December 29, 2016 – Tech experts disagree with Crowdstrike’s assessment and are critical of the FBI/DHS Joint Analysis Report (JAR)

In Email Timeline Post-Election 2016, Email/Dossier Investigations by Katie Weddington

(…)  “Breitbart News has interviewed tech experts who do not agree with the CrowdStrike assessment or Obama administration’s claims that the DNC/DCCC hacks clearly committed by Russian state actors, with much criticism aimed at the FBI/DHS Joint Analysis Report (JAR) “Grizzly Steppe” that was released at the end of December. As ZDNet reported after the JAR report was released by the Obama administration on the same day that they announced sanctions against Russia:

Mark Maunder, CEO, Wordfence (Credit: public domain)

The JAR included “specific indicators of compromise, including IP addresses and a PHP malware sample.” But what does this really prove? Wordfence, a WordPress security company specializing in analyzing PHP malware, examined these indicators and didn’t find any hard evidence of Russian involvement. Instead, Wordfence found the attack software was P.AS. 3.1.0, an out-of-date, web-shell hacking tool. The newest version, 4.1.1b, is more sophisticated. Its website claims it was written in the Ukraine.

Mark Maunder, Wordfence’s CEO, concluded that since the attacks were made “several versions behind the most current version of P.A.S sic which is 4.1.1b. One might reasonably expect Russian intelligence operatives to develop their own tools or at least use current malicious tools from outside sources.”

Rob Graham, CEO of Errata Security (Credit: public domain)

True, as Errata Security CEO Rob Graham pointed out in a blog post, P.A.S is popular among Russia/Ukraine hackers. But it’s “used by hundreds if not thousands of hackers, mostly associated with Russia, but also throughout the rest of the world.” In short, just because the attackers used P.A.S., that’s not enough evidence to blame it on the Russian government.

Jeffrey Carr (Credit: public domain)

Independent cybersecurity experts, such as Jeffrey Carr, have cited numerous errors that the media and CrowdStrike have made in discussing the hacking in what Carr refers to as a “runaway train” of misinformation.

For example, CrowdStrike has named a threat group that they have given the name “Fancy Bear” for the hacks and then said this threat group is Russian intelligence. In December 2016Carr wrote in a post on Medium:

A common misconception of “threat group” is that [it] refers to a group of people. It doesn’t. Here’s how ESET describes SEDNIT, one of the names for the threat group known as APT28, Fancy Bear, etc. This definition is found on p.12 of part two “En Route with Sednit: Observing the Comings and Goings”:

As security researchers, what we call “the Sednit group” is merely a set of software and the related network infrastructure, which we can hardly correlate with any specific organization.

Unlike CrowdStrike, ESET doesn’t assign APT28/Fancy Bear/Sednit to a Russian Intelligence Service or anyone else for a very simple reason. Once malware is deployed, it is no longer under the control of the hacker who deployed it or the developer who created it. It can be reverse-engineered, copied, modified, shared and redeployed again and again by anyone.

Despite these and other criticisms from technical experts with no political ax to grind, the House Intelligence Committee has called no independent cybersecurity professionals to challenge the Democrats’ claims of “Russian hacking” that have been repeated ad naseum by the media.

Instead of presenting counter-arguments to allow the general public to make up their own minds, the House committee has invited Shawn Henry and Dmitri Alperovitch from CrowdStrike. (Read more: Breitbart, 3/09/2017)