Can Facts Slow The DNC Breach Runaway Train?

“No, no! The adventures first, explanations take such a dreadful time.” 
(Lewis Carroll)

Yesterday, Professor Thomas Rid (King’s College London) published his narrative of the DNC breach and strongly condemned the lack of action by the U.S. government against Russia.

Susan Hennessey, a Harvard-educated lawyer who used to work at the Office of the General Counsel at NSA, called the evidence “about as close to a smoking gun as can be expected where a sophisticated nation state is involved.”

Then late Monday evening, the New York Times reported that American intelligence agencies have “high confidence” that the Russian government was behind the DNC breach.

It’s hard to beat a good narrative “when explanations take such a dreadful time” as Lewis Carroll pointed out. And the odds are that nothing that I write will change the momentum that’s rapidly building against the Russian government.

Still, my goal for this article is to address some of the factual errors in Thomas Rid’s Vice piece, provide some new information about the capabilities of independent Russian hackers, and explain why the chaos at GRU makes it such an unlikely home for an APT group.

Fact-Checking The Evidence

Thomas Rid wrote:

One of the strongest pieces of evidence linking GRU to the DNC hack is the equivalent of identical fingerprints found in two burglarized buildings: a reused command-and-control address — 176.31.112[.]10 — that was hard coded in a piece of malware found both in the German parliament as well as on the DNC’s servers. Russian military intelligence was identified by the German domestic security agency BfV as the actor responsible for the Bundestag breach. The infrastructure behind the fake MIS Department domain was also linked to the Berlin intrusion through at least one other element, a shared SSL certificate.

This paragraph sounds quite damning if you take it at face value, but if you invest a little time into checking the source material, its carefully constructed narrative falls apart.

Problem #1: The IP address 176.31.112[.]10 used in the Bundestag breach as a Command and Control server has never been connected to the Russian intelligence services. In fact, Claudio Guarnieri, a highly regarded security researcher, whose technical analysis was referenced by Rid, stated that “no evidence allows to tie the attacks to governments of any particular country.”

Problem #2: The Command & Control server (176.31.112.10) was using an outdated version of OpenSSL vulnerable to Heartbleed attacks. Heartbleed allows attackers to exfiltrate data including private keys, usernames, passwords and other sensitive information.

The existence of a known security vulnerability that’s trivial to exploit opens the door to the possibility that the systems in question were used by one rogue group, and then infiltrated by a second rogue group, making the attribution process even more complicated. At the very least, the C2 server should be considered a compromised indicator.

Problem #3: The BfV published a newsletter in January 2016 which assumes that the GRU and FSB are responsible because of technical indicators, not because of any classified finding; to wit: “Many of these attack campaigns have each other on technical similarities, such as malicious software families, and infrastructure — these are important indicators of the same authorship. It is assumed that both the Russian domestic intelligence service FSB and the military foreign intelligence service GRU run cyber operations.”

Professor Rid’s argument depended heavily on conveying hard attribution by the BfV even though the President of the BfV didn’t disguise the fact that their attribution was based on an assumption and not hard evidence.

Personally, I don’t want to have my government create more tension in Russian-U.S. relations because the head of Germany’s BfV made an assumption.

In intelligence, as in other callings, estimating is what you do when you do not know. (Sherman Kent)

When it came to attributing Fancy Bear to the GRU, Dmitri Alperovitch used a type of estimative language because there was no hard proof: “Extensive targeting of defense ministries and other military victims has been observed, the profile of which closely mirrors the strategic interests of the Russian government, and may indicate affiliation with Главное Разведывательное Управление (Main Intelligence Department) or GRU, Russia’s premier military intelligence service.”

For Cozy Bear’s attribution to the FSB, Dmitri simply observed that there were two threat actor groups operating at the same time while unaware of each other’s presence. He noted that the Russian intelligence services also compete with each other, therefore Cozy Bear is probably either the FSB or the SVR: “we observed the two Russian espionage groups compromise the same systems and engage separately in the theft of identical credentials. While you would virtually never see Western intelligence agencies going after the same target without de-confliction for fear of compromising each other’s operations, in Russia this is not an uncommon scenario.”

The Fidelis report on the malware didn’t mention the GRU or FSB at all. Their technical analysis only confirmed the APT groups involved: “Based on our comparative analysis we agree with CrowdStrike and believe that the COZY BEAR and FANCY BEAR APT groups were involved in successful intrusions at the DNC.”

When it came to attributing the attack to the Russian intelligence services, Fidelis’ Mike Buratowski told reporter Michael Heller: “In a situation like this, we can’t say 100% that it was this person in this unit, but what you can say is it’s more probable than not that it was this group of people or this actor set.”

As Mark Twain said, good judgment comes from experience, and experience comes from bad judgment. The problem with judgment calls and attribution is that since there’s no way to be proven right or wrong, there’s no way to discern if one’s judgment call is good or bad.

The metadata in the leaked documents are perhaps most revealing: one dumped document was modified using Russian language settings, by a user named “Феликс Эдмундович,” a code name referring to the founder of the Soviet Secret Police

OK. Raise your hand if you think that a GRU or FSB officer would add Iron Felix’s name to the metadata of a stolen document before he released it to the world while pretending to be a Romanian hacker. Someone clearly had a wicked sense of humor.

A Short History of the GRU (for perspective)

I’m fairly certain that most of those who are following and/or writing about the DNC hack know very little about the upheaval that has taken place at the GRU since Perestroika and continues to this day. I think that it’s important to understand the current climate there if you believe that they’re responsible for running an APT group for almost 10 years.

“By the end of 1980 the GRU intelligence service objective has become the largest of the world and one of the most informed. But surprisingly, in this case it was not formally and is not a special service. Main Intelligence had remained purely an army unit to which the laws on special services do not apply. And the most outstanding GRU officer less protected by law and social terms than the average employee of the FSB or SVR.”

“Reduction of intelligence and combat capability of the GRU began to Colonel-General Alexander Shlyahturova. As they say veterans of the intelligence services, are conserved or even eliminated virtually all foreign residency, except for those who work in countries closely adjacent to Russia. Indeed, why have the intelligence network in Latin America, Africa and Southeast Asia, if there is no military action, our country has no plans in the distant future?” (Source)

In April 2009, the long-serving head of GRU, Valentin Korabelnikov, resigned/was dismissed. Korabelnikov was replaced by his first deputy, Colonel General Anatoli Shlyakhturov.

Shlyakhturov conducted the staff purge that Korabelnikov had refused to do. “He fired some 1,000 staff members, cut the number of agency divisions from eight to five and implemented other classified personnel reforms.” (Source)

In December 2011, Major General Igor Sergun took over as Chief of GRU from Shlyakhturov. Sergun died on Jan 3, 2016 from heart failure.

The new Chief is Lieutenant-General Igor Korobov, and the Russian Defense Policy blog has some interesting background on him:

TASS, and a couple other press services, carried one additional note. They reported Korobov was previously first deputy chief, or second-in-command, of the GRU and chief of strategic intelligence.
The chief of strategic intelligence is in charge of collection, fusion, and reporting of intelligence on military threats to the security and survival of the Russian Federation. But it’s like one word is so implicit, or regarded as so secret, that it’s left out — agent. Chief of strategic agent intelligence.
So Korobov managed all GRU human intelligence (HUMINT) collection resources, except its most critical and productive “illegals” and their agents which the Chief of the GRU personally controls, according to Viktor Suvorov (Vladimir Rezun).
While it has capable technical intelligence-gathering means, the GRU relies on HUMINT. It is focused on information collected from agent operations abroad. That’s its tradition and its forte.

That’s a quick overview of the massive changes and political turmoil that have taken place and are ongoing at GRU, especially during the time frame that APT28 has been active. Would an organization known primarily for HUMINT really be the best choice to run an APT group? And if it did, could it have continued operations without any disruption during those years at GRU? The odds seem stacked against that.

APT Groups Aren’t People. They’re Indicators.

Russian APT groups

This is a partial spreadsheet for Russian APT threat groups. The one for China is about four times as big. If it looks confusing, that’s because it is. There is no formal process for identifying a threat group. Cybersecurity companies like to assign their own naming conventions so you wind up having multiple names for the same group. For example, CrowdStrike’s Fancy Bear group has the primary name of Sofacy, and alternative names of APT28, Sednit, Pawn Storm, and Group 74.

While it’s natural to think of Sofacy as a group of individuals, it’s more like a group of technical indicators which include tools, techniques, procedures, target choices, countries of origin, and of course, people. Since most bad actors operate covertly, we are highly dependent on the forensics. Since many of the tools used are shared, and other indicators easily subverted, the forensics can be unreliable.
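To make the naming and reliability problems concrete, here is an added example (not from the original article or from any vendor) that collapses the aliases listed above into one cluster and then recomputes which cross-incident links survive once an analyst marks an indicator unreliable. The vendor names, report structure and certificate placeholder are constructed; only the alias list and the defanged IP address come from this page.

```python
# Added example with constructed data; not code from the article or any vendor.

# Names the article lists for one cluster of indicators.
ALIASES = {"Sofacy": ["Fancy Bear", "APT28", "Sednit", "Pawn Storm", "Group 74"]}
_CANON = {name.lower(): primary
          for primary, alts in ALIASES.items() for name in (primary, *alts)}

def canonical(name):
    """Return the primary name for a vendor alias; unknown names pass through."""
    return _CANON.get(name.strip().lower(), name.strip())

# Constructed reports. Only the IP address appears in the article; the
# certificate is a placeholder because the page does not identify it.
CERT = "cert:PLACEHOLDER-shared-ssl-cert"
C2 = "ip:176.31.112[.]10"
REPORTS = [
    {"vendor": "vendor-a", "incident": "Bundestag", "group": "Sofacy",
     "indicators": {C2, CERT}},
    {"vendor": "vendor-b", "incident": "DNC", "group": "Fancy Bear",
     "indicators": {C2, CERT}},
    {"vendor": "vendor-c", "incident": "DNC", "group": "APT28",
     "indicators": {C2}},
]

# Analyst judgement, recorded with its reason. The article argues the C2 host
# qualifies because it ran an OpenSSL version vulnerable to Heartbleed.
UNRELIABLE = {C2: "Heartbleed-exposed host; a second party may have used it"}

def summarize(reports, unreliable):
    """Collapse aliases, then list cross-incident links before and after discounting."""
    names, per_incident = {}, {}
    for r in reports:
        group = canonical(r["group"])
        names.setdefault(group, set()).add(r["group"])
        per_incident.setdefault((group, r["incident"]), set()).update(r["indicators"])
    result = {}
    for group, seen in names.items():
        sets = [ind for (g, _), ind in per_incident.items() if g == group]
        shared = set.intersection(*sets) if len(sets) > 1 else set()
        result[group] = {
            "names_seen": sorted(seen),
            "incidents": len(sets),
            "shared_all": sorted(shared),
            "shared_reliable": sorted(shared - set(unreliable)),
        }
    return result

if __name__ == "__main__":
    for group, info in summarize(REPORTS, UNRELIABLE).items():
        print(group, info)
```

Three reports under three names reduce to one cluster, and the link between the two incidents drops from two shared indicators to one once the C2 address is discounted.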

Non-Government Russian Hacker Groups

Russia’s Ministry of Communication reported that Russian cybercriminals are re-investing 40% of the millions of dollars that they earn each year in improving their technology and techniques as they continue to target the world’s banking system. Kaspersky Lab estimated earnings for one 20-member group at $1 billion over a three-year period.

A common (and erroneous) rationale for placing the blame for a network breach on a nation state is either that independent hacker groups don’t have the resources or that stolen data doesn’t have financial value. These recent reports by Kaspersky Lab and the Russian Ministry of Communication make it clear that money is no object when it comes to these independent groups, and that sophisticated tools and encryption methods are constantly improved upon, just as they would be at any successful commercial enterprise or government agency.

That, plus the occasional cross-over between independent Russian hackers and Russia’s security services, makes differentiation between a State and non-State threat actor almost impossible. For that reason alone, it should be incumbent upon policymakers and journalists to question their sources about how they know that the individuals involved are part of a State-run operation.

A Nightmare Scenario

“Indeed, there will be some policymakers who could not pass a rudimentary test on the “facts of the matter” but who have the strongest views on what the policy should be and how to put it into effect.” (Sherman Kent)

Rep. Nancy Pelosi, the Minority Speaker of the House of Representatives and a member of the House Select Committee on Intelligence, has determined that the Russian government hacked the DNC. Not because of any intelligence that she has received from her committee. She just knows:

“The Russians hacked the Democratic National Committee,” she told MSNBC during an interview at the Democratic National Convention in Philadelphia. “There is no question about that. My source is not the Intelligence Committee of the Congress of the United States. It is what I know: They have hacked. That’s a fact.”

Here’s my nightmare. Every time a claim of attribution is made — right or wrong — it becomes part of a permanent record; an un-verifiable provenance that is built upon by the next security researcher or startup who wants to grab a headline, and by the one after him, and the one after her. The most sensational of those claims are almost assured of international media attention, and if they align with U.S. policy interests, they rapidly move from unverified theory to fact.

Because each headline is informed by a report, and because indicators of compromise and other technical details are shared between vendors worldwide, any State or non-State actor in the world will soon have the ability to imitate an APT group with State attribution, launch an attack against another State, and generate sufficient harmful effects to trigger an international incident. All because some commercial cybersecurity companies are compelled to chase headlines with sensational claims of attribution that cannot be verified.

I encourage my colleagues to leave attribution to the FBI and the agencies of the Intelligence Community, and I implore everyone else to ask for proof, even from the U.S. government, whenever you read a headline that places blame on a foreign government for an attack in cyberspace.