Governance & Risk Management , Incident & Breach Response , Managed Detection & Response (MDR)

Russian Election-Related Hacking Details Declassified

Obama Expels 35 Russians for Trying to Sway U.S. Elections
Russian Election-Related Hacking Details Declassified
Russian and U.S. Presidents Vladimir Putin and Barack Obama

The Obama administration has announced sanctions against Russia - including the expulsion of 35 intelligence operatives - as punishment for cyberattacks that interfered with the U.S. presidential election. Plus, the administration has declassified technical information on Russian intelligence services' malicious cyber activities to help public and private-sector network defenders - in the U.S. and abroad - identify, detect and disrupt Russia's global campaign of mischievous cyber actions.

See Also: Deception-Based Threat Detection: Shifting Power to the Defenders

President Obama took the action on Dec. 27 after repeated private and public warnings to the Russian government, characterizing the sanctions as "a necessary and appropriate response to efforts to harm U.S. interests in violation of established international norms of behavior. All Americans should be alarmed by Russia's actions."

The president added that the theft of data and its disclosure - a reference to information that leaked about Democratic presidential candidate Hillary Clinton - "could only have been directed by the highest levels of the Russian government," a reference to Russian President Vladimir Putin, who wasn't mentioned by name (see Obama Suggests Putin Behind Hacks to Influence Vote).

The administration did not reveal any cyber response to the Russian hacks. "These actions are not the sum total of our response to Russia's aggressive activities," Obama said. "We will continue to take a variety of actions at a time and place of our choosing, some of which will not be publicized."

Trump Could Reverse Sanctions

President-elect Donald Trump, if he wants, could withdraw them, according to a top Obama administration official.

Hours after the announcement of the sanctions, Trump said he'll meet with intelligence community leaders about the breaches. "It's time for our country to move on to bigger and better things," Trump said in a statement. "Nevertheless, in the interest of our country and its great people, I will meet with leaders of the intelligence community next week in order to be updated on the facts of this situation."

In the past months, Trump had said he didn't believe the U.S. intelligence community's analysis that the Russians were behind the cyberattacks (see CIA Says Kremlin Tried to Sway Vote Toward Trump).

Kremlin Press Secretary Dmitry Peskov immediately characterized the sanctions as "a manifestation of an unpredictable and even aggressive foreign policy," according to RT.com, a Russian government-backed news service. "Considering the current transition period in Washington, we still expect that we'll be able to get rid of such clumsy actions ... of behaving like a bull in a china shop, and that we'll be able to make mutual joint steps to enter on the path of normalization of our bilateral relations."

Hacking Details Declassified

In addition to the sanctions against the Russians, the Department of Homeland Security and FBI plan released a joint analysis report that includes information on computers Russian intelligence services have co-opted without the knowledge of their owners. DHS labeled Russian malicious cyber activity as Grizzly Steppe.

The Russians used those computers, located around the world, to launch cyberattacks in ways that made it difficult to trace them back to Russia. In some cases, the White House says, the cybersecurity community was already aware of this infrastructure. In other cases, this information is newly declassified by the U.S. government.

The joint analysis report also includes newly declassified data that should help enable cybersecurity firms and other network defenders to identify certain malware that the Russian intelligence services use. The administration says it hopes network defenders will use this information to identify and block Russian malware, forcing the Russian intelligence services to re-engineer their malware.

How Russian-Tied Groups Hacked Democratic Party IT in 2015

Tactics and techniques used by APT29, or Cozy Bear, and APT28, or Fancy Bear, to conduct cyber intrusions against target systems. Source: DHS

In the joint analysis report, the administration reveals how Russian intelligence services typically conduct their activities. The report says this information should help network defenders better identify new tactics or techniques that a malicious actor might deploy or detect and disrupt a continuing intrusion.

How Russian Hackers Conduct Phishing Campaigns

APT28's use of spearphishing and stolen credentials. Source: DHS

In addition to the expulsion of the 35 Russian operatives, the White House imposed sanctions on Russia's two major intelligence services - the military's Glavnoye Razvedyvatelnoye Upravleniye, or GRU, and the civilian Federalnaya Sluzhba Bezopasnosti, or FSB. The administration also sanctioned four top officers of the military intelligence unit who are believed to have ordered attacks on the Democratic National Committee and other political groups.

Treasury Secretary Jack Lew identified two Russian individuals who he said used cyber-enabled means to cause misappropriation of funds and personally identifiable information. The State Department also shuttered two Russian compounds, in Maryland and New York, used by Russian agents for intelligence-related purposes.

Two Republican senators, Lindsey Graham of South Carolina and John McCain of Arizona, depicted the sanctions as too little, too late. In a joint statement, the senators said: "The retaliatory measures announced by the Obama administration today are long overdue. But ultimately, they are a small price for Russia to pay for its brazen attack on American democracy. We intend to lead the effort in the new Congress to impose stronger sanctions on Russia."


About the Author

Eric Chabrow

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.