The DNC Hack: Dangers of Playing the Nation State Blame Game

UPDATE: Someone claiming to be responsible for the DNC breach has released the Trump opposition file to Gawker and mocked CrowdStrike, according to the Salted Hash blog:

"The main part of the papers, thousands of files and mails, I gave to WikiLeaks. They will publish them soon. I guess CrowdStrike customers should think twice about company’s competence," they wrote.

CrowdStrike's response to Salted Hash referred to a "Russian Intelligence Disinformation Campaign" and said that the company stands by its finding of Russian government involvement.

On June 14, the Washington Post reported that the Democratic National Committee had suffered a breach of their network by Russian hacker groups who stole the DNC's opposition research on Donald Trump. The Post's headline read "Russian Government Hackers penetrated DNC ..."

I trust CrowdStrike's judgment that the hackers were Russian-speaking, but were they employed by competing Russian intelligence services, as CrowdStrike maintains? The truth is that no one knows for sure. CrowdStrike merely believes that they are. Here's the essential argument that Dmitri Alperovitch made in his blog post:

  1. Fancy Bear and Cozy Bear appeared to work separately from each other in the DNC network without being aware of the other's presence. 
  2. Russian intelligence services (GRU, SVR, FSB) compete with each other.
  3. The group Fancy Bear "may be affiliated" with the GRU.
  4. Therefore Cozy Bear must be affiliated with the FSB or SVR.

I'm embarrassed to say that this kind of logic is par for the course in the crazy world of cyber threat intelligence. When it comes from a company with the size and reputation of CrowdStrike, it isn't questioned in national policy circles. It's accepted as fact. Soon it will appear as a footnote in some academic's article about "nation state cyber war". The FBI's database will be updated without any critical examination of the data. 

And should a more serious cyber event occur at any point in the future that even smells like Fancy Bear or Cozy Bear, it'll be declared an attack by the Russian government and a diplomatic incident could occur, even though the Kremlin may have had nothing to do with it. 

The truth is that there's no way, using digital forensics alone, to differentiate between a skillful and well-paid Russian-speaking mercenary hacker group working on its own and equally skilled Russian hackers employed by the FSB. The indicators that attribution typically rests on, such as the language settings in compiled malware, working-hours timestamps, and reused tooling and infrastructure, are all things a well-resourced private group can exhibit, borrow, or forge just as readily as a state service. And something as simple as responsible attribution would go a long way towards avoiding unnecessary diplomatic tensions between governments.