Regardless of U.S. President Donald Trump’s denials, Special Counsel Robert Mueller’s criminal indictment on Friday of 12 Russian military intelligence officers for hacking into computer systems of the Democratic National Committee, Democratic Congressional Campaign Committee, and Hillary Clinton’s presidential campaign bears hard lessons for geopolitical cybersecurity and U.S. political campaigns.
The 29-page indictment is vast in scope and deep in detail. In short, it alleges that two units in the Russian military intelligence division, known as the GRU, were created with the specific tasks of hacking the computers and networks belonging to the DNC, DCCC, Clinton, and others, disseminating documents stolen from them, and creating fake social-media accounts to help spread the word in order to help Trump’s 2016 presidential campaign and harm Clinton’s.
Mueller charged the 12 GRU officers with 11 counts of computer crimes. The first count charges nine of them with violations of the Computer Fraud and Abuse Act; counts two through nine charge 11 defendants with aggravated identity theft, citing eight victims. The 10th count charges all defendants with conspiracy to launder more than $95,000 in cryptocurrency, earned during 2015 and 2016, with the intention of supporting illegal activity.
The final charge, against GRU officers Anatoliy Sergeyevich Kovalev and Aleksandr Vladimirovich Osadchuk, alleges conspiracy to violate the CFAA, and specifically to steal information from computers used by officials in the 2016 election—including data on 500,000 voters from an unnamed state board of elections.
The indictment goes far beyond an outline of accusations. As Dave Aitel, former NSA cybersecurity analyst and current chief security technical officer of cybersecurity company Cyxtera, tells The Parallax, the details of the indictment indicate the high level of confidence the Justice Department has in its charges.
“The level of compromise [revealed in the indictment] of the Russian operation was extraordinary,” Aitel says. And Mueller’s resolve not just to “make the accusation, but to go to court with it,” in the face of intense scrutiny, is indicative of extraordinary efforts to uncover just who did what, when, and how.
The highest levels of the Russian government (including President Vladimir Putin, who met with Trump on Monday) were aware of the operation, the indictment alleges. And the GRU didn’t just hire independent Russian hackers to do its dirty work, but rather assigned it to its own officials, including Kovalev and Osadchuk, who were logged into sock puppet accounts when Clinton campaign manager John Podesta was spear-phished, forensic evidence reveals.
In March 2016, the GRU began targeting more than 300 individuals associated with the Democratic Party, including Clinton campaign volunteers, with personal spear-phishing attacks that had one goal: to steal computer passwords.
The GRU officers were able to use their hacks of DCCC computers to gain access to DNC computers. By mid-June, they had access to at least 10 DCCC computers and 33 DNC computers. And as they stole data from the DCCC and DNC, they covered their tracks, the indictment alleges.
To investigate what they saw as suspicious activity on their servers, the Democratic political groups hired CrowdStrike, an organization known for helping secure computer networks after geopolitical hacks, which the indictment names only as “Company 1.”
Despite CrowdStrike’s efforts, which began in May 2016, to remove GRU-affiliated malware from infected computers, the malware remained present and active until October—including while the Trump campaign was in contact with named and unnamed Russian co-conspirators.
Separately, the Justice Department on Monday charged Russian political activist Mariia Butina with acting as a Kremlin agent, “infiltrating organizations” such as the National Rifle Association to present Russia as a favorable ally to the United States.
Mueller’s Friday indictment is only the latest indication of the serious consequences that lax (or weak) cybersecurity policies or practices can have for individuals and organizations. The GRU’s spear-phishing attack against Podesta was successful because cybersecurity experts on his staff said the phishing email, designed to look like an authentic password reset email sent by Gmail, was legitimate.
Organizations in general should be wary of how they operate online, especially if they are likely to be targeted by government agencies or other organizations with advanced hacking abilities. But 20 months after the 2016 elections, the federal government has given very little clear guidance on how to prevent or respond to such attacks, on the geopolitical stage or at home, as it struggles even to muster a coherent response to the long-alleged hacking.
The indictment implies that the United States, and likely other countries, are struggling to find appropriate and effective cybersecurity deterrents to geopolitical hacking, Aitel says.
“Indictments are not typically how you respond, nation to nation,” he says, adding that U.S. cyberespionage agents are rarely indicted for their actions. “From a norm-setting perspective, this may be the only deterrent we have, [and] it may not work.”
Legally, says Andrea Matwyshyn, law professor at Northeastern University and co-director of the school’s Center for Law, Innovation, and Creativity, the DNC hacking indictment is “boring” and unremarkable for the charges brought under the CFAA, despite how broad they are. But its technical details should serve as a “wake-up call” to “every” political campaign in America.
“The moral of the story is, assume the worst, take every precaution, and take appropriate action, hiring security personnel from Day 1. When in doubt, rebuild your systems,” she says. These lessons, she argues, are no different than those the private sector has been learning from decades of catastrophic breaches.
Before taking the enormous step of rebuilding computer systems and networks from scratch, Matwyshyn says, organizations need to reset log-in credentials, and when system providers are compromised, they need to address their vulnerabilities.
It isn’t clear that systems administrators and elections officials are hearing the same klaxon call that Matwyshyn says is sounding throughout America. Despite repeated warnings, two February reports, in fact, paint a dire picture.
The Center for American Progress gave 40 states a grade of C or lower on the security of their voting machines and election databases; no states earned an A. And New York University’s Brennan Center for Justice found that although 229 officials in 33 states want to replace their voting machines before the 2020 presidential election because of concerns over “breakdown, malfunction, and hacking,” many can’t because of a lack of funding or interest.
North Dakota and Arkansas refused to approve funds for newer machines, while Wisconsin’s Republican governor cut five state election commission jobs at a time when the commission says it needs more employees to handle cybersecurity issues.
Exacerbating the problem is a lack of cybersecurity expertise at the local level, where most election administration occurs, and a lack of support for independent voting-machine research by some secretaries of state and Trump, who eliminated the White House cybersecurity coordinator position in May.
Voting-machine vendors generally have not been supportive of the research, either. One vendor admitted on Tuesday to lying to reporters about the presence of remote-access software on its voting machines.
“This will repeat unless we fix the infrastructure problems,” Matwyshyn says. “It would be prudent to add more cybersecurity coordinator positions. We’re not just talking about voting systems; recent reports say attackers are sitting in other infrastructure, such as power plants and electrical grids.”
While locking down voting machines and switching to paper ballot backups is no panacea, she concedes, it will help restore and maintain confidence to U.S. elections, even in the wake of future hacks.
Making the Russian hackers named in Mueller’s indictment accountable for their alleged actions will depend on the goodwill of allies of the United States at a time it faces a deficit of global trust, says Emily Pierce, who worked as the acting deputy director of the Justice Department press office from 2014 to 2016, a period during which five Chinese hackers were indicted for espionage.
“There is power in naming and shaming,” she says. “But hubris is important.” If the hackers get caught on vacation, as alleged LinkedIn hacker Yevgeniy Nikulin did in Prague in 2016 (he was eventually extradited to the United States this year), “they have to decide if they want to anger Russia.”
Correction, July 18 at 1:45 p.m. PST: A previous version of this story misspelled the last name of Andrea Matwyshyn.