Russian hacking? - APOLITICAL

12-19-2016 , 03:57 PM
I'd like to discuss the possibility of Russian hacking that's been in the news, and the likelihood of detecting it. Please keep politics out of this thread, I'm only interested in the technical details.

I'm just a grunt programmer and only know a tiny bit about hacking. I used to know a hacker or two, but have never tried it nor would I even consider doing so.

If there actually was hacking done by the Russian govt, they would have control of internet nodes and routers, and could construct any IP "shells" in the packets they wanted, thus making them basically untraceable. They might even be able to forward packets to specific routers outside of Russia making it even tougher. And really, they would probably have agents in other countries, probably the U.S., actually launch the hacks.

As far as a Russian "signature" of the payload, it's common for hackers to copy other hacks and just change what they want to deliver, so that's no indication at all. Would anyone be able to detect and identify a hack from the actual Russian govt, whom you would assume to be able to devote massive resources to the effort?

Experts, speak up!

(Maybe they should give immunity to Ed Snowden in exchange for tracking this down.)
12-19-2016 , 05:09 PM
There is a Computer technical forum on 2+2 which I assume has some knowledgeable people that could shed some light on the techniques employed; keep in mind that some things may actually be illegal to divulge. But you could ask there.

Warning: I will simply nuke this thread if yahoos start ranting politics.
12-19-2016 , 06:32 PM
Well, I asked a couple times not to get political so hopefully that won't be a problem.

From past readings of that forum it seems to be mostly about connecting to Full Tilt, etc, so I thought the more knowledgeable folks to be here.
12-20-2016 , 06:26 PM
There are many answers to your question, and the definitive answer is likely a combination of them.

Fingerprinting: Hiding behind IP-addresses and such does very little. You have "fingerprinting" techniques that can recognize machine / hardware beyond that. When fingerprints match more benign traffic, you have your man. This is what law enforcement use to catch pedophiles who hide beyond the Tor network for example. We can assume hackers are aware of this and avoid using the same hardware over and over, still... small fingerprints can remain.

Signatures: Hacking (and its underlying mother, programming), like all other things, is a cultural phenomenon. Various methods are popular, signature methods are recognizable. Certain exploits / viruses / trojans popular in one group might be rare in another.

Social engineering: Hacking is a public thing. To a layman it might seem like a secretive and clandestine world, but hacking of public servers is really the technical equivalent of robbing busy banks in broad daylight. The people who inhabit this sphere will notice, and the people in this sphere are infiltrated by law enforcement and intelligence agencies. Furthermore, many "neutral" hackers are not enamored with state-sanctioned cyber-warfare and act as a watchdog of their own. The online nature of hacker groups also makes them weak to social engineering and infiltration from government agents; this is not a trait necessarily shared by organized intelligence teams doing the same thing - but we can assume that if Russia wanted to hack US party servers, they would employ a third party to gain deniability.

Chain of command: Hacking done as an intelligence effort is the result of decisions taking the route from political offices, through directors, through administrators, through local leaders and to the hacking teams. This route is weak to traditional intelligence efforts and traffic monitoring. If you see a spike in administrative and political activity in the right committees and offices a week before a major hacking attack, suspicions are justified. Needless to say, the US monitors Russian political activity and communication traffic for such spikes, in today's open technological world such an effort doesn't even have to be intrusive.

Motive: Hacking often holds a motive of sorts. Traditional policework dictates we should always ask "who gains from this".
12-21-2016 , 12:08 AM
Quote:
Originally Posted by tame_deuces
There are many answers to your question, and the definitive answer is likely a combination of them.

Fingerprinting: Hiding behind IP-addresses and such does very little. You have "fingerprinting" techniques that can recognize machine / hardware beyond that. When fingerprints match more benign traffic, you have your man. This is what law enforcement use to catch pedophiles who hide beyond the Tor network for example. We can assume hackers are aware of this and avoid using the same hardware over and over, still... small fingerprints can remain.
A packet is a packet. We're not talking about some schmuck trying to bypass node and router safeguards. If the Russian govt did the hack, they control the nodes and routers in their country and can construct the packets bit by bit and make them look exactly the way they want. A packet is just bits, there's no hardware about it.

Quote:
Signatures: Hacking (and its underlying mother, programming), like all other things, is a cultural phenomenon. Various methods are popular, signature methods are recognizable. Certain exploits / viruses / trojans popular in one group might be rare in another.
As I said, it's common to copy hacks that others wrote, and only change the payload. Besides, one would assume govt employees are pretty smart, like Ed Snowden smart, and would either use unique code, or clone someone else's code. Using code that everyone can recognize is Russian for a hack as important as this would be pretty stupid.

Quote:
Social engineering: Hacking is a public thing. To a layman it might seem like a secretive and clandestine world, but hacking of public servers is really the technical equivalent of robbing busy banks in broad daylight. The people who inhabit this sphere will notice, and the people in this sphere are infiltrated by law enforcement and intelligence agencies. Furthermore, many "neutral" hackers are not enamored with state-sanctioned cyber-warfare and act as a watchdog of their own. The online nature of hacker groups also makes them weak to social engineering and infiltration from government agents; this is not a trait necessarily shared by organized intelligence teams doing the same thing - but we can assume that if Russia wanted to hack US party servers, they would employ a third party to gain deniability.
Doubt it. They're not going to hire a kid with blue hair, tattoos, and a nose ring for something like this. They would have their internal intel people do it, or at least code it. They might have Mr Nose Ring launch it, but he would have no idea it's for the Russians.

Quote:
Chain of command: Hacking done as an intelligence effort is the result of decisions taking the route from political offices, through directors, through administrators, through local leaders and to the hacking teams. This route is weak to traditional intelligence efforts and traffic monitoring. If you see a spike in administrative and political activity in the right committees and offices a week before a major hacking attack, suspicions are justified. Needless to say, the US monitors Russian political activity and communication traffic for such spikes, in today's open technological world such an effort doesn't even have to be intrusive.
Seriously? You're saying the KGB can't carry out an operation in secret?
12-21-2016 , 01:50 AM
Quote:
Originally Posted by pig4bill
A packet is a packet. We're not talking about some schmuck trying to bypass node and router safeguards. If the Russian govt did the hack, they control the nodes and routers in their country and can construct the packets bit by bit and make them look exactly the way they want. A packet is just bits, there's no hardware about it.
I think you need to move away from the 90s knowledge of computer technology. These days you have many ways to uniquely identify hardware used, for example statistical analysis of clock skew and similar techniques.

You can also use statistical signal analysis to great effect, since any machine that is used in hacking efforts is communicating.

Quote:
Originally Posted by pig4bill
As I said, it's common to copy hacks that others wrote, and only change the payload. Besides, one would assume govt employees are pretty smart, like Ed Snowden smart, and would either use unique code, or clone someone else's code. Using code that everyone can recognize is Russian for a hack as important as this would be pretty stupid.
Even doing that is a signature of its own.

Quote:
Originally Posted by pig4bill
Doubt it. They're not going to hire a kid with blue hair, tattoos, and a nose ring for something like this. They would have their internal intel people do it, or at least code it. They might have Mr Nose Ring launch it, but he would have no idea it's for the Russians.
No, that's not how Russia works. It works a lot through proxy... hackers, ultra-nationalists, insurgents. Putin's policy is always one of plausible deniability.

Quote:
Originally Posted by pig4bill
Seriously? You're saying the KGB can't carry out an operation in secret?
The KGB doesn't exist anymore, so no. As for the FSB, no it can't unless it relies on typewriters and face-to-face communication. Which it probably does from time to time (as does any intelligence agency occasionally in this day and age, I suspect).
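The clock-skew fingerprinting that tame_deuces mentions (and the "fingerprinting" point in the earlier post) works because every TCP segment carrying the timestamp option includes TSval, a counter driven by the sender's own clock, and that clock runs slightly fast or slow by an amount that is stable for a given machine. Two sessions whose counters drift at the same rate are plausibly the same host even when their IP addresses differ. The following is an added example, not code from anyone in this thread: it assumes the remote counter ticks at 1000 per second, uses constructed (synthetic) sessions rather than a real capture, and fits the drift with a simplified least-squares slope where the published method uses a linear-programming bound to cope with network delay.

```python
"""Added example: attributing two TCP sessions to one hardware clock via TSval drift.
Assumptions (not from the thread): remote tick rate HZ=1000; synthetic observations."""

HZ = 1000             # assumed remote TCP timestamp tick rate (ticks per second)
TS_MASK = 0xFFFFFFFF  # TSval is a 32-bit counter and wraps around

def synth_session(skew_ppm, start_ts, n=61, interval=60.0):
    """Constructed capture: one (arrival_time_s, TSval) pair per minute for an hour.
    The remote clock runs (1 + skew_ppm/1e6) times as fast as the monitor's clock;
    a repeating delay pattern stands in for network jitter."""
    delays = [0.020, 0.035, 0.028, 0.041, 0.024]
    obs = []
    for i in range(n):
        true_elapsed = i * interval
        arrival = true_elapsed + delays[i % len(delays)]
        tsval = (start_ts + round(HZ * true_elapsed * (1 + skew_ppm / 1e6))) & TS_MASK
        obs.append((arrival, tsval))
    return obs

def estimate_skew_ppm(observations, hz=HZ):
    """Least-squares slope of (remote elapsed - local elapsed) against local elapsed,
    in parts per million. Positive means the remote clock runs fast."""
    t0, ts0 = observations[0]
    xs, ys = [], []
    for t, ts in observations:
        local = t - t0
        remote = ((ts - ts0) & TS_MASK) / hz  # the mask handles counter wrap-around
        xs.append(local)
        ys.append(remote - local)
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return sxy / sxx * 1e6

def same_clock(obs_a, obs_b, tolerance_ppm=10.0):
    """Attribute two sessions to the same hardware clock if their skews agree.
    The tolerance must exceed the estimator's noise for the capture length used."""
    return abs(estimate_skew_ppm(obs_a) - estimate_skew_ppm(obs_b)) <= tolerance_ppm

if __name__ == "__main__":
    session_a = synth_session(50, start_ts=123_456)        # host X, first sighting
    session_b = synth_session(50, start_ts=4_294_960_000)  # host X again; counter wraps mid-capture
    session_c = synth_session(-120, start_ts=9_000)        # a different machine
    for name, s in (("A", session_a), ("B", session_b), ("C", session_c)):
        print(f"session {name}: skew ~ {estimate_skew_ppm(s):+.1f} ppm")
    print("A and B same clock?", same_clock(session_a, session_b))
    print("A and C same clock?", same_clock(session_a, session_c))
```

The defensive reading is the one that matters for the thread: the estimate depends only on packets the target or any intermediate observer already receives, so rotating IP addresses or relays does nothing about it, while replacing the hardware (or disabling TCP timestamps) does. The tolerance is a design choice: an hour-long capture at one sample a minute gives roughly one ppm of noise here, so a 10 ppm window separates hosts whose skews differ by more than that and nothing finer.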
12-22-2016 , 10:54 AM
Quote:
Originally Posted by tame_deuces
No, that's not how Russia works. It works a lot through proxy... hackers, ultra-nationalists, insurgents. Putin's policy is always one of plausible deniability.
Evidence is now starting to mount against "Fancy Bear", a hacking team which has been linked to Moscow officials and GRU (Russian military intelligence) in the past.
12-27-2016 , 03:35 PM


oh you fancy huh
12-27-2016 , 05:40 PM
Quote:
Originally Posted by longmissedblind


oh you fancy huh
12-30-2016 , 11:23 PM
Quote:
Originally Posted by tame_deuces
I think you need to move away from the 90s knowledge of computer technology. These days you have many ways to uniquely identify hardware used, for example statistical analysis of clock skew and similar techniques.
And you're thinking at a completely different level than what a government is capable of. You're talking about someone hiding, and connecting to the public internet with a pc. When you have total control of a node and routers you can construct the packets any way you want and drop them into the internet in any fashion you want. There is no "pattern" of a machine, because a pc didn't create them in the first place.

Besides, even if they did something as weak as what you're talking about, they would have to be the stupidest hackers on earth. They would just trash the old hardware and buy new hardware for each hack. A pc box is a couple hundred bucks.
12-31-2016 , 06:27 AM
Quote:
Originally Posted by pig4bill
And you're thinking at a completely different level than what a government is capable of. You're talking about someone hiding, and connecting to the public internet with a pc. When you have total control of a node and routers you can construct the packets any way you want and drop them into the internet in any fashion you want. There is no "pattern" of a machine, because a pc didn't create them in the first place.

Besides, even if they did something as weak as what you're talking about, they would have to be the stupidest hackers on earth. They would just trash the old hardware and buy new hardware for each hack. A pc box is a couple hundred bucks.
No, I have never been talking about that. Your own vision of how this stuff works was much closer to that, however. Your own misunderstanding of these concepts is apparent when you are talking about "nodes and routers" as if they follow different rules. They don't; they're computers and they play by the protocol rules of the internet like every other device connected to it.

Your post gives the impression that a hacker can hold complete control of communication flow. That's not how the internet works. It's not a clandestine world of secret passageways, it's a network of millions of intersecting highways where any intersection or tap can monitor all traffic that passes through it. Total control of how information flows is only possible if you control all the infrastructure including your target, which - outside the realm of hypotheticals and completely uninteresting theory - you don't.

Hacking a public target is somewhere between pick-pocketing in Times Square and robbing a bank in broad daylight. And regardless of how well you hide or how many layers you put up between yourself and the crime, you are generating traffic, and a lot of that traffic is accessible after the fact. This is also why any hacking effort's number one weakness is signal analysis: No act on the internet is "private"; you can cloak what you're saying in onion layers of obfuscation - but you can't hide saying it, and all those onion layers are accessible for a listener to peel. And listening on the internet is a very trivial task.

And you certainly can't "construct the packets in any way you want". Packets are analogous to letters within a layer of envelopes. They need a certain construction, every envelope requires a certain construction, every item needs a certain addressing, they need to fit into some criteria of form. For them to garner specific responses, they need to carry information in some way that is understandable to delivery services and the receiver, and for that they need to follow certain protocols.

Last edited by tame_deuces; 12-31-2016 at 06:47 AM.
01-07-2017 , 03:26 AM
You've got to be kidding. If you're a semi-totalitarian government like Russia you can program anything you want. I'll say it one last time - you can construct the packets to look like anything you want before you send them off to the next node. I don't know if you're a programmer or not, but it would be trivial for a software engineer.

I read the de-classified report. Lots of conclusions with zero evidence, so the public will probably never know how the FBI/CIA/NSA came to their conclusion.
01-07-2017 , 09:20 AM
Quote:
Originally Posted by pig4bill
You've got to be kidding. If you're a semi-totalitarian government like Russia you can program anything you want. I'll say it one last time - you can construct the packets to look like anything you want before you send them off to the next node. I don't know if you're a programmer or not, but it would be trivial for a software engineer.

I read the de-classified report. Lots of conclusions with zero evidence, so the public will probably never know how the FBI/CIA/NSA came to their conclusion.
The problem here is that you don't seem to know what a packet is. I've explained it in the previous posts. A packet is a small container of information ("payload"), enveloped in layers of what is basically electronic "logistics" information ("headers"), the latter type dependent on what communication protocol the layer is aimed at.

A packet that "looks like whatever you want" wouldn't go anywhere or be understood by anything. It would be like a letter consisting of random scribbles, no address and dropped on the floor.

And hackers rarely sit around "constructing packets". That's a very low level of network communication, comparable to a single dot of ink in a very big book. Various types of bogus packets have some uses (port scans, OS detection, DDOS attacks), but when your aim is to extract information you have to communicate with the machine in question.

To me it sounds like you have a meager understanding of this issue, but you're still trying very hard to make it fit a foregone conclusion.
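The "letter inside layers of envelopes" description above (payload wrapped in protocol headers, each of which must be well-formed before anything forwards or answers it) is concrete enough to show in code. The following is an added example and not something posted in this thread: it builds a minimal IPv4 + TCP SYN with Python's struct module, then validates it the way a receiving stack does (version, header length, total length, both checksums) and peels the envelopes back off. It assumes IPv4 over TCP only, no Ethernet framing, and uses constructed addresses from the documentation ranges; nothing is sent on a network.

```python
"""Added example: what a 'packet' is, envelope by envelope, and which malformed
ones a receiver discards. Constructed data only; nothing is sent on the wire."""
import socket
import struct

IP_PROTO_TCP = 6

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum used by both the IPv4 header and TCP (over a pseudo-header)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_tcp_syn(src_ip, dst_ip, src_port, dst_port, payload=b""):
    """Outer envelope (IPv4 header) + inner envelope (TCP header) + the letter (payload)."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    tcp_len = 20 + len(payload)
    # TCP: ports, seq, ack, data offset (5 words) / flags (SYN), window, checksum placeholder, urgent
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1000, 0, 5 << 4, 0x02, 65535, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, IP_PROTO_TCP, tcp_len)
    tcp = tcp[:16] + struct.pack("!H", ones_complement_sum(pseudo + tcp + payload)) + tcp[18:]
    # IPv4: version/IHL, TOS, total length, ID, flags/fragment, TTL, protocol, checksum placeholder, addresses
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234, 0x4000, 64, IP_PROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    return ip + tcp + payload

def why_dropped(raw: bytes):
    """Return None if every layer is well-formed, otherwise the first reason a router
    or host would discard the packet. These mirror the checks a real stack performs."""
    if len(raw) < 20:
        return "too short for an IPv4 header"
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4:
        return f"IP version {version} is not 4"
    if ihl < 20 or ihl > len(raw):
        return f"bad IHL {ihl}"
    if total_len != len(raw):
        return f"total length {total_len} != {len(raw)} bytes on the wire"
    if ones_complement_sum(raw[:ihl]) != 0:  # a valid header, checksum included, sums to zero
        return "IPv4 header checksum mismatch"
    if ttl == 0:
        return "TTL exhausted"
    if proto != IP_PROTO_TCP:
        return f"protocol {proto} not handled here"
    tcp = raw[ihl:]
    if len(tcp) < 20:
        return "too short for a TCP header"
    data_off = (tcp[12] >> 4) * 4
    if data_off < 20 or data_off > len(tcp):
        return f"bad TCP data offset {data_off}"
    pseudo = src + dst + struct.pack("!BBH", 0, IP_PROTO_TCP, len(tcp))
    if ones_complement_sum(pseudo + tcp) != 0:
        return "TCP checksum mismatch"
    return None

def unpack_layers(raw: bytes) -> dict:
    """Peel the envelopes: IPv4 addressing, then TCP addressing and flags, then the payload."""
    reason = why_dropped(raw)
    if reason:
        raise ValueError(reason)
    ihl = (raw[0] & 0x0F) * 4
    src_port, dst_port, _, _, off_flags = struct.unpack("!HHIIH", raw[ihl:ihl + 14])
    data_off = (off_flags >> 12) * 4
    return {
        "src_ip": socket.inet_ntoa(raw[12:16]), "dst_ip": socket.inet_ntoa(raw[16:20]),
        "src_port": src_port, "dst_port": dst_port, "flags": off_flags & 0x1FF,
        "payload": raw[ihl + data_off:],
    }

if __name__ == "__main__":
    good = build_ipv4_tcp_syn("192.0.2.10", "198.51.100.25", 40000, 443)
    print(unpack_layers(good))
    print(why_dropped(b"any bytes you want here"))  # arbitrary bytes fail at the first check
    flipped = bytearray(good)
    flipped[16] ^= 0x01                             # one bit of the destination address
    print(why_dropped(bytes(flipped)))              # the outer envelope no longer checks out
```

The point the code makes is the one tame_deuces makes in prose: the sender does control every byte, but every byte has to satisfy the next hop's rules or the packet is dropped before anyone reads the payload, and a reply can only travel back to whatever address the envelope named. Flipping a single bit of the address invalidates the IPv4 checksum; flipping a payload bit invalidates the TCP checksum; random bytes never get past the version field.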