After the U.S. government published a report on Russia’s cyber attacks against the U.S. election system, and included a list of computers that were allegedly used by Russian hackers, I became curious if any of these hackers had visited my personal blog. The U.S. report, which boasted of including “technical details regarding the tools and infrastructure used by Russian civilian and military intelligence services,” came with a list of 876 suspicious IP addresses used by the hackers, and these addresses were the clues I needed to, in the end, understand a gaping weakness in the report.
An IP address is a set of numbers that identifies a computer, or a network of computers, on the internet. Each time someone loads my website, it logs their IP address. So I searched my web server logs for the suspicious IP addresses, and I was shocked to discover over 80,000 web requests from IPs used by the Russian hackers in the last 14 months! Digging further, I found that some of these Russian hackers had even posted comments (mostly innocuous technical questions)! Even today, several days after publication of the report (which used a codename for the Russian attack, Grizzly Steppe), I’m still finding these suspicious IP addresses in my logs — although I would expect the Russians to stop using them after the U.S. government exposed them.
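The log search described above, as an added example that is not the author's own script: it parses web server lines in the common "combined" format, matches the client address against an indicator list, and counts hits per address along with the paths requested. The indicator addresses and log lines are constructed stand-ins (documentation-range IPs), not values from the Grizzly Steppe report.

```python
import re
from collections import Counter

# Constructed stand-in for the report's indicator list (documentation-range
# addresses, not the 876 real entries).
INDICATOR_IPS = {"192.0.2.10", "198.51.100.7", "203.0.113.99"}

# Constructed sample lines in Apache/nginx "combined" log format, plus one
# malformed line to show that junk is counted separately rather than ignored.
SAMPLE_LOG = """\
192.0.2.10 - - [04/Jan/2017:10:12:01 +0000] "GET /blog/post-1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [04/Jan/2017:10:12:05 +0000] "GET /about HTTP/1.1" 200 810 "-" "curl/7.51.0"
192.0.2.10 - - [04/Jan/2017:10:13:44 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.99 - - [05/Jan/2017:02:00:17 +0000] "GET /feed HTTP/1.1" 200 20480 "-" "FeedFetcher"
not a log line at all
"""

# Combined format: client IP, ident, user, [timestamp], "METHOD path proto", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None for a malformed line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("ts"), m.group("method"), m.group("path"), int(m.group("status"))

def match_indicators(log_text, indicators):
    """Return (requests per indicator IP, requested paths per IP, malformed line count)."""
    hits, paths, malformed = Counter(), {}, 0
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            malformed += 1
            continue
        ip, _ts, method, path, _status = parsed
        if ip in indicators:
            hits[ip] += 1
            paths.setdefault(ip, []).append(f"{method} {path}")
    return hits, paths, malformed

if __name__ == "__main__":
    hits, paths, bad = match_indicators(SAMPLE_LOG, INDICATOR_IPS)
    for ip, n in hits.most_common():
        print(f"{ip}: {n} request(s): {paths[ip]}")
    print(f"{bad} malformed line(s) skipped")
```

A hit only means an address on the list appeared in the logs; what that says about who was behind the request is the question the rest of the post turns to.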
What is happening? Are elite Russian hackers regular readers of my blog? Am I under cyber attack?