Escalation of Rhetoric
The New Year holidays and early congressional hearings of 2017 have brought us a steep escalation of the cyber conflict between the US and Russia, with the Obama administration now openly accusing Russia of interfering with the US election and imposing sanctions.
The reporting on this issue has been somewhat confusing, as few average consumers of news are able to evaluate the evidence brought forward, and many special interest actors are deliberately or accidentally spreading inaccurate summaries.
In this briefing, we will therefore do our best to summarize the recent developments.
1) Hacking to influence the election vs. Hacking the election itself.
As we covered in our final briefing of 2016, "hacking the election" can mean two very different things. The first interpretation is that an actor used cyber attacks and information leaks to influence public opinion. The second interpretation is that an actor directly hacked the voting machines or tallying systems to falsify the election results.
While suspicions about the second kind of attack abounded at the end of 2016 and several recounts were held, no credible evidence at this point suggests that the election results themselves were altered using a cyber attack. Accordingly, the focus has shifted to whether Russia was involved in altering public opinion through targeted leaks.
2) Reports on hacking.
On December 29th, the CIA and FBI jointly released a report outlining the findings supposedly linking Russia to the attacks against the DNC and other US targets. While the report has been described as "proof" by some media sources, it contains very little actual information and appears to be hastily written. The report includes:
- Several diagrams displaying common command-and-control (C&C) patterns supposedly used by Russian attackers
- A list of aliases supposedly used by Russian attackers
- A fingerprint for the PAS TOOL WEB KIT, an open source attack toolkit which is freely available and very commonly used
- General information on common hacking attacks and advice for companies to train their staff and develop a security policy
What is not included are times, dates, IPs or any other details on actual attacks.
The PAS TOOL WEB KIT is so commonly used around the world that a reader cannot verify its attribution to Russian government services from the fingerprint alone. Quite to the contrary, the claim that a state actor is using a publicly available toolkit instead of a more advanced custom-made one is surprising.
From an IT security perspective, the joint report itself contains no information that would indicate Russia was behind the attacks. While the private sector security companies tasked with investigating the breaches have published more detailed reports on when and how each attack took place, we still have not seen any information linking them to any state actor.
The report thus seems to mostly serve the defensive purpose we have pointed out repeatedly in the past: the anonymous nature of cyber attacks allows the victim to decide on a convenient party to blame for damage mitigation.
A further report was released on January 7th by the ODNI. It goes into greater detail to outline coordinated social media campaigns and orders publicly or allegedly given by Putin, and re-states claims that confidential information exists that proves Russian involvement in hacking attacks. As expected, however, no such information is published in the report itself. It is important to note that even publishing this kind of report in an unclassified format is highly unusual for the US intelligence services. The common mode of operation for most media outlets has been to accept intelligence service conclusions as-is.
Reflare are monitoring this trend closely. So far it is unclear whether a higher level of transparency and reporting will be applied to intelligence findings related to cyber security in the future.
It is likely that much more information on the attacks exists in a classified format within the US government and is thus not publicly available. Furthermore, additional information may be released or discovered in the future. This briefing in no way proposes to claim that Russia was not involved in the election-impacting attacks. Likewise, however, no proof that it was involved is publicly available at the moment.
Please be aware that our assessment merely covers cyber attacks and not whether or not Russia was involved in more traditional propaganda.
Our prediction from previous issues thus remains unchanged:
We assess it to be highly unlikely that the actor behind the US election attacks will ever be identified with a level of proof that would hold up in a court of law or international opinion.
We predict that attacks following the same pattern of gathering damaging information about an adversary and then leaking it will grow in number over the next 3-5 years, as the plausible deniability built into them makes them more attractive to threat actors than outright attacks against infrastructure for the time being.