During the first day of Exatel Security Day 2017, Adam Haertle, IT security expert, hosted a panel entitled “Election hacking. Cyber-security of socio-political processes”. BiznesAlert.pl is the event’s partner.
During his presentation, the expert explained how hackers attempt at influencing elections. As an example he used the latest presidential election in the US, and the hacking scandal that rocked Hillary Clinton’s campaign.
According to Haertle, it turned out that Clinton’s campaign, which had millions of dollars did not employ security specialists. The FBI informed the Democrats about the fact that their servers were hacked back in September 2015. After some time, the campaign hired the CrowdStrike company, which confirmed the Bureau’s information. It turned out that the Democrats’ entire network was under control of at least two groups APT 28 and APT 29, i.e. Russia’s civil and military intelligence respectively.
“Interestingly enough these groups do not cooperate with each other. They act independently. No evidence suggesting that they helped each other has been found,” said Haertle. The expert added that the discovery forced the staff to replace all of their IT equipment.
In Haertle’s opinion, there is a number of reasons to believe that Russian hackers were behind the attacks on the Democrats’ servers. In result of the hack, 60 thousand emails from Clinton’s campaign manager, John Podesta’s account were leaked. The perpetrators used the so-called phishing technique, which gave them access to the account’s password and allowed them to steal the data. The e-mails were published on, among others, WikiLeaks and a blog maintained by an internet user called Guciffer 2.0.
“The Democrats tried to turn the situation to their advantage. They wanted to say ‘we are the good guys and Russians attacked us, so vote for us.’ They revealed the hack and CrowdStrike’s discovery, which showed that it really was an organized group of professional hackers related to APT 28 and APT 29”, said the presenter.
The above statement was announced on 14 April. Right on the next day, Guciffer 2.0’s blog appeared where he stated he was Romanian and was behind the server hack.
According to Haertle journalists decided to interview him and verify if he was really Romanian. So they had an actual person from Romania to talk to him, but it turned out Guciffer’s Romanian was not as advanced as one would expect. At the same time, as the expert pointed, one could not exclude this was done on purpose to avoid falling prey to stylometric techniques and being identified.
During his presentation, Haertle showed a print screen from the blog and pointed to one detail “three closing brackets.”
“The context indicates that there should be a smile in this place. The question is why is someone smiling with three brackets?” he asked.
In his opinion this was about the keyboard that was used to make the blog entry. It is easier to type a colon on western (Latin) keyboards. It is very uncomfortable to type it on a Russian one, so three brackets are used instead.
Haertle also added that Guciffer 2.0 sent out stolen documents to various journalists who compared them.
“Those included the same document that was sent to two different receivers. In one of them links to non-existent addresses were in English, in the other in Russian. This means the computer on which the document was fabricated, or opened and saved had either a Russian version of Word, or its entire system was in Russian,” said Haertle and added that one of the last people who edited the document was Feliks Edmuntowicz, or Feliks Dzierżyński (in Cyrillic alphabet – ed.).
It also turned out that the sent e-mails had the same IP address (18.104.22.168). Analyses have shown it belonged to a Russian VNP server.
The expert also pointed to the fact that the stolen documents were published gradually and that the release depended on the developments in the US campaign. He also stated that it looked as if the hackers were well-prepared for the attack, but backed out before the elections.
Haertle also reminded about the recent presidential election in France. In his opinion, Paris prepared for the possible attacks, remembering what the hackers did across the pond. He also pointed to the fact that in September there will be elections in Germany and Norway. He did not exclude hackers’ increased activity during that period.