Cybersecurity Expert Is Convinced Russia Was Behind DNC Hacking

Donald Trump has said the source of the Democratic Party hack is hard to prove. Cybersecurity expert Matt Tait was initially skeptical, but tells David Greene he is sure now the culprit was Russia.

DAVID GREENE, HOST:

President-elect Donald Trump chastised the U.S. intelligence community again last night. In a tweet, he put intelligence in quotation marks and suggested they delayed a briefing for him on allegations of Russian hacking because more time is needed to build a case.

RACHEL MARTIN, HOST:

Not exactly. According to our colleague Mary Louise Kelly, who covers intelligence, an official told her, quote, "the so-called Russia report was ordered by the White House. It has to go to President Obama first." Obama gets the briefing Thursday, Trump on Friday.

GREENE: Now, Russia has denied carrying out this hack. And Donald Trump, without offering evidence, has fed those doubts since the campaign.

(SOUNDBITE OF ARCHIVED RECORDING)

DONALD TRUMP: Once they hack, if you don't catch them in the act you're not going to catch them. They have no idea if it's Russia or China or somebody. It could be somebody sitting in a bed someplace.

GREENE: And we spoke to a cybersecurity expert who initially doubted Russian involvement as well. Matt Tait is CEO of Capital Alpha Security, a British cybersecurity firm. I asked him why he was skeptical.

MATT TAIT: Well, it just seems too fantastical to be true. Russia has very good hackers. You know, this is a government agency. So initially what I did was I decided I'm going to go and prove CrowdStrike wrong.

GREENE: They were hired by the Democratic National Committee, we should say, to look into this.

TAIT: Absolutely, and so I basically went through all of the technical evidence that had been published by them. I looked through the malware signatures that they had come up with. And eventually, what you start to discover is that there's a very large number of little pieces of information, some of which point towards Russia. Some of them point towards Russia very, very strongly. And eventually, I came to the conclusion that there's no other reasonable conclusion that you can make.

GREENE: Why couldn't it have been, like, any Joe Blow (ph), someone sitting in their bed, as Donald Trump suggested, masquerading as Russia and, you know, putting on a good disguise here?

TAIT: So there's two different hacks that took place. There's one hack that was of the DNC, and there was a different hack of John Podesta. And there's a...

GREENE: Hillary Clinton's campaign chairman, yeah.

TAIT: Absolutely. And there's a series of other smaller hacks of other Democratic members. But those are the two main hacks that took place. And the DNC hack used malware. It hacked into the DNC and placed malware on the DNC network. And we're able to look at this malware, and we're able to analyze it and see where it talks to, which other companies have been hacked by similar malware.

And quite quickly, we're able to see that this is malware that was communicating with servers that also were involved in the hack of the German parliament, the Bundestag. And one of the things that was very interesting is that this is a group that we know quite well in the cybersecurity industry. There's this group called APT 28. They're very prolific. They've been involved in the hack of NATO organizations. They've been involved in the hack of journalists. They've been involved in the hack of people investigating the MH17 airline that was shot down in Ukraine. And so this is a group that is so prolific that it's not really credible that this is an individual group.

GREENE: If, I mean, Russia's really good at this, wouldn't they disguise themselves better? Would Russia really want to put so many visible signs out there in the cybersecurity world that it was them and be identified?

TAIT: Right. So this wasn't deliberate. They accidentally leaked this. And this is one of the problems of when you're hacking at a really big scale. You look for efficiencies. You're - there's just not enough members of staff that Russia has in order to be able to do hacks on this kind of scale and make sure that they never screw up. And what happens is that people make small mistakes, which means that once - when they've hacked person A you might be able to say, well, that's, you know, the same group. They've used the same malware. They've used the same control infrastructure as the hack of person B.

Once you start to discover that, you know, there's not just the DNC, there's, you know, a thousand other people that have been hacked, all of whom are very narrowly tied to Russian military interests - they're hacks of NATO; they're hacks of the German parliament; they're hacks of journalists that are reporting on things that Russia is not, you know, very happy are being reported on - you stop quite quickly to build up this picture where in order for it to be someone else, it really has to be someone that is prolific who is doing this full-time. There's nobody else who would be willing to put that sort of cash, that sort of effort into doing those types of hacks.

GREENE: But you said something very important there. You're saying that Russia, in your words, screwed up here.

TAIT: Absolutely. And this is normal. It's actually very common that we see mistakes in malware, we see mistakes in hacking campaigns which allow us to work out who it was that did this.

GREENE: Let me finish with this. I mean, another major cybersecurity firm, Kaspersky Lab, very respected - we should mention Kaspersky is an NPR funder, and we do work with them on our computers. But they said that there can be false flags. There can be a lack of reliable metrics.

And Americans have gone through a situation with the Iraq War where there was talk of weapons of mass destruction. The intelligence community was - their credibility was really called into question after that. But a president took this nation to war based on intelligence. I mean, are you absolutely certain here, or could we find later on down the road that there was some amazing hacker out there who was able to pull this off and make it look like Russia?

TAIT: So one of the pieces of evidence that, to me, is more compelling than any other one was an email that was sent to John Podesta saying, hey, we're from Google, you need to change your password. And they sent him a link for him to click on. And when he clicked on that link, it took him to a page that wasn't Google and asked him to input his password. And that's how they hacked his account. But the URL shortening service that they used, we're able to basically look at the user that was logged in and discover all of the other URLs that they were shortening and discover that this was not just a hack of John Podesta.

It was a hack of, you know, a thousand people. And it becomes immediately, once you look at this, incredible to suggest that this was a false flag operation. This is someone's entire intelligence operation that was accidentally exposed due to this one error. And so while false flag operations do exist and we have to always be on the lookout for them, the only plausible alternative explanation is that Russian intelligence was hacked. So it's not credible to suggest that this particular hack was a false flag operation.

GREENE: It's impossible that Russia's intelligence community was hacked.

TAIT: So in attribution, nothing is impossible. But this is about as impossible as it comes.

GREENE: OK. Matt Tait is founder and CEO of Capital Alpha Security, a cybersecurity firm in Britain. And we reached him via Skype. Matt, thanks a lot.

TAIT: Thank you very much.

GREENE: And we should also note here that Kaspersky Lab, whose doubts about the hack that we cited, has its headquarters in Moscow.

(SOUNDBITE OF MUSIC)

Copyright © 2017 NPR. All rights reserved. Visit our website terms of use and permissions pages at www.npr.org for further information.

NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.