Why I Still Don't Buy the Russian Hacking Story
I'm willing to believe that Russia sought to hack the U.S. election, but I still find the evidence lacking. That skepticism applies to the latest sensation -- a report that Russian proxies in Ukraine are employing the same malicious software used on the U.S. Democratic National Committee.
For months, I have been parsing stories of the great Russian hack -- the anonymous leaks from U.S. administration officials, the two fact-poor statements from the U.S. intelligence community, the distant echoes of briefings received by U.S. legislators -- for technical evidence. There have been red herrings, such as a feeble attempt to prove that Trump was in contact with Russians through a server at Alfa Bank in Moscow (in reality, a marketing company was sending unsolicited email to Alfa managers). But so far, the only evidence pointing to Russian government involvement comes from cybersecurity companies that have studied Advanced Persistent Threat 28, a hacker collective that has attacked many targets over the years -- including the DNC in 2016.
That evidence is best summarized in a 2014 blog post by the security firm FireEye. APT 28 attacks governments and militaries hostile to Russia or strategically important for it. APT 28 appears professional and well-financed. APT 28 uses Russian in its malware. The malware is compiled during working hours in the Moscow time zone.
CrowdStrike, the firm that detected the DNC hack, calls APT 28 Fancy Bear. Until recently, the company's founder, Dmitri Alperovitch, said he had "medium level confidence" that the group was run by the GRU, Russia's military intelligence service. Now, he says the confidence level has changed to high. The increase comes from the finding by CrowdStrike that a Ukrainian-developed Android application, used to simplify targeting data for the D-30 howitzer, was contaminated with a version of APT 28 malware.
The logic: If the malware implant within the application was used to collect positioning data about Ukrainian artillery units, who else could be in the market for it but the GRU? Ominously, the CrowdStrike report says:
Open source reporting indicates that Ukrainian artillery forces have lost over 50% of their weapons in the 2 years of conflict and over 80% of D-30 howitzers, the highest percentage of loss of any other artillery pieces in Ukraine's arsenal.
The inference is that the Russians hacked the app used to target the D-30, and so the howitzers were mostly destroyed.
Although the Ukrainian military has suffered some crushing defeats in eastern Ukraine, mostly at the hands of Russian units sent to help pro-Russian separatists in the area, the loss rate seemed inordinately high. As far as I can ascertain, though, the data on the D-30s are not very reliable: They appear to be based on an assumption that changes in military balance reports, themselves far from perfect, can be interpreted as losses. Ukraine, a nation at war, doesn't broadcast information about its specific capabilities.
Then there's the issue of the targeting software itself. Yaroslav Sherstyuk, the Ukrainian military officer who developed the application, reacted angrily on Facebook to the CrowdStrike report, saying he never published the software on any public forums and encouraging fellow Ukrainian servicemen to keep using the latest version of his app. Via Facebook Messenger, he told me that he didn't believe an infected version of the app even existed. "This is a hoax to scare everyone and make us go back to the old methods of targeting fire," he wrote. A CrowdStrike spokesperson did not respond when I asked if it had contacted Sherstyuk. He said it hadn't.
The spokesperson, Ilina Dimitrova, wrote that "it is indisputable that the app has been hacked with Fancy Bear malware -- we have published the indicators related to it and they have been confirmed by others in the cybersecurity community." CrowdStrike said that it found the infected app "in limited public distribution on a Russian language, Ukrainian military forum." I doubt anyone in the Ukrainian military would download software for targeting artillery fire from a forum. Typically, they obtain it directly from known developers such as Sherstyuk. If I can contact him directly, so can Ukrainian artillery officers seeking to improve their performance in battle.
Hence, it's hard for me to believe that this infected app -- found somewhere on the internet and likely never used by Ukrainian soldiers -- offers evidence tying the GRU to APT28. And that's even if one accepts the initial logical leap to the GRU, as opposed to any of the other Russian spy services also involved in the Ukrainian conflict. I sincerely hope that when the U.S. intelligence community finally produces its findings on the election-related hacks, it will be more convincing.
Don't get me wrong. It stands to reason that Russian intelligence was interested in the U.S. election campaign, and it's a distinct possibility that it leaked what it found to the press via WikiLeaks, despite the latter's denials. Russian President Vladimir Putin dislikes Hillary Clinton, and he probably would have been happy to hurt her chances of getting elected -- thus, by default, helping Trump. It's all quite logical, which is why a third of Americans believe Russia influenced the outcome of the election.
In the real world outside of soap operas and spy novels, however, any conclusions concerning the hackers' identity, motives and goals need to be based on solid, demonstrable evidence. At this point, it's inadequate. This is particularly unfortunate given that the DNC hacks were among the defining events of the raging propaganda wars of 2016.
This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners.
To contact the author of this story:
Leonid Bershidsky at email@example.com
To contact the editor responsible for this story:
Mark Whitehouse at firstname.lastname@example.org