Malcolm Nance - The Plot to Hack America

What better way to cause mayhem, confusion and mischief than to release the stolen emails under the same name? Google searches would only add to the confusion as the original Guccifer would always come up first. Since this was a new entity, a second generation, it was only fitting that he be version 2.0. Hence, Guccifer 2.0 was born.

In late July 2016, after the news of the DNC hack hit the headlines, two groups came to the center of attention after nearly a decade of engaging in attacks on perceived adversaries of the Russian government. These two groups carried the names given to them by the American cyber security firm CrowdStrike and thus the world would be introduced to two designations for Russian hackers: “FANCY BEAR” and “COZY BEAR.” These cryptonyms were assigned to hacking threats under the term “Advanced Persistent Threats” or APTs. APTs are often associated with nation-state actors because of the level of sophistication and resources needed to conduct persistent attacks on a given target. The weapon of choice for APTs is malware. Malware is malicious computer software, such as viruses or tools that can be inserted or introduced to a target’s computer. There are estimated to be just over a hundred APTs working hostile missions through cyberspace as of August 2016. ATPs include attacks by nation-state actors, cyber criminals, hacktivists (activists who use hacking as a tool of protest), and cyber mercenaries.

CYBER BEARS are what we will call the conglomeration of several Russian intelligence agencies, nationalist militias, criminal contractor cyber warfare units, and the malware weapons these groups use in cyberwarfare. The CYBER BEARS—so called due to Crowdstrike’s BEAR designation for the DNC hackers—have conducted numerous hacking and black political propaganda operations in states that came into conflict with Russia, including Estonia, Georgia, Lithuania, Kyrgyzstan, Crimea and Ukraine. COZY BEAR, FANCY BEAR, VENOUMOUS BEAR are specific cyber infection threats that have been traced to Russian intelligence, whereas CRIMINAL BEAR is the collective name for all Russian criminal hackers. MILITIA BEARS are pro-Russian nationalist hackers who pile onto Russian Intelligence attacks that become public.

Clusters of CYBER BEAR attacks occurred most often alongside tense geopolitical backdrops associated uniquely in line with the interest of one country, Russia. Whether it was retaliation in Lithuania or Estonia, data blinding operations in Georgia, or flipping the switches on power plants in Ukraine in an attempt to undermine confidence in the government, the CYBER BEARS attacks leave plenty of marks and footprints for cyber security companies and intelligence agencies to examine.

The history of the attacks of the CYBER BEARS demonstrates advanced abilities to create code-on-the-fly and to adapt to the security environment of their target in a way that few independent or lone attackers would be able to maintain due to the complexity of the attack alone. They are also believed to be associated with thousands of attempted penetrations of U.S. Defense and industry computers as well as cyber theft and internet fraud operations. Collectively, the BEARS are the definition of a national cyber threat.

The key characteristics of classifying an entity an APT is that they are:

• Advanced: The development skill for APTs is advanced enough to both develop their own tool kit and capable of using existing advanced tools with ease.

• Persistent:The Adversary is goal-oriented in the attack and is driven to achieve the mission. This can often indicate a nation-state actor who has been given orders to acquire specified information.

• Threat:The Adversary is organized, funded, motivated. There is a high level of intent to these attacks. Unlike malware that simply seeks to find any vulnerability and is cast like one would throw a fishing net, APTs are focused on a target until a mission is attained.

APTs are not actually groups of people but a description of the malware toolkits used by hackers. By examining the malware samples and correlating the metadata (the background information embedded in code) of the attacks you can discover much about the real world people on the other end in a way that code cannot tell you. By scrutinizing when malware kits are compiled, you can discover where development operations leading up to an attack occur. In most toolkits attributed to Russian hacking groups, the timecodes on their digital metadata occurs in one of the two Eastern hemisphere time zones of UTC+3 or UTC+4, indicating Eastern Europe and/or Western Russia as a likely development zone. Then there are sometimes tags in the code that indicate a similarity only found in a batch of malware like the “Sandworm” group, whose attacks were identified by a cyber security firm who noticed the code was laced with references to Frank Herbert’s book Dune .

These clues help forensic investigators piece together not only the story of a particular infection, but the trajectory of development by hackers who do not reveal themselves by name but by deed.

For example, CyberBerkut, a group of pro-Russian hackivists almost wholly focused on anti-Ukraine activity, includes subgroups who will announce their attacks as well as their ideology. CyberBerkut’s methods, tools, and remnants can be examined in the open, allowing investigators to attribute CyberBerkut’s contribution to the known attacks as they look for additional threats by groups who have aims beyond Ukraine. The same has been true for the APT29 malware sets known as COZY BEAR (aka “The Dukes”). The Finnish cybersecurity firm F-Secure found a series of malware sets that varied according to their version of development and improvements over time.

For example, private Russian hacker Dmytro Oleksiuk created a set of malware called BlackEnergy1 in 2007 to stop up networks through DDoS (distributed denial-of-service) attacks, where millions of pieces of emails or data to a single IP address create a massive internet traffic jam that stops all data flows. 1This malware was used by a group of Russian hackers in 2008 to overwhelm the Georgian internet. In 2010 a second variant, BlackEnergy2, emerged, containing more advanced malware tools inside. Finally, Russian intelligence took it and developed BlackEnergy3. Sandworm used a malware kit named BlackEnergy3 (the 3 rdvariant, or 3.0) to attack power plants in Ukraine.

In order to keep track of Advanced Persistent Threats (APTs) cyber firms designate the APTs with easily-remembered names associated with clustered behavior. They are also known by a variety of other names depending on the firms who have detected and catalogued their malware and activities. According to Richard Bejtlich of Mandiant, a cyber security firm associated with FireEye, and a former USAF information warfare agency operative, the practice came from US Air Force analysts who were working with civilians and needed a way to discuss the attacks with civilians. 2

APTs work by using a combination of code, social engineering (asking innocent questions and getting secrets), and common human errors to achieve their goals. They are capable of adapting to the most up-to-date security systems. As a persistent threat, they require constant vigilance on the part of security firms, developers, governments, institutions, and private enterprise. The tools these groups use are constantly evolving, even as security firms track their development and create patches to protect from their intrusion.

A Zero-day (or written 0day) is a vulnerability in code that has remained undetected until it becomes active, giving a target zero days to manage the effects of the vulnerability. If discovered first by hackers, then the target organization is at risk unless the hacker is friendly and working for them (called a White Hat hacker). If the hacker is from a malicious group (Black Hat hackers) the hacker can exploit the vulnerability until they are detected by cyber security experts.