Threat Intelligence

12/1/2016
03:30 PM

Mandia: Russian State Hackers Changed The Game

Founder of Mandiant and FireEye CEO says Russia doesn't appear to want to cover its tracks anymore.

WASHINGTON, DC – Russia's leak of emails it hacked from the Democratic National Committee and Clinton campaign chairman John Podesta during the US presidential campaign came as a shock to FireEye CEO Kevin Mandia.

It takes a lot to surprise the seasoned Mandia, whose incident response firm Mandiant was acquired by FireEye nearly three years ago and who has been investigating and studying Russian nation-state breaches since the 1990s. In an interview at FireEye's Cyber Defense Summit here today, Mandia said the recent Russian state-sponsored attacks and the leaking of stolen information were a game-changer in cyber espionage tradecraft.

"The doxing shocked me. I'm fascinated by it," he said. It's part of a major shift in Russia's nation-state hacking machine, according to Mandia.

Russian state hackers are behind many of the roughly two dozen breaches FireEye is currently investigating; the number is in the "double digits," Mandia said. Even more chilling than the relative volume of attacks, however, is how dramatically Russia has changed its cyber espionage modus operandi over the past two years.

Mandia said the big shift began in the fall of 2014. "Suddenly, they [Russian state actors] didn't go away when we responded" to their attacks, he said. Historically, the attackers would disappear as soon as they were found: "The Russian rules of engagement were when we started a new investigation, they evaporated [and] just went away."

The Russian cyber espionage groups also began hacking universities, but not necessarily for the usual government research secrets they traditionally had been hunting. "They were [now] stealing [from] professors who had published … anti-Russian, anti-Putin sentiments. We'd seen the Chinese do that, but had never seen Russia doing that," Mandia said.

"The scale and scope were starting to change. Then I thought maybe their anti-forensics had gotten sloppier because now we could observe that they were not going away," he said. Rather than their usual counter-forensics cleanup, the Russians now merely left behind their digital footprints from their cyber espionage campaigns.

"They used to have a working directory and would remove it when they were done. But they just stopped doing that," Mandia said. That's either because they're no longer as disciplined in their campaigns, he said, or "they've just chosen to be more noticeable."

There are no easy solutions for responding to this new MO of Russia's hacking machine, either, he said. "They're damn good at hacking," Mandia said.

The Obama administration's Executive Order signed in 2015 gives the US the power to freeze the assets of attackers who disrupt US critical infrastructure, steal trade secrets from US businesses, or profit from the theft of personal information.

It's unclear for now whether President-Elect Donald Trump will preserve Obama's cybersecurity EOs and policies. Mandia said he doesn't expect them to be scrapped. "No one wants to be hacked. Whether you're a Democrat or a Republican, you don't want people stealing your email. I can't imagine this is an issue that’s divided" politically, he said.

Trump's cybersecurity platform published during the campaign calls for developing "offensive" capabilities in cybersecurity. "Develop the offensive cyber capabilities we need to deter attacks by both state and non-state actors and, if necessary, to respond appropriately," according to his statement.

Some security experts say it's unclear if that leaves the door open for private organizations to hack back. Mandia opposes businesses hacking back at their online adversaries: "It's very dangerous. You will not have the intended consequences if you have anyone in the private industry do anything on offense, unless they were deputized by the government," he said.

Mandia is a fan of the oft-criticized pact between President Obama and Chinese President Xi Jinping not to conduct cyberspying attacks for economic gain. The agreement specifically applies to the theft of trade secrets and stops short of banning traditional espionage via hacking. Cyber espionage has been a notoriously prolific strategy for China, with the US among its top targets, although Chinese officials deny such hacking activity.

While some security experts say the US-China agreement has not slowed China's hacking for IP theft, Mandia said his firm saw a dramatic decrease in the wake of the pact. FireEye saw the number of such attacks drop from 80 to four within one month after the pact. "Whoever runs China's cyber espionage: they have disciplined troops. They stick to the rules of engagement," Mandia said.

He said he can't see how the Trump administration would scrap the pact with China. "It has had impact in such an incisive way, I don't know why they would change it."

The New 'Wave'

Mandia said cyber espionage and cyberattacks have now entered a new, less predictable phase. "More emboldened nations are doing more emboldened things" hacking-wise, such as Iran, he said.

"Every day, Iran is hacking and there are no repercussions. They are getting operational experience and getting better at it," he said.

Grady Summers, CTO of FireEye, said his firm is seeing more coordination and destruction in all types of cyberattacks. Ransomware attacks, for example, are moving from targeting a machine or two to targeting thousands of machines. "They're establishing a foothold, going lateral and going destructive and encrypting en masse," Summers said. Encrypting thousands of machines at once lets attackers do more damage and gain more leverage.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Crypt0L0cker,
User Rank: Strategist
12/6/2016 | 12:17:40 AM
Re: .osiris ransomware
One of the password recovery phone numbers was Russian, but Krebs said MUNI system was accidentally hacked, just another victim of cyber crooks.
.osiris,
User Rank: Apprentice
12/5/2016 | 2:31:21 PM
Re: It is going to get interesting
What about the latest San Francisco MUNI ransomware hack? Brian Krebs found that hacker has Iranian or Russian background.
Crypt0L0cker,
User Rank: Strategist
12/5/2016 | 2:18:52 PM
Re: It is going to get interesting
Not really, all the latest ransomware examples are made in Russia; the DynDNS DDoS attack on 10/21/16 has Russian origin. Hacking is a part of their modern foreign policy, which includes hybrid war elements, to achieve their goals.
JetableJohn,
User Rank: Apprentice
12/4/2016 | 7:47:54 AM
Re: It is going to get interesting
Putin or Russia interfering in the US election is a myth created by the Clinton campaign.
David Balaban,
User Rank: Strategist
12/3/2016 | 9:48:03 AM
Putin
We are very slow fighting Chinese cyber intruders. With Putin, it is going to be the same. I do not hope that we will be able to change things soon.
RetiredUser,
User Rank: Ninja
12/2/2016 | 1:27:02 PM
Machismo is Back in Style
We've seen a few things the last few years that have set the tone for this type of brazen activity.  Certainly the hacker community in general has had a "brass set" attitude since the beginning, and while anonymity has been important, throwing your persona out there and making sure your hacks were attributed to you is nothing new.  But the days of such "machismo" (sorry to set up a gender-specific analogy here) between world leaders seemed like a thing of the past when it came to the global attitude toward Western leadership.  Seems like we're moving back to a certain mindset where countries like China, North Korea and Russia are happy to raise the middle finger to us and crack open our digital infrastructure.  Why not?  The Middle East (clarify: terrorist-organizations) has done this for years outside the digital realm, but even that is now fair game for radical terrorist groups.  The regular appearance of Anonymous (never forget, never forgive), Assange and other high-profile hackers also confuses some folks about whether hacking is now "OK".  While I can't say anything bad about Anonymous, Assange seems to be setting a tone of "cybercrime is the new investigative reporting" and to some extent that carefree attitude is catching on with world leaders who don't know the difference between back-slapping and outright... well, you get the point.  With the current chest-puffing administration here in the US, I can't see this stopping any time soon.  But is this a bad thing?  Not so sure it is.  There's nothing like knowing who your cyberattacker is when wanting to bring down an Enemy of the State.  Please, Russia, and any other country that wants to: brag, boast and puff.  Maybe this will inspire the harder-to-catch cybercriminals to do the same so we can finally nab them in the act, too.  
Kelly Jackson Higgins,
User Rank: Strategist
12/2/2016 | 10:58:00 AM
Re: Typo with the Name.
@Ashu001 Actually, the spelling is correct as-is. Kevin Mandia founded Mandiant. =)

Thank you for sharing your thoughts on nation-state cyber espionage.
Ashu001,
User Rank: Apprentice
12/2/2016 | 9:25:14 AM
Typo with the Name.
Sara,

I don't mean to disparage your amazing article, but it sure bugs me a lot when I see your wonderful write-up get spoiled by the fact that the company in question is named "MANDIANT" and not "MANDIA".

I am amazed that nobody (in either the readership at Dark Reading or the phenomenal editors) has spotted the error previously.

The company does phenomenal research, as anyone who has used their REDLINE tool regularly will attest.

Also, I am not surprised that the Russian hackers are no longer covering their tracks.

Just in the USA, the UK, Israel, China and of course Russia, state-sponsored hacking groups operate as a function of state policy/diktat.

The fact that the Russians are no longer covering their tracks simply implies that the Russian government feels more confident in their place in the world.

Anyone who reads the latest geopolitical news will tell you how Russia is on the ascendancy globally (Syria as well as the latest OPEC announcement).

So, all this state-sponsored hacking is just a function of their Great Power status.

Regards

Ashish.
ClarenceR927,
User Rank: Strategist
12/2/2016 | 9:12:25 AM
It is going to get interesting
Given that Putin made no attempt to hide his desire to see Trump win and Trump made no attempt to hide his desire to have Putin interfere with the US election, it will be _interesting_ to see how a Trump administration will respond to Russian hacking. It would be even more interesting to see how US intelligence agencies respond if it appears as if a President Trump wants to take a hands-off approach on the subject. They took an oath to protect the Constitution and people of the United States, not the President.