Modern field guide to security and privacy

Are Russian cyberspies buried in Dutch networks, too?

A US government analysis appears to show that Russian operatives hijacked hundreds of computers globally to carry out attacks on US political groups. But in this case, looks may be deceiving.

Yuri Kochetkov/Reuters/File
Russian President Vladimir Putin.

That 10-digit number is an Internet Protocol (IP) address, a unique identifier for computers and other devices that connect to the web. 

The address above maps to internet infrastructure in the Netherlands that, according to US authorities, Russian operatives hijacked to orchestrate part of a long-running cyberespionage campaign that targeted the Democratic Party and other American organizations.

Newly declassified findings released by the Homeland Security Department (DHS) and the FBI show Moscow cyberspies have their tentacles around hundreds of IP addresses located in 60 countries, primarily in the US (47), China (45), Netherlands (20), Germany (14) and France (12).

While it may appear that Russia has a troubling grip on US, Chinese, and European networks, there's probably no link between the corrupted IP addresses and the whereabouts of whoever or whatever Russia is targeting, multiple threat analysts caution.

"Russia’s use of infrastructure in the US, China, Netherlands, Germany, France, etc., does not directly correlate to geopolitical interest in those nations," said Kyle Ehmke, a senior intelligence researcher at security firm ThreatConnect.

The various IP addresses that a country's cyberspies or independent hackers co-opt often have little to do with locations they might target. Often, hackers utilize infected computers in one location to target computers elsewhere in the world to hide their tracks. 

Plus, "by acquiring infrastructure in various locations, [the bad guys] are also hedging against the possibilities that all of their infrastructure will be discovered or shut down by a single government," Mr. Ehmke added.

As for why Russia has glommed on to Dutch IP addresses, "if you look at the Netherlands, that's probably some of the best infrastructure in Western Europe," said Mark Arena, chief executive officer of Intel 471, a firm that analyzes cyberattackers' motivations.

Last week, a DHS official said, "We know the Russians are a highly capable adversary who conduct technical operations in a manner intended to blend into legitimate traffic."

Private cybersecurity researchers for the past five years have been publishing suspicious IP addresses, along with other tools and tactics, associated with Russian military and civilian government hackers. They've also named various threat groups, differentiated between their individual operations and parsed their modus operandi. For instance, there's one group that's alternatively dubbed Fancy Bear, APT 28, and Sofacy that the US government claims assailed the Democratic National Committee.

But the DHS-FBI Joint Analysis Report and accompanying spreadsheet listing IP addresses marked the first time the US government acknowledged the Russian cybergang names and methods exist. The Russian government "conducted many of the activities generally described by a number of these security companies," the statement said, referring to independent cybersecurity firms who have previously blamed Russian operatives for the DNC hack.

Still, say critics, naming specific IP addresses does little to help potentially high value targets such as the DNC and others protect themselves from malicious hackers. 

"An IP address associated with a Russian nation state campaign in March might be Granny Smith’s Bakeshop in July. Infrastructure moves around the internet," said Robert M. Lee, former Air Force Cyber Warfare Operations Officer and now a cybersecurity fellow at New America. 

The government report is "entirely useless or harmful" to technical network defenders who will lose time and money responding to false alarms, he said.

There are signs the listing of suspect IP addresses is already leading to some confusion.

On Dec. 30, an employee at a Vermont utility was checking his Yahoo webmail account and triggered an alert indicating that his laptop had connected to a suspicious IP address associated with the Russian hacking operation.

It turned out "that traffic with this particular address is found elsewhere in the country and is not unique to Burlington Electric, suggesting the company wasn’t being targeted by the Russians. Indeed, officials say it is possible that the traffic is benign, since this particular IP address is not always connected to malicious activity," The Washington Post reported.

To thwart potential cyberspies, wherever they may be located, US officials still recommend that system administrators crosscheck the published IP addresses with their logs to discriminate between malicious and innocuous activity.

"It's particularly necessary to emphasize that the Russians hide in the noise. They often use IP addresses that are legitimate machines generating legitimate inbound and outbound traffic connections," a DHS official said Tuesday.

"Simply because the IPs are in the logs does not mean there has been malicious activity," the official said. "It is, however, cause for a further look to determine if malware, for example, may be resident."

of stories this month > Get unlimited stories
You've read  of  free articles. Subscribe to continue.

Unlimited digital access $11/month.

Get unlimited Monitor journalism.