This is part 2 of yours truly’s ‘The Hacked Election’ posts. Part 1 is here.
Note: This post isn’t about any speculation regarding the hacking of actual electronic ballots. There is no evidence of that taking place. Though, apparently doing so wouldn’t be terribly difficult. This post is about hacking related to DNC and Clinton campaign email accounts. Why people voted as they did where they were located is a matter of demographics.
If the supposed Russian propaganda campaign was a metaphorical hacking attack that broke through the weak firewall that is America’s lack of media literacy, then the cyber attacks against the Democratic National Committee the Clinton campaign and others was just plain non-metaphorical hacking. And the evidence of it is more credible.
The great thing about writing slowly and sporadically is that someone’s going to get around to doing it before you, and possibly better. War is Boring covers the play-by play of the whole saga. So read that for the details. I’m more interested here in who’s still decided it’s not true, and why. Maintaining the counter narrative is approaching the Herculean level of being a climate denier or opposing vaccines.
The evidence is fairly conclusive. Yes, attribution can be difficult, but unlike debates over whether this or that piece of faux news content is actually part of a strategic propaganda campaign or not, the evidence is rarely as subjective. You have server logs, the paths of data packets, the history of malware and the servers it connects to, common vectors of attack and the error that the hackers make that can leave a digital footprint of their own. This is not to say that someone can’t refute the evidence or produce valid counter-arguments. It’s that anyone doing so has to take the digital evidence seriously, and respond to it. The circle of people with the background to do that is relatively small. This hasn’t stopped a lot of people outside of it from trying really hard, though.
So instead of going through the various evidence and reasons that the attribution for the DNC hacks is credible, I’ll let the War is Boring post, the various Crowdstrike blog posts (here, here, here, etc.) and others do that.
One objection came from Sam Biddle, who countered in The Intercept that “We should also bear in mind that private security firm CrowdStrike’s frequently cited findings of Russian responsibility were essentially paid for by the DNC, who contracted their services in June. It’s highly unusual for evidence of a crime to be assembled on the victim’s dime.” That would be true in a number of instances, but not this one. Actually, it is entirely common. Crowdstrike is one of just a few firms in the field of advanced cyber attack analysis. Corporations, governments, large organisations hire companies like this to do exactly this kind of thing. Furthermore, the analysis goes far beyond Crowdstrike’s work on the DNC hacks. ThreatConnect looked at the various personas used to gain and disseminate hacked emails, and could trace them all to common origin servers. So, that hired firms investigated this is not counter-evidence.
Most striking part of NYT article was the primitive nature of Podesta hack & the sheer luck of its success: hardly some masterful invasion pic.twitter.com/uZf3pc7cAP— Glenn Greenwald (@ggreenwald) December 13, 2016
In the Tweet above, Greenwald asserts that these hacks were down to luck, and weren’t that sophisticated. The argument is that they look to armature to be from a government. The argument doesn’t work on a lot of levels. I mean, look at how much else governments have done that come off as half-baked.
In one respect, Greenwald is right. The attacks weren’t that sophisticated. But it’s also true that spearphishing attacks don’t need to be sophisticated in order to be state sponsored, or to be effective. Many states use off-the-shelf methods to attack targets. Why spend more than what’s needed? Why not hire people who can cheaply deploy a simple hack before investing in more complex, and possibly more traceable, methods? The more typical it is, the more likely it will blend in.
This is the closest I've ever come to falling for a Gmail phishing attack. If it hadn't been for my high-DPI screen making the image fuzzy… pic.twitter.com/MizEWYksBh— Tom Scott (@tomscott) December 23, 2016
Spearphishing attacks are fairly basic: You get the target to click a link and enter some sensitive information, or download a piece of malware onto their computer. Once you’re into one account, you use it to trick their contacts and get into theirs. They’re also quite successful, because people aren’t actively skeptical about things that look like they’re coming from trusted sources. It’s the same attack that that millions of people fall for which allows criminals access to their social network pages, online shopping sites and bank accounts And this is all it took to get into the email accounts of Secretary of State Colin Powell and Clinton campaign chairman John Podesta. So, that the hacks were simplistic, is not counter-evidence.
Left: how people think the Russians stole Clinton emails. Right: how they actually stole them. pic.twitter.com/1PlAROuGWs— Matthew Green (@matthew_d_green) November 8, 2016
Others point to statements made by Craig Murray, the former U.S. diplomat who’s now a Wikileaks supporter. The gist of Murray’s claim is that the stolen email data came from someone on the inside of the Democratic party, and not hackers. He says he knows this because he was the person they gave the data to. It’s worth noting that Julian Assange doesn’t support the statement.
That aside, there are other transparent problems with this line from the start: Who inside the democratic party or the Clinton campaign had backdoor server access to email accounts? He’s basically implicating either someone running campaign IT, or the account holders themselves. It also runs counter to what Julian Assange says about the source. While Assange has said the Guccifer 2.0 look like a Russian operation, his own source, he has said, is not a state actor from the U.S., Russia or elsewhere.
Whether what Assange is saying is true or not, is impossible to ascertain, but it does not contradict the evidence laid out by Crowdstrike and others. Reasonably, The thousands of emails copied from John Podesta’s gmail account couldn’t have come from either a disgruntled insider or a disinterested outsider. It came from someone who knew about spearphishing attacks and who used infrastructure that was also targeting high-profile email account holders in Ukraine, the Baltics, China and Iran. So just saying you got the data handed to you doesn’t refute the evidence pointing to how it was originally obtained.
The Grugq has captured all the prevailing evidence in one post. Interestingly, it seems more people rank some of the least technical evidence as the most damning. I tend to reverse the order.
- Guccifer 2.0, the source of these DNC emails, doesn’t talk like a hacker. It’s widely believed by researchers that this person is a cut-out, or a a front for the real attackers. One of the reasons for this is that he doesn’t talk like a hacker. I suppose, but that’s fairly subjective. He may not sound technically proficient, but maybe he’s just avoiding that language on purpose.
- Much of the software that Guccifer 2.0 used seems to have been Russian language. That’s fine. Maybe the hacker was a Russian speaker. We’ve got some evidence here that points to specific geographical and/or linguistic details. But there are, logically, hackers who speak Russian that are not employed by a government.
- Then we have the indirect corollary events: Trump refusing to meet for intelligence briefings, dismissing out of hand that the Russian government could be involved, calling for hackers to hack Clinton campaign data earlier on the campaign, etc. All of these are easily found with a Google search, but to quote every Reddit user ever: correlation is not causation. It is suspicious, but not in and of itself evidence.
- Both Trump and Putin seem to be speaking from the same script. Again, it’s suspicious, but we need more.
- Infrastructure reuse seems, to me, the best evidence. Analysing email headers, studying the VPN used, the domain registration meta and most interestingly, the common server employed in different attack campaigns from Ukraine to the U.S. are traceable and more conclusive than anything else.
When the best defense is not offense
While there’s a consensus forming around who’s behind the DNC email attacks, there’s still room for debate in what should be done about it. Obama’s response continues to be the wrong one. He could have helped prevent the attacks earlier, when he’d first been informed about them, but did nothing. Now he’s making public statements threatening retaliatory hacks against Russia. This is ridiculous, of course. First: Obama’s remaining time as president is just days. Second: Obama is not Anonymous. One doesn’t use a televised address to announce a cyber offensive. Finally, a threat of a cyber attack is not what counters a cyber attack. The Cold War logic, flawed as that is, doesn’t work here at all.
The best defense is, in fact, defensive tactics. The NSA is sitting on top of zero-day exploits that could strengthen the networks and devices we all use. Release those to the companies effected by them. Stop trying to install backdoors in technology, and end all these pointless attacks on strong encryption. End the mass surveillance projects that put more and more data streams at risk. More strategically, identify what you’re trying to protect and who wants to get it.
For individuals, avoiding the kinds of hacks that snared Podesta and Powell is fairly low tech: Use complex, long pass-phrases, enable 2-factor authentication, and don’t click on documents or links you haven’t examined. You will then have stronger online security then people who work in national defense, apparently.
Also realise Russia isn’t the only country doing this.
American cyber attacks against the rest of the world are well documented. This hack is fairly small beans compared to United States offensive cyber operations taking place on a daily basis. Also, a lot of smaller states are in on it as well, and those that can’t run it entirely in-house, can outsource it, mostly from firms located in Western countries.
There is enough evidence to reasonably make the assertion that Russian government sponsored hackers were behind the DNC and Clinton campaign email hacking campaign. What’s missing from the people who continue to oppose it is a credible reason to support their case.