Quantcast
The Hacks We Can't See

DNC Hack: What We Know, And What We Still Don’t Know

Looking for all the answers behind the most important hack of the year.

Image: Mikhail Svetlov/Getty Images

As the Democrats coronated Hillary Clinton in Philadelphia as the party's new presidential nominee, the convention has somewhat been overshadowed by the big question of whether the Russian government is trying to mess with the US elections by leaking internal party emails stolen as part of the hack on the Democratic National Committee.

On Monday, Thomas Rid, a professor at King's College, wrote the most comprehensive and near-definitive take on the hack, laying out all the signs and evidence that point to the Russian government being behind the cyberattack on the DNC.

Since then, more digital bread crumbs pointing to Russia have been revealed, and anonymous U.S. government sources told The New York Times and The Daily Beast that American intelligence agencies are confident Russia was indeed the culprit.

But not everyone is convinced yet. Here's what we know and don't know at this point.

We know the original attack started around a year ago, and that there were two separate groups that each breached the target.

CrowdStrike, the security firm that investigated the hack, has identified the first breach of the DNC network dating back to the summer of 2015. A second hacking group got in later, in April 2016, tipping off the DNC IT team, according to CrowdStrike.

We don't know, but we strongly suspect, that the hacker who publicly claimed credit for the attack is not the real hacker—and that while we're not positive he's Russian, we're pretty sure he's not Romanian.

A day after CrowdStrike and The Washington Post revealed the hack on the DNC, a hacker calling himself Guccifer 2.0 claimed responsibility for the attack and leaked some DNC documents as proof. But given the timeline of the events, and some evidence (including metadata suggesting he manipulated documents on a Russian computer), it appears Guccifer 2.0 was likely a an hastily put-together attempt to cover up the initial hack and confuse and deceive the public.

Guccifer 2.0 claimed to be Romanian, but when challenged to chat in Romanian, he refused. The little Romanian he did use in a conversation with Motherboard, was full of mistakes that native speakers wouldn't use.

In other words, Guccifer 2.0's story just doesn't add up. Why would you claim to be Romanian and at the same time intentionally leave trails pointing to Russia? It's much more likely that the Romanian bit was a lie, and the Russian metadata was a mistake.

We don't know for sure that the real hackers were Russian, and even if they were Russian, we don't know for certain that they were state-sponsored.

There's a lot of evidence linking the groups identified in the DNC hack to past cyberattacks that have been linked to Russia or at least "state-sponsored" Russian hackers. As Rid summarized it, there's "used and reused tools, methods, infrastructure, even unique encryption keys."

But on Wednesday, Jeffrey Carr, a cybersecurity expert, explained in a blog post the reasons why everyone should be more careful when blaming Russia, and particularly its intelligence services the FSB and GRU.

"The whole nature of cyberspace deserves skepticism when it comes to attribution," Carr told Motherboard in a phone call. "We don't know anything, we don't have any facts."

Carr added that he's "not arguing that there there was no Russian involved," but "there's a big leap between a Russian speaking person and the FSB or GRU."

We know that at least one of the hacking collectives identified has established ties to the Russian government.

While Carr's caution is warranted, some of the evidence, as Rid pointed out, is damning. At least one of the hacking groups identified by CrowdStrike has clear ties with the Russian government, according to multiple experts.

The second hacker group that accessed the DNC, APT28, also known as Sofacy or Cozy Bear, has been described as "a state-sponsored group" that "might be of Russian origin," in a technical report on a previous attack on the German parliament. As Rid pointed out, the attackers in both cases share the same infrastructure. And no security firm, nor independent security expert, has refuted the notion that APT28 is a Russian government sponsored group.

Still, because of the nature of cyberspace and government hacking in particular, it's always hard—if not impossible—to find the smoking gun. We never saw a smoking gun in the Sony hack, or in the Stuxnet attack on an Iranian nuclear power plant, for example. That's why Rid also argues we should be careful in making some leaps.

Rid said that it's still unclear if APT29, the first DNC attacker, is linked to the FSB.

We don't know how many parties were involved.

We also still don't know whether the person who 1) did the hack, 2) claimed responsibility for the hack, 3) leaked documents and, 4) passed the emails to WikiLeaks, "is the same entity," Rid said.

More importantly, however, Rid said that it's impossible to know right now whether the hack on the DNC started with the intention of leaking documents, and particularly, with the goal of helping the Republican nominee Donald Trump.

We don't know that the attackers are pro-Trump.

"It's not right to say that Putin is trying to help Trump," Rid told me. "We can't make that leap yet."

We know more investigation is needed to determine if the attack came from Russia, if it was state-sponsored, and whether it was a direct order from the top or an initiative that grew out of the intelligence services.

That's why "the Democrats have not acted very wisely on this by making it so political," Rid said. "This is not about Trump or Clinton, this is about the integrity of the democratic process in the United States. They're making the work of the intelligence community and the FBI a lot harder by politicizing the investigation."

The FBI declined to comment for this story, only referring to a previous statement put out this week, saying it is investigating the incident. The NSA did not respond to a request for comment.

Meanwhile, on Wednesday, Trump appeared to invite Russia to keep hacking and "find the 30,000 [Clinton] emails that are missing."

"I think you will probably be rewarded mightily by our press. Let's see if that happens, that'll be nice," he said in a press conference.

The Clinton campaign denounced Trump's words, saying "this has gone from being a matter of curiosity, and a matter of politics, to being a national security issue."

We do know this story has become a political issue.

Unfortunately political motives will make accurate attribution more difficult, and draw attention away from the technical evidence—which seems to grow everyday in support of the original theory that the hack was sponsored by the Russian government.

The Hacks We Can't See is Motherboard's theme week dedicated to the future of security and the hacks no one's talking about. Follow along here.