Why Trump is spot-on about the Russians and the election

January 4, 2017 01:52 PM

Cybersecurity Experts Disagree (Often)

Like medical experts who disagree about a diagnosis or treatment, cybersecurity experts are notorious for disagreeing about attribution conclusions drawn from digital forensic remnants, residue, fragments and artifacts.

For instance, CrowdStrike, the highly reputable and well-respected data breach response firm investigating the DNC cyber-attacks, believes that "Fancy Bear," a hacking group with purported ties to the Russian government, likely orchestrated the DNC hack, and, because of those purported ties, concludes that the Russian government was behind it.

Like most digital forensic experts, CrowdStrike appears to have based its conclusions on technical correlations and shared modus operandi across intrusions (for example, reuse of the same malware variant, tooling or command-and-control infrastructure), a common investigative method that digital forensic investigators use to identify online intruders.

Along those lines, on December 22, 2016, the Washington Post reported that:

“The firm CrowdStrike linked malware used in the DNC intrusion to malware used to hack and track an Android phone app used by the Ukrainian army in its battle against pro-Russia separatists in eastern Ukraine from late 2014 through 2016 . . . CrowdStrike found that a variant of the Fancy Bear malware that was used to penetrate the DNC’s network in April 2016 was also used to hack an Android app developed by the Ukrainian army to help artillery troops more efficiently train their antiquated howitzers on targets.”

The Washington Post reports further details about Fancy Bear:

“While CrowdStrike, which was hired by the DNC to investigate the intrusions and whose findings are described in a new report, had always suspected that one of the two hacker groups that struck the DNC was the GRU, Russia’s military intelligence agency, it had only medium confidence. Now, said CrowdStrike co-founder Dmitri Alperovitch, ‘we have high confidence’ it was a unit of the GRU. CrowdStrike had dubbed that unit ‘Fancy Bear.’”

However, other cybersecurity experts would disagree with CrowdStrike. Security researcher Jeffrey Carr recently pointed out that a 2014 FireEye report on Fancy Bear, which links Fancy Bear to the Russian government, has significant credibility issues:

“To my surprise, the report’s authors declared that they deliberately excluded evidence that didn’t support their judgment that the Russian government was responsible for [Fancy Bear’s] activities . . . ‘[Fancy Bear] has targeted a variety of organizations that fall outside of the three themes we highlighted above. However, we are not profiling all of [Fancy Bear’s] targets with the same detail because they are not particularly indicative of a specific sponsor’s interests’ . . . That is the very definition of confirmation bias. Had FireEye published a detailed picture of Fancy Bear’s activities including all of their known targets, other theories regarding this group could have emerged; for example, that the malware developers and the operators of that malware were not the same or even necessarily affiliated.”

The notion that Fancy Bear has a narrow focus on U.S. political targets is also undermined by a SecureWorks research paper showing that the Fancy Bear hackers have a wide variety of interests: 10% of their targets are nongovernment organizations, 22% are journalists, 4% are aerospace researchers, and 8% are within the “government's supply chain.” SecureWorks concludes that only 8% of Fancy Bear’s targets are “government personnel” of any nationality.

According to Carr, “it’s an old assumption going back years to when any attack against a non-financial target was attributed to a state actor.” Without that premise, the only logical conclusion is that some email accounts at the DNC appear to have been broken into by someone, and perhaps that someone speaks Russian. Ignored is the mammoth difference between Russians and Russia.

Some experts go so far as to pit themselves directly against the JAR, the Joint Analysis Report on Russian malicious cyber activity that DHS and the FBI released on December 29, 2016. Take famed data security pioneer John McAfee, developer of the first commercial antivirus program. McAfee has been a major figure in the cybersecurity industry for some three decades and does not believe that the Russians were behind the hacks on the DNC, John Podesta’s emails and the Hillary Clinton presidential campaign.

McAfee notes that the JAR contains an appendix listing hundreds of IP addresses supposedly “used by Russian civilian and military intelligence services,” but argues that,

"While some of those IP addresses are from Russia, the majority are from all over the world, which means that the hackers constantly faked their location . . . if it looks like the Russians did it, then I can guarantee you it was not the Russians . . . [The JAR] is a fallacy . . . hackers can fake their location, their language, and any markers that could lead back to them. Any hacker who had the skills to hack into the DNC would also be able to hide their tracks . . ."

The entire election hacking operation could also be some sort of "false flag" run by someone else with extremely deep pockets and a political agenda. Along these lines, McAfee derides the investigative techniques behind recent conclusions of Russian attribution, stating:

"If I was the Chinese and I wanted to make it look like the Russians did it, I would use Russian language within the code, I would use Russian techniques of breaking into the organization . . . in the end, there simply is no way to assign a source for any attack.”

Meanwhile, WikiLeaks founder Julian Assange has insisted that the Russian government is not the source of the Podesta and DNC e-mails, implying that the source is instead a disgruntled DNC or other Democratic operative.

Fancy Bear, What Will You Wear

What does the public know for certain about Fancy Bear, or about the dozen other names researchers have assigned to it, such as APT28, Tsar Team, Sofacy, Strontium and Pawn Storm? Not much.

Fancy Bear is one of the most reported-on hacking groups in operation, yet there is very little any researcher can say about it with absolute certainty. No one knows, for instance, how many hackers work regularly within Fancy Bear, or how they organize their hacking squads. No one even knows whether Fancy Bear is based in one city or scattered across various locations in Russia or the world. Researchers don’t even know what the group calls itself.

No confirmed Fancy Bear hacker has ever actually been caught. Fancy Bear has evolved into a modern-day bogeyman -- powerful and ubiquitous, nowhere and everywhere.


Page 2 of 3
About the Author

John Reed Stark is president of John Reed Stark Consulting LLC, a data breach response and digital compliance firm. Formerly, Stark served for almost 20 years in the Enforcement Division of the U.S. Securities and Exchange Commission, the last 11 of which as Chief of its Office of Internet Enforcement.