[Busec] Report on Russian hacking

Ethan Heilman eth3rs at gmail.com
Fri Jan 6 16:23:36 EST 2017


> In my (completely unsolicited) opinion, this is why there is no value
> making assessments such as these public; they should be provided (with
> evidence) only to those with sufficient clearance to see and critique them.

I agree that this isn't primary evidence. However I would posit that the
value of this assessment is as a signal that the US IC actually believes
Russia is behind it. As you said:

> If you trust the analyses of the FBI, CIA, and NSA, then this is certainly
> a strong statement;

If it turns out Russia was not behind it, such assessments would embarrass
the people in charge of the US IC and so such a signal assures me that at
least the DNI believes it.


On Fri, Jan 6, 2017 at 4:11 PM, Ari Trachtenberg <trachten at bu.edu> wrote:

> This is very interesting as a political piece, but it gives no technical
> evidence whatsoever (I suspect this is on purpose, to protect “methods and
> sources”).
>
> If you trust the analyses of the FBI, CIA, and NSA, then this is certainly
> a strong statement; if you don’t trust the analyses, this does nothing to
> support the public proclamations.
>
> In my (completely unsolicited) opinion, this is why there is no value
> making assessments such as these public; they should be provided (with
> evidence) only to those with sufficient clearance to see and critique them.
>
> best,
> -Ari
>
>
> On Jan 6, 2017, at 3:49 PM, Ethan Heilman <eth3rs at gmail.com> wrote:
>
> New DNI report on Russian intentions in hacking DNC:
> https://www.dni.gov/files/documents/ICA_2017_01.pdf
>
> 'Background to “Assessing Russian Activities and Intentions in Recent US
> Elections”: The Analytic Process and Cyber Incident Attribution'
>
> On Wed, Jan 4, 2017 at 2:54 PM, Ari Trachtenberg <trachten at bu.edu> wrote:
>
>> This just goes to show that ... well, people are corruptible, and academics
>> no less than anyone else.  Complete transparency is no panacea either
>> (witness the complete uselessness of "privacy notices", or the major
>> vulnerabilities with open-source software).
>>
>> Seeing as we're developing a cynicism toward a benevolent monarchy,
>> perhaps a system of checks and balances will solve all our problems ;-)
>>
>> > On Jan 4, 2017, at 1:51 PM, Egele, Manuel <megele at bu.edu> wrote:
>> >
>> > On Wed, 2017-01-04 at 13:48 -0500, Ethan Heilman wrote:
>> >> The Silk Road case was also not without problems. For instance the two
>> >> DEA agents in the Silk Road investigation that stole Bitcoins, ran an
>> >> extortion racket, sold investigation details to potential suspects and
>> >> altered evidence. US federal investigation bodies don't have a great
>> >> reputation -- see FBI collaboration with Boston organised crime and DEA
>> >> employees selling confidential informant identities to drug cartels.
>> >
>> > Sure, but that was purely on the Law Enforcement side. The case with
>> > CMU-CERT was different as the, let's call it, malice originated from the
>> > "academic" side of the partnership. You (or at least I as a responsible
>> > researcher) simply don't go, break TOR and then don't tell anyone about
>> > it.
>> >
>> > cheers,
>> > --manuel
>> >
>> >> On Wed, Jan 4, 2017 at 1:12 PM, Manuel Egele <megele at bu.edu> wrote:
>> >>        On Wed, 2017-01-04 at 08:11 -0800, Hristo Stoyanov wrote:
>> >>> Here ESET claims they've acquired XAgent source code:
>> >>> http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf
>> >>> (described on the ESET website here:
>> >>> https://www.eset.com/us/about/newsroom/press-releases/dissection-of-sednit-espionage-group/)
>> >>> Here's another claim of a third party also having the XAgent source code:
>> >>> https://medium.com/@jeffreycarr/the-gru-ukraine-artillery-hack-that-may-never-have-happened-820960bbb02d
>> >>> (this article references the ESET report in the first link). Kinda shaky,
>> >>> I heard it from a friend of a friend of my aunt type of evidence, admittedly.
>> >>>
>> >>> This can be a post-factum attempt to get plausible deniability or it
>> >>> could be someone had XAgent that wasn't APT28. Can't tell between
>> >>> confirmation bias and circumstantial evidence here.
>> >>>
>> >>> Another thing that I'm missing is how exactly are APT28 as users of
>> >>> XAgent and this PHP malware tied together. What detail links the two?
>> >>>
>> >>> As for an open and transparent organization that attempts to build
>> >>> good cases by acquiring the kind of evidence Ari listed - a lot of
>> >>> this seems to require some legal capabilities usually afforded to
>> >>> government agencies (hack back, gather court admissible evidence). The
>> >>> kind of thing that FBI is supposed to do. Perhaps some form of
>> >>> partnership between FBI and academia would be productive. They dealt
>> >>> very successfully with Silk Road, after all.
>> >>
>> >>        I particularly agree with the last paragraph. Also, I'm not
>> >>        sure that modeling sth along the lines of CMU-CERT with respect
>> >>        to the security community is a good citizen model --- just look
>> >>        at the fallout that CMU-CERT's deanonymizing TOR exercise produced.
>> >>
>> >>        cheers,
>> >>        --manuel
>> >>
>> >>> Hristo
>> >>>
>> >>> 2017-01-04 7:13 GMT-08:00 Ari Trachtenberg <trachten at bu.edu>:
>> >>>        Sounds like a perfect role for academia (maybe patterned after
>> >>>        CMU's CERT here at BU).  The biggest problem is, of course, with
>> >>>        getting reliable data ... perhaps it is possible to cull data
>> >>>        from everybody and use statistical tests to fish for bias.
>> >>>
>> >>>        Regarding Hristo's question ... I think that the key word is
>> >>>        evidence, since most things can be faked with enough effort.
>> >>>        Evidence could include:
>> >>>        * use, structure, and style reuse of attributed code or
>> >>>          vulnerabilities, ideally those that are private
>> >>>        * IP addresses
>> >>>        * cryptographic keys
>> >>>        * pictures of hackers and geolocation (as with the Chinese
>> >>>          hackers not so long ago)
>> >>>        * hack back data
>> >>>
>> >>>        best,
>> >>>                -Ari
>> >>>
>> >>>> On Jan 4, 2017, at 9:03 AM, Ethan Heilman <eth3rs at gmail.com> wrote:
>> >>>>
>> >>>> I worry that this wordfence report makes it look like only that php
>> >>>> malware was used and that there is no additional evidence.
>> >>>>
>> >>>> However my understanding is that DNC hackers used several forms of
>> >>>> persistence including XAgent (according to CrowdStrike). I was
>> >>>> unable to find any evidence that XAgent was available for use by
>> >>>> anyone other than SEDNIT/APT28. I would love to see a report on the
>> >>>> Windows variant of the XAgent used in the DNC hack.
>> >>>>
>> >>>>> I believe (correct me if I'm wrong), there is no other data
>> >>>>> available from the USG. Only (very) pointed accusations
>> >>>>> against a certain country.
>> >>>>
>> >>>> Not sure why the DHS/FBI report goes out of its way to present so
>> >>>> little evidence. Was the CrowdStrike report incorrect? Did they not
>> >>>> want to step on CrowdStrike's toes? Is this the result of overzealous
>> >>>> secrecy?
>> >>>>
>> >>>> This issue highlights a critical need for neutral ICT investigative
>> >>>> bodies that operate not as intelligence agencies but instead work to
>> >>>> build public cases and publish evidence in a trustworthy open manner.
>> >>>> This should be the role of the FBI, but clearly something went wrong
>> >>>> here. Currently private companies like CrowdStrike and FireEye fill
>> >>>> this role but since they are hired and paid by an interested party
>> >>>> they are often viewed with skepticism.
>> >>>>
>> >>>> On Wed, Jan 4, 2017 at 2:47 AM, Hristo Stoyanov <htstoyanov at gmail.com> wrote:
>> >>>>> Here are some actual details based on the CSV and XML published alongside
>> >>>>> the written report:
>> >>>>>
>> >>>>> https://www.wordfence.com/blog/2016/12/russia-malware-ip-hack/
>> >>>>>
>> >>>>> Conclusions: old freely available malware, incredibly wide variety of
>> >>>>> countries making up the IP addresses given as a source of the attack. Hence,
>> >>>>> that data is as evidence-free as the written report. I believe (correct me
>> >>>>> if I'm wrong), there is no other data available from the USG. Only (very)
>> >>>>> pointed accusations against a certain country.
>> >>>>>
>> >>>>> However, what would be good technical details that show attribution? Russian
>> >>>>> documents/emails that order/discuss/report on the attack (perhaps with some
>> >>>>> signatures :)) would definitely cut it. What else?
>> >>>>>
>> >>>>> - Hristo
>> >>>>>
>> >>>>> 2017-01-03 13:10 GMT-08:00 Ari Trachtenberg <trachten at bu.edu>:
>> >>>>>>
>> >>>>>> Yes, the CrowdStrike report is much more interesting, but, at this point,
>> >>>>>> rather dated. What it doesn't include is evidence of attribution to the
>> >>>>>> Russian government (just some suggestive information about the slickness
>> >>>>>> of the attack and a belief of some link).  Has anyone seen public technical
>> >>>>>> details in this realm?
>> >>>>>>
>> >>>>>> best,
>> >>>>>>       -Ari
>> >>>>>>
>> >>>>>>> On Jan 3, 2017, at 2:32 PM, Ethan Heilman <eth3rs at gmail.com> wrote:
>> >>>>>>>
>> >>>>>>> With the exception of the attribution of individual hackers the
>> >>>>>>> DHS/FBI report is almost entirely detail free. The CrowdStrike report
>> >>>>>>> provides many of the missing details:
>> >>>>>>>
>> >>>>>>> https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/
>> >>>>>>>
>> >>>>>>> One interesting tidbit in the DHS/FBI report was that it blamed Slavik of
>> >>>>>>> Zeus Gameover fame.
>> >>>>>>>
>> >>>>>>> On Tue, Jan 3, 2017 at 2:08 PM, Ari Trachtenberg <trachten at bu.edu>
>> >>>>>>> wrote:
>> >>>>>>>> Somehow I'm missing the description ... I just see generic malware
>> >>>>>>>> information on a popular web shell tool and generic mitigation
>> >>>>>>>> strategies.  If anything, this suggests a *lack* of an actual smoking gun.
>> >>>>>>>>
>> >>>>>>>> best,
>> >>>>>>>> -Ari
>> >>>>>>>>
>> >>>>>>>> On Dec 29, 2016, at 5:56 PM, Scheffler, Sarah, Ann <sscheff at bu.edu>
>> >>>>>>>> wrote:
>> >>>>>>>>
>> >>>>>>>> This is a joint report written by DHS and the FBI, and it's the first
>> >>>>>>>> actual decent description I've found of the Russian hacking that's been
>> >>>>>>>> all over the news, and I figured y'all might be interested in reading it:
>> >>>>>>>>
>> >>>>>>>> http://www.nytimes.com/interactive/2016/12/29/us/politics/document-Report-on-Russian-Hacking.html
>> >>>>>>>>
>> >>>>>>>> Happy last-two-and-a-half-days-of-2016,
>> >>>>>>>> Sarah
>> >>>>>>>>
>> >>>>>>>> _______________________________________________
>> >>>>>>>> Busec mailing list
>> >>>>>>>> Busec at cs.bu.edu
>> >>>>>>>> http://cs-mailman.bu.edu/mailman/listinfo/busec
>> >>>>>>>>
>> >>>>>>>> —
>> >>>>>>>> Prof. Ari Trachtenberg
>> >>>>>>>> Electrical and Computer Engineering
>> >>>>>>>> Boston University
>> >>>>>>>> trachten at bu.edu
>> >>>>>>>>