“Russia and the US Election Hacks: Sorting through the confusion”

By Jeffrey Pawlick

Over the past couple of weeks, Americans have been alarmed by article titles along the lines of "Russian Hacking in US Elections" or "The CIA and FBI on Election Hacking." 

Yesterday in fact, an article in the New York Times bore the title: "The Perfect Weapon: How Russian Cyberpower Invaded the US."

These headlines are vague at best and confusing at worst.  "Hacking the election," to many people's minds, suggests the idea that Russia penetrated information systems used to collect votes, changed the total numbers, and fabricated a win for Trump. And "weapons" and "invasions" suggest physical damage—bombs.

Of course, that is not the case.  The Russian operations were neither direct nor atypical. And they were not surprising.  On the other hand, the evidence for Russia's involvement seems stronger by leaps and bounds than what Trump has been prepared to admit.

Clarifying what it means to hack the elections

A top CIA official has said that Russia influenced the elections not only to undermine confidence in American democracy, but also specifically to support Trump.  This support, however, would not have come in the form of altering the vote count. 

Instead, Russia reportedly penetrated both Republican National Committee and Democrat National Committee networks, but only released (damaging) information about the Democrats, thereby boosting the cause for Trump.

In addition to the DNC hack, Russia also seems to be responsible for the breach of the email account of John Podesta, the chairman of Hillary Clinton's campaign.

How could this happen?

While such high-level breaches are alarming, they are entirely feasible.  Russian hackers reportedly penetrated the DNC networks using a family of exploits alternatively called "The Duke," “Cosy Bear,” or “APT 29.”  This is the same family of malware (malicious software) which recently targeted the state department. 

APT stands for Advanced Persistent Threat, a class of attacks which give agents insider access to a system.  APTs deactivate security systems and override alerts in order to remain under the radar.  Some persist in a system for months before they are detected.

APT 29 is delivered by some type of social engineering such as a phishing email. After penetration, the malware searches for security products to disable.  Then it sends a signal back to a compromised website to indicate successful penetration.  Next the APT installs a set of commands and modules which give attackers backdoor access. 

With this access to the DNC servers, the attackers obtained emails which they released during the past summer, much to the Clinton campaign’s chagrin.

How strong is the evidence for Russian involvement?

The strongest statement for Russian involvement came in early October.  That declaration was unanimous: all 17 US intelligence agencies voiced agreement on Russian involvement. 

Since October things have been a little less direct.  This week the New York Times published the aforementioned claims that Russia hacked both the DNC and the RNC, but only publicized material from the DNC.  The Times seems to be the only major news agency to make this statement.  As evidence, they cite “interviews with dozens of players targeted in the attack, intelligence officials who investigated it and Obama administration officials who deliberated over the best response.”

Then today NBC said that US intelligence officials believe with a “high level of confidence” that Putin was personally involved in the Russian campaign.  They argue that Putin himself approved orders to interfere in the elections.  NBC’s sources are “two senior officials with direct access to the information.” 

According to other reports, the CIA and FBI are not completely in agreement.  Apparently, since the October statement by all US intelligence agencies, officials from the FBI have become more skeptical than their counterparts in the CIA.

In the way of independent analysis, the editors of Arstechnica published a detailed article about the reasons to suspect Russian involvement.  They note that the families of malware used to execute the attacks were built specifically for espionage, and have been used before against Russian opponents.  In addition, the attack software was regularly maintained and professionally updated in a way that would require long-term and organized funding.  Finally, evidence from the code includes time-stamps from someone in the same time zone as Moscow and St. Petersburg, as well as software from someone speaking Russian. 

Of course, a sophisticated attacker could leak these details to intentionally implicate the Russians.  Still, most independent analysts have agreed with Russian involvement.

And the President-Elect…

Finally, Trump’s response to the hacks has been simply to shrug off the claims and remind everyone that “the election ended a long time ago.”  Rather than addressing the evidence directly, Trump has launched an ad hominum attack on the CIA. 

“These are the same people,” he noted, “who said Saddam Hossein had weapons of mass destruction.”

While sensationalist headlines about “The Perfect Weapon” obscure the facts about what really happened, the response from the Trump transition team has done little to make things more clear.  Overall, porous political claims have been quick to rise to the surface, while solid technical evidence is taking more time. “Russia and the US Election Hacks: Sorting through the confusion”
 
By Jeffrey Pawlick
 
Over the past couple of weeks, Americans have been alarmed by article titles along the lines of "Russian Hacking in US Elections" or "The CIA and FBI on Election Hacking." 
 
Yesterday in fact, an article in the New York Times bore the title: "The Perfect Weapon: How Russian Cyberpower Invaded the US."
 
These headlines are vague at best and confusing at worst.  "Hacking the election," to many people's minds, suggests the idea that Russia penetrated information systems used to collect votes, changed the total numbers, and fabricated a win for Trump. And "weapons" and "invasions" suggest physical damage—bombs.
 
Of course, that is not the case.  The Russian operations were neither direct nor atypical. And they were not surprising.  On the other hand, the evidence for Russia's involvement seems stronger by leaps and bounds than what Trump has been prepared to admit.
  Clarifying what it means to hack the elections  
A top CIA official has said that Russia influenced the elections not only to undermine confidence in American democracy, but also specifically to support Trump.  This support, however, would not have come in the form of altering the vote count. 
 
Instead, Russia reportedly penetrated both Republican National Committee and Democrat National Committee networks, but only released (damaging) information about the Democrats, thereby boosting the cause for Trump.
 
In addition to the DNC hack, Russia also seems to be responsible for the breach of the email account of John Podesta, the chairman of Hillary Clinton's campaign.
  How could this happen?  
While such high-level breaches are alarming, they are entirely feasible.  Russian hackers reportedly penetrated the DNC networks using a family of exploits alternatively called "The Duke," “Cosy Bear,” or “APT 29.”  This is the same family of malware (malicious software) which recently targeted the state department. 
 
APT stands for Advanced Persistent Threat, a class of attacks which give agents insider access to a system.  APTs deactivate security systems and override alerts in order to remain under the radar.  Some persist in a system for months before they are detected.
 
APT 29 is delivered by some type of social engineering such as a phishing email. After penetration, the malware searches for security products to disable.  Then it sends a signal back to a compromised website to indicate successful penetration.  Next the APT installs a set of commands and modules which give attackers backdoor access. 
 
With this access to the DNC servers, the attackers obtained emails which they released during the past summer, much to the Clinton campaign’s chagrin.
  How strong is the evidence for Russian involvement?  
The strongest statement for Russian involvement came in early October.  That declaration was unanimous: all 17 US intelligence agencies voiced agreement on Russian involvement. 
 
Since October things have been a little less direct.  This week the New York Times published the aforementioned claims that Russia hacked both the DNC and the RNC, but only publicized material from the DNC.  The Times seems to be the only major news agency to make this statement.  As evidence, they cite “interviews with dozens of players targeted in the attack, intelligence officials who investigated it and Obama administration officials who deliberated over the best response.”
 
Then today NBC said that US intelligence officials believe with a “high level of confidence” that Putin was personally involved in the Russian campaign.  They argue that Putin himself approved orders to interfere in the elections.  NBC’s sources are “two senior officials with direct access to the information.” 
 
According to other reports, the CIA and FBI are not completely in agreement.  Apparently, since the October statement by all US intelligence agencies, officials from the FBI have become more skeptical than their counterparts in the CIA.
 
In the way of independent analysis, the editors of Arstechnica published a detailed article about the reasons to suspect Russian involvement.  They note that the families of malware used to execute the attacks were built specifically for espionage, and have been used before against Russian opponents.  In addition, the attack software was regularly maintained and professionally updated in a way that would require long-term and organized funding.  Finally, evidence from the code includes time-stamps from someone in the same time zone as Moscow and St. Petersburg, as well as software from someone speaking Russian. 
 
Of course, a sophisticated attacker could leak these details to intentionally implicate the Russians.  Still, most independent analysts have agreed with Russian involvement.
  And the President-Elect…  
Finally, Trump’s response to the hacks has been simply to shrug off the claims and remind everyone that “the election ended a long time ago.”  Rather than addressing the evidence directly, Trump has launched an ad hominum attack on the CIA. 
 
“These are the same people,” he noted, “who said Saddam Hossein had weapons of mass destruction.”
 
While sensationalist headlines about “The Perfect Weapon” obscure the facts about what really happened, the response from the Trump transition team has done little to make things more clear.  Overall, porous political claims have been quick to rise to the surface, while solid technical evidence is taking more time.