Final Report: More 2016 Russian Election Hacking Details
Fifth Senate Report Describes DNC Intrusions, Investigative Mishaps

The Senate Intelligence Committee Tuesday released its fifth and final report on Russia's attempts to influence the 2016 election, providing more details on how Russian hackers resided on Democratic National Committee servers for months and citing shortcomings in the FBI's investigation.
The committee portrayed the heavily redacted, 966-page document on its bipartisan investigation as the most comprehensive description to date of Russia's 2016 election interference activities (see: Senate Report Affirms Russian Election Interference Findings).
The committee concluded Russian President Vladimir Putin ordered the hack of the Democratic National Committee's computer networks and accounts to gain information intended to hurt the campaign of Democratic presidential candidate Hillary Clinton, help the campaign of President Donald Trump and undermine the election process.
The DNC hack and leak campaign was conducted by specialized cyber units in the GRU, Russia's intelligence agency, the report says.
Starting in March 2016, the GRU used spear-phishing attacks to gain access to the email accounts of DNC staff members and campaign manager John Podesta, and stole thousands of emails.
"In April 2016, the GRU leveraged stolen credentials of some of these individuals to obtain further unauthorized access to the networks of the DNC and DCCC [Democratic Congressional Campaign Committee], where it identified and carefully exfiltrated tens of thousands of politically sensitive documents from April through June 2016," the report states. This operation continued until September 2016.
The GRU then used the personas Guccifer 2.0 and DCLeaks to disseminate the stolen documents from June through election day using a variety of sources, including U.S. social media platforms, the report says. And it ran a campaign to hide Russian responsibility for this activity.
DNC Cybersecurity Measures
The committee’s final report described the cybersecurity measures the DNC had in place before the GRU's penetration of its network. This included a firewall, spam filters, an IT directory that managed password rotation, the Windows Defender security system and two-factor authentication on its VPN. Staffers also received training from an outside security firm, and another third party conducted penetration tests on the DNC's publicly available assets, the report states.
Despite these defensive measures, the DNC's IT director, Yared Tamene, told the committee that on April 28, 2016, the DNC determined that unauthorized actors had entered its network. The DNC hired the cybersecurity firm CrowdStrike in May 2016 to investigate.
"On June 12, 2016, the DNC completed remediation related to the incident and transitioned to new systems. On June 14, 2016, the DNC approached and cooperated with The Washington Post to publish an article announcing that the Russian intelligence services had hacked the DNC," the report says.
CrowdStrike would eventually report that Cozy Bear, a Russian hacking group that’s also known as APT29, had been residing on the DNC's email server since the summer of 2015. After gaining access to an individual DNC staffer's computer through a spear-phishing campaign, Cozy Bear actors moved laterally through the DNC's system and gained access to the email server, the report says.
Another Russian hacking group, Fancy Bear, or APT28, was discovered on the DNC network with system-level privileges in April 2016, the report states.
Finger Pointing
The report also describes a level of conflict between the DNC's Tamene and the FBI. The FBI claims Tamene and his staff did not act quickly or effectively in response to the agency's warning about unauthorized access to the DNC network and sometimes went weeks without responding to its queries.

Tamene suggests, however, that the FBI did not express any sense of urgency with its requests, a point the FBI disputes.
The report states: "The committee found the FBI lacked a formal or considered process for escalating its warnings about the DNC hack within the organization of the DNC.” The FBI's "victim-driven response paradigm" that requires the victim's cooperation hindered the bureau’s ability to investigate the cyberattack “with appropriate urgency," according to the report.
Defenses for 2020 Election
Marco Rubio, R-Fla., acting chairman of the U.S. Senate Select Committee on Intelligence, and Mark Warner, D-Va., its vice chairman, stressed that information gathered in the report should be used to help build defenses against interference with the upcoming election.
"We must do better in 2020,” Rubio says in a statement. “The committee’s five reports detail the signs and symptoms of that interference and show us how to protect campaigns, state and local entities, our public discourse and our democratic institutions."
Warner states: “This cannot happen again. As we head into the heat of the 2020 campaign season, I strongly urge campaigns, the executive branch, Congress and the American people to heed the lessons of this report in order to protect our democracy.”
State and local governments are better equipped to ensure election security than they were four years ago, says Christopher Krebs, director of the Cybersecurity and Infrastructure Security Agency, who calls on election officials to serve as "risk managers."