Wikileaks files show the CIA repurposing hacking code to save time, not to frame Russia

The Intercept reports: Attributing hacking attacks to the correct perpetrators is notoriously difficult. Even the U.S. government, for all its technical resources and expertise, took warranted criticism for trying to pin a high-profile 2014 cyberattack on North Korea, and more recently faced skepticism when it blamed Russia for hacks against top Democrats during the 2016 election.

In those cases, government officials said they based their attribution in part on software tools the hackers employed, which had been used in other cyberattacks linked to North Korea and Russia. But that sort of evidence is not conclusive; hackers have been known to intentionally use or leave behind software and other distinctive material linked to other groups as part of so-called false flag operations intended to falsely implicate other parties. Researchers at Russian digital security firm Kaspersky Lab have documented such cases.

On Tuesday, Wikileaks published a large cache of CIA documents that it said showed the agency had equipped itself to run its own false-flag hacking operations. The documents describe an internal CIA group called UMBRAGE that Wikileaks said was stealing the techniques of other nation-state hackers to trick forensic investigators into falsely attributing CIA attacks to those actors. According to Wikileaks, among those from whom the CIA has stolen techniques is the Russian Federation, suggesting the CIA is conducting attacks to intentionally mislead investigators into attributing them to Vladimir Putin.

“With UMBRAGE and related projects, the CIA can not only increase its total number of attack types, but also misdirect attribution by leaving behind the ‘fingerprints’ of the groups that the attack techniques were stolen from,” Wikileaks writes in a summary of its CIA document dump

It’s a claim that seems intended to shed doubt on the U.S. government’s attribution of Russia in the DNC hack; the Russian Federation was the only nation specifically named by Wikileaks as a potential victim of misdirected attribution. It’s also a claim that some media outlets have accepted and repeated without question.

“WikiLeaks said there’s an entire department within the CIA whose job it is to ‘misdirect attribution by leaving behind the fingerprints’ of others, such as hackers in Russia,” CNN reported without caveats.

It would be possible to leave such fingerprints if the CIA were re-using unique source code written by other actors to intentionally implicate them in CIA hacks, but the published CIA documents don’t say this. Instead they indicate the UMBRAGE group is doing something much less nefarious.

They say UMBRAGE is borrowing hacking “techniques” developed or used by other actors to use in CIA hacking projects. This is intended to save the CIA time and energy by copying methods already proven successful. If the CIA were actually re-using source code unique to a specific hacking group this could lead forensic investigators to mis-attribute CIA attacks to the original creators of the code. But the documents appear to say the UMBRAGE group is writing snippets of code that mimic the functionality of other hacking tools and placing it in a library for CIA developers to draw on when designing custom CIA tools. [Continue reading…]

Print Friendly
Facebooktwittermail