The DNC hacks and Russia

I’m sceptical about the claims that Russian state intelligence was behind the hacks of the DNC servers. Maybe they were, but the process of attribution for attacks is a complicated one, and this association was claimed at the very outset.

For background, I investigate attacks on servers most weeks. Most of the time, you can’t say who was behind them with any certainty just from the attacks – you might have as a starting point the concern that a particular party is having a go at you or your client, and that’s different, of course. You start out tracing them to machines that were themselves compromised, and rely on some cooperation from their administrators. IP addresses or social media accounts used for the attacks are cut-outs, in the classic tradecraft sense. This is true when the people behind them are probably kids, or common commercial competitors. There are tens of millions of compromised computers in the world, any of which can be used to front an attack.

So when you read that an attack has been attributed to Russian hackers, this does not often mean there’s been any sort of trace through the internet.

Instead, there will have been some analysis of the toolkits or techniques used. This is the identification technique used by the investigators of the DNC hacks. But toolkits get shared and sold, and copied. This is true of toolkits and malicious code that’s used at first by intelligence agencies. I don’t think there’s much doubt that national agencies were the origin of the Stuxnet trojan that affected centrifuges in Iran. This first appeared, in an early form, in 2009 (although there are claims of earlier forms four years beforehand). The final form contained a timestamp from February 2010. By November 2010, having been discovered in June 2010, it was reportedly being traded commercially on the black market.

So a toolkit used in an attack likely to have been the work of a state agency can, and will, turn up in other hands within months of being identified.

I’m not the only one who isn’t sure this was the Russian government. Fidelis Security has become involved in the DNC response, and this is how they blogged it:

Over a 12-month period, the DNC was victim to not just one, but two intrusions from a nation-state actor, Russia.

[…]

Finally, if Russia is to blame, this breach marks the first time that a nation-state has used cyber espionage to influence a United States election.

The first claim is what’s being reported; the ‘if’ isn’t. There’s a worrying degree of certainty being displayed in many reports at a stage in the investigation that’s so early it can’t be possible to say who was responsible. But confirmation bias is a powerful thing.

Crowdstrike did say they thought phishing, and spearphishing in particular, played a part in these attacks. That amounts to saying that people were induced by deceptive websites or other techniques to install malware themselves, unknowingly, on the DNC systems. That suggests they don’t think it was a remote exploit – some vulnerability in the internet-facing part of the systems that attackers could use to get in.

If malicious software could have been installed unknowingly, it could also have been installed knowingly. Rather like murder investigations, an actual penetration of a system casts suspicion on those closest to it, if you’re being an objective investigator.

I’ve been involved in electronic security since the late 1980s. Then, it was finding, and planting, listening devices and using other techniques to gather information. The most notorious thing I did was tap Darius Guppy’s telephone, and record the conversation he had with Boris Johnson about beating up a journalist, but most of the work I did was finding rather than planting. When you find an intrusion of some kind, and even then it could be external to the location that was being monitored, you need to consider who was behind it. You also need to consider whether it’s actually best to leave things in place, so the intrusion that’s happening is a known quantity, rather than blowing that and leaving the road open to further unknown ones.

When you try to figure out who was behind an intrusion, the first thing to think about is, who has a motive? Who benefits? And the first thing you need to think about when an attack is publicised, is why? Why not just watch it and gather intelligence?

So the cui bono question is worth considering here. Who benefited from these attacks, or who might have been the intended beneficiary? The main take-home was that the DNC favoured Clinton’s candidacy over that of Sanders. The releases of files came just before the Democratic Party’s convention. If you were a Sanders last-ditcher, that’s what and when you’d have wanted.

Who benefits from the claim it was Russia behind the attacks? Clinton does. Her main line of attack has shifted from Trump’s alleged racism, which isn’t such a strong line in the wake of the BLM movement stopping ambulances and inspiring the murders of police officers, to Putin wanting Trump to win. She is repeating the claim that Russia was behind this, when with the best will in the world the most that could be said is that some of the software used is similar to that used in what was thought to have been a Russian assault on some German systems a few years ago.

Maybe Putin does want Trump to win, and maybe he was behind these leaks of data. But Putin hasn’t done badly under the Obama administration Clinton served in. Russia has become the most credible external power in the Middle East and has invaded two Eastern European countries. More of the same would suit Putin. The only real problem he has is that fracking in the USA has depressed the price of gas, which Russia relies on. Clinton has given out mixed messages on fracking, but she did say, in a debate with Sanders, that:

“By the time we get through all of my conditions, I do not think there will be many places in America where fracking will continue to take place,”

Trump has benefited from the hacking in one way. He’s trying to get disaffected Sanders voters to switch to him, and the idea that their candidate was stitched up by the DNC, which is a stretch from what has actually been revealed – a preference rather than a manipulation of the process – would help him.

So it’s complicated, more so because the earliest DNC penetration was dated to last summer which, depending on what ‘summer’ means, saw Trump on as low as single-figure polling and makes it hard to believe an attack was started with the intended effect of helping him in his campaign.

It might be the case that Russia was behind this. It’s most likely, given the facts we know so far, that any definite attribution will be hard to make. But it is certainly true that if at the moment you think this is a Russian cyber attack designed to help Trump beat Clinton, you’re believing what you want to believe.

Out of interest, though, one of the techniques pioneered by one of the groups fingered for this is very cool. It uses Twitter accounts and steganography – which today is mainly the embedding of encrypted data in image files, but which was first described in 1499.
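To make the steganography point concrete from the defender's side, here is an added example (my own illustration, not code from the original post or from any group it mentions). It builds a small synthetic 8-bit greyscale image inline, hides a payload in the pixels' least significant bits, and then computes Westfeld and Pfitzmann's pairs-of-values chi-square statistic, which is one of the standard ways an analyst checks whether an image's low bits still look like a natural cover. The cover's LSB bias, the image size and the use of random bytes as a stand-in for ciphertext are all assumptions of the demo, not facts about the DNC case.

```python
# Added example, not from the original post: LSB steganography in a synthetic
# 8-bit greyscale "image", plus the pairs-of-values chi-square statistic a
# defender can use to notice that an image's least significant bits no longer
# look like those of a natural cover. Cover, payload and sizes are constructed
# inline so the script runs offline; no real image or real payload is used.
import random

WIDTH, HEIGHT = 64, 64


def make_cover(seed=1):
    """Constructed cover image: a smooth ramp with slight noise, quantised so
    odd pixel values are rare. The 15% LSB bias is an assumption chosen so the
    statistic has something to detect; real covers vary."""
    rng = random.Random(seed)
    pixels = []
    for y in range(HEIGHT):
        for x in range(WIDTH):
            base = (3 * x + 2 * y + rng.randint(-2, 2)) % 128
            lsb = 1 if rng.random() < 0.15 else 0
            pixels.append(2 * base + lsb)
    return pixels


def make_payload(n, seed=2):
    """Stand-in for an encrypted payload: ciphertext is statistically
    indistinguishable from random bytes, so random bytes model it here."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def embed_lsb(cover, payload):
    """Write a 32-bit length prefix and the payload into the LSBs of
    consecutive pixels, changing each carrier pixel by at most 1."""
    data = len(payload).to_bytes(4, "big") + payload
    bits = [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]
    if len(bits) > len(cover):
        raise ValueError("payload does not fit in cover")
    stego = list(cover)
    for idx, bit in enumerate(bits):
        stego[idx] = (stego[idx] & 0xFE) | bit
    return stego


def extract_lsb(stego):
    """Inverse of embed_lsb: read the length prefix, then that many bytes."""
    def read_bytes(start_bit, count):
        out = bytearray()
        for i in range(count):
            byte = 0
            for j in range(8):
                byte = (byte << 1) | (stego[start_bit + 8 * i + j] & 1)
            out.append(byte)
        return bytes(out)

    length = int.from_bytes(read_bytes(0, 4), "big")
    return read_bytes(32, length)


def pov_chi_square(pixels):
    """Pairs-of-values chi-square (Westfeld and Pfitzmann). LSB embedding only
    moves pixels between values 2k and 2k+1, and random-looking payload bits
    push those two counts towards equality; an untouched cover keeps whatever
    imbalance it had, so a larger value is the signature of the cover."""
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    chi = 0.0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2
        if expected > 0:
            chi += (even - expected) ** 2 / expected
    return chi


def demo():
    """Embed, extract and compare the statistic for cover versus stego."""
    cover = make_cover()
    payload = make_payload(256)
    stego = embed_lsb(cover, payload)
    return {
        "roundtrip_ok": extract_lsb(stego) == payload,
        "max_pixel_change": max(abs(a - b) for a, b in zip(cover, stego)),
        "chi_cover": pov_chi_square(cover),
        "chi_stego": pov_chi_square(stego),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The payload changes no pixel by more than one level, which is why the picture looks identical to the eye, yet the chi-square value drops sharply once the low bits carry random-looking data; that drop, computed over windows of an image rather than the whole of it, is what a stego-detection tool looks for.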