If you find the phenomenon of fake news dizzying, try “fake traffic” for size.
Last year nobody gave either much thought: now, they have starring roles in the increasingly serious stand-off between the US and Russia about the latter’s connections to an alleged hacking-for-Trump campaign.
In a strange new plot twist, Russia’s Alfa Bank last week released a furious statement that claimed someone “using an identified US-based service provider” has been generating spoofed traffic between its servers and those of the Trump Organization to foment suspicion:
Alfa Bank believes that these malicious attacks are designed to create the false impression that Alfa Bank has a secretive relationship with the Trump Organization. In fact, there is not and never has been such a relationship.
Specifically, hackers recently directed a stream of DNS lookups to Trump Organization servers spoofed to look as if they’d come from Alfa Bank. Those requests were then incorrectly “returned” to Alfa Bank, whose security systems marked them as bogus.
The fake traffic also involved manual intervention, which is unusual for DNS, a system that normally functions automatically:
Indications of human intervention include the fact that the queries occurring in these logs included mixed uppercased and lowercased letters.
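To show what the indicator in that statement looks like in practice, here is an added example (not code from the article, Alfa Bank or Mandiant) that scans constructed, simplified BIND-style query-log lines, flags query names with mixed upper- and lower-case letters, and counts queries per claimed source address. The log format and all addresses are assumptions for illustration.

```python
# Added example: surface the two things a log reviewer would look at after a
# claim like Alfa Bank's: mixed-case query names and bursts from one source.
import re
from collections import Counter

# Constructed sample lines in a simplified BIND-style query-log format.
# The "client" address is only what the packet claimed; a spoofed query
# shows up here under the spoofed address, which is the article's point.
SAMPLE_LOG = """\
client 203.0.113.10#53211: query: mail1.example.com IN A +
client 203.0.113.10#53212: query: Mail1.eXample.COM IN A +
client 198.51.100.7#40001: query: www.example.org IN AAAA +
client 203.0.113.10#53213: query: MAIL1.example.com IN A +
client 203.0.113.10#53214: query: mail1.example.com IN MX +
"""

LINE_RE = re.compile(
    r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def is_mixed_case(name: str) -> bool:
    """True if the name has both upper- and lower-case letters.
    Most automated clients send all-lowercase names, so mixed case is a
    reason to look closer, not proof of a human at a keyboard."""
    letters = [c for c in name if c.isalpha()]
    return any(c.isupper() for c in letters) and any(c.islower() for c in letters)


def parse_log(text: str) -> list[dict]:
    """Return one dict per recognised line with src, qname and qtype."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            rows.append(m.groupdict())
    return rows


def analyse(text: str) -> dict:
    """Flag mixed-case names and tally queries per claimed source."""
    rows = parse_log(text)
    flagged = [r for r in rows if is_mixed_case(r["qname"])]
    per_source = Counter(r["src"] for r in rows)
    return {"total": len(rows), "mixed_case": flagged, "per_source": per_source}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for r in report["mixed_case"]:
        print(f"mixed-case query {r['qname']} from claimed source {r['src']}")
    print(report["per_source"].most_common())
```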
Alfa’s statement comes only months after the FBI was first reported to have investigated the same “mysterious” back channel server chatter between the company’s and Trump’s servers. Annoyed, Alfa Bank hired cyber-sniffers Mandiant to comb its logs for incriminating evidence. The US company concluded:
The information presented is inconclusive and is not evidence of substantive contact or a direct email or financial link between Alfa Bank and the Trump campaign or Organization.
The cry of a bystander caught in crossfire or a canny attempt to pre-empt further embarrassing revelations?
With supposed links to Vladimir Putin, Alfa is certainly a good target for anyone wanting to create a false flag that might help discredit a President Trump already fighting a stream of Russian-themed accusations.
But DNS traffic is pretty weak evidence that could just as easily have been generated by innocent activities such as, say, employees at Alfa Bank visiting the campaign website of a man who was at the time running for president.
Even traffic in the other direction – from inside the Trump Organization to Alfa banking servers – would hardly be conclusive without an independent forensic investigation at both ends of the exchange. Phrases like “DNS traffic” are meaningless without context.
Clearly, though, the idea of cyber-attribution is suddenly back on the table. Spooks, cybercriminals and some security vendors normally dislike this because it’s hard to be certain who carried out an attack. On rare occasions where evidence points to a culprit, there are often national intelligence reasons to keep quiet.
The Trump and Russia controversy seems to have changed the calculus. Blaming someone in gory detail is suddenly worth the hassle – as is deflecting blame, talking up false flags, and fake traffic. The Alfa affair looks set to be a rerun of the tedious Cold War Russian doll metaphor where no-one can ever be sure they’ve reached the final piece.
One comment on “Russian bank claims hackers are trying to connect it to Trump”
They sound rather defensive. It’s interesting that it was only DNS queries that were supposedly spoofed. DNS tunneling uses DNS queries to send embedded messages that are very hard to find. If you want to send low bandwidth data between two IPs without much risk of being caught, use DNS tunneling with a tool such as iodine.