(Photo: Giuseppe Cacace, AFP)
The U.S. intelligence community concluded in a recent report
that the intrusion into DNC and Clinton campaign servers, and subsequent
exfiltration and publication of their emails, was a Russian attempt to influence the election
in favor of now-President Trump. The account bookends the coverage of Russian
hacking in the U.S. elections which has dominated global news headlines for the
past few months.
Looking ahead to 2017, however, we can expect to see further
coverage on such incidents, as Russian-associated hacking groups like Fancy
Bear and Cozy Bear will likely continue their efforts to interfere and affect
outcomes of the upcoming European elections. The elections most at risk of
hacking are the Czech, French, German, and Dutch elections. All four offer a
chance either to sow confusion within the internal politics of a major European
democracy or to elect a leader from a far-right party critical of Euro-Atlantic
relations and sympathetic to Russia. The Agence Nationale de la Sécurité des
Systèmes d'Information (ANSSI), the national cybersecurity agency of France, is
already indicating that the groups active in the U.S. presidential election are
active in France. ANSSI Chief Guillaume Poupard said that ANSSI is fully
mobilized to fight any network intrusions or "sabotage threats" which might seek
to target "French interests".[1]
German MPs have also indicated that the German election is at risk from outside
manipulation.
Bearing in mind the opportunity that the elections offer to
Russia's subversive actors, pro-EU, liberal political organizations should take
steps to secure themselves against intrusion and exploitation. While Fancy Bear
and its associate Cozy Bear, a hacking group likely backed by the Russian FSB,
may well leverage tactics similar to those used in the U.S. election, parties
should be ready to defend against the entire array of techniques which typify
Russian attacks.
APT28, more colloquially known as Fancy Bear and often
associated with the Russian military intelligence agency GRU, was likely formed
in 2007 and has been linked to major hacking incidents since 2014. Fancy Bear
is considered the probable culprit behind the six-month cyber-attack against
the Bundestag in December 2014, which leveraged targeted spearphishing tactics
against Sahra Wagenknecht, Junge Union, and the CDU of Saarland. From 2014 to
2016, Fancy Bear is believed to have used Android malware to enable the
tracking and elimination of the Ukrainian Armed Forces' D-30 howitzers and
other artillery. Most recently, in spring 2016, Fancy Bear launched a targeted
spearphishing campaign against the DNC.
While not a particularly complex tactic, targeted
spearphishing was responsible for some of the largest data breaches of 2015,
including the breach of Anthem healthcare and the U.S. Office of Personnel
Management. This attack targets user psychology more than a software
vulnerability, exploiting user trust, fear, or laziness. DNC staff, trusting a
convincing email, offered up their security credentials without realizing that
they were compromising their systems.
Fancy Bear employs far more than just fraudulent emailing,
however, and its toolbox includes a variety of reconnaissance and
surveillance capabilities. Fancy Bear deploys malware which can log
keystrokes and collect Office and PGP documents. Some of its hacks have
focused on bypassing air gaps (a security measure where critical systems are
isolated from the broader organizational network) and closed networks by
routing messages through local networks and USB drives. Fancy Bear tends to
install backdoors and leverages the victim's mail server to gain access to
the targeted network.
It is an unfortunate fact that our democratic elections are
now complicated by the threat of intrusion—and politicians need to do more than
install private servers and firewalls. For European parties, this election
season should be marked by a high degree of operational security. If they
choose to ignore the lessons of the American elections, the European elections
will be marked by information disclosures and leaks from mysterious web
sources. These leaks will contain information about pro-EU politicians and
parties which might be considered 'compromising'. They will be published at key
moments, during a surge in the polls or before voting, when they can create the
greatest change in public opinion and shift votes.
Unfortunately, the best advice to users may just be to
assume that their network has already been compromised. Quite often, hacking
groups penetrate and lurk on networks long before they begin to exploit their
access, waiting and gathering intelligence. Party members should be careful
about the information shared on internal servers and should be suspicious of
unexpected emails, even those that appear genuine. Organizations should live
the concept of 'least privilege', allocating network access based on the
necessity of job responsibilities. Most of all, party leaders and staffers
should be careful when sending emails, even within the organization. A good
rule of thumb—don't send the email if you wouldn't feel comfortable with it
getting published in a newspaper. This election season, it just might.
Philip Chertoff
Project Coordinator
GLOBSEC Policy Institute
[1] https://www.bloomberg.com/news/articles/2016-12-23/france-faces-cyber-attacks-by-groups-that-attacked-u-s-campaign?utm_content=bufferc78f9&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer