‘The Best Cyberattacks Are Never Discovered' - Professor

CC0 / / Hacked
Hacked - Sputnik International
The National Cyber Security Center has accused Russia's military intelligence service (GRU) of cyberattacks, adding that the targets over the years included, among others, the US Democratic Party, a small TV network in the UK and even Russia's central bank.

According to the NCSC, it has assessed with "high confidence" that the GRU was most certainly responsible for the attacks.

Radio Sputnik discussed the accusations with Kevin Curran, professor of Cyber Security at the Faculty of Computing, Engineering and Built Environment at Ulster University.

Sputnik: The UK's National Cyber Security Center has concluded that Russia's GRU was responsible for many cyberattacks over the years; what's your take on the statement?

'Enter' key - Sputnik International
Canada Claims it Was Targeted by Russian Cyberattacks - Reports
Kevin Curran: It's a collection of what we know already, what has already been attributed to the GRU. In effect it's the cyber hacking groups that are commonly attributed to the GRU, called Fancy Bear, or APT-28, have always been associated with the Russian military intelligence agency, the GRU. What we're seeing, in this case, is that the NCSC has said that they believe they were responsible for hacking the World Anti-doping Agency, the DNC (Democratic National Committee), a TV station in the UK and also a Russian news agency; but all of this we've known in the past. We've known that these have been attributed by private companies in the UK and the US. So they have just put it together in a report saying that they're confident that it's the GRU who were behind these cyberattacks.

READ MORE: US Charges 7 Alleged Russian Military Intel Officers Over Hacking OPCW, WADA

Sputnik: Perhaps, what's new here is that they also mention Russia's central bank and a number of media outlets in this report. How would they be able to make this conclusion?

Kevin Curran: It might seem simple enough, but a fundamental concept in cyber security and digital forensics is that it sometimes is extremely difficult after a cyberattack to definitely and definitively name the perpetrators, because hackers have a lot of technical tools at their disposal to cover their tracks. Even when analysts figure out what computer the hackers are using, going from there to the user is difficult. This is called the attribution problem. They are getting better, it depends on the agency involved, but they are getting better at being able to track and they also have a lot of points of reference as well. Quite often when they do come up with it, they are pretty confident that they know who they believe does these attacks. If you look at some of these attacks, you just wonder why any nation-state would carry out some of these attacks, because they seem to be done on private companies. But sometimes an attack could be just a trial to see if it works. We only know of the attacks that we find out about, but the best attacks are never discovered.

READ MORE: PHOTOS of Russians Alleged to Have Attempted Hack of OPCW Released

Sputnik: Like you say, there's nothing new speaking about these attacks or alleged attacks. Why would London persist and continue this theme when you've got US President Donald Trump saying that there is no evidence to suggest the election results in the US had been swayed?

Kevin Curran: That's just Donald Trump's opinion. Of course, the Americans themselves have relaxed the rules on nation-state cyberattacks. Just last month, President Trump rolled back a series of Obama era classified rules on how the US government can launch cyberattacks on foreign targets; the Americans have always been opposed to any rules that stopped them. So, they themselves, like all large nation-states, like China or the UK, have their teams, just like these APT-28 and Fancy Bear, which have been attributed to the GRU.

That's his opinion, but a lot of private and security companies would believe that Fancy Bear was behind the DNC hack. In fact, this hack was subject to a lot of analyses and reports to defend the United States from their intelligence agencies that clearly show that an attack was done and they attributed that to APT-28. I think that it's in Trump's best interests to say what he's saying, but if you read the reports, you'll see that a lot of analysis has been done to track it back to APT-28.

READ MORE: Moscow Slams Netherlands' Claims of Russia's Attempted Hacker Attack on OPCW

Sputnik: There have been some other interesting scenarios; a US company, FireEye, published a report that said that North Korean hackers could have disguised themselves as Russians carrying out cyberattacks. This sounds a bit far-fetched, but what do we know about hackers from a certain country disguising themselves as someone else to confuse the investigation?

Kevin Curran: Countries will do that. First of all, they'll try to develop malware which is undetectable, sometimes using zero-days, which are attacks unknown to any malware or antivirus toolkits. Again, they can be quite extensive; but there have been ones done like Stuxnet, which was attributed to the US and the Israeli intelligence units; that was an attack against the Iranian subterfuges to stop them from making uranium. It is a common thing to do to try to hide your tracks; and then if you know that you're going to be discovered, then to try to make the code look like it was written in a foreign language and to launch it from a different area, and have others take the blame for it.

READ MORE: Dutch, British 100% Correct Attributing Recent Cyberattacks to Russia — Mattis

Cybercrime - Sputnik International
Danish Politicians Find Plan to Attack "Russian Hackers" 'Hardly Beneficial'
When it comes to code analysis, the digital forensic teams, who got through this, know about this and they try to read between the lines and see what everything else about the thing is. Usually, with enough time and sources, they're able to properly attribute the actual original source of the attack. But if you take any specific individual attack, of course, you just can't go by where it came from, what the code is written in and anything else which is inside the actual malware code.

Sputnik: So, basically, there is always a way to eventually find out who carried out the attack, no matter how well they disguise themselves. Have there been successful attacks when nobody really knows where it originated from?

Kevin Curran: Definitely, there are such attacks. Most numbers have been penetrated to some degree and there is code lying out there which has not been discovered. It's got into a network, it has exfiltrated what it needs and it's got out of there and cleaned all the code behind it; so no one ever knew what was in there.

Cyber intelligence agencies only have so many staff and resources, and it requires highly-skilled computer scientists to go through this; they've got finite budgets, so they can only concentrate on top priorities at any time. There's no way they are able to identify all the attacks, and also there's no way they can be 100% sure all the time when they attribute an attack to a certain country.

The views and opinions expressed by the speaker do not necessarily reflect those of Sputnik.

To participate in the discussion
log in or register
Заголовок открываемого материала