Crossroads Blog | Institute National Security and Counterterrorism

Attribution, Cybersecurity, Cyberwar, Russia

The Man Who Cried [Grizzly] Bear (previously known as the Boy Who Cried Wolf)

<opinion>

The Russians are coming, the Russians are coming.  The latest narrative from the White House and the media reads like a Hollywood drama with the threat of our entire infrastructure being overtaken by Vladimir Putin and his evil operatives.  Does anyone else find it suspicious that when 20+ million personnel records were exfiltrated from the Office of Personnel Management the rhetoric and nation-blaming was somewhat calm.  However, when e-mails from high-level political campaigns are exposed suddenly we are expelling “diplomats” and preparing to do whatever is necessary to rein in the nefarious cyber-bullies — aka Mother Russia.

I had the chance to peruse the report that was issued claiming the Russian civilian and military intelligence services (“RIS”) were behind the cyber attacks which were focused on the government and specifically the U.S. Presidential Election.

The report has some really interesting graphics and a lot of advice about preventing attacks along with a tiny little Yara signature that purports to demonstrate that the attack(s) originated from Russia (or RIS).  Furthermore, a joint statement from the Department of Homeland Security (“DHS”) and the Office of the Director of National Intelligence (“ODNI”) from October 7, claims that the motives and methods used to hack the e-mails of political organizations are consistent with Russian-directed cyber events.  After reading the report I was left wondering if anyone that writes these ever worked in the technology sector or has had any experience in counterintelligence.

Having some experience myself, I would just note that if I need to perform something programmatically and someone else has already written the code I need and it is modular enough to allow ease-of-use with minor tweaking, I am absolutely going to use that (assuming of course that it is open-source or if in-house part of my code repository).  The logic of the analysis seems to be that RIS writes code and it always has comments in Russian (I mean that makes perfect sense, if I am going to write code to infiltrate a foreign government step 1 is to use my native language …) and it comes from IP address ranges known to be from, or used by RIS thus the hacking must have been performed by RIS  — seriously?  How about Tor and VPN, if the theory is that only a nation-state has the expertise to perform something as complex as getting John Podesta to click on an phishing e-mail then wouldn’t that same super-smart nation-state have the ability to obfuscate both the code used as well as the geolocation from which the attack was initiated?  Apparently not, the RIS re-uses their old code with comments written in Russian and has a limited number of IP addresses from which attacks can be launched and voila — we have our culprits.

To be fair, Hollywood also must take some responsibility here.  If you watch television or movies you see how easy it is to “trace” a hacker back to their actual location irrespective of the number of hops or whether they are using the Tor network or any number of covert techniques.  Attribution however is a puzzle which to this day remains unsolved.  Consequently, while it may fit the motives and the methods of the RIS it seems ludicrous to assert Russian involvement and the resulting expulsion of 35 diplomats based on the scant evidence that has thus far been doled out to the public.

What to do?  Unlike the report states, moving to a “more complex” password is just a delay tactic and won’t matter if you are ignorant and fall prey to a phishing attack.  Multi-factor authentication is a good start but the weakest element in cybersecurity continues to be the human.  So long as users are ignorant and unaware of proper cybersecurity hygiene we will continue to see successful attacks, be it from Mother Russia or the kid next door.

Of course the next question becomes, what happens when the US/Israeli Stuxnet (allegedly US/Israeli code) code starts showing up in other countries and is used for nefarious purposes? Does that mean our diplomats are going to be expelled since the theory seems to be if the code is ours then surely we must be the ones using it, right?  Apparently the moral of the story is borrow code from other Nations so the tricky intelligence community will never figure out who is really doing all this hacking.

Leave a Reply

Bitnami