Spitfire List Web site and blog of anti-fascist researcher and radio personality Dave Emory.

Cyber Attribution, the Mega-Hacks of 2021, and the Existential Threat of Blind Faith in Bad-Faith

Move over COVID. 2021 is turning out to be another year of the digital virus. One massive hacking story after another. Unrelated stories in many cases, we are told. In particular:
1. The SolarWinds mega-hack announced in December of 2020, blamed on Russia, blamed on Cozy Bear.
2. The Microsoft Exchange mega-hack disclosed in March 2021, blamed on China.
3. The revelations about NSO Group’s oversight (or lack thereof) of its powerful spyware sold to governments around the world.
4. The emerging story of Candiru, one of NSO Group’s fellow “commercial surveillance vendors”, selling toolkits overflowing with zero-day exploits, specializing in targeting Microsoft products.

But how unrelated are these stories? That’s the big question we’re going to explore in this post. A question punctuated by another meta-story we’ve looked at many times before: the meta-story of a cyberattribution paradigm seemingly designed to allow private companies and governments to concoct an attribution scenario for whatever guilty party they want to finger. As long as there was some sort of ‘clue’ found by investigators — like a piece of Cyrillic or Mandarin text, or malware previously attributed to a group — these clues were strung together in a “pattern recognition” manner to arrive at a conclusion about the identity of the perpetrators. Attribution conclusions often arrived at with incredible levels of confidence.

Recall how the Japanese cybersecurity firm Trend Micro attributed a 2017 US Senate email phishing campaign to ‘Pawn Storm’/Fancy Bear with 100 percent certainty, and they made this highly certain attribution based heavily on how similar the hack was to the 2017 hacks of Emmanuel Macron’s emails via a phishing campaign that Trend Micro attributed at the time with 99 percent certainty to Pawn Storm/Fancy Bear. And yet ANSSI, the French government’s cybersecurity agency, was leaving open the possibility that the hack could be the work of “other high-level” hackers trying to pin the blame on “Pawn Storm” (another name for “Fancy Bear”). Trend Micro was making 99 percent certain attributions that the French government said could be any range of actors. That was the state of affairs for cyberattributions in 2017 and nothing has changed in the years since. Highly certain attributions continued to be piled on top of highly certain attributions — almost always pointing towards Russia, Iran, China, or North Korea — built on a foundation of what appears to be largely guesswork.
Often highly motivated guesswork (i.e. lies).