The Obama administration insists that Russia’s government was behind the penetration of the Democratic National Committee’s email system (even though it admits that the intrusion was not carried out by the government itself). The administration released a report that purportedly provided evidence in support of this claim, but even an amateur like me could see that the report was surprisingly weak.
Then the experts started to weigh in. Their verdict was that the operation termed “Grizzly Steppe” by the Obama administration could possibly have been carried out by Putin’s regime, but the administration’s report contained no evidence at all that pointed toward Russia, let alone the Russian government.
Now, the internet security experts who are proprietors of Wordfence re-state their conclusions and explain the research they did to support them:
On Friday we published an analysis of the FBI and DHS Grizzly Steppe report. The report was widely seen as proof that Russian intelligence operatives hacked the US 2016 election. We showed that the PHP malware in the report is old, freely available from a Ukrainian hacker group and is an administrative tool for hackers.
We also performed an analysis on the IP addresses included in the report and showed that they originate from 61 countries and 389 different organizations with no clear attribution to Russia.
Our report has received wide coverage.
If I find something in the DHS/FBI report on my website or network, does it mean that Russia hacked me?
No it does not.
This has caused serious confusion already among press and US policy makers. A Vermont electrical utility found a sample of what is in the DHS/FBI Grizzly Steppe report on a single laptop. That laptop was not connected to the Electric Grid network. It was reported as Russia hacking the US electrical grid. …
The data in the DHS/FBI Grizzly Steppe report contains “indicators of compromise” (IOCs) which you can think of as footprints that hackers left behind. The IOC’s in the report are tools that are freely available and IP addresses that are used by hackers around the world. There is very little Russia-specific data in the Grizzly Steppe report.
If you find an IOC that is in the report on your network or server, it is unlikely that you have been targeted by Russian Intelligence.
The PHP malware the report provided, for example, is freely available for anyone who wants it.
This is how the Wordfence proprietors got to the bottom of what appears to have been an attempt at obfuscation by the Obama administration:
We received the DHS/FBI report on Thursday. Rob McMahon, one of my colleagues and a security analyst at Wordfence alerted me to it’s existence at 8pm pacific time on Thursday December 29th. We worked through the night until 7am the next morning when we released the report. Here is what we did:
We read the report and noticed there was a Yara signature for PHP malware. That means that FBI and DHS provided just enough information to identify the existence of PHP malware. It didn’t actually provide the malware itself.
We went into Polestar which is a Wordfence proprietary big-data platform that we have developed to aggregate and mine a large number of attacks from a range of sources. We used the Yara signature to try to determine if anyone has attacked a WordPress site using this malware. At this point we didn’t know what it was or if it was even used against WordPress.
Jackpot! We had captured the entire 20k malware sample!
We extracted the malware sample from Polestar and I handed it to Rob who started analysis on the sample. We divided the work and I went off and analyzed the IP addresses that DHS/FBI had provided in Grizzly Steppe.
Rob realized that most of the malware is encrypted. The way it works is that a hacker will upload it to a website. They access the malware as a web page and are prompted for a password by a small amount of unencrypted code in the malware. They enter the password which is actually a decryption key.
That decryption key is stored in a cookie so the hacker doesn’t have to keep entering it. The key then decrypts the malware code which is executed. Then every time the hacker accesses the malware in future, the key stored in a cookie decrypts the malware so that it can execute. It’s quite clever and makes our jobs harder.
We needed to find the decryption key for the malware. So we went back to Polestar and tried to find an attack that was blocked and logged where the attacker was trying to access the malware they had uploaded.
Jackpot again! We found the key. Rob used the key to decrypt the malware and view the source code. Once he could see the source code, he could see the name of the malware and the version and a few Google searches revealed the source website that it came from.
The rest was much easier. We could now take the malware sample and put it on a sandboxed research environment and actually run it and see what it did. We could also download the newer version of the malware, called ‘P.A.S.’, and execute that to see what it does and how it differs.
This is how we determined that the FBI/DHS report contains an old malware sample that is publicly available and the hacker group that distributes it appears to be Ukrainian.
Other experts have weighed in, pointing out that the administration’s report contains little or no evidence that Russia had anything to do with the DNC hack, e.g. Ars Technica and others quoted by Fortune. If any technical experts have endorsed the claims in the administration’s report, I am not aware of it.
Nevertheless, the Democratic Party operatives who masquerade as reporters in the U.S. have uncritically swallowed the administration’s line, and are hectoring Donald Trump and his aides to admit that Vladimir Putin was responsible for “hacking the election.”