Last week’s release of a declassified U.S. intelligence community report assessing Russia’s alleged activities during the last American election was stripped of any juicy bits — or supposed juicy bits — like broken codes, intercepted phone calls, spies in Moscow, overheard conversations in bars etc. Like any intelligence report from any government, there’s a lot of “trust us” in it.
Leaving aside whether the influence campaign actually swayed the election, a question beyond the scope of this column and of its readers in the IT community, the Jan. 6, 2017 report from the Office of the Director of National Intelligence (DNI) does include some interesting statements, starting with this one: “The nature of cyberspace makes attribution of cyber operations difficult but not impossible. Every kind of cyber operation—malicious or not—leaves a trail.” Any cyber forensic investigator would agree with that.
The question is whether this report, which largely deals with Russian government intent in the election period (to favour Donald Trump) and capabilities (Russia has a lot of media tools), with the Dec. 29, 2016 report dealing directly with the hacking in 2015 and 2016, helps CISOs in the private sector see what’s going on.
Not yet.
This latest report makes some direct statements:
–“Russia’s intelligence services conducted cyber operations against targets associated with the 2016 U.S. presidential election, including targets associated with both major U.S. political parties.” The Dec. 29 report (the DHS/FBI Joint Analysis Report on what it called GRIZZLY STEPPE) named two Russian intelligence actors, “APT 28” and “APT 29”, which ran spear-phishing campaigns against an unnamed political party, presumably the Democrats.
That report said a summer 2015 phishing campaign, attributed to APT29, sent a malicious link to over 1,000 recipients, including multiple U.S. Government victims. At least one person clicked on the link, which delivered malware to the political party’s systems, established persistence, escalated privileges, enumerated Active Directory accounts, and exfiltrated email from several accounts through encrypted connections back to the attackers’ operational infrastructure.
A spring 2016 campaign against the same political party, attributed to APT28, “tricked recipients into changing their passwords through a fake webmail domain hosted on APT28 operational infrastructure. Using the harvested credentials, APT28 was able to gain access and steal content, likely leading to the exfiltration of information from multiple senior party members.”
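The fake-webmail lure described above is one of the few details in either report that a defender can turn into a check. The script below is an added example, not code from the DNI or DHS/FBI reports, and it does not reproduce any actual APT28 domain. It scans mail-gateway log lines for URLs whose host impersonates a legitimate webmail domain in three common ways: homoglyph substitution (a digit 1 for a letter l), a typosquat within two edits, and the real domain name embedded as a subdomain of an attacker-controlled domain. The organisation domain `example-party.org`, the log format, and every log line are constructed for the example; the registered-domain logic assumes a single-label public suffix (so it would misjudge `co.uk`-style domains) and is flagged as such in the code.

```python
"""Flag lookalikes of a known webmail domain in URLs found in mail logs.

Added example. The organisation domain, the log format and every log line
below are constructed; none are from the DNI or DHS/FBI reports.
"""
import re
from urllib.parse import urlsplit

LEGIT_ORG_DOMAIN = "example-party.org"          # hypothetical organisation domain
LURE_WORDS = ("password", "reset", "login", "signin", "verify")

# Character pairs attackers swap for visually similar ones; applied in order.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

URL_RE = re.compile(r'https?://[^\s"<>]+')


def normalize(label: str) -> str:
    """Lower-case a label and undo common homoglyph substitutions."""
    s = label.lower()
    for bad, good in HOMOGLYPHS:
        s = s.replace(bad, good)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typosquats such as transposed letters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Last two labels of the host. Assumes a one-label public suffix (not co.uk)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify_host(host: str):
    """Return a reason string if the host impersonates LEGIT_ORG_DOMAIN, else None."""
    host = host.lower().rstrip(".")
    # Anything under the real domain is under the organisation's control.
    if host == LEGIT_ORG_DOMAIN or host.endswith("." + LEGIT_ORG_DOMAIN):
        return None
    reg = registered_domain(host)
    legit_sld = LEGIT_ORG_DOMAIN.split(".")[0]
    if normalize(reg) == LEGIT_ORG_DOMAIN:
        return f"homoglyph of {LEGIT_ORG_DOMAIN} ({reg})"
    if edit_distance(normalize(reg.split(".")[0]), legit_sld) <= 2:
        return f"typosquat of {LEGIT_ORG_DOMAIN} ({reg})"
    if legit_sld in normalize(host):
        return f"{LEGIT_ORG_DOMAIN} name embedded in foreign domain {reg}"
    return None


def scan_log(lines):
    """Return one finding per suspicious URL; credential_lure marks password-themed paths."""
    findings = []
    for n, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            parts = urlsplit(url)
            host = parts.hostname or ""
            reason = classify_host(host)
            if reason:
                findings.append({
                    "line": n,
                    "host": host,
                    "reason": reason,
                    "credential_lure": any(w in parts.path.lower() for w in LURE_WORDS),
                })
    return findings


# Constructed mail-gateway log lines (not real traffic).
LOG_LINES = [
    'Mar 19 08:12:01 mx1 delivered to=user1 url=https://mail.example-party.org/owa/ subject="Weekly digest"',
    'Mar 19 09:40:13 mx1 delivered to=user2 url=https://mail.example-party.org.account-verify.net/reset subject="Someone has your password"',
    'Mar 19 09:41:55 mx1 delivered to=user3 url=http://mai1.examp1e-party.org/login subject="Change your password"',
    'Mar 19 10:02:30 mx1 delivered to=user4 url=https://mail.exampel-party.org/owa/ subject="Re: schedule"',
    'Mar 19 10:30:00 mx1 delivered to=user5 url=https://docs.example.com/shared subject="Budget"',
]

if __name__ == "__main__":
    for f in scan_log(LOG_LINES):
        print(f"line {f['line']}: {f['host']} -> {f['reason']} (credential lure: {f['credential_lure']})")
```

Run against the constructed lines it flags lines 2, 3 and 4 and leaves the genuine webmail host and the unrelated `example.com` link alone. In production the allowlist check should use a real public-suffix list, and a hit with `credential_lure` set is the one to route to the incident-response queue first, since that is the password-change lure the report describes.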
–Adding a little more colour, the Jan. 6 report says “Russian intelligence services collected against the U.S. primary campaigns, think tanks, and lobbying groups they viewed as likely to shape future U.S. policies. In July 2015, Russian intelligence gained access to Democratic National Committee (DNC) networks and maintained that access until at least June 2016.
The General Staff Main Intelligence Directorate (GRU) probably began cyber operations aimed at the U.S. election by March 2016. We assess that the GRU operations resulted in the compromise of the personal e-mail accounts of Democratic Party officials and political figures. By May, the GRU had exfiltrated large volumes of data from the DNC.”
–“We assess with high confidence that the GRU used the Guccifer 2.0 persona, DCLeaks.com, and WikiLeaks to release U.S. victim data obtained in cyber operations publicly and in exclusives to media outlets.
–“We assess with high confidence that the GRU relayed material it acquired from the DNC and senior Democratic officials to WikiLeaks.”
Which leaves some IT pros dangling. Arguably American institutions — particularly intelligence ones — have at times been politicized. It is not beyond the realm of possibility that the DNI and the heads of the FBI and CIA told the Obama administration what it wanted to hear. On the other hand the DNI, James Clapper, National Security Agency director Admiral Mike Rogers and Marcel Lettre, undersecretary of defense for intelligence went before Congress last week to testify that didn’t happen. Republicans had every opportunity to question them.
So I’ll give the final word to veteran IT security pro Bruce Schneier, currently CTO at Resilient Systems, who in a column for CNN agreed that while attribution is hard, that hasn’t stopped many vendors and commercial threat intelligence providers from doing it, including CrowdStrike, which was hired by the Democratic Party to do the original analysis of the attack. Nor, he pointed out, has it stopped the University of Toronto’s Citizen Lab, which routinely attributes attacks against the computers of activists and dissidents to particular governments.
In Schneier’s opinion “the constellation of evidence attributing the attacks against the DNC, and subsequent release of information, is comprehensive.”
In the end, though, he admits “attribution comes down to whom you believe.”