Conspiracy theories. Carders in the service of the state.

Father


Julian Assange has said that he considers Hillary Clinton his personal enemy, which is why he helped the Fancy Bear hackers publish documents stolen from the US Democratic National Committee.

Conspiracy theorists among Western officials and security experts have recently been actively discussing Russian hackers who allegedly carry out orders from the Russian government. Is there really a cyber army in Russia, or is it a fiction? Who is engaged in cyber espionage and digs up dirt on American politicians?

The beginning of the cyber war. Stuxnet

Cyber warfare, confrontation in cyberspace, is one form of information warfare. Traditionally, the Americans are strong on this front. It is considered almost certain that the famous Stuxnet computer worm was part of a secret hacking operation launched by Western countries, sanctioned at the highest level, that is, by the US President.

In June 2012, David Sanger's book "Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power" was published; it has been called a must-read for its detailed description of how the US uses its power outside the country. David Sanger is a well-known journalist, a two-time Pulitzer Prize winner, Washington bureau chief of the New York Times and a member of the Council on Foreign Relations, so his sources can be trusted.

In the book, the author reveals the details of Operation Olympic Games, which was conducted by the United States and Israel against the Iranian nuclear program. Part of this operation was the Stuxnet worm, which was supposed to prevent Iran from developing nuclear weapons.

Stuxnet is the first known computer worm that intercepts and modifies the information flow between Simatic S7 programmable logic controllers and Siemens Simatic WinCC SCADA workstations. Its uniqueness lies in the fact that, for the first time in the history of cyber attacks, a virus physically destroyed infrastructure by making small changes to the operating mode of uranium enrichment centrifuges.

The virus exploited four vulnerabilities in Windows, including one 0day, and spread via USB drives. The presence of real digital signatures (two valid certificates issued by Realtek and JMicron) helped it remain unnoticed.

The book "Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power" describes meetings with President Obama at which the implementation of Stuxnet was reported on in detail. The President kept his finger on the pulse: he was informed of progress and approved each new stage. The author describes the meetings in the so-called control room based on the accounts of witnesses who took part in them directly.

Operation Olympic Games could have remained forever unknown to the general public, probably like many other secret US cyber operations, if not for one slip. As sometimes happens, the problem was caused by a developer error. In the summer of 2010, because of a programming mistake, the program escaped the confines of Iranian systems and began to spread on the Web in search of Siemens P-1 centrifuges; on June 17, 2010, it was first reported in the press by specialists from the Belarusian antivirus company VirusBlokAda. According to available information, the error was in the second version of the program, which was written by Israeli colleagues independently of the Americans.

The author of the book writes that the first version of Stuxnet was written under former President George W. Bush by American experts in close cooperation with specialists from the Israeli army. The program had a specific goal: to find Siemens P-1 centrifuges, which are used to enrich nuclear fuel, and physically disable them. This was done by unexpectedly reducing or increasing the rotation speed of the centrifuges until they eventually broke down. The operation was reportedly a significant success: the number of uranium enrichment centrifuges was temporarily reduced from 5,000 to 4,000, and Iran's nuclear program was set back by one and a half to two years. At the same time, the authors of Stuxnet managed to cover their tracks, so that Iranian experts attributed the incident to mechanical problems with the equipment.

The goal of creating Stuxnet was a peaceful solution to the problem — the Americans were very afraid that Israel would decide to bomb Iranian nuclear facilities, and then the conflict could get out of control.

After the discovery of Stuxnet, the Iranian authorities significantly tightened the protection of their IT infrastructure and began to talk about completely isolating the country from the Internet. After capturing an American drone, they even ostentatiously claimed to have hacked it — this was done in retaliation against the Americans, to demonstrate the capabilities of local Iranian hackers to them.

Apparently, Operation Olympic Games is the first time the United States purposefully attacked the infrastructure of another state using cyber weapons. This case can officially be considered the beginning of a new global cyber war involving many major countries.

Chinese Army

China generally does not hide the existence of its state hacker units, which are no secret to anyone. In 2015, a new Chinese military doctrine was published that explicitly spelled out three types of existing units:
  1. Specialized military forces for online combat: designed to conduct defensive and offensive operations.
  2. Groups of specialists from civilian organizations authorized by the military leadership to conduct network operations. Among the "civil organizations" are the Ministry of State Security and the Ministry of Public Security.
  3. "External actors" that can be organized and mobilized for network operations.

Previously, details of the work of the so-called Unit 61398 (Shanghai), which is part of the People's Liberation Army of China, were published in the public domain. It is one of the divisions that specializes in cyber operations and is engaged in computer espionage and sabotage, mainly in English-speaking countries.

Mandiant's study confirmed that the APT1 hacker group probably operates with government support. During the monitoring period, APT1 systematically stole information from the corporate servers of 141 organizations; hundreds of terabytes of files were stolen in total. In 97% of the 1,905 recorded attacks, the hackers used Shanghai IP addresses and computers with a Simplified Chinese system layout. The size of the APT1 organization suggests dozens or hundreds of participants, and Mandiant specialists managed to identify three of them. There were several cases where Chinese hackers logged in to their Facebook and Twitter accounts, which is impossible from behind China's firewall, and this made it easier to establish their identities.

Below is a screencast from the computer of one of the Chinese hackers, who goes by the nickname Doda, showing the contents of his mailbox and the programs he uses.

Another employee of hacker Unit 61398, who was deanonymized by Mandiant specialists, says in his personal blog that he was recruited immediately after graduating from university in 2006. One of his first tasks was to adapt the Back Orifice 2000 RAT so that it would not be detected by antivirus programs. He successfully bypassed the protection of McAfee, Symantec and Trend Micro, but could not cope with Kaspersky.

Wang Tong described another task: to write a virus that automatically detects any USB device connected to the computer and secretly copies all the files from it. The task was completed successfully and the boss was satisfied, Wang writes.

"These are not elite superhackers," said IT security specialist Richard Mogull in a comment for the LA Times. "Some people want to demonize these guys, but they are just front-line soldiers doing a job for their country; they are not villains."

Russia defends its hackers

It would be strange to assume that, with American and Chinese cyber units so active, Russian hackers would remain on the sidelines. According to some experts, it is in Eastern Europe that the most advanced, numerous and professional hacker scene has formed. The problem is that for a long time its representatives were interested in money, not politics.

It all started in the 90s, when millions of highly educated programmers simply had nothing to apply their skills to. There were no high-paying jobs in the country that matched their qualifications. At the same time, conditions were very favorable for making good money from carding, extortion and hacking Western online stores. Those conditions were:
  • Computer illiteracy of the national police (in the 90s).
  • Lack of relevant articles in the Criminal Code (after their appearance — leniency of sentences for computer crimes).
  • Protection from extradition.

On extradition: Russia has never handed over its hackers to the United States, even after the most high-profile crimes. So the Americans have had to lure them out in clever ways, for example with a supposed job offer, as with the programmer Dmitry Sklyarov of the hacker company Elcomsoft, who broke the protection of e-books in Adobe PDF format.

Or by making arrests in friendly countries that the hacker happened to visit, as happened on October 5, 2016 in Prague with the detention of Yevgeny Nikulin, who in 2012 hacked LinkedIn and obtained the data of 167 million user accounts, which later ended up on the Internet.

Nikulin's detention (operational footage from the Prague police)

It is important to note that even after Russian hackers are detained abroad, Russia takes diplomatic, and not only diplomatic, steps to free them. For example, immediately after Nikulin's detention, the LinkedIn website was blocked in Russia; ironically, the stated reason for the block was a leak of private data, even though that leak was precisely the fault of a Russian hacker. The Americans, at least, should take the hint. For LinkedIn, it is easier to drop its claims against Nikulin than to be blocked in a country with tens of millions of users.

"In general, the situation around Yevgeny Nikulin confirms the line of Washington, which has organized a 'hunt' for Russian citizens around the world and imposes its jurisdiction on other states. We insist on transferring Nikulin to the Russian Federation. The Russian side hopes that Prague will take all possible measures for an unbiased settlement of the issue," said Alexey Kolmakov, a representative of the Russian Embassy in the Czech Republic.

Based on the experience of previous cases, when the powerful state machine of the Russian Federation was brought in to prevent the extradition of Russian hackers, we can assume that this time too the Russian diplomats will succeed. Moreover, LinkedIn itself should already be on their side.

In the service of the State

In recent years, the Russian hacking scene has undergone some changes. Anti-American propaganda has had some success.

According to some security experts, it is Russian "state" hackers who are involved in many major recent hacks, including the cyberattack on the US Democratic National Committee.

Fancy Bear symbol

The investigation of the cyberattack on the US Democratic National Committee was conducted by independent experts from CrowdStrike. According to them, two groups of Russian hackers managed to break into the information system: Cozy Bear (CozyDuke, or APT29) and Fancy Bear (Sofacy Group, or APT28). The Cozy Bear group gained unauthorized access to the information system in the summer of 2015, and Fancy Bear in April 2016.

Julian Assange agreed to publish the stolen data on the Wikileaks website. According to him, in this way he wanted to prevent Hillary Clinton from winning the presidential election.

Could hacker attacks affect the presidential election results? At the time, Assange's statements were considered eccentric. Hillary Clinton was leading in the opinion polls, and it was absolutely impossible to imagine that hacking mailboxes would weaken her position so much that a person like Donald Trump could be elected president.

No one believed it…