The DNC attack was originally attributed to hackers working for the Russian government, but a lone attacker has come forward and put that cyber attribution under question.
The basics of the story don't change: At some point over the past year, the Democratic National Committee (DNC) network was compromised and CrowdStrike was called in to investigate the attack in May 2016. But, after that, the stories get more difficult to parse.
Dmitri Alperovitch, co-founder and CTO of CrowdStrike, wrote in a blog post that the company "immediately identified two sophisticated adversaries on the network -- COZY BEAR and FANCY BEAR," and said that "both adversaries engage in extensive political and economic espionage for the benefit of the government of the Russian Federation and are believed to be closely linked to the Russian government's powerful and highly capable intelligence services."
According to Alperovitch, COZY BEAR broke into the DNC network in the summer of 2015 and FANCY BEAR breached the network in April 2016, but CrowdStrike "identified no collaboration between the two actors or even an awareness of one by the other." Alperovitch and the DNC claimed that the only documents stolen in the attacks were from the database of opposition research on GOP presidential candidate Donald Trump.
However, a hacker named Guccifer 2.0, taking the name of the hacker who had compromised Hillary Clinton's mail servers, came forward to take credit for the attack and provided documents allegedly stolen from DNC servers, including the opposition research on Trump as well as Democratic Party donation lists, internal memos and more.
Alperovitch reiterated that "CrowdStrike stands fully by its analysis, and findings identifying two separate Russian intelligence-affiliated adversaries present in the DNC network in May 2016.
"Whether or not this posting is part of a Russian Intelligence disinformation campaign, we are exploring the documents' authenticity and origin. Regardless, these claims do nothing to lessen our findings relating to the Russian government's involvement, portions of which we have documented for the public and the greater security community."
Security researcher and former black hat hacker Hector X. Monsegur said that regardless of whether CrowdStrike was right or wrong in its cyber attribution, the biggest mistake made was to conclusively say it was Russian groups and a nation-state attack.
"Let this be a prime example of how bad or impossible attribution can be. Just because one attacker shares a (common) modus operandi with another group of Russian hackers does not mean they are related at all," Monsegur said. "After all, most of these attackers use the same tools, the same attack methodologies and may even hang out on the same forums."
Jeffrey Carr, CEO of Taia Global, said the trouble arises from the fact that commercial firms have conflicting interests in assigning cyber attribution.
"They get attention from the press when they can point to Russia or China. That could be worth [money]," Carr wrote in an email. "They don't get nearly as much attention (read [zero]) if they leave attribution out of their report, or say that they don't know."
CrowdStrike did not respond to requests for comment.
Monsegur and Carr agreed that the indicators of compromise (IOCs) used in cyber attribution by intelligence firms can often be misleading.
"For years, companies have used IOCs to invent names for threat actors," Carr said. "They see a familiar group of tools and techniques, and deduce that it must be [a specific advanced persistent threat]. But it could be anyone using those tools or mimicking those techniques."
Monsegur said, "At the very best, CrowdStrike has made speculations as to the origins of the attack. But, speculation, sadly, isn't reality."
Carr said one of the biggest issues with cyber attribution is that the analysis stops after the initial theory is made.
"No one does negative analysis to see if they can disprove their own theory of attribution. Because of that, they can get led around by the nose by any trickster who wants to deceive them," Carr said, and added that negative analysis is not difficult. "It's considered a best practice in the intelligence community, although it's not always done as rigorously as it should be. In the commercial cyberintelligence world, it's rarely done, if at all."