The recently released Joint Analysis Report (JAR) published by the Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI) to detail tools used by Russian hackers in cyber attacks against the United States election didn’t deliver on its promise, security experts argue.
The United States government said from the start that the JAR was meant to offer declassified technical information on the malicious cyber activity carried out by Russian civilian and military intelligence Services (RIS) referred to as GRIZZLY STEPPE. The information was also meant for network defenders in the United States and abroad to use to better “identify, detect, and disrupt Russia’s global campaign of malicious cyber activities.”
But the information included in the JAR isn’t enough to help improve defenses, some experts argue. What’s more, some suggest that “evidence” provided in the report that Cozy Bear (APT29) and Fancy Bear (APT28) were behind the election-focused attacks doesn’t actually prove that Russia was behind the attacks.
The report included a series of Indicators of Compromise (IOCs), but security exert Robert Graham explains that they are of low quality, have limited utility to defenders, and “are published as a political tool, to prove they have evidence pointing to Russia.”
One of these is the YARA rule included in the report, which is a tool security researchers use to classify files and to analyze infected systems for attribution purposes. The YARA rule in US-CERT’s GRIZZLY STEPPE report detects a web shell tool popular among Russia/Ukraine hackers, namely the “PAS TOOL WEB KIT.”
Graham argues that, because it can find the same web shell on all the victims, the YARA rule is useful at tracking the activity of hackers because they tend to continue using tools they are accustomed with. The issue with the JAR, however, is that the YARA it mentions is used to track a P.A.S. web shell used by “hundreds if not thousands of hackers,” which makes attribution problematic. Unless, Graham says, the report withholds some of the information used for attribution.
“We have little visibility into how the government used these IoCs. IP addresses and YARA rules like this are weak, insufficient for attribution by themselves. On the other hand, if they’ve got web server logs from multiple victims where commands from those IP addresses went to this specific web shell, then the attribution would be strong that all these attacks are by the same actor,” Graham says.
Robert M. Lee, CEO and Founder of security company Dragos, also believes that the report provides weak evidence for attribution and that the technical details included in it fail to achieve the intended purpose: it doesn’t help network defenders and doesn’t reveal new information on the two APTs (Advanced Persistent Threats) either, although it attributes the attacks to them (yet without offering the evidence everyone was expecting).
As Lee points out, a Fact Sheet published by the White House to accompany the announcement of various sanctions against Russia (intended as retaliation for RIS’ malicious cyber-activity), suggested that the JAR would contain declassified information on Russian malware, provide details on new tactics and techniques used by Russia, and also validate previously published private sector data. But it does none of those.
“Unfortunately, while the intent was laid out clearly by the White House that intent was not captured in the DHS/FBI report,” Lee notes. In fact, he suggests that the report creates confusion by interweaving unrelated data; that it fails to provide a source for the presented data (which makes the information useless); and that some of the provided indicators of compromise, such as the IP addresses, are nearly useless (they are VPS, TOR exit nodes, proxies, and other non-descriptive internet traffic sites).
According to Lee, however, this didn’t happen because the government operators who compiled the report didn’t do their job properly, but because the report then went through a series of reviews and sanitation operations that stripped out the best information. According to Lee, this is something that usually happens when the U.S. Intelligence Community releases any kind of information to the public.
Lee also says that the technical data and attribution are likely being included in a report prepared for Congress and which could be later declassified. “Yet, the GRIZZLY STEPPE report reads like a poorly done vendor intelligence report stringing together various aspects of attribution without evidence,” Lee says.
“The DHS/FBI GRIZZLY STEPPE report does not meet its stated intent of helping network defenders and instead choose to focus on a confusing assortment of attribution, non-descriptive indicators, and re-hashed tradecraft. Additionally, the bulk of the report (8 of the 13 pages) is general high level recommendations not descriptive of the RIS threats mentioned and with no linking to what activity would help with what aspect of the technical data covered. It simply serves as an advertisement of documents and programs the DHS is trying to support,” Lee also says.
Mark Maunder, Wordfence Founder and CEO, explains that an analysis of the PHP malware samples included in the JAR revealed that it was an older variant of P.A.S., namely version 3.1.0, which is “commonly available”. The malware’s site, he also reveals, points at newer versions of the malware, namely 3.1.7 and 4.1.1b and clai
ms that Ukrainians developed it.
“One might reasonably expect Russian intelligence operatives to develop their own tools or at least use current malicious tools from outside sources,” Maunder says.
He also explains that 134 or about 15% of the 876 IP addresses listed in the report are Tor exit nodes, which are “are anonymous gateways that are used by anyone using the Tor anonymous browsing service.” What’s more, most of the top 50 most active IP addresses by number of complex attacks they were used in during the past 60 days, are Tor exit nodes, meaning they can’t be used for attribution.
“The IP addresses that DHS provided may have been used for an attack by a state actor like Russia. But they don’t appear to provide any association with Russia. They are probably used by a wide range of other malicious actors, especially the 15% of IP addresses that are Tor exit nodes. The malware sample is old, widely used and appears to be Ukrainian. It has no apparent relationship with Russian intelligence and it would be an indicator of compromise for any website,” Maunder concludes.
Responding to an email inquiry, Chris Roberts, chief security architect at Acalvio, a Santa Clara, Calif.-based threat detection firm, told SecurityWeek that the report is fuzzy and non-committal, and that this is its main issue.
“It doesn’t come out and say “Hey the FSB and GRU hacked us” and has done so for the last 10-20 years. It simply refers to APT (actors) and insinuates that they are part of the establishment as opposed to providing actual details,” he said.
Paul Calatayud, CTO at FireMon, also told SecurityWeek that the report doesn’t offer new information regarding the activities of these threat groups: “Upon review, there is nothing new in regards to these actors and the techniques they are using. The newsworthy elements here are the source of the actors and their motivations in hitting political systems and implications of what it means in regards to national security.”