Political Play: Indicting Other Nations' HackersAttributing Hack Attacks to Governments Remains a Diplomatic Tool. Does It Work?
Espionage: Every nation does it. So why has the U.S. Department of Justice continued to charge individuals - who allegedly worked on behalf of a foreign intelligence service - with hacking U.S. targets?
See Also: Why CASBs Matter to Cloud Security
The latest example: Last month's indictment of 12 Russian intelligence officers for attempting to interfere in the 2016 U.S. elections.
None of the intelligence agents named in the indictments has been extradited to the United States to stand trial. Russian President Vladimir Putin has previously suggested that any such extraditions would never take place.
Realistically, so long as the indicted Russians avoid taking a vacation in, or traveling through, countries that are friendly to the U.S., they'll likely never appear in a U.S. courtroom (see Hackers' Vacation Plans in Disarray After Prague Arrest).
Again: Why bother indicting foreign intelligence agents?
The U.S. has always been careful to note that when it conducts espionage, it's to gather intelligence that is used to inform policymakers. At the same time, it's attempted to hold to account nations that use espionage to steal intellectual property or to disrupt domestic politics or business.
For the Justice Department, leveling criminal charges against a foreign nation's hackers appears to be a diplomatic way of saying: "We see what you're doing, now knock it off."
The Politics of Attribution
As that suggests, attributing an attack to a particular individual, group or organization remains inherently a political exercise. Attributing an attack typically occurs because a government has a diplomatic point to make or political pressure it wants to bring to bear.
In the case of the U.S., attribution can be used to attempt to get other nations to play by U.S. rules.
In January 2015, for example, James Comey, then director of the FBI, made the unusual move of attributing the Sony Pictures Entertainment hack to North Korea.
Numerous information security experts responded by saying: "We'd like to believe you, but we need to see the evidence." While the bureau declined, what emerged in subsequent press reports was that the U.S. intelligence community reached its conclusion using both signals intelligence and human intelligence.
In other words, they'd hacked North Korean operatives' computers.
Shine a Light
Nations, of course, have espionage agencies so they can glean these insights and use them to inform policy. Such intelligence-gathering also appears to have formed the basis of the grand jury indictment unsealed last month against the 12 Russian intelligence officers.
Thomas Rid, an expert on Soviet and Russian "active measures" campaigns, says prosecutors pulled out all the stops. He called the indictment "a truly extraordinary move on the part of the FBI to name-and-shame two specific GRU units (26165 and 74455), their commanding officers, subordinate officers, operational details," which reveals "very impressive visibility on the part of the U.S. intelligence community" into Russian operations, including its alleged use of the Guccifer 2.0 persona.
This is jaw-droppingly impressive forensic work: the indictment doesn't just show Guccifer 2 was managed by a specific GRU unit - it *reconstructs the internet searches made while some GRU officer was drafting the first post as Guccifer 2* ... pic.twitter.com/agu3tLat8x— Thomas Rid (@RidT) July 13, 2018
Rid, who's a professor of security studies at Johns Hopkins University, adds: "I can't think of a historical precedent that goes into similar detail in response to active measures."
Calling Out Iran, China, Russia
The Justice Department, however, has previously leveled criminal indictments against hackers allegedly working for multiple countries:
- Iran: In March, the U.S. charged nine Iranian nationals with targeting multiple universities, businesses and government agencies.
- Russia: In February, the U.S. indicted 13 Russians and three companies - including alleged troll factory Internet Research Agency LLC, based in St. Petersburg, Russia - for running an "information warfare" campaign against the United States. While that indictment resulted from Special Counsel Robert Mueller's ongoing investigation into Russian election interference, it did not charge the individuals or organizations with having been directed by the Russian government.
- Russia: In 2017, the U.S. charged two agents of Russia's internal security service, the FSB, with hacking search giant Yahoo from 2014 until mid-2016. Authorities also charged a Russian national, who remains at large, as do the Russian agents. But a Canadian national, Karim Baratov, earlier this year pleaded guilty to working as a hacker for hire for the alleged Russian operation, and was sentenced to serve five years in prison.
- Iran: In 2016, the Justice Department indicted seven Iranians for allegedly launching massive DDoS attacks against U.S. financial institutions - as part of a campaign for which a group calling itself the Izz ad-Din al-Qassam Cyber Fighters claimed credit - as well as targeting a dam near New York City.
- China: In 2014, the Justice Department indicted five Chinese army officers for hacking American corporate computers to steal intellectual property.
The Art of Diplomacy
Singling out specific governments and individuals - and accusing them of hacking - has produced diplomatic results.
After the Obama administration called out China in 2014 for hacking - especially in the service of government-ordered intellectual property theft - and made it clear in 2015 that it was ready to impose economic sanctions, the two governments held bilateral cybersecurity talks. Security researchers say this led to a decrease in hack attacks from China.
China this year has continued to pledge to honor the 2015 cybersecurity agreements.
But information security firm FireEye says that since the summer of 2017, it's seen a sharp rise in hack attacks against the U.S. emanating from China, likely tied to increasing trade tensions between the Trump administration and Beijing.
While it's impossible to gain a complete view of these operations, FireEye suggested that they were being run much more carefully. For example, one ongoing campaign appeared to target U.S. engineering and maritime targets, and especially those connected to South China Sea issues.
"From what we observed, Chinese state actors can gain access to most firms when they need to," Bryce Boland, CTO for Asia-Pacific at FireEye, told South China Morning Post in April. "It's a matter of when they choose to and also whether or not they steal the information that is within the agreement."
Now, of course, the U.S. appears to be trying to bring diplomatic pressure to bear on Russia as U.S. intelligence leaders warn that Moscow's election-interference campaigns have not diminished at all since 2016.
"We have been clear in our assessments of Russian meddling in the 2016 election and their ongoing, pervasive efforts to undermine our democracy," Director of National Intelligence Dan Coats said last month (see How Trump Talks About Russian Hacking).
Risk of Reprisal
But indicting foreign intelligence officers may have unwelcome consequences. What if Russia, Iran, China or North Korea were to seek the extradition of National Security Agency employees who hacked their systems? What if they, like the U.S., were to practice informal extradition - literally, kidnapping someone to return them for trial - if a suspect traveled through a friendly country?
Former U.S. intelligence agency employees have already voiced such concerns.
In the wake of @TheJusticeDept charging foreign hackers, I'm publicly calling on the federal government to formally and publicly tell all US gov hackers (current and former) that we will be protected, not extradited. The silence on this is deafening. Please RT if you support.— Jake Williams @Summer Camp (@MalwareJake) November 28, 2017
Last December, Jake Williams, head of consultancy Rendition Infosec and a former member of the National Security Agency's offense hacking team, told Motherboard that he was worried that China or Russia might attempt to detain him or other agency alumni on their travels abroad.
"It's not a question of if, it's just a question of when and how bad," Williams told Motherboard. "What goes around comes around."