Yesterday I posted on the report jointly authored by the FBI and DHS that was touted as the definitive proof of Russian state involvement in the hack of the DNC server and the spearphishing attack that compromised John Podesta’s email. Definitive enough, anyway, to justify Obama placing sanctions on Russia.
I don’t claim technical expertise but as I stated the FBI report offered us damned little that the private sector company, CrowdStrike, hadn’t posted over the past few months. The evidence indicated a) that the cyberattacks had originated from Russia, b) that the hacking cartel that carried out the attack had often operated in concert with the goals of the Russian government, c) that there was a presumption this group would not operate without the imprimatur of Russian security or intelligence services, and d) that this indicated the attack was directed by the Kremlin. The only problem is that the fact chain ends with a) or b), depending upon how you look at things. Items c) and d) are reasonable inferences, but they are just that.
Now other groups in the tech field are weighing in and basically calling the report bullsh**. I don’t know; this is not my area of expertise. But what I do know is that the people calling bullsh** are experts, and they make at least as compelling a case as the original report.
The 13-page report, which was jointly published Thursday by the Department of Homeland Security and the FBI, billed itself as an indictment of sorts that would finally lay out the intelligence community’s case that Russian government operatives carried out hacks on the Democratic National Committee, the Democratic Congressional Campaign Committee, and Clinton Campaign Chief John Podesta and leaked much of the resulting material. While security companies in the private sector have said for months the hacking campaign was the work of people working for the Russian government, anonymous people tied to the leaks have claimed they are lone wolves. Many independent security experts said there was little way to know the true origins of the attacks.
Sadly, the JAR, as the Joint Analysis Report is called, does little to end the debate. Instead of providing smoking guns that the Russian government was behind specific hacks, it largely restates previous private-sector claims without providing any support for their validity. Even worse, it provides an effective bait and switch by promising newly declassified intelligence into Russian hackers’ “tradecraft and techniques” and instead delivering generic methods carried out by just about all state-sponsored hacking groups.
Apparently, even the report’s attribution of hacking methods and tools is significantly at odds with what the cybersecurity industry knows to be true:
The writers showed a similar lack of rigor when publishing so-called indicators of compromise, which security practitioners use to detect if a network has been breached by a specific group or piece of malware. As Errata Security CEO Rob Graham pointed out in a blog post, one of the signatures detects the presence of “PAS TOOL WEB KIT,” a tool that’s widely used by literally hundreds, and possibly thousands, of hackers in Russia and Ukraine, most of whom are otherwise unaffiliated and have no connection to the Russian government.
“In other words, these rules can be a reflection of the fact the government has excellent information for attribution,” Graham wrote. “Or, it could be a reflection that they’ve got only weak bits and pieces. It’s impossible for us outsiders to tell.”
Security consultant Jeffrey Carr also cast doubt on claims that attacks that hit the Democratic National Committee could only have originated from Russian-sponsored hackers because they relied on the same malware that also breached Germany’s Bundestag and French TV network TV5Monde. Proponents of this theory, including the CrowdStrike researchers who analyzed the Democratic National Committee’s hacked network, argue that the pattern strongly implicates Russia because no other actor would have the combined motivation and resources to hack the same targets. But as Carr pointed out, the full source code for the X-Agent implant that has long been associated with APT28 was independently obtained by researchers from antivirus provider Eset.
“If ESET could do it, so can others,” Carr wrote. “It is both foolish and baseless to claim, as CrowdStrike does, that X-Agent is used solely by the Russian government when the source code is there for anyone to find and use at will.”
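A small illustration of Graham’s point about indicators, added here as an example and not code from the post, the JAR or Errata Security: a string indicator for a tool shared by many operators fires on every copy of the tool, so a hit tells you the tool is present, not who deployed it. The marker strings, sample files, operator labels and probabilities below are all constructed assumptions; the last function shows how the base rate of a shared tool drags down any attribution drawn from it.

```python
# Added example (not from the post, the JAR or Errata Security): a string
# indicator for a widely shared tool fires on every copy of that tool, so a
# hit is detection, not attribution. Indicator, files and labels are constructed.

# Constructed indicator: two marker strings every copy of a toy web kit carries.
INDICATOR = {"name": "toy_webkit_marker",
             "strings": [b"TOY WEB KIT v1", b"/* built-in uploader */"]}

# Constructed sample files. The operator label is ground truth that exists only
# in this toy data set; a real scan never sees it.
SAMPLES = {
    "host1/var/www/img.php":   (b"TOY WEB KIT v1 /* built-in uploader */ ...", "state-sponsored"),
    "host2/var/www/cache.php": (b"TOY WEB KIT v1 /* built-in uploader */ ...", "unaffiliated"),
    "host3/var/www/tmp.php":   (b"TOY WEB KIT v1 /* built-in uploader */ ...", "unaffiliated"),
    "host4/var/www/index.php": (b"<?php echo 'welcome'; ?>", "benign"),
}

def matches(indicator, content):
    """Plain substring check: every marker string must be present."""
    return all(marker in content for marker in indicator["strings"])

def scan(indicator, samples):
    """Detection: the files the indicator fires on, i.e. every copy of the kit."""
    return sorted(name for name, (content, _) in samples.items()
                  if matches(indicator, content))

def share_state_sponsored(hits, samples):
    """Attribution value in the toy data: the fraction of hits that really
    came from the state-sponsored operator."""
    if not hits:
        return 0.0
    return sum(samples[h][1] == "state-sponsored" for h in hits) / len(hits)

def posterior_state_actor(p_tool_given_state, p_tool_given_other, prior_state):
    """Bayes: P(state actor | tool observed). The three inputs are analyst
    estimates the report would have to justify; none of them come from it."""
    joint_state = p_tool_given_state * prior_state
    joint_other = p_tool_given_other * (1.0 - prior_state)
    return joint_state / (joint_state + joint_other)

if __name__ == "__main__":
    hits = scan(INDICATOR, SAMPLES)
    print("indicator fired on:", hits)
    print("share from the state-sponsored operator:", share_state_sponsored(hits, SAMPLES))
    # Same prior, a tool "hundreds" of groups use versus one only a single actor uses.
    print("shared tool:", posterior_state_actor(1.0, 0.9, 0.01))
    print("exclusive tool:", posterior_state_actor(1.0, 0.001, 0.01))
```

The same indicator is a perfectly good detection rule and a very weak attribution rule; only an estimate of how many unaffiliated operators use the tool separates the two.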
So what we have here is a report that is beginning to appear slapdash in construction. That is not to say the conclusions are wrong, but it is to say they don’t appear to be quite as ironclad as they were portrayed. This is having an effect in the media, too, as they smell flopsweat. Like this from the Obama-loving, Trump-hating Rolling Stone, “Something About This Russia Story Stinks.”
This dramatic story puts the news media in a jackpot. Absent independent verification, reporters will have to rely upon the secret assessments of intelligence agencies to cover the story at all.
Many reporters I know are quietly freaking out about having to go through that again. We all remember the WMD fiasco.
“It’s déjà vu all over again” is how one friend put it.
At one point we learn that the code name the U.S. intelligence community has given to Russian cyber shenanigans is GRIZZLY STEPPE, a sexy enough detail.
But we don’t learn much at all about what led our government to determine a) that these hacks were directed by the Russian government, or b) they were undertaken with the aim of influencing the election, and in particular to help elect Donald Trump.
The problem with this story is that, like the Iraq-WMD mess, it takes place in the middle of a highly politicized environment during which the motives of all the relevant actors are suspect. Nothing quite adds up.
If the American security agencies had smoking-gun evidence that the Russians had an organized campaign to derail the U.S. presidential election and deliver the White House to Trump, then expelling a few dozen diplomats after the election seems like an oddly weak and ill-timed response. Voices in both parties are saying this now.
The more that one looks at it the more it looks like this entire Russia-hacking episode is simply David Plouffe’s ‘Stray Voltage’ theory at work: Controversy sparks attention, attention provokes conversation, and conversation embeds previously unknown or marginalized ideas in the public consciousness. And it has been wildly successful.