Threat Intelligence

12/1/2016
03:30 PM
Mandia: Russian State Hackers Changed The Game

Founder of Mandiant and FireEye CEO says Russia doesn't appear to want to cover its tracks anymore.

WASHINGTON, DC – Russia's leak of emails it hacked from the Democratic National Committee and Clinton campaign chairman John Podesta during the US presidential campaign came as a shock to FireEye CEO Kevin Mandia.

It takes a lot to surprise the seasoned Mandia, whose incident response firm Mandiant was acquired by FireEye nearly three years ago and who has been investigating and studying Russian nation-state breaches since the 1990s. In an interview at FireEye's Cyber Defense Summit here today, Mandia said the recent Russian state-sponsored attacks and leaking of information were a gamechanger in cyber espionage tradecraft.

"The doxing shocked me. I'm fascinated by it," he said. It's part of a major shift in Russia's nation-state hacking machine, according to Mandia.

Of the roughly two dozen breaches FireEye is currently investigating, Russian state hackers are behind many of them, "double digits," Mandia said. Even more chilling than the relative volume of attacks, however, is how dramatically Russia has changed its cyber espionage modus operandi over the past two years.

Mandia said the big shift began in the fall of 2014. "Suddenly, they [Russian state actors] didn't go away when we responded" to their attacks, he said. Historically, the attackers would disappear as soon as they were found: "The Russian rules of engagement were when we started a new investigation, they evaporated [and] just went away."

The Russian cyber espionage groups also began hacking universities, but not necessarily for the usual government research secrets they traditionally had been hunting. "They were [now] stealing [from] professors who had published … anti-Russian, anti-Putin sentiments. We'd seen the Chinese do that, but had never seen Russia doing that," Mandia said.

"The scale and scope were starting to change. Then I thought maybe their anti-forensics had gotten sloppier because now we could observe that they were not going away," he said. Rather than their usual counter-forensics cleanup, the Russians now merely left behind their digital footprints from their cyber espionage campaigns.

"They used to have a working directory and would remove it when they were done. But they just stopped doing that," Mandia said. That's either because they're no longer as disciplined in their campaigns, he said, or "they've just chosen to be more noticeable."

There are no easy solutions for response to this new MO of Russia's hacking machine, either, he said. "They're damn good at hacking," Mandia said.

The executive order President Obama signed in 2015 gives the US the power to freeze the assets of attackers who disrupt US critical infrastructure, steal trade secrets from US businesses, or profit from the theft of personal information.

It's unclear for now whether President-Elect Donald Trump will preserve Obama's cybersecurity EOs and policies. Mandia said he doesn't expect them to be scrapped. "No one wants to be hacked. Whether you're a Democrat or a Republican, you don't want people stealing your email. I can't imagine this is an issue that’s divided" politically, he said.

Trump's cybersecurity platform published during the campaign calls for developing "offensive" capabilities in cybersecurity. "Develop the offensive cyber capabilities we need to deter attacks by both state and non-state actors and, if necessary, to respond appropriately," according to his statement.

Some security experts say it's unclear if that leaves the door open for private organizations to hack back. Mandia opposes businesses hacking back at their online adversaries: "It's very dangerous. You will not have the intended consequences if you have anyone in the private industry do anything on offense, unless they were deputized by the government," he said.

Mandia is a fan of the oft-criticized pact by President Obama and Chinese president Xi Jinping not to conduct cyberspying attacks for economic gain. The agreement specifically applies to the theft of trade secrets and stops short of banning traditional espionage via hacking. Cyber espionage has been a notoriously prolific strategy for China, with the US among its top targets, although Chinese officials deny such hacking activity.

While some security experts say the US-China agreement has not slowed China's hacking for IP theft, Mandia said his firm saw a dramatic decrease in the wake of the pact. FireEye saw the number of such attacks drop from 80 to four within one month after the pact. "Whoever runs China's cyber espionage: they have disciplined troops. They stick to the rules of engagement," Mandia said.

He said he can't see how the Trump administration would scrap the pact with China. "It has had impact in such an incisive way, I don't know why they would change it."

The New 'Wave'

Mandia said cyber espionage and cyberattacks have now entered a new, less predictable phase. "More emboldened nations are doing more emboldened things" hacking-wise, such as Iran, he said.

"Every day, Iran is hacking and there are no repercussions. They are getting operational experience and getting better at it," he said.

Grady Summers, CTO of FireEye, said his firm is seeing more coordination and more destruction across all types of cyberattacks. Ransomware attacks are moving from targeting a machine or two to targeting thousands of machines. "They're establishing a foothold, going lateral and going destructive and encrypting en masse," Summers said. Encrypting thousands of machines at once lets attackers do more damage and gain more leverage over the victim.
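The fleet-wide pattern Summers describes (foothold, lateral movement, then mass encryption) is detectable from ordinary file-rename telemetry, because a host that is being encrypted renames many files to a new extension in a short burst, and a fleet-wide attack produces such bursts on many hosts within minutes of each other. The detector below is an added illustration written for this article, not FireEye or Mandiant tooling; the log format, the host names, the `.locked` extension and the thresholds are all constructed assumptions, and a real deployment would feed it EDR or file-server audit events instead.

```python
"""Toy detector for fleet-wide mass encryption. Added example; constructed data, not real telemetry."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


def _build_sample():
    """Constructed sample log lines (assumed format): <ISO ts> <host> RENAME <old> -> <new>."""
    t0 = datetime(2016, 12, 1, 15, 30, tzinfo=timezone.utc)
    lines = []
    # Five hosts each rename 30 documents to an assumed ".locked" extension, starting
    # 45 s apart: the lateral "one foothold, then the fleet" spread.
    for h in range(5):
        for i in range(30):
            ts = t0 + timedelta(seconds=45 * h + i)
            lines.append(f"{ts.isoformat()} ws{h:02d} RENAME /share/docs/f{i}.docx -> /share/docs/f{i}.docx.locked")
    # One host with ordinary activity: a few renames that keep their extension.
    for i in range(5):
        ts = t0 + timedelta(seconds=10 * i)
        lines.append(f"{ts.isoformat()} ws09 RENAME /home/u/r{i}.txt -> /home/u/s{i}.txt")
    return lines


SAMPLE_LINES = _build_sample()


def parse_line(line):
    """Parse one constructed log line into a dict."""
    ts, host, action, rest = line.split(" ", 3)
    old, new = rest.split(" -> ")
    return {"ts": datetime.fromisoformat(ts), "host": host, "action": action, "old": old, "new": new}


def _ext(path):
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def host_bursts(events, window=timedelta(seconds=60), threshold=20):
    """Return {host: burst_start} for hosts with >= threshold extension-changing renames
    inside any sliding window of `window`. Extension-preserving renames are ignored,
    so routine file moves on ws09 do not count."""
    by_host = defaultdict(list)
    for e in events:
        if e["action"] == "RENAME" and _ext(e["old"]) != _ext(e["new"]):
            by_host[e["host"]].append(e["ts"])
    bursts = {}
    for host, times in by_host.items():
        times.sort()
        q = deque()
        for t in times:
            q.append(t)
            while t - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                bursts[host] = q[0]
                break
    return bursts


def fleet_alerts(bursts, window=timedelta(minutes=5), min_hosts=3):
    """Group per-host bursts whose start times fall within `window` of the group's first
    burst; any group of >= min_hosts is the en-masse pattern. A single host bursting
    alone is left to the per-host alert and is not reported here."""
    ordered = sorted(bursts.items(), key=lambda kv: kv[1])
    alerts, group = [], []
    for host, t in ordered:
        if group and t - group[0][1] > window:
            if len(group) >= min_hosts:
                alerts.append([h for h, _ in group])
            group = []
        group.append((host, t))
    if len(group) >= min_hosts:
        alerts.append([h for h, _ in group])
    return alerts


def detect(lines):
    """Full pipeline: parse -> per-host bursts -> fleet-wide clusters of hosts."""
    events = [parse_line(l) for l in lines]
    return fleet_alerts(host_bursts(events))


if __name__ == "__main__":
    for hosts in detect(SAMPLE_LINES):
        print(f"mass-encryption pattern across {len(hosts)} hosts: {', '.join(hosts)}")
```

The two-stage design matters: the per-host stage catches the "machine or two" case, while the fleet stage is what distinguishes the coordinated campaign Summers describes from an isolated infection, and it is the fleet alert that should trigger network containment (blocking SMB between workstations, disabling the account used to move laterally) rather than just re-imaging one box. Thresholds are assumptions and need tuning against each environment's normal rename rate.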

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Crypt0L0cker (User Rank: Strategist), 12/6/2016 12:17:40 AM
Re: .osiris ransomware
One of the password recovery phone numbers was Russian, but Krebs said the MUNI system was accidentally hacked, just another victim of cyber crooks.
.osiris (User Rank: Apprentice), 12/5/2016 2:31:21 PM
Re: It is going to get interesting
What about the latest San Francisco MUNI ransomware hack? Brian Krebs found that the hacker has an Iranian or Russian background.
Crypt0L0cker (User Rank: Strategist), 12/5/2016 2:18:52 PM
Re: It is going to get interesting
Not really, all the latest ransomware examples are made in Russia, and the DynDNS DDoS attack on 10/21/16 has a Russian origin. Hacking is a part of their modern foreign policy, which includes hybrid-war elements, to achieve their goals.
JetableJohn (User Rank: Apprentice), 12/4/2016 7:47:54 AM
Re: It is going to get interesting
Putin or Russia interfering in the US election is a myth created by the Clinton campaign.
David Balaban (User Rank: Strategist), 12/3/2016 9:48:03 AM
Putin
We are very slow fighting Chinese cyber intruders. With Putin, it is going to be the same. I do not hope that we will be able to change things soon.
RetiredUser (User Rank: Ninja), 12/2/2016 1:27:02 PM
Machismo is Back in Style
We've seen a few things the last few years that have set the tone for this type of brazen activity.  Certainly the hacker community in general has had a "brass set" attitude since the beginning, and while anonymity has been important, throwing your persona out there and making sure your hacks were attributed to you is nothing new.  But the days of such "machismo" (sorry to set up a gender-specific analogy here) between world leaders seemed like a thing of the past when it came to the global attitude toward Western leadership.  Seems like we're moving back to a certain mindset where countries like China, North Korea and Russia are happy to raise the middle finger to us and crack open our digital infrastructure.  Why not?  The Middle East (clarify: terrorist-organizations) has done this for years outside the digital realm, but even that is now fair game for radical terrorist groups.  The regular appearance of Anonymous (never forget, never forgive), Assange and other high-profile hackers also confuses some folks about whether hacking is now "OK".  While I can't say anything bad about Anonymous, Assange seems to be setting a tone of "cybercrime is the new investigative reporting" and to some extent that carefree attitude is catching on with world leaders who don't know the difference between back-slapping and outright... well, you get the point.  With the current chest-puffing administration here in the US, I can't see this stopping any time soon.  But is this a bad thing?  Not so sure it is.  There's nothing like knowing who your cyberattacker is when wanting to bring down an Enemy of the State.  Please, Russia, and any other country that wants to: brag, boast and puff.  Maybe this will inspire the harder-to-catch cybercriminals to do the same so we can finally nab them in the act, too.  
Kelly Jackson Higgins (User Rank: Strategist), 12/2/2016 10:58:00 AM
Re: Typo with the Name.
@Ashu001 Actually, the spelling is correct as-is. Kevin Mandia founded Mandiant. =)

Thank you for sharing your thoughts on nation-state cyber espionage.
Ashu001 (User Rank: Apprentice), 12/2/2016 9:25:14 AM
Typo with the Name.
Sara,

I don't mean to disparage your amazing article, but it sure bugs me a lot when I see your wonderful write-up get spoiled by the fact that the company in question is named "MANDIANT" and not "MANDIA".

I am amazed that nobody (in either the readership at Dark Reading or the phenomenal editors) has spotted the error previously.

The company does phenomenal research, as anyone who has used their Redline tool regularly will attest to.

Also, I am not surprised that the Russian hackers are no longer covering their tracks.

Just in the USA, the UK, Israel, China and of course Russia, state-sponsored hacking groups operate as a function of state policy/diktat.

The fact that the Russians are no longer covering their tracks simply implies that the Russian government feels more confident in their place in the world.

Anyone who reads the latest geopolitical news will tell you how Russia is on the ascendancy globally (Syria as well as with the latest OPEC announcement).

So, all this state-sponsored hacking is just a function of their great power status.

Regards

Ashish.
ClarenceR927 (User Rank: Strategist), 12/2/2016 9:12:25 AM
It is going to get interesting
Given that Putin made no attempt to hide his desire to see Trump win and Trump made no attempt to hide his desire to have Putin interfere with the US election, it will be _interesting_ to see how a Trump administration will respond to Russian hacking. It would be even more interesting to see how US intelligence agencies respond if it appears as if a President Trump wants to take a hands-off approach on the subject. They took an oath to protect the Constitution and people of the United States, not the President.