Gray Day
The link transported Podesta to a fake website mocked up to look like the Google Gmail password-security page. He entered his current username and password and then the new password he crafted to keep the Ukrainians out of his business, thank you very much. He then closed the site and went back to his day. Mission accomplished.
Within moments, Russian cyber spies compromised Podesta’s account. The email was sent by Aleksey Viktorovich Lukashev, a senior lieutenant in Russian military Unit 26165 located in Moscow. He was using a Russian-based email account, hi.mymail@yandex.com, which he spoofed to make it look like it came from Google. The use of Ukraine as the “location” on the email address and a corresponding IP address that led to a Ukrainian city was gallows humor. Russia had test-fired the same attack against Ukraine to disrupt the most pivotal election campaign in the nation’s history—one that grew out of a February overthrow of the prior pro-Russian government. On May 21, 2014, four days before the election, a hacktivist group called CyberBerkut triggered an attack on Ukraine’s Central Election Commission computers. The attack destroyed hardware, corrupted software, and disrupted the internal network. Twelve minutes before polls closed on Election Day, CyberBerkut posted false election results to the election commission’s website. Russia’s TV Channel One aired the fake information.
The Russians, of course, did not stop with Podesta either. In March 2016 Lukashev and his comrades compromised at least ten computers and numerous individuals at the Democratic Congressional Campaign Committee (DCCC) through email attacks. The Russian spies used a control server they leased in Arizona to monitor individual employees’ computer activity or steal passwords. They then used this compromised network access to spread the attack. In April 2016, the Democratic National Committee discovered a breach that the FBI had been warning them about for months. The FBI had informed the DNC in September 2015 that Russian hackers had compromised at least one DNC computer. The DNC IT department found no malware after scanning the system and apparently chose not to share the FBI’s concerns with the DNC’s senior leadership. In November 2015, the FBI called again. Now the DNC computer was transmitting information back to Russia. A few months later, Podesta clicked his devastating email link.
A month after that, the DNC finally installed cybersecurity tools that spotted the breach. Too little, too late. The Russians had already stolen what they needed. When you don’t hunt the threat, the threat hunts you.
Democrats wrung their hands as private emails and confidential memoranda appeared online like revenants, resurrected to destroy the party. In July, WikiLeaks published nearly 20,000 emails from the DCCC and DNC’s servers. As an encore, WikiLeaks distributed nearly 60,000 pages of emails from Podesta’s account in October and November 2016. The fallout included the resignation of the DNC chairwoman and most of her top party aides, a scandal that sidelined a number of leading Democrats, weeks of negative press that called into question the honesty and integrity of the Hillary campaign, and unlimited fodder for Trump’s Twitter account.
A July 13, 2018, indictment from the Robert Mueller investigation accused Lukashev and eleven other Russian GRU officers of hacking into the computers of US persons involved in the 2016 presidential election, stealing documents from those persons, and staging the release of that information in order to interfere with the election. To mask their connection to Russia, the twelve cyber spies used false identities and exploited a network of computers located across the world funded by cryptocurrency such as Bitcoin. These “middle server” computers acted as proxies to obscure the connection between the Russian attackers and their victims at the DCCC, DNC, and Hillary Clinton campaign. Essentially, the Russians created a modern Moonlight Maze.
Russia has long sought to influence and undermine elections and the political process of rival nations. In attacking the DNC, Russia played the role of the provocateur, testing the United States’ response at the same time it sought to destabilize us. If recruiting sources to steal information is Espionage 101, then Russia’s attack on the DNC, its propaganda meddling in the Syrian conflict, its infrastructure attacks on Ukraine, and the electoral interference with then-candidate, now French president Emmanuel Macron’s campaign all constitute spying on the master’s level. The Russians acted in order to see how we’d react, and in the process we showed them the cracks in our systems.
The influence campaign against the US election did not stop with the release of damaging information stolen from the Clinton campaign. Russia also blended covert intelligence operations with outreach through state and private media, using paid social-media trolls and official news stories to establish a narrative that the US election system was compromised at best and corrupt at worst.
In September 2016, the cybersecurity company Carbon Black, Inc., conducted a study of voters in the United States to determine whether Russia’s meddling in our election had American citizens concerned. As Carbon Black’s national security strategist, I was keen to learn how Russia’s espionage could affect the hearts and minds of American citizens. The sobering results showed that more than half of US voters thought that the upcoming election would be affected by cyberattacks. Despite constant media appearances by cyber experts, including me, assuring Americans that our voting system—which, unlike Ukraine’s, is decentralized and remains primarily unconnected to the Internet—could not be compromised, half of those surveyed thought our electronic voting machines could be hacked during the election sufficiently to change its outcome. One in five voters was so concerned about this possibility that they considered sitting the election out—which would mean more than 15 million voters potentially staying away from the polls over cybersecurity concerns.
In July 2017, we decided to check back in. Carbon Black polled 5,000 eligible voters to determine how all the talk about election cybersecurity that dominated the media might affect upcoming elections. This time one in four voters said they would consider not voting in upcoming elections over cybersecurity fears. More than 200 million voters are registered in the United States—that’s more than 50 million people potentially sitting out the 2018 midterms or the 2020 presidential election. Russia doesn’t have to change a single vote to influence our elections. It only has to make Americans think it can.
A January 2017 Intelligence Community Assessment called the Russian efforts to influence the 2016 US presidential election “the most recent expression of Moscow’s longstanding desire to undermine the US-led liberal democratic order, but these activities demonstrated a significant escalation in directness, level of activity, and scope of effort compared to previous operations.” In other words, Russia is only getting started. And other countries, like Iran, China, and North Korea, have invested wholesale in Russia’s playbook.
Influencing the hearts and minds of American voters is only the tip of the Russian cyberattack spear. Russia has long sought a tactical military advantage against the United States to complement its aggressive cyber espionage and disinformation efforts. In our connected world, any future military engagement will be fought on a new battleground—rather than missiles, it will be cyberattacks that seek to disrupt, deny, and destroy.
On March 15, 2018, the Department of Homeland Security and the FBI issued a Joint Technical Alert that highlights Russia’s attempts to compromise our critical infrastructure. The DHS and FBI released the alert to coordinate with new US sanctions against Russian agencies, individuals, and intelligence services charged with meddling in the 2016 US presidential election, including the Russian “Troll Farm” that used Facebook ads to exploit divisions in American politics. The alert highlights a multistage intrusion campaign by Russian cyber spies to target and compromise US government agencies and the US energy, nuclear, commercial, water, aviation, and critical manufacturing sectors dating back as early as 2016. Although this is the first time the US government has publicly confirmed that foreign attacks are targeting our infrastructure, cybersecurity professionals have long known that numerous countries have probed for ways to shut down our nation’s essential functions.
Russia has long succeeded in stealing our data. More recently it has exploited the political fractures and divisions that make us shout inward instead of scrutinizing outward threats. The next phase of Russian active measures is to directly disrupt—and perhaps threaten—our lives. To beat Russia and other foreign countries, terrorist groups, and fringe organization cyberattackers, the United States needs a different playbook. We’ll need a new way of thinking to beat Hanssen’s law.
CHAPTER 28
UP ALL NIGHT
Protecting my PC, locking down servers, backing up data, securing the cloud—all of these issues keep me up at night. Ever wondered if someone is watching you through your laptop camera or the new home-security system you just bought off eBay, or maybe through your new smart-home device? Did you open an email attachment or click on a link that made you think twice when your screen flickered? Do you have concerns about the future of autonomous cars and networked robotics and whether these innovations will open us up to future tragedy?
I do. After leaving the FBI, I realized that it wasn’t enough to ride through towns shouting that the cyber spies were coming. My success in Room 9930 had come when I’d broken Hanssen’s OODA loop of his action and my reaction. Once I made the spy react to me, I’d discovered where he kept the information that would undo him.
On the streets as a ghost, we don’t blindly follow targets from point A to B. Surveillance is an art form that predicts targets’ behavior and makes judgment calls on where they will be before they make a turn or take a step. Ghosts don’t follow people. We hunt them.
Understanding where a spy will attack is the first step in neutralizing espionage. Actively monitoring all activity in that worst possible place is the next goal. Organizations that combine cybersecurity defense with active threat hunting thwart spies, both from without and within. Even wannabe spies.
* * *
Gregory Allen Justice worked the graveyard shift as a mechanical engineer for a US defense contractor in California. His job focused on operational security testing for commercial and military satellites deployed by the Air Force, the Navy, and NASA. While he did not have access to information classified by the US government, Justice did work on defense-group systems that help the US military communicate. Not the sort of information you’d like the Russians to get their hands on.
In early 2016, Justice was brooding over his financial woes. His wife had a medical condition that confined her to their bedroom. In three years, Justice had paid nearly $6,000 in medical expenses to doctors, hospitals, and clinics. In March, he had told his wife to cancel all of her medical appointments for the foreseeable future. Not only were they broke, but there was no way to get her to the appointments: his car wouldn’t start, and he didn’t have the money to fix it. Justice’s situation looked grim, but he had a plan. Gregory Justice would become a spy. The name he chose for himself: Brian.
The world of espionage fascinated Justice. He loved James Bond and Jason Bourne and was fully caught up on the first season of The Americans. In the past two years he’d prepared himself for his clandestine career by purchasing $4,344 in online courses. He mastered “Spy Escape and Evasion,” explored “Delta Defense LLC,” and learned from “Legally Concealed” and “Fight Fast.” He located addresses and phone numbers for the Russian embassy in Washington, DC, and the Russian consulate general in San Francisco. All he needed was something of value to trade.
In November 2015, Justice plugged a USB thumb drive into his defense contractor workstation and accessed folders of files that contained satellite-design information. He had swiped his security badge at the entrance to the defense group building where he worked on his employer’s campus. He’d swiped his badge again at the door to his work area, then inserted the badge into his computer to log in with a unique PIN. He’d typed the PIN again to access a collaboration and storage workgroup database controlled by an access list. Much like Hanjuan Jin a decade before him, Justice took the secrets he could use to buy himself out of debt. He also had to keep his superspy lifestyle going.
While his wife lay in her bed, Justice kept a supermodel on the side. It didn’t matter that Justice hadn’t ever made the trip to her Long Beach apartment. The woman Justice knew only as Chay looked great in the pictures she had emailed to him. In return he sent her cash. Loads of it. From December 2015 until May 2016, Justice sent Chay a total of $21,420 and gifts through Amazon.com totaling $5,916.09, which included a grill, furniture, a Dyson fan, two televisions, and an iPhone 6s.
Successfully infiltrate his employer. Check. Keep his Bond Girl happy. Check. Now Justice needed to get paid.
He mailed a printout of a satellite schematic to a captain at the Russian embassy in Washington, DC, but then couldn’t get the guy on the phone when he called. Justice called again and left a message for the captain and waited to hear back. A few days later, in February 2016, his phone rang.
The man on the other end identified himself as a representative of Russian intelligence and set up a meet. Over the next four months, Justice met with his new SVR handler five times and shared a number of phone conversations. During their first meeting, Justice offered him the moon: “So what I’m offering is basically everything on our servers, on our computers. The plans, the test procedures, that’s what I have access to.” He asked his contact to call him “Brian” and said, “I know it’s not like real life, but I like spy movies.”
Each time they met, Justice handed over secrets on a thumb drive in return for an envelope of cash. He’d count the hundred-dollar bills and sign a receipt. He would return to his overnight shift at the office and load another thumb drive with satellite information to trade. As soon as he had a free moment, he’d send his Russian money directly to Chay.
Justice never made it to his sixth meeting. In July 2016, the FBI arrested him and ended “Brian’s” short espionage career. The first time Justice had stuck an unauthorized USB drive into his workstation, his employer alerted the DOJ. The FBI sent a team to ghost Justice and intercepted his call to the Russian embassy. Much as they had built a case against Earl Pitts, FBI agents began a false-flag operation and used an undercover FBI employee to dupe Justice.
In total, the FBI paid Justice $3,500 for restricted satellite technology that thankfully never made it to Russian intelligence. Caught red-handed, Justice pled guilty to one count of attempted espionage and one count of attempted violation of the Arms Export Control Act, which prohibits sending certain technology to a foreign power. On September 18, 2017, a federal judge sentenced Justice to five years in prison. Justice made a pathetic spy, but had a good lawyer. He had faced a maximum of thirty-five years.
Justice’s employer had no idea that one of its employees was playing spy. But it didn’t need to, because it was monitoring the worst possible place: the database that contained the company’s most sensitive information. The best security technology focuses on the place closest to the human that will either make a mistake, as Podesta did, or turn traitor, as Justice tried to do. We call these points of access to information “endpoints.” The moment Justice stuck a thumb drive into his workstation—an endpoint—his employer’s security tools logged the potential breach. Security professionals examined the threat and called in reinforcements.
Endpoints are the new doorways into the worst possible place, and hunting threats requires that we secure all of them. Without security that actively hunts threats, a rogue employee like Hanjuan Jin or Justice can steal information directly from an employer or a government agency. But it is not enough to focus security inward. Even the most security-conscious employee can be tricked into opening an attachment or clicking a link. Humans will always make mistakes. By turning each endpoint into the most secure room in cyberspace, we can prevent most breaches and limit the damage done by the ones that sneak through. By collaborating across a vast network of endpoints that leverage big data and analytics, instantly updated from the cloud to allow us to orient to the best decision, we may be able to prevent all of them.
Imagine a collaboration of consumers, organizations, agencies, and businesses aligned in a common network of shared information. Any attempt to breach a single laptop or execute malware through an unfortunate mouse click by one member will instantly inoculate every other device on the network. Deep-learning analysis of all these devices in the cloud will allow a cybersecurity AI to identify and even predict attacks. An entire community of cybersecurity operations will simplify down to a single recurring OODA loop, one that continually resets and defeats attackers.
Nobody wants to go back to file cabinets and typewriters. But new tools require new forms of security. Hanssen was just the beginning, and wannabes like Justice serve as a stark warning of what the future may hold. It’s not enough to stop the spies who are already within. We must hunt the threat before it hunts us. Otherwise, one email or one misplaced thumb drive may be all it takes to undermine the foundations of American society.
Hanssen and I never defined “information assurance” during the two months we spent together at the FBI’s newest section, but we achieved the objective of the Information Assurance/Technology Team. We taught the FBI a new law for espionage’s cyber revolution. In the years since, I’ve updated Hanssen’s law to fit our modern espionage problems. In a nod to my old boss, I call it O’Neill’s law: