Cybersecurity Expert: Proof Russia Behind DNC, Podesta Hacks
Eric Chien, a leading cybersecurity expert at Symantec, discusses the Showtime doc ‘Zero Days,’ how he uncovered the Stuxnet cyberattack on Iran, the election hacks, and much more.
Acclaimed filmmaker Alex Gibney’s latest chronicles the Stuxnet computer virus, a cyberweapon said to be created by the U.S. and Israel that targeted the Natanz nuclear enrichment lab in Iran, decommissioning approximately 1,000 centrifuges and slowing down the country’s nuclear program. Stuxnet was part of Operation Olympic Games—a covert campaign waged by the two countries against Iran’s nuclear facilities that began under President George W. Bush in 2006, and continued under President Barack Obama. Olympic Games “is probably the most significant covert manipulation of the electromagnetic spectrum since World War II, when cryptanalysts broke the Enigma cipher that allowed access to Nazi codes,” wrote The Atlantic.
Zero Days interviews several CIA and NSA employees who claim that Olympic Games was part of a much larger Iranian cyber mission called Nitro Zeus. In the event that Israel launched airstrikes against Iran, the U.S. and Israel allegedly infiltrated Iranian command and control systems so they couldn’t speak to each other in a fight; their IADs, or missile defense systems; power grids; transportation; and financial systems. “We were inside waiting, watching, ready to disrupt, degrade, and destroy those systems with cyberattacks,” the agents say in the film. “We were everywhere inside Iran. Still are.”
One of the computer experts who decoded and analyzed Stuxnet was Eric Chien, a cybersecurity specialist at Symantec whose job, he says, consists of anything from “protected your 16-digit credit card number to protecting things like U.S. critical infrastructure.” His job, more specifically, is to examine all the latest cyberattacks in order to understand how the attackers work, how their programs work, and how to build protections against them.
The Daily Beast spoke to Chien about state-sponsored cyberwarfare, the hacks on the Democratic National Committee and Clinton campaign chief John Podesta, and why we shouldn’t be too worried about hacking on Election Day.
How do you determine attribution in a state-sponsored cyberattack? There seems to be some confusion over this in light of recent events.
Attribution isn’t going to happen from looking at things like the binary code that’s been created. You can get hints from that, but there’s a real big issue with what people call “false flags.” Even if someone writes in their nickname, or a handle, or uses a language operating system, or puts in dates of their working hours, they could be working in the middle of the night to throw you off. From a binary perspective, looking at the samples and how the attacks are conducted, it’s very difficult. The way attribution has to happen is through old-school intelligence. You have spies working in different countries getting information and discovering that countries have conducted different types of activities. You’re not going to see it purely through cyber forensic analysis. The issue has come to the fore in the 2016 U.S. presidential election. The Department of Homeland Security and the Office of the Director of National Intelligence—a combined 17 intelligence agencies—issued a statement saying Russia was behind the election hacking.
It is pretty clear judging by the indicators of compromise [IOCs]. The binaries that were used to hack the DNC as well as Podesta’s email as well as some other Democratic campaign folks, those IOCs match binaries and also infrastructure that was used in attacks that were previously recorded by others as having Russian origin. That much we can confirm. So if you believe other people’s—primarily government’s—attribution that those previous attacks were Russian, then these attacks are definitely connected. We’re talking about the same binaries, the same tools, the same infrastructure. I understand you and your firm have spent significant time analyzing the DNC and Podesta hacks. What groups are responsible, and how did you determine attribution? We’ve analyzed the tools, the binaries, and the infrastructure that was used in the attack, and from that we can confirm that it’s connected to a group that has two names. One is Sofacy, or “Cozy Bear,” and The Dukes, which is also known as “Fancy Bear.” From the binary analysis point of view, I can tell you that the activities of these attackers have been during Russian working hours, either centered on UTC+3 or UTC+4; they don’t work Russian holidays; they work Monday to Friday; there are language identifiers inside that are Russian; when you look at all the victim profiles they would be in interest to the Russian nation-state. So all of that stuff fits the profile. Now, could all those things be false flags? Sure. Other government entities obviously have come out and said it is the Russian state, and the binary forensics would definitely match that.
Can you point to any other attacks conducted by the same groups—Sofacy and The Dukes? There was another attack that happened in the Ukraine. So in December, in the Ukraine, all the power went out to about 260,000 households, or customers. They basically infiltrated the power company, got access to the machines that controlled the power, they flipped the computer switches off and shut down the power, and then they began to wipe all the machines and devices—overriding the hard drives and trashing the machines so that they couldn’t be started up again, or so that the switches couldn’t come on again. Ukrainians were able to get power back after six hours by switching to manual mode. They went off their computer monitor mode and physically flipped the switches to bring the power back up. What’s interesting about that case is the fact that they were more behind technologically actually helped them. Something very similar could easily happen in the U.S. and we’re much more beholden to computing infrastructure here, so our ability to switch to manual mode here would be much more difficult.
Is there linkage between the DNC and Podesta hacks and the 2014 State Department hacks that were also believed to be carried out by Russia?
Yeah, these are being conducted by the same groups. We know that from the IOCs—by looking at the tools they use and the infrastructure they use.
The New York Times recently ran a story that concluded while all signs point to Russia in the DNC and Podesta hacks, the Russians only wished to cause chaos and disrupt the political process in America and not elect Trump. It seems like all the attacks are being carried out against the Democrats and Hillary Clinton, so then how can you reach the conclusion that the Russians aren’t trying to elect Trump?
Many of these attacks were happening prior to the nomination of Trump. Based on that theory, people believe that there was a general plan for disruption, and it may be the case now that the easiest and best way to do so is in the manner you speak, but these attacks did not just start happening post-Trump’s nomination. So in that sense, there is a feeling that it’s not a very Trump-specific activity versus an election disruption activity. This is the easiest way for them to disrupt the election. But they’re trying to disrupt the election of Hillary Clinton, no? Are the Republicans also being targeted? Well, the Republicans aren’t being targeted in a public way where their emails are being leaked. We haven’t seen that yet. But to say that the Republican campaigners or people haven’t had their machines infiltrated or documents stolen or things like that—that we don’t know. But I think it’s pretty reasonable to imagine that attempts are being made for that to happen as well. This just might be the easiest way—or the strategy—for the people that want to disrupt the election to do so.
Should the American people be worried about voting machines being hacked on Election Day? If the race were literally a one vote difference, then the country would need to be worried. But the spread is large enough and spread amongst the country enough that it would require quite a conspiracy for it to be conducted. Can an election machine be hacked? Sure. But that’s a very isolated view. You have to remember that, in many of these jurisdictions, they have policy procedures like bringing out the tapes, having two people review them, etc. Those checks and balances make it much more difficult to do. You see a lot of news that election machines can be hacked, and that’s absolutely the case, but there are procedural checks and balances that make it very difficult from succeeding.
Let’s talk about the Stuxnet worm—the U.S./Israeli cyberattack against the Natanz nuclear enrichment facility in Iran. How did you come across it?
Within the security industry we share telemetry and information about all the attacks that we’re seeing with each other. At any individual company we don’t have full visibility over the entire world, but collectively we sort of do. What happened was there was a company in Belarus that found this on one of their customer’s machines. All they knew was it was causing weird reboots and it had some exploit inside of it—some piece of code that was allowing it to spread all by itself. That fact that it had an exploit inside of it already raised the alarms since the number of threats we have that use these kinds of exploits are few and far between. So he shared it out to the rest of the security industry because he didn’t know what it was.
We began to look at it and what’s interesting is, in general, your average threat we look at usually takes us about 20 minutes max to analyze, and then we ship out protection for it. So just to give you a sense of the difference that Stuxnet was, it took us three months-plus to understand all of its code, and it was 20 times the size of the average piece of code that we look at. Over those three months, we began to discover bits and pieces more and more until we got to the very end and realized this was attacking Iran’s nuclear enrichment program.
And Stuxnet had four zero-day switches—an extraordinarily large number for a worm. Can you discuss what a zero-day exploit is, and why it’s so dangerous?
In all of 2012, we had 12 Microsoft zero-days, and four of those 12 were all inside of Stuxnet. We get millions of these threats every single day, and the vast majority of these don’t have any zero-days inside of them at all—and Stuxnet had four. What a zero-day exploit does is it allows a threat to spread from one computer system to another without you doing anything. The computer just has to be on and operating. Most threats that you see out there, you have to do something—go to a webpage, download a file, open a file, open an email. It requires some action on your behalf. But when you have a zero-day exploit, there’s some bug in some software in the computer—some thing that isn’t coded correctly—and the threat takes advantage of that to get on your computer and then jump to another computer without you having to do anything. The “zero-day” terminology means it’s unknown to anyone else. There’s no patch available for it and no way to protect yourself from it because the attackers have discovered it and are using it, but the vendors of the software don’t know about it and can’t patch that hole that allows it to operate.
And Zero Days puts forth that Stuxnet was allegedly part of a larger cyberattack plan code-named Nitro Zeus, wherein the U.S. infiltrated the entire Iranian infrastructure, from its missile defense systems to financial markets—or, as the NSA and CIA agents say in the film: “a full-scale cyberwar with no attribution.” It sounds terrifying.
What’s even more worrisome is that since the time the film was made, we’ve seen multiple campaigns from potentially multiple different state actors all doing very similar things—basically placing their implants, their malicious code, in key places in the infrastructure of different countries. Just waiting. So potentially some political event happens and then they can literally flip the switch, and through some cyberattack bring down critical infrastructure. So it’s not just reserved to something like Iran’s infrastructure being infected this way. We saw very similar things happening both in Western Europe and in the U.S. with potential state actors trying to infect critical infrastructure. This continues to go on, and since the time of Stuxnet we’ve seen a hundred different attack campaigns from all kinds of different potential state actors, both small and big. We are already in a state where the countries now know this is going on, look at it, and say, OK, we need to have our own offensive campaign. And the cost to do so is much, much lower than creating a nuclear bomb or other conventional types of warfare.”