Threat Intelligence

The Shadow of the Russian Cyber Army Behind the 2016 Presidential Election

November 3, 2016 by Pierluigi Paganini

US Accuses Russia of Attempting to Disrupt The US Presidential Election

A few weeks ago, the US Government officially accused Russia of trying to interfere with the 2016 US presidential election and announced that it will adopt all necessary countermeasures to defeat the threat.

The Office of the Director of National Intelligence and the Department of Homeland Security have issued a joint security statement to accuse the Russian government of a series of intrusions into the networks of US organizations and state election boards involved in the Presidential Election.


"The U.S. Intelligence Community (USIC) is confident that the Russian Government directed the recent compromises of e-mails from US persons and institutions, including from US political organizations. The recent disclosures of alleged hacked e-mails on sites like WikiLeaks and by the Guccifer 2.0 online persona are consistent with the methods and motivations of Russian-directed efforts. These thefts and disclosures are intended to interfere with the US election process," reads the statement.

"We will take action to protect our interests, including in cyberspace, and we will do so at a time and place of our choosing," a senior administration official told AFP.

"The public should not assume that they will necessarily know what actions have been taken or what actions we will take."

US intelligence publicly accused the Russian government of the cyber-attacks that targeted political organizations and individuals involved in the presidential election in order to gather intelligence and disrupt the election.

The authorities refer to the data leaks of the mysterious hacker Guccifer 2.0 that were "intended to interfere with the US election process." US intelligence analysts believe that the Guccifer 2.0 persona is the public face of an operation conducted by the Russian Government to destabilize the US by attacking the candidate Clinton and her political party.

"We believe, based on the scope and sensitivity of these efforts, that only Russia's senior-most officials could have authorized these activities."

Guccifer 2.0 is the entity behind the attack against the Democratic National Committee (DNC). According to the security company CrowdStrike, the attack wasn't the work of a lone wolf. Instead, two sophisticated Russian espionage groups, COZY BEAR and FANCY BEAR, were involved in the cyber espionage operation.

Russia rejects any accusation of interference with the Presidential Election and has threatened to respond to any future hack against its systems.

US politicians are demanding a strong response in retaliation for this interference.

"Russia must face serious consequences," said Republican Senator Ben Sasse.

"Moscow orchestrated these hacks because Putin believes Soviet-style aggression is worth it." "The United States must upend Putin's calculus with a strong diplomatic, political, cyber and economic response."

"It's critical to convince the Russian government to cease these activities. If it does not, we must develop a strong response," said the Democrat Dianne Feinstein, vice chair of the Senate Intelligence Committee.

While many security experts believe that the Presidential Election is vulnerable to cyber-attacks powered by foreign governments, the ODNI and DHS downplay the risks. Both agencies believe that the entire national election infrastructure is resilient to cyber-attacks. US government officials believe that there is little chance Russian hackers could directly affect the election by hacking voting systems.

"The USIC and the Department of Homeland Security (DHS) assess that it would be extremely difficult for someone, including a nation-state actor, to alter actual ballot counts or election results by cyber-attack or intrusion. This assessment is based on the decentralized nature of our election system in this country, and the number of protections state and local election officials have in place. States ensure that voting machines are not connected to the Internet, and there are numerous checks and balances as well as extensive oversight at multiple levels built into our election process," continues the joint statement.

Nation-State Hackers Behind the Attacks

While Russian and US politicians continue to accuse each other of hacking, security researchers are collecting evidence of the involvement of nation-state hackers in the attacks.

New evidence confirmed the involvement of the alleged Russian state-sponsored APT group called Fancy Bear in the cyber-attacks against the US Democratic National Committee's computers.

The APT has been operating since 2004 and is considered by security firms a highly sophisticated and well-resourced group that over the years has targeted various entities. The list of victims is very long and includes Eastern European politicians, NATO officials, Russian political dissidents, the French TV network TV5Monde, the German parliament, the DNC, Hillary Clinton's presidential campaign chairman John Podesta, and the former US Secretary of State Colin Powell.

The hackers launched spear-phishing attacks against their targets, aiming to collect login credentials for the email services used by the victims.

In this way, the hackers obtained sensitive documents and private emails from their victims, such as the DNC and John Podesta messages that were later leaked online by the hacker Guccifer 2.0.

The following image was shared by the expert Thomas Rid via Twitter and shows how the Fancy Bear hackers compromised Podesta's Gmail account.

The image shows the links included in the spear-phishing messages sent to Podesta.

Figure 1 - Link used in the spear-phishing attack against John Podesta

According to security researchers at ESET, the Fancy Bear APT group has targeted over 1000 high profile individuals with phishing attacks and zero-day exploits in their attempts to steal sensitive information.

Targeted phishing emails, for instance, are sent to victims linking to fake login pages where users are tricked into entering their usernames and passwords. Most of the targets analyzed by ESET use Gmail accounts. The investigation conducted by ESET allowed the researchers to determine that the majority of the targets were individuals, including political leaders and heads of police of Ukraine, members of NATO institutions, members of Russia's People's Freedom Party, and the Russian political dissidents 'Shaltay Boltai'.

The email messages sent to the victims rely on social engineering techniques to trick them into clicking on the embedded malicious link.

The analysis conducted by ESET discovered that more than 1,888 unique email addresses were targeted between 16 March and 14 September 2015. It is very interesting to note that most attacks occurred on Mondays or Fridays.

The analysis of the time of day at which the attackers appeared to be operating revealed that their working hours were concentrated mostly between 9 AM and 5 PM in the UTC+3 time zone, a circumstance that links the APT behind the attack to Russian entities.

Figure 2 - Attackers' working hours
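The working-hours analysis described above can be reproduced as a simple analytic: shift each event timestamp into a candidate time zone, then see how many land on business days and inside 09:00-17:00. The Python below is an added example, not ESET's or the author's code; the timestamps are constructed sample data, not real campaign telemetry, and the 9-to-5 window and UTC+3 candidate are taken from the text.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample: UTC timestamps of spear-phishing emails (not ESET's data).
SAMPLE_TIMESTAMPS_UTC = [
    "2015-03-16T07:12:00Z",  # Monday,    10:12 in UTC+3
    "2015-03-16T09:45:00Z",  # Monday,    12:45 in UTC+3
    "2015-03-20T11:30:00Z",  # Friday,    14:30 in UTC+3
    "2015-03-20T13:05:00Z",  # Friday,    16:05 in UTC+3
    "2015-03-23T06:20:00Z",  # Monday,    09:20 in UTC+3
    "2015-03-25T08:00:00Z",  # Wednesday, 11:00 in UTC+3
    "2015-03-27T12:40:00Z",  # Friday,    15:40 in UTC+3
    "2015-03-28T20:10:00Z",  # Saturday,  23:10 in UTC+3 (outside working hours)
]

WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def to_local(ts: str, utc_offset_hours: int) -> datetime:
    """Parse an ISO-8601 UTC timestamp and shift it to a fixed UTC offset."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone(timedelta(hours=utc_offset_hours)))


def activity_profile(timestamps, utc_offset_hours=3, start_hour=9, end_hour=17):
    """Weekday counts, hour-of-day counts and the fraction of events that fall
    inside [start_hour, end_hour) once shifted to the given time zone."""
    local = [to_local(t, utc_offset_hours) for t in timestamps]
    weekdays = Counter(WEEKDAYS[d.weekday()] for d in local)
    hours = Counter(d.hour for d in local)
    in_window = sum(1 for d in local if start_hour <= d.hour < end_hour)
    return {
        "weekdays": weekdays,
        "hours": hours,
        "working_hours_fraction": in_window / len(local) if local else 0.0,
    }


def best_fitting_offset(timestamps, candidates=range(-12, 15)):
    """Return the UTC offset under which the largest share of events falls in
    the 09:00-17:00 window. Ties go to the offset closest to UTC. On its own
    this is a weak signal: it must be corroborated by other evidence."""
    scored = {off: activity_profile(timestamps, off)["working_hours_fraction"]
              for off in candidates}
    return max(scored, key=lambda off: (scored[off], -abs(off)))
```

On the sample data UTC+3 is the only offset that places seven of the eight emails inside business hours, and the weekday counts show the Monday/Friday clustering the article mentions; real data needs many more events before either pattern means anything.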

In many cases, the hackers used malicious attachments to trigger vulnerabilities in common applications such as Microsoft Word, Microsoft Excel, Adobe Flash and Adobe Reader.

One of the most interesting aspects related to the attacks of the group that targeted the US Presidential election is the use of zero-day exploits to hack into computers of the targets.

The use of new zero-day exploits drastically increases the attackers' chances of successfully compromising a target's system.

The researchers discovered that the attackers exploited more than six zero-day vulnerabilities in popular software (e.g. Windows, Adobe Flash and Java) in the last year alone.

The availability of such a large number of zero-day exploits indicates that the APT is well funded and leads investigators to rule out the involvement of an ordinary criminal gang.

Figure 3 - Zero-day vulnerabilities exploited by the Fancy Bear APT in 2015 (ESET Report)

"A run-of-the-mill criminal gang would be unlikely to make use of quite so many previously unknown, unpatched vulnerabilities because of the significant skill, time and resources required to properly uncover and exploit them," reads the analysis published by ESET.

Although attribution is often the most difficult part of the analysis of a cyber-attack, the level of sophistication shown by Fancy Bear suggests the involvement of a nation-state actor.

Breaking News on the Alleged Russian Interference in the Presidential Election

While security experts debate the Russian interference in the Presidential Election, new, disconcerting details emerge every day.

Terry Myerson, Executive Vice President of Microsoft's Windows and Devices group, revealed that the recently disclosed Windows kernel zero-day was used by the Fancy Bear APT.

On Oct. 31, the Google Threat Analysis Group publicly disclosed a vulnerability in the Windows kernel that is actively being exploited by threat actors in the wild.

The zero-day could be exploited by attackers to escape the sandbox protection, gain administrator-level access and execute malicious code.

Google experts decided to disclose the flaw without waiting for a patch because they had observed exploits for it being used in targeted attacks in the wild.

The decision is consistent with Google's vulnerability disclosure timeline: when a flaw is being actively exploited in the wild, Google publicly discloses it after seven days.

"On Friday, October 21st, we reported 0-day vulnerabilities — previously publicly unknown vulnerabilities — to Adobe and Microsoft. Adobe updated Flash on October 26th to address CVE-2016-7855; this update is available via Adobe's updater and Chrome auto-update," reads a blog post published by Google.

"After 7 days, per our published policy for actively exploited critical vulnerabilities, we are today disclosing the existence of a remaining critical vulnerability in Windows for which no advisory or fix has yet been released. This vulnerability is particularly serious because we know it is being actively exploited."

Microsoft identifies the APT group as STRONTIUM, but we are more familiar with names like Pawn Storm, APT28 and Fancy Bear.

Fancy Bear was one of the two APT groups (COZY BEAR and FANCY BEAR) involved in the DNC hack, and it has powered many other attacks in recent months, including the hacks of both Clinton Campaign Chair John Podesta and the former Secretary of State Colin Powell.

The fact that Microsoft also detected the involvement of STRONTIUM in the attacks against the 2016 Presidential election confirms the previous investigations conducted by security firms and the US intelligence agencies.

Many security firms argue that Fancy Bear is linked to the Kremlin and have detailed the investigations that led their experts to believe that it is a Russian nation-state group.

Myerson highlighted the importance of upgrading to Windows 10 for protection from further advanced threats while waiting for a patch for the Windows Kernel zero-day.

The group has demonstrated the ability to exploit several zero-day flaws over the years. Furthermore, the hackers have used their capabilities in targeted attacks and never for financial crimes, both aspects that suggest the nation-state nature of this specific threat actor.

"Recently, the activity group that Microsoft Threat Intelligence calls STRONTIUM conducted a low-volume spear-phishing campaign. Customers using Microsoft Edge on Windows 10 Anniversary Update are known to be protected from versions of this attack observed in the wild. This attack campaign, originally identified by Google's Threat Analysis Group, used two zero-day vulnerabilities in Adobe Flash and the down-level Windows kernel to target a specific set of customers," reads the security advisory published by Microsoft.

Microsoft confirmed that customers using Windows 10 with Windows Defender Advanced Threat Protection are not exposed to the exploitation of the flaw.

"Customers who have enabled Windows Defender Advanced Threat Protection (ATP) will detect STRONTIUM's attempted attacks thanks to ATP's generic behavior detection analytics and up-to-date threat intelligence," continues the advisory.

At the time of writing, there is no news about the possible use of the Windows kernel zero-day as part of the above attacks.

Why Putin Fears a Clinton Presidency

Donald Trump and Vladimir Putin share the same vision on a number of issues, while the Russian President is wary of Clinton as President.

Hillary Clinton has not had a good relationship with the Russian Government since her time as Secretary of State. Analysts and politicians consider the relationship between the two sides to be a negative one.

The Kremlin considers Donald Trump an extremely pragmatic person, a cynical and unscrupulous entrepreneur with whom to build a profitable relationship that does not overlook private interests.

On the other hand, Trump has explicitly expressed admiration and sympathy for Putin.

The facts suggest that the Russian Government is actively working to undermine Clinton's presidential campaign; the hack of the Democratic National Committee and the numerous cyber intrusions into the Presidential campaign demonstrate a strategic interest in supporting Trump in the race to the White House.

Putin considers Clinton a serious threat to his objectives.

Back in 2011, Putin faced the biggest protests Russia had seen since the collapse of the Soviet Union.

People took to the streets against Putin, calling for fair elections. At that time Clinton was serving as Secretary of State and openly sided with the protesters.

"The Russian people, like people everywhere," she said, "...deserve free, fair, transparent elections."

In recent years, Putin has conducted an aggressive domestic and foreign policy, challenging NATO, the EU and of course the US on several occasions. Clinton has always judged Russian conduct outrageous and dangerous, and she explicitly said that the United States must find ways to "confine, contain, [and] deter Russian aggression in Europe and beyond."

Back to Trump: experts consider his foreign policy aligned with Russia's. He has suggested that he would recognize Russia's annexation of Crimea, which was occupied by pro-Putin military forces.

He has repeatedly called for the suspension of economic sanctions against Russia and expressed his support for Putin's ally, Syria's Assad.

Clinton expressed a different opinion from her opponent: she criticized the US Government's approach to the Crimean question and sent a clear message to Putin.

"I am in the category of people who wanted us to do more in response to the annexation of Crimea and the continuing destabilization of Ukraine," declared Clinton.

"I remain convinced that we need a concerted effort to really up the costs on Russia and in particular on Putin."

One of the most urgent questions to address after the election, for both the United States and Russia, is the civil war in Syria.

Clinton has a clear idea of how to proceed: stopping the Russian intervention in support of Assad and imposing a no-fly zone to halt Russian strikes on the opposition.

Do you still have doubts about the Russian interest in the US Presidential election?

Pierluigi Paganini

Pierluigi is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group, a member of the Cyber G7 Workgroup of the Italian Ministry of Foreign Affairs and International Cooperation, and Professor and Director of the Master in Cyber Security at the Link Campus University. He is also a Security Evangelist, Security Analyst and Freelance Writer.

Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years' experience in the field and a Certified Ethical Hacker (EC-Council, London). A passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US.

Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.