
Q&A on Alleged Russian Hacking of 2016 Election
Overuse of the term “hacking”, along with poor communication about what really happened during the 2016 Election has led to misinformation and confusion.
We are completely dependent on information provided by the U.S. Government and some private security firms who analyze these cases. If I say that there is “no evidence” something happened, that refers to information available to the public. The U.S. Government probably knows more than they have released, but until they share more with the public there isn’t a whole lot of proof.
Did Russia hack voting machines and change the vote count?
No. There is nothing to suggest the voting process was tampered with.
Who was attacked?
The Democratic National Committee and the Clinton Campaign.
The FBI warned the DNC of a potential ongoing breach of their network in November of 2015. But the first hard evidence of an attack detected by a non-government agency was a spear-phishing campaign being tracked by Dell SecureWorks. That campaign began to target the DNC, the Clinton campaign, and others in the middle of March 2016, and it ran through mid-April.
Sean Gallagher, Ars Technica
What was the nature of the attacks?
Phishing. The attackers sent emails to targets within the DNC and Clinton Campaign that were used either to steal login credentials and other personal information or to deliver malware to the users’ computers.
John Podesta was one such victim within the Clinton Campaign, and I have written at length about how his situation unfolded.
In addition to targeting the DNC and the Clinton campaign’s Google Apps accounts, the spear-phishing messages connected to the campaign discovered by SecureWorks also went after a number of personal Gmail accounts. It was later discovered that the campaign had compromised the Gmail accounts of Clinton campaign chair John Podesta, former Secretary of State Colin Powell, and a number of other individuals connected to the Clinton campaign and the White House.
Sean Gallagher, Ars Technica
Phishing isn’t really “hacking” in the way that most of the public thinks. Some hacks occur without any human victim being directly involved, but phishing is not like that. Phishing is social engineering first and foremost. Users are tricked into clicking a link or volunteering personal information in a way that helps an attacker access their computer or network.
This kind of attack should not work against government organizations, since they are the sort of people who should be well trained and on high alert for potential intrusions. The fact that these attacks happened so broadly and affected so many different individuals is troubling and serves as a wake-up call to the world.
How is Russia connected to the attacks?
Private security firms in the U.S. have traced the phishing attacks to APT28 (Fancy Bear) and APT29 (Cozy Bear). These are both hacking groups based in Russia. These organizations were already known for phishing attacks against governments, NGOs, and military targets.
COZY BEAR (also referred to in some industry reports as CozyDuke or APT 29) is the adversary group that last year successfully infiltrated the unclassified networks of the White House, State Department, and US Joint Chiefs of Staff. In addition to the US government, they have targeted organizations across the Defense, Energy, Extractive, Financial, Insurance, Legal, Manufacturing, Media, Think Tanks, Pharmaceutical, Research and Technology industries, along with Universities… COZY BEAR’s preferred intrusion method is a broadly targeted spearphish campaign that typically includes web links to a malicious dropper.
FANCY BEAR (also known as Sofacy or APT 28) is a separate Russian-based threat actor, which has been active since the mid-2000s, and has been responsible for targeted intrusion campaigns against the Aerospace, Defense, Energy, Government and Media sectors… Extensive targeting of defense ministries and other military victims has been observed, the profile of which closely mirrors the strategic interests of the Russian government, and may indicate affiliation with Главное Разведывательное Управление (Main Intelligence Department) or GRU, Russia’s premier military intelligence service.
Dmitri Alperovitch, CrowdStrike
Is there proof that the Russian Government coordinated or ordered the attacks?
No. It is clear that the attacks originated in Russia and were carried out by Russian actors. What is not clear is whether, or how, the Russian Government’s intelligence services are involved. CrowdStrike’s statements use phrases like “may indicate affiliation” and other conjecture that, while perhaps likely, has not been verified. There are no publicly available documents or testimony offering the smoking gun that the Russian Government carried out the attacks.
The conclusion that the Russian Government is behind the attacks is a reasonable one, but also built heavily on circumstantial evidence with plenty of reasonable doubt and alternate explanations.
What Justification Did the U.S. Have for Sanctions Against Russia?
I sincerely hope that the Obama Administration knows more than it was willing to include in the FBI-DHS JAR report, which it released when announcing sanctions against Russia. That report contains nothing approaching proof of the Russian Government’s involvement.
Sadly, the JAR, as the Joint Analysis Report is called, does little to end the debate. Instead of providing smoking guns that the Russian government was behind specific hacks, it largely restates previous private-sector claims without providing any support for their validity. Even worse, it provides an effective bait and switch by promising newly declassified intelligence into Russian hackers’ “tradecraft and techniques” and instead delivering generic methods carried out by just about all state-sponsored hacking groups.
Dan Goodin, Ars Technica
The sanctions were either purely a political stunt or were based on information the public is not aware of. Either way, it is a troubling lack of transparency when accusing another world power of serious crimes.
Outlook
“Hacking” is a really problematic phrase and is used all the time in the mainstream media. The 2016 Election was not “hacked”. The most accurate statement to sum up what happened would be something to the effect of:
“The DNC and Clinton Campaign fell victim to a series of social engineering attacks in which they unintentionally gave foreign actors access to their internal systems. Using that access, the attackers leaked DNC and Clinton campaign emails and documents, which hurt the public standing of the DNC and Hillary Clinton. The attacks originated in Russia and were carried out by known hacking groups; however, there is currently no definitive proof tying a foreign government to the attacks.”
Until new evidence is brought forward which can be independently analyzed, we can’t say anything more than that.
The takeaway for organizations in the U.S. should be a focus on preventing phishing attacks. There are millions of phishing attacks each year, and these kinds of social engineering tricks are the primary method used to gain access to private information and networks. Protecting your business begins with educating your employees about phishing and supporting them with IT staff who will handle potential threats properly.
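A defender-side illustration of the lure described above, added here as an example (it is not code from the original post or from any firm cited): it parses a constructed HTML email body and flags links whose displayed address differs from the real target, Google-branded hosts outside an assumed allowlist, and punycode hostnames.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist of hosts where a Google sign-in link is legitimate (constructed for this example).
TRUSTED_LOGIN_HOSTS = {"accounts.google.com", "mail.google.com", "myaccount.google.com"}
# Constructed sample body in the style of a credential-phishing lure; not a real message.
SAMPLE_HTML = """<p>Someone has your password. Review activity:</p>
<a href="http://accounts-google.com.example.net/signin">https://accounts.google.com/</a>
<a href="https://myaccount.google.com/security">Security checkup</a>"""


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased hostname of a URL; bare 'example.com' strings are accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def phishing_indicators(html):
    """Return (reason, href) pairs for links a mail gateway or analyst should flag."""
    parser = _LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = _host(href)
        # Visible text that looks like a URL but resolves to a different host is the classic lure.
        if re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text.lower()) and _host(text) != host:
            findings.append(("displayed URL differs from real target", href))
        # Google branding in the hostname outside the allowlist (e.g. accounts-google.com.*).
        if "google" in host and host not in TRUSTED_LOGIN_HOSTS:
            findings.append(("google-branded host outside allowlist", href))
        if "xn--" in host:  # IDN/punycode lookalike domain
            findings.append(("punycode hostname", href))
    return findings
```

Running `phishing_indicators(SAMPLE_HTML)` flags only the first link, for two reasons; the genuine myaccount.google.com link produces no finding.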