During the recent US Senate Intelligence Committee hearings on Russian interference in US elections Jeannette Manfra, the acting deputy under-secretary for cybersecurity and communications, provided the soundbite of the day:
As of right now we have evidence of election related systems in 21 states that were targeted.
What neither Manfra nor others testifying would share, in open session at least, was how the Russians targeted the election systems, nor how successful they were. She did, however, concede that there is no evidence that any attempt was made to penetrate state voting systems and alter results. In her opinion, the decentralized nature of the US elections would make it “virtually impossible” to do so without being detected.
The senators were not pleased with the reluctance of Manfra and others to reveal additional details – the who, what, where, why, and how of the targeting – beyond the declaration that the activity was owned by Russia. So we are left to pull back the covers ourselves.
We turn to the unauthorized leak of the top secret NSA analysis on the Russian General Staff Main Intelligence Directorate (GRU) and their activities targeting the US election. The existence of this report became known when Reality Winner provided it to The Intercept. The NSA analysis, taken at face value, called out how the Russians “targeted US election via phishing attacks”.
Now to be clear, the information in the analysis was not especially noteworthy from a technological standpoint. What is interesting is the finding on how the information was used cumulatively to move on to the next target. The analytic document contained a redacted image that outlined the spear-phishing campaign and made clear which information was known, and what is being deduced.
The analysis indicates a phish email that was sent from
firstname.lastname@example.org to 122 separate recipients, all associated with local government organizations, across up to 21 states. Last year, both Illinois and Arizona were told that their election offices or employees had been affected by a Russian effort.
The Arizona incident, in August 2016, at first seemed to be inconsequential. As the Washington Post reported at the time, Arizona’s secretary of state, Michele Reagan, shut down the voter registration system for nearly a week following a call from the FBI that a “credible” threat existed. It turned out that no compromise of the state’s systems had occurred, nor that of any Arizona county. A single election official in Gila County, Arizona, had had their username and password compromised when “a worker may have inadvertently downloaded a virus”. However, the username/password combination would only have provided access to the Gila County voting registration system.
The Illinois incident in July 2016, however, was more substantive. Thomas Kyle, director of voting and registration systems for the Illinois State Board of Elections, sent an email to all state election officials acknowledging that the breach had occurred on July 12 2016. Subsequently we learned the voter registration information for a “small percentage” of voters had indeed been accessed, but not altered or deleted.
Then, in August 2016, the FBI published an FBI Flash Alert, Targeting Activity Against State Board of Election Systems. The similarity between the FBI Flash Alert and the Illinois email? They both described how the actors could inject SQL database queries into state’s systems. Given the timing of the outreach by the FBI, the incidents in both states appear to be consistent with the “targeting” that both Manfra and the NSA describe in their analysis.
Add to this the contemporaneous activities that were going on at the Democratic National Committee, whose dirty laundry was put on show by the Fancy Bear hacker group, and it seems clear that the Russians were busy in the summer of 2016. Interestingly, we learned from homeland security secretary Jeh Johnson, during a separate hearing that the DNC had turned away both the FBI and Homeland Security, instead relying on a private company to get to the bottom of who had ravaged their systems.
Despite all this, we would expect Russian president Vladimir Putin to deny the Russian hand has been involved. And yes, he he did not disappoint.
Hackers are free people. They are like artists. If they are in a good mood, they get up in the morning and begin painting their pictures. Hackers are the same. They wake up in the morning, they read about some developments in international affairs, and if they have a patriotic mindset, then they try to make their own contribution the way they consider right into the fight against those who have bad things to say about Russia.
Whether it is acknowledged or not, what the Russians have demonstrated is their active campaign to sow doubt and uncertainty in the US election (and those of other nations) has been successful. And one thing’s for sure: this is not the last we’ve heard about the Russian meddling in the US election process, and if predictions are correct, it isn’t the last we’ve seen of their meddling either.