There is no doubt that cyberspace is the new battlefield for security agencies when it comes to protecting their most valuable assets from potential cyber attacks. However, as in the physical world, the media also plays an important role in projecting a point of view into the public sphere regarding the origin of these cyber attacks. As a result, we are used to hearing that all our ills in the virtual world come from Russia, North Korea and China, or from organised groups within their borders.
An example of this is the theft of information from the World Anti-Doping Agency (WADA). Immediately after the first leak, in which it was revealed that American athletes had consumed banned substances with the consent of the International Olympic Committee (IOC), the agency itself published an official statement indicating that it had been informed by the authorities that the cyber attack had come from Russia and that it had been perpetrated by a group called Fancy Bear. However, is it so easy to verify the origin? ElevenPaths, Telefónica’s cybersecurity unit, has published a report (in Spanish) analysing the case.
What we Know about the Leak
On 13 September, the group known as @FancyBears on Twitter published, on a newly set up website, information on four well-known elite athletes, presumably obtained in an action perpetrated against WADA. This incident occurred just weeks after a series of spear phishing emails had been sent with the aim of gathering WADA user credentials.
The information published on the group's website included several PDF files and screenshots of what appeared to be official WADA reports. The metadata of the leaked documents bore the name chnd (an administrative user at the organisation), listed OpenOffice 2.1 as the creating software, a version known to have remote code execution vulnerabilities, and gave a date of 31 August 2016 in the UTC-4 time zone.
The Website where the Information was Published
The cyber-identities involved used a narrative traditionally associated with the Anonymous hacktivist group, which the hackers themselves place in the context of a larger-scale operation referred to as #OpOlympics. Furthermore, there is evidence that the Fancy Bear Hack Team brand had previously been associated, in February 2016, with other hacktivist groups with links to Russia, such as APT28.
The website gives 13 September as the date of the leak, which points to a possible time lag that would place the hacker at least in the UTC+3 time zone, that of Moscow. The second part of the leak was published online on 15 September. However, the headers consulted on 15 September give the “last modified” date as 14 September 2016 at 9:30pm GMT, i.e. Wednesday 14 September at 11:30pm UTC+2, which is already 15 September in UTC+3 and in the time zones further east. This is consistent with WADA’s hypothesis regarding the origin of the attack.
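The time-zone reasoning above can be checked mechanically. The following Python is an added illustration, not code from the ElevenPaths report: it parses a Last-Modified header, shifts it through every whole-hour UTC offset and reports the offsets in which the file was already modified on the publication date shown on the site. The header value is constructed from the figure quoted in the text (14 September 2016, 9:30pm GMT), not captured from the real server.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed header value, built from the timestamp quoted in the article;
# not captured from the real site.
LAST_MODIFIED = "Wed, 14 Sep 2016 21:30:00 GMT"


def parse_last_modified(header: str) -> datetime:
    """Parse an RFC 1123 HTTP date (the Last-Modified format) into an aware UTC datetime."""
    parsed = parsedate_to_datetime(header)
    if parsed.tzinfo is None:  # a "-0000" suffix yields a naive value; treat it as UTC
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def local_dates_by_offset(header: str, offsets_hours=range(-12, 15)) -> dict:
    """Map each whole-hour UTC offset to the calendar date the timestamp has in that zone."""
    utc_time = parse_last_modified(header)
    return {
        offset: (utc_time + timedelta(hours=offset)).date().isoformat()
        for offset in offsets_hours
    }


def offsets_matching_date(header: str, claimed_date: str) -> list:
    """Return, sorted, the whole-hour UTC offsets in which the timestamp already falls on claimed_date.

    claimed_date is an ISO date such as "2016-09-15" (the publication date shown on the site).
    The smallest offset in the result is the westernmost zone consistent with that date.
    """
    return sorted(
        offset
        for offset, local_date in local_dates_by_offset(header).items()
        if local_date == claimed_date
    )


if __name__ == "__main__":
    matches = offsets_matching_date(LAST_MODIFIED, "2016-09-15")
    print("UTC offsets in which the file was already modified on 15 September:", matches)
    print("westernmost consistent zone: UTC%+d" % matches[0])  # UTC+3, Moscow's offset
```

The result only bounds the clock setting of the machine that served the file, which is exactly why the article treats it as consistent with, rather than proof of, a Russian origin.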
The leaked information was also posted on the group's Facebook account. Although the first comment is in Greek, 6 of the following 10 are in Russian, which also suggests that the Facebook post first circulated on Russian-speaking platforms.
The fancybear.org domain is registered through a service that anonymises the registrant, while additional information identified for fancybear.net points to a user located in France with a gmx.com email account. Both domains were registered very recently, on 1 September 2016.
The HTML comments in the source of the website on which the first part of the leak was exposed were in Korean, although they were only simple words such as content (함유량), social media (소셜 네트워킹) or final (끝). Curiously, after the second part of the leak was disclosed, these comments were no longer found.
Finally, one of the images on fancybear.net is 0_125b8b_3cb8177e_M.png, with MD5 hash a20350dc2e412a9c351d83571ecc3251. Curiously, the only reference found on the Internet to an image with this name was on the Russian-language website kira-scrap.ru.
It is Not so Easy to Attribute Responsibility for Online Actions
One of the priorities of cybercriminals, and of hacktivist groups too, is operational security, also known as OpSec: the use of techniques designed to prevent exposure of technological infrastructure and to hide the methods used by attackers. In the case of Fancy Bear, contradictory information was identified at times, so it is not possible to completely rule out a false flag attack, in which the information was intentionally disclosed in such a way as to make it appear that the attack originated in Russia. Unfortunately, it is often simply a case of having to wait for the criminals to make a mistake before they can be brought to justice.