How we know Russia, not a guy in Jersey, hacked the DNC

I have to admit that I was shocked when I saw President-elect Donald Trump’s interview with Fox News.

While I don’t doubt he wants to deny the conclusion that Russia intended to help get him elected, his comment regarding computer crime attribution was grossly ignorant of both computer crime investigations practices, as well as the hundreds of people who have gone to jail as a result of the hard work of law enforcement officers. While the intelligence agencies are not law enforcement agencies, they have the same resources, and arguably more resources, and perhaps even more skilled investigators.

To quote Trump, “Nobody really knows and hacking is very interesting. Once they hack, if you don’t catch them in the act, you’re not going to catch them.”

If that is his actual belief on computer investigations, he should reconsider his position of not needing his daily intelligence briefings. While there are some computer investigations that begin because there is a proactive detection capability in place, almost all investigations involve investigating crimes after they occur. This is the result of good computer forensics and investigations skills, as well as good traditional police work.

Again, you can assume that intelligence agencies, while not performing criminal investigations, still have a robust investigative capability in place.

{mosads}So to help Trump, here are some of the many ways to properly attribute hacking related crimes without catching the criminals in the act.

Analysis of the software and infrastructure used in the attacks, aka computer forensics

Computer criminals, including intelligence agencies, tend to use the software and infrastructure (such as computer servers) they are most familiar with.

For example, the attacks against Sony were easily attributed to North Korea, as the software and communications systems used in the attack were previously used by North Korea in other attacks.

In the case of the hacks of the Democratic National Committee (DNC), there was a detailed analysis of the hack by Crowdstrike, a top cybersecurity company that investigates highly sophisticated attacks that clearly attributed to the software and infrastructure used to Russian state-sponsored hackers. The conclusion was confirmed by multiple organizations with similar expertise.

Clearly, the CIA and other intelligence agencies also agree with the analysis.

Another sign of the potential source of the attack is the sophistication of the attack itself. The Crowdstrike report details how advanced the attack against the DNC was. The attack was not something that could be perpetrated by a generic hacker operating out of his or her bed, as Trump loves to ponder.

Metadata

While this is technically an aspect of computer forensics, computer files usually contain metadata. This is information that is not displayed unless you look for it. The metadata could include information about the people who created the file and the computers on which the file was created.

For example, with pictures, it is common that exact geographic coordinates of where the picture was taken is included with the picture. In this case, you would assume that the Russians were smart enough to scrub the metadata.

Surveillance of the criminals

Wiretaps are a common practice of law enforcement and especially intelligence agencies.

It would be assumed that the National Security Agency (NSA) and other intelligence agencies are monitoring Russian leadership and intelligence activities.

While Snowden leaked information of NSA collection efforts against a variety of countries, his disclosures nefariously left out details of U.S. collection efforts against Russia and China, which you must assume to be extensive, especially given that they are the only existential threats to the United States.

It is extremely possible that NSA or other intelligence agencies intercepted communications detailing or involving Russian hacking efforts.

In the DNC case, U.S. intelligence agencies say they identified individuals with ties to the Russian government who provided the information to Wikileaks. While I have no direct knowledge of this, I would assume that given the nature of Wikileaks and the fact it is a non-U.S. entity, it is heavily monitored by NSA and other intelligence agencies, and they could have monitored the exchange of information.

Informants

As with all crimes, there are frequently other people involved in different aspects of the crime.

Sometimes, the criminals disclose details of their crimes to others. Any of these people can either come forward, or be enticed to offer information in exchange for lenient treatment, if the were arrested for crimes. For example, when members of Anonymous-affiliated groups were arrested, they readily provided information on other members of the group, and helped to have them arrested.

In this case, there is no current information that would indicate that informants were involved in identifying Russia as the source of the crime.

The criminals themselves

In the process of investigating many computer-based crimes over the last 20 years, I have learned that you should never underestimate the stupidity of a criminal.

There have been many cases of criminals posting their crimes to social media. They frequently brag to others.

In the case of Russia’s supporting Trump, you actually have a Putin adviser, Sergei Markov, who stated that Russia provided the DNC data to Wikileaks. The widely reported boast is, “Maybe we helped a bit with Wikileaks.”

This is of course in addition to Russian politicians toasting Trump’s election win.

Conclusion

These are just a few of the investigative resources available to U.S. intelligence agencies in their attempt to identify the perpetrators of the DNC and related hacks.

There are likely others which may include agents inside the Kremlin and Russian President Vladimir Putin’s inner circle, among other resources both imagined and unimaginable to the layperson.

While the U.S. intelligence agencies may never publicly disclose how they specifically know that Russian state-sponsored hackers are the definitive source of the DNC and related hacks, this level of disclosure is only made when there is indisputable proof available to them.

Even if you want to doubt the U.S. intelligence community, the previously identified commercial analyses of the hack provide more than sufficient evidence of the source, and are available for public analysis.

It is also important to note that this does not address the fake news sources, or any other potential efforts there may have been to sway the vote. There is currently no evidence that Russia hacked any voting systems to manipulate the vote count. At best, they may have swayed votes.

The problem for Democrats still remains that they did not make a clear enough case for Hillary Clinton so that a relatively minor disinformation campaign would not cost her the election.

At the same time, Trump and his transition committee cannot discount the evidence and make ridiculous claims that a hacker lying in their bed could have committed this attack.

Perhaps the president-elect should accept more intelligence briefings, so he understands Russia’s extensive hacking capability, as well as the extensive surveillance capabilities of U.S. intelligence agencies.

Ira Winkler is president of Secure Mentem, and author of “Advanced Persistent Security.” He can be reached through his company at www.securementem.com.

---

The views expressed by contributors are their own and not the views of The Hill.