The CIA has supposedly determined that Russian government hacks, as directed by Russian President Vladimir Putin, were the source for publication of Democratic National Committee (DNC) emails and related emails. Comments from a variety of private security firms buttress these claims. However, in an open letter dated December 12, 2016, the Veteran Intelligence Professionals for Sanity (VIPS) claimed that the emails were leaked, not hacked.
VIPS is no ordinary group of citizens with an opinion. Rather, it includes a group of highly accomplished retired and senior intelligence personnel. It’s steering committee includes intelligence luminaries including Thomas Drake (former senior executive with the NSA), Mike Gravel (former adjutant, top secret control officer and special agent of the Counter Intelligence Corps, as well as a former U.S. Senator), and famed NSA whistle blower William Binney (former technical director, world geopolitical and military analysis in the NSA), among others.
So which is it, Russian government hacks, third party hacks or insider leaks? Here’s what the two sides are telling us to date.
A Hack Versus a Leak
Let’s start with a simple review of the difference between a hack and a leak (per VIPS). A “hack” occurs “when someone in a remote location electronically penetrates operating systems, firewalls or any other cyber-protection system and then extracts data.” On the other hand, a leak is an event “when someone physically takes data out of any organization and gives it to another person or organization.”
The Case for Russian Government Hacks: Private Security Firms’ Analysis
Several private security firms have cited certain specific facts to prove that hacks of the DNC occurred. However, “proof” that these were Russian government hacks are more nuanced. Our debate contrasts the recited “facts”, with the claim of Russian government responsibility.
On June 16, 2016, SecureWorks released a public summary revealing a spear-phishing campaign that they stated targeted both Mrs. Clinton’s campaign and the DNC. SecureWorks provided technical details of the spear phishing efforts in the June 16 release. SecureWorks also offered two opinions in its report “with moderate confidence,” that (1) “the [hacking] group is operating from the Russian Federation”, and (2) the group “is gathering intelligence on behalf of the Russian government.”
Private security firm CrowdStrike (co-founded by Dmitri Alperovitch), hired by the DNC in May, 2016, also claims to have collected evidence that two groups they labelled Crazy Bear and Fancy Bear had hacked into the DNC. Here’s Crowdstrike’s take on Cozy Bear and Fancy Bear:
Our team considers them some of the best adversaries out of all the numerous nation-state, criminal and hacktivist/terrorist groups we encounter on a daily basis. Their tradecraft is superb, operational security second to none and the extensive usage of ‘living-off-the-land’ techniques enables them to easily bypass many security solutions they encounter. In particular, we identified advanced methods consistent with nation-state level capabilities including deliberate targeting and ‘access management’ tradecraft – both groups were constantly going back into the environment to change out their implants, modify persistent methods, move to new Command & Control channels and perform other tasks to try to stay ahead of being detected. Both adversaries engage in extensive political and economic espionage for the benefit of the government of the Russian Federation and are believed to be closely linked to the Russian government’s powerful and highly capable intelligence services.
So who are Cozy Bear and Fancy Bear (the “Bears”)? Cozy Bear is claimed to be tied to FSB, Russia’s internal security service. Similarly, Fancy Bear is claimed to be more generally tied to the Russian government. However, no one has provided definitive proof of these claimed connections.
Proof of Russian Government Hacks?
The private security firms point to information found in code and malware as proof of the hackers national origin. For example, security firm FireEye cites Russian language settings in code used by Fancy Bear in certain hacks. There is also evidence that indicates some code was written in the same time zone as Moscow and St. Petersburg. Of course, any hacker could have used the Russian language as misinformation to implicate Russia in the hacks.
Additional evidence alleged to prove Russian government hacks includes: (1) malware identified on DNC computers that was programmed to communicate directly with an IP address known to be used by Fancy Bear; and (2) use of a deliberately misspelled domain name connected to an IP address also used by Fancy Bear to certain email phishing attacks against the DNC.
Editors Observation: Readers might juxtapose comments such as those from CyberStrike, who acknowledge their opponents as “some of the best adversaries . . . [whose] tradecraft is superb [and] operational security second to none,” with claims that such groups would leave these easily discoverable and directly incriminating pieces of evidence behind. On the one hand, best-in-the-world hackers; on the other hand, bumblers and stumblers.
Do the Hacked Targets Prove Russian Government Complicity?
Cyber experts including FireEye have repeatedly referenced the identity of the targets of the two Bears as key evidence to support a claim of Russian government hacks. For example, they and others point to prior cyber attacks targeting the Ukrainian power grid, Georgian financial institutions and government websites, and Estonian government and financial systems, as evidence of Russian government complicity. In each instance, Russia’s defense interests are readily identifiable. We accept the reasonableness of this inference in these specific instances.
Editors Comment: Cyber attacks on targets within Russia’s natural sphere of immediate influence are one thing. These attacks could easily have been the result of Russian government hacks. From Russia’s perspective, there was little if any probability of a meaningful counter-attack.
However, we should be careful before extrapolating too much from Russia’s willingness to launch those attacks. At the least, Russia must have acted with full deliberation before deciding to similarly attack the United States. We presume that the United States and Russia regularly conduct cyber-probing of various data points for a variety of reasons. But a hack that might strike at the fabric of an American election for President is quite another thing. It would constitute, in our view, an attack of a much greater magnitude.
The United States is of course fully capable of launching a variety of highly destructive retaliatory attacks. Russian government hacks targeting an American election might force the United States to respond. This inference challenges the validity of the conclusion that Russia’s end-goal was to interfere in the U.S. election. Had the Russians elected to pursue such a goal, they must also have assumed there would be a reasonably high probability of U.S. retaliation, ultimately leading to a cycle of retaliation between the two countries.
At a minimum, this leads to the critical question: what ultimate goal of a Russian end-game would warrant Russia running the risk of a retaliatory wave that it would not be able to control? The consequences of such actions would be unknowable and game theory might not lead to outcomes with reasonable certainties.
Kaspersky Lab claims Cozy Bear responsibility for the 2015 hacks of White House and State Department unclassified networks. However, we doubt that an attack of that nature would warrant a material response from the U.S. A similar conclusion would have been reached by the Russian government.
Proving Russian Government Sponsorship is Not so Simple
The type of “proof” of Russian government hacks offered by FireEye is conclusory. It consists of circumstantial inferences drawn by claimed experts. However, this type of proof is not of a quality that would be direct evidence of complicity. Moreover, a hacker wishing to hide his identity would be wise to plant evidence pointing to Russia. Western analysts predisposed to find Russian government complicity could be nudged further in that direction by little slices of misinformation supporting their biases.
As noted by the Institute for Critical Infrastructure Technology (ICIT), a cyber security think tank:
Malicious actors can easily position their breach to be attributed to Russia. It’s common knowledge . . . that all one needs to do is compromise a system geolocated in Russia (ideally in a government office) and use it as a beachhead for attack so that indicators of compromise lead back to Russia. For additional operational security, use publicly available whitepapers and reports to determine the tool, techniques and procedures of a well-known nation-state sponsored advanced persistent threat (APT), access Deep Web forums such as Alphabay to acquire a malware variant or exploit kit utilized in prolific attacks, and then employ the malware in new campaigns that will inevitably be attributed to foreign intelligence operations.
Want to add another layer? Compromise a Chinese system, leap-frog onto a hacked Russian machine, and then run the attack from China to Russia to any country on the globe. . . . This process is so common and simple that it’s virtually “Script Kiddie 101” among malicious cyber upstarts.
ICIT doesn’t stop there. They point out:
Incident Response techniques and processes are not comprehensive or holistic enough to definitely attribute an incident to a specific threat actor from the multitude of script kiddies, hacktivists, lone-wolf threat actors, cyber-criminals, cyber-jihadists, hail-Mary threats, and nation-state sponsored advanced persistent threats, who all possess the means, motive and opportunity, to attack minimally secured, high profile targets. Organizations such as the DNC, RNC, Whitehall and the German Bundestag have all been targeted in cyber attacks launched with the possible intention of influencing global politics. . . . It would be easy to baselessly declare that all of the attacks were launched by Russia based on the malware employed; however, other threat actors such as Anonymous, Comment Crew, Desert Falcon, etc. could easily emulate the tools, tactics and procedures of a Russian nation-state APT attack.
There is ample technical evidence to support the theory that Russian-speaking hackers were responsible for a number of attacks related to the U.S. election, according to Cybersecurity consultant Jeffrey Carr. However, “there is ZERO technical evidence to connect those Russian-speaking hackers to . . . [any] Russian government department.”
In all, the data referenced may well be objective proof that hacks occurred. However, they fall short of being objective proof of Russian government hacks. They also are not definitive proof of Russian governmental control over the Two Bears.
The Case for Leaks
VIPS points out that the National Security Agency (NSA) “is able to identify both the sender and recipient when hacking is involved.” As a result, “any data that is passed from the servers of the DNC or of [Mrs.] Clinton is collected by the NSA.” And further, “these data transfers carry destination addresses . . . which enable the transfer to be traced and followed through the network.”
VIPS details how emails are broken down into “packets.” These packets are passed into the network and then re-assembled where they are received. All of the packets carry identifying numbers and “the originator and ultimate receiver internet protocol number.” With that in mind:
When email packets leave the U.S., the other “Five Eyes” countries (the U.K., Canada, Australia, and New Zealand) and the sever or eight additional countries participating with the U.S. in bulk-collection of everything on the planet would also have a record of where those email packets went after leaving the U.S.
These collection resources are extensive. . .; they include hundreds of trace route programs that trace the path of packets going across the network and tens of thousands of hardware and software implants in switches and servers that manage the network. Any emails being extracted from one server going to another would be, at least in part, recognizable and traceable by all these resources.
WikiLeaks maintains that the Russian government is not the source of the emails that it published. Readers will reach their own conclusion as to the degree of deference appropriate to WikiLeaks’ claim.
Is It Leaks, Not Russian Government Hacks?
With the foregoing in mind, VIPS concludes:
The bottom line is that the NSA would know where and how any “hacked” emails from the DNC, HRC [Mrs. Clinton] or any other servers were routed through the network. This process can sometimes require a closer look into the routing to sort out intermediate clients, but in the end sender and recipient can be traced across the network.
VIPS then directly addressed statements attributed to the CIA and other intelligence “sources” referenced in the press:
The various ways in which usually anonymous spokespeople for U.S. intelligence agencies are equivocating — saying things like “our best guess” or “our opinion” or “our estimate” etc. — shows that the emails alleged to have been “hacked” cannot be traced across the network. Given NSA’s extensive trace capability, we conclude that RNC and HRC servers alleged to have been hacked were, in fact, not hacked.
Contrary to Press Reports, Disclosure of Proof of Hacking Would Not Jeopardize U.S. Intelligence Sources
Reports in the New York Times state that U.S. intelligence agencies are unwilling to provide direct proof of Russian hacks. This unwillingness is attributed to a claimed risk that such disclosures might risk compromising U.S. data collection efforts. Other press reports have repeated these claims. Yet, VIPS directly debunks this claim:
The evidence [of hacking] that should be there is absent; otherwise, it would surely be brought forward, since this could be done without any danger to sources and methods. . . . As for the comments to the media as to what the CIA believes, the reality is that CIA is almost totally dependent on NSA for ground truth in the communications arena. Thus, it remains something of a mystery why the media is being fed strange stories about hacking that have no basis in fact. In sum, given what we know of NSA’s existing capabilities, it beggars belief that NSA would be unable to identify anyone – Russian or not – attempting to interfere in a U.S. election by hacking.
The Need for Evidence to be Seen By All
There is one simple way to resolve the uncertainties highlighted by this debate. The U.S. government should release all evidence of Russian government hacks, given the claimed assault on the American election process. It would be cyber warfare, after all, whose target is the American constitutional process. This is one case, perhaps above all others, where the American people have an absolute right to know. This information, if it exists, should be placed in the Marketplace of Ideas as soon as possible. There is no plausible reason not to.