Sandworm by Andy Greenberg at Wired reveals why attributing hacking to a particular state can be almost impossible

This article is a followup to yesterday’s article here.

Now that I’ve read the last 45 pages of Sandworm (2019) it’s sad to conclude that Andy appears to be somewhat of a mouthpiece for Western intelligence. He recognizes that cyber attribution is notoriously difficult, but still chooses to accept the conclusions made by Western intelligence as if these are facts despite having seen no evidence proving that the conclusions are right. This uncritical attitude of a Wired journalist is pretty Kafka:

“Just days after my visit with John Hultquist, however, the U.K. government’s National Cyber Security Centre released a remarkable document. It served as a final confirmation of the GRU’s connection to Sandworm, establishing a layer of ground truth beneath the fog of cyberwar.”

“As I’d come to expect from government statements on state-sponsored hacking, it provided only conclusions, not the clues that led to them. … And it settled any last, lingering questions of which intelligence agency might be ultimately responsible.” (…)

“There was no longer room for doubt about this underlying fact: Whatever the shape of Sandworm, almost every attack that anyone had ever attributed to it had now been named as the work of the GRU.” (…)

“The underlying mystery of its identity, however, had been solved. The answer was the one that had been coming into focus all along. It didn’t matter which part of the elephant the blind men were touching. The animal was the GRU, working in the service of the Russian Federation and its president, Vladimir Putin.”

Remarkable that Andy trusts US/UK intelligence after Manning, after Snowden, after the IC’s lies or misinformation about WMDs in Iraq, 2003. He treats these pedigree liars as being authoritative even when explaining why cyber attribution is maybe just guesswork:

“Rob Lee, with his official pedigree as an NSA hacker-hunter, had warned me months earlier that the international researchers tracking Sandworm—from FireEye to Kaspersky to ESET—were all only seeing pieces of the picture. For the most part, he pointed out, they were analyzing clues in the malware left behind in the wake of the hackers’ attacks, not other evidence such as the intrusion data pulled from victims’ logs.”

“The problem with that malware analysis approach, Lee explained, was that highly sophisticated hacking operations aren’t typically carried out by a single team working alone. Instead, like in any well-developed industry, the hackers inside any competent intelligence agency specialize. One team might be assigned only to build tools. Another might focus on gaining initial access to target networks. …”

“The problem with the story of Sandworm as I knew it, Lee pointed out, was that the group had mostly been tracked via clues in the software it used. Even its name had come from the Dune references in the code of its BlackEnergy infections. The cybersecurity research community had started from those initial fingerprints, finding other software hints that connected to those intrusions and grouping those operations as the work of Sandworm. But what if those operations shared only the same software developers, and different operations teams had deployed that code in their attacks? “You’re tracking the malware. The people who develop it are not always the same people who use it,” Lee warned me in a phone call. The result might be misconceptions along the lines of tying together a series of murders as the work of a single gang, when in fact they had simply all been carried out with weapons from the same gun shop.”

“… What if they were different groups, linked only by a shared software development team?” (…)

“CrowdStrike’s vice president of intelligence, Adam Meyers, hinted to me—but declined to show evidence to back up—that he had seen the group’s fingerprints appear alongside multiple other Russian hacking groups, including one that CrowdStrike believed wasn’t even a GRU operation but FSB.”

Russia, however, cooperates with many authoritarian regimes, much as the Five Eyes do, but these states are not loyal to each other; they operate in shady and deceitful ways, just as the US spied on Germany, for example. Reuters:

U.S. spied on Merkel and other Europeans through Danish cables – broadcaster DR

Here’s a speculative hypothesis: what if a Chinese intelligence analyst in Moscow put a USB stick with the Olympic Destroyer programs into a GRU system in order to get away with a hack and let Russia take the heat afterward? China, after all, doesn’t want America and Russia to become friends in Cold War 2. Better to create hostility and mistrust between them.

It appears unscientific when Andy relies on the process of elimination in an attempt to attribute the Olympic hack to Russia:

“Finally, I asked the glaring question: If not China, and not North Korea, then who? It seemed that the conclusion of the process of elimination was practically sitting there in the conference room with us and yet couldn’t be spoken aloud.”

But Andy immediately admits that cyber attribution is dicey:

““Ah, for that question, I brought a nice game,” Soumenkov said, affecting a kind of chipper tone. He pulled out a small black cloth bag and took out of it a set of dice. On each side of the small black cubes were written words like “Anonymous,” “Cybercriminals,” “Hacktivists,” “USA,” “China,” “Russia,” “Ukraine,” “Cyber-terrorists,” “Iran.” I’d seen these so-called attribution dice before: a prop designed to illustrate the nihilistic notion that no cyberattack could ever be traced to its source and anyone who tried was simply guessing.”

The process of elimination is useless now that dozens of countries, or more, are in the game of deceptive infrastructure hacking:

““Nothing has gotten better,” he summarized. “When I last saw you, we were tracking three different groups targeting industrial sectors specifically. We’re tracking ten now.””

“Those ten infrastructure-hacking teams, Dragos’s analysts believed, work in the service of six distinct governments, though Lee declined to list exactly which ones. “Russia, China, Iran, and North Korea are not the only actors in this space,” he hinted. “We’re tracking one African state targeting industrial sectors. All of this goes completely outside of what people tend to think.” And Lee estimated that despite Dragos’s extensive intelligence collection—now as the world’s largest cybersecurity incident response team focused on industrial control systems—they’d found less than half the active hacking operations infiltrating targets like grids, factories, pipelines, and water treatment facilities around the world.” (…)

“But Lee also viewed the continuing uptick in infrastructure hacking as a kind of self-perpetuating cycle: Every country’s intelligence agencies that witness another country’s hacking capabilities, he explained, immediately seek to match or overtake their foes. …”

“… “There will be a rush for everyone to build these capabilities. And the losers will be civilian infrastructure owners.””

The US is not willing to abstain from power grid hacking:

““Agreed, and I do not condone them,” Bossert said. “But put yourself in Putin’s perspective.” Putin was willing to send little green men into Ukraine, to shoot down planes, to hack power grids, Bossert noted. All of that was justified, in Putin’s view, by his original, dubious rationale for the invasion of Ukraine.”

“If a similar hypothetical situation confronted the U.S., and if we similarly didn’t care what the international opinion was, meaning we had reached the conclusion it was in our national self-defense interest, we might easily do the same,” Bossert said. “We would shoot down airplanes if we were at war with someone. We would take down power. We would do all those things. The difference here becomes whether Putin was justified militarily being in the Ukraine. We all believe he wasn’t.””

From my own idealistic viewpoint of nationalism I agree that Russian imperial forces should not be in Ukraine. But imperial EU and imperial NATO should not be in Ukraine either, as was promised they would not be after the first Cold War. National Security Archive:

NATO Expansion: What Gorbachev Heard

From the viewpoint of political realism – the basic ideology of Western states despite their “liberality” – it’s only natural that Russia took back Crimea and also supports ethnic Russian separatists in eastern Ukraine. If NATO keeps pushing Russia by building up forces in Ukraine it’s elementary zoology, a basic mafia turf war dynamic, that the imperial forces of the West and East will one day spill tons of blood in Ukraine. The silver lining is that it may trigger a global war that destroys all imperial panopticons. From this perspective we should encourage NATO to defend Ukraine.


Russia Ukraine: Lavrov warns of return to military confrontation nightmare

But so far it looks like NATO countries will maybe just sanction Russia economically if the Kremlin attacks Ukraine. Reuters:

Blinken confronts Russia’s Lavrov on Ukraine, warns of ‘severe costs’
