Wednesday, January 4, 2017

How credible is the "Russians hacked the DNC" report from the Intelligence community?

In this corner, the "You l4mers need to up your game" argument:
[The Administration] had the DHS and US-CERT issue the "GRIZZLY-STEPPE" report "attributing those compromises to Russian malicious cyber activity". It does nothing of the sort. It's full of garbage. It contains signatures of viruses that are publicly available, used by hackers around the world, not just Russia. It contains a long list of IP addresses from perfectly normal services, like Tor, Google, Dropbox, Yahoo, and so forth.

Yes, hackers use Yahoo for phishing and malvertising. It doesn't mean every access of Yahoo is an "Indicator of Compromise".

For example, I checked my web browser [chrome://net-internals/#dns] and found that last year on November 20th, it accessed two IP addresses that are on the Grizzly-Steppe list:
No, this doesn't mean I've been hacked. It means I just had a normal interaction with Yahoo. It means the Grizzly-Steppe IoCs are garbage.
The summing up:
If your intent was to show technical information to experts to confirm Russia's involvement, you've done the precise opposite. Grizzly-Steppe proves such enormous incompetence that we doubt all the technical details you might have. I mean, it's possible that you classified the important details and de-classified the junk, but even then, that junk isn't worth publishing.
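Graham's complaint above is really about indicator fidelity: an address that belongs to Tor, a webmail provider or a CDN will show up in any workstation's DNS cache. As an added illustration (not code from either quoted article; every network and address below is a constructed documentation range, not a real provider range or a real Grizzly-Steppe indicator), here is how a defender can grade a published IoC list against a catalogue of shared services before matching it against a host's DNS cache:

```python
import ipaddress
from collections import Counter

# Constructed sample data: shared services that many unrelated users contact
# legitimately, keyed by category. These are RFC 5737 / RFC 6598 documentation
# ranges, not the address space of any real provider.
SHARED_INFRA = {
    "tor-exit":  [ipaddress.ip_network("198.51.100.0/26")],
    "webmail":   [ipaddress.ip_network("203.0.113.0/25")],
    "cloud-cdn": [ipaddress.ip_network("192.0.2.0/24")],
}

# Constructed "indicator" feed in the style of a published IoC list.
IOC_LIST = ["203.0.113.7", "198.51.100.3", "192.0.2.44", "100.64.12.9", "100.64.200.1"]

# Constructed DNS-cache snapshot from an ordinary workstation.
DNS_CACHE = ["203.0.113.7", "192.0.2.44", "100.64.77.5"]


def classify_ioc(ip: str) -> str:
    """Label an indicator by the shared-infrastructure category it falls in,
    or 'dedicated' if it is in none of them (the only kind worth alerting on)."""
    addr = ipaddress.ip_address(ip)
    for label, nets in SHARED_INFRA.items():
        if any(addr in net for net in nets):
            return label
    return "dedicated"


def triage(iocs):
    """Return {label: count} so the share of low-fidelity indicators is visible."""
    return dict(Counter(classify_ioc(ip) for ip in iocs))


def match_cache(dns_cache, iocs):
    """Match a host's DNS cache against the feed and grade each hit: a hit on
    shared infrastructure is 'low' confidence because normal traffic looks the
    same, while a hit on a dedicated address is 'high'."""
    feed = set(iocs)
    hits = []
    for ip in dns_cache:
        if ip in feed:
            label = classify_ioc(ip)
            hits.append((ip, label, "high" if label == "dedicated" else "low"))
    return hits


if __name__ == "__main__":
    print(triage(IOC_LIST))          # three of five indicators are shared services
    for hit in match_cache(DNS_CACHE, IOC_LIST):
        print(hit)                   # both cache hits grade as low confidence
```

Running this on a real feed means replacing SHARED_INFRA with current published ranges (Tor exit lists, provider BGP announcements) and treating the "low" hits as noise to suppress rather than alerts to escalate.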
In the other corner, the "Russia uses non-state hackers all the time" argument:
That source, who won’t be named here because it would compromise his current position and create legal problems for him, said he routinely saw Russian intelligence services recruiting hackers on cybercrime forums — particularly for research into potential vulnerabilities in the software and hardware that powers various national power grids and other energy infrastructure.
“All these guys had interest in hacking government resources, including Russian [targets],” my source told me. “Several years ago I got to know one of these hackers who worked for Russian government, [and] he operated his [cybercrime] forum as a government honeypot for hiring hackers. They were hiring hackers to work in official government organizations.”
Initially, he said, the hackers targeted U.S. military installations and U.S. news media outlets, but eventually they turned their attention to collecting government and corporate secrets full-time. The source said the teams routinely used botnets for foreign intelligence gathering and counterintelligence, and frequently sought to infiltrate botnets that were suspected of being co-opted for the same purposes by other countries.
My take is that both of these are plausible. The Russian government has at least loose connections to a whole community of Black Hats who live on their soil (as do other governments, especially China, Iran, and Israel). Influence is absolutely plausible, though the Grizzly-Steppe report is unconvincing here. Motivations vary from country to country - China and Iran likely would have preferred Hillary, Israel almost certainly would have preferred Trump.

Does it make a difference?  Not really, as long as DNC bigwigs use an email password of "password".  What is clear is that the DHS report should be taken with a huge grain of salt.  But both of these linked articles do a very good job covering the landscape - if you are interested in this topic, you should click through.
