The Herald on Sunday

Rife hacks

Russia and China both aim to win the US election

- David Pratt

“STRONTIUM”, “Phosphorus”, “Zirconium”. Anyone could be forgiven for thinking these were operational codenames from some racy and sinister spy thriller – and they wouldn’t be far off the mark.

These are the names under which the three major hacking groups operate and which were identified last week by software giant Microsoft as currently targeting US political groups and the presidential campaigns of Donald Trump and Democrat rival Joe Biden.

Microsoft has long had teams that track sophisticated hacking groups, but a report released last Thursday provided the most in-depth insight yet into how Russian, Chinese and Iranian hackers are interfering in the US electoral contest. The Microsoft assessment, say analysts, is far more detailed than any yet made public by the American intelligence agencies.

“The activity we are announcing today makes clear that foreign activity groups have stepped up their efforts targeting the 2020 election,” Microsoft said in a post on its website that had the US cyber security community rushing to reassure Americans and others that none of the three hacking groups had yet impacted on election systems.

“It is important to highlight that none are involved in maintaining or operating voting infrastructure and there was no identified impact on election systems,” insisted Christopher Krebs, the US Department of Homeland Security’s top cyber official.

But Krebs’s reassurances aside, many within the US political community are already nervous of what might be yet to come and the effects of hacking on the November 3 ballot, widely seen as one of the most consequential US presidential elections in decades.

Only making matters worse, Microsoft’s announcement came barely days after a whistleblower at the White House and the Department of Homeland Security claimed that Chad Wolf, the department’s acting secretary, told him to stop intelligence assessments of Russian attempts to influence the 2016 election because it “made the President look bad”.

The whistleblower also claimed that Wolf had told him to focus instead on similar efforts by China and Iran, an order that apparently came directly from the White House. Microsoft’s assessment also comes a fortnight after US director of national intelligence John Ratcliffe said he would no longer let intelligence agencies give in-person briefings on election interference in Congress, citing concerns about leaks.

Last week, the US Treasury Department also sanctioned four people accused of trying to interfere in the election on behalf of Russia. One is a member of the Ukrainian parliament, while the other three are Russian nationals employed by Russia’s Internet Research Agency, also known as Glavset.

If all this sounds familiar, that’s because we have been here before, given it was the same agency that was heavily involved in Moscow’s influence campaign involving “hack and leak” during the 2016 US presidential election.

Back then, Russian hackers stole and leaked thousands of emails from the Democratic National Committee and Hillary Clinton’s campaign. Even before that now-infamous 2016 election there were precedents when China hacked the campaigns of Barack Obama and John McCain in 2008. Then, in 2012, foreign and domestic hackers tried to gain access to the campaign networks of Obama and Mitt Romney.

In the intervening years since 2016, US government agencies like the Cybersecurity and Infrastructure Security Agency and the FBI have stepped up efforts to protect elections from hackers and online disinformation but likewise the hackers themselves have become ever-more sophisticated and cunning. So just who is behind the latest hacking, what have their targets been – and what might they hope to achieve?

Evidence once again mounts of attempted foreign interference in the US presidential election

According to the Microsoft investigation, the same Russian GRU military intelligence unit that carried out the 2016 hacks is also behind the latest attacks. These efforts included the Kremlin-aligned hacking group “Strontium” – also known as “Fancy Bear” – which has targeted more than 200 organisations, political campaigns and parties over the past year.

These include the US-based consultants for the Democratic and Republican parties, think tanks such as the German Marshall Fund, the Stimson Centre that promotes international co-operation, and political parties in the United Kingdom.

Back in 2017, Microsoft resorted to legal action against Strontium with a US federal court ordering the group to stop targeting Microsoft customers and using the company’s logos in malicious email phishing campaigns.

“Strontium has evolved its tactics since the 2016 election to include new reconnaissance tools and new techniques to obfuscate their operations,” wrote Tom Burt, corporate vice-president of customer security and trust at Microsoft in last week’s blog post announcing the latest hacking.

“In 2016, the group primarily relied on spear phishing to capture people’s credentials. In recent months, it has engaged in brute-force attacks and password spray, two tactics that have likely allowed them to automate aspects of their operations,” Burt went on to explain.

The methods being used by the Russians are far more sophisticated than they were four years ago and include complex efforts to hide their digital tracks. Microsoft detailed how Strontium was now routing some of its attacks through Tor, a service that conceals the attackers’ whereabouts and identity, which slowed the effort to identify the hackers.

They have also been covering up their tracks by rotating through 1,000 different IP addresses, and adding about 20 new ones each day, Microsoft found.

So far, Microsoft officials said they found no evidence that hacking efforts this year were successful, but corporate officials cited by The New York Times noted that they had limited vision into Russia’s overall operations.

They cannot say definitively whether materials were stolen, or what Russia’s motivations may be. That, Microsoft said, was the role of US intelligence officials, though it did call on Congress to approve more funding to protect against election interference.

But analysts say that, irrespective of whoever ends up in the White House, elections offer rich pickings for spies.

“Parties and campaigns are good sources of intelligence on future policy,” said John Hultquist, an analyst at cyber security company FireEye speaking to Reuters news agency last week as the Microsoft assessment went public.

Faced with such intelligence leaks, the US Congress to date has appropriated over $800 million for election security since 2018, but election security experts have insisted that additional funding is still needed given, they say, that resources are now stretched to accommodate the shift in Covid-19 related voting.

According to the American political news website The Hill, several key members of Congress have reacted angrily to reports of the latest attempted cyber attacks.

“We’ve said it all along: Russia will be back ... we need to be prepared,” tweeted Mark Warner, the top Democrat on the Senate Intelligence Committee, a panel that conducted a bipartisan years-long investigation into Russian interference during the 2016 presidential election.

One of his Republican counterparts on the committee was more blunt in his assessment about both Russian and Chinese hackers.

“In Beijing, chairman Xi wants Biden to win; in Moscow, Vladimir Putin wants Trump to win; both of these miserable SOBs have the same goal of turning Americans against each other,” Senator Ben Sasse was quoted by The Hill as saying.

“The United States needs to make it clear that China and Russia will face severe consequences for hacks and disinformation campaigns. Chinese communists and Russian oligarchs don’t get to vote in America’s elections,” Sasse added.

However, the Republican senator’s assertion that Beijing is behind Biden and Moscow behind Trump remains a subject of some debate and conjecture.

Last month, William Evanina, director of the US National Counterintelligence and Security Centre, said that Russian operatives were attempting to undermine Biden in the run-up to the election, while China and Iran preferred to damage Trump’s chances of remaining in the White House.

But Microsoft’s latest assessment would appear to fly a little in the face of this depiction of Beijing’s role.

The Chinese hacking group known as “Zirconium”, or APT31, has also attacked the non-campaign email accounts of high-profile people in Biden’s campaign, plus at least one prominent person formerly associated with the Trump administration, Microsoft said. Biden’s campaign team, however, insist they anticipated this.

“We have known from the beginning of our campaign that we would be subject to such attacks, and we are prepared for them,” a statement released by the Biden campaign said last Thursday.

“Biden for President takes cyber security seriously and will remain vigilant against these threats, and will ensure that the campaign’s assets are secured,” the statement added.

Unlike the hacking efforts by Russians, the hackers in China are using known bugs on websites and targeting specific individuals for their attacks, Microsoft said.

For his part, Trump and his supporters continue to happily push an alternative message insisting that the Chinese are trying to help Biden. They say Beijing would like to see a Biden victory because he would be weak in standing up to China. Some US intelligence officials dismiss such claims, saying the real reason is because Beijing sees Trump as “unpredictable”.

For their part, Moscow and Beijing, as might be expected, have denied the hacking allegations. China’s foreign affairs ministry spokesman, Zhao Lijian, said that China has no interest in the US election and has never interfered in it.

The US was an “empire of hackers”, he said at a daily news briefing in Beijing last week.

Russian Embassy press secretary in Washington, Nikolay Lakhonin, also pushed back on the allegations, saying Americans had been discussing “so-called interference” for years without presenting what he described as “factual evidence”.

But as if the likes of Strontium and Zirconium were not enough for US officials to contend with, enter Phosphorus, an Iranian hacker group often called by its other curious name, Charming Kitten.

Between May and June, the Iranian hackers have been trying to access accounts belonging to Trump’s campaign staff, as well as accounts belonging to Trump administration officials, according to Microsoft.

It says that, having obtained a federal court’s permission to take control of 25 new internet domains the Iranians were using, it has – for now – managed to block the majority of the attacks.

But far and away, say current and former intelligence officials and industry analysts, Russia is the adversary with the intent and capability to cause the most significant potential disruption to the election.

“People should be very nervous about the size and scope of Russia’s operation,” says US Senator Chris Murphy, a Democrat who is urging the current administration to declassify a key report detailing the intelligence community’s current knowledge of Russian interference, while protecting sources and methods.

“I am certain that there are major elements that can be declassified without compromising sources and methods,” Murphy was quoted by The Washington Post last week as saying. He says such information would provide Americans with “very important detail about the variety of ways that the Russians are attempting to manipulate the election”.

Murphy told the Post that he himself had seen the intelligence that goes into detail about “the stories that the Russians are trying to tell about Joe Biden”.

“Voters will be very interested to find out how those stories match up with information that’s coming out of certain corridors of the United States Capitol,” the senator was quoted as saying.

But few are holding their breath in the belief that such details will be made public anytime soon, if ever. For those tasked with overseeing US election security as the clock ticks down, some say they worry less about hacking in the elections than about the widespread dissemination of misinformation and the election logistics, such as a shortage of poll workers and slowdowns at the US postal service. Disinformation on issues like these could play a crucial role in creating disruption in a ballot that is already shaping up to be a bitter and polarising one in sections of US society.

If there is one thing, however, that most ordinary Americans agree on, it’s that outside interference in the election is a given. According to a recent survey by the think tank Pew Research Centre, three-quarters of US adults said it is very or somewhat likely that Russia or other foreign governments will attempt to influence the battle for the White House.

Their confidence in the federal government to prevent election interference by foreign governments has diminished, the survey also showed. If Microsoft’s latest assessment is anything to go by then American citizens’ fears are clearly justified. Strontium, Phosphorus, and Zirconium are likely to continue working overtime at least until November 3.

Above, Russian president Vladimir Putin; left, Democrat presidential hopeful Joe Biden; right, Chinese president Xi Jinping
