As the FBI confirmed that it’s investigating the recent hack that led to last week’s disclosure by WikiLeaks of tens of thousands of Democratic National Committee emails, multiple leading cybersecurity firms are more convinced than ever that the hack was the work of the Russian government.
The hack isn’t the first reported attack by state-sponsored hackers on a government or political party: Germany has previously blamed Russian hackers for a digital attack on its parliament and U.S. officials have alleged that hackers linked to the Chinese government stole documents from both major presidential campaigns in 2008.
But, experts say, this is the first time that such documents have been released to the public in a possible attempt to influence the result of a U.S. election.
“We’ve never seen anything like this here in the States—nothing like this on this scale,” says Rich Barger, chief intelligence officer at security firm ThreatConnect. “I think what we saw on Friday is a game changer.”
Barger and others pointed at evidence first analyzed in June by security firm CrowdStrike, hired by the DNC to investigate the breach, which indicated that two Russian government hacking groups dubbed Cozy Bear and Fancy Bear had managed to penetrate the DNC’s systems.
“Both adversaries engage in extensive political and economic espionage for the benefit of the government of the Russian Federation and are believed to be closely linked to the Russian government’s powerful and highly capable intelligence services,” the company said in June.
CrowdStrike and other firms, including Fidelis Cybersecurity and Mandiant, have indicated that malware found on DNC computers appears similar to that found in other attacks attributed to the Bear groups. Thomas Rid, a professor of security studies at King’s College in London, also wrote in Motherboard that some of the malware included references to an IP address belonging to a remote control server linked to the attack on the German legislature—something Rid compared to an identical fingerprint appearing in two burglarized buildings.
A CrowdStrike representative declined to comment on the matter beyond what the company has already released.
While the ultimate effects of the hack and any additional disclosures may not be known at least until November’s election, last week’s leak has already managed to stir up plenty of discord in the Democratic Party. After leaked emails revealed apparent hostility by DNC higher-ups toward the candidacy of Vermont Senator Bernie Sanders, leading to the resignation of DNC chair Debbie Wasserman Schultz, The Daily Beast reported that U.S. officials have privately speculated that the attacks were an effort by Vladimir Putin’s regime to help Republican nominee Donald Trump win the White House. Representatives from Democratic candidate Hillary Clinton’s campaign were quick to point out the leak came soon after Trump’s campaign apparently insisted on changes to the Republican platform seen as favorable to Russia, something the Trump campaign derided as “nonsense.”
And while some DNC documents were purportedly leaked by a self-described Romanian hacker using the name Guccifer 2.0, security experts have argued that inconsistencies in the hacker’s story suggest that Guccifer was himself a fiction created by the real attackers.
The hacker claimed that he was able to gain access to the DNC network by reverse-engineering code from political software vendor NGP VAN, but it’s highly unlikely that an outsider would be able to get access to the company’s code, since it’s a cloud-based service made available to political campaigns, not downloadable binary software, according to a ThreatConnect blog post. And, after conducting a Twitter chat interview with the alleged hacker, a journalist from Motherboard reported that his grasp of Romanian appeared unusually shaky to native speakers.
Russia has previously been accused of fabricating bogus organizations to take credit for state-sponsored hacks, including a group called the Cyber Caliphate that attacked U.S. and U.K. government computers and a French television network, ThreatConnect says.
“Here’s what we think is going on: Guccifer 2.0 is leaking purported DNC documents of minimal value to Russian intelligence for possible political points in the U.S. and Russian propaganda at home about the failings of democracy and the West,” the company wrote.
Still, not every security expert is entirely convinced that Russia’s behind the hack: Jeffrey Carr, the founder of security firm Taia Global and the author of the book Inside Cyber Warfare, argued in a Medium post that the evidence just isn’t sufficient to conclusively blame the attack on the Russian government.
“There is only circumstantial evidence which these firms are stamping their imprimatur on as their best guess,” he said in an interview with Fast Company.
While he says it’s certainly possible that the Russian regime is, in fact, behind the hack, he argues that it’s also possible that some other party got ahold of the same malware previously used by Russian agencies, or even took steps to make it seem like the Russians are to blame. Finding a Russian-made rifle at a murder scene wouldn’t automatically imply that the killer was Russian, he argues.
“Do you automatically say it must be a Russian shooter or it must be Mr. Kalashnikov himself?” he asks, referring to the inventor of the AK-47.
But, other experts argue, it’s unlikely that attackers not affiliated with the Russian state would be able to get access to the particular crafted malware tools its agents typically deploy. Even if they could get access to the software used to infect computers, they likely wouldn’t know how to control its obfuscated code or have access to the server code with which it communicates, says Barger.
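The attribution argument above rests on overlapping artefacts, such as a command-and-control IP address that Rid found in both the DNC malware and the Bundestag attack, weighed against Carr’s objection that tooling and infrastructure can be reused or planted by someone else. The following added example (not code from the article or from any of the firms it quotes) scores that kind of overlap between two incident reports; the indicator values, the weights and the threshold are all constructed assumptions.

```python
"""Score infrastructure/tooling overlap between two incident reports.

Constructed example: indicator values are made up (RFC 5737 test addresses,
fake hashes) and stand in for the artefacts the article describes, such as a
C2 IP address that appears in two separate intrusions.
"""

# Analyst assumption: a reused C2 server is a stronger link than a shared
# malware family, whose builder or samples may have leaked or been copied.
WEIGHTS = {"c2_ip": 3, "c2_domain": 3, "sample_sha256": 2, "malware_family": 1}

# Constructed indicators from two hypothetical reports.
REPORT_A = {
    "c2_ip": {"192.0.2.10", "192.0.2.44"},
    "c2_domain": {"update-check.example"},
    "sample_sha256": {"a1" * 32},
    "malware_family": {"x-agent-like"},
}
REPORT_B = {
    "c2_ip": {"192.0.2.44", "203.0.113.7"},
    "c2_domain": {"cdn-sync.example"},
    "sample_sha256": {"b2" * 32},
    "malware_family": {"x-agent-like"},
}


def shared_indicators(a, b):
    """Map indicator type -> sorted values present in both reports."""
    return {t: sorted(a.get(t, set()) & b.get(t, set()))
            for t in WEIGHTS if a.get(t, set()) & b.get(t, set())}


def overlap_score(a, b, public_before=frozenset()):
    """Weighted overlap. An indicator that was already public before the later
    incident counts half: a third party could have reused or planted it (the
    'Russian rifle at a murder scene' objection)."""
    score = 0.0
    for t, values in shared_indicators(a, b).items():
        for v in values:
            score += WEIGHTS[t] * (0.5 if v in public_before else 1.0)
    return score


def assess(a, b, public_before=frozenset()):
    """Classify the link; the threshold of 4 is an assumption for this example."""
    s = overlap_score(a, b, public_before)
    if s >= 4:
        return "strong"
    return "circumstantial" if s > 0 else "none"
```

Running `assess(REPORT_A, REPORT_B)` with and without the shared IP listed in `public_before` shows the same raw overlap yielding a different verdict, which is the crux of the disagreement the article reports.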
The Russian government has publicly denied being connected to the attack, suggesting in what appeared to be a mocking tone that the DNC may simply have had weak passwords, letting even untrained attackers in.
And while those comments seem intended more as taunts, the ultimate lessons from the DNC attack seem to be the same advice typically given after security breaches: Make sure employees are trained to resist phishing emails, a primary vector for malware, and avoid writing anything in email you wouldn’t want made public.
“If they aren’t happy putting it down in writing, then it’s probably the wrong approach to something, as was really evidenced by this leak,” says Peter Bauer, cofounder and CEO of email security company Mimecast. “This wasn’t what we would expect from the DNC, and hence the resignation of the person at the top.”