News and Commentary

Russian hacking group launches powerful new cyber weapon: Fancy Bear, a hacking group linked to Russia’s military intelligence agency (GRU), has developed a powerful new cyber weapon that resists conventional counter-methods. The malware allows hackers to maintain access to a target even after a complete wipe of a computer’s hard drive, which would normally remove any threat. As described by the Daily Beast, the weapon “works by rewriting the code flashed into a computer’s UEFI chip, a small slab of silicon on the motherboard that controls the boot and reboot process.” Fancy Bear’s use of this tool represents the first time this type of malware has been deployed “in the wild,” according to cybersecurity firm ESET, proving that Fancy Bear “may be even more dangerous than previously thought.” According to ASD non-resident fellow Clint Watts, “The GRU is following a developmental model that’s very sophisticated … they have programmers who seem to be top-notch and they appear to rapidly deploy their cyberweapons not long after they develop them.” Fancy Bear, also known as APT 28, was responsible for the hacking of the Democratic National Committee and the email of Hillary Clinton campaign chair John Podesta in 2016. (Department of Defense, Investigate Russia, The Daily Beast, We Live Security, Department of Justice)

EU weighs fines in unprecedented Facebook data breach: Facebook announced on September 28 that, in an unprecedented security breach, hackers gained access to over 50 million users’ accounts, including those of CEO Mark Zuckerberg and COO Sheryl Sandberg. Hackers exploited a bug involving access tokens, which gave them full access to the users’ profiles. The hack also took advantage of Single Sign-On, a feature that allows users to log on to multiple third-party sites using one Facebook login, leaving open the possibility that hackers also accessed Facebook-linked sites such as Instagram and Spotify. The vulnerability of Single Sign-On is the subject of ongoing debate among digital privacy experts. University of Pennsylvania cryptographer Matt Blaze commented that, “We’re seeing the flip side of concentrating authentication into a few giants like Facebook, Google, etc.,” which means that when these companies get breached, “it’s a [catastrophe] of ecological proportion.” Rohit Chopra, a commissioner of the Federal Trade Commission, explained that breaches not only violate privacy, but “create enormous risks for our economy and national security.” Senator Mark Warner (D-VA) added: “This is another sobering indicator that Congress needs to step up and take action to protect the privacy and security of social media users.” Under Europe’s new GDPR data regulations, Facebook could be fined up to $1.63 billion for failing to protect the security of its users’ data. The breach will be one of the first high-profile cases in which GDPR is applied. (Axios, Recode, Twitter, The New York Times, Wall Street Journal)

As November midterms approach, experts continue to warn of vulnerabilities: On September 25, Senator James Lankford (R-OK) announced that the Secure Elections Act is unlikely to pass before the midterm elections in November. The bill, which is intended to strengthen voting systems against interference, is currently stalled in the Senate Rules and Administration Committee. Nevertheless, U.S. Secretary of State Mike Pompeo told CBS News’ Norah O’Donnell on September 26 that there is “no question” of the midterm elections’ security. However, a report delivered to Members of Congress on September 27 revealed that exploitable flaws remain present in voting machines that are still used in 26 states. Cybersecurity experts warn that these flaws could allow a malicious actor to alter the outcomes of an election. Meanwhile, McClatchy’s Tim Johnson and Ben Wieder report that underfunding of cybersecurity is endemic among 2018 midterm election campaigns. Of the candidates running for U.S. House and Senate positions, only six have spent over $1,000 on cybersecurity for their campaigns. (The Hill, Axios, CNN, Wall Street Journal, Just Security, WFMJ, McClatchy)

Macedonia referendum vote plagued by inauthentic online activity: Analysts noted an escalation in disinformation and other interference in the run-up to Macedonia’s name-change referendum on September 30, which could have potentially opened the door for the country to join NATO and the EU. Some of the interference was directly attributable to the Kremlin, as reports revealed that a Kremlin-linked oligarch had channeled funds into the country to encourage protests against the referendum. The origins of other interference efforts proved more difficult to trace, including a foreign-linked troll farm of fake Facebook accounts inauthentically “disliking” a pro-referendum video in an attempt to drum up anger over the issue. In a separate emotional appeal, the Facebook page Boycott the Referendum posted a slew of images linking the referendum to Nazism: “Some of the posts — including Nazi themed images — had over 1,000 likes and hundreds of shares.” As described by ASD’s Alexander Roberds and Brad Hanlon, the Kremlin has often employed its asymmetric toolkit to attempt to undermine the enlargement of Euroatlantic institutions. The results of the referendum were inconclusive, as only 36.5 percent of Macedonians turned out to vote, falling short of the 50 percent threshold; however, 91 percent of those who did vote supported the name change. The country is now in political crisis, with snap elections possibly on the horizon. (DW, Medium, EU Observer)

U.S. officials raise concerns over Chinese cyber threat: On September 30, a senior U.S. official revealed that China has cancelled an upcoming security meeting with U.S. Secretary of Defense Jim Mattis. While neither the United States nor China provided an official cause for the cancellation, the decision takes place against the backdrop of escalating tension between the two countries. On September 26, President Donald Trump accused China of meddling in the 2018 U.S. midterm elections. In remarks given at The Citadel military college, Director of National Intelligence Dan Coats described China’s cyber activities as “trying to exploit any divisions between federal and local levels on policy.” Coats described China’s hacking attempts as more methodical than those attributed to Russia. Voice of America raised similar concerns that China’s cyber initiatives may be shifting from corporate and industrial espionage to directly focusing on larger, strategic targets. (Reuters, Politico, CBS News, Voice of America)

Kremlin influence operations become more overt: An emboldened Kremlin is shifting its strategy from covert to overt messaging in attempts to spread disinformation, with Russia’s Ministry of Foreign Affairs going as far as to give an annual award to the embassy that best distinguishes itself in what journalist Kimberly Dozier calls “open verbal combat.” In the Daily Beast, ASD Director Laura Rosenberger explained, “Over the past nine months to a year, we’ve seen a much more aggressive overt messaging campaign from Russian outlets, from a lot of embassy accounts and the Foreign Ministry.” Lithuania has come up with a creative solution to battle Russian disinformation: a partnership between Lithuania’s STRATCOM and a volunteer force of “Baltic Elves” committed to debunking false narratives. (The Daily Beast, DW)

Kremlin continues to exploit divisions in the United States via social media: Last week, Graphika, a social media analysis firm, reported that Russian-linked Twitter accounts were involved in the hashtag campaign “boycottnike” after Nike launched an advertisement campaign featuring former San Francisco 49ers quarterback – and initiator of the NFL “take a knee” protests – Colin Kaepernick in September. Accounts tracked by the Hamilton 68 dashboard also confirmed that pro-Kremlin accounts focused heavily on the ad campaign. In the past, social media accounts linked to the Russian Internet Research Agency seized on the controversy surrounding Kaepernick to inflame tensions over race and police brutality in the United States. Russian trolls were also recently active in a popular pro-Trump Reddit community in an “effort to plant and [promote] links” to Russian government-run disinformation site USAReally. (Wired, CNN, Verge)

Our Take

On October 4, ASD Director Laura Rosenberger will speak at a National Press Club event hosted by Pennsylvania State University’s McCourtney Institute for Democracy titled “Imagination Fails Again: Understanding and Responding to Attacks on our Democracy.” Rosenberger will discuss efforts to protect our democracies from foreign interference. The event is open to the public.

On October 4, ASD’s David Salvo and Bret Schafer will join Chatham House in London for an event entitled “Tracking Russian Interference in Western Democracies.” They will discuss ASD’s Policy Blueprint for Countering Authoritarian Interference in Democracies, and the ongoing challenge of Russian and other state actors’ efforts to undermine democracy and democratic institutions in the United States and Europe.

Hamilton 68 dashboard

Accounts tracked by the Hamilton 68 Dashboard last week focused on a range of domestic and international issues. Early in the week, Kremlin-oriented accounts shared articles pushing Moscow’s narrative that blamed Israel for the downing of a Russian aircraft by the Syrian government last week. Following President Trump’s speech to the UN General Assembly on September 19, accounts diverged from their usual support for the president by promoting articles criticizing his policies in Syria and calling for support of the Russian-backed Assad regime. Later in the week, pro-Kremlin accounts transitioned to focus more heavily on the Kavanaugh hearings in Congress, propagating hashtags supporting Kavanaugh’s nomination and spreading articles decrying and attempting to discredit the women who accused him of sexual assault.

Quote of the Week

“There’s been no deterrence to Russian hacking … And as long as there’s no deterrence, they’re not going to stop, and they’re going to get more and more sophisticated.”

Clint Watts, former FBI Counterterrorism Agent, Research Fellow at the Foreign Policy Research Institute, Non-Resident Fellow at Alliance for Securing Democracy

Worst of the Week

After weeks of attempting to cast doubt on accusations of Russian government involvement in the poisoning of Sergei Skripal in the U.K., Moscow was caught off-guard when its key alibi fell apart. Reports last week revealed that “Ruslan Boshirov,” the “cathedral-obsessed, possibly gay fitness instructor” touted by the Kremlin and its affiliated media outlets as an innocent tourist, is actually Anatoly Chepiga, a high-ranking officer of Russia’s military intelligence agency who was awarded one of the Russian Federation’s highest honors, possibly by Putin himself. In response, Kremlin representatives claimed they did not know anything about Chepiga and promised to look into the claims, while state-controlled media asserted that the accusations are inaccurate. Despite this, Russian newspaper Kommersant interviewed several citizens from Chepiga’s small village who have confirmed his identity.

The views expressed in GMF publications and commentary are the views of the author alone.