51 comments

[ 3.1 ms ] story [ 114 ms ] thread
It's a shoddy story. Quote: "Our sources told us the hackers had gained access giving them the ability to intercept ALL INTERNET TRAFFIC going to several countries in the Middle East" Way back, I used to work with dissidents/journo's/academics against censorship and surveillance at various countries. All but Turkey where easy because I recall that it was the military being in full control; playing with BGP among other things. This makes the quote a bit awkward. Why would they gain abilities already possessed & put their cards open on the table ?
If they had access to the undersea cable(s), that would certainly be different than having the ability to fiddle with (generally detectable and attributable) BGP attacks.

My money is on this being similar to the leaks of tapes where a bunch of high ranking Turkish military & members of the administration were discussing false-flag attacks from Syria to have a reason to invade, basically the US feeling they have exhausted their diplomatic channels to Ankara and dropping pieces of intel into the wild to get Turkey to stop what they are doing.

# The "attack" level of sophistication does not befit a state actor. # The Reuters article mentions 2 British and one US security _officials_ # Same Reuters article states that GCHQ and US equivalent declined inquiry. ( Mind bullet #1. ) # Turkey states there has been no data ex-filtration; sources do not mention serious damage on either side.

The most simple explanation is usually true, so I think a security firm like NCC group ( GCHQ still holds a stake in them ) is creating waves for business.

Re "state actor", while reading the headline I figured "oh, they would have called it 'state actor' if it was believed to be Russian or Chinese", but reading the article, they may have chosen not to use that term also because it wasn't MIT but some loosely affiliated patriotic group. Given that the borders between state and non-state are very fluent in Turkey, there may also be multiple things being attributed.

Still very much possible that it's FUD/PR, there's likely information, misinformation, PR and news hyping in any such report, with degrees of each varying.

You said the simplest explanation is usually true, then peddled a nonsense conspiracy theory. I don’t think you understand what NCC does at all.
>As part of these attacks, hackers successfully breached some organizations that control top-level domains, which are the suffixes that appear at the end of web addresses immediately after the dot symbol, said James Shank, a researcher at U.S. cybersecurity firm Team Cymru ...

Anyone know which TLD orgs were hacked?

The evidence, if true, shows the hackers are acting in Turkey, but I don't see the proof that it is in Turkey's interest.

Disclaimer: I'm a Turkish citizen. I don't support what our government have been doing since 2006 except for some small stuff about healthcare and such. I could never vote for the winning party since I was given the right to vote.

Reading the article, it seems the conclusion was inferred from the fact that Cyprus, Greece, Albania and Turkish Masons were targets. That those targets are not a good way to steal but are all disliked by the current regime. That several western analysts concluded they were government sponsored and that the attacks were quite complex.
What are the chances the hackers disliked one of those targets and only attacked all of them to throw the investigators off?
Could be the whole thing is faked by an other country. Could be all the logs were misread. Could be the west trying to make Erdogan look bad, or a plot by Gulen or maybe UFOS.

But more likely is a regime spewing conspiracy theories so the people can no longer tell truth from fiction.

That is a commonly used technique actually and one to throw off the scent of false attribution. Although no evidence is cited in the article and all the nebulous case is built on anonymous sources.

The last disastrous piece on the alleged hack of firmware at AWS and Apple by the Chinese was built on anonymous sources as well and the cyberhacking article was not retracted or apologized by Bloomberg.

https://www.bloomberg.com/news/features/2018-10-04/the-big-h...

Time will not be forgiving to the authors of this article.

Maybe Reuters has article quotas on cyberattacks per month and it’s close to the end of the month and they need to fill it somehow. It’s the journalistic equivalent of being pulled over by cops for no reason towards the end of the month so they can issue a ticket and fulfill their quota.

And my favorite part is Turkish interests. Is that a couple of script kiddies who speak Turkish sitting in a basement in their pjs taking a break from Fortnite or PUBG?

This article makes Judith Miller look like a real journalist like Walter Cronkite. Judith Miller of NY Times wrote stories based on multiple western anonymous and credible sources covering WMD in Iraq.

https://en.m.wikipedia.org/wiki/Judith_Miller

The evidence isn't just that the hackers were in Turkey, the evidence to quote the article:

>According to two British officials and one U.S. official, the activity bears the hallmarks of a state-backed cyber espionage operation conducted to advance Turkish interests.

So the evidence is that it's a state sponsored attack done to pursue Turkish interests. You can choose not to believe it, but that's what western experts are saying.

Turkey has 80 million people and a GDP of $770 BILLION (nominal) or $2.3 Trillion PPP. Essentially unlimited money and manpower--for the task at hand.
that would make sense if 100% of turks were ultranationalists hellbent on spying countries of 10, 3 and 1 million.
They don't need 80 million hackers. They need the state to fund hackers from a huge pool of 80 million people. Or just set hackers loose for patriotic reasons.
A third of this population is underaged for hacking and another third will not be educated above primary school. It seems like a much smaller pool of "hackers" when you consider that this is a land where a large percentage of adults are undereucated farmers and workers are living off of agriculture, textile and menial labour. Where the general consensus is to spend a large sum of your money on government sponsored games of chance, or if you are on the more religious side, go and spend it on magic items and blessings. At any given time you will probably get 30-50 highly skilled hackers (self-taught out of pure chance) and rotation will be high due to getting a large number of opportunities to live a better life abroad.
Define "Turkey's Interest".
Like Amazon reviews and the rest of the internet, HN is being overtaken by commercial and political interests. Fuck them all; their souls are empty and destined for nothingness.
The Turkish government is seeking to tap into eastern Med's natural gas and oil reserves, while ignoring International laws and discarding neighboring countries Exclusive economic zones.

So acting basically like a pirate and threating each day with war. Let me give you a few examples and you can verify them later any way you wish.

In Cyprus the sent -not one but two- drilling ships and research vessels to search for oil, with the escort of Turkish Navy of course. They failed to find gas in one location and are moving to the next. To add insult to the injury they even say they will share what the find, like a thief saying he will sell your stuff and share with you the money...

In Greece were I live, there is a lot of up-heat with the recently signed Turkish-Lybian moratorium which basically ignores the Greek island of Crete (as well others smaller ones) and declares EEZ with Lybia, which they call "neighbours" (look at a map please), at the same time ignoring the rights of Greece, Cyprus, and Israel.

Also search for the clean water crisis in Iraq, which Turkish government is ...also to be blamed. Basically they build dams cutting Euphrates river flow and DENYING their neighbor's RIGHT for clean water, violating other International agreements.

Also let me remind you of the war in Lybia which the GNA is loosing, so they signed a deal with Turkey in order to help them win the war
What is the difference between this article and fake news? A whole article built on anonymous sources. Who are these credible anonymous sources? Donald Duck?

And doing a DDOS attack is quite trivial and any script kiddie could launch one from their computer or if they are slightly more adept from other peoples computers.

Turkey in fact is one of the most backward countries in terms of cybersecurity (and cyberattacks).

Turkey was just attacked recently with DDOS attacks and whole countries Internet came to a standstill. Did the anonymous sources have any thoughts on that?

Just look at Shodan to see how vulnerable and backward Turkey is in cybersecurity matters:

https://www.shodan.io/

Anonymous sources are an essential part of journalism, and Reuters is reputable enough to use them responsibly.

> The weakest sources are those whose names we cannot publish. Reuters uses anonymous sources when we believe they are providing accurate, reliable and newsworthy information that we could not obtain any other way. We should not use anonymous sources when sources we can name are readily available for the same information.

> Unnamed sources must have direct knowledge of the information they are giving us, or must represent an authority with direct knowledge. Remember that reliability declines the further away the source is from the event, and tougher questions must asked by reporters and supervisors on the validity of such information.

http://handbook.reuters.com/?title=The_Essentials_of_Reuters...

Unfortunately Reuters is famous for fabricating fake need in the name for some state actors too.
...and so is Yeni Safak, am I right?
It's hard to take these accusations at face value without evidence.
On a possibly-related subject, these three things seem like a big coincidence when taken together:

(1) Yesterday I noticed Wikipedia was way slower than normal. Article pages took ~30 seconds to load sometimes. (Down Detector agrees this: https://downdetector.com/status/wikipedia/)

(2) Yesterday, Hacker News had a headline Wikipedia was accessible in Turkey for the first time in years. (See https://news.ycombinator.com/item?id=22153304) Some people in that thread also noticed the coincidence between this and #1.

(3) Now this story about cyberattacks from (or on behalf of) Turkey.

These attacked occurred in 2018 and 2019.
That's not how I read it. First of all, the headline says "recent". The article mentions some attacks in 2018 and 2019, but it also says the "broader series of attacks is ongoing".
Ok.

I don't understand what the original post is implying then.

These aren't denial of service attacks, so what is the connection between Wikipedia being slow and some attacks that started in 2018 and are continuing now?

So I'm not an expert by any means, but from what I understand, estimating hacker provenance consists purely of modifiable and/or spoofable circumstantial evidence, including IP addresses, malware signature, and possibly timestamps/localizations within the binaries.

All of this makes a convincing story for media and laymen, but surely a competent hacker could pull of a hack and trivially modify the evidence to implicate any state actor/group who's modus operandi are known in hacking circles, no?

Which, incidentally, is why I had issue with the certainty with which croudstrike, for example, pointed to Russia over the DNC hack. Deliberately engineering your attack to mimic one from another group is an excellent way to keep people off your trail...and these are hackers we're talking about, after all.

Hackers do cover their track, actively.

But guess what, they're human and they fail, sometimes, not always.

Attribution becomes a playable game once you're a nation state, thanks to many "unfair advantages".

... In the end, many thing gets known.

Since you admit that you’re not an expert, you shouldn’t really assume that attribution is that simple, or that they aren’t fully aware of these things you mention.
Because all of these things being trivially manipulated means in the past, attribution was entirely done for nation states to point at other nation states or for scam artists to promote their cyber cyber cyber security technology consulting services. If there is such a thing as "the science of attribution", and that is very questionable, it sure as hell isn't above the noise floor.
Since he admits he isn't an expert, maybe you shouldn't scold him for probing the depths of his knowledge and asking questions to expand his understanding.
I’m not, and he isn’t really doing that either. He started by saying he isn’t an expert, and then attacked a straw man and challenged the work of actual experts, based on his incorrect assumptions of what they do. This is like what antivaxxers do, or like claiming that jet fuel can’t melt steel beams. Inquiry is fine, but never criticize from a position of ignorance.
Comparing the guy to antivaxxers or 911 truthers goes a bit further than merely scolding him...

In for a penny, in for a pound?

Don't lump me in with antivaxxers just because I'm being critical of something. Even if I'm not an expert I'm an experienced software developer and a generalist. This is a plausible suspicion and even then, look at the answers: most of them boil down to yeah, hackers cover tracks, but sometimes they screw up and leave behind clues - which really means we may only be catching the shitty ones. It's exactly the kind of business that potentially could be populated by dishonest and/or overconfident people, like people have been doing with arson for decades. There's the same lack of verifiability - you can finger a group, but how often do you get any sort of confirmation?

In any case, the fact that "anti vaxxers" use certain lines of questioning doesn't mean that the truth seeking methods are themselves suspect. Some people are pessimists, and rightly so; isn't that what hacking is all about?

Your argument seems to take the general form of "non-expert does not understand specialty field, doubts veracity of experts in field". It's understandable that some might be skeptical of any argument of this form, as they are all essentially arguments from incomprehension and incredulity.

The specialty here isn't software, really. It's intelligence. That's a very different field and knowing something generally about how computers work might not translate into as much relevant expertise as one could hope for.

I know my expertise in software security doesn't equip me to do this kind of intelligence analysis. IMO, that doesn't leave me with a lot of standing to comment substantively on many - even most - aspects of such analysis.

> estimating hacker provenance consists purely of modifiable and/or spoofable circumstantial evidence, including IP addresses, malware signature, and possibly timestamps/localizations within the binaries.

There's more to it than that, and often attribution is the result of the "bigger picture" of multiple clues, rather than a single smoking gun. Group operations develop patterns over time that are much greater than just a timestamp somewhere. Also, identifying a 0-day exploit somewhere often allows you to discover previous deployments of the same exploit, which have their own blast radius of evidence, contributing to these patterns that are identified over time.

>but surely a competent hacker could pull of a hack and trivially modify the evidence to implicate any nation/state who's modus operandi are known in hacking circles, no?

>Deliberately engineering your attack to mimic one from another group is an excellent way to keep people off your trail...

Yes, misdirection is the name of the game here, all bets are off and nothing is off limits. But covering your tracks leaves tracks of its own, and again, even when an attacker thinks all their bases are covered, they will never be sure there wasn't something somewhere they left behind that points back to them.

> and these are hackers we're talking about, after all.

Who do you think "hacker-hunters" are, if not hackers themselves?

(comment deleted)
The question should not be "can hacks be attributed by digital evidence alone" of course they can. The question should be, in this specific case:

1. How much evidence do we have?

2. How hard would it be for the hackers fake this evidence?

3. Are there any signs of forgeries? For instance logs that don't agree, file system artifacts, etc...

4. What were the capabilities of the attacker?

The longer a hack goes on and the larger its scale the harder it gets to forge 100% of the evidence.

>All of this makes a convincing story for media and laymen, but surely a competent hacker could pull of a hack and trivially modify the evidence to implicate any nation/state who's modus operandi are known in hacking circles, no?

I would say no, doing that is very difficult and is not trivial to do. All cases I've read up on, such as stuxnet, flame, APT-1 etc..., had clues as to the origin of the malware and such clues were left in the malware accidentally.

the strongest evidence is that all of the targets are of geopolitical or local importance to turkey. i'm not sure why anybody else would hack the turkish freemasons.
So I'm not an expert by any means

It's interesting - it's people who know a little bit who are doubtful about attribution, while those who actually know this understand it's possible to be pretty confident in many cases. It's hard to tell in this case, but the Crowdstrike report gives a lot of evidence which would persuade most in the field.

Generally speaking the best form of evidence is unique binaries which have been used in other attacks. Then you cluster attacks based on this information and other signatures. It's pretty hard to fake all of the required signatures at once, and most of the time a group doesn't really care.

It's much more robust than you seem to think - spoofing it occasionally is viable for a once-off attack, but doing the spoofing usually burns your access and methods so it's really expensive. It's not the kind of thing one burns on something like this attack or the DNC hack.

The DNC hack is a good example really - they had no idea how effective the misinformation campaign would be at the time, so why would they complicate it by trying to make it misattributable.

The funniest part about the ignorant attribution skeptics who think this kind of thing is done based on IP addresses or binary metadata is that in this particular case another intelligence agency actually hacked the systems they were hacking from in the Russian government facility, turned on their webcams, and got their faces while they were hacking.

The attribution was already solid without that, but that’s icing on the cake.

We need DoH (DNS over HTTPS) and/or DoT (DNS over TLS) faster and everywhere, including routers, browsers, OSes. And we need to get rid or find a viable alternative to this hostile hotel and airport WiFi hijacking DNS login methods which is essentially the same this hackers have done in a larger scale! We need some alternative and good method for that.
Agreed. The wireless (and wired) login/ToS page redirects common in guest Wifi and corporate environments were never really designed for. They work now by abusing what are essentially design flaws, and they don't even work very well.

Another glaring hole in Wifi is that there's no open + encrypted option. Your options are basically open with no encryption at all, personal mode (shared key for authentication and encryption), or enterprise mode (username + password, certificate-based, or similar).

The Wifi authentication standards should really be modernized to address these issues.

’The hackers have attacked at least 30 organizations, including government ministries, embassies and security services as well as companies and other groups, according to a Reuters review of public internet records‘

Which public internet records?

I'm guessing they did a whois on the domains linked to the attack.
There's more details on the SeaTurtle attack this was related to[1][2][3][4].

It looks like the new information here is that intelligence officers are confident enough to link the group to Turkey. Previously FireEye thought it was an Iranian group.

[1] https://www.zdnet.com/article/hackers-breached-greeces-top-l...

[2] https://techcrunch.com/2019/04/17/sea-turtle-talos-dns-hijac...

[3] https://blog.talosintelligence.com/2018/11/dnspionage-campai...

[4] https://www.fireeye.com/blog/threat-research/2019/01/global-...