How Russian and Chinese hackers are different
With all the arrows pointing at Moscow, the fact remains that the Chinese are also engaged in cyberattacks on the US government
After a closed-door meeting with Senate members on February 17 concerning alleged contacts between aides to Donald Trump and the Russians, there are signs that whatever FBI chief James Comey said has further motivated support for an investigation.
These alleged contacts prior to and after the election are part of a broader Congressional effort aimed at revealing the nature of Trump’s ties to Russia – if there are any – and any evidence of Russian hacking of the US election. No details of what was said during this FBI meeting have been disclosed, but demand for an investigation by the Senate Select Committee on Intelligence is gaining traction.
Democrat Senator Mark Warner of Virginia who serves as vice chair of the Select Committee expressed his confidence that it could carry out a proper investigation.
“Election integrity is essential in the world’s leading democracy; it is part of our ‘critical infrastructure’ and threats to our electoral system must be addressed with seriousness and urgency,” David J Hickton, founding director of the University of Pittsburgh Institute of Cyber Law Policy and Security, said in an interview just a few days ago after a panel discussion at the university on February 2 entitled, Russian Hacking: What Do We Know and How Is This Different?
With all the spotlights turned on Russia, the fact remains that China has also engaged in cyberattacks on the US government, and these incursions have been successful to date. That said, there are noticeable differences between how Russian and Chinese hackers operate.
Hickton, a former US Attorney, ranks as one of most experienced federal prosecutors of cyber criminals in the US. He successfully prosecuted five Chinese military officers, members of the People’s Liberation Army’s Unit 61398, who are now featured on wanted posters in their PLA uniforms. These five PLA officers were accused of hacking into several US companies and indicted in a US court, but have yet to face trial.
Hickton has been a part of numerous multinational investigations and gone after many individuals and criminal enterprises all over the world. He has worked closely with the US Department of Justice’s National Security Division Counterespionage Section and the DOJ’s Criminal Division’s Computer Crime and Intellectual Property Section.
“The Chinese hackers are more proliferative. They wake up in the morning, put on their uniforms and go to work in an office building,” Hickton said. “The Russian hackers are more likely to be linked to organized crime.”
This potential organized crime dimension of the Russian interference campaign aimed at the US is something he is very familiar with. In July 2015, after busting the PLA officers, Hickton was instrumental in “Operation Shrouded Horizon,” which led to the prosecution of 12 people for computer fraud conspiracy. The US, along with law enforcement personnel in 20 countries, took down a computer hacking forum known as “Darkode,” which was extremely sophisticated and yet only one of roughly 800 criminal internet forums operating worldwide at the time.
“Through this operation, we have dismantled a cyber hornets’ nest of criminal hackers which was believed by many, including the hackers themselves, to be impenetrable,” said Hickton in 2015.
Darkode was a virtual bazaar where cyber criminals bought, sold and traded “malware, botnets and personally identifiable information used to steal from US citizens and individuals around the world,” said the DOJ in a release.
The release added: “Darkode was an online, password-protected forum in which hackers and other cyber criminals convened to buy, sell, trade and share information, ideas, and tools to facilitate unlawful intrusions on others’ computers and electronic devices.
“Before becoming a member of Darkode, prospective members were allegedly vetted through a process in which an existing member invited a prospective member to the forum for the purpose of presenting the skills or products that he or she could bring to the group.”
Does Darkode serve as a blueprint for Fancy Bear or Cozy Bear, two of the Russian hacker groups implicated in the recent Russian cyberattacks? That remains unclear, and yet there are some signs that the Russian hacker groups engaged in a competitive pursuit of their objectives.
Andrei Soldatov, a Russian investigative journalist who specializes in the security services, and cofounder and editor of Agentura.ru, was one of the participants in the University of Pittsburgh panel discussion. He described how groups of hackers in Russia, using a range of tactics and techniques, have evolved steadily. Email hacking is often used by the Russians.
In 2015, a new level of technology and sophistication was in evidence during the flood of cyberattacks on Ukraine. As in the case of the hack of emails from the US Democratic National Committee, two hacker groups spent seven months trying to figure out how to break into the Ukraine system, said Soldatov.
Because there is no conventional chain of command, this not only allows for a denial by the Russian government of any direct or indirect involvement, it also makes it almost impossible for journalists to find any hard evidence.
However, at the same time, Soldatov described how by operating outside of the existing bureaucratic structure, these groups of hackers may actually benefit in the form of being able to maintain much closer links to the Kremlin. Staying in close contact with the Kremlin has not always been viewed as the best way to proceed by these criminal hacker groups, said Soldatov.
Still, unlike the bureaucracy, this degree of informal access removes the barriers and restrictions imposed by bureaucratic rules, thus making the hackers “more dangerous, adventurous and flexible.” In the end, the tactics and techniques used by the Russian hackers are all about seizing information, and then disclosing it or threatening to do so. The Russians can be secretive, as one might expect, but the political leverage they attain is all about timing, impact and disclosure.
“[The Russian hackers are] unlike the Chinese who are very good at hacking, but not publicizing it,” said Soldatov.
Panelist Ellen Nakashima, national security reporter at The Washington Post, reminded everyone that the intercepts obtained by US intelligence of Russian officials – not the hackers themselves – congratulating themselves were very critical to understanding the ties to the Kremlin.
Luke Dembosky – a former Deputy Assistant Attorney General for National Security and former DOJ representative at the US Embassy in Moscow – spoke on the sophistication of the Russian hacking apparatus, which focused on a set of criminal actors who excelled at getting money out and setting up networks. As for the ongoing threat, he was very clear.
“Do we want people running for office who worry about their daughter’s email being hacked?” he asked. Later, he spoke about joint counter-terrorism efforts and how this area of shared concern ensures that the Kremlin remains at the table with the US.
Just over five years ago in late January 2012, Mike McConnell, former director of national intelligence, issued a stern warning that has now struck home.
Not suspecting that Russia would be so bold or go so far as to unleash a cyberattack on the 2016 US electoral process, McConnell warned during an interview with Reuters that it would take “a banking collapse” or the country’s electric power grid shutting down for a number of weeks “or something of that magnitude, we’re likely just to talk about it and not do much. There will be a thousand voices on what is the right thing to do, and it will probably require a crisis to reach consensus.”
A retired US Army General and former Supreme Allied Commander of the North Atlantic Treaty Organization, Philip Breedlove, who testified before the US Senate Foreign Relations Committee on February 9, said the US had still not defined the threat let alone how it would respond.
As for the prior Russian hacking in Ukraine, which is now spreading to Germany and the Netherlands as well as other nations, he described it as a form of sophisticated, hybrid, below-the-line warfare. He talked about DIME, or the diplomatic, informational, military and economic muscle that nations can apply to a variety of situations.
Breedlove went a step further and said the reticence of President Barack Obama’s administration to provoke the Russians was the reason why it did not respond earlier to the Russian influence campaign. This reluctance or unwillingness to confront the Russians and the consequences of this inaction will be debated for years to come.
In 2014, Russian hackers snatched some of President Obama’s emails from the White House’s unclassified computer system, causing one senior official to confide to The New York Times that the sophistication of the attack was noteworthy, while another official described the Russian link to the attack as “worrisome.” The Times’ description of that troubling event was indeed ominous.
“While Chinese hacking groups are known for sweeping up vast amounts of commercial and design information, the best Russian hackers tend to hide their tracks better and focus on specific, often political targets. And the hacking happened at a moment of renewed tension with Russia – over its annexation of Crimea, the presence of its forces in Ukraine and its renewed military patrols in Europe, reminiscent of the Cold War,” said the Times.
However, a more ominous development involves a further evolution of Russian prowess as they proceed down this path. They executed their cyber warfare plan of attack of the US on an immense scale – one not seen before.
While experts point to Russia’s seeming reliance in the past on a decidedly decentralized organizational structure with firm ties to organized crime, one prominent member of the US Senate’s Select Committee on Intelligence told PBS Newshour on February 14 that Russia carefully assembled a huge group of hackers to carry out its highly successful influence campaign against the US, unleashing an unprecedented amount of fake news during the latest election cycle, among other things.
“There were literally 1,000 internet trolls working at a single location in Russia seeking to interfere in our election,” said Senator Warner.
Thus, the Russians appear to be embracing the practices of the PLA who have maintained a “hacker hotel” in the suburbs of Shanghai – unless they have recently relocated – filled with PLA officers who are very good at what they do. And they are getting better at it each day.