CyberWire Daily - Election protection. [Research Saturday]
Episode Date: November 3, 2018
Symantec technical director Vikram Thakur returns to share his team's look at threat groups APT 28 and APT 29, the influence they had on the 2016 election, and how the cyber security industry has responded in preparation for the 2018 midterms. The original research can be found here: https://www.symantec.com/blogs/election-security/election-hacking-faq
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
The groups that we're talking about out here, as well as others that we are aware of having the motivation to create some sort of disturbance or influence our elections.
That's Vikram Thakur. He's a technical director at Symantec.
The research we're discussing today is titled Subverting Democracy, How Cyber Attackers Try to Hack the Vote.
They are active, or at least we've seen them active time to time over the last
few years. In fact, the last time we saw one of these groups was just a couple of months ago.
They're in various stages, but they are trying to create some sort of disinformation or they're
trying to gather information from some election-related authorities with what motivation, that's always hard to tell, but at least we know that they are around.
Can we start off, can you give us a little overview of what we saw back in the 2016 election?
So in the 2016 election, one of the things which became public was John Podesta's email account actually got compromised by a simple phishing technique where somebody sent him an email asking him to change his password.
And John did not think much about the email.
He went ahead and clicked on the link, which took him to a page which appeared as though it was a legitimate email provider's website, but it actually wasn't.
It was a website controlled by an attacker.
And when he went through the process of inputting his password over there and trying to create a new password out there, he effectively gave his password and his credentials over to an attacker.
And what happened after is fairly well documented in the public domain, which is the attackers
were able to get a hold of his email, get a hold of a lot of information.
And what that effectively did was the information becoming public or the information from his
email becoming public created a little bit of a disturbance
within the normal election cycle that one would imagine.
I mean, not only does it throw into disarray the campaign itself, but there's a whole bunch
of people who then get involved in trying to track the attack, trying to figure out
whether a certain country might be behind the attack overall.
But effectively, this sort of takes us away a little tangential from the normal election process,
if you would imagine, where candidates just go out, they campaign, they influence,
or they convince voters to go one way or the other.
Voters go to poll and somebody gets elected. So we think that there are actors or there are attackers out there who will continue to try to create these little disturbances within our own election process.
I think for your average person out there, when they think about the possibility of election hacking, I think one of the things that would come to mind first would be with the use of computerized election voting machines,
that those machines themselves could be hacked and people would be afraid of the vote totals, the tallies being changed by outsiders.
But that ended up not being something that we really saw.
I think you're absolutely correct. The first thing that people think about when somebody
mentions the phrase election hacking is the end user, the citizen's perception that we're really
just talking about electronic equipment, which is being used to tally votes getting compromised in one way or another.
What people do not realize is that the hacking or the term hacking in this case goes far beyond that electrical equipment or that electronic equipment.
In this case, rather than going for the equipment themselves,
the attackers, they believed that, hey, there's enough way to sway a voter's decision from one way to another or put them into this little state of flux where they're not even sure which candidate to vote for using information or using social techniques, where you might be influenced by a news article that you're reading on one of
your social media sites, or you might be influenced when you actually get to see some stolen emails or
some classified documents from another source. So people really need to be cognizant of the
information that they're reading, but also the information sources that they are now being subject to.
And it's exactly for that reason that Symantec actually made a technology of theirs or technology of ours publicly available,
because we want people to be able to visit election related websites with a lot more confidence that they are dealing with legitimate organizations and this is not some sort of a scam website being hosted by different people.
There are a pair of cyber espionage groups in particular that you all were tracking here. Can you describe to us who are we talking about and what do we know about them?
So the groups have been, the two groups that we mentioned, they've been around for a number of years.
And when they actually started out their campaigns or their attacks a number of years ago,
they were not very different from some of the other attack groups that we track,
where the end goal over there is to acquire intellectual property from different companies. So you would imagine, hey, if I went over to, if I was somehow able to attack a company that was a defense contractor building the next
generation of fighter planes, maybe there's enough intellectual property to be stolen from that
organization where I can go to a third country, give that information and make that same technology
for cheaper. So that's how all these groups really started.
But the mandate for these particular two groups grew pretty rapidly
because soon after their successes in being able to target corporations,
their mandate shifted to attacking government organizations.
Now, there have been several public articles over the years
about these groups attacking defense establishments in the United States, diplomatic
organizations all across the globe. And if one was to think about the purpose of attacking these
organizations, they're purely strategic. They're not as tactical as they used to be where somebody's
stealing intellectual property of the formula to make a certain good. Attacking defense
organizations as well as diplomatic organizations globally really just gives you insight into what
other parties are capable of strategizing against your government or against one's
government's interests. And that became the centerpiece of the information that these attack
groups were focused on. So the attacks did not occur between these two groups. They did not occur
against private organizations. They shifted against governments.
These two groups have kind of gone on,
and some of this information about some of these groups' activities
has been documented in the past few months,
where different entities have come forward
and not only pinning their activity as being sponsored by the Russian government,
but also detailing how these connections have
been made and what it is that these attackers are trying to do to influence the common man's
view about the world, elections, certain parties, certain individuals, and governments for that
matter. Now, let's go through each of them one at a time. We're talking about APT28 and APT29.
They go by many names.
Let's start with APT28.
What are some of the other names that people might recognize them as being?
So Symantec's name for APT28 is Swallowtail.
That's just our bug name that we've assigned to that group.
Another name that people might actually recognize for Swallowtail or APT28 would be Fancy Bear. It's a name which has been given to this group by one of our peers in the industry.
I think that would be the main ones for APT28. For APT29,
our internal name or our name is Fritillary. It's just another bug name that Symantec picks,
but other names that people might recognize them by would be Cozy Bear, Euro APT, Cozy Duke.
Duke seems to be a very common phrase inside the names which have been associated to APT29.
And also there's another name called Ice Sheet.
But these all essentially track back to the exact same group which people commonly refer to as APT29.
So let's start with APT28. Take us through what sort of tactics do they use and who are they after?
So APT28, they use pretty common tactics like sending people phishing emails or hosting watering hole sites.
But this is exactly when they wanted data from some very precise location,
be it a particular diplomatic organization that exists somewhere
or some news-related website related to a very particular subject.
So these guys, APT28, have been around since at least 2007.
And initially they targeted military embassy-related targets as well as defense contractors in Europe and North America.
But since then they've sort of moved on to more focused attacks against government institutions.
And what specific types of tools do they usually use?
So their tools are fairly generic in some sense, but they're very custom written for them.
Two of them come to mind very immediately.
One is what we would call a backdoor.
But essentially, if it is a file that gets onto your computer and it starts running, it allows somebody sitting in somewhere all across the globe to be able to access all the information on your computer as though they were actually sitting right in front of it.
So that's one of the tools. We call that a backdoor because essentially it has given somebody backdoor access into your computer.
And the other one is what we call a tunnel.
So information flows on the internet from one computer all the way to the other.
But if you want to create a virtual tunnel that data is not accessible to anybody else, we're just looking at the tunnel, but except on the two endpoints of the tunnel.
APT28 did create such a tunnel as their own tool where a tunnel is created between the victim computer and some infrastructure that the attacker is actually using.
And the data which is being stolen just goes through that tunnel,
which might spread across multiple countries, but it is a tunnel.
And their tool allows them to sort of encrypt the information and pass it from one point to the other without anybody else being able to see it.
So these are sort of the two main tools that
Sofacy or APT28 or Swallowtail have used over many years.
And the development of these tools have gone on for a long time. By that I mean the group has been
updating these tools very regularly to avoid somebody else being able to find it.
So let's move on to APT29 and contrast them against 28. What's the difference here? Who are we talking about?
and international policy think tanks or related organizations.
And they use a bunch of tools that people commonly just call the dukes.
That's because at least in the industry or the security industry,
there have been many terms used for these.
There's Cozy Duke, there's Sea Duke, there's Dionysus Duke, there's Net Duke.
But essentially, all these tools were created in a very specific
programming language. And they are meant for different purposes. But ultimately,
all they do is they give access to the attacker onto a victim's computer. So
while their targeting and their tool set is completely different, or should I say slightly different, it's very easy to make out the difference between the attack campaigns of the two different groups out here.
Now we are heading into the 2018 midterm elections. What sort of activity are we seeing from these groups?
So what we've seen from the groups is pretty much more of the same in terms of targeting and their usage of the tools.
And I want to say that, you know, we've been very good about protecting end users and end organizations against the attacks of these groups when it comes to the malware itself.
So on the technical side, I think we're doing very well and we'll continue to do what we can as an industry to get better at it.
information that can be released at critical times to make an impact on decision making of
the end users rather than trying to influence technology or trying to influence computer
systems, which are directly part of the election process. And we think that that method or that
process or that thinking is going to continue. And over the coming months, as well as
years and subsequent elections as well, we think that will play a bigger and bigger role rather
than hacking of electronics being used in the elections themselves.
Yeah, it strikes me that it's an interesting shift. And I wonder how much you think it may be from necessity. If we are doing a better job technically locking down these systems, then I suppose the folks who are trying to do this stuff don't have a whole lot of choice. They have to switch to those softer targets, the influence operations and those sorts of things.
I think you're absolutely correct.
One of the things which also goes into their thinking, which we believe, is when you compromise a piece of electronic equipment and you tamper with, let's say, the tallies for specific elections, that will get discovered at some point. Even if it didn't get discovered at timeline point zero, it might get
discovered five days later. And when that happens, there will be methods by which we can revert some
of those changes which have been influenced by the attackers, be it backup voting, backup paper
voting systems or backups of the electronic equipment itself.
But there might be ways for us to move back from there. The attackers figured that a much longer
goal, longer term goal would be to influence the mindset of the voter itself, rather than trying
to go in and make this one time change, which is extremely binary in terms of either you
get caught or you don't get caught. And the risk would be much higher on that side. A much longer
goal would be to work on disinformation and try to influence the voter himself. And I think that's
where they've sort of hedged their bets primarily at this point.
Now, in terms of IDing these groups as being Russian-based, I mean, this is an area where both Homeland Security and the FBI have been pretty direct at who they think is up to these things, yes?
Yes. I mean, very recently, the U.S. government actually put out a note calling some of these actors out, not just by country and affiliation,
but also naming some of these individuals very specifically and talking about exactly what these
people did to influence or to make an impact on the elections which happened a couple of years ago.
Now, in terms of voters' confidence in the integrity of our election system, when
we have the news from 2016 that we had these issues, what is your sense in terms of what we
should tell the general public? Are we getting better? Are we pretty much where we were in 2016?
Where do you think we stand?
I think from a technology and awareness perspective, I think we are definitely in a much better place than we were in 2016.
Both the technology companies as well as the common citizen are much more aware of tactics being used by attackers to influence our thinking.
The technology teams all across the industry have taken steps to try to weed out some of the
false information that might be floating around. They've tried to weed out bogus accounts being created by some attackers to spread these incorrect stories, which are on social media.
So that is continuing to get better and better.
technology will become even better where only reputed or confirmed news outlets or news sources will be able to portray or will be able to pitch their new story to millions and millions of people
across the globe but that's on the technology side we also see that end users are becoming a
lot more aware and questioning the source of information that they're reading online.
I think that is where we're in a natural progression where it'll be a matter.
It's just a matter of time before we get even better.
And user awareness continues to grow to a point where we're fairly convinced that people will not just look at the news article,
but will also look at the sources. And that's obviously going to take a little bit longer time, but I think we're getting there. And we have no doubt we're way better than where we were in 2016.
Our thanks to Vikram Thakur from Symantec for joining us. The research is titled Subverting Democracy, How Cyber Attackers Try to Hack the Vote.
We'll have a link for it in the show notes.
You can also find it on the Symantec website.
The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios
of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Thanks for listening.