Thursday, 17 December 2020

Media Blame Russia For Cyber Intrusions Without Providing Evidence

 Moon of Alabama 

To keep Moon of Alabama up and running is a significant effort. Please help me to sustain it. - b

As soon as someone hacked something the media start to blame Russia. This even when there is no evidence that Russia hacked anything.

On Tuesday, December 8, the network security company FireEye reported of a recent attack on its network:

Based on my 25 years in cyber security and responding to incidents, I’ve concluded we are witnessing an attack by a nation with top-tier offensive capabilities. This attack is different from the tens of thousands of incidents we have responded to throughout the years. The attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past.

We are actively investigating in coordination with the Federal Bureau of Investigation and other key partners, including Microsoft. Their initial analysis supports our conclusion that this was the work of a highly sophisticated state-sponsored attacker utilizing novel techniques.

Intruding a cybersecurity company is a mistake as the chance of getting caught is significantly higher that during an intrusion into other environments. The intruders allegedly made off with some tools which likely can also be found in the wild.

On Sunday FireEye updated its analysis and provided technical details. This really was a sophisticated operation that must have cost significant resources:

We have identified a global campaign that introduces a compromise into the networks of public and private organizations through the software supply chain. This compromise is delivered through updates to a widely-used IT infrastructure management software—the Orion network monitoring product from SolarWinds. The campaign demonstrates top-tier operational tradecraft and resourcing consistent with state-sponsored threat actors.

Based on our analysis, the attacks that we believe have been conducted as part of this campaign share certain common elements:

  • Use of malicious SolarWinds update: Inserting malicious code into legitimate software updates for the Orion software that allow an attacker remote access into the victim’s environment
  • Light malware footprint: Using limited malware to accomplish the mission while avoiding detection
  • Prioritization of stealth: Going to significant lengths to observe and blend into normal network activity
  • High OPSEC: Patiently conducting reconnaissance, consistently covering their tracks, and using difficult-to-attribute tools

Based on our analysis, we have now identified multiple organizations where we see indications of compromise dating back to the Spring of 2020, and we are in the process of notifying those organizations. Our analysis indicates that these compromises are not self-propagating; each of the attacks require meticulous planning and manual interaction.

Neither FireEye nor Microsoft named any suspected actor behind the 'difficult-to-attribute' intrusion effort. Next to the NSA and Britain's GHCQ there are at least Israel, China and maybe Russia which do have such capabilities. But whoever had the chutzpah to intrude the cybersecurity company FireEye also blew up their own operation against many targets of much higher value. Years of work and millions of dollars went to waste because of that one mistake.

Despite the lack of evidence that points to a specific actor 'western' media immediately blamed Russia for the spying attempt.

As Reuters reported on Sunday:

Hackers believed to be working for Russia have been monitoring internal email traffic at the U.S. Treasury and Commerce departments, according to people familiar with the matter, adding they feared the hacks uncovered so far may be the tip of the iceberg.

The hack is so serious it led to a National Security Council meeting at the White House on Saturday, said one of the people familiar with the matter.
...
The U.S. government has not publicly identified who might be behind the hacking, but three of the people familiar with the investigation said Russia is currently believed to be responsible for the attack. Two of the people said that the breaches are connected to a broad campaign that also involved the recently disclosed hack on FireEye, a major U.S. cybersecurity company with government and commercial contracts.

In a statement posted here to Facebook, the Russian foreign ministry described the allegations as another unfounded attempt by the U.S. media to blame Russia for cyberattacks against U.S. agencies.

'People familiar with the issue' say 'Russia is believed to be responsible'. Well, some kids familiar with wobbly teeth believe in the tooth fairy. What is that 'believe' based on?

The Associated Press reported on the wider aspect of the intrusions and also blamed Russia:

Hackers broke into the networks of the Treasury and Commerce departments as part of a monthslong global cyberespionage campaign revealed Sunday, just days after the prominent cybersecurity firm FireEye said it had been breached in an attack that industry experts said bore the hallmarks of Russian tradecraft.

I have read FireEye's and Microsoft's detailed technical analysis of the intrusion and took a look at the code. As a (former) IT professional very familiar with network management, I have seen nothing in it that points to Russia. Who are those 'industry experts' who make such unfounded claims?

In response to what may be a large-scale penetration of U.S. government agencies, the Department of Homeland Security’s cybersecurity arm issued an emergency directive calling on all federal civilian agencies to scour their networks for compromises.

The threat apparently came from the same cyberespionage campaign that has afflicted FireEye, foreign governments and major corporations, and the FBI was investigating.

“This can turn into one of the most impactful espionage campaigns on record,” said cybersecurity expert Dmitri Alperovitch.

Ah - the AP talked to Alperovitch, the former chief technical officer of the cybersecurity firm CrowdStrike. The company which in 2016 claimed that Russia had stolen emails from the Democratic National Council but could not provide any evidence of that to the FBI. The company that admitted in Congress testimony that it did not see any exfiltration of emails from the DNC and had no evidence that Russia was involved. Alperovitch is also the 'industry expert' who falsely claimed that Russia hacked into an application used by the Ukrainian artillery. The same Alperovich who is a Senior Fellow of the anti-Russian lobbying organization Atlantic Council. Alperovitch apparently has never seen a software bug or malware that was not made by Russia.

Quoting an earlier version of the above AP story Max Abrams predicted:

Max Abrahms @MaxAbrahms - 3:20 UTC · Dec 14, 2020

“The U.S. government did not publicly identify Russia as the culprit behind the hacks, first reported by Reuters, and said little about who might be responsible.”

You know this story will be retold as all 17 intel agencies 100% certain Putin is behind it.

That is indeed likely to happen.

Even while there is no hint in the intrusion software where it might have come from the media all started to blame Russia.

On Sunday, in its first report on the attack, the New York Times headlined:

Russian Hackers Broke Into Federal Agencies, U.S. Officials Suspect

Its chief propagandist David Sanger wrote:

The Trump administration acknowledged on Sunday that hackers acting on behalf of a foreign government — almost certainly a Russian intelligence agency, according to federal and private experts — broke into a range of key government networks, including in the Treasury and Commerce Departments, and had free access to their email systems.
...
News of the breach, reported earlier by Reuters, came less than a week after the National Security Agency, which is responsible for breaking into foreign computer networks and defending the most sensitive U.S. national security systems, issued a warning that “Russian state-sponsored actors” were exploiting flaws in a system broadly used in the federal government.

That warning by the NSA was about a known vulnerability in VMware, a software issue that is completely unrelated to the intrusions FireEye had detected and which targeted multiple government agencies.

Not bothering with facts the NYT continued its insinuations:

At the time, the N.S.A. refused to give further details of what had prompted the urgent warning. Shortly afterward, FireEye announced that hackers working for a state had stolen some of its prized tools for finding vulnerabilities in its clients’ systems — including the federal government’s. That investigation also pointed toward the S.V.R., one of Russia’s leading intelligence agencies. It is often called Cozy Bear or A.P.T. 29, and it is known as a traditional collector of intelligence.

No, the investigation by FireEye does not point in any direction. The company did not name a suspected actor and it did not mention Russia or the S.V.R. at all. The intrusion is also in no way similar to those phishing attempts that some have named Cozy Bear or APT 29.

The Times then further discredits itself by quoting the anti-Russian nutter Alperovich.

On Monday another NYT piece, co-written by Sanger, describes the wider attack and includes the word 'Russia' 23 times! But it does not provide any evidence for any Russian involvement in the case. This is the nearest it comes to:

The early assessments of the intrusions — believed to be the work of Russia’s S.V.R., a successor to the K.G.B. — suggest that the hackers were highly selective about which victims they exploited for further access and data theft.

'Believed to be' the tooth fairy?

The piece also falsely insinuates that FireEye has linked the attack to Russia:

FireEye said that despite their widespread access, Russian hackers exploited only what was considered the most valuable targets.

Nowhere did FireEye say anything about Russian hackers. It only stated that the intrusions were specifically targeted. The implication of Russia only happened in the NYT writers' heads.

Reuters reports today:

On Monday, SolarWinds confirmed that Orion - its flagship network management software - had served as the unwitting conduit for a sprawling international cyberespionage operation. The hackers inserted malicious code into Orion software updates pushed out to nearly 18,000 customers.

And while the number of affected organizations is thought to be much more modest, the hackers have already parlayed their access into consequential breaches at the U.S. Treasury and Department of Commerce.

Three people familiar with the investigation have told Reuters that Russia is a top suspect, although others familiar with the inquiry have said it is still too early to tell.

As of now no one but the people behind the intrusion know where it has come from.

SolarWinds, the company behind the network management software that was abused to intrude agencies and companies, is known for a lack of security:

SolarWinds’ security, meanwhile, has come under new scrutiny.

In one previously unreported issue, multiple criminals have offered to sell access to SolarWinds’ computers through underground forums, according to two researchers who separately had access to those forums.

One of those offering claimed access over the Exploit forum in 2017 was known as “fxmsp” and is wanted by the FBI “for involvement in several high-profile incidents,” said Mark Arena, chief executive of cybercrime intelligence firm Intel471. Arena informed his company’s clients, which include U.S. law enforcement agencies.

Security researcher Vinoth Kumar told Reuters that, last year, he alerted the company that anyone could access SolarWinds’ update server by using the password “solarwinds123”

“This could have been done by any attacker, easily,” Kumar said.

And that's it.

Any significant actor with the necessary resources could have used the publicly known SolarWinds' password to sneak some malware into the Orion software update process to thereby intrude SolarWinds' customers and spy on them. Without further definitive evidence there is no reason to attribute the intrusions to Russia.

If anyone is to blame it is surely SolarWinds which has learned nothing from the attack. Monday night, days after it was warned, its infected software was still available on its servers. It seems that the SolarWinds people were busy with more important issues than their customers' security:

Top investors in SolarWinds, the Texas-based company whose software was breached in a major Russian cyberattack, sold millions of dollars in stock in the days before the intrusion was revealed.

The timing of the trades raises questions about whether the investors used inside information to avoid major losses related to the attack. SolarWinds’s share price has plunged roughly 22 percent since the company disclosed its role in the breach Sunday night.

Note the casual use of 'Russian cyberattack', for which there is no evidence, in the very first sentence.

Silver Lake, a Silicon Valley investor with a history of high-profile tech deals including Airbnb, Dell and Twitter, sold $158 million in shares of SolarWinds on Dec. 7 — six days before news of the breach became public. Thoma Bravo, a San Francisco-based private equity firm, also sold $128 million of its shares in SolarWinds on Dec. 7.

Together, the two investment firms own 70 percent of SolarWinds and control six of the company’s board seats, giving the firms access to key information and making their stock trades subject to federal rules around financial disclosures.

Well, grifters are gonna grift.

And 'western' mainstream writers will blame Russia for anything completely independent of what really happened.

 

Posted by b on December 16, 2020 at 19:07 UTC | Permalink 

https://www.moonofalabama.org/2020/12/media-blame-russia-for-cyber-intrusions-without-providing-evidence.html#more

0 Comments:

Post a Comment

Subscribe to Post Comments [Atom]

<< Home