Thursday, October 1, 2015

Why the "Russians Hacked Hillary's Email" Story Insults Your Intelligence

Guest post by Paul Henry

I write about computer security for a living, and as a matter of fact, just this week I've been working on a draft of a piece about exactly the kind of operation that targeted Hillary Clinton's email when she was Secretary of State, according to the Associated Press. It's a rare privilege when I have enough native knowledge about a topic to analyze a news story as an expert all by myself, and when the story could well end up playing some part in deciding whether or not we get Donald Trump as president next year, I feel obligated to share what I know so that others can judge the story on its merits as well. But the joke is that even a cursory examination of this "story" reveals that you don't need to be an expert in computer security to do a fair analysis of it—if at any point in your life you've ever used email, you have all the expertise you need.

To get the preliminaries out of the way: yes, the Russians, and probably the Russian government itself, were almost certainly attempting to compromise the Clinton email system. It's called an advanced persistent threat (APT), and it's a cyberwarfare tactic that has traditionally been used by governments to attack or gain intelligence from the computer systems of foreign or domestic adversaries; in recent years, companies and organized crime have started using APT tactics as well. Whereas most hacking and malware activity is opportunistic, with the attacker casting a wide net to compromise whichever computers they can get to, APTs target specific individuals or institutions and attack them persistently over several months or even years in an effort to gain access to their systems.

The attack here was highly typical of APTs, and of Russian cyberattacks specifically. Most people should be at least somewhat aware of phishing, a form of attack which involves sending email that appears to come from a bank or other trusted institution in an effort to fool the recipient into entering his or her username and password into a web page that the attacker controls; thus armed with the victim's login credentials, the attacker can access their bank account and wreak financial havoc on the victim. In this case, the attackers sent five email messages to Clinton over a short period of time that claimed to be from a government agency in New York City, where Clinton lived at the time, and included a copy of what it said was a traffic ticket she had incurred. In reality, the attached file was malware, and would have infected Clinton's computer had she opened it—which she didn't. A phishing-type message customized for the recipient's job, interests, or geographic area is a very common first tactic for APTs, and if it doesn't work (which it usually doesn't) they'll usually try something else.

But here's where the coverage of this story gets into trouble. The AP claims that this event "highlight[s] the risk of Clinton's unsecure email being pried open by foreign intelligence agencies." But as anyone who's ever sent or received an email message knows, anyone can send anything to anyone. There is absolutely no reason to believe that these attackers could not or would not have tried the same thing with an ordinary email address (in fact, there's a good chance they did, as I'll explain in a bit). Given that an ordinary address for Clinton would probably have been easier for an attacker to locate than her unpublished private domain, she actually would probably have received far more such attack attempts at a regular address.

In fact, how did the attackers get their hands on her private domain address in the first place? The address wasn't public, and Clinton mostly used it to correspond with State Department employees, who would not have been handing it out promiscuously to anyone who asked. Now we're getting back to the point where my own knowledge of the subject becomes useful. APT groups typically begin an attack campaign with a recon phase in which they attempt to gather useful information about an institution that will help them successfully target specific individuals for compromise later. One fairly standard modus operandi involves sending phishing messages to many different people in the organization. These messages are very much like the ones you probably receive spoofing banks and other popular online services, but in this case, the attackers are trying to gain access to the recipients' email accounts. Once they can access someone's email, they can find out a lot about the organization, including the email addresses of other people they can go after next. Hop from account to account at the State Department, and eventually the Secretary's address will probably surface. Put it all together and you realize that there's a pretty good chance that the attackers got Clinton's address by compromising the State Department email system. Suddenly a private domain address doesn't look like such a bad idea, does it?

Perhaps sensing this, the AP reporters who "broke" this "story" insist that "most commercial antivirus software at the time would have detected the [malicious attachment] and blocked it"—the implication being that Clinton's setup used half-assed security that let the attachment through when an enterprise AV system would have blocked it. But no, it wouldn't have. If this was in fact an APT attack, the attackers would have been damn sure to craft a custom malware variant exclusively for this attack and tested it against every well-known antivirus product, modifying it here and there and never sending it until they were certain it was fully undetected (FUD). Why does the AP claim that "most commercial antivirus software" would have detected this threat? They don't say.

tl;dr version: I know a lot about this stuff, and what I know tells me that this story is a ridiculous hit piece from top to bottom—but in a larger sense, you didn't need me to tell you that, because if you've ever used email yourself, you already knew it.


1 comment:

  1. Thanks for this contribution! I thought it just meant that Hillary gets spam/scam email just like everyone else.