Experts: Hard to prove Russians behind DNC hack
SAN FRANCISCO – Computer security researchers say it’s difficult to definitively say the cyber theft of files from the Democratic National Committee subsequently posted online by Wikileaks was the work of Russian hackers, as some media outlets have reported.
“Just because you find an AK-47 at a crime scene doesn’t mean a Russian pulled the trigger,” said J.J. Thompson, chief executive of Rook Security, an Indianapolis-based firm.
On Friday, Wikileaks released what it said were 19,252 emails and 8,034 attachments from leaders at the Democratic National Committee.
The documents show antipathy toward Bernie Sanders, who had hoped to win the party's presidential nomination.
They infuriated Sanders supporters and led to U.S. Rep. Debbie Wasserman Schultz’s announcement she would step down as the committee’s chair.
Q&A: What's the deal with the leaked DNC emails?
On Sunday, Hillary Clinton's campaign manager, Robby Mook, said on ABC's "This Week" that the emails had been extracted by the Russians to help Donald Trump's campaign.
Mook added to this charge Monday, telling reporters, "All we know right now is what experts are telling us," which is that "Russian state actors were feeding the emails to hackers for the purpose of helping Donald Trump.”
In an article published Monday, The New York Times reported that researchers at CrowdStrike, an Irvine, Calif.-based cybersecurity firm, had concluded the breach was the work of two Russian intelligence agencies, or people working for or with them, possibly to disrupt the 2016 U.S. presidential campaign.
Crowdstrike declined to comment for this article. However in May and June it blogged that an analysis it had completed of the long-known intrusion into the DNC's computer network was the work of Russian intelligence-affiliated adversaries, one of whom it called Cozy Bear and the other Fancy Bear.
Russian hackers were implicated in a penetration into the DNC's computer network in June. At the time a federal law enforcement official confirmed the FBI had been investigating the breach for about a year. The official, who is not authorized to comment publicly, declined comment on the source of the hack, but did not dispute an assertion by assertion that Russia was responsible.
Russia hacks Democratic National Committee, Trump info compromised
Crowdstrike said that it had run into both of these groups in previous attacks.
"Both adversaries engage in extensive political and economic espionage for the benefit of the government of the Russian Federation and are believed to be closely linked to the Russian government’s powerful and highly capable intelligence services," Dmitri Alperovitch, the company's co-founder, wrote on in its blog.
However experts within the cybersecurity world say it’s extremely difficult to know exactly who is behind an attack without the kind of on-the-ground surveillance that only government agencies are able to provide.
The amount of information and the conclusions that can be drawn from strictly technical forensics are limited, said Steve Grobman, chief technology officer with for the Intel Security Group.
For instance, if hackers wanted to make it seem as if they were coming from Russia, they would put strings of Russian in their code and then compromise a machine somewhere in Russia and use it to launch the attack from, he said.
“If you looked at that picture, it might look like a very convincing story that it is being perpetrated by someone in Russia,” Grobman said.
“The ‘who’ behind all this stuff online is next to impossible without actual operators who are doing the work on the ground, the way our intelligence agencies operate,” said Thompson.
Crowdstrike hasn’t yet released evidence that shows who used the tools to break in, just that certain tools were used, he said.
Identifying attackers by the digital tools they use is not easy. While intrusions tend to leave traces — digital DNA — these can sometimes be spoofed, said Mark McArdle, chief technology officer with eSentire, a Canadian computer security company with offices in the United States.
However it is clear that the malicious software used in these attacks was extremely high-level and not something purchased off the shelf in the seamier part of the Internet or created by a low-level computer person, he said.
“This was a laser-focused, highly engineered tool developed by someone or some organization. It was not inexpensive — or easy — to create. It took lots of time and effort,” said McArdle.
In law enforcement investigations of criminal activity, the questions are always who had the means, the motive and the opportunity.
In this instance, the pool of those with the means is very small. McArdle limited it to the Israelis, the Chinese, the North Koreans, the Russians and a few extremely sophisticated criminal groups such as those behind recent multimillion dollar bank transfer thefts.
Others feel confident that Russians are behind the attack.
Anup Ghosh, CEO of cyber threat firm Invincea said his company has analyzed in the attackers methods and tools and found them to be similar to other operations tracked back to Russian hacking groups Cozy Bear and Fancy Bear.
The same tactics were used by Russian actors in attacks against the State Department, the White House, and the Joint Chiefs of Staff, Ghosh said.
In addition he notes that pro-Russian hackers have a history of using cyber attacks to compromise elections. In November a pro-Moscow hacking collective that calls itself CyberBerkut attacked the Ukraine’s national election commission, destroying software, disabling hard drives, undoing router settings and erasing backups. The election went forward but clean up was costly.
Russian and the Ukraine have been engaged in a sometimes shooting war over portions of eastern Ukraine, which is controlled by militants who have Russian backing.
Ukraine violence ramps up as efforts to end separatist rebellion stall
The FBI said in a statement that it was investigating the intrusion into the DNC's computer network and was "working to determine the nature and scope of the matter."