The Russian Hacking Diatribe, and Why It Is Complete Agitprop Nonsense

Large corporate interests that control the government need, once again, to stir up agitation against Russia and other enemy states in order to win public support for funneling massive funds to the Military Industrial Complex.  It's a plausible tactic when the politicians of this country are sponsored by giant defense corporations.  If they're pulling out of active wars but desperately need to keep fueling the military industrial complex that signs their paychecks, they can cleverly revive the Cold War game plan.  And they have.

Recent and past "news" delivered by the MSM - which has wholly embraced the claims offered up by the CIA, and now by other three-letter agencies - that a Russian state-sponsored hack of the DNC and the RNC had an effect in swaying the U.S. election results is patently absurd, and pure agitprop.  To date, there is no conclusive evidence that anything of the sort occurred.  The "Straw Man" tactic has been employed again, and it appears to be working as usual.

The only reason to continually create new bad guys, or conjure up the old bad guys, is to fill the coffers of corporate Department of Defense contractors who lobby the shit out of our government.  They don't work for us.  Our so-called government officials work for the money they get from corporate interests.  And they need those paychecks to keep coming in.

Now, I could go into the sexy details of what it takes to track down a real state-sponsored hacker (most of what the official rhetoric has to offer is juvenile and pedantic), but it's pointless once you realize this has nothing to do with hacking.  There is a bigger picture here, people, and it's emblazoned with a scarlet letter sewn into the very fabric of our willful unconsciousness.  We need to wake the f*ck up, and not accept this bullshit any longer.

Breakdown of the "So-Called" Evidence for Russian Hacking, and the Sad State of Cybersecurity

Was there definitive evidence contained in the JAR (Joint Analysis Report - "GRIZZLY STEPPE - Russian Malicious Cyber Activity"), or FireEye's analysis, "APT28: A Window Into Russia's Cyber Espionage Operations?" that Russian state-sponsored hackers compromised the DNC server with malware, and then leaked any acquired documents to WikiLeaks?  Absolutely not.  And here's why:

Let's first run through the "so-called" evidence - basically two "smoking guns" in the analysis - and a few other questions pertinent to the investigation.  I'll address each point with some technical details and maybe a little common sense evaluation.

The claims, in the order I'll take them: certain malware settings suggest that the authors did the majority of their work in a Russian language build environment.  The malware compile times corresponded to normal business hours in the UTC+4 time zone, which includes major Russian cities such as Moscow and St. Petersburg.  WikiLeaks was ultimately the source of the dissemination of the compromised data - where did they acquire it?  According to media sources, all 17 U.S. intelligence agencies confirmed that Russian state-sponsored hackers were the source of the attacks.  And was this "so-called" hack designed to affect the outcome of the U.S. election?

Let us now address each of these points specifically (some of this may be more technical than the average reader is used to - program or be programmed):

1.)  Certain malware settings suggest that the authors did the majority of their work in a Russian language build environment.

FireEye's report tabulates the locale IDs found in the PE resources of the samples it attributes to Advanced Persistent Threat 28 (APT28), and notes that the group consistently compiled Russian language settings into its malware:

Locale ID          Primary language   Country   Samples
0x0419             Russian            (ru)      59
0x0409             English            (us)      27
0x0000 or 0x0800   Neutral locale               16
0x0809             English            (uk)      1

By no means is this evidence of anything.  The locale ID is a 16-bit value in the resource directory that records what the developer's build environment was configured for; it says nothing about who sat at the keyboard.  It could even be a U.S.-sponsored hack, for that matter, obfuscating its origin by using a Russian build environment.  That is speculation too, but planting a false-flag build environment is a known trick, and any security researcher knows it has been used by malware authors in the past.

2.)  The malware compile times corresponded to normal business hours in the UTC+4 time zone, which includes major Russian cities such as Moscow and St. Petersburg.

The FireEye report states:

"During our research into APT28's malware, we noted two details consistent across malware samples.  The first was that APT28 had consistently compiled Russian language settings into their malware.  The second was that malware compile times from 2007 to 2014 corresponded to normal business hours in the UTC + 4 time zone, which includes major Russian cities such as Moscow and St. Petersburg."

And, under the heading "Use of Russian and English Language Settings":

"PE Resources include language information that can be helpful if a developer wants to show user interface items in a specific language.  Non-default language settings packaged with PE resources are dependent on the developer's build environment.  Each PE resource includes a 'locale' identifier with a language ID composed of a primary language identifier indicating the language and a sublanguage identifier indicating the country/region."

Any malware author could intentionally leave behind false clues in the resources section, pointing to Russia or any other country.  These signatures are very easy to manipulate: the locale ID is just a number stored in the resource directory entry, and anyone with a modicum of Googling skills can change it in a PE file with a resource editor or a hex editor.  Any state-sponsored entity could obfuscate the language identifier this way.  The compile time is no better.  It is the 32-bit TimeDateStamp field in the COFF file header, which the linker fills in from the build machine's clock, so setting the clock before building, or overwriting the field afterwards, makes a sample "compile" at any hour in any region the author chooses (reproducible-build options in modern linkers replace it with a fixed value or a hash anyway).  There is a further wrinkle with the UTC+4 inference itself: Moscow sat on UTC+4 year-round only from March 2011 to October 2014, and used UTC+3 in winter before that, so a 2007-2014 sample set does not even line up with a single fixed offset.  The information in the FireEye report is spurious at best.
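To make points 1 and 2 concrete, here is an added example of my own, not code from FireEye's report and not code from any of the malware discussed.  It builds a constructed, non-executable PE32 image, reads the two indicators the report leans on (the COFF TimeDateStamp and the language ID on each resource) the same way a PE parser would, and then rewrites both in place.  The function names build_pe, pe_build_metadata, forge_build_metadata and local_hour, and the timestamp and section layout, are assumptions made up for the demonstration; the locale values are the ones from the table above.

```python
import struct
from datetime import datetime, timezone, timedelta

RSRC_RVA, RSRC_FILE_OFF = 0x1000, 0x200      # where the constructed .rsrc section is placed
LANG_RU, LANG_EN_US = 0x0419, 0x0409         # locale IDs from the FireEye table


def _rsrc_dir(entry_count):
    # IMAGE_RESOURCE_DIRECTORY header: Characteristics, TimeDateStamp, Major/Minor, #named, #id entries
    return struct.pack('<IIHHHH', 0, 0, 0, 0, 0, entry_count)


def build_pe(timestamp, lang_id):
    """Constructed sample (not a real malware file): a minimal PE32 image whose only section
    is .rsrc, holding one RT_VERSION resource tagged with lang_id, plus a COFF timestamp."""
    # resource tree offsets inside .rsrc: root@0 -> type dir@24 -> name dir@48 -> data entry@72 -> bytes@88
    root = _rsrc_dir(1) + struct.pack('<II', 16, 0x80000000 | 24)   # type 16 = RT_VERSION, subdir flag
    typ = _rsrc_dir(1) + struct.pack('<II', 1, 0x80000000 | 48)     # resource id 1, subdir flag
    name = _rsrc_dir(1) + struct.pack('<II', lang_id, 72)           # leaf: the entry id IS the language id
    payload = b'FileVersion\0'
    data_entry = struct.pack('<IIII', RSRC_RVA + 88, len(payload), 0, 0)  # IMAGE_RESOURCE_DATA_ENTRY
    rsrc = root + typ + name + data_entry + payload

    dos = b'MZ' + b'\0' * 58 + struct.pack('<I', 0x40)              # e_lfanew = 0x40
    coff = struct.pack('<HHIIIHH', 0x14C, 1, timestamp, 0, 0, 224, 0x0102)  # TimeDateStamp is field 3
    opt = struct.pack('<HBBIIIIII', 0x10B, 14, 0, 0, len(rsrc), 0, 0, 0x1000, 0x1000)
    opt += struct.pack('<IIIHHHHHHIIIIHHIIIIII', 0x400000, 0x1000, 0x200, 6, 0, 0, 0, 6, 0,
                       0, 0x2000, 0x200, 0, 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[2] = (RSRC_RVA, len(rsrc))                                 # DataDirectory[2] = resource table
    opt += b''.join(struct.pack('<II', *d) for d in dirs)
    sect = struct.pack('<8sIIIIIIHHI', b'.rsrc', len(rsrc), RSRC_RVA, 0x200, RSRC_FILE_OFF,
                       0, 0, 0, 0, 0x40000040)
    headers = dos + b'PE\0\0' + coff + opt + sect
    return headers.ljust(RSRC_FILE_OFF, b'\0') + rsrc.ljust(0x200, b'\0')


def _locate(data):
    """Return (file offset of the COFF TimeDateStamp, [file offsets of language-level resource entries])."""
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    if bytes(data[e_lfanew:e_lfanew + 4]) != b'PE\0\0':
        raise ValueError('not a PE image')
    nsect, opt_size = struct.unpack_from('<H12xH', data, e_lfanew + 6)
    opt = e_lfanew + 24
    rsrc_rva = struct.unpack_from('<I', data, opt + 112)[0]          # DataDirectory[2].VirtualAddress
    rsrc_off = None
    for i in range(nsect):                                          # map the RVA to a file offset
        vsize, va, rawsize, rawoff = struct.unpack_from('<IIII', data, opt + opt_size + 40 * i + 8)
        if va <= rsrc_rva < va + max(vsize, rawsize):
            rsrc_off = rawoff + (rsrc_rva - va)
    lang_entries = []

    def walk(off, depth):
        named, ids = struct.unpack_from('<HH', data, off + 12)
        for j in range(named + ids):
            entry = off + 16 + 8 * j
            ident, ptr = struct.unpack_from('<II', data, entry)
            if ptr & 0x80000000:                                    # high bit set: points at a subdirectory
                walk(rsrc_off + (ptr & 0x7FFFFFFF), depth + 1)
            elif depth == 2:                                        # type -> name -> LANGUAGE level
                lang_entries.append(entry)

    if rsrc_off is not None:
        walk(rsrc_off, 0)
    return e_lfanew + 8, lang_entries


def pe_build_metadata(data):
    """Read the two indicators the FireEye table rests on: COFF compile time and resource locale IDs."""
    ts_off, lang_entries = _locate(data)
    timestamp = struct.unpack_from('<I', data, ts_off)[0]
    langs = [struct.unpack_from('<I', data, e)[0] & 0xFFFF for e in lang_entries]
    return timestamp, langs


def forge_build_metadata(data, new_timestamp, new_lang_id):
    """Rewrite both indicators in place.  Nothing else in the file has to change for it to still
    parse, which is the whole point: these fields record a claim about the build, not a fact."""
    buf = bytearray(data)
    ts_off, lang_entries = _locate(buf)
    struct.pack_into('<I', buf, ts_off, new_timestamp)
    for e in lang_entries:
        struct.pack_into('<I', buf, e, new_lang_id)
    return bytes(buf)


def local_hour(timestamp, utc_offset_hours):
    """Hour of the day the timestamp falls on at a fixed UTC offset (what 'business hours' means)."""
    return datetime.fromtimestamp(timestamp, timezone(timedelta(hours=utc_offset_hours))).hour


if __name__ == '__main__':
    original = build_pe(1399960800, LANG_RU)                        # constructed: 2014-05-13 06:00 UTC
    ts, langs = pe_build_metadata(original)
    print('original: locale %s, compiled %02d:00 at UTC+4' % ([hex(x) for x in langs], local_hour(ts, 4)))
    forged = forge_build_metadata(original, ts + 8 * 3600, LANG_EN_US)
    ts2, langs2 = pe_build_metadata(forged)
    print('forged:   locale %s, compiled %02d:00 at UTC-5' % ([hex(x) for x in langs2], local_hour(ts2, -5)))
```

Run as-is, the parser reports a Russian-locale sample built at 10:00 in UTC+4; after forge_build_metadata the same file parses as a U.S.-English build at 09:00 on the U.S. east coast, and no checksum, signature or loader check notices, because neither field is covered by anything.  An attribution built on these two fields is only as strong as the assumption that nobody bothered to change them.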

3.)  Ultimately, WikiLeaks was the source of the dissemination of the compromised data - where did they acquire it?

Julian Assange, the founder of WikiLeaks, has repeatedly stated that the source of the information they posted was not a state-sponsored source - Russia included.  In fact, none of the reports (the JAR and FireEye's included) mentions WikiLeaks even once.  Strange.

4.)  According to media sources, all 17 U.S. intelligence agencies confirmed Russian state-sponsored hackers were the source of the attacks.

This is hilarious - many of these 17 agencies wouldn't know a hack from a leak, nor would they have been privy to any real data beyond what a couple of other agencies reported, which was thin and barely circumstantial, and was wholly derived from third-party security analysis.

5.)  Was this "so-called" hack designed to affect the outcome of the U.S. election?

It is clear, even if there were state-sponsored hacks, that the information provided in WikiLeaks had no relation to Russian manipulation of U.S. elections.  The information speaks for itself - it is the content of the leaks that is relevant - and it matters not where it came from.  DNC corruption is the real issue, and any propaganda agenda designed to direct attention away from the damage the info presents is wholly deflection.

Most of the references used in the JAR are really from third-party cybersecurity firms looking to "show off" their prowess at rooting out a hacker culprit.  That ultimately means money for them.  This is the reality of the sad state of security today.  Note that not one report mentions that every single one of the compromises was directed at Microsoft operating systems.  Why, when everyone knows that Microsoft Windows is the most insecure OS and the one specifically targeted by malware authors, state-sponsored or otherwise, do governments still use it?  Fortunately, there are real security researchers out there who see through the smoke and mirrors and aren't buying the BS handed to them by government entities and the media outlets they control.

The Anti-Forensic Marble Framework

With the release of the "Marble Framework" source code on WikiLeaks, we come upon more evidence that the entire so-called "Russian Hacking" story could very well have been a U.S. state-sponsored hack - and that is the more likely explanation.

From WikiLeaks: "Marble is used to hamper forensic investigators and anti-virus companies from attributing viruses, Trojans, and hacking attacks to the CIA.  Marble does this by hiding ('obfuscating') text fragments used in CIA malware from visual inspection.  This is the digital equivalent of a specialized CIA tool to place covers over the English language text on U.S. produced weapons systems before giving them to insurgents secretly backed by the CIA."

CIA Leaks

I've been through many of the docs included in Vault 7 and it isn't anything at all new or revelatory.  I called this back in 2005 and detailed much of it back then.  Most thought me a kook.  Much of what I've looked at so far is valid, although it's very basic info any teenage hacker attending DEFCON would know about.

It's old crap, and I'd put money on it that the CIA itself "leaked" the data.

And finally, the most recent stories of Russian attempts to hack into U.S. voting systems are even more ridiculous in their claims, and were based exclusively on information from the Department of Homeland Security.  Apparently 21 states, as cited by the MSM, were targeted by "Russian" hackers during last year's presidential election.  These claims about Russian hacking get ineptly hyped by media outlets, are almost always based on nothing more than fact-free statements from government officials, and look completely absurd under even minimal scrutiny by real security experts, because they are entirely lacking in any real evidence.

"In our age there is no such thing as 'keeping out of politics.'  All issues are political issues, and politics itself is a mass of lies, evasions, folly, hatred, and schizophrenia." - George Orwell

For complete information, please check out the links cited as references below:
