October 28, 2020
Hello, and welcome to the latest edition of Codebook. This week, we're thinking about how precious the franchise is. So please, if you haven't yet — go vote.
Today's newsletter is 1,287 words, a 5-minute read.
1 big thing: How overhyping became an election meddling tool
As online platforms and intelligence officials get more sophisticated about detecting and stamping out election meddling campaigns, bad actors are increasingly seeing the appeal of instead exaggerating their own interference capabilities to shake Americans' confidence in democracy.
Why it matters: It doesn't take a sophisticated operation to sow seeds of doubt in an already fractious and factionalized U.S. Russia proved that in 2016, and fresh schemes aimed at the 2020 election may already be proving it anew.
Driving the news: Intelligence officials last week detailed separate ongoing election interference efforts by Iran and Russia. Much of the activity officials described was rudimentary and scattershot, with both countries, for example, obtaining tranches of publicly available U.S. voter registration data.
- The U.S. has seen no evidence of Moscow operationalizing this information, said Director of National Intelligence John Ratcliffe, but Iranian hackers were a different matter, commandeering a website associated with the far-right Proud Boys and sending threatening “spoofed” emails from that domain to voters in swing states, demanding that they vote for President Trump.
- Facebook Tuesday said it had taken down accounts on its platform linked to the same Iranian group.
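The practical question for anyone who received one of these emails, or who runs a mail system for people who did, is whether a message that claims to come from a domain was actually authenticated by that domain. The example below is added here and is not part of the original newsletter or of any published analysis of the Iranian emails; it shows how a receiving server can parse the Authentication-Results header its own MTA stamped (RFC 8601) and check DMARC-style alignment of the header From against the SPF and DKIM results. The three messages, the receiving server's id mx.receiver.test, and the domain names are constructed placeholders.

```python
import email
from email.utils import parseaddr

# Placeholder: the authserv-id our own MTA writes into Authentication-Results.
# Headers stamped by any other id may have been forged by the sender and are ignored.
OUR_AUTHSERV_ID = "mx.receiver.test"

# Constructed message: From claims one domain, but SPF and DKIM only
# authenticate an unrelated sending domain. This is what a spoof looks like.
SPOOFED_MSG = """\
Authentication-Results: mx.receiver.test;
 spf=pass smtp.mailfrom=bulk-sender.test;
 dkim=pass header.d=bulk-sender.test header.s=sel1;
 dmarc=fail header.from=example-proudboys.test
From: "Proud Boys" <contact@example-proudboys.test>
To: voter@example.test
Subject: You are currently registered as a Democrat

Vote for Trump on Election Day or we will come after you.
"""

# Constructed message: SPF and DKIM both align with the header From domain.
AUTHENTIC_MSG = """\
Authentication-Results: mx.receiver.test;
 spf=pass smtp.mailfrom=example-proudboys.test;
 dkim=pass header.d=example-proudboys.test header.s=sel1;
 dmarc=pass header.from=example-proudboys.test
From: "Proud Boys" <contact@example-proudboys.test>
To: voter@example.test
Subject: Newsletter

Hello.
"""

# Constructed message: the sender injected its own Authentication-Results
# header claiming a pass; the authserv-id is not ours, so it must not be trusted.
FORGED_AR_MSG = """\
Authentication-Results: mx.attacker.test; dmarc=pass header.from=example-proudboys.test
From: "Proud Boys" <contact@example-proudboys.test>
To: voter@example.test
Subject: Trust me

Hello.
"""


def org_domain(domain):
    """Relaxed-alignment reduction to an organizational domain: keep the last
    two labels. Real implementations consult the Public Suffix List; this
    shortcut is wrong for suffixes like co.uk and is only for the example."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_auth_results(header_value):
    """Parse an RFC 8601 Authentication-Results value into
    {"authserv_id": str, "methods": {method: (result, {property: value})}}.
    Folded continuation lines are joined; comments and quoted values are not handled."""
    parts = [p.strip() for p in header_value.replace("\n", " ").split(";")]
    authserv_id = parts[0].split()[0] if parts and parts[0] else ""
    methods = {}
    for part in parts[1:]:
        if not part:
            continue
        tokens = part.split()
        method, _, result = tokens[0].partition("=")
        props = {}
        for tok in tokens[1:]:
            key, _, value = tok.partition("=")
            props[key] = value.lower()
        methods[method.lower()] = (result.lower(), props)
    return {"authserv_id": authserv_id, "methods": methods}


def from_domain_authenticated(raw_message):
    """Return (bool, reason): True only if a trusted Authentication-Results header
    shows an SPF or DKIM pass whose domain aligns with the header From domain."""
    msg = email.message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    from_dom = addr.rpartition("@")[2].lower()
    for header in msg.get_all("Authentication-Results") or []:
        ar = parse_auth_results(header)
        if ar["authserv_id"] != OUR_AUTHSERV_ID:
            continue  # not stamped by us: could be forged upstream
        spf = ar["methods"].get("spf")
        dkim = ar["methods"].get("dkim")
        spf_ok = (spf is not None and spf[0] == "pass"
                  and org_domain(spf[1].get("smtp.mailfrom", "")) == org_domain(from_dom))
        dkim_ok = (dkim is not None and dkim[0] == "pass"
                   and org_domain(dkim[1].get("header.d", "")) == org_domain(from_dom))
        if spf_ok or dkim_ok:
            return True, f"{from_dom} authenticated via {'SPF' if spf_ok else 'DKIM'}"
        return False, f"{from_dom} asserted in From, but no aligned SPF/DKIM pass"
    return False, f"{from_dom}: no Authentication-Results header from {OUR_AUTHSERV_ID}"


if __name__ == "__main__":
    for name, raw in [("spoofed", SPOOFED_MSG), ("authentic", AUTHENTIC_MSG), ("forged AR", FORGED_AR_MSG)]:
        ok, reason = from_domain_authenticated(raw)
        print(f"{name:10s} {'PASS' if ok else 'FAIL'}  {reason}")
```

Two points the code makes that a plain reading of the headers does not: a spoofed message can carry perfectly valid SPF and DKIM passes for a domain the attacker controls, so the check that matters is alignment with the From domain the recipient actually sees, and an Authentication-Results header is only evidence if your own MTA wrote it, which is why the third message is rejected even though it claims dmarc=pass.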
Between the lines: The Iranian spoofing op was crude. The operatives threatened registered Democrats in Florida, for example, to “vote for Trump” or “we will come after you.”
- The messages also demanded that the targeted individuals change their voter registration to Republican "to let us know you received our message and will comply," and they warned that “we will know which candidate you voted for."
The message was contradictory: We, the Proud Boys, are so sophisticated that we'll be able to find out who you voted for — but we still need to check against public records to make sure you change parties.
- It also may have been obvious to recipients that they were targeted using publicly available data. Indeed, the threat by Iranian operators to later do a compliance check against that very same public data was part of the campaign.
Yes, but: None of that necessarily matters to the success of the operation.
- The Iranians likely had little interest in actually cowing Democrats into voting for Trump. (For his part, Ratcliffe described the effort as an attempt to hurt Trump, without explaining how or why.)
They may have wanted to do a mix of these things:
- Amplify tensions in a hyper-partisan U.S. environment and ultimately make Trump supporters look radical.
- Mount a deliberately sloppy campaign to attract attention to convince Americans that foreign hackers are indeed fiddling with the election.
- In either case, the net intended effect is discord and distrust among the American electorate.
Be smart: In that respect, they may have gotten an even bigger payoff than they were counting on.
- Ratcliffe’s very public exposure of the Iranians’ activity and description of it as an anti-Trump campaign, while offering scant details on Russian interest in the voter data, caused heated public debate, with Democrats slamming his presentation as highly partisan.
The bottom line: Actors like the Iranian operatives may be ultimately working to trick voters into thinking they're a greater direct threat to election integrity than they actually are.
- And yet that very trick poses its own threat to election integrity, particularly after the exposure of a campaign gets sucked into the partisan maelstrom of U.S. politics.
- It's a worryingly simple process: Be loud and sloppy; get caught; drop a little more poison in America’s political well.
2. Russian hackers penetrated U.S. government networks, say officials
Russian government-backed hackers stole data from two servers after targeting state, local, tribal and territorial government networks in the U.S. since at least September, the FBI and Cybersecurity and Infrastructure Security Agency said Thursday.
Why it matters: Russia remains determined to break into U.S. networks as part of its global campaign to obtain exploitable access to infrastructure and government accounts and otherwise potentially wreak havoc. This campaign may also have been about propagating fear, uncertainty and doubt ahead of the election.
Details: U.S. officials did not disclose which government networks were penetrated, but did say the hackers in one case accessed documents related to "sensitive network configurations and passwords,” among other potentially useful intelligence.
- Notably, the campaign did not “intentionally [disrupt] any aviation, education, elections, or government operations,” wrote the FBI and CISA.
Yes, but: Officials warned the group’s current operations may be in preparation for future action.
Context: The responsible Russian hackers, known in threat intelligence circles as “Energetic Bear,” are associated with Russia’s Federal Security Service and are considered a highly skilled, stealthy group that has a history of penetrating U.S. critical infrastructure, such as nuclear power plants.
- In March, Energetic Bear hacked into the WiFi of San Francisco International Airport, as well as two other West Coast airports, in a targeted operation aimed at compromising the computer of a single traveler, reported the New York Times.
3. Treasury sanctions Russian malware producer
On Friday, the Treasury Department sanctioned a key Russian government research facility that U.S. officials said helped develop some of the world’s most dangerous malware.
Why it matters: U.S. officials said the institution, the Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM), is behind the “Triton” family of malware, which is built to manipulate the industrial safety systems that are supposed to shut down critical infrastructure such as petrochemical and power plants before a dangerous condition becomes a physical disaster.
Background: Threat researchers concluded that Russian hackers used Triton malware in a 2017 attack on a Saudi petrochemical facility.
- Though the operation was foiled, the Russian attackers tried to disable the facility’s safety instrumented system, the automated last line of defense that halts a plant when conditions turn dangerous, and may have been trying to trigger the physical destruction of the plant, said experts.
The big picture: The Triton attacks are considered a landmark in the world of cybersecurity.
- “In attacking the plant, the hackers crossed a terrifying Rubicon,” wrote the MIT Technology Review in a 2019 feature on Triton. “This was the first time the cybersecurity world had seen code deliberately designed to put lives at risk.”
Where it stands: The same Russian hacker group that previously deployed the Triton malware was “also reported to be scanning and probing at least 20 electric utilities in the United States for vulnerabilities” in 2019, said the Treasury announcement.
Meanwhile: TsNIIKhM is connected to the GRU, Russia’s main military intelligence agency, reports the Washington Post.
4. Trump's USAGM chief knocks down protections against interference
Michael Pack, the Trump-appointed CEO of the U.S. Agency for Global Media (USAGM), has posted a notice to repeal firewall protection intended to protect the agencies it governs, including the Voice of America, from political interference, Axios' Sara Fischer reports.
Why it matters: Critics argue that without the firewall, which separates journalists from the rest of the organization, there's nothing stopping USAGM-governed agencies from devolving into a propaganda arm of the administration — a move that's common in authoritarian regimes.
Details: Pack published a statement Monday saying that he took steps "to rectify a regulatory situation that was both in tension with the law and harmful to the agency and the U.S. national interest."
- He argued that the firewall was a misinterpretation of the 1994 International Broadcasting Act by the Broadcasting Board of Governors, the agency that formerly oversaw the media groups that USAGM now manages. (BBG was replaced by USAGM via a law passed during the Obama administration.)
- Pack said he "rescinded" the rule "based upon extensive legal analysis of the regulation and its conflict with Congress’s statutory mandate for USAGM — BBG’s successor — to support the foreign policy of the United States."
What's next: Pack's efforts come a week before the U.S. election.
- If President Trump loses, it's unclear what the future has in store for Pack and the agency.
- If he wins, sources tell Axios his goal will be to exert power over the USAGM to ensure that the reporting from broadcasters it governs promotes the Trump administration's values, not necessarily the values of unbiased journalism.
5. Odds and ends
- Hackers briefly took over Trump's campaign website, apparently in service of a cryptocurrency scam. (Axios)
- Sen. Ron Wyden says the NSA is stonewalling him on questions about whether the agency is getting backdoors placed into commercial technology to spy on Americans. (Reuters)
- The email accounts of local U.S. election officials have been targeted in what appears to be a malicious campaign. (Wall Street Journal)
- A deep dive into the activities of Black Cube, a private Israeli intelligence firm, in Romania. (Haaretz)
- The Louisiana National Guard has helped beat back a series of cyberattacks targeting government offices in that state. (Reuters)
- A North Korean state hacker group is targeting information “on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions.” (FBI/CISA/Cyber Command)