Monday, in a press conference with Vladimir Putin, Donald Trump refused to say that Russia had anything to do with the 2016 Democratic National Committee, DCCC, and Hillary Clinton campaign hacks, despite the fact that 12 Russians were indicted by the FBI Friday.
Instead, when asked if he believed the Russians were involved, Trump repeated his belief that the DNC and the FBI are hiding something.
“You have groups that are wondering why the FBI never took the server?,” Trump said. “Why was the FBI told to leave the office of the Democratic National Committee? I’ve been asking it for months and months. Where is the server? I want to know where is the server and what is the server saying?”
The short answer is that “the server” that Trump is referring to is sitting in a DNC office in Washington, DC—the New York Times has a photo of it here.
The long answer is that there is no “server”—there are many different servers and pieces of internet infrastructure in question, and the United States intelligence community and independent security researchers have examined much of it and have all reached the same conclusion: Russia hacked the DNC.
It is widely believed that CrowdStrike, a cybersecurity firm hired by the DNC to respond to the hack, gave an identical image of some of the servers to the FBI, which experts I’ve spoken to say would be more useful than giving the FBI a physical server itself. I say “widely believed,” because we don’t know exactly what CrowdStrike gave to the FBI. However, in March 2017, former FBI Director James Comey told Congress that the FBI got an “appropriate substitute” from CrowdStrike, and Mueller’s indictment makes clear that the FBI has lots of information about the hack from both within the DNC and from other sources. CrowdStrike declined a request for comment from Motherboard.
I called up Thomas Rid, professor of strategic studies at Johns Hopkins University’s School of Advanced International Studies to help explain the technical details behind this type of forensic investigation. Rid, who wrote a detailed explanation about why Russia was likely behind the DNC hack for Motherboard in July 2016, told me that “from a forensic point of view, the question of a server at this stage doesn’t make any sense.”
“To really investigate a high profile intrusion like the DNC hack, you have to look beyond the victim network,” Rid said. “You have to look at the infrastructure—the command and control sites that were used to get in that are not going to be on any server … looking at one server is just one isolated piece of infrastructure.”
“For decades, it has been industry-standard forensic and digital evidence handling practice to conduct analysis on forensic images instead of original evidence”
Even so, what CrowdStrike gave the FBI is likely better than if it had seized and analyzed a physical box.
“To keep it simple, let’s say there’s only one server. CrowdStrike goes in, makes a complete image including a memory dump of everything that was in the memory of the server at the time, including traffic and connections at the time,” Rid said. “You have that image from the machine live in the network including its memory content, versus a server that someone physically carries into the FBI headquarters. It’s unplugged, so there’s no memory content because it’s powered down. That physical piece of hardware is less valuable for an investigation than the onsite image and data extraction from a machine that is up and running. The idea a physical server would add any value doesn’t make any sense.”
What Rid means is that after a hack, some of the evidence of who did it and how they did it may be fleeting. It could be in the server’s memory, the RAM, and not stored on its hard drive. (Hackers use “fileless” malware precisely for this reason.) To preserve evidence in cases like these, incident responders need to make an image—essentially a copy of the server in that exact same state at that exact same time—so they can look at it afterwards. Think about this like when investigators take pictures of the crime scene or victim.
Lesley Carhart, principal threat hunter at the cybersecurity firm Dragos, told Motherboard that physical servers are rarely seized in forensics investigations.
“For decades, it has been industry-standard forensic and digital evidence handling practice to conduct analysis on forensic images instead of original evidence,” she said. “This decreases the risk of corruption or accidental modification of that evidence.”
I asked Rid if he thought it was suspicious that the DNC did not hand over the actual server to the FBI, and he said “no, not at all.”
“There’s nothing suspicious about the DNC’s behavior,” he said. “There were political reasons and skepticism on the part of the DNC to let the FBI have full visibility into what they do for various reasons during an ongoing election campaign.”
Rid likened any computer forensics investigation to that of a military planning campaign, sort of like a map. “You can connect the dots and the behavior,” he said. “You can show whoever hacked John Podesta also attacked the DNC, and also attacked Jake Sullivan, who worked for Hillary Clinton, and hundreds of other people on the campaign.”
“The evidence that we have going back to before the Mueller indictment was published was already overwhelming”
Robert Mueller’s indictment relies on information that goes far beyond any single server to tie the Russians to the hack. For example, the indictment states that Russian military agents’ search histories indicated an interest in the DNC network in the weeks leading up to one of the hacks; it also has specific information about the development of malware (called X-Agent and X-Tunnel) used to surveil DNC employees and exfiltrate data from their computers, as well as specifics about the types of spearphishing attacks Russians allegedly launched against DNC employees. The indictment also has information about an Arizona-based server that the Russians leased to filter data through.
Some of that information would have had to have been obtained by examining DNC networks (or a copy of them), while some of the other details would have nothing to do with the DNC’s networks, its servers, or computers. Rid says that security researchers outside of the US government have been investigating Russia’s involvement in the hack for years (the details Rid published in 2016 are very similar to what was published in Friday’s indictment.)
“The evidence that we have going back to before the Mueller indictment was published was already overwhelming,” Rid said. “You have to look at campaigns as an entire attack campaign over time. You can see an entire, high resolution picture emerge.”
According to Rid, some of the mistakes the Russians made was forgetting to turn on a VPN that linked its Guccifer 2.0 pseudonym to a specific IP account. The US government was also able to trace the cryptocurrency that was used to buy infrastructure used in the attack. Independent security researchers had already traced public bit.ly links used in the spearphishing campaigns to organizations believed to be tied to the Russians.
Rid said the President has “latched onto a very simplistic image” of how computer forensics works. “Because he runs with it, it appears many people just follow his lead,” he added.
“You can envision moving things on a map. In order to move around, you need communications, you need streets and rivers, you need infrastructure like buildings,” Rid said. “You have to study the campaign and troop movement over time. You can see patterns, and reuse of techniques. Looking at only one server is like looking at only one particular building in a larger battlefield and then thinking you can understand the battle’s evolution over time.”
As cybersecurity expert and former UK government hacker Matt Tait put it on Twitter: “This is a really dumb conspiracy as conspiracies go.”
Lorenzo Franceschi-Bicchierai contributed reporting to this article.