SecureWorks attribution of Podesta phishing to Russia was false

SecureWorks’ attribution to Russia of the March 2016 phishing and hacking of Podesta and other DNC figures (1, 2), based on Bitly links, was false. This is why.

The hackers did not need Bitly. They could insert a direct link to the phishing page. Using Bitly had only downsides: the risk of being exposed before the hacking campaign started, and the risk that the redirect from bit[.]ly would trigger a browser warning.

At the relevant time, Bitly shortlinks could be created and used without a Bitly account.

Bitly shortlinks in an account do not indicate that they were used. They cost no money and require very little time. Clicks are even cheaper. A smart hacker can create thousands of decoy shortlinks to hide one used for important business.

The phishing site’s own server log records every click, so creating a Bitly account for that purpose is not warranted.
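To make that point concrete, here is an added illustration (mine, not code from the original post, from SecureWorks or from any of its sources). It assumes the common setup in which each phishing mail carries a per-recipient token in the landing-page URL, and parses a constructed web-server log in the Apache/nginx "combined" format. The log alone yields who clicked, when and from where, and separates real clicks from mail-scanner hits; no shortener is involved. The token table, the log lines and the scanner user-agent list are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample web-server log in Apache/nginx "combined" format (not real data).
# Each phishing mail carries a per-recipient token in the link: /login?t=<token>.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Mar/2016:11:02:13 +0000] "GET /login?t=a3f9c1 HTTP/1.1" 200 2311 "-" "Mozilla/5.0 (Windows NT 6.1)"
203.0.113.7 - - [19/Mar/2016:11:02:14 +0000] "GET /static/logo.png HTTP/1.1" 200 812 "-" "Mozilla/5.0 (Windows NT 6.1)"
198.51.100.22 - - [19/Mar/2016:11:40:51 +0000] "GET /login?t=7b2e04 HTTP/1.1" 200 2311 "-" "Mozilla/5.0 (Macintosh)"
198.51.100.22 - - [19/Mar/2016:11:41:30 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Macintosh)"
192.0.2.9 - - [19/Mar/2016:12:15:02 +0000] "GET /login?t=a3f9c1 HTTP/1.1" 200 2311 "-" "python-requests/2.9.1"
"""

# Hypothetical token-to-recipient table the sender keeps when generating the mails.
TARGETS = {"a3f9c1": "recipient-a", "7b2e04": "recipient-b", "c0ffee": "recipient-c"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TOKEN_RE = re.compile(r"[?&]t=([0-9a-f]+)")
# Non-browser user agents (mail scanners, sandboxes, curl): their hits are not recipient clicks.
SCANNER_UA_RE = re.compile(r"^(curl|wget|python-requests|Go-http-client)/", re.I)


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def clicks_by_token(records, ignore_scanners=True):
    """Group landing-page GETs by the per-recipient token -> [(timestamp, ip), ...]."""
    clicks = defaultdict(list)
    for r in records:
        if r["method"] != "GET":
            continue
        if ignore_scanners and SCANNER_UA_RE.match(r["ua"]):
            continue
        t = TOKEN_RE.search(r["path"])
        if t:
            clicks[t.group(1)].append((r["ts"], r["ip"]))
    return dict(clicks)


def click_report(records, targets):
    """Click count per recipient, with zero for recipients who never clicked."""
    clicks = clicks_by_token(records)
    return {name: len(clicks.get(token, [])) for token, name in targets.items()}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for token, hits in clicks_by_token(recs).items():
        print(token, TARGETS.get(token, "unknown"), hits)
    print(click_report(recs, TARGETS))
```

Run against the sample, the report shows recipient-a and recipient-b each clicked once and recipient-c never did; the second hit on recipient-a's token comes from a python-requests user agent and is dropped as a scanner fetch, which a shortener's click counter would have counted as a click.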

“GRU created a Bitly account but forgot to set it to private mode” is a fairy tale for idiots.

According to SecureWorks, the “accounts-google.com” domain was used in many phishing campaigns starting in April 2015. One would expect it to be blacklisted by most security software and services long before March 2016.

SecureWorks announced on June 16 that it had tracked TG-4127 since 2015. I searched and could not find any trace of this name or the number 4127 on its website or in archived versions of it. For two years, 2014-2015, SecureWorks announced the detection of only two “threat groups”, TG-3279 and TG-3390. They were not tracking “threat groups”, possibly because they knew it was futile.

All that we know about this Bitly account (or 2-3 accounts) is what SecureWorks and Bitly told us. Although it was allegedly public, Bitly hid it after the attribution, potentially becoming an accomplice. A presentation purportedly containing the information from this Bitly account was sealed evidence in Gubarev v. Buzzfeed. Bitly fought to keep it sealed and succeeded (See 0:17-cv-60426-UU, Document 416-3, Entered on FLSD Docket 01/14/2019). An article from Motherboard was entered in the docket instead.

Given all the discrepancies in their story, the only explanation for this conduct is that SecureWorks and Bitly lied, and this Bitly account is either different from how it was described or shows evidence of tampering.

Thanks to Stephen McIntyre for the timely attention to this misattribution.

P.S. Creating a Bitly account and leaving it public might indicate the actions of a phisher for hire, selling the use of suitable domain(s) and/or his services to multiple clients. This situation is also incompatible with SecureWorks’ theory, which requires a single actor behind all the shortlinks in the alleged account.

P.P.S. SecureWorks’ own website contains interesting material that tends to undercut attribution to specific groups based on the similarity of tools and methods.

Underground Hacker Marketplace, June 2016

Imagine a marketplace where illegal vendors offer hackers a wide range of goods, tools, and training to enable them to exploit or breach unsuspecting individuals, groups or organizations. Now imagine the walls of this marketplace lined with advertisements offering services and information. The point is, the underground marketplace is booming and only getting bigger, more sophisticated, and competitive.

Some SecureWorks articles even cite prices.