Ever since last Friday’s bombshell reports that the CIA believes Russian hackers penetrated both Democratic and Republican computer networks before the election, GOP officials have vehemently denied that systems linked to the Republican National Committee were hacked. By contrast, Democratic officials acknowledged last summer that Russian hackers had gained access to the Democratic National Committee, the Democratic Congressional Campaign Committee, and the email account of John Podesta, Hillary Clinton’s campaign chairman.
The reports, which describe a CIA assessment that the Kremlin interfered with the U.S. election in order to help Donald Trump win, have sparked a fierce divide between President-elect Trump and some Republican leaders in Congress. Trump has dismissed the reports, while Senators John McCain and Lindsey Graham have joined Democrats in calling for investigations into the hacking. Among the most hotly debated details is that Russian agents hacked the RNC’s computer systems but “did not release whatever information they gleaned from the Republican networks,” per the New York Times.
“Number one, the RNC was not hacked,” said Reince Priebus, chairman of the RNC and President-elect Donald Trump’s pick for chief of staff, on NBC’s Meet the Press Sunday. “I don’t know of any employee, on any of their own Gmail accounts, that was hacked.”
Priebus said in the televised interview that the RNC worked with the FBI after well-publicized digital attacks on the Democratic National Committee this year, and that the FBI found no evidence the RNC’s systems were compromised. Through a spokeswoman, the RNC declined to provide Fast Company with additional information about the steps it took to determine its systems were hacker-free. According to a Friday report in The Wall Street Journal citing sources close to the investigation, experts found that the RNC’s filters blocked phishing emails targeting a former staffer and believed that the hackers made a less determined effort to breach the RNC’s systems.
Still, cybersecurity experts say it’s generally difficult for an organization to definitively determine it hasn’t been hacked and even to fully prevent attacks by sophisticated adversaries.
“Especially when a state-level adversary is going after an organization, there’s very little you could do to prevent that,” says Danny Rogers, CEO of security firm Terbium Labs.
Still, neither federal officials nor outside researchers have yet to publicly produce any evidence that RNC systems were penetrated, though Graham said in a Wednesday CNN interview that his own campaign attack was hacked by Russians.
A few hundred relatively innocuous emails appearing to be linked to state-level Republican organizations and campaign workers for Graham and fellow senator John McCain appeared online in data dumps linked to Russian state-sponsored hackers earlier this year, but there’s been no evidence that the emails came from a system linked to national Republican organizations. Other Republican-linked information, like personal data about Republican primary delegates and Trump Organization staff, also appeared online earlier this year, says Rogers, though he says there’s also no indication that it came from a breach of the RNC’s network rather than from other sources.
Publications including The New York Times reported that CIA officials believed Russian hackers had deliberately withheld information about Republican campaigns while leaking Democratic Party data in order to boost President-elect Donald Trump’s campaign.
Multiple news outlets reported Wednesday that intelligence officials believe Russian President Vladimir Putin personally directed how some Democratic Party information was leaked. While the White House stopped short of directly accusing Putin of directing the attack, deputy national security advisor Ben Rhodes told MSNBC it’s unlikely something “of this consequence” would take place without Putin’s knowledge. Russian Foreign Minister Sergei Lavrov has dismissed the accusations against Putin, according to Reuters.
The RNC hasn’t identified any security firms involved in securing its email systems or certifying them as free from breaches. But senior staff at a multiple companies involved in securing digital systems used for this summer’s Republican National Convention told Fast Company they saw no sign of targeted, sophisticated attacks on convention networks, though the companies weren’t directly involved with other RNC-related systems outside the convention.
“We didn’t see anything that we felt was a nation-state adversary working in a very sophisticated manner,” says Katherine Gronberg, vice president of government affairs at security firm ForeScout. “We didn’t see evidence of something that we thought, just from our experience, could be attributed to one particular country or actor or group, like these groups in Russia.”
Nor, says CEO Vince Crisler of Dark Cubed, did the companies securing convention systems hear at the time of any such attacks on other Republican Party computers.
“I know from all our interactions with them they have been engaged and proactive on this issue,” Crisler says of the RNC.
Trump and some of his political allies have repeatedly questioned the reported assertions by federal intelligence agencies and outside analysts that Russian hackers were responsible for election-related hacks. He has also questioned the ability of analysts to determine who was responsible for a cyberattack after it’s taken place.
“Unless you catch ‘hackers’ in the act, it is very hard to determine who was doing the hacking,” Trump wrote in a Monday tweet. And John Bolton, considered a likely Trump nominee for deputy secretary of state, even suggested election-related hacks could be a “false flag” attack, deliberately crafted by another country’s intelligence agents to implicate Russia.
Yet experts say it’s often quite possible to determine who’s responsible for a cyberattack based on digital clues left behind. “You could say hey, we have seen this code somewhere else or similar code and it was known to be used by this criminal group, so we can make the link,” says Chenxi Wang, chief strategy officer at security firm Twistlock. Or, she says, compromised computers may connect to servers or other internet resources known to be connected with particular hacker groups.
Those sorts of clues were how security company CrowdStrike, which investigated the DNC breach, was able to identify Russian groups dubbed Fancy Bear and Cozy Bear as having accessed the network.
Online accounts at URL shorteners that were evidently used in targeted phishing attacks on some Democratic Party officials were also used for months prior to those attacks to attack political figures in Russia and Ukraine, consistent with Russian involvement, according to cybersecurity firm SecureWorks. That makes a false flag operation less likely, since another spy organization would be less likely to spend months of work attacking targets in the former Soviet countries only to frame Russia, says SecureWorks senior security researcher Phil Burdette.
“We certainly considered that possibility,” he says. “If you’re an intelligence service, at the end of the day you have timelines and you have budgets in which you have to execute.”
Experts from security company ThreatConnect have similarly said DC Leaks, a site used to leak data tied to the Hillary Clinton campaign and the emails taken from Republican operatives, appears to be tied to Fancy Bear. That implies that even if the national party did indeed evade the pre-election wave of cyberattacks, Russian hackers still managed to grab some internal messages from Republican campaign operations.
“The DCLeaks website almost certainly was set up to be used as a public mouthpiece specifically to leak documents gleaned from Fancy Bear operations, as we assessed back in August,” ThreatConnect senior intelligence researcher Kyle Ehmke wrote in an email response to questions. “We have seen no indication that DCLeaks has hosted information garnered through non-Fancy Bear operations.”