
Risk & Repeat: Was the DNC hack an inside job?


In this week's Risk & Repeat podcast, SearchSecurity editors examine claims from intelligence veterans that the DNC hack was an inside job, and not the work of Russian hackers.

A group of veteran intelligence officials presented a new theory about the Democratic National Committee hack, but the technical evidence behind it appears to be lacking.

The group, known as Veteran Intelligence Professionals for Sanity (VIPS), recently published an open letter to President Donald Trump arguing that the DNC hack was not perpetrated by Russian hackers, but instead by an insider threat. The DNC hack inside job theory circulated over the last year, but it hadn't carried much weight, if any, before the VIPS report.

The organization claimed that, based on technical evidence provided by two independent security researchers, it was determined that the download of the nearly 20,000 emails from the DNC was performed at a speed of 22.7 megabytes per second (roughly 180 megabits per second). VIPS and its security researchers argue that speed was simply too fast for a remote network connection and, therefore, the data must have been copied locally onto an external storage device, like a USB drive.

In addition to arguing that the DNC hack was an inside job, VIPS made the explosive claim that Russian fingerprints were generated to blame the incident on Russian state-sponsored hackers.

Several publications, including The Nation, picked up the VIPS letter, which challenges the FBI and CIA's assessment of the DNC hack. However, a number of infosec experts have debunked the VIPS theory, and have refuted the technical evidence that allegedly points to the DNC hack being an inside job.

Who are the independent security researchers VIPS used to build this case? What is the technical evidence that led VIPS to believe the DNC hack was an inside job? Why is this so-called evidence misleading? SearchSecurity editors Rob Wright and Peter Loshin discuss those questions and more in this episode of the Risk & Repeat podcast.


Join the conversation

I must say I was very disappointed with your commentary. You rebut the download speed argument by suggesting that the hacker "could have been working with a janitor"??!! There is absolutely nothing to suggest this. Your comments are utter speculation.

Second, you state (with no proof) that the download speed of the pilfered data was "consistent with fast ethernet." Actually, it wasn't. The Nation (and the underlying report) demonstrated that it exceeded available download speed over a remote connection. If you're going to rebut that, do it with data.

Third, you mention that a remote hacker could download within the remote system at speeds faster than remote ethernet access speeds. You fail to mention, however, that the only outfit to examine the DNC server (Crowdstrike) found no evidence of this -- at least none that they reported.

Finally, you rely on the "17 intelligence agencies" theory?? Really? Have you not been reading the news? There are no "17 intelligence agencies." There are 3, none of whom actually examined the server in question, and whose non-classified conclusions are based on the "high confidence" interval.

Candidly, your lack of knowledge about the subject matter suggests: (a) you didn't read the Crowdstrike report; (b) you didn't read the intelligence assessment; and (c) you likely didn't read the full text of the Nation article (or you wouldn't have made so many basic errors).  
Thanks for the feedback. Lots to get to here so I'll go in order...

1. The janitor comment -- we *know* there's no evidence this happened. THAT WAS THE POINT. We're arguing that the "evidence" cited in the VIPS report doesn't provide any proof one way or another.

2. We DID rebut that with data -- as mentioned in the podcast, a number of ISPs offered speeds *in excess* of 200 Mbps/22.7 megabytes per second *prior to 2016*. I actually cited specific ISPs and service packages in the recording, so I'm not sure why you're claiming I stated this with "no proof." I'm confident if you do a quick Google search you will find similar results.

3. I did read the Crowdstrike report -- many times, in fact – and if you're claiming that Crowdstrike found no evidence of remote hackers then I have to question whether *you* have read the report. Not only do Cozy/Fancy Bear have a distinguished history of using remote access tools, the report distinctly states that Crowdstrike found Agent X malware on the network as well as evidence of remote access commands.

And if that isn't enough for you, I'll refer you back to a point made in the podcast courtesy of Rob Graham – the timestamp for the 22.7 Mbps download was months AFTER the initial intrusion was detected and addressed by FireEye.

4. There actually *are* 17 distinct intelligence agencies within the federal government. It's true that they didn't all attest to the attribution case against Russia, and that only four major agencies (FBI, CIA, NSA and the Office of the Director of National Intelligence) did. But nevertheless, there are 17.

In closing, as stated in the podcast, I'm open to alternate theories about what happened with the DNC hack. What I'm not open to, however, are articles like the Nation's and others that make outlandish claims based on misunderstood technical "evidence." You can defend the article all you want, but I haven't seen a single subject matter expert in the infosec space – besides the two anonymous researchers working with VIPS – that has lent ANY credibility to the claims in that article or the underlying letter from VIPS. Not one.

At some level, the hack involved copying. The copying entity (call it "target") would have determined the final timestamp. The copied entity (call it "source") would have determined the initial timestamp. One would need the timestamps from *both* source and target to get a difference, by which to calculate a required download bandwidth. But what about the *system clocks* on these two computers (possibly identical)? (It begs the question to *assume* that one computer both was the source and made the copies - that is exactly the point in contention.) Suppose the computers used different clocks in their NTP configurations. Or, worse, suppose one was a hacker's computer which, in an attempt to improve operational security, didn't use NTP at all? The system clocks could be *wildly* un-synchronized. It could easily be the case, for example, that the source computer's clock was sufficiently advanced (i.e. moved forward relative to the target's clock) that the copy job appeared to be impossible over a pipe of average bandwidth. The general point is that timestamps are forensically weak (for more reasons that just this one) and so unable to sustain the argument made by VIPS.
1. "working with a janitor" is insider attack, not a hack. 2. 200 Mbps is a raw data transfer speed; file-transfer protocols rarely ever get more than 2/3 of overall bandwidth. 3. Cozy Bear and Fancy Bear may have a distinguished history of hacking tools, as does the NSA, but leaving behind forensic evidence a ten-year-old could find isn't part of that history. And it certainly doesn't prove your rigid assumption that Agent X was the exfiltration mechanism; perhaps you think it blocks thumb drives? Also, if the download was so much later than when FireEye detected the intrusion - why shouldn't I assume that the document exfiltration had nothing to do with the intrusion? 4. If you knew the report was signed not by all "17 intel agencies," why did you mention them? I really do not think you are open to alternate theories at all. The December intel report starts with exhaustive hand-waving and ass-covering about attributing covert cyber activity to anyone. You ought to be as cautious. For an info security professional to give up your critical thinking about a government report is ridiculous.
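The two comments above raise two separate objections to a throughput figure derived from file timestamps: the source-side and destination-side clocks may not agree, and a protocol never delivers the raw line rate. The following is an added illustration, not code from the podcast, from VIPS or from any commenter, that puts both objections into numbers. The 22.7 MB/s figure, the 200 Mbps ISP rate and the 2/3 usable-bandwidth share come from the thread; the byte count, the timestamps, the skew values and all function names are constructed for the example.

```python
"""Sensitivity of a timestamp-derived transfer rate to clock skew and protocol overhead.

Added illustration; not part of the podcast, the VIPS letter or any comment.
Every byte count, timestamp and skew value below is a constructed sample.
"""
from datetime import datetime, timedelta

# Usable share of raw bandwidth a file-transfer protocol delivers, as asserted in the
# thread above (2/3). Treated as an assumption, not a measured value.
TWO_THIRDS = 2.0 / 3.0


def apparent_window_seconds(src_start: datetime, dst_end: datetime) -> float:
    """Copy duration implied by a source-side start stamp and a destination-side end stamp,
    taken at face value, i.e. assuming both clocks were correct."""
    return (dst_end - src_start).total_seconds()


def corrected_window_seconds(apparent_seconds: float, source_ahead_seconds: float) -> float:
    """True duration if the source clock ran `source_ahead_seconds` ahead of the destination
    clock (positive: source ahead, so the apparent window is too short; negative: behind)."""
    return apparent_seconds + source_ahead_seconds


def implied_rate_mbps(nbytes: int, window_seconds: float) -> float:
    """Megabits per second the copy must have sustained; inf if the window is not positive."""
    if window_seconds <= 0:
        return float("inf")
    return nbytes * 8.0 / window_seconds / 1e6


def fits_link(rate_mbps: float, link_mbps: float, efficiency: float = TWO_THIRDS) -> bool:
    """Could a link of `link_mbps` raw capacity carry `rate_mbps` of file payload, given the
    fraction of raw bandwidth the transfer protocol actually delivers?"""
    return rate_mbps <= link_mbps * efficiency


def min_source_ahead_to_exceed_link(nbytes: int, true_seconds: float, link_mbps: float,
                                     efficiency: float = TWO_THIRDS) -> float:
    """Smallest source-ahead skew (seconds) at which a copy that genuinely took `true_seconds`
    would *appear*, from raw timestamps, to exceed the link's usable capacity."""
    usable_mbps = link_mbps * efficiency
    apparent_needed = nbytes * 8.0 / (usable_mbps * 1e6)  # window that just saturates the link
    return max(0.0, true_seconds - apparent_needed)


def assess(nbytes: int, apparent_seconds: float, link_mbps: float,
           source_ahead_seconds: float = 0.0, efficiency: float = TWO_THIRDS) -> dict:
    """Compare the face-value conclusion with the clock-corrected one for a given skew."""
    corrected = corrected_window_seconds(apparent_seconds, source_ahead_seconds)
    face_value = implied_rate_mbps(nbytes, apparent_seconds)
    corrected_rate = implied_rate_mbps(nbytes, corrected)
    return {
        "apparent_seconds": apparent_seconds,
        "face_value_mbps": face_value,
        "face_value_fits_link": fits_link(face_value, link_mbps, efficiency),
        "corrected_seconds": corrected,
        "corrected_mbps": corrected_rate,
        "corrected_fits_link": fits_link(corrected_rate, link_mbps, efficiency),
    }


if __name__ == "__main__":
    # Constructed sample: 2.27 GB copied, stamps 100 s apart -> 22.7 MB/s, the figure in the thread.
    size = 2_270_000_000
    start = datetime(2020, 1, 1, 12, 0, 0)          # source-side start stamp (constructed)
    end = start + timedelta(seconds=100)            # destination-side end stamp (constructed)
    apparent = apparent_window_seconds(start, end)
    for skew in (0.0, 60.0, 250.0):
        r = assess(size, apparent, link_mbps=200.0, source_ahead_seconds=skew)
        print(f"source ahead {skew:6.1f}s: face value {r['face_value_mbps']:.1f} Mbps "
              f"fits 200 Mbps link={r['face_value_fits_link']}; corrected "
              f"{r['corrected_mbps']:.1f} Mbps fits={r['corrected_fits_link']}")
    print("skew needed to make a genuine 350 s copy look impossible on 200 Mbps:",
          round(min_source_ahead_to_exceed_link(size, 350.0, 200.0), 1), "s")
```

With these constructed inputs the face-value figure (181.6 Mbps of payload) does not fit a 200 Mbps link once the 2/3 efficiency is applied, but a source clock a few minutes ahead of the destination clock turns the same two stamps into an unremarkable 50 to 110 Mbps copy. The lesson for a defender is the one the comment makes: a rate computed from two stamps on two different machines is only as good as the synchronisation of their clocks, which is exactly what an investigator cannot assume without corroborating evidence.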
Thanks for the feedback. Again, I'll do this in order...

1. I know it's an insider attack but a) the point was to say the evidence highlighted by VIPS doesn't explain it one way or another, and b) an insider threat could have delivered the malware but not performed the actual exfiltration/download, as many organizations have protections in place to prevent the printing/downloading of massive amounts of data (see the recent example of the NSA docs and Reality Winner).

2. I'm not sure why you think that makes the VIPS claim any more sound since there were at the time of the hack commercially available download speeds that far exceeded that rate.

3. First, on Cozy/Fancy -- if they covered their tracks so well previously then why were Crowdstrike, SecureWorks, Mandiant, Threat Connect and others able to clue in on them as a Russian APT group PRIOR to the DNC hack? And second, the intel community in general and Comey specifically have said on several occasions that during the course of the election season, the hackers stopped trying to hide their attacks. Also, on the download date -- security folks like Rob Graham have noted it's typical for hackers to transfer files and data AFTER the attack from one staging server or cloud service to another.

5. I didn't mention the 17 agencies, my co-host did. And it was in jest, though I acknowledge it didn't come across that way.

Finally, you can dismiss the intel community assessment, which is admittedly thin on details. And you can poke holes in CrowdStrike's report as well. But what you and others are asking me to believe is essentially this: that the DNC, an organization that was clearly suffering from a poor infosec posture, was so dumb that they allowed an insider threat to download 20,000 emails, but yet so smart that they found a way to falsely implicate Russian threat actors by doctoring evidence and placing fake "fingerprints" on the available evidence and fool not only CrowdStrike and the other security vendors mentioned previously but the FBI, CIA and NSA. Or you're asking me to believe this is all one big conspiracy by the above parties, and that the network intrusions and database hacks of state election systems across the country were just a coincidence. Like I said, I'm open to new theories. But download speeds? That ain't gonna cut it. 

1. The point of your article is to cast doubt on the possibility this was an inside job. You just backtracked very seriously on this goal. 2. Transfer from DNC would be an upload, not a download, and again the bandwidth could be heavily compromised by other network activity. 3. Russian spy agencies are not infallible in covering their tracks, but whoever hacked the DNC, the evidence they left was blatant. And the notion that a proficient nation-state actor would suddenly stop bothering to cover its tracks while interfering with an election is flat-out ridiculous. Anti-cybercrime defenses have been ramping up for three years, and attackers drop their guard just as the election is ramping up? Not if they are pros. 5. Who said the DNC altered the fingerprints to cover tracks? If you were a leaker who did not want to be found out, or if you were an intermediary between the leaker and wikileaks, perhaps you would do that. Consider every step of every possible path from capture to exfiltration to wikileaks to CrowdStrike. Along many of those paths, especially insider paths, there's big incentive to cover one's tracks. Remember the Vault 7 dumps included evidence that at least the CIA was doing such obfuscation. Of course, if the FBI had performed a full forensic analysis rather than CrowdStrike, we would know more.  But seemingly neither Comey nor DNC were much motivated to do this. Whether CrowdStrike is expert or honest or not, they were not the people to do this. They were paid by the DNC. Unlike the DNC, the Departments of Justice and State cannot legitimately publish conclusions or take action on a hack based on a third party, they need an investigation of the servers by law authorities.
My argument exactly 
So... have your feelings about cyber investigations and CrowdStrike changed now that the National Republican Congressional Committee disclosed it was breached last spring, and that it *also* hired CrowdStrike (gasp!!!) to investigate the attack? Are you going to demand that the NRCC allow the FBI to access email accounts and infrastructure, or...was that just for the Democrats? 
Great response. My other question is why didn't the DNC allow the FBI to forensically exam the server. The FBI relied on a forensic "image" given to them from a private third-party company hired by the DNC. I believe this would be an integrity issue (chain of custody?) Really, so the FBI relies on the "victim" to forensically collect evidence from a crime scene (the server)? The entire story is a lie. And correct, the U.S. does not have 17 intel agencies. If our "3" intel agencies have "evidence" why not provide it to the public; evidence that Russia actually hacked. I blame Podesta for making his password "password".
forensically examine*
Good grief....
1) First, there are MANY servers, not just one.
2) Unplugging and handing over all those servers to the FBI is absolutely absurd since it would require shutting down the DNC network (assuming they owned the actual hardware rather than using a third-party data center/cloud provider) and halting IT operations during a crucial election season.
3) Using an image of infected or breached systems is standard operating procedure for federal law enforcement. Look it up.
4) The attribution case for the Russian APT group is likely based not only on technical evidence accrued by Crowdstrike and other private infosec companies but ALSO human intelligence gathered by the FBI, CIA and NSA. They're not going to make their information public (likely gathered through surveillance, human sources, undercover agents, etc.), nor should they.
5) This is getting really, really tiring, and if people are going to argue in bad faith I'd really appreciate some new material instead of rehashed old arguments.
Why are you approaching this topic from the prejudged assumption of Russian hacking? Why is it necessary to disprove Russian hacking, rather than evaluate the possibilities? It's certainly possible that it was an inside leak - this site is full of warnings about insider threats. We don't have to assume Julian Assange was lying when he said he didn't hack it, but that it was leaked. Now the point about file transfer speed could be valid - or it might not. It could certainly revive the likelihood of an external hack. But it wouldn't make it the only explanation. I would like to see at least four names attached to the "number of security experts" you cite, not just Robert Graham. The VIPS group, you may note, has a track record dating from the Iraq War WMD debate. Inconsistent and invalid document metadata certainly blows away the attribution of those documents to Russia or to anywhere else. Not that the Russians would ever be such stupid clowns as to leave that metadata in an Office document, or to leave undeleted a phishing email by which they breached Podesta's account. For me, I'm about 75% concluding that someone within DNC saw the disgusting things Podesta was involved with, thought it should be exposed, and figured Wikileaks was the only option.
I wish I had read your second comment before replying to your first, because frankly, I probably wouldn't have bothered replying at all. I'm not going to engage someone that peddles the Podesta conspiracy nonsense, so thanks for your time and kindly take your nonsense elsewhere.
Which conspiracy nonsense? All of the Podesta emails were acknowledged as genuine, and you may not find them as repulsive as I do - there's no "conspiracy" here.
If you really need me to spell out that I won't indulge your pizzagate accusations, then fine. It's stated for the record. Please move on and find another place to discuss that nonsense. 
What pizzagate? The Podesta emails were revolting, I never bought into the pizzagate crap. But a Bernie supporter working for DNC could be furious at the party fixing the primary for Hillary, and very well might leak emails including those that document that.
1) My misunderstanding. Apologies. 2) Political arguments again -- Crowdstrike is on the take because the DNC paid them, and so is SecureWorks (which did the Podesta phishing email investigation)? So not one reputable infosec firm is willing to compromise its values and risk its reputation with false findings, but now it's two? Come on, man. Be reasonable.
No, any private entity is just the wrong entity to do the investigation of a criminal and possibly international espionage action. Whether you or I trust it or not, the only party with the explicit authority to investigate crime of this nature is the FBI. You have to take proper forensic images of all the computers. This is not a secret event to be discreetly investigated, and the FBI certainly has very well-defined disclosure rules regardless. I do fault any security firm for not demanding FBI involvement. This isn't a time to be another security company to use a commercial or private breach to build up some reputation. I may not know the ins and outs of those types of security firms, but I can't believe on the one hand that these hacks were so serious that we doubt our electoral processes, but on the other hand that they weren't serious enough for law enforcement to be involved.
Respectfully, your views on who should or shouldn't do these investigations are irrelevant. Private sector companies DID perform the forensic investigations in these two incidents. So I'm asking you -- are you arguing that they are lying and conducting a cover-up? Or are you arguing that they simply are wrong and an anonymous dude named the "Forensicator," with no identity and no professional credentials, is actually right? 
Well, to me it means they did not follow an appropriate professional procedure. CrowdStrike, of course, is not spotless after falsely claiming Russian cyberattacks disabled 80% of Ukrainian artillery of a particular type. And as the December Intel report said, attributing cyber attacks is an extremely difficult thing to do, and the certainty of attribution claimed by these reports is much higher than seems appropriate. Are they dishonest? I don't know. But in my opinion the VIPS report simply rephrases possibilities that I find extremely plausible: that the hacks were insider jobs. I don't think this article meets its fundamental purpose: it does not cast any substantial doubt on that possibility, certainly not by demonstrating conclusively that it was undeniably a Russian-backed hack.
Completely agree, schemaczar - many valid points. The DNC intentionally buried the evidence. The ICA contains no finding of fact and over half is nonsense about Russian Television that means nothing. It is an embarrassment on par with the WMD reports; I'm ashamed as an American. Since this podcast much has come to light that refutes the DNC hack narrative and undermines the Mueller investigation. What I find troubling is our news media seems complicit with promotion of the false narrative and doesn't lift a finger to bring these issues to light - just the opposite. Seems Stormy Daniels is more important than giving Americans truth.
What exactly has refuted the DNC hack narrative? You do realize that the VIPS theory about it being an inside job has been completely demolished at this point, right?
"demolished" - nice spin.  Is there a reasonable counter argument, that is ALSO unproven, yes; demolished? Hardly.  By your standards and logic, the original "inside job" theory can also be considered valid.  

The DNC (and other "victims" in the so called hack) are partisan entities or political campaigns; they are NOT our elections.  Yet we are off to the races with concocted claims of 'collusion' and 'hacking our elections' - it's been over two years, where's the beef?  Can you (or anyone else) show a fully investigated, peer reviewed finding of fact by a disinterested, outside entity to support the hack claim?  If so, please share.  Isn't that at the core of this discussion?  PUT UP!  You're eager to discredit the many experts in the field who have raised valid points of argument questioning the DNC's and its hired gun's (who also has an agenda) hack story.  Where's your skepticism of the entire claim that has demonstrated no legs?  

Few are asking 1) what about all the dirty tricks and Russian connections related to the DNC and its minions/candidates?  2) Why is the "Russian election hacking" investigation off into the weeds, looking into things that have nothing to do with the mission? and 3) What's up with key members of the FBI and intelligence community, who have time and time again been shown to be bad actors and acting in a partisan fashion?  Does this not disturb you, or are you more interested in pushing the DNC's un-validated narrative?  The way they're going after Trump, you'd think he gave the Russians 20% of our uranium or something.  

This smells like a partisan, conspiracy based 'hit job' and the longer it goes the worse it stinks. Now you have Lanny Davis (Clinton fixer and 3 time DNC board member) positioned on the inside "representing" Trump's lawyer and giving out false information to CNN (and getting caught). Where does it end? You talk smart, don't you get any of this? Did you read the ICA? It's a joke. The DNC and its friends in the media are selling you a load of monkey poop and here you are arguing on unproven nonsense. It's a beautiful thing because the more they double down, the more they are exposed.

You should read the article from our sister site ComputerWeekly on who "Adam Carter," one of the so-called technical experts who created the inside job theory, really is. And bear in mind that William Binney and Ray McGovern no longer support the theory.

Also, you and others can keep hurling stuff about the politics of the matter and the Mueller investigation all you want. That's not what we do. We're not a political news outlet. We do infosec news. 
An unbiased observer would use terms like "conflicts", "contradicts", "offers an alternative view" etc. to an inside job, because no one knows (except the perpetrator, if one exists and his cohorts).  How do you "demolish" something that is speculation?  

Your "sister site" article is a borderline fake news, politicized story. It makes the absurd statement "Russians caught red handed" and refers to a totally biased WaPo article based on, wait for it: Crowdstrike's narrative. A narrative bought and paid for by the DNC, a partisan organization out to get Trump and further the fortunes of Democrat politicians.

Did YOU have access to the DNC servers?  Do YOU have proof of anything?  No, it's all speculation and manipulation in a politicized environment, founded lock, stock and barrel by a partisan political group that is out of power.  To be credible, the DNC servers, Podesta's servers and Hillary's servers would need to be subject to a disinterested, third party forensic investigation.  That didn't happen and thwarts any serious finding of fact. 

The "inside job" theory while plausible, is irrelevant, look who 1) owned the servers, 2) made the hack claim, 3) hired the "forensic" investigators, 4) pushed the narrative to the press, 5) has a campaign (including former DNC insiders) to weaponize the narrative - AFTER their subterfuge to screw Sanders was revealed (see next comment).  

They have us all chasing our tails and diving down rabbit holes, as the scheme does its work to undermine the winner of the election.  You appear to be a smart guy, don't you wonder about the BIG picture here?  Think any of this can end up well for the American public?  Think stock market, value of the dollar, consumer confidence, etc.
As I wrote above to someone else...have your feelings about Crowdstrike changed now that the NRCC hired them to investigate their own breach? Or...nah?
Regardless of who accessed the DNC data and leaked it, WHAT did that data tell us? THAT is the point, NOT who it was that accessed it and told us the truth. You guys and it seems like everyone are so concerned about who, but not paying attention to what. The what is, Sanders (and the democratic process) was cheated, the Clinton campaign was corrupt and the person nominated to be the democratic candidate was illegitimate and most likely criminal. None of this can be proven, fingerprints, time stamps, IP#, etc ... there is no tracing the culprit... let's get to the meat of the subject and not allow ourselves to be so distracted so easily.