[Busec] Report on Russian hacking

Ethan Heilman eth3rs at gmail.com
Fri Jan 6 15:49:08 EST 2017


New DNI report on Russian intentions in hacking DNC:
https://www.dni.gov/files/documents/ICA_2017_01.pdf

'Background to “Assessing Russian Activities and Intentions in Recent US
Elections”: The Analytic Process and Cyber Incident Attribution'

On Wed, Jan 4, 2017 at 2:54 PM, Ari Trachtenberg <trachten at bu.edu> wrote:

> This just goes to show that ... well, people are corruptible, and academics
> no less than anyone else.  Complete transparency is no panacea either
> (witness the complete uselessness of "privacy notices", or the major
> vulnerabilities with open-source software).
>
> Seeing as we're developing a cynicism toward a benevolent monarchy,
> perhaps a system of checks and balances will solve all our problems ;-)
>
> > On Jan 4, 2017, at 1:51 PM, Egele, Manuel <megele at bu.edu> wrote:
> >
> > On Wed, 2017-01-04 at 13:48 -0500, Ethan Heilman wrote:
> >> The Silk road case was also not without problems. For instance the two
> >> DEA agents in the Silk Road investigation that stole Bitcoins, ran an
> >> extortion racket, sold investigation details to potential suspects and
> >> altered evidence. US federal investigation bodies don't have a great
> >> reputation --see FBI collaboration with Boston organised crime and DEA
> >> employees selling confidential informant identities to drug cartels.
> >
> > Sure, but that was purely on the Law Enforcement side. The case with
> > CMU-CERT was different as the let's call it malice, originated from the
> > "academic" side of the partnership. You (or at least I as a responsible
> > researcher) simply don't go, break TOR and then don't tell anyone about
> > it.
> >
> > cheers,
> > --manuel
> >
> >> On Wed, Jan 4, 2017 at 1:12 PM, Manuel Egele <megele at bu.edu> wrote:
> >>        On Wed, 2017-01-04 at 08:11 -0800, Hristo Stoyanov wrote:
> >>> Here's ESET claims they've acquired XAgent source
> >>> code:
> >>        http://www.welivesecurity.com/wp-content/uploads/2016/10/
> eset-sednit-part-2.pdf (described on the ESET website here:
> https://www.eset.com/us/about/newsroom/press-releases/
> dissection-of-sednit-espionage-group/)
> >>> Here's another claim of a third party also having the XAgent
> >>        source
> >>> code:
> >>        https://medium.com/@jeffreycarr/the-gru-ukraine-
> artillery-hack-that-may-never-have-happened-820960bbb02d (this article
> references the ESET report in the first link). Kinda shaky, I heard it from
> a friend of a friend of my aunt type of evidence, admittedly.
> >>>
> >>>
> >>> This can be post-factum attempt to get plausible deniability
> >>        or it
> >>> could be someone had XAgent that wasnt APT28. Can't tell
> >>        between
> >>> confirmation bias and circumstantial evidence here.
> >>>
> >>>
> >>> Another thing that I'm missing is how exactly are APT28 as
> >>        users of
> >>> xagent and this PHP malware tied together. What detail links
> >>        the two?
> >>>
> >>>
> >>> As for an open and transparent organization that attempts to
> >>        build
> >>> good cases by acquiring the kind of evidence Ari listed - a
> >>        lot of
> >>> this seems to require some legal capabilities usually
> >>        afforded to
> >>> government agencies (hack back, gather court admissable
> >>        evidence). The
> >>> kind of thing that FBI is supposed to do. Perhaps some form
> >>        of
> >>> partnership between FBI and academia would be productive.
> >>        They dealt
> >>> very successfully with Silk road, after all.
> >>
> >>        I particularly agree with the last paragraph. Also, I'm not
> >>        sure that
> >>        modeling sth along the lines of CMU-CERT with respect to the
> >>        security
> >>        community is a good citizen model --- just look at the fallout
> >>        that
> >>        CMU-CERT's deanonymying TOR exercise produced.
> >>
> >>        cheers,
> >>        --manuel
> >>
> >>> Hristo
> >>>
> >>> 2017-01-04 7:13 GMT-08:00 Ari Trachtenberg
> >>        <trachten at bu.edu>:
> >>>        Sounds like a perfect role for academia (maybe
> >>        patterned after
> >>>        CMU's CERT here at BU).  The biggest problem is, of
> >>        course,
> >>>        with
> >>>        getting reliable data ... perhaps it is possible to
> >>        cull data
> >>>        from everybody
> >>>        and use statistical tests to fish for bias.
> >>>
> >>>        Regarding Hristo's question ... I think that the key
> >>        word is
> >>>        evidence,
> >>>        since most things can be faked with enough effort.
> >>        Evidence
> >>>        could
> >>>        include:
> >>>        * use, structure, and style reuse of attributed code
> >>        or
> >>>        vulnerabilities,
> >>>                ideally those that are private
> >>>        * IP addresses
> >>>        * cryptographic keys
> >>>        * pictures of hackers and geolocation (as with the
> >>        Chinese
> >>>        hackers not so long ago)
> >>>        * hack back data
> >>>
> >>>        best,
> >>>                -Ari
> >>>
> >>>> On Jan 4, 2017, at 9:03 AM, Ethan Heilman
> >>        <eth3rs at gmail.com>
> >>>        wrote:
> >>>>
> >>>> I worry that this wordfence report makes it look
> >>        like only
> >>>        that php
> >>>> malware was used and that there is no additional
> >>        evidence.
> >>>>
> >>>> However my understanding is that DNC hackers used
> >>        several
> >>>        forms of
> >>>> persistence including XAgent (according to the
> >>        crowdstrike).
> >>>        I was
> >>>> unable to find any evidence that XAgent was
> >>        available for
> >>>        use by
> >>>> anyone other than SEDNIT/APT28. I would love to
> >>        see a report
> >>>        on the
> >>>> windows variant of the XAgent used in the DNC
> >>        hack.
> >>>>
> >>>>> I believe (correct me if I'm wrong), there is no
> >>        other data
> >>>        available from the USG. Only (very) pointed
> >>        accusations
> >>>        against a certain country.
> >>>>
> >>>> Not sure why the DHS/FBI report goes out of its
> >>        way to
> >>>        present so
> >>>> little evidence. Was the crowdstrike report
> >>        incorrect? Did
> >>>        they not
> >>>> want to step on crowdstrikes toes? Is this the
> >>        result of
> >>>        over zealous
> >>>> secrecy?
> >>>>
> >>>> This issue highlights a critical need for neutral
> >>        ICT
> >>>        investigative
> >>>> bodies that operate not as intelligence agencies
> >>        but instead
> >>>        work to
> >>>> build public cases and publish evidence in a
> >>        trustworthy
> >>>        open manner.
> >>>> This should be the role of the FBI, but clearly
> >>        something
> >>>        went wrong
> >>>> here. Currently private companies like Crowdspike
> >>        and
> >>>        Fireeye fill
> >>>> this role but since they are hired and paid by an
> >>        interested
> >>>        party
> >>>> they are often viewed with skepticism.
> >>>>
> >>>>
> >>>> On Wed, Jan 4, 2017 at 2:47 AM, Hristo Stoyanov
> >>>        <htstoyanov at gmail.com> wrote:
> >>>>> Here's some actual details based on the csv and
> >>        xml
> >>>        published alongside the
> >>>>> written report:
> >>>>>
> >>>
> >>         https://www.wordfence.com/blog/2016/12/russia-malware-ip-hack/
> >>>>>
> >>>>> Conclusions: old freely available malware,
> >>        incredibly wide
> >>>        variety of
> >>>>> countries making up the IP addresses given as a
> >>        source of
> >>>        the attack. Hence,
> >>>>> that data is as evidence-free as the written
> >>        report. I
> >>>        believe (correct me
> >>>>> if I'm wrong), there is no other data available
> >>        from the
> >>>        USG. Only (very)
> >>>>> pointed accusations against a certain country.
> >>>>>
> >>>>> However, what would be good technical details
> >>        that show
> >>>        attribution? Russian
> >>>>> documents/emails that order/discuss/report on the
> >>        attack
> >>>        (perhaps with some
> >>>>> signatures :)) would definitely cut it. What
> >>        else?
> >>>>>
> >>>>> - Hristo
> >>>>>
> >>>>> 2017-01-03 13:10 GMT-08:00 Ari Trachtenberg
> >>>        <trachten at bu.edu>:
> >>>>>>
> >>>>>> Yes, the crowdstrike report is much more
> >>        interesting, but,
> >>>        at this point,
> >>>>>> rather dated.
> >>>>>> What it doesn't include is evidence of
> >>        attribution to the
> >>>        Russian
> >>>>>> government (just
> >>>>>> some suggestive information about the slickness
> >>        of the
> >>>        attack and a belief
> >>>>>> of
> >>>>>> some link).  Has anyone seen public technical
> >>        details in
> >>>        this realm?
> >>>>>>
> >>>>>> best,
> >>>>>>       -Ari
> >>>>>>
> >>>>>>> On Jan 3, 2017, at 2:32 PM, Ethan Heilman
> >>>        <eth3rs at gmail.com> wrote:
> >>>>>>>
> >>>>>>> With the exception of the attribution of
> >>        individual
> >>>        hackers the
> >>>>>>> DHS/FBI report is almost entirely detail free.
> >>        The
> >>>        crowdstrike report
> >>>>>>> provides many of the missing details:
> >>>>>>>
> >>>>>>>
> >>>
> >>         https://www.crowdstrike.com/blog/bears-midst-intrusion-
> democratic-national-committee/
> >>>>>>>
> >>>>>>> One interesting tidbit in DHS/FBI report was
> >>        that it
> >>>        blame Slavik of
> >>>>>>> Zeus Gameover fame.
> >>>>>>>
> >>>>>>> On Tue, Jan 3, 2017 at 2:08 PM, Ari
> >>        Trachtenberg
> >>>        <trachten at bu.edu>
> >>>>>>> wrote:
> >>>>>>>> Somehow I'm missing the description ... I just
> >>        see
> >>>        generic malware
> >>>>>>>> information on a popular web shell tool and
> >>>>>>>> generic mitigation strategies.  If anything,
> >>        the
> >>>        suggests a *lack* of
> >>>>>>>> an
> >>>>>>>> actual smoking gun.
> >>>>>>>>
> >>>>>>>> best,
> >>>>>>>> -Ari
> >>>>>>>>
> >>>>>>>> On Dec 29, 2016, at 5:56 PM, Scheffler, Sarah,
> >>        Ann
> >>>        <sscheff at bu.edu>
> >>>>>>>> wrote:
> >>>>>>>>
> >>>>>>>> This is a joint report written by DHS and the
> >>        FBI, and
> >>>        it's the first
> >>>>>>>> actual
> >>>>>>>> decent description I've found of the Russian
> >>        hacking
> >>>        that's been all
> >>>>>>>> over
> >>>>>>>> the news, and I figured y'all might be
> >>        interested in
> >>>        reading it:
> >>>>>>>>
> >>>>>>>>
> >>>
> >>         http://www.nytimes.com/interactive/2016/12/29/us/
> politics/document-Report-on-Russian-Hacking.html
> >>>>>>>>
> >>>>>>>> Happy last-two-and-a-half-days-of-2016,
> >>>>>>>> Sarah
> >>>>>>>>
> >>        _______________________________________________
> >>>>>>>> Busec mailing list
> >>>>>>>> Busec at cs.bu.edu
> >>>>>>>>
> >>        http://cs-mailman.bu.edu/mailman/listinfo/busec
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> —
> >>>>>>>> Prof. Ari Trachtenberg
> >>>>>>>> Electrical and Computer Engineering
> >>>>>>>> Boston University
> >>>>>>>> trachten at bu.edu