[Busec] Report on Russian hacking

Manuel Egele megele at bu.edu
Wed Jan 4 13:51:59 EST 2017


On Wed, 2017-01-04 at 13:48 -0500, Ethan Heilman wrote:
> The Silk road case was also not without problems. For instance the two
> DEA agents in the Silk Road investigation that stole Bitcoins, ran an
> extortion racket, sold investigation details to potential suspects and
> altered evidence. US federal investigation bodies don't have a great
> reputation --see FBI collaboration with Boston organised crime and DEA
> employees selling confidential informant identities to drug cartels.

Sure, but that was purely on the Law Enforcement side. The case with
CMU-CERT was different, as the, let's call it, malice originated from the
"academic" side of the partnership. You (or at least I as a responsible
researcher) simply don't go, break TOR and then don't tell anyone about
it.

cheers,
--manuel

> On Wed, Jan 4, 2017 at 1:12 PM, Manuel Egele <megele at bu.edu> wrote:
> > On Wed, 2017-01-04 at 08:11 -0800, Hristo Stoyanov wrote:
> > > Here ESET claims they've acquired XAgent source code:
> > > http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf (described on the ESET website here: https://www.eset.com/us/about/newsroom/press-releases/dissection-of-sednit-espionage-group/)
> > > Here's another claim of a third party also having the XAgent source code:
> > > https://medium.com/@jeffreycarr/the-gru-ukraine-artillery-hack-that-may-never-have-happened-820960bbb02d (this article references the ESET report in the first link). Kinda shaky, I heard it from a friend of a friend of my aunt type of evidence, admittedly.
> > >
> > > This can be a post-factum attempt to get plausible deniability or it could be someone had XAgent that wasn't APT28. Can't tell between confirmation bias and circumstantial evidence here.
> > >
> > > Another thing that I'm missing is how exactly are APT28 as users of xagent and this PHP malware tied together. What detail links the two?
> > >
> > > As for an open and transparent organization that attempts to build good cases by acquiring the kind of evidence Ari listed - a lot of this seems to require some legal capabilities usually afforded to government agencies (hack back, gather court admissible evidence). The kind of thing that FBI is supposed to do. Perhaps some form of partnership between FBI and academia would be productive. They dealt very successfully with Silk road, after all.
> >
> > I particularly agree with the last paragraph. Also, I'm not sure that modeling something along the lines of CMU-CERT with respect to the security community is a good citizen model --- just look at the fallout that CMU-CERT's deanonymizing TOR exercise produced.
> >
> > cheers,
> > --manuel
> >
> > > Hristo
> > >
> > > 2017-01-04 7:13 GMT-08:00 Ari Trachtenberg <trachten at bu.edu>:
> > > > Sounds like a perfect role for academia (maybe patterned after CMU's CERT here at BU). The biggest problem is, of course, with getting reliable data ... perhaps it is possible to cull data from everybody and use statistical tests to fish for bias.
> > > >
> > > > Regarding Hristo's question ... I think that the key word is evidence, since most things can be faked with enough effort. Evidence could include:
> > > > * use, structure, and style reuse of attributed code or vulnerabilities, ideally those that are private
> > > > * IP addresses
> > > > * cryptographic keys
> > > > * pictures of hackers and geolocation (as with the Chinese hackers not so long ago)
> > > > * hack back data
> > > >
> > > > best,
> > > >         -Ari
> > > >
> > > > > On Jan 4, 2017, at 9:03 AM, Ethan Heilman <eth3rs at gmail.com> wrote:
> > > > >
> > > > > I worry that this wordfence report makes it look like only that php malware was used and that there is no additional evidence.
> > > > >
> > > > > However my understanding is that DNC hackers used several forms of persistence including XAgent (according to the crowdstrike). I was unable to find any evidence that XAgent was available for use by anyone other than SEDNIT/APT28. I would love to see a report on the windows variant of the XAgent used in the DNC hack.
> > > > >
> > > > > > I believe (correct me if I'm wrong), there is no other data available from the USG. Only (very) pointed accusations against a certain country.
> > > > >
> > > > > Not sure why the DHS/FBI report goes out of its way to present so little evidence. Was the crowdstrike report incorrect? Did they not want to step on crowdstrike's toes? Is this the result of overzealous secrecy?
> > > > >
> > > > > This issue highlights a critical need for neutral ICT investigative bodies that operate not as intelligence agencies but instead work to build public cases and publish evidence in a trustworthy open manner. This should be the role of the FBI, but clearly something went wrong here. Currently private companies like Crowdstrike and Fireeye fill this role but since they are hired and paid by an interested party they are often viewed with skepticism.
> > > > >
> > > > > On Wed, Jan 4, 2017 at 2:47 AM, Hristo Stoyanov <htstoyanov at gmail.com> wrote:
> > > > > > Here are some actual details based on the csv and xml published alongside the written report:
> > > > > >
> > > > > > https://www.wordfence.com/blog/2016/12/russia-malware-ip-hack/
> > > > > >
> > > > > > Conclusions: old freely available malware, incredibly wide variety of countries making up the IP addresses given as a source of the attack. Hence, that data is as evidence-free as the written report. I believe (correct me if I'm wrong), there is no other data available from the USG. Only (very) pointed accusations against a certain country.
> > > > > >
> > > > > > However, what would be good technical details that show attribution? Russian documents/emails that order/discuss/report on the attack (perhaps with some signatures :)) would definitely cut it. What else?
> > > > > >
> > > > > > - Hristo
> > > > > >
> > > > > > 2017-01-03 13:10 GMT-08:00 Ari Trachtenberg <trachten at bu.edu>:
> > > > > > >
> > > > > > > Yes, the crowdstrike report is much more interesting, but, at this point, rather dated.
> > > > > > > What it doesn't include is evidence of attribution to the Russian government (just some suggestive information about the slickness of the attack and a belief of some link). Has anyone seen public technical details in this realm?
> > > > > > >
> > > > > > > best,
> > > > > > >        -Ari
> > > > > > >
> > > > > > > > On Jan 3, 2017, at 2:32 PM, Ethan Heilman <eth3rs at gmail.com> wrote:
> > > > > > > >
> > > > > > > > With the exception of the attribution of individual hackers the DHS/FBI report is almost entirely detail free. The crowdstrike report provides many of the missing details:
> > > > > > > >
> > > > > > > > https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/
> > > > > > > >
> > > > > > > > One interesting tidbit in the DHS/FBI report was that it blamed Slavik of Zeus Gameover fame.
> > > > > > > >
> > > > > > > > On Tue, Jan 3, 2017 at 2:08 PM, Ari Trachtenberg <trachten at bu.edu> wrote:
> > > > > > > > > Somehow I'm missing the description ... I just see generic malware information on a popular web shell tool and generic mitigation strategies. If anything, this suggests a *lack* of an actual smoking gun.
> > > > > > > > >
> > > > > > > > > best,
> > > > > > > > > -Ari
> > > > > > > > >
> > > > > > > > > On Dec 29, 2016, at 5:56 PM, Scheffler, Sarah, Ann <sscheff at bu.edu> wrote:
> > > > > > > > >
> > > > > > > > > This is a joint report written by DHS and the FBI, and it's the first actual decent description I've found of the Russian hacking that's been all over the news, and I figured y'all might be interested in reading it:
> > > > > > > > >
> > > > > > > > > http://www.nytimes.com/interactive/2016/12/29/us/politics/document-Report-on-Russian-Hacking.html
> > > > > > > > >
> > > > > > > > > Happy last-two-and-a-half-days-of-2016,
> > > > > > > > > Sarah
> > > > > > > > >
> > > > > > > > > _______________________________________________
> > > > > > > > > Busec mailing list
> > > > > > > > > Busec at cs.bu.edu
> > > > > > > > > http://cs-mailman.bu.edu/mailman/listinfo/busec
> > > > > > > > >
> > > > > > > > > —
> > > > > > > > > Prof. Ari Trachtenberg
> > > > > > > > > Electrical and Computer Engineering
> > > > > > > > > Boston University
> > > > > > > > > trachten at bu.edu



