21 September 2020

Disputes raised over the interferences in the US elections. Who is more dangerous: Russia or China?

Liviu Ioniţă

Strontium. Zirconium. Phosphorus. No, this has nothing to do with Mendeleev's periodic table. Strontium from Russia, Zirconium from China and Phosphorus from Iran. A week after Facebook presented its plan to protect the US elections and highlighted the threat of foreign interference, Microsoft published on the company's blog an analysis according to which "foreign groups" have intensified their efforts targeting the US electoral process.

Image source: Profimedia

Three major hacking groups connected to Russia, China and Iran are currently targeting US politics and the presidential campaigns of Donald Trump and Joe Biden.

Previously, the head of the National Counterintelligence and Security Center (NCSC), William Evanina, publicly stated that, alongside Russia, China and Iran, other countries also want to influence this year's US presidential election.

Officials from the National Security Agency and US Cyber Command have also presented their own assessment of the growing threats against the electoral process, acknowledging that these threats come not only from Russia but from other nations as well, including China, Iran and North Korea. The analysis published by Microsoft thus confirms the intelligence community's assessments of foreign interference beyond the Russian one; on the other hand, Microsoft's findings on Chinese hackers do not seem to support the hypothesis that China wants Joe Biden to win the election.

Is it Trump or Biden? Is it Russia or China?

Groups involved in intelligence theft and cyber-espionage

According to Microsoft's analysis, in recent weeks cyber attacks have been detected targeting "people and organizations involved in the upcoming presidential election, including unsuccessful attacks on people associated with both the Trump and Biden campaigns".

Foreign activity groups have stepped up their efforts “targeting the 2020 election as had been anticipated, and is consistent with what the U.S. government and others have reported”. Who are these “foreign groups”?

Microsoft's Threat Intelligence Center (MSTIC) has observed, from September 2019 to the present, numerous attacks by groups operating from Russia.

Strontium's activities have been tracked and countered by Microsoft many times. They also appear in the Mueller Report, where Strontium is named as the main organization responsible for the attacks on the Democratic campaign in 2016.

The group's objectives are similar to those of 2016. Strontium's actions have affected more than 200 organizations directly or indirectly connected with the upcoming US elections, as well as other political organizations in Europe: political campaigns, lobby groups, parties and political consultancies on both the Republican and Democratic sides, think tanks such as the German Marshall Fund of the United States, the European People's Party and political parties in Great Britain.

Strontium also targeted companies in the entertainment, manufacturing, financial services and physical security sectors.

The MSTIC investigation revealed that, although Strontium's objectives are unchanged, since the 2016 elections the group has evolved its tactics, using new tools and techniques to obfuscate its operations.

Whereas in 2016 the group relied on spear phishing (unlike phishing campaigns, which do not target individuals but try to harvest private data from hundreds or thousands of people, spear phishing targets a single person), in recent months Strontium has turned to brute force attacks (a cryptanalytic attack that in theory can be applied to any kind of encrypted data, in which the attacker tries candidate values until the authentication credentials are found) and password spraying (a variant of the brute force attack in which the attacker evades the usual countermeasures by trying the same password against many accounts before moving on to the next password).
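The distinction drawn above matters for detection: per-account failure counters catch brute force but are exactly what a spray stays under. The following added example (not code from the article or from Microsoft) shows how a defender can separate the two patterns in authentication logs by looking at failures per source address rather than per account; the log format, the thresholds and the sample lines are all constructed for the illustration.

```python
"""Separate password-spray from brute-force patterns in authentication logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real telemetry): timestamp user source_ip result
SAMPLE_LOG = """\
2020-09-10T08:00:01Z alice 203.0.113.7 FAIL
2020-09-10T08:00:03Z bob 203.0.113.7 FAIL
2020-09-10T08:00:05Z carol 203.0.113.7 FAIL
2020-09-10T08:00:07Z dave 203.0.113.7 FAIL
2020-09-10T08:00:09Z erin 203.0.113.7 FAIL
2020-09-10T08:05:00Z alice 198.51.100.9 FAIL
2020-09-10T08:05:01Z alice 198.51.100.9 FAIL
2020-09-10T08:05:02Z alice 198.51.100.9 FAIL
2020-09-10T08:05:03Z alice 198.51.100.9 FAIL
2020-09-10T08:05:04Z alice 198.51.100.9 FAIL
2020-09-10T08:30:00Z bob 192.0.2.20 OK
"""

def parse(log_text):
    """Turn the whitespace-separated lines into (timestamp, user, ip, result) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result))
    return events

def classify(events, window=timedelta(minutes=10), min_accounts=5, lockout=5):
    """Return {"spray": [source ips], "brute_force": [(source ip, user)]}.
    Brute force: one source exceeds the lockout threshold on a single account.
    Spray: one source fails against many distinct accounts inside the window while
    staying below the per-account threshold, so per-account alerting never fires.
    """
    failures = defaultdict(list)          # source ip -> [(timestamp, user)]
    for ts, user, ip, result in events:
        if result == "FAIL":
            failures[ip].append((ts, user))
    spray, brute = [], []
    for ip, fails in failures.items():
        fails.sort()
        per_user = defaultdict(int)
        for _, user in fails:
            per_user[user] += 1
        brute.extend((ip, u) for u, n in per_user.items() if n >= lockout)
        for i, (start, _) in enumerate(fails):   # sliding window per source
            users = {u for t, u in fails[i:] if t - start <= window}
            if len(users) >= min_accounts and max(per_user[u] for u in users) < lockout:
                spray.append(ip)
                break
    return {"spray": spray, "brute_force": brute}
```

In practice the source-address key is weak against an attacker who rotates exits (as the Tor routing described next allows), so the same logic is usually also keyed on user-agent or client fingerprint.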

The group routes some of its attacks through Tor, software that provides anonymity on the Internet by hiding the location and identity of the attackers, which has also slowed down efforts to identify the hackers.

Zirconium is a different group, operating from China, which according to Microsoft has attacked high-profile individuals associated with the US elections, prominent leaders in the international affairs community, international affairs specialists at more than 15 universities, and accounts connected with 18 international affairs and policy organizations, including the Atlantic Council and the Stimson Center.

Microsoft found "thousands of attacks" between March 2020 and September 2020, with Zirconium using what are known as web bugs or web beacons (a technique used to verify whether a user has accessed certain content). For "state actors, this is a simple way of determining if the account is available or if the user is active". Zirconium "indirectly and unsuccessfully" targeted Joe Biden's presidential campaign through e-mail accounts belonging to people associated with the campaign.
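A web beacon works only if the mail client fetches a remote image, which is why the usual mitigation is to block automatic loading of remote content. The added example below (not from the article or from Microsoft) shows a small defender-side check that a mail gateway or analyst could run over an HTML body to flag images with the traits of a tracking pixel; the message body and the tracking domain are constructed for the illustration, and the "long token" test is a heuristic, not a definitive indicator.

```python
"""Flag remote-image tracking pixels (web beacons) in an HTML e-mail body."""
from html.parser import HTMLParser
from urllib.parse import urlparse

class BeaconFinder(HTMLParser):
    """Collect <img> tags whose attributes are typical of tracking pixels."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        parts = urlparse(src)
        if parts.scheme not in ("http", "https"):
            return  # inline data: or cid: images fetch nothing, so they cannot report back
        reasons = []
        size = {(a.get(k) or "").strip().rstrip("px").strip() for k in ("width", "height")}
        if size & {"0", "1"}:
            reasons.append("1x1 pixel")
        style = (a.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        # heuristic: a long opaque path segment or query string is usually a per-recipient id
        if any(len(seg) >= 16 for seg in parts.path.split("/") + [parts.query]):
            reasons.append("per-recipient token in url")
        if reasons:
            self.findings.append((src, reasons))

def find_beacons(html):
    """Return [(src, [reasons])] for every suspicious remote image in the body."""
    finder = BeaconFinder()
    finder.feed(html)
    return finder.findings

# Constructed sample message body (not from any real campaign).
SAMPLE_MAIL = """
<html><body>
<p>Dear colleague, please see the attached agenda.</p>
<img src="https://example.com/logo.png" width="200" height="60" alt="logo">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=" width="1" height="1">
<img src="https://track.example.net/o/3f9c2b7e1d4a5b6c7d8e9f0a.gif" width="1" height="1" style="display:none">
</body></html>
"""
```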

Another group, Phosphorus, which operates from Iran, has continued to attack the personal accounts of people associated with Donald Trump's campaign. Phosphorus is a hacking group that MSTIC has tracked for many years and that has run espionage campaigns targeting "different organizations connected with the geopolitical, economic or human rights' interests in the Middle East region".

Between May and June 2020, Phosphorus tried, unsuccessfully, to access the accounts of administration officials and the president's campaign staff.

Microsoft has over time been involved in legal actions against Phosphorus, obtaining permission from federal courts to take control of 155 internet domains used by the group.

Strontium, Zirconium and Phosphorus are groups that carry out APT (advanced persistent threat) attacks: sophisticated cyber attacks in which an entity gains unauthorized access to a target and remains undetected for a long time, with the aim of stealing information and conducting cyber-espionage.

According to Kaspersky, in 2017 there were globally more than 100 groups periodically launching APT attacks, most of them being states or state-sponsored hacker groups.

Strontium is also known under other names, among them Fancy Bear, APT28, Pawn Storm, Sofacy, Sednit and Tsar Team, and cyber security companies agree that it works on behalf of the GRU, Russia's military intelligence agency.

Microsoft recently warned about Strontium hacking attempts targeting the computers of staff at SKDKnickerbocker, a Washington consulting firm working with Joe Biden and representatives of the Democratic Party.

However, in July, wired.com revealed Fancy Bear operations targeting US government agencies, educational institutions and the energy sector, with no clear intention of affecting the 2020 elections.

Zirconium, or APT31, is a hacking group sponsored by the Chinese state, active since at least 2016, which has targeted foreign companies for intellectual property theft, as well as diplomatic entities.

Phosphorus, also known as APT35, Newscaster, Charming Kitten or Ajax Security Team, is a cyber-espionage group sponsored by the Iranian government which has generally targeted US and Middle Eastern military, diplomatic and government personnel, media organizations, the energy and defence sectors, private companies and telecommunications services.

The cyber-security company FireEye has identified APT35 operations dating back to 2014.

Last year, APT35 also targeted staff involved in Donald Trump's campaign; the 2019 attacks were noticed by Microsoft as well.

In July, Google's Threat Analysis Group (TAG), a division of Google's security department that tracks hacking groups, announced that state-sponsored hackers from China and Iran had unsuccessfully launched phishing attacks against the campaign staff of the US presidential candidates, Joe Biden and Donald Trump.

According to TAG's head, Shane Huntley, the groups behind the attacks are APT33 (which targeted Biden) and APT35 (which targeted Trump).

The fact that these attacks are taking place is no surprise to cyber-security experts, but it is not yet clear whether the Chinese and Iranian hackers are acting like the Russian ones, or are merely observing the campaign and collecting information for future policy decisions rather than trying to alter the outcome of the US presidential election.

An extended public warning

The purpose of the analysis published by Microsoft is, according to the company, “defending democracy” and “strengthening the cyber-security”.

Equally, we can say that this is also a business-oriented move: "the majority of these attacks were detected and stopped by security tools built into our products", says the report.

Many cyber security companies, including Google and Microsoft, offer free security tools to election officials and campaign staff.

Russia and China have rejected Microsoft's report. Dmitry Peskov, spokesperson for President Vladimir Putin, stated that Moscow has never tried to interfere in other countries' elections, and the spokesperson of the Chinese foreign ministry, Zhao Lijian, said that Microsoft "should not accuse China…for nothing".

Also, Chinese analysts quoted by the Global Times (which is coordinated by the Chinese government) believe that Microsoft conducted the assessment in an attempt to show loyalty to US President Donald Trump and to ensure the smooth purchase of the TikTok application.

It did not go unnoticed that Microsoft's analysis was published a day after Brian Murphy, a US intelligence official, claimed in a whistleblower complaint that he had been pressured to downplay the threat of Russian interference in the United States.

Brian Murphy, a former deputy undersecretary for intelligence at the U.S. Department of Homeland Security, claims that Chad Wolf, the department's acting secretary, is the one who told him to stop assessing Russia's attempts to influence the 2016 election because it "made the president look bad". Instead, Wolf asked him to focus on the similar efforts of China and Iran, an order that apparently came directly from the White House.

Both the White House and the Department of Homeland Security have denied the allegations.

Microsoft's analysis also comes two weeks after John Ratcliffe, the Director of National Intelligence, sent letters of notification to the leadership of the Senate and the House of Representatives, as well as to the chairmen and members of the intelligence committees of both chambers, stating that he would no longer allow intelligence agencies to brief Congress on electoral interference, citing concerns about leaks.

According to Politico, Microsoft's assessment is the most extensive public warning to date about foreign governments' efforts to undermine US democracy through hackers, but the revelations come "amid the dispute between congressional Democrats and the administration over foreign threats against elections". Moreover, the message promoted by Trump and his supporters that the Chinese are trying to help Joe Biden is not supported by intelligence officials, who say that Russia's efforts are "the most active and noteworthy and dangerous".

Which one represents a bigger threat?

According to cyber-security firm FireEye, of all the recently revealed attacks, the Russian group's actions are the most worrying, given Strontium's history of involvement in "intelligence operations" that involve not only hacking targets to gather information but also using that information for political purposes. Unlike Iran or China, the GRU - and especially the GRU team known as Fancy Bear - "has a history of overcoming traditional espionage through political hacks and brief operations", such as those it carried out before the 2016 US presidential election and the 2017 French presidential election.

The Treasury Department has announced its own measures to counter the Kremlin's interference, imposing sanctions on pro-Russian Ukrainian parliamentarian Andriy Derkach for promoting efforts to discredit Joe Biden, and on three Russian citizens, Artem Lifshits, Anton Andreyev and Darya Aslanova, employees of the Kremlin-backed Internet Research Agency (Glavset), which is accused of trying to interfere in the US election on behalf of Russia.

Also on September 1st, Facebook announced that, following a tip from the FBI, it had identified in August a campaign run by the Russian Internet Research Agency.

The Russians set up a network of accounts and Facebook pages to drive traffic to PeaceData, a site that allegedly contained profiles of non-existent people presented as editors recruiting writers for articles. Facebook said it used technical indicators to link the campaign to the Russian Internet Research Agency.

PeaceData presents itself as a left-wing news site and, as part of a disinformation campaign, describes the Biden-Harris ticket as tools of the conservatives.

Although Facebook claims that the Russian action was "largely unsuccessful", more than 700 articles were published on the PeaceData website, in English and Arabic, starting in February, when it was set up.

Graphika, the social media analytics firm hired by Facebook to independently investigate the campaign, warns that the Russian agency used new techniques that could make interference harder to identify in the future: using artificial intelligence to generate fake profiles, using real authors to lend credibility to a fake news site, and targeting specific communities.

PeaceData denied the Russian Internet Research Agency's connection, calling Facebook's assessment a "slander".

The conclusion is drawn by the New York Times: there are significant differences in sophistication between the actions of the Russians and those of the Chinese, with security researchers agreeing that Russian hackers pose the most serious threat. China's attack on Joe Biden's campaign appears to be a standard espionage attempt, similar to the 2008 incidents in which hackers obtained internal documents and emails from campaign advisers to both candidates, John McCain and Barack Obama.

There is "no doubt" that Microsoft's assessment complicates the administration's claims that China poses a greater threat to US elections than Russia, as both National Security Adviser Robert C. O'Brien and Attorney General William Barr have said.

Translated by Andreea Soare