U.S. Government and Tech Firms Push Back on Russia (and Trump)

Over the past two weeks, United States Cyber Command and a group of companies led by Microsoft have engaged in an aggressive campaign against a suspected Russian network that they feared could hold election systems hostage come November.

Then, on Monday, the Justice Department indicted members of the same elite Russian military unit that hacked the 2016 election for hacking the French elections, cutting power to Ukraine and sabotaging the opening ceremony at the 2018 Olympics. And in Silicon Valley, tech giants including Facebook, Twitter and Google have been sending out statements every few days advertising how many foreign influence operations they have blocked, all while banning forms of disinformation in ways they never imagined even a year ago.

It is all intended to send a clear message that whatever Russia is up to in the last weeks before Election Day, it is no hoax. The goal, both federal officials and corporate executives say, is to disrupt Russia’s well-honed information-warfare systems, whether they are poised to hack election systems, amplify America’s political fissures or get inside the minds of voters.

But behind the scenes is a careful dance by members of the Trump administration to counter the president’s own disinformation campaign, one that says the outcome on Nov. 3 will be “rigged” unless he wins.

So while President Trump continues to dismiss the idea of Russian intervention, a combination of administration and industry officials are pushing a different narrative: that U.S. intelligence agencies, Facebook, Twitter, Google and others are avoiding the mistakes of four years ago, when they all had their radars off.

But there is also no assurance it will work.

“We don’t like to admit it, but the Russians may not be deterrable,” said James A. Lewis, the director of the technology and public policy program at the Center for Strategic and International Studies in Washington. “How far do we have to go? Is this far enough? We are still scoping that out.”

No one will be able to assess the effectiveness of the counteroffensive until after Election Day, when Washington circulates the cyberequivalent of battle-damage reports. But even now there are reasons to question whether the efforts to take on Russia, some of which began in the 2018 midterm elections, have been too timid.

It is hardly a coincidence that the indictments announced on Monday against hackers with Russia’s G.R.U. were unsealed 15 days before the election. But it is unclear what deterrent effect indictments can have when the G.R.U.’s officers are unlikely to ever see the inside of an American courtroom.

One of the hackers named in the indictment was previously charged with hacking U.S. election administrators four years ago. That did not stop him from a brazen hack on the country of Georgia last year. Likewise, even after Russia was outed for hacking the 2018 Pyeongchang Olympics, that apparently did nothing to dissuade it from hacking the postponed 2020 Tokyo games, British officials revealed Monday.

John P. Carlin, the former assistant attorney general for national security who developed much of the Justice Department’s strategy for indicting foreign hackers, and later wrote about it in the book “Dawn of the Code War,” said Mr. Trump’s denial of what happened four years ago gave Russia lots of leeway.

“The details in the indictment are stunning and reveal Russian operatives at the direction of the state attacking the whole world,” he said, adding that “the conspicuous absence of leadership from President Trump” on the issue was all the more striking given the efforts “to expose and disrupt this activity.”

“These attacks on countries and civilian behavior won’t stop until the commander-in-chief calls it out and works with the rest of the victimized world to deter future indiscriminate attacks,” Mr. Carlin said.

If the indictments are the public face of the offensive against the Russians, the effort to dismantle Trickbot — a vast network of infected computers used by ransomware groups — is the more covert element.

Late last month, the military’s Cyber Command started neutralizing Trickbot with a series of attacks. Microsoft’s Digital Crimes Unit secured federal court orders to shut down Trickbot’s infrastructure around the world.

On Tuesday, Microsoft said the operation had been largely successful. It has taken down over 90 percent of Trickbot’s command-and-control servers. The idea is to keep the Russians on the run, so distracted that they are unable to use those systems for ransomware attacks that could hold the election hostage.

“These guys are really good and really move fast, and we knew they would react to rebuild their systems,” said Tom Burt, the Microsoft executive who is running the team. “We were prepared to follow them, and tear down whatever they build up.”

But as Cyber Command and Microsoft were taking aim at Trickbot, a new hacking threat emerged.

Over the past two months, a different group of Russian hackers — known as “Energetic Bear” or “Dragonfly,” and believed to be operating within the country’s Federal Security Service, or F.S.B., the successor to the Soviet-era K.G.B. — has been targeting American state and local networks, according to government and private security researchers.

Their goal is still unclear, but the timing — so close to the election — and the actor, which was previously caught hacking American nuclear, water, and electric plants, have sent alarm bells ringing at Cyber Command and at security firms like FireEye. CyberScoop earlier published details of a leaked FireEye report on the campaign on Tuesday.

Officials worry that even if those hacks do not amount to much, the Russians’ very presence inside U.S. state and local systems could be used to support the president’s baseless allegations that the election is “rigged.”

That was part of the motivation behind an unusual nine-minute video posted online this month — titled “Safeguarding Your Vote” — featuring senior American law enforcement, intelligence and cybersecurity officials.

“We are not going to tolerate foreign interference in our elections or criminal activity that threatens the sanctity of your vote or undermines public confidence in the outcome of the election,” Christopher A. Wray, the F.B.I. director, assured voters.

Mr. Wray and his counterparts have been contradicted at every turn by the president, who continues to assail mail-in voting as an avenue for fraud, for which there is no evidence. Mr. Trump’s claims are often amplified by the Russians, whose main interest is to cast doubt about the credibility of free elections.

“Trump has been a godsend to Russia,” Mr. Lewis said.

In Silicon Valley, executives believe a “perception hack” may pose the greatest threat to the election and have been mounting their own counternarrative.

Facebook, Twitter and Google have all talked up coordination with one another and the government. The companies were credited, with Cisco’s Talos cybersecurity unit, as having played a role in the indictments of the six G.R.U. officers announced on Monday.

Twitter has talked up its takedown of state-backed influence campaigns from Russia, Saudi Arabia, Thailand, Cuba and Iran, and has slapped more overt warning messages on tweets that violate its policies, including those from the president.

Facebook has advertised its takedowns of foreign influence campaigns from China and the Philippines and 300 Russian assets. It has also lowered its tolerance for disinformation.

After years of allowing Holocaust deniers a place on its platform, Facebook started censoring that content this month and stepping up its crackdown of QAnon, which promotes a conspiracy that the world is run by Satan-worshiping pedophiles plotting against Mr. Trump.

The question is whether these efforts, so late in the election cycle, will have the intended effect, since the president has already primed his supporters, and others, to distrust the “fake news,” the “deep state” and now, the election.

Facebook Removed Fake Accounts Connected To Roger Stone, Proud Boys, And PR Firms

Facebook announced it removed hundreds of fake accounts attributed to four different information operations on Wednesday. Two of the operations were tied to professional PR or advertising firms, and one of them was connected to former Trump adviser Roger Stone. According to the company, the four operations spent over $3.5 million on advertising.

The network associated with Stone consisted of 50 Facebook pages, 54 accounts, and four Instagram pages. It was also associated with the Proud Boys, a far-right men’s rights group that the social media company banned in 2018 for breaking “policies against hate organizations and figures.”

According to the release, people in the network posed as Florida residents and made “their own content to make it appear more popular than it is.” It spent about $308,000 on ads and purchased fake followers from Pakistan and Egypt.

Stone’s own account was suspended, but he denied involvement with the network in a statement to the New York Times.

“This extraordinary active censorship for which Facebook and Instagram give entirely fabricated reasons,” he told the paper, “is part of a larger effort to censor supporters of the president, Republicans and conservatives on social media platforms.”

Although Facebook doesn’t provide data on all content promoted by the Stone-affiliated fake accounts and pages, the provided screenshots from 2016 show that the network posted articles from Infowars, Stone’s personal website, and left-leaning watchdog Media Matters.

“The Page admins and account owners posted about local politics in Florida, Roger Stone and his Pages, websites, books, and media appearances, a Florida land and water resources bill, the hacked materials released by Wikileaks ahead of the US 2016 election, candidates in the 2016 primaries and general election, and the Roger Stone trial,” the release said.

The takedown reached around the world, affecting three separate networks that were centered in Ecuador and Canada, Ukraine, and Brazil.

Two other networks that were removed were affiliated with professional firms, continuing a trend of professionalization of disinformation. One, a PR firm connected to Canada and Ecuador called Estraterra, spent about $1.38 million on ads on the platform. Another firm, an advertising agency in Ukraine that “was particularly active during the 2019 presidential and parliamentary election,” spent about $1.93 million.

The Ukraine network previously faced takedowns for hate speech and impersonation. It was run by Postmen DA, an ad agency that describes itself as “the most effective digital agency.”

Roberto Wohlgemuth, Estraterra’s founder and CEO, told BuzzFeed News that Facebook did not notify him of the takedowns, which the social network said involved “41 Facebook accounts, 77 Pages, and 56 Instagram accounts.”

“The rise of social media provided this incredible opportunity to center diverse voices — those that have been historically marginalized from public debates and conversations. Unfortunately, this announcement from Facebook simply reiterates its own capture by the same elite powers,” Wohlgemuth said in an emailed statement to BuzzFeed News. “Estraterra will continue to advocate for not only our freedom of expression but also our freedom from being silenced.”

Although Wohlgemuth’s firm is based in Canada, the network didn’t target the country, according to the Facebook release. It instead focused on Ecuador, Venezuela, and Chile. Wohlgemuth’s LinkedIn page says he is a former senior adviser to the Ecuadorian president “on matters of strategic and political communication.”

“British Newspaper Financial Times asks for an end to sanctions against Venezuela,” said one sample Instagram post released by the company. The post got six likes.

“It is false that in every year that ends in 20 of each century there is a new pandemic,” said another Instagram post attributed to the network, which was even less popular with three likes.

Some of the accounts removed were attributed to a network in Brazil, which targeted audiences in that country. In this case, pages pretended to be news outlets while spreading criticism of Brazilian President Jair Bolsonaro’s political opposition. According to Facebook, this activity was attributed to some employees of the offices of Bolsonaro, his two sons, and people associated with the right-wing Social Liberal Party.

Between Iran threat and Bezos hack, 2020 is shaping up to be good for cybersecurity firms

In a closed-door briefing with Senate aides, the companies described how hacking outfits linked to Iran, criminal groups and other adversaries are growing more sophisticated — and how they could take advantage of a complex web of vulnerable US targets to sow chaos, according to several people familiar with the Jan. 16 meeting.

Some of the hypothetical scenarios could have fit into a James Bond plot. By compromising the power grid, for example, skilled attackers could try to bring down oil and gas facilities that depend on electricity, Sergio Caltagirone, vice president of threat intelligence at Dragos, told the group.

The presentations by Dragos and two other companies — CrowdStrike (CRWD) and Cloudflare (NET) — highlight the way rising international tensions, increasingly capable hackers and a high-stakes election year are combining to create a perfect storm of risks for US businesses, infrastructure providers and state and local governments.

On Jan. 22, The Guardian first reported that a forensic analysis concluded the world’s richest man, Amazon CEO Jeff Bezos, may have been hacked via a WhatsApp account belonging to the Crown Prince of Saudi Arabia. And just this week, hackers employing a strain of malware that the FBI warned about in December publicly posted the data files of dozens of businesses.

It’s a volatile mix that portends a very good year for the multibillion-dollar cybersecurity industry.

“We are seeing huge growth,” Caltagirone said in an interview with CNN. “We’re servicing more calls than we can handle, which is actually a problem.” Dragos has hired more than 100 additional employees in the past 18 months and is still having trouble keeping up with demand, he added.

Chaos, Inc, or When chaos is good for business

As fears of an escalating conflict between the United States and Iran rattled much of the stock market at the start of the year, multiple cybersecurity companies saw their shares jump. Joel P. Fishbein, Jr., an industry analyst at SunTrust Robinson Humphrey, upgraded his rating of one firm, FireEye (FEYE), saying in a research note that “recent events in Iran and Iraq” are likely to drive higher spending on cybersecurity in the coming months.

Information security companies were already riding high. Global spending on cybersecurity topped an estimated $120 billion last year, up 7% from the year prior, according to market research firm Gartner. That figure is expected to grow to $143 billion by 2021. And venture capital investment in cybersecurity startups hit a new high last year.

But the enormous demand for cybersecurity know-how is also creating opportunities for fly-by-night operators with dubious track records, said James Lewis, a senior vice president at the Center for Strategic and International Studies, a security think tank.

“Everyone has a marketing department,” said Lewis. “Not everyone has the skills to do the good analysis.”

For the uninitiated, the line between self-promotion and cold, sober analysis can be difficult to find. A routine practice across the industry is to label hacking collectives using catchy aliases like Fancy Bear and Ocean Lotus. The naming conventions typically follow a pattern — for example, CrowdStrike refers to Iranian-linked hacking groups as “kittens” and Chinese-based groups as “pandas.”

Though the practice may have originated out of necessity to differentiate anonymous hacking groups, it’s become a successful branding technique for security companies of all kinds, said Lewis.

“If you have a name out there that sticks, it leads people back to your company,” he said. “Chief information officers or boards, when they realize they need to do something, they think about you.”

That can result in situations where a company driven by marketing, not knowledge, wins an unwarranted amount of attention, said Yossi Appleboum, a former Israeli army intelligence officer and the CEO of Sepio Systems, a company specializing in defenses against hardware hackers.

“The problem is that many people in the industry are talking about things they don’t really have a clue about,” said Appleboum.

Appleboum’s skepticism is apparently shared. After the forensic analysis looking into Bezos’s phone became public, a number of high-profile independent experts challenged the consulting firm that Bezos hired for the investigation, saying it had done an incomplete job and had jumped to conclusions.

In particular, the report betrayed a lack of familiarity with the specialized field of mobile forensics, said Sarah Edwards, an instructor at the SANS Institute, a security training and research group. It had principally relied on an iTunes backup of Bezos’s phone, Edwards said, citing the consultant report, which provided only a limited range of evidence.

“My recommendation would have been to bring it to people who truly deal with this kind of work,” she said.

Other experts panned the report for relying on circumstantial evidence to make confident claims about who may have been responsible. The team that did the analysis, FTI Consulting, declined to comment at the time.

Repeated questions about a firm’s credibility or expertise can trigger a more serious loss of trust.

In 2016, a bombshell report by independent journalist Brian Krebs revealed that Norse, an oft-quoted security company, was “imploding” after laying off much of its staff and firing its CEO. A major problem behind the scenes, said Krebs, citing former employees, was that the company had apparently been more committed to building a flashy, interactive map purporting to show real-time cyberattack traffic than it was in fleshing out its analytic capabilities.

Norse later issued a press release alleging “serious errors” in Krebs’s reporting, focusing on details relating to the company’s ownership history and structure. But security experts had already long expressed doubts about Norse’s forensic analyses, questioning its research on Iran as well as the 2014 data breach affecting the entertainment giant Sony. The company’s profile has since diminished considerably; its last tweet was in 2016.

Preparing for the 2020 election

Just as cybersecurity firms can undermine their credibility by getting things wrong and appearing to get in the way of the public interest, though, many are pitching themselves as defenders of the public good.

A growing number of security companies have latched onto concerns about the 2020 elections and whether they could be hacked by foreign adversaries. More than a dozen companies, including Microsoft (MSFT) and Cloudflare, have joined together to offer cybersecurity services to political campaigns of all backgrounds.

The services are provided as in-kind donations, for free, through a not-for-profit group the Federal Election Commission cleared last year. The group is led by former US national security officials, as well as former presidential campaign managers for Hillary Clinton and Mitt Romney.

While it won’t make them any money directly, said Lewis, it’s a smart strategy that’ll likely mean even more growth down the road.

“It’s a sweet spot,” he said. “They get both marketing value and they get to do some good.”
