Last week, German security officials said that Russia hacked secret German communications and provided them to Wikileaks (English translation).
But now, German officials say that the communications were likely leaked from an insider within the German parliament, the Bundestag (English translation).
Similarly, when a treasure trove of secret NSA tools were revealed, Russian hackers were initially blamed.
But it turns out that it was probably a leak by an NSA insider.
So claims that Russia is behind any specific hacking incident need to be taken with a grain of salt …
A group of high-level former American intelligence officials – including the man who designed the NSA’s global surveillance system (Bill Binney), a 27-year CIA officials who personally delivered the daily briefing to both Democratic and Republican presidents (Ray McGovern) , and others – say that the Democratic Party emails were not hacked, but were actually leaked by insiders.
A former British intelligence analyst and British Ambassador to Uzbekistan (Craig Murray) alleges that he personally met the leaker, and that it was an American working for the NSA.
But whether or not these American and British intelligence officials are right that the Democratic emails were leaked by insiders as opposed to hacked by Ruskies, the fact remains that the evidence for Russian hacking is very weak.
Initially, the main allegation for Russia hacking Democratic emails to throw the election for trump is that Wikileaks released Democratic – but not Republican – emails.
However, the RNC says that their cybersecurity stopped attempts to hack into their computers. If true, then it may be that the Dems were simply more careless than the GOP. Indeed, John Podesta fell for a basic phishing scam.
Moreover, it’s famously difficult to attribute the source of hacks.
A leading IT think tank – the Institute for Critical Infrastructure Technology – points out:
Malicious actors can easily position their breach to be attributed to Russia. It’s common knowledge among even script kiddies that all one needs to do is compromise a system geolocated in Russia (ideally in a government office) and use it as a beachhead for attack so that indicators of compromise lead back to Russia. For additional operational security, use publically available whitepapers and reports to determine the tool, techniques, and procedures of a well-known nation-state sponsored advanced persistent threat (APT), access Deep Web forums such as Alphabay to acquire a malware variant or exploit kit utilized in prolific attacks, and then employ the malware in new campaigns that will inevitably be attributed to foreign intelligence operations. Want to add another layer? Compromise a Chinese system, leap-frog onto a hacked Russian machine, and then run the attack from China to Russia to any country on the globe. Want to increase geopolitical tensions, distract the global news cycle, or cause a subtle, but exploitable shift in national positions? Hack a machine in North Korea and use it to hack the aforementioned machine in China, before compromising the Russian system and launching global attacks. This process is so common and simple that’s its virtually “Script Kiddie 101” among malicious cyber upstarts.
***
Incident Response techniques and processes are not comprehensive or holistic enough to definitively attribute an incident to a specific threat actor from the multitude of script kiddies, hacktivists, lone-wolf threat actors, cyber-criminals, cyber-jihadists, hail-mary threats, and nation-state sponsored advanced persistent threats (APTs), who all possess the means, motive, and opportunity, to attack minimally secured, high profile targets.
***
Attribution might be reliable if the target is well-protected, if the target operates in a niche field, or if the malware involved in the incident is unique because one or more of those characteristics can be deterministic of the sophistication and resources of the threat actor. Attribution is less exact in the case of the DNC breach because the mail servers compromised were not well-secured; the organization of a few hundred personnel did not practice proper cyber-hygiene; the DNC has a global reputation and is a valuable target to script kiddies, hacktivists, lone-wolf cyber-threat actors, cyber-criminals, cyber-jihadists, hail-mary threats, and nation-state sponsored advanced persistent threats (APTs); and because the malware discovered on DNC systems were well-known, publicly disclosed, and variants could be purchased on Deep Web markets and forums.
***
Both APT28 and APT29 are well-known sophisticated threat actors that have been extensively profiled by cybersecurity firms such as FireEye. As a result, their profiles, operational behavior, tools, and malware could all be easily emulated by even an unsophisticated adversary in a campaign against an insecure target such as the DNC, that did not prioritize cybersecurity, cyber-hygiene, or system cyber resiliency. For instance, the cyber-criminal group Patchwork Elephant, known for adopting malware from other campaigns, could easily have also conducted the DNC/ RNC attacks by emulating APT28 and APT29.
James Carden – a former Advisor to the US-Russia Presidential Commission at the US State Department – writes:
Evidence of a connection between the Russian government and the hackers that are believed to have stolen the DNC/John Podesta e-mails remains illusory. Cyber-security expert Jeffrey Carr has observed that “there is ZERO technical evidence to connect those Russian-speaking hackers to the GRU, FSB, SVR, or any other Russian government department.” The very real possibility that non-state actors carried out the hack of the DNC has been conspicuously absent from the mainstream narrative of “Russian interference.”
Craig Murray notes:
Despite himself being a former extremely competent KGB chief, Vladimir Putin [is alleged to have] put Inspector Clouseau in charge of Russian security and left him to get on with it. The Russian Bear has been the symbol of the country since the 16th century. So we have to believe that the Russian security services set up top secret hacking groups identifying themselves as “Cozy Bear” and “Fancy Bear”. Whereas no doubt the NSA fronts its hacking operations by a group brilliantly disguised as “The Flaming Bald Eagles”, GCHQ doubtless hides behind “Three Lions on a Keyboard” and the French use “Marianne Snoops”.
What is more, the Russian disguised hackers work Moscow hours and are directly traceable to Moscow IP addresses. This is plain and obvious nonsense. If crowdstrike [the consulting firm hired by the Democratic National Committee] were tracing me just now they would think I am in Denmark. Yesterday it was the Netherlands. I use Tunnel Bear, one of scores of easily available VPN’s and believe me, the Russian FSB have much better resources. We are also supposed to believe that Russia’s hidden hacking operation uses the name of the famous founder of the Communist Cheka, Felix Dzerzhinsky, as a marker and an identify of “Guccifer2” (get the references – Russian oligarchs and their Gucci bling and Lucifer) – to post pointless and vainglorious boasts about its hacking operations, and in doing so accidentally leave bits of Russian language script to be found.
The Keystone Cops portrayal of one of the world’s most clinically efficient intelligence services is of a piece with the anti-Russian racism which has permeated the Democratic Party rhetoric for quite some time. Frankly nobody in what is vaguely their right mind would believe this narrative.
It is not that “Cozy Bear”, “Fancy Bear” and “Guccifer2” do not exist. It is that they are not agents of the Russian government and not the source of the DNC documents. Guccifer2 is understood in London to be the fairly well known amusing bearded Serbian who turns up at parties around Camden under the (assumed) name of Gavrilo Princip.
Of course there were hacking and phishing attacks on the DNC. Such attacks happen every day to pretty well all of us. There were over 1,050 attacks on my own server two days ago, and many of them often appear to originate in Russia – though more appear to originate in the USA. I attach a cloudfare threat map. It happens to be from a while ago as I don’t have a more up to date one to hand from my technical people. Of course in many cases the computers attacking have been activated as proxies by computers in another country entirely. Crowdstrike apparently expect us to believe that Putin’s security services have not heard of this or of the idea of disguising which time zone you operate from.
One Day’s Attempts to Hack My Own Server – Happens Every Single Day
Pretty well all of us get phishing emails pretty routinely. Last year my bank phoned me up to check if I was really trying to buy a car with my credit card in St Petersburg. I don’t know what the DNC paid “Crowdstrike” for their narrative but they got a very poor return for their effort indeed. That the New York Times promotes it as any kind of evidence is a truly damning indictment of the mainstream media.
Andrew Cockburn asks some hard-hitting questions:
1/ The DNC hackers inserted the name of the founder of Russian intelligence, in Russian, in the metadata of the hacked documents. Why would the G.R.U., Russian military intelligence do that?
2/ If the hackers were indeed part of Russian intelligence, why did they use a free Russian email account, or, in the hack of the state election systems, a Russian-owned server? Does Russian intelligence normally display such poor tradecraft?
3/ Why would Russian intelligence, for the purposes of hacking the election systems of Arizona and Illinois, book space on a Russian-owned server and then use only English, as documents furnished by Vladimir Fomenko, proprietor of Kings Servers, the company that owned the server in question, clearly indicate?
4/ Numerous reports ascribe the hacks to hacking groups known as APT 28 or “Fancy Bear” and APT 29 or “Cozy Bear.” But these groups had already been accused of nefarious actions on behalf of Russian intelligence prior to the hacks under discussion. Why would the Kremlin and its intelligence agencies select well-known groups to conduct a regime-change operation on the most powerful country on earth?
5/ It has been reported in the New York Times, without attribution, that U.S. intelligence has identified specific G.R.U. officials who directed the hacking. Is this true, and if so, please provide details (Witness should be sworn)
6/ The joint statement issued by the DNI and DHS on October 7 2016 confirmed that US intelligence had no evidence of official Russian involvement in the leak of hacked documents to Wikileaks, etc, saying only that the leaks were “consistent with the methods and motivations of Russian-directed efforts.” Has the US acquired any evidence whatsoever since that time regarding Russian involvement in the leaks?
So while Russia may have hacked the Democratic emails and then delivered them to Wikileaks, the evidence is extremely weak.