by liquidify 1983 days ago
"Serious buyers only: solarleaks@protonmail.com

Q: Is this really happening? Can you provide proof? A: Yes and yes.

Q: Why no more details? A: We aren't fully done yet and we want to preserve the most of our current access. Consider this a first batch.

Q: I'm [vendor] and want my data back? A: Talk to us.

Q: Why not leak it for free? A: Nothing comes free in this world.

Q: How to buy? A: Contact us for more information."

These don't sound like things that the Russian government or any nation state would be saying.

Makes the U.S. intelligence / media look stupid. And if it turns out that it is some individuals that happen to live in Russia, it still makes the U.S. look stupid.

8 comments

Russia behaved exactly the same after the DNC hack. They made up a story about some Romanian hacker called Guccifer but their cover up was debunked by Vice: https://www.vice.com/en/article/wnxgwq/guccifer-20-is-likely...
> The main element pointing to Russia is the timeline of the events.

I didn't realize the bar for "debunking" had become so low.

The whole basis of Vice's debunk is "Nobody heard of a Guccifer 2.0 persona before", which is not exactly strong evidence for anything.

Particularly considering Guccifer is a real person and referencing other hackers not that unheard of.

According to https://www.srcbeat.com/2021/01/solarleaks/ their email sent to solarleaks@protonmail.com bounced back with "Address does not exist" error.
I was about to check if I could register it, but then thought that might be a bad idea.
Lol. Proton Mail has strong encryption and is hosted in one of the strongest jurisdictions in the world as regards privacy laws. Nothing to worry about :)

Tutanota on the other hand lost a court battle in Germany and had to give up email data from one of their suspected-to-be-criminal clients [0]

0:https://www.cyberscoop.com/germany-court-ruling-tutanota-ema...

> These don't sound like things that the Russian government or any nation state would be saying.

I mean this could just be an attempt to make it _seem_ like it's not a nation state.

One way to essentially guarantee that it _was_ a nation state is for the stolen data to never turn up for sale to the public/back to the owners, as we would naturally assume whoever the actor was was happy just keeping everything to themselves, something only a nation state would ever really do. A non-nation state's only real motivation would be financial, and so if no evidence of that ever came about, the only real alternative would be to assume it was a nation state.

Well, or the hack was by some greyhat/kid who realised they were in over their head and that keeping evidence of their crime around was a dumb move.
Maybe that’s the entire point
While that's possible, pushed far enough this line of reasoning is unfalsifiable and evidence is thin either way.
> These don't sound like things that the Russian government or any nation state would be saying.

This goes both ways: Or they would be exactly the kind of things a government would say to dispel any notion of it being a government.

> Makes the U.S. intelligence / media look stupid. And if it turns out that it is some individuals that happen to live in Russia, it still makes the U.S. look stupid.

I wonder whatever happened to that whole mantra of the early 2000s and 2010s when governments would regurgitate the difficulty in dealing with "cyber" due to the "asymmetric" nature of "cyber warfare"?

Somehow that was completely forgotten over the last decade in favor of blaming any and all InfoSec breaches instantly on some state actor.

One has to wonder how much of that is just deflecting from bad practices with "The enemy is a state, nothing we could do to defend against an attacker that powerful!" rather than admitting "Yeah, some autistic dude in his parents' basement pwned all our stuff because our security is completely amateurish".

Are the US intelligence community / media saying that the attack was by the Russians?
Washington Post attributed the attack to Russian actor APT29/Cozy Bear on Dec 14th [1], quoting unnamed sources.

FireEye [2] Dec 13th & Volexity [3] Dec 14th were more cautious, citing an unknown actor that they dubbed UNC2452, and Dark Halo, respectively.

Recorded Future made a fair but ultimately inconclusive case for Chinese attribution [4], Dec 30th.

US gov/CISA continues to claim "Russian linked" [5], Jan 5th.

Kaspersky reported a link to the Kazuar malware used by Russian actor Turla [6], Jan 11th.

CrowdStrike's report on the malware injector [7], Jan 11th says "does not attribute the SUNSPOT implant, SUNBURST backdoor or TEARDROP post-exploitation tool to any known adversary".

[1] https://www.washingtonpost.com/national-security/russian-gov...

[2] https://www.fireeye.com/blog/threat-research/2020/12/evasive...

[3] https://www.volexity.com/blog/2020/12/14/dark-halo-leverages...

[4] https://www.recordedfuture.com/solarwinds-attribution/

[5] https://www.cisa.gov/news/2021/01/05/joint-statement-federal...

[6] https://securelist.com/sunburst-backdoor-kazuar/99981/

[7] https://www.crowdstrike.com/blog/sunspot-malware-technical-a...

That's an impressively detailed response. Did you happen to track all these kinds of quotes routinely for your own research, or are you that good at finding this info that quickly.
Ahh interesting, thanks for the response. Surprisingly enough, Kaspersky also attributed it to a Russian APT, so I'm still not sure about the parent post's claim that it makes the US look stupid, if it's the global intelligence community saying so.
No evidence has ever been shown. It is easy to cite a lot of people parroting the idea that it came from Russia, but aside from some vague connections, there is 0 hard evidence. If you were an Israeli, Iranian, Chinese, etc... hacker, you would obviously tunnel through servers in foreign countries that were easy scapegoats. So even if there was actual evidence (which there isn't) it still wouldn't mean anything unless it could be tracked back to an originating IP and connected to an individual with a motive and without an alibi.

The benefits of blaming things on Russia for certain political parties are obvious, but those politicians and media members continue to make claims while never presenting any evidence, so you really have to ask yourself what is more likely to be true: a bunch of vapid politicians' self-benefiting claims without evidence, or the far more obvious possibility that a group of techie people from some random country hacked an easy target for money.

Occam's razor says it is the latter.

So, attribution doesn't work that way.

During an active incident, attribution details are not published. This incident still has people responding to it, and potentially further impacted victims. Indicators of compromise are published to allow for entities to hunt for malware or evidence of breach within their environments, but details that directly attribute a particular strain of malware to a threat actor are generally not shared (at least with the general public). Publishing those details could cause the threat actor to change those details and therefore evade detection and persist in impacted environments.

Let's take the Google breach of 2009, known as Operation Aurora as an example (https://en.wikipedia.org/wiki/Operation_Aurora). China was claimed to be the culprit at the time, but it was not until three years later that Fireeye / Mandiant finally published the details that were used to track and identify the threat actor as part of their APT1 report (https://www.fireeye.com/blog/threat-research/2013/02/mandian...).

In this particular case, even though the known impacted entity count is around 250, around 18 thousand entities downloaded the backdoored version of SolarWinds and are at risk. Publishing attribution details now could negatively impact their response. When respected entities in the field make a claim on attribution, generally it is accepted, as if those entities were lying, their service (and potentially some of their executives, as they are publicly traded in some cases) would go to jail.

It's important to note that each responding team will have access to different data sources and be able to make different claims as a result. CrowdStrike declined to do attribution, whereas FireEye was more definitive with naming a group. This is likely as FireEye was impacted first hand and was able to capture indicators that are not public. (One of the steps of IR is containment, where you observe a threat actor's activity to figure out where they are in your environment, so you literally get to watch them some.)

The people in charge of the various government agencies are politicians without experience in this area, true, but they are briefed and educated by the experts that do have experience in that space. Likewise, the Washington Post is known for vetting stories in this space carefully. At this stage in the game, it is highly unlikely it is not Russia, as this sales pitch is very similar to when Russian associated actors leaked the NSA toolset. It too was advertised for sale via bitcoin (https://en.wikipedia.org/wiki/The_Shadow_Brokers).

Anyways, if you're interested in this space, go find your local incident response (DFIR) meetup and ask how they track malware families. IP addresses are probably not one of their best signals for who made malware or executed an attack.

>At this stage in the game, it is highly unlikely it is not Russia, as this sales pitch is very similar to when Russian associated actors leaked the NSA toolset. It too was advertised for sale via bitcoin (https://en.wikipedia.org/wiki/The_Shadow_Brokers).

Great post overall, but I disagree here. It's indeed very likely Russian intelligence did the compromise, but it's still unclear if this particular "leaks for sale" offer is legitimate or just a random unrelated troll trying to make quick money before they get outed as fake. It does sound similar to the Shadow Brokers offer, but that could easily be emulated (and probably would be emulated if a scammer was trying to sound like Russia).

It could be legitimate, but I would be highly skeptical unless/until they release some samples of what they have. The Shadow Brokers started out not providing anything but later started leaking things to prove they weren't lying.

So I'd say this is worth keeping an eye on, but shouldn't be taken very seriously until they post at least some shred of evidence supporting their claims.

>when Russian associated actors leaked the NSA toolset

Has anyone actually attributed TSB to Russian actors? I don’t think so.

The US government certainly hasn’t made such claim, to my knowledge the mainstream press hasn’t made such a claim and neither have any of the companies you’d usually trust to make such assessments.

> if it's the global intelligence community saying so

Though it's really not, the only "official" attributions are WaPo's unnamed government source and US agencies saying "Russian linked".

But there is no real evidence for that except those Kaspersky heuristics about the malware having been used before, which is really not that much of a "smoking gun".

There's also the fact that for pretty much everybody involved it would be much more convenient to have this framed as a "state actor attack": The amount of companies breached and their nature just makes this horribly embarrassing for most people responsible and involved.

Even letting on the possibility that some kind of non-state actor is responsible for this would add even more insult to the already existing injury.

Kaspersky actually didn't attribute it to a Russian APT. They say they found one thing in common, but are actually explicitly saying that they don't know whether they are the same group.

> TLDR; just tell us who’s behind the SolarWinds supply chain attack?

> Honestly, we don’t know.

> To clarify – we are NOT saying that DarkHalo / UNC2452, the group using Sunburst, and Kazuar or Turla are the same.

Ah, thanks for the source / context.
US digital infrastructure is the ultimate soft target. I assume for every SolarWinds we hear about, there are others that the government squashes due to sheer embarrassment or national security concerns.
> These don't sound like things that the Russian government or any nation state would be saying.

Why not? Sharing stolen source costs them nothing, and nation state hackers have budgets just like the rest of us.

They probably wouldn’t even get in big trouble for selling this stuff and using the money to buy themselves lambos, a nice bonus on top of the government hacker salary.

>a nice bonus on top of the government hacker salary.

The current narrative is that they aren't on payroll or under orders, but instead individuals or groups within the collective (Cozy Bear) act on their own initiative to win Putin's favor.

>The current narrative

According to whom?

> Q: Why not leak it for free? A: Nothing comes free in this world.

They didn't pay to get that data they're now charging money for. "Nothing is free when we're offering it" they should say.

We pay for things with money and time. They absolutely "paid" for the money if you consider the amount of time they probably put into it.