The story of the “Russian hackers” in the US has gone too far. It rests on no compelling public evidence, and the fact that reports about the hacker attacks are often so inflated that they defeat their own purpose is a problem only for those who care about disinformation campaigns and journalistic standards, which is a fairly small segment of the public. A new US government report, however, which aims to lay out the technical details of the recent break-ins organized by Russian intelligence, also fails to reach its goal, and in theory it can cause real damage to a far larger number of people and organizations.
The joint report by the Department of Homeland Security and the Federal Bureau of Investigation gave the “Russian malicious cyber activity” a rather loud name, “Grizzly Steppe,” and created unlimited possibilities for “false flag” operations that the US government has, in effect, promised to attribute to Russia.
The purpose of the paper is not to provide evidence of, say, Russian interference in the US presidential election, but to give US organizations a way to detect the steps of Russian cyber intelligence and to report incidents to the US government. It is meant to show network administrators what to look for. To that end the report includes a YARA rule, code used to identify malware. The rule refers to a piece of software called PAS PHP Web Tool Kit. Some inquisitive cybersecurity experts looked for it online and found that the software could easily be downloaded from profexer.name. As of Monday, January 2, the program was already available there, and researchers at Feejit, the developer of the Wordfence security plugin for WordPress, took screenshots of the site, which proudly stated that the product was made in Ukraine.
This, of course, does not have to be believed, since on the Internet anyone can be from anywhere. The alleged developer of the malware is active on a Russian hacker forum under the name Profexer. He advertised the free PAS program there and thanked sponsors who had donated sums from a few dollars to several hundred. The program is a so-called web shell, something a hacker installs on a compromised server in order to obscure the theft of files and further hacking. There are myriad such programs, and PAS “is used by hundreds if not thousands of hackers, who are often associated with Russia, but who could be anywhere in the world (judging by the posts on hacker forums),” as Robert Graham of Errata Security wrote in his blog last week.
The version of PAS referred to in the government report is several versions behind the current one.
“It is reasonable to assume that Russian intelligence agents develop their own tools or at least use up-to-date malware taken from external sources,” wrote Mark Maunder of Wordfence.
And that is not a very reasonable assumption either. Any hacker, whether connected with Russian intelligence or not, can use whatever tools and software he finds convenient, including an old version of a free program developed in Ukraine. Even Xagent, the backdoor strongly associated with the attacks of a hacker group linked to Russian intelligence, known as Advanced Persistent Threat 28 or Fancy Bear, can be used by almost anyone with sufficient knowledge in the field. In October 2016, ESET published a report stating that it had been able to obtain the complete source code of this malware. If ESET could get it, others can too.
Now that the American government has firmly tied PAS to Russian government-sponsored hackers, it has become an invitation for every second-rate attacker to use the program (or Xagent, which is also mentioned in the report) in order to pass off their illegal actions as the work of Russian intelligence. It does not help that the US authorities published a list of IP addresses associated with the Moscow attacks. Most of them have no obvious ties to Russia, and some are exit nodes of the Tor anonymity network, part of the infrastructure of the dark web. Anyone, anywhere, could use them.
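The point about published IP indicators can be made concrete in code. The following Python script is an added example, not from the article or from the government report it discusses: it triages each entry of a constructed indicator list against a constructed Tor exit-node list, then matches constructed web-server log lines against the list, so that a hit on shared anonymity infrastructure is flagged as low-confidence rather than read as attribution. All addresses are taken from the RFC 5737 documentation ranges and the exit-node set is a stand-in for a real feed.

```python
"""Triage an IP indicator list before turning it into alerts.

Added example, not code from the original article or any government report.
All IP addresses are constructed from RFC 5737 documentation ranges; the Tor
exit list is a constructed stand-in for a real exit-node feed.
"""
import ipaddress
import re

# Constructed: indicators as they might appear in a published IoC list.
PUBLISHED_IOCS = [
    "192.0.2.10",     # constructed: present in the Tor exit list below
    "192.0.2.11",     # constructed: also a Tor exit
    "198.51.100.7",   # constructed: routable, no corroborating context
    "203.0.113.250",  # constructed: routable, no corroborating context
    "10.0.0.5",       # constructed: private address, cannot be an internet source
    "not-an-ip",      # constructed: malformed entry
]

# Constructed stand-in for a Tor exit-node list (a real feed is fetched separately).
TOR_EXITS = {"192.0.2.10", "192.0.2.11", "192.0.2.12"}

# Address blocks that can never be an attacker's source on the public internet.
# Checked explicitly rather than via ip.is_private so that the RFC 5737
# documentation ranges used as sample data here still count as routable.
NON_ROUTABLE = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


def classify_indicator(raw, tor_exits=TOR_EXITS):
    """Return (indicator, verdict); the verdict says how much weight the IP carries."""
    try:
        ip = ipaddress.ip_address(raw.strip())
    except ValueError:
        return raw, "invalid: not an IP address"
    if any(ip in net for net in NON_ROUTABLE):
        return str(ip), "invalid: non-routable address"
    if str(ip) in tor_exits:
        return str(ip), "low: Tor exit node, shared by any Tor user"
    return str(ip), "unverified: routable, no attribution on its own"


def triage(iocs, tor_exits=TOR_EXITS):
    """Map every indicator to its verdict."""
    return dict(classify_indicator(i, tor_exits) for i in iocs)


# Apache/nginx combined-style access log: client IP is the first field.
LOG_LINE = re.compile(r"^(\S+) \S+ \S+ \[[^\]]+\] \"[^\"]*\" \d{3} \d+")

# Constructed access-log lines.
SAMPLE_LOG = """\
192.0.2.10 - - [02/Jan/2017:10:00:01 +0000] "POST /wp-content/uploads/x.php HTTP/1.1" 200 512
198.51.100.7 - - [02/Jan/2017:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 1024
203.0.113.9 - - [02/Jan/2017:10:00:09 +0000] "GET /about HTTP/1.1" 200 2048
"""


def match_log(log_text, iocs, tor_exits=TOR_EXITS):
    """Match log source IPs against the IoC list; each hit carries its triage verdict."""
    verdicts = triage(iocs, tor_exits)
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        src = m.group(1)
        if src in verdicts and not verdicts[src].startswith("invalid"):
            hits.append((src, verdicts[src]))
    return hits


if __name__ == "__main__":
    for ip, verdict in triage(PUBLISHED_IOCS).items():
        print(f"{ip:16} {verdict}")
    print()
    for src, verdict in match_log(SAMPLE_LOG, PUBLISHED_IOCS):
        print(f"hit {src:16} {verdict}")
```

A hit on a Tor exit tells the defender only that some Tor user touched the server; it is still worth a look at what that client did (here, a POST to a PHP file under an uploads directory), but it is not evidence of who was behind it, which is the article's point.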
Microsoft Word is a program developed in the United States. Nevertheless it is used by many people, even, would you believe it, agents of Russian intelligence. Similarly, a hacker living in the US who wants to obtain passwords and credit card numbers, and who also wants to raise his standing, can use any available malicious software, including programs developed in Russia and Ukraine.
The confusion has already begun. Last Saturday's edition of the Washington Post reported that “code associated with the Russian hacking operation called Grizzly Steppe” had been discovered on a computer at an energy company in Vermont, which triggered an avalanche of harsh comments from US politicians accusing Russia of trying to hack the US electrical grid. It soon became clear that the laptop was not connected to the power grid; and in any case, if what was discovered was the PAS program and this was immediately reported to government agencies, it was most likely a false alarm. Thousands of lone hackers send millions of phishing emails every day, waiting for an unsuspecting user to click a link and give them access to the computer. Now they have a convenient opportunity to use backdoors made in Russia to attack targets in the United States.
For Russian intelligence agents this has also become a good opportunity, provided they are not as lazy as the report's authors make them out to be. They need only switch from malware developed by Russian-speaking experts to something else. Since their work is credited to the Russian government on the basis of comments in the code written in Russian and other circumstantial evidence, and since cybersecurity experts and the US government are satisfied with this status quo, all they need is comments in Chinese or, say, German.
The American intelligence community is exposing itself to ridicule under political pressure from the outgoing administration and some hawks in Congress. It should stop doing so. It is impossible to identify the perpetrators of hacker attacks on the basis of programs and IP addresses available to everyone. Nor is there any need to: organizations and individual users need to prevent such attacks, not look for someone to blame after everything has already happened and the damage is done. The most informative part of the FBI and Department of Homeland Security report was, ironically, the section on risk-reduction measures. It speaks of the need to update software continually, train staff in the basics of cybersecurity, limit administrative privileges and use strong antivirus programs. In most cases this helps prevent attacks by Russian, Chinese and American hackers alike. American Democrats could have learned a great deal by taking this advice before their systems were hacked; it is a pity that they either did not receive the advice or simply ignored it.