by Gordon M. Hahn
It increasingly appears that we have an unraveling of the hasty view put forward by the waning Washington consensus in media, academia and pre-Trump government circles regarding the exceptionalism of Russian cyber warfare and its alleged hacking of the Democratic National Committee (DNC) and Hillary Clinton’s and John Podesta’s email servers. First, the U.S. intelligence reports on these alleged Russian hacking attacks are weak. Second, those attacks could just as easily have been undertaken by an entity or entities other than the Russian intelligence services or even Russians in general. There are several candidates for that role. Third, any Russian role may have been in response to U.S. intelligence’s hacking of Russian state bodies. Fourth, we can conclude that a U.S.-Russian cyberwar has broken out, necessitating negotiations and an agreement on limiting cyberwar means, which would play the palliative role in the U.S.-Russian competition of the 21st century that nuclear arms agreements played in the 20th century during the Cold War.
U.S. government sources have been unable to provide any convincing evidence to date that Russian intelligence carried out the APT 28 and 29 attacks, let alone that Russian President Vladimir Putin ordered them. Less than 3 full pages of the first 13-page joint DHS/FBI technical report on Russia’s alleged hacking of the DNC and Democrat leaders’ email servers deal with what the Russian intelligence services are supposed to have done in allegedly hacking U.S. government, political party, think tank, and university websites and email systems. No evidence is provided in those three pages to prove that the activity was undertaken or organized by the Russian intelligence services or that Putin ordered such cyber operations. The remaining 10 pages of the report deal with how U.S. entities can implement cyber defense against such hacking attacks (www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf). A later assessment from the office of Director of National Intelligence (DNI) James Clapper, “Background to ‘Assessing Russian Activities and Intentions in Recent US Elections’: The Analytic Process and Cyber Incident Attribution,” again included just three pages covering the hacking issues and merely declares various conclusions of assessments without any evidence whatsoever to support them. The rest of the report is a summary of Russian propaganda efforts, mostly those of Russia’s Russia Today (RT) television channel (www.dni.gov/files/documents/ICA_2017_01.pdf).
Numerous leading American cyber security practitioners and experts have concluded the U.S. intel reports were meaningless, including McAfee CEO John McAfee, Jeffrey Carr, and Robert Graham. McAfee told Russia’s RT the DHS-FBI technical report was “a fallacy” (www.rt.com/usa/372219-larry-king-mcafee-cybersecurity/). Carr assessed official Russian culpability this way: “There is only some proof that Russian-speaking hackers were involved in parts of these attacks. But there is no proof that a Russian intelligence service had any hand in it. That is a pure speculation” (http://www.rt.com/op-edge/373453-hacking-russia-eu-us-elections/). Robert Graham characterized the report as “full of garbage” (Robert Graham, “Dear Obama, from Infosec,” Errata Security, 3 January 2017, http://blog.erratasec.com/2017/01/dear-obama-from-infosec.html#.WItOqlUrKM8).
A Plethora of Potential Perpetrators
Second, those attacks could just as easily have been undertaken by entities other than the Russian intelligence services or even Russian citizens. As McAfee and all other cyber security experts explain, hackers can fake their location, their language, and any other indicators that might lead investigators to them. McAfee does not believe that Russians were behind the hacking of the DNC, Clinton’s emails and presidential campaign, or Podesta’s emails. He told RT, “if it looks like the Russians did it, then I can guarantee you it was not the Russians.” “If I was the Chinese and I wanted to make it look like the Russians did it, I would use Russian language within the code, I would use Russian techniques of breaking into the organization,” McAfee said, adding that, in the end, “there simply is no way to assign a source for any attack” (www.rt.com/usa/372219-larry-king-mcafee-cybersecurity/). Jeffrey Carr notes: “(T)he process of attributing an attack by a cybersecurity company has nothing to do with the scientific method. Claims of attribution aren’t testable or repeatable because the hypothesis is never proven right or wrong” (Jeffrey Carr, “Faith-based Attribution,” Jeffrey Carr/Medium, 10 July 2016, https://medium.com/@jeffreycarr/faith-based-attribution-30f4a658eabc#.74lbxqpds; see also https://medium.com/@jeffreycarr/the-dnc-breach-and-the-hijacking-of-common-sense-20e89dacfc2b#.rdvvjw8cy). Robert Graham explains that the DHS-FBI technical report’s designated indicators of compromise by the Russian government include “signatures of viruses that are publicly available, used by hackers around the world, not just Russia. It contains a long list of IP addresses from perfectly normal services, like Tor, Google, Dropbox, Yahoo, and so forth. Yes, hackers use Yahoo for phishing and maladvertising. It doesn’t mean every access of Yahoo is an ‘indicator of compromise'” (Graham, “Dear Obama, from Infosec,” http://blog.erratasec.com/2017/01/dear-obama-from-infosec.html#.WItOqlUrKM8). Even the New York Times has eventually concluded: “To date, American spy agencies have publicly provided little evidence for their conclusions about Russia’s role in the hacking efforts” (New York Times, 13 January 2017, http://www.nytimes.com/2017/01/12/us/politics/donald-trump-cia-nominee-mike-pompeo-russia.html).
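Graham’s objection is easy to reproduce on the defensive side. The script below is an added example, not code from the article or from the DHS/FBI report: it takes a constructed IOC feed, labels each indicator that falls inside shared infrastructure (here two made-up ranges standing in for Tor exits and a cloud-storage provider), and then grades matches in constructed proxy log lines so that a hit on a shared-service address is marked as needing corroboration rather than as a compromise. Every IP, range and log line is constructed; none is a real indicator.

```python
"""Triage an indicator-of-compromise (IOC) feed before alerting on it.

Added example (not code from the article or the DHS/FBI report). An IP-based
IOC list that contains addresses of shared services (Tor exits, cloud
storage, webmail) matches a great deal of ordinary traffic, so a raw match
must not be treated as evidence of compromise. All data below is constructed.
"""
import ipaddress
import re
from collections import Counter

# Constructed IOC feed of the kind a technical report might list.
IOC_FEED = [
    "198.51.100.7",    # constructed: dedicated, attacker-controlled style host
    "203.0.113.41",    # constructed: dedicated host
    "192.0.2.10",      # constructed: sits in the "cloud-storage" range below
    "192.0.2.200",     # constructed: sits in the "tor-exit" range below
]

# Constructed allowlist of shared infrastructure many unrelated users touch.
# In practice this is built from published Tor exit lists, cloud/CDN ranges
# and the organisation's own inventory of sanctioned SaaS providers.
SHARED_INFRASTRUCTURE = {
    "cloud-storage": ipaddress.ip_network("192.0.2.0/25"),
    "tor-exit": ipaddress.ip_network("192.0.2.128/25"),
}

# Constructed proxy log: "<timestamp> <client> -> <destination> <verb> <host>"
PROXY_LOG = """\
2016-12-29T10:01:02Z 10.0.0.15 -> 192.0.2.10 GET files.example-cloud.test
2016-12-29T10:01:09Z 10.0.0.22 -> 192.0.2.10 PUT files.example-cloud.test
2016-12-29T10:02:44Z 10.0.0.15 -> 198.51.100.7 POST update.check.test
2016-12-29T10:03:01Z 10.0.0.31 -> 192.0.2.200 CONNECT -
2016-12-29T10:05:17Z 10.0.0.22 -> 8.8.8.8 GET dns.google
"""

LOG_RE = re.compile(r"^(\S+) (\S+) -> (\S+) (\S+) (\S+)$")


def classify_ioc(ip_str):
    """Return the shared-service label an IOC falls in, or None if dedicated."""
    ip = ipaddress.ip_address(ip_str)
    for label, net in SHARED_INFRASTRUCTURE.items():
        if ip in net:
            return label
    return None


def triage_feed(feed):
    """Map each IOC to its shared-service label (or None) before it is used."""
    return {ip: classify_ioc(ip) for ip in feed}


def scan_log(log_text, feed):
    """Match log destinations against the feed and grade every hit.

    A hit on a dedicated indicator is graded 'high'. A hit on an indicator
    inside shared infrastructure is graded 'corroborate', because the
    address alone does not say whose traffic it is.
    """
    labels = triage_feed(feed)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines that do not parse
        ts, client, dst, _verb, _host = m.groups()
        if dst not in labels:
            continue                      # destination is not in the feed
        shared = labels[dst]
        hits.append({
            "time": ts,
            "client": client,
            "destination": dst,
            "grade": "corroborate" if shared else "high",
            "reason": f"IOC inside shared {shared} range" if shared else "dedicated IOC",
        })
    return hits


def summarise(hits):
    """Count hits per grade; the ratio shows how noisy the raw feed would be."""
    return dict(Counter(h["grade"] for h in hits))


if __name__ == "__main__":
    for ip, label in triage_feed(IOC_FEED).items():
        print(f"{ip:15} {'shared: ' + label if label else 'dedicated'}")
    hits = scan_log(PROXY_LOG, IOC_FEED)
    for hit in hits:
        print(hit)
    print(summarise(hits))
```

On the constructed log, three of the four matches land on shared-service addresses and only one on a dedicated indicator, which is the kind of ratio that makes an untriaged feed useless as evidence of anything.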
Cyber security expert James Scott notes: “Incident Response techniques and processes are not comprehensive or holistic enough to definitively attribute an incident to a specific threat actor from the multitude of script kiddies, hacktivists, lone-wolf threat actors, cyber-criminals, cyber-jihadists, hail-mary threats, and nation-state sponsored advanced persistent threats (APTs), who all possess the means, motive, and opportunity, to attack minimally secured, high profile targets. Organizations such as the DNC, RNC, Whitehall, and the German Bundestag have all been targeted in cyberattacks launched with the possible intention of influencing global politics. … It would be easy to baselessly declare that all of the attacks were launched by Russia based on the malware employed; however, other threat actors such as Anonymous, Comment Crew, Desert Falcon, etc. could easily emulate the tools, tactics, and procedures of a Russian nation-state APT attack” (http://icitech.org/its-the-russians-or-is-it-cold-war-rhetoric-in-the-digital-age/). A U.S. Defense Department Cyberspace Policy Report notes: “The often low cost of developing malicious code and the high number and variety of actors in cyberspace make the discovery and tracking of malicious cyber tools difficult” (United States Department of Defense Cyberspace Policy Report: A Report to Congress Pursuant to the National Defense Authorization Act for Fiscal Year 2011, Section 934, November 2011, p. 8, http://nsarchive.gwu.edu/NSAEBB/NSAEBB424/docs/Cyber-059.pdf).
Scott has described the stealthy, shadowy nature of cyber wars: “Malicious actors can easily position their breach to be attributed to Russia. It’s common knowledge among even script kiddies that all one needs to do is compromise a system geo-located in Russia (ideally in a government office) and use it as a beachhead for attack so that indicators of compromise lead back to Russia. For additional operational security, use publicly available whitepapers and reports to determine the tools, techniques, and procedures of a well-known nation-state sponsored advanced persistent threat (APT), access Deep Web forums such as Alphabay to acquire a malware variant or exploit kit utilized in prolific attacks, and then employ the malware in new campaigns that will inevitably be attributed to foreign intelligence operations. Want to add another layer? Compromise a Chinese system, leap-frog onto a hacked Russian machine, and then run the attack from China to Russia to any country on the globe. Want to increase geopolitical tensions, distract the global news cycle, or cause a subtle, but exploitable shift in national positions? Hack a machine in North Korea and use it to hack the aforementioned machine in China, before compromising the Russian system and launching global attacks. This process is so common and simple that it’s virtually ‘Script Kiddie 101’ among malicious cyber upstarts” (http://icitech.org/its-the-russians-or-is-it-cold-war-rhetoric-in-the-digital-age/).
In this context, one can hypothesize that any party with an interest in discrediting Russia could have masked its attack to make it appear to have been executed by Russians. Such interested parties would include: the Democratic party and/or the outgoing Obama administration, the Ukrainian Maidan regime, Ukrainian ultranationalists, China (seeking to make Russia even more dependent on the Sino-Russian strategic partnership), NATO, and many others. In terms of the Ukrainian hypothesis, Ukrainian intel and/or Ukrainian neofascists opposed to the more moderate Poroshenko could have deployed APTs 28 and 29 so that they appeared to be of Russian origin in order to facilitate the rise of radicals to power. The leaks would lead to pro-Maidan Clinton’s defeat, Trump’s election, the collapse of US support for Kiev, the delegitimization and destabilization of the Poroshenko-led version of the Maidan regime, and thus the rise of Ukrainian ultra-nationalists to power.
Russian Intel Busts
The alleged Russian hacking affair got significantly hotter and more complex when on January 25th Russian media sources began reporting on the hitherto unknown early December 2016 arrest of several Russian private and intelligence cyber operatives, some from the FSB, on charges of treason for giving information to U.S. intelligence. They included Chief of the Second Operational Administration (OU-2) of the FSB’s Information Security Center (TsIB) Sergei Mikhailov, OU-2 TsIB senior operations staffer Dmitrii Dokuchaev, Kaspersky Laboratories employee Ruslan Stoyanov, and another IT worker (http://tsargrad.tv/article/2017/01/25/zachistka-cib-fsb-borba-za-bigdata; http://www.novayagazeta.ru/articles/2017/01/26/71296-troyanskiy-kod?utm_source=push; and www.novayagazeta.ru/articles/2017/01/27/71314-mayor-forb-i-est-shaltay-boltay?utm_source=push). Later two more arrests were announced in the case.
Many saw the arrests as evidence that the Russians had ‘hacked the US presidential elections’, arguing that these cyber agents had leaked information to the CIA on the Russian hacking and were now being arrested for it. However, according to the Russian opposition newspaper Novaya gazeta, which has followed the hacking activity of some of those tied to the arrestees, both FSB operatives, Mikhailov and Dokuchaev, had ties to a Russian hacking group called ‘Shaltai-Boltai’, which broke into the email accounts of Russian Prime Minister Dmitrii Medvedev, Deputy Prime Minister Arkadii Dvorkovich, bureaucrats in the Russian presidential administration, the Defense Ministry and the Russian monitoring agency ‘RosKomNadzor’, and it was for this activity that they were arrested in December (www.novayagazeta.ru/articles/2017/01/27/71314-mayor-forb-i-est-shaltay-boltay?utm_source=push). The site that first broke the story of the arrests cited experts who claimed, less plausibly, that Shaltai-Boltai was backed by or tied to the CIA (http://tsargrad.tv/articles/zachistka-cib-fsb-borba-za-bigdata_45886).
However, another of Mikhailov’s past associates, payment processing company Chronopay’s founder Pavel Vrublyovskii, charged Mikhailov with fabricating a criminal case against him over his alleged ties to an alleged hacking of the voting systems in Arizona and Illinois several years ago, carried out through servers that King Servers, which the US blamed for the attack, had rented from a Dutch company controlled by Vrublyovskii. In September 2016 the Russian special services, apparently the FSB according to Novaya gazeta‘s sources, concluded that the information about King Servers’ and Vrublyovskii’s involvement in the attacks had been received by US law enforcement from Mikhailov (www.novayagazeta.ru/articles/2017/01/26/71296-troyanskiy-kod?utm_source=push). Mikhailov’s co-arrestee in December, Dokuchaev, was recruited by the TsIB FSB sometime before 2011 after becoming famous in Russian hacking circles for breaking “several serious sites, including American ones,” according to Novaya gazeta. In 2011, already an FSB lieutenant, he wrote the column “Break-In” (Vzlom) for the Russian journal Hacker (Khaker), where in 2005 he had written an article on how to hack websites. The FSB suspects that Mikhailov was in charge of Shaltai-Boltai, and that Dokuchaev was an indirect executor of its hacking ops (www.novayagazeta.ru/articles/2017/01/27/71314-mayor-forb-i-est-shaltay-boltay?utm_source=push).
Thus, two versions cannot be excluded: (1) that the December arrests have nothing to do with the alleged Russian hacking of the US presidential campaign or (2) that they have everything to do with it. In the former case, the arrests are for the previous hacking of Russian government persons and entities. In the latter case, it may be that Mikhailov and Dokuchaev, as recent outsiders to the FSB with shady pasts brought into the agency on an emergency recruiting basis to promote the FSB’s cyber warfare and cyber security capacities, are being thrown under the bus in order to cover the FSB’s tracks in the hacking attacks on the US. A third option would be related to a power struggle, which could stand alone or be part of one of the first two versions. In this subaltern version, the arrests of Mikhailov, Dokuchaev, and the others are part of a Russian inter-clan power struggle. This is suggested by the fact that the website on which the first report of the arrests appeared, Tsargrad (tsargrad.ru), was created by Russian metallurgy magnate and so-called ‘Orthodox oligarch’ Konstantin Malofeev. An active participant in Russia’s crypto-politics, Malofeev is a close associate of Andrei Ivashko, who is head of the FSB’s other cyber department, the Center for the Protection of Information and Special Communications (TsZISS). Its functions duplicate those of TsIB, creating competition and conflict between the two departments (www.novayagazeta.ru/articles/2017/01/26/71296-troyanskiy-kod?utm_source=push). That competition could very well be embedded in a larger power struggle between Malofeev and state officials and/or other oligarchs. Either way, it is quite clear that a Russo-American cyber war has been in progress for years, and the international community is becoming a playing field for this growing aspect of espionage, hybrid war, and strategic communications.
The Cyber Warfare Race
A U.S.-Russian cyber war has broken out, and Russia perhaps was not the initiator. But to Washington’s outrage regarding any Russian use of cyber attacks and interference in American domestic politics, one can legitimately retort: ‘Look who’s talking.’ As I noted previously, the U.S. has been interfering in Russian, post-Soviet and other countries’ politics for decades (https://gordonhahn.com/2016/12/27/russia-america-and-interference-in-domestic-politics-comparative-context/). Given revelations since 2013 of U.S. spying on Germany, one can assume the U.S. is actively and aggressively spying even on its NATO allies (www.bbc.com/news/world-europe-33106044 and http://www.nytimes.com/2015/07/02/world/europe/file-is-said-to-confirm-nsa-spied-on-merkel.html). Given U.S. and even German media’s silence on recent hearings’ revelations, readers likely will have forgotten about the massive U.S. spying effort against Berlin in which the NSA listened in on German Chancellor Angela Merkel’s smartphone and U.S. agents had infiltrated the German intelligence organs and Defense Ministry (http://www.dw.com/en/germanys-nsa-inquiry-committee-under-pressure/a-37572974). Therefore, any Russian role in the infamous hacks surrounding last year’s US presidential campaign may have been a response to U.S. intelligence’s hacking of Russian and other states’ government officials and bodies.
The use of cyber means to advance foreign policy goals is relatively new, but it is now well-entrenched and set to intensify and become more complex as the Internet of Things creates many new attack surfaces. Cyber warfare could be defined to include one or more of the following elements deployed against foreign states: cyber activity initiating violence, death or injury; cyber attacks on critical infrastructure; and use of cyber space to instigate social crises and revolution. In 2009-2010 the U.S. used the Stuxnet virus to attack both Iran’s and North Korea’s nuclear weapons programs (www.reuters.com/article/us-usa-northkorea-stuxnet-idUSKBN0OE2DM2015052910). U.S. government and U.S. government-funded NGOs regularly use, encourage and hail the use of social networks in promoting democracy and revolutions. Egypt 2010 and Ukraine 2013-14 are just the most recent examples.
The U.S. record of interference, spying and hacking of friends and foes alike is no excuse for Russian actions, but it is an explanation and likely one of several causes. Moreover, it is safe to assume that Russia has deployed cyber espionage and attacks far more robustly than is known. Russia is reported to have launched hacking attacks on Estonian government institutions in 2010 and to have used cyber methods during the 2008 Georgian war. In October 2011, the head of U.S. counter-intelligence told a congressional hearing that both Russian and Chinese cyber espionage was “a persistent threat to U.S. economic security” (www.scribd.com/document/80154379/SDA-Cyber-Security-The-Vexed-Question-of-Global-Rules).
The use of cyber espionage and warfare goes far beyond Russia and the U.S. In 2013, seven Iranian hackers tied to Tehran’s Revolutionary Guard Corps hit a small dam in Westchester County, New York; they were able to access the sluice gate but not to activate it. In April of 2016, it was discovered that hackers had broken into the Gundremmingen nuclear power plant in Germany. Non-state actors also deploy, and are subject to, cyber methods and attacks. The Brits hacked Al Qa`ida’s launch of its English-language journal Inspire in 2010. This cyber proliferation problem has a potential partial resolution, or at least partial redress: international and/or great power negotiations on a set of rules or an international treaty regarding cyber warfare.
Cyber Uncertainty and the Need for a Cyber Warfare Limitation Treaty
On January 27th, Russian law enforcement announced that it had opened a criminal investigation in connection with an alleged fall 2016 “massive hacking attack on SberBank, RosBank, Alfa Bank, the Moscow Stock Exchange and other Russian financial and commercial organizations.” According to Deputy FSB Chief Dmitrii Shalkov, there were more than 70 million attacks of various kinds on Russian information sources in 2016, with the majority undertaken from abroad (http://echo.msk.ru/news/1917462-echo.html). These supposed recent attacks on Russian financial institutions, as well as the much larger universe of attacks, could be part of the new cyber war, or they could be disinformation deployed as part of Russian strategic communications in the U.S.-Russian ‘new Cold War’. Again, the stealthy smoke-and-mirrors nature of cyber warfare makes it impossible to know.
The nature of cyber war makes any accusation impossible to prove. But one can imagine numerous scenarios in which cyber warfare leads to an international crisis, or an international crisis devolves into war because a complicating cyber attack drives the level of uncertainty to critical mass, prompting hasty decisions or immediate, escalating responses by leaders. Cyber terrorism is the paramount threat. The potential targets for such operations are numerous, and attacks on infrastructure – such as nuclear power plants, electrical grids, etc. – are fraught with catastrophic consequences. In US-Russian relations cyber warfare has already created an unprecedentedly high level of uncertainty and mistrust, a level that is likely to grow and spread throughout the international system. Already, the Americans, Russians, Chinese, and Israelis routinely carry out cyber operations against domestic opponents and external enemies. In short, the informational-technological revolution is making the present era in international (and even domestic) politics increasingly meta-stable, i.e., stable but easily destabilized.
This danger suggests a need to conclude an international cyber warfare treaty that would place certain targets and practices off limits. From 1998 to 2009 the US resisted repeated Russian attempts at the UN Committee on Disarmament and International Security (UN CDIS) to pursue a formalization of rules pertaining to cyber security. Russia significantly redrafted its 1998 draft resolution during Putin’s second presidential term. In October 2009, early in the U.S.-Russian ‘reset’, Washington decided not to oppose Russia’s draft UN General Assembly resolution to consider measures to ‘strengthen information security at the global level.’ This resulted in a July 2010 report by the UN Group of Governmental Experts (GGE), composed of cyber security specialists and diplomats from 15 countries, including both Russia and the US. The group reached agreement on a number of recommendations: the need to pursue further dialogue among states on norms for the use of information and communication technologies (ICTs); the consideration of measures to address implications of states’ possible use of ICTs in armed conflicts; and examination of new elaborations of common terms and definitions for purposes of discussion and legal development. In 2011 Moscow and Beijing, along with Tajikistan and Uzbekistan, submitted a draft United Nations General Assembly resolution on an International Code of Conduct for Information Security.
The draft code requires states operating in cyber space to comply with the UN Charter and “universally recognized norms governing international relations that enshrine, inter alia, respect for the sovereignty, territorial integrity and political independence of all States.” It also calls on states “not to use information and communications technologies, including networks, to carry out hostile activities or acts of aggression, pose threats to international peace and security or proliferate information weapons or related technologies” [see Louise Arimatsu, “A Treaty for Governing Cyber-Weapons: Potential Benefits and Practical Limitations,” in C. Czosseck, R. Ottis, K. Ziolkowski, editors, 2012 4th International Conference on Cyber Conflict (Tallinn: NATO CCD COE Publications, 2012), pp. 91-109, https://ccdcoe.org/publications/2012proceedings/2_3_Arimatsu_ATreatyForGoverningCyber-Weapons.pdf, at pp. 91-2]. Indonesia has submitted four such draft codes to the UN.
The recent U.S.-Russian hacking crisis demonstrates the need to build on these earlier efforts promptly, regardless of the great difficulties that will be met in developing a codifiable consensus on any rules of cyber espionage and warfare. The argument that instead of formal codification the problem should be left to the natural development of international customary law is flawed. Any code, agreement or treaty will give an impulse to customary law development, the emergence of bilateral or multilateral talks on cyber-weapons limitations agreements or treaties, and/or movement towards international bans on some particular types of cyber-weapons.
Given their international status and cyber capabilities, American-Sino-Russian leadership on this issue is vital if any meaningful and workable document or full-fledged treaty is to be adopted. The three great powers should establish a working group to develop crisis management procedures in the event of a major cyber attack on any nation to limit misperception and miscalculation — given the difficulties in determining the perpetrators of cyber attacks — and address potential consequences of an attack. In addition, the working group should be charged with developing a framework for drafting a relevant international agreement or treaty limiting cyber espionage and warfare.
Unfortunately, the prospects of great power leadership in fashioning a global cyber-weapons or cyber warfare agreement are not the brightest. Mutual distrust between the West, especially the U.S., on the one hand, and Russia and China, on the other, could very well confound efforts. Both Moscow’s and Beijing’s opposition to Western humanitarian intervention, real and perceived violations of countries’ state sovereignty, and color revolutionism could foil any codification. Although Moscow originally led the initiative towards codifying cyber conduct and warfare, it has balked at efforts to do the same driven by the West, in large part because of American revolutionism’s regime change policies, its resulting distrust of Western motives, and the specifics of Western-drafted conventions that it perceives as potentially facilitating Western violations of its state sovereignty. For example, Russia, like the U.S., is a member of the Council of Europe (COE), but it has not ratified or signed the COE’s Convention on Cybercrime (Budapest Convention), unlike the U.S., which ratified it in September 2006. The reason, according to cyber security law experts, is that Moscow considers the provision permitting “unilateral transborder access by law enforcement agencies to computers and data with the consent of the computer- or data-owner to be a violation of sovereignty” [Michael Vatis, ‘The Council of Europe Convention on Cybercrime,’ in Proceedings of a Workshop on Deterring Cyberattacks: Informing Strategies and Developing Options for U.S. Policy (National Academies Press, 2010), http://www.nap.edu/catalog.php?record_id=12997, pp. 207 and 218; and Arimatsu, “A Treaty for Governing Cyber-Weapons: Potential Benefits and Practical Limitations,” p. 95, fn 17].
For its part, the U.S. suspects that any Russian draft of, or proposed clauses for, such an agreement is motivated by a desire of Putin’s soft authoritarian regime to interfere in Russian citizens’ access to, or their communications on, the Internet. For example, one cyber warfare law expert writing in a NATO publication notes that Western concerns that “any concessions made on its part will assist in legitimizing State censorship and repressive domestic policies…are not without foundation.” Similarly, the Western “impression” is “that Russia’s broader concern is with how it can effectively maintain social control of the Internet in the face of both external and internal challenges” through “information security,” or control, as opposed to cyber security (“A Treaty for Governing Cyber-Weapons: Potential Benefits and Practical Limitations,” p. 95). The same view prevails regarding China (www.scribd.com/document/80154379/SDA-Cyber-Security-The-Vexed-Question-of-Global-Rules, pp. 55-56). Thus, the NATO-Russian security dilemma could ultimately confound any international or bilateral cyber accord. This raises the specter of further deployment of cyber espionage and warfare means, greater East-West military-political uncertainty, and cyber or virtual warfare leading to real warfare. Indeed, in 2011 the Pentagon developed a cyber-strategy stipulating that the U.S. can respond to a cyber-attack using proportional conventional military force (www.washingtonpost.com/national/list-of-cyber-weapons-developed-by-pentagon-to-streamline-computer-warfare/2011/05/31/AGSublFH_story.html?utm_term=.2d1f1627b0a3). Russia and China are likely to operate, if not institutionalize, a similar operational framework. This creates a hierarchy of potential conflict escalation, from cyber to conventional to nuclear warfare, that begins at a much lower threshold.
In an increasingly multipolar international order – what international relations theory often refers to as an anarchic system and regards as less stable and more fraught with potential military conflict – this is a worrisome development, the resolution of which requires great power leadership.
In the current tense atmosphere, some may regard a proposal that relies on U.S.-Russian cooperation on cyber security with skepticism. However, the U.S. Defense Department’s (DoD) own cyber strategy notes: “If and when U.S.-Russia military relations resume, as a part of broader interagency efforts DoD will seek to develop a military-to-military cyber dialogue with Russia to foster strategic stability in cyberspace” (www.defense.gov/Portals/1/features/2015/0415_cyber-strategy/Final_2015_DoD_CYBER_STRATEGY_for_web.pdf).
EXCERPTS FROM, AND SUMMARIES OF U.S. INTELLIGENCE REPORTS ON RUSSIAN HACKING OF U.S. PRESIDENTIAL CAMPAIGNS
THE DHS/FBI TECHNICAL REPORT:
Less than 3 full pages of the first 13-page joint DHS/FBI technical report on Russia’s alleged hacking of the DNC and Democrat leaders’ email servers deal with what the Russian intelligence services are supposed to have done in allegedly hacking U.S. government, political party, think tank, and university websites and email systems. No evidence is provided in those three pages to prove that the activity was undertaken or organized by the Russian intelligence services or that Putin ordered such cyber operations. The remaining 10 pages of the report deal with how U.S. entities can implement cyber defense against such hacking attacks (https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf).
The report is “the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). This document provides technical details regarding the tools and infrastructure used by the Russian civilian and military intelligence Services (RIS) to compromise and exploit networks and endpoints associated with the U.S. election, as well as a range of U.S. Government, political, and private sector entities…
“These cyber operations have included spearphishing campaigns targeting government organizations, critical infrastructure entities, think tanks, universities, political organizations, and corporations leading to the theft of information. In foreign countries, RIS actors conducted damaging and/or disruptive cyber-attacks, including attacks on critical infrastructure networks. In some cases, RIS actors masqueraded as third parties, hiding behind false online personas designed to cause the victim to misattribute the source of the attack. This JAR provides technical indicators related to many of these operations…
“RIS actors participated in the intrusion into a U.S. political party. The first actor group, known as Advanced Persistent Threat (APT) 29, entered into the party’s systems in summer 2015, while the second, known as APT28, entered in spring 2016. …
“Both groups have historically targeted government organizations, think tanks, universities, and corporations around the world. APT29 has been observed crafting targeted spearphishing campaigns leveraging web links to a malicious dropper; once executed, the code delivers Remote Access Tools (RATs) and evades detection using a range of techniques. APT28 is known for leveraging domains that closely mimic those of targeted organizations and tricking potential victims into entering legitimate credentials. APT28 actors relied heavily on shortened URLs in their spearphishing email campaigns. Once APT28 and APT29 have access to victims, both groups exfiltrate and analyze information to gain intelligence value. These groups use this information to craft highly targeted spearphishing campaigns. …
“In summer 2015, an APT29 spearphishing campaign directed emails containing a malicious link to over 1,000 recipients, including multiple U.S. Government victims. APT29 used legitimate domains, to include domains associated with U.S. organizations and educational institutions, to host malware and send spearphishing emails. In the course of that campaign, APT29 successfully compromised a U.S. political party. At least one targeted individual activated links to malware hosted on operational infrastructure of opened attachments containing malware. APT29 delivered malware to the political party’s systems, established persistence, escalated privileges, enumerated active directory accounts, and exfiltrated email from several accounts through encrypted connections back through operational infrastructure. In spring 2016, APT28 compromised the same political party, again via targeted spearphishing. This time, the spearphishing email tricked recipients into changing their passwords through a fake webmail domain hosted on APT28 operational infrastructure. Using the harvested credentials, APT28 was able to gain access and steal content, likely leading to the exfiltration of information from multiple senior party members. The U.S. Government assesses that information was leaked to the press and publicly disclosed. …
“Actors likely associated with RIS are continuing to engage in spearphishing campaigns, including one launched as recently as November 2016, just days after the U.S. election.”
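The JAR excerpt above describes three link-based lures: domains that closely mimic the target organisation, a fake webmail page used to harvest passwords, and shortened URLs. The following triage script is an added example written for this page, not code from the report or the article; it classifies every link in a message against an assumed organisation allowlist. The organisation domains, the shortener list and the sample email are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Assumed domains the organisation actually owns (constructed for this example).
ORG_DOMAINS = {"example.org", "mail.example.org"}
# Public URL shorteners; the JAR notes heavy use of shortened URLs in lures.
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample message in the style the JAR describes: a password-reset
# lure on a lookalike webmail host, a shortened link, and one genuine link.
SAMPLE_EMAIL = """Your mailbox password expires today. Reset it here:
https://webmail.example-org.com/reset
Archived notices: https://bit.ly/abc123
Password policy: https://mail.example.org/policy
"""

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host: str) -> str:
    """Last two labels of a hostname (adequate for .com/.org style TLDs)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def classify_url(url: str) -> str:
    """Return legitimate / shortener / lookalike / unknown for one link."""
    host = (urlparse(url).hostname or "").lower()
    reg = registrable(host)
    org_regs = {registrable(d) for d in ORG_DOMAINS}
    if reg in org_regs:          # any subdomain of a domain we own
        return "legitimate"
    if reg in SHORTENERS:        # destination hidden behind a shortener
        return "shortener"
    for org_reg in org_regs:
        org_label = org_reg.split(".")[0]
        # typosquat (examp1e.org) or the org name reused inside a domain we
        # do not own (example-org.com); short org names will over-match
        if edit_distance(reg, org_reg) <= 2 or org_label in reg:
            return "lookalike"
    return "unknown"

def scan_email(body: str) -> list:
    """Every link in the message paired with its verdict, in order of appearance."""
    return [(u, classify_url(u)) for u in URL_RE.findall(body)]
```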
US INTEL RUSSIAN HACKING ASSESSMENT
Excerpts from the US intelligence report on Russia’s alleged hacking of the 2016 presidential campaign (www.dni.gov/files/documents/ICA_2017_01.pdf):
“Russian efforts to influence the 2016 US presidential election represent the most recent expression of Moscow’s longstanding desire to undermine the US-led liberal democratic order…
Putin ordered an influence campaign in 2016 aimed at the US presidential election. Russia’s goals were to undermine public faith in the US democratic process, denigrate Secretary Clinton, and harm her electability and potential presidency. We further assess Putin and the Russian Government developed a clear preference for President-elect Trump…
- Russia’s intelligence services conducted cyber operations against targets associated with the 2016 US presidential election, including targets associated with both major US political parties.
- We assess with high confidence that Russian military intelligence (General Staff Main Intelligence Directorate or GRU) used the Guccifer 2.0 persona and DCLeaks.com to release US victim data obtained in cyber operations publicly and in exclusives to media outlets and relayed material to WikiLeaks.
- The Kremlin sought to advance its longstanding desire to undermine the US-led liberal democratic order.
The Kremlin’s campaign aimed at the US election featured disclosures of data obtained through Russian cyber operations; intrusions into US state and local electoral boards; and overt propaganda.
Russian intelligence services collected against the US primary campaigns, think tanks, and lobbying groups they viewed as likely to shape future US policies. In July 2015, Russian intelligence gained access to Democratic National Committee (DNC) networks and maintained that access until at least June 2016.
- The General Staff Main Intelligence Directorate (GRU) probably began cyber operations aimed at the US election by March 2016. We assess that the GRU operations resulted in the compromise of the personal e-mail accounts of Democratic Party officials and political figures. By May, the GRU had exfiltrated large volumes of data from the DNC.
Public Disclosures of Russian-Collected Data. We assess with high confidence that the GRU used the Guccifer 2.0 persona, DCLeaks.com, and WikiLeaks to release US victim data obtained in cyber operations publicly and in exclusives to media outlets.
- Guccifer 2.0, who claimed to be an independent Romanian hacker, made multiple contradictory statements and false claims about his likely Russian identity throughout the election. Press reporting suggests more than one person claiming to be Guccifer 2.0 interacted with journalists.
- Content that we assess was taken from e-mail accounts targeted by the GRU in March 2016 appeared on DCLeaks.com starting in June. We assess with high confidence that the GRU relayed material it acquired from the DNC and senior Democratic officials to WikiLeaks. Moscow most likely chose WikiLeaks because of its self-proclaimed reputation for authenticity. Disclosures through WikiLeaks did not contain any evident forgeries.”
“Russian Cyber Intrusions Into State and Local Electoral Boards. Russian intelligence accessed elements of multiple state or local electoral boards. Since early 2014, Russian intelligence has researched US electoral processes and related technology and equipment.
- DHS assesses that the types of systems we observed Russian actors targeting or compromising are not involved in vote tallying.”
About the Author – Gordon M. Hahn, Ph.D., is an analyst and Advisory Board member at Geostrategic Forecasting Corporation (Chicago, Ill.), http://www.geostrategicforecasting.com; member of the Executive Advisory Board at the American Institute of Geostrategy (AIGEO) (Los Angeles, Calif.), http://www.aigeo.org; a contributing expert for Russia Direct, russia-direct.org; a senior researcher at the Center for Terrorism and Intelligence Studies (CETIS), Akribis Group (San Jose, Calif.); and an analyst and consultant for Russia – Other Points of View (San Mateo, California), www.russiaotherpointsofview.com.
Dr. Hahn is the author of the forthcoming book from McFarland Publishers Ukraine Over the Edge: Russia, the West, and the “New Cold War”. Previously, he has authored three well-received books: The Caucasus Emirate Mujahedin: Global Jihadism in Russia’s North Caucasus and Beyond (McFarland Publishers, 2014), Russia’s Islamic Threat (Yale University Press, 2007), and Russia’s Revolution From Above: Reform, Transition and Revolution in the Fall of the Soviet Communist Regime, 1985-2000 (Transaction Publishers, 2002). He also has published numerous think tank reports, academic articles, analyses, and commentaries in both English and Russian language media.
Dr. Hahn also has taught at Boston, American, Stanford, San Jose State, and San Francisco State Universities and as a Fulbright Scholar at Saint Petersburg State University, Russia and has been a senior associate and visiting fellow at the Center for Strategic and International Studies, the Kennan Institute in Washington DC, and the Hoover Institution.