Breakdown of the “So-called” Evidence for Russian Hacking, and the Sad State of Cybersecurity

Is there definitive evidence contained in the JAR (Joint Analysis Report – GRIZZLY STEPPE – Russian Malicious Cyber Activity),  or FireEye’s analysis, “APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS” that Russian state-sponsored hackers compromised the DNC server with malware, and then leaked any acquired documents to WikiLeaks? Absolutely not. And here’s why:

CNN’s ridiculous depiction of how Russian hackers “hack” – gleaned from a screenshot of the video game “Fallout 4”.

Let’s first run through the “so-called” evidence – basically two “smoking guns” in the analysis – and a few other questions pertinent to the investigation. I’ll address each point with some technical details and maybe a little common-sense evaluation:

  1. Certain malware settings suggest that the authors did the majority of their work in a Russian language build environment.
  2. The malware compile times corresponded to normal business hours in the UTC+4 time zone, which includes major Russian cities such as Moscow and St. Petersburg.
  3. Ultimately, WikiLeaks was the source of the dissemination of the compromised data – where did they acquire it?
  4. According to media sources, all 17 US intelligence agencies confirmed Russian state-sponsored hackers were the source of the attacks.
  5. Was this “so-called” hack designed to affect the outcome of the US election?

Let us now address each of these points specifically (some of this may be more technical for the average human – Program or be Programmed):

1. Certain malware settings suggest that the authors did the majority of their work in a Russian language build environment.

APT28 (Advanced Persistent Threat 28) consistently compiled Russian language settings into their malware.

Locale ID           Primary language   Country   Samples
0x0419              Russian            ru        59
0x0409              English            us        27
0x0000 or 0x0800    Neutral locale     -         16
0x0809              English            uk        1

By no means is this evidence of anything. It could even be a US-sponsored hack, for that matter, obfuscating its origin by using a Russian build environment. This is pure speculation, and any security researcher knows this has effectively been used by malware authors in the past.

2. The malware compile times corresponded to normal business hours in the UTC+4 time zone, which includes major Russian cities such as Moscow and St. Petersburg.

The FireEye report states:

During our research into APT28’s malware, we noted two details consistent across malware samples. The first was that APT28 had consistently compiled Russian language settings into their malware. The second was that malware compile times from 2007 to 2014 corresponded to normal business hours in the UTC + 4 time zone, which includes major Russian cities such as Moscow and St. Petersburg.

Use of Russian and English Language Settings

PE Resources include language information that can be helpful if a developer wants to show user interface items in a specific language. Non-default language settings packaged with PE resources are dependent on the developer’s build environment. Each PE resource includes a “locale” identifier with a language ID “composed of a primary language identifier indicating the language and a sublanguage identifier indicating the country/region.”

Any malware author could intentionally leave behind false clues in the resources section, pointing to Russia or any other country. These signatures are very easy to manipulate, and anyone with a modicum of Googling skills can alter the language identifier of the resources in a PE file. ANY state-sponsored entity could easily obfuscate the language identifier in this way. One could also use an online compiler or an online integrated development environment (IDE) through a proxy service to alter the times, so that the compile times appear to come from whatever region was chosen. The information in the FireEye report is spurious at best.
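As an added example (not code from this post or from FireEye’s report), the script below decodes PE resource locale IDs into the primary-language/sublanguage split the report describes and checks whether PE header compile timestamps fall in business hours for a chosen UTC offset; the sample locale/timestamp pairs are constructed, not real APT28 data.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Windows LANGID layout: low 10 bits = primary language, high 6 bits = sublanguage.
PRIMARY_LANG = {0x00: "Neutral", 0x09: "English", 0x19: "Russian"}
SUBLANG = {(0x09, 0x01): "us", (0x09, 0x02): "uk", (0x19, 0x01): "ru"}


def decode_locale(locale_id: int) -> str:
    """Decode a PE resource locale ID into the labels used in the table above."""
    primary = locale_id & 0x3FF
    sub = locale_id >> 10
    if primary == 0x00:  # 0x0000 and 0x0800 are both neutral
        return "Neutral locale"
    name = PRIMARY_LANG.get(primary, f"lang 0x{primary:02x}")
    region = SUBLANG.get((primary, sub), f"sublang 0x{sub:02x}")
    return f"{name} ({region})"


def compile_hour_local(timedatestamp: int, utc_offset_hours: int) -> int:
    """Hour of day of IMAGE_FILE_HEADER.TimeDateStamp (UTC epoch seconds) in a fixed-offset zone."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return datetime.fromtimestamp(timedatestamp, tz).hour


def business_hours_ratio(timestamps, utc_offset_hours, start=9, end=18):
    """Fraction of compile timestamps inside [start, end) local time in that zone.
    Both attributes are set by the build environment (linker timestamp, resource
    language), so this is a weak hint, not proof of where the author sat."""
    hits = sum(start <= compile_hour_local(t, utc_offset_hours) < end for t in timestamps)
    return hits / len(timestamps)


def summarize(samples, utc_offset_hours=4):
    """samples: iterable of (locale_id, timedatestamp). Returns (locale counts, ratio)."""
    locales = Counter(decode_locale(loc) for loc, _ in samples)
    ratio = business_hours_ratio([ts for _, ts in samples], utc_offset_hours)
    return locales, ratio


# Constructed sample set (not real APT28 data): four files "compiled" on 2014-03-03 UTC.
SAMPLES = [
    (0x0419, 1393826400),  # 06:00 UTC -> 10:00 at UTC+4
    (0x0419, 1393851600),  # 13:00 UTC -> 17:00 at UTC+4
    (0x0409, 1393876800),  # 20:00 UTC -> 00:00 at UTC+4 (next day)
    (0x0800, 1393808400),  # 01:00 UTC -> 05:00 at UTC+4
]

if __name__ == "__main__":
    counts, ratio = summarize(SAMPLES)
    print(dict(counts), f"{ratio:.0%} of compiles in UTC+4 business hours")
```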

3. Ultimately, WikiLeaks was the source of the dissemination of the compromised data – where did they acquire it?

Julian Assange, the founder of WikiLeaks, has repeatedly stated that the source of the information they posted was NOT from ANY state-sponsored source – including Russia. In fact, in all of the reports (including the JAR and FireEye) they never once mention WikiLeaks. Strange.

4. According to media sources, all 17 US intelligence agencies confirmed Russian state-sponsored hackers were the source of the attacks.

This is hilarious – many of these 17 agencies wouldn’t know a hack from a leak, nor would they have been privy to any real data other than what a couple of other agencies reported, which was thin and barely circumstantial, and was wholly derived from a third-party security analysis:

Air Force Intelligence
Army Intelligence
Central Intelligence Agency
Coast Guard Intelligence
Defense Intelligence Agency
Department of Energy
Department of Homeland Security
Department of State
Department of the Treasury
Drug Enforcement Administration
Federal Bureau of Investigation
Marine Corps Intelligence
National Geospatial-Intelligence Agency
National Reconnaissance Office
National Security Agency
Navy Intelligence
Office of the Director of National Intelligence

https://www.dni.gov/index.php/intelligence-community/members-of-the-ic

5. Was this “so-called” hack designed to affect the outcome of the US election?

It is clear, even if there were state-sponsored hacks, that the information provided in WikiLeaks had no relation to Russian manipulation of US elections. The information speaks for itself – it is the content of the leaks that is relevant – and it matters not where it came from. DNC corruption is the real issue, and any propaganda agenda designed to direct attention away from the damage the info presents is wholly deflection.

Most of the references used in the JAR report are really from third-party cybersecurity firms looking to “show off” their prowess at rooting out a hacker culprit. This ultimately means money for them. This is the reality of the sad state of security today. Note that not one report mentions that every single one of the compromises was directed at Microsoft operating systems. Why, when everyone knows that Microsoft is the most insecure OS and is specifically targeted by malware authors, state-sponsored or otherwise, do any governments still use it? Fortunately, there are real security researchers out there who see through the smoke and mirrors, and aren’t buying the BS handed to them by government entities and the media outlets they control.

Please read the information in the links cited as references below.

http://arstechnica.com/security/2016/12/did-russia-tamper-with-the-2016-election-bitter-debate-likely-to-rage-on/

https://www.codeandsec.com/Sophisticated-CyberWeapon-Shamoon-2-Malware-Analysis

https://www.dni.gov/index.php/intelligence-community/members-of-the-ic

Claims that Russia hacked the US election and power grid are ‘overblown’

http://www.usatoday.com/story/news/politics/onpolitics/2016/10/21/17-intelligence-agencies-russia-behind-hacking/92514592/

http://www.defenseone.com/technology/2016/12/accidental-mastermind-dnc-hack/134266/

https://www.rt.com/usa/372630-wikileaks-20k-reward-obama/

https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf
