[Busec] Report on Russian hacking

Manuel Egele megele at bu.edu
Wed Jan 4 13:12:49 EST 2017


On Wed, 2017-01-04 at 08:11 -0800, Hristo Stoyanov wrote:
> Here's ESET claims they've acquired XAgent source
> code: http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf (described on the ESET website here: https://www.eset.com/us/about/newsroom/press-releases/dissection-of-sednit-espionage-group/)
> Here's another claim of a third party also having the XAgent source
> code: https://medium.com/@jeffreycarr/the-gru-ukraine-artillery-hack-that-may-never-have-happened-820960bbb02d (this article references the ESET report in the first link). Kinda shaky, "I heard it from a friend of a friend of my aunt" type of evidence, admittedly.
> 
> 
> This can be a post-factum attempt to get plausible deniability, or it
> could be that someone had XAgent that wasn't APT28. Can't tell between
> confirmation bias and circumstantial evidence here.
> 
> 
> Another thing that I'm missing is how exactly APT28, as users of
> XAgent, and this PHP malware are tied together. What detail links the two?
> 
> 
> As for an open and transparent organization that attempts to build
> good cases by acquiring the kind of evidence Ari listed - a lot of
> this seems to require some legal capabilities usually afforded to
> government agencies (hack back, gather court-admissible evidence). The
> kind of thing that the FBI is supposed to do. Perhaps some form of
> partnership between the FBI and academia would be productive. They dealt
> very successfully with Silk Road, after all.

I particularly agree with the last paragraph. Also, I'm not sure that
modeling something along the lines of CMU-CERT with respect to the security
community is a good citizen model --- just look at the fallout that
CMU-CERT's Tor deanonymizing exercise produced.

cheers,
--manuel

> Hristo
> 
> 2017-01-04 7:13 GMT-08:00 Ari Trachtenberg <trachten at bu.edu>:
>         Sounds like a perfect role for academia (maybe patterned after
>         CMU's CERT here at BU). The biggest problem is, of course, with
>         getting reliable data ... perhaps it is possible to cull data
>         from everybody and use statistical tests to fish for bias.
>         
>         Regarding Hristo's question ... I think that the key word is
>         evidence, since most things can be faked with enough effort.
>         Evidence could include:
>         * use, structure, and style reuse of attributed code or
>           vulnerabilities, ideally those that are private
>         * IP addresses
>         * cryptographic keys
>         * pictures of hackers and geolocation (as with the Chinese
>           hackers not so long ago)
>         * hack back data
>         
>         best,
>                 -Ari
>         
>         > On Jan 4, 2017, at 9:03 AM, Ethan Heilman <eth3rs at gmail.com>
>         > wrote:
>         >
>         > I worry that this Wordfence report makes it look like only
>         > that PHP malware was used and that there is no additional
>         > evidence.
>         >
>         > However, my understanding is that the DNC hackers used several
>         > forms of persistence including XAgent (according to CrowdStrike).
>         > I was unable to find any evidence that XAgent was available for
>         > use by anyone other than SEDNIT/APT28. I would love to see a
>         > report on the Windows variant of the XAgent used in the DNC hack.
>         >
>         >> I believe (correct me if I'm wrong), there is no other data
>         >> available from the USG. Only (very) pointed accusations
>         >> against a certain country.
>         >
>         > Not sure why the DHS/FBI report goes out of its way to present
>         > so little evidence. Was the CrowdStrike report incorrect? Did
>         > they not want to step on CrowdStrike's toes? Is this the result
>         > of over-zealous secrecy?
>         >
>         > This issue highlights a critical need for neutral ICT
>         > investigative bodies that operate not as intelligence agencies
>         > but instead work to build public cases and publish evidence in
>         > a trustworthy open manner. This should be the role of the FBI,
>         > but clearly something went wrong here. Currently private
>         > companies like CrowdStrike and FireEye fill this role, but since
>         > they are hired and paid by an interested party they are often
>         > viewed with skepticism.
>         >
>         >
>         > On Wed, Jan 4, 2017 at 2:47 AM, Hristo Stoyanov
>         > <htstoyanov at gmail.com> wrote:
>         >> Here are some actual details based on the CSV and XML
>         >> published alongside the written report:
>         >>
>         >> https://www.wordfence.com/blog/2016/12/russia-malware-ip-hack/
>         >>
>         >> Conclusions: old freely available malware, incredibly wide
>         >> variety of countries making up the IP addresses given as a
>         >> source of the attack. Hence, that data is as evidence-free as
>         >> the written report. I believe (correct me if I'm wrong), there
>         >> is no other data available from the USG. Only (very) pointed
>         >> accusations against a certain country.
>         >>
>         >> However, what would be good technical details that show
>         >> attribution? Russian documents/emails that
>         >> order/discuss/report on the attack (perhaps with some
>         >> signatures :)) would definitely cut it. What else?
>         >>
>         >> - Hristo
>         >>
>         >> 2017-01-03 13:10 GMT-08:00 Ari Trachtenberg
>         >> <trachten at bu.edu>:
>         >>>
>         >>> Yes, the CrowdStrike report is much more interesting, but,
>         >>> at this point, rather dated. What it doesn't include is
>         >>> evidence of attribution to the Russian government (just some
>         >>> suggestive information about the slickness of the attack and
>         >>> a belief of some link). Has anyone seen public technical
>         >>> details in this realm?
>         >>>
>         >>> best,
>         >>>        -Ari
>         >>>
>         >>>> On Jan 3, 2017, at 2:32 PM, Ethan Heilman
>         >>>> <eth3rs at gmail.com> wrote:
>         >>>>
>         >>>> With the exception of the attribution of individual hackers,
>         >>>> the DHS/FBI report is almost entirely detail-free. The
>         >>>> CrowdStrike report provides many of the missing details:
>         >>>>
>         >>>> https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/
>         >>>>
>         >>>> One interesting tidbit in the DHS/FBI report was that it
>         >>>> blamed Slavik of Zeus Gameover fame.
>         >>>>
>         >>>> On Tue, Jan 3, 2017 at 2:08 PM, Ari Trachtenberg
>         >>>> <trachten at bu.edu> wrote:
>         >>>>> Somehow I'm missing the description ... I just see generic
>         >>>>> malware information on a popular web shell tool and generic
>         >>>>> mitigation strategies. If anything, this suggests a *lack*
>         >>>>> of an actual smoking gun.
>         >>>>>
>         >>>>> best,
>         >>>>> -Ari
>         >>>>>
>         >>>>> On Dec 29, 2016, at 5:56 PM, Scheffler, Sarah, Ann
>         >>>>> <sscheff at bu.edu> wrote:
>         >>>>>
>         >>>>> This is a joint report written by DHS and the FBI, and it's
>         >>>>> the first actual decent description I've found of the
>         >>>>> Russian hacking that's been all over the news, and I figured
>         >>>>> y'all might be interested in reading it:
>         >>>>>
>         >>>>> http://www.nytimes.com/interactive/2016/12/29/us/politics/document-Report-on-Russian-Hacking.html
>         >>>>>
>         >>>>> Happy last-two-and-a-half-days-of-2016,
>         >>>>> Sarah
>         >>>>> _______________________________________________
>         >>>>> Busec mailing list
>         >>>>> Busec at cs.bu.edu
>         >>>>> http://cs-mailman.bu.edu/mailman/listinfo/busec
>         >>>>>
>         >>>>>
>         >>>>> —
>         >>>>> Prof. Ari Trachtenberg
>         >>>>> Electrical and Computer Engineering
>         >>>>> Boston University
>         >>>>> trachten at bu.edu
>         >>>
>         >>
>         
> 
> 
