‘Pravyy Sector’ and DNC leak as symptoms of new trend in Russian cyber operations

Hacking group Pravyy Sector (‘pravyy’ is bastardised Ukrainian for ‘right’, Right Sector is the name of Ukrainian ultranationalist party), responsible for leaking customer data of Polish ISP Netia, claimed on Twitter that they breached network of Polish Ministry of Defense. Group claimed that they gained full access to the MoD network and, what might be even more interesting, got their hands on ‘PRISM Poland logs’. Pravyy Sector then demanded $50 000 transferred to specified account or bitcoin address in exchange for not leaking the data.

To prove their access, group has posted screenshots from apparent MoD computer, photos of application to ‘PRISM service’ and xml containing information about hosts in alleged MoD network. It is worth noting that materials posted initially were hardly a proof of compromised network – attached screenshots suggests that all files were taken from single computer. MoD soon issued a statement claiming that attackers has gained only outdated documents and are trying to overestimate their success. Pravyy Sector countered with posting screenshots of emails with information related to organisation of recent NATO summit. Ultimately however, it seems that they bluffed. Alleged information coming from PRISM programme are probably just data collected by botnet with only superficial modifications made to make them more believable. Soon after, group has deleted twitts related to hack.

If allegations of complete breach of MoD network were true, Pravyy Sector would have quite impressive resume for rising hacker group though. Previous hack – stealing Netia’s customers data – was probably one of the most significant breaches in recent history of Polish hacking. Selection of targets, especially quick leap to strategic government networks, raises question about origins of the group and possible political motivation behind attacks. MO of the group would certainly be in line of state sponsored operations conducted by Russian government. Conduct of Pravyy Sector combines two elements commonly employed by Russian operatives – attacking government institutions (especially related to national defence and main administration of the state) and using attack for propaganda purposes. Such approach is in stark contrast to Chinese efforts which are centred around conducting industrial espionage through long-term APT campaigns (such as Mofang to name one) and are designed to stay unnoticed and gather data.

The most interesting aspect about this event is how breach of the MoD network appears not to be goal in itself but rather a mean to the main goal of the group which seemed to be information warfare. There are two possible explanations for this version. First, is that group was trying to gain more access to the MoD network, however were detected relatively early and decided to use whatever they had (plus some made up data) to follow through with propaganda content. Second, was that scope of possible access to MoD network was known way before the operation, and bluff with ‘Prism files’ was, wrongly but still, calculated. Anyway, group has deleted relevant tweets and backed out of whole thing – while going back to relaying usual propaganda messages.

Meanwhile on the other side of the Atlantic, Democratic party has suffered massive leak of internal emails that most famously included messages supposedly proving party’s bias against Bernie Sanders. This is even more interesting case in point. First of all, timing of the attack was clearly pinpointed to harm Hillary Clinton’s presidential campaign. Furthermore, given how whole operation was conducted, achieving such timing and impact was only possible through cooperation with WikiLeaks, which enabled significantly wider exposure than what was available to PravyySector.

‘Cooperation’ has to be understood in correct terms though. It is rather unlikely that WikiLeaks has actively sought opportunities to cooperate with Russian intelligence, however it is very likely that they couldn’t resist publishing materials which were, probably anonymously, send to them. Similarly in case of Pravyy Sector, one major polish netsec company was extremely eager to get comment from the attackers – up to the point of publicly telling the group how happy they would be to hear from them. While latter case was most likely a result of lack of understanding of probable motivations and goals of the attackers, WikiLeaks was certainly aware of both who might be the source of the leak and what will be implications of releasing them in the particular time frame. Both examples, however shows how convenient it is two make damaging data available to the public. Not only media outlets will provide help, but also ethics of doing so is not clear cut. The arguments that publishing data, especially in case of the DNC leak, is in public interest regardless of source of the leak are not without merits. The real problem is balancing public interest with the fact of being used by foreign power to cause certain effect. Such balance requires analysis of origins of data and possible motivations of attackers – something that might be beyond capabilities of some media outlets.

Both examples highlights also elemental problem of attribution of cyber attacks and proper reaction. Especially in case of DNC leak the big question is what should be proper reaction to foreign activities that aims at influencing political process in the country and what is the threshold of proof sufficient for retaliation. It would be hypocritical for the US to show much outrage about what happened, given the record of their own intelligence activities. Governments trying to influence results of elections in other countries is usually not an attack, but a fact of international relations. Also, for now at least, it is not absolutely clear that whole operation was planned by Russian intelligence.

From Polish perspective recent events are even more disturbing given lack of cyber defence infrastructure comparable to that of the US. Poland, as well as other Baltic states, seems to be likely targets for Russian intelligence activities, especially given current political turmoil in Europe. Without dwelling to much into tinfoil territory, it would be interesting to consider whether wiretapping and subsequent leak of politicians’ private conversations at Sowa restaurant in Warsaw, might have also been facilitated by foreign powers. Certainly leak helped Law and Justice party, whose policies are definitely more in line with Russian interests in the region, win the elections. In this terms, US should definitely consider providing Eastern European countries with cybersec support as a mean of reducing Russian influence in the area. Detection and swift attribution of eventual breaches would help with reducing influence of propaganda operation.

Whatever response of the US will be, it is hard to underestimate significance of recent events. What is most striking about DNC incident is collision of (usually) noble and malevolent causes. Fact that Russian intelligence tries to sway election in a way that would be beneficial for Russia does not change the fact that DNC members did wrote those email and releasing them to the public was in the interest of the public debate. Also let’s acknowledge that attack ‘feels’ quite different because everything happened in broad daylight and in the context of the US elections, which were already rather unusual. Now however, lawfare has actually done legal analysis on whether major candidate for the office of the President of United States might be legally considered a foreign agent. And frankly I believe there might be no better summary of the whole incident.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s