THE KEY

Russian hackers who attacked the 2018 Winter Olympics in PyeongChang, South Korea, didn’t want to get caught. So they cloaked their attacks with a web of false signals and misdirection designed to send investigators looking at China, North Korea and other potential suspects. 

The ruse almost worked, too. It took careful sleuthing by numerous cybersecurity researchers to peel away the “false flags” to reveal Russia was behind the attack that disrupted the Olympics' Internet and broadcast systems and shut down ticket printing.

That’s the upshot of Wired reporter Andy Greenberg’s mammoth investigation into the “Olympic Destroyer” cyberattack, which offers a fascinating inside look at the cat-and-mouse game between increasingly sophisticated Russian hackers and the researchers and U.S. officials seeking to hold them to account. And it's a prime example of how hackers could use false flags to mislead the public about their attacks and sow distrust in intelligence agencies’ conclusions. 

The story, which is adapted from Greenberg’s forthcoming book Sandworm, reads like a police procedural in which researchers wade through reams of contradictory evidence until they finally hit on the crucial clues. Their conclusion that it was a Russian job backed up the same attribution from U.S. intelligence agencies.

This case deals a major blow to Russian claims that it’s nearly impossible to attribute who is really behind an attack in the shadowy world of cyberspace. But it also offers a warning about how other false flags could be successful -- and let nation-states hack their enemies with impunity.

It's clear in this example how a sophisticated adversary such as Russia can use its intelligence capability and understanding of other countries' cultures to plant just enough seeds to cast doubt, just like it did in the 2016 election.

For example, Kremlin hackers who breached the Democratic National Committee pretended to be a lone Romanian hacker dubbed Guccifer 2.0 — a far shoddier cover than in Olympic Destroyer, but it contributed to distrust in U.S. intelligence agencies’ attribution to Russia.

And three years later, conspiracy theorists -- and President Trump -- continue to question whether the Kremlin is to blame.

“As the 2020 election approaches, Olympic Destroyer shows that Russia has only advanced its deception techniques — graduating from flimsy cover stories to the most sophisticated planted digital fingerprints ever seen,” Andy writes. “And if they can fool even a few researchers or reporters, they can sow even more of the public confusion that misled the American electorate in 2016." 

The attack on the Olympics was unique for how extensively Russian hackers seeded their malicious software with elements that appeared to come from North Korea, China and Russia itself. The clues were so contradictory, in fact, that they seemed designed to make attribution seem impossible rather than to pin the case on one particular nation.

“It … sent a message to the security community: You can be misled,” Craig Williams, a researcher at Cisco, told Andy.

All three nations have a prolific history of hacking adversaries, and North Korea and Russia both had clear motives. For Pyongyang, the attack would be an opportunity to poke its capitalist neighbor and Korean War adversary. For Moscow, it would be revenge against the International Olympic Committee for barring Russian athletes from competing under their country’s flag after a humiliating doping investigation.

One big break in the case came when a researcher with Moscow-based Kaspersky Lab found a piece of malicious software that looked North Korean but was wrongly constructed — suggesting a deliberate attempt to fake a North Korean attack and undermining the case against a key suspect.

The case cracked wide open, though, when a researcher with the U.S. cybersecurity firm FireEye found similarities between the Olympics attack and a series of 2017 Russian cyberattacks against Ukraine — a frequent Russian target.

False flags could have devastating consequences — especially if, say, the victim retaliates against the wrong country.

“If you can't imagine this with [the] U.S. and Russia, imagine it with India and Pakistan, or China and Taiwan,” Jason Healey, a top White House cybersecurity official during the George W. Bush administration, told Andy.

A false flag like that could provoke “a much stronger response than even its authors intended, in a way that leaves the world looking very different afterwards,” he warned.

Indeed, there are already signs false flag operations are increasing. Just this morning, U.S. and British intelligence officials issued an alert about a Russian hacking group that hijacked Iranian infrastructure to cloak its identity and compromised organizations in at least 20 different countries over the past 18 months.

The group, which cybersecurity firms call Turla among other names, was most active in the Middle East but also targeted organizations in Britain and elsewhere, Reuters’s Jack Stubbs reports.

“We want to send a clear message that even when cyber actors seek to mask their identity, our capabilities will ultimately identify them,” Paul Chichester, a senior official with Britain’s top spy agency GCHQ, said in the alert.

PINGED, PATCHED, PWNED

PINGED: Thousands of Chinese-made surveillance cameras that could be a conduit for Beijing spying are still being used at U.S. military and government sites, despite an August congressional ban, Asa Fitch at the Wall Street Journal reports. The ban did not require government agencies and military bases to remove already-purchased devices from the Chinese companies Hikvision and Dahua, but not doing so creates ongoing national security risks, experts say.

One big problem is cost. The bill that banned Hikvision and Dahua from government systems — along with the Chinese telecom firms Huawei and ZTE — didn’t include funding for replacements. 

“It’s not that agencies aren’t concerned about the risk, or that they’re unwilling to take actions,” Jeanette Manfra, the Department of Homeland Security’s assistant director for cybersecurity, told the Journal. “It often just comes down to, they’ve got to balance all these different needs.”

Another problem is government officials who aren’t convinced the technology poses a threat, one former high-ranking government IT official told Asa.

“There are a significant number of people who are in denial,” the former official said. “They don’t believe the problem is that big a deal, and [believe it] can be managed and mitigated in other ways.”

A Defense Department spokeswoman told the Journal that the Defense Department was taking measures “to ensure the security of the supply chain and inspect equipment for vulnerabilities,” Asa writes.

PATCHED: A State Department investigation concluded that 38 individuals violated security protocols in sending emails to former secretary of state Hillary Clinton's private email server, potentially making those emails more vulnerable to hacking by U.S. adversaries, my colleague Greg Miller reports. The report also concluded, however, that none of the officials intentionally mishandled classified information.

Trump repeatedly attacked Clinton for using the private email server during the 2016 election, but his administration has had similar cybersecurity lapses. Diplomats involved in pressuring Ukraine to investigate the son of Trump’s 2020 rival, former vice president Joe Biden, allegedly used private phones and texting apps to trade messages about their efforts, according to evidence released by leaders of the House impeachment inquiry.

Clinton’s email setup “added an increased degree of risk of compromise” since a private server “lacks the network monitoring and intrusion detection capabilities of State Department networks,” the report concluded. The State Department investigation found 91 violations by “culpable” individuals and another 497 violations where no specific individual was found at fault. None of the violations included material that had been marked classified.

PWNED: Acting White House chief of staff Mick Mulvaney continued to backpedal yesterday after initially suggesting a link between Ukrainian security aid and Trump urging Ukraine's president to investigate his political rivals.

Mulvaney told reporters on Thursday that Trump withheld the aid in part to pressure Ukraine to investigate his political rivals -- including a conspiracy theory that a hacked Democratic National Committee server is being hidden there. But he later released a statement backtracking on the shocking revelation. Then on Fox News Sunday, he said, “I never said there was a quid pro quo, ’cause there isn’t,” and insisted that the administration only took concerns over corruption and aid from other countries into consideration when deciding the future of Ukrainian aid.

Mulvaney's comments will likely be the subject of continued scrutiny by Democrats, who have heard from current and former officials during the House impeachment probe that the administration did push Ukraine to investigate allegations of a Democratic Party server being hidden in the country, my colleague Karoun Demirjian reports.

PUBLIC KEY

House Speaker Nancy Pelosi (D-Calif.) is planning a floor vote this week on a House measure that would explicitly require campaigns to report attempts by foreign nationals to offer them dirt on opponents and mandate more transparency in online political ads, Axios’s Mike Allen reports.

Similar bills are languishing in the Senate, where Majority Leader Mitch McConnell (R-Ky.) has blocked most election security reforms. Democrats are also planning a PR blitz, Mike reports, including a four-pager making the Ukraine case against Trump, "Truth Exposed: The Shakedown ... The Pressure Campaign ... The CoverUp," plus a video, "Do Us a Favor."

— More cybersecurity news from the public sector:

A “Cold War mentality” and “bully behavior” are hindering mutual trust in cyberspace, China’s propaganda chief said on Sunday at the start of the World Internet Conference in the eastern Chinese town of Wuzhen.
Reuters
The system, known as a "risk-limiting audit," uses advanced statistical analysis and a dose of randomness to look for irregularities in vote tallies.
NBC News

PRIVATE KEY

— Cybersecurity news from the private sector:

Blacklisted Chinese telecoms equipment giant Huawei is in early-stage talks with some U.S. telecoms companies about licensing its 5G network technology to them, a Huawei executive told Reuters on Friday.
Reuters
Seven-year-old class-action lawsuit nears its end, but data breach victims won't be happy.
ZDNet
The flaw is especially worrisome because fingerprint sensors not only unlock Samsung phones, but also enable payments through the company’s Samsung Pay system.
NBC News
Companies are misusing Alphabet Inc.’s virus scanner and similar products, and are unwittingly leaking data ranging from factory blueprints to intellectual property online, Israeli cybersecurity company Otorio Ltd. said.
Bloomberg

THE NEW WILD WEST

— Cybersecurity news from abroad:

Are you there, God? It’s me, a serious security flaw.
CNET

CHAT ROOM

A class-action lawsuit filed in federal court in Georgia alleges a number of startling security missteps by Equifax, the credit monitoring firm that exposed the personal information of 147 million people in 2017. 

Here’s BuzzFeed's Jane Lytvynenko, who broke down a judge’s order in the case on Twitter on Friday:

The viral thread set off a new wave of criticism against the company and the penalties it faced for the 2017 breach.

Cornell computer science professor Emin Gün Sirer:

Director of Citizens for Responsibility and Ethics in Washington Robert Maguire:

The New York Times's Charlie Warzel:

ZERO DAYBOOK

— Today:

— Coming up:

  • The House Committee on Homeland Security will host a hearing on "Preparing for the Future: An Assessment of Emerging Cyber Threats" on Tuesday at 2 p.m.
  • The Cybersecurity Coalition, the Cyber Threat Alliance, and the National Security Institute at George Mason University’s Antonin Scalia School of Law will host the third annual CyberNextDC policy day in Washington on Thursday.