A critique by a cybersecurity expert concludes that the Grizzly Steppe report—issued the same day that President Obama announced sanctions against Russia for suspected hacking—raises new concerns that the Obama administration and departments like the FBI and Homeland Security may be playing fast and loose with the facts surrounding their allegation of “Russian hacking” of the election.
In a blog post, cybersecurity company CEO and writer Robert M. Lee said that a list included in the report muddies the waters about “whether the DHS/FBI knows what they are doing.”
The Grizzly Steppe report was hailed by the media as a significant step in the process of the Obama Administration making the case and proving its assertions about alleged Russian hacking. As the AP reported about the release:
The 13-page joint analysis by the Department of Homeland Security and the FBI was the first such report ever to attribute malicious cyber activity to a particular country or actors.
It was also the first time the U.S. has officially and specifically tied intrusions into the Democratic National Committee to hackers with the Russian civilian and military intelligence services, the FSB and GRU, expanding on an Oct. 7 accusation by the Obama administration.
Lee’s article, “Critiques of the DHS/FBI’s GRIZZLY STEPPE Report,” takes a detailed look at the report.
To be clear and fair to Mr. Lee’s analysis, he states his belief that Russia did, in fact, hack the DNC and he calls Obama’s explanation of reprisals against Russia “ultimately a strong and accurate statement.” Although he critiques aspects of the DHS/FBI report, Mr. Lee also says “POTUS’ statement, the multiple government agency response, and the validation of private sector intelligence by the government is wholly a great response.”
In other words, Mr. Lee is no Obama-basher and he’s even accepted the underlying argument—yet still publicly unproven—that the Obama administration has made about Russian involvement in the DNC hacking. This is exactly what makes his assessment of the Grizzly Steppe report so devastating—he’s broadly on the Obama administration’s side.
So when Lee says the Grizzly Steppe report “reads like a poorly done vendor intelligence report stringing together various aspects of attribution without evidence,” it’s stinging criticism.
Lee’s harshest judgment is reserved for a bizarre list in the 13-page report that might have slipped past readers who don’t understand what the list is, but immediately raised red flags for cybersecurity experts like Lee.
As Lee writes, “the list contains campaign/group names such as APT28, APT29, COZYBEAR, Sandworm, Sofacy, and others. This is exactly what you’d want to see,” before dropping the hammer by pointing out that “the government’s justification for this assessment is completely lacking.”
Lee goes on to explain in detail why the list is actually such an embarrassing mess:
…as the list progresses it becomes worrisome as the list also contains malware names (HAVEX and BlackEnergy v3 as examples) which are different than campaign names. Campaign names describe a collection of intrusions into one or more victims by the same adversary. Those campaigns can utilize various pieces of malware and sometimes malware is consistent across unrelated campaigns and unrelated actors. It gets worse though when the list includes things such as “Powershell Backdoor”. This is not even a malware family at this point but instead a classification of a capability that can be found in various malware families.
There’s no explanation for mixing the different data on the list, no explanation for what the list means, and no context for any of it.
Lee points out that “a mixing of data types that didn’t meet any objective in the report and only added confusion as to whether the DHS/FBI knows what they are doing or if they are instead just telling teams in the government ‘contribute anything you have that has been affiliated with Russian activity.’”
Others have also criticized the Grizzly Steppe report, with another cybersecurity expert named Jeffrey Carr stating that the report “adds nothing to the call for evidence that the Russian government was responsible” for the campaign cyber hacks.
The Obama administration has also ignored the role of Wikileaks, which published the damning revelations obtained from the hacks that showed DNC collusion to support Hillary Clinton in her primary bid against Bernie Sanders. Wikileaks founder Julian Assange has denied that the information came from the Russian government, and the Obama administration has not produced evidence that it did.