
Why is it so rare to hear about Western cyber attacks? – BBC

By Joe Tidy, cyber correspondent

7 hours ago

Image: Cyber security company Crowdstrike uses cartoons to illustrate the top hacker threats (image source: Crowdstrike)

A cyberattack that targeted iPhones at a Russian tech company has been blamed on US government hackers. Could the attack, and the Russian government’s response to it, rewrite the narrative of who the good guys and bad guys are in cyberspace?

Camaro Dragon, Fancy Bear, Static Kitten and Stardust Chollima – these are not the latest superheroes from Marvel films, but the names of some of the most feared hacking groups in the world.

For years, these elite cyber teams have carried out hack after hack, stealing secrets and causing disruption, ostensibly on orders from their governments.

And cybersecurity companies have even created cartoon images of them.

Image: Camaro Dragon – Check Point’s latest example of a supposed Chinese group hacking European field workers

Using dots on a world map, marketers at these companies regularly warn their customers where these Advanced Persistent Threats (APTs) are coming from — typically Russia, China, North Korea, and Iran.

But parts of the map remain conspicuously empty.

Why is it so rare to hear about western hacking teams and cyber attacks?

A major hacking attack in Russia uncovered earlier this month may provide some clues.

Defenders are attacked

From his desk overlooking the Moscow Canal, the cyber security officer watched as strange pings were registered on the company’s Wi-Fi network.

Dozens of staff cellphones simultaneously sent information to strange places on the Internet.

But this was no ordinary company.

Image: Kaspersky headquarters in Moscow

This was Russia’s largest cyber company, Kaspersky, which was investigating a possible attack on its own employees.

“Of course we immediately thought of spyware, but at first we were quite skeptical,” says Igor Kuznetsov, chief security researcher.

“Everyone has heard about powerful cyber tools that can turn cell phones into spy devices, but I imagined it as some kind of urban legend happening to someone else somewhere else.”

After carefully analyzing “several dozen” infected iPhones, Igor realized that their suspicion had been correct – they had indeed uncovered a large, sophisticated surveillance hacking campaign against their own employees.

The type of attack they found is a nightmare for cyber defenders.

The hackers found a way to infect iPhones simply by sending an iMessage that automatically deletes itself once the malware has been injected into the device.

“Wham, you’re infected – and you don’t even see it,” says Igor.

“Reconnaissance Mission”

All of the victims’ phone content was now periodically sent back to the attackers. Messages, emails and pictures were shared – even access to cameras and microphones.

Adhering to Kaspersky’s long-standing rule of no finger pointing, Igor says they don’t care where this digital spy attack was launched from.

“Bytes don’t have nationalities, and whenever a cyberattack is attributed to a specific country, it’s done with intent,” he says.

But the Russian government is less worried about that.

On the same day that Kaspersky announced its discovery, Russian security services released an urgent bulletin stating that they had “uncovered a reconnaissance operation by American intelligence agencies conducted using Apple mobile devices.”

Russian cyber intelligence did not mention Kaspersky, but claimed that “several thousand phones” belonging to both Russians and foreign diplomats were infected.

The bulletin even accused Apple of being actively involved in the hacking campaign. Apple denies involvement.

The alleged perpetrator – the US National Security Agency (NSA) – told BBC News it had no comment.

Igor insists that Kaspersky did not coordinate with the Russian security services and they were caught off guard by the government bulletin.

Image: The NSA has elite hackers working for the US

Some in the cybersecurity world may be surprised at this — the Russian government appeared to be issuing a joint announcement with Kaspersky for maximum impact, a tactic increasingly used by Western countries to expose hacking campaigns and point the finger loudly.

And that announcement was quickly and predictably followed by a chorus of approval from America’s allies in cyberspace – Britain, Australia, Canada and New Zealand – known as the Five Eyes.

China responded with a quick denial, saying the story was all part of a “collective disinformation campaign” by the Five Eyes countries.

Chinese Foreign Ministry official Mao Ning added, in what has become China’s regular response: “The fact is that the United States is the empire of hacking.”

“China in sight”

But now China, like Russia, appears to be taking a more aggressive approach to denouncing Western hacking.

And that warning came with a statistic from Chinese company 360 Security Technology that it had “discovered 51 hacking organizations targeting China.”

The company did not respond to requests for comment.

Last September, China also accused the US of hacking a state-funded university responsible for aerospace research programs.

‘Fair play’

“China and Russia have slowly found that the Western model of cyber exposure is incredibly effective, and I think we’re seeing a shift,” said Steve Stone, head of Rubrik Zero Labs and former cyber intelligence contributor.

“I’ll also say that I think that’s a good thing. I have no problem with other countries disclosing what Western countries are doing. I think that’s fair and I think it’s appropriate.”

Many dismiss the Chinese accusation that the US is the empire of hacking as an exaggeration – but there is some truth in it.

According to the International Institute for Strategic Studies (IISS), the United States is the only cyber power in the world in terms of attack, defense and influence.

  • China
  • Russia
  • the UK
  • Australia
  • France
  • Israel
  • Canada

Lead researcher Julia Voo has also noticed a shift.

“Spying is the order of the day for governments, and it so often takes the form of cyberattacks these days – but there’s a narrative battle, and governments wonder who’s responsible and who’s irresponsible in cyberspace,” she says.

And compiling a list of APT hacking groups and pretending western ones don’t exist isn’t a true representation of reality, she says.

Image: British hackers operate from Government Communications Headquarters (GCHQ) in Cheltenham

“Reading the same reports of hacking attacks from only one side contributes to the general ignorance,” says Ms. Voo.

“It is important to educate the population in general, because this is where tensions between the states will take place in the future.”

“It’s not particularly detailed, but it’s more detailed than in other countries,” she says.

“data distortion”

But the lack of transparency could also be down to the cybersecurity companies themselves.

Mr. Stone calls it “data distortion” – Western cybersecurity companies don’t notice Western hacks because they don’t have customers in competing countries.

However, it could also be a conscious decision to put less effort into some investigations.

“I have no doubt that there are likely to be some companies that will strike and hide what they know about a Western attack,” says Stone.

But he was never part of a team that deliberately held back.

Image: Static Kitten is the name of a hacking group sponsored by the Iranian government (image source: Crowdstrike)

For many cybersecurity companies, too, lucrative contracts with governments such as the UK or the US are an important source of income.

As one Middle Eastern cybersecurity researcher puts it: “The cybersecurity information sector is heavily represented by Western vendors and is heavily influenced by the interests and needs of their customers.”

The expert, who has asked to remain anonymous, is one of more than a dozen volunteers who regularly contribute to the APT Google Sheet — a free online spreadsheet that tracks all known instances of threat actor activity, regardless of origin.

There is a tab for “NATO” APTs with nicknames like Longhorn, Snowglobe and Gossip Girl, but the expert admits that it is pretty empty compared to the tabs for other regions and countries.

‘Less noise’

He says another reason for the lack of information about Western cyber attacks may be that they are often more stealthy and cause less collateral damage.

“Western nations tend to be more precise and strategic in their cyber operations, in contrast to the more aggressive and broader attacks associated with countries like Iran and Russia,” says the expert.

“As a result, Western cyber operations often cause less noise.”

The other aspect of underreporting could be trust.

It’s easy to dismiss Russian or Chinese hacking allegations because they often lack evidence.

But even Western governments, when they point the finger loudly and regularly, rarely, if ever, present evidence.