U.S. Intelligence Got the Wrong Cyber Bear
JAN 2, 2017 11:58 AM EST
The “Russian hacking” story in the U.S. has gone too far. That it’s not based on any solid public evidence, and that reports of it are often so overblown as to miss the mark, is only a problem to those who worry about disinformation campaigns, propaganda and journalistic standards — a small segment of the general public. But the recent U.S. government report that purports to substantiate technical details of recent hacks by Russian intelligence is off the mark and has the potential to do real damage to far more people and organizations.
The joint report by the Department of Homeland Security and the Federal Bureau of Investigation has a catchy name for “Russian malicious cyber activity” — Grizzly Steppe — and creates infinite opportunities for false flag operations that the U.S. government all but promises to attribute to Russia.
The report’s goal is not to provide evidence of, say, Russian tampering with the U.S. presidential election, but ostensibly to enable U.S. organizations to detect Russian cyber-intelligence efforts and report incidents related to it to the U.S. government. It’s supposed to tell network administrators what to look for. To that end, the report contains a specific YARA rule — a bit of code used for identifying a malware sample. The rule identifies software called the PAS Tool PHP Web Kit. Some inquisitive security researchers have googled the kit and found it easy to download from the profexer.name website. It was no longer available on Monday, but researchers at Feejit, the developer of WordPress security plugin Wordfence, took some screenshots of the site, which proudly declared the product was made in Ukraine.
That, of course, isn’t necessarily to be believed — anyone can be from anywhere on the internet. The apparent developer of the malware is active on a Russian-language hacking forum under the nickname Profexer. He has advertised PAS, a free program, and thanked donors who have contributed anywhere from a few dollars to a few hundred. The program is a so-called web shell — something a hacker will install on an infiltrated server to make file stealing and further hacking look legit. There are plenty of these in existence, and PAS is pretty common — “used by hundreds if not thousands of hackers, mostly associated with Russia, but also throughout the rest of the world (judging by hacker forum posts),” Robert Graham of Errata Security wrote in a blog post last week.