WASHINGTON - Since Democratic National Committee officials first discovered this spring that their data network had been compromised, a growing chorus of experts and officials have seen evidence that the Russian government was responsible.
In the months since, the infiltration and its consequences have taken surprising and often bizarre twists and turns, culminating in a political scandal this week as the Democratic National Convention opened in Philadelphia. But one constant has been a growing body of forensic evidence implicating the Russian government.
The first hints came in May, after committee officials noticed unusual activity on their network. They hired the cybersecurity company CrowdStrike to investigate, and its experts quickly found the source of the activity: a group of hackers had, in late April, gained access to the systems of the committee's opposition research team, from which the group had stolen two files containing information on Donald J. Trump, who would ultimately become the Republican candidate for president.
The investigators found that the hackers were part of APT 28, a group well known among cybersecurity experts. The name is an acronym for advanced persistent threat, a term that usually refers to government hackers. Security firms and law enforcement officials have also used the name Fancy Bear, a reference to the widespread belief that the group is operated by Russia's military intelligence agency, the GRU.
The investigation might have ended there, but CrowdStrike discovered another, better hidden infiltrator in the Democratic committee's computers: a group called APT 29, or Cozy Bear, which is considered more skilled and has been associated with the FSB, the main successor to the KGB.
Cozy Bear, it appeared, had had full access to the committee's systems for almost a year. (Subsequent studies by two other cybersecurity firms confirmed CrowdStrike's findings.)
Linking a breach to a particular hacker group, and tying that group to a state agency, always rests on circumstantial evidence. But the forensic evidence experts were able to collect connecting these intrusions to Russian agencies was very strong compared with other cases.
For example, the first group, APT 28, often uses the same tactic: registering a domain name that closely resembles its target's, to trick users into revealing their passwords when they log in at the wrong site. In this case, the hackers created misdepatrment.com, with two letters transposed, to target users of the MIS Department, which manages the Democratic committee's network.
More telling, the hackers linked this domain to an IP address they had used in previous attacks, giving investigators a way to search for patterns. They also used the same malware tools, which sometimes included unique security or encryption keys, a kind of digital fingerprint. These fingerprints were found in other attacks, like a 2015 breach of Germany's Parliament, which German intelligence officials said Russia, and specifically APT 28, had probably carried out.
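The transposed-letter domain described above is the kind of lookalike a network defender can hunt for in DNS or proxy logs. The following is an added illustration, not code from the article or from any of the firms it mentions: it scores each queried domain against a watch list using the optimal-string-alignment distance (Levenshtein plus adjacent transpositions), so that a single swapped pair such as "tr" for "rt" registers as one edit. The watched domain misdepartment.com and the log lines are constructed assumptions; the article names only the lookalike misdepatrment.com, not the department's real domain.

```python
import re

# Assumed legitimate domain for the MIS Department (an assumption; the
# article gives only the attacker's lookalike, misdepatrment.com).
WATCHED_DOMAINS = ["misdepartment.com"]

# Constructed sample of DNS/proxy log lines, not data from the article.
SAMPLE_LOG = """\
2016-04-20T09:12:03 user=alice query=misdepartment.com
2016-04-20T09:15:44 user=bob query=misdepatrment.com
2016-04-20T09:16:10 user=carol query=mail.google.com
2016-04-20T09:20:31 user=dave query=misdeparment.com
2016-04-20T09:22:07 user=erin query=misdepartment.co
2016-04-20T09:25:55 user=frank query=m1sdepartment.com
"""

LOG_RE = re.compile(r"user=(\S+) query=(\S+)")


def osa_distance(a, b):
    """Optimal string alignment distance: insert/delete/substitute cost 1,
    and swapping two adjacent characters also costs 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,        # deletion
                          d[i][j - 1] + 1,        # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def is_transposition(a, b):
    """True when b is a with exactly one pair of adjacent characters swapped."""
    if len(a) != len(b):
        return False
    diff = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    return (len(diff) == 2 and diff[1] == diff[0] + 1
            and a[diff[0]] == b[diff[1]] and a[diff[1]] == b[diff[0]])


def find_lookalikes(log_text, watched=WATCHED_DOMAINS, max_distance=2):
    """Return (user, queried_domain, watched_domain, distance, kind) for every
    query that is within max_distance edits of a watched domain but not equal
    to it. Exact matches are legitimate traffic and are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        user, queried = m.group(1), m.group(2).lower().rstrip(".")
        for legit in watched:
            if queried == legit:
                continue
            dist = osa_distance(queried, legit)
            if dist <= max_distance:
                kind = "transposition" if is_transposition(queried, legit) else "edit"
                hits.append((user, queried, legit, dist, kind))
    return hits


if __name__ == "__main__":
    for hit in find_lookalikes(SAMPLE_LOG):
        print(hit)
```

Run against the constructed log, the detector flags four users: bob's query is the transposition case from the article, while dave, erin and frank hit single-character deletions and a digit-for-letter substitution. A small edit distance is a signal to review, not proof of phishing, so in practice the output would be joined with registration dates and resolved IP addresses, the same kind of pivot the investigators used when the lookalike domain pointed at infrastructure seen in earlier attacks.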
Both APT 28 and APT 29 use methods "consistent with nation-state level capabilities," according to a CrowdStrike report, and they target foreign militaries and military contractors in a pattern that "accurately reflects the strategic interests of the Russian government."
Another report, issued by the security company FireEye in July 2015, pointed out that the hackers seemed to go offline on Russian state holidays and appeared to operate during hours consistent with the Russian workday.
Such intrusions, while troubling, fall within the expected bounds of international spycraft. The case took a surprising turn in June, when Democratic Party officials, perhaps seeing an opportunity to paint Mr. Trump as Moscow's preferred candidate, revealed the apparent Russian infiltration to The Washington Post.
Within 24 hours, a person using the name Guccifer 2.0 had opened a WordPress blog and made a far-fetched claim: he, not Russia, had been responsible for breaching the Democratic committee, and he had done it alone.
He also said that he had stolen thousands of internal e-mails, the first public mention of such a theft. He offered evidence, posting a number of stolen documents and leaking others to news outlets, as well as to WikiLeaks. His name, he said, was a tribute to a well-known Romanian hacker who went by Guccifer and has been imprisoned since 2014.
But Guccifer 2.0's documents, while authentic, contradicted his claim that he had acted alone, and provided evidence of Russian government involvement. Some files, for example, included metadata showing they had been opened on computers with Russian-language settings. Another had been modified in a word processing program registered to Felix Edmundovich, rendered in Cyrillic script, a clear reference to Felix E. Dzerzhinsky, the founder of the Soviet secret police.
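The metadata clues above (a Cyrillic editor name, Russian-language settings) live in the document's own properties, and an analyst can pull them out without opening the file in an office suite. The example below is an added illustration and is not code from the article or from any of the firms it cites. It constructs a minimal Word-style (OOXML) zip in memory so that it runs offline, then reads docProps/core.xml for the creator and last-modified-by fields and word/styles.xml for the default document language. The file contents, the "analyst" creator and the dates are constructed samples; the Cyrillic name is the rendering of the name the article describes, supplied here as a sample value.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces used by docProps/core.xml and word/styles.xml.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
}


def build_sample_docx(last_modified_by, lang):
    """Construct a minimal docx-like zip in memory. This is a constructed
    sample for the demonstration, not a real leaked document."""
    core = f"""<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties xmlns:cp="{NS['cp']}" xmlns:dc="{NS['dc']}" xmlns:dcterms="{NS['dcterms']}">
  <dc:creator>analyst</dc:creator>
  <cp:lastModifiedBy>{last_modified_by}</cp:lastModifiedBy>
  <dcterms:modified>2016-06-15T12:00:00Z</dcterms:modified>
</cp:coreProperties>"""
    styles = f"""<?xml version="1.0" encoding="UTF-8"?>
<w:styles xmlns:w="{NS['w']}">
  <w:docDefaults><w:rPrDefault><w:rPr><w:lang w:val="{lang}"/></w:rPr></w:rPrDefault></w:docDefaults>
</w:styles>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("word/styles.xml", styles)
    return buf.getvalue()


def extract_metadata(docx_bytes):
    """Read authorship and language metadata straight from the zip members."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        core = ET.fromstring(z.read("docProps/core.xml"))
        styles = ET.fromstring(z.read("word/styles.xml"))

    def text(root, path):
        node = root.find(path, NS)
        return node.text if node is not None else None

    lang_tag = f"{{{NS['w']}}}lang"
    val_attr = f"{{{NS['w']}}}val"
    languages = sorted({el.get(val_attr) for el in styles.iter(lang_tag) if el.get(val_attr)})
    return {
        "creator": text(core, "dc:creator"),
        "last_modified_by": text(core, "cp:lastModifiedBy"),
        "modified": text(core, "dcterms:modified"),
        "languages": languages,
    }


def has_cyrillic(s):
    """True if any character falls in the Unicode Cyrillic block."""
    return any("\u0400" <= ch <= "\u04FF" for ch in (s or ""))


def flags(meta):
    """Name the indicators an analyst would record from the metadata."""
    out = []
    if has_cyrillic(meta["last_modified_by"]):
        out.append("cyrillic_last_modified_by")
    if any(lang.lower().startswith("ru") for lang in meta["languages"]):
        out.append("russian_language_default")
    return out


if __name__ == "__main__":
    # Sample value rendering the name the article describes; constructed file.
    doc = build_sample_docx("Феликс Эдмундович", "ru-RU")
    meta = extract_metadata(doc)
    print(meta, flags(meta))
```

The indicators come out as a list rather than a verdict: document properties are plain text inside a zip and can be edited or planted, so the article's caution about circumstantial evidence applies here too. Such fields earn their weight only when they line up with independent signals, as they did when the same clues recurred across several of the leaked files.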
Guccifer 2.0 made himself available to journalists, something criminal hackers rarely do. He insisted that Russia had not infiltrated the Democratic committee, a strange claim because he would have had no way of knowing. When discussing how he had carried out the intrusion, his remarks were disjointed and, according to cybersecurity experts, showed insufficient technical knowledge to understand, much less perform, the attacks.
He also claimed to be Romanian, but was unable to hold a conversation in that language when prompted by a reporter from the technology site Motherboard. But if Guccifer 2.0 was not who he said he was, how had he obtained thousands of documents stolen from the committee? And why did he lie?
ThreatConnect, a security analysis group, concluded that Guccifer 2.0 "is likely a Russian denial and deception (D&D) effort" meant to cast doubt on Russia's responsibility for the hack. It later found metadata in Guccifer 2.0's e-mails suggesting he had sent them from a Russian network, as well as some parallels with networks used by APT 28, the Russian group.
The theory, widely shared by cybersecurity analysts, is that the Russian intelligence services, once exposed by the June report in The Washington Post, created Guccifer 2.0 to distract from those accusations. The thinking behind such methods is detailed in Russia's formal military doctrine, which calls for deception and disinformation, often through so-called information operations, to sow confusion and maintain deniability.
Last week, the hackers published about 20,000 e-mails through a different channel: WikiLeaks, which has long experience at scrubbing documents of incriminating information. So this release offers little new forensic information. But security experts say there may be more opportunities to hunt for clues: the hackers had access to far more than just these e-mails, and after last week's stunt, may be tempted to leak more.
