President-Elect Donald Trump may want to ask his 10-year-old son about how hacking really works.
The CIA is now pretty sure that the Russians hacked the Presidential election, not by attacking voting booths and polling places, but through the Democratic National Committee email hack that promoted the slow, steady release of embarrassing emails, which may have swayed public sentiment, if not the vote.
But Donald Trump isn't having any of it.
He doesn't believe the CIA, wonders why the news is just coming out now and, finally, has a theory about how you catch hackers: "In the act."
On one level, Trump's actually right. It's hard to pin down a hacker's identity. It also might help Trump answer his own question: "Why wasn't this brought up before the election?" Clearly, the CIA was looking at the DNC hack as early as June of this year, when the first reports of Russian hackers infiltrating the DNC surfaced. It'd appear that it took all these months for the CIA to reach its conclusion.
It's a conclusion Trump clearly doesn't buy, and off the back of it, may serve as evidence (to him) that the CIA's somehow seeking to undermine his incoming administration by questioning the legitimacy of his presidency (funny, considering Trump long claimed that President Barack Obama wasn't actually an American citizen, before backpedaling that entire series of events during his presidential campaign).
That said? Trump's claim that the surest way to catch a hacker is "in the act" is just plain wrong.
Of course, it'd be awesome if authorities could—like tracing a call in a Hollywood blockbuster ("Keep him talking ... almost got it, almost got it!")—burst in on a hacker, just as he's downloading a destructive payload onto the DNC (and maybe RNC) servers.
But that's just not how hacking works in the 21st century.
Hackers don't have to be connected to your servers to hack them. Usually, all they need is one weak link in the cyber chain: an average person on email, who opened a fake email from "their bank" or "their favorite social network." Then, they followed the link. Since the email wasn't really from their bank or social network but, instead, from a Russian hacker, the opened email dropped a payload on the network, which found its way to the servers.
Once inside, the payload opens a backdoor where a Russian hacker waltzes in, pores over the servers for useful data, and then downloads whatever they can. All of this can happen in minutes. Once they have what they need—such as all of former Hillary Clinton Campaign Chair John Podesta's emails—they pull up their stakes, and try to leave as little evidence as possible.
In the case of the Russian hack, they did leave some bots in place to watch further email and chat traffic, which may be one of the reasons the DNC noticed the hack was happening.
With the help of cybersecurity firm CrowdStrike, the DNC cleaned up its servers. In a July report amusingly entitled Bears in the Midst, the firm identified "Russian intelligence-affiliated adversaries" on the DNC network.
The two "adversaries" were actually a pair of hacking bots known as CozyBear and FancyBear. From the report:
Both adversaries engage in extensive political and economic espionage for the benefit of the government of the Russian Federation and are believed to be closely linked to the Russian government’s powerful and highly capable intelligence services.
Firms like CrowdStrike identify these bits of malware based on digital signatures. The signatures are what pointed them to the Russian government with a high level of confidence. In an interview with Bloomberg News, CrowdStrike CEO George Kurtz said, "We talk about having high confidence, but there's no absolute in cyber security. That's what makes it so hard."
Signatures are one thing, but tracing a hack back to its source is even trickier, because the hackers are usually gone by the time the hack's been discovered. But sometimes, investigators get lucky. Because CrowdStrike found malware active on the DNC servers, they may have been able to collect IP addresses, which they likely shared with authorities (including the CIA).
If the addresses weren't spoofed or piped through the Dark Web, they might have been traceable, or at least may have pointed to a large geographic origin point.
It's not catching someone in the act, but an IP address can, like a paw print in the mud, tell you something about what made the track, and where it came from. That track often ends after one server hop or another, but considering the certainty of the CIA's report to lawmakers, this one may have led much closer to its originator than a typical case.
Steven Morgan, cyber security expert and CEO of Cybersecurity Ventures, agrees that yes, you can track some hackers via IP addresses, but added that the more sophisticated hackers will try to leave behind spoofed IPs built to misdirect investigators. Fortunately, "our intelligence agencies are also very sophisticated and aware of fake footprints. So, if they see something indicating an IP address belonging to a particular (hostile) nation—they'll be especially careful before calling it out," Morgan wrote to me in an email.
So maybe the CIA did get close enough to smell the bear's hot breath.
This is how hacking and cyber sleuthing work. The room where the hacker sat is empty. There is no catching a hacker in the act—just a trace that's followed as keenly and as doggedly as election returns. There's no rushing the truth or the facts, just acceptance.
It's something President-Elect Trump's 10-year-old son probably could have told him.
He is, after all, so good with computers, "it's unbelievable."