Tuesday, June 21, 2016

Why Should We Doubt Anything Asserted by the DNC, Repeated by the Company They Hired (CrowdStrike), and Confirmed by that Company's Industry Partner (Fidelis)?

According to news sources all over the internet, the verdict is in concerning the hack of the Democratic National Committee. A headline from Business Insider UK reads "Yes, Russia Really Did Hack the Democratic National Committee." Similar headlines have poured in from other sources, such as The Washington Post ("Cyber researches confirm Russian government hack of Democratic National Convention"), Computerworld ("Russian hackers were behind DNC breach"), and Neowin ("The Russian government hacked the DNC after all").

Apparently the world can breathe a sigh of relief and rest assured that the matter has been settled once and for all.

These headlines are generated with such certainty primarily because a cybersecurity outfit called Fidelis has independently corroborated the assertions of CrowdStrike, the company hired by the DNC to mitigate the damage done by the breach.

But none of the stories attached to the headlines question how "independent" the analysis of Fidelis really is. Certainly none of them mention that Fidelis joined a 7-member intelligence exchange program sponsored by CrowdStrike in August of 2014. Nor do they point out that a press release from General Dynamics that same month characterized Fidelis and CrowdStrike as "partners" rather than competitors in the cybersecurity industry.

The Washington Post attempts to bolster its case by referring to a statement from Marshall Heilman, a researcher from Mandiant (long considered a genuine rival of CrowdStrike), according to which "the malware and associated servers are consistent with those previously used by 'APT 28 and APT 29,' which are Mandiant’s names for Fancy Bear and Cozy Bear, respectively."

The Post article doesn't explain how Heilman obtained his malware samples, but gives us a hint in its invocation of yet a fourth cybersecurity firm, ThreatConnect, which "followed up on CrowdStrike’s analysis by looking at computer Internet protocol addresses that CrowdStrike said it had found while investigating the DNC intrusion." (Neither Mandiant nor its parent company, Fireeye, responded to my queries about how Heilman obtained the DNC malware samples.)

So for those keeping score, we know that Russians hacked the DNC because 1) The DNC told us so; 2) CrowdStrike (the cybersecurity firm hired by the DNC) told us so; 3) Fidelis (one of CrowdStrike's industry partners) told us so; 4) Mandiant (based on an examination of malware samples presumably provided to them by CrowdStrike) told us so; and 5) ThreatConnect (based on an examination of IP addresses admittedly provided to them by CrowdStrike) told us so.

No comments:

Post a Comment