US officially accuses Russia of leaking DNC emails

The Capitol Building

The US government has officially blamed Russia for cyber hacks exposing 19,000 emails from the Democratic National Committee's (DNC) servers.

While Russia was previously named by the FBI and cybersecurity experts, this is the first time the White House has explicitly attributed the attack to Russia, saying it was trying to interfere with the US election.

"The US Intelligence Community (USIC) is confident that the Russian government directed the recent compromises of emails from US persons and institutions, including from US political organisations," read a joint statement from the directors of the Department of Homeland Security and the Office of the Director of National Intelligence on Election Security.

A supposedly Romanian hacker called Guccifer 2.0 claimed responsibility for the hacks, but security experts said the persona was likely a front for Russian hackers.

"The recent disclosures of alleged hacked emails on sites like DCLeaks.com and WikiLeaks and by the Guccifer 2.0 online persona are consistent with the methods and motivations of Russian-directed efforts," the departments added.

"We believe, based on the scope and sensitivity of these efforts, that only Russia's senior-most officials could have authorised these activities."

The leaked emails revealed suggestions of an internal bias against Democrat presidential candidate Hillary Clinton's then-rival, Bernie Sanders, amid other embarrassing revelations for the DNC.

However, Putin's spokesman responded to Washington's statement by denying the allegation, according to the Guardian, and deputy foreign minister Sergei Ryabkov said: "This whipping up of emotions regarding 'Russian hackers' is used in the US election campaign, and the current US administration, taking part in this fight, is not averse to using dirty tricks." He extended an offer for Moscow and Washington to work together on tackling cybercrime.

Washington also said some states' "election-related systems" had been scanned and probed, but stopped short of saying Russia's government was responsible, saying only that these attacks emanated from a Russian company's servers.

Homeland Security is helping election officials safeguard their systems with cyber hygiene scans of any connected systems, sharing information about cyber attacks, and advising best practices to secure voter registration databases.

"[Homeland Security] has convened an Election Infrastructure Cybersecurity Working Group with experts across all levels of government to raise awareness of cybersecurity risks potentially affecting election infrastructure and the elections process," the departments added.

The unprecedented step by the US to formally accuse Russia of the DNC hacks follows a widespread spate of suspected Russian hacking.

KGB-connected hacking collective Fancy Bear spilled Olympic athletes' medical data onto the internet following Russian athletes' ban from Rio 2016, and has also been linked to attempts to thwart journalists' investigation into the crash of Malaysian Airlines' MH17 flight, which was shot down over Ukraine in 2014.

10/08/2016: Julian Assange suggests shot DNC staffer was behind leaked emails

WikiLeaks founder Julian Assange has appeared to suggest a murdered staffer at the Democratic National Committee was the source for recently leaked emails.

The FBI's own investigations pointed to Russia as the source of the hack, after Wikileaks published a swathe of DNC emails last month that appeared to show the committee had a bias towards electing Hillary Clinton over Bernie Sanders as the party's presidential candidate.

But, appearing on a Dutch television show, Assange suggested that Seth Rich, a DNC employee shot to death in Washington last month, was WikiLeaks' source for the emails.

He told the programme Nieuwsuur (transcript from BuzzFeed): "Whistleblowers often take very significant efforts to bring us material and often at very significant risks.

"There's a 27-year-old who works for the DNC and who was shot in the back, murdered, just a few weeks ago, for unknown reasons as he was walking down the streets in Washington."

WikiLeaks has put up a $20,000 reward for information about Rich's death, which remains unsolved.

Pressed on exactly what he was suggesting, Assange added: "I am suggesting that our sources take risks and they become concerned to see things occurring like that. We don't comment on who our sources are."

03/08/2016: FBI 'kept Russian DNC hack quiet for months'

The FBI suspected Russia was behind the hack on the servers of the Democratic National Committee (DNC) months before it informed the political organisation, according to Reuters.

When the law enforcement agency first contacted the DNC in autumn 2015, it already suspected the involvement of a cyber gang backed by the Russian government, Reuters reported, citing three individuals "with knowledge of the discussions".

It was not until summer this year, however, that DNC party officials were informed of possible Russian involvement, with the hack potentially being an espionage attack at heart.

"In its initial contact with the DNC ... the FBI instructed DNC personnel to look for signs of unusual activity on the group's computer network, one person familiar with the matter said. DNC staff examined their logs and files without finding anything suspicious," Reuters reported.

When DNC staff asked for more information from the FBI, the agency did not provide it, Reuters claimed, and did not mention its suspicions in further conversations with the DNC.

The alleged failure of the FBI to disclose the possible source of the attack meant the DNC's IT team was unable to take appropriate measures to reduce the number of emails and documents stolen, according to one of Reuters' sources.

This allegedly allowed the hackers to continue to have access to DNC computers during the primaries.

IT Pro was unable to reach the FBI for comment on the allegations.

26/07/2016: Was Russia behind the DNC email hack?

Emails at the centre of a political scandal in the US Democrat Party may have been extracted from their servers by Russian hackers, it has been claimed.

Wikileaks published a sheaf of emails last Friday stolen from the servers of the Democratic National Committee (DNC), the most controversial of which allegedly show bias against Bernie Sanders, who at the time of the emails was still in the running to be the Democratic nominee for the 2016 US presidential election.

The DNC acknowledged back in June that its servers had been hacked, at which time it was though the alleged Russian hackers were primarily after a research document on Republican nominee Donald Trump.

With this latest leak, Robby Mook, the campaign manager of Hillary for America - Democratic presidential nominee Hillary Clinton's official presidential campaign - has once again invoked Russia as the source of the attack, but has now suggested a different MO: Moscow wants Trump to be president.

"What's disturbing to us is that experts are telling us that Russian state actors broke into the DNC, stole these emails, and now other experts are saying the Russians are releasing these emails for the purpose of helping Donald Trump. I don't think it's coincidental that these emails were released on the eve of our convention here," Mook told CNN's State of the Union programme (via Fortune).

"We need to be concerned that we also saw last week at the Republican convention that Trump and his allies made changes to the Republican platform to make it more pro-Russian. When you put all this together, it's a disturbing picture, and I think voters need to reflect on that."

Russia's foreign minister, Sergei Lavrov, has once again denied the involvement of the Russian government and security agencies in the DNC hack. However, a number of cybersecurity firms, including FireEye and CrowdStrike, the latter of which was brought in by the DNC following the discovery of the initial hack, believe they have evidence backing up the claims.

The case for Russian government involvement...

CrowdStrike was the first organisation to point the finger at Russian involvement and has always stood by its initial analysis. The two threat actors identified as having been involved in the DNC hack, which it dubbed Cozy Bear (aka CozyDuke or APT29) and Fancy Bear (aka Sofacy or APT28), have been active for 12 months and about 10 years, respectively.

Crowdstrike co-founder and CTO Dmitri Alperovitch published an initial blog post outlining how and when the two Bears attacked the DNC servers and stated why he and his team believe they are related to the Russian government - specifically the FSB and SVR (the Russian equivalents of MI5 and MI6).

When someone calling themselves Guccifer 2.0 came forward to claim responsibility and outright denied they worked for the Russian government, Alperovitch's blog was updated with a note stating: "CrowdStrike stands fully by its analysis and findings identifying two separate Russian intelligence-affiliated adversaries present in the DNC network in May 2016."

"Whether or not [Guccifer 2.0's blog] posting is part of a Russian Intelligence disinformation campaign, we are exploring the documents' authenticity and origin. Regardless, these claims do nothing to lessen our findings relating to the Russian government's involvement, portions of which we have documented for the public and the greater security community."

CrowdStrike was not the first organisation to tie Cozy Bear/APT29 to Russian intelligence. Almost a year earlier, researchers at FireEye produced a report on a malware called Hammertoss, in which it profiled APT29 (Cozy Bear), stating: "APT29 has been operating in its current form since at least late 2014. We suspect the Russian government sponsors the group because of the organisations it targets and the data it steals. Additionally, APT29 appeared to cease operations on Russian holidays, and their work hours seem to align with the UTC +3 time zone, which contains cities such as Moscow and St Petersburg."

There are also some linguistic tics suggesting Russian involvement, including pseudonyms written using the cyrillic alphabet, that have been found in the metadata of the documents. It is also well known that Putin and Trump are mutual fans, each having spoken admiringly of the other publicly. Indeed, it is not so much the hack itself that has drawn the attention of the FBI this time, as the timing, since it is feared the information could influence the vote in November.

... and the case against it

It is very easy to misattribute cyber attacks - the reality is that many are never fully resolved and governments do not come forward and claim responsibility, even if they are suspected in the strongest possible terms, so guarantees are virtually impossible.

In this case, all the known actors have denied any involvement - Lavrov said he didn't want to have to resort to "four-letter words" when asked by journalists of Russia's involvement, Donald Trump said "the new joke in town is that Russia leaked the disastrous DNC e-mails, which should never have been written (stupid), because Putin likes me", while Wikileaks founder Julian Assange told NBC News "there is no proof whatsoever" that the documents his organisation released on Friday were handed over by Russian intelligence.

Guccifer 2.0, meanwhile, has stated he is Eastern European, but not Russian, adding: "This is my personal project and I'm proud of it. Yes, I risk my life. But I know it's worth it. No one knew about me several weeks ago. Nowadays the whole world's talking about me." He also stated that the idea of the "almighty Russian hackers" is actually a myth.

Intel Security's EMEA CTO, Raj Samani, told IT Pro: "We don't do attribution ... until we've had the opportunity to forensically analyse the compromised systems and until we've had the opportunity to interview potential suspects and so forth. The whole concept of attribution through rudimentary technical analysis is dangerous, because some of the best attackers today will use what we call false flag operations where they will make it appear to come from somewhere and it's actually relatively simple to do.

"Our job as a technical security company is to provide technical security and technical analysis, but in terms of attribution and going after bad guys, that's law enforcement's job."

Jane McCallion
Managing Editor

Jane McCallion is ITPro's Managing Editor, specializing in data centers and enterprise IT infrastructure. Before becoming Managing Editor, she held the role of Deputy Editor and, prior to that, Features Editor, managing a pool of freelance and internal writers, while continuing to specialize in enterprise IT infrastructure, and business strategy.

Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.