When a hacker wants to take over your laptop or steal your credit card, they will often use strategies you can learn about with a Google search.
Russian hackers — including operators who target government officials and other high-ranking people — are no different. According to experts on a panel at the SINET security conference Wednesday, Russian hackers operate much like a lean startup, using open source tools and popular software to target victims.
Tactics don’t have to be technically advanced. In fact, they’re widely available for everyone from the government to bad guys, according to Mike Murray, VP of security and intelligence at mobile security firm Lookout. People also buy and sell hacking tools on the dark web, or parts of the internet that require certain configurations to access. Most of this is done anonymously.
For example, one tactic Murray mentioned targets PowerShell, a Windows computer management tool that a hacker could take over remotely to control a user’s entire computer.
But the most effective way to get your information is through a phishing attack. That’s how hackers accessed the email of John Podesta, former chair of Hillary Clinton’s presidential campaign. The U.S. intelligence community blamed Russia for hacking and then leaking the emails to WikiLeaks, which published them during the 2016 campaign.
Panelist Herbert Lin, senior research scholar for cyber policy and security at Stanford University, called it “the most consequential hack of the election.”
Phishing is popular because it doesn’t take much effort. A hacker will send you something like a link or an email form that looks like it comes from a trusted source — for instance, they might send you an email that appears to be from Google asking you to share your password. According to an indictment from the Justice Department, the group of Russian hackers who allegedly stole 500 million Yahoo accounts used phishing attacks to target their victims.
Other tools hackers use are much more complicated. For instance, Xagent is a type of malicious software that can log keystrokes, steal your device backups, and capture what’s on your computer.
Russian hackers aren’t alone in their strategies. Even U.S. government agencies — like the CIA — use common software and hardware hacking tools.
Lin says there’s one attack that’s been so successful you might not realize it: an attack on our brains, not on cyberspace.
Experts say during the presidential election, the “Russian propaganda system” spread information to erode trust in media outlets, candidates, and the U.S. government, including through armies of Twitter bots.
On Thursday, the Senate Intelligence Committee held a hearing on Russia’s influence on the election, including using botnets and fake Twitter accounts.
During the hearing, Florida Senator Marco Rubio described campaigns of fake news and information that spread on Twitter and websites as a “blitzkrieg” of information warfare “conducted by Russian trolls.” The goal, he said, is “to sow instability and to pit Americans against each other.”
Lin calls this a denial of service against human attention. (A denial-of-service attack, often carried out as a distributed denial of service or DDoS, is a common way to flood a network with so much traffic that it goes offline.) The information overload, Lin said, was a high-volume attack meant to “muck up the waters.”
“People have a limited bandwidth, they can only focus on certain things,” Lin told CNNTech. “It’s easier to drown out a message than to refute it.”