Research Saturday 4.6.19
Ep 80 | 4.6.19

Lessons learned from Ukraine elections.

Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire's Research Saturday, presented by Juniper Networks. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Dave Bittner: [00:00:26] And now a word about our sponsor, Juniper Networks. Organizations are constantly evolving and increasingly turning to multicloud to transform IT. Juniper's connected security gives organizations the ability to safeguard users, applications, and infrastructure by extending security to all points of connection across the network. Helping defend you against advanced threats, Juniper's connected security is also open, so you can build on the security solutions and infrastructure you already have. Secure your entire business, from your endpoints to your edge, and every cloud in between, with Juniper's connected security. Connect with Juniper on Twitter or Facebook. And we thank Juniper for making it possible to bring you Research Saturday.

Dave Bittner: [00:01:13] And thanks also to our sponsor, Enveil, whose revolutionary ZeroReveal solution closes the last gap in data security: protecting data in use. It's the industry's first and only scalable commercial solution enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search, and perform calculations on sensitive data - all without ever decrypting anything. All without the risks of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at

Joep Gommers: [00:01:53] Our Fusion Center has been looking at kind of what's influencing Eastern European elections, and specifically Ukraine, for a while now.

Dave Bittner: [00:02:01] That's Joep Gommers from EclecticIQ. The research we're discussing today comes from their Fusion Center. It's titled, "Situational Awareness Ukraine Elections."

Joep Gommers: [00:02:11] With the election, of course, there is specific attention to, hey, do we see any influence operations directed at that? And kind of trying to look into that, we uncovered quite a few different things, though it's kind of been in the wake of months and months of activity against exactly that. So, we've seen, I think, malware campaigns and kind of influence campaigns across many different spectra, like media and online and local, that are trying to influence local populace. And so, in that research, some of these very specific campaigns that we've kind of deepened out a little bit further came to light.

Dave Bittner: [00:02:46] Can you describe to us some of the history here with Russia and Ukraine when it comes to elections?

Joep Gommers: [00:02:55] Sure. So, back in, let's say 2014, when Russia annexed part of Ukraine - the Crimea area - we already saw there was a very digital component next to the physical kinetic component of, you know, moving tanks into areas and people into areas, and things like that under the guise of, let's say separatists, but with Russian military people inside those jackets, let's say. And in kind of tracking that exactly, we've seen Russian and other influence throughout the process of who's in power on the other side of the conflict inside of Ukraine.

Joep Gommers: [00:03:37] And now very specifically, in this occasion, one interesting thing is that there's been some outside forces trying to, let's say provide a counter force to Russian influence. It's a - let's say a group of groups, of which the most prominent is called the "DDoS" group. It's kind of a transparency collective that's trying to take it upon themselves to expose information internal to Russian power and bring it into the light.

Joep Gommers: [00:04:06] So they kind of disclosed a lot of documents under the guise of something like "The Dark Side of the Kremlin," is what they kind of used to - they called the set of documents. And in it, you can kind of see, very specifically, plans that clearly show people in power trying to use influence operations to create effects locally, physically in Ukraine, and globally. And around this kind of leak of documents - and so, with some sense, kind of a proof of people trying to influence Ukrainian elections and Ukrainian populace for just kind of cognitive purposes - we've kind of seen malware campaigns happening around that.

Joep Gommers: [00:04:41] And one of them was very interesting to us. When we kind of looked into it, we saw a large set of, let's say government official, or local prosecutors, or even the kind of non-government but local lawyer officers or law offices even being targeted, trying to kind of find information about the upcoming elections and about those that can potentially influence those upcoming elections. Immediately followed up by - most likely through exfiltrating that data - by very physical activities based on that information.

Joep Gommers: [00:05:13] Like if they exfiltrated information about finding out specific people, for example, have specific, let's say social networks, they would try and, offline, try and influence those people - through bribery or through other ways of influence - to make these local officials or these local prosecutors, or whatever people in power in Ukraine it concerned, to kind of act in a manner that is helping Russia. For example, by spreading a certain message, or supporting a quote in a local newspaper to influence a certain media story, or to, let's say, not condone certain - perhaps not violent acts - but kind of protests or something that were kind of pro-Russia.

Joep Gommers: [00:05:55] So, we've seen this - for the very first time, I think we've seen a kind of microcosm of very well-coordinated, you know, both physical activities and digital activities, kind of all together towards the one goal of influencing the elections. It's been fascinating to watch and to kind of dive deeper into some of these activities.

Dave Bittner: [00:06:19] Yeah, so when we talk about this notion of "hybrid warfare," I suppose, I mean, this is it.

Joep Gommers: [00:06:25] Yeah, that's absolutely right. Yeah. Absolutely right. So, it's even interesting, when you kind of think about it, there's this triangle of physical activities you use, there's now an angle of digital activities, and they're kind of governed by, let's say a cognitive space of the local populace. And it's not a new notion - I think even Western countries are using this notion of combining, you know, cognitive influence or influence operations with the physical or kinetic component for a while - but to see it kind of play out in such a small space in such a small time is very interesting.

Joep Gommers: [00:07:00] But as a result of that, you even hear, for example, Russia publicly saying things like, hey, the attention that we have on non-military activities versus military activities is shifting to the non-military activities. So, the focus of military leaders, the focus of resources, is kind of shifting a little bit, even from a kinetic component to the digital component. Which is why now we see, contrary to before, Russia as well kind of play the AI card a little bit - of, you know, those who in the future control AI have a larger capability in the non-military sphere of influence operation than other countries.

Joep Gommers: [00:07:41] And I think that was a very interesting angle to kind of add on there, as both a conversation topic but also as a concept to think about - that there's a link between our nation-states' intents to be involved in artificial intelligence, because there's a large non-military component in warfare these days, because - and now kind of zooming into the campaigns we're looking at - there's direct correlation with how malware campaigns operate and how that influences media, and then how that influences kind of the cognitive sphere of a populace. It's a very interesting connection to start drawing.

Dave Bittner: [00:08:14] And also, I think, interesting to see how they are focusing their actions based on, I suppose, a return they're getting on that investment.

Joep Gommers: [00:08:24] In terms of kind of - they can see the return coming back based on their activities?

Dave Bittner: [00:08:28] Yeah, well, I mean, just at a real basic level, instead of, you know, paying for tanks and soldiers, that investing in some of these influence operations and cyber activities perhaps gets a positive return on that investment.

Joep Gommers: [00:08:45] Oh, no doubt. Exactly right. The breadth of different kind of, let's say type of activities in that is also interesting, because it also shows not all of those methods are very expensive, right?

Dave Bittner: [00:08:55] Hmm.

Joep Gommers: [00:08:54] So, let's say hacking operations - they might for certain types of individuals be very expensive, because they're, let's say well-protected digitally, or they're of a certain stature and therefore they have access to special equipment. But when you're trying to influence a populace and not, let's say, get secret information out of a military apparatus to understand where power grids are, or where specific military equipment is - when you're just trying to kind of influence the normal, you know, civil servants or normal population - then protection kind of fades away, and so the cost of malware campaigns directed against the normal populace, or normal civil servants, or like a law office, a small local office or something like that - it's a lot easier. The cost is a lot lower.

Joep Gommers: [00:09:41] So I think you're absolutely right, in that it's really paying off. If you're really involved in the, you know, influencing the cognitive side of the populace, you don't need to be targeting, you know, highly-protected military things. You're targeting the whole supply chain of, let's say, of government relations to the populace, like the media, or like the news that is about very specific topic, or even like entertainment websites - we see a lot of websites that young people go to, let's say, with interesting pictures, or with nice stories, or kind of a very informal sphere where people interact without political intent, they're just sharing something about their hobby or about a joke, or something like that - that they're en masse influencing even those websites by injecting their, you know, funny pictures that make fun of a local politician, for example.

Joep Gommers: [00:10:35] And so, it's not even, you know, this very kind of nefarious idea of "we influence the media and there's fake news or whatever." It's also just a - there's a young person scrolling through, like, a picture website, and he laughs because there's like a dog picture that does something weird, and then the next picture is another weird picture about, you know, something local, funny to him, but at the same time influencing his perception of whatever the topic is about - like a local politician, or something from the news, or a joke about something in the news. And these very large-scale, kind of subtle influences eventually help put, for example, somebody in power, like we see here in the Ukraine elections.

Dave Bittner: [00:11:14] And how did these types of influence operations that we're seeing from the Russians in this 2019 Ukrainian election - how do they compare to the types of things that the Russians did in the 2016 US election?

Joep Gommers: [00:11:27] Conceptually, it follows the same set of capabilities. But when you look at the influence in the US, we saw, for example, very large leaks of information that were better-protected. Whereas on the Ukrainian side now, we see very targeted things, but they aren't leaking per se. And so, I think they're having the same set of operational capabilities available to them - like, they can influence, let's say, online websites, they can try and have a malware campaign that's attacking a specific subset of people and they're extracting documents - but then, how it's orchestrated on top of that seems to be somewhat different between the two.

Joep Gommers: [00:12:13] And there's also a much smaller physical component to influencing US elections than, let's say, Ukrainian elections, where - in the Ukrainian elections, you can take information that you have found online and try and do, let's say, local bribery, or you can try and fund some extra protests, or you can try and have these physical moments with people to accelerate certain processes. Which of course is very, very difficult and very, very expensive to do, if you're Russia, if you want to do that on US soil. And so, there's a clear kind of, let's say, tread-lightly feeling on the US side, where there is kind of an all-in, let's-make-this-happen kind of feeling on the Ukrainian side.

Joep Gommers: [00:12:54] And of course they're at the same time using same types of malware, same types of campaigns. We've even seen some of the malware that's being used over the last few months targeting those government officials that we were just talking about, used in campaigns against UK citizens trying to influence people's perception of Brexit, for example, where the same malware families are used. And it seems to be somewhat of the same actors behind it in the campaigns, by virtue of how we observe them to work.

Dave Bittner: [00:13:25] Hmm.

Joep Gommers: [00:13:25] So there's definitely kind of, you know, same groups of people, or same capabilities, same political interest, guiding all those operations. But they seem to orchestrate them differently for each, let's say, theater of interest - be it Brexit influence, or the Catalans in Spain, or in this case, in Ukraine now.

Dave Bittner: [00:13:44] Well, let's dig into what you discovered when it comes to some of that malware. What did you all find?

Joep Gommers: [00:13:50] Well, maybe one interesting part of that is you usually see it come in in a very, let's say - what can I call it? - "normal way," or in a very common way. So those would be, for example, phishing emails, or those would be emails sent very specifically to specific people containing, like, an attachment, for example, with a Word document, or some other lure that's bringing people to open the documents. And in this specific case, we saw, I think, something about kind of radio communications locally or something like that sent to these government officials.

Joep Gommers: [00:14:22] And so, kind of looking into that, we found a few different links. So, we found one link to the same malware family we saw across other theaters, like influencing Brexit, for example. We've also seen that document itself being reused in campaigns that were kind of previously known to be linked to Russian influence. And so, every time we kind of dive into one of these campaigns, we see both, you know, this kind of lateral reuse, horizontal reuse, across different activities around the world, and we constantly see it then, when we zoom into that - the link back to Russian influence.

Joep Gommers: [00:15:00] There's always this question of, it's serving Russian interest, but, you know, is the Russian military orchestrating this? Is it kind of loyalty - you know, loyalty groups or something like that? Of course, those are small question marks everybody has, but it seems to all point in that same direction. Even when you go back in time, like 2015, 2016, when some of these kind of activities have still been going on, because, from 2014 up until now - I'm not sure all your listeners know this - there's been active conflict, right? Between eastern Ukraine and Russian influence forces and the Ukrainian military, there's been conflict and shooting kind of throughout this whole kind of four-year period.

Joep Gommers: [00:15:45] And so, in 2015 and '16, we've seen cyber again supporting these physical activities by targeting, in that case, the power grid - kind of a concerted effort together with kind of the kinetic side of things. Again, zooming into that, in that case, it was Petya/NotPetya - which, again, were kind of Russian influence-known malware families. And so, every time we kind of zoom in, we were brought back to the same conclusions.

Dave Bittner: [00:16:11] And in terms of the malware and the pathways that they're using to infect people, they're using Word macros?

Joep Gommers: [00:16:21] For example, yeah. Yeah, exactly right. Exactly right. Amongst, admittedly, many other things.

Dave Bittner: [00:16:29] Comparing this to other election-hacking attempts, other influence campaigns, I mean, is this - are we sort of reaching the point where this is the established Russian playbook? We can recognize it? This is what we've come to expect from them?

Joep Gommers: [00:16:42] I'd say so, but I think the difference seems to be - I think the closer it is to their sphere of influence, the more aggressive they go into it, and the more different types of influence that, say, they're adding. And so, as you get closer to Russia, you have local media, troll farms influencing, like, online sites, you have sometimes really violent acts, or simply protests that may come to some sort of violent conclusion, orchestrated locally. You have, in the case of Ukraine, you even have them kind of insert fake polling data into the local sphere, like you have local websites publishing the fake polling data, or they have a TV station air it, or something like that. They even have - they've organized kind of religious pilgrimages from Russia into Ukraine, just to have kind of a group of people there that are perhaps not untouchable, but kind of are difficult to influence.

Joep Gommers: [00:17:45] When you kind of zoom out and you get further away from Russia, the methods that they can use of course shrink and shrink, and it gets more around the digital space or the social space around - less about even media influence, and more about kind of content influence in, let's say, the space of content like blogs, or like news websites that are easier to influence than, you know, proper media outlet, let's say, that they can influence when it's closer to their sphere. But then, let's say, for everything that is relatively far from the physical sphere of Russia, I think we see the same methods used across the board. Exactly right.

Dave Bittner: [00:18:26] You know, it's really fascinating to see how, I guess, the effect that that proximity has on their ability to do things. By, you know, literally being right next door, that opens up a whole lot of options for them that they probably wouldn't have otherwise.

Joep Gommers: [00:18:42] Exactly right. And there's something especially - you know, we've seen quite a few of these things now publicly, let's say, analyzed the Russian influence on the Facebook platform, or these troll farms. For your listeners that don't know, where they have buildings full of people that have racks full of phones, that aren't just, you know, manually trying to, let's say, add content to blogs online, or to, let's say, send these half-funny pictures that have some sort of political intent, as we talked about earlier, disseminated.

Joep Gommers: [00:19:22] They're automating this, they're scripting this, right? There is a group of developers and content producers that are steering a rack of, you know, a hundred phones, let's say, to do this in a kind of semi-automated way. And so, the path to, you know, further automation, and then further autonomy, and then kind of support by, let's say, AI or some sort of automated algorithms is starting to get much, much closer. And so, the prevalence of it I think will only grow, versus be limited, just because machines can start to take over, which is going to be very, very hard to stop, right?

Dave Bittner: [00:20:00] Yeah. And I suppose, I mean, that's one of the takeaway lessons here. I suppose, as other nations are looking at what's going on here, and trying to determine how can they protect themselves against these foreign influence operations, this type of meddling, there's some lessons to be taken away from this example.

Joep Gommers: [00:20:20] For sure. And I think it kind of follows this path of - we're used to thinking about, you know, protecting our secrets in a certain way, and we're used to protecting things of value, like politicians or like a military apparatus. And so, I think we kind of cracked the knot on how to do that. But then you kind of zoom out from it - let's say, your wider political sphere and those that are involved in the conversation that is political, let's say, from the media itself, to like prosecutors, or to judges, or the whole kind of environment around it - I don't think we know very well as nation-states, or as alliances, how to really protect them.

Joep Gommers: [00:21:05] And part of that is just normal computer hygiene, let's say, right? So, you know, not be clicking on phishing emails, not be infected by a malware campaign, not have information stolen, and so forth. But we - especially the Western world, we kind of lack the mechanisms by which we can regulate the level of protection that we can provide to this wider group of people. Let alone, if you even draw it even wider, just the populace, right? Teaching the populace how to avoid fake news, or how to distinguish trustworthy sources from untrustworthy sources, is culturally something as well that I think we struggle with.

Joep Gommers: [00:21:46] So, we've traditionally been very good at this kind of special protection of a small group of things we know is very important, but I don't think we've cracked the knot yet - as kind of the Western world, perhaps, or anywhere - on how to do it at a larger scale for this wider area of influence. Which leaves us very influenceable. I think that's what we've been seeing for the last years, and I don't think we've found a good way around it yet.

Dave Bittner: [00:22:15] Our thanks to Joep Gommers from EclecticIQ for joining us. The report comes from their Fusion Center. It's titled, "Situational Awareness Ukraine Elections." We'll have a link in the show notes.

Dave Bittner: [00:22:26] Thanks to Juniper Networks for sponsoring our show. You can learn more at, or connect with them on Twitter or Facebook.

Dave Bittner: [00:22:37] And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at

Dave Bittner: [00:22:45] The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. The coordinating producer is Jennifer Eiben, editor is John Petrik, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.