If you’re interested in the swirling scrimmage around attributing the “Russia” cyberattacks on the US 2016 election, there’s another fun bit of analysis dropped today:[1]
I sense a little sarcasm in their title. One would expect a government to use nice stuff, like the NSA’s Equation Group writes, not off the shelf stuff that’s been around for ages. In fact, this Ukrainian obfuscated PHP malware looks a lot like some Romanian stuff I had to deal with during an incident response in 2013.
The Wordfence analysis shows pretty much what I, and others, expected: a lot of fake IP addresses, and “basic hacking 101” stuff. The attribution of the US Government’s published data in the JAR is weak to nonexistent. They are failing to make anything like a solid case that shows Russian involvement. The sort of analysis presented by Wordfence is the sort of detailed analysis that would lead to a positive attribution, assuming there was any “there” there.
It is pathetic, sad, and lame that the JAR is the best the US government was able or willing to do. Given the vast resources expended on network hacking and surveillance, taxpayers deserve better than this.
[1]Wordfence: US Government Data Shows Russia Used Outdated Ukrainian Malware
Reading between the lines in the newspaper, I got the impression that the attacks on the DNC et al. weren’t really front-line operations. More like the sergeant responsible for the summer interns thought it up, so they could learn the basics without getting under foot. Then some genius realized how much chaos they could sow with the kids’ results, and the rest is history.
I think this has more to do with Obama wanting to put some sanctions in place just to dare Trump to remove them. That way Trump gets to start his Presidency with accusations of being Putin’s lapdog. Personally, I’m far more worried about Trump removing the sanctions in place for invading Ukraine than I am this diplomatic pissing match. Given that his pick for Secretary of State is currently CEO of a company poised to make billions once those sanctions are lifted, that’s a far more likely scenario. Of course, Obama might think that if Trump lifts the hacking sanctions, it’ll be tougher politically to lift the invasion ones, so that might his plan.
I’m trying to just focus on the accuracy/inaccuracy of the reporting on computer security. There’s enough there, already.
What the various rulers of various powers do with this stuff is sure to suck. It begins with lies and distortions, it’s going to end badly.
Joehoffman@#1:
It doesn’t sound like a coordinated intelligence operation at all. A couple hackers scored with phishing attacks and some of them dumped some of it to wikileaks for the lulz. Why isn’t that scenario simple enough?
Oh, right: because it doesn’t give a convenient scapegoat for incompetence. (Remember too that there was some attempt to float the ridiculous theory that some of the emails were fake.)
Apparently half the IP address listed in the report are Tor exit nodes…
https://theintercept.com/2017/01/04/the-u-s-government-thinks-thousands-of-russian-hackers-are-reading-my-blog-they-arent/
Oh, this is hilarious… According to Buzzfeed, The FBI Never Asked For Access To Hacked Computer Servers. “No US government entity has run an independent forensic analysis on the system”. They’re just taking CrowdStrike’s word for it.
MORE STORY—-
The “pwnallthethings” thread on twitter is pretty interesting. It’s summarized here:
http://www.huffingtonpost.co.uk/entry/14-year-old-hack-john-podesta-emails_uk_586e22f0e4b0c1c826fa5510
with some slant.
(pwn original thread: typical unreadable twitter
https://twitter.com/pwnallthethings/status/816621553643294720
)
My assessment based on pwn’s analysis is that it was part of a large-scale phishing program that was heavily automated and well-organized. I’m still not convinced it’s Russian government but pwn makes good points that the targets all align along that target vector, which is certainly interesting.
Now, if the NSA/CIA/FBI were coming out with that kind of analysis, or the wordpress guy’s analysis – that level of detail – I’d be reading it closely. But we’re still not getting anything better from the intelligence community than “trust us it was the Russians.” Guess what? I don’t trust them, the Russians, or Wikileaks.
NathanL@#5/6:
There are a lot of Tor exit nodes, which doesn’t mean it was or wasn’t russians or CIA or FBI. All Tor tells me is that the US Government assumes they’re talking to rank amateurs when they didn’t include that in their joint report: either they’re so stupid they don’t know, or they think their readers are so stupid they won’t figure it out.
I don’t like either of those options.
Dunc@#7:
“No US government entity has run an independent forensic analysis on the system”. They’re just taking CrowdStrike’s word for it.
The FBI doesn’t do forensic analysis of computers. They don’t know how. They usually ask a contractor or a third party to do it, then tell them they’re not allowed to talk about it because: national security (really: FBI incompetent) You can assume I have an axe to grind, there: most senior IT security people at some point or other have fallen for the “it’s for your country” waste of billable hours time-sink and then seen their reports splashed out with DHS or FBI logos all over them.
I don’t mind if it’s Crowdstrike: it’s probably vastly better than the government agencies could do on their own. What I mind is that we aren’t getting enough crucial details to assess the attribution effectively. Which means they think we’re stupid, or they’re stupid. I can’t tell which.
I should state again I have no opinion whether it was Russia or not. I don’t have enough information to form an opinion with. The opinion I am voicing is that the US Government is making an attribution without giving enough information, and I think that is irresponsible, dangerous, and sets a bad precedent.