Trump, Russia and the media – The hacking of the Democratic party and private cybersecurity companies (part 1)

For several months, allegations that Russia interfered in the US presidential election to help Trump, as well as claims that Trump and some of his associates have ties with Russia, have been all over the media. They are repeated so constantly that, at this point, there are no doubt millions of Americans who believe that something is going on. And, if you ask me, they are right that something is going on, it’s just not what most of them think. In this post, I examine the evidence that is publicly available about those allegations, which I find to be severely lacking. Depending on the allegation, it ranges from clearly insufficient, given the standard of proof that I argue should be required, to completely preposterous. On the other hand, looking closely at how this has been reported by the media, one finds compelling evidence of incompetence and bias, regardless of the truth of the allegations against Trump and Russia. I also argue that we have good reasons to suspect that part of the US intelligence community is playing a dangerous game by trying to undermine Trump. This should be concerning to anyone who values democracy, even if they oppose Trump. So much has been written on these allegations that I can’t say that I have read everything about it, but I have read so much about this over the past few months that I’m confident I have read almost everything. Thus, I think my review of the evidence and discussion of how it has been covered by the media is very thorough, much more so than anything else I have read on that issue. Since the whole thing is approximately 16,000 words long and contains 137 hyperlinks, I decided to make it a four-part series of posts that I will publish this week. So, without further ado, here is the first part of the series.

Journalists, pundits and politicians often assert, as if this had been established beyond reasonable doubt, that Russia “hacked the election”. The fact that they use this expression, which doesn’t really mean anything, is already significant, because it suggests that Russia has altered vote tallies. Indeed, a poll conducted by Yougov in December showed that half of the people who voted for Clinton in November believed that, which is not surprising given how often the media has used that expression. Yet, even when Obama was still President, the US government has repeatedly said that there was no evidence of any such thing. Even James Clapper, who until recently was Director of National Intelligence and published a report that accused Russia of having interfered in the election to help Trump, repeated that in Senate when he answered a question John McCain asked him.

In order to understand what Russia has been accused of doing exactly, it’s useful to recall what happened during the campaign. In June 2016, it was revealed by the Washington Post that the Democratic National Committee had been hacked and, shortly after that, emails from members of the DNC were released by WikiLeaks and DC Leaks, another website that also released emails by members of the Republican party, although several of them were hostile to Trump. A few days later, a mysterious individual who calls himself “Guccifer 2.0” and claims to be a Romanian hacker said he was behind the hacking, which as we shall see has been questioned by many people. In October, WikiLeaks started releasing emails apparently stolen from John Podesta, the chairman of Clinton’s presidential campaign, on a regular basis. When people say that Russia “hacked the election”, what they really mean is that, according to them, the Russian government was responsible for the hacking of the Democratic party and arranged for the material they stole to be publicly released by a third part, most notably WikiLeaks, in order to help Trump win the election.

It’s important to distinguish 3 different claims that are being made in the media:
(1) Russia hacked the Democratic party,
(2) Russia hacked the Democratic party and arranged for the material it stole to be public released and
(3) Russia hacked the Democratic party, arranged for the material it stole to be publicly released and did so in order to help Trump win.
Those are distinct claims and, since (3) is logically stronger than (2), which is logically stronger than (1), even if we had evidence that conclusively establishes (1), we would still need more evidence to conclusively establish (2) and, even if we had evidence that conclusively establishes (2), we would still need more evidence to conclusively establish (3). Indeed, even if Russia hacked the DNC and Podesta’s email account, it doesn’t mean Russia released the material, since other people may have hacked them as well and other people no doubt at least tried. Similarly, even if Russia released the material after hacking both the DNC and Podesta’s email account, it doesn’t mean it did so in order to help Trump, a further claim that requires yet more evidence. Thus, it’s crucial to distinguish those claims, yet they almost never are.

Even if (1) were true, it would be completely uninteresting, since we already know that states spy on each other all the time, including between allies. For instance, in 2015, WikiLeaks published documents proving that the NSA had spied on three French Presidents between 2006 and 2012, even though France is supposed to be a close ally of the US. In 2013, Edward Snowden had already revealed that the NSA had been tapping Angela Merkel’s phone, which generated a lot of outrage in Germany. Another document he leaked described how the NSA had been spying on Mexico for years, including on Enrique Peña Nieto, who is now President of the country. It was later revealed that Germany had also spied on France, supposedly its closest ally, on behalf of the US. Similarly, Israel has a long history of spying on the US, despite being a close ally of Washington. These examples of spying were far worse than what, according to (1), Russia did to the Democratic party. After all, it would just be spying on a party, whereas the examples I mentioned involve spying on state institutions. But even if for some reason people are particularly concerned by the hacking of a political party, WikiLeaks recently published documents showing that, in the months leading to the French presidential elections in 2012, the CIA had spied on several French political parties. The point is that everybody is spying on everybody, but even when that is revealed, we typically don’t see the kind of hysteria that we have seen in the US after Russia was accused of hacking the Democratic party. On the other hand, if (2) and (3) were true, it would be more unusual and arguably quite serious. However, as should be plain to everyone, even that would still be nowhere as bad as what the US routinely does against regimes it doesn’t like.

Before I discuss the evidence that has been adduced in favor of those claims, it’s important to say a few words about what the standard of proof should be in that case. The accusations that Russia interfered in the US presidential election, at least (2) and (3), are very serious. Some politicians and commentators, such as John McCain and Thomas Friedman, went as far as saying that Russia’s alleged interference was an act of war. If those accusations were confirmed, it would dramatically fuel the tensions between Russia and the US, which are already high. Indeed, during Obama’s second term, the relations between Russia and the US badly deteriorated, especially because of their divergence about the Syrian civil war. I don’t think anyone would deny that, at the end of Obama’s second term, the relations between Russia and the US had never been so tense since the worst days of the Cold War. In Syria, where both countries are intervening in the civil war, the risks of an incident that could have led to a conflict were very real. Given that Russia and the US are nuclear superpowers, with enough thermonuclear warheads to kill millions of people in a few hours, any tensions between them should be very concerning, even if the probability that a conflict would degenerate into a nuclear war is low. Thus, in order to assert that Russia interfered in the US presidential election, the evidence should be extremely strong.

The claim that Russia was responsible for the hacking of the DNC was first made by CrowdStrike, a private cybersecurity firm hired by the Democratic party to deal with the hacking. Their analysis was later supported by other private cybersecurity firms, such as ThreatConnect and Fidelis, but also specialized websites, that published reports in which they presented more evidence that Russia was behind the hacking of the DNC and, a few months later, Podesta’s email account. (For the most part, private cybersecurity companies have focused on the hacking of the DNC, but I also discuss evidence that Russia was responsible for hacking Podesta’s email account below. It was published by a firm called Secure Works and, in my opinion, it constitutes the strongest evidence in favor of the claim that Russia was behind the hacking of the Democratic party.) Those reports use language that is dismissive of Russia and, when they are written by private cybersecurity firms, they often seem to advertise their products. They have a clear interest in exaggerating the threat posed by hackers, since they sell their services to people who want protection against hacking. Not to mention the fact that, at least in the case of CrowdStrike, they were paid by the Democratic party, which had a clear interest in promoting the view that Russia was trying to help Trump. It should also be noted that Crowdstrike’s co-founder, Dmitri Alperovitch, is a senior fellow at the Atlantic Council. The Atlantic Council is a think tank which promotes NATO and receives funding from various member states, including the US government, but also the Ukrainian World Congress. Those are good reasons to be suspicious of what those firms are saying, which should have been reported by the media when they presented the findings of the firms in question, yet they almost never were. However, to be clear, it doesn’t mean that we should ignore the evidence these firms provide in favor of their claims. But it means that we should subject those claims to a high degree of scrutiny, which unfortunately journalists rarely do.

To be clear, I’m not a cybersecurity expert, but I have a Bachelor in computer science and I have been programming since I was 14, so I’m at least capable of understanding the vast majority of the evidence that has been given by the private cybersecurity firms that have accused Russia of interfering in the election. (When I didn’t know what they were talking about, I did some research.) It would take forever to explain that evidence in details, so I will just try to give you a sense of what kind of evidence that is and how those firms used it to arrive at their conclusions. If you want to know all the details, you can read the reports I have linked to above, which I encourage you to do. Basically, in order to attribute the hacking of the Democratic party to Russia, those private cybersecurity firms have pointed out that whoever hacked the DNC used similar methods and softwares as those used in previous attacks on other individuals and organizations, which were attributed to groups called APT28 or Fancy Bear and APT29 or Cozy Bear in the industry, among other names they are sometimes given. In some cases, even the command and control infrastructure (i. e. the servers used to communicate with the malware installed by the hackers on the computer of their targets) were the same, which strengthens the attribution.

Fancy Bear and Cozy Bear are believed by those private cybersecurity firms and some Western intelligence agencies to be state-sponsored entities used by Russian intelligence agencies to hack targets of interest. This is the main reason why they think that Russia was behind the hacking of the Democratic party. Using the same kind of evidence, they claim to have established some ties between those groups and DC Leaks/Guccifer 2.0, which have released some of the stolen material. In addition, various people have pointed out that the metadata in the documents released by DC Leaks contained text in Cyrillic alphabet, which is used in Russia but also several other countries. According to the metadata, one of the files had also been modified by a user called “Feliks Dzerzhinsky”, a reference to the founder of the Soviet secret police. Moreover, the software used in the attack against the DNC contained time stamps which, assuming they were not tampered with, showed that it was compiled during the business hours in the time zone of Moscow and Saint Petersburg. Private cybersecurity firms have also reverse engineered the softwares used in the attack against the DNC, as well as in other attacks that, according to them, were conducted by the same groups. It showed that the programs used had been designed in a highly modular way, which according to these firms suggests that it was the work of government-sponsored groups.

Again, I can’t review the evidence in every detail, but this should give you a pretty good idea of how private cybersecurity firms have attributed the attacks to Russia. Now, I don’t want to say there is nothing here, but anyone who has studied the evidence can see that, at the end of the day, it’s just circumstantial. As Jeffrey Carr, a cybersecurity expert who has worked on Russian cyber attacks against Georgia, noted after CrowdStrike published its report, the attribution of a cyber attack to anyone is always uncertain and people should be honest about that. The evidence uncovered by private cybersecurity firms would not be admissible in a court of law, yet it was widely assumed to be sufficient to accuse Russia of being responsible for hacking the Democratic party and releasing the stolen material, even before the US government said it had reached the same conclusion. Just as I couldn’t describe every piece of evidence that has been given to support the allegations against Russia, I also can’t discuss every problem with that evidence, so I will just try to give you a sense of how uncertain the attribution to Russia is.

Much of the evidence that private cybersecurity firms used to attribute the attack on the DNC and Podesta’s email account to Fancy Bear and Cozy Bear is extremely weak. For instance, they say that the softwares and methods used to hack the DNC are similar to those used in other attacks, which are believed to have been conducted by Fancy Bear and/or Cozy Bear. But as Jeffrey Carr pointed out, this is like saying, in a murder case where the victim is known to have been killed with a Kalashnikov, that the culprit is Russian because that kind of rifle was invented in Russia… As he also noted, once a software has been developed and used to remotely access a computer somewhere else, it can be reverse-engineered, modified, distributed and used by a lot of people who have nothing to do with the person who created the original version. For instance, take the attack on the DNC in the Spring of 2015, which CrowdStrike and other private cybersecurity firms attributed to Fancy Bear. One reason they made this attribution is that, in the attack on the DNC, the malware used was the same as that used previously against the Bundestag in Germany and the French television channel TV5 Monde, which they believe was the work of Fancy Bear. But as Carr pointed out, another private cybersecurity firm called ESET was able to retrieve the source code of that malware, which means that other people could have done the same thing and used the malware to conduct attacks on various targets even though they have nothing to do with the people who developed it.

In fact, the truth is that although CrowdStrike and other cybersecurity companies talk about Fancy Bear and Cozy Bear as if they were well-defined groups of people, there is no way to know for sure that any group to which they attributed various attacks actually exist. Of course, for each of the attacks in question, someone is responsible, but the existence of a well-defined group of people behind all of them is just a hypothesis based on a host of circumstantial evidence. As ESET writes in a report it published about Sednit, which is their name for APT28/Fancy Bear, ultimately what they call a group is “merely a set of software and the related network infrastructure, which we can hardly correlate with any specific organization”. (Emphasis in the original.) Of course, the similarity of the softwares used is not the only thing cybersecurity companies use to attribute different attacks to the same group, there is also the fact that sometimes they have used the same servers, domain names registered with the same email address, etc. But, at the end of the day, the attribution of any particular attack to a group and even the existence of that group are just sophisticated conjectures.

Sometimes, the evidence used to support those conjectures is pretty strong, but sometimes it’s rather flimsy. For instance, several private cybersecurity firms have conjectured that Fancy Bear works for the Russian intelligence because they think that some of their targets, such as the Bundestag and TV5 Monde, could only have been of interest to the Russian government. But this is hardly obvious, since one can imagine many people who could want to hack the German parliament or a French television channel and, as we have seen, it’s not even clear that the same people were responsible for these attacks and the attack on the DNC. In fact, as Carr pointed out, the cybersecurity firms that attributed the attack on the DNC to Fancy Bear and claim that both Fancy Bear and Cozy Bear work for the Russian government have reviewed the evidence selectively to draw that conclusion. They claim that the various attacks they have attributed to those groups over the years were against targets that, according to them, are likely to be of interest to Russia but not anyone else. However, a report on APT28/Fancy Bear published by FireEye, another private cybersecurity firm that has been cited to accuse Russia of hacking the Democratic party, begins the analysis of the targets of that group with this remark:

APT28 has targeted a variety of organizations that fall outside of the three themes we highlighted above. However, we are not profiling all of APT28’s targets with the same detail because they are not particularly indicative of a specific sponsor’s interests. They do indicate parallel areas of interest to many governments and do not run counter to Russian state interests.

In other words, APT28/Fancy Bear has targeted a lot of organizations that are presumably of no interest to the Russian government, but FireEye chose to ignore that. Of course, it could just be that, for reasons I have already explained, not all of the attacks that have been attributed to APT28/Fancy Bear were actually conducted by a single, well-defined group, but rather by various people with different motivations that just happened to use the same methods, softwares and infrastructure. However, if that’s the explanation, then it would also cast doubt on the ability of cybersecurity companies to identify the groups and individuals behind specific attacks.

In fact, we already know that attribution if highly fallible, something that should be abundantly clear after everything I said. There are examples in which attacks were initially attributed to a particular group/governments, only for this attribution to be retracted later. Carr mentions the example of attacks on banks in Bangladesh that were initially attributed to North Korea, for exactly the same kind of reasons that are used to blame Russia for the hacking of the Democratic party (the hackers had used the same methods, softwares, etc. as in the attack on Sony in 2014, which US officials blamed on North Korea), but investigators now believe that Russian hackers were responsible. We also know that CrowdStrike, the group hired by the Democratic party after it was hacked that first attributed the attack to Russia, sometimes got things badly wrong. For instance, as Carr explained, it blamed Russian intelligence for hacking the software used by Ukrainian artillery units, but this apparently never happened and, in any case, Crowdstrike’s reasoning was seriously flawed, since it relies on premises that are not supported by the evidence.

Other arguments used by private cybersecurity companies to show that Fancy Bear and Cozy Bear must be operated by the Russian intelligence are frankly preposterous. For instance, as John McAfee, a cybersecurity legend who created the first commercial antivirus, explained during the campaign, it’s hard to believe that the Russian intelligence could have made the kind of mistakes that private cybersecurity firms have used to blame the Russian government, such as leaving the time stamps in the software that shows when it was compiled or using the Cyrillic alphabet. (Since I mentioned Alperovitch’s ties to the Atlantic Council above, I should also say that McAfee is a libertarian who supports a non-interventionist foreign policy, which means that he probably oppose the anti-Russian policy of the US.) To be sure, as people in the US should know, intelligence services often screw up, so we shouldn’t assume they never make mistakes. But leaving Felix Dzerzhinsky’s name in the metadata of a file you stole from a foreign party that you are leaking is not a mistake, it’s so stupid that it’s almost a joke and it’s hard to believe that anyone working for the GRU could do something like that… As I also noted, cybersecurity firms also claim that, since the malware used by Fancy Bear and Cozy Bear was designed in a highly modular way, it has to be the work of a government. But I was doing that when I was still a teenager, so this is a complete joke. Now, the malware used by those groups is probably more sophisticated than anything I did when I was a teenager, but in any case the inference that, since it was designed in a highly modular way, it must have been the work of a government is preposterous. Anyone who has learned how to code properly and is disciplined enough can do that.

Again, I don’t want to make it sound as if there was no evidence whatsoever, I just think it’s clearly insufficient to make the accusations that are routinely made against Russia. As far as I know, the strongest piece of evidence that has been reported by private cybersecurity companies was published by another firm called SecureWorks in June 2016, in reports about a spearphishing campaign they attributed to APT28/Fancy Bear. Spearphishing consists in sending an email from the target’s email provider, saying that they need to change their password because they have been hacked. The email contains a link to a fake login webpage, where the target is asked to enter his password. If he does, the hacker can access his email account. The firm was monitoring a command and control which they think is used by that group and noticed that it was using Bitly to create shortlinks, that were included in spearphishing emails. However, the hackers apparently forgot to set the Bitly account they used to create those shortlinks to “private”, so the analysts at SecureWorks were able to determine what other shortlinks had been created using that account, which in turn allowed them to get a sense of who they were targeting. According to the report published by SecureWorks about that campaign, they were able to determine that 1,800 Google accounts had been targeted, using more than 3,000 shortlinks to do so.

According to SecureWorks, most of the targets were people in Russia or in states that used to be part of the Soviet Union, but the hackers also targeted people in the rest of the world. SecureWorks claims that 36% of the targets outside of the former Soviet Union were authors, journalists, NGOs, and political activists, who in half of the cases work on topics related to Russia or Ukraine. According to SecureWorks, the other 64% outside of the former Soviet Union were government personnel, military personnel, government supply chain and aerospace researchers, mostly in the US and other members of NATO but not only. The firm argued that, given the profile of the people targeted by the group, Russian intelligence groups were probably behind that spearphishing campaign, for they are the kind of people Russia would be interested in hacking. As it happens, various members of the Democratic party whose emails were later released by DC Leaks or WikiLeaks, including John Podesta, were targeted during this campaign. The spearphishing email used to steal Podesta’s password was even part of the dump released by WikiLeaks. Using the information that Bitly makes public about every shortlink created using their website, we can even tell that it was accessed twice in March 2016, although we can’t tell if the person who opened the fake login webpage entered Podesta’s password. (As you can see in the email released by WikiLeaks, one of Podesta’s staffers failed to tell another staffer it was a spearphishing attempt, when she asked him about the email that Podesta received with the shortlink. He later claimed was only because he made a typo when he replied, but it’s hard to tell whether it’s true. In any case, this makes it likely that Podesta or someone on his staff entered his password on the fake login webpage, but we still can’t know that for sure.)

As far as I know, this is by far the strongest piece of evidence that Russia was responsible for hacking the Democratic party and providing the material to WikiLeaks, but I think it’s still insufficient. First, even if the Russian intelligence was really behind the spearphishing email sent to Podesta, as I have noted, we don’t even know for sure that it was successful. Even if it was successful, we don’t know that whoever accessed Podesta’s email account through this spearphishing email also sent the material to WikiLeaks, since other people could have successfully hacked his account and leaked the material to WikiLeaks. It’s true that the most recent emails in the dump released by WikiLeaks are from March 21, only two days after Podesta received the spearphishing email that contained the shortlink created by the account used by SecureWorks to determine other targets of the group, but this is hardly conclusive. Moreover, as we have seen the reason why SecureWorks thinks that a Russian intelligence group was behind this spearphishing attempt on Podesta is that whoever sent him that email used the same Bitly account to create shortlinks in order to target many other people that, according to SecureWorks, would be natural targets for Russia. However, the report provides no inkling as to how SecureWorks was able to identify the targets from the shortlinks, which presumably would only tell you the email addresses associated with the Google accounts that were targeted. I don’t see how they could have figured out the identity of everyone whose email address had been targeted. Even if the email address contains the name of the person who uses it, you still have to figure out who that person is, which is often not easy. Even if SecureWorks emailed everyone on the list, which it doesn’t say in the report it published, the rate of response would presumably have been pretty low. So when it claims that e. g. 36% of the targets outside of the former Soviet Union were authors, journalists, NGOs, and political activists, 53% of whom are working on topics related to Russian and Ukraine, the report is probably just talking about the people they were able to identify, which could be a small subset of the 1,800 accounts the firm determined had been targeted.

Even if this were not the case and FireWorks was somehow able to identify every individual behind every email account targeted during this spearphishing campaign, the profile of those people alone clearly doesn’t allow us to conclude that Russian intelligence groups were behind the campaign, especially since we only have the characterization of their profile by SecureWorks but don’t have any details on what criteria it used to classify them. Thus, according to me, SecureWorks published reasonable though inconclusive evidence for (1), almost no evidence for (2) and absolutely no evidence whatsoever for (3), although to be fair it never said anything about (3). Now, as I pointed out above, (1) would be relatively uninteresting even if we had conclusive evidence that it was true, because even allies spy on each other all the time. So the evidence published by SecureWorks, which is probably the strongest of everything that is publicly available,  cannot even conclusively establish the weakest of the 3 claims I have distinguished above.

Thus, having read most of what the private cybersecurity companies who attribute the hacking of the Democratic party to Russia have published, my conclusion is that it doesn’t even come close to meeting the necessary standard of proof to make that accusation. In my opinion, the attacks probably came from people in Russia, but the evidence provided by private cybersecurity firms that the Russian government was behind them and provided the material to WikiLeaks is clearly insufficient. The fact that the attacks came from Russia, if that is even a fact, doesn’t mean much since nobody disputes that Russia is literally infested by hackers, including some of the best in the world. Moreover, Russians are very patriotic and anti-American, so it wouldn’t be surprising if some Russian hackers had undertaken to hack the Democratic party on their own to harm Clinton, who was extremely hostile to Russia and even compared Putin to Hitler in 2014. The notion that we can accuse Russia of being responsible for hacking the Democratic party and releasing the material publicly, with everything this entails for the relations between Russia and the US, on the basis of the evidence published by private cybersecurity companies strikes me as totally unreasonable and I don’t see how anyone who has reviewed the evidence and understands what is at stake could disagree.

EDIT: I have added a few paragraphs about the evidence published by SecureWorks, which I think makes the strongest case for the claim that Russia was behind the hacking of the Democratic party (although in my opinion it’s still far from conclusive), because I didn’t want to make the case against Russia look weaker than it actually is.

NOTE: This is the first post in a four-part series of posts. See also part 2part 3 and part 4.

2 thoughts

  1. “Thus, in order to assert that Russia interfered in the US presidential election, the evidence should be extremely strong.”

    You considered the costs of making a false accusation, but you neglected to account for the costs of failing to make a true accusation. If Russia did orchestrate the DNC leaks, and faced no consequences for doing so, this would likely embolden the Kremlin to continue to meddle in future elections, both in the United States and elsewhere, and to expand their cyberwarfare activities on other fronts. This is undesirable for its own sake– Russia tends to support divisive nationalist demagogues like Trump and Le Pen, who are (to put it mildly) bad news for their countries, and the world– and it’s also liable to make our allies in Eastern Europe extremely nervous, which, in turn, has the potential to increase the chances of war down the line. Given that both the costs of making a false accusations and the costs of failing to make a true accusation are uncertain and largely speculative, I don’t think it makes sense to demand a specially high burden of proof for accusations against Russia. Probably the most responsible thing to do is to simply report the confidence levels warranted by the evidence.

    1. The fact that I only considered the cost of making a false accusation and not the cost of failing to make a true one is a fair point, but I really don’t think there is a good case that failing to make a true accusation would have a high cost, whether I think the cost of making a false one is very clear. I think some people think otherwise because they have all sorts of false beliefs, such as the belief that Russia is a threat to Europe, but this isn’t the place to talk about this as I plan to write a post about this at some point. Moreover, if you have reasons to suspect that Russia interfered in the election, but no conclusive evidence, there are other ways, beside imposing sanctions and fueling a dangerous anti-Russian hysteria in the public, to make clear to Moscow that you won’t go for that shit. Indeed, during the campaign, Biden made that clear. Anyway, I don’t think it matters very much anyway, because the evidence is quite weak and I don’t think it would meet any reasonable standard of proof.

Leave a Reply