SANS Internet Storm Center (SANS ISC) InfoSec Forums

How to be a better spy: Cyber security lessons from the recent Russian spy arrests

On Monday, a number of Russian nationals were arrested for espionage against the US [1]. With all the talk and attention paid to cyber spies, spear phishing, APT and new high-tech satellites and drones, it is almost refreshing to see that good old-fashioned human spies are still used and apparently found valuable. Skynet hasn't taken over quite yet. However, the story has a few neat cyber security lessons.

Lesson 1: Encrypt your Wifi

The spies evidently used WiFi networks to communicate. However, instead of all of them connecting to a particular access point, they established ad-hoc networks. This idea is interesting in so far as it makes remote surveillance of the connection a bit harder: the FBI had to have a listening post close by in order to intercept the connection. It appears the FBI used to park close to coffee shops and similar places frequented by the spies in order to observe them meeting with their embassy contacts. The FBI was able to intercept the communication, and apparently used MAC addresses to track the participants. It is not clear whether any kind of encryption was used for the WiFi connection, but ad-hoc networking would only allow for WEP unless encrypted chat software is used.

As a "sub lesson" one may take away that, as a spy, you should change your MAC address to avoid tracking. But it is not clear whether this would have made a difference.

One neat side effect of this meeting method: The participants of the meeting never had to acknowledge each other visibly.

Lesson 2: Keep your password secure

The FBI had been following these spies for a while. A few years back, the FBI secretly searched the homes of some of the spies, copying various hard disks in the process. Small problem: the hard disk was encrypted. Luckily, an observant FBI agent noticed a piece of paper during the search with a long number/letter combination. It turned out to be the password. This was critical: it allowed the agents not only to decrypt the hard disk, but, after decrypting it, the agents also found steganography software and other encryption tools, as well as lists of web sites used to exchange steganographic messages.

Lesson 3: Obscurity != Security

The spies to some extent used steganography to exchange messages. These messages were encoded into an image, and then uploaded to various web sites. As explained above, the FBI was able to obtain a list of these sites and the software used to encode them. However, at least according to some reports, the messages were not encrypted. Typically, if you want to do steganography right, first encrypt the message, then encode it in an image, in particular if you use standard software to perform your steganography. (Update: some reports mention that the messages had been encrypted before encoding them into the images.)
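To make this lesson concrete, here is an added example (written for this diary, not the software the spies or the FBI used): a toy LSB embedder over a constructed "cover image", run once with the plaintext and once with the message encrypted first. Anyone who has the same embedding tool recovers the payload either way, but only the encrypted variant keeps the content private. The HMAC-based stream cipher, key, nonce and cover bytes are all constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo values (not from the diary): fixed key/nonce and a fake 2048-byte cover of 8-bit pixels.
KEY = hashlib.sha256(b"demo key, constructed for this example").digest()
NONCE = b"\x00" * 12
MESSAGE = b"hello from the handler"
COVER = bytearray((i * 37 + 11) % 256 for i in range(2048))

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as an illustrative stream cipher; never reuse
    # a (key, nonce) pair, and prefer an AEAD such as AES-GCM in a real tool.
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Encrypt or decrypt: XOR with the keystream is its own inverse.
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))

def embed_lsb(cover: bytearray, payload: bytes) -> bytearray:
    # 2-byte length header + payload, one bit per cover byte (LSB replacement).
    data = len(payload).to_bytes(2, "big") + payload
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("cover too small for payload")
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit
    return stego

def _read_lsb(stego: bytearray, count: int, offset: int) -> bytes:
    # Reassemble `count` bytes from the LSBs starting at cover byte `offset`.
    return bytes(sum((stego[offset + b * 8 + i] & 1) << (7 - i) for i in range(8))
                 for b in range(count))

def extract_lsb(stego: bytearray) -> bytes:
    length = int.from_bytes(_read_lsb(stego, 2, 0), "big")
    return _read_lsb(stego, length, 16)

def demo() -> dict:
    # Plaintext embedded: anyone with the same tool reads the message.
    naive = extract_lsb(embed_lsb(COVER, MESSAGE))
    # Encrypt-then-embed: the extractor only gets ciphertext without the key.
    extracted = extract_lsb(embed_lsb(COVER, xor_crypt(KEY, NONCE, MESSAGE)))
    return {"naive": naive, "extracted": extracted,
            "decrypted": xor_crypt(KEY, NONCE, extracted)}
```

The `naive` result is the readable message, `extracted` is ciphertext of the same length, and only `decrypted` (which needs the key) matches the original.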

Lesson 4: Perfect forward secrecy

Perfect forward secrecy is an important cryptographic concept. You never want to use an old password to encrypt the new password. If you do, once an attacker has figured out one password, they will be able to decrypt all future passwords. It appears that the spies frequently made arrangements about future meetings and communication protocols over insecure channels (like the ad-hoc WiFi). In some ways this may also be considered relying on obscurity again.

various other news reports like:


Johannes B. Ullrich, Ph.D.
SANS Technology Institute

I guess another important way is to use a non-Windows machine. They can use Linux or any Live CDs to make it even harder in case the FBI is trying to exploit a vulnerability in the spying machine and wants to get a backdoor on their machine.

On the networking side, they should have limited communication to specific MACs only, or configured their iptables to filter inbound/outbound traffic.

For their internet access, they should have used tools like Sandboxie and anonymity sites.

My 2 cents
