Monday, February 13, 2017

Election Intruders: Lessons learned from the 2016 U.S. Elections

(Photo: Giuseppe Cacace, AFP)

The U.S. intelligence community concluded in a recent report that the intrusion into DNC and Clinton campaign servers, and the subsequent exfiltration and publication of their emails, was a Russian attempt to influence the election in favor of now-President Trump. The report caps the coverage of Russian hacking in the U.S. election that has dominated global news headlines for the past few months.
Looking ahead to 2017, however, we can expect further coverage of such incidents, as Russian-associated hacking groups like Fancy Bear and Cozy Bear will likely continue their efforts to interfere with and affect the outcomes of the upcoming European elections. The elections most at risk are the Czech, French, German, and Dutch ones. All four offer a chance either to sow confusion within the internal politics of a major European democracy or to elect a leader from a far-right party that is critical of Euro-Atlantic relations and sympathetic to Russia. The Agence nationale de la sécurité des systèmes d'information (ANSSI), the national cybersecurity agency of France, is already indicating that the groups active in the U.S. presidential election are also active in France. ANSSI's director general, Guillaume Poupard, has said that ANSSI is fully mobilized to fight any network intrusions or "sabotage threats" that might target "French interests".[1] German MPs have likewise indicated that the German election is at risk from outside manipulation.
Bearing in mind the opportunity that these elections offer to Russia's subversive actors, pro-EU, liberal political organizations should take steps to secure themselves against intrusion and exploitation. While Fancy Bear and its associate Cozy Bear, a hacking group likely backed by the Russian FSB, may well reuse the tactics seen in the U.S. election, parties should be ready to defend against the entire array of techniques that typify Russian attacks.
APT28, more colloquially known as Fancy Bear and often associated with the Russian military intelligence agency GRU, was likely formed in 2007 and has been linked to major hacking incidents since 2014. Fancy Bear is considered the probable culprit behind the months-long intrusion into the Bundestag network uncovered in 2015, and behind later spearphishing campaigns, reported in 2016, against Sahra Wagenknecht, the Junge Union, and the CDU of Saarland. From 2014 to 2016, Fancy Bear is believed to have used Android malware to enable the tracking and elimination of the Ukrainian Armed Forces' D-30 howitzers and other artillery. Most recently, in spring 2016, Fancy Bear launched a targeted spearphishing campaign against the DNC.
While not a particularly complex tactic, targeted spearphishing was responsible for some of the largest data breaches disclosed in 2015, including those at Anthem and the U.S. Office of Personnel Management. The attack targets user psychology more than a software vulnerability, exploiting trust, fear, or laziness. DNC staff, trusting a convincing email, handed over their credentials without realizing that they were compromising their systems.
Fancy Bear employs far more than fraudulent email, however; its toolbox includes a variety of reconnaissance and surveillance capabilities. Its implants can log keystrokes and collect Office and PGP documents. Some of its operations have focused on bypassing air gaps (a security measure in which critical systems are isolated from the broader organizational network) and closed networks by relaying data through local networks and USB drives. Fancy Bear tends to install backdoors and has used victims' mail servers as a path into the targeted network.
It is an unfortunate fact that our democratic elections are now complicated by the threat of intrusion, and politicians need to do more than install private servers and firewalls. For European parties, this election season should be marked by a high degree of operational security. If they choose to ignore the lessons of the American election, the European elections will be marked by information disclosures and leaks from mysterious web sources. These leaks will contain information about pro-EU politicians and parties that might be considered 'compromising'. They will be published at key moments, during a surge in the polls or just before voting, when they can create the greatest change in public opinion and shift votes.
Unfortunately, the best advice may simply be to assume that the network has already been compromised. Hacking groups often penetrate and lurk on networks long before they exploit their access, waiting and gathering intelligence. Party members should be careful about what information is shared on internal servers and should be suspicious of unexpected emails, even those that appear genuine: check that the sending address, not just the display name, is the one you expect, and that a link actually points where its text says it does. Organizations should live the concept of 'least privilege', allocating network access according to job responsibilities. Most of all, party leaders and staffers should be careful when sending emails, even within the organization. A good rule of thumb: don't send the email if you wouldn't feel comfortable seeing it published in a newspaper. This election season, it just might be.
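A concrete form of the advice above, and of the earlier description of credential spearphishing, added here as an example (this is not code from the post, from GLOBSEC, or from any of the groups discussed): a small Python triage script that runs the checks a party's IT staff could automate on an inbound message. It reads the Authentication-Results header for SPF/DKIM/DMARC failures, compares the sender domain against an allowlist for one-character lookalikes, flags display names that advertise a different address than the real sender, and flags HTML links whose visible URL hides a different host. The sample message, the TRUSTED_DOMAINS allowlist and the lookalike heuristics are assumptions for illustration.

```python
"""Triage checks for a suspected spearphishing e-mail.

Added example for this post; it is not GLOBSEC's code or any group's tooling.
The sample message, the TRUSTED_DOMAINS allowlist and the choice of checks are
assumptions about what a party's IT staff might automate on inbound mail.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the organization really sends from (assumed for the example).
TRUSTED_DOMAINS = {"example-party.eu"}

# Constructed sample, not a real message: the display name shows the trusted
# address, the actual sender is a lookalike domain (digit 1 for letter l),
# SPF failed, there is no DKIM signature, and the link text hides another host.
SAMPLE_EMAIL = """\
Authentication-Results: mx.example-party.eu; spf=fail smtp.mailfrom=it@examp1e-party.eu; dkim=none
From: "it@example-party.eu" <it@examp1e-party.eu>
To: staffer@example-party.eu
Subject: Urgent: password reset required
Content-Type: text/html

<p>Someone has your password. Reset it now:</p>
<a href="http://login-reset.example.net/x">https://mail.example-party.eu/reset</a>
"""


def auth_results(msg):
    """Map mechanism -> verdict from Authentication-Results, e.g. {'spf': 'fail'}."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            results[mech.lower()] = verdict.lower()
    return results


def edit_distance(a, b):
    """Levenshtein distance; used to catch one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, trusted):
    """True if domain is not trusted but is a near miss of a trusted domain."""
    if domain in trusted:
        return False
    # Fold the usual digit/letter substitutions before comparing.
    folded = domain.replace("1", "l").replace("0", "o").replace("rn", "m")
    return any(t == folded or edit_distance(domain, t) <= 1 for t in trusted)


def mismatched_links(html):
    """Return (shown_host, real_host) for links whose visible URL hides another host."""
    pairs = []
    for href, text in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        shown, real = urlparse(text.strip()).hostname, urlparse(href).hostname
        if shown and real and shown != real:
            pairs.append((shown, real))
    return pairs


def triage(raw):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    msg = message_from_string(raw)
    findings = []
    auth = auth_results(msg)
    for mech in ("spf", "dkim", "dmarc"):
        if auth.get(mech) in ("fail", "softfail", "none", "permerror", "temperror"):
            findings.append(f"{mech}={auth[mech]}")
    name, addr = parseaddr(msg.get("From", ""))
    sender = addr.rpartition("@")[2].lower()
    if is_lookalike(sender, TRUSTED_DOMAINS):
        findings.append(f"lookalike sender domain {sender}")
    # An address written into the display name that differs from the real sender.
    claimed = {d.lower() for d in re.findall(r"@([\w.-]+)", name)}
    if claimed and sender not in claimed:
        findings.append(f"display name claims {sorted(claimed)} but sender is {sender}")
    body = msg.get_payload(decode=True).decode(errors="replace")  # sample is single-part
    for shown, real in mismatched_links(body):
        findings.append(f"link shows {shown} but points to {real}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL):
        print("FLAG:", finding)
```

Run against the constructed sample, the script flags all four problems (SPF failure, missing DKIM, lookalike sender, hidden link target) plus the display-name mismatch; a message from the real domain with passing SPF/DKIM and honest links produces no findings. The point for a party's IT staff is that none of these checks need the recipient to judge whether the email "looks genuine": they are mechanical, and they catch exactly the credential-phishing pattern that succeeded against the DNC.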

Philip Chertoff

Project Coordinator
GLOBSEC Policy Institute

