You’ve probably heard all the grumblings and accusations toward the Russians about their alleged attempts to influence the US election through hacking. Last Friday, December 29th, President Obama sanctioned Russia and ejected several dozen Russian diplomats. Part of this action was the “FBI and DHS Grizzly Steppe report,” which listed source IP addresses for the attacks and the malware used. More recently there have been claims that they could identify the particular keyboard used because of the “digital signature” the keyboard allegedly left in the malware code.
First, it is almost impossible to trace a given hack to an individual or group. The information presented does not explicitly point a finger at Russians, much less at the Russian government. Second, the idea that a particular keyboard would leave a “signature” in the malware is pure unadulterated bunk.
It’s possible that it was the Russian government that was behind the attacks. It’s also possible that the 14-year-old who lives down the street from YOU did the attacks. The intelligence agencies making the allegations have not yet presented any information that unequivocally demonstrates that it was the Russian government. It’s also possible that the US government has been perpetrating similar attacks against every known country in the world since the beginning of the Internet. I remember something called Stuxnet, a cyberattack against the Iranian nuclear program that was most likely perpetrated by, among others, the US government. So it seems quite hypocritical to make a big fuss about the Russians doing it. There’s also the thing about A. the organizations hacked should have done a better job of securing their servers, and B. if there was no incriminating evidence on the servers, nobody would have cared. It’s about like saying that someone was trying to influence the presidency by publicizing the Watergate break-in or President Clinton’s tryst in the Oval Office.
I host a number of websites on a “virtual private server” that I lease from a hosting provider. My websites are relatively obscure – they’re not amazon.com or the Democratic National Convention, and yet they suffer constant attack – people trying to log in to the website so that they can inject their own malware, as well as attacks that seek to take advantage of security weaknesses of the software I’m running. I get notices of hacking attempts against my server through various software I have running on the server, including a list of the IP addresses (something like 72.44.93.196, the address of the Team Veritas webserver) where the attacks are coming from (source IP), and the country where that IP address is registered.
The source IPs come from all over the world: the US, Russia, Vietnam, Brazil, Romania, you name it. They also come from sources you’d think would be watching their own networks better: Amazon cloud services (Amazon AWS), GoDaddy, and many more. By the way, I’ve notified Amazon about attacks originating from their servers; they totally don’t care unless I hand over my logs – giving them the IP address and time isn’t sufficient.
There are times when what is clearly a single attack is coming from IPs scattered all over the world. For instance, I may see attempted logins to the user “admin” arriving at one a minute, with each attempt coming from a unique IP address. This is the same person or organization, but they are using computers that they have compromised all over the world to mount the attack. They don’t foolishly mount the attack from any address that could easily be traced back to them; they take pains to “anonymize” their work. Instead, they use computers that have been hacked, including personal computers that have been infected with a virus and probably “Internet of Things” devices such as your wifi router, your security camera, or even your refrigerator. The owner of the virus-infected computer likely doesn’t even know they’re infected. There are literally many millions, maybe billions, of personal computers and IoT devices that are infected and participating in hacking operations.
My point in describing all of this is to show how it’s virtually impossible to trace down the perpetrator based on IP addresses. Even if a large portion of the addresses originate from Russia, does that mean the Russian government has anything to do with it, or does it just mean that Russians are more likely to have virus-infected computers?
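To make the “one attempt per minute, each from a different IP” pattern concrete from the defender’s side, here is an added example (my own illustration, not code from the original post or from any of the tools mentioned in it). It runs two detection rules over a constructed failed-login log: the usual per-IP rule, which sees nothing unusual because no single address repeats, and a per-account rule that counts distinct source addresses against one username inside a time window. The log line format, the thresholds, and the sample addresses (from the RFC 5737 documentation ranges) are all assumptions made for the example.

```python
"""Spot a distributed login attack: many source IPs, one target account.

Added example, not from the original post. The log format is a constructed
stand-in for the failed-login notices a server-side security plugin or sshd
might write; field names and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample: one failed "admin" login per minute, each from a
# different source IP, plus a single noisy IP hammering "editor".
SAMPLE_LOG = """\
2016-12-30 02:00:11 FAILED LOGIN user=admin src=203.0.113.7
2016-12-30 02:01:09 FAILED LOGIN user=admin src=198.51.100.23
2016-12-30 02:02:14 FAILED LOGIN user=admin src=192.0.2.55
2016-12-30 02:03:02 FAILED LOGIN user=admin src=203.0.113.88
2016-12-30 02:04:17 FAILED LOGIN user=admin src=198.51.100.9
2016-12-30 02:05:21 FAILED LOGIN user=admin src=192.0.2.130
2016-12-30 02:05:30 FAILED LOGIN user=editor src=203.0.113.200
2016-12-30 02:05:31 FAILED LOGIN user=editor src=203.0.113.200
2016-12-30 02:05:32 FAILED LOGIN user=editor src=203.0.113.200
2016-12-30 02:05:33 FAILED LOGIN user=editor src=203.0.113.200
2016-12-30 02:05:34 FAILED LOGIN user=editor src=203.0.113.200
2016-12-30 02:05:35 FAILED LOGIN user=editor src=203.0.113.200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) FAILED LOGIN "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_failures(text):
    """Yield (timestamp, user, src_ip) for each well-formed failed-login line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # lines that don't match the expected shape are skipped
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["user"], m["src"])


def per_ip_offenders(text, max_failures=5):
    """Classic per-IP rule: flag a source once it fails more than max_failures times.

    This is what a simple fail2ban-style rule sees; it cannot notice the
    distributed "admin" attack because every source address appears only once.
    """
    counts = defaultdict(int)
    for _, _, src in parse_failures(text):
        counts[src] += 1
    return sorted(src for src, n in counts.items() if n > max_failures)


def distributed_targets(text, window=timedelta(minutes=10), min_sources=5):
    """Per-account rule: flag an account that attracts failures from at least
    min_sources distinct IPs inside any span of time no longer than `window`.

    Returns {user: distinct_sources_in_the_busiest_window}.
    """
    by_user = defaultdict(list)
    for ts, user, src in parse_failures(text):
        by_user[user].append((ts, src))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        worst = 0
        start = 0
        for end in range(len(events)):
            # slide the window start forward until the span fits inside `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            worst = max(worst, len({src for _, src in events[start:end + 1]}))
        if worst >= min_sources:
            flagged[user] = worst
    return flagged


if __name__ == "__main__":
    print("per-IP rule catches:", per_ip_offenders(SAMPLE_LOG))
    print("per-account rule catches:", distributed_targets(SAMPLE_LOG))
```

The per-IP rule flags only the single address pounding on “editor”; the per-account rule is what surfaces the “admin” campaign, which is spread across six addresses in three different ranges. Neither result says anything about who is behind the addresses, which is the point the post is making: the source IPs identify compromised relay machines, not the operator.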
Regarding the malware the report referenced: per wordfence.com (see this article about the topic, and their Election Hack FAQ), it is an older version of publicly available malware that apparently originates from Ukraine.
Regardless of the IP addresses or the malware referenced, either or both could have just as easily originated from the teenager down the street who is experimenting with what kind of trouble he/she can get into on the internet.
The long and the short of it is, don’t believe the technical mumbo-jumbo being thrown around like mud from a fire hose. Don’t trust either the politicians making all the noise, or the organizations that are now in major CYA (Cover Your Afterburner) mode to convince politicians who don’t know any better, or the news outlets who are busy slanting the whole thing one way or the other depending on their target audience.