Yesterday, we blogged about the cyber-attack on the Democratic National Committee (DNC) that led to the theft of a dossier on the presumptive Republican presidential nominee, Donald Trump. According to the US-based cyber security company CrowdStrike, two sophisticated Russian espionage groups, COZY BEAR and FANCY BEAR, were behind the attacks; the company based that conclusion on the specific tactics, techniques, and procedures (TTPs) uncovered during its investigation of the breach. A lot can change in twenty-four hours!
Shortly after that blog was filed, a hacker going by the persona Guccifer 2.0 claimed responsibility for the DNC breach. The name Guccifer 2.0 is a play on a Romanian hacker calling himself Guccifer. Guccifer is believed to be the man behind hacking into Hillary Clinton’s personal email server, compromising thousands of sensitive US State Department documents.
Guccifer 2.0’s blog questions CrowdStrike’s conclusion that those behind the DNC attacks were sophisticated, stating, “I’m very pleased the company appreciated my skills so highly))) But in fact, it was easy, very easy.” That’s not all. To prove his point, Guccifer 2.0 released several sensitive DNC documents, including donor lists, strategy lists, and even a document titled “NATIONAL SECURITY TRANSITION PLANNING” detailing a timeline of activities for transitioning Secretary Hillary Clinton into the role of President after the November election.
This twist of events has once again called into question the value of attribution and its accuracy. As a threat intelligence analyst myself, I know that pinpointing attribution to a particular individual, group, or even nation is very difficult and not without its critics. Security researcher Bruce Schneier accurately captured the attribution problem in his blog, writing:
And while it now seems that North Korea did indeed attack Sony, the attack it most resembles was conducted by members of the hacker group Anonymous against a company called HBGary Federal in 2011. In the same year, other members of Anonymous threatened NATO, and in 2014, still others announced that they were going to attack ISIS. Regardless of what you think of the group’s capabilities, it’s a new world when a bunch of hackers can threaten an international military alliance.
And it’s an important point. From a geostrategic perspective, proper attribution of these types of attacks is critical, especially if the US election system appears to be a victim.
Whether or not the DNC breach will damage the campaigns of the presidential hopefuls remains to be seen, but that isn’t necessarily the most important thing to consider. At stake is the election of, arguably, the most powerful person in the world. In a country that values its democracy so highly, any view that the election process has been compromised may have a serious impact on the public’s perception of the President-elect’s legitimacy. Not only is attribution hard, it’s also vital for decision makers.
Just because attribution is hard doesn’t mean we shouldn’t do it, even if we, as researchers, get it wrong at times. I personally have seen the value of attribution not just at the nation-state level but on a much smaller scale, where the motivations of the hacker were less about global ambitions and more about financial gain. Cyber intelligence people in the private sector, often struggling for resources, are far more empowered when arguing for funding of their efforts once they turn the conversation from “How?” to “Who?” It’s amazing how quickly you grab a penny-pinching COO’s attention when you have pictures of the hackers who just ran amok through your ERP system!
So has Guccifer 2.0 really called into question CrowdStrike’s conclusions?
Absolutely not! They’re an excellent threat intelligence shop and I’m confident they’ve done their homework. International espionage is a tricky game, and a good defense is a good diversion. So is Guccifer 2.0 actually a Russian espionage threat actor? We don’t know, and may never know. Clearly Guccifer 2.0, whoever he is, has access to leaked DNC documents, but further proof is needed before I’m a disciple. It would have been a lot more believable if Guccifer 2.0 had walked through the attack in a YouTube video. Even then, you’d still have people disbelieving his claims.
In the end, we’re all left to draw our own conclusions, but keep in mind that disinformation is a powerful asset. Don’t always believe what you see.
Written by: Rick Gamache
Rick Gamache is a freelance writer with 25 years’ experience in the cyber security field. His past roles include Managing Director of Wapack Labs, CIO of the Red Sky Alliance, and lead FISMA auditor for the US Navy’s destroyer program. Rick has written several high-level cyber and general risk reports with an emphasis on the Nordic countries, India, Russia, and Ukraine, and has traveled extensively, speaking on strategic cyber threat intelligence matters as they relate to global supply chains.
Twitter – https://twitter.com/thecissp
(Security Affairs – Russian Hackers, Guccifer 2.0)