As controversy continues to swirl around U.S. intelligence assessments that Russian spy agencies hacked American political organizations during the recent election campaign, there’s growing criticism of a Department of Homeland Security effort to compile a master list of technical indicators linked to the hacks.
The groups accused of the hacking, known as Fancy Bear and Cozy Bear or APT28 and APT29, have been tracked for years by cybersecurity specialists — almost all of whom long accepted the detailed, public pattern of evidence linking them to Russian intelligence, including technical indicators of compromise.
But now critics say the DHS effort to publish a master list of such IOCs — a DHS/FBI Joint Analysis Report, dubbed Grizzly Steppe — is backfiring, sowing confusion about the hackers’ identities and undermining hard-won trust in the U.S. government as an information-sharing partner.
And several major cybersecurity companies are telling their customers not to use the DHS technical indicators.
“We are advising customers not to directly use the Grizzly Steppe indicators as doing so would generate significant false positives for network defenders,” Christopher Porter, manager of threat intelligence for FireEye, told CyberScoop.
“Grizzly Steppe’s indicator list contains significant errors, lumping in genuine APT28 and APT29 activity with indicators not uniquely related to Russian Government operations. The Grizzly Steppe report also fails to make its case that the Russian Government sponsored these activities, claiming a connection based on technical evidence that is not provided and in some cases is demonstrably wrong,” said Porter.
“Unfortunately, the inclusion of so many unreviewed and erroneous indicators in the first report the U.S. government used to prove its case against Russia for manipulating the election has provided significant ammunition for critics already inclined to be skeptical of the attribution case. This is unfortunate since the case for attribution to Moscow has only strengthened over time,” he added.
Sharing declassified threat indicators and other kinds of cyber-intelligence — the NSA’s much-ballyhooed “secret sauce” — is at the very heart of the business-government partnership approach successive administrations have taken to defending the nation in cyberspace, where so much of the vital infrastructure is privately owned.
And the Grizzly Steppe report is under a very bright spotlight, as some — although it seems no longer President-elect Donald Trump — continue to voice skepticism about U.S. intelligence findings on the election campaign hacking, which dumped stolen Democratic Party emails on the web and amplified their impact through fake news stories and automated social media echo chambers.
And even allies of DHS and champions of its information-sharing efforts say the Grizzly Steppe report is not standing up to the scrutiny.
“This is an outlier,” Aharon Chernin told CyberScoop of the flawed Grizzly Steppe report. The threat intelligence his company Perch Security pulls from DHS is “usually some of the best data … the highest quality,” he said.
But Grizzly Steppe contained technical indicators that, as Porter predicted, set off a barrage of false positives for Chernin’s customers — and for others using the same data.
“A small handful of them [watchlisted internet addresses in Grizzly Steppe] are so commonly used that almost every network is going to generate huge numbers of false positives,” Chernin said.
For example, he said, there were indicators that could cause the system to alarm because a user logged on to a Yahoo email account.
Some kinds of malicious software use Yahoo email as a command-and-control channel, explained a DHS official who responded to criticism of Grizzly Steppe via an email to CyberScoop.
“It’s particularly necessary to emphasize that the Russians hide in the noise. They often use [internet] addresses that are legitimate,” the official said.
But Chernin’s comments echo other criticism about Grizzly Steppe, which commentators say lumps together different kinds of threat indicators and provides none of the vital contextual information that would allow network defenders to properly calibrate their defenses.
“They have completely failed to understand what businesses actually want from information-sharing … which is fewer alerts and higher quality data,” former U.S. Air Force cyber-warrior Robert Lee told CyberScoop.
Threat sharing at machine speed
Worse still, according to Chernin, the context-less threat data was fed into the DHS Automated Indicator Sharing system, and automatically plugged into network security systems across all the department’s private sector AIS partners — causing a cascade of false alarms in security operations centers across the country.
AIS, massively touted by senior Obama administration officials, uses DHS-developed standardized language and software called STIX and TAXII to share threat indicators at machine speed. The vision is for automated threat data sharing in real time — any hacker attack, once used anywhere, should never be viable again, because its technical indicators will be shared instantaneously.
Chernin’s startup, Perch Security, built a system that pulls down those indicators and feeds them into the network security monitoring systems of its customers.
“Within seconds” of the Grizzly Steppe data being fed into AIS, “our Security Operations Center was alerted to this Russian threat popping up everywhere” on our customers’ networks, said Chernin.
The DHS official said the department had made the Grizzly Steppe technical indicators as comprehensive as possible so that the owners and operators of vital U.S. industries like the electricity grid could go back through their network logs looking for evidence of past intrusions.
“Simply because the [internet addresses] are in the logs does not mean there has been malicious activity. It is however cause for a further look,” the official said.
The problem, according to Chernin, is that those caveats were not included when the Grizzly Steppe data was loaded into AIS.
“Without that context, we can’t know what to do with the data,” he said.
STIX — the DHS-supported format for real-time threat data exchange — “has the ability to add such context,” he said. “Why not spend a few extra seconds” to do that?
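The complaint in this section is that indicators arrived in AIS stripped of the context that would let a consumer decide between paging an analyst and quietly noting a match. The following Python is an added illustration written for this article, not code from DHS, Perch Security or the Grizzly Steppe report. It uses constructed indicator objects in the STIX 2.1 JSON shape (the optional confidence and description fields are the ones that carry context; the address values are RFC 5737 documentation ranges and are invented), an invented key=value firewall log format, and a simple triage policy: an indicator with no confidence or description is held for enrichment and retrospective log review rather than wired into live alerting, a match seen from many unrelated internal hosts is treated as likely shared infrastructure, and only a high-confidence, low-prevalence match becomes an alert. The thresholds are assumptions chosen for the example.

```python
"""Context-aware triage of shared IPv4 indicators (added example, constructed data)."""
import json
import re
from collections import defaultdict

# Constructed STIX 2.1-style indicator objects. Nothing here is taken from the
# Grizzly Steppe report; the addresses are RFC 5737 documentation ranges.
INDICATORS_JSON = """[
 {"type": "indicator", "id": "indicator--11111111-1111-4111-8111-111111111111",
  "pattern": "[ipv4-addr:value = '203.0.113.17']", "pattern_type": "stix",
  "valid_from": "2016-12-29T00:00:00Z", "confidence": 90,
  "description": "Dedicated command-and-control server seen only in intrusion activity."},
 {"type": "indicator", "id": "indicator--22222222-2222-4222-8222-222222222222",
  "pattern": "[ipv4-addr:value = '198.51.100.5']", "pattern_type": "stix",
  "valid_from": "2016-12-29T00:00:00Z", "confidence": 20,
  "description": "Public webmail provider occasionally abused as a C2 channel; benign traffic expected."},
 {"type": "indicator", "id": "indicator--33333333-3333-4333-8333-333333333333",
  "pattern": "[ipv4-addr:value = '203.0.113.200']", "pattern_type": "stix",
  "valid_from": "2016-12-29T00:00:00Z", "confidence": 85,
  "description": "Address contacted by an implant during staging; hosting provider edge."},
 {"type": "indicator", "id": "indicator--44444444-4444-4444-8444-444444444444",
  "pattern": "[ipv4-addr:value = '192.0.2.44']", "pattern_type": "stix",
  "valid_from": "2016-12-29T00:00:00Z"}
]"""

# Constructed firewall log lines in an invented key=value format.
LOG_LINES = """\
2017-01-03T10:00:01Z src=10.0.0.12 dst=203.0.113.17 dport=443 action=allow
2017-01-03T10:00:02Z src=10.0.0.31 dst=198.51.100.5 dport=443 action=allow
2017-01-03T10:00:03Z src=10.0.0.32 dst=198.51.100.5 dport=443 action=allow
2017-01-03T10:00:04Z src=10.0.0.51 dst=203.0.113.200 dport=443 action=allow
2017-01-03T10:00:05Z src=10.0.0.52 dst=203.0.113.200 dport=443 action=allow
2017-01-03T10:00:06Z src=10.0.0.53 dst=203.0.113.200 dport=443 action=allow
2017-01-03T10:00:07Z src=10.0.0.54 dst=203.0.113.200 dport=443 action=allow
2017-01-03T10:00:08Z src=10.0.0.40 dst=192.0.2.44 dport=80 action=allow
2017-01-03T10:00:09Z src=10.0.0.41 dst=192.0.2.250 dport=80 action=allow
""".splitlines()

# Only the simplest STIX pattern form is handled: a single ipv4-addr comparison.
IPV4_PATTERN = re.compile(r"^\[ipv4-addr:value = '([0-9.]+)'\]$")
LOG_FIELD = re.compile(r"(\w+)=(\S+)")

ALERT_CONFIDENCE = 70   # assumed threshold: at or above this, page the SOC
PREVALENCE_LIMIT = 3    # assumed threshold: more distinct internal sources looks like shared infrastructure


def load_ipv4_indicators(indicators_json):
    """Map each watched IPv4 address to its indicator object."""
    watch = {}
    for obj in json.loads(indicators_json):
        match = IPV4_PATTERN.match(obj.get("pattern", ""))
        if obj.get("type") == "indicator" and match:
            watch[match.group(1)] = obj
    return watch


def classify(indicator, distinct_sources):
    """Decide what a match against this indicator should do, using its context fields."""
    confidence = indicator.get("confidence")
    if confidence is None or "description" not in indicator:
        # No context shipped with the indicator: do not wire it into live
        # alerting; queue it for analyst enrichment and a retrospective log search.
        return "hold-for-enrichment"
    if distinct_sources > PREVALENCE_LIMIT:
        # Many unrelated internal hosts reaching the same address is the local
        # signature of shared, mostly legitimate infrastructure.
        return "review-prevalent"
    if confidence >= ALERT_CONFIDENCE:
        return "alert"
    return "review-low-confidence"


def triage(indicators_json, log_lines):
    """Return {indicator id: {address, sources, decision}} for every indicator that matched."""
    watch = load_ipv4_indicators(indicators_json)
    sources = defaultdict(set)
    for line in log_lines:
        fields = dict(LOG_FIELD.findall(line))
        dst = fields.get("dst")
        if dst in watch:
            sources[dst].add(fields.get("src"))
    result = {}
    for dst, srcs in sources.items():
        indicator = watch[dst]
        result[indicator["id"]] = {"address": dst, "sources": len(srcs),
                                   "decision": classify(indicator, len(srcs))}
    return result


if __name__ == "__main__":
    for indicator_id, verdict in triage(INDICATORS_JSON, LOG_LINES).items():
        print(indicator_id, verdict)
```

Run on the constructed data, the dedicated C2 address becomes an alert, the low-confidence webmail address and the high-confidence but widely contacted address both land in review queues, and the indicator that shipped with no confidence or description is held back entirely. The same feed loaded without the context fields would have produced four identical alerts, which is the failure mode described above.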
A gold mine of detail
DHS’ defenders have tried to focus on the decision to publish threat indicators that, in some cases, had until now been classified. They also have praised the decision to make public an intelligence assessment.
The DHS official lauded the publication of “the details of the [cyber]tools and infrastructure used by Russian intelligence services.”
“What we provided was actionable and detailed [tactics, techniques and procedures] that these actors leverage, as well as mitigations,” the official said.
One op-ed co-written by a former high-ranking military official called Grizzly Steppe “a dramatic precedent that could serve a significant blow to Russia’s current and future cyber-operations in the U.S. and elsewhere.”
Adm. James Stavridis, supreme commander of NATO until 2013 and now dean of the Fletcher School of Law and Diplomacy at Tufts, penned the New America op-ed with New Jersey State CTO Dave Weinstein. It calls the IOCs in the report “an intelligence windfall for ordinary network defenders who have been starving for rich real-time threat information from the federal government.”
But the complaints about Grizzly Steppe “echo complaints from industry in the past” about the threat intelligence products provided by the federal government, said former senior DHS official John Cohen.
The private sector “says the information they get from the government [is] too broad,” said Cohen. “And there’s concern about sharing confidential information.”
Correcting the record in Vermont
Both of those concerns were thrown into sharp relief by the case of Burlington Electric.
The Post first reported that Grizzly Steppe IOCs found on the company’s system showed Russian intelligence were “actively trying to penetrate the grid to carry out potential attacks.” Gov. Peter Shumlin and Democratic Sen. Pat Leahy had been briefed by state and federal officials, the paper said.
But on Monday, in a second story, the Post reported that officials told the company that the traffic they identified with the Grizzly Steppe IOCs was “not unique” and might be “benign, since this particular [internet] address is not always connected to malicious activity.”
“The danger is,” Lee told CyberScoop, the story sent two messages: “Firstly, that the IOC data you get from the government is no good and secondly, when you get a [false positive] hit off that data and tell the government about it, they will leak it to the media.”
It’s not clear how the Post first learned about the Vermont story, but the company said in a statement it was “unfortunate that an official or officials improperly shared inaccurate information with one media outlet, leading to multiple inaccurate reports around the country.”
False positives, false flags
Despite the flaws in Grizzly Steppe, Lee said, evidence that Fancy Bear and Cozy Bear are working for Russian intelligence agencies was based on a “holistic picture.”
But “the thing that really troubles me,” he said of the report, “is that it has added confusion to an already solid case.”
Lee said the attribution — and the wide acceptance it has enjoyed among cybersecurity practitioners — came from years of observation and analysis published by companies like CrowdStrike.
“This was never about the [internet] addresses” or other technical indicators, he said. “This is about behaviors, tradecraft, infrastructure … over years and from hundreds and hundreds of victims.”
Some cybersecurity researchers have raised the possibility of a so-called false flag operation, where one set of hackers pretend to be another.
“You can re-use malware … you can fake a trail,” said Lee, noting that Fancy Bear had itself run a false flag operation, trying to pass its own operations off as the work of an ISIS-aligned hacktivist group calling itself the CyberCaliphate.
But the election hacking was very unlikely to be such a false-flag job, he said.
“What we’ve never, ever seen,” said Lee, “is a nation-state pretending to be another nation-state to attack a third nation-state. The risk in doing that” — of exposure by either victim or patsy — “would be extraordinary.”
Nonetheless, one former NSA senior official says the U.S. public attribution would be stronger if it included more information about the geo-political and strategic context.
“The question of attribution would be made stronger if we intensified our efforts to understand … Russia’s conception of its interests in cyberspace … [and] Russia’s doctrine regarding the use of cybersecurity tools to achieve its interests,” said Samuel Visner, now senior vice president and general manager for cybersecurity at ICF.
“Gaining this understanding is something from which the writers of future [Grizzly Steppe]-like reports would benefit,” he said.
A litmus test?
If Grizzly Steppe is a litmus test of how DHS is doing in information-sharing, it doesn’t look good.
The department was already wrestling with widespread skepticism about its credibility as an information-sharing partner, and the report “highlights the anemic and disjointed character of our national cybersecurity threat information sharing efforts,” acknowledged Cohen.
“This ultimately seems like a very rushed report,” blogged Lee.
Cohen denied that was likely. “There was probably a sense of urgency,” he said. “These things are always put together on a deadline.”
DHS’ other defenders, like former DHS official James Norton, acknowledged the “short turnaround, given the impending change of administration.”
The Grizzly Steppe report is “a first step” in the department’s response, said Norton, who served during the George W. Bush administration.
“It was never meant to be the definitive last word on attribution,” added Cohen. “It was laying out, at the unclassified level: ‘This is how they did it, and this is how you can stop them.’”
Chris Bing contributed reporting to this story.