I find the toughest part of threat research is relying on Twitter as the medium to stay engaged with other threat researchers and INFOSEC experts to stay tuned to what’s going on “out there.” Today, two tweets and their ensuing discussion caught our eye and I felt it’s time to speak up on the issue yet again. Every time a significant ransomware attack or data breach is reported, it seems there are two main questions and maybe they’re asked before the news release articles even hit the digital press: Who did it?
Why? But I hate – no I don’t hate to tell you, I enjoy telling you – it doesn’t matter. My day started with two tweets I read about Russian-supported hackers nailing the Sinclair Broadcasting group (and they had to add “a conservative media outlet”) over the weekend, and another was concerning Russia vs. US agriculture firms.
Here’s what is wrong with all the speculation in both cases. In the first case, the discussion started alluding to how maybe Putin was directing the attack on Sinclair because Sinclair wasn’t broadcasting enough hyper-sensationalized material to keep our nation divided. As I said, it was carefully inserted that Sinclair is a conservative media group (see the tie?). So, the delusion here is that Putin is coercing conservative American media via state-sponsored cyberattack…does that remind you of a certain four years of bogus Russian collusion history? The logic is completely wrong. If Putin wanted them to broadcast more, he wouldn’t have hackers shut them down over a weekend with a ransomware attack. The simple fact is the hacker group found vulnerable systems, exploited them, followed their usual pattern, and tried to extort some cash from Sinclair.
That is all that happened. And the fact that the hackers may be attributed to the Russian Evil Corp. hacker group is irrelevant. Sinclair IT security analysts and technicians had one job to do, and they failed. Think about it: a US-sanctioned (oh, feel the devastating power) group of cyber thugs nailed Sinclair because they could. Because Sinclair didn’t do its job.
The second story alluded to Russian attackers going after US agriculture firms as a follow-up to a story about the impact of such attacks on rural America. Again, a heavy focus was on who did it. And again, it doesn’t matter. Let’s get one thing straight: America is the world’s largest exporter of grain, not the importer. How much grain do we import from Russia?
Zero. Could Russia try to stagger US grain exports to assert itself as a supplier in the world? Maybe. But attacking a firm with ransomware is a very petty step in that effort, with likely little to no global grain distribution impact. No. In the end, the hacker group got lucky again, found another company whose IT security did not do its job, and hit paydirt. No politics, no global market manipulation, just straight-up extortion.
It would be nice if our companies were important enough to be considered the targets of state-sponsored cyberattacks. Imagine being so important on the world stage that a foreign leader, through their military cyber units and third-party contract hackers, is coming for you. But really, they are not. Most of us are small fish in a big ocean, and most of us are just minnows.
And here’s another take: if you think attribution and geopolitical global market manipulation motives are going to get you some payback in court someday, think again. Very few hacker groups get caught, and even fewer are tried in any court in any country. It happens. It’s just rare. First off, countries like China and Russia would first have to admit such creatures are part of their society, and that would be embarrassing. Admitting to something embarrassing is not a part of their way. Then, they’d have to admit there’s a problem that they should be involved in helping solve.
They don’t, because they didn’t do it. Ever. They’ve never done it. They’ve never admitted it, and they never will. Even when you present them the forensics that prove it. So why bother attributing anything to anyone?
Attribution is solely for the security threat researchers and their community, so they can try to gain some intelligence on what might happen next or what hacking campaign is currently underway and help you prevent future attacks. Even they can do little to nothing about it except watch and warn.
So, our advice is this: Stop worrying about who did it.
Stop trying to assign faulty logic about hyped-up clandestine geopolitics, global market manipulation and supply disruption as the reason it happened. It happened because you were, and are, vulnerable. As a company with any size of IT assets that are connected to the internet, you are a sitting duck. You can add some armor to your feathers and improve your chances of survival, but you are taking shots, and will keep taking shots, every single day you are connected to the internet. So do one job and do it well. Know your IT inventory. Know how it works and how it’s connected. And defend it. Everything else is irrelevant.
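What “know your IT inventory and how it’s connected” looks like in practice is a reconciliation: compare the assets you think you own (and what each is approved to expose) against what an external scan actually sees. The script below is an added illustration, not code from the original post; the inventory, the scan results, and the host names are constructed sample data, and the “approved services” model is an assumption about how a team might record intent. It flags three defender-relevant gaps: hosts nobody inventoried, internal-only hosts that are reachable from the internet, and known internet-facing hosts exposing services nobody approved.

```python
"""Reconcile an asset inventory against an external exposure scan.

All hosts, owners, and services below are constructed sample data
for illustration; nothing here refers to a real organization.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    """One inventoried system and what it is approved to expose."""
    host: str
    owner: str
    internet_facing: bool
    approved_services: set[str] = field(default_factory=set)


# Constructed inventory: what the IT team believes it owns.
INVENTORY = {
    "web-01": Asset("web-01", "web team", True, {"443/https"}),
    "mail-01": Asset("mail-01", "it ops", True, {"25/smtp", "443/https"}),
    "db-01": Asset("db-01", "data team", False, {"5432/postgres"}),
}

# Constructed external scan: host -> services actually reachable from outside.
EXTERNAL_SCAN = {
    "web-01": {"443/https", "22/ssh"},
    "mail-01": {"25/smtp", "443/https"},
    "db-01": {"5432/postgres"},
    "legacy-vpn": {"443/https", "3389/rdp"},
}


def reconcile(inventory, scan):
    """Return a list of (finding_type, host, services) tuples.

    unknown_host        - seen from outside but not in the inventory at all
    unexpected_exposure - inventoried as internal-only, yet reachable
    unapproved_service  - internet-facing host exposing a service that was
                          never approved for it
    """
    findings = []
    for host, services in scan.items():
        asset = inventory.get(host)
        if asset is None:
            findings.append(("unknown_host", host, sorted(services)))
            continue
        if not asset.internet_facing:
            findings.append(("unexpected_exposure", host, sorted(services)))
            continue
        extra = services - asset.approved_services
        if extra:
            findings.append(("unapproved_service", host, sorted(extra)))
    return findings


def unscanned_assets(inventory, scan):
    """Inventoried hosts the scan never saw: the inventory may be stale."""
    return sorted(host for host in inventory if host not in scan)


if __name__ == "__main__":
    for kind, host, services in reconcile(INVENTORY, EXTERNAL_SCAN):
        print(f"{kind:20} {host:12} {', '.join(services)}")
    stale = unscanned_assets(INVENTORY, EXTERNAL_SCAN)
    if stale:
        print("inventoried but not observed:", ", ".join(stale))
```

Each finding maps to an owner from the inventory, which is the point: an “unknown_host” result has no owner, and that is exactly the kind of asset that gets exploited “because they could.” Running the reconciliation on a schedule, and treating any non-empty result as work to do, is the unglamorous job the post is describing.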