The cyber attacks on Democratic National Committee (DNC) computers and the leak of more than 19,000 pilfered committee e-mails—just before the party’s national convention this week—have created improbable twists in an election that already seemed stranger than fiction. But one thing that stands out is the unusual level of confidence with which investigators pinned the blame on Russian intelligence agencies. If true, this would amount to another country trying to tilt the outcome of a U.S. presidential election through successful digital sabotage—and it might provide a glimpse of what to expect in the near future.
Pinpointing a hacker is a notoriously frustrating process complicated by the use of spoofed Internet addresses, proxy servers that route network data around the world to disguise its point of origin, and malicious software (malware) written to cover the attacker’s tracks. Two months after the DNC hired CrowdStrike Services to investigate the hack, the cybersecurity firm publicly identified the infiltrators in a June 15 blog post as two separate groups “closely linked to the Russian government’s powerful and highly capable intelligence services.” CrowdStrike indicated that one of the alleged attackers—code-named “Cozy Bear”—had likewise last year infiltrated the unclassified networks of the White House, Department of State and Joint Chiefs of Staff as well as other organizations worldwide. A second alleged attacker—known as “Fancy Bear”—has been striking defense ministries and military sites since the mid-2000s, according to CrowdStrike.
PICKING UP THE DIGITAL TRAIL
Cybersecurity researchers say they can make certain assumptions about an attack based on the sophistication of the tools involved, the techniques, the type of data stolen and where it was sent. For example, CrowdStrike says it identified a modus operandi for Cozy Bear that included using so-called “spear phishing” e-mails to insert malware into victims’ computers, then checking those computers for security software and standing down if the security software proved too formidable. The cybersecurity firm linked Fancy Bear to intrusions into systems of the German Bundestag and France’s TV5 Monde TV station in April 2015.
E-mail systems such as the DNC’s are relatively soft targets because they must be easy to use and manage, which means they typically do not feature the strongest security possible. “There are hardly any e-mail systems that haven’t been successfully hacked,” says Scott Borg, director and chief economist for The U.S. Cyber Consequences Unit, an independent, nonprofit cybersecurity research institute. “Almost any system that Russian intelligence has had an interest in, they’ve been able to get into. Expecting an e-mail system that a lot of people need to use easily, quickly and casually will have [National Security Agency]-levels of security is quite unrealistic.” Rival cybersecurity firms Fidelis Cybersecurity and Mandiant, part of FireEye, Inc., agreed with CrowdStrike’s conclusions after making their own investigations.
CrowdStrike says the DNC intruders went to great lengths to avoid detection by using encrypted files as well as modifying their methods and attack software. “Hackers can obfuscate their work to some degree but it is very difficult to conceal the skill level and resources involved in the DNC attack,” Borg says.
Although CrowdStrike provided details about how it came to tie the DNC attacks to Russian intelligence, cyber forensic examiners are often reluctant to explain conclusions because they do not want to reveal how they gather intelligence, says Morgan Marquis-Boire, a senior researcher at the University of Toronto’s Citizen Lab and former member of Google’s security team. Hackers can use such information to adjust their approach for the next attacks. When cyber criminals late last year shut off power to 80,000 Ukrainians and infiltrated computers at the country’s largest airport, some Ukrainian officials were quick to point the finger at the Kremlin due to their ongoing tensions and because the attacks apparently came from computers in Russia. Other officials, however, cautioned that Internet addresses can be spoofed and that, even though investigators recovered some of the “BlackEnergy” malware used to carry out the attack, they were unable to figure out exactly who wrote it.
In the DNC hack “the best way to mitigate damage is to provide a clear U.S. intelligence assessment as to whether there is Russian involvement and the degree of confidence,” Susan Hennessey, managing editor of Brookings Institute’s Lawfare blog and general counsel of the think tank’s Lawfare Institute, wrote on Monday. Borg agrees, saying federal agencies involved in responding to the cyber attack—including the FBI, State Department and White House—must make sure the American public is not manipulated to focus more on the contents of the leaked e-mails than on who stole them. In terms of recourse, “the United States needs to boldly, clearly and unambiguously declare that we won’t put up with this,” he says. The primary concern in the U.S. should be that a “foreign power has intervened in a national election in a way that’s beyond anything that we’ve ever had before in American history.”
“I’d like to think that this will influence the cyber security that political campaigns use moving forward,” Marquis-Boire says. One option might be for the federal government to provide candidates’ information technology systems with cyber security, just as the Secret Service provides them with physical security. The challenge, Marquis-Boire points out, is that campaigns are typically in a state of flux, often relying on grassroots efforts and temporary bases that are set up quickly in different locations.
The DNC hack demonstrates that despite these challenges, both parties will have to make cybersecurity a priority in the coming months. As CrowdStrike co-founder Dmitri Alperovitch warned in his June 15 blog, “Attacks against electoral candidates and the parties they represent are likely to continue up until the election in November.”