
Modern field guide to security and privacy

Why doubts still cloud Russian hacking allegations

Evidence that the government has presented so far linking Russian operatives to the DNC hack is questionable, fueling skepticism and doubt about Moscow's role.

Photo: Defense Under Secretary for Intelligence Marcel Lettre (L), Director of National Intelligence James Clapper and National Security Agency Director Michael Rogers testified before a Senate Armed Services Committee hearing on Thursday. (Jonathan Ernst/Reuters)

Since the White House blamed Russia for hacking US political organizations to undermine the presidential election, administration critics, skeptics, and cybersecurity experts have pushed the government to reveal its evidence.

But so far, much of what has come out of Washington regarding Moscow's suspected digital tampering has only raised more questions about the government's claims.

An analysis of recent hacking activity by the FBI and Department of Homeland Security (DHS) released Dec. 29 generated confusion about the scope of the political hacking campaign, leading many experts to doubt the agencies’ abilities to investigate sophisticated, multilayered digital attacks.

“At this point, we don’t know what is a trusted source and what isn’t,” says Bob Radvanovsky, cofounder of the security research firm Infracritical. “It really confuses people. Is the government of Russia behind these things, or is it some hacker kids in Ukraine?”

Even as Director of National Intelligence James Clapper and National Security Agency Director Michael Rogers said at a Senate hearing Thursday that they are more certain than ever that Russia orchestrated the political hacking campaign, critics seem to be unconvinced.

Earlier this week, WikiLeaks founder Julian Assange told Fox News that Russians were not the source of the hacked political documents from John Podesta, former chairman of the Hillary Clinton campaign, and other Democratic Party operatives that he published on the antisecrecy site.

President-elect Donald Trump, one of the chief critics of the administration's Russia allegations, reiterated Mr. Assange's claim in a tweet: "Julian Assange said 'a 14 year old could have hacked Podesta' – why was DNC so careless? Also said Russians did not give him the info!"

It remains to be seen whether the US intelligence community will be able to convince Mr. Trump and other skeptics. But time is running out. Trump is set to take office Jan. 20.

After promising and then failing to release his own evidence related to the hacks early this week, Trump said that he'll receive an intelligence briefing on the matter this Friday. Both Congress and the Obama administration are waiting for a full report from the country’s intelligence community on the hacking campaign.

Fog of cyberattacks

US officials’ attempts to grasp the scope of an unprecedented cyberattack speak to the difficulty of attributing cyberattacks and to the complex nature of the campaign carried out against the US during the presidential election.

The attacks against the Democratic National Committee (DNC), Democratic Congressional Campaign Committee, and the Clinton presidential campaign involved a mix of targeted digital attacks, leaked emails, and the spread of fake news. Unraveling that kind of operation isn't an easy undertaking.

"Russia’s best cyber operators are judged to be as elusive and hard to identify as any in the world," said Sen. Jack Reed (D) of Rhode Island during the Armed Services Committee hearing Thursday on cyberthreats. "In this case, however, detection and attribution were not so difficult, the implication being that Putin may have wanted us to know what he had done, seeking only a level of plausible deniability to support an official rejection of culpability."

Still, cybersecurity experts have expressed frustration with the government's stumbles as it tries to relay what it knows about the attacks and with what many consider ham-fisted efforts to connect them back to the Kremlin.

Since it was released last week, the DHS and FBI analysis of the campaign the agencies dubbed “Grizzly Steppe” has been roundly criticized by cybersecurity professionals as incomplete, outdated, and politicized.

Grizzly missteps?

“The Grizzly Steppe report reads like a poorly done vendor intelligence report stringing together various aspects of attribution without evidence,” wrote Robert M. Lee, a former Air Force Cyber Warfare Operations Officer and the chief executive of the cybersecurity firm Dragos Security.

Even though Lee has said that Russian operatives hacked the DNC, he says the government has stumbled in making its case. His criticism, and that of other cybersecurity professionals, centers on the decision by DHS and FBI to characterize an extensive catalog of hacker groups, as well as tools, tactics, and characteristics – what the industry refers to as “indicators of compromise” – and attribute all of it to the Russian government.

But the government's laundry list of evidence also includes common families of malicious software with names like BlackEnergy and Havex that are widely known and used by state actors and cybercriminals alike. While some of that software may have been created in Russia and found in prior Russian government campaigns, it doesn't prove the government's case that Russian operatives carried out the US political hacks.

“[The Grizzly Steppe report] is full of garbage,” wrote security researcher Robert Graham on his blog. “It contains signatures of viruses that are publicly available, used by hackers around the world, not just Russia. It contains a long list of IP addresses from perfectly normal services, like Tor, Google, Dropbox, Yahoo, and so forth.”

By equating such commonplace online threats with Russian hacking, the government's Grizzly Steppe analysis darkens the already muddy waters of attributing cyberattacks, experts say.
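The complaint above is concrete enough to show in code. The following is an added example, not code from the article or from any of the people quoted in it: a small triage routine that rates each entry of a shared indicator list by how much it actually says about who is behind a connection, then applies the list to firewall logs so that hits on shared infrastructure (Tor exits, cloud or CDN blocks, whole network ranges) are queued for review rather than escalated as if they were a positive identification. The indicator list, the shared-infrastructure table and the log lines are all constructed here using RFC 5737 documentation addresses; none of them come from the Grizzly Steppe report.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed indicator feed. The addresses are RFC 5737 documentation ranges
# so nothing here refers to a real host.
SAMPLE_INDICATORS: List[str] = [
    "203.0.113.7",     # stands in for a single-purpose attacker-controlled host
    "198.51.100.20",   # stands in for a Tor exit node
    "192.0.2.0/24",    # stands in for a shared cloud/CDN block
]

# Constructed local context an analyst would maintain: ranges that many
# unrelated parties share, so a hit on them says little about attribution.
SHARED_INFRA: Dict[str, str] = {
    "198.51.100.0/24": "tor-exit",
    "192.0.2.0/24": "shared-cloud",
}

# Constructed firewall log lines in a simple key=value format.
SAMPLE_LOGS: List[str] = [
    "2017-01-05T09:12:01Z src=10.1.4.22 dst=198.51.100.20 dport=443 action=allow",
    "2017-01-05T09:12:07Z src=10.1.4.22 dst=203.0.113.7 dport=8080 action=allow",
    "2017-01-05T09:13:40Z src=10.1.9.3 dst=192.0.2.55 dport=443 action=allow",
    "2017-01-05T09:14:02Z src=10.1.9.3 dst=10.1.0.1 dport=53 action=allow",
]

_DST = re.compile(r"\bdst=(\S+)")


def classify_indicator(indicator: str) -> Tuple[str, str]:
    """Return (fidelity, reason) for one IP or CIDR indicator.

    An indicator is low fidelity when it overlaps infrastructure that many
    parties share, or when it is a whole block rather than a specific host.
    """
    net = ipaddress.ip_network(indicator, strict=False)
    for cidr, label in SHARED_INFRA.items():
        shared = ipaddress.ip_network(cidr)
        if net.subnet_of(shared) or shared.subnet_of(net):
            return "low", f"overlaps shared infrastructure ({label})"
    if net.num_addresses > 1:
        return "low", "whole network block, not a specific host"
    return "high", "single host with no known shared use"


def match_logs(indicators: List[str], log_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (log_line, indicator, fidelity) for every line whose dst hits an indicator."""
    nets = [(ind, ipaddress.ip_network(ind, strict=False)) for ind in indicators]
    hits = []
    for line in log_lines:
        m = _DST.search(line)
        if not m:
            continue
        dst = ipaddress.ip_address(m.group(1))
        for ind, net in nets:
            if dst in net:
                fidelity, _ = classify_indicator(ind)
                hits.append((line, ind, fidelity))
                break
    return hits


def triage(indicators: List[str], log_lines: List[str]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Split hits into those worth escalating and those that only merit review."""
    hits = match_logs(indicators, log_lines)
    return {
        "escalate": [h for h in hits if h[2] == "high"],
        "review": [h for h in hits if h[2] == "low"],
    }


if __name__ == "__main__":
    for ind in SAMPLE_INDICATORS:
        fidelity, reason = classify_indicator(ind)
        print(f"{ind:<16} {fidelity:<5} {reason}")
    result = triage(SAMPLE_INDICATORS, SAMPLE_LOGS)
    print(f"escalate: {len(result['escalate'])}, review: {len(result['review'])}")
```

Run against the constructed logs, three of the four lines hit the feed, but only the connection to the single-purpose host is escalated; the Tor exit and the cloud block land in the review queue. That separation is the step a report that lists Tor, Google and Dropbox addresses alongside real attacker infrastructure leaves to the reader.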

And those critics didn’t need to wait long for an example of how sloppy evidence about the suspected Russian hack could lead to error.

The hack that wasn't

Last weekend, The Washington Post published claims that Russian hackers penetrated the US electric grid by way of the Vermont utility Burlington Electric. That report cited unnamed US officials saying that “code associated with the Russian hacking operation dubbed Grizzly Steppe” was detected within the facility. The story prompted a swift response from Vermont Gov. Peter Shumlin, who issued a statement decrying Russian tampering with US critical infrastructure.

But the article was immediately discredited and the Post backed away from the initial story. The Post published a follow-up that said the suspicious computer activity identified at Burlington Electric was not connected to a “Russian government effort to target or hack the utility.”

Cybersecurity experts pinned the blame for the confusion squarely on the Obama administration’s Grizzly Steppe report. “This misinformation is your fault,” Mr. Graham wrote.

Others such as Mr. Radvanovsky questioned the timing of the report, which DHS and the FBI made public on the same day that President Obama announced sanctions against the Russian government, expelling 35 Russian diplomats from the country in retaliation for the hacks.

“Because the timeliness of the [Grizzly Steppe report] – it leaves some doubt as to whether any of this happened at all,” he says. “This whole thing looks like it was entirely politically based and that raises questions about the merit of the report.”

A history of skepticism

This isn’t the first time the cybersecurity community has cast doubt on the Obama administration’s and the US government’s analysis after cyberattacks.

Following the Sony Pictures Entertainment hack in 2014, the FBI and the Obama administration moved quickly to pin the blame on hackers working for the government of North Korea, citing similarities in the malware used in the attack. That, despite persistent questions from cybersecurity experts about other possible culprits.

Others point to another, older incident of bad intelligence from DHS and FBI. In 2011, the agencies revealed they were investigating a purported Russian hack that caused a water pump to fail in the Curran-Gardner Township Public Water District in Illinois. The news spawned a blizzard of reports about destructive cyberattacks from the US’s Cold War foe.

Like the Burlington Electric hack, however, further investigations soon proved those initial reports were wrong. The pump in question simply reached the end of its life and burned out.

The Curran-Gardner dust-up eventually faded into the background. The administration’s narrative about North Korea hacking Sony Pictures eventually prevailed. But the controversy over the government’s report on Russia’s hacking may be more difficult to recover from, experts say.

The holes in the Grizzly Steppe analysis will give critics more cause to doubt future government claims about Russian hacking or campaigns by other nation-states, say experts. At the same time, the botched intelligence about the Burlington Electric hack will damage already fraught relations between private sector firms, critical infrastructure owners, and the government at a time when cybersecurity cooperation is increasingly important.

“People will point to [Burlington Electric] and to Curran-Gardner and say, ‘This is happening because these people don’t know what they’re looking at,’ ” said Jake Brodsky, a Senior Control Systems Engineer who works for a large, East Coast water utility.

And, with no legal requirement to report cyber incidents, Mr. Brodsky said, companies that own and operate critical infrastructure may hold back on reporting suspicious incidents. “Utilities will not put it out there,” he said. “They don’t need the grief.”
