Security Market Segment LS
Thursday, 16 November 2017 09:34

AP spreads 'Russia hacked DNC' claim as though it is gospel truth


ANALYSIS The current reds-under-the-beds scare in the US is increasingly being sold by the media, with unproven claims often being paraded as fact. A prime case of this was seen recently when the Associated Press claimed that the group that had allegedly targeted Hillary Clinton last year had also been hacking many other foes of the Russian state.

The AP story was built on data it had obtained from security company SecureWorks, which it claimed was exclusive. It was actually data that the company had been writing about itself since June last year. It was just the latest collection of data that was used.

Along the way, AP used what are now classic obfuscation methods – constructing a timeline where one event led to another. But occasionally, an event that has not been proven was used to link a series of happenings, and thus paraded as fact.

For example, one line in the story read, "The list revealed a direct line between the hackers and the leaks that rocked the presidential contest in its final stages, most notably the private emails of Clinton campaign chairman John Podesta." In fact, there is as yet no direct evidence that any external entity hacked into the Democrat National Committee server to exfiltrate emails. On the other hand, there is plenty of evidence to show it was an inside job.

To back up its claim that the group it cited — Fancy Bear aka APT28, Pawn Storm, Sofacy Group, Sednit, IRON TWILIGHT and STRONTIUM — has Russian links, the AP cited an assessment which is said to have been made by 17 US intelligence groups. But this is incorrect — only two groups, the Office of the Director of National Intelligence and the Department of Homeland Security — have weighed in on this issue, not 17 intelligence agencies.

The conclusions drawn by the AP seem rather damning on the surface. But these conclusions appear to be rather overblown because when iTWire went back to SecureWorks to check, the company was remarkably sober in its assessments.

AP also mentioned CrowdStrike, the company which was called in by the DNC after the hack, without once mentioning that its report about the incident has been controversial, to say the least.

No mention was made of the fact that the FBI repeatedly asked CrowdStrike for access to the DNC servers and was denied. No mention was made either of the fact that CrowdStrike had claimed that Fancy Bear had attacked Ukraine artillery systems, a claim which turned out to be based on flimsy evidence. Sources used by CrowdStrike within their report have pushed back about this.

fancy bear

One source, IISS, told the VOA News site: "The CrowdStrike report uses our data, but the inferences and analysis drawn from that data belong solely to the report's authors. The inference they make that reductions in Ukrainian D-30 artillery holdings between 2013 and 2016 were primarily the result of combat losses is not a conclusion that we have ever suggested ourselves, nor one we believe to be accurate."

The maker of the app that was alleged to have been attacked, Yaroslav Sherstyuk, was also not contacted by CrowdStrike before they wrote their report.

All this was either ignored by the AP or else the agency was not aware of it.

When iTWire asked SecureWorks about CrowdStrike's involvement in the DNC hack, Rafe Pilling, senior security researcher with the Counter Threat Unit team, responded that it had no direct knowledge of, or involvement in, the case. "Presumably, from CrowdStrike's perspective, the decision to allow access to any client assets or systems sits with their client rather than with them," he added.

"We can't confirm the contextual analysis and data interpretation that CrowdStrike included in their report or any political affiliations or views they may or may not support.

"However, the malware sample they reference (6f7523d3019fa190499f327211e01fcb) does exist and does appear to be the Android version of a X-Agent. X-Agent is a malware family believed to be uniquely used by IRON TWILIGHT."

Pilling said the new part of the AP story was what he called a "deep dive analysis" of the dataset collected by SecureWorks.

SecureWorks was also asked whether the company had resorted to hacking to obtain all the data that it had handed over to AP. Pilling replied that the company "never exceeds legal authority in any part of the world in pursuit of threat research. In addition, we have a strong internal code of ethics which guides our actions and how we work. Illegal unauthorised access of any system is strictly forbidden".

"The data we collected was all made publicly available through a legitimate free analytics service provided by at the time. This service has since been amended and is no longer available in the form that we were able toleverage to collect this dataset."

Asked about the AP's treating the allegations that hackers disrupted the US elections as an article of faith, Pilling said the data SecureWorks had collected pertained to "a long running email compromise operation that also included political groups and related individuals in the US".

"Based on our data we can't confirm that any targeted accounts were actually compromised. However, taken in conjunction with reporting from other vendors describing actual network compromises, at the DNC for example, and with the unauthorised public dissemination of email addresses that align with individuals that appear in our dataset, it certainly appears that in some cases IRON TWILIGHT was successful," he said.

"So we have supporting evidence of some level of criminal activity, but we leave it to the ongoing Congressional and law enforcement investigations to determine what role, if any, this may have played in potentially illegal activity relating to the US election."

In its story, AP had pointed to the fact that most of the work done by Fancy Bear was reportedly during the daylight hours of Moscow. iTWire pointed out to Pilling that most hackers are known to work during the wee hours when network resources are less congested and when there is less chance of being discovered; additionally, experienced hackers would hide their tracks, knowing full well that timestamps are one of the most revealing of things.

Pilling was cautious in his response. "Analysing the working pattern of an adversary is not an exact science and by itself does not provide definitive evidence," he said. "However it is a solid contributing argument to a wider attribution case.

"The TV stereotype of a hacker might see them operating late at night, but in our experience, professional hackers (criminal- and government-backed) tend to work much the same hours as a normal person would in their own time zone.

"An amateur might hack in the evening outside of their day job but mostly out of necessity rather than as a strategy. Also, hacking late at night 'to avoid detection' only applies if you're hacking someone in your time zone. In addition, in this case IRON TWILIGHT were sending phishing emails rather than moving through someone else's network so if doesn't make sense that they would need to 'do it at night to avoid detection'."

He said the working time analysis was derived over months and across thousands of data points. "Quite an effort to sustain just to make it appear as if they were working standard hours in a different time zone," he added.

Finally, iTWire pointed out that AP's claim, that the Russia link was backed up by the fact that the interests of the hackers seemingly aligned with that of the Kremlin, did not always hold water. The case of WikiLeaks founder Julian Assange was cited – he has no connection to any US government department but hacked into a number of federal US facilities when he was young.

Pilling did not offer a direct reply to this. His response was that people hacked into government and private contractors for different reasons.

"As we have mentioned, the data SecureWorks collected shows much wider targeting than just US political figures and has a focus that would

  1. "not lead one to infer that the intent of the operation was criminal financial gain; and
  2. "represents a spread of individuals that would most likely be of interest to the Russian Government.

"This is in addition to the wider technical links to other operations conducted by IRON TWILIGHT, the resources they can command and the targets they go after. Much of this information has previously been published by SecureWorks and other vendors using terms such as Fancy Bear, Pawn Storm, APT28 and Strontium. There is a wealth of supporting material available online."

Read 3299 times

Please join our community here and become a VIP.

Subscribe to ITWIRE UPDATE Newsletter here
JOIN our iTWireTV our YouTube Community here


Thoughtworks presents XConf Australia, back in-person in three cities, bringing together people who care deeply about software and its impact on the world.

In its fifth year, XConf is our annual technology event created by technologists for technologists.

Participate in a robust agenda of talks as local thought leaders and Thoughtworks technologists share first-hand experiences and exchange new ways to empower teams, deliver quality software and drive innovation for responsible tech.

Explore how at Thoughtworks, we are making tech better, together.

Tickets are now available and all proceeds will be donated to Indigitek, a not-for-profit organisation that aims to create technology employment pathways for First Nations Peoples.

Click the button below to register and get your ticket for the Melbourne, Sydney or Brisbane event



It's all about Webinars.

Marketing budgets are now focused on Webinars combined with Lead Generation.

If you wish to promote a Webinar we recommend at least a 3 to 4 week campaign prior to your event.

The iTWire campaign will include extensive adverts on our News Site and prominent Newsletter promotion and Promotional News & Editorial. Plus a video interview of the key speaker on iTWire TV which will be used in Promotional Posts on the iTWire Home Page.

Now we are coming out of Lockdown iTWire will be focussed to assisting with your webinars and campaigns and assistance via part payments and extended terms, a Webinar Business Booster Pack and other supportive programs. We can also create your adverts and written content plus coordinate your video interview.

We look forward to discussing your campaign goals with you. Please click the button below.


Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.

Share News tips for the iTWire Journalists? Your tip will be anonymous




Guest Opinion

Guest Reviews

Guest Research

Guest Research & Case Studies

Channel News