President-elect Donald Trump has recently questioned: 1) President Obama's finger pointing at the Russians for election-related cyberattacks; and 2) the current media and pundit frenzy alleging a Russian cyber-strike targeting Secretary Hillary Clinton in order to assure a Trump presidency. President-elect Trump plans to press U.S. intelligence agencies to defend their conclusions, stating,
“I know a lot about hacking. And hacking is a very hard thing to prove. So it could be somebody else. And I also know things that other people don’t know, and so they cannot be sure of the situation.”
Having worked since 1995 as a first-responder to cyber-attacks, including serving 11 years as Chief of the SEC's Office of Internet Enforcement, I wholeheartedly agree with President-elect Trump. His skepticism is not only appropriate and warranted -- it's spot-on.
Official U.S. Statements About Russian Hacking of U.S. Election
Despite countless inflammatory headlines about Russian election hacking, there exist only two official U.S. statements specifically addressing the facts of recent election-related hacking incidents. The first is the October 7, 2016 Joint Statement from the Department of Homeland Security and Office of the Director of National Intelligence on Election Security (the "Joint Statement"). The second is the December 29, 2016 Joint Analysis Report of the Department of Homeland Security and the Federal Bureau of Investigation, entitled, "GRIZZLY STEPPE – Russian Malicious Cyber Activity" (the "JAR").
Both government statements are curt, vague, opaque and miles away from being concrete -- and both raise far more questions than they answer.
The Joint Statement
The Joint Statement takes a cautious approach to attributing, or assigning a motive to, whoever "directed the recent compromises of e-mails from U.S. persons and institutions, including from US political organizations." The Joint Statement states that the hacks:
“. . . are consistent with the methods and motivations of Russian-directed efforts. These thefts and disclosures are intended to interfere with the US election process. Such activity is not new to Moscow — the Russians have used similar tactics and techniques across Europe and Eurasia, for example, to influence public opinion there. We believe, based on the scope and sensitivity of these efforts, that only Russia’s senior-most officials could have authorized these activities.”
Announcing that we think the hacks “are consistent with the methods and motivations of Russian-directed efforts” falls far short of a legitimate prosecutorial conclusion based upon actual evidence of Russian culpability and attribution. The Joint Statement's authors are clearly hedging their bets, which is exactly what any reasonable cyber-investigator would do under the circumstances.
After all, attributing disparate attack vectors to the same culprit is always speculative. The entire virtual criminal design could be a ruse, where one country’s cyber gang co-opts the techniques of another country’s cyber gang to confuse or dissemble.
Moreover, even in its most favorable light, the Joint Statement does not support the conclusion that the Russians were trying to help Trump and hurt Hillary -- as opposed to just doing what most hackers do, i.e., rummaging voraciously and randomly through whatever data they can access, and leaving it to their patrons to determine what is, and is not, of use.
Interfering with the election process is only one of many possible motives behind cyber-attacks. Financial crime, insider trading, intellectual property thievery, trade secret pilfering, extortion, ransomware, governmental disruption, market manipulation (just to name a few) are all potential goals at the outset of a hack.
Cyber-attackers invade systems and networks, frantically grab every data-file they can and then continue mounting their virtual crime sprees wherever that stolen data may lead them -- disrupting organizations, causing damage and wreaking havoc all along the way. Make no mistake -- the 21st Century hacker's mantra is to shoot first and ask questions later.
The JAR
Though more than half of the JAR is just a list of suggested preventive cybersecurity measures, the JAR is still an important report and a critical resource for any analysis of the Russian election rigging allegations -- both for what it does say and for what it doesn't say. Here is a play-by-play of its deconstruction:
- Attribution. The JAR is the first official government statement attributing certain politically-related malicious cyber activity to specific countries or threat actors, specifically, "to Russian government and civilian intelligence agencies."
- The DNC Cyber-Attacks. The cyber-attacks upon the Democratic National Committee ("DNC") apparently began with a 2015 cyber-attack upon the U.S. government. This is typical of cyber-attacks -- where the sole goal/motive is data exfiltration, leaving it until afterwards to determine how to take advantage of, or profit from, that exfiltrated data. Specifically, the JAR notes that in the summer of 2015, what looks like a Russian spear-phishing campaign targeted over 1,000 recipients, including U.S. government employees. Apparently, at least a few of these spear-phishing attacks hit pay dirt, and in the course of that campaign the attackers somehow "successfully compromised" a "U.S. Political Party." (The JAR does not identify the "Political Party" as the DNC.)
- Multiple Attacks Continue. The JAR describes a second attack upon the same "U.S. Political Party," which occurred in the Spring of 2015, and states that, "Actors likely associated with [Russia] are continuing to engage in spear-phishing campaigns, including one launched as recently as November 2016, just days after the U.S. election."
- APT Attacks. The JAR acknowledges the lengthy history of state-sponsored Advanced Persistent Threat or so-called APT attacks against every type of U.S. entity, including a range of foreign governments initiating "spear-phishing campaigns targeting government organizations, critical infrastructure entities, think tanks, universities, political organizations, and corporations." Given certain common indicators of compromise identified by the DHS and FBI, the JAR concludes that the perpetrators of the hacks upon the "U.S. Political Party" employed the same modus operandi used by purported Russian groups that have "historically targeted government organizations, think tanks, universities, and corporations around the world."
- The Leaks of Exfiltrated Emails and Other Data. The JAR ambiguously and blithely states that, "The U.S. Government assesses that information was leaked to the press and publicly disclosed." The JAR (whether clumsily or intentionally) employs the passive voice to describe the leak -- and does not state who leaked the information; how the information was leaked; or any other inculpatory details.
- The Podesta Emails. The JAR does not state or imply that the attacks upon the "U.S. Political Party" were perpetrated by the same attackers who somehow obtained the emails of Clinton campaign head John Podesta. In fact, the JAR makes no specific mention of the Podesta hacks.
- Trump Over Clinton. Like the Joint Statement, the JAR provides no evidence and makes no mention of any plot, effort or other scheme to steal the election from Hillary Clinton and favor Donald Trump. Rather, the JAR cites only the usual over-arching objective behind most state-sponsored APT attacks, i.e., to disrupt and/or damage U.S. institutions and organizations.
Cybersecurity Experts Disagree (Often)
Like medical experts who disagree about a diagnosis or treatment, cybersecurity experts are notorious for disagreeing about attribution conclusions gleaned from digital forensic remnants, residue, fragments and artifacts.
For instance, the firm investigating the DNC cyber-attacks, CrowdStrike, a highly reputable and well-respected data breach response firm, believes that "Fancy Bear," a hacking group with purported ties to the Russian government, likely orchestrated the DNC hack -- and therefore the DNC hack was orchestrated by the Russians.
Like most digital forensic experts, CrowdStrike seems to have based its conclusions upon technological correlations and shared modus operandi of hacker techniques, a common investigative method employed by digital forensic investigators to identify online intruders. Along those lines, on December 22, 2017, the Washington Post reported that:
The firm CrowdStrike linked malware used in the DNC intrusion to malware used to hack and track an Android phone app used by the Ukrainian army in its battle against pro-Russia separatists in eastern Ukraine from late 2014 through 2016.
CrowdStrike found that a variant of the Fancy Bear malware that was used to penetrate the DNC’s network in April 2016 was also used to hack an Android app developed by the Ukrainian army to help artillery troops more efficiently train their antiquated howitzers on targets.
The Washington Post reports further details about Fancy Bear:
While CrowdStrike, which was hired by the DNC to investigate the intrusions and whose findings are described in a new report, had always suspected that one of the two hacker groups that struck the DNC was the GRU, Russia’s military intelligence agency, it had only medium confidence. Now, said CrowdStrike co-founder Dmitri Alperovitch, “we have high confidence” it was a unit of the GRU. CrowdStrike had dubbed that unit “Fancy Bear.”
However, other cybersecurity experts would disagree with CrowdStrike. Security researcher Jeffrey Carr recently pointed out that a 2014 FireEye report on Fancy Bear, which links Fancy Bear to the Russian government, has significant credibility issues:
To my surprise, the report’s authors declared that they deliberately excluded evidence that didn’t support their judgment that the Russian government was responsible for [Fancy Bear’s] activities:
“[Fancy Bear] has targeted a variety of organizations that fall outside of the three themes we highlighted above. However, we are not profiling all of [Fancy Bear’s] targets with the same detail because they are not particularly indicative of a specific sponsor’s interests.” (emphasis added)
That is the very definition of confirmation bias. Had FireEye published a detailed picture of Fancy Bear’s activities including all of their known targets, other theories regarding this group could have emerged; for example, that the malware developers and the operators of that malware were not the same or even necessarily affiliated.
The notion that [Fancy Bear] has a narrow focus on U.S. political targets is also undermined in a SecureWorks research paper, which shows that the [Fancy Bear] hackers have a wide variety of interests: 10 percent of their targets are nongovernment organizations, 22 percent are journalists, 4 percent are aerospace researchers, and 8 percent are within the “government's supply chain.” SecureWorks concludes that only 8 percent of Fancy Bear’s targets are “government personnel” of any nationality.
According to Carr, “it’s an old assumption going back years to when any attack against a non-financial target was attributed to a state actor.” Without that premise, the only logical conclusion is that some email accounts at the DNC appear to have been broken into by someone, and perhaps they speak Russian. Left ignored is the mammoth difference between Russians and Russia.
Some experts even go so far as to pit themselves directly against the JAR. Take famed data security pioneer John McAfee, the developer of the first commercial antivirus program. McAfee has been a major player in the cybersecurity industry for the past 50 years and does not believe that the Russians were behind the hacks on the DNC, John Podesta’s emails and the Hillary Clinton presidential campaign.
"While some of those IP addresses are from Russia, the majority are from all over the world, which means that the hackers constantly faked their location . . . if it looks like the Russians did it, then I can guarantee you it was not the Russians . . . [The JAR] is a fallacy . . . hackers can fake their location, their language, and any markers that could lead back to them. Any hacker who had the skills to hack into the DNC would also be able to hide their tracks . . ."
The entire election hacking activities could also be some sort of "false flag" operation by someone else with extremely deep pockets and a political agenda. Along these lines, McAfee derides recent investigative techniques behind conclusions of Russian attribution, stating:
“If I was the Chinese and I wanted to make it look like the Russians did it, I would use Russian language within the code, I would use Russian techniques of breaking into the organization . . . in the end, there simply is no way to assign a source for any attack.”
Meanwhile, WikiLeaks' founder Julian Assange has insisted that the Russian government is not the source of the Podesta and DNC e-mails, implying that the source is instead a disgruntled DNC or other Democratic operative.
Fancy Bear, What Will You Wear?
What does the public know for certain about Fancy Bear, the group also known by a dozen other researcher-assigned names such as APT 28, Tsar Team, Sofacy, Strontium and Pawn Storm? Not much.
Despite being one of the most reported-on groups of active hackers, there is very little any researcher can say with absolute certainty about Fancy Bear. No one knows, for instance, how many hackers are working regularly within Fancy Bear, or how they organize their hacking squads. No one even knows if Fancy Bear is based in one city or scattered in various locations across Russia or the world. Researchers don't even know what the group calls itself.
No confirmed Fancy Bear hacker has ever actually gotten caught. Fancy Bear has evolved into a modern-day bogeyman -- powerful and ubiquitous, nowhere and everywhere.
A Quick Review of Reported Digital Forensic Evidence (in Plain English)
Some of the cited circumstantial digital evidence relating to the DNC hacks, while important and useful, also raises some fairly obvious caveats and questions, including:
- The attacker or attackers registered a deliberately misspelled domain name used for email phishing attacks against DNC employees, connected to an IP address associated with Fancy Bear. (But aren't misspelled domains a cornerstone of phishing attacks all over the world?);
- The actual clock times of the phishing schemes correlated with "business hours" in Russia and St. Petersburg time zones. (But couldn't Russian hackers just as easily orchestrate their schemes from a different time zone or digitally forge time-stamps? Also, don't hackers notoriously work at all hours of the day and night from any location they prefer?);
- Malware found on the DNC computers was programmed to communicate with an IP address associated with Fancy Bear. (But would a sophisticated state sponsor of cyber-attacks be so incompetent as to use an IP address tracing back to their homeland?);
- The DCLeaks.com domain was registered by a person using the same email service as the person who registered a misspelled domain used to send phishing emails to DNC employees. (But are the poor spelling habits of foreign spies truly evidence of their culpability and motive?);
- Based on some sort of linguistic analysis, experts believe that Guccifer 2.0, the purported Romanian hacker who loudly and boldly claimed responsibility for the DNC hacks, was actually a Russian agent, posing as a Romanian in order to cover up Russia's own hack and spread disinformation. (But other experts disagree, including M.J. Connolly, a professor of Slavic and Eastern European linguistics at Boston College, who says that many of Guccifer 2.0’s language traits are not Russian and that Guccifer 2.0 was more likely Moldovan. Whatever the origins of Guccifer 2.0, isn't this evidence better suited for a Robert Ludlum spy novel or a bad episode of The Americans, rather than a bona-fide government intelligence conclusion?);
- The code in malware and tools of the DNC hacks appears to have been regularly and professionally updated and maintained while utilizing a sophisticated platform, suggesting a Russian operation funded to provide long-term data espionage and information warfare capabilities. (But isn't it common practice for hacking coders to update their software and tool kits as defenses change, i.e., isn't that a prerequisite for all kinds of successful hacking?);
- Metadata in a file leaked by “Guccifer 2.0” shows it was modified by a user called “Felix Edmundovich,” a reference to the founder of a Soviet-era secret police force. Another document contained Cyrillic metadata indicating it had been edited on a computer with Russian language settings. (But is this how a sophisticated government spy ring behaves -- sloppily leaving behind blatant, inculpatory evidence in plain view?);
- Spear-phishing, the original hacking method used against the DNC, is the same method Fancy Bear uses to initiate its hacking operations. (But spear-phishing is used in some form by just about every hacking group, because it is proven to be the most effective way to inject malware on to a network in order to obtain command and control capabilities.);
- Some of the phishing emails were sent using Yandex, a Moscow-based webmail provider, which indicates Russian involvement. (But Yandex is the Russian equivalent of Google -- is its use in the DNC hack truly that compelling?); and
- A bit.ly link believed to have been used by Fancy Bear in the past was also used in the spear-phishing scheme that purportedly tricked John Podesta into giving up his Gmail password. (But does Fancy Bear own some sort of criminal patent on their malware, so other hackers cannot ever use their tools and techniques?)
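The time-zone point in the second caveat above can be made concrete. The following is an added example, not part of the original column or any cited report: it takes a constructed set of phishing send times (hypothetical data), assumes a 09:00-18:00 Monday-to-Friday working day, and asks which whole-hour UTC offsets would make those times look like "business hours" activity. Several neighbouring offsets fit the same data equally well, which is exactly the caveat the bullet raises.

```python
"""Business-hours fit of event timestamps across candidate UTC offsets.

Shows why "the phishing times line up with Russian business hours"
constrains the sender's location only weakly: offsets a few hours either
side of the favoured one usually fit the same timestamps about as well.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample of phishing send times in UTC (hypothetical data,
# not the timestamps from the JAR or from any real investigation).
SEND_TIMES_UTC = [
    "2016-03-21 06:05", "2016-03-21 07:40", "2016-03-21 08:15",
    "2016-03-22 09:55", "2016-03-22 10:20", "2016-03-22 11:10",
    "2016-03-23 12:30", "2016-03-23 13:45",
    "2016-03-24 06:05", "2016-03-24 08:50",
    "2016-03-25 10:10", "2016-03-25 12:30",
]

# Assumed local office hours: 09:00 <= t < 18:00, Monday to Friday.
WORK_START, WORK_END = 9, 18


def business_hours_fit(times_utc, offset_hours):
    """Fraction of events landing in weekday office hours at a given UTC offset."""
    tz = timezone(timedelta(hours=offset_hours))
    hits = 0
    for stamp in times_utc:
        utc = datetime.strptime(stamp, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)
        local = utc.astimezone(tz)
        if local.weekday() < 5 and WORK_START <= local.hour < WORK_END:
            hits += 1
    return hits / len(times_utc)


def consistent_offsets(times_utc, threshold=0.9):
    """All whole-hour UTC offsets whose office hours explain >= threshold of events."""
    return [off for off in range(-12, 15)
            if business_hours_fit(times_utc, off) >= threshold]


def fit_table(times_utc):
    """Fit for every whole-hour offset, to see how flat the peak really is."""
    return {off: round(business_hours_fit(times_utc, off), 3)
            for off in range(-12, 15)}


if __name__ == "__main__":
    for off, frac in fit_table(SEND_TIMES_UTC).items():
        print(f"UTC{off:+03d}  {frac:6.1%}  {'#' * int(frac * 20)}")
    # With this sample UTC+3 (Moscow) fits perfectly, but so does UTC+4,
    # and UTC+5 misses only one event; the data alone cannot separate them.
    print("offsets consistent at 90%:", consistent_offsets(SEND_TIMES_UTC))
```

Any attacker who shifts working hours or schedules sends can flatten this peak entirely, so the fit is at most a soft prior, not evidence of location.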
It is now widely accepted that despite government claims to the contrary: 1) Saddam Hussein was never building weapons of mass destruction (as initially asserted by the Bush Administration); and 2) the Benghazi embassy attack was not because of a YouTube video (as initially asserted by the Obama administration). Whether based upon sophisticated guesswork, concrete intelligence sources or a little of both, experts in each U.S. administration simply got it wrong.
Let's also not be naive. Recalibrating raw intelligence data for political purposes has always been tempting for Republicans and Democrats alike. Even if made entirely in good faith, political and ideological motives undoubtedly lurked in the shadows of the WMD and Benghazi intelligence findings.
In the end, the Obama administration may be right about the Russians' cyber-attacks on election-related organizations. Russian-sponsored cyber-terrorism and data thievery are a major global problem -- and have been for years. Indeed, legions of soldiers from countries across the globe, including Russian cyber-troops, wake up each morning with the sole objective of breaking into American computer systems and stealing data.
But for the time being, given the inherent subjectivity of intelligence regarding cyber-attacks and the differing interpretations of malware reverse engineering and other circumstantial digital evidence, a healthy dose of skepticism about Russian attribution still makes sense.
As to whether the Russians somehow cyber-hijacked the election from Hillary Clinton to prop up Donald Trump -- that is a completely different story. There is not a scintilla of official government evidence to support such an outrageous claim. It is a wholly unsubstantiated theory and my take is that mere skepticism is not enough. Flat out rejection may be in order.
Under any circumstance, President-elect Donald Trump is quite right to engage in his own de novo review of government intelligence analytics regarding Russian hacking. It is what Americans expect every Commander-in-Chief to do before making major foreign policy decisions and escalating military tensions. In fact, President-elect Trump's approach is not only smart, courageous, logical and scientific -- it is above all else, highly presidential.