DNC Servers Were Locally Hacked, Making Russian Interference Unlikely
AP_16211657824160
July 18th, 2017
Above Photo: People stand outside the Democratic National Committee (DNC)
headquarters in Washington (AP/Paul Holston)
The "Russiagate" scandal has dominated headlines and airwaves for months
now, with politicians and analysts lining up to pin last year's election
meddling on Russian spies. But an independent investigator's new analysis
lays the blame at the feet of a hacker closer to home.
WASHINGTON, D.C.- In the latest complication for the "Russiagate" scandal, a
new analysis has suggested that files and email stolen from the Democratic
National Committee (DNC) were copied to a USB drive by someone with physical
access to a computer that had DNC server access, indicating that the
committee's records were not hacked remotely by foreign actors, as has been
alleged.
The DNC's stolen files were published by the hacker "Guccifer 2.0," whose
name is an homage to the Romanian hacker Guccifer, who gained notoriety for
hacking the Bush and Rockefeller families among other U.S. government
officials.
Guccifer 2.0, despite professing that he is a Romanian and affiliated with
no government, was cited as an agent of Russian military intelligence by the
private cyber security firm Crowdstrike, which was hired by the DNC to
investigate the hack.
However, an independent investigator working under the pseudonym "The
Forensicator" has released a new analysis of the metadata found in the files
published by Guccifer 2.0.
The analysis shows that the files, published as a .7z archive file, were
transferred from the server at a speed of 23 MB/second, leading the
investigator to conclude that it was "unlikely that this initial data
transfer could have been done remotely over the Internet."
The investigator also found that the copying of the files from the DNC
servers took place either over a local high-speed network (LAN) or by
someone who had physical access to the computer where the data was stored.
In addition, The Forensicator analyzed the timestamps of the files, which
were preserved from the date of the initial transfer. The timestamps from
the documents were recorded in Coordinated Universal Time (UTC), but - when
adjusted to Eastern Daylight Time (EDT) - they fell "into the same range as
the last modified times for the directories archived in the .rar files."
Thus, it was concluded that the copying of the files took place on a
computer system where EDT was in use, meaning that the said system was
likely located on the eastern coast of the U.S.
In light of these findings, the party responsible for the initial hack was
likely located within the U.S. at the time, suggesting that the hack was
carried out by a disgruntled DNC insider or by someone located in the U.S.
who may have been working with Guccifer 2.0, who was responsible for gaining
access to the DNC server. This makes it unlikely that Russian military
intelligence remotely hacked the DNC servers from abroad.
This may explain why the DNC has repeatedly refused to hand over the hacked
servers to the government for examination, as only Crowdstrike has been
given access. Even the recent Congressional probes into alleged Russian
interference in the 2016 election have been denied access to the servers.
Given that the DNC hack has been central to the Russian hacker narrative, it
is certainly unusual that this key piece of evidence is being withheld from
investigators. This new analysis makes it highly likely that there is
evidence on the servers that would also show that remote hacking of the
servers was improbable.
But even before The Forensicator's analysis was released, there was plenty
of reason to doubt the DNC's narrative regarding the hack, particularly
regarding whether Russia was the culpable party.
For example, the evidence Crowdstrike cited as proving that the hack was
conducted by Russian military intelligence is largely speculative. The firm
claimed that the techniques used in the hack were similar to those used in
past hacking operations that have been attributed to Russian state actors
and the profile of those targeted by said hacks "closely mirrors the
strategic interests of the Russian government."
However, even if the exploits or tools used to conduct the hack were
associated with Russia in the past, that does not necessarily make the case
that the Russians were behind the hack this time. Indeed, once malware or
another exploit is used, it tends to be utilized by other hackers and cyber
criminals soon after. It may also be offered for sale on online black
markets.
This has occurred with Russian malware before. When the Gyges malware was
discovered by SentinelOne Research in 2014, it was found to share several
similarities with "Russian espionage malware" that had been repurposed by
non-state actor cybercriminals. The firm explained that the Gyges malware is
an "example of how advanced techniques and code developed by governments for
espionage are effectively being repurposed, modularized and coupled with
other malware to commit cybercrime."
U.S. government-created malware has also shared a similar fate, most
recently with the WikiLeaks "Vault 7" revelations that the CIA lost control
of its elite hacking arsenal, along with the breach of NSA hacking tools by
the Shadow Brokers hacking collective. Tools from the latter were recently
repurposed by the criminals responsible for the recent WannaCry ransomware
attack that affected 74 nations and is said to have been one of the largest
cyber attacks in history.
