https://medium.com/homefront-rising/dum ... fa522ff44f
“If I give you a malware binary to reverse engineer, what do you see?” This is the question that had been posited by Michael Tanji, the retired cyber intelligence analyst. “Exactly what the author wants you to see.”
I want you to see words in a language that would throw suspicion on someone else.
An article published in ArsTechnica highlighted the work of an independent security researcher, Adam Carter, who had uncovered evidence that some of the documents released by Guccifer 2.0 in his initial document dump had been manipulated in a manner which introduced Russian words, in the Cyrillic alphabet, into the metadata of the documents, including a reference to “Felix Edmundovich,” the first name and patronymic of the founder of the Soviet security service, Felix Dzerzhinsky. The combination of the Cyrillic alphabet and the reference to a Russian spymaster seems ideal if one is trying to attribute its existence to the Russian intelligence services.
I want you to see that my code was compiled in a particular foreign language (even though I only read and/or write in a totally different language).
FireEye, a well-known cyber security company, has written a report on APT-28 (another name for Fancy Bear), highlights a number of Russian language indicators, including the consistent use of Russian language in malware code over the course of six years.
I want you to see certain comments or coding styles that are the same or similar to someone else’s (because I reuse other people’s code.)
Fidelis Security, another well-known cyber security company, was provided samples of the Cozy Bear and Fancy Bear malware for “independent analysis.” According to Fidelis, these samples matched the description provided by CrowdStrike and “contained complex coding structures and utilized obfuscation techniques that we have seen advanced adversaries utilize in other investigations we have conducted,” Michael Buratowski, the senior vice president of security consulting services at Fidelis, noted. The malware was “at times identical to” malware that other cyber security vendors, such as Palo Alto Networks, have attributed to Fancy Bear. Many of these similarities have been previously identified by other cyber security vendors and made public as far back as 2013.
I want you to see data about compilation date/time, PDB file path, etc., which could lead you to draw erroneous conclusions have no bearing on malware behavior or capability.
FireEye, in its report on APT-28 (i.e., Fancy Bear), also notes that the compile times associated with the malware align with the work hours and holiday schedules of someone residing in the same time zone as Moscow and St. Petersburg.
The fascinating thing about Michael Tanji’s observations was that they were made in 2012, largely in response to the spate of China attributions headed up by Dmitri Alperovitch’s highly publicized 2011 Shady Rat report. Four years later, the fixation on pattern-derived attribution remained a problem within the cyber security collective, this time with Russia as the target de jour. In 2011, the Chinese caseload was spread across a broad field of separate cyber attacks. In 2016, the Russian data set was limited to a single event — the DNC cyber attack.
Moreover, the data set in 2016 was under the exclusive control of a single entity — CrowdStrike. While select malware samples were farmed out to like-minded vendors, for the most part outside analysis of the DNC cyber penetration was limited to the information provided by CrowdStrike in its initial report. Even the FBI found itself in the awkward position of being denied direct access to the DNC servers, having instead to make use of “forensic images” of the server provided by CrowdStrike, along with its investigative report and findings.
There is much unknown about these scans — were they taken from May 6, when CrowdStrike first detected what it assessed to be a Russian presence inside the DNC server? Or are they from June 10, the last day the server was in operation? The difference could be significant, keeping in mind the fact that there were more than 30 days between the two events.
In this intervening time, CrowdStrike watched Guccifer 2.0 exfiltrate documents. It also possibly engaged in offensive measures, such as the dangling of so-called “attractive data” (the Russian-language tainted opposition research documents come to mind.) The possibility of additional manipulation of data cannot be discounted. However, even though members of Congress are starting to call for the FBI to take physical possession of the server and conduct its own independent forensic investigation, the server remains in the possession of the DNC.
Through the release of its “Bears in the Midst” report, CrowdStrike anticipated that the US government and, by extension, the American people, would place their trust in CrowdStrike’s integrity regarding Russian attribution. The media has, for the most part, accepted at face value CrowdStrike’s Russian attribution regarding the DNC cyber attack.
The US government, while slower to come onboard, eventually published a Joint Statement by the Office of Director of National Intelligence and the Department of Homeland Security in October 2016 that declared, “The recent disclosures of alleged hacked e-mails…by the Guccifer 2.0 online persona are consistent with the methods and motivations of Russian-directed efforts.”
On December 29, 2016, the FBI and DHS released a Joint Analysis Report (JAR) that directly attributed the presence of both the Cozy Bear and Fancy Bear actors on the DNC server to “spearfishing” attacks, thereby eliminating from consideration any possibility that Guccifer 2.0 penetrated the DNC server through a “zero day” exploit. This was a curious assessment, given that the only data in existence regarding what had transpired inside the DNC server was the data collected by CrowdStrike — data CrowdStrike maintains did not provide evidence pertaining to how the DNC server was initially breached by either Cozy Bear or Fancy Bear.
The Director of National Intelligence followed up with a National Intelligence Assessment, released on January 6, 2017, that similarly endorsed the findings of CrowdStrike when it came to Russian attribution for the Cozy Bear and Fancy Bear penetration of the DNC, as well as linking Guccifer 2.0 to the GRU, or Russian military intelligence. It was the strength of this national assessment that closed the book on debate on the matter of Russian attribution. Senators and Congressmen, intelligence officials and media pundits — all seem to be in agreement that Russia was singularly responsible for the cyber attack against the DNC, and the subsequent release of documents acquired from that breach. “Without a doubt,” “undeniable,” “incontrovertible” — this was the verbiage that accompanied any discussion of the case against Russia.
The genesis moment for this collective clarity, however, remains the carefully choreographed release of the CrowdStrike report, “Bears in the Midst,” and the accompanying Washington Post exclusive laying the blame for the DNC cyber attack squarely at the feet of Russia. From this act all else followed, leading to the certainty that accompanied this attribution was enough to overcome the challenge posed by the sudden appearance of Guccifer 2.0, enabling the same sort of shoehorned analysis to occur that turned Guccifer 2.0 into a Russian agent as well.
Much of this discussion turns on the level of credibility given to the analysis used by CrowdStrike to underpin its conclusions. Alperovitch, the author of the “Bears in the Midst” report, does not have a good record in this regard; one need only look at the controversy surrounding the report he wrote on Shady Rat while working for McAfee. A new report released by Alperovitch and CrowdStrike casts further aspersions on Alperovitch’s prowess as a cyber analyst, and CrowdStrike’s overall methodology used to make its Russian attribution.
On December 22, 2016, CrowdStrike published a new report purporting to detail a new cyber intrusion by the Fancy Bear actor, titled “Danger Close: Fancy Bear Tracking of Ukrainian Field Artillery Units.” This analysis, prepared by Adam Meyers, CrowdStrike’s vice president for intelligence, was claimed to further support “CrowdStrike’s previous assessments that Fancy Bear is likely affiliated with the Russian military intelligence (GRU). This report was used to promote a Jan. 4 live discussion event with Meyers and Alperovitch, titled “Bear Hunting: History and Attribution of Russian Intelligence Operations,” which was intended to educate the audience on the links between Fancy Bear and the GRU.
The “Danger Close” report was presented as further validation of CrowdStrike’s Falcon Program, which CrowdStrike claims helps organizations stop cyber penetrations through proactive measures developed through a deep understanding of the adversary and the measures needed to stop them. It was Falcon that “lit up” ten seconds after being installed on the DNC server back on May 6, 2016, fingering Cozy Bear and Fancy Bear as the culprits in the DNC attack. Falcon was now being linked to this newest effort at Russian attribution.
The only problem for Meyers, Alperovitch and CrowdStrike was that “Danger Close” was wrong — dead wrong — in every aspect of its analysis. The report was dissected by none other than Jeffrey Carr — the same individual who criticized Alperovitch over his Shady Rat claims. One of Carr’s most important findings deals directly with the credibility methodology used by CrowdStrike to attribute Fancy Bear to the GRU. “Part of the evidence supporting Russian government involvement in the DNC and related hacks (including the German Bundestag and France’s TV5 Monde),” Carr writes, “stemmed from the assumption that X-Agent malware was exclusively developed and used by Fancy Bear. We now know that’s false, and that the source code has been obtained by others outside of Russia.” Carr cites at least two examples, one a security company, the other a hacker collective, of the X-Agent malware existing “in the wild.” If these two entities have the X-Agent malware, Carr notes, “then so do others, and attribution to APT28/Fancy Bear/GRU based solely upon the presumption of ‘exclusive use’ must be thrown out.”
In one fell swoop, Carr destroyed the very premise upon which CrowdStrike not only attributed the DNC cyber attack to Russia, but the heart and soul of CrowdStrike’s business platform — the Falcon Platform used by CrowdStrike to provide “end point” protection to its clients. Far from representing an intelligent platform capable of discerning threats through advanced algorithms and proprietary techniques, the Falcon Platform seems to be little more than a database pre-programmed to deliver a preordained finding — X-Agent equals Fancy Bear, and Fancy Bear equals Russia.
Also, metadata analysis by an independent researcher which contradicts the 'Russia Hack' narrative:
Forensicator maintains his position that the most probable and plausible interpretation of the observations derived from the NGP VAN 7zip metadata is:
There is evidence that suggests the files in the NGP VAN archive were copied (twice) locally, on the East Coast, US. Further, there are indications that a USB-2 capable media may have been used for the first copy operation on July 5, 2016 and that a FAT-formatted media was used in the second copy operation on Sept. 1, 2016. (A USB flash drive is one of the most popular FAT-formatted media, but there are others including SD cards and removable hard drives.)
Essentially: files eventually published by the Guccifer 2.0 persona were likely initially downloaded by a person with physical access to a computer possibly connected to the internal DNC network. The individual most likely used a USB drive to copy the information.