Microsoft confirms Russian spies stole source code, accessed internal systems
theregister.com
This is a big story, and it seems curious why it isn't on the front page of HN.
Also weird are the comments alleging this is really some US spy op, and not the Russian state.
Russia has the motive and means and unless other evidence comes to light, it seems likely that they are behind it.
Because Microsoft sold out the US to China, and is now trying to play victim it seems.
This may be a silly question, but how do they know who did it?
They investigate, but seriously, forensics, monitor active intrusions, honey traps, etc
> This may be a silly question, but how do they know who did it?
They don't know. But it is fashionable to blame the Russians. /s
And being against Nazis in the 1940s was just another fashion statement. "/s"
[dupe]
Some more discussion on the official post: https://news.ycombinator.com/item?id=39641953
Remember when we all learned from the vault 7 leaks that the US government has the ability to create cyberattacks that appear to investigators to have come from another nation?
We were doing that prior to 2017. Thank God someone like China can't ever do that, even nearly a decade after we did and we can trust these sort of accusations at face value and not at all think critically about them.
The cyberattacks which used the Marble framework were limited to those where a payload was delivered. Marble is comparable to mailing a bomb and putting a fake return address on the package.
For data exfiltration, which is like robbing a bank vault, you'll need more than a fake address. It's orders of magnitude more difficult to cover your tracks, and you only need to leave one clue behind to undo all that work.
You don't think you can smuggle a few terabytes of traffic over the internet undetected?
For the US to have the capability to be aware of that they would have to be engaged in unconstitutional spying on US citizens. A thing they have claimed to have stopped doing.
"Trust us, we are lying"
P.S. this also means the feds have the ability to stop child sexual exploitation that takes place over the internet in its tracks but decided not to.
I think we're discussing different topics. The article headline says, "Microsoft confirms Russian spies stole source code, accessed internal systems." I interpreted your comment about vault 7 to imply that investigators (i.e., MS and anyone they asked to be involved) couldn't be certain this was Russia. I disagree with that; smuggling data leaves too many breadcrumbs. Your reply seems more focused on other parts of vault 7, and although I don't necessarily disagree with it, I'm not sure what you're trying to say here.
However, it's important to remember that FBI!=CIA!=NSA
> smuggling data leaves too many breadcrumbs
I can understand these breadcrumbs in detail. From easy stuff like TCP and DNS to the design patterns of the radiation hardened firmware running on the communication satellites.
I propose a blinded trial: give me an API with a few terabytes of data, I'll have it accessed and the data moved to a third party. Then Microsoft can tell me who that person is, right?
Attributions are about more than the code flow. You also need infrastructure to funnel exfiltrated data back to yourself.
As you can imagine, it’s harder to reuse someone else’s infrastructure. Easy to copy code patterns but you can’t exactly reuse domains, listening posts etc.
> Attributions are about more than the code flow. You also need infrastructure to funnel exfiltrated data back to yourself.
How is that even possible and how does it help? A computer is like a state machine where a minuscule amount of states are logged. When the state is gone the trace is gone. And you don't control the other involved computers anyway. And what good does accessing "exfiltrated data" do?
Take this wildly simplified example. You are the attacker. You already have access to internal systems at Microsoft.
Now you need to send the large amounts of data back to yourself, preferably without giving away your own location in the process. That’s the exfiltration phase of the cyber kill chain.
In order to do that, you've already established a set of listening posts and command/control sites across the internet. That's your infrastructure. Setting that up in a pseudo-anonymous way is hard, so you don't do it often and may need to reuse it for multiple targets.
It’s that infrastructure that is hard to replicate if you’re trying to “look like” another threat actor on the Internet.
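One way to make the infrastructure-reuse argument above concrete is to score how much command-and-control infrastructure two intrusions have in common and cluster cases on that evidence. The script below is an added illustration, not code from the commenter or from any vendor; every indicator in it is constructed (RFC 5737 documentation addresses and .example domains), and the indicator weights are illustrative assumptions, not a published methodology.

```python
"""Toy infrastructure-overlap clustering for intrusion attribution.

Added example, not part of the original thread. Indicators and weights
below are constructed/assumed for illustration only.
"""
from collections import defaultdict
from itertools import combinations

# Assumed weights: how hard an indicator is to share by coincidence.
# A reused TLS certificate or SSH host key is strong evidence; a shared
# IP on a busy hosting provider is weak. These numbers are illustrative.
WEIGHTS = {"cert": 3.0, "sshkey": 3.0, "domain": 2.0, "ip": 1.0}

# Constructed cases: each intrusion maps to the infrastructure seen in it,
# written as "<kind>:<value>". None of these are real indicators.
INTRUSIONS = {
    "case-A": {"domain:update-cdn.example", "ip:203.0.113.10", "cert:aa11"},
    "case-B": {"domain:update-cdn.example", "ip:203.0.113.10", "cert:aa11",
               "ip:198.51.100.7"},
    "case-C": {"domain:files-sync.example", "ip:192.0.2.44"},
    "case-D": {"domain:files-sync.example", "cert:aa11"},
    "case-E": {"ip:192.0.2.44"},  # only a shared IP: weak link to case-C
}


def indicator_weight(indicator):
    """Weight by indicator kind; unknown kinds get a low default."""
    kind = indicator.split(":", 1)[0]
    return WEIGHTS.get(kind, 0.5)


def overlap_score(inds_a, inds_b):
    """Weighted sum of the indicators two intrusions share."""
    return sum(indicator_weight(i) for i in inds_a & inds_b)


def pairwise_overlaps(intrusions):
    """All case pairs with non-zero overlap, strongest first."""
    rows = []
    for a, b in combinations(sorted(intrusions), 2):
        shared = intrusions[a] & intrusions[b]
        if shared:
            score = overlap_score(intrusions[a], intrusions[b])
            rows.append((a, b, score, sorted(shared)))
    rows.sort(key=lambda r: -r[2])
    return rows


def cluster_by_infrastructure(intrusions, min_score=2.0):
    """Union-find: link two cases when shared infrastructure meets the threshold.

    Returns a sorted list of sorted clusters. Raising min_score demands
    stronger evidence (e.g. a reused certificate) before two cases merge.
    """
    parent = {k: k for k in intrusions}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b, score, _ in pairwise_overlaps(intrusions):
        if score >= min_score:
            parent[find(a)] = find(b)

    groups = defaultdict(list)
    for k in intrusions:
        groups[find(k)].append(k)
    return sorted(sorted(g) for g in groups.values())


def most_similar(new_indicators, intrusions):
    """Best-matching known case for a fresh intrusion, with its score."""
    best = max(intrusions, key=lambda k: overlap_score(new_indicators, intrusions[k]))
    return best, overlap_score(new_indicators, intrusions[best])


if __name__ == "__main__":
    for a, b, score, shared in pairwise_overlaps(INTRUSIONS):
        print(f"{a} ~ {b}: score={score} shared={shared}")
    print("clusters @2.0:", cluster_by_infrastructure(INTRUSIONS, 2.0))
    print("clusters @3.0:", cluster_by_infrastructure(INTRUSIONS, 3.0))
    print("new case ->", most_similar({"cert:aa11", "ip:198.51.100.7"}, INTRUSIONS))
```

The point the thresholds make: case-E shares only an IP with case-C, so it never merges, while the reused certificate ties A, B and D together even at the strict threshold. Real attribution work layers this kind of overlap with registration records, hosting-provider data and tradecraft, which is exactly why a false flag has to fake far more than the malware.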
What happens after the first node is hit? You more or less need to control the network stack around it to know where it in turn sends data. If the NSA or whatever do control virtually every network stack they can access politically, every lead will end in countries which do not comply, right?
If there is any world-wide N-to-N statistical analysis of eavesdropped nodes for reentry of the data, it should trivially be able to be defeated by buffering in the nodes.
I don't get how these things can be tracked at all, unless the hackers are quite incompetent.
You’re overstating the technical capabilities at scale and understating just basic investigation techniques.
“Buffering” absolutely happens for a variety of reasons.
Tracking down the money or owning the operations infrastructure of the hosting companies along the way can help. Try to expand past bits on the wire- people set this stuff up at the end of the day.
What does scale have to do with it? That is like saying I don't understand, because it is Big Data in the Cloud with Edge Computing. As I see it I just need one computer in Venezuela and the trail is gone.
There is a lot of hand waving from "security" folks. They are probably about as fraudulent as bullet forensics etc.
You're doing your own hand waving. Why does a computer in Venezuela make the trail go cold? I could have an agent working for me passing me customer lists from Venezuelan colo facilities. Combine that with knowledge of known shell entities who also operate from other points of presence and I can make inferences. If I want I could then use offensive techniques to own the middle box and enhance my confidence level by observing traffic/stored data on that machine.
Look I can’t summarize how threat actor attribution works in a hacker news comment. Does that mean the people who do it are quacks? Nope. I know people who do it, who build tools to help, and they are exceptionally sharp technical minds.
And I see you have casually dismissed an entire industry because you may not understand how someone could draw conclusions from imperfect data?
Hate to say it but this happens all day every day as human existence is filled with imperfect data. Not everything can be summarized in a neat mathematical form.
Does that mean you don’t try? I choose to try my best and continually improve methods. Otherwise what’s the point? Just give up because we can’t model human behavior and geopolitics as a pure functional state machine?
Sure I am not claiming that you can't figure out who or where the hackers are. I am claiming that you more or less have to arrest them and get their computers to be even remotely sure, and that it is trivial to frame hackers or "frame" the plot of dirt where they are located, for a hack. Especially so, when the victim can shift blame to CYA.
If the methodology is secret because secret, I as an observer just assume everything is made up. It is way too convenient for Microsoft to shift blame. There is this smell of the Clinton email leak again.
I mean, you, I presume, and I are programmers. How ludicrous would it be to claim it is not a miracle the computer even boots? It is black box upon black box and the "pink elephant behind my back", in the world of computing, is real.
I’m not sure how this shifts blame? In my opinion the blame sits squarely on the shoulders of the entity whose systems were exploited. Microsoft is responsible for the security of their systems, full stop. Doesn’t matter if the GRU did it or some random guy in Venezuela.
How do you know Microsoft was even “hacked”? I mean if you want to get super pedantic about this, I haven’t personally seen any proof.
So yes while a computer provides a convenient mathematical abstraction upon which we can reason, we aren’t talking about how a computer boots. We are talking about figuring out - within a certain confidence level - the group of individuals that likely carried out an attack. We are now firmly outside the scope of the neat little mathematical abstraction of the machine. Even within a machine, there’s more nondeterminism than you or I would like to admit. But that’s a topic for another day.
The methodology is not secret, you can google for threat actor attribution. Private companies do this work as well as governments. You are welcome to go join one of those companies or organizations to learn how it works and work to improve the process if you are so passionate about it!
You are the one putting some political agenda on this. China, Russia, as well as North Korea, Israel, Iran, and many other countries have robust offensive cyber capabilities. Attribution is not an exact science, and if you actually read any raw intelligence report it is clearly marked with a confidence level for that exact reason.
> you can google for threat actor attribution.
I've had an interesting life. I'm an expert in not getting "attributed" if you will. No need.
> Private companies do this work as well as governments.
It's mostly private snake oil vendors.
Famously the FBI used a conclusion a private company, hired by a presidential campaign made, as a pretext to engage in surveillance on their primary opponents campaign a few elections ago. They did no forensics themselves. They didn't even get the full report and what they got was heavily redacted![0]
[0]https://consortiumnews.com/2019/06/17/fbi-never-saw-crowdstr...
So once again you turn this back into a Hillary Clinton conspiracy theory. I guess there's no moving on from something that happened seven years ago now. Last I checked, the guy who was running against her won and Obama peacefully transferred power to him.
Glad you’ve had an interesting life! Best of luck in your future endeavours.
He's probably spot on, btw.
Lots of Clinton associates also worked for Microsoft. My guess is that Microsoft and the Clintons/Obama/libs sold the country out to China and are now trying to play victim.
I'm apolitical but this is the pattern I see.
So is there any evidence for it being done by China besides that it's been done by the US before?
No that's why we all can naively say it isn't happening even though many of us here could do it ourselves as a fun side project.
So you just are wildly speculating and assume this one technique you know about completely defeats teams of specialists with the budget of the richest country in the world
It's one thing to point out issues with attribution. It's another to just say since we can't say with 100% certainty let's just make up attributions.
Especially with no knowledge of the attributions certainty, they could be 99.9% sure
> we can't say with 100% certainty
This admission is unknown to the general public, they "trust the experts" that it is 100 proven.
> let's just make up attributions.
If you aren't 100% it is Russia and scream Russia, that's what you are doing
>If you aren't 100% it is Russia and scream Russia, that's what you are doing
So anything attributing attacks to Russia is made up?
I think you've lost the benefit of the doubt I was giving you. The other reply to my post is probably right, you seem to be purposefully spreading disinformation.
What OP is doing also happens to look like a disinformation technique.
Nobody in this thread is saying that but you, atm. I was just wondering if you were speculating or had any evidence. I'd even be interested to hear more about your logic because "it's possible and has been done before by other actors" isn't enough to convince me.
Are you implying that people are not, in fact, IPs?
when caught being completely run over, change the subject to the awfulness of some enemy.. do not relent! every ounce of effort on media spin! oh wait
"Blame it on the X"
X: Russians, Chinese, Iran (current US enemy)
Bad ruskies again… Maybe it’s time to find another enemy of the state? How about reptilians from outer space?