Hey guys. I've been spending way too much time over at Climate Audit this last week or so because they've been discussing the (supposed) Russian hacks of various computer networks within the United States. System security is a topic I've long been interested in, so naturally I was curious what people were saying there. I regret having even looked now.
The quality of the discussion for the last few posts at Climate Audit is surprisingly low. It's nothing compared to what used to be found on the site, which is a shame as I always held the site in high regard. Don't worry though. I'm not going to start some inter-blog argument today. Today, I just want to show you one of the most hilarious arguments I have ever seen anyone make, an argument endorsed by Steve McIntyre, proprietor of Climate Audit.
Before I go on, I want to point out I did try to discuss this issue at Climate Audit. However, what I said on this seems to have been ignored like a number of other clarifications/corrections I have posted. Additionally, I've had two comments get stuck in moderation. One has been in moderation for three days, and the other disappeared after sitting in moderation for a while. I mention this because I really did make a genuine effort at having a reasoned discussion of details and fact. I'd rather have someone correct an error than have to write a post like this. But alas.
The hilarious argument I want to discuss came about because I criticized the general failure to get basic facts right over at Climate Audit, saying, "I think it would be helpful for people to agree to a set of basic facts/terminology." I meant that. If people can't agree on the basics, I don't see how they will agree on the more complex issues. As an example, I quoted Steve McIntyre:
Tools can be used by more than one institution or re-purposed. A key malware example in the DHS report attributed to APT28 (or APT29, I forget) turned out to be publicly available Ukrainian malware.
And noted the "evidence" people relied on to claim the malware in question was Ukrainian ultimately amounted to nothing more than an anonymous hacker claiming to be Ukrainian (though I then noted other evidence which hasn't received much attention supports the idea). I thought it was remarkable people at that site showed a great deal of skepticism for official government reports/statements yet seemed to show no skepticism of what some anonymous hacker said.
This example was a minor point made out of convenience, and the factual errors I spoke out against were numerous and of greater importance. However, while most of the errors/inaccuracies I pointed out got ignored, this one got a response:
Petri Krohn plausibly connected the PAS malware to identifiable Ukrainian.
This response blew me away as I hadn't realized anyone took Petri Krohn's argument seriously. I mean, I didn't think many people had read his argument as he's not any sort of expert people would have heard of. Of those who might have stumbled across it, I would have assumed they'd all consider it a joke. The supposedly plausible connection in question is one of the most bizarre things I've ever seen. To understand why, here is the title of the article Krohn wrote:
Did a Ukrainian University Student Create Grizzly Steppe?
This should immediately send up red flags to anyone reading his piece. It's not just a bad headline either. Krohn's first paragraph begins:
1) U.S. Department of Homeland Security claims that the DNC was hacked by Russian intelligence services using a Russian malware tool they have named Grizzly Steppe or "PAS tool PHP web kit".
Pretty much no part of this sentence is true. The DHS did not claim the Democratic National Committee (DNC) was hacked with the PAS web shell in question. What the DHS said is the DNC had been hacked by Russians, and Russians have used the PAS web shell in cyberattacks directed at influencing the United States electoral system/process. That means the malware in question could have been used in attacks against some systems while different malware was used against the DNC.
This is burying the lede though. Petri Krohn calls this software "Grizzly Steppe," talking about the hacker who supposedly created it and how "Grizzly Steppe" was used as a tool to hack into systems. That makes no sense at all. Grizzly Steppe is not software. Grizzly Steppe is, to quote the DHS:
On October 7, 2016, the Department Of Homeland Security (DHS) and the Office of the Director of National Intelligence (DNI) issued a joint statement on election security compromises. DHS has released a Joint Analysis Report (JAR) attributing those compromises to Russian malicious cyber activity, designated as GRIZZLY STEPPE.
Grizzly Steppe is the name the DHS gave to a cybercampaign it claims Russia carried out. The PAS web shell was just one of many tools the DHS says Russia used. I can't begin to imagine how Krohn managed to conflate these two things. That'd be like calling a patriot missile "Operation Enduring Freedom" because it was launched during the war on terror which went by that name.
But things get worse. The next paragraph repeats the claim with a false reference:
2) Security company Wordefence says Grizzly Steppe is actually P.A.S. web shell, a common malware tool on WordPress sites. They have identified its origin to an Ukrainian download site Profexer.name
"Wordefence" never claimed Grizzly Steppe was the name of the malware, so I have no idea why Krohn says they did. There is nothing in the reference he provides which could cause that sort of confusion.
As weird as these errors are though, they are just about what things are named. What's truly astonishing is what follows. Krohn builds a chain of connections starting from the site the software was available from. I'm going to skip a couple of them because only the last step matters. Step 4 makes a connection:
The contacts given on the pro-os.ru site link to the VK account of Roman Alexeev and the email address firstname.lastname@example.org.
Step 5 says:
5) "Roman Alexeev" advertises his skills and services as a web developer, linking to his VK account but also giving a skype account (ya.aalexeev) and an email address (email@example.com).
The idea being the person who goes by "Roman Alexeev" is the hacker who wrote this software. Krohn suggests that isn't his real name though, that the hacker has created a profile with fake information. He explains:
6) One of the sites where "Roman Alexeev" links to his VK account is Freelancehunt.com. His profile contains a photograph and the nick aazzz. He claims he is from Zaporizhia and 25 years old.
This is the photograph Krohn identifies the hacker as using:
He then notes:
7) The profile photo on Freelancehunt actually belongs to Jaroslav Volodimirovich Panchenko (ПАНЧЕНКО Ярослав Володимирович), an information technology student and member of the student self-government structure of the Poltava National Technical University.
Showing an uncropped version of the photograph (he says was) used by the hacker. This ostensibly shows the hacker took this image of a university student, cropped it and used it in a profile he created with a fake name... therefore, the hacker is that university student.
I'm not kidding. That is Krohn's argument. Krohn has "plausibly connected" the hacker to a college student by virtue of the fact the hacker used the student's image on a profile page he created under a fake name. That's it. That's where the piece ends. There's not a single word mentioned of the possibility that the guy making a fake profile page might have used an image of someone other than himself.
I don't have words for how absurd that is. What I do have is an image of Cindy Crawford I think would make for a great profile picture.