A cyber security firm hired by the Democratic National Committee announced on Monday that two groups affiliated with Russian intelligence were responsible for infiltrating the Democrats’ network and stealing a ream of confidential election-related information.
Two days later, a hacker claiming to be acting as a lone wolf, who said he was unaffiliated with the Russians and called himself “Guccifer 2.0,” leaked what appeared to be a 200-page document consisting of largely unsurprising opposition research on Donald Trump.
The leak called into question who, exactly, had been responsible for the hack on the Democratic headquarters.
If it was really the Russians, as the DNC’s cyber security firm, CrowdStrike, claimed, who was this Guccifer 2.0 figure? (The name harkens back to an actual Romanian lone wolf who hacked the Bush family, among others, and is now in a jail in Virginia.) Had the DNC’s cyber team misattributed the breach to the wrong group? Had it failed to detect a different breach that had successfully stolen more confidential information?
Then, on Thursday, a flurry of articles in the tech media threw a curve ball: Several cyber security experts suggested that perhaps Guccifer 2.0 was only claiming to be acting independently, in an elaborate effort to cast doubt on CrowdStrike’s assertion that the Russians had been behind the breach.
Meanwhile, to add further to the fog of cyberwarfare, Republican presumptive nominee Donald Trump raised the possibility on Wednesday that the Democrats had pretended to hack their own network in an effort to leak negative stories on Trump to the press. “Maybe they weren’t hacked; maybe they just want to get it out there,” Trump mused in an interview with Greta Van Susteren on Fox News. (That seems unlikely as the alleged oppo research on Trump released so far was mostly based on previously published articles voters could already find themselves on Google. The document featured chapters like “Trump has no core” and “Trump is a liar.”)
In the shrill and contorted media environment of an election year, unraveling this tangle of finger-pointing could have serious political implications.
If the hackers do indeed turn out to be Russian, it’s confirmation that a powerful foreign state is seeking to influence, or at least spy on, domestic U.S. politics.
If the hackers turned out to be politically-motivated domestic actors, American voters—not to mention the Clinton and Trump campaigns—could expect more potentially unsavory documents to surface before Election Day. For example, in addition to claiming responsibility for the DNC hack, the Guccifer 2.0 hacker also bragged about having access to documents from presumptive Democratic nominee Hillary Clinton’s State Department computer and to Democratic donors’ financial information. If those claims are true—and huge emphasis on that “if”—it could be a game-changer in an already-historical strange election year.
Alternatively, if the hackers turn out to be random ne’er–do–wells out for a thrill, the immediately implications on U.S. electoral politics might be more limited, but raise disturbing questions about the security of all political communications.
As of now, the question of who, exactly, is behind the DNC hack, as well as possibly related hacks on Republican political groups, and both Hillary Clinton and Trump’s networks, remains a question mark.
What top U.S. technologists know for sure is that at least two groups of hackers were willing to take a major risk—and make a substantial investment—to access the DNC’s network. Who is behind the attacks remains unclear—and, unfortunately, a satisfying answer isn’t likely to come any time soon.
“Attribution is incredibly difficult—I wouldn’t say impossible, but it’s very difficult,” Nathaniel Gleicher, the head of cybersecurity strategy at Illumio, told TIME. “Investigations like this do not wrap up quickly and often do not wrap up at all because it’s very hard to tell where they came from.”
Amit Yoran, the president of the cybersecurity firm RSA was also noncommittal on whether there’d ever be a smoking gun.
“I think attribution is one of those topics that people like to rush to because it makes for sexier reporting—you want to make a meaningful story for non-technologists,” he told TIME. “Saying you know who was responsible makes for a very compelling story. But it’s also very hard to do well in the cyber domain, especially over a short period of time with a sophisticated actor.”
Gleicher, who served as director for cybersecurity policy on the National Security Council at the White House, added that this particular case might be especially tricky since the perpetrators were apparently hiding in the DNC’s system for a long time.
CrowdStrike, the cyber security firm hired by the DNC, reported that at least one of two groups of hackers that breached the DNC’s network had been in the system since last summer.
“Because they were in there so long, it’s going to be very hard to unwind everything, to track back to reality,” Gleicher said.
Reg Harnish, the CEO of GreyCastle Security, a New York-based cybersecurity company, says he’s doubtful that Crowdstrike’s investigation—and its determination that the Russians are to blame—is the “end of the story.”
“I’ve been personally involved in hundreds of these investigations, and you just don’t end up in the same place where you began,” he told TIME. This particular case, he said, is complicated by “all the politicking going on.”
“You have people being politically correct or outright lying,” Harnish added. “I think there’s a lot of misinformation out there right now.”
Scott Borg, the head of the U.S. Cyber Consequences Unit, echoed the skepticism. “Our best guess is that the second (and apparently less skillful) of the two intruders was not Russian intelligence,” he told Politico on Thursday.
“We are also uncertain about the first group,” he added.
CrowdStrike said in a blog post Monday that there were two distinct breaches of the DNC’s network. One group of hackers, which CrowdStrike called Cozy Bear, was in the network since summer 2015, and largely monitoring the DNC’s email and chat communications.
The other, which the firm named Fancy Bear, triggered alarm bells when it broke into the network in late April, targeting opposition research files on Trump, CrowdStrike said.
In a statement sent to TIME, CrowdStrike defended its assessment that the DNC had been breached by hackers affiliated with the Russian intelligence community.
“CrowdStrike stands fully by its analysis and findings identifying two separate Russian intelligence-affiliated adversaries present in the DNC network in May 2016,” the statement said. It then acknowledged Guccifer 2.0’s claims to have accessed the DNC’s network and said it was “exploring the documents’ authenticity and origin.”
“Regardless, these claims do nothing to lessen our findings relating to the Russian government’s involvement,” the CrowdStrike statement said.
The DNC would not reply to several emails and voicemails from TIME asking whether the organization had notified the Federal Bureau of Investigation or another federal law enforcement agency.
The FBI would neither confirm or deny that it was investigating the breach. A spokeswoman at CrowdStrike said she had not heard of the firm collaborating with any federal investigation.
“It would surprise me if they did not get international law enforcement or the intelligence community involved with this case,” Yoran said. “It’s dealing with potentially extremely sensitive information that would have a great impact on U.S. policy.”