Russia used bitcoin to fund attacks on FIFA, chemical labs and anti-doping agencies
Real life spy work turns out to be a lot like the movies, just with more bitcoin and pettier objectives.
Bitcoin is an investigator's best friend, as the Justice Department doubtless appreciated when bitcoin transactions presented key evidence that helped verify the Russian election hacks.
But it's not just election manipulation. A new indictment reveals that Russia's military intelligence agency, the KGB-successor GRU (Glavnoye Razvedyvatel'noye Upravleniye, or Гла́вное разве́дывательное управле́ние if you're feeling Cyrillic), has used bitcoin to fund a widespread series of attacks in line with many of Russia's surprisingly petty international intelligence objectives, such as the theft and publication of athlete medical records in an attempt to accuse them of doping.
Targets included anti-doping agencies and athletics centres, FIFA (the world football federation), the Organisation for the Prohibition of Chemical Weapons (OPCW), a Swiss chemical lab that analysed the chemical agents connected to a recent series of poisoning assassination attempts and others.
The group operated under the name Fancy Bears, which portrayed itself as an independent group of hackers but was, in fact, a team of GRU agents.
It may be worth noting the use of Anonymous iconography by the Fancy Bears here, in the context of the United States' "alt-right" political demographic, which would go on to become the backbone of pro-Trump efforts in the election. The alt-right movement is largely characterised by its "anti-political correctness" schtick, which is also a mainstay of many who would identify with the Anonymous group.
The GRU agents behind the Fancy Bears are found to have been working since at least 2014, but quite possibly long before that. Russia's cultivation of the USA's alt-right movement might have been going on for many years now.
The main method outlined in the indictment was for the Fancy Bears to lay down the groundwork by doing their homework and setting up fake websites designed to mimic the real equivalent. The examples given include westinqhousenuclear dot com (with a Q instead of a G) rather than westinghousenuclear.com (the real one) and variations of the real World Anti-Doping Agency (WADA) URL.
The same fake website method is still widely used by hackers, especially in the cryptocurrency world where fake domains can prompt an unwary user to hand over their login details.
Spearphishing was usually the go-to move, the indictment says. These are carefully crafted and precisely targeted phishing attacks, which are used to direct employees of the targeted institution to the fake website in the hope of them entering their real credentials. These could then be used by the hackers to gain access to the real website.
The success rate wasn't great, but sometimes one click was all that was needed. In an attack on WADA on 4 August 2016, spearphishing emails were sent to 11 WADA employees, claiming to be from the WADA CTO. Only four employees went on to open them and unknowingly hand over their login details.
A few days later another batch was sent, this time claiming to be from a WADA IT manager and prompting users to "update their Cisco client". At least one employee was taken in by this second volley. These emails were often assembled very carefully, and sometimes days of research and drafting went into their creation. Spearphishing is very much a quality over quantity approach.
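The two techniques described above, lookalike domains and emails that pose as an internal colleague, are exactly what a mail gateway or SOC analyst screens for. The following is an added illustration (not code from the article or from the indictment): a small Python checker that flags a sender whose display name claims the organisation but whose address is external, and that compares every linked domain against a protected list using a homoglyph map and an edit-distance threshold. The protected domains, keywords, sample emails and the `.example` addresses are constructed for the demonstration; only westinghousenuclear.com and its Q-for-G variant come from the article.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed protected list: domains this organisation treats as its own.
PROTECTED_DOMAINS = ["westinghousenuclear.com", "cces.example"]
# Constructed keywords: if a display name mentions these but the address is
# external, the mail is posing as an insider (the "from the WADA CTO" pattern).
ORG_KEYWORDS = ["westinghouse", "cces", "anti-doping"]
# Character swaps that look alike in many fonts; applied to both sides before comparing.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("q", "g"), ("0", "o"), ("1", "l")]
URL_RE = re.compile(r"https?://([^\s/]+)", re.I)


def normalise(label):
    """Collapse lookalike character sequences so 'westinqhouse' == 'westinghouse'."""
    for look, real in HOMOGLYPHS:
        label = label.replace(look, real)
    return label


def levenshtein(a, b):
    """Plain edit distance; small values against a protected domain mean typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host):
    """Crude registrable domain: last two labels (assumes no multi-part public suffixes)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def classify_domain(host):
    """Return (verdict, protected_domain_it_resembles_or_None)."""
    dom = registered_domain(host)
    if dom in PROTECTED_DOMAINS:
        return ("legitimate", dom)
    for real in PROTECTED_DOMAINS:
        if normalise(dom) == normalise(real):
            return ("homoglyph", real)
        if levenshtein(dom, real) <= 2:
            return ("typosquat", real)
    return ("unrelated", None)


def analyse_email(raw):
    """Return a list of (finding, value) for a single-part RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender_dom = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []
    # Display name claims the organisation but the address is not one of ours.
    if sender_dom and registered_domain(sender_dom) not in PROTECTED_DOMAINS:
        if any(k in name.lower() for k in ORG_KEYWORDS):
            findings.append(("sender_spoof", addr))
    # Every linked host is compared with the protected list.
    for host in URL_RE.findall(msg.get_payload()):
        verdict, _ = classify_domain(host)
        if verdict in ("homoglyph", "typosquat"):
            findings.append((verdict, host))
    return findings


# Constructed sample messages (not real mail from the case).
SAMPLE_PHISH = """\
From: "Westinghouse IT Helpdesk" <helpdesk@mail-westinghouse.net>
To: engineer@westinghousenuclear.com
Subject: Update your Cisco client

Please log in at https://westinqhousenuclear.com/login to update your Cisco client.
"""

SAMPLE_LEGIT = """\
From: "Jane Doe" <jane@cces.example>
To: team@cces.example
Subject: Agenda

See https://cces.example/portal for the agenda.
"""

if __name__ == "__main__":
    for label, sample in [("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)]:
        print(label, analyse_email(sample))
```

The homoglyph check runs before the edit-distance check because a single swapped character (q for g) is also within distance 2, and reporting it as a homoglyph tells the analyst which trick was used. In production the registrable-domain step should use the public suffix list rather than "last two labels".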
Spearphishing couldn't do it all though, and when that failed things got much more sophisticated. Now the team would travel around the world to the actual locations of the targets, often facilitated by Russian embassy officials in the destination country who would help them through airport security and the like. On-site they would hack into Wi-Fi networks at the location itself, supported by teams back in Russia as well as specialised malware and hacking tools created by the GRU.
For example, the team made a trip to Rio de Janeiro in July 2016, during which they researched the Wi-Fi network and router security used by a hotel that would be hosting officials during the Olympics. In a follow-up trip the next month, they cracked the hotel Wi-Fi and used it to get the details of an Olympics official who logged into a WADA database from the hotel.
Another method was to breach someone's email through hotel Wi-Fi and then send an email from that person's account to pull off a more sophisticated spearphishing attack.
On one occasion, a Canadian Centre for Ethics in Sport (CCES) official found an email in their sent box that they didn't send. It included a malicious link, but was riddled with typos including a sign off that said: "Sent from my SamsunCopenhagen."
Once the desired information was stolen it would be changed if needed to suit the goals at hand, and then distributed.
One of the most typical methods was to reach out to reporters directly through the Fancy Bears Twitter account.
"The conspirators would actively solicit and promote media coverage so the stolen information would receive international attention," the indictment says. "This was done to further a narrative favourable to the Russian government and in order to amplify its impact."
It goes without saying, but might as well be said anyway, that the credulity and factual flexibility of some media outlets might have helped a great deal.
The big break
The big break might have come on 13 April 2018, when the GRU team was interrupted by the Dutch Defence Intelligence Service (MIVD) while trying to hack into the Organisation for the Prohibition of Chemical Weapons (OPCW) headquarters in The Hague.
The Fancy Bears fled, but left behind their equipment. This was used to draw a trail going back years. It didn't take much more investigation to find out that the hackers had entered the country with the assistance of an official from the Russian embassy.
Bitcoin was the cryptocurrency of choice, the indictment says. It was used to pay for various services such as the hosting fees for the fake websites. They got their hands on at least some of the bitcoin by mining, which might have presented a more anonymous option.
The bitcoin trail helps tie it all together because the same computers were being used to send various spearphishing emails and carry out other attacks, as well as to send bitcoin transactions.
Once again, the immutable and unerasable bitcoin transactions were a solid connection that helped tie the investigation together. As they say, bitcoin isn't anonymous.
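The "bitcoin trail" the article refers to rests on a well-known analysis heuristic: every input of a transaction must be signed by whoever holds those keys, so all inputs of one transaction are assumed to belong to the same entity, and chaining that assumption across transactions clusters addresses into wallets. The block below is an added, simplified illustration (not the Justice Department's tooling or anything from the indictment): a union-find clustering over a constructed ledger in which a mining reward and a payment to a hosting provider end up in one cluster while an unrelated customer of the same provider stays separate. Inputs are represented by address rather than by outpoint, amounts are in satoshi, and every address and transaction id is made up.

```python
class DisjointSet:
    """Union-find over address strings; unknown addresses are their own singleton."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        if x not in self.parent:
            return x
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent.setdefault(a, a)
        self.parent.setdefault(b, b)
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


# Constructed ledger. A coinbase transaction has no inputs (a mined reward).
TXS = [
    {"txid": "c0ffee01", "inputs": [], "outputs": [("1MinerA", 1_250_000_000)]},
    {"txid": "tx-a1", "inputs": ["1MinerA", "1WalletB"],
     "outputs": [("1HostingCo", 2_000_000), ("1ChangeC", 1_248_000_000)]},
    {"txid": "tx-a2", "inputs": ["1ChangeC", "1WalletB"],
     "outputs": [("1Registrar", 1_000_000), ("1ChangeD", 1_247_000_000)]},
    # An unrelated customer paying the same hosting company must not be merged.
    {"txid": "tx-x1", "inputs": ["1OtherE"], "outputs": [("1HostingCo", 3_000_000)]},
]


def build_clusters(txs):
    """Common-input-ownership heuristic: all inputs of one tx share an owner."""
    ds = DisjointSet()
    for tx in txs:
        ins = tx["inputs"]
        for addr in ins[1:]:
            ds.union(ins[0], addr)
        if len(ins) == 1:
            ds.parent.setdefault(ins[0], ins[0])
    return ds


def clusters(ds):
    """Group every address seen as an input by its cluster root."""
    groups = {}
    for addr in ds.parent:
        groups.setdefault(ds.find(addr), []).append(addr)
    return [sorted(g) for g in groups.values()]


def same_entity(ds, a, b):
    return ds.find(a) == ds.find(b)


def spenders_of(txs, ds, payee):
    """Total paid to `payee`, keyed by the cluster root of the paying inputs."""
    totals = {}
    for tx in txs:
        if not tx["inputs"]:
            continue
        root = ds.find(tx["inputs"][0])
        for addr, amount in tx["outputs"]:
            if addr == payee:
                totals[root] = totals.get(root, 0) + amount
    return totals


def mined_funding(txs, ds, address):
    """Satoshi received directly from coinbase rewards by the cluster containing `address`."""
    root = ds.find(address)
    return sum(amount for tx in txs if not tx["inputs"]
               for addr, amount in tx["outputs"] if ds.find(addr) == root)


if __name__ == "__main__":
    ds = build_clusters(TXS)
    print("clusters:", clusters(ds))
    print("who paid 1HostingCo:", spenders_of(TXS, ds, "1HostingCo"))
    print("mined funds reaching 1WalletB's cluster:", mined_funding(TXS, ds, "1WalletB"))
```

Real analysis adds change-address heuristics and must handle the ways the heuristic breaks (CoinJoin-style transactions mix inputs from several owners), but the core link the article describes, from a mining reward through a wallet to a hosting payment, is exactly this chain of unions.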
Disclosure: At the time of writing the author holds ETH, IOTA, ICX, VET, XLM, BTC, ADA