Symantec technical director Vikram Thakur returns to share his team's look at threat groups APT28 and APT29, the influence they had on the 2016 election, and how the cyber security industry has responded in preparation for the 2018 midterms.
The original research can be found here:
Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire's Research Saturday presented by the Hewlett Foundation's Cyber Initiative. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Dave Bittner: [00:00:26] And now a moment to tell you about our sponsor, the Hewlett Foundation's Cyber Initiative. While government and industry focus on the latest cyber threats, we still need more institutions and individuals who take a longer view. They're the people who are helping to create the norms and policies that will keep us all safe in cyberspace. The Cyber Initiative supports a cyber policy field that offers thoughtful solutions to complex challenges for the benefit of societies around the world. Learn more at hewlett.org/cyber.
Dave Bittner: [00:01:02] And thanks also to our sponsor, Enveil, whose revolutionary ZeroReveal solution closes the last gap in data security: protecting data in use. It's the industry's first and only scalable commercial solution enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search, and perform calculations on sensitive data - all without ever decrypting anything. All without the risks of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at enveil.com.
Vikram Thakur: [00:01:41] The groups that we're talking about out here, as well as others that we are aware of having the motivation to create some sort of disturbance or influence our elections.
Dave Bittner: [00:01:56] That's Vikram Thakur. He's a technical director at Symantec. The research we're discussing today is titled "Subverting Democracy: How Cyber Attackers Try to Hack the Vote."
Vikram Thakur: [00:02:07] They are active, or at least we've seen them active time to time over the last few years. In fact, the last time we saw one of these groups was just a couple of months ago. They're in various stages, but they are trying to create some sort of disinformation, or they're trying to gather information from some election-related authorities. With what motivation? That's always hard to tell. But at least we know that they are around.
Dave Bittner: [00:02:38] Can we start off - can you give us a little overview of what we saw back in the 2016 election?
Vikram Thakur: [00:02:44] So, in the 2016 election, one of the things which became public was John Podesta's email account actually got compromised by a simple phishing technique, where somebody sent him an email asking him to change his password, and John did not think much about the email. He went ahead and clicked on the link which took him to a page which appeared as though it was a legitimate email provider's website, but it actually wasn't - it was a website controlled by an attacker.
Vikram Thakur: [00:03:20] And when he went through the process of inputting his password over there and trying to create a new password out there, he effectively gave his password and his credentials over to an attacker. And what happened after is fairly well-documented in the public domain, which is the attackers were able to get a hold of his email, get a hold of a lot of information.
Vikram Thakur: [00:03:41] And what that effectively did was, the information becoming public, this information from his email becoming public created a little bit of a disturbance within the normal election cycle that one would imagine. I mean, not only does it throw into disarray the campaign itself, but there's a whole bunch of people who then get involved in trying to track the attack, trying to figure out whether a certain country might be behind the attack at all.
Vikram Thakur: [00:04:13] But effectively, this sort of takes us away, a little tangential from the normal election process, if you would imagine, where candidates just go out, they campaign, they influence, or they convince voters to go one way or the other, the voters go to poll, and somebody gets elected. So, we think that there are actors or there are attackers out there who will continue to try to create these little disturbances within our own election across.
Dave Bittner: [00:04:45] Now, I think for your average person out there, when they think about the possibility of election hacking, I think one of the things that would come to mind first would be with the use of computerized election voting machines. That those machines themselves could be hacked and people would be afraid of the vote totals, the tallies, being changed by outsiders. But that ended up not being something that we really saw?
Vikram Thakur: [00:05:10] I think you're absolutely correct. The first thing that people think about when somebody mentions the phrase "election hacking" is the end user, the citizen's perception that we're really just talking about electronic equipment which has been used to tally votes getting compromised in one way or another. What people do not realize is that the hacking, or the term "hacking," in this case, goes far beyond that electrical equipment or that electronic equipment.
Vikram Thakur: [00:05:42] In this case, rather than going for the equipment themselves, the attackers, they believed that, hey, there's enough ways to sway a voter's decision from one way to another, or put them into this little state of flux where they're not even sure which candidate to vote for, using information or using social techniques, where you might be influenced by a news article that you're reading on one of your social media sites, or you might be influenced when you actually get to see some stolen emails or some classified documents from another source.
Vikram Thakur: [00:06:21] So people really need to be cognizant of the information that they're reading, but also the information sources that they are now being subject to. And it's exactly for that reason that Symantec actually made a technology of theirs - or a technology of ours - publicly available, because we want people to be able to visit election-related websites with a lot more confidence that they are dealing with legitimate organizations and this is not some sort of a scam website being hosted by different people.
Dave Bittner: [00:06:56] There are a pair of cyber espionage groups in particular that you all were tracking here. Can you describe to us - who are we talking about and what do we know about them?
Vikram Thakur: [00:07:04] So, the groups have been - the two groups that we mentioned - they've been around for a number of years. And when they actually started out their campaigns, or their attacks, a number of years ago, they were not very different from some of the other attack groups that we track, where the end goal over there is to acquire intellectual property from different companies.
Vikram Thakur: [00:07:29] So you would imagine, hey, if I went over to - if I was somehow able to attack a company that was a defense contractor building the next generation of fighter planes, maybe there's enough intellectual property to be stolen from that organization where I can go to a third country, give that information, and make that same technology for cheaper.
Vikram Thakur: [00:07:49] So that's how all these groups really started. But the mandate for these particular two groups grew pretty rapidly, because soon after their successes in being able to target corporations, their mandate shifted to attacking government organizations. Now, there have been several public articles over the years about these groups attacking defense establishments in the United States, diplomatic organizations all across the globe, and when you - if one was to think about the purpose of attacking these organizations, they're purely strategic. They're not as tactical as they used to be, where somebody stealing intellectual property of a formula to make a certain good.
Vikram Thakur: [00:08:36] Attacking defense organizations, as well as diplomatic organizations globally, it really just gives you insight into what other parties are capable of strategizing against your government or against your - one's government's interests. And that became the centerpiece of the information that these attack groups were focused on. So the attacks did not occur - between these two groups - they did not occur against private organizations. They shifted against governments.
Vikram Thakur: [00:09:12] And these two groups have kind of gone on, and some of this information about some of these groups whose activity has been documented in the past few months, where different entities have come forward and not only hanged their activity as being sponsored by the Russian government, but also detailing how these connections have been made, and what it is that these attackers are trying to do to influence the common man's view about the world, elections, certain parties, certain individuals, and governments, for that matter.
Dave Bittner: [00:09:47] Now, let's go through each of them one at a time. We're talking about APT28 and APT29. They go by many names. Let's start with APT28. What are some of the other names that people might recognize them as being?
Vikram Thakur: [00:10:02] So, Symantec's name for APT28 is "Swallowtail." That's just an internal - that's just our bug name that we've assigned to that group. Another name that people might actually recognize for Swallowtail or APT28 would be Fancy Bear. It's a name which has been given to this group by one of our peers in the industry. I think those would be the main ones for APT28.
Vikram Thakur: [00:10:36] For 29 - for APT29 - our internal name or our name is Fritillary. It's just another bug name that Symantec picks. But their names that people might recognize them by would be Cozy Bear, EuroAPT, Cozy Duke - Duke seems to be a very common phrase inside the names which have been associated with APT29 - and also there's another name called Ice Sheet. But these are all essentially tracked back to the exact same group which people commonly refer to as APT29.
Dave Bittner: [00:11:13] So let's start with APT28. Take us through - what sort of tactics do they use, and who are they after?
Vikram Thakur: [00:11:21] So, APT28, they use pretty common tactics, like sending people phishing emails, or hosting watering-hole sites. But this is exactly when they wanted data from some very precise location, be it a particular diplomatic organization that exists somewhere, or some news-related website related to a very particular subject. So these guys are - APT28 has been around since at least 2007, and initially they targeted military, embassy-related targets, as well as defense contractors in Europe and North America. But since then they sort of moved on to more focused attacks against government institutions.
Dave Bittner: [00:12:13] What specific types of tools do they usually use?
Vikram Thakur: [00:12:17] So their tools are fairly generic, in some sense. But they are very custom-written for them. Two of them come to mind, very majorly. One is what we would call a backdoor, but essentially it is a file that gets onto your computer and it starts running, it allows somebody sitting somewhere all across the globe to be able to access all the information on your computer as though they were actually sitting right in front of it. So that's one of the tools. We call that a backdoor because essentially it has given somebody backdoor access into your computer.
Vikram Thakur: [00:12:54] And the other one is what we call a tunnel. So, information flows on the Internet from one computer all the way to the other. But if you want to create a virtual tunnel, that data is not accessible to anybody else just looking at the tunnel, except on the two endpoints of the tunnel. APT28 did create such a tunnel as their own tool, where the tunnel is created between the victim computer and some infrastructure that the attacker is actually using. And the data which is being stolen just goes through that tunnel, which might spread across multiple countries, but it is a tunnel. And their tool allows them to sort of encrypt the information and pass it from one point to the other without anybody else being able to see it.
Vikram Thakur: [00:13:45] So these are sort of the two main tools that Sofacy or APT28 or Swallowtail have used over many years, and the development of these tools have gone on for a long time. By that I mean the group has been updating these tools very regularly to avoid somebody else being able to find it.
Dave Bittner: [00:14:06] So, let's move on to APT29 and contrast them against 28. What's the difference here? Who are we talking about?
Vikram Thakur: [00:14:15] So APT29 has been slightly different in their targeting, where for a very long time they have been after private research and international policy, think tanks or related organizations, and they used a bunch of tools that, you know, people commonly just called the Dukes. That's because - at least in the industry, or the security industry - there have been many terms used for these. There's Cozyduke, there's Seaduke, there's Dionisduke, and there's Netduke. But essentially, all these tools were created in a very specific programming language and they are meant for different purposes, but ultimately all they do is they give access to the attacker onto a victim's computer.
Vikram Thakur: [00:15:04] So, while their targeting and their toolset is completely different - or shall I say, slightly different - it's very easy to make out the difference between the attack campaigns of the two different groups out here.
Dave Bittner: [00:15:19] Now, we are heading into the 2018 midterm elections - what sort of activity are we seeing from these groups?
Vikram Thakur: [00:15:26] So, what we've seen from the groups is pretty much more of the same, in terms of targeting and their usage of the tools. And I want to say that, you know, we've been very good about protecting end users and end organizations against the attacks of these groups when it comes to the malware itself. So on the technical side, I think we're doing very well, and we'll continue to do what we can as an industry to get better at it.
Vikram Thakur: [00:15:54] Where we're seeing a shift of some of these resources from within these groups is in this information warfare business, where they're trying to get to information that can be released at critical times to make an impact on decision-making of the end users, rather than trying to influence technology or trying to influence computer systems, which are directly part of the election process. And we think that that method, or that process, or that thinking is going to continue. And over the coming months as well as years in subsequent elections as well, we think that will play a bigger and bigger role, rather than hacking of electronics being used in the elections themselves.
Dave Bittner: [00:16:44] Yeah, it strikes me that it's an interesting shift, and I wonder how much you think it may be from necessity. If we are doing a better job of technically locking down these systems, then I suppose the folks who are trying to do this stuff don't have a whole lot of choice. They have to switch to those softer targets, the influence operations, and those sorts of things.
Vikram Thakur: [00:17:06] I think you're absolutely correct. One of the things which also goes into their thinking, which we believe, is when you compromise a piece of electronic equipment and you tamper with, let's say the tallies for specific elections, that will get discovered at some point. Even if it didn't get discovered at a timeline point zero, it might get discovered five days later. And when that happens, there will be methods by which we can revert some of those changes which have been influenced by the attackers, be it backup paper voting systems, or backups of the electronic equipment itself. But there might be ways for us to move back from there.
Vikram Thakur: [00:17:56] The attackers figured that a much longer-term goal would be to influence the mindset of the voter itself, rather than trying to go in and make this one time change which is extremely binary, in terms of either you get caught or you don't get caught. The risk would be much higher on that side. A much longer goal would be to work on this information and try to influence the voter himself, and I think that's where they've sort of hedged their bets primarily at this point.
Dave Bittner: [00:18:30] Now, in terms of IDing these groups as being Russian-based - I mean, this is an area where both Homeland Security and the FBI have been pretty direct at who they think is up to these things, yes?
Vikram Thakur: [00:18:42] Yes. Very recently, the US government actually put out a note calling some of these actors out, not just by country and affiliation, but also naming some of these individuals very specifically, and talking about exactly what these people did to influence or to make an impact on the elections which happened a couple of years ago.
Dave Bittner: [00:19:07] Now, in terms of voters' confidence in the integrity of our election system, when we have the news from 2016 that we had these issues, what is your sense in terms of what we should tell the general public? Are we getting better, or are we pretty much where we were in 2016? Where do you think we stand?
Vikram Thakur: [00:19:30] I think from a technology and awareness perspective, I think we are definitely in a much better place than we were in 2016. Both the technology companies as well as the common citizen are much more aware of tactics being used by attackers to influence our thinking. The technology teams all across the industry have taken steps to try to weed out some of the false information that might be floating around. They've tried to weed out bogus accounts being created by some attackers to spread these incorrect stories which are on social media.
Vikram Thakur: [00:20:16] So that is continuing to get better and better, and we expect that in the coming months and weeks, and even beyond this election cycle of ours, technology will become even better, where only reputed or confirmed news outlets or news sources will be able to portray, or will be able to pitch their news story to millions and millions of people across the globe.
Vikram Thakur: [00:20:41] But that's on the technology side. We also see that end users are becoming a lot more aware and questioning the source of information that they're reading online. I think that is where we're in a natural progression where it's just a matter of time before we get even better, and user awareness continues to grow to a point where we're fairly convinced that people will not just look at the news article, but also look at the sources. And that's obviously going to take a little bit longer time, but I think we're getting there and we're - no doubt, we're way better than where we were in 2016.
Dave Bittner: [00:21:21] Our thanks to Vikram Thakur from Symantec for joining us. The research is titled "Subverting Democracy: How Cyber Attackers Try to Hack the Vote." We'll have a link for it in the show notes. You can also find it on the Symantec website.
Dave Bittner: [00:21:36] Thanks to the Hewlett Foundation's Cyber Initiative for sponsoring our show. You can learn more about them at hewlett.org/cyber.
Dave Bittner: [00:21:44] And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at enveil.com.
Dave Bittner: [00:21:52] The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. The coordinating producer is Jennifer Eiben. Editor is John Petrik. Technical editor is Chris Russell. Executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.
Copyright © 2020 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.