CYBERWARFARE: RUSSIA’S ATTACK ON THE 2016 ELECTION

Note: If you find my posts too long or too dense to read on occasion, please just read the bolded portions. They present the key points I’m making and the most important information I’m sharing.

This is my sixth post on computer hacking and cyberwarfare and part of my overview of New York Times cybersecurity reporter Nicole Perlroth’s outstanding book, This Is How They Tell Me the World Ends. [1] My first post summarized the book’s information on the scale of computer hacking, cybercrime, and cyberwarfare; the 2017 North Korean ransomware attack; and the 2009 U.S. National Security Agency (NSA) cyberwarfare attack on Iran. My second post covered the leaks from the NSA, electronic surveillance in the U.S., and the use of encryption to protect privacy. My third post described Russia’s cyberattacks on Ukraine. The fourth and fifth posts described China’s cyberattack on Google and Google’s response.

This post summarizes Russia’s attack on the 2016 U.S. election, which began in June 2014 when Russia sent two agents to the U.S. for a three-week reconnaissance tour to gather intelligence on U.S. politics and elections. Their report became the field guide for Russia’s interference in the 2016 election. Starting in 2014, the Russians tried to hack into voter registration and election systems in all 50 states. They are known to have succeeded in accessing Arizona’s and Illinois’s voter databases. In 2015 (and probably before then), the Russians aggressively hacked into computer networks at the State Department, White House, and Joint Chiefs of Staff of the Defense Department, although this was probably unrelated to the election and was just “routine” espionage. Occurring in the midst of the unprecedented and mind-boggling presidential campaign that was ongoing at the time, these cyberattacks got little coverage in the mainstream media.

Russia’s social media propaganda agency, known as the Internet Research Agency (IRA), had as its goal for the U.S. election in 2016 to “spread distrust toward the candidates and the political system in general. … [to create] division, distrust, and mayhem.” [2] In September 2014, the IRA created a Facebook group, Heart of Texas, focused on right-wing Texans that generated 5.5 million likes within a year. It also created another Facebook group, United Muslims of America. Then, among other things, it used these two Facebook groups to promote rallies and counter-rallies at the Islamic Center in Houston that led to real-world confrontations. The IRA used the stolen identities of Americans to make their work more credible, but nonetheless its cyber manipulators were surprised at how gullible and susceptible the Americans were to their Facebook disinformation.

Based on its success in Texas, the IRA began replicating this approach across the country, focusing on purple states. Its staffing grew to more than 80 people who were directed to “Use any opportunity to criticize Hillary and the rest (except Sanders and Trump – we support them)” according to leaked memos. [3] The IRA:

  • Communicated with Trump campaign volunteers.
  • Bought Facebook ads promoting Trump and attacking Clinton.
  • Promoted race-baiting and xenophobic messages.
  • Worked to suppress minority voter turnout and to encourage voting for third party candidates instead of for Clinton.
  • Paid an unwitting Florida Trump supporter to put a cage on a flatbed truck and paid an actress to dress up as Clinton and sit in the cage as Trump rally-goers chanted “Lock her up!” Based on this success, they promoted similar rallies in other states.
  • Reached 126 million Facebook users and generated 288 million Twitter actions, which are staggering numbers given that 139 million people voted in the 2016 election.

In June 2016, it was discovered that two other Russian groups had hacked into the Democratic National Committee’s computer network months earlier, extracting and releasing embarrassing emails, among other things.

The Obama Administration, facing multi-faceted and snowballing Russian interference in the election, finally decided in the fall of 2016 that a strong bipartisan statement (so it wouldn’t appear political) was necessary. Top Homeland Security and FBI officials were sent to brief Congress. But the response from the Republicans was completely partisan. Republican Senate Majority Leader Mitch McConnell refused to warn Americans about Russia’s efforts to influence and undermine the 2016 elections. He refused to sign any bipartisan statement, argued (falsely) that the intelligence on the cyberattacks was wrong, and claimed (falsely) that this was all just Democratic partisan politics.

After the election, the Obama Administration imposed significant sanctions on the Russians, but they were too little and too late. Although there’s some argument over the ultimate impact of the Russians’ efforts, Perlroth concludes that the Russian actions may well have tipped the election to Trump. Black voter turnout declined sharply in 2016 for the first time in 20 years; this was a constituency, and an outcome, that the Russians had aggressively targeted. Black voter turnout fell from 66.6% in 2012 to 59.6% in 2016, its lowest level since 2000. This represented a decline of 765,000 votes when less than 80,000 votes in three key states determined the outcome of the election. Furthermore, Trump’s margin in each of these three key states – Wisconsin (22,800 votes, a 0.8% margin), Pennsylvania (44,300 votes, a 0.7% margin), and Michigan (10,700 votes, a 0.2% margin) – was less than the vote for the Green Party candidate in that state. This voting for third party candidates instead of Clinton was another outcome that the Russians had aggressively targeted. Given the closeness of the election, a relatively small change in either (let alone both) of Black voter turnout or the number of votes for the Green Party instead of for Clinton would have changed the outcome of the election – and both of these were factors that the Russians specifically worked to influence.

Subsequent posts will outline the Perlroth book’s reporting on:

  • Russia’s continuing cyberattacks on the 2018 and 2020 U.S. elections and the Trump administration’s response, and
  • What can be done to counter cybercrime and warfare at the individual and governmental levels.

[1]      Perlroth, N. This Is How They Tell Me the World Ends. Bloomsbury Publishing, NY, NY. 2021.

[2]      Perlroth, N., see above, page 310

[3]      Perlroth, N., see above, page 311

CYBERWARFARE: GOOGLE’S RESPONSE TO CHINA’S ATTACK


This is my fifth post on computer hacking and cyberwarfare, all of which are part of my overview of New York Times cybersecurity reporter Nicole Perlroth’s outstanding book, This Is How They Tell Me the World Ends. [1] My first post summarized the book’s information on the scale of computer hacking, cybercrime, and cyberwarfare; the 2017 worldwide ransomware attack by North Korea; and the 2009 cyberwarfare attack by the NSA on Iran’s uranium enrichment plant. My second post provided an overview of the book’s reporting on leaks from the NSA, electronic surveillance in the U.S., and the use of encryption to protect privacy. My third post described Russia’s cyberattacks on Ukraine and the fourth post described China’s cyberattack on Google.

Google had begun doing business in China in 2006, agreeing to the censorship of search results that the government demanded. In 2009, it was still struggling to accommodate China’s increasingly draconian censorship rules. Nonetheless, China waged a cyberattack on Google in 2009 in an effort to make Google an unwitting accomplice in Chinese surveillance of dissidents. (See my previous post for more details about this cyberattack.)

In response, on January 12, 2010, Google publicly revealed the Chinese cyberattack and its decision to pull out of China, despite its being the largest and most sought-after market in the world. Fearing for its employees’ safety, it had briefed the State Department, and the U.S. embassy in Beijing was prepared to undertake a mass evacuation of Google’s Chinese employees and their families. Google shut down its Chinese operation and routed all Chinese Internet traffic to Hong Kong. In response, the Chinese government scrambled to censor and block Internet content flowing from Hong Kong, lambasted Google, denied involvement in the cyberattack, and accused the U.S. government of conducting an anti-China propaganda campaign. It permanently blocked Internet access to Google and, three years later, under new President Xi Jinping, took over total control of the Internet in China.

The Chinese hackers who had executed the attack, having been outed, unplugged their Internet computer servers and abandoned their hacking tools. They abstained from hacking in the U.S. for a number of months, but one year later engaged in a sophisticated attack on RSA, the cybersecurity company that sold security services to, among others, high profile defense contractors. Based on this successful attack, the Chinese hackers were able to infiltrate Lockheed Martin and thousands of other western companies including banks, automakers, chemical companies, law firms, non-profit organizations, and more. They stole billions of dollars’ worth of proprietary information, including military and trade secrets.

Back at Google, less than a year after the 2010 pullout, some executives began pushing to go back to doing business in China. As Google diversified its businesses and re-organized under the over-arching corporation Alphabet in 2015, re-entry into the Chinese market, with its 750 million Internet users, became a hot topic of debate. Ultimately, human rights, ethical considerations, and Google’s motto of “Don’t be evil” were overwhelmed by a focus on profits.

In 2016, Google established a new artificial intelligence research center in Beijing and released some small-scale products, e.g., an app and a mobile game, into the Chinese market. Simultaneously, it was working on a search engine for the Chinese market, code-named Dragonfly, that met government censorship requirements. In August 2018, an employee leaked information about the work on Dragonfly. After protests by Google employees and others, the Dragonfly project was terminated in July 2019. Google does not offer a search engine in China at this time.

Google’s business ethics have been questioned not just for doing business in China, but for its behavior in the U.S. and elsewhere. It profits off sites that spread disinformation and conspiracy theories, and its YouTube subsidiary allows the spread of videos that harm the well-being of children. In Saudi Arabia, it hosted an app that allowed men to track and, thereby, control the movements of female family members.

In subsequent posts, I will outline the Perlroth book’s reporting on:

  • The cyberattacks on U.S. elections and the Trump administration’s response, and
  • What can be done to counter cybercrime and warfare at the individual and governmental levels.

[1]      Perlroth, N. This Is How They Tell Me the World Ends. Bloomsbury Publishing, NY, NY. 2021.

CORPORATE CRIMINALS GET OFF SCOT-FREE


Corporate criminals in the U.S. almost always get off scot-free regardless of how serious their crimes or how many offenses they have committed. Federal prosecutions of white-collar crime have been rare over the last 40 years and dropped further during the Trump administration, to a 25-year low in 2020.

The Department of Justice (DOJ) announced last week that it would take a new, more aggressive approach to corporate crime. A similar statement was made in 2015 by the Obama administration, but nothing of substance changed. Therefore, this current announcement won’t be taken seriously until the DOJ begins taking significant actions. [1]

Typically, corporate crime has been settled with fines and signed agreements with the DOJ promising not to engage in the same illegal behavior again for a specified period of time, typically only three years. These agreements are called deferred prosecution agreements (DPAs) or non-prosecution agreements (NPAs). The corporations typically do not admit to being guilty of any crimes.

Furthermore, these settlement agreements have rarely been enforced and there are numerous examples of corporations engaging in prohibited behavior again without penalties being imposed. The watchdog group Public Citizen reviewed 500 of these settlement agreements and found only seven cases where the corporation had even been notified that they had violated the agreement and only three where any prosecutorial action was taken.

Public Citizen recently issued a report identifying 20 major corporations with current settlement agreements. [2] In an indication that the DOJ may be stepping up enforcement of such agreements, two corporations were recently notified that they were in violation of their agreements: Ericsson, a Swedish telecom company, and NatWest, a British bank.

The 20 corporations with active settlement agreements ALL had previous violations; in 16 cases over ten violations and in five cases over 90 violations. The list includes seven banks and financial corporations, including Merrill Lynch (a subsidiary of Bank of America) with 97 total violations, JP Morgan Chase with 92 violations, Wells Fargo with 92, Deutsche Bank with 41, and Goldman Sachs with 38. Also included are United Airlines with 533 violations (464 of them from the Federal Aviation Administration), Walmart with 330 (292 from the Labor Department), Boeing with 84, and the pharmaceutical company Novartis with 18.

The DOJ announcement included a statement that when determining penalties for violations it will consider the corporation’s overall record, not only previous violations of the same type as had been the practice. It also stated that the DOJ will require corporations to disclose the individuals involved in corporate crime. In the last 30 years, it has been very rare that individuals at corporations have been held personally accountable for corporate crime.

The non-prosecution of corporate, white-collar crime stands in stark contrast to the aggressive prosecution of non-corporate, non-white-collar crime by individuals. For crimes by individuals, the U.S. has had a tough-on-crime approach for 40 years, which includes mandatory sentences and three-strikes-you’re-out laws. Clearly, anything approaching this type of tough-on-crime prosecution of corporate criminal behavior would have put corporations out of business, i.e., their corporate charters would have been revoked, and would have put their executives in jail. Similarly, the practice of ignoring corporate violations of different types when determining penalties for a crime is unlike individual sentencing, where all types of crimes are considered, e.g., theft, assault, drug crimes, and gun violations. Finally, individuals (with the exception of juveniles) don’t get a clean slate after three or so years as corporations do when their non-prosecution agreements expire.

I urge you to contact President Biden to let him know that you support strong action by the Department of Justice to hold corporate criminals accountable, both the corporations themselves and their executives. You can email President Biden at https://www.whitehouse.gov/contact/ or you can call the White House comment line at 202-456-1111 or the switchboard at 202-456-1414. You can also send letters to the White House; details are here: http://www.whitehouse.gov/contact/submit-questions-and-comments.

[1]      Dayen, D., 11/12/21, “The corporate most-wanted list,” The American Prospect (https://prospect.org/power/corporate-most-wanted-list/)

[2]      Claypool, R., 11/12/21, “The usual corporate suspects,” Public Citizen (https://www.citizen.org/article/usual-corporate-suspects-report/)

CYBERWARFARE: CHINA’S ATTACK ON GOOGLE


This is my fourth post on computer hacking and cyberwarfare and part of my overview of New York Times cybersecurity reporter Nicole Perlroth’s outstanding book, This Is How They Tell Me the World Ends. [1] My first post summarized the book’s information on the scale of computer hacking, cybercrime, and cyberwarfare; the 2017 worldwide ransomware attack by North Korea; and the 2009 cyberwarfare attack by the U.S. National Security Agency (NSA) on Iran’s uranium enrichment plant. My second post provided an overview of the book’s reporting on leaks from the NSA, electronic surveillance in the U.S., and the use of encryption to protect privacy. My third post described Russia’s cyberattacks on Ukraine.

This post summarizes China’s cyberwarfare and, in particular, its attack on Google. The Chinese government’s cyberwarfare initiatives use both army personnel and contracts with non-government hackers at Chinese universities and technology companies. This contracting with private hackers is similar to President Putin’s strategy in Russia, where cyberattacks had been outsourced to cybercriminals for years to give the government some marginally credible deniability of responsibility. As in Russia, many of the private hackers in China are likely to have been conscripted, rather than hired in the private market.

For years, the Chinese have been hacking into defense companies where they focus on stealing aerospace, missile, space, and satellite technologies, as well as nuclear propulsion and weapon information. They have also been hacking into a broad range of U.S. businesses and stealing intellectual property. A former Director of the NSA, Keith Alexander, called Chinese cyber theft the “greatest transfer of wealth in history.” [2]

In December 2009, now ancient history in the annals of cyber hacking, Google’s digital security team noticed an electronic intruder in their computer network. It was moving from computer to computer in what they called the fastest cyberattack they had ever seen. It had managed to breach what was one of the toughest digital security systems in existence at the time and was conducting a very sophisticated search across Google’s extensive computer network. As is often the case, the intruder’s access had been initiated by unsuspecting Google employees who had clicked on a link in a hacker’s phishing message. The link went to a website in Taiwan that put the hacker’s computer program, i.e., malware, onto the employee’s computer via a vulnerability in Microsoft’s Internet Explorer browser. The malware allowed the hacker to access the employee’s computer and Google’s network.

The attack was very sophisticated – the work of highly skilled, well-resourced hackers, not a small-time, individual cybercriminal. This was made clear by the fact that the hackers encrypted their attacking computer program and obfuscated their tracks, and by the expertise needed to use the Internet Explorer vulnerability.

Over a couple of weeks, Google assembled a team of 250 inside and outside security experts to counter the attack, and then determine who had attacked and what they were trying to accomplish. Team members worked 24/7 and December holiday vacations were canceled.

Eventually, the team’s work identified the attacker as a group under contract to the Chinese government. It was being monitored by the NSA, which had code-named it “Legion Yankee.” It was one of the most active of the more than two dozen Chinese hacking groups that the NSA monitored. These groups had attacked U.S. government agencies, technology companies, think tanks, and universities in attempts to steal intellectual property, military secrets, and correspondence.

As Google and outside security experts dug into the attack, they traced it back to Legion Yankee’s computer server and discovered that dozens of other U.S. companies had been attacked as well, including Adobe, Intel, Northrop Grumman, Dow Chemical, and Morgan Stanley. As Google tried to warn these other companies, they found it was hard to reach someone who would take their warning seriously and understand its implications. Many of the companies refused to acknowledge that their computer systems had been breached – not wanting the bad publicity.

Google and its outside experts also eventually figured out what the attacker was after: Google’s source code. This is the computer programming that runs the Google application – it’s what displays its screens when you access Google, it’s what runs the search engine and displays the results, it’s what determines what ads to show you and what to do when you click on an ad or search result, etc. Microsoft’s Windows computer operating system, which runs many of our computers, is probably the best-known example of source code, along with Apple’s Operating System (OS) or the Android software that runs your phone.

This kind of attack wasn’t about short-term gain, e.g., theft of money or information; this was a long-term strategy that could bear fruit immediately but also for years to come. The hackers would insert code into or change the programming of Google’s source code to allow them access to the information that was flowing through Google, to Gmail accounts, and also to the computers and networks that were using Google.

Ultimately, Google determined that the Chinese government wanted to change Google’s source code so it would have long-term access to any Gmail account and that its interest was in accessing the Gmail accounts of Chinese dissidents, including pro-democracy activists in Hong Kong, Tibetan and Uighur Muslim dissidents, pro-independence Taiwanese, the Dalai Lama, and others. In other words, China’s goal for its most sophisticated cyberattack capabilities was to be able to monitor, threaten, and thereby control its own people.

U.S. State Department officials would eventually connect Legion Yankee and the Google attack to the Chinese government’s top security official, Zhou Yongkang, and to Li Changchun, a member of China’s top ruling body (the Politburo Standing Committee) and China’s top propaganda official. Li had reportedly googled himself and was not happy with what he found and, therefore, ordered the attack on Google.

My next post will summarize Google’s response to the Chinese attack: it made a big splash by publicizing China’s attack and pulling out of the Chinese market completely in 2010 – only to re-enter the Chinese market in 2016. Subsequent posts will outline the Perlroth book’s reporting on:

  • The cyberattacks on U.S. elections and the Trump administration’s response, and
  • What can be done to counter cybercrime and warfare at the individual and governmental levels.

[1]      Perlroth, N. This Is How They Tell Me the World Ends. Bloomsbury Publishing, NY, NY. 2021.

[2]      Perlroth, N. This Is How They Tell Me the World Ends. Bloomsbury Publishing, NY, NY. 2021. page xix

CYBERWARFARE: RUSSIA’S ATTACKS ON UKRAINE AND USE OF NSA’S CYBER WEAPONS


This is my third post on computer hacking and cyberwarfare, part of my overview of New York Times cybersecurity reporter Nicole Perlroth’s outstanding book, This Is How They Tell Me the World Ends. [1] My first post summarized the book’s information on:

  • The scale of computer hacking, cybercrime, and cyberwarfare,
  • The 2017 worldwide ransomware attack by North Korea using a Microsoft Windows vulnerability stolen from the U.S. National Security Agency (NSA), and
  • The 2009 cyberwarfare attack by the NSA on Iran’s uranium enrichment plant.

My second post provided an overview of the book’s reporting on:

  • Electronic surveillance in the U.S. and the use of encryption to protect privacy, and
  • Leaks from the NSA, including of its cyberwarfare weapons.

This post provides an overview of Russia’s cyberattacks on Ukraine. Russia is and has been a formidable and active player in espionage and international warfare since the 1950s Cold War, which Perlroth touches on as background for her reporting on cyberwarfare.

Not surprisingly then, Russia has been an early, active, and formidable participant in cyberwarfare. It has attacked Ukraine both to demonstrate its capabilities to the world and to display its ongoing displeasure with independence in Ukraine, which threw out the Russian puppet government in 2014. Russia’s cyberwarfare has interfered with Ukraine’s elections and its everyday life. In 2014, Russia planted disinformation during Ukraine’s election and engaged in serious cyber hacking of its election infrastructure. Ukrainian election officials discovered the hacking just before manipulated results would have been announced to the media. It was the most brazen cyberattack on a national election ever at the time.

For its next attack, on Christmas Eve in 2015, Russia’s cyber warriors flipped off circuit breakers in the Ukrainian power grid, turning off electricity for hundreds of thousands of people. They also shut off backup power in many locations and shut down emergency phone lines. Things were turned back on roughly six hours later, but the message and the capabilities were clear. This represented an escalation of cyberwarfare; no country had ever shut down another country’s civilian power grid before. A year later, Russia did it again, this time shutting down the power and heat in the Ukrainian capital of Kyiv.

On June 27, 2017, Russia launched another, much more devastating cyberattack on Ukraine, this time using weapons from the U.S. National Security Agency (NSA) that had been stolen and leaked in 2016 and 2017. (See my previous post for more details on this leak.) Russia specifically timed its attack to occur on Ukraine’s independence day to underscore its political message. The attack shut down government offices, trains, ATMs, the postal service, and almost all financial systems, so people couldn’t get paid, and electronic cash registers didn’t work, so people couldn’t buy anything, even food and gas. Even the radiation monitors at the Chernobyl nuclear disaster site were shut down. The attack destroyed the data on 80% of the computers in Ukraine. The damage was so severe that it took over two years for Ukraine to recover from this Russian cyberattack.

Not unexpectedly, the cyberweapons (i.e., malicious computer programming) that Russia used in the attack on Ukraine self-propagated through the Internet and other computer networks, so that any company doing business in Ukraine was vulnerable. The cyberweapons shut down factories in Tasmania, destroyed vaccines at pharmaceutical companies Pfizer and Merck, infected FedEx’s computer systems, and brought the world’s biggest shipping company, Maersk, to a halt. The cyberweapons even spread back to Russia, destroying data at the giant, Russian government-owned oil company, Rosneft, and at the Russian steelmaker, Evraz.

When author Perlroth visited Ukraine in the winter of 2019, a year and a half after the attack, the damage estimate there was $10 billion and climbing, and significant disruption of daily life was still evident. Railroad and shipping systems were still not back to normal, pension checks still hadn’t been received, and people were still trying to find packages that had gone missing when shipment tracking data was lost, for example. It was also estimated that the attack cost Merck, FedEx, and all the other companies that were affected billions of dollars. Some insurers refused to pay for damages from this cyberattack, claiming it was an act of war and therefore fell under a war exemption clause in their policies.

This Russian cyberattack made it clear that cyberweapons are weapons of mass destruction. Russia could have done much worse. It could have crashed trains and planes instead of just disabling scheduling, ticketing, and payment systems. It could have created explosions or toxic incidents at manufacturing plants or nuclear power plants.

Some experts believe Russia used the NSA’s tools in this attack to discredit and expose the NSA and the U.S. government. Others believe Russia was just using this attack, and the earlier ones in Ukraine, to test its capabilities and prepare for, or signal its capability to execute, even more devastating attacks in the future. By the way, Russia has continued to harass Ukraine. For example, in 2019, it inundated Ukrainian Facebook accounts with anti-vaccination propaganda as the worst measles outbreak of recent times spread there.

In subsequent posts, I will outline the Perlroth book’s reporting on:

  • The Chinese attack on Google and Google’s response,
  • The cyberattacks on U.S. elections and the Trump administration’s response, and
  • What can be done to counter cybercrime and warfare at the individual and governmental levels.

[1]      Perlroth, N. This Is How They Tell Me the World Ends. Bloomsbury Publishing, NY, NY. 2021.