Acreto new logo

Sign In

Russian Nation State Hackers & What We’re Not Doing

The effective use of Russian nation state hackers led to a hacked election that has resulted in a hacked America. We’re still licking our wounds and not doing anything about it. In fact, we are arguing if it happened at all!

Cybersecurity strategy incorporates the confluence of technology, business and geopolitics with so many moving parts that to call them complex is an understatement. Strategies must span multiple geographies across a plurality of nations and continents. That is why no one can “go it alone”.  Today we need our friends more than ever – not just for geopolitics, but also for cyber defense. Collaboration is the underpinning of cybersecurity.

As the largest global economy that comprises infrastructure, industry, enterprise and institutions, the US is the most technologically advanced. Many American companies span the globe making them one big glass house while the rest of the cyber world are kids with rocks on a dare. These “kids with rocks” fall into four major categories.

 

Four Major Types of Hackers

First, there are hacktivists, who hack for their cause. The most well known of these being the loosely bound group called Anonymous. The second category is terrorist organizations such as ISIS and Al Qaeda. These organizations recognize cyber warfare as a cornerstone to their mid to long-term strategy and are working feverishly and investing heavily to get them to maturity. The third group is financial hackers. The best way to describe financial hackers is the Mob and Cartels’ online arm. And finally, the most dangerous are state-sponsored hackers.

Even though they operate behind triple or quadruple blind systems, which makes tracking them extremely difficult, they can be identified by their unique hacking techniques or fingerprints.

Nation state hackers are not the moody lone-wolf nocturnal teenagers cranking death metal and surviving on Amp energy drinks. That’s a TV cliche. And hacking is not an organic game of pickup, where individual hackers are swapped indiscriminately. Nation state hackers are carefully curated teams that train, collaborate and solve problems together. Not only do they have to get along and gel over time, but they have to build and test many foundational tools they need to perform the advanced objectives they are charged with. Sometimes this can take years!

 

Hacking Fingerprints

Cyber-threat intelligence organizations that monitor and track Advanced Persistent Threats – APTs – use their threat fingerprints to build a profile on each team over time. The collection of fingerprints defines each team, otherwise called an APT. The profile fingerprints for the Russians, Chinese, North Koreans and Iranians all vary.

Each APT, or different hacking group, is assigned a unique number for identification. For example, APT37 is North Korea, APT34 is Iran, and the American election hacks are associated with APT28 and APT29 – which are obviously Russian nation state hackers. In fact, APT28, otherwise known as “Fancy Bear”, is a completely different team than APT29, “Cozy Bear”, both of which work for the Russian Government.  As an example, here is a sample of the fingerprint for Fancy Bear (APT28) that has been tracked since 2007, and the reasons for American intelligence agencies’ confidence in Russia as source for the election hacks:

APT28

Source: FireEye

Target Sectors:

The Caucasus, particularly Georgia, eastern European countries and militaries, North Atlantic Treaty Organization (NATO) and other European security organizations and defense firms

 

Type:

Cyber Espionage

 

Overview:

APT28 is a skilled team of developers and operators collecting intelligence on defense and geopolitical issues—intelligence that would be useful only to a government. This APT group compiles malware samples with Russian language settings during working hours (8 a.m. to 6 p.m.), consistent with the time zone of Russia’s major cities, including Moscow and St. Petersburg. This suggests that APT28 receives direct ongoing financial and other resources from a well-established organization, most likely the Russian government.

 

Associated Malware:

 CHOPSTICK, SOURFACE

 

Attack Vectors:

Tools commonly used by APT28 include the SOURFACE downloader, its second-stage backdoor EVILTOSS and a modular family of implants dubbed CHOPSTICK. APT28 has employed RSA encryption to protect files and stolen information moved from the victim’s network to the controller. It has also made incremental and systematic changes to the SOURFACE downloader and its surrounding ecosystem since 2007, indicating a long-standing and dedicated development effort.

 

Operations:

Operation RussianDoll:  Adobe & Windows Zero-Day Exploits Likely Leveraged by Russian APT28 in Highly-Targeted Attack

 

Detailed Report:

https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html

 

There are other means for determining the source of attacks.  Aside from fingerprinting, intelligence agencies do track the sale of zero-day exploits purchased on the markets. Zero-days are exploits for previously unknown vulnerabilities.

 

Exploits on the Market

There are numerous commercial and underground organizations whose business is finding, exploiting and weaponizing vulnerabilities.  Once the exploit is developed, it’s put up for bid – and governments are the most affluent bidders. Commercial organizations offer them for sale on the public market to sanctioned agencies, while underground groups sell their exploits on the black market to the highest bidder indiscriminately. In the case of juicy exploits, the buyer may pay significant sums for the privilege of exclusivity. The buyer wants the advantage of a weapon that nobody else has. All governments use a variety of proprietary techniques, technologies and informants to track the exploit inventory of both rival and ally countries.

Ultimately the recourse to cyber attacks is a blunt instrument in the form of counter-attack. Counter attacks may be counter hacks, economic sanctions, embargoes, or a combination.  However, countering the attacks on commercial and critical infrastructure is often reserved for the largest organizations and limited to the largest and most egregious attacks. American election compromises is such an example.

At this particular point in time, America has opted for a “go it alone” approach to global relationships. Collaboration on cyber issues is not exempt from this. As the occupant of “The Big Glass House” in a world of rock-throwing kids, especially Russian nation state hackers, America needs its friends more than ever.

 

Hacked America Not Minding The Store

Collaboration between government and commercial threat intelligence is key to a successful cyber strategy.

The nation’s top intelligence officer, Director of National Intelligence Dan Coats, indicated on Friday, July 13 that the “persistent danger of Russian cyberattacks today was akin to the warnings the United States had of stepped-up terror threats ahead of the Sept. 11, 2001, attacks.” (nytimes.com) “The system was blinking red,” Coats said. “Here we are nearly two decades later and I’m here to say the warning lights are blinking red again. Today, the digital infrastructure that serves this country is literally under attack. Every day, foreign actors – the worst offenders being Russia, China, Iran, and North Korea – are penetrating our digital infrastructure and conducting a range of cyber-intrusions and attacks against targets in the United States.”

Recently, Congress has zeroed out nearly $400 million from the fund used to protect the integrity of our election and has blocked subsequent efforts to fund it across partisan lines. In April 2018, the White House Cybersecurity coordinator was relieved from his role less than six months from the November elections. As of the end of July no replacement has been named. Moreover, tough sanctions passed by congress in July 2017 are yet to be implemented as of July 2018. It may be too late for anyone to take the helm and implement meaningful protections at such a late stage.

Collaborating to stop these attacks requires leadership, funding, a competent team, communications and sharing. At this point in time we have the competent team members in the form of our intelligence agencies that are raring to be let loose. However there is no leadership, no mandate and no funding. We also find ourselves in a strange situation with sparse dialog with our allies due to newly formed political trust issues. The patient is not in trouble because a first- year med student is the surgeon. Rather, the patient has been abandoned by the surgeon with little time to live while the operating room is dark because nobody paid the utility bill.

Next in this series we will look at an example of Russia’s nation-state hacking teams and their construct in our blog: Putin’s Eleven: Nation State Hacker Teams Uncovered.

 

About Acreto

Acreto is the first cloud-delivered, end-to-end connectivity and security platform that can connect and protect any technology, on any network, anywhere. Acreto SASE +Plus delivers Secure Access Service Edge (SASE) functionalities for access technologies such as devices, networks, IoT / OT and third-parties; while Acreto Secure Application and Data Interconnect (SADI) connects and protects application delivery infrastructure such as clouds, SaaS, data centers and co-locations. Acreto SASE +Plus is SASE plus SADI — one platform with one interface from one provider for all of your technologies around the world. Learn more at https://acreto.io or @acretoio.

Dealing with Incident Response Issue?

Fast Track Deployment