FBI, DHS release report on Russian hacking as administration-ordered sanctions take effect

Ever since the DNC was hacked earlier this year, there’s been an ongoing tussle in the media over what the government knew, why it suspected the Russians, and what actions, if any, the Obama Administration would take in response. While some initial evidence of foreign involvement was presented by third-party security firms, the government had refrained from sharing its own conclusions or any of the underlying material. As of yesterday, we have both a joint report from the US’ various federal agencies as well as a formal announcement of sanctions to be taken against the Russian government. Let’s take a look at both.

The report, which you can read here, is a joint product of the FBI and Department of Homeland Security on the actions of the Russian civilian and military intelligence services (RIS). Like the independent cybersecurity reports of earlier this year, the FBI and DHS assert that two entities — labeled APT28 and APT29 (APT stands for Advanced Persistent Threat) — worked in concert as part of a deliberate attempt to penetrate US government infrastructure. APT29 first penetrated a political party’s servers in 2015, while APT28 did so in 2016.


The two groups have related but distinct skill sets and attack methods. The report states: “In spring 2016, APT28 compromised the same political party, again via targeted spearphishing. This time, the spearphishing email tricked recipients into changing their passwords through a fake webmail domain hosted on APT28 operational infrastructure. Using the harvested credentials, APT28 was able to gain access and steal content, likely leading to the exfiltration of information from multiple senior party members. The U.S. Government assesses that information was leaked to the press and publicly disclosed.”
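The credential-harvesting step quoted above (a lure that sends staff to a fake webmail domain to "change their password") is exactly the pattern mail-filtering and SOC tooling look for on the defensive side. The following is an added illustrative example, not code from the report or from the article, that extracts links from a message and flags hosts which imitate an organization's real webmail domain. The allowlist, the organization domain `example.org`, the thresholds and the sample message are all assumptions constructed for the demonstration.

```python
"""Lookalike webmail domain detector (added example; not from the article).

Assumptions (constructed for this demonstration):
  - the organization's real domain is example.org
  - its legitimate webmail hosts are listed in LEGIT_WEBMAIL_HOSTS
  - SAMPLE_EMAIL is a made-up message body, not a real phishing lure
"""
import re
from typing import List, Tuple
from urllib.parse import urlparse

ORG_DOMAIN = "example.org"                                   # assumed
LEGIT_WEBMAIL_HOSTS = {"webmail.example.org", "mail.example.org"}  # assumed allowlist

# Crude URL matcher: enough for plain-text bodies; a real filter would parse HTML too.
URL_RE = re.compile(r'https?://[^\s<>")]+', re.IGNORECASE)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, used to catch typo-squats such as examp1e.org."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,        # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Naive 'last two labels' rule (no public-suffix list; an assumption here)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def classify_host(host: str) -> str:
    """Return 'legitimate', 'lookalike' or 'external' for a link host."""
    host = host.lower()
    if host in LEGIT_WEBMAIL_HOSTS:
        return "legitimate"
    reg = registrable_domain(host)
    if reg == ORG_DOMAIN:
        return "legitimate"          # some other internal subdomain
    # The real domain embedded as a subdomain of a foreign registrable domain,
    # e.g. webmail.example.org.account-reset.net
    if ORG_DOMAIN in host:
        return "lookalike"
    # Typo-squat: within two edits of the real registrable domain
    if levenshtein(reg, ORG_DOMAIN) <= 2:
        return "lookalike"
    # Brand term reused in a foreign domain, e.g. example-org-mail.net
    if ORG_DOMAIN.split(".")[0] in reg:
        return "lookalike"
    return "external"


def extract_hosts(body: str) -> List[str]:
    """Pull the hostname out of every http(s) link in a plain-text body."""
    hosts = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host:
            hosts.append(host)
    return hosts


def flag_suspicious_links(body: str) -> List[Tuple[str, str]]:
    """(host, verdict) for every link whose host is not a legitimate one."""
    return [(h, classify_host(h)) for h in extract_hosts(body)
            if classify_host(h) != "legitimate"]


# Constructed sample message: one real link, two lookalikes, one unrelated site.
SAMPLE_EMAIL = """Subject: Action required: password expiry
Your webmail password expires today. Sign in at
https://webmail.example.org/owa/ to keep access, or use the
backup portal https://webmail.example.org.account-reset.net/login
Mirror: https://examp1e.org/reset
Help: https://www.github.com/
"""

if __name__ == "__main__":
    for host, verdict in flag_suspicious_links(SAMPLE_EMAIL):
        print(f"{verdict:10s} {host}")
```

The two lookalike rules are deliberately independent: the "real domain embedded as a subdomain" check catches hosts that look correct when only the left-hand side is shown (mobile clients truncate long hostnames), while the edit-distance check catches single-character substitutions that survive a careful glance. An unrelated external host is reported separately so analysts can triage it with lower priority.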

The use of common practices and methodologies is part of why the government is confident that both APT28 and APT29 are associated with RIS. As we’ve previously discussed in very different contexts, military cyberwarfare divisions don’t have much in common with the kinds of script kiddies and attack profiles you see from run-of-the-mill zombie botnets. A cryptocurrency-mining botnet just wants to spread itself to as many systems as possible to make as much money as possible. It’s not necessarily concerned with remaining hidden for months or years at a time, and it’s not going to be written to target specific and particular computers. The government’s report states that beginning in September 2015, APT29 targeted over 1,000 recipients as part of a spearphishing campaign. That might sound huge, but it’s ludicrously tiny compared to any commercial botnet. This was a precise, targeted strike, not a broad salvo aimed at converting as many systems as possible. The report doesn’t have as much specific information as we might like, but it’s now the formal conclusion of the entire government.

The Obama Administration’s decision to enforce sanctions against the Russians reflects this conclusion in a rather interesting way. Instead of targeting general sections of the Russian economy or interests, Obama announced that the government would specifically enforce sanctions against 35 specific individuals identified as intelligence operatives. The individuals in question were ejected not for the DNC hack itself, but in response to “harassment of our diplomatic personnel in Russia by security personnel and police.” That’s according to a White House fact sheet distributed on the attacks, the government’s response, and its rationale for various actions. There are also reports that the government will close a known Russian spy base.

The reason it’s interesting to see the United States taking these kinds of actions is because spycraft isn’t just about what you know — it’s about what the other team knows you know. The reason the government would leave known enemy assets in play is simple: If you force the other team to reestablish a new set of procedures or recruit new agents, you guarantee that you’ll have to penetrate their security once again.

US Speaker of the House Paul Ryan called the new sanctions “overdue,” adding “Russia does not share America’s interests. In fact, it has consistently sought to undermine them, sowing dangerous instability around the world.” That’s not to say Speaker Ryan is endorsing Obama’s Russia policies, which he described as “a prime example of this administration’s ineffective foreign policy that has left America weaker in the eyes of the world.”

Initial reactions from GOP leaders to news of the hacks were muted throughout the fall and into December. Of course, implementing effective policies against future Russian or enemy state incursions will be the responsibility of President Trump, who has previously dismissed intelligence agencies’ conclusions and briefings by noting that he is “like, a very smart person.” Trump again called on the country to “move on to bigger and better things,” but stated “I will meet with leaders of the intelligence community next week in order to be updated on the facts of this situation.” Trump has generally pursued a very friendly relationship with Russian President Vladimir Putin and his Secretary of State pick, Rex Tillerson, was revealed as the director of ExxonMobil’s Russian subsidiary, Exxon Neftegas, from 1998 – 2006.

