Research Article

Attributing digital covert action: the curious case of WikiSaudiLeaks

Pages 781-805 | Received 21 Mar 2023, Accepted 21 Nov 2023, Published online: 18 Jan 2024

ABSTRACT

How can digital covert action be attributed? This paper revisits one of the most complex, most significant, and most mysterious digital covert actions of our time: a 2015 hack-and-leak case known among investigators as ‘WikiSaudiLeaks’ that has so far evaded attribution. We argue that WikiSaudiLeaks was not a stand-alone event but one piece of a larger covert action campaign that involved advanced computer network exploitation, computer network attack, persistent deception, and a creative influence and disinformation effort. By decomposing the larger event into its components, limited attribution becomes possible. We present the most detailed and comprehensive investigation of this case to date, attribute at least one component of the larger event to Iranian intelligence, and draw conceptual conclusions.

Acknowledgements

The authors would like to thank the BAE Systems Threat Intelligence Team and Crowdstrike’s Charlie Cullen for sharing exclusive findings that informed parts of this paper. The authors also wish to thank Collin Anderson, Kevin Bustamante, and Juan Andres Guerrero-Saade for their valuable comments. All errors in fact or judgement are those of the authors alone.

Disclosure statement

No potential conflict of interest was reported by the author(s).

Correction Statement

This article has been corrected with minor changes. These changes do not impact the academic content of the article.

Notes

1. WikiLeaks, “The Saudi Cables,” as archived on December 7, 2015, https://web.archive.org/web/20151207233002/https://wikileaks.org/saudi-cables/.

2. For instance, see Black, “Saudi Arabia Tells Citizens to Ignore Latest WikiLeaks Release.” The Guardian, June 21, 2015.

3. The event is also an early example of what Joshua Rovner called an ‘intelligence contest’; see Rovner, “What is an Intelligence Contest?” 114–120; Chesney and Smeets, Deter, Disrupt, or Deceive: Assessing Cyber Conflict as an Intelligence Contest.

4. For an early reflection of deception in cyber-operations, see Gartzke and Lindsay, “Weaving Tangled Webs: Offense, Defense, and Deception in Cyberspace,” 316–348.

5. For an overview, see Shires, “Hack-and-Leak Operations: Intrusion and Influence in the Gulf,” 235–56; Shires, “The Simulation of Scandal: Hack-and-Leak Operations, the Gulf States, and U.S. Politics.”

6. “APT1,” Mandiant, 2013.

7. See for example, McCombie et al., “The US 2016 Presidential Election & Russia’s Troll Farms,” 95–114; Shackelford et al., “Making Democracy Harder to Hack,” 629–68; Kreps, Social Media and International Relations.

8. On the contribution of academia to public attribution, see Egloff, “Contested Public Attributions of Cyber Incidents and the Role of Academia,” 55–81.

9. Cormac and Aldrich, “Grey Is the New Black: Covert Action and Implausible Deniability,” 477–94; Stout, “Covert Action in the Age of Social Media,” 94–103.

10. Warner, “Reflections on Technology and Intelligence Systems,” 133–53; Gioe et al., “Intelligence in the Cyber Era: Evolution or Revolution?” 191–224; Warner, “Intelligence in Cyber – and Cyber in Intelligence,” in Understanding Cyber Conflict: 14 Analogies; Zegart, Spies, Lies, and Algorithms: The History and Future of American Intelligence.

11. Falliere et al., “W32.Stuxnet Dossier.” Wired, February 2011; Albright and Stricker, “Stuxnet Worm Targets Automated Systems for Frequency Converters: Are Iranian Centrifuges the Target?” Institute for Science and International Security, November 17, 2010.

12. Zetter, Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon.

13. Perlroth, “In Cyberattack on Saudi Firm, U.S. Sees Iran Firing Back,” The New York Times, October 23, 2012; Zetter, “Qatari Gas Company Hit With Virus in Wave of Attacks on Energy Companies,” Wired, August 30, 2012.

14. Gadher, “Iran ‘Faked British Chemical Weapons Plot’.” The Sunday Times, February 3, 2013.

15. St. James and Lee, “The 2014 Sony Hacks, Explained,” Vox, June 3, 2015.

16. Zetter, “Inside the Cunning, Unprecedented Hack of Ukraine’s Power Grid,” Wired, March 3, 2016; Greenberg, “New Clues Show How Russia’s Grid Hackers Aimed for Physical Destruction,” Wired, September 12, 2019.

17. Rid, Active Measures: The Secret History of Disinformation and Political Warfare.

18. Greenberg, “Hackers Claim to Auction Data They Stole From NSA-Linked Spies,” Wired, August 15, 2016.

19. The United States Department of Justice, “North Korean Regime-Backed Programmer Charged With Conspiracy to Conduct Multiple Cyber Attacks and Intrusions,” September 6, 2018; National Cyber Security Centre, “Russian Military ‘Almost Certainly’ Responsible for Destructive 2017 Cyber Attack,” February 14, 2018.

20. O’Neill, “Russia Hacked an American Satellite Company One Hour Before the Ukraine Invasion,” MIT Technology Review, May 10, 2022. One may argue that the Viasat destructive intrusion via the ACIDRAIN/SKYFALL malware was not covert action, but rather unacknowledged traditional military fires. The cross border character, coupled with potential alliance impact, may have necessitated avoidance in political response rather than confusion of covert character.

21. Fischerkeller et al., Cyber Persistence Theory: Redefining National Security in Cyberspace; Deeks, “Defend Forward and Cyber Countermeasures.”

22. There are few exceptions. See, for example, Shires, “Hack-and-Leak Operations: Intrusion and Influence in the Gulf.”

23. Satter and Michael, “Private Lives Are Exposed as WikiLeaks Spills Its Secrets,” Associated Press, August 23, 2016.

24. Shires, “Hack-and-Leak Operations”; Rid, Active Measures.

25. Rid and Buchanan, “Attributing Cyber Attacks,” 4–37.

26. Egloff and Smeets, “Publicly Attributing Cyber Attacks: A Framework,” 502–533.

27. Declassified intelligence files in the former Eastern Bloc provide some of the most instructive insights into active measures. See Rid, Active Measures.

28. Turovsky, “Шалтай-Болтай — побочный продукт других игр” [Shaltai-Boltai (Humpty Dumpty) is a by-product of other games], Meduza, January 13, 2015.

29. “Это только начало … It’s only a beginning …,” October 26, 2015, https://web.archive.org/web/20200325083125/https://mediamvd.wordpress.com/author/turokmvd/. The zip archive of the allegedly leaked FSB files is turop.zip, with the 32-character (MD5-length) hash 9944f9b81be71cb859d5ddd5aae5f037.

30. Such a goal would be in line with historical active measures: the intended target audience of the KGB and its Service A were political decision makers, not journalists or the public. See Справка относно разговорите, водени в служба АМ при ПГУ – КГБ в Москва от 25 до 28 октомври 1988 г. по въпроси на сътрудничеството с отдел 08 ПГУ/ДС, 28 ноември 1988 г. (ф. НРС, п.ф. 9, оп. 4., а.е. 681, л. 104–143) [Report on the talks held at Service AM of the PGU–KGB in Moscow from 25 to 28 October 1988 on questions of cooperation with Department 08 PGU/DS, 28 November 1988 (f. NRS, p.f. 9, op. 4, a.e. 681, ll. 104–143)], COMDOS Archive, p. 5.

31. MacFarquhar and Schmitt, “Syria Threatens Chemical Attack on Foreign Force,” The New York Times, July 23, 2012.

32. Landler, “Obama Threatens Force Against Syria,” The New York Times, August 20, 2012.

33. Khatchadourian, “The Case of Agent 15: Did Syria Use a Nerve Agent?” The New Yorker, January 16, 2013.

34. Rogin, “Exclusive: Secret State Department Cable: Chemical Weapons Used in Syria,” Foreign Policy, January 15, 2013.

35. “Millitary server hacked. Confidential data! [sic],” Pastebin, January 22, 2013. https://web.archive.org/web/20130126062131/http://pastebin.com/Whyvnnd6.

36. Lee, “Britam defence hacked, confidential documents leaked, site offline,” CyberWarNews.info, 24 January 2013.

37. Faal, Sorcha (pseudonym). “Obama Plan For World War III Stuns Russia,” Whatdoesitmean.Com, January 28, 2013.

38. Watson, “Hacked Emails Reveal ‘Washington-Approved’ Plan to Stage Chemical Weapons Attack in Syria,” Infowars.Com, January 28, 2013.

39. Boyle, “U.S. Backed Plan to Launch Chemical Weapon Attack on Syria and Blame It on Assad’s Regime,” Daily Mail, January 29, 2013. Deleted, but archived at: https://web.archive.org/web/20130130001542/http://www.dailymail.co.uk/news/article-2270219/U-S-planned-launch-chemical-weapon-attack-Syria-blame-Assad.html.

40. On April 18, 2013 the Daily Mail removed the article and apologised for the error. See The Daily Mail, “Britam Defence, David Goulding and Philip Doughty,” April 18, 2013. Britam sued the Mail for defamation; the case was settled with the Mail paying £110,000 in damages. See “The Mail apologises and pays £110,000 in damages over chemical weapons libel,” Carter-Ruck press release, 26 June 2013. https://web.archive.org/web/20211025201056/http://www.carter-ruck.com/wp-content/uploads/2020/04/Britam-Press_Release-260613.pdf

41. “Millitary Server Hacked. Confidential Data! [sic].”

42. Alleged email from David Goulding to Phillip Doughty. “Iranian Issue,” October 16, 2012. Available in the ‘Iran’ folder of the file archive from ‘Millitary Server Hacked. Confidential Data!’, see https://web.archive.org/web/20130203093421/http://pastebin.com:80/whyvnnd6, Mediafire download.

43. “Britam Defence Hacked Files + Chemical Warfare [sic],” Pastebin, January 25, 2013. https://web.archive.org/web/20130323183309/http://pastebin.com/0VqxpZVG.

44. “UK-Qatari Plot against Syria Revealed,” Press TV, January 30, 2013.

45. “Putin Orders Massive Strike Against Saudi Arabia If West Attacks Syria,” Fars News Agency, August 28, 2013.

46. “جزئیات حمله شیمیایی سوریه چطور لو رفت؟” [How were the details of the Syria chemical attack leaked?], Mehr News Agency, August 28, 2013.

47. Gadher, “Iran ‘Faked British Chemical Weapons Plot.”

48. For a theory of cyber operations as a means of subversion, see: Maschmeyer, “Subversion, Cyber Operations, and Reverse Structural Power in World Politics,” 79–103.

49. Aaltola, “Stages of Digitalized Regressive Meddling in Three Western Elections,” In Democratic Vulnerability and Autocratic Meddling: The ‘Thucydidean Brink’ in Regressive Geopolitical Competition, 131–47.

50. “Iran TV Channel Hacked,” Radio Free Europe/Radio Liberty, April 12, 2015. One of Al-Alam’s alleged correspondents in Saudi Arabia was Dr. Abdallah M. Al-Halimi, then a member of the city council of Al-Ahsa in Saudi Arabia. Following the leak, he denied any affiliation with Al-Alam or the Iranian government. See: “الحليمي: ظلموني بقناة العالم” [Al-Halimi: I was wronged by the Al-Alam channel], Al Arabiya, April 13, 2015.

51. Sahar TV posted on Twitter: “Saudi Hacker Attacked Al Alam TV Accounts, Insulted Iranians: 2015-04-12 13:02:25,” April 12, 2015. https://web.archive.org/web/20211104212720/https://twitter.com/EnSaharTV/status/587187461756887041.

52. “قناة العالم تعلن عن استعادة حسابيها على ‘تويتر’ و‘يوتيوب’” [Al-Alam channel announces the recovery of its accounts on Twitter and YouTube], Al Alam, April 14, 2015.

53. Sobhan Hassanvand tweeted: “Yesterday Website of Saudi Arabia Got Hacked, Now Twitter Account of Iran Arabic News Channel al Alam #CyberWarfare.” April 12, 2015. https://web.archive.org/web/20230106230120/https://twitter.com/Hassanvand/status/587128277275410432. @Cyber__Emotion was suspended on Twitter.

54. “اختراق حساب وزارة العدل الرسمي في تويتر” [Hacking of the Ministry of Justice’s official Twitter account], Al Riyadh, October 14, 2014.

55. “الآن.. تعرف على مطالبات مخترق حساب وزير التعليم على تويتر” [Now: the demands of the hacker of the Minister of Education’s Twitter account], Al-Madina Online, February 16, 2016.

56. “Pan-Arab Newspaper al-Hayat Hacked by Yemen ‘Cyber Army’,” Al Arabiya, April 14, 2015.

57. Ibid.

58. “YEMEN CYBER ARMY HACKED ALHAYAT.COM [sic],” Pastebin, April 13, 2015. https://web.archive.org/web/20200606175133/https://pastebin.com/eKHDGgE6.

59. “EXCLUSIVE: Hackers Take Down Alhayat Pro Saudi News Website,” Fars News Agency, April 14, 2015. Deleted but archived at: https://web.archive.org/web/20150721101215/http://english.farsnews.com/newstext.aspx?nn=13940125000056.

61. “‘Islamic Cyber Resistance’ Breaks Iranian Hacker Silence, Exposes Links to SEA,” Recorded Future, December 24, 2013; “Anti-Israel Hackers Parastoo Prepare for OpIsrael Anniversary,” Recorded Future, February 4, 2014.

62. The IP address is 78.38.240.18, which is part of the larger range 78.38.240.0/20. See https://www.virustotal.com/gui/ip-address/78.38.240.18/relations.

63. Quickleak[.]org was registered by Faramarz Shahi Savandi, the same Iranian registrant of the hacking forum zone-hc. One of the email addresses associated with this individual had accessed the Al-Hayat website at least four days before the defacement. The authors would like to thank Charlie Cullen for sharing this piece of information.

64. Wikileak[.]ir was registered by another Iranian individual whose other domains were detected in a Parastoo operation in 2013. We thank Charlie Cullen for this information.

65. Frenkel, “Meet The Mysterious New Hacker Army Freaking Out The Middle East,” BuzzFeed News, June 24, 2015. Franceschi-Bicchierai, “There’s Evidence the ‘Yemen Cyber Army’ Is Actually Iranian,” Vice, June 26, 2015.

66. The Embassy of the Kingdom of Saudi Arabia in the United States, “Operation Decisive Storm Ends, Operation Renewal of Hope Begins With Military Objectives Achieved, Focus Shifts to the Political Process,” April 21, 2015. https://web.archive.org/web/20221228170211/https://www.saudiembassy.net/press-release/operation-decisive-storm-ends-operation-renewal-hope-begins-military-objectives.

67. “MOFA.GOV.SA Hacked By Yemen Cy [sic],” Pastebin. https://web.archive.org/web/20150528083510/http://pastebin.ro/9sAhrWRy.

68. Perlroth, “In Cyberattack on Saudi Firm, U.S. Sees Iran Firing Back.”

69. “Saudileaks 1: Yemeni Group Hacks Saudi Gov’t, Releases Thousands of Top Secret Documents,” Fars News Agency, May 21, 2015.

70. “Saudileaks 2: Yemen Cyber Army Releases Hacked Contents,” Fars News Agency, May 21, 2015.

72. Frenkel, “Meet The Mysterious New Hacker Army Freaking Out The Middle East.”

73. “عام/رئيس الإدارة الإعلامية بوزارة الخارجية : تعرض الحاسب الآلي لوزارة الخارجية لهجمة إلكترونية محدودة” [General / Head of the Media Department at the Ministry of Foreign Affairs: the Ministry of Foreign Affairs’ computer system was subjected to a limited cyber attack], Saudi Press Agency, May 22, 2015.

74. WikiLeaks, “The Saudi Cables Press Release,” June 19, 2015. https://web.archive.org/web/20230315050633/https://wikileaks.org/saudi-cables/press.

75. Satter and Michael, “Private Lives Are Exposed as WikiLeaks Spills Its Secrets.”

76. WikiLeaks, “The Saudi Cables Press Release.”

77. Frenkel, “Meet The Mysterious New Hacker Army Freaking Out The Middle East.”

78. “Arab Youth Group,” Pastebin, August 15, 2012. https://web.archive.org/web/20221214100511/https://pastebin.com/PUHqDQnd.

79. Reporters Without Borders, “How Saudi Arabia Manipulates Foreign Media Outlets,” July 9, 2015.

80. Ghattas, “Which Lebanese and Arab Media Covered #SaudiCables and Which Ones Didn’t?” Global Voices, July 2, 2015.

81. “Saudis’ 10 Million-Dollar Bribe to UN Special Rapporteur for Human Rights in Iran,” AWD News, July 27, 2015. The website is no longer available, but the article is archived at: https://web.archive.org/web/20150730014140/http://awdnews.com/political/saudis%E2%80%99-million-dollar-bribe-to-un-special-rapporteur-for-human-rights-in-iran.

82. Yazdan Panah, “Iran’s Attempts to Blame UN for Its Own Human Rights Abuses,” Iran Focus, August 7, 2015.

83. Markson, “Cables expose UK agreement to back Saudi Arabia for top UN rights body,” The Australian, September 29, 2015: 8; “Saudi Cable No. 40312,” WikiLeaks, September 29, 2011.

85. Young Journalists Club (باشگاه خبرنگاران جوان), “رشوه سعودی ها به احمد شهید برای گزارش علیه ایران + سند” [The Saudis’ bribe to Ahmed Shaheed for a report against Iran + document], July 27, 2015; “وثيقة تكشف : السعودية ترشي أحمد شهيد بمليون دولار للضغط على ايران” [Document reveals: Saudi Arabia bribes Ahmed Shaheed with a million dollars to pressure Iran], Tasnim News Agency, July 27, 2015.

86. WikiLeaks tweeted: “@IranFrontPage Please Show Which Cable This Claim Is Based on. You Fail to Link to One of Our Cables in the Article,” July 27, 2015. https://web.archive.org/web/20220519132326/https://twitter.com/wikileaks/status/625661545410760704.

87. The Guardian reported that the perpetrators merged two different sets of genuine Saudi diplomatic letterheads and forged an entirely new letterhead. Kamali Dehghan, “Iran Uses Fabricated WikiLeaks Cable to Smear UN Rights Rapporteur,” The Guardian, August 2, 2015.

88. Ahmed Shaheed tweeted: “@wikileaks Thank You Wikileaks for Clarifying This @saeedKD @IranFrontPage.” July 27, 2015. https://twitter.com/ahmedshaheed/status/625678971074670592.

89. Twitter Safety, “Working with our industry peers today, we have suspended 284 accounts from Twitter for engaging in coordinated manipulation. Based on our existing analysis, it appears many of these accounts originated from Iran.” August 21, 2018. https://web.archive.org/web/20180822001918/https://twitter.com/twittersafety/status/1032055161978585088; “Taking Down More Coordinated Inauthentic Behavior,” Meta, August 21, 2018. https://web.archive.org/web/20230303112012/https://about.fb.com/news/2018/08/more-coordinated-inauthentic-behavior/.

90. See the ‘Iran (October 2018) − 770 Accounts’ takedown dataset, Twitter Moderation Research Consortium, October 2018. https://transparency.twitter.com/en/reports/moderation-research.html.

91. The United States Department of Justice, “United States Seizes 27 Additional Domain Names Used by Iran’s Islamic Revolutionary Guard Corps to Further a Global, Covert Influence Campaign,” November 4, 2020.

92. “Taking Down More Coordinated Inauthentic Behavior.”

93. “Iran (October 2018) − 770 Accounts.”

94. “Suspected Iranian Influence Operation Leverages Network of Inauthentic News Sites & Social Media Targeting Audiences in U.S., UK, Latin America, Middle East,” FireEye, August 21, 2018.

95. “Global Iranian Disinformation Operation,” ClearSky, November 2018.

96. The United States Department of Justice, “Affidavit In Support Of Application For Seizure Warrant”, November 4, 2020.

97. “Thamar Reservoir – An Iranian Cyber-Attack Campaign against Targets in the Middle East,” ClearSky, June 3, 2015.

98. “Thamar Reservoir – An Iranian Cyber-Attack Campaign against Targets in the Middle East”; Pernet and Lu, “Operation Woolen-Goldfish,” 2015 Trend Micro Incorporated, March 19, 2015; Villeneuve et al., “Operation Saffron Rose,” FireEye, May 13, 2014.

99. “Operation Cleaver,” Cylance, December 2, 2014. The press coverage at the time overstated the attributive evidence referenced in the report. See for example: “Iran-Backed Hackers Target Airports, Carriers,” Bloomberg, December 2, 2014. Also see p. 14 of the report.

100. Saudi Cables, “Doc #129906, RE: Operation CLEAVER – Follow-up Actions.” https://web.archive.org/web/20230315050634/https://wikileaks.org/saudi-cables/doc129906.html.

101. Ibid.

102. “Operation Cleaver.” VirusTotal IP analysis is available at: https://www.virustotal.com/gui/ip-address/88.150.214.166/relations.

103. Saudi Cables, “Doc #129906, RE: Operation CLEAVER – Follow-up Actions.”

104. “2015 Global Threat Report,” CrowdStrike, January 22, 2016.

105. Bartholomew and Guerrero-Saade, “Wave Your False Flags! Deception Tactics Muddying Attribution In Targeted Attacks.”

107. MonoVM homepage saved on Internet Archive (May 4, 2015): https://web.archive.org/web/20150504181306/https://monovm.com.

108. Special Counsel Mueller, “Report On The Investigation Into Russian Interference In The 2016 Presidential Election, Volume I of II,” March 2019.

109. We thank BAE Systems for sharing an internal threat intelligence report with us on WikiSaudiLeaks from September 2015.

110. Nakashima et al., “FBI Links Iran to Online Hit List Targeting Top Officials Who’ve Refuted Trump’s Election Fraud Claims,” The Washington Post, December 22, 2020.

111. Ibid.

112. Kyle Ehmke tweeted: “New ‘Enemiesofthepeople’ Site Enemiesofthepeople[.]ca Registered through MonoVM on 12/11 and Hosted on a Dedicated Server at M247 IP 193.239.84[.]135. Hosting Same Atrocious Content,” December 11, 2020. https://web.archive.org/web/20201211152539/https://twitter.com/kyleehmke/status/1337415369657610242.

113. “Fog of War: How the Ukraine Conflict Transformed the Cyber Threat Landscape,” Google’s Threat Analysis Group (TAG), February 16, 2023.

114. United States National Security Agency, and United Kingdom National Cyber Security Centre, “Joint Cybersecurity Advisory: Turla Group Exploits Iranian APT To Expand Coverage Of Victims,” October 21, 2019.

115. “Turla Hiding in the Sky: Russian Speaking Cyberespionage Group Exploits Satellites to Reach the Ultimate Level of Anonymity,” Kaspersky, September 9, 2015.

116. In this study, we reference several reports written by analysts who at the time worked for a leading forensic team at Kaspersky, a Russian cybersecurity provider. These reports were among the most evidence-driven, most creative, and best-argued contributions at the time. Emphasis on the temporality is important as subsequent criticisms of the company do not impact our analysis.

117. “Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments,” Symantec, June 20, 2019.

118. Bartholomew and Guerrero-Saade, “Wave Your False Flags!.”

119. Ibid.

120. Poulsen, “Moscow Server Hosted WikiLeaks and Iran’s Hackers Weeks Apart.” The Daily Beast, April 16, 2019.

121. Ibid.

122. Intelligence agencies apply similar vectors in their approach to attribution. See for example: “A Guide to Cyber Attribution,” Office of the Director of National Intelligence, September 14, 2018.

123. CHRIS. “Cyber Attacks in the Spin Cycle: Saudi Aramco and Shamoon,” Recorded Future, November 1, 2012.

124. Rid, Active Measures; “Russia Military Power,” Defense Intelligence Agency, 2017.

125. Cherney, “Pro-Russian Hackers Took Down Three NATO Websites,” Vice, March 16, 2014.

126. “Hacktivist Group CyberBerkut Behind Attacks on German Official Websites,” Trend Micro, January 20, 2015. The original report is not archived but a mirrored copy is available at: https://web.archive.org/web/20221128050959/https://www.viruss.eu/malware/hacktivist-group-cyberberkut-behind-attacks-on-german-official-websites/.

127. Corera, “How France’s TV5 Was Almost Destroyed by ‘Russian Hackers’,” BBC News, October 10, 2016.

128. Ostovar, “Sectarian Dilemmas in Iranian Foreign Policy: When Strategy and Identity Politics Collide,” Carnegie Endowment for International Peace, November 30, 2016; Al-Jubeir, “Can Iran Change?” The New York Times, January 19, 2016.

129. Herpig and Reinhold, “Spotting the Bear: Credible Attribution and Russian Operations in Cyberspace” in Hacks, Leaks, and Disruption, 2018, 33–42.

130. ODNI, “A Guide to Cyber Attribution.”

131. DIA, “Russia Military Power.”

132. We acknowledge that attributing responsibility to a machine or a known malicious actor does not always attribute the attack to a particular country or government.

133. These challenges break down along multiple axes. For detailed considerations of public and non-public attribution, see Egloff and Smeets, “Publicly Attributing Cyber Attacks: A Framework.”

134. Herpig and Reinhold, “Spotting the Bear: Credible Attribution and Russian Operations in Cyberspace.”

135. Rid and Buchanan, “Attributing Cyber Attacks”; Lin, “Attribution of Malicious Cyber Incidents”; Banks, “Cyber Attribution and State Responsibility,” 1038–72; Steffens, Attribution of Advanced Persistent Threats: How to Identify the Actors Behind Cyber-Espionage.

136. Romanosky and Boudreaux, “Private-Sector Attribution of Cyber Incidents: Benefits and Risks to the U.S. Government,” 463–93; Work, “Evaluating Commercial Cyber Intelligence Activity,” 278–308.

137. Banks, “Cyber Attribution and State Responsibility.”

138. “Russian Active Measures Campaigns And Interference In the 2016 U.S. Election (Volumes I–V),” United States Senate Select Committee on Intelligence, 2020, 116–290; “Russia,” Intelligence and Security Committee of Parliament, 2020.

139. Warner, “Reflections on Technology and Intelligence Systems.”

140. For an assessment of the persistent engagement strategy for intelligence collection and mitigating harm to allies, see Smeets, “U.S. Cyber Strategy of Persistent Engagement & Defend Forward: Implications for the Alliance and Intelligence Collection,” 444–53.

141. Andrew and Mitrokhin, The Mitrokhin Archive: The KGB in Europe and the West. Also see Rid, Active Measures.

142. “Anatomy of Russia’s 2016 Influence Operations,” Mandiant/FireEye Intelligence, October 2017.

143. “Defending Ukraine,” Microsoft, June 22, 2022.

144. “Fog of War,” Google’s Threat Analysis Group (TAG).

145. Healey and Caudill, “Success of Persistent Engagement in Cyberspace,” 9–15.

Additional information

Notes on contributors

Simin Kargar

Simin Kargar is a PhD Candidate at Johns Hopkins University’s School of Advanced International Studies.

Thomas Rid

Thomas Rid is Professor of Strategic Studies and founding director of the Alperovitch Institute for Cybersecurity Studies at Johns Hopkins University’s School of Advanced International Studies.
