Just when the cybersecurity world thinks it's found the limits of how far Russian hackers will go to meddle in foreign elections, a new clue emerges that suggests another line has been crossed.

Even now, nearly a year after news first broke that Russian hackers had breached the Democratic National Committee and published its internal files, a leaked NSA document pointing to Russian attempts to hack a voting-tech firm has again redefined the scope of the threat. Taken with the recent history of Russia's digital fingerprints on foreign elections, it points to a disturbing trend: Moscow's habit of hacking democratic processes has only gotten more aggressive and technically focused over time.

This week, the national-security-focused news outlet the Intercept published a top-secret NSA file outlining how Russian hackers, believed to have been part of the country's GRU military agency, attempted to phish the credentials of employees at VR Systems, a Florida-based tech firm that sells equipment and software used in voting registration. The leak represents the first solid evidence that Russian election hacking has escalated beyond mere political leaks and disinformation to threaten the core systems of America’s voting apparatus.

"We were all kind of hoping that the election hacking was at the cognitive level: propaganda, doxing, influence operations. But this is proof that they were actually closer to the tactical, technical level," says Kenneth Geers, an ambassador to NATO's Cyber Center who has long followed Russian hacking campaigns. “They were closer to the guts, to the operating system of our democracy, than we knew.”

For Geers and his fellow digital Kremlinologists, the VR Systems attack represents only the latest in a progression of either confirmed or presumed Russian election-hacking tactics they've tracked for years. (And that progression doesn't even necessarily include the Kremlin's regular doses of bot-driven propaganda and misinformation—not true hacking, but disruptive nonetheless.) Here's what we know—and suspect—about Russia's digital attacks on the clockwork of democracy over the last decade.

DDoS Attacks

The crudest tool at Russia's disposal for election interference has been to simply knock the opposition's website off the internet. Starting in the late 2000s, pro-Russian hackers bombarded the sites of opposition leaders like Garry Kasparov in the midst of his 2007 campaign for president, keeping Kasparov's site offline or sluggish at key moments during the campaign season. In Russia's 2011 election, the target list expanded to include opposition media outlets like the Moscow Echo, and the election monitoring group Golos.

In all those cases, armies of malware-infected computers flooded the targets with junk traffic, overwhelming the servers that hosted the sites. Around the same time, attacks timed to political campaigns struck the websites of opposition politicians in former Soviet states where Russia maintains deep influence, like Belarus and Ukraine. As with most DDoS attacks, it's been tough to definitively trace the original source of those attacks, or prove any government involvement.

Spoofed Results

In 2014, one pro-Russian hacker group tried a more fine-tuned approach to political web-hacking. A Russian-speaking hacker operation calling itself CyberBerkut compromised the website of Ukraine's Central Election Commission, and changed the election results it was set to display to declare the winner as ultra-right candidate Dmytro Yarosh. Commission officials spotted the attack less than an hour before the results were set to be released, and prevented the fraudulent version from being shown publicly. Russian state media, apparently coordinating with CyberBerkut, broadcast the fake results regardless.

Aside from that apparent coordination, more recent hints have tied CyberBerkut to the GRU hacker group known as APT28, or Fancy Bear. Cybersecurity researchers at the University of Toronto group Citizen Lab performed an analysis of another CyberBerkut operation last year, this one targeting investigative journalist David Satter. They found that the account that created the phishing link used in that attack had also likely created URLs that security firms ThreatConnect and FireEye previously tied to Fancy Bear.

Targeted Leaks

Despite repeated statements from President Trump and his surrogates to the contrary, intelligence agencies and the cybersecurity community today agree almost unanimously that Russian government hackers stole and leaked data from a series of Democratic targets in 2016. Those targets included the Democratic National Committee, the Democratic Congressional Campaign Committee, and the emails of Clinton campaign manager John Podesta. The resulting leaks were published under the fake hacker handle Guccifer 2.0, sent to GOP operatives, and, most effectively, shared with WikiLeaks, which trickled them out during key weeks of the campaign.

All of which represents a far more sophisticated and politically savvy attempt to influence the US democratic process than Russia had attempted previously, says Eric Rosenbach, a former assistant secretary of defense for cybersecurity under the Obama administration. "Three years ago they were spoofing a results page. That’s a low-grade information op," says Rosenbach. "Now they're going after very high profile political targets."

And the hack and leak trick may not be limited to the US alone: Hackers also published gigabytes of leaks from the party of center-left candidate Emmanuel Macron on the eve of the French election, and stole data from Germany's legislative body that hasn't yet been released.

Security firm Trend Micro found that the same APT28 group had crafted phishing links to target Macron's party, as well as the party of German Chancellor Angela Merkel. With the German election coming up in September, more political leaks may be in store. "The Russians are probably still refining their tactics," says Jim Lewis, a cybersecurity-focused fellow at the Center for Strategic and International Studies. "The next big target for them is Germany."

Infrastructure Hacking

As revealed in the Intercept's leaked NSA report, hackers believed to be working for Russia's GRU military agency—the same agency tied to the group known as Fancy Bear or APT28—sent phishing emails to VR Systems, the makers of hardware and code used to handle voter sign-ins at polling places in eight US states. Senate Intelligence Committee vice chairman Mark Warner followed up by telling USA Today on Tuesday that the extent of the attacks was in fact much broader than anyone has yet reported. And US intelligence agencies had already implicated the Kremlin in breaches of the websites of the boards of election for Arizona and Illinois.

The NSA report on the VR Systems attack, at least, includes no evidence that the phishing attempts were successful. And even if they had been, the disruption that might have ensued would likely have been more effective at casting doubt on the election results than at measurably changing its outcome. Warner, too, has said that there's no evidence the 2016 attacks changed actual vote counts.

VR Systems' equipment, it's worth noting, doesn't actually count votes in the first place. Still, University of Pennsylvania computer science professor Matt Blaze has pointed out that the impacted devices could have ended up on the same network used to manage local polling places, leading to potential attacks on voting machines. Even then, America's fragmented state-run voting infrastructure means that meaningfully changing election results would be an unpredictable, unlikely process.

The new leak nonetheless shows that Russian hackers have graduated from mere information and propaganda attacks to techniques designed to more directly tamper with election machinery. CSIS's Lewis argues that other countries may be more vulnerable than the US to that kind of tampering—and the Kremlin may just be getting started. "Russia wants to disrupt and discredit elections in the West. But their long-shot goal is actually to manipulate the outcomes of elections," Lewis says. "In this case, it doesn’t look like they succeeded. But it was just their first try."

Wired