By Carey Wedler
On Thursday, the FBI and Department of Homeland Security released a joint analysis report addressing persistent allegations that the Russian government hacked the U.S. election.
Though, as the White House fact sheet asserts, the report largely consists of tips to improve cyber security and prevent future attacks, it also appears to cite evidence Russian Intelligence Services (RIS) actively attempted to hack into U.S. systems, a campaign the government has named “GRIZZLY STEPPE.”
But as the media runs with the story and many outlets accept the 13-page report as fact, veterans of the intelligence community have pointed out flaws with the FBI-DHS analysis.
According to Philip Giraldi, a former CIA agent, the report fails to prove Russia is behind the hack. In a recent Facebook post, he asserted that “apart from assertions of Russian activity connected to an unnamed political party, [the report] provides absolutely no evidence that the alleged intrusions into the DNC servers were anything beyond normal intelligence agency probing for vulnerabilities.”
“In fact,” he adds, “it doesn’t even provide the evidence for that.”
Further, he argues:
“There is no evidence of particular mal-intent that can be traced back to the Russian government, much less to Vladimir Putin. Nine of the thirteen pages of the report deal with advice on how to keep your system from being hacked.”
Robert M. Lee, a former U.S. Air Force Cyber Warfare Operations Officer and founder and CEO of cyber security firm Dragos, explains the report is confusing because it states early on that its intention is to aid “defenders” of the U.S. However, the report makes a point of declaring RIS guilty, veering away from the stated public service goals.
Lee highlights this convolution, highlighting two alleged groups included in the report:
“The public is looking for evidence of the attribution, the White House and the DHS/FBI clearly laid out that this report is meant for network defense, and then the entire discussion in the document is on how the DHS/FBI confirms that APT28 and APT29 are RIS groups that compromised a political party.”
But that’s not the only problem. As Lee points out, the report notes the FBI has previously refrained from naming specific actors in joint analysis reports — but does so for the purposes of this investigation, claiming they can confirm indicators of an attack from private sector attribution. Yet “the GRIZZLY STEPPE report reads like a poorly done vendor intelligence report stringing together various aspects of attribution without evidence,” Lee writes.
Jeffrey Carr, a cybersecurity consultant and author of Inside Cyber Warfare, has bluntly rejected the allegations contained in the report:
“It merely listed every threat group ever reported on by a commercial cybersecurity company that is suspected of being Russian-made and lumped them under the heading of Russian Intelligence Services (RIS) without providing any supporting evidence that such a connection exists.”
In contrast, Lee shies away from fully disregarding the report, issuing a “thank you” to “the government operators who did fantastic work and tried their best to push out the best information.” But he also has words for those who conducted “the sanitation of that information and the report writing.”
Addressing the report’s list of alleged RIS groups, Lee points out that the list contains both the names of hacking campaigns and types of malware. He explains “the list of reported RIS names includes relevant and specific names such as campaign names, more general and often unrelated malware family names, and extremely broad and non-descriptive classification of capabilities.”
This, like the report’s jumbled intentions, confuses the data. Lee explains:
“It was a mixing of data types that didn’t meet any objective in the report and only added confusion as to whether the DHS/FBI knows what they are doing or if they are instead just telling teams in the government ‘contribute anything you have that has been affiliated with Russian activity.’”
Lee also criticized the report for its failure to distinguish between data gleaned from the private sector versus the public sector, noting these different types of intelligence bear different confidence ratings. “[A]lways tell people where you got your data, separate it from your own data which you have a higher confidence level in having observed first hand, and if you are using other people’s campaign names, data, analysis, etc. explain why so that analysts can do something with it instead of treating it as random situational awareness,” he advises.
He also tackles the IP addresses listed in the report, noting “many (30%+) of these IP addresses are mostly useless as they are VPS, TOR exit nodes, proxies, and other non-descriptive internet traffic sites.” He explains that in order for the addresses to be valid indicators of an attack, they “must contain information around timing. I.e. when were these IP addresses associated with the malware or campaign and when were they in active usage.” The report does not include this information.
In the same vein, Lee notes that while the report does contain examples of 30 malicious files, “all but two have the same problems as the IP addresses in that there isn’t appropriate context as to what most of them are related to and when they were leveraged.”
Other experts had more general critiques of the report.
John McAfee, founder of the well-known McAfee anti-virus software and former Libertarian Party presidential candidate argued that hackers from countries besides Russia could have intentionally made the attack appear Russian. “If I was the Chinese and I wanted to make it look like the Russians did it, I would use Russian language within the code, I would use Russian techniques of breaking into the organization,” McAfee said. He added that “there simply is no way to assign a source for any attack.”
At least one journalist, Rolling Stone’s Matt Taibbi, pointed out a similar problem. Though he acknowledges “Grizzly Steppe” is a “sexy” name, he notes “we don’t learn much at all about what led our government to determine a) that these hacks were directed by the Russian government, or b) they were undertaken with the aim of influencing the election, and in particular to help elect Donald Trump.”
In spite of this pushback from seasoned members of the intelligence community and the award-winning journalist, media outlets that have parroted the “Russia did it” narrative continued to do so with the recent report. Taibbi pointed out that the New York Times headline for the story treated the report as fact. “Obama Strikes Back at Russia for Election Hacking,” it read, though Taibbi did note some outlets were careful to walk the line, “using ‘Obama says’ formulations” in their headlines.
Ultimately, he observes problems with media outlets simply repeating the statements of government institutions and agents:
“The problem with this story is that, like the Iraq-WMD mess, it takes place in the middle of a highly politicized environment during which the motives of all the relevant actors are suspect. Nothing quite adds up.”
He also doubts the existence of substantial evidence implicating Russia:
“If the American security agencies had smoking-gun evidence that the Russians had an organized campaign to derail the U.S. presidential election and deliver the White House to Trump, then expelling a few dozen diplomats after the election seems like an oddly weak and ill-timed response. Voices in both parties are saying this now.”
Similarly, Carr noted:
“If the White House had unclassified evidence that tied officials in the Russian government to the DNC attack, they would have presented it by now. The fact that they didn’t means either that the evidence doesn’t exist or that it is classified.”
Of course, the opinions of experts do not wholly disprove the theory Russia hacked the election, and detailed evidence is expected to be presented in a report to Congress before President-elect Donald Trump takes office. As Taibbi bluntly asserts, “I have no problem believing that Vladimir Putin tried to influence the American election. He’s gangster-spook-scum of the lowest order and capable of anything.”
Similarly, Graham Cluley, a cyber security expert based in the U.K., wrote in a blog post that he believes Russia was likely behind the attack. But as even he notes, “what’s to say that that Russian server isn’t itself under the control of hackers in an entirely different country who are covering their tracks? It’s hard to put a water-tight case together unless you have the ‘boots-on-the-ground’ willing assistance of local law enforcement to properly investigate if an overseas computer is itself acting as a proxy for someone else or not.”
As Edward Snowden tweeted:
The two most complete analyses from the US infosec community on FBI/DHS report: https://medium.com/@jeffreycarr/fbi-dhs-joint-analysis-report-a-fatally-flawed-effort-b6a98fafe2fa …http://www.robertmlee.org/critiques-of-the-dhsfbis-grizzly-steppe-report/ …
Considering 87 percent of Hillary Clinton voters now believe with certainty that Russia hacked the election, the role of the media in reporting on the U.S. government’s accusations has turned from critical investigation to obedient acceptance. Yet Taibbi’s comments on the news media’s response to the report may very well apply to the very government agents who released it:
“[W]e’ve been burned before in stories like this, to disastrous effect. Which makes it surprising we’re not trying harder to avoid getting fooled again.”
Delivered by The Daily Sheeple