US Govt Data Shows Russia Used Outdated Ukrainian PHP Malware

Update at 1am Pacific Time, Monday morning Jan 2nd: Please note that we have published a FAQ that accompanies this report. It contains a summary of our findings and answers several other questions our readers have had. It also provides some background on our methodology. You can read it either before or after reading this report. The original report follows:

The United States government earlier this year officially accused Russia of interfering with the US elections. Earlier this year on October 7th, the Department of Homeland Security and the Office of the Director of National Intelligence released a joint statement that began:

The U.S. Intelligence Community (USIC) is confident that the Russian Government directed the recent compromises of e-mails from US persons and institutions, including from US political organizations. The recent disclosures of alleged hacked e-mails on sites like DCLeaks.com and WikiLeaks and by the Guccifer 2.0 online persona are consistent with the methods and motivations of Russian-directed efforts.

Yesterday the Obama administration announced that they would expel 35 Russian diplomats and close two Russian facilities in the United States, among other measures, as punishment for interfering with the US 2016 election.

In addition, yesterday the Department of Homeland Security (DHS) and the Office of the Director of National Intelligence (DNI) released a Joint Analysis Report, or JAR, compiled by the DHS and FBI, which they say attributes the election security compromises to Russian intelligence operatives that they have codenamed ‘GRIZZLY STEPPE‘.

The report that DHS and DNI released includes in its first paragraph: “This document provides technical details regarding the tools and infrastructure used by the Russian civilian and military intelligence Services (RIS) to compromise and exploit networks and endpoints associated with the U.S. election, as well as a range of U.S. Government, political, and private sector entities. The report contains specific indicators of compromise, including IP addresses and a PHP malware sample.

At Wordfence our focus is WordPress security. Our security analysts spend a lot of time analyzing PHP malware, because WordPress is powered by PHP.

As an interesting side-project, we performed analysis on the PHP malware sample and the IP addresses that the US government has provided as “…technical details regarding the tools and infrastructure used by Russian civilian and military intelligence services (RIS)”. [Source]

We used the PHP malware indicator of compromise (IOC) that DHS provided to analyze the attack data that we aggregate to try to find the full malware sample. We discovered that attackers use it to try to infect WordPress websites. We found it in the attacks that we block. Here it is.

PAS 3.1.0

The above is the header and here is the footer. The middle contains an encrypted block of text.

PAS 3.1.0 footer

This is PHP malware that is uploaded to a server. An attacker then accesses the file in a browser and enters a password. The password also acts as a decryption key and decrypts the encrypted block of text which then executes. Once an attacker enters their password, it is stored in a cookie and they don’t need to enter the password again to access the malicious application.

We managed to capture a request from an attacker that contained their password. It was ‘avto’ without quotes. We used the password to decrypt the block of encrypted text.

This is what the decrypted PHP looks like. It is a big chunk of PHP code that is a web shell.

PAS 3.1.0 decrypted

We installed the web shell on a sandboxed environment. This is what it looks like:

PAS Web Shell

This is the kind of web shell that we see all the time in our day-to-day forensic operations. It includes the following basic features:

  • File browser/explorer
  • File search function
  • A database client to download the contents of a hacked site database
  • Network tools including a port scanner and the ability to bind a service to a port
  • A tool to brute force attack passwords on FTP and POP3 services.
  • A command line client to run arbitrary operating system commands
  • A utility to view server configuration info

By viewing the source code, we could find the name of the malware and the version. It is P.A.S. 3.1.0.

We googled it and found a website that makes this malware. You can find the site at this address: http://profexer.name/pas/download.php

PAS Website

You can enter a password that you will use to access your malware once it’s installed and then hit ‘download’ and a ZIP file downloads.

The ZIP contains a text file and the malware. The text file looks like this:

PAS malware text file

The website claims the malware is made in Ukraine and the date at the bottom has the Ukraine country code UA.

This malware is version 3.1.7 which is newer than the malware that the DHS indicator of compromise identifies. It is almost identical including it’s indentation:

PAS 3.1.7 malware header

And the footer:

PAS 3.1.7 malware footer

But PAS has evolved even further since 3.1.7. It is now version 4.1.1 which you can get from the same website:

PAS 4 Download

The 4.1.1b info.txt file:

PAS 4 info.txt

And the code has changed in 4.1.1 quite substantially. This is the header:

PAS4 header

The PAS malware is user friendly. It has an About page:

PAS About malware

They also have a helpful FAQ:

PAS malware FAQ

 

How does PAS infect WordPress websites?

This is a typical infection attempt for PAS 3.1.0 which is the DHS sample:

PAS 3.1.0 malware infection attempt

The above request is an attempt to install a plugin in the WordPress CMS through the normal file upload method. What surprised us is that this request had a full set of cookies that indicates that the user or bot doing this was signed in and this probably was an actual web browser.

It also includes the WordPress nonce which is a security feature, also indicating this is a user. Only about 25% of the attacks that we see include the WordPress nonce, which suggests that many of these attempts fail.

The vast majority of attacks we see that try to infect with PAS 3.1.0 use this kind of request. Here are a few theories:

  • WordPress website owners have malware installed on their workstations and that malware attempts to install PAS 3.1.0 on their WordPress websites.
  • This is CSRF, or cross site request forgery attack, that installs the malware. This is unlikely because the nonce is present in many requests. A nonce is a security feature that prevents CSRF attacks.
  • Users are voluntarily installing this on their own websites after downloading it from a malicious website thinking it is safe. Unlikely because the file that is uploaded is plain text PHP and it is clearly suspicious if you examine the file contents.
  • Attackers are compromising websites through some other means and then using the compromised credentials to manually sign in and install PAS 3.1.0 with a standard browser. These sign-ins could be partially or fully automated.

Malware Conclusions

DHS and DNI have released a joint statement that says:

This document provides technical details regarding the tools and infrastructure used by the Russian civilian and military intelligence Services (RIS) to compromise and exploit networks and endpoints associated with the U.S. election, as well as a range of U.S. Government, political, and private sector entities. The report contains specific indicators of compromise, including IP addresses and a PHP malware sample.

The PHP malware sample they have provided appears to be P.A.S. version 3.1.0 which is commonly available and the website that claims to have authored it says they are Ukrainian. It is also several versions behind the most current version of P.A.S which is 4.1.1b. One might reasonably expect Russian intelligence operatives to develop their own tools or at least use current malicious tools from outside sources.

Analysis of the IP addresses provided by DHS and DNI

DHS provided us with 876 IP addresses as part of the package of indicators of compromise. Lets look at where they are located. The chart below shows the distribution of IP addresses by country.

Distribution of IP addresses

As you can see they are globally distributed with most of them in the USA.

Lets look at who the top ISP’s are who own the IP addresses:

Hosting companies that own malicious IPs

There are several hosting companies in the mix including OVH SAS, Digital OceanLinode and Hetzner. These are hosting companies that provide low cost hosting to WordPress customers and customers who use other PHP applications. A common pattern that we see in the industry is that accounts at these hosts are compromised and those hacked sites are used to launch attacks around the web.

Out of the 876 IP addresses that DHS provided, 134 or about 15% are Tor exit nodes, based on a reverse DNS lookup that we did on each IP address. These are anonymous gateways that are used by anyone using the Tor anonymous browsing service.

Tor exit nodes

We examined our attack data to see which IP addresses in the DHS data are attacking our customer websites. We found a total of 385 active IP addresses during the last 60 days. These IP addresses have launched a total of 21,095,492 complex attacks during that 60 day period that were blocked by the Wordfence firewall. We consider a complex attack to be an attack that tries to exploit a vulnerability to gain access to a target.

We also logged a total of 14,463,133 brute force attacks from these IP addresses during the same period.  A brute force attack is a login guessing attack.

The chart below shows the distribution of the number of attacks per IP address. It only takes into account complex attacks. As you can see, a small number of the IP addresses that DHS provided as IOC’s are responsible for most of the attacks on WordPress websites that we monitor.

Attack distribution from IPs

The following shows the list of the top 50 IP addresses in the DHS report sorted by the number of complex attacks we saw from each IP during the past 60 days.

screen-shot-2016-12-30-at-4-35-33-am

As you can see, many of the top attacking IP addresses are Tor exit nodes. There is also a relatively small number of IP addresses launching most of the attacks on websites we monitor.

Conclusion regarding IP address data

What we’re seeing in this IP data is a wide range of countries and hosting providers. 15% of the IP addresses are Tor exit nodes. These exit nodes are used by anyone who wants to be anonymous online, including malicious actors.

Overall Conclusion

The IP addresses that DHS provided may have been used for an attack by a state actor like Russia. But they don’t appear to provide any association with Russia. They are probably used by a wide range of other malicious actors, especially the 15% of IP addresses that are Tor exit nodes.

The malware sample is old, widely used and appears to be Ukrainian. It has no apparent relationship with Russian intelligence and it would be an indicator of compromise for any website.

You can find a public repository containing the data used in this report on github.

As always I welcome your comments. Please note that I will delete any political comments. Our goal in this report is to merely analyze the data DHS provided and share our findings.

Mark Maunder – Wordfence Founder/CEO

Special thanks to Rob McMahon and Dan Moen who provided valuable assistance with this research. For press inquiries please contact Dan Moen at press@wordfence.com.

Comments are now closed. Thank you for your contributions!

Did you enjoy this post? Share it!

Comments

137 Comments
  • Long story short, it doesnt have anything to do with Russia. 'May have' used by anyone indeed, however Russia being able to use datacenters located especially in Germany to hack against US is quite unlikely, with the German intelligence practically being subservient to US intelligence as recent leaks showed.

    • Ever shorter takeaway: (1) Trump is right that no computer is safe. The world must rethink the general access to data and (2) the government of the United States has lied to the American people about Russian involvement in the DNC hacking. They certainly know as much as is stated in this article but have ignored their own experts to construct and publish a deliberate falsehood for political purposes. Any hope for the New Year has rapidly evaporated.

      • The part they aren't telling you is that the CIA/DIA/NSA or whichever spook agency has probably hacked Wikileaks and they know where the information came from. They may have given us a report, but it was incomplete and only a small part of the story. The US Cyber stuff is very deep and very, very secret.

        • If they hacked Wikileaks, they would have shut it down. They would not have allowed their queen continue to be abused, day after day after day.

    • That is one possible summary you can conclude, but there is no clear public evidence that it was or was not the Russians. Until we have that, how can you logically conclude that it was or wasn't them?

  • What you appear to be saying is there is no "smoking gun" link even to Russia, nevermind the Russian Government!

    • Hi Steve,

      It does appear that way. Unless FBI/DHS shares some additional IOC's, there's not really anything here we can use to make the connection.

      Mark.

      • It seems, then, that the title of the article is misleading. It should not read "US Govt Data Shows Russia Used Outdated Ukrainian PHP Malware" but "US Govt Data Shows An Attack By Unknown Attackers Used Outdated Ukrainian PHP Malware". The current title lends credence to the US government's suspicious claims to tie this to Russia.

        There is no tie to any particular State actors whatsoever. Only connection is an outdated (moderately) malware that once originated in Ukraine but not even by Ukrainian government back then.

    • Do you honestly expect there to be a smoking gun? You do realize that there will never be one connecting it to anyone. Yet that has to be the hurdle to clear before anyone will care...

  • Would the DHS refrain from including damning evidence of how the Russians were pinpointed for fear of tipping them off as to how they were discovered? Kind of a reverse scenario where the OSS had to stay tight-lipped once they cracked the Enigma Code?

    • Yes I'd think so. We don't exactly advertise all of our methods for identifying attacks and turning them into firewall rules. Same situation for DHS/FBI. But one would hope that what they do reveal is at least a little compelling. This data isn't just a non-event - the Ukraine malware connection is just plain weird.

      • On top of which to start a national incident with Russia of all people... yeah its hard to swallow

        • Considering the ongoing Russia v Ukraine military conflict...

    • Uh, OSS didn't crack the Enigma code. GC&CS did, long before OSS was even founded.

  • A very nice breakdown of the details behind these attacks. Something that is missing from even the tech press.

    No surprise that Tor is being used as a vehicle. Just three days ago I cleaned a friend's computer of a boatload of malware. I noted that their Tor browser use coincided with when the malware appeared, at least for the malware I could track injection.

    As an aside, their use of Tor is due to their being Persian and a need to protect their identity while viewing Iranian websites. All good reasons to use it, but it opens them to nasty people on the Net. I've since helped them into another solution using VPNs outside of the USA.

    • Just using Tor browser may not be exactly the case.
      If you remember just a few week ago there was a critical vulnerability (0-day) discovered in Firefox as well as Tor browsers based on that Firefox version.

  • Thanks so much for your investigative work. Its is quite sad that WordPress sites are being targeted by these hackers. It makes you wonder what next will they try to hack. As ever keep up the good work.

    • Wordpress sites by themselves are very secure - its the hosting environment and configuration (ie unverified plugins) that is often the culprit

  • Interesting what you find when you are on a non-political quest for the truth. I appreciate the work you did digging into this. It's hard to find a source that doesn't lean one way or the other, and just provides cold, hard facts. Thanks!!!

  • This is some good research. I thought with this information posted it would have some meaning, but like everything before it this points to nowhere. This is some good research to be aware of.

  • Thanks for this analysis. I never trust straight 'news' stories, this was very helpful in answering some questions I had

  • Great article but don't you think it is a confusing headline because if anything, your article shows there is no smoking gun that leads back to Russia as a state actor?

    "US Govt Data Shows Russia Used Outdated Ukrainian PHP Malware"

    • Yes could be. It's a tough headline to write. :-)

  • Honestly, if I were a government entity tasked with hacking into another government the first thing I would do is acquire readily available software that anyone can grab if they know where to look so that I don't leave a specific signature that Torres directly back to how I wrote code. Second I would create a botnet with IP addresses that are wide ranging and definitely include tor nodes just like this attack so that I wouldn't be traced to my country of origin. This attack is exactly what I would expect a major international governmental attack to be I would never expect an organization like say the NSA to start a hack against another country from their own network and using custom software that screams high paid NSA employees when looking at the code.

    • Good point.

    • Exactly. In order to hide in broad day light.

    • Thank you for this comment! As I was reading this article and the other comments, I was thinking, "are we really this gullible?" If this is all "random" why just one political party? Why just one person?

      And yes, my money is on DHS holding on to the REAL smoking gun, so they can continue to monitor this kind of activity.

    • So...the lack of a Russian smoking gun IS the Russian smoking gun.

      • But if you know that I know then i know that you know that I know that you know...

        Smells of Russian nesting dolls to me. ;-)

    • The problem with that reasoning is that this is also exactly what a non-governmental hacking job would look like. The burden of proof lies with those attempting to demonstrate a Russian plot to affect the election, which means they need to find evidence that distinguishes the a Russian hacking attempt from the null scenario. In the absence of such evidence, we must assume the null hypothesis (that it was more likely any of the many non-Russian, non-governmental actors capable of such an attack) until further evidence is presented.

      Otherwise, we'd have to assume that the lack of evidence for aliens crash-landing in Roswell, New Mexico is evidence of a government conspiracy, because a government conspiracy would leave no evidence of an alien crash-landing in New Mexico. That would be circular reasoning, and therefore a fallacy.

      • Well said, I was trying to articulate this and failed. :)

    • By this reasoning the claim that the Russians did it is unfalsifiable, as others have suggested.

    • Just like Stuxnet. Off the shelf, hard to track. First out of the box government hack of an independent state asset. Nothing to see there.

  • All of you are making the assumption that this data is the only proof the US government has. Its unlikely the US government or foreign intelligence services are sharing everything with us.

    At this point it's clear they released this data to the public only to thwart additional attacks.

    • Your comment contradicts itself. If there are far more compelling data showing Russians behind those attacks, why release this as some sort of proof? How does it prevent future attacks when this poorly compiled, amateurish attempt as justification tells anyone in foreign governments that the USA hasn't a clue?

      • "If there are far more compelling data showing Russians behind those attacks, why release this as some sort of proof?"

        It may reveal how that information was gathered and compromise our intelligence operations.

        How does it prevent future attacks when this poorly compiled, amateurish attempt as justification tells anyone in foreign governments that the USA hasn't a clue?

        It misleads the enemy.

    • No. They released the information so that non-technical media and politicians could pivot away from the content that was released by Wikileaks which Wikileaks states unequivocally was handed to them in removable media. Is it possible to look at the content from Wikileaks and see if that looks more like a server dump than a 'hack' of a single user's email on their machine?

  • Isn't it true that hackers can spoof the origin point of an attack? I manage a web site that is getting hundreds of attacks, all attempts to access wp-login.php or rpcxml.php but originating from all over the world, including the U.S. If I were a hacker, the first thing I would do is make it look like I was operating from, say, Uganda.

  • Since there is no apparent Russian link in the technical aspects of the attacks, I assume US intelligence has determined the linkage by other means ( intercepted communications, spies). I think it makes sense that state-sponsored attackers would use off-the-shelf malware and tot IPs so the attacks did not point back to them.

    One thing unclear in the article was if the word fence team was familiar with this malware previously. If not, the released data has certainly been informative.

    • Exactly. A lot of people here are making the gigantic leap that because this particular detail was released, it's the complete body of evidence, and because this particular set of information doesn't necessarily implicate Russia, then there's no link.

      That's just not how spycraft works. Investigators assuredly have much more information than they're releasing. But, they correctly understand that they're not going to burn assets or compromise security simply to convince some random people commenting on a blog.

  • Interesting that it leads to Ukraine, they've been bombarded by Russian hacks for years, halting business, peoples paychecks, power outages by groups like "Sandworm". Russia infiltrating Ukraine with it's military and arming Pro-Russian separatists since 2014.
    How is there not a link?

    • "How is there not a link?"

      There are a lot of black hat hackers in Ukraine, you don't need to be looking for links. Ukrainian hackers regularly infiltrate Kremlin institutions as well.

  • Hm.. As always, great examination and brief report from the team!

    I do however really curious, do you think a great big country like USA don't have any tool to trace who is behind TOR?
    Also, do you think they didn't give whole evidence to the public? Its espionage world, the more you gave the information, the enemy will knew how deep their penetration known as well.

    I do believe there are some other evidences that USA gov still kept in, or else, its only a political movement from current gov related to their foreign policy with their competitor... just my 2 cents...

  • Thanks for the info.

    There's a very high chance that I am wrong, but I have a certain hunch that the ones responsible for rigging the US election aren't lawful Russian officials, but rogue hackers and third-party groups whose motives consist of wanting to see the world burn. Behavior like this is what causes war and grief among many nations.

    Right now, I believe the Second Cold War may have already begun.

  • Extremly interesting, thank you for doing this, I did wonder...
    Would be really interesting if they gave out any more data and you got a chance to see if you found similar findings again...

  • Thank you for showing us the step-by-step methodology as to how one ascertains these findings. As my husband said to me, the FBI looks at this kind of information as "will it hold up in a case of law"? Whereas, the CIA only has to determine if it is possible. I think I would prefer irrefutable evidence before making accusations in the world public arena. Wordfence is awesome. Keep up the good work!

  • What would keep this type of malware from being maliciously or unintentionally piggybacked within a legitimate free plugin?

  • Wow After reading this and all the notices you put out I get that warm and fuzzy feeling that I know Wordfence has mine and my clients backs. I recommend wordfence to all my clients and on the sites I develop and support wordfence is the first plugin I install and active.
    I would like to Thank you Mark for a wonderful Plugin.
    Mitch

  • It's already been pointed out that "obscurity" is a common tactic in subterfuge. Isn't the thrust of the assertion by US Intelligence that the attacks were launched mainly from within the US in order to fool recipients into accepting them as legitimate? I don't think the release of information regarding the malware was so much direct proof of the source as it was simply evidence of the means. It's kind of like you are over-analyzing a red herring.

  • Tor anonymous network and the landscape of cyber security. A lost cause because of the rights to individual freedom. All we can do is fence. But how far can we push fencing without compromising performance?

  • It's important to remember that the US agencies have repeatedly stated that they have additional information pointing to Russia as being the responsible party. The data here only shows one aspect from a technical perspective, the agencies in question have vast capabilities to gather intelligence, they don't just base such an opinion on the process detailed here.

    So, those claiming that this somehow "proves" that Russia was not involved are delusional, at best.

    From our perspective, it doesn't matter either way. Any malicious action should be prevented regardless of its origin.

    Thanks for keeping us updated and assisting us in securing our sites from these malicious actors.

  • Nice info shared. This is very helpful and much better with facts than what we hear in the media.

  • What an excellent analysis, thank you for all those details.
    Fix

  • Great piece. Since the article points out lack of direct connection with Russia, a better title might be "US Govt Data Shows SOMEONE Used Outdated Ukrainian PHP Malware". :)

  • The 'Ukrainian Connection' was discussed in the Wordfence report 'Who is Really Behind the Ukrainian Brute Force Attacks?'. The following statement was made:

    "The Russian intervention in Ukraine makes attribution of attacks even more complex. Using a Ukrainian Internet service provider gives Russia the ability to launch attacks globally with plausible deniability.

    It makes sense that disputed areas like eastern Ukraine and Syria are a hotbed of malicious activity because they provide attackers with means, motive and opportunity. Occupying forces have the means to launch their attacks by using local ISP’s. They have several motives: They want to benefit from the attack itself and also discredit local businesses or government. And they have plenty of opportunity as these regions are usually occupied for years"

    The element of 'plausible deniability' is a key element in any espionage type work. Is there concrete evidence for finger pointing--no. Is there a potential exploitable capability that Russia could use--yes. Has it been demonstrated that Russia makes often use of subterfuge and deniability in its' actions--absolutely.

    • Mark and Wordfence,

      Thanks for your research and bringing this to light.

      I agree with Jack's comment about your excellent earlier report, 'Who is Really Behind the Ukrainian Brute Force Attacks?' I keep thinking of The Usual Suspects and the quote, "The greatest trick the devil ever pulled was convincing the world he did not exist."

  • thanks for your research!
    however, i take issue with the post title of this article "US Govt Data Shows Russia Used Outdated Ukrainian PHP Malware".. based on your findings, the data does not show that "Russia" specifically did anything.

    • Is it your understanding that the use of this malware is the entire extent of the evidence that the security committee has?

      Would you consider the possibility that they know much, much more but have compelling reasons not to release everything?

      I'm aware that this may be frustrating for blog readers who'd like to know everything, but the fact of the matter is that the espionage trade relies on secrecy. That's simply the way it works.

  • Expert breakdown, nicely communicated. Thanks, Mark. Now we just need to get you to Washington to make the clowns pay attention. :)

  • Nice analysis. Reinforces what I've been saying to people who don't understand what I'm saying all along about who is responsible for the attacks.

    Thanks, keep up the good work.

  • There seems to be a typo in your number - "These IP addresses have launched a total of 2,109,5492 complex attacks"

    Great article. Thank you.

    • Corrected. Thanks Dave!

  • Should I manually block the IP addresses in the picture above showing the top 50 IP addresses in the DHS report? Or will the Wordfence Firevall do that?

    • Hi Nils, there might be some value in blocking these IP Addresses, but given that they have been very publicly released I doubt that they will remain active for long. I am not planning to block them on my sites if that helps.

      • Hi Dan,

        Thanks for your reply. You are probably right.

      • I don't trust reformed criminals. Once used, twice abused is my motto in trusting any IP identified as being used in nefarious activities.

        • I added the top ten IP addresses in the picture above just for fun and it took less than an hour. One of them tried to register a new user.

  • Thanks, Mark, for your due diligence in research and your mission to protect us WP enthusiasts. Having been hacked myself, and experience daily BFA's, hammering away at my WP sites, my wish is for a global effort to collaborate on "cleansing" bad actors beyond political and nationalistic boundaries. Just like we all agree, generally speaking, to a "code of ethics" when it gets to how we share life on this planet, it would be a worthwhile cause to pool forces and collaborate in a revision of the internet that makes it easier to stop and prosecute bad actors. Today's situation is that we intend to stay save behind thicker and thicker walls, and looking out through windows protected by grids and bars. Who is being "prosecuted" here? It is interesting, that there is an entire population out there, who feels that "acting out" online is acceptable, just because it is so difficult to control and police.

    As a species though, is that how we want to spend our precious time on this planet: Building up warfare in a medium, that opened up so many wonderful pathways to connect, share, create.............with this incredible potential to make life easier and more comfortable in many ways?

    Thank you, Wordfence, for your contribution (hopefully my words are being tolerated, as they transcend the purely "technical" aspect of this overall theme).

    Happy New Year to all.

    Peter

  • You seem to be saying that there is no evidence in the JAR that Russia is the source of hacking. Surely they must have, for example email addresses/ email messages/SMS etc between senior Russian government officials that discuss the hacking?
    Given that Tor exit nodes can be used by anyone is it possible for the US to determine the original source of hacking?
    And if they could determine the source would it be possible to prove hacking while not divulging how they did it?

    • There are a lot of articles out there suggesting that the FBI has ways of circumventing the Tor protections. From my understanding, it's more of a real-time thing than something they can do forensically a year later, but I haven't really dug that deeply.

  • Wondering what unknown country mean in a table with IP addresses....

    • It means that we did not have data on that IP address's location.

  • I see hits from the Ukraine all the time, including both brute-force and file upload attempts. This "evidence" shows even less direct connection than there was assumed. Considering details like wikileaks denying email dumps they received came from Russian sources at all, AND these types of attacks were commonplace before the "hacking" events in question, I have my doubts that Russia had anything more to do with this than it did before the election cycle. Which is no less than the CIA has been doing in Russia and other counties around the world, for the last 60+ years, and Russia and other countries have been doing right back at everyone else.

    Just because the link is possible, doesn't mean it actually exists. Sometimes, someone wants to paint a picture for the public to see. I see nothing here that I haven't seen already in the last 15 years I've been working in data security. Doesn't mean I'm right, but there's nothing here that says I'm wrong.

    • ...and that's the plausible deniability Russia would gain by obfuscation.

      • So you have two scenarios mutually exclusive and equally possible...why do you readily and unquestioningly accept one over the other?

        Simply put this is what is called a logical fallacy.

        In the situation where US government and Russian government are putting forward diametrically opposite statements as true, the only logical way for a 3rd party to try and ascertain the truth of either statement is to ignore both and look for proof of either, not possibility, not probability but certainty.

        Everything else is mere speculation and has no truth value.

  • Very nice examination and well-written for a general audience. Is is possible the Russians would use an easily accessible piece of malware to make the attacks look rather generic?

  • As always this is really great information. Thank you Mark for taking this stuff on. As far as my organization is concerned, Wordfence is 'our' security department.,
    Agree with Anon above that this is not a smoking gun, but it does not prove that Russia was not involved.

  • You're headline says it was the Russians who hacked the emails and that they were using outdated Ukrainian malware. Don't you think your report reveals otherwise? So an accurate headline would be something like:

    "Joint Analysis Report Fails to Link Hacking to Russia" ? It would be nice if you could alter the headline since many people fail to read the entire article, and therefore, never see your excellent summary.

    BTW, great article! Many of us do not have the technical expertise to know how to evaluate data that is being presented as it was in the JAR report.

    • Where would an IP from crimea or the disputed Eastern states in Ukraine show up as comming from? Just because it says UA in the geocode, does not mean it did not originate from somewhere inside the russian sphere of influence. If i was a foreign actor wanting to hide my origin, and had access to chunks of an adversaries IP blocks, guess where i would mount my attacks from?

    • In my naive opinion, a title such as "Joint Analysis Report Fails to Link Hacking to Russia" would be equally misleading. While I'm no Superpatriot, it seems gullible to think that the US government has told anyone other than those on a "need to know basis" the whole story. Why would they divulge sensitive information? (Have they in the past?)

      The fact that 35 Russian diplomats have been deported and two Russian agencies in the US closed, which seems like a pretty serious response, would indicate that the government knows more than what they are telling. Surprise, surprise.

  • I'd like to know what exactly it was that was allegedly hacked.

    If they are referring to the DNC emails that were published by WikiLeaks, that is disputed by Craig Murray, former British ambassador, who said that they were LEAKED to him directly by a 'whistleblower':
    http://www.dailymail.co.uk/news/article-4034038/Ex-British-ambassador-WikiLeaks-operative-claims-Russia-did-NOT-provide-Clinton-emails-handed-D-C-park-intermediary-disgusted-Democratic-insiders.html

    If they are referring to the voting machines themselves, that is said to be possible only by physical access since the machines are not directly connected to the internet:
    http://www.businessinsider.com/hacking-the-election-2016-10

    So, what exactly was supposed to have been hacked? State government websites ... running Wordpress?

  • It seems to me that our gov is just guessing what happened, from what I have read above I can not see how they are saying it was for sure the Russians. I am not that good with finding this out as I just work with word press mostly. Glad for wordfence that is for sure.

  • Just curious as to why you feel the "outdated" version of the malware would be out of character for a Russian intelligence agency. Unless I'm misunderstanding what I've read, the malware was suspected to have been placed in the summer of 2015, so I'd expect it to be an older version. Additionally, if you have a tool that works, it's not like you're going to feel compelled to grab the latest version. It might also be possible that the attacker slightly tweaked the older version and are sticking with it.

  • Thanks for the article and the investigation. Governments seem so quick to damn other governments when there are so many private veiled or otherwise anonymized individuals wreaking havoc out there. It is how wars get started… IMHO.

  • Great research! Not shocked there would be no smoking gun in the info that was made public. If the U.S. had one, you wouldn't tell Russia because you want to be able to use it again. Meanwhile, if you were Russia and wanted to play this game, you would not want to use anything with a definitive signature for the same reason. The every day person will never know what really happened. This game is being played out way above our ability to know.

    • Actually if the Russians knew that they did it, then they would know how the USA intelligence figured it out.

      It is not like the enigma, because the USA is making the accusation openly..

      Wikileaks has used insiders almost every single time. With regards to the DNC there is no password phishing (so insider makes more sense) and Podesta was the only one to get that phishing email, if it was a directed attack, don't you think everyone in HRC inner circle would have been phished?

  • Your article and analysis are outstanding! One small fault - I believe the title leads others to believe that the US Govt data correctly found Russian involvement when your conclusions clearly show it does not.

    A better title (a bit longer but far more accurate) would be: Website Security Firm Analysis Of US Govt Election Hacking Data Finds No Apparent Relationship To Russia

    You really should publish a Press Release about your findings - great free publicity for your company and your expertise. This is information that the world and especially all Americans need to know. Excellent work!!

  • Thanks for preparing a very interesting article! However, the conclusions many are drawing from the use of older malware etc (too simple to have been the Russians), strike me as being exactly the reason a bad actor would use them.

    If I was heading up the team on the Russian side (or whatever side did this), I'd be using something simple, something untraceable to me, and something fuzzy enough to provide plausible deniability. The last thing I'd want is a 'Made in Russia' solution, signed by the KGB. I wouldn't send an assassin out with a Russian gun wearing Russian clothing either.

    A good operation of this sort should look exactly like what we're seeing... vague and inconclusive when the post-mortem is done. However, what we don't know is what other information was collected. We are seeing only the digital trail, without any human intelligence included. I think it would be naive to think the digital information is all the investigators used to piece this together.

  • Excellent work and well-presented. Most of us non-techies don't have the ability to challenge government findings, but this does the job. I'd like to see DHS and DNI respond.

  • Very interesting and subject to interpretation as to whom the primary hackers are. Anonymous users are anonymous for a reason. Honest people and businesses don't have anything to hide. Great job on digging up some dirt!!

  • Thanks for this analysis, Mark! Excellent dissection job.

  • Well said... This just confirms what we have known for while. "Intelligence" offices does not know anything about current technology or how things work. After reading this (really good) article, it seems I'm as much suspect as Russia is. There is no real evidence who really controlled those hacked sites. It is so stupid to say that "IP xyz is hacker" if that host is only puppet...
    Anyone played uplink game? you never hack directly from own computer, only thru "proxy" servers. And after you did your thing, you better remove all logs or they backtrace to you. This seems to be exactly same kind of stuff.

  • I too would like to see a response to this from the government.

  • Great Work ! I also manage a web site that is getting hundreds of attacks, all attempts to access wp-login.php or rpcxml.php but originating from all over the world. LOL, when i'm bored, i play with them, i block their IP then the network, they simply hop around and keep trying but Wordfence keeps them at bay. Once again, Great Work. When i first came on board with the Law Firm i work for, we were hacked 5 days later ( and the website was destroyed )
    With Wordfence, i was able to track it right back to the hackers, it was actually a disgruntled SEO / Website Business that the firm fired was to blame.

  • I love these articles, very informative. I have been hacked and held for ransom on 25 WP sites, that I paid and never got the key back!! Be warned. I had to rebuild them all from scratch.

    For the DHS/FBI to blame Russia and then take Political action on Russia without any real "proof" as far as we can see, seems to speak loudly that, 1. They're not saying everything, or 2. They want any reason at all to blame the Russians so they can take action against them in 2017. ???

    To be honest, it screams of politics and less of Proof of Guilt in Cyber War on the US.

  • Exactly where does the U.S. have troops at the moment? You don't know right? What satellites are gathering information and on what? You don't know right? Should I continue with the list. If you think for a moment the U.S. Intel services are about to give Joe normal the whole plot then think again. There is a House Intel Committee that are likely to get the full brief. They in turn (without giving all or little info away) will advise other leaders that there is a credible cause and where it came from. Right now, the people who you feel have not given you enough proof are busy monitoring what I type. And can tell you my name, IP address and probably a lot of my life history. Don't be naive enough to think that they would not specifically point the finger (knowing the potential consequences) unless they were at least very confident. After all, you have to walk into the oval office and tell the President right!

    • I couldn't agree more. Why would anyone think that the government would actually tell the public much about such a sensitive issue?

      And no one else has dared touch this idea, but probable cause for Russia? Can you say Trump in Putin's pocket?

  • What the attack revealed and how to protect against it are much more important questions rather than who did it.

    The wordfence analysis looks very professional and objective.

    Thank you.

    • Just make sure you use quality hosting and keep your site up to date if you use plugins. I have removed many infections... most of the time the infections come from malware inside an ftp client or someone guessing passwords. With two factor authentication and a descent software firewall with quality hosting, infections are much less nowdays. Any site - i mean ANY SITE can be infected. There are many points of entry - not just the website itself.

  • The scariest part for me is not who did the hacking, it is that these government sites could be breached by something so readily available to ANYONE wishing to do harm. It would appear that our small business sites (protected by Wordfence - who successfully blocked millions of similar attacks) are more secure than our government?!?!?! Thank you everyone at Wordfence for your hard work! Mark for Secretary of Cyber Security! (And, yes, I realize there is no such position. But apparently there should be!)

    • Really good points, Cindy. And I agree, Mark for The Office of Cyber Security!

  • Incredible writeup - excellent job presenting the data and the research you performed. That was great to read and really get insight into some of the facts. I appreciate you going through the effort to do that. All the best.

  • Thanks for the great run-down of details, Mark. Makes for interesting reading - and impressed your article (and company) doesn't take a political slant.

  • For some reason people seem to forget about this Wired.com story below and the company Crowdstrike who has carefully documented the connection between the DNC and Russian intelligence. They documented a sophisticated military grade malware that seems to be completely separate from this discussion. I hate to post a link to a media site here at Wordfence but I really think for the sake of this discussion everyone needs to read this article and see some of the subsequent analysis. What is odd to me is this current GRIZZLY STEPPE information by DHS/FBI documented a sort of everyday off the shelf PHP webshell program like PAS.

    Mark did you find anything unusual about this webshell that made it significantly different from WSO, R57 or C99? Plus this malware will only affect webservers running PHP. I've read about the malware that cross-platform and was infecting Ukrainian soldiers cell phones so that Russian troops could target them. I don't doubt the Russian involvement but I feel like this release of information by DHS/FBI is a little ho-hum.

    https://www.wired.com/2016/07/heres-know-russia-dnc-hack/

    • Hi Eric,

      The only difference is that it's a bit unusual to use an encrypted shell that uses a user entered password stored in a cookie to decrypt the shell each time it's executed.

      Mark.

      • Hi Mark, so you must have been surprised by the apparent lack of sophistication with at least this tiny snippet of data that DHS/FBI provided. Maybe that is by design and certainly one could maybe modify the PAS webshell to their own choosing ... leaving an outdated software version number to maybe throw people off. But even still like you said the server response data they supplied seemed to indicate the hacker already had administrator credentials and was just uploading the webshell as a malicious plugin. Nothing sophisticated at all with this. Because they discuss that they have data on over 1000 different individuals / organizations that were targeted this is probably a tiny tiny chunk of data that they made public from the whole cache that they have. I guess I am just surprised that this is what they decided to make public.

        The obfuscation in PAS is a little different from what I have seen before in other webshells but I am guessing you have seen similar ones and your scanner would have picked these up as the basic nuts and bolts are similar to other webshells. With of course the exception that you noted in that this webshell uses a user entered password stored in a cookie to decrypt the shell each time it's executed. The whole thing just seems weird to me.

        • Hi Eric,

          Yes it's a bit weird. :-)

          The encryption feature is nice. Other than that, it's unremarkable.

          Also worth noting, this doesn't actually exploit anything. It's a toolkit for a hacker to administer a server they've hacked.

          Mark.

    • Wired won't let me read their article because I use an ad blocker. However, the little of it that I was able to read before they stopped me seemed to be based on what our government is leaking. The story about the attack on the Ukrainian military telephones could be planted to try to falsify the thought that the hacking software comes from the Ukraine. Once the story is about spy agencies there is no telling what double, triple, and quadruple agents might be twisting the story and for whose benefit. The only real proof that the Russians did anything derives from the fact that that's what our intelligence agencies want us to think, not even what they think themselves.

      • I am baffled by the almost desperate attempt to believe anything other than the involvement of the Russian Government? Where is this coming from? Last time I checked Russia is on the opposite side of the fence from us in terms of Syria and Iran and a host of other things related to Western Democracy. I don't understand why there are so many people that are completely resistant to the possibility that Russia might want to create havoc within the United States via hacking our various online systems, our organizations, our elections and infrastructure. Yes there is probably not going to be a smoking gun but you don't stop looking, gathering evidence, and stop being vigilant just because you can't find the smoking gun (which has most likely long ago been discarded at this point). Anyway I don't want to divert this discussion any further from Mark's original great analysis. Just find some of the discussion and resistance baffling.

        • Hello from that other side of the fence. If you follow Wikileaks and read what have actually been leaked, you would learn that this emails reveal huge connections between DNC candidate and Russian government. To make it easier for you i'll give you hints: uranium deal, sberbank, podesta group.

          What i mean, is that the Russians were as surprised with leaks and voting results as was DNC.

    • No one is forgetting anything, except that the information there is just as obfuscated and coming from a single private source (crowdstrike). Ironically all "hacking" incidents in the last 10 years or so in which foreign governments have been "implicated" (much without proof as is the case now) are connected to Dmitri Alperovitch who co-founded Crowdstrike.

      All of this has no real truth value of-course other then possible speculation that crowdstrike is being used to "leak" information the intelligence services can't deliver directly (wishful thinking) or to create smokescreens to put blame at targets they want to blame (cynical thinking). Either way we're back to a simple truth test for which we actually need solid evidence not based on speculative logic backed by assigning "trustability" values to one or another actor.

      Only then anything with truth value can be harnessed from all of this and without it speculation is useless as it generates no information worth anything other then political rhetoric.

      Unfortunately for some that is all they need or want out of it.

  • Hi Mark. This is very interesting. After reading this, I couldn't resist going through the data provided on the JAR. I don't have the resources to do in-depth research and backtracking as you did. I understand at WordFence you focus on WordPress security and I am one of your happy clients. Just wondering, do you have clients who run WordPress on Windows-based hosting environments? If so, did you manage to find anything in your databases that corresponds to the RATs hashes provided in the IOC apart from the PAS Yara signature? If not, wouldn't that be interesting to find out? They have indicated RATs which are variants of OnionDuke, believed to have Russian roots. And since OnionDuke and variants are known to infect traffic via Tor exits, it would have been interesting to know how the US determined whether the Tor exit-node(s) attacking the DNC and payloads are connected to Russian state actors. Also, since they didn't provide the actual PHP file and the DLLs of the RATs, any chance the PAS signature could be from anything other than PAS v 3.1.0?

    • That last note is what interests me as well, Masudi. Using an older version number of something easily updated, to me, indicates that they forked the code at that version and made customizations that would not be trivial to apply to updated code.

      • What gives you the impression the code was customized? We didn't see any data indicating that.

  • Mark,

    A fascinating piece of work, thank you.

    I'm sure many conclusions will be drawn from this, for me, I have an open mind and have to say that the more I find out, the less I know - but that's nothing new for me.

    Again, thank you for this.

  • My virtual private server host many wordpress sites, I use wordfence plugin on wordpress, I noticed last month there are 1464 block count on one site just from Ukraine, and on another site there are 123 block count, also from Ukraine, but on my virtual private server I receive everyday alerts of many large number of failed login attempts from China, Korea, ... etc
    I set the maximum number allowed:3 but they do not end attempts

    • Like you, I receive many failed login attempts, and not just on my word-press sites, and most IPs are from far away places, or at least spoofed to look like they come from far away places.

      In other words, I think it would be relatively easy to translate from addresses, like on a backbone somewhere, to make it appear that certain packets are coming from somewhere they are not.

      Only those in charge of the infrastructure could possibly know what comes from where.

  • I thought your headline was odd considering your conclusion, then I realized the sarcasm of the headline. I hope that most people won't just read the headline and think that this is proof that it was the Russians. If people come away understanding your conclusions, then you have performed a great service.

    • Thanks Steven. Glad someone finally realized it has a secondary meaning. It's not really sarcasm, but yes, the intended meaning was:

      "US government data, which was released at the same time as the whitehouse expelling 35 diplomats, and is therefore assumed to be attribution and uses language that implies attribution, surprisingly includes malware that appears to be old and of Ukrainian origin according to our research."

      That didn't fit. So I shortened it.

  • Awesome to get a write up like this. I am not a security person but I think that it is safe to say that it is all inconclusive and that the feds probably have a lot more information. I have a blog I write for kicks [link removed] and I noticed that on November 7th, the day before the election, the traffic spiked to 10 times of normal. Did anyone else experience this? Looking at the referrals, a lot of this traffic was from the service provider Hubspot, but I do nothing with Hubspot and this seems strange. It looks like the site was being scraped but if that is the case it would be one user or maybe not even registered as a user in Google Analytics. It all seems suspicious. In terms of the actual voting machines, it would be cool if there was a write-up on the technology. I heard from a friend that he read they are running Windows XP and even Windows 98 at times. Yikes! Anyway, keep up the good work!

  • I think you just went 'big-time'. Your analysis inspires confidence in your product and your analysis is now getting picked-up by worldwide news organizations.

    Wise to warn against political posts too. This is a very political subject BUT what is not political are the facts and an analysis of how those facts square with less technical 'news' reporting which, in instances like this often appears to be simple regurgitation of official press-releases. In other words, yours is the ONLY expert independent analysis to date. Get ready for television appearances...

  • Your headline is contradicted by your "Overall Conclusion" text.

    A more accurate headline would be:
    US Govt Data shows _Someone_ used outdated Ukranian PHP Malware against DNC.

    Or maybe even
    US Govt Data shows _"alleged Russians"_ Used Outdated Ukranian PHP Malware against DNC.

    Julian Assange and others have stated WikiLeaks got the DNC internal emails from a "whistleblower" inside the DNC, not from any Russian hackers.

    All this talk of "Russian Hackers" is a smoke screen. It's just disinformation put out by partisans, not supported by actual facts or data. From your "Overall conclusions," I take it you haven't seen anything which points definitively toward "Russian hackers" in the JAR and other "supporting data" which has been released to "prove" the Russian intelligence services were involved.

    • It's not us associating this report with Russia. It's the FBI and DHS.

    • It is my understanding that this PAS webshell was not the malware used against the DNC. This is just one exploit discussed in the JAR report that is being apparently attributed to Russian intelligence. But I think that is why some of us are confused ... because part of the story of why this dataset was released appears to be missing. From the Crowdstrike analysis the malware used against the DNC was completely different than what is being discussed here. I don't know if this PAS webshell was used against other US organizations or was used to infect various organization websites or was used to take over an intermediary site that was then used for the pHishing attempts. Keep in mind the report says that 1000 individuals and organizations besides the DNC were targeted so this could be data that DHS/FBI acquired from some of those other attempts. They never specifically link the PAS webshell to the DNC in the report. This is just one tool of many that DHS/FBI decided ... for whatever reason to make public.

      As Mark mentioned this tool does not actually do the hacking. It is only used after a hack on a particular webserver has been successful. It is a glimpse of a few frames in the middle of a short movie. We don't apparently know the frames of the movie before and after this dataset.

  • Congratulations and respect on making the decision to highlight the truth when it stands against the prevailing political winds.
    Its great to see facts presented with clarity and integrity (and courage).
    Thank You!

  • I was googling some of the terms in the malware, and came across this decoder, 'UnPHP.' It seems that it has a similar copy of the P.A.S malware! Here's the link:
    https://www.unphp.net/decode/9eb7064583a6a381ed3a0aa7ec63440c/

    • We found that in our initial analysis.

  • I'm personally not a professional in this sphere, so some of the technical stuff is beyond my comprehension, however it is still to see no direct or indirect connection with Russia that is in anyway greater or more likely then any other actor out there including US government and intelligence services.

    To me all logical conclusions of the type "they don't want to reveal their tools" and so on are logical fallacies and are based only on the premise that US intelligence services are inherently more trustable then other actors. Unfortunately as we know from the Iraq war that is not the case. Thus for me statements assigning blame need to be backed up with direct and not speculative evidence especially in an environment where multiple actors are putting forward diametrically opposite claims.

    As the burden of proof inherently lies with any accuser, it is up to the US government to present such evidence until then all logical and unbiased assertions can only come to a single conclusion and that is that it is not know who the actors were. That is the only statement with any truth value in it at this point in time.

    Thanks you for the scientific approach to the analysis of this information, we need more of this and less speculation...

  • Hey Mark you will find the thoughts on the Grizzly Steppe JAR by Moses Hernandez, who it appears is a Cisco employee and security analyst, very interesting. He found the report very confusing and disjointed and his commentary is very insightful. The part where he speculates that two different reports were spliced together as the only logical explanation for the seemingly incongruent report seems to explain our confusion as well. If this is the case it doesn't make me feel very confident in our cyber-intelligence abilities. You would think they would have had at least one technical analyst proof read this report before they put it out.

    https://www.renegade.blog/2016/12/thoughts-on-grizzly-steppe/
    -1016.55

  • What is astounding is that: hackers publications, forensic scientific analysis by university professors or agencies dealing with cyber crimes do not publish nor have public discussions on the accuracy of these accusations. The accusation and conclusion by the DHS/FBI, places Russia, without doubt, as the cyber criminal aggressor, impacting the quality of life and freedoms of the US. This DHS report helps to validate, that either the DHS/FBI is incompetent or trying to to skew public opinion. How is the DHS task with cyber forensics? This is way out of their league.

    The data and report released by the DHS would never see the light of a trial. Void of having any merit or substance, a trial date would never be set. The process of which these findings were discovered by Mark and staff of Wordfence brings forth a heightened meaning of their contribution to WordPress. It is the process of their analysis and evaluation which has impressed me. May I add, the Wordfence report on Panama Papers, dated April 14, 2016 was equally impressive. It is evident that the work Wordfence team brings forth, is a great contribution to the WordPress and the cyber community.

  • This makes me even wonder if the US didn't even fabricate the "evidence". I don't know if I care enough to look into it further.

    • Yes, I know. At the risk that the day the jackbooted thugs (from whatever source) arrive at my door will be that much sooner. Life is full of risks. You simply choose the ones you acknowledge. And your joys.

  • Was the attack easily preventable? What security measures should of been in place? If the DNC and others that were victims of these attacks did not properly secure themselves than the onus is on them. Earlier reports indicated that a DNC employee clicked on a link in a phishing email. Is this not the case?

  • Thanks for making this easy to read and understand. I don't know much about the technical details, but it was very interesting still, and written straightforward and easy to follow. Cheers!

  • Hey, in your ISP list number one is Yota, there is Russian mobile ISP with that brand name

  • Is there a pw for 3.1.0?

    • Yes I think we put it in the post above?