Wikileaks Marble renews scrutiny surrounding attribution of DNC and BND email leaks

On March 31st 2017 Wikileaks released 676 source code files of the CIA Marble Project, an anti-forensic framework capable of hampering investigators' attempts to attribute software back to the CIA, or even of mimicking the digital signature of a foreign state to conduct ‘false-flag’ operations.

There are two aspects to Marble: the obfuscators, called ‘Mibster’ and ‘Marbler’, create ‘dirty strings’ that hide the identity of the developer by manipulating code fragments and inserting code containing foreign-language text, and a deobfuscator called ‘Mender’ decrypts the source code back to its original form.

Crucially, the software contains test examples in Chinese, Russian, Korean, Arabic and Farsi.
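To make concrete why planted foreign-language strings undermine language-based attribution, the following added example (not code from the Marble release or from the original article) builds a naive ‘which script dominates the visible strings?’ heuristic, then hides an imagined tool's real English strings behind a trivial XOR and leaves innocuous decoy strings in the scripts the page names visible. The sample strings, the decoys and the key are all constructed; the takeaway is that a string-language profile is a weak indicator that must be corroborated, not a verdict.

```python
import unicodedata
from collections import Counter

# Constructed English strings of an imagined tool, as a reviewer might pull
# them out of a binary with `strings`.
PLAIN_STRINGS = ["Usage: collect --out <dir>", "connection failed", "writing report"]

# Constructed, innocuous decoy strings in scripts the page mentions
# (Russian, Chinese, Arabic). Nothing about them is operational.
DECOYS = ["ошибка соединения", "запись отчёта", "连接失败", "写入报告", "خطأ في الاتصال"]

KEY = b"\x5a\x3c\x9e"  # constructed key for the toy XOR obfuscation


def script_profile(strings):
    """Count alphabetic characters per Unicode script (LATIN, CYRILLIC, CJK, ...)."""
    counts = Counter()
    for s in strings:
        for ch in s:
            if ch.isalpha():
                # The first word of the Unicode name is the script, e.g.
                # "CYRILLIC SMALL LETTER O" -> CYRILLIC, "CJK UNIFIED ..." -> CJK.
                counts[unicodedata.name(ch, "UNKNOWN").split()[0]] += 1
    return counts


def naive_attribution(strings):
    """The weak heuristic: attribute to whichever script dominates the strings."""
    profile = script_profile(strings)
    return profile.most_common(1)[0][0] if profile else "UNKNOWN"


def xor_bytes(data, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def obfuscate(real_strings, key, decoys):
    """Hide the real strings (so they no longer appear as readable text) and
    keep decoys visible, the effect the page attributes to Marble's dirty strings."""
    hidden = [xor_bytes(s.encode("utf-8"), key) for s in real_strings]
    visible = list(decoys)
    return hidden, visible


def deobfuscate(hidden, key):
    """Recover the original strings, the role the page assigns to Mender."""
    return [xor_bytes(blob, key).decode("utf-8") for blob in hidden]


if __name__ == "__main__":
    hidden, visible = obfuscate(PLAIN_STRINGS, KEY, DECOYS)
    print("plain build  ->", naive_attribution(PLAIN_STRINGS))   # LATIN
    print("decoyed build ->", naive_attribution(visible))         # CYRILLIC
    print("after Mender ->", naive_attribution(deobfuscate(hidden, KEY)))  # LATIN
```

The same heuristic gives three different answers for one program depending on which strings happen to be readable, which is why a defender treats language artifacts as one signal to weigh against infrastructure, tooling and timeline evidence rather than as proof of origin.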

The files offer concrete evidence that the CIA was actively involved in developing obfuscation methods with the purpose of misattributing software to foreign nations. This immediately casts doubt on US intelligence services’ attribution of cyber attacks since Marble began in 2015.

The US intelligence community’s insistence that Julian Assange was lying in his claim that his source for the DNC emails ‘is not the Russian government and it is not a state party’ must be revisited. Likewise, the decision of NSA-tied German intelligence officials to directly contradict the Bundestag police and claim that the hack of a German Parliamentary Inquiry into NSA and BND surveillance came from Russia, and not a Berlin whistleblower, must also be called into question.

DNC Email Leak

The attribution of the DNC email leaks was not subject to any independent scrutiny outside of the US intelligence community’s sphere of influence. The list of cybersecurity firms that were approved to analyse the cyberattack reads like a who’s who of US intelligence community and military-industrial cronies:

Fidelis Cybersecurity and Mandiant are primarily contractors for US intelligence agencies.

The President of CrowdStrike is a former FBI executive assistant director. The firm’s CTO and co-founder, Dmitri Alperovitch, is a senior fellow at the Atlantic Council, a think tank with openly anti-Russian sentiments that is funded by Ukrainian billionaire Victor Pinchuk, who also happened to donate at least $10 million to the Clinton Foundation.

CrowdStrike also has a history of accusing Russia of conducting cyberattacks without sufficient evidence. In 2016 it ruled that Russia was the culprit of a hacking incident in Ukraine; however, the source of the data for that report, the International Institute for Strategic Studies (IISS), stated that CrowdStrike had used its data erroneously and disowned CrowdStrike’s findings.

CrowdStrike was approached and contracted by the DNC to carry out the investigation, rather than by any independent judiciary. The judge, in this case, was being paid out of the pocket of the victim. And yet we accept the results of this investigation without question?

Each company reached the conclusion that the hack was of Russian origin partly on the basis that a file published by the culprit, Guccifer 2.0, carried metadata written using a Russian-language keyboard. Now that the capabilities of Marble are known to the public, this evidence should be disregarded.

The public reports of each investigation by ostensibly ‘private’ companies go into detail about how the hacker is likely culpable for other attacks and even outline in detail how four separate dense DNC staffers, including John Podesta, clicked on phishing links. Absent from any report, however, are details of how they came to the conclusion that Russia was responsible for the hack.

The President of one firm that analysed the attacks, FireEye, claimed that he pointed the finger at Russia because “it’s an old assumption going back years that when any attack is against a non-financial target, [it should be] attributed to a state actor.” Forgive me for thinking that this isn’t sufficiently rigorous technical analysis to use as a reason to start World War 3.

Different Continent; Same Story

A German Parliamentary inquiry into joint surveillance between the German BND and the US NSA had its data hacked in 2015. Like the DNC hacks, the data was released to Wikileaks, and, again like the DNC leaks, it was blamed on Russia.

The German Bundestag concluded that the leak was sourced from a German whistleblower.

Without releasing any files surrounding the hack, German intelligence officials decided to announce that their internal investigations pointed towards Russia being the culprit of the attack.

Considering that the BND was the subject of the Parliamentary inquiry that fell victim to the data breach, it is reasonable to suggest that German state intelligence agencies were too close to the events in question to conduct an independent investigation free from bias.

No organisation outside the circle of German intelligence agencies, which had been exposed as being so closely aligned with their American equivalents, was able to inspect the details of the cyber attack and draw its own conclusions.

Angela Merkel tightened oversight of the BND after the inquiry concluded that the German intelligence agency was working hand in hand with the American NSA to spy on German officials, including Merkel herself, and on German corporations. One German official commented that the BND was cooperating with the NSA so closely that it had effectively become the ‘European branch’ of the US intelligence community.

No explanation was given as to how German intelligence agencies came to the decision to hold Russia responsible for the attack. The evidence made public in the case of the DNC hacks was threadbare; in the case of the German Inquiry hack it is simply non-existent.

Despite the lack of evidence, US and EU officials have used these baseless accusations to spark a ‘Russians are coming’ media onslaught, in order to win lucrative cyber security contracts or to realign timid voters behind their own self-interests.

Marble should change the way we view the official line of the US intelligence community

With new evidence proving that US intelligence agencies were in possession of software able to mimic the digital signatures of foreign nations, it is necessary to renew scrutiny of the inspection and attribution of both the DNC and German Parliamentary Inquiry breaches, and to ensure that future incidents are investigated in a more independent and transparent way.

The result of US intelligence agencies being able to dictate the terms and conclusions of cybersecurity investigations is not trivial; conveniently for them, Wikileaks, the organisation that in recent years has done most to expose their unconstitutional actions, is now routinely discredited as being a ‘Russian stooge’ and lacks the authority it once demanded. More dangerously, relations between Russia and the US are at their shakiest since the Cold War, even under a President that the US deep state tried to smear as a Kremlin puppet.

US intelligence agencies have until now acted as judge, jury and executioner with regard to cyberattacks. Now that the public is able to see their arsenal of digital smokescreens, which have the potential to twist investigations and point the finger at a culprit of their choosing, it is time to shift the responsibility for attributing cyber attacks to bodies that are free from the influence of the US intelligence community or of any party with a clear conflict of interest, unlike CrowdStrike.

Rory Wood

Wikileaks Decrypted | Vault 7