"We track all Russian threat actors under 'bear'" said Adam Meyers, VP of intelligence at CrowdStrike and a widely recognised expert in the field, as he addressed a crowd at InfoSec 2017.
In a talk labelled Hacking Exposed: Real-World Tradecraft Bears, Pandas and Kittens, Meyers lifted the lid on some of the attribution work for which Crowdstrike has become famous.
Fancy Bear, along with Cozy Bear, was identified by Crowdstrike as the two Russian groups behind the ‘hacking' of the US election in 2016. The firm gained international acclaim for labelling them as such.
Fancy Bear, said Meyer, is fairly unique even within the elite world of APTs. It is "unique because of the way they're able to quickly change and advance their capabilities". The group uses multiple zero days and regularly employs tactics like phishing using domains similar to the target mail server, to avoid rapid detection and attribution.
While the group is known by a variety of names including Pawn Storm, Sofacy and the sober APT 28, Crowdstrike labels all Russia-associated groups with the moniker, ‘bear'.
Technical indicators aside, there's a wealth of open information that can point investigators to an attack's provenance. Russia's interests are often quite public; Ukraine, Syria, NATO and doping all have figured heavily in Russian politics in recent years and those interests have been borne out in the paw prints of groups like Fancy Bear.
China, on the other hand, Meyers told SC Media UK, has “been very focused on the South China Sea over the last couple of years”. Crowdstrike has spotted activity around political development in Hong Kong, and the fallout from the 2014 ‘Umbrella Revolution', which called for greater autonomy from the Chinese mainland. The interest of China-associated groups has also refocused westwards, added Meyers, “We've seen China now reinvigorating their interest in the US and western targets as well.”
The WannaCry attacks that paralysed government departments, large corporations and public utilities like the NHS across the world have now been attributed by many to North Korea. The charge has been criticised, but said Meyers, “there's a lot of compelling evidence behind that.”
While Crowdstrike has not stated that the North Korean government was behind the attack and nor did Meyers, he added “It's certainly feasible.” North Korea is believed to have a history of using cyber against targets such as Sony Pictures and more recently users of the SWIFT network.
Though people have cited the shoddy workmanship that apparently went into WannaCry, Meyer contends that there was more skill involved than might immediately be obvious. There's a tendency, he added, to think that nation states use incredibly advanced, sophisticated methods to pull off their attacks, when in fact they'll use whatever will work. WannaCry, said Meyers, was an operation which “requires some tradecraft and some capability” and was “as effective as it needed to be to work.”
Attribution is sensitive topic within cyber-security. Its use, value and even the potential damage it can wreak is hotly contested and many choose to dismiss it entirely.
Attribution, said Meyer, can certainly offer advantages even to those who might be unconcerned with the machinations of geopolitics: “It's about the asymmetry of cyber-warfare and understanding who is attacking you will give you the ability to defend against it.”
“Understanding what that threat is and what they're after, you can better coordinate your defences to not fall victim to them.”
While attribution claims are often attacked, Meyers maintains that, “it's easy to make an attribution claims and it's really easy to attack an attribution claim.”
“Attribution eventually comes to an assessment. Somebody has to say that ‘based on X, Y and Z, I believe that this actor is the North Korean state sponsored group'.”
Attribution is a ultimately a judgement of the facts that an investigator has in front of them: “It's hard to attack facts but it's easy to attack a judgement based on the facts that are there.”
