An indictment of 12 Russian operatives filed on July 13, 2018 goes to great lengths in describing the techniques, tactics and technologies used to sow havoc on the 2016 U.S. presidential election. The complex cyber subterfuge generally undermined the U.S. democratic process in the controversial 2016 presidential election and specifically targeted the campaign and apparatus of then presidential candidate Hillary Clinton and the Democratic Party. The 29-page indictment clearly outlines the concerted efforts carried out by Russian operatives, including such commonplace cyber threats as spear phishing, malware, spoofing, virtual private networks (VPN), social engineering, and the use of bitcoin as a means of payment. It is perhaps this last area, the use of bitcoin and the perception of anonymity the agents relied on, that left the clearest trails of their financial movements and wherewithal.
This much is shown in the indictment, which devotes substantial passages to outlining how bitcoin’s public blockchain registry served to trace back $95,000 and the perceived anonymity the perpetrators relied on. While the bitcoin blockchain does provide “identity shelter” in the form of pseudonymous addresses, it is nevertheless a highly traceable transaction registry, much more so than the U.S. dollar for example, which only triggers red flags at large transaction thresholds. These anti-money laundering (AML) and know your customer (KYC) rules in traditional banking also rely on often spotty compliance from a vast global banking network (one that is often culpable), wherein transactional information is stored in a one-sided manner and may typically be accessed only through subpoena. The bitcoin blockchain by contrast is a public ledger, and the movements of capital and their destinations, albeit in hashed digital addresses or wallets, are highly traceable, widely known and visible at a much lower transaction value. In effect, these properties enable law enforcement officials to quickly ring-fence a suspect transaction, set up trip wires and follow a veritable digital crumb trail if bitcoins are liquidated. This much held true in the WannaCry ransomware attack, where despite the vast ransom dragnet, the cyber criminals only absconded with $65,000 worth of bitcoin.
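The "ring-fence, trip wire, crumb trail" approach described above, as an added illustration that is not part of the original article: a breadth-first forward trace over a constructed public ledger, raising an alert whenever funds flowing from a ring-fenced address land at an exchange deposit address (where KYC records, not the chain, would name the owner). All transaction ids, addresses, amounts and the exchange watchlist are invented for the example.

```python
# Added example: forward-tracing tainted funds on a constructed ledger.
# Nothing here is taken from the indictment; all identifiers are invented.
from collections import deque

# Constructed transactions: (txid, input addresses, [(output address, amount)])
LEDGER = [
    ("tx1", ["suspectA"], [("hop1", 0.6), ("suspectA_change", 0.4)]),
    ("tx2", ["hop1"], [("hop2", 0.3), ("hop3", 0.3)]),
    ("tx3", ["hop2"], [("exchange_deposit_X", 0.29)]),
    ("tx4", ["unrelated"], [("hop3", 1.0)]),   # commingling: clean funds join hop3
    ("tx5", ["hop3"], [("exchange_deposit_Y", 1.25)]),
]

# Constructed watchlist: deposit addresses (hypothetically) belonging to
# regulated exchanges. Liquidation through them is the "trip wire".
EXCHANGE_ADDRESSES = {"exchange_deposit_X": "Exchange X",
                      "exchange_deposit_Y": "Exchange Y"}

def trace_forward(ledger, seed, max_hops=10):
    """Follow outputs from `seed` breadth-first.
    Returns (hop count per reached address, list of trip-wire alerts).
    An alert is (txid, address, exchange name, hops from seed)."""
    by_input = {}
    for txid, inputs, outputs in ledger:
        for addr in inputs:
            by_input.setdefault(addr, []).append((txid, outputs))
    hops = {seed: 0}
    alerts = []
    queue = deque([seed])
    while queue:
        addr = queue.popleft()
        if hops[addr] >= max_hops:          # bound the crumb trail
            continue
        for txid, outputs in by_input.get(addr, []):
            for out_addr, _amount in outputs:
                if out_addr in hops:        # already on the trail
                    continue
                hops[out_addr] = hops[addr] + 1
                if out_addr in EXCHANGE_ADDRESSES:
                    alerts.append((txid, out_addr,
                                   EXCHANGE_ADDRESSES[out_addr], hops[out_addr]))
                queue.append(out_addr)
    return hops, alerts
```

Note that hop3 also receives unrelated funds (tx4), so the 1.25 arriving at Exchange Y is only partly tainted; a real investigation layers a taint-apportioning rule on top of this reachability pass.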
While crypto crime fighting clearly taps a new set of forensic and technological approaches, such as Bitfury’s Crystal, the indictment, like the limited haul of the vast WannaCry ransomware attack, which spread to over 150 countries over a weekend affecting thousands of organizations, shows that bitcoin may not be the best economic instrument for criminals. Indeed, if there were a 13th indictment to be filed, it would be the pitiable cyber defenses shielding our electoral processes and candidates irrespective of party. That the Democratic Party and its presidential candidate were taken down with such ease and such completeness should give the U.S. population great pause. That the Administration seems either disinterested or dismissive of these events should be just as worrying.
What this case also shows is that at least one half of cyber risk emanates between the keyboard and the chair. Very sophisticated technologies were arrayed against the Democrats over the span of 9 months in 2016, beginning in March, yet the real treasure trove of ill-gotten data seems to have been obtained using targeted spear phishing techniques, social engineering and spoofing, wherein malicious websites or links masquerade as legitimate exchanges. The so-called X-Agent malware that was installed on campaign and party officials’ devices shows the latency of cyber threats, which can lurk inside a system for many years entirely undetected. In this case the X-Agent tool could be activated to record keystrokes revealing passwords, key contacts and other movements (between the keyboard and the chair), while a screenshot and screen recording feature could capture visual navigation, picking up sensitive financial information, electoral directions, opposition research and other vital points. All of this state-backed intelligence gathering had one aim – to derail Hillary Clinton’s presidential aspirations and to besmirch the Democratic Party.
This targeted campaign cannot be viewed in isolation from the wholesale public social engineering that accompanied it, which leveraged people’s obsessive compulsion with social media to spread misinformation and foment chaos. On this score, foreign actors such as Russia’s Internet Research Agency were just as successful as their counterparts at the Main Intelligence Directorate and its special units 26165 and 74455, which spearheaded the targeted anti-Clinton campaign. Where technology and targeted strikes were the tools of trade of units 26165 and 74455, the broadside fired against the U.S. public by the Internet Research Agency and an army of internet trolls exploited our gullibility to believe that anything on the “trusty” internet is true and our propensity to hide inside our social media echo chambers. The extent of fake accounts recently purged from Twitter, at more than 70 million, which is roughly the size of its U.S. user base and 20% of its monthly active users, along with the Cambridge Analytica and Facebook scandals, reveals the scope of these misinformation campaigns and how they are very much set on autopilot.