Russian government hackers leaked DNC e-mails: Cybersecurity experts

Russian hacking of the DNC
Patrick Tucker, writing in Defense One, quotes cybersecurity experts who say that the evidence suggests that a Russian intelligence group was the source of the most recent Wikileaks intel dump.

“Considerable evidence shows that the Wikileaks dump was an orchestrated act by the Russian government, working through proxies, to undermine Hillary Clinton’s Presidential campaign,” Tucker writes.

Tom Kellermann, the CEO of Strategic Cyber Ventures, agrees. “This has all the hallmarks of tradecraft. The only rationale to release such data from the Russian bulletproof host was to empower one candidate against another. The Cold War is alive and well,” he told Defense One.

Tucker notes that there were two hacks of the DNC by Russian intelligence groups: one group, FANCY BEAR or APT 28, gained access in April. The other group, COZY BEAR (also called Cozy Duke and APT 29), first breached the network in the summer of 2015.

Cybersecurity firm FireEye learned of the existence of the APT 29 group in 2014, and in a report published in July 2015 offered detailed evidence of the Kremlin’s connection to the group: “We suspect the Russian government sponsors the group because of the organizations it targets and the data it steals. Additionally, APT 29 appeared to cease operations on Russian holidays, and their work hours seem to align with the UTC +3 time zone, which contains cities such as Moscow and St. Petersburg,” FireEye wrote.
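The working-hours and holiday observations FireEye cites are an activity-timing analysis: take the UTC timestamps of intrusion events, find the UTC offset under which they best fit a normal workday, and check whether activity stops on the public holidays of the candidate region. The Python below is an added example, not code from Defense One, FireEye or CrowdStrike; the event list is constructed sample data, and the 09:00-18:00 workday model and the one-entry holiday calendar are assumptions the analyst supplies. Timing evidence of this kind is circumstantial (an actor can shift its schedule), which is why FireEye presents it alongside targeting and stolen-data evidence rather than on its own.

```python
"""Activity-timing analysis: infer an intruder's likely working time zone
from event timestamps and check for gaps on candidate public holidays.

All timestamps below are CONSTRUCTED sample data, not real telemetry.
"""
from collections import Counter
from datetime import date, datetime, timedelta, timezone


def build_sample_events():
    """Construct UTC-stamped events (e.g. C2 check-ins): one per hour from
    06:15 to 14:15 UTC on weekdays 2015-06-08..2015-06-19, with 2015-06-12
    deliberately left empty to simulate a holiday pause."""
    events = []
    day = date(2015, 6, 8)
    while day <= date(2015, 6, 19):
        if day.weekday() < 5 and day != date(2015, 6, 12):
            for hour in range(6, 15):
                events.append(datetime(day.year, day.month, day.day,
                                       hour, 15, tzinfo=timezone.utc))
        day += timedelta(days=1)
    return events


SAMPLE_EVENTS_UTC = build_sample_events()

# Holiday calendar for the hypothesis under test (UTC+3). Russia Day,
# 12 June, is a real public holiday; which dates to test is an analyst
# input (an assumption of this example), not something derived from data.
CANDIDATE_HOLIDAYS = {"2015-06-12": "Russia Day"}


def hourly_activity(events, offset_hours):
    """Histogram of event counts by local hour-of-day under a UTC offset."""
    tz = timezone(timedelta(hours=offset_hours))
    return Counter(e.astimezone(tz).hour for e in events)


def working_hours_fraction(events, offset_hours, start=9, end=18):
    """Share of events whose local hour falls inside [start, end)."""
    hist = hourly_activity(events, offset_hours)
    inside = sum(n for h, n in hist.items() if start <= h < end)
    return inside / len(events)


def best_fit_offset(events, start=9, end=18):
    """Return (offset, fraction) for the UTC offset in -12..+14 under which
    the largest share of events lands in the nominal workday. Ties go to
    the offset closest to UTC so the answer is deterministic."""
    best = max(range(-12, 15),
               key=lambda off: (working_hours_fraction(events, off, start, end),
                                -abs(off)))
    return best, working_hours_fraction(events, best, start, end)


def holiday_gaps(events, offset_hours, holidays):
    """ISO dates of candidate holidays that are weekdays inside the observed
    span but show zero activity on the local calendar date."""
    tz = timezone(timedelta(hours=offset_hours))
    active_days = {e.astimezone(tz).date() for e in events}
    first, last = min(active_days), max(active_days)
    gaps = []
    for iso in holidays:
        d = date.fromisoformat(iso)
        if first <= d <= last and d.weekday() < 5 and d not in active_days:
            gaps.append(iso)
    return sorted(gaps)


if __name__ == "__main__":
    off, frac = best_fit_offset(SAMPLE_EVENTS_UTC)
    print(f"best-fit offset: UTC{off:+d} ({frac:.0%} of events in 09-18 local)")
    print("holiday gaps:", holiday_gaps(SAMPLE_EVENTS_UTC, off, CANDIDATE_HOLIDAYS))
```

On the constructed data the best fit is UTC+3 with every event inside the local workday, and 2015-06-12 is the only candidate holiday with no activity. On real telemetry the fraction is never 100% and neighbouring offsets (UTC+2, UTC+4) score close, so the result is a hypothesis to corroborate with other evidence, not an attribution by itself.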

Tucker notes that the same group hacked the computer systems of the State Department, the White House, and the civilian e-mail of the Joint Chiefs of Staff.

In his blog post on the DNC breaches, CrowdStrike’s CTO Dmitri Alperovitch wrote: “We’ve had lots of experience with both of these actors attempting to target our customers in the past and know them well. In fact, our team considers them some of the best adversaries out of all the numerous nation-state, criminal and hacktivist/terrorist groups we encounter on a daily basis. Their tradecraft is superb, operational security second to none and the extensive usage of ‘living-off-the-land’ techniques enables them to easily bypass many security solutions they encounter.”

Tucker reports that an individual going by the moniker Guccifer 2.0 claimed that he was the hacker who broke into the DNC systems and gave the e-mails to WikiLeaks, but CrowdStrike said they were confident in their analysis: “These claims do nothing to lessen our findings relating to the Russian government’s involvement, portions of which we have documented for the public and the greater security community.”

Other cybersecurity firms looking at the data reached the same conclusions CrowdStrike reached (see the analysis by Dan Goodin in Ars Technica, and by Lorenzo Franceschi-Bicchierai in Motherboard).

In fact, experts note that the very intervention by Guccifer 2.0 lends credence to the conclusion that Russian government hackers were behind the hacking of the DNC systems: Russian intelligence often throws a smoke-screen around its operations by creating actors who take responsibility for certain operations, or “eye witnesses” who offer “evidence” supporting the Russian version of events (see Christopher Paul and Miriam Matthews, The Russian “Firehose of Falsehood” Propaganda Model: Why It Might Work and Options to Counter It [RAND, 2016]).

WikiLeaks’s carelessness – and worse
Tucker notes that the hacking of the DNC by Russian government hackers, and the use the Russian government is making of WikiLeaks to advance Russian policy goals (in this case: increase division among Democrats in order to help Trump win the presidency), are worrisome.

WikiLeaks calls itself a “library of mass education,” but strong advocates of government transparency, limits on government surveillance, and privacy protection say that WikiLeaks is now not only careless in its handling of leaked information, but a willing tool of unsavory actors.

Thus, the thousands of DNC e-mails the Russian government hackers provided WikiLeaks contained not only the politically sensitive staff exchanges about Sanders, but also a large amount of personal information about Democratic donors. This personal information – social security and credit card numbers – had nothing to do with the way the DNC conducted itself during the Democratic primaries, but “This suggests that Wikileaks didn’t perform a thorough analysis of the documents before they released them, or simply didn’t care,” Tucker writes.

The way WikiLeaks now conducts itself is troublesome for more than the careless handling of personal information. Cybersecurity expert Bruce Schneier calls it organizational doxing, and Lawfare’s Nicholas Weaver calls this the weaponization of Wikileaks.

“Wikileaks doesn’t seem to care that they are being used as a weapon by unknown parties, instead calling themselves a ‘library of mass education’. But the rest of us should,” Weaver writes.

“The evidence so far suggests it’s a weapon that Putin used to great effect last week,” Tucker concludes.