icon bookmark-bicon bookmarkicon cameraicon checkicon chevron downicon chevron lefticon chevron righticon chevron upicon closeicon v-compressicon downloadicon editicon v-expandicon fbicon fileicon filtericon flag ruicon full chevron downicon full chevron lefticon full chevron righticon full chevron upicon gpicon insicon mailicon moveicon-musicicon mutedicon nomutedicon okicon v-pauseicon v-playicon searchicon shareicon sign inicon sign upicon stepbackicon stepforicon swipe downicon tagicon tagsicon tgicon trashicon twicon vkicon yticon wticon fm
1 Jan, 2017 17:43

‘Not enough data to show Russian link to election’ – Wordfence CEO

‘Not enough data to show Russian link to election’ – Wordfence CEO

The Department of Homeland Security (DHS)’s claims that Russia hacked the 2016 US election are based on flimsy evidence, says security expert Mark Maunder.

On December 29, the DHS and the Office of the Director of National Intelligence (DNI) released a Joint Analysis Report (JAR) put together by the DHS and the FBI that blames Russia for hacking the US presidential election in an operation which they nicknamed GRIZZLY STEPPE. Among other things, the report cites the presence of PHP malware as one of the clues pointing to Russian involvement.

RT talked to Mark Maunder, CEO of internet security company Wordfence, to get his perspective.

“Our field is PHP malware and WordPress security,” Maunder explained. “We protect about two million WordPress websites.”
“The Wordfence team analyzed the PHP malware the DHS and FBI included in their report, and we analyzed the IP addresses. Looking at the PHP malware, they provided a sample, so we used the sample to find the original PHP malware which is actually in some of the attacks we’ve seen on our customer’s websites and that we’ve blocked. And that malware is encrypted, so we had to find some way to decrypt it.
“Once we decrypted it, it showed us the name of the malware and some other information, like the version of the malware. We used that to do a few searches, and we actually found what looks like the source of the malware which is a hacking group that claimed they were based in Ukraine, and they’re distributing versions of that malware which are slightly newer,” he said.
Maunder said the malware isn’t so much tool for breaking into systems, as one used to control those already compromised.

“The malware is something the attacker would use if they’ve just hacked into a website and they want to have the ability to control that website. In other words, view files, or maybe copy files back and forth and install additional tools – they would use this malware to do that. So, it’s not malware that’s used to infect workstations. It’s sort of used as a step in the process a hacker would use to put something on a website that would then infect workstations,” the security expert explained.

However, the fact that this software was used in no way indicates that Russia interfered, officially or otherwise, in the American presidential elections.
“It’s unfortunate that the report was released on the same day that the White House took action and expelled 35 Russian diplomats from the United States. That, and some of the language in the report, seems to suggest that it is proof that Russia interfered in the 2016 US election.
“What’s actually in the report doesn’t actually include enough data, in our opinion, to show that there’s a clear link that Russia interfered in the US election. What’s actually in the report is indicators of compromise that any systems administrator could use to figure out they’ve been hacked. There’s some stuff in there that’s associated with some previous Russian activity, but it’s not evidence of a Russian link, and I think a lot of people are interpreting it as that. There are tools in the report that are sort of general tools that are used by any hacker, so if you find some of the malware that’s in the report on your network, it doesn’t mean that you were hacked by Russia, and the report doesn’t conclusively prove that Russia interfered in the election. And so, I think it’s being misinterpreted and I think that’s unfortunate,” he said.

Maunder said it is even possible that the whole attack was a false-flag operation of some kind, but he admitted there was no evidence to back this idea so far, either. He conceded, however, that the authorities could have some other information that they have not yet made public.

“A lot of indicators of compromise in this report can be used by anyone, because some of those hacking tools are publicly available. However, if the DHS and FBI have other indicators of compromise that conclusively provide a Russian link, then perhaps that’s what they used to identify the attack and link it to Russia,” he said.
Both the Obama administration and leading members of both the Democratic and Republican parties have accused the Russian government of hacking the Democratic National Committee (DNC) and releasing sensitive documents to WikiLeaks in order to compromise presidential candidate Hillary Clinton. Senator John McCain, the chairman of the Senate Armed Services Committee, has referred to the alleged hack as “an act of war.”
More recently, the Washington Post accused Russian hackers of breaking into the national power grid in Vermont, but the newspaper was soon forced to admit that its allegations were groundless.

The statements, views and opinions expressed in this column are solely those of the author and do not necessarily represent those of RT.