18 Aug 17

Blowing the Whistle on Bad Attribution

The New York Times this week published a fascinating story about a young programmer in Ukraine who’d turned himself in to the local police. The Times says the man did so after one of his software tools was identified by the U.S. government as part of the arsenal used by Russian hackers suspected of hacking into the Democratic National Committee (DNC) last year. It’s a good read, as long as you can ignore that the premise of the piece is completely wrong.

The story, “In Ukraine, a Malware Expert Who Could Blow the Whistle on Russian Hacking,” details the plight of a hacker in Kiev better known as “Profexer,” who has reportedly agreed to be a witness for the FBI. From the story:

“Profexer’s posts, already accessible to only a small band of fellow hackers and cybercriminals looking for software tips, blinked out in January — just days after American intelligence agencies publicly identified a program he had written as one tool used in Russian hacking in the United States. American intelligence agencies have determined Russian hackers were behind the electronic break-in of the Democratic National Committee.”

The Times’ reasoning for focusing on the travails of Mr. Profexer comes from the “GRIZZLYSTEPPE” report, a collection of technical indicators or attack “signatures” published by the U.S. government in December 2016 that companies can use to check whether their networks may have been compromised by any of a number of different Russian threat groups.

The only trouble is that nothing in the GRIZZLYSTEPPE report says which of those technical indicators were found in the DNC hack. In fact, Profexer’s “P.A.S. Web shell” tool (a program designed to plant a digital backdoor that lets attackers control a hacked Web site remotely) was specifically not among the hacking tools found in the DNC break-in.

The P.A.S. Web shell, as previously offered for free on the now-defunct site profexer[dot]name.

That’s according to Crowdstrike, the company called in to examine the DNC’s servers following the intrusion. In a statement released to KrebsOnSecurity, Crowdstrike said it published the list of malware that it found was used in the DNC hack, and that the Web shell named in the New York Times story was not on that list.

Robert M. Lee is founder of the industrial cybersecurity firm Dragos, Inc. and an expert on the challenges associated with attribution in cybercrime. In a post on his personal blog, Lee challenged The Times on its conclusions.

“The GRIZZLYSTEPPE report has nothing to do with the DNC breach though and was a collection of technical indicators the government compiled from multiple agencies all working different Russian related threat groups,” Lee wrote.

“The threat group that compromised the DNC was Russian but not all Russian groups broke into the DNC,” he continued. “The GRIZZLYSTEPPE report was also highly criticized for its lack of accuracy and lack of a clear message and purpose. I covered it here on my blog but that was also picked up by numerous journalists and covered elsewhere [link added]. In other words, there’s no excuse for not knowing how widely criticized the GRIZZLYSTEPPE report was before citing it as good evidence in a NYT piece.”

Perhaps in response to Lee’s blog post, The Times issued a correction to the story, re-writing the above-quoted and indented paragraph to read:

“It is the first known instance of a living witness emerging from the arid mass of technical detail that has so far shaped the investigation into the election hacking and the heated debate it has stirred. The Ukrainian police declined to divulge the man’s name or other details, other than that he is living in Ukraine and has not been arrested.”

[Side note: Profexer may well have been doxed by this publication just weeks after the GRIZZLYSTEPPE report was released.]

This would not be the first time the GRIZZLYSTEPPE report provided fodder for some too-hasty hacking conclusions by a major newspaper. On December 31, 2016, The Washington Post published a breathless story reporting that an electric utility in Vermont had been compromised by Russian hackers who had penetrated the U.S. electric grid.

The Post cited unnamed “U.S. officials” saying the Vermont utility had found a threat signature from the GRIZZLYSTEPPE report inside its networks. Not long after the story ran, the utility in question said it detected the malware signature in a single laptop that was not connected to the grid, and the Post was forced to significantly walk back its story.

Matt Tait, a senior fellow at the Robert Strauss Center for International Security and Law at UT Austin, said indicators of compromise (IOCs) like those listed in the GRIZZLYSTEPPE report have limited value in attributing who may be responsible for an online attack. A signature for a tool that was given away for free, as the P.A.S. Web shell was, will match any site where anyone at all happened to install it.

“It’s a classic problem that these IOCs indicate you may be compromised, but they’re not very good for attribution,” Tait said. “The Grizzly Steppe report is a massive file of signatures, and loads of people have run those, found various things on their network, and then assumed it’s all related to the DNC hack. But there’s absolutely no tie between the DNC hack that in any way involved this P.A.S. Web shell.”
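To make Tait’s point concrete, here is a small scanner written for this post (it is not code from the article, from the GRIZZLYSTEPPE report, or from any of the firms quoted). It matches a tiny indicator list against constructed file contents and proxy-log lines, then reports two separate verdicts: whether the host looks compromised, and whether any of the matched indicators could support attribution. The indicator values, the `specificity` labels, the sample files and the log lines are all constructed for the example; none is a real GRIZZLYSTEPPE indicator.

```python
"""Added example (not from the article): match a small IOC list against
constructed host artefacts, then score what a match actually supports."""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Indicator:
    kind: str         # "sha256" (file hash), "ip" (network peer) or "content" (byte pattern)
    value: str
    specificity: str  # hypothetical label: "shared_tool" | "shared_infra" | "actor_specific"
    note: str


# Constructed indicator feed for this example only; not real report data.
IOCS = [
    Indicator("content", "eval(base64_decode(", "shared_tool",
              "generic PHP web-shell loader pattern used by countless unrelated actors"),
    Indicator("ip", "203.0.113.10", "shared_infra",
              "anonymising proxy exit; traffic from anyone using it matches"),
    Indicator("sha256", hashlib.sha256(b"<?php $k='x'; /* constructed */").hexdigest(),
              "actor_specific", "hash of a build seen in only one investigation"),
]

# Constructed log format: "<epoch> <src_ip> -> <dst_ip>"
LOG_RE = re.compile(r"^(?P<ts>\d+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+)$")


def scan_files(files: Dict[str, bytes]) -> List[Tuple[str, Indicator]]:
    """Return (path, indicator) for every file matching a hash or content IOC."""
    hits = []
    for path, data in files.items():
        digest = hashlib.sha256(data).hexdigest()
        for ioc in IOCS:
            if ioc.kind == "sha256" and ioc.value == digest:
                hits.append((path, ioc))
            elif ioc.kind == "content" and ioc.value.encode() in data:
                hits.append((path, ioc))
    return hits


def scan_log(lines: Iterable[str]) -> List[Tuple[str, Indicator]]:
    """Return (log line, indicator) for every connection to an IP IOC."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        for ioc in IOCS:
            if ioc.kind == "ip" and ioc.value == m["dst"]:
                hits.append((line.strip(), ioc))
    return hits


def assess(hits: List[Tuple[str, Indicator]]) -> dict:
    """Keep 'is this host compromised?' separate from 'who did it?'.
    Any hit suggests compromise; only actor-specific hits bear on attribution."""
    specific = [h for h in hits if h[1].specificity == "actor_specific"]
    return {
        "compromise_indicated": bool(hits),
        "attribution_supported": bool(specific),
        "matched": sorted({h[1].specificity for h in hits}),
    }


# Constructed sample input: one planted web shell, one benign file, two connections.
SAMPLE_FILES = {
    "/var/www/html/uploads/img.php": b"<?php eval(base64_decode($_POST['c'])); ?>",
    "/var/www/html/index.php": b"<?php echo 'hello'; ?>",
}
SAMPLE_LOG = [
    "1502995200 10.0.0.5 -> 203.0.113.10",
    "1502995201 10.0.0.5 -> 198.51.100.7",
]

if __name__ == "__main__":
    all_hits = scan_files(SAMPLE_FILES) + scan_log(SAMPLE_LOG)
    for where, ioc in all_hits:
        print(f"{where}: {ioc.kind}={ioc.value[:20]} [{ioc.specificity}] {ioc.note}")
    print(assess(all_hits))
```

Run against the sample data, the scanner finds two hits (the web-shell loader pattern and the proxy exit) and reports the host as likely compromised but attribution as unsupported, because both matched indicators describe things that anyone can use. The `specificity` tag is the check a practitioner would add to a raw indicator feed before letting a match turn into a headline.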

If it’s not always clear how seriously to take Uncle Sam’s conclusions about who is behind a given cyberattack, it certainly doesn’t help when intelligence agencies are still relying on discredited sources of information on that very question. As Mr. Lee observed at the top of his blog post, the Twitter account for the U.S. Defense Intelligence Agency tweeted on Aug. 14, 2017: “Cyber attacks going on right now #DoDIIS17”.

The DIA tweet included a brief video of the global threat map produced by Norse Corp., a company whose lovely but otherwise misguided efforts at cyber attack attribution have been repeatedly denounced by Lee and other cybersecurity experts. For more on how Norse self-destructed from the inside, see my Jan. 2016 story, Sources: Security Firm Norse Corp. Imploding.


One final note: Wired.com has a lengthy but tremendous new story worth reading called A Guide to Russia’s High Tech Tool Box for Subverting US Democracy. It makes a convincing case that the real, long-term goal of Russian state-sponsored hacking activity is to sow public and popular distrust in the democratic process and to weaken democratic institutions inside countries that support the North Atlantic Treaty Organization (NATO).


41 comments

  1. Attribution based on the hacking tools used is problematic at best. These groups are frequently appropriating each other’s tools in order to purposely create misdirection.

  2. Outstanding analysis and overview, Brian; I hope that it is widely read — especially by those in our various security agencies!

  3. Richard Steven Hack

    The repeated notion that Russia’s media outlets in this country could have any conceivable impact against the anti-Trump onslaught conducted by the main stream media last year is laughable at best, moronic at worst.

    Outlets like RT and Sputnik are almost unknown to ninety-eight percent of the US population, even if they happen to have access to them via Youtube or a local cable outlet.

    Yet we are supposed to believe that somehow Russia influenced the election process in this country by alleged random hacks of voting organizations – perfect targets for ANY hacker wanting Personally Identifiable Information, the coin of the realm in the hacker underground – or other hysterically hypothetical “Russian propaganda” is ludicrous.

    Now we have two new developments:

    1) Sy Hersh, much to his disgust, has been caught on tape revealing an FBI report that explicitly says that the murdered DNC staffer Seth Rich was in contact with Wikileaks and offered to sell them DNC documents. He also is preparing a report for publication which apparently will blame the entire “Russiagate” nonsense on CIA chief John Brennan.

    2) Julian Assange has now told a Congressman that he can PROVE that Wikileaks did NOT get the DNC documents from any Russians, something he has been vehemently stating all along – backed up by British ex-diplomat Craig Murray who has said he was one of the intermediaries in delivering the documents. Murray has never been asked by any law enforcement entity about those statements – as singularly unusual as the fact that the FBI never examined the DNC servers other than an alleged “certified true image” provided to them by CrowdStrike.

    CrowdStrike, of course, is compromised to the hilt by its founder being a Clinton supporter, and an avowed anti-Russian ex-pat who sees Russians under every PC.

    So even if this Ukrainian guy has nothing to do with the alleged DNC “hack”, we can be sure the FBI will create a connection. They reportedly already tried to get some other random hacker to confess to it, IIRC.

  4. Hardy Jr Brown Garcia

    NYT is good for FAKE news.
    Second best after CNN.

    • Anyone who screams FAKE news is either a troll or a zealot. Every single news source, even Krebs, has an agenda and has a slant. If you want to read or watch the news, you have to understand who created what you are watching and for what audience it was created. Even sites that ostensibly focus on the facts have an unconscious bias just because they are run by human beings and that’s how we are. I mean, I use PolitiFact and Snopes, but I try very hard to see what is fact and what is opinion; even something as simple as verb choice can betray a bias. It’s a hard line to stay skeptical without being cynical and I’m pretty far into the cynical side at this point. Basically, never stop asking questions, but also don’t be an asshole.

    • Bingo!

    • I’m with “The Duck”. +1

  5. The entire DNC hack attribution is fake. Russia simply did not “hack” the DNC. If you just read the report that Forensicator put out it clearly lays out the real evidence that the data was a local exfil and was not copied across a network. But then again it depends on if you really want the truth or if you just want to believe the media, which has people that are clueless on security.

    • Not quite. The file creation dates appear to indicate that the files were copied locally rather than over a network. But if I had to download thousands of files, I’d zip them up into an archive file first, then download the single file.

      • That’s a worse way to do it. I hope you are not, like most people, misusing the term “download.” A download is a pull over a network. The pulling computer, where the data lands, makes the request. An upload is a push over a network. Copying a file may be an upload or download, but only if it’s over a network. Copying from one drive/partition to another WITHOUT the copied files going over a network is NOT up-/down-loading. “Moving” a file is just a copy followed by a deletion. Now that we have our terms clear…

        If your copy session (local or download) gets interrupted, you may have to start over, unless your download manager can pick up in the middle. However, a download manager on the recipient’s end runs in negotiation with the correct services (e.g. web services) offered on the machine serving the download, unless one uses (for example) a UNC session. All of that is if you’re on the outside pulling the giant zip file (a hack). If you’re on the inside pushing the files out over the network (uploading, and then it’s a leak, not a hack unless you’re on the outside controlling the inside machine), you still face the same risk of interruption.

        To get the giant zip file out, you’d need a utility that can resume the interrupted copy session in the middle, and we don’t know that the violated machine is running anything that would manage its side of the transfer. Without this, the risk of being interrupted means all the time copying the larger, single ZIP file is wasted opportunity.

        If you copy the files as a giant cluster of multiple files, then any interruption causes a minimal loss. That is, you have what you got so far regardless of an opportunity to resume, rather than an illegible partial zip file that requires you to return to get the remainder. A single, larger ZIP file is not the way to go. Plus, you waste time creating the ZIP that could be spent on letting individual files copy to the target drive. If you know you won’t be interrupted, then it’s still wasted effort and totally unnecessary.

        For this whole discussion of file creation dates, that hasn’t been made clear in the press. Were these files exported from another system, such as exporting an archive of one’s e-mail and the archive file has its creation date? Do they mean a time stamp we normally don’t see on Windows machines, not for when the file itself was created, but for when it was written to a particular disk while being copied? For that, we’d need the disk it was written to, which no one has, so that can’t be it. There’s some obfuscation of the discussion. Let’s think through the technology and start to realize how the MSM doesn’t understand technology and can’t report it well. (Oh, the moronic journalism majors I knew in college…The whole school.)

        • Sorry about the run-on sentence in the last paragraph. I realize longer, compound sentences can be more difficult to follow in the first place. I got interrupted while typing and then editing my reply above. I hope it makes sense.

    • It certainly does look like the Russia-did-it narrative is unraveling. Which should be no surprise. All the evidence for that assertion I’ve seen boils down to ex-cathedra proclamations from individuals and agencies with a long history of deception.

  6. Attribution is next to impossible for nation states, if you have the cyber capabilities of Russia or China then you likely have good enough trade craft to cover up, cause mis-attribution, or, in some cases, leave just enough details to make people think it was you (if that suits your goals)

      • It used to be easier to attribute nation state attacks before the date mentioned in that article (2006). From 2003 to 2005, the Chinese were so confident and arrogant, they didn’t even try to hide their tracks. After 2005, the source IPs changed to “Universities”. And of course later they came from BitTorrent, and I didn’t have the tools to back track those. I did notice though, that attackers would “salt” the PCs of clients of mine with note pad notes, with the language of the nationality that the attacker wanted the victim to think was the origin, and it was all just a way to try to throw me off. I usually knew who was behind attacks on my victim’s IP – it was just finding out who they hired to break into these victims’ networks.

  7. It’s not that people are dumb about security, it is they are willfully lied to about security. They are given sales points, to sell a security product. Which is “security” supreme. But is it? Then you have to keep up with the product changes. And it changes daily, and the new updated interface changes, sometimes daily, and the device updates that change your settings, and permissions, yeah the people, end user are the problem, right!

  8. I would like some expert analysis of this:

    Guccifer 2.0 NGP/VAN Metadata Analysis

    https://theforensicator.wordpress.com/guccifer-2-ngp-van-metadata-analysis/

    • Thank you for the link. It is nice to see someone laying out actual evidence and, if nothing else, it raise the bar for real evidence. Those defending the Russia-did-it narrative can now lay out their evidence for examination.

      • I’m still waiting for some real expert analysis of it so someone can tell me if it’s valid info that has any bearing on this issue. A financial columnist who is extremely PC and network tech literate because he built, owned and operated a large Chicago ISP (which he sold just before the dot net crash – he’s also an economic buff) claims it is. The only critique of it has attacked The Nation’s article about it, not so much the data itself.

        • Denninger claims a lot of stuff, most of which is hyperbole. At some point, you need to make a choice. Either you believe our intelligence agencies or you don’t. And if you do, you don’t get to cherry-pick which info is real and which is subterfuge.

          Unless you are the one who works for the 3-letter agencies with that level of clearance, none of us know the full extent (or lack of) Russian hacking.

          • “Either you believe our intelligence agencies or you don’t.”

            Multiple instances of lying before Congress, WMD in Iraq is a “slam dunk”, etc. Don’t.

            For the final time, WHY is there no EXPERT analysis I can find anywhere online to totally REFUTE the info at the link I provided? I take NO ONE’S “word” on anything on these hyper-political subjects. I read everything I can and then make up my OWN mind.

          • “Denninger claims a lot of stuff, most of which is hyperbole. ”

            Economic topics are one subject I do happen to be an expert on and I can tell you that his commentary on that is not hyperbole. His occasional deep analysis on technical subjects is in line with his previous business, so I trust that also. He only posted a short article on the metadata with no confirming analysis, so I’m asking here for that.

  9. Any comments on this?

    Guccifer 2.0 NGP/VAN Metadata Analysis

    https://theforensicator.wordpress.com/guccifer-2-ngp-van-metadata-analysis/

  10. Interesting take. My take is since the FBI didn’t confiscate DNC server logs, and the DNC refused FBI request for logs and other data – why are we even wasting time on this?

    The DNC has used Russia to cloud the real issue, which is that they colluded to ensure HRC beat Sanders, and subverted the process by which the candidate was selected.

    Thank you

  11. Journalism is Dying

    Great reporting, as usual, Brian! It’s sad to see the drastic decline in the quality of “journalism” by outlets like the Mold Gray Lady since you left the WaPo. As they say, “Never let the facts get in the way of a good story!”

  12. If your purpose was to cause the NYT to update the story, the online version has been corrected (as you mention) and no longer indicates DNC hacking connection to this hacker’s tools. But apparently you’ve added more fuel to the fake news name calling (the news sources that correct mistakes are not fake news, they try to establish valid sources and correct when notified). Although you included it I suspect not everyone is reading your link to the wired.com article describing the entire focus of cyber warfare. And the links to critics of the GRIZZLYSTEPPE report seem to be largely focused on a lack of useful details.

  13. His name was Seth Rich.

    • Quite possible (since Mr. Assange agrees)

      Or was it Imran Awan? (not that he’ll get to testify – I’m sure he’ll trip on a bar of soap and break his neck or choke to death on his toothpaste or some other method) I truly hope he stays alive to testify.

  14. So as we say in Russian, NYT farted in a puddle again. Big whoop.

  15. And here I was thinking that tech reporters were the one exception to the “let’s fire all our science reporters” trend in mainstream journalism.

    Sad. Good thing there are still reporters like Brian.
    Keep ’em flying, Mr. Krebs!

  16. In my view, it is irrelevant whether the components listed in the GRIZZLYSTEPPE report were used in the DNC hack. As many have noted here, it is nearly impossible to attribute the use of hacker tools to individuals based on the tools themselves, which are widespread. You need to stop thinking in terms of hacking tools, and instead in terms of actual counterintelligence operations. It’s likely that the Intelligence Community is not revealing exactly how it knows certain things about the DNC hack. GRIZZLYSTEPPE is more likely just a convenient cover story to obscure the actual process by which NSA, FBI, CIA and others have traced the true culprits. My specialization is political analysis, specifically Kremlinology. From my standpoint, it is blindingly obvious that Putin’s intelligence agencies were behind the DNC hack. How they accomplished it, most likely through low-level contractors and cybercrime groups, is not particularly significant — it is standard operating procedure.

  17. I have seen a lot of bad judgement on security in my career, googling and reading about a topic does not make you an expert in security and certainly tech individuals are fooling themselves using security jargon implemented by sales / marketing.

    Spend time with people, training, development, database, systems, networking – understand how things actually tick.

    Most of the time its as simple as following a process and it has nothing to do with spending millions on the next best thing.

    Follow PCI / HIPAA – build upon that and keep on raising the bar.

    If you give a monkey a security book, the monkey does not become a security oracle by reading a few pages without doing the actual work or being in the moment.

  18. IRS iTUNE cards (Number 1 Fan)

    Great to see someone exposing these people

  19. If only the NYT or WaPo had a seasoned CyberSecurity expert on staff……

    They miss you Brian.

    They can’t pay you, but they still miss you.

  20. Failing New York Times
    Fake Washington Post

    Let me tell you who “hacked” DNC. It was the DNC. THE CALL IS COMING FROM INSIDE YOUR HOUSE, GET OUT!! ree ree ree *insert knife emoji

    Soon all will be revealed. This isn’t just 4D chess anymore.

    Bababooey to you all.

  21. I’m so sick and tired of ignorant trolls typing “fake news” about everything. There is real propaganda and deception (which is “fake news” for laymen terms) coming from Russia at an alarming rate. Our mainstream media undoubtedly relies on advertising dollars which skews their stories toward viewership. That “bias” of money exists around the world and is nothing novel. This mainstream “bias” of money doesn’t create a vacuum for propaganda or extreme bias. Unfortunately there are sheep who are skeptical of state agencies because they are vulnerable to manipulation from a narcissistic president and an obedient far-right propaganda machine (Breitbart, Ann Coulter, Milo, Tomi Lahren, even Fox News).

    With a story as serious as Russian manipulation in our democracy, it’s unbelievable how many blind sheep scream “Russophobia” and turn their backs on the very state agencies which their tax dollars go toward their very own protection. If you are intent on going against your state and its agencies, then move to Russia, where you can actively be harmed by your state. Otherwise, shut up with your misleading propaganda parroting. Russia hacked our infrastructure and spread fake news via our social media.

    Putin tasks his oligarchs with investing in projects that the state co-sponsors. There is no shortage of documentation on oligarch investments in state apparatus.

  22. No doubt, I believe in every person there is a justice man and a desire to do good and the right.

  23. Dennis Kavanaugh

    I have not read the actual article, but based on what Brian has quoted I see some misleading and ambiguous wording but no invalid premise or attribution. The first statement: “American intelligence agencies publicly identified a program he had written as one tool used in Russian hacking in the United States.” seems correct if you can believe he turned himself in to authorities. The second statement: “American intelligence agencies have determined Russian hackers were behind the electronic break-in of the Democratic National Committee.” does not attribute this guy to the DNC hacks. Stupid and misleading, yes. Probably just one more attempt to create the news they think will further their agenda.