Grizzlygate - U.S. Government evidence falls short in blame on Russian hackers

Never disclaim an analysis you intend to publish.

[Image: St. Basil's Cathedral, Moscow, Russia. Photo: flowcomm (CC BY 2.0)]

What the heck just happened? We went from cyber battle-stations and the sky is falling to pretty much “never mind” over the New Year holiday. Let’s look at how this went down and what we might learn from it.

The president, in cooperation with the DNI, FBI and DHS, released documents including a Joint Analysis Report (JAR) regarding an incident called GRIZZLY STEPPE, the code name for a Russian APT group or groups accused of tampering with the US elections. The president chose to release this information at about 3 pm EST, Dec. 29, 2016.

DHS and the FBI, at 4 pm on the same date, initiated a joint conference call to the National Council of ISACs and designated energy and law enforcement members. A follow-on technical threat mitigation call was scheduled for the next morning at 11:30 am EST.

Analysis

It is probably not advisable to release an all-hands, emergency action required statement from the office of the president at closing time prior to a major holiday for all federal and many private sector workers. A significant portion of those who were available to receive the message and responsible for acting upon it encountered difficulty due to empty desks and holiday departures.

The timing of the release was not ideal. Most East Coast workers were already preparing to depart for the day, and Washington, DC was no exception. DHS and the FBI scheduled the Friday technical threat mitigation call, lasting an hour, about 30 minutes before a traditional half-day release for federal employees at many organizations.

The status of the GRIZZLY STEPPE APT had been known within the intelligence and law enforcement communities for a significant amount of time and could have been released at any point.

Regardless of our level of automation or cybersecurity prowess, we still require human interaction to function. Consider the human factor before pressing a panic button.

The threat(s)

The JAR and associated documents released specifics on IPs, malware and indicators. It called for immediate action to analyze logs and determine if any organization had been affected by GRIZZLY STEPPE.

The U.S. Government named a large number of common hacker tools in use by individuals and groups worldwide. Most of the tools (Neutrino and the PAS tool web kit, for example) and techniques (phishing, web page spoofing to harvest credentials) are not unique to the Russian APT 28 and APT 29 actors who conducted the GRIZZLY STEPPE intrusions. Entire families of malware were attributed to these events; this completely blurred any claim of attribution.

Author “Paul” at Securityledger.com explained it quite well: “Conceptually simple, GRIZZLY STEPPE is an analytic grenade, scrambling already complex interrelations between malware authors, government sponsored hacking crews, cybercriminal and politically motivated hacktivist groups and neutral third party providers.”

The JAR opens with the following statement: “This report is provided ‘as is’ for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service referenced in this advisory or otherwise.”

The JAR appears to have been a mishmash of several reports and already published mitigations. How are you supposed to attribute GRIZZLY STEPPE to Russia when DHS openly and adamantly disclaims any “warranty of any kind regarding any information contained within?”

One must wonder if government analysts jumped onto this analytic grenade or were thrown onto it.

Grizzlygate

The Washington Post on Dec. 30, 2016, broke the following headline and its accompanying story: “Russian hackers penetrated U.S. electricity grid through a utility in Vermont, U.S. officials say.”

In the subsequent hours, designated Federal agencies and compliance enforcement bodies came together to determine what, if any, threat existed to the nation’s Critical Cyber-Electrical Infrastructure. They found none.

In spite of the inflammatory article penned by the Post, the Vermont utility (victim of the news avalanche now to be referred to as Grizzlygate) determined that a copy of the common malware NEUTRINO had been discovered on a single, non-networked laptop. NEUTRINO is a package of attack tools, an “exploit kit,” that has been for sale on the internet since March of 2013. Though NEUTRINO may have been used in the GRIZZLY STEPPE intrusion, it is not specifically attributed to APT 28 and APT 29.


This is where the confusion started. Since the net cast by the GRIZZLY STEPPE emergency action request covered such a wide range of malware and techniques, NEUTRINO was caught up in it. The Vermont utility reported they found a named malware on their laptop. This became, “Russian hackers penetrated U.S. electricity grid through a utility in Vermont, U.S. officials say.”
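The triage step the article's argument calls for, as an added example that is not part of the original article or the JAR: indicator matches against logs are tagged by whether the indicator is commodity tooling shared by many actors or something an analyst asserts is actor-specific, so a hit on Neutrino alone stays an investigation lead rather than becoming attribution. Indicator values, hostnames and log lines are constructed for illustration.

```python
"""Triage indicator matches so that commodity tooling is not mistaken for attribution.
Added example; indicators, hosts and log lines below are constructed, not from the JAR."""
import re
from collections import defaultdict

# Constructed indicator list. "commodity" marks tools or infrastructure shared by many
# unrelated actors (the article's point about Neutrino and the PAS kit);
# "actor_specific" marks an indicator an analyst asserts is unique to the actor.
INDICATORS = {
    "NEUTRINO": "commodity",           # exploit kit sold openly since 2013
    "PAS": "commodity",                # PAS web shell kit, widely available
    "198.51.100.23": "commodity",      # constructed IP standing in for shared hosting
    "203.0.113.77": "actor_specific",  # constructed IP asserted as dedicated C2
}

# Constructed log lines in the form "<host> <source> <message>"
LOGS = """\
laptop-07 av detected NEUTRINO dropper in C:\\Users\\tmp\\setup.exe
laptop-07 netstat no active network interfaces
gw-01 proxy GET http://198.51.100.23/index.php user=jdoe
ws-22 proxy POST http://203.0.113.77/upload user=asmith
ws-22 av detected PAS webshell in /var/www/html/img.php
"""

def match_indicators(log_text: str) -> dict:
    """Return {host: {indicator: specificity}} for every indicator seen on each host."""
    hits = defaultdict(dict)
    for line in log_text.splitlines():
        host, _, msg = line.partition(" ")
        for ioc, spec in INDICATORS.items():
            if re.search(r"\b" + re.escape(ioc) + r"\b", msg):
                hits[host][ioc] = spec
    return dict(hits)

def verdict(host_hits: dict) -> str:
    """Commodity-only matches are an investigation lead, never attribution."""
    specific = [i for i, s in host_hits.items() if s == "actor_specific"]
    if specific:
        return "escalate: actor-specific indicator " + ", ".join(specific)
    return "investigate: commodity tooling only, no attribution"

def triage(log_text: str) -> dict:
    """Map each host with any indicator hit to a triage verdict."""
    return {host: verdict(h) for host, h in match_indicators(log_text).items()}

if __name__ == "__main__":
    for host, v in triage(LOGS).items():
        print(f"{host}: {v}")
```

With the constructed logs, the laptop that only carries NEUTRINO and the gateway that only contacted shared infrastructure come back as "investigate", while the workstation that talked to the asserted C2 address is the only host escalated.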

The most reasonable response I have found from any involved party originated from the Edison Electric Institute, which is the association that represents all U.S. investor-owned electric companies. Their media statement:

“On Thursday, December 29, 2016, senior government officials with the Departments of Energy and Homeland Security briefed the CEOs of the Electricity Subsector Coordinating Council (ESCC) and other energy sector representatives regarding Russian cyber incidents against U.S. interests. Critical infrastructure sectors—including the electric power sector—took immediate steps to review and to secure their systems based on this new intelligence.

“At this time, we are aware of a single instance in which a U.S. electric utility discovered a suspected Russian presence on its enterprise network. The utility has shared this information with DOE, DHS, and all appropriate authorities. At this time, there is no evidence that any systems responsible for grid operations were impacted.”

That, ladies and gentlemen, is how it should be done.

Where does that leave us?

There was no immediate threat to, or action required by, the private sector. Information provided by the government was generic, certainly not specific to Russian actors such as APT 28 and 29, who are being assigned the blame for the GRIZZLY STEPPE intrusions (stealing the Democratic National Committee’s emails). This event was poorly timed and poorly managed, and it quickly spun out of control with the help of media sensationalism and a lack of media cyber-savvy.

This article is published as part of the IDG Contributor Network.
