detailed retelling of the crowdstrike saga, etc

From Russia, with Panic
Yasha Levine, The Baffler, n.d.

Illustration: Yarek Wasul

The Russians hacked Pindostan. After Donald Trump’s surprise victory in November, these four words reverberated across the nation. Demagog Party insiders, liberal pundits, economists, congress critturs, spies, Hollywood celebrities, and neocons of every stripe and classification level, all these worthy souls reeled in horror at the horribly compromised new Pindosi electoral order. In unison, the centers of responsible opinion concurred that Vladimir Putin carried off a brazen and successful plan to throw the most important election in the most powerful democracy in the world to a candidate of his choosing. It seemed like a plotline from a vintage James Bond film. From his Moscow lair, Vladimir Putin struck up an alliance with Julian Assange to mount a massive cyber-offensive to discredit Hillary Clinton and her retinue of loyal Demagog Party operatives in the eyes of the Pindo creeple. The plot was full of twists and turns and hair-raising tangents, including tales of Pindo-Russian retiree-agents sunning in Miami while collecting payoffs from Russia’s impoverished pension system. But the central ruse, it appears, was to enter the email server of the DNC and then tap into the gmail account belonging to John Podesta, founder of the Center for Pindosi Progress and premier DC Demagog insider. As the long 2016 general election campaign unwound, WikiLeaks released a steady stream of embarrassing revelations from the DNC, though the disclosures were no more compromising than what you’d find in the correspondence of any mid-sized private-sector company: dumb boardroom gossip, petty press intrigues, and sleazy attempts to undermine a well-placed executive rival, Bernie Sanders. Truly, it would have been astonishing to learn that the DNC went about its business in any other way. But the sheer fact of the data breach was dispositive in the eyes of Demagog operatives and their many defenders in the liberal press. After all, WikiLeaks also reportedly collected data from the RNC and did nothing with it. Clearly this was cyber-espionage of the most sophisticated variety.

On the Trump side of the ledger, things were murkier. Trump’s political advisers indeed had ties to Russia and Ukraine, but this was hardly surprising given the authoritarian-friendly lobbying climate within Faschingstein. During the campaign, the GOP nominee was disinclined to say anything critical about Putin. Indeed, breaking with decades of Republican tradition, Trump openly praised the Russian leader as a powerful, charismatic figure who got things done. But since the candidate also refused to disclose his tax returns, a commercial alliance with the Russian autocrat was necessarily a matter of conjecture. That didn’t stop theories from running wild, culminating in January with the titillating report from BuzzFeed that Pindo intelligence agencies believed that Putin had compromising footage of Trump cavorting with prostitutes at a Moscow hotel previously patronized by Barack and Michelle Obama. Not only was the Yank stooge defiling the very room where the first couple had stayed, but he allegedly had his rented amorous companions urinate in the bed. Behold, virtuous Pindo sheeple, the degradation Vladimir Putin has in store for you!

Taking the Piss

The dossier published by BuzzFeed had been circulating for a while. On closer inspection, it appeared to be repurposed opposition research from the doomed Jeb Bush campaign. Its author was a former MI6 officer apparently over-eager to market salacious speculation. By the end of this latest lurid installment of the Russian hacking saga, no one knew anything more than they had when the heavy-breathing allegations first began to make their way through the political press. Nevertheless, the Obama White House had expelled Russian diplomats and expanded sanctions against Putin’s regime, while the FBI continued to investigate reported contacts between Trump campaign officials and Russian intelligence operatives during the campaign. This latter development doesn’t exactly inspire confidence. As allegations of Russian responsibility for the DNC hack flew fast and furious, we learned that the FBI never actually carried out an independent investigation of the claims. Instead, agency officials carelessly signed off on the findings of CrowdStrike, a private cyber-security firm retained by the DNC. Far from establishing an airtight case for Russian espionage, CrowdStrike made a point of telling its DNC clients what it already knew they wanted to hear. After a cursory probe, it pronounced the Russians the culprits. Mainstream press outlets, primed for any faint whiff of great-power scandal and poorly versed in online threat detection, likewise treated the CrowdStrike report as all but incontrovertible.

Other intelligence players haven’t fared much better. The DNI produced a risible account of an alleged Russian disinformation campaign to disrupt the 2016 election which hinged on such revelations as that state-sponsored TV news outlet Russia Today aired uncomplimentary reports on the Clinton campaign and reported critically on fracking. In a frustratingly vague statement to Congress on the report, then-DNI Clapper hinted at deeper and more definitive findings that proved serious and rampant Russian interference in Pindostan’s presidential balloting, but insisted that all this underlying proof must remain classified. For observers of the DC intelligence scene, Clapper’s performance harkened back to his role in touting definitive proof of the imminent threat of Saddam Hussein’s WMD arsenal in the run-up to the Pindosi invasion of Iraq. It’s been easy, amid the accusations and counter-accusations, to lose sight of the underlying seriousness of the charges. If the hacking claims are true, we are looking at a truly dangerous crisis that puts Pindostan’s democratic system at risk. The gravity of the allegation calls for a calm, measured, meticulously documented inquiry: pretty much the opposite of what we’ve seen so far. The level of wild assertion has gotten to the point that some of the most respected pro-Western voices in Russia’s opposition have expressed alarm. As much as they despise Putin, they don’t buy the bungled investigations. Leonid Bershidsky wrote:

In the real world outside of soap operas and spy novels, any conclusions concerning the hackers’ identity, motives and goals need to be based on solid, demonstrable evidence. At this point, it’s inadequate. This is particularly unfortunate given that the DNC hacks were among the defining events of the raging propaganda wars of 2016.

The lack of credible evidence, the opaque nature of cyber-attacks, the partisan squabbles and smears, and the national-security fear-mongering have all made this particular scandal very difficult to navigate. It may be years before we find out what really happened.

(long story about the Georgian cyber-war, omitted)

While the financial industry was teetering on the brink of oblivion, another industry was being born: the cyber-security complex. By now it is a multi-billion-dollar boondoggle, employing shoddy forensic techniques and politicized investigations. But it is highly profitable. The boom has been driven by the grim leaky reality of our digital world. Not a month goes by without some huge corporation or government agency getting hacked, its data splattered across the internet or siphoned off for the exclusive use of scammers, corporate spies, and intelligence agencies. Cyber-security firms have stepped up to the challenge. They’ve attracted funding from the biggest and most powerful venture capital houses: Sequoia, Google Capital, and the like. Not surprisingly, the CIA’s in-house VC outfit, In-Q-Tel, has been a leading investor in this space. All these firms position themselves as objective forensic investigators, patiently sifting through the evidence to find the guilty party and then figuring out how to defend against it. They have been involved with diagnosing and attributing big hacks for shamefaced clients like Target, J P Morgan and Sony Pictures. Investors and intelligence agencies sing the praises of the critical services these outfits offer in an online environment teeming with hostile threats. But in private conversations, as well as little-noticed public discussions, security professionals take a dimmer view of the cyber-security complex. And the more I’ve looked at the hysteria surrounding Russia’s supposed hacking of our elections, the more I’ve come to see it as a case study of everything wrong and dangerous about the cyber-attribution business.

Fancy Bears, Cozy Bears — Oh My!

Take CrowdStrike, the hottest cyber-security firm operating today. Based in Irvine, California, CrowdStrike was launched in 2012 by two veterans of the cyber-attribution business, George Kurtz and Dmitri Alperovitch. Both previously worked for McAfee, an anti-virus firm turned massive cyber-security firm, now partially owned by Intel. But Kurtz and Alperovitch saw a market opportunity for a new boutique type of cyber-defense outfit and decided to strike out on their own. They also brought on board Shawn Henry, a top FBI official who had been in charge of running the agency’s worldwide cyber-investigations. CrowdStrike positioned itself as a next-generation full-service cyber-security firm. Company officials argued that cyber-security was no longer just about defense. There was too much data and too many ways of getting at it to protect everything all the time. You had to know your attacker. CrowdStrike cofounder George Kurtz wrote:

Knowing their capabilities, objectives, and the way they go about executing on them is the missing piece of the puzzle in today’s defensive security technologies. By identifying the adversary, we can hit them where it counts.

CrowdStrike hit the big time in 2015 with a $100m infusion from Google Capital (now Capital G), Google’s first-ever investment in a cyber-security company. It was good timing, because CrowdStrike was about to be catapulted into the front ranks of cyber-threat assessors. Sometime in April or May, CrowdStrike got a call from the DNC to investigate a possible intrusion into their servers. The company’s investigators worked with surprising efficiency. As one DNC insider explained to the NYT, the company was able to make a definite attribution within a day. There was no doubt, CrowdStrike told its DNC clients: the Russian government did it. The results of CrowdStrike’s investigation were first broken by the WaPo and then followed up in greater detail by CrowdStrike itself. In a post entitled “Bears in the Midst,” Dmitri Alperovitch attributed the hack to two distinct and very nefarious “Russian espionage” groups, Cozy Bear and Fancy Bear, among the most sophisticated cyber-operators CrowdStrike had ever come across. He wrote:

In fact, our team considers them some of the best adversaries out of all the numerous nation-state, criminal and hacktivist/terrorist groups we encounter on a daily basis. Their tradecraft is superb, operational security second to none and the extensive usage of ‘living-off-the-land’ techniques enables them to easily bypass many security solutions they encounter.

These cyber-spooks were allegedly behind a string of recent attacks on Pindo corporations and think-tanks, as well as recent penetrations of the unclassified networks of the State Dept, the White House and the Joint Chiefs of Staff. According to CrowdStrike, Cozy Bear was most likely FSB, while Fancy Bear was GRU. Here, the cyber-experts were telling us, was conclusive evidence that both the FSB and the GRU targeted the central apparatus of the Demagog Party. CrowdStrike’s findings didn’t just cause a sensation; they carpet-bombed the news cycle. Reports that Vladimir Putin had tried to hack Pindostan’s democratic process raced around the world, making newspaper front pages and setting off nonstop cable news chatter. The story got even hotter after a hacker who called himself Guccifer 2.0 suddenly appeared. He took credit for the DNC hack, called CrowdStrike’s investigation a fraud, and began leaking select documents pilfered from the DNC, including a spreadsheet containing names and addresses of the DNC’s biggest donors. The story finally started going nuclear when WikiLeaks somehow got hold of the entire DNC email archive and began dribbling the data out to the public.

A Terrible System

CrowdStrike stuck to its guns, and other cyber-security firms and experts likewise clamored to confirm its findings: Russia was behind the attack. Most journalists took these security savants at their word, not bothering to investigate or vet their forensic methods or look at the way CrowdStrike arrived at its conclusions. And how could they? They were the experts. If you couldn’t trust CrowdStrike and company, who could you trust? Unfortunately, there were big problems with CrowdStrike’s account. For one thing, the names of the two Russian espionage groups that CrowdStrike supposedly caught, Cozy Bear and Fancy Bear, were a fiction. Cozy Bear and Fancy Bear are what cyber-monitors call “Advanced Persistent Threats” or APTs. When investigators analyze an intrusion, they look at the tools and methods that the hackers used to get inside: source code, language settings, compile times, time zones, IP settings and so on. They then compare all these things against a database of previously recorded hacks that is shared among cyber-professionals. If the attack fits an old profile, they assign it to an existing APT. If they find something new, they create a group and give it an official name (say, APT911) and then a cooler moniker they can throw around in their reports (say, TrumpDump). CrowdStrike followed the protocols for existing APTs. Its investigation of DNC servers turned up two known threat actor groups, APT28 and APT29. Depending on the cyber-security firm doing the analysis, these two APTs have been called by all sorts of names: Pawn Storm, Sofacy, Sednit, CozyCar, The Dukes, CozyDuke, Office Monkeys. Neither of them has ever been linked by any cyber-security firm to the Russian government with certainty. Some firms have tried, most notably FireEye, CrowdStrike’s bigger and wealthier competitor, but FireEye’s evidence was ridiculously thin and inferential. In nearly any other industry, it would have been an embarrassment. Consider for example FireEye’s report on APT29:

We suspect the Russian government sponsors the group because of the organizations it targets and the data it steals. Additionally, APT29 appeared to cease operations on Russian holidays, and their work hours seem to align with the UTC +3 time zone, which contains cities such as Moscow and St Petersburg.

Or consider FireEye’s report on APT28, which among other things attributes this attack group to a Russian intelligence unit active in Russia’s “invasion of Georgia,” an invasion that we know never took place.

They compile malware samples with Russian language settings during working hours consistent with the time zone of Russia’s major cities, including Moscow and St Petersburg. While we don’t have pictures of a building, personas to reveal, or a government agency to name, what we do have is evidence of long-standing, focused operations that indicate a government sponsor: specifically, a government based in Moscow.

So, FireEye knows that these two APTs are run by the Russian government because a few language settings are in Russian and because of the tell-tale timestamps on the hackers’ activity? First off, what kind of hacker, especially a sophisticated Russian spy hacker, keeps to standard 9-to-5 working hours and observes official state holidays? Second, what other locations are in Moscow’s time zone and full of Russians? Israel, Belarus, Estonia, Latvia, Moldova, Romania, Lithuania, Ukraine? If non-Russian-speaking countries are included, since after all, language settings could easily be switched as a decoy tactic, that list grows longer still: Greece, Finland, Turkey, Jordan, Lebanon, Syria, Iraq, Saudi Arabia, Somalia, Yemen, Ethiopia, Kenya. The countries go on and on. The flimsiness of this evidence didn’t stop CrowdStrike. Its analysts matched some of the tools and methods used in the DNC hack to APT28 and APT29, slapped a couple of Russian-sounding names with “bear” in them on their report, and claimed that the FSB and GRU did it. And most journalists covering this beat ate it all up without gagging. Author and cyber-security expert Jeffrey Carr told me:

You don’t know there is anybody there. It’s not like it’s a club and everyone has a membership card that says Fancy Bear on it. It’s just a made-up name for a group of attacks and techniques and technical indicators associated with these attacks. There is rarely if ever any confirmation that these groups even exist or that the claim was proven as correct.

Carr has been in the industry a long time. During the Russia-Georgia war, he led an open-source intelligence effort backed by Palantir in an attempt to attribute and understand the actors behind the cyber-war. I read his reports on the conflict back then, and even though I disagreed with some of his conclusions, I found his analysis nuanced and informative. His findings at the time tracked with those of the general cyber-security industry and bent toward implicating the Russian government in the cyber-attacks on Georgia. But these days Carr has broken with the cyber-world consensus:

Any time a cyber-attack occurs nowadays you have cyber-security companies looking back and seeing a historical record and seeing assignments on responsibility and attribution and they just keep plowing ahead. Whether they are right or wrong nobody knows, and probably will never know. That’s how it works. It’s a terrible system.

This is forensic science in reverse: first you decide on the guilty party, then you find the evidence that confirms your belief.
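The working-hours argument quoted from the FireEye reports can be weighed directly. The following is an added example, not code from the article, FireEye or CrowdStrike: it scores a constructed set of compile timestamps against every whole-hour UTC offset and lists all the offsets that fit the data about as well as UTC+3 does, which is the ambiguity the paragraph above is pointing at.

```python
from datetime import datetime, timedelta, timezone

# Local hours counted as a "working day" when scoring an offset (assumption).
WORK_START, WORK_END = 9, 18

# CONSTRUCTED sample: ten compile timestamps (UTC) that all land between
# 09:00 and 17:59 in UTC+3, i.e. the kind of clustering the quoted reports cite.
SAMPLE_TIMESTAMPS_UTC = [
    datetime(2016, 4, 18 + i % 5, hour, 15, tzinfo=timezone.utc)
    for i, hour in enumerate([6, 7, 8, 9, 10, 11, 12, 13, 14, 14])
]


def from_pe_timestamp(raw: int) -> datetime:
    """Convert a PE header TimeDateStamp (seconds since the Unix epoch) to a UTC datetime."""
    return datetime.fromtimestamp(raw, tz=timezone.utc)


def working_hour_fraction(timestamps, offset_hours: int) -> float:
    """Fraction of samples whose local time at the given UTC offset falls in working hours."""
    if not timestamps:
        return 0.0
    tz = timezone(timedelta(hours=offset_hours))
    hits = sum(1 for ts in timestamps if WORK_START <= ts.astimezone(tz).hour < WORK_END)
    return hits / len(timestamps)


def consistent_offsets(timestamps, threshold: float = 0.8) -> list:
    """Every whole-hour UTC offset (-12..+14) at which at least `threshold` of the samples
    fall in working hours. A long list means the timestamps carry little attribution weight."""
    return [
        off for off in range(-12, 15)
        if working_hour_fraction(timestamps, off) >= threshold
    ]


def rank_offsets(timestamps, top: int = 5) -> list:
    """Offsets sorted by working-hour fit (best first; ties broken by smaller |offset|)."""
    scored = [(off, working_hour_fraction(timestamps, off)) for off in range(-12, 15)]
    return sorted(scored, key=lambda pair: (-pair[1], abs(pair[0])))[:top]


if __name__ == "__main__":
    for off, frac in rank_offsets(SAMPLE_TIMESTAMPS_UTC):
        print(f"UTC{off:+d}: {frac:.0%} of samples in working hours")
    # For this sample UTC+1 through UTC+4 all pass the 80% bar, not just UTC+3.
    print("offsets consistent with the data:", consistent_offsets(SAMPLE_TIMESTAMPS_UTC))
```

Feeding real PE timestamps through `from_pe_timestamp` instead of the constructed sample gives the same kind of answer: a band of several offsets rather than a single city.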

Not for Attribution

Over time, bad evidence was piled on top of unsubstantiated claims and giant inductive leaps of logic to the point that, if you tried to figure out what was actually happening, you’d lose all sense of direction. Matt Tait, a former GCHQ analyst and founder of Capital Alpha Security who blogs under the influential Twitter handle @pwnallthethings, found a Word document pilfered from the DNC and leaked by Guccifer 2.0. As he examined its data signatures, he discovered that it had been edited by Felix Edmundovich (Dzerzhinsky, founder of the Cheka). To him, it was proof that Guccifer 2.0 was part of the same Russian intelligence operation. He really believed that the super-sophisticated spy group trying to hide its Russian ties would register its Microsoft Word processor in the name of the leader of the infamously brutal Soviet security service. Meanwhile, Thomas Rid, a cyber-expert based in London, drew a straight line from the DNC hacks to the attempted hacking of the Germans and TV5 to attacks on Georgia and Baltic States, even though on closer inspection none of those efforts had been linked to the Russian government. John Podesta’s Gmail account was hacked with a rudimentary spear-phishing attack that tricked him into entering his password with a fake Google login page. His emails ended up on WikiLeaks, too. All sorts of people linked this to Russian military intelligence, with no concrete evidence to speak of. Sensing its moment had arrived, CrowdStrike went into frenetic PR mode. The company released a series of cyber-attribution reports illustrated with sexy communist robots wearing fur hats, using visual marketing techniques in lieu of solid evidence.

After Donald Trump won the presidency, all these outlandish claims were accepted as unassailable truth. The “hacking” of the 2016 presidential election was the ultimate damning conclusion that cyber-security experts were now working backward from. Just as Georgia’s compromised net infrastructure provided conclusive proof of Russia’s concerted plan to invade Georgia, Trump’s improbably successful presidential run demonstrated that Russian subterfuge, rather than the collapse of Pindosi political institutions, had elected a dangerous outsider president. Watching this new round of cyber-attribution hysteria, I got a queasy feeling. Even Dmitri Alperovitch’s name sounded familiar. I looked through my notes and remembered why. He was one of the minor online voices supporting the idea that the cyber-attacks against Georgia were some kind of Russian plot. Back then, he was in charge of intelligence analysis at Secure Computing Corporation, a cyber-security company that also made censorship tools used by countries like Saudi Arabia. He was now not only running his own big shop, but also playing a central role in a dangerous geopolitical game. In other words, the election-hacking panic was a stateside extension of the battle first joined on the ISP frontiers of the Georgia-Russia war. Impressionable journalists and Demagog party hacks who ignore this background do so at their peril and ours.
