ODNI Rightly Focused on Intel, not Cyber

J.J. Thompson
SECOPS
Jan 6, 2017

After much speculation, the ODNI report had little to do with cyber attribution. It had everything to do with traditional tradecraft and sourcing.

Two groups exist in the INFOSEC community right now: those who swear CrowdStrike’s attribution was right, and those who swear their report was inadequate. I’m still firmly with the latter.

Cyber attribution wasn’t the key factor according to the ODNI report.

25 pages. More than 90% of the report focused on sources other than cyber / technology, and the majority of the justification and basis followed suit. Behavior. Patterns. History. Tradecraft.

Here are my comments on the sections of the report that stood out in my quick analysis.

Behavior. Patterns. History. Cyber was one vector, one tool.
The Guccifer 2.0 notes match our SOC Intel team’s perspective from the summer. The content linkage is a big one. Excellent daisy-chaining of digital evidence. There’s a lot more to the highlighted bullet. Huge point.
It continues to be my belief that the jump from the evidence to the attribution noted here is a leap. That doesn’t matter in the overall context of the report. Again, cyber was only 15% or so of the content.
The GRU comments appear to relate to the behavior and timing of source-material releases when paired (think of an intelligence SIEM) with other patterns on RT, chatter, Twitter trolls, etc. “Cyber operations” can mean Twitter trolling, spearphishing, etc. The report does not say whether or not they were successful.
Multiple sources. Non-technical focus. “Multiple” could be two: CrowdStrike and a 3LA (three-letter agency), for instance. Again, it doesn’t matter. The rest of the report makes the case without the cyber components.
Non-cyber. Traditional intelligence. Very good reporting.


Founder at Spektrum Labs, equipping cyber resilience innovators in the cyber insurance ecosystem. #cyberresilience #blockchain #insurtech #tokenization