A report has outlined fears about the possible interference by nation-state hackers in the run-up to the Brexit vote. The concerns relate to register to vote outage, which took the voter registration website offline just hours before the deadline to register for the EU referendum closed.
The Commons Public Administration and Constitutional Affairs Committee (PACAC) said that MPs were concerned that the outage was no mere IT glitch but instead the work of foreign malicious actors, citing the cyber methods of Russia and China as a case in point.
The report comes at a time of great political tension, in particular between the US and Russia. Developments in Syria have many thinking that we are on the cusp of war, while allegations of election interference have plagued new US President Trump and his government.
Russian hacking up to this point has been focused on its cold war rival, with attacks against The New York Times, the World Anti-Doping Agency, Hillary Clinton and the Democratic National Convention just a few of the organisations supposedly hacked by actors originating from Russia. Then of course, there are the allegations of Russian interference in the US Presidential Election, with Trump saying in a statement before the election:
“While Russia, China, other countries, outside groups and people are consistently trying to break through the cyber infrastructure of our governmental institutions, businesses and organizations including the Democrat National Committee, there was absolutely no effect on the outcome of the election including the fact that there was no tampering whatsoever with voting machines. There were attempts to hack the Republican National Committee, but the RNC had strong hacking defenses and the hackers were unsuccessful.”
It is worth noting at this point that hackers are adept at covering their tracks; intelligence analyst Stephen Gates recently told CBR that when an attack appears to come from Russia, it is often not being performed by Russians at all.
“Instead, hackers understand how to compromise computers in homes, schools, and businesses all over the world. Once they have compromised a computer and are running it remotely, they use that computer instead of their own computer to launch an attack,” Gates said.
That being said, cybercrime is booming in Russia and many in the cyber security industry are confident of asserting that some high-profile attacks have been backed by Russian intelligence agencies. US Intelligence agencies said with ‘high confidence’ that Guccifer 2.0, the name of an individual or group who hacked the Democratic National Committee, was backed by the Russian government – despite statements from the Kremlin denying any involvement.
Security firms such as CrowdStrike, SecureWorks, and FireEye are among those who believe some of the attacks to be perpetrated by a group called APT28. It is speculated that this group, also reported under the names of Fancy Bear, Cosy Bear, Sofacy, and Pawn Storm, is Russian due to cyber activity and information operations that have been observed over a number of years.
“They compile malware samples with Russian language settings during working hours consistent with the time zone of Russia’s major cities. While we don’t have pictures of a building, personas to reveal, or a government agency to name, what we do have is evidence of longstanding, focused operations that indicate a government sponsor – specifically, a government based in Moscow,” said Jens Monrad, Principal Systems Engineer at FireEye.
With the UK such a strong ally of the US and a sizeable world power, it seems logical that the Russian government would have an interest in something as historic as Brexit. The UK government has been vocal in articulating the Russian cyber threat, with Defence Secretary Sir Michael Fallon recently warning of Russian hacking and its threat to British democracy. Fallon warned of Russia ‘weaponising information’ in a bid to destabilise Western democracy and critical infrastructure, saying:
“There is the use of cyber weaponry to disrupt critical infrastructure and disable democratic machinery.”
Fallon may also have forewarned of possible foreign interference in key UK events like Brexit, pointing to European neighbour Germany and noting that the head of the German BfV intelligence agency had warned that the Kremlin is “seeking to influence public opinion and decision-making processes” ahead of this year’s German elections.
Fallon’s Russian fears were echoed by GCHQ in March, with Ciaran Martin, chief executive of GCHQ’s National Cyber Security Centre (NCSC) sending a letter to politicians offering advice on preventing breaches.
“This is not just about the network security of political parties’ own systems. Attacks against our democratic processes go beyond this and can include attacks on parliament, constituency offices, think tanks and pressure groups and individuals’ email accounts,” said the computer security chief.
China is also a possible suspect – but why would they hack the voter registration website?
However, although the political landscape of late has been dominated by Russia in regard to Syria and the US presidential election, it is but one adversary amongst many. Although the evidence is compelling enough to put Russia in the frame for the supposed DDoS attack, the committee report did mention another world power: China.
Mentioned specifically alongside Russia, the Committee’s report said:
“Russia and China use a cognitive approach based on understanding of mass psychology and of how to exploit individuals.
“The implications of this different understanding of cyber-attack, as purely technical or as reaching beyond the digital to influence public opinion, for the interference in elections and referendums are clear.”
China’s military cyber team is known as Unit 61398 and has had notable success in the past hacking government-controlled and defence contractor domains to collect plans, drawings and other information. While a 2015 agreement between then-US President Obama and Chinese President Xi Jinping did see the number of websites targeted by Unit 61398 decrease, it did not stop China’s cyber espionage operations completely. In fact, the US intelligence community told the Senate earlier this year that “Beijing continues to conduct cyber espionage against the U.S. government, our allies and U.S. companies.”
With a rumoured army of hackers numbering in the hundreds of thousands, combined with the resources and financial backing of the government, China certainly is a serious adversary in the cyber world. Earlier this month it was reported that the UK had been targeted by Chinese hackers looking to steal trade secrets.
As part of a global hacking operation, the APT10 hacking group used malware and spear phishing techniques to launch targeted attacks against managed service providers. The MSPs were exploited in order for the hackers to access the systems of big customers. In what was described as “one of the largest ever sustained global cyber espionage campaigns,” the motivation behind the attacks was clearly monetary – but why would China target the voter registration system?
The UK is an ally of the US and, similarly to Russia, China may have been looking to disrupt political relationships and damage the UK on the world stage.
However, there may be a simpler reason as to why the motivations of a Russian or Chinese hacker are hard to pin down – maybe it wasn’t a nation-state hacker who attacked the register to vote site at all.
If you look at the method of attack there is a clear argument for the malicious actor not being state-backed. Most people would assume that the cyber arsenals of the CIA, NSA, GCHQ, MI5 or any big government agency hold the most technologically advanced cyber weapons. Would a nation state really deploy a classic DDoS? Doubting that the voter registration outage was the work of a serious actor like a nation state, Ilia Kolochenko said:
“Governments have enough technical and financial resources to create smart botnets, simulating human behaviour that would be hardly distinguishable from legitimate website visitors,” said the CEO of web security firm, High-Tech Bridge.
“Running a classic DDoS attack is too coarse, and would rather attract unnecessary attention to the external interference, trigger investigations and all other outcomes that smart attackers would avoid at any price.”
The prime suspect is usually the most obvious – so was the register to vote website crash just an IT glitch?
However, there are many in the security industry who dispute the DDoS diagnosis of the register to vote website crash – it must also be noted that the Committee’s report said there was only an indication that the outage was a DDoS attack. The question has to be asked why the government cannot definitively state that the voter registration downtime was caused by a cyber attack. The problem may lie in the fact that it is hard to distinguish a DDoS attack from a surge in legitimate traffic, as AlienVault’s Javvad Malik told CBR:
“It’s quite likely that a sudden huge spike in traffic could be attributed to a DDoS attack as opposed to an increase in demand. At times, it can be difficult to differentiate between the two without having detection controls that can identify the source and type of traffic, or behavioural controls that look at the traffic flow and see whether the flow differs from what would resemble normal behaviour.”
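To illustrate the kind of behavioural control Malik describes, here is an added example (not code from CBR, AlienVault or the register to vote service) that labels each minute of a web-server log as normal, an organic surge or a suspected DDoS, using source concentration and request uniformity rather than volume alone. The log format, the thresholds and the two traffic samples are all constructed assumptions.

```python
import re
from collections import Counter
# Simplified Common Log Format: ip ident user [time] "METHOD path proto" status "user-agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) "([^"]*)"$')

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, _method, path, _status, ua = m.groups()
    return {"ip": ip, "minute": ts[:17], "path": path, "ua": ua}  # minute = "dd/Mon/yyyy:HH:MM"

def window_features(records):
    # Source concentration and request uniformity for one minute of traffic.
    n = len(records)
    ips = Counter(r["ip"] for r in records)
    paths = Counter(r["path"] for r in records)
    uas = Counter(r["ua"] for r in records)
    return {
        "requests": n,
        "top10_source_share": sum(c for _, c in ips.most_common(10)) / n,
        "top_path_share": paths.most_common(1)[0][1] / n,
        "top_ua_share": uas.most_common(1)[0][1] / n,
    }

def classify(f, baseline_rpm, surge_factor=5.0):
    # A spike alone is ambiguous; the shape of the traffic separates demand from a flood.
    if f["requests"] < surge_factor * baseline_rpm:
        return "normal"
    concentrated = f["top10_source_share"] > 0.5  # a handful of sources dominate
    uniform = f["top_path_share"] > 0.9 and f["top_ua_share"] > 0.9  # one URL, one client string
    return "suspected_ddos" if concentrated or uniform else "organic_surge"

def analyze(lines, baseline_rpm):
    # Label each minute in the log as normal, organic_surge or suspected_ddos.
    by_minute = {}
    for line in lines:
        rec = parse(line)
        if rec:
            by_minute.setdefault(rec["minute"], []).append(rec)
    return {m: classify(window_features(rs), baseline_rpm) for m, rs in by_minute.items()}

# Constructed sample traffic (not real logs); thresholds above are illustrative, not tuned.
def make_line(ip, minute, path, ua):
    return f'{ip} - - [{minute}:00 +0100] "GET {path} HTTP/1.1" 200 "{ua}"'
PATHS = ["/register-to-vote", "/register-to-vote/nationality", "/register-to-vote/address", "/assets/app.css"]
UAS = ["Mozilla/5.0 (Windows NT 10.0)", "Mozilla/5.0 (iPhone; CPU iPhone OS 9_3)", "Mozilla/5.0 (X11; Linux x86_64)"]
# Many distinct visitors, varied pages and browsers: what a genuine last-minute rush looks like.
ORGANIC = [make_line(f"203.0.113.{i % 254 + 1}", "01/Jan/2016:22:59", PATHS[i % 4], UAS[i % 3]) for i in range(1500)]
# Same request volume, but a dozen sources hammering one URL with one client string.
FLOOD = [make_line(f"192.0.2.{i % 12 + 1}", "01/Jan/2016:23:00", PATHS[0], "python-requests/2.9") for i in range(1500)]
```

A large botnet spreads its sources widely, so the concentration check alone is not decisive; that is why the uniformity of paths and client strings is checked as well, and why Malik's point stands that without these controls in place beforehand a spike is hard to classify after the fact.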
So the question to ‘who hacked Brexit’ may very well have a simple answer – no one. The current political landscape and concern around a cyber cold war may be fuelling this rhetoric around a supposed DDoS attack when, in reality, the outage was down to underprepared IT systems being overwhelmed with genuine voters.
“The question of whether the online voting site for the EU referendum was subject to a DDoS attack or not is a hard one to answer for anyone outside of the parliamentary arena,” said security researcher Lee Munson.
“On the face of it, a huge surge of visitors was not entirely unexpected, given the emotive nature of the referendum itself, and the quoted visitor numbers are not vastly greater than figures recorded in the past, suggesting no attack took place.”
Looking at the evidence, both Russia and China are viable suspects if the outage was indeed a DDoS attack – both have a rich cyber espionage history and the resources and backing to boot. But questions still remain, chiefly what was their motivation and why use a cheap trick like DDoS?
On the other hand you have the standalone hacker or hacking group which is not state-backed, presumably driven by political and emotive beliefs, who launched an easy-to-use DDoS. However, if it were a DDoS then the government would be able to confirm the attack. All the evidence at this stage points to a mere IT glitch – the website went down because of the IT failings of the government. They were underprepared and slow to act – but maybe this is why MPs are pointing to Russia and China. The mistake on home ground is less easy to explain away in contrast to the villainous foreign hacker.
“There are credible reports that Russia attempted to influence the outcome of votes on Brexit, and national elections across Europe and the US. In one case in Ukraine they even temporarily changed the tallies of the vote so a far-right candidate appeared to have won,” concluded Chris Doman, Security Researcher at AlienVault.
“But so far the MPs comments about the Brexit website being attacked don’t have any supporting evidence – and have been dismissed by the government. If the site had been the subject of an attack, GovCERT would have been well aware.”