The “Russiagate” scandal has dominated headlines and airwaves for months now, with politicians and analysts lining up to pin last year’s election meddling on Russian spies. But an independent investigator’s new analysis lays the blame at the feet of a hacker closer to home.
WASHINGTON, D.C. – In the latest complication for the “Russiagate” scandal, a new analysis has suggested that files and email stolen from the Democratic National Committee (DNC) were copied to a USB drive by someone with physical access to a computer that had DNC server access, indicating that the committee’s records were not hacked remotely by foreign actors, as has been alleged.
The DNC’s stolen files were published by the hacker “Guccifer 2.0,” whose name is an homage to the Romanian hacker Guccifer, who gained notoriety for hacking the Bush and Rockefeller families among other U.S. government officials.
Guccifer 2.0, despite professing that he is a Romanian and affiliated with no government, was cited as an agent of Russian military intelligence by the private cyber security firm Crowdstrike, which was hired by the DNC to investigate the hack.
However, an independent investigator working under the pseudonym “The Forensicator” has released a new analysis of the metadata found in the files published by Guccifer 2.0.
The analysis shows that the files, published as a .7z archive file, were transferred from the server at a speed of 23 MB/second, leading the investigator to conclude that it was “unlikely that this initial data transfer could have been done remotely over the Internet.”
The investigator also found that the copying of the files from the DNC servers took place either over a local high-speed network (LAN) or by someone who had physical access to the computer where the data was stored.
More Proof Russia Did NOT Hack DNC: Files "Copied Locally" https://t.co/ub7OGzVASp
— Freeman's Watch (@FreemansWatch) July 12, 2017
In addition, The Forensicator analyzed the timestamps of the files, which were preserved from the date of the initial transfer. The timestamps from the documents were recorded in Coordinated Universal Time (UTC), but – when adjusted to Eastern Daylight Time (EDT) – they fell “into the same range as the last modified times for the directories archived in the .rar files.” Thus, it was concluded that the copying of the files took place on a computer system where EDT was in use, meaning that this system was likely located on the eastern coast of the U.S.
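The two inferences described above (a throughput figure derived from file timestamps, and a time-zone guess from comparing UTC file times against local-time directory times) can be reproduced on any archive listing. The following is an added illustration, not The Forensicator's code or data: the file sizes, timestamps and candidate offsets are constructed, and it assumes, as labelled in the comments, that each file's mtime marks the moment that file finished being written.

```python
from datetime import datetime, timedelta, timezone

# Constructed archive listing (not real DNC data): path, size in bytes, and the
# last-modified time as the outer .7z container records it (UTC).
FILES = [
    ("docs/a.dat", 200_000_000, datetime(2016, 5, 10, 20, 0, 0, tzinfo=timezone.utc)),
    ("docs/b.dat", 900_000_000, datetime(2016, 5, 10, 20, 0, 40, tzinfo=timezone.utc)),
    ("docs/c.dat", 480_000_000, datetime(2016, 5, 10, 20, 1, 0, tzinfo=timezone.utc)),
]

# Constructed directory mtimes as an inner .rar would store them: naive local
# time of the machine that built the archive, whose time zone is the unknown.
DIR_LOCAL_MTIMES = [
    datetime(2016, 5, 10, 16, 0, 5),
    datetime(2016, 5, 10, 16, 1, 0),
]


def implied_transfer_rate_mb_s(files):
    """Lower-bound copy throughput in decimal MB/s implied by file mtimes.

    Assumption: an mtime is when that file finished being written, so the
    first file's own write duration is unobservable and its bytes are left
    out of the numerator.
    """
    ordered = sorted(files, key=lambda f: f[2])
    elapsed = (ordered[-1][2] - ordered[0][2]).total_seconds()
    if elapsed <= 0:
        raise ValueError("need at least two distinct mtimes")
    measured_bytes = sum(size for _, size, _ in ordered[1:])
    return measured_bytes / elapsed / 1_000_000


def candidate_utc_offsets(files, dir_local_mtimes, offsets_h, slack_s=5):
    """Return the UTC offsets (in hours) for which every file mtime, shifted
    to that local time, lands inside the directory mtime window (+/- slack)."""
    lo = min(dir_local_mtimes) - timedelta(seconds=slack_s)
    hi = max(dir_local_mtimes) + timedelta(seconds=slack_s)
    matches = []
    for off in offsets_h:
        shifted = [(m + timedelta(hours=off)).replace(tzinfo=None) for _, _, m in files]
        if all(lo <= s <= hi for s in shifted):
            matches.append(off)
    return matches


if __name__ == "__main__":
    print(f"implied rate: {implied_transfer_rate_mb_s(FILES):.1f} MB/s")
    print("offsets consistent with dir mtimes:",
          candidate_utc_offsets(FILES, DIR_LOCAL_MTIMES, [-7, -5, -4, 0, 3]))
```

With the constructed data only UTC-4 (EDT) places every file time inside the directory window; a real listing would need the same check run across all plausible offsets before drawing a conclusion about location.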
In light of these findings, the party responsible for the initial hack was likely located within the U.S. at the time, suggesting that the hack was carried out by a disgruntled DNC insider or by someone located in the U.S. who may have been working with Guccifer 2.0, who was responsible for gaining access to the DNC server. This makes it unlikely that Russian military intelligence remotely hacked the DNC servers from abroad.
This may explain why the DNC has repeatedly refused to hand over the hacked servers to the government for examination, as only Crowdstrike has been given access. Even the recent Congressional probes into alleged Russian interference in the 2016 election have been denied access to the servers.
Given that the DNC hack has been central to the Russian hacker narrative, it is certainly unusual that this key piece of evidence is being withheld from investigators. This new analysis makes it highly likely that there is evidence on the servers that would also show that remote hacking of the servers was improbable.
But even before The Forensicator’s analysis was released, there was plenty of reason to doubt the DNC’s narrative regarding the hack, particularly regarding whether Russia was the culpable party.
For example, the evidence Crowdstrike cited as proving that the hack was conducted by Russian military intelligence is largely speculative. The firm claimed that the techniques used in the hack were similar to those used in past hacking operations that have been attributed to Russian state actors, and that the profile of those targeted by those hacks “closely mirrors the strategic interests of the Russian government.”
However, even if the exploits or tools used to conduct the hack were associated with Russia in the past, that does not necessarily make the case that the Russians were behind the hack this time. Indeed, once malware or another exploit is used, it tends to be utilized by other hackers and cyber criminals soon after. It may also be offered for sale on online black markets.
This has occurred with Russian malware before. When the Gyges malware was discovered by SentinelOne Research in 2014, it was found to share several similarities with “Russian espionage malware” that had been repurposed by non-state actor cybercriminals. The firm explained that the Gyges malware is an “example of how advanced techniques and code developed by governments for espionage are effectively being repurposed, modularized and coupled with other malware to commit cybercrime.”
U.S. government-created malware has also shared a similar fate, most recently with the WikiLeaks “Vault 7” revelations that the CIA lost control of its elite hacking arsenal, along with the breach of NSA hacking tools by the Shadow Brokers hacking collective. Tools from the latter were repurposed by the criminals responsible for the recent WannaCry ransomware attack, which affected 74 nations and is said to have been one of the largest cyberattacks in history.