No smoking gun for Russian DNC hacks

The Russian government may have hacked Hillary Clinton's campaign and the Democratic National Committee (DNC) to support Donald Trump's campaign, but there's no hard technical proof.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

There's no question that Russia wanted Donald Trump to win the 2016 Presidential campaign. Trump's own tweets stated he wanted the Russians to hack Hillary Clinton's email. The Democratic National Committee (DNC) email was hacked. But the Department of Homeland Security and Federal Bureau of Investigation's Joint Analysis Report (JAR) on Russian cyber attacks doesn't prove the Russians were behind the DNC hacks.

[Image: P.A.S. web shell hacking tool] The P.A.S. web shell hacking tool used against the DNC is both out of date and commonly used by many hackers.

Indeed, even though President Barack Obama has expelled Russian diplomats over the cyber-attack, the JAR doesn't finger the Russian government. Instead, it merely claims there are technical indicators that Russian Intelligence Services (RIS) are attacking the US government and political and private sector entities. This continued assault is called Grizzly Steppe.

The primary method used in Grizzly Steppe is spear phishing. In spear phishing, a very common hacking approach, you receive messages that look like they're coming from a friend or co-worker. In Grizzly Steppe, if you open the message's attachment or follow a link in it, you infect your device with Remote Access Tool (RAT) malware. From there, emails and other data are siphoned off to the attacker.

The JAR included "specific indicators of compromise, including IP addresses and a PHP malware sample." But what does this really prove? Wordfence, a WordPress security company specializing in analyzing PHP malware, examined these indicators and didn't find any hard evidence of Russian involvement.

Instead, Wordfence found the attack software was P.A.S. 3.1.0, an out-of-date web-shell hacking tool. The newest version, 4.1.1b, is more sophisticated. Its website claims it was written in the Ukraine.

Mark Maunder, Wordfence's CEO, observed that the tool used in the attacks was "several versions behind the most current version of P.A.S [sic] which is 4.1.1b. One might reasonably expect Russian intelligence operatives to develop their own tools or at least use current malicious tools from outside sources."

True, as Errata Security CEO Rob Graham pointed out in a blog post, P.A.S is popular among Russian and Ukrainian hackers. But it's "used by hundreds if not thousands of hackers, mostly associated with Russia, but also throughout the rest of the world." In short, just because the attackers used P.A.S., that's not enough evidence to blame it on the Russian government.

Now, Graham continued: "If they've got web server logs from multiple victims where commands from those IP addresses went to this specific web shell, then the attribution would be strong that all these attacks are by the same actor." But that's not what we've been given.

Maunder and his crew also analyzed the Internet Protocol (IP) addresses used in Grizzly Steppe. They found the IP addresses that DHS provided "may have been used for an attack by a state actor like Russia. But they don't appear to provide any association with Russia. They are probably used by a wide range of other malicious actors, especially the 15 percent of IP addresses that are Tor exit nodes."

In short, Maunder continued in a FAQ, the data in the DHS/FBI Grizzly Steppe report contained "'indicators of compromise' (IOCs) [sic] which you can think of as footprints that hackers left behind. The IOC's in the report are tools that are freely available and IP addresses that are used by hackers around the world. There is very little Russia-specific data in the Grizzly Steppe report."
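Graham's point about web server logs and Maunder's point about Tor exit nodes are both things a defender can check mechanically, so here is an added example of that triage (my code, not Wordfence's, Graham's, or anything from the JAR). It assumes a constructed IOC list, a constructed Tor exit-node list, Apache-style access logs from two hypothetical victims, and hypothetical web shell paths; every address is from documentation ranges, not from the report.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed IOC list (placeholder addresses, NOT the JAR's indicators).
IOC_IPS_RAW = ["192.0.2.10", "192.0.2.11", "198.51.100.5", "203.0.113.7", "not-an-ip"]

# Constructed Tor exit-node list (placeholder addresses).
TOR_EXIT_IPS = {"192.0.2.11", "203.0.113.7"}

# Constructed Apache "combined" access-log lines from two hypothetical victims.
LOGS = {
    "victim-a": [
        '192.0.2.10 - - [30/Dec/2016:10:01:02 +0000] "POST /wp-content/uploads/shell.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
        '198.51.100.5 - - [30/Dec/2016:10:05:44 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    ],
    "victim-b": [
        '192.0.2.10 - - [31/Dec/2016:03:15:09 +0000] "POST /images/cache.php HTTP/1.1" 200 480 "-" "curl/7.47"',
        '203.0.113.7 - - [31/Dec/2016:03:20:00 +0000] "GET /robots.txt HTTP/1.1" 404 120 "-" "Mozilla/5.0"',
    ],
}

# Hypothetical paths where each victim's incident response found a web shell.
WEB_SHELL_PATHS = {"/wp-content/uploads/shell.php", "/images/cache.php"}

# Minimal parser for the combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize_iocs(raw):
    """Keep only syntactically valid IP addresses; IOC feeds often carry junk."""
    valid = set()
    for item in raw:
        try:
            valid.add(str(ipaddress.ip_address(item.strip())))
        except ValueError:
            pass  # discard malformed entries rather than failing the whole run
    return valid


def tor_exit_fraction(ioc_ips, tor_exits):
    """Fraction of IOC addresses that are Tor exit nodes (low attribution value)."""
    if not ioc_ips:
        return 0.0
    return len(ioc_ips & tor_exits) / len(ioc_ips)


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def ioc_hits(logs, ioc_ips, shell_paths):
    """Map each IOC IP to the victims on which it sent requests to a known web shell path.

    Returns {ip: {victim: [paths...]}}; only IOC IPs that actually touched a shell appear.
    """
    hits = defaultdict(lambda: defaultdict(list))
    for victim, lines in logs.items():
        for line in lines:
            rec = parse_line(line)
            if rec is None:
                continue  # unparseable line: skip, don't guess
            if rec["ip"] in ioc_ips and rec["path"] in shell_paths:
                hits[rec["ip"]][victim].append(rec["path"])
    return {ip: dict(victims) for ip, victims in hits.items()}


def cross_victim_actors(hits):
    """IPs that drove a web shell on two or more victims: the pattern Graham says would
    support a 'same actor' link, as opposed to an IP merely appearing in a list."""
    return sorted(ip for ip, victims in hits.items() if len(victims) >= 2)


if __name__ == "__main__":
    iocs = normalize_iocs(IOC_IPS_RAW)
    print(f"Tor exit share of IOC IPs: {tor_exit_fraction(iocs, TOR_EXIT_IPS):.0%}")
    hits = ioc_hits(LOGS, iocs, WEB_SHELL_PATHS)
    print("IOC IPs seen commanding a web shell:", hits)
    print("Cross-victim actors:", cross_victim_actors(hits))
```

On the constructed data, half the IOC addresses are Tor exits and so say nothing about who used them, while only one address appears driving a web shell on both victims. That second kind of finding is what a log-based attribution claim would rest on, and it is exactly the evidence the report does not supply.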

Others besides Wordfence found the JAR less than convincing. Robert M. Lee, CEO of the security company Dragos, wrote: "This ultimately seems like a very rushed report put together by multiple teams working different data sets and motivations. It is my opinion and speculation that there were some really good government analysts and operators contributing to this data and then report reviews, leadership approval processes, and sanitation processes stripped out most of the value and left behind a very confusing report trying to cover too much while saying too little."

In short, maybe it was the Russians behind the attacks on the DNC and other US organizations, but neither the source code nor the network analysis we've been shown so far strongly supports this conclusion.

Trump refuses to admit that Russia had any influence on the election, so we can expect little further information to come from the US government on the attacks once he's inaugurated. True, Trump promises to reveal insider information about Russian hacking. However, since Trump won't listen to intelligence briefings and has few security experts on his staff, it's hard to imagine what "insider information" he could possibly possess.

This is, after all, a man whose closest computer expert appears to be his 10-year-old son. Perhaps he'll reveal that Russian president Vladimir Putin told him that Russia didn't do it? Or that there were never any attacks and that the FBI and DHS are in cahoots with that nasty woman to ruin his victory? Who knows.

Sarcasm aside, the US and its organizations recently have been subjected to multiple cyber-attacks. These assaults must be treated seriously. We need a more thorough investigation of who is behind them.
