Clues in language often tip hacker’s hand | CSMonitor.com

The firm Crowdstrike said that hacking groups affiliated with the Russian government infiltrated the Democratic National Committee (DNC).

In-brief: forensic investigators are using language clues to help identify the source of sophisticated and targeted attacks, like those on Democratic Party committees and the campaign of Hillary Clinton. 

There’s continuing news about the apparent efforts of hacking groups to infiltrate and influence the U.S. elections. In the last week, reports of a hack targeting the Democratic National Committee (DNC) in June have been followed by reports of attacks on the Democratic Congressional Campaign Committee (DCCC) and the campaign of presidential candidate Hillary Clinton.

Reports from companies like Crowdstrike, Fidelis, ThreatConnect and others have pointed confidently to hacking crews with links to the government of Russian President Vladimir Putin. This, despite claims by the mysterious hacker using the handle Guccifer 2.0 that the hack and subsequent leak of e-mail messages from the DNC was his doing.

How do security companies help unravel truth from lies? Much of the work relies on compiling and analyzing technical clues from the hacks: the domain names and the type of malicious software used. But, increasingly, clues in language also help connect the dots between attack and attacker.

I wrote about this over at the Christian Science Monitor, noting that forensic investigators can rely on a number of different linguistic analysis methods to derive important information from the clues that hackers leave behind.

From the article:

When it comes to investigating cyber crimes, techniques range from classical linguistic pursuits, such as word count analysis that examines patterns of language use, to more behavioral analysis that tries to identify unique patterns or behaviors using lexical analysis, says Steve Bongardt, a former agent in the FBI’s Behavioral Analysis Unit who now works with the firm Fidelis Cybersecurity.

Mr. Bongardt likens it to investigating a crime scene, with hacking groups or individuals falling back on well-worn modus operandi that govern how an attack is carried out and less regimented “rituals” that are just as suggestive of a particular actor.

Language clues hardly provide conclusive evidence behind a hack, forensic researchers told me, but they can contribute important pieces to the puzzle that is cyber forensics in the wake of sophisticated attacks.

Read more here: The secret linguistics clues researchers used to link DNC hack to Russia – CSMonitor.com
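As an added illustration of the "word count analysis" Bongardt describes (example code written for this post, not from the article, Fidelis or any of the firms named): it builds a function-word frequency profile for an unattributed text and ranks constructed writing samples by cosine similarity to it. The word list, the sample texts and the function names are assumptions made here.

```python
import math
import re
from collections import Counter

# Assumption: a short, fixed list of English function words. They carry little
# topical meaning but are used at author-specific rates, which is what
# word-count stylometry leans on. The list itself is constructed here.
FUNCTION_WORDS = [
    "the", "a", "an", "of", "to", "in", "and", "that", "is", "was",
    "it", "for", "on", "with", "as", "at", "by", "this", "not", "be",
]

def profile(text: str) -> list[float]:
    """Relative frequency of each function word in the text (the 'style vector')."""
    tokens = re.findall(r"[a-z']+", text.lower())
    counts = Counter(tokens)
    total = max(len(tokens), 1)
    return [counts[w] / total for w in FUNCTION_WORDS]

def cosine(u: list[float], v: list[float]) -> float:
    """Cosine similarity of two vectors; 0.0 when either vector is all zeros."""
    dot = sum(a * b for a, b in zip(u, v))
    nu = math.sqrt(sum(a * a for a in u))
    nv = math.sqrt(sum(b * b for b in v))
    return dot / (nu * nv) if nu and nv else 0.0

def rank_candidates(unknown: str, known: dict[str, str]) -> list[tuple[str, float]]:
    """Rank known writing samples by how closely their style vector matches the unknown text."""
    target = profile(unknown)
    scores = [(name, cosine(target, profile(sample))) for name, sample in known.items()]
    return sorted(scores, key=lambda s: s[1], reverse=True)

# Constructed sample texts (not real statements from any actor in the article).
UNKNOWN = ("The report of the breach was clear: the attackers used the same tools, "
           "and the same infrastructure, that the earlier intrusion relied on.")
KNOWN = {
    "analyst_a": ("The analysis of the logs was straightforward: the same domain, "
                  "the same malware, and the same errors that the previous campaign showed."),
    "analyst_b": ("It is not a simple task to attribute an intrusion. Analysts need more "
                  "than a domain list: a timeline, a malware sample, plus interviews "
                  "with staff at every site."),
}

if __name__ == "__main__":
    for name, score in rank_candidates(UNKNOWN, KNOWN):
        print(f"{name}: {score:.3f}")
```

With texts this short the scores only show the mechanism; a real investigation needs much larger corpora, features beyond function words, and, as the article notes, corroborating technical evidence.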

One Comment

  1. Richard Steven Hack

    Except there is ZERO evidence linking any such so-called “Russian” hackers to the Russian government. See Jeffrey Carr’s analysis here:

    The DNC Breach and the Hijacking of Common Sense
    https://medium.com/@jeffreycarr/the-dnc-breach-and-the-hijacking-of-common-sense-20e89dacfc2b

    As well as:
    Blaming Russia For the DNC Hack Is Almost Too Easy
    http://blogs.cfr.org/cyber/2016/08/01/blaming-russia-for-the-dnc-hack-is-almost-too-easy/

    NSA Whistleblower: Not So Fast On Claims Russia Behind Hillary Clinton Email Hack
    http://www.washingtonsblog.com/2016/07/russia-hillary-clinton-email-hack.html

    As Carr has said, attribution is something that should be done by the intelligence agencies and law enforcement who can derive offline intelligence beyond forensics to identify actors rather than speculations by corporate infosec companies who are playing to the market – especially in cases with geopolitical implications.