According to the NCSC, it has assessed with "high confidence" that the GRU was most certainly responsible for the attacks.
Radio Sputnik discussed the accusations with Kevin Curran, professor of Cyber Security at the Faculty of Computing, Engineering and Built Environment at Ulster University.
Sputnik: The UK's National Cyber Security Center has concluded that Russia's GRU was responsible for many cyberattacks over the years; what's your take on the statement?
Sputnik: Perhaps, what's new here is that they also mention Russia's central bank and a number of media outlets in this report. How would they be able to make this conclusion?
Kevin Curran: It might seem simple enough, but a fundamental concept in cyber security and digital forensics is that it sometimes is extremely difficult after a cyberattack to definitely and definitively name the perpetrators, because hackers have a lot of technical tools at their disposal to cover their tracks. Even when analysts figure out what computer the hackers are using, going from there to the user is difficult. This is called the attribution problem. They are getting better, it depends on the agency involved, but they are getting better at being able to track and they also have a lot of points of reference as well. Quite often when they do come up with it, they are pretty confident that they know who they believe does these attacks. If you look at some of these attacks, you just wonder why any nation-state would carry out some of these attacks, because they seem to be done on private companies. But sometimes an attack could be just a trial to see if it works. We only know of the attacks that we find out about, but the best attacks are never discovered.
Sputnik: Like you say, there's nothing new speaking about these attacks or alleged attacks. Why would London persist and continue this theme when you've got US President Donald Trump saying that there is no evidence to suggest the election results in the US had been swayed?
Kevin Curran: That's just Donald Trump's opinion. Of course, the Americans themselves have relaxed the rules on nation-state cyberattacks. Just last month, President Trump rolled back a series of Obama era classified rules on how the US government can launch cyberattacks on foreign targets; the Americans have always been opposed to any rules that stopped them. So, they themselves, like all large nation-states, like China or the UK, have their teams, just like these APT-28 and Fancy Bear, which have been attributed to the GRU.
That's his opinion, but a lot of private and security companies would believe that Fancy Bear was behind the DNC hack. In fact, this hack was subject to a lot of analyses and reports to defend the United States from their intelligence agencies that clearly show that an attack was done and they attributed that to APT-28. I think that it's in Trump's best interests to say what he's saying, but if you read the reports, you'll see that a lot of analysis has been done to track it back to APT-28.
Sputnik: There have been some other interesting scenarios; a US company, FireEye, published a report that said that North Korean hackers could have disguised themselves as Russians carrying out cyberattacks. This sounds a bit far-fetched, but what do we know about hackers from a certain country disguising themselves as someone else to confuse the investigation?
Kevin Curran: Countries will do that. First of all, they'll try to develop malware which is undetectable, sometimes using zero-days, which are attacks unknown to any malware or antivirus toolkits. Again, they can be quite extensive; but there have been ones done like Stuxnet, which was attributed to the US and the Israeli intelligence units; that was an attack against the Iranian subterfuges to stop them from making uranium. It is a common thing to do to try to hide your tracks; and then if you know that you're going to be discovered, then to try to make the code look like it was written in a foreign language and to launch it from a different area, and have others take the blame for it.
Sputnik: So, basically, there is always a way to eventually find out who carried out the attack, no matter how well they disguise themselves. Have there been successful attacks when nobody really knows where it originated from?
Kevin Curran: Definitely, there are such attacks. Most numbers have been penetrated to some degree and there is code lying out there which has not been discovered. It's got into a network, it has exfiltrated what it needs and it's got out of there and cleaned all the code behind it; so no one ever knew what was in there.
Cyber intelligence agencies only have so many staff and resources, and it requires highly-skilled computer scientists to go through this; they've got finite budgets, so they can only concentrate on top priorities at any time. There's no way they are able to identify all the attacks, and also there's no way they can be 100% sure all the time when they attribute an attack to a certain country.
The views and opinions expressed by the speaker do not necessarily reflect those of Sputnik.