Author Topic: Cause a war over hacking.  (Read 26473 times)


Offline Dugout DickStone

  • Global Moderator
  • Pak'r Élitaire
  • *****
  • Posts: 51509
  • BSPAC
    • View Profile
Re: Cause a war over hacking.
« Reply #100 on: January 03, 2017, 09:59:27 AM »
So when I hear the conjecture that Russia is behind this hacking I don't literally think there is a KGB hacking bureau who does this (though I am sure they have tried and I am equally as sure the CIA or someone in Virginia is working on this for us) I just assume it is some pretty sophisticated Russians with the knowledge and tacit backing of the USSR.  I generally look at the Russian government as pretty third world and unable to pull much of this off.

This wasn't even particularly sophisticated by hacking standards. To date, not a shred of evidence has been made publicly available that the Russian government had knowledge of or tacitly backed this run of the mill spearphishing campaign. A ton of hackers operate out of Russia, Ukraine, and assorted eastern bloc countries because cyber crime deterrence is basically non-existent. But that's a pretty thin reed to blame the Russian government for even an indirect connection to this.

Don't you think it is more likely than not that the Russian Gov will have knowledge of those types who are doing this and give them some blessing?  I mean, they aren't constrained by the Constitution so they monitor professional hackers.  So if they are allowed to continue to attack American institutions (which could cause an international incident) doesn't it stand to reason that they do so with Russian permission?  Guys who conduct hacks that the Russian government DOES NOT want to happen end up gone.

Offline chum1

  • Pak'r Élitaire
  • ****
  • Posts: 21917
    • View Profile
Re: Cause a war over hacking.
« Reply #101 on: January 03, 2017, 10:24:32 AM »
Russia just sponsors a ton of crap. It's what they do.

Quote
Who was behind all of this? When I stumbled on it last fall, I had an idea. I was already investigating a shadowy organization in St. Petersburg, Russia, that spreads false information on the Internet. It has gone by a few names, but I will refer to it by its best known: the Internet Research Agency. The agency had become known for employing hundreds of Russians to post pro-Kremlin propaganda online under fake identities, including on Twitter, in order to create the illusion of a massive army of supporters; it has often been called a “troll farm.” The more I investigated this group, the more links I discovered between it and the hoaxes. In April, I went to St. Petersburg to learn more about the agency and its brand of information warfare, which it has aggressively deployed against political opponents at home, Russia’s perceived enemies abroad and, more recently, me.

http://www.nytimes.com/2015/06/07/magazine/the-agency.html

Offline Fake Sugar Dick (WARNING, NOT THE REAL SUGAR DICK!)

  • Racist Piece of Shit
  • Pak'r Élitaire
  • ****
  • Posts: 18431
  • Kiss my ass and suck my dick
    • View Profile
    • I am the one and only Sugar Dick
Re: Cause a war over hacking.
« Reply #102 on: January 03, 2017, 10:26:13 AM »
I don't think you can take the position that the Russian government is third world while simultaneously taking the position it has full knowledge and awareness of activities allegedly being conducted in Russia that are not illegal. Assuming the sophomoric "hacking operation" was conducted from Russia, why would the government even be monitoring it?
goEMAW Karmic BBS Shepherd

Offline sonofdaxjones

  • Pak'r Élitaire
  • ****
  • Posts: 53336
    • View Profile
Re: Cause a war over hacking.
« Reply #103 on: January 03, 2017, 10:27:14 AM »
Guys, we hack the eff out of other people and countries as well. 

Just sayin.

Also, we let hackers hack so we can hack the hackers. 

Offline sonofdaxjones

  • Pak'r Élitaire
  • ****
  • Posts: 53336
    • View Profile
Re: Cause a war over hacking.
« Reply #104 on: January 03, 2017, 10:46:26 AM »
WL has said repeatedly source was not Russian and the malware they keep referencing is so readily available, it's comical.


This is what happens when you have shitty security (or none at all) on your IT platform. 

Offline Dugout DickStone

  • Global Moderator
  • Pak'r Élitaire
  • *****
  • Posts: 51509
  • BSPAC
    • View Profile
Re: Cause a war over hacking.
« Reply #105 on: January 03, 2017, 11:37:59 AM »
I don't think you can take the position that the Russian government is third world while simultaneously taking the position it has full knowledge and awareness of activities allegedly being conducted in Russia that are not illegal. Assuming the sophomoric "hacking operation" was conducted from Russia, why would the government even be monitoring it?


Because they monitor everything.

Offline Dugout DickStone

  • Global Moderator
  • Pak'r Élitaire
  • *****
  • Posts: 51509
  • BSPAC
    • View Profile
Re: Cause a war over hacking.
« Reply #106 on: January 03, 2017, 11:38:25 AM »
Guys, we hack the eff out of other people and countries as well. 

Just sayin.

Also, we let hackers hack so we can hack the hackers.

water is wet

Offline CNS

  • Pak'r Élitaire
  • ****
  • Posts: 36685
  • I'm Athletes
    • View Profile
Re: Cause a war over hacking.
« Reply #107 on: January 03, 2017, 11:51:06 AM »

Offline Fake Sugar Dick (WARNING, NOT THE REAL SUGAR DICK!)

  • Racist Piece of Shit
  • Pak'r Élitaire
  • ****
  • Posts: 18431
  • Kiss my ass and suck my dick
    • View Profile
    • I am the one and only Sugar Dick
Re: Cause a war over hacking.
« Reply #108 on: January 03, 2017, 12:13:15 PM »
So you guys filing all this under fake news?

http://www.usatoday.com/story/news/politics/2016/12/16/fbi-agrees-cia-russia-hacked-help-trump/95528318/

They're relying on the WaPo and the WaPo's unidentified unofficial sources, so obviously fake news
goEMAW Karmic BBS Shepherd

Offline CNS

  • Pak'r Élitaire
  • ****
  • Posts: 36685
  • I'm Athletes
    • View Profile
Re: Cause a war over hacking.
« Reply #109 on: January 03, 2017, 12:17:47 PM »
http://thehill.com/policy/national-security/312132-fbi-dhs-release-report-on-russia-hacking
Quote

The FBI and the Department of Homeland Security (DHS) on Thursday released a joint report detailing how federal investigators linked the Russian government to hacks of Democratic Party organizations.

The document makes clear reference to the hacks of the Democratic National Committee (DNC) and Hillary Clinton campaign chairman John Podesta, though it does not mention either by name.


Offline CNS

  • Pak'r Élitaire
  • ****
  • Posts: 36685
  • I'm Athletes
    • View Profile
Re: Cause a war over hacking.
« Reply #110 on: January 03, 2017, 12:18:41 PM »
https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf

Quote
This Joint Analysis Report (JAR) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). This document provides technical details regarding the tools and infrastructure used by the Russian civilian and military intelligence Services (RIS) to compromise and exploit networks and endpoints associated with the U.S. election, as well as a range of U.S. Government, political, and private sector entities. The U.S. Government is referring to this malicious cyber activity by RIS as GRIZZLY STEPPE.

Offline Phil Titola

  • Pak'r Élitaire
  • ****
  • Posts: 15308
  • He took it out!
    • View Profile
Re: Cause a war over hacking.
« Reply #111 on: January 03, 2017, 12:28:43 PM »
No evidence released would ever be enough or believed....Evidence that could be released that would be convincing would be too complex for most to understand and considered spoofed by those who did understand it. It's dumb dumb to even demand evidence. People either believe the agencies and independent firms or not....Published evidence isn't changing anybody's mind.

Offline CNS

  • Pak'r Élitaire
  • ****
  • Posts: 36685
  • I'm Athletes
    • View Profile
Re: Cause a war over hacking.
« Reply #112 on: January 03, 2017, 12:34:08 PM »
The bullshit that "fake news" is going to cause on the politics of the world is one thing.  That report was DHS, though.

Offline Fake Sugar Dick (WARNING, NOT THE REAL SUGAR DICK!)

  • Racist Piece of Shit
  • Pak'r Élitaire
  • ****
  • Posts: 18431
  • Kiss my ass and suck my dick
    • View Profile
    • I am the one and only Sugar Dick
Re: Cause a war over hacking.
« Reply #113 on: January 03, 2017, 12:40:45 PM »
No evidence released would ever be enough or believed....Evidence that could be released that would be convincing would be too complex for most to understand and considered spoofed by those who did understand it. It's dumb dumb to even demand evidence. People either believe the agencies and independent firms or not....Published evidence isn't changing anybody's mind.

There was a pretty strong contingent of congresstards who wanted electors (regular civilians) to receive security briefings. It was rough ridin' kookooo.

When people say evidence, they mean an official statement from an agency. Not cryptic crap from unnamed WaPo sources.
goEMAW Karmic BBS Shepherd

Offline CNS

  • Pak'r Élitaire
  • ****
  • Posts: 36685
  • I'm Athletes
    • View Profile
Re: Cause a war over hacking.
« Reply #114 on: January 03, 2017, 12:43:53 PM »
No evidence released would ever be enough or believed....Evidence that could be released that would be convincing would be too complex for most to understand and considered spoofed by those who did understand it. It's dumb dumb to even demand evidence. People either believe the agencies and independent firms or not....Published evidence isn't changing anybody's mind.

There was a pretty strong contingent of congresstards who wanted electors (regular civilians) to receive security briefings. It was rough ridin' kookooo.

When people say evidence, they mean an official statement from an agency. Not cryptic crap from unnamed WaPo sources.

So you mean something like a report issued from the Dept of Homeland Security?

Offline K-S-U-Wildcats!

  • Pak'r Élitaire
  • ****
  • Posts: 10040
    • View Profile
Re: Cause a war over hacking.
« Reply #115 on: January 03, 2017, 01:33:04 PM »
https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf

Quote
This Joint Analysis Report (JAR) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). This document provides technical details regarding the tools and infrastructure used by the Russian civilian and military intelligence Services (RIS) to compromise and exploit networks and endpoints associated with the U.S. election, as well as a range of U.S. Government, political, and private sector entities. The U.S. Government is referring to this malicious cyber activity by RIS as GRIZZLY STEPPE.

You should actually read the report you linked. It does not contain one shred of evidence that the Russian government perpetrated, directly or indirectly, this hack. They don't even know for sure that the hackers were Russian.
I've said it before and I'll say it again, K-State fans could have beheaded the entire KU team at midcourt, and K-State fans would be celebrating it this morning.  They are the ISIS of Big 12 fanbases.

Offline CNS

  • Pak'r Élitaire
  • ****
  • Posts: 36685
  • I'm Athletes
    • View Profile
Re: Cause a war over hacking.
« Reply #116 on: January 03, 2017, 01:39:47 PM »
How often do you get disclosed evidence from DHS?  You have some contact the rest of us don't? 


Offline CNS

  • Pak'r Élitaire
  • ****
  • Posts: 36685
  • I'm Athletes
    • View Profile
Re: Cause a war over hacking.
« Reply #117 on: January 03, 2017, 01:42:47 PM »
Quote
The U.S. Government confirms that two different RIS actors participated in the intrusion into a U.S. political party

This damn report is so vague!   :shakesfist:

Offline Fake Sugar Dick (WARNING, NOT THE REAL SUGAR DICK!)

  • Racist Piece of Shit
  • Pak'r Élitaire
  • ****
  • Posts: 18431
  • Kiss my ass and suck my dick
    • View Profile
    • I am the one and only Sugar Dick
Re: Cause a war over hacking.
« Reply #118 on: January 03, 2017, 01:46:16 PM »
Some day CNS will be something other than a useful idiot, alas today is not that day.  Here's some excerpts from the "report" (italics) and some commentary from a soon to be accused "fake news" source.

Quote
IS “GRIZZLY STEPPE” REALLY A RUSSIAN OPERATION?
I wrote here about the Obama administration’s underwhelming report, purporting to show that the malware that infected the Democratic National Committee’s email system was planted by Russia. The report is unimpressive in part because it consists mostly of pedestrian advice to IT professionals about computer security. This is the report’s description of the “Grizzly Steppe” malware:

Indicators of Compromise (IOCs)

IOCs associated with RIS cyber actors are provided within the accompanying .csv and .stix files of JAR-16-20296.
Yara Signature
rule PAS_TOOL_PHP_WEB_KIT
{
meta:
description = “PAS TOOL PHP WEB KIT FOUND”
strings:
$php = “ 20KB and filesize < 22KB) and #cookie == 2 and #isset == 3 and all of them }


Does anything here provide persuasive evidence of Russian origin, let alone Russian government origin? I don’t know, but some with considerably more expertise are unimpressed. The linked analysis is long and technical, although more or less comprehensible to the untutored. The author’s conclusions:

Malware Conclusions

DHS and DNI have released a joint statement that says:

This document provides technical details regarding the tools and infrastructure used by the Russian civilian and military intelligence Services (RIS) to compromise and exploit networks and endpoints associated with the U.S. election, as well as a range of U.S. Government, political, and private sector entities. The report contains specific indicators of compromise, including IP addresses and a PHP malware sample.

The PHP malware sample they have provided appears to be P.A.S. version 3.1.0 which is commonly available and the website that claims to have authored it says they are Ukrainian. It is also several versions behind the most current version of P.A.S which is 4.1.1b. One might reasonably expect Russian intelligence operatives to develop their own tools or at least use current malicious tools from outside sources.


The author separately analyzes the IP addresses that the report finds probative:

Out of the 876 IP addresses that DHS provided, 134 or about 15% are Tor exit nodes, based on a reverse DNS lookup that we did on each IP address. These are anonymous gateways that are used by anyone using the Tor anonymous browsing service.
***
Conclusion regarding IP address data

What we’re seeing in this IP data is a wide range of countries and hosting providers. 15% of the IP addresses are Tor exit nodes. These exit nodes are used by anyone who wants to be anonymous online, including malicious actors.


And finally:

Overall Conclusion

The IP addresses that DHS provided may have been used for an attack by a state actor like Russia. But they don’t appear to provide any association with Russia. They are probably used by a wide range of other malicious actors, especially the 15% of IP addresses that are Tor exit nodes.

The malware sample is old, widely used and appears to be Ukrainian. It has no apparent relationship with Russian intelligence and it would be an indicator of compromise for any website.


Normally I would accept at face value an assertion by the U.S. government that intelligence agencies have identified Russia (or anyone else) as the source of a computer hack or other action. But the Obama administration has been so chronically dishonest, and the Democrats’ hysteria over their electoral defeats is so intense, that I don’t think they can be accorded the usual presumption of accuracy and truthfulness.

« Last Edit: January 03, 2017, 01:49:39 PM by Fake Sugar Dick (WARNING, NOT THE REAL SUGAR DICK!) »
goEMAW Karmic BBS Shepherd

Offline K-S-U-Wildcats!

  • Pak'r Élitaire
  • ****
  • Posts: 10040
    • View Profile
Re: Cause a war over hacking.
« Reply #119 on: January 03, 2017, 01:47:10 PM »
How often do you get disclosed evidence from DHS?  You have some contact the rest of us don't?

I'm asking you to identify one. single. piece of evidence in that report that indicates a connection to the Russian government. It simply isn't there. It's like reading a headline that says one thing, only to read the article and realize it doesn't support the headline.

Give these a read - reputable internet security professionals that have examined the DHS report and found it laughably lacking in any actual evidence of Russian hacking, let alone Russian government hacking.

https://www.wordfence.com/blog/2017/01/election-hack-faq/

Quote
the PHP malware sample that the US government provided is:
•An old version of malware. The sample was version 3.1.0 and the current version is 3.1.7 with 4.1.1 beta also available.
•Freely available to anyone who wants it.
•The authors claim they are Ukrainian, not Russian.
•The malware is an administrative tool used by hackers to upload files, view files on a hacked website, download database contents and so on. It is used as one step in a series of steps that would occur during an attack.

Wordfence also analyzed the IP addresses available and demonstrated that they are in 61 countries, belong to over 380 organizations and many of those organizations are well known website hosting providers from where many attacks originate. There is nothing in the IP data that points to Russia specifically.

Quote
We received the DHS/FBI report on Thursday. Rob McMahon, one of my colleagues and a security analyst at Wordfence alerted me to its existence at 8pm pacific time on Thursday December 29th. We worked through the night until 7am the next morning when we released the report. Here is what we did:

We read the report and noticed there was a Yara signature for PHP malware. That means that FBI and DHS provided just enough information to identify the existence of PHP malware. It didn’t actually provide the malware itself.

We went into Polestar which is a Wordfence proprietary big-data platform that we have developed to aggregate and mine a large number of attacks from a range of sources. We used the Yara signature to try to determine if anyone has attacked a WordPress site using this malware. At this point we didn’t know what it was or if it was even used against WordPress.

Jackpot! We had captured the entire 20k malware sample!

We extracted the malware sample from Polestar and I handed it to Rob who started analysis on the sample. We divided the work and I went off and analyzed the IP addresses that DHS/FBI had provided in Grizzly Steppe.

Rob realized that most of the malware is encrypted. The way it works is that a hacker will upload it to a website. They access the malware as a web page and are prompted for a password by a small amount of unencrypted code in the malware. They enter the password which is actually a decryption key.

That decryption key is stored in a cookie so the hacker doesn’t have to keep entering it. The key then decrypts the malware code which is executed. Then every time the hacker accesses the malware in future, the key stored in a cookie decrypts the malware so that it can execute. It’s quite clever and makes our jobs harder.

We needed to find the decryption key for the malware. So we went back to Polestar and tried to find an attack where the attacker was trying to access the malware they had uploaded.

Jackpot again! We found the key. Rob used the key to decrypt the malware and view the source code. Once he could see the source code, he could see the name of the malware and the version and a few Google searches revealed the source website that it came from.

The rest was much easier. We could now take the malware sample and put it on a sandboxed research environment and actually run it and see what it did. We could also download the newer version of the malware, called ‘P.A.S.’, and execute that to see what it does and how it differs.

This is how we determined that the FBI/DHS report contains an old malware sample that is publicly available and the hacker group that distributes it appears to be Ukrainian.

Quote
Perhaps a better title would have been: US Government report does not contain data attributing 2016 election hacks to Russia. The report includes outdated PHP malware that is publicly available and appears to originate from a Ukrainian hacker group. It also includes IP addresses with no clear link to Russia.

http://arstechnica.com/security/2016/12/did-russia-tamper-with-the-2016-election-bitter-debate-likely-to-rage-on/

Quote
Security consultant Jeffrey Carr also cast doubt on claims that attacks that hit the Democratic National Committee could only have originated from Russian-sponsored hackers because they relied on the same malware that also breached Germany's Bundestag and French TV network TV5Monde. Proponents of this theory, including the CrowdStrike researchers who analyzed the Democratic National Committee's hacked network, argue that the pattern strongly implicates Russia because no other actor would have the combined motivation and resources to hack the same targets. But as Carr pointed out, the full source code for the X-Agent implant that has long been associated with APT28 was independently obtained by researchers from antivirus provider Eset.

"If ESET could do it, so can others," Carr wrote. "It is both foolish and baseless to claim, as CrowdStrike does, that X-Agent is used solely by the Russian government when the source code is there for anyone to find and use at will."

The doubts raised by Lee, Graham, and Carr underscore the difficulty members of the US intelligence community face when taking findings out of the highly secretive channels they normally populate and putting them into the public domain. Indeed, the Joint Analysis Report makes no mention of the Democratic party or even the Democratic National Committee. The lack of specifics and vagueness about exactly how the DHS and FBI have determined Russian involvement in the hacks leaves the report sounding more like innuendo than a carefully crafted indictment.
I've said it before and I'll say it again, K-State fans could have beheaded the entire KU team at midcourt, and K-State fans would be celebrating it this morning.  They are the ISIS of Big 12 fanbases.
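
Added example (not from any post in this thread, the DHS/FBI report, or Wordfence): a sketch of the reverse-DNS triage the quoted Wordfence analysis describes, measuring how much of an indicator list is Tor exit nodes and how many organizations it spans before any IP is used for alerting. The feed, PTR names, organizations and the PTR regex heuristic are constructed assumptions.

```python
import csv
import io
import ipaddress
import re
from collections import Counter

# Constructed sample feed: documentation address ranges, invented PTR names and
# organizations. It stands in for an indicator .csv; it is NOT data from the report.
SAMPLE_FEED = """ip,ptr,org
192.0.2.10,tor-exit-01.example.net,Example Hosting A
192.0.2.11,exit3.tor-relay.example.org,Example Hosting A
198.51.100.7,vps-7.cloud.example.com,Example Cloud B
198.51.100.8,,Example Cloud B
203.0.113.5,mail.storage.example.com,Example ISP C
203.0.113.6,static-6.example-isp.test,Example ISP C
203.0.113.6,static-6.example-isp.test,Example ISP C
not-an-ip,tor-exit.example.net,Broken Row
"""

# Heuristic (assumption): "tor" must begin a hostname label and be followed by a
# separator, a digit, "exit" or "relay", so "storage" or "torrent" do not match.
TOR_PTR = re.compile(r"(^|[.\-])tor([.\-]|exit|relay|\d|$)", re.IGNORECASE)


def load_indicators(text):
    """Parse the feed; return ({ip: row}, skipped) with duplicates collapsed."""
    rows, skipped = {}, 0
    for rec in csv.DictReader(io.StringIO(text)):
        try:
            ip = ipaddress.ip_address((rec.get("ip") or "").strip())
        except ValueError:
            skipped += 1  # malformed indicator: count it, do not guess
            continue
        rows.setdefault(str(ip), {
            "ptr": (rec.get("ptr") or "").strip().lower(),
            "org": (rec.get("org") or "").strip() or "unknown",
        })
    return rows, skipped


def classify(row):
    """Tag one indicator by what its reverse-DNS name says about it."""
    if not row["ptr"]:
        return "no_ptr"
    return "tor_exit" if TOR_PTR.search(row["ptr"]) else "other"


def summarize(rows):
    """Share of Tor exits and spread across organizations for the whole feed."""
    kinds = Counter(classify(r) for r in rows.values())
    orgs = Counter(r["org"] for r in rows.values())
    total = len(rows)
    return {
        "total": total,
        "tor_exit": kinds["tor_exit"],
        "tor_pct": round(100 * kinds["tor_exit"] / total, 1) if total else 0.0,
        "no_ptr": kinds["no_ptr"],
        "distinct_orgs": len(orgs),
        "top_orgs": orgs.most_common(3),
    }


def alert_candidates(rows):
    """IPs not tagged as Tor exits; exits are shared by many unrelated users."""
    keep = [ip for ip, r in rows.items() if classify(r) != "tor_exit"]
    return sorted(keep, key=lambda ip: (ipaddress.ip_address(ip).version,
                                        int(ipaddress.ip_address(ip))))


if __name__ == "__main__":
    indicators, bad = load_indicators(SAMPLE_FEED)
    print(summarize(indicators), "skipped:", bad)
    print("alert on:", alert_candidates(indicators))
```

PTR records are set by whoever operates the address, so in practice the hostname heuristic would be cross-checked against the Tor Project's published exit list.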

Offline K-S-U-Wildcats!

  • Pak'r Élitaire
  • ****
  • Posts: 10040
    • View Profile
Re: Cause a war over hacking.
« Reply #120 on: January 03, 2017, 01:47:59 PM »
Quote
The U.S. Government confirms that two different RIS actors participated in the intrusion into a U.S. political party

This damn report is so vague!   :shakesfist:

I asked for a piece of evidence - not a baseless conclusion.
I've said it before and I'll say it again, K-State fans could have beheaded the entire KU team at midcourt, and K-State fans would be celebrating it this morning.  They are the ISIS of Big 12 fanbases.

Offline star seed 7

  • hyperactive on the :lol:
  • Pak'r Élitaire
  • ****
  • Posts: 64043
  • good dog
    • View Profile
Re: Cause a war over hacking.
« Reply #121 on: January 03, 2017, 01:48:21 PM »
Obama  :curse:
Hyperbolic partisan duplicitous hypocrite

Offline chum1

  • Pak'r Élitaire
  • ****
  • Posts: 21917
    • View Profile
Re: Cause a war over hacking.
« Reply #122 on: January 03, 2017, 01:58:00 PM »
The question CNS was answering was whether or not a US government agency has implicated Russia.

 :rolleyes:

Offline CNS

  • Pak'r Élitaire
  • ****
  • Posts: 36685
  • I'm Athletes
    • View Profile
Re: Cause a war over hacking.
« Reply #123 on: January 03, 2017, 01:59:39 PM »
 :dunno:




Offline chum1

  • Pak'r Élitaire
  • ****
  • Posts: 21917
    • View Profile
Re: Cause a war over hacking.
« Reply #124 on: January 03, 2017, 02:01:57 PM »
Besides, eff Russia. Since when do we need evidence for that? This is the kind of crap Russia generally does. And some of the coding was uniquely Russian in nature on account of their mumped up language/keyboards. That's enough. eff Russia.