Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


02:50 PM
Connect Directly

Obama: US Will Retaliate Against Russian Cyberattacks In Proportional Manner

US action will include both covert and explicit response, President says. Meanwhile, a Russian-speaking hacker was discovered behind a data breach of the US Election Assistance Commission (EAC).

With just weeks left before he leaves office, President Obama Friday vowed to take action against Russia for attempting to interfere with the US election process by having hackers break into Democratic Party systems and leak data that proved detrimental to the Clinton campaign.

In an interview with NPR that aired Friday, Obama said there should be no doubt about the need for forceful action when any foreign government tries to impact the integrity of the US election system. "We need to take action, and we will at a time and place of our own choosing," President Obama said.

Obama did not elaborate on what actions are under consideration, but noted that "some of it may be explicit and publicized, and some of it may not be."

Obama said the US realizes that foreign intelligence agencies - including those belonging to foreign allies - will use cyberattacks to gather information on the inner workings of other countries. "There is a difference between that and activating intelligence in a way that is designed to influence elections. We have been working hard to make sure that what we do is proportion; that what we do is meaningful," Obama said.

The President’s threat of action drew a sharp and immediate rebuke from the Kremlin's spokesman, who demanded that the US either show proof of Russian government involvement in the cyberattacks or stop talking about it, The New York Times reported.

Nathan Wenzler, principal security architect ASTech Consulting, says there are two likely scenarios for a US response. One, the US could launch covert retaliatory strikes at Russian targets to demonstrate that it is capable of the same level of sophisticated cyberattacks as the Russians. But the long-term merits of such a strategy are dubious, he says.

"While this may satisfy a more primal need for direct retaliation, in today's cybersecurity space, this will most likely only cause a series of tit-for-tat attacks back and forth, escalating with each volley," he says, "It's typically a no-win scenario, despite the more immediate reward of getting back at the aggressor."

The second option is to impose sanctions and other forms of political restrictions on Russia and get US allies to do the same, he says.

Hackers broke into systems belonging to the Democratic National Committee (DNC) earlier this year and stole 19,000 emails, which they later leaked on whistleblower website Wikileaks. Many believe the contents of the emails damaged the Clinton campaign and caused it to lose momentum in the critical months leading up to the presidential elections.

The FBI and US intelligence agencies have blamed Russia for the intrusions. They have described the attacks as an attempt by people at the highest levels of the Russian government to influence the outcome of the US election. President-elect Trump himself has dismissed the US intelligence community’s conclusions as being politically motivated and insisted that there is no proof of any Russian government involvement, despite all the claims to the contrary.

Russian 'Rasputin'

Meanwhile, in a separate but related development, threat intelligence firm Recorded Future late yesterday said its investigation of chatter related to a suspected breach of the US Election Assistance Commission (EAC) shows that a Russian-speaking hacker is involved.

Recorded Future identified the hacker—whom it has named as Rasputin—as being involved in an attempt to sell access credentials to the EAC database to interested buyers. The researchers there said they have also seen Rasputin attempt to sell access to zero-day vulnerability on the EAC system to a buyer believed to be working on behalf of a Middle Eastern government.

Rasputin appears to have stolen more than 100 access credentials, including many that provide highest-level administrative privileges on the EAC systems. The admin accounts can be used to plant malware or modify the EAC site, Recorded Future warned. It is unclear how long the vulnerability that Rasputin attempted to sell has remained unpatched.

According to Recorded Future, its analysis of Rasputin's activities suggests the hacker is acting alone.

Related Content:



Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
User Rank: Apprentice
12/17/2016 | 1:46:20 PM
Observations on content of article
Thanks for posting the article Jai. Have some comments, observations, and questions of some items. First, I reviewed recently the blog of Dmitri Alpervitch about the findings and analysis of their work for the DNC, the gist of which was the detection by the CrowdStrike forensics team of obvious signs that the cyber-attacktics amd operational signature indicated the incursions and activities were attributable to CozyBear and FancyBear:

[from the blog titled

Bears in the Midst: Intrusion into the Democratic National Committee

"immediately identified two sophisticated adversaries on the network – COZY BEAR and FANCY BEAR. We've had lots of experience with both of these actors attempting to target our customers in the past and know them well."

I have not looked at any of the forensic evidence collected and analyzed by CrowdStrike, so my next few comments are obviously speculation. That being said, I would point out that since CrowdStrike has knowledge of the operational signatures of Cozy and Fancy, other cyber intelligence and even cyber-threat agents as or even more sophisticated then the CrowdStrike team would obviously also know these "operational signatures". And with that knowledge, other sophisticated cyber threat agents would be able to and likely would emulate these operational signatures as part of the offensive attacktic of false attribution to cover tracks. CrowdStrike does indicate that one of the operational tactic signatures they detected was the use of metamorphic actions, but even that attacktic can be sufficiently randomized to approximate the CozyBear / FancyBear signiature.

My main point here is that there really is no way to rule out the distinct possibility that either a different threat actor had penetrated and potentially took total super-user control over the DNC, DCCC, and Podesta e-mail systems or perhaps even multiple sophisticated threat actors were traversing in and out of those systems. As a professional cyber expert involved in work on critical infrastructures, I would have preferred that CrowdStrike and Dmitri had rendered their reports using the specification of probablities of occurence which is really all that CrowdStrike or any other credible incident response / forensics team should be including in both their reports and public statements (like the recent interview that Dmitri had with Wolf Blitzer and als NPR).

On your discussion about the reports from Recorded Future about the incursions and leaks of US EAC database access credentials, I am concerned that the system administrators of the EAC infrastructure did not utilize best practice implementations of security controls to have those database access credentials deployed using data-at-rest encryption with salted hashes and also deployed in the relatively common deployment of Active Directory or LDAP. The poor implementation of readily available NIST 800-53 or ISO 2700x series security contols is actually the largest vector to all of these incursions - DNC, DCCC, Podesta, and US EAC.

Looking forward to your thoughts on these factors.
User Rank: Strategist
12/18/2016 | 2:31:13 AM
Re: Cryptolocker 2016
We have already heard this "bla-bla-bla" in October, 2016 from another White House official. What is the time and place? North Pole in 2050?
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google's new See No Evil policy......
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-20
The Quiz And Survey Master – Best Quiz, Exam and Survey Plugin WordPress plugin before 7.1.18 did not sanitise or escape its result_id parameter when displaying an existing quiz result page, leading to a reflected Cross-Site Scripting issue. This c...
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 44741ff99f7a71df45420635b238b9c22093647a contains a buffer overflow which could allow attackers to obtain sensitive information.
PUBLISHED: 2021-06-18
SerenityOS contains a buffer overflow in the set_range test in TestBitmap which could allow attackers to obtain sensitive information.
PUBLISHED: 2021-06-18
SerenityOS in test-crypto.cpp contains a stack buffer overflow which could allow attackers to obtain sensitive information.
PUBLISHED: 2021-06-18
SerenityOS before commit 3844e8569689dd476064a0759d704bc64fb3ca2c contains a directory traversal vulnerability in tar/unzip that may lead to command execution or privilege escalation.