It's practically impossible for even the experts to determine who leaked what. That's why efforts to pin the hacks of DNC servers on Russian officials is basically a fool's errand. This story in the Intercept offers a fascinating glimpse at the latest leak of CIA materials released through Wikileaks, and how attribution is an inexact science at best. I cover these issues at great length in my latest two novels, the techno-thriller 4o4 - A John Decker Thriller, about the surveillance state, recently listed as a Top Ten Amazon Bestseller in Technothrillers, as well as my latest book, dEATH in dAVOS, about a teen serial killer and hacker of Haitian descent who gets herself invited to the World Economic Forum in Davos, Switzerland, ostensibly because of an app she's developed, though in reality to take out nefarious billionaires who have committed unspeakable crimes but whose great wealth and power insulates them from prosecution and punishment. For more on this topic, check out this article from The Intercept.
WIKILEAKS FILES SHOW THE CIA REPURPOSING HACKING CODE TO SAVE TIME, NOT TO FRAME RUSSIA
ATTRIBUTING HACKING ATTACKS to the correct perpetrators is notoriously difficult. Even the U.S. government, for all its technical resources and expertise, took warranted criticism for trying to pin a high-profile 2014 cyberattack on North Korea, and more recently faced skepticism when it blamed Russia for hacks against top Democrats during the 2016 election.
In those cases, government officials said they based their attribution in part on software tools the hackers employed, which had been used in other cyberattacks linked to North Korea and Russia. But that sort of evidence is not conclusive; hackers have been known to intentionally use or leave behind software and other distinctive material linked to other groups as part of so-called false flag operations intended to falsely implicate other parties. Researchers at Russian digital security firm Kaspersky Lab have documented such cases.
On Tuesday, WikiLeaks published a large cache of CIA documents that it said showed the agency had equipped itself to run its own false-flag hacking operations. The documents describe an internal CIA group called UMBRAGE that WikiLeaks said was stealing the techniques of other nation-state hackers to trick forensic investigators into falsely attributing CIA attacks to those actors. According to WikiLeaks, among those from whom the CIA has stolen techniques is the Russian Federation, suggesting the CIA is conducting attacks to intentionally mislead investigators into attributing them to Vladimir Putin.
âWith UMBRAGE and related projects, the CIA can not only increase its total number of attack types, but also misdirect attribution by leaving behind the âfingerprintsâ of the groups that the attack techniques were stolen from,â WikiLeaks writes in a summary of its CIA document dump.
Itâs a claim that seems intended to shed doubt on the U.S. governmentâs attribution of Russia in the DNC hack; the Russian Federation was the only nation specifically named by WikiLeaks as a potential victim of misdirected attribution. Itâs also a claim that some media outlets have accepted and repeated without question.
âWikiLeaks said thereâs an entire department within the CIA whose job it is to âmisdirect attribution by leaving behind the fingerprintsâ of others, such as hackers in Russia,â CNN reported without caveats.
It would be possible to leave such fingerprints if the CIA were reusing unique source code written by other actors to intentionally implicate them in CIA hacks, but the published CIA documents donât say this. Instead, they indicate the UMBRAGE group is doing something much less nefarious.
They say UMBRAGE is borrowing hacking âtechniquesâ developed or used by other actors to use in CIA hacking projects. This is intended to save the CIA time and energy by copying methods already proven successful. If the CIA were actually reusing source code unique to a specific hacking group, this could lead forensic investigators to misattribute CIA attacks to the original creators of the code. But the documents appear to say the UMBRAGE group is writing snippets of code that mimic the functionality of other hacking tools and placing it in a library for CIA developers to draw on when designing custom CIA tools.
âThe goal of this repository is to provide functional code snippets that can be rapidly combined into custom solutions,â notes a document in the cache that discusses the project. âRather than building feature-rich tools, which are often costly and can have significant CI value, this effort focuses on developing smaller and more targeted solutions built to operational specifications.â
Robert Graham, CEO of Errata Security, agrees that the CIA documents are not talking about framing Russia or other nations.
âWhat we can conclusively say from the evidence in the documents is that theyâre creating snippets of code for use in other projects and theyâre reusing methods in code that they find on the internet,â he told The Intercept. âElsewhere they talk about obscuring attacks so you canât see where itâs coming from, but thereâs no concrete plan to do a false flag operation. Theyâre not trying to say, âWeâre going to make this look like Russia.ââ
The UMBRAGE documents do mention looking at source code, but these reference widely available source code for popular tools, not source code unique to, say, Russian Federation hackers. And the purpose of examining the source code seems to be for purposes of inspiring the CIA code developers in developing their code, not so they can copy/paste it into CIA tools.
Itâs not unusual for attackers of all persuasion â nation-state and criminal â to copy the techniques of other hackers. Success breeds success. A month after Stuxnet was discovered in June 2010, someone created a copycat exploit to attack the same Windows vulnerability Stuxnet exploited.
Components the UMBRAGE project has borrowed from include keyloggers; tools for capturing passwords and webcam imagery; data-destruction tools; components for gaining escalated privileges on a machine and maintaining stealth and persistent presence; and tools for bypassing anti-virus detection.
Some of the techniques UMBRAGE has borrowed come from commercially available tools. The documents mention Dark Comet, a well-known remote access trojan, or RAT, which can capture screenshots and keystrokes and grab webcam imagery, among other things. The French programmer who created Dark Comet stopped distributing it after stories emerged that the Syrian government was using it to spy on dissidents. Another tool UMBRAGE highlights is RawDisk, a tool made by the commercial software company Eldos, which contains drivers that system administrators can use to securely delete information from hard drives.
But legitimate tools are often used by hackers for illegitimate purposes, and RawDisk is no different. It played a starring role in the Sony hack in 2014, where the attackers used it to wipe data from Sonyâs servers.
It was partly the use of RawDisk that led forensic investigators to attribute the Sony hack to North Korea. Thatâs because RawDisk had been previously used in 2011 âDark Seoulâ hack attacks that wiped the hard drives and master boot records of three banks and two media companies in South Korea. South Korea blamed the attack on North Korea and China. But RawDisk was also used in the destructive Shamoon attack in 2012 that wiped data from 30,000 systems at Saudi Aramco. That attack wasnât attributed to North Korea, however; instead U.S. officials attributed it to Iran.
All of this highlights how murky attribution can be, particularly when focused only on the tools or techniques a group uses, and how the CIA is not doing anything different than other groups in borrowing tools and techniques.
âEverything theyâre referencing [in the CIA documents] is extremely public code, which means the Russians are grabbing the same snippets and the Chinese are grabbing them and the U.S. is grabbing,â says Graham. âSo theyâre all grabbing the same snippets of code and then theyâre making their changes to it.â
The CIA documents do talk elsewhere about using techniques to thwart forensic investigators and make it hard to attribute attacks and tools to the CIA. But the methods discussed are simply proper operational security techniques that any nation-state attackers would be expected to use in covert operations they donât want attributed to them. The Intercept wasnât able to find documents within the WikiLeaks cache that talk about tricking forensic investigators into attributing attacks to Russia. Instead, they discuss doâs and donâts of tradecraft, such as encrypting strings and configuration data in malware to prevent someone from reverse engineering the code, or removing file compilation timestamps to prevent investigators from making correlations between compilation times and the working hours of CIA hackers in the U.S.
Researchers at anti-virus firms often use compilation times to determine where a malwareâs creators might be located geographically if their files are consistently compiled during work hours that are distinctive to a region. For example, tools believed to have been created in Israel have shown compilation times on Sunday, which is a normal workday in Israel.
The bottom line with the CIA data dump released by WikiLeaks is that journalists and others should take care to examine statements made around it to ensure that theyâre reporting accurately on the contents.
Recent Comments