The hackers that never went away: Brace for more state-backed attacks, leaks and copycats this year

Attacks on the US presidential election might just be the beginning; expect more hacking and leaking this year across the globe.
Written by Steve Ranger, Global News Director

Hackers - including those backed by Russia - continue to probe.

Earlier this month, a report jointly compiled by the NSA, CIA and FBI concluded that Russia's intelligence services had conducted hacking attacks against organisations involved with the 2016 US presidential election, with the most high profile target being the Democratic National Committee (DNC).

Assessing the impact of the leaks that followed on the election itself is hard, and Russia has denied any involvement with any of these activities. But the impact of the hacking attacks on the US election process -- whoever was responsible -- will range far and wide this year, according to experts.

Trying to work out exactly what the repercussions will be is difficult. For example, it's perhaps relevant that, not long after the US report into Russian hacking was published, two players linked by many to Russian intelligence decided to break their silence.

The Shadow Brokers -- a mysterious group that somehow acquired a set of NSA hacking tools, which it tried to auction to the highest bidder -- said they were shutting up shop.

"So long, farewell peoples. TheShadowBrokers is going dark, making exit. Continuing is being much risk and bullshit, not many bitcoins. Despite theories it was always being about bitcoins for TheShadowBrokers. Free dumps and bullshit political talk was being for marketing attentions."

The group -- believed by many to be linked to Russian intelligence -- dumped some of the stolen NSA tools, ones that could be used to hack Windows, along with their goodbye note.

On the same day Guccifer 2.0 -- a character that US intelligence agencies think was created by Russian military intelligence to serve as a conduit for the data stolen from the Democratic National Committee and others in the run-up to the US presidential election -- also broke 'his' silence.

After a long absence he appeared again and, in considerably better English than the Shadow Brokers, denied he had any link to the Russian government.

"The U.S. intelligence agencies have published several reports of late claiming I have ties with Russia. I'd like to make it clear enough that these accusations are unfounded. I have totally no relation to the Russian government. I'd like to tell you once again I was acting in accordance with my personal political views and beliefs," he said.

So were these messages an attempt by Russian intelligence to draw a line under the hacking controversy around the US presidential election -- or just another example of Russia's hackers tweaking the nose of US intelligence?

It's hard to say, because the rules of cyber-espionage have changed in the last couple of years. One of the most unexpected features of this recent hacking campaign has been its public nature.

Pretty much all countries indulge in cyber espionage of one sort or another - either aiming to steal industrial secrets or to keep tabs on other governments.

Usually when state-sponsored hackers steal information, they keep their thefts secret and use the information to support their own decision-making. In contrast, during the US election campaign not only was the information stolen then made public, but the apparent thieves also chatted happily to journalists about it.

What previously happened in the shadows was instead played out on Twitter.

All of this makes it harder to work out how cyber-espionage will develop in 2017. But it's highly unlikely that the cyber-spies are going to go away.

Russia's military intelligence, GRU, has been linked by security companies to a digital-espionage team known to researchers as APT 28, or Fancy Bears (there's also a second hacking group which apparently has strong links to the FSB, the modern version of the KGB, which is known to security companies as APT 29, or Cozy Bear, or The Dukes).

Security company FireEye, which has been following APT 28's activities for the last decade, said that since 2014 the group has supported operations designed to influence the domestic politics of foreign nations, often by leaking stolen information. It has been blamed for hacking into the World Anti-Doping Agency, the DNC, the Ukrainian Central Election Commission and others.

The security company's analysts point to how APT 28's software is made as evidence of a Russian origin: the malware is built during the working day of the GMT + 4 time zone, which includes Moscow and St. Petersburg, and the developers used Russian language settings until 2013.
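The build-time argument above can be checked on a sample set. This is an added example, not FireEye's or the article's own code: it reads the COFF TimeDateStamp out of PE headers (the PE blobs here are constructed, not real samples), shifts the timestamps into a candidate UTC offset and measures how many builds fall in an assumed 09:00-18:00 working day.

```python
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone

WORK_START, WORK_END = 9, 18  # assumed working day: 09:00 <= hour < 18:00

def pe_compile_timestamp(data: bytes) -> int:
    """Return the COFF header TimeDateStamp (seconds since the Unix epoch)."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header follows the 4-byte signature; TimeDateStamp is its third field.
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]

def make_fake_pe(timestamp: int) -> bytes:
    """Constructed minimal header: MZ stub, e_lfanew=0x40, PE signature, COFF header."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0xE0, 0x102)
    return bytes(dos) + b"PE\0\0" + coff

def working_hour_fraction(timestamps, utc_offset_hours: int) -> float:
    """Share of builds whose local hour (at the given offset) is inside the working day."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    hours = Counter(datetime.fromtimestamp(t, tz).hour for t in timestamps)
    in_day = sum(n for h, n in hours.items() if WORK_START <= h < WORK_END)
    return in_day / sum(hours.values())

def best_fit_offset(timestamps, candidates=range(-12, 15)) -> int:
    """Offset whose working day captures the most builds (first wins on a tie).
    Build timestamps can be zeroed or forged, so treat this as one signal, not proof."""
    return max(candidates, key=lambda off: working_hour_fraction(timestamps, off))

# Constructed sample set: six builds stamped during office hours at UTC+4.
_TZ4 = timezone(timedelta(hours=4))
SAMPLE_PES = [make_fake_pe(int(datetime(2016, 3, d, h, m, tzinfo=_TZ4).timestamp()))
              for d, h, m in [(1, 10, 0), (2, 11, 30), (3, 14, 0),
                              (4, 16, 45), (7, 9, 15), (8, 17, 50)]]

def sample_timestamps():
    return [pe_compile_timestamp(blob) for blob in SAMPLE_PES]

if __name__ == "__main__":
    ts = sample_timestamps()
    for off in (0, 3, 4):
        print(f"UTC{off:+d}: {working_hour_fraction(ts, off):.0%} of builds in working hours")
    print("best-fit offset:", best_fit_offset(ts))
```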

Also, the group has over the years used a number of 'zero-day attacks' exploiting previously unknown vulnerabilities in software. These are hard to find and expensive to acquire, and having access to a steady stream of them suggests the group has its own research or acquisition programme, and deep pockets. The group also has the capability to take on multiple targets at once, again a sign of state-backing rather than lone hackers.

In addition, the technical preparation for some of the hacking campaigns it has conducted requires significant scale. For example, operations might involve setting up thousands of web domains, and dealing with the massive amount of information being stolen likely involves trained linguists to understand and evaluate it. All of this means that APT 28 is likely to involve hundreds of staff directly, if not thousands indirectly, said Jonathan Wrolstad, senior threat intelligence analyst at FireEye.

Post-election hacking trends

And while the US presidential election is now over, that doesn't mean the hackers have decided to call it a day. Instead they are likely to continue their operations, out of the headlines, the security company predicted.

APT 28 has still been going after their traditional targets, looking to support military intelligence goals, particularly in Eastern Europe, Wrolstad said.

"They do something every day. The frequency might be varying but they're certainly continuing operations and I'm sure all those guys go to work every single day," he said.

"They're going to keep pushing this methodology until it doesn't work any longer and so, because they're so successful, I would fully expect them to continue the same information operations into 2017," he said.

US intelligence has come to the same conclusion. The report compiled by the CIA, FBI and NSA in the wake of the hacking around the US presidential elections said: "Russian intelligence services will continue to develop capabilities to provide Putin with options to use against the United States, judging from past practice and current efforts."

It noted that immediately after election day, Russian intelligence began a new spearphishing campaign (most likely conducted by APT 29) targeting US government employees, think tanks and others in the national security, defence, and foreign policy fields.

"This campaign could provide material for future influence efforts as well as foreign intelligence collection on the incoming administration's goals and plans," it warned.

Steven Adair, founder of security company Volexity, which first spotted the phishing campaign in November, said that since then he has not seen the Dukes/APT 29 group launch any attacks that would directly lead to a system being compromised.

"This is to say we have not seen continued targeting where a malicious attachment or link has been included as part of a spear phishing campaign," he said. "We believe the Dukes may be examining and profiling different target organizations where they do not currently have access. We cannot say with any certainty or level of confidence that we would expect an attack at a particular time. However, we would not be surprised if they launched a new round of attacks soon or if they just stayed quiet for another six months."

The US is unlikely to be the only target, the US intelligence agency report also warned.

"We assess Moscow will apply lessons learned from its campaign aimed at the US presidential election to future influence efforts in the United States and worldwide, including against US allies and their election processes. We assess the Russian intelligence services would have seen their election influence campaign as at least a qualified success because of their perceived ability to impact public discussion.

"Putin's public views of the disclosures suggest the Kremlin and the intelligence services will continue to consider using cyber-enabled disclosure operations because of their belief that these can accomplish Russian goals relatively easily without significant damage to Russian interests," it said.

The rise of state-sponsored copycat attacks

So now these techniques -- infiltrate, steal, leak -- have been proved effective on the largest stage possible, we're likely to see more incidents like this, not less. Another worry: these attacks didn't use hugely sophisticated techniques and advanced tools, and the success of this campaign could lead other governments to embark upon similar projects.

"We will certainly continue to see malicious activity in and through cyberspace coming out of the direction of Russia. It's been too successful a tool not to be continued to be employed," said Ewan Lawson, senior research fellow for military influence at the Royal United Services Institute.

"I expect to see not just Russia but others recognizing what has been achieved through cyberspace and learning the lesson from that," he said.

The fear is that 2017 is likely to see more attempts at hacking and leaking from a number of groups backed by different states. And as well as targeting government and corporate executives in their workplace, where they are well protected, hackers may well look for soft digital targets, like personal accounts, where they can still have political impact.

Security measures like educating staff not to click on unexpected emails, having two-factor authentication across all accounts that support it and simply being aware that they are a target can do much to protect the average organization. Basic security hygiene is often enough to make an attacker look for an easier target. However, if an attacker is willing to spend enough money and time they are likely to be able to get into pretty much any system, so organizations also need to consider the types of data they keep, and why -- and whether they should hold it at all.

The other issue is how the public should respond to leaks and revelations if more occur this year. So far, the emphasis has been on the content of the leaks, often rather trivial, while how the information was leaked has been less of a consideration for both the public and the media. More hacking and leaking are probably on their way. The biggest factor in whether these campaigns are successful is not about technology, but how the public and the press choose to respond.
