WikiLeaks and CIA’s Russian Hacking Tools & Techniques: Was it really the Russians?

In the wake of WikiLeaks’ Vault7 release of documents revealing the CIA’s hacking tools, I must revisit a key section of a post from September 2016. The section was about the convenience of blaming “the Russians” given the craze of attributing everything wrong in the cyber world to the seemingly omnipresent “Russians.”

See: “SHAME HACKING” LIBERAL GROUPS — IS IT REALLY RUSSIAN HACKERS DOING IT?

The point was, while it makes “victims” seem much less culpable to blame cyber incidents on an adversary such as the Russians, there needs to be substantially more evidence than using the same tools and techniques to prove it actually was. A skilled hacker knows their signature and knows the signature of others, knows how to hide their tracks, and knows how to mask their signature to emulate others. In the earlier post I used a video clip from a Bourne movie to demonstrate this point, embedded below.

Last October, regarding the DNC/Russian blame fest, I asked intelligence agents from various countries what they thought, and each one said to me, in substance, “if it looks like the Russians, it probably was not the Russians.” I do not pretend to know who it really was or was not, but common sense tells me they were probably right.

Since that time, the CIA has become more openly politicized, leaking information to the New York Times to say it was “the Russians” that hacked the DNC, and that the agency knew this because the hackers used tools and techniques known to be used by “the Russians.” The CIA’s leak amounted, in essence, to “trust us, because we know what we’re talking about.” Now it has been revealed that the CIA actually has and uses many of the tools and techniques of Russian hackers, so that hacks it carries out appear to have been done by the Russians.

When it comes to Yahoo, the DNC, the Russians, and the CIA, what is truth? What is fiction? Who knows, but here were my thoughts on this last September:

WAS IT REALLY THE RUSSIANS? IF SO, WHY?

Since last summer when it became so en vogue to blame the Russians for so many of our cybersecurity woes, I have tried researching the situations where the “it’s the Russians” play is used to see what facts those assumptions are usually based upon. The most common one I find is that it is tied to IP addresses known to be used by groups working as proxies for Russian intelligence agencies. I find this odd, for several reasons.

To begin with, it reminds me of the Forged Fingerprint scene out of the Bourne Supremacy:

In the movie, Jason Bourne is the most intelligent, highly trained, skillful, badass covert operator on the planet — someone who knows how to leave a fingerprint and how not to leave a fingerprint — yet, based on “his fingerprint” being at the scene, the intelligence world jumps to the conclusion that it was him.

Let’s think about this for a moment, in the context of the Russians. Let me be clear, I have no idea if it was the Russians or not. But, is a digital fingerprint — an IP address — really what we seem to be going off of on these claims?

First, nearly everybody in the cybersecurity universe knows that someone with even moderate skills can spoof an IP address and hide their identity or make it look like somebody else was doing it. Here is a Wikipedia page on IP address spoofing.

Second, most would agree that the hackers for Russia’s intelligence agencies are near the top in terms of skills and abilities — close to the level of our American intelligence agencies’ hackers — the best in the world. Do they not understand that (a) they could spoof their IP addresses and (b) they are leaving such digital tracks behind? Seriously, if this is all that we have to go on, would it not be more reasonable to believe that it is anybody but the Russians that the IP addresses point to?

Third, and perhaps most importantly, why would the Russians care about hacking into Yahoo and stealing its account users’ information? Are the Russians now subsidizing their economy by selling stolen Yahoo users’ account information on the dark web?

Indeed, is this even about obtaining the value of the users’ account and identity information? Or, is this about causing harm to Yahoo? I have written several posts recently about the evolution of hacking for extortion and embarrassment in the context of the Sony breach and how that has transitioned into the shame hacking we saw in the Ashley Madison and Brazzers breaches.

Do you think the attack on Yahoo has more to do with obtaining its users’ data or with potentially impacting its value in the marketplace — especially now that Yahoo is in negotiations to sell itself to Verizon for $4.8 billion, which Verizon just learned of 2 days ago?

For a breach that occurred in late 2014, the timing of the hackers’ letting this information slip sure is an interesting coincidence …

______________________

Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

Shawn Tuma Discusses Government Scanning of Yahoo Emails on WHDT World News

What You Need to Know About Protecting Trade Secrets Under State and Federal Law

A few years ago Texas joined most other states and enacted its version of the Uniform Trade Secrets Act (UTSA, or Texas’ TUTSA). Recently, the federal Defend Trade Secrets Act (DTSA) became law. While there are quite a few similarities between these laws, there are also some substantial differences that you need to know to protect your businesses’ trade secrets.

Tuma Discusses Hack of DNC Trump Research (Radio Interviews)

On Wednesday, June 15, 2016 and Thursday, June 16, 2016, Shawn Tuma was a guest on several radio stations to discuss the hacking attack on the Democratic National Committee in which the hackers obtained the DNC’s opposition research on Donald Trump. Here is the audio from some of the interviews:

FBI Director Talks Cyber Espionage: Chinese Like “Drunk Burglar”

“[T]here are two kinds of big companies in the United States. There are those who’ve been hacked by the Chinese and those who don’t know they’ve been hacked by the Chinese” -FBI Director

The pervasive threat that cyber espionage poses to American business is not a new topic on this blog — we have been talking about it for a few years. But you do not have to take my word for it; there is a “higher authority” on the subject. No, not that high! But the Director of the FBI is pretty high.

Here is the transcript of what FBI Director James Comey had to say about the Chinese cyber espionage efforts. If you follow the link at the bottom, you can watch the video of his interview:

“What countries are attacking the United States as we sit here in cyberspace?”

“Well, I don’t want to give you a complete list. But the top of the list is the Chinese, as we have demonstrated with the charges we brought earlier this year against five members of the People’s Liberation Army. They are extremely aggressive and widespread in their efforts to break into American systems to steal information that would benefit their industry,” said FBI director Comey.

“What are they trying to get?”

“Information that’s useful to them so they don’t have to invent. They can copy or steal to learn about how a company might approach negotiations with a Chinese company, all manner of things,” said Comey.

“How many hits from China do we take in a day?”

“Many, many, many. I mean, there are two kinds of big companies in the United States. There are those who’ve been hacked by the Chinese and those who don’t know they’ve been hacked by the Chinese,” said Comey.

“The Chinese are that good?”

“Actually,” the FBI director replied, “not that good. I liken them a bit to a drunk burglar. They’re kicking in the front door, knocking over the vase, while they’re walking out with your television set. They’re just prolific. Their strategy seems to be: We’ll just be everywhere all the time. And there’s no way they can stop us.”

via FBI Director: Chinese Like ‘Drunk Burglar’ | The Weekly Standard.