The NSA Is Likely 'Hacking Back' Russia's Cyber Squads

PHOTO: Muscovites are pictured at the gala concert devoted to the Russia Day gala concert on Red Square in Moscow, June 12, 2016. PlayMaksim Blinov/Sputnik via AP
WATCH IP Address Linked Russia to DNC Hack, Expert Says

U.S. government hackers at the National Security Agency are likely targeting Russian government-linked hacking teams to see once and for all if they're responsible for the massive breach at the Democratic National Committee, according to three former senior intelligence officials. It's a job that the current head of the NSA's elite hacking unit said they've been called on to do many times before.

Robert Joyce, chief of the NSA's shadowy Tailored Access Operations, declined to comment on the DNC hack specifically, but said in general that the NSA has technical capabilities and legal authorities that allow the agency to "hack back" suspected hacking groups, infiltrating their systems to gather intelligence about their operations in the wake of a cyber attack.

"In terms of the foreign intelligence mission, one of the things we have to do is try to understand who did a breach, who is responsible for a breach," Joyce told ABC News in a rare interview this week. "So we will use the NSA's authorities to pursue foreign intelligence to try to get back into that collection, to understand who did it and get the attribution. That's hard work, but that's one of the responsibilities we have."

The NSA deferred direct questions about its potential involvement in the DNC hack investigation to the FBI, which is the leading agency in that probe. Representatives for the bureau have not returned ABC News' request for comment. Lisa Monaco, President Obama's homeland security and counterterrorism adviser whose responsibilities include cyber policy, declined to comment.

A former senior U.S. official said it was a "fair bet" the NSA was using its hackers' technical prowess to infiltrate two Russian hacking teams that the cybersecurity firm Crowdstrike alleged broke into the DNC's system and were linked to two separate Russian intelligence agencies, as first reported by The Washington Post. In some past unrelated cases, the former official said, NSA hackers have been able to watch from the inside as malicious actors conduct their operations in real time.

Rajesh De, former general counsel at the NSA, said that if the NSA is targeting the Russian groups, it could be doing it under its normal foreign intelligence authorities, as the Russian government is "clearly ... a valid intelligence target." Or the NSA could be working under the FBI's investigative authority and hacking the suspects' systems as part of technical support for investigators, said De, now head of the cyber security practice at the law firm Mayer Brown.

In the aftermath of an attack, a CIA official said that if there is an "overseas component," the NSA would be involved along with the CIA's own newly formed Directorate of Digital Innovation. The two agencies would work, potentially along with others in government, to sniff out suspects' "digital dust."

"It turns out that the people who carry out these activities use their keyboards for other things too," said Sean Roche, Associate Deputy Director for Digital Innovation at the CIA. Any attribution investigations, Roche said, would also include offline information -- the product of old fashioned, on-the-street intelligence gathering.

Like Joyce, Roche said he was speaking generally and could not comment on the DNC hack.

While U.S. officials have told news outlets anonymously they concur with Crowdstrike and other private cybersecurity firms who have pointed to Russian culpability, the U.S. government has declined to publicly blame the Russians.

The Russian government has said the hacking allegations are "absurd".

Director of National Intelligence James Clapper told the audience at the Aspen Security Forum Thursday that the U.S. intelligence community was "not quite ready to make a call on attribution," though he said there were "just a few usual suspects out there." The next day CIA Director John Brennan said that attribution is "to be determined" and a lot of people were "jumping to conclusions."

Professional hackers often use proxies, Brennan said, so investigators have to make two or three "hops" before tracing cyber attacks back to a state's intelligence agency, which makes the attribution process more difficult.

Kenneth Geers, a former cyber analyst at the Pentagon who recently published a book about Russian cyber operations, told ABC News earlier this week that he didn't necessarily doubt it was the Russians, but said that even in the best cases when doing cyber investigations, "You can have a preponderance of evidence -- and in nation-state cases, that’s likely what you’ll have -- but that’s all you’ll have."

That, he said, opens the possibility, however remote, that a very clever hacker or hacking team could be framing the Russians.

Michael Buratowski, the senior vice president of cybersecurity services at Fidelis Cybersecurity which studied some of the malicious code, said the evidence pointing to the Russians was so convincing, "it would have had to have been a very elaborate scheme" for it really to have been anyone else.

The NSA's Joyce said that in general it's very difficult to properly frame someone for a complex attack, since too many details have to be exactly right, requiring a tremendous amount of expertise and precision.

But Joyce said that before the U.S. government pins blame on anyone for a cyber attack publicly, the evidence has to pass an "extremely high bar."

So when they do come forward, he said, perhaps based on the results of attribution techniques that have not been publicly described, "You should bank on it."