As I stated in “Breakdown of the “So-called” Evidence for Russian Hacking, and the Sad State of Cybersecurity” on January 5, 2017:
“By no means is this evidence of anything. It could even be a US-sponsored hack, for that matter, obfuscating its origin by using a Russian build environment. This is pure speculation, and any security researcher knows this has effectively been used by malware authors in the past.”
With the release of the “Marble Framework” on WikiLeaks, we come upon more evidence that the entire so-called “Russian Hacking” story could very well have been a US state-sponsored hack – and it’s more likely.
“Marble is used to hamper forensic investigators and anti-virus companies from attributing viruses, trojans and hacking attacks to the CIA. Marble does this by hiding (“obfuscating”) text fragments used in CIA malware from visual inspection. This is the digital equivalent of a specialized CIA tool to place covers over the English language text on U.S. produced weapons systems before giving them to insurgents secretly backed by the CIA.”
[I corrected the hideous spelling errors]
Here’s the proof: https://wikileaks.org/vault7/?marble9#Marble%20Framework
I’ve been through many of the docs included in Vault 7 and it isn’t anything at all new or revelatory. I called this back in 2005 and detailed much of it back then. Most thought me a kook. Most of what I’ve looked at so far is valid, although it’s very basic info any hacker at DEFCON would know about.
It’s old crap, and I’d put money on it that the CIA itself “leaked” the data.
I’d write more about this, but it was nicely summed up in this article by John E Dunn:
Is there definitive evidence contained in the JAR (Joint Analysis Report – GRIZZLY STEPPE – Russian Malicious Cyber Activity), or FireEye’s analysis, “APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS” that Russian state-sponsored hackers compromised the DNC server with malware, and then leaked any acquired documents to WikiLeaks? Absolutely not. And here’s why:
Let’s first run through the “so-called” evidence – basically two “smoking guns” in the analysis – and a few other questions pertinent to the investigation. I’ll address each point with some technical details and maybe a little common-sense evaluation:
- Certain malware settings suggest that the authors did the majority of their work in a Russian language build environment.
- The malware compile times corresponded to normal business hours in the UTC + 4 time zone, which includes major Russian cities such as Moscow and St. Petersburg.
- Ultimately, WikiLeaks was the source of the dissemination of the compromised data – where did they acquire it?
- According to media sources, all 17 US intelligence agencies confirmed Russian state-sponsored hackers were the source of the attacks.
- Was this “so-called” hack designed to affect the outcome of the US election?
Let us now address each of these points specifically (some of this may be more technical for the average human – Program or be Programmed):
1. Certain malware settings suggest that the authors did the majority of their work in a Russian language build environment.
APT28 (Advanced Persistent Threat 28) consistently compiled Russian language settings into their malware.
| Locale ID | Primary language | Country | Samples |
| --- | --- | --- | --- |
| 0x0419 | Russian | ru | 59 |
| 0x0409 | English | us | 27 |
| 0x0000 or 0x0800 | Neutral locale | | 16 |
| 0x0809 | English | uk | 1 |
By no means is this evidence of anything. It could even be a US-sponsored hack, for that matter, obfuscating its origin by using a Russian build environment. This is pure speculation, and any security researcher knows this has effectively been used by malware authors in the past.
2. The malware compile times corresponded to normal business hours in the UTC + 4 time zone, which includes major Russian cities such as Moscow and St. Petersburg.
The FireEye report states:
During our research into APT28’s malware, we noted two details consistent across malware samples. The first was that APT28 had consistently compiled Russian language settings into their malware. The second was that malware compile times from 2007 to 2014 corresponded to normal business hours in the UTC + 4 time zone, which includes major Russian cities such as Moscow and St. Petersburg.

Use of Russian and English Language Settings

PE Resources include language information that can be helpful if a developer wants to show user interface items in a specific language. Non-default language settings packaged with PE resources are dependent on the developer’s build environment. Each PE resource includes a “locale” identifier with a language ID “composed of a primary language identifier indicating the language and a sublanguage identifier indicating the country/region.”
Any malware author could intentionally leave behind false clues in the resources section, pointing to Russia or any other country. These signatures are very easy to manipulate, and anyone with a modicum of Googling skills can alter the language identifier of the resources in PE files. ANY state-sponsored entity could easily obfuscate the language identifier in this way. One could also compile through an online compiler or a hosted integrated development environment (IDE) via a proxy service, so that the compile times appear to come from whatever region was chosen. The information in the FireEye report is spurious at best.
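To make both signals concrete, here is an added Python example (mine, not code from this post or from FireEye) that reads them the way an analyst would: it splits a resource locale ID into its primary-language and sublanguage bits, builds a tally like the table above, and pulls the COFF TimeDateStamp out of a PE header to list every UTC offset that would place that stamp in business hours. The PE buffer is constructed inside the script, the lookup tables cover only the locale IDs in the table above, and the business-hours window (weekdays, 09:00 to 18:00 local) is my assumption.

```python
import struct
from datetime import datetime, timedelta, timezone

# Primary language IDs (low 10 bits of a resource locale ID). Only the values
# from the table above are mapped; a full tool would use the whole Windows table.
PRIMARY_LANG = {0x00: "Neutral", 0x09: "English", 0x19: "Russian"}
# (primary, sublanguage) -> the country/region tag shown in the table above.
SUBLANG_TAG = {(0x19, 0x01): "ru", (0x09, 0x01): "us", (0x09, 0x02): "uk"}


def decode_lcid(lcid: int) -> tuple:
    """Split a locale ID into primary language (bits 0-9) and sublanguage (bits 10-15)."""
    primary = lcid & 0x3FF
    sublang = (lcid >> 10) & 0x3F
    if primary == 0x00:
        return ("Neutral", None)  # 0x0000 and 0x0800 both collapse to neutral
    name = PRIMARY_LANG.get(primary, f"primary 0x{primary:02x}")
    return (name, SUBLANG_TAG.get((primary, sublang), f"sublang 0x{sublang:02x}"))


def tally_locales(lcids) -> dict:
    """Count samples per decoded locale, the way the table above is built."""
    counts = {}
    for lcid in lcids:
        key = decode_lcid(lcid)
        counts[key] = counts.get(key, 0) + 1
    return counts


def build_sample_pe(time_date_stamp: int) -> bytes:
    """Constructed stand-in for the start of a PE file: a DOS stub whose e_lfanew
    points at a 'PE\\0\\0' signature followed by a COFF file header. Everything
    other than the fields read below is zero padding."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 1, time_date_stamp, 0, 0, 240, 0x22)
    return dos + b"PE\x00\x00" + coff


def read_timedatestamp(pe: bytes) -> int:
    """Return the 32-bit TimeDateStamp from the COFF header (seconds since the Unix epoch)."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    # Signature (4) + Machine (2) + NumberOfSections (2) precede the stamp.
    return struct.unpack_from("<I", pe, e_lfanew + 8)[0]


def compile_time_utc(pe: bytes) -> datetime:
    return datetime.fromtimestamp(read_timedatestamp(pe), tz=timezone.utc)


def zones_in_business_hours(ts: datetime, start_hour: int = 9, end_hour: int = 18) -> list:
    """Every whole-hour UTC offset for which ts lands on a weekday inside
    [start_hour, end_hour) local time. One stamp normally fits several zones."""
    hits = []
    for off in range(-12, 15):
        local = ts.astimezone(timezone(timedelta(hours=off)))
        if local.weekday() < 5 and start_hour <= local.hour < end_hour:
            hits.append(off)
    return hits


# Constructed sample stamp: Wednesday 2014-03-05 09:00 UTC.
SAMPLE_STAMP = int(datetime(2014, 3, 5, 9, 0, tzinfo=timezone.utc).timestamp())
SAMPLE_PE = build_sample_pe(SAMPLE_STAMP)

if __name__ == "__main__":
    print(tally_locales([0x0419] * 3 + [0x0409] * 2 + [0x0000, 0x0800, 0x0809]))
    ts = compile_time_utc(SAMPLE_PE)
    print("compiled", ts.isoformat(), "is business hours at UTC offsets", zones_in_business_hours(ts))
```

Both values are plain header fields recovered with a few struct unpacks, and neither is protected by anything. The sample stamp above lands in business hours for nine different whole-hour offsets (UTC+0 through UTC+8), so a UTC+4 fit on its own narrows the field very little, which is the point made about the FireEye report.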
3. Ultimately, WikiLeaks was the source of the dissemination of the compromised data – where did they acquire it?
Julian Assange, the founder of WikiLeaks, has repeatedly stated that the source of the information they posted was NOT from ANY state-sponsored source – including Russia. In fact, in all of the reports (including the JAR and FireEye) they never once mention WikiLeaks. Strange.
4. According to media sources, all 17 US intelligence agencies confirmed Russian state-sponsored hackers were the source of the attacks.
This is hilarious – many of these 17 agencies wouldn’t know a hack from a leak, nor would they have been privy to any real data other than what a couple of other agencies reported, which was thin and barely circumstantial, and wholly derived from a third-party security analysis:
- Air Force Intelligence
- Central Intelligence Agency
- Coast Guard Intelligence
- Defense Intelligence Agency
- Department of Energy
- Department of Homeland Security
- Department of State
- Department of the Treasury
- Drug Enforcement Administration
- Federal Bureau of Investigation
- Marine Corps Intelligence
- National Geospatial-Intelligence Agency
- National Reconnaissance Office
- National Security Agency
- Office of the Director of National Intelligence
5. Was this “so-called” hack designed to affect the outcome of the US election?
It is clear, even if there were state-sponsored hacks, that the information provided in WikiLeaks had no relation to Russian manipulation of US elections. The information speaks for itself – it is the content of the leaks that is relevant – and it matters not where it came from. DNC corruption is the real issue, and any propaganda agenda designed to direct attention away from the damage the info presents is wholly deflection.
Most of the references used in the JAR report are really from third-party cybersecurity firms looking to “show off” their prowess at rooting out a hacker culprit. This ultimately means money for them. This is the reality of the sad state of security today. Note that not one report mentions that every single one of the compromises was directed at Microsoft operating systems. Why, when everyone knows that Microsoft is the most insecure OS and is specifically targeted by malware authors, state-sponsored or otherwise, do any governments still use it? Fortunately, there are real security researchers out there who see through the smoke and mirrors, and aren’t buying the BS handed to them by government entities and the media outlets they control.
Please read the information in the links cited as references below.
Back on December 22nd, 2014, I wrote a piece called, “The Cold War Revival.” In it, I discuss the necessity of large corporate interests controlling the government to create agitation once again with Russia and other enemy states in order to gain the support of the people to funnel massive funds to the Military Industrial Complex. It’s a plausible tactic where the politicians of this country are sponsored by giant defense corporations. If they’re pulling out of active wars, but in desperate need to keep fueling the military industrial complex that signs their paychecks, they could cleverly revive the Cold War game plan. And, they have.
Recent “news” delivered by the MSM – who has wholly embraced the intelligentsia’s claims offered up by the CIA and now other 3-letter agencies – that a Russian state-sponsored hack of the DNC and the RNC had an effect in swaying the US’s election results, is patently absurd, and pure agit-prop. To date, there is absolutely no conclusive evidence that anything of the sort occurred. The Straw Man tactic has been employed again, and it appears to be working as usual.
The only reason to continually create new bad guys, or conjure up the old bad guys is to fill the coffers of corporate Department of Defense contractors who lobby the shit out of our government. THEY DON’T WORK FOR US. Our so-called government officials work for the money they get from corporate interests. And, they need those paychecks to keep coming in.
Now, I could go into the sexy details of what it takes to track down a real state-hacker (most of what the official rhetoric has to offer is juvenile and pedantic), but it’s pointless when you realize this has nothing to do with hacking. There is a bigger picture here people, and it’s emblazoned with a scarlet letter sewn into the very fabric of our willful unconsciousness. We need to wake the fuck up, and not accept this bullshit any longer.
Of course, there is no mention of what operating system was on the receiving end of the attacks, but we all know what it is.