Move over COVID. 2021 is turning out to be another year of the digital virus. One massive hacking story after another. Unrelated stories in many cases, we are told. In particular:
1. The SolarWinds mega-hack announced in December of 2020, blamed on Russia, blamed on Cozy Bear.
2. The Microsoft Exchange mega-hack disclosed in March 2021, blamed on China.
3. The revelations about NSO Group’s oversight (or lack thereof) of its powerful spyware sold to governments around the world.
4. The emerging story of Candiru, one of NSO Group’s fellow “commercial surveillance vendors”, selling toolkits overflowing with zero-day exploits, specializing in targeting Microsoft products.
But how unrelated are these stories? That’s the big question we’re going to explore in this post. A question punctuated by another meta-story we’ve looked at many times before: the meta-story of a cyberattribution paradigm seemingly designed to allow private companies and governments to concoct an attribution scenario for whatever guilty party they want to finger. As long as there was some sort of ‘clue’ found by investigators — like a piece of Cyrillic or Mandarin text, or malware previously attributed to a group — these clues were strung together in a “pattern recognition” manner to arrive at a conclusion about the identity of the perpetrators. Attribution conclusions often arrived at with incredible levels of confidence. Recall how the Japanese cybersecurity firm Trend Micro attributed a 2017 US Senate email phishing campaign to ‘Pawn Storm’/Fancy Bear with 100 percent certainty, and that it made this highly certain attribution based heavily on how similar the hack was to the 2017 hacks of Emmanuel Macron’s emails via a phishing campaign that Trend Micro had attributed at the time with 99 percent certainty to Pawn Storm/Fancy Bear, even though ANSSI, the French government’s cybersecurity agency, was leaving open the possibility that the hack could be the work of “other high-level” hackers trying to pin the blame on “Pawn Storm” (another name for “Fancy Bear”). Trend Micro was making 99 percent certain attributions that the French government said could be the work of any range of actors. That was the state of affairs for cyberattributions in 2017, and nothing has changed in the years since. Highly certain attributions continued to be piled on top of highly certain attributions — almost always pointing towards Russia, Iran, China, or North Korea — built on a foundation of what appears to be largely guesswork. Often highly motivated guesswork (i.e. lies).
Did you hear the big new hacking news? It’s the news about ‘Fancy Bear’ already getting ready to wage a new hacking campaign against US politicians. If not, here’s a brief summary: Trend Micro, a Japanese cybersecurity firm, just issued a new report purporting to show that ‘Fancy Bear’ has already set up multiple phishing websites intended to capture the login credentials to the US Senate’s email system. And Trend Micro is 100 percent confident this is the work of ‘Fancy Bear’, the Russian military intelligence hacking team. What led to Trend Micro’s 100 percent certainty that these phishing sites were set up by ‘Fancy Bear’? It appears to be based on the similarity of this operation to the Macron email hack that hit the French election last year. The same hack that the French cybersecurity agency said was so unsophisticated that any reasonably skilled hackers could have pulled it off. And the same hacks comically included the name of a Russian government security contractor in the meta-data and were traced back to Andrew ‘weev’ Auernheimer. That’s the hack that this current Senate phishing operation strongly mimics, which led to Trend Micro’s 100 percent certainty that this is the work of ‘Fancy Bear.’ So how credible is this 100 percent certain cyber attribution? Well, it’s possible Trend Micro is correct; it’s also extremely possible they aren’t correct. That’s going to be the topic of this post, because Trend Micro is far from alone in making cyber attribution an exercise in gambling with existential risks.