Research shows Russia behind DNC email breach?

Can we put politics aside in order to understand forensic investigations in high profile breaches

[Photo: DNC 2016 crowd. REUTERS/Rick Wilking]

Last week I pontificated about the lingering questions I had after talking with cybersecurity experts who offered their opinions on whether Secretary Clinton's private server had been hacked. 

The common sentiment was that there was a strong likelihood that her emails had been hacked but that we ought not expect to see evidence of a breach because the culprits were most likely nation state actors who are too sophisticated to leave any traces of evidence.

Apparently, that's not completely accurate. As events at the DNC unfold, the headlines in all the major news sources continue to report that Russians were most likely the ones who hacked into the DNC emails. Robby Mook, campaign manager for Hillary for America, told CNN, "What's disturbing to us is experts are telling us that Russian state actors broke into the DNC, stole these emails and other experts are now saying that the Russians are releasing these emails."

In a June blog post, CrowdStrike CTO Dmitri Alperovitch wrote, "We deployed our IR team and technology and immediately identified two sophisticated adversaries on the network – COZY BEAR and FANCY BEAR. We've had lots of experience with both of these actors attempting to target our customers in the past and know them well. In fact, our team considers them some of the best adversaries out of all the numerous nation-state, criminal and hacktivist/terrorist groups we encounter on a daily basis."

Alperovitch detailed the mechanisms and techniques that these malicious actors used, all of which was learned through the investigation they conducted. That, to me, sounds like security experts being able to identify indicators of compromise from nation state actors.

Fox News reported, "Director of National Intelligence James Clapper has said U.S. officials have seen indications of foreign hackers spying on the presidential candidates, and that they expect more cyberthreats against the campaigns."

As the investigation continues to unfold, experts are weighing in with answers to who did what and when, and they are hypothesizing about why. Former special agent in charge of the FBI's NY cybercrime division and CSO of Cryptzone, Leo Taddeo, shared his thoughts based on the findings thus far. (Please note that these comments reflect Taddeo's personal thoughts and not those of Cryptzone.)

Taddeo said, "I believe the research that shows Russian state actors hacked into the DNC email servers and extracted the emails and other documents. There is a basis to believe Russian state actors passed some of the stolen material to Wikileaks to influence US policy towards Russia."

Contrary to what is being reported, said Taddeo, this is not Putin trying to help Trump. "Putin and his leadership are trying to influence Clinton and her future stance toward Europe's missile defenses and NATO expansion."

Like many other experts, Taddeo said, "There is credibility in the assertion that Russian state actors are behind the hack and the leak to Wikileaks."

Reuters reported, "A U.S. official who is taking part in the investigation said that intelligence collected on the hacking of Democratic National Committee (DNC) emails released by Wikileaks on Friday 'indicates beyond a reasonable doubt that it originated in Russia.'"

All of this, yet there is no evidence that Clinton's emails were compromised, because nation state actors are so sophisticated that we wouldn't expect to find any evidence of their intrusion.

If Secretary Clinton's emails were hacked, and they were likely hacked by nation state actors, and those nation state actors are so sophisticated that experts expect to see no evidence of their intrusion, why then is there evidence beyond a reasonable doubt that Russia is behind the DNC email hack?

For those who are new to security and trying to wrap their heads around detection, forensic investigations, and incident response, the contrasting expert claims (evidence points to Russia in one case, but there would likely be no evidence pointing to Russia in another) are confounding.

Politics aside, cybersecurity is and will continue to be a matter of national security. Rather than using these high-profile breaches as an opportunity to instill fear, uncertainty, and doubt, let's focus on what security practitioners need to know in order to identify the adversaries, because clearly, even nation state actors leave some evidence in their wake.

Copyright © 2016 IDG Communications, Inc.
