From Mechanical Hacks to Cyber Theft
At the height of the Cold War, Russia learned to make the leap from manual intercept of printed media to the computer age well before the internet existed. Between 1978 and 1984 the KGB carried out an audacious electronic intelligence operation that preceded the CYBER BEARS antics. A select group of special technicians intercepted a shipment of American IBM Selectric II and Selectric III electric typewriters en route to the American embassy in Moscow and the US Consulate in St Petersburg. The KGB inserted devices called the Selectric Bug into sixteen of the typewriters.4 The special electrical device was embedded in a hollow aluminum bar that would capture the movement of the rotating print ball as it struck the paper. As a typist struck the keys, the bug would transmit each keystroke to a nearby listening post via a short-distance radio signal. The NSA countered this by deploying a special team to Moscow that inspected all of the Embassy’s computers, encoding machines and typewriters. Code named GUNMAN, the NSA team eventually found the bugs and secretly replaced the typewriters with secure ones.5 Still, the KGB’s early awareness of the advance in print technology led them to implement one of the very first keystroke-logging systems before computers became commonplace. With this corporate knowledge in hand, the KGB was well ahead of the curve in intercept technology, an aptitude they would soon come to command in the computer age.
Cyber intelligence collection operations didn’t start in the 21st century; they preceded the rise of Putin. During the period when Vladimir Putin was just taking the reins from the former KGB under the leadership of Boris Yeltsin, the NSA and the Department of Defense’s Information Operations Response Cell noted a series of sophisticated computer penetrations, accessed through research university servers. The hackers were stealing sensitive information, but what was noteworthy was the seemingly random nature of the hacks and the peculiar nature of the sensitive information. Author Fred Kaplan detailed this hack, called MOONLIGHT MAZE, and numerous others in his brilliant book Dark Territory: The Secret History of Cyber War. The hack was tracked back to Russia after decrypts found that the hacker was using a Cyrillic (Russian-language) keyboard. The classified materials stolen about obscure scientific programs perfectly matched discussion topics at recent conferences in the United States attended by Russian scientists. The Russians would attend a conference, realize that it held more secrets, and task the CYBER BEARS to steal the research. The Russian Academy of Sciences in Moscow submitted hack requests and the KGB, now FSB, acquired the 5.5GB of classified materials.6
Russia didn’t rest on its laurels after stealing American scientific data. For more than ten years, volunteer militia hackers and cyber criminals carried out limited and, on occasion, full-scale cyber warfare on its neighbors in Europe. There is an arms race in the cyber weapons world as nation-state and freelance hackers seek to push the technology envelope. By 2016 the history of Russia’s attacks showed proficiency at destroying enemies with cyber strikes.
First Steps in Cyber Campaigns
The first step is to establish a target organization or individual. The second is to find out how and where to compromise the target’s IT systems with the least amount of effort possible and without being detected. This will most often start with examining the publicly posted employee rosters at a company, organization, or government office. Next comes a scour of social media sites like Facebook, LinkedIn, Twitter, Google, or even simply the target’s own agency website.7
The target or targets are subjected to an email spear-phishing campaign. Spear-phishing is a technique that seeks to fool a target into clicking on links or opening attachments in emails the target would expect to receive. For example, if a State Department official was expected to attend a conference on a UN refugee program, they might receive an email with the title “Schedule for the Refugee Committee” with an attached document or link. If it is a link instead of an attachment, the target might take a look at the link before clicking, but the reasonable-looking link will lead to a spoofed site that delivers malware to their computer. Once that malware is installed, it may do a number of things depending on the intent of its coding. The first function it is likely to perform is to breach the system.
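The “reasonable-looking link” described above can be caught on the defender’s side by comparing what a link shows with where it actually goes. The following is an added example, not code from the book; the e-mail body and all domains in it (example.org, example.net) are constructed.

```python
"""Flag anchors in an e-mail body whose visible text names one domain while
the href points at another: the spoofed-link pattern of a spear-phish."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

DOMAIN_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registered_domain(host):
    """Crude last-two-labels approximation (no public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def suspicious_links(html):
    """Return links whose displayed domain differs from the href's host."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = urlparse(href).hostname or ""      # mailto:/relative -> ""
        shown = DOMAIN_RE.search(text)            # a domain in the visible text
        if shown and registered_domain(shown.group(1)) != registered_domain(host):
            findings.append({"href": href, "shown": text, "actual_host": host})
    return findings

# Constructed sample e-mail body (hypothetical domains).
SAMPLE_EMAIL = """<p>The schedule is posted at
<a href="http://refugee-c0mmittee.example.net/agenda">https://refugee-committee.example.org/agenda</a>.
Questions: <a href="mailto:chair@example.org">mail the chair</a>
or see <a href="https://www.example.org/schedule">example.org/schedule</a>.</p>"""
```

Only the first link is flagged: the text reads example.org but the href resolves to example.net; the mailto and the matching example.org link pass.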
The APT countermeasure system tracks not only the malware toolkits themselves but also their source of origin and related resources, including the IP addresses of the remote Command-and-Control (C2) servers or, in some cases, metadata found in the compiled tools used by the threat actors. In addition, a pattern of behavior in what the hackers steal can help further distinguish the group behind a malware infection. For instance, nation-state hackers acting on behalf of Russia and China do not typically engage in financial theft but focus on espionage targets, even if that target is a private enterprise.
In the case of the attacks on the DNC, the company CrowdStrike identified two actors in separate breaches on the servers used. The two found were identified as “FancyBear” and “CozyBear” by CrowdStrike, but elsewhere they have other names depending on the security firm who encounters their activities. FancyBear is also commonly known as APT28 or Sofacy. CozyBear is commonly known as APT29.
APT 28—FANCY BEAR
Russian State Security/Covert External Intelligence (FSB/SVR)
APT28 is a group that goes by many names, depending on who has discovered them. In order to learn the character of this group it helps to look at all the cases investigated under the range of names the group gets assigned. Along with the naming of the group, different firms also name the malware, and conflicting names can occur for the same toolset. FireEye calls them APT28, CrowdStrike named them FancyBear, Trend Micro has called them Operation Pawn Storm, Microsoft’s Security Intelligence Report calls them STRONTIUM,8 and SecureWorks tagged them as TG-4127. They’ve also been called Sednit (by ESET), Tsar Team (iSIGHT) and Sofacy Group. Despite these names the methodology and toolset are distinct and show a deployment sophistication that truly qualifies as an advanced and persistent threat; it is considered one of the most potent threats in the list of known APTs.
Security authorities first discovered the group in 2007. Their attacks have targeted a range of Eastern European countries, including Ukraine, Georgia and Poland, as well as Pakistan to the south and, further west, the United States and France. They have been linked to the GRU. They were even tied to attacks on the Russian all-girl band Pussy Riot.9
Typosquatters and Watering Holes
Many hackers establish typosquatting websites. These are where a false “squatter” website is installed on the actual location of a known website, or where they buy a URL that is nearly identical to a well-known website but contains the fat-fingered “typos” users make (e.g. Microsift.com, Amaxon.com). Hence “Typosquatter.” Another technique to gather login, password or financial information from a targeted victim is to establish or insert malicious code into a targeted site. Many typosquatter sites are Watering Holes—decoy or fraudulent websites that are loaded with malware and used to lure targets, via spear-phishing emails, into downloading their payload. To fool computer users into following these links, the site would need to look relevant or identical to the target’s working interest and include very up-to-date information, whether it be a bombing attack in Iraq mentioned in an email to the Vatican Embassy in Iraq, or schedule and coordination information sent to Hungary. In many cases, the malicious domain is very similar to the real domain.
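The “nearly identical” domains above (Microsift.com, Amaxon.com) can be hunted for in DNS or proxy logs by measuring how close an observed domain sits to a watchlist of legitimate ones. This is an added example, not code from the book; the observed-domain list is constructed, and it goes slightly beyond the page by also folding common look-alike character substitutions (rn for m, 0 for o) before comparing.

```python
"""Flag look-alike domains against a watchlist (typosquat detection)."""

WATCHLIST = ["microsoft.com", "amazon.com"]   # brands to protect
# Constructed observed domains, as they might appear in DNS/proxy logs.
OBSERVED = ["microsift.com", "amaxon.com", "microsoft.com",
            "rnicrosoft.com", "amaz0n.net", "example.org"]

# Substitutions that look alike in many fonts; folded before comparison.
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}

def normalize(label):
    """Fold look-alike substitutions so that rnicrosoft -> microsoft."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label

def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def second_level(domain):
    """Label directly below the TLD: 'amaxon' from 'amaxon.com'."""
    parts = domain.lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def typosquat_candidates(observed, watchlist, max_distance=1):
    """Return (observed, watchlist entry, distance) for near-miss domains."""
    hits = []
    for dom in observed:
        if dom.lower() in watchlist:
            continue                       # the genuine domain itself
        obs = normalize(second_level(dom))
        for legit in watchlist:
            d = levenshtein(obs, second_level(legit))
            if d <= max_distance:          # typo, homoglyph or wrong TLD
                hits.append((dom, legit, d))
    return hits
```

Distance 0 marks a domain that differs only by homoglyphs or TLD, which is as suspicious as a one-character typo; raising max_distance widens the net at the cost of false positives on short labels.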