On Sunday, Germany will elect the 20th German Bundestag with over 60 million eligible voters and almost 3 million first-time voters. Do we all vote out of a free will? How much are we influenced, not only by targeted disinformation, but also by targeted and selected leaks of information, perhaps mixed with dosed lies?
The following text is not about the German federal elections, but how carelessness and fatigue during a cyber attack can have devastating consequences. Perhaps also during an election campaign in Germany?
The GU (formerly GRU, once a Russian acronym for “Main Intelligence Agency”) is a major institution within the Russian army’s military intelligence service. In March 2016, the GRU began an operation against the Democratic National Committee (DNC), the governing body of the U.S. Democratic Party.
A year earlier, another group of Russian “state hackers” had successfully gained access. It was an embarrassing operation, because the FBI and DNC took a long time to stop this attack, even though they knew about it. The GRU learned a lot during that operation about the technology used by the DNC, the DCCC (their campaign committee) and by the Hillary Clinton campaign.
However, they were particularly successful in their phishing campaign: 9000 phishing emails were sent to 4000 accounts. During that process, they gained access to email accounts belonging to Clinton’s campaign chairman, John Podesta. This was a big hit for the GRU right out of the gate, as Podesta was closely intertwined with many high-ranking members and decision-makers within the Democratic Party.
Podesta didn’t fall for the malicious phishing email right away, however. Instead, he forwarded it to his IT experts. One of those aides later stated that he had simply made a mistake: he had meant to tell Podesta the email was NOT real, but instead replied that it was genuine and therefore trustworthy. Podesta then entered his credentials on a page the attackers had set up for this purpose, designed to look like a Google login page. The spies subsequently gained access to tens of thousands of emails to and from Podesta.
A day later, another high-ranking campaign staffer was caught. This one stated in later investigations that he had opened the phishing email while half asleep in the early morning hours and had not clicked through in full consciousness.
What was interesting and noteworthy about this attack campaign was the fact that the GRU intended from the start, or at least was preparing very early on, to publish the stolen data. This is indicated by the registration of domains in Romania for this purpose in April 2016, which were attributed to the GRU and paid for with cryptocurrency.
Eventually, some of the emails ended up on a web server behind one of those domains (www.DCLeaks.com) and, after WikiLeaks became aware of it, on WikiLeaks. All of this fueled heated debates and triggered an official investigation, especially as it became clear that Clinton had shared sensitive information and perhaps classified data via her private server during her time as Secretary of State in the Obama cabinet from 2009 to 2013.
Hillary Clinton was not elected president.
In December 2016, she accused Putin of using electoral manipulation to retaliate for her questioning the legitimacy of Russian elections five years earlier. In early 2017, the CIA, FBI, and NSA intelligence agencies published the unanimous but independently obtained assessment that with “a high degree of certainty” Russian President Vladimir Putin had personally ordered the cyberattack on the Democratic Party. He would have arranged for the publication in order to let Trump win. Even Trump had to admit after an intelligence briefing that he also shared this assessment.
Considering the energy and resources the attackers had, I think it’s likely that an SMS passcode in addition to the password would not have been enough. The attackers’ fake page would simply have asked for that code as well and forwarded it to the real site as a “man in the middle” (MITM). A hardware security token with U2F might have helped. Such a FIDO U2F security key, plugged into a USB port, is strong against MITM attacks because the response it produces is bound to the origin of the site the browser is actually talking to, so a response obtained on a look-alike domain does not verify at the real one. However, it is conceivable that such a dongle could have been intercepted and tampered with or replaced by the attackers. U2F was also not in widespread use at the time, and other methods such as OTP codes would be equally vulnerable to MITM.
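To make the difference between a forwardable code and an origin-bound response concrete, here is an added illustration (not code from the original post). It models a relaying phishing page against both an OTP and a U2F-style key. Real U2F/WebAuthn uses an ECDSA signature from the key; this demo substitutes an HMAC keyed with the credential’s secret so it runs with the Python standard library only, and the two origins and the `SecurityKey`/`RelyingParty` classes are hypothetical. The property shown is the one that matters: the browser, not the user, puts the page origin into the signed data.

```python
import hashlib
import hmac
import secrets

# Constructed example: why an origin-bound second factor resists a relaying
# ("man in the middle") phishing page while a copied one-time code does not.
# HMAC stands in for the key's ECDSA signature purely to stay dependency-free.

LEGIT_ORIGIN = "https://accounts.example.com"   # hypothetical relying party
PHISH_ORIGIN = "https://accounts-example.com"   # hypothetical look-alike domain


class SecurityKey:
    """Authenticator: signs whatever (challenge, origin) the browser hands it."""

    def __init__(self) -> None:
        self.secret = secrets.token_bytes(32)

    def sign(self, challenge: bytes, origin: str) -> bytes:
        # The browser supplies the origin of the page that asked for the
        # assertion; the victim cannot "type it wrong" on a phishing page.
        client_data = hashlib.sha256(origin.encode() + challenge).digest()
        return hmac.new(self.secret, client_data, hashlib.sha256).digest()


class RelyingParty:
    """The real service: knows its own origin and the registered key secret."""

    def __init__(self, origin: str, key: SecurityKey) -> None:
        self.origin = origin
        self.key_secret = key.secret
        self.outstanding: set = set()

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)
        self.outstanding.add(challenge)
        return challenge

    def verify(self, challenge: bytes, signature: bytes) -> bool:
        if challenge not in self.outstanding:
            return False                       # unknown or replayed challenge
        self.outstanding.discard(challenge)    # one-time use
        # The server recomputes the signed data with ITS OWN origin, so a
        # signature made over the phishing origin never matches.
        data = hashlib.sha256(self.origin.encode() + challenge).digest()
        expected = hmac.new(self.key_secret, data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def otp_relay_succeeds() -> bool:
    """SMS/app OTP: the code is a plain string the proxy can forward verbatim."""
    otp_secret = secrets.token_bytes(20)

    def otp(counter: int) -> str:   # simplified HOTP-like code
        mac = hmac.new(otp_secret, counter.to_bytes(8, "big"), hashlib.sha1)
        return mac.hexdigest()[:6]

    code_typed_on_phish_page = otp(1)              # victim types it into the fake page
    code_forwarded_to_real_site = code_typed_on_phish_page
    return code_forwarded_to_real_site == otp(1)   # the real site accepts it


def u2f_relay_succeeds(rp: RelyingParty, key: SecurityKey) -> bool:
    """Relay attack: proxy fetches a real challenge, the victim's browser signs
    it on PHISH_ORIGIN, and the proxy forwards the signature to the real site."""
    challenge = rp.new_challenge()
    sig = key.sign(challenge, PHISH_ORIGIN)        # browser signs over the phishing origin
    return rp.verify(challenge, sig)               # rejected: origin mismatch


def u2f_legit_login(rp: RelyingParty, key: SecurityKey) -> bool:
    """Normal login on the real origin verifies."""
    challenge = rp.new_challenge()
    sig = key.sign(challenge, LEGIT_ORIGIN)
    return rp.verify(challenge, sig)


if __name__ == "__main__":
    key = SecurityKey()
    rp = RelyingParty(LEGIT_ORIGIN, key)
    print("OTP relay accepted:  ", otp_relay_succeeds())       # True
    print("U2F relay accepted:  ", u2f_relay_succeeds(rp, key))  # False
    print("U2F legit login:     ", u2f_legit_login(rp, key))     # True
```

Note that the origin check only helps when the victim’s browser is honest about which page requested the assertion; the post’s own caveat about a tampered or replaced dongle, and malware on the endpoint, sit outside what this mechanism defends against.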
Anomaly detection on the servers involved would likely have raised a warning. Over the course of many sessions, a user of an online service generates a certain pattern, e.g., she has an 80% probability of checking her email from Washington, DC, for 20 minutes at 7:30 AM and a 1% probability of checking at 4:00 AM. If that pattern is broken and there is also a password change request from another continent, that could trigger an alarm. Likewise, the large number of requests generated by a mass download, which would not otherwise occur, would be an indicator that data is being exfiltrated.
Detecting deviations requires collecting a lot of data beforehand, and that, in turn, poses dangers of its own. An attacker is also likely to camouflage a mass download or pace it so that it is not detected. It is also possible for an attacker to take over infrastructure in the victim’s own environment, so that from the server’s point of view the requests appear to come from the usual places.
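As an added example of the baseline-and-deviation idea described in the two paragraphs above (not part of the original post), the following Python builds a per-user profile of login hours, countries and mailbox fetch sizes from a constructed log, then scores a later day against it. The log format, the user name, the thresholds (5% for a rare hour, 1% for an unseen country, mean plus three standard deviations for a bulk fetch) and all events are assumptions made for the demonstration.

```python
import statistics
from collections import Counter
from datetime import datetime

# Constructed log format (hypothetical): "<ISO timestamp> <user> <event> <country> <messages>"


def build_sample_log() -> list:
    """Thirty days of one user's routine, followed by one day that breaks it."""
    lines = []
    for day in range(1, 31):
        # baseline: reads mail around 07:30 from the US, 31..60 messages per session
        lines.append(f"2016-03-{day:02d}T07:30:00 jdoe login US 0")
        lines.append(f"2016-03-{day:02d}T07:31:00 jdoe fetch_mail US {30 + day}")
        if day % 5 == 0:   # an occasional evening check
            lines.append(f"2016-03-{day:02d}T21:05:00 jdoe login US 0")
            lines.append(f"2016-03-{day:02d}T21:06:00 jdoe fetch_mail US 12")
    # the day that should alarm: 4 AM, unseen country, reset, mass download
    lines += [
        "2016-03-31T04:02:00 jdoe login RO 0",
        "2016-03-31T04:03:00 jdoe password_reset RO 0",
        "2016-03-31T04:05:00 jdoe fetch_mail RO 52000",
    ]
    return lines


def parse(line: str):
    ts, user, event, country, n = line.split()
    return datetime.fromisoformat(ts), user, event, country, int(n)


class UserBaseline:
    """What 'normal' looks like for one account, learned from past sessions."""

    def __init__(self) -> None:
        self.hours = Counter()        # login hour -> count
        self.countries = Counter()    # login country -> count
        self.fetch_sizes = []         # messages pulled per fetch session
        self.n_logins = 0

    def observe(self, ts, event, country, n) -> None:
        if event == "login":
            self.hours[ts.hour] += 1
            self.countries[country] += 1
            self.n_logins += 1
        elif event == "fetch_mail":
            self.fetch_sizes.append(n)

    def hour_prob(self, hour: int) -> float:
        return self.hours[hour] / self.n_logins

    def country_prob(self, country: str) -> float:
        return self.countries[country] / self.n_logins

    def fetch_threshold(self) -> float:
        mean = statistics.mean(self.fetch_sizes)
        sd = statistics.pstdev(self.fetch_sizes)
        return mean + 3 * sd


def train(lines: list, user: str) -> UserBaseline:
    baseline = UserBaseline()
    for line in lines:
        ts, u, event, country, n = parse(line)
        if u == user:
            baseline.observe(ts, event, country, n)
    return baseline


def score(baseline: UserBaseline, lines: list, user: str) -> list:
    """Return (timestamp, reason) alerts for events that deviate from the baseline."""
    alerts = []
    limit = baseline.fetch_threshold()
    for line in lines:
        ts, u, event, country, n = parse(line)
        if u != user:
            continue
        rare_hour = baseline.hour_prob(ts.hour) < 0.05
        new_place = baseline.country_prob(country) < 0.01
        if event == "login" and rare_hour and new_place:
            alerts.append((ts, "login at unusual hour from unseen country"))
        elif event == "password_reset" and new_place:
            alerts.append((ts, "password reset from unseen country"))
        elif event == "fetch_mail" and n > limit:
            alerts.append((ts, f"bulk fetch of {n} messages (threshold {limit:.0f})"))
    return alerts


def run_demo() -> list:
    log = build_sample_log()
    baseline = train(log[:-3], "jdoe")   # everything before the suspicious day
    return score(baseline, log[-3:], "jdoe")


if __name__ == "__main__":
    for ts, reason in run_demo():
        print(ts.isoformat(), reason)
```

The thresholds also show why the preceding caveat holds: a fetch paced to stay under the mean-plus-three-sigma limit, or requests routed through a compromised host inside the victim’s usual country, would pass these rules unnoticed, so such scoring is a supplement to, not a replacement for, stronger authentication.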
When pilots communicate with air traffic control (ATC), they must abide by certain rules. One of these, according to the FAA, is “think before you transmit”. Another is to “read back” a message, or the important parts of it, to the sender repeatedly. Had Podesta and Rinehart followed this, they probably would not have fallen victim to the phishing sites.
It is time pressure and fatigue, perhaps combined with deliberate pressure from the attackers such as a phone call insisting that the victim urgently needs to open an email, that often leads to the injection of malware or the theft of information.
Making employees aware of this might have prevented worse. Of course, we cannot know this in retrospect.
But perhaps we can learn a thing or two from it.