6

Recently, US and non-US media have been publishing many articles regarding Russia being involved in the "Podesta-hack" or even accusing Putin of being directly responsible. For example:

However, none of these articles give any proof for such a claim; they are just referring to secret CIA information. Furthermore, in my country, Germany, media outlets are jumping on the accusation bandwagon and starting to accuse Russia/Putin of hacking the NSA investigation committee.

Again, no evidence can be provided.

Now to my question:
I think that it's possible to act almost totally anonymously online, especially when you're backed/funded by a government. Also, I am aware that the CIA and German intelligence probably have their sources which cannot be made public.

But how can we be sure that this is not entirely propaganda against the Russian government? Wouldn't one expect that Russia would be able to cover their tracks, if they'd want to?

What I have seen a couple of times now is the point that the attacker's active-time is coherent with the timezone of Moscow? Is this already enough evidence? What other possibilities are there to identify an attacker, when he knows his business and is hiding his IP/Info and not making stupid mistakes?

Anders
Doc
    Intelligence agencies rarely make much of their evidence available to the public, as it could make it easier for attackers to learn to evade them. Plus, many would object to how the NSA can track data in general. But here is some evidence made available by private investigators: [CrowdStrike blog](https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/) & [another article](https://archive.is/2016.06.16-214721/http:/arstechnica.com/security/2016/06/guccifer-leak-of-dnc-trump-research-has-a-russians-fingerprints-on-it/) – Alexander O'Mara Dec 16 '16 at 20:08
  • Funnily, in Germany the accusation of Russia hacking the NSA investigation committee just dropped. Police are now investigating because it was a leak from inside. A couple of days ago many politicians were pretty sure that this was Russia. – Doc Dec 18 '16 at 13:12

2 Answers

3

This is nearly a dupe of How do organizations check what has been hacked? While that question deals with unraveling what, you're asking about unraveling how and by whom.

What other possibilities are there to identify an attacker, when he knows his business and is hiding his IP/Info and not making stupid mistakes?

There are a lot of possibilities. There's a lot more to remaining un-attributed than "not making stupid mistakes"! It's fair to say, any APT (nation-state) actor is going to be attributed, eventually, by any nation-state level defender. National Defense gets hella more resources than, say, you trying to figure out who took advantage of your Yahoo! credentials.

If you read the list of forensic steps that can be taken, the methods of backtracking rely on all the bits of data, each of which is a small piece of the puzzle.

Data you'll start with:

  • IP addresses used in the attack
  • Attack tools used in the attack and left on the target servers
  • Times of activity (as you say, not conclusive, but a piece of the puzzle)

To quote the bible, "By their fruit you will recognize them." The advanced hacking groups build their own specialized tools, sometimes use the same IPs to route themselves through, and show enough consistency in times of activity to offset them from other advanced groups.

Some of this stuff can get really nitty-gritty. Individual actors have been identified personally because their username was embedded in a directory that was embedded in a file compiled from source that referenced that directory. Small strings found in one set of files have been enough to tie together that attack with another that also happened to have the same signature strings.

At the national level, the people who are working to defend and investigate have access to an awful lot of puzzle pieces, and can use them to attribute actions. They may know that attack XYZ, for example, was blatantly tied to Russia, and that attack QRS has a significant overlap of indicators. Enough overlap? They conclude that QRS was also tied to Russia.

If you're interested in seeing more about how this is done, I strongly recommend reading Mandiant's "APT1: Exposing One of China's Cyber-Espionage Units".

gowenfawr
    I agree with your general answer, obviously, it's a complex investigative act; I do think that the examples you bring are extremely weak. None of these would not be among the things a state actor wouldn't at least try to fake – and you gotta admit, with NSA tools having been leaked, this doesn't sound all too abstract a scenario. And seriously, "it's 11am in Russia now, gotta be the Russians" is kind of not even an indication, even when repeatedly observed (by the way, Russia is seriously large). – Marcus Müller Dec 16 '16 at 22:04
  • @MarcusMüller The examples I've listed are simplified. The Mandiant paper, which goes into much more detail, will help reassure you that even serious state actors have difficulty faking everything. And with the time zone thing, often when that's discussed, it's far more subtle - for example, there have been examples where the time zone that's embedded in the compiled code reflects the location of the machine doing the compilation, regardless of what time the compilation was done, and completely unconnected from the (far more easily fungible) time the attack tool was _used_. – gowenfawr Dec 16 '16 at 22:20
  • yes! So, again, for the general audience, gowenfawr and I agree on such attributions being the result of complex investigations (I'm personally not ruling out at least an influence of political interest) that yield a lot of indications, but seldom what is mathematically a proof. – Marcus Müller Dec 16 '16 at 22:38
1

This is like any exercise in forensic investigation. Attackers leave trails. These can sometimes be correlated to evidence left behind in other attacks. Time of day may not seem like much, but if it's from the same block of time every day, that may not be coincidence. Hacking tools left behind may have native language artifacts, custom directory path names, or timestamps consistent with other recognizable attacks featuring similar time zones. Often, the tools are customized, and leave unique fingerprints.

If you're an organization like NSA, you probably also don't obey the rules against counter-hacking.

The more resources you have, the better evidence you'll get from the forensic analysis. The NSA is pretty good at it.

John Deters
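Both answers describe the same three kinds of puzzle pieces: times of activity, strings left behind in compiled tooling (the "username embedded in a directory" case), and overlap of indicators between one intrusion and another. The script below is an added illustration of how an analyst turns each of those into something measurable; it is not code from either answer, nor from Mandiant or CrowdStrike. Every input is constructed: the timestamps, the fake PE fragment, the user name `build_user`, the TEST-NET addresses and the indicator lists. The RSDS/CodeView layout it parses is the real format in which a Windows binary records its PDB path; the `best_fit_offsets` scoring is a deliberately simple heuristic of my own, and it returns every tied offset rather than a single answer, because working hours narrow the search to a band of longitude (as the comments note, a large country spans several) and an actor who controls when tooling runs can shape this profile on purpose.

```python
"""Toy attribution helpers: activity-hour profiling, build-artifact string
extraction and indicator overlap. All sample data below is constructed."""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample: command-and-control activity seen at the victim,
# recorded in UTC. Five working days, 06:00-14:00 UTC each day.
ACTIVITY_UTC = [
    datetime(2016, 12, day, hour, 15, tzinfo=timezone.utc)
    for day in range(5, 10)
    for hour in range(6, 15)
]

# Constructed fragment of a Windows executable. Real PE files carry a
# CodeView record: "RSDS", a 16-byte GUID, a 4-byte age, then the
# NUL-terminated path of the PDB file as it was on the build machine.
PE_FRAGMENT = (
    b"\x00" * 32
    + b"RSDS"
    + bytes(range(16))                      # GUID (constructed)
    + (1).to_bytes(4, "little")             # age
    + b"C:\\Users\\build_user\\src\\dropper\\Release\\dropper.pdb\x00"
    + b"\x00" * 16
)


def activity_histogram(events, utc_offset_hours=0):
    """Count events per local hour after shifting by a candidate UTC offset."""
    shift = timedelta(hours=utc_offset_hours)
    return Counter((t + shift).hour for t in events)


def best_fit_offsets(events, workday=(9, 17), candidates=range(-12, 15)):
    """Offsets under which the most events land inside a local working day.
    Ties are returned together; the result is a band of longitude, not a
    country, and it only reflects when the actor chose to be active."""
    start, end = workday
    scores = {}
    for off in candidates:
        hist = activity_histogram(events, off)
        scores[off] = sum(n for h, n in hist.items() if start <= h <= end)
    best = max(scores.values())
    return sorted(off for off, s in scores.items() if s == best)


# "RSDS" + GUID(16) + age(4) + printable path + NUL. DOTALL lets the GUID
# and age contain any byte value.
PDB_RE = re.compile(rb"RSDS.{16}.{4}([\x20-\x7e]{2,260})\x00", re.DOTALL)
USER_RE = re.compile(r"\\Users\\([^\\]+)\\", re.IGNORECASE)


def extract_pdb_path(blob):
    """Return the PDB path recorded in a PE image, or None if absent."""
    m = PDB_RE.search(blob)
    return m.group(1).decode("ascii") if m else None


def build_artifacts(blob):
    """Pull the build-machine strings an analyst would keep as indicators."""
    path = extract_pdb_path(blob)
    if path is None:
        return {}
    user = USER_RE.search(path)
    return {
        "pdb_path": path,
        "build_user": user.group(1) if user else None,
        "project_dir": path.rsplit("\\", 1)[0],
    }


def indicator_overlap(a, b):
    """Shared indicators and Jaccard similarity between two intrusion sets."""
    shared, union = set(a) & set(b), set(a) | set(b)
    return {"shared": sorted(shared),
            "jaccard": len(shared) / len(union) if union else 0.0}


if __name__ == "__main__":
    print("plausible UTC offsets:", best_fit_offsets(ACTIVITY_UTC))
    art = build_artifacts(PE_FRAGMENT)
    print("build artifacts:", art)
    # Constructed indicator sets for two intrusions (TEST-NET addresses).
    intrusion_xyz = ["198.51.100.7", art["pdb_path"], "mutex_constructed_1"]
    intrusion_qrs = ["198.51.100.7", art["pdb_path"], "203.0.113.9"]
    print("overlap:", indicator_overlap(intrusion_xyz, intrusion_qrs))
```

The overlap number on its own proves nothing; what it gives the investigator is a reason to go back to the raw evidence of both intrusions and check whether the shared pieces (an address, a build path, a string) are the kind an actor could have copied or planted, which is exactly the objection raised in the comments.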