nytimes.com · October 30, 2014
WASHINGTON — When the White House discovered in recent weeks that its unclassified computer systems had been breached, intelligence officials examined the digital evidence and focused on a prime suspect: Russia, which they believe is using its highly sophisticated cyber capabilities to test American defenses. But its tracks were well covered, and officials say they may never know for sure.
They have no doubt, however, about what happened this week on the edges of NATO territory in Europe. More than two dozen Russian aircraft, including four Tu-95 strategic bombers, flew through the Baltic and Black Seas, along the coast of Norway and all the way to Portugal, staying over international waters but prompting NATO forces to send up intercepting aircraft.
Taken together, they represent the old and the updated techniques of Cold War signal-sending. In the Soviet era, both sides probed each other’s defenses, hoping to learn something from the reaction those tests of will created. In 2014, cyber is the new weapon, one that can be used with less restraint, because its creators believe they cannot be traced and can create a bit of havoc without prompting a response.
In this case, the response was that the White House shut down use of some of its networks for lengthy periods — more an inconvenience than anything else, but a sign of the fragility of the system to sophisticated attacks.
But in both, divining the motive of the probes and the advantage, if any, they created is far from easy.
The Russian aircraft exercises were part of a broader escalation: NATO has conducted more than 100 intercepts of Russian aircraft this year, its officials report, far more than last year, before Russia annexed Crimea and began its operations in Ukraine.
“This is message-sending by Putin, and it’s dangerous,” one senior defense official said Wednesday, noting that in many cases, the Russian aircraft had turned off their transponders and did not reply to radio calls to identify themselves. In response, Germany, Portugal, Turkey and Denmark sent aircraft aloft, along with two non-NATO nations, Finland and Sweden. They were particularly struck by the use of the Tu-95 bombers, which Russia usually keeps clear of Europe.
But what’s new is the sophistication of Russia’s cyberespionage campaigns, which differ somewhat from China’s. The Chinese attacks — like those led by Unit 61398 of the People’s Liberation Army, whose members were indicted earlier this year by the Justice Department — are aimed chiefly at intellectual property theft. The Russians do a bit of that, too, but the attacks also suggest more disruptive motives.
Last year, security researchers at several American cybersecurity companies uncovered a Russian cyberespionage campaign in which Russian hackers were systematically breaking into more than one thousand computers at Western oil and gas companies and energy investment firms. The first motive, given Moscow’s dependence on its oil and gas industry, was likely industrial espionage. But the manner in which the hackers were choosing their targets also seemed intended to seize control of industrial control systems remotely, in much the same way the United States and Israel were able to take control of the Iranian nuclear facility at Natanz when they attacked its computer systems with malware through the summer of 2010, disabling a fifth of Iran’s centrifuges at the time.
In the case of the attack on the White House’s unclassified computer system, officials say no data was destroyed. “The activity of concern is not being used to enable a destructive attack,” Bernadette Meehan, the spokeswoman for the National Security Council, said Thursday. She would not say which country or hacking group was suspected of being behind the attack.
But there is evidence that the internal alarms at the White House were not set off — a sign of the sophistication of the attack. Instead, the United States was alerted by a “friendly ally,” one official said. That suggests the ally saw the results of the attack on a foreign network, perhaps picking up evidence of what data had been lifted.
Armond Caglar, a cybersecurity expert for TSC Advantage, a consultancy in Washington that focuses on these kinds of attacks, said the motive could be “to test what the security culture is, or to get valuable information about the security posture at the White House.”
But that posture is quite different for classified systems. He also said it could be to “prepare for more graduated attacks” against better protected networks, including SIPRnet, the classified system Chelsea Manning, formerly known as Bradley Manning, entered to turn over hundreds of thousands of documents to WikiLeaks in 2010.
Russian hackers — those working for the government and those engaged in “patriotic hacking” — are considered particularly stealthy. In several cases, security researchers have found evidence that hackers were probing the very core of victims’ machines, the part of the computer known as the BIOS, or basic input output system. Unlike software, which can be patched or updated, a machine whose BIOS has been infected with malware is often rendered unusable.
Researchers have also found that the hackers were remarkably adept at covering their tracks, using encryption to cover their tools, but their digital crumbs left no doubt that they were Russian. Their tools were built and maintained during Moscow working hours, and snippets of Russian were found in the code. Though researchers were unable to tie the attacks directly to the state, they concluded that Russian government backing was likely, given their sophistication and resources.
Since researchers uncovered the campaign last year, they say the attacks have become more aggressive and sophisticated.
Early last month, security researchers uncovered a separate Russian cyberespionage campaign that used a zero-day vulnerability — a previously unreported software bug in Microsoft’s Windows operating system — to launch cyberattacks on a long list of Russian adversaries. Among them: the North Atlantic Treaty Organization, European governments, the government of Ukraine, academics who focused on Ukraine, and visitors to the GlobSec conference, an annual national security gathering that took place last May in Slovakia and was largely dominated by the situation in Ukraine.
Then this week, researchers at FireEye, a Silicon Valley firm, released their work detailing a similar campaign by Russian hackers that also targeted NATO, and a long list of victims that included the governments of Georgia, Poland, Hungary, Mexico, Eastern European governments and militaries, and journalists writing on issues of importance to the Russian government.
“This is no smash-and-grab, financially motivated Russian cybercriminal,” said Laura Galante, the threat intelligence manager who oversaw the research at FireEye. “This is Russia using their network operations to achieve their key political goals.”