Russian hacked ‘at least one’ Florida county prior to 2016 election

Russian operatives successfully targeted and hacked “at least one” Florida county government in the run up to the 2016 U.S. presidential election, according to new findings by the Special Counsel Robert Mueller.

The report, published Thursday by the Justice Department, said the county was targeted by the Russian intelligence service, known as the GRU. The hackers sent spearphishing emails to more than 120 email accounts used by county officials responsible for administering the election, the report said.

According to the findings:

In August 2016, GRU officers targeted employees of [REDACTED], a voting technology company that developed software used by numerous U.S. counties to manage voter rolls, and installed malware on the company network… the spearphishing emails contained an attached Word document coded with malicious software (commonly referred to as a Trojan) that permitted the GRU to access the infected computer.

The findings are a significant development from previous reporting that said Florida’s election systems were merely targets of the Russian operatives.

Sen. Bill Nelson (D-FL) was derided after he claimed just days before his eventual re-election that hackers had gained access to the state’s election systems. According to NBC News, some of Nelson’s assertions were based off classified information that was not yet public.

Nelson’s remarks came almost a year after The Intercept published a classified document — later discovered to have been sent by since-jailed NSA whistleblower and Reality Winner — showing that intelligence pointed to a concerted effort by the GRU to target election infrastructure. The NSA said the hackers sent emails impersonating voting technology company VR Systems to state government officials.

The Orlando Sentinel confirmed Thursday following the release of Mueller’s report’s that Volusia County was sent infected emails containing malware, suggesting Volusia County — north of Orlando — may have been the target.

Mueller’s report confirmed that the FBI investigated the incident.

The office of Florida’s secretary of state said that Florida’s voter registration system “was and remains secure,” and “official results or vote tallies were not changed.”

Two years later following the 2018 midterm elections, the Justice Department and Homeland Security said there was “no evidence” of vote hacking or tampering.

Mueller says use of encrypted messaging stalled some lines of inquiry

A single paragraph in the Mueller report out Thursday offers an interesting look into how the Special Counsel’s investigation came head-to-head with associates of President Trump who used encrypted and ephemeral messaging to hide their activities.

From the report:

Further, the Office learned that some of the individuals we interviewed or whose conduct we investigated-including some associated with the Trump Campaign — deleted relevant communications or communicated during the relevant period using applications that feature encryption or that do not provide for long-term retention of data or communications records. In such cases, the Office was not able to corroborate witness statements through comparison to contemporaneous communications or fully question witnesses about statements that appeared inconsistent with other known facts.

The report didn’t spell out specifics of whom or why, but clearly Mueller wasn’t happy. He was talking about encrypted messaging apps that also delete conversation histories over a period of time. Apps like Signal and WhatsApp are popular for this exact reason — you can communicate securely and wipe any trace after the fact.

Clearly, some of Trump’s associates knew better.

But where prosecutors who have faced similar setbacks with individuals using encrypted messaging apps to hide their tracks have often attacked tech companies for building the secure apps, Mueller did not. He just stated a fact and left it at that.

For years, police and law enforcement have lobbied against encryption because they say it hinders investigations. More and more, apps are using end-to-end encryption — where the data is scrambled from one device to another — so that even the tech companies can’t read their users’ messages. But just as criminals use encrypted messaging for bad, ordinary people use encrypted messaging to keep their conversations private.

According to the report, it wasn’t just those on the campaign trail. The hackers associated with the Russian government and WikiLeaks, both of which were in contact following the breaches on Hillary Clinton’s campaign and the Democratic National Committee, took efforts to “hide their communications.”

Not all of Trump’s associates have fared so well over the years.

Michael Cohen, Trump’s former personal attorney, learned the hard way that encrypted messaging apps are all good and well — unless someone has your phone. Federal agents seized Cohen’s BlackBerry, allowing prosecutors to recover streams of WhatsApp and Telegram chats with Trump’s former campaign chief Paul Manafort.

Manafort, the only person jailed as part of the Mueller investigation, also tripped up after his “opsec fail” after prosecutors obtained a warrant to access his backed-up messages stored in iCloud.

Mueller report details the evolution of Russia’s troll farm as it began targeting US politics

BRENDAN SMIALOWSKI/AFP/Getty Images

On Thursday, Attorney General William Barr released the long-anticipated Mueller report. With it comes a useful overview of how Russia leveraged U.S.-based social media platforms to achieve its political ends.

While we’ve yet to find too much in the heavily redacted text that we didn’t already know, Mueller does recap efforts undertaken by Russia’s mysterious Internet Research Agency or “IRA” to influence the outcome of the 2016 presidential election. The IRA attained infamy prior to the 2016 election after it was profiled in depth by the New York Times in 2015. (That piece is still well worth a read.)

Considering the success the shadowy group managed to achieve in infiltrating U.S. political discourse — and the degree to which those efforts have reshaped how we talk about the world’s biggest tech platforms — the events that led us here are worth revisiting.

IRA activity begins in 2014

In Spring of 2014, the special counsel reports that the IRA started to “consolidate U.S. operations within a single general department” with the internal nickname the “translator.” The report indicates that this is the time the group began to “ramp up” its operations in the U.S. with its sights on the 2016 presidential election.

At this time, the IRA was already running operations across various social media platforms, including Facebook, Twitter and YouTube. Later it would expand its operations to Instagram and Tumblr as well.

Stated anti-Clinton agenda

As the report details, in the early stages of its U.S.-focused political operations, the IRA mostly impersonated U.S. citizens but into 2015 it shifted its strategy to create larger pages and groups that pretended to represent U.S.-based interests and causes, including “anti-immigration groups, Tea Party activists, Black Lives Matter [activists]” among others.

The IRA offered internal guidance to its specialists to “use any opportunity to criticize Hillary [Clinton] and the rest (except Sanders and Trump – we support them” in early 2016.

While much of the IRA activity that we’ve reported on directly sowed political discord on divisive domestic issues, the group also had a clearly stated agenda to aid the Trump campaign. When the mission strayed, one IRA operative was criticized for a “lower number of posts dedicated to criticizing Hillary Clinton” and called the goal of intensify criticism of Clinton “imperative.”

That message continued to ramp up on Facebook into late 2016, even as the group also continued its efforts in issued-based activist groups that, as we’ve learned, sometimes inspired or intersected with real life events. The IRA bought a total of 3,500 ads on Facebook for $100,000 — a little less than $30 per ad. Some of the most successful IRA groups had hundreds of thousands of followers. As we know, Facebook shut down many of these operations in August 2017.

IRA operations on Twitter

The IRA used Twitter as well, though its strategy there produced some notably different results. The group’s biggest wins came when it managed to successfully interact with many members of the Trump campaign, as was the case with @TEN_GOP which posed as the “Unofficial Twitter of Tennessee Republicans.” That account earned mentions from a number of people linked to the Trump campaign, including Donald Trump Jr., Brad Parscale and Kellyanne Conway.

As the report describes, and has been previously reported, that account managed to get the attention of Trump himself:

“On September 19, 2017, President Trump’s personal account @realDonaldTrump responded to a tweet from the IRA-controlled account @ l0_gop (the backup account of @TEN_ GOP, which had already been deactivated by Twitter). The tweet read: “We love you, Mr. President!”

The special counsel also notes that “Separately, the IRA operated a network of automated Twitter accounts (commonly referred to as a bot network) that enabled the IRA to amplify existing content on Twitter.”

Real life events

The IRA leveraged both Twitter and Facebook to organize real life events, including three events in New York in 2016 and a series of pro-Trump rallies across both Florida and Pennsylvania in the months leading up the election. The IRA activity includes one event in Miami that the then-candidate Trump’s campaign promoted on his Facebook page.

While we’ve been following revelations around the IRA’s activity for years now, Mueller’s report offers a useful birds-eye overview of how the group’s operations wrought havoc on social networks, achieving mass influence at very little cost. The entire operation exemplified the greatest weaknesses of our social networks — weaknesses that up until companies like Facebook and Twitter began to reckon with their role in facilitating Russian election interference, were widely regarded as their greatest strengths.

Mueller report sheds new light on how the Russians hacked the DNC and the Clinton campaign

The Mueller report contains new information about how the Russian government hacked documents and emails from Hillary Clinton’s presidential campaign and the Democratic National Committee .

At one point, the Russians used servers located in the U.S. to carry out the massive data exfiltration effort, the report confirms.

Much of the information was previously learned from the indictment of Viktor Borisovich Netyksho, the Russian officer in charge of Unit 26165. Netyksho is believed to be still at large in Russia.

But new details in the 488-page redacted report released by the Justice Department on Thursday offered new insight into how the GRU operatives hacked.

The operatives working for the Russian intelligence directorate, the GRU, sent dozens of targeted spearphishing emails in just five days to the work and personal accounts of Clinton Campaign employees and volunteers, as a way to break into the campaign’s computer systems.

The GRU hackers also gained access to the email account of John Podesta, Clinton’s campaign chairman, of which its contents were later published.

Using credentials they stole along the way, the hackers broke into the networks of the Democratic Congressional Campaign Committee days later. By stealing the login details of a system administrator who had “unrestricted access” to the network, the hackers broke into 29 computers in the ensuring weeks, and more than 30 computers on the DNC.

The operatives, known collectively as “Fancy Bear,” is made up of several units tasked with specific operations. Mueller formally blamed Unit 26165, a division of the GRU specializing in targeting government and political organizations, for taking on the “primary responsibility for hacking the DCCC and DNC, as well as email accounts of individuals affiliated with the Clinton Campaign,” said the Mueller report.

The hackers used Mimikatz, a hacking tool used once an intruder is already in a target network, to collect credentials, and two other kinds of malware: X-Agent for taking screenshots and logging keystrokes, and X-Tunnel used to exfiltrate massive amounts of data from the network to servers controlled by the GRU. Mueller’s report found that Unit 26165 used several “middle servers” to act as a buffer between the hacked networks and the GRU’s main operations. Those servers, Mueller said, were hosted in Arizona — likely as a way to obfuscate where the attackers were located but also to avoid suspicion or detection.

In all, some 70 gigabytes of data were exfiltrated from Clinton’s campaign servers and some 300 gigabytes of data were from the DNC’s network.

Meanwhile, another GRU hacking unit, Unit 74455, which helped to disseminate and publish hacked and stolen documents, pushed the stolen data out through two fictitious personas. DCLeaks was a website that hosted the hacked material, while Guccifer 2.0 was a hacker-like figure who had a social presence and would engage with reporters.

Under pressure from the U.S. government, the two GRU-backed personas were shut down by the social media companies. Later, tens of thousands of hacked files were funneled to and distributed by WikiLeaks .

Mueller’s report also found a cause-and-effect between Trump’s remarks in July 2016 and subsequent cyberattacks.

“I hope you’re able to find the 30,000 emails that are missing,” said then-candidate Trump at a press conference, referring to emails Clinton stored on a personal email server while she headed the State Department. Mueller’s report said “within approximately five hours” of those remarks, GRU officers began targeting for the first time Clinton’s personal office.

More than a dozen staffers were targeted by Unit 26165, including a senior aide. “It is unclear how the GRU was able to identify these email accounts, which were not public,” said Muller.

Mueller said the Trump campaign made efforts to “find the deleted Clinton emails.” Trump is said to have privately asked would-be national security advisor Michael Flynn, since convicted following inquiries by the Special Counsel’s office, to reach out to associates to obtain the emails. One of those associates was Peter Smith, who died by suicide in May 2017, claimed to be in contact with Russian hackers — claims which Mueller said were not true.

Does that implicate the Trump campaign in an illegal act? Likely not.

“Under applicable law, publication of these types of materials would not be criminal unless the publisher also participated in the underlying hacking conspiracy,” according to Elie Honig, a CNN legal analyst. “The special counsel’s report did not find that any person associated with the Trump campaign illegally participated in the dissemination of the materials.”

Read the Mueller report here

The Mueller report has been published. It was posted at 11am ET, a month after Special Counsel Robert Mueller submitted his findings to the Justice Department examining Russian interference in the 2016 U.S. presidential election.

Per remarks by U.S. attorney general William Barr speaking this morning, there are three major components to the report:

  • How the Russian troll farm, the so-called Internet Research Agency, used social media and disinformation to sow uncertainty and doubt among American voters;
  • The involvement of the Russian government’s intelligence unit, the GRU, in hacking into computers belonging to the Democratic National Committee and the Hillary Clinton campaign to steal documents and emails;
  • And the investigation of the Trump campaign’s links and connections over possible collusion with the Russian government during the 2016 presidential election,

We’ve uploaded the final redacted report here. You can read below. You can follow along with TechCrunch’s coverage of the Mueller report, and read more about how and why we’re covering it.

Why we’re looking into the Mueller report

After nearly two years of investigation and months of delays — not to mention partisan bickering the whole time, Special Counsel Robert Mueller’s report on the president’s campaign and Russian interference in the 2016 election is out today.

We’re not a politics news site but we’re still looking into it — tech has figured more prominently than ever in the last few years and understanding its role in what could be a major political event is crucial for the industry and government both.

The report and discussion thereof is bound to be highly politically charged from the get-go and the repercussions from what is disclosed therein are sure to reach many in and out of office. But there are also interesting threads to pull as far as events and conspiracies that could only exist online or using modern technology and services, and for these the perspective of technology, not politics, reporting may be best suited to add context and interpretation.

What do we expect to find in the report that is of particular interest to the tech world?

The topic that is most relevant and least explored already is the nature of Russia’s most direct involvement in the 2016 election, namely the hack of the Democratic National Committee email server, attributed to Russia’s GRU intelligence unit, and funneling of this information to WikiLeaks and the Trump campaign. The recent arrest of Julian Assange may prove relevant here.

The report will illuminate many things relating to these events, not necessarily technical details — although they may have been furnished by any number of parties — but plans, dates, people involved, and networks through which the hack and resulting data were communicated. Why was this added to Mueller’s pile in the first place? What about Assange? Who knew about the hack and when, and what does that imply?

Another topic, which seems more well trodden but about which we can never seem to know enough, is the origin and extent of Russian “troll farm” activity through the so-called Internet Research Agency. We’ve seen a great deal of their work as part of the ongoing barbecue of Facebook’s leadership, and to a lesser extent other social media platforms, but there’s much we don’t know as well.

Was there coordination with some U.S. entities? How was the content created, and the topics chosen? Was there a stated outcome, such as dividing the electorate or damaging Clinton’s reputation? Was this contiguous with earlier operations? How, if at all, did it change once Trump was named the Republican candidate, and was this related to other communications with his campaign?

The last of our topics of most likely interest is that of the technological methods employed by Mueller in his investigation. Previous investigations of this scale into the activities of sitting presidents and their campaigns have occurred in completely different eras, when things like emails, metadata, and encrypted messaging weren’t, as they are today, commonplace.

How did Mueller pursue and collect privileged communications on, for example, private email servers and hosted web services? What services and networks were contacted, and how did they respond? How were the U.S.’ surveillance tools employed? What about location service from tech giants or telecoms? Was other garden-variety metadata — the type we are often told is harmless and which is often unregulated — used in the investigation to any effect?

We will be poring over the report with these thoughts and ideas in mind but also with an eye to any other interesting tech-related item that may appear. Perhaps that private server used “admin/password” as their login. Perhaps GRU agents were communicating using a cryptographic method known to be unsafe. Perhaps the vice-president uses a Palm Pre?

We’ll leave the politics to cable news and D.C. insiders, but tech is key to this report and we aim to explain why and how.

Congress readies for Mueller report to be delivered on CDs

If there weren’t enough obstacles already standing between Congress and the results of the special counsel’s multiyear investigation, lawmakers are expecting to need an optical drive to read the document.

A Justice Department official told the Associated Press that a CD containing the Mueller report would be delivered to Congress tomorrow between 11 and noon Eastern. At some point after the CDs are delivered, the report is expected to be made available to the public on the special counsel’s website.

Any Congressional offices running Macs will likely have to huddle up with colleagues who still have a CD-capable drive. Optical drives disappeared from Apple computers years ago. With people increasingly reliant on cloud storage over physical storage, they’re no longer as popular on Windows machines either.

Tomorrow’s version of the report is expected to come with a fair amount of detail redacted throughout, though a portion of Congress may receive a more complete version at a later date. The report’s release on Thursday will be preceded by a press conference hosted by Attorney General William Barr and Deputy Attorney General Rod Rosenstein. If you ask us, there’s little reason to tune into that event rather than waiting for substantive reporting on the actual contents of the report once it’s out in the wild. Better yet, hunker down and read some of the 400 pages yourself while you wait for thoughtful analyses to materialize.

Remember: No matter what sound bites start flying tomorrow morning, digesting a dense document like this takes time. Don’t trust anyone who claims to have synthesized the whole thing right off the bat. After all, America has waited this long for the Mueller report to materialize — letting the dust settle won’t do any harm.

FCC looks to slap down China Mobile’s attempt to join US telecom system

The FCC has proposed to deny an application from China Mobile, a state-owned telecom, to provide interconnect and mobile services here in the U.S., citing security concerns. It’s another setback to the country’s attempts to take part in key portions of American telecommunications.

China Mobile was essentially asking to put call and data interconnection infrastructure here in the U.S.; It would have come into play when U.S. providers needed to connect to Chinese ones. Right now the infrastructure is generally in China, an FCC spokesperson explained on a press call.

In a draft order that will be made public tomorrow and voted on in May, FCC Chairman Ajit Pai moves to deny the application, which has been pending since 2011. Such applications by foreign-owned entities to build and maintain critical infrastructure like this in the U.S. have to pass through the Executive, which only last year issued word that it advised against the deal.

In the last few months, the teams at the FCC have reviewed the record and came to the conclusion that, as Chairman Ajit Pai put it:

It is clear that China Mobile’s application to provide telecommunications services in our country raises substantial and serious national security and law enforcement risks. Therefore, I do not believe that approving it would be in the public interest.

National security issues are of course inevitable whenever a foreign-owned company wants to be involved with major infrastructure work in the U.S., and often this can be taken care of with a mitigation agreement. This would be something like an official understanding between the relevant parties that, for instance, law enforcement in the U.S. would have access to data handled by the, say, German-owned equipment, and German authorities would alert U.S. about stuff it finds, that sort of thing.

But that presupposes a level of basic trust that’s absent in the case of a company owned (indirectly but fully) by the Chinese government, the FCC representative explained. It’s a similar objection to that leveled at Huawei, which given its close ties to the Chinese government, the feds have indicated they won’t be contracting with the company for infrastructure work going forward.

The denial of China Mobile’s application on these grounds is apparently without precedent, Pai wrote in a separate note: “Notably, this is the first time the Executive Branch has ever recommended that the FCC deny an application due to national security concerns.”

It’s likely to further strain relations between our two countries, though the news likely comes as no surprise to China Mobile, which probably gave up hope some time around the third or fourth year its application was stuck in a bureaucratic black hole.

The draft order will be published tomorrow, and will contain the evidence and reasoning behind the proposal. It will be voted on at the FCC open meeting on May 9.

Terry Gou will resign as Foxconn’s chairman to run for president of Taiwan

Foxconn chairman Terry Gou officially announced on Wednesday that he will run for president of Taiwan. Gou will step down from leading the company (also known as Hon Hai Precision Industry Co. Ltd.), one of Apple’s most important manufacturers, in order to campaign for the nomination of the Kuomintang, the pro-China opposition party.

Taiwan’s economy and complicated relationship with China will be at the heart of the 2020 presidential campaign, as incumbent Tsai Ing-wen defends her position against not only candidates from the Kuomintang and other parties, but also a challenger from her own party, the Democratic Progressive Party, William Lai, who entered the race last month.

Gou earlier said that his presidential aspirations had been blessed by Mazu, the sea goddess who is one of the most important Taoist and Buddhist deities. Gou founded Foxconn in 1974 and has held no political office, but his campaign will be helped by his business reputation and reported $7 billion net worth.

Gou’s lack of government experience may be balanced in the mind of voters by his relationships with Donald Trump and China’s government. Foxconn has committed to building a $10 billion factory in Wisconsin. Even though Taiwan’s sovereignty is not recognized by China, which views the country as a rogue province, Foxconn has more plants there than in any other country.

A new state-backed hacker group is hijacking government domains at a phenomenal pace

A few months ago, researchers at Cisco’s Talos cybersecurity unit sounded the alarm after discovering a previously undiscovered hacker group targeting a core part of the internet’s infrastructure.

Their alarm was heard: FireEye quickly came out with new intelligence warning of a “global” domain name hijacking campaign targeting websites of predominantly Arab governments. The campaign, dubbed “DNSpionage,” rerouted users from a legitimate web address to a malicious server to steal passwords. Homeland Security warned the U.S. government had been targeted, and ICANN, the non-profit charged with keeping the internet’s address book, said the domain name system (DNS) was under an “ongoing and significant” attack and urged domain owners to take action.

Now, Talos researchers say they have found another highly advanced hacker group, likely backed by a nation-state, which they say has targeted 40 government and intelligence agencies, telecom firms and internet giants in 13 countries for more than two years.

“This is a new group that is operating in a relatively unique way that we have not seen before.” Craig Williams, Cisco Talos

“We assess with high confidence that these operations are distinctly different and independent from the operations performed by DNSpionage,” said the Talos report out Wednesday, seen by TechCrunch.

The group, which Talos calls “Sea Turtle” — an internal codename that ended up sticking — similarly targets companies by hijacking their DNS. That allows the hackers to point a target’s domain name to a malicious server of their choosing. This clever site-spoofing technique exploits long-known flaws in DNS that can be used to trick unsuspecting corporate victims into turning over their credentials on fake login pages, which the hackers can use for further compromise.

“This is a new group that is operating in a relatively unique way that we have not seen before, using new tactics, techniques, and procedures,” Craig Williams, director, outreach at Cisco Talos, told TechCrunch.

The hackers first compromise an intended target using spearphishing to get a foothold on the network, then use known exploits to target servers and routers to move laterally and obtain and exfiltrate network-specific passwords. The hackers then use those credentials to target the organization’s DNS registrar by updating its records so that the domain name points away from the IP address of the target’s server to a server controlled by the hackers.

Once the target’s domain is pointing to the malicious server, the hackers can run a man-in-the-middle operation to impersonate login pages and scrape the usernames and passwords of the staff as a way of getting deeper access into the network. The hackers also used their own HTTPS certificate for the target’s domain from another provider to make the malicious server look like the real thing.

With the credentials for greater network access in hand, the hackers aim to obtain the target’s SSL certificates used across the corporate network, granting greater visibility into the organization’s operations. The attackers also stole the SSL certificates used in security appliances, like virtual private networks (VPN), which were used to steal credentials to gain access to the organization’s network from outside its walls.

Using this same technique, Talos said that the hacker group compromised Netnod, a DNS provider in Sweden and one of the 13 root servers that powers the global DNS infrastructure. In February, Netnod confirmed its infrastructure was hijacked. The successful attack allowed the hackers to steal the passwords of administrators who manage Saudi Arabia’s top-level domain — .sa — suggesting other Saudi-based companies could be in the hacker group’s crosshairs.

Williams said Talos can “conclusively” link the Sea Turtle hackers to the Netnod attack.

In another case, the hackers gained access to the registrar that manages Armenia’s top-level domains, allowing the group to potentially target any .am domain name.

Talos wouldn’t name the targets of the attacks nor name the registrars at risk, citing the risk of further or copycat attacks — and the researchers wouldn’t name the state likely behind the group, instead deferring to the authorities to attribute. But the researchers said Armenia, along with Egypt, Turkey, Swwden, Jordan, and the United Arab Emirates were among the countries where it found victims.

Given the eventual targets included internet and telecom infrastructure companies, foreign ministries, and intelligence agencies in the Middle East and Africa, Williams said the group’s primary motivations are to conduct espionage.

Sea Turtle are said to be “highly capable,” said the researchers’ findings, and the hackers are able to maintain long-term access by using the stolen credentials.

The researchers urged companies to begin using DNSSEC, a cryptographically more secure domain name system that’s far tougher to spoof, and employing two-factor on an organization’s DNS records.

“While this incident is limited to targeting primarily national security organizations in the Middle East and North Africa, and we do not want to overstate the consequences of this specific campaign, we are concerned that the success of this operation will lead to actors more broadly attacking the global DNS system,” the researchers said.