The Recent Russian Indictment Raises 7 Major Questions

While the recent indictment of 12 Russian hackers does give some interesting new details on the hacking of the DCCC (Democratic Congressional Campaign Committee) and DNC, it still leaves many questions unanswered. In addition, the indictment itself raises new questions. So, here is what we still need to know to get to the truth.

1. Why didn’t the FBI or other intelligence agencies look at the hacked servers?

Like it or not, Donald Trump is right to ask this question. If you were diagnosed with a serious illness, wouldn’t you get a second opinion before undergoing treatment? Why wouldn’t the FBI want to confirm the findings of the private security firm CrowdStrike before investigating the hack? It seems like an obvious first step.

A number of answers have been given for this. The FBI claims it made several requests to see the servers, but the DNC refused it access. But if this was considered an issue of national security, couldn’t the FBI have demanded access? It seems to have given up without much of a fight.

For its part, the DNC claims it offered the FBI the opportunity to see the servers but that the FBI wasn’t interested. In the end, the FBI chose to take CrowdStrike’s word for the Russian intrusion.

Both stories may hold some truth. James Comey claimed that there was really no need to see the servers because the FBI had “upstream” information that the Russians had hacked the DNC. True, back in 2015, the FBI had warned both the DNC and the RNC that Russia would try to hack into their networks. Thus, when it looked like the Russians had eventually succeeded, the FBI was not surprised and probably felt no need to investigate further.

Another story is that the DNC did not want the FBI to see the servers because there was incriminating information on them. We know, from the documents that were later released, that the fix was in against Bernie Sanders. Then there was the Trump dossier. In addition, the DNC did not want the negative attention such an investigation would bring, as it was already feeling the backlash from the emails hacked from Hillary Clinton’s private server. Its ineptitude at protecting donor information could discourage financial contributions from supporters. Remember, until June 2016, the DNC did not realize that the stolen documents would be made public. Add to this the fact that many heads of the intelligence community assumed an inevitable Clinton victory, and one can understand why they did not want to rock the Clinton boat. Practically speaking, those who did might eventually lose their jobs when Clinton was elected.

Recently, some publications have claimed that the FBI did not need access to the servers because CrowdStrike had given them image files. That may be, but in this case we would have to believe that no files were deleted or tampered with before the images were created and turned over to the FBI.

2. How did the FBI identify these specific hackers?

What emerges most from the indictment is the U.S. intelligence community’s ability to follow the actions of the accused hackers. We can infer that the FBI had control of a server in Arizona used by the hackers to send the stolen documents on to their command and control (C&C) center. But how did they identify this particular server? Were they already following the cyber actions of these individuals? Did CrowdStrike find evidence of this when they examined the servers?

In the indictment, the Russian hackers are identified along with the positions they held in the Russian intelligence community. Information is also given on the roles they played in the DNC/DCCC hacks. But how did the intelligence community learn of these specific roles? Do they have malware within the Russian intelligence networks or do they have Russian informers working with them? These are important questions because, not knowing the answers, we are back to just believing whatever the intelligence community tells us.

3. The indictment includes much information on the hacking of Hillary Clinton campaign chairman John Podesta. My main question is: why was Podesta using a Gmail account for official communication? Who were those spear-phished at the DNC/DCCC? Did they all have Gmail accounts?

Hillary Clinton campaign chairman John Podesta was hacked because he had a Gmail account. He was sent to a fake site to change his password, and that password was captured by the hackers. Once his account was compromised, any of his contacts could be spear-phished. Why wasn’t he given, or forced to use, a DNC account? Many others within the DNC, such as Debbie Wasserman Schultz, also had Gmail accounts. How many of them were also hacked in this way? Did the FBI analyze these infected endpoints to gather information on the hackers?

The hackers compromised endpoints in the DCCC to hack into the DNC network. They then installed malware on the network to gather documents and data. What sort of cybersecurity did the DNC have that did not detect any of this activity? If the hackers were sophisticated enough to hide their activity, why were they so clumsy as to allow their identities to be traced? We now know that they used Tor to hide their IP addresses, so did the FBI have control of Tor?

4. How did the hackers manage to transfer so many gigabytes of data without being detected?

Many have suggested that the hack was an inside job, a leak. They claim that it would have been impossible to hack such data remotely because it would have taken too much time to transfer it. The timeframe for the movement of these documents is supposedly known, and only a local transfer (e.g. to a USB drive) would have been possible. Transferring gigabytes of data remotely in that time would have been impossible even at peak internet speeds, which were not available at that time.

The indictment seems to be aware of this objection and answers it by stating that the hackers “used a publicly available tool to gather and compress multiple documents on the DCCC and DNC networks.” What tool was that? How much was this data compressed to enable hackers to move it across the internet so quickly? Was this information available in the logs? Where are those logs anyway?

5. How were the hackers able to maintain their presence on the DNC and DCCC networks until October 2016?

Almost as soon as the hackers breached the DCCC network on April 12, 2016, they were into the DNC network. They installed X-Agent and X-Tunnel malware onto computers connected to both networks. Thereafter, they began harvesting data. And it did not end there. As the indictment states, “between on or about May 25, 2016 and June 1, 2016, the Conspirators hacked the DNC Microsoft Exchange Server and stole thousands of emails from the work accounts of DNC employees.” CrowdStrike came on the scene in May and almost at once concluded that Russia was behind the attack, but its accompanying report makes no mention of whether or not it purged the Russian malware from the network. The indictment makes it clear that it did not. It states that, “despite these efforts (by CrowdStrike), a Linux-based version of X-Agent, programmed to communicate with the GRU-registered domain linuxkrnl.net, remained on the DNC network until in or around October 2016.” So the hackers continued to hack the DNC and get information from it until the election.

The indictment also points out that “in or around September 2016, the Conspirators also successfully gained access to DNC computers hosted on a third-party cloud-computing service.” I believe this was Amazon’s AWS service. This is new information, but we know nothing of what, specifically, was stolen. Can we have some details?

6. What was the real goal of the hackers?

The indictment seems to indicate that the true purpose of the hacks was to sow discord between the Sanders and Clinton campaigns. They did not feel that Trump was a viable candidate. At that time, Julian Assange of Wikileaks wrote to the hacker known as Guccifer 2.0, “we think trump has only a 25% chance of winning against hillary . . . so conflict between bernie and hillary is interesting.” He wanted documents to prove that such a conflict existed and could be exploited. At this point in the campaign, Russian news media were clearly supporting Sanders’ ideology. They, like everyone else, also probably thought that Trump had little chance of gaining the nomination, let alone the presidency. They would, therefore, be supportive of anyone who supported Sanders, such as Wikileaks. The indictment agrees that the goal of the hackers was mainly to “interfere in the 2016 U.S. presidential election.” There is no information in the indictment to conclude that the hackers committed their breaches to help the Trump campaign.

7. Did the Russian government hack the DNC/DCCC?


Maybe. Even probably, but, in fact, I’m not really sure. Cybersecurity expert Brian Krebs stated in a post on the DNC hack that “based on what I’ve learned over the past decade studying Russian language, culture and hacking communities, my sense is that if the Russians were responsible and wanted to hide that fact — they’d have left a trail leading back to some other country’s door.” Didn’t CrowdStrike, even for a brief moment, wonder whether finding Russia in the DNC network so easily was too good to be true? Then again, they probably knew what the FBI expected them to find.

According to the indictment, the hackers did try to cover their tracks, but, somehow, the FBI, or, at least, CrowdStrike, found those tracks. So either the hackers did a bad job hiding their tracks or the real hackers wanted it to look like Russia was behind the hacks. But if not Russia, who would want to make it look like it was Russia? Maybe that should be the main question.

Given the information above, it is hard to imagine why the 2017 report on Russian influence in the 2016 election stated that the election of Donald Trump was the main goal of Russia and its hackers. However, the intelligence agencies behind this report did not completely agree on this point. The FBI and CIA claimed high confidence in the conclusion that Russia hacked the DNC to help Donald Trump, while the NSA was only moderately confident in this regard. Moderate confidence “means that the information is credibly sourced and plausible but not of sufficient quality or corroborated sufficiently to warrant a higher level of confidence.”

Julian Assange has always maintained that it was not Russia that hacked the DNC. He claims he has physical proof of this and, in fact, apparently offered this proof to the FBI in exchange for some sort of immunity deal. However, when given this opportunity, FBI Director James Comey apparently told those in contact with Assange to “stand down.” At least, this was the information delivered by Senator Mark Warner to Assange contact Adam Waldman.

Of course, it is also possible that Assange only believes he has proof. He could equally have been fooled through obfuscation techniques. And that’s really the point. There’s a lot of information in the indictment, but it fails to come together into a cohesive package that leaves no doubt about who was really behind these hacks and what their actual purpose was. If everyone involved in this investigation (the intelligence agencies, the DNC, and Assange) would agree to work together, maybe we’d finally get to the bottom of this. But I can’t really say I see much hope that this will ever happen, especially since the DNC just filed a lawsuit, via Twitter, against Wikileaks.

About Steve Mierzejewski

Marketing consultant for InZero Systems, developer of the next generation in hardware-separated security, WorkPlay Technologies, TrustWall and Mobile bare-metal virtualization. I've worked in Poland, Japan, Korea, China, and Afghanistan. I'm a writer, technical editor, and an educator.
