Digital Sovereignty & Cyber Security
From cyberwar to digital encryption, security issues to state sovereignty
Scooped by Philippe J DEWOST

Russia's Secret Intelligence Agency Hacked: 'Largest Data Breach In Its History'

Red faces in Moscow this weekend, with the news that hackers have successfully targeted FSB—Russia’s Federal Security Service. The hackers managed to steal 7.5 terabytes of data from a major contractor, exposing secret FSB projects to de-anonymize Tor browsing, scrape social media, and help the state split its internet off from the rest of the world. The data was passed to mainstream media outlets for publishing.

FSB is Russia’s primary security agency with parallels with the FBI and MI5, but its remit stretches beyond domestic intelligence to include electronic surveillance overseas and significant intelligence-gathering oversight. It is the primary successor agency to the infamous KGB, reporting directly to Russia’s president.

A week ago, on July 13, a hacking group under the name 0v1ru$ that had reportedly breached SyTech, a major FSB contractor working on a range of live and exploratory internet projects, left a smiling Yoba Face on SyTech’s homepage alongside pictures purporting to showcase the breach. 0v1ru$ had passed the data itself to the larger hacking group Digital Revolution, which shared the files with various media outlets and the headlines with Twitter—taunting FSB that the agency should maybe rename one of its breached activities “Project Collander.”

I received a link to the Digital Revolution site where an initial tranche of breached documents was “published two months ago… as part of that 7.5 terabytes.” I won’t publish the link here for obvious reasons. Digital Revolution has targeted FSB before. It is unknown how tightly the two hacking groups are linked.

BBC Russia broke the news that 0v1ru$ had breached SyTech’s servers and shared details of contentious cyber projects, projects that included social media scraping (including Facebook and LinkedIn), targeted collection and the “de-anonymization of users of the Tor browser.” The BBC described the breach as possibly “the largest data leak in the history of Russian intelligence services.” As well as defacing SyTech’s homepage with the Yoba Face, 0v1ru$ also detailed the project names exposed: “Arion”, “Relation”, “Hryvnia,” alongside the names of the SyTech project managers. The BBC report claims that no actual state secrets were exposed.

The projects themselves appear to be a mix of social media scraping (Nautilus), targeted collection against internet users seeking to anonymize their activities (Nautilus-S), data collection targeting Russian enterprises (Mentor), and projects that seem to relate to Russia’s ongoing initiative to build an option to separate the internal internet from the world wide web (Hope and Tax-3).

The BBC claims that SyTech’s projects were mostly contracted with Military Unit 71330, part of FSB’s 16th Directorate which handles signals intelligence, the same group accused of emailing spyware to Ukrainian intelligence officers in 2015.

Nautilus-S, the Tor de-anonymization project, was actually launched in 2012 under the remit of Russia’s Kvant Research Institute, which comes under FSB’s remit. Russia has been looking for ways to compromise nodes within Tor’s structure to either prevent off-grid communications or intercept those communications. None of which is new news. It is believed that some progress has been made under this project. Digital Revolution claims to have hacked the Kvant Research Institute before.

The preparatory activities for splitting off a “Russian internet,” follow Russian President Vladimir Putin signing into law provisions for “the stable operation of the Russian Internet (Runet) in case it is disconnected from the global infrastructure of the World Wide Web.” The law set in train plans for an alternative domain name system (DNS) for Russia in the event that it is disconnected from the World Wide Web, or, one assumes, in the event that its politicians deem disconnection to be beneficial. Internet service providers would be compelled to disconnect from any foreign servers, relying on Russia’s DNS instead.

There is nothing newsworthy in the projects exposed here, everything was known or expected. The fact of the breach itself, its scale and apparent ease is of more note. Contractors remain the weak link in the chain for intelligence agencies worldwide—to emphasize the point, just last week, a former NSA contractor was jailed in the U.S. for stealing secrets over two decades. And the fallout from Edward Snowden continues to this day.

Digital Revolution passed the information to journalists without anything being edited, removed or changed—they said. Little is known about 0v1ru$ and the group has not come forward with any comment. Neither, unsurprisingly, has FSB.
Philippe J DEWOST's insight:
Russia has a situation here

A first e-embassy in Luxembourg

The most appropriate term is “data embassy”.

It expresses more clearly what is being discussed, since it refers to a data center that is granted the privileges and immunities of a conventional embassy. In other words, the server room that will host Estonia's data in Luxembourg will benefit from the diplomatic agreements provided for by the 1961 Vienna Convention, in the same way as the embassies located on boulevard Royal.

The data embassy gives Estonia the possibility of protecting sensitive data in a friendly country. This is an important point when one recalls that Estonia has already been the victim of a cyber-attack that paralyzed its government websites, banks and media for two weeks. The data embassy will therefore store in Luxembourg government information whose content is obviously confidential.

Philippe J DEWOST's insight:

Where we discover that the "sovereign cloud" is also a matter of diplomacy. Indeed, between New Space and the e-embassy, Luxembourg is behaving as a pioneer!


Russian propaganda effort helped spread ‘fake news’ during election, experts say


The flood of “fake news” this election season got support from a sophisticated Russian propaganda campaign that created and spread misleading articles online with the goal of punishing Democrat Hillary Clinton, helping Republican Donald Trump and undermining faith in American democracy, say independent researchers who tracked the operation.

Russia’s increasingly sophisticated propaganda machinery — including thousands of botnets, teams of paid human “trolls,” and networks of websites and social-media accounts — echoed and amplified right-wing sites across the Internet as they portrayed Clinton as a criminal hiding potentially fatal health problems and preparing to hand control of the nation to a shadowy cabal of global financiers. The effort also sought to heighten the appearance of international tensions and promote fear of looming hostilities with nuclear-armed Russia.

Two teams of independent researchers found that the Russians exploited American-made technology platforms to attack U.S. democracy at a particularly vulnerable moment, as an insurgent candidate harnessed a wide range of grievances to claim the White House. The sophistication of the Russian tactics may complicate efforts by Facebook and Google to crack down on “fake news,” as they have vowed to do after widespread complaints about the problem.

There is no way to know whether the Russian campaign proved decisive in electing Trump, but researchers portray it as part of a broadly effective strategy of sowing distrust in U.S. democracy and its leaders. The tactics included penetrating the computers of election officials in several states and releasing troves of hacked emails that embarrassed Clinton in the final months of her campaign.

 

 

Philippe J DEWOST's insight:

We can expect France to be next on the list. We had better get prepared for this.


A Powerful Russian Weapon: The Spread of False Stories


With a vigorous national debate underway on whether Sweden should enter a military partnership with NATO, officials in Stockholm suddenly encountered an unsettling problem: a flood of distorted and outright false information on social media, confusing public perceptions of the issue.

The claims were alarming: If Sweden, a non-NATO member, signed the deal, the alliance would stockpile secret nuclear weapons on Swedish soil; NATO could attack Russia from Sweden without government approval; NATO soldiers, immune from prosecution, could rape Swedish women without fear of criminal charges.

They were all false, but the disinformation had begun spilling into the traditional news media, and as the defense minister, Peter Hultqvist, traveled the country to promote the pact in speeches and town hall meetings, he was repeatedly grilled about the bogus stories.

“People were not used to it, and they got scared, asking what can be believed, what should be believed?” said Marinette Nyh Radebo, Mr. Hultqvist’s spokeswoman.

As often happens in such cases, Swedish officials were never able to pin down the source of the false reports. But they, numerous analysts and experts in American and European intelligence point to Russia as the prime suspect, noting that preventing NATO expansion is a centerpiece of the foreign policy of President Vladimir V. Putin, who invaded Georgia in 2008 largely to forestall that possibility.

In Crimea, eastern Ukraine and now Syria, Mr. Putin has flaunted a modernized and more muscular military. But he lacks the economic strength and overall might to openly confront NATO, the European Union or the United States. Instead, he has invested heavily in a program of “weaponized” information, using a variety of means to sow doubt and division. The goal is to weaken cohesion among member states, stir discord in their domestic politics and blunt opposition to Russia.

“Moscow views world affairs as a system of special operations, and very sincerely believes that it itself is an object of Western special operations,” said Gleb Pavlovsky, who helped establish the Kremlin’s information machine before 2008. “I am sure that there are a lot of centers, some linked to the state, that are involved in inventing these kinds of fake stories.”

Dark Arts: Russia’s Stealth Conflict
This article is the second in a series on how Russia covertly projects power.
The planting of false stories is nothing new; the Soviet Union devoted considerable resources to that during the ideological battles of the Cold War. Now, though, disinformation is regarded as an important aspect of Russian military doctrine, and it is being directed at political debates in target countries with far greater sophistication and volume than in the past.

The flow of misleading and inaccurate stories is so strong that both NATO and the European Union have established special offices to identify and refute disinformation, particularly claims emanating from Russia.

The Kremlin’s clandestine methods have surfaced in the United States, too, American officials say, identifying Russian intelligence as the likely source of leaked Democratic National Committee emails that embarrassed Hillary Clinton’s presidential campaign.

The Kremlin uses both conventional media — Sputnik, a news agency, and RT, a television outlet — and covert channels, as in Sweden, that are almost always untraceable.

Russia exploits both approaches in a comprehensive assault, Wilhelm Unge, a spokesman for the Swedish Security Service, said this year when presenting the agency’s annual report. “We mean everything from internet trolls to propaganda and misinformation spread by media companies like RT and Sputnik,” he said.

The fundamental purpose of dezinformatsiya, or Russian disinformation, experts said, is to undermine the official version of events — even the very idea that there is a true version of events — and foster a kind of policy paralysis.

Disinformation most famously succeeded in early 2014 with the initial obfuscation about deploying Russian forces to seize Crimea. That summer, Russia pumped out a dizzying array of theories about the destruction of Malaysia Airlines Flight 17 over Ukraine, blaming the C.I.A. and, most outlandishly, Ukrainian fighter pilots who had mistaken the airliner for the Russian presidential aircraft.

Philippe J DEWOST's insight:

Worth a (re)read. Very well documented and well-written article on (dis)information as a tool / weapon.


Russian Ships Near Data Cables Are Too Close for U.S. Comfort


Russian submarines and spy ships are aggressively operating near the vital undersea cables that carry almost all global Internet communications, raising concerns among some American military and intelligence officials that the Russians might be planning to attack those lines in times of tension or conflict.

 

The issue goes beyond old worries during the Cold War that the Russians would tap into the cables — a task American intelligence agencies also mastered decades ago. The alarm today is deeper: The ultimate Russian hack on the United States could involve severing the fiber-optic cables at some of their hardest-to-access locations to halt the instant communications on which the West’s governments, economies and citizens have grown dependent.

While there is no evidence yet of any cable cutting, the concern is part of a growing wariness among senior American and allied military and intelligence officials over the accelerated activity by Russian armed forces around the globe. At the same time, the internal debate in Washington illustrates how the United States is increasingly viewing every Russian move through a lens of deep distrust, reminiscent of relations during the Cold War.


Adm. Mark Ferguson said the intensity of Russian submarine patrols had risen by almost 50 percent over the last year.

Inside the Pentagon and the nation’s spy agencies, the assessments of Russia’s growing naval activities are highly classified and not publicly discussed in detail. American officials are secretive about what they are doing both to monitor the activity and to find ways to recover quickly if cables are cut. But more than a dozen officials confirmed in broad terms that it had become the source of significant attention in the Pentagon.

“I’m worried every day about what the Russians may be doing,” said Rear Adm. Frederick J. Roegge, commander of the Navy’s submarine fleet in the Pacific, who would not answer questions about possible Russian plans for cutting the undersea cables.

Cmdr. William Marks, a Navy spokesman in Washington, said: “It would be a concern to hear any country was tampering with communication cables; however, due to the classified nature of submarine operations, we do not discuss specifics.”

In private, however, commanders and intelligence officials are far more direct. They report that from the North Sea to Northeast Asia and even in waters closer to American shores, they are monitoring significantly increased Russian activity along the known routes of the cables, which carry the lifeblood of global electronic communications and commerce.

Just last month, the Russian spy ship Yantar, equipped with two self-propelled deep-sea submersible craft, cruised slowly off the East Coast of the United States on its way to Cuba — where one major cable lands near the American naval station at Guantánamo Bay. It was monitored constantly by American spy satellites, ships and planes. Navy officials said the Yantar and the submersible vehicles it can drop off its decks have the capability to cut cables miles down in the sea.

“The level of activity,” a senior European diplomat said, “is comparable to what we saw in the Cold War.”

One NATO ally, Norway, is so concerned that it has asked its neighbors for aid in tracking Russian submarines.

Philippe J DEWOST's insight:

This NY Times news gives a radically different meaning to "cable war" and "cutting the cord" ...


The Untold Story of NotPetya, the Most Devastating Cyberattack in History - yet


It was a perfect sunny summer afternoon in Copenhagen when the world’s largest shipping conglomerate began to lose its mind.

 

The headquarters of A.P. Møller-Maersk sits beside the breezy, cobblestoned esplanade of Copenhagen’s harbor. A ship’s mast carrying the Danish flag is planted by the building’s northeastern corner, and six stories of blue-tinted windows look out over the water, facing a dock where the Danish royal family parks its yacht. In the building’s basement, employees can browse a corporate gift shop, stocked with Maersk-branded bags and ties, and even a rare Lego model of the company’s gargantuan Triple-E container ship, a vessel roughly as large as the Empire State Building laid on its side, capable of carrying another Empire State Building–sized load of cargo stacked on top of it.

That gift shop also houses a technology help center, a single desk manned by IT troubleshooters next to the shop’s cashier. And on the afternoon of June 27, 2017, confused Maersk staffers began to gather at that help desk in twos and threes, almost all of them carrying laptops. On the machines’ screens were messages in red and black lettering. Some read “repairing file system on C:” with a stark warning not to turn off the computer. Others, more surreally, read “oops, your important files are encrypted” and demanded a payment of $300 worth of bitcoin to decrypt them.

Across the street, an IT administrator named Henrik Jensen was working in another part of the Maersk compound, an ornate white-stone building that in previous centuries had served as the royal archive of maritime maps and charts. (Henrik Jensen is not his real name. Like almost every Maersk employee, customer, or partner I interviewed, Jensen feared the consequences of speaking publicly for this story.) Jensen was busy preparing a software update for Maersk’s nearly 80,000 employees when his computer spontaneously restarted.

He quietly swore under his breath. Jensen assumed the unplanned reboot was a typically brusque move by Maersk’s central IT department, a little-loved entity in England that oversaw most of the corporate empire, whose eight business units ranged from ports to logistics to oil drilling, in 574 offices in 130 countries around the globe.

Jensen looked up to ask if anyone else in his open-plan office of IT staffers had been so rudely interrupted. And as he craned his head, he watched every other computer screen around the room blink out in rapid succession.

“I saw a wave of screens turning black. Black, black, black. Black black black black black,” he says. The PCs, Jensen and his neighbors quickly discovered, were irreversibly locked. Restarting only returned them to the same black screen.

 

All across Maersk headquarters, the full scale of the crisis was starting to become clear. Within half an hour, Maersk employees were running down hallways, yelling to their colleagues to turn off computers or disconnect them from Maersk’s network before the malicious software could infect them, as it dawned on them that every minute could mean dozens or hundreds more corrupted PCs. Tech workers ran into conference rooms and unplugged machines in the middle of meetings. Soon staffers were hurdling over locked key-card gates, which had been paralyzed by the still-mysterious malware, to spread the warning to other sections of the building.

Disconnecting Maersk’s entire global network took the company’s IT staff more than two panicky hours. By the end of that process, every employee had been ordered to turn off their computer and leave it at their desk. The digital phones at every cubicle, too, had been rendered useless in the emergency network shutdown.

Around 3 pm, a Maersk executive walked into the room where Jensen and a dozen or so of his colleagues were anxiously awaiting news and told them to go home. Maersk’s network was so deeply corrupted that even IT staffers were helpless. A few of the company’s more old-school managers told their teams to remain at the office. But many employees—rendered entirely idle without computers, servers, routers, or desk phones—simply left.

Jensen walked out of the building and into the warm air of a late June afternoon. Like the vast majority of Maersk staffers, he had no idea when he might return to work. The maritime giant that employed him, responsible for 76 ports on all sides of the earth and nearly 800 seafaring vessels, including container ships carrying tens of millions of tons of cargo, representing close to a fifth of the entire world’s shipping capacity, was dead in the water.

 

On the edge of the trendy Podil neighborhood in the Ukrainian capital of Kiev, coffee shops and parks abruptly evaporate, replaced by a grim industrial landscape. Under a highway overpass, across some trash-strewn railroad tracks, and through a concrete gate stands the four-story headquarters of Linkos Group, a small, family-run Ukrainian software business.

Up three flights of stairs in that building is a server room, where a rack of pizza-box-sized computers is connected by a tangle of wires and marked with handwritten, numbered labels. On a normal day, these servers push out routine updates—bug fixes, security patches, new features—to a piece of accounting software called M.E.Doc, which is more or less Ukraine’s equivalent of TurboTax or Quicken. It’s used by nearly anyone who files taxes or does business in the country.

But for a moment in 2017, those machines served as ground zero for the most devastating cyberattack since the invention of the internet—an attack that began, at least, as an assault on one nation by another.

For the past four and a half years, Ukraine has been locked in a grinding, undeclared war with Russia that has killed more than 10,000 Ukrainians and displaced millions more. The conflict has also seen Ukraine become a scorched-earth testing ground for Russian cyberwar tactics. In 2015 and 2016, while the Kremlin-linked hackers known as Fancy Bear were busy breaking into the US Democratic National Committee’s servers, another group of agents known as Sandworm was hacking into dozens of Ukrainian governmental organizations and companies. They penetrated the networks of victims ranging from media outlets to railway firms, detonating logic bombs that destroyed terabytes of data. The attacks followed a sadistic seasonal cadence. In the winters of both years, the saboteurs capped off their destructive sprees by causing widespread power outages—the first confirmed blackouts induced by hackers.

 

But those attacks still weren’t Sandworm’s grand finale. In the spring of 2017, unbeknownst to anyone at Linkos Group, Russian military hackers hijacked the company’s update servers to allow them a hidden back door into the thousands of PCs around the country and the world that have M.E.Doc installed. Then, in June 2017, the saboteurs used that back door to release a piece of malware called NotPetya, their most vicious cyberweapon yet.

The code that the hackers pushed out was honed to spread automatically, rapidly, and indiscriminately. “To date, it was simply the fastest-propagating piece of malware we’ve ever seen,” says Craig Williams, director of outreach at Cisco’s Talos division, one of the first security companies to reverse engineer and analyze NotPetya. “By the second you saw it, your data center was already gone.”

 

NotPetya was propelled by two powerful hacker exploits working in tandem: One was a penetration tool known as EternalBlue, created by the US National Security Agency but leaked in a disastrous breach of the agency’s ultrasecret files earlier in 2017. EternalBlue takes advantage of a vulnerability in a particular Windows protocol, allowing hackers free rein to remotely run their own code on any unpatched machine.

NotPetya’s architects combined that digital skeleton key with an older invention known as Mimikatz, created as a proof of concept by French security researcher Benjamin Delpy in 2011. Delpy had originally released Mimikatz to demonstrate that Windows left users’ passwords lingering in computers’ memory. Once hackers gained initial access to a computer, Mimikatz could pull those passwords out of RAM and use them to hack into other machines accessible with the same credentials. On networks with multiuser computers, it could even allow an automated attack to hopscotch from one machine to the next.

Before NotPetya’s launch, Microsoft had released a patch for its EternalBlue vulnerability. But EternalBlue and Mimikatz together nonetheless made a virulent combination. “You can infect computers that aren’t patched, and then you can grab the passwords from those computers to infect other computers that are patched,” Delpy says.

 

NotPetya took its name from its resemblance to the ransomware Petya, a piece of criminal code that surfaced in early 2016 and extorted victims to pay for a key to unlock their files. But NotPetya’s ransom messages were only a ruse: The malware’s goal was purely destructive. It irreversibly encrypted computers’ master boot records, the deep-seated part of a machine that tells it where to find its own operating system. Any ransom payment that victims tried to make was futile. No key even existed to reorder the scrambled noise of their computer’s contents.

 

The weapon’s target was Ukraine. But its blast radius was the entire world. “It was the equivalent of using a nuclear bomb to achieve a small tactical victory,” Bossert says.

 

The release of NotPetya was an act of cyberwar by almost any definition—one that was likely more explosive than even its creators intended. Within hours of its first appearance, the worm raced beyond Ukraine and out to countless machines around the world, from hospitals in Pennsylvania to a chocolate factory in Tasmania. It crippled multinational companies including Maersk, pharmaceutical giant Merck, FedEx’s European subsidiary TNT Express, French construction company Saint-Gobain, food producer Mondelēz, and manufacturer Reckitt Benckiser. In each case, it inflicted nine-figure costs. It even spread back to Russia, striking the state oil company Rosneft.

The result was more than $10 billion in total damages, according to a White House assessment confirmed to WIRED by former Homeland Security adviser Tom Bossert, who at the time of the attack was President Trump’s most senior cybersecurity-focused official. Bossert and US intelligence agencies also confirmed in February that Russia’s military—the prime suspect in any cyberwar attack targeting Ukraine—was responsible for launching the malicious code. (The Russian foreign ministry declined to answer repeated requests for comment.)

To get a sense of the scale of NotPetya’s damage, consider the nightmarish but more typical ransomware attack that paralyzed the city government of Atlanta this past March: It cost up to $10 million, a tenth of a percent of NotPetya’s price. Even WannaCry, the more notorious worm that spread a month before NotPetya in May 2017, is estimated to have cost between $4 billion and $8 billion. Nothing since has come close. “While there was no loss of life, it was the equivalent of using a nuclear bomb to achieve a small tactical victory,” Bossert says. “That’s a degree of recklessness we can’t tolerate on the world stage.”

In the year since NotPetya shook the world, WIRED has delved into the experience of one corporate goliath brought to its knees by Russia’s worm: Maersk, whose malware fiasco uniquely demonstrates the danger that cyberwar now poses to the infrastructure of the modern world. The executives of the shipping behemoth, like every other non-Ukrainian victim WIRED approached to speak about NotPetya, declined to comment in any official capacity for this story. WIRED’s account is instead assembled from current and former Maersk sources, many of whom chose to remain anonymous.

 

But the story of NotPetya isn’t truly about Maersk, or even about Ukraine. It’s the story of a nation-state’s weapon of war released in a medium where national borders have no meaning, and where collateral damage travels via a cruel and unexpected logic: Where an attack aimed at Ukraine strikes Maersk, and an attack on Maersk strikes everywhere at once.

Philippe J DEWOST's insight:

Breathtaking story of a cyberattack with a target but no containment, and how it made collateral victims. You would think that you are in a Guy-Philippe Goldstein novel, except it is real and documented by Wired.


Russian spies hacked the Olympics and tried to make it look like North Korea did it, U.S. officials say


Russian military spies hacked several hundred computers used by authorities at the 2018 Winter Olympic Games in South Korea, according to U.S. intelligence.

They did so while trying to make it appear as though the intrusion was conducted by North Korea, what is known as a “false-flag” operation, said two U.S. officials who spoke on the condition of anonymity to discuss a sensitive matter.

Officials in PyeongChang acknowledged that the Games were hit by a cyberattack during the Feb. 9 Opening Ceremonies but had refused to confirm whether Russia was responsible. That evening there were disruptions to the Internet, broadcast systems and the Olympics website. Many attendees were unable to print their tickets for the ceremony, resulting in empty seats.

Analysts surmise the disruption was retaliation against the International Olympic Committee for banning the Russian team from the Winter Games due to doping violations. No officials from Russia’s Olympic federation were allowed to attend, and while some athletes were permitted to compete under the designation “Olympic Athletes from Russia,” they were unable to display the Russian flag on their uniforms and, if they won medals, their country’s anthem was not played.

As of early February, the Russian military agency GRU had access to as many as 300 Olympic-related computers, according to an intelligence report this month.

The Office of the Director of National Intelligence declined to comment.

The Opening Ceremonies were disrupted. Some are concerned the Closing Ceremonies might be targeted, too.

Philippe J DEWOST's insight:

Hacking should become an Olympic discipline. After all curling is...


The Spy Who Hacked Me — theSkimm


Heard of that presidential election coming up? Russia has too. And that worries US officials.

WHAT'S GOING ON?

Yesterday, the head of the NSA told lawmakers that he's worried a foreign government (hint: rhymes with Shmussia) may be trying to undermine the US election. The FBI is investigating two recent cyber attacks on voter registration databases in Illinois and Arizona that were traced back to Russia. Officials think more states might have been targeted, but their lips are sealed because classified.

WHY IS THIS HAPPENING?

Unclear. But this comes after the Democratic party was hacked earlier this year by groups believed to have ties to zee Russian government. The Clinton campaign thinks Russia hacked the Dems to benefit GOP nominee Donald Trump, who has given props to Russian President Putin many times on the campaign trail. Trump says Putin's not helping him, but he wouldn't mind if Russia did some more digging into Clinton's inbox.

ANYTHING ELSE?

Yesterday, Russian hackers leaked the medical records of US Olympic athletes…including Serena Williams and Simone Biles. These records show that both ladies got the OK from officials to use banned drugs for medical reasons. The hackers said these records proved the athletes played "well but not fair." Reminder: dozens of Russian athletes were banned from Rio thanks to a state-sponsored doping scandal. Not the same thing.

theSKIMM

Many think all of these hacks are aimed at hurting the credibility of the US on the world stage. And the idea that Russia – a major geopolitical player – may be trying to manipulate the credibility of the US presidential race has some wondering when and how the US will respond.

Philippe J DEWOST's insight:

Of USA, Russia, elections and hackers : interesting though not totally reassuring read


The DNC hack and dump is what cyberwar looks like


What occurred with the recently disclosed breach of the Democratic National Committee servers, and the dumping of stolen data on a WordPress site, is more than an act of cyber espionage or harmless mischief. It meets the definition of an act of cyberwar, and the US government should respond as such.

 

The claims by “Guccifer 2.0”—that a lone hacker carried out this attack—are not believable. Of course, anything is possible, but the attack looks to be an operation conducted by Russian intelligence services. Had this been a “normal” operation—that is, covert intel gathering by Russia's Foreign Intelligence Service or any other foreign intelligence service (as the Chinese have done in past election seasons)—it would be business as usual. To be honest, the US government would not really be justified in denouncing it, as it does the same thing. But what makes this attack very different—and crosses the line—is the Russian team’s decision to dump the Clinton campaign’s opposition strategy on the public Web, presumably for the dual purpose of both spreading misinformation about the party responsible for the breach and interfering with the Clinton campaign.

Philippe J DEWOST's insight:

"Elections are critical infrastructure that should be hands-off for governments." - The new faces of cyberwar

 

 
