If it wasn’t Russia, who is disappointed?

Outgoing President Obama has accused Russia of hacking Democratic Party emails during the presidential campaign, and leaking them with the intention of interfering in America’s election process.

What the emails revealed should be the subject of scandal, but that is lost in the noise about Russia’s interference.

By accusing Russia, Obama casts a shadow of illegitimacy over Donald Trump’s election to the presidency; an implication that he only won because a foreign power intervened to help him. (Which is nonsense, of course.) 

But did Russians hack and leak those scandalous emails?

From Ars Technica, by Dan Goodin

Talk about disappointments. The US government’s much-anticipated analysis of Russian-sponsored hacking operations provides almost none of the promised evidence linking them to breaches that the Obama administration claims were orchestrated in an attempt to interfere with the 2016 presidential election.

The 13-page report, which was jointly published Thursday [December 29, 2016] by the Department of Homeland Security and the FBI, billed itself as an indictment of sorts that would finally lay out the intelligence community’s case that Russian government operatives carried out hacks on the Democratic National Committee, the Democratic Congressional Campaign Committee, and Clinton Campaign Chief John Podesta and leaked much of the resulting material. While security companies in the private sector have said for months the hacking campaign was the work of people working for the Russian government, anonymous people tied to the leaks have claimed they are lone wolves. Many independent security experts said there was little way to know the true origins of the attacks.

Sadly, the JAR, as the Joint Analysis Report is called, does little to end the debate. Instead of providing smoking guns that the Russian government was behind specific hacks, it largely restates previous private-sector claims without providing any support for their validity. Even worse, it provides an effective bait and switch by promising newly declassified intelligence into Russian hackers’ “tradecraft and techniques” and instead delivering generic methods carried out by just about all state-sponsored hacking groups.

“This ultimately seems like a very rushed report put together by multiple teams working different data sets and motivations,” Robert M. Lee, CEO and Founder of the security company Dragos, wrote in a critique published Friday. “It is my opinion and speculation that there were some really good [US] government analysts and operators contributing to this data and then report reviews, leadership approval processes, and sanitation processes stripped out most of the value and left behind a very confusing report trying to cover too much while saying too little.”

The sloppiness, Lee noted, included the report’s conflation of Russian hacking groups APT28 and APT29 — also known as CozyBear, Sandworm, Sednit, and Sofacy, among others — with malware names such as BlackEnergy and Havex, and even hacking capabilities such as “Powershell Backdoor”. The mix-up of such basic classifications does little to inspire confidence that the report was carefully or methodically prepared. And that only sows more reasons for President-elect Donald Trump and his supporters to cast doubt on the intelligence community’s analysis on a matter that, if true, poses a major national security threat.

The writers showed a similar lack of rigor when publishing so-called indicators of compromise, which security practitioners use to detect if a network has been breached by a specific group or piece of malware. As Errata Security CEO Rob Graham pointed out in a blog post, one of the signatures detects the presence of “PAS TOOL WEB KIT”, a tool that’s widely used by literally hundreds, and possibly thousands, of hackers in Russia and Ukraine, most of whom are otherwise unaffiliated and have no connection to the Russian government.

“In other words, these rules can be a reflection of the fact the government has excellent information for attribution,” Graham wrote. “Or, it could be a reflection that they’ve got only weak bits and pieces. It’s impossible for us outsiders to tell.”

Security consultant Jeffrey Carr also cast doubt on claims that attacks that hit the Democratic National Committee could only have originated from Russian-sponsored hackers because they relied on the same malware that also breached Germany’s Bundestag and French TV network TV5Monde. Proponents of this theory, including the CrowdStrike researchers who analyzed the Democratic National Committee’s hacked network, argue that the pattern strongly implicates Russia because no other actor would have the combined motivation and resources to hack the same targets. But as Carr pointed out, the full source code for the X-Agent implant that has long been associated with APT28 was independently obtained by researchers from antivirus provider Eset.

“If ESET could do it, so can others,” Carr wrote. “It is both foolish and baseless to claim, as CrowdStrike does, that X-Agent is used solely by the Russian government when the source code is there for anyone to find and use at will.” …

It’s hard to escape the conclusion that Thursday’s Joint Analysis Report provides almost no new evidence to support the Obama Administration’s claims Russia attempted to interfere with the US electoral process.

And this is from PowerLine by John Hinderaker:

Evidence for Russian involvement in DNC hack is nonexistent.

The Obama administration insists that Russia’s government was behind the penetration of the Democratic National Committee’s email system (even though it admits that the intrusion was not carried out by the government itself). The administration released a report that purportedly provided evidence in support of this claim, but even an amateur like me could see that the report was surprisingly weak.

Then the experts started to weigh in. Their verdict was that the operation termed “Grizzly Steppe” by the Obama administration could possibly have been carried out by Putin’s regime, but the administration’s report contained no evidence at all that pointed toward Russia, let alone the Russian government.

Now, the internet security experts who are proprietors of Wordfence re-state their conclusions and explain the research they did to support them.

On Friday we published an analysis of the FBI and DHS Grizzly Steppe report. The report was widely seen as proof that Russian intelligence operatives hacked the US 2016 election. We showed that the PHP malware in the report is old, freely available from a Ukrainian hacker group and is an administrative tool for hackers.

We also performed an analysis on the IP addresses included in the report and showed that they originate from 61 countries and 389 different organizations with no clear attribution to Russia. …

If I find something in the DHS/FBI report on my website or network, does it mean that Russia hacked me?

No, it does not.

This has caused serious confusion already among press and US policy makers. A Vermont electrical utility found a sample of what is in the DHS/FBI Grizzly Steppe report on a single laptop. That laptop was not connected to the Electric Grid network. It was reported as Russia hacking the US electrical grid. …

The data in the DHS/FBI Grizzly Steppe report contains “indicators of compromise” (IOCs), which you can think of as footprints that hackers left behind. The IOCs in the report are tools that are freely available and IP addresses that are used by hackers around the world. There is very little Russia-specific data in the Grizzly Steppe report.

If you find an IOC that is in the report on your network or server, it is unlikely that you have been targeted by Russian Intelligence.

The PHP malware the report provided, for example, is freely available for anyone who wants it.
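The distinction Wordfence draws here, and the one Rob Graham made about the “PAS TOOL WEB KIT” signature in the Ars Technica excerpt, is that a match on an indicator tells you something may be wrong, but only an indicator that is exclusive to one actor can carry attribution weight. The Python below is an added illustration of that triage logic; it is not code from the original post, from Wordfence, or from the DHS/FBI report. Every IP address, hash, log line, file body and the “commodity / shared / exclusive” scale is constructed for the example (the IPs come from the documentation ranges, the web-shell marker is a placeholder string).

```python
"""Triage IOC hits by how much attribution weight each indicator can carry."""
from dataclasses import dataclass
import re

# Exclusivity scale used by this example only (not a scale from the report).
COMMODITY = "commodity"   # public tools, Tor exits, shared hosting: anyone can leave this footprint
SHARED = "shared"         # observed from several unrelated actors
EXCLUSIVE = "exclusive"   # only ever observed from the actor being attributed


@dataclass(frozen=True)
class Indicator:
    kind: str        # "ip", "sha256", or "content" (substring to look for in a file)
    value: str
    exclusivity: str
    note: str


# Constructed indicator feed.  192.0.2.x / 198.51.100.x are documentation ranges,
# the hash is not a real file hash, and the marker is a placeholder string.
FEED = [
    Indicator("ip", "192.0.2.10", COMMODITY, "Tor exit node used by many unrelated parties"),
    Indicator("ip", "198.51.100.7", SHARED, "address at a shared VPS provider"),
    Indicator("content", "EXAMPLE_WEBSHELL_MARKER", COMMODITY, "public PHP web shell, freely downloadable"),
    Indicator("sha256", "d3adbeef" * 8, EXCLUSIVE, "implant build seen only in one actor's intrusions"),
]

# Constructed evidence: three web-server access-log lines and a file inventory
# mapping path -> (file body, sha256 digest).  The digests are placeholders.
ACCESS_LOG = """\
192.0.2.10 - - [30/Dec/2016:10:01:12 +0000] "POST /wp-content/uploads/x.php HTTP/1.1" 200 512
203.0.113.5 - - [30/Dec/2016:10:01:13 +0000] "GET /index.php HTTP/1.1" 200 4096
198.51.100.7 - - [30/Dec/2016:10:02:44 +0000] "GET /wp-login.php HTTP/1.1" 200 2048
"""
FILES = {
    "/var/www/html/wp-content/uploads/x.php": ("<?php /* EXAMPLE_WEBSHELL_MARKER */ ?>", "0" * 64),
    "/var/www/html/index.php": ("<?php get_header(); ?>", "1" * 64),
}

LOG_IP = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}) ")


def match_indicators(access_log: str, files: dict, feed: list) -> list:
    """Return (indicator, evidence) pairs for every feed entry present in the data."""
    hits = []
    client_ips = {m.group(1) for line in access_log.splitlines() if (m := LOG_IP.match(line))}
    for ind in feed:
        if ind.kind == "ip" and ind.value in client_ips:
            hits.append((ind, f"client IP {ind.value} in access log"))
        elif ind.kind == "content":
            for path, (body, _) in files.items():
                if ind.value in body:
                    hits.append((ind, f"marker found in {path}"))
        elif ind.kind == "sha256":
            for path, (_, digest) in files.items():
                if digest == ind.value:
                    hits.append((ind, f"hash match on {path}"))
    return hits


def assess(hits: list) -> dict:
    """Separate "something is wrong here" from "we know who did it".

    Any hit justifies incident response.  Attribution to a named actor is only
    marked as supported when at least two EXCLUSIVE indicators match; commodity
    and shared indicators add nothing to attribution however many of them match.
    """
    exclusive = [h for h in hits if h[0].exclusivity == EXCLUSIVE]
    return {
        "compromise_suspected": bool(hits),
        "attribution_supported": len(exclusive) >= 2,
        "attribution_weight": {
            lvl: sum(1 for h in hits if h[0].exclusivity == lvl)
            for lvl in (COMMODITY, SHARED, EXCLUSIVE)
        },
        "findings": [f"[{ind.exclusivity}] {ev}: {ind.note}" for ind, ev in hits],
    }


if __name__ == "__main__":
    result = assess(match_indicators(ACCESS_LOG, FILES, FEED))
    for finding in result["findings"]:
        print(finding)
    print("compromise suspected:", result["compromise_suspected"])
    print("attribution supported:", result["attribution_supported"])
```

Run against the constructed data, three indicators match (two commodity, one shared, no exclusive), so the host should be treated as possibly compromised while the attribution verdict stays negative: exactly the situation of the Vermont laptop described above, where a hit on a freely available tool was reported as a state actor on the grid.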

The article then provides a technical explanation of “how the Wordfence proprietors got to the bottom of what appears to have been an attempt at obfuscation by the Obama administration”.

The Wordfence experts conclude:

[That] is how we determined that the FBI/DHS report contains an old malware sample that is publicly available and the hacker group that distributes it appears to be Ukrainian.

Other experts have weighed in, pointing out that the administration’s report contains little or no evidence that Russia had anything to do with the DNC hack, e.g. Ars Technica and others … If any technical experts have endorsed the claims in the administration’s report, I am not aware of it.

Nevertheless, the Democratic Party operatives who masquerade as reporters in the U.S. have uncritically swallowed the administration’s line, and are hectoring Donald Trump and his aides to admit that Vladimir Putin was responsible for “hacking the election”. 

President-elect Donald Trump does not strike us as a man easily hectored. And he is very unlikely to “admit” to something he had nothing to do with – and that apparently didn’t happen.

If Obama and the Democrats are hoping he will accuse himself and defend Vladimir Putin, they are doomed to yet another disappointment.