Expert analyses from the intelligence community are destroying the Obama administration’s so-called “proof” of Russian hacking.
On Thursday, as part of the White House response to alleged Russian hacking, the FBI and DHS released a Joint Analysis Report (JAR) called “Grizzly Steppe.” While this report was meant to prove, or at least provide evidence, that the Russian government was involved in hacks of the Democratic Party, experts have stated that it “adds nothing.”
Jeffrey Carr, a cybersecurity consultant, author, and founder of the Suits and Spooks conference, wrote in an analysis that the report merely lists every threat group ever reported on by a commercial cybersecurity company suspected of having ties to Russia, labeling them “Russian Intelligence Services,” without evidence that any such connection exists.
“Unlike Crowdstrike, ESET doesn’t assign APT28/Fancy Bear/Sednit to a Russian Intelligence Service or anyone else for a very simple reason. Once malware is deployed, it is no longer under the control of the hacker who deployed it or the developer who created it,” Carr wrote, adding, “It can be reverse-engineered, copied, modified, shared and redeployed again and again by anyone. In other words — malware deployed is malware enjoyed!”
Carr added that if the White House had unclassified evidence tying Russia to the DNC hack, the evidence would have been made public by now. Since they have not made evidence public, he, like many other members of the intelligence community, believes that it is either classified or it simply does not exist. “If it’s classified, an independent commission should review it because this entire assignment of blame against the Russian government is looking more and more like a domestic political operation run by the White House that relied heavily on questionable intelligence generated by a for-profit cybersecurity firm with a vested interest in selling ‘attribution-as-a-service,’” Carr stated.
Likewise, Robert M. Lee, a National Cybersecurity Fellow at New America and CEO and founder of cybersecurity company Dragos, published a thorough critique of the JAR, saying it “reads like a poorly done vendor intelligence report stringing together various aspects of attribution without evidence.”
US Govt: it's good to release technical indicators to help defenders. But please don't call it your evidence of attribution when it's not.
— Robert M. Lee (@RobertMLee) December 29, 2016
Lee wrote. “It was a mixing of data types that didn’t meet any objective in the report and only added confusion as to whether the DHS/FBI knows what they are doing or if they are instead just telling teams in the government ‘contribute anything you have that has been affiliated with Russian activity.’”
Lee explained that it is extremely difficult to identify whether data was sourced from the private sector or from declassified government data. “It is useful to know what is government data from previously classified sources and what is data from the private sector and more importantly who in the private sector. Organizations will have different trust or confidence levels of the different types of data and where it came from,” Lee said. “Unfortunately, this is entirely missing. The report does not source its data at all. It’s a random collection of information and in that way, is mostly useless.” Lee, in his critique, stressed that government reports should state where their data came from, and should separate private-sector information from the government’s own data, which is seen as having a higher confidence level. Further, Lee stated that some of the samples were already known to the public, so if they were classified, “it is a perfect example of over-classification by government bureaucracy.”
“The DHS/FBI GRIZZLY STEPPE report does not meet its stated intent of helping network defenders and instead chooses to focus on a confusing assortment of attribution, non-descriptive indicators, and re-hashed tradecraft,” Lee said. “Additionally, the bulk of the report (8 of the 13 pages) is general high-level recommendations not descriptive of the RIS threats mentioned and with no linking to what activity would help with what aspect of the technical data covered. It simply serves as an advertisement
Lee summed up that the JAR appears to have been very rushed, put together by multiple teams working with different data sets and motivations, resulting in a very confusing non-explanation that tried to cover too much while saying too little.
The report also includes an alphabetical list of 48 nicknames of presumed hackers and hacker groups: APT28, APT29, Agent.btz, BlackEnergy V3, BlackEnergy2 APT, CakeDuke, etc.
One of these hacker groups calls itself Tsar Team, and it looks like the Russian word “Tsar” (King) is the only “proof” of Russia’s alleged involvement in these cyber-attacks that one can find in the 13-page report.
The “evidence” in the report, where Russian cyber activity is referred to as Grizzly Steppe, falls short of anything that would directly tie Russian intelligence services to any plan meant to influence the outcome of US elections.
“This group may include people from different countries who have a shared agenda, or they may be Russians all, but this is not enough reason for introducing sanctions and expelling diplomats,” Ioffe said.
“This is all lies and fairytales. Tracing hackers in today’s world is a mission impossible. You can say they are from Africa, Australia or the Antarctic and no one will be able to either confirm or deny this. But each report or analytical memo is written for a reason. In this case the reason is to prove Russia’s alleged influence on the US presidential elections even though this whole thing simply holds no water,” said Alexei Smolin, a professor at the Moscow Humanitarian University.