A Brief History of Russian Hackers’ Evolving False Flags
Credit to Author: Andy Greenberg| Date: Mon, 21 Oct 2019 21:51:53 +0000
Most hackers know how to cover their tracks. But Russia’s elite groups are working at a whole other level.
Deception has always been part of the hacker playbook. But it's one thing for intruders to hide their tracks, and another to adopt an invented identity, or even frame another country for a cyberattack. Russia's hackers have done all of the above, and now have gone one step further. In a series of espionage cases, they hijacked another country's hacking infrastructure and used it to spy on victims and deliver malware.
On Monday, the NSA and Britain's GCHQ published warnings that a Russian hacker group known as Turla or Waterbug has for years carried out a convoluted new form of espionage: It took over the servers of an Iranian hacker group, known as OilRig, and used them to advance Russia's aims.
While Symantec and other cybersecurity firms had spotted Turla's piggybacking earlier this year, the US and UK intelligence agencies have now outlined the operation's sheer scale. The Russian team spied on victims in 35 countries, all of whom might have believed on first inspection that the intruders were instead Iranian. "We want to send a clear message that even when cyber actors seek to mask their identity, our capabilities will ultimately identify them," according to the statement from Paul Chichester, the NCSC’s director of operations.
But while Turla was ultimately unmasked, the operation adds a new dimension of uncertainty for digital investigators. More broadly, it shows the fast-evolving nature of how hackers hide behind false flags. Just a few years ago they were wearing clumsy masks; now they can practically wear another group's identity as a second skin. And while other countries have dabbled in the practice—North Korea famously hacked Sony Pictures under the moniker "Guardians of Peace"—no one has pushed that progress more than the Russians.
"Their aggressive cyberactivity sits on a foundation of substantial experience in active measures," says John Hultquist, director of intelligence analysis at threat intelligence firm FireEye. "There's no question that they’re at the bleeding edge of the problem."
Starting as early as 2014, Russian hackers have chosen from a proverbial grab bag of disguises to create a layer of confusion. In May of that year, for instance, a group calling itself Cyber Berkut hacked Ukraine's Central Election Commission in the midst of the country's post-revolution election. "Berkut" is Ukrainian for "eagle," and also the name of a police force that supported the pro-Russian regime in the revolution and killed more than 100 protestors. The Cyber Berkut hackers posted a political message to the commission's website under the guise of activists accusing the Ukrainian government of corruption. They later planted an image on the commission's web server that showed fake voting results on election day, putting the ultra-far-right candidate Dmytro Yarosh in the lead.
Though the commission managed to discover and delete the image before the voting results were released, Russian media ran with the fake tally nonetheless, hinting at collaboration between the hackers, Russian TV networks, and the Kremlin. Cyber Berkut was later revealed to be a front for the Russian military intelligence hacker group known as APT28 or Fancy Bear.
Over the following years, the GRU would repeat those false flag "hacktivist" attacks again and again. Hackers calling themselves Cyber Caliphate hit the French television station TV5Monde in 2015, destroying the station's computers and posting a jihadi message on its website. The misdirection lead to immediate speculation that ISIS had perpetrated the attack, before the French intelligence agency ANSSI pinned it on the GRU. And in 2016, security firm CrowdStrike identified the GRU as the spy agency behind US-targeted false flag operation, this time the hacking of the Democratic National Committee and later Hillary Clinton's presidential campaign. The Fancy Bear hackers responsible had hidden behind fronts like a Romanian hacktivist named Guccifer 2.0, and a whistle-blowing site called DCLeaks that distributed the stolen documents.
By the end of 2016, GRU hackers began to shift their tactics. In December of that year, analysts at the Slovakian cybersecurity firm ESET noted that the GRU hackers they called Telebots, also known as Voodoo Bear or Sandworm, used both hacktivist and cybercriminal fronts in their data-destructive attacks on Ukrainian networks. In some cases, they found that wiped computers displayed a message that said "WE ARE FSOCIETY, JOIN US," in a reference to anarchic hacktivists from the television show Mr. Robot. But in other incidents around the same time, ESET found the hackers demanded a bitcoin ransomware payment.
All of which created plausible deniability for the Kremlin. "When their old tricks are revealed, they need to experiment with new ways of doing this," says James Lewis, the director of the Strategic Technologies Program at the Center for Strategic and International Studies.
By the spring of 2017, the GRU hackers seemed to fully transition to ransomware as the cover story for their attacks, launching a series of ransomware worms against Ukrainian targets—malware known as XData, NotPetya, and Bad Rabbit. NotPetya in particular offered its victims no way to decrypt their files, even if they paid its $300 bitcoin ransom. It spread so explosively across Ukraine and beyond that it became the most destructive and expensive cyberattack in history. And yet it took eight full months for a collection of intelligence agencies across Australia, Canada, New Zealand, the UK, and the US to name the Russian military as the culprit.
Russia's real innovation in false flag operations would only begin in earnest in February 2018. That's when the GRU launched a cyberattack on the IT backend of the Pyeongchang Winter Olympics in retaliation for a doping-related ban of Russian athletes. But when researchers began to pull apart that malware, known as Olympic Destroyer, they initially found parts of the code that matched not only previous tools used by Russia, but also North Korean and Chinese state-sponsored hackers too—not merely a single false flag, but an entire confounding collection of them. "It was psychological warfare on reverse engineers," Silas Cutler, at the time a security researcher for CrowdStrike, would later tell WIRED.
The Olympic Destroyer whodunit was only solved weeks later, when FireEye and Kaspersky analysts tied a phishing document used to plant the malware to a collection of other malicious files that had been used in previous attacks. Many of those earlier targets were typical victims of Russian hacking, like Ukrainian government agencies and activists. FireEye then went further, matching a domain used in the command-and-control servers of those malware-laced documents with a domain used by the same hackers who had breached two US states' boards of elections in 2016—tying yet another incident to the GRU.
But while FireEye used infrastructure analysis to solve the Olympic Destroyer mystery, the Turla incident highlights that even that level of evidence can mislead. In this case, it could have easily indicated that Iran, not Russia, was behind Turla's spying campaign. "They keep upgrading their game," says Lewis.
In fact, Lewis argues that Russia's ultimate goal with its false flag attacks, aside from creating confusion and deniability, is to make the case that attribution isn't truly possible—that when a US intelligence agency or Department of Justice points the finger at the Kremlin after hacking incidents, they're merely guessing. "They don’t like being indicted," he adds. "They would like to create a counter-narrative: 'You can’t trust the Americans. Look, they got this wrong.'"
So far, none of Russia's false flags has ultimately succeeded in causing a government to make the wrong call—at least as far as anyone knows. But the most cunning cybersecurity false flags may have yet to be discovered. "It’s difficult to find this kind of sophisticated activity," says Alexandrea Berninger, the Symantec researcher who led the company's Turla investigation. "It may be happening a lot more than we’re able to observe."
In fact, security researchers may already have fallen for this kind of ruse. This, after all, is part of the point of false flags: They're not just a reminder you that you don't know what you don't know. They also make you doubt what you believe.