It's a mix of cleverness, long-term planning and patience, and that blunderbuss strategy often attributed to Russian nation-state hackers.
Russia was blamed for releasing the NotPetya malware against Ukraine, which ended up doing hundreds of millions of dollars worth of damage around the world as it rapidly spread through IT defences masked as a software update.
Ignoring collateral damage seems to be the modus operandi of Russian intelligence services, both in cyberspace and in the real world.
A few days ago, Czechia expelled 18 Russian envoys and cancelled a nuclear reactor contract in response to a spectacular sabotage operation that saw 50 tonnes of munitions blown up and two people killed in an explosion which was probably intended to take place outside the central European country.
The armaments were destined for Ukraine — at war with Russia — via a Bulgarian arms dealer who almost got a dose of Novichok nerve poison. Speaking of poison, the two Russian sabotage tourists in Czechia appear to have been the same senior GRU military intelligence officers who poisoned defector Sergei Skripal and his daughter Yulia in Salisbury, UK.
Some of that brazenness no doubt comes from being part of a large nation with plenty of nukes, but also because of sloppy vetting in the West in the past decade or more.
It is clear that Western adversaries have for a long time appreciated the power that asymmetric cyber warfare brings, providing heaps of leverage to geeks who dare — and who often win. We know this from those who lost and were caught.
Well-known security researcher Katie Moussouris pointed me to Alexey Karetnikov, the "12th man" in the 2010 bust of the Illegals Programme spy ring run by Russia's external intelligence agency.
Karetnikov, whose sparse Facebook page remains online, was deported from the US as a spy after working for Microsoft for nine months. He supposedly worked as a software developer for Neobit, a security vendor that counts Russian intelligence agencies as customers. The Biden administration has now placed Neobit under sanctions, and you have to wonder why the obvious clues weren't noticed earlier.
Another Russian security vendor, Positive Technologies, was also hit by the recent round of sanctions. Their often very good research will be missed, but if PT's alleged playing it both ways by supplying Russian intelligence with vulnerabilities and even taking part in operations is true, that kind of duplicity won't be.
Neobit and Positive Technologies' joint enterprise software security company ERPscan, which in 2018 was also sanctioned by the US, had supplied hundreds of solid bug reports to Oracle and other tech firms.
They won't be the last, and it's fair to say that Russia and information security have now become two incompatible terms.
Chinese security vendors, many of which also publish excellent work, are most likely next on the West's list. The whole thing could spill over to the West, in fact, and dent trust in our security firms. They have always been viewed with suspicion anyway, staffed with unruly hackers whose work is opaque and hard to understand for most others.
Our Minister for the Government Communications Security Bureau and the Security Intelligence Agency, Andrew Little, has condemned Russia's actions, and called on all states to "behave responsibly online".
It would be great if they did, but experience over the past few years tells us that Little's plea will fall on deaf ears. New Zealand had better get ready and gain infosec expertise and experience, and not rely on gentle diplomacy — and being left off many world maps.