Russian Cyberspies Caught With Mittens in Cyber Cookie Jar

Russian cyberspies — unlike their Chinese counterparts — have a reputation for stealth, so it’s unusual when two digital espionage operations linked to the Kremlin come to light in a week.

FireEye early last week released a report detailing how hackers working for the Russian government have been using sophisticated techniques over a seven-year period to penetrate computer systems at governments, military branches, security organizations and even NATO.

The report contrasts the Russian operation, which FireEye calls “APT28,” with similar cyber-raids by hackers affiliated with the Chinese government.

“APT28 does not appear to conduct widespread intellectual property theft for economic gain,” FireEye threat researcher Dan McWhorter noted.

“Instead, APT28 focuses on collecting intelligence that would be most useful to a government,” he pointed out. “Specifically, FireEye found that since at least 2007, APT28 has been targeting privileged information related to governments, militaries and security organizations that would likely benefit the Russian government.”

White House Caper

On the heels of the FireEye report, The Washington Post, citing confidential sources, reported that hackers affiliated with the Russian government had breached some unclassified computer networks at the White House.

Although the attackers’ presence on the White House networks went unnoticed by users, the investigation of the breach did not: users experienced service disruptions as the FBI, Secret Service and NSA worked to contain the intrusion.

Keeping an operation like APT28 undiscovered for so many years attests to the stealth skills of the Russian hackers, but it also may point to deficiencies in detection methodologies.

“The cybersecurity industry has obsessively focused on a very narrow range of defenses that the Russians know how to circumvent,” Scott Borg, CEO and chief economist with the U.S. Cyber Consequences Unit, an independent, nonprofit research institute, told TechNewsWorld.

“They look obsessively for penetration while not noticing stuff happening in the system because they’d already been penetrated,” he explained. “They were looking for new penetrations, and the penetrations had already been accomplished.”

Won’t Play in Sandbox

One reason more Russian attacks are being exposed may be that there are just more of them.

“There’s been a dramatic escalation in their attacks,” Tom Kellermann, chief cybersecurity officer for Trend Micro, told TechNewsWorld.

Other factors are contributing to discovery of Russian attacks, too.

“There are certain technical indicators that have commonality,” Kellermann said. “That’s why they’re becoming more widely disclosed.”

That doesn’t mean, however, that it’s any easier to detect a Russian breach now than in the past. For example, a common technique for identifying a malicious file is to isolate it from the production system and run it in a sandbox, watching for the payload to execute.

“One of the limitations of sandboxing is that it expects the payload to detonate once it hits the sandbox,” Kellermann explained, “but if the payload has a timer on it or is searching for human interaction, or looking for commands in another language, it won’t detonate.”
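The three gates Kellermann names (a delay timer, a check for human interaction, a locale check) are easy to model. The following is an added example written for this page, not code from FireEye, Trend Micro or any sample in the report; the environment fields, thresholds and target-locale list are assumptions chosen for illustration. It shows why a sandbox with a fixed analysis window sees nothing, and which sandbox changes (clock acceleration, synthetic input, a matching keyboard layout) make the same sample fire.

```python
"""Model of a payload that refuses to run unless three checks pass:
minimum uptime (timer), evidence of a human at the keyboard, and a
keyboard layout from its target list. All values are constructed."""
from dataclasses import dataclass


@dataclass
class Environment:
    uptime_s: int                 # seconds since boot as the sample sees it
    mouse_moves: int              # distinct cursor positions observed so far
    keyboard_layouts: tuple       # installed input locales, e.g. ("en-US",)
    clock_skew: float = 1.0       # >1.0 if the sandbox accelerates sleeps


MIN_UPTIME_S = 10 * 60            # assumed: refuse to run if booted <10 min ago
MIN_MOUSE_MOVES = 5               # assumed: demand some cursor movement
TARGET_LAYOUTS = {"en-US", "ru-RU", "uk-UA"}   # hypothetical target list


def gates(env):
    """Evaluate each evasion check separately so a failure is attributable."""
    return {
        "timer": env.uptime_s >= MIN_UPTIME_S,
        "human": env.mouse_moves >= MIN_MOUSE_MOVES,
        "locale": any(l in TARGET_LAYOUTS for l in env.keyboard_layouts),
    }


def should_detonate(env):
    return all(gates(env).values())


def detonate_in_window(env, analysis_window_s, sleep_s=15 * 60):
    """Simulate a sample that sleeps sleep_s of its own clock time before
    checking its gates. Wall-clock time spent sleeping is sleep_s divided
    by the sandbox's clock acceleration; if that exceeds the analysis
    window, the sandbox ends before the payload ever runs."""
    wall_clock_sleep = sleep_s / env.clock_skew
    if wall_clock_sleep > analysis_window_s:
        return False, "still sleeping when analysis ended"
    woke = Environment(env.uptime_s + sleep_s, env.mouse_moves,
                       env.keyboard_layouts, env.clock_skew)
    g = gates(woke)
    if all(g.values()):
        return True, "detonated"
    return False, "gates failed: " + ",".join(k for k, v in g.items() if not v)


# Constructed profiles. A default sandbox boots fresh, has no user and
# stops after a few minutes; a hardened one fakes the things the gates test.
DEFAULT_SANDBOX = Environment(uptime_s=120, mouse_moves=0,
                              keyboard_layouts=("en-US",))
VICTIM_HOST = Environment(uptime_s=3 * 3600, mouse_moves=400,
                          keyboard_layouts=("en-US", "ru-RU"))
HARDENED_SANDBOX = Environment(uptime_s=2 * 86400, mouse_moves=50,
                               keyboard_layouts=("en-US", "ru-RU"),
                               clock_skew=100.0)

if __name__ == "__main__":
    for name, env in [("default sandbox", DEFAULT_SANDBOX),
                      ("victim host", VICTIM_HOST),
                      ("hardened sandbox", HARDENED_SANDBOX)]:
        print(name, detonate_in_window(env, analysis_window_s=180))
```

The same 15-minute sleep that defeats a three-minute analysis window costs nine seconds of wall-clock time once the sandbox accelerates the clock; the remaining gates are satisfied by synthetic input and a realistic uptime, which is the point of hardening a sandbox rather than simply running it longer.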

Even if defenders identify those sandbox evasion techniques and cut off the command-and-control link between the malware and its Russian operators, they still may be outmaneuvered.

“The attackers will install a secondary command-and-control so the first command-and-control link is like a one-time use thing — like Snapchat,” Kellermann said.
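The fallback-channel behaviour Kellermann describes leaves a detectable trace: a host whose traffic to a known C2 domain has just been blocked, and which then starts talking to a domain nobody in the environment had contacted before. The following is an added example for this page, not code from any vendor or the original article; the proxy log lines are constructed, the domains use the reserved `.invalid` TLD, and the ten-minute fallback window is an assumed tuning value.

```python
"""Find hosts that pivot to a never-before-seen domain shortly after a
known C2 indicator is blocked, and compare beacon cadence between the
blocked channel and the candidate fallback. Log data is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log: "timestamp src_ip dest_domain action bytes"
SAMPLE_LOG = """\
2014-10-28T09:00:01Z 10.1.4.22 updates.example-vendor.com ALLOW 5120
2014-10-28T09:00:05Z 10.1.4.22 cdn.example-news.com ALLOW 22100
2014-10-28T09:01:10Z 10.1.4.22 primary-c2.invalid ALLOW 412
2014-10-28T09:31:12Z 10.1.4.22 primary-c2.invalid BLOCK 0
2014-10-28T09:33:40Z 10.1.4.22 fallback-c2.invalid ALLOW 398
2014-10-28T10:03:41Z 10.1.4.22 fallback-c2.invalid ALLOW 401
2014-10-28T09:31:30Z 10.1.4.37 cdn.example-news.com ALLOW 18000
2014-10-28T09:32:00Z 10.1.4.37 mail.example-corp.com ALLOW 900
2014-10-28T09:45:00Z 10.1.4.51 primary-c2.invalid BLOCK 0
2014-10-28T09:46:00Z 10.1.4.51 cdn.example-news.com ALLOW 1500
"""

BLOCKED_INDICATORS = {"primary-c2.invalid"}   # the C2 that was cut off
FALLBACK_WINDOW = timedelta(minutes=10)       # assumed tuning value


def parse(log_text):
    """Return events as (timestamp, src_ip, domain, action, bytes), sorted."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dom, action, nbytes = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       src, dom, action, int(nbytes)))
    return sorted(events)


def find_fallback_c2(log_text, known_c2=BLOCKED_INDICATORS, window=FALLBACK_WINDOW):
    """Hosts that hit a blocked indicator and, within `window`, reach a
    domain absent from the whole population's pre-block baseline."""
    events = parse(log_text)
    block_times = defaultdict(list)
    for ts, src, dom, action, _ in events:
        if dom in known_c2 and action == "BLOCK":
            block_times[src].append(ts)
    if not block_times:
        return []
    first_block = min(t for times in block_times.values() for t in times)
    # Anything any host reached before the first block is assumed benign
    # infrastructure; the fallback channel, by design, is not in that set.
    baseline = {e[2] for e in events if e[0] < first_block}
    hits = set()
    for ts, src, dom, action, _ in events:
        if action != "ALLOW" or dom in baseline or dom in known_c2:
            continue
        for bt in block_times.get(src, []):
            if timedelta(0) <= ts - bt <= window:
                hits.add((src, dom, ts.isoformat()))
    return sorted(hits)


def beacon_intervals(events, src, dom):
    """Seconds between successive contacts from src to dom; a fallback
    channel often inherits the implant's original check-in cadence."""
    times = [ts for ts, s, d, _, _ in events if s == src and d == dom]
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]


if __name__ == "__main__":
    for src, dom, when in find_fallback_c2(SAMPLE_LOG):
        ev = parse(SAMPLE_LOG)
        print(f"{src} -> {dom} first seen {when}; "
              f"fallback cadence {beacon_intervals(ev, src, dom)} s, "
              f"blocked channel cadence "
              f"{beacon_intervals(ev, src, 'primary-c2.invalid')} s")
```

In the constructed data only 10.1.4.22 is flagged: 10.1.4.51 also hits the blocked domain but then visits a baseline domain, and the ~30-minute cadence on the new domain matches the cadence on the one that was cut off, which is the kind of corroboration an analyst wants before calling it a secondary C2.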

New Cold War

“What worries me most here is that since July, there’s been a dramatic increase in sophistication, organization and escalation of attacks on significant U.S. interests coming from entities in the former Soviet bloc,” Kellermann said.

“A lot of the people who used to target financial institutions and perform financial crimes are now acting in a patriotic fashion for Russia,” he added.

When put in a broader context, the acceleration in cyberattacks affiliated with Russia can be very disturbing.

“It’s quite troubling that geopolitical tensions are now escalating in a cybercontext,” Kellermann observed.

“We’ve seen this with Iran,” he continued. “We’ve seen it with North Korea, and in a limited fashion, with the Russian regime in Estonia and Georgia. But what we’re seeing now is a campaign of infiltration that’s truly unprecedented.”

Although the U.S. has cast China as a cyberbogeyman in the past, those views may change if Russia continues to step up its network attacks.

“The Chinese are not intent on causing the United States any harm, especially through a cyberattack,” Bill Hagestad II, author of several books on Chinese cyberwarfare, told TechNewsWorld.

“They want harmony and peace with us as much as we do,” said Hagestad, who recently visited both China and Russia.

“Russia, on the other hand, is still fighting the cold war,” he added. “They do not like Americans.”

Breach Diary

  • Oct. 27. Direct Marketing Association distributes to members attending its conference in San Diego “The Essential Guide to Data Breach Notification,” a set of guidelines for handling data breaches.
  • Oct. 28. FireEye releases report on seven-year cyber espionage campaign by Russia to steal sensitive data related to governments, military branches and security firms worldwide.
  • Oct. 28. The Washington Post reports hackers believed to be working for the Russian government breached unclassified White House computer networks in recent weeks.
  • Oct. 28. California Attorney General Kamala Harris reports her office received 167 data breach notifications in 2013, a 28 percent increase over 2012. Breaches affected 18.5 million records belonging to residents of her state, a 600 percent increase over the prior year.
  • Oct. 28. Arizona Republic reports that personal information of 44,000 Arizona retirees is at risk after two disks containing unencrypted data were lost in transit between the Arizona State Retirement System and a benefits company in Kansas City, Missouri.
  • Oct. 29. Drupal Security Team advises users of the software to immediately apply a security patch issued October 15. It also warns that unless the patch was applied within hours of its release (by 11 p.m. UTC on Oct. 15), a Drupal 7 website should be assumed to be compromised. It’s estimated that Drupal is used on some 12 million websites.
  • Oct. 29. MCX reports the email provider for testers of its CurrentC mobile payment app suffered a data breach in which an unspecified number of email addresses were compromised. CurrentC is expected to be a competitor to Apple Pay, Apple’s mobile payment platform.
  • Oct. 30. Credit Union National Association reports Home Depot data breach cost its members US$60 million. By comparison, the Target breach cost credit unions $30 million.
  • Oct. 30. EY survey of 1,825 organizations in 60 countries finds more than half of them (53 percent) said lack of skilled resources was one of the main challenges facing their information security programs.

Upcoming Security Events

  • Nov. 3-5. FS-ISAC EU Summit. 155 Bishopsgate, London, UK. Registration: free, members; non-member, $1,750; core member, $1,500; standard, $1,250; government, $750.
  • Nov. 4. The Road to a Secure Email Channel: Uncovering the Blind Spots with DMARC Data. 11 a.m. ET. Webinar sponsored by Agari. Free with registration.
  • Nov. 5. Strategies for Third-Party Software Security that Actually Work. Noon ET. Webinar sponsored by Veracode. Free with registration.
  • Nov. 5. More Detection, Less Defense: How to be more agile. 1 p.m. ET. Webinar sponsored by BAE Systems. Free with registration.
  • Nov. 5. Bay Area Secureworld. Santa Clara Convention Center, Santa Clara, California. Registration: $695, two days; $545, one day.
  • Nov. 5. FedCyber 2014 Annual Summit. Tysons Corner Marriott, 8028 Leesburg Pike, Tysons Corner, Virginia. Registration: free, government; $106.49, academics; $626.92, industry.
  • Nov. 6. B-Sides Iceland. Tjarnarbíó, Reykjavík, Iceland. Free.
  • Nov. 8. B-Sides Dallas-Fort Worth. University of Texas-Dallas (UTD), ECSS building, 800 West Campbell Rd, Richardson, Texas. Free.
  • Nov. 8. B-Sides Jackson. Southern Farm Bureau Casualty, 1800 E. County Rd. #400, Jackson, Mississippi. Free.
  • Nov. 12-13. Seattle Secureworld. Meydenbauer Center, Seattle. Registration: $695, two days; $545, one day.
  • Nov. 14-15. B-Sides Delaware. Wilmington University, 320 North Dupont Highway, New Castle, Delaware. Free.
  • Nov. 15. B-Sides Jacksonville. The Sheraton Hotel, 10605 Deerwood Park Blvd., Jacksonville, Florida. Free.
  • Nov. 19. Stealing from Uncle Sam. 7:30 a.m.-1:30 p.m. ET. Newseum, Washington, D.C. Registration: government and press, free; before Nov. 19, $495; Nov. 19, $595.
  • Nov. 20. Amazon AWS Services’ Security Basics — Escalating Privileges from EC2. 2 p.m. ET. Black Hat webcast. Free with registration.
  • Nov. 21-22. B-Sides Charleston. College of Charleston campus, Charleston, South Carolina. Free.
  • Nov. 22. B-Sides Vienna. Top Kino, Rahlgasse 1 (corner of Theobaldgasse), 1060 Vienna, Austria. Free.
  • Dec. 2-4. Gartner Identity & Access Management Summit. Caesars Palace, Las Vegas, Nevada. Registration: before Oct. 4, $2,150; after Oct. 4, $2,450; public employees, $2,050.
  • Dec. 5. Be an Onion not an Apple. 9 a.m.-4 p.m. ET. Capitol Technology University, 11301 Springfield Rd., Laurel, Maryland. Workshop sponsored by Cybersecurity Forum Initiative. $195/seat.
  • Dec. 8-11. Black Hat Trainings. The Bolger Center, Potomac, Maryland. Course registration: before Nov. 1, $2,500-$3,800; before Dec. 6, $2,700-$4,000; after Dec. 10, $3,800-$4,300.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.
