
Hackers acting in Turkey's interests believed to be behind recent cyberattacks - mzs
https://www.reuters.com/article/us-cyber-attack-hijack-exclusive-idUSKBN1ZQ10X
======
allovernow
So I'm not an expert by any means, but from what I understand, estimating
hacker provenance consists purely of modifiable and/or spoofable
circumstantial evidence, including IP addresses, malware signature, and
possibly timestamps/localizations within the binaries.

All of this makes a convincing story for media and laymen, but surely a
competent hacker could pull off a hack and _trivially_ modify the evidence to
implicate any state actor/group whose modus operandi is known in hacking
circles, no?

Which, incidentally, is why I had an issue with the certainty with which
CrowdStrike, for example, pointed to Russia over the DNC hack. Deliberately
engineering your attack to mimic one from another group is an excellent way to
keep people off your trail...and these are hackers we're talking about, after
all.

~~~
lawnchair_larry
Since you admit that you’re not an expert, you shouldn’t really assume that
attribution is that simple, or that they aren’t fully aware of these things
you mention.

~~~
stefan_
Because all of these things being trivially manipulated means in the past,
attribution was entirely done for nation states to point at other nation
states or for scam artists to promote their cyber cyber cyber security
technology consulting services. If there is such a thing as "the science of
attribution", and that is very questionable, it sure as hell isn't above the
noise floor.

~~~
lawnchair_larry
No, that is not the case.

------
therealmarv
We need DoH (DNS over HTTPS) and/or DoT (DNS over TLS) faster and everywhere,
including routers, browsers, OSes. And we need to get rid of, or find a viable
alternative to, these hostile hotel and airport WiFi DNS-hijacking login
methods, which are essentially the same thing these hackers have done on a
larger scale! We need some alternative and good method for that.

~~~
packet_nerd
Agreed. The wireless (and wired) login/ToS page redirects common in guest Wifi
and corporate environments were never really designed for. They work now by
abusing what are essentially design flaws, and they don't even work very well.

Another glaring hole in Wifi is that there's no open + encrypted option. Your
options are basically open with no encryption at all, personal mode (shared
key for authentication and encryption), or enterprise mode (username +
password, certificate-based, or similar).

The Wifi authentication standards should really be modernized to address these
issues.

------
everybodyknows
>As part of these attacks, hackers successfully breached some organizations
that control top-level domains, which are the suffixes that appear at the end
of web addresses immediately after the dot symbol, said James Shank, a
researcher at U.S. cybersecurity firm Team Cymru ...

Anyone know which TLD orgs were hacked?

------
adrianmonk
On a possibly-related subject, these three things seem like a big coincidence
when taken together:

(1) Yesterday I noticed Wikipedia was way slower than normal. Article pages
took ~30 seconds to load sometimes. (Down Detector agrees with this:
[https://downdetector.com/status/wikipedia/](https://downdetector.com/status/wikipedia/))

(2) Yesterday, Hacker News had a headline that Wikipedia was accessible in
Turkey for the first time in years. (See
[https://news.ycombinator.com/item?id=22153304](https://news.ycombinator.com/item?id=22153304))
Some people in that thread also noticed the coincidence between this and #1.

(3) Now this story about cyberattacks from (or on behalf of) Turkey.

~~~
nl
These attacks occurred in 2018 and 2019.

~~~
adrianmonk
That's not how I read it. First of all, the headline says "recent". The
article mentions some attacks in 2018 and 2019, but it also says the "broader
series of attacks is ongoing".

~~~
nl
Ok.

I don't understand what the original post is implying then.

These aren't denial of service attacks, so what is the connection between
Wikipedia being slow and some attacks that started in 2018 and are continuing
now?

------
nl
There are more details on the _SeaTurtle_ attack this was related
to [1][2][3][4].

It looks like the new information here is that intelligence officers are
confident enough to link the group to Turkey. Previously FireEye thought it
was an Iranian group.

[1] [https://www.zdnet.com/article/hackers-breached-greeces-top-l...](https://www.zdnet.com/article/hackers-breached-greeces-top-level-domain-registrar/)

[2] [https://techcrunch.com/2019/04/17/sea-turtle-talos-dns-hijac...](https://techcrunch.com/2019/04/17/sea-turtle-talos-dns-hijack/)

[3] [https://blog.talosintelligence.com/2018/11/dnspionage-campai...](https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html)

[4] [https://www.fireeye.com/blog/threat-research/2019/01/global-...](https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html)

------
mzs
journalist's thread
[https://threadreaderapp.com/thread/1221837856622153733.html](https://threadreaderapp.com/thread/1221837856622153733.html)

~~~
coretx
It's a shoddy story. Quote: "Our sources told us the hackers had gained access
giving them the ability to intercept ALL INTERNET TRAFFIC going to several
countries in the Middle East" Way back, I used to work with
dissidents/journo's/academics against censorship and surveillance in various
countries. All but Turkey were easy because I recall that it was the military
being in full control; playing with BGP among other things. This makes the
quote a bit awkward. Why would they gain abilities already possessed & put
their cards open on the table?

~~~
luckylion
_If_ they had access to the undersea cable(s), that would certainly be
different than having the ability to fiddle with (generally detectable and
attributable) BGP attacks.

My money is on this being similar to the leaks of tapes where a bunch of high
ranking Turkish military & members of the administration were discussing
false-flag attacks from Syria to have a reason to invade, basically the US
feeling they have exhausted their diplomatic channels to Ankara and dropping
pieces of intel into the wild to get Turkey to stop what they are doing.

~~~
coretx
# The "attack" level of sophistication does not befit a state actor.
# The Reuters article mentions 2 British and one US security _officials_
# Same Reuters article states that GCHQ and US equivalent declined inquiry. ( Mind bullet #1. )
# Turkey states there has been no data ex-filtration; sources do not mention serious damage on either side.

The simplest explanation is usually true, so I think a security firm like
NCC group ( GCHQ still holds a stake in them ) is creating waves for business.

~~~
luckylion
Re "state actor", while reading the headline I figured "oh, they would have
called it 'state actor' if it was believed to be Russian or Chinese", but
reading the article, they may have chosen not to use that term also because it
wasn't MIT but some loosely affiliated patriotic group. Given that the borders
between state and non-state are very fluid in Turkey, there may also be
multiple things being attributed.

Still very much possible that it's FUD/PR, there's likely information,
misinformation, PR and news hyping in any such report, with degrees of each
varying.

------
diegoperini
The evidence, if true, shows the hackers are acting in Turkey, but I don't see
the proof that it is in Turkey's interest.

Disclaimer: I'm a Turkish citizen. I don't support what our government has
been doing since 2006 except for some small stuff about healthcare and such. I
could never vote for the winning party since I was given the right to vote.

~~~
TomMckenny
Reading the article, it seems the conclusion was inferred from the fact that
Cyprus, Greece, Albania and Turkish Masons were targets; that those targets
are not a good way to steal but are all disliked by the current regime; that
several western analysts concluded they were government sponsored; and that
the attacks were quite complex.

~~~
hiccuphippo
What are the chances the hackers disliked one of those targets and only
attacked all of them to throw the investigators off?

~~~
notlukesky
That is a commonly used technique actually and one to throw off the scent of
false attribution. Although no evidence is cited in the article and all the
nebulous case is built on anonymous sources.

The last disastrous piece on the alleged hack of firmware at AWS and Apple by
the Chinese was built on anonymous sources as well, and the cyberhacking
article was not retracted or apologized for by Bloomberg.

[https://www.bloomberg.com/news/features/2018-10-04/the-big-h...](https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies)

Time will not be forgiving to the authors of this article.

Maybe Reuters has article quotas on cyberattacks per month and it’s close to
the end of the month and they need to fill it somehow. It’s the journalistic
equivalent of being pulled over by cops for no reason towards the end of the
month so they can issue a ticket and fulfill their quota.

And my favorite part is Turkish interests. Is that a couple of script kiddies
who speak Turkish sitting in a basement in their pjs taking a break from
Fortnite or PUBG?

This article makes Judith Miller look like a real journalist like Walter
Cronkite. Judith Miller of NY Times wrote stories based on multiple western
anonymous and credible sources covering WMD in Iraq.

[https://en.m.wikipedia.org/wiki/Judith_Miller](https://en.m.wikipedia.org/wiki/Judith_Miller)

------
bluesign
"The hackers have attacked at least 30 organizations, including government
ministries, embassies and security services as well as companies and other
groups, according to a Reuters review of public internet records"

Which public internet records?

~~~
mywittyname
I'm guessing they did a whois on the domains linked to the attack.

------
blunte
Define "Turkey's Interest".

~~~
planetis
The Turkish government is seeking to tap into the eastern Med's natural gas and
oil reserves, while ignoring international law and discarding neighboring
countries' exclusive economic zones.

So acting basically like a pirate and threatening each day with war. Let me
give you a few examples and you can verify them later any way you wish.

In Cyprus they sent (not one but two) drilling ships and research vessels to
search for oil, with the escort of the Turkish Navy of course. They failed to
find gas in one location and are moving to the next. To add insult to injury
they even say they will share what they find, like a thief saying he will sell
your stuff and share the money with you...

In Greece where I live, there is a lot of uproar about the recently signed
Turkish-Libyan moratorium which basically ignores the Greek island of Crete
(as well as other smaller ones) and declares an EEZ with Libya, which they call
"neighbours" (look at a map please), at the same time ignoring the rights of
Greece, Cyprus, and Israel.

Also search for the clean water crisis in Iraq, for which the Turkish
government is ...also to blame. Basically they build dams cutting the
Euphrates river flow and DENYING their neighbor's RIGHT to clean water,
violating other international agreements.

~~~
planetis
Also let me remind you of the war in Libya which the GNA is losing, so they
signed a deal with Turkey in order to help them win the war.

------
onetimemanytime
Turkey has 80 million people and a GDP of $770 BILLION (nominal) or $2.3
Trillion PPP. Essentially unlimited money and manpower--for the task at hand.

~~~
buboard
That would make sense if 100% of Turks were ultranationalists hellbent on
spying on countries of 10, 3 and 1 million.

~~~
onetimemanytime
They don't need 80 million hackers. They need the state to fund hackers from a
huge pool of 80 million people. Or just set hackers loose for patriotic
reasons.

~~~
nurettin
A third of this population is underage for hacking and another third will not
be educated above primary school. It seems like a much smaller pool of
"hackers" when you consider that this is a land where a large percentage of
adults are undereducated farmers and workers living off of agriculture,
textile and menial labour. Where the general consensus is to spend a large sum
of your money on government sponsored games of chance, or if you are on the
more religious side, go and spend it on magic items and blessings. At any
given time you will probably get 30-50 highly skilled hackers (self-taught out
of pure chance) and rotation will be high due to getting a large number of
opportunities to live a better life abroad.

------
notlukesky
What is the difference between this article and fake news? A whole article
built on anonymous sources. Who are these credible anonymous sources? Donald
Duck?

And doing a DDOS attack is quite trivial and any script kiddie could launch
one from their computer or, if they are slightly more adept, from other
people's computers.

Turkey in fact is one of the most backward countries in terms of cybersecurity
(and cyberattacks).

Turkey was just attacked recently with DDOS attacks and the whole country's
Internet came to a standstill. Did the anonymous sources have any thoughts on
that?

Just look at Shodan to see how vulnerable and backward Turkey is in
cybersecurity matters:

[https://www.shodan.io/](https://www.shodan.io/)

~~~
commoner
Anonymous sources are an essential part of journalism, and Reuters is
reputable enough to use them responsibly.

> The weakest sources are those whose names we cannot publish. Reuters uses
> anonymous sources when we believe they are providing accurate, reliable and
> newsworthy information that we could not obtain any other way. We should not
> use anonymous sources when sources we can name are readily available for the
> same information.

> Unnamed sources must have direct knowledge of the information they are
> giving us, or must represent an authority with direct knowledge. Remember
> that reliability declines the further away the source is from the event, and
> tougher questions must be asked by reporters and supervisors on the validity
> of such information.

[http://handbook.reuters.com/?title=The_Essentials_of_Reuters...](http://handbook.reuters.com/?title=The_Essentials_of_Reuters_sourcing)

~~~
diminish
Unfortunately Reuters is famous for fabricating fake news in the name of some
state actors too.

~~~
commoner
It's hard to take these accusations at face value without evidence.

