
US Govt Data Shows Russia Used Outdated Ukrainian PHP Malware - Natsu
https://www.wordfence.com/blog/2016/12/russia-malware-ip-hack/
======
matheweis
The conclusions are of particular note:

"The IP addresses that DHS provided may have been used for an attack by a
state actor like Russia. But they don’t appear to provide any association with
Russia. They are probably used by a wide range of other malicious actors,
especially the 15% of IP addresses that are Tor exit nodes.

The malware sample is old, widely used and appears to be Ukrainian. It has no
apparent relationship with Russian intelligence and it would be an indicator
of compromise for any website."

~~~
gtirloni
That's the conclusion anyone working in the security/network area was bound to
arrive at.

It's really interesting FBI/DHS would make those claims publicly when the
chance of having any hard evidence of that would be minimal. But they still
did it. Why?

~~~
Gustomaximus
To me the ongoing 'Russia rigged elections' smells like propaganda from the
other side. And maybe russia did release the DNC emails, but Assange said that
wasn't the case and I feel he's more likely to be telling the truth than state
players. And even if they did release these emails it's hardly rigging an
election. Comey's email announcement at the 11th hour about reopening the email
investigation was probably a deciding variable and that was hardly Russian
led.

Your question of 'why' seems to be the scariest. US led activities have been
encircling Russia and pressing influence right to their borders for some time.
For me I feel it's too far and they are cornering the bear. Probably there is
too much resource in the 'spy' world and they have to do something to justify
their position, hence the older generation keep the pressure on Russia from
their cold war agenda or they are looking to pick a fight. The latter being
very scary.

...but really I'm no expert and just wonder why countries can't put more effort
into looking after their own populations' needs. All this spy/military
expenditure seems so wasteful.

~~~
threeseed
Nobody said Russia rigged the election. The issue was the attempts to
influence the election, which Russia has a long, documented history of doing.
And the US had an obligation to respond which they did with minimal
effect. So claiming all of this was about propaganda really makes no sense
given the facts on the ground.

And please remember why Russia's relations with almost all of the world
deteriorated in the first place. It's because they annexed Crimea
(unprecedented for our generation) and allowed soldiers and weapons to flood
into Ukraine which then resulted in Flight 117 being shot down.

Nobody is looking for a fight with Russia but capitulating and doing nothing
is not an answer either. Diplomatic sanctions have been the correct response
and I don't see anyone asking for an escalation of that.

~~~
whitemale
> So claiming all of this was about propaganda really makes no sense given the
> facts on the ground.

Where are those facts? please show hard evidence. So far I haven't seen any
hard evidence that proves it was the state of Russia who orchestrated the
hacks.

> And please remember why Russia's relations with almost all of the world
> deteriorated in the first place. It's because they annexed Crimea
> (unprecedented for our generation) and allowed soldiers and weapons to flood
> into Ukraine which then resulted in Flight 117 being shot down.

If you believe that Russia is absolutely bad and the US and Ukraine are
infinitely good and righteous, then you might want to look at what the other
side says:
[https://www.youtube.com/watch?v=-KHCNk9BYy4](https://www.youtube.com/watch?v=-KHCNk9BYy4)

The fact that the majority of the Crimean population is Russian, should give
you a hint that maybe there is more to this story than what the Western media
says.

[https://en.wikipedia.org/wiki/Crimea#Demographics](https://en.wikipedia.org/wiki/Crimea#Demographics)

I have yet to see Putin making an aggressive announcement, however US
officials continuously keep making threats and sanctions.

> Nobody is looking for a fight with Russia but capitulating and doing nothing
> is not an answer either. Diplomatic sanctions have been the correct response
> and I don't see anyone asking for an escalation of that.

Destroying diplomatic relations and throwing sanctions sound like looking for
a fight to me. I fail to see anything good coming out of this.

~~~
Isinlor
"You don't understand, George, that Ukraine is not even a state. What is
Ukraine? Part of its territories is Eastern Europe, but the greater part is a
gift from us." Said by Putin in 2008, Bucharest -> 2014, Crimea annexation and
Ukraine in war.

Polish president in 2008 was saying "Today Georgia, tomorrow Ukraine, the day
after Baltic States and then maybe even Poland". He died in Russia in an
airplane accident in 2010 when going for the anniversary of the Katyn massacre, a mass
murder of Polish intellectuals, politicians, and military officers by the
Soviets during World War II.
[https://en.wikipedia.org/wiki/Katyn_massacre](https://en.wikipedia.org/wiki/Katyn_massacre)

I'm from Poland and I can tell you that having USA military bases in Poland is
a big win for every political force in my country. Left, right, liberal,
socialists agree - we want to keep Russians as far as possible. Last Russian
tanks left Poland in 1993 and I don't want to see them back. Not in my
lifetime nor after I'm gone. I'm happy to go with Donald Trump, Hillary Clinton,
Barack Obama, George W. Bush or whoever will be elected by the American
nation, just to stay as far as possible from Russians. And it's not that we
are that big fans of Americans, we just know the history way too well - we are
affected by it till this day.

If you want to see what happens when a person like Putin starts to say that
the last peace agreements are bad and borders need to be changed then look at
the second world war and the Polish history.
[https://en.wikipedia.org/wiki/Appeasement](https://en.wikipedia.org/wiki/Appeasement)

~~~
shard972
> If you want to see what happens when a person like Putin starts to say that
> the last peace agreements are bad and borders need to be changed then look
> at the second world war and the Polish history.
> [https://en.wikipedia.org/wiki/Appeasement](https://en.wikipedia.org/wiki/Appeasement)

So is that a fear in Poland? That peace with Russia would involve handing over
parts of your country to Russia?

~~~
ptaipale
More likely that a war with or annexation by Russia would begin by handing
over parts of your country to Russia.

Which is largely how World War II started in Europe: Stalin and Hitler agreed
on a partition of the lands in between, and together started a war to
implement that agreement, so that their armies could shake hands in the middle
of Poland.

~~~
gspetr
Your understanding of WW2 is lacking. It wasn't 2 bad guys who wanted to split
Europe. Britain and France were totally on board with Hitler at first:

[https://en.wikipedia.org/wiki/Munich_Agreement](https://en.wikipedia.org/wiki/Munich_Agreement)

"The agreement was signed in the early hours of 30 September 1938 (but dated
29 September) after being negotiated at a conference held in Munich, Germany,
among the major powers of Europe, excluding the Soviet Union."

The German-Soviet Molotov-Ribbentrop pact was signed in August 1939, almost a
year later.

~~~
ptaipale
I'm very well aware of that history, thank you. But the two guys with mustaches
were the ones actually going ahead with big time conquest in Europe.

Sure, Chamberlain was wrong with that peace in our time and handing Bohemia to
Hitler. But obviously he had difficulty in going to war over it, as well.

And Arthur Harris would have been hanged as a war criminal if Britain had been on the
losing side against Germany. But that's a different story. The two dictators
and systems in their countries were the ones most responsible for bloodshed.

------
natch
I don't know how much of the HN community is old enough to remember Colin
Powell just prior to the first Iraq war, getting up in front of the UN and the
whole world for that matter, and asserting that there was ironclad proof that
Iraq had weapons of mass destruction (which we came to know as WMD). Different
parts of the government had the same talking points and it was all presented
as irrefutable facts. But the evidence General Powell laid out was not
convincing to me at all, or to many other people. Grainy photos, reports of
known arms dealers appearing in coffee shops or hotel lobbies at the same time
as other key people.. it was all circumstantial and ended up being utter and
complete bullshit.

This wave of claims with "incontrovertible" (but secret!) evidence that
"Russia hacked the US" seems like the same kind of thing. I doubt they have
proof, even if they say they do... even if their claims are made in good
faith, they could be dead wrong. And more importantly I doubt the underlying
premise, that Russia would even be so stupid as to try such a thing. The
American people are stupid enough to vote ourselves into this situation; we
didn't need any help from the outside for it to happen. There may have been
hacks, but I doubt they were orchestrated by the Russian government and I
REALLY doubt the credibility of the US government making claims about this
kind of thing after their past record with things like the Iraq WMD.

~~~
ChuckMcM
I think it is reasonable to be skeptical of government claims but it is also
important to clearly distinguish between these two cases. In the WMD situation
the government was analyzing the actions of two third parties (the Hussein
government and arms dealers) engaged in activities outside of the US. In this
hacking situation these are actions being taken against US entities.

I don't believe anyone disputes that the DNC and other agencies "were
compromised" (I'm sure John Podesta did not release all of his email
voluntarily for example). So unlike the WMD scenario it seems incontrovertibly
clear that some actor did do this.

A number of non-government people have identified the servers, malware, and
techniques as originating either in Russia or the Ukraine. Krebs has written
several times on gangs that have stolen credentials this way.

Finally people have signatures in their actions, they learn things in one way
and they do things in that way. That has been true since the beginning of
time. I remember identifying other Amateur Radio operators by the way in which
they keyed code.

As a result, unlike the alleged WMD development efforts, I don't think anyone
disagrees that various people were hacked, or that the groups that hacked them
are associated with Russian and Ukrainian interests. The only question is
whether or not they did so at the behest of their government or just for the
lulz.

If anonymous were still around I expect they could get away with whatever
pranks they wanted to play on Russian interests at the moment. The interesting
question is whether the government would shield them from any Russian
retaliation.

~~~
natch
The level of gullibility displayed here is stunning. I completely agree that
the fact of a hack existing is undisputed. However, electronic records,
perhaps more than any records, lend themselves to being faked.

It's amusing that you would cite the example of the style of code keying of
amateur radio operators. In WWII this was known as the "fist" of the operator.
I refer you to appendix one of Leo Marks' excellent book "Between Silk and
Cyanide" for just one account of how the opposing sides were able to study and
fake each others' styles to create subterfuge. (You can thank me later for
turning you on to a fantastic read.)

There may not be actual "fists" involved here but the point is more general:
if an MO can be studied and understood, it can also be faked. For whatever
reason. It could be part of a false flag operation. Alternatively, maybe it's
not fake, but is done by rogue actors who carry their signature activities
with them whether they are working for one interest or another.

Even with direct access to all the actual purported evidence, which we do not
have, I still doubt we would know. And without seeing the evidence, I have to
fall back on what I have learned about people in the US government, which is
that they are often interested in saving face and finding scapegoats, even if
it means inflicting collateral damage.

~~~
ChuckMcM
Hmm, I don't nominally think of myself as "stunningly gullible."

Let's unpack this statement though: _However, electronic records, perhaps more
than any records, lend themselves to being faked._

It is certainly true that someone can edit and change electronic records and
the tampering of such records, unless explicitly protected against, can be
made indistinguishable from untampered records. But what is much more
difficult is to tamper with records from a wide variety of unrelated sources
to show the same thing.

For example, it is certainly possible for me to construct a record that says
my "source IP" is KREMVAX[1] and to even have the source IP "logged" at the
destination site as the origination point. But it is not possible for me to
easily alter the s-flow records at Cogent which shows that the packet
originated on a port on a router which is sitting in California. Yes, I can buy
a VPS in the Ukraine using bitcoin that has gone through several mixers but I
cannot completely erase all of the packet sources that lead to that VPS. Yes,
I can build an "IP over DNS" tunnel to disguise my traffic to the VPS as
"harmless" DNS traffic but I cannot disguise how those DNS packets are
propagated in the larger web.

The point I'm trying to make is that if you _are_ a state actor (like the 17
intelligence agencies of the US) and the events leave traces (which they do),
it is entirely feasible to unwind packet traces, money paths, and network
events to the exact origin point. I was at Google when the Chinese did it to
Google and got to watch on the sidelines the amazing amount of resource that
could be brought to bear on the problem. And what is more, _that_ incident and
others less well publicized have led to still more infrastructure which is
completely passive and observational and captures all packet flows and meta
data.

As a result, I find it completely believable that the origin of those attacks
can be identified with certainty.

I believe it is reasonable to be skeptical about motivations and or command
chain that led to the attacks.

[1] A stand in for some IP Block allocated to Russia

~~~
natch
I wasn't just thinking of records tampered after the fact. There is also the
problem of genuine records created by the orchestrated actions of an imposter
conducting a ruse. This would be the false flag possibility. I'm not saying I
believe this is a likely scenario; just that it's a possible one.

And yes it would be hard for an imposter to leave all the right evidence. But
if there is a hunt for a scapegoat and easy evidence is left in plain sight,
there's a great temptation to just cherry pick that evidence, even if it's
incomplete.

I don't know that the US isn't cherry picking and distorting whatever evidence
they have. Sometimes the interests of multiple entities in government all
align such that they put all their weight behind promoting one particular
scapegoat. What you saw at Google must have been fascinating... is there a
writeup? I was in the courtroom for the Wen Ho Lee hearings and got to watch
(and privy to some behind the scenes stuff) the amazing amount of resources
that could be brought to bear against an innocent scapegoat, and the
contortions government actors would bend to in order to omit countervailing
evidence and advance their false narrative.

False narratives have happened in other cases too... example, compare the New
Yorker account of the killing of Osama bin Laden:
http://www.newyorker.com/magazine/2011/08/08/getting-bin-laden with
Seymour Hersh's revisiting of the same episode, which tells a completely
different story: http://www.lrb.co.uk/v37/n10/seymour-m-hersh/the-killing-of-osama-bin-laden
\-- sometimes political expediency drives the investigation, more so
than analysis of real facts.

>As a result, I find it completely believable that the origin of those attacks
can be identified with certainty.

Strong statement. I was under the impression that TAO had tools which allowed
them to hack many routers (potentially then rewriting the logs you speak of?)
And I would expect they would not be alone in this. But even if you're right
that they (on the inside of the investigation) can know with certainty, and
even if going a step farther they DO know with certainty, we (on the outside)
probably never will know. Too bad, because it would be nice to be able to
trust our own government.

Edit: >have led to still more infrastructure which is completely passive and
observational and captures all packet flows and meta data.

OK that is kind of cool... or scary... depending on whether you are a black
hat or not in whatever realm you're living under.

------
jwdunne
Anyone who has run a wordpress or vbulletin site has probably seen this at
some point in time. Got tonnes of logs from IPs in Ukraine, Russia, China,
etc that crawl for holes and if they find one you will find something like
this somewhere. VBulletin is the worst - executable code is stored in the
database so that's where you'll likely find it.

I find it hard to believe this is what a state sponsored attack would look
like - in business, we see this all the time.

I would love to see some action taken on this, there's probably tonnes of time
and post business spent on these attacks. I just don't want to see that
solution in the form of slanderous claims that paint it as more than it is.
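The post above describes PHP backdoors dropped into WordPress installs and, on vBulletin, into database rows that the forum later executes. As an added example (not code from the Wordfence article or from either project), here is a small scanner that applies the same handful of obfuscation rules to file contents and to database rows alike. The rule set, the sample plugin text and the sample rows are constructed for illustration; a real deployment would read the files and query the plugin/template tables itself, and would need a far larger signature base.

```python
"""Added example: flag obfuscated PHP backdoor patterns in files and DB rows.

Not code from the Wordfence post, WordPress or vBulletin. RULES is an
illustrative subset of common webshell idioms; SAMPLE_FILES and SAMPLE_ROWS
are constructed inputs standing in for a web root and plugin/template tables.
"""
import base64
import re
from typing import Dict, List, Tuple

# (rule name, pattern). Each pattern targets one common backdoor idiom.
RULES: List[Tuple[str, re.Pattern]] = [
    # eval() fed by a decoder: eval(base64_decode(...)), eval(gzinflate(...)) ...
    ("eval_of_decoded_blob",
     re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    # request parameter passed straight to an execution primitive
    ("request_to_exec",
     re.compile(r"\b(?:eval|assert|system|passthru|shell_exec|exec|popen)\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b", re.I)),
    # preg_replace() with the deprecated /e modifier (evaluates the replacement)
    ("preg_replace_e",
     re.compile(r"preg_replace\s*\(\s*['\"].*?/[a-z]*e[a-z]*['\"]\s*,", re.I)),
    # a long base64-looking literal, typical of a packed payload
    ("long_base64_literal",
     re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]")),
    # $f = $_POST['f']; $f(...)  -- variable function name taken from the request
    ("variable_function_from_request",
     re.compile(r"\$\w+\s*=\s*\$_(?:POST|GET|REQUEST|COOKIE)\[[^\]]+\]\s*;\s*\$\w+\s*\(", re.I)),
]


def scan_blob(source: str, text: str) -> List[Dict[str, str]]:
    """Run every rule over one piece of text; return one finding per matching rule."""
    findings: List[Dict[str, str]] = []
    for name, pattern in RULES:
        m = pattern.search(text)
        if m:
            findings.append({"source": source, "rule": name,
                             "snippet": text[m.start():m.start() + 60]})
    return findings


def scan_files(files: Dict[str, str]) -> List[Dict[str, str]]:
    """files maps path -> content. Every file is scanned: backdoors are routinely
    parked in uploads/ with innocent-looking names, so no extension filter here."""
    out: List[Dict[str, str]] = []
    for path, content in files.items():
        out.extend(scan_blob(path, content))
    return out


def scan_db_rows(rows: List[Tuple[str, int, str]]) -> List[Dict[str, str]]:
    """rows are (table, row id, text) tuples, e.g. from a plugin or template table."""
    out: List[Dict[str, str]] = []
    for table, row_id, text in rows:
        out.extend(scan_blob(f"{table}#{row_id}", text))
    return out


# Constructed sample web root. The backdoor body is assembled at runtime so the
# literal in the file is a real base64 blob, as it would be on disk.
_PAYLOAD = base64.b64encode(b"if(isset($_POST['c'])){eval($_POST['c']);}").decode()
SAMPLE_FILES: Dict[str, str] = {
    "wp-content/plugins/hello.php": "<?php\nfunction hello_world() { return 'Hello, World!'; }\n",
    "wp-content/uploads/2016/12/cache.php": f"<?php eval(base64_decode('{_PAYLOAD}')); ?>",
    "includes/legacy.php": '<?php $out = preg_replace("/.*/e", $_POST["x"], ""); ?>',
}

# Constructed sample rows from a vBulletin-style plugin/template table.
SAMPLE_ROWS: List[Tuple[str, int, str]] = [
    ("plugin", 1, "$this->register_hook('global_start');"),
    ("plugin", 2, "$f = $_POST['f']; $f($_POST['a']);"),
    ("template", 9, "<?php assert($_REQUEST['cmd']); ?>"),
]

if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES) + scan_db_rows(SAMPLE_ROWS):
        print(f"{finding['source']}: {finding['rule']}: {finding['snippet']!r}")
```

The hit list is a triage queue, not a verdict: each finding should be followed by reading the code and comparing the file against a known-good copy of the plugin or theme.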

------
lngnmn
It is ridiculous to think that the Russkies planned and executed these hacks as
a deliberate operation with a clear objective to derail the election or
whatever it might be.

Some guys routinely spreading primitive phishing spam got lucky and got a
password or two and gained the access to emails. Just this. No super spy
hacking operations. It does not even work that way - chance is the main
factor.

How the emails turned up on Wikileaks is another question, but, again, they
have been published because they have been _already_ hacked by some primitive
phishing gang, not super-intelligent top-tier mega-hackers paid by the evil
KGB.

The whole idea of a deliberate planned KGB operation is an utter nonsense. It
was kids with PHP crap. One should look for the brokers. They could have been
among the 35 kicked out guys.

~~~
jansenv
Plus it seems clear that many of the leaks were leaks, not hacks. RIP Seth
Rich

------
lern_too_spel
This is the type of amateur analysis I would expect from a "Wordpress
security" professional, certainly not front page worthy.

He completely ignored what this malware was used for. The attack was a
spearphishing campaign by APT29 that used hosts compromised with this malware
to send emails from legitimate government domains to targeted individuals in
the DNC and the US Government. The emails themselves contained malware that
has _only ever been used by APT29_.

Separately, APT28 ran a spearphishing campaign that directed recipients to a
webmail domain _hosted on APT28 operational infrastructure_ to change their
passwords.

This Joint Analysis Report is telling the government agencies whose
infrastructure was used to send the spearphishing emails to secure their
Wordpress installations to help reduce the risk of government infrastructure
being used to send legitimate-looking spearphishing emails.

------
crucialfelix
The php malware is the least interesting piece of all the alleged activity.
Being a version behind isn't significant. It's a simple common hacker tool. My
postgresql is a few versions behind. So what? If RIS had used obvious elite
tools with impressive functionality then it would point straight to them. It's
much smarter to look amateur.

The JAR should have declassified something juicy. They put out this weak
report, revealed nothing and now critics will attack and win. Maybe it's the US
that are a bunch of amateurs.

~~~
matt_wulfeck
The USA puts "hackers" in jail, and the ones they hire might not even get a
job if they admit to smoking weed in college. This is a country where you can
get prison time for using someone's open wireless network. There's hostility
towards hackers here from ignorant judges and lawmakers who come down hard on
things they don't understand.

They win by pressuring US companies with incentives/contracts (Juniper) or
jail time (Qwest) to weaken or backdoor their products for US and foreign
buyers.

Their own citizens are kept in the dark with secret court orders with dubious
constitutionality. "Amateur" is being generous.

------
ryanlol
I posted most of this stuff earlier, incl. the actual samples which someone
here might be interested in.

[https://news.ycombinator.com/item?id=13280068](https://news.ycombinator.com/item?id=13280068)

Based on the conclusions the authors of the article don't seem to understand
the purpose of these IoCs. Individually they aren't all intended to be 100%
solid indicators that you were targeted in this campaign, but to be used as a
whole.
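The point made above, and in the quoted conclusion that 15% of the listed IPs are Tor exit nodes and the malware sample is generic, is that a single indicator match proves little; the indicators are meant to be correlated. As an added example (not code from the Wordfence post or from the Joint Analysis Report), here is a small correlator that weights hits by indicator type, down-weights anonymising infrastructure, and only reports a strong match when independent indicator types agree. The indicator values, the Tor exit list, the weights and the sample events are all constructed; nothing here is a real JAR entry.

```python
"""Added example: correlate IoC hits across log sources instead of treating
a single IP match as evidence of a particular actor.

Not code from the Wordfence post or the DHS/FBI report. IOCS, TOR_EXITS,
WEIGHTS and SAMPLE_EVENTS are constructed for illustration.
"""
import hashlib
from typing import Dict, List, Tuple

# Constructed indicator feed (type -> values). Not real JAR entries.
IOCS: Dict[str, set] = {
    "ip": {"203.0.113.7", "198.51.100.21"},
    # SHA-256 of a constructed one-line PHP backdoor, standing in for a webshell hash
    "sha256": {hashlib.sha256(b"<?php eval(base64_decode($_POST['c'])); ?>").hexdigest()},
    # domain a spearphishing mail claims to come from (constructed)
    "sender_domain": {"mail.example.gov"},
}

# Constructed: feed IPs that are also Tor exit nodes. A hit on one of these
# says "somebody used Tor", not "a particular actor was here".
TOR_EXITS = {"203.0.113.7"}

# Assumed per-type weights: shared/anonymising infrastructure is nearly
# worthless on its own; a malware hash or a phishing sender carries more.
WEIGHTS = {"ip": 1.0, "ip_tor": 0.1, "sha256": 3.0, "sender_domain": 2.0}


def match_event(event: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (indicator_type, value) pairs that one log event matches."""
    hits: List[Tuple[str, str]] = []
    ip = event.get("src_ip")
    if ip in IOCS["ip"]:
        hits.append(("ip_tor" if ip in TOR_EXITS else "ip", ip))
    digest = event.get("sha256")
    if digest in IOCS["sha256"]:
        hits.append(("sha256", digest))
    domain = event.get("from", "").rpartition("@")[2].lower()
    if domain in IOCS["sender_domain"]:
        hits.append(("sender_domain", domain))
    return hits


def score_events(events: List[Dict[str, str]]) -> Tuple[float, Dict[str, List[str]]]:
    """Sum weighted hits over all events and group matched values by type."""
    by_type: Dict[str, List[str]] = {}
    total = 0.0
    for ev in events:
        for kind, value in match_event(ev):
            by_type.setdefault(kind, []).append(value)
            total += WEIGHTS[kind]
    return total, by_type


def verdict(events: List[Dict[str, str]]) -> str:
    """'no-match'; 'weak' (one indicator family, or only low-value hits);
    'strong' (independent indicator families agree and the score is high)."""
    total, by_type = score_events(events)
    if not by_type:
        return "no-match"
    # Tor and plain IP hits are the same family of evidence for independence.
    families = {"ip" if k == "ip_tor" else k for k in by_type}
    if len(families) >= 2 and total >= 3.0:
        return "strong"
    return "weak"


WEBSHELL_HASH = next(iter(IOCS["sha256"]))

# Constructed sample events from three log sources (web, file scan, mail).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"src_ip": "203.0.113.7", "path": "/wp-login.php"},            # Tor exit node
    {"src_ip": "192.0.2.44", "path": "/"},                         # unrelated visitor
    {"sha256": WEBSHELL_HASH, "path": "/wp-content/uploads/x.php"},
    {"from": "it-support@mail.example.gov", "subject": "Password reset"},
]

if __name__ == "__main__":
    total, hits = score_events(SAMPLE_EVENTS)
    print(f"score={total:.1f} hits={hits} verdict={verdict(SAMPLE_EVENTS)}")
```

Run on the Tor-exit event alone the verdict is "weak"; on the webshell hash alone it is still "weak", which is the thread's point that the sample is an indicator of compromise for any site rather than of a specific actor. Only when the mail, file and network sources agree does it become "strong".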

------
Tsiolkovsky
This website has no political affiliation; completely unbiased research. Their
conclusion:

"The IP addresses that DHS provided may have been used for an attack by a
state actor like Russia. But they don’t appear to provide any association with
Russia. They are probably used by a wide range of other malicious actors,
especially the 15% of IP addresses that are Tor exit nodes. The malware sample
is old, widely used and appears to be Ukrainian. It has no apparent
relationship with Russian intelligence and it would be an indicator of
compromise for any website."

------
Lintaris
Someone around the GOP could merely have hired a hacker from Eastern Europe or
Russia specifically to do the hacking.

I find it troubling that this avenue was not explored.

~~~
Natsu
If we're going to speculate, I'd say Kim Dotcom is more suspicious based on
his tweets. I thought he tweeted some statements indicating foreknowledge of
certain leaks, but I never investigated it carefully.

EDIT: I'm certainly not claiming he did anything, I read this as just sour
grapes, but look for yourself at a sample -
[http://imgur.com/a/zv174](http://imgur.com/a/zv174)

EDIT 2: This is more like it -
https://www.bloomberg.com/politics/articles/2015-05-14/kim-dotcom-julian-assange-will-be-hillary-clinton-s-worst-nightmare-in-2016

~~~
shimon_e
I don't know why OP is being down voted. Kim Dotcom tweeted he had early
access to the leaks. It feels like a more plausible theory to me than the one
the Obama administration is pushing. He announced his intention to be "an
Internet Freedom fighter" and "Hillary's worse nightmare in 2016" back in
2014.

Look at this tweet from 10 hours ago: "My old hacker firm Data Protect hacked
100% of its clients."
[https://twitter.com/KimDotcom/status/815373371001028608](https://twitter.com/KimDotcom/status/815373371001028608)

Another tweet from a few days ago claiming: "I know with 100% certainty that
@Russia & @PutinRF_Eng had nothing to do with Clinton related election hacks!"
[https://twitter.com/KimDotcom/status/814593453963083776](https://twitter.com/KimDotcom/status/814593453963083776)

It surely seems like Kim Dotcom wants people to think he is involved.

~~~
Natsu
There's always heavy downvoting in these threads. Look for interesting
discussion to upvote to counter.

Thanks for those tweets, yes, he has done a lot of things that make him at
least suspicious. I wouldn't take him seriously at all if not for the fact
that he predicted some of this.

Incidentally, for those mentioning McAfee, I see no reason to take that guy
seriously, nor am I presently aware of him displaying any foreknowledge of any
of this.

