Taking Evidence Seriously: Russian Hacking

One of the reasons I decided to start writing again was to put my experience in the field to good use, primarily to explain the sometimes confusing world of computers, technology and networking through real-world analogies. I hadn’t intended this to be political in any way, but with what’s going on out there today, that is what I’ve primarily been writing about.

So let’s talk about the recent hacking news based on real-world evidence and not hyperbole.

Unless you were living under a rock for the last half of 2016, you are aware that there was a massive leak of Democratic National Committee e-mails from key players in the Democratic Party. A large number of public and private sector officials have determined that these hacks came from the Russian Government. Certain people think this can’t be true, and while much of what occurred is classified, there is still plenty of public evidence readily available.

So how do they know that it was the Russians? Much like investigating a crime, say a murder — the perpetrators leave behind key evidence like DNA, fingerprints, fibers from their clothes, pieces of skin, etc. In a hacking attempt, whether successful or not, they also leave behind a signature. The tools used to infiltrate any system, whether government or private, were created somewhere. I speak of things like malware and pieces of code created for the very specific purpose of gathering and extracting information from a target. The perpetrators will continue to use these toolsets in multiple attacks over time, iterating on them and improving them, but the basis is still there — a signature, if you will.

So how the heck do we know the Russians’ signature? I will point to one particular white paper written by CrowdStrike. You have probably heard their name once or twice on the news. They are a tech company whose sole purpose is cybersecurity. They were hired to investigate the attack on the DNC in 2016.

In June CrowdStrike identified and attributed a series of targeted intrusions at the Democratic National Committee (DNC), and other political organizations that utilized a well known implant commonly called X-Agent. X-Agent is a cross platform remote access toolkit…

In the summer of 2016 they began investigating an Android package that was in the Russian language and military in nature. This particular application was created to ease the aiming of an older artillery weapon called the D-30. In this application they uncovered a particular piece of code whose entire purpose was to extract information about its use, particularly its location, and report that information back. From late 2014 through 2016 the software was covertly distributed to Ukrainian military users within a legitimate Android application. Russia was in a conflict with Ukraine at the time.

Over 80% of D-30 howitzers were lost during conflicts with Russian troops and pro-Russian fighters in the last two years of conflict. This was the largest loss of artillery pieces in Ukraine’s arsenal. Several other security agencies have also agreed with CrowdStrike that this attack is Russian in nature. After all, they were the primary beneficiary of this attack.

Now the above is public sector information, but it matches up with the US-CERT advisory sent out just a few days ago. One thing that I will concede is that the US Government definitely had a PRIME opportunity here to really show that the Russians are behind this. Unfortunately their report is still fairly generic, leaving it up to others to correlate evidence as I am doing here.

Hopefully with the news yesterday that portions of the final report will be released to the public we will get more information.

The information contained on this page is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). The joint DHS and FBI products provide technical details on the tactics, techniques, and procedures used by Russian government cyber actors.

The attacks against the DNC and others are sophisticated attacks that consist of phishing and spear phishing, followed by infiltration and exfiltration. There is no doubt they are orchestrated and organized attacks with very specific goals in mind: to undermine processes and sow doubt in our systems. While the attack on the Android application was mobile in nature, the same techniques were also used in the DNC attacks.

With all that being said, I encourage you to research this and I expect you will come to the same conclusion. While what is happening is highly technical, at its very core it’s the same as any other criminal investigation. These agencies leave their signatures behind and then it’s all a matter of connecting the dots. As a result of all the items above, President Obama issued a series of actions including expulsion of Russian diplomats and sanctions against individuals thought to be directly involved with the cyber actions. These actions are based on real evidence against the Russian Government and on the work of hundreds, if not thousands, of experts in the realm of cybersecurity in both the public and private sectors.

Today, I have ordered a number of actions in response to the Russian government’s aggressive harassment of U.S. officials and cyber operations aimed at the U.S. election. These actions follow repeated private and public warnings that we have issued to the Russian government, and are a necessary and appropriate response to efforts to harm U.S. interests in violation of established international norms of behavior.

I’ve previously stated that we should be concerned as citizens about our President-Elect. I believe that is the case now more than ever.

This past weekend he illustrated yet again that he believes he is the final expert authority on all issues, including cybersecurity, and that he “knows things” that other people do not. And since our “intelligence community got it wrong on WMD”, they must be wrong on this too. He even said that he has a boy who is ten years old who can “do anything with a computer”; not only is that laughable, it’s insulting to the thousands of people who are experts in this field. These are the statements of a narcissistic man who thinks that computers are magic boxes and nobody knows how they work.

President-elect Donald Trump declared Saturday that he knows “things that other people don’t know” about Russian hacking allegations, suggesting FBI and CIA reports leave room for doubt over Russia’s meddling in the U.S. election.

Let’s not forget that he has consistently praised the current president of Russia, where dissent is discouraged and he’s remained in power for over ten years.

And as if it couldn’t get any worse he sided with Julian Assange in the last few days.

According to Trump, “Hacking is a hard thing to prove”, which is definitely a valid statement. But as I’ve explained, the investigation process is as tried and true as the methods police have been using for decades. It isn’t magic and it’s well known. And intelligence is also something we have a lot of experience in.

Follow the evidence to its source and you will find the answers. The problem is our future President has decided that he is the authority on these things and nobody else can be trusted.

A slippery slope is it not?

Update, 14:15 1/6/17: After getting his full intel briefing, Trump has somewhat changed his tune.
