Finding the perpetrator of a sophisticated hacker intrusion can be messy. Getting to the bottom of a vicious data breach at the center of a no-holds-barred presidential campaignis a full-on trainwreck.
On Wednesday, Gawker and the Smoking Gun published the Democratic National Committee’s opposition research files on Republican presumptive presidential nominee Donald Trump, which the DNC admitted earlier in the week had been stolen by hackers. And a hacker using the name Guccifer 2.0 posted a sample of the files to WordPress, along with a taunting note. “Guccifer may have been the first one who penetrated Hillary Clintons and other Democrats mail servers. But he certainly wasnt the last,” the hacker wrote, referring to earlier claims by a well-known Romanian hacker known as Guccifer, who has said he penetrated Clinton’s unofficial email servers during her time as secretary of state before being arrested and extradited to the US earlier this year. “No wonder […] any other hacker could easily get access to the DNCs servers.”
The leaked documents, more than 200 pages of Trump’s record of offensive statements, dishonest remarks, and questionable business moves, call him a “misogynist-in-chief” with “no core.” On his WordPress site, Guccifer 2.0 separately posted a sample of donor information stolen from the DNC’s servers, apparently contradicting the DNC’s earlier claims that no financial information was lost in its breach. The hacker also claimed to have given “thousands of files and mails” to WikiLeaks.
But just as lurid as the leaked data has been the fingerpointing that came after. Earlier in the week, the security firm Crowdstrike, which the DNC brought in to remediate the breach, published a blog post claiming that a pair of hacker groups based in Russia and associated with the government’s intelligence apparatus carried out the intrusion. The post pointed to the specific malware and tactics linked with the Russian groups known as Cozy Bear and Fancy Bear. Both have a history of hacking high-value international intelligence targets.
But Guccifer 2.0’s statement mocked that conclusion. The hacker said he or she was working alone, that the hack wasn’t actually “sophisticated” at all. “Im very pleased the company appreciated my skills so highly,” he or she wrote. “But in fact, it was easy, very easy…I guess CrowdStrike customers should think twice about companys competence.”
Security analysts following the release pointed to Guccifer 2.0’s leak as evidence that Crowdstrike had misidentified the DNC hacker or hackers and badly overestimated their skills and resources. But Crowdstrike, in a statement, stood by its initial analysis. “Whether or not this posting is part of a Russian Intelligence disinformation campaign, we are exploring the documents authenticity and origin,” a spokesperson wrote in a statement to WIRED.
Another statement from the DNC went further: “Our experts are confident in their assessment that the Russian government hackers were the actors responsible for the breach detected in April, and we believe that todays release and the claims around it may be a part of a disinformation campaign by the Russians.” Some small signs do point to Russian involvement: The PDFs posted by Gawker and the Smoking Gun contain error messages on several URLs that include Cyrillic characters and translate from Russian to “error, invalid hyperlinks.”
Trump, not one to stay silent during a scandal, offered the wildest theory of all: that the DNC had faked the breach as an excuse to publish negative information about him. “We believe it was the DNC itself that did the ‘hacking’ as a way to distract from the many issues facing their deeply flawed candidate and failed party leader,” he wrote in a press statement, adding that the research file had been “out there for years,” and claiming that much of it was inaccurate.
That doesn’t make much sense. Guccifer’s data appears to include sensitive financial documents as well as the Trump-focused research files. But that doesn’t clear up whether the hackers were state-sponsored intelligence agents or a single amateur—or both, a real possibility given that Crowdstrike has said the DNC servers had been repeatedly penetrated for close to a year. If those intruders were aiming to inject more chaos into the most chaotic political campaign in recent memory, they’ve already succeeded.