Newspaper article The Christian Science Monitor

The Secret Linguistics Clues Researchers Used to Link DNC Hack to Russia

Article excerpt

Call it the telltale font.

For security researchers delving into the source of malicious software that infected the Democratic National Committee's computers, linguistic clues in computer fonts, messages buried in malicious applications, and even comments from the alleged culprit helped tie the attack back to Russia.

In fact, linguistics is becoming increasingly important as governments and cybersecurity firms seek to accurately identify lone hackers or the nations that are behind high-profile attacks. And the stakes for this kind of attribution are growing higher as the US has responded to recent breaches with sanctions and political pressure, and in the future could retaliate with military action.

"In the digital world, we look at every aspect of communication," says Mario Vuksan, chief executive officer of the cybersecurity firm ReversingLabs. "From the way a hacking group connects to an asset to the way the binary code is written to text and email messages."

For instance, code could be compiled on machines that are loaded with specific languages. And hackers could tip their hand by using expressions common in certain countries or languages.

When it comes to investigating cybercrimes, techniques range from classical linguistic pursuits, such as word count analysis that examines patterns of language use, to more behavioral analysis that tries to identify unique patterns or behaviors using lexical analysis, says Steve Bongardt, a former agent in the FBI's Behavioral Analysis Unit who now works with the firm Fidelis Cybersecurity.

Mr. Bongardt likens it to investigating a crime scene, with hacking groups or individuals falling back on well-worn modus operandi that govern how an attack is carried out and less regimented "rituals" that are just as suggestive of a particular actor.

But linguistic clues often fall far short of pinning attribution for any single actor, Bongardt and others agreed. Rather, they say, governments and law enforcement agencies investigating crimes need to look to the preponderance of evidence - most of it not linguistic - as they attempt to understand who was behind an incident.

In the case of the DNC hack, a previously unknown hacker who identified himself as Guccifer 2.0 claimed responsibility for the breach. He said he was Romanian without any connections to the Russian government. But cybersecurity experts and tech journalists poked holes in those claims by closely analyzing his comment and other language and cultural identifiers in metadata. …
