US Indicts Hal Martin — But Offers No Hint He’s the Source for Shadow Brokers, Or Anyone Else

After David Petraeus shared notebooks full of code word intelligence with his girlfriend (and boxes of other classified information), then lied about it to the FBI, the government let Petraeus off with two years of probation.

DOJ just indicted Hal Martin — the Booz Allen contractor who allegedly stole terabytes of NSA information — with 20 charges each carrying up to 10 years of punishment. The indictment includes no hint that Martin did anything but hoard the files he stole. There’s no allegation he shared them with anyone (though, like Petraeus, he definitely kept very sensitive documents in highly insecure fashion).

Significantly, there’s no mention of the Shadow Brokers or even a description of the hacking tools Martin allegedly stole (though that’s likely because DOJ would draw up the indictment to avoid confirming that NSA even has hacking tools, much less the ones released to the public).

The only description of a document specifically targeting an adversary akin to the one described to the WaPo seems to target a terrorist organization, not Russia (meaning that they’re not presenting evidence Martin preferentially collected information on Russia, though again, if he were, they might hide that).

And the indictment alleges that Martin continued to steal documents up until 12 days before he was arrested, and significantly, three days after the first Shadow Brokers post on August 13.

It would be the height of folly for someone who knew he was the source for the Shadow Brokers to keep stealing documents after Shadow Brokers had gone public (though at that point, it wasn’t clear precisely what Shadow Brokers was going to release).

Certainly, the way in which DOJ has charged this — larding on 20 different charges — suggests they’re trying to coerce him into cooperating. The case against Chelsea Manning, which was partly an attempt to coerce Manning to testify against Julian Assange and Wikileaks, was very nearly parallel in the charging of many documents. In Manning’s case, there was no way for her to cooperate to implicate Assange except to lie; there’s nothing Assange did to elicit the files. That may be the case for Martin, too.

The big difference here is there’s absolutely no hint that Martin shared any of this. Given the Petraeus and Hillary precedents, the government will have a difficult time coercing Martin further, given that Petraeus didn’t even do prison time for hoarding and then sharing equally classified documents (albeit not as many of them).

Nevertheless, it appears that that DOJ is trying to coerce Martin to get information it offers no proof he even has.

Update: As it happens, DOJ indicted Hal Martin just over 4 hours before Jeff Sessions, who has refused to recuse himself in investigations of the Russian hack of the DNC, was confirmed as Attorney General. Again, there’s no evidence whatsoever that DOJ has any evidence Martin was a source for Shadow Brokers, who are presumed to have a tie to the DNC hack. But if they suspect it, indicting Martin with such extensive charges before Sessions comes in will make it hard for Sessions to reverse what seems to be an effort to coerce Martin to reveal any tie to the hack.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

How Hal Martin Stole 75% of NSA’s Hacking Tools: NSA Failed to Implement Required Security Fixes for Three Years after Snowden

The other day, Ellen Nakashima reported that Hal Martin, the Booz Allen contractor who has been in custody for months based on allegations he stole terabytes of NSA’s hacking tools, may be indicted this week. The story raises some interesting questions — such as how, absent some proof that Martin leaked this information to a third party, prosecutors intend to distinguish Martin’s hoarding from David Petraeus’ sharing of code word information with his girlfriend Paula Broadwell. One detail Nakashima included — that Martin had stolen “operational plans against ‘a known enemy’ of the United States” — may suggest prosecutors plan to insinuate Martin stole the information to alert that known enemy (especially if the known enemy is Russia).

All that said, the detail in Nakashima’s story that has attracted the most notice is the claim that Martin stole 75% of NSA’s hacking tools.

Some U.S. officials said that Martin allegedly made off with more than 75 percent of TAO’s library of hacking tools — an allegation which, if true, would be a stunning breach of security.

Frankly, this factoid feels a lot like the claim that Edward Snowden stole 1.5 million documents from NSA, a claim invented at least in part because Congress wanted an inflammatory detail they could leak and expand budgets with. That’s especially true given that the 75% number comes from “US officials,” which sometimes include members of Congress or their staffers.

Still, the stat is pretty impressive: even in the wake of the Snowden leak, a contractor was able to walk out the door, over time, with most of NSA’s most dangerous hacking tools.

Except it should in no way be a surprise. Consider what the House Intelligence Report on Snowden revealed, which I mentioned here. Buried way back at the end of the report, it describes how in the wake of Snowden’s leaks, NSA compiled a list of security improvements that would have stopped Snowden, which it dubbed, “Secure the Net.” This initiative included the following, among other things:

  • Imposing two person control for transferring data by removable media (making it harder for one individual to put terabytes of data on a thumb drive and walk out the door with it)
  • Reducing the number of privileged and authorized data transfer agents (making it easier to track those who could move terabytes of data around)
  • Moving towards continuous evaluation model for background investigations (which might reveal that someone had debt problems, as Martin did)

By July 2014, the report reveals, even some of the most simple changes included in the initiative had not been implemented. On August 22, 2016 — nine days after an entity calling itself Shadow Brokers first offered to auction off what have since been verified as NSA tools — NSA reported that four of the initiatives associated with the Secure the Net remained unfulfilled.

All the while, according to the prosecutors’ allegations, Martin continued to walk out of NSA with TAO’s hacking tools.

Parallel to NSA’s own Secure the Net initiative, in the intelligence authorization for 2016 the House directed the DOD Inspector General to assess NSA’s information security. I find it interesting that HPSCI had to order this review and that they asked DOD’s IG, not NSA’s IG, to do it.

DOD IG issued its report on August 29, 2016, two days after a search of Martin’s home had revealed he had taken terabytes of data and the very day he was arrested. The report revealed that NSA needed to do more than its proposed fixes under the Secure the Net initiative. Among the things it discovered, for example, is that NSA did not consistently secure server racks and other sensitive equipment in data centers, and did not extend two-stage authentication controls to all high risk users.

So more than three years after Snowden walked out of the NSA with thousands of documents on a thumb drive, DOD Inspector General discovered that NSA wasn’t even securing all its server racks.

“Recent security breaches at NSA underscore the necessity for the agency to improve its security posture,” The HPSCI report stated dryly, referring obliquely to Martin and (presumably) another case Nakashima has reported on.

Then the report went on to reveal that CIA didn’t even require a physical token for general or privileged users of its enterprise or mission systems.

So yes, it is shocking that a contractor managed to walk out the door with 75% of NSA’s hacking tools, whatever that means. But it is also shocking that even the Edward Snowden breach didn’t lead NSA to implement some really basic security procedures.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

On Russian Treason

Yesterday, several reports revealed that a top Kaspersky employee, Ruslan Stoyanov, had been arrested in December on treason charges, along with a top FSB officer. The news has led many people to assume — as Paul Rosenzweig did here that Stoyanov was a source for the dossier on Donald Trump. And the timing of Stoyanov’s arrest — reportedly some time in December — may coincide with the suspicious death of another person who might be tied to the dossier, Oleg Erovinkin.

That may well be the case. But perhaps not in an obvious way. Kaspersky, at least, claims that Stoyanov is under investigation for things that pre-date his start at Kaspersky, so 2012 or earlier.

This case is not related to Kaspersky Lab. Ruslan Stoyanov is under investigation for a period predating his employment at Kaspersky Lab. We do not possess details of the investigation. The work of Kaspersky Lab’s Computer Incidents Investigation Team is unaffected by these developments.

Moreover, there’s not anyone in the dossier that obviously fits the description of Stoyanov.

That said, there is a tie between Kaspersky and what is assumed to be the DNC hack. On January 8, Shadow Brokers — the entity that dumped a bunch of NSA hacking tools and targets on the web — announced it would sell a bunch of tools targeting Windows. On January 12, it dumped a subset of Windows tools. It claimed, in doing so, it was just dumping the tools identified by Kaspersky. But in fact, not all of them were detected at that point by Kaspersky.

They claim they only dumped the 58 tools that were detected by Kaspersky AV, but the dump contained 61 files.  A little anonymous birdie told me that Kaspersky only detects 43 of these files as of mid-day on the 12th. I don’t like Russian software on my machines so I can’t confirm whether or not that’s true.

At the time, a lot of US security people believed that Kaspersky was part of this plot. But it seemed to me, at the time, that this dump instead targeted Kaspersky for allowing vulnerabilities in Windows they knew about to remain unaddressed by the anti-virus (and perhaps by whatever other services they offered in Russia). The tools are dated, so they definitely could date to the period when Stoyanov was still at FSB.

Mind you, even if this connection explains why Stoyanov was arrested, it doesn’t explain several other things, such as why Russia would arrest Stoyanov before any of these Windows tools were released. Nor does it explain who Shadow Brokers is, and why he’d be targeting Kaspersky.

But it is a known tie between events believed to be related to the DNC hack and Kaspersky.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

On the Joint Analysis Review, AKA the False Tor Node Positives Report

As I noted here, everyone agrees that the Joint Analysis Report released with Obama’s sanctions package is a shitshow (here’s the best explanation of why). But aside from complaining about how the shitshow JAR undermines the Administration’s claims to have confirmed Russia’s role in the DNC hack, no one has tried to explain why the Administration would release such a shitshow report.

Until now. Jonathan Zdziarski argues that the reason the Administration released a shitshow report is because they’re very worried about the extent of Russian infiltration in our infrastructure, and by releasing a bunch of indicators that a probably not Russians but might be, it will get a lot of people (like utility Burlington Electric) looking for things that might be Russia, all while protecting the real intelligence that would expose sources and methods.

One thing that’s been made clear by recent statements by James Clapper and Admiral Rogers is that they don’t know how deep inside American computing infrastructure Russia has been able to get a foothold. Rogers cited his biggest fear as the possibility of Russian interference by injection of false data into existing computer systems. Imagine the financial systems that drive the stock market, criminal databases, driver’s license databases, and other infrastructure being subject to malicious records injection (or deletion) by a nation state. The FBI is clearly scared that Russia has penetrated more systems than we know about, and has put out pages of information to help admins go on the equivalent of a bug bounty.

Everyone knows that when you open a bug bounty, you get a flood of false positives, but somewhere in that mess you also get some true positives; some real data. What the government has done in releasing the JAR is made an effort to expand their intelligence by having admins look for (and report) on activity that looks like / smells like the same kind of activity they found happening with the DNC. It’s well understood this will include false positives; the Vermont power grid was a great example of this. False positives help them, too, because it helps to shore up the indicators they’re using by providing more data points to correlate. So whether they get a thousand false positives, or a few true ones in there, all of the data they receive is helping to firm up their intelligence on Russia, including indicators of where Russia’s interests lie.

Given that we don’t know how strong of a grasp Russia has on our systems, the JAR created a Where’s Waldo puzzle for network admins to follow that highlights some of the looser indicators of compromise (IP addresses, PHP artifacts, and other weak data) that doesn’t establish a link to Russia, but does make perfect sense for a network administrator to use to find evidence of a similar compromise. The indicators that tie Russia to the DNC hack were not included in the JAR and are undoubtedly classified.

There are many good reasons one does not release your evidentiary artifacts to the public. For starters, tradecraft is easy to alter. The quickest way to get Russia to fall off our radars is to tell them exactly how we’re tracking them, or what indicators we’re using for attribution. It’s also a great way to get other nation states to dress up their own tradecraft to mimic Russia to throw off our attributions of their activities. Secondly, it releases information about our [classified] collection and penetration capabilities. As much as Clapper would like to release evidence to the public, the government has to be very selective about what gets released, because it speaks to our capabilities. Both Clapper and Congress acknowledged that we have a “cyber presence” in several countries and that those points of presence are largely clandestine. In other words, we’ve secretly hacked the Russians, and probably many other countries, and releasing the evidence we have on Russia could burn those positions.

I don’t know. I remember that Khalid Sheikh Mohammed had the CIA chasing black Muslim extremists planning to set forest fires in Montana for three months. False positives waste limited resources. Perhaps the intelligence community thinks this is okay because it’s not their resources that will go to waste. But the entire thing seems to have increased the skepticism about the value of the government’s threat reporting, which is all in all a bad thing.

But false positives do have two other purposes. I would hope these two aren’t the reason why the IC released a shitshow report, but it deserves consideration.

First, false positives raise the fear level. Last week’s Vermont false alarm is the perfect example of that: within hours — even on a Friday night — much of the country was worrying about our power grid. And remember, that false alarm was leaked by a Senior Administration Official that chose to leak it to someone who is not an expert in this field.

At that level, this felt like the 2004 leaks about an election year al Qaeda plot that — we now know — were secretly used to reauthorize torture and the dragnet, but which were largely bogus and partly based off torture. I can only imagine the kind of heightened surveillance the IC is putting in place behind all this fearmongering.

But there’s another effect of the false positives that have already been generated by this report: tying a bunch of Tor nodes to Russian spying. Almost immediately after the report came out, Jerry Gamblin found that 21% of the IP addresses were Tor nodes. Micah Lee did more analysis and found that 49% of the IP addresses in the report are or recently have been Tor nodes.

What we don’t know about the Tor nodes, though, is how they came to be included in the report. Did they just happen to be used in a Russian attack; did the Russian hackers just let Tor randomly assign which node they exited from?

Or did the hackers choose — as you can do — which nodes they might use? There are a few reasons to pick a certain node over another. If you’re trying to watch the Beeb’s coverage of the Olympics, for example, you’ve got to pick a node in England.

But a more likely choice, for a smart Russian hacker, is to selectively choose nodes that the hacker believes would not keep logs.

Now consider some of the nodes that have been identified specifically. A Dutch paper made a big stink that the node operated by Rejo Zenger, who works at Europe’s equivalent to EFF, was on the list. Something like 11 of the IP addresses are nodes operated by Calyx Institute, the non-profit ISP operated by Nick Merrill.

Merrill is, as you may remember, the guy who spent a decade challenging a National Security Letter he received back in 2004. A big part of what he exposed is that the FBI was wrongly trying to get data flow with NSLs. In the last year, spooks have made several, thus far unsuccessful, efforts to get legal sanction for what Merrill exposed, the illegal acquisition of Electronic Communication Transaction Records using just an NSL.

Maybe Russian hackers chose to exit through Merrill’s Tor nodes because he doesn’t log traffic. Or maybe the government included him on this list because they know he doesn’t log traffic.

The effect, however, is to (temporarily) burn select Tor nodes, perhaps those that don’t log traffic, making it harder for anyone the government is trying to pursue through Tor to use it (and probably also making it more likely they’ll use one of the many nodes believed to be operated by US intelligence). We know the NSA does a variety of things to force traffic onto switches it has access to; could the JAR just be a very elaborate way of forcing Russian traffic onto Tor nodes the FBI and NSA have access to?

Not to mention tarring the most committed privacy activists with association with Russian hackers.

Maybe that’s not the intended effect of a report designed to generate false positives. But I’m sure the government considers it a happy side effect.

Update: Sounds like just about everyone found these indicators in their logs.

Robert M. Lee, CEO of the Maryland-based industrial security firm Dragos Inc., warned his customers, who span critical infrastructure including water, electric, manufacturing and petro-chemical sites, that the technical information was bad. About one dozen called with concerns.

“Every single company we have as a customer who ran the indicators got alerts, and all the alerts were bad,” Lee said. “These addresses were not only not descriptive of Russian activity, they were not descriptive of malicious activity. They were actually common sites.”

[snip]

One of the businesses that called Williams reported that an address tracked to Microsoft’s telemetry server, which sends data to Microsoft when an application crashes. That conversation with his client spun into an hour-long discussion of “can we trust this report at all?” Williams said. “My short answer on this is no.”

He added: “This has a real cost to business. I suspect for a lot of them there (was) a lot of money spent chasing ghosts.”

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

On the DNC-FBI Spat Over the DNC Server

The Ukrainian Ministry of Defense issued a statement in response to the media coverage following the CrowdStrike claim that malware in an artillery app had a role in massive casualties among Ukraine’s howitzer units. The Google translation (note, it has not yet been translated into English, which itself may say something about intended audience) of it reads,

In connection with the emergence in some media reports which stated that the alleged “80% howitzer D-30 Armed Forces of Ukraine removed through scrapping Russian Ukrainian hackers software gunners,” Land Forces Command of the Armed Forces of Ukraine informs that the said information is incorrect .

According Command Missile Forces and Artillery Land Forces of Ukraine, artillery weapons lost during the time of ATO times smaller than the above and are not associated with the specified cause. Currently, troops Missile Forces and Artillery Army Forces of Ukraine fully combat-ready, staffed and able to fulfill the missions.

Ministry of Defence of Ukraine asks journalists to publish only verified information received from the competent official sources. Spreading false information leads to increased social tension in society and undermines public confidence in the Armed Forces of Ukraine.

Understand what this is: it is in no way a denial that malware infected the artillery app (though it’s also, given that it comes from a country at war with Russia that wants people to stop using this to implicate Russia, not confirmation the malware is Russian). Rather, it is a correction for local journalists to an avowedly pro-Russian source used by Crowdstrike claiming that Ukraine faced 80% losses. And it is a statement that artillery losses from the period in question are due to something else (perhaps the drones that Crowdstrike admitted were involved in the fighting).

Mostly, it’s a complaint that Crowdstrike’s speculative report made Ukraine look bad. As I’ve noted, the report was released before Crowdstrike had spoken to the app developer (and as this statement makes clear, to Ukraine’s MOD), to explain why its previously “medium” confidence that GRU had hacked the DNC was now “high.”

I raise all that as background to the spat Buzzfeed’s Ali Watkins reported on yesterday between the DNC and FBI. In the morning, she reported the DNC claim that the FBI had inexplicably never, itself, accessed the DNC servers.

Six months after the FBI first said it was investigating the hack of the Democratic National Committee’s computer network, the bureau has still not requested access to the hacked servers, a DNC spokesman said. No US government entity has run an independent forensic analysis on the system, one US intelligence official told BuzzFeed News.

“The DNC had several meetings with representatives of the FBI’s Cyber Division and its Washington (DC) Field Office, the Department of Justice’s National Security Division, and U.S. Attorney’s Offices, and it responded to a variety of requests for cooperation, but the FBI never requested access to the DNC’s computer servers,” Eric Walker, the DNC’s deputy communications director, told BuzzFeed News in an email.

Over the course of the day, many people explained that that’s fairly normal. Crowdstrike would have imaged the server, which would provide FBI what it needed.

But the snipe to Watkins was not the first time DNC has presented their case in a light that makes FBI look as bad as possible — they did that with the NYT, too. And so it was inevitable that the FBI would eventually push back, as they did later in the day with Watkins.

“The FBI repeatedly stressed to DNC officials the necessity of obtaining direct access to servers and data, only to be rebuffed until well after the initial compromise had been mitigated. This left the FBI no choice but to rely upon a third party for information,” a senior law enforcement official told BuzzFeed News in a statement. “These actions caused significant delays and inhibited the FBI from addressing the intrusion earlier.”

Which promptly led the same DNC that originally leaked a claim making the FBI look bad to bitch about “haters.”

A DNC source familiar with the investigation tried to downplay that report on Thursday, hours before the FBI statement was issued. The fact that the FBI didn’t have direct access to the servers was not “significant,” the source said.

“I just don’t think that that’s really material or an important thing,” the source continued. “They had what they needed. There are always haters out here.”

In general, I think people are right that you can learn what you need to about a typical breach from an imaged server and the server logs. Indeed, the FBI rebuttal here doesn’t even address whether they needed to get the server. Rather, they just said that there was a delay in their access to the data, not that they didn’t eventually get the data they needed.

And it’s true that there was a delay.

FBI gave the DNC the information they needed to start responding to the FSB hack in September 2015, but the FBI wasn’t brought in formally until maybe June 2016. That doesn’t necessarily excuse that they didn’t escalate sooner (the FBI may have had other reasons not to and I expect we may one day learn that the FBI contacted people beyond just the contractor IT guy), but it does mean that the FBI repeatedly tried to help and the DNC did not accept that help until months later.

Underlying all this is surely the distrust that stems from a political party believing the FBI was conducting a witch hunt of its principal (they’d be proven right a month after the breach became public), though the FBI agents investigating the DNC hack were surely different than the ones investigating Hillary’s server. There may have even been other reasons the DNC didn’t want the FBI nosing around their servers.

Still, we now know they did not ever access DNC’s servers themselves.

And I think in this case they should have, for two reasons.

The Hill story covering this bickering includes this quote from a former FBI agent describing one reason why.

“In nine out of 10 cases, we don’t need access, we don’t ask for access, we don’t get access. That’s the normal [procedure],” Leo Taddeo, a former special agent in charge of the cyber division of the FBI’s New York office, told The Hill.

“It’s extraordinarily rare for the FBI to get access to the victim’s infrastructure because we could mess it up,” he added. “We usually ask for the logs and images, and 99 out of a hundred times, that’s sufficient.”

Asking for direct access to a server wouldn’t be necessary, Taddeo said, “unless there was a reason to think the victim was going to alter the evidence in some way.”

You don’t need access to the server itself unless you’ve got reason to believe the victim altered the evidence. From the very first, you had an entity, Guccifer 2.0, challenging the attribution Crowdstrike made on the server. Abundant analysis has proven that Guccifer is a liar, but Chinese and Iranians and Americans lie just as often as Russians do.

Plus, months after the hack, people started claiming that the source for the files that got to Wikileaks came from an insider. Which, if true (I don’t think it is, but nevertheless it is a competing theory, one that given the animosity within the Democratic party last year is not impossible), would mean that the victim might have altered the evidence.

There’s another reason why the FBI should have double checked the forensics, if they hadn’t already: because (we learned six months after the fact) Crowdstrike only ever had medium confidence that GRU had hacked the DNC based on the forensics they examined.

While CrowdStrike, which was hired by the DNC to investigate the intrusions and whose findings are described in a new report, had always suspected that one of the two hacker groups that struck the DNC was the GRU, Russia’s military intelligence agency, it had only medium confidence.

Now, said CrowdStrike co-founder Dmitri Alperovitch, “we have high confidence” it was a unit of the GRU. CrowdStrike had dubbed that unit “Fancy Bear.”

And Crowdstrike only came to have high confidence in that attribution by writing a paper that multiple Ukrainian sources (not exactly Russian shills) have now pushed back on. That is, nothing in the original forensics changed, as far as we know; external evidence, of whatever quality, led to a change in confidence.

Which means the forensics itself is not a slam dunk.

I’m beginning to see a hole in all the other security firms’ validation of Crowdstrike’s original attribution, which I hope to return to (though not before next week). In any case, it’d be useful for FBI to have really vetted this work, given that we’ve turned this into an international incident.

So, yeah, the FBI never obtained the DNC server full of political information the government really shouldn’t possess, particularly not an agency perceived to be really hostile to that political party.

But maybe, in this case, they should have.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

Did NSA Just Reveal Its China BIOS Story Was Made Up?

Secrecy News just released an NSA notice to Congress of authorized disclosure of classified information. The notice was dated December 13, just two days before 60 Minutes had a solicitous piece on the NSA.

Here’s the classified information the NSA says they gave what must be 60 Minutes.

The reference to assisting in locating hostages probably map to the metadata analysis of pirates done onscreen (albeit with altered phone numbers).

But what’s not there in unredacted form — at least beyond the vague description of “USG efforts to mitigate cyber threats” was the China kaboom story told on the show.

John Miller: Could a foreign country tomorrow topple our financial system?

Gen. Keith Alexander: I believe that a foreign nation could impact and destroy major portions of our financial system, yes.

John Miller: How much of it could we stop?

Gen. Keith Alexander: Well, right now it would be difficult to stop it because our ability to see it is limited.

One they did see coming was called the BIOS Plot. It could have been catastrophic for the United States. While the NSA would not name the country behind it, cyber security experts briefed on the operation told us it was China. Debora Plunkett directs cyber defense for the NSA and for the first time, discusses the agency’s role in discovering the plot.

Debora Plunkett: One of our analysts actually saw that the nation state had the intention to develop and to deliver, to actually use this capability– to destroy computers.

John Miller: To destroy computers.

Debora Plunkett: To destroy computers. So the BIOS is a basic input, output system. It’s, like, the foundational component firmware of a computer. You start your computer up. The BIOS kicks in. It activates hardware. It activates the operating system. It turns on the computer.

This is the BIOS system which starts most computers. The attack would have been disguised as a request for a software update. If the user agreed, the virus would’ve infected the computer.

John Miller: So, this basically would have gone into the system that starts up the computer, runs the systems, tells it what to do.

Debora Plunkett: That’s right.

John Miller: –and basically turned it into a cinderblock.

Debora Plunkett: A brick.

John Miller: And after that, there wouldn’t be much you could do with that computer.

Debora Plunkett: That’s right. Think about the impact of that across the entire globe. It could literally take down the U.S. economy.

John Miller: I don’t mean to be flip about this. But it has a kind of a little Dr. Evil quality– to it that, “I’m going to develop a program that can destroy every computer in the world.” It sounds almost unbelievable.

Debora Plunkett: Don’t be fooled. There are absolutely nation states who have the capability and the intentions to do just that.

John Miller: And based on what you learned here at NSA. Would it have worked?

Debora Plunkett: We believe it would have. Yes.

As I noted at the time, the story — the claim that a country of 1.3 billion people who have become very interdependent with the United States would want to destroy the US economy — was a bit absurd.

I’ll need to go back and review this, but the jist of the scary claim at the heart of the report is that the NSA caught China planning a BIOS plot to shut down the global economy.

To.

Shut.

Down.

The.

Global.

Economy.

Of course, if that happened, it’d mean a goodly percentage of China’s 1.3 billion people would go hungry, which would lead to unbelievable chaos in China, which would mean the collapse of the state in China, the one thing the Chinese elite want to prevent more than anything.

But the NSA wants us to believe that this was actually going to happen.

That China was effectively going to set off a global suicide bomb. Strap on the economy in a cyber-suicide vest and … KABOOOOOOOM!

And the NSA heroically thwarted that attack.

That’s what they want us to believe and some people who call themselves reporters are reporting as fact.

Anyway, like I said, no unredacted mention that this was among the classified information shared with CBS. Even accounting for the fact that NSA didn’t identify the country in question to CBS, even the description of the plot would seem to be classified.

If it were true.

But it doesn’t appear on the list of classified things revealed to CBS.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

Russia Hacked the DNC. But What, Specifically, Did GRU Do?

I’m working on a series of posts to point out existing holes in the claim that Russia hacked the DNC. None of them mean I am yet convinced it is someone besides Russia. But there are holes in the story that no one wants to acknowledge. And those who want to argue the case is solid would do well to at least answer them. In this one, I want to point to a curious piece of evidence in a necessary part of the evidence: how GRU is alleged to have hacked the DNC.

You need to separate attribution of FSB’s hack of the DNC from GRU’s hack of the DNC

One thing a lot of people don’t realize about the Russian hack attribution is there’s some slippage in the argument.

There are two groups in question: APT 29, which has been publicly associated with FSB, and APT 28, which has been publicly associated with GRU. As I laid out here, those two groups must be kept separate, because the story is that these two groups did different things: FSB hung around DNC’s servers for months and stole a lot of information, but never leaked it. That’s the kind of stuff intelligence services do all the time, including our own. Our government has no reason to make a case against that — which is unwanted but nevertheless normal espionage — because they do it too, such as when, in 2012, they stole communications between then Mexican presidential candidate Enrique Peña Nieto and his closest allies.

GRU, by contrast, was believed to have been in DNC’s servers briefly — and John Podesta’s Gmail account even more briefly — but to have, in that time, stolen the documents that ultimately made their way to Wikileaks. That’s the action that was deemed newly beyond the pale (even if the US has probably had documents leaked to Wikileaks itself).

In a sense, then, only the APT 28 attribution matters, because that’s the entity that is believed to have been involved in hacking and leaking; that’s the entity believed to have done things that might have affected the outcome of the election.

But people have long either intentionally or unknowingly conflated the two, claiming that “Russia” hacked the DNC. If FSB hacked the DNC, the claim is true, but that doesn’t prove that Russia is behind the tampering in the election, because unless you prove that GRU is APT 28, then the stuff you’re bugged about hasn’t been properly attributed.

I’ve come to distrust the claims of anyone who has paid close attention to this that doesn’t assiduously maintain the distinction between the APT 29 and APT 28 hacks.

The Administration’s creation of Grizzly Steppe conflates APT 29 and APT 28 more than ever before

So, reports on this hack should scrupulously avoid conflating the APT 29 hack and the APT 28 hack. But Obama’s response last month did the opposite. Whereas every infosec outfit treats APT 28 (which CrowdStrike calls Fancy Bear) and APT 29 (which CrowdStrike calls Cozy Bear) as distinct entities (regardless of how confident they are that one or the other are Russian intelligence), and even though within the reports the Administration retained this distinction, the materials released by the Obama Administration invented an entirely new entity: Grizzly Steppe.

Get it? This entity is not a soft and cuddly Cozy Bear or an entirely distinct suave Fancy Bear anymore. Put the two together and you get a Grizzly Bear!

RAWRRRRRRR!

Aside from just the fact that the Administration did this (which would permit them to say, correctly, that Russia hacked the DNC even if they were less certain about GRU, though I don’t think they are), there are two other interesting aspects of this conflation in their package of sanctions.

First, as I noted here, the Administration sanctioned FSB as well GRU. That’s weird because our intelligence community believes what FSB did is solidly within the norms of intelligence gathering. It’s possible the IC has some evidence that FSB did something to facilitate this operation that is not yet public. But the only explanation the sanctioning document offers is that, “The Federal Security Service (a.k.a. Federalnaya Sluzhba Bezopasnosti) (a.k.a FSB) assisted the GRU in conducting the activities described above.”

The other notable thing about the Obama package is the differential language the Joint Analysis Report uses to describe the APT 29 and APT 28 hacks, which I pointed out here.

In summer 2015, an APT29 spearphishing campaign directed emails containing a malicious link to over 1,000 recipients, including multiple U.S. Government victims. APT29 used legitimate domains, to include domains associated with U.S. organizations and educational institutions, to host malware and send spearphishing emails. In the course of that campaign, APT29 successfully compromised a U.S. political party. At least one targeted individual activated links to malware hosted on operational infrastructure of opened attachments containing malware. APT29 delivered malware to the political party’s systems, established persistence, escalated privileges, enumerated active directory accounts, and exfiltrated email from several accounts through encrypted connections back through operational infrastructure.

In spring 2016, APT28 compromised the same political party, again via targeted spearphishing. This time, the spearphishing email tricked recipients into changing their passwords through a fake webmail domain hosted on APT28 operational infrastructure. Using the harvested credentials, APT28 was able to gain access and steal content, likely leading to the exfiltration of information from multiple senior party members. The U.S. Government assesses that information was leaked to the press and publicly disclosed.

I admit I may be over-reading these differences. But there is a difference in the certitude with which this report speaks of the APT 29 hack and the APT 28 hack. Regarding the former, the report describes how APT 29 stole the documents: it “exfiltrated email from several accounts through encrypted connections back through operational infrastructure.” And whereas the report affirmatively says APT 28 “was able to gain access and steal content,” it seems far less sure about how much data it stole, saying the hack “likely [led] to the exfiltration of information from multiple senior party members.” Maybe that means it’s likely APT 28 stole documents from more than one person; maybe that means it is likely they exfiltrated documents period. But remember, matching precisely what documents GRU stole to those Wikileaks released was one of the things the FBI was still working on a month and a half after the DNC hack.

The bureau is trying to determine whether the emails obtained by the Russians are the same ones that appeared on the website of the anti-secrecy group WikiLeaks on Friday, setting off a firestorm that roiled the party in the lead-up to the convention.

The FBI is also examining whether APT 28 or an affiliated group passed those emails to WikiLeaks, law enforcement sources said.

That’s just one of several piece of evidence that suggests they don’t have (or at least didn’t have) as clear forensics on.

One more note about the JAR report: It makes no mention of Podesta. Again, we should not draw any conclusions for that, as they may have just chosen to focus on the DNC (which people often forget is a distinct entity from Hillary’s campaign). But, as I hope to show in a follow-up post, the IC may have either less information — or perhaps even some sheepishness — about the Podesta leak, which is remarkable because that’s the actual hack for which there is the best evidence tying it to APT 28.

The Administration materials endorse some, but not all, of what infosec companies have published

Which brings me to a point I’ve made before but deserves more focus. In the introduction to the JAR, the Administration has this to say about the great work infosec companies have done about this hack.

A great deal of analysis and forensic information related to Russian government activity has been published by a wide range of security companies. The U.S. Government can confirm that the Russian government, including Russia’s civilian and military intelligence services, conducted many of the activities generally described by a number of these security companies.

It confirms that Russia’s intelligence services have indeed done “many of the activities” described by “a number of these security companies.” That’s not a confirmation that Russia’s spooks have done all the things alleged by all the security companies. Indeed, it seems to suggest that the infosec reports are wrong on some (perhaps very minor) points. We just don’t know which ones those are.

What were FSB and GRU doing hacking the same target anyway?

Which brings me to an important side discussion, one for which everyone has an answer but about which there is no agreement.

While FSB and GRU have been portrayed as adversarial intelligence agencies (perhaps in the way that FBI and CIA don’t always get along, sometimes to spectacular effect), it’s not actually normal for them to be hacking the same target. The original CrowdStrike report on the hack noted that the two groups of hackers appeared not to be coordinating as they rooted around DNC’s servers.

At DNC, COZY BEAR intrusion has been identified going back to summer of 2015, while FANCY BEAR separately breached the network in April 2016. We have identified no collaboration between the two actors, or even an awareness of one by the other. Instead, we observed the two Russian espionage groups compromise the same systems and engage separately in the theft of identical credentials. While you would virtually never see Western intelligence agencies going after the same target without de-confliction for fear of compromising each other’s operations, in Russia this is not an uncommon scenario. “Putin’s Hydra: Inside Russia’s Intelligence Services”, a recent paper from European Council on Foreign Relations, does an excellent job outlining the highly adversarial relationship between Russia’s main intelligence services – Федеральная Служба Безопасности (FSB), the primary domestic intelligence agency but one with also significant external collection and ‘active measures’ remit, Служба Внешней Разведки (SVR), the primary foreign intelligence agency, and the aforementioned GRU. Not only do they have overlapping areas of responsibility, but also rarely share intelligence and even occasionally steal sources from each other and compromise operations. Thus, it is not surprising to see them engage in intrusions against the same victim, even when it may be a waste of resources and lead to the discovery and potential compromise of mutual operations.

It explains this away by the competition between the agencies. Still: note that according to CrowdStrike, there were two groups of Russians sniffing through the DNC servers that appeared unaware of each other’s presence.

A competing infosec company, Fire Eye, has come up with a completely different explanation for the presence of FSB and GRU in the same servers. It deems that proof of superior coordination.

According to data provided for this article by the private cybersecurity company, FireEye, two separate but coordinated teams under the Kremlin are running the campaign. APT 28, also known as “FancyBear,” has been tied to Russia’s foreign military intelligence agency, the Main Intelligence Agency or GRU. APT 29, aka “CozyBear,” has been tied to the Federal Security Service or FSB. Both have been actively targeting the United States. According to FireEye, they have only appeared in the same systems once, which suggests a high level of coordination — a departure from what we have seen and come to expect from Russian intelligence.

Frankly, I’m agnostic about what the answer to this question might be, and find either one plausible. Or, it’s possible we should pay more attention to how unusual it is to have FSB and GRU digging in the same holes and think about whether it might, instead, tell us something else about who did this hack. But it is a datapoint that any theory of the hack should at least acknowledge and try to explain. Most don’t.

Why is GRU using open source tools?

All of which is my long-winded explanation for why I went back and re-read specifically what CrowdStrike said about APT 28 (at a time, we now know but didn’t then, CrowdStrike only had “medium” confidence that the APT 28 hackers of DNC were GRU). It made me realize why the stakes on the APT 28 tool X-Agent — which is not the only tool associated with APT 28 — are so high.

FANCY BEAR adversary used different tradecraft, deploying X-Agent malware with capabilities to do remote command execution, file transmission and keylogging. It was executed via rundll32 commands such as:

rundll32.exe “C:\Windows\twain_64.dll”

In addition, FANCY BEAR’s X-Tunnel network tunneling tool, which facilitates connections to NAT-ed environments, was used to also execute remote commands. Both tools were deployed via RemCOM, an open-source replacement for PsExec available from GitHub. They also engaged in a number of anti-forensic analysis measures, such as periodic event log clearing (via wevtutil cl System and wevtutil cl Security commands) and resetting timestamps of files.

So after a longer section describing APT 29’s tools (which we now know, but which was not known then, were the less important part of the hack), Crowdstrike describes APT 28’s use of X-Agent and X-Tunnel (the latter of which I may come back to), but then also explains that these hackers deployed the APT 28 tools via an open source tool available on GitHub.

I’m no tech wizard, but this detail seems to beg some explanation, as it is awfully curious to have GRU resorting to an outdated open source tool to hack an American political party.

None of this is definitive. None of it changes my inclination that Russia probably is behind the APT 28 hack of the DNC (and, even more convincingly, behind the hack of John Podesta). But these are some details that deserve more attention amid the claims that all the case against GRU (as distinct from Russia) is rock solid.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

On CrowdStrike’s Curiously Timed Report Claiming Newfound “High” Confidence in Its GRU Attribution

Back on December 22, the security firm CrowdStrike released a report claiming that a tool used in the DNC hack had also been used — rewritten for Android — in malware that appeared in an application used by Ukrainian artillery units. The report itself purported to show that a hacking tool used in the DNC hack had also been used to kill Ukrainians fighting Russian separatists.

This implant represents further advancements in FANCY BEAR’s development of mobile malware for targeted intrusions and extends Russian cyber capabilities to the front lines of the battlefield.

But the release of the report — released just a few weeks after President Obama called for a review of the intelligence relating to the DNC hack — was pitched to the press as the piece of evidence that CrowdStrike’s confidence that Russia’s GRU had hacked the DNC was now solid.

While CrowdStrike, which was hired by the DNC to investigate the intrusions and whose findings are described in a new report, had always suspected that one of the two hacker groups that struck the DNC was the GRU, Russia’s military intelligence agency, it had only medium confidence.

Now, said CrowdStrike co-founder Dmitri Alperovitch, “we have high confidence” it was a unit of the GRU. CrowdStrike had dubbed that unit “Fancy Bear.”

The logic for that claim went this way:

  • Two entities hacked the DNC, the first using tools associated with APT 29 (which Crowdstrike believes is FSB), the second using one tool (X-Agent) associated with APT 28 (which Crowdstrike believes is GRU). As I’ve explained, only the GRU attribution matters, because they’re the ones associated with leaking the DNC documents to Wikileaks.
  • Crowdstrike found X-Agent, rewritten for the Android platform, infecting an application used by the Ukrainian military, which is an obvious application for Russia’s military intelligence GRU unit.
  • Since X-Agent was found being used in an operation with obvious Russian military application, which therefore must be GRU, then GRU must be the entity that also hacked the DNC, because it used a common tool.

CrowdStrike’s founder, Dmitri Alperovitch, told PBS that this amounted to DNA tying Russia to both the DNC hack and the Ukrainian artillery app.

Essentially the DNA of this malicious code that matches to the DNA that we saw at the DNC.

Yesterday, the chief infosec skeptic of the claims that Russian hacked the DNC, Jeffrey Carr, did a post criticizing the CrowdStrike report. He makes several points:

  • Two other entities (including an anti-Russian Ukrainian hacker) have gotten access to X-Agent — the tool in question — meaning that any use of it by GRU in one application cannot be said to be proof its use in another application means it was GRU.
  • The hacking of the artillery app probably couldn’t have had the complete functionality or the effect (devastating Ukrainian artillery units) CrowdStrike says it had.

The second point is interesting. I’d add that the timeline CrowdStrike develops to explain how Russian malware would end up in a Ukrainian artillery app by December 2014, in time to play a part in devastating losses, has some problems, notably that it assumes GRU was developing a tailored app to target Ukrainian soldiers more than six months before Viktor Yanukovich’s ouster, at a time when a Russian-Ukrainian war was unforeseen. Why would Russia start developing an app to kill Ukrainian soldiers at a time when they were still led by someone who was a Russian client? That development timetable appears to be dictated by the necessity of arguing that huge artillery losses that took place in July and August 2014 were due in part to this malware.

None of that is fatal to CrowdStrike’s argument that the malware infecting the Ukrainian artillery app was put there by Russia. I actually think that quite likely, though think CrowdStrike’s various explanations for it are unpersuasive.

But it does highlight how speculative the December 22 report was, creating explanations that had to be true because the conclusion — that the same malware used against the DNC had been used to kill Ukrainian soldiers — was presumed. Frankly, the report doesn’t hide that. Here’s just some of the uncertain language it uses:

Successful deployment of the FANCY BEAR malware within this application may have facilitated reconnaissance

The collection of such tactical artillery force positioning intelligence by FANCY BEAR further supports CrowdStrike’s previous assessments that FANCY BEAR is likely affiliated with the Russian military intelligence (GRU)

Therefore, the implant likely targeted military artillery units operating against pro-Russian separatists in Eastern Ukraine.

The promotion of the program was likely limited to social media,

At the time of this writing, it is unclear to what degree and for how long this specific application was utilized by the entirety of the Ukrainian Artillery Forces.

CrowdStrike Intelligence assesses that the application likely came to the attention of Russia-based adversaries around this time frame as a result of ongoing Russian reconnaissance

Because the Android malware could facilitate gross position information, its successful deployment could have facilitated anticipatory awareness of Ukrainian artillery force troop movement,

Although traditional overhead intelligence surveillance and reconnaissance (ISR) assets were likely still needed to finalize tactical movements, the ability of this application to retrieve communications and gross locational data from infected devices, could provide insight for further planning, coordination, and tasking of ISR, artillery assets, and fighting forces. [my emphasis]

While Carr’s piece is not fatal to the argument that the X-Agent in the Ukrainian artillery app came from GRU, it does highlight how one person, in less than two weeks, could have found answers to some of things that CrowdStrike still hadn’t even tried to answer (say, by interviewing the application developer) at least six months after they started looking into this malware.

More importantly, the first point Carr makes — that others have access to X-Agent — is very important. He notes that the anti-Russian hacker Sean Townsend not only knows that it could be used by others, but that it has been.

In fact, Sean Townsend believes that the Russian security services DO use it but he also knows that they aren’t the only ones.

That doesn’t mean that GRU wasn’t the entity using X-Agent in the DNC server last year. It just means it is not, as CrowdStrike has always claimed, definitive proof that it had to be. If multiple people have access to X-Agent, the Ukrainian app, with its clear Russian military function, may be Russia while the DNC hack may be someone else.

I’ll come back to that point later, but for the moment I want to look at how CrowdStrike came to release a speculative report tying the malware in the DNC servers to dead Ukrainians on December 22, less than two weeks after Obama called for a review of the intelligence on the hack.

I asked Alperovitch some questions about the genesis of the report on Twitter.

Alperovitch revealed that no one had paid for this report: CrowdStrike was apparently doing this work for free (!!). They found the X-Agent malware in the artillery app because they had set out to look for X-Agent implants. But when I asked about timing and/or where they found it, he got less responsive. Indeed, the timing of these discoveries is something the report itself is sort of funny about.

In late June and August 2016, CrowdStrike Intelligence provided initial reporting and technical analysis of a variant of the FANCY BEAR implant X-Agent that targeted the Android mobile platform2.

2-For more information, contact CrowdStrike

Barring more clarification on whether they started looking for X-Agents before or after they very publicly accused GRU of hacking the DNC in June, what appears to have happened is this: CrowdStrike found the X-Agent in the DNC servers, accused GRU of doing the hack, and then set out — on their own dime — to find more instances of X-Agent deployment. They did not, however, do basic research (like calling the developer of the Android app, Jaroslav Sherstuk) to confirm their speculative conclusions about it, not over six months time.

Having not done that research, however, they released a report claiming they now had high confidence in their earlier attribution at precisely the time when it would affect the debate about whether GRU really did this hack or not.

Again, none of this means CrowdStrike was wrong about GRU hacking the DNC last spring. Just that this report — the timing of which is as interesting as the speculative claims — should not be regarded as providing the high confidence it claims.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

The Russians Are Coming! The Russians Are — Oops! No Russians!

In my piece on Sunday on the package of sanctions the government released last week, I noted the likelihood the Joint Analysis Report would result in false positives.

But several of the reports also include some version of this conclusion from Lee: “the indicators are not very descriptive and will have a high rate of false positives for defenders that use them.”

That is, we may see more of what we saw Friday, when a Vermont utility did as instructed with the report — searched for the indicators included in the report — reported a positive hit, only to have anonymous sources immediately blow it up to mean Russia had hacked our grid. That find might turn out to be a Russian probe, or it might not; there’s little doubt that Russia can hack our electrical system. But what it did do is feed a panic.

Sure enough, that’s what Friday’s alarmist WaPo story turned out to be. Another WaPo story last night revealed that there’s no evidence Russian government hackers were in Burlington Electric — indeed, it sounds like what the utility might have found was one of the many Tor or other innocuous IP addresses included in the report.

As federal officials investigate suspicious Internet activity found last week on a Vermont utility computer, they are finding evidence that the incident is not linked to any Russian government effort to target or hack the utility, according to experts and officials close to the investigation.

An employee at Burlington Electric Department was checking his Yahoo email account Friday and triggered an alert indicating that his computer had connected to a suspicious IP address associated by authorities with the Russian hacking operation that infiltrated the Democratic Party. Officials told the company that traffic with this particular address is found elsewhere in the country and is not unique to Burlington Electric, suggesting the company wasn’t being targeted by the Russians. Indeed, officials say it is possible that the traffic is benign, since this particular IP address is not always connected to malicious activity.

As it happens, after the government took custody of they laptop, they found other malware, not associated with Russians, on the laptop, but which wasn’t found as a result of last week’s report and scan.

In the course of their investigation, though, they have found on the device a package of software tools commonly used by online criminals to deliver malware. The package, known as Neutrino, does not appear to be connected with Grizzly Steppe, which U.S. officials have identified as the Russian hacking operation. The FBI, which declined to comment, is continuing to investigate how the malware got onto the laptop.

But ultimately, Friday night’s scare, with comments from half of Vermont’s public officials, was about an IP address that has no definitive tie to the Russians.

And that wasn’t the only false positive arising from this report. A Dutch paper did a story accusing a key Dutch privacy person (Bits of Freedom is sort of like EFF) of running a Tor node used by the Russians, as if Tor node operators sign off on the traffic that transits their nodes.

Remember: one of the primary claimed goals of Russia’s hacking is to make Americans lose trust in our government. Because of the way this report and subsequent reporting was rolled out (and leaked to a White House beat reporter), both security professionals and the general public will lose confidence not just in the government’s ability to respond to hacks, but also in the government’s report claiming the Russians were behind the hack. Not to mention, the alarmist report has led the paper that pushed the PropOrNot bullshit to make this kind of claim, blaming sources but not their own reporting.

Authorities also were leaking information about the utility without having all the facts and before law enforcement officials were able to investigate further.

Remember: WaPo first published the story before getting any comment from Burlington Electric.

The government appears to be doing Vlad Putin’s work for him, damaging its own credibility in its efforts to combat his efforts to damage its credibility.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

Your Weekly Alarming Anonymous Friday Night WaPo Dump: Vermont Electrical Grid Edition

It seems like every Friday this month, there has been an alarming Friday night news dump in the WaPo based off anonymous leaks. This time, it’s a story claiming that,

Russian hackers penetrated U.S. electricity grid through a utility in Vermont

The anonymous officials behind this story have just squandered the efforts of a slew of infosecurity professionals trying to get non-experts to take the attribution of the DNC hack seriously.

The story, which features WaPo White House bureau chief Julie Eilperin first on the byline (followed by the usually strong Adam Entous) but does not include WaPo’s cybersecurity reporter Ellen Nakashima at all, claims that “a code” associated with the family of signatures associated with several Russian hacking groups that Obama dubbed Grizzly Steppe for the purposes of yesterday’s CERT report was found “within the system of a Vermont utility.” The language of the report — what do they mean by “code”??? — exhibited no certitude about what the report actually meant.

The original version of the story included no comment from Burlington Electric Department, though added one after the Burlington Free Press revealed that the “code” was not actually in the grid at all, but in a laptop unattached to it. As the Free Press explained, there’s really no reason to worry this would affect the grid.

The utility found the malware Friday on a laptop after the Obama administration released code associated with the campaign, dubbed Grizzly Steppe, on Thursday.

The aim of the release was to allow utilities, companies and organizations to search their computers for the digital signatures of the attack code, to see if they had been targeted.

The computer on which the malware was found was not connected to the operation of the grid, Vermont Public Service Commissioner Christopher Recchia said.

Based on his knowledge, Recchia said Friday night he did not believe the electrical power grid was at risk from the incident. “The grid is not in danger,” Recchia said. “The utility flagged it, saw it, notified appropriate parties and isolated that one laptop with that malware on it.”

So here’s what appears to have happened.

Yesterday, along with all the sanction-related information, DHS released a US-CERT report attempting to draw together all the signatures from the two Russian related hacking groups accused of hacking the DNC. Numerous security experts have criticized it, noting that it reads like “a poorly done vendor intelligence report stringing together various aspects of attribution without evidence” and finding that “21% (191 of 876) of [IP addresses included in the report] were TOR exit nodes,” meaning there are a lot of worse-than-useless details in the report.

That in and of itself was a problem. But then potential Russian targets, including utilities, started scanning their system for the malware included in the report and one of two Vermont utilities found one malware signature on a laptop and alerted the government. The other one is spending its Friday night insisting it was unaffected.

At which point multiple “US officials” (which can include Congressional staffers) and one Senior Administration Official (who, given Eilperin’s involvement, is likely at the White House) ran to the press and insinuated that Russia had hacked our grid, even while admitting they don’t really know what the fuck this is.

American officials, including one senior administration official, said they are not yet sure what the intentions of the Russians might have been. The incursion may have been designed to disrupt the utility’s operations or as a test to see whether they could penetrate a portion of the grid.

Officials said that it is unclear when the code entered the Vermont utility’s computers, and that an investigation will attempt to determine the timing and nature of the intrusion, as well as whether other utilities were similarly targeted.

“The question remains: Are they in other systems and what was the intent?” a U.S. official said.

Of course, by the time this report was amended to make it clear the malware was not in the grid at all, the story itself had gotten picked up by other outlets, even in spite of the many many many security professionals mocking the report as soon as it came out.

So now a slew of people are convinced that Russia has hacked (a word that has lost all meaning in the last month) our electrical grid — I’ve even seen some people assuming this occurred this week! — even though no actual analysis of what is going on has happened yet.

Here’s the thing. Some of these security professionals are the same ones who’ve been saying for months that the DNC hack can be reliably attributed to the Russian state. I mostly agree (though I’ve got some lingering doubts). And while those of us who follow this closely can distinguish the two different kind of analyses, the general public will not. And — having been alarmed off a premature report here that was not sufficiently researched before publicized — they will be utterly justified in believing the government is making baseless claims to generate fear among the public.

As I said, I mostly agree with reports attributing the DNC hack to the Russians. But seeing inflammatory shit like this peddled anonymously to the press makes me far more inclined to believe the government is blowing smoke.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.