Spitfire List Web site and blog of anti-fascist researcher and radio personality Dave Emory.
The tag 'Fancy Bear' is associated with 2 posts.

Cyber Attribution, the Mega-Hacks of 2021, and the Existential Threat of Blind Faith in Bad-Faith

Move over COVID. 2021 is turn­ing out to be anoth­er year of the dig­i­tal virus. One mas­sive hack­ing sto­ry after anoth­er. Unre­lat­ed sto­ries in many cas­es, we are told. In par­tic­u­lar:
1. The Solar­Winds mega-hack announced in Decem­ber of 2020, blamed on Rus­sia, blamed on Cozy Bear
2. The Microsoft Exchange mega-hack dis­closed in March 2021, blamed on Chi­na.
3. The rev­e­la­tions about NSO Group’s over­sight (or lack there­of) of its pow­er­ful spy­ware sold to gov­ern­ments around the world.
4. The emerg­ing sto­ry of Can­diru, one of NSO Group’s fel­low “com­mer­cial sur­veil­lance ven­dors”, sell­ing toolk­its over­flow­ing with zero-day exploits, spe­cial­iz­ing in tar­get­ing Microsoft prod­ucts.

But how unre­lat­ed are these sto­ries? That’s the big ques­tion we’re going to explore in this post. A ques­tion punc­tu­at­ed by anoth­er meta-sto­ry we’ve looked at many times before: the meta-sto­ry of a cyber­at­tri­bu­tion par­a­digm seem­ing­ly designed to allow pri­vate com­pa­nies and gov­ern­ments to con­coct an attri­bu­tion sce­nario for what­ev­er guilty par­ty they want to fin­ger. As long as there was some sort of ‘clue’ found by inves­ti­ga­tors — like piece of Cyril­lic or Man­darin text or mal­ware pre­vi­ous­ly attrib­uted to a group — these clues were strung togeth­er in a “pat­tern recog­ni­tion” man­ner to arrive at a con­clu­sion about the iden­ti­ty of the per­pe­tra­tors. Attri­bu­tion con­clu­sions often arrived at with incred­i­ble lev­els of con­fi­dence. Recall how the Japan­ese cyber­se­cu­ri­ty firm Trend­Mi­cro attrib­uted a 2017 US Sen­ate email phish­ing cam­paign to ‘Pawn Storm’/Fancy Bear with 100 per­cent cer­tain­ty, and they made this high­ly cer­tain attri­bu­tion based heav­i­ly on how sim­i­lar the hack was to the 2017 hacks of Emmanuel Macron’s emails via a phish­ing cam­paign that Trend­Mi­cro attrib­uted at the time with 99 per­cent cer­tain­ty to Pawn Storm/Fancy Bear and yet the ANSSI, the French government’s cyber­se­cu­ri­ty agency, was leav­ing open the pos­si­bil­i­ty that the hack they could be the work of “oth­er high-lev­el” hack­ers try­ing to pin the blame on “Pawn Storm” (anoth­er name for “Fan­cy Bear”). Trend­Mi­cro was mak­ing 99 per­cent cer­tain attri­bu­tions that the French gov­ern­ment said could be any range of actors. That was the state of affairs for cyber­at­tri­bu­tions in 2017 and noth­ing has changed in the years since. High­ly cer­tain attri­bu­tions con­tin­ued to be piled on top of high­ly cer­tain attri­bu­tions — almost always point­ing towards Russ­ian, Iran, Chi­na, or North Korea — built on a foun­da­tion of what appear to be large­ly guess­work. Often high­ly moti­vat­ed guess­work (i.e. lies).


Cyber Attribution, the Macron hacks, and the Existential Threat of Unwarranted Certainty

Did you hear the big new hack­ing news? It’s the The news about ‘Fan­cy Bear’ already get­ting ready to wage a new hack­ing cam­paign against US politi­cians? If not, here’s a brief sum­ma­ry: Trend Micro, a Japan­ese cyber­se­cu­ri­ty firm, just issued a new report pur­port­ing to show that ‘Fan­cy Bear’ has already set up mul­ti­ple phish­ing web­sites intend­ed to cap­ture the login cre­den­tials to the US Sen­ate’s email sys­tem. And Trend Micro is 100 per­cent con­fi­dent this is the work of ‘Fan­cy Bear’, the Russ­ian mil­i­tary intel­li­gence hack­ing team. What led to Trend Micro’s 100 per­cent cer­tain­ty that these phish­ing sites were set up by ‘Fan­cy Bear’? It appears to be based on the sim­i­lar­i­ty of this oper­a­tion to the Macron email hack that impact­ed hit French elec­tion last year. The same hack that the French cyber­se­cu­ri­ty agency said was so unso­phis­ti­cat­ed that any rea­son­ably skilled hack­ers could have pulled them off. And the same hacks com­i­cal­ly includ­ed the name of a Russ­ian gov­ern­ment secu­ri­ty con­trac­tor in the meta-data and were traced back to Andrew ‘weev’ Auern­heimer. That’s the hack that this cur­rent Sen­ate phish­ing oper­a­tion strong­ly mim­ics that led to Trend Micro’s 100 per­cent cer­tain­ty that this is the work of ‘Fan­cy Bear.’ So how cred­i­ble is this 100 per­cent cer­tain cyber attri­bu­tion? Well, it’s pos­si­ble Trend Micro is cor­rect, it’s also extreme­ly pos­si­ble they aren’t cor­rect. That’s going to be the top­ic if this post, because Trend Micro is far from alone in mak­ing cyber attri­bu­tion an exer­cise in gam­bling with exis­ten­tial risks.