Democratic Party claims about Russian hacking interfering in the election of 2016 continue to make the news. A recent article in the respected computer journal Ars Technica discussed supposed attempts on the part of the Russian government to interfere with the election. The article claims that the evidence the government provided in a Joint Analysis Report (JAR) filed by the FBI and the Department of Homeland Security (DHS) is inconclusive and technically inaccurate.
The report’s 13 pages offer no smoking guns and mostly rehash statements put out by private-sector companies with no further evidence provided to back them up. In fact, the report doesn’t specifically mention the Democratic National Committee (DNC) or the Democratic Party at all.
While a number of such companies have claimed the Russian government was responsible, people close to the leaks say they were the product of “lone wolf” attacks; individual security professionals say there’s no way to verify the true origins of the hacking.
The report teases readers with contentions that it reveals secret “tradecraft and techniques” used by Russian hackers, but analysts say these techniques are generic and used by all state-sponsored computer hacking groups.
“This ultimately seems like a very rushed report put together by multiple teams working different data sets and motivations,” stated Robert Lee, the founder and CEO of security firm Dragos. “It’s my opinion and speculation that there were some really good government analysts and operators contributing to this data, and then, report reviews, leadership approval processes and sanitation processes stripped out most of the value and left behind a very confusing report trying to cover too much while saying too little.”
Lee noted that the report confused the names of known hacker groups APT28 and APT29, which sometimes go by the names Sofacy, Sednit, Sandworm, CozyBear and others, with the names of malware families such as Havex and BlackEnergy. It even misused the name of a hacker capability called Powershell Backdoor. These incorrect references lead many security professionals to believe the report was not prepared by experts and may have been rushed to publication.
In fact, the report’s poor technical grasp, if anything, proves President-Elect Donald Trump’s assertions that the intelligence community’s capabilities may be lacking, to the extent that any of their expertise was actually used compiling the report.
According to Rob Graham, the CEO of Errata Security, one of the “indicators of compromise” (IOCs) listed in the report was “PAS TOOL WEB KIT,” which is a utility used by hundreds and perhaps even thousands of hackers in Ukraine and Russia, most of whom have no affiliation whatsoever with the government of either of those countries.
IOCs are the technical artifacts security experts use to determine whether a network has been compromised by an outside group. “In other words, these rules can be a reflection of the fact that the [U.S.] government has excellent information for attribution,” Graham said. “Or, it could be a reflection that [it’s] got only weak bits and pieces. It’s impossible for us outsiders to tell.”
Jeffrey Carr, an industry security consultant, said that he doubts the attacks that affected the DNC originated from Russian hackers because they used the same malware that affected the German Bundestag and the French television network TV5Monde.
While researchers at security firm CrowdStrike believe this is a clue that points to Russia because other actors wouldn’t have the combined resources and motivation to attack all these targets, Carr pointed out that the source code for the malware was independently obtainable from an antivirus software provider called ESET.
“If ESET [can have] it, so can others,” Carr wrote. “It’s both foolish and baseless to claim, as CrowdStrike does, that X-Agent is used solely by the Russian government when the source code is there for anyone to find and use at will.”
The doubts expressed by Carr, Graham and Lee show that when the government takes its proprietary research and makes it public for the world at large to see, large gaps in its knowledge are often exposed. In fact, it’s arguable that the so-called “experts” the government employs for its defensive cyber warfare capabilities, depending on which agency is being discussed, may be anything but expert. The report’s vagueness and lack of specificity leave it sounding more like a brief catalog of innuendo than an indictment.
This isn’t the first time the government has shown itself to possibly employ novices when it comes to detecting hacking. The attack on Sony Pictures Entertainment by North Korea in 2014 also revealed an aggregation of incompetency and ineptitude that led to incorrect conclusions, finger-pointing and embarrassment for a number of U.S. government agencies.
At that time, it was also the FBI that made the original accusation against North Korea. But many security experts said that the evidence pointing to the Hermit Kingdom was circumstantial. Security consultant Lucas Zaichkowsky declared, “State-sponsored attackers don’t create cool names for themselves like ‘Guardians of Peace’ and promote their activity to the public.” Writer Kim Zetter at Wired magazine termed the American government’s evidence “flimsy.”
To be fair, the government may be reluctant in many cases to reveal its sources and its methods of detection. It’s also possible that more in-depth technical evidence that is classified is being presented to Congress while not being revealed to the public.
But based on the data provided in the JAR, there’s nothing that could definitively be used to make the case the Obama administration is attempting to make; most computer security specialists could shoot holes in the government’s allegations ten feet wide. In fact, some of the evidence points to origins among lone wolves or activists, or to other countries’ governments (i.e. North Korea, China or one of the Baltic states’ government agencies).
Therefore, the argument that the Obama administration and the Democrats are clinging to is unsound; it doesn’t pass the smell test.
So rather than a fact, what they’ve presented thus far is a theory. Of course, if the government does take retaliatory action, it wouldn’t be the first time that it acted based on theories rather than facts, but with a Republican majority in both houses of Congress and a Republican president about to take office, it’s doubtful this report and its accusations will go much further, barring additional evidence being proffered.