The Cyber Attacks on America — Today, Identifying Russian Civilian and Military Intelligence Players as the Culprits

December 29 2016

FBI, Homeland Security, the Director of National Intelligence, the White House — speaking out today on the issues.  The pros and cons are vigorously debated!

by Hank Boerner

The headlines roared forth today:  President Barack Obama’s Administration announcing sanctions on Russian interests — President-Elect Donald Trump saying he’s not so sure the Russians were involved.  Prominent Republican U.S. Senators (John McCain and Lindsey Graham) demanding action against Russia.  Back and forth it went all day and on into the nightly news and the chattering cable class.  Russian leadership immediately chimed in, promising retribution for any U.S. action taken against their country.

So what is going on?  We’ll see a flood of comments here in the U.S. (pro and con, certain and questioning) on this and that and whatever, about the Russians hacking, whether that affected the recent election outcome, who thinks they did and who thinks they did not…and on and on.

Take a deep breath.  For context, let’s begin with the official announcements from the U.S. government agencies on the front lines of the attack/defense/retribution. (I know, I know — not everyone will trust the official government explanations!)  To the extent that you trust government agencies and leaders of those entities, at least understand what it is that they are saying on the record.  And what information they put forth to support their opinions.

The President today authorized actions in response to the Russian government’s “…aggressive harassment of U.S. officials and cyber operations aimed at the U.S. election in 2016…”

The President-elect has been communicating (in various ways as is his style) that he is not so sure that it was the Russian government.

Some people are not getting past these conflicting views to get to the rest of the story. (We do know that President-elect Donald Trump apparently bristles at any mention of less-than-a-triumph-for-him-at-the-ballot-box — just watch the tweeting. So the idea that there was outside influence could undermine the confidence in his win – not good.)

The White House today emphatically said the cyber intrusions — yes, attacks — were intended to attempt to influence the 2016 election (the main story the media picks up on).  AND they were intended to erode faith in U.S. democratic institutions; and, undermine confidence in the institutions of the U.S. government.  That part should make every American anxious — and angry — and give pause to think about the consequences of this, if true — no matter their political and personal beliefs (left/right, liberal/conservative, Democrat/Republican, etc.)

The Obama Administration is taking action in response, and what we know at least publicly tonight is:

  • Nine Russian entities and individuals are now officially sanctioned. These are the two Russian intelligence services (GRU and FSB); four officers of the GRU; and three “companies” providing support to the GRU.
  • The U.S. Treasury Department identified two Russians who used cyber-enabled means to steal funds and personal identifications.
  • The U.S. State Department designated two Russian compounds (in New York and Maryland) used by Russian intelligence agencies, ordering them shut overnight and entrance barred to Russians.
  • 35 individuals identified as Russian intelligence operatives are declared persona non grata – they are accused of violating their diplomatic duties and must leave the U.S. (and cannot enter if they are out of the country).  The individuals are in the Washington, D.C. Russian embassy and the San Francisco Consulate.  They have to be out of the U.S. (with their families) in 72 hours.
  • The U.S. Department of Homeland Security and the Federal Bureau of Investigation released de-classified technical information on Russia’s civil and military intelligence services cyber activity to help American network managers identify, detect and disrupt Russia’s global campaign of malicious cyber attacks.
  • The Obama Administration will deliver a report to the U.S. Congress soon detailing the Russian efforts to interfere in the November presidential election and what the Russians have done in past elections.  This should create more headlines (and cable chatter) as it lands on Capitol Hill.
  • The White House pointedly reminded us today that President Obama, back in April 2015 — long before the 2016 election — signed an Executive Order (#13694) creating a new authority for the U.S. government to more effectively respond to Russian (and others’) cyber threats.  This enabled the U.S. government to harm or compromise the abilities of “entities” attacking the U.S. — this could be via a distributed denial-of-service attack (“DDoS”), for example.
  • And, the U.S. government could cause a significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain.  Watch this!  There are three weeks to go in the tenure of President Obama.

The FBI and the Department of Homeland Security today issued a “white bulletin” (publicly available information) on “Grizzly Steppe” (Russian Malicious Cyber Activity).  The 13-page document is a “Joint Analysis Report” (JAR) that says this:  Russian civilian and military intelligence services (“RIS”) have been attacking the U.S. government, private sector entities, and political entities (the Democratic Party), and attempted to interfere with the presidential election.

Think about this:  Attacked / hacked in the USA:  critical infrastructure entities; think tanks; universities; political organizations; corporations in the private sector.

Today’s document provides detailed information for American network security managers to protect their systems. Watch out for “Energetic Bear,” “Fancy Bear,” “Grey Cloud,” “HammerDuke,” “Tiny Baron,” “SEADADDY,” “WaterBug” — and many more Russian operators in your IT systems!

As for the election season attacks, the U.S. government officially confirms that two different “RIS” actors penetrated the Democratic National Committee systems.  They were identified as “APT 29” and “APT 28” — Advanced Persistent Threats.  The successful attacks started in summer 2015 and continued into spring 2016. The attacks are detailed in the JAR — you can read it (it’s publicly available) here: https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296.pdf

And to make sure the American public understands the Federal government’s position on the Russian attacks, the FBI, Homeland Security (DHS) and the Office of Director of National Intelligence (ODNI) said the following:  The intelligence community is confident that the Russian Government directed the recent compromises of e-mails from U.S. persons and institutions, and that the disclosures of alleged hacked e-mails on sites like DCLeaks.com and WikiLeaks are consistent with the Russian-directed efforts.

Government officials said this activity by Russian intelligence services is part of a decade-long campaign of cyber-enabled operations directed at the U.S. government and its citizens.

As we know, a great deal of information — such as analysis and forensics — related to Russian government activity has been published by private sector security companies.  The U.S. government today confirms that the Russian Government conducted many of these activities as reported by the private sector firms over the recent months. (The U.S. government says the attacks have been going on for a decade or more.)

And so, the U.S. government is now arming computer network defenders with tools to identify, detect and disrupt Russian cyber activities that can do harm.

Over the coming days there will be lots of back and forth on who did what / or didn’t / or who should be tracked down and punished / or “we should move on and forget all this talk about the election,” etc.

Remember that Executive Order 13694: It was issued in April 2015 and updated (amended) today by the President.  This is an Executive Order Taking Additional Steps to Address The National Emergency With Respect to Malicious Cyber-Enabled Activities.

The update adds entities and individuals to the “Specially Designated Nationals and Blocked Persons” (SDN) list. Russian individuals are named as well as these Russian entities:

  • The FSB / Federal Security Service of Russia
  • The Main Intelligence Directorate
  • Special Technology Center/St. Petersburg
  • Zorsecurity / Esage Lab / Tsor Security
  • ANO PO KSI — The Autonomous Noncommercial Organization of Professional Association of Designers of Data Processing Systems

Stay Tuned:  Watch the rollout of the activities authorized by the Executive Order — including naming names and related personal financial information that could roil Moscow, depending on the details to be released.

There’s still more than 20 days to go for President Barack Obama to order action. Silent or announced.

You can read the Executive Order update here at the U.S. Department of the Treasury: https://www.treasury.gov/resource-center/sanctions/OFAC-Enforcement/Pages/20161229.aspx
