A poorly kept secret

Strong evidence for Russia’s U.S. election interference was already provided by the private sector

On Friday afternoon, the Office of the Director of National Intelligence released a declassified report that found Russian President Vladimir Putin initiated an “influence campaign” aimed at the 2016 U.S. election. But strong evidence of Russian involvement in the election has actually been publicly available for months — from the private sector.

Many people, most notably President-elect Donald Trump, have suggested that evidence Russia was behind the email hacks is as questionable as the 2003 intelligence assessments that Iraq had weapons of mass destruction. But this ignores reality. Robert M. Lee, founder of cybersecurity firm Dragos, explained that there is a much higher level of confidence in Friday’s intelligence assessment than there was in the WMD assessment 14 years ago, and for good reason.

Imagine if in 2003, the International Atomic Energy Agency had gone into Iraq and actually found nuclear weapons, instead of what actually happened, which is that it found “no smoking guns.” That’s akin to what we have today regarding Russia, except instead of the IAEA, it’s several private cybersecurity firms.

“If you’ve been following along, all the evidence that matters is already public,” Lee has said. It’s just a matter of finding and understanding it. Lee has argued that a joint FBI/DHS report on Russian hacking released in December was flawed and confusing, making the case for Russian involvement look much weaker than it actually is.

It’s private security experts, not the government, that have been providing more useful information. Thomas Rid, a professor at King’s College London, wrote an excellent run-down for Motherboard of the evidence Russia was behind the DNC hack. His analysis was based on a technical report by CrowdStrike, which was in turn confirmed by two competing firms, Mandiant and Fidelis.

But Rid’s article also highlights another way the Russian hacking evidence is different from the 2003 WMD evidence: it’s harder for most people to understand. The false claim that Iraq tried to buy material to build a nuclear weapon is much easier to conceive in your brain than something like this:

In late March the attackers registered a domain with a typo—misdepatrment[.]com—to look suspiciously like the company hired by the DNC to manage its network, MIS Department. They then linked this deceptive domain to a long-known APT 28 so-called X-Tunnel command-and-control IP address, 45.32.129[.]185.

Something that’s a little bit easier for your average internet user to understand is the evidence that Russia successfully phished Clinton campaign chair John Podesta. He got an email purporting to be from Google saying his password needed to be reset by clicking a link. As Lorenzo Franceschi-Bicchierai explained in Motherboard in October:

The phishing email that Podesta received on March 19 contained a URL, created with the popular Bitly shortening service, pointing to a longer URL that, to an untrained eye, looked like a Google link….

Inside that long URL, there’s a 30-character string that looks like gibberish but is actually the encoded Gmail address of John Podesta. According to Bitly’s own statistics, that link, which has never been published, was clicked two times in March.

That’s the link that opened Podesta’s account to the hackers.
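The two indicators quoted above, a typo-squatted domain and a shortened link whose path carries the victim’s encoded address, are the kind of thing a mail-security team checks for automatically. The following is an added example, not code from the article or from any of the firms it cites: misdepartment.com is an assumed spelling of the contractor’s real domain (the article gives only the lookalike), and the sample URL and address are constructed.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Trusted domains; misdepartment.com is an ASSUMED spelling of the DNC
# contractor's real domain (the article gives only the lookalike).
LEGIT_DOMAINS = ["misdepartment.com", "accounts.google.com", "google.com"]
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Constructed sample: a lookalike host whose path carries the victim's
# base64url-encoded address, as the article describes for the Podesta lure.
SAMPLE_EMAIL = "target.user@example.com"
_TOKEN = base64.urlsafe_b64encode(SAMPLE_EMAIL.encode()).decode().rstrip("=")
SAMPLE_URL = f"https://misdepatrment.com/ServiceLogin/{_TOKEN}?continue=1"

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small non-zero value suggests a typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(host: str, max_dist: int = 2):
    """Return the legitimate domain `host` imitates, or None if exact or unrelated."""
    host = host.lower().rstrip(".")
    for legit in LEGIT_DOMAINS:
        if host == legit:
            return None  # the genuine domain, not a lookalike
        if edit_distance(host, legit) <= max_dist:
            return legit
    return None

def decode_embedded_email(url: str):
    """Find a base64url token in the path or query that decodes to an e-mail address."""
    parts = urlsplit(url)
    tokens = [seg for seg in parts.path.split("/") if seg]
    for values in parse_qs(parts.query).values():
        tokens.extend(values)
    for tok in tokens:
        try:  # re-add the '=' padding that link builders often strip
            text = base64.urlsafe_b64decode(tok + "=" * (-len(tok) % 4)).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # not base64, or not text: skip this segment
        if EMAIL_RE.match(text):
            return text
    return None
```

Running `lookalike_of` and `decode_embedded_email` over a reported link tells the responder both which brand is being imitated and which mailbox was the intended target.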

That email was released by WikiLeaks, and you can see the Bitly link in it. WikiLeaks founder Julian Assange, dismissing connections to Russia, suggested a “14-year-old” could have created the link. Except the hackers forgot to set their Bitly accounts to private, and the accounts responsible for that link are connected to the command-and-control domains of Fancy Bear, a hacking group believed by CrowdStrike to be connected to Russian intelligence.

“Researchers saw Fancy Bear using 213 short links targeting 108 email addresses on the hillaryclinton.com domain,” Motherboard explains.

Explaining a URL shortener to someone like Trump whose ability to use a computer — though not a phone — has been brought into question would be difficult. This was the task faced by intelligence officials briefing Trump on Friday. And based on his statement afterwards, Trump did not appear to be very moved by their assessment.