In the wake of WikiLeaks’ Vault7 release of documents revealing the CIA’s hacking tools, I must revisit a key section of a post from September 2016. The section was about the convenience of blaming “the Russians” given the craze of attributing everything wrong in the cyber world to the seemingly omnipresent “Russians.”
The point was that, while blaming cyber incidents on an adversary such as the Russians makes “victims” seem much less culpable, proving it actually was them requires substantially more evidence than the use of the same tools and techniques. A skilled hacker knows their signature and knows the signature of others, knows how to hide their tracks, and knows how to mask their signature to emulate others. In the earlier post I used a video clip from a Bourne movie to demonstrate this point, embedded below.
Last October, regarding the DNC/Russian blame fest, I asked intelligence agents from various countries what they thought, and each one said to me, in substance, “if it looks like the Russians, it probably was not the Russians.” I do not pretend to know who it really was or was not, but common sense tells me they were probably right.
Since that time, the CIA has become more openly politicized, leaking information to the New York Times to say it was “the Russians” that hacked the DNC and that they knew this because the hackers used known tools and techniques that were used by “the Russians.” The CIA then leaked, in essence, “trust us, because we know what we’re talking about.” Now it has been revealed that the CIA actually has and uses many of the tools and techniques of Russian hackers to make others think that hacks they are doing are actually being done by the Russians.
When it comes to Yahoo, the DNC, the Russians, and the CIA, what is truth? What is fiction? Who knows, but here were my thoughts on this last September:
WAS IT REALLY THE RUSSIANS? IF SO, WHY?
Since last summer when it became so en vogue to blame the Russians for so many of our cybersecurity woes, I have tried researching the situations where the “it’s the Russians” play is used to see what facts those assumptions are usually based upon. The most common one I find is that it is tied to IP addresses known to be used by groups working as proxies for Russian intelligence agencies. I find this odd, for several reasons.
First, it reminds me of the Forged Fingerprint scene out of the Bourne Supremacy:
In the movie, Jason Bourne is the most intelligent, highly trained, skillful, badass covert operator on the planet — someone who knows how to leave a fingerprint and how not to leave a fingerprint — yet, based on “his fingerprint” being at the scene, the intelligence world jumps to the conclusion that it was him.
Let’s think about this for a moment, in the context of the Russians. Let me be clear, I have no idea if it was the Russians or not. But, is a digital fingerprint — an IP address — really what we seem to be going off of on these claims?
First, nearly everybody in the cybersecurity universe knows that someone with even moderate skills can spoof an IP address and hide their identity or make it look like somebody else was doing it. Here is a Wikipedia page on IP address spoofing.
Second, most would agree that the hackers for Russia’s intelligence agencies are near the top in terms of skills and abilities — close to the level of our American intelligence agencies’ hackers — the best in the world. Do they not understand that (a) they could spoof their IP addresses and (b) they are leaving such digital tracks behind? Seriously, if this is all that we have to go on, would it not be more reasonable to believe that it is anybody but the Russians that the IP addresses point to?
Third, and perhaps most importantly, why would the Russians care about hacking into Yahoo and stealing its account users’ information? Are the Russians now subsidizing their economy by selling stolen Yahoo users’ account information on the dark web?
Indeed, is this even about obtaining the value of the users’ account and identity information? Or, is this about causing harm to Yahoo? I have written several posts recently about the evolution of hacking for extortion and embarrassment in the context of the Sony breach and how that has transitioned into the shame hacking we saw in the Ashley Madison and Brazzers breaches.
Do you think the attack on Yahoo, which Verizon just learned of 2 days ago, has more to do with obtaining its users’ data or with potentially impacting its value in the marketplace — especially now that Yahoo is in negotiations to sell itself to Verizon for $4.8 billion?
For a breach that occurred in late 2014, the timing of the hackers’ letting this information slip sure is an interesting coincidence …
Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.