
HOLY CYBER!! Part 1: THE RUSSIANS ARE COMING!! THE RUSSIANS ARE COMING!! (oh, the Chinese, too)

March 24th, 2017 | Published in Cyber security


A gentle tiptoe into the Russian hacking of the political process, the Chinese hacking of the commercial process … 

and several aspects of the politics of cyber war


24 MARCH 2017 (Paris, France) – Whatever you might think of Russia’s recent antics on the world stage, you have to concede: they have brilliantly exploited information-age tools to confuse audiences about what is truth, what isn’t, and to set their own narrative. The returns have been massive … and out of all proportion to the modest investment (see below).

This isn’t quite the millennium we were promised. The data-bedazzled twenty-first century was to be a time of painlessly enhanced social justice and seamless market accommodation. Oh, that marvelous “arc of history” was surely bent unmistakably toward a bigger, shinier “Information Age”! The propaganda of progress!! The illuminism of new technologies!!

Eh, no. Somebody clearly did not get the email.

Instead, America slouches toward this century’s second decade with a lunatic bigot directing its national politics, and fascism is on the march in those blessed United States. And the painful truth is that it’s been feeding on all the social forces we’d naively entrusted to a feckless “expert class”. And we of that estimable “Facebook society” … where the task of “knowing” means having an image of things, a visual of things … have let our modes of perception take a strike against real cognition. Our social networks have displaced the narrative form, the long reads. Storytelling, decisive analysis has died … replaced by divisiveness of the Tweet variety, which isn’t narrative at all but communal weak thinking and a habituation-based intolerance. And if you have taken any time to look at this from a neuroscience perspective, it’s perfect. We love the indifference of phatic communication. All of this weak thinking leads to communication on Facebook which enjoys its popularity because it frees its users from the burdensome communication of meaning.

Wow. Gee. I wonder if anybody could exploit that?

Cyber bullets for sale


This year my schedule was front-loaded with cyber-related conferences. In the space of 10 weeks I have attended the:

– World Economic Forum in Davos, Switzerland;

– CyberSecurity Forum in Lille, France;

– Computers, Privacy and Data Protection (CPDP) in Brussels, Belgium;

– Munich Security Conference in Munich, Germany;

– Mobile World Congress in Barcelona, Spain;

– Pentagon Cyber Workshop in Washington, DC; and

– InfoSecurity 2017 in Brussels, Belgium

 

Besides attending some info-packed sessions in all of the above, I squeezed in some video interviews with cyber mavens like:

  • John Frank, Vice President of EU Government Affairs for Microsoft
  • David Grout, Technical Director for FireEye, the preeminent global cyber security authority
  • Colonel Nicolas Duvinage, Head of the French National Cybercrime Center, who put European cyber war challenges in perspective
  • Oliver Grall, Area Sales Manager of MSAB, a company that builds a complete mobile forensics capability for law enforcement organizations
  • Colonel Brick Susky of the United States Cyber Command, who outlined the change in mindset Western intelligence communities must make to challenge Russian influence

And many more. Those interviews will all be in this series.

A common topic at all of these events? How Vladimir Putin carried off a brazen and successful plan to throw the most important election in the most powerful democracy in the world to a candidate of his choosing. Surely a vintage James Bond film plotline. From his Moscow lair, Vladimir Putin struck up an alliance with Julian Assange to mount a massive cyber-offensive. A plot full of twists and turns and hair-raising tangents. Lions. And tigers. And bears. OH, MY!!

Oh the nefarious activity attributed to Russia or its proxies. There has been mischief afoot to influence the Brexit vote, the American, German and Dutch elections, encouraging the National Front in France, plus very credible claims of trying to engineer a coup in Montenegro to replace the government with one less inclined to NATO membership.

And we have British intelligence warning against threats to its politicians, government officials and think tanks … and now offering training against Russian hackers. Plus the recent announcement by the U.S. Justice Department that they have charged two former Russian intelligence officers and two hired associates for cyber-crimes.

And then we had General Philip Breedlove, the Supreme Allied Commander of NATO, going on TV with a whopper. He said the campaign to wrest Crimea from Ukraine was “the most amazing information warfare blitzkrieg we have ever seen. Incredible.”

 

And Cyber Lord Assange. Am I now to believe he is in possession of the CIA trove of “zero day” weaponized exploits? Jesus wept.

 

Assange is better known for the WikiLeaks slow drip of embarrassing revelations from the Democratic National Committee. I mean, really. These disclosures were no more compromising than what you’d find in the correspondence of any private-sector company: dumb boardroom gossip, petty press intrigues, and sleazy attempts to undermine a well-placed executive rival (namely Bernie Sanders). As Yasha Levine opined in The Baffler last month:

Quite frankly it would have been astonishing to learn that the DNC went about its business in any other way. But the sheer fact of the data breach was dispositive in the eyes of Democratic operatives and their many defenders in the liberal press. After all, WikiLeaks also reportedly collected data from the Republican National Committee, and did nothing with it. 

 

On the Trump side of the ledger … well, things are sure murkier. We know Trump’s political advisers had major ties to Russia and Ukraine, but none of this was surprising given the authoritarian-friendly lobbying climate within Washington. And given that Trump has refused to disclose his tax returns, which many believe are the “Holy Grail” to all of this, a commercial alliance with Lord Putin necessarily remains conjecture.

But make no mistake. What we have here is clearly cyber-espionage of the most sophisticated variety.

What we are up against


The press has been making a big thing about a Canadian military deployment later this year: 450 soldiers to Latvia and leading a NATO battle group that will include forces from Albania, Italy, Poland, Slovenia and Spain. They will liaise closely with other battle groups in the region led by Germany, the U.K., and the U.S.

The purpose: to collectively demonstrate NATO resolve against any physical incursion into the Baltics.

It is an easy sell, politically. Deterrence, reassurance and confidence-building. RAH, RAH!! Counter-insurgency (Afghanistan), counter-terrorism (Daesh), peace-restoration (UN) … eh, a bit tougher.

As Brett Boudreau, an analyst for Veritas, puts it:

The Baltic states are democratic, enjoy a high quality of life, and are deeply supportive of the deployment. There are no dams to rebuild, no schools to repair, no humanitarian support needed, and no villages to wrest from insurgent groups. Easy.

Well, CNN might be pissed off. I mean, can you see Wolf Blitzer reporting from his infernal “Situation Room” on all those “being there” activities: neighborhood patrols, hockey games amongst soldiers, Eurovision parties? Damn! How about some special operations forces helping to direct fire onto Daesh positions!

Russia is far too clever to send troops across the border of a NATO member. No matter how ambivalent Emperor Looney seems to be about Europe, somebody would trigger the Article 5 provision and a strong military response would be the rage.

No, instead, the Canadian deployment will be targeted with a significant disinformation campaign of industrial scale and scope. The “information effect” is central to Russian operational efforts. The capability is massively resourced, remarkably well done, and is always ‘on’ across multiple information channels, backed by the fearless use of diplomacy, military and economic instruments of national power.

As I learned from chatting with some sources at the U.S. Cyber Command, NATO militaries (and Western intelligence in general) have been slow to evolve a response to these new threats. Yes, we have seen some major investment in cyber defence. But the military mindset is still based on a career of training for physical battlegrounds and the use of kinetic weapons, not missions fought in the information space. One thing I learned from Colonel Duvinage (noted above): it has been a struggle to change the organization, structure, doctrine and policies necessary to best employ and empower our capabilities to fight today’s internet-driven, inform-influence-persuade campaigns.

Bang, straight on: communications technology, particularly the Internet and smart phones, has changed how operations are conducted — particularly non-combat missions — and has evolved much faster than our military forces and security institutions have been able to adapt.

So what should Canadians expect? Well, here is a “laundry list” from several sources based on Russian activity across the Baltic states already, and Ukraine:

  • Beware bad behavior on the part of any military personnel. It will be used to discredit everybody and, as in Ukraine, fictitious improprieties will be created.
  • Watch for “honey-traps,” stories of women being molested or raped, reference to occupying forces and the ‘mistreatment’ of the local Russian-speaking population.
  • A favorite: thugs may be hired to elicit reactions by soldiers including fighting: these ‘impromptu’ events will be filmed and used against military forces.
  • On-line news sites will feature massive amounts of commentary from “trolls,” people paid to engage in and dominate the on-line space. Spouses of deployed members might be phoned and told their loved one has died (it has been done many times). Soldiers could receive legitimate-looking emails or posts claiming a major crisis at home requiring their immediate attention.
  • Social media accounts of soldiers will be studied for vulnerabilities, and exploited. This is all carefully designed to destabilize, distract and discredit.

Yes, NATO is planning. They are hoping to deploy not a platoon of infantry but a platoon of communications practitioners, deploying spokespersons fluent in Russian and Latvian and embedded staff with long experience of serving or living in the region. They hope to monitor media and social media 24/7 in Russian, the Baltic languages, and those of countries providing forces.

But how did we get here?

OH, THOSE RUSSIANS …

When I was in Moscow recently to run an e-discovery review, I had the opportunity to chat with some cyber mavens from Kaspersky Lab. The chat was … ummm … insightful.

 

In an otherwise residential district of southwest Moscow, a nineteen-story gray-and-white high rise, surrounded by a modest fence, could at first glance be mistaken for an average apartment block. But there is something odd about it: only twelve of the floors have windows.

This building is the heart of the Russian Internet phone station … the building is called “M9” … containing a crucial Internet exchange point known as MSK-IX. Nearly half of Russia’s Internet traffic passes through this structure every day. I was told that yellow and gray fiber-optic cables snake through the rooms and hang in coils from the ceilings, connecting servers and boxes between the racks and between floors.

Most interesting? Google rents an entire floor on M9 to be as close as possible to the Internet exchange point of Russia. Each floor is protected by a thick metal door, accessible only to those with a special card.

On the eighth floor is a room occupied by the Federal Security Service, or Federalnaya Sluzhba Bezopasnosti, or the FSB, the main successor organization to the KGB. The FSB’s presence is evident on all the floors. Said my source:

Scattered among the communications racks throughout the building are a few electronic boxes the size of a video player. These boxes are marked SORM, and they allow the FSB officers in the room on the eighth floor to have access to all of Russia’s Internet traffic.

SORM stands for the Russian words meaning “operative search measure”. But the words imply much more.

At its simplest, the story of how Russia won the (first) Russo-American cyberwar is that Obama did not fight back and failed to protect America’s democracy from Putin’s well-orchestrated, wide-ranging cyber assault. Obama’s maddening naiveté … manifesting hardly for the first time during his presidency … demonstrated how poorly he understood his adversary, and unsurprisingly, Putin was emboldened on so many fronts.

Well, that and not understanding the Russian dynamic. At the European Electronic Warfare Symposium last year, one of the best presentations was by Dr. David Stupples, director of the Centre for Cyber Security Sciences at City University London. He made several points but here are the key ones from the presentation:

  1. Russia’s intelligence services decided years ago to make cyber warfare a national defense priority. They have become increasingly proficient in cyber operations as a result.
  2. From around 2007, Russia decided that information warfare was key to winning any world conflict, and that it was this area of capability and technology they decided would benefit from vastly increased military investment. What made this decision easier was that Russia was also home to the largest numbers of some of the world’s best hackers.
  3. The Democratic National Committee (DNC) was obviously not a high-value military target but it served a threefold motivation to hack its system: (i) demonstrate that Russia is on top of its game in this kind of shadowy warfare; (ii) embarrass the Democrats and undermine the presidential election process; and (iii) test U.S. security measures.
  4. This testing goes on all the time. Testing U.S. defenses would reveal to Moscow how Washington might react in response to further provocations. The goal of testing U.S. security measures is not now, nor has it in the past, proved to be a difficult objective for Moscow. The National Security Agency and FBI have both admitted that Russia had penetrated a significant number of sensitive U.S. infrastructure systems in order to test efficacy and document structure. I would surmise also to steal military secrets.

Read any of the major defense/cyber security journals … for example, Defense One or Cyber Brief … and you come away with a key point: Russia’s cyber warfare activities are not just random disruption or embarrassing revelations. What Russia is doing is linking cyber attacking and hacking with its open information warfare methods … propaganda disguised as news programming, funding of NGOs, etc., etc. … and in coordination with its military establishment’s use of electronic warfare.

By employing all three methods together in an integrated pattern of activity Moscow can achieve what its military theorists call “reflexive control” – in other words warping your adversary’s perceptions to the point where that adversary begins to unknowingly take wrong or damaging actions.

And Russia has a distinct advantage in the cyber realm because on a regular basis it engages the services of non-governmental cyber crime entities, which masks its role in cyber attacks. This is what the U.S. and others do not do – engage proxy cyber warriors. This is not to say we never use them. But as explained to me by Linda Nowak of Crowdstrike:

“What the Russians are saying is that we will make these criminal organizations our partners – recruiting them to do cyber work for the Russian state. The Kremlin promises its criminal partners it will turn a blind eye to their attacking banks, disrupting commerce in the West, stealing money, etc. so long as they make themselves available to do the odd job for Russia’s intelligence services and military”.

A presenter from NATO intelligence said they believe there are currently more than one million Russian programmers engaged in cyber crime. These programmers are affiliated with 40 Russian-based cyber crime rings. The United States and its partners could not feasibly match this level of manpower using only government agencies and employees.

A brief note about CrowdStrike: it was their analysis of the code and techniques used against the DNC, which resembled those from earlier attacks on the White House and the State Department, that led them to identify not one but two Russian intruders, names you have all heard in the media: Cozy Bear, which is believed to be affiliated with the FSB, Russia’s answer to the CIA; and Fancy Bear, which they had linked to the GRU, Russian military intelligence.

And let’s be very clear. Russian spies did not, of course, wait until the summer of 2015 to start hacking the United States. This past fall, in fact, marked the twentieth anniversary of the world’s first major campaign of state-on-state digital espionage. There are a lot of histories out there on this period, so just a few points:

 

In 1996, five years after the end of the USSR, the Pentagon began to detect high-volume network breaches from Russia. The campaign was an intelligence-gathering operation: whenever the intruders from Moscow found their way into a U.S. government computer, they binged, stealing copies of every file they could.

By 1998, when the FBI code-named the hacking campaign “Moonlight Maze”, the Russians were commandeering foreign computers and using them as staging hubs. At a time when a 56 kbps dial-up connection was more than sufficient to get the best of Pets.com and AltaVista, Russian operators extracted several gigabytes of data from a U.S. Navy computer in a single session. With the unwitting help of proxy machines – including a Navy supercomputer in Virginia Beach, a server at a London nonprofit, and a computer lab at a public library in Colorado – that accomplishment was repeated hundreds of times over. Eventually, the Russians stole the equivalent, as an Air Intelligence Agency estimate later had it, of “a stack of printed copier paper three times the height of the Washington Monument.”

One of the key points made this year at the Munich Security Conference was that Russia is extremely patient, more so than their American counterparts, when it comes to espionage. Rob Richer, former CIA Associate Deputy Director for Operations and formerly chief of Russian Operations, has often noted that when he was chief of Russia operations from 1995 to 1998 it was at a time when the CIA was catching Russia’s long term penetrations of the CIA, of the FBI, of NSA, and of the U.S. military. (There are numerous books on this period, too). Richer noted some of those people were developed over time. The Russians have no problem looking five, ten years down the road. The U.S. government tends to look at things in two to three year windows.

Richer gives this example: a CIA case officer arrives at a new station. His job is to recruit spies; he recruits them. That’s where he gets his credit. He turns them over to someone else. The handler doesn’t get as much credit as the person who has recruited the spy. The CIA is continually turning people over and looking for short-term gains. Whereas the Russians will have someone handle a guy for 10, 12, 15 years. The CIA keeps bumping into him.

But this “short-termism” is in so much of American culture. Americans live in political cycles and in assignment cycles. Every four to eight years, we have a new presidency. If you look at Congress, you look at the Senate, you look at Intelligence Oversight. There’s a high rate of turnover. And in the CIA you get a new director every administration. Each time, they have a different agenda.

The Russians put someone in charge of an intelligence service for more than a decade.

Yes, technology and the ability to manipulate the web and develop hacking skills – that’s modern history of the last three, four years. That was a game changer. But what did we do? The Western intelligence community spent billions to spy on everyone, while Russia stayed focused. The West turned into what it previously despised and feared (a surveillance state), while Russia stayed focused on getting its ducks in a row: further developed its human intelligence assets, further developed its targeted cyber-ops capability, showed off its developed weaponry in Syria, etc.

And Putin made brilliant use of old and new forms of propaganda to exploit political divisions. The leading element of this has been RT (Russia Today) which is not only one of the most widely watched (and heavily subsidized) global sources of state television propaganda (which claims 70 million weekly viewers and 35 million daily) but a vast social-media machinery as well. Added to its hidden influence is a vast network of Russian trolls – agents paid to spread disinformation and Russian propaganda points by posing as authentic and spontaneous commentators.

We always, always, always make the mistake of treating Russia as if it were backwards. Russia wants to be an equal world power, if not the world power. Putin in many ways thinks like a Czar. He wants that authority. He wants that control. So he sets a goal to be able to influence things in the United States, whether politically, using firms to lobby or through business deals.

Look at Syria. Does Putin really care about Syria? Of course not. Does he care about being a main player in the Middle East and showing that he has the clout to push the U.S. back? Yes, and that’s what he’s done. Look at Ukraine. This is more about the politics of presence and influence, than about the politics of actually what happens.

And do not discount the “fear factor”. Since huge swaths of society rose up in color revolutions in the former Yugoslavia in 2000, in Georgia in 2003, and in Ukraine in 2004-2005 – all to protest electoral fraud and bring about a transition from authoritarianism to democracy – Putin has behaved as if obsessed with fear that the virus of mass democratic mobilization might spread to Russia itself. Neither was he prepared to condone the “loss” of key parts of the former Soviet Union, such as Georgia and Ukraine, to any potential alliance structure with the West.

The U.S. is now a step back … far back. It must now accelerate its intelligence gathering on Russian intentions. That is the hardest intelligence to collect. It has to actively recruit target officers who have an understanding of intent against America. Since 9/11, the focus has been on combatting terrorism. We flooded Afghanistan with officers, then reduced them. We flooded Iraq with officers, then reduced them. EVERYTHING was flavored by what was happening across the Middle East.

COMING IN PART 2

But for Russian citizen activists, there is a bit of a disconnect between these amazing information-age tools and what they are able to get away with. We’ll discuss some flaws in the Russian surveillance system.

COMING IN PART 3


In the dark world of cyber-espionage, the finger of blame has often been pointed at China. With good reason. I shall leave you with this forbidding tale from a very knowledgeable hacker-turned-security expert:

So I had been hired by a large, online entertainment company. And here is the intrusion I found: the Chinese hacking team first went into a subcontractor, a global offshore payment processor that handled credit-card transactions, and then, having gained possession of that network, quietly entered the Company through a legitimate back door that had been installed on the Company’s network to administer consumer accounts. The initial breach was a work of art. The Chinese wrote a piece of customized software purely for that job. It was a one-of-a-kind ‘callback dropper,’ a Trojan horse that could be loaded with any of many malware modules, but otherwise stood empty, and regularly checked in with its masters to ask for instructions. Once inside the network, the Chinese were able to move laterally because the Company, for the sake of operational efficiency, had not compartmentalized its network.

First, using ‘bounce points’ within the network to further obscure their presence, the hackers went after the central domain controller, where they acquired their own administrative account, effectively compromising 100 million user names and passwords and gaining the ability to push software packages throughout the network.

 
Second, and more important, the Chinese headed into the network’s ‘build’ system, a part of the network where software changes are compiled and then uploaded to a content-distribution network for the downloading of updates to customers. In that position they acquired the ability to bundle their own software packages and insert them into the regular flow, potentially reaching 70 million personal computers or more.

 

But, for the moment, they did none of that. Instead they installed three empty callback Trojans on three separate network computers and left them standing there to await future instructions. I concluded that the purpose was to lay the groundwork for the rapid construction of a giant botnet.

We caught it. But you know what? I suspect this same payment processor vulnerability was clearly exploited at other companies, as well, as part of a plan to launch this giant botnet as part of a global cyber-war. Considering I only caught the attack due to one small error made by the hackers, the discovery is unnerving.
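The empty callback Trojans in the account above had one job: check in with their operators on a schedule and wait. That regularity is also the defender's first handle on them. The following is an added example, not code from the original post or from the expert quoted in it, showing one triage check a practitioner would run over outbound-connection logs: it groups connections by source host and destination, then flags pairs whose inter-connection gaps are both frequent and nearly constant. The log format, host names, addresses and timestamps are all constructed for illustration and are not drawn from the incident described.

```python
"""Beacon-interval detection over constructed outbound-connection logs.

Added example; assumes a simple "timestamp src dst:port bytes" log line
format. Host names and addresses are constructed, not real.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample: ws-117 calls one external host every ~5 minutes,
# while ws-042 shows ordinary, irregular browsing and intranet traffic.
SAMPLE_LOG = """\
2017-03-20T09:00:00 ws-117 198.51.100.23:443 412
2017-03-20T09:00:07 ws-042 intranet.example.internal:80 9212
2017-03-20T09:05:01 ws-117 198.51.100.23:443 408
2017-03-20T09:10:00 ws-117 198.51.100.23:443 415
2017-03-20T09:11:30 ws-042 cdn.example.com:443 51230
2017-03-20T09:15:02 ws-117 198.51.100.23:443 410
2017-03-20T09:19:59 ws-117 198.51.100.23:443 409
2017-03-20T09:25:00 ws-117 198.51.100.23:443 411
2017-03-20T09:27:45 ws-042 cdn.example.com:443 48011
2017-03-20T09:30:01 ws-117 198.51.100.23:443 413
2017-03-20T09:52:10 ws-042 cdn.example.com:443 50420
2017-03-20T10:03:33 ws-042 intranet.example.internal:80 8800
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<bytes>\d+)$"
)


def parse_log(text):
    """Group connection timestamps by (source host, destination)."""
    conns = defaultdict(list)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:  # skip malformed lines rather than abort the whole sweep
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")
        conns[(m.group("src"), m.group("dst"))].append(ts)
    return conns


def beacon_candidates(conns, min_events=5, max_jitter=0.15):
    """Return (src, dst) pairs whose connection gaps are frequent and near-constant.

    jitter is the coefficient of variation (pstdev / mean) of the gaps between
    consecutive connections: a human-driven session produces large values,
    a timer-driven implant produces values near zero.
    """
    hits = []
    for (src, dst), stamps in conns.items():
        if len(stamps) < min_events:
            continue
        stamps = sorted(stamps)
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:  # all events share one timestamp; nothing periodic to measure
            continue
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            hits.append({"src": src, "dst": dst, "count": len(stamps),
                         "mean_interval_s": mean, "jitter": jitter})
    return sorted(hits, key=lambda h: h["jitter"])


if __name__ == "__main__":
    for hit in beacon_candidates(parse_log(SAMPLE_LOG)):
        print(f"{hit['src']} -> {hit['dst']}: {hit['count']} connections, "
              f"every ~{hit['mean_interval_s']:.0f}s, jitter {hit['jitter']:.3f}")
```

Treat the output as a triage list rather than a verdict: update checkers, monitoring agents and mail clients also poll on timers, so each flagged destination still needs an analyst to establish what it is, and an implant that randomises its sleep interval will not clear a tight jitter threshold, which is why `min_events` and `max_jitter` are left as tuning knobs rather than fixed constants.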

And coming in Part 4 and beyond ….

 

After Part 3 we start to roll out our video interviews mentioned at the start of this article and discuss not only the importance of technology in cyber security but also the need to understand the human element. Yes, we need to deal with firewalls, routers, wireless access points, physical aspects such as locks, security guards and fences. And the latest “new new” thing: applying AI and machine learning to the cybersecurity problem. But there is so much more.

 

So in Part 3 we start with our video interviews of David Grout of FireEye who sets the table for us and puts all of cyber security in perspective.

 
