The Declassified Russian Hack Report

The Intelligence Community’s report on Russia’s tampering in the election is here.

What we see of it is uneven. I think the report is strongest on Russia’s motive for tampering with the election, even if the report doesn’t provide evidence. I think there are many weaknesses in the report’s discussion of media. That raises concerns that the material on the actual hack — which we don’t get in any detail at all — is as weak as the media section.

This will be a working thread.

The first 5 pages are front-matter and fluff, which means this is less than a 10 page report, plus a media annex which is problematic.

Scope

Here’s how the report describes the scope of the assessment.

It covers the motivation and scope of Moscow’s intentions regarding US elections and Moscow’s use of cyber tools and media campaigns to influence US public opinion. The assessment focuses on activities aimed at the 2016 US presidential election and draws on our understanding of previous Russian influence operations. When we use the term “we” it refers to an assessment by all three agencies.

I checked with ODNI, and the classified report has the exact same conclusions as this one, suggesting the scope is the same. That seems to be a significant problem to me. At a minimum, it should address whether Shadow Brokers was part of the same campaign. But there are other, less obvious things that would need to be included that would not be under this scope, things that I believe should be considered in the process of drawing conclusions.

The scope also includes this, which Director Clapper had already noted in yesterday’s hearing.

We did not make an assessment of the impact that Russian activities had on the outcome of the 2016 election. The US Intelligence Community is charged with monitoring and assessing the intentions, capabilities, and actions of foreign actors; it does not analyze US political processes or US public opinion.

It’s a bit of a cop-out, but a fair one: our nation’s spooks should not be delving into electoral outcomes (aside from the way the FBI’s Jim Comey was the most important player in this election after Hillary).

Sourcing

I’m fascinated by the entirety of the sourcing section. First, it doesn’t even say that it is relying on private contractor reports, which it surely is.

Many of the key judgments in this assessment rely on a body of reporting from multiple sources that are consistent with our understanding of Russian behavior.

Then there’s this section that pretends the government doesn’t have Putin and his associates lit up like Christmas trees.

Insights into Russian efforts—including specific cyber operations—and Russian views of key US players derive from multiple corroborating sources. Some of our judgments about Kremlin preferences and intent are drawn from the behavior of Kremlin-loyal political figures, state media, and pro-Kremlin social media actors, all of whom the Kremlin either directly uses to convey messages or who are answerable to the Kremlin.

On top of all the other problems with the media section, this use of media is tautological: a statement that because Russia has propaganda all its propaganda must be a clear representation of Russia’s views.

The Russian leadership invests significant resources in both foreign and domestic propaganda and places a premium on transmitting what it views as consistent, self-reinforcing narratives regarding its desires and redlines, whether on Ukraine, Syria, or relations with the United States.

Key Judgements

While it is nowhere near this bad elsewhere, check out how the IC conceives of Russia’s efforts in terms of US exceptionalism, the “US-led liberal democratic order.”

Russian efforts to influence the 2016 US presidential election represent the most recent expression of Moscow’s longstanding desire to undermine the US-led liberal democratic order, but these activities demonstrated a significant escalation in directness, level of activity, and scope of effort compared to previous operations. [my emphasis]

I mean, Putin also wants to disrupt US backing of Saudi/Qatari regime change in Syria, and US backing for Neo-Nazis in Ukraine. But the IC pitches US hegemony as exclusively ponies and daisies.

Contrary to what you might read at other outlets, the assessment of Russia’s motive describes Putin’s animosity towards Clinton before it addresses his fondness for Trump.

Russia’s goals were to undermine public faith in the US democratic process, denigrate Secretary Clinton, and harm her electability and potential presidency. We further assess Putin and the Russian Government developed a clear preference for President-elect Trump. We have high confidence in these judgments.

In fact, the judgment that Putin affirmatively wanted Trump is broken out largely because the NSA has less confidence in this than the CIA and FBI.

We also assess Putin and the Russian Government aspired to help President-elect Trump’s election chances when possible by discrediting Secretary Clinton and publicly contrasting her unfavorably to him. All three agencies agree with this judgment. CIA and FBI have high confidence in this judgment; NSA has moderate confidence.

That’s especially interesting given the reference to what we know to be, in part, intercepts showing Putin and his buddies celebrating.

Further information has come to light since Election Day that, when combined with Russian behavior since early November 2016, increases our confidence in our assessments of Russian motivations and goals.

That says that the folks who spend the most time reading SIGINT are the least convinced the SIGINT supports the case that Putin was hoping to get Trump elected.

Here’s the key finding on the hack: that GRU not only hacked the targets but used the cut-outs to get the information to the outlets to publish.

We assess with high confidence that Russian military intelligence (General Staff Main Intelligence Directorate or GRU) used the Guccifer 2.0 persona and DCLeaks.com to release US victim data obtained in cyber operations publicly and in exclusives to media outlets and relayed material to WikiLeaks.

We know the classified report describes the cut-outs that got the documents to Assange.

The one new disclosure in this document is that the IC now assesses the probes of state-related election outlets to be Russian, which they had never before done.

Russian intelligence obtained and maintained access to elements of multiple US state or local electoral boards. DHS assesses that the types of systems Russian actors targeted or compromised were not involved in vote tallying.

I’ll come back to this point.

I noted in my deep dive on the sanctions package that the sanctions apply to those who tamper in our allies’ elections. This finding — that Russia wants to do more of this — is why the EO was written that way.

We assess Moscow will apply lessons learned from its Putin-ordered campaign aimed at the US presidential election to future influence efforts worldwide, including against US allies and their election processes.

Russia’s influence campaign

In addition to restating the top-line motives, the section describing why Putin ordered this operation (and it does say that, explicitly) describes a few of the motives that the IC hasn’t been as ready to leak to the press. It describes Putin’s retaliation for Panama Papers and the Olympic doping scandal this way:

Putin publicly pointed to the Panama Papers disclosure and the Olympic doping scandal as US-directed efforts to defame Russia, suggesting he sought to use disclosures to discredit the image of the United States and cast it as hypocritical.

Note how the passage does not deny that the US was behind Panama Papers (for which there is no public evidence) and the doping scandal (which would fit more squarely in the way the US wields its power). I assume the most compartmented version of this report explains whether we did have a role in Panama Papers.

The report also admits that Putin did this to retaliate for what protests he believes Clinton incited in Russia.

Putin most likely wanted to discredit Secretary Clinton because he has publicly blamed her since 2011 for inciting mass protests against his regime in late 2011 and early 2012, and because he holds a grudge for comments he almost certainly saw as disparaging him.

Again, this passage is remarkably non-committal about whether the US did incite those protests.

The timing on the description of how Russia came to love the Donald is interesting — beginning in June.

Beginning in June, Putin’s public comments about the US presidential race avoided directly praising President-elect Trump,

In its description of Putin’s desire to force an international ISIL coalition, the report doesn’t address a number of things, most notably the reasons why we don’t have an international coalition now. Again, this is a bullet point that I’m sure the most classified report has far more detail on.

Moscow also saw the election of President-elect Trump as a way to achieve an international counterterrorism coalition against the Islamic State in Iraq and the Levant (ISIL).

Likewise, I wonder whether there’s backup to this discussion of Putin’s comfort in working with people who have business ties to Russia.

Putin has had many positive experiences working with Western political leaders whose business interests made them more disposed to deal with Russia, such as former Italian Prime Minister Silvio Berlusconi and former German Chancellor Gerhard Schroeder.

How much did CIA lay out what Trump’s business interests in Russia are?

The section on the actual hack is interesting. It starts by saying “Russian intelligence” got into the DNC in July 2015, which would refer to the FSB hack. Here’s how it talks about the GRU hack(s).

The General Staff Main Intelligence Directorate (GRU) probably began cyber operations aimed at the US election by March 2016. We assess that the GRU operations resulted in the compromise of the personal e-mail accounts of Democratic Party officials and political figures. By May, the GRU had exfiltrated large volumes of data from the DNC.

So:

  • The report admits that they don’t know when GRU started this. This is interesting for a slew of reasons, not least that it shows some uncertainty in the forensics.
  • Note how it refers to “Democratic party officials and political figures,” but never Podesta by name. It also doesn’t name Colin Powell, though the follow-up language must include him too.
  • Here, unlike in the JAR, the report says GRU exfiltrated a lot of data.

I’m not terrifically impressed by their paragraph on Guccifer 2.0, which is a problem, because this is one of the weakest parts of their argument.

Guccifer 2.0, who claimed to be an independent Romanian hacker, made multiple contradictory statements and false claims about his likely Russian identity throughout the election. Press reporting suggests more than one person claiming to be Guccifer 2.0 interacted with journalists.

I’ll come back to this. I just think it’s weak in a number of places.

The DC Leaks passage is stronger.

Content that we assess was taken from e-mail accounts targeted by the GRU in March 2016 appeared on DCLeaks.com starting in June.

Here’s the passage on WikiLeaks.

We assess with high confidence that the GRU relayed material it acquired from the DNC and senior Democratic officials to WikiLeaks. Moscow most likely chose WikiLeaks because of its self-proclaimed reputation for authenticity. Disclosures through WikiLeaks did not contain any evident forgeries.

The passage doesn’t talk about cut-outs, but earlier leaks make it clear that’s how it happened. I think the sentence “Moscow most likely chose WL” is either bullshit or not very smart.

Others have complained that this passage confirms there were no “obvious forgeries.” The passage as a whole undermines some claims IC affiliates were saying in real time. So behind this paragraph, there’s a whole lot of real-time assessments that were revisited. Indeed, several paragraphs later, the report makes the claim that forgeries are the MO for GRU.

Such efforts have included releasing or altering personal data, defacing websites, or releasing emails.

I’m going to come back to the passage on WL and RT.

Note, the report includes the WADA hacking, even though the scope of this is supposed to be the election.

Again, I’m going to come back to the section on the info ops. I think it is weak, in part because it doesn’t seem to distinguish genuinely held belief from outright propaganda. But this passage really gets to the core of the problem with it.

RT’s coverage of Secretary Clinton throughout the US presidential campaign was consistently negative and focused on her leaked e-mails and accused her of corruption, poor physical and mental health, and ties to Islamic extremism. Some Russian officials echoed Russian lines for the influence campaign that Secretary Clinton’s election could lead to a war between the United States and Russia.

After all, you could say the same about most mainstream US outlets (some of which were ahead of RT on Hillary’s health). There is almost nothing in the RT section that couldn’t be said by a lot of US-based outlets, some of which got bigger play. So how do you prove something is propaganda if it is doing what everyone else is doing? Moreover, much of what the passage points to depends on social media, and therefore on algorithms built in Silicon Valley. Are they not a part of this propaganda? Also note, there’s no discussion of Sputnik here, which was if anything more obvious in its opposition to Hillary. Why?

There’s a long section from 2012 that deals with RT. I’ll return to it when I return to the media section. It’s really bad, though.

The report says it’s not going to weigh in on whether Russia’s efforts affected the election. But it does, here.

We assess the Russian intelligence services would have seen their election influence campaign as at least a qualified success because of their perceived ability to impact public discussion.


Thom Tillis Reminds James Clapper that the US Tampers in Elections, Too

Several times in today’s hearing on foreign cyberattacks on the US, James Clapper explained why he never favored big retaliation for China’s hack of OPM: because he considers it the kind of espionage we engage in too. “People who live in glass houses shouldn’t throw rocks.”

When North Carolina Republican Thom Tillis got his turn, he addressed Clapper’s comment, pointing out that on election-tampering, as with espionage, the US lives in a big glass house.

The glass house comment is something that I think is very important. There’s been research done by a professor up at Carnegie Mulligan that um Mellon that estimated that the United States has been involved in one way or another in 81 different elections since World War II. That doesn’t include coups or regime changes. Tangible evidence where we’ve tried to affect an outcome to our purpose. Russia’s done it some 36 times. In fact, when Russia apparently was trying to influence our election, we had the Israelis accusing us of trying to influence their election.

So I’m not here to talk about that. But I am here to say we live in a big glass house and there are a lot of rocks to throw and I think that that’s consistent with what you said on other matters.

With regards to comparative numbers on US and Russian intervention in elections, Tillis is discussing research published by Dov Levin last year (see WaPo version), who found that either the US or Russia intervened in 11.3% of all elections since World War II, with the US — indeed — intervening far more often (and more broadly) than Russia.

Overall, 117 partisan electoral interventions were made by the US and the USSR/Russia between 1 January 1946 and 31 December 2000. Eighty-one (or 69%) of these interventions were done by the US while the other 36 cases (or 31%) were conducted by the USSR/Russia. To put this number in the proper perspective, during the same period 937 competitive national-level executive elections, or plausible targets for an electoral intervention, were conducted within independent countries. Accordingly, 11.3% of these elections, or about one of every nine competitive elections since the end of the Second World War, have been the targets of an electoral intervention.

With regards to tampering in the Israeli election, Tillis is probably referring to State Department support for an NGO that worked to oust Bibi Netanyahu.

Curiously, Tillis made no mention of his own state party’s rather spectacular tampering to suppress the votes of African Americans, though perhaps his local experience explains why he presents all this data about American hypocrisy on election tampering as a reality about elections rather than a cautionary tale to be avoided.

Still, even if he’s trying to whitewash Russia’s involvement to help Trump get elected, he does have a point: the US has done this to a lot of other countries.

As Chilean-American Ariel Dorfman put it in an op-ed last year, America’s own election-tampering doesn’t make Russia’s tampering this year right, but it should elicit a determination that the US will never again do unto others what we have just had done to us.

The United States cannot in good faith decry what has been done to its decent citizens until it is ready to face what it did so often to the equally decent citizens of other nations. And it must firmly resolve never to engage in such imperious activities again.

If ever there was a time for America to look at itself in the mirror, if ever there was a time of reckoning and accountability, it is now.

By all means, let’s pursue Russia for its intervention in this year’s election. But let’s, at the same time, engage in some accountability for what the US has itself done.

Russia Hacked the DNC. But What, Specifically, Did GRU Do?

I’m working on a series of posts to point out existing holes in the claim that Russia hacked the DNC. None of them mean I am yet convinced it is someone besides Russia. But there are holes in the story that no one wants to acknowledge. And those who want to argue the case is solid would do well to at least answer them. In this one, I want to point to a curious piece of evidence in a necessary part of the evidence: how GRU is alleged to have hacked the DNC.

You need to separate attribution of FSB’s hack of the DNC from GRU’s hack of the DNC

One thing a lot of people don’t realize about the Russian hack attribution is there’s some slippage in the argument.

There are two groups in question: APT 29, which has been publicly associated with FSB, and APT 28, which has been publicly associated with GRU. As I laid out here, those two groups must be kept separate, because the story is that these two groups did different things: FSB hung around DNC’s servers for months and stole a lot of information, but never leaked it. That’s the kind of stuff intelligence services do all the time, including our own. Our government has no reason to make a case against that — which is unwanted but nevertheless normal espionage — because they do it too, such as when, in 2012, they stole communications between then Mexican presidential candidate Enrique Peña Nieto and his closest allies.

GRU, by contrast, was believed to have been in DNC’s servers briefly — and John Podesta’s Gmail account even more briefly — but to have, in that time, stolen the documents that ultimately made their way to Wikileaks. That’s the action that was deemed newly beyond the pale (even if the US has probably had documents leaked to Wikileaks itself).

In a sense, then, only the APT 28 attribution matters, because that’s the entity that is believed to have been involved in hacking and leaking; that’s the entity believed to have done things that might have affected the outcome of the election.

But people have long either intentionally or unknowingly conflated the two, claiming that “Russia” hacked the DNC. If FSB hacked the DNC, the claim is true, but that doesn’t prove that Russia is behind the tampering in the election, because unless you prove that GRU is APT 28, then the stuff you’re bugged about hasn’t been properly attributed.

I’ve come to distrust the claims of anyone who has paid close attention to this that doesn’t assiduously maintain the distinction between the APT 29 and APT 28 hacks.

The Administration’s creation of Grizzly Steppe conflates APT 29 and APT 28 more than ever before

So, reports on this hack should scrupulously avoid conflating the APT 29 hack and the APT 28 hack. But Obama’s response last month did the opposite. Whereas every infosec outfit treats APT 28 (which CrowdStrike calls Fancy Bear) and APT 29 (which CrowdStrike calls Cozy Bear) as distinct entities (regardless of how confident they are that one or the other is Russian intelligence), and even though within the reports the Administration retained this distinction, the materials released by the Obama Administration invented an entirely new entity: Grizzly Steppe.

Get it? This entity is not a soft and cuddly Cozy Bear or an entirely distinct suave Fancy Bear anymore. Put the two together and you get a Grizzly Bear!

RAWRRRRRRR!

Aside from just the fact that the Administration did this (which would permit them to say, correctly, that Russia hacked the DNC even if they were less certain about GRU, though I don’t think they are), there are two other interesting aspects of this conflation in their package of sanctions.

First, as I noted here, the Administration sanctioned FSB as well as GRU. That’s weird because our intelligence community believes what FSB did is solidly within the norms of intelligence gathering. It’s possible the IC has some evidence that FSB did something to facilitate this operation that is not yet public. But the only explanation the sanctioning document offers is that, “The Federal Security Service (a.k.a. Federalnaya Sluzhba Bezopasnosti) (a.k.a FSB) assisted the GRU in conducting the activities described above.”

The other notable thing about the Obama package is the differential language the Joint Analysis Report uses to describe the APT 29 and APT 28 hacks, which I pointed out here.

In summer 2015, an APT29 spearphishing campaign directed emails containing a malicious link to over 1,000 recipients, including multiple U.S. Government victims. APT29 used legitimate domains, to include domains associated with U.S. organizations and educational institutions, to host malware and send spearphishing emails. In the course of that campaign, APT29 successfully compromised a U.S. political party. At least one targeted individual activated links to malware hosted on operational infrastructure of opened attachments containing malware. APT29 delivered malware to the political party’s systems, established persistence, escalated privileges, enumerated active directory accounts, and exfiltrated email from several accounts through encrypted connections back through operational infrastructure.

In spring 2016, APT28 compromised the same political party, again via targeted spearphishing. This time, the spearphishing email tricked recipients into changing their passwords through a fake webmail domain hosted on APT28 operational infrastructure. Using the harvested credentials, APT28 was able to gain access and steal content, likely leading to the exfiltration of information from multiple senior party members. The U.S. Government assesses that information was leaked to the press and publicly disclosed.

I admit I may be over-reading these differences. But there is a difference in the certitude with which this report speaks of the APT 29 hack and the APT 28 hack. Regarding the former, the report describes how APT 29 stole the documents: it “exfiltrated email from several accounts through encrypted connections back through operational infrastructure.” And whereas the report affirmatively says APT 28 “was able to gain access and steal content,” it seems far less sure about how much data it stole, saying the hack “likely [led] to the exfiltration of information from multiple senior party members.” Maybe that means it’s likely APT 28 stole documents from more than one person; maybe that means it is likely they exfiltrated documents period. But remember, matching precisely what documents GRU stole to those Wikileaks released was one of the things the FBI was still working on a month and a half after the DNC hack.

The bureau is trying to determine whether the emails obtained by the Russians are the same ones that appeared on the website of the anti-secrecy group WikiLeaks on Friday, setting off a firestorm that roiled the party in the lead-up to the convention.

The FBI is also examining whether APT 28 or an affiliated group passed those emails to WikiLeaks, law enforcement sources said.

That’s just one of several pieces of evidence suggesting they don’t have (or at least didn’t have) clear forensics on this.

One more note about the JAR report: It makes no mention of Podesta. Again, we should not draw any conclusions from that, as they may have just chosen to focus on the DNC (which people often forget is a distinct entity from Hillary’s campaign). But, as I hope to show in a follow-up post, the IC may have either less information — or perhaps even some sheepishness — about the Podesta leak, which is remarkable because that’s the actual hack for which there is the best evidence tying it to APT 28.

The Administration materials endorse some, but not all, of what infosec companies have published

Which brings me to a point I’ve made before but deserves more focus. In the introduction to the JAR, the Administration has this to say about the great work infosec companies have done about this hack.

A great deal of analysis and forensic information related to Russian government activity has been published by a wide range of security companies. The U.S. Government can confirm that the Russian government, including Russia’s civilian and military intelligence services, conducted many of the activities generally described by a number of these security companies.

It confirms that Russia’s intelligence services have indeed done “many of the activities” described by “a number of these security companies.” That’s not a confirmation that Russia’s spooks have done all the things alleged by all the security companies. Indeed, it seems to suggest that the infosec reports are wrong on some (perhaps very minor) points. We just don’t know which ones those are.

What were FSB and GRU doing hacking the same target anyway?

Which brings me to an important side discussion, one for which everyone has an answer but about which there is no agreement.

While FSB and GRU have been portrayed as adversarial intelligence agencies (perhaps in the way that FBI and CIA don’t always get along, sometimes to spectacular effect), it’s not actually normal for them to be hacking the same target. The original CrowdStrike report on the hack noted that the two groups of hackers appeared not to be coordinating as they rooted around DNC’s servers.

At DNC, COZY BEAR intrusion has been identified going back to summer of 2015, while FANCY BEAR separately breached the network in April 2016. We have identified no collaboration between the two actors, or even an awareness of one by the other. Instead, we observed the two Russian espionage groups compromise the same systems and engage separately in the theft of identical credentials. While you would virtually never see Western intelligence agencies going after the same target without de-confliction for fear of compromising each other’s operations, in Russia this is not an uncommon scenario. “Putin’s Hydra: Inside Russia’s Intelligence Services”, a recent paper from European Council on Foreign Relations, does an excellent job outlining the highly adversarial relationship between Russia’s main intelligence services – Федеральная Служба Безопасности (FSB), the primary domestic intelligence agency but one with also significant external collection and ‘active measures’ remit, Служба Внешней Разведки (SVR), the primary foreign intelligence agency, and the aforementioned GRU. Not only do they have overlapping areas of responsibility, but also rarely share intelligence and even occasionally steal sources from each other and compromise operations. Thus, it is not surprising to see them engage in intrusions against the same victim, even when it may be a waste of resources and lead to the discovery and potential compromise of mutual operations.

It explains this away by the competition between the agencies. Still: note that according to CrowdStrike, there were two groups of Russians sniffing through the DNC servers that appeared unaware of each other’s presence.

A competing infosec company, FireEye, has come up with a completely different explanation for the presence of FSB and GRU in the same servers. It deems that proof of superior coordination.

According to data provided for this article by the private cybersecurity company, FireEye, two separate but coordinated teams under the Kremlin are running the campaign. APT 28, also known as “FancyBear,” has been tied to Russia’s foreign military intelligence agency, the Main Intelligence Agency or GRU. APT 29, aka “CozyBear,” has been tied to the Federal Security Service or FSB. Both have been actively targeting the United States. According to FireEye, they have only appeared in the same systems once, which suggests a high level of coordination — a departure from what we have seen and come to expect from Russian intelligence.

Frankly, I’m agnostic about what the answer to this question might be, and find either one plausible. Or, it’s possible we should pay more attention to how unusual it is to have FSB and GRU digging in the same holes and think about whether it might, instead, tell us something else about who did this hack. But it is a datapoint that any theory of the hack should at least acknowledge and try to explain. Most don’t.

Why is GRU using open source tools?

All of which is my long-winded explanation for why I went back and re-read specifically what CrowdStrike said about APT 28 (at a time, we now know but didn’t then, CrowdStrike only had “medium” confidence that the APT 28 hackers of DNC were GRU). It made me realize why the stakes on the APT 28 tool X-Agent — which is not the only tool associated with APT 28 — are so high.

FANCY BEAR adversary used different tradecraft, deploying X-Agent malware with capabilities to do remote command execution, file transmission and keylogging. It was executed via rundll32 commands such as:

rundll32.exe "C:\Windows\twain_64.dll"

In addition, FANCY BEAR’s X-Tunnel network tunneling tool, which facilitates connections to NAT-ed environments, was used to also execute remote commands. Both tools were deployed via RemCOM, an open-source replacement for PsExec available from GitHub. They also engaged in a number of anti-forensic analysis measures, such as periodic event log clearing (via wevtutil cl System and wevtutil cl Security commands) and resetting timestamps of files.

So after a longer section describing APT 29’s tools (which we now know, but which was not known then, were the less important part of the hack), Crowdstrike describes APT 28’s use of X-Agent and X-Tunnel (the latter of which I may come back to), but then also explains that these hackers deployed the APT 28 tools via an open source tool available on GitHub.

I’m no tech wizard, but this detail seems to beg some explanation, as it is awfully curious to have GRU resorting to an outdated open source tool to hack an American political party.
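As an added example (not code from this post, from CrowdStrike, or from any of the reports discussed), here is a small Python detector for the two patterns CrowdStrike quotes above: X-Agent launched through rundll32 with a bare DLL path, and event logs wiped with wevtutil cl. The host names, the tab-separated process-creation record format, and every sample line are constructed for the illustration.

```python
"""Detection logic for the APT 28 tradecraft CrowdStrike describes: X-Agent loaded
via rundll32 and event-log clearing via wevtutil. Example code added for this
post; the records below are constructed, not from any real incident."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    command: str


# Constructed process-creation records: tab-separated key=value fields
# (host, parent image, image, command line). Hosts and commands are invented.
SAMPLE_LOG = """\
host=WS01\tparent=explorer.exe\timage=C:\\Windows\\System32\\rundll32.exe\tcmd=rundll32.exe shell32.dll,Control_RunDLL
host=WS01\tparent=cmd.exe\timage=C:\\Windows\\System32\\rundll32.exe\tcmd=rundll32.exe "C:\\Windows\\twain_64.dll"
host=WS01\tparent=cmd.exe\timage=C:\\Windows\\System32\\wevtutil.exe\tcmd=wevtutil cl System
host=WS01\tparent=cmd.exe\timage=C:\\Windows\\System32\\wevtutil.exe\tcmd=wevtutil cl Security
host=WS02\tparent=services.exe\timage=C:\\Windows\\System32\\wevtutil.exe\tcmd=wevtutil qe Security /c:5
host=WS02\tparent=svchost.exe\timage=C:\\Windows\\System32\\rundll32.exe\tcmd=rundll32.exe C:\\Windows\\System32\\shell32.dll,OpenAs_RunDLL
"""

# wevtutil accepts "cl" as the short form of "clear-log"; the captured group is the log name.
WEVTUTIL_CLEAR = re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+(\S+)", re.IGNORECASE)
# First argument to rundll32: either a quoted path or a bare token such as shell32.dll,Export.
RUNDLL32_ARG = re.compile(r"\brundll32(?:\.exe)?\s+(\"[^\"]+\"|\S+)", re.IGNORECASE)
# Locations where rundll32 normally finds the DLLs it is asked to load.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_record(line: str) -> dict:
    """Split one tab-separated record into a dict of field -> value."""
    fields = {}
    for part in line.rstrip("\n").split("\t"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def check_log_clearing(fields: dict):
    """Flag 'wevtutil cl <log>' (or clear-log); querying logs with 'qe' is left alone."""
    match = WEVTUTIL_CLEAR.search(fields.get("cmd", ""))
    if match:
        return Alert("event-log-cleared:" + match.group(1), fields["host"], fields["cmd"])
    return None


def check_rundll32(fields: dict):
    """Flag rundll32 given a DLL with no export name, or a DLL outside the system directories.

    Legitimate uses name an export (shell32.dll,Control_RunDLL); the quoted X-Agent loader
    passes only a DLL path sitting directly under C:\\Windows."""
    cmd = fields.get("cmd", "")
    match = RUNDLL32_ARG.search(cmd)
    if not match:
        return None
    target = match.group(1).strip('"')
    dll, has_entry, _ = target.partition(",")
    dll_l = dll.lower()
    if not dll_l.endswith(".dll"):
        return None
    reasons = []
    if not has_entry:
        reasons.append("no export named")
    if "\\" in dll_l and not dll_l.startswith(SYSTEM_DIRS):
        reasons.append("DLL outside system directories")
    if reasons:
        return Alert("rundll32-suspicious-dll (" + "; ".join(reasons) + ")", fields["host"], cmd)
    return None


def scan(log_text: str) -> list:
    """Run every check over every non-empty record and return the alerts in log order."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = parse_record(line)
        for check in (check_log_clearing, check_rundll32):
            alert = check(fields)
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"[{alert.host}] {alert.rule}: {alert.command}")
```

The same two checks apply to real process-creation telemetry (Sysmon Event ID 1 or Security 4688 with command-line logging) once the field names are mapped; timestamp resetting, the other anti-forensic measure in the quote, is not visible in these records and needs file-system metadata instead.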

None of this is definitive. None of it changes my inclination that Russia probably is behind the APT 28 hack of the DNC (and, even more convincingly, behind the hack of John Podesta). But these are some details that deserve more attention amid the claims that the case against GRU (as distinct from Russia) is rock solid.

On CrowdStrike’s Curiously Timed Report Claiming Newfound “High” Confidence in Its GRU Attribution

Back on December 22, the security firm CrowdStrike released a report claiming that a tool used in the DNC hack had also been used — rewritten for Android — in malware that appeared in an application used by Ukrainian artillery units. The report itself purported to show that a hacking tool used in the DNC hack had also been used to kill Ukrainians fighting Russian separatists.

This implant represents further advancements in FANCY BEAR’s development of mobile malware for targeted intrusions and extends Russian cyber capabilities to the front lines of the battlefield.

But the release of the report — released just a few weeks after President Obama called for a review of the intelligence relating to the DNC hack — was pitched to the press as the piece of evidence that CrowdStrike’s confidence that Russia’s GRU had hacked the DNC was now solid.

While CrowdStrike, which was hired by the DNC to investigate the intrusions and whose findings are described in a new report, had always suspected that one of the two hacker groups that struck the DNC was the GRU, Russia’s military intelligence agency, it had only medium confidence.

Now, said CrowdStrike co-founder Dmitri Alperovitch, “we have high confidence” it was a unit of the GRU. CrowdStrike had dubbed that unit “Fancy Bear.”

The logic for that claim went this way:

  • Two entities hacked the DNC, the first using tools associated with APT 29 (which Crowdstrike believes is FSB), the second using one tool (X-Agent) associated with APT 28 (which Crowdstrike believes is GRU). As I’ve explained, only the GRU attribution matters, because they’re the ones associated with leaking the DNC documents to Wikileaks.
  • Crowdstrike found X-Agent, rewritten for the Android platform, infecting an application used by the Ukrainian military, which is an obvious application for Russia’s military intelligence GRU unit.
  • Since X-Agent was found being used in an operation with obvious Russian military application, which therefore must be GRU, then GRU must be the entity that also hacked the DNC, because it used a common tool.

CrowdStrike’s founder, Dmitri Alperovitch, told PBS that this amounted to DNA tying Russia to both the DNC hack and the Ukrainian artillery app.

Essentially the DNA of this malicious code that matches to the DNA that we saw at the DNC.

Yesterday, the chief infosec skeptic of the claims that Russia hacked the DNC, Jeffrey Carr, did a post criticizing the CrowdStrike report. He makes several points:

  • Two other entities (including an anti-Russian Ukrainian hacker) have gotten access to X-Agent — the tool in question — meaning that any use of it by GRU in one application cannot be said to be proof its use in another application means it was GRU.
  • The hacking of the artillery app probably couldn’t have had the complete functionality or the effect (devastating Ukrainian artillery units) CrowdStrike says it had.

The second point is interesting. I’d add that the timeline CrowdStrike develops to explain how Russian malware would end up in a Ukrainian artillery app by December 2014, in time to play a part in devastating losses, has some problems, notably that it assumes GRU was developing a tailored app to target Ukrainian soldiers more than six months before Viktor Yanukovich’s ouster, at a time when a Russian-Ukrainian war was unforeseen. Why would Russia start developing an app to kill Ukrainian soldiers at a time when they were still led by someone who was a Russian client? That development timetable appears to be dictated by the necessity of arguing that huge artillery losses that took place in July and August 2014 were due in part to this malware.

None of that is fatal to CrowdStrike’s argument that the malware infecting the Ukrainian artillery app was put there by Russia. I actually think that quite likely, though I think CrowdStrike’s various explanations for it are unpersuasive.

But it does highlight how speculative the December 22 report was, creating explanations that had to be true because the conclusion — that the same malware used against the DNC had been used to kill Ukrainian soldiers — was presumed. Frankly, the report doesn’t hide that. Here’s just some of the uncertain language it uses:

Successful deployment of the FANCY BEAR malware within this application may have facilitated reconnaissance

The collection of such tactical artillery force positioning intelligence by FANCY BEAR further supports CrowdStrike’s previous assessments that FANCY BEAR is likely affiliated with the Russian military intelligence (GRU)

Therefore, the implant likely targeted military artillery units operating against pro-Russian separatists in Eastern Ukraine.

The promotion of the program was likely limited to social media,

At the time of this writing, it is unclear to what degree and for how long this specific application was utilized by the entirety of the Ukrainian Artillery Forces.

CrowdStrike Intelligence assesses that the application likely came to the attention of Russia-based adversaries around this time frame as a result of ongoing Russian reconnaissance

Because the Android malware could facilitate gross position information, its successful deployment could have facilitated anticipatory awareness of Ukrainian artillery force troop movement,

Although traditional overhead intelligence surveillance and reconnaissance (ISR) assets were likely still needed to finalize tactical movements, the ability of this application to retrieve communications and gross locational data from infected devices, could provide insight for further planning, coordination, and tasking of ISR, artillery assets, and fighting forces. [my emphasis]

While Carr’s piece is not fatal to the argument that the X-Agent in the Ukrainian artillery app came from GRU, it does highlight how one person, in less than two weeks, could have found answers to some of the things that CrowdStrike still hadn’t even tried to answer (say, by interviewing the application developer) at least six months after they started looking into this malware.

More importantly, the first point Carr makes — that others have access to X-Agent — is very important. He notes that the anti-Russian hacker Sean Townsend not only knows that it could be used by others, but that it has been.

In fact, Sean Townsend believes that the Russian security services DO use it but he also knows that they aren’t the only ones.

That doesn’t mean that GRU wasn’t the entity using X-Agent in the DNC server last year. It just means it is not, as CrowdStrike has always claimed, definitive proof that it had to be. If multiple people have access to X-Agent, the Ukrainian app, with its clear Russian military function, may be Russia while the DNC hack may be someone else.

I’ll come back to that point later, but for the moment I want to look at how CrowdStrike came to release a speculative report tying the malware in the DNC servers to dead Ukrainians on December 22, less than two weeks after Obama called for a review of the intelligence on the hack.

I asked Alperovitch some questions about the genesis of the report on Twitter.

Alperovitch revealed that no one had paid for this report: CrowdStrike was apparently doing this work for free (!!). They found the X-Agent malware in the artillery app because they had set out to look for X-Agent implants. But when I asked about timing and/or where they found it, he got less responsive. Indeed, the timing of these discoveries is something the report itself is sort of funny about.

In late June and August 2016, CrowdStrike Intelligence provided initial reporting and technical analysis of a variant of the FANCY BEAR implant X-Agent that targeted the Android mobile platform.[2]

[2] For more information, contact CrowdStrike

Barring more clarification on whether they started looking for X-Agents before or after they very publicly accused GRU of hacking the DNC in June, what appears to have happened is this: CrowdStrike found the X-Agent in the DNC servers, accused GRU of doing the hack, and then set out — on their own dime — to find more instances of X-Agent deployment. They did not, however, do basic research (like calling the developer of the Android app, Jaroslav Sherstuk) to confirm their speculative conclusions about it, not over six months’ time.

Having not done that research, however, they released a report claiming they now had high confidence in their earlier attribution at precisely the time when it would affect the debate about whether GRU really did this hack or not.

Again, none of this means CrowdStrike was wrong about GRU hacking the DNC last spring. Just that this report — the timing of which is as interesting as the speculative claims — should not be regarded as providing the high confidence it claims.

The Dragnet Donald Trump Will Wield Is Not Just the Section 215 One

I’ve been eagerly anticipating the moment Rick Perlstein uses his historical work on Nixon to analyze Trump. Today, he doesn’t disappoint, calling Trump more paranoid than Nixon and warning of what Trump will do with the powerful surveillance machine lying ready for his use.

Revenge is a narcotic, and Trump of all people will be in need of a regular, ongoing fix. Ordering his people to abuse the surveillance state to harass and destroy his enemies will offer the quickest and most satisfying kick he can get. The tragedy, as James Madison could have told us, is that the good stuff is now lying around everywhere, just waiting for the next aspiring dictator to cop.

But along the way, Perlstein presents a bizarre picture of what happened to the Section 215 phone dragnet under Barack Obama.

That’s not to say that Obama hasn’t abused his powers: Just ask the journalists at the Associated Press whose phone records were subpoenaed by the Justice Department. But had he wanted to go further in spying on his enemies, there are few checks in place to stop him. In the very first ruling on the National Security Administration’s sweeping collection of “bulk metadata,” federal judge Richard Leon blasted the surveillance as downright Orwellian. “I cannot imagine a more ‘indiscriminate’ and ‘arbitrary’ invasion than this collection and retention of personal data,” he ruled. “Surely, such a program infringes on ‘that degree of privacy’ that the founders enshrined in the Fourth Amendment.”

But the judge’s outrage did nothing to stop the surveillance: In 2015, an appeals court remanded the case back to district court, and the NSA’s massive surveillance apparatus—soon to be under the command of President Trump—remains fully operational. The potential of the system, as former NSA official William Binney has described it, is nothing short of “turnkey totalitarianism.”

There are several things wrong with this.

First, neither Richard Leon nor any other judge has reviewed the NSA’s “sweeping collection of ‘bulk metadata.'” What Leon reviewed — in Larry Klayman’s lawsuit challenging the collection of phone metadata authorized by Section 215 revealed by Edward Snowden — was just a small fraction of NSA’s dragnet. In 2013, the collection of phone metadata authorized by Section 215 collected domestic and international phone records from domestic producers, but even there, Verizon had found a way to exclude collection of its cell records.

But NSA collected phone records — indeed, many of the very same phone records, as they collected a great deal of international records — overseas as well. In addition, NSA collected a great deal of Internet metadata records, as well as financial records and anything else it could get. Basically, anything the NSA can collect “overseas” (which is interpreted liberally) it does, and because of the way modern communications works, those records include a significant portion of the metadata of Americans’ everyday communications.

It is important for people to understand that the focus on Section 215 was an artificial creation, a limited hangout, an absolutely brilliant strategy (well done, Bob Litt, who has now moved off to retirement) to get activists to focus on one small part of the dragnet that had limitations anyway and NSA had already considered amending. It succeeded in pre-empting a discussion of just what the full dragnet entailed.

Assessments of whether Edward Snowden is a traitor or a saint always miss this, when they say they’d be happy if Snowden had just exposed the Section 215 program. Snowden didn’t want the focus to be on just that little corner of the dragnet. He wanted to expose the full dragnet, but Litt and others succeeded in pretending the Section 215 dragnet was the dragnet, and also pretending that Snowden’s other disclosures weren’t just as intrusive on Americans.

Anyway, another place where Perlstein is wrong is in suggesting there was just one Appeals Court decision. The far more important one is the one authored by Gerard Lynch in the Second Circuit, which ruled that Section 215 was not lawfully authorized. It was a far more modest decision, as it did not reach constitutional questions. But Lynch better understood that the principle involved more than phone records; what really scared him was the mixing of financial records with phone records, which is actually what the dragnet really is.

That ruling, on top of better understanding the import of dragnets, is important because it is one of the things that led to the passage of USA Freedom Act, a law that, contrary to Perlstein’s claim, did change the phone dragnet, both for good and ill.

The USA Freedom Act, by imposing limitations on how broadly dragnet orders (for communications but not for financial and other dragnets) can be targeted, adds a check at the beginning of the process. It means only people 2 degrees away from a terrorism suspect will be collected under this program (even while the NSA continues to collect in bulk under EO 12333). So the government will have in its possession far fewer phone records collected under Section 215 (but it will still suck in massive amounts of phone records via EO 12333, including massive amounts of Americans’ records).

All that said, Section 215 now draws from a larger collection of records. It now includes the Verizon cell records not included under the old Section 215 dragnet, as well as some universe of metadata records deemed to be fair game under a loose definition of “phone company.” At a minimum, it probably includes iMessage, WhatsApp, and Skype metadata, but I would bet the government is trying to get Signal and other messaging metadata (note, Signal metadata cannot be collected retroactively; it’s unclear whether it can be collected with standing daily prospective orders). This means the Section 215 collection will be more effective in finding all the people who are 2 degrees from a target (because it will include any communications that exist solely in Verizon cell or iMessage networks, as well as whatever other metadata they’re collecting). But it also means far more innocent people will be impacted.

To understand why that’s important, it’s important to understand what purpose all this metadata collection serves.

It was never the case that the collection of metadata, however intrusive, was the end goal of the process. Sure, identifying someone’s communications shows when you’ve been to an abortion clinic or when you’re conducting an affair.

But the dragnet (the one that includes limited Section 215 collection and EO 12333 collection limited only by technology, not law) actually serves two other primary purposes.

The first is to enable the creation of dossiers with the click of a few keys. Because the NSA is sitting on so much metadata — not just phone records, but Internet, financial, travel, location, and other data — it can put together a snapshot of your life as soon as they begin to correlate all the identifiers that make up your identity. One advantage of the new kind of collection under USAF, I suspect, is it will draw from the more certain correlations you give to your communications providers, rather than relying more heavily on algorithmic analysis of bulk data. Facebook knows with certainty what email address and phone number tie to your Facebook account, whereas the NSA’s algorithms only guess that with (this is an educated guess) ~95+% accuracy.

This creation of dossiers is the same kind of analysis Facebook does, but instead of selling you plane tickets the goal is government scrutiny of your life.

The Section 215 orders long included explicit permission to subject identifiers found via 2-degree collection to all the analytical tools of the NSA. That means, for any person — complicit or innocent — identified via Section 215, the NSA can start to glue together the pieces of a dossier it already has in its possession. While not an exact analogue, you might think of collection under Section 215 as a nomination to be on the equivalent of J Edgar Hoover’s old subversives list. Only, poor J Edgar mostly kept his list on index cards. Now, the list of those the government wants to have a network analysis and dossier on is kept in massive server farms and compiled using supercomputers.

Note, the Section 215 collection is still limited to terrorism suspects — that was an important win in the USA Freedom fight — but the EO 12333 collection, with whatever limits on nominating US persons, is not. Plus, it will be trivial for Trump to expand the definition of terrorist; the groundwork is already being laid to do so with Black Lives Matter.

The other purpose of the dragnet is to identify which content the NSA will invest the time and energy into reading. Most content collected is not read in real time. But Americans’ communications with a terrorism suspect will probably be, because of the concern that those Americans might be planning a domestic plot. The same is almost certainly true of, say, Chinese-Americans conversing with scientists in China, because of a concern they might be trading US secrets. Likewise it is almost certainly true of Iranian-Americans talking with government officials, because of a concern they might be dealing in nuclear dual use items. The choice to prioritize Americans makes sense from a national security perspective, but it also means certain kinds of people — Muslim immigrants, Chinese-Americans, Iranian-Americans — will be far more likely to have their communications read without a warrant than whitebread America, even if those whitebread Americans have ties to (say) NeoNazi groups.

Of course, none of this undermines Perlstein’s ultimate categorization, as voiced by Bill Binney, who created this system only to see the privacy protections he believed necessary get wiped away: the dragnet — both that authorized by USAF and that governed by EO 12333 — creates the structure for turnkey totalitarianism, especially as more and more data becomes available to NSA under EO 12333 collection rules.

But it is important to understand Obama’s history with this dragnet. Because while Obama did tweak the dragnet, two facts about it remain. First, while there are more protections built in on the domestic collection authorized by Section 215, that came with an expansion of the universe of people that will be affected by it, which must have the effect of “nominating” more people to be on this latter-day “Subversives” list.

Obama also, in PPD-28, “limited” bulk collection to a series of purposes. That sounds nice, but the purposes are so broad, they would permit bulk collection in any area of the world, and once you’ve collected in bulk, it is trivial to then call up that data under a more broad foreign intelligence purpose. In any case, Trump will almost certainly disavow PPD-28.

Which makes Perlstein’s larger point all the more sobering. J Edgar and Richard Nixon were out of control. But the dragnet Trump will inherit is far more powerful.

A Deep Dive on the Obama Response to Russian DNC Hack (and Theft and Harassment)

I was still with family when the White House rolled out its retaliation against Russian hacks of the election the other day, so I didn’t have a chance to unpack what they released. I’ll do that here.

The actions — which retaliate not just for the DNC hack — consist of a package that includes:

  • A “Voxsplainer” telling you “everything you need to know” about the package
  • An Obama statement
  • An expansion of cyber sanctions to include both our elections and those of our allies and partners
  • State Department retaliation against Russia for harassing our personnel
  • Two documents about Russian hacking: A Joint Analysis Report and an introduction to it

The Voxsplainer

In addition to promising to tell us “What You Need to Know” about “The Administration’s Response to Russia,” the Voxsplainer provides links to all the other pieces. There are two significant details.

First, the “response” is not just to “cyber operations aimed at our election” but also to “the Russian government’s aggressive harassment of U.S. officials.” Some of the most showy retaliation was actually specifically retaliation for the latter.

The other key detail is that, in describing Russia’s motive for the hack, the Voxsplainer steers very, very clear of the two more controversial motives (to retaliate for perceived and real covert operations against Russia, and to get Trump elected). Instead, the Voxsplainer provides the most wishy-washy description of Russia’s purpose.

Russia’s cyber activities were intended to influence the election, erode faith in U.S. democratic institutions, sow doubt about the integrity of our electoral process, and undermine confidence in the institutions of the U.S. government.

“Faith, integrity, and confidence” are pretty squishy things that don’t require much proof.

Obama’s statement

Obama’s statement is basically a description of what he ordered (here, he admits some of the individual sanctions are for cyber-crime, not the hack). The most important part of the statement is the last paragraph.

These actions are not the sum total of our response to Russia’s aggressive activities. We will continue to take a variety of actions at a time and place of our choosing, some of which will not be publicized. In addition to holding Russia accountable for what it has done, the United States and friends and allies around the world must work together to oppose Russia’s efforts to undermine established international norms of behavior, and interfere with democratic governance. To that end, my Administration will be providing a report to Congress in the coming days about Russia’s efforts to interfere in our election, as well as malicious cyber activity related to our election cycle in previous elections.

As I’ll show in this and a follow-up post, some of what Obama ordered is silly or downright counterproductive. But the actions took place alongside a claim that there would also be covert retaliation we won’t see. So we’ve got silly and counterproductive overt retaliation, with the promise of covert retaliation that may be less silly.

Obama also stated what the presumed goal of these actions is: to prevent Russia from undermining democratic norms, norms which the President-Elect has expressed intent to violate.

New Cyber-Sanctions

Obama extended the application of an EO he signed in April 2015 to apply to election related hacking. The Voxsplainer doesn’t explicitly describe what’s new about the cyber-sanctions, leaving that to a separate fact sheet and an annex to the Executive Order extending the sanctions. Instead, the Voxsplainer describes what the original EO 13964 had done, which basically permitted the President to sanction entities that hacked critical infrastructure or big money.

Curiously, the White House doesn’t appear to have issued a new version of EO 13964, relying solely on the fact sheet to explain the newly expanded scope.

Just as interesting, there’s a subtle difference in the way the attached fact sheet describes the addition, and how Obama did in his statement. The fact sheet does not specify whether these sanctions only apply for the targeting of our own election processes or institutions, or for others.

The increasing use of cyber-enabled means to undermine democratic processes at home and abroad, as exemplified by Russia’s recent activities, has made clear that a tool explicitly targeting attempts to interfere with elections is also warranted. As such, the President has approved amending Executive Order 13964 to authorize sanctions on those who:

  • Tamper with, alter, or cause a misappropriation of information with the purpose or effect of interfering with or undermining election processes or institutions.

But Obama’s statement says the EO “provides additional authority for responding to certain cyber activity that seeks to interfere with or undermine our election processes and institutions, or those of our allies or partners.” [my emphasis] That Obama would extend such sanctions to protect our allies’ elections makes sense, as there’s real concern about Russia’s plans for the upcoming French and German elections. But it’s also really funny given that the NSA and CIA have targeted the election institutions and processes of our allies Pakistan and Mexico. Does that mean we have to sanction the NSA and CIA now? This is so confusing.

As to the sanctions themselves, they target the following:

1. Main Intelligence Directorate (a.k.a. Glavnoe Razvedyvatel’noe Upravlenie) (a.k.a. GRU); Moscow, Russia
2. Federal Security Service (a.k.a. Federalnaya Sluzhba Bezopasnosti) (a.k.a. FSB); Moscow, Russia
3. Special Technology Center (a.k.a. STLC, Ltd. Special Technology Center St. Petersburg); St. Petersburg, Russia
4. Zorsecurity (a.k.a. Esage Lab); Moscow, Russia
5. Autonomous Noncommercial Organization “Professional Association of Designers of Data Processing Systems” (a.k.a. ANO PO KSI); Moscow, Russia

Individuals

1. Igor Valentinovich Korobov; DOB Aug 3, 1956; nationality, Russian
2. Sergey Aleksandrovich Gizunov; DOB Oct 18, 1956; nationality, Russian
3. Igor Olegovich Kostyukov; DOB Feb 21, 1961; nationality, Russian
4. Vladimir Stepanovich Alexseyev; DOB Apr 24, 1961; nationality, Russian

As I noted the other day, I find it particularly interesting that Obama included FSB in these sanctions, given that the public record only reflects them doing the kind of data collection that we also do all the time (and that China and others have done against us in the past). Perhaps that means there’s evidence they did more, or perhaps this is just gratuitous sanctioning. It will be interesting to see how seriously this part of the sanctions gets taken, given that we need to cooperate with Russian intelligence on things like bombing ISIS.

There has been some befuddlement about why Zorsecurity got included on the list, as its owner, Alisa Esage Shevchenko, claims she doesn’t work for the Russian state and has been celebrated for her security research in the past, though one anonymous source claims she has.

“I’m just trying not to freak out,” she told me over email. “My company never worked with the government. It never had the necessary licenses to do so in the first place. And I personally tried to stay as far away as possible from anything remotely suspicious, as I’m naturally a cosmopolitan person, and an introverted single woman. I wouldn’t want any job that would put me in danger or restrictions.”

Talking about the defunct state of the company, she added: “This is fixed in the public registry, and should be well known to any foreign intelligence that bothered to do any research.” A search on the public registry showed ZorSecurity as still active, however — Shevchenko said the firm stopped submitting any tax statements, which should be visible in the registry.

[snip]

One Russian hacker who claimed knowledge of Esage Lab’s business, and who asked to remain anonymous, said the company sold software exploits and hacking tools, and had worked with the Russian government. “Esage do exploits and offensive software,” said the well-connected Moscow source. “Esage worked with government customers … but I’m really not sure if they related to the DNC hack.”

That same anonymous Russian hacker also doesn’t see why the US sanctioned the two other Russian companies.

The anonymous Moscow source told me the list of organizations named in the sanctions – which also included the St. Petersburg-based Special Technology Center and the Autonomous Noncommercial Organization’s Professional Association of Designers of Data Processing Systems – did “not look professional at all.” “It looks like the U.S. government does not know who is behind this DNC thing,” they added.

So it’s possible the US just sanctioned some companies for the sake of sanctioning some companies. As MalwareJake notes in a critique of the sanctions, these companies don’t do business in the US so it’s not like the sanctions will have any effect anyway.

Four of the individuals sanctioned are top GRU officials (making this the equivalent of the post-Sony sanction on North Korean officials).

Sanctioned individuals include Igor Valentinovich Korobov, the current Chief of the GRU; Sergey Aleksandrovich Gizunov, Deputy Chief of the GRU; Igor Olegovich Kostyukov, a First Deputy Chief of the GRU; and Vladimir Stepanovich Alexseyev, also a First Deputy Chief of the GRU.

The Voxsplainer also notes that Treasury added two Russian criminals to its sanction list.

In addition, the Department of the Treasury is designating two Russian individuals, Evgeniy Bogachev and Aleksey Belan, under a pre-existing portion of the Executive Order for using cyber-enabled means to cause misappropriation of funds and personal identifying information.

  • Evgeniy Mikhailovich Bogachev is designated today for having engaged in significant malicious cyber-enabled misappropriation of financial information for private financial gain.  Bogachev and his cybercriminal associates are responsible for the theft of over $100 million from U.S. financial institutions, Fortune 500 firms, universities, and government agencies.
  • Aleksey Alekseyevich Belan engaged in the significant malicious cyber-enabled misappropriation of personal identifiers for private financial gain.  Belan compromised the computer networks of at least three major United States-based e-commerce companies.

Note, however, that at least Bogachev has been implicated in surveillance in the past. So it’s possible these sanctions are designed to nod towards related activity, the sanctioned (heh) permission of cybercrime by entities willing to help out the Russian government.

Diplomatic retaliation

As noted above, this package of actions actually responds not just to the election (and Bogachev and Belan’s crimes), but also to harassment of US personnel in Russia.

The beginning of the Voxsplainer says that the diplomatic measures were in retaliation for harassment that has gone on in the last year. “Moreover, our diplomats have experienced an unacceptable level of harassment in Moscow by Russian security services and police over the last year.”

The part of the Voxsplainer that explains the actual actions says it responds to two years of harassment.

Over the past two years, harassment of our diplomatic personnel in Russia by security personnel and police has increased significantly and gone far beyond international diplomatic norms of behavior. Other Western Embassies have reported similar concerns. In response to this harassment, the President has authorized the following actions:

Today the State Department declared 35 Russian government officials from the Russian Embassy in Washington and the Russian Consulate in San Francisco “persona non grata.” They were acting in a manner inconsistent with their diplomatic status. Those individuals and their families were given 72 hours to leave the United States.

In addition to this action, the Department of State has provided notice that as of noon on Friday, December 30, Russian access will be denied to two Russian government-owned compounds, one in Maryland and one in New York.

I find the temporal inconsistency interesting, especially since neither period extends back to the post-Boston Marathon period when numerous CIA officers, most notably Randy Fogle, were getting expelled from Russia. It does, however, cover incidents that have been reported since at least July, including this apparent attempt to detain someone who just barely made it into the US embassy, with ABC providing more detail in October.

In any case, the closure of the two recreational facilities had the excellent effect of getting journalists scurrying to the sites, one of which US officials misidentified:

Articles on Friday about the Obama administration’s decision to close two Russian-owned compounds in the United States misidentified one of the compounds, using information from the White House and F.B.I. officials. The administration ordered the closure of Norwich House in Upper Brookville, N.Y., owned by Russia — not the nearby Killenworth Mansion in Glen Cove, N.Y., also owned by the Russians. An accompanying picture that showed Killenworth Mansion should have been of Norwich House.

Every outlet was able to highlight pictures of big mansions and interview neighbors about weird interactions with Russians. All perfectly scripted just like the Americans.

Putin, of course, threatened to retaliate by kicking out 35 diplomats, but instead invited the children of American diplomats to a party at the Kremlin. Also perfectly scripted.

Two documents on Russian hacking

Finally, the government released two documents on Russian hacking: a document introducing a Joint Analysis Report and the Joint Analysis Report itself. It appears the introductory document served mostly to get FBI, ODNI, and DHS all listed on one document — so there’s no doubt that this comes from the entire IC, as there was with the October 7 report that FBI declined to sign off on. It has this odd endorsement of many — but not all — claims made by a number of — but not all — security industry reports.

A great deal of analysis and forensic information related to Russian government activity has been published by a wide range of security companies.  The U.S. Government can confirm that the Russian government, including Russia’s civilian and military intelligence services, conducted many of the activities generally described by a number of these security companies.

I guess we’ll just have to guess which parts the security firms got right and which they did not.

As for the Joint Analysis Report (JAR), it purports to be an alert to make everyone more vigilant against Russian hacks. A number of tech experts have criticized the contents. Robert Graham calls them a “political tool, to prove they have evidence pointing to Russia. They have limited utility to defenders, or those publicly analyzing attacks.” Robert M Lee says the report “reads like a poorly done vendor intelligence report stringing together various aspects of attribution without evidence.” Jerry Gamblin notes that a fifth of the IP addresses included were Tor exit nodes, meaning they could be used by anyone. Wordfence analyzes one malware sample and finds that it “is old, widely used and appears to be Ukrainian. It has no apparent relationship with Russian intelligence.” Ultimately, the tech folks are complaining that the report is not very useful for defensive purposes, which is ostensibly what it is supposed to do.

But several of the reports also include some version of this conclusion from Lee: “the indicators are not very descriptive and will have a high rate of false positives for defenders that use them.”

That is, we may see more of what we saw Friday, when a Vermont utility did as instructed with the report — searched for the indicators included in the report — reported a positive hit, only to have anonymous sources immediately blow it up to mean Russia had hacked our grid. That find might turn out to be a Russian probe, or it might not; there’s little doubt that Russia can hack our electrical system. But what it did do is feed a panic.
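As an added illustration of the false-positive problem the critics describe (example code, not part of the original post, the JAR, or any of the researchers quoted above), the snippet below does what a defender would want to do before running a JAR-style indicator list against their logs: label each indicator IP as a Tor exit node or not, report what fraction of the list that is, and then downgrade the confidence of any log hit that lands on a Tor exit. The indicator list, the Tor exit list, and the firewall log lines are all constructed for this example (RFC 5737 documentation addresses), and the log format is a generic key=value style rather than any particular product's.

```python
import ipaddress
import re

# Constructed indicator list in the flat "one IP per line" form; these are
# documentation-range addresses (RFC 5737), not real indicators.
INDICATORS = [
    "198.51.100.10",
    "198.51.100.11",
    "203.0.113.5",
    "203.0.113.6",
    "192.0.2.77",
]

# Constructed stand-in for a Tor exit-node list (real lists are published by
# the Tor Project; this set is made up for the example).
TOR_EXITS = {"203.0.113.5", "203.0.113.6", "203.0.113.9"}

# Constructed firewall log lines in a generic key=value style.
LOG_LINES = [
    "2016-12-30T10:01:02Z action=allow src=10.0.0.4 dst=198.51.100.10 dport=443",
    "2016-12-30T10:01:05Z action=allow src=10.0.0.9 dst=93.184.216.34 dport=443",
    "2016-12-30T10:02:11Z action=allow src=10.0.0.4 dst=203.0.113.5 dport=443",
    "2016-12-30T10:03:40Z action=deny src=203.0.113.9 dst=10.0.0.1 dport=22",
]

# Pull the IPv4 address out of src=/dst= fields only.
IP_RE = re.compile(r"\b(?:src|dst)=(\d{1,3}(?:\.\d{1,3}){3})\b")


def classify_indicators(indicators, tor_exits):
    """Label each indicator IP as 'tor-exit' (shared infrastructure anyone can
    use, so a match says little on its own) or 'unknown'."""
    labels = {}
    for raw in indicators:
        ip = str(ipaddress.ip_address(raw.strip()))  # validate and normalise
        labels[ip] = "tor-exit" if ip in tor_exits else "unknown"
    return labels


def tor_fraction(labels):
    """Share of the indicator list that is Tor exit infrastructure."""
    if not labels:
        return 0.0
    return sum(1 for v in labels.values() if v == "tor-exit") / len(labels)


def triage_log(lines, labels):
    """Return (line_index, matched_ip, confidence) for every log line that
    touches an indicator. A hit on a Tor exit node is reported at 'low'
    confidence; any other indicator hit is 'medium' and still needs review."""
    hits = []
    for i, line in enumerate(lines):
        for ip in IP_RE.findall(line):
            if ip in labels:
                conf = "low" if labels[ip] == "tor-exit" else "medium"
                hits.append((i, ip, conf))
    return hits


if __name__ == "__main__":
    labels = classify_indicators(INDICATORS, TOR_EXITS)
    print(f"{tor_fraction(labels):.0%} of indicators are Tor exit nodes")
    for idx, ip, conf in triage_log(LOG_LINES, labels):
        print(f"line {idx}: {ip} ({conf} confidence)")
```

On the constructed data two of the five indicators are Tor exits, and the one log hit on a Tor exit is reported as low confidence; the deny on 203.0.113.9 is not a hit at all, because that address is a Tor exit but not in the indicator list. That separation is the point: a match on shared infrastructure is a prompt to look at the session, not evidence of who was behind it.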

And even though the report is supposed to only address defense (with the report to Congress designed to report on the actual attacks) there is an odd detail in the narrative about the attack. After describing APT 29 (associated with FSB) and APT 28 (associated with GRU) generally, the report includes these two paragraphs.

In summer 2015, an APT29 spearphishing campaign directed emails containing a malicious link to over 1,000 recipients, including multiple U.S. Government victims. APT29 used legitimate domains, to include domains associated with U.S. organizations and educational institutions, to host malware and send spearphishing emails. In the course of that campaign, APT29 successfully compromised a U.S. political party. At least one targeted individual activated links to malware hosted on operational infrastructure or opened attachments containing malware. APT29 delivered malware to the political party’s systems, established persistence, escalated privileges, enumerated active directory accounts, and exfiltrated email from several accounts through encrypted connections back through operational infrastructure.

In spring 2016, APT28 compromised the same political party, again via targeted spearphishing. This time, the spearphishing email tricked recipients into changing their passwords through a fake webmail domain hosted on APT28 operational infrastructure. Using the harvested credentials, APT28 was able to gain access and steal content, likely leading to the exfiltration of information from multiple senior party members. The U.S. Government assesses that information was leaked to the press and publicly disclosed.

Of FSB’s attack (APT29), the report states that at least one person clicked a bad link. After infesting (not a technical term!) the DNC server, the report describes, FSB “exfiltrated email from several accounts through encrypted connections.”

That is, the government is saying it (or someone else) watched FSB steal documents.

Now compare that to the GRU description (APT 28). I guess the narrative vaguely suggests that recipients changed their passwords after being phished, though there’s nowhere near the exactitude of at least one user clicking a bad link as used with FSB. And on the critical issue — whether any data was exfiltrated — the report only says it was “likely” that the information was exfiltrated. There’s no claim here, as there was with FSB, to have watched the documents be exfiltrated.

That’s important because GRU is the presumed source for the dump to Wikileaks (as the “assessment” that follows states). We’ve long known that the government wasn’t certain how the documents got from GRU to Wikileaks, but here, they seem to go further and say they only believe it “likely” that the documents were exfiltrated.

And note what’s not in the report? Any mention of John Podesta, whose leaked emails took up the final month of the campaign.

Maybe I’m overreading this (wouldn’t be the first time). But after going out of its way to include a narrative that isn’t necessary to the point of the report, the report stops short of making certain statements about the issues we most care about, that GRU stole the documents that Wikileaks got.

I’ll have a bit more on this report later. But it just seems odd from both the technical side and the narrative side.


Is Trump’s Revelation the Same as Craig Murray’s Revelation: An American Cut-Out?

Because security professionals are so confident in the Russian attribution of the DNC hack, they have largely ignored alternative theories from the likes of Wikileaks and Bill Binney. That’s unfortunate, because Craig Murray, in his description of his own role in getting the Podesta files to Wikileaks, at least, revealed a detail that needs greater attention. He believes he received something (perhaps the documents themselves, perhaps something else) from a person with ties to US national security.

[I]f we believe that Murray believes this, we know that the intermediary can credibly claim to have ties to American national security.

So on September 25, Murray met a presumed American in DC for a hand-off related to the Podesta hack.

I raise that because Trump is now promising we’ll learn something this week about the hack that may cast doubt on the claims Russia was behind it.

He added: “And I know a lot about hacking. And hacking is a very hard thing to prove. So it could be somebody else. And I also know things that other people don’t know, and so they cannot be sure of the situation.”

When asked what he knew that others did not, Mr. Trump demurred, saying only, “You’ll find out on Tuesday or Wednesday.”

If Murray met an American claiming to have done the hack, then Trump may have too. That doesn’t mean the Russians didn’t do the hack (though it could mean an American borrowed GRU’s tools to do it). It could just as easily mean the Russians have an American cut-out, and that while the security community has been looking for Russian-speaking proxies, they’ve ignored the possibility of American ones.

I have a suspicion that Trump’s campaign did meet with such a person (I even have a guess about when it would have happened).

I guess we’ll learn more this week.

The Conspiracy Theory in YouGov’s Conspiracy Theory Poll

YouGov has a poll showing that “belief in conspiracy theories largely depends on political identity.” For example, it shows that Republicans believe Obama is Kenyan.

It focuses on several things it considers conspiracy theories tied to this election, including pizzagate, millions of alleged illegal votes, and claims about the Russian hack.

Interestingly, it shows that half of Clinton voters believe that Russia tampered with vote tallies to get Trump elected, in spite of the White House’s assurances that did not happen.

It’s the other tested question about Russian hacking that strikes me as more curious. 87% of Clinton voters believe Russia hacked Democratic emails “in order to help Donald Trump,” whereas only 20% of Trump voters believe that.

That’s about the result I’d expect. But to explain why this is a conspiracy theory, YouGov writes,

Similarly, even after the Central Intelligence Agency and the Federal Bureau of Investigation reported that Russia was responsible for the leaks of damaging information from the Democratic National Committee and the Clinton campaign and that the hacking was done to help Donald Trump win the Presidency, only one in five say that is definitely true, about the same percentage as believe it is definitely not true.

So YouGov bases this “truth” on a claim that the CIA and FBI “reported that Russia was responsible for the leaks … and that the hacking was done to help Donald Trump win the Presidency.”

Except there has been no such report, not from CIA and FBI, anyway.

There was an official report finding that,

The U.S. Intelligence Community (USIC) is confident that the Russian Government directed the recent compromises of e-mails from US persons and institutions, including from US political organizations. … These thefts and disclosures are intended to interfere with the US election process.

That is, the official report stated that the hack was “intended to interfere with the US election process;” it did not say the hack was done to help Trump.

Moreover, while the report speaks for the entire IC (including the FBI), the report itself came from DHS and ODNI, not FBI or CIA.

It is absolutely true that anonymous leakers — at least some of whom appear to be Democratic Senate sources — claim that CIA said the hack happened to get Trump elected. It is also true that anonymous sources passed on the substance of a John Brennan letter that said in separate conversations with Jim Comey and James Clapper, each agreed with Brennan about the purpose of the hack, which WaPo edited its previous reporting to say included electing Trump as one of a number of purposes, but that’s a third-hand report about what Jim Comey believes.

But that was not an official report, not even from CIA. Here’s what John Brennan said when interviewed about this topic by NPR’s Mary Louise Kelly:

You mentioned the FBI director and the director of national intelligence. And NPR confirmed with three sources that after the three of you meeting last week, you sent a memo to your workforce and that the memo read: There is strong consensus among us on the scope, nature and intent of Russian interference in our presidential elections. Is that an accurate quote from your memo?

I certainly believe that, that there is strong consensus.

Was there ever not?

Well, sometimes in the media, there is claims, allegations, speculation about differences of view. Sometimes I think that just feeds concerns about, you know, the strength of that intelligence and …

And in this case it was reports of tension between FBI and CIA …

… and differences of view. And I want to make sure that our workforce is kept as fully informed as possible so that they understand that what we’re doing, we’re doing in close coordination with our partners in the intelligence community. And so I try to keep my workforce informed on a periodic basis. But aside from whatever message I might have sent out to the workforce, there is, I strongly believe, very strong consensus among the key players — but not just the leaders of these organizations, but also the institutions themselves. And that’s why we’re going through this review. We want to make sure that we scrub this data, scrub the information and make sure that the assessment and analysis is as strong and as grounded as it needs to be.

That quote I read you about the memo that you sent mentioned that there is agreement on scope, nature and intent of Russian interference. And intent is the one that’s been controversial recently, the question of motive. How confident are you in the intelligence on that? It seems like proving motive is an infinitely harder thing than proving that somebody did something. The “why” is tough.

I will not disagree with you that the why is tough. And that’s why there needs to be very careful consideration of what it is that we know, what it is that we have insight into and what our analysis needs to be. But even back in early October when Jim Clapper and Jeh Johnson put out this statement, it said “the intent to interfere in the election.” Now, there are different elements that could be addressed in terms of how it wanted to interfere. And so that’s why this review is being done to make sure that there is going to be a thorough look at the nature, scope and intent of what transpired.

What’s been reported is that the CIA has concluded the intent was to interfere with the election with the purpose of swinging at Donald Trump. Is that an accurate characterization?

That’s an accurate characterization of what’s been appearing in the media. Yes.

Is it an accurate characterization of where the CIA is on this?

Well, that’s what the review is going to do. And we will be as forward-leaning as the intelligence and analysis allows us to be, and we will make sure that, again, President Obama and the incoming administration understands what the intelligence community has assessed and determined to have happened during the run-up to this election.

Why not confirm that that’s where the CIA is on this? Why not confirm if you have the evidence that you believe is …

Because I don’t work for NPR, Mary Louise. I work for the president, I work for the administration, and it is my responsibility to give them the best information and judgment possible.

That is, the CIA Director specifically avoided stating what he or his agency believes the motive to be, deferring to the ongoing review of the evidence, something that Obama also did in his press conference earlier this month.

Q Mr. President, I want to talk about Vladimir Putin again. Just to be clear, do you believe Vladimir Putin himself authorized the hack? And do you believe he authorized that to help Donald Trump? And on the intelligence, one of the things Donald Trump cites is Saddam Hussein and the weapons of mass destruction, and that they were never found. Can you say, unequivocally, that this was not China, that this was not a 400-pound guy sitting on his bed, as Donald Trump says? And do these types of tweets and kinds of statements from Donald Trump embolden the Russians?

THE PRESIDENT: When the report comes out, before I leave office, that will have drawn together all the threads. And so I don’t want to step on their work ahead of time.

What I can tell you is that the intelligence that I have seen gives me great confidence in their assessment that the Russians carried out this hack.

None of that is to say that CIA and (perhaps to a lesser extent) FBI don’t think Russia hacked Democrats to help Trump, as one of several — probably evolving over the course of the election — reasons. CIA surely does (but then it has a big incentive to downplay the most obvious motivation, that Russia was retaliating for perceived and real CIA covert actions against it). FBI probably does.

But there has been no “report” that they believe that, just anonymous reports of reports. The official stance of the Executive Branch is that they’re conducting a review of the evidence on this point.

Perhaps if YouGov wants to test conspiracy theories, it should start by sticking to topics about which there aren’t a slew of anonymous leaks and counter-leaks contravened by public deferral?

Now the Spooks Are Leaking Criticism of Obama’s Sole Use of the “Red Phone”

NBC, which seems to be sharing the role of spook leak central with WaPo, has upped the ante on previous leaks. Last night, it revealed that on October 31, Obama used the “Red Phone” (which is in reality an email system) designed to avert disasters with Russia for the first time in his Administration to warn Vladimir Putin not to fuck with our election process.

A month later, the U.S. used the vestige of an old Cold War communications system — the so-called “Red Phone” that connects Moscow to Washington — to reinforce Obama’s September warning that the U.S. would consider any interference on Election Day a grave matter.

This time Obama used the phrase “armed conflict.”

The reason we’re getting this leak seems fairly clear. Not only are Democrats peeved that Obama didn’t manage to recall or suppress documents already leaked to WikiLeaks, but one “senior intelligence official” is angry that Obama laid down no bright line.

A senior intelligence official told NBC News the message ultimately sent to the Russians was “muddled” — with no bright line laid down and no clear warning given about the consequences. The Russian response, said the official, was non-committal.

I’m pretty favorable to leaks (though not their use to preempt deliberative assessment of intelligence). They serve an important check on government, even on the President.

But it alarms me that someone decided it was a good idea to go leak criticisms of a Red Phone exchange. It would seem that such an instrument depends on some foundation of trust that, no matter how bad things have gotten, two leaders of nuclear armed states can speak frankly and directly.

Without that conversation being broadcast to the entire world via leaks.

It would seem such a leak might lead Putin to take such exchanges less seriously in the future knowing that the spooks reviewing the exchange don’t take the gravity of it all that seriously.

Ah well. Good thing these spooks are so successfully combatting the inappropriate leak of information by leaking more information.

Matt Olsen Admits He Didn’t Bargain on a President Trump

Something predictable, but infuriating, happened at last week’s Cato conference on surveillance.

A bunch of spook lawyers did a panel, at which they considered the state of surveillance under Trump. Former White House Director of Privacy and Civil Liberties Tim Edgar asked whether adhering to basic norms, which he suggested would otherwise be an adequate check on surveillance, works in a Trump Administration.

In response, former NSA General Counsel Matt Olsen provided an innocuous description of the things he had done to expand the dragnet.

I fought hard … in the last 10 [years] when I worked in national security, for increasing information sharing, breaking down barriers for sharing information, foreign-domestic, within domestic agencies, and for the modernization of FISA, so we could have a better approach to surveillance.

Then, Olsen admitted that he (who for three years after he left NSA headed up the National Counterterrorism Center managing a ton of analysts paid to imagine the unimaginable) did not imagine someone like Trump might come along.

As I fought for these changes, I did not bargain on a President Trump. That was beyond my ability to imagine as a leader of the country in thinking about how these policies would actually be implemented by the Chief Executive.

It was beyond his ability [breathe, Marcy, breathe] to imagine someone who might abuse power to come along!!!

What makes Olsen’s comment even more infuriating is that I called out Olsen’s problematic efforts to “modernize” FISA and sustain the phone dragnet even in spite of abuse in September, in arguing that Hillary could not, in fact, be supporting a balanced approach on intelligence if she planned on hiring him, as seemed likely.

Olsen was the DOJ lawyer who oversaw the Yahoo challenge to PRISM in 2007 and 2008. He did two things of note. First, he withheld information from the FISC until forced to turn it over, not even offering up details about how the government had completely restructured PRISM during the course of Yahoo’s challenge, and underplaying details of how US person metadata is used to select foreign targets. He’s also the guy who threatened Yahoo with $250,000 a day fines for appealing the FISC decision.

Olsen was a key player in filings on the NSA violations in early 2009, presiding over what I believe to be grossly misleading claims about the intent and knowledge NSA had about the phone and Internet dragnets. Basically, working closely with Keith Alexander, he hid the fact that NSA had basically willfully treated FISA-collected data under the more lenient protection regime of EO 12333.

These comments were used, in this post by former NSA Compliance chief John DeLong and former NSA lawyer Susan Hennessey (the latter of whom was on this panel) to unbelievably dishonestly suggest that surveillance skeptics, embodied by me and EFF’s Nate Cardozo (who has been litigating some of these issues for years), took our understanding of NSA excesses from one footnote in a FISA Court opinion, rather than from years of reading underlying documents.

Readers are likely aware of the incident, which has become a persistent reference point for NSA’s most ardent critics. One such critic recently pointed to a FISC memorandum referencing the episode as evidence that “NSA lawyers routinely lie, even to the secret rubber stamp FISA court”; another cited it in claiming DOJ’s attorneys made “misleading claims about the intent and knowledge NSA had about the phone and Internet dragnets” and that “NSA had basically willfully treated FISA-collected data under the more lenient protection regime of EO 12333.”

These allegations are false. And by insisting that government officials routinely mislead and lie, these critics are missing one of the most important stories in the history of modern intelligence oversight.

Never mind that I actually hadn’t cited the footnote. Never mind that then FISA Judge Reggie Walton was the first to espouse my “false” view, even before seven more months of evidence came out providing further support for it.

The underlying point is that these two NSA people were so angry that I called out Matt Olsen for documented actions he had taken that they used it as a foil to make some pretty problematic claims about the oversight over NSA spying. But before they did so, they assured us of the integrity of the people involved (that is, Olsen and others).

It’s tempting to respond to these accusations by defending the integrity of the individuals involved. After all, we know from firsthand experience that our former colleagues—both within the NSA and across the Department of Justice, the Office of the Director of National Intelligence, and the Department of Defense—serve the public with a high degree of integrity. But we think it is important to move beyond the focus on who is good and who is bad, and instead explore the history behind that footnote and the many lessons learned and incorporated into practice. After all, we are ultimately a “government of laws,” not of people.


We are a government of laws, not people, they said in October, before laying out oversight that (they don’t tell you, but I will once I finally get back to responding to this post) has already proven to be inadequate. I mean, I agree with their intent — that we need(ed) to build a bureaucracy that could withstand the craziest of Executives. But contrary to what they claim in their piece and the presumably best intent of DeLong, they didn’t do that.

They now seem to realize that.

In the wake of the Trump victory, a number of these people are now admitting that maybe their reassurances about the bureaucracy they contributed to — which were in reality based on faith in the good intentions and honesty and competence of their colleagues — were overstated. Maybe these tools are too dangerous for an unhinged man to wield.

And, it turns out, one of the people largely responsible for expanding the dragnet that its former defenders now worry might be dangerous for Donald Trump to control never even imagined that someone like Trump might come along.
