The Washington Post

The Cybersecurity 202: Why a hacking operation by a proto-state in Ukraine could spell trouble for the U.S.

April 17, 2019 at 7:28 a.m. EDT

THE KEY

The Luhansk People’s Republic, a region that has claimed independence from Ukraine with the backing of Russia’s military, isn’t recognized by the United States, the European Union or NATO. But it has a hacking army and it’s targeting the Ukrainian government and military, according to new research from the cybersecurity company FireEye.   

This is probably the most extreme case to date of an ultra-small group targeting a national government with a sophisticated hacking operation, John Hultquist, FireEye's director of intelligence analysis who co-wrote the report, told me.

And it could usher in a new era of small nations or nonstate actors developing sophisticated hacking operations, he said. That could mean a big headache for the United States and other global powers, which will have to defend themselves against a new slate of digital adversaries.

“We’re focused on the big players … and for good reason,” Hultquist said. “But we should bear in mind that if this small substate can put together a [hacking] capability, then anyone can.”

The major hacking powers the United States considers adversaries are Russia, China, Iran and North Korea — all of which have developed extensive capabilities and launched major, successful cyberattacks against U.S. targets in government and industry.

A small nation or nonstate group is highly unlikely to be able to pull off a major hack, such as Russia’s breach of the Democratic National Committee or China’s alleged theft of millions of background checks from the Office of Personnel Management, Hultquist said. But that doesn’t mean they couldn’t do serious damage.

“[Hacking] is an asymmetric capability,” Hultquist said. “Those groups may not be sufficiently advanced to cause a major threat to the U.S. government, but they may be sufficiently advanced to cause a threat to U.S. interests, to U.S. companies or to U.S. allies.”

Cybersecurity companies have identified hacking groups that might be linked to the militant Palestinian group Hamas that controls Gaza, for example. Those groups have launched malware campaigns at Israeli government targets and a rival Palestinian faction -- and they could easily turn their attention to the United States, Hultquist said. Or smaller nations, such as Cuba and Venezuela, could turn to hacking to retaliate against the United States over diplomatic disputes, he said. 

“New state actors are going to be significantly drawn to this practice and other substate actors will develop capabilities,” he said.

In the case of the Luhansk People’s Republic, the operation included a mix of hacking tools the group developed and tools it bought off the shelf.

The operation might have launched as far back as 2014 when the region first broke off from Ukraine, FireEye found. The most recent set of emails loaded with malware that FireEye found included phony pitches for technology to clear landmines. 

FireEye didn’t find clear evidence the hackers successfully penetrated Ukrainian government or military networks but, given they kept at it for so long, it’s likely they were having at least some success, Hultquist said. The company also didn’t find evidence the Luhansk group was assisted by Russia, he said.

Ukraine has been a testing ground for new hacking trends and techniques since 2014, which often eventually make their way outside the region, Hultquist said.

“It’s created this consistent battle rhythm of activity that we’d never seen before,” he said. That activity is mostly driven by Russian hacking groups that perfect their techniques in Ukraine before launching them elsewhere, he said.

PINGED, PATCHED, PWNED

PINGED: A mysterious operative spent several months last year gathering intelligence from critics of the Russian anti-virus company Kaspersky Lab while ostensibly organizing a cybersecurity conference, the Associated Press’s Raphael Satter reported.

Here are comments from Keir Giles, a Russia expert at London’s Chatham House, who described to Satter an awkward meeting with the operative Lucas Lambert: “He was drilling down hard on whether there had been any ulterior motives behind negative media commentary on Kaspersky. The angle he wanted to push was that individuals — like me — who had been quoted in the media had been induced by or motivated to do so by Kaspersky’s competitors."

Kaspersky declined to comment to the AP about whether it had any connection to the operative. Congress banned Kaspersky from U.S. government computer networks in 2017 over concerns about Kremlin spying. Kaspersky has consistently denied assisting the Russian government.

Obama White House cybersecurity coordinator Michael Daniel was among Lambert’s targets, Satter reported, though it’s unclear if Daniel ever met with Lambert.

Here’s more from Satter: “The AP could find no evidence of the existence of the firm Lambert said he worked for, Tokyo- and Hong Kong-based NPH Investments. Research by Citizen Lab, an internet watchdog group based at the University of Toronto’s Munk School, suggests the Lucas Lambert operation is linked to an almost identical one involving a man calling himself Michel Lambert. Michel’s bungled attempt in a Manhattan restaurant to entrap John Scott-Railton, a senior researcher at the lab, was caught on camera by AP reporters two months ago.”

PATCHED: A new streamlined process for launching offensive hacking operations under the Trump administration has yielded “operational success,” federal Chief Information Security Officer Grant Schneider said Tuesday, Cyberscoop’s Sean Lyngaas reported.

Schneider declined, however, to detail what those successes were during an address hosted by the Intelligence and National Security Alliance, Sean reported.

Administration officials including national security adviser John Bolton have touted the new rules of engagement as an about-face from Obama-era timidity in cyberspace. What little is known about recent offensive operations, however, suggests cyberwarriors are still acting quite cautiously, wary of slipping into an escalating tit-for-tat hacking exchange with an adversary.

Also during the INSA event, Schneider offered new details about the program the government uses to decide whether to alert companies about newfound digital vulnerabilities in their products or to hold onto those vulnerabilities so intelligence agencies can hack adversaries.

Schneider also confirmed that the White House put digital defensive measures in place before labeling Iran’s Islamic Revolutionary Guard Corps a terrorist organization, per Politico’s Martin Matishak:

PWNED: U.S. government officials are urging allies to steer clear of China’s Huawei over digital spying concerns, but a major U.S. telecom — AT&T — relies heavily on Huawei technology in Mexico, the Wall Street Journal’s Drew Fitzgerald reports.

“Huawei boxes sit atop cellphone towers across Mexico, where AT&T is the No. 3 provider in terms of wireless subscribers,” the Journal reported. “The Dallas company inherited much of its Mexican gear through acquisitions, though executives say it also has used the Chinese supplier to upgrade its 4G network in recent years.”

U.S. officials haven’t asked AT&T to remove the Huawei gear, a spokesman told the Journal.

“When we upgraded our Mexico network to 4G LTE, we replaced Huawei in our data core network with equipment from the same suppliers we use in the United States, because it gave us consistency in design and scale in purchasing,” the spokesman said. “We expect to harmonize our networks in the same way when we upgrade to 5G in Mexico.”

PUBLIC KEY

The cybersecurity company Fortinet has agreed to pay $545,000 over claims it illegally sold the U.S. military Chinese technology disguised as American equipment, the Justice Department announced.

Here are details from Cyberscoop’s Jeff Stone: “Fortinet acknowledged that an employee responsible for supply chain management altered labels on products to make them appear compliant with the Trade Agreements Act, a law prohibiting federal agencies from acquiring products in specific countries. The unnamed employee directed others at Fortinet to include the phrases ‘Designed in the United States and Canada’ or ‘Assembled in the United States’ before those products were sold to distributors and resellers who resold the technology to the government.”

“Contractors that supply the U.S. Government with Chinese-made technology will be pursued and held accountable when violating the Trade Agreement Act,” Bryan D. Denny, the Defense Criminal Investigative Service special agent in charge, said in a statement.

More cybersecurity news from the public sector:

Gina Haspel Relies on Spy Skills to Connect With Trump. He Doesn’t Always Listen. (New York Times)

Moscow Server Hosted WikiLeaks and Iran’s Hackers Weeks Apart (The Daily Beast)

Class in Session for Federal Cyber Reskilling Academy (Nextgov)

PRIVATE KEY

Cybersecurity news from the private sector:

Security flaw in EA’s Origin client exposed gamers to hackers (TechCrunch)

THE NEW WILD WEST

Cybersecurity news from abroad:

Russian lawmakers approve new Internet law (Reuters)

Ecuador says hit by 40 million cyber attacks since Assange arrest (AFP)

Experts: Breach at IT Outsourcing Giant Wipro (Krebs on Security)

CHAT ROOM

Kim Dotcom, the creator of a controversial file-sharing service called MegaUpload who is trying to avoid being extradited to the United States on copyright infringement charges, has an idea about how to communicate securely online:

Information security Twitter disagrees. Here's from Axios's Joe Uchill:

From Ars Technica's Sean Gallagher:

And from the Electronic Frontier Foundation's Eva Galperin: