As we now know, Fancy Bear (aka APT28) and Cozy Bear (aka APT29) are the nicknames security researchers gave to two Russian state cyber-espionage units; APT28 is attributed to the GRU, Russia's military intelligence service. Both targeted the 2016 US presidential election. Their objectives look like clues from a yellowing, dog-eared Cold War spy novel.
With monikers like “bots,” “troll factories,” and “SQL injections,” the lexicon that we have to describe our modern-day cyber tools reads like some kind of bizarre hybrid between a stark dystopian novel and languages we previously attributed largely to thirty-five-year-old gamers who live in their parents’ basements.
It is tough for many people to care about computer intrusions because, frankly, most of us just don't understand them. We don't understand the culture that spawned the techniques that were adapted to the twenty-first-century cyber terrain, and we don't understand the terrain itself. For people who have been spoon-fed the notion that we are the most powerful country in the world, we are surprisingly unequipped to protect and defend ourselves in cyberspace. How do we know this? Well, first of all, it happened. Russian hackers broke into the emails of political, military, and government officials and scanned and probed state voter databases.1 Second, we don't necessarily have the resources at present to fight them. Many of our voting systems are antiquated. States struggling to recover from attacks require millions of dollars to fix these systems.2
In November 2017, two Democrats appealed to the House Appropriations Committee to free up about $400 million for election security upgrades in states across the country.3 It was an acknowledgment that the states cannot carry this burden alone, which was hardly a shock considering what state election officials were up against. There is a disconnect between state and federal government, and there has been too much inaction on this issue approaching the 2018 midterm elections. And it's not as if most members of Congress don't realize what's at stake.
Democratic congressmen Bennie Thompson of Mississippi and Robert Brady of Pennsylvania wrote in a letter to House Appropriations requesting the $400 million: “We know that Russia launched an unprecedented assault on our elections in 2016, targeting 21 states’ voting systems, and we believe this money is necessary to protect our elections from future attack.” They called Russia's intrusions on state election systems “an attack on our country,” and warned, “We cannot leave states to defend against the sophisticated cyber tactics of state actors like Russia on their own.”4
By then states had been “flying solo” for months. They were navigating the cybersecurity terrain against topflight Russian hackers largely without the knowledge US intelligence and law enforcement could provide if there was a coordinated response. The response was disjointed from the beginning in part because of a lack of leadership from the top. The very top. The White House. It really came down to priorities. Cybersecurity experts have testified that the $400 million will go a long way to protect voting systems. The Pentagon has been spending more than that on military musical bands.5
CYBERSECURITY
The job market is wide open for future cyber juggernauts, wunderkind hackers, and spies. The United States lacks the roughly three hundred thousand cybersecurity experts it needs, according to White House cybersecurity czar Rob Joyce.6
Until the United States beefs up its cyber forces, we must work with what we have. One of the first steps is to perhaps acknowledge our culture shock, namely, all the things we do not know. It's almost impossible to know how widespread the Russian cyberattacks really were, and how deeply embedded in US systems the Russian hackers are. These are questions we may never really know the answer to until it's too late. We'll really know—I suspect—when the power starts shutting down in some city grid, which would be similar to what happened in Ukraine.7
THE TROLLS
Jim Lewis, a cyber expert with the Center for Strategic and International Studies, describes how trolls aren't in fact the fictional tiny, green, blob-like creatures living under bridges in fantastical countries. Today, they are more like disgruntled government white-collar slobs who work in “troll factories where they are required to muscle into cyberspace.”8 Lewis explains that trolling is an integral technique the Russian government uses to try to break the transatlantic alliance and destroy the world image of Western-style democracy.
Trolls, internet trolls, are apparently not very well paid, so if they're listening, I apologize. But they sit there, and you can see it [the internet trolls] in some online newspaper.
You can just tell when it's a Russian government employee posting a comment, pretending to be an American or a German or a Brit, saying, “The West is bad; Putin is good.” That's basically their theme. They have thousands of people whose job it is to post comments like that [in comment sections of news reports, chat rooms, blogs, etc.]. But they have other techniques as well. And the best technique that they have used so far is to hack into databases, take sensitive information, and then leak it.9
He explains that trolls are a major component of information warfare. It is a “new tool they use to get political effect.” Alternative names for information warfare are hybrid warfare or political warfare. “They don't need the Red Army anymore. They have the internet,” he said.10
MALWARE
Malicious software or malware is all the bad stuff. It's a generic term used to describe all the dirty little things that could weasel their way into your computer, including programs like Trojan horses, scareware, spyware, worms, and more run-of-the-mill computer viruses that technicians charge you a small fortune to purge.
As technology becomes more sophisticated and enters our online shopping carts, we become more vulnerable. Many of us are educated and/or paranoid enough about all the ways in which our computers can set us up as marks that we're tempted to put duct tape over our webcams. Some may even pay a yearly fee for a VPN service that hides their real IP address so their location can't be tracked through their computer or phone.
The majority of folks out there are either not so savvy or not so concerned. Most are probably wary enough to install antivirus software and leave it at that.
Adam Meyers of the security firm CrowdStrike explained how malware can use seemingly ordinary methods to infect not just computers but the other devices on the same network, such as digital cameras, cell phones, televisions, and scanners.11
Imagine you buy a new wireless high-end printer. It is considered the best of its kind because it is as thin as a potato chip and 0.5 ounces lighter than the previous model and happens to be bedazzled with purple gemstones. You take it out of the box. Experience has taught you that the setup process is less complicated if you don't read the three-page instruction pamphlet with its half-inch text. So, you plug the device in and run through your own version of the setup process, and, boom, it's connected to the internet and you are ready for business. You elect not to create an elaborate, unique username and password because you are sick of passwords. Besides, creating one requires that you type all of your personal information into the printing company's website. You are leery about giving away your personal information that could be used for goodness knows what nefarious purpose, ranging from trying to get you to buy more equipment to selling your name to the highest bidder. Finally, you aren't really great at remembering new passwords and are just as likely to lock yourself out of being able to use the machine as to prevent someone else from getting in. You leave it on the default settings, factory login included. You are sure signing up would come back to bite you in the bum.
Then one day you realize you should have. A “botnet” has found it: its scanner, which does nothing all day but try known factory passwords against every address it can reach, logged in with the printer's default password and installed its own code. Your machine is now a bot. It scans for more victims on the botnet's behalf and sends attack traffic on command, and you will probably never notice.
BOTNET
Mirai (aka the Future)
On October 21, 2016, a massive take-no-prisoners cyberattack hit Dyn, a company that runs domain name system (DNS) infrastructure for a large slice of the web, translating the names people type into the addresses their browsers connect to. The attack came in waves over the better part of the day and knocked major websites, including Netflix, Reddit, and CNN, offline for many users. This kind of attack is known as a distributed denial of service (DDoS) attack. It uses a beast called a botnet to flood a server with more traffic than it can handle until it buckles. Another name for it is a resource exhaustion attack.12
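What “distributed” buys the attacker, in an added example that is not from the page or from CrowdStrike: the same flood of requests is easy to stop when it comes from one address and hard to stop when it comes from thousands. The code below runs a simple per-second detector over a web server access log. The log lines are constructed for the example, and the two thresholds are illustrative assumptions, not tuned values.

```python
# Added example (not from the page): telling a distributed flood from a
# single-source flood in a web server's access log.  The log lines are
# constructed here; RATE_THRESHOLD and DISTRIBUTED_SOURCES are assumptions.
import re
from collections import defaultdict

RATE_THRESHOLD = 50        # requests/second before a second counts as a flood (assumption)
DISTRIBUTED_SOURCES = 20   # distinct source IPs/second that mark a flood as distributed (assumption)

# Common Log Format: client ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+)$'
)


def parse_line(line):
    """Return (source_ip, timestamp) for a well-formed line, else None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m.group("src"), m.group("ts")


def constructed_log():
    """Constructed sample: one quiet second, one second of traffic from 80
    different sources (what a botnet produces), one second of the same
    volume from a single source.  Addresses are from documentation ranges."""
    lines = []

    def add(src, ts):
        lines.append(f'{src} - - [{ts}] "GET / HTTP/1.1" 200 512')

    for i in range(5):
        add(f"198.51.100.{i + 1}", "21/Oct/2016:11:10:00 +0000")
    for i in range(80):
        add(f"203.0.113.{i + 1}", "21/Oct/2016:11:10:01 +0000")
    for _ in range(80):
        add("192.0.2.99", "21/Oct/2016:11:10:02 +0000")
    return lines


def per_second_stats(lines):
    """Map each timestamp (one-second resolution) to (request count, distinct sources)."""
    counts = defaultdict(int)
    sources = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:          # skip malformed lines rather than crash on them
            continue
        src, ts = parsed
        counts[ts] += 1
        sources[ts].add(src)
    return {ts: (counts[ts], len(sources[ts])) for ts in counts}


def classify(count, distinct, rate_threshold=RATE_THRESHOLD,
             distributed_sources=DISTRIBUTED_SOURCES):
    """Volume alone says 'flood'; the number of distinct sources says which kind."""
    if count < rate_threshold:
        return "normal"
    if distinct >= distributed_sources:
        return "distributed flood"
    return "single-source flood"


def analyze(lines):
    return {ts: classify(*stats) for ts, stats in per_second_stats(lines).items()}


if __name__ == "__main__":
    for ts, verdict in sorted(analyze(constructed_log()).items()):
        print(ts, verdict)
```

The second verdict is the one that matters operationally: a single-source flood can be dropped with one firewall rule, while a distributed one cannot be distinguished from a crowd of real users by address alone, which is exactly why attackers go to the trouble of building a botnet.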
In this case the botnet being used was a special kind of apocalyptic beast called Mirai, which means “the future” in Japanese. Mirai is distinguished from other botnets because it is not made up of infected desktop computers. Rather, it is made up of “the internet of things”: ordinary networked gadgets such as IP security cameras, digital video recorders, and home routers, still in service in homes and offices and still using the factory passwords they shipped with. There are millions of such devices and almost nobody watches them, which makes Mirai a supercharged botnet able to sustain large-scale attacks on multiple “endpoints” with a speed equivalent to a peregrine falcon dive-bombing a pigeon. In internet talk that is roughly 1.2 terabits per second, an exceptionally high volume of traffic.13
Another extraordinary element of Mirai is that anyone can get the source code for free. In late September 2016, weeks before the Dyn attack, the person who created it posted the code on a hacking forum, claiming to have already made enough money in the lucrative DDoS-for-hire business and wanting to get out. That made Mirai effectively open source, which means that essentially anyone who wanted it could use it both as a revenue-generating tool and as a nifty little manual for carrying out a cyberattack, and copycat botnets built on the code appeared within weeks.14
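Because the source is public, the mechanism behind the printer story above and Mirai's recruitment of cameras and DVRs can be shown concretely. The following is an added example, not Mirai's own code and not from the page: in the published source the scanner keeps its list of factory-default logins lightly obfuscated, XORing every byte with the four bytes of the key 0xDEADBEEF in turn (which collapses to a single XOR with 0x22), and tries the pairs against anything that answers on telnet. The encoded entries below were constructed here by encoding a handful of the well-known defaults the botnet tried; they are a sample, not the full table, and the weights, the audit function and the sample inventory are this example's assumptions.

```python
# Added example (not Mirai's code, not from the page): decode Mirai-style
# obfuscated default credentials and audit your own device logins against them.
#
# Mirai's scanner XORs each byte of a username/password with the four bytes of
# KEY in turn (0xEF, 0xBE, 0xAD, 0xDE); four XORs collapse to one XOR with 0x22.
# ENCODED_TABLE below is constructed here from a few well-known defaults;
# the weights are illustrative, not copied from the real table.

KEY = 0xDEADBEEF


def _xor_key_bytes(data: bytes, key: int = KEY) -> bytes:
    """XOR every byte with every byte of the 32-bit key, as Mirai's deobf() does."""
    key_bytes = [(key >> shift) & 0xFF for shift in (0, 8, 16, 24)]
    out = bytearray()
    for b in data:
        for kb in key_bytes:
            b ^= kb
        out.append(b)
    return bytes(out)


def deobf(data: bytes) -> str:
    return _xor_key_bytes(data).decode("ascii")


def obf(text: str) -> bytes:
    """XOR is its own inverse, so encoding is the same operation as decoding."""
    return _xor_key_bytes(text.encode("ascii"))


# (encoded username, encoded password, weight).  Weight is how strongly the
# scanner favours the pair; the numbers here are example values.
ENCODED_TABLE = [
    (b"\x50\x4d\x4d\x56", b"\x5a\x41\x11\x17\x13\x13", 10),                # root / xc3511
    (b"\x50\x4d\x4d\x56", b"\x54\x4b\x58\x5a\x54", 9),                     # root / vizxv
    (b"\x50\x4d\x4d\x56", b"\x43\x46\x4f\x4b\x4c", 8),                     # root / admin
    (b"\x43\x46\x4f\x4b\x4c", b"\x43\x46\x4f\x4b\x4c", 7),                 # admin / admin
    (b"\x50\x4d\x4d\x56", b"\x1a\x1a\x1a\x1a\x1a\x1a", 6),                 # root / 888888
    (b"\x51\x57\x52\x52\x4d\x50\x56", b"\x51\x57\x52\x52\x4d\x50\x56", 5), # support / support
    (b"\x50\x4d\x4d\x56", b"", 4),                                         # root / (empty)
    (b"\x43\x46\x4f\x4b\x4c", b"\x52\x43\x51\x51\x55\x4d\x50\x46", 4),     # admin / password
]


def decode_table(table=ENCODED_TABLE):
    """Plaintext (username, password, weight) triples, highest weight first."""
    decoded = [(deobf(u), deobf(p), w) for u, p, w in table]
    return sorted(decoded, key=lambda t: -t[2])


def is_default_credential(username: str, password: str, table=ENCODED_TABLE) -> bool:
    return any(username == u and password == p for u, p, _ in decode_table(table))


def audit_devices(devices, table=ENCODED_TABLE):
    """devices: iterable of (name, username, password) for your own gear.
    Returns the names a Mirai-style scanner would log into: any device using
    a pair from the list, or an empty password."""
    return [name for name, user, pw in devices
            if pw == "" or is_default_credential(user, pw, table)]


# Constructed inventory for the example; not real devices.
CONSTRUCTED_INVENTORY = [
    ("lobby-camera", "root", "xc3511"),
    ("office-printer", "admin", "admin"),
    ("dvr-backroom", "root", "Zz9!quartz-Falcon"),
    ("thermostat", "admin", ""),
]

if __name__ == "__main__":
    for user, pw, weight in decode_table():
        print(f"{weight:2d}  {user}/{pw or '(empty)'}")
    print("at risk:", audit_devices(CONSTRUCTED_INVENTORY))
```

The obfuscation is not there to defeat analysts; it keeps the plaintext passwords out of a trivial `strings` run on the binary. The useful part for a defender is the audit: the list is short, public, and still effective years later, so checking your own inventory against it is a cheap test that the printer in the story above would fail.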
Meyers also provides the nitty-gritty description of a DDoS attack. “It means that when you're attacking a target you distribute the load of the attack across many different hosts [devices]. So, what they do is infect lots of different hosts across the internet and then use those infected hosts to then target the actual end victim.”15 That certainly makes it easier to understand.
Mirai was thought to be a dry run. Its unusual attributes were its strength and the manner in which it was released. Meyers believes the botnet was released “to make a statement about the capability, showing that the capability exists.”16
Cyber forensic investigators examining the Mirai bot's code found Russian-language strings in it, including one that translates as “I love chicken nuggets.”17 Some of these highly skilled hackers seem to have a fairly juvenile sense of humor. A word of caution, though: the language of a few strings is weak evidence of who wrote a program, and the people who later pleaded guilty in US federal court to creating Mirai were young Americans, not Russian operatives.
Meyers explained how a botnet like Mirai could be used to impact an election: “If you plan to be broadcasting during the election, this could be used to disrupt signals; it could be used to disrupt your website. During the actual election, depending on what the targets might be, you could use this to disrupt voting stations or the infrastructure involved in tallying votes.”18
On election night 2016, CBS News and other news organizations were prepping for the potential of that type of attack. Imagine an election night—you're watching your favorite channel, and all of a sudden the numbers start scrambling. The anchor can't figure out what's happening. The IT staff can't figure it out either. Viewers are left puzzled, and doubt starts creeping in about the results, even if the station has these results in some form of a hard copy. Do you trust those numbers? See how damaging any type of cyberattack on an election night could be?
OTHER NIFTY BOTS
Social Bots
When Clint Watts, a Robert A. Fox fellow at the Foreign Policy Research Institute, provided expert testimony before the Senate Intelligence Committee on Russian information operations, he detailed ways in which Russian operatives may use social media in espionage efforts. The former FBI agent also noted that social bots can be created, replicating “the appearance and speech of the target audience making unwitting observers more likely to engage with and believe the falsehoods they spread. Social bots play on this psychology broadcasting at such high volumes [of hits or views] it makes falsehoods appear more credible.” Social bots can be manufactured at “social media sweatshops.”19
Watts explains how Kremlin-hired hackers can create social bots and inject storylines into not just the web browsing of an unsuspecting public but also the social intercourse of people who should know better, namely influencers such as reporters, political figures, and CEOs of major companies. The dummy narratives arrive in their newsfeeds or emails. In this manner, the public and private sectors can be duped into believing lies told by imaginary people they meet on their screens. In spreading these fake stories, these people can ruin their own reputations. The news these deceitful dummy personas carry can easily replace or usurp what is real news, or influence new policies and legislation.
SATURATION
Social media content is more trusted when it comes from close relations like friends and family. By exploiting these relationships, social bots can create Facebook groups, personas, and pages to saturate social and political discussions with “divisive content designed to enrage competing poles of the US electorate,” Watts said.20 One fake Facebook ad posted by Russian “trolls” came from a group called Stop All Invaders. It showed photos of a woman wearing Islamic religious head covering, and urged followers to stop the spread of sharia law. Yet another ad said, “Down with Hillary!” and it promoted a rally outside Clinton campaign headquarters in Brooklyn.21
LAUNDERING
The technique of laundering information that we learned about in chapter 24, when the Russian government tried to discredit Dr. Martin Luther King, is less cumbersome to pull off in the information age. Laura Rosenberger, director of the Alliance for Securing Democracy, explains how it works: “Something that will come from Russia—a piece of disinformation or misinformation—will be laundered through covert networks, [such as] the social media or online media environment, so that people can't really tell where it's come from. And then it ends up getting picked up sometimes in credible news sources. And, people don't have any idea where that information has come from.”22 Case in point: in August 2016 there was an active shooter scare at New York's JFK International Airport. At CBS News we were following the story because we saw people on Twitter posting messages about it. But we couldn't figure out if that threat was real. It turns out Russian fake-news writers on social media added to the panic.23
Rosenberger detailed a famous case in Germany. A thirteen-year-old Russian/German girl named “Lisa” was reported missing from her home. When she returned home with a bruised face, it was reported that she had been raped by three men who were Muslims.24 Before the story could be corroborated, Kremlin-controlled print, television, and social media ran with it. This resulted in massive protests against refugees, holding German chancellor Angela Merkel's refugee policy accountable. Among the protestors were members of German right-wing radical groups.25
The girl later admitted she lied. But German officials believe the Russian media exploited the situation and controversy, surrounding policies allowing nearly a million asylum seekers into Germany, in order to further discredit Merkel—who opposed Russia's interference in Ukraine.
Rosenberger explains the German government's response. “Now as a consequence in Germany in fact—there's a very high level of awareness about this potential challenge. I don't think we've had quite that kind of ‘aha’ moment in the United States. And that's not to say I think Germany is totally protected against this either. But it's just to say that that kind of laundering certainly happens. And the media often enough allows that to happen more easily.”26
Examples of laundering that have occurred in the United States since then include the false reports of hate crimes in Idaho and the “Antifa intifada” story that was picked up by RT.
Vice highlighted an uptick in fake Antifa accounts claiming to belong to the anti-fascist movement that were actually operated out of Russia.27 In Idaho, Russian trolls using false identities set up anti-immigrant protests through Facebook events.28 What started on social media was then picked up by RT. The Russian-government-backed news network would then trumpet the divisions in the United States to its audience.
Some call cyber laundering propaganda. Watts calls it forgery. He notes how digital forgeries can be distributed through sites laden with conspiracy theories, such as Reddit and 4Chan, and are often far superior to the KGB's active measures efforts at clunky forgeries that were spread using antiquated equipment (wire services and the postal service), which could take years to have an impact and didn't offer much return on their investment. He notes how forgeries can be used by anonymous sources in “smear campaigns and falsehoods that tarnish confidence in America and trust in democratic institutions.” He further notes that they can be used strategically to “support conspiracies” and “support anti-government narratives or enflame social divisions in America.”29
PHISHING
We have seen how a seemingly innocuous email was sent to officials—such as the Arizona secretary of state administrator living in a rural location—and used like bait on a hook to phish out their usernames and passwords and sell them online. As I reported on CBS News in October 2016, the Arizona worker opened an email attachment and just like that the Russian hackers were into the computer network. The Russian intrusion then spread, endangering Arizona's election infrastructure.30
The Russian operation took many different approaches in its attack on democracy. It saturated social media, and by infecting social media it indirectly seeped into the mainstream news cycle. Early on some people in important positions saw the warning signs and spoke out. One person in particular realized that she could not take on the Russians alone.