[Busec] Report on Russian hacking

Ethan Heilman eth3rs at gmail.com
Wed Jan 4 09:03:50 EST 2017


I worry that this Wordfence report makes it look like only that PHP
malware was used and that there is no additional evidence.

However, my understanding is that the DNC hackers used several forms of
persistence, including XAgent (according to CrowdStrike). I was
unable to find any evidence that XAgent was available for use by
anyone other than SEDNIT/APT28. I would love to see a report on the
Windows variant of XAgent used in the DNC hack.

> I believe (correct me if I'm wrong), there is no other data available from the USG. Only (very) pointed accusations against a certain country.

Not sure why the DHS/FBI report goes out of its way to present so
little evidence. Was the CrowdStrike report incorrect? Did they not
want to step on CrowdStrike's toes? Is this the result of overzealous
secrecy?

This issue highlights a critical need for neutral ICT investigative
bodies that operate not as intelligence agencies but instead work to
build public cases and publish evidence in a trustworthy, open manner.
This should be the role of the FBI, but clearly something went wrong
here. Currently private companies like CrowdStrike and FireEye fill
this role, but since they are hired and paid by an interested party
they are often viewed with skepticism.


On Wed, Jan 4, 2017 at 2:47 AM, Hristo Stoyanov <htstoyanov at gmail.com> wrote:
> Here are some actual details based on the CSV and XML published alongside the
> written report:
> https://www.wordfence.com/blog/2016/12/russia-malware-ip-hack/
>
> Conclusions: old, freely available malware; an incredibly wide variety of
> countries making up the IP addresses given as a source of the attack. Hence,
> that data is as evidence-free as the written report. I believe (correct me
> if I'm wrong) there is no other data available from the USG. Only (very)
> pointed accusations against a certain country.
>
> However, what would be good technical details that show attribution? Russian
> documents/emails that order/discuss/report on the attack (perhaps with some
> signatures :)) would definitely cut it. What else?
>
> - Hristo
>
> 2017-01-03 13:10 GMT-08:00 Ari Trachtenberg <trachten at bu.edu>:
>>
>> Yes, the CrowdStrike report is much more interesting, but, at this point,
>> rather dated. What it doesn't include is evidence of attribution to the
>> Russian government (just some suggestive information about the slickness
>> of the attack and a belief of some link). Has anyone seen public technical
>> details in this realm?
>>
>> best,
>>         -Ari
>>
>> > On Jan 3, 2017, at 2:32 PM, Ethan Heilman <eth3rs at gmail.com> wrote:
>> >
>> > With the exception of the attribution of individual hackers, the
>> > DHS/FBI report is almost entirely detail-free. The CrowdStrike report
>> > provides many of the missing details:
>> >
>> > https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/
>> >
>> > One interesting tidbit in the DHS/FBI report was that it blames Slavik of
>> > Zeus Gameover fame.
>> >
>> > On Tue, Jan 3, 2017 at 2:08 PM, Ari Trachtenberg <trachten at bu.edu>
>> > wrote:
>> >> Somehow I'm missing the description ... I just see generic malware
>> >> information on a popular web shell tool and generic mitigation
>> >> strategies. If anything, this suggests a *lack* of an actual smoking gun.
>> >>
>> >> best,
>> >> -Ari
>> >>
>> >> On Dec 29, 2016, at 5:56 PM, Scheffler, Sarah, Ann <sscheff at bu.edu>
>> >> wrote:
>> >>
>> >> This is a joint report written by DHS and the FBI, and it's the first
>> >> actual decent description I've found of the Russian hacking that's been
>> >> all over the news, and I figured y'all might be interested in reading it:
>> >>
>> >> http://www.nytimes.com/interactive/2016/12/29/us/politics/document-Report-on-Russian-Hacking.html
>> >>
>> >> Happy last-two-and-a-half-days-of-2016,
>> >> Sarah
>> >> _______________________________________________
>> >> Busec mailing list
>> >> Busec at cs.bu.edu
>> >> http://cs-mailman.bu.edu/mailman/listinfo/busec
>> >>
>> >>
>> >> —
>> >> Prof. Ari Trachtenberg
>> >> Electrical and Computer Engineering
>> >> Boston University
>> >> trachten at bu.edu

