It was the keyboards that gave them away. Russian hackers, typing on keyboards configured in Cyrillic and doing it in a time zone consistent with Moscow, created the “eloquent” code that breached the computers of the Democratic National Committee, according to a top analyst who investigated the hack.
“This was absolutely not an amateur operation … When you look at the totality of all those pieces and you put them together, it kind of paints a really good picture of who the actor was,” Michael Buratowski, the senior vice president of cybersecurity services at Fidelis Cybersecurity, told ABC News Monday. “I come from a law enforcement background, and it’s [about being] beyond a reasonable doubt. And I would say it’s beyond a reasonable doubt … I’m very confident that the malware that we looked at [was from] Russian actors.”
“When we looked at the malware, we found that it was very, very eloquent in its design as well as its functionality — very advanced, not something that script user or lower level hacker would be able to really generate or customize,” he said.
Buratowski said IP addresses linked to the attack were associated with Russian servers. A U.S. official said that it appeared that the hackers never worked on Russian holidays.
And not least to consider, Buratowski said, was the target and timing of the WikiLeaks posting on Friday — which made public 20,000 emails from the pilfered computers.
“We know for a fact that the malicious actors were in there and had access to this data for some time,” he said. “The timing of the release of information from WikiLeaks is very suspect. When you look at it — it was released right before the [Democratic] convention — you have to question what the motivation was behind that.”
Buratowski’s firm was one of three independent cybersecurity firms brought in by another firm, Crowdstrike, to analyze parts of malware that infected computers belonging to the Democratic National Committee. Last month Crowdstrike, which was first to analyze the attack, fingered two Russian hacker groups that the firm said were working for two rival Russian intelligence agencies.
Crowdstrike has already tied one of the hacking teams to a series of attacks on unclassified U.S. government networks last year.
“This shows you espionage has now moved off the just physical realm of recruiting spies and getting information. It’s now through cyber means,” Dmitri Alperovitch, a co-founder of Crowdstrike, told ABC News in June.
Presidential candidates and campaigns have been “a traditional target of Russian intelligence for 100 years, but now [Russia is] doing it for cyber," he said.
Fidelis and another firm, Mandiant, said last month they agreed that Russia state actors appeared to be to blame for the DNC hack. Buratowski said his firm was given only a portion of the code and therefore could not say if other actors were involved.
Today the FBI confirmed it was investigating the breach. Rep. Adam Schiff, D-Calif., the ranking Democratic member of the House Intelligence Committee, said the committee was briefed by the intelligence community on the hack. He said the committee will “continue to seek further information from the [intelligence community] as to the origin of any attack and a potential connection to Russia or another state sponsor.”
Despite the confident reports from the several respected cybersecurity firms, cybersecurity expert Kenneth Geers said he's cautious about blaming the Russians so squarely. Attribution in the case of cyber attacks is notoriously difficult to nail down.
“I think that the world’s three-letter agencies are involved in more information operations than the public would assume. So that’s not to say that this isn’t from Russia. It could be other actors with more obscure intentions,” said Geers, a former Pentagon cybersecurity analyst who recently wrote a book about Russia’s cyber operations in Ukraine. “I’m not discounting it … You can have a preponderance of evidence, and in nation-state cases, that’s likely what you’ll have, but that’s all you’ll have.”
Buratowski doubts it was a setup.
“In the sense it was so complex, it would have taken a lot — it would have had to have been a very elaborate scheme to try and pin it on somebody else,” he said.
A spokesman for the Russian government, Dmitry Peskov, declined to comment on the hacking allegations, according to a Russian news report.
ABC News’ Megan Christie, Randy Kreider, Cho Park, Alex Hosenball, Michael Faucher and Andrea GonzalezPaul contributed to this report.