The ‘Russian hacking’ story gets curiouser and curiouser


The perpetual ‘Red Scare’ mentality that has sustained the high levels of US military spending for a century has taken a curious turn. The basic charge is that the Russian government materially involved itself in the US presidential election by hacking into the websites of the Democratic party, and especially the emails of Hillary Clinton’s campaign chair John Podesta, and released those emails through WikiLeaks in order to hurt her campaign and aid in the election of Donald Trump, and that the Russian government was actively in communication with the Trump campaign. An additional charge against the Russians is that they doctored some of the documents leaked through WikiLeaks to make them look worse than the originals and that they also helped in the dissemination of fake news.

It has become almost an article of faith in some liberal and Democratic circles that this charge is true. The problem is that the charges are based on anonymous leaks, some of them of highly dubious origin like the shady group PropOrNot that the Washington Post in particular has heavily promoted, though in recent days the paper has made a cryptic addition to that story distancing themselves from it.

Meanwhile, president Obama has called for a full probe of these charges. This is undoubtedly a good thing but only if, as Jeremy Scahill and Jon Schwarz write, the results of the probe are made public and the evidence is declassified and made public as well. Too often, all we get are the conclusions with all the evidence redacted and the plea to trust the government’s version of events.

HERE ARE TWO of political history’s great constants: first, countries meddling in the internal affairs of others (both enemies and “friends”); and, second, bogus charges from a faction in one country that foreigners are meddling in its internal affairs to help another faction.

Both are poison for any country that wishes to rule itself.

So if we’re serious about being a self-governing republic, we have to demand that President Obama declassify as much intelligence as possible that Russia may have intervened in the 2016 presidential election.

Taking Donald Trump’s position — that we should just ignore the question of Russian hacking and “move on” — would be a disaster.

Relying on a hazy war of leaks from the CIA, FBI, various politicians, and their staff is an equally terrible idea.

A congressional investigation would be somewhat better, but that would take years — like the investigations of the intelligence on Iraq and weapons of mass destruction — and would be fatally compromised by the Democrats’ political timidity and GOP opposition.

The only path forward that makes sense is for Obama to order the release of as much evidence as possible underlying the reported “high confidence” of U.S. intelligence agencies that Russia both intervened in the election and did so with the intention of aiding Trump’s candidacy.

What is curious is how various factions have lined up on this issue. Most Republicans would normally be extremely anti-Russian but in this case many of them, and especially those close to the Trump camp, are decidedly downplaying the charge. The Republican chair of the House Intelligence committee says that he sees no reason to open a new probe. Meanwhile, Democrats are ramping up anti-Russian feeling.

The CIA, another source whose credibility is hardly unimpeachable, has added to the story by anonymous leaks to the media that support the Russian hacking charge. Glenn Greenwald condemns this kind of uncritical reporting of anonymous sources.

THE WASHINGTON POST late Friday night published an explosive story that, in many ways, is classic American journalism of the worst sort: The key claims are based exclusively on the unverified assertions of anonymous officials, who in turn are disseminating their own claims about what the CIA purportedly believes, all based on evidence that remains completely secret.

Deep down in its article, the Post notes — rather critically — that “there were minor disagreements among intelligence officials about the agency’s assessment, in part because some questions remain unanswered.” Most importantly, the Post adds that “intelligence agencies do not have specific intelligence showing officials in the Kremlin ‘directing’ the identified individuals to pass the Democratic emails to WikiLeaks.” But the purpose of both anonymous leaks is to finger the Russian government for these hacks, acting with the motive to defeat Hillary Clinton.

Needless to say, Democrats — still eager to make sense of their election loss and to find causes for it other than themselves — immediately declared these anonymous claims about what the CIA believes to be true, and, with a somewhat sweet, religious-type faith, treated these anonymous assertions as proof of what they wanted to believe all along: that Vladimir Putin was rooting for Donald Trump to win and Hillary Clinton to lose and used nefarious means to ensure that outcome. That Democrats are now venerating unverified, anonymous CIA leaks as sacred is par for the course for them this year, but it’s also a good indication of how confused and lost U.S. political culture has become in the wake of Trump’s victory.

Greenwald also writes that while the ‘fake news’ label has been applied to the output of Macedonian teenagers out to make a quick buck, that label could well be applied to what are considered mainstream US media outlets and even to people supporting the Clinton campaign who spread a false story that Clinton’s speeches to Goldman Sachs had been doctored and placed the blame on WikiLeaks for it, though that organization had never published the document.

But the person who created that forged Goldman Sachs transcript was not a “Trumpist” at all; he was a devoted supporter of Hillary Clinton. In the Daily Beast, the person behind the anonymous “The Omnivore” account unmasks himself as “Marco Chacon,” a self-professed creator of “viral fake news” whose targets were Sanders and Trump supporters (he specialized in blatantly fake anti-Clinton frauds with the goal of tricking her opponents into citing them, so that they would be discredited). When he wasn’t posting fabricated news accounts designed to make Clinton’s opponents look bad, his account looked like any other standard pro-Clinton account: numerous negative items about Sanders and then Trump, with links to many Clinton-defending articles.

As if this whole story is not confusing enough, it further looks like the FBI, or at least many of its senior people, have lined up against Clinton while the CIA has taken her side and against the Russians. We are witnessing a battle of anonymous leaks between two major government agencies and any investigation will have to arbitrate between these two competing powerful organizations.

What is highly disturbing are the charges that are being leveled at anyone who merely asks that the evidence of Russian government hacking be made public, that they are either agents of Russia or dupes. That is a classic and despicable Cold War tactic, where the motives of the US must always be assumed to be noble while that of the enemies are always evil and no evidence need be provided for either claim.

Comments

  1. GenghisFaun says

    Annoyingly, whether or not Russians were involved, Dems gloss over the fact that Hillary should be held responsible for putting her emails in a position to be hacked. She hurt her chances in the election, not the Russian government or any other bogeyman responsible for the hack.
    Is potential election tampering by a foreign power disturbing? Yes. Would Dems be crying foul if the alleged tampering had helped Hillary win? I doubt it. Are Dems learning anything from the election results? I fear not.

  2. Hj Hornbeck says

    It has become almost an article of faith in some liberal and Democratic circles that this charge is true. The problem is that the charges are based on anonymous leaks, some of them of highly dubious origin like the shady group PropOrNot that the Washington Post in particular has heavily promoted, though in recent days the paper has made a cryptic addition to that story distancing themselves from it.

    Oh no, there’s a lot more than just anonymous leaks. There’s CrowdStrike‘s public statements.

    Nearly two months earlier, in April, the Democrats had noticed that something was wrong in their networks. Then, in early May, the DNC called in CrowdStrike, a security firm that specializes in countering advanced network threats. After deploying their tools on the DNC’s machines, and after about two hours of work, CrowdStrike found “two sophisticated adversaries” on the Committee’s network. The two groups were well-known in the security industry as “APT 28” and “APT 29.” APT stands for Advanced Persistent Threat—usually jargon for spies.

    CrowdStrike linked both groups to “the Russian government’s powerful and highly capable intelligence services.” APT 29, suspected to be the FSB, had been on the DNC’s network since at least summer 2015. APT 28, identified as Russia’s military intelligence agency GRU, had breached the Democrats only in April 2016, and probably tipped off the investigation.

    PropOrNot’s findings are backed up by a trio of authors blogging at War On The Rocks, two of which recently did a write-up for Politico.

    As analysts who have spent years studying Russia’s influence campaigns, we’re confident the spooks have it mostly right: The Kremlin ran a sophisticated, multilayered operation that aimed to sow chaos in the U.S. political system, if not to elect Trump outright. But you don’t need a security clearance or a background in spycraft to come to that conclusion. All you need to do is open your eyes. […]

    It wasn’t by hacking election machines or manipulating the results, as some have suggested. That would be too crude. The Kremlin’s canny operatives didn’t change votes; they won them, influencing voters to choose Russia’s preferred outcome by pushing stolen information at just the right time—through slanted, or outright false stories on social media. As we detail in our recent report, based on 30 months of closely watching Russia’s online influence operations and monitoring some 7,000 accounts, the Kremlin’s troll army swarmed the web to spread disinformation and undermine trust in the electoral system.

    And America was just the latest target. These “active measures” are techniques Moscow has honed for decades, continually adapting its formula to changing technology and new circumstances. All of it is in service of Putin’s grand strategy of breaking up the European Union and NATO from the inside out—without even firing a shot.

    And while these sources are anonymous, the findings of the CIA seem to be the opinion of European spy agencies too.

    Officials from two European countries tell Newsweek that Trump’s comments about Russia’s hacking have alarmed several NATO partners because it suggests he either does not believe the information he receives in intelligence briefings, does not pay attention to it, does not understand it or is misleading the American public for unknown reasons. One British official says members of that government who are aware of the scope of Russia’s cyberattacks both in Western Europe and America found Trump’s comments “quite disturbing” because they fear that, if elected, the Republican presidential nominee would continue to ignore information gathered by intelligence services in the formulation of U.S. foreign policy. […]

    All of the NATO allies are sure Russia is behind the hacking. All of America’s intelligence agencies are, too. The foreign intelligence services had been sharing what they knew about this with the Americans, and Trump had been told about it. But he blithely dismissed the conclusion of not only the United States but its allies as well, based on absolutely nothing. Trump had no apparent means of developing his own information to contradict the findings of intelligence agencies around the world. And that he would so aggressively fight to clear Putin and cast aspersions on all Western intelligence agencies, left the British officials slack-jawed.

    “They didn’t know what to think,” says one former British official who has spoken to numerous members of the government about Trump’s comments in that debate. “A lot of people are now trying to connect the dots of all the data [in the intelligence files] to try and understand Trump…. There certainly are a lot of conspiracy theories being bandied about, but no question there is a lot of concern about what’s going on in Trump’s head…and whether we would be able to work with him.”

  3. Hj Hornbeck says

    Hell, we even know how the hackers got the emails, which is rare for these sort of investigations.

    The data linking a group of Russian hackers—known as Fancy Bear, APT28, or Sofacy—to the hack on Podesta is also yet another piece in a growing heap of evidence pointing toward the Kremlin. And it also shows a clear thread between apparently separate and independent leaks that have appeared on a website called DC Leaks, such as that of Colin Powell’s emails; and the Podesta leak, which was publicized on WikiLeaks.

    All these hacks were done using the same tool: malicious short URLs hidden in fake Gmail messages. And those URLs, according to a security firm that’s tracked them for a year, were created with Bitly account linked to a domain under the control of Fancy Bear.

    And have you forgotten about the time 17 US intelligence agencies teamed up to issue a joint statement?

    The U.S. Intelligence Community (USIC) is confident that the Russian Government directed the recent compromises of e-mails from US persons and institutions, including from US political organizations. The recent disclosures of alleged hacked e-mails on sites like DCLeaks.com and WikiLeaks and by the Guccifer 2.0 online persona are consistent with the methods and motivations of Russian-directed efforts. These thefts and disclosures are intended to interfere with the US election process. Such activity is not new to Moscow—the Russians have used similar tactics and techniques across Europe and Eurasia, for example, to influence public opinion there. We believe, based on the scope and sensitivity of these efforts, that only Russia’s senior-most officials could have authorized these activities.

    While attribution is really hard online, It’s about as obvious as it can get that the Russians were trying to tamper with the election via spreading the DNC emails around, and blasting out fake news.

    Also, it’s important to note where the FBI and CIA differ. It’s not over whether or not the Russians engaged in hacking.

    The FBI does not dispute that the CIA’s assessment could be accurate, said a U.S. official with knowledge of the matter. The difference lies in the institutional standards the agencies require in reaching such conclusions. While the CIA develops assessments based on a broad interpretation of available data, the FBI, as a law enforcement agency, requires a standard of proof that could sustain a possible criminal prosecution.

    There have been differences, the official said, in how much weight to ascribe a range of possible motives: Were the Russians specifically seeking to tilt the election in favor of Trump? Was the effort designed to damage Democratic nominee Hillary Clinton’s future ability to govern, believing that she was destined to win? Or was the operation a hedging of bets to sow confusion and undermine confidence in the process?

    Of the assessment that the Republican Party systems were likely breached, the official said the picture is not entirely clear. While not dismissing the intelligence community’s conclusion, the official said a more definitive determination has not yet been reached.

  4. Hj Hornbeck says

    [Whoops, one clarification: European intelligence thinks the Kremlin’s plan was to divide the political Left (via Kurt Eichenwald, the FBI thinks the Kremlin was just trying to disrupt the election (New York Times), while the CIA now thinks the goal was to elect Donald Trump (Washington Post). So when I said “the findings of the CIA seem to be the opinion of European spy agencies too,” I meant they agreed that Russia meddled, not the motivations for that meddling.]

  5. Hj Hornbeck says

    Last citation, I promise.

    An examination by The Times of the Russian operation — based on interviews with dozens of players targeted in the attack, intelligence officials who investigated it and Obama administration officials who deliberated over the best response — reveals a series of missed signals, slow responses and a continuing underestimation of the seriousness of the cyberattack. […]

    While there’s no way to be certain of the ultimate impact of the hack, this much is clear: A low-cost, high-impact weapon that Russia had test-fired in elections from Ukraine to Europe was trained on the United States, with devastating effectiveness. For Russia, with an enfeebled economy and a nuclear arsenal it cannot use short of all-out war, cyberpower proved the perfect weapon: cheap, hard to see coming, hard to trace.
    “There shouldn’t be any doubt in anybody’s mind,” Adm. Michael S. Rogers, the director of the National Security Agency and commander of United States Cyber Command said at a postelection conference. “This was not something that was done casually, this was not something that was done by chance, this was not a target that was selected purely arbitrarily,” he said. “This was a conscious effort by a nation-state to attempt to achieve a specific effect.”

  6. Dunc says

    Craig Murray maintains that the DNC emails were provided to Wikileaks by a DNC insider, and that he knows this because he has spoken with the leaker personally. He is quoted in the Guardian here:

    Craig Murray, the former UK ambassador to Uzbekistan, who is a close associate of Assange, called the CIA claims “bullshit”, adding: “They are absolutely making it up.”

    “I know who leaked them,” Murray said. “I’ve met the person who leaked them, and they are certainly not Russian and it’s an insider. It’s a leak, not a hack; the two are different things.

    “If what the CIA are saying is true, and the CIA’s statement refers to people who are known to be linked to the Russian state, they would have arrested someone if it was someone inside the United States.

    “America has not been shy about arresting whistleblowers and it’s not been shy about extraditing hackers. They plainly have no knowledge whatsoever.”

    Now, Craig may be a lot of things, but he’s not a liar, he’s not gullible, and I’m pretty certain that he’s not a Russian agent. I certainly trust him more than I trust anonymous leaks from the CIA, unnamed “intelligence officials”, or anybody at CrowdStrike.

  7. lanir says

    @HJ Hornbeck:

    Okay… That’s a lot of data. Skeptical hat on.

    — Crowdstrike: The linked article oddly seems to think basing the investigation on another investigation is the best evidence pointing toward a particular conclusion. Usually this is only considered a loose corroboration. And for the less technical readers, 176.31.112.10 is a French IP address. If it’s a known Kremlin spy gateway then I’d expect a lot more evidence from it or to hear that it had been shut down. I stopped reading at about this point because really… I expect evidence when people say they have evidence, not smoke and mirrors.

    — PropOrNot & War On the Rocks: PropOrNot’s credibility has been very effectively eviscerated by this Intercept article. The War On the Rocks piece does not support anything except it’s own existence. It’s a pure sales piece. It doesn’t take much to see that. Look at the language. Or as they prefer, “you just have to open your eyes.” They argue/imply that the Russians are supermen who not only know everything anyone else knows but also that they win even by losing. Whether you agree with the opinion they express or not, I hope you can see how this will never prove anything to me because it’s pure hyperbole.

    I stopped digging after this. You may have made a strong point later but this is what you lead with and it was rubbish.

  8. patrick2 says

    Democrats seem to be using the hack at the moment to shift the blame for their loss to something other than themselves. Whether the hack was by Russians or not, the stuff it revealed was not as bad as what was revealed about Trump, yet the Democrats lost anyway. They really have nobody but themselves to blame for that.

  9. Hj Hornbeck says

    Dunc @6:

    I certainly trust him more than I trust anonymous leaks from the CIA, unnamed “intelligence officials”, or anybody at CrowdStrike.

    You didn’t Google CrowdStrike, did you?

    CrowdStrike is the leader in cloud-delivered next-generation endpoint protection. CrowdStrike has revolutionized endpoint protection by being the first and only company to unify next-generation antivirus, endpoint detection and response (EDR), and a 24/7 managed hunting service — all delivered via a single lightweight agent. … Core to its innovative approach is the CrowdStrike Threat Graph™ which analyzes and correlates over 27 billion events per day from millions of sensors deployed across more than 170 countries, uniquely providing crowdsourced protection for the entire customer community.

    Many of the world’s largest organizations already put their trust in CrowdStrike, including three of the 10 largest global companies by revenue, five of the 10 largest financial institutions, three of the top 10 health care providers, and three of the top 10 energy companies.

    I think I’d trust a well-established company that specializes in online security over the former UK ambassador to Uzbekistan, at least when it comes to the topic of online security. If I want to know about Uzbekistan, different story.

    Also, you seem to have missed something, in the links I quoted above:

    The U.S. Intelligence Community (USIC) is confident that the Russian Government directed the recent compromises of e-mails from US persons and institutions, including from US political organizations.

    The USIC includes the CIA, part of the FBI, the NSA, the Office of Naval Intelligence, and twelve other intelligence-gathering organizations. Are you telling me every one of those is blindly deferring to the CIA? That the heads of each of those organizations, which must have had a final say in issuing that joint statement, are anonymous? Because I think you just made LtGen Vincent R. Stewart feel sad and ignored.

  10. Dunc says

    I didn’t need to Google CrowdStrike, I’ve been aware of them for some time. They have a remarkable ability to almost instantly attribute cyber attacks to whichever nation state the US intelligence community happens to be most interested in at the time. I’ve read some of their papers, and the evidence and arguments they make public are not hugely convincing.

    On the other hand Craig Murray claims to have spoken personally to the leaker in this case. It’s not a question of what he knows about online security, because he’s not relying on IT forensics for attribution.

    It is, of course, possible that both sides are right. Russian hackers and internal leaks are not necessarily mutually exclusive.

  11. sssss sssssss says

    So having just watched Trump win the election using blatant lie after blatant lie left-wingers get a story dropped in their laps which could be used to attack and delegitimize his entire presidency and what do they do with it? Waste their time fretting over whether or not the allegations are true.

    God I hate my side sometimes.

  12. Hj Hornbeck says

    lanir @7:

    The linked article oddly seems to think basing the investigation on another investigation is the best evidence pointing toward a particular conclusion.

    An “investigation on another investigation?” That was a news report of an investigation, by someone technically savvy. The best evidence is in that original investigation from Crow-

    Whoops, my mistake. I forgot that multiple private security companies have done investigations into this. In addition to CrowdStrike, we have SecureWorks. They’ve been in the biz since 1999, were purchased by Dell in 2011, claim to have “~4,300 clients in 58 countries,” and raised $112 million in a recent IPO. I don’t see much controversy around them, unlike CrowdStrike.

    And for the less technical readers, 176.31.112.10 is a French IP address.

    I didn’t know your CnC had to be in your country of origin by law. Taking over a virtual server used to host someone’s shitty web app sounds like a great way to anonymize your origin. And, wouldn’t you know it, that IP belongs to the “number 3 internet hosting company in the world” (“250 000 servers” and “18M web applications hosted” make for a wonderful place to hide).

    If it’s a known Kremlin spy gateway then I’d expect a lot more evidence from it or to hear that it had been shut down.

    It’s shut down as I type this, sorta. No response to pings and none of the usual internet ports are open, though it looks like there’s some activity on the higher ports. That’s probably remote VM maintenance stuff.

    You may have made a strong point later but this is what you lead with and it was rubbish.

    SecureWork’s report is rubbish? Looks pretty good to me; one of the Russian hackers got careless and used a public Bitly URL redirection account; once SecureWorks had one of the URLs in their hand, they could track down the account and read what it had done.

    Publicly available Bitly data reveals how many of the short links were clicked, likely by a victim opening a spearphishing email and clicking the link to the fake Gmail login page. Only 20 of the 213 short links have been clicked as of this publication. Eleven of the links were clicked once, four were clicked twice, two were clicked three times, and two were clicked four times.

    Those URLs were sent to Hillary for America and the DNC. SecureWorks say they can link the group behind this to some attacks on the White House, the German parliament, and Angela Merkle’s political party. Hmm, doesn’t Putin have a thing about Merkle?

  13. says

    Hj Hornbeck@#10:
    I think I’d trust a well-established company that specializes in online security over the former UK ambassador to Uzbekistan

    I wouldn’t. US infosec companies are notorious for letting their marketing departments publish irresponsibly sloppy attributions in order to get media attention. What should matter is what evidence is presented and how the evidence leads to a solid attribution matching events, effect, tools, method, and intent to show benefit.

    Not specifically at Hj Hornbeck:
    There are so many things about this whole story that are distressingly badly reported. Everyone is doing a terrible job – including The Intercept, I’m sad to say. For example, Sam Biddle drops this nugget of silliness:

    It’s highly unusual for evidence of a crime to be assembled on the victim’s dime.

    As someone who has worked incident responses for major breaches (including 2 that I am fairly sure everyone on this blog would recognize) that’s exactly the opposite of the truth: the incident responders, whether CrowdStrike or an independent consultant, are trying to figure out events, effects, tools, method, and benefit for an attack — it’s hard to make useful recommendations on how to prevent future attacks unless you figure out those factors. What is not typical is for a consultant to go public about the details of a client’s breach without their permission (I would never dream of even asking!) so my suspicion is that critical information is not being presented and we’re only getting a partial picture at best. At best.

    The Russian-ness of “Guccifer” is a farce – it’s as farcical as the North Korean-ness of the Sony hackers. If I was trying to fuzz attribution for an attack, I’d have a couple of friends I know help me out, friends who are fluent in Heian Period court Japanese. But that’s because I’m a surrealist with a sense of humor. You need to realize that some of these attributions are so poor that they are basically “the computer that created this document had the Korean keyboard setup enabled.” Well, if you want to do that, just click on Control Panel->Region and Language and have fun: it’ll take you at most a minute. As far as Guccifer being Russian: these things are so silly they hurt. How long do you think it would take any of us to find a language-speaking native and set up a chat stream between them and a reporter, and another window to the person feeding them what to say? I could get you an interview with a North Korean-sounding “hacker” in a day, no problem. Russian-sounding would be even easier. And as far as laundering IP addresses, shit, there’s a whole industry around selling proxy server access and a black market for VPN credentials – you want a romanian IP address? You can have one for under $50 in a couple hours. (take a look at http://gatherproxy.com/proxylist/country/?c=Romania that’s a public-facing example; if you want a nailed IP address you’d have to go on the darkweb and spend a fraction of bitcoin)

    With regard:
    The U.S. Intelligence Community (USIC) is confident

    Most of the USIC couldn’t find its ass in a paper bag if it had a flashlight and a map. But even if they did, they would report based on political considerations, not technical ones. In case it eluded anyone’s attention, the FBI and the CIA are playing politics and both were playing politics in the last election. The NSA was also, BTW. “How so!?” you ask, “the NSA didn’t say anything!!!” you say. Exactly. The USIC is separate fiefdoms that do not cooperate unless it’s in their bureaucratic interest to do so, and when one (e.g.: FBI) starts playing politics, the others which compete with that one may play politics back. Remember Watergate? What took down Nixon was a pissing match between CIA and FBI. This is nothing new.

    Craig Murray maintains that the DNC emails were provided to Wikileaks by a DNC insider, and that he knows this because he has spoken with the leaker personally.

    I would find an insider leaker vastly more likely than an outside leaker. But I would expect the political reaction to be completely mis-directed because the idea of an insider being disloyal to the machinery: unthinkable. Therefore, it must be Russians.

    The Russians managed to send the whole US intelligence apparatus into a feeding frenzy on its own muscles back in the cold war: an agent provocateur convinced James Jesus Angleton (head of CI for CIA) that there was a mole. There was no mole, it was just a way of making Angleton go into paranoid spasms of purging people. Very clever. If there’s a Russian plot going on, it could be simply that the Russians have decided to give the Dems and Repubs and CIA and FBI a good chance to distrust eachother a little bit more, while laughing at the keystone kops routine that ensues. If you want a plausible scenario, that’s one. After all the Russians have done that before. Possibly several times.

    SecureWork’s report is rubbish? Looks pretty good to me; one of the Russian hackers got careless and used a public Bitly URL redirection account

    If the “Russian” hackers are so good, they would not make such a mistake “accidentally”. Or they’re not so good. So, we have a contradiction: they are fantastic hackers, but they have such bad tradecraft that they make basic mistakes that attribute them as Russian.

    The SecureWorks report is not rubbish but it’s rubbish-y – what they are saying is that certain people were using the same types of attacks and therefore it’s the same people. That doesn’t fly at all. Lots of hackers use bit.ly to shorten and mask URLs. Like, pretty much all of them. Lots of hackers use phishing. Like, pretty much all of them. The only way I’d be willing to attribute specific spearphish attacks to a particular attack group is if the message-IDs mapped to a server log record that had the same originating address, and the messages were the same and fingerprints on the MUA matched and – even then I’d be skeptical (because it’s really easy to resend someone’s phish!) I know hackers who have done spearphishing campaigns by stealing someone else’s spearphish and just re-launching it at different targets.

    Key point from The Intercept article:
    much of the evidence has been drawn from publicly available data like the hacked emails and documents.

    …. which is why I call bullshit on the whole stinking story. You can’t do anything remotely resembling a good enough attribution based on stuff like message-IDs and server IPs in email headers. At the very least you need corroborating log data from intermediate servers (and intermediate servers are really suspicious)

    The sort of things they say, I.e.: “An IP address associated with threat group fuzzy wuzzy”
    is complete shit, too. The last time I did forensics on an intermediate hacker system, there were signs of at least 3 and maybe as many as 5 different hacker groups using it. A lot of the time what happens when an intermediate box gets rooted is credentials to the box are sold on the darkweb. So you may have one guy running spearphish from there and another group selling and staging credit cards, and another group using it as a command/control server for a botnet. Sure, sometimes you have an intermediate machine that’s solely owned and operated, but unless you’ve got the forensics from the intermediate machine nobody knows anything.

    Let me finish (I could go on all night but it’d be boring) by dissecting a sample fewmet from The Intercept article, to illustrate how sloppily people are thinking about this stuff:

    Metadata in a file leaked by “Guccifer 2.0″ shows it was modified by a user called, in cyrillic, “Felix Edmundovich,”

    OH IT MUST BE A RUSSIAN BECAUSE HE USED A CYRILLIC CHARACTER SET ON HIS FAKE NAME.
    See how stupid this is? The hacker fakes his name and the journalist goes “ooh, how clever” but then assumes that the character set still means something.

    It’s all fake.

  14. says

    I didn’t know your CnC had to be in your country of origin by law. Taking over a virtual server used to host someone’s shitty web app sounds like a great way to anonymize your origin.

    There are services that facilitate exactly that, though most hackers will take over a computer and use it as an intermediate or buy one on the darkweb. Usually just take one over.

    Let me tell you how hard it is: you grab a copy of Nessus and Metasploit and decide what country you want to appear to be in. Did you say Croatia? Ok, an ISP in Croatia is Metronet AS so you look up the address ranges they sell hmmmm…. http://whoisip.ovh/212.92.219.28 looks good! Then you Nessus scan all of 212.92.219 and see if you find a vulnerable system. If you do, you use the vuln identified by Nessus to use an exploit from Metasploit and drop your favorite remote control code on it, perhaps Zeus. Congratulations, you’re now a Croatian hacker. Don’t forget to change your character set in your keyboard mappings and use a name like – whups bummer “anarchists in croatia” came up dry on google. But you get the idea. jebi sustav!

  15. Hj Hornbeck says

    Marcus Ranum @14:

    The USIC is separate fiefdoms that do not cooperate unless it’s in their bureaucratic interest to do so, and when one (e.g.: FBI) starts playing politics, the others which compete with that one may play politics back. Remember Watergate? What took down Nixon was a pissing match between CIA and FBI. This is nothing new.

    Well yeah, the two have radically different cultures. The FBI is pretty anti-Clinton, as evidenced by Comey and the folly of their New York office, while the CIA is theoretically non-partisan but would probably favor someone who reads their security briefs and keeps getting called a “hawk.” If the two agencies agree on something, it’s probably not a political power-play but something legit.

    The positions of Comey and Clapper were revealed in a message that CIA Director John Brennan sent to the agency’s workforce Friday.

    “Earlier this week, I met separately with FBI [Director] James Comey and DNI Jim Clapper, and there is strong consensus among us on the scope, nature, and intent of Russian interference in our presidential election,” Brennan said, according to U.S. officials who have seen the message.

    The CIA and the FBI declined to comment on Brennan’s message or on the classified intelligence assessment that CIA officials shared with members of the Senate Intelligence Committee earlier this month, setting off a political firestorm.

    Hmmm, but that relies on an anonymous source. At least we have another way to dismiss these changes: if this really was playing politics with the US election, then we shouldn’t be able to find another instance where the Kremlin tried to influence a foreign election. It’s ridiculous to claim Russia tried to interfere with a foreign power, when they have no track record of doing so.

    EU foreign ministers mulled their next moves on the Ukraine crisis in Brussels on Monday after the German chancellor, Angela Merkel, delivered her most robust and pessimistic public condemnation of Putin to date, warning that the Kremlin was seeking to spread its sphere of influence not only in the former Soviet states of Georgia and Moldova, but also to Serbia and Bosnia.

    The foreign ministers decided to freeze the assets of and blacklist several more Russia-backed separatist leaders in eastern Ukraine, although more substantial penalties for the Russian economy will probably have to wait until the new year.

    Moscow has notched up notable gains in Hungary, an EU and Nato member, where the government negotiated secret loans from the Russians, awarded nuclear power contracts to the Russian state atomic conglomerate, and where parliament a fortnight ago gave a green light to Russia’s key gas pipeline project in Europe, defying blocking orders from Brussels.

    They also tried to fiddle with the Brexit vote and funded Le Pen’s far-Right party in France, too, but I’m on a link budget.

    Anyway, there’s one last signal we can rely on: the right-wing Noise Machine would never defect from Herr Trump’s party line, unless the evidence was pretty damn strong.

    Despite Fox’s campaign to cast doubt on the possibility of the Russian government seeking to undermine American elections, a December 15 report from chief intelligence correspondent Catherine Herridge said that “Fox News has independently confirmed that Russian backed cyber-militias were targeting US systems and influential US persons in the summer of 2015,” an operation which “evolved into an effort to interfere in the US election … sanctioned by the highest levels of the Russian government.”

    *throws a sheaf of papers into the air in disgust*

Leave a Reply

Your email address will not be published. Required fields are marked *