This entry was posted in General Security, Miscellaneous, Research, Wordfence, WordPress Security on January 2, 2017 by Mark Maunder 13 Replies

On Friday we published an analysis of the FBI and DHS Grizzly Steppe report. The report was widely seen as proof that Russian intelligence operatives hacked the US 2016 election. We showed that the PHP malware in the report is old, freely available from a Ukrainian hacker group and is an administrative tool for hackers.

We also performed an analysis on the IP addresses included in the report and showed that they originate from 61 countries and 389 different organizations with no clear attribution to Russia.

Our report has received wide coverage. Since then I have been interviewed on international network news and by online publications to share our findings. I’d like to provide some clarity both on the FBI/DHS report itself and our findings in the form of an FAQ.

Our business is WordPress security and our customers use WordPress and the Wordfence firewall and malware scanner. Some of this report will be talking directly to our customers, and some of it will be helpful for those interested in security in general and global events.


I’m a Wordfence customer who uses WordPress. What do I need to know?

Wordfence detects the PHP malware that is in the report. It also blocks it from being uploaded to a WordPress website. Even before the FBI/DHS released this report, we were blocking this malware.

That is how we found the original source code: by capturing a sample when a hacker tried to upload it to a customer website. The upload occurred before the FBI/DHS report came out. We tracked and logged over 130 unique attempts to upload the specific malware sample the FBI/DHS provided.

The samples the FBI released are old and limited. Wordfence detects thousands of malware varieties that are actively used to attack WordPress websites. We also track a much larger set of IP addresses.

The bottom line is that if you use Wordfence, you are safe from anything in the DHS report that affects your website, and much more.



Does the report prove that Russia Hacked the 2016 US Election?

No it does not. What Wordfence revealed on Friday is that the PHP malware sample that the US government provided is:

An old version of malware. The sample was version 3.1.0 and the current version is 3.1.7 with 4.1.1 beta also available.

Freely available to anyone who wants it.

The authors claim they are Ukrainian, not Russian.

The malware is a web shell: an administrative tool used by hackers to upload files, view files on a hacked website, download database contents and so on. It is used as one step in a series of steps that would occur during an attack; it is not the means by which the site was broken into in the first place.

Wordfence also analyzed the IP addresses available and demonstrated that they are in 61 countries, belong to over 380 organizations and many of those organizations are well known website hosting providers from where many attacks originate. There is nothing in the IP data that points to Russia specifically.



If I find something in the DHS/FBI report on my website or network, does it mean that Russia hacked me?

No it does not.

This has caused serious confusion already among press and US policy makers. A Vermont electrical utility found a sample of what is in the DHS/FBI Grizzly Steppe report on a single laptop. That laptop was not connected to the electric grid network. It was nonetheless reported as Russia hacking the US electrical grid.

Glenn Greenwald has provided some magnificent reporting on this incident and the response from the media and from US senators.

The data in the DHS/FBI Grizzly Steppe report contains “indicators of compromise” (IOCs), which you can think of as footprints that hackers left behind. The IOCs in the report are tools that are freely available and IP addresses that are used by hackers around the world. There is very little Russia-specific data in the Grizzly Steppe report.

If you find an IOC that is in the report on your network or server, it is unlikely that you have been targeted by Russian Intelligence.

The PHP malware the report provided, for example, is freely available for anyone who wants it. You can even customize it to include your own password to limit access to others. Please see our original report for details. Any attacker can use it to hack your website, not just Russian Intelligence.

The DHS/FBI report also included IP addresses. The owners of IP addresses change from time to time. An IP that was being used by Russian Intelligence today to hack a target may be used by another attacker to hack a different target a few days later. This can happen for several reasons:

A compromised host can be used by one attacker and then be compromised by a different attacker later on, who also launches attacks from it.

IP addresses change ownership from time to time. A server at a Linode IP may be compromised by a Russian actor and used to launch attacks. Linode may then shut it down, the IP is reassigned to a new customer, and the new customer’s site gets hacked. Then that IP address is attacking once again, but the attacker is someone else.

IP addresses are also dynamic if they belong to an internet service provider (ISP). Some of the IPs in the Grizzly Steppe report do belong to ISPs. For example we can see IPs belonging to Yota.ru, a Russian internet service provider. The hostnames are ‘wimax-client.yota.ru’, which suggests that they are consumer wireless broadband (WiMAX) subscribers. These IPs are probably dynamic and regularly change hands. They may be used by one attacker today and a different attacker tomorrow.
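The triage the preceding paragraphs describe, as an added example that is not code from the original post or from Wordfence: it buckets each IP-address IOC by how much attribution weight a hit on it can carry. Dynamic consumer addresses (recognised here by PTR-name patterns and by the address being embedded in the hostname) and shared hosting providers are treated as weak signals. The IOC rows, the PTR patterns, the hosting-provider keyword list and the organisation/country values are all constructed for illustration; only the `wimax-client.yota.ru` hostname form comes from the post, and the addresses are RFC 5737 documentation ranges.

```python
"""Bucket IP-address IOCs by attribution weight (added example, constructed data)."""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Ioc:
    ip: str
    ptr: str      # reverse-DNS name at time of lookup ("" if none)
    org: str      # owner from WHOIS/ASN data (assumed already enriched)
    country: str  # ISO country code from ASN data


# Constructed sample rows; not the GRIZZLY STEPPE list.
SAMPLE = [
    Ioc("192.0.2.10", "wimax-client.yota.ru", "Yota", "RU"),
    Ioc("192.0.2.11", "wimax-client.yota.ru", "Yota", "RU"),
    Ioc("198.51.100.5", "li123-45.members.linode.com", "Linode", "US"),
    Ioc("198.51.100.9", "vps.example-host.net", "ExampleHost", "DE"),
    Ioc("203.0.113.7", "dyn-203-0-113-7.example-isp.fr", "ExampleISP", "FR"),
    Ioc("203.0.113.8", "", "ExampleCorp", "NL"),
]

# Assumed PTR-name tokens typical of dynamic consumer pools.
DYNAMIC_PTR = re.compile(r"(wimax|dyn|dhcp|pool|ppp|dsl|cable|client)", re.IGNORECASE)
# Assumed list of hosting providers whose customers' boxes are routinely compromised.
HOSTING_ORGS = {"linode", "digitalocean", "ovh", "hetzner", "examplehost"}


def octets_in_name(ip: str, name: str) -> bool:
    """True when the PTR embeds the address itself, e.g. dyn-203-0-113-7.example-isp.fr."""
    tokens = re.split(r"[.\-]", name)
    return all(octet in tokens for octet in ip.split("."))


def classify(ioc: Ioc) -> str:
    """Return the attribution-weight bucket for one IOC."""
    ipaddress.ip_address(ioc.ip)  # raises ValueError on a malformed address
    if ioc.ptr and (DYNAMIC_PTR.search(ioc.ptr) or octets_in_name(ioc.ip, ioc.ptr)):
        return "dynamic-isp"      # changes hands daily; a hit says little about who
    if ioc.org.lower() in HOSTING_ORGS:
        return "hosting"          # shared infrastructure, often itself compromised
    return "static-other"         # worth a closer look before drawing conclusions


def summarize(iocs) -> dict:
    """Diversity and weight figures for a whole IOC list."""
    buckets = Counter(classify(i) for i in iocs)
    low_weight = buckets["dynamic-isp"] + buckets["hosting"]
    return {
        "total": len(iocs),
        "countries": len({i.country for i in iocs}),
        "orgs": len({i.org for i in iocs}),
        "buckets": dict(buckets),
        "low_weight_fraction": low_weight / len(iocs),
    }


if __name__ == "__main__":
    for ioc in SAMPLE:
        print(f"{ioc.ip:15} {classify(ioc):13} {ioc.ptr or '-'}")
    print(summarize(SAMPLE))
```

The point of the summary line is the one the post makes about the report's list: when most entries land in the dynamic or hosting buckets and the remainder is spread across many countries and organisations, a match against one of them on your own network is a reason to investigate that host, not a reason to name an actor.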

How did Wordfence determine the malware source, the authors and the version?

We received the DHS/FBI report on Thursday. Rob McMahon, one of my colleagues and a security analyst at Wordfence, alerted me to its existence at 8pm Pacific time on Thursday, December 29th. We worked through the night until 7am the next morning, when we released the report. Here is what we did:

We read the report and noticed there was a Yara signature for PHP malware. That means that the FBI and DHS provided just enough information to identify the existence of PHP malware. It didn’t actually provide the malware itself.

We went into Polestar, which is a Wordfence proprietary big-data platform that we have developed to aggregate and mine a large number of attacks from a range of sources. We used the Yara signature to try to determine if anyone had attacked a WordPress site using this malware. At this point we didn’t know what it was or if it was even used against WordPress.

Jackpot! We had captured the entire 20k malware sample!

We extracted the malware sample from Polestar and I handed it to Rob who started analysis on the sample. We divided the work and I went off and analyzed the IP addresses that DHS/FBI had provided in Grizzly Steppe.

Rob realized that most of the malware is encrypted. The way it works is that a hacker will upload it to a website. They access the malware as a web page and are prompted for a password by a small amount of unencrypted code in the malware. They enter the password which is actually a decryption key.

That decryption key is stored in a cookie so the hacker doesn’t have to keep entering it. The key then decrypts the malware code which is executed. Then every time the hacker accesses the malware in future, the key stored in a cookie decrypts the malware so that it can execute. It’s quite clever and makes our jobs harder.

We needed to find the decryption key for the malware. So we went back to Polestar and tried to find an attack where the attacker was trying to access the malware they had uploaded.

Jackpot again! We found the key. Rob used the key to decrypt the malware and view the source code. Once he could see the source code, he could see the name of the malware and the version and a few Google searches revealed the source website that it came from.
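The mechanism described above (a small cleartext loader, the password doubling as the decryption key, the key carried in a cookie on every later request) and the recovery step that followed it, as an added example in Python rather than PHP. This is not the P.A.S. code and not Wordfence's tooling: the cipher is a toy SHA-256 keystream chosen purely to illustrate the structure, the cookie name `pass`, the shell body, the log-line format and the captured requests are all constructed, and the real shell's cipher, cookie name and layout are not reproduced here.

```python
"""Password-as-key web-shell loader and key recovery from captured requests.
Added example with a toy cipher; NOT the P.A.S. implementation."""
import base64
import hashlib
import re
from typing import Optional

COOKIE_NAME = "pass"  # assumed cookie name for the illustration


def keystream(key: str, length: int) -> bytes:
    """Toy keystream: SHA-256(key || counter) blocks concatenated. Illustrative only."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key.encode() + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_payload(plaintext: bytes, key: str) -> str:
    """What the shell's author does once: XOR the body with the keystream, base64 it."""
    ks = keystream(key, len(plaintext))
    return base64.b64encode(bytes(a ^ b for a, b in zip(plaintext, ks))).decode()


def decrypt_payload(blob: str, key: str) -> bytes:
    data = base64.b64decode(blob)
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def looks_like_php(code: bytes) -> bool:
    return code.startswith(b"<?php")


def loader(request_cookies: dict, blob: str) -> Optional[bytes]:
    """The only cleartext part of the file, modelled in Python: read the key from the
    cookie, decrypt, and (in the real shell) eval the result. No cookie: show the
    password prompt instead, which is why the file on disk reveals almost nothing."""
    key = request_cookies.get(COOKIE_NAME)
    if key is None:
        return None
    code = decrypt_payload(blob, key)
    return code if looks_like_php(code) else None


# --- Analyst side: the attacker's own requests carry the key ---------------------
COOKIE_RE = re.compile(r'Cookie: ([^"]*)')  # assumed log format, see CAPTURED_REQUESTS


def candidate_keys(log_lines) -> list:
    """Collect distinct values of the key cookie from captured request lines."""
    keys = []
    for line in log_lines:
        m = COOKIE_RE.search(line)
        if not m:
            continue
        for pair in m.group(1).split(";"):
            name, _, value = pair.strip().partition("=")
            if name == COOKIE_NAME and value and value not in keys:
                keys.append(value)
    return keys


def recover_source(blob: str, log_lines):
    """Try every captured key against the blob; accept the one that yields PHP."""
    for key in candidate_keys(log_lines):
        code = decrypt_payload(blob, key)
        if looks_like_php(code):
            return key, code
    return None


# Constructed stand-ins for the uploaded sample and the later access attempts.
SHELL_SOURCE = b"<?php // constructed stand-in for the encrypted shell body\n$ver='3.1.0';\n"
SHELL_KEY = "hunter2"
BLOB = encrypt_payload(SHELL_SOURCE, SHELL_KEY)
CAPTURED_REQUESTS = [
    '203.0.113.9 "GET /wp-content/uploads/x.php HTTP/1.1" 200 "Cookie: PHPSESSID=abc"',
    '203.0.113.9 "POST /wp-content/uploads/x.php HTTP/1.1" 200 "Cookie: pass=wrongguess"',
    '203.0.113.9 "GET /wp-content/uploads/x.php HTTP/1.1" 200 "Cookie: pass=hunter2; PHPSESSID=abc"',
]


def static_scan_sees_php(blob: str) -> bool:
    """A body-string signature run against the stored file finds nothing."""
    return looks_like_php(base64.b64decode(blob))


if __name__ == "__main__":
    print("static scan sees PHP body:", static_scan_sees_php(BLOB))
    print("keys seen in traffic:", candidate_keys(CAPTURED_REQUESTS))
    print("recovered:", recover_source(BLOB, CAPTURED_REQUESTS))
```

Two things the run shows. First, `static_scan_sees_php` is false: a signature for the shell's real functionality never fires on the file as it sits on disk, so detection has to key on the loader stub (which is what a YARA rule for a family like this ends up matching). Second, the key is recoverable from traffic because every subsequent request re-sends it; capturing the attacker's own requests to the uploaded file, as described in the post, is the practical route to the plaintext.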

The rest was much easier. We could now take the malware sample and put it on a sandboxed research environment and actually run it and see what it did. We could also download the newer version of the malware, called ‘P.A.S.’, and execute that to see what it does and how it differs.

This is how we determined that the FBI/DHS report contains an old malware sample that is publicly available and the hacker group that distributes it appears to be Ukrainian.



Why did Wordfence use the title “US Govt Data Shows Russia Used Outdated Ukrainian PHP Malware” when publishing this research?

Some of our readers commented that the title we used for the post was confusing or misleading. Keep in mind that when we published, my team and I had been working through the night.

The problem that some readers had with that title is that it suggests that Russia hacked the US election. But our research indicates that the DHS/FBI report actually does not contain any data attributing the attack to Russia.

If you rewrite the above title and put ‘Russia’ in single quotes it may make more sense.

Perhaps a better title would have been: US Government report does not contain data attributing 2016 election hacks to Russia. The report includes outdated PHP malware that is publicly available and appears to originate from a Ukrainian hacker group. It also includes IP addresses with no clear link to Russia.

That would have been too long, but I think it accurately captures what we were trying to convey.

I chose to not change the headline to protect the credibility of our community. When we publish a blog post, many of you share that post on Twitter, Facebook and in other social media. Your share includes the post title. If I change the title later on, it makes it look like you edited the title yourself when sharing our post. You may be accused of exaggerating or changing our words. So once we pull the trigger on a post, the title is never edited.



Which other researchers are talking about this and are worth reading?

On Friday Jeff Carr said about the report:

“It merely listed every threat group ever reported on by a commercial cybersecurity company that is suspected of being Russian-made and lumped them under the heading of Russian Intelligence Services (RIS) without providing any supporting evidence that such a connection exists.”

Also on Friday Robert M Lee commented about the list of Russian Intelligence Services provided in the report:

“But as the list progresses it becomes worrisome as the list also contains malware names (HAVEX and BlackEnergy v3 as examples) which are different than campaign names. Campaign names describe a collection of intrusions into one or more victims by the same adversary. Those campaigns can utilize various pieces of malware and sometimes malware is consistent across unrelated campaigns and unrelated actors. It gets worse though when the list includes things such as “Powershell Backdoor”. This is not even a malware family at this point but instead a classification of a capability that can be found in various malware families.

Or said more simply: the list of reported RIS names includes relevant and specific names such as campaign names, more general and often unrelated malware family names, and extremely broad and non-descriptive classification of capabilities. It was a mixing of data types that didn’t meet any objective in the report and only added confusion as to whether the DHS/FBI knows what they are doing or if they are instead just telling teams in the government “contribute anything you have that has been affiliated with Russian activity.””



Where is this being written about in main-stream news?

Here is a list of news coverage as of Sunday night at 11:15PM Pacific Time:

Final Note

Thank you very much to our community for your kind feedback and input on Friday’s report. I have read every single comment and responded to many. If you have any other questions, please post them in the comments below and I’ll be happy to answer them. Once again, please refrain from posting any political comments. Thank you.
