Proof of Hacking by Russian Government? Experts Remain Unconvinced By U.S. Report

The FBI and Department of Homeland Security issued a Joint Analysis Report (JAR) on December 29, 2016.  The JAR claims to prove that the Russian government was behind the hacks of the Democratic National Committee and others.  This JAR has failed to convince some cyber-security experts of Russian government complicity.

Prior to issuance of the JAR we took a look at the two sides of the debate regarding Russian government hacking.  Now, we review that debate in light of the new JAR.  We invite readers to further consider whether the U.S. government has proven its claim of hacking by the Russian government.

Does the Joint Analysis Report Prove Hacking by the Russian Government?

The JAR placed specific responsibility on Russian civilian and military intelligence services (RIS) for the compromise and exploitation of “networks and endpoints associated with the U.S. election, as well as a range of U.S. Government, political and private sector entities.”  The JAR claims that “public attribution of these activities to RIS is supported by technical indicators from the U.S. Intelligence Community, DHS, FBI, the private sector, and other entities.”

The JAR provided a generalized description of how two groups, which it labelled APT29 and APT28, conducted their attacks.

APT29 has been observed crafting targeted spearphishing campaigns leveraging web links to a malicious dropper; once executed, the code delivers Remote Access Tools and evades detection using a range of techniques. . . .

APT28 actors relied heavily on shortened URLs in their spearphishing email campaigns. . . .

These actors set up operational infrastructure to obfuscate their source infrastructure, host domains and malware for targeting organizations, establish command and control nodes, and harvest credentials and other valuable information from their targets.


The JAR continued with basic comments regarding the alleged actions by the two groups.  For example, it observed that “at least one targeted individual activated links to malware hosted on operational infrastructure of opened attachments, containing malware.”  The JAR listed “technical details” consisting of malware “signatures” identified through use of the YARA signature-based detection tool.  The JAR also listed specific IP addresses and PHP malware samples used to compromise targets.

The lengthy balance of the JAR consisted of recommended actions and mitigations network administrators should undertake.

Third-Party Analysis of the JAR Conclusions

Wordfence conducted a detailed analysis of the IP addresses and PHP malware samples incorporated into the JAR report.  Wordfence produces a security tool that protects WordPress websites.

Malware Analysis

Wordfence concluded that the malware tools used in the attacks were old and readily available.  They questioned the likelihood of Russian intelligence operatives using the detected malware.

The PHP malware sample they have provided appears to be P.A.S. version 3.1.0 which is commonly available and the website that claims to have authored it says they are Ukrainian. It is also several versions behind the most current version of P.A.S which is 4.1.1b. One might reasonably expect Russian intelligence operatives to develop their own tools or at least use current malicious tools from outside sources. . . .

The malware sample is old, widely used and appears to be Ukrainian.  It has no apparent relationship with Russian intelligence and it would be an indicator of compromise for any website.

IP Address Analysis

Wordfence analyzed the 876 IP addresses that the JAR provided as indicators that compromises occurred.  Wordfence’s conclusion:

The IP addresses that DHS [Department of Homeland Security] provided may have been used for an attack by a state actor like Russia.  But they don’t appear to provide any association with Russia.  They are probably used by a wide range of other malicious actors, especially the 15% of IP addresses that are Tor exit nodes.

Editor’s Note:  Tor exit nodes are the gateways where encrypted Tor traffic hits the internet.  Tor is software that enables anonymous communication.  It directs traffic through a network of more than 7,000 relays.  Tor makes it more difficult to trace activity back to the user.
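The kind of check Wordfence describes above, as an added example (not code from the article or from Wordfence): each published IP indicator is matched against a Tor exit-node list, and the share of indicators that are shared Tor infrastructure is reported, since such addresses could have been used by any Tor user and carry little attribution value on their own. Both lists are constructed sample data, and the CSV column name `indicator` is an assumption.

```python
import csv
import io
import ipaddress

# Constructed sample indicator list (CSV with header; column name is assumed).
SAMPLE_INDICATORS = """indicator,note
198.51.100.10,seen in scanning
198.51.100.11,
203.0.113.5,
203.0.113.6,
192.0.2.77,
192.0.2.78,
not-an-ip,malformed row
"""

# Constructed sample Tor exit list: one address per line, '#' starts a comment.
SAMPLE_TOR_EXITS = """# constructed exit list, not a real one
198.51.100.10
198.51.100.11
203.0.113.5
"""


def parse_ips(text, column=None):
    """Return a set of ip_address objects from a CSV column (if given) or one IP per line."""
    if column is not None:
        rows = (r.get(column, "") for r in csv.DictReader(io.StringIO(text)))
    else:
        rows = (line.split("#", 1)[0] for line in text.splitlines())
    ips = set()
    for raw in rows:
        try:
            ips.add(ipaddress.ip_address(raw.strip()))
        except ValueError:
            continue  # skip blank or malformed rows instead of aborting the triage
    return ips


def triage(indicator_text, tor_exit_text):
    """Label each indicator and report how much of the list is shared Tor infrastructure."""
    indicators = parse_ips(indicator_text, column="indicator")
    tor_exits = parse_ips(tor_exit_text)
    labels = {}
    for ip in sorted(indicators, key=lambda a: (a.version, a)):  # stable v4/v6 ordering
        in_tor = ip in tor_exits
        labels[str(ip)] = "tor-exit: shared infrastructure, low attribution value" if in_tor \
            else "non-tor: candidate for further enrichment"
    tor_count = sum(1 for ip in indicators if ip in tor_exits)
    share = round(tor_count / len(indicators), 3) if indicators else 0.0
    return {"total": len(indicators), "tor_exits": tor_count, "tor_share": share, "labels": labels}
```

Running `triage(SAMPLE_INDICATORS, SAMPLE_TOR_EXITS)` on the constructed data reports 3 of 6 indicators as Tor exits; against a real exit list the same function gives the per-indicator split that the Wordfence figure summarises.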

Analysis By Other Cybersecurity Experts

Other cybersecurity experts have weighed in with views on the JAR.

Jeffrey Carr, a well-known cybersecurity expert, concluded that the JAR:

Adds nothing to the call for evidence that the Russian government was responsible for hacking the DNC, the DCCC, the email account of Democratic party officials, or for delivering the content of those hacks to Wikileaks.

It merely listed every threat group ever reported on by a commercial cybersecurity company that is suspected of being Russian-made and lumped them under the heading of RIS without providing any supporting evidence that such a connection exists.

Regarding malware, Carr notes that “once malware is deployed, it is no longer under the control of the hacker who deployed it. . . . It can be reverse-engineered, copied, modified, shared and redeployed again and again by anyone.”

Carr points out an inference from what was not provided in the JAR:

If the White House had unclassified evidence that tied officials in the Russian government to the DNC attack, they would have presented it by now.  The fact that they didn’t means either that the evidence doesn’t exist or that it is classified.

If it’s classified, an independent commission should review it because this entire assignment of blame against the Russian government is looking more and more like a domestic political operation run by the White House that relied heavily on questionable intelligence generated by a for-profit cybersecurity firm with a vested interest in selling “attribution-as-a-service.”

William Binney created the NSA’s mass surveillance program and served as NSA’s senior technical director.  He observed to Washington’s Blog:

I expected to see the IP’s or other signatures of APT’s 28/29 and where they were located and how/when the data got transferred to them from DNC/HRC [Hillary Clinton]/etc.  They seem to have been following APT 28/29 since at least 2015, so, where are they?

Further, once we see the data being transferred to them, when and how did they transfer that data to Wikileaks?

And . . . once they have the IPs and/or other signatures of 28/29 and DNC/HRC/etc., NSA would use Xkeyscore to help trace data passing across the network and show where it went.

In addition, since Wikileaks is (and has been) a cast iron target for NSA/GCHQ/etc for a number of years there should be no excuse for them missing data going to anyone associated with Wikileaks.

Inferences and Other Things

Russian government interference in a U.S. Presidential election, if it occurred, would be a serious matter.  Yet, reaction by the Obama Administration to the claimed Russian attack was muted.  It primarily consisted of diplomatic expulsions and narrowly targeted sanctions, largely symbolic actions.  The Obama Administration’s lack of response disturbed U.S. political leaders on both sides of the aisle.  Senators Lindsey Graham and John McCain released a joint statement calling the sanctions a “small price for Russia to pay for its brazen attack on American democracy.”

The Democratic National Committee stated that “these intrusions were not just ‘hacks’.  They were attacks on the United States by a foreign power and should be treated as such.  Therefore, [the new sanctions taken] by the White House [are] insufficient.”

As we previously noted, the tools and techniques relied upon as proof of Russian complicity are inconclusive.  John McAfee, founder of software company McAfee Associates, agrees.  McAfee stated that “any hacker who had the skills to hack into the DNC would also be able to hide their tracks.”  It is easy to fake “any markers” that could lead back to them.

If I was the Chinese and I wanted to make it look like the Russians did it, I would use Russian language within the code, I would use Russian techniques of breaking into the organization. . . . There simply is no way to assign a source for any attack.

As a matter of completeness we must report that WikiLeaks founder Julian Assange continues to deny Russian government involvement.  He asserts that “our source [for publication of the DNC and related emails] is not the Russian government and it is not a state party.”  Readers should reach their own conclusion regarding Mr. Assange’s veracity.

What’s Your View of this Debate?

Are you convinced by the U.S. government report?  Or do you think that the report is long on words but short on detail?  Did the Russians do it?
