Swaziland or Switzerland? FBI silent about peculiarities in Russian hack documentation

The documentation given by the FBI and Homeland Security in an attempt to prove Russian hacking of American politicians, organizations and businesses is marked by several deviations that seem to be trivial typing errors.

This is shown by a check that the Danish IT website Version2 made of the IP address lists attached to the authorities' report.

The report lists 876 IP addresses that the American authorities believe Russian hacker groups used in connection with attacks on the USA in recent years.

Some of the mismatches revealed by Version2's cross-check. Illustration: US-CERT and Version2

Facts: This is what we did

Firstly, Version2's cross-checking was done by looking up information on infobyip.com. Then we went through several of the addresses that did not match the FBI list by looking up the information on other whois websites. These websites contain information about who registered the address, where it is registered and what purpose the IP address serves. It looks like the FBI has used the same or similar websites, since overall there are many similarities between the results.

On this list, the country that the address supposedly belongs to is noted next to 248 of the addresses. But some of the locations do not seem to be correct.

Version2 cross-checked the geographical locations via publicly available databases and in 18 cases the country names did not correspond.

The most noticeable deviation is that according to the documentation from Homeland Security and FBI three IP addresses belong in the kingdom of Swaziland in Africa while Version2's research shows that they belong in Switzerland in Europe.

While thousands of kilometres separate the two countries physically, their names are somewhat closer linguistically.

To make sure, we ran the IP addresses through even more so-called whois tools. They show who owns which IP addresses and where they are located.

Yoel Caspersen is director of the Danish Internet service provider Kviknet. He works with the administration of IP addresses on a daily basis.

'On the face of it, it simply seems like one of the writers of the report made a typing error,' he says.

Yoel Caspersen has looked at the 'Swaziland' addresses - 185.12.46.178, 95.183.50.23 and 46.102.152.132 - and he says that nothing indicates that the IP addresses in question were ever located in Swaziland.

Also, according to whois, all the IP addresses that are noted as located in Denmark are actually located in Germany.

May have other data

Yoel Caspersen stresses that the FBI and the American authorities may very well have access to other sets of data than the publicly accessible databases.

Not least because the FBI has the opportunity to contact authorities around the world when investigating given IP addresses.

Having said that, Yoel Caspersen believes that a possible explanation of the deviations may be that while the FBI and other authorities have very likely been meticulous when it comes to the actual investigation, the same care might not have been taken when writing a fair copy of the list of country names.

'The simple explanation is that it is a communication error because they basically don't care. They have the information they need. This is purely about making it seem probable to the rest of the world that there was an attack,' says Yoel Caspersen.

When it comes to why the apparently German IP addresses have been written down as Danish, Yoel Caspersen points to the fact that the country code for Germany is DE and in the eyes of an American it may become 'Denmark' if you are in a hurry.
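An added example, not part of the original article or of Version2's tooling: a cross-check of the kind described above that also sorts each deviation by the two explanations the article offers, a country code expanded to the wrong name or two similar names confused. The registry table stands in for whois results; the 192.0.2.x rows, the ISO subset and the 0.6 similarity cutoff are assumptions made for the example.

```python
import difflib

# ISO 3166-1 alpha-2 subset covering the countries the article mentions.
ISO_NAMES = {"CH": "Switzerland", "SZ": "Swaziland", "DE": "Germany",
             "DK": "Denmark", "NL": "Netherlands", "SE": "Sweden"}

def classify(reported_name, registry_code):
    """Compare the report's country name with a registry (whois) country code."""
    registry_name = ISO_NAMES[registry_code]
    if reported_name.lower() == registry_name.lower():
        return "match"
    # A two-letter code expanded to the wrong name: "DE" read as "DEnmark".
    if reported_name.upper().startswith(registry_code):
        return "code-misread"
    # Two similar-looking names confused: "Swaziland" for "Switzerland".
    ratio = difflib.SequenceMatcher(
        None, reported_name.lower(), registry_name.lower()).ratio()
    return "name-confusion" if ratio >= 0.6 else "mismatch"  # 0.6: assumed cutoff

def cross_check(rows, registry):
    """Return (ip, reported, registry_code, verdict) for every non-matching row."""
    findings = []
    for ip, reported in rows:
        code = registry.get(ip)
        if code not in ISO_NAMES:
            findings.append((ip, reported, code, "no-registry-data"))
            continue
        verdict = classify(reported, code)
        if verdict != "match":
            findings.append((ip, reported, code, verdict))
    return findings

# Report rows: the three "Swaziland" addresses are from the article; the
# 192.0.2.x rows are constructed (documentation range).
REPORT_ROWS = [("185.12.46.178", "Swaziland"), ("95.183.50.23", "Swaziland"),
               ("46.102.152.132", "Swaziland"), ("192.0.2.10", "Denmark"),
               ("192.0.2.20", "Sweden"), ("192.0.2.30", "Russia")]
# Stand-in for whois lookups: CH follows the article's finding, the rest is constructed.
REGISTRY = {"185.12.46.178": "CH", "95.183.50.23": "CH", "46.102.152.132": "CH",
            "192.0.2.10": "DE", "192.0.2.20": "SE", "192.0.2.30": "NL"}

if __name__ == "__main__":
    for finding in cross_check(REPORT_ROWS, REGISTRY):
        print(finding)
```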

Version2 has been in contact with the FBI, but the bureau has not wished to help clarify how countries and IP addresses were linked together in the report on the Russian hacker attacks.

The police authority does not wish to comment on the strange confusion of Swaziland and Switzerland.

Addresses from all over the world

IP addresses from several countries are mentioned in the report. For instance, some of them are marked USA and a very few Russia, but smaller countries such as Holland and Sweden are also mentioned in the report.

Denmark also seems to be home to several of the addresses, but as Version2 has previously reported, these addresses actually look like they belong in Germany.

'Basically the home countries of the IP addresses don't matter because it is the owner of the IP address who indicates where it belongs,' says Yoel Caspersen, who could place his own IP addresses in Swaziland if he wanted to.

'But that doesn't explain the error,' he adds.

Warning to IT professionals

The 13-page report contains a list of 876 IP addresses supposedly used by several hackers supported by the Russian state. Amongst other things, the list is meant as a tool for security managers so that they can screen their network logs for suspicious IP traffic from the addresses.

Version2 has previously reported on Version2 blogger Henrik Kramshoej, two of whose IP addresses appear on the list. His explanation is that he runs an exit node on the anonymization service TOR.

In short, that means that traffic goes through Kramshoej's IP addresses, whether it comes from hackers trying to hide their footprints or from freedom fighters who fear for their safety and wish to conceal their identity in countries where freedom of speech is under pressure.

On The Intercept, blogger Micah Lee has pointed out that almost half of the 876 addresses made public in total are actually TOR exit nodes. This means that they are addresses that anyone using the anonymization service can risk being given.

In connection with this, Yoel Caspersen says that when it comes to security, the IP addresses are not crucial 'in a time when services such as TOR are so widespread' that people can pretty easily hide their IP identity.
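An added example, not from the original article or the report: screening log lines against an indicator list as the report intends, while labelling hits on addresses that are also Tor exit nodes, which the article notes make up almost half of the list. All addresses, list contents and log lines are constructed, and the Common Log Format input is an assumption.

```python
import ipaddress
import re

# Common Log Format: source address, two fields, [timestamp], "request", status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')

def load_ips(lines):
    """Parse one address per line; skip blanks, '#' comments and malformed entries."""
    addresses = set()
    for line in lines:
        text = line.split("#", 1)[0].strip()
        if not text:
            continue
        try:
            addresses.add(ipaddress.ip_address(text))
        except ValueError:
            continue
    return addresses

def screen(log_lines, indicators, tor_exits):
    """Return (ip, timestamp, request, label) for log lines whose source is listed."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # hostname or garbage in the address field
        if src in indicators:
            # A listed Tor exit relays traffic for anyone on Tor, so a hit says
            # little about who is behind it and needs corroborating evidence.
            label = "listed-tor-exit" if src in tor_exits else "listed"
            hits.append((str(src), m.group(2), m.group(3), label))
    return hits

# All sample data below is constructed (documentation address ranges).
INDICATORS = load_ips(["192.0.2.10", "198.51.100.7  # also a Tor exit", "not-an-ip", ""])
TOR_EXITS = load_ips(["198.51.100.7", "203.0.113.5"])
LOG = [
    '192.0.2.10 - - [02/Jan/2017:10:00:01 +0000] "GET /login HTTP/1.1" 200',
    '198.51.100.7 - - [02/Jan/2017:10:00:05 +0000] "POST /login HTTP/1.1" 401',
    '203.0.113.5 - - [02/Jan/2017:10:00:09 +0000] "GET / HTTP/1.1" 200',
    'truncated line',
]
```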