Jeffrey Carr, the “Russian Hacking” Skeptic

2019-09-25: The linked posts by Jeffrey Carr are gone. He probably deleted them under pressure. Their copies are available on

Jeffrey Carr is a cyber-security expert, and one of the few open skeptics of the narrative that the leaked DNC and/or DCCC internal documents came from hacking by Russia. A few remarkable quotes from his posts, mostly from 2016-2017, follow.

Can Facts Slow The DNC Breach Runaway Train?

“Here’s my nightmare. Every time a claim of attribution is made — right or wrong — it becomes part of a permanent record; an un-verifiable provenance that is built upon by the next security researcher or startup who wants to grab a headline, and by the one after him, and the one after her. The most sensational of those claims are almost assured of international media attention, and if they align with U.S. policy interests, they rapidly move from unverified theory to fact.

Because each headline is informed by a report, and because indicators of compromise and other technical details are shared between vendors worldwide, any State or non-State actor in the world will soon have the ability to imitate an APT group with State attribution, launch an attack against another State, and generate sufficient harmful effects to trigger an international incident. All because some commercial cybersecurity companies are compelled to chase headlines with sensational claims of attribution that cannot be verified.”

Why aren’t there more skeptics in InfoSec?

“There’s a cost to being too critical. One infosec company threatened to sue a researcher if he didn’t make substantive changes to a published paper that was critical of their report. Many employers don’t allow their employees to express controversial opinions that could hurt the company’s business or reputation. And if the company or organization that you’re critical of has influential connections in Washington D.C., your professional reputation may suffer as well.” 

The DNC: Swimming In Malware But Never Once Targeted

“As I and other cybersecurity researchers have pointed out, malware is shared. The concept of “exclusive use” is an unsubstantiated myth.”

The Yandex Domain Problem Or Who In Russian Intelligence Doesn’t Speak Russian?

“The point that I’m trying to make is that if anyone in Russia wanted to spear phish employees of the DNC, then creating a email address instead of a email address is not only unnecessary extra effort but it makes absolutely no sense. You don’t gain anything operationally. You’ve used Yandex. You might as well paint a big red R on your forehead. However, you know what does make sense? That the person who opened the account DOESN’T SPEAK RUSSIAN!”

This brings to my mind: On August 22, the DNC yelled that it was targeted by hackers but thwarted the attack. The next day, it said that the targeting was a “test” by its own Michigan branch. Go figure.

The Publicly Available Evidence Doesn’t Support Russian Gov Hacking of 2016 Election (July 2017)

“The X-Agent malware used against the DNC is not exclusive to Russia. The source code has been acquired by at least one Ukrainian hacker group and one European cybersecurity company, which means that others have it as well. “Exclusive use” is a myth that responsible cybersecurity companies need to stop using as proof of attribution.

The various attacks attributed to the GRU were a comedy of errors; not the actions of a sophisticated adversary.

The FBI/DHS Grizzly Steppe report was a disaster (here, here, here, and here).

Crowdstrike’s Danger Close report, which was supposed to be the nail in the coffin that proved the GRU was involved in the DNC hack, has been repudiated by the Ukrainian government, the IISS whose data they misused, and the builder of the military app that they claimed was compromised.

The Arizona and Illinois attacks against electoral databases that were blamed on the Russian government were actually conducted by English-speaking hackers.”

“There are many other problems with the DNC investigation starting with the fact that no government agency actually did the forensics work. It was done by a company with strong ties to the Clinton campaign and an economic incentive to blame foreign governments for cyber attacks on evidence that was either flimsy or non-existent.”

FBI/DHS Joint Analysis Report: A Fatally Flawed Effort (Dec 30, 2016)

“The FBI/DHS Joint Analysis Report (JAR) “Grizzly Steppe” was released yesterday as part of the White House’s response to alleged Russian government interference in the 2016 election process. It adds nothing to the call for evidence that the Russian government was responsible for hacking the DNC, the DCCC, the email accounts of Democratic party officials, or for delivering the content of those hacks to Wikileaks.

It merely listed every threat group ever reported on by a commercial cybersecurity company that is suspected of being Russian-made and lumped them under the heading of Russian Intelligence Services (RIS) without providing any supporting evidence that such a connection exists.”

The JAR also contained a very broad set of alleged threat indicators producing lots of false positives, which caused bouts of panic later. The FBI/DHS JAR was lambasted even by authors and entities accepting the idea that Russia interfered in the 2016 elections to help Trump. Examples:

SANS: Critiques of the DHS/FBI’s GRIZZLY STEPPE Report

Robert M. Lee: Critiques of the DHS/FBI’s GRIZZLY STEPPE Report

John Hinderaker in Powerline was more direct: “GRIZZLY STEPPE”: IS THIS A JOKE?

“The Obama administration is retaliating against Russia for hacking into Debbie Wasserman-Schultz’s email account. It would have been much better if the administration had reacted when Russia hacked into the White House’s and State Department’s computers in 2014, but, as Glenn Reynolds says, at that time only national security was at stake, while now, it’s something really important: the Democratic Party’s power.”

Faith-based Attribution

“It’s important to know that the process of attributing an attack by a cybersecurity company has nothing to do with the scientific method. Claims of attribution aren’t testable or repeatable because the hypothesis is never proven right or wrong. Neither are claims of attribution admissible in any criminal case, so those who make the claim don’t have to abide by any rules of evidence (i.e., hearsay, relevance, admissibility).”

Philosophy of science calls such claims unfalsifiable. Unfalsifiable claims are not scientific.

How “Hat-tribution” on China Has Harmed U.S. National Policymaking

“They [U.S. Air Force officers] were so positive that they gave China a code name — Advanced Persistent Threat (APT). Some of those Air Force officers later founded Mandiant …”

“Mandiant made a fortune from its long-standing policy of blaming every network breach on Chinese hackers; a fact that didn’t go un-noticed by almost every other cybersecurity company. Between 2010 and 2015, any report that named China as the culprit caught the attention of corporate CEOs as well as major news outlets. In 2013, Mandiant issued its APT1 report. By the end of the year, it was acquired by FireEye for $1B.”

APT1 might have been the only correct attribution made by Mandiant.

Cyber Intelligence and the Imaginary Other

“Imagining an unknown “other” in the world of cyber intelligence is not only common, it has become a profit center for many companies including Crowdstrike. You investigate an attack, look for common technical indicators, then slap a name on it like Fancy Bear or APT28, and call it an adversary. You then sell that report to your commercial customers and government agencies as “intelligence” without ever knowing the identities of the people involved or who, if anyone, was paying them.

This lack of “ground truth” was pointed out by malware researchers Eric Nunes, Nimish Kulkarni, and Paulo Shakarian in their excellent paper “Cyber Deception and Attribution in Capture-the-Flag Exercises”

“Crowdstrike’s ‘Danger Close: Fancy Bear Tracking of Ukrainian Field Artillery Units’ is a perfect example of performing cyber attribution with zero ground truth …”

This fake attribution, published on 12/22/2016 and totally debunked a few months later, has achieved its nefarious goal. It convinced the media, the public, and some people in the intelligence community that Fancy Bear was real and served the Russian military.

“Crowdstrike wasn’t cooperative with early requests from this author or others, and still stands behind the fiction that they have perpetrated upon the press, the public, and the House Intelligence Committee.

While Crowdstrike is currently the most egregious offender in terms of irresponsible intelligence analysis, the entire industry needs to formally institute a process of peer review and malware sharing …”

Fact-Checking That “Trump & Putin” Thing

“For the record, I despise Donald Trump. I can’t imagine a worse candidate for President and I’m shocked and appalled that he is the Republican nominee. However, there’s no need to invent Russian conspiracies to make the Trump boogeyman appear worse than he is.”


He wrote this on July 24, 2016. Has he changed his opinion after that? BTW, there are many more lies, errors, and fallacies in that TPM piece than he listed in the article.


Updated by adding the top quote on Dec 26, 2018.

Originally published on September 3, 2018.