WEBVTT - UPDATE: Russian Interference in the U.S. Election 0:00:00.480 --> 0:00:03.040 Hi everyone, This is Brad. We're hard at work on 0:00:03.080 --> 0:00:05.560 a series of new episodes for the fall, and so 0:00:05.640 --> 0:00:08.000 this week will be re airing a shortened version of 0:00:08.039 --> 0:00:10.600 a very topical episode we first ran almost a year 0:00:10.600 --> 0:00:13.800 ago in October two thousand and sixteen. At the end 0:00:13.960 --> 0:00:26.400 will update you with everything that's happened since then. On Friday, 0:00:26.400 --> 0:00:29.720 October seven, the U S. Department of Homeland Security in 0:00:29.760 --> 0:00:32.680 the Office of the Director of National Intelligence released a 0:00:32.720 --> 0:00:36.160 statement and it was a pretty stunning announcement. Barely two 0:00:36.200 --> 0:00:38.680 and a half months after a cyber attack was revealed 0:00:38.720 --> 0:00:42.360 on the Democratic National Committee, the Obama administration laid the 0:00:42.400 --> 0:00:45.640 blame at the feet of Russia's President Vladimir Putin with 0:00:45.720 --> 0:00:49.200 a strongly the US government publicly blaming a foreign country 0:00:49.240 --> 0:00:52.280 for attacking a U S entity. That's an incredibly rare thing. 0:00:52.520 --> 0:00:54.440 I was surprised when I saw this statement come out, 0:00:54.960 --> 0:00:57.600 even though it's something that the private cybersecurity experts have 0:00:57.680 --> 0:01:00.600 been talking about for a while. Uh, the government formally 0:01:00.600 --> 0:01:03.120 blaming a foreign entities only happened a handful of times, 0:01:03.600 --> 0:01:07.000 and specifically here, the US was accusing Russia of hacking 0:01:07.080 --> 0:01:10.840 the Democratic Party right as voters prepared to go to 0:01:10.880 --> 0:01:13.959 the polls on November eight. It's a scary prospect. Could 0:01:13.959 --> 0:01:17.360 hackers tamper with or even obliterate our votes. So here's 0:01:17.360 --> 0:01:21.000 my question. We are so close now to election day, 0:01:21.040 --> 0:01:23.319 and you can tell because that's really all you see 0:01:23.400 --> 0:01:26.600 on TV right now. So how do we know for 0:01:26.640 --> 0:01:30.160 sure what we think we know about these hacks? This 0:01:30.240 --> 0:01:33.399 is a perpetual problem in cybersecurity, and it reminds me 0:01:33.440 --> 0:01:36.480 of the famous New Yorker cartoon that goes on the internet. 0:01:36.560 --> 0:01:39.280 Nobody knows you're a dog, But when you're investigating a 0:01:39.319 --> 0:01:43.520 cybersecurity breach, uh, nobody knows whether you're a Russian hacker 0:01:44.080 --> 0:01:46.840 or a Chinese hacker pretending to be a Russian hacker, 0:01:47.400 --> 0:01:50.040 or even a US hacker pretending to be a Chinese 0:01:50.080 --> 0:01:53.520 hacker pretending to be a Russian hacker. Or, as Donald 0:01:53.520 --> 0:01:56.600 Trump put it so delicately, I don't think anybody knows 0:01:56.600 --> 0:01:58.640 it was Russia that broke into the d n C. 0:01:58.800 --> 0:02:01.320 She's saying Russia, Russia, Russia, but I don't know. Maybe 0:02:01.320 --> 0:02:03.040 it was. I mean, it could be Russia, but it 0:02:03.080 --> 0:02:05.559 could also be China, could also be lots of other people. 0:02:05.600 --> 0:02:07.640 It also could be somebody sitting on their bed that 0:02:07.760 --> 0:02:11.840 weighs four hundred pounds, Okay, And how is the US 0:02:12.080 --> 0:02:15.160 or anyone else for that matter, so certain that the 0:02:15.240 --> 0:02:18.560 Russians are trying to hijack our elections? What should an 0:02:18.680 --> 0:02:31.239 ordinary voter do? And should we even care? Hi, am Akito, 0:02:31.639 --> 0:02:34.880 and I'm George Robertson, and this week on Decrypted, we're 0:02:34.880 --> 0:02:37.360 going to take you inside the hunt for the people 0:02:37.440 --> 0:02:40.919 who have the Democratic National Committee. It's a sort of 0:02:41.040 --> 0:02:43.480 tale of how two of the world's great superpowers have 0:02:43.520 --> 0:02:47.200 found themselves locked in an escalating information war just weeks 0:02:47.200 --> 0:02:49.760 before millions of Americans go to the polls, and the 0:02:49.800 --> 0:02:53.000 stakes they really couldn't be any higher. Not only is 0:02:53.040 --> 0:02:55.960 this the most divisive election we've seen in recent memory, 0:02:56.480 --> 0:03:00.200 with Hillary Clinton and Donald Trump advocating for completely print 0:03:00.280 --> 0:03:03.240 visions of America, but also hanging in the balance is 0:03:03.520 --> 0:03:08.240 the democratic process itself. What happens to a country's sovereignty 0:03:08.240 --> 0:03:12.320 in the age of the Internet. Our story today starts 0:03:12.320 --> 0:03:15.079 in April when the I T staff at the Democratic 0:03:15.200 --> 0:03:18.720 National Committee noticed something a little weird going on in 0:03:18.760 --> 0:03:22.160 their network. For our non American listeners, this is the 0:03:22.280 --> 0:03:25.480 official organization behind the Democratic Party, the d n C, 0:03:26.200 --> 0:03:29.560 and the i T staff there, they escalated their concerns 0:03:29.560 --> 0:03:33.519 to their executives and a cyber security firm called CrowdStrike 0:03:33.720 --> 0:03:39.440 was called in to investigate. So CrowdStrike is one of 0:03:39.480 --> 0:03:43.640 a small group of digital forensics firms that really all 0:03:43.680 --> 0:03:46.680 they do is investigate data breaches. And they went in. 0:03:47.200 --> 0:03:50.440 They installed sophtware in the DNC servers, essentially allowing them 0:03:50.440 --> 0:03:52.960 to spy on the spies, and it didn't take them 0:03:52.960 --> 0:03:55.400 long to pin the attacks on two groups of hackers 0:03:55.440 --> 0:03:58.720 associated with the Russian government. They called these groups Cozy 0:03:58.760 --> 0:04:02.520 Bear and Fancy Bear. Cozy Bear and Fancy Bear. Is 0:04:02.560 --> 0:04:06.680 this some kind of industry inside joke? Yeah, the hypersecurity 0:04:06.720 --> 0:04:09.400 industry has a lot of kind of goofy, funny names 0:04:09.400 --> 0:04:13.320 for groups. They're thematic, often associated with a region. Uh. 0:04:13.440 --> 0:04:16.080 Some others are called deep Panda and things like that. 0:04:16.720 --> 0:04:20.520 I love that. Then CrowdStrike closed all the security holes 0:04:20.520 --> 0:04:23.080 that had allowed the attackers to breach the DNC servers, 0:04:23.640 --> 0:04:25.280 and so the hackers wouldn't be able to read the 0:04:25.279 --> 0:04:29.240 staff emails anymore. Now, normally you don't really disclose this 0:04:29.360 --> 0:04:32.760 kind of thing unless you absolutely have to. It's certainly 0:04:32.800 --> 0:04:36.400 embarrassing for the d n C, especially when, as we 0:04:36.600 --> 0:04:40.200 learned later, they were warned about their networks vulnerabilities and 0:04:40.400 --> 0:04:44.040 ended up ignoring those early warnings. But the DNC may 0:04:44.080 --> 0:04:46.120 have had a hint that some of this information was 0:04:46.120 --> 0:04:48.520 about to be leaked on the internet, so they dropped 0:04:48.520 --> 0:04:51.920 this bomb show. But first, the Democratic National Committee said 0:04:51.960 --> 0:04:56.839 today Russian government hackers have penetrated its computer network. Breaches 0:04:56.880 --> 0:05:01.560 by two separate groups allowed hackers to access emails, internal chats, 0:05:01.720 --> 0:05:06.839 and the opposition Research Democrats have compiled unpresumptive Republican nominee 0:05:06.880 --> 0:05:10.440 Donald Trump. That's PPS News Hour reporting the hack on 0:05:10.600 --> 0:05:14.240 June four, the day this all became public, and it 0:05:14.320 --> 0:05:17.400 hit the US political system like a bolt of lightning. 0:05:17.760 --> 0:05:20.960 People were furious, how dare Russia try to mess with 0:05:21.000 --> 0:05:25.640 America that type of thing. And then one day after 0:05:25.680 --> 0:05:29.000 the DNC announcement, someone or a group of people who 0:05:29.000 --> 0:05:31.720 go by the name Goose Offer too Dato came out 0:05:31.720 --> 0:05:33.720 in a blog post and basically laughed in the d 0:05:33.800 --> 0:05:36.480 n c's face. This person was like, no, you idiots, 0:05:36.480 --> 0:05:38.600 I am the lone hacker that infiltrated the d n C. 0:05:39.120 --> 0:05:41.359 And this had nothing to do with the Russians and 0:05:41.400 --> 0:05:44.080 Goosefer too. Dato released a bunch of documents that he 0:05:44.160 --> 0:05:46.480 claimed he had stolen from the d n C as 0:05:46.520 --> 0:05:50.360 evidence that he was behind it, and from there it 0:05:50.400 --> 0:05:54.039 was chaos. Was it the Russians with some lunar kid 0:05:54.080 --> 0:05:57.159 who had too much time on his hands, And that's 0:05:57.160 --> 0:06:02.560 when crowd Strike called in this guy for help. My 0:06:02.640 --> 0:06:04.880 name is Mike Burtaski. I'm the senior vice president of 0:06:04.920 --> 0:06:11.080 cybersecurity Services at Fidela Cybersecurity here in Maryland. I lead 0:06:11.200 --> 0:06:16.039 a incident response team of about thirty individuals and we've 0:06:16.080 --> 0:06:19.039 handled some of the largest breaches that have have occurred 0:06:19.040 --> 0:06:22.760 over the past decade or so. So I've known Mike 0:06:22.800 --> 0:06:24.760 for several years now, and he's a really interesting guy. 0:06:24.960 --> 0:06:27.239 Used to be a cop with the Montgomery County Police 0:06:27.240 --> 0:06:30.160 Department in Maryland, and he looks like at X cop. 0:06:30.240 --> 0:06:33.880 He's got the short cropped haircut, solidly built guy at 0:06:34.120 --> 0:06:37.440 very friendly and uh, you know, very genial. Even before 0:06:37.440 --> 0:06:39.720 his time in the private sector, he had this long 0:06:39.760 --> 0:06:43.760 experience of tracking down criminals. Mike's now an incident responder 0:06:43.960 --> 0:06:46.640 in cybersecurity speak, that means he flies out at the 0:06:46.680 --> 0:06:49.239 drop of a hat two companies that believe they've been breached, 0:06:49.560 --> 0:06:52.440 and he helps investigate and fix their networks. So like 0:06:52.560 --> 0:06:55.560 the computer nerd version of c s I or Law 0:06:55.600 --> 0:06:58.720 and Order right, and Mike and Fideli's his job was 0:06:58.760 --> 0:07:01.600 too independently VERI by the group of people who attack 0:07:01.640 --> 0:07:05.680 the DNC, and this cybersecurity version of the who done 0:07:05.680 --> 0:07:11.000 it investigation. It's called attribution in the industry, and CrowdStrike 0:07:11.040 --> 0:07:13.560 had asked Fidelis and to other firms to check their work. 0:07:14.320 --> 0:07:16.880 So so we had, um, you know, we got five 0:07:16.880 --> 0:07:19.160 pieces of mal where we had a team of four 0:07:19.160 --> 0:07:21.800 reverse engineers. That's all they do is reverse engineering, so 0:07:21.840 --> 0:07:25.120 we had them bang on it. Jordan, I think we 0:07:25.120 --> 0:07:29.520 should explain this to our listeners. Sure, So CrowdStrike sent 0:07:29.640 --> 0:07:33.080 Mike's team five files of the computer code that was 0:07:33.200 --> 0:07:36.520 on the DNC servers and was responsible for stealing information 0:07:36.560 --> 0:07:39.240 from the emails. And the job of Fidelis and these 0:07:39.240 --> 0:07:41.560 two other firms was to look at this code in 0:07:41.600 --> 0:07:45.960 what's called a virtual environment, like a parallel universe. Right, 0:07:46.280 --> 0:07:48.840 It's a simulated computer system where the code can't do 0:07:48.920 --> 0:07:52.120 any damage on the real servers. Hackers used all kinds 0:07:52.120 --> 0:07:55.480 of tricks to prevent their malware from even opening in 0:07:55.600 --> 0:07:58.160 that kind of hall of mirrors. So a key job 0:07:58.240 --> 0:08:01.320 of an investigator is decoding all of those techniques to 0:08:01.400 --> 0:08:04.840 see how the attack code actually behaves. Okay, and then 0:08:05.200 --> 0:08:09.680 Mike's team they compared that behavior to documented quode in 0:08:09.680 --> 0:08:12.320 the past that was linked to the two hacker groups 0:08:12.360 --> 0:08:16.400 associated with the Russian government and crowd Strait called these 0:08:16.440 --> 0:08:19.760 two groups Cozy Bear and Fancy Bear, and the clues 0:08:19.760 --> 0:08:23.320 surface immediately. You know, really there were a couple of 0:08:23.360 --> 0:08:25.360 things that that we looked at, So you look at 0:08:25.400 --> 0:08:28.240 the complexity of of what the malware was able to do. 0:08:28.640 --> 0:08:32.320 The fact that it had the ability to m basically 0:08:33.559 --> 0:08:37.560 terminate itself and wipe its its tracks, hide its tracks. 0:08:37.600 --> 0:08:40.600 You know, that's not stuff you see in commoditized malware. Really, 0:08:40.840 --> 0:08:43.120 it kills itself. It kills itself. Yeah, And actually one 0:08:43.120 --> 0:08:45.560 of the functions within the one of the pieces of malware, 0:08:46.040 --> 0:08:51.160 UM had had a terminology for essentially Harry Carey UM 0:08:51.400 --> 0:08:55.640 to kill itself. So this automatic suicide switch, this is 0:08:55.679 --> 0:08:59.360 something that's incredibly sophisticated, right, I mean, this is one 0:08:59.400 --> 0:09:02.640 of the reason that Fidelist and CrowdStrike and the other 0:09:02.800 --> 0:09:07.320 forensics researchers were so taken aback by this malware. You know, 0:09:07.320 --> 0:09:10.080 there's a there's a black market for pre built malware 0:09:10.840 --> 0:09:14.240 on the Internet that even somebody like me can piece together, 0:09:14.440 --> 0:09:17.520 so like malware can be like legos. But this feature 0:09:17.520 --> 0:09:21.080 of killing yourself to avoid getting detected, that's really complicated stuff. 0:09:21.600 --> 0:09:23.560 And that's when Mike's team knew they were dealing with 0:09:23.640 --> 0:09:25.680 real pros here. You know, there aren't a ton of 0:09:25.679 --> 0:09:28.319 people around the world who have this level of sophistication, 0:09:28.800 --> 0:09:30.400 and there were a bunch of other things that backed 0:09:30.440 --> 0:09:34.520 up this conclusion. To the level of access that the 0:09:34.520 --> 0:09:40.280 malware gave the malicious user UM was pretty astonishing. Uh. 0:09:40.320 --> 0:09:44.800 It was also written very very um well, I I 0:09:44.800 --> 0:09:47.800 guess elegant is probably a good way to to say it. 0:09:47.800 --> 0:09:51.080 It was not sloppy by any stretch of the imagination. UM. 0:09:51.160 --> 0:09:53.600 And again, so you start looking at, Okay, who would 0:09:53.600 --> 0:09:55.520 have had the capability to do that? And you know 0:09:55.559 --> 0:09:58.640 we talked earlier how you know, yeah, you can have 0:09:58.679 --> 0:10:01.280 somebody on the inside do something, but they may not 0:10:01.400 --> 0:10:04.319 be the best at it. So you have, uh, you've 0:10:04.320 --> 0:10:06.600 got to have people who are a lot of experience 0:10:06.600 --> 0:10:08.200 doing it, or a lot of training to do it, 0:10:08.240 --> 0:10:12.280 and um, it was. It was a very complex piece 0:10:12.320 --> 0:10:15.640 of malware that the average person probably couldn't use. Uh. 0:10:15.679 --> 0:10:19.360 It's also not something that we've seen out in the 0:10:19.400 --> 0:10:24.480 wild necessarily. It's very targeted pieces of malware, very limited. 0:10:24.600 --> 0:10:26.360 Can't buy it on the black market. You can't buy 0:10:26.360 --> 0:10:33.000 these components. Not that. No, not that we've come across. Okay, okay, 0:10:33.000 --> 0:10:36.319 So so far we know that this attack was orchestrated 0:10:36.360 --> 0:10:40.920 by someone really really good, someone really really experienced, and 0:10:41.240 --> 0:10:44.440 that immediately limited the pool of people who could be 0:10:44.520 --> 0:10:47.360 responsible for this. It really limited the pool of people 0:10:47.960 --> 0:10:51.520 to someone with the kind of resources, with backing from 0:10:51.520 --> 0:10:54.200 an entire government. And on top of that, there were 0:10:54.200 --> 0:10:56.079 a bunch of things that pointed to the code being 0:10:56.120 --> 0:10:59.280 written in Russia. Yeah, some of these details are really interesting. 0:11:00.080 --> 0:11:03.320 So one of the most fascinating for me is, you know, 0:11:03.360 --> 0:11:05.960 from the way the code was written, it was clear 0:11:06.120 --> 0:11:09.040 that it was written on a Russian language keyboard, and 0:11:09.080 --> 0:11:12.160 the dates and times that the code was compiled was 0:11:12.240 --> 0:11:15.360 during normal business hours in Russia, and that's consistent with 0:11:15.400 --> 0:11:17.800 the code that's already been traced back to the Russian 0:11:17.800 --> 0:11:21.000 government backed hackers in the past, and that's not something 0:11:21.040 --> 0:11:24.360 that you can easily fake, right, like change the time 0:11:24.400 --> 0:11:27.120 stamps or something. Yeah, that was my question too, But 0:11:27.160 --> 0:11:29.240 Mike said, there's so many different things that you'd have 0:11:29.320 --> 0:11:34.000 to consistently change to successfully pull off that spoof. You're 0:11:34.000 --> 0:11:36.079 dealing with a situation that if it was a one 0:11:36.120 --> 0:11:38.800 off easier to change. You know, same same thing with 0:11:39.080 --> 0:11:40.520 you know, you can change the date and time on 0:11:40.559 --> 0:11:42.720 your computer. Absolutely, you can do that, and it would 0:11:42.800 --> 0:11:46.079 potentially throw an investigator off consistently across five pieces of 0:11:46.200 --> 0:11:49.600 mour Okay, you know, probably a little more difficult across 0:11:49.920 --> 0:11:52.520 x number of pieces of hour across how many incidents 0:11:52.600 --> 0:11:54.800 and to all have them point to the same place. 0:11:57.040 --> 0:11:59.240 And that's why Mike doesn't buy Trump's theory of this 0:11:59.280 --> 0:12:03.720 four man sitting on the bed orchestrating this incredibly sophisticated attack. 0:12:04.160 --> 0:12:06.719 And while he doesn't buy goose offer Toodato's claim that 0:12:06.760 --> 0:12:09.560 he was a lone hacker. Okay, is it a script, kiddiers, 0:12:09.600 --> 0:12:11.640 it's somebody who bought a piece of malware, or is 0:12:11.679 --> 0:12:14.440 it you know, somebody drinking mountain doing it in twinkies 0:12:14.480 --> 0:12:18.959 and mom's basement. No, it really needs a level of 0:12:19.160 --> 0:12:24.000 operational discipline that you don't see really in the wild. 0:12:24.400 --> 0:12:27.120 And you're right, the number of people who could pull 0:12:27.160 --> 0:12:31.880 it off, it becomes dramatically narrower. So Icky, are you convinced? 0:12:32.679 --> 0:12:35.959 I mean I think so. I don't know. I keep 0:12:36.000 --> 0:12:39.120 on expecting a twist, like you're you're tricking me, Like 0:12:39.200 --> 0:12:41.679 in Law and Order when the guy who seems really 0:12:41.720 --> 0:12:44.640 suspicious turns out to be innocent in the end. I 0:12:44.720 --> 0:12:48.040 like that. Well, here's maybe the most important part. Then 0:12:48.200 --> 0:12:50.040 you need to look at the target, the victim of 0:12:50.040 --> 0:12:52.240 this hack, which was the d n C, and it 0:12:52.320 --> 0:12:54.440 later turned out a broad cross section of the U. 0:12:54.520 --> 0:12:58.440 S political system, everyone from lobbyists to lawyers to Hillary 0:12:58.440 --> 0:13:01.839 Clinton's campaign. Going back to Mike's background of working in 0:13:01.920 --> 0:13:04.840 law enforcement, you have to ask who would have had 0:13:04.840 --> 0:13:07.680 the motive to pour this kind of effort into spying 0:13:07.679 --> 0:13:15.280 on key members of American politics. Sure, an opportunistic hacker, 0:13:15.559 --> 0:13:17.800 you know, putting a feather in their caps, saying hey, 0:13:17.800 --> 0:13:21.480 we you know we broke into the d n C. Okay, yeah, 0:13:21.559 --> 0:13:24.720 I mean that that could potentially happen um, But then 0:13:24.960 --> 0:13:30.000 releasing the emails the evening before the convention started. Well 0:13:30.480 --> 0:13:32.960 then again, now you now you're looking at it, okay, Well, 0:13:33.240 --> 0:13:38.640 you know that really smacks like an information operation. And 0:13:38.760 --> 0:13:41.240 here I think we should remind our listeners of the 0:13:41.440 --> 0:13:44.600 chronology of the events that took place just a few 0:13:44.679 --> 0:13:47.000 weeks after the d n C announced the hack in 0:13:47.040 --> 0:13:50.040 mid June. I mean, this was a time when the 0:13:50.080 --> 0:13:54.319 Republican Party was still in complete disarray, but things were 0:13:54.320 --> 0:13:56.280 looking pretty good for the Democrats. This was a time 0:13:56.320 --> 0:13:59.480 when Hillary Clinton UM was trying to solidify her support 0:14:00.440 --> 0:14:02.760 and you have this forest fire raging on the internet 0:14:02.800 --> 0:14:05.319 about this issue. You have Wiki leaks and Goosea for 0:14:05.400 --> 0:14:08.680 Todato publishing a stream of emails that turned out to 0:14:08.679 --> 0:14:10.800 be really embarrassing for the d n C. At you 0:14:10.800 --> 0:14:14.040 know what couldn't have been a worse time for them, Yeah, 0:14:14.120 --> 0:14:17.080 like that one from when Bernie Sanders was still in 0:14:17.120 --> 0:14:21.040 the primary race with Hillary Clinton and a senior staff 0:14:21.080 --> 0:14:23.440 were at the DNC talked about how they should try 0:14:23.440 --> 0:14:26.800 to paint Sanders as an atheist, try to question his 0:14:26.880 --> 0:14:29.520 Jewish faith and the party itself is supposed to be neutral, 0:14:29.880 --> 0:14:32.840 and that led to a lot of turmoil within the party. 0:14:32.880 --> 0:14:35.480 I mean, the Democratic Convention that took place at the 0:14:35.560 --> 0:14:38.240 end of July. That was kind of a mess, at 0:14:38.320 --> 0:14:41.760 least at the beginning. All these Bernie supporters were protesting 0:14:42.000 --> 0:14:45.120 and booing down speakers on stage, and ultimately d n 0:14:45.160 --> 0:14:48.280 C Chairwoman Debbie Wasserman Schultz, who was a rising young 0:14:48.360 --> 0:14:52.160 star in the party, she resigned. And bringing this back 0:14:52.240 --> 0:14:54.920 to our story today, like you said, Jordan's, this really 0:14:55.000 --> 0:14:58.440 does point to motive. I mean, who would really want 0:14:58.480 --> 0:15:01.359 to introduce this kind of termal well to the democratic 0:15:01.440 --> 0:15:04.200 process itself in America, which is, you know, really the 0:15:04.240 --> 0:15:07.320 sacristanc thing. Who would want to do this thing that 0:15:07.360 --> 0:15:10.600 would make you question the fairness of the system that 0:15:10.600 --> 0:15:13.520 we've developed over the years. Yeah, this project has been 0:15:13.520 --> 0:15:15.880 interesting to me because I consider myself, you know, a 0:15:15.880 --> 0:15:18.120 pretty serious skeptic on a lot of these claims. It's 0:15:18.160 --> 0:15:20.360 it's just way too easy for a hacked entity to 0:15:20.400 --> 0:15:22.720 throw out, oh the Russians did this and the Chinese 0:15:22.720 --> 0:15:26.000 did that or whatever. Yeah, kind of like this get 0:15:26.000 --> 0:15:29.040 at a jail free card when your company has been hacked? Right, 0:15:29.400 --> 0:15:34.080 these really sophisticated organized hackers backed by a whole government. 0:15:34.160 --> 0:15:36.920 If if someone like that tries to target you, what 0:15:37.040 --> 0:15:40.120 could you have possibly done. It's like when we reported 0:15:40.120 --> 0:15:43.000 about Yahoo's breach, which was this massive, you know, more 0:15:43.040 --> 0:15:46.960 than five million customer accounts getting hacked. We reported that 0:15:47.000 --> 0:15:50.240 the company's claim of the attack being state sponsored, you know, 0:15:50.400 --> 0:15:53.560 isn't so iron clad. But this one with the d 0:15:53.680 --> 0:15:56.520 n C. After talking to Mike, after talking to all 0:15:56.520 --> 0:16:01.680 these other experts, Jordan, are you convinced. Yeah, I'm pretty convinced. 0:16:01.680 --> 0:16:03.720 I mean, it takes a lot to clear that hurdle 0:16:03.840 --> 0:16:06.720 of you've got this piece of malware and this is 0:16:06.760 --> 0:16:09.600 evidence that the Russians did it. Uh, you know, but 0:16:10.040 --> 0:16:12.400 Mike will be the first to tell you this. Well, 0:16:12.440 --> 0:16:14.840 it's it's always risky. I mean, you know, when you're 0:16:15.000 --> 0:16:18.360 when you're you're doing attribution, you're really never saying a 0:16:18.400 --> 0:16:23.160 hundred percent that it's this person, because, you know, barring 0:16:23.560 --> 0:16:26.760 seeing somebody at the keyboard and actually doing it or 0:16:26.800 --> 0:16:32.360 a confession, you're you're relying on that circumstantial evidence. This 0:16:32.440 --> 0:16:34.720 all comes down to Mike's days as a cop. Can 0:16:34.760 --> 0:16:37.760 you prove to a jury beyond a reasonable doubt that 0:16:37.800 --> 0:16:41.320 the Russians did this? And his answer was yes. And 0:16:41.360 --> 0:16:44.920 now the US government has come out and officially blame 0:16:45.000 --> 0:16:50.280 the Russian government, and there are lots of reasons potentially 0:16:50.320 --> 0:16:52.960 for that happening. There are ways that the government can 0:16:53.000 --> 0:16:56.640 really know what's going on, intercepted phone calls, intercepted emails, 0:16:57.080 --> 0:17:00.720 human and signals intelligence sources in a way that no 0:17:00.880 --> 0:17:04.920 private cybersecurity could ever match. Sounds a little sinister. Well, 0:17:04.960 --> 0:17:07.159 we don't know for sure, but here's what Rob Owens, 0:17:07.160 --> 0:17:09.919 who's an industry analyst at Pacific Press Securities, told me. 0:17:10.320 --> 0:17:13.959 Nation States do hack. I think the US government hacks 0:17:13.960 --> 0:17:19.040 as well. It's a well known fact within the industry that, uh, 0:17:19.800 --> 0:17:24.600 everybody's hacking everybody to some degree. So maybe the US 0:17:24.680 --> 0:17:28.240 government was spying on Russia while Russia was spying on 0:17:28.280 --> 0:17:31.439 the d n C. Well, we know that both countries 0:17:31.480 --> 0:17:33.320 spied each other all the time, but in this case, 0:17:33.359 --> 0:17:35.600 we don't know exactly what the evidence is. But it's 0:17:35.600 --> 0:17:37.800 fair to assume that that's the case. And that's why 0:17:37.800 --> 0:17:39.679 at the top of the show today you called it 0:17:39.760 --> 0:17:46.080 an information war like the Cold War of our generation exactly. So, 0:17:46.119 --> 0:17:48.440 if we've managed to keep our listeners till now through 0:17:48.480 --> 0:17:51.880 this complicated journey inside the d n C hack, first 0:17:51.880 --> 0:17:55.840 of all, thanks for sticking with us and second of all, 0:17:55.880 --> 0:17:59.720 I think the burning question everyone has now is what's 0:17:59.760 --> 0:18:11.480 not next? Okay, so Jordan's you and I are now 0:18:11.520 --> 0:18:14.919 in the present day. It's September two thousand seventeen, and 0:18:15.000 --> 0:18:17.600 this story has evolved in ways we never could have 0:18:17.640 --> 0:18:21.520 imagined over the last eleven months. Well since then, Donald 0:18:21.560 --> 0:18:25.520 Trump got elected. Yes, I do recall that happening, and 0:18:25.600 --> 0:18:27.600 Facebook took a lot of heat for not doing enough 0:18:27.640 --> 0:18:29.800 to stop the spread of fake news on its platform, 0:18:30.119 --> 0:18:32.719 the subject of another great episode of Decrypted. We ran 0:18:32.760 --> 0:18:35.800 in November last year, and there were quite a few 0:18:35.800 --> 0:18:40.440 reports connecting these fake news stories to Russian state funded organizations. Right, 0:18:40.800 --> 0:18:43.320 and then the CIA, FBI, and n s A came 0:18:43.320 --> 0:18:45.960 out and reported that Russia's meddling was meant to help 0:18:46.040 --> 0:18:49.600 Donald Trump and undermine Hillary Clinton, And of course Special 0:18:49.640 --> 0:18:52.880 Counsel Robert Mueller is now leading an investigation into Russia's 0:18:52.960 --> 0:18:57.080 tampering and possible ties to Donald Trump's campaign. It also 0:18:57.160 --> 0:19:00.560 turns out that Russia's attack went beyond an information in campaign. 0:19:00.640 --> 0:19:03.520 To my colleague Mike Riley and I report in June 0:19:03.840 --> 0:19:06.919 that Russia's hackers actually breached the voting systems in thirty 0:19:07.000 --> 0:19:10.960 nine states, for example, in Illinois, intruders tried to delete 0:19:11.080 --> 0:19:13.879 or alter voter data. And the most recent twist to 0:19:13.920 --> 0:19:16.880 hauld this is this Facebook announced that it found one 0:19:16.960 --> 0:19:20.520 hundred thousand dollars in ad spending connected to fake accounts 0:19:20.520 --> 0:19:23.200 that were probably run from Russia that aimed to stir 0:19:23.359 --> 0:19:27.200 political controversy in the election. Which is to say, this 0:19:27.359 --> 0:19:30.320 Jordan is a story that never ends. Just when you 0:19:30.359 --> 0:19:32.960 think you've got your arms around the entire story, there's 0:19:33.080 --> 0:19:35.560 yet another development. So what do you make of the 0:19:35.600 --> 0:19:38.800 most recent announcement from Facebook on that one grand in 0:19:39.080 --> 0:19:41.879 an ad spending? It just goes to show that, you know, 0:19:41.960 --> 0:19:46.960 this Russian information operation went further than really anybody understood, 0:19:47.119 --> 0:19:50.840 and in ways that subverted, you know, the very coin 0:19:50.880 --> 0:19:54.760 of the realm of silicon value, which is targeted digital ads. 0:19:54.840 --> 0:19:57.639 And you know, how do you disentangle yourself from that 0:19:57.680 --> 0:20:00.760 system if your Facebook or Google or you know, anybody 0:20:00.760 --> 0:20:02.920 else that relies on them. But hang on, because a 0:20:03.000 --> 0:20:05.399 lot of people when this news came out said a 0:20:05.480 --> 0:20:08.520 hundred thousands of small potatoes. I mean, do you think 0:20:08.520 --> 0:20:10.359 it's a small amount or do you think that there's 0:20:10.400 --> 0:20:12.480 more that we just don't know of yet? There definitely 0:20:12.520 --> 0:20:14.440 could be more that we don't know about yet, because 0:20:14.480 --> 0:20:17.000 the way that these things are tracked are you know, 0:20:17.040 --> 0:20:19.199 you go from known accounts that have been identified to 0:20:19.200 --> 0:20:21.480 you either by the company or the U. S. Government, 0:20:21.720 --> 0:20:23.640 and you work backwards from there. But these networks are 0:20:23.680 --> 0:20:26.639 so vast, these ad networks, you know that knowing really 0:20:26.680 --> 0:20:29.720 who is pumping money into these systems is uh is, 0:20:29.760 --> 0:20:32.399 you know, a pretty challenging test. But the hundred thousand 0:20:32.520 --> 0:20:35.399 signified something different to me. It's that one of my 0:20:35.520 --> 0:20:39.760 key takeaways from this information operation was that the Russians 0:20:39.760 --> 0:20:42.040 are learning, the hackers are learning. It's not that they've 0:20:42.480 --> 0:20:45.920 entered like a state of perfect execution. All of these 0:20:45.960 --> 0:20:49.600 things were tests, were trial runs, and that's the really 0:20:49.640 --> 0:20:52.719 concerning things. So in that context, a hundred thousand dollars 0:20:52.720 --> 0:20:54.960 may have gotten them what they needed, which was, you know, 0:20:55.000 --> 0:20:56.679 just a set of principles to operate on for the 0:20:56.720 --> 0:21:00.280 next time. What I found partly remarkable was that the 0:21:00.600 --> 0:21:04.120 culprit and all this was a shadowy organization based out 0:21:04.119 --> 0:21:07.720 of St. Petersburg called the Internet Research Agency, which is 0:21:07.800 --> 0:21:11.320 known for pushing Kremlin propaganda. And this was not this 0:21:11.359 --> 0:21:14.080 is actually not all that secretive and organization like these 0:21:14.080 --> 0:21:17.440 are known guys. There have been profiles in major media 0:21:17.800 --> 0:21:21.040 organizations about about this agency. Had you heard of them 0:21:21.080 --> 0:21:23.679 and what do you make of their involvement? Yeah? I have? 0:21:23.920 --> 0:21:25.760 Then you know, I mean there are there are armies 0:21:25.760 --> 0:21:30.000 of these kind of professional trolls, kind of quasi spammers 0:21:30.000 --> 0:21:33.399 that are not necessarily breaking the law, but are certainly 0:21:33.440 --> 0:21:35.840 acting in many ways as hackers, even if they're not 0:21:35.880 --> 0:21:38.280 breaking into accounts. And you know, one thing that we 0:21:38.320 --> 0:21:42.480 can't forget is that in this current information ecosystem, it's 0:21:42.480 --> 0:21:46.520 all about headlines. And even if they're promoting fake headlines 0:21:46.560 --> 0:21:48.520 and half of your news feed or fake headlines that 0:21:48.800 --> 0:21:51.200 if you clicked on any any individual one of them 0:21:51.400 --> 0:21:54.560 you would recognize as bogus, it's the aggregate is the effect. 0:21:54.640 --> 0:21:56.879 So if you see enough of these things, you know, 0:21:57.040 --> 0:22:01.800 fake news, slanted news, propaganda, it actually psychologically can have 0:22:01.840 --> 0:22:03.800 an effect over time if you see enough of it. 0:22:04.320 --> 0:22:06.520 And that's that's the disturbing part. Is you're not breaking 0:22:06.520 --> 0:22:09.280 a law, but they're influencing the way you think about things, 0:22:09.359 --> 0:22:11.920 and happens on a subliminal level. Right, Well, so we're 0:22:11.960 --> 0:22:15.119 talking about changing people's minds but what about actually changing 0:22:15.119 --> 0:22:18.160