Today's Indictment in Context.....Again
Today’s indictment continues the uptick in the use of indictments to counter cyber attacks and disinformation which, in conjunction with automation, reflect the authoritarian playbook for interference operations. The indictment charges a dozen members of the Main Intelligence Directorate of the General Staff (GRU) with conducting “large-scale cyber operations to interfere with the 2016 U.S. presidential election”, including the Democratic National Committee (DNC) compromise. This is just the latest high-profile indictment against Russia for election interference and continues the steady beat of indictments against nation-state affiliates for cyber activity.
As the indictment details, the interference operation employed a series of phishing campaigns, credential theft, and malware to enable data exfiltration. The GRU members used these tactics persistently to compromise Clinton campaign employees and volunteers in addition to the DNC and DCCC compromise, created fake personas (DCLeaks and Guccifer 2.0), and maintained a series of computers located globally to mask their identity and location. The GRU members created fake Facebook and Twitter accounts to launch and promote DCLeaks-related information. Importantly, the indictment also notes the compromise of a vendor that verifies voter registration, reveals the theft of voter registration information of 500,000 voters by hacking state board of elections websites, and states that the GRU members conducted reconnaissance into county-level election websites in several states.
This global infrastructure was paid for in cryptocurrency, which is interesting as it is both a popular means for criminals to obfuscate attribution, and also because Russia previously considered creating its own national cryptocurrency (but later decided it was too risky and instead helped Venezuela create one to circumvent U.S. sanctions). The indictment details the use of both cryptomining as well as purchasing Bitcoin via currency exchanges.
This broad range of attacks and targets demonstrates the extreme coordination of Russian interference operations across the spectrum of influence, synchronizing bots, trolls, and cyber attacks as part of a coherent strategy. Given that the twelve individuals likely will never be arrested in the United States, many question the purpose of such indictments. As I’ve previously argued, indictments demonstrate the potential for attribution and the level of capabilities that can provide this evidence, help support a broader deterrence strategy, and have led to arrests previously when those indicted travel outside of Russia. In this case, the indictment can also help disrupt the financial apparatus funding the operation.
Importantly, this indictment also comes at a time when Russian interference operations extend well beyond elections and include compromise and/or reconnaissance of U.S. critical infrastructure, underwater cables that are core to trillions of dollars of transactions and communications, a global campaign targeting routers, not to mention the NotPetya attack which caused over a billion dollars in damage globally.
The timing is of course relevant with Monday’s summit between President Donald Trump and Russian President Vladimir Putin. Trump has stated that election interference will be discussed, but currently it appears issues such as Syria, Ukraine, the Middle East and nuclear proliferation will take precedent over any constructive discussion of further repercussions for Russian interference operations. As the U.S. increasingly employs a range of tools against numerous countries in response to interference operations, today’s indictment signals the vast level of detail and potential for attribution. It also demonstrates that a strategy of naming and shaming will continue in response to the spectrum of malicious digital activity, while potentially contributing to the much needed foundation for a broader deterrence strategy against this behavior.