Attribution: Information Warfare Ties to 'Russia's Senior-Most Officials'
Mathew J. Schwartz (euroinfosec) • October 10, 2016
Photo: Diego Cambiaso (Flickr/CC)
In an unprecedented move, the U.S. intelligence community has blamed the Russian government for attempting to interfere in U.S. elections by hacking and leaking documents.
"We believe, based on the scope and sensitivity of these efforts, that only Russia's senior-most officials could have authorized these activities," according to a joint statement released by the U.S. Department of Homeland Security and Office of the Director of National Intelligence.
In particular, it cited "the recent disclosures of alleged hacked e-mails on sites like DCLeaks.com and WikiLeaks and by the Guccifer 2.0 online persona," which it noted have been "consistent with the methods and motivations of Russian-directed efforts," and which are "intended to interfere with the U.S. election process."
DHS and ODNI also said Russia could be behind recent attempts to probe the security of states' election systems, but stopped short of attributing the attacks to Moscow, although they did say most of these efforts originated from servers run by an unnamed Russian company. The agencies added that "the decentralized nature of our election system in this country and the number of protections state and local election officials have in place" would make it very difficult for a hacker, even one with nation-state backing, to alter ballot counts or election results via a cyberattack.
The attack campaign has included the leak of emails stolen from the Democratic National Committee, which triggered an FBI investigation into the broader attack campaign (see Ex-FBI Agent on DNC Breach Investigation).
But the Kremlin on Oct. 7 fired back at the attack attribution, calling it "nonsense." "Tens of thousands of hackers attack the site of [Russian President Vladimir] Putin every day," Kremlin spokesman Dmitry Peskov told private Russian news agency Interfax. "Many attacks are traced back to U.S. territory. We don't blame the White House or ... [the CIA] every time," Peskov reportedly said.
Escalating Tensions
The DNC leaks began in June, when Guccifer 2.0 - who claimed to have no affiliation to the Russian government - began posting DNC files to the internet. It was followed by further leaks via "hacktivist" website DCLeaks.com as well as via WikiLeaks.
Multiple security experts have said the DNC network infiltration appeared to be the work of the advanced persistent threat group known as Fancy Bear - a.k.a. Sofacy or APT 28 - which they suspect is part of Russia's military intelligence agency GRU.
Experts say the election meddling is only the latest episode in what's been a long-running series of political skirmishes that date from at least 2008, when the United States advocated for Ukraine to become part of NATO. Since then, tensions have escalated over Russia's annexation of Crimea in 2014 and more recently over Russia's backing of the Syrian government in that country's five-year civil war, as well as last month's breakdown of a ceasefire negotiated by the Russian and U.S. governments.
"For the past two years, there has been a massive increase in hacking by the Russians," Dmitri Alperovitch, CTO of cybersecurity firm CrowdStrike - which has been retained by the DNC to investigate the hack attacks against it - told NBC News.
"Not all of it is politics. It is across the board," said Alperovitch, who's been involved in the DNC investigation. "But it got more intense this year with the election."
Last month, the emails of one prominent Republican, former Secretary of State Colin Powell, were leaked via the DC Leaks site.
But as part of the same cyber-espionage campaign that targeted the DNC and Powell, hackers have also targeted "hundreds" of other people, including numerous high-ranking Republicans, an unnamed cybersecurity expert who's assisting with the U.S. government investigation tells NBC News.
Victims have included "high-profile former officials, political figures, current officials," the expert said. "I can't tell you who the Russians are going to leak information about next. ... The only thing I can tell you is that there are going to be more leaks."
Presidential Debates Talk Hacking - Or Not
The subject of Russia's alleged hacking of U.S. systems in an attempt to influence the election was raised at the second presidential debate between Democratic nominee Hillary Clinton and Republican nominee Donald Trump, held Oct. 9.
During the debate, Clinton again criticized Trump for having praised Russian President Vladimir Putin, especially in the wake of the new election hacking attribution. "The Kremlin - meaning Putin and the Russian government - are directing the attacks, the hacking on American accounts to influence our election. And WikiLeaks is part of that," Clinton said.
"Never in the history of our country been in a situation where an adversary, a foreign power, [worked] so hard to influence the outcome of the election," she added.
In response, Trump said there's a propensity to blame Russia for any type of online hacking. He added: "Maybe there is no hacking."
Information Warfare
The Russian government has previously been accused of running propaganda campaigns using what's often referred to as the 4D approach: dismiss, distort, distract and dismay.
The U.S. Ambassador to Germany, John B. Emerson, described the approach in a 2015 speech in Berlin to the Atlantic Council think tank, noting that the Kremlin runs a $400 million media operation that covers 100 countries, and which includes its Russia Today - a.k.a. RT - news network.
"The Russian government, and the media that it controls, are trying to prevent the publication of information that doesn't conform to Russia's aims, and are manipulating the presentation of information to cloak Russia's actions," Emerson said. "The Kremlin's disinformation campaign goes far beyond controlling its own media. It is aimed at nothing less than presenting a parallel version of reality and disseminating it as if it were news. The Kremlin's goal is to make people question the value of media at all; to reject the idea of an absolute truth; and to persuade the public that 'reality' is relative."
WikiLeaks Cited
While the U.S. intelligence community's election-hacking attribution doesn't cite the 4D strategy by name, it does note that Russian-led disinformation campaigns are not new. "The Russians have used similar tactics and techniques across Europe and Eurasia, for example, to influence public opinion there," the statement reads.
Thomas Rid, a professor in security studies at King's College London, says it's notable that the U.S. intelligence agency statement explicitly names WikiLeaks - calling it a tool of "Russian-directed efforts" against the United States - and adds that related Russian disinformation campaigns may be continuing.
"The U.S. intelligence community jointly [and] explicitly named WikiLeaks as an outlet of a Russian influence [operation]. They did not do so lightly," Rid says via Twitter. "Note that Wikileaks has no way of knowing individual files are doctored or not," he added. "Do not take hacked [and] leaked files at face value, on WikiLeaks or elsewhere."
2 - Assange may be unaware his site is used as such an outlet - this is good tradecraft, makes the op more credible. This is not the first time.
Next Step: Sanctions?
The intelligence community statement now leaves the White House in a difficult position: How should it respond?
One obvious approach would be to employ sanctions against individuals or organizations that the U.S. government suspects ordered or enabled the election-related hacking and leaks.
But Elizabeth Rosenberg, a former senior adviser to the U.S. Treasury who until 2013 helped develop and implement financial and energy sanctions, told The Wall Street Journal that imposing sanctions over the online attacks might be perceived as overkill.
"Imposing sanctions based on a hack alone is aggressive and disproportionate," she said. "It's a really aggressive response to a malicious cyber activity such as this one."