US: Hack of Federal Agencies 'Likely Russian In Origin' (apnews.com)
Top national security agencies in a rare joint statement Tuesday confirmed that Russia was likely responsible for a massive hack of U.S. government departments and corporations, rejecting President Donald Trump's claim that China might be to blame. The Associated Press reports: The statement represented the U.S. government's first formal attempt to assign responsibility for the breaches at multiple agencies and to assign a possible motive for the operation. It said the hacks appeared to be part of an "intelligence-gathering," suggesting the evidence so far pointed to a Russian spying effort rather than an attempt to damage or disrupt U.S. government operations. "This is a serious compromise that will require a sustained and dedicated effort to remediate," said the statement, distributed by a cyber working group comprised of the FBI and other investigative agencies. Russia has denied involvement in the hack.
in Soviet Russia... (Score:4, Funny)
Re: (Score:3, Insightful)
Re: (Score:1)
Actually no. I don't think Putin bothers himself with this nonsense. He simply lets his underlings be themselves.
Re: (Score:1)
That's what I meant actually. The fact you bothered to type it up so obviously in advance that you had it ready to paste almost immediately as a reply makes it so obvious to me that my allegation is 100% correct. And note that I never even alleged Putin was directly involved. You brought that part up. You overplayed your hand and gave it away. Pretty dumb, IMO.
Re: in Soviet Russia... (Score:2)
Wait, America is part of Soviet Russia now?
artful language (Score:1)
Re: (Score:2)
Actor might be a stretch... I imagine it's more like a voice actor, say, Paul Frees doing Boris Badenov.
Re: (Score:3, Informative)
Yes, "actor" in this context means an organization of unspecific headcount, anywhere from 1 to many. So they're not explicitly excluding the possibility of it being a lone rogue agent, but implying they think it's bigger than that.
Re:artful language (Score:5, Informative)
Actor is the term used to identify a hacker or group of hackers. The term, I believe, plays on the nature of theatre. As you said, the software attack can be considered the act or a series of acts. In one way the Actor is simply the one performing these acts, which we are ultimately attributing to human actions (as AI has not become sophisticated enough to be anything like Ghost in the Shell yet). However, more than this, an actor plays a role, so a hacking group could attempt to appear to come from another country, and I believe there are few nation states that do this, originating their attacks primarily from foreign IPs. Likewise, since it's often unclear if it's an individual or a group, actor encompasses the attacker as a "single entity", such that even if it's a group, they are acting in concert. In my mind, this only gets blurry when you consider groups like anon which perform more decentralized attacks and encompass many different actors (or hacking groups).
To attribute an attack to a group, it requires knowing the tool suites they use (e.g. the hallmarks of the code), the networks they utilize (e.g. IP addresses), and I believe a few other information sources. This can be non-trivial as tool suites can be leaked and then hacking groups utilize the tools that have the hallmarks of other nations. In particular a few tool suites the US and Israel use have been leaked.
All in all it's a really interesting "game", but one with a large amount of imperfect knowledge, making most educated guesses a little better than a coin flip...
Re: (Score:3)
The term I believe plays on the nature of theatre.
I don't recall any publication within the security company ever making a credible claim to that origin and backing it up.
I think it's simply the noun for the verb "acting", the same way "action" is. An actor simply acts, conducting an action.
Don't look for complicated answer if there's a trivial one right in your face.
To attribute an attack to a group, it requires knowing the tool suites they use (e.g. the hallmarks of the code), the networks they utilize (e.g. IP addresses), and I believe a few other information sources.
Most active groups have a modus operandi which can be identified. It's like bank robbers - there are certain steps that every bank robber must take, but not necessarily in the same order and t
Re: (Score:2)
I don't recall any publication within the security company ever making a credible claim to that origin and backing it up.
Because they aren't wordsmiths... the community embraced a term that had connotation and the two primary connotations that exist are the ones that I mentioned which are relevant in both ways. Notice once hackers are charged with crimes, they are generally no longer referred to as actors. Both the acts have been previously committed and are of record, and their identities have been fully revealed (unmasking).
I have never seen a computer science publication mentioning that FUBAR comes from military language.
Re: (Score:2)
Because they aren't wordsmiths...
First, that should have been "security COMMUNITY", of course.
Second - actually some of us are quite interested in correct terminology, ontology and other details of words.
In general though, yes ignorance is widespread among even the high-paid experts. How long did too many of our community seriously run around telling people to put special characters into their passwords?
mentioning that FUBAR comes from military language...
A lot of early software was in the military sphere, though. It might have simply jumped over from some code examples.
Re: (Score:2)
A lot of early software was in the military sphere, though. It might have simply jumped over from some code examples.
I agree. The term "bug" effectively comes from us via this route. However, that's kind of my point. Since our language uses syllabograms instead of logograms, there is a lot that is "adopted" in connotation between words. I have never heard a thorough debate on the etymology of "cool" meaning okay, but I find it highly likely that the adaptation comes from temperature relating to our comfort, which means the original meaning is adapted to a new context with connotation. Even languages with logograms seem to
Re: (Score:2)
Yes, language being what it is, words and meanings move around quite a bit. There's the whole area of etymology to follow the origins of words, but it rarely goes into those details on modern usage. We also have a lot more international travel and trade and a lot more speakers of languages who aren't native speakers, so I think this process is accelerated now compared to ancient times.
It's always interesting to look at words, though. I give lectures on risk management, and I start them off by looking at the me
More in that topic (can't say "bad guy") (Score:2)
Like you said, I've always understood the term as the way we refer to the person or group without typing out "the person or group". There are at least three reasons for that term that I'm aware of.
When you're investigating, you have to be very careful about identifying exactly which facts you know and not confuse known facts with assumptions. You have to be very clear and careful when communicating with your team about these things, and all communications may end up in court. Therefore you can't say "the
Re: (Score:2)
Lastly, we aren't just talking about hackers, so we can't say "the hackers".
It goes even beyond that. In the initial stages of an investigation, we sometimes don't even know if there actually is a person acting with malicious intent. Saying "actor" allows us to include forces of nature or users making mistakes.
Re: (Score:2)
That's true. At first, what you have is something that looks suspicious and / or a problem which may be caused by error.
I clicked your home page link and noticed your work on amplification of reflection attacks. I thought you might find this interesting. Wikipedia and some other large sites use a DNS server called PowerDNS. I discovered that you can DoS the DNS for Wikipedia and other sites with infinite amplification. By spoofing the source as one of the DNS servers and setting the destination as the ot
Re: (Score:2)
Yeah, that work is 20 years or something old now. I leave it up for historic purposes only.
Your attack is nifty. I like that. Though spoofing is becoming more and more difficult.
Re: (Score:2)
Part of the new speak that police started using. They never mention a suspect now as the person has become an actor.
Re: (Score:2)
No, the term actor in the sense of the person or group that did a particular action has been around since at least the 1500s.
Re: (Score:2)
They are not a suspect until they have been identified.
Until then, they are something else. You could call them actors or agents or individuals, but what's relevant is their action.
Re: (Score:2)
The announcement reads "This work indicates that an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for..."
What is an 'actor' in this context? Software performs actions, it acts, it is an actor. The software is likely Russian in origin, and we don't know what party or parties carried it out?
Or, is an actor a person or persons, and the intelligence agencies are saying that the Russians did it?
This is stupid terminology that's been floating around governments for years. It's linguistic turd polishing. What used to be "government hackers" or "criminal hackers" is now "threat actor".
Re: (Score:2)
No, the term "actor" carries fewer connotations than "hackers" or "criminals", so is the better term to use when you don't want to imply things that you don't yet know for sure.
Re: (Score:2)
This is stupid terminology that's been floating around governments for years.
Actor, origin Latin "agere" (do, act) -> Latin "actor" (doer, actor) -> Middle English "actor" (originally denoting an agent or administrator)
You could have googled "actor etymology" and then known what you were talking about. But you didn't, so you don't know what you're talking about. Congratulations! You done fucked up!
Re: (Score:2)
This is stupid terminology that's been floating around governments for years.
Actor, origin Latin "agere" (do, act) -> Latin "actor" (doer, actor) -> Middle English "actor" (originally denoting an agent or administrator)
You could have googled "actor etymology" and then known what you were talking about. But you didn't, so you don't know what you're talking about. Congratulations! You done fucked up!
I could call all the local stores "retail vending actors" and it would be similarly stupid linguistic turd polishing.
Re: artful language (Score:2)
Just admit that you have poor language skills so we can move on.
Re: (Score:2)
The software is likely Russian in origin
It is however 2 years old. I did a full analysis on my blog when this came out: https://www.fagain.co.uk/node/... [fagain.co.uk]
Executive summary:
Case A. Best case scenario. Someone is using Russian software they have gotten from somewhere. Captured, received via security info exchange, etc. Basically, someone is driving a trophy tank. Old, but still serviceable. We should open the bubbly.
Case B. Russia has had every single major USA agency including the NSA and CIA, most major NATO governments and their 3 letters h
Re: (Score:2)
If they had access to BND, the German department of Defence (both SolarWinds customers and both affected by the hack) as well as other parts of the German government, why the f*ck the Bundestag?
Goes to show, that someone using Russian tools is like someone using an AK47. They may have it straight from a Russian factory. Alternatively, they could have pilfered it from half of the world instead.
this quote (Score:4, Informative)
Trump tweeted that the “Cyber Hack is far greater in the Fake News Media than in actuality” and suggested without any evidence that China could be to blame.
ok, it is true that Trump says stuff without evidence. I want to know how the article missed that the joint statement was also presented without evidence.
Here is a link to the actual statement [cisa.gov]. Worth noting that they don't actually blame the Russian government (unlike the article and careless commenters), they say the hackers were "likely Russian in origin."
Re: (Score:2)
The difference is that Trump does not HAVE evidence, which is what the joint statement said. He is the President, not a forensic tech.
The joint statement was put out by the people that actually investigated and definitely have evidence. They have not publicly shown that evidence because a) it is rather technical and 99% of the world would simply have to take their word about it anyway b) showing their evidence publicly also publicly teaches the hackers the mistakes they made, and c) should they ever pros
Re:this quote (Score:5, Insightful)
Yes, until 4 years ago, you could trust the President to not make statements unless apolitical federal employees could back it up with evidence.
You have a short memory. Remember WMDs in Iraq?
Re: (Score:2)
Pretty sure the government lies go all the way back to G. Washington.
Or if we really want to remember, back to King Arthur. Vote for Mordred!
Re: (Score:2)
The scene was set ~14 billion years ago [slashdot.org]
Re: (Score:2)
Yes, until 4 years ago, you could trust the President to not make statements unless apolitical federal employees could back it up with evidence.
You have a short memory. Remember WMDs in Iraq?
Trump could learn a thing or two.
Leadership is about finding trusted subordinates and having them do the work.
Real Presidents don't invent the evidence, they have their Intelligence agencies invent it for them!
Re: (Score:2)
Trump could learn a thing or two.
[Citation needed]
Re: (Score:2)
The other difference is Trump has rather significant business interests in Russia. That's why he wants to "preserve" that business relationship by ignoring what's going on.
The problem is attacks are coming from Russia, China and North Korea
Re: (Score:1)
The problem is attacks are coming from Russia, China and North Korea
I think they're coming from Cleveland, Fort Lauderdale, and Barstow
Re: (Score:2)
That's right! People who want to get as close to power as possible without having to go through all that being elected nonsense. Wait, sorry, they're the ones at the top of the bureaucracy, the rank and file are just predominantly Democrats.
Re: this quote (Score:2)
Given that Russia has a lot of competent hackers and programmers in general, and that if you were to hack the US, OF COURSE you'd make it look like it came from a source they would just eat up, like Russia, we can safely assume it to be both true and completely useless.
That's like saying Sweden attacked you because the IP address belonged to ipredator.se's VPN. (That's the VPN service by the Pirate Bay guys.)
Re: (Score:1)
The axis powers that are China, Russia, and Iran are going to really fuck us badly.
:-) Got your panic meter dialed up to 11, eh? You should be more worried about the cat lady across the street.
Re: "Confirmed" "Indications" that it was "Likely" (Score:2)
Thank you. Their wording, that something is "likely" in the computer world, bothers the hell out of me: they don't know, they don't want to admit they don't know, and they don't want to admit that their systems were totally compromised. In the absence of, say, logs detailing from which group of IP addresses were behind the cracking (not hacking), it could be anyone, from Russian / Chinese crackers, to the 16 year old down the street who noticed the DoD was running an unsecured TFTP server somewhere on their
Re: "Confirmed" "Indications" that it was "Likely" (Score:5, Funny)
> it could be anyone, from Russian / Chinese crackers, to the 16 year old down the street who noticed the DoD was running an unsecured TFTP server somewhere on their network...
Indeed when you read a headline, that headline doesn't provide any evidence that you can use to determine much.
On the other hand, I spent most of the last three weeks analyzing this. My boss told me to put all projects aside and focus on nothing but this. He wanted me to apply what I've learned over the last two decades in the field.
Obviously, one can determine a lot more based on decades of professional experience than one can determine based on 4 seconds reading a headline. To get a taste of that, let's spend 3-5 minutes together taking a look at it. Let's see what you can determine about who might have done it if you spend 3-5 minutes.
The attackers moved extensively through many sophisticated organizations undetected. Doing so, they exploited several different types of systems, including Windows, Linux, and network devices without setting off any alerts. What does that tell you about who the attackers might be? A script kiddie? Nope. Just looking at the systems they got, in the organizations they got them, and how long they were there, the attackers have a broader range of skills than I do after 25 years of professional experience and study in the field. They stayed at it for months. This is clearly a team of professionals.
They got a foothold, an open door, in tens of thousands of organizations, and chose fewer than 1% to actually do anything with. Did they go after troves of PII, or embarrassing account information from Brazzers? Nope. Hundreds of thousands of credit cards from major merchants? Nope, they weren't interested in money either. The organizations they chose to go into are US government and defense related. That tells us something about the motive of these professionals, and therefore narrows down who they might be.
What did they DO after they completely owned US government networks? Sabotage, did they destroy things? Nope. Post political messages all over all of the government web pages, death to America stuff? Nope. They stayed quiet, damaged nothing, and just quietly pulled data from US government and defense organizations. In other words, espionage, spying is what they did.
Well it's probably been about three minutes or so, so our time is up. So far you know it's a team of highly skilled professionals whose purpose is to spy on the US government. That's a pretty short list.
If, like myself, you had several weeks to spend on it, and decades of background, you could probably figure out ways to narrow it down a bit more, don't you think? (If you couldn't, you'd suck at your job.)
Of course this isn't your job, so you're not supposed to be good at this. You're probably just generally smart enough, though, to realize that there aren't THAT many groups who are "a team of skilled professionals working to spy on the US government". Also you're probably smart enough to realize that when anyone in the entire security field works a case for a couple of weeks, they can figure out even more than what you can figure out in three minutes.
Re: (Score:2)
To be fair though, it is the AP. Can't really expect accurate, unbiased, information from them.
Re: (Score:2)
If they were clear on those facts, they wouldn't have been able to slip in the political jabs that make it seem like the intel agencies are calling Trump a liar.
That's not what's implied exactly here. What's implied is that Trump was wrong. Why he was wrong is left as an exercise to the reader, but you've made up your mind that they said things they didn't say because you're a biased reader.
Of course, we know that Trump has made repeated excuses for the Russians and taken Putin's word over our intelligence agencies, and we know that Trump's been banking with Russia, and we know that Trump got dropped by Deutsche Bank when it was revealed that he defrauded banks into
They dropped an intentional cyrillic character let (Score:4, Insightful)
They dropped an intentional Cyrillic character in a binary file somewhere, let me guess.
Our CIA tools for doing this and framing other nations were already leaked by Shadow Brokers ages ago... Can we really determine what nation dropped hacked binary blobs anymore after the discovery that nation-state actors poison them with fake Russian\Chinese\Korean\Arabic character sets?
Please.
Re: (Score:2)
Our CIA tools for doing this and framing other nations were already leaked by Shadow Brokers ages ago
Were they? I remember leaked tools, but I don't remember that drop.
Re: They dropped an intentional cyrillic character (Score:2)
They're in my leak archive.
This is why you don't leave stuff in the "cloud", boys and girls!
Sign (Score:1)
Where is the proof?
Re: Sign (Score:2)
You're bringing a knife^Wlogic to a gun^Wemotions fight.
Re: (Score:2)
Aren't inhabitants of the USSA getting tired of this 'Russians' thing?
Yes. I am tired of our intelligence agencies telling us it's Russians, and our president telling us it isn't when he's in bed with the Russians both figuratively and literally.
Sick of the bias! (Score:2)
Here's why including it is complete bullshit - "The statement represented the U.S. government's first formal attempt to assign responsibility". So, they threw in a line to say, "Trump guessed wrong", but phrased it to convey their own private opinion instead of any fact. That's bad journalism, but good propaganda.
I'm appalled by how many people fall fo
Re: (Score:2)
That's why i rely on Forensic Journalism - like Wikileaks.
Between the Snowden releases and the Vault releases we know many of the methods used in intrusions, whereas before it was mostly what we had observed and what we suspected (and what idiots called conspiracy theories).
Re: (Score:2)
Why include the meaningless line, "rejecting President Donald Trump's claim that China might be to blame"? That is extraneous, irrelevant, and biased.
It's not biased, as it is factual. It's not irrelevant, because Trumpanistas still believe that China is to blame. It's not extraneous for reasons which would be obvious to anyone not trying to come up with an argument against, but since you need it spelled out for you, it's because the president has claimed that someone else is responsible despite every intelligence agency telling him otherwise.
So, they threw in a line to say, "Trump guessed wrong", but phrased it to convey their own private opinion instead of any fact.
It's a fact that Trump claimed that China was the likeliest party behind the hacking attempts, even after he was
Governments of the world: (Score:2)
I get you spy guys need something to do. Please devote your attention to criminals trying to steal money and trade secrets before some madman decides to start a real shooting war.
IT Security Pros say... (Score:2)
...this is just another line in a long line of bullshit assertions.
Anyone who read the Wikileaks Vault releases knows that the C.I.A. (and therefore others) have stolen tools from various other intelligence agencies and ROUTINELY use those tools to obfuscate that the attacks are being performed by the C.I.A., so they can be attributed to the makers of those tools, and ALWAYS using systems that have been hijacked, or VMs that have been rented from providers.
Yesterday I had to block off targeted attacks from t