More on Attribution of Russian Hacking

If you’re interested in the swirling scrimmage around attributing the “Russia” cyberattacks on the US 2016 election, there’s another fun bit of analysis dropped today:[1]

I sense a little sarcasm in their title. One would expect a government to use nice stuff, like the NSA’s Equation Group writes, not off the shelf stuff that’s been around for ages. In fact, this Ukrainian obfuscated PHP malware looks a lot like some Romanian stuff I had to deal with during an incident response in 2013.

The Wordfence analysis shows pretty much what I, and others, expected: a lot of fake IP addresses, and “basic hacking 101” stuff. The attribution supported by the US Government’s published data in the JAR is weak to nonexistent. They are failing to make anything like a solid case that shows Russian involvement. The sort of analysis presented by Wordfence is the sort of detailed analysis that would lead to a positive attribution, assuming there was any “there” there.

It is pathetic, sad, and lame that the JAR is the best the US government was able or willing to do. Given the vast resources expended on network hacking and surveillance, taxpayers deserve better than this.


[1] Wordfence: US Government Data Shows Russia Used Outdated Ukrainian Malware


  1. joehoffman says

    Reading between the lines in the newspaper, I got the impression that the attacks on the DNC et al. weren’t really front-line operations. More like the sergeant responsible for the summer interns thought it up, so they could learn the basics without getting under foot. Then some genius realized how much chaos they could sow with the kids’ results, and the rest is history.

  2. drken says

    I think this has more to do with Obama wanting to put some sanctions in place just to dare Trump to remove them. That way Trump gets to start his Presidency with accusations of being Putin’s lapdog. Personally, I’m far more worried about Trump removing the sanctions in place for invading Ukraine than I am this diplomatic pissing match. Given that his pick for Secretary of State is currently CEO of a company poised to make billions once those sanctions are lifted, that’s a far more likely scenario. Of course, Obama might think that if Trump lifts the hacking sanctions, it’ll be tougher politically to lift the invasion ones, so that might be his plan.

  3. says

    I’m trying to just focus on the accuracy/inaccuracy of the reporting on computer security. There’s enough there, already.

    What the various rulers of various powers do with this stuff is sure to suck. It begins with lies and distortions, it’s going to end badly.

  4. says

    It doesn’t sound like a coordinated intelligence operation at all. A couple hackers scored with phishing attacks and some of them dumped some of it to wikileaks for the lulz. Why isn’t that scenario simple enough?

    Oh, right: because it doesn’t give a convenient scapegoat for incompetence. (Remember too that there was some attempt to float the ridiculous theory that some of the emails were fake.)

  5. says

    The “pwnallthethings” thread on twitter is pretty interesting. It’s summarized here: with some slant. (pwn original thread: typical unreadable twitter)

    My assessment based on pwn’s analysis is that it was part of a large-scale phishing program that was heavily automated and well-organized. I’m still not convinced it’s Russian government but pwn makes good points that the targets all align along that target vector, which is certainly interesting.

    Now, if the NSA/CIA/FBI were coming out with that kind of analysis, or the WordPress guy’s analysis – that level of detail – I’d be reading it closely. But we’re still not getting anything better from the intelligence community than “trust us it was the Russians.” Guess what? I don’t trust them, the Russians, or Wikileaks.

  6. says

    There are a lot of Tor exit nodes, which doesn’t mean it was or wasn’t Russians or CIA or FBI. All Tor tells me is that the US Government assumes they’re talking to rank amateurs when they didn’t include that in their joint report: either they’re so stupid they don’t know, or they think their readers are so stupid they won’t figure it out.

    I don’t like either of those options.
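The point in the comment above, that an indicator which is a Tor exit node carries no attribution value, is the kind of check a defender runs before trusting any published IoC list. Below is an added triage script (not from the post, the JAR, or Wordfence) that labels each indicator as a Tor exit, a range overlapping Tor exits, or unique; the indicator list and the exit list are constructed sample data, not the real JAR values.

```python
import ipaddress

# Constructed sample indicator feed in the style of a "indicator,comment" CSV.
# These are documentation-range addresses, not the real JAR indicators.
SAMPLE_INDICATORS = """\
# indicator,comment
203.0.113.7,observed C2
203.0.113.8,observed C2
198.51.100.0/24,scanning source
192.0.2.44,phishing host
2001:db8::1,phishing host
"""

# Constructed stand-in for a Tor exit-node list (the Tor Project publishes
# the real one as one address per line; swap it in for live use).
SAMPLE_TOR_EXITS = """\
203.0.113.7
198.51.100.23
2001:db8::1
"""

def parse_exit_list(text):
    """Parse a one-address-per-line exit list into a set of ip_address objects."""
    exits = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            exits.add(ipaddress.ip_address(line))
    return exits

def triage(indicator_text, exit_text):
    """Return [(indicator, comment, verdict)].
    'tor-exit'    : a single address that is a Tor exit (no attribution value)
    'tor-overlap' : a network range that contains at least one Tor exit
    'unique'      : nothing in the exit list explains it"""
    exits = parse_exit_list(exit_text)
    rows = []
    for line in indicator_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        value, _, comment = line.partition(",")
        net = ipaddress.ip_network(value, strict=False)  # /32 or /128 for hosts
        if net.num_addresses == 1:
            verdict = "tor-exit" if net.network_address in exits else "unique"
        elif any(e in net for e in exits):  # version mismatch safely yields False
            verdict = "tor-overlap"
        else:
            verdict = "unique"
        rows.append((value, comment, verdict))
    return rows

def summary(rows):
    """Count how many indicators are actually usable for attribution."""
    usable = sum(1 for _, _, v in rows if v == "unique")
    return {"total": len(rows), "attribution_usable": usable}
```

With the sample data, only two of five indicators survive the filter; a feed that does not publish this ratio is asking to be trusted rather than checked.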

  7. says

    “No US government entity has run an independent forensic analysis on the system”. They’re just taking CrowdStrike’s word for it.

    The FBI doesn’t do forensic analysis of computers. They don’t know how. They usually ask a contractor or a third party to do it, then tell them they’re not allowed to talk about it because: national security (really: FBI incompetent). You can assume I have an axe to grind, there: most senior IT security people at some point or other have fallen for the “it’s for your country” waste of billable hours time-sink and then seen their reports splashed out with DHS or FBI logos all over them.

    I don’t mind if it’s CrowdStrike: it’s probably vastly better than the government agencies could do on their own. What I mind is that we aren’t getting enough crucial details to assess the attribution effectively. Which means they think we’re stupid, or they’re stupid. I can’t tell which.

    I should state again I have no opinion whether it was Russia or not. I don’t have enough information to form an opinion with. The opinion I am voicing is that the US Government is making an attribution without giving enough information, and I think that is irresponsible, dangerous, and sets a bad precedent.