
Risk & Repeat: Was the DNC hack an inside job?


In this week's Risk & Repeat podcast, SearchSecurity editors examine claims from intelligence veterans that the DNC hack was an inside job, and not the work of Russian hackers.

A group of veteran intelligence officials presented a new theory about the Democratic National Committee hack, but the technical evidence behind it appears to be lacking.

The group, known as Veteran Intelligence Professionals for Sanity (VIPS), recently published an open letter to President Donald Trump arguing that the DNC hack was not perpetrated by Russian hackers but by an insider. The inside-job theory had circulated over the past year, but it carried little weight, if any, before the VIPS letter.

The organization claimed that, based on technical evidence provided by two independent security researchers, the nearly 20,000 emails were downloaded from the DNC at a speed of 22.7 megabytes per second (roughly 180 megabits per second). VIPS and its researchers argue that this speed is simply too fast for a remote network connection and that the data must therefore have been copied locally onto an external storage device, such as a USB drive.

In addition to arguing that the DNC hack was an inside job, VIPS made the more explosive claim that the "Russian fingerprints" were deliberately fabricated to blame the incident on Russian state-sponsored hackers.

Several publications, including The Nation, picked up the VIPS letter, which challenges the FBI and CIA's assessment of the DNC hack. However, a number of infosec experts have debunked the VIPS theory and refuted the technical evidence that allegedly points to the DNC hack being an inside job.

Who are the independent security researchers VIPS used to build this case? What is the technical evidence that led VIPS to believe the DNC hack was an inside job? Why is this so-called evidence misleading? SearchSecurity editors Rob Wright and Peter Loshin discuss those questions and more in this episode of the Risk & Repeat podcast.

I must say I was very disappointed with your commentary. You rebut the download speed argument by suggesting that the hacker "could have been working with a janitor"??!! There is absolutely nothing to suggest this. Your comments are utter speculation.

Second, you state (with no proof) that the download speed of the pilfered data was "consistent with fast ethernet." Actually, it wasn't. The Nation (and the underlying report) demonstrated that it exceeded available download speed over a remote connection. If you're going to rebut that, do it with data.

Third, you mention that as a remote hacker, you could download within the remote system at speeds faster than remote ethernet access speeds. You fail to mention, however, that the only outfit to examine the DNC server (Crowdstrike) found no evidence of this -- at least none that they reported.

Finally, you rely on the "17 intelligence agencies" theory?? Really? Have you not been reading the news? There are no "17 intelligence agencies." There are 3, none of whom actually examined the server in question, and whose non-classified conclusions are based on the "high confidence" interval.

Candidly, your lack of knowledge about the subject matter suggests: (a) you didn't read the Crowdstrike report; (b) you didn't read the intelligence assessment; and (c) you likely didn't read the full text of the Nation article (or you wouldn't have made so many basic errors).

Thanks for the feedback. Lots to get to here so I'll go in order...

1. The janitor comment -- we *know* there's no evidence this happened. THAT WAS THE POINT. We're arguing that the "evidence" cited in the VIPS report doesn't provide any proof one way or another.

2. We DID rebut that with data -- as mentioned in the podcast, a number of ISPs offered speeds *in excess* of 200 Mbps/22.7 megabytes per second *prior to 2016*. I actually cited specific ISPs and service packages in the recording, so I'm not sure why you're claiming I stated this with "no proof." I'm confident if you do a quick Google search you will find similar results.

3. I did read the Crowdstrike report -- many times, in fact – and if you're claiming that Crowdstrike found no evidence of remote hackers then I have to question whether *you* have read the report. Not only do Cozy/Fancy Bear have a distinguished history of using remote access tools, the report distinctly states that Crowdstrike found Agent X malware on the network as well as evidence of remote access commands.

And if that isn't enough for you, I'll refer you back to a point made in the podcast courtesy of Rob Graham – the timestamp for the 22.7 Mbps download was months AFTER the initial intrusion was detected and addressed by FireEye.

4. There actually *are* 17 distinct intelligence agencies within the federal government. It's true that they didn't all attest to the attribution case against Russia, and that only four major agencies (FBI, CIA, NSA and the Office of the Director of National Intelligence) did. But nevertheless, there are 17.

In closing, as stated in the podcast, I'm open to alternate theories about what happened with the DNC hack. What I'm not open to, however, are articles like the Nation's and others that make outlandish claims based on misunderstood technical "evidence." You can defend the article all you want, but I haven't seen a single subject matter expert in the infosec space – besides the two anonymous researchers working with VIPS – that has lent ANY credibility to the claims in that article or the underlying letter from VIPS. Not one.


At some level, the hack involved copying. The copying entity (call it "target") would have determined the final timestamp. The copied entity (call it "source") would have determined the initial timestamp. One would need the timestamps from *both* source and target to get a difference, by which to calculate a required download bandwidth. But what about the *system clocks* on these two computers (possibly identical)? (It begs the question to *assume* that one computer both was the source and made the copies - that is exactly the point in contention.) Suppose the computers used different clocks in their NTP configurations. Or, worse, suppose one was a hacker's computer which, in an attempt to improve operational security, didn't use NTP at all? The system clocks could be *wildly* un-synchronized. It could easily be the case, for example, that the source computer's clock was sufficiently advanced (i.e. moved forward relative to the target's clock) that the copy job appeared to be impossible over a pipe of average bandwidth. The general point is that timestamps are forensically weak (for more reasons than just this one) and so unable to sustain the argument made by VIPS.

1. "Working with a janitor" is an insider attack, not a hack.

2. 200 Mbps is a raw data transfer speed; file-transfer protocols rarely achieve more than 2/3 of overall bandwidth.

3. Cozy Bear and Fancy Bear may have a distinguished history of hacking tools, as does the NSA, but leaving behind forensic evidence a ten-year-old could find isn't part of that history. And it certainly doesn't prove your rigid assumption that Agent X was the exfiltration mechanism; perhaps you think it blocks thumb drives? Also, if the download was so much later than when FireEye detected the intrusion - why shouldn't I assume that the document exfiltration had nothing to do with the intrusion?

4. If you knew the report was signed not by all "17 intel agencies," why did you mention them?

I really do not think you are open to alternate theories at all. The December intel report starts with exhaustive hand-waving and ass-covering about attributing covert cyber activity to anyone. You ought to be as cautious. For an info security professional to give up your critical thinking about a government report is ridiculous.

Thanks for the feedback. Again, I'll do this in order...

1. I know it's an insider attack, but a) the point was to say the evidence highlighted by VIPS doesn't explain it one way or another, and b) an insider threat could have delivered the malware but not performed the actual exfiltration/download, as many organizations have protections in place to prevent the printing/downloading of massive amounts of data (see the recent example of the NSA docs and Reality Winner).

2. I'm not sure why you think that makes the VIPS claim any more sound since there were at the time of the hack commercially available download speeds that far exceeded that rate.

3. First, on Cozy/Fancy -- if they covered their tracks so well previously, then why were Crowdstrike, SecureWorks, Mandiant, Threat Connect and others able to clue in on them as a Russian APT group PRIOR to the DNC hack? And second, the intel community in general and Comey specifically have said on several occasions that during the course of the election season, the hackers stopped trying to hide their attacks. Also, on the download date -- security folks like Rob Graham have noted it's typical for hackers to transfer files and data AFTER the attack from one staging server or cloud service to another.

5. I didn't mention the 17 agencies, my co-host did. And it was in jest, though I acknowledge it didn't come across that way.

Finally, you can dismiss the intel community assessment, which is admittedly thin on details. And you can poke holes in CrowdStrike's report as well. But what you and others are asking me to believe is essentially this: that the DNC, an organization that was clearly suffering from a poor infosec posture, was so dumb that they allowed an insider threat to download 20,000 emails, but yet so smart that they found a way to falsely implicate Russian threat actors by doctoring evidence and placing fake "fingerprints" on the available evidence and fool not only CrowdStrike and the other security vendors mentioned previously but the FBI, CIA and NSA. Or you're asking me to believe this is all one big conspiracy by the above parties, and that the network intrusions and database hacks of state election systems across the country were just a coincidence. Like I said, I'm open to new theories. But download speeds? That ain't gonna cut it.

1. The point of your article is to cast doubt on the possibility this was an inside job. You just backtracked very seriously on this goal.

2. Transfer from DNC would be an upload, not a download, and again the bandwidth could be heavily compromised by other network activity.

3. Russian spy agencies are not infallible in covering their tracks, but whoever hacked the DNC, the evidence they left was blatant. And the notion that a proficient nation-state actor would suddenly stop bothering to cover its tracks while interfering with an election is flat-out ridiculous. Anti-cybercrime defenses have been ramping up for three years, and attackers drop their guard just as the election is ramping up? Not if they are pros.

5. Who said the DNC altered the fingerprints to cover tracks? If you were a leaker who did not want to be found out, or if you were an intermediary between the leaker and wikileaks, perhaps you would do that. Consider every step of every possible path from capture to exfiltration to wikileaks to CrowdStrike. Along many of those paths, especially insider paths, there's big incentive to cover one's tracks. Remember the Vault 7 dumps included evidence that at least the CIA was doing such obfuscation. Of course, if the FBI had performed a full forensic analysis rather than CrowdStrike, we would know more. But seemingly neither Comey nor DNC were much motivated to do this. Whether CrowdStrike is expert or honest or not, they were not the people to do this. They were paid by the DNC. Unlike the DNC, the Departments of Justice and State cannot legitimately publish conclusions or take action on a hack based on a third party; they need an investigation of the servers by law authorities.

Why are you approaching this topic from the prejudged assumption of Russian hacking? Why is it necessary to disprove Russian hacking, rather than evaluate the possibilities? It's certainly possible that it was an inside leak - this site is full of warnings about insider threats. We don't have to assume Julian Assange was lying when he said he didn't hack it, but that it was leaked. Now the point about file transfer speed could be valid - or it might not. It could certainly revive the likelihood of an external hack. But it wouldn't make it the only explanation. I would like to see at least four names attached to the "number of security experts" you cite, not just Robert Graham. The VIPS group, you may note, has a track record dating from the Iraq War WMD debate. Inconsistent and invalid document metadata certainly blows away the attribution of those documents to Russia or to anywhere else. Not that the Russians would ever be such stupid clowns as to leave that metadata in an Office document, or to leave undeleted a phishing email by which they breached Podesta's account. For me, I'm about 75% concluding that someone within DNC saw the disgusting things Podesta was involved with, thought it should be exposed, and figured Wikileaks was the only option.

I wish I had read your second comment before replying to your first, because frankly, I probably wouldn't have bothered replying at all. I'm not going to engage someone that peddles the Podesta conspiracy nonsense, so thanks for your time and kindly take your nonsense elsewhere.
Which conspiracy nonsense? All of the Podesta emails were acknowledged as genuine, and you may not find them as repulsive as I do - there's no "conspiracy" here.
If you really need me to spell out that I won't indulge your pizzagate accusations, then fine. It's stated for the record. Please move on and find another place to discuss that nonsense.

What pizzagate? The Podesta emails were revolting, I never bought into the pizzagate crap. But a Bernie supporter working for DNC could be furious at the party fixing the primary for Hillary, and very well might leak emails including those that document that.
1) My misunderstanding. Apologies. 2) Political arguments aside...so again -- Crowdstrike is on the take because the DNC paid them, and so is SecureWorks (which did the Podesta phishing email investigation)? So not one reputable infosec firm is willing to compromise its values and risk its reputation with false findings, but now it's two? Come on, man. Be reasonable.
No, any private entity is just the wrong entity to do the investigation of a criminal and possibly international espionage action. Whether you or I trust it or not, the only party with the explicit authority to investigate crime of this nature is the FBI. You have to take proper forensic images of all the computers. This is not a secret event to be discreetly investigated, and the FBI certainly has very well-defined disclosure rules regardless. I do fault any security firm for not demanding FBI involvement. This isn't a time to be another security company to use a commercial or private breach to build up some reputation. I may not know the ins and outs of those types of security firms, but I can't believe on the one hand that these hacks were so serious that we doubt our electoral processes, but on the other hand that they weren't serious enough for law enforcement to be involved.
Respectfully, your views on who should or shouldn't do these investigations are irrelevant. Private sector companies DID perform the forensic investigations in these two incidents. So I'm asking you -- are you arguing that they are lying and conducting a cover-up? Or are you arguing that they simply are wrong and an anonymous dude named the "Forensicator," with no identity and no professional credentials, is actually right?

Well, to me it means they did not follow an appropriate professional procedure. CrowdStrike, of course, is not spotless after falsely claiming Russian cyberattacks disabled 80% of Ukrainian artillery of a particular type. And as the December Intel report said, attributing cyber attacks is an extremely difficult thing to do, and the certainty of attribution claimed by these reports is much higher than seems appropriate. Are they dishonest? I don't know. But in my opinion the VIPS report simply rephrases possibilities that I find extremely plausible: that the hacks were insider jobs. I don't think this article meets its fundamental purpose: it does not cast any substantial doubt on that possibility, certainly not by demonstrating conclusively that it was undeniably a Russian-backed hack.