Russian Hacker Caught and Convicted: From US With Love

A little while ago, a client called me in to do a security operations ‘best practices’ education session. They were a dot com site that had recently spun off from one of the major financials. They had not yet laid down their sec ops roots and were still engaged in establishing the fundamentals. They wanted an informal education session to get the entire team on the same page.

Their conference room was packed with their security team as well as several people from their operations center, which I had requested. In many instances, the ops team is on the front line and often identifies and conducts the initial steps in handling security incidents.

At some point during the session, I started to talk about scammers. One trick malicious actors use is to acquire domain names that are similar to the site they are targeting. Because the client was a financial-services company and its site held personal information for hundreds of thousands of consumers, it was an attractive target. I first recommended they acquire or actively monitor all sound-alike and similar domains. For example, if their domain name is, they should acquire or monitor and

Second, I recommended that all permutations of the domain that users could mistype be acquired or monitored as well; specifically, the substitution of any surrounding keyboard character for each letter that makes up the domain name. For example, if their domain name is, they should monitor domains where the ‘A’ in is replaced with S, X, Z, W, and Q. A company wanting to take it a step further would also cover the two surrounding characters on the keyboard. When users mistype, which they often do, they should not land on a look-alike site to which they would innocently offer their credentials.

Third, I suggested that the plural version of the words included in their domain name should be acquired and monitored. As I was making this third point, I typed in the plural of their domain name – and their site showed up. I thought I had made a typo, that through muscle memory I had entered in their correct domain name. I double checked, and I had typed exactly what I intended to type – the incorrect, plural variant.
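The three recommendations above (keyboard-neighbour typos at one or two key-presses, plus the plural form) can be enumerated mechanically so the resulting list can be registered or put on a DNS watch. The following is an added example, not code from the original post: `example.com` is a placeholder for the client's domain, the QWERTY adjacency table is my own, and sound-alike domains are left out because the post gives no mechanical rule for them. The `resolves` helper needs network access and is only there to show how a candidate that already resolves would be spotted.

```python
"""Enumerate typosquat candidates for a domain so they can be registered or
monitored: keyboard-adjacent substitutions (radius 1 or 2) and plural forms.
Added example; 'example.com' is a placeholder, not the client's domain."""
import socket
from typing import Dict, List, Set, Tuple

# Single-key QWERTY neighbours, letters only. For 'a' this yields the
# S, X, Z, W, Q substitutions used as the illustration in the text.
QWERTY_ADJACENT: Dict[str, str] = {
    "a": "qwsxz", "b": "vghn", "c": "xdfv", "d": "erfcxs", "e": "wsdr",
    "f": "rtgvcd", "g": "tyhbvf", "h": "yujnbg", "i": "uojk", "j": "uikmnh",
    "k": "iolmj", "l": "opk", "m": "njk", "n": "bhjm", "o": "iplk",
    "p": "ol", "q": "wa", "r": "edft", "s": "wedxza", "t": "rfgy",
    "u": "yhji", "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu", "z": "asx",
}


def _split(domain: str) -> Tuple[str, str]:
    """Split 'label.tld' into the registrable label and everything after it."""
    label, _, rest = domain.lower().partition(".")
    return label, rest


def _neighbourhood(radius: int) -> Dict[str, Set[str]]:
    """Characters within `radius` key-presses of each letter (excluding itself)."""
    hood = {c: set(n) for c, n in QWERTY_ADJACENT.items()}
    for _ in range(radius - 1):
        hood = {
            c: (ns | {m for n in ns for m in QWERTY_ADJACENT.get(n, "")}) - {c}
            for c, ns in hood.items()
        }
    return hood


def keyboard_variants(domain: str, radius: int = 1) -> Set[str]:
    """Domains with one letter replaced by a keyboard neighbour (fat-finger typos)."""
    label, rest = _split(domain)
    hood = _neighbourhood(radius)
    variants: Set[str] = set()
    for i, ch in enumerate(label):
        for sub in hood.get(ch, ()):
            variants.add(f"{label[:i]}{sub}{label[i + 1:]}.{rest}")
    variants.discard(domain.lower())
    return variants


def plural_variants(domain: str) -> Set[str]:
    """The plural form of the label (examples.com for example.com)."""
    label, rest = _split(domain)
    if label.endswith(("s", "x", "z", "ch", "sh")):
        plural = label + "es"
    elif label.endswith("y") and len(label) > 1 and label[-2] not in "aeiou":
        plural = label[:-1] + "ies"
    else:
        plural = label + "s"
    return {f"{plural}.{rest}"}


def candidate_domains(domain: str, radius: int = 1) -> List[str]:
    """Full watch list: keyboard typos plus the plural, sorted for reporting."""
    return sorted(keyboard_variants(domain, radius) | plural_variants(domain))


def resolves(domain: str) -> bool:
    """True if the candidate currently resolves in DNS (needs network access).
    A candidate that resolves and is not yours deserves a closer look."""
    try:
        socket.gethostbyname(domain)
        return True
    except socket.gaierror:
        return False


if __name__ == "__main__":
    for cand in candidate_domains("example.com", radius=1):
        print(cand)
```

Radius 2 is the "immediate two surrounding characters" option from the text and roughly quadruples the list, so in practice a team registers the radius-1 set and the plural, and only monitors the rest.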

I was impressed. I thought to myself that they were ahead of me and had already acquired the plural domain and redirected it to their site. “Smart! You guys already got this?” I said to the group. I looked around the room and saw confused expressions all around. Finally, someone said, “I don’t think that we did – I’m pretty sure we didn’t.”

After a dig query on the fully qualified domain name (FQDN) and an MTR trace (a better traceroute) it became clear that the site was not theirs. It looked exactly like their site, including the login page. However, it was not using their IP block nor any of their ISPs. It traced back to Las Vegas, Nevada.

Needless to say, the training session abruptly ended and became a real-life incident response. The organization’s executives, their general counsel, all security team members, and all IT managers and above joined an emergency meeting in the conference room. Anyone not on-site joined via conference bridge.

During the meeting, their sharp help-desk manager offered that he had seen an increase in the number of calls for password reset requests in the past two weeks. We started connecting the dots.

We came away from the meeting with several action items:

  • We needed to determine if there was a compromise, and if so, how many users it impacted and its duration.
  • The help-desk team set out to cross-correlate password reset support calls with the date/time of failed authentication logins in their logs.
  • They would identify any users who called for a password reset but had no corresponding failed login attempts in the logs. There were roughly a dozen, dating back only two weeks.
  • The help-desk team contacted these users and established completely new identities for them.
  • My team was to implement an emergency infrastructure should the malicious person attempt to use the stolen identities.
  • I reached out to my contacts in the FBI cyber-crime team and reported the issue, and Agent Brown from the New York cybercrimes team was assigned to our case.
  • We contacted a law firm with experience in cyber crimes along with the organization’s retained counsel.
  • The legal team started to outline a notice as was required by compliance in preparation, should notifications be necessary.
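The help-desk correlation in the action items above is worth seeing as code: a user who phones for a reset without ever having failed a login beforehand probably did not forget the password, which is the signal that pointed at captured credentials here. The following is an added example, not code from the original post; the help-desk records, the log lines and the `user=`/`result=` field names are constructed for the example and are not the client's format.

```python
"""Cross-correlate help-desk password-reset calls with failed logins in the
authentication log. A user who asked for a reset but never failed a login
beforehand may never have forgotten the password at all: the credentials may
have been captured elsewhere (for example on a look-alike login page) and
changed by someone else. Added example with constructed sample data; the log
format and field names are assumptions, not the client's."""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed help-desk records: (time of call, account that asked for a reset).
RESET_CALLS: List[Tuple[str, str]] = [
    ("2018-05-14 09:12", "jsmith"),
    ("2018-05-14 10:40", "mlee"),
    ("2018-05-15 08:05", "rgarcia"),
]

# Constructed authentication log lines in an assumed key=value format.
AUTH_LOG = """\
2018-05-13 22:01:07 auth user=jsmith result=FAIL src=198.51.100.7
2018-05-13 22:01:31 auth user=jsmith result=FAIL src=198.51.100.7
2018-05-14 08:58:10 auth user=mlee result=OK src=203.0.113.40
2018-05-14 11:20:44 auth user=rgarcia result=OK src=192.0.2.88
2018-05-15 09:30:00 auth user=rgarcia result=FAIL src=192.0.2.88
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) auth user=(\S+) result=(\S+)"
)


def parse_failed_logins(log: str) -> Dict[str, List[datetime]]:
    """Map each account to the timestamps of its failed authentication attempts."""
    failed: Dict[str, List[datetime]] = {}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(3) != "FAIL":
            continue
        failed.setdefault(m.group(2), []).append(
            datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        )
    return failed


def suspicious_resets(
    calls: List[Tuple[str, str]], log: str, window: timedelta = timedelta(hours=48)
) -> List[str]:
    """Accounts that requested a reset with no failed login in the `window`
    before the call. Failures *after* the call do not count: a user who forgot
    the password fails first and calls second."""
    failed = parse_failed_logins(log)
    flagged: List[str] = []
    for ts, user in calls:
        called_at = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        prior = [t for t in failed.get(user, []) if called_at - window <= t <= called_at]
        if not prior:
            flagged.append(user)
    return flagged


if __name__ == "__main__":
    print("review these accounts:", suspicious_resets(RESET_CALLS, AUTH_LOG))
```

With the constructed data, `jsmith` failed twice the night before calling and is left alone, while `mlee` (no failures at all) and `rgarcia` (a failure only after the call) are the accounts the help desk would contact. The window is a tuning knob: too short and genuine forgetful users get flagged, too long and the signal washes out.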


After this, my team members and I set out to execute on a plan to identify and catch the person.

First, a honeypot. The compromised user credentials the help desk had correlated were redirected to a training system that looked and functioned just like the production application but contained only dummy data. With this in place, the risk of any (further) data theft, manipulation or deletion was mitigated.

Then, we implemented a high-performance packet capture system using a powerful server, a hardware-offloading network interface and several open-source tools to collect all communications from the malicious person or people. We made sure that the packet capture system was implemented and operated under proper evidentiary chain-of-custody standards.

Finally, we configured the units to send us text messages as soon as any of the compromised accounts were accessed.

We were finally ready to track the malicious people.

In less than forty-eight hours we architected, acquired the highly specialized equipment required, and configured and tested the infrastructure. I then set out to document everything, including the operations runbook for these new systems, which included evidentiary chain of custody handling of any evidence collected.

I personally spent nearly seventy-two hours straight at the customer’s data center, hopped up on adrenaline and coffee. It’s rare to catch hackers and scammers, and I felt strongly that we had a good chance of doing so in this case.

In the meantime, the FBI requested and received a subpoena for the IP address of the server as well as the domain name registrar. Fortunately, the ISP provided the physical address associated with the identified IP address quickly.

Agent Brown called the FBI field office in Nevada and requested that agents drive by and visually check the address. A few hours later we received information that the address was actually a car dealership. The FBI agents in Nevada managed to trace the ISP connection to the basement of the dealership. When they inquired about the Internet connection, the dealership informed them that the basement was rented to another party who was hardly ever there.

Technically, the malicious people had not done anything substantially criminal. So between the customer, the FBI and my team we decided to hang back and wait for the malicious people to attempt access to the customer system, and more importantly, to download personal identity information. There was no risk to any of the site users since the data the malicious people would access was made up training data.

We didn’t have to wait long. At 3:00 am the following morning my phone started buzzing with alerts. I quickly logged on to see what had transpired. Jackpot! The malicious people had logged on under three different accounts and had systematically accessed multiple identities before generating a report that can only be described as an identity theft starter kit.

A quick check showed a Canadian IP address as the source. Every packet of the communications was collected and logged. We had all that was required to completely recreate and replay the malicious people’s entire effort.

The session was short. It had only lasted 15 minutes. But it was all that was necessary. There were no other attempts that day.

Early the following morning, we contacted Agent Brown and the cybercrime task force supervisor and arranged for collection of the evidence. During the call we also determined our next course of action.

The FBI could have reached out to the Canadian authorities, but thought it best to try to lure the person to the US.

The plan was that the FBI would get a court order to confiscate the computer in Las Vegas. If they spotted cameras they would simply disconnect the Internet connection at the Network Terminal outside the building.

And then – the FBI surprised us. They had a person of interest in the case. They did not share many details about how they found this person of interest. Our best guess is that the person had been on the FBI’s radar, and had somehow been associated with the stolen identity which was used to fraudulently pay for the acquired domain name and the Las Vegas basement housing the computer.

If all was to go as planned, the malicious person would think there is a technical issue and come to fix it.

Later that morning FBI Agent Brown came to our offices and we held an evidence hand-off ceremony. The next day we noticed that the scam site had gone down. Now there was not much else for us to do but wait.

All was quiet for a while and life started to resume normalcy. Two weeks later we got word that there had been an arrest!

It was a Russian who, a few days after the site had gone down, had flown to Canada and from Canada to Las Vegas. He was arrested at the airport port of entry. Apparently, when presented with the evidence he made a plea bargain and soon after pleaded guilty at the hearing.

The team’s dedication, professionalism and expertise drove this incident’s success. Both the customer and my team operated flawlessly together, and the FBI came through in a big way. At a time when hackers attack indiscriminately, it felt great to catch one and snag a win for the good guys.


About Acreto:

Acreto is the first cloud-delivered, end-to-end connectivity and security platform that can connect and protect any technology, on any network, anywhere. Acreto SASE+ Plus delivers Secure Access Service Edge (SASE) functionalities for access technologies such as devices, networks, IoT / OT and third-parties; while Acreto Secure Application and Data Interconnect (SADI) connects and protects application delivery infrastructure such as clouds, SaaS, data centers and co-locations. Acreto SASE+ Plus is SASE plus SADI — one platform with one interface from one provider for all of your technologies around the world.

The Security of Business vs. Business of Security

The security industry has spent a lot of time over the past 30 years thinking of imaginative ways to put lipstick on today’s cybersecurity pig.

It’s like a one hit wonder band who never adapted, playing the same song and putting on the same show over and over, even though their fans, the industry and the zeitgeist as a whole have evolved and transitioned.

We are more distributed and mobile than ever. Yet the security industry remains unevolved, putting on the same show – playing their all-time favorites like “On-Device Security” and their mega-hit “Gateway Security”. Gateway security is an especially nuanced piece with broad range. There’s the firewall, intrusion prevention, VPN gateway, the proxy, URL and content filters, and the component that binds them – SIEM. And that’s the consolidated version of a lengthier and more complicated original score.

Compute has changed and continues to change dramatically in front of our eyes. Clouds, SaaS, Mobile devices and the big daddy of them all – IoT – are contorting traditional security models and tools in ways never intended – until something breaks. And today, everything is breaking since security as we know it dates back to the medieval ages.

Let’s Get Medieval On Security.

The king builds a castle (the network), puts a moat and draw-bridge around it (gateway security) and posts sentries at the gate with special instructions (security policy).

Need to operate outside the castle? If you have the strength (compute resources) and are wealthy enough to afford it (budget), you can put on custom armor (on-device security) and head out as a knight (remote user). Being a knight is exhausting though. Yes, you are well protected, but it burns a lot of energy (security team resources).

However, commoners have to assume risk and live in a state of constant vulnerability. Clouds and IoT have driven the vast majority of our functions and users to operate “outside the castle”. In fact, the business of the king’s court is now distributed. Commoners live and work remote, never needing to set foot in the castle.

There are even scenarios where some commoners operate and service other kingdoms near and far. When the court subjects are remote and distributed, the king has two options – insist on keeping the castle, moat and drawbridge or adapt. So far the security industry has bitterly resisted adapting. Why — Tradition? Lack of alternatives? It’s what they know? Or a combination of these.

Gateway security still has its uses; however, the gateway security model is long in the tooth and its use cases are diminishing by the week. And on-device security has been an expensive, ineffective and unsustainable failure. How can you package up an entire data center’s worth of security functions in a $5 sensor with the compute resources of a Timex watch?

What the cloud started, IoTs have finished. In the past compute was network-centric, now it is distributed all over and even mobile. And we like it. Initially CISOs tried to control users by saying no to cloud and SaaS. Users wouldn’t have it. They shrugged, walked away, and did it anyway. There was no putting that toothpaste back in the tube once they got a taste of cloud and SaaS.

Compute and technology has been democratized, however the way we secure is still medieval.

We have offered hackers the overwhelming advantage all the while spending billions and billions on security. Vendors continue to monetize on medieval security tools ill-suited to the new dominant compute model. How does this make sense?

There are a few reasons:

First, it’s what people know and have bought into. There are 30 plus years of approaches and methods, tools and technologies, processes and performance indicators that have been developed around medieval security. It has become muscle memory for many who spent years honing their skills around these approaches.

Just imagine if suddenly, through magical circumstances, the rule of thumb became NOT to apply pressure to bleeding wounds. The countless developed methods, processes, tools, and even tangential functions like billing would be impacted. The result would be chaos! Arguably security is experiencing a mild form of chaos now.

Second, there are a lot of vendor-centric security professionals that know and understand security through the prism of a particular vendor. This is not meant to be derogatory since these professionals are the backbone of the security industry. However many are not security operators, they are security product managers.

In most instances, along with functional and integration capabilities, security is but one of multiple features that security tools sport. Many security professionals are really, really good at keeping the lights on and packets flowing – and rely on the product to do its security stuff.

Some vendors are so big and influential that more security professionals than we like to admit are exclusively committed to their tools. These professionals have done the economic calculus and have built their careers around a single brand, strictly based on market opportunity. Many evolve when vendors say it’s time to evolve for job prospect purposes. And the evolution of certain security professionals is curiously bound to the vendor’s business strategy. An arrangement that benefits the vendor and the professional – just not security.

This brings me to the third point: the security of business.

It takes many years for new and emerging approaches or technologies to become mainstream. Large influential vendors are focused on squeezing every last bit of economic value from their existing technology investments, while small innovative companies just don’t have the market megaphone. And pay-to-play analyst firms confuse matters further by offering tilted and skewed recommendations.

Now, let’s talk about the Cyber Hare vs. the Security Turtle.

Hackers are cutting-edge. They are imaginative. They formulate crazy ideas meant to break the rules. The security industry counters with security professionals who are compelled to be conservative – to a fault.

Hackers don’t care about function and performance, whereas organizations prioritize both over security. Hackers can experiment and fail countless times, forging their own path along the way, while organizations identify gaps by virtue of emerging product categories. Often it takes anywhere between three to five years, depending on the organization, to implement new product categories for an emerging threat type. At that point the threat is not so emerging anymore!

Moreover, organizations befuddle themselves by implementing a process, a very organized one at that, developed to assure failure. This includes assessing requirements, assigning budget, talking to Gartner to see who paid them most, evaluating several brands, selecting a technology, negotiating legal, purchasing, implementation, integration, administration, management, monitoring and troubleshooting. Where is the agility?!

Aside from the security functions the product offers, nothing in the process above even comes close to security operations.

What does this mean? It means that hackers have a significant upper hand. This upper hand is so overwhelmingly one-sided that it has evolved from having the ability to impact business, to the ability to devastate economies and undermine democracies.

Cyber – The Longest War.

Today, everyone talks about the war in Afghanistan as our longest running conflict. In the near future this distinction will easily be awarded to the global cyber-war. Every day, much like other security professionals, I see this war from our operations center. I see Russia, China, North Korea, Iran and even some allies wage war against our infrastructure. If not by Name (IP Address), then by reputation (APT).

If we have learned anything from the Afghan and Iraqi conflicts it’s that success does not always require a standing army. Special Operations have radically shifted the methods of war. Not only is this cheaper and faster, but it is also more effective for many missions around the world. Today the SpecOps model is being employed in the Syrian conflict.

Maybe we should learn from the military and apply seismic shifts to our security approach. Here’s how:

First, let’s eliminate products from the equation. Building one-off security using tools that are ill-fitted to address the emerging distributed and mobile compute model is security suicide. Products are always out-of-date and security teams burn valuable resources performing technology refreshes, managing and troubleshooting products rather than operating security.

Security as a utility is a much more effective approach. It is simpler and much faster to sign up and turn on, than to buy and build out! Make implementation easy and let the development, upgrades, updates and keeping the lights on be someone else’s problem. The time your team is not spending on babysitting products can be put to better use operating security.

Second, fight hackers with (ethical) hackers. Build or train security teams of operators – not product administrators. Make your team critical thinkers who focus on “how to break things” rather than the mundane keeping the lights on tasks. Not all hackers are foul tempered, tattoo laced, twenty-something rock stars with an ego. There are many agreeable, thoughtful and reliable ethical hackers that can serve in foundational roles on your team. Most importantly, empower them and involve them from the beginning at the application design, development and roll out phases.

The traditional medieval security model is not failing, it has already failed spectacularly. Arguably, it was never successful in achieving any of the objectives for which organizations have paid billions of dollars. The product management approach to security is like trying to change the wheels while the car is doing 100 mph. You won’t be able to do it and you WILL get hurt along the way.



Putin’s Eleven: Nation State Hacker Teams Uncovered

Before we discuss Russian nation state hacker teams, let’s look at how military branches have historically been born. On July 2, 1926, the United States Army established the Army Air Corps. After World War II it was determined that we were best served by a separate Air Force, and on September 18, 1947 the Air Force became America’s fifth service. On October 1, 2010 the Army Cyber Command (Army Cyber) was established and commanded by Major General Rhett A. Hernandez. United States Army Cyber Command’s mission is to direct and conduct integrated electronic warfare, information and cyberspace operations as authorized, or directed, to ensure freedom of action in and through cyberspace and the information environment, and to deny the same to our adversaries. It is only a matter of time before the Army Cyber Command becomes our sixth military branch. Much like the US has Special Operations teams – or ‘SpecOps’ – such as the Navy SEALs or Army Delta Force, we have Cyber SpecOps teams. So do our adversaries!


Nation State Hacker Teams: The Cyber Special Forces

Think of state sponsored or nation state actors as each country’s cyber special forces team. There are a few reasons that the nation state cyber teams can be more effective than hacktivists, terrorists or financial hackers. To start, they have permission to hack. This means they only have to hide from their remote adversary, and not local authorities; very much like the drone pilots in Nevada, operating behind enemy lines without the physical dangers. The approaches and techniques they use can be a bit louder and bolder without worrying about local authorities. Furthermore, the only consideration they have for their target is while the attack is in process. Often once the attack is over, it does not matter if the target knows of the attack and who the attackers are. The nation’s response to accusations when called out is easy: Deny, Deny, Deny!

So when it comes to hacking, local authorities are all that matter. Just think of the 13 Russians indicted in February 2018, along with the most recent batch of 12 additional Russians in July 2018 indicted by Robert Mueller. So long as they don’t step into the US or allied countries, it just does not matter.

By virtue of not having to expend as much energy hiding, they spend less time on obfuscation and more time on their malicious intent. Moreover, in the event they conduct a cyber attack that is extremely high profile, they don’t have to run and lay low.


Russian Tradecraft

The Russian nation state hackers used a combination of technical and psychological tradecraft. Despite Robert Mueller’s identification of the attackers by name, there is little chance the indicted Russians will be extradited or suffer repercussions.

State sponsored cyber hackers also benefit from functional teams. On NCIS, Abby and McGee can hack into any and every type of system. If there is a lull in the plot – Hack Something! By the way, CBS, would it kill you to hire a subject matter expert so we don’t have to listen to nonsensical techno-babble? There’s no such thing as a “2048 bit firewall”.

In reality though, not every hacker is expert in everything. Complex compromises require teams of specialist subject matter experts that come together within different functional groups, each with a specified expertise.


The “Who” Behind Putin’s Eleven

First there is the strategy group. This group either identifies or receives orders on what or who to target for a cyber attack. Sometimes their target is very specific, such as the communications of the National Security Advisor, or it may be a broad mandate, such as demand for access to US critical infrastructure. Examples of critical infrastructure include election systems, power grids and water supplies. Other areas may include communications infrastructure like telephone carriers, radio and TV stations; healthcare infrastructure such as hospitals and blood banks; and transportation infrastructure that include roadways, airports, buses, and trains.

The strategy group will take the broad mandate and develop a specific strategy on how to implement it. For example, they would identify their target – let’s say a power station. To compromise the power station they may define the level of access required to accomplish their objective and specific person or persons to be personally targeted.

They may draw in the research group to perform information gathering and leg work. Prior to the strategy group formulating its approach, the research group investigates the options to identify and gather information on organizations, geographies, sites, systems, vendors, people, and more. This is used by the strategy group to develop the specific action plan.

With their mandates and plans in hand, other groups are brought in with specific functions and specialties. Let’s take a closer look.


Specialized Cyber Special Forces

First among them is the Psychological Operations – or PsyOps – group, whose work is focused on social engineering. Not all hackers operate with technology; there are also people hackers or social engineers. Often unsuspecting people are involved as part of the compromise effort. Think of the person who clicks on the malware-laced email or the person who plugs in the USB stick they found in the parking lot. These examples are simple. A more advanced, real-life example is when a system administrator was identified and profiled. He turned out to be a fan of hobby trains and belonged to an associated forum. Though the organization’s systems that needed to be compromised were not vulnerable at the time, the cyber attackers did manage to compromise the hobby train site and collect the sysadmin’s password, which happened to be the same as his company password.

In this case, they managed to spend over six months in the system stealing data and committing acts of cyber espionage. The compromise was only discovered after the damage irreversibly impacted the integrity of the company’s data dating six months back. At that point the affected organization did not know which data was good and which was bad. A horrible position to be in!

Next, there is the exploit development group: the people who identify vulnerabilities and weaponize them.

Another group consists of malware packagers. This is the team that takes an exploit and packages it up for delivery and dissemination. Just like in any sport in which you need to position yourself to be lined up before taking a shot, cyber exploits need specific circumstances to be properly executed. Typically there are existing dissemination frameworks that this team uses and adapts to their specific needs; however, nation state hacker teams are known to develop their own dissemination framework as required. An example of a custom framework is Stuxnet, where a unique and advanced framework was used to infiltrate Iranian nuclear centrifuges.

Then, there is the BotMaster. There may be instances where an exploit or cyber attack is disseminated, or data from an already implemented exploit is collected and forwarded, via a BotNet. BotNets consist of many distributed systems that are already exploited and controlled by the BotMaster, while the user of each system is unaware. BotNets can be used to disseminate or receive content. A nation-state may have their own BotNet, or they may rent one of the various botnets on the market – or a combination as required.

There is also a recruiter, the proverbial “Danny Ocean” who knows and is trusted by the different players to make sure the right resources are accessible as they are needed. Some of the hackers recruited are pure mercenary, while others need to be deceived. Often the recruit doesn’t know who they are working for. Interestingly enough, the recruiter may also be recruited themselves and be unaware of their employer.

Lastly, there is the buyer. The buyer has relationships with commercial exploit developers as well as a reach into the deep dark crevices of the dark web that exploit developers lurk in. This is how the state sponsored cyber-warriors have access to the best exploits, including zero-day exploits that the industry may not even be aware of. These exploits are purchased from commercial exploit developers authorized to sell to sanctioned groups, or on the dark web to the highest bidder. The dark web bidder is often anonymous and may be a country such as the US, Russia, China, North Korea, Iran or EU countries, among others. To do this they use cryptocurrency, and lots of it. Usually, only nation states can afford to spend money on the juiciest exploits. And if you want exclusivity, then you will pay more. Nation states also have the resources to “get even” if the exploit seller does not respect their exclusivity.


Nation State Hacker Teams: Well-Funded & Well-Trained

Nation state hacker teams are the best funded of all cyber attacker types. Hacking is expensive at this level. You need to be able to afford the rock stars, their support teams and infrastructure, tools, and exploits. Occasionally, they may need to bring in the “consultant” experts in a particular area, and these people cost money too. This type of operation needs management and is typically managed by a team of executive, director and manager ranks that are usually military. Though inexpensive compared to the cost of conventional troops and warfare, nation-state hacking teams still have a cost structure that cannot be afforded by hacktivist, terrorist or financial groups.

With access to the broad resources with formal operational management, these teams are also the best trained. There is formal training, but also the training that comes from access to so many different approaches, techniques and other smart people. It drives up the expectations and operating tempo.

The best example of this “Putin’s Eleven” model is the 25 Russians Robert Mueller indicted for taking part in the compromise of the 2016 US elections that leveraged both technical and psyops efforts. The 25 indicted Russians are representative of only two groups: “Fancy Bear” or APT28 and “Cozy Bear” or APT29. Moreover, these indictments may represent only the key players in the groups. It’s likely that many more were involved in support roles. The Russian nation state hacker teams are not your granddaddy’s spray and pray hackers.

In comparison to industry standard cyber security protection models, with roots dating back to medieval times, nation state hacker teams are organized, directed, well funded and use advanced techniques and the latest exploits to pinpoint and devastate their befuddled targets!



Russian Nation State Hackers & What We’re Not Doing

The effective use of Russian nation state hackers led to a hacked election that has resulted in a hacked America. We’re still licking our wounds and not doing anything about it. In fact, we are arguing if it happened at all!

Cybersecurity strategy incorporates the confluence of technology, business and geopolitics with so many moving parts that to call them complex is an understatement. Strategies must span multiple geographies across a plurality of nations and continents. That is why no one can “go it alone”. Today we need our friends more than ever – not just for geopolitics, but also for cyber defense. Collaboration is the underpinning of cybersecurity.

As the largest global economy, comprising infrastructure, industry, enterprise and institutions, the US is also the most technologically advanced. Many American companies span the globe, making the country one big glass house while the rest of the cyber world is a crowd of kids with rocks on a dare. These “kids with rocks” fall into four major categories.


Four Major Types of Hackers

First, there are hacktivists, who hack for their cause. The best known of these is the loosely bound group called Anonymous. The second category is terrorist organizations such as ISIS and Al Qaeda. These organizations recognize cyber warfare as a cornerstone of their mid- to long-term strategy and are working feverishly and investing heavily to bring those capabilities to maturity. The third group is financial hackers. The best way to describe financial hackers is as the online arm of the Mob and the cartels. And finally, the most dangerous are state-sponsored hackers.

Even though state-sponsored hackers operate behind triple or quadruple blind systems, which makes tracking them extremely difficult, they can be identified by their unique hacking techniques, or fingerprints.

Nation state hackers are not the moody lone-wolf nocturnal teenagers cranking death metal and surviving on Amp energy drinks. That’s a TV cliche. And hacking is not an organic game of pickup, where individual hackers are swapped indiscriminately. Nation state hackers are carefully curated teams that train, collaborate and solve problems together. Not only do they have to get along and gel over time, but they have to build and test many foundational tools they need to perform the advanced objectives they are charged with. Sometimes this can take years!


Hacking Fingerprints

Cyber-threat intelligence organizations that monitor and track Advanced Persistent Threats – APTs – use their threat fingerprints to build a profile on each team over time. The collection of fingerprints defines each team, otherwise called an APT. The profile fingerprints for the Russians, Chinese, North Koreans and Iranians all vary.

Each APT, that is, each distinct hacking group, is assigned a unique number for identification. For example, APT37 is North Korea, APT34 is Iran, and the American election hacks are associated with APT28 and APT29 – which are obviously Russian nation state hackers. In fact, APT28, otherwise known as “Fancy Bear”, is a completely different team than APT29, “Cozy Bear”, though both work for the Russian Government. As an example, here is a sample of the fingerprint for Fancy Bear (APT28), which has been tracked since 2007, and the reasons for American intelligence agencies’ confidence in Russia as the source of the election hacks:

Source: FireEye

Target Sectors:

The Caucasus, particularly Georgia, eastern European countries and militaries, North Atlantic Treaty Organization (NATO) and other European security organizations and defense firms

Cyber Espionage

APT28 is a skilled team of developers and operators collecting intelligence on defense and geopolitical issues—intelligence that would be useful only to a government. This APT group compiles malware samples with Russian language settings during working hours (8 a.m. to 6 p.m.), consistent with the time zone of Russia’s major cities, including Moscow and St. Petersburg. This suggests that APT28 receives direct ongoing financial and other resources from a well-established organization, most likely the Russian government.

Associated Malware:

Attack Vectors:

Tools commonly used by APT28 include the SOURFACE downloader, its second-stage backdoor EVILTOSS and a modular family of implants dubbed CHOPSTICK. APT28 has employed RSA encryption to protect files and stolen information moved from the victim’s network to the controller. It has also made incremental and systematic changes to the SOURFACE downloader and its surrounding ecosystem since 2007, indicating a long-standing and dedicated development effort.

Operation RussianDoll: Adobe & Windows Zero-Day Exploits Likely Leveraged by Russian APT28 in Highly-Targeted Attack

Detailed Report:

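The working-hours and language-setting fingerprint quoted above is something an analyst can actually score. The following Python is an added illustration, not code from the original post or from FireEye: it takes compile timestamps (already converted to UTC) and PE resource language IDs for a constructed set of samples, asks how well a normal Monday-to-Friday, 8 a.m. to 6 p.m. working week explains them in each candidate time zone, and measures the share of Russian-language builds. The fixed UTC offsets, the sample values and the labels are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
WORK_START, WORK_END = 8, 18   # the 8 a.m. to 6 p.m. window quoted from FireEye
LANG_RU = 0x0419               # Windows language ID for Russian (ru-RU) in PE resources
# Fixed offsets stand in for full tz rules (Moscow has been UTC+3 without DST since 2014).
CANDIDATE_ZONES = {
    "UTC+3 (Moscow)": timezone(timedelta(hours=3)),
    "UTC+8 (Beijing)": timezone(timedelta(hours=8)),
    "UTC-4 (US Eastern, summer)": timezone(timedelta(hours=-4)),
}

@dataclass(frozen=True)
class Sample:
    label: str               # analyst label for the sample, not a real hash
    compiled_utc: datetime   # PE header TimeDateStamp, already converted to UTC
    lang_id: int             # language ID found in the PE resource directory

def working_hours_profile(samples, tz):
    """Count samples compiled Mon-Fri inside the working-hours window in zone tz."""
    in_window = 0
    for s in samples:
        local = s.compiled_utc.astimezone(tz)
        if local.weekday() < 5 and WORK_START <= local.hour < WORK_END:
            in_window += 1
    ratio = in_window / len(samples) if samples else 0.0
    return {"n": len(samples), "in_window": in_window, "ratio": ratio}

def rank_time_zones(samples, zones=CANDIDATE_ZONES):
    """Rank candidate zones by how well a normal working week explains the timestamps."""
    scored = [(name, working_hours_profile(samples, tz)["ratio"]) for name, tz in zones.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)

def language_share(samples, lang_id=LANG_RU):
    """Fraction of samples whose resources were built with the given language ID."""
    return sum(1 for s in samples if s.lang_id == lang_id) / len(samples) if samples else 0.0

# Constructed sample set: five in-hours builds, one before hours, one after hours, one Saturday.
SAMPLES = [
    Sample("s1", datetime(2015, 3, 10, 6, 30, tzinfo=UTC), LANG_RU),   # Tue 09:30 MSK
    Sample("s2", datetime(2015, 3, 11, 11, 15, tzinfo=UTC), LANG_RU),  # Wed 14:15 MSK
    Sample("s3", datetime(2015, 3, 12, 14, 45, tzinfo=UTC), LANG_RU),  # Thu 17:45 MSK
    Sample("s4", datetime(2015, 3, 13, 15, 20, tzinfo=UTC), LANG_RU),  # Fri 18:20 MSK, after hours
    Sample("s5", datetime(2015, 3, 14, 8, 0, tzinfo=UTC), 0x0409),     # Sat 11:00 MSK, en-US resources
    Sample("s6", datetime(2015, 3, 16, 4, 50, tzinfo=UTC), LANG_RU),   # Mon 07:50 MSK, before hours
    Sample("s7", datetime(2015, 3, 17, 9, 5, tzinfo=UTC), LANG_RU),    # Tue 12:05 MSK
    Sample("s8", datetime(2015, 3, 18, 12, 0, tzinfo=UTC), LANG_RU),   # Wed 15:00 MSK
]
```

Compile timestamps and resource language IDs are metadata the developer controls, so a skew like the one this set produces toward UTC+3 supports an attribution only when it lines up with other fingerprints such as tooling and infrastructure.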

There are other means for determining the source of attacks. Aside from fingerprinting, intelligence agencies track the sale of zero-day exploits on the exploit markets. Zero-days are exploits for previously unknown vulnerabilities.


Exploits on the Market

There are numerous commercial and underground organizations whose business is finding, exploiting and weaponizing vulnerabilities. Once the exploit is developed, it’s put up for bid – and governments are the most affluent bidders. Commercial organizations offer them for sale on the public market to sanctioned agencies, while underground groups sell their exploits on the black market to the highest bidder indiscriminately. In the case of juicy exploits, the buyer may pay significant sums for the privilege of exclusivity. The buyer wants the advantage of a weapon that nobody else has. All governments use a variety of proprietary techniques, technologies and informants to track the exploit inventory of both rival and ally countries.

Ultimately, the recourse against cyber attacks is a blunt instrument: the counter-attack. Counter-attacks may be counter-hacks, economic sanctions, embargoes, or a combination. However, countering attacks on commercial and critical infrastructure is often reserved for the largest organizations and limited to the largest and most egregious attacks. The American election compromises are one such example.

At this particular point in time, America has opted for a “go it alone” approach to global relationships. Collaboration on cyber issues is not exempt from this. As the occupant of “The Big Glass House” in a world of rock-throwing kids, especially Russian nation state hackers, America needs its friends more than ever.


Hacked America Not Minding The Store

Collaboration between government and commercial threat intelligence is key to a successful cyber strategy.

The nation’s top intelligence officer, Director of National Intelligence Dan Coats, indicated on Friday, July 13 that the “persistent danger of Russian cyberattacks today was akin to the warnings the United States had of stepped-up terror threats ahead of the Sept. 11, 2001, attacks.” “The system was blinking red,” Coats said. “Here we are nearly two decades later and I’m here to say the warning lights are blinking red again. Today, the digital infrastructure that serves this country is literally under attack. Every day, foreign actors – the worst offenders being Russia, China, Iran, and North Korea – are penetrating our digital infrastructure and conducting a range of cyber-intrusions and attacks against targets in the United States.”

Recently, Congress has zeroed out nearly $400 million from the fund used to protect the integrity of our elections and has blocked subsequent efforts to fund it across partisan lines. In April 2018, the White House Cybersecurity Coordinator was relieved of his role less than six months before the November elections. As of the end of July no replacement has been named. Moreover, tough sanctions passed by Congress in July 2017 are yet to be implemented as of July 2018. It may be too late for anyone to take the helm and implement meaningful protections at such a late stage.

Collaborating to stop these attacks requires leadership, funding, a competent team, communications and sharing. At this point in time we have the competent team members in the form of our intelligence agencies, which are raring to be let loose. However, there is no leadership, no mandate and no funding. We also find ourselves in a strange situation with sparse dialog with our allies due to newly formed political trust issues. The patient is not in trouble because a first-year med student is the surgeon. Rather, the patient has been abandoned by the surgeon with little time to live while the operating room is dark because nobody paid the utility bill.

Next in this series we will look at an example of Russia’s nation-state hacking teams and their construct in our blog: Putin’s Eleven: Nation State Hacker Teams Uncovered.
