It's election hacking season: Are you a target?

A flurry of reports this week allege that certain (ahem) “state actors” have been acting up again.

Allegedly, Russia and Iran have been phishing, hacking, and building fake profiles on Facebook, Twitter, and YouTube. (What? No Google Plus?) With the midterms just a few months away, the froth is building.

But some are accusing certain organizations of over-egging their stories, and cynically choosing when to disclose. In this week’s Security Blogwatch, we avoid the Русский разворот.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Blue vs. Red

Disintermediating disinformation

What’s the история? Brendan O'Brien and Christopher Bing bring Russian hackers targeted U.S. Senate, think tanks:

Microsoft Corp said that hackers linked to Russia’s government sought to launch cyber attacks on U.S. political groups, warning that Moscow is broadening attacks ahead of November’s congressional elections.

The domain takedowns represent Microsoft’s latest effort to thwart what it says are hacking attempts by a group known as “Fancy Bear,” or APT28, that is linked to the Russian government. … Russian government officials rejected the Microsoft allegations and said there was no evidence to support them.

The targeted think tanks included the International Republican Institute, whose board members include … John McCain … and the Hudson Institute, according to Microsoft.

And Donie O'Sullivan implies an implication, in DNC calls FBI after detecting attempt to hack its voter database:

The Democratic National Committee contacted the FBI … after it detected what it believes was the beginning of a sophisticated attempt to hack into its voter database, [said] a Democratic source.

The DNC was alerted … by a cloud service provider and a security research firm that a fake login page had been created in an attempt to gather usernames and passwords that would allow access to the party's database, the source said.

[Update: "Whoops: the cyberattack on the DNC was a test"]

So Ryan Nakashima adds fuel to the fire—Facebook takes down 652 accounts linked to Russia, Iran:

Facebook has identified and banned hundreds of accounts, groups and pages engaged in misleading political behavior, a far larger discovery than a “sophisticated” effort it reported three weeks ago with great fanfare.

[The] “coordinated inauthentic behavior” … included the sharing of political material. … Shortly after Facebook’s announcement, Twitter revealed that it had also suspended 284 accounts for “coordinated manipulation,” many of them apparently originating from Iran.

Facebook said its latest action … resulted from four investigations. … The first focused on a group called “Liberty Front Press” … linked to Iranian state media. … The second group … was linked to “Liberty Front Press” and attempted to hack people’s accounts to spread malware. … A third group, which also operated out of Iran, had as many as 813,000 followers, and also shared political content about the Middle East, the U.K. and U.S. … A fourth group that attempted to influence politics in Syria and the Ukraine was connected to sources that Facebook said the U.S. had linked to Russian military intelligence.

But wait. There’s more? Tony Romm doesn’t only read: [You’re fired—Ed.]

Can confirm YouTube also has taken down at least one account tied to Iran. Looks like the Russia/Iran disinformation … touched FB, Google, Twitter and more.

Expect more.

Okay, but sky falling? John Hultquist ist the voice of reason:

Before everyone gets too spun up at the prospect of more “election hacking” it’s important to remember that APT28 is first and foremost an intelligence collector. These attempted intrusions do not necessarily presage active measures.

Long before it started dabbling in leaks and personas, APT28 was a run of the mill cyber espionage actor targeting things like parliaments and think tanks. In fact, my team first found them when they hit a think tank many years ago.

Obviously the election cycle increases the danger of an active measures campaign, which this may well have been headed toward, but it also increases uncertainty, and intelligence collectors are tasked to reduce uncertainty.

O RLY? Jason Kichen thinks Hultquist is spot on:

There’s a first principles thing at play: as an intelligence collector, collecting information is paramount. Doing something with that data (i.e. active measures) depends on what you can collect and how informative it is towards the objective you want.

Successful effects operations depend on the data available to those executing the ops, thus … the act of collection doesn’t mean effects operations are next. But it should raise the flag that they are possible.

Understanding what was compromised and collected is key to understanding what effects operations may result.

And Esfandyar Batmanghelidj worries that one of these things is not like the others:

A couple things that stick out about … the discovery of an Iranian “influence operation” across websites, Facebook, and Twitter. This doesn't look like an Internet Research Agency type operation.

Let’s start with … Instituto Manquehue. … It is a weird site … but it doesn’t seem inherently “fake.” The institute appears to have been around since 2014 offering a leftist vision for Latin American journalism. … What is most interesting, however, is that there is a physical institute in Santiago, Chile of the same name. It would be extreme for an “influence operation” to … create a physical site in Latin America [that] has existed since [at least] Oct. 2014. …

Basically, using open sources, you can verify FireEye’s claims. But it is worth looking at the assertion that Iranian actors “continue to engage in and experiment” with influence operations in light of the information gathered here. … It is all very sloppy: … It doesn’t reflect a deliberate attempt to hide the connections.

Basically, I think FireEye/Facebook/Twitter has stumbled upon the past amateurish efforts of Press TV and its affiliates to create influential news platforms. … This is very different from an army of trolls assembled by an intelligence agency.

Iran is pumping out fake news as it has for years and years. … the label "Iran" made it politically easy to decide to ban the accounts, whereas Alex Jones gets a pass.

Oh! And here’s @Pentangeli1984:

Timing is interesting. … Announcement regarding Iranian influence operation 2 days after Bolton warns of potential Iranian meddling. Who paid … for this fact-finding mission?

Possibility that a foreign or domestic entity … might seek to further exacerbate anti-Iran hysteria in the US. … Certainly plausible.

Adding to the general tin-foil-hattery, it’s Ari Levy:

Facebook said it was going to release this news on Thursday.

And then it mysteriously decided to move the announcement up [a day].

Meanwhile, Stan Horaczek sounds slightly jealous:

One thing that happens when Facebook announces that it’s deleting fake news accounts is that I get sad because terrible Russian propaganda meme accounts have more Instagram followers than I do.

The moral of the story: Are you a target for state actors? Are you monitoring your platforms accordingly?

And finally …

The Blue Angels vs. the Red Arrows

You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Samuel Gentilhomme (cc:by-nd)