Forensics , Incident & Breach Response , Managed Detection & Response (MDR)
Did Russia - or Russian-Built Malware - Hack the DNC?Hack Attack Attribution: The Devil Is in the Details
Attributing attacks back to the responsible individual or group, and whoever might have sponsored them, is incredibly difficult. So is attempting to deduce a motive.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
That's my reaction to the June 20 headline on a Washington Post story: "Cyber researchers confirm Russian government hack of Democratic National Committee."
"The question ... has revived the long-running debate over whether attribution matters, at least to anyone who's not part of a government agency."
The story follows Dmitri Alperovich, CTO of cybersecurity firm CrowdStrike, announcing last week that his firm's investigation into a breach of the Democratic National Committee's systems had been perpetrated by two advanced persistent threat groups. The company refers to them as Fancy Bear, a.k.a. APT 28 in FireEye parlance, and Cozy Bear, a.k.a. APT 29. Both have been described as Russian APT groups by multiple security firms (see Report: Russia's 'Best' Hackers Access DNC's Trump Research).
"Our team considers them some of the best adversaries out of all the numerous nation-state, criminal and hacktivist/terrorist groups we encounter on a daily basis," Alperovich says in his blog post.
In the wake of the hack, the DNC said in a statement that no financial, donor or other sensitive personal information was stolen.
After obtaining samples of the malware recovered from the DNC systems, via CrowdStrike, Fidelis Cybersecurity has concurred with CrowdStrike's malware assessment. "Based on our comparative analysis we agree with CrowdStrike and believe that the Cozy Bear and Fancy Bear APT groups were involved in successful intrusions at the DNC," Fidelis says in a blog post. "The malware samples contain data and programing elements that are similar to malware that we have encountered in past incident response investigations and are linked to similar threat actors."
APT 28, called GRU by German intelligence, is a state-sponsored Russian hacking group, according to Thomas Rid, a professor in the Department of War Studies at King's College London.
How Many Hackers Were Involved?
But these malware-based assessments have left some big questions unanswered. For starters, some security watchers have noted, if the individual or group behind the DNC hack was a group of elite Russian hackers, it's highly unlikely they would have left any tracks.
In addition, a supposed lone hacker - named "Guccifer 2.0" - claims to have breached the DNC and released not just an alleged DNC report on presumptive Republican presidential candidate Donald Trump, but also an Excel spreadsheet that appears to list donors. Trump has dismissed the hack attack report, claiming that the leak was intentionally done by the DNC.
On June 21, Guccifer 2.0 released an alleged DNC dossier that compiles criticism of presumptive Democratic presidential nominee Hillary Clinton.
#Guccifer2 Dossier on #HillaryClintonhttps://t.co/LGcRb1spRN pic.twitter.com/qweBMKR1Qg— GUCCIFER 2.0 (@GUCCIFER_2) June 21, 2016
Does Malware Equal Motive?
Aleks Gostev (a.k.a. "codelancer"), a chief security researcher at Kaspersky Lab, notes that while multiple security firms agree on the malware discovered on the DNC's systems, they couldn't prove who had used it. He added that unlike most other supposedly nation-state sponsored APT groups in the world, APT 28 and APT 29 unusually continued to use the same attacks and infrastructure after they'd been outed.
Typical behavior for most of current APT groups after public disclosure:1) Infrastructure cleanup and shutdown 2) Old tools never used again— codelancer (@codelancer) June 20, 2016
Typical behavior for APT28/APT29 (attributed as most powerful intels): 1) Re-use of infrastructure 2) Sill using old tools— codelancer (@codelancer) June 20, 2016
One obvious possibility, of course, is that Cozy Bear and Fancy Bear weren't the only hacking groups enjoying access to the DNC's network, and that the discovery of their malware simply doesn't tell the full story. But it's also a reminder that just because malware has been recovered, that doesn't make it clear who used it.
Does Attribution Matter?
The question of whether Russians or the Russian government hacked the DNC - and leaked related information - has revived the long-running debate over whether attribution matters, at least to anyone who's not part of a government agency.
Some security experts, vendors and firms that specialize in attribution argue that, indeed, attribution matters because it can help firms sharpen their information security defenses and repel the latest generation of attacks.
But others allege that attribution too often gets abused, especially by groups or governments that have a political or profit motive (see Ransomware Report: Is China Attribution Merely Hype?).
Jeffrey Carr, CEO at cybersecurity firm Taia Global, has accused firms that sell attribution services of too often having "confirmation bias" when it comes to ascribing attacks to particular nation states. For example, he says in a blog post that in a comprehensive report into APT 28 released in 2014 by FireEye, the authors "declared that they deliberately excluded evidence that didn't support their judgment that the Russian government was responsible for APT 28's activities," including targets that didn't appear to line up with typical nation-state APT group behavior.
"Had FireEye published a detailed picture of APT 28's activities including all of their known targets, other theories regarding this group could have emerged; for example, that the malware developers and the operators of that malware were not the same or even necessarily affiliated," Carr says.
This debate is a further reminder that organizations are perhaps best served by first ensuring they can block as many hack attacks as possible, for example, by complying with the Defense Department of Australia's "Top 4 Mitigation Strategies to Protect Your ICT System." Australia's Cyber Security Operations Center claims the four strategies will prevent 85 percent of all intrusions, no matter whether they're launched by a cybercrime group, advanced persistent teenagers or even attackers wielding APT malware, whoever they might be.