This week President-elect Donald Trump questioned: 1) President Obama’s finger-pointing at the Russians for election-related cyberattacks; and 2) the current media and pundit frenzy alleging a Russian cyber-strike targeting Secretary Hillary Clinton in order to assure a Trump presidency. Having worked since 1995 as a first-responder to cyber-attacks, including serving 11 years as Chief of the SEC’s Office of Internet Enforcement, I wholeheartedly agree with President-elect Trump. His skepticism is not only appropriate and warranted — it’s spot-on.
My take is that given the inherent subjectivity of intelligence regarding cyber-attacks and the differing interpretations of malware reverse engineering and other circumstantial digital evidence, a healthy dose of skepticism about Russian attribution makes perfect sense.
“Some of the cited circumstantial digital evidence relating to the DNC hacks, while important and useful, also raises some fairly obvious caveats and questions, including:
- The attacker or attackers registered a deliberately misspelled domain name used for email phishing attacks against DNC employees, connected to an IP address associated with Fancy Bear. (But aren’t misspelled domains a cornerstone of phishing attacks all over the world?);
- The actual clock times of the phishing schemes correlated with “business hours” in Russia and St. Petersburg time zones. (But couldn’t Russian hackers just as easily orchestrate their schemes from a different time zone or digitally forge time-stamps? Also, don’t hackers notoriously work at all hours of the day and night from any location they prefer?);
- Malware found on the DNC computers was programmed to communicate with an IP address associated with Fancy Bear. (But would a sophisticated state sponsor of cyber-attacks be so incompetent as to use an IP address tracing back to their homeland?);
- The DCLeaks.com domain was registered by a person using the same email service as the person who registered a misspelled domain used to send phishing emails to DNC employees. (But are the poor spelling habits of foreign spies truly evidence of their culpability and motive?);
- Based on some sort of linguistic analysis, experts believe that Guccifer 2.0, the purported Romanian hacker who loudly and boldly claimed responsibility for the DNC hacks, was actually a Russian agent, posing as a Romanian in order to cover up Russia’s own hack and spread disinformation. (But other experts disagree, including M.J. Connolly, a professor of Slavic and Eastern European linguistics at Boston College, who says that many of Guccifer 2.0’s language traits are not Russian and that Guccifer 2.0 was more likely Moldovan. Whatever the origins of Guccifer 2.0, isn’t this evidence better suited for a Robert Ludlum spy novel or bad episode of The Americans, rather than a bona-fide government intelligence conclusion?);
- The code in malware and tools of the DNC hacks appears to have been regularly and professionally updated and maintained while utilizing a sophisticated platform, suggesting a Russian operation funded to provide long-term data espionage and information warfare capabilities. (But isn’t it common practice for hacking coders to update their software and tool kits as defenses change, i.e., isn’t that a prerequisite for all kinds of successful hacking?);
- Metadata in a file leaked by “Guccifer 2.0” shows it was modified by a user called “Felix Edmundovich,” a reference to the founder of a Soviet-era secret police force. Another document contained Cyrillic metadata indicating it had been edited on a document with Russian language settings. (But is this how a sophisticated government spy ring behaves — sloppily leaving behind blatant, inculpatory evidence in plain view?);
- Spear-phishing, the original hacking method used against the DNC, is the same method Fancy Bear uses to initiate its hacking operations. (But spear-phishing is used in some form by just about every hacking group, because it is proven to be the most effective way to inject malware onto a network in order to obtain command and control capabilities.);
- Some of the phishing emails were sent using Yandex, a Moscow-based webmail provider, which indicates Russian involvement. (But Yandex is the Russian equivalent of Google — is its use in the DNC hack truly that compelling?); and
- A bit.ly link believed to have been used by Fancy Bear in the past was also used in the spear-phishing scheme that purportedly tricked John Podesta into giving up his Gmail password. (But does Fancy Bear own some sort of criminal patent on their malware, so other hackers cannot ever use their tools and techniques?)”