ANALYSIS The current reds-under-the-beds scare in the US is increasingly being sold by the media, with unproven claims often being paraded as fact. A prime case of this was seen recently when the Associated Press claimed that the group that had allegedly targeted Hillary Clinton last year had also been hacking many other foes of the Russian state.
The AP story was built on data it had obtained from security company SecureWorks, which it claimed was exclusive. It was actually data that the company had been writing about itself since June last year. It was just the latest collection of data that was used.
Along the way, AP used what are now classic obfuscation methods – constructing a timeline where one event led to another. But occasionally, an event that has not been proven was used to link a series of happenings, and thus paraded as fact.
For example, one line in the story read, "The list revealed a direct line between the hackers and the leaks that rocked the presidential contest in its final stages, most notably the private emails of Clinton campaign chairman John Podesta." In fact, there is as yet no direct evidence that any external entity hacked into the Democrat National Committee server to exfiltrate emails. On the other hand, there is plenty of evidence to show it was an inside job.
{loadposition sam08}To back up its claim that the group it cited — Fancy Bear aka APT28, Pawn Storm, Sofacy Group, Sednit, IRON TWILIGHT and STRONTIUM — has Russian links, the AP cited an assessment which is said to have been made by 17 US intelligence groups. But this is incorrect — only two groups, the Office of the Director of National Intelligence and the Department of Homeland Security — have weighed in on this issue, not 17 intelligence agencies.
The conclusions drawn by the AP seem rather damning on the surface. But these conclusions appear to be rather overblown because when iTWire went back to SecureWorks to check, the company was remarkably sober in its assessments.
AP also mentioned CrowdStrike, the company which was called in by the DNC after the hack, without once mentioning that its report about the incident has been controversial, to say the least.
No mention was made of the fact that the FBI repeatedly asked CrowdStrike for access to the DNC servers and was denied. No mention was made either of the fact that CrowdStrike had claimed that Fancy Bear had attacked Ukraine artillery systems, a claim which turned out to be based on flimsy evidence. Sources used by CrowdStrike within their report have pushed back about this.
One source, IISS, told the VOA News site: "The CrowdStrike report uses our data, but the inferences and analysis drawn from that data belong solely to the report's authors. The inference they make that reductions in Ukrainian D-30 artillery holdings between 2013 and 2016 were primarily the result of combat losses is not a conclusion that we have ever suggested ourselves, nor one we believe to be accurate."
The maker of the app that was alleged to have been attacked, Yaroslav Sherstyuk, was also not contacted by CrowdStrike before they wrote their report.
All this was either ignored by the AP or else the agency was not aware of it.
When iTWire asked SecureWorks about CrowdStrike's involvement in the DNC hack, Rafe Pilling, senior security researcher with the Counter Threat Unit team, responded that it had no direct knowledge of, or involvement in, the case. "Presumably, from CrowdStrike's perspective, the decision to allow access to any client assets or systems sits with their client rather than with them," he added.
"We can't confirm the contextual analysis and data interpretation that CrowdStrike included in their report or any political affiliations or views they may or may not support.
"However, the malware sample they reference (6f7523d3019fa190499f327211e01fcb) does exist and does appear to be the Android version of a X-Agent. X-Agent is a malware family believed to be uniquely used by IRON TWILIGHT."
Pilling said the new part of the AP story was what he called a "deep dive analysis" of the dataset collected by SecureWorks.
SecureWorks was also asked whether the company had resorted to hacking to obtain all the data that it had handed over to AP. Pilling replied that the company "never exceeds legal authority in any part of the world in pursuit of threat research. In addition, we have a strong internal code of ethics which guides our actions and how we work. Illegal unauthorised access of any system is strictly forbidden".
"The data we collected was all made publicly available through a legitimate free analytics service provided by bit.ly at the time. This service has since been amended and is no longer available in the form that we were able toleverage to collect this dataset."
Asked about the AP's treating the allegations that hackers disrupted the US elections as an article of faith, Pilling said the data SecureWorks had collected pertained to "a long running email compromise operation that also included political groups and related individuals in the US".
"Based on our data we can't confirm that any targeted accounts were actually compromised. However, taken in conjunction with reporting from other vendors describing actual network compromises, at the DNC for example, and with the unauthorised public dissemination of email addresses that align with individuals that appear in our dataset, it certainly appears that in some cases IRON TWILIGHT was successful," he said.
"So we have supporting evidence of some level of criminal activity, but we leave it to the ongoing Congressional and law enforcement investigations to determine what role, if any, this may have played in potentially illegal activity relating to the US election."
In its story, AP had pointed to the fact that most of the work done by Fancy Bear was reportedly during the daylight hours of Moscow. iTWire pointed out to Pilling that most hackers are known to work during the wee hours when network resources are less congested and when there is less chance of being discovered; additionally, experienced hackers would hide their tracks, knowing full well that timestamps are one of the most revealing of things.
Pilling was cautious in his response. "Analysing the working pattern of an adversary is not an exact science and by itself does not provide definitive evidence," he said. "However it is a solid contributing argument to a wider attribution case.
"The TV stereotype of a hacker might see them operating late at night, but in our experience, professional hackers (criminal- and government-backed) tend to work much the same hours as a normal person would in their own time zone.
"An amateur might hack in the evening outside of their day job but mostly out of necessity rather than as a strategy. Also, hacking late at night 'to avoid detection' only applies if you're hacking someone in your time zone. In addition, in this case IRON TWILIGHT were sending phishing emails rather than moving through someone else's network so if doesn't make sense that they would need to 'do it at night to avoid detection'."
He said the working time analysis was derived over months and across thousands of data points. "Quite an effort to sustain just to make it appear as if they were working standard hours in a different time zone," he added.
Finally, iTWire pointed out that AP's claim, that the Russia link was backed up by the fact that the interests of the hackers seemingly aligned with that of the Kremlin, did not always hold water. The case of WikiLeaks founder Julian Assange was cited – he has no connection to any US government department but hacked into a number of federal US facilities when he was young.
Pilling did not offer a direct reply to this. His response was that people hacked into government and private contractors for different reasons.
"As we have mentioned, the data SecureWorks collected shows much wider targeting than just US political figures and has a focus that would
- "not lead one to infer that the intent of the operation was criminal financial gain; and
- "represents a spread of individuals that would most likely be of interest to the Russian Government.
"This is in addition to the wider technical links to other operations conducted by IRON TWILIGHT, the resources they can command and the targets they go after. Much of this information has previously been published by SecureWorks and other vendors using terms such as Fancy Bear, Pawn Storm, APT28 and Strontium. There is a wealth of supporting material available online."