Russian hackers who attacked the 2018 Winter Olympics in PyeongChang, South Korea, didn’t want to get caught. So they cloaked their attacks with a web of false signals and misdirection designed to send investigators looking at China, North Korea and other potential suspects.
The ruse almost worked, too. It took careful sleuthing by numerous cybersecurity researchers to peel away the “false flags” to reveal Russia was behind the attack that disrupted the Olympics' Internet and broadcast systems and shut down ticket printing.
That’s the upshot of Wired reporter Andy Greenberg’s mammoth investigation into the “Olympic Destroyer” cyberattack, which offers a fascinating inside look at the cat-and-mouse game between increasingly sophisticated Russian hackers and the researchers and U.S. officials seeking to hold them to account. And it's a prime example of how hackers could use false flags to mislead the public about their attacks and sow distrust in intelligence agencies’ conclusions.
The story, which is adapted from Greenberg’s forthcoming book Sandworm, reads like a police procedural in which researchers wade through reams of contradictory evidence until they finally hit on the crucial clues. Their conclusion that it was a Russian job backed up the same attribution from U.S. intelligence agencies.
This case deals a major blow to Russian claims that it’s nearly impossible to attribute who is really behind an attack in the shadowy world of cyberspace. But it also offers a warning about how other false flags could be successful -- and let nation-states hack their enemies with impunity.
It's clear in this example how a sophisticated adversary such as Russia can use its intelligence capability and understanding of other countries' cultures to plant just enough seeds to cast doubt, just like it did in the 2016 election.
For example, Kremlin hackers who breached the Democratic National Committee pretended to be a lone Romanian hacker dubbed Guccifer 2.0 — a far shoddier cover than in Olympic Destroyer, but it contributed to distrust in U.S. intelligence agencies’ attribution to Russia.
And three years later, conspiracy theorists -- and President Trump -- continue to question whether the Kremlin is to blame.
“As the 2020 election approaches, Olympic Destroyer shows that Russia has only advanced its deception techniques — graduating from flimsy cover stories to the most sophisticated planted digital fingerprints ever seen,” Andy writes. “And if they can fool even a few researchers or reporters, they can sow even more of the public confusion that misled the American electorate in 2016."
The attack on the Olympics was unique for how extensively Russian hackers seeded their malicious software with elements that appeared to come from North Korea, China and Russia itself. The clues were so contradictory, in fact, that they seemed designed to make attribution seem impossible rather than to pin the case on one particular nation.
“It … sent a message to the security community: You can be misled,” Craig Williams, a researcher at Cisco, told Andy.
All three nations have a prolific history of hacking adversaries, and North Korea and Russia both had clear motives. For Pyongyang, the attack would be an opportunity to poke its capitalist neighbor and Korean War adversary. For Moscow, it would be revenge against the International Olympic Committee for barring Russian athletes from competing under their country’s flag after a humiliating doping investigation.
One big break in the case came when a researcher with Moscow-based Kaspersky Lab found a piece of malicious software that looked North Korean but was wrongly constructed — suggesting a deliberate attempt to fake a North Korean attack and undermining the case against a key suspect.
The case cracked wide open, though, when a researcher with the U.S. cybersecurity firm FireEye found similarities between the Olympics attack and a series of 2017 Russian cyberattacks against Ukraine — a frequent Russian target.
False flags could have devastating consequences — especially if, say, the victim retaliates against the wrong country.
“If you can't imagine this with [the] U.S. and Russia, imagine it with India and Pakistan, or China and Taiwan,” Jason Healey, a top White House cybersecurity official during the George W. Bush administration, told Andy.
A false flag like that could provoke “a much stronger response than even its authors intended, in a way that leaves the world looking very different afterwards,” he warned.
Indeed, there are already signs false flag operations are increasing. Just this morning, U.S. and British intelligence officials warned about a Russian hacking group that hijacked Iranian infrastructure to cloak its identity and compromised organizations in at least 20 different countries over the past 18 months.
The group, which cybersecurity firms call Turla among other names, was most active in the Middle East but also targeted organizations in Britain and elsewhere, Reuters’s Jack Stubbs reports.
“We want to send a clear message that even when cyber actors seek to mask their identity, our capabilities will ultimately identify them,” Paul Chichester, a senior official with Britain’s top spy agency GCHQ said in the alert.
PINGED, PATCHED, PWNED
PINGED: Thousands of Chinese-made surveillance cameras that could be a conduit for Beijing spying are still being used at U.S. military and government sites, despite an August congressional ban, Asa Fitch at the Wall Street Journal reports. The ban did not require government agencies and military bases to remove already-purchased devices from the Chinese companies Hikvision and Dahua, but not doing so creates ongoing national security risks, experts say.
One big problem is cost. The bill that banned Hikvision and Dahua from government systems — along with the Chinese telecom firms Huawei and ZTE — didn’t include funding for replacements.
“It’s not that agencies aren’t concerned about the risk, or that they’re unwilling to take actions,” Jeanette Manfra, the Department of Homeland Security’s assistant director for cybersecurity, told the Journal. “It often just comes down to, they’ve got to balance all these different needs.”
Another problem is government officials who aren’t convinced the technology poses a threat, one former high-ranking government IT official told Asa.
“There are a significant number of people who are in denial,” the former official said. “They don’t believe the problem is that big a deal, and [believe it] can be managed and mitigated in other ways.”
A Defense Department spokeswoman told the Journal that the Defense Department was taking measures “to ensure the security of the supply chain and inspect equipment for vulnerabilities,” Asa writes.
PATCHED: A State Department investigation concluded that 38 individuals violated security protocols in sending emails to former secretary of state Hillary Clinton's private email server, potentially making those emails more vulnerable to hacking by U.S. adversaries, my colleague Greg Miller reports. The report also concluded, however, that none of the officials intentionally mishandled classified information.
Trump repeatedly attacked Clinton for using the private email server during the 2016 election, but his administration has had similar cybersecurity lapses. Diplomats involved in pressuring Ukraine to investigate the son of Trump’s 2020 rival, former vice president Joe Biden, allegedly used private phones and texting apps to trade messages about their efforts, according to evidence released by leaders of the House impeachment inquiry.
Clinton’s email setup “added an increased degree of risk of compromise” since a private server “lacks the network monitoring and intrusion detection capabilities of State Department networks,” the report concluded. The State Department investigation found 91 violations by “culpable” individuals and another 497 violations where no specific individual was found at fault. None of the violations included material that had been marked classified.
PWNED: Acting White House chief of staff Mick Mulvaney continued to backpedal yesterday after initially suggesting a link between Ukrainian security aid and Trump urging Ukraine's president to investigate his political rivals.
Mulvaney told reporters on Thursday that Trump withheld the aid in part to pressure Ukraine to investigate his political rivals -- including a conspiracy theory that a hacked Democratic National Committee server is being hidden there. But he later released a statement backtracking on the shocking revelation. Then on Fox News Sunday, he said, “I never said there was a quid pro quo, ’cause there isn’t,” and insisted that the administration only took concerns over corruption and aid from other countries into consideration when deciding the future of Ukrainian aid.
Mulvaney's comments will likely be the subject of continued scrutiny by Democrats, who have heard from current and former officials during the House impeachment probe that the administration did push Ukraine to investigate allegations of a Democratic Party server being hidden in the country, my colleague Karoun Demirjian reports.
House Speaker Nancy Pelosi (D-Calif.) is planning a floor vote this week on a House measure that would explicitly require campaigns to report attempts by foreign nationals to offer them dirt on opponents and mandate more transparency in online political ads, Axios’s Mike Allen reports.
Similar bills are languishing in the Senate, where Majority Leader Mitch McConnell (R-Ky.) has blocked most election security reforms. Democrats are also planning a PR blitz, Mike reports, including a four-pager making the Ukraine case against Trump, "Truth Exposed: The Shakedown ... The Pressure Campaign ... The CoverUp," plus a video, "Do Us a Favor."
A class-action lawsuit filed in federal court in Georgia alleges a number of startling security missteps by Equifax, the credit monitoring firm that exposed the personal information of 147 million people in 2017.
Here’s BuzzFeed's Jane Lytvynenko, who broke down a judge’s order in the case on Twitter on Friday:
In addition to having admin and the user and the password, they stored unencrypted information on a public-facing server. — Jane Lytvynenko (@JaneLytv) October 18, 2019
"And, when Equifax did encrypt data, it left the keys to unlocking the encryption on the same public-facing servers, making it easy to remove the encryption from the data." — Jane Lytvynenko (@JaneLytv) October 18, 2019
The viral thread set off a new wave of criticism against the company and the penalties it faced for the 2017 breach.
Cornell computer science professor Emin Gün Sirer:
And they got away by offering people "free credit monitoring." https://t.co/iwgMd0gUM8 — Emin Gün Sirer (@el33th4xor) October 20, 2019
Director of Citizens for Responsibility and Ethics in Washington Robert Maguire:
Your regular reminder that Equifax still exists. — Robert Maguire (@RobertMaguire_) October 19, 2019
Everyone who runs the company -- which allowed 143 million Americans' personal data to get hacked -- is still fantastically wealthy, and their former lawyer is now running the office at the FTC that's supposed to investigate them. https://t.co/pynLmuUQO9
The New York Times's Charlie Warzel:
Equifax is what happens when you have a company that nobody asked for, that serves no real need other than to harvest data for other companies (and no regulators). When you never had to serve a customer, you never need to think about their well-being. https://t.co/cjWEYowJJ7 — Charlie Warzel (@cwarzel) October 18, 2019
- DC CyberWeek will take place today through Friday.
— Coming up:
- The House Committee on Homeland Security will host a hearing on "Preparing for the Future: An Assessment of Emerging Cyber Threats" on Tuesday at 2pm.
- The Cybersecurity Coalition, the Cyber Threat Alliance, and the National Security Institute at George Mason University’s Antonin Scalia School of Law will host the third annual CyberNextDC policy day in Washington on Thursday.