Democratic presidential candidate Hillary Clinton claimed Russian interference in the US polls after losing the presidential race to President Donald Trump. PHOTO/SHUTTERSTOCK
The claim that the Kremlin was behind the emails stolen from the Democratic Party and leaked to WikiLeaks has been accepted too easily. This is confirmed by several cybersecurity experts in interviews with Dutch investigative programme Argos (VPRO, Dutch public radio).
‘‘Looking at the evidence, I can’t say that it is plausible that this nation state actor provided this information to WikiLeaks’, states Oscar Koeroo, digital security expert at Dutch telecom company KPN.
In June 2016, the Democratic National Committee (DNC) broke the news that their servers had been hacked by two Russian hacker groups: Cozy Bear and Fancy Bear. A month later WikiLeaks published thousands of internal DNC emails.
Hillary Clinton later declared her losing the presidential campaign is partly due to ‘Russian WikiLeaks’. In January of 2017, American intelligence agencies NSA, CIA and FBI stated ‘with high confidence that the GRU used (…) WikiLeaks’ to release the material stolen from the DNC.
But are we to blindly believe wat the DNC and American intelligence tell us? In its March 17th broadcast Argos highlights the many gaps in the official narrative.
Malware created after DNC installed protection platform
Among the findings is that the espionage software attributed to Fancy Bear was created after the DNC contracted cybersecurity company Crowdstrike. The creation date of this so-called X-Agent malware is May 10th 2016. This is notable, because Crowdstrike installed their ‘endpoint protection platform’ Falcon five days before that, on May 5th 2016. There is no evidence that the creation date of X-Agent has been manipulated, as Crowdstrike itself confirms.
The X-Agent malware ‘had its source code leaked or made available for a short period online’, says Alexis Dorais-Joncas, Security Intelligence Team Lead for cybersecurity company ESET. ‘ESET has a copy of the source code, which we found a few years ago. There are indications that other parties, among which security investigators, also have access to this code.’
As such, ESET states that it is plausible that anyone with access to this source code for Fancy Bear’s malware and knowledge of their usual tactics (TTP’s) could impersonate a hack by Fancy Bear. ‘If someone would obtain that source code and could easily modify it and perpetrate an attack, researchers could attribute this attack to Fancy Bear while in fact anyone could have done it.’
Such an impersonation could be made even better if the attackers had access to the X-agent source code and would modify in such a way that researchers would see it as an evolution of the tool, rather than just a copy of the old one, ESET tells Argos.
DNC-emails leaked after hack was discovered
Democratic National headquarters. PHOTO/THE NATION
The DNC-hack became worldwide news when WikiLeaks published thousands of leaked DNC-emails on July 22nd of 2016. These emails revealed how the members of the DNC supported Hillary Clinton and were actively thwarting her opponent in Bernie Sanders. The DNC-emails published by WikiLeaks can be traced back to the mail accounts of seven employees, among which their communication manager. The leak led to the resignation of several DNC employees, including its Chairperson.
Research conducted by Argos shows that the majority of these leaked emails was sent in the twenty days after Crowdstrike was hired by the DNC.
‘It is customary for a cybersecurity company to leave the system open for a while in order to observe what the hackers are doing’, says Rickey Gevers, cybersecurity expert at the RedSocks (specialized in malicious threat detection). ‘But twenty days is quite long. Especially if you knew from the get-go that there could be a Russian party in the system.’
“Crowdstrike must have observed the leaking of emails”
Crowdstrike and the DNC have repeatedly stated that they knew within a day that ‘the Russians were behind the attack’, thanks to Crowdstrike’s advanced endpoint protection platform Falcon. Crowdstrike also hired 24/7 Overwatch, which lets ‘elite security guards’ monitor the servers 24/7.
“If they were in fact monitoring the network this closely, they should have seen the emails leaking”, explains Gevers in Argos. But if this is not the case, an explanation could be that the emails were stolen in another way, according to experts Gevers (RedSocks), Koeroo (KPN) and Dorais-Joncas (ESET).
The initial coverage of the DNC hack contributes to the possibility that the network was not monitored that scrupulously, as stolen emails were not even mentioned. “The hackers stole two files”, according to Crowdstrike’s Shawn Henry. “No financial, donor or personal information appears to have been accessed or taken”, the DNC told the Washington Post.
Crowdstrike refused to comment on these findings due to client confidentiality.
No phishing mails sent to leaked DNC email accounts
CIA headquarters. PHOTO/WIKIMEDIA COMMONS
As American intelligence agencies and several cybersecurity companies accuse Fancy Bear of sending out spear phishing mails, Argos has also looked into this option.
In the spring of 2016 Fancy Bear sent over two hundred phishing mails to 108 employees of the ‘Hillary for America Campaign’. These mails were aimed at obtaining logins to mail accounts. DNC employees also received phishing mails. Although it has not been proven that these spear phishing emails are connected to the DNC hack, researchers from cybersecurity company SecureWorks state that a coincidence seems unlikely.
Argos gained exclusive access to the bit.ly links sent by Fancy Bear. In March and April of 2016 Fancy Bear sent out sixteen phishing mails to the DNC-email accounts (@dnc.org) of nine different DNC-employees. Argos discovered that three people clicked on the link in the phishing mail. The possibility of these people subsequently giving out their DNC-password is very slim, as this link led to a fake login page for Gmail, whereas the DNC used a different mail server.
Argos also tracked down which DNC-email accounts the phishing mails were sent to. None of the persons whose inbox has been exposed by WikiLeaks are among these accounts. Other persons with possible access to these email accounts, like assistants or secretaries, were not among the targets either.
There does appear to be a link between phishing mails sent out by Fancy Bear and the emails belonging to John Podesta, published by WikiLeaks. The chairman of the Hillary Clinton presidential campaign received a phishing email on his Gmail-account on March 19th 2016. His inbox was subsequently emptied.
The DNC has, despite multiple requests, not reacted to these findings.
This story was first published by Dutch investigative programme Argos (VPRO, Dutch public radio
