Among the routine stream of network compromises and dumped login credentials this year, one attack stands head and shoulders above the rest for intrigue – the Democratic National Committee (DNC) breach. The hack led to political uproar, a high-level resignation, damaging leaks and, in a complete reversal of the norm, the nation state hackers have become more public since being discovered.
It is worth starting with a recap. The FBI alerted the DNC to the presence of attackers on their network in April this year, but incident response specialists CrowdStrike found that there were two state-sponsored attackers with access to sensitive emails and data. The investigators assessed the network was first breached in the summer of 2015 and established the attackers had stolen large quantities of emails, campaign documents and donor information. Before the hack was publicly disclosed in mid-June, WikiLeaks founder Julian Assange announced the whistle-blowing website had ‘enough evidence' to indict Hillary Clinton.
On 14 June, the Washington Post ran a story detailing the hack and subsequent investigation. The finger was pointed squarely at Russia. Other cyber-security firms lined up to endorse the CrowdStrike attribution, each one adding more evidence to the assessment that the two groups (‘COZY BEAR' AND ‘FANCY BEAR') work within the Russian intelligence and military apparatus. One day later, Guccifer 2.0 claimed responsibility for the attack and stated CrowdStrike had got it all wrong.
Cyber Sleight of Hand
Guccifer's appearance was widely seen as misdirection, an attempt by the attackers to shift blame from Russia and onto a lone wolf hacker from Romania, but the ruse was quickly exposed when the hacker was unable to communicate in Romanian. The hacker persona began to leak stolen data via a Twitter and a blog, but to what end? Was this simply revenge for being discovered or had this been the plan to all along? And what was the plan? WikiLeaks could happily have dumped all of the stolen data without Guccifer's exposure.
This case fascinates me. State-sponsored hacking generally subsides when it becomes clear the attack has been detected and mitigated. Although direct consequences for state sponsored hacking are highly unusual (the sanctions against North Korea following the Sony hack in 2014 are a rare example), most states prefer to issue a simple denial and keep a low profile for a while. Not so here.
Mainstream news outlets have focused on the output of the hack and the impact on the presidential election campaign making it easy to forget Guccifer is neither a freedom fighter nor a whistle-blower. Guccifer is a front for the Russian intelligence services and we must keep in mind that intelligence agencies do not do things for fun; there is purpose to this activity and an intelligence gain, even if it is not immediately clear what that gain is.
If misdirection was the sole objective Guccifer would have disappeared within a week or two, never to be heard from again, but that is not the case. Guccifer has an active online profile and even delivered a speech to a cyber-security conference in London last week with his words read out by an organiser. Guccifer also continues to offer stolen documents to journalists. Far from being misdirection, my assessment is that this is an operation to gather information to improve targeting of journalists covering cyber-security.
Russia has previous form in this area. In June 2015, the New York Times reported on Russia's troll army – dozens (possibly hundreds) of pro-Kremlin online activists paid to steer internet comment sections, spread misinformation and push President Putin's agenda around the world. By identifying those hostile to Russia, the regime could seek to discredit or harass them to the point where they would ‘get the message'.
Western journalists are regularly targeted by the Russian intelligence services. Within a few days of being online, the information gathered through the Guccifer accounts would have allowed the Russians to map the majority of the cyber-journalism community. By building trust through providing stolen documents the attackers would learn enough about the journalists to socially engineer them or remotely attack their systems. Some journalists eager for the story may let temptation get the better of them. Given the political risk such operations carry, it is reasonable to expect the attackers have a very senior sponsor in the Kremlin.
Russian state hackers are also thought to be behind the recent World Anti-Doping Agency hack, another example of stolen data being offered to journalists via Twitter and more reason to be extra careful. Media companies must invest appropriately in network defence and make their journalists aware of the risks of cyber-attack. States are getting ever more creative in how they exploit the internet to further their agendas and potential targets must not forget that.
Contributed by Rob Sloan, head of IS, Dow Jones