Did you hear the big new hacking news? The news about ‘Fancy Bear’ already getting ready to wage a new hacking campaign against US politicians? If not, here’s a brief summary: Trend Micro, a Japanese cybersecurity firm, just issued a new report purporting to show that ‘Fancy Bear’ has already set up multiple phishing websites intended to capture the login credentials to the US Senate’s email system. And Trend Micro is 100 percent confident this is the work of ‘Fancy Bear’, the Russian military intelligence hacking team.
And what led to Trend Micro’s 100 percent certainty that these phishing sites were set up by ‘Fancy Bear’? Well, that conclusion appears to be based on the similarity of this operation to the Macron email hack that impacted hit French election last year. You know, the same hack that the French cybersecurity agency said was so unsophisticated that any reasonably skilled hackers could have pulled them off. And the same hacks comically included the name of a Russian government security contractor in the meta-data [1] and were traced back to Andrew ‘weev’ Auernheimer [2]. That’s the hack that this current Senate phishing operation strongly mimics that led to Trend Micro’s 100 percent certainty that this is the work of ‘Fancy Bear.’ So how credible is this 100 percent certain cyber attribution? Well, that’s going to be the topic if this post. And as we’re going to see:
1. Contemporary cyber attribution is fraught with peril, relying heavily on “pattern recognition” that make it ripe for misattributions and false flags.
2. The move to employ “pattern recognition” and use that for nation-state-on-nation-state public attributions of hacks is a relatively new trend in the cybersecurity industry, and it was pioneered by one of the founders of CrowdStrike.
3. When you look at the recent history of the cybersecurity industry, there are A LOT of questions of whether or not these attributions are really be made with certainty.
4. If this mode of cyber attribution turns out to be a bad idea, it could result in international chaos. Seriously, international chaos. Those were the words of France’s top cybersecurity officer following the Macron email hacks.
In other words, beyond not wanting to get a particular instance of cyber attribution wrong, society really doesn’t want to get the whole approach to cyber attribution wrong. Because, again, that could be an invitation for international chaos.
So with that in mind, let’s take a look at that new Trend Micro report and the cyber attribution made with 100 percent certainty [3]:
Associated Press
Cybersecurity firm: US Senate in Russian hackers’ crosshairs
RAPHAEL SATTER
01/12/2018PARIS (AP) — The same Russian government-aligned hackers who penetrated the Democratic Party have spent the past few months laying the groundwork for an espionage campaign against the U.S. Senate, a cybersecurity firm said Friday.
The revelation suggests the group often nicknamed Fancy Bear, whose hacking campaign scrambled the 2016 U.S. electoral contest, is still busy trying to gather the emails of America’s political elite.
“They’re still very active — in making preparations at least — to influence public opinion again,” said Feike Hacquebord, a security researcher at Trend Micro Inc., which published the report [4] . “They are looking for information they might leak later.”
The Senate Sergeant at Arms office, which is responsible for the upper house’s security, declined to comment.
Hacquebord said he based his report on the discovery of a clutch of suspicious-looking websites dressed up to look like the U.S. Senate’s internal email system. He then cross-referenced digital fingerprints associated with those sites to ones used almost exclusively by Fancy Bear, which his Tokyo-based firm dubs “Pawn Storm.”
Trend Micro previously drew international attention when it used an identical technique to uncover a set of decoy websites apparently set up to harvest emails from the French presidential candidate Emmanuel Macron’s campaign in April 2017. The sites’ discovery was followed two months later by a still-unexplained publication of private emails from several Macron staffers in the final days of the race.
Hacquebord said the rogue Senate sites — which were set up in June and September of 2017 — matched their French counterparts.
“That is exactly the way they attacked the Macron campaign in France,” he said.
Attribution is extremely tricky in the world of cybersecurity, where hackers routinely use misdirection and red herrings to fool their adversaries. But Tend Micro, which has followed Fancy Bear for years, said there could be no doubt.
“We are 100 percent sure that it can attributed to the Pawn Storm group,” said Rik Ferguson, one of the Hacquebord’s colleagues.
Like many cybersecurity companies, Trend Micro refuses to speculate publicly on who is behind such groups, referring to Pawn Storm only as having “Russia-related interests.” But the U.S. intelligence community alleges that Russia’s military intelligence service pulls the hackers’ strings and a months-long Associated Press investigation into the group, drawing on a vast database of targets supplied by the cybersecurity firm Secureworks, has determined that the group is closely attuned to the Kremlin’s objectives.
If Fancy Bear has targeted the Senate over the past few months, it wouldn’t be the first time. An AP analysis of Secureworks’ list shows that several staffers there were targeted between 2015 and 2016.
Among them: Robert Zarate, now the foreign policy adviser to Florida Senator Marco Rubio; Josh Holmes, a former chief of staff to Senate Majority Leader Mitch McConnell who now runs a Washington consultancy; and Jason Thielman, the chief of staff to Montana Senator Steve Daines. A Congressional researcher specializing in national security issues was also targeted.
Fancy Bear’s interests aren’t limited to U.S. politics; the group also appears to have the Olympics in mind.
Trend Micro’s report said the group had set up infrastructure aimed at collecting emails from a series of Olympic winter sports federations, including the International Ski Federation, the International Ice Hockey Federation, the International Bobsleigh & Skeleton Federation, the International Luge Federation and the International Biathlon Union.
The targeting of Olympic groups comes as relations between Russia and the International Olympic Committee are particularly fraught. Russian athletes are being forced to compete under a neutral flag in the upcoming Pyeongchang Olympics following an extraordinary doping scandal that has seen 43 athletes and several Russian officials banned for life. Amid speculation that Russia could retaliate by orchestrating the leak of prominent Olympic officials’ emails, cybersecurity firms including McAfee and ThreatConnect have picked up on signs that state-backed hackers are making moves against winter sports staff and anti-doping officials.
On Wednesday, a group that has brazenly adopted the Fancy Bear nickname began publishing what appeared to be Olympics and doping-related emails from between September 2016 and March 2017. The contents were largely unremarkable but their publication was covered extensively by Russian state media and some read the leak as a warning to Olympic officials not to press Moscow too hard over the doping scandal.
Whether any Senate emails could be published in such a way isn’t clear. Previous warnings that German lawmakers’ correspondence might be leaked by Fancy Bear ahead of last year’s election there appear to have come to nothing.
On the other hand, the group has previously dumped at least one U.S. legislator’s correspondence onto the web.
One of the targets on Secureworks’ list was Colorado State Senator Andy Kerr, who said thousands of his emails were posted to an obscure section of the website DCLeaks — a web portal better known for publishing emails belonging to retired Gen. Colin Powell and various members of Hillary Clinton’s campaign — in late 2016.
...
———-
“Hacquebord said he based his report on the discovery of a clutch of suspicious-looking websites dressed up to look like the U.S. Senate’s internal email system. He then cross-referenced digital fingerprints associated with those sites to ones used almost exclusively by Fancy Bear, which his Tokyo-based firm dubs “Pawn Storm.””
So after cross-referencing the digital fingerprints associated with the Senate email phishing websites, Trend Micro found that these fingerprints were almost exclusively used by ‘Fancy Bear’. That appears to be at the core of Trend Micro’s 100 percent certainty in attributing these websites to Fancy Bear.
And it sounds like those digital fingerprints point back to the Macron hack, which is presumably part of the basis of their 100 percent level of certainty. Although it’s unclear because Trend Micro relates the US Senate phishing attempt back to the Macron hacks merely by stating that the US Senate phishing websites matched their French counterparts. “That is exactly the way they attacked the Macron campaign in France,” said Trend Micro:
...
Hacquebord said the rogue Senate sites — which were set up in June and September of 2017 — matched their French counterparts.“That is exactly the way they attacked the Macron campaign in France,” he said.
Attribution is extremely tricky in the world of cybersecurity, where hackers routinely use misdirection and red herrings to fool their adversaries. But Tend Micro, which has followed Fancy Bear for years, said there could be no doubt.
“We are 100 percent sure that it can attributed to the Pawn Storm group,” said Rik Ferguson, one of the Hacquebord’s colleagues.
...
“We are 100 percent sure that it can attributed to the Pawn Storm group.” That’s the message from Trend Micro following the release of this report.
And then Trend Micro touts its previous big attribution score when it drew international attention by attributing the phishing sites set up in the Macron hacks back to ‘Fancy Bear’/APT28/Pawn Storm:
...
Trend Micro previously drew international attention when it used an identical technique to uncover a set of decoy websites apparently set up to harvest emails from the French presidential candidate Emmanuel Macron’s campaign in April 2017. The sites’ discovery was followed two months later by a still-unexplained publication of private emails from several Macron staffers in the final days of the race.
...
“The sites’ discovery was followed two months later by a still-unexplained publication of private emails from several Macron staffers in the final days of the race.”
You have to love the phrasing of the “still-unexplained publication of private emails.” Yeah, it’s still unexplained because the whole world appeared to drop that line of inquiry after the reports pointing back to Auernheimer’s involvement in the hack [2].
So that’s the public reporting on these new US Senate phishing sites and the 100 percent certain attribution of them back to APT28. And if we take it face value we would have to conclude that Russia’s government hackers executed this phishing attempt while leaving digital fingerprints that unique tie back to prior phishing campaigns which, if true, sure sounds like “I’m a Russian hacker! Please blame it on me!” kind of behavior.
The Trend Micro US Senate Phishing Report: An Evidentiary Tributary Vague Trickle of ‘Digital Fingerprints’ Tells the Story
But if the digital fingerprints do indeed point back to prior hacking campaigns carried out by APT28/Fancy Bear/Pawn Storm, what’s actual evidence provided by Trend Micro? Did Trend Micro found that the phishing websites were literally hosted on the same servers as previously identified phishing sites and/or shared some other physical infrastructure that were used in previous hacks. And if so, which hacks?
Well, when you read the Trend Micro report [4], it does explicitly say that they can “uniquely relate” the phishing websites set up for this US Senate hack attempt back to two attacks by Fancy Bear a.k.a Pawn Storm. One in 2016 and one in 2017. But they don’t clarify which particular hacks they were referring to. The 2017 hack they refer to might be the Macron hack, but the report mentions a number of different 2017 campaigns they attributed to APT28.
The report also makes a rather notable observation about the behavior of ‘Fancy Bear’: they appear to follow largely the same script over and over. Trend Micro attributes this behavior to ‘Fancy Bear’ having both a large volume of targets but also a large box of hacking tools so few updates to its techniques are required. And this is true in terms of reusing the same methodology in the sense that relatively unsophisticated phishing campaigns probably can largely all follow the same script. But it’s also the case that reusing the same digital infrastructure — like same malware — over and over is a great way to make your hacking group relatively easy to identify by investigators and, more importantly, relatively easy to frame by third parties.
Now, it’s true that reuse of malware shouldn’t actually be seen as strong evidence that two separate attacks are related, unless it’s very unique malware and there’s no evidence of it being ‘in the wild’ and available to other hackers. But in today’s context, reuse of malware, including malware ‘in the wild’, is routinely used by the cybersecurity industry as evidence that different attacks were carried out by the same group. Take, for example, the bogus claim made by CrowdStrike that the “X‑Agent” malware found in the DNC server attack is used solely by the Russian government [5].
Similarly, seeing the same ISP being used in two separate attacks shouldn’t actually be seen as strong evidence that two separate attacks are related because you can easily have different hacking groups sharing the same hacker-friendly ISPs. But in today’s context, reusing things like the same ISP over and over is basically asking to having your various hacking campaigns attributed to each other. And it’s also asking to have a third party frame you.
In other words, reusing methodologies is understandable when you’re relying on unsophisticated techniques. But reusing the same digital infrastructure is a very different kind of lack of sophistication....unless, of course, a group like ‘Fancy Bear’ wants to have all of its various hacking campaigns attributed back to them. That’s something to keep in mind when reading the following Trend Micro report.
The report also includes a note on other hackers copying Fancy Bear’s technique, warning that “actors from developing countries will learn and probably adapt similar methods quickly in the near future.” And that warning raises the obvious question of why we shouldn’t assume all sorts of actors, in any country, haven’t already adapted similar methods already, including using the same digital infrastructure when information on that is available.
So there are a number of questions raised by the Trend Micro report, and not a lot of answers on how exactly they arrived at their conclusions [4]:
Trend Micro
Update on Pawn Storm: New Targets and Politically Motivated Campaigns
Posted on:January 12, 2018 at 5:00 am
In the second half of 2017 Pawn Storm, an extremely active espionage actor group [6], didn’t shy away from continuing their brazen attacks. Usually, the group’s attacks are not isolated incidents, and we can often relate them to earlier attacks by carefully looking at both technical indicators and motives.
Pawn Storm has been attacking political organizations in France, Germany, Montenegro, Turkey, Ukraine, and the United States since 2015. We saw attacks against political organizations again in the second half of 2017. These attacks don’t show much technical innovation over time, but they are well prepared, persistent, and often hard to defend against. Pawn Storm has a large toolset full of social engineering tricks, malware and exploits, and therefore doesn’t need much innovation apart from occasionally using their own zero-days and quickly abusing software vulnerabilities shortly after a security patch is released. [7].
In summer and fall of 2017, we observed Pawn Storm targeting several organizations with credential phishing and spear phishing attacks. Pawn Storm’s modus operandi is quite consistent over the years, with some of their technical tricks being used repeatedly. For example, tabnabbing [8] was used against Yahoo! users in August and September 2017 in US politically themed email. The method, which we first discussed in 2014, involves changing a browser tab to point to a phishing site after distracting the target.
We can often closely relate current and old Pawn Storm campaigns using data that spans more than four years, possibly because the actors in the group follow a script when setting up an attack. This makes sense, as the sheer volume of their attacks requires careful administration, planning, and organization to succeed. The screenshots below show two typical credential phishing emails that targeted specific organizations in October and November 2017. One type of email is supposedly a message from the target’s Microsoft Exchange server about an expired password. The other says there is a new file on the company’s OneDrive system.
While these emails might not seem to be advanced in nature, we’ve seen that credential loss is often the starting point of further attacks that include stealing sensitive data from email inboxes. We have worked with one of the targets, an NGO in the Netherlands targeted twice, in late October and early November 2017. We successfully prevented both attacks from causing any harm. In one case we were able to warn the target within two hours after a dedicated credential phishing site was set up. In an earlier attack, we were able to warn the organization 24 hours before the actual phishing emails were sent.
...
Political targets
In the week of the 2017 presidential elections in Iran, Pawn Storm set up a phishing site targeting chmail.ir webmail users. We were able to collect evidence that credential phishing emails were sent to chmail.ir users on May 18, 2017, just one day before the presidential elections in Iran. We have previously reported similar targeted activity against political organizations in France, Germany, Montenegro, Turkey, Ukraine, and the United States.
Beginning in June 2017, phishing sites were set up mimicking the ADFS (Active Directory Federation Services) of the U.S. Senate. By looking at the digital fingerprints of these phishing sites and comparing them with a large data set that spans almost five years, we can uniquely relate them to a couple of Pawn Storm incidents in 2016 and 2017. The real ADFS server of the U.S. Senate is not reachable on the open internet, however phishing of users’ credentials on an ADFS server that is behind a firewall still makes sense. In case an actor already has a foothold in an organization after compromising one user account, credential phishing could help him get closer to high profile users of interest.
The future of politically motivated campaigns
Rogue political influence campaigns are not likely to go away in the near future. Political organizations have to be able to communicate openly with their voters, the press and the general public. This makes them vulnerable to hacking and spear phishing. On top of that, it’s also relatively easy to influence public opinion via social media. Social media platforms continue to form a substantial part of users’ online experience, and they let advertisers reach consumers with their message.
This makes social media algorithms susceptible to abuse by various actors with bad intentions. Publishing stolen data together with spreading fake news and rumors on social media gives malicious actors powerful tools. While a successful influence campaign might seem relatively easy to do, it needs a lot of planning, persistence, and resources to be successful. Some of the basic tools and services, like ones used to spread fake news on social media, are already being offered as a service in the underground economy. [9].
As we have mentioned in our overview paper on Pawn Storm [6], other actors may also start their own campaigns that aim to influence politics and issues of interest domestically and abroad. Actors from developing countries will learn and probably adapt similar methods quickly in the near future. In 2016, we published a report on C Major [10], an espionage group that primarily targets the Indian military. By digging deeper into C Major’s activities, we found that this actor group not only attacks the Indian military, but also has dedicated botnets for compromised targets in Iranian universities, Afghanistan, and Pakistan. Recently, we have witnessed C Major also showing some interest in compromising military and diplomatic targets in the West. It is only a matter of time before actors like C Major begin attempting to influence public opinion in foreign countries, as well.
With the Olympics and several significant global elections taking place in 2018, we can be sure Pawn Storm’s activities will continue. We at Trend Micro will keep monitoring their targeted activities, as well as activities of similar actors, as cyberpropaganda and digital extortion remain in use.
...
———-
“Beginning in June 2017, phishing sites were set up mimicking the ADFS (Active Directory Federation Services) of the U.S. Senate. By looking at the digital fingerprints of these phishing sites and comparing them with a large data set that spans almost five years, we can uniquely relate them to a couple of Pawn Storm incidents in 2016 and 2017. The real ADFS server of the U.S. Senate is not reachable on the open internet, however phishing of users’ credentials on an ADFS server that is behind a firewall still makes sense. In case an actor already has a foothold in an organization after compromising one user account, credential phishing could help him get closer to high profile users of interest.”
So in June 2017, phishing sites get set up to mimic the US Senate’s email site. And the digital fingerprints on these sites “uniquely relates” them to them to a couple of Pawn Storm incidents in 2016 and 2017. That appears to be the primary line of evidence leading them to conclude that ‘Fancy Bear’/‘Pawn Storm’ is indeed the entity behind this Senate phishing attempt. And none of that evidence is actually given. It is solely a “Trust Us” attribution.
And note how the lack of technical innovation over time appears to be a key element in allowing Trend Micro to search through its database of attacks and match the ‘digital fingerprints’ of present day attacks with prior attacks:
...
Pawn Storm has been attacking political organizations in France, Germany, Montenegro, Turkey, Ukraine, and the United States since 2015. We saw attacks against political organizations again in the second half of 2017. These attacks don’t show much technical innovation over time, but they are well prepared, persistent, and often hard to defend against. Pawn Storm has a large toolset full of social engineering tricks, malware and exploits, and therefore doesn’t need much innovation apart from occasionally using their own zero-days and quickly abusing software vulnerabilities shortly after a security patch is released. [7]....
We can often closely relate current and old Pawn Storm campaigns using data that spans more than four years, possibly because the actors in the group follow a script when setting up an attack. This makes sense, as the sheer volume of their attacks requires careful administration, planning, and organization to succeed. The screenshots below show two typical credential phishing emails that targeted specific organizations in October and November 2017. One type of email is supposedly a message from the target’s Microsoft Exchange server about an expired password. The other says there is a new file on the company’s OneDrive system.
...
So ‘Fancy Bear’ keeps using the same methodology and seemingly follows a script, leaving a growing digital trail over the years that can be used for attribution of future attacks. And yet as Trend Micro warns, there’s reason to assume other actors are going to adopt similar methods “in the near future” to sway elections in other countries:
...
As we have mentioned in our overview paper on Pawn Storm [6], other actors may also start their own campaigns that aim to influence politics and issues of interest domestically and abroad. Actors from developing countries will learn and probably adapt similar methods quickly in the near future. In 2016, we published a report on C Major [10], an espionage group that primarily targets the Indian military. By digging deeper into C Major’s activities, we found that this actor group not only attacks the Indian military, but also has dedicated botnets for compromised targets in Iranian universities, Afghanistan, and Pakistan. Recently, we have witnessed C Major also showing some interest in compromising military and diplomatic targets in the West. It is only a matter of time before actors like C Major begin attempting to influence public opinion in foreign countries, as well.
...
And, of course, just as third parties might use the same methodology, they also might decide to try to leave the same digital fingerprints as ‘Fancy Bear’ if that’s an option because why not? If the malware or server hosts that ‘Fancy Bear’, or any other high profile hacking group, keeps getting reused and this becomes publicly known, why wouldn’t other hackers use the same malware and server hosts if that’s an option? This is probably a good time to remind ourselves that one of the key ‘digital fingerprints’ found in the 2016 DNC hack used to attribute that hack to ‘Fancy Bear’ was the reuse of a command and control server’s IP address (176.31.112.10) made public in 2015 following the Bundestag hack of May 2015 [11].
And note how there are actually a number of 2017 hacks attributed to ‘Fancy Bear’ that Trend Micro references in this report. So if it “uniquely” traced the US Senate phishing sites (which were actually set up in June of 2017...a month after the French elections) back to another 2017 attack, it’s not clear which 2017 attack Trend Micro was uniquely tying the US Senate phishing sites back to.
But again, the overall message from Trend Micro in this report is “Trust Us, we got this covered...look at what a great job we did identifying the Macron hacks.”
About Those Macron Hack Attributions...
So Trend Micro found that two prior attacks, one in 2017 and one in 2016, shared the same digital fingerprints that they found after investigating the websites associated this new US Senate phishing campaign. And the 2017 attack they referred to was maybe the Macron email hack, although that’s very ambiguous. And we’re basically expected to just trust them on this attribution.
So how much blind trust should we place in Trend Micro’s — or any other cybersecurity firm’s — attribution when basically no technical evidence is given. Well, to explore this topic, let’s take an extended look at the Macron hacks. And not just Trend Micro’s work on those hacks, because there were a number of different cybersecurity firms, along with the US government, who weighed in on that hack and concluded with near certainty that it was ‘Fancy Bear’ behind it.
And as we look into this, note that, if the 2017 hack Trend Micro related the US Senate phishing sites back to was indeed the Macron hack, then we can make an educated guess that the 2016 hack Trend Micro uniquely related back to the US Senate phishing attack was actually the 2016 DNC server attack. Because as we’ll see in the following article, when Trend Micro first reported on the Macron email hack back in April of 2017, there was one particular 2016 hack that Trend Micro claimed had a number of ‘digital similarities’ to the Macron hack. And those ‘digital similarities’ included similarities in the IP address involved and malware used: The 2016 DNC server hack [12]:
The Washington Post
Cyberattack on French presidential front-runner bears Russian ‘fingerprints,’ research group says
By Rick Noack
April 25, 2017PARIS — A security firm claimed Tuesday that new cyberattacks on the campaign offices of the front-runner in France’s presidential race carried digital “fingerprints” similar to the suspected Russian hacking of the Democratic National Committee and others in the 2016 U.S. election.
The report [13], by the Trend Micro research group, did not disclose the potential fallout of the infiltration on the campaign of Emmanuel Macron, a centrist who faces far-right leader Marine Le Pen in a May 7 runoff.
If a Russian connection is proved, the hacking would add to mounting allegations that Moscow is backing attempts to influence Western elections in favor of candidates with policies potentially more friendly to the Kremlin. Le Pen has voiced opposition to the powers of the European Union and has called for better ties with Russia, echoing some of the campaign rhetoric of President Trump.
Tokyo-based Trend Micro said Macron’s campaign was targeted in March and April by a cyberspying group called Pawn Storm. The group has allegedly used phishing and malware to infiltrate other political organizations, as well, such as German Chancellor Angela Merkel’s Christian Democratic Union and the U.S. Democratic National Committee.
“There are several things which suggest that the group behind the Macron hacking was also responsible for the DNC breach, for example. We found similarities in the IP addresses and malware used in the attacks,” said Rik Ferguson, vice president of Trend Micro’s security research program.
“We cannot say for sure whether this was directed by the Russian government, but the group behind the attacks certainly appears to pursue Russian interests,” added Ferguson, speaking from the company’s London offices.
According to the research firm, the hackers created several email addresses on a fake server with the URL onedrive-en-marche.fr, operating from computers with IP addresses in multiple European nations, including Britain.
...
ANSSI, the French government’s cybersecurity agency, confirmed the more recent cyberattacks against Macron but left open the possibility that they could be the work of “other high-level” hackers trying to point the blame at Pawn Storm.
...
———-
““There are several things which suggest that the group behind the Macron hacking was also responsible for the DNC breach, for example. We found similarities in the IP addresses and malware used in the attacks,” said Rik Ferguson, vice president of Trend Micro’s security research program.”
The same IP addresses and same malware used in the Macron and DNC attacks. Or, at least, similar IP addresses and malware. That’s what Trend Micro found when it looked into Macron email hacks back in 2017.
So what does it mean to “similar IP addresses between two hacks? Well, that’s probably a reference to two hacks sharing the same IP blocks. And sharing IP blocks with previous attacks merely suggests the use of the same Internet Service Provider (ISP), since ISPs will get set a block of IP addresses to use [14]. And sharing ISP with previous hackers is fairly weak evidence. Of course hackers are going to gravitate towards hacker friendly ISPs! Especially if they want to misdirect the attribution of the attack!
And neither is “similar malware” compelling evidence...unless there’s reason to believe that malware isn’t available outside hackers. But if ‘Fancy Bear’ has been reusing the same, or similar, malware for years, what are the odds that its malware collection isn’t already ‘in the wild’? As we saw with the ‘X‑Agent’ malware, assuming this malware is unique to one group is a bad idea. And even if the malware ‘Fancy Bear’ keeps reusing has somehow avoided ended up ‘in the wild’, why does this group continue to reuse the same unique collection of malware over and over? It just make attribution that much easier!
Where the Beef Evidence? Seriously, Where is It?
But let’s not focus exclusively on Trend Micro when it comes to the Macron hack. Because a lot of different cybersecurity companies made exactly the same attribution, along with the US government too. Curiously, all of these sources appeared to be extremely confident that the phishing sites targeting the Macron campaign and identified by Trend Micro in its April 25th, 2017, were indeed attributable to ‘Fancy Bear’, and they even referred back to their big reports in a number of cases. And yet, when you look at the actual reports, there is no evidence listed and, in the case of the US government report, there’s no reference to the Macron hacks at all. It’s bizarre.
First, let’s take a look at this Defense One article from May 6, 2017. That’s one day after the BIG document dump of Macron campaign emails. Recall that there was a May 3rd document dump of a few documents that appeared to be tampered with and the a much larger May 5th dump.
Also recall, and as we’ll examiner in more detail later, both of these document dumps appeared to originate from within the American ‘Alt-Right’, with Andrew Auernheimer a central figure.
So this article was written one day after a very big last minute document dump and the way these documents were dumped did not at all fit the ‘Russia did it’ pattern. That’s why when you read this article you’ll see parallel discussions of the phishing sites that Trend Micro reported on a couple weeks earlier paired with acknowledgments from Trend Micro that there’s no evidence conclusively pinning the hack on ‘Fancy Bear’. In other words, there’s an implicit acknowledgement that the phishing sites set up to target the Macron campaign may not have been the source of these hacked documents.
But when it comes to who set up those phishing sites, the article include more than just Trend Micro making near certain conclusions that Fancy Bear was behind it. A representative from Flashpoint, another cybersecurity firm, is also quoted as basically treating it as a foregone conclusion that ‘Fancy Bear’ set up the phishing sites, and the article links back to the US government’s “Grizzly Steppe” report, which was updated to include that evidence. But as we’ll see, Flashpoint never actually explains anywhere how it arrived at this conclusion and the US government report contains no reference at all to the Macron hacks. It was “Trust Us” attribution at work all around [15]:
Defense One
France’s Macron Hack Likely By Same Russian Group That Hit DNC, Sources Say
By Patrick Tucker
Technology EditorMay 6, 2017
The same Putin-backed hacking group that targeted the Democratic National Committee last year has been targeting French presidential candidate Emmanuel Macron, according to multiple cybersecurity groups.
On Friday, Macron claimed that his campaign had suffered a “massive and coordinated” data theft and smear campaign, some 9 gigabytes of data stolen and published to an anonymous sharing site called Pastebin.
No hard evidence has yet emerged linking the targeting to the doc dump. But over several weeks leading to the attack on Macron’s campaign, several firms in the private security community issued warnings. On April 25, cybersecurity group Trend Micro claimed [6] a group known as APT 28, or Fancy Bear and Pawn Storm, was actively targeting the Macron campaign with bogus emails to convince campaign higher-ups to click on links.
The evidence: On March 15, operators working from IP addresses associated with APT 28 [16] were registering domain names that were related to the Macron campaign, such as onedrive-en-marche.fr. Registering phony email domains would allow the operatives to send emails to targeted campaign workers that appear to be from the campaign. A cybersecurity professional with direct knowledge of the hack told Defense One that the same Putin-backed hacking group that targeted the DNC had also been targeting Macron. But they could not say with certainty that those actors were the same individuals who put the documents on the Pastebin site, (or if the documents on Pastebin were even authentic.)
Of particular interest in the Macron case is a new tactic: rather than luring the victim to a link and then trying to convince them to give up his or her password, APT 28 was targeting the Macron campaign with a lure to fake computer applications that looked like they actually came from Google.This time the victims weren’t prompted to give up their passwords. Instead they could simply authorize a program that looked like it came from a trusted provider to do what that program (looks like) it is supposed to do. The scam is called Open Authentication or an OAuth attack. “The big advantage is that users don’t have to reveal their password to the third party. Instead the third party applications get a token that can be used for authentication,” Trend Micro says in their report.
Greg Martin, CEO of the firm JASK, told Business Insider [17] that this represented a clear escalation of tactics. “It’s a new style of attack … very deadly and unprecedented … It’s the first time we have seen this in the wild.”
Vitali Kremez, director of research at the cybersecurity firm Flashpoint, also offered [18] cautious analysis to the New York Times on Friday. “The key goals and objectives of the campaign appear to be to undermine Macron’s presidential candidacy and cast doubt on the democratic electoral process in general.”
He later told Reuters [19] that APT 28 was indeed behind the attack after determining that APT 28 related entities had “registered decoy internet addresses to mimic the name of En Marche … including onedrive-en-marche.fr and mail-en-marche.fr.”
The event follows months of warnings about Kremlin influence and information operations allegedly targeting the French election for the benefit Marine Le Pen’s National Front Party. On January 8, France’s Minister of Defense Jean-Yves Le Drian told [20] French newspapers that “one cannot be naive,” about the likelihood of Kremlin involvement to aid Le Pen, who has supported [21] a closer relationship with Putin and a weakening of the EU.
Defense One first reported [22] in January that the group sometimes known as Fancy Bear, APT 28, and by other names was actively targeting the French election with the same email tactics that they employed against previous targets, including, most famously the DNC [23].
It’s not the first time Kremlin-backed hackers have targeted France. In April of 2015, the same group, posing as ISIS-linked Islamic extremists and calling itself the Cyber Caliphate [24] also attacked French television station TV5 Monde. The intent of that attack remains unclear.
Authorities and investigators have yet to make public hard forensic evidence linking the group to the hack on Macron’s campaign.
Today, in response to Macron’s claim, Trend Micro offered a clarifying statement. “Trend Micro does not have evidence that this is associated with the group known as Pawn Storm (also APT28 and other names). The techniques used in this case seem to be similar to previous attacks. Without further evidence, it is extremely difficult to attribute this hack to any particular person or group.”
In the meantime, some analysis suggests that portions of the 9 gigabyte document dump, or at least portions of it that are spreading on social media, may be forged [25].
@wikileaks [26] Two documents purporting to show that Macron has offshore accounts were created yesterday, the day of the debate #MacronLeaks [27] pic.twitter.com/cxqZnZmNTh [28]
— Nathan Patin (@NathanPatin) May 6, 2017 [29]The mixing of fake documents with stolen real documents, and then dumping both on the public to achieve a better political or market effect, is something that members of the intelligence community have worried about publicly for years. [30]. Kremlin-backed actors have done it before, but not through Wikileaks. Last August, hackers dumped a series of documents on the sites CyberBerkut and DC Leaks, both of which the intelligence community has linked to Putin’s government. It was an attempt to smear a Putin political opponent by connecting him to George Soros. Problem is, the docs didn’t match [31], suggesting a forgery.
...———-
“No hard evidence has yet emerged linking the targeting to the doc dump. But over several weeks leading to the attack on Macron’s campaign, several firms in the private security community issued warnings. On April 25, cybersecurity group Trend Micro claimed [6] a group known as APT 28, or Fancy Bear and Pawn Storm, was actively targeting the Macron campaign with bogus emails to convince campaign higher-ups to click on links.”
No hard evidence has yet emerged linking the targeting of the Macron camp with the phishing sites to the actual document dump. That was the assessment one day after the big Macron document dump. And that’s not unreasonable since it was just one day. That’s not a lot of time to gather evidence.
And yet the attribution of the phishing sites to ‘Fancy Bear’ is treated like a certainty. And that includes linking to the US government’s Grizzly Steppe report that purportedly ties the registration of the phishing site domain names to APT28/Fancy Bear:
...
The evidence: On March 15, operators working from IP addresses associated with APT 28 [16] were registering domain names that were related to the Macron campaign, such as onedrive-en-marche.fr. Registering phony email domains would allow the operatives to send emails to targeted campaign workers that appear to be from the campaign. A cybersecurity professional with direct knowledge of the hack told Defense One that the same Putin-backed hacking group that targeted the DNC had also been targeting Macron. But they could not say with certainty that those actors were the same individuals who put the documents on the Pastebin site, (or if the documents on Pastebin were even authentic.)
...
Here’s the problem with that Grizzly Steppe report’s attribution. If you look at the Grizzly Steppe report, there is indeed an April 6, 2017 update listed on the home page of that report [16]. It’s one line, “April 6, 2017: Updated AR-17–20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity with Section 508 Remediation.” The problem is that if you look at the AR-17–20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity report [32], there is no actual update with that information. If you search though the document, there no “Section 508”. You won’t even find the words “France”, or “Macron” or “onedrive”. There also isn’t any reference to the April 6, 2017 date. It’s as if the only update was the update on the homepage saying the report was updated.
And that’s not the only example of the assertion that ‘Fancy Bear’ was behind the registration of these Macron-targeted phishing domains. The Trend Micro report on “Pawn Storm” (Fancy Bear/APT28) released on April 25th, 2017, purporting to demonstrate that Fancy Bear was behind the phishing sites [13] contains a single reference to the Macron email hack in the list of domains Trend Micro has attributed to APT28. Go to page 13 of the report and you see the “Emmanuel Macron campaign” listed as the target and “onedrive-en-marche.fr” listed as the phishing domain in a table that lists the domains Trend Micro has concluded was registered by Pawn Storm/Fancy Bear/APT28. That’s it. No description of how that attribution was made. And there is no other reference to France or the Macron campaign or anything else in the document. And that means we have no idea what ‘digital fingerprints’ Trend Micro used to make that attribution. In other words, “Trust Us.”
And note that there’s no explanation for how all the other domain names listed in that table were conclusively attributed to Fancy Bear in the report, so there’s a lot of ambiguity about how Trend Micro arrived at ANY of its conclusions. “Trust Us Bigly.”
Similarly, when you read about how Flashpoint, another cybersecurity firm, also concluded that APT28/Fancy Bear/Pawn Storm was the entity that set up these phishing domains, it refers back to a Reuters report where Flashpoint tells Reuters that APT28 set up those domains. But, again, there’s absolutely no indication of how that attribution was made and no link to a publicly available report:
...
Vitali Kremez, director of research at the cybersecurity firm Flashpoint, also offered [18] cautious analysis to the New York Times on Friday. “The key goals and objectives of the campaign appear to be to undermine Macron’s presidential candidacy and cast doubt on the democratic electoral process in general.”He later told Reuters [19] that APT 28 was indeed behind the attack after determining that APT 28 related entities had “registered decoy internet addresses to mimic the name of En Marche … including onedrive-en-marche.fr and mail-en-marche.fr.”
...
And if you read the Reuters article [19], Flashpoint’s Vitali Kremez simply tells Reuters that, “his review indicated that APT 28, a group tied to the GRU, the Russian military intelligence directorate, was behind the leak.” That’s it. If there’s a public report someone explaining how they arrived at this attribution it’s unclear where to find it.
So we have this odd situation where the US government GRIZZLEY STEPPE report claims to be updated with evidence that the Macron phishing campaign was operated by Fancy Bear but that update doesn’t actually exist in the report. And Trend Micro’s and Flashpoint’s attributions are made without any explanation at all. Perhaps this evidence is publicly available elsewhere from these three sources?
Found Some Evidence! Or, Rather, Found Some ‘Evidence’!
That said, there are some reports that do give at least a bit of the technical evidence Trend Micro used to attribute these phishing domains to Fancy Bear/APT28/Pawn Storm. For example, the following April 24th, 2017, article in the Wall Street Journal about the Trend Micro report contains the following pieces of information: On March 15, someone used the name Johny Pinch and a fake Paris street address to register the name onedrive-en-marche.fr, according to public internet records. On April 12, someone using the same information registered mail-en-marche.fr, the records show. And those addresses were both hosted on IP address blocks previously associated with Pawn Storm, according to Trend Micro. There’s no further explanation, like a listing of those IP addresses or which previous attacks associated with them, and none of this information actually shows up in the report Trend Micro released, but at the time of the report’s release Trend Micro was asserting to journalists that IP address blocks associated with the onedrive-en-marche.fr and mail-en-marche.fr domains were previously attributed to Fancy Bear [33]:
The Wall Street Journal
Macron Campaign Wards Off Hacking Attempts Linked to Russia
Presidential candidate’s campaign suffers multipronged phishing attack beginning in mid-March
By Sam Schechner
April 24, 2017 1:17 p.m. ETPARIS—Hackers matching the profile of a pro-Kremlin group have tried in recent weeks to access campaign email accounts of French presidential candidate Emmanuel Macron, a cybersecurity firm said Monday, raising fears of election interference in the final two weeks of the France’s presidential campaign.
In a report set to be published Tuesday, security-research firm Trend Micro identified a pro-Kremlin hacking group it calls Pawn Storm as the likely source of a multipronged phishing attack that started in mid-March against Mr. Macron’s campaign.
As part of the attack, hackers set up multiple internet addresses that mimicked those of the campaign’s own servers in an attempt to lure Mr. Macron’s staffers into turning over their network passwords, said Feike Hacquebord, a senior threat researcher for Tokyo-based Trend Micro and the author of the report, a copy of which was reviewed by The Wall Street Journal.
...
On March 15, someone used the name Johny Pinch and a fake Paris street address to register the name onedrive-en-marche.fr, according to public internet records. On April 12, someone using the same information registered mail-en-marche.fr, the records show.
Those addresses were both hosted on internet protocol address blocks associated with Pawn Storm, Trend Micro’s Mr. Hacquebord said.
Mr. Hacquebord added that other clues, such as related addresses and the creation of security certificates to make the fake sites look authentic mirror techniques used by the group in several dozen other cases identified in he report, including the hacks of the Christian Democratic Union and the Democratic National Committee.
“I cannot say for sure, but the fingerprints match,” Mr. Hacquebord said.
———-
“I cannot say for sure, but the fingerprints match”
That was the statement from the author of Trend Micro’s report. So what were these ‘fingerprints’? The IP address blocks of the phishing domains onedrive-en-marche.fr and were mail-en-marche.fr were associated with attacks that were previously attributed to Fancy Bear/APT28/Pawn Storm. Also, the use of the technique of creating fake security certificates to make the fake sites look real was something Fancy Bear has done before. That appears to be the technical evidence Trend Micro relied on:
...
On March 15, someone used the name Johny Pinch and a fake Paris street address to register the name onedrive-en-marche.fr, according to public internet records. On April 12, someone using the same information registered mail-en-marche.fr, the records show.Those addresses were both hosted on internet protocol address blocks associated with Pawn Storm, Trend Micro’s Mr. Hacquebord said.
Mr. Hacquebord added that other clues, such as related addresses and the creation of security certificates to make the fake sites look authentic mirror techniques used by the group in several dozen other cases identified in he report, including the hacks of the Christian Democratic Union and the Democratic National Committee.
...
And, as with so much if this, the evidence is actually quite weak. Sharing IP blocks with previous attacks merely suggests the use of the same Internet Service Provider (ISP), since ISPs will get set a block of IP addresses to use. And sharing ISP with previous hackers is fairly weak evidence [34]. Of course hackers are going to gravitate towards hacker friendly ISPs!
But the weakest evidence is pointing towards the use of fake security certificates to make the phishing sites appear to be real so your browser doesn’t pop up with a warning. Because of course you would do that if you set up a fake phishing site. Any hacker would do that if they know how do to it.
Also recall that the Trend Micro report [13] makes absolutely no reference to any of the above ‘evidence’ described by the report’s author. It also doesn’t list the mail-en-marche.fr phishing domain at all. The ONLY reference to the Macron campaign is listing the onedrive-en-marche.fr domain in a table of domains Trend Micro has associated with Pawn Storm on page 13. That’s it.
So we have reports on April 24th, 2017, with interview of the Trend Micro report’s author about the evidence they’ve found that Fancy Bear is behind these new phishing domains targeting Macron’s campaign. The evidence laid out in the article is both inherently vague and weak. And then the actual report issued the next day doesn’t even contain any of that evidence. So very, very odd.
How Certain Was Trend Micro Based on This Weak Evidence? 99 percent
And, surprise!, it gets odder. Or perhaps sadder. Because if you look at the various reports from Trend Micro back in April-May of 2017 about the Macron hacks, Trend Micro’s own representative, Loïc Guézo, starts off being 99 percent certain that Fancy Bear was behind the phishing domains when Trend Micro first issued its April 25, 2017 report. But after the reports about how US ‘Alt-Right’ neo-Nazis appeared to be behind the leaked documents, Guézo suddenly makes it very clear that the dump of stolen emails was very amateurish and it’s very ambiguous as to who was behind the hack and it could have been US neo-Nazis behind it. So Trend Micro went from 99 percent certain Fancy Bear was behind the phishing domains targeting the Macron hacking campaign (without providing any actual evidence) to being very open about the possibility that it was a bunch of neo-Nazis who actually carried out the hack. And yet this sudden change in certainty seems to have completely fallen down the memory hole now that the US Senate phishing domains have emerged.
And now, in January of 2018, we have Trend Micro making a 100 percent conclusion that the US Senate phishing domains were ‘Fancy Bear’ and this 100 percent attribution is based on shared ‘digital fingerprints’ that uniquely tie back to two two prior hacking campaigns that Trend Micro had previously attributed to Pawn Storm/Fancy Bear/APT28, one in 2017 and one in 2016. So, unless that 2017 hacking incident with shared ‘digital fingerprints’ that Trend Micro is referring to wasn’t the Macron campaign hack, we have to reconcile how on Earth Trend Micro is concluding with 100 percent certainty that these US Senate phishing sites were actually set up by Fancy Bear/APT28/Pawn Storm. It’s all really, really odd.
So let’s flesh out this oddness. First, here’s a look at an April 26 article where Trend Micro’s Loïc Guézo claiming 99 percent certainty that the phishing domains targeting the Macron campaign was the work of Fancy Bear/APT28/Pawn Storm. And note how the cybersecurity expert hired by the Macron campaign, Mounir Mahjoubi, was far less sure about this attribution [35]:
France24
Cyber experts ’99% sure’ Russian hackers are targeting Macron
Text by Sébastian SEIBT
Date created : 2017-04-26
Latest update : 2017-04-27The Russian cyber-spying group Pawn Storm (also known as Fancy Bear) has targeted French presidential front-runner Emmanuel Macron, according to Japanese cyber-security experts. Macron campaign officials, however, say the group has so far failed.
Barely two weeks before the critical second round of the French presidential election, fears of Russian meddling in the 2017 campaign mounted with the publication of a report accusing Pawn Storm of targeting Macron’s En Marche! (Forward!) movement, employing identical tactics used to attack the Hillary Clinton campaign during the US presidential race.
A 41-page report, “Two Years of Pawn Storm [6],” by the Japanese cyber-security firm Trend Micro detailed a long list of the group’s targets, including German Chancellor Angela Merkel’s Christian Democratic Union party ahead of the September German general elections.
Reports of Russian cyber attackers targeting Macron’s campaign have been circulating for months, but the publication of the Trend Micro report provided details of the dates and domains targeted. They included a March 15 attempt to acquire sensitive information and passwords, a process known as “phishing” among cyber-security experts.
...
Campaign meets cyber-security officials
In January, a team of digital security officials from the Macron campaign visited the French cyber counter-espionage agency, ANSSI [36], to express concerns that their candidate was the “No. 1” target for fake news sites and cyber attacks, according to French media reports [37].
ANSSI is a government agency under the French defence ministry that advises public and private sector organisations about cyber-security measures.
The meeting between En Marche! and ANSSI officials followed a spate of rumours published on fake news sites as well as slanted coverage of Macron on Russian state media such as RT (formerly Russia Today) and the Sputnik news agency.
The concerns within the Macron camp led to the hiring of Mounir Mahjoubi, the former head of the French National Digital Council (CNNum), a council that advises on digital technologies.
In an interview with French weekly Journal du Dimanche [37] in February, Mahjoubi was more cautious than his Macron campaign colleagues about cyber attacks emanating from Russian-linked groups. “There is no doubt about the frontal attacks of Sputnik and Russia Today, two Russia-funded media outlets. But for the rest, we do not know where they come from,” he said.
Russia has consistently denied reports of interfering in the election campaigns of other countries.
“What [hacking] groups? From where? Why Russia? This slightly reminds me of accusations from Washington, which have been left hanging in mid-air until now and do not do their authors any credit,” Kremlin spokesman Dmitry Peskov told reporters on Monday.
‘99 percent sure’ attacks are from Russia
But the authors of the latest Trend Micro report have no doubt about the origins of the phishing campaigns targeting Macron. “We are 99 percent sure that it is attacks from Russia,” Loïc Guézo, Trend Micro’s strategy director for southern Europe, told FRANCE 24.
Pawn Storm – an aggressive cyber-espionage group also known as Fancy Bear, Sednit, APT28, Sofacy or Strontium – is engaged in much more than “just espionage activities”, the report notes. Over the past year, “the group attempted to influence public opinion, to influence elections, and sought contact with mainstream media with some success”.
When it came to targeting the Macron campaign, Pawn Storm’s goal appeared to be to get into the email accounts of senior campaign officials to retrieve information about the candidate – a modus operandi familiar to members of the Clinton campaign.
Stealing passwords
Cyber-security specialists at Trend Micro found four phishing domains created to try to extract information. The domain names feature plausible versions of Macron’s political movement, designed to catch campaign officials off guard. They include onedrive-en-marche.fr, portal-office.fr, mail-en-marche.fr and accounts-office.fr.
“This group set up a specific infrastructure to target Emmanuel Macron’s movement in March and April 2017,” Guézo explained.
...
A cyber Cold War
In a December 2016 report, the US Department of Homeland Security’s cyber-security unit accused Pawn Storm – under the alternate name APT 28 – of acting on the Kremlin’s orders.
The APT 28 footprint has been on so many major cyber attacks in recent years – including an April 2015 shutdown of French media giant TV5 Monde – that experts view the group as a symbol of a cyber Cold War, combining computer piracy and online propaganda. A Financial Times [38] report noted that US, UK, Israeli and German officials have all said they believe APT 28 is run by Russia’s sprawling military intelligence arm, the GRU.
Officials at Trend Micro, however, refuse to implicate the Kremlin directly: “All we can say is that the activities of this group are systematically aligned with the interests of the Russian authorities,” said Guézo.
...
Mahjoubi has reiterated that the attempts to target the Macron campaign so far have not succeeded. In his interviews with French media, Mahjoubi has admitted that traces to attack attempts have been found but that “none of the mailboxes have been hacked”.
En Marche! officials do not use email to share confidential information, according to the statement released Wednesday.
Mahjoubi has also refused to accuse a particular group for the attack attempts. “The procedure is very similar to [Pawn Storm], but you cannot rule out a very competent group trying to imitate them,” he warned.
But this hedging has not shaken Guézo’s conviction. The Macron campaign, he believes, is not willing to take the gloves off over this issue to avoid ruffling the Kremlin’s feathers if Macron is elected president next month.
———-
“Mahjoubi has also refused to accuse a particular group for the attack attempts. “The procedure is very similar to [Pawn Storm], but you cannot rule out a very competent group trying to imitate them,” he warned.”
That was the word of caution from Mounir Mahjoubi, the the former head of the French National Digital Council (CNNum) hired by the Macron campaign: “The procedure is very similar to [Pawn Storm], but you cannot rule out a very competent group trying to imitate them”. And it was a word of caution he issued not just to this Trend Micro report attributing the phishing domains to Fancy Bear. He had those same words of caution about the entire hacking campaign the Macron team had been experiencing throughout early 2017:
...
The concerns within the Macron camp led to the hiring of Mounir Mahjoubi, the former head of the French National Digital Council (CNNum), a council that advises on digital technologies.In an interview with French weekly Journal du Dimanche [37] in February, Mahjoubi was more cautious than his Macron campaign colleagues about cyber attacks emanating from Russian-linked groups. “There is no doubt about the frontal attacks of Sputnik and Russia Today, two Russia-funded media outlets. But for the rest, we do not know where they come from,” he said.
...
Mahjoubi has also refused to accuse a particular group for the attack attempts. “The procedure is very similar to [Pawn Storm], but you cannot rule out a very competent group trying to imitate them,” he warned.
But this hedging has not shaken Guézo’s conviction. The Macron campaign, he believes, is not willing to take the gloves off over this issue to avoid ruffling the Kremlin’s feathers if Macron is elected president next month.
...
“But this hedging has not shaken Guézo’s conviction. The Macron campaign, he believes, is not willing to take the gloves off over this issue to avoid ruffling the Kremlin’s feathers if Macron is elected president next month.”
And as we can see, Mahjoubi was issuing words of cyber attribution caution back in February 2017 when the Macron campaign was already talking about getting attacked by Russian hackers. And Trend Micro’s analyst commenting on their report, Loïc Guézo, viewed those words of caution as politically motivated ‘hedging’, as opposed to simply acknowledging the inherent ambiguities associated with digital forensic attribution. Guézo, instead, was “99 percent sure that it is attacks from Russia” and that certainty was based on the attribution of who set up those phishing domains:
...
‘99 percent sure’ attacks are from RussiaBut the authors of the latest Trend Micro report have no doubt about the origins of the phishing campaigns targeting Macron. “We are 99 percent sure that it is attacks from Russia,” Loïc Guézo, Trend Micro’s strategy director for southern Europe, told FRANCE 24.
...
Stealing passwords
Cyber-security specialists at Trend Micro found four phishing domains created to try to extract information. The domain names feature plausible versions of Macron’s political movement, designed to catch campaign officials off guard. They include onedrive-en-marche.fr, portal-office.fr, mail-en-marche.fr and accounts-office.fr.
“This group set up a specific infrastructure to target Emmanuel Macron’s movement in March and April 2017,” Guézo explained.
...
And again, note how it’s implied that the evidence of this attribution is laid out in Trend Micro’s 41 page report [13]:
...
A 41-page report, “Two Years of Pawn Storm [6],” by the Japanese cyber-security firm Trend Micro detailed a long list of the group’s targets, including German Chancellor Angela Merkel’s Christian Democratic Union party ahead of the September German general elections.
...
Yes, this report does in “detail a long list of the group’s targets.” It just doesn’t give any details on how these attributions were made. And while we saw in the above Wall Street Journal article that the attribution was based on shared IP blocks between two of the phishing domains and previous IP addresses attributed to Fancy Bear, that’s also really weak evidence and the report doesn’t list anything more.
And while it’s not outlandish that some elements of the analysis of these hacking campaigns won’t be publicly shared, there is basically no indication at all in that report of how any of the long list of phishing domains was attributed to Fancy Bear/Pawn Storm. It’s like a black box of analysis.
And it’s not like cybersecurity companies don’t ever issue reports detailing their attribution evidence. For instance, when you look at the report issued by the cybersecurity researchers linking the hacked documents back to Andrew Auernheimer and US neo-Nazis, they give all sorts of very specific technical evidence of how they arrived at their conclusion [2]. And that evidence is pretty damn convincing. So convincing that Loïc Guézo of Trend Micro admitted that the attribution for the hacking (as opposed to setting up the phishing sites) is a very open question after seeing that evidence [39]:
EUObserver
US neo-Nazis linked to Macron hack
By Andrew Rettman
BRUSSELS, 12. May 2017, 09:23The spread of stolen emails designed to harm Emmanuel Macron was linked to US-based neo-Nazis, according to a French investigation.
France’s Le Monde newspaper reported [40] on Thursday (11 May) that a website called nouveaumartel.com, which was named as a go-to place for the purloined emails, shared the same digital infrastructure as dailystormer.com, a website created by the US neo-Nazi activist Andrew Auernheimer.
The emails were dumped online on 5 May, shortly before Macron won the French presidential election by a landslide.
The dump came two days after an anonymous user of an online message board called 4chan.org published fake documents purporting to show that Macron had an offshore fund.
“The French scene will be at nouveaumartel.com later”, the anonymous 4chan.org user said.
The dailystormer.com’s Auernheimer is a white supremacist convicted of cyber crimes in the US.
His website often popularises the work of Nathan Damigo, another US far-right activist who gained notoriety after physically assaulting an anti-fascist protester.
Auernheimer, in a posting on his site on 4 May, suggested that Damigo was about to publish anti-Macron material.
“The prophet of the white sharia Nathan Damigo is about to release the frogs from pederasty”, he wrote.
Frogs could be a derogatory reference to French people or to a cartoon frog, Pepe, adopted as a symbol by US neo-Nazis.
Pederasty could be a homophobic allusion to unsubstantiated claims, first spread by Russian media, that Macron was gay, or to the fact that he fell in love with an older woman in his adolescence.
The stolen Macron emails were eventually dumped on the website Pastebin and were popularised online by other US-based far-right conspiracy theorists such as William Craddick and Jack Posobiec.
The National Security Agency in the US said earlier this week that the Russian regime stole the Macron emails.
Trend Micro, a Japanese-based cyber security firm, said in April that the Russian regime had previously tried to hack Macron’s team.
But one of the firm’s experts, Loic Guezo, told EUobserver this week that the 5‑May dump of stolen Macron emails was more amateurish than the Russian state’s modus operandi.
“It could even have been some alt-right activist in the US hacking Macron’s team. It’s fully open”, he said.
The links between US far-right activists, the Russian state, and the campaign team of US president Donald Trump are the subject of an FBI investigation in the US.
...
Meanwhile, Jack Posobiec, who has previously said that Macron is controlled by telepathy and by drugs, has obtained a White House press badge.
He attended a press briefing on 11 May on the FBI affair and later broadcast a video from the White House grounds praising the FBI chief’s sacking.
———-
“US neo-Nazis linked to Macron hack” by Andrew Rettman; EUObserver; 05/12/2017 [39]
“France’s Le Monde newspaper reported [40] on Thursday (11 May) that a website called nouveaumartel.com, which was named as a go-to place for the purloined emails, shared the same digital infrastructure as dailystormer.com, a website created by the US neo-Nazi activist Andrew Auernheimer.”
Ok, let’s break this down, because it’s somewhat confusing:
1. So on May 3rd, 2017, hacked Macron documents that appear to have been tampered with show up on 4chan.org, an ‘Alt-Right’ stomping ground. The user posting these documents then tells everyone that there’s going to be a bunch more documents showing up on nouveaumartel.com.
2. Cybersecurity researchers discover that the digital infrastructure behind nouveaumartel.com shares a heavy overlap with the Daily Stormer [2], a site managed by neo-Nazi hacker extraordinaire Andrew Auernheimer.
3. On May 4th, Andrew Auernheimer posts on his site that Nathan Damigo, another US far-right activist, is about to dump a whole bunch of Macron files.
4. On May 5th, the big document dump happens. Although it doesn’t show up on nouveaumartel.com. Instead, it shows up on Pastebin, a neutral site where people can just people documents and text.
5. After the second, much larger document dump on Pastebin, the documents quickly get spread around by Alt-Right figures.
That’s the summary of what happend:
...
The emails were dumped online on 5 May, shortly before Macron won the French presidential election by a landslide.The dump came two days after an anonymous user of an online message board called 4chan.org published fake documents purporting to show that Macron had an offshore fund.
“The French scene will be at nouveaumartel.com later”, the anonymous 4chan.org user said.
The dailystormer.com’s Auernheimer is a white supremacist convicted of cyber crimes in the US.
His website often popularises the work of Nathan Damigo, another US far-right activist who gained notoriety after physically assaulting an anti-fascist protester.
Auernheimer, in a posting on his site on 4 May, suggested that Damigo was about to publish anti-Macron material.
“The prophet of the white sharia Nathan Damigo is about to release the frogs from pederasty”, he wrote.
Frogs could be a derogatory reference to French people or to a cartoon frog, Pepe, adopted as a symbol by US neo-Nazis.
Pederasty could be a homophobic allusion to unsubstantiated claims, first spread by Russian media, that Macron was gay, or to the fact that he fell in love with an older woman in his adolescence.
The stolen Macron emails were eventually dumped on the website Pastebin and were popularised online by other US-based far-right conspiracy theorists such as William Craddick and Jack Posobiec.
...
It’s obviously some pretty compelling evidence that, at a minimum, a bunch of ‘Alt-Right’ neo-Nazis played some sort of role in this hack. And, sure enough, Trend Micro’s Loïc Guézo, who was 99 percent sure the phishing domains were set up by Fancy Bear, was suddenly very open to the possibility that the ‘Alt-Right’ could have been behind the hack:
...
Trend Micro, a Japanese-based cyber security firm, said in April that the Russian regime had previously tried to hack Macron’s team.But one of the firm’s experts, Loic Guezo, told EUobserver this week that the 5‑May dump of stolen Macron emails was more amateurish than the Russian state’s modus operandi.
“It could even have been some alt-right activist in the US hacking Macron’s team. It’s fully open”, he said.
...
“It could even have been some alt-right activist in the US hacking Macron’s team. It’s fully open”
It’s fully open. That was Loïc Guézo’s take on the situation after this revelation about the apparent ‘Alt-Right’ foreknowledge of these hacks. And yet here we are, almost a year later, and the Macron hack is being treated as if it’s an open-and-shut case that ‘the Russians did it’ and there is no mention at all of the role of Auernheimer and the ‘Alt-Right’.
Self-implicating “I’m a Russian Hacker!” Meta-Data Strikes Again
Now, it’s important to note that it’s entirely possible that you could have a situation where Fancy Bear (or another group trying to mimic Fancy Bear) did indeed set up a bunch of phishing sites while a bunch of neo-Nazis conduct a completely separate hacking operation. It’s also possible that Fancy Bear (or a third party pretending to be them) could have successfully pulled off a hack using their phishing domains and then handed the documents to Auernheimer or his associates. And yet these possibilities are never even mentioned. It’s as if any story that raises the mere possibility that some of these hacks are being done non-Russian hackers or might involve the cooperation of non-Russian hackers is completely ignored by almost everyone. What’s the explanation for this?
Well, part of the explanation probably has to do with the fact that metadata found in the dumped Macron documents just happened to contain identifying information of a Russian security contractor at a company that does work for the FSB. It was reminiscent of the “I’m a Russian hacker” metadata discovered literally one day after Guccifer 2.0 initially released some hacked DNC documents in June of 2015 [41]. Except even more self-implicating because the meta-data contained an actual name of an actual employee.
Another bit of metadata used to attribute the hacked Macron documents to Fancy Bear was the metadata of who uploaded the hacked documents, which led to an email address on a German free webmail provider. And this was declared to be further proof that this was the work of Fancy Bear because that same free webmail provider was used in some earlier attacks attributed to Fancy Bear. Which is horribly weak evidence. Of course hackers are going to a free German webmail provider. Germany has branded itself as a data privacy haven. All sort of hackers probably using free German webmail providers. It’s just silly to use that as evidence for attribution. And yet it happened.
So after this metadata hysteria was used to ‘conclusively’ prove that Russia really was behind the hack, the question of what role Andrew Auernheimer and the ‘Alt Right’ neo-Nazis played in the hack stopped getting asked. The desired ‘answer’ was achieved [1]:
Ars Technica
Evidence suggests Russia behind hack of French president-elect
Russian security firms’ metadata found in files, according to WikiLeaks and others.
Sean Gallagher — 5/8/2017, 1:18 PM
Late on May 5 as the two final candidates for the French presidency were about to enter a press blackout in advance of the May 7 election, nine gigabytes of data allegedly from the campaign of Emmanuel Macron were posted on the Internet in torrents and archives. The files, which were initially distributed via links posted on 4Chan and then by WikiLeaks, had forensic metadata suggesting that Russians were behind the breach—and that a Russian government contract employee may have falsified some of the dumped documents.
Even WikiLeaks, which initially publicized the breach and defended its integrity on the organization’s Twitter account, has since acknowledged that some of the metadata pointed directly to a Russian company with ties to the government:
#MacronLeaks [42]: name of employee for Russian govt security contractor Evrika appears 9 times in metadata for “xls_cendric.rar” leak archive pic.twitter.com/jyhlmldlbL [43]
— WikiLeaks (@wikileaks) May 6, 2017 [44]
Evrika (“Eureka”) ZAO [45] is a large information technology company in St. Petersburg that does some work for the Russian government, and the group includes the Federal Security Service of the Russian Federation (FSB) among its acknowledged customers (as noted in this job listing [46]). The company is a systems integrator, and it builds its own computer equipment and provides “integrated information security systems.” The metadata in some Microsoft Office files shows the last person to have edited the files to be “Roshka Georgiy Petrovich,” a current or former Evrika ZAO employee.
...
The metadata attached to the upload of the Macron files also includes some identifying data with an e‑mail address for the person uploading the content to archive.org:
Well this is fun pic.twitter.com/oXsH83snCS [48]
— Pwn ¦¦ ¦¦ ¦¦¦ (@pwnallthethings) May 6, 2017 [49]
The e‑mail address of the uploader, frankmacher1@gmx.de [50], is registered with a German free webmail provider used previously in 2016 Pawn Storm / APT28 phishing attacks against the Christian Democratic Union [51], German Chancellor Angela Merkel’s political party.
The involvement of APT28, the editing of some documents leaked by someone using a Russian version of Microsoft Office, and the attempt to spread the data through amplification in social media channels such as 4Chan, Twitter, and Facebook—where a number of new accounts posted links to the data—are all characteristics of the information operations seen during the 2016 US presidential campaign.
...
———-
“Evrika (“Eureka”) ZAO [45] is a large information technology company in St. Petersburg that does some work for the Russian government, and the group includes the Federal Security Service of the Russian Federation (FSB) among its acknowledged customers (as noted in this job listing [46]). The company is a systems integrator, and it builds its own computer equipment and provides “integrated information security systems.” The metadata in some Microsoft Office files shows the last person to have edited the files to be “Roshka Georgiy Petrovich,” a current or former Evrika ZAO employee”
Yep, a Russian contractor apparently screwed up big time and left modified a hacked Word Document on a version of Word registered to his personal name. That’s what we’re expected to believe. And while it’s certainly possible a mistake of that nature happened, when you factor this into the larger context of ‘Alt-Right’ fingerprints all over the actual distribution of the documents and the fact that metadata was used to attribute the DNC hacks to Russian hackers, it seems like an outrageous conclusion to assume with certainty that this metadata was indeed strong evidence of Russian hackers at work.
Similarly, the fact that the uploader’s email address used the same free German web mail service that previous attacks attributed to Fancy Bear is basically no evidence at all. And yet it’s treated as such:
...
The metadata attached to the upload of the Macron files also includes some identifying data with an e‑mail address for the person uploading the content to archive.org:Well this is fun pic.twitter.com/oXsH83snCS [48]
— Pwn ¦¦ ¦¦ ¦¦¦ (@pwnallthethings) May 6, 2017 [49]
The e‑mail address of the uploader, frankmacher1@gmx.de [50], is registered with a German free webmail provider used previously in 2016 Pawn Storm / APT28 phishing attacks against the Christian Democratic Union [51], German Chancellor Angela Merkel’s political party.
...
And that metadata appears to be the ‘evidence’ that more or less put to rest any questions about who actually hacked those documents. It was Fancy Bear.
Seriously, once this metadata was discovered, the news reports treated it as case closed. For instance, check out this New York Times article from May 9th, 2017, where the attribution is almost entirely based on the metadata and other ‘digital fingerprints’ in the documents suggesting that the documents were modified on Russian language computers using Russian version of software like Microsoft Word.
And there’s one particularly revealing comment from John Hultquist, the director of cyberespionage from FireEye, another US cybersecurity company: “There was a time when Russian hackers were characterized by their lack of sloppiness,” Mr. Hultquist said. “When they made mistakes, they burned their entire operation and started anew. But since the invasion of Ukraine and Crimea we’ve seen them carry out brazen, large scale attacks, [perhaps because] there have been few consequences for their actions.”
There was a time when Russian hackers were “burn down their entire operation and start anew” if they were caught. But now? It’s sloppiness and mistakes and reuse of the same digital infrastructure with almost every hack. Apparently [52]:
The New York Times
Hackers Came, but the French Were Prepared
By ADAM NOSSITER, DAVID E. SANGER and NICOLE PERLROTH
MAY 9, 2017PARIS — Everyone saw the hackers coming.
The National Security Agency in Washington picked up the signs. So did Emmanuel Macron’s bare-bones technology team. And mindful of what happened in the American presidential campaign, the team created dozens of false email accounts, complete with phony documents, to confuse the attackers.
The Russians, for their part, were rushed and a bit sloppy, leaving a trail of evidence that was not enough to prove for certain they were working for the government of President Vladimir V. Putin but which strongly suggested they were part of his broader “information warfare” campaign.
...
Testifying in front of the Senate Armed Services Committee in Washington on Tuesday, Adm. Michael S. Rogers, the director of the National Security Agency, said American intelligence agencies had seen the attack unfolding, telling their French counterparts, “Look, we’re watching the Russians. We’re seeing them penetrate some of your infrastructure. Here’s what we’ve seen. What can we do to try to assist?”
But the staff at Mr. Macron’s makeshift headquarters in the 15th Arrondissement at the edge of Paris didn’t need the N.S.A. to tell them they were being targeted: In December, after the former investment banker and finance minister had emerged as easily the most anti-Russian, pro-NATO and pro-European Union candidate in the presidential race, they began receiving phishing emails.
...
Oddly, the Russians did a poor job of covering their tracks. That made it easier for private security firms, on alert after the efforts to manipulate the American election, to search for evidence.
In mid-March, researchers with Trend Micro, the cybersecurity giant based in Tokyo, watched the same Russian intelligence unit behind some of the Democratic National Committee hacks start building the tools to hack Mr. Macron’s campaign. They set up web domains mimicking those of Mr. Macron’s En Marche! Party, and began dispatching emails with malicious links and fake login pages designed to bait campaign staffers into divulging their usernames and passwords, or to click on a link that would give the Russians a toehold onto the campaign’s network.
It was the classic Russian playbook, security researchers say, but this time the world was prepared. “The only good news is that this activity is now commonplace, and the general population is so used to the idea of a Russian hand behind this, that it backfired on them,” said John Hultquist, the director of cyberespionage analysis at FireEye, the Silicon Valley security firm.
Mr. Hultquist noted that the attack was characterized by haste, and a trail of digital mistakes. “There was a time when Russian hackers were characterized by their lack of sloppiness,” Mr. Hultquist said. “When they made mistakes, they burned their entire operation and started anew. But since the invasion of Ukraine and Crimea,” he said, “we’ve seen them carry out brazen, large scale attacks,” perhaps because “there have been few consequences for their actions.”
The hackers also made the mistake of releasing information that was, by any campaign standard, pretty boring. The nine gigabytes worth of purportedly stolen emails and files from the Macron campaign was spun as scandalous material, but turned out to be almost entirely the humdrum of campaign workers trying to conduct ordinary life in the midst of the election maelstrom.
One of the leaked emails details a campaign staffer’s struggle with a broken down car. Another documents how a campaign worker was reprimanded for failure to invoice a cup of coffee.
That is when the hackers got sloppy. The metadata tied to a handful of documents — code that shows the origins of a document — show some passed through Russian computers and were edited by Russian users. Some Excel documents were modified using software unique to Russian versions of Microsoft Windows.
Other documents had last been modified by Russian usernames, including one person that researchers identified as a 32-year-old employee of Eureka CJSC, based in Moscow, a Russian technology company that works closely with the Russian Ministry of Defense and intelligence agencies. The company has received licenses from Russia’s Federal Security Service, or FSB [53], to help protect state secrets. The company did not return emails requesting comment.
Other leaked documents appear to have been forged, or faked. One purported to detail the purchase of the stimulant mephedrone, sometimes sold as “bath salts,” by a Macron campaign staffer who allegedly had the drugs shipped to the address of France’s National Assembly. But Henk Van Ess, a member of the investigations team at Bellingcat, a British investigations organization, and others discovered that the transaction numbers in the receipt were not in the public ledger of all Bitcoin transactions.
“It’s clear they were rushed,” Mr. Hultquist said. “If this was APT28,” he said, using the name for a Russian group believed to be linked to the GRU, a military intelligence agency, “they have been caught in the act, and it has backfired for them.”
Now, he said, the failure of the Macron hacks could just push Russian hackers to improve their methods.
“They may have to change their playbook entirely,” Mr. Hultquist said.
———-
“Oddly, the Russians did a poor job of covering their tracks. That made it easier for private security firms, on alert after the efforts to manipulate the American election, to search for evidence.”
Yes, it is quite odd how poorly the Russians did of covering their tracks, if indeed this was a Russian government operation. Ahistorically odd:
...
It was the classic Russian playbook, security researchers say, but this time the world was prepared. “The only good news is that this activity is now commonplace, and the general population is so used to the idea of a Russian hand behind this, that it backfired on them,” said John Hultquist, the director of cyberespionage analysis at FireEye, the Silicon Valley security firm.Mr. Hultquist noted that the attack was characterized by haste, and a trail of digital mistakes. “There was a time when Russian hackers were characterized by their lack of sloppiness,” Mr. Hultquist said. “When they made mistakes, they burned their entire operation and started anew. But since the invasion of Ukraine and Crimea,” he said, “we’ve seen them carry out brazen, large scale attacks,” perhaps because “there have been few consequences for their actions.”
...
“When they made mistakes, they burned their entire operation and started anew.”
So until the conflict broke out in Ukraine, Russian hackers were intelligent enough to ‘burn their entire operation’ and switch up their methodology after gettin caught. But ever since the conflict with Ukraine, Russian hackers have suddenly decided to keep leaving the same ‘digital fingerprints’ over and over despite ‘getting caught’. And they’ve started leaving self-implicating metadata. It’s all quite odd.
And notice how the narrative of that article made no distinction between the phishing sites that Trend Micro and others attributed to Fancy Bear and the actual hacking and distribution of the documents that appeared to come from US ‘Alt-Right’ neo-Nazis. Recall how even Trend Micro’s analysts considered the case of who did the actual hacking as a ‘very open’ question one day after the hacks. But then this “I’m a Russian hacker!” metadata is discovered and the ‘Alt-Right’ neo-Nazi angle of entire affair is suddenly forgotten. of the In fact, if you read the full article, there was no mention of the ‘Alt-Right’ neo-Nazis at all. It was like it never happened.
Everyone Says it Was Fancy Bear. Except the French Cybersecurity Agency
So pretty much everyone in the cybersecurity arena has concluded that this hack was indeed done by Fancy Bear, right? Well, not quite. There are plenty of cybersecurity professionsals who have been critical of the contemporary cyber attribution standards. And as the following article from June of 2017, about a month after the actual hack, makes clear, there was one very notable dissenter from Dmitri Alpovertich’s attribution standards: The head of the French cybersecurity agency, Guillaume Poupard, viewed the hack as so unsophisticated that a lone individual could have pulled it off.
And Poupard had another critical warning: false flag cyberattacks designed to pit one nation against another could be used to create “international chaos” [54]:
EU Observer
Macron Leaks could be ‘isolated individual’, France says
By Andrew Rettman
BRUSSELS, 2. Jun 2017, 09:20France has found no evidence that Russia was behind Macron Leaks, but Russian leader Vladimir Putin has warned that “patriotic” hackers could strike the German election.
Guillaume Poupard, the head of the French cyber security agency, Anssi, told the AP news agency on Thursday (1 June) that the Macron hack resembled the actions of “an isolated individual”.
“The attack was so generic and simple that it could have been practically anyone”, he said. “It really could be anyone. It could even be an isolated individual”.
The Macron Leaks saw a hacker steal and publish [55] internal emails from the campaign of Emmanuel Macron 48 hours before the French vote last month, which Macron went on to win.
Some security experts blamed it on a hacker group called APT28, which is said by the US to be a front for Russian intelligence.
But Poupard said on Thursday: “To say Macron Leaks was APT28, I’m absolutely incapable today of doing that … I have absolutely no element to say whether it’s true or false”..
Macron’s campaign was also targeted by hackers earlier in March in a more sophisticated attack blamed on APT28.
...
‘Patriotic’ threat
US and German intelligence chiefs have been more bold in their accusations.
Hans-Georg Maassen, the director of Germany’s BfV intelligence service, said in May that Kremlin-linked hackers had stolen information on German MPs in the run-up to the German election in September.
“We recognise this as a campaign being directed from Russia”, he said.
But Russia has denied the allegations.
Its president, Vladimir Putin, told media in Moscow on Thursday: “We do not engage in this activity at the government level and are not going to engage in it”.
He warned at the same time that independent hackers might target the German or other EU elections for “patriotic” reasons if they felt leaders were “speaking ill of Russia”.
“Hackers are free people like artists. If artists get up in the morning feeling good, all they do all day is paint”, Putin said.
“The same goes for hackers. They got up today and read that something is going on internationally. If they are feeling patriotic they will start contributing, as they believe, to the justified fight against those speaking ill of Russia”.
With Macron having won despite the leaks, Putin said: “I am deeply convinced that no hackers can have a real impact on an election campaign in another country”.
Macron, at a meeting with Putin in Paris on Monday, said Russian state media [56] tried to influence the vote with fake news, but Putin said on Thursday: “Nothing, no information can be imprinted in voters’ minds, in the minds of a nation, and influence the final outcome and the final result”.
False flags
Poupard and Putin said false flag attacks were easier in cyberspace than in real life.
Poupard said France had in the past been hacked by groups “attributed to China … I don’t know if it was the state, criminals”. But he added that: “What I’m certain of is that among these attacks, some strangely resembled Chinese attacks but in fact didn’t come from China”.
Putin said: “I can image a scenario when somebody develops a chain of attacks in a manner that would show Russia as the source of these attacks. Modern technology allows that. It’s very easy”.
Poupard said if states wrongly accused each other of cyber strikes it could lead to “international chaos”.
“We’ll get what we all fear, which is to say a sort of permanent conflict where everyone is attacking everyone else”, he said.
The “nightmare scenario” would be “a sort of permanent war, between states and other organisations, which can be criminal and terrorist organisations, where everyone will attack each other, without really knowing who did what”, he said.
———-
“The attack was so generic and simple that it could have been practically anyone...It really could be anyone. It could even be an isolated individual”.
That was what Guillaume Poupard, the head of the French cyber security agency, Anssi, told the AP news. The attack was so generic and simple that it could have been done by an isolated individual. It’s a big reminder of why similarities in methodology between attacks is a bad idea for so many of the hacking campaigns we’re seeing: you don’t need a super sophisticated hacking campaign when all you’re doing is spear-phishing. Sure, you need to seet up convincing fake login websites or convincing emails that trick at least one person into downloading malware, but that’s the kind of thing a skilled isolated individual can do:
...
Some security experts blamed it on a hacker group called APT28, which is said by the US to be a front for Russian intelligence.But Poupard said on Thursday: “To say Macron Leaks was APT28, I’m absolutely incapable today of doing that … I have absolutely no element to say whether it’s true or false”..
...
“To say Macron Leaks was APT28, I’m absolutely incapable today of doing that … I have absolutely no element to say whether it’s true or false”
That seems like a pretty important point to publicly make in this kind of situation. After all, if major high-profile hack are taking place — hacks that appear to coming from nation states due to all the sloppy clues being left — and those hacks could indeed be carried out by individuals who would like to sow international choas, it seems like the public should know this. And yet the head of French cybersecurity is largely only cybersecurity public official in making this point, which is dangerously odd:
...
Poupard said France had in the past been hacked by groups “attributed to China … I don’t know if it was the state, criminals”. But he added that: “What I’m certain of is that among these attacks, some strangely resembled Chinese attacks but in fact didn’t come from China”....
Poupard said if states wrongly accused each other of cyber strikes it could lead to “international chaos”.
“We’ll get what we all fear, which is to say a sort of permanent conflict where everyone is attacking everyone else”, he said.
The “nightmare scenario” would be “a sort of permanent war, between states and other organisations, which can be criminal and terrorist organisations, where everyone will attack each other, without really knowing who did what”, he said.
...
“The “nightmare scenario” would be p, he said.”
Yeah, “a sort of permanent war, between states and other organisations, which can be criminal and terrorist organisations, where everyone will attack each other, without really knowing who did what” that sounds like quite a nightmare scenario.
But it’s a scenario that the US and German intelligence chiefs clearly do not fear. At least not when it comes to contemporary wave of hacks Russia:
...
US and German intelligence chiefs have been more bold in their accusations.Hans-Georg Maassen, the director of Germany’s BfV intelligence service, said in May that Kremlin-linked hackers had stolen information on German MPs in the run-up to the German election in September.
“We recognise this as a campaign being directed from Russia”, he said.
...
Alarmingly, Vladimir Putin also had a take on the situation that, if anything, made a bad situation much worse. First, he warned that the hacking attacks might in fact be ‘patriotic’ independent Russian hackers were might wake up in the morning feeling patrioci and “start contributing, as they believe, to the justified fight against those speaking ill of Russia.”:
...
Its president, Vladimir Putin, told media in Moscow on Thursday: “We do not engage in this activity at the government level and are not going to engage in it”.He warned at the same time that independent hackers might target the German or other EU elections for “patriotic” reasons if they felt leaders were “speaking ill of Russia”.
“Hackers are free people like artists. If artists get up in the morning feeling good, all they do all day is paint”, Putin said.
“The same goes for hackers. They got up today and read that something is going on internationally. If they are feeling patriotic they will start contributing, as they believe, to the justified fight against those speaking ill of Russia”.
...
“The same goes for hackers. They got up today and read that something is going on internationally. If they are feeling patriotic they will start contributing, as they believe, to the justified fight against those speaking ill of Russia”.
That was an absolutely insane comment for someone in Putin’s position to make publicly. Because while it is absolutely true that you could have ‘patriotic hackers’ doing all sorts of hacks, you don’t want national leaders encouraging and validating that. It’s the kind of comment that could easily be interpreted as an open invitation for Russian hackers to do exactly that and an open invitation for any other hacker around the world to wage a “I’m a Russian hacker!” hacking campaign. It was a dumb comment on multiple levels.
And then Putin made the insane comment that, “I am deeply convinced that no hackers can have a real impact on an election campaign in another country.” And this is after the obvious signficant impact the DNC hacks had on the 2016 campaign and the near-miss in the French election with faked documents. It wasn’t a good look:
...
With Macron having won despite the leaks, Putin said: “I am deeply convinced that no hackers can have a real impact on an election campaign in another country”.Macron, at a meeting with Putin in Paris on Monday, said Russian state media [56] tried to influence the vote with fake news, but Putin said on Thursday: “Nothing, no information can be imprinted in voters’ minds, in the minds of a nation, and influence the final outcome and the final result”.
...
So we have this remarkable situation where Western governments like the US and Germany have rejected the long-standing hesitancy in attributing cyber attacks due to the inherent ambiguity in making these kinds of attributions. And Vladimir Putin was making a nonsense comment about hackers not being able to sway elections while he appeared to be egging hackers and simultaneously making Russia an easier target for false flag attribution. In other words, the we have leaders on both sides of this ‘cyber Cold War’ helping to make the situation ripe for exactly the kind of “international chaos” France’s cyber chief was warning about.
The Other Side of the “Internation Chaos” Coin
At the same time, let’s not forget that a staus quo where cyberattribution is made very hesitantly due to these ambiguities and the ability to wage false flag attacks, is potentially another form of “international chaos.” A situation were nations and private entities can effective hack each other with relative impunity as long as they are reasonably competent in executing the hack without leaving self-implicating mistakes. In other words, the issue of how to address cyberattribution is one of those situations were there really is no ‘clean’ answer. Each approach has its own downsides.
For instance, imagine the NSA has secret intelligence that does actually allow it to confidently attribute a hack to Russia or China or Germany or whoever. But that evidence can’t be publicly revealed and the evidence that can be publicly revealed, like the IP addressed used in the hack, is too ambiguous to make a solid attribution. What is US government going to do in that situation? Especially if the hacks are very high-profile? Does it just throw its hands up and say, “oh well, we know it’s the Russians (or Chinese or Germans or whoever) pulling these hacks off, but we just can’t prove it”? Because that is an option. Another options is trying to address these topics on a government-to-government level and hoping it can get worked out that way. If it that avenue doesn’t yield results, what’s a government going to do if it really can confidently make an attribution but can’t publicly reveal the evidence?
Or let’s consider another scenario: a government can’t conclusively prove who is behind a hack, but it’s pretty sure it knows who’s behind it given the circumstances. What’s a government going to do in that situation when the inherent ambiguities in cyberattribution basically make presenting a public case proving their suspicions impossible? Especially if the hacks keep coming? What’s a government going to do?
And then there’s the other obvious scenario: a government can’t conclusively prove who is behind a hack, but it really wants to pin it on a particular adversary and the hackers just happened to make all sort of ‘mistakes’ that could be interpretted as real digital evidence but could also easily be interpretted as intentionally placed false flag decoy mistakes. What’s a government going to do when it’s handed that kind of ‘gift’ if it happens in the middle of a wave of brazen hacks?
These kinds of scenarios are all totally feasible and probably playing out around the globe all the time: a hack happens, a government has suspicions and hunches, maybe even some intelligence suggested that an adversary was probably behind it, but nothing can be conclusively proven based on the technical evidence. On one level, these are situations where a government can appear to be seemingly helpless and that really is a kind of “international chaos” situation. So what does a government do in this case?
This is probably a good point to re-read the comments we saw above from John Hultquist, the director of cyberespionage analysis at FireEye, about the sudden change in Russian hacking behavior that started in 2014 following the conflict in Ukraine:
...
Mr. Hultquist noted that the attack was characterized by haste, and a trail of digital mistakes. “There was a time when Russian hackers were characterized by their lack of sloppiness,” Mr. Hultquist said. “When they made mistakes, they burned their entire operation and started anew. But since the invasion of Ukraine and Crimea,” he said, “we’ve seen them carry out brazen, large scale attacks,” perhaps because “there have been few consequences for their actions.”
...
We have the sudden change in ‘Russian hacker’ behavior, where tensions flare up between Russian the West and then there’s all sort of “I’m a Russian hacker” attacks over an over where the evidence might be spoofed by a third party but also might be intentionally left be the Russian hackers to achieve some sort of psychological warfare objectives. And it’s possible the NSA has secret evidence tying all this back to actual Russian government hackers that it can’t reveal, or maybe not and the Western governments are merely ‘pretty sure’ it’s really a Russian government campaign and don’t want to let them ‘get away with it’?
So what’s the appropriate approach to a situation like this? Well, it turns out the current round of Western governments directly attributing these hacks to the Russian government is both historically very unusually and actually a reflection of a choice that was made at the government level and within the cybersecurity industry on how to address these situations: Make public attribution a priority because that’s seen as the best defense against future attacks. Yep, for the past 5 years or so, the cybersecurity industry has seen a revolution in how it treats cyberattribution based on a one-man campaign. And that man is Dmitri Alperovitch, the co-founder of CrowdStrike, the company that led the investigation of the 2016 DNC hack and made the initial ‘Russia did it’ attribution. As the following Esquire article about Alperovitch note, making a public attribution directly blaming other nation states and doing it fast and forefully used to be seen as heresy within the cybersecurity industry. But as Alpoveritch saw it, that hesitancy of cybersecurity firms was only encouraging nation-state hacking groups and the only solution was aggressive public attribution campaigns. And as the article makes clear, Alperovitch’s views won out, and the whole industry of cyberattribution has undergone a radical revolution [57]:
Esquire
The Russian Expat Leading the Fight to Protect America
In a war against hackers, Dmitri Alperovitch and CrowdStrike are our special forces (and Putin’s worst nightmare).
By Vicky Ward
Oct 24, 2016At six o’clock on the morning of May 6, Dmitri Alperovitch woke up in a Los Angeles hotel to an alarming email. Alperovitch is the thirty-six-year-old cofounder of the cybersecurity firm CrowdStrike, and late the previous night, his company had been asked by the Democratic National Committee to investigate a possible breach of its network. A CrowdStrike security expert had sent the DNC a proprietary software package, called Falcon, that monitors the networks of its clients in real time. Falcon “lit up,” the email said, within ten seconds of being installed at the DNC: Russia was in the network.
Alperovitch, a slight man with a sharp, quick demeanor, called the analyst who had emailed the report. “Are we sure it’s Russia?” he asked.
The analyst said there was no doubt. Falcon had detected malicious software, or malware, that was stealing data and sending it to the same servers that had been used in a 2015 attack on the German Bundestag. The code and techniques used against the DNC resembled those from earlier attacks on the White House and the State Department. The analyst, a former intelligence officer, told Alperovitch that Falcon had identified not one but two Russian intruders: Cozy Bear, a group CrowdStrike’s experts believed was affiliated with the FSB, Russia’s answer to the CIA; and Fancy Bear, which they had linked to the GRU, Russian military intelligence.
Alperovitch then called Shawn Henry, a tall, bald fifty-four-year-old former executive assistant director at the FBI who is now CrowdStrike’s president of services. Henry led a forensics team that retraced the hackers’ steps and pieced together the pathology of the breach. Over the next two weeks, they learned that Cozy Bear had been stealing emails from the DNC for more than a year. Fancy Bear, on the other hand, had been in the network for only a few weeks. Its target was the DNC research department, specifically the material that the committee was compiling on Donald Trump and other Republicans. Meanwhile, a CrowdStrike group called the Overwatch team used Falcon to monitor the hackers, a process known as shoulder-surfing.
...
Hacking, like domestic abuse, is a crime that tends to induce shame. Companies such as Yahoo usually publicize their breaches only when the law requires it. For this reason, Alperovitch says, he expected that the DNC, too, would want to keep quiet.
By the time of the hack, however, Donald Trump’s relationship to Russia had become an issue in the election. The DNC wanted to go public. At the committee’s request, Alperovitch and Henry briefed a reporter from The Washington Post about the attack. On June 14, soon after the Post story publicly linked Fancy Bear with the Russian GRU and Cozy Bear with the FSB for the first time, Alperovitch published a detailed blog post about the attacks.
Alperovitch told me he was thrilled that the DNC decided to publicize Russia’s involvement. “Having a client give us the ability to tell the full story” was a “milestone in the industry,” he says. “Not just highlighting a rogue nation-state’s actions but explaining what was taken and how and when. These stories are almost never told.”
In the five years since Alperovitch cofounded CrowdStrike, he and his company have played a critical role in the development of America’s cyberdefense policy. Frank Cilluffo, the former special assistant to the president for homeland security, likens Alperovitch to Paul Revere: “Dmitri, as an individual, has played a significant role in elevating cybersecurity policy not only inside the private sector but more generally.”
When I met Alperovitch in late September, at his open-plan offices outside Washington, D.C., he explained that CrowdStrike was created to take advantage of a simple but central lesson he’d learned about stopping hackers. It’s not enough, he says, to play defense with technology: “Otherwise the adversary will scale up and it becomes a game of numbers, which they will win.” Instead, attribution is crucial: First you need to identify the perpetrator, then you need to discover what motivates the crime, and finally—most important—you need to figure out how to fight back.
Before Alperovitch founded CrowdStrike, the idea that attribution ought to be a central defense against hackers was viewed as heresy. In 2011, he was working in Atlanta as the chief threat officer at the antivirus software firm McAfee. While sifting through server logs in his apartment one night, he discovered evidence of a hacking campaign by the Chinese government. Eventually he learned that the campaign had been going on undetected for five years, and that the Chinese had compromised at least seventy-one companies and organizations, including thirteen defense contractors, three electronics firms, and the International Olympic Committee.
That the Chinese government had been stealing information from the private sector was a shock to the security industry and to many U. S. officials. Almost no one thought that foreign governments used the Internet for anything other than old-fashioned espionage. “This was not spy versus spy,” says John Carlin, who was until recently the assistant attorney general for national security. The hacking was economic sabotage.
While Alperovitch was writing up his report on the breach, he received a call from Renee James, an executive at Intel, which had recently purchased McAfee. According to Alperovitch, James told him, “Dmitri, Intel has a lot of business in China. You cannot call out China in this report.”
Alperovitch removed the word China from his analysis, calling the operation Shady Rat instead. He told me that James’s intervention accelerated his plans to leave Intel. (James declined to comment.) He felt that he was “now being censored because I’m working for a company that’s not really an American company.”
Alperovitch and George Kurtz, a former colleague, founded CrowdStrike as a direct response. The cybersecurity industry at the time, Alperovitch says, was “terrified of losing their ability to market products in China.” Their new company would push the idea that hacking was a means, not an end. “We saw that no one’s really focused on the adversary,” Alperovitch told me. “No one’s focusing exclusively on how can we actually identify them, attribute them, deter them from taking this action again.” CrowdStrike’s tagline encapsulated its philosophy: “You don’t have a malware problem, you have an adversary problem.”
...
Alperovitch studied computer science at Georgia Tech and went on to work at an antispam software firm. There he met a striking dark-haired computer geek named Phyllis Schneck. As a teenager, Schneck once showed her father that she could hack into the company where he worked as an engineer. Appalled, Dr. Schneck made his daughter promise never to do something like that again.
Fighting email spam taught Alperovitch a second crucial lesson. He discovered that every time he blocked a server, the spammers deployed a hundred new servers to take its place. Alperovitch realized that defense was about psychology, not technology.
To better understand his adversaries, Alperovitch posed as a Russian gangster on spam discussion forums, an experience he wrote up in a series of reports. One day he returned from lunch to a voice mail telling him to call the FBI immediately. He was terrified. “I was not a citizen yet,” he told me.
As it happened, the bureau was interested in his work. The government was slowly waking up to the realization that the Internet was ripe for criminal exploitation: “the great price of the digital age,” in John Carlin’s words. In 2004, the bureau was hacked by Joseph Colon, a disgruntled IT consultant who gained “god-level” access to FBI files. Colon was eventually indicted, but his attack showed the government how vulnerable it was to cybercrime.
In 2005, Alperovitch flew to Pittsburgh to meet an FBI agent named Keith Mularski, who had been asked to lead an undercover operation against a vast Russian credit-card-theft syndicate. Mularski had no prior experience with the Internet; he relied on Alperovitch, whom he calls “a good guy and a friend,” to teach him how to get into the forum and speak the lingo. Mularski’s sting operation took two years, but it ultimately brought about fifty-six arrests.
Alperovitch’s first big break in cyberdefense came in 2010, while he was at McAfee. The head of cybersecurity at Google told Alperovitch that Gmail accounts belonging to human-rights activists in China had been breached. Google suspected the Chinese government. Alperovitch found that the breach was unprecedented in scale; it affected more than a dozen of McAfee’s clients.
Three days after his discovery, Alperovitch was on a plane to Washington. He’d been asked to vet a paragraph in a speech by the secretary of state, Hillary Clinton. She’d decided, for the first time, to call out another country for a cyberattack. “In an interconnected world,” she said, “an attack on one nation’s networks can be an attack on all.”
Despite Clinton’s announcement, Alperovitch believed that the government, paralyzed by bureaucracy and politics, was still moving too slowly. In 2014, Sony called in CrowdStrike to investigate a breach of its network. The company needed just two hours to identify North Korea as the adversary. Executives at Sony asked Alperovitch to go public with the information immediately, but it took the FBI another three weeks before it confirmed the attribution.
The delay still frustrates Alperovitch, who saw the long silence as a kind of disinformation. “Yesterday you had no idea. Today you’re 100 percent certain. It wasn’t credible.” From the perspective of the government, however, the handling of the Sony hack was a triumph. “In twenty-six days we figured out it was North Korea,” John Carlin told me. The attribution changed the focus, he said, from what Sony did wrong to how the government was going to respond to North Korea. As Phyllis Schneck, who now works at the Department of Homeland Security, told me, the government moves slowly because it cannot afford to be wrong: “Vendors like to be first. Government must be right.”
The government’s attitude toward attribution moved closer to Alperovitch’s in September 2015, in the run-up to a state visit by Chinese president Xi Jinping. A year earlier, five members of the Chinese People’s Liberation Army had been indicted by a grand jury in Pennsylvania for stealing economic secrets from the computers of U. S. firms in the nuclear, solar, and metals industries. Carlin told me that the indictments were meant as “a giant No Trespass sign: Get off our lawn.” But the indictment didn’t stop the hackers. Alperovitch went on television to call for a stronger response. In April 2015, after President Obama signed an executive order threatening sanctions against the Chinese, Alperovitch received a call from the White House. “You should be happy,” he was told. “You’re the one who’s been pushing for this.”
Six months later, just before the state visit, The Washington Post reported that the U. S. was considering making good on the executive order. A senior State Department official told me that Xi did not want to be embarrassed by an awkward visit. The Chinese sent over a negotiating team, and diplomats from both countries stayed up all night working out an agreement. During the state visit, Obama and Xi announced that “neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property” for the purpose of economic espionage. Since then, the Chinese burglaries have slowed dramatically.
...
The government’s reluctance to name the Russians as the authors of the DNC and DCCC hacks made Alperovitch feel that the lessons of the war game—call out your enemy and respond swiftly—had been wasted. He continued to be told by his friends in government that it was politically impossible for the United States to issue an official response to Russia. Some, especially in the State Department, argued that the United States needed Russia’s help in Syria and could not afford to ratchet up hostilities. Others said an attribution without a concrete response would be meaningless. Still others insisted that classified security concerns demanded consideration.
Alperovitch was deeply frustrated: He thought the government should tell the world what it knew. There is, of course, an element of the personal in his battle cry. “A lot of people who are born here don’t appreciate the freedoms we have, the opportunities we have, because they’ve never had it any other way,” he told me. “I have.”
The government’s hesitation was soon overtaken by events. During the first week of October, while Alperovitch was on a rare vacation, in Italy, Russia pulled out of an arms-reduction pact after being accused by the U. S. of bombing indiscriminately in Syria. The same day, the U. S. halted talks with Russia about a Syrian ceasefire. On October 7, two days before the second presidential debate, Alperovitch got a phone call from a senior government official alerting him that a statement identifying Russia as the sponsor of the DNC attack would soon be released. (The statement, from the office of the director of national intelligence and the Department of Homeland Security, appeared later that day.) Once again, Alperovitch was thanked for pushing the government along.
He got the news just after leaving the Sistine Chapel. “It kind of put things in perspective,” he told me. Though pleased, he wished the statement had warned that more leaks were likely. “It’s nice that you have the DHS and DNI jointly putting the statement out on a Friday night, but the president coming out and saying, ‘Mr. Putin, we know you’re doing this, we find it unacceptable, and you have to stop’ would be beneficial.”
Less than a week later, after WikiLeaks released another cache of hacked emails—this time from John Podesta, Hillary Clinton’s campaign chair—the White House announced that the president was considering a “proportional” response against Russia. Administration officials asked Alperovitch to attend a meeting to consider what to do. He was the only native Russian in the room. “You have to let them save face,” he told the group. “Escalation will not end well.”
———-
“The Russian Expat Leading the Fight to Protect America” by Vicky Ward; Esquire; 10/24/2016 [57]
“Alperovitch, a slight man with a sharp, quick demeanor, called the analyst who had emailed the report. “Are we sure it’s Russia?” he asked.”
That was reportedly Alperovitch’s initial response to the conclusion his company’s analyst that Russia was behind the DNC hack: Are we sure it’s Russia? And that’s a very reasonable question to ask at that point. A note the analyst’s response: There was no doubt. Why? Because the malware used in the DNC hack was sending data back to the same servers used in the Bundestag hack of 2015 and the malware code was similar to earlier hacks:
...
The analyst said there was no doubt. Falcon had detected malicious software, or malware, that was stealing data and sending it to the same servers that had been used in a 2015 attack on the German Bundestag. The code and techniques used against the DNC resembled those from earlier attacks on the White House and the State Department. The analyst, a former intelligence officer, told Alperovitch that Falcon had identified not one but two Russian intruders: Cozy Bear, a group CrowdStrike’s experts believed was affiliated with the FSB, Russia’s answer to the CIA; and Fancy Bear, which they had linked to the GRU, Russian military intelligence.
...
So this is a good time to remind ourselves that the IP address found in the malware used in that DNC hack and the Bundestag hack was published in 2015 [11] and Germany’s BfV government issued a newsletter attributed that Budestag hack to the Russian governent in January of 2016 [58], meaning it would have been an incredibly brazen for Russian government hackers to execute a hack using the same command & control server with the same IP address unless Russia wanted to get caught. But from CrowdStrike’s perspective, this was the kind of ‘digital fingerprint’ that could lead to a conclusion with “no doubt.”
And as the rest of the article made clear, arriving at a culprit for cyber attacks and then make a very public complaint about the attack is at the heart of the strategy that Alperovitch has been advocating for years. And advocating with great success:
...
Alperovitch told me he was thrilled that the DNC decided to publicize Russia’s involvement. “Having a client give us the ability to tell the full story” was a “milestone in the industry,” he says. “Not just highlighting a rogue nation-state’s actions but explaining what was taken and how and when. These stories are almost never told.”In the five years since Alperovitch cofounded CrowdStrike, he and his company have played a critical role in the development of America’s cyberdefense policy. Frank Cilluffo, the former special assistant to the president for homeland security, likens Alperovitch to Paul Revere: “Dmitri, as an individual, has played a significant role in elevating cybersecurity policy not only inside the private sector but more generally.”
When I met Alperovitch in late September, at his open-plan offices outside Washington, D.C., he explained that CrowdStrike was created to take advantage of a simple but central lesson he’d learned about stopping hackers. It’s not enough, he says, to play defense with technology: “Otherwise the adversary will scale up and it becomes a game of numbers, which they will win.” Instead, attribution is crucial: First you need to identify the perpetrator, then you need to discover what motivates the crime, and finally—most important—you need to figure out how to fight back.
...
“It’s not enough, he says, to play defense with technology: “Otherwise the adversary will scale up and it becomes a game of numbers, which they will win.” Instead, attribution is crucial: First you need to identify the perpetrator, then you need to discover what motivates the crime, and finally—most important—you need to figure out how to fight back.”
That’s Alperovitch’s philosophy: You can’t simply deal with hacking by playing defense. You have to play offense and that requires public attribution. And it’s a philosophy that was viewed as heresy in the cybersecurity industry not too long ago. The article characterizes this industry disposition as be in part due to concerns within the industry about losing clients in the nations they publicly attribute an attack to, but it seems like the inherent ambiguity in making these attributions would have also been a factor in why that was viewed as heresy. Either way, CrowdStrike was formed in response to this industry bias against public attribution of hacks against other governments:
...
Before Alperovitch founded CrowdStrike, the idea that attribution ought to be a central defense against hackers was viewed as heresy. In 2011, he was working in Atlanta as the chief threat officer at the antivirus software firm McAfee. While sifting through server logs in his apartment one night, he discovered evidence of a hacking campaign by the Chinese government. Eventually he learned that the campaign had been going on undetected for five years, and that the Chinese had compromised at least seventy-one companies and organizations, including thirteen defense contractors, three electronics firms, and the International Olympic Committee.That the Chinese government had been stealing information from the private sector was a shock to the security industry and to many U. S. officials. Almost no one thought that foreign governments used the Internet for anything other than old-fashioned espionage. “This was not spy versus spy,” says John Carlin, who was until recently the assistant attorney general for national security. The hacking was economic sabotage.
While Alperovitch was writing up his report on the breach, he received a call from Renee James, an executive at Intel, which had recently purchased McAfee. According to Alperovitch, James told him, “Dmitri, Intel has a lot of business in China. You cannot call out China in this report.”
Alperovitch removed the word China from his analysis, calling the operation Shady Rat instead. He told me that James’s intervention accelerated his plans to leave Intel. (James declined to comment.) He felt that he was “now being censored because I’m working for a company that’s not really an American company.”
Alperovitch and George Kurtz, a former colleague, founded CrowdStrike as a direct response. The cybersecurity industry at the time, Alperovitch says, was “terrified of losing their ability to market products in China.” Their new company would push the idea that hacking was a means, not an end. “We saw that no one’s really focused on the adversary,” Alperovitch told me. “No one’s focusing exclusively on how can we actually identify them, attribute them, deter them from taking this action again.” CrowdStrike’s tagline encapsulated its philosophy: “You don’t have a malware problem, you have an adversary problem.”
...
““No one’s focusing exclusively on how can we actually identify them, attribute them, deter them from taking this action again.” CrowdStrike’s tagline encapsulated its philosophy: “You don’t have a malware problem, you have an adversary problem.””
And that encapsulates much of CrowdStrike’s approach to stopping hacks:
Step 1. Determine a culprit.
Step 2. Make a big public stink about it.
And this approach appears to have been by a conclusion Alperovitch arrived while working at an antispam software firm where he met his future CrowdStike partner Phyllis Schneck: cyber defense was about psychology, not technology:
...
Alperovitch studied computer science at Georgia Tech and went on to work at an antispam software firm. There he met a striking dark-haired computer geek named Phyllis Schneck. As a teenager, Schneck once showed her father that she could hack into the company where he worked as an engineer. Appalled, Dr. Schneck made his daughter promise never to do something like that again.Fighting email spam taught Alperovitch a second crucial lesson. He discovered that every time he blocked a server, the spammers deployed a hundred new servers to take its place. Alperovitch realized that defense was about psychology, not technology.
...
And that psychological strategy is part of why making a public attribution is so important, according to this strategy. From Alperovitch’s perspective, intimidating your cyber adversary is basically the only realistic way to stop the hacks.
It’s a strategy that he first employed in 2010, when his analysis was used by the US government to publicly accuse China of cyber attacks on Google Gmail accounts. The strategy was used again 2014 to attributed the Sony hacks on North Korea and in 2015 once again against China. And that 2015 attribution against China, which included a the threat of an executive order by President Obama that would punish China over the hacks, apparently resulted in a bi-lateral agreement where “neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property” for the purpose of economic espionage. Chinese cyber burglaries have slowed dramatically since them:
...
Alperovitch’s first big break in cyberdefense came in 2010, while he was at McAfee. The head of cybersecurity at Google told Alperovitch that Gmail accounts belonging to human-rights activists in China had been breached. Google suspected the Chinese government. Alperovitch found that the breach was unprecedented in scale; it affected more than a dozen of McAfee’s clients.Three days after his discovery, Alperovitch was on a plane to Washington. He’d been asked to vet a paragraph in a speech by the secretary of state, Hillary Clinton. She’d decided, for the first time, to call out another country for a cyberattack. “In an interconnected world,” she said, “an attack on one nation’s networks can be an attack on all.”
Despite Clinton’s announcement, Alperovitch believed that the government, paralyzed by bureaucracy and politics, was still moving too slowly. In 2014, Sony called in CrowdStrike to investigate a breach of its network. The company needed just two hours to identify North Korea as the adversary. Executives at Sony asked Alperovitch to go public with the information immediately, but it took the FBI another three weeks before it confirmed the attribution.
The delay still frustrates Alperovitch, who saw the long silence as a kind of disinformation. “Yesterday you had no idea. Today you’re 100 percent certain. It wasn’t credible.” From the perspective of the government, however, the handling of the Sony hack was a triumph. “In twenty-six days we figured out it was North Korea,” John Carlin told me. The attribution changed the focus, he said, from what Sony did wrong to how the government was going to respond to North Korea. As Phyllis Schneck, who now works at the Department of Homeland Security, told me, the government moves slowly because it cannot afford to be wrong: “Vendors like to be first. Government must be right.”
The government’s attitude toward attribution moved closer to Alperovitch’s in September 2015, in the run-up to a state visit by Chinese president Xi Jinping. A year earlier, five members of the Chinese People’s Liberation Army had been indicted by a grand jury in Pennsylvania for stealing economic secrets from the computers of U. S. firms in the nuclear, solar, and metals industries. Carlin told me that the indictments were meant as “a giant No Trespass sign: Get off our lawn.” But the indictment didn’t stop the hackers. Alperovitch went on television to call for a stronger response. In April 2015, after President Obama signed an executive order threatening sanctions against the Chinese, Alperovitch received a call from the White House. “You should be happy,” he was told. “You’re the one who’s been pushing for this.”
Six months later, just before the state visit, The Washington Post reported that the U. S. was considering making good on the executive order. A senior State Department official told me that Xi did not want to be embarrassed by an awkward visit. The Chinese sent over a negotiating team, and diplomats from both countries stayed up all night working out an agreement. During the state visit, Obama and Xi announced that “neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property” for the purpose of economic espionage. Since then, the Chinese burglaries have slowed dramatically.
...
So that all sounds like a great success of Alperovitch’s public attribution strategy, right? A bi-lateral agreement with China that slowed Chinese cyber burglaries dramatically is quite an achievement.
Except, of course, there’s a rather significant problem with this approach and it relates directly to the warnings by France’s cyber security chief about “international chaos” from false flags: What if the dramatic slow down in Chinese cyber burglaries merely reflects a shift in strategy by Chinese hackers to make their hacks look like, say, Russian hackers? Or American hackers? Why isn’t this ‘new normal’ of aggressively making public attributions exactly the kind of ‘defensive’ tactic that makes false flag attacks even more tempting? And why wouldn’t third-parties who want to sow chaos, like neo-Nazi hackers, LOVE this new attribution paradigm?
And note the comment for Alperovitch’s former CrowdStrike partner, Phyllis Schneck, who is now at DHS, about how the cybersecurity industry’s predilection for “being first” on making an attribution now:
...
The delay still frustrates Alperovitch, who saw the long silence as a kind of disinformation. “Yesterday you had no idea. Today you’re 100 percent certain. It wasn’t credible.” From the perspective of the government, however, the handling of the Sony hack was a triumph. “In twenty-six days we figured out it was North Korea,” John Carlin told me. The attribution changed the focus, he said, from what Sony did wrong to how the government was going to respond to North Korea. As Phyllis Schneck, who now works at the Department of Homeland Security, told me, the government moves slowly because it cannot afford to be wrong: “Vendors like to be first. Government must be right.”
...
“Vendors like to be first. Government must be right.”
In other worlds, market forces have now been unleashed to encourage the cybersecurity industry to rush to attribution conclusions. After all, think about the incredible free advertising Trend Micro got for its report on the US Senate phishing sites and the Macron hacks. The profit-motive encourages this. Isn’t that wildly dangerous when those rushed attributions have geo-strategic implications? It sure sounds like a recipe for “international chaos”.
Still, let’s keep in mind that a world where Chinese government hackers can pilfer intellectual property rights with impunity and North Korea and attack corporations over movies it doesn’t like is another form of “international chaos”. Although probably not nearly as chaotic as the kind of world where conflicts break out as a result of cyber attacks and false flag campaigns, but it’s still a very non-ideal situation.
What’s the Cybersecurity Industry’s Secret to Cyber Attribution? Pattern Recognition. Hopefully Perfect Pattern Recognition (Because Otherwise it’s International Chaos)
So what’s the cybersecurity industry’s response to criticism that this new aggressive approach to attribution is vulnerable to false flag attacks an incorrect attributions? Well, according that describes the techniques the industry uses to arrive at its conclusions, the industry responds by stating false flag attacks just aren’t feasible because hackers make mistakes that reveal their true origin. Yep, that’s the response.
And this response is in an article that describes the primary technique for attribution as “pattern recognition”: looking at a hack’s ‘digital fingerprints’ and comparing them to past attacks. If you think about it, if you’re a hacker, and the digital fingerprints in your hacks allow analysts to trace your work back to previous attacks, that’s a mistake. Recall the comments from FireEye’s analyst about how the Russian hackers used to completely burn their digital infrastructure after getting caught (and then mysteriously stopped doing that around 2014). High quality government hackers shouldn’t actually be leaving an extensive trail of reused digit fingerprints. They apparently used to be able to operate without making so many conspicuous mistakes. And yet the cybersecurity industry is predicating its attributions on basically detecting mistakes hackers make and the deep conviction that hackers make mistakes and these mistakes can be used for high confidence attributions. Which seems like a massive mistake [59]:
CNET
How US cybersleuths decided Russia hacked the DNC
Digital clues led security pros to agencies in Putin’s government. It’s as close as we’ll ever get to proof that Russia did it.
by Laura Hautala
May 3, 2017 9:13 AM PD
It was a bombshell.
Operatives from two Russian spy agencies had infiltrated computers of the Democratic National Committee, months before the US national election.
One agency — nicknamed Cozy Bear by cybersecurity company CrowdStrike — used a tool that was “ingenious in its simplicity and power” to insert malicious code into the DNC’s computers, CrowdStrike’s Chief Technology Officer Dmitri Alperovitch wrote in a June blog post [60]. The other group, nicknamed Fancy Bear, remotely grabbed control of the DNC’s computers.
By October, the Department of Homeland Security and the Office of the Director of National Intelligence on Election Security agreed that Russia [61] was behind the DNC hack. On Dec. 29, those agencies, together with the FBI, Department of Homeland Security and the Office of the Director of National Intelligence on Election Security agreed that Russia [61].
And a week later, the Office of the Director of National Intelligence summarized its findings ((PDF) [62]) in a declassified (read: scrubbed) report. Even President Donald Trump acknowledged, “It was Russia [63],” a few days later — although he told “Face the Nation” earlier this week it “could’ve been China.” [64]
...
We’ll probably never really find out what the US intelligence community or CrowdStrike know or how they know it. This is what we do know:
CrowdStrike and other cyberdetectives had spotted tools and approaches they’d seen Cozy Bear and Fancy Bear use for years. Cozy Bear is believed to be either Russia’s Federal Security Service, known as the FSB, or its Foreign Intelligence Service, the SVR. Fancy Bear is thought to be Russia’s military intel agency, GRU.
It was the payoff of a long game of pattern recognition — piecing together hacker groups’ favorite modes of attack, sussing out the time of day they’re most active (hinting at their locations) and finding signs of their native language and the internet addresses they use to send or receive files.
“You just start to weigh all these factors until you get near 100 percent certainty,” says Dave DeWalt, former CEO of McAfee and FireEye, who now sits on the boards of five security companies. “It’s like having enough fingerprints in the system.”
Watching the cyberdetectives
CrowdStrike put that knowledge to use in April, when the DNC’s leadership called in its digital forensics experts and custom software — which spots when someone takes control of network accounts, installs malware or steals files — to find out who was mucking around in their systems, and why.
“Within minutes, we were able to detect it,” Alperovitch said in an interview the day the DNC revealed the break-in. CrowdStrike found other clues within 24 hours, he said.
Those clues included small fragments of code called PowerShell commands. A PowerShell command is like a Russian nesting doll in reverse. Start with the smallest doll, and that’s the PowerShell code. It’s only a single string of seemingly meaningless numbers and letters. Open it up, though, and out jumps a larger module that, in theory at least, “can do virtually anything on the victim system,” Alperovitch wrote.
One of the PowerShell modules inside the DNC system connected to a remote server and downloaded more PowerShells, adding more nesting dolls to the DNC network. Another opened and installed MimiKatz, malicious code for stealing login information. That gave hackers a free pass to move from one part of the DNC’s network to another by logging in with valid usernames and passwords. These were Cozy Bear’s weapons of choice.
Fancy Bear used tools known as X‑Agent and X‑Tunnel to remotely access and control the DNC network, steal passwords and transfer files. Other tools let them wipe away their footprints from network logs.
CrowdStrike had seen this pattern many times before.
“You could never go into the DNC as a single event and come up with that [conclusion],” said Robert M. Lee, CEO of cybersecurity firm Dragos.
Pattern recognition
Alperovitch compares his work to that of Johnny Utah, the character Keanu Reeves played in the 1991 surfing-bank-heist flick “Point Break.” In the movie, Utah identified the mastermind of a robbery by looking at habits and methods. “He’s already analyzed 15 bank robbers. He can say, ‘I know who this is,’ ” Alperovitch said in an interview in February.
“The same thing applies to cybersecurity,” he said.
One of those tells is consistency. “The people behind the keyboards, they don’t change that much,” said DeWalt. He thinks nation-state hackers tend to be careerists, working in either the military or intelligence operations.
Pattern recognition is how Mandiant, owned by FireEye, figured out that North Korea broke into Sony Pictures’ networks [65].
The government stole Social Security numbers from 47,000 employees and leaked embarrassing internal documents and emails. That’s because the Sony attackers left behind a favorite hacking tool that wiped, and then wrote over, hard drives. The cybersecurity industry had previously traced that tool to North Korea, which had been using it for at least four years, including in a massive campaign against South Korean banks the year before.
It’s also how researchers from McAfee figured out Chinese hackers were behind Operation Aurora in 2009, [66] when hackers accessed the Gmail accounts of Chinese human rights activists and stole source code from more than 150 companies, according to DeWalt, who was CEO of McAfee at the time of the investigation. Investigators found malware written in Mandarin, code that had been compiled in a Chinese operating system and time-stamped in a Chinese time zone, and other clues investigators had previously seen in attacks originating from China, DeWalt said.
Tell us more
One of the most common complaints about the evidence CrowdStrike presented is that the clues could have been faked: Hackers could have used Russian tools, worked during Russian business hours and left bits of Russian language behind in malware found on DNC computers.
It doesn’t help that, almost as soon as the DNC revealed it had been hacked, someone calling himself Guccifer 2.0 and claiming to be Romanian took credit as the sole hacker penetrating the political party’s network [67].
That set off a seemingly endless debate about who did what, even as additional hacks of former Hillary Clinton campaign chairman John Podesta and others led to more leaked emails.
Cybersecurity experts say it would be too difficult for hackers to consistently make it look like an attack was coming from a different group of hackers. One mistake could blow their cover.
Critics probably won’t be getting definitive answers anytime soon, since neither CrowdStrike nor US intelligence agencies plan to provide more details to the public, “as the release of such information would reveal sensitive sources or methods and imperil the ability to collect critical foreign intelligence in the future,” the Office of the Director of National Intelligence said in its report.
“The declassified report does not and cannot include the full supporting information, including specific intelligence and sources and methods.”
The debate has taken Alperovitch by surprise.
“Our industry has been doing attribution for 30 years,” although such work on focused on criminal activity, he said. “The minute it went out of cybercrime, it became controversial.”
———-
“How US cybersleuths decided Russia hacked the DNC” by Laura Hautala; CNET; 05/03/2017 [59]
“Alperovitch compares his work to that of Johnny Utah, the character Keanu Reeves played in the 1991 surfing-bank-heist flick “Point Break.” In the movie, Utah identified the mastermind of a robbery by looking at habits and methods. “He’s already analyzed 15 bank robbers. He can say, ‘I know who this is,’ ” Alperovitch said in an interview in February.”
Yep, Dmitri Alperovitch compares his work to a Keanu Reeves movie character who can just look at the evidence left in a robbery and deduce who did it. That’s the underlying technique at work. And while that’s a perfectly reasonable technique for making a cautious guess about the culprits, it’s apparently being treated as a technique that can allow for near 100 percent certainty:
...
CrowdStrike and other cyberdetectives had spotted tools and approaches they’d seen Cozy Bear and Fancy Bear use for years. Cozy Bear is believed to be either Russia’s Federal Security Service, known as the FSB, or its Foreign Intelligence Service, the SVR. Fancy Bear is thought to be Russia’s military intel agency, GRU.It was the payoff of a long game of pattern recognition — piecing together hacker groups’ favorite modes of attack, sussing out the time of day they’re most active (hinting at their locations) and finding signs of their native language and the internet addresses they use to send or receive files.
“You just start to weigh all these factors until you get near 100 percent certainty,” says Dave DeWalt, former CEO of McAfee and FireEye, who now sits on the boards of five security companies. “It’s like having enough fingerprints in the system.”
...
“You just start to weigh all these factors until you get near 100 percent certainty”
Pattern recognition leading to near 100 percent certainty. And as we saw with the Trend Micro reports, 99–100 percent certainty is indeed something the industry is arriving at with these very consequential attributions.
And this pattern recognition technique is partially predicated on the assumption that hackers don’t actually change their methods very much. Even government hackers:
...
One of those tells is consistency. “The people behind the keyboards, they don’t change that much,” said DeWalt. He thinks nation-state hackers tend to be careerists, working in either the military or intelligence operations.
...
So is it true that careerist government hackers tend to be consistent and don’t really bother switching up their techniques and ‘digital fingerprints’? Well, if so, yes, that would allow for pattern recognition to be used for attribution...except for the fact that government hackers behaving consistently makes them easy marks for a false flag attack. How is this not recognized?!
Also note that even if government hackers are consistent in their methods, that might not matter if they are consistently using malware and server hosting companies that other hackers use and leave ambiguous digitial fingerprints. The consistency might also not matter if they are consistently running their hacks by impersonating other hacking groups, although the cybersecurity industry appears to think that would be impossible for a government hacking group to do consistently without accidentally blowing their cover. Which, again, is an odd assumption to make.
What’s the industry response to these kinds of concerns? Don’t worry about false flags because, the hackers will make mistakes that reveal themselves:
...
Tell us moreOne of the most common complaints about the evidence CrowdStrike presented is that the clues could have been faked: Hackers could have used Russian tools, worked during Russian business hours and left bits of Russian language behind in malware found on DNC computers.
...
Cybersecurity experts say it would be too difficult for hackers to consistently make it look like an attack was coming from a different group of hackers. One mistake could blow their cover.
...
“Cybersecurity experts say it would be too difficult for hackers to consistently make it look like an attack was coming from a different group of hackers.”
WHAT?!! How is such an conclusion arrived at?
Now, it’s true that the longer a third party tries to impersonate another hacking group, the more likely they are to make a mistake. There’s just more opportunity to mistakes when the false flag attacks on consistently attempted. But what about an inconsistent attempt? Like just one or a few? Would that be very difficult?
Also keep in mind that if a false flag attack is successful, and cybersecurity researchers fall for the trick, that false flag group’s mode of operation will become the evidence used for future attributions. In other words, this “pattern recognition” technique is only as good as the quality of the past attributions. For all we know, a huge chunk of the past hacks attributed by the cybersecurity industry to Russia or China or any other country could be misattributed attacks and the digital paper trail is a mix of tracks left by actual Russian and Chinese government hackers plus a bunch of false flag third parties. There’s no reason to not assume this is the case unless the 5‑Eyes has far, far more information about who is hacking who than they let on.
For instance, look at some of the evidence used to attribute attacks to the Chinese government: Mandarin in the code that was compiled on Chinese operating systems, and Chinese work day compile times in the malware:
...
It’s also how researchers from McAfee figured out Chinese hackers were behind Operation Aurora in 2009, [66] when hackers accessed the Gmail accounts of Chinese human rights activists and stole source code from more than 150 companies, according to DeWalt, who was CEO of McAfee at the time of the investigation. Investigators found malware written in Mandarin, code that had been compiled in a Chinese operating system and time-stamped in a Chinese time zone, and other clues investigators had previously seen in attacks originating from China, DeWalt said.
...
Now, on the one hand, that sure seems like the signs of a Chinese hacker. On the other hand, if you were a non-Chinese skilled hacker who didn’t want to get be a suspect and decided to pretend to be a Chinese hacker, wouldn’t those be be exactly the kinds of ‘digital fingerprints’ you would try to leave?
And while the hacks on Chinese human rights activists seems like the kinds of targets Chinese hackers would specifically be interested in, the source code from those 150 companies seems like the kinds of things all sorts of parties would be interested in. So if you were, say, Russian or Brazillian hackers who had an interest in hacking those companies, waging that hacking campaign with Chinese ‘digital fingerprints’ and then target some Chinese human rights activists to lend credence to it. Do skilled professional hackers do such things? Who knows, but getting caught stealing source code from 150 companies seems like the kind of thing a hacking group would really, really, really not want to get caught doing, whether its a Chinese hacking group or any other hacking group. Or lone hacker. So we can’t rule the possiblity out. And yes, this is very unfortunate because that’s the kind of ambiguity that encourages “international chaos” on some level, but it is what it is.
At the same time, let’s remember that it’s entirely possible that the NSA and 5‑Eyes really does have much more information on who is carrying out various hacks — perhaps by storing almost all internet traffic and decrypting it — but they can’t reveal it and shoddy public attribution cases are made to provide public cover for an attribution that was really made with evidence they can’t reveal. So would that situation make it all ok if the cybersecurity industry just standardizes ‘pattern recognition’ as a gold standard for conclusive attribution if they were really just acting as proxy for attributions that were made by the NSA or some other government agency with access to secret evidence that they can’t reveal? Well, that seems like a massive risk because once that attribution standard is established it’s going to be useable by all sorts of companies and governments for whatever reasons they choose. Heck, you could have governments hack themselves and frame an adversary simply by leaving a bunch of ‘digital fingerprints’. For all we know that’s already happening.
And that’s why making attribution the key to cyber defense is such a risky ‘new normal’. The exploitation of the weaknesses in the “pattern recognition” approach to hacks is the ultimate weapon for “international chaos”.
Sure, the ‘old normal’ of refraining from attribution when the evidence is ambiguous is also a recipe for “international chaos” in the form of lots of hacking that’s difficult to stop. But when you compare that kind of ‘chaos’ to the risk of international conflicts getting sparked by doing things a false flag election hack, it seems like the ‘old normal’ should be the preferred ‘normal’. This ‘new normal’ is pretty scary.
And yet, when read the final comments for Alperovitch in the above article, he expresses surprise that there’s been so much debate over whether or not his “pattern recognition” approach to attribution is appropriate for government hack attribution:
...
The debate has taken Alperovitch by surprise.“Our industry has been doing attribution for 30 years,” although such work on focused on criminal activity, he said. “The minute it went out of cybercrime, it became controversial.”
...
“Our industry has been doing attribution for 30 years,” although such work on focused on criminal activity, he said. “The minute it went out of cybercrime, it became controversial.”
The minute pattern recognition attribution went out of cybercrime and got used for government hacking group attribution and high-profile political hacks, it become controversial. And for some reason this is surpising. Despite the fact that false flag hacks in the realm of cyber crime is a completely different story from false flag attacks for the purpose of framing a country in terms of the capabilities of the likely perpretrators and the motivations. And it’s also wildly different in terms of the need for accuracy. It’s not great if you screw up the attribution of a cyber burglarly by a common hacker, but you really don’t want to misattribute something like an election hack.
And let’s not forget that hack attacks can get a lot more disruptive than an election attack. Imagine a hack that takes down a national power grid. Maybe one that takes it down for an extended period of time. What’s the better attribution ‘normal’ in that situation? The ‘old normal’, where public attribution of government hacks was rare, which could conceivably encourage governments that they can get away for such an attack? Or the ‘new normal’, where you could conceivably incentive a devastating cyber false flag attack that takes down a power grid? Or maybe triggers a nuclear plant meltdown?
Which ‘normal’ is worse? It seems like the ‘old normal’ is probably safer since there’s still the implicit threat of mutually assured retaliation without incentizing false flags. But if there’s one ‘permanent normal’, it’s the fact that humanity is going to always need to struggle with the appropriate approach to cyber attribution as long as ‘perfect crime’ false flags are a technical possibility. This debate isn’t going away. Nor should it. It’s similar to the debate over the balance between security vs privacy for things like end-to-end strong encryption [68]. It’s a debate that shouldn’t actually be concluded [69]. Sure, policy decisions need to be made, but debate we shouldn’t assume policies reflect a conclusion the debate.
It’s also similar to the encryption debate in that high-quality government agencies and officials that the public can reasonably trust is probably one of the most important tools for navigating this risk minefield.
So we have this horrible situation where it’s ‘international chaos’ one way or another. And yet the message we’re hearing from US and German (and other) cyber chiefs is that they are 100 percent sure all these hacks being attributed to ‘sloppy’ Russian hackers really are Russian hackers. And the message from Putin in basically, “that wasn’t us, but if it was that would be ok and justified.” On top of that, we had the Macron hack take place last year with ‘Alt-Right’ neo-Nazi fingerprints all over it and that fact is almost entirely ignored and there was never a real attempt to explain it. This situation is an international cyber-tinderbox.
And as a consequence of this environment, we have stories like the one Trend Micro just issued about the US Senate phishing sites made with 100 percent confidence based on “pattern recognition”. And that conclusion is international news and largely accepted without any meaningful consideration of the possibility that, say, neo-Nazi hacker extraordinaire Andrew ‘weev’ Auernheimer or perhaps another government set up those site and left a bunch of ‘digital fingerprints’ designed to make it look like a ‘Fancy Bear’ operation. And no recognition that, if this was indeed a ‘Fancy Bear’ operation, it was conspicuously leaving digital fingerprints leading back to previous hacks, making this the latest incident of Russian hackers apparently suddenly getting super sloppy even since the conflict in Ukraine broke out. Instead, it’s just blanket acceptance of the report and that means it’s a situation ripe for all sorts of ‘international chaos’. Think about how many different entities probably want to run their own ‘Russian hacker’ false flag operations now.
Who knows, maybe the sudden change in Russian hacker behavior starting in 2014 — where digital infrastructure keeps getting re-used hack after hack, allowing the cybersecurity industry to go on a ‘pattern recognition’-spree — really is a Kremlin operation designed to entice hackers and government around the world to pretend to be Russian hackers in order to have a bunch of false flag operations expose and poison the well of ‘Russian hacker’ attribution. That would an incredibly risky operation but the rewards could be handsome. And very sneaky.
So let’s consider some basic scenarios:
A. Putin really has ordered a high-profile trollish hacking campaign following the outbreak of the Ukraine conflict as part of a strategy where Russia getting the blame is either seen as desirable or inconsequential. They’re self-implicating for a reason.
B. Putin really has ordered a hacking campaign following the outbreak of the Ukraine conflict and they keep leaving digital evidence because there’s been a degredation in the quality of Russian hacking personel. And for some reason the issue of reusing compromised digital infrastructure hasn’t been adequately addressed.
C. Putin really has ordered a high-profile trollish hacking campaign following the outbreak of the Ukraine conflict to be carried about by mafia hackers or some other proxies and they keep screwing up and leaving fingerprints. And the Kremlin keeps using them for some reason despite all the screw ups.
D. It really is ‘patriotic hackers’ operating on their own and the Russian government isn’t keen on stopping them despite all the blame they direct back to Russia.
E. One or more third parties, recognizing the opportunity the Ukraine conflict created for pushing a false flag ‘Russian hacker’ campaign, decided to wage such a campaign over the last few years, waging one high-profile hack after another with the full confidence that Western powers and the cybersecurity industry is strongly biased towards making attributions of Russian hackings.
F. Some mix of A thru E.
A range of possibilities is a basic element of this hacking situation and it’s almost never acknowledged these days. For any hack. Why isn’t that considered extremely dangerou
And it’s entirely possible that we’re seeing a situation where Putin is laying a trap based on the observation that the cybersecurity industry appears to be ready and willing to build 100 percent attribution narratives for public consumption for hire:
1. Have Russian hackers carry out a conspicuous wave of hacks filled with digital evidence that points back to Russia but could easily be planet.
2. Infuriate Western governments that know it’s Russian hackers because they have means of detection that can’t be publicly revealed. Like super-secret NSA/5‑Eyes evidence.
3. The cybersecurity industry basically offers to create a narrative ‘proving’ Russia did it using a shoddily constructed case based on guesswork and a refusal to accept the possibility of false flag hacks. And we effectively have to take their word for much of this. This is seen as acceptable in order to not allow Russian to get away with it’s flagrant hacking campaign.
4. Eventually the shoddiness of that attribution method is revealed and used to discredit past and present attributions against Russian. Putin smiles.
Might that explain the sudden sloppy aggressiveness of ‘Russian hackers’ over the past few years? Who knows, but something very odd is happening with all these ‘Russian hackers’ and there’s virtually no interest in understanding why.
Of course, two very obvious reasons there might be so much resistance to the idea of false flag attacks:
1. The fear that such talk might end up helping President Trump avoid culpability for colluding with Russia during the 2016 campaign
2. The fear that it might help take the heat off Putin in the midst of a Russian trollish hacking campaign targeting Western democracies.
But those aren’t great reasons. Even if Putin really has ordered a high-profile trollish destabilizing hacking campaigns, not acknowledging the false flag angle just invites in third parties to participate and create more chaos. And while you might be tempted to think, “oh good, all those false flag attacks will get attributed to Putin and this will apply even more international pressure on Russia to [insert demand here],” that’s an insane attitude. What if the false flag is much nastier, like a grid attack? That’s a flirtation with WWIII-started-by-third-party scenario.
And it’s not like the introduction of the possibility that the DNC server hacks could have involved a false flag third party has to be all that disruptiuve to the #TrumpRussia investigation. At this point that investigation is filled with so much evidence of the Trump campaign’s active desire to collude with Russia based on all the other incidents of Russian footsie that the investigation could go on almost without a hitch even if it was determined a 400 pound guy in bed [70] (or a neo-Nazi hacker like Andrew Auernheimer sitting in bed) did the hacks DNC hacks alone. The DNC hacks were central to the #TrumpRussia investigation at the beginning of Trump’s term, but this is a year into the investigation. Just look at a sampling of what we’ve learned:
1. Trump is basically a mobbed up celebrity businessman [71].
2. Donald Trump Jr., Paul Manafort, and Jared Kushner held a meeting in Trump Tower after Rob Goldstone promises him Russian government help in the form of dirt on Hillary. Whether or not they actually colluding with Russian, they certaintly wanted to. None other than Steve Bannon reportedly called this “treasonous” behavior [72].
3. Trump’s campaign foreign advisor, George Papadopoulos,told Australia’s top diplomat in the UK that the Russians told him they had thousands of Hillary Clinton’s emails [73].
4. GOP financier Peter Smith ran an operation to find Hillary’s hacked emails. They admit they were fine if the came from Russian government hackers. Much of the Trump team was reportedly involved — Steve Bannon, Kellyanne Conway, Sam Clovis, and Michael Flynn [74].
5. Peter Smith’s email-hunting expedition inquired with ‘Alt-Right’ troll-journalist Charles “Chuck” C. Johnson about who might know how to contact hackers on the Dark Web with Hillary Clinton’s emails. Johnson told Smith’s team that they should contact Andrew Auernheimer. Johnson also told Smith’s team that there were other ‘Alt-Right’ teams also looking for Hillary’s emails on the Dark Web. Which kind of sounds like the team that distributed the Macron emails [74].
6. Peter Smith’s email-hunting expedition also inquired with “Guccifer 2.0” about who might know how to contact hackers on the Dark Web with Hillary Clinton’s emails. Guccifer 2.0 told Smith’s team that they should contact Andrew Auernheimer [74].
7. Barbara Ledeen, wife of Michael — who was the co-author of a book on foreign policy with Michael Flynn — started her own Dark Web expedition with Newt Gingrich in 2015 hunting for Hillary’s emails [75].
8. All the other crazy crap Michael Flynn did.
9. All of Trump’s blatant obstruction of justice already known to the public. Even if he’s innocent of everything else, he’s still pretty clearly guilty of obstruction of justice. He talks about.
10. Paul Manafort is super shady. And may have been involved in the Ukraine sniper attacks according to his daughter’s hacked text messages [76].
11. Felix Sater’s Russian Mobster/FBI/CIA informant past [77]. A past Trump claimed to not know about [78].
12. Felix Sater and Trump Org attorney Michael Cohen tried to contact the Kremlin for a Trump Tower Moscow deal during the campaign [79].
13. Cambridge Analytica is own by SCL. SCL employed military-grade psychological warfare specialists for managing big opinion-changing campaigns targeting nations. And they’ve psychologically profiled most of the US [80].
14. Donald Trump, Jr. and Julian Assange were chatting with each other over Twitter’s direct messaging system during the campaign [81].
16. The Russian ‘troll farm’ Internet Research Agency had its own weird social media campaigns. This wasn’t remotely as big or significant as the Trump campaign’s social media presence, and a lot of the troll farm’s activity appeared to be experiments in seeing if they can initiate real-world action through social media enticement, but it’s certainly worth investigating. Especially since it’s entirely possible someone other than the Kremlin hired their services [83]. Although if it was someone like Paul Manafort hiring their services for a dirty tricks team for the Trump campaign that would presumably be done with Putin’s approval since that’s pretty sensitive and the Internet Research Agency is a close ally of Putin.
17. US intelligence officials acknowledged back in July of 2016, a week after the big DNC email batch was leaked by Wikileaks, that the hack was signficantly less sophisticated and sloppy than previous Russian government hacks. And the hackers left Cyrillic character data on the hacked DNC servers. Intelligence sources acknowledge that the attribution was based on dedection and not hard technical evidence, and deduced the sloppiness was intentional trollish signalling meant to show it was Russia [84]. And if that’s true, when you factor in all the footsie Kremlin operatives (or people posing to be Kremlin operatives) were playing with the Trump campaign during the time of this unusually sloppy hack, it suggests the Kremlin could have been trying to get caught and have their ties with the Trump campaign exposed in the subsequent investigation. And that’s a somewhat hilarious scenario that could help with de-escalating US/Russian tensions.
18. The final conclusive attribution by the US intelligence community that Putin ordered the DNC hacks was based on an intelligence source deep within the Kremlin who claimed Putin ordered the attacks and not the “pattern recognition” analysis by CrowdStrike or other cybersecurity companies [85]. So, assuming you believe this Kremlin source, it’s not as if standing behind the “pattern recognition” methodology is critical to any case against the Trump campaign anyway.
19. Trump might be insane.
And that’s just a sampling of the revelations that are now available for any investigators into Trump’s fitness for office.
So when you look at the full scope of all the evidence made public so far of the Trump campaign’s willingness and desire to collude with the Russian government, whether or not Russian carried it out the DNC hack is almost beside the point at this point. All the footsie the Trump campaign and Trump organization was playing with apparent Kremlin operatives throughout the campaign — George Papadopoulos, Felix Sater and Michael Cohen, the Trump Tower meeting — opens up the potential for blackmail anyway, with or without Russian government hackers being behind the DNC server hack. And the mobster-ish past of Trump and so many figures in his orbit is all the more reason to worry about things like blackmail. Who actually hacked the DNC is like an interesting side note when put in the broader context of whether or not Trump is fit for office.
And that creates a marvelous potential opening for addressing two critical goals the US should have at this point:
1. De-escalating the situation with Russia. De-escalation of US-Russian tensions really should be a priority even if you’re pissed at Putin over the 2016 election meddling. The longer there’s this cyber-standoff/trolling situation between the US and Russian the more time there is for third party false flag attacks or things spiralling out of control. Especially with Trump in place. The strategy of racheting international pressure on Russia until some ‘Russian Spring’ happens is high risk and could result in a Russian ultra-nationalist far more dangerous than Putin replacing him. That would be a catastrophe. A ‘Russian-Reset’ based on collective marveling at the corruption of Trump and the GOP would be a much better response.
And...
2. Addressing the “international chaos” risks that a “pattern recognition” standard of cyber attribution techniques introduce into world affairs. These techniques are vulnerable to spoofing and incentivize false flags. If an agency like the NSA wants to declare that it knows something using its superior knowledge, that’s one thing. But granting credibility to random cybersecurity firms using “pattern recognition” techniques for attribution in cases like nation-state-on-nation-state hacking is wildly dangerous. Don’t forget that the approach to stopping hacks advocated by Dmitri Alperovitch — that publicly naming and shaming the hacker is key to to defense — doesn’t necessarily dissuade hackers. It might just make them more intent on pretending to be someone else.
So what’s the opening the US should make to address these twin goals? The US should openly entertain the possibility that some of these high-profile Russian hacks might actually be false flags. Just get that idea out there so the public isn’t lulled into thinking “pattern recognition” is really the kind of gold standard we should accept for nation-state-on-nation-state hacking attributions. At the same time, the US should simultaneously suggest that, if these hacks are indeed ordered by the Russian government, running a high-profile self-implicating hacking campaign — a hacking campaign that’s seemingly designed to raise questions about whether or not it’s a false flag attack because it’s so over the top — is incredibly dangerous and irresponsible and a recipe for international chaos. If Putin actually ordered the years-long self-incriminating hacking campaign we’ve seen from Russian hackers since the outbreak of the conflict in Ukraine in 2014, that is simultaneously kind of clever and wildly irresponsible. And stupid. Because now any random hacker can frame Russia for all sorts of hacks against all sorts of countries and interests. All they’d have to do is run a sloppy, seemingly intentionally self-incriminating hacking campaign intended to trigger a “pattern recognition” match with previous ‘Russian hacks’. And while Putin and the Russian government could have determined that getting framed for hacks like, say, the Macron election hack are acceptable, what about an attack blamed on Russian take takes a Western power’s power-grid down? Or an attack that triggers a nuclear meltdown? That might not be the kind of thing you want to get framed for even if you’re a nuclear power. If Putin really did this launch the kind of hacking campaign we’ve seen since 2014 that was a desperate and dangerous move that really does risk triggering “international chaos” and he needs to stop.
Why can’t the US make that argument without feeling like some sort of major concession was made that helps Putin? It’s an argument that raises the degree of the crime if the Kremlin really is behind this high-profile “I’m a Russian hacker!” campaign by making it clear to the world that this is creating a real risk to the world. And it’s an argument that also makes it clear to the Russian people that it’s incredibly dangerous to them if the Kremlin is really doing this. Do the Russian people want a neo-Nazi elite hacker liek Andrew ‘weev’ Auernheimer framing them for something a lot more horrific than hacked political emails? That seems like a massive national risk.
And the above argument helps head off the risk to the world presented by vulnerable cyber attribution standards too. Don’t forget, the US intelligence communities conclusion Putin was behind the hacks was based on intelligence from a single source deep within the Kremlin who claimed Putin ordered the attacks and was not based on the “pattern recognition” analysis by CrowdStrike or other cybersecurity companies [85]. Not the initial pattern recognition guesswork because that was inconclusive even though it led to the initial hunch that Russian was behind it [84]. Also don’t forget that there are a lot more high-profile hacks attributed to the Russians in recent years so acknowledging the possibility that some of these hacks could be false flags doesn’t solely raise this question about the DNC hack. What about the ‘Alt-Right’ fingerprints all over the Macron hack? Aren’t people interested in resolving that mystery? And if a bunch of ‘Alt-Right’ neo-Nazis turned out to be behind the DNC hack instead of the Kremlin is that somehow good news for Trump and the GOP? Even if a 400 pound hacker in bed [86] did the DNC hack there’s still all the evidence of the Trump campaign’s desire to collude with the Russians and the subsequent blatant obstruction of justice.
Don’t forget that impeaching Trump is a political decision in the end and, not a criminal one. Even if raising the possibility of non-Kremlin source behind the DNC hack complicated Robert Mueller investigation’s ability to criminal charge in relation to the election hack, it’s not like that criminal charge is a deciding factor for impeachment purposes. That’s a political choice. What if the Trump campaign and the GOP arranged for their own ‘Russian hackers’? Or perhaps a bunch of ‘Alt-Right’ hackers were behind the DNC hack and Macron hacks and the Trump team had extensive contact with? Those kinds of scenarios wouldn’t exactly help their case against impeachment, would they? Is it politically acceptable to collude with ‘Alt-Right’ hackers now?
Impeaching Trump is also an act fraught with great peril and probably shouldn’t be considered the top priority for Democrats. Mike Pence could bring a level of competency to the White House that could be far more damaging than Trump’s daily whirlwind of chaotic corruption. And even if Mike Pence is impeached, next in line is the Koch-puppet House Speaker Paul Ryan. There isn’t really a ‘happy ending’ impeachment scenario here. If Trump gets impeached, a huge chunk of the the American conservative base is going to go more insane and develop an even more malignant grievance complex and that psychological wound will be nursed for decades. So is it worth impeaching the blatantly crazy fascist who might blow up the world only to have him replaced by a far more competent fascist? Both scenarios feel like existential risks. In other words, even if you could impeach Trump tomorrow over the Russian hacking and replace his dangerous chaos with a President Pence or Ryan are you sure you want to do that [87]? Super sure [88]? It’s another example of a contemporary catastrophic ‘no-win’ situation. A classical non-technological ‘no-win’ situation: do we try to replace an unpredictable extreme danger with a more predictable extreme danger? Who knows. And that ambiguity over whether or not impeaching Trump is even a desireable scenario is another reason not to fear letting Trump ‘off the hook’ by acknowledging the possibility that these hacks being attributed to Russia might include false flags.
Given all the catastrophic no-win situations swirling around this issue of cyber attribution, how is a society to proceed? Well, here’s something to keep in mind: the future of hacking attribution is probably going to depend on the credibility of the authority making the attribution since authoritative attribution will probably depend on information that can’t be publicly revealed. That’s basically the situation today, where an agency like the NSA is often left to make the final ‘call’ on attribution. But we could become more reliant on trusting an authority with access to secret information in the future, especially if we acknowledge the reality of false flags, and that’s going to raise the question of whether or not that authority can be trusted. And in a world of false flag cybercrimes at a nation-state level, that adds one more reason to have a very credible government. And how do we get credible governments? By creating societies that seem really nice and run by people that seem very unlikely to engage in malicious false accusations. Being really, really, really nice and non-aggressive could be a key element national cyber-defense in the future because the country with the most credibility could end up with the final word in the court of public opinion. And the court of public opinion matters in the realm of international cyber warfare.
Look at it this way: the catastrophic no-win situations around cyber attacks and attribution makes having a high-quality, trust-worthy government with a formidable intelligence capacity whose word is respected around the globe a national security priority. And the only way to realistically accomplish that feat is for a society to develop a track record of actually being really nice and compassionate and trustworthy and not agressively ambitious. Sure, on one level this is utopian thinking. But when you think about the array of new technologies that will allow for devastating attacks that could be carried out without clear attribution — false flag biowarfare, false flag nuclear attacks, false flag assassin drone attacks, false flag [insert technological horror show here] — it’s hard to see why false flag attacks aren’t going to be a popular mode for waging both warfare and terrorism, and that all makes having a really well-respected society all the more important in the future. Good! It’s one more reason for building good, decent societies populated by honorable and trustworthy individuals? How do we accomplish that? Good question! Let’s figure that out. It probably involves a nation carrying out the duel focus of being really decent to its citizens while constantly trying to make the world at large a better place for nation. Which is something that shouldn’t be considered utopian thinking and instead should be seen as a basic survival for a high-tech future. Plus, it’s not like this is the only technological nightmare situation that calls for a dedication to very good, trustworthy societies and governments [68].
And there’s one key aspect to being a well-like, trustworthy, nation with the kind of international credibility to make an attribution that will be believed, and it’s an ironic one: the capacity to ‘turn the other cheek’ and not respond in kind after an attack even after a public attribution is made. Yep, shaming the blamed attacker while simultaneously de-escalating the situation even after an attribution is made could be a great way for a society to build up ‘attribution cred’. And it might actually avoid situations from spiraling out of control. Because if we apply the ‘mutually assured destruction’ mode of dissuading attacks that’s been successfully employed with nuclear strikes to future technologies where attribution is far more difficult than a nuclear strike, we’re just asking for third parties to pick fights between nations with false flag attacks. Don’t forget that a third party could conceivably wage a false flag attack and a false flag counter-attack. That’s the kind of craziness that’s going to be unleashed by technology that potentially enables individuals to carry out devastating non-attributable attacks. That’s the future. The ‘400 pound hacker in his bed’ really might start WWIII in future. And WWIV after that. So our future had better involved quite a bit of ‘turning the other cheek’ if it’s going to avoid being a smoldering future. Utopian thinking might be a basic survival strategy going forward.
And if ‘being a really, really nice and trustworthy country’ feels like a high-risk solution for how to address the threat of technological false flags, don’t forget: international chaos. That’s the future we invite when technological false flags and mutually assured destruction is the norm. So when you read stories about cyber attributions being made with near certainty in these high-profile hacks based on circumstantial evidence and guesswork, keep in mind that the only thing you should be 100 percent certain about is that this level of certainty is a really bad idea for a lot of reasons [89]