Russian Spies used Wi-Fi and Steganography

Some of the details are beginning to emerge about the 10 Russian spies that were captured in the US. According to an article on The Register, the spies communicated with Ad-Hoc Wi-Fi networks and hid messages in pictures using Steganography.

FBI agents monitored 28 year old Russian spy Anna Chapman as she communicated with a Russian government official. Anna would go to a book store and using her laptop, created an Ad-Hoc Wi-Fi connection to a Russian contact who was outside the store:

Surveillance agents nearby used “a commercially available tool that can detect the presence of wireless networks” to witness the creation of the ad hoc networks. NetStumbler is probably the most popular example of such software. Law enforcement agents were able to detect a particular MAC address – MAC address A – at the time that Chapman was observed powering on her laptop computer,” the complaint says. Law enforcement agents were also able to determine that the electronic device associated with MAC address A created the ad hoc network.”

The spies also embedded secret messages in pictures and uploaded them to sites where Russian officials retrieved them, and decoded the messages.

A New Jersey search uncovered a network of websites, from which the alleged spies had downloaded images. “These images appear wholly unremarkable to the naked eye,” the complaint explains. “But these images (and others) have been analyzed using the steganography program. As a result of this analysis, some of the images have been revealed as containing readable text files.”

It is interesting to see the tactics used by modern spies. Of course Russia is denying any and all involvement. Kudos to the FBI for taking them down.

6 thoughts on “Russian Spies used Wi-Fi and Steganography”

  1. Cool story. Thanks sharing.

    I always wondered why there are so many people in bookstores using laptops. They must all be spies! There whole operation seems so 80’s cloak and dagger to me. Steganography and coffee/book shops? Really? Couldn’t they have come up with something more high-tech? How unimaginative.

    I understand the reasoning behind these types of multi-year investigations, but it always bothers me that someone is getting away with doing something for so many years before being taken down. In my mind, it raises the question of how significant the information is that they guys were passing along.

    A story like this raises more questions than it answers. I wonder if we’ll ever learn what was truly going on here. Inquiring minds want to know!

    1. Thank you. Yes, I guess it was the fact that they were using old tech was how they got caught. A post on Discover Magazine said:

      Fortunately for the FBI, the Russians themselves used a relatively old version of steganography. Though no one’s head got inked, the version of the software the Russians used, according to IEEE Spectrum, left traces of the hidden messages. New versions–called network steganography–can erase any signs of wrongdoing after the receiver gets her message. The Russians used a 1990s version of the software, and the experts aren’t too impressed.

      Now, if the Russians kept up to date on versions, it may have been a different story, lol!.

      I hear you on the length of time it takes to build a case. One of my friends is a SWAT officer and it drives him nuts that it sometimes takes years to get the evidence to build a case and then its thrown out on a technicality.

  2. There is clearly a need for better Intrusion Detection Systems. Traditionally, IDS would look at anomalies or a well known patterns. Today’s attacks leave very little or no difference beetween legitimate traffic and malicious traffic. Most intruders methods use very legitimate methods, such as downloading and/or uploading images yet the intension behing is the problem. Security experts need to raise their game.

    1. I agree Jules, but what will they use? It seems like most major US companies are content with knowing they will be compromised and using network security monitoring to catch the malicious traffic. As Dr. Winter said recently, “Better security comes however, from a risk-management approach, namely Enterprise Threat and Risk Management, in which one assumes the adversary will get in“.

      I really don’t like that idea. It would be preferable to block the attack before it gets in. I thought Ipv6 would fix a lot of woes, but maybe they need to start over from scratch and make something new. Or better yet, get government systems and internal corporate networks off the public internet.

  3. Well, I am sure you know how the stories goes. The US, almost always have hints on what is going to happen but they choose to ignore them. The same applies in network security. There is always a hint that something irrugular is happening. Rather than raising a flag at that stage, most people, most security systems, will wait for the whole incident to happen before they say “right… this is what was happening”
    Speaking of IPv6, very little systems have a very good knowledge of it. Clever guys use terodo to bypass most security systems. IPv6 is certainly better but again only when correctly implemented.
    It is time that what was once flagged at noise (scan, OS fingerprinting, the presence of new ad-hoc network etc..) have another re-evaluation. They should probably come under highly suspicious. If someone come and check if our door (at home) is open, we should be very much concerned as the next cause of action will be fatal and it will be too late to do anything about it.

    1. I agree, very good points indeed. I think we can safely assume that the person doing the OS scanning may no longer be just a silly teenager fooling around.

      It would be cool if an intelligent firewall router could sense the probing attempts/ questionable traffic and automatically and seamlessly switch the traffic to a honeypot or a quarantine type area of the network for further analysis and detection.

      Interesting point about Teredo. If anyone wants to learn more about the security concerns of Teredo, Symantec has a Teredo Security PDF and also SANS has a short video on “IPv6 with Teredo” and a demonstration of their ipv6 conversion tool on the Internet Storm Center page.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.