Trump's DNC 'Server' Conspiracy Rebutted
President Continues to Dismiss Russian Hacking Attribution, Backs Putin's Denials

On Monday in Helsinki, U.S. President Donald Trump faced what may be a defining moment of his presidency. Standing next to Russian President Vladimir Putin during a post-summit press conference, Trump was asked by a reporter if he would denounce Russia for interfering in the 2016 U.S. presidential election and tell Putin to never do it again.
The reporter's question followed the U.S. Justice Department on Friday revealing an indictment charging 12 Russian GRU military intelligence agency officers with election interference, including hacking the Democratic National Committee and Democratic Congressional Campaign Committee (see 10 Takeaways: Russian Election Interference Indictment).
In response to the reporter's question, Trump appeared to try to change the subject.
"So let me just say that we have two thoughts," Trump said. "You have groups that are wondering why the FBI never took the server. Why haven't they taken the server? Why was the FBI told to leave the office of the Democratic National Committee?"
Trump added: "I've been wondering that. I've been asking that for months and months and I've been tweeting it out and calling it out on social media. Where is the server? I want to know where is the server and what is the server saying? With that being said, all I can do is ask the question."
Trump also appeared to prioritize Putin's denials over the findings of the combined U.S. intelligence and law enforcement community, including Director of National Intelligence Dan Coats.
"My people came to me, Dan Coats, came to me and some others; they said they think it's Russia. I have President Putin. He just said it's not Russia," Trump said. "I will say this: I don't see any reason why it would be. But I really do want to see the server but I have, I have confidence in both parties."
Debunked: 'Server' Conspiracy Claim
Trump's attempt to invoke a server "conspiracy claim" is nonsense and also flies in the face of good digital forensics and incident response practice, says Jake Williams, founder of security consultancy Rendition InfoSec, which provides incident response services.
"It's bunk through and through," says Williams, who's also an instructor at the SANS Institute and a former operator with the NSA's Tailored Access Operations unit, via Twitter.
"To someone outside the DFIR field, some of the actions by the DNC might look sketchy - e.g. not calling the FBI. In my actual experience in the field, it's completely normal," he says.
No Missing Server
Here's what the DNC did: It hired CrowdStrike, one of the world's most respected incident response firms, to investigate the intrusion, boot out hackers and get its systems up and running again as quickly as possible.
In addition, there simply was no mythical server that has yet to be found or revealed.
One of the most annoying things about "The Server" is that stupid singular.
Source: DNC Complaint, 20 Apr 2018 pic.twitter.com/p8rPwFVqUJ
— Thomas Rid (@RidT) July 16, 2018
"This 'DNC didn't give the server to the FBI' idea makes no sense," says Thomas Rid, a professor of strategic studies at Johns Hopkins University who's an expert in Russian "active measures" tactics.
"Investigators want disk images of many machines in the network, memory dumps of connected boxes, the adversary's movement in situ - network logs, other data, e.g. exfil [data exfiltration] behavior," Rid says via Twitter.
This situation btw is a great teaching moment for your next cyber security seminar - or perhaps for a DFIR job interview: "I'm sure you heard of the idea that the DNC didn't hand 'its server' to the FBI. What would you say in response?"
— Thomas Rid (@RidT) April 21, 2018
What investigators don't want to see, he adds, is "some disconnected server," because once a server gets unplugged, it loses everything in memory, thus becoming much less useful - if not worthless - to investigators.
More Than 150 DNC Servers
To be clear: There was no missing DNC server as referenced by Trump. Rather, there were more than 150 servers that needed to be wiped and rebuilt or else decommissioned.
According to a lawsuit filed by the DNC in Manhattan federal court on April 20, remediating the intrusion and excising hackers from the DNC's network required the DNC "to decommission more than 140 servers, remove and reinstall all software, including the operating systems, for more than 180 computers, and rebuild at least 11 servers."
In short, the entire DNC network needed to be completely rebuilt, Dmitri Alperovitch, CrowdStrike's co-founder and CTO, told Information Security Media Group in June 2016 (see After Russia Hacks DNC: Surprising Candor).
"We rebuilt it from scratch," Alperovitch said, saying the work consumed the weekend of June 10, 2016. "The remediation event went through the entire weekend. Our folks didn't sleep."
In part, that was because the remediation took place during a national election campaign cycle, just five months before election day.
According to the U.S. indictment unsealed on Friday, CrowdStrike missed at least one piece of X-Agent Linux malware planted by the attackers, which persisted until October 2016.
CrowdStrike declined to comment on the indictment.
But Adrienne Watson, the DNC's deputy communications director, tells Politico that the DNC doesn't believe the X-Agent malware posed a threat after CrowdStrike's remediation efforts.
"This Linux based version of X-Agent malware was a remnant of the original hack and had been quarantined during the remediation process in June 2016," Watson says in a statement. "While programmed to communicate with a GRU-registered domain, we do not have any information to suggest that it successfully communicated, exfiltrated data, corrupted our newly built systems, or breached our voter file following the remediation process."
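The check that statement implies, as an added example that is not part of the article and not DNC or CrowdStrike tooling: given resolver logs, list the hosts that queried the implant's domain after the remediation cut-over and whether any of those queries resolved. The log line format, the domain c2-placeholder.invalid, the host addresses and the cut-over date are all constructed placeholders. A resolved query shows a host tried to reach the domain, not that data left the network, so confirmed hits are the pivot point into flow or proxy logs rather than a finding on their own.

```python
"""Post-remediation check: did a quarantined implant ever look up its C2 domain?

Added example, not from the article or any vendor. The log format, the
domain, the addresses and the remediation cut-over are constructed.
"""
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Assumed resolver log format (constructed, not a real product format):
#   <ISO-8601 UTC timestamp> src=<client ip> qname=<name> rcode=<DNS rcode>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+qname=(?P<qname>\S+)\s+rcode=(?P<rcode>\S+)$"
)

# Placeholder standing in for the domain named in the indictment; not the real value.
C2_DOMAIN = "c2-placeholder.invalid"
# Hypothetical cut-over: the article says the rebuild consumed the weekend of June 10, 2016.
REMEDIATION_CUTOFF = datetime(2016, 6, 13, tzinfo=timezone.utc)

# Constructed sample: one pre-remediation lookup, two post-remediation lookups
# from a single host (one sinkholed, one resolved), unrelated noise, one bad line.
SAMPLE_LOG = """\
2016-06-02T09:14:05Z src=10.20.1.15 qname=c2-placeholder.invalid rcode=NOERROR
2016-06-14T11:02:33Z src=10.20.1.40 qname=updates.example.com rcode=NOERROR
2016-07-03T22:41:19Z src=10.20.1.15 qname=c2-placeholder.invalid rcode=NXDOMAIN
2016-09-18T04:10:00Z src=10.20.1.15 qname=C2-Placeholder.invalid. rcode=NOERROR
2016-10-01T12:00:00Z src=10.20.1.77 qname=mail.example.com rcode=NOERROR
malformed line that should be skipped
"""


def normalise(qname: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot; compare canonically."""
    return qname.rstrip(".").lower()


def parse_line(line: str) -> Optional[dict]:
    """Return an event dict, or None for lines that do not match the assumed format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    return {"ts": ts, "src": m["src"], "qname": normalise(m["qname"]), "rcode": m["rcode"]}


def matches_c2(qname: str, c2: str = C2_DOMAIN) -> bool:
    """True for the domain itself or any label beneath it."""
    return qname == c2 or qname.endswith("." + c2)


def post_remediation_beacons(log_text: str, cutoff: datetime = REMEDIATION_CUTOFF,
                             c2: str = C2_DOMAIN) -> List[dict]:
    """Every parseable lookup of the C2 domain at or after the cut-over."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["ts"] < cutoff or not matches_c2(ev["qname"], c2):
            continue
        hits.append(ev)
    return hits


def summarise(log_text: str, cutoff: datetime = REMEDIATION_CUTOFF,
              c2: str = C2_DOMAIN) -> Dict[str, dict]:
    """Per source host: lookup attempts, how many resolved, first and last seen."""
    summary: Dict[str, dict] = {}
    for ev in post_remediation_beacons(log_text, cutoff, c2):
        host = summary.setdefault(
            ev["src"], {"attempts": 0, "resolved": 0, "first": ev["ts"], "last": ev["ts"]}
        )
        host["attempts"] += 1
        if ev["rcode"] == "NOERROR":   # the name resolved; a sinkholed name would not
            host["resolved"] += 1
        host["first"] = min(host["first"], ev["ts"])
        host["last"] = max(host["last"], ev["ts"])
    return summary


if __name__ == "__main__":
    for src, info in summarise(SAMPLE_LOG).items():
        print(f"{src}: {info['attempts']} lookups, {info['resolved']} resolved, "
              f"{info['first'].date()} to {info['last'].date()} -> pivot to flow/proxy logs")
```

Run against the constructed sample, only 10.20.1.15 is reported, with two lookups of which one resolved; the June 2 lookup falls before the cut-over and is excluded, and the mixed-case, trailing-dot form is matched because names are canonicalised before comparison.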
Attribution: Fancy Bear, Cozy Bear
The Justice Department isn't alone in attributing the election interference campaign to the Kremlin. CrowdStrike, among other security firms, has also said the attack appeared to be the work of Russia's Fancy Bear and Cozy Bear - respectively also known as APT28 and APT29 - hacking teams. Whereas Cozy Bear is believed to be associated with Russia's SVR foreign intelligence service, Fancy Bear is believed to be associated with the GRU.
The DNC's lawsuit, meanwhile, alleges that a number of organizations and individuals - including the Russian Federation, the GRU Russian military intelligence organization, the GRU operative who used the pseudonym "Guccifer 2.0," WikiLeaks and its founder Julian Assange, Donald Trump as well as his 2016 presidential election campaign, Paul Manafort, Roger Stone, Jared Kushner, George Papadopoulos and others - engaged in a conspiracy designed to affect the outcome of the 2016 U.S. presidential election.
Find the Intrusion
But attributing attacks is not the work of an incident response firm, at least initially. In most cases, private incident responders' first responsibility is to the organization they're supporting. Typically, that requires identifying the intrusion and eradicating it as quickly as possible, according to David Stubley, who runs Edinburgh, Scotland-based incident response firm 7 Elements.
Whether an organization calls in law enforcement is often entirely up to that organization. Doing so may also delay the ability of the organization to resume operations. Add in the fact that this was a political party running a national election campaign and which might be worried about leaks - "a very real concern," Williams says via Twitter - and it's not surprising that the DNC didn't immediately throw open its doors to law enforcement.
Even so, both the DNC and CrowdStrike have previously said they shared images of all compromised systems with the FBI, which the DNC's Adrienne Watson reiterated this week.
"The FBI was given images of servers, forensic copies, as well as a host of other forensic information we collected from our systems," Watson told Daily Beast. "We were in close contact and worked cooperatively with the FBI and were always responsive to their requests. Any suggestion that they were denied access to what they wanted for their investigation is completely incorrect."
Responders' Priorities
"Some cry foul that the FBI wasn't brought in at the beginning. I wouldn't have called the FBI either if it were my investigation. I don't call the FBI for breaches unless there's a specific reason (regulatory requirement, insurance underwriter says to, etc.)," Williams says.
Imagine the number of people who would have to be involved in a conspiracy to plant evidence against the Russians AND make a server with exculpatory evidence disappear. And none of them have talked? Um, yeah, that doesn't make sense... 12/n
— Jake Williams (@MalwareJake) July 16, 2018
The DNC was under no legal obligation to bring in the bureau (see FBI to DDoS Victims: Please Come Forward).
"The FBI is very good at what they do, but they are investigating crime to prosecute offenders and build cases," Williams says. "I'm trying to restore operations ASAP. DNC suspected this was a foreign nation state and CrowdStrike confirmed. You're not taking this one to trial."