Late last week, the Department of Homeland Security and the FBI published a report that alleged there was evidence of Russian hacking that swayed the election in favor of President-elect Donald Trump.
“The activity by [Russian intelligence services] is part of an ongoing campaign of cyber-enabled operations directed at the US government and its citizens,” authors of the government report wrote. “This [joint analysis report] provides technical indicators related to many of these operations, recommended mitigations, suggested actions to take in response to the indicators provided, and information on how to report such incidents to the US government.”
However, some experts said the Joint Analysis Report (JAR) had serious issues or was too-little, too-late.
“This ultimately seems like a very rushed report put together by multiple teams working different data sets and motivations,” Robert M. Lee, the CEO and Founder of the security company Dragos, wrote in an analysis published Friday in reference to the to U.S. agencies’ Joint Analysis Report.
“It is my opinion and speculation that there were some really good government analysts and operators contributing to this data and then report reviews, leadership approval processes, and sanitation processes stripped out most of the value and left behind a very confusing report trying to cover too much while saying too little,” Lee wrote.
The JAR, he added, “reads like a poorly done vendor intelligence report stringing together various aspects of attribution without evidence. The beginning of the report (Figure 2) specifically notes that the DHS/FBI has avoided attribution before in their JARs but that based off of their technical indicators they can confirm the private sector attribution to RIS.”
Lee said that the JAR made mistakes in its report, conflating APT28 and APT29—which are known as CozyBear, Sandworm, Sednit, and Sofacy—with malware names like BlackEnergy and Havex and capabilities like “Powershell Backdoor,” as Ars Technica reported.
Ars Technica, a noted tech website, says the report, meanwhile, “does little to end the debate,” and “it largely restates previous private-sector claims without providing any support for their validity.”
Errata Security CEO Rob Graham said that the alleged indicator of compromise, or IOC, that shows Russian hacking “are of low quality.” He added: “They are published as a political tool, to prove they have evidence pointing to Russia. They have limited utility to defenders, or those publicly analyzing attacks.”
Even Salon.com, the liberal-leaning publication, described the JAR as “woefully inadequate.” It reported that the 13-page report seems to be more an advisory for government server administrators, noting that private security firm assessment about hacks against the Democratic National Committee and Hillary Clinton’s campaign have been more “thorough.”
Thomas Rid, a professor at the University of London, further wrote on Twitter: “It would’ve helped, really, to publish a thorough, precise, historically informed and technically honest attribution report in plain English.”
The report was released as President Barack Obama announced sanctions against Russia for allegedly interfering in the election while expelling 35 Russian diplomats.