‘Faith-based attribution’: Microsoft unable to identify those behind pre-midterm hacking – experts

21 Aug, 2018 19:38

Microsoft’s claim that it had identified an entity behind a recent phishing attack as a Kremlin-linked group is most likely hollow, as the tech giant couldn’t have adequately verified the hacker’s identity, experts have told RT.

Any evidence Microsoft could get about the identity of the hacker, who it said attempted to launch a hacking attack by creating “spear-phishing” websites mimicking such pages as the Senate website or the International Republican Institute, would be circumstantial at best, technology and cybersecurity analysts said, adding that the claims made by the company in its recent blog are mere assumptions.

In a statement largely focusing on Microsoft’s role in “defending democracy” and an advertisement of its new product, the company said that its digital crimes unit (DCU) had “acted on a court order to take control of six internet domains” which had been created by “a group known variously as Strontium, Fancy Bear and APT28”, which media reports have frequently linked to the Russian government.

Microsoft’s DCU can indeed “get a court order to lift privacy controls in place on any website that has violated its terms of service or is engaged in illegal activities,” Jeffrey Carr, a cybersecurity analyst and the founder and principal investigator of Project Grey Goose, told RT, commenting on the issue. “Once lifted, they can see who the registering party was,” he added. However, according to the experts, such knowledge would not ultimately reveal the identities of hackers.

“It is unlikely that the registering party used real names or addresses since the websites were set up for illegal activities,” Carr said, echoing the words of other experts. Even if the tech giant could trace the hacking attack to an “ultimate IP address,” that address might not only be “fraudulent” but could also simply have been “hijacked by another party,” Robert Kay, a technology analyst, told RT, adding that “spam and phishing attacks often come from hijacked domains.”

The tech giant could possibly turn to the code itself to substantiate its suspicions and check if it has a “structure that resembles one used by a known entity” or “comments in a particular language” and code sets, which are “native to a geography or language,” Kay said. However, such efforts are equally unlikely to provide the company with any hard evidence on who might be behind the alleged attack.

“Experienced hackers” do not only “use fake IDs and stolen credit cards to obtain the domains” but also “use specific language and other cues to make it seem like it originated in another country by a different group,” John David McAfee, a computer programmer and businessman, who founded the software company McAfee Associates, told RT. Robert Kay also said that “some intelligence services try to throw off investigators by embedding false clues in the code.”

“In the end, analysts can only give their best assessment and a confidence level in that assessment,” Kay added, while McAfee admitted that any identification is “nearly impossible if the hackers were competent and experienced.” Being apparently unable to verifiably establish the identity of the alleged hackers, Microsoft eventually had to rely on assumptions made by earlier researchers, who in turn just made their own assumptions and got caught in the grip of anti-Russian hysteria.

The political nature of the websites affected only further contributed to the belief that the supposed attack had something to do with election meddling, which has been repeatedly blamed on Russia despite a lack of evidence. Jeffrey Carr described the results of Microsoft’s investigation as nothing but a “faith-based assumption.”

The tech giant itself admitted in its blog post that it has “no evidence” that the domains were used in any successful attacks — and no evidence “to indicate the identity of the ultimate targets.” Moscow, meanwhile, once again denied its involvement in any efforts aimed at affecting the US congressional midterm elections. Kremlin spokesman Dmitry Peskov said on Monday that the claims made by the US software giant were “groundless”.
