Modern field guide to security and privacy

Are Russian cyberspies buried in Dutch networks, too?

A US government analysis appears to show that Russian operatives hijacked hundreds of computers globally to carry out attacks on US political groups. But in this case, looks may be deceiving.

Photo: Russian President Vladimir Putin. (Yuri Kochetkov/Reuters/File)

86.105.18.111.

That dotted run of digits is an Internet Protocol (IP) address, the identifier assigned to computers and other devices so that they can be reached on the internet.

The address above maps to internet infrastructure in the Netherlands that, according to US authorities, Russian operatives hijacked to orchestrate part of a long-running cyberespionage campaign that targeted the Democratic Party and other American organizations.

Newly declassified findings released by the Homeland Security Department (DHS) and the FBI show Moscow cyberspies have their tentacles around hundreds of IP addresses located in 60 countries, primarily in the US (47), China (45), Netherlands (20), Germany (14) and France (12).

While it may appear that Russia has a troubling grip on US, Chinese, and European networks, there's probably no link between the corrupted IP addresses and the whereabouts of whoever or whatever Russia is targeting, multiple threat analysts caution.

"Russia’s use of infrastructure in the US, China, Netherlands, Germany, France, etc., does not directly correlate to geopolitical interest in those nations," said Kyle Ehmke, a senior intelligence researcher at security firm ThreatConnect.

The various IP addresses that a country's cyberspies or independent hackers co-opt often have little to do with locations they might target. Often, hackers utilize infected computers in one location to target computers elsewhere in the world to hide their tracks. 

Plus, "by acquiring infrastructure in various locations, [the bad guys] are also hedging against the possibilities that all of their infrastructure will be discovered or shut down by a single government," Mr. Ehmke added.

As for why Russia has glommed on to Dutch IP addresses, "if you look at the Netherlands, that's probably some of the best infrastructure in Western Europe," said Mark Arena, chief executive officer of Intel 471, a firm that analyzes cyberattackers' motivations.

Last week, a DHS official said, "We know the Russians are a highly capable adversary who conduct technical operations in a manner intended to blend into legitimate traffic."

Private cybersecurity researchers have spent the past five years publishing suspicious IP addresses, along with other tools and tactics, associated with Russian military and civilian government hackers. They have also named the various threat groups, distinguished between their individual operations, and documented their modus operandi. For instance, one group, known variously as Fancy Bear, APT 28, and Sofacy, is the one the US government says broke into the Democratic National Committee.

But the DHS-FBI Joint Analysis Report and the accompanying spreadsheet of IP addresses marked the first time the US government publicly confirmed the group names and methods that those private firms had been reporting. The Russian government "conducted many of the activities generally described by a number of these security companies," the report said, referring to the independent cybersecurity firms that had previously blamed Russian operatives for the DNC hack.

Still, say critics, naming specific IP addresses does little to help potentially high value targets such as the DNC and others protect themselves from malicious hackers. 

"An IP address associated with a Russian nation state campaign in March might be Granny Smith’s Bakeshop in July. Infrastructure moves around the internet," said Robert M. Lee, former Air Force Cyber Warfare Operations Officer and now a cybersecurity fellow at New America. 

The government report is "entirely useless or harmful" to technical network defenders who will lose time and money responding to false alarms, he said.

There are signs the listing of suspect IP addresses is already leading to some confusion.

On Dec. 30, an employee at a Vermont utility was checking his Yahoo webmail account and triggered an alert indicating that his laptop had connected to a suspicious IP address associated with the Russian hacking operation.

It turned out "that traffic with this particular address is found elsewhere in the country and is not unique to Burlington Electric, suggesting the company wasn’t being targeted by the Russians. Indeed, officials say it is possible that the traffic is benign, since this particular IP address is not always connected to malicious activity," The Washington Post reported.

To thwart potential cyberspies, wherever they may be located, US officials still recommend that system administrators cross-check the published IP addresses against their own logs and then work out which matches are malicious and which are innocuous.

"It's particularly necessary to emphasize that the Russians hide in the noise. They often use IP addresses that are legitimate machines generating legitimate inbound and outbound traffic connections," a DHS official said Tuesday.

"Simply because the IPs are in the logs does not mean there has been malicious activity," the official said. "It is, however, cause for a further look to determine if malware, for example, may be resident."
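As an added illustration of the cross-check the officials describe (this is example code, not part of the DHS-FBI report or this article), the script below matches a list of IP indicators against connection logs and ranks each hit as a lead rather than a verdict. Every indicator carries an observation window, so a hit months after the last sighting is marked stale (Mr. Lee's point that infrastructure moves on), and addresses flagged as shared hosting are ranked lower (the Burlington Electric webmail case). The log format, the observation windows, the "shared" flags and every address other than 86.105.18.111 are constructed for the example.

```python
"""Cross-check IP indicators against connection logs; hits are leads, not verdicts."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Union
import ipaddress
import re

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Indicator:
    network: IPNetwork
    first_seen: datetime   # start of the window in which the address was seen acting maliciously
    last_seen: datetime    # exclusive end of that window (midnight after the last reported day)
    shared: bool           # address also serves unrelated legitimate traffic (webmail, CDN, hosting)
    note: str


@dataclass(frozen=True)
class Lead:
    when: datetime
    src: str
    dst: str
    matched: str     # the log address (src or dst) that fell inside an indicator
    indicator: str   # the indicator in CIDR form
    status: str      # "in-window" or "stale"
    shared: bool
    priority: int    # 1 = look first, 3 = probably a moved-on address


# Constructed indicator list (NOT the DHS/FBI spreadsheet). 86.105.18.111 is the
# address named in the article; its window and the other rows are invented.
INDICATOR_CSV = """\
network,first_seen,last_seen,shared,note
86.105.18.111/32,2016-03-01,2016-06-30,no,Netherlands hosting named in the article (window assumed)
203.0.113.0/24,2016-10-01,2016-12-15,no,constructed TEST-NET-3 range
198.51.100.7/32,2016-11-01,2016-12-31,yes,constructed webmail front end shared by many tenants
"""

# Constructed firewall-style log: "<UTC timestamp> <src> -> <dst>:<port> <action>"
SAMPLE_LOG = """\
2016-04-12T03:41:55Z 10.20.4.31 -> 86.105.18.111:443 ALLOW
2016-12-30T09:15:07Z 10.20.4.31 -> 198.51.100.7:443 ALLOW
2016-12-30T09:15:08Z 10.20.4.31 -> 192.0.2.10:443 ALLOW
2017-01-03T22:10:41Z 203.0.113.77 -> 10.20.0.9:22 DENY
2016-11-20T11:00:00Z 10.20.4.99 -> 203.0.113.5:80 ALLOW
this line is not a connection record and is skipped
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+->\s+(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)"
)


def _utc_day(text: str) -> datetime:
    return datetime.fromisoformat(text.strip()).replace(tzinfo=timezone.utc)


def parse_indicators(csv_text: str) -> List[Indicator]:
    """Parse the CSV above; last_seen becomes an exclusive end so the last day counts."""
    rows = [line for line in csv_text.splitlines() if line.strip()][1:]  # drop header
    indicators = []
    for row in rows:
        net, first, last, shared, note = row.split(",", 4)
        indicators.append(Indicator(
            network=ipaddress.ip_network(net.strip(), strict=False),
            first_seen=_utc_day(first),
            last_seen=_utc_day(last) + timedelta(days=1),
            shared=shared.strip().lower() == "yes",
            note=note.strip(),
        ))
    return indicators


def cross_check(log_text: str, indicators: List[Indicator]) -> List[Lead]:
    """Return every log address that falls inside an indicator, best leads first."""
    leads = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable record; a real pipeline would count and report these
        when = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
        for ip_text in (m["src"], m["dst"]):
            ip = ipaddress.ip_address(ip_text)
            for ind in indicators:
                if ip not in ind.network:
                    continue
                in_window = ind.first_seen <= when < ind.last_seen
                # A stale hit is the "Granny Smith's Bakeshop" case: the address may have
                # been reassigned. A shared host needs corroboration before it means anything.
                priority = 3 if not in_window else (2 if ind.shared else 1)
                leads.append(Lead(when, m["src"], m["dst"], ip_text, str(ind.network),
                                  "in-window" if in_window else "stale", ind.shared, priority))
    return sorted(leads, key=lambda lead: (lead.priority, lead.when))


if __name__ == "__main__":
    for lead in cross_check(SAMPLE_LOG, parse_indicators(INDICATOR_CSV)):
        print(f"P{lead.priority} {lead.when:%Y-%m-%d} {lead.matched:>15} "
              f"in {lead.indicator:<17} {lead.status}{' (shared host)' if lead.shared else ''}")
```

Run against the sample, the 86.105.18.111 connection in April and the 203.0.113.5 connection in November come out first, the Yahoo-style shared host is second tier, and the January hit on 203.0.113.77 is marked stale because it falls weeks after the indicator's last reported sighting. The script answers only "is this address worth a further look," which is the most the published list can support; confirming malware on the host is a separate step.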

https://www.csmonitor.com/World/Passcode/2017/0105/Are-Russian-cyberspies-buried-in-Dutch-networks-too