The disastrous hacking of the Democratic National Committee in 2016 raised alarm bells for anyone worried about international chaos, media reported. On Monday night, local time, Americans had a new reason to worry about the 2020 election: The New York Times and the cybersecurity firm Area1 reported a new wave of hacking by Russian intelligence agencies against Burisma, a Ukrainian gas company.
For months, Republicans have been suggesting that there is some terrible corruption within the company, and that if Russian spies do break into the company’s network, it could have dire consequences.
Some members of Congress are already predicting a repeat of the 2016 election, with Democratic Rep. Adam Schiff commenting, “It looks like they want to help this president (Trump). That’s a worrying idea, and given Trump’s last refusal to acknowledge Russian hacking, there is no sign that the White House will do anything to stop it.”
Although the report paints a terrible picture, the evidence is not as conclusive as it seems. While there is strong evidence that Burisma was successfully targeted by a phishing campaign, it is difficult to determine who is behind that campaign. There are indeed indications that Russia’s GRU intelligence agency may be involved, but much of the evidence is circumstantial.
Most of the evidence is contained in an eight-page report published in conjunction with the New York Times article. The core evidence is the pattern of previous attacks against the Hudson Institute and George Soros. Most damning of all, these phishing campaigns use the same SSL vendor and different versions of the same URL, masquerading as a service called My Sharepoint. In Area1’s view, these are GRU tactics, and Burisma is just the latest of many targets.
But not everyone agrees that inferences based on domain name attributes are a sure thing. When Kyle Ehmke of ThreatConnect examined earlier iterations of the same pattern, he came to a more cautious conclusion: he was only “moderately confident” that the domain names were connected to APT28, industry shorthand for the Russian GRU. “We see consistency, but in some cases, it doesn’t apply to individual actors,” Ehmke told The Verge. This pattern of registration and phishing attacks does look like the GRU’s playbook, but it is not the only playbook, nor the only one the GRU uses.
In practice, this means that network operators should raise an alert whenever they detect an attack that matches this pattern, but it is much more difficult to reach a definitive conclusion about a single incident. The network infrastructure used in the campaign is public and used by many other parties, so it is not conclusive evidence. The most striking feature is the term “sharepoint”, which the researchers have only seen in URLs that are closely linked to the GRU. But anyone can register a URL containing “sharepoint”, so the connection is only indirect.
“This is a remarkable set of consistencies that can be used to find and identify their infrastructure,” Ehmke said. “But that’s not to say that all the things that have these consistencies are and will be APT28.”
It is difficult to make stronger attributions in the absence of specific information on the strategies and objectives of a particular agency. Going in the opposite direction — from a weak attribution to an assumption of intent — can be dangerous.
Frustratingly, this weakness is so common in the world of cybersecurity that it can cause real problems as countries struggle to understand international diplomacy in cyberwarfare. Farzaneh Badii, a former executive director of the Internet Governance Project at the Georgia Institute of Technology, described the lack of clarity as “indirect evidence that can be technically questioned.” She considers it a global problem and advocates the establishment of an international attribution group to resolve the impasse, so that observers do not have to rely on private companies or government intelligence agencies. Without such a group, the trust problem is difficult to solve.