Recently US online security commentator Brian Krebs provided some detailed analysis of the apparent connections between Artem Tveritinov from Perm, Russia, the 28-year-old CEO of data protection company InfoKube/Infocube, and the infamous Carbanak, an East European hacker group believed to have stolen a billion dollars, mostly from Russian banks.
Essentially Krebs and security researcher Ron Guilmette followed up the original website registration records for sites that had been used to push malware known to be used by the Carbanak gang.
With some deft sleuthing they looked into the domains' historic registration (“WHOIS”) records at Domaintools.com, and found Xicheng Co in China and a single contact email address. Some 484 domains were registered to that address, and at least 304 of them were associated with a malware plugin previously attributed to Carbanak activity, according to threat intelligence provider ThreatConnect, which informed KrebsOnSecurity. A domain with the same registration, but not putting out malware, was that of Infocube.
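The pivot described above, from one known-bad domain to every domain sharing its registrant contact and then back against a malware-domain list, is a routine threat-intelligence step. The following is an added example, not Krebs', Guilmette's or ThreatConnect's tooling: it runs over a constructed set of historic WHOIS snapshots and a constructed malware-domain list (all hostnames under .test, all emails under example.test), and is written so that a domain re-registered later under a different contact only pulls in the domains tied to the contact that matches the seed.

```python
from collections import defaultdict

# Constructed WHOIS history snapshots (not real registrations). A historic
# WHOIS provider returns one record per (domain, point in time); the same
# domain can therefore appear more than once with different contacts.
WHOIS_HISTORY = [
    {"domain": "plugin-cdn-01.test", "registrant_email": "Registrant@Example.test", "org": "Xicheng Co"},
    {"domain": "plugin-cdn-02.test", "registrant_email": "registrant@example.test", "org": "Xicheng Co"},
    {"domain": "update-mirror.test", "registrant_email": "registrant@example.test", "org": "Xicheng Co"},
    {"domain": "hosting-company.test", "registrant_email": "registrant@example.test", "org": "Xicheng Co"},
    {"domain": "unrelated-shop.test", "registrant_email": "someone-else@example.test", "org": "Other Ltd"},
    # Later snapshot: the first domain changed hands. Its new contact must not
    # drag the other Xicheng domains into a report about "new-owner".
    {"domain": "plugin-cdn-01.test", "registrant_email": "new-owner@example.test", "org": "Other Ltd"},
]

# Constructed malware-associated domain set; in practice this comes from a
# threat-intel feed (ThreatConnect in the story above).
MALWARE_DOMAINS = {"plugin-cdn-01.test", "plugin-cdn-02.test", "update-mirror.test"}


def registrant_emails_for(records, domain):
    """Every registrant email ever recorded for `domain`, lowercased."""
    return {r["registrant_email"].lower()
            for r in records if r["domain"].lower() == domain.lower()}


def pivot_by_registrant(records):
    """Group all domains in the history by registrant email (case-insensitive)."""
    groups = defaultdict(set)
    for r in records:
        groups[r["registrant_email"].lower()].add(r["domain"].lower())
    return groups


def registrant_pivot(records, malware_domains, seed_domain):
    """Starting from one known-bad domain, report for each registrant email it
    has used: how many domains share that email, which of them are also on the
    malware list, and which are not. The latter are kept rather than dropped:
    shared registration alone is a lead (as with the Infocube domain), not proof."""
    groups = pivot_by_registrant(records)
    bad = {d.lower() for d in malware_domains}
    report = {}
    for email in registrant_emails_for(records, seed_domain):
        domains = groups[email]
        report[email] = {
            "total": len(domains),
            "malware_associated": sorted(domains & bad),
            "no_malware_seen": sorted(domains - bad),
        }
    return report


if __name__ == "__main__":
    for email, row in registrant_pivot(WHOIS_HISTORY, MALWARE_DOMAINS, "plugin-cdn-01.test").items():
        print(email, row)
```

With the constructed data, seeding on plugin-cdn-01.test yields two registrant emails: the Xicheng contact, with four domains of which three are malware-associated and one (hosting-company.test) is not, and the later owner, with only the seed domain itself. Matching is done on the lowercased email because registrars preserve whatever case was typed at registration.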
Krebs also reports that InfoKube/Cubehost runs Internet addresses managed by Petersburg Internet Network (PIN) Ltd, whose wide range of dodgy dealings includes domain names conclusively tied to Carbanak distribution. Krebs contacted Tveritinov directly and, in real time, watched on a second screen as Tveritinov's social-media profile was deleted; needless to say, he was not forthcoming. Although last month Russia arrested 50 people reportedly tied to the Carbanak cyber-bankrobbers, no names were published. There is no transparency from Russia regarding who the arrested people were.
Krebs briefly mentioned, but did not pursue, the observation that InfoKube publicises the fact that it undertakes “information security” projects for and with the State Ministry of Interior of Russia, and given that it also partnered with some major security players, it could be that the Russian state was only leveraging InfoKube's legitimate activities.
Also this month, in a suitably vodka-fuelled meeting at Zima in Soho, Don Smith who heads up the SecureWorks Counter Threat Unit (CTU) research group that's been focused on monitoring attacks from Russian Threat Group-4127, updated journalists on CTU's findings.
TG-4127 primarily targets governments, military and international non-governmental organisations (NGOs) and components of its operations have been reported under the names APT28, Sofacy, Sednit, Fancy Bear and Pawn Storm.
CTU researchers say they have moderate confidence that the group is operating from the Russian Federation and is gathering intelligence on behalf of the Russian government.
CTU researcher Tom Finney looked at who TG-4127 is targeting, how it links back to Russia and the former Soviet state's current policies, and how these attacks are actually being carried out. Based on his findings, Finney told SC that the conclusion was that it is more likely than not that the Russian FSB commissioned or ordered the attacks and used the criminal TG-4127's botnet infrastructure for its own espionage activity.
Last year CTU researchers analysed 4,396 phishing URLs sent to 1,881 Google accounts between March and September 2015 by TG-4127 to gain insight into the targets and the threat group's intent. It did this by making itself appear to be part of TG-4127's botnet.
It found that most of the eastern Google accounts targeted by TG-4127 are linked to intelligence gathering or information control within Russia or former Soviet states, particularly around Russia's military involvement in eastern Ukraine; one notable target was the spokesperson for the Ukrainian prime minister. Also targeted were individuals in political, military and diplomatic positions in former Soviet states, as well as journalists, human rights organisations and regional advocacy groups in Russia.
Other targets outside the region were predominantly split into two categories – 36 percent were authors, journalists, NGOs and political activists whilst the remaining 64 percent comprised government and military personnel, government supply chain and aerospace researchers. These targets included a systems engineer working on a military simulation tool, a consultant specialising in unmanned aerial systems, an IT security consultant working for NATO and a director of federal sales for the security arm of a multinational technology company, as well as US-based military spouses who wrote online content about the military and military families, and high-profile Syrian rebel leaders, including a leader of the Syrian National Coalition.
TG-4127's targeting of the Google accounts of individuals and groups associated with US politics most famously included those leading to the high-profile hacks of Hillary Clinton's 2016 presidential campaign and the US Democratic National Committee in June 2016. Operating as Fancy Bear, it was one of two Russian groups that infiltrated the DNC, which was breached again this weekend, with Russians again blamed. Whether via ‘Guccifer 2.0' or not, the emails, which were embarrassing for Hillary Clinton, were put on WikiLeaks – see SC news.
A distinguishing mark of the hacking group's activity was its use of the Bitly URL-shortening service to hide the location of a spoofed Google login page. Some 60 percent of the recipients clicked the malicious Bitly link. Of the accounts that were targeted more than once, 57 percent of the recipients clicked the malicious link in the repeated attempts.
URL-shortening services provide detailed statistics about which links were clicked, when, and from what location, allowing threat actors to track the success of a spearphishing campaign. Few realised that pasting a Bitly URL with a plus sign appended into a browser's address bar reveals the full destination URL.
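The two defensive checks implied by the paragraphs above, previewing a Bitly link with a trailing plus sign and expanding a short link to its real destination before anyone clicks it, are shown in the following added example, which is not part of the SecureWorks research or of any Bitly tooling. It extracts URLs from a constructed phishing-style message, builds the Bitly “+” info-page URL where applicable, follows the redirect chain through a caller-supplied resolver (here a constructed lookup table standing in for a HEAD request that does not auto-follow redirects), and flags a final hostname that contains “google” but is not under google.com. The shortener list (bit.ly, bitly.com, j.mp, t.co, goo.gl, tinyurl.com, ow.ly) and the .test hostnames are assumptions of the example.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Shortener hostnames recognised by this example. j.mp is a Bitly-operated
# domain; the rest are other public shorteners (assumed list, extend as needed).
BITLY_HOSTS = {"bit.ly", "bitly.com", "j.mp"}
OTHER_SHORTENERS = {"t.co", "goo.gl", "tinyurl.com", "ow.ly"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_urls(text):
    """All http(s) URLs in a message body, in order of appearance."""
    return URL_RE.findall(text)


def shortener_host(url):
    """The shortener hostname a URL uses, or None if it is not a known shortener."""
    host = (urlsplit(url).hostname or "").lower()
    return host if host in BITLY_HOSTS | OTHER_SHORTENERS else None


def bitly_preview_url(url):
    """Bitly serves an info page for a short link at the short URL plus a
    trailing '+'; visiting it shows the destination without following the
    redirect. Returns that info-page URL, or None for non-Bitly hosts."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() not in BITLY_HOSTS:
        return None
    return urlunsplit((parts.scheme, parts.netloc, parts.path.rstrip("/") + "+", "", ""))


def expand(url, resolver, max_hops=5):
    """Follow a redirect chain without a browser. `resolver(url)` returns the
    Location a URL redirects to, or None when it is a final page. A real
    resolver would issue a HEAD request with automatic redirects disabled and
    read the Location header; here the caller passes a table lookup."""
    chain = [url]
    for _ in range(max_hops):
        nxt = resolver(chain[-1])
        if nxt is None:
            return chain
        chain.append(nxt)
    return chain  # hop limit reached: a long or looping chain is itself suspicious


def looks_like_google_spoof(url):
    """True when the hostname trades on the Google name but is not google.com
    or a subdomain of it (e.g. accounts.google.com.<anything>.test)."""
    host = (urlsplit(url).hostname or "").lower()
    legit = host == "google.com" or host.endswith(".google.com")
    return "google" in host and not legit


def triage(message, resolver):
    """One finding per URL in the message: shortener used, Bitly preview URL,
    expanded final destination, hop count, and the spoofed-login flag."""
    findings = []
    for url in extract_urls(message):
        short = shortener_host(url)
        chain = expand(url, resolver) if short else [url]
        final = chain[-1]
        findings.append({
            "url": url,
            "shortener": short,
            "preview": bitly_preview_url(url),
            "final": final,
            "hops": len(chain) - 1,
            "spoofed_google_login": looks_like_google_spoof(final),
        })
    return findings


# Constructed sample lure and redirect table (no real links or campaigns).
SAMPLE_MESSAGE = """Your account was accessed from a new device.
Review the activity here: https://bit.ly/1aBcDeF
Help centre: https://support.google.com/accounts"""

REDIRECTS = {
    "https://bit.ly/1aBcDeF": "https://accounts.google.com.verify-login.test/ServiceLogin",
}


def sample_resolver(url):
    return REDIRECTS.get(url)


if __name__ == "__main__":
    for finding in triage(SAMPLE_MESSAGE, sample_resolver):
        print(finding)
```

In a mail-gateway or SOC context the resolver is the only part that touches the network; keeping it injectable means the same triage logic can be unit-tested offline, run against a sandboxed HEAD client in production, and replayed over captured messages. Note that the “+” preview is a Bitly feature and is not offered by every shortener, which is why the example also expands the chain rather than relying on the preview alone.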
And this week the news is full of reports about how Russia hacked Hillary Clinton's campaign, either to discredit her, or to exert pressure to influence her, with Guccifer 2.0 increasingly seen as part of Russia's state activity and not an independent hacker. And notwithstanding the Carbanak arrests, there seems to have been little action against fairly open online activity by Russian cyber-criminals such as those on deer-io, as reported on by Digital Shadows, again suggesting accommodation if not collusion.
But all's fair in love and war – isn't it?
We have the Geneva Convention. There is the Tallinn Manual on cyber-warfare and the Wassenaar Agreement on military exports extending into cyber-products. What more do we need?
It may initially seem like a good idea to use criminal methods or actual criminals to do our bidding. The British government did it with privateer pirates given free rein to plunder Spanish ships. And it's a Hollywood staple, letting ‘our bad guys' out of prison to fight ‘their bad guys'.
But if we take this route we facilitate the creation of bigger and more powerful cyber-criminal gangs, and undermine the rule of law. It is the same as the argument for use of torture – that the end justifies the means. And it is the same argument against – that our means are the ends, and while our worthy ends may not necessarily be achieved, the means we use define us.
Many governments flout laws and international agreements when they perceive it to be in their interests to do so; it's naive to think otherwise, and no one is saying it's just the Russians. However, while regulations didn't stop Black Ops and extraordinary rendition from happening, there are sanctions for those responsible, and in functioning democracies that enables such practices to be stopped once they are proven.
Some will say, well, the police employ informers, and all states do similar things, plus many do a lot worse too – it's all ‘part of the game'.
We should not accept this argument. The rule of law needs to be upheld and applied to all, including the lawmakers, and even if we don't trust them to abide by the rules, we need to have agreed standards of behaviour online, a system to catch offenders and sanctions for those caught breaching them.
We cannot simply accept things online that we would not tolerate in ‘real life', and capability or difficulty should not be the determinant of acceptability. There is no distinction now between online and the physical world, but our 'rules of engagement' and willingness to uphold the law have fallen behind our digital ability to subvert it, and it's in all our interests, as global citizens, to rein back escalating excessive and criminal interventions by governments which are adopting new norms just because they can and believe themselves unlikely to be caught or punished.