How Russia trolled the USA

So there was CrowdStrike’s initial forensic analysis of the DNC systems that were infected with malware. After that discovery, an account named Guccifer 2.0 appeared and claimed to be an independent Romanian hacker who was responsible.

CrowdStrike’s forensic analysis is available, and the evidence in it is damning. It makes a strong case from the forensics that there were two separate groups independently going after the DNC, one with all the hallmarks of previous GRU-attributed attacks, the other with all the hallmarks of previous FSB-attributed attacks. Both of these actors are persistent threats that have been engaged in continuous attacks on government systems around the globe that are of interest for intelligence purposes. There are a few key pieces of evidence in that analysis that are a slam dunk, since a crypto key used in a previous attack by Russia was also used on the DNC. It’s been reviewed by pretty much everyone in the InfoSec domain and nobody has contested the conclusions. In fact, since then there’s been other research that further validates the initial findings, and nothing has been found to falsify the claim. The InfoSec world is not a place full of partisan Dems, just so you know. I work with people who are relieved Trump won, because Clinton.

After CrowdStrike was called in to do the forensics and clean up the mess, Guccifer 2.0 appeared. They started posting things, and released their first document, the DNC’s full oppo research file on Trump, probably the single most valuable document the Trump campaign could suddenly have as a gift.

The docs dumped were investigated by CrowdStrike and confirmed to be data transmitted from the DNC, confirming that the figure making the claim was involved in the attack. After the docs were out there, suspicions quickly grew that the Guccifer 2.0 figure was not the solo Romanian hacker they claimed to be. Part of that was metadata analysis (that Russian keyboard reference comes from this). That metadata also pointed to a large team of people involved in editing the docs, and to the use of Russian in various ways, like:
https://twitter.com/pwnallthethings/status/743208737469509632

Also, one of the accounts had a username referring to Felix Dzerzhinsky, the initial leader of the KGB:
https://twitter.com/pwnallthethings/status/743197064843104257

They also used a Russian idiomatic emoticon when communicating, used Russian date settings, and took a break on a Russian state holiday, and there were dozens of other ways their story falls apart. It was very difficult to explain why a solo Romanian hacker would be using a large number of different systems to pass docs around, with Russian metadata, from a hack with the KGB/FSB’s fingerprints on it, with an account named after the founder of the KGB/FSB, who was using Russian a lot but never used Romanian, and who, when engaged in a chat session, couldn’t speak Romanian. As problems were pointed out, they were immediately addressed in future releases of data, almost as though they were aware they were caught and were correcting their mistakes.

Guccifer 2.0 also claimed they sent the mail dump to Wikileaks, and, unsurprisingly, shortly after Guccifer appeared, Wikileaks posted the DNC mail dump, though as it became more and more clear that Russia was involved, Wikileaks eventually claimed it was really a Democrat who sent it to them.

Notably, hackers with all the same GRU fingerprints attacked a French gov’t bureau earlier, and when caught they immediately made up a cover story of a lone hacker on social media, which quickly fell apart.

I’ve gone over this stuff a bunch of times recently, and there’s much, much more that can be said, but the important takeaway here is that the evidence really is as strong as it is claimed. Some things really can’t be explained any other way than that Russian hackers with connections to the government were involved.