When I was serving in cybersecurity in the Department of Defense, the main lesson I learned was that you can never truly achieve a high level of confidence in who is attacking you without the triangulation of multiple intelligence sources. The nation-state actors our team investigated were very adept at obfuscating their activities through multiple command and control nodes shared by a variety of actors. After leaving military service I joined an incident response team, where I learned that threat actors not only used the command and control nodes of others but also used "open source" malware and frameworks to further hide their identities.
This is why I am always skeptical when I see that a particular threat actor has been identified, as in the case of the recent DNC hacking event. Much of the public case for attribution rests on the analysis that CrowdStrike provided to the DNC. Other companies, such as SecureWorks, have provided additional "bread crumbs" that point the finger at actors affiliated with the Russian government.
However, when you look closely at the evidence that both of these outstanding organizations found in their investigations, all of it could potentially be "false flags," planted by an advanced targeted threat actor emulating the capabilities of these supposed Russian actors. The CrowdStrike investigation linked the Fancy Bear actors by establishing that some of the tools and tactics used against the Ukrainian Army were also used in the DNC email breach. Many skeptics are now challenging the CrowdStrike findings as incorrect, citing false assumptions and the widespread availability of the tools used.
SecureWorks uncovered an account used to shorten a URL in one of the phishing emails sent to the DNC victim that was also tied to actors associated with Russia. While that is compelling evidence, in the back of my mind I wonder why a sophisticated threat actor would make such a rookie mistake. Planted clues are not hypothetical: for example, there have been recent reports of malware containing Chinese and Russian language strings that make no sense to a native speaker of those languages, apparently placed by the actor to obfuscate their true identity.
At the end of the day, the public case that Russian influence is behind the activity at the DNC has a few holes, but our government, on both sides of the political aisle, seems to be very sure of that conclusion. In my experience, the US government has many sources of intel and is unlikely to be counting on just the forensic evidence provided publicly by security vendors and other researchers. I suspect there is a high probability that other classified sources point to Russian attribution and cannot be made public.
Based on sheer faith, I will take our government at its word, but this incident shows just how weak our ability to properly attribute cyber threat activity actually is. I once told a reporter, "Can you imagine if you could jump into someone else's skin and rob a bank? It would be difficult to name the true perpetrator. And, unfortunately, that is what it is like when trying to figure out attribution in cyberspace."