Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


06:20 PM
Connect Directly

Russian Cyberspies' Leaked Hacks Could Herald New Normal

Time to set cyber espionage 'norms' before more volatile nation-states follow suit, experts say.

Russia’s cyber espionage machine traditionally has kept intelligence it siphons from the US close to the vest, but the recent wave of data leaks surrounding the US political campaign and believed to be by Russian state hacker groups represent a new breed of threat by the nation.

The leaked emails and information from the Democratic National Committee and the (DCCC), which security firm CrowdStrike has tied to two known Russian nation-state cyber espionage units, marked the first time Russian nation-state cyber espionage actors have employed a combination of hacking and doxing against the US or another United Nations member, according to security experts. Russia has been known to perform similar tradecraft against neighboring nations, however.

This isn’t the first time a nation-state group has doxed a US target: US officials called out North Korea as the hackers behind the epic and massive data breach, data-wiping and doxing of Sony Pictures Entertainment in 2014. While the attackers attempted to portray the breach as payback for the Sony film “The Interview” that purportedly upset Kim Jong Un, experts say it was more of a geopolitical midgame by the North Koreans to pressure US dealings with the nation.

But Russia in its recent attacks and leaks via WikiLeaks against the DNC and others – with more victims expected to be uncovered in the coming weeks -- is seen as attempting to influence or shape the outcome of the US presidential election, a glaring red flag when it comes to cyber espionage “norms.” “I do think the North Korea attack on [Sony] … was a seminal turning point because the entire world was watching,” says Christopher Porter, manager of threat intelligence at FireEye. “Even though the attribution confidence was high, there was no public blowback for the North Korea government.”

Porter says Russia likely took the plunge against the US because it saw little risk of major political fallout. “At FireEye, we’ve seen them conducting [these types of attacks] for years, interfering in elections in their backyard,” for example, he says.

“The fact that they’re willing to do the same to Western governments” is a new Russian cyber espionage MO, Porter notes.

The timing of the leaks—during a US presidential election—indeed has the appearance of an intention to influence the outcome or at the least to shake things up: DNC emails that were leaked show a preference toward Hillary Clinton over Bernie Sanders, for example, and led to a reshuffle at the organization starting with the firing of former DNC chair Debbie Wasserman Schultz. US Department of Homeland Security Secretary Jeh Johnson recently said DHS is considering designating the US voting system as critical infrastructure so it can be secured accordingly.  

No Such Agency (NSA) Leak

Most recently came the online dump of tools and files of the Equation Group—aka the National Security Agency—by a group calling itself the ShadowBrokers. Kaspersky Lab, which first exposed the Equation Group in 2015, confirmed that the doxed files match those of the Equation Group (Kaspersky doesn’t identify actual actors behind hacking groups). Experts say the auction of the files by ShadowBrokers is a fake, but the files and tools are real, including tools from the NSA that hacked Cisco, Fortinet, and Juniper firewalls.

"Firewalls and routers are getting a lot of attention for attackers, so security on those devices needs to be carefully evaluated. The stakes have been raised in the inter-country hacking scene," says Liam O'Murchu, director of security technology & response at Symantec. "It is still unclear why these tools were leaked or by whom, but this may set a precedence of further leaking of government tools." 

Find out more in The Secret Behind the NSA Breach: Network Infrastructure Is the Next Target.

O'Murchu says whle the timing of ShadowBrokers leak indeed is suspicious, researchers at Symantec haven't found any evidence that confirms a connection between it and the DNC/DCCC incident.

Other security experts say it’s no coincidence the data dump came in the wake of the attacks on DNC, DCCC, and others, by Russia.

“This is definitely not Snowden stuff. This isn't the sort of data he took, and the release mechanism is not one that any of the reporters with access to the material would use. This is someone else, probably an outsider...probably a government,” said Bruce Schneier in a recent blog post. “Some group stole all of this data in 2013 and kept it secret for three years. Now they want the world to know it was stolen. Which governments might behave this way? The obvious list is short: China and Russia. Were I betting, I would bet Russia, and that it's a signal to the Obama Administration: "Before you even think of sanctioning us for the DNC hack, know where we've been and what we can do to you."

Whether Russia’s doxing of the Dems and others will actually have any influence on the US election or how the US responds to the attacks, remains to be seen. What is clear is that nations need to establish cyber norms for cyber espionage, notes Bill Wright, director of government affairs at Symantec. “The norms are currently nebulous. It’s going to take time and effort” in diplomacy to set the rules of the road in cyber espionage to rein in the doxing element, he says.

Setting parameters, such as the US-China pact that promises no hacking for economic gain, could help by at least starting the conversation over what is and isn't acceptable cyber-spying activity, experts say.

Even more chilling is that Russia's doubling down on doxing-style cyber espionage for geopolitical influence could open the floodgates for other nation-states to mimic it.

“I’m more concerned with the spread of new techniques” like this in cyber espionage, FireEye’s Porter says. “The most likely scenario to me is not conflicts between great superpowers, but unrestrained, widespread cyber conflict among regional powers worldwide. That to me is the most destabilizing, scary scenario coming out of this.”

But Oren Falkowitz, CEO and co-founder of Area 1, says the strategy of doxing for influence isn’t necessarily effective. The DNC leak came relatively late—just prior to Clinton accepting the nomination as the Democratic candidate—and the Equation Group tools dumped online by the ShadowBroker group was mostly older information that already had been exposed by Edward Snowden, he says.

“I’m not clear what the objective was by whoever did it and if it was successful,” Falkowitz says. “Long-term, I’m not sure people can keep up with these” leaks and they may not be as effective, he notes.

Meanwhile, the DNC and DCCC just scratch the surface of this Russian cyber espionage attack campaign, security experts say. In a typical cyber espionage attack, a nation-state targets the big fish like a DNC, as well as media, think-tanks, political action committees, and politicians themselves in order to gather as much intel as possible. “There are victims we are going learn about in six months that are [being hit] today,” Falkowitz says.

Related Content:


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
Joe Stanganelli,
User Rank: Ninja
8/30/2016 | 9:31:06 PM
Re: On "critical infrastructure"
@Whoopty: Ditto on the Republican side.  I've seen reports of election fraud to favor Ted Cruz in some locations during the primaries over Donald Trump.

Of course, Trump prevailed in getting the nomination anyway, but [alleged] election fraud is [alleged] election fraud.
User Rank: Ninja
8/29/2016 | 7:01:30 AM
Re: On "critical infrastructure"
While I definitely agree, it's interesting that this is mentioned during this election, which many consider was influenced and manipulated by the Clinton camp. Although it starts to edge into conspiracy territory, there's a lot of evidence to suggest that the Clinton's used election fraud to get ahead of Bernie Sanders during his campaign.
Joe Stanganelli
Joe Stanganelli,
User Rank: Ninja
8/24/2016 | 8:54:24 PM
On "critical infrastructure"
I definitely agree that our nation's voting system should be considered and protected as critical infrastructure.

I'm not sure that political parties' systems (whether DNC, RNC, or whomever) are a necessary part of the nation's voting system or in any way "critical infrastructure."  I don't want my tax dollars used or the power of my government used to protect a political party's systems as "critical infrastructure" -- even if it's a political party I favor.

But we can certainly do more to secure the voting process itself.  That would be a good idea.
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-12
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 requests to user provided domains were not restricted to external IP addresses when transitional IPv6 addre...
PUBLISHED: 2021-04-12
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 Synapse is missing input validation of some parameters on the endpoints used to confirm third-party identif...
PUBLISHED: 2021-04-12
In Gradle before version 7.0, files created with open permissions in the system temporary directory can allow an attacker to access information downloaded by Gradle. Some builds could be vulnerable to a local information disclosure. Remote files accessed through TextResourceFactory are downloaded in...
PUBLISHED: 2021-04-12
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 Synapse is missing input validation of some parameters on the endpoints used to confirm third-party identif...
PUBLISHED: 2021-04-12
Advanced Authentication versions prior to 6.3 SP4 have a potential broken authentication due to improper session management issue.