Cyberwar Has Gone Public, and That's Dangerous
Compared with the alleged Russian hacks of the Democratic National Committee and other U.S. targets, another important cybertheft that has also been tentatively attributed to Russia is getting far less attention. The revelations are much less titillating than those that have made headlines recently -- they aren't even understandable to most people -- but they may be part of the same cyberwar, one whose rules seem to be changing.
By now, we assume that everyone hacks everyone and that security is essential for any organization in possession of confidential information. But lately, the war hasn't been just about spying. Bragging rights and publicity have become important too. A hacker group (often assumed to be a proxy for the Russian state these days) acts like a bunch of swaggering kids. The U.S. responds with threats and denunciation. It may seem heady material for a second-rate spy novel, but the more public cyberwar is also deadly serious.
On Thursday, a group calling itself Shadow Brokers announced it was "going dark" after failing to attract buyers for a huge cache of what is widely believed to be National Security Agency malware. Shadow Brokers revealed that they were in possession of the stolen hacking tools in August, just as the DNC emails were being leaked by someone calling himself Guccifer 2.0. They claimed they'd hacked a hacker outfit referred to as Equation Group. Kaspersky, the well-regarded Moscow-based cybersecurity company, linked Equation Group to the National Security Agency. The list of Equation Group's targets was one of the giveaways: Iran, Russia, Pakistan, Afghanistan, India and China. All countries the NSA would have an interest in.
In terrible English, Shadow Brokers announced they were auctioning the spoils of their hack -- Equation Group's "cyber weapons." "We give you some Equation Group files free, you see," they wrote. "This is good proof no? You enjoy!!! You break many things. You find many intrusions."
The proof seemed good indeed. Kaspersky analyzed the sample malware and found that its developers had used a specific implementation of an encryption algorithm that had previously been found only in Equation Group software.
Some U.S. security researchers quickly assumed Shadow Brokers were Russian. It was essentially guesswork, but it made certain sense. "Were I betting, I would bet Russia," security technologist Bruce Schneier wrote, "and that it's a signal to the Obama Administration: 'Before you even think of sanctioning us for the DNC hack, know where we've been and what we can do to you.'"
Edward Snowden, whose revelations made the cyberwar era public, shared that opinion. He tweeted up a storm when Shadow Brokers revealed their catch, saying, among other things, that "circumstantial evidence and conventional wisdom indicates Russian responsibility." Snowden also pointed out that releasing stolen cyberweapons into the public domain was highly unusual and that it was likely "more diplomacy than intelligence, related to the escalation around the DNC hack."
If indeed Russia is behind Shadow Brokers, the U.S. didn't heed the coded warnings. Instead, the "Russian election hack" story was whipped up into a frenzy by anonymous leaks and, most recently, by two unclassified and scantily detailed reports from the intelligence community.
On Thursday, Shadow Brokers staged a dramatic exit. Adopting a different kind of broken English from the one used in their initial message, the group released more samples from their cache and wrote that they were disappearing as their main purpose, earning bitcoins for their cache, had failed so far.
On the same day, the Guccifer 2.0 persona reappeared after a long silence with a bizarre message claiming, not for the first time, that Guccifer 2.0 had nothing to do with Russia and accusing U.S. intelligence of "deliberately falsifying evidence."
Since the U.S. failed to heed the putative warning delivered through the Shadow Brokers dump and firmly chose to believe that Russia was behind Guccifer 2.0, there is no logic to the former's door-slamming and the latter's re-emergence. Security researcher Matt Tait tweeted about Guccifer 2.0:
This kind of disorientation appears to be the goal of whoever is behind the activity. If all this is the handiwork of Russian intelligence services, they are using a number of carefully constructed public personae to communicate with the public, each with a specific style and even a specific set of typical mistakes in their English usage, and each with a hacker's typical disdain for website design. This appears meant to create the impression of a number of discrete hacking groups or lone hackers bragging about their exploits.
The approach the U.S. has adopted in response is the exact opposite: It has "government" written all over it, from the ominous leaks to major news organizations to the refusal to reveal anything about sources and methods and the promises to retaliate in an undisclosed way.
The resulting visual is of a cop chasing a bunch of colorfully dressed punks. It's easy to lose sight of what's actually going on. Both sides in this particular battle of the cyberwar appear to have a good understanding of each other's tools and methods. The tools that have been revealed and analyzed so far are meant for intelligence gathering, not the disruption of critical infrastructure. They have been used quietly for years, evolving to fit expanding needs and to beat new defenses. Now that knowledge is in the open, used for threats and innuendo-filled media reports. This is no longer cyber-espionage; it's a publicity war.
Just like conventional war and conventional spying, the cyberwar needs recognizable rules of engagement. Those rules will probably emerge after a while as a signaling system develops between intelligence agencies, who can then "go dark" again. In the meantime, both sides can wreak a lot of political havoc; but in this asymmetric war, a democracy is possibly the more vulnerable.
This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners.
Author: Leonid Bershidsky
Editor: Therese Raphael