Russian attacks on the 2018 midterm election are underway


Earlier this year when Gov. Ducey kicked off his reelection campaign, it appears to have unleashed a horde of Twitter bots, similar to the Russian intelligence influence campaign in 2016. “A flurry of these kind of fake Twitter accounts have followed influencers and journalists in the Valley, all promoting Ducey’s re-election campaign.” We spoke to real people being used as pro-Ducey Twitter bots. Here’s what they said. “Regarding this recent rash of Twitter bots supporting Ducey, his campaign spokesperson Patrick Ptak told 12 News, “we saw it too. Not us.””

So the Ruskies love them some Doug Ducey, do they?

The local media quickly dismissed this incident and disappeared it down the memory hole.

But not so fast.

Facebook today announced it Has Identified Ongoing Political Influence Campaign:

Facebook announced on Tuesday that it has identified a coordinated political influence campaign, with dozens of inauthentic accounts and pages that are believed to be engaging in political activity around divisive social issues ahead of November’s midterm elections.

In a series of briefings on Capitol Hill this week and a public post on Tuesday, the company told lawmakers that it had detected and removed 32 pages and accounts connected to the influence campaign on Facebook and Instagram as part of its investigations into election interference. It publicly said it had been unable to tie the accounts to Russia, whose Internet Research Agency was at the center of an indictment earlier this year for interfering in the 2016 election, but company officials told Capitol Hill that Russia was possibly involved, according to two officials briefed on the matter.

Facebook said that the accounts — eight Facebook pages, 17 Facebook profiles, and seven Instagram accounts — were created between March 2017 and May 2018 and first discovered two weeks ago. Those numbers may sound small, but their influence is spreading: More than 290,000 accounts followed at least one of the suspect pages, the company said.

Between April 2017 and June 2018, the accounts ran 150 ads costing $11,000 on the two platforms. They were paid for in American and Canadian dollars. And the pages created roughly 30 events over a similar time period, the largest of which attracted interest from 4,700 accounts.

Nathaniel Gleicher, Facebook’s head of cybersecurity policy, said that the activity bore some similarities to that of the Internet Research Agency, but that the actors had better disguised their efforts, using VPNs, internet phone services and third parties to purchase ads for them. He said the company had yet to see any evidence connecting the accounts to Russian IP addresses, like the ones sometimes used in the past by Internet Research Agency accounts. But there were also connections between some of the accounts and others tied to the notorious Russian troll farm that were taken down by Facebook already.

“These bad actors have been more careful to cover their tracks, in part due to the actions we’ve taken to prevent abuse over the past year,” Mr. Gleicher said.

* * *

Like the Russian interference campaign in 2016, the recently detected campaign dealt with divisive social issues.

Facebook discovered coordinated activity around issues like a sequel to last year’s deadly “Unite the Right” white supremacist rally in Charlottesville, Va. Specifically, a page called “Resisters,” which interacted with one Internet Research Agency account in 2017, created an event called “No Unite the Right 2 — DC” to serve as a counterprotest to the white nationalist gathering, scheduled to take place in Washington in August. Mr. Gleicher said “inauthentic” administrators for the “Resisters” page went as far as to coordinate with administrators for five other apparently real pages to co-host the event, publicizing details about transportation and other logistics.

Mr. Gleicher said it disabled the event on Tuesday and notified 2,600 users of the site who had indicated interest in attending the event.

Coordinated activity was also detected around #AbolishICE, a left-wing campaign on social media that seeks to end the Immigration and Customs Enforcement agency, according to two people briefed on the findings. That echoed efforts in 2016 to fan division around the Black Lives Matter movement.

“Today’s disclosure is further evidence that the Kremlin continues to exploit platforms like Facebook to sow division and spread disinformation,” said Senator Mark Warner of Virginia, the top Democrat on the Senate Intelligence Committee. “And I am glad that Facebook is taking some steps to pinpoint and address this activity.”

And last week it was revealed that Russian hackers have targeted Democratic senators, including Sen. Clair McCaskill, according to The Daily Beast. Russian Hackers’ New Target: a Vulnerable Democratic Senator:

The Russian intelligence agency behind the 2016 election cyberattacks targeted Sen. Claire McCaskill as she began her 2018 re-election campaign in earnest, a Daily Beast forensic analysis reveals. That makes the Missouri Democrat the first identified target of the Kremlin’s 2018 election interference.

* * *

There’s no evidence to suggest that this attempt to lure McCaskill staffers was successful. The precise purpose of the approach was also unclear. Asked about the hack attempt by Russia’s GRU intelligence agency, McCaskill told The Daily Beast on Thursday that she wasn’t yet prepared to discuss it.

“I’m not going to speak of it right now,” she said. “I think we’ll have something on it next week. I’m not going to speak about it right now. I can’t confirm or do anything about it right now.”

The senator later released a statement asserting that the cyberattack was unsuccessful.

“Russia continues to engage in cyber warfare against our democracy. I will continue to speak out and press to hold them accountable,” McCaskill said. “While this attack was not successful, it is outrageous that they think they can get away with this. I will not be intimidated. I’ve said it before and I will say it again, Putin is a thug and a bully.”

In August 2017, around the time of the hack attempt, Trump traveled to Missouri and chided McCaskill, telling the crowd to “vote her out of office.” Just this last week, however, Trump said, on Twitter, that he feared Russians would intervene in the 2018 midterm elections on behalf of Democrats.

The revelations of the attempted hack of McCaskill staffers comes just weeks after Special Counsel Robert Mueller indicted 12 Russian intelligence officers, accusing them of orchestrating cyberattacks that targeted the Democratic National Committee, the Democratic Congressional Campaign Committee, and Clinton’s campaign in 2016.

* * *

The attempt against McCaskill’s office was a variant of the password-stealing technique used by Russia’s so-called “Fancy Bear” hackers against Clinton’s campaign chairman, John Podesta, in 2016.

The hackers sent forged notification emails to Senate targets claiming the target’s Microsoft Exchange password had expired, and instructing them to change it. If the target clicked on the link, he or she was taken to a convincing replica of the U.S. Senate’s Active Directory Federation Services (ADFS) login page, a single sign-on point for e-mail and other services.

As with the Podesta phishing, each Senate phishing email had a different link coded with the recipient’s email address. That allowed the fake password-change webpage to display the user’s email address when they arrived, making the site more convincing. In October, Microsoft wrested control of one of the spoofed website addresses— Seizing the Russians’ malicious domain names has been easy for Microsoft since August 2017, when a federal judge in Virginia issued a permanent injunction against the GRU hackers, after Microsoft successfully sued them as unnamed “John Doe” defendants. The court established a process that lets Microsoft take over any web addresses the hackers use that includes a Microsoft trademark.

Microsoft redirected the traffic from the fake Senate site to its own sinkhole server, putting it in a prime position to view targets trying to click through to change their passwords.

The Daily Beast identified McCaskill as a target while investigating statements made by Microsoft VP Tom Burt last week in an appearance at the Aspen Security Forum. Burton discussed the Virginia injunction, and told the audience that it allowed Microsoft to thwart a phishing campaign against three midterm election candidates, who he declined to name.“

We did discover that a fake Microsoft domain had been established as the landing page for phishing attacks, and we saw metadata that suggested those phishing attacks were being directed at three candidates who are all standing for elections in the midterm elections,” said Burt, Microsoft’s corporate vice president for customer security and trust. “We took down that domain and working with the government actually were able to avoid anybody being infected by that particular attack.”

A snapshot of a deep link on the phishing site taken September 26th by a website security scanner showed the fake password-change page with the Senate email address of a McCaskill policy aide on display.

There is a notable divide between Congress and the Trump administration over the vulnerability of the 2018 election to Russian election interference.

President Trump chaired a meeting Friday of his most senior national security advisers to discuss the administration’s effort to safeguard November’s elections from Russian interference, the first such meeting he’s led on the matter, but issued no new directives to counter or deter the threat. Trump chairs election security meeting but gives no new orders to repel Russian interference:

The meeting, which lasted less than an hour, covered all the activities by federal agencies to help state and local election officials, and to investigate and hold accountable Russian hackers seeking to undermine American democracy.

There was no discussion of new actions Trump wants or of a coordinated strategy to prevent Russia from interfering in U.S. politics, officials said. Instead, the meeting focused on the activities undertaken so far.

* * *

In the absence of direct guidance from the White House, individual federal agencies have marshaled efforts to detect and counter the threat. The head of the National Security Agency created a Russia “small group” composed of NSA and military cyber-specialists tasked with detecting and countering Russian efforts to target the elections. If directed, U.S. Cyber Command, using NSA intelligence, can carry out offensive operations to disrupt such activity.

Already, at least three congressional candidates have been targeted by Russian military hackers. None of the attempts was successful, according to an executive with Microsoft, who discussed the operation at a security conference last week.

* * *

FBI Director Christopher A. Wray last fall set up a foreign influence task force to counter influence operations targeting the United States. Such operations, the FBI said in a statement Friday, include covert efforts “to influence U.S. policy, distort public sentiment and public discourse, and undermine confidence in democratic values to achieve other governments’ geopolitical objectives.”

The Justice Department last week announced a new policy of exposing covert actions by foreign governments to undermine confidence in democratic institutions such as U.S. elections, often through cyberhacking and disinformation campaigns.

The most visible effort is being undertaken by the Department of Homeland Security, which is focused on election system security and has formed a task force made up of representatives from DHS and other federal agencies to share information and assist state and local election officials in bolstering the security of their systems.

Congress this year set aside $380 million to help states strengthen their election infrastructure. But that is widely seen as insufficient. The Senate is weighing approval of an additional $250 million in grants.

Also, the House and Senate armed services committees have crafted legislation authorizing the president to direct Cyber Command to disrupt Russian election interference operations. The bill, which must still be voted on by Congress, would also require the president to designate an NSC coordinator to head a multiagency process aimed at combating malign foreign influence campaigns.

Jennfer Rubin of the Washington Post is dismissive. Two theories on why Trump won’t harden our election machinery:

This smacks of a just-for-show meeting, the end result of his staff reading polls and deciding that he needed to show he was concerned about the integrity of our elections. Unfortunately, a transparently formulaic meeting with no new funding, no new proposals and no presidential leadership tells us that Trump doesn’t care about election security. His hint via tweet that Russia was going to hack the midterm elections specifically to benefit Democrats was entirely baseless, but it set off alarm bells that Trump might try to discredit election results if Democrats do very well (which is quite likely).

That sounds about right.