When WikiLeaks began publishing thousands of emails from DNC accounts back in July, it only took a few days for the FBI to start investigating Russia's involvement in the hack. On October 7th, the US government made the rare decision to publicly blame Russia for directing "the recent compromises of emails from US persons and institutions." The DHS declined to state how they came to that conclusion, notes Motherboard, though they probably have data we can't see.
That left the media and researchers to connect many dots, but a pair of extensive pieces published yesterday by Motherboard and Esquire all but concluded that Russia is behind the seemingly disparate hacks. The full story is a complex chain built from the handful of mistakes made by two different groups, nicknamed Fancy Bear and Cozy Bear. It strongly suggests that their separate efforts to break into the email accounts of Podesta, Powell, and members of the DNC and Hillary Clinton's campaign staff were directed by the Russian government.
The first piece of evidence is the shortened URL that Podesta mistakenly clicked on, which redirected him to a phony Google login page where he likely submitted his password. A targeted lure of this kind is known as spear-phishing; the fake page exists only to harvest the credentials typed into it. This truncated link, it turns out, was one of 12,000 created and used by Fancy Bear to target 5,000 individual Google email addresses between March 2015 and May 2016. Attacks at that volume are too broad to be run by hand, so Fancy Bear wrote a program that generated the phishing links automatically and shortened them with the popular URL-shortening service Bit.ly.
The firm SecureWorks, which has been tracking the hacker group for the last year, found that each of the short URLs in question was created by one of the Bit.ly accounts belonging to the group -- but two of those accounts had been left public. That let SecureWorks see the many links they had created, and once the firm worked out how the long URLs were built, it found that each one embedded the target's email address, base64-encoded, in its parameters. By decoding every Bit.ly link the accounts had created, the firm recovered a list of targets, giving it a macro view of the group's extensive and varied spear-phishing campaigns, which included addresses in Ukraine, the Baltics, the United States, China, and Iran, according to Esquire.
SecureWorks built a target portfolio to see who Fancy Bear was working for. Lo and behold, the addresses attacked included a host of military, political, and government leaders in Ukraine, Georgia and other former Soviet states. The group also sent spear-phishing emails to NATO military attachés, diplomatic and military personnel from the US and Europe, and critics of the Russian government from around the world. The pieces started to fit together as the firm identified more similarities between the previous hacks and those targeting Podesta, other members of Clinton's campaign staff and the DNC. Namely, the malware and the command-and-control infrastructure supporting it are specific to the group, acting like calling cards for Fancy Bear, according to SecureWorks' Senior Security Researcher Tom Finney.
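The decoding step described above, written out as an added example in Python. This is not SecureWorks' tooling; it assumes that the expanded phishing URL carried the target's address as a base64 value in a query parameter named `e` (the parameter name, the lookalike host and the sample URLs are all constructed for illustration). It tolerates stripped padding and the URL-safe alphabet, rejects values that do not decode to an address, and aggregates the recovered targets by mail domain, which is the raw material of a "target portfolio". It also flags hosts that mention google.com without actually being under google.com, the lookalike pattern used to make a credential-harvesting page look legitimate.

```python
"""Recover spear-phishing targets from expanded shortener URLs.

Added example, not SecureWorks' code. The URL layout (target email in a
base64-encoded `e` query parameter) and every sample below are constructed.
"""
import base64
import binascii
import re
from collections import Counter
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample long URLs of the kind a shortener expands to.
SAMPLE_LONG_URLS = [
    "http://myaccount.google.com.example-lookalike.invalid/signin?e=YWxpY2VAZXhhbXBsZS5jb20=&fn=QWxpY2U=",
    "http://myaccount.google.com.example-lookalike.invalid/signin?e=Ym9iQGV4YW1wbGUub3Jn",
    # Base64 padding stripped by the generator; the decoder must restore it.
    "http://myaccount.google.com.example-lookalike.invalid/signin?e=Y2Fyb2xAZXhhbXBsZS5uZXQ",
    # Junk value: must be rejected, not crash the pipeline.
    "http://myaccount.google.com.example-lookalike.invalid/signin?e=not%20base64%21%21",
    # No target parameter at all.
    "http://myaccount.google.com.example-lookalike.invalid/signin",
]

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def decode_b64_param(value: str) -> Optional[str]:
    """Decode a base64 query value; accepts URL-safe alphabet and missing padding."""
    value = value.strip().replace("-", "+").replace("_", "/")
    value += "=" * (-len(value) % 4)
    try:
        raw = base64.b64decode(value, validate=True)
        return raw.decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def extract_target(url: str, param: str = "e") -> Optional[str]:
    """Return the target address encoded in `url`, or None if absent or invalid."""
    query = parse_qs(urlsplit(url).query)
    for candidate in query.get(param, []):
        decoded = decode_b64_param(candidate)
        if decoded and EMAIL_RE.match(decoded):
            return decoded.lower()
    return None


def build_target_list(urls: List[str]) -> List[str]:
    """Deduplicated target addresses, in first-seen order."""
    targets: List[str] = []
    for url in urls:
        target = extract_target(url)
        if target is not None and target not in targets:
            targets.append(target)
    return targets


def targets_by_domain(targets: List[str]) -> Counter:
    """Count targets per mail domain: the start of a target portfolio."""
    return Counter(t.rsplit("@", 1)[1] for t in targets)


def looks_like_google_lookalike(url: str) -> bool:
    """True when the host mentions google.com but is not actually under google.com."""
    host = (urlsplit(url).hostname or "").lower()
    if host == "google.com" or host.endswith(".google.com"):
        return False
    return "google.com" in host


if __name__ == "__main__":
    found = build_target_list(SAMPLE_LONG_URLS)
    print("targets:", found)
    print("by domain:", dict(targets_by_domain(found)))
    for u in SAMPLE_LONG_URLS:
        print("lookalike" if looks_like_google_lookalike(u) else "ok       ", u)
```

On real data the expansion step (short link to long URL) comes first; a public Bit.ly account exposes exactly that mapping, which is why the two accounts left public were so costly to the operators.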
"The link to Fancy Bear is very firm, germane to the structures they used before. We track these groups by the toolsets they use, the malware they use because they tend to have bespoke sets of malware that's only used by one group. That tends to be quite discrete, so you can say that if this malware is being used, it's being used by this group," said Finney.
From March to May 2016, SecureWorks saw Fancy Bear sending more spear-phishing emails to people in the US. Because Bit.ly records when its URLs are clicked, the firm could see that of the 108 email addresses targeted at the Clinton campaign in that period, 20 of the malicious links had been clicked; of the 16 targeted at the DNC, four people had clicked, as Buzzfeed reported last week.
SecureWorks released this information in a June 16th report, stating with "moderate confidence" that Fancy Bear's attacks were likely directed by Russia. Most of the group's targets over the preceding year were individuals who were enemies of, or people of interest to, the Russian government.
"The 5,000 emails was quite a big data set," said Finney. "Added together, we can't really think of who else would be satisfied by the kind of information targeted by this group. So that's why we think it's Russia."
But they weren't the only ones paying attention. Fellow firm CrowdStrike released its own report on June 15th after the DNC brought it in to investigate a breach of its network. On July 22nd, WikiLeaks publicly released roughly 19,000 DNC emails that it had acquired.
A persona calling itself Guccifer 2.0 claimed credit as a lone hacker. But CrowdStrike had identified both Fancy Bear and Cozy Bear on the DNC's network, recognizing their tradecraft and the tactics they used to evade detection. While Cozy Bear was content to target whole departments and quietly collect data for years once inside, it was Fancy Bear's more aggressive reconnaissance and intrusion activity that tipped off security experts. Thanks to metadata in the released documents and Russian-language settings, security experts dismissed Guccifer 2.0's claim to be a Romanian national, concluding instead that the persona was most likely a front created by Fancy Bear, or by those acting with it, as a distraction.
Fancy Bear's failure to keep its Bit.ly accounts private gave SecureWorks insight into the group's targets -- which is how researchers identified the link Powell clicked on that led to his email being hacked. This helped them confirm other compromises, like that of Clinton campaign staffer William Rinehart, as The Smoking Gun reported in August. Other groups have been targeted with similarly constructed links, among them Bellingcat, the investigative journalism group examining the destruction of flight MH17 over Ukraine, points out Motherboard.
A third group known as the Shadow Brokers, as detailed by Thomas Rid in Esquire, obtained hacking tools from the NSA itself, specifically from its elite intrusion unit, Tailored Access Operations. The group either compromised a computer that TAO used to stage its own attacks or acquired the assets the old-fashioned way, through a mole. The Shadow Brokers published these tools on GitHub and elsewhere, and security researchers confirmed their authenticity.
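The document metadata and language settings mentioned above live inside the .docx container, which is a zip archive of XML parts. The added example below, in Python, shows how a responder pulls them out: author and last-modified-by fields from docProps/core.xml, and the per-run language tags (w:lang) from word/document.xml. It is not the tooling of CrowdStrike or any of the researchers cited; the document it inspects is built in memory from constructed XML, and its author names, dates and language mix are illustrative values, not those of the Guccifer 2.0 files.

```python
"""Pull authorship metadata and language tags out of a .docx file.

Added example; the sample document below is constructed in memory and its
values are made up for illustration.
"""
import io
import xml.etree.ElementTree as ET
import zipfile
from collections import Counter
from typing import Dict

# OOXML namespaces used by the parts we read.
W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC = "http://purl.org/dc/elements/1.1/"
DCTERMS = "http://purl.org/dc/terms/"

# Constructed docProps/core.xml: creator differs from the last editor, and the
# last editor's name is in Cyrillic ("Редактор" simply means "editor").
CORE_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties xmlns:cp="{CP}" xmlns:dc="{DC}" xmlns:dcterms="{DCTERMS}">
  <dc:creator>analyst-one</dc:creator>
  <cp:lastModifiedBy>Редактор</cp:lastModifiedBy>
  <dcterms:created>2016-06-15T10:00:00Z</dcterms:created>
  <dcterms:modified>2016-06-15T10:30:00Z</dcterms:modified>
</cp:coreProperties>"""

# Constructed word/document.xml: three runs, one tagged en-US, two tagged ru-RU
# (one of them also sets the eastAsia language to ru-RU).
DOCUMENT_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<w:document xmlns:w="{W}"><w:body>
<w:p><w:r><w:rPr><w:lang w:val="en-US"/></w:rPr><w:t>Opposition research</w:t></w:r></w:p>
<w:p><w:r><w:rPr><w:lang w:val="ru-RU" w:eastAsia="ru-RU"/></w:rPr><w:t>Dated notes</w:t></w:r></w:p>
<w:p><w:r><w:rPr><w:lang w:val="ru-RU"/></w:rPr><w:t>Summary</w:t></w:r></w:p>
</w:body></w:document>"""


def build_sample_docx() -> bytes:
    """Assemble a minimal .docx (zip of XML parts) from the constructed XML."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docProps/core.xml", CORE_XML.encode("utf-8"))
        zf.writestr("word/document.xml", DOCUMENT_XML.encode("utf-8"))
    return buf.getvalue()


def core_properties(docx_bytes: bytes) -> Dict[str, str]:
    """Authorship and timestamp fields from docProps/core.xml ("" when absent)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("docProps/core.xml"))
    fields = {
        "creator": f"{{{DC}}}creator",
        "last_modified_by": f"{{{CP}}}lastModifiedBy",
        "created": f"{{{DCTERMS}}}created",
        "modified": f"{{{DCTERMS}}}modified",
    }
    return {name: (root.findtext(tag) or "") for name, tag in fields.items()}


def language_tags(docx_bytes: bytes) -> Counter:
    """Count every language value carried by w:lang elements in the body text."""
    counts: Counter = Counter()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("word/document.xml"))
    for lang in root.iter(f"{{{W}}}lang"):
        for attr in ("val", "eastAsia", "bidi"):
            value = lang.get(f"{{{W}}}{attr}")
            if value:
                counts[value] += 1
    return counts


if __name__ == "__main__":
    doc = build_sample_docx()
    for key, value in core_properties(doc).items():
        print(f"{key:>17}: {value}")
    print("language tags:", dict(language_tags(doc)))
```

On a real file the same two parts are read straight from disk; word/styles.xml and word/settings.xml carry further language defaults worth collecting, and none of these fields is authenticated, so they are a lead for an investigator rather than proof, which is the point the article's discussion of false flags goes on to make.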
Meanwhile, Cozy Bear had been using some 200 Microsoft OneNote cloud storage accounts to "exfiltrate" data back to Moscow, according to Rid. Microsoft provided information to US digital spies to help them confidently identify the DNC hackers as Russian.
These data points, combined with the nigh-unprecedented move by the DHS of openly blaming Russia for these and other hacks, strongly suggest that the Russian government orchestrated a multi-armed campaign to gather documents germane to the US presidential election. But once the stolen emails are made public on WikiLeaks and begin to move public opinion, as Rid describes in Esquire, the campaign looks less like espionage and more like an attempt to influence the outcome of the election.
In the digital intrusion trade, hackers are known to plant diversions to misdirect investigators. These "false flags" may even be patterned after tactics known to be used by other countries' teams. A presentation by Kaspersky Lab at this year's Virus Bulletin security conference pointed out how effective this misdirection can be. According to a summary of the talk by Summit Route's Scott Piper:
"In one case, of an assumed Russian [advanced persistent threat] actor, it identified researcher systems running the first stage malware, so it sent down Chinese APT to the researchers as the second stage to throw them off, while sending down their real second stage to the actual victims.
In a similar case, when Turla (also Russian APT) worried they'd been detected, as they were pulling out their malware, they sent down a rare Chinese malware named Quarian for the IR team to investigate. This both gave them time to cover their own tracks, while at the same time burning China's toolset."
Ergo, there's a chance that security experts and journalists could wrongly attribute cyber attacks, even with good evidence. Remember the Sony megahack, where the US government initially declined to blame North Korea, then did, and the security community never decisively agreed?
Hence SecureWorks' "moderate confidence" that Russia is behind these hacks, a level which generally means that "the information is credibly sourced and plausible but not of sufficient quality or corroborated sufficiently to warrant a higher level of confidence." In that middle ground, the firm can't definitively say that it was Russia, but it can illustrate how ludicrously difficult it would be to frame Russia by fabricating a Fancy Bear operation and targeting so many individuals over a year and a half, said SecureWorks' Finney.
"I base my assessment on the evidence. I go back to the overwhelming evidence, I think, of the targeting of this particular group. So we have 5,000 email accounts that were targeted. That's very difficult to make a false-flag operation, to target 5,000 email accounts to make it look like the Russians," said Finney.
SecureWorks doesn't have the means or resources of an intelligence agency to definitively prove in a criminal case that Russia was behind the hacks, said Finney. For their business, they examine circumstantial evidence to arrive at conclusions. That's the benefit for security firms of doing so much research in order to attribute blame: now that they know with confidence the attackers' motivations and tactics, SecureWorks can make recommendations to shore up their clients' security. Against a spear-phishing campaign like this, where attackers dupe targets into giving up email passwords, said Finney, clients can increase their protection by taking steps as simple as turning on two-step authentication. One caveat worth adding: a one-time code typed into the same phony login page can be relayed by the attacker in real time, so codes sent by SMS or generated by an app raise the bar without removing the risk; a second factor bound to the site's origin, such as a FIDO U2F security key, does not work on a lookalike domain and so defeats the lure outright.