FBI/DHS Report GRIZZLY STEPPE was Junk

The GRIZZLY STEPPE – Russian Malicious Cyber Activity report, released jointly by the FBI and DHS on December 29, 2016, was an update to an earlier propaganda piece — the Joint Statement from DHS and ODNI on Election Security, published by the Obama administration on October 7 to aid Hillary and other fellow Democrats in the elections.

GRIZZLY STEPPE was so incompetent that even convinced partisans laughed it off. The Daily Beast, 2017-01-07 (emphasis added):

“At every level this report is a failure,” says security researcher Robert M. Lee. “It didn’t do what it set out to do, and it didn’t provide useful data. They’re handing out bad information to the industry when good information exists.”

“… the report is a gumbo of earnest security advice mixed with random information from a broad range of hacking activity. One piece of well-known malware used by criminal hackers, the PAS webshell, is singled out for special attention, while the sophisticated Russian “SeaDuke” code used in the DNC hack barely rates a mention. A full page of the report is dedicated to listing names that computer security companies have assigned to Russian malware and hacking groups over the years, information that nobody is asking for.”

“Though the written report is confusing, it’s the raw data released along with it that truly exasperates security professionals. The department released 876 internet IP addresses it says are linked to Grizzly Steppe hacking, and urged network administrators everywhere to add the list to their network monitoring.”

“We had an extraordinarily high amount of false positives on this dataset… Six of them were Yahoo e-mail servers.”

“It turns out that some, perhaps most, of the watchlisted addresses have a decidedly weak connection to the Kremlin, if any. In addition to the Yahoo servers, about 44 percent of the addresses are exit nodes in the Tor anonymity network, The Intercept’s Micah Lee reported Wednesday. Tor is free software used primarily for anonymous web browsing. Russian hackers use Tor, but so do plenty of other people.”

“The consequences of the over inclusive list became apparent last week, when a Vermont utility company, Burlington Electric Department, followed DHS’s advice and added the addresses to its network monitoring setup. It got an alert within a day. The utility called the feds, and The Washington Post soon broke the distressing news that “Russian hackers penetrated [the] U.S. electricity grid through a utility in Vermont.”

“The story was wrong. Not only was the laptop in question isolated from the utility’s control systems, the IP address that triggered the alert wasn’t dangerous after all: It was one of the Yahoo servers on the DHS list, and the alert had been generated by a Burlington Electric employee checking email. The Post article was later corrected, but not before Vermont Senator Patrick Leahy issued a statement condemning the putative Russian attack.”

These false positives fed the media frenzy for months.
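A defender-side illustration of the failure described in the quoted passages, added here and not part of the post or of the report: before an indicator feed like the 876-address list is wired into monitoring, each hit is checked against context (a Tor exit list, known shared services such as a public webmail provider) so that an employee's mail session is not raised as an intrusion. All IP addresses, lists and log lines below are constructed placeholders, not values from GRIZZLY STEPPE.

```python
import ipaddress
from typing import NamedTuple, Optional, Tuple

# Constructed indicator feed (documentation-range IPs, not the report's addresses).
INDICATOR_FEED = {"198.51.100.10", "203.0.113.7", "192.0.2.44", "198.51.100.99"}
# Context an analyst gathers before deploying a feed: a current Tor exit-node list
# and large shared services that many benign users talk to. Both constructed here.
TOR_EXITS = {"203.0.113.7", "198.51.100.99"}
SHARED_SERVICES = {"198.51.100.10": "public webmail provider"}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range
CLIENT_PORTS = {443, 587, 993, 995}            # typical user mail/web sessions

class Conn(NamedTuple):
    src: str
    dst: str
    dport: int

def is_internal(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INTERNAL

def triage(conn: Conn) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for a feed match, or None when nothing matched."""
    hit = next((ip for ip in (conn.src, conn.dst) if ip in INDICATOR_FEED), None)
    if hit is None:
        return None
    # The Burlington case: an internal host talking to a shared mail service.
    if hit in SHARED_SERVICES and is_internal(conn.src) and conn.dport in CLIENT_PORTS:
        return ("low", f"outbound client traffic to {SHARED_SERVICES[hit]}; likely a user session")
    # Tor exits are anonymising infrastructure, not attributable to any one actor.
    if hit in TOR_EXITS:
        if is_internal(conn.src):
            return ("medium", "outbound to a Tor exit; check for unexpected Tor use")
        return ("medium", "inbound from a Tor exit; anonymised, not attributable")
    return ("high", "indicator not explained by shared infrastructure; investigate")

def triage_log(lines):
    """Run triage over 'src dst dport' records and keep only the feed matches."""
    results = []
    for line in lines:
        src, dst, dport = line.split()
        verdict = triage(Conn(src, dst, int(dport)))
        if verdict:
            results.append((src, dst, *verdict))
    return results

SAMPLE_LOG = [  # constructed connection records
    "10.1.2.3 198.51.100.10 443",   # employee webmail session
    "203.0.113.7 10.1.2.50 22",     # Tor exit reaching an SSH service
    "10.1.2.9 192.0.2.44 8080",     # indicator with no benign explanation
    "10.1.2.9 8.8.8.8 53",          # not in the feed
]
```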