02:50 PM
Connect Directly

Obama: US Will Retaliate Against Russian Cyberattacks In Proportional Manner

US action will include both covert and explicit response, President says. Meanwhile, a Russian-speaking hacker was discovered behind a data breach of the US Election Assistance Commission (EAC).

With just weeks left before he leaves office, President Obama Friday vowed to take action against Russia for attempting to interfere with the US election process by having hackers break into Democratic Party systems and leak data that proved detrimental to the Clinton campaign.

In an interview with NPR that aired Friday, Obama said there should be no doubt about the need for forceful action when any foreign government tries to impact the integrity of the US election system. "We need to take action, and we will at a time and place of our own choosing," President Obama said.

Obama did not elaborate on what actions are under consideration, but noted that "some of it may be explicit and publicized, and some of it may not be."

Obama said the US realizes that foreign intelligence agencies - including those belonging to foreign allies - will use cyberattacks to gather information on the inner workings of other countries. "There is a difference between that and activating intelligence in a way that is designed to influence elections. We have been working hard to make sure that what we do is proportion; that what we do is meaningful," Obama said.

The President’s threat of action drew a sharp and immediate rebuke from the Kremlin's spokesman, who demanded that the US either show proof of Russian government involvement in the cyberattacks or stop talking about it, The New York Times reported.

Nathan Wenzler, principal security architect ASTech Consulting, says there are two likely scenarios for a US response. One, the US could launch covert retaliatory strikes at Russian targets to demonstrate that it is capable of the same level of sophisticated cyberattacks as the Russians. But the long-term merits of such a strategy are dubious, he says.

"While this may satisfy a more primal need for direct retaliation, in today's cybersecurity space, this will most likely only cause a series of tit-for-tat attacks back and forth, escalating with each volley," he says, "It's typically a no-win scenario, despite the more immediate reward of getting back at the aggressor."

The second option is to impose sanctions and other forms of political restrictions on Russia and get US allies to do the same, he says.

Hackers broke into systems belonging to the Democratic National Committee (DNC) earlier this year and stole 19,000 emails, which they later leaked on whistleblower website Wikileaks. Many believe the contents of the emails damaged the Clinton campaign and caused it to lose momentum in the critical months leading up to the presidential elections.

The FBI and US intelligence agencies have blamed Russia for the intrusions. They have described the attacks as an attempt by people at the highest levels of the Russian government to influence the outcome of the US election. President-elect Trump himself has dismissed the US intelligence community’s conclusions as being politically motivated and insisted that there is no proof of any Russian government involvement, despite all the claims to the contrary.

Russian 'Rasputin'

Meanwhile, in a separate but related development, threat intelligence firm Recorded Future late yesterday said its investigation of chatter related to a suspected breach of the US Election Assistance Commission (EAC) shows that a Russian-speaking hacker is involved.

Recorded Future identified the hacker—whom it has named as Rasputin—as being involved in an attempt to sell access credentials to the EAC database to interested buyers. The researchers there said they have also seen Rasputin attempt to sell access to zero-day vulnerability on the EAC system to a buyer believed to be working on behalf of a Middle Eastern government.

Rasputin appears to have stolen more than 100 access credentials, including many that provide highest-level administrative privileges on the EAC systems. The admin accounts can be used to plant malware or modify the EAC site, Recorded Future warned. It is unclear how long the vulnerability that Rasputin attempted to sell has remained unpatched.

According to Recorded Future, its analysis of Rasputin's activities suggests the hacker is acting alone.

Related Content:



Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Moderator
12/18/2016 | 2:31:13 AM
Re: Cryptolocker 2016
We have already heard this "bla-bla-bla" in October, 2016 from another White House official. What is the time and place? North Pole in 2050?
User Rank: Apprentice
12/17/2016 | 1:46:20 PM
Observations on content of article
Thanks for posting the article Jai. Have some comments, observations, and questions of some items. First, I reviewed recently the blog of Dmitri Alpervitch about the findings and analysis of their work for the DNC, the gist of which was the detection by the CrowdStrike forensics team of obvious signs that the cyber-attacktics amd operational signature indicated the incursions and activities were attributable to CozyBear and FancyBear:

[from the blog titled

Bears in the Midst: Intrusion into the Democratic National Committee

"immediately identified two sophisticated adversaries on the network – COZY BEAR and FANCY BEAR. We've had lots of experience with both of these actors attempting to target our customers in the past and know them well."

I have not looked at any of the forensic evidence collected and analyzed by CrowdStrike, so my next few comments are obviously speculation. That being said, I would point out that since CrowdStrike has knowledge of the operational signatures of Cozy and Fancy, other cyber intelligence and even cyber-threat agents as or even more sophisticated then the CrowdStrike team would obviously also know these "operational signatures". And with that knowledge, other sophisticated cyber threat agents would be able to and likely would emulate these operational signatures as part of the offensive attacktic of false attribution to cover tracks. CrowdStrike does indicate that one of the operational tactic signatures they detected was the use of metamorphic actions, but even that attacktic can be sufficiently randomized to approximate the CozyBear / FancyBear signiature.

My main point here is that there really is no way to rule out the distinct possibility that either a different threat actor had penetrated and potentially took total super-user control over the DNC, DCCC, and Podesta e-mail systems or perhaps even multiple sophisticated threat actors were traversing in and out of those systems. As a professional cyber expert involved in work on critical infrastructures, I would have preferred that CrowdStrike and Dmitri had rendered their reports using the specification of probablities of occurence which is really all that CrowdStrike or any other credible incident response / forensics team should be including in both their reports and public statements (like the recent interview that Dmitri had with Wolf Blitzer and als NPR).

On your discussion about the reports from Recorded Future about the incursions and leaks of US EAC database access credentials, I am concerned that the system administrators of the EAC infrastructure did not utilize best practice implementations of security controls to have those database access credentials deployed using data-at-rest encryption with salted hashes and also deployed in the relatively common deployment of Active Directory or LDAP. The poor implementation of readily available NIST 800-53 or ISO 2700x series security contols is actually the largest vector to all of these incursions - DNC, DCCC, Podesta, and US EAC.

Looking forward to your thoughts on these factors.
Register for Dark Reading Newsletters
White Papers
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.