Widespread accusations towards the Russian government services and the apparent lack of a “smoking gun” after the 2016 US election raises the question of whether the United States brought on a second post-hack crisis of their own creation.
First Published 12th January 2017 | Latest Refresh 8th May 2021
The accused - Mother Russia.
4 min read | Reflare Research Team
The New Year holidays and early congressional hearings of 2017 brought a steep escalation of the cyber conflict between the US and Russia, with the then outgoing Obama administration openly accusing Russia of interfering with the US election and imposing sanctions. The reporting on this issue was somewhat confusing as the average consumer of news at the time was unable to credibly evaluate the evidence presented. To confuse matters further, many special interest actors were deliberately or accidentally spreading inaccurate summaries.
Using this topic as an example, we will use this research report do our best to summarize the dynamics and developments that lead to an increase in associated risks that can enduce a post-hack crisis.
As we covered way back in our final research briefing of 2016, "hacking an election" can mean two very different things. The first interpretation is that an actor used cyber-attacks and information leaks to influence public opinion. The second interpretation is that an actor directly hacked the voting machines or tallying systems to falsify the election results.
While suspicions about the second kind of attack abounded at the end of 2016 and several recounts were held, no credible evidence at this point suggests that the election results themselves were altered using a cyber-attack. Accordingly, the focus has shifted to whether Russia was involved in altering public opinion through targeted leaks.
On December 29th 2016, the CIA and FBI jointly released a report outlining the findings supposedly liking Russia to the attacks against the DNC and other US targets. While the report has been described as "proof" by some media sources, it contains very little actual information and appears to be hastily written. It includes:
- Several diagrams displaying common C&C patterns supposedly used by Russian attackers
- A list of aliases supposedly used by Russian attackers
- A fingerprint for the *PAS TOOL WEB KIT, an open source attack toolkit which is freely available and very commonly used
- General information on common hacking attacks and advice for companies to train their staff and develop a security policy
What was not included are times, dates, Ips or any other details on actual attacks.
*The PAS TOOL WEB KIT is so commonly used around the world that a reader cannot follow the attribution of it to Russian government services. Quite to the contrary; the claim that a state actor is using a publicly available toolkit instead of a more advanced custom-made one is surprising.
From an IT security perspective, the joint report itself contains no information that would indicate Russia was behind the attacks. While the private sector security companies tasked with investigating the breaches have published more detailed reports on when and how each attack took place, we still have not seen any information linking them to any state actor. The CIA and FBI joint report seems to mostly serve the defensive purpose we have pointed out repeatedly in the past; the anonymous nature of cyber-attacks allows the victim to decide on a convenient party to blame for damage mitigation.
A further report was released on 7th of January 2017 by the ODNI. It goes into greater detail to outline coordinated social media campaigns, orders publicly or allegedly given by Putin and re-states claims that confidential information exists that proves Russian involvement in hacking attacks.
As expected, however, no such information is published in the report itself. It is important to note that even publishing this kind of report in an unclassified format is highly unusual for the US intelligence services. The common mode of operation by most media outlets has been to accept intelligence service conclusions as-is.
Do official reports that lack the evidence needed to support their claims of a breach only make matters worse?
It is likely that much more information on the attacks exists in a classified format within the US government. However, it is unclear whether a higher level of transparency and reporting will be applied to intelligence findings related to cyber security in the future.
This briefing in no way proposes to claim that Russia was not involved in the election-impacting attacks. However, likewise, no proof that Russia was involved is publicly available either. Please note that our assessment merely covers the dynamics of cyber-attacks and not whether or not Russia was involved in more traditional propaganda.
Subsequently, our assessments from prior research reports on events such as this remain unchanged:
We believe it to be highly unlikely that the state actor behind events like the 2016 US election attacks will ever be identified with a level of proof that would hold off in a court of law or international opinion. We predict that attacks following the same pattern of 1) gathering damaging information about an adversary, and 2) then leaking it will grow in numbers as time goes on. The plausible deniability built into these assertions makes them more attractive than outright attacks against the infrastructure of threat actors.
As you have seen in this research brief, there is much to think through when it comes to how you should act once you believe a breach has occurred. However, this is a reactive skill that most learn in the moment, which is way too late. You can learn how to get ahead of such breaches and mitigate the risks of these and many other types of attacks by checking out our research briefs on other related topics.