President-elect Donald Trump's repeated denials that Russian intelligence-linked hackers broke into Democratic Party computers have frustrated the cybersecurity firm that caught them in the act.
"Unless you catch 'hackers' in the act, it is very hard to determine who was doing the hacking," Trump wrote on Twitter Monday (12 December).
"Ironically, we actually did catch these intruders in the act," said Dmitri Alperovitch, co-founder of cybersecurity firm Crowdstrike, which investigated the Democratic National Committee (DNC) security breach in the spring. "I hope the intelligence community briefs the President-elect on that evidence."
Trump was responding to the findings of a secret CIA report leaked to the Washington Post Friday (9 December) that found Russia intervened in the 2016 election to help him win the presidency.
When asked about whether Vladimir Putin's government hacked the DNC and Clinton campaign's emails in a Time magazine interview last week, Trump said: "I don't believe [Russia] interfered" in the election. The Democrats' emails were published by WikiLeaks throughout the 2016 campaign.
Crowdstrike was hired by the DNC in May and then later the Democratic campaign when their computers were breached in July. During those hacks Crowdstrike's digital forensics team observed everything the intruders were doing inside the Democrats' computer systems.
"Both asked us to share the report of our full findings with the FBI, which we had done at that time," said Alperovitch. The FBI may not agree with the CIA's claim that Russia intended to support Donald Trump, he said, "but they certainly agree with the fact that the Russians have hacked the DNC."
A statement by the US Director of National Intelligence in October identified Russia as the source of the cyber-intrusion.
President Barack Obama launched a bi-partisan review of the extent of Russia's influence on the election Friday (9 December) with the backing of several prominent Republicans. It is expected to be published before Trump takes office 20 January 2017.
How does Alperovitch know it was the Russians? "There's a lot that goes into attribution," he said. "It's basically a tremendous amount of forensic evidence that we've collected from the network in terms of tools, tradecraft, and infrastructure." The kinds of viruses and malware the intruders use to break in offer fingerprints pointing to who was behind the intrusion.
Alperovitch likens cyber forensics to traditional detective work in a robbery. "The first thing they try to do is link it to past intrusions, past robberies that they've investigated," he said, "and you do the same thing in cyberspace." Sensitive sources also help, he said.
Crowdstrike had been watching the activities of the Russian intelligence-linked hacker groups Fancy Bear and Cozy Bear for years. Cozy Bear in the past hacked into the White House, the Joint Chiefs of Staff, and the State Department. Fancy Bear hacked the German Bundestag, numerous targets inside of Ukraine, the Republic of Georgia on the Russian border, Syria, as well as Nato countries. The German government and the French governments, Alperovitch said, have both tied Fancy Bear back to Russian intelligence services. This was the group behind the hack of Clinton campaign chief John Podesta's emails.
Currently, Cozy Bear has been observed in American think tanks that focus on Russian policy. Alperovitch has traced them to Russia's domestic intelligence service, the FSB.
Identifying these hacking groups is possible, said Justin Fier, director of cyber intelligence and analysis at British cybersecurity firm Darktrace. "Analysing the pieces of code, remote infrastructure, the time of day and the type of data exfiltrated are all breadcrumbs that can help point to the attacker," he said.
Over the summer Trump urged Russia to hack American computers to find emails deleted by Hillary Clinton from a private server she had used to conduct some sensitive work while secretary of state. In the Time interview last week Trump said he thought the intelligence community has been politicised.
Rather than the Russians, the Obama administration could be behind the hacks, Trump adviser and potential pick for deputy secretary of state, John Bolton told Fox News when asked in an interview on Monday.
"It is not at all clear to me, just viewing this from the outside, that this hacking into the DNC and the RNC computers was not a false flag operation," Bolton said, appearing to back Vice President-elect Mike Pence's claim that the Republican National Committee (RNC) was also hacked. No emails or documents from the RNC were ever leaked.
"I believe that intelligence has been politicized in the Obama administration to a very significant degree," Bolton said. "If you think the Russians did this," he asked, "then why did they leave fingerprints?"
It's because the hackers were caught in the act, said cybersecurity expert Matt Tait, CEO of UK security consultants Capital Alpha Security and a former information security specialist for British intelligence agency GCHQ. "That's why we have malware samples," and it's "why [the] intelligence community told [the] DNC to check their network," he wrote on Twitter.
Tait, who specialises in software vulnerabilities, mocked Trump's tweets and claims of lack of evidence with an analogy: "Your honour, unless you catch murderers in the act," he said, "it's very hard to determine who did the killing, therefore my client is innocent."