Why the latest theory about the DNC not being hacked is probably wrong

A forensic report claiming to show that a Democratic National Committee insider, not Russia, stole files from the DNC is full of holes, say cybersecurity experts. 

“In short, the theory is flawed,” said FireEye’s John Hultquist, director of intelligence analysis at FireEye, a firm that provides forensic analysis and other cybersecurity services. 

“The author of the report didn’t consider a number of scenarios and breezed right past others. It completely ignores all the evidence that contradicts its claims.”

{mosads}The theory behind the report is that it would have been impossible for information from the DNC to have been hacked due to upload and download speeds.  

The claims have slowly trickled through the media, finding backers at the right -wing site Breitbart in early June. Last week, the left-wing magazine The Nation published a 4,500-word story on the allegations.

The claims are based on metadata from the files, which were leaked by their purported hacker, Guccifer 2.0, during the 2016 election season. 

When files are copied to a new device, the metadata can record the time each file finishes being duplicated as the time it was “last modified.” 

A blogger named “The Forensicator” analyzed the “last modified” times in one set of documents released by Guccifer 2.0. Based on the size of the documents and the times they were downloaded, Forensicator calculated that a hacker was able to copy the files at a speed of more than 20 megabytes per second. 

That is faster than consumer internet services in the United States can upload documents.

As a result, Forensicator concluded that the documents could not have been copied over the internet. Instead, someone with physical access to the network must have copied them in person to a USB drive, the blogger concluded. 

“This theory assumes that the hacker downloaded the files to a computer and then leaked it from that computer,” said Rich Barger, director of security research at Splunk. 

But, said Barger and other experts, that overlooks the possibility the files were copied multiple times before being released, something that may be more probable than not in a bureaucracy like Russian intelligence. 

“A hacker might have downloaded it to one computer, then shared it by USB to an air gapped [off the internet] network for translation, then copied by a different person for analysis, then brought a new USB to an entirely different air gapped computer to determine a strategy all before it was packaged for Guccifer 2.0 to leak,” said Barger.

Every time the files were copied, depending on the method they were transmitted, there would be a new chance for the metadata to be changed. 

Hultquist said the date that Forensicator believes that the files were downloaded, based on the metadata, is almost definitely not the date the files were removed from the DNC. 

That date, July 5, 2016, was far later than the April dates when the DNC hackers registered “electionleaks.com” and “DCLeaks.com.” Hulquist noted that the DNC hackers likely had stolen files by the time they began determining their strategy to post them. 

The July date is also months after the DNC brought in FireEye competitor CrowdStrike to remove the hackers from their network and well after Crowdstrike first attributed the attack to Russia. 

With increased scrutiny on the network, it would be a high-risk way to remove files. And if an insider removed files from the DNC on July 5, it could just as likely be a second, unrelated attack to the Russian one. 

Even if there were no other scenarios that would create the same metadata, experts note that metadata is among the easiest pieces of forensic evidence to falsify. It would be far more difficult to fabricate other evidence pointing to Russia, including the malware only known to be used by the suspected Russian hackers, and internet and email addresses seen in previous attacks by that group.

Forensicator’s claim that 20 to 25 megabyte per second downloads would be impossible over the internet also raised eyebrows. 

John Bambenek, threat systems manager at the security firm Fidelis, noted that while home internet, where uploads are much slower than downloads, would not allow that speed, corporate and cloud networks could do so.

The DNC would not provide details about its upload speeds in July of 2016.

Proponents of the Forensicator theory have accused CrowdStrike co-founder Dmitri Alperovitch of being biased against Russia, negating his firm’s analysis. 

But CrowdStrke was not the only firm to conclude Russia was behind the attack. 

Other companies independently discovered evidence that linked the attacks to the same culprit. SecureWorks found an improperly secured URL shortening account used by Fancy Bear while investigating other attacks by the group. That account contained evidence of nearly 4,000 phishing attacks Fancy Bear waged against Gmail addresses — the attack that ensnared Hillary Clinton campaign chairman John Podesta’s email account among them. 

In the end, Fidelis, FireEye, SecureWorks, Threat Connect and other CrowdStrike competitors all confirmed Crowdstike’s results.

The intelligence community, including the CIA, FBI and NSA, also claims to have evidence the attacks were coordinated by Moscow, though they have not released their evidence to the public.

“I find it interesting that people are so eager to believe that Dmitri Alperovitch is biased, but willing to accept the forensics of an anonymous blogger, with no reputation, that no one knows anything about,” said Hultquist.

The cybersecurity industry is not shy about shaming competitors for spurious research. Companies have gone out of business after high-profile reports were disproven. 

“This industry loves to eat itself up. If you get something wrong, your peers will tell you,” said Barger. 

“When this many brands agree on something, come together to provide several different aspects of the attack, sometimes it’s true.”