White House Kicks Russian Diplomats Out Of The Country, Releases Preliminary Report On Russian Hacking With More To Come
from the escalation-time dept
As was widely expected, the White House officially announced its response to claims of Russian interference in our election process, and the “response” is basically kicking 35 Russian diplomats out of the country. Russia admittedly suggested it will do the same. The announcement also includes adding some entities to the official list of “Specially Designated Nationals and Blocked Persons.” Somewhat incredibly, now added to that list is the FSB, which is the modern incarnation of the KGB. What’s incredible about this was that it took until now for this to happen. With this, the administration also issued an executive order expanding on a previous executive order from last year, enabling it to take these actions.
Somewhat ridiculously, the new executive order just shows the full new order, and doesn’t call out what changes were made from the original. So I went through and did a diff on the two executive orders myself. The first major change is an additional first line of who can be sanctioned. While the original had a description of what types of people could be sanctioned for cybersecurity violations, that same sanction has been bumped down to the 2nd item, and the new first item is:
the persons listed in the Annex to this order
Hmmm. That feels unfortunately close to an “enemies list.”
The second major change is the addition of this action which can get you sanctioned to a long list of reasons:
tampering with, altering, or causing a misappropriation of information with the purpose or effect of interfering with or undermining election processes or institutions;
Yup. Remember, we noted already that interfering with “election systems” was not previously listed as a sanctionable offense. Now it is. That was to be expected.
Along with this report, Homeland Security and the FBI also (finally) released something of a “Joint Analysis Report” about the alleged Russian interference. The only major revelation in there is that the US government is referring to this hacking program as “GRIZZLY STEPPE.”
This Joint Analysis Report (JAR) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). This document provides technical details regarding the tools and infrastructure used by the Russian civilian and military intelligence Services (RIS) to compromise and exploit networks and endpoints associated with the U.S. election, as well as a range of U.S. Government, political, and private sector entities. The U.S. Government is referring to this malicious cyber activity by RIS as GRIZZLY STEPPE.
Previous JARs have not attributed malicious cyber activity to specific countries or threat actors. However, public attribution of these activities to RIS is supported by technical indicators from the U.S. Intelligence Community, DHS, FBI, the private sector, and other entities. This determination expands upon the Joint Statement released October 7, 2016, from the Department of Homeland Security and the Director of National Intelligence on Election Security.
This activity by RIS is part of an ongoing campaign of cyber-enabled operations directed at the U.S. government and its citizens. These cyber operations have included spearphishing campaigns targeting government organizations, critical infrastructure entities, think tanks, universities, political organizations, and corporations leading to the theft of information. In foreign countries, RIS actors conducted damaging and/or disruptive cyber-attacks, including attacks on critical infrastructure networks. In some cases, RIS actors masqueraded as third parties, hiding behind false online personas designed to cause the victim to misattribute the source of the attack. This JAR provides technical indicators related to many of these operations, recommended mitigations, suggested actions to take in response to the indicators provided, and information on how to report such incidents to the U.S. Government.
Other than that, the report really doesn’t tell us much more than was already reported in the past by various cybersecurity outfits, about the supposed infiltration by two hacking groups — called APT28 and APT29 (APT: Advanced Persistent Threat) that people say are connected to the Russian government. There is a nifty graphic, though:
The report also posts the YARA signature of the malware that was used (and encourage security folks to check for matching YARA signatures on their systems), and highlights (as was already known) that most of the “hacking” involved spearphishing (directly targeting individuals and tricking them into giving up passwords, with fake password reset requests).
The report does not add much to prove that it was actually the Russians behind this, though everyone insists that’s now the consensus view. The NY Times notes that “a more detailed report on the intelligence… will be published in the next three weeks,” which certainly could reveal more details. But… of course… “much of the detail — especially evidence collected from “implants” in Russian computer systems, tapped conversations and spies ? is expected to remain classified.” In other words, for those who are still skeptical that it was Russia, don’t expect them to be convinced by any of this.
Meanwhile, Donald Trump, when asked about all of this managed to toss off his typical word salad of nothingness:
?I think we ought to get on with our lives. I think that computers have complicated lives very greatly. The whole age of computer has made it where nobody knows exactly what is going on. We have speed, we have a lot of other things, but I?m not sure we have the kind, the security we need.?
Yes, it’s true that attribution in online security is difficult, but most of that statement is completely ridiculous.
And, of course, this is all kinds of a mess. You have claims of attacks that no one wants to back up with actual details, for fear that it will reveal too much about sources and methods. You have escalation of “diplomatic responses” to counter this attack that everyone tells us was done by the Russians. You have an incoming President who basically said “how do I even computer.” None of this is good, and none of it should be okay from no matter where you sit. If we’re going to get into a fight with Russia, it would be nice if we had more evidence that “hey, someone broke into the email systems of political parties — because those organizations are bad at security.” But that doesn’t seem likely to happen.
Instead, we’re left with this weird game where we’re constantly being told “trust us” by one side and “computers confusing” by the other. That’s not comforting.