Russian Hacking and Disinformation Campaigns
A Post-ShmooCon Analysis
In this excellent piece by guest blogger Meagan Dunham Keim, she provides a synopsis of the two ShmooCon 2017 sessions that addressed Russian hacking and disinformation campaigns. She expertly supplements the session reviews with robust knowledge and insight on this topic. – Tracy Z. Maleeff, APSN Editor
As investigations into the Democratic National Committee hack and subsequent data leaks have unfolded, a lot has been written on the what, who, and how dimensions of the attacks. Few have shed light on why it happened and what exactly Russia stood to gain from its now widely acknowledged influence operation. ShmooCon 2017 added more context to the discussion with two different talks focused on Russia’s information operations, but the presentations were still firmly rooted in the what, who, and how categories of the issue.
Toni Gidwani, Director of Research Operations at ThreatConnect, gave a presentation detailing her company’s investigation into last year’s Democratic National Committee (DNC) and Democratic Congressional Campaign Committee (DCCC) breaches, as well as Russia’s use of online fronts to strategically leak the stolen information. Through infrastructure analysis on Guccifer 2.0 and DCLeaks, ThreatConnect’s research team assessed that Russia created these outlets to conduct an active influence campaign aimed at the US presidential election. Gidwani also contextualized CrowdStrike’s and ThreatConnect’s findings that two distinct Russia-linked groups, Fancy Bear and Cozy Bear, both breached the DNC at separate times and did not coordinate their attacks. The same sets of documents were in fact exfiltrated by both of the groups, and there is no evidence either actor knew the other was in the DNC’s systems. As Gidwani pointed out, this complete lack of operations deconfliction is consistent with the highly competitive nature of Russia’s intelligence agencies.
Mark Kuhr, co-founder of Synack, described Russia’s disinformation tactics and then delved into a walkthrough of techniques attackers could use to make correct attribution of cyber-attacks much more difficult. Disturbingly, it is quite possible for a dedicated attacker to very closely mimic a known threat actor, especially through manipulation of threat intelligence feeds and careful creation and dismantling of attack infrastructure. The key to pulling this off is a fairly sophisticated understanding of a known group’s motives and modus operandi. All tactics, techniques, and procedures used in the cyber-attack can then be aligned to the larger motives of another group, building a convincing case for false attribution. Copycats can further bolster their case by co-opting third parties to run with the disinformation, and anyone still questioning the predominant narrative will be left with very little evidence to argue against the incorrect theory of who is responsible.
Great credit is due to many dedicated researchers and experts (including the ShmooCon presenters mentioned above, Matt Tait, the Grugq, and Patrick Gray, among others) for increasing the community’s understanding of the events surrounding the 2016 US election. These individuals have provided a considerable public service by publishing credible information attributing the recent cyber-attacks and influence operation to Russia and backing these connections up with excellent analysis of motives.
What is underemphasized in public discussions of these issues, however, is the need to fully understand Russia’s geopolitical strategic interests and perceived threats when analyzing Russia’s actions in the cyber sphere and making predictions about what could be coming next.
In the Russian government’s highly centralized decision-making process, core strategic interests win out over international laws and norms almost without exception. Russia’s influence operation aimed at the US presidential election illustrates this very well. Many have pointed to the unprecedented nature of Russia’s campaign, highlighting the country’s willingness to go beyond generally accepted cyber espionage activities to dump stolen information into the public sphere in order to actively exert influence. Considering the stakes for Russia, though, the government’s complete lack of regard for international norms can be understood.
Russia’s economy has been in steady decline since 2013, spurred on by falling oil prices, the country’s inability to quickly diversify sources of growth, rampant corruption, and economic sanctions over Russia’s invasion of Ukraine. Economic decline is causing shrinking government revenues, which erodes the Russian government’s power sources in two ways.
First, Russia’s ongoing economic troubles degrade Putin’s ability to ensure loyalty among the ruling class by sustaining patronage networks. If key high-level Russian officials can no longer reap substantial financial rewards and other benefits from supporting the status quo, then it is much more likely that they will conspire to undermine Putin or even carry out a palace coup. To maintain order in the ranks, Putin employs a divide-and-conquer strategy, pitting political factions against one another to ensure no one player or group amasses too much power. However, this strategy breaks down if competing factions are given sufficient reason to unite: namely, if the benefits of maneuvering against Putin outweigh the risks.
Depletion of the federal budget also threatens to break down the social contract between the Russian government and its citizens. According to this informal agreement, the government provides a basic lower middle class quality of life in return for citizens’ tacit support of the ruling class and disengagement from politics. With the next Russian presidential election coming up in March 2018, the Russian government is particularly wary of anything that would decrease its perceived legitimacy. If the status quo had continued, as it very likely would have under a Clinton presidency, these factors may have eventually led the Russian government to lose power through either an internal political coup or the less likely scenario of a popular movement fueled by a breakdown in the social contract.
Within this context, Putin was faced with two very different US presidential candidates who would affect these dynamics in sharply contrasting ways. On the one hand there is Hillary Clinton, who has direct experience (through the failed ‘reset’ in relations with Russia) of the futility of trying to forge a partnership with Putin. She is a firm supporter of maintaining pressure on Russia, mainly through continuing or increasing economic sanctions, and would have maintained the status quo in US policy toward NATO. Donald Trump, on the other hand, stated on the campaign trail he would consider removing sanctions against Russia and called into question the need to stand by our NATO allies.
Russia perceives NATO as an existential threat. Each time NATO gains a new member, Russia decries it as military encroachment, and the government has responded by using all available means to maintain a buffer of non-NATO nations around its borders. One of the main tactics Russia employs toward this end is to prop up separatist movements that embroil former Soviet states such as Ukraine and Georgia in frozen conflicts. This destroys political will within NATO to grant these countries membership lest the frozen conflicts become hot and trigger the need for a military response under the collective defense principle (Article 5) of the NATO treaty. It is difficult to overstate the strategic advantage Russia stood to gain, either through undermining the legitimacy of a Clinton presidency and therefore decreasing her freedom of action to counter Russia’s moves, or by assisting in the election of Trump, who has already significantly undermined NATO’s ability to curtail Russian aggression by questioning the principle of collective defense. Russia’s core geostrategic interests were at stake in the US presidential election and the potential benefits of influencing the incoming president far outweighed the risks of flying in the face of international norms.
Russia’s campaign to influence the US election does not have any close equivalents in terms of the target, scope, and impact (which is extremely difficult to assess given the many factors that influenced the outcome). However, Russia has tested its ability to exert influence and further its strategic aims through disinformation and cyber-attacks several times in recent history. Russia’s military and information operations in Ukraine and Crimea are some of the most prominent examples. In both cases, Russia has used a combination of covert military action, cyber-attacks, and disinformation campaigns to maintain de facto occupations and undermine Ukraine’s efforts to join the EU and cooperate more closely with NATO. As Gidwani pointed out in her presentation, the results of Russia’s influence campaign targeted at the US elections give Russia little reason to stop carrying out similar operations against other nations in the future.
Information security is becoming increasingly geopolitical, as the events of 2016 have shown. To be prepared for what may be coming next, it is very important that the information security community redouble its efforts to seek out and develop expertise on political issues that have not traditionally been part of its purview. As Russian government-linked attackers improve their ability to evade detection and cover their tracks, it is also crucial to be vigilant for signs of false flag operations and apply rigorous analysis of strategic interests and motives to future investigations of cyber-attacks. Guarding against disinformation and influence operations will require much broader awareness-raising initiatives, to which the information security community is uniquely positioned to contribute.
Meagan Dunham Keim is a Russian language nerd and InfoSec enthusiast who studied Global Security and Russian at the University of Wisconsin-Madison. She is an alumna of the Russian Flagship, which is an intensive language and cultural studies program with a study abroad component. As part of an independent seminar conducted in Russian, Keim researched the Investigative Committee, which is one of Russia’s most powerful law enforcement agencies. During her Flagship capstone year in St. Petersburg, she studied political sociology with native Russian speakers. Keim has assisted in global cyber incident response efforts at a non-profit organization where she successfully advocated for improved digital security measures. She is currently pursuing an M.S. in Cybersecurity Technology at the University of Maryland University College.