For one, a lot of the so-called evidence above is no such thing. CrowdStrike, whose claims of Russian responsibility are perhaps most influential throughout the media, says
APT 28/Fancy Bear “is known for its technique of registering domains that closely resemble domains of legitimate organizations they plan to target.”
But this isn’t a Russian technique any more than using a computer is a Russian technique — misspelled domains are a cornerstone of phishing attacks all over the world. Is Yandex — the Russian equivalent of Google — some sort of giveaway? Anyone who claimed a hacker must be a CIA agent because they used a Gmail account would be laughed off the internet.
We must also acknowledge that just because Guccifer 2.0 pretended to be Romanian, we can’t conclude he works for the Russian government — it just makes him a liar.
Next, consider the fact that CrowdStrike describes APT 28 and 29 like this:
Their tradecraft is superb, operational security second to none and the extensive usage of “living-off-the-land” techniques enables them to easily bypass many security solutions they encounter. In particular, we identified advanced methods consistent with nation-state level capabilities including deliberate targeting and “access management” tradecraft — both groups were constantly going back into the environment to change out their implants, modify persistent methods, move to new Command & Control channels and perform other tasks to try to stay ahead of being detected.
Compare that description to
CrowdStrike’s claim it was able to finger APT 28 and 29, described above as digital spies par excellence, because they were so incredibly sloppy. Would a group whose “tradecraft is superb” with “operational security second to none” really leave behind the name of a Soviet spy chief imprinted on a document it sent to American journalists?
Would these groups really be dumb enough to leave cyrillic comments on these documents? Would these groups that “constantly [go] back into the environment to change out their implants, modify persistent methods, move to new Command & Control channels” get caught because they precisely didn’t make sure not to use IP addresses they’d been associated before? It’s very hard to buy the argument that the Democrats were hacked by one of the most sophisticated, diabolical foreign intelligence services in history, and that we know this because they screwed up over and over again.
But
how do we even know these oddly named groups are Russian? CrowdStrike co-founder Dmitri Alperovitch himself describes APT 28 as a “Russian-based threat actor” whose modus operandi “closely mirrors the strategic interests of the Russian government” and “may indicate affiliation [Russia’s] Main Intelligence Department or GRU, Russia’s premier military intelligence service.”
Security firm SecureWorks issued a report blaming Russia with “moderate confidence.” What constitutes moderate confidence? SecureWorks said it adopted the “grading system published by the U.S. Office of the Director of National Intelligence to indicate confidence in their assessments. …
Moderate confidence generally means that the information is credibly sourced and plausible but not of sufficient quality or corroborated sufficiently to warrant a higher level of confidence.” All of this amounts to a very educated guess, at best.
Even the claim that APT 28/Fancy Bear itself is a group working for the Kremlin is speculative, a fact that’s been completely erased from this year’s discourse. In its 2014 reveal of the group, the high-profile security firm FireEye couldn’t even blame Russia without a question mark in the headline: “APT28: A Window into Russia’s Cyber Espionage Operations?” The blog post itself is remarkably similar to arguments about the DNC hack: technical but still largely speculative, presenting evidence the company “[believes] indicate a government sponsor based in Moscow.” Believe! Indicate! We should know already this is no smoking gun.
FireEye’s argument that the malware used by APT 28 is connected to the Russian government is based on the belief that its “developers are Russian language speakers operating during business hours that are consistent with the time zone of Russia’s major cities.”
As security researcher Jeffrey Carr pointed out in June,
FireEye’s 2014 report on APT 28 is questionable from the start:
To my surprise, the report’s authors declared that they deliberately excluded evidence that didn’t support their judgment that the Russian government was responsible for APT28’s activities:
“APT28 has targeted a variety of organizations that fall outside of the three themes we highlighted above. However, we are not profiling all of APT28’s targets with the same detail because they are not particularly indicative of a specific sponsor’s interests.” (emphasis added)
That is the very definition of confirmation bias. Had FireEye published a detailed picture of APT28’s activities including all of their known targets, other theories regarding this group could have emerged;
for example, that the malware developers and the operators of that malware were not the same or even necessarily affiliated.
The notion that APT 28 has a narrow focus on American political targets is undermined in another SecureWorks paper, which shows that the
hackers have a wide variety of interests: 10 percent of their targets are NGOs, 22 percent are journalists, 4 percent are aerospace researchers, and 8 percent are “government supply chain.” SecureWorks says that only 8 percent of APT 28/Fancy Bear’s targets are “government personnel” of any nationality — hardly the focused agenda described by CrowdStrike.
Truly, the argument that “Guccifer 2.0″ is a Kremlin agent or that GRU breached John Podesta’s email only works if you presume that APT 28/Fancy Bear is a unit of the Russian government, a fact that has never been proven beyond any reasonable doubt. According to Carr, “
it’s an old assumption going back years to when any attack against a non-financial target was attributed to a state actor.”
Without that premise,
all we can truly conclude is that some email accounts at the DNC et al. appear to have been broken into by someone, and perhaps they speak Russian. Left ignored is the mammoth difference between Russians and Russia.
Security researcher Claudio Guarnieri put it this way:
[Private security firms] can’t produce anything conclusive. What they produce is speculative attribution that is pretty common to make in the threat research field. I do that same speculative attribution myself, but it is just circumstantial. At the very best it can only prove that the actor that perpetrated the attack is very likely located in Russia. As for government involvement, it can only speculate that it is plausible because of context and political motivations, as well as technical connections with previous (or following attacks) that appear to be perpetrated by the same group and that corroborate the analysis that it is a Russian state-sponsored actor (for example, hacking of institutions of other countries Russia has some geopolitical interests in).
Finally, one can’t be reminded enough that all of this
evidence comes from private companies with a direct financial interest in making the internet seem as scary as possible, just as Lysol depends on making you believe your kitchen is crawling with E. Coli.
full article:
https://theintercept.com/2016/12/14/heres-the-public-evidence-russia-hacked-the-dnc-its-not-enough/