When it comes to attribution—especially when foreign intelligence agencies are involved—plausible deniability is easy. However, the public has come to expect courtroom-quality evidence before believing attribution for cyber operations—a difficult task when the kind of cross-border cooperation you need to get to the bottom of the case is not likely to be forthcoming, for obvious reasons.
Instead, probabilistic, intelligence-based reasoning is the most honest and useful way to go about attribution. Once reasonable theories are established, they are compared against the available evidence and those that conflict with it are eliminated. The explanations that survive this scientific-method-inspired attribution process are then considered the more reliable and likely ones.
Based on this scientific attribution process, there is no doubt that actors operating at the behest of the Russian Government were not only behind the DNC hack but also many of the other election-related compromises in the U.S. and Europe this year, as well as the false hacktivist personas like Guccifer 2.0. Forensic evidence that matches known Russian government groups, infrastructure closely related to systems under the control of Moscow, and targets and resulting information operations in line with Russia's stated foreign policy goals are all very similar to the overall methodology previously used by Russian groups. Additionally, the Kremlin last year bragged in its updated National Security Strategy document that it would take exactly these sorts of actions.
Other potential explanations—like Beijing, real hacktivists, a lone wolf, or other governments’ operations—all have obvious inconsistencies with the evidence already public. This sort of discussion about attribution is often presented in the press by the knee-jerk appeal to how common cybercrime is, and therefore how uncertain attribution for any one given incident must be. However, that is only true for one-off incidents where the actors rely upon commodity malware using new or compromised infrastructure. While these techniques were previously used in other Russian incidents, these conditions do not apply to this coordinated, multi-faceted, media savvy, bespoke malware-using, tightly controlled operation. This set of evidence rules out common cybercriminals and true hacktivists.
China, while a global cyber power, has—even in the case of Taiwan's elections—focused on espionage and used more traditional, overt levers to exert its influence. They also would not have been able to use the infrastructure involved in these operations without at least Moscow’s tacit permission given the long timespan involved—which also rules out any other non-cooperative government operation. They also have had little interest in the vast majority of victims of similar attacks; for example, the World Anti-Doping Agency (targeted after it banned Russian athletes from the Olympics), Eastern European embassies, and the targets of false-front cyberterrorism operations against France.
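The elimination process described above is, in structure, an analysis of competing hypotheses: lay the candidate explanations against each evidence item, and discard any hypothesis that is inconsistent with evidence rather than collecting confirmations for a favourite. The script below is an added illustration, not part of the original article; the hypotheses, evidence labels and consistency ratings are a constructed encoding of the judgments the article states (forensics, infrastructure, targeting, tooling, victim set), and the ratings are the author's conclusions as written, not independent findings.

```python
"""Analysis-of-competing-hypotheses (ACH) style elimination.

Ratings: "C" consistent, "I" inconsistent, "N" neutral / no bearing.
A hypothesis survives only if no evidence item is rated "I" against it.
Evidence that rates the same against every hypothesis has no diagnostic
value, however confirming it looks; the diagnosticity report makes that visible.
"""
from collections import Counter

CONSISTENT, INCONSISTENT, NEUTRAL = "C", "I", "N"

# Evidence labels: constructed summaries of the points the article makes.
EVIDENCE = {
    "E1": "Forensic artefacts match known Russian government groups",
    "E2": "Infrastructure tied to Moscow-controlled systems, used over a long timespan",
    "E3": "Targets and follow-on information operations match Russia's stated foreign policy",
    "E4": "Bespoke malware, tightly controlled, media-savvy, coordinated operation",
    "E5": "Victim set shared with other campaigns (WADA, Eastern European embassies, France)",
}

# Consistency matrix: constructed encoding of the article's judgments.
MATRIX = {
    "Russian state actors":        {"E1": "C", "E2": "C", "E3": "C", "E4": "C", "E5": "C"},
    "Chinese state actors":        {"E1": "I", "E2": "I", "E3": "I", "E4": "N", "E5": "I"},
    "Genuine hacktivists":         {"E1": "I", "E2": "I", "E3": "N", "E4": "I", "E5": "N"},
    "Lone wolf":                   {"E1": "I", "E2": "I", "E3": "N", "E4": "I", "E5": "N"},
    "Other (non-cooperating) gov": {"E1": "I", "E2": "I", "E3": "N", "E4": "N", "E5": "N"},
    "Common cybercriminals":       {"E1": "I", "E2": "I", "E3": "N", "E4": "I", "E5": "N"},
}


def inconsistencies(matrix):
    """Map each hypothesis to the evidence ids that are inconsistent with it."""
    return {
        hyp: sorted(e for e, rating in ratings.items() if rating == INCONSISTENT)
        for hyp, ratings in matrix.items()
    }


def surviving(matrix):
    """Hypotheses with no inconsistent evidence; these are what remain after elimination."""
    return sorted(h for h, bad in inconsistencies(matrix).items() if not bad)


def ranked(matrix):
    """All hypotheses ordered by how much evidence they conflict with (fewest first)."""
    counts = {h: len(bad) for h, bad in inconsistencies(matrix).items()}
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))


def diagnosticity(matrix):
    """Number of distinct ratings each evidence item receives across hypotheses.

    1 means the item rates identically for every hypothesis and therefore cannot
    help choose between them; higher values discriminate more.
    """
    by_evidence = {}
    for ratings in matrix.values():
        for e, rating in ratings.items():
            by_evidence.setdefault(e, Counter())[rating] += 1
    return {e: len(c) for e, c in by_evidence.items()}


if __name__ == "__main__":
    for hyp, bad in inconsistencies(MATRIX).items():
        print(f"{hyp:28s} inconsistent with: {', '.join(bad) or '-'}")
    print("surviving:", surviving(MATRIX))
    print("diagnosticity:", diagnosticity(MATRIX))
```

Two points the matrix makes that the prose leaves implicit: the elimination rests almost entirely on E1 and E2, which are rated inconsistent with every non-Russian hypothesis, so the strength of the conclusion is the strength of the forensic and infrastructure evidence; and changing a single "I" to "N" for a hypothesis with only one inconsistency would bring it back into the surviving set, which is exactly where a reviewer should press for the underlying intelligence.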
While the semantics of discussing these particular operations make attribution seem muddy in print, it is much less so for hands-on practitioners with access to global intelligence.
Simply put, while one could not prove it in a court of law, there are no alternative explanations consistent with all the known evidence, and every reason to think Moscow did it.
It is problematic to rely upon inference as the primary evidence presented to convince a skeptical public to strike back. Presenting weak public cases is exactly what gives advanced persistent threat (APT) groups plausible deniability. In Russia's case—as I said in my public testimony to the National Institute of Standards and Technology (NIST) in March—this repeated cycle of vague government claims combined with a journalistic impulse to cover every attribution case as a 50-50 proposition has led to a disregard for the risks of their actions being attributed. In other words, because APT group sponsors—often nation-states—have realized that victims' governments will face policy paralysis when trying to gather the collective political will to respond, they have been emboldened in targeting Western democracies.
In this case in particular, the reasoning presented in the press is especially unconvincing. The Russian government has compromised countless Western governments and officials and yet leaked only a tiny percentage of them, but the lack-of-a-leak is not a good analytic foundation for intent. The vast majority of the time the sponsors of Russian APT groups value keeping their secrets to themselves—or perhaps in reserve—over the utility of releasing the information to the public, even if they have been the most aggressive of the major actors at doing so. What they have leaked so far is nothing compared to what they have gathered over past compromises. This suggests that they are calibrating their level of interference to stay below a certain threshold or maintain the ability to stay on top of any escalation.
We should also keep in mind that Russian operations targeting the U.S. election began long before either party had a nominee, including targeting of media outlets and possibly benefiting from cybercriminal compromises of voter registration systems that ostensibly are non-partisan. There is no doubt that as the field narrowed, their operations naturally benefited one candidate over the other, and Russian government officials knowingly continued their activities and may even have enjoyed seeing the results. For example, we know that they were particularly adept at manipulating Twitter’s trending algorithms close to Election Day, and mostly used that power in ways that harmed one candidate.
But that is very different from suggesting that the goal of the operation was from the beginning to get a particular candidate elected. Those same Russian government social media accounts also spent the past year influencing discussions around the globe on a variety of issues related to Syria, Ukraine, Western European elections, NATO, and other events closely related to Russia’s stated foreign policy goals.
Even among their neighbors, for the past several years the Russian APT groups have overwhelmingly focused cyber operations on advancing their own foreign policy messages and undermining processes, rather than schemes to elect particular candidates. As their operations proceeded, the Russians must have realized that a legitimate populist tide in the United States was going to carry their operations much farther than they originally planned.
The views expressed in this article are those of the author alone.