The Mueller indictment: some thoughts on deterrence, OPSEC and linguistics

Unless your cave doesn’t have wifi, you probably know by now that 12 operatives from the GRU have been indicted by special counsel Robert Mueller.

The supporting document is a rare artefact, in a sense that it is the most public exposition of American cyber tradecraft ever.

Its analysis has been bolstered by an agency – the NSA, in case you are wondering – whose very DNA has been hardcoded with operational deniability. Remember, the US still issues a Glomar response on Stuxnet even when the operation has been outed by a hundred different sources.

There’s a specific reason behind that, which I will address in a separate article, but in a nutshell: nation states are still figuring out how cyber operations fit into the escalatory and declaratory ladders of conflict.

Until that gets chiselled with experience and mistakes, cyber attacks would keep on enjoying a sort of forced plausible deniability. I mean, would our world be any different if Iran, North Korea or Russia had owned up to Shamoon, Sony or DNC? Maybe not.

I’m always reminded of Col. Gary D. Brown’s (former staff judge advocate of the USCYBERCOM) assessment. He posits that states not defining their limits and capabilities in cyberspace is a big impediment to norm-setting.

Norms, as we imagine them, are the organic outcomes of the customs and practices of nations. So, the law of armed conflict, or whatever international markers we have established, become hazy when capabilities aren’t defined. That is exactly why the Tallinn Manual remains such a dud, apart from the fact that it’s overly kinetic-centric.

Dave Aitel labelled Stuxnet as the “announcement of a team” more than anything else, which could take out any factory, any time. Over the course, the US Department of Defence (DoD) seems to have figured out cyber’s fitment into the declaratory dimensions of power. It is exactly why the DoD tries hard to control the mathematics of the domain.

Yet, as Jacquelyn Schneider of the US Naval War College astutely observes: the military leaders get cold feet while calculating its escalation dynamics. To quote from a yet-to-be-published piece of mine:

A study of wargames conducted from 2011 to 2016 revealed a consistent pattern of going overboard with the escalatory risk of cyber operations – that they would eventually lead to a nuclear war. So awesome was the mythos around cyber that the defensive teams exercised restraint in cyberspace even when the allies were getting nuked. This fear psychosis pervaded all the way up in the chain of command.

Jason Healey concludes that it was the US which got deterred in the run-up to the Russian election hacking.

The prospect of hitting back with cyber caused trepidation within the deputies and principals meetings.

This indecisiveness was born out of a lack of political arithmetic for cyber operations. Cyber deterrence has little to do with the technicalities of the domain.

Coming back to the dossier, when the NSA, via the FBI, goes on to name the operatives and publishes their internet search histories, it’s merely giving cyber deterrence the required politico-legal shape.

Most pundits have fallen into the wow-trap. See, the competence of the NSA is well respected, thanks to Snowden. The attribution of APT 28 has been open-sourced, too, as the private sector has had a major investigative role to play. Even the details of the GRU units had trickled out earlier.

The NSA is actually giving a banshee-like scream with this trailer of capabilities – You may win a battle or two, but we are here to win the war.

Andrea L. Limbago of Endgame sums it up,

[These] indictments demonstrate the potential for attribution and the level of capabilities that can provide this evidence, help support a broader deterrence strategy.

While the 12 operatives are being portrayed as some wily geniuses, it’s clear that the team was overworked and understaffed. Tasked with a high-pressure, overwhelming mandate, they left a trail of OPSEC mistakes.

Similarly, we also saw an Indian cyber mercenary succumbing to the fog of war.

Or it could be the case that, in The Grugq’s trademark British humour, the Russian OPSEC policy is YOLO.

I can’t locate the exact tweet as always. Somewhere on The Grugq’s Twitter timeline – the most authoritative compendium of tradecraft on the internet – there’s a mention of linguistics and anthropology as the foundational sciences of cyber operations.

I can’t agree more. Richard J. Danzig recommends studying the “adversarial ecosystem of cyberspace in anthropological detail”. China even runs a full-fledged language feeder school SISU to complement its lucrative technical setup for cyber espionage.

While the two GRU units focused on hacking and dissemination, little effort was paid on the language front. There’s a marked similarity between the conspiratorial punchlines of the Shadow Brokers and the tin foil hatted references to the Illuminati by Guccifer. The GRU’s understanding of the paranoid hacker archetype sounds amusing and probably borrows from the KGB’s dealings with hackers like Karl Koch during the Cold War.

An Indian cyber mercenary for hire? Bad OPSEC and global footprint

Cisco Talos has just published a report unmasking an Indian cyber actor.

The specific operation under investigation was in progress since 2015. An iPhone malware was deployed using an open-source mobile device management suite and targeted exactly 13 mobiles. This seems like a very focused effort.

But the operator is to only blame itself for getting exposed – it followed terrible OPSEC practices.

Firstly, the C&C servers weren’t hardened at all. It seems that Talos scooped up the priceless operational and configuration data lying on them. The exploit writers tested the malware on their own mobiles and their phone numbers seem to have been logged by the C&C.

While poor attempts were made to masquerade as Russian hackers, the attribution is foolproof as the test numbers belonged to the Indian mobile networks. The rest of the targets, too, were Indian.

A quick, 15-minute search over the internet points out some more glaring OPSEC fails.

The cardinal rule of cyber operations is to never ever reuse the attack infrastructure, no matter how miserly you are. Even the NSA (FOXACID) and the CIA (Vault7) made similar mistakes.

One of the domains used in the operation wpitcher[.]com pointed to the name servers of an Indian hosting company ServerGuy, immediately after registration. You don’t leave a domestic footprint, unless you have a death wish. The gentleman at the helm of ServerGuy has an interesting professional background, too.

The second domain voguextra[.]com was earlier flagged and squarely linked to Bahamut in 2017, a cyber espionage nexus targeting Egyptian journalists, Qatari labour rights activists, Kashmiri terror organisations, and foreign policy institutions in other Gulf states. That’s like putting all eggs in one basket – no compartmentalisation at all.

Bahamut also has some noted similarities with Operation Kingfish that targeted the civil society in Qatar and Nepal, discovered by Amnesty International in 2017. Last but not the least, Kaspersky also stumbled upon a zero-day vulnerability in 2016 in the InPage word processing software (prevalent in the Arabic and Urdu speaking geographies) used to hack into Asian banks – linked to one of operator’s secondary domains.

I’m honestly clueless why the actor would resort to such recycling of infrastructure.

At the technical level, I would tag it as an elaborate social engineering toolkit than an actual APT, in a sense that the actor’s CONOPS seems to suggest so. It’s a trait, not a weakness.

A sneak peek into the Pakistan Army’s cyber tradecraft

This seems to have gone unnoticed, so I am placeholding it here. A small ideological disclaimer: I do not *hate* Pakistan like many right-wingers do. In fact, I long visiting Lahore some day and sample its street food. Nonetheless, this is an interesting public exposure to the tradecraft – if it could be called so – of an adversarial army.

In March this year, Amnesty International released a dossier (PDF) on the intimidation and spying of human rights activists based in Pakistan, allegedly by the country’s own army operatives. Apart from the usual scare tactics, the operatives also engaged in social engineering and cyber espionage. Android and Windows based malware were used for the purpose.

The operating model was hybrid: customised variants of COTS malware developed by a local contractor shop, and all of it being coordinated via a team of army officers.

The setup looks ragtag and low-end.

One of the C&C servers associated with the operation was misconfigured, publicly listing all the files present in a specific folder. A particular file “zahidskills.docx” contained some interesting titbits. It detailed the daily responsibilities of a member – someone by the name of Zahid Rasheed – of “Team Cyber Security” .

We scan network on daily basis to check open port or any outbound connection into our network, then we communicate with twitter and FB team captains for any new Anti Army or Fake accounts of COAS/DG ISPR. Check DG’s Facebook page security and Past 24 hour activity. We are working on different target accounts to trace their IP Addresses or to compromise their accounts. We check different new site to see if there are any Anti Army content on it, so we try to take them down or at least trace the administrator. Increasing likes/ followers and viral content on SM-Team request. We Scan ISPR/PakArmy Website on Weekly basis to find vulnerabilities or any type of errors. Explore and test new exploits on cyber security and to stay up to date with latest techniques.

For the uninitiated, COAS stands for the Chief of Army Staff. ISPR or Inter Services Public Relations, meant to be the Pakistan Army’s public relations directorate, is actually its propaganda arm.

So, this sounds like a CERT gone rogue, meddling in operations and intelligence. There is a noted political emphasis on keeping the top echelon happy – this unit is conscious of its direct access to the COAS’s office.

Its mandate is really confusing: some ad-hoc tasks around security administration, counterintelligence, OSINT and even cyber offense. This really violates all the tried and tested OPSEC best practices, eventually leading to the unmasking of the team.

My experiential take is that OPSEC blunders happen when the mandate gets messed up – a natural fallout of focusing more on placating the bureaucracy than pursuing relevant imperatives. It is a cultural thing in South Asia. Anyone who has been exposed to a government cyber setup would understand what I mean.

Operational awareness and nuance percolate from the very top when it comes to cyber, so the generals appear technically clueless. Not to sound churlish, but this pattern is also mirrored in India.

A unified cyber component that pervades all the army’s hierarchies seems to be absent, too – despite its focus on net-centric warfare since the times of Azm-e-Nau. The unit, like most such ill-thought-out apparatuses, is plagued with a tactical vision. Compare this to the interdisciplinary synergy between the NSA and the US Cyber Command.

There is a growing concern on this side of the fence that the cyber capabilities of the Pakistan Army are more sophisticated than we imagine. This sneak peek may quell that for some time.

Yet, my assessment is not to be treated like the gospel truth. The Inter Services Intelligence, and the directorates of Military Operations, Signals Intelligence and Military Intelligence may very well have their own competent structures. So would the air force and the navy.

GravityRAT, a decently-sophisticated and evolved APT originating from the same country, is a case in point.