Every hacking technique leaves a “fingerprint” which, when collated, can be used to connect different attacks and tie them to the same culprit.
The CIA’s Remote Development Branch (RDB)’s Umbrage sub-group collects an archive of hacking exploits created by other actors, like Russia and other hackers, and leaves this false trace for others to detect.
— Christine Maguire (@_ChrisMaguire) March 7, 2017
Umbrage captures and collects keyloggers, passwords, webcam captures, data destruction, persistence, privilege escalation, stealth, anti-virus (PSP) avoidance and survey techniques.
This allows the CIA to not only steal other’s hack techniques, but falsely apportion blame to those actors.
CIA uses techniques to make cyber attacks look like they originated from enemy state. It turns DNC/Russia hack allegation by CIA into a JOKE
— Kim Dotcom (@KimDotcom) March 7, 2017
An Umbrage document shows how the agency mined information from a breach of Italian “offensive security” vendor Hacking Team, that boasts governmental and law enforcement clients.
Some 400GB of data including “browser credential stealing” and “six different zero-day exploits” was released in the breach, which Umbrage studied and added to its repository.
— DeplorableRictracee (@Rictracee) March 7, 2017
— Russian Hotties (@hottiesfortrump) March 7, 2017
In the case of the Democratic National Committee (DNC) hack, which reports have connected to Russia, the fingerprints used to link blame to Russian hackers may have been manipulated.
Binoy Kampmark, legal and social sciences academic, said the technique is widely used not just by the CIA, but by other agencies worldwide, and had recently been used for tapping into the US elections.
“That’s one of the classic aspects of it which is done of course not just by the CIA, but by other agencies – that is to give the impression that the attack is coming from another source, and that’s one of the state-of-the-art ways of doing it,” Kampmark said.
“It throws the investigators off the scent by giving the impression [the attack] comes from multiple targets and sources and that’s what’s what happened in one of the cases that has been made in recent time – the allegations of hacking and interference in electoral system.”
Crowdstrike, a private security firm linked to the Atlantic Council, found the hackers who accessed the DNC emails (and those of Clinton campaign chair John Podesta) left “clues,” which Crowdstrike attributed to Russian hackers.
Malware dug into the DNC computers was found to be programmed to communicate with IP addresses associated with Fancy Bear and Cozy Bear – hacking groups that Crowdstrike says are controlled by Russian intelligence.
Metadata found in a file contained modifications by a user using Cyrillic text and a codename Felix Edmundovich.
— John Hanson (@Crayz9000) March 7, 2017
While the documents released don’t tie Crowdstrike to the CIA’s Umbrage program, the data demonstrates how easily fingerprints can be manipulated, and how the CIA’s vast collection of existing malware can be employed to disguise its own actions.
Former Pentagon official Michael Maloof says that by using Russian “fingerprints” the CIA may have deliberately put the blame for hacking on the Russians.
“Apparently they were able to obtain Russian malware and then they can turn that around and make it look like [attacks] were coming from Russia. And that gets into a political narrative that we’re hearing these days of hacking and what have you, blaming it all on the Russians.
“But was it something that earlier hackers obtained from the release of this information and then turned it around in order to put the blame on the Russians – big question,”