The secret linguistics clues researchers used to link DNC hack to Russia
Call it the telltale font.
For security researchers delving into the source of malicious software that infected the Democratic National Committee's computers, linguistic clues in computer fonts, messages buried in malicious applications, and even comments from the alleged culprit helped tie the attack back to Russia.
In fact, linguistics is becoming increasingly important as governments and cybersecurity firms seek to accurately identify lone hackers or the nations that are behind high-profile attacks. And the stakes for this kind of attribution are growing higher as the US has responded to recent breaches with sanctions and political pressure, and in the future could retaliate with military action.
"In the digital world, we look at every aspect of communication," says Mario Vuksan, chief executive officer of the cybersecurity firm ReversingLabs. "From the way a hacking group connects to an asset to the way the binary code is written to text and email messages."
For instance, code could be compiled on machines that are loaded with specific languages. And hackers could tip their hand by using expressions common in certain countries or languages.
When it comes to investigating cybercrimes, techniques range from classical linguistic pursuits, such as word count analysis that examines patterns of language use, to more behavioral analysis that tries to identify unique patterns or behaviors using lexical analysis, says Steve Bongardt, a former agent in the FBI's Behavioral Analysis Unit who now works with the firm Fidelis Cybersecurity.
Mr. Bongardt likens it to investigating a crime scene, with hacking groups or individuals falling back on well-worn modus operandi that govern how an attack is carried out and less regimented "rituals" that are just as suggestive of a particular actor.
But linguistic clues often fall far short of pinning attribution for any single actor, Bongardt and others agreed. Rather, they say, governments and law enforcement agencies investigating crimes need to look to the preponderance of evidence, most of it not linguistic, as they attempt to understand who was behind an incident.
In the case of the DNC hack, a previously unknown hacker who identified himself as Guccifer 2.0 claimed responsibility for the breach. He said he was Romanian without any connections to the Russian government. But analysts poked holes in those claims by closely analyzing his comments and other language and cultural identifiers in metadata.
Initially, however, the attribution of the suspected DNC hackers by the cybersecurity firm CrowdStrike relied on a wealth of technical evidence to support the theory that two groups with links to Russian intelligence were responsible.
CrowdStrike's analysis did not rely at all on linguistic clues. Rather, it compiled a list of 12 separate indicators of compromise that were common to the two hacking crews. They ranged from malicious programs to tools for managing malicious software and extracting sensitive data.
But after Guccifer 2.0 emerged to claim responsibility for the DNC breach, researchers soon noted subtle clues in his speech, as well as in documents offered from his website, that cast doubt on his account of the hack. For instance, the tech news site Ars Technica noted Russian-language text buried in the PDF of leaked opposition research on Donald Trump.
But that kind of information is still not conclusive, says Mr. Vuksan of ReversingLabs, making attribution a challenge when it comes to cyberattacks and breaches.
"Cyber being what it is, it's an area where covert action can be done at different levels in many different ways," he says. "Decoys, intelligence, and counter intelligence can all reside within the same breath."
Still, clues buried in language in blog posts, social media, or malicious code are critical in an age when nation-backed hackers aren't beyond using disinformation campaigns to cover their tracks.
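As an added illustration (not from the article or from any of the firms it quotes), the kind of check an analyst runs when hunting for language clues in a leaked document: it pulls declared language tags, font names and Cyrillic text out of a constructed PDF-like byte string. As the article stresses, such clues corroborate other evidence rather than settle attribution on their own.

```python
import re

# Constructed sample that imitates fragments of a PDF: a document-level /Lang
# tag, a font name, and a text string stored as UTF-16BE with a byte-order mark
# (how PDF text strings usually carry non-Latin characters). Not a real document.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Lang (ru-RU) /Producer (ExampleWriter) >>\nendobj\n"
    b"2 0 obj\n<< /Type /Font /BaseFont /Arial-Cyr >>\nendobj\n"
    b"BT (\xfe\xff\x04\x1f\x04\x40\x04\x38\x04\x32\x04\x35\x04\x42) Tj ET\n"
    b"%%EOF\n"
)


def _count_cyrillic(text: str) -> int:
    """Number of code points in the Cyrillic block (U+0400 to U+04FF)."""
    return sum(1 for ch in text if 0x0400 <= ord(ch) <= 0x04FF)


def cyrillic_chars(data: bytes) -> int:
    """Count Cyrillic characters in BOM-prefixed UTF-16BE PDF strings and in
    raw UTF-8 runs; both are checked because document producers differ."""
    total = 0
    for m in re.finditer(rb"\(\xfe\xff(.*?)\)", data, re.S):
        total += _count_cyrillic(m.group(1).decode("utf-16-be", errors="ignore"))
    # UTF-8 encodes U+0400..U+04FF as the two-byte sequences D0 80 .. D3 BF.
    for m in re.finditer(rb"(?:[\xd0-\xd3][\x80-\xbf])+", data):
        total += _count_cyrillic(m.group(0).decode("utf-8", errors="ignore"))
    return total


def language_indicators(data: bytes) -> dict:
    """Collect the language clues an analyst would record from a document:
    declared language tags, embedded font names, and a Cyrillic character count."""
    return {
        "lang_tags": [t.decode("ascii", errors="replace")
                      for t in re.findall(rb"/Lang\s*\(([^)]*)\)", data)],
        "fonts": [f.decode("ascii", errors="replace")
                  for f in re.findall(rb"/BaseFont\s*/([A-Za-z0-9+\-_,]+)", data)],
        "cyrillic_chars": cyrillic_chars(data),
    }


if __name__ == "__main__":
    print(language_indicators(SAMPLE_PDF))
```

Real PDFs compress content streams, so on a genuine file the same checks are run over the decompressed streams and the document metadata rather than the raw bytes.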
Experts say that Guccifer 2.0's claim of credit for the DNC hack is strikingly similar to claims of responsibility following an attack in April 2015. After attackers took over the network's websites and displayed images promoting the Islamic State, a group calling themselves the CyberCaliphate said they were behind the breach.
However, on closer examination, the attack was carried out by the same group tied to the DNC hack, says Toni Gidwani, director of threat research operations at the firm ThreatConnect.
The purpose of such ruses isn't to fool everyone, says Ms. Gidwani. Instead, she says, it's to be "good enough" to create doubt about the prevailing narrative. "If you look at the broader Russian doctrine of cyberoperations, sowing discord is a measure of success."