Are Russian cyberspies buried in Dutch networks, too?
86.105.18.111.
That 10-digit number is an Internet Protocol (IP) address, a unique identifier for computers and other devices that connect to the web.
The address above maps to internet infrastructure in the Netherlands that, according to US authorities, Russian operatives hijacked to orchestrate part of a long-running cyberespionage campaign that targeted the Democratic Party and other American organizations.
Documents released by the Homeland Security Department (DHS) and the FBI show Moscow cyberspies have their tentacles around hundreds of IP addresses located in 60 countries, primarily in the US (47), China (45), Netherlands (20), Germany (14) and France (12).
While it may appear that Russia has a troubling grip on US, Chinese, and European networks, there's probably no link between the corrupted IP addresses and the whereabouts of whoever or whatever Russia is targeting, multiple threat analysts caution.
"Russia's use of infrastructure in the US, China, Netherlands, Germany, France, etc., does not directly correlate to geopolitical interest in those nations," said Kyle Ehmke, a senior intelligence researcher at security firm ThreatConnect.
The various IP addresses that a country's cyberspies or independent hackers co-opt often have little to do with the locations they might target. Hackers frequently use infected computers in one location to attack computers elsewhere in the world, which hides their tracks.
Plus, "by acquiring infrastructure in various locations, [the bad guys] are also hedging against the possibilities that all of their infrastructure will be discovered or shut down by a single government," Mr. Ehmke added.
As for why Russia has glommed on to Dutch IP addresses, "if you look at the Netherlands, that's probably some of the best infrastructure in Western Europe," said Mark Arena, chief executive officer of Intel 471, a firm that analyzes cyberattackers' motivations.
Last week, a DHS official said, "We know the Russians are a highly capable adversary who conduct technical operations in a manner intended to blend into legitimate traffic."
Private cybersecurity researchers for the past five years have been publishing suspicious IP addresses, along with other tools and tactics, associated with Russian military and civilian government hackers. They've also named various threat groups, differentiated between their individual operations and parsed their modus operandi. For instance, there's one group, variously dubbed Fancy Bear, APT 28, and Sofacy, that the US government claims assailed the Democratic National Committee.
But the DHS-FBI report and accompanying spreadsheet listing IP addresses marked the first time the US government acknowledged the Russian cybergang names and methods exist. The Russian government "conducted many of the activities generally described by a number of these security companies," the statement said, referring to independent cybersecurity firms that have previously blamed Russian operatives for the DNC hack.
Still, say critics, naming specific IP addresses does little to help potentially high-value targets such as the DNC and others protect themselves from malicious hackers.
"An IP address associated with a Russian nation state campaign in March might be Granny Smith's Bakeshop in July. Infrastructure moves around the internet," said Robert M. Lee, former Air Force Cyber Warfare Operations Officer and now a cybersecurity fellow at New America.
The government report is "entirely useless or harmful" to technical network defenders who will lose time and money responding to false alarms, he said.
There are signs the listing of suspect IP addresses is already leading to some confusion.
On Dec. 30, an employee at a Vermont utility was checking his Yahoo webmail account and triggered an alert indicating that his laptop had connected to a suspicious IP address associated with the Russian hacking operation.
It turned out "that traffic with this particular address is found elsewhere in the country and is not unique to Burlington Electric, suggesting the company wasn't being targeted by the Russians. Indeed, officials say it is possible that the traffic is benign, since this particular IP address is not always connected to malicious activity,"
To thwart potential cyberspies, wherever they may be located, US officials still recommend that system administrators crosscheck the published IP addresses with their logs to discriminate between malicious and innocuous activity.
"It's particularly necessary to emphasize that the Russians hide in the noise. They often use IP addresses that are legitimate machines generating legitimate inbound and outbound traffic connections," a DHS official said Tuesday.
"Simply because the IPs are in the logs does not mean there has been malicious activity," the official said. "It is, however, cause for a further look to determine if malware, for example, may be resident."
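The log cross-check the officials describe, written as an added example rather than anything from the article or the DHS-FBI release: a published indicator list is matched against connection logs, and each hit is then triaged with the context the officials say matters (which hosts, which ports, how much data) instead of being treated as confirmed compromise. The indicator list, the log lines and the byte threshold are constructed for the example; only 86.105.18.111 comes from the article.

```python
import ipaddress
from collections import defaultdict

# Constructed indicator list: the article's address plus two documentation-range IPs.
INDICATORS = {"86.105.18.111", "203.0.113.42", "198.51.100.7"}

# Constructed firewall log: timestamp, source host, destination IP, destination port, bytes.
SAMPLE_LOG = """\
2016-12-30T09:12:01 laptop-17 86.105.18.111 443 5120
2016-12-30T09:12:05 laptop-17 93.184.216.34 443 880
2016-12-30T10:03:44 laptop-22 86.105.18.111 443 4710
2016-12-30T11:45:09 server-db 198.51.100.7 4444 91203
2016-12-30T11:45:10 server-db 198.51.100.7 4444 88120
2016-12-30T12:00:00 laptop-03 203.0.113.42 80 300
"""

WEB_PORTS = {80, 443}
LARGE_TRANSFER = 50_000  # bytes; constructed threshold for this example

def parse_line(line):
    """Split one whitespace-separated log record into typed fields."""
    ts, host, dst, port, nbytes = line.split()
    return {"ts": ts, "host": host, "dst": ipaddress.ip_address(dst),
            "port": int(port), "bytes": int(nbytes)}

def match_indicators(log_text, indicators):
    """Return, per indicator seen in the log, the hosts, ports, event count and byte total."""
    wanted = {ipaddress.ip_address(i) for i in indicators}
    hits = defaultdict(lambda: {"hosts": set(), "ports": set(), "events": 0, "bytes": 0})
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["dst"] in wanted:
            h = hits[str(rec["dst"])]
            h["hosts"].add(rec["host"])
            h["ports"].add(rec["port"])
            h["events"] += 1
            h["bytes"] += rec["bytes"]
    return hits

def triage(hits):
    """A match alone is only cause for a further look; rank hits by the surrounding context."""
    verdicts = {}
    for ip, h in hits.items():
        if h["ports"] <= WEB_PORTS and h["bytes"] < LARGE_TRANSFER:
            verdicts[ip] = "review"       # ordinary web traffic; the IP may be a shared, legitimate host
        else:
            verdicts[ip] = "investigate"  # unusual port or volume; check the source host for malware
    return verdicts

if __name__ == "__main__":
    for ip, verdict in triage(match_indicators(SAMPLE_LOG, INDICATORS)).items():
        print(f"{ip:16} {verdict}")
```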