Earlier this week I conducted a follow-up discussion with an industry colleague about global cyber attack activity, specifically related to Russia and the situation in Syria. It was a valuable conversation so I want to share my thoughts on the topics we debated.

Our dialog began with a simple query: will Russia escalate its cyber attacks against the United States in retaliation for the military response the U.S. took against Syria after Assad’s chemical weapons attack against its very own citizens?

This is an interesting question for a few reasons. The chief issue with this specific question, and with discussions surrounding this topic in general, is there is no agreed upon, clear definition of what exactly constitutes a cyber attack. There is no way to answer the question before defining the term cyber attack. So lets start there.

Is a cyber attack defined as the mere exploitation of a vulnerability, and subsequent acquisition of access to a target network? Does an actor need to perform some malicious activity after obtaining access before the compromise is considered an attack?

In the context of attacking the electric power industry, is attacking the power grid and causing an outage, like what transpired in Ukraine in December’s 2015 and 2016, the demarcation line between what is and is not a cyber attack? Is sending phishing emails with malicious attachments, ultimately leading to establishing a foothold into a network for potential use later, a cyber attack?

This is where the media, the security industry, governments, and certain professionals tend to disagree on terminology. I feel it is important to dissect the words to better understand the original question. In the above, I would argue the latter – a phishing campaign resulting in mere command-and-control capabilities on a network – is not a cyber attack. Is most definitely is a network breach. I argue it is considered network exploitation or offensive cyber operations, but not necessarily a cyber attack. Generally it is part of a much larger, potentially multi-faceted campaign, but just breaching a network is not a cyber attack.

Just like breaking into a vehicle does not assume intent to steal the car, remotely accessing a network is likely equivalent to breaking and entering or trespassing. There may be intent to steal intellectual properly, disrupt network operations, surveil, participate in a botnet, or a host of other activities potentially rising to the level of a cyber attack. But mere access to a network cannot assume the actors intent.

Now back to the original question about the possibility of Russia increasing cyber attacks against the United States in retaliation for the airstrikes in Syria.

I do not believe Russian cyber attacks will increase as a direct result of the U.S. military actions in Syria. While Russia is likely not pleased with the airstrikes, there is no specific strategic reason for a cyber response from Russia. United States critical infrastructure is already purported to have been attacked on multiple recent occasions by Russia, most recently by leveraging a major Cisco router vulnerability.

Russia has already demonstrated sophisticated cyber operations capability, with the potential to own deliberate targets in the United States. However, they have yet to establish malicious intent. For the moment they have simply conducted a show of force, signifying their strength. This is the military equivalent of sending an aircraft carrier with an airwing aboard, accompanied by a battle group, off the coast of Russia. It suggests power and superiority.

It is unlikely Russia will currently attempt any cyber attack leading to major damage or disruption. In the short term they will continue to pursue network access, especially strategic targets within critical infrastructure, but doubtful anything beyond.

On the one hand, Russia has a high degree of cyber sophistication. Hypothetically, the Putin regime may explore false flag operations against the United States, but if the attack were ever unequivocally attributed to Russia then it may not end well. Although in this era of crying fake news left and right, even indisputable evidence of a Russian plot may not be convincing.

On the other hand, Russia could directly attack the United States. The problem with this approach is the U.S. policy on response. A cyber attack does not necessitate an in-kind response. Just because an adversary uses the cyber domain to attack, the United States does not limit its response to the same domain.

Put another way, if the U.S. is the victim of a major nation state backed cyber attack, it will likely respond kinetically. The U.S. government has stated on multiple occasions it has the option to respond via military force if it determines a cyber attack is above an as-yet publicly defined damage threshold. Expect bombs to be dropped, missiles to be launched, or troops to be engaged if the U.S. feels its sovereignty has been attacked.

Putin is most certainly cognizant of this, and is leveraging the ambiguity cyberspace offers to continue conducting operations and demonstrating Russian nation state capability. These minor operations will continue in the short term, but I find it hard to believe an actual attack will occur in the near future. Russia most assuredly does not want a traditional conflict with the United States. Russia will continue to pick at the proverbial scab since there are no repercussions.

Expect to see Russian cyber exploitation remain in the news cycle for the foreseeable future. Awareness of this threat is an important factor in ensuring U.S. government agencies, critical infrastructure, and businesses are prepared for the possibility of an attack. Resilient, proactive defensive measures and situational awareness will go a long way in limiting risk and potential exposure for the inevitable attack that will unquestionably materialize at some strategic time in the future.

The New York Post reports on the Obama Administration using the cyber hotline to Russia to warn Putin against interfering in the 2016 US Presidential election:

Michael Daniel, Obama’s cyber czar, said administration officials used the channel — added to the nuclear hotline in 2013 so the countries could communicate about hacking and cyberattacks — to tell the Kremlin to “knock it off.”

“We know that you are carrying out these kinds of activities. And stop. Knock it off,” Daniel told CBS’ “60 Minutes” about the call on Oct. 7, 2016.

Asked if Russia got the message, Daniel said he thinks so.

“The fact that this was the first time we had ever exercised this channel, which was supposed to be, you know, for very serious cyber incidents and cyber issues — I think that, in and of itself — sent a message,” he said.

The Obama administration resorted to using the hotline after earlier the same day, it released its first public statement about how Russia was behind the hacking of the Democratic National Committee.

I do not get the impression the average US citizen truly comprehends the problems the country faced in 2016 with the Russian interference. Too many people see this as a US-only political issue, meaning US politicians are using the interference to discredit President Trump, discredit Hillary Clinton, and even discredit and blame former FBI Director James Comey.

That is far too short-sighted and completely misses the point. It is time to look at the Russian interference from a wide-ranging, multi-faceted strategic level. This is objectively an attack on US sovereignty and its democracy.

The country needs to put aside its like or dislike for a particular political candidate, and focus on how a foreign country – in this case, the one foreign country who was the primary US adversary during the Cold War – interfered with a sovereign states election process to sow doubt and discord, effectively using propaganda to confuse citizens from understanding the true issues. Ostensibly the goal was to make sure Clinton was not elected given her relationship with Putin and position on Russia, not necessarily to get Trump elected.

It is time for the country to take a step back, take a deep breath, and take a look at this issue with renewed vigor, unshackled from the constraints of political affiliation and focus on it objectively. This attack unquestionably took place, unquestionably interfered with the election, and unequivocally played a pivotal role in the outcome of who was ultimately elected as the 45th President of the United States.

The time for playing partisan politics ended long ago. It is time to protect the future of the American democratic process. Enough with the games.

Dark Reading enumerates the escalating potential for destructive cyber attacks and false flag operations to take place as tensions rise on the global geopolitical stage:

Geopolitical tensions typically map with an uptick in nation-state cyberattacks, and security experts are gearing up for more aggressive and damaging attacks to ensue against the US and its allies in the near-term, including crafted false flag operations that follow the strategy of the recent Olympic Destroyer attack on the 2018 Winter Olympics network.

As US political discord escalates with Russia, Iran, North Korea, and even China, there will be expected cyberattack responses, but those attacks may not all entail the traditional, stealthy cyber espionage. Experts say the Trump administration’s recent sanctions and deportation of Russian diplomats residing in the US will likely precipitate more aggressive responses in the form of Russian hacking operations. And some of those could be crafted to appear as the handiwork of other nation-state actors.

The idea of false flag operations are rather easy to pull off in cyber space compared to traditional kinetic attacks. It takes a huge amount of sophistication to properly execute this type of operation and ensure the fingers are pointed at the framed nation state. But it can be done, and there are strong players with this capability.

Consider how well Russia, China, North Korea, and Iran approach cyber. Western countries like US, UK, Australia, Netherlands, and other allies are extremely capable. Even a smaller yet highly advanced country like Israel could pull off a false flag operation. It is well within all these nations capacities to successfully misdirect cyber attack attribution.

As a quick aside, I suspect Russia was behind WannaCry even though the US, UK, and other government have unequivocally attributed it to North Korea. This specific attack does not pass the smell test, and was just far too sloppy for a country like North Korea to execute so poorly, especially when ransomware is their prime expertise. There was motivation for Russia to false flag WannaCry, and I discussed this with Japanese media at length early last year after the outbreak occurred.

There are many political reason to both publicly shame or to hide Russia as the culprit. The former would fit in with exposing Russia for all their malicious global cyber activity, while the latter is exactly the modus operandi for the Trump Administration. Furthermore, if Russia did false flag WannaCry, there is also a strong possibility the US intelligence community and its partners would rather keep their knowledge of such hidden from the public. This would allow Russia to conduct further similar operations, with the various intelligence agencies collecting additional data on their tactics and strategy.

While I obviously could be wrong, I still feel as if something does not sit right.

Security experts worry that Russia will continue to ratchet up more aggressive cyberattacks against the US – likely posing as other nations and attack groups for plausible deniability – especially given the success of recent destructive attack campaigns like NotPetya. Not to mention the successful chaos caused by Russia’s election-meddling operation during the 2016 US presidential election.

That doesn’t mean Russia or any other nation-state could or would cause a massive power grid outage in the US, however. Instead, US financial services and transportation networks could be next in line for disruption via nation-state actors, experts say.

Russia definitely has demonstrated sophistication far beyond what the US had expected. Their ability to have penetrated so far and wide is a testament to their strong focus on leveraging cyber for geopolitical activity. It is a fundamental shift in their national intelligence and military strategy, but one that is generally inline with what they have done throughout history.

The likelihood Russia actually attacks US critical infrastructure is extremely low, with the exception of potential isolated incidents against smaller players in the industry. As the above quote rightly states, Russia will likely focus on financial services more than any other area. The US needs to be prepared, and I am concerned the maturity of these operators is not at the level it needs to be to properly withstand a sophisticated nation state attack.

The Daily Beast dissects a recent leak of a classified National Security Agency document outlining how Russian intelligence interfered with the 2016 Presidential election through its highly comprehensive information warfare campaign:

The dumped intelligence report offered some of the best confirmation of Russian meddling in the U.S. election, providing more evidence to tamp down the claims of President Trump and his legions that it was China or a guy in a basement that hacked the Democratic National Committee and many other current and former American officials.

The techniques targeting election officials—spam that redirects recipients to false email login pages yielding passwords to Russian hackers—appear eerily familiar to those used by the GRU against many other U.S. targets in 2015 and 2016.

To the disappointment of Trump’s biggest haters, the NSA leak provides no evidence that Russia changed any votes. And that makes sense, as Russian altering of the tally in favor of their preferred candidate Donald Trump would be sufficient justification for war—one Russia would lose against the U.S.

The Kremlin sought instead to create the perception among Americans that the election may not be authentic in order to push their secondary election effort: Undermine the mandate of Hillary Clinton to govern, should she win.

The idea that Russia hacked actual electronic voting machines is a non-story. That is not how Russian intelligence interfered with the election. Russia did not use the traditional concept of computer hacking to effectively undermine the Clinton campaign. Instead, their comprehensive strategy was old fashioned information warfare, something Russia is extremely capable at executing.

Through the skilled use of video manipulation, meme creation, small cells targeting specific conversations on various social networks, and a wide array of automated bots, Russia effectively mounted one of the most dynamic and well executed information warfare campaigns in history. The only outstanding question at this juncture is whether or not there was any collusion, quid pro quo or otherwise, between the Trump campaign and Moscow. This remains to be seen based on whatever Special Council Mueller and his team is capable of finding.

In America, it sought not to alter the tally, but to create the perception that it’s possible—and instill doubt among Americans in the process. Hacking of voter rolls rather than machines creates an impression in the voters’ psyches without provoking the U.S. into open conflict.

This is likely going to be one of the longest lasting affects of Russian interference in the US election: sowing doubt and discord among the American populace, so much so it begins to break down the trust in governmental institutions, potentially leading towards a collapse of the Republic itself.

That may sound over the top, but it is exactly the outcome Putin desires. He would like America and Russia on a level playing field once again. Since the decline of the Soviet Union, America has constantly been atop Russia, overshadowing it in every aspect of political and military capability. That is, until Putin came into power and changed the game once again.

At this point one has to wonder exactly how capable the United States is with offensive cyber operations. Is the US capable of pulling off a similar campaign in a major country like what Russia did in 2016?

POLITICO discusses the diametric views the soon-to-be former and incoming National Security Advisors have on Russian hacking, propaganda, and influence on the 2016 presidential election:

In their public comments, McMaster and Bolton have presented a stark contrast in their views on Moscow’s involvement in the hacks and online trolling that roiled the 2016 presidential election. While McMaster has taken a hard-line stance in blaming Moscow for orchestrating the digital disruption campaign, Bolton has made headlines by casting doubt on Russia’s role.

In fact, it was McMaster’s remarks on the subject that caused his strained relationship with the president to spill into public view.

Speaking at a February conference in Munich, McMaster proclaimed that evidence of Russian meddling in the 2016 elections was “incontrovertible.”

Trump lashed out on Twitter in response: “General McMaster forgot to say that the results of the 2016 election were not impacted or changed by the Russians and that the only Collusion was between Russia and Crooked H, the DNC and the Dems. Remember the Dirty Dossier, Uranium, Speeches, Emails and the Podesta Company!”

Conversely, Bolton — a former U.S. ambassador to the United Nations during the George W. Bush administration — has cast doubt on the evidence linking Russia to the Democratic National Committee hack, suggesting that the Obama administration was blaming the Kremlin for political purposes.

In December 2016, when Bolton was being floated as the possible deputy secretary of state, the former diplomat suggested that the digital footprints left behind at the DNC may have been a “false flag.”

“If you think the Russians did this, why did they leave fingerprints?” he asked during a Fox News interview.

Bolton is either being completely intellectually dishonest or he is obtuse and incapable of understanding how cyber attacks are executed. Seeing as he will be the next National Security Advisor, this should be a warning to the type of illogical thought processes that will go into future US national security decisions.

Every cyber attack leaves some form of a so-called fingerprint. Whether it is an IP address accidentally exposed and attributed to a specific organization, a set of attack tools used and left behind in haste because the actors had to get out before being caught, or a complete series of tactics, techniques, and procedures specific actors use on a reoccurring basis – there are always going to be some form of a fingerprint. These are just some of the many data points used when attributing attacks to specific groups performing operations across the globe.

What Bolton should already know seeing as he is a former US Ambassador, but is so obviously playing politics with, is the US intelligence community is embedded in networks all over the globe. The National Security Agency regularly watches Russian, North Korean, Chinese, and Iranian actors while in the act of breaching networks. This has allowed the NSA to fingerprint the techniques the different actors leverage, which is often how attacks are attributed to groups like Fancy Bear, Lazarus, and the countless others.

If the NSA is not watching an attack, it is likely one of the various US allies are collecting data. Take for example, the case of the Netherlands intelligence agency witnessing in real-time as Russia’s Cozy Bear conducted cyber attacks. So even if the US IC is not collecting data and learning how actors perform operations, its allies are and will share both the raw intelligence and the analysis conducted. This is what allows the US IC to be so successful.

The US is on a dangerous path. If Bolton opts to ignore strong evidence of Russian meddling in US election and sovereign affairs, the US should be prepared for what is likely the outcome or goal of his being hired as the National Security Advisor: to legitimize and sell a war against either North Korea or Iran to the American people.

The Brookings Institute discusses how the US has not yet seen the worst of Russian cyber attacks, thus far only having dealt with bots, trolls, and propaganda rather than crippling critical infrastructure:

In the West, Russia’s cyberattacks so far have been at the service of its disinformation operations: stolen data used to embarrass individuals, spin a narrative, discredit democratic institutions and values, and sow social discord. This was the pattern Russian operators followed in the United States, France, and Germany during the countries’ 2016–17 elections. Hacking email accounts of individuals or campaigns, leaking that stolen information using a proxy (primarily WikiLeaks), and then deploying an army of disinformation agents (bots, trolls, state controlled media) to disseminate and amplify a politically damaging narrative. Such cyber-enabled interference falls below the threshold of critical infrastructure attacks of significant consequence that could result in “loss of life, significant destruction of property, or significant impact on [national security interests].”

The nightmare of cyberattacks crippling critical infrastructure systems still has the sound of science fiction to most Americans. But in Ukraine, this nightmare is real. As the laboratory for Russian activities, Ukraine has seen a significant uptick in attacks on its critical infrastructure systems since the 2013–14 Maidan revolution. A barrage of malware, denial of service attacks, and phishing campaigns bombard Ukraine’s critical infrastructure environments on a daily basis. In December 2015, a well-planned and sophisticated attack on Ukraine’s electrical grid targeted power distribution centers and left 230,000 residents without power the day before Christmas. The attackers were able to override operators’ password access to the system and also disable backup generators.

Ukraine is all too familiar with Russian attacks against critical infrastructure. For a while it almost appeared as if Ukraine was some kind of testbed or cyber range of sorts for Russia to try and perfect its attack capabilities against electric power plants and substations.

Imagine the chaos a debilitating critical infrastructure attack would have on the US population. There has been a lot of news lately about Russia being embedded in the US power networks. This is no longer an “if it is possible” scenario, but rather “when will it occur”.

Time has an in-depth article discussing how a Russian KGB Chief once asked the US for peace in cyberspace:

“From the very beginning it was clear,” he tells TIME by phone from Moscow, where he now works mostly in the private sector. “We told our people, ‘Look, the public may not realize yet what’s going on. But we need to raise the alarm on a political level, because this stuff is a danger to our vital infrastructure.’”

The tables appear to have turned since then. The vital infrastructure now at risk is in the U.S., according to a March 15 report from the FBI and the Department of Homeland Security, which found that Russian hackers had penetrated deep into the control rooms of U.S. power stations, putting a finger on the light switch of American homes. “Since at least March 2016,” the report states, “Russian government cyber actors…targeted government entities and multiple U.S. critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.”

These were precisely the sorts of attacks that Rubanov had feared from the Americans. He wouldn’t comment on whether Russia was in fact responsible this time; his old habits of discretion die hard, and he still serves as an occasional adviser to the Russian government. But he did note, with a tone of regret rather than self-satisfaction, that the Americans should have listened to his warnings two decades ago.

After the KGB was dissolved in 1991 along with the rest of the Soviet Union, Rubanov went to serve on the Kremlin’s Security Council, where he was also in charge of information security. He soon got to work, along with some colleagues at the Foreign Ministry and other agencies, on drafting rules of engagement for cyber space—a “code of conduct” of the type that governs the use of nuclear and chemical weapons.

“The point was to have a kind of non-aggression pact in the cyber sphere, one that would prohibit such attacks against sovereign nations,” he says. Their hope was that these rules would eventually be adopted by the United Nations and become international law. But the effort stalled, says Rubanov, in large part because the world’s last remaining superpower wasn’t interested. “Each country wants to have guarantees of security, but it does not want to extend those guarantees to others. So this is where we ended up. In a place where no one is safe.”

Global governments still continue to disagree on cyber norms. Until there are firm agreements in place, governments like Russia will continue to exploit the legal vulnerabilities and engage is malicious activities across the planet.

You do have to give Rubanov credit for his poignant observation about the importance of some type of cyber-based non-aggression pact. Imagine where the world would be today had something been agreed upon when Rubanov first brought it up.

A reputed technophobe, Putin had always been mistrustful of the Internet, which he has called a “CIA project.” And like many of Russia’s spy chiefs, he feared that microchips and operating systems imported from the U.S. were designed to function as secret tools of American sabotage, surveillance or both. But there was little he could do about it. In the field of cyber weaponry, “Russian generals felt they were losing the global arms race,” Andrei Soldatov and Irina Borogan wrote in their recent book, The Red Web, a history of Russian cyber policy. So instead of trying to match American technology, Russia tried using diplomacy “to put some limits on the United States’ offensive capabilities.”

These limits would have amounted to cyber disarmament. As outlined in 2009 by one of Rubanov’s successor at the Security Council, Vladislav Sherstyuk, Russia wanted a ban on cyber implants, which can act as remote-controlled bombs inside an enemy’s computer networks; a ban on the use of deception to hide the source of an attack; and, a rule that would extend humanitarian law into cyber space, effectively banning attacks on civilian targets like banks, hospitals or power stations.

One has to wonder just how genuine Putin was being when he and Sherstyuk discussed a form of cyber disarmament. It sounds more like a ploy to try and outmaneuver the United States rather than an actual desire to disarm cyberspace.

The entire article is well worth reading. It paints a very interesting picture of where the US-Russia relationship was, and where it has come since that time.

The Daily Beast has an exclusive report discussing how Guccifer 2.0, the ostensible self-purported lone DNC hacker, appears to have slipped up in tradecraft and inadvertently revealed being a Russian intelligence officer:

Guccifer famously pretended to be a “lone hacker” who perpetrated the digital DNC break-in. From the outset, few believed it. Motherboard conducted a devastating interview with Guccifer that exploded the account’s claims of being a native Romanian speaker. Based on forensic clues in some of Guccifer’s leaks, and other evidence, a consensus quickly formed among security experts that Guccifer was completely notional.

Proving that link definitively was harder. Ehmke led an investigation at ThreatConnect that tried to track down Guccifer from the metadata in his emails. But the trail always ended at the same data center in France. Ehmke eventually uncovered that Guccifer was connecting through an anonymizing service called Elite VPN, a virtual private networking service that had an exit point in France but was headquartered in Russia.

But on one occasion, The Daily Beast has learned, Guccifer failed to activate the VPN client before logging on. As a result, he left a real, Moscow-based Internet Protocol address in the server logs of an American social media company, according to a source familiar with the government’s Guccifer investigation. Twitter and WordPress were Guccifer 2.0’s favored outlets. Neither company would comment for this story, and Guccifer did not respond to a direct message on Twitter.

Working off the IP address, U.S. investigators identified Guccifer 2.0 as a particular GRU officer working out of the agency’s headquarters on Grizodubovoy Street in Moscow.

There are a few angles to look at this. Primarily, if this is true, it is an major slip-up in GRU cyber tradecraft. Failure to activate a VPN is a huge issue, and not something seasoned actors would normally do.

However, Putin seem unconcerned about being accused of taking part in the DNC hacks, and any potential connections to the Trump campaign. He just won a new term in a sham election, and likely looks at this find as not a big deal.

So what? What will the United States do that could potentially harm Russia? It is not like the Trump Administration has taken a strong stance on Russia.

Finally, the security world had all but decided Guccifer 2.0 was Russian intelligence. This merely adds one additional data point to a lot of data pointing towards the GRU. So really it is not a major find in the grand scheme.

Dark Reading discusses how DragonFly, a malicious Russian actor targeting US and UK critical infrastructure, is using a Cisco router vulnerability to compromise its targets:

Researchers from Cylance this month revealed that they recently discovered that the group had hacked a core Cisco router on the network of Vietnam’s largest oil-rig manufacturer, a state-owned entity, in order to steal user credentials and ultimately infiltrate energy firms in the UK in March of 2017. The Cisco router that was abused was an “end of life” network device that ultimately gave the attackers an attack vector to target energy firms, according to Cylance. DragonFly used the stolen credentials as phishing lures to attack energy sector entity targets in the UK.

But there are several missing pieces of the attack puzzle, according to Cylance: including just how the router was hacked and how exactly that got the attackers to their targets in the UK.

Kevin Livelli, director of threat intelligence at Cylance, says it’s also unclear whether the oil rig manufacturer was a supplier to the UK targets or not. Such a connection might explain how it chose those targets, but Cylance found no such direct connection in its research.

“This is a piece of a larger campaign that we’re reporting on here,” Livelli says. “We found a decoy document embedded in one of the hashes in malware samples in our continued research into this group. We could tell those decoy documents were being targeted at folks in the energy sector in UK.”

This sounds like an interesting campaign to follow, even if the Cisco exploit is not necessarily a major vulnerability in current and up-to-date versions of their router operating system.

TNW reports on official statements by both the Federal Bureau of Investigation (FBI) and Department of Homeland Security (DHS) in a recently released report, detailing how Russian nation state actors are targeting malicious cyber attacks at American critical infrastructure operators:

FBI and DHS officials pinpointed two distinct categories of victims: staging and intended targets. For the initial attack, hackers often infiltrated trusted third-party suppliers for their intended marks. Knowing these targets often relied on less-secure networks than their final victim, the threat actors used them as a sort of trojan horse to plant malware that was actually intended for a much bigger target. These were then used as pivot points to activate the planted malware for use in compromising larger, more-secure networks.

Today’s report didn’t reveal who these marks were, at least not specifically. It did state, however, that the attacked locations were “small commercial facilities” and that these were coordinated and targeted, not random. These also happen to be some of the most vulnerable facilities to these types of attacks, with some running systems first deployed over a decade ago.

Accompanying the allegations today were new sanctions on Russia. The sanctions target at least three organizations and 13 individuals. Of those, perhaps the most recognizable is the Internet Research Agency, the so-called “troll farm” responsible for wreaking havoc on the 2016 Presidential election through its use of Facebook ads designed to exploit divisions in American politics.

This is not anything new. Russia, and other nation state actors, have been probing US critical infrastructure, specifically the electric power industry, for years. Think about it – the US relies on computers, networks, and other technologies to conduct day-to-day work.

All of these devices require electricity to operate. That is the common denominator. Take out the electric power plants, and the nation that did so now has the upper hand in a kinetic attack.

This is not rocket science. It is why the electric power industry is one of the specifically named US critical infrastructure sectors. It is also why the industry needs to be proactive in not only securing their IT and OT assets, but also employing a strong situational awareness, and detection and alert strategy.

If an organization has no eyes on the network, they could be under attack and never know it until the lights go out. Literally and figuratively.

The Financial Times reports Russian criminals have been targeting cyber attacks at Russian owned banks and are making decent profit:

In Russia, however, the scourge of its hackers is fast becoming a problem for the country’s own businesses.

Russia was one of the countries worst affected by the WannaCry attack last year. Even though the US and UK have blamed the Kremlin for using the NotPetya attack a few months later to target Ukraine, Russian companies such as Rosneft, state-run oil giant, were also affected.

Most vulnerable, however, are Russia’s banks. Hackers used the Cobalt Strike security-testing tool to steal more than $17m from more than 240 Russian banks in 2017, according to the central bank. In the past few months, hackers used the Swift payment system to steal $6m from an unnamed bank and tried to steal nearly $1m from state-owned Globex.

Russia is now keen to change the perception of the country as a hacker’s paradise by showing that it, too, is trying to clamp down on cyber threats.

No honor among thieves indeed.

The Washington Post is reporting the Trump Administration finally implemented sanctions previously passed by Congress, focusing on the spying, propaganda, and cyber attacks during the 2016 US Presidential election:

The Trump administration on Thursday imposed fresh sanctions on Russian government hackers and spy agencies to punish Moscow for interfering in the 2016 presidential election and for a cyberattack against Ukraine and other countries last year that officials have characterized as “the most destructive and costly” in history.

Sanctions also were imposed on individuals known as “trolls” and the Russian organizations — including the Internet Research Agency — that supported their efforts to undermine the election. Additionally, the administration alerted the public that Russia is targeting the U.S. energy grid with computer malware that could sabotage its systems.

Taken together, the moves represent the administration’s most aggressive actions to date against Russia for its incursions against the United States, though analysts say their impact is mostly symbolic and noted that a number of the individuals and groups had already been subject to sanctions. Nonetheless, officials hope the actions will help deter tampering with this year’s midterm elections while signaling to Russia that Washington will not allow its attacks to go unchallenged.

Although the administration imposed sanctions, I have yet to hear Trump categorically state his belief the Russians were involved in election tampering. I consider that quite peculiar.

Dark Reading discusses how nation state cyber attacks appeared to have adopted the Russian “Maskirovka” military doctrine:

Positively identifying the actual threat group behind a cyberattack as well as its true intentions is getting harder than ever as nation-state hacker groups out of North Korea and Russia, for example, in 2017 employed tactics typically used by their cybercriminal counterparts, and vice versa. In May of last year, North Korea’s massive ransomware campaign WannaCry at first appeared to be the handiwork of traditional financially motivated hackers, while Russia’s data-destruction attack via NotPetya initially presented itself as a pure ransomware attack.

The cloak-and-dagger feature of NotPetya, for example, reflects a Russian military doctrine called “maskirovka,” which is all about deceiving and confusing the victim, while also hiding the actual intent of the operation, according to CrowdStrike. “Although NotPetya was eventually revealed to be a wiper, the veneer of ransomware delayed this initial assessment,” the security firm wrote in its new Global Threat Report published this week, which analyzes findings and trends from its incident response investigations and data from its cloud-based Falcon endpoint detection system in 2017.

The destructive NotPetya attack was a data-wiping campaign against Ukraine that also hit companies in the US (Merck and Federal Express), Russia’s top oil company Rosneft, Danish shipping giant A.P. Moller-Maersk, Russian metals manufacturer Evraz, as well as Ukraine’s Boryspyl Airport. In rare public attack-attribution statements, the US, UK, Canada, New Zealand and Australia, this month all pointed the finger at Russia as the culprit.

In the context of military operations, cyber space is still relatively new when compared to the traditional domains of land, sea, and air. As a result of this immaturity, it is only natural for nations to iterate and their strategy to evolve. What we saw ten years ago is not what we are seeing today, and will not what we see in ten years from now.

The Russian “Maskirovka” doctrine is actually far easier to pull off in a cyber attack than it is in a kinetic one. It should come as no surprise to see nation states attempting to deceive forensic attempts to attribute an attack to a specific actor.

Alternatively, the idea behind “Maskirovka” is the basis for conducting a false flag operation. This is basically a malicious actor framing a different group for an attack, to thwart attempts to be discovered while deceiving and confusing the intended target(s). Once again, cyber attacks make it exponentially easier to successfully pull off a false flag because of the nature of how these attacks are executed.

The Daily Beast has an interesting article discussing how North Korea may be developing malware capable of shutting down portions of the US power grid:

But in September, Dragos picked up a new adversary, code-named “Covellite,” that appears to be trying to join that club. Covellite has been targeting electric utilities in the U.S., Europe, and parts of East Asia with spear-phishing attacks that employ code and infrastructure eerily similar to that used by the so-called Lazarus Group, the most destructive and outright criminal of the state-sponsored hacking gangs. Dragos doesn’t link attacks to specific nation-states, but the U.S. government has publicly identified the Lazarus Group as North Korea.

If Kim Jong Un is trying to duplicate Russia’s electricity-killing capability, he’s in an early reconnaissance stage—Covellite hasn’t shown any particular expertise in the arcana of industrial-control systems. But Dragos’ Joe Slowik says it’s a worrying development. “From a risk standpoint, that actor could be really interesting,” says Slowik. “Particularly if things on the Korean Peninsula get worse.”

It should come as no surprise to see North Korea attempting to develop the same type of cyber weaponry other major nation state players are leveraging. The recently semi-cozy relationship between Russia and North Korea could be a factor in a focal change for the country.

Generally North Korea conducts cyber attacks primarily for financial gain due to the global sanctions imposed against the nation, as well as the country having been cut off from the world banking system. Additionally, the tensions between Trump and Kim Jong Un are likely pieces of a strategic puzzle being developed in Pyongyang, leading North Korea to pursue more destructive cyber weapons than mere ransomware and other forms of financial generation.

NPR is reporting Russia’s “Fancy Bear” cyber operations team has breached German government network assets:

Germany says it managed to fend off a cyberattack against key ministries, but declined to confirm media reports that the culprit was the Russian intelligence operation blamed for interference in U.S. elections.

“We can confirm that the Federal Office for Information Security (BSI) and intelligence services are investigating a cybersecurity incident concerning the federal government’s information technology and networks,” an Interior Ministry spokesman said Wednesday.

“The attack was isolated and brought under control within the federal administration,” which manages government computer networks, the spokesman said in a statement, Reuters reports.

According to Reuters: “Western governments and security experts have linked the hacker group known as APT28 or Fancy Bear to a Russian spy agency, and have blamed it for an attack on the Democratic National Committee ahead of the 2016 U.S. elections.

Welcome to the new normal, where Russia conducts daily cyber operations, gets caught, and periodically publicly reprimanded for their bad behavior. I do not expect anything to change, unless one of the more powerful nation states severely breaches Russian assets. However, with Trump “in charge” in the US, it is doubtful a strong response will ever occur while he is in office.