Among the most persistent objections to the attribution of the 2016 DNC hack to Russia is the DNC’s refusal to grant the FBI access to its physical server. President Donald Trump raised the issue as recently as last month at the G-20 in Hamburg.
Everyone here is talking about why John Podesta refused to give the DNC server to the FBI and the CIA. Disgraceful!
— Donald J. Trump (@realDonaldTrump) July 7, 2017
But the fact that the FBI didn’t directly examine the server is probably not as big a deal as it might seem. It is not unusual for hacked organizations to decline to turn over the keys to their servers. “This is normal practice,” Matt Tait, a British cybersecurity and intelligence expert, explained. “In cases like this, the onus for digital forensics is on the third-party contracted by the company that’s calling in the incident response team, in this case CrowdStrike.”
The New York Times followed the same approach when it was hacked in 2013, bringing in Mandiant, another cybersecurity firm, to do the analysis work and coordinate with the FBI.
‘An Appropriate Substitute’
For investigators, access to the physical server falls into the “nice to have” category. It isn’t critical. The FBI was provided malware samples from which it could verify CrowdStrike’s findings. In January testimony before Congress, former FBI Director James Comey addressed the issue. “We got the forensics from the pros that they hired which — again, best practice is always to get access to the machines themselves, but this my folks tell me was an appropriate substitute,” Comey said.
It is true that the FBI depended on CrowdStrike’s analysis for some of the technical details. But the attribution of the hack to Russia does not rest solely on CrowdStrike’s findings. Several other cybersecurity firms, including Fidelis, FireEye, SecureWorks, and ThreatConnect, have independently validated CrowdStrike’s conclusions or surfaced additional evidence linking Russia to the DNC hacks.
The FBI also independently detected Russian attacks on the DNC as far back as September 2015. That’s when the FBI notified a DNC IT staffer that hackers suspected of being associated with Russian intelligence services had infiltrated its computer systems. Later, the FBI alerted the DNC that a computer on its network was “phoning home” to Russia. (Some have asked how the FBI could have known this. It is likely that the attacks were detected at the National Cybersecurity and Communications Integration Center (NCCIC) and then relayed to the FBI.)
In addition, the intelligence community’s conclusions were informed by classified sources, including SIGINT intercepts and NSA capabilities. While that evidence is not publicly available, it likely includes intercepted communications between Russian officials discussing the hack and forensics that directly traced the source of the hacks back to Russia. According to Snowden and others, the NSA reportedly has capabilities that allow it to trace internet traffic through the Tor server hops the hackers used to obscure their identity.
More Than a Shred of Evidence
It’s become a common refrain that there is “not one shred of evidence” for Russia’s hacking of the DNC. But that’s just not true. There is extensive evidence establishing Russia’s efforts to influence the outcome of the election. Some of it is classified intelligence reporting, but more than enough is publicly known to verify it.
Here are a few examples of the non-technical forensic evidence that points to Russia. Any one of these details alone might not be conclusive. Combined with other evidence, however, attribution becomes possible once only one threat actor could plausibly fit all of it. In this case, Russia.
- Command and control IP addresses used in the DNC hacks have been used in prior attacks attributed to Russia. For example, the same IP address hard-coded into the malware used in last year’s attack on the CDU in Germany, which was attributed to Russian hackers, was also used in the DNC attack.
- Malware used in the DNC hacks is unique to hackers associated with Russian intelligence services.
- The hackers spoke Russian, operated on St. Petersburg business hours, and used computers with Russian language settings at least some of the time.
- Guccifer 2.0, who claimed responsibility for the hacks, said that he was Romanian. It is now thought that G2 was a fictional persona that served as a cut-out for Russian intelligence agencies. As it turns out, G2 appears to be several different people, none of whom could speak Romanian properly, but all of whom spoke perfect Russian. G2 released documents created on computers with Russian language settings and used the )) emoticon, an idiosyncrasy of Russian internet culture.
- The Bitly account used in the spear phishing attack that snagged John Podesta was also employed in thousands of other hacks, almost all of which were primarily of interest only to the Kremlin.
Russian hacking of the DNC is entirely consistent with Kremlin strategic doctrine. They have conducted similar efforts in other countries. Roy Godson, a professor emeritus at Georgetown University and an authority on American intelligence, explained Russia’s rationale in a recent Senate Intelligence Committee hearing.
“They actually believe, whatever we think about it, that this gives them the possibility of achieving influence well beyond their economic and social status and conditions in their country,” Godson said. “For many, many decades, we did not take this subject seriously, and they were able to take enormous advantage.”
Russian interference in elections makes sense in light of the Kremlin’s strategic objectives. Russia’s primary goal is to deter Western interference in its military operations against weaker neighbors and force Western recognition of a sphere of influence in its near abroad. It seeks to fracture the NATO alliance and foster divisive internal politics in Western countries that constrain policymakers’ ability to counter Russian challenges to Western interests.
There’s more than enough external evidence to rule out the theory that the Russian attribution is solely a CrowdStrike fabrication. To account for all the evidence, you’d have to believe that the FBI, American and foreign intelligence services, the media, and at least three other cybersecurity firms were in on it as well. It is absurd to believe that delegitimizing Trump’s victory provides a sufficiently compelling interest to unite so many actors in a massive conspiracy.
And it’s even harder to believe that a conspiracy so extraordinary in its deviousness and criminality, with so many people involved, would not have been blown open a long time ago by a whistleblower. Secrets that big don’t stay secret for long unless only two people know them and one of them is dead.
We don’t know whether Russian meddling delivered Trump the election, nor do we know that there was any collusion between Trump and the Russians. Anyone who says otherwise is speculating. But it seems certain that the only rational conclusion to be drawn is that Russia did hack the DNC and attempt to interfere with the election. Our focus should be on what to do about it now.