Last week the World Anti-Doping Agency (WADA) released an update about its investigation into the recent hack and subsequent leaks of Olympic Athletes’ confidential information, and one of the more interesting revelations was that some of the stolen data may have been manipulated prior to being leaked.
“WADA has determined that not all data released by Fancy Bear (in its PDF documents) accurately reflects ADAMS [Anti-Doping Administration and Management System] data,” the agency wrote in a blog post. “However, we are continuing to examine the extent of this as a priority and we would encourage any affected parties to contact WADA should they become aware of any inaccuracies in the data that has been released.”
WADA did not elaborate on which athletes’ data may have been altered or provide any other explanations for the discrepancies, but it does highlight a unique cybersecurity concern that has surfaced recently: threat actors manipulating stolen data in order to increase the fallout from a breach.
A History of Fake and Exaggerated Breaches
Hackers have a long history of re-purposing data in order to claim new attacks.
Just last week the actor known as Guccifer 2.0 posted a dump of data allegedly stolen from the Clinton Foundation, claiming that “it was just a matter of time to gain access to the Clinton Foundation server.” However, a variety of news outlets have since reported the data appears to be from a previous hack of the Democratic Congressional Campaign Committee and the Democratic National Committee — not the Clinton Foundation. Prior to that there was a Pastebin post alleging a “full database leak” at cryptocurrency exchange Poloniex. Once again, the company was quick to dispute the claim, posting on social media that the data was actually from another company’s breach a year prior.
Claims of fake or exaggerated data breaches are troublesome for organizations, but they’re not as insidious as the manipulation of legitimate data.
“Imagine trying to explain to the press, eager to publish the worst of the details in [leaked] documents, that everything is accurate except this particular email. Or that particular memo,” security blogger Bruce Schneier wrote last month. “It would be impossible. Who would believe you? No one.”
WikiLeaks, Sputnik News and Donald Trump
An example of this potential issue was highlighted yesterday through a combination of WikiLeaks, Russia’s Sputnik News, and Donald Trump. On Monday morning, WikiLeaks released 2,000 emails that appear to be from the account of Hillary Clinton’s campaign chairman, John Podesta. One of those emails was from Clinton ally Sidney Blumenthal and contained a Newsweek article about the Benghazi hearings. Sputnik News then incorrectly reported on the email — either intentionally or as a result of sloppy journalism — quoting the Newsweek article email as if it were Blumenthal’s own thoughts on the subject. Hours later, Donald Trump quoted that false Sputnik News article at a rally in Wilkes Barre, Pennsylvania, telling the crowd that Blumenthal said the “attack was almost certainly preventable” and that Blumenthal was “now admitting they could have done something about Benghazi.”
That falsehood could be the result of the miscommunication inherent in a game of telephone — from Podesta’s email to WikiLeaks to Sputnik News to Donald Trump to the booing crowd — or it could be, as the author of the original Newsweek article suggested, an intentional effort from Russia.
This is not funny. It is terrifying. The Russians engage in a sloppy disinformation effort and, before the day is out, the Republican nominee for president is standing on a stage reciting the manufactured story as truth. How did this happen? …
The Russians have been obtaining American emails and now are presenting complete misrepresentations of them—falsifying them—in hopes of setting off a cascade of events that might change the outcome of the presidential election.
It was just last week that Congressman Adam Schiff put forth this very idea in The New York Times. Russia could take already-stolen emails, alter them, and give the impression that one of the presidential candidates had done something outrageous or illegal, potentially altering the election.
The Blumenthal story was quickly corrected by viewing the source email on WikiLeaks, but what if the source itself had been altered? In a dump of 2000 legitimate-looking emails, who would believe that one email or one line within an email was altered.
As Schneier wrote: “No one.”
Tactic Beyond Nation-States?
The examples cited above have been extremely high-profile events. Leaked data tied to the Olympics or a presidential race faces a far higher level of journalistic scrutiny than an ordinary dump of company documents, communications or other internal data. For those breached organizations, proving that leaked data was altered may be more difficult, and it may prove harder still to spread news of that proof without a media echo chamber to amplify that message.
While altering data may not be the most profitable avenue for cybercriminal groups, not all threat actors are concerned about profits. Hacktivists could alter data to create a scandal for political purposes. Malicious insiders may manipulate leaked communications to embarrass an executive or otherwise harm their organization. Competitors may tweak stolen documents to damage their rivals’ reputation and steal customers.
Even those motivated by profit may find ways to incorporate data alteration into their toolset. Data destruction has quickly become a common tag in SurfWatch Labs’ cyber threat intelligence data due to the surge in ransomware infections in recent years, and actors who are demanding tens or hundreds of thousand of dollars in extortion are likely to use every tool available to them to push organizations towards paying ransoms.
Many of the stories related to altered data currently revolve around nation-states, but like everything in cybersecurity, copycats can be expected if it proves to be a successful tactic. It’s just one more cyber risk facing organizations — and one more reason to prioritize keeping your organization’s data safe from malicious actors.