Our Take

It’s probable that REvil, the Russia-based hacker gang that vanished after being blamed for the Kaseya cyberattack, will pop back up with a new name and more victims, Cybersecurity Fellow Maurice Turner said on CBS News.

Russian state-backed media’s coverage of state elections in Germany criticized German media outlets’ reporting, attempted to stoke East-West divisions, and echoed claims of election fraud, mirroring tactics Russia used in the lead-up to the 2020 U.S. election. Kristine Berzina, Corinna Blutguth, and David Metzger track Russia, Turkey, China, and Iran’s state-backed messaging in Germany in their latest analysis of data from our 2021 German Elections Dashboard.

The biggest legitimate concern with the New York City Board of Elections fiasco is the way an election administration mistake with no bearing on the actual results has been weaponized to fuel conspiracy theories that further undermine voter confidence, Elections Integrity Fellow David Levine writes in New York Daily News.

Russia’s notorious “troll farm” has morphed into a “news factory” called RIA FAN, which largely outsources its content creation to a group of anonymous, pro-Kremlin Telegram bloggers, Non-Resident Fellow Clint Watts and Lukas Mejia write in an ASD blog post.

Statements from democratic allies about China’s malicious cyber activities amplify the power of collective action, but they must be followed by specific, coordinated action to be an effective deterrent, Cybersecurity Fellow Maurice Turner explains on Twitter.

Hamilton 2.0 Analysis

In coverage of the anti-government protests in Cuba, Russian state media and diplomats amplified calls to end the U.S. embargo on the country, as well as Cuban officials’ accusations that U.S.-funded mercenaries are fomenting the protests. The Russian Foreign Ministry warned against “external interference” in Cuba and echoed claims that the United States is “staging” the protests to create a “color revolution.” Russian diplomats also promoted Russian President Putin’s article “On the historical unity of Russians and Ukrainians,” amplifying passages that claim “Russians and Ukrainians are one people” and that the United States and EU “dragged [Ukraine] into a dangerous geopolitical game.” Finally, emerging information about U.S. connections to suspects in the assassination of Haitian President Moïse provided fodder for RT to speculate about “the real extent of Washington’s role,” including one RT video that suggested that “Washington did all but pull the trigger.”

Last week, Xinjiang was again the most-mentioned topic on the Twitter accounts monitored on the China dashboard as diplomats and state media attempted to distort facts about the human rights abuses being carried out in the region. Several Chinese state media outlets also quoted a Washington Post piece accusing the United States of “hoarding and wasting valuable COVID-19 vaccines.” Diplomats and state media continued to spread Fort Detrick conspiracy narratives and accompanying cartoons, with Chinese Ministry of Foreign Affairs spokesperson Hua Chunying once again floating claims of a U.S. cover-up. Finally, Chinese officials pushed their regular claims that the United States, Canada, and EU member states were plagued by human rights problems, including racism, gun violence, and forced labor.

The sixth anniversary of the Iran nuclear deal (JCPOA) dominated Tehran-linked Twitter last week, with many hardliners using it as an opportunity to criticize outgoing President Rouhani and former lead negotiator Javad Zarif for the agreement’s perceived shortcomings. Press TV reported on and amplified Chinese Ministry of Foreign Affairs Spokesperson Zhao Lijian’s comments that the United States should lift sanctions on Iran. Iranian media also reported heavily on ongoing violence between Israelis and Palestinians, as well as revelations surrounding the Israeli firm NSO Group selling hacking software to governments around the world. Fars News dismissed an alleged plot by Iranian intelligence operatives in the United States to abduct Iranian American journalist Masih Alinejad in a single story that called the accusations “ridiculous.” Finally, Fars News used an interview with former White House national security advisor John Bolton to disparage former President Donald Trump as lacking the intelligence to carry out a coup.

Read the full report here.

News and Commentary

United States, NATO, EU, and others condemn China’s behavior in cyberspace: On July 19, the United States, the European Union, NATO, and several other countries issued statements condemning China’s malign behavior in cyberspace and accusing Beijing of working with criminal hackers in ransomware attacks and launching large-scale cyber espionage operations. The Biden administration formally blamed hackers affiliated with China’s Ministry of State Security for carrying out the Microsoft Exchange breach, which impacted more than 100,000 servers around the world. NATO’s statement marks the first time the alliance has publicly denounced China’s cyber activities. The United States also released details on 50 tactics and techniques used by Chinese state-sponsored hackers. ASD Cybersecurity Fellow Maurice Turner argued that the statements from democratic allies should be followed up with coordinated action to deter future Chinese cyber operations. 

Biden administration takes steps to counter ransomware threat: In a briefing to lawmakers on July 15, the White House announced an interagency task force will coordinate offensive and defensive measures to combat ransomware attacks across the U.S. government. The State Department will offer up to $10 million as a reward for tips that help track down cyber criminals backed by a foreign government, while the Treasury Department will work with public and private sector partners to cut ransomware groups off from the virtual currencies they use to sell their services and collect payments. The Cybersecurity and Infrastructure Security Agency (CISA) launched a new online hub where victims of ransomware attacks can find resources and request assistance. During the briefing, officials also asked lawmakers for expanded authority to establish mandatory cyber standards for critical infrastructure providers. ASD Cybersecurity Fellow Maurice Turner praised Treasury’s focus on virtual currencies but raised doubts about the effectiveness of the State Department’s tip program.

Data leak shows global abuse of spyware sold by NSO Group: A leaked list of 50,000 phone numbers spanning more than 50 countries shows that governments around the world are using hacking software licensed by NSO Group, an Israeli cyber-surveillance company, to monitor human rights activists, journalists, academics, opposition figures, and government officials. The nonprofit organizations Forbidden Stories and Amnesty International obtained the list, and a global consortium of 17 news outlets investigated it. The presence of a phone number on the list does not indicate whether it was targeted for surveillance, but the consortium believes that the data represents potential targets of NSO Group’s government clients. The phone numbers were concentrated in countries known to engage in surveillance of their citizens. The list included numbers of 85 human rights activists, 189 reporters, and over 600 politicians and government officials, including cabinet officials, prime ministers, and presidents. ASD Malign Finance Fellow Josh Rudolph argued that the Treasury Department’s Financial Crimes Enforcement Network should be given additional resources to track and report suspicious activities carried out by firms like NSO Group. 

In Case You Missed It

  • A New York federal court unsealed an indictment that charged an Iranian intelligence network with attempting to kidnap a U.S.-based journalist and human rights activist. 
  • The House Oversight and Reform Committee launched an investigation into the ballot review being run by Republicans in Arizona’s state senate. 
  • Belarusian security forces raided the offices and homes of several journalists and news outlets, including the office of Radio Free Europe/Radio Liberty.
  • Google published new research detailing a Russian state-backed hacking campaign that targeted European government officials through LinkedIn. 
  • An organization of Russian-speaking hackers known as Trickbot is on the rise again after being hobbled last autumn by the U.S. Defense Department and Microsoft.
  • The Federal Communications Commission unanimously approved a $1.9 billion program to help U.S. companies replace equipment made by Chinese telecom firms ZTE and Huawei.
  • A group of Iranian hackers posed as job recruiters in an attempt to breach U.S. and European defense contractors, while another Iranian hacking gang posed as academics to target journalists and scholars in the United States and United Kingdom.
  • The U.S. surgeon general urged social media platforms to address misinformation about the coronavirus and coronavirus vaccines, warning that it could lead to more virus-related deaths.
  • The United States and Germany are expected to announce a deal over the Nord Stream 2 pipeline in the coming days despite disagreements over the project.

ASD in the News

Windham election auditors confirm folding machine issue ‘root cause’ of discrepancy between vote, recount totals, WMUR9. Comments from Elections Integrity Fellow David Levine  

Zack Cooper and Oriana Skylar Mastro, Conversation Six. Conversation with Co-Director Zack Cooper

FOCUS: G-20 hails cooperation, but ease in U.S.-China tensions not in sight, Kyodo News. Comments from Co-Director Zack Cooper

US ex-VP Mike Pence slams Biden for being weak on China, Straits Times. Comments from Co-Director Zack Cooper

Disinformation: It’s History, Center for International Governance Innovation. Written by Non-Resident Fellow Heidi Tworek

Etterretningstrykket mot Norge er stort, sier etterretningssjefen to måneder før stortingsvalget. Er Norge under angrep? (The intelligence pressure on Norway is great, says the intelligence chief two months before the parliamentary election. Is Norway under attack?), Aftenposten. Comments from Elections Integrity Fellow David Levine

Quote of the Week

“We need to stop treating China as if they have a special immunity to being held accountable, and we need to act in parity as we have with the other major malicious cyber actors, including Russia.”

Dmitri Alperovitch, chairman of Silverado Policy Accelerator, said to the Washington Post on July 19.

The views expressed in GMF publications and commentary are the views of the author alone.