According to a top secret report by an analyst at the US National Security Agency (NSA) that was leaked by an anonymous whistleblower to the Intercept, the Russian Main Intelligence Directorate (GRU) launched a cyberattack on at least one unnamed supplier of voting software in the US. The 5 May 2017 report — published by the Intercept on 5 June 2017 — remains the most detailed US intelligence community account of Russian interference in the 2016 US election that has surfaced to date.
The NSA report clearly contradicts Russian President Vladimir Putin’s recent denial that Russia had been involved in hacking any foreign elections. According to Ian Phillips and Vladimir Isachenkov reporting for the Associated Press on 1 June 2017 about “a meeting with senior editors of leading international news agencies,” Putin unequivocally denied state-sponsored electoral hacking when asked about the upcoming German parliamentary elections: “We never engaged in that on a state level, and have no intention of doing so.”
However, Putin acknowledged the possibility that “patriotic” individuals may have engaged in the hacking. “Hackers are free people, just like artists who wake up in the morning in a good mood and start painting,” Putin said at the meeting. “The hackers are the same. They would wake up, read about something going on in interstate relations and if they feel patriotic, they may try to contribute to the fight against those who speak badly about Russia.”
Putin flatly denied that hackers would be able to have a “radical impact” on a foreign election anyway: “No hackers can have a radical impact on an election campaign in another country…. No information can be imprinted in voters’ minds, in the minds of a nation, and influence the final outcome and the final result. No hackers can influence election campaigns in any country of Europe, Asia, or America.”
Matthew Cole, Richard Esposito, Sam Biddle, and Ryan Grim writing for the Intercept leave little room for doubt regarding state-sponsored hacking activities:
“The NSA has now learned, however, that Russian government hackers, part of a team with a ‘cyber espionage mandate specifically directed at US and foreign elections,’ focused on parts of the system directly connected to the voter registration process, including a private sector manufacturer of devices that maintain and verify the voter rolls. Some of the company’s devices are advertised as having wireless internet and Bluetooth connectivity, which could have provided an ideal staging point for further malicious actions.”
GRU spear-phishing attacks
The GRU apparently used the data obtained from the hack to launch several spear-phishing attacks against local government officials, including those involved with absentee ballots. While the NSA report does not include the name of the company targeted, it refers to a product of VR Systems, a manufacturer of polling place hardware used to check voter information and voter registration roll software. The company’s electronic voting equipment is used in eight states (California, Florida, Illinois, Indiana, New York, North Carolina, Virginia, and West Virginia).
The NSA report indicates that seven email accounts of the unnamed targeted vendor were compromised using a method similar to that used to obtain access to certain Hillary Clinton presidential campaign email accounts.
The spear-phishing email included a link to a forged Google website requesting account credentials. Three of the spear-phishing emails were rejected by an email server, but according to the NSA report, at least one of the target accounts was probably compromised.
Subsequent emails, sent from the compromised target account to 122 email addresses associated with “US local government organizations,” contained a Microsoft Word attachment with instructions on how to use the vendor’s software to check voter registration status. The Microsoft Word document contained malicious code that likely downloaded and installed additional malware allowing the compromised computers to then be fully controlled by the hackers. The NSA report indicates the agency simply doesn’t know for certain if the “… spear-phishing deployment successfully compromised the intended victims, and what potential data could have been accessed by the cyber actor.”
Whistleblower Reality Leigh Winner arrested as source
Shortly after publication of the Intercept story of the attacks, the US Federal Bureau of Investigation (FBI) arrested Reality Leigh Winner, a contractor with top secret clearance, at her home in Augusta, GA. The FBI affidavit alleges that Winner “printed and improperly removed classified intelligence reporting, which contained classified national defense information from an intelligence community agency, and unlawfully retained it.” The affidavit further alleges that Winner subsequently disclosed the classified information to an unidentified online news outlet.
The FBI affidavit does not identify the agency for which Winner was contracting. Charlie Savage writing for the New York Times reports that Winner “has worked for Pluribus International Corporation at a government facility in Georgia” since 13 February and that “the NSA uses Pluribus contractors and opened a branch facility in the suburbs outside Augusta in 2012.”
On 5 June 2017, Winner was charged with “removing classified material from a government facility and mailing it to a news outlet, in violation of 18 U.S.C. Section 793(e),” a section of the Espionage Act of 1917.
During conversations about the documents, the unnamed news outlet (presumably the Intercept) provided copies of the documents to the NSA. The NSA’s analysis of the copies indicated the original had been folded, “suggesting they had been printed and hand-carried out of a secured space.” Savage reports that the NSA’s auditing system “showed that six people had printed out the report” and that only “Winner had been in email contact with the news outlet.”
According to the FBI affidavit, in a conversation on 3 June 2017 — two days before the Intercept published its story — “Winner admitted intentionally identifying and printing the classified intelligence reporting at issue despite not having a ‘need to know,’ and with knowledge that the intelligence reporting was classified. Winner further admitted removing the classified intelligence reporting from her office space, retaining it, and mailing it from Augusta, GA to the News Outlet, which she knew was not authorized to receive or possess the documents.”
A few yellow dots and the unintentional burning of a source
Sean Gallagher writing for Ars Technica reports that the Intercept contacted the NSA on 1 June 2017, and provided a copy of the documents it had received from an anonymous source, to confirm the documents’ authenticity. The scanned copy the Intercept provided to the NSA “included encoded watermarking that revealed exactly when it had been printed and on what printer.”
That encoded watermark — consisting of a few yellow dots in a specific grid — is used to steganographically encode metadata about the document into the printed output.
On 6 June 2017, the Intercept released a statement on the US Justice Department allegations. The statement asserts absolutely that the publication’s source was anonymous. The Intercept’s statement also includes a crucial reminder:
“While the FBI’s allegations against Winner have been made public through the release of an affidavit and search warrant, which were unsealed at the government’s request, it is important to keep in mind that these documents contain unproven assertions and speculation designed to serve the government’s agenda and as such warrant skepticism. Winner faces allegations that have not been proven. The same is true of the FBI’s claims about how it came to arrest Winner.”
On 6 June 2017, whistleblower-in-exile Edward Snowden released a statement in support of Winner receiving bail pending trial:
“The prosecution of any journalistic source without due consideration by the jury as to the harm or benefit of the journalistic activity is a fundamental threat to the free press. As long as a law like this remains on the books in a country that values fair trials, it must be resisted.”
On 8 June 2017, Winner pled not guilty to leaking classified information. She was denied bail.
Canonical source: Whistleblower leaks NSA report on Russian cyberattack.
Copyright © 2017 ARTS & FARCES internet. All rights reserved. | ISSN: 1535-8119 | OCLC: 48219498