Report: Russians Behind Pentagon BreachHackers Said to Have Coordinated Attack Via Social Media
U.S. officials say Russians coordinated an attack on an unclassified Pentagon email system used by the Joint Chiefs of Staff that's been offline since July 25, according to NBC News.
A Defense Department spokeswoman declined to comment on the Aug. 6 report.
On July 29, Army Lt. Col. Valerie Henderson said the Joint Chiefs of Staff's unclassified email network had been taken down because of "suspicious activity" (see Pentagon Shuts Down Joint Chiefs Email Network). The network reportedly is used by 4,000 military and civilian personnel who work for the Joint Chiefs.
Officials say it's not clear whether the attack was sanctioned by the Russian government or was the work of individuals, the broadcast network reports. The officials said that no classified information was seized or compromised and that only unclassified accounts and emails were hacked, according to the report.
If the Russians were behind the attack, what would they look for? "Obviously, any sensitive data that spilled down from a high classified network," says former CIA CISO Robert Bigman. "Second, any access points that enable connectivity to higher classified networks."
The email system, which was shuttered almost immediately after the Pentagon detected the cyber-attack, is expected to be back up by week's end, NBC reports.
According to the Daily Beast news site, Defense Department officials characterized the attack on the email network as the "most sophisticated" breach in U.S. military history. One Defense official told the news site that the attack involved "new and unseen approaches into the network. Another said the assault involved spear phishing that targeted the personal information of scores of users, according to the report.
The Attribution Problem
But many security experts have long cautioned against taking such breach reports at face value. For any breached entity - government agency or otherwise - blaming attackers for being advanced and sophisticated is always easier than admitting that the organization's information security defenses may have been lackluster (see Chase Attackers Exploited Basic Flaws).
Experts also caution that the process of attributing attacks back to their source is typically a lengthy, complex process, and often produces no black-and-white results. That's just one of the reasons why many security experts often dismiss outright any attempted attack attribution that comes in the days or weeks following a breach being discovered, since it's unlikely that digital forensic investigators could have reached a reliable conclusion that quickly. In the early days of the investigation into the JPMorgan Chase breach that the bank discovered in July 2014, for example, unnamed U.S. government sources blamed the attack on the Russian government. But just a few months later, the FBI reported that it had ruled out the Russian government as a suspect.
Attribution skeptic Jeffrey Carr, CEO of threat-intelligence firm Taia Global, has also long warned that every anonymous source who comments about a breach may have their own agenda for doing so, be it for political, budgetary, diplomatic, or job-preservation purposes. Commenting on this particular unclassified Pentagon email system breach, Carr also notes via Twitter that even if an attack was relatively advanced, that by itself is no evidence of state involvement. "If anyone (Gov or Industry) says to you 'it's so sophisticated it must be a state actor,' just slap them."
When Mercenaries Attack
Compounding the attribution problem is the difficulty of untangling the degree to which attacks may be launched by a government's own military or espionage agencies, or third-party mercenaries, which many governments appear to use, to help maintain plausible deniability (see Report: Mercenaries Behind APT Attacks).
Furthermore, according to cybersecurity expert Alan Woodward, "some of these attacks do seem to be conducted on behalf of nation states." But it is often impossible to unravel whether the attacks were state-sponsored, or just the work of enterprising third parties who then shop exfiltrated data to the highest bidder, which of course could be a government espionage agency with deep pockets.
Cybercrime, Espionage May Overlap
For example, according to a report released this week at the Black Hat conference in Las Vegas by cybersecurity and threat intelligence firm Fox-IT, the notorious Gameover Zeus cybercrime botnet also appeared to be used to target organizations in Georgia, Turkey and Ukraine, for espionage purposes (see Lessons from Gameover Zeus Takedown). While the report says there is no evidence to suggest who may have benefited from the stolen data, it notes that "Slavik" - the nickname of Gameover Zeus author Evgeniy Bogachev - may have "obtained a level of protection, and was able to get away with certain crimes as long as they were not committed against Russia," in other words by occasionally assisting Russia's intelligence services.
"This of course remains speculation, but perhaps it is one of the reasons why he has as yet not been apprehended," the report adds. While Bogachev has been charged by the FBI with being the Gameover Zeus mastermind, he has so far evaded capture, although U.S. authorities believe that he is in Russia, which has no extradition treaty with the United States (see FBI Hacker Hunt Goes 'Wild West'). As that demonstrates, even if officials can reliably attribute attacks to criminal or espionage operators, stopping them remains a different matter entirely.
Executive Editor Mathew Schwartz also contributed to this report.