https://www.politico.com/news/2020/10/06/trump-russia-ratcliffe-426868 Trump rewrites the Russia probe from the hospital The president declassified intelligence documents meant to implicate Clinton in 2016 meddling, but officials say they're misleading. Trump authorized the declassification and release of documents this week based on intelligence that even his own advisers warn could be Russian disinformation, in what his allies have signaled is aimed at sowing doubt at the intelligence community’s conclusion that the meddling in the 2016 campaign came at the Kremlin’s direction — and was intended to boost his candidacy. Some of those documents were released on Tuesday afternoon, including heavily redacted notes from former CIA Director John Brennan following a briefing with then-President Barack Obama. The notes describe intelligence reports that were drawn from Russian operatives, summaries of which Director of National Intelligence John Ratcliffe declassified last week. Republicans and Democrats had previously rejected this Russian chatter as likely disinformation intended to deflect from Moscow’s own hacking operation targeting the Democratic National Committee. And Clinton herself was publicly making the case at the time that Trump was inviting Russian interference. Nick Merrill, a spokesman for Clinton, said last week that the documents were “baseless bullshit.”
https://www.businessinsider.com/chr...r-fraud-claims-russian-disinformation-2020-12 Trump's fired election-security chief compared the president's false claims about voter fraud to Russian disinformation Former US election-security chief Chris Krebs has compared President Donald Trump's baseless claims of a rigged election to disinformation spread by hostile foreign powers to undermine US democracy. "One of the questions we asked: 'What would we do if the Russians were doing this?'" Krebs told Axios of how he responded to Trump's groundless claims while working as the head of the Cybersecurity and Infrastructure Security Agency. Trump fired Krebs on November 18 after Krebs dismissed the president's allegations of voter fraud and said that the 2020 election was the most secure in US history. Chris Krebs, the former top US election-security official, has compared President Donald Trump's baseless claims of voter fraud to Russian disinformation designed to corrode faith in US democracy. In an interview with Axios, Krebs was asked for his view on Trump, who on November 18 fired him from his position as Director of the Cybersecurity and Infrastructure Security Agency in the Department of Homeland Security. Krebs had rebutted the president's claim that the result of the 2020 election was tainted by widespread ballot fraud. "The caller was inside the house," Krebs told Axios' Jonathan Swan. "The president is a big part of the disinformation that's coming out there about the rigged election, but there are absolutely others." He went on to describe how he coped with Trump's attempts to undermine faith in the integrity of the election while he was still working for the administration: "One of the questions we asked: 'What would we do if the Russians were doing this?'" "The oath that we pledged coming into office as a federal official is that you uphold and defend the Constitution from threats foreign and domestic. 
We upheld our oath, carried it out." When asked by Swan if Trump is a domestic threat, Krebs replied: "There is disinformation that he is spreading. I mean, disinformation is one type of threat." Since being fired, Krebs has continued to debunk Trump's assertions that the election was rigged — claims for which neither the president nor his legal team have produced convincing evidence. Krebs' criticisms of the president have led to a violent backlash and threats from Trump supporters, and Trump campaign attorney Joe DiGenova faced widespread condemnation last week after telling a radio show that Krebs should be shot.
https://www.washingtonpost.com/nati...a53b88-3d7d-11eb-9453-fc36ba051781_story.html Russian government spies are behind a broad hacking campaign that has breached U.S. agencies and a top cyber firm The Russian government hackers who breached a top cybersecurity firm are behind a global espionage campaign that also compromised the Treasury and Commerce departments and other U.S. government agencies, according to people familiar with the matter. The FBI is investigating the campaign by a hacking group working for the Russian foreign intelligence service, SVR. The breaches have been taking place for months and may amount to an operation as long-running and significant as one that occurred in 2014-2015. The group, known among private-sector security firms as APT29 or Cozy Bear, also hacked the State Department and the White House during the Obama administration. All of the organizations were breached through a network management system called SolarWinds, according to three people familiar with the matter, who spoke on condition of anonymity because of the issue’s sensitivity. SolarWinds could not immediately be reached for comment. It is not clear what information was accessed from the government agencies. Reuters first reported the hacks of the Treasury and Commerce agencies Sunday, saying they were carried out by a foreign government-backed group. The SVR link to the broader campaign is previously unreported. The matter was so serious it prompted an emergency National Security Council meeting on Saturday, Reuters reported. “The United States government is aware of these reports and we are taking all necessary steps to identify and remedy any possible issues related to this situation,” said NSC spokesman John Ullyot. He would not comment on the country or group responsible. APT29 has also been linked to attempts to steal coronavirus vaccine research. 
The Washington Post reported last week that the Russian hacking group, APT29, breached the cybersecurity firm, FireEye, according to three people familiar with the matter. At Commerce, the Russians targeted the National Telecommunications and Information Administration, an agency that handles internet and telecommunications policy, Reuters reported. The campaign is said to be quite broad, encompassing an array of targets, including government agencies in the United States and other countries. It has been running for months, one person said. In 2015, the same group compromised the servers of the Democratic National Committee. But unlike a rival Russian spy agency, which also hacked the DNC, it did not leak stolen material. In 2016, the GRU military spy agency leaked hacked emails to the online anti-secrecy organization WikiLeaks in an operation that disrupted the Democrats’ national convention in the midst of the presidential campaign. The SVR, by contrast, hacks for traditional espionage purposes, stealing information that might help the Kremlin understand the plans and motives of politicians and policymakers. Its operators also have filched industrial secrets, hacked foreign ministries and gone after coronavirus vaccine data.
https://www.dw.com/en/navalny-poisoning-russia-made-second-assassination-attempt-report/a-55921189 Navalny poisoning: Russia made second assassination attempt — report Russian agents carried out a second assassination attempt on Kremlin critic Alexei Navalny before he was flown to Berlin, a British newspaper has alleged. Moscow has repeatedly denied any involvement in the attacks. The Kremlin tried to poison outspoken Russian opposition figure Alexei Navalny a second time after the first attempt failed, The Times newspaper has alleged. A second dose of poison was allegedly given to Navalny before he was flown to Berlin for further treatment, western intelligence sources told the British newspaper on Saturday. The anti-corruption activist fell ill on a flight from Siberia to Moscow after having been poisoned with the Novichok nerve agent. The pilot of the plane made an emergency landing in the city of Omsk, allowing an ambulance crew to administer atropine, an antidote for the poison, to him. Twice saved from a deadly attack It is believed that the antidote may have also prevented the success of the second assassination attempt
https://www.nytimes.com/2020/12/13/us/politics/russian-hackers-us-government-treasury-commerce.html Russian Hackers Broke Into Federal Agencies, U.S. Officials Suspect In one of the most sophisticated and perhaps largest hacks in more than five years, email systems were breached at the Treasury and Commerce Departments. Other breaches are under investigation. The Trump administration acknowledged on Sunday that hackers acting on behalf of a foreign government — almost certainly a Russian intelligence agency, according to federal and private experts — broke into a range of key government networks, including in the Treasury and Commerce Departments, and had free access to their email systems. Officials said a hunt was on to determine if other parts of the government had been affected by what looked to be one of the most sophisticated, and perhaps among the largest, attacks on federal systems in the past five years. Several said national security-related agencies were also targeted, though it was not clear whether the systems contained highly classified material. The Trump administration said little in public about the hack, which suggested that while the government was worried about Russian intervention in the 2020 election, key agencies working for the administration — and unrelated to the election — were actually the subject of a sophisticated attack that they were unaware of until recent weeks. “The United States government is aware of these reports, and we are taking all necessary steps to identify and remedy any possible issues related to this situation,” John Ullyot, a spokesman for the National Security Council, said in a statement. The Department of Homeland Security’s cybersecurity agency, whose leader was fired by President Trump last month for declaring that there had been no widespread election fraud, said in a statement that it had been called in as well. The Commerce Department acknowledged that one of its agencies had been affected, without naming it. 
But it appeared to be the National Telecommunications and Information Administration, which helps determine policy for internet-related issues, including setting standards and blocking imports and exports of technology that is considered a national security risk. The motive for the attack on the agency and the Treasury Department remains elusive, two people familiar with the matter said. One government official said it was too soon to tell how damaging the attacks were and how much material was lost, but according to several corporate officials, the attacks had been underway as early as this spring, meaning they continued undetected through months of the pandemic and the election season. News of the breach, reported earlier by Reuters, came less than a week after the National Security Agency, which is responsible for breaking into foreign computer networks and defending the most sensitive U.S. national security systems, issued a warning that “Russian state-sponsored actors” were exploiting flaws in a system broadly used in the federal government. At the time, the N.S.A. refused to give further details of what had prompted the urgent warning. Shortly afterward, FireEye, a leading cybersecurity firm, announced that hackers working for a state had stolen some of its prized tools for finding vulnerabilities in its clients’ systems — including the federal government’s. That investigation also pointed toward the S.V.R., one of Russia’s leading intelligence agencies. It is often called Cozy Bear or A.P.T. 29, and it is known as a traditional collector of intelligence. FireEye’s clients, including the Department of Homeland Security and intelligence agencies, hire the firm to conduct ingenious but benign hacks of their systems using the company’s large database of techniques it has seen around the world. Its “red team” tools — essentially imitating a real hacker — are used to plug security holes in networks. 
So the hackers who stole FireEye’s tools have added to their arsenal. But it appears that FireEye was hardly their only victim. The global campaign, investigators now believe, involved the hackers inserting their code into periodic updates of software used to manage networks by a company called SolarWinds. Its products are widely used in corporate and federal networks, and the malware was carefully minimized to avoid detection. The company, based in Austin, Texas, says it has more than 300,000 customers, including most of the nation’s Fortune 500 firms. But it is unclear how many of those use the Orion platform that the Russian hackers invaded, or whether they were all targets. If the Russia connection is confirmed, it will be the most sophisticated known theft of American government data by Moscow since a two-year spree in 2014 and 2015, in which Russian intelligence agencies gained access to the unclassified email systems at the White House, the State Department and the Joint Chiefs of Staff. It took years to undo the damage, but President Barack Obama decided at the time not to name the Russians as the perpetrators — a move that many in his administration now regard as a mistake. Emboldened, the same group of hackers went on to invade the systems of the Democratic National Committee and top officials in Hillary Clinton’s campaign, touching off investigations and fears that permeated both the 2016 and 2020 contests. Another, more disruptive Russian intelligence agency, the G.R.U., is believed to be responsible for then making public the hacked emails at the D.N.C. “There appear to be many victims of this campaign, in government as well as the private sector,” said Dmitri Alperovitch, the chairman of Silverado Policy Accelerator, a geopolitical think tank, who was the co-founder of CrowdStrike, a cybersecurity firm that helped find the Russians in the Democratic National Committee systems four years ago. 
“Not unlike what we had seen in 2014-2015 from this actor, when they ran a massive campaign and successfully compromised numerous victims.” Russia has been one of several countries that have also been hacking American research institutions and pharmaceutical companies. This summer, Symantec Corporation warned that a Russian ransomware group was exploiting the sudden change in American work habits because of the pandemic and was injecting code into corporate networks with a speed and breadth not previously seen. According to private-sector investigators, the attacks on FireEye led to a broader hunt to discover where else the Russian hackers might have been able to infiltrate both federal and private networks. FireEye provided some key pieces of computer code to the N.S.A. and to Microsoft, officials said, which went hunting for similar attacks on federal systems. That led to the emergency warning last week. Most hacks involve stealing user names and passwords, but this was far more sophisticated. Once they were in the SolarWinds network management software, the Russians, investigators said, were able to insert counterfeit “tokens,” essentially electronic indicators that provide an assurance to Microsoft, Google or other providers about the identity of the computer system its email systems are talking to. By using a flaw that is extraordinarily difficult to detect, the hackers were able to trick the system and gain access, undetected. It is unclear exactly what they extracted; the situation is reminiscent of the Chinese hack of the Office of Personnel Management, which went on for a year in 2014 and 2015, with the loss eventually tallied at more than 22 million security-clearance files and more than five million fingerprints. That turned out to be part of a much broader data-gathering effort by Beijing, which involved theft from the Starwood Hotels division of Marriott, the Anthem insurance database and Equifax, the credit reporting agency. 
The history of Russian theft of critical data from the United States government stretches more than two decades and resulted in the creation of United States Cyber Command, the Pentagon’s quickly expanding cyberwarfare force. As early as the mid-1990s, the F.B.I. was called in for an investigation into networks that included Los Alamos and Sandia National Laboratories, which work on nuclear weapons design, among other issues. In the minds of some experts, that Russian operation, soon called Moonlight Maze, never really ended. “The activity described by the name — Russian cyberoperations against a wide variety of American targets — continues to this day,” Ben Buchanan, now at Georgetown University, and Michael Sulmeyer, now a senior adviser at Cyber Command, wrote for the Carnegie Endowment for International Peace in 2016.
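The "counterfeit tokens" the Times article describes are federation sign-on assertions forged with a signing key taken from the victim's identity provider; because the signature is genuine, the relying service accepts them. What follows is an added example, not code from the article or from any vendor it names: a deliberately simplified token model (an HMAC-signed JSON body standing in for a signed SAML assertion, with a constructed key, constructed accounts and constructed log records) that shows why signature verification alone cannot catch such a token, and a detection that correlates the tokens a service accepted with the identity provider's own issuance log, flagging any token with no issuance event behind it or with a validity window longer than policy allows. The one-hour validity limit is an assumed policy value, not a figure from the article.

```python
"""Simplified model of federated sign-on tokens, plus a log-correlation
detection for tokens forged with a stolen identity-provider signing key.

Added example with constructed data: the 'assertion' here is an HMAC-signed
JSON body standing in for a signed SAML assertion, not a real SAML document.
"""
import base64
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the identity provider's token-signing key. In the
# scenario described, the attacker has obtained a copy of this key.
IDP_KEY = b"constructed-idp-signing-key"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_assertion(signing_key: bytes, claims: dict) -> str:
    """Serialise the claims and sign them: <body>.<tag>."""
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(signing_key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def verify_assertion(signing_key: bytes, token: str):
    """Return the claims if the signature is valid, else None.

    A token forged with the genuine key passes this check: the signature is
    real, so cryptographic verification alone cannot detect the forgery.
    """
    body_b64, tag_b64 = token.split(".", 1)
    body = _unb64(body_b64)
    expected = hmac.new(signing_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(tag_b64)):
        return None
    return json.loads(body)


def find_suspicious(idp_issuance_log, sp_acceptance_log,
                    max_validity=timedelta(hours=1)):
    """Flag tokens the service accepted that the IdP never issued, or whose
    validity window exceeds policy. Returns [(sp_event_id, reason), ...].

    max_validity is an assumed policy threshold, not taken from the article.
    """
    issued = {(e["assertion_id"], e["subject"]) for e in idp_issuance_log}
    flagged = []
    for event in sp_acceptance_log:
        claims = verify_assertion(IDP_KEY, event["token"])
        if claims is None:
            flagged.append((event["sp_event_id"], "invalid signature"))
            continue
        reasons = []
        if (claims["assertion_id"], claims["subject"]) not in issued:
            reasons.append("no matching IdP issuance event")
        validity = (datetime.fromisoformat(claims["not_on_or_after"])
                    - datetime.fromisoformat(claims["issue_instant"]))
        if validity > max_validity:
            reasons.append(f"validity {validity} exceeds policy")
        if reasons:
            flagged.append((event["sp_event_id"], "; ".join(reasons)))
    return flagged


def build_sample_logs():
    """Constructed sample: one legitimate sign-on, one forged assertion."""
    t0 = datetime(2020, 12, 1, 9, 0, tzinfo=timezone.utc)
    legit = {"assertion_id": "_a1", "subject": "alice@example.org",
             "issue_instant": t0.isoformat(),
             "not_on_or_after": (t0 + timedelta(minutes=5)).isoformat()}
    # Forged by the attacker with the stolen key: it never passed through the
    # IdP's logon flow, so the IdP has no record of it, and it is valid for a year.
    forged = {"assertion_id": "_zz9", "subject": "mailbox-admin@example.org",
              "issue_instant": t0.isoformat(),
              "not_on_or_after": (t0 + timedelta(days=365)).isoformat()}
    idp_log = [{"assertion_id": "_a1", "subject": "alice@example.org"}]
    sp_log = [{"sp_event_id": 1, "token": sign_assertion(IDP_KEY, legit)},
              {"sp_event_id": 2, "token": sign_assertion(IDP_KEY, forged)}]
    return idp_log, sp_log


def demo():
    idp_log, sp_log = build_sample_logs()
    return find_suspicious(idp_log, sp_log)


if __name__ == "__main__":
    for event_id, reason in demo():
        print(f"SP event {event_id}: {reason}")
```

The detection only works if both sides of the federation keep records: the identity provider must log every assertion it issues (ID and subject), and the relying service must log every assertion it accepts, so that the two can be joined. A forged token shows up as an acceptance with no issuance behind it; the long lifetime is a second, independent signal, since an attacker who mints tokens offline has no reason to respect the provider's normal session length.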
https://www.nytimes.com/2020/12/16/opinion/fireeye-solarwinds-russia-hack.html I Was the Homeland Security Adviser to Trump. We’re Being Hacked. The magnitude of this national security breach is hard to overstate. At the worst possible time, when the United States is at its most vulnerable — during a presidential transition and a devastating public health crisis — the networks of the federal government and much of corporate America are compromised by a foreign nation. We need to understand the scale and significance of what is happening. Last week, the cybersecurity firm FireEye said it had been hacked and that its clients, which include the United States government, had been placed at risk. This week, we learned that SolarWinds, a publicly traded company that provides software to tens of thousands of government and corporate customers, was also hacked. The attackers gained access to SolarWinds software before updates of that software were made available to its customers. Unsuspecting customers then downloaded a corrupted version of the software, which included a hidden back door that gave hackers access to the victim’s network. This is what is called a supply-chain attack, meaning the pathway into the target networks relies on access to a supplier. Supply-chain attacks require significant resources and sometimes years to execute. They are almost always the product of a nation-state. Evidence in the SolarWinds attack points to the Russian intelligence agency known as the S.V.R., whose tradecraft is among the most advanced in the world. According to SolarWinds S.E.C. filings, the malware was on the software from March to June. The number of organizations that downloaded the corrupted update could be as many as 18,000, which includes most federal government unclassified networks and more than 425 Fortune 500 companies. The magnitude of this ongoing attack is hard to overstate. 
The Russians have had access to a considerable number of important and sensitive networks for six to nine months. The Russian S.V.R. will surely have used its access to further exploit and gain administrative control over the networks it considered priority targets. For those targets, the hackers will have long ago moved past their entry point, covered their tracks and gained what experts call “persistent access,” meaning the ability to infiltrate and control networks in a way that is hard to detect or remove. While the Russians did not have the time to gain complete control over every network they hacked, they most certainly did gain it over hundreds of them. It will take years to know for certain which networks the Russians control and which ones they just occupy. The logical conclusion is that we must act as if the Russian government has control of all the networks it has penetrated. But it is unclear what the Russians intend to do next. The access the Russians now enjoy could be used for far more than simply spying. The actual and perceived control of so many important networks could easily be used to undermine public and consumer trust in data, written communications and services. In the networks that the Russians control, they have the power to destroy or alter data, and impersonate legitimate people. Domestic and geopolitical tensions could escalate quite easily if they use their access for malign influence and misinformation — both hallmarks of Russian behavior. What should be done? On Dec. 13, the Cybersecurity and Infrastructure Security Agency, a division of the Department of Homeland Security — itself a victim — issued an emergency directive ordering federal civilian agencies to remove SolarWinds software from their networks. The removal is aimed at stopping the bleeding. Unfortunately, the move is sadly insufficient and woefully too late. The damage is already done and the computer networks are already compromised. It also is impractical. 
In 2017, the federal government was ordered to remove from its networks software from a Russian company, Kaspersky Lab, that was deemed too risky. It took over a year to get it off the networks. Even if we double that pace with SolarWinds software, and even if it wasn’t already too late, the situation would remain dire for a long time. The remediation effort alone will be staggering. It will require the segregated replacement of entire enclaves of computers, network hardware and servers across vast federal and corporate networks. Somehow, the nation’s sensitive networks have to remain operational despite unknown levels of Russian access and control. A “do over” is mandatory and entire new networks need to be built — and isolated from compromised networks. Cyber threat hunters that are stealthier than the Russians must be unleashed on these networks to look for the hidden, persistent access controls. These information security professionals actively search for, isolate and remove advanced, malicious code that evades automated safeguards. This will be difficult work as the Russians will be watching every move on the inside. The National Defense Authorization Act, which each year provides the Defense Department and other agencies the authority to perform their work, is caught up in partisan wrangling. Among other important provisions, the act would authorize the Department of Homeland Security to perform network hunting in federal networks. If it wasn’t already, it is now a must-sign piece of legislation, and it will not be the last congressional action needed before this is resolved. Network operators also must take immediate steps to more carefully inspect their internet traffic to detect and neutralize unexplained anomalies and obvious remote commands from hackers before the traffic enters or leaves their network. The response must be broader than patching networks. 
While all indicators point to the Russian government, the United States, and ideally its allies, must publicly and formally attribute responsibility for these hacks. If it is Russia, President Trump must make it clear to Vladimir Putin that these actions are unacceptable. The U.S. military and intelligence community must be placed on increased alert; all elements of national power must be placed on the table. While we must reserve our right to unilateral self-defense, allies must be rallied to the cause. The importance of coalitions will be especially important to punishing Russia and navigating this crisis without uncontrolled escalation. President Trump is on the verge of leaving behind a federal government, and perhaps a large number of major industries, compromised by the Russian government. He must use whatever leverage he can muster to protect the United States and severely punish the Russians. President-elect Joe Biden must begin his planning to take charge of this crisis. He has to assume that communications about this matter are being read by Russia, and assume that any government data or email could be falsified. At this moment, the two teams must find a way to cooperate. President Trump must get past his grievances about the election and govern for the remainder of his term. This moment requires unity, purpose and discipline. An intrusion so brazen and of this size and scope cannot be tolerated by any sovereign nation. We are sick, distracted, and now under cyberattack. Leadership is essential.
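Both the Times report above and this op-ed describe the entry vector as a trojanized update: code inserted into the vendor's software before it was released, then pulled down by customers as a routine update. The following is an added example, not SolarWinds' code and not taken from either piece, with every file and hash constructed in a temporary directory. It shows the manifest-based integrity check an installer or a threat hunter can run over an update package: each file's SHA-256 is compared against a manifest of expected hashes, and modified, missing and unexpected files are reported.

```python
"""Manifest-based integrity check for a downloaded software update.

Added example with constructed files in a temporary directory; not SolarWinds'
code and not taken from the article or the op-ed.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative, '/'-separated) to its SHA-256.

    A release process publishes this out of band; here it is computed from a
    clean tree that stands in for an independent build of the same release.
    """
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_against_manifest(root: Path, manifest: dict) -> list:
    """Compare an update tree with the manifest.

    Returns sorted (kind, path) findings: 'modified' for a hash mismatch,
    'missing' for a listed file that is absent, 'unexpected' for a file the
    manifest never listed (a dropped implant looks like this).
    """
    actual = build_manifest(root)
    findings = []
    for rel, expected in manifest.items():
        if rel not in actual:
            findings.append(("missing", rel))
        elif actual[rel] != expected:
            findings.append(("modified", rel))
    for rel in actual:
        if rel not in manifest:
            findings.append(("unexpected", rel))
    return sorted(findings)


def _write(root: Path, rel: str, data: bytes) -> None:
    target = root / rel
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)


def demo():
    """Constructed scenario: a clean release tree and a tampered download.

    Returns (findings for the tampered tree, findings for the clean tree).
    """
    release = {"bin/agent.dll": b"agent build 2020.2 (constructed)",
               "bin/core.dll": b"core library (constructed)",
               "README.txt": b"release notes (constructed)"}
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp) / "clean"
        download = Path(tmp) / "download"
        for rel, data in release.items():
            _write(clean, rel, data)
            _write(download, rel, data)
        manifest = build_manifest(clean)
        # Alter the downloaded copy the way a trojanized update differs from
        # the genuine release: one library changed, one extra component
        # added, one file dropped.
        _write(download, "bin/core.dll",
               release["bin/core.dll"] + b"\x00backdoor stub (constructed)")
        _write(download, "bin/helper.dll", b"dropped implant (constructed)")
        (download / "README.txt").unlink()
        return (verify_against_manifest(download, manifest),
                verify_against_manifest(clean, manifest))


if __name__ == "__main__":
    tampered, clean = demo()
    for kind, rel in tampered:
        print(f"{kind:10} {rel}")
    print("clean tree findings:", clean)
```

The caveat is in the scenario itself. If the same build pipeline that produces the update also produces the manifest and signs both, a backdoor inserted during the build is covered by a perfectly valid manifest and a perfectly valid signature, and this check finds nothing. The manifest has to come from a source the attacker did not control, ideally a reproducible rebuild from audited source, which is what the separate clean tree stands in for here. Run against an installed product after the fact, the same comparison also serves the hunting the op-ed calls for: files the vendor never shipped, or shipped with different contents, are the first thing to pull for analysis.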