Does the report prove that Russia Hacked the 2016 US Election?
No, it does not. What Wordfence revealed on Friday is that the PHP malware sample that the US government provided is:
- An old version of malware. The sample was version 3.1.0 and the current version is 3.1.7 with 4.1.1 beta also available.
- Freely available to anyone who wants it.
- The authors claim they are Ukrainian, not Russian.
- The malware is an administrative tool used by hackers to upload files, view files on a hacked website, download database contents and so on. It is used as one step in a series of steps that would occur during an attack.
Wordfence also analyzed the IP addresses available and demonstrated that they are in 61 countries and belong to over 380 organizations, many of which are well-known website hosting providers, from which many attacks originate. There is nothing in the IP data that points to Russia specifically.
If I find something in the DHS/FBI report on my website or network, does it mean that Russia hacked me?
No, it does not.
This has caused serious confusion already among press and US policy makers. A Vermont electrical utility found a sample of what is in the DHS/FBI Grizzly Steppe report on a single laptop. That laptop was not connected to the Electric Grid network. It was reported as Russia hacking the US electrical grid.
Glenn Greenwald has provided some magnificent reporting on this incident and the response from the media and from US senators.
The data in the DHS/FBI Grizzly Steppe report contains “indicators of compromise” (IOCs), which you can think of as footprints that hackers left behind. The IOCs in the report are tools that are freely available and IP addresses that are used by hackers around the world. There is very little Russia-specific data in the Grizzly Steppe report.
If you find an IOC that is in the report on your network or server, it is unlikely that you have been targeted by Russian Intelligence.
The PHP malware the report provided, for example, is freely available for anyone who wants it. You can even customize it to include your own password to limit access to others. Please see our original report for details. Any attacker can use it to hack your website, not just Russian Intelligence.
The DHS/FBI report also included IP addresses. The owners of IP addresses change from time to time. An IP that was being used by Russian Intelligence today to hack a target may be used by another attacker to hack a different target a few days later. This can happen for several reasons:
- A hacked IP can be used by one attacker and then be compromised by a different attacker later on to also launch attacks.
- IP addresses change ownership from time to time. A Linode IP may be hacked by Russia and used to launch attacks. Then it may be shut down by Linode, change ownership and the new owner’s site can get hacked. Then that IP address is attacking once again, but the attacker is someone else.
- IP addresses are also dynamic if they belong to an internet service provider (ISP). Some of the IPs in the Grizzly Steppe report do belong to ISPs. For example, we can see IPs belonging to Yota.ru, a Russian internet service provider. The hostnames are ‘wimax-client.yota.ru’, which suggests that they are wifi customers. These IPs are probably dynamic and regularly change hands. They may be used by one attacker today and a different attacker tomorrow.
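As an added illustration of the point above (example code, not from the original post or from Wordfence): a log matcher that, instead of treating an IP hit as attribution, labels each hit by what its reverse-DNS name implies about how often the address changes hands. The IOC addresses, hostnames and log lines are constructed, and the hostname patterns are assumptions.

```python
import re

# Constructed IOC table (not taken from the DHS/FBI report).  The hostnames
# stand in for what a PTR lookup would return; they are embedded so the
# script runs offline.  'wimax-client.yota.ru' is the pattern the post cites.
IOC_IPS = {
    "203.0.113.10": "wimax-client.yota.ru",         # ISP dynamic pool
    "198.51.100.7": "li123-45.members.linode.com",  # hosting provider (constructed)
    "192.0.2.200": None,                            # no PTR record at all
}

# Assumed reverse-DNS fragments that suggest a shared or frequently
# re-assigned address.  Extend these from your own PTR data.
DYNAMIC_PATTERNS = [r"wimax-client", r"\bdyn", r"\bpool\b", r"\bdhcp\b", r"\bppp\b"]
HOSTING_PATTERNS = [r"linode", r"digitalocean", r"ovh", r"hetzner", r"amazonaws"]

# Apache/nginx combined-style access log line, only the fields we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

def classify(hostname):
    """Rate how much an IOC hit on this address says about WHO sent it."""
    if hostname is None:
        return "unknown-owner", "no reverse DNS; ownership cannot be checked"
    h = hostname.lower()
    if any(re.search(p, h) for p in DYNAMIC_PATTERNS):
        return "low", "dynamic ISP address; changes hands regularly"
    if any(re.search(p, h) for p in HOSTING_PATTERNS):
        return "low", "hosting provider; the customer may have changed"
    return "medium", "static-looking address; still evidence of a hit, not attribution"

def match_log(lines, iocs=IOC_IPS):
    """Return IOC hits from access-log lines, each with a confidence note."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("ip") not in iocs:
            continue
        conf, why = classify(iocs[m.group("ip")])
        hits.append({"ip": m.group("ip"), "request": m.group("req"),
                     "status": int(m.group("status")),
                     "confidence": conf, "note": why})
    return hits

# Constructed sample log: three IOC hits and one unrelated request.
SAMPLE_LOG = [
    '203.0.113.10 - - [30/Dec/2016:03:12:44 +0000] "GET /wp-login.php HTTP/1.1" 200 1234',
    '198.51.100.7 - - [30/Dec/2016:03:13:01 +0000] "POST /wp-content/uploads/x.php HTTP/1.1" 403 0',
    '192.0.2.200 - - [30/Dec/2016:03:14:10 +0000] "GET / HTTP/1.1" 200 5678',
    '198.18.0.5 - - [30/Dec/2016:03:15:00 +0000] "GET /index.php HTTP/1.1" 200 100',
]
```

Running `match_log(SAMPLE_LOG)` yields three hits, two rated "low" because the addresses sit in a dynamic ISP pool or a hosting provider's range, which is the situation the post describes for Yota.ru and Linode addresses.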
How did Wordfence determine the malware source, the authors and the version?
We received the DHS/FBI report on Thursday. Rob McMahon, one of my colleagues and a security analyst at Wordfence, alerted me to its existence at 8pm Pacific time on Thursday, December 29th. We worked through the night until 7am the next morning, when we released the report. Here is what we did:
We read the report and noticed there was a Yara signature for PHP malware. That means that the FBI and DHS provided just enough information to identify the existence of PHP malware. The report didn’t actually provide the malware itself.
We went into Polestar, which is a Wordfence proprietary big-data platform that we have developed to aggregate and mine a large number of attacks from a range of sources. We used the Yara signature to try to determine if anyone had attacked a WordPress site using this malware. At this point we didn’t know what it was or if it had even been used against WordPress.
Jackpot! We had captured the entire 20k malware sample!
We extracted the malware sample from Polestar and I handed it to Rob who started analysis on the sample. We divided the work and I went off and analyzed the IP addresses that DHS/FBI had provided in Grizzly Steppe.
Rob realized that most of the malware is encrypted. The way it works is that a hacker will upload it to a website. They access the malware as a web page and are prompted for a password by a small amount of unencrypted code in the malware. They enter the password which is actually a decryption key.
That decryption key is stored in a cookie so the hacker doesn’t have to keep entering it. The key then decrypts the malware code which is executed. Then every time the hacker accesses the malware in future, the key stored in a cookie decrypts the malware so that it can execute. It’s quite clever and makes our jobs harder.
We needed to find the decryption key for the malware. So we went back to Polestar and tried to find an attack that was blocked and logged where the attacker was trying to access the malware they had uploaded.
Jackpot again! We found the key. Rob used the key to decrypt the malware and view the source code. Once he could see the source code, he could see the name of the malware and the version and a few Google searches revealed the source website that it came from.
The rest was much easier. We could now take the malware sample and put it on a sandboxed research environment and actually run it and see what it did. We could also download the newer version of the malware, called ‘P.A.S.’, and execute that to see what it does and how it differs.
This is how we determined that the FBI/DHS report contains an old malware sample that is publicly available and the hacker group that distributes it appears to be Ukrainian.
Why did Wordfence use the title “US Govt Data Shows Russia Used Outdated Ukrainian PHP Malware” when publishing this research?
Some of our readers commented that the title we used for the post was confusing or misleading. Keep in mind that when we published, my team and I had been working through the night.
The problem that some readers had with that title is that it suggests that Russia hacked the US election. But our research indicates that the DHS/FBI report actually does not contain any data attributing the attack to Russia.
If you rewrite the above title and put ‘Russia’ in single quotes it may make more sense.
Perhaps a better title would have been: US Government report does not contain data attributing 2016 election hacks to Russia. The report includes outdated PHP malware that is publicly available and appears to originate from a Ukrainian hacker group. It also includes IP addresses with no clear link to Russia.
That would have been too long, but I think it accurately captures what we were trying to convey.
I chose to not change the headline to protect the credibility of our community. When we publish a blog post, many of you share that post on Twitter, Facebook and in other social media. Your share includes the post title. If I change the title later on, it makes it look like you edited the title yourself when sharing our post. You may be accused of exaggerating or changing our words. So once we pull the trigger on a post, the title is never edited.