The FBI and the Department of Homeland Security (DHS) on Thursday released a joint report detailing how federal investigators linked the Russian government to hacks of Democratic Party organizations.
The document makes clear reference to the hacks of the Democratic National Committee (DNC) and Hillary Clinton campaign chairman John Podesta, though it does not mention either by name.
The 13-page report provides technical details regarding tools and infrastructure used by Russian civilian and military intelligence services to “compromise and exploit networks and endpoints associated with the U.S. election, as well as a range of U.S. Government, political, and private sector entities.” (See the entire report below.)
But security experts say that the document provides little in the way of forensic “proof” to confirm the government’s attribution. Private security firms — like CrowdStrike, who investigated the DNC breach — went much further, they say.
“The DHS statement is a restatement of already known public information, a series of technical indicators that are intended for use by cybersecurity professionals in finding and remediating APT28 malware on private sector networks, and some generic advice for companies as to how to improve their network security,” said Matt Tait, founder of the U.K.-based security consultancy Capital Alpha Security.
The U.S. report, known as a “Joint Analysis Report” or JAR, refers to the Russian hacking campaign as “Grizzly Steppe.”
It comes as part of a slate of retaliatory measures against Russia issued Thursday by the Obama administration in response to the hacks, and expands on a joint statement issued by the two agencies in October, formally attributing the attacks to Russia.
In the October statement, officials described the hacks and subsequent publication of stolen emails on WikiLeaks as an attempt to “interfere” with the U.S. election that is “consistent with the Russian-directed efforts,” but provided no evidence to support their assessment.
It’s unclear whether Thursday’s report will satisfy critics. The administration is in the process of preparing a more detailed classified review of Russian interference, to be delivered to Congress before Trump takes office on Jan. 20.
“That this document doesn’t engage with the question of attribution seems, to me, to be quite deliberate,” Tait noted. “Its purpose is to act as a measure against Russia (by adding a U.S. stamp of approval to private sector information, and making life harder for APT28 by exposing some of their malware), not to persuade the public that the DNC hack was by Russia.”
Private security firms provided more detailed forensic analysis linking the break-in to Moscow, which the FBI and DHS said Thursday correlated with the intelligence community’s (IC) findings.
“The Joint Analysis Report recognizes the excellent work undertaken by security companies and private sector network owners and operators, and provides new indicators of compromise and malicious infrastructure identified during the course of investigations and incident response,” read a statement.
The report identifies two Russian intelligence groups already named by CrowdStrike and other private security firms.
The Federal Security Service, or FSB, is the main successor to the KGB — once headed by Russian President Vladimir Putin.
The FSB is thought to be behind the hacking group known as APT29. A more traditional, long-range intelligence agency, the FSB lurked on the DNC systems for over a year.
The GRU, Russia’s military intelligence service, is thought to be behind the second group that infiltrated the DNC, known as APT28. APT28 is also believed to have breached Podesta’s emails.
Despite their overlapping targets, the two agencies have different missions in the cyber realm.
APT28 is thought to be the group responsible for “doxxing” the DNC and Podesta by allegedly providing the stolen missives to WikiLeaks to publish.
Both organizations gained access to the DNC through targeted spearphishing campaigns, in which the hackers tricked targeted users into clicking bogus links that either deployed malware or directed them to a fake webmail domain hosted on Russian infrastructure.
APT28 then used the harvested credentials to gain access and steal content, according to the report. This likely led “to the exfiltration of information from multiple senior party members.”
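The report’s stated purpose, as Tait describes it, is to hand network defenders indicators they can search for. The script below is an added illustration of how such a search is typically run against web-proxy logs; it is not code from the report, the FBI/DHS, or any security firm named in this article. Every indicator, host name and log line in it is constructed for the example (the IP addresses come from the reserved TEST-NET documentation ranges), and the JAR’s real indicators would be loaded in their place. Beyond plain indicator matching, it also flags hosts that borrow webmail brand names, since the credential-harvesting pages described above relied on lookalike webmail domains.

```python
import re
import ipaddress
from urllib.parse import urlparse

# Constructed indicator list for the example (NOT indicators from the JAR).
SAMPLE_IOCS = {
    "domains": {"webmail-login.example", "secure-docs-share.example"},
    "ips": {"198.51.100.23", "203.0.113.77"},   # TEST-NET addresses, constructed
}

# Webmail hosts the organisation legitimately uses (constructed allowlist).
LEGIT_WEBMAIL = {"mail.google.com", "outlook.office365.com"}

# Brand tokens that credential-harvesting lookalikes commonly borrow.
LOOKALIKE_TOKENS = ("google", "gmail", "outlook", "office365", "webmail")

# Minimal proxy log format assumed for the example: "<timestamp> <client> <method> <url>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>GET|POST) (?P<url>\S+)")


def parse_proxy_line(line):
    """Return the fields of one log line plus the URL's hostname, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = urlparse(rec["url"]).hostname or ""
    return rec


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_host(host, iocs=SAMPLE_IOCS, legit=LEGIT_WEBMAIL):
    """Classify a hostname: legit / ioc_ip / raw_ip / ioc_domain / lookalike_webmail / clean."""
    host = host.lower().rstrip(".")
    if host in legit:
        return "legit"
    if is_ip(host):
        return "ioc_ip" if host in iocs["ips"] else "raw_ip"
    # Match the host and every parent domain, so a subdomain of an indicator
    # (e.g. accounts.google.com.<indicator>) is still caught.
    labels = host.split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in iocs["domains"]:
            return "ioc_domain"
    if any(tok in host for tok in LOOKALIKE_TOKENS):
        return "lookalike_webmail"
    return "clean"


def scan_proxy_log(lines):
    """Return (client, host, verdict) for every line that is neither legit nor clean."""
    hits = []
    for line in lines:
        rec = parse_proxy_line(line)
        if rec is None:
            continue
        verdict = classify_host(rec["host"])
        if verdict not in ("legit", "clean"):
            hits.append((rec["src"], rec["host"], verdict))
    return hits


# Constructed sample log: one real webmail visit, a lookalike login page hosted
# under an indicator domain, a beacon to an indicator IP, a brand-lookalike
# domain not on the indicator list, and ordinary browsing.
SAMPLE_LOG = """\
2016-03-19T08:12:01Z 10.0.0.14 GET https://mail.google.com/mail/u/0/
2016-03-19T08:13:44Z 10.0.0.14 GET http://accounts.google.com.webmail-login.example/signin
2016-03-19T08:14:02Z 10.0.0.14 POST http://accounts.google.com.webmail-login.example/signin
2016-03-19T09:01:17Z 10.0.0.22 GET http://198.51.100.23/update.php
2016-03-19T09:05:50Z 10.0.0.31 GET https://gmail-security-check.example/verify
2016-03-19T09:07:00Z 10.0.0.31 GET https://www.wikipedia.org/
""".splitlines()

if __name__ == "__main__":
    for src, host, verdict in scan_proxy_log(SAMPLE_LOG):
        print(f"{src} -> {host}: {verdict}")
```

The parent-domain walk matters because harvesting pages are usually served from a deep subdomain that spells out the impersonated brand, while an indicator list carries only the registrable domain. The lookalike check is deliberately coarse and will flag legitimate brand-owned hosts that are not on the allowlist, so in practice the allowlist is populated from the organisation’s own known-good hosts and the verdict is treated as a triage lead, not a confirmed compromise; a POST to a flagged host, as in the third sample line, is the strongest sign that credentials were actually submitted.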
“The U.S. Government assesses that information was leaked to the press and publicly disclosed,” the report says.
The report also states that Russian intelligence operatives continued to launch spearphishing attacks on the Democratic party following the election, “including one launched … just days after” the vote.
— Updated 9:30 a.m. on Dec. 30.