Close your eyes and imagine that a hacking group backed by Russian President Vladimir Putin broke into the email system of a major U.S. political party. The group stole thousands of sensitive messages and then published them through an obliging third party in a way that was strategically timed to influence the United States presidential election. Now open your eyes, because it looks like that’s what just happened.
On Friday, Wikileaks published 20,000 emails stolen from the Democratic National Committee. They reveal, among other things, thuggish infighting, a push by a top DNC official to use Bernie Sanders’s religious convictions against him in the South, and attempts to strong-arm media outlets. In other words, they reveal the Washington campaign monster for what it is.
But leave aside the purported content of the Wikileaks data dump (to which numerous other outlets have devoted considerable attention) and consider the source. Considerable evidence shows that the Wikileaks dump was an orchestrated act by the Russian government, working through proxies, to undermine Hillary Clinton’s presidential campaign.
“This has all the hallmarks of tradecraft. The only rationale to release such data from the Russian bulletproof host was to empower one candidate against another. The Cold War is alive and well,” Tom Kellermann, the CEO of Strategic Cyber Ventures said.
Here’s the timeline: On June 14, the cybersecurity company CrowdStrike, under contract with the DNC, announced in a blog post that two separate Russian intelligence groups had gained access to the DNC network. One group, FANCY BEAR or APT 28, gained access in April. The other, COZY BEAR, (also called Cozy Duke and APT 29) first breached the network in the summer of 2015.
The cybersecurity company FireEye first discovered APT 29 in 2014 and was quick to point out a clear Kremlin connection. “We suspect the Russian government sponsors the group because of the organizations it targets and the data it steals. Additionally, APT29 appeared to cease operations on Russian holidays, and their work hours seem to align with the UTC +3 time zone, which contains cities such as Moscow and St. Petersburg,” they wrote in their report on the group. Other U.S. officials have said that the group looks like it has sponsorship from the Russian government due in large part to the level of sophistication behind the group’s attacks.
It’s the same group that hit the State Department, the White House, and the civilian email of the Joint Chiefs of Staff. The group’s modus operandi (a spear-phishing attack that uploads a distinctive remote access tool on the target’s computer) is well known to cybersecurity researchers.
In his blog post on the DNC breaches, CrowdStrike’s CTO Dmitri Alperovitch wrote: “We’ve had lots of experience with both of these actors attempting to target our customers in the past and know them well. In fact, our team considers them some of the best adversaries out of all the numerous nation-state, criminal and hacktivist/terrorist groups we encounter on a daily basis. Their tradecraft is superb, operational security second to none and the extensive usage of ‘living-off-the-land’ techniques enables them to easily bypass many security solutions they encounter.”
Crowdstrike stood by its original analysis, writing: “these claims do nothing to lessen our findings relating to the Russian government’s involvement, portions of which we have documented for the public and the greater security community.”
Other security firms offered independent analysis and reached the same conclusion. The group Fidelis undertook its own investigation and found Crowdstrike to be correct.
A Twitter user named @PwnAlltheThings looked at the metadata on the docs that Guccifer 2.0 provided in his blog post and found literal Russian signatures.
His findings were backed up by Dan Goodin at Ars Technica. “Given the evidence combined with everything else, I think it’s a strong attribution to one of the Russian intelligence agencies,” @PwnAllTheThings remarked to Motherboard.
Motherboard reporter Lorenzo Franceschi-Bicchierai actually conversed with Guccifer 2.0 over Twitter. The hacker, who claimed to be Romanian, answered questions in short sentences that “were filled with mistakes according to several Romanian native speakers,” Bicchieri found.
A large body of evidence suggests that Guccifer 2.0 is a smokescreen that the actual culprits employed to hide their involvement in the breach.
That would be consistent with Russian information and influence operations. “Russian propagandists have been caught hiring actors to portray victims of manufactured atrocities or crimes for news reports (as was the case when Viktoria Schmidt pretended to have been attacked by Syrian refugees in Germany for Russia’s Zvezda TV network), or faking on-scene news reporting (as shown in a leaked video in which ‘reporter’ Maria Katasonova is revealed to be in a darkened room with explosion sounds playing in the background rather than on a battlefield in Donetsk when a light is switched on during the recording),” notes a RAND report from earlier in July.
The use of Wikileaks as the publishing platform served to legitimize the information dump, which also contains a large amount of personal information related to democratic donors such as social security and credit card numbers. This suggests that Wikileaks didn’t perform a thorough analysis of the documents before they released them, or simply didn’t care.
The most remarkable example of this, prior to the DNC incident, was the June 2015 the publication of several sets of NSA records related to government intelligence collection targets in France, Japan, Brazil, and Germany. The data itself was not remarkable, but it did harm U.S. relations and may have compromised NSA tradecraft. “Wikileaks doesn’t seem to care that they are being used as a weapon by unknown parties, instead calling themselves a ‘library of mass education’. But the rest of us should,” Weaver writes.
The evidence so far suggests it’s a weapon that Putin used to great effect last week.
This post appears courtesy of Defense One.