Why Russian hackers, not a lone wolf, were likely behind the US Democrat breach

A lone hacker named Guccifer 2.0 has tried to take credit

Proving who pulled off a cyber attack is never easy and sometimes impossible. That’s the reality investigators face as they try to figure out who breached the network of the Democratic National Committee, which revealed last week that hackers had made off with confidential documents including research on Republican presidential opponent Donald Trump.

Russia was fingered as the likely suspect, until a hacker calling himself Guccifer 2.0 stepped up and claimed that he acted alone. But despite what appear to be DNC documents posted by Guccifer online, some security experts remain convinced that a group of skilled Russian hackers was behind the attack - likely acting on behalf of the Russian government. Here's why they think that:

The malware

The breach began as far back as last summer and involved malware previously used by two hacking groups known as Cozy Bear and Fancy Bear.

Both are thought to be based in Russia and considered among the best hacking teams in the world, said Michael Buratowski, a senior vice president with Fidelis Cybersecurity, which was called in to examine the malware in the DNC attack.

Not just anyone could have pulled off the attack, he said. For instance, the malware used to breach the DNC networks is relatively rare and highly developed.

A hacker would need significant expertise to properly customize and deploy the code, something no amateur “script kiddie” would possess, he said.

A growing pattern

Another big reason for suspecting Russian hackers is the target itself and what was stolen -- the attackers wanted information related to political campaigns and foreign policy plans. Cybercriminals are typically more interested in financial data such as credit card numbers, noted Ben Johnson, chief security strategist for Carbon Black.

This fits with the pattern of Cozy Bear and Fancy Bear, whose past victims include the White House and the U.S. State Department, in addition to businesses in defense, energy and aerospace. Email systems of top U.S. officials have also been among their targets.

“It seems like the attackers knew what they were after,” Johnson said. “They also didn’t kick up a lot of dust.”

Although the initial breach began last summer, the DNC became aware of it only in late April. An intrusion that goes undetected for the better part of a year suggests the hackers were experienced and had carried out this kind of operation before.

“Attribution is incredibly difficult,” Johnson said. “But from what we’ve seen, it’s most likely that a sophisticated group is responsible.”

Russia

It's difficult to definitively link a hacker group to a government, but security firms have made a connection to Russia by examining attack patterns over a long period of time, said Mark Arena, CEO of security firm Intel 471.

For example, past attacks by Fancy Bear show consistent use of the Russian language in developing its malware. Their targets have included NATO and Eastern European governments, with a focus on stealing political and military data, as opposed to intellectual property -- more typically a target of Chinese hackers.

Targeting the DNC would plainly align with the goals of Russia, one of the biggest geopolitical rivals of the U.S.

Russian officials have flatly denied any involvement, but that doesn't tell us much one way or the other.

The timing

A lone hacker, Guccifer 2.0, has sought to take credit for the DNC hack, claiming it was "easy, very easy," and leaking several documents to back up his claim. Some media reports say the hacker is Romanian and dislikes Russians.

Not everyone believes the claims. On Tuesday, the DNC itself said the leaked files may be “part of a disinformation campaign by the Russians.”

In Guccifer 2.0's first post, the hacker mocked CrowdStrike, the security firm that claimed Russians were behind the breach, and denounced unspecified "illuminati" and their “conspiracies.”

“Together we’ll be able to throw off the political elite, the rich clans that exploit the world!” the hacker wrote in another posting.

Johnson sees the timing of Guccifer's appearance as too convenient.

“It’s a very timely cover-up,” he said. “It seems a little too staged.”

Buratowski agreed. He noted that Guccifer 2.0 could be one person or multiple people belonging to a larger group. Metadata found within the leaked DNC documents included snippets of Russian.

“There’s always the possibility that [Guccifer 2.0] is just a smokescreen to divert attention from the real actors,” Buratowski said.
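The "snippets of Russian" Buratowski refers to are the kind of thing an analyst pulls out of a leaked Word file's OOXML parts: the author and last-modified-by fields in docProps/core.xml, the w:lang codes declared on text runs, and any Cyrillic text left in the body. The script below is an added illustration of that extraction, not code from the article or from any of the firms it quotes. It builds its own minimal .docx in memory so it runs offline; every value in that sample (the names, dates, revision number and Cyrillic string) is constructed for the demonstration and is not taken from the actual leaked documents.

```python
"""Pull authorship and language indicators out of an OOXML (.docx) file.

Added illustration for the metadata point above; not code from the article
or from Fidelis, CrowdStrike, Carbon Black or Intel 471. The sample document
and all of its field values are constructed here so the script runs offline.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespaces for the OOXML parts this script reads.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
}
W = "{%s}" % NS["w"]
CYRILLIC = re.compile(r"[\u0400-\u04FF]")  # the Cyrillic Unicode block

# --- constructed sample parts: placeholder values, not real document data ---
CORE_XML = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{NS['cp']}" xmlns:dc="{NS['dc']}"
 xmlns:dcterms="{NS['dcterms']}" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dc:creator>analyst</dc:creator>
  <cp:lastModifiedBy>Пользователь</cp:lastModifiedBy>
  <cp:revision>3</cp:revision>
  <dcterms:created xsi:type="dcterms:W3CDTF">2016-01-01T10:00:00Z</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2016-01-02T12:30:00Z</dcterms:modified>
</cp:coreProperties>"""

STYLES_XML = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:styles xmlns:w="{NS['w']}">
  <w:docDefaults><w:rPrDefault><w:rPr><w:lang w:val="en-US"/></w:rPr></w:rPrDefault></w:docDefaults>
</w:styles>"""

DOCUMENT_XML = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:document xmlns:w="{NS['w']}"><w:body>
  <w:p><w:r><w:t>Opposition research summary (constructed)</w:t></w:r></w:p>
  <w:p><w:r><w:rPr><w:lang w:val="ru-RU"/></w:rPr><w:t>Пример русского текста</w:t></w:r></w:p>
</w:body></w:document>"""


def build_sample_docx() -> bytes:
    """Zip the constructed parts into a minimal .docx container."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("word/styles.xml", STYLES_XML)
        z.writestr("word/document.xml", DOCUMENT_XML)
    return buf.getvalue()


def extract_metadata(docx_bytes: bytes) -> dict:
    """Return authorship fields, declared w:lang codes and any Cyrillic text runs."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        core = ET.fromstring(z.read("docProps/core.xml")) if "docProps/core.xml" in names else None
        parts = [ET.fromstring(z.read(n)) for n in ("word/document.xml", "word/styles.xml") if n in names]

    def core_text(path: str):
        el = core.find(path, NS) if core is not None else None
        return el.text if el is not None else None

    langs, cyrillic = set(), []
    for root in parts:
        # w:lang may carry val / eastAsia / bidi attributes; record every code declared.
        for lang in root.iter(W + "lang"):
            for attr in ("val", "eastAsia", "bidi"):
                code = lang.get(W + attr)
                if code:
                    langs.add(code)
        # Any text run containing Cyrillic is an indicator worth keeping verbatim.
        for t in root.iter(W + "t"):
            if t.text and CYRILLIC.search(t.text):
                cyrillic.append(t.text)

    author_fields = {
        "creator": core_text("dc:creator"),
        "last_modified_by": core_text("cp:lastModifiedBy"),
    }
    rev = core_text("cp:revision")
    return {
        **author_fields,
        "created": core_text("dcterms:created"),
        "modified": core_text("dcterms:modified"),
        "revision": int(rev) if rev and rev.isdigit() else None,
        "languages": sorted(langs),
        "cyrillic_strings": cyrillic,
        # True if Cyrillic appears in body text or in an authorship field.
        "has_cyrillic": bool(cyrillic) or any(CYRILLIC.search(v or "") for v in author_fields.values()),
    }


if __name__ == "__main__":
    for key, value in extract_metadata(build_sample_docx()).items():
        print(f"{key:18} {value}")
```

Every field this reads is plain XML inside a zip and can be planted or stripped by anyone who opens the file, which is exactly why Buratowski's "smokescreen" caveat matters: a Cyrillic author name or a ru-RU language tag is one weak signal to weigh against malware and infrastructure overlaps, not a finding on its own.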

By Michael Kan (CSO)