The Reality of Russian Hacking and Advanced Persistent Threats (APTs)
January 13, 2017
Over the last few weeks you can’t avoid hearing about Russian hacking and our presidential election in the news. You may be tired of hearing about it. From the news coverage I’ve seen, there seems to be an elephant in the room in such reports and presentations.
First, it is vital to ensure the public really understand what an Advanced Persistent Threat (APT) is, how it is related to foreign espionage and intelligence programs. Second, understand that technical attribution is difficult, but it is possible based on existing cyber analytic Techniques, Tactics and Procedures (TTPs). Lastly, there seems to be an unwillingness in most U.S. news articles and reports to cover what is known about a particular Russian APT, because for cyber threat analysts, none of this information or activity is new to us.
Nation-State Sponsored Espionage is Not Something New
Nation-state sponsored espionage is not something new. Human Intelligence (HUMINT), aka – traditional spying on people by other people – has roots going back to Rome. Rome even recruited merchants as spies (MAJ Robert A. Sayre 2004)! Fast forward a few hundred years and espionage has become very sophisticated and technical (although HUMINT is still widely used).
For example, Signals Intelligence (SIGINT) is a technical field consisting of communications intelligence (COMINT) and electronic intelligence (ELINT) (Spy Museum n.d.). Nations, including the U.S. closely guard the secrets and methodologies used in such technical intelligence because they don’t want an adversary to learn how it collects intelligence. If discovered, the adversary can mitigate the collection efforts by changing communication techniques or using more sophisticated encryption.
Technical Evolution of Espionage
The point is that “cyber” as a technique and methodology for conduction nation-state sponsored espionage is a logical continuum in terms of spying and thus should not come as a surprise to anyone. One of the best reports that details many known APTs specifically states that, “State sponsored groups may target organizations or governments to steal financial information, defense information, information that would grant a geopolitical economic or technological advantage, or any information that would be of use in intelligence or counterintelligence operations.” (Spaniel 2016). The point is that when politicians, intelligence agency representatives or private cyber firms (such as Crowdstrike, Dell Secure Works, FireEye) report or reference suspected nation-state sponsored APTs, they are really speaking about foreign intelligence operations that are utilizing and exploiting IT networks (aka ‘cyberspace’).
Cyber-Attack Attribution is difficult but not impossible
Secondly, I think attribution remains a mystery to many people. To be clear, cyber experts use the term attribution normally when referring to a specific intrusion (or a ‘hack of a system’) regarding the actors responsible for said incident.
To use an analogy, think of a police detective investigating a murder. There could be many ways the police end up with a list of suspects based on all sorts of evidence, such as physical evidence (forensics), or by interviewing people or perhaps through the use of a legal surveillance technique on a primary suspect (undercover monitoring, wiretapping a suspect’s phone, etc). There may be a lot or little evidence.
This analogy, while not perfect, can help explain how cyber experts try to determine who (and maybe why) a threat actor breached a network, if they stole information or left malware on the system, or other aspects related to the specific incident.
Incident Response (IR) teams and forensics experts may look for all sorts of tell-tale signs of a breach (we will not be going into the technical incident response steps here). Just like in a police led murder investigation, they look for clues that might attribute the incident to a known cyber threat actor, such as an APT.
Understanding ‘Cyber Clues’ and Attribution
These ‘cyber clues’ could include keyboard language settings, file names, strings left in custom made malware, reuse of attack infrastructure, type of malware used, type of spear phishing used, re-use of email addresses or domains, what information was stolen (targeted), when did the attack occur, similarities in past intrusions and so on (Spaniel 2016).
Each intrusion is different, each one may have a lot of clues or very few clues because each cyber incident differs. Unlike traditional intelligence though, we have many private companies being targeted with sophisticated cyber-attacks by probable nation-state sponsored APTs. We also have many private Incident Response (IR) Companies, cyber forensic experts and cyber threat intelligence companies who are tracking suspected APTs separately from the U.S. intelligence agencies.
Russian APTs FANCY BEAR and COZY BEAR
There is a widely known and tracked APT that has the code name FANCY BEAR. The cyber threat intelligence company Crowdstrike has quite a bit of information about FANCY BEAR. According to Crowdstrike, “FANCY BEAR (also known as Sofacy or APT 28) is a Russian-based threat actor…Because of its extensive operations against defense ministries and other military victims, FANCY BEAR’s profile closely mirrors the strategic interests of the Russian government, and may indicate affiliation with Главное Разведывательное Управление (Main Intelligence Department) or GRU, Russia’s premier military intelligence service.” (Editorial Team 2016)
In fact, Crowdstrike was the company that the Democratic National Committee (DNC) called in for incident response. Crowdstrike identified two known Russian APTs, FANCY BEAR and COZY BEAR. As per Crowdstrike, “both groups were constantly going back into the environment to change out their implants, modify persistent methods, move to new Command & Control channels and perform other tasks to try to stay ahead of being detected. Both adversaries engage in extensive political and economic espionage,” (Alperovitch 2016).
APTs and Cyber Threat Analysts
In conclusion, the APT threat is not in and of itself new. APTs are the next wave of espionage and will remain problematic. However, there are companies and experts who can help prevent, track, mitigate and attribute APTs responsible for cyber incidents and breaches. This is a complex, technically challenging field, operating alongside the U.S. intelligence community, but separate from those classified efforts. If this sounds like the challenge you are interested in, I recommend you get studying because cyber threat analysts are going to be needed to combat APTs.
I recommend EC-Council’s Certified Ethical Hacker (CEH) course which will focus on basic hacking techniques. Thinking like the black hat hacker allows you to defend and mitigate known and evolving cyber threats, such as APTs. Training and education is always important as cyber threats evolve.
Additional Reading Materials
- Introduction to Cyber-Warfare: A Multidisciplinary Approach, by Andrew Ruef, Jana Shakarian, and Paulo Shakarian
The book examines the issues related to cyber warfare not only from a computer science perspective but from military, sociological, and scientific perspectives as well. Presents detailed case studies of cyber-attack including inter-state cyber-conflict (Russia-Estonia), cyber-attack as an element of an information operations strategy (Israel-Hezbollah,) and cyber-attack as a tool against dissidents within a state (Russia, Iran).
- State Actors, APTs and Espionage-as-a-Service, by Tripwire
- Alperovitch, Dmitri. 2016. Bears in the Midst: Intrusion into the Democratic National Committee. 06 15. Accessed 01 06, 2017.
- Editorial Team. 2016. Who is FANCY BEAR? 09 12. Accessed 01 06, 2017.
- MAJ Robert A. Sayre, Jr. US Army. 2004. “Some Principles of Human Intelligence and Their Application.” School of Advanced Military Studies. 05 26. Accessed 01 06, 2017.
- Spaniel, James Scott and Dew. 2016. Know your Enemies 2.0; A Primer on Advanced Persistent Threat Groups., Institute for Critical Infrastructure Technology.
- Spy Museum. n.d. Spy Museum.