[BreachExchange] Why It Matters Who Hacked the Democratic National Committee

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jun 21 10:10:02 EDT 2016


https://www.yahoo.com/news/why-matters-hacked-democratic-national-155855520.html?nhp=1

A cyber security firm hired by the Democratic National Committee announced
on Monday that two groups affiliated with Russian intelligence were
responsible for infiltrating the Democrats’ network and stealing a ream of
confidential election-related information.

Two days later, a hacker claiming to be acting as a lone wolf, who said he
was unaffiliated with the Russians and called himself “Guccifer 2.0,”
leaked what appeared to be a 200-page document consisting of largely
unsurprising opposition research on Donald Trump.

The leak called into question who, exactly, had been responsible for the
hack on the Democratic headquarters.

If it was really the Russians, as the DNC’s cyber security firm,
CrowdStrike, claimed, who was this Guccifer 2.0 figure? (The name harkens
back to an actual Romanian lone wolf who hacked the Bush family, among
others, and is now in a jail in Virginia.) Had the DNC’s cyber team
misattributed the breach to the wrong group? Had it failed to detect a
different breach that had successfully stolen more confidential information?

Then, on Thursday, a flurry of articles in the tech media threw a curve
ball: Several cyber security experts suggested that perhaps Guccifer 2.0
was only claiming to be acting independently, in an elaborate effort to
cast doubt on CrowdStrike’s assertion that the Russians had been behind the
breach.

Meanwhile, to add further to the fog of cyberwarfare, Republican
presumptive nominee Donald Trump raised the possibility on Wednesday that
the Democrats had pretended to hack their own network in an effort to leak
negative stories on Trump to the press. “Maybe they weren’t hacked; maybe
they just want to get it out there,” Trump mused in an interview with Greta
Van Susteren on Fox News. (That seems unlikely as the alleged oppo research
on Trump released so far was mostly based on previously published articles
voters could already find themselves on Google. The document featured
chapters like “Trump has no core” and “Trump is a liar.”)

In the shrill and contorted media environment of an election year,
unraveling this tangle of finger-pointing could have serious political
implications.

If the hackers do indeed turn out to be Russian, it’s confirmation that a
powerful foreign state is seeking to influence, or at least spy on,
domestic U.S. politics.

If the hackers turned out to be politically motivated domestic actors,
American voters—not to mention the Clinton and Trump campaigns—could expect
more potentially unsavory documents to surface before Election Day. For
example, in addition to claiming responsibility for the DNC hack, the
Guccifer 2.0 hacker also bragged about having access to documents from
presumptive Democratic nominee Hillary Clinton’s State Department computer
and to Democratic donors’ financial information. If those claims are
true—and huge emphasis on that “if”—it could be a game-changer in an
already historically strange election year.

Alternatively, if the hackers turn out to be random ne’er-do-wells out for
a thrill, the immediate implications for U.S. electoral politics might be
more limited, but would raise disturbing questions about the security of all
political communications.

As of now, the question of who, exactly, is behind the DNC hack, as well as
possibly related hacks on Republican political groups, and both Hillary
Clinton and Trump’s networks, remains a question mark.

What top U.S. technologists know for sure is that at least two groups of
hackers were willing to take a major risk—and make a substantial
investment—to access the DNC’s network. Who is behind the attacks remains
unclear—and, unfortunately, a satisfying answer isn’t likely to come any
time soon.

“Attribution is incredibly difficult—I wouldn’t say impossible, but it’s
very difficult,” Nathaniel Gleicher, the head of cybersecurity strategy at
Illumio, told TIME. “Investigations like this do not wrap up quickly and
often do not wrap up at all because it’s very hard to tell where they came
from.”

Amit Yoran, the president of the cybersecurity firm RSA, was also
noncommittal on whether there’d ever be a smoking gun.

“I think attribution is one of those topics that people like to rush to
because it makes for sexier reporting—you want to make a meaningful story
for non-technologists,” he told TIME. “Saying you know who was responsible
makes for a very compelling story. But it’s also very hard to do well in
the cyber domain, especially over a short period of time with a
sophisticated actor.”

Gleicher, who served as director for cybersecurity policy on the National
Security Council at the White House, added that this particular case might
be especially tricky since the perpetrators were apparently hiding in the
DNC’s system for a long time.

CrowdStrike, the cyber security firm hired by the DNC, reported that at
least one of two groups of hackers that breached the DNC’s network had been
in the system since last summer.

“Because they were in there so long, it’s going to be very hard to unwind
everything, to track back to reality,” Gleicher said.

Reg Harnish, the CEO of GreyCastle Security, a New York-based cybersecurity
company, says he’s doubtful that CrowdStrike’s investigation—and its
determination that the Russians are to blame—is the “end of the story.”

“I’ve been personally involved in hundreds of these investigations, and you
just don’t end up in the same place where you began,” he told TIME. This
particular case, he said, is complicated by “all the politicking going on.”

“You have people being politically correct or outright lying,” Harnish
added. “I think there’s a lot of misinformation out there right now.”

Scott Borg, the head of the U.S. Cyber Consequences Unit, echoed the
skepticism. “Our best guess is that the second (and apparently less
skillful) of the two intruders was not Russian intelligence,” he told
Politico on Thursday.

“We are also uncertain about the first group,” he added.

CrowdStrike said in a blog post Monday that there were two distinct
breaches of the DNC’s network. One group of hackers, which CrowdStrike
called Cozy Bear, was in the network since summer 2015, and largely
monitoring the DNC’s email and chat communications.

The other, which the firm named Fancy Bear, triggered alarm bells when it
broke into the network in late April, targeting opposition research files
on Trump, CrowdStrike said.

In a statement sent to TIME, CrowdStrike defended its assessment that the
DNC had been breached by hackers affiliated with the Russian intelligence
community.

“CrowdStrike stands fully by its analysis and findings identifying two
separate Russian intelligence-affiliated adversaries present in the DNC
network in May 2016,” the statement said. It then acknowledged Guccifer
2.0’s claims to have accessed the DNC’s network and said it was “exploring
the documents’ authenticity and origin.”

“Regardless, these claims do nothing to lessen our findings relating to the
Russian government’s involvement,” the CrowdStrike statement said.

The DNC would not reply to several emails and voicemails from TIME asking
whether the organization had notified the Federal Bureau of Investigation
or another federal law enforcement agency.

The FBI would neither confirm nor deny that it was investigating the breach.
A spokeswoman at CrowdStrike said she had not heard of the firm
collaborating with any federal investigation.

“It would surprise me if they did not get international law enforcement or
the intelligence community involved with this case,” Yoran said. “It’s
dealing with potentially extremely sensitive information that would have a
great impact on U.S. policy.”