By Danny Yadron in San Francisco and Siobhan Gorman in Washington
Earlier this year, investigators for Silicon Valley security
company FireEye Inc. visited a U.S. firm to determine who, and
what, sneaked into the firm's network harboring military
secrets.
There they found what they call a sophisticated cyberweapon,
able to evade detection and hop between computers walled off from
the Internet. The spy tool was programmed on Russian-language
machines and built during working hours in Moscow. FireEye's
conclusion, in a report to be released Tuesday: The cyberspying has
a "government sponsor--specifically, a government based in
Moscow."
The report is one of four recent assessments by cybersecurity
companies, buttressed by reports from Google Inc. and U.S.
intelligence agencies, pointing to Russian sponsorship of a skilled
hacking campaign dating back to 2007. Targets included NATO,
governments of Russia's neighbors, and U.S. defense contractors
Science Applications International Corp. and Academi LLC, the U.S.
security firm previously known as Blackwater.
Collectively, the new research offers evidence supporting a view
long expressed privately by U.S. officials and American security
researchers: Moscow commands the A-team of Internet
adversaries.
China, the object of recent U.S. allegations of cyberspying, may
hack more often, U.S. officials and researchers say. But Russia
hacks better.
"I worry a lot more about the Russians" than China, America's
top spy, Director of National Intelligence James Clapper, said at a
University of Texas forum this month, speaking of cyberattacks.
A U.S. official said differentiating between Russian criminal
hackers and government hackers is difficult because the government
uses cybersurveillance tools created by criminal groups and
criminals use tools developed by the government.
For example, U.S. officials still haven't determined whether the
high-profile infiltration of a classified military system in 2008
was carried out by criminals or government hackers because the same
surveillance tool was used by both, the U.S. official said.
More recently, the infiltration of J.P. Morgan Chase & Co.
has also been difficult to pin down.
"It looks to be criminal and of Russian origin," the U.S.
official said. But when it comes to gauging whether that criminal
element is working with the government, "you're back into that gray
area. You really can't tell."
People with direct knowledge of the investigation said there is
no evidence implicating the Russian government in the J.P. Morgan
breach.
The Russian embassy didn't respond to a request for comment.
American complaints about Moscow's espionage skills come as
U.S.-Kremlin relations have hit a post-Cold War low following
Russia's incursion into Ukraine. Although some security firms said
they are seeing more activity from Russia-linked attacks these
days, U.S. officials say it's difficult to establish a baseline for
Russian-based cyberspying and that finding such attacks is
"serendipitous."
FireEye shared its findings earlier this month with The Wall
Street Journal, which then found that other security firms and the
U.S. government had reached similar conclusions. FireEye also has
shared its findings with the government. "Who else benefits from
this?" asked Laura Galante, a FireEye manager and former Russia
analyst for the U.S. Department of Defense. "It just looks so much
like something that comes from Russia that we can't avoid the
conclusion."
FireEye's Mandiant unit made a name for itself in 2013 when it
revealed a Chinese-military hacking group working from an office
building in Shanghai. The Justice Department confirmed many of
Mandiant's findings, even naming one of the same hackers, in May
when it charged five People's Liberation Army officers with
stealing U.S. trade secrets. FireEye acquired Mandiant for $1
billion in January.
In the case of the Russian-language hackers, researchers inside
and outside the government compared notes and believe they are
tracking the same group. They dubbed the spy tool described by
FireEye "Sofacy."
The company's investigators said they were caught off guard when
they responded to the U.S. firm that had been hacked earlier this
year and which held military secrets. The company, which they
decline to name, had lost sensitive data, but there were none of
the digital fingerprints that Chinese hackers often leave behind,
investigators said. Rather, the malware, or malicious code, was
littered with spycraft.
The malware program also deployed countermeasures to deter
investigators from determining how it worked. It encrypted stolen
data and exported it in a way that resembled the victim's own email
traffic, the better to conceal it. FireEye analysts determined the
group has been active since at least 2007 and has steadily updated
its hacking tools. The malware's authors also designed it, if needed,
to harvest data from machines not connected to the Internet by
jumping onto USB thumb drives.
Governments often disconnect computers with highly sensitive
information to guard against cyberspies. But government spies in
the U.S. and elsewhere have used USB drives to overcome this
defense in the past. The Russian hackers used this technique in the
2008 Defense Department intrusion, U.S. officials have said. "These
are state-grade weapons," Ms. Galante said.
Sofacy's authors consistently logged changes to the code between
8 a.m. and 6 p.m. local time in Moscow and St. Petersburg--like an
analyst working at a desk, Ms. Galante said. Most of their
computers were configured to use Russian, researchers at FireEye
and Google found.
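The working-hours reasoning above, as an added example that is not part of the original article or FireEye's tooling: given build timestamps in UTC (constructed here, not Sofacy data), it scores candidate time zones by how many builds land on weekdays between 8 a.m. and 6 p.m. local time, and generalises to any set of candidate zones. The Moscow offset used for early 2014 (UTC+4) is an assumption stated in the code.

```python
"""Working-hours analysis of build timestamps: which candidate time zone makes the
builds look like a desk job. Added example with constructed timestamps, not Sofacy data."""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample of compile timestamps in UTC (e.g. as read from PE headers).
SAMPLE_BUILD_TIMES_UTC = [
    "2014-03-03T05:12", "2014-03-03T09:47", "2014-03-04T04:05",
    "2014-03-04T12:30", "2014-03-05T06:58", "2014-03-05T13:40",
    "2014-03-06T07:15", "2014-03-06T11:02", "2014-03-07T08:20",
    "2014-03-07T13:55", "2014-03-08T09:00",  # the last one is a Saturday
]

# Candidate zones (assumed); Moscow was UTC+4 in early 2014 and moved to UTC+3 in Oct 2014.
CANDIDATE_OFFSETS = {
    "UTC-5 (US East)": -5, "UTC+3": 3,
    "UTC+4 (Moscow 2014)": 4, "UTC+8 (Beijing)": 8,
}

def parse_utc(stamps):
    return [datetime.fromisoformat(s).replace(tzinfo=timezone.utc) for s in stamps]

def in_working_hours(ts_utc, offset_hours, start=8, end=18):
    """True if the build falls on a weekday between start (incl.) and end (excl.) local time."""
    local = ts_utc.astimezone(timezone(timedelta(hours=offset_hours)))
    return local.weekday() < 5 and start <= local.hour < end

def working_hours_fraction(stamps, offset_hours, start=8, end=18):
    ts = parse_utc(stamps)
    return sum(in_working_hours(t, offset_hours, start, end) for t in ts) / len(ts)

def best_fit_offset(stamps, candidates=CANDIDATE_OFFSETS):
    """Candidate zone under which most builds look like desk work, with its score.
    A high score is one attribution signal among several, not proof on its own."""
    scores = {label: working_hours_fraction(stamps, off) for label, off in candidates.items()}
    label = max(scores, key=scores.get)
    return label, scores[label]

def local_hour_histogram(stamps, offset_hours):
    """Builds per local hour; a daytime bump is the pattern the analysts describe."""
    tz = timezone(timedelta(hours=offset_hours))
    return Counter(t.astimezone(tz).hour for t in parse_utc(stamps))

if __name__ == "__main__":
    for label, off in CANDIDATE_OFFSETS.items():
        print(f"{label:20s} {working_hours_fraction(SAMPLE_BUILD_TIMES_UTC, off):.2f}")
    print("best fit:", best_fit_offset(SAMPLE_BUILD_TIMES_UTC))
```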
Perhaps most telling, researchers say, the hackers deployed the
malware almost exclusively in targets of interest to
Russia--government networks in the Caucasus and Eastern Europe,
U.S. defense contractors and NATO. FireEye found a well-crafted
phishing email aimed at a Georgian journalist, purporting to come
from an editor at libertarian magazine Reason.
In another phishing attack, the security firm Trend Micro Inc.
found the group created fake websites designed to trick employees
at Academi into handing over their work email credentials, Tom
Kellermann, chief cybersecurity officer, said. One of these sites,
the slightly misspelled academl.com, was created just weeks after
the Russian government accused a firm with links to Academi of
sending freelance troops to Ukraine to support the government,
according to Internet registration records.
Academi has denied any involvement in Ukraine. A spokeswoman
declined to comment.
Trend Micro said the hacking group aimed similar techniques at
Science Applications International. A SAIC spokeswoman said the
company appeared to have been targeted by hackers creating fake
company websites, but blocked the efforts.
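The lookalike-domain technique described in the last two paragraphs (academl.com standing in for Academi), from the defender's side: an added example, not Trend Micro's or either company's code, that flags a newly seen domain against a watchlist of brand labels. The watchlist, the confusable-character table and the use of academi as the genuine label are all assumptions.

```python
"""Lookalike-domain check of the kind that would flag academl.com against a brand
watchlist. Added example; the watchlist and confusable table are assumptions."""

# Sequences that read alike at a glance, applied in this order so that "1"
# becomes "l" before "l" collapses to "i" (assumed table, not Trend Micro's).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("l", "i")]

# Assumed watchlist of registrable labels the defender cares about.
WATCHLIST = ["academi", "saic"]

def normalize_label(label):
    """Collapse confusable characters so that academl and academi compare equal."""
    label = label.lower()
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label

def edit_distance(a, b):
    """Levenshtein distance with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_label(domain):
    """Label left of the TLD; assumes plain suffixes like .com (no public-suffix list)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def lookalike_matches(domain, watchlist=WATCHLIST, max_distance=1):
    """Return (brand, reason) pairs for every watchlist brand this domain resembles."""
    label = registrable_label(domain)
    hits = []
    for brand in watchlist:
        if label == brand:
            continue  # the genuine domain is not a lookalike of itself
        if normalize_label(label) == normalize_label(brand):
            hits.append((brand, "confusable characters"))
        elif edit_distance(label, brand) <= max_distance:
            hits.append((brand, f"edit distance <= {max_distance}"))
        elif brand in label:
            hits.append((brand, "brand embedded in label"))
    return hits

if __name__ == "__main__":
    for d in ["academi.com", "academl.com", "mail-saic.com", "wsj.com"]:
        print(d, lookalike_matches(d))
```

Feeding newly registered domains (or the Subject of every certificate seen in CT logs) through this check is how a defender notices such a site in the weeks between registration and the first phishing wave.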
Two other computer-security firms with close ties to federal law
enforcement, Crowdstrike Inc. and iSight Partners Inc., dubbed the
hackers behind the Sofacy malware "Fancy Bear" and "Tsar Team,"
respectively. Executives at both companies acknowledge the names
are references to Russia.
Google's researchers don't name Russia explicitly in their
previously unreported memo, submitted last month to the
Department of Homeland Security and other security professionals.
Rather, the 41-page white paper, viewed by the Journal, referred to
the hackers as a "sophisticated state-sponsored group" and noted
the computers used to craft the cyberweapons were set to work with
the Russian language. A Google spokesman confirmed the report's
existence and contents.
Write to Danny Yadron at danny.yadron@wsj.com and Siobhan Gorman
at siobhan.gorman@wsj.com