Experts on the malicious computer codes commonly used by Russian hackers are far from united behind the Obama administration’s accusations against Moscow, with a few echoing President-elect Donald Trump’s mistrust and asking for more information.
Trump will sit down Friday for a high-level briefing with Director of National Intelligence James Clapper, CIA Director John Brennan and FBI Director James Comey.
Trump this week dismissed the “so-called ‘Russian hacking’ ” and bracketed the word intelligence in quote marks in his tweets, appearing to show disdain for U.S. intelligence agencies, only to tweet Thursday that the media have hyped the quarrel “when in fact I am a big fan!”
Allegations of Russian hacking and direct meddling in the U.S. elections have shoved a wedge between Trump and some Republican lawmakers long wary of Russia, and heightened tensions with the longtime U.S. adversary.
The Obama administration first lobbed the hacking charges against Moscow on Oct. 7, saying “only Russia’s senior most officials” could have ordered the computer penetrations of the Democratic National Committee and its political operatives. On Dec. 29, the administration released a 13-page report and supplemental data that provided raw material for cybersecurity experts to examine. In an associated step, Obama ordered the expulsion of 35 Russian diplomats suspected of espionage and imposed sanctions on two Russian intelligence agencies.
Obama’s outgoing head of intelligence, Clapper, speaking on behalf of all U.S. intelligence agencies, testified before the Senate Armed Services Committee on Thursday that Russia has “assumed an even more aggressive cyber posture,” and he repeated with greater certainty the charges of Russian meddling in the 2016 political campaign.
The Obama administration will release an unclassified report next week that will build on its previous charges against Russia, and Clapper said he planned to “push the envelope as much as I can” so that the report offers as much information as possible.
After digesting last week’s report, several large cybersecurity firms joined the chorus against Russia, but a few independent experts have voiced doubt and called for more details. By their own admission, that has created tension with colleagues.
“There are good reasons in this case to be skeptical,” said Jeffrey Carr, a Seattle-based analyst who runs an annual “Suits and Spooks” cybersecurity conference outside Washington, D.C., each year. “Based on public evidence, nothing connects the attacks to the government of Russia.”
In a telephone interview, Carr talked about the digital equivalent of fingerprints at a crime scene, or in this case pieces of malicious code, or malware, that were found in the various attacks, particularly the penetration of the servers belonging to the DNC that began in the summer of 2015 and lasted into mid-2016. The hackers appeared to have used scam emails that allowed them access to personal accounts and servers.
The hackers left fingerprints behind, including the use of X-agent, malware that has been associated with the Russian military intelligence agency known as the GRU and has been detected in penetrations of the German Bundestag, or parliament, last May and in an attempt to destroy a channel of French television in April 2015.
When deployed, X-agent implants itself on a network or a computer hard drive and allows a remote hacker to capture information, remove files or take control of a computer – all in complete stealth.
Carr said, however, that X-agent had slipped out of the exclusive grip of Russian hackers and had turned up in the possession of a Ukrainian hacktivist and a Slovakian company, ESET, that makes anti-virus software.
“Once malware is deployed, you’ve lost control of it. It can be captured; it can be reverse-engineered; it can be repurposed,” Carr said, making attribution even trickier. Suggestions that finding X-agent in DNC networks is ironclad evidence of Russian hacking “only holds up if you believe the myth of exclusive use.”
Carr acknowledged that he represents “a minority opinion. I’m one of the few people who is a vocal skeptic, and that’s because I work for myself.” He maintained that larger cybersecurity firms do not want to challenge the government posture on the issue.
Another cybersecurity expert, Matt Tait, founder of Alpha Capital Security, a British consultancy, initially doubted Russian involvement in the hacks but said the evidence was now preponderant and had convinced him of Russian responsibility.
“Jeffrey Carr is right. There was an operational screw-up by Russian intelligence in one particular case where some parts of the source code of the X-agent malware were accidentally leaked,” Tait said. But the leak did not include critical code for servers, he added, and without that code, one would need to design code for the malware “from scratch, essentially.”
A malicious implant like X-agent is not simple to create, Tait said.
“It would’ve taken, probably, a team of five to 10 people working on it full time,” Tait said. “It’s grown over time.”
Some of the criticism reflects on the Dec. 29 Obama administration report, which promises compelling evidence but delivers generalities and offers routine tips on avoiding hacking.
“This ultimately seems like a very rushed report put together by multiple teams working different data sets and motivations,” Robert M. Lee, founder of Dragos, a critical infrastructure cybersecurity company, wrote in a blog post.
Along with the 13-page report, the Obama administration released a spreadsheet of highly technical data that included digital signatures, character combinations known as file hashes and internet protocol, or IP, addresses, which are unique numerical combinations that allow devices to identify themselves and communicate with others. The report said the data were “indications of compromise” by Russian hackers.
“It lists, like, 870 IP addresses,” said Robert David Graham, a widely known hacker and cybersecurity blogger who runs an Atlanta-based consultancy, Errata Security. “Those were overwhelmingly benign IP addresses. . . . It’s like saying the hackers used roads so all roads are suspects.”
“It’s all garbage,” Graham said.
An offshoot of the DNC hacks was a separate hack on the Gmail account of John Podesta, the campaign chairman for Democratic presidential nominee Hillary Clinton.
Thousands of Podesta’s emails were passed to WikiLeaks, the nonprofit group that espouses radical government transparency, which published tens of thousands of them in the weeks before the Nov. 8 election.
Podesta clicked on a malicious link embedded in an email that allowed hackers to take control of his account and extract all emails.
Trump on Wednesday praised WikiLeaks founder Julian Assange, who gave an interview to Fox News that aired Tuesday night. “Julian Assange said ‘a 14 year old could have hacked Podesta’ – why was DNC so careless?” Trump tweeted.
Tait said, however, that carelessness may not have been the main culprit. A deeper look shows a larger organization carried out the hacks, although one with serious operational security shortcomings. He is convinced it was Russian government hackers. The bait that the hackers used, which turned up in one of the WikiLeaks emails, shows that the perpetrators used a special program to shorten the URL, or web address, to their diversionary site. That URL shortening program is called bit.ly.
The hackers set up an account to use bit.ly on a large scale but made a crucial error.
“They screwed up. They accidentally didn’t set up that account to be private,” Tait said.
As a result, researchers found that the account had been used to send more than 1,800 emails in 2015 alone and offers what Tait said was “a very precise map of who’s been targeted and when.” The data shows that the interests of the hackers gibe with interests of the Russian government, Tait said, convincing him of Russian involvement.
SecureWorks, an Atlanta-based company that does cybercrime prevention and threat intelligence, dissected the hackers’ bit.ly account and found that it targeted journalists and political activists who are foreign experts on Russia, as well as foreign military and government personnel and aerospace researchers. Most targets were in the United States, but others reside in China, Syria, Britain and NATO member nations.
The hackers have since corrected their mistake, taking their bit.ly account private.