by James Scott, Sr. Fellow, ICIT
Malicious actors can easily position their breach to be attributed to Russia. It’s common knowledge among even script kiddies that all one needs to do is compromise a system geolocated in Russia (ideally in a government office) and use it as a beachhead for attack so that indicators of compromise lead back to Russia. For additional operational security, use publically available whitepapers and reports to determine the tool, techniques, and procedures of a well-known nation-state sponsored advanced persistent threat (APT), access Deep Web forums such as Alphabay to acquire a malware variant or exploit kit utilized in prolific attacks, and then employ the malware in new campaigns that will inevitably be attributed to foreign intelligence operations. Want to add another layer? Compromise a Chinese system, leap-frog onto a hacked Russian machine, and then run the attack from China to Russia to any country on the globe. Want to increase geopolitical tensions, distract the global news cycle, or cause a subtle, but exploitable shift in national positions? Hack a machine in North Korea and use it to hack the aforementioned machine in China, before compromising the Russian system and launching global attacks. This process is so common and simple that’s its virtually “Script Kiddie 101” among malicious cyber upstarts.
Western systems lack the security and resiliency to withstand foreign compromise. Moreover, Incident Response techniques and processes are not comprehensive or holistic enough to definitively attribute an incident to a specific threat actor from the multitude of script kiddies, hacktivists, lone-wolf threat actors, cyber-criminals, cyber-jihadists, hail-mary threats, and nation-state sponsored advanced persistent threats (APTs), who all possess the means, motive, and opportunity, to attack minimally secured, high profile targets. Organizations such as the DNC, RNC, Whitehall, and the German Bundestag have all been targeted in cyberattacks launched with the possible intention of influencing global politics  . These incidents aimed to influence voter confidence by hindering public opinion through leaked emails, social media hashtags, and disinformation. In particular, the DNC and RNC hacks demonstrated to the global community that the United States was not cyber-secure and adversaries capitalized on that exploitable vulnerability. It would be easy to baselessly declare that all of the attacks were launched by Russia based on the malware employed; however, other threat actors such as Anonymous, Comment Crew, Desert Falcon, etc. could easily emulate the tools, tactics, and procedures of a Russian nation-state APT attack.
Attribution Remains More Guesswork than Fact
The attribution of cybersecurity incidents is a developing process that has not advanced as rapidly as the expansion of the next generation threat landscape, the explosive proliferation of sophisticated threat actors, or the increasing accessibility and availability of complex malware, exploit kits, and tools. Incidents, such as the DNC breach, are investigated based on presumptions of a threat actor profile and on the Incident Response process that preserves and analyzes any indicators of compromise that remain on the system (i.e. the digital crime scene). Threat actor profiles typically consist of a pool of actors with the means, motive, and opportunity to target the system. Incident Response includes data logs from perimeter security devices (firewall, IDS/IPS, etc.), full packet capture archives, and any other data that provide insight into the network and server/host level activities of the threat actor .
Attribution might be reliable if the target is well-protected, if the target operates in a niche field, or if the malware involved in the incident is unique because one or more of those characteristics can be deterministic of the sophistication and resources of the threat actor. Attribution is less exact in the case of the DNC breach because the mail servers compromised were not well-secured; the organization of a few hundred personnel did not practice proper cyber-hygiene; the DNC has a global reputation and is a valuable target to script kiddies, hacktivists, lone-wolf cyber-threat actors, cyber-criminals, cyber-jihadists, hail-mary threats, and nation-state sponsored advanced persistent threats (APTs); and because the malware discovered on DNC systems were well-known, publically disclosed, and variants could be purchased on Deep Web markets and forums .
The DNC breach has been widely believed to be part of a misinformation campaign, possibly attributed to APT28 (aka Sofacy, Sednit, Fancy Bear) and APT29 (aka Cozy Duke, Cozy Bear) based on the operational security observed, the modular malware employed, and the command and control (C2) structure used to perform tasks and avoid detection . Sources close to the investigation believe that the threat actors involved in the incident were known entities, at least one step removed from the Russian government . Based on accounts of the classified briefing, the intelligence community has not collectively attributed the DNC breach and other recent incidents that weaponized information against the U.S. electoral process, to Russia. This disagreement is likely due to the ease which an adversary could conduct a breach mimicking the documented and publically available tools, tactics, and procedures, of advanced persistent threat (APT) groups with known affiliations to the Russian government.
In their blogpost, Crowdstrike does not directly attribute the incident to Russia, China, or to any other nation-state entity, in part because it is possible that the threat actors operate as cyber-mercenaries or do not work exclusively for a nation-state, and in part because it is possible that attacks were launched by another threat actor emulating the publically disclosed tools, tactics, and procedures of the more infamous APT28 and APT29. APT28 is known to target Western Government, Media, Energy, and Defense organizations with malicious phishing domains that resemble that of the legitimate target and with malware and exploit kits including Sofacy, X-Agent, X-Tunnel, WinIDS, Foozer, and DownRange droppers. Breaches attributed to APT28 include the 2015 breaches of the German Bundestag and the French TV5 Monde. APT29 targets Western Defense, Energy, Extractive, Financial, Insurance, Legal, Manufacturing Media, Think Tanks, Pharmaceutical, Research and Technology industries, and Universities, with spear phishing campaigns, malicious droppers, and a Remote Access Trojan (RAT), such as AdobeARM, ATI-Agent, and MiniDionis. Both APT28 and APT29 are well-known sophisticated threat actors that have been extensively profiled by cybersecurity firms such as FireEye. As a result, their profiles, operational behavior, tools, and malware could all be easily emulated by even an unsophisticated adversary in a campaign against an insecure target such as the DNC, that did not prioritize cybersecurity, cyber-hygiene, or system cyber resiliency . For instance, the cyber-criminal group Patchwork Elephant, known for adopting malware from other campaigns, could easily have also conducted the DNC/ RNC attacks by emulating APT28 and APT29.
The Weaponization of Social Media for Digital Information Warfare
Espionage and geopolitical manipulation can now be easily achieved through cyber and information warfare from any adversary ranging from script kiddie to nation state APT, with access to social media networks like Twitter, Reddit, Facebook and YouTube. Internet channels have always provided Intelligence to entities in Russia, China, the United States, and every major nation have and use the capability to distribute ideological propaganda. Now, at least China, Iran, Russia, and Venezuela, have funded political propaganda campaigns that digitally weaponized information by spreading disinformation and polarizing content throughout Western nations . For instance, Russia had “The Agency”, in which internet trolls were hired to actively promote disinformation on internet sites relevant to Western interests. The Chinese government has similar capabilities . Digital Information warfare weaponizes social media to proliferate ideological variants and disinformation, in order to manipulate public perception in a manner that coincides with an adversarial desired outcome. Digital perception management is a subset of information warfare that focuses on the spread of misinformation, propaganda, and disruptive ideologies, through seemingly innocuous sources such as social media, online publications, etc. Information leaks, such as the DNC leaks, are dangerous because they provide a context-less release of information to the public that breeds distrust and resentment. While impactful, leaks are just one form of information warfare. Every threat actor ranging from script kiddie to Anonymous, to the Duke APTs has access to Twitter, Facebook, Reddit, 4chan, and other platforms that can be leveraged to impart national ideological variance into the public. Likewise, the Dabiq magazine published by the Cyber Caliphate and used to recruit lone wolf threat actors and militant jihadists demonstrates that even an unsophisticated threat actor can freely distribute propaganda online in order to reach and influence a certain portion of the internet .
2016 has demonstrated that America is ill-prepared for any form of information warfare. American workforces deficient in cyber-hygiene are tasked with defending insecure networks lacking cybersecurity and cyber resiliency from potent cyber adversaries who are capable of obfuscating and adapting their activities to avoid detection and attribution. Regardless of attribution, the recent series of leaks, propaganda proliferation, and other information warfare attacks have demonstrated to the global community that the United States is susceptible to manipulation and ideological compromise through even basic tools like email, Twitter hashtags, and other social media. In 2016, digital information warfare attacks from major adversarial nation-states (China, Iran, Russia, etc.) sowed seeds of doubt in the pillars of American government, which include the democratic process, the legitimacy of the elections, and the spreading of rumors to make the intelligence community see dis-unified and ill-informed. Still, the nation got away relatively scot-free if all we experienced was the limited weaponization of social media for information warfare and some breaches with limited kinetic effect. All of these pseudo-anonymous attacks that occurred this year pale in comparison to the cyber and information warfare attacks that hyper-evolving threat actors ranging in sophistication from script kiddie to nation-state APT, will launch in the near future. Imagine the damage an unsophisticated script kiddie could have wrought if instead of simply breaching the DNC or RNC, they conducted a Mirai attack on election systems. Imagine if a sophisticated threat, like a Chinese APT, stole or altered data as Deep Panda may have done in the OPM breach. Even malicious adversaries lacking in cyber-capabilities, such as the cyber caliphate, hail-mary threat actors, or enemy nation-states, can launch cyber and cyber-kinetic attacks against critical infrastructure systems by outsourcing the attack to a cyber-mercenary or mercenary APT, for no purpose other than demonstrating a capability, declaring a geopolitical statement, or spreading discord. In 2016, the United States lacked readiness for digital information warfare from a multitude of so many known threat actors, possessing even modest technical capability and competing to proliferate their variant of reality to the American people. National prioritization of cybersecurity, cyber-hygiene, and cyber resiliency will be needed to deter and to combat adversarial theft and manipulation of data and digital information warfare campaigns.
 C. Mortimer, “Russian hackers tried to disrupt UK general election, security sources say,” in The Independent – Home News, Independent, 2016. [Online]. Available: http://www.independent.co.uk/news/uk/home-news/russian-hackers-tried-to-disrupt-uk-general-election-security-sources-say-a7329406.html. Accessed: Dec. 12, 2016.
 BBC, “Russian hackers ‘threaten Germany 2017 election’, MPs warn,” in BBC Europe, BBC News, 2016. [Online]. Available: http://www.bbc.com/news/world-europe-38288181. Accessed: Dec. 13, 2016.
 M. Mcardle, “Why Attribution of hacks like the DNC breach is so difficult,” in Esentire, 2016. [Online]. Available: https://www.esentire.com/blog/whodunnit-why-attribution-of-hacks-is-so-difficult/. Accessed: Dec. 12, 2016.
 D. Alperovitch, “Bears in the midst: Intrusion into the democratic national committee »,” in From The Front Lines, 2016. [Online]. Available: https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/. Accessed: Dec. 13, 2016.
 PBS NewsHour, “Russia aimed to help trump through hacking, CIA finds,” in YouTube, YouTube, 2016. [Online]. Available: https://www.youtube.com/watch?v=1XsYKNRPBEY. Accessed: Dec. 12, 2016.
 M. Gonzalez, “Are you reading propaganda from China and Russia?,” in Media, The Federalist, 2016. [Online]. Available: http://thefederalist.com/2016/04/19/authoritarian-regimes-send-westerners-agitprop-to-inflame-far-left-far-right/. Accessed: Dec. 12, 2016.
 M. Ohlberg and B. Lang, “How to counter china’s global propaganda offensive,” in The Opinion Pages, The New York Times, 2016. [Online]. Available: http://www.nytimes.com/2016/09/22/opinion/how-to-counter-chinas-global-propaganda-offensive.html. Accessed: Dec. 12, 2016.
 Scott. J and Spaniel. D, “The Anatomy of Cyber-Jihad: Cyberspace is the New Great Equalizer,” ICIT. 2016. [Online] Available: https://icitech.org/publications/