January 12, 2017

From Russia With Love

My patience has finally been rewarded.  The declassified version of the highly classified election intelligence report has been released and is available to the general public.  The PDF document is short and sweet, but it gives a high level overview of the joint investigation by the NSA, CIA, and FBI into Russian activities and involvement related to the 2016 US presidential election.  Despite the lack of details related to the Russian campaign (the supporting information is still considered classified), its conclusions are just as intriguing and revealing.  After drowning in the ocean of political social media posts throughout the election, I ran to Facebook, ready to contribute to the wave post comments, likes, and shares undoubtedly overtaking the usual cat videos.

Download the report here.

giphy

Actual photo of me running to Facebook

But upon my successful login… There wasn’t a single post or share.  Not even a single, nonchalant like.

What the actual f*ck? It seemed like everyone I ever met and their mothers spent the better part of their days sharing every stupid post about the presidential candidates for the last month.  Conservatives were screaming about Secretary Clinton’s emails like they were national security professionals. Liberals exploded when there were possible connections between Trump and Russia. So, the question has to be asked… Where the f*ck did everyone go?  Much sad, such disappointment.

giphy-1

Actual photo of me being disappointed

Sure, people tend to share more articles and post more political content during the election cycle, but the dead silence just didn’t make sense.  It’s almost been a week since the report was released (Jan 6, 2016) and I’ve only seen one friend on Facebook even mention the report.   Maybe people wanted the classified supporting details, or perhaps the report wasn’t clear to those without a security background.  No matter the reason, I believe it’s important to provide people with clear, easily understandable information.  Russia’s massive presence in the cyber world will have more consequences in the future, and you know should how their actions can affect you.  So get ready for hacking, history, and whatever else I manage to cover before falling asleep.

A Hacking History

Whether you’re part of the 37% of Republicans who view Russia favorably, or you have a general disdain for the autocratic nation, or you just couldn’t give less of a sh*t, you can at least recognize a cyber superpower when you see one.  The mention of Russia usually conjures up visions of Vodka, James Bond era spies, and bears riding unicycles to many Americans, but the nation has become a dominant force across all facets of the internet, only surpassed by China.

The internet has become the fifth dimension of war (the others being land, sea, air, and space).  Nations have been building their cyber/information warfare capabilities since the mid 1970’s.  The US was one of the first to capitalize on its benefits, intercepting Soviet microwave communication signals during the Cold War.  Since then, the nation’s cyber capabilities have rapidly evolved, providing a massive strategic edge in every military and political conflict since then.  Today, three nations have risen to become “cyber superpowers”, each with their own unique motivations and goals:

  • China
    • Heavily targets corporate secrets, military design documents.
    • Values control over communication systems to spy on activists and dissenters.
    • Notable attacks: Google, Lockheed Martin (unconfirmed, substantial evidence)
  • Russia
    • Military advantage – intelligence, battlefield dominance, preparation.
    • Political motivation, generally attempting to ensure themselves a position of power.
    • Notable attacks: Estonia cyber attacks, “Ouroboros” malware in Ukraine
  • United States
    • Mass intelligence, espionage – what you don’t know can hurt you.
    • Counter command and control, creating military advantage by disrupting enemy trust and communications .
    • Notable attacks: Stuxnet malware, Flame malware

Others notable nations include Israel, Iran, and North Korea.

Cyber warfare, or information warfare, is a extensive story that grows every day.  If you’re interested in learning more about cyber security and cyber warfare, I highly recommend reading Cybersecurity and Cyberwar: What Everyone Needs to Know.  You can find it on Amazon or Audible.

Aren’t we here to talk about Russia?

Yes, I just get distracted easily.

10-a-game

But a brief history is important to know before diving into the confusing enigma that is Russian cyber operations.  If we look back through previous Russian cyber campaigns, there are a few distinct attributes that standout from other nations’ strategies:

Deny, Deny, Deny – Political leaders, including Vladimir Putin, maintain a headstrong strategy of denial when it comes to cyber espionage.  Forget the dominant reputation gained by executing a major hack against a competing nation.  Capitalizing on the natural complexity of tracing a cyber attack and denying any claims of attribution creates confusion, even frustration, that only multiplies over time.

Hackers Wanted – The Kremlin is well known for hiring cyber criminal gangs and individual hackers to assist or execute their campaigns, both Russian and international.  Want US Navy submarine diagrams? Just call up Fancy Bear and let them do the dirty work.  The obvious benefit of this strategy is the redirection of attribution.  If the campaign is revealed publicly, it’s easy to throw the hired guns under the bus.  A similar strategy involves breaching computers in another country, then executing the attacks via the hacked foreign computers.  The attacks will appear to originate from the the hacked computers and can only be traced back to Russia if the owners discover the breach.  Russia will often utilize a country that is at odds with their target, hoping to spark additional conflict and inhibit investigation.

Wait for it… Wait for it… – Russia isn’t often attributed to massive, destructive attacks or operations that include one of a kind malware.  The nation has mastered the art of disinformation campaigns, where intentionally false or misleading information is spread in a calculated way to deceive target audiences.  This primarily evolved from a KGB trade craft.  Disinformation isn’t an easy act, it’s an art involving meticulous research, precise timing, and advanced technical skills.  It’s a devastating attack when executed right, and has been employed by the US in several conflicts as well (notable example, Bosnia war and the Milosevic family). But when it comes time for the big guns, Russia reveals its serious power.  Before invading Georgia and the Ukraine, Russian military crippled internet services for each country.  It also wiped Estonia off the internet map for 3 days.  While other countries go HAM (Hard As A Motherboard), the Kremlin only unleashes its full power when absolutely necessary.

So who did they attack?

Russia has targeted many nations for cyber attacks and disinformation campaigns.  There are three significant events that standout from the rest: distributed denial of service attacks against Estonia, cyber attacks during the invasion of Georgia, and the Ouroboros malware during the invasion of the Ukraine.  These attacks either provided Russia with crucial military advantages and/or caused massive damage.

Estonia

In 2007, Estonia attempted to relocate a Soviet-era grave marker called the Bronze Soldier of Tallinn from its capital city to the outskirts.  The Soviets had built the monument in 1947 to commemorate their casualties of war after driving the Nazis out of the region in World War II.  With the country now Nazi-free, the Russians decided it was a nice place to stay and soon enough the Soviet secret police were deporting Estonians to Siberia.  Now, after 16 years of independence from Russia, the Estonians saw the statue as a symbol of Russia’s occupation and oppression.

Russia, and the many Russian born citizens still residing in Estonia, predictably disagreed with this decision.  Russia warned that there would be consequences, and oooh boy were they serious.

Now let’s remember that this is 2007.  eCommerce is rapidly growing and Estonia is riding that wave hard.  The country thrived with the development of the internet.  Many utilities and services were digitized, including the country’s voting system.  And then…

300

Russia blasted Estonia completely off the internet.  A massive distributed denial of service (DDoS) attack took down the websites for Estonian organizations, including the parliament, banks, ministries, newspapers, broadcasters, and more.  Websites that managed to survive the tidal wave of ping floods were spammed by Russian supporters and some were ever defaced, including the website of the Estonian Reform Party.  At the time, this attack was regarded as the 2nd largest act of cyber war ever seen, second to an operation called Titan Rain (attributed to China).

Estonia called upon NATO to enact Article 5 for collective defense.  Its allies, including the US, stated that the attacks did not constitute and act of war and therefore did not call for collective defense.  The DDoS attacks lasted for 3 days, causing massive disruptions to financial systems and eCommerce markets, as well as mass panic across the general population.  The statue was eventually moved, but not without riots and criticism.

Georgia

In August 2008, Georgia’s relationship with Russia was deteriorating quickly.  Georgia had declared its independence from the Soviet Union in 1991. During 1991/1992, a war with the South Ossetian autonomous oblast sparked tension with Russia, as the oblast was under de-facto control by the Russian government. Vladimir Putin’s rise to power in 2000 and a pro-Western rise to power in Georgia during 2003 was enough to light the flame.  By 2008, it had become a full diplomatic crisis, and on August 1st, Ossetian separatists began shelling Georgian villages.

On August 7th, Georgian government and news websites went down and hosting servers were taken offline.  Communication systems were disrupted, causing confusion among citizens and military.

Georgia didn’t even see Russia coming.  Russian battle ships moved into position on the Black Sea, deploying troops to the shore and setting up a blockade around Georgia’s sole access to the open waters.  Russia fighter pilots approached from the north, deploying airborne troops behind enemy lines and dropping airstrikes.  This was the first time that a cyber attack coincided with military action, and it was damn effective.  Russia also conducted a disinformation campaign throughout the war, bringing Russian journalists to the combat zone to report news discrediting Georgia and portraying Russia as the savior of Russian citizens in the conflict zone.

The war lasted only 5 days before a ceasefire agreement was negotiated.  Hundreds of soldiers and civilians were killed and over 192,000 people were displaced.  Russia occupied four major Georgian cities and held control beyond the ceasefire.  The South Ossetians destroyed most of the ethnic Georgian villages in South Ossetia and were responsible for an ethnic cleansing of Georgians.

The Ukraine

In 2014, the Russian military marched into Ukraine, but not without some cyber support.  Russia enlisted the help of a well known and highly skill hacker group, often called Fancy Bear.  The group is also credited with hacking the World Anti-Doping Agency and the Democratic National Committee.

Fancy Bear (aka ATP28) created Android malware that targeted the artillery of the Ukrainian army.  The group created an infected version of an Android application that was meant to control one of the army’s artillery units. The application looked legitimate, but it contained a version of the X-Agent spyware.  The goal was to use the infected application to track Ukrainian artillery, giving Russian air forces an accurate map of their current positions.

CrowdStrike, a US-based cyber security investigation company, claimed that over 80% of Ukrainian D-30 Howitzer artillery units were destroyed during the war, and attributed these astronomically high losses to the malware’s tracking ability.  The Ukrainian army disagrees with this estimate, saying that the losses were far less severe, but there’s no doubt that the malware assisted in the destruction of its artillery.

Didn’t you mention a report or something?

Ah yes, the report.  The Office of the Director of National Intelligence has released a declassified version of the joint investigation.  The report assess Russian actions and intentions related to the 2016 US presidential elections.  As I mentioned before, the details still remain highly classified, but the conclusions have been made public.  Now that we’re familiar with Russia’s cyber warfare methodologies and techniques, let’s take a look at the report’s conclusions.

Influence Campaign

 The report details an influence campaign, ordered by Vladimir Putin, that aimed to accomplish the following:

  • Undermine the publish faith in the US democratic process
  • Criticize and attack Secretary Clinton
  • Harm Secretary Clinton’s electability or possible presidency

It was determined that the Russian government developed a preference for President-elect Trump.  They focused the campaigns efforts on undermining Secretary Clinton’s expected presidency once it appeared she would be the winner.  All three intelligence agencies agree that the Russian government attempted to discredit Secretary Clinton to decrease her chances of winning.

It was assessed that Putin and the Russian government developed a clear preference for President-elect Trump:

  • Beginning in June, Putin directly avoided praising President-elect Trump
    • Kremlin officials believed their support would backfire in the US
  • Putin publicly indicated a preference for President-elect Trump’s policy to work with Russia
  • Pro-Kremlin leaders praised his Russian-friendly positions related to Syria and Ukraine.
  • President-elect Trump’s business experience in Russia was favorable to Putin
  • Russia stopped public criticism of the US election system immediately after the election
    • Could possibly counter productive, as opposed to building relations with new leaders

Due to strong predictions that Secretary Clinton would win, Russia focused the influence campaign on ensuring Secretary Clinton’s presidency would be crippled from the start and the legitimacy of the election would be widely question.

  • Russian diplomats publicly denounced the electoral process
    • Promised to publicly question the validity of the election results
  • After President-elect Trump’s victory, no questions were raised
  • Pro-Kremlin Twitter accounts prepared a Twitter campaign (#DemocracyRIP) on election night, preparing for a Clinton victory.

Russian intelligence conduct cyber espionage operations to support the influence campaign.  Targets include US primary campaigns, think tanks, and lobbying groups.

  • July 2015 – Russia gained access to the DNC
    • Maintained access until June 2016
  • March 2016 – cyber operations target personal email accounts of Democratic Party officials.
    • Stolen large volumes of data from the DNC with the email accounts

Russian intelligence then used the stolen data to leverage its influence by publicly disclosing the documents.

  • Utilized the Guccifer 2.o persona (supposedly a Romanian hacker, but much evidence points to it being a shared persona), DCLeaks, and WikiLeaks.
  • Content confirmed to be stolen during the March 2016 attacks appeared on DCLeaks in June.
  • Leveraged WikiLeaks reputation of authenticity to amplify the effects
  • Data related to Republican-affiliated targets was confirmed to be stolen as well, but Russia did not conduct a comparable disclosure campaign.

The section related to Russia’s state-run propaganda and media efforts is extensive, by far the largest part of the report.  I would recommend reading through this section yourself, as it contains many conclusions and examples of Russia’s ability to influence opinion through the media.  Absolutely intriguing and I’m looking forward to the full version of the report (when ever that’s declassified).

The report does make a few board conclusions, and a couple are a bit of a stretch without the supporting evidence.  But overall, a majority of the documented Russian efforts can easily be confirmed from a Google search or YouTube video.  The outlined influence campaign also strongly resembles many of the previous Russia information based operations.

You’re free to come to your own conclusions.  As for me, information and evidence is crucial.  The declassified version of the report may not include the full evidence (for understandable reasons), but it’s a big step forward for a government that has lost a lot of its transparency in the past few years.  No matter who you supported during the election, in the end we’re all Americans who care about our security, privacy, integrity, equality, and country.

Thanks for reading.

Advertisements

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About Jean Fleury

Naval officer, privateer, cyber security professional. Traded in my five-ship squadron for a computer and Burp Suite license.

Category

Cyber Security News

Tags

, , , , ,