Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


06:20 PM
Connect Directly

Russian Cyberspies' Leaked Hacks Could Herald New Normal

Time to set cyber espionage 'norms' before more volatile nation-states follow suit, experts say.

Russia’s cyber espionage machine traditionally has kept intelligence it siphons from the US close to the vest, but the recent wave of data leaks surrounding the US political campaign and believed to be by Russian state hacker groups represent a new breed of threat by the nation.

The leaked emails and information from the Democratic National Committee and the (DCCC), which security firm CrowdStrike has tied to two known Russian nation-state cyber espionage units, marked the first time Russian nation-state cyber espionage actors have employed a combination of hacking and doxing against the US or another United Nations member, according to security experts. Russia has been known to perform similar tradecraft against neighboring nations, however.

This isn’t the first time a nation-state group has doxed a US target: US officials called out North Korea as the hackers behind the epic and massive data breach, data-wiping and doxing of Sony Pictures Entertainment in 2014. While the attackers attempted to portray the breach as payback for the Sony film “The Interview” that purportedly upset Kim Jong Un, experts say it was more of a geopolitical midgame by the North Koreans to pressure US dealings with the nation.

But Russia in its recent attacks and leaks via WikiLeaks against the DNC and others – with more victims expected to be uncovered in the coming weeks -- is seen as attempting to influence or shape the outcome of the US presidential election, a glaring red flag when it comes to cyber espionage “norms.” “I do think the North Korea attack on [Sony] … was a seminal turning point because the entire world was watching,” says Christopher Porter, manager of threat intelligence at FireEye. “Even though the attribution confidence was high, there was no public blowback for the North Korea government.”

Porter says Russia likely took the plunge against the US because it saw little risk of major political fallout. “At FireEye, we’ve seen them conducting [these types of attacks] for years, interfering in elections in their backyard,” for example, he says.

“The fact that they’re willing to do the same to Western governments” is a new Russian cyber espionage MO, Porter notes.

The timing of the leaks—during a US presidential election—indeed has the appearance of an intention to influence the outcome or at the least to shake things up: DNC emails that were leaked show a preference toward Hillary Clinton over Bernie Sanders, for example, and led to a reshuffle at the organization starting with the firing of former DNC chair Debbie Wasserman Schultz. US Department of Homeland Security Secretary Jeh Johnson recently said DHS is considering designating the US voting system as critical infrastructure so it can be secured accordingly.  

No Such Agency (NSA) Leak

Most recently came the online dump of tools and files of the Equation Group—aka the National Security Agency—by a group calling itself the ShadowBrokers. Kaspersky Lab, which first exposed the Equation Group in 2015, confirmed that the doxed files match those of the Equation Group (Kaspersky doesn’t identify actual actors behind hacking groups). Experts say the auction of the files by ShadowBrokers is a fake, but the files and tools are real, including tools from the NSA that hacked Cisco, Fortinet, and Juniper firewalls.

"Firewalls and routers are getting a lot of attention for attackers, so security on those devices needs to be carefully evaluated. The stakes have been raised in the inter-country hacking scene," says Liam O'Murchu, director of security technology & response at Symantec. "It is still unclear why these tools were leaked or by whom, but this may set a precedence of further leaking of government tools." 

Find out more in The Secret Behind the NSA Breach: Network Infrastructure Is the Next Target.

O'Murchu says whle the timing of ShadowBrokers leak indeed is suspicious, researchers at Symantec haven't found any evidence that confirms a connection between it and the DNC/DCCC incident.

Other security experts say it’s no coincidence the data dump came in the wake of the attacks on DNC, DCCC, and others, by Russia.

“This is definitely not Snowden stuff. This isn't the sort of data he took, and the release mechanism is not one that any of the reporters with access to the material would use. This is someone else, probably an outsider...probably a government,” said Bruce Schneier in a recent blog post. “Some group stole all of this data in 2013 and kept it secret for three years. Now they want the world to know it was stolen. Which governments might behave this way? The obvious list is short: China and Russia. Were I betting, I would bet Russia, and that it's a signal to the Obama Administration: "Before you even think of sanctioning us for the DNC hack, know where we've been and what we can do to you."

Whether Russia’s doxing of the Dems and others will actually have any influence on the US election or how the US responds to the attacks, remains to be seen. What is clear is that nations need to establish cyber norms for cyber espionage, notes Bill Wright, director of government affairs at Symantec. “The norms are currently nebulous. It’s going to take time and effort” in diplomacy to set the rules of the road in cyber espionage to rein in the doxing element, he says.

Setting parameters, such as the US-China pact that promises no hacking for economic gain, could help by at least starting the conversation over what is and isn't acceptable cyber-spying activity, experts say.

Even more chilling is that Russia's doubling down on doxing-style cyber espionage for geopolitical influence could open the floodgates for other nation-states to mimic it.

“I’m more concerned with the spread of new techniques” like this in cyber espionage, FireEye’s Porter says. “The most likely scenario to me is not conflicts between great superpowers, but unrestrained, widespread cyber conflict among regional powers worldwide. That to me is the most destabilizing, scary scenario coming out of this.”

But Oren Falkowitz, CEO and co-founder of Area 1, says the strategy of doxing for influence isn’t necessarily effective. The DNC leak came relatively late—just prior to Clinton accepting the nomination as the Democratic candidate—and the Equation Group tools dumped online by the ShadowBroker group was mostly older information that already had been exposed by Edward Snowden, he says.

“I’m not clear what the objective was by whoever did it and if it was successful,” Falkowitz says. “Long-term, I’m not sure people can keep up with these” leaks and they may not be as effective, he notes.

Meanwhile, the DNC and DCCC just scratch the surface of this Russian cyber espionage attack campaign, security experts say. In a typical cyber espionage attack, a nation-state targets the big fish like a DNC, as well as media, think-tanks, political action committees, and politicians themselves in order to gather as much intel as possible. “There are victims we are going learn about in six months that are [being hit] today,” Falkowitz says.

Related Content:


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
Joe Stanganelli,
User Rank: Ninja
8/30/2016 | 9:31:06 PM
Re: On "critical infrastructure"
@Whoopty: Ditto on the Republican side.  I've seen reports of election fraud to favor Ted Cruz in some locations during the primaries over Donald Trump.

Of course, Trump prevailed in getting the nomination anyway, but [alleged] election fraud is [alleged] election fraud.
User Rank: Ninja
8/29/2016 | 7:01:30 AM
Re: On "critical infrastructure"
While I definitely agree, it's interesting that this is mentioned during this election, which many consider was influenced and manipulated by the Clinton camp. Although it starts to edge into conspiracy territory, there's a lot of evidence to suggest that the Clinton's used election fraud to get ahead of Bernie Sanders during his campaign.
Joe Stanganelli
Joe Stanganelli,
User Rank: Ninja
8/24/2016 | 8:54:24 PM
On "critical infrastructure"
I definitely agree that our nation's voting system should be considered and protected as critical infrastructure.

I'm not sure that political parties' systems (whether DNC, RNC, or whomever) are a necessary part of the nation's voting system or in any way "critical infrastructure."  I don't want my tax dollars used or the power of my government used to protect a political party's systems as "critical infrastructure" -- even if it's a political party I favor.

But we can certainly do more to secure the voting process itself.  That would be a good idea.
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-11-20
A CWE-200: Information Exposure vulnerability exists in Modicon Controllers (M340 CPUs, M340 communication modules, Premium CPUs, Premium communication modules, Quantum CPUs, Quantum communication modules - see security notification for specific versions), which could cause the disclosure of FTP har...
PUBLISHED: 2019-11-20
A CWE-79: Failure to Preserve Web Page Structure vulnerability exists in Andover Continuum (models 9680, 5740 and 5720, bCX4040, bCX9640, 9900, 9940, 9924 and 9702) , which could enable a successful Cross-site Scripting (XSS attack) when using the products web server.
PUBLISHED: 2019-11-20
Cross-site Scripting (XSS) in Dolibarr ERP/CRM 3.3.1 allows remote attackers to inject arbitrary web script or HTML in functions.lib.php.
PUBLISHED: 2019-11-20
Dolibarr ERP/CRM 3.3.1 does not properly validate user input in viewimage.php and barcode.lib.php which allows remote attackers to execute arbitrary commands.
PUBLISHED: 2019-11-20
The snprintf implementation in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x before 9.4.2 does not properly handle system-call errors, which allows attackers to obtain sensitive information or have other unspecified impact via unknown vectors, as d...