Jay Kesan | Publications

On Friday, July 13th, Robert Mueller’s special prosecution team announced an indictment of twelve Russian agents in connection with cyber attacks against us.

The indictment discusses two computer intrusion units in the Russian military. One of these units is associated with actions to publicize private data, and the other unit is associated with attempts to disrupt our election infrastructure. Both of these sets of crimes include violations of federal law, the Computer Fraud and Abuse Act (CFAA). The defendants in the indictment are charged with two violations of the CFAA: accessing a computer without authorization and obtaining information, and transmitting something that causes damage to a computer.

Information gathering was one focus of the Russian cyber intrusions. According to the indictment, Russian intelligence agencies have been deploying hackers against a variety of systems in the U.S. Arguably the most visible victim is the DNC, which experienced multiple intrusions resulting in the theft of emails and other digital information. Then, posting under names like DCLeaks and Guccifer 2.0, the intruders staged releases of these documents. An unnamed organization, generally assumed to be Wikileaks, is described as working directly with Guccifer 2.0 to release the documents.

When someone wants to break into a computer system, they must find a security vulnerability. In many cases, that security vulnerability is situated right between the chair and the computer keyboard. The indictment alleges that units of the Russian military used spear phishing tactics to obtain passwords or other methods of access. Spear phishing involves sending personalized emails that appear to come from a trusted source, thereby inducing the targeted individuals to reveal confidential information. Once they had access, they installed malware on the computers, including key loggers. That way, the hackers were able to record every keystroke that the user made.

When there is evidence that someone committed a crime, you want to know everyone who interacts with that evidence in the so-called chain of custody. You want the evidence to be in the same shape in court as it was when the crime was committed. An unknown hacker is hardly a reliable link in any chain of custody. When the documents were posted to Wikileaks, journalists immediately started reading them and identifying significant things. But there is no way of ensuring that the hacker didn’t plant dozens or hundreds of little lies throughout the stolen documents.

Another part of the indictment concerns interference with election infrastructure. The indictment refers to an unnamed state board of elections that was the target of a cyber attack by the defendants resulting in the theft of the personal information of about 500,000 voters. In the months following that data breach, some of the defendants also hacked into an American company that makes software to help state and local election boards verify voter registration information. The company is referred to as “Vendor 1.” Some journalists have suggested that this company might be VR Systems.

The indictment also alleges that the defendants used email addresses that resembled Vendor 1’s as part of spear phishing campaigns against election officials across the country in November 2016. They used the company’s logo to make the emails seem more legitimate, as if coming from a company that election officials trust, but the attached Word documents contained malware. It is unknown how many of these spear phishing attempts were successful or what the hackers did when they got access. It’s possible that some of those problems were part of a hacking operation aimed at causing confusion and long lines and lowering voter turnout on election day.

But perhaps the strongest effect that we are experiencing is psychological, as the entire country is concerned about the legitimacy of our political system.

Author – Jay Kesan

TAKING A DEEP DIVE INTO THE RUSSIAN INDICTMENT BASED ON THEIR CYBER ATTACKS