On Friday evening the Washington Post published a problematic story saying that a Vermont electric utility's computer systems had been compromised as part of a Russian hacking campaign called “Grizzly Steppe.” The piece cited anonymous U.S. government officials, but left out important details like how the intrusion had been linked to the Russian campaign and which agencies the cited officials might have worked for. The story has since been edited, but the original contained this gem:
It is unclear which utility reported the incident. Officials from two major Vermont utilities, Green Mountain Power and Burlington Electric, could not be immediately reached for comment Friday.
It's reasonable that the utilities might have been difficult to contact that evening. Many businesses wrap up around 4:30 in Chittenden County, especially on Fridays. (Especially before a holiday weekend.) So it sounds like the authors rang a few unattended phones and then just gave up on verification, instead publishing a story based solely on a tip from an anonymous source. But that story should have waited, because it was botched, badly.
Later that evening April McCullum from the Free Press managed to get in touch with a spokesperson from Burlington Electric, who filled in some of the missing details: first, which utility had been compromised (you guessed it, BED), and second, some actual information about the breach itself. Apparently, whatever malware or compromise had been detected, had been contained to a single laptop, which was not connected to the electric grid. (The original Post headline had contained language which could have been read to suggest otherwise, but it was later edited.)
A day before the Post jumped the gun with its scoop, US-CERT had released a short report about Grizzly Steppe, a Russian intelligence-linked hacking campaign that supposedly targeted the DNC this past summer. The report contained a few hundred indicators of compromise, or IoCs, intended to help network defenders identify and contain attacks associated with the campaign. The Post story mentioned the Grizzly Steppe report, and the tight timing suggested that the BED-Grizzly Steppe attribution might have been based on information therein.
However, the Post also wrote,
This week, officials from the Department of Homeland Security, FBI and the Office of the Director of National Intelligence shared the Grizzly Steppe malware code with executives from 16 sectors nationwide, including the financial, utility and transportation industries, a senior administration official said. Vermont utility officials identified the code within their operations and reported it to federal officials Friday, the official said.
It's unclear to me whether this means those industries received the same report, perhaps a few days earlier than everyone else, or if there is additional declassified information floating around the private sector. However, on New Year's Eve, a (not anonymous) official from DHS confirmed to Eric Geller of Politico that the attribution was in fact based on information in the public report:
It is particularly worth noting that it appears that indicators found on a single laptop appear to match those in the Joint Analysis Report released on the 29th of December.
Feel free to skip this section if you don't care to read the technical stuff.
The reason this matters is that most of the IoCs in the Grizzly Steppe report are vague and lack context. An analyst given those indicators would have a hard time distinguishing a legitimate Russian intelligence operation from run-of-the-mill malware and normal network activity. (Many folks more respected than I have arrived at similar conclusions; their accounts are worth a read.)
The report and corresponding data from US-CERT contain one URL, 10 FQDNs (domain names), 876 IPv4 addresses, 24 hashes, and one Yara signature. However, only five of these indicators (discussed below) are listed with additional information that could suggest how an attacker might have used them, where in a network a defender might expect to find them, or what their presence might mean. The vast majority are listed beside vague comments like, “It is recommended that network administrators review traffic to/from the IP address to determine possible malicious activity.” 248 IP addresses are slightly better, each listed with geolocation information to the country level (which is about as coarse-grained as IP geolocation data can get).
The list of network indicators is especially troubling. IP addresses and domain names are reusable items, subject to change over time, but no dating information is provided in the report. Without that, it is difficult to determine how an address or domain might have been used, or who it might have been used by, during the time that the indicator was relevant to Grizzly Steppe (because it's unclear which slice of the available historical data to examine).
Furthermore, around 21% of the listed addresses were in use by Tor exit nodes on the day the report was released, while a full 426 — very nearly 50% of them — have served as exits at one point or another since 2010, according to data from the Tor project. (If you'd like to know how I arrived at these figures, please contact me.) This seriously calls into question the provenance of the Grizzly Steppe IP indicators. Tor is a public service. The Grizzly Steppe attackers are known to have used it for malicious purposes before, but many people use Tor for benign reasons. The nature of the protocol is that a given exit node could be in use simultaneously by a malicious APT and someone just trying to check Facebook from China. So even if the exits were added to the report because of legitimate Grizzly Steppe activity, they are almost completely useless to network defenders and contribute nothing to attribution.
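The kind of cross-check the two paragraphs above describe, as an added example rather than the post's own method: undated IP indicators are matched against Tor exit-list history so a defender can see which ones were shared exit infrastructure (on the report's release day, and ever) before acting on them. It assumes the TorDNSEL exit-list text format published by the Tor project's CollecTor service, and all IPs, fingerprints and dates below are constructed, not taken from the report.

```python
# Added example (not the post's own method): cross-check undated IP indicators
# against Tor exit-list history so a defender sees shared infrastructure before
# acting on them. Assumes the TorDNSEL exit-list text format from
# collector.torproject.org ('ExitAddress <ip> <YYYY-MM-DD HH:MM:SS>' lines).
from collections import defaultdict
from datetime import datetime

# Constructed sample: two exit-list snapshots concatenated (documentation IPs).
EXIT_LISTS = """\
ExitNode AAAA0000000000000000000000000000000000A1
Published 2016-12-29 15:08:14
LastStatus 2016-12-29 17:03:32
ExitAddress 198.51.100.7 2016-12-29 17:11:06
ExitNode BBBB0000000000000000000000000000000000B2
Published 2014-03-01 10:00:00
LastStatus 2014-03-01 11:00:00
ExitAddress 203.0.113.9 2014-03-01 11:05:00
"""
# Constructed indicator feed in the report's undated style: bare IPv4 addresses.
INDICATORS = ["198.51.100.7", "203.0.113.9", "192.0.2.44"]


def parse_exit_lists(text):
    """Map each exit IP to the set of dates on which it was observed as an exit."""
    seen = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "ExitAddress":
            seen[parts[1]].add(datetime.strptime(parts[2], "%Y-%m-%d").date())
    return seen


def triage(indicators, exit_history, report_date):
    """Per indicator: was it an exit on report_date (YYYY-MM-DD), plus its exit date range."""
    day = datetime.strptime(report_date, "%Y-%m-%d").date()
    rows = []
    for ip in indicators:
        dates = sorted(exit_history.get(ip, ()))
        rows.append({"ip": ip,
                     "exit_on_report_date": day in dates,
                     "first_exit": dates[0].isoformat() if dates else None,
                     "last_exit": dates[-1].isoformat() if dates else None})
    return rows


def exit_fractions(rows):
    """The two figures the post quotes: exit on release day, exit at any time."""
    n = len(rows)
    on_day = sum(r["exit_on_report_date"] for r in rows) / n
    ever = sum(r["first_exit"] is not None for r in rows) / n
    return on_day, ever
```

Run against the full CollecTor exit-list archive rather than this sample, the first/last exit dates also supply the dating the report itself omits, which tells an analyst which slice of passive DNS or netflow history is worth examining for a given address.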
Hashes and signatures
The malware indicators, provided as MD5, SHA-1, and SHA-256 digests (and one Yara signature), also lack important contextual information. A few list file names (which are not terribly meaningful), and three hashes, discussed further below, have genuinely interesting metadata. But fully 17 of the 24 hashes are completely devoid of any contextual information whatsoever.
Almost three quarters of the malware indicators, including the singular Yara signature, appear to be PHP web shells. These are implants that can be uploaded to a compromised web server to give an attacker persistent backdoor access. They're probably not what was found on the laptop at Burlington Electric.
The remaining handful of samples are Windows malware of various sorts. VirusTotal's AV engines detect most of these as generic Trojan droppers, with first-seen dates throughout 2016. Without more information, it's hard to draw conclusions from these.
Rob Graham pointed out that at least one of the web shells is a generic tool called P.A.S., which can be downloaded by anyone (try it!) and is supposedly popular among Russian and Ukrainian hackers. Given that, it seems like a stretch to attribute a P.A.S. web shell finding to a specific Russian intelligence operation, or even to Russian intelligence at all. The inclusion of a common tool like P.A.S. in the report is a red flag that calls into question the quality of the Windows indicators as well.
Some interesting IoCs
A small number of indicators are provided with contextual information beyond what is described above. One is another web shell; I won't describe it here. Two are hashes associated with the OnionDuke malware. One of these even comes with a short sample of network traffic observed between the malware and its command-and-control, or C2, server. Two IP addresses are listed as C2 servers for these malware samples.
The first time either of these samples was uploaded to VirusTotal was the same day the report was released. Although the extra metadata is far from a full teardown of the malware and its C2 infrastructure, I'm willing to give the government the benefit of the doubt and assume they're on to something with these IoCs.
What we need to find out
The problem is that most of the indicators in the US-CERT report are fairly generic and are presented with little context. All we know is that at least one of them, probably one of the Windows-based malware samples, was found on a computer at Burlington Electric. Two of these Windows samples look interesting; the other handful look benign. Importantly, we don't know which indicator was found on that laptop. Only a few people know that at this point. It's hard to ignore the very likely possibility that whatever was found falls into the benign category, something that's been floating around the Internet for months — the type of threat that IT departments deal with every single day.
And the American people deserve to know the answer, because this attribution will invariably be used to inform policy decisions in the future. Senator Leahy, Representative Welch, and Governor Shumlin have each released aggressive statements about the story. The attribution in the DNC case was used to justify sanctions and the expulsion of Russian diplomats from the U.S. Some are already citing this as a possible precursor to actual electrical grid hacking. And we will soon have a recklessly aggressive President who claims to know “a lot about hacking.” If you thought major news outlets mouthing the unverified claims of anonymous government employees was an issue in 2016, it will be a complete disaster under the new administration. This cyber thing isn't going away. Americans need to know what the hell is going on.