Inside Cyber Warfare - Jeffrey Carr [79]
He tells how Sergei Sokolov, Russia’s best-known investigative reporter and deputy editor for Novaya Gazeta (Anna’s former employer), testified how one of the accused men in her murder was an FSB agent who was ordered to follow Anna.
Charges related to planning the reporter’s murder were also brought against a former major in a police unit whose job it was to fight organized crime.
That same major was charged four years earlier with the torture and kidnapping of a Russian businessman. His reported accomplice was a former FSB colonel.
On February 19, 2009, the trial ended with no convictions. One month earlier, on January 19, Stanislav Markelov, Anna Politkovskaya’s lawyer, was shot to death as he left a news conference located less than half a mile from the Kremlin. No one has been charged with his murder.
There is a lengthy list of unsolved murders of journalists, businessmen, political opponents, and other figures over the past few years that should make anyone who envisions taking on organized crime reconsider.
The relevance of this broad look at Russian organized crime in a book about cyber warfare is to help establish a better understanding of the relationship between these criminal organizations and Russian government officials. That relationship doesn’t change because the landscape moves from the streets of Moscow to the virtual world of the Internet. Cyberspace simply becomes another domain in which organized crime can operate with the same ruthlessness and violence it shows elsewhere.
Understanding this is vital for Western government policymakers who may still believe that cyber wars are being fought by bored teenage hackers.
The links between Russian organized crime, Russian intelligence, and the Russian government are fairly well documented, but their extension into cyber crime is not. Affected governments need to conduct additional investigations into this problem and coordinate assets.
Chapter 9. Investigating Attribution
A well-designed, defensible network should have a number of monitoring elements available for forensic analysis when it is attacked or compromised. For example, most networks will have deployed intrusion detection systems, firewall and router traffic logs, and access logs contained on the server itself. There exists a bevy of tools and techniques that can allow an investigator to gain further insight using open source data. This includes routing information from the border gateway protocol (BGP), [37] domain name system (DNS), darknet monitoring, blacklist services (such as those offered by Spamhaus, CBL, etc.), and, to a lesser degree, Internet registry information (e.g., ARIN, RIPE, APNIC, etc.).
Performing a traceroute on each IP will show an experienced computer security engineer where the attacks originated from and what path the packets took to get to the target.
This chapter takes a rudimentary look at these computer forensic tools by way of some real-world examples.
Using Open Source Internet Data
The following serves as an introduction to several key internetworking concepts. This is fairly complex subject matter, and will be discussed only at a very high level here.
The border gateway protocol (BGP) is widely characterized as the “glue of the Internet.” Every Internet service provider uses BGP to move packets between source and destination nodes. Essentially, each BGP “speaking” router will dynamically maintain a table of network addresses, or “prefixes,” which details network availability.
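As an added illustration of the two ideas above (a per-hop traceroute read by an investigator, and a BGP prefix table consulted by longest-prefix match), the following script is example code written for this edition, not the author's tooling. The prefix table, AS names and traceroute output are constructed from documentation address ranges and private-use ASNs; the function names are my own.

```python
import ipaddress
import re

# Constructed BGP prefix table: (prefix, origin ASN, AS name). Uses RFC 5737
# documentation ranges and RFC 5398 private-use ASNs; not real routing data.
PREFIX_TABLE = [
    ("192.0.2.0/24", 64503, "EXAMPLE-EDGE-D"),
    ("203.0.113.0/24", 64502, "EXAMPLE-TRANSIT-C"),
    ("198.51.100.0/24", 64500, "EXAMPLE-ISP-A"),
    ("198.51.100.128/25", 64501, "EXAMPLE-HOSTING-B"),  # more specific route
]

# Constructed traceroute output; hop 3 timed out (shown as "* * *").
SAMPLE_TRACEROUTE = """traceroute to 198.51.100.200 (198.51.100.200), 30 hops max
 1  192.0.2.1 (192.0.2.1)  0.512 ms
 2  203.0.113.9 (203.0.113.9)  8.104 ms
 3  * * *
 4  198.51.100.200 (198.51.100.200)  21.733 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+\S+")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def longest_prefix_match(ip, table=PREFIX_TABLE):
    """Return (asn, name) for the most specific prefix covering ip, as a BGP
    lookup would, or None when no prefix in the table covers it."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, asn, name in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn, name)
    return None if best is None else (best[1], best[2])


def parse_traceroute(text):
    """Return [(hop, ip_or_None)] per hop line; timed-out hops give None."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header line, not a hop
        ip_match = IPV4_RE.search(line)
        hops.append((int(m.group(1)), ip_match.group(0) if ip_match else None))
    return hops


def as_path(text, table=PREFIX_TABLE):
    """Collapse the hop list into the ordered list of distinct origin ASNs."""
    path = []
    for _, ip in parse_traceroute(text):
        hit = longest_prefix_match(ip, table) if ip else None
        if hit and (not path or path[-1] != hit[0]):
            path.append(hit[0])
    return path
```

Note that the last hop resolves to AS64501 rather than AS64500 because the /25 is more specific than the covering /24; an investigator reading only the /24 allocation from a registry would attribute the address to the wrong operator.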
For the sake of the examples outlined in this chapter, there are three main concepts you should understand:
Autonomous system
“[A] collection of connected IP routing prefixes under the control of one or more network operators that presents a common, clearly defined routing policy to the Internet” (RFC 1930)
I-BGP
Internal Border