
Technical report on DNC hack [pdf] - jbegley
https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296.pdf
======
codedokode
I have looked through the report. The only useful information was brief
description of attack methods, everything else looks like a list of general
recommendations one can find on the OWASP website.

As I understand from report the main methods used were:

- sending emails with executable files that victims for some reason executed

- phishing

So, they used script kiddie level tools anyone could use (and they are cheap;
you don't have to buy expensive zero-day exploits on a black market). But of
course this could be done intentionally so it looks amateur-ish.

These attacks could be easily mitigated. First, OS and applications should not
run unknown files from the Internet (because some people got used to
double-clicking on everything they get in email); second, we should start using
physical cryptographic keys instead of passwords. Common people cannot handle
passwords: they either make easily guessed passwords or enter them everywhere
without thinking. I hate passwords too because they are hard to remember (and
please don't suggest that I should download some software and upload my
passwords to a "cloud" in an NSA-controlled country).

By the way, iOS is the only popular operating system I know that doesn't allow
executing files downloaded from the web or emails. Apple did it the right way.

The report also contains a pretty useless firewall rule named "PAS TOOL PHP
WEB KIT FOUND" that can be used to search malware in PHP files. It is
interesting that they have replaced digits in 'base64_decode' function name
with regexp as if there were any other similar functions.

~~~
StanislavPetrov
The "evidence" boils down to:

The Hackers drove a truck.

Russians drive trucks.

The Russians did the hacking.

While it's insulting that our government would try to pass off this drivel as
"evidence", I'm much more dismayed that so many of my fellow Americans will
uncritically accept it as such.

~~~
empath75
The actual evidence is probably closer to 'we have moles in the kremlin and
taps on their phones' but they're not exactly going to publish that are they.

~~~
mtgx
Wasn't the NSA spying on the whole Internet or something? Are you telling me
the NSA saw _no evidence_ of Russia hacking the DNC servers? They wouldn't
necessarily have to reveal their "methods" that it was the Russians if it was
the NSA catching them and not some Kremlin CIA spy.

But who knows, maybe they are too busy spying on hundreds of millions of
Regular Joes to watch out for all of the Russian attacks.

~~~
untog
Haven't the NSA already said they believe it was the Russians? As you suggest,
they would be the ones to know.

~~~
Kadin
The NSA doesn't, in general, publicly announce anything. They exist to supply
analysis to other branches of government, and only very rarely to the public
directly. So the absence of commentary from them in public doesn't indicate
that they haven't drawn conclusions and passed them along.

------
snowwrestler
Folks, the point of this report is not to justify the punitive actions taken
today. It is to provide information that companies can use to protect
themselves against similar attacks in the future.

So if you judge it by whether it "makes the case" against Russia, it will be
lacking. We don't need 100 comments pointing that out.

~~~
sigmar
It seems notable that many of these comments are jumping on this for not
providing proof that it was Russia, when that was not the intention of the
report.

The first page states-

>This JAR provides technical indicators related to many of these operations,
recommended mitigations, suggested actions to take in response to the
indicators provided, and information on how to report such incidents to the
U.S. Government.

~~~
parktheredcar
The bloomberg article I read
([http://archive.is/j5wRd](http://archive.is/j5wRd)) presented it as evidence.
Maybe other publications are doing the same.

>As part of the administration’s response, the FBI and Homeland Security
Department also released a report with technical evidence intended to prove
Russia’s military and civilian intelligence services were behind the hacking
and to expose some of their most sensitive hacking infrastructure.

~~~
mundo
The "evidence" cited is not the handful of unclassified details included, it's
the fact that the FBI and DHS are willing to go on record publicly accusing
Russia. There are no asterisks or weasel-words or "allegedly"s. Just a clear
"Russia did it."

There are only two possible explanations for that:

1) A massive conspiracy in which the leaders of practically the entirety of
the US military/intelligence community are willing to go on record with a hoax
that will easily be unraveled by the incoming administration in a few months

2) There is clear and damning evidence that Russia did it, but it's classified

~~~
naturally2014
I'd guess a third option, actually: It's just a best guess, but they don't
like being questioned.

If they had damning evidence it'd be in their interest to release it.

~~~
walshemj
Not if it would give any humint sources away, and they may have kicked out
people to allow a source to step into their shoes - as the UK did to put their
man in as the Resident in London.

~~~
porpoisemonkey
It's somewhat obvious from the context but for anyone not familiar with
military jargon I think the parent post meant to say "humint" instead of
"humit" which is short hand for "human intelligence" or in layman's terms
"spies".

~~~
walshemj
oops my bad

------
downandout
It seems unlikely that email hacking will stop in the future. If the leaked
emails actually influenced the elections, it was because of their content.
I've heard exactly zero credible claims that the leaked emails were falsified
in any way. Perhaps if political candidates/party executives are going to do
unethical/illegal things, they shouldn't discuss them over email.

Edit: changed "zero claims" to "zero credible claims"

~~~
khrakhen
> I've heard exactly zero claims that the leaked emails were falsified in any
> way.

Podesta and high-ranking Dems have leveled this very charge.

The extent of the DKIM signatures all being true makes this very unlikely.

RSA1024 and SHA-1 can be beaten, but not easily and not in this volume.

It is not E2E from the people authoring the e-mails, so the server maintainer
(often Google) could be forging and signing e-mails.

However, again, doing it the volume it would have had to be done is not
likely.

The DNC has backed off from the forgery accusations. Besides the asinine
nature of the accusations making them look bad, such accusations weaken their
grand thesis: Russia hacked them. If they open up the possibility that most or
all of the e-mails could have been fabricated whole cloth, then it undermines
the argument that Putin pulled off an ingenious heist of tens of thousands of
e-mails.

~~~
downandout
I suppose I should have said that I have heard no _credible_ claims that they
were falsified. Most of the denials I've heard were of the "I don't recognize
that" variety, which literally means nothing.

~~~
thehood
There was that Twitter post from John Podesta, "I've switched sides hi /pol/",
posted from his verified Twitter page.

[http://www.dailymail.co.uk/news/article-3835460/Now-Podesta-...](http://www.dailymail.co.uk/news/article-3835460/Now-Podesta-s-Twitter-account-gets-hacked-day-Clinton-campaign-chair-accuses-Russia-hacking-emails.html)

If the emails are fake, how could a password from the email dump be used to
log in to his Twitter page?

------
altendo
As an aside, for those looking to understand YARA rules, [1] provides a brief
introduction and [2] introduces how to write them. I needed to look it up
myself, but it seems relatively straightforward if you have a programming
background.

tl;dr: YARA rules are a method of categorizing malware based on their
characteristics. So the PDF here released a YARA rule to determine a specific
piece of malware used in the hack (it's not clear to me what it identifies,
other than a PHP script).

For convenience, here's the YARA rule presented in the PDF formatted to be
more readable:

    rule PAS_TOOL_PHP_WEB_KIT {
      meta:
        description = "PAS TOOL PHP WEB KIT FOUND"

      strings:
        $php = "<?php"
        $base64decode = /\='base'\.\(\d+\*\d+\)\.'_de'\.'code'/
        $strreplace = "(str_replace("
        $md5 = ".substr(md5(strrev("
        $gzinflate = "gzinflate"
        $cookie = "_COOKIE"
        $isset = "isset"

      condition:
        (filesize > 20KB and filesize < 22KB) and
        #cookie == 2 and
        #isset == 3 and
        all of them
    }

[1] [https://securityintelligence.com/signature-based-detection-w...](https://securityintelligence.com/signature-based-detection-with-yara/)

[2] [http://yara.readthedocs.io/en/v3.5.0/writingrules.html](http://yara.readthedocs.io/en/v3.5.0/writingrules.html)

EDIT: formatting

~~~
_cereal
> (it's not clear to me what it identifies, other than a PHP script)

It seems to be obfuscated code. The $base64decode string seems to be a regular
expression matching code that generates the PHP `base64_decode()` function name.

At some point the script would read a base64 string, which would be an encoded
PHP script retrieved from remote or included in the script. The output is then
executed through the `eval()` function. Like in this example:
[http://ideone.com/awhqOg](http://ideone.com/awhqOg)

~~~
eropple
This is a pretty common PHP payload idiom, yup yup. (It also is common with
proprietary PHP applications, CMS extensions, etc. that are happy to burn your
system performance to "protect their IP". I've been unwinding them since I was
twelve.)

------
coldcode
Jeez people, read the report, it isn't any kind of justification of anything,
it's just a fairly generic "don't do this", like I see 100 times a week at work.
The real details were likely shown to congress and the senate (or at least a
portion of it). Those are the only people who can say if the actual attack was
real or imagined. Do you think the British and Americans were going to publish
stories about Enigma back in WW2 in the Times during the war? There were like
a handful of people in the world who knew the details.

While we technical folks would love to see all the details that's not how
intelligence works. Some things have to be secret even though these days
everything becomes a conspiracy and a political controversy and a tweet storm.

That said I doubt anyone in either party committee had any idea how security
works; even worse is that much of the US government is (and will be) led by
political benefactors with an axe to grind and not people with a real clue
about modern security either, so expect nothing much different in the future
until someone hacks the nuclear "football".

~~~
dmix
> Do you think the British and Americans were going to publish stories about
> Enigma back in WW2 in the Times during the war? There were like a handful of
> people in the world who knew the details.

Well they plan on releasing the malware samples and evidence of the hack, so
I'm not sure what you mean here...

This isn't Enigma in war time. It's not even a denied operation like
Stuxnet (which also had malware samples found in the wild and plenty of
details on how it was spread and worked). It's standard nation state malware
from a foreign adversary, and the phishing email was already released from the
Podesta hack via Wikileaks.

The only question is how they connected the public leaks to Russia. Which most
people doubt they even have. But that detail won't stop the press from
believing it was one and the same. Even though any number of people could have
accessed it.

But otherwise simply connecting the hack to Russia and the hack itself is
hardly a mystery or interesting in itself. You're very much overselling that
which I'll just attribute to not knowing much about infosec.

From NYTimes:

>> The samples of malware were in what the Obama administration called a
“joint analytic report” from the F.B.I. and the Department of Homeland
Security that was based in part on intelligence gathered by the National
Security Agency. A more detailed report on the intelligence, ordered by
President Obama, will be published in the next three weeks, though much of the
detail — especially evidence collected from “implants” in Russian computer
systems, tapped conversations and spies — is expected to remain classified.

[http://mobile.nytimes.com/2016/12/29/us/politics/russia-elec...](http://mobile.nytimes.com/2016/12/29/us/politics/russia-election-hacking-sanctions.html)

Obviously they won't release every detail, especially regarding implants in
Russia, but they'll release more than just 'trust us'. They always do.

~~~
Natsu
I'll wait to actually see it first.

We know what nation state hacking looks like thanks to the leaks about the
NSA. There would normally be things like custom hardware or TEMPEST-like
tools, not kiddie level phishing scams.

------
sschueller
The Sony hack had more evidence than this...

Someone explain to me why this is such an issue?

There have been many proven hacks from many states that are far worse (the
Chinese fighter plane that looks almost identical to the F35 comes to mind)
than exposing the DNC's dirty laundry. No one is denying that the emails are
real. This seems like some sort of distraction.

~~~
etcet
> No one is denying that the emails are real.

Actually, Donna Brazile, who is inexplicably still the current chair of the
DNC, claimed the emails were falsified:
[https://youtu.be/P_WHsr07cbY?t=458](https://youtu.be/P_WHsr07cbY?t=458)

~~~
paganel
I wouldn't trust a person like Donna Brazile with running a thing as simple as
a banana stand; the fact that she claims the emails were falsified convinces
people like myself that they were indeed the real deal.

------
khrakhen
Great. Password expiration.

Cue everyone recycling a set of 10 unique passwords among devices and/or
writing passwords on Post-It notes on work computers at the office.

Only bit of truth in here was the phishing campaign. That could be anyone,
however. This is barely more advanced than the Nigerian bank scam e-mails.

Yet the POTUS says it's a sign of the highest levels of Russian government.

We've already been fed lies about e-mails being altered (DKIM signatures
disprove this) and now this PDF ignores the insider element in the
DNC/Wasserman-Schultz leaks.

What a joke. NIST, NSA, FBI, CIA et alia should be discredited almost entirely
at this point.

~~~
ue_
If I recall correctly, NIST recently issued guidelines specifically against
password expiration/recycling and against forced limits on what characters you
can have in your password.

~~~
khrakhen
Yep. All the more infuriating. They know better.

Among NGOs, private industry and the US government at most levels there has
been a movement away from password length limits, password expiration and SMS
as a second factor. (Even OTP and hashes may be replaced by U2F keys someday.)

Then we get this recommendation for password expirations.

Two steps forward, one back -- as always.

~~~
willstrafach
What? The old suggestion which government/enterprise followed was quarterly
password changes/rotation. This is no longer recommended by NIST though. How
is that bad?

------
__jal
This is a magic report.

Over the next 24 hours, it will transform a huge number of people into experts
on intelligence reporting requirements, hacking, sources and methods, and
diplomacy.

~~~
UnoriginalGuy
Respectfully, do you feel this is constructive discourse?

Because to me the purpose of your comment is to drag down other comments, even
yet unmade ones, into the mud. Invalidating everyone's opinion on this subject
except 0.1% of the population (namely very specific experts). Even politicians
or professional political commentators wouldn't meet your high bar.

And to the people who do feel like the bar should be set at "only experts are
allowed an opinion" then why stop on this issue? Why not branch it out to
every major political issue? Plus seemingly being well read on a topic is no
longer enough to have an informed opinion, qualifications are the only metric
by which we can measure an argument rather than the qualities of the argument
itself.

My point is that this is a dangerous argument that only seeks to result in the
silence of commentators. It only detracts rather than adds to the discussion's
value.

~~~
__jal
I was commenting on the phenomenon in which random "facts" from narrow
professional niches are cherry-picked to make politically motivated arguments.

The show is playing now on the usual blogs, so rest easy. If I had been making
an oblique argument attempting to shut people up, I failed rather miserably.

------
wongarsu
Page 5 lists a YARA signature named "PAS_TOOL_PHP_WEB_KIT" that is supposed to
match some kind of payload from the attack. It looks generic but is
surprisingly specific.

A quick search reveals that it happens to exactly match [1] (if you fix a few
obvious bugs where the github code uses $COOKIE instead of $_COOKIE, or
produces base64decode instead of base64_decode. The attackers probably fixed
that in production). Apart from the exact combination of three `isset` and two
`_COOKIE`, that code starts with the unusual sequence `<?php
$l___l_='base'.(32*2).'de'.'code';` which happens to be matched by the (also
very unusual) regex from the report. It also ticks all other boxes from the
provided signature.

I just found that within five minutes by searching github. It seems like an
encrypted payload that can be executed by visiting the php page while having
the password in a POST parameter or in a Cookie.

I'm not an expert, but the encryption looks very simple. Maybe somebody feels
up to the challenge to try some statistical analysis or similar on it?

[1]
[https://github.com/Nu11ers3t/Null/wiki](https://github.com/Nu11ers3t/Null/wiki)
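To make the rule's clauses concrete for both altendo's formatted rule above and the match discussion in this comment, here is an added example (not from the report or from either commenter) that re-implements the PAS_TOOL_PHP_WEB_KIT logic in plain Python and runs it over constructed inputs: a padded lookalike that only reproduces the string patterns (its payload is inert filler), the same file at a size outside the 20KB-22KB window, a variant whose name-building expression lacks the `'_de'` fragment the regex requires, and a benign script that calls `base64_decode()` by name. The `build_lookalike` and `evaluate_pas_rule` helpers are this example's own, not YARA's API.

```python
import re

# Size clauses from the rule; YARA's KB suffix means 1024 bytes, bounds exclusive.
SIZE_MIN = 20 * 1024
SIZE_MAX = 22 * 1024

# The rule's fixed strings, keyed by their YARA identifiers.
PLAIN_STRINGS = {
    "php": b"<?php",
    "strreplace": b"(str_replace(",
    "md5": b".substr(md5(strrev(",
    "gzinflate": b"gzinflate",
    "cookie": b"_COOKIE",
    "isset": b"isset",
}

# $base64decode: a PHP expression that assembles the name "base64_decode" at
# runtime, e.g. ='base'.(32*2).'_de'.'code'. Any two integers multiplied in
# parentheses are accepted; the '_de' fragment is mandatory.
BASE64_DECODE_RE = re.compile(rb"='base'\.\(\d+\*\d+\)\.'_de'\.'code'")


def evaluate_pas_rule(data: bytes) -> dict:
    """Evaluate each clause of PAS_TOOL_PHP_WEB_KIT and return the breakdown.

    Counts mirror YARA's #identifier (number of matches of that string);
    'all of them' requires every string, including the regex, to match once.
    """
    counts = {name: data.count(s) for name, s in PLAIN_STRINGS.items()}
    counts["base64decode"] = len(BASE64_DECODE_RE.findall(data))
    size_ok = SIZE_MIN < len(data) < SIZE_MAX
    cookie_ok = counts["cookie"] == 2
    isset_ok = counts["isset"] == 3
    all_of_them = all(c > 0 for c in counts.values())
    return {
        "filesize": len(data),
        "size_ok": size_ok,
        "cookie_ok": cookie_ok,
        "isset_ok": isset_ok,
        "all_of_them": all_of_them,
        "counts": counts,
        "match": size_ok and cookie_ok and isset_ok and all_of_them,
    }


def build_lookalike(target_size: int = 21 * 1024,
                    name_expr: bytes = b"'base'.(32*2).'_de'.'code'") -> bytes:
    """Constructed lookalike (hypothetical, not the real kit).

    It reproduces only the string patterns the rule keys on; the 'encrypted
    payload' is replaced by filler so the file can be padded to any size.
    """
    head = (
        b"<?php\n"
        b"$l___l_=" + name_expr + b";\n"
        b"$k=isset($_COOKIE['k'])?$_COOKIE['k']:(isset($_POST['k'])?$_POST['k']:'');\n"
        b"if(!isset($k[0])){exit;}\n"
        b"$h=$k.substr(md5(strrev($k)),0,8);\n"
        b"$blob='"
    )
    tail = b"';\n$out=gzinflate($l___l_(str_replace(\"\\n\",'',$blob)));\n"
    filler = max(0, target_size - len(head) - len(tail))
    return head + b"A" * filler + tail


# Constructed benign script: calls base64_decode() by name, no runtime name building.
BENIGN_PHP = (
    b"<?php\n"
    b"$t = isset($_COOKIE['session']) ? base64_decode($_COOKIE['session']) : '';\n"
    b"echo gzinflate(str_replace(' ', '', $t));\n"
)

if __name__ == "__main__":
    samples = [
        ("lookalike 21KB", build_lookalike()),
        ("lookalike 19KB", build_lookalike(19 * 1024)),
        ("no '_de' fragment", build_lookalike(name_expr=b"'base'.(32*2).'de'.'code'")),
        ("benign", BENIGN_PHP),
    ]
    for label, blob in samples:
        r = evaluate_pas_rule(blob)
        print(f"{label:18} size={r['filesize']:6d} match={r['match']} counts={r['counts']}")
```

The size window and the exact `#cookie`/`#isset` counts are what keep the rule from firing on ordinary PHP that happens to use `gzinflate` and cookies; the name-building regex is what ties it to this obfuscation idiom.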

~~~
codedokode
I would like to add some details about a username in case someone didn't
understand its meaning. The github username spells like 'nullers'. 'Nulling'
is a slang word meaning removing license protection from commercial web
applications like CMS (and usually publishing them for everyone to use like
some type of modern Robin Hood) and 'nullers' are the people who do it.

The code has a payload (probably a web shell) encrypted with a password that
should be sent via a cookie or a variable in the POST request body. The
encryption has some serious weaknesses.

The @masrermike's comment
[https://news.ycombinator.com/item?id=13281312](https://news.ycombinator.com/item?id=13281312)
has a link to the tool that could be used to encrypt the payload.

In case anyone is interested, I can post the formatted code (the payload is
still encrypted): [http://pastebin.com/sVLsGTub](http://pastebin.com/sVLsGTub)

------
ryanlol
    ~ grep IPV4 JAR-16-20296.csv|awk -F ',' '{print $1}'|sed 's/[][]//g'|sort -u|grep -f exits -c
    191
    ~ grep IPV4 JAR-16-20296.csv|awk -F ',' '{print $1}'|sed 's/[][]//g'|sort -u|wc -l
    876

At least 191 of the IOC IPs are (probably random) Tor exit nodes :) The actual
number may very well be higher, I just grabbed the current exit node list from
[https://check.torproject.org/exit-addresses](https://check.torproject.org/exit-addresses)

Here's the PHP backdoor the YARA rule is for
[http://sprunge.us/ReFg](http://sprunge.us/ReFg) I'll probably put up the rest
of the samples in a sec.

Edit: Here, I uploaded most of the samples listed in the csv
[http://www.filedropper.com/samples_5](http://www.filedropper.com/samples_5)

Edit 2: The obfuscation used in the Russian PHP shells looked _awfully_
familiar, I think the shell they're using could very well be this one
[http://profexer.name/pas/download.php](http://profexer.name/pas/download.php)
originally shared on a .ru hacker forum.

~~~
grandalf
Wow, this should be the top comment.

------
AlexCoventry
There doesn't seem to be much new information there. A bunch of IP addresses,
file hashes to look for, and general network security advice, in addition to a
history of the attacks which was already public, and an explicit attribution
to the Russians.

They mention a phishing attack which took place after the election, but don't
give any further details.

------
Dolores12
This report is a joke. I didn't find any reasoning about attribution.

Here is the only valuable part:

    rule PAS_TOOL_PHP_WEB_KIT {
      meta:
        description = "PAS TOOL PHP WEB KIT FOUND"
      strings:
        $php = "<?php"
        $base64decode = /\='base'\.\(\d+\*\d+\)\.'_de'\.'code'/
        $strreplace = "(str_replace("
        $md5 = ".substr(md5(strrev("
        $gzinflate = "gzinflate"
        $cookie = "_COOKIE"
        $isset = "isset"
      condition:
        (filesize > 20KB and filesize < 22KB) and
        #cookie == 2 and
        #isset == 3 and
        all of them
    }

~~~
sigmar
Did you read the first page? This report has nothing to do with detailing or
justifying attribution.

~~~
ra1n85
Then why did the report attribute any of this to Russia without substantiating
those claims? It's one thing to detail mitigations, it's another to call out
Russia as the perpetrator without adding contextual value - the majority of
the addresses involved aren't Russian.

~~~
mundo
Did they really need to say, "We also have other data about the attack that
we're not publishing because it's classified"? Isn't that kind of safe to
assume?

~~~
ra1n85
When things like this are used as a pretext to sanction other countries, I
will assume nothing and expect data. The bogus weapons of mass destruction in
Iraq was enough to convince me that "just trust us" isn't sufficient data.

------
droithomme
Is this more or less reputable than the clear and unambiguous claims of Craig
Murray regarding the DNC leak, which he has stated clearly were the result of
him personally traveling to DC, acquiring the data dump face to face from a
non-Russian DNC insider, and then returning to the UK to give them to Assange
himself? If the us-cert.gov report is to be believed, then both Assange and
Murray are liars. Both cannot be true. Who is more credible? Perhaps we can
compare the history of truth reliability in claims from each party? Would that
be a reasonable approach to ascertain who is lying here and who is telling the
truth?

~~~
BryantD
Craig Murray said he got the document drop in September, right? Didn't
Wikileaks start publishing emails earlier than that? (Sincere question, I
don't understand the timeline here.)

~~~
droithomme
Thank you BryantD, that is a relevant and useful contribution.

Per wikileaks:

> "Starting on Friday 22 July 2016 at 10:30am EDT, WikiLeaks released over 2
> publications 44,053 emails and 17,761 attachments from the top of the US
> Democratic National Committee -- part one of our new Hillary Leaks series.
> The leaks come from the accounts of seven key figures in the DNC:
> Communications Director Luis Miranda (10520 emails), National Finance
> Director Jordon Kaplan (3799 emails), Finance Chief of Staff Scott Comer
> (3095 emails), Finance Director of Data & Strategic Initiatives Daniel
> Parrish (1742 emails), Finance Director Allen Zachary (1611 emails), Senior
> Advisor Andrew Wright (938 emails) and Northern California Finance Director
> Robert (Erik) Stowe (751 emails)."

Per Craig Murray:

"Craig Murray, former British ambassador to Uzbekistan and a close associate
of Wikileaks founder Julian Assange, told Dailymail.com that he flew to
Washington, D.C. for a clandestine hand-off with one of the email sources in
September."

[http://www.dailymail.co.uk/news/article-4034038/Ex-British-a...](http://www.dailymail.co.uk/news/article-4034038/Ex-British-ambassador-WikiLeaks-operative-claims-Russia-did-NOT-provide-Clinton-emails-handed-D-C-park-intermediary-disgusted-Democratic-insiders.html)

Perhaps Craig Murray meant September 2015, or perhaps the Daily Mail wrote the
wrong thing down. If neither of these is true, there's a serious discrepancy
in these claims. Lacking such an explanation, the reasonable conclusion here
given the date discrepancy would be that either Ambassador Murray or the Daily
Mail is lying about the dates.

------
maxlybbert
At least the report is short. As others have stated, it doesn't really lay out
any new evidence to believe the Russian government was behind the hack. It
lays out information that almost looks like evidence, such as a list of
usernames, but doesn't discuss how the information is relevant to anything.
There is an assertion that three teams were involved, and that two teams
communicated with each other, but no discussion of where this information
comes from or why anyone should care how many teams there were. I get the
feeling that there's a message for someone, but I'm certainly not the intended
recipient.

The advice on avoiding similar hacks in the future is a grab bag. Near the end
it encourages using /etc/shadow on POSIX systems. I installed Linux on my
personal computer in 1999. Since then, I've installed several Linux
distributions, FreeBSD, OpenBSD, Plan 9, Inferno, etc. I can't remember any
installation offering to store password hashes in /etc/passwd. Some of the
advice is better, but not all of it is. I'm honestly disappointed. Perhaps
this is a wake-up to somebody, but I would hope Sony's hack would have already
served that purpose.

------
crb002
I've done security remediation for the U.S. Govt. About the same vulns you
would expect on 2003 PHP apps that haven't been updated since (OS or
otherwise). Congress doesn't budget for server/app maintenance, simple as
that.

------
varjag
We'll probably never know the name of the poor intern tasked to slap this
together overnight.

Hope the main report due in 3 weeks has some substance.

------
dominotw
>In spring 2016, APT28 compromised the same political party, again via
targeted spearphishing.

I think I might have missed it, but how did they conclude that it was 'APT28'?

> APT28 is known for leveraging domains that closely mimic those of targeted
> organizations and tricking potential victims into entering legitimate
> credentials. APT28 actors relied heavily on shortened URLs in their
> spearphishing email campaigns.

Aren't these standard phishing 101 techniques? What makes them specific to
'APT28'? This 'report' looks like someone googled 'phishing 101' and 'web
security 101' and copy-pasted a bunch of stuff from Wikipedia.

~~~
JohnTHaller
An intelligence agency won't declassify how they determined who it was. That
would compromise their ability to use the same method (informant,
vulnerability, etc) in the future.

They are standard techniques. It doesn't say they are unique. Just that this
hacker relies on these specific standard techniques as opposed to other ones.

~~~
Dolores12
>An intelligence agency won't declassify how they determined who it was.

Yeah, just like a weapon of mass destruction in Iraq. We can't tell how we got
this information, but we know for sure. Then a few years later it turns out
there is no WMD found. Oops. Sorry.

Give me a reason to trust them again?

~~~
okreallywtf
Why trust them in the first place, look at the evidence and if you disagree
with a conclusion, be able to say why.

This is the whole problem we're dealing with right now - people just decide
they do or do not trust something. Don't agree with a fact check? Just call it
bogus and move on; even though it might be a 50-point case they make, why
bother finding a flaw in their reasoning and using that to refute their
conclusion when you can just be a cynic and shrug it off? Don't agree with
climate change? Just pick the 1 totally debunked study that supports your case
and ignore the 1000 that don't that haven't been debunked.

So I ask, in the analyses that have come out (not just this one), what do you
disagree with? As far back as June crowdstrike released a report [1], I assume
you went through it in detail and can point to flaws in its reasoning as well?

[1] [https://www.crowdstrike.com/blog/bears-midst-intrusion-democ...](https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/)

~~~
grandalf
The basic flaws I'd mention are:

- Multiple state actors (or well-funded non-state actors) likely compromised
the emails.

- A state actor could also have faked the "trail" that points to Russia.

- The rest of the evidence is circumstantial.

Sure, if we pretend we live in a pre-stuxnet, script kiddie sort of world,
this was likely a high level state sponsored attack, but it seems preposterous
that a state actor would be so sloppy:

If you were Putin wishing to try to use spearphishing to get access to specific
accounts, you would not source that work to groups that were known to work
with your government. You'd set up a fake Nigerian operation so that if found
it would look like the email address had been randomly chosen from a list of
many used by some Nigerian person to try to scam a few thousand dollars.

This is not akin to thinking three or four moves ahead, it's simply thinking
one move ahead.

~~~
dv_dt
Exactly, it could just as easily be China making it look like Russia did it...

~~~
rokosbasilisk
Yeah, this made me think of Chinese black PR groups too.

Hillary was not liked in China or Korea.

------
jordache
Wtf? The majority of the report is copy-and-pasted security risk descriptions.

------
rplst8
Interestingly it says only one political party was hacked.

~~~
halflings
Only one (the DNC) was compromised, yes, but the phrasing about which
organizations/politicians were targeted by the emails is ambiguous, so one
might think that they also targeted Republicans.

------
cekvenich3
'The U.S. Government assesses that information was leaked to the press and
publicly disclosed.'

Who in US Government?

What information was leaked?

~~~
1_2__3
Are you under the impression that different parts of the US government
typically "speak" with different voices? This was an official government
publication, that means "Who" is "The US Government", period.

~~~
jessaustin
Yes, I am under that distinct impression. Most noteworthy political and legal
matters amount to precisely that.

------
PaulHoule
That big list of code names is a hoot; it seems they mixed the names of
soldiers from Metal Gear Solid 5 with a list of names they got off a small IRC
server, as well as some codenames out of James Bond novels Ian Fleming never
wrote, plus some fragments of MIME headings salted with just a little bit of
line noise.

------
Abishek_Muthian
"At least one targeted individual activated links to malware hosted on
operational infrastructure of opened attachments containing malware" - I pity
that individual; I'm sure he's getting blamed in the party like 'Hey,
aren't you the piece of work who clicked a link'.

~~~
peter_retief
It may have been many; I hear stories that the average user isn't that clued
up. Dumb users should be sandboxed, but if it's your main people it's a bit
tricky I guess.

------
jayess
First step to prevent "Russian hackers": Don't make your password "p@ssw0rd"

[https://wikileaks.org/podesta-emails/emailid/22335](https://wikileaks.org/podesta-emails/emailid/22335)

~~~
huherto
Trying to understand the context of the email.

From: Eryn Sepp <eryn.sepp@gmail.com> To: john.podesta@gmail.com

    Though CAP is still having issues with my email and computer, yours is good to go.=20
    jpodesta
    p@ssw0rd

It looks like it was a temporary password assigned by the sys admin (or tech
savvy friend).

Also, it is not clear how this was hacked since it seems to be a Gmail to Gmail
communication.

------
bjourne
The report released by the US govt only contains a bird's-eye view of the
hacking incident and not many technical details. But they do reference APT28
and APT29, which are described in reports from FireEye in 2014 and 2015:

    http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf
    https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf

The evidence is circumstantial, but there is so much of it that I think you
can confidently say that Russia is behind it. For example, compile times
pointing towards office workers in Moscow, Russian language settings and so
on.

Read the reports and make up your own minds!

------
ejcx
tl;dr - "ultra advanced cyber persistent cyber threat cyber actors" are
sending phishing emails and people are still clicking on them.

~~~
cmdrfred
And these people want to write laws on encryption...

~~~
oriettaxx
+100

------
jbeckham
Nothing about this supports a Russian attribution.

~~~
grandalf
We're supposed to trust them that it was not just Russian geographically but
the Russian government and also the highest levels of the Russian government.

~~~
15155
WMDs were in Iraq, too, didn't you hear?

------
w8rbt
They ought to encourage the use of prepared statements to defend against SQL
injections. It's the only way to handle that threat, yet the report does not
mention it:

_"5. Input Validation - Input validation is a method of sanitizing
untrusted user input provided by users of a web application, and may prevent
many types of web application security flaws, such as SQLi, XSS, and command
injection."_

    
    
    https://en.wikipedia.org/wiki/Prepared_statement
    https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
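
As an added illustration of the comment's point (not code from the report or the commenter), here is the difference between validating input and binding it, in Python with the standard sqlite3 module and constructed sample data: a quote-rejecting validator still lets a quote-free input rewrite a concatenated query against a numeric column, while the prepared-statement version binds the same input as data.

```python
import sqlite3

def make_db():
    """Constructed sample data standing in for a web application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "staff")])
    return conn

def reject_quotes(value):
    """A typical 'input validation' filter: refuse anything containing a quote."""
    if "'" in value:
        raise ValueError("quote character not allowed")
    return value

def user_by_id_concat(conn, id_text):
    """Vulnerable: the validated text is still spliced into the SQL, so on a
    numeric column an input with no quotes at all can extend the WHERE clause."""
    sql = "SELECT username FROM users WHERE id = " + reject_quotes(id_text)
    return sorted(row[0] for row in conn.execute(sql))

def user_by_id_prepared(conn, id_text):
    """Safe: the statement is compiled with a placeholder and the value is bound
    afterwards; whatever it contains, it is only ever compared against id."""
    sql = "SELECT username FROM users WHERE id = ?"
    return sorted(row[0] for row in conn.execute(sql, (id_text,)))

if __name__ == "__main__":
    db = make_db()
    benign, crafted = "2", "2 OR 1=1"   # constructed inputs; neither contains a quote
    print(user_by_id_concat(db, benign), user_by_id_concat(db, crafted))      # ['bob'] ['alice', 'bob']
    print(user_by_id_prepared(db, benign), user_by_id_prepared(db, crafted))  # ['bob'] []
```

The prepared version returns nothing for the crafted input because SQLite compares the bound text against the integer column and finds no match; the validator never had to understand SQL syntax.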

------
showmeevidence
Throwaway because I work in a related field.

Folks, now is the time that we need to make it clear that posturing and PR
statements do not constitute valid, independently verifiable evidence. As a
citizen of the United States, I am beyond terrified that our government has
made public statements, buttressed by newspaper articles supported by nothing
but anonymous sources[1], vilifying Russia for a nation-state-level
cyberattack. The support for such claims, as presented, is the
"sophistication" of the attack, which is not evidenced here (phishing is not a
particularly sophisticated means of entry). At best, this is a mistake, and at
worst, it reeks of anti-Russia propaganda that will only serve to escalate
tensions between the two countries. Every single person who absorbs a report
like this without seeking supporting evidence (note that this report
immediately starts by claiming Russia's involvement, and never provides
support) is, to some extent, culpable in a hypothetical reality where the US
Government is blatantly wrong about this one.

There's only one thing we can do at this point: File Freedom of Information
requests. The fine folks at Muckrock[2] make this absurdly easy. Send requests
to the CIA and FBI -- hold them accountable to their statements, which have to
date been unsupported, that Russia as a nation-state entity was behind
anything.

1: [http://www.nytimes.com/2016/12/09/us/obama-russia-election-hack.html?_r=1](http://www.nytimes.com/2016/12/09/us/obama-russia-election-hack.html?_r=1)

2: [https://www.muckrock.com](https://www.muckrock.com)

------
bobzibub
I think that there is a second assumption which is overlooked: Hypothetically,
let us assume that the Russians did break in and steal emails etc. Governments
do so all the time so it could well be true. Now the question to me is: why
would they release all the emails to Wikileaks? The emails seem relatively
benign and not very damning of HRC. Why not keep the information in your back
pocket until they can be researched and leveraged? Releasing them diminishes
their value to an intelligence agency. And why not release selected HRC's
(herself) emails? Surely the Russians could have gotten those if they tried.
Assuming she's not squeaky clean, they could have released selected individual
emails anonymously and ensured a Trump win, plus keep other assets for later.
Would a better hypothesis be that US intelligence services saw break-ins and
so released the information they knew foreign governments could be used as
leverage against a likely future president? This way they immunize against
the information's use, plus blame the Russians but the US would dearly like to
punish Russia for their victory in Syria anyway. This makes more sense to me
but am interested in why this hypothesis is wrong or less likely.

------
nukka
Seriously!

Here is technical analysis of one of the malware used.
[http://researchcenter.paloaltonetworks.com/2015/07/unit-42-technical-analysis-seaduke/](http://researchcenter.paloaltonetworks.com/2015/07/unit-42-technical-analysis-seaduke/)

Why does everyone think that only Russians can write such a malware, that too
in python!

Also, does it dawn on anyone that anyone can actually take this malware up
and reverse engineer it and repurpose it. All it takes is changing one JSON
blob embedded in the code to point to your own servers for CNC, use your own
AES IV/Key.

Also, I find it funny that they use embedded time stamps and resource locales
as a proof of anything. Didn't anyone ever use Resource Hacker or 'strings'
command? Is it really this hard to scrub or falsify timestamps in a DLL/EXE?

The most damning proof would have been some SSL certificate reused in a known
compromised server for CnC. I heard rumors around it but nowhere in the
analysis was this highlighted or discussed.

~~~
Natsu
This doesn't deserve to be downvoted.

------
Jabbles
Interesting date in footnote:

[http://msdn.microsoft.com/en-us/library/ff648653.aspx](http://msdn.microsoft.com/en-us/library/ff648653.aspx). Web site last accessed April 11, 2016.

Have they just copied this report from some general security advice and
prepended the latest attack at the top?

(Also, no https?)

------
geoffreyhale
Page 7: "Firewalls can be configured to block data from certain locations (IP
whitelisting)"

------
EvanAnderson
At least some of the DNC users who had VPN access (which, presumably
terminated "behind the firewall") had local Administrator rights on the PCs
they used [1]. Getting one of those people to load malware and piggybacking on
their VPN connection (letting them enter 2FA if there even was any) was likely
a cinch.

There's nothing that I've read anywhere that makes me think the DNC was any
kind of difficult target to compromise. Likely their information security
posture was on par with industry norms for small office networks -- absolutely
terrible.

[1] [https://wikileaks.org/dnc-emails/emailid/8763](https://wikileaks.org/dnc-emails/emailid/8763)

------
emmelaich
I remember two spates of gmail phishing, one in early 2015 that Google
responded to:

[https://googleblog.blogspot.com.au/2015/04/protect-your-google-account-with.html](https://googleblog.blogspot.com.au/2015/04/protect-your-google-account-with.html)

I think it's quite possible that this sort of warning actually may have
increased phishing attempts because it made malware authors aware of increased
possibilities.

From the report ...

> In summer 2015, an APT29 spearphishing campaign directed emails [ .. ]

PS. please don't use seasons instead of dates in reports, specify the quarter of
the year.

------
peache
Nonsense. I'm doing cybersecurity analysis for a Navy program this very day.
To the person that says "The attackers did use stealthy persistence techniques
often called 'rootkits'" \-- you know exactly nothing about what you're
talking about.

A rootkit is the means to obtain "root" permissions which is an exclusive
feature of UNIX/Linux operating systems. Powershell is a Windows product...
these systems are Windows based. No rootkit. Period.

------
zanethomas
Calling it a "report on the DNC hack" is a fine example of fake news.

------
rogerthis
What about the disclaimer at the top of the document?

------
peter_retief
Multiple failures in network security and silly users fall victim to
unsophisticated hackers, is this news or an apology ;)

------
monochromatic
They may have evidence it was the Russians, but it sure isn't in this report.

------
fraytormenta
ok i think i know what happened: Obama forced FBI to produce the report, but
they got nothing, so they filled it mostly with irrelevant slightly-more
complicated mumbo jumbo than Obama can understand to slide under his scrutiny,
and then he pushes it out to the public without first consulting an actual
security professional.

------
mastermike
It's clear that this is being done to validate their lies about the Russian's
hacking. The US-CERT report came out today on this. I understand all this
content and it is very limited scope. It does not provide any validation that
Russia was involved in any kind of hacking against the US. They described what
is probably the most common form of spear-phish hacking, put Russia's name on
it, and listed a bunch of other hacking tools which are made by hackers who
actually claim to be part of ISIS (probably CIA assets, looks to me like they
are trying to false flag this)
[https://en.wikipedia.org/w/index.php?title=Fancy_Bear&oldid=...](https://en.wikipedia.org/w/index.php?title=Fancy_Bear&oldid=678878855)

------
LargeCompanies
Ummm what piece of information in the leak caused Clinton to lose?

Reality check nothing because there were no bombshells found like James Comey
re-opening the FBI's investigation against that woman. A woman who nationally
especially compared to Obama is highly unlikeable with a horrible public
image. Though we're stuck with that crazy man... losing game either way!

~~~
cwkoss
\- HRC campaign got debate question before debate.

\- HRC campaign dictating what language journalists should use

\- DNC colluded with HRC campaign to attack Sanders before primary was
finished (or had even begun in some cases)

\- Evidence of DNC "Pied Piper" strategy to make the RNC nominate a 'crazy'
candidate like Trump.

\- Discussing how to paint the Sanders campaign as sexist.

I don't know if leaks were the deciding factor, but I think a handful of
leaked things contributed.

~~~
Natsu
All of which are odd things to be mad at Russia about.

