Grizzly Steppe and Carbanak: The Dangers of Miscalculation in Cyberspace

Hats off to the Department of Homeland Security (DHS) for releasing additional information on Grizzly Steppe — detailing Russian intelligence services’ efforts to influence last fall’s U.S. election. DHS added significant technical detail to a December 2016 Joint Analysis Report that security experts criticized for lacking actionable information.

Being curious, we ingested the new DHS report into TruSTAR’s intelligence exchange platform to see what private sector incidents would correlate with the report. The results are intriguing and offer insight on the trickiness of attribution and the potential dangers of miscalculation and escalation in cyberspace.

Our data shows some common tactics, techniques and procedures (TTPs) that support attacks associated with Grizzly Steppe and Carbanak, a criminal group with Russian roots that has carried out attacks since at least April of 2015 against financial institutions in several countries, including the United States. They both share exploit kits and elements of weaponization and exfiltration techniques, and the visualization below highlights the linkages between these two investigations.

TruSTAR visualization of overlap of TTPs of Carbanak and Grizzly Steppe

A Hall of Mirrors

We could judge that the actors behind Grizzly Steppe and Carbanak are one in the same because they share elements of attack infrastructure, such as malware and command and control. However, we have no proof of affiliation between the two groups. So what, if any, connection might there be?

At least a few scenarios are possible:

1. Russian intelligence operatives are borrowing infrastructure used by other hackers. They could be doing so to mask themselves or out of laziness.

2. Carbanak hackers are repurposing the work of others and/or are trying to make it look as though they are Russian operatives. This is possible thanks to the highly collaborative dark web, where information sharing and open toolkits are very common.

3. Both scenarios could be true: secret agent by day, hacker by night.

These scenarios illustrate the need for clarity and patience in asserting ultimate attribution.

This brings me to Peter Steiner’s cartoon in the New Yorker (1993) of the dog sitting behind the computer, “On the Internet, nobody knows you are a dog.”

The 2017 Grizzly Steppe update to the cartoon could be a Russian bear, Chinese dragon, Iranian cat, or a criminal sharing the same infrastructure to conduct attacks. While this is a stretch, it illustrates that adversaries — whether nation states or criminal organizations — utilize some of the same infrastructure. This creates the possibility of miscalculation and unwarranted escalation.

The Dangers of Misattribution leading to Miscalculation

John Petrik, the editor of the CyberWire, points to how the Gulf of Tonkin Incident drew the U.S. more directly into the Vietnam War, a dark point in our history to underscore the danger of misattribution.

On August 2, 1964, the USS Maddox was fired upon by North Vietnamese forces in international waters. The Maddox was on an eavesdropping mission against the North. On August 4, the Maddox and another destroyer thought they had been fired upon again. This led to a hurried effort by President Johnson to seek Congress’ passage of the Gulf of Tonkin Resolution which gave him the power to take “all necessary measures to repel any armed attack against the forces of the United States and to prevent further aggression.” Congress passed the Resolution on August 7 escalating the U.S into the Vietnam War.

While there is no question the Maddox received fire on August 2, it was not the case on August 4. Declassified documents revealed that while the commander of the Maddox, Captain Herrick, thought he had been under fire on August 4, he began to believe he had not. On August 5 he sent a message stating,

“Review of action makes many reported contacts and torpedoes fired appear doubtful. Freak weather effects on radar and overeager sonarmen may have accounted for many reports. No actual visual sightings by MADDOX. Suggest complete evaluation before any further action taken.”

Commander James Stockdale, who had flown over the scene on August 4 did not see any activity and reported so. However, intercepts of North Vietnamese forces supported the belief that the attacks had occurred. Ultimately, a response was ordered on August 5. Commander Stockdale reported,

“We were about to launch a war under false pretenses, in the face of the on-scene military commander’s advice to the contrary.”

The Power of Incident Exchange in Reducing Risk

The intersection of Grizzly Steppe and Carbanak underscore the urgency of continuing to break down barriers to information sharing. Without the active exchange of information, organizations will continue to suffer similar attacks and adversaries will more easily fly false flags or mask their identities increasing the potential for miscalculation.

The free flow of information within hacker communities enables cheap innovation and reusability of tools. A critical step in disrupting collaboration among adversaries is collaboration among the “good guys.” Active incident exchanges through platforms like TruSTAR Technology’s, provide a synoptic view of events, enabling us to protect ourselves more efficiently while making it harder for adversaries to mask their identities. High fidelity exchanges also accelerate attribution, which means companies can disable attacks faster. TruSTAR’s scalable exchange continues to grow with vetted corporate users and private hosted exchanges among groups of companies aligned by a common purpose.

Join our exchange today.