They are finding various correlations, such as Russian language settings, compile timestamps matching Russian work days, malware activity ceasing on Russian holidays...
As a software developer, I can say that this "feels" par for the course for software developed in large organizations. Software that does its job but obvious things, such as not realizing the developer workstation's locale names are being added to the binary, is forgotten.
Note also that the accusations against Russia hacking the DNC aren't coming out of the blue. The same evidence was there already in July when the emails were published by WikiLeaks. It wasn't until after the election that pundits started to believe something other than Russia was behind the hack.
> APT28 had consistently compiled Russian language settings into their malware. The second was that malware compile times from 2007 to 2014 corresponded to normal business hours in the UTC + 4 time zone, which includes major Russian cities such as Moscow and St. Petersburg.
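The compile-time correlation quoted above is something an analyst can reproduce from the samples themselves: the PE/COFF header carries a 32-bit `TimeDateStamp`, and bucketing those stamps by local hour and weekday in a candidate time zone shows whether they cluster on work days. The following is an added example, not code from this thread or from any published report. It assumes a 09:00 to 17:59, Monday to Friday working window in UTC+4, a constructed set of sample timestamps, and a minimal hand-built header blob in place of real malware; it also flags stamps that are zero or later than the sample's first-seen date, since the field is trivially forgeable and a clean work-hours pattern is only a weak signal on its own.

```python
import struct
from datetime import datetime, timedelta, timezone

# Time zone named in the quoted comment (Moscow/St. Petersburg for the 2007-2014
# samples). The working window below is an analyst's assumption, not a fact
# from the thread.
ANALYST_TZ = timezone(timedelta(hours=4))
WORK_HOURS = range(9, 18)      # 09:00-17:59 local
WORK_DAYS = range(0, 5)        # Monday (0) to Friday (4)


def pe_compile_timestamp(data: bytes) -> int:
    """Return the COFF header TimeDateStamp (seconds since 1970-01-01 UTC).

    Layout: 'MZ' at offset 0, e_lfanew (u32) at 0x3C, 'PE\\0\\0' at e_lfanew,
    then the 20-byte COFF header whose TimeDateStamp is the u32 at offset 4.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 4 + 4)
    return stamp


def make_fake_pe(stamp: int) -> bytes:
    """Build a minimal, non-executable header blob carrying the given stamp.

    Constructed test input so the parser can be exercised offline; it is not a
    real sample and contains no sections or code.
    """
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, stamp, 0, 0, 0, 0x102)
    return bytes(dos) + b"PE\0\0" + coff


def work_hours_ratio(stamps, tz=ANALYST_TZ) -> float:
    """Fraction of stamps that fall on a weekday inside WORK_HOURS in tz."""
    if not stamps:
        return 0.0
    hits = 0
    for s in stamps:
        local = datetime.fromtimestamp(s, tz)
        if local.weekday() in WORK_DAYS and local.hour in WORK_HOURS:
            hits += 1
    return hits / len(stamps)


def hour_histogram(stamps, tz=ANALYST_TZ) -> list:
    """24-bin count of compile stamps by local hour in tz."""
    hist = [0] * 24
    for s in stamps:
        hist[datetime.fromtimestamp(s, tz).hour] += 1
    return hist


def stamp_plausible(stamp: int, first_seen: int) -> bool:
    """A stamp of zero or one later than the sample's first-seen time is a
    sign of a cleared or forged field and should not be used for correlation."""
    return 0 < stamp <= first_seen


def _local(y, m, d, hh, mm) -> int:
    """Epoch seconds for a wall-clock time in ANALYST_TZ (test-data helper)."""
    return int(datetime(y, m, d, hh, mm, tzinfo=ANALYST_TZ).timestamp())


# Constructed sample stamps: four on weekdays in hours, one Saturday, one 03:10.
SAMPLE_STAMPS = [
    _local(2012, 3, 14, 11, 30),   # Wednesday
    _local(2012, 3, 15, 16, 45),   # Thursday
    _local(2013, 6, 3, 9, 5),      # Monday
    _local(2014, 1, 21, 14, 0),    # Tuesday
    _local(2012, 3, 17, 12, 0),    # Saturday: outside the window
    _local(2013, 6, 4, 3, 10),     # Tuesday, 03:10: outside the window
]

if __name__ == "__main__":
    blob = make_fake_pe(SAMPLE_STAMPS[0])
    print("parsed stamp:", pe_compile_timestamp(blob))
    print("work-hours ratio:", round(work_hours_ratio(SAMPLE_STAMPS), 3))
    print("hour histogram:", hour_histogram(SAMPLE_STAMPS))
```

Run it over the `TimeDateStamp` of every sample in a cluster and compare the ratio across several candidate offsets; a strong peak in one zone is corroborating evidence, never proof, which is exactly why the reports pair it with independent signals such as the compiled-in language settings.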
You'd think that a state-sponsored attack would be a little less careless. This seems like a rookie give-away and makes me wonder if this is made to look like Russia instead of being Russia. When I think of a state-sponsored attack, I automatically envision something in the realm of Stuxnet in terms of quality and the level of sophistication.
a) Not enough evidence that it was Russia!
b) Too much evidence, it can't have been Russia!
:)
Remember how Edward Snowden, a low-level contractor, was able to run away with all the NSA's big secrets? Government enterprises are characterized by cluelessness and political in-fighting, not sophistication.
Perhaps I shouldn't have made such a wild claim. I was just taken aback at the lack of competence due to lots of giveaways hidden in plain sight. Hard to believe that a state-sponsored cyber espionage actor doesn't realize that the first thing investigators would do is disassemble the executable once it's discovered. I guess everything's possible. @bjourne does make a good point in his reply.
Did you ever consider the Russians didn't care if they were caught or intentionally left clues to let the American Administration understand that they were responsible?