Are The Russians Really Attacking Us?

It seems that hardly a week goes by without some new cyber-attack being attributed to Fancy Bear, Cozy Bear, Grizzly Steppe, or some other cute-sounding Russian hacker collective.  On the one hand, we have the DHS, FBI, and US-CERT attributing these attacks to the Russians.  There are others, including some working in the cybersecurity profession, who suggest that the attackers are not agents of the Russian government, but merely opportunistic cyber-crime groups stealing data for its resale value on the Dark Web.  Politically, supporters of Hillary Clinton's campaign generally support the theory of Russian intervention, at least in the last Presidential election.  President Trump and his supporters would claim this is all "fake news."  So what is the truth about Russian attacks against the US, its NATO allies, Ukraine, and other former Soviet-bloc nations?

The more I dug into this question, the more it looked like the Russians are indeed attempting to influence political affairs, not just in the US but all over the world. They are exploiting the networked world we live in, by leveraging their considerable skills in deploying cyber operations against the west.

A while ago I read the book The Sword and the Shield: The Mitrokhin Archive and the Secret History of the KGB.  I recommend it to anyone who is interested in Russian espionage tactics and how they apply to the activity we see coming from Russia today.  In the days of the old KGB, their clandestine operations focused on gathering political, military, and signals intelligence about their perceived enemies, stealing scientific and technological information, running "illegals" (spies) in foreign countries, and something called "active measures."  Active measures were operations carried out against targets in the press, radio, and television mass media; they focused on recruiting journalists and attempting to insert stories in the western press that showed the Soviet Union in a favorable light, or that were designed to influence public opinion.  Often active measures were employed in an attempt to influence elections and put candidates in power who were pro-Soviet.  Sounds a little familiar, doesn't it?

In the Internet-connected world, active measures are easier than ever.  The Russians can use the popular social media platforms, focusing on Facebook, Twitter, and Wikileaks to advance their agenda.  They also specialize in breaching email accounts and networks using phishing attacks and social engineering.  Sometimes the contents of these email breaches are later published on Wikileaks.

The main debate about whether this activity is sponsored by the Russian Government, or whether it is the work of independent cybercrime groups, hinges on the concept of "attribution."  The methods used by cyber-attackers are designed to obscure the source of the attacks through the use of VPNs and the TOR network.  Pinpointing the actual source IP address, and through it the geographic location of the attacker, is often impossible.

Most countries have some sort of military or intelligence service based cyber-command group.  Part of the problem with attributing exploits to the Russian government is that until recently, they tended to work with independent contractors who are also part of the Russian cyber-crime underground.  This has given Russia plausible deniability.  Recently though, it looks like this activity has come directly from the Russian intelligence services.

The companies and agencies that analyze these attacks are left parsing the malware and looking for signatures and similarities in the code.  These signatures allow them to make informed guesses about the source, or attribution, of these exploits.  How those conclusions are derived is the heart of the attribution debate.
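The code-similarity step described above is easy to misread, so here is an added illustration (not code from the original post) of the simplest version of it: pull printable strings out of two samples, as the `strings` tool would, and measure how much they overlap. The three byte blobs, the string contents, and the allow-list of "common" strings are all constructed for this example. The point it makes is the one the attribution debate turns on: a high overlap score can be driven by strings that appear in practically every binary, so the same pair of samples can look closely related or unrelated depending on whether those are filtered out first.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed stand-ins for files an analyst would compare. These are not real
# malware; every string in them is invented for this illustration.
SAMPLES: Dict[str, bytes] = {
    "sample_a": b"\x00MZ\x90\x00kernel32.dll\x00GetProcAddress\x00"
                b"/var/tmp/.xz_stage2\x00Mozilla/5.0 (compatible; MSIE 9.0)\x00"
                b"upload_ok=%d\x00\x01\x02\x03",
    "sample_b": b"\x00MZ\x90\x00kernel32.dll\x00GetProcAddress\x00"
                b"/var/tmp/.xz_stage2\x00Mozilla/5.0 (compatible; MSIE 9.0)\x00"
                b"cfg_ver=2\x00\x01\x02\x03",
    "sample_c": b"\x00MZ\x90\x00kernel32.dll\x00GetProcAddress\x00"
                b"C:\\Users\\Public\\updater.exe\x00cfg_ver=2\x00\x04\x05",
}

# Strings found in almost every Windows executable; on their own they say
# nothing about who wrote the sample. (Constructed allow-list for the example.)
COMMON_STRINGS: Set[str] = {"kernel32.dll", "GetProcAddress"}


def extract_strings(blob: bytes, min_len: int = 4) -> Set[str]:
    """Return runs of printable ASCII of at least min_len bytes, like `strings`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return {m.group().decode("ascii") for m in re.finditer(pattern, blob)}


def jaccard(a: Set[str], b: Set[str]) -> float:
    """Set overlap: |A ∩ B| / |A ∪ B|, 0.0 when both sets are empty."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def compare(name_x: str, name_y: str, ignore_common: bool = True) -> dict:
    """Score two samples by shared strings and list exactly which ones matched.

    With ignore_common=True the ubiquitous strings are dropped before scoring,
    so only strings that could plausibly carry signal contribute.
    """
    sx = extract_strings(SAMPLES[name_x])
    sy = extract_strings(SAMPLES[name_y])
    if ignore_common:
        sx -= COMMON_STRINGS
        sy -= COMMON_STRINGS
    return {
        "pair": (name_x, name_y),
        "jaccard": round(jaccard(sx, sy), 3),
        "shared": sorted(sx & sy),
    }


def pairwise(ignore_common: bool = True) -> Dict[Tuple[str, str], float]:
    """Jaccard score for every unordered pair of samples."""
    names: List[str] = sorted(SAMPLES)
    scores: Dict[Tuple[str, str], float] = {}
    for i, x in enumerate(names):
        for y in names[i + 1:]:
            scores[(x, y)] = compare(x, y, ignore_common)["jaccard"]
    return scores


if __name__ == "__main__":
    for flag in (False, True):
        print(f"ignore_common={flag}")
        for pair, score in pairwise(flag).items():
            print(f"  {pair[0]} vs {pair[1]}: {score}")
    # sample_a vs sample_c scores 0.286 on raw strings but 0.0 once the
    # boilerplate is removed: the "similarity" was the common strings.
    print(compare("sample_a", "sample_b")["shared"])
```

What the output shows is why analysts argue over this step: `sample_a` and `sample_b` share a distinctive staging path and user-agent and stay related after filtering, whereas `sample_a` and `sample_c` drop to zero once the Windows boilerplate is excluded. Real pipelines use richer features (imports, fuzzy hashes, code structure), but the same question of "is this shared because of a common author, or because of a common library?" applies to all of them.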

In the next post, we will continue this investigation, and take a look at the active measures currently used by the Russian Government.

About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Practitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speaker at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and at many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.