Is “Grizzly Steppe” Really a Russian Operation?

I wrote here about the Obama administration’s underwhelming report, purporting to show that the malware that infected the Democratic National Committee’s email system was planted by Russia. The report is unimpressive in part because it consists mostly of pedestrian advice to IT professionals about computer security. This is the report’s description of the “Grizzly Steppe” malware:

Indicators of Compromise (IOCs)

IOCs associated with RIS cyber actors are provided within the accompanying .csv and .stix files of JAR-16-20296.

Yara Signature

description = "PAS TOOL PHP WEB KIT FOUND"
strings:
$php = " 20KB) and filesize < 22KB) and #cookie == 2 and #isset == 3 and all of them }

Does anything here provide persuasive evidence of Russian origin, let alone Russian government origin? I don’t know, but some with considerably more expertise are unimpressed. The linked analysis is long and technical, although more or less comprehensible to the untutored. The author’s conclusions:

Malware Conclusions

DHS and DNI have released a joint statement that says:

This document provides technical details regarding the tools and infrastructure used by the Russian civilian and military intelligence Services (RIS) to compromise and exploit networks and endpoints associated with the U.S. election, as well as a range of U.S. Government, political, and private sector entities. The report contains specific indicators of compromise, including IP addresses and a PHP malware sample.

The PHP malware sample they have provided appears to be P.A.S. version 3.1.0 which is commonly available and the website that claims to have authored it says they are Ukrainian. It is also several versions behind the most current version of P.A.S which is 4.1.1b. One might reasonably expect Russian intelligence operatives to develop their own tools or at least use current malicious tools from outside sources.

The author separately analyzes the IP addresses that the report finds probative:

Out of the 876 IP addresses that DHS provided, 134 or about 15% are Tor exit nodes, based on a reverse DNS lookup that we did on each IP address. These are anonymous gateways that are used by anyone using the Tor anonymous browsing service.

Conclusion regarding IP address data

What we’re seeing in this IP data is a wide range of countries and hosting providers. 15% of the IP addresses are Tor exit nodes. These exit nodes are used by anyone who wants to be anonymous online, including malicious actors.
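
The reverse-DNS check that the quoted analysis describes, set beside a comparison against a Tor exit-list snapshot, as an added example that is not from this post or the quoted analysis. All addresses, PTR names and the exit list are constructed sample data, and the hostname-token heuristic is an assumption about how such a check might be written.

```python
import ipaddress
import re

# Constructed sample data using documentation address ranges; none of these
# values come from the DHS report or the quoted analysis.
SAMPLE_PTR = {                      # IP -> PTR name (None = no reverse DNS)
    "192.0.2.10": "tor-exit-01.relay.example.net",
    "192.0.2.11": "exit3.tor.example.org",
    "198.51.100.7": "static-7.hosting.example.com",
    "198.51.100.8": None,
    "203.0.113.20": "mail.victor.example",      # "tor" only inside a word
    "203.0.113.21": "vps21.cloud.example",      # exit relay with generic PTR
}
SAMPLE_EXIT_LIST = {"192.0.2.10", "192.0.2.11", "203.0.113.21"}


def ptr_suggests_tor(hostname):
    """True if a PTR name has 'tor' as a whole label token (heuristic only)."""
    if not hostname:
        return False
    tokens = set(re.split(r"[^a-z]+", hostname.lower()))
    return "tor" in tokens or any(t.startswith("torexit") for t in tokens)


def triage(ioc_ips, ptr_records, exit_list):
    """Split an IOC IP list into Tor exits (by PTR, by exit list) and the rest."""
    ips = sorted({str(ipaddress.ip_address(ip.strip())) for ip in ioc_ips},
                 key=ipaddress.ip_address)
    by_ptr = [ip for ip in ips if ptr_suggests_tor(ptr_records.get(ip))]
    by_list = [ip for ip in ips if ip in exit_list]
    return {
        "total": len(ips),
        "tor_by_ptr": by_ptr,
        "tor_by_exit_list": by_list,
        "missed_by_ptr": [ip for ip in by_list if ip not in by_ptr],
        "pct_by_ptr": round(100 * len(by_ptr) / len(ips), 1),
        "pct_by_exit_list": round(100 * len(by_list) / len(ips), 1),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_PTR, SAMPLE_PTR, SAMPLE_EXIT_LIST).items():
        print(f"{key}: {value}")
```

A PTR-name heuristic undercounts relays with generic hostnames, and exit lists change over time, so a list snapshot from the period of the reported activity is the sounder comparison.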

And finally:

Overall Conclusion

The IP addresses that DHS provided may have been used for an attack by a state actor like Russia. But they don’t appear to provide any association with Russia. They are probably used by a wide range of other malicious actors, especially the 15% of IP addresses that are Tor exit nodes.

The malware sample is old, widely used and appears to be Ukrainian. It has no apparent relationship with Russian intelligence and it would be an indicator of compromise for any website.

Normally I would accept at face value an assertion by the U.S. government that intelligence agencies have identified Russia (or anyone else) as the source of a computer hack or other action. But the Obama administration has been so chronically dishonest, and the Democrats’ hysteria over their electoral defeats is so intense, that I don’t think they can be accorded the usual presumption of accuracy and truthfulness.
