Modern field guide to security and privacy

Why doubts still cloud Russian hacking allegations

Evidence that the government has presented so far linking Russian operatives to the DNC hack is questionable, fueling skepticism and doubt about Moscow's role.


Jonathan Ernst/Reuters
Defense Under secretary for Intelligence Marcel Lettre (L), Director of National Intelligence James Clapper and National Security Agency Director Michael Rogers testified before a Senate Armed Services Committee hearing on Thursday. REUTERS/Jonathan Ernst

Since the White House blamed Russia for hacking US political organizations to undermine the presidential election, administration critics, skeptics, and cybersecurity experts have pushed the government to reveal its evidence.

But so far, much of what has come out of Washington regarding Moscow's suspected digital tampering has only raised more questions about the government's claims. 

joint analysis of recent hacking activity by the FBI and Department of Homeland Security (DHS) released Dec. 29 generated confusion about the scope of the political hacking campaign, leading many experts to doubt the agencies’ abilities to investigate sophisticated, multilayered digital attacks.

“At this point, we don’t know what is a trusted source and what isn’t,” says Bob Radvanovsky, cofounder of the security research firm Infracritical. “It really confuses people. Is the government of Russia behind these things, or is it some hacker kids in Ukraine?”

Even as Director of National Intelligence James Clapper and National Security Agency Director Michael Rogers said at a Senate hearing Thursday they are more certain than ever that Russia orchestrated the political hacking campaign, critics seem to be unconvinced.

Earlier this week, WikiLeaks founder Julian Assange told Fox News that Russians did not provide hacked political documents from John Podesta, former chairman of the Hillary Clinton campaign, and other Democratic Party operatives that he published on the antisecrecy site.

President-elect Donald Trump, one of the chief critics of the administration's Russia allegations, reiterated Mr. Assange's claim in a tweet: "Julian Assange said 'a 14 year old could have hacked Podesta' – why was DNC so careless? Also said Russians did not give him the info!"

It remains to be seen whether the US intelligence community will be able to convince Mr. Trump and other skeptics. But time is running out. Trump is set to take office Jan. 20. 

After promising and then failing to release his own evidence related to the hacks early this week, Trump said that he'll receive an intelligence briefing on the matter this Friday. Both Congress and the Obama administration are waiting for a full report from the country’s intelligence community on the hacking campaign.

Fog of cyberattacks

US officials’ attempts to grasp the scope of an unprecedented cyberattack speaks to the difficulty of attributing cyberattacks and to the complex nature of the campaign carried out against the US during the presidential election.

The attacks against the Democratic National Committee (DNC), Democratic Congressional Campaign Committee, and the Clinton presidential campaign involved a mix of targeted digital attacks, leaked emails, and the spread of fake news. Unraveling that kind of operation isn't an easy undertaking.

"Russia’s best cyber operators are judged to be as elusive and hard to identify as any in the world," said Sen. Jack Reed (D) of Rhode Island during the Armed Services Committee hearing Thursday on cyberthreats. "In this case, however, detection and attribution were not so difficult, the implication being that Putin may have wanted us to know what he had done, seeking only a level of plausible deniability to support an official rejection of culpability." 

Still, cybersecurity experts have expressed frustration with the government's stumbles as it tries to relay what it knows about the attacks and with what many consider ham-fisted efforts to connect them back to the Kremlin.  

Since it was released last week, the DHS and FBI analysis of the campaign the agencies dubbed “Grizzly Steppe” has been roundly criticized by cybersecurity professionals as incomplete, outdated, and politicized.

Grizzly missteps?

“The Grizzly Steppe report reads like a poorly done vendor intelligence report stringing together various aspects of attribution without evidence,” wrote Robert M. Lee, a former Air Force Cyber Warfare Operations Office and the chief executive of the cybersecurity firm Dragos Security.

Even though Lee has said he believes Russian operatives hacked the DNC, he says the government has stumbled making its case. His criticism, and those of other cybersecurity professionals, centers on the decision by DHS and FBI to characterize an extensive catalog of hacker groups, as well as tools, tactics and characteristics – what the industry refers to as “indicators of compromise” – and attribute all of it to the Russian government. 

But the government's laundry list of evidence also includes common families of malicious software with names like BlackEnergy and Havex that are widely known and used by state actors and cybercriminals alike. While some of that software may have been created in Russia and found in prior Russian government campaigns, it doesn't prove the government's case that Russian operatives carried out the US political hacks.

“[The Grizzly Steppe report] is full of garbage,” wrote security expert Robert Graham on his blog. “It contains signatures of viruses that are publicly available, used by hackers around the world, not just Russia. It contains a long list of IP addresses from perfectly normal services, like Tor, Google, Dropbox, Yahoo, and so forth.”

By equating such commonplace online threats with Russian hacking, the government's Grizzly Steppe analysis darkens the already muddy waters of attributing cyberattacks, experts say.

And those critics didn’t need to wait long for evidence of how sloppy evidence regarding the suspected Russian hack could go wrong.

The hack that wasn't

Last weekend, The Washington Post published claims that Russian hackers penetrated the US electric grid by way of the Vermont utility Burlington Electric. That report cited unnamed US officials saying that “code associated with the Russian hacking operation dubbed Grizzly Steppe” was detected within the facility. The story prompted a swift response from Vermont Gov. Peter Shumlin, who issued a statement decrying Russian tampering with US critical infrastructure.

But the article was immediately discredited and the Post backed away from the initial story. The Post published a follow up that said the suspicious computer activity identified at Burlington Electric was not connected to “Russian government effort to target or hack the utility.”

Cybersecurity experts pinned the blame for the confusion squarely on the Obama administration’s Grizzly Steppe report. “This misinformation is your fault,” Mr. Graham wrote.

Others such as Mr. Radvanovsky questioned the timing of the report, which DHS and the FBI made public on the same day that President Obama announced sanctions against the Russian government, expelling 35 Russian diplomats from the country in retaliation for the hacks.

“Because the timeliness of the [Grizzly Steppe report] … it leaves some doubt as to whether any of this happened at all,” he says. “This whole thing looks like it was entirely politically based and that raises questions about the merit of the report.” 

A history of skepticism

This isn’t the first time the cybersecurity community has cast doubt on the Obama administration and the US Government analysis after cyberattacks. 

Following the Sony Pictures Entertainment hack in 2014, the FBI and the Obama administration moved quickly to pin the blame on hackers working for the government of North Korea, citing similarities in the malware used in the attack. That, despite persistent questions from cybersecurity experts about other possible culprits. 

Others point to another, older incident of bad intelligence from DHS and FBI. In 2011, the agencies revealed they were investigating a purported Russian hack that caused a water pump to fail in the Curran-Gardner Township Public Water District in Illinois. The news spawned a blizzard of reports about destructive cyberattacks from the US’s Cold War foe.

Like the Burlington Electric hack, however, further investigations soon proved those initial reports were wrong. The pump in question simply reached the end of its life and burned out.

The Curran-Gardner dust-up eventually faded into the background. The administration’s narrative about North Korea hacking Sony Pictures eventually prevailed. But the controversy over the government’s report on Russia’s hacking may be more difficult to recover from, experts say. 

The holes in the Grizzly Steppe analysis will give critics more cause to doubt future government claims about Russian hacking or campaigns by other nation-states, say experts. At the same time, the botched intelligence about the Burlington Electric hack will damage already fraught relations between private sector firms, critical infrastructure owners, and the government at a time when cybersecurity cooperation is increasingly important.

“People will point to [Burlington Electric] and to Curran-Gardner and say, ‘This is happening because these people don’t know what they’re looking at,’ ” said Jake Brodsky, a Senior Control Systems Engineer who works for a large, East Coast water utility. 

And, with no legal requirement to report cyber incidents, Mr. Brodsky said, companies that own and operate critical infrastructure may hold back on reporting suspicious incidents. “Utilities will not put it out there,” he said. “They don’t need the grief.”

You've read  of  free articles. Subscribe to continue.
Real news can be honest, hopeful, credible, constructive.
What is the Monitor difference? Tackling the tough headlines – with humanity. Listening to sources – with respect. Seeing the story that others are missing by reporting what so often gets overlooked: the values that connect us. That’s Monitor reporting – news that changes how you see the world.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to

QR Code to Why doubts still cloud Russian hacking allegations
Read this article in
QR Code to Subscription page
Start your subscription today