Conspiracy theories sprout like mushrooms in the fertilized hothouse known as Twitter. Today, in the wake of news reports that Russian hackers stole Trump opposition research from the Democratic National Committee, Twitter is abuzz with speculation that Russia carried out the operation on behalf of Donald Trump. After all, why else would Russia want those files? After all, aren’t Putin and Trump BFFs? By #twitterlogic it must be true.
DNC called in CrowdStrike to investigate the breach. CrowdStrike president (and former FBI investigator) Shawn Henry publicly stated this hack fits a larger pattern of ongoing nation-state espionage against US targets. Russia wants the Trump Files for the same reason it wanted files it stole from the White House, State Department, Hillary Clinton, John McCain, and others. Putin does seem to be rooting for Trump, but that doesn’t prove anything.
In a blog post today, CrowdStrike co-founder Dmitri Alperovitch confirmed attribution of the DNC breach to Russia, identifying two hacker groups with suspected ties to rival Russian intelligence services. The groups, dubbed Cozy Bear and Fancy Bear, have a long history of cyber espionage against US targets. Forensic evidence indicates Cozy Bear penetrated DNC systems as long as a year ago, with Fancy Bear carrying out a separate intrusion last April.
Fancy Bear is believed to be the group that stole the Trump Files, delivering XAgent malware to an unsuspecting DNC staffer. Interestingly, XAgent has been the weapon of choice in an ongoing series of cyber-attacks dating back to 2014, dubbed Operation Pawn Storm by Trend Micro, widely attributed to Russia.
The DNC breach appears to be part of the Pawn Storm operation that has been underway for at least two years, well before Donald Trump announced his candidacy. That doesn’t mean Putin won’t take a particular interest in the Trump Files, and may even try to use them to influence the US election. But the notion that the hackers were working on behalf of Trump is far-fetched. Without convincing evidence, it fails to pass the Sagan’s Razor test. So much for #twitterlogic.
Donald Trump has been conspicuously silent on cybersecurity issues (except for one occasion when he made an accusation against China). He even remained silent on cybersecurity when hacktivist group Anonymous published Trump’s social security number last March and then launched all-out "war" against his campaign in April.
We hope this latest incident will finally move Mr. Trump to take a policy position on cyber issues currently before the US Congress such as active defense, intel sharing, and breach disclosure. While Ms. Clinton had security lapses with her email server and reportedly fostered an “anti-security culture” at the State Department, at least she publicly acknowledges the importance of sound cyber policy. After this DNC breach, she probably feels it more acutely than ever.
UPDATE 6/18/16: A hacker called Guccifer 2.0 now claims to be the DNC breach perpetrator.
Snopes has a good summary of recent competing claims. Bolstering Guccifer 2.0's claim is Julian Assange's announcement that he received documents damaging to Hillary Clinton at about the time Gucci 2.0 says they turned over a large cache of DNC exfil to WikiLeaks.
On the other hand, CrowdStrike is the only group with direct access to forensics inside the DNC network, so their attribution to Russian intelligence groups is credible. And Crowdstrike's claim is bolstered by Russian metadata discovered by Gawker in leaked DNC documents. It could have been fabricated to mislead investigators but that's not really Gucci's M.O.
It's possible the DNC was breached three times (Cozy Bear, Fancy Bear, Guccifer 2.0). It's also possible the Russians gave documents to Gucci 2.0 as a smoke screen, or even fabricated the existence of Gucci 2.0. We may never know the full story, but this reminds us again why attribution is so difficult.
UPDATE 12/9/16: CIA reported to Congress today that Russian government hackers were trying to help Trump win the election. A cyber counterattack could still come before Trump is sworn in.
Michael McCormick is in information security consultant, researcher, and founder of Taproot Security.