"The targeted activity has been observed against organizations based in the United States and across Europe since May 2021. NOBELIUM is the same actor behind the SolarWinds compromise in 2020, and this latest activity shares the hallmarks of the actor’s compromise-one-to-compromise-many approach."
Just tell us which country. It's probably one of two options.
I don't really like the way attribution for these sorts of things happens. Conspiracy theories aside, we do have a history of questionable attribution (Gulf of Tonkin, Iraq WMD to name two). So a rational mind is right to be skeptical and ask for evidence before accepting a narrative whole cloth.
Instead, we are rarely given any evidence at all. In the article cited, we're just supposed to trust that Microsoft knows it's Russian government and can prove it. When we _are_ given some explanation, it's usually pretty weak: IP addresses are from XYZ country, metadata in a word doc is ABC language, etc. Add to that you have criminal elements that may or may not be controlled by their government.
...and then when you do question, you're downvoted, accused of being a shill, etc. I understand this sort of thing can rarely be proven 100%, and there is a need to protect intelligence sources and methods, but given that, we should stop speaking and behaving as though things are 100% certain. Personally I'd like to see articles present more evidence and/or summarize into a percentage. "We rate the likelihood this is XYZ branch of Russian government at 60% due to the following factors: ...."
> you have criminal elements that may or may not be controlled by their government
We can debate whether the Kremlin controls Russia's criminal elements. What is apparent is it's unwilling to pursue them. So much so that they practically live in the open.
I think the major problem for organizations like MSTIC is that the vast majority of information they have access to came from other companies under strict confidentiality agreements. This is the norm in information security, most intelligence sharing goes through large vendor security centers or ISACs. In order to encourage/facilitate that sharing, these organizations require all of their members to agree to non-disclosure regimes (the "traffic light protocol" classification scheme is common in ISACs).
It creates a bureaucratic situation where a company might have a great deal of data points to base an attribution on, but is prevented from disclosing 95% of them... not necessarily out of concern about source protection, but simply by contract with the data source(s).
There's a long-running controversy within the industry about whether or not this situation is productive. The confidentiality agreements make corporations more willing to disclose data due to reduced risk of reputational damage and liability. But it also tends to make research and open communication more difficult and vague. The federal government has been through basically the exact same controversy over the last two decades regarding intelligence sharing, and to further complicate things it's common for there to be government elements (e.g. DHS) involved in these circles that mean there are also confidentiality agreements between government agencies and private industry that enforce many of the same rules.
At its core, this comes out of a fundamental tension of liability and the law: is it better to do research that will produce damning material in lawsuit discovery, or to avoid doing the research and remain ignorant to the problem? Various industries have various half-solutions to this problem (e.g. Patient Safety Organizations in healthcare that are exempt from discovery), but the dominant one in information security reflects the roots of the industry in the intelligence community: anonymity of sources and confidentiality of information.
There will likely be some form of confidential agreement with another party who supplied the info to MSTIC; however, I also agree with your statement.
Microsoft has been quite lax lately with a lot of things, you only need to see the stuff Kevin Beaumont is posting (ex-MSFT employee - senior cyber) about them knowingly hosting malware in OneDrive (standout as a OneDrive user), and knowing about a lot of issues and potentially being rather passive about fixing them.
I love MSFT products, but lately from what I’ve been reading, their attitude to a lot of things security lately is a bit worrisome to me. I could be completely wrong as I don’t know what’s happening internally, but it’s also slightly worrying from one of, essentially, the most powerful cyber security firms around.
It has somehow become common for people to use "nation-state" almost interchangeably with "state" without fully considering the connotations it implies. Regardless, there's not a clearly agreed upon threshold of how much national identity must be shared to qualify as a nation-state, nor was Microsoft intending to make any sort of commentary on national identity.
>there's not a clearly agreed upon threshold of how much national identity must be shared to qualify as a nation-state
The best place to draw the line is Texas. More national identity than Texas and you're a nation-state, less and you're a state. The nationality of Texas is undefined in this scheme, which is just as they would have it.
P.S. people call extremely well-funded cybersecurity adversaries "nation-state adversaries" because those three words start with the letters NSA. It's a joke about US national security being the greatest threat to US private security.
> The best place to draw the line is Texas. More national identity than Texas and you're a nation-state, less and you're a state.
When used in the politico-social sense that invokes national identity, nation-state still takes as a minimum requirement the functional sense of Westphalian sovereignty, which Texas lacks. Texas would probably be considered a nation-state in both senses if it was a nation-state in the functional sense; but as a subordinate unit of a Westphalian sovereignty it is not a nation-state in the functional sense, much less the narrower social sense.
The "nation-" at the beginning of the term also doesn't add any context that is useful to understanding the story. People should just try not to use that term unless they're making some kind of sociological point. It's "state-level adversary", or something similar.
It does that by abusing a term that isn't directly applicable, and meanwhile there is no serious ambiguity: when people say "state-level actors", nobody thinks they're talking about Nebraska. People talk about "statecraft", not about "nation-statecraft".
> It does that by abusing a term that isn't directly applicable
It is directly applicable, and not at all abused; the broader functional (Westphalian sovereign) and social (the functional definition + two-way close mapping to a nationality) definitions of “nation-state” are both technical definitions widely used (and distinguished by context) in the field from which the term originates. (Just like “consistency” has different meanings in a CAP context vs. an ACID one, except with less ambiguity for “nation-state”, because compared to the functional and social definitions of “nation-state”, the CAP and ACID definitions of “consistency” are far more likely to both be plausibly relevant in the same context.)
The common use in cybersecurity is exactly the functional definition, not an abuse of terminology.
> Weird because Russia isn't really a nation-state.
It's a nation-state in the functional sense (a Westphalian sovereignty) but arguably not in the politico-social sense (a nation-state in the functional sense that is also aligned with a single national identity and vice versa), though like most Westphalian sovereigns where that is true, it works very hard to align national identity with the state. The former sense is mostly a clear, concrete distinction [0] while the latter sense is a platonic ideal which is, at best, approximated, so binary inclusion/exclusion is always something of an arbitrary line-drawing exercise.
[0] And mostly corresponds to status in international law, but there are exceptions
More likely it's NSA/CIA... I mean, how can anyone even know? Look at the NSA/CIA program "Marble": it's designed to do this, make their hacks look like Russians are doing it, etc.
>which the U.S. government and others have identified as being part of Russia
Microsoft is not making their own determination of who the state actor is and is just letting the three letter agencies' finger pointing fly with no evidence. There is however significant evidence indicating a country other than Russia in the FBI's SolarWinds report that contradicts the headlines if you read the body of the report.
CIA? Look at the Vault 7 "Marble" program.... And you really think hackers don't do what the CIA does? Could be anyone basically... China etc. etc. are probably doing the same crap as the CIA with their "Marble" program, attributing the hacks to another state.
The narrative US = good, Russia = bad is true but only if you are in the US.
In Russia you see the complete opposite.
Both US and Russian intelligence have lied in the past, it's part of their job.
For example, the intelligence agencies don't have the right to spy or attack their own population (as far as I know), but there is nothing that forbids them to ask an ally to do it and put the blame on someone else.
Russia denies doing it, and both the US and Russia have an interest in collecting this data, so starting from there, it's important to keep an open mind that the interactions between countries are not black & white.
The first link has this text: "Today, we’re sharing the latest activity we’ve observed from the Russian nation-state actor Nobelium. This is the same actor behind the cyberattacks targeting SolarWinds customers in 2020 and which the U.S. government and others have identified as being part of Russia’s foreign intelligence service known as the SVR."
What do you mean by this? Is it because they didn't explicitly say "The Russian Federation"? Because we both know that's exactly what they meant, and that it is most certainly a nation-state.
A nation-state is a state that perfectly aligns with a nationality. Hence nation-state. A nation that is also a state. The Russian Federation is a state with many nationalities within its borders. So it isn't a nation-state.
Other classic examples of non-nation-states are the UK and the US.
I think you misunderstand the use of nation-state in the context of threat actors then. It simply means government backed, as opposed to a private entity like a ransomware gang or NSO Group. Splitting hairs about nationalities is irrelevant when talking about who is behind a cyberattack.
Indeed, in security this term works well because it often means “agents not explicitly related to the nation acting for the state”. This loose coupling allows the responsible states to deny accusations while harming their target through unofficial partners (national or not).
If you don't mean 'nation-state' then why use that very specific technical word instead of just saying 'country'?
It's like saying 'I saw a 2019 Ford Focus in blue' and then when someone points out it was actually a green Dodge saying 'well I just meant any car why are you splitting hairs'.
In cybersecurity, and in the attribution of cyberattacks especially, nation-state actor is a very specific technical word. Words mean different things in different fields, and in this case the word is very clear and obvious in conveying what is intended, which is a government backed threat actor.
> If you don't mean 'nation-state' then why use that very specific technical word
Nation-state has at least two specific uses in its field of origin (political science), which are closely linked conceptually though very different. It can mean either a state that is approximately one-to-one with a nation, as became something of a European norm after the Peace of Westphalia, or it can be the structural kind of sovereign that became the norm in the same space after the Peace of Westphalia (a synonym for the latter sense is “Westphalian sovereign”).
When the context is more legal/structural the latter use dominates, when it leans more to the social the former use does.
Is this the first time you've heard the term "nation-state" in cybersecurity context? Used as an adjective, "nation-state adversary" flows better/sounds cooler than "government-backed adversary" or "country-level adversary".
You may be right in poli-sci class, but that's just how it is in cybersecurity. To use your framework, it would be like me colloquially asking "do you have a car?" and someone responding "yeah, a Jeep Wrangler". Car = automobile. But I wouldn't be that casual when filling out my auto's title information.
> It simply means government backed, as opposed to a private entity like a ransomware gang or NSO Group.
I would be incredibly surprised if Israel's intelligence didn't make use of NSO tech, especially since their founders came right out of Unit 8200, their military intelligence cyber warfare division.
Could you give examples of states that you consider to be nation states? It seems like there must be a sliding scale, and basically any state would fail a "perfectly aligns" test, so I'm guessing there is some lesser definition to go by.
In the context of cybersecurity this term has a specific meaning and refers to an adversary that has the highest level of resources usually attributed to a state.
I would also expect Russian/Chinese hackers to get someone to come into such a discussion such as this, and deflect comments against them towards the CIA/NSA, as you have done 4 times already in this small thread. Who can believe anything any more, in the post-modern over-information age?
Yeah, I could be, that's the point. I don't trust any government or "corporate" source on this type of stuff unless they show me physical evidence. I ain't defending those countries if that's what you're suggesting; I am very anti CCP and Putin, but I don't just attribute stuff to them because some "expert" says they did a hack.. based on what? Something that could easily be made to look like any state did it, like what the dump from the CIA shows... I use the CIA because that's the only public state information we have about this type of program.
What's the misdirect? Is it not true a state would not try to obfuscate who is doing the attack? So Microsoft telling us it's "X" without direct physical evidence is bs to me. Even the NSA intercepts network equipment orders and installs backdoors before sending them back to be delivered... now your hack is coming from "X" but it was done from "Y" using that hacked router etc., you get the picture? How can you know who did what?
Yeah, that's my point, who can know unless you have like a spy in the place doing the hacking. Yes of course China and Russia are probably doing these things, I just don't accept this type of evidence, just like I didn't accept the "WMD" bs.
Ooh yeah Vault 7 but we all know all nation states spy and hack each other. We are in a whole new world where we now have bipolar situation of Eurasians vs Anglo-Saxons going full spectrum warfare against each other.
Was it? What if China is using the CIA "Marble" program as well? Or even the US could be doing it. I don't doubt Russia is doing cyber warfare, but how can anyone, without seeing the hacker doing his thing, really know for sure what state it came from?
The Darknet Diaries podcast just released an episode on a similar attack (via MSP) if you're interested in hearing what this looks like from a remediation standpoint.
Something I've been thinking a lot about is that news of nation states attacking NATO member systems often makes headlines, but there is little about NATO members attacking these same nation states.
This sort of results in an impression that there is a capability asymmetry between the two. Is that true? Or do we just not hear about it?
There is no asymmetry in capability but there is an asymmetry in the desire to provoke. Russia has solidified its role in the world as essentially - a geopolitical troll. "Stabbing in the back", the thing they accuse everyone else of, is the strategy.
NATO does not want this fight, and they do not have the hierarchy of plausible deniability, which the Russian security services have perfected to a form of art.
"Independent" hacking groups do jobs for the government, in exchange for being free to conduct mercenary for-profit attacks without fear of being jailed.
NATO countries don't have this system. If they do something, they do it without proxies.
> There is no asymmetry in capability but there is an asymmetry in the desire to provoke.
Or asymmetry in the desire to report it. Any country reports threats against them wide and far, and they downplay or ignore any threatening actions they make.
> NATO countries don't have this system. If they do something, they do it without proxies.
Colour me skeptical. "Open and transparent" is just not how intelligence services operate.
No asymmetry, we only hear about it when successful. One thing to also keep in mind is that intelligence organizations like the CIA typically work through intermediaries such that a cybercrime organization in South Korea may not know they’re executing an attack on China on behalf of the CIA — they may have already wanted to do so for their own reasons and the CIA just made sure they found the right info to execute it.
The Chinese media would label such an attack as a US hack on China, while the US media would report it as a Korean hack on China (meaning you probably never hear about it at all unless you’re in the business).
Do you have any links to events that you would suspect of being of the described nature: done by crime actors and described as done by any nato state by some non nato state?
I’m only aware of this happening the other way round (.ru crime actors doing things Moscow needs done, ddos on Estonia etc etc)
I believe that individual vendors (MSTIC, FireEye, Talos, etc.) name threat actors differently. If you're interested, I'd highly recommend this page by CrowdStrike: https://adversary.crowdstrike.com/en-US/
It's very interesting to see how humans naturally tend to craft identities for faceless, nameless adversaries, which I think is very interesting from a social standpoint. Also the artwork in the website above is just plain cool IMO :)
Although the vendors share information quite freely, I think there's hesitation on a vendor mutually adopting another vendor's threat actor name because it implies more substantive research on the latter's part, which is usually a no-no in a field like this. Ofc, I'm sure there are exceptions.
> It's very interesting to see how humans naturally tend to craft identities for faceless, nameless adversaries, which I think is very interesting from a social standpoint.
It's quite simple: you need a name (preferably unique) in order to refer to it in communication.
Really appreciate the Thai CERT link -- I was really interested in seeing that Crowdstrike information presented in a format that's not about to pitch me the Crowdstrike Cinematic Universe or next-gen-Rainbow-6-arena-MMO or whatever they're going for. The glitchy elements/animations made it actually stressful for me to read.
Initially this started internally at the US Government.
Probably mostly the NSA, but then the vernacular spread. Kinda useful when having conversations to say "Cranky Frog" and not "China special operations group 304 PLA #122"
The names were classified (Secret perhaps?), but at some point the US Government realized everyone was kinda using these names in conversations, probably not all at the secret level. These names had leaked out too much, they needed new names.
So they decided to rename them with new Secret names, and just kinda let the old names become utilized. They tried to hide the old <-> new name mapping because the new name mapping was classified.
CrowdStrike started as mostly former FBI / NSA employees. They liked using all these names to identify actors. But they realized they didn't want to use classified names. So they came up with their own very boring names (APT1, APT2, etc.). While others had always done this internally (Microsoft had names, Google had internal names, etc. etc.), CrowdStrike utilized these names very publicly and it just kinda took off.
I think the US Government at some point realized they could just use CrowdStrike names and avoid all of the classified name mess, so they just utilized CrowdStrike names as well. So now CrowdStrike names are mostly the go-to. Unless you are Microsoft, then you keep using your names....
My guess is somewhere at Ft Meade an analyst has produced a massive, beautiful chart mapping all this shit together, and her sole job is to keep it updated.
I was idly thinking while reading the Journalist & Pegasus story from a few days ago[1], that some of the names for these exploits and groups, like KISMET, NOBELIUM, and HIPPOCRENE FACTOR especially, sound like codenames from a Destiny Lore Card[2] or something. Must be a fun exercise to brainstorm some of them up, if nothing else.
Marketing managers and security researchers in private companies give them names. The same reason high-profile exploits have nicknames (Heartbleed, for example).
It's just individuals deploying their code over clearnet with computers they found on darknet RDP marketplaces.
The authorities are so incompetent in generating consequences that they have to go with the idea that Putin signed off on the action himself, just to deflect.
“A dozen intelligence agencies” are all going to have the same evidence: a non-VPN IP address
People are really gullible, remember when even just that turned into a partisan thing a few years ago? lulz. idiots.
Lol, this stuff has happened since forever with web-facing servers. That's why you don't use 'root' or 'admin' as an SSH user. Just some PR fear mongering stuff to get the newbies into the cloud space instead of hosting their own servers.
Just a fear mongering article intended to SELL extra Azure services for $$$ that in theory maybe fix some of Microsoft's own security vulnerabilities. Like an internet-facing RDP (aka Ransomware Deployment Protocol) server.
Notice how everyone in this thread is scared of "nation-state" and Russia - this is the exact emotion and reaction Microsoft wants. After fear of some "god-level Russian state hacker superpower" is seeded, the next logical step is to SELL some crappy cloud subscriptions for $$$ and keep milking your fear and making money.
The fact that MS wants "to SELL extra Azure services for $$$" and the fact that RUS, CCP and other nation/state actors often attack those services are not mutually exclusive.
Claiming that the notice is false simply because some aspect of it may also align with some profit sounds like an entry-level fallacy spouted by Qanoners, or an actual RUS twitter troll posting their daily dezinformatsiya, or just the everyday paranoia of those who flock under those banners.
Do you have any actual evidence that the notice is false?