The DNC Hacker Indictment: A Lesson in Failed Misattribution
When reading the Mueller indictment of the Russian DNC hackers, I was stunned to see just how much visibility the US had into the hackers’ operations. In my recent SecurityWeek article, I examine the hackers’ attempts to obfuscate their activities, and discuss what particular actions led to misattribution failure.
The hackers made eight different kinds of misattribution operational security (OPSEC) errors in the course of their attacks that exposed their fake identities: account reuse, IP / computer reuse, known malware phylogeny, identifying metadata, writing style, financial tracing, late timing, and forgetting to use their tools.
The Russian hackers needed to achieve three goals for their misattribution efforts to be effective. First, they needed to hide the fact that Russia was involved in the activity at all. Second, they wanted Guccifer 2.0, the “hacker”, to be seen to be a Romanian lone wolf. Third, they wanted the DCLeaks website, which released the stolen documents, to appear to be run by American hacktivists who were completely independent of the hacker. All three goals were completely undermined by a collection of small, separate mistakes in misattribution.
The hackers used malware known to the security community as associated with the Russian government. Additionally, they selected servers within the United States to interact with the malware. This allowed the FBI to surveil, tap, and obtain search warrants against those servers, ultimately finding that the hackers had initially connected to them directly from the GRU.
Other telling OPSEC errors were fairly simple in indicating a Russian origin. The phishing emails that compromised the DNC and DCCC computers were sent from a Russian email service. Some of the actual leaked PDF documents contained metadata for a computer configured in the Russian language. The largest piece of evidence was the visible connections between Guccifer 2.0 and the DCLeaks operation. The Russians accessed both the Guccifer 2.0 WordPress site and DCLeaks.com from a common set of servers and IP addresses.
For a complete list and a more detailed look at the various misattribution failures made by the Russian hackers, you can read the full article in SecurityWeek.
This case shows just how difficult it is to maintain a false identity in the face of a highly resourced and motivated opponent. Every path for identification needs to be covered with 100 percent consistency. Small mistakes in OPSEC, tool use, timing, and language can snowball into complete exposure.