The Obama administration is – brilliantly – punishing Russia for “hacking” the US election by censuring a few intelligence officers and forcing them to close a “luxurious 45-acre compound” in Maryland.
In other words: “We shut down your summer vacation palace, nyuk nyuk!” Holy crap, that’s gonna teach ’em!!
Of course, it’s going to cost the Russians some money (assuming they own the property, and that it’s not a loaner) and they’re going to have to find another love-shack on the Chesapeake Bay. This is not even a slap on the wrist – it’s bizarre – it’s like: “I am waving a wet noodle at your wrist and calling it a flogging!”
I’ve been waiting with bated breath* for the US administration’s retaliation for alleged Russian interference with the 2016 election. And, I’m sure none of you will be surprised that I am disappointed in pretty much every respect. First off, it’s politically weak. Secondly, it’s obviously weak: the US could have used the opportunity to re-engage with the topic of cyberwar standards and treaties among the superpowers (as China and Russia suggested back in 2011). Then, the evidence is weak – I’ll get to that – and lastly, and most importantly, it doesn’t do anything to actually improve the situation. All the US does is set up the doctrine that “we may retaliate at random if we feel like it,” which is a terrible precedent and very poor leadership.
The US has a terrible leadership problem, when it comes to being the pot that calls the kettle “black.” As the world has seen, in the last 5 years, the US NSA and UK GCHQ have decided that their mission is to hack whatever they want. Here I’m not referring just to the Snowden leaks; the US and UK have been pretty unapologetic about (for example) spying on foreign heads of state, diplomatic talks, and corporate negotiations. As Barack Obama said when Angela Merkel complained about the NSA compromising her cell phone, “that’s how it’s done.” I’m surprised that the North Koreans, Russians and Chinese have bothered to say “we didn’t do it!” when accused of cyberattacks when they could just repeat Barack Obama’s Arkell V. Pressdram style response. The US’ inconsistency about complaining also shows poor leadership: when Israeli spies are caught, they are quietly imprisoned with a minimum of fanfare. Meanwhile, the most damaging espionage against US strategic interests remains home-grown: many Americans seem willing to sell secrets for bargain-basement prices, or to give them away outright. The US’ efforts against WikiLeaks (which, nobody in Washington seems to have noticed, is headed by an Australian) are ineffective, yet the accusations against Russia were expanded to, of course, include WikiLeaks. WikiLeaks is being treated as though it were a state.
Here’s what I think the US should have done:
- Begin discussions with China, Russia, and the EU regarding standardization of international cybercrime laws, including defining what actions by governments are illegal.
- Establish a standard of attribution for how the US will determine to its satisfaction that a cyberwar/cybercrime was state-sponsored. This should include the type of system and method descriptions and analysis that will be provided; it should also include third party assessment of attribution. Understanding that evidence for attribution will not usually be of the type that can be presented and challenged in a court of law, it is important to establish how the evidence that does exist is presented, and its quality and reliability.
- Establish a standard of retorsion** for how the US will retaliate for economic or political damage: what is the process whereby the US will assess the damage it has suffered and how will it respond.
- Establish government-sponsored hardened system configuration doctrines for certain critical processes, including political email, file-sharing, and messaging. This would be kept up-to-date including management of vulnerabilities, by the NSA with validation and input from non-government cybersecurity experts.*** The hardened system doctrine would be oriented to provide attribution in accordance with 2) above – i.e.: if there’s a cluster of such systems an attacker can know that they are being watched in various ways and that the results may be presented as evidence, since that evidence has already been established as publication-worthy.
The last point is a serious one: the best way to “hurt” a cyber-opponent is to improve your defenses. It keeps out the riff-raff but also raises their cost to break in, and raises the likelihood that they will be identified credibly if that happens.
What bothers me the most about the administration’s announcement regarding how they are “dealing with” the alleged Russian electoral manipulation: they’re not actually doing anything that will help the problem.
The FBI/Department of Homeland Security Joint Announcement is also pretty lame, and also doesn’t do anything that will help the problem. It’s more of the same finger-pointing as we’ve seen before:
- The alleged Russians used phishing attacks
- The alleged Russians used malware that alleged Russians have used before
- The alleged Russians used IP addresses that are common to other alleged Russians
I know I sound like a broken record but: pretty much every hacker uses phishing attacks, pretty much every hacker uses malware (and the stuff the alleged Russians allegedly used is fairly common malware) and pretty much every hacker uses proxies to access command/control nodes that are compromised systems (and they use the same ones because: why not?).
The DHS/DNI statement, for example, reads:
The recent disclosures of alleged hacked e-mails on sites like DCLeaks.com and WikiLeaks and by the Guccifer 2.0 online persona are consistent with the methods and motivations of Russian-directed efforts. These thefts and disclosures are intended to interfere with the US election process. Such activity is not new to Moscow—the Russians have used similar tactics and techniques across Europe and Eurasia, for example, to influence public opinion there.
Note that WikiLeaks, at least, under the leadership of Julian Assange**** has overtly stated that it was anti-Clinton. So, by specifically mentioning WikiLeaks, the DHS is attempting to imply that they are part of the Russian operation – but that’s contradicted somewhat by WikiLeaks (per Assange) already saying it wanted to influence the election. I have a perfectly credible theory about Assange, namely that he’s an anti-government hipster who appears to hate some politicians slightly more than others – but his actions in that light are consistent: he has been doing whatever he can to hurt the establishment for a decade. I think Assange is a red herring, listed by DHS because the establishment hates WikiLeaks and the “Guccifer 2.0” persona used WikiLeaks as a vehicle for distributing information (rather than an establishment-controllable media outlet like The New York Times, presumably).
The DHS/DNI statement continues later:
Some states have also recently seen scanning and probing of their election-related systems, which in most cases originated from servers operated by a Russian company. However, we are not now in a position to attribute this activity to the Russian Government.
That’s a great big “What The Fuck?” Rephrased: “We don’t have any evidence at all that Russia was involved in probing election-related systems and we can’t attribute it but we’re going to report it anyway.” To my point 2) above, this is why the US should be establishing its practices of attribution: this kind of statement could be broken down into:
- Things we are willing to say and back up with evidence
- Things we are willing to say based on analysis of the evidence
- Things we are not willing to talk about because we lack analysis or evidence
Mixing the last item in with the first two flushes all credibility down the drain. Imagine if a prosecutor tried that kind of argument in a court of law.
That was the October statement from DHS/DNI. Now we have a more sober assessment. And, it’s crap. 
This activity by RIS is part of an ongoing campaign of cyber-enabled operations directed at the U.S. government and its citizens. These cyber operations have included spearphishing campaigns targeting government organizations, critical infrastructure entities, think tanks, universities, political organizations, and corporations leading to the theft of information. In foreign countries, RIS actors conducted damaging and/or disruptive cyber-attacks, including attacks on critical infrastructure networks. In some cases, RIS actors masqueraded as third parties, hiding behind false online personas designed to cause the victim to misattribute the source of the attack.
The claim is that RIS (Russian Intelligence Services) are hacking US organizations and are doing what intelligence services appear to do all the time – including hiding behind false online personas intended to encourage misattribution. In other words, they’re doing what the Chinese and the North Koreans and the NSA are doing.
The U.S. Government confirms that two different RIS actors participated in the intrusion into a U.S. political party. The first actor group, known as Advanced Persistent Threat (APT) 29, entered into the party’s systems in summer 2015, while the second, known as APT28, entered in spring 2016.
This bothers me a lot. When security analysts are identifying and naming a threat actor, what they’re trying to do is establish methods and timelines that argue that their actions are related. The existence of a threat actor, however, is a construct in the security analyst’s mind – it’s an arbitrary grouping – especially if the grouping includes things like command/control IP addresses and tools. Let’s say that the difference between APT29 and APT28 is that they used different command/control IP addresses – that doesn’t mean they’re actually different! It just means that some analyst somewhere said, “let’s treat these as two different groups.” Unless we know the criteria by which the analysis was clustered, we can’t make a meaningful assessment of any of this analysis. For example, Bill Cheswick once established to his confidence that an attacker was a student because their activity levels varied with spring break and summer vacation. That’s an interesting and provocative bit of analysis but it is not sufficient to say with high confidence that the attacker is a college student – it could be that the attacker has decided to simulate a college student; that’d be easy. A big problem with any of this analysis is that if the attacker knows the criteria that the analysts will be using, it’s ridiculously easy to manipulate the analysts by simulating the criteria.
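To make the “arbitrary grouping” point concrete, here is an added example (mine, not from the original post or the report) that clusters a handful of constructed intrusions into “actors” by whichever indicator overlap rule the analyst chooses. The event records, IP addresses and tool names are placeholders I made up; the only thing the code demonstrates is that the number of named “actors” you end up with depends on the clustering criterion, which is exactly why the criterion needs to be stated alongside the attribution.

```python
"""Cluster intrusion events into "actors" under different analyst criteria.

Added example, not from the original post or the Joint Analysis Report. The
events and indicators are constructed: the point is that a "threat actor" is
whatever falls out of the overlap rule the analyst picked, not a thing that
was observed directly.
"""
from collections import defaultdict

# Constructed sample intrusions. IPs are documentation ranges, tool names are
# placeholders; none of these are real indicators of compromise.
EVENTS = [
    {"id": "intrusion-A", "c2": {"198.51.100.7"},  "tools": {"dropper-x"},               "when": "2015-07"},
    {"id": "intrusion-B", "c2": {"198.51.100.7"},  "tools": {"dropper-x", "rat-y"},      "when": "2015-09"},
    {"id": "intrusion-C", "c2": {"203.0.113.42"},  "tools": {"rat-y"},                   "when": "2016-04"},
    {"id": "intrusion-D", "c2": {"203.0.113.42"},  "tools": {"rat-y", "phish-kit-z"},    "when": "2016-05"},
]


def cluster(events, criterion):
    """Group events that share at least one indicator under `criterion`.

    `criterion` names a set-valued field ("c2" or "tools" above). Union-find
    makes the grouping transitive: if A overlaps B and B overlaps C, then A,
    B and C land in one group even though A and C share nothing directly.
    Returns a sorted list of sorted event-id lists so results are comparable.
    """
    parent = {e["id"]: e["id"] for e in events}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    # Index each indicator value to the events carrying it, then union them.
    index = defaultdict(list)
    for e in events:
        for indicator in e[criterion]:
            index[indicator].append(e["id"])
    for ids in index.values():
        for other in ids[1:]:
            union(ids[0], other)

    groups = defaultdict(list)
    for e in events:
        groups[find(e["id"])].append(e["id"])
    return sorted(sorted(g) for g in groups.values())


def actor_count(events, criterion):
    """Number of distinct 'actors' an analyst would name under this criterion."""
    return len(cluster(events, criterion))


if __name__ == "__main__":
    for crit in ("c2", "tools"):
        print(f"clustering by {crit!r}: {actor_count(EVENTS, crit)} actor(s) -> {cluster(EVENTS, crit)}")
```

Run as written, the same four intrusions become two “actors” when clustered by command/control address and a single “actor” when clustered by shared tooling. Swapping in a third criterion (time of activity, say) would give yet another answer, which is the author’s point: without the criteria, the label “APT28 vs. APT29” carries no information a reader can check.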
This picture from the report needs some translation:
It says: “We think there were two groups of hackers. They used the internet (Neutral Space) and both attacked targeted systems using slightly different techniques that are common to all hackers.” It’s a pretty illustration but it conveys no useful information except that it appears that the criteria used by analysts to decide APT29 and APT28 are different is that they use different tools, became active at different times, and there was technological overlap between their methods. They don’t explicitly say the last piece but it’s important: if I can access your files using Method A, I’m not also likely to access your files using Method B because I already accessed your files with Method A and that worked perfectly fine.
Both groups have historically targeted government organizations, think tanks, universities, and corporations around the world. APT29 has been observed crafting targeted spearphishing campaigns leveraging web links to a malicious dropper; once executed, the code delivers Remote Access Tools (RATs) and evades detection using a range of techniques. APT28 is known for leveraging domains that closely mimic those of targeted organizations and tricking potential victims into entering legitimate credentials. APT28 actors relied heavily on shortened URLs in their spearphishing email campaigns. Once APT28 and APT29 have access to victims, both groups exfiltrate and analyze information to gain intelligence value. These groups use this information to craft highly targeted spearphishing campaigns. These actors set up operational infrastructure to obfuscate their source infrastructure, host domains and malware for targeting organizations, establish command and control nodes, and harvest credentials and other valuable information from their targets. In summer 2015, an APT29 spearphishing campaign directed emails containing a malicious link to over 1,000 recipients, including multiple U.S. Government victims.
- They used spearphishing, like every other hacker ever.
- They broadly targeted 1,000 targets, like every other hacker ever.
- They used URL encoding, like every other hacker ever (it helps hook the phish).
- They exfiltrate information, like every other hacker ever.
- They use the exfiltrated information and credentials to further craft targeted spearphishing attacks, like every other hacker ever.
- They establish command/control nodes, like every other hacker ever.
- They obfuscate their source infrastructure, like every other hacker ever. (I assume this means that they’re accessing their command/control nodes through one or more proxies, like every other hacker ever.)
The main difference appears to be that APT28 likes to phish people to a site that drops malware on their machines, while APT29 likes to phish people to a site that looks like someplace they normally go, to harvest their login/passwords. Some hackers prefer the latter, others the former, and some do both.
In the course of that campaign, APT29 successfully compromised a U.S. political party. At least one targeted individual activated links to malware hosted on operational infrastructure of opened attachments containing malware. APT29 delivered malware to the political party’s systems, established persistence, escalated privileges, enumerated active directory accounts, and exfiltrated email from several accounts through encrypted connections back through operational infrastructure.
Like every other hacker ever! This is how it’s been done since about 2002 or so: you carpet-bomb a link to a malware dropper, and you get a few gomers, then you see what you’ve caught and exploit the most exciting ones. So someone sent someone at a US political party some malware, and they opened it, and some hacker did like every other hacker ever. I’m still waiting to see how and why this is Russians. In fact, the methods described are the exact same methods that the Chinese that hacked OPM, the North Koreans that hacked Sony, and the kid down the street all use. How do they know this was Russians and not North Koreans?
I really need to emphasize that this is standard operating procedure. The penetration testers that I know use exactly the same techniques, as do the hackers.
This time, the spearphishing email tricked recipients into changing their passwords through a fake webmail domain hosted on APT28 operational infrastructure. Using the harvested credentials, APT28 was able to gain access and steal content, likely leading to the exfiltration of information from multiple senior party members. The U.S. Government assesses that information was leaked to the press and publicly disclosed.
Sending someone to a fake webmail domain hosted on a compromised server is standard hacking operating procedure.
Next comes some incredibly sloppy work: (still from )
A YARA signature is an abstract matching rule that can be converted to run in a log, file, or network analysis tool to detect patterns that are “Indicators Of Compromise” (IOCs). This YARA signature identifies that a system has the “PAS TOOL PHP WEB KIT” if the system being examined contains a PHP file of a certain size that contains a set of patterns. In other words, you’re to run this and see if you have that particular web backdoor installed on your machine.
I’ve encountered this sort of web backdoor several times while doing incident responses. The last one, by the way, had Romanian comments, Romanian variable names, and the IP address from which it was being controlled was in Romania. The activity was during late afternoon/late night time windows in Romania. I’m still not willing to say that it was a Romanian doing it.
Anyhow, this particular web kit uses gzinflate and some typical strings. I’m glad that the intelligence community isn’t claiming that this was written by the same people who hacked Sony because they’re both using gzinflate (like tons of other web software!). That, by the way, was part of the high quality attribution that led the FBI to conclude that it was North Koreans that were hacking Sony: North Koreans apparently like to use a certain drive-wiping program. Guess what? So does pretty much every hacker ever, who wants a command-line drive-wiper.
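To show what a rule of the shape described above actually tests for, here is an added example (mine, not the signature from the Joint Analysis Report, and not the report’s strings or sizes, which I have not reproduced): a minimal YARA-style matcher that requires a file to fall inside a size window and to contain every listed pattern, run over constructed PHP samples. The rule contents, file paths and sample files are all assumptions made for illustration.

```python
"""Minimal YARA-style matcher: size window plus a set of required patterns.

Added example, not the Joint Analysis Report's signature. The rule below is
constructed to mirror the *shape* of a "PHP file of a certain size containing
a set of strings" rule; the patterns, size limits and sample files are assumed
for illustration only.
"""
import re

# Constructed rule. The equivalent YARA would read roughly:
#   rule constructed_php_webkit {
#       strings: $a = "<?php"  $b = "gzinflate("  $c = "base64_decode("  $d = /\$_(POST|COOKIE)\[/
#       condition: filesize > 1KB and filesize < 100KB and all of them
#   }
RULE = {
    "name": "constructed_php_webkit",
    "min_size": 1024,          # assumed lower bound, bytes
    "max_size": 100 * 1024,    # assumed upper bound, bytes
    "strings": [b"<?php", b"gzinflate(", b"base64_decode("],
    "regexes": [rb"\$_(?:POST|COOKIE)\["],  # request-driven input feeding the loader
}


def matches(data: bytes, rule: dict = RULE) -> bool:
    """True if `data` satisfies the rule: size in range AND every pattern present."""
    if not (rule["min_size"] <= len(data) <= rule["max_size"]):
        return False
    if not all(s in data for s in rule["strings"]):
        return False
    return all(re.search(r, data) is not None for r in rule["regexes"])


def scan(files: dict) -> list:
    """Scan a {path: bytes} mapping and return the matching paths, sorted."""
    return sorted(path for path, data in files.items() if matches(data))


# Constructed sample files (padding brings them into the size window).
PADDING = b"// padding\n" * 200
BENIGN = b"<?php\n// ordinary page\necho 'hello';\n" + PADDING
SUSPECT = (b"<?php\n// constructed: packed-loader shape, payload is a placeholder\n"
           b"$k = $_POST['k'];\n"
           b"eval(gzinflate(base64_decode('PLACEHOLDER')));\n") + PADDING
TINY = b"<?php eval(gzinflate(base64_decode($_POST['k'])));"  # same patterns, under min_size

SAMPLES = {
    "/var/www/html/index.php": BENIGN,
    "/var/www/html/uploads/x.php": SUSPECT,
    "/tmp/t.php": TINY,
}

if __name__ == "__main__":
    for path, data in SAMPLES.items():
        print(f"{path}: {'MATCH' if matches(data) else 'no match'} ({len(data)} bytes)")
    print("flagged:", scan(SAMPLES))
```

Two things worth noticing when you run it. The benign page shares the `<?php` string and the size range with the suspect file and is still (correctly) not flagged, because the rule wants all of its patterns. The `TINY` sample carries every pattern and is not flagged either, because it sits below the size window: a rule of this shape tells you whether a particular packaging of a widely used loader idiom is present, nothing more, which is the author’s point about how little such a signature says about who wrote the file.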
The rest of the Joint Analysis Report is some “SECURITY 101” stuff about how not to get owned. That’s it. I still don’t see a single damn thing in the report that argues conclusively that the attacks were from Russia, let alone sponsored by the Russian Government. The best argument in the report is that: Russia appears to have benefitted from having the US look stupid. Guess what? The list of countries, individuals, and hackers that benefit from having the US look stupid would take several trainloads of paper to print out.
Here’s what is going to happen: next election, the deluge. Because the US still hasn’t done anything to improve the situation and now everyone can see how terribly weak the security is, on the systems that are used by the rulers of the US. That’s why the strategy the US has been pursuing is so damaging: let the NSA off the leash to hack the world, but don’t improve our own security at all. It’s the Department of Glass Houses telling the Department of Stone Throwing to go throw rocks at everyone they want to, and assuming there’s going to be no blowback.
What would an attribution look like that satisfied me? It’s complicated but there’s no way of getting around it without disclosing some intelligence information. Not much, just a bit. It would look like this:
“On this date at this time, we monitored a connection that originated in the network cloud belonging to Runet’s fixed IP range. We have observed that address engaged in multiple hacking attacks in the past; that fixed address appears to be a Linux system named whatever.runet.ru and (information about the system). During the particular attack we are describing, a connection via SSH went to a staging server in Amsterdam, which then launched a VPN proxy connection to a host in Dallas, Texas (information about the system) that appears to be a compromised home computer. The attackers made the mistake of using the same staging system and compromised system and we were able to execute search warrants or secure cooperation from the administrators of those machines, from which we recorded additional traces. The attacker then sent a phishing email to the target, which led them to a malware dropper on the staging server (details of dropper) (copy of phishing email). The malware dropper compromised the end user’s system, and the user’s Exchange email was exfiltrated in a .ZIP file that was emailed to the staging server (system log lines). The contents of the emails collected were posted on WikiLeaks on dd/mm/yy and exactly match the files collected. Following that, we executed a compromise against the Linux server whatever.runet.ru using an unpatched system vulnerability, and collected a mirror of its hard drive. On that drive we found (copy of email) emails from the user who compromised the systems, the files that were collected, a tools archive of hacking tools, and emails from them to one name_withheld, who is an intelligence officer working for military intelligence.”
Dropping a load of detail like that would be pretty convincing: establish multiple points of view, a command authority linking it to an agent of a government, etc. It would require disclosing that the NSA monitors communications all over the place and has backdoored systems all over the place – which we already know, but they want to pretend isn’t the case. That’s the problem: it’s really hard to attribute a complaint that someone is hacking you when the way you attribute it is by hacking them first. But if you think about it, the only way that the US intelligence community could plausibly attribute the Sony attacks to North Korea would be with a statement like: “North Korea has 4 internet links and we so thoroughly own them that we have every packet that goes back and forth. So, here’s a reconstructed stream of a system on a North Korean military network attacking Sony.”
Tell us as much about “Guccifer 2.0” as we now know about hacker-turned-FBI-informant Hector Monsegur, AKA “Sabu.”
Here’s the big problem: the Russians know this and so does the US. The US and Israel were very careful hiding the tracks of Stuxnet, which we now know is the tip of a nasty iceberg attributable to “The Equation Group” which actually is implicated in developing tools for some US agency that is actually using them to penetrate foreign systems. If you look at the deconstruction of how the Equation Group’s code-trees evolve (Stuxnet, Duqu, etc.) you can see a good example of the kind of attribution that the US intelligence community could and ought to be providing as evidence against the Russians – if they had that quality of evidence. I don’t think they’re doing it, because they actually don’t have any evidence that’s worth a hill of politician’s promises.
So here’s another bit for you: since I said earlier what I think the US should have done, I’ll say what I’d do if I were the Russians. I’d compromise the fuck out of as much of the NSA’s expensive custom-built malware as possible. I’d have intelligence officers feeding code samples of Equation Group code to every antivirus vendor that’s not headquartered in the US. I’d be dropping solid evidence linking the NSA to all the stuff Snowden told about, proving that it’s real. I wouldn’t be dropping it to the US lapdog media, I’d be giving it to the Germans, the French, the Chinese, and – actually – the Russian IT security people, too. Want to bet the Germans would find out they’ve been being spied on? Want to bet the Brazilians would wonder if their politics are being messed with? And, eventually – you know it’d happen – someone would sell the key to some of the deeply embedded trojan horses that NSA has apparently put in certain hard drives and in some systems. And I’d publish the keys, the code, and evidence of its origin. Because you know whose infrastructure is most exposed? Yep: The Department of Glass Houses. It’s the response from Arkell V Pressdram.
(* A lie.)
(** Retorsion (from French: rétorsion, from Latin: retortus, influenced by Late Latin, 1585–95, torsi, a twisting, wringing), a phrase used in international law, is an act perpetrated by one nation upon another in retaliation for a similar act perpetrated by the other nation.)
(*** I’ll note that this has already been done; it’s just ignored by important people, who later regret it. They’d need to dust off some of the work DISA and NIST and NSA have already done and bless it as a “how to” for organizations that are afraid of international espionage. They’d also have to resist the temptation to let CIA and NSA backdoor it.)
(**** It is deliberately difficult to tell how much Assange controls WikiLeaks. But as its spokesperson he has some control over WikiLeaks’ political impact.)
Arms Control Association: China and Russia submit Cyber Proposal (The US’ response was that China and Russia were trying to control open and unfettered access to the Internet and that their proposal was an attempt to derail the US and Great Britain from establishing their view of how it should be done. Which is probably true. But, that doesn’t mean the US and Great Britain are the only players in cyberspace!)
BBC: London Hosts Cyberspace Security Conference (“Foreign Secretary William Hague convened the London Conference on Cyberspace, and urged a “global co-ordinated response” on policy.” – as long as it’s not from the Russians or the Chinese)
Letters of Note: Arkell V Pressdram
Newsweek: Israel Won’t Stop Spying on the US