This is confirmed by several cybersecurity experts in interviews with Dutch investigative programme Argos (VPRO, Dutch public radio).
‘Looking at the evidence, I can’t say that it is plausible that this nation state actor provided this information to WikiLeaks’, states Oscar Koeroo, digital security expert at Dutch telecom company KPN.
In June 2016, the Democratic National Committee (DNC) broke the news that their servers had been hacked by two Russian hacker groups: Cozy Bear and Fancy Bear. A month later WikiLeaks published thousands of internal DNC emails.
Hillary Clinton later declared her losing the presidential campaign is partly due to ‘Russian WikiLeaks’.
In January of 2017, American intelligence agencies NSA, CIA and FBI stated ‘with high confidence that the GRU used (…) WikiLeaks’ to release the material stolen from the DNC.
But are we to blindly believe wat the DNC and American intelligence tell us? In its March 17th broadcast Argos highlights the many gaps in the official narrative.
Malware created after DNC installed protection platform
Among the findings is that the espionage software attributed to Fancy Bear was created after the DNC contracted cybersecurity company Crowdstrike. The creation date of this so-called X-Agent malware is May 10th 2016. This is notable, because Crowdstrike installed their ‘endpoint protection platform’ Falcon five days before that, on May 5th 2016. There is no evidence that the creation date of X-Agent has been manipulated, as Crowdstrike itself confirms.
The X-Agent malware ‘had its source code leaked or made available for a short period online’, says Alexis Dorais-Joncas, Security Intelligence Team Lead for cybersecurity company ESET. ‘ESET has a copy of the source code, which we found a few years ago. There are indications that other parties, among which security investigators, also have access to this code.’
As such, ESET states that it is plausible that anyone with access to this source code for Fancy Bear’s malware and knowledge of their usual tactics (TTP’s) could impersonate a hack by Fancy Bear. ‘If someone would obtain that source code and could easily modify it and perpetrate an attack, researchers could attribute this attack to Fancy Bear while in fact anyone could have done it.’
Such an impersonation could be made even better if the attackers had access to the X-agent source code and would modify in such a way that researchers would see it as an evolution of the tool, rather than just a copy of the old one, ESET tells Argos.
DNC-emails leaked after hack was discovered
The DNC-hack became worldwide news when WikiLeaks published thousands of leaked DNC-emails on July 22nd of 2016. These emails revealed how the members of the DNC supported Hillary Clinton and were actively thwarting her opponent in Bernie Sanders. The DNC-emails published by WikiLeaks can be traced back to the mail accounts of seven employees, among which their communication manager.
The leak led to the resignation of several DNC employees, including its Chairperson.
Research conducted by Argos shows that the majority of these leaked emails was sent in the twenty days after Crowdstrike was hired by the DNC.
‘It is customary for a cybersecurity company to leave the system open for a while in order to observe what the hackers are doing’, says Rickey Gevers, cybersecurity expert at RedSocks. ‘But twenty days is quite long. Especially if you knew from the get-go that there could be a Russian party in the system.’
“Crowdstrike must have observed the leaking of emails”
Crowdstrike and the DNC have repeatedly stated that they knew within a day that ‘the Russians were behind the attack’, thanks to Crowdstrike’s advanced endpoint protection platform Falcon. Crowdstrike also hired 24/7 Overwatch, which lets ‘elite security guards’ monitor the servers 24/7.
“If they were in fact monitoring the network this closely, they should have seen the emails leaking”, explains Gevers in Argos. But if this is not the case, an explanation could be that the emails were stolen in another way, according to experts Gevers (RedSocks), Koeroo (KPN) and Dorais-Joncas (ESET).
The initial coverage of the DNC hack contributes to the possibility that the network was not monitored that scrupulously, as stolen emails were not even mentioned. “The hackers stole two files”, according to Crowdstrike’s Shawn Henry. “No financial, donor or personal information appears to have been accessed or taken”, the DNC told the Washington Post.
Crowdstrike refused to comment on these findings due to client confidentiality.