White House Says Russia’s Hackers Are Too Good to Be Caught but NSA Partner Called Them “Morons”

Canadian signals intelligence found Russian hackers were logging into personal accounts on systems intended to mask their identities.

Pedestrians walk past the Kremlin and an entrance to Red Square in Moscow, Russia, Wednesday, June 14, 2017. (Phelan M. Ebenhack via AP)
Pedestrians walk past the Kremlin and an entrance to Red Square in Moscow, Russia, Wednesday, June 14, 2017. Photo: Phelan M. Ebenhack/AP

The hackers behind the dump of Democratic Party emails in the midst of last year’s presidential race left apparent evidence of their identity — a breadcrumb trail winding from the stolen files back to the Russian government, according to assessments from the U.S. intelligence community. Some of this evidence was there from the beginning, embedded inside the first documents to hit the web, raising a niggling question: Why would diabolically skilled Russian operatives operate so sloppily?

This question has persisted, and last week the White House seized upon it, promulgating the idea that if the Russian government were really behind the attacks, its online agents wouldn’t have left any fingerprints. Russia quickly repeated this claim through its UK embassy.

But a 2011 presentation to the NSA and its foreign partners by Canada’s signals intelligence agency, the Communications Security Establishment, undermines the notion of a foreign hacker so skilled that a victim would never know their identity. The document calls Russian hackers “morons” for routinely compromising the security of a “really well designed” system intended to cover their tracks; for example, the hackers logged into their personal social and email accounts through the same anonymizing system used to attack their targets, comparable to getting an anonymous burner phone for illicit use and then placing calls to your girlfriend, parents, and roommate.

The competence of Russian hackers became a prominent issue once more last Sunday, when the president’s communications director Anthony Scaramucci — since removed from his post but quoting the president directly — said the following to Jake Tapper on CNN:

“Somebody said to me yesterday, uh, I won’t tell you who, that if the Russians actually hacked this situation and actually spilled out those emails, you would have never seen it, you would have never had any evidence of them, meaning they’re super confident in their deception skills and hacking.”

Seconds later, Scaramucci revealed his anonymous technical source on the matter to have been Donald Trump himself.

It’s one thing to question circumstantial evidence based on the expectation that Russian agents are too competent to leave such clues behind. But ruling out Russia on the basis of unforced errors alone flies in the face of the intelligence community’s experience with online operators from that country.

The CSE presentation, provided by NSA whistleblower Edward Snowden, dates to no earlier than 2011, and describes the agency’s work tracking a set of Russian government-sponsored hackers codenamed MAKERSMARK. The MAKERSMARK team was believed by NSA “with a high level of confidence” to be sponsored by a Russian intelligence agency, according to a separate Snowden document originating with the NSA’s Special Source Operations division. The MAKERSMARK team was armed with a clever technical system to mask members’ identities and the location of their computers, thus (on paper, at least) making it less likely the attacks would be traced back to Russia.

CSE’s account of the Russian actors does not exactly jibe with the White House’s vision of ninja-like computer users. The agency presentation, prepared by a “cyber counter intelligence” agent focused on MAKERSMARK, highlights Russian hackers’ “misuse of operational infrastructure” and “poor OPSEC [operational security] practices,” both of which made it elementary for the Canadians to trace attacks back to their source. The document says Russian hackers were provided with “really well designed” systems with which to launch attacks, but because the execution was so shoddy, “this has not translated into security for MAKERSMARK operators.”

Put more bluntly, the Russian attacks CSE observed were “designed by geniuses” but “implemented by morons,” according to the presentation. MAKERSMARK hackers mixed their recreational internet habits with business, using “personal social networking” like Russia’s supremely popular Vkontakte from MAKERSMARK infrastructure, conducting personal web browsing there, and checking personal webmail accounts. The hackers also used the system for activities that are by definition deeply risky and “attributable,” like exfiltrating stolen data.

“This is not [computer network exploitation] best practices,” the report dryly concludes.

It didn’t help that the MAKERSMARK operators were, according to the presentation, infected by the “Gumblar” botnet that spread across the internet in 2009 in order to steal user credentials, covertly download further malware, and blast “pharmaceutical spam” to new victims. In other words, the hackers were hacked. So thoroughly did Russian hackers on MAKERSMARK expose themselves through sloppiness and poor judgment that Canadian analysts were able to detect their personal “interests” and “hobbies.”

CSE declined to comment on the document, other than to note that, “the document you referenced is dated and should not be considered reflective of the current reality.” Despite this claim, the agency asked The Intercept to redact a significant portion of the presentation on the grounds that it could jeopardize current operations. As well, it’s interesting and worth noting, however, that a 2017 NSA document previously published by The Intercept detailing Russia’s General Staff Main Intelligence Directorate’s (GRU) alleged attempts to infiltrate the American electoral system also flagged those hackers’ mixing of business and personal accounts while conducting their work. A 2016 joint report by the Department of Homeland Security and FBI claimed that GRU and FSB, the contemporary successor to the KGB, worked together to breach the DNC. The NSA did not comment.

All of this is to say that the commander-in-chief, privy to the full corpus of intelligence findings provided by the NSA and its allies in the “Five Eyes” intelligence-sharing alliance, including Canada, didn’t know what he was talking about. This isn’t new: One need only look back to the presidential debate wherein Trump famously remarked that the DNC perpetrator could be a bedridden “400-pound” hacker to know that he hasn’t ever taken this seriously. It’s also possible, given how fantastically impressionable Trump is, that the Too Good to Fail theory is based on something he heard recently — perhaps from Vladimir Putin himself, who in June speculated that the DNC hacker could’ve easily covered their tracks. No matter what, if he had any desire to actually know how sophisticated Russian state hackers are or have been in the past, the evidence is there for him to review.

Top photo: Pedestrians walk past the Kremlin and an entrance to Red Square in Moscow, Russia, Wednesday, June 14, 2017.

Join The Conversation