19 comments

[ 2.1 ms ] story [ 38.5 ms ] thread
> Russia has denied responsibility for the NotPetya attack - which is estimated to have cost companies more than $1.2bn - and pointed out that Russian firms were among those whose systems were affected.

Or perhaps this has become a standard OpSec playbook to provide sufficient diplomatic cover? Not sure who to believe.

Sure, it's also reasonable to think that these companies were in on it and received compensation or hadn't signed on to an agency's agenda/paid protection money/whatever. Plenty could have happened, we just don't know.
Recently a wave of DDOS attacks hit the banks of the Netherlands. While the large Bank CEOs were on the news saying this was a professional, very possibly the Russians, Jelle M. from the small town of Oosterhout was caught and confessed that he had spend something like 50$ on some DDOS stress testing service. There is a very nice story on this [0], unfortunately it is in Dutch.

Yes, this is different but the ease with which the Russians are blamed seems to be very wide spread. Of course, we never get to see and investigate the evidence.

[0] https://tweakers.net/reviews/6031/een-ddoser-betrapt-hoe-de-...

Russia does employ 'Maskirovka' so it is pretty standard for them to deny anything despite being aware of it.
It's kinda sad the public just eat it up.
Makes you wonder how much other BS is being forced down our throats. Often as a subject matter expert, when you see media coverage of your domain, you know it’s BS. But then you forget about that the second an “expert” in another domain is on TV telling you what to think.

There have been psychology studies on this effect but I can’t find the references atm.

Gell-Mann Amnesia
Yep, that's it. I guess the idea comes from a quote attributed to him [0]:

> Briefly stated, the Gell-Mann Amnesia effect works as follows. You open the newspaper to an article on some subject you know well. In Murray’s case, physics. In mine, show business. You read the article and see the journalist has absolutely no understanding of either the facts or the issues. Often, the article is so wrong it actually presents the story backward-reversing cause and effect. I call these the “wet streets cause rain” stories. Paper’s full of them. In any case, you read with exasperation or amusement the multiple errors in a story-and then turn the page to national or international affairs, and read with renewed interest as if the rest of the newspaper was somehow more accurate about far-off Palestine than it was about the story you just read. You turn the page, and forget what you know.

I swear I've seen this confirmed in some psychology studies but I can't find them right now.

[0] https://en.wikiquote.org/wiki/Murray_Gell-Mann

It's starting to become a problem, honestly.

There was a case with a local MP here who was supporting an unpopular bill, so his website got DDOS'd and the next day he was in the media talking about how this had to be a sophisticated attack. Basically implying that it had to be a rogue state behind it, not mentioning Russia by name, but it was obvious, cringy, sad and obvious.

Same with social justice outrage sells the product.
Same thing with the French election email leaks. Google "french election russia hack" and look at the assertions. The French intelligence agency very quietly denied Russia was behind the hack months later.
The Mirai botnet was also attributed to "nation state actors." Turns out it was a couple teenagers trying to make some money with Minecraft. [0]

Copy-pasting from an earlier comment of mine [1] on the Mirai/Minecraft story:

> I don’t understand why every single cyberattack is immediately blamed on Russia or China. It’s an intellectual embarrassment, and especially worse when it’s coming from experts within the community rather than politicians in congress.

Adding to that, equally embarrassing is the fact that the media and governments refer to "Russia" as if it's a single, personified entity. Even if an attack did "originate" in Russia, does that mean that it was sanctioned and planned by the Russian government? Or could it be one of the 144 million Russian citizens acting autonomously? It really requires a leap of faith to conclude that not only did the attack originate in Russia, but it was actually planned by the Russian government.

Attribution of cyberattacks is hard, borderline impossible, without non-technical corroborating evidence. For example, a SIGINT or HUMINT intercept that reveals intent would corroborate otherwise unreliable technical attribution. When the only evidence for attribution is Russian IP addresses and "Cyrillic characters," it's irresponsible to go public with accusations like this. Of course, if there is corroborating intelligence pointing to Russia, we'll never see it.

[0] https://www.wired.com/story/mirai-botnet-minecraft-scam-brou...

[1] https://news.ycombinator.com/item?id=15921340

>The Mirai botnet was also attributed to "nation state actors."

Not by anyone you should listen to, Mirai was attacking minecraft servers from day one.

Unless you count Bruce Schneier, who congress sometimes listens to. To be fair, I ridiculed him for exactly this in my original comment, so I agree with you.

The issue is not who we should listen to. It's who the politicians listen to, and who the media listens to. Those are the "experts" who, often unwillingly, set the narrative, driving public perception on the topic and ultimately influencing policy.

This just proves that you should only listen to Schneier when he is discussing the domain in which he is an expert, which is certainly not attribution.

It’s pretty obvious that he had not looked at Mirai at all when he attributed it to ‘state actors’.

Politicians and the media will always listen to whoever yells the loudest.

So you're comparing a security researcher saying:

“We don’t know who is doing this, but it feels like a large nation-state. China or Russia would be my first guesses.” in the early stages of an investigation into a massive botnet that grew much faster then even its creators expected.

And the government of the UK officially naming Russia (and to your second point, specifically the Russian Military) as being behind an attack.

I sometimes feel like modern society has been attacked by a context-eating virus.

>Attribution of cyberattacks is hard, borderline impossible, without non-technical corroborating evidence.

Intelligence agency budget increases and sky-high consultancy fees are going to be more forthcoming when it's "a scary nation-state" behind an attack rather than a couple of teenagers or a band of cyber-criminals.

Also, Russia, after North Korea, does seem to be everybody's favorite bogeyman these days.

Intelligence agencies and security consultants will have to balance potential reputation risk as well, of course (if it comes out that they were wrong it's quite embarrassing), but if attributional evidence is weak then it pays to pick the bogeyman.

Your point about consultants is an important one, and demonstrates a moral hazard of outsourcing intelligence work.

CrowdStrike is especially guilty of this. It seems whenever there's a cyber attack, CrowdStrike is there to attribute it to whichever bogeyman is most convenient today.