Does the U.S. government really know who hacked Democrats’ emails?
The hacking and public release of Democratic campaign and committee emails made the news and a presidential debate, with more leaks expected to come.
This week, WikiLeaks published more emails from Hillary Clinton’s campaign chairman, John Podesta. Nearly 20 batches of campaign emails were released over the last month, in addition to Democratic National Committee emails released earlier this year.
In the final presidential debate on Oct. 19, Clinton said documents released by WikiLeaks were part of Russian espionage on the U.S. She called on Republican candidate Donald Trump to acknowledge the Russia connection and condemn such actions.
“She has no idea whether it’s Russia, China, or anybody else. She has no idea,” said Trump.
“I am not quoting myself. I am quoting 17, 17 intelligence agencies. Do you doubt 17 military and civilian agencies?” Clinton asked.
“Our country has no idea,” Trump responded.
Clinton was citing the Oct. 7 statement from the U.S. intelligence community saying it was “confident that the Russian government directed the recent compromises of emails from U.S. persons and institutions.”
Analysts say, however, that the ability to determine who cyber attackers are, where they’re located and sometimes who ordered their operations is rarely definitive and comes in degrees of confidence.
Beyond the government’s headline assertion that Russia is to blame, “it’s important to parse the public statement pretty closely,” said Susan Hennessey, a national security fellow at the Brookings Institution. “They’re being really careful in their word choice.”
The Department of Homeland Security and the Office of the Director of National Intelligence said in a joint statement on election security earlier this month that “only Russia’s senior-most officials could have authorized these activities.”
But that statement does not mean that the U.S. has “direct evidence of senior official-level involvement,” Hennessey said.
Without more definitive statements, it’s difficult for some technical experts to take the government’s word on faith, she and others have said.
“There’s no evidence that this was done by the state itself, only evidence it was done by non-state actors that might be Russian-speaking,” said Jeffrey Carr, CEO of the cyber security consultancy firm Taia Global, referring to the evidence available to the public.
That evidence, which was released by private threat assessment companies rather than official channels, indicates hackers used Cyrillic keyboards and operated during Moscow working hours.
But indicators of identity like timestamps, language preferences and IP addresses “can be manipulated or faked rather easily,” said Juan Andres Guerrero-Saade, a senior security researcher at Kaspersky Lab.
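As an added illustration of how weakly the “Moscow working hours” indicator alone narrows things down, the script below scores a set of activity timestamps against the working day of every UTC offset and reports all offsets the data fits equally well. It is example code written for this page, not from the article or any of the firms it quotes; the timestamps and the 09:00-18:00 working-day assumption are constructed.

```python
"""Score attacker-activity timestamps against the working day of each UTC offset.

Added example: the event times below are constructed, not real incident data,
and the 09:00-18:00 Monday-to-Friday working day is an assumption.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample: UTC times of observed activity over one working week
# (2016-03-21 to 2016-03-25 are Monday to Friday).
SAMPLE_EVENTS_UTC = [
    "2016-03-21T07:14:00", "2016-03-21T09:40:00", "2016-03-21T13:55:00",
    "2016-03-22T07:02:00", "2016-03-22T11:30:00", "2016-03-22T13:45:00",
    "2016-03-23T07:50:00", "2016-03-23T10:10:00", "2016-03-23T12:20:00",
    "2016-03-24T07:35:00", "2016-03-24T09:05:00", "2016-03-24T13:10:00",
    "2016-03-25T07:30:00", "2016-03-25T08:15:00", "2016-03-25T13:05:00",
]

WORK_START, WORK_END = 9, 18  # assumed local working hours, [09:00, 18:00)


def parse_utc(stamps):
    """Turn ISO-8601 strings into timezone-aware UTC datetimes."""
    return [datetime.fromisoformat(s).replace(tzinfo=timezone.utc) for s in stamps]


def working_hours_fraction(events_utc, utc_offset_hours):
    """Fraction of events that land on a Mon-Fri working day in the given zone."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    hits = 0
    for ev in events_utc:
        local = ev.astimezone(tz)
        if local.weekday() < 5 and WORK_START <= local.hour < WORK_END:
            hits += 1
    return hits / len(events_utc)


def consistent_offsets(events_utc, threshold=0.9, offsets=range(-12, 15)):
    """Every UTC offset whose working day explains at least `threshold` of the events.

    More than one offset in the result means the working-hours indicator by
    itself cannot single out a location; Moscow is UTC+3 year-round.
    """
    return [off for off in offsets
            if working_hours_fraction(events_utc, off) >= threshold]


if __name__ == "__main__":
    events = parse_utc(SAMPLE_EVENTS_UTC)
    print("fit for UTC+3 (Moscow):", working_hours_fraction(events, 3))
    print("offsets the data fits equally well:", consistent_offsets(events))
```

On the constructed sample, UTC+2, UTC+3 and UTC+4 all explain every event, so the pattern is consistent with Moscow but does not single it out.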
Trump has a point when he says we can’t know for sure, said Cris Thomas, an information security professional known online as Space Rogue.
“I don’t know what [evidence] they have that couldn’t have been faked,” Thomas said.
Sophisticated attackers have learned how to tamper with the technical indicators to mask their identity, or at least send analysts in the wrong direction.
Dmitri Alperovitch, co-founder of CrowdStrike, the firm the Democratic National Committee hired to assess its breach, wrote a blog post attributing the hack to two separate groups affiliated with Russian intelligence, Fancy Bear and Cozy Bear.
Alperovitch classed both as sophisticated actors, writing on CrowdStrike’s blog that their “tradecraft is superb, operational security second to none.”
Fancy Bear is “very, very good at deception campaigns,” said Brian Bartholomew, who co-authored a report about the deception tactics that complicate attribution.
But, he added, the group has recently seemed “a little more lax” about getting caught.
Carr asked, if these hacks are a ploy by Russian President Vladimir Putin to install what Clinton has called “a puppet” at the helm of a Western democracy, why leave such obvious technical indicators in their wake?
“That’s not even sloppy,” Carr said. “That’s just ignorant.”
“Perhaps [Russia] wanted it traced back to them to show that they’re flexing their geopolitical muscle,” Schwartz said.
Deception, however, “is exceptionally difficult to pull off at the level that is going to withstand the amount of scrutiny the government will put on it,” said Jason Healey, senior fellow at the Atlantic Council’s Cyber Statecraft Initiative.
Another complicating factor is that the first intrusions into the DNC go back more than a year, well before Trump, purported to be Putin’s favorite candidate, was perceived as having a reasonable chance of winning the Republican Party’s nomination.
To think these hacks were in service of a farsighted, cunning plan designed by the Kremlin is “imputing a level of insight and ability to understand and predict the U.S. electoral system that certainly no one in the United States has demonstrated,” Hennessey said.
A more likely explanation, she said, is that the hackers were conducting low-threshold espionage and ended up finding information that could be opportunistically released.
The U.S. government has swaths of intelligence and the ability to operate beyond laws that constrain private sector threat assessment companies, said Guerrero-Saade.
“As the public, we should really understand that there’s a lot more at play behind the scenes,” Bartholomew said.
Judging by the practice established by its three previous attribution claims, the government is unlikely to release substantiating evidence, in order to guard U.S. sources and methods.
The world of cyber crime “feels like the Wild West, but it’s not to say that nothing can be known,” Guerrero-Saade said.