CyberWire Daily - Lessons learned from Ukraine elections. [Research Saturday]

Episode Date: April 6, 2019

Joep Gommers from EclecticIQ joins us to share their research tracking the information operations and security methods that Russians have been using in advance of the recently held elections in Ukraine. The research can be found here: https://www.eclecticiq.com/resources/fusion-center-report-situational-awareness-ukraine-elections

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Hello, everyone, and welcome to the CyberWire's Research Saturday.
Starting point is 00:01:36 I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Starting point is 00:02:19 Our fusion center has been looking at what's influencing Eastern European elections, and specifically Ukraine, for a while now. That's Joep Gommers from EclecticIQ.
Starting point is 00:03:27 The research we're discussing today comes from their fusion center. It's titled Situational Awareness: Ukraine Elections. With the election, of course, there is specific attention to, hey, do we see any influence operations directed at that? And in trying to look into that, we uncovered quite a few different things, though it's been in the wake of months and months of activity against exactly that. And so we've seen malware campaigns and influence campaigns across many different spectra, like media and online and local, that are trying to influence the
Starting point is 00:04:02 local populace. And so in that research, some of these very specific campaigns that we've deepened out a little bit further came to light. Can you describe to us some of the history here with Russia and Ukraine when it comes to elections? Sure. So back in, let's say, 2014, when Russia annexed part of Ukraine, the Crimea area, we already saw there was a very digital component next to the physical, kinetic component of moving tanks into areas and people into areas and things like that, under the guise of, let's say, separatists, but with Russian military people inside those jackets, let's say. And in tracking that exactly, we've seen Russian and other influence
Starting point is 00:04:54 throughout the process of who is in power on the other side of the conflict inside of Ukraine. And now, very specifically on this occasion, one interesting thing is that there have been some outside forces trying to, let's say, provide a counterforce to Russian influence. It's a group of groups, of which the most prominent is called the DDoSecrets group. It's kind of a transparency collective that is trying to take it upon themselves to expose information internal to Russian power and bring it into the light. So they disclosed a lot of documents under a name something like The Dark Side of the Kremlin, which is what they used to call this set of documents, and in it you can see very specifically plans that clearly show people in power trying to use influence operations to create effects locally, physically in Ukraine, and globally.
Starting point is 00:05:50 And around this leak of documents, which is in some sense proof of people trying to influence Ukrainian elections and the Ukrainian populace for cognitive purposes, we've seen malware campaigns happening around it. And one of them was very interesting to us when we looked into it. We saw a large set of, let's say, government officials or local prosecutors, or even non-government
Starting point is 00:06:17 but local lawyer offices or law offices even, being targeted, trying to find information about the upcoming elections and about those that can potentially influence those upcoming elections. Immediately followed up by, most likely through exfiltrating that data, very physical activities based on that information. Like, if they exfiltrated information about finding out that specific people, for example, have specific, let's say, social networks, they would try, offline, to influence those people through bribery or through other
Starting point is 00:06:48 ways of influence to make these local officials or these local prosecutors, or whatever people in power in Ukraine it concerns, act in a manner that is helping Russia, for example by spreading a certain message, or supporting a quote in a local newspaper to influence a certain media story, or to, let's say, not condone certain, perhaps not violent acts, but protests or something that were pro-Russia. And so we've seen this for the very first time. I think we've seen a microcosm of very well-coordinated physical activities and digital activities, all together towards the one goal of influencing the elections. It's been fascinating to watch and to dive deeper
Starting point is 00:07:40 into some of these activities. Yeah, so when we talk about this notion of hybrid warfare, I suppose, I mean, this is it. Yeah, absolutely right. So it's even interesting, when you think about it, there's this triangle: there are the physical activities you use, there's now an angle of digital activities, and they're kind of governed by, let's say, a cognitive space of the local populace. And it's not a new notion, I think. Even Western countries have been using this notion
Starting point is 00:08:09 of combining cognitive influence, or influence operations, with the physical or kinetic component for a while. But to see it play out in such a small space in such a small time has been very interesting. But as a result of that, you even hear, for example, Russia publicly saying things like, hey, the attention that we have on non-military activities versus military activities is shifting to the non-military activities. So the focus of military leaders, the focus of resources, is shifting a little
Starting point is 00:08:43 bit even from a kinetic component to the digital component, which is why now we see, contrary to before, Russia as well playing an AI card a little bit, of, you know, those who in the future control AI have a larger capability in the non-military sphere of influence operations than other countries. And I think that was a very interesting angle to add on there, both as a conversation topic but also as a concept to think about. There's a link between nation states' intent to be involved in artificial intelligence, because there's a large non-military component in warfare these days, because, and now zooming into the campaigns we're looking at,
Starting point is 00:09:29 there's a direct correlation with how malware campaigns operate and how that influences media and then how that influences the cognitive sphere of a populace. It's a very interesting connection to start drawing. And also, I think, interesting to see how they are focusing their actions based on, I suppose, a return they're getting on that investment. In terms of, they can see the return coming back based on their... Yeah, well, I mean, just at a real basic level, instead of, you know, paying for tanks and soldiers, investing in some of these influence operations and cyber activities perhaps gets a positive return on that investment? Oh, no doubt. Exactly right. The breadth of different, let's say, types of activities
Starting point is 00:10:13 in that is also interesting, because it also shows not all of those methods are very expensive, right? So, let's say, hacking operations might, for certain types of individuals, be very expensive, because they're, let's say, well protected digitally, or they're of a certain stature and therefore they have access to special equipment. But when you're trying to influence a populace and not, let's say, get secret information out of a military apparatus to understand where power grids are or where specific military equipment is, when you're just trying to influence the normal civil servants or normal population, then protection kind of fades away. And so malware campaigns directed against the normal populace or normal civil servants, or like
Starting point is 00:10:59 a law office or a small local office or something like that, are a lot easier. The cost is a lot lower. So I think you're absolutely right in that it's really paying off if you're really involved in influencing the cognitive side of the populace. You don't need to be targeting highly protected military things. You're targeting the whole supply chain of, let's say, government relations to the populace, like the media, or like news that is about a very specific topic, or even entertainment websites.
Starting point is 00:11:32 We see a lot of websites that young people go to, let's say, with interesting pictures or with nice stories, a very informal sphere where people interact without political intent. They're just sharing something about their hobby or a joke or something like that. They are en masse influencing even those websites by injecting their, you know, funny pictures that make fun of a local politician, for example. And so it's not even this very nefarious idea of we influence the media and there's fake news or whatever. It's also just there's a young person scrolling through a picture website and he laughs because there's a dark picture that does something weird.
Starting point is 00:12:11 And then the next picture is another weird picture about, you know, something local, funny to him, but at the same time influencing his perception of whatever the topic is about, like a local politician or something from the news or a joke about something in the news. And these very large-scale, subtle influences eventually help put, for example, somebody in power, like we see here in the Ukrainian elections. And how do these types of influence operations that we're seeing from the Russians in this election compare to the types of things that the Russians did in the 2016 U.S. election? Conceptually, it follows the same set of capabilities. But when you look at the influence in the U.S.,
Starting point is 00:12:59 we saw, for example, very large leaks of information that were better protected. Whereas on the Ukrainian side now, we see very targeted things, but they aren't leaking per se. And so I think they have the same set of operational capabilities available to them: they can influence, let's say, online websites, they can try and have a malware campaign that's attacking a specific subset of people and extracting documents. But then how it's orchestrated on top of that seems to be somewhat different between the two. And there's also a much smaller physical component to influencing U.S. elections than, let's say,
Starting point is 00:13:43 Ukrainian elections, where in the Ukrainian elections you can take information that you have found online and try and do, let's say, local bribery, or you can try and fund some extra protests, or you can try and have these physical moments with people to accelerate certain processes, which of course is very, very difficult and very expensive to do if you're
Starting point is 00:14:05 Russia and you want to do that on U.S. soil. And so there's a clear, let's say, tread-lightly feeling on the U.S. side, where there's an all-in, let's make this happen feeling on the Ukrainian side. And of course they're at the same time using the same types of malware, the same types of campaigns. We've even seen some of the malware that's been used over the last few months targeting those government officials that we were just talking about used in campaigns against UK citizens trying to influence people's perception of Brexit, for example, where the same malware families are used and it seems to be somewhat the same actors behind it in the campaigns, by virtue of how we observe them to work.
Starting point is 00:14:48 And so there are definitely the same groups of people or the same capabilities, the same political interest guiding all those operations, but they seem to orchestrate them differently for each, let's say, theater of interest, be it Brexit influence or the Catalans in Spain or, in this case, Ukraine. Well, let's dig into what you discovered when it comes to some of that malware. What did you all find? Well, maybe one interesting part of that is you usually see it come in in a very, let's say, we're going to call it normal way, or in a very common way. So those would be, for example, phishing emails, or emails sent very specifically to specific people containing an attachment, for example a Word document, or some other lure that's bringing people to open the document. And in this specific
Starting point is 00:15:39 case we saw, I think, something about radio communications locally or something like that sent to these government officials. And so looking into that, we found a few different links. So we found one link to the same malware family we saw across other theaters, like influencing Brexit, for example. We've also seen the document itself being reused in campaigns that were previously known to be linked to Russian influence. And so every time we dive into one of these campaigns, we see both this lateral reuse, horizontal reuse across different activities around the world, and we constantly see then, when we zoom into that, the link back to Russian influence. There's always this question of
Starting point is 00:16:26 it's serving Russian interests, but, you know, is the Russian military orchestrating this? Is it loyalty groups or something like that? Of course those are small question marks everybody has, but it seems to all point in that same direction. Even when you go back in time, like 2015, 2016, when some of these activities had still been going on, because from 2014 up until now, I'm not sure all your listeners know this, there's been active conflict between eastern Ukraine and Russian-influenced forces and the Ukrainian military.
Starting point is 00:17:04 There's been conflict and shooting throughout this whole four-year period, and so in 2015 and '16 we've seen cyber again supporting these physical activities by targeting, in that case, the power grid, a concerted effort together with the kinetic side of things. Again, zooming into that, in that case it was Petya, NotPetya, which again were known Russian-influence malware families. And so every time we zoom in, we were brought back to the same conclusions. And in terms of the malware and the pathways that they're using to infect people, they're using Word macros?
Starting point is 00:17:45 For example, yeah. Yeah, exactly right. Amongst, admittedly, many other things. Comparing this to other election hacking attempts, other influence campaigns, I mean, are we sort of reaching the point where this is the established Russian playbook, we can recognize it, this is what we've come to expect from them? I'd say so, but I think the difference seems to be, the closer it is to their sphere of influence, the more aggressive they go into it, and the more different types of influence, let's say, they're adding. And so as you get closer to Russia, you have local media, troll farms influencing
Starting point is 00:18:27 online sites, you have sometimes really violent acts, or simply protests, that may come to some sort of conclusion, orchestrated locally. In the case of Ukraine, you even have them insert fake polling data into the local sphere, like you have local websites publishing the fake polling, that are perhaps not untouchable, but are difficult to influence. When you zoom out and you get further away from Russia, the methods that they can use, of course, shrink and shrink, and it gets more around the
Starting point is 00:19:18 digital space, around the social space, less about media influence and more about content influence in, let's say, spaces of content like blogs or news websites that are easier to influence than, you know, proper media outlets, let's say, that they can influence when it's closer to their sphere. But then, let's say, for everything that is relatively far from the physical sphere of Russia, I think we see the same methods used across the board. Exactly right, yeah. Yeah, it's really fascinating to see, I guess, the effect that proximity has on their ability to do things. By literally being right next door, that opens up a whole
Starting point is 00:20:01 lot of options for them that they probably wouldn't have otherwise. Exactly right. And there's something especially, you know, we've seen quite a few of these things now publicly analyzed, you know, the Russian influence on the Facebook platform, or these troll farms. For your listeners that don't know, they have buildings full of people that have racks full of phones that aren't just manually trying to, let's say, add content to blogs online, or to send these half-funny pictures that have some sort of political intent, as we talked about earlier, to be disseminated. They're automating this, they're scripting this, right? There's a group of developers and content producers that are steering a rack of, you know, 100 phones, let's say, to do this in a semi-automated way. And so the path to further automation, and then further autonomy, and then support by, let's say, AI or some sort of automated algorithms, is starting to get much, much closer.
Starting point is 00:21:10 And so the prevalence of it, I think, will only grow versus be limited, just because machines can start to take over, which is going to be very, very hard to stop. Right. Yeah. And I suppose that's one of the takeaway lessons here. I suppose as other nations are looking at what's going on here and trying to determine how they can protect themselves against these foreign influence operations, this type of meddling, there are some lessons to be taken away from this example. For sure. I think it follows this path of, we're used to thinking about, you know, protecting our secrets in a certain way, and we're used to protecting things of value like politicians or like a military apparatus.
Starting point is 00:22:01 And so I think we've kind of cracked the nut on how to do that. But as you zoom out from it, let's say your wider political sphere and those that are involved in the conversation that is political, let's say from the media itself to prosecutors or to judges or the whole environment around it, I don't think we know very well, as nation states or as alliances, how to really protect them. And part of that is normal computer hygiene, let's say, right? So not clicking on phishing emails, not being infected by a malware campaign, not having
Starting point is 00:22:39 information stolen, and so forth. But we, especially in the Western world, lack the mechanisms by which we can regulate the level of protection that we can provide to this wider group of people, let alone if you draw it even wider, to just the populace, right? Teaching the populace how to avoid fake news, or how to distinguish trustworthy sources from untrustworthy sources, is culturally something as well that I think we struggle with. So we've traditionally been very good at this kind of special protection of a small group of things we know is very important, but I don't think we've cracked the nut yet, as the Western world perhaps, or anywhere,
Starting point is 00:23:22 on how to do it at a larger scale for this wider area of influence, which leaves us very influenceable. I think that's what we've been seeing for the last years. And I don't think we've found a good way around it yet. Our thanks to Joep Gommers from EclecticIQ for joining us. The report comes from their fusion center. It's titled Situational Awareness: Ukraine Elections. We'll have a link in the show notes.
Starting point is 00:24:04 to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. The Cyber Wire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe,
Starting point is 00:24:48 where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening.
