URR here. Much hullabaloo has been made of supposed Russian attempts to influence the US 2016 Presidential election. Trumpeted repeatedly by the Obama Administration is the accusation that Russian black hats had hacked into the e-mail systems of the Democratic National Committee, and subsequently released the information stolen from those e-mails to Wikileaks, who released them publicly. They did this, according to Obama, to win the election for Donald Trump. The government, he said, had the proof.
Well, late yesterday, the DHS/FBI Joint Analysis Report on the incident(s) was published. The report calls the malicious cyber incident GRIZZLY STEPPE. The report might seem, to the uninitiated, a confirmation of evidence of Russian "hacking". However, to those familiar with the subject matter, the report is woefully lacking in anything resembling "evidence". The DHS/FBI report is a 13-page document that outlines HOW network exploits can be done, how a phishing/spearphishing scam works, and even points to some forensic evidence that MIGHT be attributable to the two identified Russian-affiliated cyber actors. Those entities most mentioned, however, Advanced Persistent Threat (APT) 29 and APT 28, are relatively well-known actors, having been mentioned in several software security firms' reports in recent years. Essentially, the DHS/FBI report provides nothing more than a summary of how APT 29 and APT 28 have been operating for several years. The report also lists, on Page 4, some forty-eight cyber actors that, it claims, work for either Russian military or civilian intelligence services.
As mentioned here in a previous post, simply doing work for an entity is no evidence whatever that such an actor is controlled by, or a part of, any government or intelligence service. Quite the contrary, a skilled cyber actor works with and for myriad interests, government and private, often at the same time. While it is almost certainly true that some or most of those entities have worked with RIS (Russian Intelligence Services) at various times, the only "evidence" pointing to the intrusion into DNC e-mail systems being done at Russian government behest is the report's assertion that it is so. The report also neglects to mention that, for every known cyber actor, there are dozens or hundreds or thousands who are not known. The best of them avoid detection entirely.
The report is filled with helpful hints on how to try to avoid network intrusions through phishing and spear-phishing schemes, and the like. Actions such as permission and access controls, credentialing, firewall configuration, whitelisting, and a host of other things a prudent network administrator already does, are advised. This includes advocacy for several government-encouraged DHS programs such as Automated Indicator Sharing (AIS), which the private sector has been extremely hesitant to engage in. (Understandable, since this is the same Federal Government that allowed Office of Personnel Management database information to be available to a Chinese software company which was given rootkit access, among other such mind-numbingly foolish decisions in recent years which led to massive and damaging network breaches.)
Also accompanying the report is a series of files that show "Indicators of Compromise" (IOC) for each of the alleged Russian cyber actors. What the report assiduously ignores is that the trading of malicious code, including code in specific languages, is common in the Black Hat world. This is done both to leverage known successful codes for specific network exploits, and to obfuscate identity, making attribution all but impossible. While a network administrator may find one of those IOCs listed in the report, meaningfully attributing such a compromise to an actor identified in the report is extremely doubtful, at best. And those who produced this report know that good and well.
The other assertion the DHS/FBI report makes, that information from those DNC e-mails was exfiltrated and then sent to Wikileaks for public release, is NOT BACKED UP BY ANY EVIDENCE whatsoever. No screen shots of log activity showing exfil of data, no link to any exfil being directed by RIS, and certainly no evidence of that data being sent to, and received by, Wikileaks. There is simply a statement on Page 3 that states "The U.S. Government assesses that information was leaked to the press and publicly disclosed." Imagine that. There is plenty of anecdotal evidence to the contrary elsewhere, however, not to mention the undisputed fact that Wikileaks, as abhorrent as they can be at times, has never published or released a forged document. For their part, they assert unequivocally that the DNC e-mails were leaked to them by a DNC staffer disgusted with Hillary Clinton's underhanded methods (and the DNC's complicity with her).
The DHS/FBI report is thunderously silent on the two critical topics that were central to the Democratic claims of Russian "hacking" and the candidacy of Hillary Clinton. The first is that there is nothing, not a word, in the report that Russian cyber actors in any way penetrated and/or altered the results of any electronic voting machines, or manipulated voter rolls. Because it was clear from the start that nothing of that sort had occurred. (Such direct manipulation, incidentally, is the ONLY bit of Russian intrusion about which Americans should be rightfully alarmed, given that the Russians/Soviets have tried to indirectly influence US elections for almost a century.)
The second assertion is in regards to Hillary Clinton's compromise of classified information following its illegal transmission and storage on an unauthorized private server at her home in Chappaqua, NY. We were assured countless times that the server was secure, and that there was no evidence that her private network had been compromised. Those who understand how the internet works, and how networks can be penetrated and exploited, knew these assurances to be either absurdly naive, or deliberately dishonest, and almost certainly the latter. Cyber actor entities such as the Joint Analysis Report identified (and the hundreds and thousands it didn't) likely knew within days, perhaps hours, that Hillary was setting up a private server for her official State Department business, and had breached that network very shortly afterward.
The DHS/FBI report, then, is little more than a restatement of unfounded assertions as to the depth and intent of Russian government involvement in influencing a US election. The admixture of technical details and mitigation strategies that comprises the majority of information on the thirteen pages simply provides filler to a document that is otherwise devoid of anything resembling the "evidence" we were all assured exists. While some will say that such evidence should not be made public, I would ask that comparison be made to the reports of the Sony breach in 2014, which provided extensive illustration of likely DPRK involvement. (Even with that, there is considerable room for doubt as to the origin and intent of the Sony cyber actors.) If this Administration had such "evidence", this report would be the place for it. With the lack of that evidence in these pages, further doubt is cast on the assertions of high-level Russian involvement.
So, to summarize, there is precious little "evidence" that any of the cyber actors who allegedly penetrated DNC e-mail networks did so at the direction of Russian intelligence. There is virtually NO evidence that those actors then provided those exfiltrated e-mails to Wikileaks. There is no mention of hacking of voting machines or voter rolls, things that would have a direct impact on vote counts. Certainly there is nothing resembling hard confirmation that Vladimir Putin was in any way personally involved in any of this, as the CIA assessment last month unequivocally stated. It isn't as if Putin paid taxpayer money to fund the activities of an opposition group, such as Barack Obama did in Israel, or as if Putin came to this country and warned against the consequences of the American people voting against his wishes, such as was done over the BREXIT referendum.
For all these thirteen pages contain, this report could have been written in a day, by a low-level staffer, before Hallowe'en. But then, with Hillary's victory all but certain, none of this was an issue. Funny, that.
This farce allows the true believers to blame someone other than the Democrats themselves for the loss.
Posted by: SCOTTtheBADGER | 12/31/2016 at 01:03 AM
Liars are going to lie.
Paul L. Quandt
Posted by: Paul L. Quandt | 12/31/2016 at 06:20 AM
URR, thanks for the great analysis. I have a basic knowledge of cyber security (I have some smart friends that I hang around with) and the reporting so far on "Russian Hacking" seemed bogus to me. I have been in a room with my friends while they hacked into some Fortune 100 companies (we had approval from those companies to test the system; we also had a written "get out of jail" letter). I was shocked at how easy it was to penetrate companies' electronic defenses.
One of the most negative aspects of all this deliberate false reporting by government agencies that once had some public trust is that the trust is gone. I agree that no smart public company is going to trust any of the DHS or other agencies with any data that could be used by a competitor or could cause harm to the company if the information became public.
Hard for me to become more cynical than I am, but Hillary managed to do so. She committed treason while Secretary of State and no one in government seems to care; certainly not on the Democrat side. Where are our Trumans, Scoop Jacksons, Daniel Patrick Moynihans?
Without the internet, and the type of information you just provided, the disinformation campaign of the Legacy Media would be impossible to counteract.
Posted by: ron snyder | 12/31/2016 at 02:03 PM