Russia Wanted to Be Caught, Says Company Waging War on the DNC Hackers

omidomi (thread author)
The Russian groups behind the DNC hack no longer seem to care about getting caught. Long before the Kremlin-sponsored hacking squads APT 28 and APT 29 were making waves for stealing files from the Democratic National Committee, they made an appearance in two white papers put out by FireEye. The cybersecurity company has been monitoring and analyzing the two groups on behalf of corporate clients for years. Of the DNC breach, a company spokesman told Defense One: “They wanted experts and policymakers to know that Russia is behind it.”

That fits a pattern of increasingly bold moves over the past year by the groups, which are also known as FANCY BEAR and COZY BEAR, says Christopher Porter, the manager of Horizons, the strategic intelligence and forecasting arm of FireEye iSIGHT Intelligence, the company’s threat monitoring division.

“We see them now persisting even when they know that security professionals have been called in to remove them from a system. They continue their operational pace at a very high level. So that’s a huge risk and a sea change in their behavior,” Porter said. “Even when they know they’re caught, they don’t stop the operation, necessarily.”

That’s highly unusual for an advanced persistent threat group. It signals that Russia is willing to work in a space normally reserved for criminals, devoting government resources and acting with impunity. That makes them incredibly difficult to counter, for the same reason the West had no good response to the “little green men” — the Russian forces that invaded Ukraine disguised as an organic populist militant movement.

That camouflaged brazenness was also seen in the 2015 hack on the Joint Chiefs of Staff’s nonclassified email, also attributed to APT 29. The attackers were “jumping from one computer to another” in the network, according to a representative of the company the Pentagon hired to fix the damage. “A lot of the time you don’t have the command-and-control architecture to be able to go in and see the attack,” he said. “So the advanced threat characteristics change to be more automated, a kind of pervasive deployment using common vulnerabilities and exploiting them widely.”

That means that APT 29 has stopped retreating from networks when they think they’ve been detected. Now they adapt the hack in the open, bobbing and weaving like a fast and clever boxer, taunting the victim to expel them.

“We’ve even seen them on some systems where they know that there is anti-virus [software] on a computer inside of a network system that they’re on,” FireEye’s Porter said. “They’re moving laterally within a network. They know that their tool is going to be detected by a system that they’re about to move to and they’ll do it anyway because they’re such skilled hackers that they can compromise the system and then jump to another system and get what they need before they can be quarantined.”

There’s a reason that’s not normal behavior, even among very skilled hackers. After attackers are expelled from a system, defenders move quickly to patch the security hole they used. Groups that run advanced persistent attacks move stealthily, lest they burn too quickly through their bag of tricks.

Yet FireEye found that APT 28 and APT 29 didn’t even bother to change the pace of their attacks as their targets became aware of them.

“We have a Mandiant arm that can go back and recreate what happened,” after a breach, Porter said. “When we look back on it over time, there’s no evidence that if their operations were exposed on Tuesday that, on Wednesday, exploitation pace against their targets would change. It didn’t make any difference. They have an armory of zero days,” attacks that have never been seen before.

Case in point: a July 2015 incident in which a security firm published a blog post about how APT 28 was using a specific zero-day exploit. The group updated the hack the next day, as FireEye focused reporting team manager Kristen Dennesen told the RSA conference this year.

Porter thinks that’s one piece of evidence that both groups have state sponsorship. You need more than coding chops to pull off a stunt like that; it helps to have an international intelligence collection network you can work with.

“If these state-backed actors have professional military or intelligence operators overseeing the operation, any change you can make, they’re going to try and find a counter to that,” he said. “They seem to know that certain white papers are going to be public and they make the changes the day before they come out. We’ve seen evidence that they’ve known in advance that someone is going to reveal that they were going to be discovered and they make changes so that they continue uninterrupted.”

Over the past week, U.S. intelligence community officials have said that they have “high confidence” that the Russian government was behind the theft of emails from the DNC. That’s an unusually bold statement for the IC to make about a data breach that’s currently moving the news cycle. By contrast, the intelligence community still hasn’t made a formal declaration of attribution about the OPM hack. Months after the intrusion was revealed, Director of National Intelligence James Clapper acknowledged only that China was the “leading suspect.”

Porter believes that part of the reason that the IC and multiple cyber security researchers were able to implicate Russia is that Russia was showing off. Consider that on June 15, one day after CrowdStrike fingered APT 28 and APT 29, a figure named Guccifer 2.0 claimed to have done the hack, alone. But Twitter users quickly found metadata in Guccifer 2.0’s files that undermined that claim. The docs contained a tag reading “Феликс Эдмундович,” a reference to the founder of the Soviet secret police.

But security expert Jeff Carr thought the smoke off this smoking gun was a bit too thick. In his minority report, he asks: what kind of spy ring tags its stolen docs before releasing them under a cover?

“Raise your hand if you think that a GRU or FSB officer would add Iron Felix’s name to the metadata of a stolen document before he released it to the world while pretending to be a Romanian hacker. Someone clearly had a wicked sense of humor,” he wrote.

You’ll Never Get 100% Certainty in Cyberwar

This shows the effectiveness of information warfare at this moment in history: a malware attack is fundamentally different from a missile strike that can be seen from space and immediately attributed to a party, a unit, a fixed position on earth, and a piece of machinery (if not an individual operator). One hundred percent certainty in any information attack will always be next to impossible, and that makes it hard to shape policy, legislation, or retribution.

“For U.S. policy makers and a lot of private-sector companies, they tend to be dismissive. They say, ‘Oh, we had a thousand spearphish attacks today.’ The fact that there’s such a huge background noise level in fairly sophisticated cyber crime across so many targets around the world, it allows APT groups to blend in if they want to,” Porter said. “It’s death by a thousand cuts from the perspective of U.S. policy. Any individual cyber criminal act is not a national security concern, but taken in the aggregate, having a high level of cyber crime in general should be a very high-level concern.”

That plays into Russia’s hands. State actors can use headlines about persistent criminal cyber threats to make geopolitical activity look merely criminal.

“If you were to reduce the very high level of cybercrime, states wouldn’t be able to carry out these attacks. They would lose this plausible deniability and it would become a more straightforward attack. I think they want to make it difficult for leaders to have the kind of unambiguous statement that drives policy in a democracy,” Porter said. “They want to make it hard to respond. But they probably don’t mind getting caught, in the sense that they want to send a message.”

CrowdStrike president Shawn Henry is dubious. “I don’t know what kind of foreign intelligence service conducting a covert operation wants to be found,” he said on Thursday, but added that CrowdStrike picked up the DNC hack within 48 hours and that it “wasn’t difficult.”

If you buy Porter’s theory, the question becomes: what kind of message could the Russians mean to send? The FireEye employee guesses that these sorts of breaches are likely a demonstration of capability, or perhaps a reprisal against the West for sanctions against Russian leaders. It’s an idea that he’s sharing with his private-sector customers.

“I view their activities as, they want to muddy the political response in democracies by making it seem like a complicated and ambiguous issue,” Porter said. “If they’re willing to do A, B, and C then you need to understand that it’s not difficult for them to target an individual. That’s what cyber gives them. From Russia, they can pick an individual that they want to bully, using the full resources of a state organization. And that’s unprecedented. So if they decide that they want to pick on a certain corporate executive, maybe they could do a particular, hacktivist-style leak. Activists go after companies all the time… it’s hard for the company to prove that their loss was caused by a state and not by a criminal. So the policy is still complicated. That’s a nice place to be in if you’re Russia.”
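The metadata check described in the article (the “Феликс Эдмундович” tag that Twitter users found in the Guccifer 2.0 files) is something an analyst can do in a few lines. The following is an added example, not code from the Defense One article, FireEye or CrowdStrike: Word stores a document’s creator and last editor in the docProps/core.xml part of the .docx zip container, so the script builds a minimal constructed .docx in memory, reads those fields back, and flags any that contain Cyrillic letters. The document, the names and the timestamp in it are constructed for illustration and are not the real leaked files.

```python
"""Read authorship metadata from an Office Open XML (.docx) package.

Added example, not part of the original article. Word keeps the creator and
last editor of a document in docProps/core.xml inside the .docx zip. The
sample document built below is constructed for illustration only.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Namespaces used by the OOXML core-properties part.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}

# The fields an analyst checks first; paths use the prefixes declared in NS.
AUTHORSHIP_FIELDS = {
    "creator": "dc:creator",
    "last_modified_by": "cp:lastModifiedBy",
    "modified": "dcterms:modified",
}


def build_sample_docx(creator, last_modified_by, include_core=True):
    """Constructed sample: a minimal zip laid out like a .docx.

    Only the parts this example reads are written; a real file has many more.
    Passing include_core=False produces a package with no core-properties part,
    which is the edge case extract_core_properties() must tolerate.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        if include_core:
            core = (
                '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                '<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" '
                'xmlns:dcterms="{dcterms}">'
                "<dc:creator>{creator}</dc:creator>"
                "<cp:lastModifiedBy>{lmb}</cp:lastModifiedBy>"
                "<dcterms:modified>2016-06-15T13:38:00Z</dcterms:modified>"  # constructed
                "</cp:coreProperties>"
            ).format(creator=escape(creator), lmb=escape(last_modified_by), **NS)
            z.writestr("docProps/core.xml", core.encode("utf-8"))
    return buf.getvalue()


def extract_core_properties(docx_bytes):
    """Return the authorship fields found in docProps/core.xml, or {} if the part is absent."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "docProps/core.xml" not in z.namelist():
            return {}
        root = ET.fromstring(z.read("docProps/core.xml"))
    props = {}
    for key, path in AUTHORSHIP_FIELDS.items():
        el = root.find(path, NS)
        if el is not None and el.text:
            props[key] = el.text
    return props


def fields_with_cyrillic(props):
    """Names of fields whose value contains Cyrillic letters (U+0400..U+04FF), sorted."""
    return sorted(
        key for key, value in props.items()
        if any("\u0400" <= ch <= "\u04ff" for ch in value)
    )


if __name__ == "__main__":
    sample = build_sample_docx("office-user", "Феликс Эдмундович")
    props = extract_core_properties(sample)
    print(props)
    print("Cyrillic in:", fields_with_cyrillic(props))
```

To run it against a real file, replace the constructed sample with `open(path, "rb").read()`; the same core.xml layout is used by .xlsx and .pptx packages, so the extractor works on those too. Note that these fields are plain text written by the editing application and can be set to anything by whoever prepares the file, which is exactly Carr’s point above: their presence is evidence of what the releaser chose to leave in, not proof of who wrote the document.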
 

Rod McCarthy

They are pissed at Hillary and probably fear her getting the presidency. They don't want war, and the continued economic ruin as we have seen under Obama. Also they would like help with ISIS, also not going to happen with Obama or Hillary. They would rather work toward prosperity for Russia with Trump. If the US economy goes up, the whole world economy goes up...
 

Logethica

I have respect for the people of Russia and the US, but having dedicated years to researching "hidden history" and digging through formerly classified documents, I have concluded that my respect does not extend to your respective governments.
My advice?
Don't believe anything said by the US about Russia, or anything said by Russia about the US.
It's a "smoke & mirrors" game. Propaganda in perpetual motion.
To understand each move, it has to be contextualised with "What we think we know" and "What we will never find out".
 

_CyberGhosT_

Russia seems to be having fun on the playground for now; they have not caused any real damage to the US, but they are making noise and it's not going unnoticed.
I think it will be advantageous for us to just watch for now and let Russia decide where this goes.
Nice share OmiDomi :)
 

Rod McCarthy

I would have to agree with your assessment. I LOVE my country, I fear my government. Every once in a while a renegade comes along. I believe most of those people end up dead. Like JFK, who was for the gold standard and threatened the "system".

I say (as a simple man) anyone who spends his own money, turns down a multi-million-dollar hit TV show, and will work without taking a salary is a man I will vote for. What can I lose? HC has been in politics for 40 yrs, promised change, and nothing ever happens.

The Hillary PC / email... was the last straw for me; she did it on purpose, maybe for money, maybe to hurt the USA... Either way I don't care, she won't get my vote.
 

Deleted member 178

I'm not a US citizen but I lived there a few years, so I'm quite objective, but when I listen to Trump, I wonder how a guy who says one thing in front of a camera and two days later takes back his words could be trusted, and I haven't even mentioned his shady points of view... it is obvious that the guy doesn't want to improve the USA, he just wants the benefits and power of the presidential seat; he throws out appealing words just to get the votes and later he will take back his words because he will realize he can't apply what he promised.
I talked with many non-American people; they are all amazed how Trump could even be a GOP candidate in the first place; the guy knows nothing about politics, foreign diplomacy, even the US laws, which he broke a dozen times without any scruples (follow the lawsuits...). If I were an American voter, I would pick Hillary (the less bad choice) until the next election in 4 years, expecting to have a better candidate.

To stay on topic, the guy just acknowledged the hacking of the USA; now every hacker in the world will say "cool, this guy doesn't mind if we hack"... seriously?! Oh wait, he took back his words again, because he realized what he said can be considered treason...

Voting for one because you don't like the other is not the proper way to vote; you vote for a project with a realistic basis and plans, not for the charisma of a guy promising the moon.
 

Rod McCarthy

I'm not a US citizen but I lived there a few years, so I'm quite objective, but when I listen to Trump, I wonder how a guy who says one thing in front of a camera and two days later takes back his words could be trusted, and I haven't even mentioned his shady points of view... it is obvious that the guy doesn't want to improve the USA, he just wants the benefits and power of the presidential seat; he throws out appealing words just to get the votes and later he will take back his words because he will realize he can't apply what he promised.
I talked with many non-American people; they are all amazed how Trump could even be a GOP candidate in the first place; the guy knows nothing about politics, foreign diplomacy, even the US laws, which he broke a dozen times without any scruples (follow the lawsuits...). If I were an American voter, I would pick Hillary (the less bad choice) until the next election in 4 years, expecting to have a better candidate.

To stay on topic, the guy just acknowledged the hacking of the USA; now every hacker in the world will say "cool, this guy doesn't mind if we hack"... seriously?! Oh wait, he took back his words again, because he realized what he said can be considered treason...

Voting for one because you don't like the other is not the proper way to vote; you vote for a project with a realistic basis and plans, not for the charisma of a guy promising the moon.


I can't vote for someone who since the '90s has been selling secrets to Korea and China, missing laptops, etc... Someone who lies to the FBI and puts our country's secrets on an unsecured PC. Treason comes to mind for her, not the presidency.
 

ravi prakash saini

I have respect for the people of Russia and the US, but having dedicated years to researching "hidden history" and digging through formerly classified documents, I have concluded that my respect does not extend to your respective governments.
My advice?
Don't believe anything said by the US about Russia, or anything said by Russia about the US.
It's a "smoke & mirrors" game. Propaganda in perpetual motion.
To understand each move, it has to be contextualised with "What we think we know" and "What we will never find out".

What Logethica has said is the truth for citizens of countries other than the US and Russia; for citizens of these two countries, the truth is what is told by their respective governments.
 

Logethica

It is against my principles to support/vote for something that I do not agree with.
I do not agree with party politics, as short-term policies do not solve long-term problems.
Why not a best man/woman for the job system, on a platform that allows the hiring/sacking of individuals rather than a "clean slate" every 5-10 years?
The difference between a dictatorship and a democracy is that of "no choice" and "the illusion of having one".
The end result is the same: "Whoever wins, we lose".
The film "Brewster's Millions" had the right idea: "Vote, None of the above!"
 

Solarlynx

IDK why US citizens love Trump and non-US citizens hate him :p
LOL, because non-US citizens first see his eccentric behavior and think that Trump will be dangerous for them as a president.
As for US citizens, I think only those who don't see that he's just a demagogue trust Trump.
Sanders proved to be a bloody demagogue by his final support for HC.
 

jamescv7

Russia and a few other countries have the manpower to conduct cyberattacks at any time, so any information they can get is already not new, except for new leaks.

The point here: as long as a country contains stronghold equipment, attacks will just expand.
 

_CyberGhosT_

I love reading how outsiders feel about us Americans; it makes me laugh, but sometimes it's not too far off the mark.
Firstly, whoever wins, they are just a face, a meat puppet for special interests and their respective party. They wield no real power.
We the people don't choose the president, the Electoral College does; it's been that way for a long time. Money is where the power is here and where it will always be.
Trump for the Republican party would be one tough puppy to keep on the leash, while Hillary for the Dems needs no leash.
Either way, with either candidate we are in the same boat as always; our capitalistic greed knows no limits and this influences every aspect of being an American these days. Michael Moore's "Where To Invade Next" gives a clear glimpse into our sickness. I watched it and was sad to be an American (even more than normal). There is no real passion for the election and there hasn't been since Reagan, and I doubt there will be for the foreseeable future.
 

Solarlynx

We the people don't choose the president, the Electoral College does; it's been that way for a long time. Money is where the power is here and where it will always be.

Yep, actually the American president is elected by the Electoral College, which consists of 538 electors. And these electors can vote as they want. ;)

The best example of democracy ever. :D
 

Rod McCarthy

@Rod McCarthy

Foreign intelligence doesn't need Hillary to get US secrets; spying didn't start with Hillary.
Anyway, if you don't like her, then don't vote, or vote for a third party; I'd rather not vote than vote for a faker.


Dude... Here in the US what she did is called "TREASON", and when we were a strong nation 100+ years ago, we shot people for that #####.
 
