You are probably not on the list of people who have access to the classified evidence regarding the massive influence operation that targeted the 2016 U.S. presidential campaign. Most who have, including President Barack Obama, Republican Senate Majority Leader Mitch McConnell, Republican Senate Armed Services Committee Chairman John McCain, and pretty much every Democrat in Washington D.C., believe the U.S. intelligence community, which has concluded with “high confidence” that the operation was directed by Russia. A distinct minority, a handful really, including Donald Trump, say the evidence is inconclusive and the intelligence community is wrong.
If you’re unwilling to trust either camp, or if you want to find out if one side is acting in bad faith, you have little public information on which to form your own opinion. So how can a citizen decide whether Russia just tried to undermine the core exercise of American democracy or even, as the CIA has reportedly concluded, tried to get Donald Trump elected?
Beyond the statements of the public figures above, the only real evidence comes from the analyses of private cybersecurity firms that track and defend against hackers, often in concert with the FBI, NSA and other government agencies.
One, CrowdStrike, was called in by the Democratic National Committee to analyze the hack against their computer system last April. With the DNC’s permission, CrowdStrike then posted details of what it had found. Attribution of hackers, whether by intelligence services or private firms, is a particular discipline. Much of it relies on signature methods used by the hackers, specific pieces of code, and distinguishing behavior.
CrowdStrike’s co-founder, Dmitri Alperovitch, uncovered evidence that two groups of Russian hackers, which he had named Cozy Bear and Fancy Bear, had been behind the DNC hack. Cozy Bear used a tool called SeaDaddy that allowed it to stealthily exfiltrate information from a victim’s computer. The tool was almost identical to another exfiltration tool previously identified by Symantec as belonging to the group of Russian hackers known to have operated at the behest of Russia’s FSB, a main successor agency to the KGB.
CrowdStrike also found the other group of hackers, Fancy Bear, was sending command and control instructions from a server with an Internet Protocol (IP) address of 220.127.116.11. This was the same IP address that was linked to command and control of an attack against the German parliament in 2015. The DNC attacker also used a special program to open a communication channel with the command and control server that was identical in form and function to the one used in the German hack. Microsoft had previously identified the communication program as belonging to Fancy Bear, which Microsoft had named “Strontium” at the time.
CrowdStrike’s analysis includes other evidence of Russian connections. One of the elements of a truly advanced hack is that it opens, and keeps open, a hidden communication channel with the hacked network, allowing the attackers to keep avoiding detection while finding and stealing information in other parts of the compromised computer network. In the DNC hack, the software that opened the hidden communication channel was a piece of software known to have been used by Fancy Bear.
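The attribution reasoning in the paragraphs above comes down to overlap: a command-and-control address already seen in an earlier attributed incident, a tool almost identical to one a vendor had tied to a known group, a communication program previously catalogued under another vendor's name for the same actor. The following script, added here as an illustration and not CrowdStrike's or any vendor's code, shows how a defender can make that kind of overlap explicit and score it, with shared infrastructure and shared tooling weighted more heavily than a technique that many unrelated actors use. Every campaign name, actor label, IP address, tool family and weight in it is constructed for the example (the addresses come from reserved documentation ranges); none is a real indicator.

```python
"""Indicator-overlap scoring: a worked illustration of the attribution
technique the article describes (matching a new intrusion's infrastructure,
tooling and behaviour against previously attributed campaigns).

Every campaign name, actor label, indicator value and weight here is
CONSTRUCTED for the example; none of it is CrowdStrike's data or a real IoC.
"""
from dataclasses import dataclass

# Evidential weight per indicator type (constructed, illustrative). Shared
# command-and-control infrastructure and shared custom tooling are strong
# signals; a technique such as spearphishing is used by many unrelated actors
# and counts for little on its own.
WEIGHTS = {"c2_ip": 3.0, "tool_family": 3.0, "technique": 1.0}
MIN_SCORE = 3.0  # below this total, report no attribution at all


@dataclass
class Campaign:
    name: str
    actor: str
    indicators: dict  # indicator type -> set of observed values


# Constructed library of earlier, already-attributed campaigns.
LIBRARY = [
    Campaign("parliament-2015", "Actor A", {
        "c2_ip": {"192.0.2.10"},
        "tool_family": {"implant-x"},
        "technique": {"spearphish", "script-loader"},
    }),
    Campaign("ministry-2014", "Actor B", {
        "c2_ip": {"198.51.100.7"},
        "tool_family": {"dropper-y"},
        "technique": {"spearphish"},
    }),
]


def overlap(observed: dict, prior: Campaign) -> dict:
    """Indicator values shared between a new intrusion and one prior campaign, by type."""
    return {t: observed.get(t, set()) & prior.indicators.get(t, set()) for t in WEIGHTS}


def campaign_score(observed: dict, prior: Campaign) -> float:
    """Weighted count of indicators the new intrusion shares with a prior campaign."""
    return sum(WEIGHTS[t] * len(vals) for t, vals in overlap(observed, prior).items())


def attribute(observed: dict, library=LIBRARY, min_score=MIN_SCORE) -> dict:
    """Rank candidate actors by total overlap across their prior campaigns.

    Returns the top actor (or None), a confidence label and the ranked evidence.
    'moderate' requires at least one strong indicator type (infrastructure or
    tooling) in common; matches on technique alone never exceed 'low'.
    """
    per_actor = {}
    for camp in library:
        s = campaign_score(observed, camp)
        if s > 0:
            per_actor.setdefault(camp.actor, []).append((camp.name, s, overlap(observed, camp)))
    ranked = sorted(
        ((actor, sum(s for _, s, _ in hits), hits) for actor, hits in per_actor.items()),
        key=lambda row: -row[1],
    )
    if not ranked or ranked[0][1] < min_score:
        return {"actor": None, "confidence": "none", "ranked": ranked}
    top_actor, _, hits = ranked[0]
    strong = any(ov["c2_ip"] or ov["tool_family"] for _, _, ov in hits)
    return {"actor": top_actor, "confidence": "moderate" if strong else "low", "ranked": ranked}


# Constructed indicators from a hypothetical new intrusion: one C2 address and
# the tool family are reused from the constructed parliament-2015 campaign.
NEW_INTRUSION = {
    "c2_ip": {"192.0.2.10", "203.0.113.5"},
    "tool_family": {"implant-x"},
    "technique": {"spearphish"},
}
# Constructed intrusion that shares only a widely used technique: not attributable.
TECHNIQUE_ONLY = {"technique": {"spearphish"}}

if __name__ == "__main__":
    for label, obs in (("new intrusion", NEW_INTRUSION), ("technique only", TECHNIQUE_ONLY)):
        result = attribute(obs)
        print(f"{label}: actor={result['actor']} confidence={result['confidence']}")
        for actor, total, hits in result["ranked"]:
            print(f"  {actor}: {total:.1f} via {[h[0] for h in hits]}")
```

The second sample input is the caveat the article's "close to as good as it gets" framing leaves implicit: an intrusion that only shares a spearphishing technique with two prior campaigns ties both candidate actors at a score below the threshold and yields no attribution, whereas reuse of a C2 address plus a known tool family lifts one actor clearly above the rest and earns only a moderate, not a definitive, label.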
Subsequent analyses by other private firms found other evidence that Russia was behind the hack. And as the attacks broadened over the course of the 2016 campaign to include the DCCC and the email of Hillary Clinton’s campaign chief, John Podesta, private firms found evidence linking the new hacks back to the DNC hack.
The private firms admit their open source evidence is not conclusive, but say in the world of cyber-attribution, this is close to as good as it gets. Those familiar with the classified evidence say there is even more convincing information that has not been released. President Obama has ordered a review of the influence operation, the results of which will be released before he steps down on Jan. 20, 2017.