Criminal Justice & the Rule of Law Cybersecurity & Tech Democracy & Elections

On the Need for Official Attribution of Russia’s DNC Hack

Matt Tait
Thursday, July 28, 2016, 1:00 AM

Yesterday, Sen. Dianne Feinstein and Rep. Adam Schiff—Vice Chair of the Senate Select Committee on Intelligence and Ranking Member of the House Permanent Select Committee on Intelligence, respectively—called on the Obama administration to consider declassifying and releasing any intelligence community assessments on the attribution and motives of the DNC hackers.

I wholeheartedly agree.

Published by The Lawfare Institute
in Cooperation With

Yesterday, Sen. Dianne Feinstein and Rep. Adam Schiff—Vice Chair of the Senate Select Committee on Intelligence and Ranking Member of the House Permanent Select Committee on Intelligence, respectively—called on the Obama administration to consider declassifying and releasing any intelligence community assessments on the attribution and motives of the DNC hackers.

I wholeheartedly agree.

The intelligence community has powers and capabilities that far exceed that of the private sector for attribution, and do not suffer from the same conflicts of interest. Whereas private sector attribution tends to rely on technical forensics of the malware and infrastructure used by the hackers, the IC is able to draw upon a much more diverse set of capabilities—such as financial intelligence, human intelligence, and counter-intelligence—to bring together a wider set of facts with narrower bands of uncertainty than the private sector would normally have at its disposal.

Making a public statement on behalf of the United States that the intrusion is (or is not) directed by the Russian government would be a huge step in the right direction towards a formal response.

The DNC leaks, if they were caused by the Russian government, are a big deal regardless of one's political persuasion. If this hack and leak are really a Russian intelligence operation, they would be an intentional bulk leak of data by a state actor collaterally containing large quantities of private citizens’ personally identifiable information. It also matters if the purpose of the hack was to influence the election. It is thus important to distinguish the level of confidence concerning who’s behind the hack and the confidence we have in that actor's motive for doing so.

We need to proceed with care and precision in the response to this attack, not least because it will set the normative precedent for responses to attributed-but-denied collateral mass-leaks of private citizen data by foreign governments in the future. If future similar leaks are to be properly discouraged, we need to carefully consider whether the hackers are really the Russian government; if so, what part or parts of the DNC leak operation we fundamentally object to; and finally what domains and what scale of response is proportionate and appropriate to respond to the attack.

With that in mind, here are some of my thoughts on the initial DNC hack; why I was initially very sceptical of CrowdStrike’s attribution; why the mass-leak of documents makes a big difference; what are—in my view—the best public-domain facts suggesting the DNC hackers are, in fact, Russian intelligence; and finally, what’s new about this leak and what types of response might be available to the administration to dissuade similar attacks in future.

* * *

About six weeks ago, on Tuesday June 14, the Washington Post ran a story on the DNC becoming the latest victim of state sponsored hacking.

The story didn’t strike me as particularly interesting at first. Shocking news: foreign intelligence agencies collect intelligence on politicians, and in the 21st Century they sometimes do so by hacking.

It was, to be sure, a vindication of something various intelligence and ex-intelligence officials had been saying for a while. Just a few weeks earlier, DNI Director Clapper had openly warned that foreign intelligence agencies were targeting and hacking the US political campaigns.

The claim that the groups were “after Trump opposition research” felt a lot like a clever political deflection at first: sure, the group probably stole the Trump opposition research, but that doesn’t mean it was the objective of the breach. Casting the hack as being about Trump’s affiliation to Putin rather being about the DNC being hacked for a year without noticing felt like good, old fashioned political deflection. As did the attribution to Russia.

A couple of years ago every breach was China. Hacked because your website was misconfigured? China. Forgot to install Windows Updates for two years and someone ran off with your customers’ data? Definitely Chinese nation state hackers. Oops, ran some malware that came in as an email attachment? Those clever PLA hackers have done it again!

The industry-standard attribution in the past to China, then briefly to Iran, then to NSA, and then to the “Cyber Caliphate”, and most recently with Russia’s APT28 is often ill-founded and self-serving. For victims, knowing that you were hacked because the attackers were sophisticated rather than because your defences are woefully inadequate helps you sleep at night (and defend against lawsuits). For professional threat intelligence companies, it is infinitely better for your company PR to loudly proclaim the sophistication of the intelligence agencies evicted from a client’s network than in admitting the compromise was because a user “enabled macros” on an unsolicited email attachment.

Threat intelligence companies also have a particularly infuriating habit of being very public with their conclusions, but very secretive about their methods, data, and even malware samples, which actively frustrates independent corroboration, and doesn’t inspire an enormous amount of confidence in their conclusions.

From a technical perspective, attribution can also be a distraction to technically defending networks. You don’t design networks to be secure against intrusions from Russia or from China specifically. You build networks to be secure against intrusions from anyone who’s unauthorized, regardless of their affiliation.

So when CrowdStrike published its technical analysis of the DNC hack and found not one, but two hackers on the network, both of whom were Russia, I was initially, let’s say, a little sceptical.

My read through of CrowdStrike’s blog post left me rather unimpressed with the supposed sophistication of the hackers. The malware was noisy, badly built, made basic encryption mistakes and had frankly rookie operational security errors. It’s tempting to think of nation-state hackers as hyper-sophisticated ultra-opsec aware spies, but it’s a view that rarely matches reality.

It’s worth noting, of course, that CrowdStrike’s analysis was of the APT29 (COSYBEAR) malware, not malware of the more famous APT28 (FANCYBEAR) variety. Sophisticated intelligence agencies often use unsophisticated “disposable implants” But the whole thing left me with a lingering feeling that the “Russia” attribution, while certainly plausible, remained unclear.

But then something crazy happened: Gawker published the opposition research.

The number of governments who would deeply like to know what the DNC (and, for that matter, the RNC) seniors are saying in private is pretty large. Understanding who’s influential in the party, what they’re saying behind closed doors and the relationships at the top makes it easier to influence a future president and the halo of advisors around the president, or at the very least, to plan ahead for possible US policy direction changes. That’s foreign intelligence 101.

But mass-leaking documents obtained via foreign intelligence to influence public opinion? That’s no longer run of the mill espionage, it’s an influence operation, and it caught my attention.

The metadata analysis I did on the leaked documents that day was almost by accident. I was actually looking for evidence of something much more frightening and which still keeps me up at night: What if the documents were mostly real, but had been surgically doctored? How effective would a carefully planted paragraph in an otherwise valid document be at derailing a campaign? How easily could Russia remove or sidestep an inconvenient DNC official with a single doctored paragraph showing “proof” of dishonest, unethical or illegal practices? And how little credibility would the sheepish official have in asserting that “all of the rest of the emails are true, but just not the one paragraph or email that makes me look bad”?

As it happens, I didn’t find any evidence of document tampering (although it is also impossible to prove the absence of such tampering), but I did find something unusual: the documents had auto-saved at some point while on the attackers’ network — most likely occurring while Microsoft Word was converting the documents to PDF. My analysis on Twitter from the time is Storified here:

One of the facts it turned up was that the hackers were opening the documents in a virtual environment configured in Russian, and that the username of one of the virtual computers in this environment was Фе́ликс Эдму́ндович — a reference to Felix Dzerzhinsky, a huge statue of whom stood in pride of place in the Lubyanka Square opposite KGB headquarters, now FSB headquarters, until 1991.

It’s an operational security failure by a group whose malware was riddled with other basic operational security failures. While amusing at first, the hackers’ attempts to address it in future leaks was so overt and ham-fisted that it just served to highlight the initial error.

But while the leak is quite a nice visual piece of evidence — it’s written in Russian and references the KGB after all — it’s not the main, or even a particularly significant reason in making me change my mind over whether the DNC hack was by Russian intelligence.

To me, there are three key facts in the public domain that strongly link the DNC hack to Russia, the first two of which are entirely non-technical.

The first fact is that the Guccifer 2 account, despite being ostensibly a lone Eastern European hacker, is totally out of character for lone hackers. For a start, most lone hackers show a huge sense of bravado and self-aggrandizement which is a role the Guccifer2 character acts very poorly. Even his hacker pseudonym “Guccifer2” references another hacker rather than choosing his own brand to operate under. Despite having his own outlet, Guccifer2 allowed his most impactful stolen documents to be laundered by another outlet, and stands idly by when that outlet spreads disinformation about his involvement.

Moreover, the quality of his English varies dramatically, even between sections of the same document when swapping between paragraphs that are more political to ones that are more technical, and he makes basic technical errors that sound an awful lot like a linguist misunderstanding a technical person, than a mistranslation. To top it all off, the hacker seems unable to explain how he hacked the DNC in any detail, and rather than bragging about how he technically hacked the DNC, he makes statements about it that make no technical sense.

In short, the notion that the hacker is an individual rather than an organization such as a foreign intelligence agency strains credulity beyond breaking point.

The second important fact is that the stolen documents were leaked en masse at all. There’s lots of capable foreign intelligence organizations that would plausibly hack the US to get dirt on senior Democrats, but mass-dumping stolen or intercepted political data to influence the public media has all the hallmarks of a Russian information influence operation. Other countries, of course, wouldn’t hesitate to use documents obtained via foreign intelligence for political advantage, or even maybe for HUMINT advantage, but mass-dumping intercepted documents is a Rubicon most foreign intelligence agencies simply do not cross.

The third fact is technical; uncovered by cybersecurity expert and author Thomas Rid, showing that the malware control servers used in the DNC hack are the same computers as the malware control servers used in the hack of the German Parliament a few years ago.

It’s an important link and one that’s hard to fake. It ties the DNC hack to a much larger series of hacks, including against NATO, Georgia, human rights and Russian military monitoring groups in Syria, ministries of foreign affairs in Europe, and so on. It’s also important because the Bundestag hack was attributed by the head of Germany’s BfV intelligence to be Russian intelligence.

In the game of attribution, there’s no such thing as “proof”; only a body of evidence that combine to form an overall assessment; but the link between the DNC malware servers and the Bundestag malware servers is about as close to “proof” as it comes.

The next question is this: If Russia did hack the DNC and pass their emails to Wikileaks, so what? Does it matter? This isn’t the first time and it won’t be the last in which Russia has used its intelligence agencies to covertly try to influence US politics. What’s new?

Two things are new.

First, unlike other interventions, this leak has caused a high degree of collateral loss of personally identifiable information of people unrelated to the target of the leak. The media spent a lot of time covering the emails that caused the DNC chair to resign, but considerably less attention to the spreadsheets of PII from democrat donors, or the names, addresses, phone numbers and affiliations of invitees to an LGBT reception held by the DNC. Another of the documents reference voicemails by a DNC staffer about her children going to the zoo, and another – a voicemail from a member of the public phoning a DNC staffer – has already led to harassment of that individual by groups on the Internet.

If the Russian government is intentionally collaterally mass-leaking private information on US citizens that’s kind of a big deal.

Second, the sheer audacity of the leak is noteworthy in and of itself. The hack had been publicly attributed to Russia by CrowdStrike and the DNC even before they began leaking documents. The badly-run disinformation operation using the “Guccifer 2” pseudonym backfired tremendously, turning an espionage operation where the link to Russia was a little shaky into an information influence operation affirmatively attributed to Russia by a much wider variety of private sector companies and experts with a much stronger body of evidence than had they never leaked documents in the first place.

But even then, the leaking did not—and still has not—stopped.

Do these changes to how Russia runs intelligence operations against the US matter? And if so, what is the correct response?

First things first. We need to ask serious questions about how the DNC got hacked for over a year by actually pretty unsophisticated malware, and other organizations need to take note of the answer. There is lots of evidence that foreign governments are hacking political parties, charities, NGOs, think tanks and so on, and this evidence is not new. Defending private sector organizations against foreign government cyber-attacks cannot fall solely at the feet of the federal government; private sector organizations need to pull their weight and defend their own networks seriously too.

But the DNC’s network security failures shouldn’t preclude a diplomatic response from the administration. How thin a veneer of deniability can Russia operate under before the United States becomes paralyzed and unable to respond? Does it matter if a foreign government is collaterally leaking personally identifiable information about voters? Will we stand idly by as a foreign government mass-leaks spreadsheets of donor financial information or the names, addresses and phone numbers of DNC LGBT supporters? Is it okay to let a foreign government interfere in a US election unchallenged? This is what’s at stake in Russia’s DNC hack.

The US has lots of political levers that it can utilize for a response. It does not need to respond in kind, and it does not need to respond in cyberspace. At the “light touch” end of the spectrum, the US government could simply put an official stamp on an attribution to Russia; an official “we see you, you’re not fooling anybody” statement to make a point.

More robust responses are also available. The US could name and indict the Russian intelligence officers that ran or authorized the leak. It could add GRU senior officials to the international sanction list. It could make public statements reaffirming the US’ commitment to NATO “in light of recent cyberattacks against the US”. It could declassify and publish evidence of Russian intelligence attacks on other nations. There are lots of options at the administrations’ disposal.

Perhaps the answer is to start small, but with the clear assertion that future leaks will receive escalating diplomatic responses.

But we should be under no illusions. The lack of a response is a decision as well, and a green light to using similar tactics in future. How—and if—we respond to this attack will set the tone for future cyberattacks and response for years to come.

Matt Tait is the Chief Operating Officer of Corellium. Previously he was CEO of Capital Alpha Security, a consultancy in the UK, worked at Google Project Zero, was a principal security consultant for iSEC Partners, and NGS Secure, and worked as an information security specialist for GCHQ.

Subscribe to Lawfare