you could have ‘patri­ot­ic hack­ers’ doing all sorts of hacks, you don’t want nation­al lead­ers encour­ag­ing and val­i­dat­ing that. It’s the kind of com­ment that could eas­i­ly be inter­pret­ed as an open invi­ta­tion for Russ­ian hack­ers to do exact­ly that and an open invi­ta­tion for any oth­er hack­er around the world to wage a “I’m a Russ­ian hack­er!” hack­ing cam­paign. It was a dumb com­ment on mul­ti­ple lev­els.

And then Putin made the insane com­ment that, “I am deeply con­vinced that no hack­ers can have a real impact on an elec­tion cam­paign in anoth­er coun­try.” And this is after the obvi­ous sign­f­i­cant impact the DNC hacks had on the 2016 cam­paign and the near-miss in the French elec­tion with faked doc­u­ments. It was­n’t a good look:

...
With Macron hav­ing won despite the leaks, Putin said: “I am deeply con­vinced that no hack­ers can have a real impact on an elec­tion cam­paign in anoth­er coun­try”.

Macron, at a meet­ing with Putin in Paris on Mon­day, said Russ­ian state media [56] tried to influ­ence the vote with fake news, but Putin said on Thurs­day: “Noth­ing, no infor­ma­tion can be imprint­ed in vot­ers’ minds, in the minds of a nation, and influ­ence the final out­come and the final result”.
...

So we have this remark­able sit­u­a­tion where West­ern gov­ern­ments like the US and Ger­many have reject­ed the long-stand­ing hes­i­tan­cy in attribut­ing cyber attacks due to the inher­ent ambi­gu­i­ty in mak­ing these kinds of attri­bu­tions. And Vladimir Putin was mak­ing a non­sense com­ment about hack­ers not being able to sway elec­tions while he appeared to be egging hack­ers and simul­ta­ne­ous­ly mak­ing Rus­sia an eas­i­er tar­get for false flag attri­bu­tion. In oth­er words, the we have lead­ers on both sides of this ‘cyber Cold War’ help­ing to make the sit­u­a­tion ripe for exact­ly the kind of “inter­na­tion­al chaos” France’s cyber chief was warn­ing about.

The Oth­er Side of the “Inter­na­tion Chaos” Coin

At the same time, let’s not for­get that a staus quo where cyber­at­tri­bu­tion is made very hes­i­tant­ly due to these ambi­gu­i­ties and the abil­i­ty to wage false flag attacks, is poten­tial­ly anoth­er form of “inter­na­tion­al chaos.” A sit­u­a­tion were nations and pri­vate enti­ties can effec­tive hack each oth­er with rel­a­tive impuni­ty as long as they are rea­son­ably com­pe­tent in exe­cut­ing the hack with­out leav­ing self-impli­cat­ing mis­takes. In oth­er words, the issue of how to address cyber­at­tri­bu­tion is one of those sit­u­a­tions were there real­ly is no ‘clean’ answer. Each approach has its own down­sides.

For instance, imag­ine the NSA has secret intel­li­gence that does actu­al­ly allow it to con­fi­dent­ly attribute a hack to Rus­sia or Chi­na or Ger­many or who­ev­er. But that evi­dence can’t be pub­licly revealed and the evi­dence that can be pub­licly revealed, like the IP addressed used in the hack, is too ambigu­ous to make a sol­id attri­bu­tion. What is US gov­ern­ment going to do in that sit­u­a­tion? Espe­cial­ly if the hacks are very high-pro­file? Does it just throw its hands up and say, “oh well, we know it’s the Rus­sians (or Chi­nese or Ger­mans or who­ev­er) pulling these hacks off, but we just can’t prove it”? Because that is an option. Anoth­er options is try­ing to address these top­ics on a gov­ern­ment-to-gov­ern­ment lev­el and hop­ing it can get worked out that way. If it that avenue does­n’t yield results, what’s a gov­ern­ment going to do if it real­ly can con­fi­dent­ly make an attri­bu­tion but can’t pub­licly reveal the evi­dence?

Or let’s con­sid­er anoth­er sce­nario: a gov­ern­ment can’t con­clu­sive­ly prove who is behind a hack, but it’s pret­ty sure it knows who’s behind it giv­en the cir­cum­stances. What’s a gov­ern­ment going to do in that sit­u­a­tion when the inher­ent ambi­gu­i­ties in cyber­at­tri­bu­tion basi­cal­ly make pre­sent­ing a pub­lic case prov­ing their sus­pi­cions impos­si­ble? Espe­cial­ly if the hacks keep com­ing? What’s a gov­ern­ment going to do?

And then there’s the oth­er obvi­ous sce­nario: a gov­ern­ment can’t con­clu­sive­ly prove who is behind a hack, but it real­ly wants to pin it on a par­tic­u­lar adver­sary and the hack­ers just hap­pened to make all sort of ‘mis­takes’ that could be inter­pret­ted as real dig­i­tal evi­dence but could also eas­i­ly be inter­pret­ted as inten­tion­al­ly placed false flag decoy mis­takes. What’s a gov­ern­ment going to do when it’s hand­ed that kind of ‘gift’ if it hap­pens in the mid­dle of a wave of brazen hacks?

These kinds of sce­nar­ios are all total­ly fea­si­ble and prob­a­bly play­ing out around the globe all the time: a hack hap­pens, a gov­ern­ment has sus­pi­cions and hunch­es, maybe even some intel­li­gence sug­gest­ed that an adver­sary was prob­a­bly behind it, but noth­ing can be con­clu­sive­ly proven based on the tech­ni­cal evi­dence. On one lev­el, these are sit­u­a­tions where a gov­ern­ment can appear to be seem­ing­ly help­less and that real­ly is a kind of “inter­na­tion­al chaos” sit­u­a­tion. So what does a gov­ern­ment do in this case?

This is prob­a­bly a good point to re-read the com­ments we saw above from John Hultquist, the direc­tor of cyberes­pi­onage analy­sis at Fire­Eye, about the sud­den change in Russ­ian hack­ing behav­ior that start­ed in 2014 fol­low­ing the con­flict in Ukraine:

...
Mr. Hultquist not­ed that the attack was char­ac­ter­ized by haste, and a trail of dig­i­tal mis­takes. “There was a time when Russ­ian hack­ers were char­ac­ter­ized by their lack of slop­pi­ness,” Mr. Hultquist said. “When they made mis­takes, they burned their entire oper­a­tion and start­ed anew. But since the inva­sion of Ukraine and Crimea,” he said, “we’ve seen them car­ry out brazen, large scale attacks,” per­haps because “there have been few con­se­quences for their actions.”
...

We have the sud­den change in ‘Russ­ian hack­er’ behav­ior, where ten­sions flare up between Russ­ian the West and then there’s all sort of “I’m a Russ­ian hack­er” attacks over an over where the evi­dence might be spoofed by a third par­ty but also might be inten­tion­al­ly left be the Russ­ian hack­ers to achieve some sort of psy­cho­log­i­cal war­fare objec­tives. And it’s pos­si­ble the NSA has secret evi­dence tying all this back to actu­al Russ­ian gov­ern­ment hack­ers that it can’t reveal, or maybe not and the West­ern gov­ern­ments are mere­ly ‘pret­ty sure’ it’s real­ly a Russ­ian gov­ern­ment cam­paign and don’t want to let them ‘get away with it’?

So what’s the appro­pri­ate approach to a sit­u­a­tion like this? Well, it turns out the cur­rent round of West­ern gov­ern­ments direct­ly attribut­ing these hacks to the Russ­ian gov­ern­ment is both his­tor­i­cal­ly very unusu­al­ly and actu­al­ly a reflec­tion of a choice that was made at the gov­ern­ment lev­el and with­in the cyber­se­cu­ri­ty indus­try on how to address these sit­u­a­tions: Make pub­lic attri­bu­tion a pri­or­i­ty because that’s seen as the best defense against future attacks. Yep, for the past 5 years or so, the cyber­se­cu­ri­ty indus­try has seen a rev­o­lu­tion in how it treats cyber­at­tri­bu­tion based on a one-man cam­paign. And that man is Dmitri Alper­ovitch, the co-founder of Crowd­Strike, the com­pa­ny that led the inves­ti­ga­tion of the 2016 DNC hack and made the ini­tial ‘Rus­sia did it’ attri­bu­tion. As the fol­low­ing Esquire arti­cle about Alper­ovitch note, mak­ing a pub­lic attri­bu­tion direct­ly blam­ing oth­er nation states and doing it fast and fore­ful­ly used to be seen as heresy with­in the cyber­se­cu­ri­ty indus­try. But as Alpover­itch saw it, that hes­i­tan­cy of cyber­se­cu­ri­ty firms was only encour­ag­ing nation-state hack­ing groups and the only solu­tion was aggres­sive pub­lic attri­bu­tion cam­paigns. And as the arti­cle makes clear, Alper­ovitch’s views won out, and the whole indus­try of cyber­at­tri­bu­tion has under­gone a rad­i­cal rev­o­lu­tion [57]:

Esquire

The Russ­ian Expat Lead­ing the Fight to Pro­tect Amer­i­ca

In a war against hack­ers, Dmitri Alper­ovitch and Crowd­Strike are our spe­cial forces (and Putin’s worst night­mare).

By Vicky Ward
Oct 24, 2016

At six o’clock on the morn­ing of May 6, Dmitri Alper­ovitch woke up in a Los Ange­les hotel to an alarm­ing email. Alper­ovitch is the thir­ty-six-year-old cofounder of the cyber­se­cu­ri­ty firm Crowd­Strike, and late the pre­vi­ous night, his com­pa­ny had been asked by the Demo­c­ra­t­ic Nation­al Com­mit­tee to inves­ti­gate a pos­si­ble breach of its net­work. A Crowd­Strike secu­ri­ty expert had sent the DNC a pro­pri­etary soft­ware pack­age, called Fal­con, that mon­i­tors the net­works of its clients in real time. Fal­con “lit up,” the email said, with­in ten sec­onds of being installed at the DNC: Rus­sia was in the net­work.

Alper­ovitch, a slight man with a sharp, quick demeanor, called the ana­lyst who had emailed the report. “Are we sure it’s Rus­sia?” he asked.

The ana­lyst said there was no doubt. Fal­con had detect­ed mali­cious soft­ware, or mal­ware, that was steal­ing data and send­ing it to the same servers that had been used in a 2015 attack on the Ger­man Bun­destag. The code and tech­niques used against the DNC resem­bled those from ear­li­er attacks on the White House and the State Depart­ment. The ana­lyst, a for­mer intel­li­gence offi­cer, told Alper­ovitch that Fal­con had iden­ti­fied not one but two Russ­ian intrud­ers: Cozy Bear, a group Crowd­Strike’s experts believed was affil­i­at­ed with the FSB, Rus­si­a’s answer to the CIA; and Fan­cy Bear, which they had linked to the GRU, Russ­ian mil­i­tary intel­li­gence.

Alper­ovitch then called Shawn Hen­ry, a tall, bald fifty-four-year-old for­mer exec­u­tive assis­tant direc­tor at the FBI who is now Crowd­Strike’s pres­i­dent of ser­vices. Hen­ry led a foren­sics team that retraced the hack­ers’ steps and pieced togeth­er the pathol­o­gy of the breach. Over the next two weeks, they learned that Cozy Bear had been steal­ing emails from the DNC for more than a year. Fan­cy Bear, on the oth­er hand, had been in the net­work for only a few weeks. Its tar­get was the DNC research depart­ment, specif­i­cal­ly the mate­r­i­al that the com­mit­tee was com­pil­ing on Don­ald Trump and oth­er Repub­li­cans. Mean­while, a Crowd­Strike group called the Over­watch team used Fal­con to mon­i­tor the hack­ers, a process known as shoul­der-surf­ing.

...

Hack­ing, like domes­tic abuse, is a crime that tends to induce shame. Com­pa­nies such as Yahoo usu­al­ly pub­li­cize their breach­es only when the law requires it. For this rea­son, Alper­ovitch says, he expect­ed that the DNC, too, would want to keep qui­et.

By the time of the hack, how­ev­er, Don­ald Trump’s rela­tion­ship to Rus­sia had become an issue in the elec­tion. The DNC want­ed to go pub­lic. At the com­mit­tee’s request, Alper­ovitch and Hen­ry briefed a reporter from The Wash­ing­ton Post about the attack. On June 14, soon after the Post sto­ry pub­licly linked Fan­cy Bear with the Russ­ian GRU and Cozy Bear with the FSB for the first time, Alper­ovitch pub­lished a detailed blog post about the attacks.

Alper­ovitch told me he was thrilled that the DNC decid­ed to pub­li­cize Rus­si­a’s involve­ment. “Hav­ing a client give us the abil­i­ty to tell the full sto­ry” was a “mile­stone in the indus­try,” he says. “Not just high­light­ing a rogue nation-state’s actions but explain­ing what was tak­en and how and when. These sto­ries are almost nev­er told.”

In the five years since Alper­ovitch cofound­ed Crowd­Strike, he and his com­pa­ny have played a crit­i­cal role in the devel­op­ment of Amer­i­ca’s cyberde­fense pol­i­cy. Frank Cil­luffo, the for­mer spe­cial assis­tant to the pres­i­dent for home­land secu­ri­ty, likens Alper­ovitch to Paul Revere: “Dmitri, as an indi­vid­ual, has played a sig­nif­i­cant role in ele­vat­ing cyber­se­cu­ri­ty pol­i­cy not only inside the pri­vate sec­tor but more gen­er­al­ly.”

When I met Alper­ovitch in late Sep­tem­ber, at his open-plan offices out­side Wash­ing­ton, D.C., he explained that Crowd­Strike was cre­at­ed to take advan­tage of a sim­ple but cen­tral les­son he’d learned about stop­ping hack­ers. It’s not enough, he says, to play defense with tech­nol­o­gy: “Oth­er­wise the adver­sary will scale up and it becomes a game of num­bers, which they will win.” Instead, attri­bu­tion is cru­cial: First you need to iden­ti­fy the per­pe­tra­tor, then you need to dis­cov­er what moti­vates the crime, and finally—most important—you need to fig­ure out how to fight back.

Before Alper­ovitch found­ed Crowd­Strike, the idea that attri­bu­tion ought to be a cen­tral defense against hack­ers was viewed as heresy. In 2011, he was work­ing in Atlanta as the chief threat offi­cer at the antivirus soft­ware firm McAfee. While sift­ing through serv­er logs in his apart­ment one night, he dis­cov­ered evi­dence of a hack­ing cam­paign by the Chi­nese gov­ern­ment. Even­tu­al­ly he learned that the cam­paign had been going on unde­tect­ed for five years, and that the Chi­nese had com­pro­mised at least sev­en­ty-one com­pa­nies and orga­ni­za­tions, includ­ing thir­teen defense con­trac­tors, three elec­tron­ics firms, and the Inter­na­tion­al Olympic Com­mit­tee.

That the Chi­nese gov­ern­ment had been steal­ing infor­ma­tion from the pri­vate sec­tor was a shock to the secu­ri­ty indus­try and to many U. S. offi­cials. Almost no one thought that for­eign gov­ern­ments used the Inter­net for any­thing oth­er than old-fash­ioned espi­onage. “This was not spy ver­sus spy,” says John Car­lin, who was until recent­ly the assis­tant attor­ney gen­er­al for nation­al secu­ri­ty. The hack­ing was eco­nom­ic sab­o­tage.

While Alper­ovitch was writ­ing up his report on the breach, he received a call from Renee James, an exec­u­tive at Intel, which had recent­ly pur­chased McAfee. Accord­ing to Alper­ovitch, James told him, “Dmitri, Intel has a lot of busi­ness in Chi­na. You can­not call out Chi­na in this report.”

Alper­ovitch removed the word Chi­na from his analy­sis, call­ing the oper­a­tion Shady Rat instead. He told me that James’s inter­ven­tion accel­er­at­ed his plans to leave Intel. (James declined to com­ment.) He felt that he was “now being cen­sored because I’m work­ing for a com­pa­ny that’s not real­ly an Amer­i­can com­pa­ny.”

Alper­ovitch and George Kurtz, a for­mer col­league, found­ed Crowd­Strike as a direct response. The cyber­se­cu­ri­ty indus­try at the time, Alper­ovitch says, was “ter­ri­fied of los­ing their abil­i­ty to mar­ket prod­ucts in Chi­na.” Their new com­pa­ny would push the idea that hack­ing was a means, not an end. “We saw that no one’s real­ly focused on the adver­sary,” Alper­ovitch told me. “No one’s focus­ing exclu­sive­ly on how can we actu­al­ly iden­ti­fy them, attribute them, deter them from tak­ing this action again.” Crowd­Strike’s tagline encap­su­lat­ed its phi­los­o­phy: “You don’t have a mal­ware prob­lem, you have an adver­sary prob­lem.”

...

Alper­ovitch stud­ied com­put­er sci­ence at Geor­gia Tech and went on to work at an anti­spam soft­ware firm. There he met a strik­ing dark-haired com­put­er geek named Phyl­lis Sch­neck. As a teenag­er, Sch­neck once showed her father that she could hack into the com­pa­ny where he worked as an engi­neer. Appalled, Dr. Sch­neck made his daugh­ter promise nev­er to do some­thing like that again.

Fight­ing email spam taught Alper­ovitch a sec­ond cru­cial les­son. He dis­cov­ered that every time he blocked a serv­er, the spam­mers deployed a hun­dred new servers to take its place. Alper­ovitch real­ized that defense was about psy­chol­o­gy, not tech­nol­o­gy.

To bet­ter under­stand his adver­saries, Alper­ovitch posed as a Russ­ian gang­ster on spam dis­cus­sion forums, an expe­ri­ence he wrote up in a series of reports. One day he returned from lunch to a voice mail telling him to call the FBI imme­di­ate­ly. He was ter­ri­fied. “I was not a cit­i­zen yet,” he told me.

As it hap­pened, the bureau was inter­est­ed in his work. The gov­ern­ment was slow­ly wak­ing up to the real­iza­tion that the Inter­net was ripe for crim­i­nal exploita­tion: “the great price of the dig­i­tal age,” in John Car­lin’s words. In 2004, the bureau was hacked by Joseph Colon, a dis­grun­tled IT con­sul­tant who gained “god-lev­el” access to FBI files. Colon was even­tu­al­ly indict­ed, but his attack showed the gov­ern­ment how vul­ner­a­ble it was to cyber­crime.

In 2005, Alper­ovitch flew to Pitts­burgh to meet an FBI agent named Kei­th Mula­rs­ki, who had been asked to lead an under­cov­er oper­a­tion against a vast Russ­ian cred­it-card-theft syn­di­cate. Mula­rs­ki had no pri­or expe­ri­ence with the Inter­net; he relied on Alper­ovitch, whom he calls “a good guy and a friend,” to teach him how to get into the forum and speak the lin­go. Mula­rski’s sting oper­a­tion took two years, but it ulti­mate­ly brought about fifty-six arrests.

Alper­ovitch’s first big break in cyberde­fense came in 2010, while he was at McAfee. The head of cyber­se­cu­ri­ty at Google told Alper­ovitch that Gmail accounts belong­ing to human-rights activists in Chi­na had been breached. Google sus­pect­ed the Chi­nese gov­ern­ment. Alper­ovitch found that the breach was unprece­dent­ed in scale; it affect­ed more than a dozen of McAfee’s clients.

Three days after his dis­cov­ery, Alper­ovitch was on a plane to Wash­ing­ton. He’d been asked to vet a para­graph in a speech by the sec­re­tary of state, Hillary Clin­ton. She’d decid­ed, for the first time, to call out anoth­er coun­try for a cyber­at­tack. “In an inter­con­nect­ed world,” she said, “an attack on one nation’s net­works can be an attack on all.”

Despite Clin­ton’s announce­ment, Alper­ovitch believed that the gov­ern­ment, par­a­lyzed by bureau­cra­cy and pol­i­tics, was still mov­ing too slow­ly. In 2014, Sony called in Crowd­Strike to inves­ti­gate a breach of its net­work. The com­pa­ny need­ed just two hours to iden­ti­fy North Korea as the adver­sary. Exec­u­tives at Sony asked Alper­ovitch to go pub­lic with the infor­ma­tion imme­di­ate­ly, but it took the FBI anoth­er three weeks before it con­firmed the attri­bu­tion.

The delay still frus­trates Alper­ovitch, who saw the long silence as a kind of dis­in­for­ma­tion. “Yes­ter­day you had no idea. Today you’re 100 per­cent cer­tain. It was­n’t cred­i­ble.” From the per­spec­tive of the gov­ern­ment, how­ev­er, the han­dling of the Sony hack was a tri­umph. “In twen­ty-six days we fig­ured out it was North Korea,” John Car­lin told me. The attri­bu­tion changed the focus, he said, from what Sony did wrong to how the gov­ern­ment was going to respond to North Korea. As Phyl­lis Sch­neck, who now works at the Depart­ment of Home­land Secu­ri­ty, told me, the gov­ern­ment moves slow­ly because it can­not afford to be wrong: “Ven­dors like to be first. Gov­ern­ment must be right.”

The gov­ern­men­t’s atti­tude toward attri­bu­tion moved clos­er to Alper­ovitch’s in Sep­tem­ber 2015, in the run-up to a state vis­it by Chi­nese pres­i­dent Xi Jin­ping. A year ear­li­er, five mem­bers of the Chi­nese Peo­ple’s Lib­er­a­tion Army had been indict­ed by a grand jury in Penn­syl­va­nia for steal­ing eco­nom­ic secrets from the com­put­ers of U. S. firms in the nuclear, solar, and met­als indus­tries. Car­lin told me that the indict­ments were meant as “a giant No Tres­pass sign: Get off our lawn.” But the indict­ment did­n’t stop the hack­ers. Alper­ovitch went on tele­vi­sion to call for a stronger response. In April 2015, after Pres­i­dent Oba­ma signed an exec­u­tive order threat­en­ing sanc­tions against the Chi­nese, Alper­ovitch received a call from the White House. “You should be hap­py,” he was told. “You’re the one who’s been push­ing for this.”

Six months lat­er, just before the state vis­it, The Wash­ing­ton Post report­ed that the U. S. was con­sid­er­ing mak­ing good on the exec­u­tive order. A senior State Depart­ment offi­cial told me that Xi did not want to be embar­rassed by an awk­ward vis­it. The Chi­nese sent over a nego­ti­at­ing team, and diplo­mats from both coun­tries stayed up all night work­ing out an agree­ment. Dur­ing the state vis­it, Oba­ma and Xi announced that “nei­ther coun­try’s gov­ern­ment will con­duct or know­ing­ly sup­port cyber-enabled theft of intel­lec­tu­al prop­er­ty” for the pur­pose of eco­nom­ic espi­onage. Since then, the Chi­nese bur­glar­ies have slowed dra­mat­i­cal­ly.

...

The gov­ern­men­t’s reluc­tance to name the Rus­sians as the authors of the DNC and DCCC hacks made Alper­ovitch feel that the lessons of the war game—call out your ene­my and respond swiftly—had been wast­ed. He con­tin­ued to be told by his friends in gov­ern­ment that it was polit­i­cal­ly impos­si­ble for the Unit­ed States to issue an offi­cial response to Rus­sia. Some, espe­cial­ly in the State Depart­ment, argued that the Unit­ed States need­ed Rus­si­a’s help in Syr­ia and could not afford to ratch­et up hos­til­i­ties. Oth­ers said an attri­bu­tion with­out a con­crete response would be mean­ing­less. Still oth­ers insist­ed that clas­si­fied secu­ri­ty con­cerns demand­ed con­sid­er­a­tion.

Alper­ovitch was deeply frus­trat­ed: He thought the gov­ern­ment should tell the world what it knew. There is, of course, an ele­ment of the per­son­al in his bat­tle cry. “A lot of peo­ple who are born here don’t appre­ci­ate the free­doms we have, the oppor­tu­ni­ties we have, because they’ve nev­er had it any oth­er way,” he told me. “I have.”

The gov­ern­men­t’s hes­i­ta­tion was soon over­tak­en by events. Dur­ing the first week of Octo­ber, while Alper­ovitch was on a rare vaca­tion, in Italy, Rus­sia pulled out of an arms-reduc­tion pact after being accused by the U. S. of bomb­ing indis­crim­i­nate­ly in Syr­ia. The same day, the U. S. halt­ed talks with Rus­sia about a Syr­i­an cease­fire. On Octo­ber 7, two days before the sec­ond pres­i­den­tial debate, Alper­ovitch got a phone call from a senior gov­ern­ment offi­cial alert­ing him that a state­ment iden­ti­fy­ing Rus­sia as the spon­sor of the DNC attack would soon be released. (The state­ment, from the office of the direc­tor of nation­al intel­li­gence and the Depart­ment of Home­land Secu­ri­ty, appeared lat­er that day.) Once again, Alper­ovitch was thanked for push­ing the gov­ern­ment along.

He got the news just after leav­ing the Sis­tine Chapel. “It kind of put things in per­spec­tive,” he told me. Though pleased, he wished the state­ment had warned that more leaks were like­ly. “It’s nice that you have the DHS and DNI joint­ly putting the state­ment out on a Fri­day night, but the pres­i­dent com­ing out and say­ing, ‘Mr. Putin, we know you’re doing this, we find it unac­cept­able, and you have to stop’ would be ben­e­fi­cial.”

Less than a week lat­er, after Wik­iLeaks released anoth­er cache of hacked emails—this time from John Podes­ta, Hillary Clin­ton’s cam­paign chair—the White House announced that the pres­i­dent was con­sid­er­ing a “pro­por­tion­al” response against Rus­sia. Admin­is­tra­tion offi­cials asked Alper­ovitch to attend a meet­ing to con­sid­er what to do. He was the only native Russ­ian in the room. “You have to let them save face,” he told the group. “Esca­la­tion will not end well.”

———-

“The Russ­ian Expat Lead­ing the Fight to Pro­tect Amer­i­ca” by Vicky Ward; Esquire; 10/24/2016 [57]

“Alper­ovitch, a slight man with a sharp, quick demeanor, called the ana­lyst who had emailed the report. “Are we sure it’s Rus­sia?” he asked.

That was report­ed­ly Alper­ovitch’s ini­tial response to the con­clu­sion his com­pa­ny’s ana­lyst that Rus­sia was behind the DNC hack: Are we sure it’s Rus­sia? And that’s a very rea­son­able ques­tion to ask at that point. A note the ana­lyst’s response: There was no doubt. Why? Because the mal­ware used in the DNC hack was send­ing data back to the same servers used in the Bun­destag hack of 2015 and the mal­ware code was sim­i­lar to ear­li­er hacks:

...
The ana­lyst said there was no doubt. Fal­con had detect­ed mali­cious soft­ware, or mal­ware, that was steal­ing data and send­ing it to the same servers that had been used in a 2015 attack on the Ger­man Bun­destag. The code and tech­niques used against the DNC resem­bled those from ear­li­er attacks on the White House and the State Depart­ment. The ana­lyst, a for­mer intel­li­gence offi­cer, told Alper­ovitch that Fal­con had iden­ti­fied not one but two Russ­ian intrud­ers: Cozy Bear, a group Crowd­Strike’s experts believed was affil­i­at­ed with the FSB, Rus­si­a’s answer to the CIA; and Fan­cy Bear, which they had linked to the GRU, Russ­ian mil­i­tary intel­li­gence.
...

So this is a good time to remind our­selves that the IP address found in the mal­ware used in that DNC hack and the Bun­destag hack was pub­lished in 2015 [11] and Ger­many’s BfV gov­ern­ment issued a newslet­ter attrib­uted that Bud­estag hack to the Russ­ian gov­ernent in Jan­u­ary of 2016 [58], mean­ing it would have been an incred­i­bly brazen for Russ­ian gov­ern­ment hack­ers to exe­cute a hack using the same com­mand & con­trol serv­er with the same IP address unless Rus­sia want­ed to get caught. But from Crowd­Strike’s per­spec­tive, this was the kind of ‘dig­i­tal fin­ger­print’ that could lead to a con­clu­sion with “no doubt.”

And as the rest of the arti­cle made clear, arriv­ing at a cul­prit for cyber attacks and then make a very pub­lic com­plaint about the attack is at the heart of the strat­e­gy that Alper­ovitch has been advo­cat­ing for years. And advo­cat­ing with great suc­cess:

...
Alper­ovitch told me he was thrilled that the DNC decid­ed to pub­li­cize Rus­si­a’s involve­ment. “Hav­ing a client give us the abil­i­ty to tell the full sto­ry” was a “mile­stone in the indus­try,” he says. “Not just high­light­ing a rogue nation-state’s actions but explain­ing what was tak­en and how and when. These sto­ries are almost nev­er told.”

In the five years since Alper­ovitch cofound­ed Crowd­Strike, he and his com­pa­ny have played a crit­i­cal role in the devel­op­ment of Amer­i­ca’s cyberde­fense pol­i­cy. Frank Cil­luffo, the for­mer spe­cial assis­tant to the pres­i­dent for home­land secu­ri­ty, likens Alper­ovitch to Paul Revere: “Dmitri, as an indi­vid­ual, has played a sig­nif­i­cant role in ele­vat­ing cyber­se­cu­ri­ty pol­i­cy not only inside the pri­vate sec­tor but more gen­er­al­ly.”

When I met Alper­ovitch in late Sep­tem­ber, at his open-plan offices out­side Wash­ing­ton, D.C., he explained that Crowd­Strike was cre­at­ed to take advan­tage of a sim­ple but cen­tral les­son he’d learned about stop­ping hack­ers. It’s not enough, he says, to play defense with tech­nol­o­gy: “Oth­er­wise the adver­sary will scale up and it becomes a game of num­bers, which they will win.” Instead, attri­bu­tion is cru­cial: First you need to iden­ti­fy the per­pe­tra­tor, then you need to dis­cov­er what moti­vates the crime, and finally—most important—you need to fig­ure out how to fight back.
...

“It’s not enough, he says, to play defense with tech­nol­o­gy: “Oth­er­wise the adver­sary will scale up and it becomes a game of num­bers, which they will win.” Instead, attri­bu­tion is cru­cial: First you need to iden­ti­fy the per­pe­tra­tor, then you need to dis­cov­er what moti­vates the crime, and finally—most important—you need to fig­ure out how to fight back.

That’s Alper­ovitch’s phi­los­o­phy: You can’t sim­ply deal with hack­ing by play­ing defense. You have to play offense and that requires pub­lic attri­bu­tion. And it’s a phi­los­o­phy that was viewed as heresy in the cyber­se­cu­ri­ty indus­try not too long ago. The arti­cle char­ac­ter­izes this indus­try dis­po­si­tion as be in part due to con­cerns with­in the indus­try about los­ing clients in the nations they pub­licly attribute an attack to, but it seems like the inher­ent ambi­gu­i­ty in mak­ing these attri­bu­tions would have also been a fac­tor in why that was viewed as heresy. Either way, Crowd­Strike was formed in response to this indus­try bias against pub­lic attri­bu­tion of hacks against oth­er gov­ern­ments:

...
Before Alper­ovitch found­ed Crowd­Strike, the idea that attri­bu­tion ought to be a cen­tral defense against hack­ers was viewed as heresy. In 2011, he was work­ing in Atlanta as the chief threat offi­cer at the antivirus soft­ware firm McAfee. While sift­ing through serv­er logs in his apart­ment one night, he dis­cov­ered evi­dence of a hack­ing cam­paign by the Chi­nese gov­ern­ment. Even­tu­al­ly he learned that the cam­paign had been going on unde­tect­ed for five years, and that the Chi­nese had com­pro­mised at least sev­en­ty-one com­pa­nies and orga­ni­za­tions, includ­ing thir­teen defense con­trac­tors, three elec­tron­ics firms, and the Inter­na­tion­al Olympic Com­mit­tee.

That the Chi­nese gov­ern­ment had been steal­ing infor­ma­tion from the pri­vate sec­tor was a shock to the secu­ri­ty indus­try and to many U. S. offi­cials. Almost no one thought that for­eign gov­ern­ments used the Inter­net for any­thing oth­er than old-fash­ioned espi­onage. “This was not spy ver­sus spy,” says John Car­lin, who was until recent­ly the assis­tant attor­ney gen­er­al for nation­al secu­ri­ty. The hack­ing was eco­nom­ic sab­o­tage.

While Alper­ovitch was writ­ing up his report on the breach, he received a call from Renee James, an exec­u­tive at Intel, which had recent­ly pur­chased McAfee. Accord­ing to Alper­ovitch, James told him, “Dmitri, Intel has a lot of busi­ness in Chi­na. You can­not call out Chi­na in this report.”

Alper­ovitch removed the word Chi­na from his analy­sis, call­ing the oper­a­tion Shady Rat instead. He told me that James’s inter­ven­tion accel­er­at­ed his plans to leave Intel. (James declined to com­ment.) He felt that he was “now being cen­sored because I’m work­ing for a com­pa­ny that’s not real­ly an Amer­i­can com­pa­ny.”

Alper­ovitch and George Kurtz, a for­mer col­league, found­ed Crowd­Strike as a direct response. The cyber­se­cu­ri­ty indus­try at the time, Alper­ovitch says, was “ter­ri­fied of los­ing their abil­i­ty to mar­ket prod­ucts in Chi­na.” Their new com­pa­ny would push the idea that hack­ing was a means, not an end. “We saw that no one’s real­ly focused on the adver­sary,” Alper­ovitch told me. “No one’s focus­ing exclu­sive­ly on how can we actu­al­ly iden­ti­fy them, attribute them, deter them from tak­ing this action again.” Crowd­Strike’s tagline encap­su­lat­ed its phi­los­o­phy: “You don’t have a mal­ware prob­lem, you have an adver­sary prob­lem.”
...

““No one’s focus­ing exclu­sive­ly on how can we actu­al­ly iden­ti­fy them, attribute them, deter them from tak­ing this action again.” Crowd­Strike’s tagline encap­su­lat­ed its phi­los­o­phy: “You don’t have a mal­ware prob­lem, you have an adver­sary prob­lem.””

And that encap­su­lates much of Crowd­Strike’s approach to stop­ping hacks:
Step 1. Deter­mine a cul­prit.

Step 2. Make a big pub­lic stink about it.

And this approach appears to have been by a con­clu­sion Alper­ovitch arrived while work­ing at an anti­spam soft­ware firm where he met his future Crowd­Stike part­ner Phyl­lis Sch­neck: cyber defense was about psy­chol­o­gy, not tech­nol­o­gy:

...
Alper­ovitch stud­ied com­put­er sci­ence at Geor­gia Tech and went on to work at an anti­spam soft­ware firm. There he met a strik­ing dark-haired com­put­er geek named Phyl­lis Sch­neck. As a teenag­er, Sch­neck once showed her father that she could hack into the com­pa­ny where he worked as an engi­neer. Appalled, Dr. Sch­neck made his daugh­ter promise nev­er to do some­thing like that again.

Fight­ing email spam taught Alper­ovitch a sec­ond cru­cial les­son. He dis­cov­ered that every time he blocked a serv­er, the spam­mers deployed a hun­dred new servers to take its place. Alper­ovitch real­ized that defense was about psy­chol­o­gy, not tech­nol­o­gy.
...

And that psy­cho­log­i­cal strat­e­gy is part of why mak­ing a pub­lic attri­bu­tion is so impor­tant, accord­ing to this strat­e­gy. From Alper­ovitch’s per­spec­tive, intim­i­dat­ing your cyber adver­sary is basi­cal­ly the only real­is­tic way to stop the hacks.

It’s a strat­e­gy that he first employed in 2010, when his analy­sis was used by the US gov­ern­ment to pub­licly accuse Chi­na of cyber attacks on Google Gmail accounts. The strat­e­gy was used again 2014 to attrib­uted the Sony hacks on North Korea and in 2015 once again against Chi­na. And that 2015 attri­bu­tion against Chi­na, which includ­ed a the threat of an exec­u­tive order by Pres­i­dent Oba­ma that would pun­ish Chi­na over the hacks, appar­ent­ly result­ed in a bi-lat­er­al agree­ment where “nei­ther coun­try’s gov­ern­ment will con­duct or know­ing­ly sup­port cyber-enabled theft of intel­lec­tu­al prop­er­ty” for the pur­pose of eco­nom­ic espi­onage. Chi­nese cyber bur­glar­ies have slowed dra­mat­i­cal­ly since them:

...
Alper­ovitch’s first big break in cyberde­fense came in 2010, while he was at McAfee. The head of cyber­se­cu­ri­ty at Google told Alper­ovitch that Gmail accounts belong­ing to human-rights activists in Chi­na had been breached. Google sus­pect­ed the Chi­nese gov­ern­ment. Alper­ovitch found that the breach was unprece­dent­ed in scale; it affect­ed more than a dozen of McAfee’s clients.

Three days after his dis­cov­ery, Alper­ovitch was on a plane to Wash­ing­ton. He’d been asked to vet a para­graph in a speech by the sec­re­tary of state, Hillary Clin­ton. She’d decid­ed, for the first time, to call out anoth­er coun­try for a cyber­at­tack. “In an inter­con­nect­ed world,” she said, “an attack on one nation’s net­works can be an attack on all.”

Despite Clin­ton’s announce­ment, Alper­ovitch believed that the gov­ern­ment, par­a­lyzed by bureau­cra­cy and pol­i­tics, was still mov­ing too slow­ly. In 2014, Sony called in Crowd­Strike to inves­ti­gate a breach of its net­work. The com­pa­ny need­ed just two hours to iden­ti­fy North Korea as the adver­sary. Exec­u­tives at Sony asked Alper­ovitch to go pub­lic with the infor­ma­tion imme­di­ate­ly, but it took the FBI anoth­er three weeks before it con­firmed the attri­bu­tion.

The delay still frus­trates Alper­ovitch, who saw the long silence as a kind of dis­in­for­ma­tion. “Yes­ter­day you had no idea. Today you’re 100 per­cent cer­tain. It was­n’t cred­i­ble.” From the per­spec­tive of the gov­ern­ment, how­ev­er, the han­dling of the Sony hack was a tri­umph. “In twen­ty-six days we fig­ured out it was North Korea,” John Car­lin told me. The attri­bu­tion changed the focus, he said, from what Sony did wrong to how the gov­ern­ment was going to respond to North Korea. As Phyl­lis Sch­neck, who now works at the Depart­ment of Home­land Secu­ri­ty, told me, the gov­ern­ment moves slow­ly because it can­not afford to be wrong: “Ven­dors like to be first. Gov­ern­ment must be right.”

The gov­ern­men­t’s atti­tude toward attri­bu­tion moved clos­er to Alper­ovitch’s in Sep­tem­ber 2015, in the run-up to a state vis­it by Chi­nese pres­i­dent Xi Jin­ping. A year ear­li­er, five mem­bers of the Chi­nese Peo­ple’s Lib­er­a­tion Army had been indict­ed by a grand jury in Penn­syl­va­nia for steal­ing eco­nom­ic secrets from the com­put­ers of U. S. firms in the nuclear, solar, and met­als indus­tries. Car­lin told me that the indict­ments were meant as “a giant No Tres­pass sign: Get off our lawn.” But the indict­ment did­n’t stop the hack­ers. Alper­ovitch went on tele­vi­sion to call for a stronger response. In April 2015, after Pres­i­dent Oba­ma signed an exec­u­tive order threat­en­ing sanc­tions against the Chi­nese, Alper­ovitch received a call from the White House. “You should be hap­py,” he was told. “You’re the one who’s been push­ing for this.”

Six months lat­er, just before the state vis­it, The Wash­ing­ton Post report­ed that the U. S. was con­sid­er­ing mak­ing good on the exec­u­tive order. A senior State Depart­ment offi­cial told me that Xi did not want to be embar­rassed by an awk­ward vis­it. The Chi­nese sent over a nego­ti­at­ing team, and diplo­mats from both coun­tries stayed up all night work­ing out an agree­ment. Dur­ing the state vis­it, Oba­ma and Xi announced that “nei­ther coun­try’s gov­ern­ment will con­duct or know­ing­ly sup­port cyber-enabled theft of intel­lec­tu­al prop­er­ty” for the pur­pose of eco­nom­ic espi­onage. Since then, the Chi­nese bur­glar­ies have slowed dra­mat­i­cal­ly.
...

So that all sounds like a great suc­cess of Alper­ovitch’s pub­lic attri­bu­tion strat­e­gy, right? A bi-lat­er­al agree­ment with Chi­na that slowed Chi­nese cyber bur­glar­ies dra­mat­i­cal­ly is quite an achieve­ment.

Except, of course, there’s a rather sig­nif­i­cant prob­lem with this approach and it relates direct­ly to the warn­ings by France’s cyber secu­ri­ty chief about “inter­na­tion­al chaos” from false flags: What if the dra­mat­ic slow down in Chi­nese cyber bur­glar­ies mere­ly reflects a shift in strat­e­gy by Chi­nese hack­ers to make their hacks look like, say, Russ­ian hack­ers? Or Amer­i­can hack­ers? Why isn’t this ‘new nor­mal’ of aggres­sive­ly mak­ing pub­lic attri­bu­tions exact­ly the kind of ‘defen­sive’ tac­tic that makes false flag attacks even more tempt­ing? And why would­n’t third-par­ties who want to sow chaos, like neo-Nazi hack­ers, LOVE this new attri­bu­tion par­a­digm?

And note the com­ment for Alper­ovitch’s for­mer Crowd­Strike part­ner, Phyl­lis Sch­neck, who is now at DHS, about how the cyber­se­cu­ri­ty indus­try’s predilec­tion for “being first” on mak­ing an attri­bu­tion now:

...
The delay still frus­trates Alper­ovitch, who saw the long silence as a kind of dis­in­for­ma­tion. “Yes­ter­day you had no idea. Today you’re 100 per­cent cer­tain. It was­n’t cred­i­ble.” From the per­spec­tive of the gov­ern­ment, how­ev­er, the han­dling of the Sony hack was a tri­umph. “In twen­ty-six days we fig­ured out it was North Korea,” John Car­lin told me. The attri­bu­tion changed the focus, he said, from what Sony did wrong to how the gov­ern­ment was going to respond to North Korea. As Phyl­lis Sch­neck, who now works at the Depart­ment of Home­land Secu­ri­ty, told me, the gov­ern­ment moves slow­ly because it can­not afford to be wrong: “Ven­dors like to be first. Gov­ern­ment must be right.”
...

“Ven­dors like to be first. Gov­ern­ment must be right.”

In oth­er worlds, mar­ket forces have now been unleashed to encour­age the cyber­se­cu­ri­ty indus­try to rush to attri­bu­tion con­clu­sions. After all, think about the incred­i­ble free adver­tis­ing Trend Micro got for its report on the US Sen­ate phish­ing sites and the Macron hacks. The prof­it-motive encour­ages this. Isn’t that wild­ly dan­ger­ous when those rushed attri­bu­tions have geo-strate­gic impli­ca­tions? It sure sounds like a recipe for “inter­na­tion­al chaos”.

Still, let’s keep in mind that a world where Chi­nese gov­ern­ment hack­ers can pil­fer intel­lec­tu­al prop­er­ty rights with impuni­ty and North Korea and attack cor­po­ra­tions over movies it does­n’t like is anoth­er form of “inter­na­tion­al chaos”. Although prob­a­bly not near­ly as chaot­ic as the kind of world where con­flicts break out as a result of cyber attacks and false flag cam­paigns, but it’s still a very non-ide­al sit­u­a­tion.

What’s the Cyber­se­cu­ri­ty Indus­try’s Secret to Cyber Attri­bu­tion? Pat­tern Recog­ni­tion. Hope­ful­ly Per­fect Pat­tern Recog­ni­tion (Because Oth­er­wise it’s Inter­na­tion­al Chaos)

So what’s the cyber­se­cu­ri­ty indus­try’s response to crit­i­cism that this new aggres­sive approach to attri­bu­tion is vul­ner­a­ble to false flag attacks an incor­rect attri­bu­tions? Well, accord­ing that describes the tech­niques the indus­try uses to arrive at its con­clu­sions, the indus­try responds by stat­ing false flag attacks just aren’t fea­si­ble because hack­ers make mis­takes that reveal their true ori­gin. Yep, that’s the response.

And this response is in an arti­cle that describes the pri­ma­ry tech­nique for attri­bu­tion as “pat­tern recog­ni­tion”: look­ing at a hack­’s ‘dig­i­tal fin­ger­prints’ and com­par­ing them to past attacks. If you think about it, if you’re a hack­er, and the dig­i­tal fin­ger­prints in your hacks allow ana­lysts to trace your work back to pre­vi­ous attacks, that’s a mis­take. Recall the com­ments from FireEye’s ana­lyst about how the Russ­ian hack­ers used to com­plete­ly burn their dig­i­tal infra­struc­ture after get­ting caught (and then mys­te­ri­ous­ly stopped doing that around 2014). High qual­i­ty gov­ern­ment hack­ers should­n’t actu­al­ly be leav­ing an exten­sive trail of reused dig­it fin­ger­prints. They appar­ent­ly used to be able to oper­ate with­out mak­ing so many con­spic­u­ous mis­takes. And yet the cyber­se­cu­ri­ty indus­try is pred­i­cat­ing its attri­bu­tions on basi­cal­ly detect­ing mis­takes hack­ers make and the deep con­vic­tion that hack­ers make mis­takes and these mis­takes can be used for high con­fi­dence attri­bu­tions. Which seems like a mas­sive mis­take [59]:

CNET

How US cyber­sleuths decid­ed Rus­sia hacked the DNC

Dig­i­tal clues led secu­ri­ty pros to agen­cies in Putin’s gov­ern­ment. It’s as close as we’ll ever get to proof that Rus­sia did it.

by Lau­ra Hau­ta­la

May 3, 2017 9:13 AM PD

It was a bomb­shell.

Oper­a­tives from two Russ­ian spy agen­cies had infil­trat­ed com­put­ers of the Demo­c­ra­t­ic Nation­al Com­mit­tee, months before the US nation­al elec­tion.

One agency — nick­named Cozy Bear by cyber­se­cu­ri­ty com­pa­ny Crowd­Strike — used a tool that was “inge­nious in its sim­plic­i­ty and pow­er” to insert mali­cious code into the DNC’s com­put­ers, Crowd­Strike’s Chief Tech­nol­o­gy Offi­cer Dmitri Alper­ovitch wrote in a June blog post [60]. The oth­er group, nick­named Fan­cy Bear, remote­ly grabbed con­trol of the DNC’s com­put­ers.

By Octo­ber, the Depart­ment of Home­land Secu­ri­ty and the Office of the Direc­tor of Nation­al Intel­li­gence on Elec­tion Secu­ri­ty agreed that Rus­sia [61] was behind the DNC hack. On Dec. 29, those agen­cies, togeth­er with the FBI, Depart­ment of Home­land Secu­ri­ty and the Office of the Direc­tor of Nation­al Intel­li­gence on Elec­tion Secu­ri­ty agreed that Rus­sia [61].

And a week lat­er, the Office of the Direc­tor of Nation­al Intel­li­gence sum­ma­rized its find­ings ((PDF) [62]) in a declas­si­fied (read: scrubbed) report. Even Pres­i­dent Don­ald Trump acknowl­edged, “It was Rus­sia [63],” a few days lat­er — although he told “Face the Nation” ear­li­er this week it “could’ve been Chi­na.” [64]

...

We’ll prob­a­bly nev­er real­ly find out what the US intel­li­gence com­mu­ni­ty or Crowd­Strike know or how they know it. This is what we do know:

Crowd­Strike and oth­er cyberde­tec­tives had spot­ted tools and approach­es they’d seen Cozy Bear and Fan­cy Bear use for years. Cozy Bear is believed to be either Rus­si­a’s Fed­er­al Secu­ri­ty Ser­vice, known as the FSB, or its For­eign Intel­li­gence Ser­vice, the SVR. Fan­cy Bear is thought to be Rus­si­a’s mil­i­tary intel agency, GRU.

It was the pay­off of a long game of pat­tern recog­ni­tion — piec­ing togeth­er hack­er groups’ favorite modes of attack, suss­ing out the time of day they’re most active (hint­ing at their loca­tions) and find­ing signs of their native lan­guage and the inter­net address­es they use to send or receive files.

“You just start to weigh all these fac­tors until you get near 100 per­cent cer­tain­ty,” says Dave DeWalt, for­mer CEO of McAfee and Fire­Eye, who now sits on the boards of five secu­ri­ty com­pa­nies. “It’s like hav­ing enough fin­ger­prints in the sys­tem.”

Watch­ing the cyberde­tec­tives

Crowd­Strike put that knowl­edge to use in April, when the DNC’s lead­er­ship called in its dig­i­tal foren­sics experts and cus­tom soft­ware — which spots when some­one takes con­trol of net­work accounts, installs mal­ware or steals files — to find out who was muck­ing around in their sys­tems, and why.

“With­in min­utes, we were able to detect it,” Alper­ovitch said in an inter­view the day the DNC revealed the break-in. Crowd­Strike found oth­er clues with­in 24 hours, he said.

Those clues includ­ed small frag­ments of code called Pow­er­Shell com­mands. A Pow­er­Shell com­mand is like a Russ­ian nest­ing doll in reverse. Start with the small­est doll, and that’s the Pow­er­Shell code. It’s only a sin­gle string of seem­ing­ly mean­ing­less num­bers and let­ters. Open it up, though, and out jumps a larg­er mod­ule that, in the­o­ry at least, “can do vir­tu­al­ly any­thing on the vic­tim sys­tem,” Alper­ovitch wrote.

One of the Pow­er­Shell mod­ules inside the DNC sys­tem con­nect­ed to a remote serv­er and down­loaded more Pow­er­Shells, adding more nest­ing dolls to the DNC net­work. Anoth­er opened and installed MimiKatz, mali­cious code for steal­ing login infor­ma­tion. That gave hack­ers a free pass to move from one part of the DNC’s net­work to anoth­er by log­ging in with valid user­names and pass­words. These were Cozy Bear’s weapons of choice.

Fan­cy Bear used tools known as X‑Agent and X‑Tunnel to remote­ly access and con­trol the DNC net­work, steal pass­words and trans­fer files. Oth­er tools let them wipe away their foot­prints from net­work logs.

Crowd­Strike had seen this pat­tern many times before.

“You could nev­er go into the DNC as a sin­gle event and come up with that [con­clu­sion],” said Robert M. Lee, CEO of cyber­se­cu­ri­ty firm Dra­gos.

Pat­tern recog­ni­tion

Alper­ovitch com­pares his work to that of John­ny Utah, the char­ac­ter Keanu Reeves played in the 1991 surf­ing-bank-heist flick “Point Break.” In the movie, Utah iden­ti­fied the mas­ter­mind of a rob­bery by look­ing at habits and meth­ods. “He’s already ana­lyzed 15 bank rob­bers. He can say, ‘I know who this is,’ ” Alper­ovitch said in an inter­view in Feb­ru­ary.

“The same thing applies to cyber­se­cu­ri­ty,” he said.

One of those tells is con­sis­ten­cy. “The peo­ple behind the key­boards, they don’t change that much,” said DeWalt. He thinks nation-state hack­ers tend to be careerists, work­ing in either the mil­i­tary or intel­li­gence oper­a­tions.

Pat­tern recog­ni­tion is how Man­di­ant, owned by Fire­Eye, fig­ured out that North Korea broke into Sony Pic­tures’ net­works [65].

The gov­ern­ment stole Social Secu­ri­ty num­bers from 47,000 employ­ees and leaked embar­rass­ing inter­nal doc­u­ments and emails. That’s because the Sony attack­ers left behind a favorite hack­ing tool that wiped, and then wrote over, hard dri­ves. The cyber­se­cu­ri­ty indus­try had pre­vi­ous­ly traced that tool to North Korea, which had been using it for at least four years, includ­ing in a mas­sive cam­paign against South Kore­an banks the year before.

It’s also how researchers from McAfee fig­ured out Chi­nese hack­ers were behind Oper­a­tion Auro­ra in 2009, [66] when hack­ers accessed the Gmail accounts of Chi­nese human rights activists and stole source code from more than 150 com­pa­nies, accord­ing to DeWalt, who was CEO of McAfee at the time of the inves­ti­ga­tion. Inves­ti­ga­tors found mal­ware writ­ten in Man­darin, code that had been com­piled in a Chi­nese oper­at­ing sys­tem and time-stamped in a Chi­nese time zone, and oth­er clues inves­ti­ga­tors had pre­vi­ous­ly seen in attacks orig­i­nat­ing from Chi­na, DeWalt said.

Tell us more

One of the most com­mon com­plaints about the evi­dence Crowd­Strike pre­sent­ed is that the clues could have been faked: Hack­ers could have used Russ­ian tools, worked dur­ing Russ­ian busi­ness hours and left bits of Russ­ian lan­guage behind in mal­ware found on DNC com­put­ers.

It does­n’t help that, almost as soon as the DNC revealed it had been hacked, some­one call­ing him­self Guc­cifer 2.0 and claim­ing to be Roman­ian took cred­it as the sole hack­er pen­e­trat­ing the polit­i­cal par­ty’s net­work [67].

That set off a seem­ing­ly end­less debate about who did what, even as addi­tion­al hacks of for­mer Hillary Clin­ton cam­paign chair­man John Podes­ta and oth­ers led to more leaked emails.

Cyber­se­cu­ri­ty experts say it would be too dif­fi­cult for hack­ers to con­sis­tent­ly make it look like an attack was com­ing from a dif­fer­ent group of hack­ers. One mis­take could blow their cov­er.

Crit­ics prob­a­bly won’t be get­ting defin­i­tive answers any­time soon, since nei­ther Crowd­Strike nor US intel­li­gence agen­cies plan to pro­vide more details to the pub­lic, “as the release of such infor­ma­tion would reveal sen­si­tive sources or meth­ods and imper­il the abil­i­ty to col­lect crit­i­cal for­eign intel­li­gence in the future,” the Office of the Direc­tor of Nation­al Intel­li­gence said in its report.

“The declas­si­fied report does not and can­not include the full sup­port­ing infor­ma­tion, includ­ing spe­cif­ic intel­li­gence and sources and meth­ods.”

The debate has tak­en Alper­ovitch by sur­prise.

“Our indus­try has been doing attri­bu­tion for 30 years,” although such work on focused on crim­i­nal activ­i­ty, he said. “The minute it went out of cyber­crime, it became con­tro­ver­sial.”

———-

“How US cyber­sleuths decid­ed Rus­sia hacked the DNC” by Lau­ra Hau­ta­la; CNET; 05/03/2017 [59]

Alper­ovitch com­pares his work to that of John­ny Utah, the char­ac­ter Keanu Reeves played in the 1991 surf­ing-bank-heist flick “Point Break.” In the movie, Utah iden­ti­fied the mas­ter­mind of a rob­bery by look­ing at habits and meth­ods. “He’s already ana­lyzed 15 bank rob­bers. He can say, ‘I know who this is,’ ” Alper­ovitch said in an inter­view in Feb­ru­ary.”

Yep, Dmitri Alper­ovitch com­pares his work to a Keanu Reeves movie char­ac­ter who can just look at the evi­dence left in a rob­bery and deduce who did it. That’s the under­ly­ing tech­nique at work. And while that’s a per­fect­ly rea­son­able tech­nique for mak­ing a cau­tious guess about the cul­prits, it’s appar­ent­ly being treat­ed as a tech­nique that can allow for near 100 per­cent cer­tain­ty:

...
Crowd­Strike and oth­er cyberde­tec­tives had spot­ted tools and approach­es they’d seen Cozy Bear and Fan­cy Bear use for years. Cozy Bear is believed to be either Rus­si­a’s Fed­er­al Secu­ri­ty Ser­vice, known as the FSB, or its For­eign Intel­li­gence Ser­vice, the SVR. Fan­cy Bear is thought to be Rus­si­a’s mil­i­tary intel agency, GRU.

It was the pay­off of a long game of pat­tern recog­ni­tion — piec­ing togeth­er hack­er groups’ favorite modes of attack, suss­ing out the time of day they’re most active (hint­ing at their loca­tions) and find­ing signs of their native lan­guage and the inter­net address­es they use to send or receive files.

“You just start to weigh all these fac­tors until you get near 100 per­cent cer­tain­ty,” says Dave DeWalt, for­mer CEO of McAfee and Fire­Eye, who now sits on the boards of five secu­ri­ty com­pa­nies. “It’s like hav­ing enough fin­ger­prints in the sys­tem.”
...

“You just start to weigh all these fac­tors until you get near 100 per­cent cer­tain­ty”

Pat­tern recog­ni­tion lead­ing to near 100 per­cent cer­tain­ty. And as we saw with the Trend Micro reports, 99–100 per­cent cer­tain­ty is indeed some­thing the indus­try is arriv­ing at with these very con­se­quen­tial attri­bu­tions.

And this pat­tern recog­ni­tion tech­nique is par­tial­ly pred­i­cat­ed on the assump­tion that hack­ers don’t actu­al­ly change their meth­ods very much. Even gov­ern­ment hack­ers:

...
One of those tells is con­sis­ten­cy. “The peo­ple behind the key­boards, they don’t change that much,” said DeWalt. He thinks nation-state hack­ers tend to be careerists, work­ing in either the mil­i­tary or intel­li­gence oper­a­tions.
...

So is it true that careerist gov­ern­ment hack­ers tend to be con­sis­tent and don’t real­ly both­er switch­ing up their tech­niques and ‘dig­i­tal fin­ger­prints’? Well, if so, yes, that would allow for pat­tern recog­ni­tion to be used for attri­bu­tion...except for the fact that gov­ern­ment hack­ers behav­ing con­sis­tent­ly makes them easy marks for a false flag attack. How is this not rec­og­nized?!

Also note that even if gov­ern­ment hack­ers are con­sis­tent in their meth­ods, that might not mat­ter if they are con­sis­tent­ly using mal­ware and serv­er host­ing com­pa­nies that oth­er hack­ers use and leave ambigu­ous digi­tial fin­ger­prints. The con­sis­ten­cy might also not mat­ter if they are con­sis­tent­ly run­ning their hacks by imper­son­at­ing oth­er hack­ing groups, although the cyber­se­cu­ri­ty indus­try appears to think that would be impos­si­ble for a gov­ern­ment hack­ing group to do con­sis­tent­ly with­out acci­den­tal­ly blow­ing their cov­er. Which, again, is an odd assump­tion to make.

What’s the indus­try response to these kinds of con­cerns? Don’t wor­ry about false flags because, the hack­ers will make mis­takes that reveal them­selves:

...
Tell us more

One of the most com­mon com­plaints about the evi­dence Crowd­Strike pre­sent­ed is that the clues could have been faked: Hack­ers could have used Russ­ian tools, worked dur­ing Russ­ian busi­ness hours and left bits of Russ­ian lan­guage behind in mal­ware found on DNC com­put­ers.

...

Cyber­se­cu­ri­ty experts say it would be too dif­fi­cult for hack­ers to con­sis­tent­ly make it look like an attack was com­ing from a dif­fer­ent group of hack­ers. One mis­take could blow their cov­er.
...

“Cyber­se­cu­ri­ty experts say it would be too dif­fi­cult for hack­ers to con­sis­tent­ly make it look like an attack was com­ing from a dif­fer­ent group of hack­ers.”

WHAT?!! How is such an con­clu­sion arrived at?

Now, it’s true that the longer a third par­ty tries to imper­son­ate anoth­er hack­ing group, the more like­ly they are to make a mis­take. There’s just more oppor­tu­ni­ty to mis­takes when the false flag attacks on con­sis­tent­ly attempt­ed. But what about an incon­sis­tent attempt? Like just one or a few? Would that be very dif­fi­cult?

Also keep in mind that if a false flag attack is suc­cess­ful, and cyber­se­cu­ri­ty researchers fall for the trick, that false flag group’s mode of oper­a­tion will become the evi­dence used for future attri­bu­tions. In oth­er words, this “pat­tern recog­ni­tion” tech­nique is only as good as the qual­i­ty of the past attri­bu­tions. For all we know, a huge chunk of the past hacks attrib­uted by the cyber­se­cu­ri­ty indus­try to Rus­sia or Chi­na or any oth­er coun­try could be mis­at­trib­uted attacks and the dig­i­tal paper trail is a mix of tracks left by actu­al Russ­ian and Chi­nese gov­ern­ment hack­ers plus a bunch of false flag third par­ties. There’s no rea­son to not assume this is the case unless the 5‑Eyes has far, far more infor­ma­tion about who is hack­ing who than they let on.

For instance, look at some of the evi­dence used to attribute attacks to the Chi­nese gov­ern­ment: Man­darin in the code that was com­piled on Chi­nese oper­at­ing sys­tems, and Chi­nese work day com­pile times in the mal­ware:

...
It’s also how researchers from McAfee fig­ured out Chi­nese hack­ers were behind Oper­a­tion Auro­ra in 2009, [66] when hack­ers accessed the Gmail accounts of Chi­nese human rights activists and stole source code from more than 150 com­pa­nies, accord­ing to DeWalt, who was CEO of McAfee at the time of the inves­ti­ga­tion. Inves­ti­ga­tors found mal­ware writ­ten in Man­darin, code that had been com­piled in a Chi­nese oper­at­ing sys­tem and time-stamped in a Chi­nese time zone, and oth­er clues inves­ti­ga­tors had pre­vi­ous­ly seen in attacks orig­i­nat­ing from Chi­na, DeWalt said.
...

Now, on the one hand, that sure seems like the signs of a Chi­nese hack­er. On the oth­er hand, if you were a non-Chi­nese skilled hack­er who did­n’t want to get be a sus­pect and decid­ed to pre­tend to be a Chi­nese hack­er, would­n’t those be be exact­ly the kinds of ‘dig­i­tal fin­ger­prints’ you would try to leave?

And while the hacks on Chi­nese human rights activists seems like the kinds of tar­gets Chi­nese hack­ers would specif­i­cal­ly be inter­est­ed in, the source code from those 150 com­pa­nies seems like the kinds of things all sorts of par­ties would be inter­est­ed in. So if you were, say, Russ­ian or Brazil­lian hack­ers who had an inter­est in hack­ing those com­pa­nies, wag­ing that hack­ing cam­paign with Chi­nese ‘dig­i­tal fin­ger­prints’ and then tar­get some Chi­nese human rights activists to lend cre­dence to it. Do skilled pro­fes­sion­al hack­ers do such things? Who knows, but get­ting caught steal­ing source code from 150 com­pa­nies seems like the kind of thing a hack­ing group would real­ly, real­ly, real­ly not want to get caught doing, whether its a Chi­nese hack­ing group or any oth­er hack­ing group. Or lone hack­er. So we can’t rule the pos­si­b­li­ty out. And yes, this is very unfor­tu­nate because that’s the kind of ambi­gu­i­ty that encour­ages “inter­na­tion­al chaos” on some lev­el, but it is what it is.

At the same time, let’s remem­ber that it’s entire­ly pos­si­ble that the NSA and 5‑Eyes real­ly does have much more infor­ma­tion on who is car­ry­ing out var­i­ous hacks — per­haps by stor­ing almost all inter­net traf­fic and decrypt­ing it — but they can’t reveal it and shod­dy pub­lic attri­bu­tion cas­es are made to pro­vide pub­lic cov­er for an attri­bu­tion that was real­ly made with evi­dence they can’t reveal. So would that sit­u­a­tion make it all ok if the cyber­se­cu­ri­ty indus­try just stan­dard­izes ‘pat­tern recog­ni­tion’ as a gold stan­dard for con­clu­sive attri­bu­tion if they were real­ly just act­ing as proxy for attri­bu­tions that were made by the NSA or some oth­er gov­ern­ment agency with access to secret evi­dence that they can’t reveal? Well, that seems like a mas­sive risk because once that attri­bu­tion stan­dard is estab­lished it’s going to be use­able by all sorts of com­pa­nies and gov­ern­ments for what­ev­er rea­sons they choose. Heck, you could have gov­ern­ments hack them­selves and frame an adver­sary sim­ply by leav­ing a bunch of ‘dig­i­tal fin­ger­prints’. For all we know that’s already hap­pen­ing.

And that’s why mak­ing attri­bu­tion the key to cyber defense is such a risky ‘new nor­mal’. The exploita­tion of the weak­ness­es in the “pat­tern recog­ni­tion” approach to hacks is the ulti­mate weapon for “inter­na­tion­al chaos”.

Sure, the ‘old nor­mal’ of refrain­ing from attri­bu­tion when the evi­dence is ambigu­ous is also a recipe for “inter­na­tion­al chaos” in the form of lots of hack­ing that’s dif­fi­cult to stop. But when you com­pare that kind of ‘chaos’ to the risk of inter­na­tion­al con­flicts get­ting sparked by doing things a false flag elec­tion hack, it seems like the ‘old nor­mal’ should be the pre­ferred ‘nor­mal’. This ‘new nor­mal’ is pret­ty scary.

And yet, when read the final com­ments for Alper­ovitch in the above arti­cle, he express­es sur­prise that there’s been so much debate over whether or not his “pat­tern recog­ni­tion” approach to attri­bu­tion is appro­pri­ate for gov­ern­ment hack attri­bu­tion:

...
The debate has tak­en Alper­ovitch by sur­prise.

“Our indus­try has been doing attri­bu­tion for 30 years,” although such work on focused on crim­i­nal activ­i­ty, he said. “The minute it went out of cyber­crime, it became con­tro­ver­sial.”
...

“Our indus­try has been doing attri­bu­tion for 30 years,” although such work on focused on crim­i­nal activ­i­ty, he said. “The minute it went out of cyber­crime, it became con­tro­ver­sial.”

The minute pat­tern recog­ni­tion attri­bu­tion went out of cyber­crime and got used for gov­ern­ment hack­ing group attri­bu­tion and high-pro­file polit­i­cal hacks, it become con­tro­ver­sial. And for some rea­son this is surpis­ing. Despite the fact that false flag hacks in the realm of cyber crime is a com­plete­ly dif­fer­ent sto­ry from false flag attacks for the pur­pose of fram­ing a coun­try in terms of the capa­bil­i­ties of the like­ly per­pre­tra­tors and the moti­va­tions. And it’s also wild­ly dif­fer­ent in terms of the need for accu­ra­cy. It’s not great if you screw up the attri­bu­tion of a cyber bur­glar­ly by a com­mon hack­er, but you real­ly don’t want to mis­at­tribute some­thing like an elec­tion hack.

And let’s not for­get that hack attacks can get a lot more dis­rup­tive than an elec­tion attack. Imag­ine a hack that takes down a nation­al pow­er grid. Maybe one that takes it down for an extend­ed peri­od of time. What’s the bet­ter attri­bu­tion ‘nor­mal’ in that sit­u­a­tion? The ‘old nor­mal’, where pub­lic attri­bu­tion of gov­ern­ment hacks was rare, which could con­ceiv­ably encour­age gov­ern­ments that they can get away for such an attack? Or the ‘new nor­mal’, where you could con­ceiv­ably incen­tive a dev­as­tat­ing cyber false flag attack that takes down a pow­er grid? Or maybe trig­gers a nuclear plant melt­down?

Which ‘nor­mal’ is worse? It seems like the ‘old nor­mal’ is prob­a­bly safer since there’s still the implic­it threat of mutu­al­ly assured retal­i­a­tion with­out incen­tiz­ing false flags. But if there’s one ‘per­ma­nent nor­mal’, it’s the fact that human­i­ty is going to always need to strug­gle with the appro­pri­ate approach to cyber attri­bu­tion as long as ‘per­fect crime’ false flags are a tech­ni­cal pos­si­bil­i­ty. This debate isn’t going away. Nor should it. It’s sim­i­lar to the debate over the bal­ance between secu­ri­ty vs pri­va­cy for things like end-to-end strong encryp­tion [68]. It’s a debate that should­n’t actu­al­ly be con­clud­ed [69]. Sure, pol­i­cy deci­sions need to be made, but debate we should­n’t assume poli­cies reflect a con­clu­sion the debate.

It’s also sim­i­lar to the encryp­tion debate in that high-qual­i­ty gov­ern­ment agen­cies and offi­cials that the pub­lic can rea­son­ably trust is prob­a­bly one of the most impor­tant tools for nav­i­gat­ing this risk mine­field.

So we have this hor­ri­ble sit­u­a­tion where it’s ‘inter­na­tion­al chaos’ one way or anoth­er. And yet the mes­sage we’re hear­ing from US and Ger­man (and oth­er) cyber chiefs is that they are 100 per­cent sure all these hacks being attrib­uted to ‘slop­py’ Russ­ian hack­ers real­ly are Russ­ian hack­ers. And the mes­sage from Putin in basi­cal­ly, “that was­n’t us, but if it was that would be ok and jus­ti­fied.” On top of that, we had the Macron hack take place last year with ‘Alt-Right’ neo-Nazi fin­ger­prints all over it and that fact is almost entire­ly ignored and there was nev­er a real attempt to explain it. This sit­u­a­tion is an inter­na­tion­al cyber-tin­der­box.

And as a con­se­quence of this envi­ron­ment, we have sto­ries like the one Trend Micro just issued about the US Sen­ate phish­ing sites made with 100 per­cent con­fi­dence based on “pat­tern recog­ni­tion”. And that con­clu­sion is inter­na­tion­al news and large­ly accept­ed with­out any mean­ing­ful con­sid­er­a­tion of the pos­si­bil­i­ty that, say, neo-Nazi hack­er extra­or­di­naire Andrew ‘weev’ Auern­heimer or per­haps anoth­er gov­ern­ment set up those site and left a bunch of ‘dig­i­tal fin­ger­prints’ designed to make it look like a ‘Fan­cy Bear’ oper­a­tion. And no recog­ni­tion that, if this was indeed a ‘Fan­cy Bear’ oper­a­tion, it was con­spic­u­ous­ly leav­ing dig­i­tal fin­ger­prints lead­ing back to pre­vi­ous hacks, mak­ing this the lat­est inci­dent of Russ­ian hack­ers appar­ent­ly sud­den­ly get­ting super slop­py even since the con­flict in Ukraine broke out. Instead, it’s just blan­ket accep­tance of the report and that means it’s a sit­u­a­tion ripe for all sorts of ‘inter­na­tion­al chaos’. Think about how many dif­fer­ent enti­ties prob­a­bly want to run their own ‘Russ­ian hack­er’ false flag oper­a­tions now.

Who knows, maybe the sud­den change in Russ­ian hack­er behav­ior start­ing in 2014 — where dig­i­tal infra­struc­ture keeps get­ting re-used hack after hack, allow­ing the cyber­se­cu­ri­ty indus­try to go on a ‘pat­tern recognition’-spree — real­ly is a Krem­lin oper­a­tion designed to entice hack­ers and gov­ern­ment around the world to pre­tend to be Russ­ian hack­ers in order to have a bunch of false flag oper­a­tions expose and poi­son the well of ‘Russ­ian hack­er’ attri­bu­tion. That would an incred­i­bly risky oper­a­tion but the rewards could be hand­some. And very sneaky.

So let’s con­sid­er some basic sce­nar­ios:

A. Putin real­ly has ordered a high-pro­file troll­ish hack­ing cam­paign fol­low­ing the out­break of the Ukraine con­flict as part of a strat­e­gy where Rus­sia get­ting the blame is either seen as desir­able or incon­se­quen­tial. They’re self-impli­cat­ing for a rea­son.

B. Putin real­ly has ordered a hack­ing cam­paign fol­low­ing the out­break of the Ukraine con­flict and they keep leav­ing dig­i­tal evi­dence because there’s been a degre­da­tion in the qual­i­ty of Russ­ian hack­ing per­son­el. And for some rea­son the issue of reusing com­pro­mised dig­i­tal infra­struc­ture has­n’t been ade­quate­ly addressed.

C. Putin real­ly has ordered a high-pro­file troll­ish hack­ing cam­paign fol­low­ing the out­break of the Ukraine con­flict to be car­ried about by mafia hack­ers or some oth­er prox­ies and they keep screw­ing up and leav­ing fin­ger­prints. And the Krem­lin keeps using them for some rea­son despite all the screw ups.

D. It real­ly is ‘patri­ot­ic hack­ers’ oper­at­ing on their own and the Russ­ian gov­ern­ment isn’t keen on stop­ping them despite all the blame they direct back to Rus­sia.

E. One or more third par­ties, rec­og­niz­ing the oppor­tu­ni­ty the Ukraine con­flict cre­at­ed for push­ing a false flag ‘Russ­ian hack­er’ cam­paign, decid­ed to wage such a cam­paign over the last few years, wag­ing one high-pro­file hack after anoth­er with the full con­fi­dence that West­ern pow­ers and the cyber­se­cu­ri­ty indus­try is strong­ly biased towards mak­ing attri­bu­tions of Russ­ian hack­ings.

F. Some mix of A thru E.

A range of pos­si­bil­i­ties is a basic ele­ment of this hack­ing sit­u­a­tion and it’s almost nev­er acknowl­edged these days. For any hack. Why isn’t that con­sid­ered extreme­ly dan­ger­ou

And it’s entire­ly pos­si­ble that we’re see­ing a sit­u­a­tion where Putin is lay­ing a trap based on the obser­va­tion that the cyber­se­cu­ri­ty indus­try appears to be ready and will­ing to build 100 per­cent attri­bu­tion nar­ra­tives for pub­lic con­sump­tion for hire:

1. Have Russ­ian hack­ers car­ry out a con­spic­u­ous wave of hacks filled with dig­i­tal evi­dence that points back to Rus­sia but could eas­i­ly be plan­et.

2. Infu­ri­ate West­ern gov­ern­ments that know it’s Russ­ian hack­ers because they have means of detec­tion that can’t be pub­licly revealed. Like super-secret NSA/5‑Eyes evi­dence.

3. The cyber­se­cu­ri­ty indus­try basi­cal­ly offers to cre­ate a nar­ra­tive ‘prov­ing’ Rus­sia did it using a shod­di­ly con­struct­ed case based on guess­work and a refusal to accept the pos­si­bil­i­ty of false flag hacks. And we effec­tive­ly have to take their word for much of this. This is seen as accept­able in order to not allow Russ­ian to get away with it’s fla­grant hack­ing cam­paign.

4. Even­tu­al­ly the shod­di­ness of that attri­bu­tion method is revealed and used to dis­cred­it past and present attri­bu­tions against Russ­ian. Putin smiles.

Might that explain the sud­den slop­py aggres­sive­ness of ‘Russ­ian hack­ers’ over the past few years? Who knows, but some­thing very odd is hap­pen­ing with all these ‘Russ­ian hack­ers’ and there’s vir­tu­al­ly no inter­est in under­stand­ing why.

Of course, two very obvi­ous rea­sons there might be so much resis­tance to the idea of false flag attacks:

1. The fear that such talk might end up help­ing Pres­i­dent Trump avoid cul­pa­bil­i­ty for col­lud­ing with Rus­sia dur­ing the 2016 cam­paign

2. The fear that it might help take the heat off Putin in the midst of a Russ­ian troll­ish hack­ing cam­paign tar­get­ing West­ern democ­ra­cies.

But those aren’t great rea­sons. Even if Putin real­ly has ordered a high-pro­file troll­ish desta­bi­liz­ing hack­ing cam­paigns, not acknowl­edg­ing the false flag angle just invites in third par­ties to par­tic­i­pate and cre­ate more chaos. And while you might be tempt­ed to think, “oh good, all those false flag attacks will get attrib­uted to Putin and this will apply even more inter­na­tion­al pres­sure on Rus­sia to [insert demand here],” that’s an insane atti­tude. What if the false flag is much nas­ti­er, like a grid attack? That’s a flir­ta­tion with WWI­II-start­ed-by-third-par­ty sce­nario.

And it’s not like the intro­duc­tion of the pos­si­bil­i­ty that the DNC serv­er hacks could have involved a false flag third par­ty has to be all that dis­rup­tiuve to the #TrumpRus­sia inves­ti­ga­tion. At this point that inves­ti­ga­tion is filled with so much evi­dence of the Trump cam­paign’s active desire to col­lude with Rus­sia based on all the oth­er inci­dents of Russ­ian foot­sie that the inves­ti­ga­tion could go on almost with­out a hitch even if it was deter­mined a 400 pound guy in bed [70] (or a neo-Nazi hack­er like Andrew Auern­heimer sit­ting in bed) did the hacks DNC hacks alone. The DNC hacks were cen­tral to the #TrumpRus­sia inves­ti­ga­tion at the begin­ning of Trump’s term, but this is a year into the inves­ti­ga­tion. Just look at a sam­pling of what we’ve learned:

1. Trump is basi­cal­ly a mobbed up celebri­ty busi­ness­man [71].

2. Don­ald Trump Jr., Paul Man­afort, and Jared Kush­n­er held a meet­ing in Trump Tow­er after Rob Gold­stone promis­es him Russ­ian gov­ern­ment help in the form of dirt on Hillary. Whether or not they actu­al­ly col­lud­ing with Russ­ian, they cer­taint­ly want­ed to. None oth­er than Steve Ban­non report­ed­ly called this “trea­so­nous” behav­ior [72].

3. Trump’s cam­paign for­eign advi­sor, George Papadopou­los,told Aus­trali­a’s top diplo­mat in the UK that the Rus­sians told him they had thou­sands of Hillary Clin­ton’s emails [73].

4. GOP financier Peter Smith ran an oper­a­tion to find Hillary’s hacked emails. They admit they were fine if the came from Russ­ian gov­ern­ment hack­ers. Much of the Trump team was report­ed­ly involved — Steve Ban­non, Kellyanne Con­way, Sam Clo­vis, and Michael Fly­nn [74].

5. Peter Smith’s email-hunt­ing expe­di­tion inquired with ‘Alt-Right’ troll-jour­nal­ist Charles “Chuck” C. John­son about who might know how to con­tact hack­ers on the Dark Web with Hillary Clin­ton’s emails. John­son told Smith’s team that they should con­tact Andrew Auern­heimer. John­son also told Smith’s team that there were oth­er ‘Alt-Right’ teams also look­ing for Hillary’s emails on the Dark Web. Which kind of sounds like the team that dis­trib­uted the Macron emails [74].

6. Peter Smith’s email-hunt­ing expe­di­tion also inquired with “Guc­cifer 2.0” about who might know how to con­tact hack­ers on the Dark Web with Hillary Clin­ton’s emails. Guc­cifer 2.0 told Smith’s team that they should con­tact Andrew Auern­heimer [74].

7. Bar­bara Ledeen, wife of Michael — who was the co-author of a book on for­eign pol­i­cy with Michael Fly­nn — start­ed her own Dark Web expe­di­tion with Newt Gin­grich in 2015 hunt­ing for Hillary’s emails [75].

8. All the oth­er crazy crap Michael Fly­nn did.

9. All of Trump’s bla­tant obstruc­tion of jus­tice already known to the pub­lic. Even if he’s inno­cent of every­thing else, he’s still pret­ty clear­ly guilty of obstruc­tion of jus­tice. He talks about.

10. Paul Man­afort is super shady. And may have been involved in the Ukraine sniper attacks accord­ing to his daugh­ter’s hacked text mes­sages [76].

11. Felix Sater’s Russ­ian Mobster/FBI/CIA infor­mant past [77]. A past Trump claimed to not know about [78].

12. Felix Sater and Trump Org attor­ney Michael Cohen tried to con­tact the Krem­lin for a Trump Tow­er Moscow deal dur­ing the cam­paign [79].

13. Cam­bridge Ana­lyt­i­ca is own by SCL. SCL employed mil­i­tary-grade psy­cho­log­i­cal war­fare spe­cial­ists for man­ag­ing big opin­ion-chang­ing cam­paigns tar­get­ing nations. And they’ve psy­cho­log­i­cal­ly pro­filed most of the US [80].

14. Don­ald Trump, Jr. and Julian Assange were chat­ting with each oth­er over Twit­ter’s direct mes­sag­ing sys­tem dur­ing the cam­paign [81].

15. The Trump cam­paign had embeds from Face­book, Google, and Twit­ter. These embeds helped the Trump cam­paign to effec­tive­ly wage an unprece­dent­ed micro­tar­get­ing cam­paign and sophis­ti­cat­ed social media per­son­al pro­fil­ing cam­paigns using high­ly per­son­al­ly cus­tomized mes­sag­ing strate­gies that these social media giants made avail­able to the Trump cam­paign [82].

16. The Russ­ian ‘troll farm’ Inter­net Research Agency had its own weird social media cam­paigns. This was­n’t remote­ly as big or sig­nif­i­cant as the Trump cam­paign’s social media pres­ence, and a lot of the troll far­m’s activ­i­ty appeared to be exper­i­ments in see­ing if they can ini­ti­ate real-world action through social media entice­ment, but it’s cer­tain­ly worth inves­ti­gat­ing. Espe­cial­ly since it’s entire­ly pos­si­ble some­one oth­er than the Krem­lin hired their ser­vices [83]. Although if it was some­one like Paul Man­afort hir­ing their ser­vices for a dirty tricks team for the Trump cam­paign that would pre­sum­ably be done with Putin’s approval since that’s pret­ty sen­si­tive and the Inter­net Research Agency is a close ally of Putin.

17. US intel­li­gence offi­cials acknowl­edged back in July of 2016, a week after the big DNC email batch was leaked by Wik­ileaks, that the hack was sign­f­i­cant­ly less sophis­ti­cat­ed and slop­py than pre­vi­ous Russ­ian gov­ern­ment hacks. And the hack­ers left Cyril­lic char­ac­ter data on the hacked DNC servers. Intel­li­gence sources acknowl­edge that the attri­bu­tion was based on dedec­tion and not hard tech­ni­cal evi­dence, and deduced the slop­pi­ness was inten­tion­al troll­ish sig­nalling meant to show it was Rus­sia [84]. And if that’s true, when you fac­tor in all the foot­sie Krem­lin oper­a­tives (or peo­ple pos­ing to be Krem­lin oper­a­tives) were play­ing with the Trump cam­paign dur­ing the time of this unusu­al­ly slop­py hack, it sug­gests the Krem­lin could have been try­ing to get caught and have their ties with the Trump cam­paign exposed in the sub­se­quent inves­ti­ga­tion. And that’s a some­what hilar­i­ous sce­nario that could help with de-esca­lat­ing US/Russian ten­sions.

18. The final con­clu­sive attri­bu­tion by the US intel­li­gence com­mu­ni­ty that Putin ordered the DNC hacks was based on an intel­li­gence source deep with­in the Krem­lin who claimed Putin ordered the attacks and not the “pat­tern recog­ni­tion” analy­sis by Crowd­Strike or oth­er cyber­se­cu­ri­ty com­pa­nies [85]. So, assum­ing you believe this Krem­lin source, it’s not as if stand­ing behind the “pat­tern recog­ni­tion” method­ol­o­gy is crit­i­cal to any case against the Trump cam­paign any­way.

19. Trump might be insane.

And that’s just a sam­pling of the rev­e­la­tions that are now avail­able for any inves­ti­ga­tors into Trump’s fit­ness for office.

So when you look at the full scope of all the evi­dence made pub­lic so far of the Trump cam­paign’s will­ing­ness and desire to col­lude with the Russ­ian gov­ern­ment, whether or not Russ­ian car­ried it out the DNC hack is almost beside the point at this point. All the foot­sie the Trump cam­paign and Trump orga­ni­za­tion was play­ing with appar­ent Krem­lin oper­a­tives through­out the cam­paign — George Papadopou­los, Felix Sater and Michael Cohen, the Trump Tow­er meet­ing — opens up the poten­tial for black­mail any­way, with or with­out Russ­ian gov­ern­ment hack­ers being behind the DNC serv­er hack. And the mob­ster-ish past of Trump and so many fig­ures in his orbit is all the more rea­son to wor­ry about things like black­mail. Who actu­al­ly hacked the DNC is like an inter­est­ing side note when put in the broad­er con­text of whether or not Trump is fit for office.

And that cre­ates a mar­velous poten­tial open­ing for address­ing two crit­i­cal goals the US should have at this point:
1. De-esca­lat­ing the sit­u­a­tion with Rus­sia. De-esca­la­tion of US-Russ­ian ten­sions real­ly should be a pri­or­i­ty even if you’re pissed at Putin over the 2016 elec­tion med­dling. The longer there’s this cyber-stand­of­f/trolling sit­u­a­tion between the US and Russ­ian the more time there is for third par­ty false flag attacks or things spi­ralling out of con­trol. Espe­cial­ly with Trump in place. The strat­e­gy of rachet­ing inter­na­tion­al pres­sure on Rus­sia until some ‘Russ­ian Spring’ hap­pens is high risk and could result in a Russ­ian ultra-nation­al­ist far more dan­ger­ous than Putin replac­ing him. That would be a cat­a­stro­phe. A ‘Russ­ian-Reset’ based on col­lec­tive mar­veling at the cor­rup­tion of Trump and the GOP would be a much bet­ter response.

And...

2. Address­ing the “inter­na­tion­al chaos” risks that a “pat­tern recog­ni­tion” stan­dard of cyber attri­bu­tion tech­niques intro­duce into world affairs. These tech­niques are vul­ner­a­ble to spoof­ing and incen­tivize false flags. If an agency like the NSA wants to declare that it knows some­thing using its supe­ri­or knowl­edge, that’s one thing. But grant­i­ng cred­i­bil­i­ty to ran­dom cyber­se­cu­ri­ty firms using “pat­tern recog­ni­tion” tech­niques for attri­bu­tion in cas­es like nation-state-on-nation-state hack­ing is wild­ly dan­ger­ous. Don’t for­get that the approach to stop­ping hacks advo­cat­ed by Dmitri Alper­ovitch — that pub­licly nam­ing and sham­ing the hack­er is key to to defense — does­n’t nec­es­sar­i­ly dis­suade hack­ers. It might just make them more intent on pre­tend­ing to be some­one else.

So what’s the open­ing the US should make to address these twin goals? The US should open­ly enter­tain the pos­si­bil­i­ty that some of these high-pro­file Russ­ian hacks might actu­al­ly be false flags. Just get that idea out there so the pub­lic isn’t lulled into think­ing “pat­tern recog­ni­tion” is real­ly the kind of gold stan­dard we should accept for nation-state-on-nation-state hack­ing attri­bu­tions. At the same time, the US should simul­ta­ne­ous­ly sug­gest that, if these hacks are indeed ordered by the Russ­ian gov­ern­ment, run­ning a high-pro­file self-impli­cat­ing hack­ing cam­paign — a hack­ing cam­paign that’s seem­ing­ly designed to raise ques­tions about whether or not it’s a false flag attack because it’s so over the top — is incred­i­bly dan­ger­ous and irre­spon­si­ble and a recipe for inter­na­tion­al chaos. If Putin actu­al­ly ordered the years-long self-incrim­i­nat­ing hack­ing cam­paign we’ve seen from Russ­ian hack­ers since the out­break of the con­flict in Ukraine in 2014, that is simul­ta­ne­ous­ly kind of clever and wild­ly irre­spon­si­ble. And stu­pid. Because now any ran­dom hack­er can frame Rus­sia for all sorts of hacks against all sorts of coun­tries and inter­ests. All they’d have to do is run a slop­py, seem­ing­ly inten­tion­al­ly self-incrim­i­nat­ing hack­ing cam­paign intend­ed to trig­ger a “pat­tern recog­ni­tion” match with pre­vi­ous ‘Russ­ian hacks’. And while Putin and the Russ­ian gov­ern­ment could have deter­mined that get­ting framed for hacks like, say, the Macron elec­tion hack are accept­able, what about an attack blamed on Russ­ian take takes a West­ern pow­er’s pow­er-grid down? Or an attack that trig­gers a nuclear melt­down? That might not be the kind of thing you want to get framed for even if you’re a nuclear pow­er. If Putin real­ly did this launch the kind of hack­ing cam­paign we’ve seen since 2014 that was a des­per­ate and dan­ger­ous move that real­ly does risk trig­ger­ing “inter­na­tion­al chaos” and he needs to stop.

Why can’t the US make that argu­ment with­out feel­ing like some sort of major con­ces­sion was made that helps Putin? It’s an argu­ment that rais­es the degree of the crime if the Krem­lin real­ly is behind this high-pro­file “I’m a Russ­ian hack­er!” cam­paign by mak­ing it clear to the world that this is cre­at­ing a real risk to the world. And it’s an argu­ment that also makes it clear to the Russ­ian peo­ple that it’s incred­i­bly dan­ger­ous to them if the Krem­lin is real­ly doing this. Do the Russ­ian peo­ple want a neo-Nazi elite hack­er liek Andrew ‘weev’ Auern­heimer fram­ing them for some­thing a lot more hor­rif­ic than hacked polit­i­cal emails? That seems like a mas­sive nation­al risk.

And the above argu­ment helps head off the risk to the world pre­sent­ed by vul­ner­a­ble cyber attri­bu­tion stan­dards too. Don’t for­get, the US intel­li­gence com­mu­ni­ties con­clu­sion Putin was behind the hacks was based on intel­li­gence from a sin­gle source deep with­in the Krem­lin who claimed Putin ordered the attacks and was not based on the “pat­tern recog­ni­tion” analy­sis by Crowd­Strike or oth­er cyber­se­cu­ri­ty com­pa­nies [85]. Not the ini­tial pat­tern recog­ni­tion guess­work because that was incon­clu­sive even though it led to the ini­tial hunch that Russ­ian was behind it [84]. Also don’t for­get that there are a lot more high-pro­file hacks attrib­uted to the Rus­sians in recent years so acknowl­edg­ing the pos­si­bil­i­ty that some of these hacks could be false flags does­n’t sole­ly raise this ques­tion about the DNC hack. What about the ‘Alt-Right’ fin­ger­prints all over the Macron hack? Aren’t peo­ple inter­est­ed in resolv­ing that mys­tery? And if a bunch of ‘Alt-Right’ neo-Nazis turned out to be behind the DNC hack instead of the Krem­lin is that some­how good news for Trump and the GOP? Even if a 400 pound hack­er in bed [86] did the DNC hack there’s still all the evi­dence of the Trump cam­paign’s desire to col­lude with the Rus­sians and the sub­se­quent bla­tant obstruc­tion of jus­tice.

Don’t for­get that impeach­ing Trump is a polit­i­cal deci­sion in the end and, not a crim­i­nal one. Even if rais­ing the pos­si­bil­i­ty of non-Krem­lin source behind the DNC hack com­pli­cat­ed Robert Mueller inves­ti­ga­tion’s abil­i­ty to crim­i­nal charge in rela­tion to the elec­tion hack, it’s not like that crim­i­nal charge is a decid­ing fac­tor for impeach­ment pur­pos­es. That’s a polit­i­cal choice. What if the Trump cam­paign and the GOP arranged for their own ‘Russ­ian hack­ers’? Or per­haps a bunch of ‘Alt-Right’ hack­ers were behind the DNC hack and Macron hacks and the Trump team had exten­sive con­tact with? Those kinds of sce­nar­ios would­n’t exact­ly help their case against impeach­ment, would they? Is it polit­i­cal­ly accept­able to col­lude with ‘Alt-Right’ hack­ers now?

Impeach­ing Trump is also an act fraught with great per­il and prob­a­bly should­n’t be con­sid­ered the top pri­or­i­ty for Democ­rats. Mike Pence could bring a lev­el of com­pe­ten­cy to the White House that could be far more dam­ag­ing than Trump’s dai­ly whirl­wind of chaot­ic cor­rup­tion. And even if Mike Pence is impeached, next in line is the Koch-pup­pet House Speak­er Paul Ryan. There isn’t real­ly a ‘hap­py end­ing’ impeach­ment sce­nario here. If Trump gets impeached, a huge chunk of the the Amer­i­can con­ser­v­a­tive base is going to go more insane and devel­op an even more malig­nant griev­ance com­plex and that psy­cho­log­i­cal wound will be nursed for decades. So is it worth impeach­ing the bla­tant­ly crazy fas­cist who might blow up the world only to have him replaced by a far more com­pe­tent fas­cist? Both sce­nar­ios feel like exis­ten­tial risks. In oth­er words, even if you could impeach Trump tomor­row over the Russ­ian hack­ing and replace his dan­ger­ous chaos with a Pres­i­dent Pence or Ryan are you sure you want to do that [87]? Super sure [88]? It’s anoth­er exam­ple of a con­tem­po­rary cat­a­stroph­ic ‘no-win’ sit­u­a­tion. A clas­si­cal non-tech­no­log­i­cal ‘no-win’ sit­u­a­tion: do we try to replace an unpre­dictable extreme dan­ger with a more pre­dictable extreme dan­ger? Who knows. And that ambi­gu­i­ty over whether or not impeach­ing Trump is even a desire­able sce­nario is anoth­er rea­son not to fear let­ting Trump ‘off the hook’ by acknowl­edg­ing the pos­si­bil­i­ty that these hacks being attrib­uted to Rus­sia might include false flags.

Giv­en all the cat­a­stroph­ic no-win sit­u­a­tions swirling around this issue of cyber attri­bu­tion, how is a soci­ety to pro­ceed? Well, here’s some­thing to keep in mind: the future of hack­ing attri­bu­tion is prob­a­bly going to depend on the cred­i­bil­i­ty of the author­i­ty mak­ing the attri­bu­tion since author­i­ta­tive attri­bu­tion will prob­a­bly depend on infor­ma­tion that can’t be pub­licly revealed. That’s basi­cal­ly the sit­u­a­tion today, where an agency like the NSA is often left to make the final ‘call’ on attri­bu­tion. But we could become more reliant on trust­ing an author­i­ty with access to secret infor­ma­tion in the future, espe­cial­ly if we acknowl­edge the real­i­ty of false flags, and that’s going to raise the ques­tion of whether or not that author­i­ty can be trust­ed. And in a world of false flag cyber­crimes at a nation-state lev­el, that adds one more rea­son to have a very cred­i­ble gov­ern­ment. And how do we get cred­i­ble gov­ern­ments? By cre­at­ing soci­eties that seem real­ly nice and run by peo­ple that seem very unlike­ly to engage in mali­cious false accu­sa­tions. Being real­ly, real­ly, real­ly nice and non-aggres­sive could be a key ele­ment nation­al cyber-defense in the future because the coun­try with the most cred­i­bil­i­ty could end up with the final word in the court of pub­lic opin­ion. And the court of pub­lic opin­ion mat­ters in the realm of inter­na­tion­al cyber war­fare.

Look at it this way: the cat­a­stroph­ic no-win sit­u­a­tions around cyber attacks and attri­bu­tion makes hav­ing a high-qual­i­ty, trust-wor­thy gov­ern­ment with a for­mi­da­ble intel­li­gence capac­i­ty whose word is respect­ed around the globe a nation­al secu­ri­ty pri­or­i­ty. And the only way to real­is­ti­cal­ly accom­plish that feat is for a soci­ety to devel­op a track record of actu­al­ly being real­ly nice and com­pas­sion­ate and trust­wor­thy and not agres­sive­ly ambi­tious. Sure, on one lev­el this is utopi­an think­ing. But when you think about the array of new tech­nolo­gies that will allow for dev­as­tat­ing attacks that could be car­ried out with­out clear attri­bu­tion — false flag biowar­fare, false flag nuclear attacks, false flag assas­sin drone attacks, false flag [insert tech­no­log­i­cal hor­ror show here] — it’s hard to see why false flag attacks aren’t going to be a pop­u­lar mode for wag­ing both war­fare and ter­ror­ism, and that all makes hav­ing a real­ly well-respect­ed soci­ety all the more impor­tant in the future. Good! It’s one more rea­son for build­ing good, decent soci­eties pop­u­lat­ed by hon­or­able and trust­wor­thy indi­vid­u­als? How do we accom­plish that? Good ques­tion! Let’s fig­ure that out. It prob­a­bly involves a nation car­ry­ing out the duel focus of being real­ly decent to its cit­i­zens while con­stant­ly try­ing to make the world at large a bet­ter place for nation. Which is some­thing that should­n’t be con­sid­ered utopi­an think­ing and instead should be seen as a basic sur­vival for a high-tech future. Plus, it’s not like this is the only tech­no­log­i­cal night­mare sit­u­a­tion that calls for a ded­i­ca­tion to very good, trust­wor­thy soci­eties and gov­ern­ments [68].

And there’s one key aspect to being a well-like, trust­wor­thy, nation with the kind of inter­na­tion­al cred­i­bil­i­ty to make an attri­bu­tion that will be believed, and it’s an iron­ic one: the capac­i­ty to ‘turn the oth­er cheek’ and not respond in kind after an attack even after a pub­lic attri­bu­tion is made. Yep, sham­ing the blamed attack­er while simul­ta­ne­ous­ly de-esca­lat­ing the sit­u­a­tion even after an attri­bu­tion is made could be a great way for a soci­ety to build up ‘attri­bu­tion cred’. And it might actu­al­ly avoid sit­u­a­tions from spi­ral­ing out of con­trol. Because if we apply the ‘mutu­al­ly assured destruc­tion’ mode of dis­suad­ing attacks that’s been suc­cess­ful­ly employed with nuclear strikes to future tech­nolo­gies where attri­bu­tion is far more dif­fi­cult than a nuclear strike, we’re just ask­ing for third par­ties to pick fights between nations with false flag attacks. Don’t for­get that a third par­ty could con­ceiv­ably wage a false flag attack and a false flag counter-attack. That’s the kind of crazi­ness that’s going to be unleashed by tech­nol­o­gy that poten­tial­ly enables indi­vid­u­als to car­ry out dev­as­tat­ing non-attrib­ut­able attacks. That’s the future. The ‘400 pound hack­er in his bed’ real­ly might start WWIII in future. And WWIV after that. So our future had bet­ter involved quite a bit of ‘turn­ing the oth­er cheek’ if it’s going to avoid being a smol­der­ing future. Utopi­an think­ing might be a basic sur­vival strat­e­gy going for­ward.

And if ‘being a real­ly, real­ly nice and trust­wor­thy coun­try’ feels like a high-risk solu­tion for how to address the threat of tech­no­log­i­cal false flags, don’t for­get: inter­na­tion­al chaos. That’s the future we invite when tech­no­log­i­cal false flags and mutu­al­ly assured destruc­tion is the norm. So when you read sto­ries about cyber attri­bu­tions being made with near cer­tain­ty in these high-pro­file hacks based on cir­cum­stan­tial evi­dence and guess­work, keep in mind that the only thing you should be 100 per­cent cer­tain about is that this lev­el of cer­tain­ty is a real­ly bad idea for a lot of rea­sons [89]