Earlier this week I conducted a follow-up discussion with an industry colleague about global cyber attack activity, specifically related to Russia and the situation in Syria. It was a valuable conversation so I want to share my thoughts on the topics we debated.

Our dialog began with a simple query: will Russia escalate its cyber attacks against the United States in retaliation for the military response the U.S. took against Syria after Assad’s chemical weapons attack against its very own citizens?

This is an interesting question for a few reasons. The chief issue with this specific question, and with discussions surrounding this topic in general, is that there is no agreed-upon, clear definition of what exactly constitutes a cyber attack. There is no way to answer the question before defining the term. So let's start there.

Is a cyber attack defined as the mere exploitation of a vulnerability, and subsequent acquisition of access to a target network? Does an actor need to perform some malicious activity after obtaining access before the compromise is considered an attack?

In the context of the electric power industry, is attacking the power grid and causing an outage, as happened in Ukraine in December 2015 and December 2016, the demarcation line between what is and is not a cyber attack? Is sending phishing emails with malicious attachments, ultimately leading to a foothold in a network for potential use later, a cyber attack?

This is where the media, the security industry, governments, and individual professionals tend to disagree on terminology. I feel it is important to dissect the words to better understand the original question. Of the two cases above, I would argue the latter, a phishing campaign resulting in mere command-and-control capability on a network, is not a cyber attack. It most definitely is a network breach. I would call it network exploitation or an offensive cyber operation, but not necessarily a cyber attack. Generally it is part of a much larger, potentially multi-faceted campaign, but breaching a network by itself is not a cyber attack.

Just as breaking into a vehicle does not by itself establish intent to steal the car, remotely accessing a network is closer to breaking and entering or trespassing. There may be intent to steal intellectual property, disrupt network operations, surveil, enlist hosts in a botnet, or carry out a host of other activities that potentially rise to the level of a cyber attack. But mere access to a network does not establish the actor's intent.

Now back to the original question about the possibility of Russia increasing cyber attacks against the United States in retaliation for the airstrikes in Syria.

I do not believe Russian cyber attacks will increase as a direct result of the U.S. military action in Syria. While Russia is likely not pleased with the airstrikes, there is no specific strategic reason for a cyber response from Russia. United States critical infrastructure is already reported to have been targeted by Russia on multiple recent occasions, most recently by leveraging a major Cisco router vulnerability.

Russia has already demonstrated sophisticated cyber operations capability, with the potential to compromise deliberately chosen targets in the United States. However, it has yet to demonstrate malicious intent. For the moment it has simply conducted a show of force, signaling its strength. This is the military equivalent of sending an aircraft carrier with an air wing aboard, accompanied by a battle group, off the coast of Russia. It suggests power and superiority.

It is unlikely Russia will currently attempt any cyber attack leading to major damage or disruption. In the short term it will continue to pursue network access, especially to strategic targets within critical infrastructure, but anything beyond that is doubtful.

On the one hand, Russia has a high degree of cyber sophistication. Hypothetically, the Putin regime may explore false flag operations against the United States, but if such an attack were ever unequivocally attributed to Russia it may not end well. Although, in this era of crying fake news left and right, even indisputable evidence of a Russian plot may not be convincing.

On the other hand, Russia could directly attack the United States. The problem with this approach is U.S. policy on response. A cyber attack does not necessitate an in-kind response. Just because an adversary uses the cyber domain to attack, the United States does not limit its response to the same domain.

Put another way, if the U.S. is the victim of a major nation-state-backed cyber attack, it will likely respond kinetically. The U.S. government has stated on multiple occasions that it retains the option to respond with military force if it determines a cyber attack exceeds a damage threshold that has not yet been publicly defined. Expect bombs to be dropped, missiles to be launched, or troops to be engaged if the U.S. feels its sovereignty has been attacked.

Putin is most certainly cognizant of this, and is leveraging the ambiguity cyberspace offers to continue conducting operations and demonstrating Russian nation-state capability. These minor operations will continue in the short term, but I find it hard to believe an actual attack will occur in the near future. Russia most assuredly does not want a traditional conflict with the United States. It will continue to pick at the proverbial scab as long as there are no repercussions.

Expect Russian cyber exploitation to remain in the news cycle for the foreseeable future. Awareness of this threat is an important factor in ensuring U.S. government agencies, critical infrastructure, and businesses are prepared for the possibility of an attack. Resilient, proactive defensive measures and situational awareness will go a long way in limiting risk and exposure for the attack that will, in all likelihood, materialize at some strategic time in the future.

The New York Times has an interesting story about a cyber attack against a petrochemical plant in Saudi Arabia seemingly meant to sabotage its operations and potentially trigger an explosion:

A team at Schneider Electric, which made the industrial systems that were targeted, called Triconex safety controllers, is also looking into the attack, the people who spoke to The Times said. So are the National Security Agency, the F.B.I., the Department of Homeland Security and the Pentagon’s Defense Advanced Research Projects Agency, which has been supporting research into forensic tools designed to assist hacking investigations.

All of the investigators believe the attack was most likely intended to cause an explosion that would have killed people. In the last few years, explosions at petrochemical plants in China and Mexico — though not triggered by hackers — have killed several employees, injured hundreds and forced evacuations of surrounding communities.

What worries investigators and intelligence analysts the most is that the attackers compromised Schneider’s Triconex controllers, which keep equipment operating safely by performing tasks like regulating voltage, pressure and temperatures. Those controllers are used in about 18,000 plants around the world, including nuclear and water treatment facilities, oil and gas refineries, and chemical plants.

“If attackers developed a technique against Schneider equipment in Saudi Arabia, they could very well deploy the same technique here in the United States,” said James A. Lewis, a cybersecurity expert at the Center for Strategic and International Studies, a Washington think tank.

Schneider Electric's Triconex safety controllers are reportedly designed so that their logic can only be modified with physical access, not over a network interface. If that is in fact the design, why would there be any worry about a potential physical explosion? No malware should be able to push a modification to the Triconex system unless there is a missing link. One candidate for that link is the controller's physical key switch, which must be turned to a programming position before new logic can be loaded; if it is left in that position during normal operation, the physical-access protection is no longer in force.

It is possible the attackers studied Triconex so thoroughly that they located a bug Schneider Electric is unaware of, one that could force other components to relay commands affecting the safety controllers. If so, the culprit is likely an extremely sophisticated actor backed by deep resources. Only a limited number of nation states have these advanced capabilities and the funding to purchase expensive equipment like this for the sole purpose of bug hunting.

Security experts said Iran, China, Russia, the United States and Israel had the technical sophistication to launch such attacks. But most of those countries had no motivation to do so. China and Russia are increasingly making energy deals with Saudi Arabia, and Israel and the United States have moved to cooperate with the kingdom against Iran.

That leaves Iran, which experts said had a growing military hacking program, although the Iranian government has denied any involvement in such attacks.

Tensions between Iran and Saudi Arabia have steadily escalated in recent years, and the conflict has drifted online.

Iran is the nation state with arguably the strongest motive to physically attack Saudi Arabia. Leveraging this type of cyber attack to do such damage would make attribution exceedingly difficult, so with no conclusive evidence to support any claims, chances are no public pronouncement of responsibility would ever be made.

So how did the hackers get in? Investigators found an odd digital file in a computer at an engineering workstation that looked like a legitimate part of the Schneider controllers but was designed to sabotage the system. Investigators will not say how it got there, but they do not believe it was an inside job. This was the first time these systems were sabotaged remotely.

The only thing that prevented significant damage was a bug in the attackers’ computer code that inadvertently shut down the plant’s production systems.

You can bet the attackers will not make the same mistake twice, assuming their actual intent was to cause physical disruption.

Dark Reading discusses how nation-state cyber attacks appear to have adopted the Russian “Maskirovka” military doctrine:

Positively identifying the actual threat group behind a cyberattack as well as its true intentions is getting harder than ever as nation-state hacker groups out of North Korea and Russia, for example, in 2017 employed tactics typically used by their cybercriminal counterparts, and vice versa. In May of last year, North Korea’s massive ransomware campaign WannaCry at first appeared to be the handiwork of traditional financially motivated hackers, while Russia’s data-destruction attack via NotPetya initially presented itself as a pure ransomware attack.

The cloak-and-dagger feature of NotPetya, for example, reflects a Russian military doctrine called “maskirovka,” which is all about deceiving and confusing the victim, while also hiding the actual intent of the operation, according to CrowdStrike. “Although NotPetya was eventually revealed to be a wiper, the veneer of ransomware delayed this initial assessment,” the security firm wrote in its new Global Threat Report published this week, which analyzes findings and trends from its incident response investigations and data from its cloud-based Falcon endpoint detection system in 2017.

The destructive NotPetya attack was a data-wiping campaign against Ukraine that also hit companies in the US (Merck and Federal Express), Russia’s top oil company Rosneft, Danish shipping giant A.P. Moller-Maersk, Russian metals manufacturer Evraz, as well as Ukraine’s Boryspyl Airport. In rare public attack-attribution statements, the US, UK, Canada, New Zealand and Australia, this month all pointed the finger at Russia as the culprit.

In the context of military operations, cyberspace is still relatively new compared to the traditional domains of land, sea, and air. As a result of this immaturity, it is only natural for nations to iterate and for their strategies to evolve. What we saw ten years ago is not what we are seeing today, and will not be what we see ten years from now.

The Russian “Maskirovka” doctrine is far easier to pull off in a cyber attack than in a kinetic one. It should come as no surprise to see nation states attempting to deceive forensic efforts to attribute an attack to a specific actor.

Put differently, the idea behind “Maskirovka” is the basis for conducting a false flag operation: a malicious actor frames a different group for an attack, to thwart attempts at discovery while deceiving and confusing the intended target(s). Once again, cyber attacks make it far easier to pull off a false flag successfully because of how these attacks are executed, with tooling, infrastructure, and tradecraft that can all be borrowed from or made to resemble another group's.

Vice reports on a new automated toolkit that aggregates multiple tools into a single application to make finding and breaching vulnerable devices far easier:

In short, AutoSploit simply brings together several different tools and workflows for hackers into one package. Usually, a hacker might have to find a server or other target; check whether the target is vulnerable to whatever exploit they may have; and then deliver the attack successfully.

AutoSploit on the other hand, combines Shodan, a sort-of search engine for internet-connected devices, and Metasploit, a well-known penetration testing tool for executing exploits.

“Basically you start the tool, and enter a search query, something like ‘apache’,” Vector told Motherboard in a Twitter message, referring to the popular web server software. “After that the tool uses the Shodan API to find boxes [computers] that are described as being ‘apache’ on Shodan.”

“After that a list of Metasploit modules is loaded and sorted based on your search query; once the appropriate modules are selected it will start running them in sequence on the list of targets you acquired,” they added.

This surely is a novel effort. I give the developer credit for cobbling together multiple tools in an easy-to-use package.

While it is an interesting idea to combine these disparate tools into a single package, lowering the barrier to entry for breaching networks, it will arguably have a negligible impact. Even a basic set of security controls should be able to withstand this effort. The people leveraging AutoSploit will likely have very little experience in breaching networks and will create enough noise, or make enough mistakes, to be caught by security tools or analysts.
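As an added illustration of that noise, and not code from the original post or from the AutoSploit project, here is a small Python detector run over a handful of constructed Apache-style access log lines. It flags any source that produces failed requests for several unrelated, exploit-looking paths inside a short window, which is exactly the footprint left by a tool that runs a list of Metasploit modules in sequence against a target. The thresholds, the sample IP addresses and the paths are assumptions for the example.

```python
"""Flag sources that burst through many unrelated exploit paths in a short
window, the footprint left by running a list of exploit modules in sequence.
Added example; the log lines below are constructed, not real traffic."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx combined log format; only the fields we score on are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample: 203.0.113.7 sprays unrelated exploit paths in 30 s;
# 198.51.100.20 is an ordinary visitor who follows one broken link.
SAMPLE_LOG = """\
198.51.100.20 - - [10/Feb/2018:14:03:01 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.7 - - [10/Feb/2018:14:03:05 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 209
203.0.113.7 - - [10/Feb/2018:14:03:09 +0000] "POST /struts2-showcase/index.action HTTP/1.1" 404 209
203.0.113.7 - - [10/Feb/2018:14:03:14 +0000] "GET /phpmyadmin/setup/ HTTP/1.1" 404 209
198.51.100.20 - - [10/Feb/2018:14:03:20 +0000] "GET /old-page.html HTTP/1.1" 404 209
203.0.113.7 - - [10/Feb/2018:14:03:21 +0000] "GET /manager/html HTTP/1.1" 403 199
203.0.113.7 - - [10/Feb/2018:14:03:28 +0000] "POST /wp-login.php HTTP/1.1" 404 209
203.0.113.7 - - [10/Feb/2018:14:03:35 +0000] "GET /console HTTP/1.1" 404 209
198.51.100.20 - - [10/Feb/2018:14:04:02 +0000] "GET /about.html HTTP/1.1" 200 3310
"""


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def find_noisy_sources(lines, window_seconds=60, min_distinct_paths=5):
    """Return {ip: sorted distinct failed paths} for every source that hit at
    least `min_distinct_paths` different paths with a 4xx/5xx answer inside
    some `window_seconds` window. Thresholds are assumptions for the example."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] >= 400:
            failures[rec["ip"]].append(rec)

    flagged = {}
    window = timedelta(seconds=window_seconds)
    for ip, recs in failures.items():
        recs.sort(key=lambda r: r["ts"])
        best = set()
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until the span fits in window_seconds.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            paths = {r["path"] for r in recs[start:end + 1]}
            if len(paths) > len(best):
                best = paths
        if len(best) >= min_distinct_paths:
            flagged[ip] = sorted(best)
    return flagged


if __name__ == "__main__":
    for ip, paths in find_noisy_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {len(paths)} distinct failed exploit-looking paths: {paths}")
```

The ordinary visitor's single 404 never crosses the threshold, while the sprayer is flagged on the strength of six unrelated failures in thirty seconds; a real deployment would feed this from the web server's log pipeline and tune the window and path count to the site's own baseline.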

The International Business Times reports on some fallout from the recent bombshell about Dutch intelligence tracking Cozy Bear:

Several top banks and the national tax authority in the Netherlands were briefly crippled by a series of powerful DDoS attacks targeting their networks. ABN Amro, ING and Rabobank confirmed in separate statements that they were attacked with their online and mobile banking services temporarily knocked offline. The wave of cyber attacks come just days after local media reported that Dutch intelligence agency AIVD spied on Russia-linked hacker group Cozy Bear, also known as APT29, as early as 2014.

Rabobank tweeted on Monday that it was suffering DDoS attacks while ABN AMRO said it experienced three hours-long DDoS attacks on Saturday and Sunday (27 and 28 January). ING said it was targeted on Sunday as well. All three institutions assured customers that their systems were not breached and customer accounts and details were not compromised in the attacks.

The Dutch tax authority also said it was hit by DDoS attacks that temporarily took down its website and online services for about 5-10 minutes on Monday. Later, the Dutch official online signature system DigiD was also reportedly hit.


This should not come as a surprise, considering the bombshell intelligence revelations to come out of the Netherlands.

Using deception as part of organizational cyber defense is not the same as just deploying a basic honeypot:

Almost 15 years ago, Honeyd was introduced as the first commercially available honeypot and offered simple network emulation tools designed to detect attackers.

Deception is still a fairly new technology, so it is not surprising that seasoned security professionals will ask, “Isn’t deception just a honeypot or honeynet?” In fairness, if you consider that they are both built on trapping technology, they are similar.

Gene Spafford, a leading security industry expert and professor of computer science at Purdue University, originally introduced the concept of cyber deception in 1989 when he employed “Active defenses” to identify attacks that were underway, designed to slow down attackers, learn their techniques, and feed them fake data.

Deception technology has made monumental strides in evolving from limited, static capabilities to adaptive, machine learning deception that is designed for easy operationalization and scalability.

Based on our own internal testing and from others in the emerging deception market, deception is now so authentic that highly skilled red team penetration testers continually fall prey to deception decoys and planted credentials, further validating the technology’s ability to successfully detect and confuse highly skilled cyberattackers into revealing themselves.
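As an added illustration of the planted-credential idea described above, and not code from the original post or from any deception vendor, here is a small Python tripwire. Each decoy account is recorded together with the place the fake credential was planted, so when the decoy is used the alert says not only that someone is in the network but which file or host they have already read. The account names, hosts, paths and auth log lines are all constructed for the example; the decoy accounts must not exist as real logins, so any attempt to use them is hostile by construction.

```python
"""Planted-credential tripwire: any authentication attempt with a decoy
account is an alert, and the alert names where that decoy was planted.
Added example with constructed data; not from the original post."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Decoy:
    username: str
    planted_at: str  # host:path where the fake credential was left to be found


# Assumed decoys. These accounts do not exist on any real system, so every
# use of them is unauthorized by construction.
DECOYS = {
    "svc_backup": Decoy("svc_backup", "fileshare01:/it/scripts/backup.ps1"),
    "oracle_dba": Decoy("oracle_dba", "jump01:/home/admin/.bash_history"),
}

# Linux auth.log sshd lines: success or failure, with or without 'invalid user'.
SSHD_RE = re.compile(
    r"^\S+ +\d+ \S+ (?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

# Constructed sample log: one attacker tries both decoys from 10.0.7.33.
SAMPLE_AUTH_LOG = """\
Feb 10 14:02:11 jump01 sshd[2231]: Accepted publickey for admin from 10.0.5.2 port 51000 ssh2
Feb 10 14:09:40 db01 sshd[4410]: Failed password for invalid user oracle_dba from 10.0.7.33 port 40122 ssh2
Feb 10 14:10:02 fileshare01 sshd[4471]: Failed password for invalid user svc_backup from 10.0.7.33 port 40130 ssh2
Feb 10 14:11:15 db01 sshd[4502]: Accepted password for ops from 10.0.5.9 port 50211 ssh2
"""


def check_auth_log(lines, decoys=DECOYS):
    """Return one alert per authentication attempt that used a decoy account."""
    alerts = []
    for line in lines:
        m = SSHD_RE.match(line)
        if not m:
            continue
        decoy = decoys.get(m.group("user"))
        if decoy is None:
            continue  # a real account; not our concern here
        alerts.append({
            "user": decoy.username,
            "src": m.group("src"),
            "target": m.group("host"),
            "result": m.group("result"),
            "planted_at": decoy.planted_at,
        })
    return alerts


def attacker_footprint(alerts):
    """Group alerts by source so one entry shows which planted locations a
    single attacker has already harvested."""
    footprint = {}
    for a in alerts:
        footprint.setdefault(a["src"], set()).add(a["planted_at"])
    return {src: sorted(locs) for src, locs in footprint.items()}


if __name__ == "__main__":
    found = check_auth_log(SAMPLE_AUTH_LOG.splitlines())
    for a in found:
        print(f"ALERT decoy {a['user']} used from {a['src']} against {a['target']} "
              f"({a['result']}); credential was planted at {a['planted_at']}")
    print(attacker_footprint(found))
```

The value of the planted location is that it turns a bare "someone logged in as svc_backup" into "someone has already read backup.ps1 on fileshare01", which is what lets a defender reconstruct where the attacker has been rather than only that they exist.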

Bangladesh’s central bank is poised to drop FireEye from its incident response and forensics contract:

Bangladesh’s central bank is unlikely to extend the contract of U.S. cyber security firm FireEye to investigate the electronic theft of $81 million of its money, sources at the bank said on Wednesday, citing high costs as one of the factors.

I have to wonder if there is more to this story than meets the eye. Mandiant, while an exceptionally talented team of forensics experts, may be struggling to determine exactly what happened, causing the bank to lose confidence in its ability to meet the contract requirements.

FireEye’s Mandiant forensics division was hired by Bangladesh Bank weeks after the cyber heist in early February. It said in an interim report that hackers took control of the bank’s network, stole credentials for sending messages on the SWIFT transactions system and used “sophisticated” malicious software to attack the computers the bank uses to process and authorize transactions.

Mandiant has said it needs 570 hours of more work to complete its investigations, a director on the board of Bangladesh Bank told Reuters. The bank has already paid about $280,000 to the company at an hourly rate of $400, he and other officials said on condition of anonymity.

Unbelievable cost. At $400 an hour, the remaining 570 hours would add roughly another $228,000 on top of what has already been paid. This could quite possibly be the reason FireEye is being dropped. There is no reason they should be charging this much, unless their goal was to take advantage of the Bangladesh central bank.