Hacking the headlines
The intersection of geopolitics and cybersecurity can make for an irresistible headline. For the media, it’s a great story; for political players, it’s a talking point they can use to appeal to their base or to browbeat their opponents with; and for cybersecurity companies, it can be an unbeatable opportunity to raise their profile and market their services.
That can, however, encourage some of the individuals and institutions that bring allegations of hacking and espionage to light to make the biggest, most explosive claims possible. Sometimes accuracy, nuance or reasonable doubt go under the bus.
Two very high-profile hacking allegations with serious geopolitical implications have been made in recent weeks, but close inspection shows them to be based on thin and inconclusive evidence from private cybersecurity companies.
The first case involves a subsidiary of Burisma, the Ukrainian gas company which became embroiled in Donald Trump’s impeachment trial. ‘Russians hacked Ukrainian gas company at center of impeachment’, was the New York Times’ headline on 13 January. ‘Russians breached Burisma during Trump impeachment probe’, proclaimed the Wall Street Journal, while Fox went with ‘Russians hacked Burisma, Ukrainian company that hired Hunter Biden: Researchers’.
The researchers the Fox headline refers to were from Area 1 Security, a cybersecurity company that provides phishing detection and prevention services to private-sector and political organisations. Area 1’s CEO, Oren Falkowitz, told the Associated Press and Time magazine that his company’s findings were ‘incontrovertible’.
In fact, the story of a Russian hack on Burisma has proved to be very controvertible. There are two issues at play here. One is the way in which some media coverage has misinterpreted or exaggerated Area 1’s findings.
The second is the report itself. It’s eight pages long, but that includes one each for the title page, the end page and three screenshots. This short document provides inconclusive evidence that any successful hack of Burisma or its subsidiary took place, or that Russian state-linked actors were responsible.
Despite the headlines decrying a Russian attack on Burisma itself, the report actually alleges that Russia’s GRU was seeking to phish email credentials from a Burisma subsidiary, KUB-Gas LLC.
Area 1’s analysis is based on the fact that someone has registered lookalike domains for remote email login pages belonging to KUB-Gas and other Burisma subsidiaries. Area 1 asserts this was the GRU (Russia’s military intelligence agency) based on past patterns of behaviour.
So, this was a phishing attempt, not a hack; there’s no indication it was successful; and evidence linking the phishing attempt to the GRU is highly circumstantial.
Facebook’s former head of security Alex Stamos wrote on Twitter: ‘This report tying GRU to a Burisma phishing attack is both literally and figuratively very thin. No details on what data they have other than a public phishing page. The absolute rhetorical certainty instead of standard language on confidence level are red flags.’
Stamos notes that large incident response and tech companies have earned the benefit of the doubt on attribution claims thanks to years of care and obvious access to huge datasets. ‘This isn’t one of those companies and this kind of report doesn’t help [them] build that reputation’, he says.
Nonetheless, the notion that Russia hacked Burisma has become a political talking point—including being cited in House Intelligence Committee chair Adam Schiff’s opening argument at the Senate impeachment hearings. That’s happened despite the claim not being supported by Area 1’s research.
Relations among the US, Ukraine and Russia are already fraught; the Burisma hacking allegations can only add to this strain. The geopolitical narrative has taken on a life of without regard to the facts, or the lack of them.
A similar story has been playing out in relation to the alleged hack of Amazon founder Jeff Bezos’s phone by Saudi Arabia’s Crown Prince Mohammed bin Salman. On 22 January, international headlines broke airing allegations that Bezos’s phone had been hacked using malware sent in a WhatsApp message directly from bin Salman’s own account.
However, when the research underlying these claims was published a short time later, it again left more questions than answers.
The allegations are based on a report by FTI Consulting, a cybersecurity company hired by Bezos to analyse his phone after personal photographs were leaked to the media last year. FTI’s analysts found no malware on the device.
What they did find was that in early May 2018, Bezos’s phone began transmitting an unusually large amount of data, shortly after a video file was sent from bin Salman’s WhatsApp account, and continued to transmit a high volume of data for months thereafter.
This is strange behaviour and warrants investigation, but it doesn’t constitute solid proof that Bezos’s phone was hacked at all, let alone that it was hacked by bin Salman’s WhatsApp message. There’s nothing to disprove the claim either, but that’s no basis for launching such a serious allegation.
One aspect of the report which has experts puzzled is the claim that WhatsApp’s end-to-end encryption prevented FTI from decrypting the content of the downloader to inspect it for malicious code. The decryption keys should be stored on the device itself, so it’s not clear what—other than, perhaps, simple lack of expertise—prevented FTI from doing so.
Cybersecurity expert Rob Graham wrote on Twitter: ‘I see nothing here that suggests Bezos’ phone was hacked. It contains much that says “anomalies we don’t understand”, but lack of explanations point to incomplete forensics, not malicious APT actors. It uses phrases like “unauthorized exfiltration” to mean “outgoing data we can’t explain”. This is bad for such a report, really bad.’
Again, despite the inconclusive evidence, all it took was the initial headline splash for the ‘Saudi Arabia hacked Jeff Bezos’ political narrative to take off.
The geopolitical ramifications of the story were immediately apparent: the United Nations called for an investigation, a mass information operation on social media demanded a Saudi boycott of Amazon, public denials were issued by Saudi officials and bin Salman himself, and equally public questions were raised over the White House’s silence. The impact of the allegations is likely to reverberate for some time.
There are two lessons from all of this. The first is that journalists and media organisations should be asking much tougher questions whenever a cybersecurity company tries to shop them a story that sounds a little too cinematic to be true.
They also need to resist the urge to write a splashy but misleading headline. If the research doesn’t prove that a hack actually happened, as in both of these cases, the headline shouldn’t assert that it did.
The second is that cybersecurity companies need to act responsibly when publishing research, particularly research that’s likely to have very real geopolitical consequences.
The publicity involved in making an explosive, but poorly supported, allegation is not worth either the potential blowback from making incorrect claims about the activities of nation-states or political figures, or the long-term erosion of their reputations in the cybersecurity field.
This article was published by The Strategist.
Elise Thomas is a researcher at ASPI’s International Cyber Policy Centre. She was written widely on state sponsored misinformation campaigns and related topics.