Setting the Trap

The documents show the investigators considered the possibility of creating a honeypot, to lure the attackers into a system designed to help identify information about them. This had proven to be a successful method in well-known attacks involving a German hacker called Markus Hess, who had stolen technologies to sell to the Soviet Union in the 1980s.

Rid describes a relatively simple method that the investigators used — a honey document they allowed the attackers to steal, which, when opened, initiated a DNS request back to a machine operated by the investigators. This provided the location of the machine the document was opened on.
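The honey-document technique described above, as an added illustration that is not from the original article or its investigation: a defender mints a unique token per document, embeds `<token>.<zone>` as a name the document resolves when opened, and later matches DNS query logs against the registry. The zone name, log format and sample lines are constructed placeholders.

```python
import re
import secrets

# Assumed zone under the defender's control (placeholder, not a real domain).
CANARY_ZONE = "canary.example.invalid"

# Registry of minted tokens -> honey document they were embedded in (constructed).
DOCUMENT_REGISTRY = {}


def register_document(doc_name, registry=DOCUMENT_REGISTRY):
    """Mint a random token for one honey document and record it.
    The document is then built to reference canary_name(token), so that
    opening it causes a DNS lookup of that unique name."""
    token = secrets.token_hex(8)
    registry[token] = doc_name
    return token


def canary_name(token):
    return f"{token}.{CANARY_ZONE}"


# Assumed BIND-style query log line:
# "<ts> client <ip>#<port>: query: <name> IN <type> ..."
QUERY_RE = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def find_opened_documents(log_lines, registry=DOCUMENT_REGISTRY):
    """Return (source_ip, document) for every query that hits a registered token.
    The address logged is whichever resolver forwarded the query: the opening
    host itself, or the recursive resolver it uses, so treat it as a lead."""
    suffix = "." + CANARY_ZONE
    hits = []
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        qname = m.group("qname").rstrip(".").lower()
        if not qname.endswith(suffix):
            continue
        # The token is the label immediately below the canary zone.
        token = qname[: -len(suffix)].split(".")[-1]
        doc = registry.get(token)
        if doc is not None:
            hits.append((m.group("ip"), doc))
    return hits
```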

A Russian nexus

Many of the documents are concerned with suspicions of who is behind the attacks. They note that the attackers didn’t work during Russian Orthodox holidays, and their working hours could align with a typical working day in Russia.

Some attacker connections were identified from dial-up modem accounts in Moscow. Whilst it’s possible the attackers proxied connections from elsewhere, it is less likely with a dial-up connection than with a server.

Public reports at the time referred to the Russian Academy of Sciences as being a possible source, and an encryption company reported an attack against its servers from a system in the academy's network range. However, there is no public information clearly linking the academy to the attacks.

Rid describes further findings. An Air Force investigator named Kevin Mandia, now the CEO of cyber-security juggernaut FireEye Mandiant, identified the Russian phrase for “child process” within one of the attackers' tools. School children in many parts of the former USSR learn Russian — so this is not as strong an indicator as it may appear.