Compared with the alleged Russian hacks of the Democratic National Committee and other US targets, another important cyber theft that has also been tentatively attributed to Russia is getting far less attention. The revelations are much less titillating but they may be part of the same cyberwar.

By now, we assume that everyone hacks everyone but lately, the war hasn’t been just about spying. Bragging rights and publicity have become important. A hacker group (assumed to be a proxy for Russia) acts like swaggering kids. The US responds with threats and denunciation. It may seem heady material for a second-rate spy novel, but public cyber war is deadly serious.

Last week, a group calling itself Shadow Brokers announced it was “going dark" after failing to attract buyers for a huge cache of what is believed to be National Security Agency (NSA) malware. Shadow Brokers revealed that they were in possession of the stolen hacking tools in August, just as the DNC emails were being leaked by someone calling himself Guccifer 2.0. They claimed they had hacked a hacker outfit referred to as Equation Group. Kaspersky, the well-regarded Moscow-based cybersecurity company, linked Equation Group to the NSA. The list of Equation Group’s targets was one of the giveaways: Iran, Russia, Pakistan, Afghanistan, India and China. All countries the NSA would have an interest in.

Shadow Brokers announced they were auctioning the spoils of their hack—Equation Group’s cyber weapons. “We give you some Equation Group files free, you see," they wrote. “This is good proof no? You enjoy!!! You break many things. You find many intrusions." The proof seemed good indeed. Kaspersky analysed the sample malware and found its developers had used a specific implementation of an encryption algorithm that was only previously found in Equation Group software.

Some US security researchers quickly assumed Shadow Brokers were Russian. It was guesswork, but it made certain sense. Security technologist Bruce Schneier wrote, “It’s a signal to the Obama Administration: ‘Before you even think of sanctioning us for the DNC hack, know where we’ve been and what we can do to you.’"

Edward Snowden, whose revelations made the cyber-war-era public, shared that opinion. He tweeted that “circumstantial evidence and conventional wisdom indicates Russian responsibility". Snowden also pointed out that releasing cyber weapons into the public domain was highly unusual and that it was likely “more diplomacy than intelligence, related to the escalation around the DNC hack."

If indeed Russia is behind Shadow Brokers, the US didn’t heed the coded warnings. Instead, the ‘Russian election hack’ story was whipped up into a frenzy by anonymous leaks and, most recently, by two unclassified and scantily detailed reports from the intelligence community.

Last Thursday, Shadow Brokers staged a dramatic exit. Adopting a different kind of broken English from the one used in their initial message, the group released more samples from their cache and wrote that they were disappearing as their main purpose, earning bitcoins for their cache, had failed so far. On the same day, Guccifer 2.0 reappeared with a bizarre message claiming, not for the first time, that Guccifer 2.0 had nothing to do with Russia and accusing US intelligence of “deliberately falsifying evidence".

Since the US failed to heed the putative warning delivered through the Shadow Brokers dump and chose to believe that Russia was behind Guccifer 2.0, there is no logic to the former’s door-slamming and the latter’s re-emergence. Security researcher Matt Tait tweeted about Guccifer 2.0: “This release worries me. Is absurd & unpersuasive, but it’s also deliberate, carefully constructed & no new info. They cared about this text."

This kind of disorientation appears to be the goal of whoever is behind the activity. If all this is the handiwork of Russian intelligence services, they are using a number of carefully constructed public personae to communicate with the public, each with a specific style and even a specific set of typical mistakes in their English usage, and each with a hacker’s typical disdain for website design. This is meant to create the impression of a number of discrete hacking groups or lone hackers bragging about their exploits.

The approach the US has adopted in response is the exact opposite: It has “government" written all over it, from the ominous leaks to major news organizations to the refusal to reveal anything about sources and methods and the promises to retaliate in an undisclosed way.

The resulting visual is of a cop chasing a bunch of colourfully dressed punks. It’s easy to lose sight of what’s actually going on. Both sides appear to have a good understanding of each other’s tools and methods. The tools that have been revealed and analysed so far are meant for intelligence gathering, not the disruption of critical infrastructure. They have been used quietly for years, evolving to fit expanding needs and beat new defences. Now that knowledge is in the open, used for threats and innuendo-filled media reports. This is no longer cyber espionage, it’s a publicity war.

Just like conventional war and conventional spying, the cyberwar needs recognizable rules of engagement. Those rules will probably emerge after a while as a signalling system develops between intelligence agencies, who can then “go dark" again. In the meantime, both sides can wreak a lot of political havoc; but in this asymmetric war, a democracy is possibly the more vulnerable. Bloomberg

Leonid Bershidsky is a Bloomberg View columnist.

Close