Spitfire List Web site and blog of anti-fascist researcher and radio personality Dave Emory.

Cyber Attribution, the Macron hacks, and the Existential Threat of Unwarranted Certainty

Did you hear the big new hacking news? The news about ‘Fancy Bear’ already getting ready to wage a new hacking campaign against US politicians? If not, here’s a brief summary: Trend Micro, a Japanese cybersecurity firm, just issued a new report purporting to show that ‘Fancy Bear’ has already set up multiple phishing websites intended to capture the login credentials to the US Senate’s email system. And Trend Micro is 100 percent confident this is the work of ‘Fancy Bear’, the Russian military intelligence hacking team.

And what led to Trend Micro’s 100 percent certainty that these phishing sites were set up by ‘Fancy Bear’? Well, that conclusion appears to be based on the similarity of this operation to the Macron email hack that hit the French election last year. You know, the same hack that the French cybersecurity agency said was so unsophisticated that any reasonably skilled hackers could have pulled it off. And the same hacks that comically included the name of a Russian government security contractor in the metadata and were traced back to Andrew ‘weev’ Auernheimer. That’s the hack that this current Senate phishing operation strongly mimics, and that resemblance is what led to Trend Micro’s 100 percent certainty that this is the work of ‘Fancy Bear.’ So how credible is this 100 percent certain cyber attribution? Well, that’s going to be the topic of this post. And as we’re going to see:

1. Contemporary cyber attribution is fraught with peril, relying heavily on “pattern recognition” that makes it ripe for misattributions and false flags.

2. The move to employ “pattern recognition” and use it for nation-state-on-nation-state public attributions of hacks is a relatively new trend in the cybersecurity industry, and it was pioneered by one of the founders of CrowdStrike.

3. When you look at the recent history of the cybersecurity industry, there are A LOT of questions about whether or not these attributions are really being made with certainty.

4. If this mode of cyber attribution turns out to be a bad idea, it could result in international chaos. Seriously, international chaos. Those were the words of France’s top cybersecurity officer following the Macron email hacks.

In other words, beyond not wanting to get a particular instance of cyber attribution wrong, society really doesn’t want to get the whole approach to cyber attribution wrong. Because, again, that could be an invitation for international chaos.

So with that in mind, let’s take a look at that new Trend Micro report and the cyber attribution made with 100 percent certainty:

Associated Press

Cybersecurity firm: US Senate in Russian hackers’ crosshairs

RAPHAEL SATTER
01/12/2018

PARIS (AP) — The same Russian government-aligned hackers who penetrated the Democratic Party have spent the past few months laying the groundwork for an espionage campaign against the U.S. Senate, a cybersecurity firm said Friday.

The revelation suggests the group often nicknamed Fancy Bear, whose hacking campaign scrambled the 2016 U.S. electoral contest, is still busy trying to gather the emails of America’s political elite.

“They’re still very active — in making preparations at least — to influence public opinion again,” said Feike Hacquebord, a security researcher at Trend Micro Inc., which published the report. “They are looking for information they might leak later.”

The Senate Sergeant at Arms office, which is responsible for the upper house’s security, declined to comment.

Hacquebord said he based his report on the discovery of a clutch of suspicious-looking websites dressed up to look like the U.S. Senate’s internal email system. He then cross-referenced digital fingerprints associated with those sites to ones used almost exclusively by Fancy Bear, which his Tokyo-based firm dubs “Pawn Storm.”

Trend Micro previously drew international attention when it used an identical technique to uncover a set of decoy websites apparently set up to harvest emails from the French presidential candidate Emmanuel Macron’s campaign in April 2017. The sites’ discovery was followed two months later by a still-unexplained publication of private emails from several Macron staffers in the final days of the race.

Hacquebord said the rogue Senate sites — which were set up in June and September of 2017 — matched their French counterparts.

“That is exactly the way they attacked the Macron campaign in France,” he said.

Attribution is extremely tricky in the world of cybersecurity, where hackers routinely use misdirection and red herrings to fool their adversaries. But Trend Micro, which has followed Fancy Bear for years, said there could be no doubt.

“We are 100 percent sure that it can be attributed to the Pawn Storm group,” said Rik Ferguson, one of Hacquebord’s colleagues.

Like many cybersecurity companies, Trend Micro refuses to speculate publicly on who is behind such groups, referring to Pawn Storm only as having “Russia-related interests.” But the U.S. intelligence community alleges that Russia’s military intelligence service pulls the hackers’ strings, and a months-long Associated Press investigation into the group, drawing on a vast database of targets supplied by the cybersecurity firm Secureworks, has determined that the group is closely attuned to the Kremlin’s objectives.

If Fancy Bear has targeted the Senate over the past few months, it wouldn’t be the first time. An AP analysis of Secureworks’ list shows that several staffers there were targeted between 2015 and 2016.

Among them: Robert Zarate, now the foreign policy adviser to Florida Senator Marco Rubio; Josh Holmes, a former chief of staff to Senate Majority Leader Mitch McConnell who now runs a Washington consultancy; and Jason Thielman, the chief of staff to Montana Senator Steve Daines. A Congressional researcher specializing in national security issues was also targeted.

Fancy Bear’s interests aren’t limited to U.S. politics; the group also appears to have the Olympics in mind.

Trend Micro’s report said the group had set up infrastructure aimed at collecting emails from a series of Olympic winter sports federations, including the International Ski Federation, the International Ice Hockey Federation, the International Bobsleigh & Skeleton Federation, the International Luge Federation and the International Biathlon Union.

The targeting of Olympic groups comes as relations between Russia and the International Olympic Committee are particularly fraught. Russian athletes are being forced to compete under a neutral flag in the upcoming Pyeongchang Olympics following an extraordinary doping scandal that has seen 43 athletes and several Russian officials banned for life. Amid speculation that Russia could retaliate by orchestrating the leak of prominent Olympic officials’ emails, cybersecurity firms including McAfee and ThreatConnect have picked up on signs that state-backed hackers are making moves against winter sports staff and anti-doping officials.

On Wednesday, a group that has brazenly adopted the Fancy Bear nickname began publishing what appeared to be Olympics and doping-related emails from between September 2016 and March 2017. The contents were largely unremarkable but their publication was covered extensively by Russian state media and some read the leak as a warning to Olympic officials not to press Moscow too hard over the doping scandal.

Whether any Senate emails could be published in such a way isn’t clear. Previous warnings that German lawmakers’ correspondence might be leaked by Fancy Bear ahead of last year’s election there appear to have come to nothing.

On the other hand, the group has previously dumped at least one U.S. legislator’s correspondence onto the web.

One of the targets on Secureworks’ list was Colorado State Senator Andy Kerr, who said thousands of his emails were posted to an obscure section of the website DCLeaks — a web portal better known for publishing emails belonging to retired Gen. Colin Powell and various members of Hillary Clinton’s campaign — in late 2016.

...

———-

“Cybersecurity firm: US Senate in Russian hackers’ crosshairs” by RAPHAEL SATTER; Associated Press; 01/12/2018

“Hacquebord said he based his report on the discovery of a clutch of suspicious-looking websites dressed up to look like the U.S. Senate’s internal email system. He then cross-referenced digital fingerprints associated with those sites to ones used almost exclusively by Fancy Bear, which his Tokyo-based firm dubs ‘Pawn Storm.’”

So after cross-referencing the digital fingerprints associated with the Senate email phishing websites, Trend Micro found that these fingerprints were almost exclusively used by ‘Fancy Bear’. That appears to be at the core of Trend Micro’s 100 percent certainty in attributing these websites to Fancy Bear.

And it sounds like those digital fingerprints point back to the Macron hack, which is presumably part of the basis of their 100 percent level of certainty. Although it’s unclear, because Trend Micro relates the US Senate phishing attempt back to the Macron hacks merely by stating that the US Senate phishing websites matched their French counterparts. “That is exactly the way they attacked the Macron campaign in France,” said Trend Micro:

...
Hacquebord said the rogue Senate sites — which were set up in June and September of 2017 — matched their French counterparts.

“That is exactly the way they attacked the Macron campaign in France,” he said.

Attribution is extremely tricky in the world of cybersecurity, where hackers routinely use misdirection and red herrings to fool their adversaries. But Trend Micro, which has followed Fancy Bear for years, said there could be no doubt.

“We are 100 percent sure that it can be attributed to the Pawn Storm group,” said Rik Ferguson, one of Hacquebord’s colleagues.
...

“We are 100 percent sure that it can be attributed to the Pawn Storm group.” That’s the message from Trend Micro following the release of this report.

And then Trend Micro touts its previous big attribution score, when it drew international attention by attributing the phishing sites set up in the Macron hacks back to ‘Fancy Bear’/APT28/Pawn Storm:

...
Trend Micro previously drew international attention when it used an identical technique to uncover a set of decoy websites apparently set up to harvest emails from the French presidential candidate Emmanuel Macron’s campaign in April 2017. The sites’ discovery was followed two months later by a still-unexplained publication of private emails from several Macron staffers in the final days of the race.
...

“The sites’ discovery was followed two months later by a still-unexplained publication of private emails from several Macron staffers in the final days of the race.”

You have to love the phrasing of the “still-unexplained publication of private emails.” Yeah, it’s still unexplained because the whole world appeared to drop that line of inquiry after the reports pointing back to Auernheimer’s involvement in the hack.

So that’s the public reporting on these new US Senate phishing sites and the 100 percent certain attribution of them back to APT28. And if we take it at face value, we would have to conclude that Russia’s government hackers executed this phishing attempt while leaving digital fingerprints that uniquely tie back to prior phishing campaigns, which, if true, sure sounds like “I’m a Russian hacker! Please blame it on me!” kind of behavior.

The Trend Micro US Senate Phishing Report: An Evidentiary Tributary, a Vague Trickle of ‘Digital Fingerprints’, Tells the Story

But if the digital fingerprints do indeed point back to prior hacking campaigns carried out by APT28/Fancy Bear/Pawn Storm, what’s the actual evidence provided by Trend Micro? Did Trend Micro find that the phishing websites were literally hosted on the same servers as previously identified phishing sites, and/or shared some other physical infrastructure that was used in previous hacks? And if so, which hacks?

Well, when you read the Trend Micro report, it does explicitly say that they can “uniquely relate” the phishing websites set up for this US Senate hack attempt back to two attacks by Fancy Bear a.k.a. Pawn Storm: one in 2016 and one in 2017. But they don’t clarify which particular hacks they were referring to. The 2017 hack they refer to might be the Macron hack, but the report mentions a number of different 2017 campaigns they attributed to APT28.

The report also makes a rather notable observation about the behavior of ‘Fancy Bear’: they appear to follow largely the same script over and over. Trend Micro attributes this behavior to ‘Fancy Bear’ having both a large volume of targets and a large box of hacking tools, so few updates to its techniques are required. And this is true in terms of reusing the same methodology, in the sense that relatively unsophisticated phishing campaigns probably can largely all follow the same script. But it’s also the case that reusing the same digital infrastructure — like the same malware — over and over is a great way to make your hacking group relatively easy to identify by investigators and, more importantly, relatively easy to frame by third parties.

Now, it’s true that reuse of malware shouldn’t actually be seen as strong evidence that two separate attacks are related, unless it’s highly distinctive malware and there’s no evidence of it being ‘in the wild’ and available to other hackers. But in today’s context, reuse of malware, including malware ‘in the wild’, is routinely used by the cybersecurity industry as evidence that different attacks were carried out by the same group. Take, for example, the bogus claim made by CrowdStrike that the “X‑Agent” malware found in the DNC server attack is used solely by the Russian government.

Similarly, seeing the same ISP being used in two separate attacks shouldn’t actually be seen as strong evidence that two separate attacks are related, because you can easily have different hacking groups sharing the same hacker-friendly ISPs. But in today’s context, reusing things like the same ISP over and over is basically asking to have your various hacking campaigns attributed to each other. And it’s also asking to have a third party frame you.

In other words, reusing methodologies is understandable when you’re relying on unsophisticated techniques. But reusing the same digital infrastructure is a very different kind of lack of sophistication... unless, of course, a group like ‘Fancy Bear’ wants to have all of its various hacking campaigns attributed back to them. That’s something to keep in mind when reading the following Trend Micro report.

The report also includes a note on other hackers copying Fancy Bear’s technique, warning that “actors from developing countries will learn and probably adapt similar methods quickly in the near future.” And that warning raises the obvious question of why we shouldn’t assume that all sorts of actors, in any country, have already adopted similar methods, including using the same digital infrastructure when information on it is available.

So there are a number of questions raised by the Trend Micro report, and not a lot of answers on how exactly they arrived at their conclusions:

Trend Micro

Update on Pawn Storm: New Targets and Politically Motivated Campaigns

Posted on: January 12, 2018 at 5:00 am

In the second half of 2017 Pawn Storm, an extremely active espionage actor group, didn’t shy away from continuing their brazen attacks. Usually, the group’s attacks are not isolated incidents, and we can often relate them to earlier attacks by carefully looking at both technical indicators and motives.

Pawn Storm has been attacking political organizations in France, Germany, Montenegro, Turkey, Ukraine, and the United States since 2015. We saw attacks against political organizations again in the second half of 2017. These attacks don’t show much technical innovation over time, but they are well prepared, persistent, and often hard to defend against. Pawn Storm has a large toolset full of social engineering tricks, malware and exploits, and therefore doesn’t need much innovation apart from occasionally using their own zero-days and quickly abusing software vulnerabilities shortly after a security patch is released.

In summer and fall of 2017, we observed Pawn Storm targeting several organizations with credential phishing and spear phishing attacks. Pawn Storm’s modus operandi is quite consistent over the years, with some of their technical tricks being used repeatedly. For example, tabnabbing was used against Yahoo! users in August and September 2017 in US politically themed email. The method, which we first discussed in 2014, involves changing a browser tab to point to a phishing site after distracting the target.

We can often closely relate current and old Pawn Storm campaigns using data that spans more than four years, possibly because the actors in the group follow a script when setting up an attack. This makes sense, as the sheer volume of their attacks requires careful administration, planning, and organization to succeed. The screenshots below show two typical credential phishing emails that targeted specific organizations in October and November 2017. One type of email is supposedly a message from the target’s Microsoft Exchange server about an expired password. The other says there is a new file on the company’s OneDrive system.

While these emails might not seem to be advanced in nature, we’ve seen that credential loss is often the starting point of further attacks that include stealing sensitive data from email inboxes. We have worked with one of the targets, an NGO in the Netherlands targeted twice, in late October and early November 2017. We successfully prevented both attacks from causing any harm. In one case we were able to warn the target within two hours after a dedicated credential phishing site was set up. In an earlier attack, we were able to warn the organization 24 hours before the actual phishing emails were sent.

...

Political targets

In the week of the 2017 presidential elections in Iran, Pawn Storm set up a phishing site targeting chmail.ir webmail users. We were able to collect evidence that credential phishing emails were sent to chmail.ir users on May 18, 2017, just one day before the presidential elections in Iran. We have previously reported similar targeted activity against political organizations in France, Germany, Montenegro, Turkey, Ukraine, and the United States.

Beginning in June 2017, phishing sites were set up mimicking the ADFS (Active Directory Federation Services) of the U.S. Senate. By looking at the digital fingerprints of these phishing sites and comparing them with a large data set that spans almost five years, we can uniquely relate them to a couple of Pawn Storm incidents in 2016 and 2017. The real ADFS server of the U.S. Senate is not reachable on the open internet, however phishing of users’ credentials on an ADFS server that is behind a firewall still makes sense. In case an actor already has a foothold in an organization after compromising one user account, credential phishing could help him get closer to high profile users of interest.

The future of politically motivated campaigns

Rogue political influence campaigns are not likely to go away in the near future. Political organizations have to be able to communicate openly with their voters, the press and the general public. This makes them vulnerable to hacking and spear phishing. On top of that, it’s also relatively easy to influence public opinion via social media. Social media platforms continue to form a substantial part of users’ online experience, and they let advertisers reach consumers with their message.

This makes social media algorithms susceptible to abuse by various actors with bad intentions. Publishing stolen data together with spreading fake news and rumors on social media gives malicious actors powerful tools. While a successful influence campaign might seem relatively easy to do, it needs a lot of planning, persistence, and resources to be successful. Some of the basic tools and services, like ones used to spread fake news on social media, are already being offered as a service in the underground economy.

As we have mentioned in our overview paper on Pawn Storm, other actors may also start their own campaigns that aim to influence politics and issues of interest domestically and abroad. Actors from developing countries will learn and probably adapt similar methods quickly in the near future. In 2016, we published a report on C Major, an espionage group that primarily targets the Indian military. By digging deeper into C Major’s activities, we found that this actor group not only attacks the Indian military, but also has dedicated botnets for compromised targets in Iranian universities, Afghanistan, and Pakistan. Recently, we have witnessed C Major also showing some interest in compromising military and diplomatic targets in the West. It is only a matter of time before actors like C Major begin attempting to influence public opinion in foreign countries, as well.

With the Olympics and several significant global elections taking place in 2018, we can be sure Pawn Storm’s activities will continue. We at Trend Micro will keep monitoring their targeted activities, as well as activities of similar actors, as cyberpropaganda and digital extortion remain in use.

...

———-

“Update on Pawn Storm: New Targets and Politically Motivated Campaigns”; Trend Micro; 01/12/2018

“Beginning in June 2017, phishing sites were set up mimicking the ADFS (Active Directory Federation Services) of the U.S. Senate. By looking at the digital fingerprints of these phishing sites and comparing them with a large data set that spans almost five years, we can uniquely relate them to a couple of Pawn Storm incidents in 2016 and 2017. The real ADFS server of the U.S. Senate is not reachable on the open internet, however phishing of users’ credentials on an ADFS server that is behind a firewall still makes sense. In case an actor already has a foothold in an organization after compromising one user account, credential phishing could help him get closer to high profile users of interest.”

So in June 2017, phishing sites get set up to mimic the US Senate’s email site. And the digital fingerprints on these sites “uniquely relate” them to a couple of Pawn Storm incidents in 2016 and 2017. That appears to be the primary line of evidence leading them to conclude that ‘Fancy Bear’/‘Pawn Storm’ is indeed the entity behind this Senate phishing attempt. And none of that evidence is actually given. It is solely a “Trust Us” attribution.

And note how the lack of technical innovation over time appears to be a key element in allowing Trend Micro to search through its database of attacks and match the ‘digital fingerprints’ of present day attacks with prior attacks:

...
Pawn Storm has been attacking political organizations in France, Germany, Montenegro, Turkey, Ukraine, and the United States since 2015. We saw attacks against political organizations again in the second half of 2017. These attacks don’t show much technical innovation over time, but they are well prepared, persistent, and often hard to defend against. Pawn Storm has a large toolset full of social engineering tricks, malware and exploits, and therefore doesn’t need much innovation apart from occasionally using their own zero-days and quickly abusing software vulnerabilities shortly after a security patch is released.

...

We can often closely relate current and old Pawn Storm campaigns using data that spans more than four years, possibly because the actors in the group follow a script when setting up an attack. This makes sense, as the sheer volume of their attacks requires careful administration, planning, and organization to succeed. The screenshots below show two typical credential phishing emails that targeted specific organizations in October and November 2017. One type of email is supposedly a message from the target’s Microsoft Exchange server about an expired password. The other says there is a new file on the company’s OneDrive system.
...

So ‘Fancy Bear’ keeps using the same methodology and seemingly follows a script, leaving a growing digital trail over the years that can be used for attribution of future attacks. And yet, as Trend Micro warns, there’s reason to assume other actors are going to adopt similar methods “in the near future” to sway elections in other countries:

...
As we have mentioned in our overview paper on Pawn Storm, other actors may also start their own campaigns that aim to influence politics and issues of interest domestically and abroad. Actors from developing countries will learn and probably adapt similar methods quickly in the near future. In 2016, we published a report on C Major, an espionage group that primarily targets the Indian military. By digging deeper into C Major’s activities, we found that this actor group not only attacks the Indian military, but also has dedicated botnets for compromised targets in Iranian universities, Afghanistan, and Pakistan. Recently, we have witnessed C Major also showing some interest in compromising military and diplomatic targets in the West. It is only a matter of time before actors like C Major begin attempting to influence public opinion in foreign countries, as well.
...

And, of course, just as third parties might use the same methodology, they also might decide to try to leave the same digital fingerprints as ‘Fancy Bear’ if that’s an option, because why not? If the malware or server hosts that ‘Fancy Bear’, or any other high profile hacking group, keeps getting reused become publicly known, why wouldn’t other hackers use the same malware and server hosts if that’s an option? This is probably a good time to remind ourselves that one of the key ‘digital fingerprints’ found in the 2016 DNC hack and used to attribute that hack to ‘Fancy Bear’ was the reuse of a command and control server’s IP address (176.31.112.10) made public in 2015 following the Bundestag hack of May 2015.

And note how there are actually a number of 2017 hacks attributed to ‘Fancy Bear’ that Trend Micro references in this report. So if it “uniquely” traced the US Senate phishing sites (which were actually set up in June of 2017... a month after the French elections) back to another 2017 attack, it’s not clear which 2017 attack Trend Micro was uniquely tying the US Senate phishing sites back to.

But again, the overall message from Trend Micro in this report is “Trust Us, we got this covered... look at what a great job we did identifying the Macron hacks.”

About Those Macron Hack Attributions...

So Trend Micro found that two prior attacks, one in 2017 and one in 2016, shared the same digital fingerprints that they found after investigating the websites associated with this new US Senate phishing campaign. And the 2017 attack they referred to was maybe the Macron email hack, although that’s very ambiguous. And we’re basically expected to just trust them on this attribution.

So how much blind trust should we place in Trend Micro’s — or any other cybersecurity firm’s — attribution when basically no technical evidence is given? Well, to explore this topic, let’s take an extended look at the Macron hacks. And not just Trend Micro’s work on those hacks, because there were a number of different cybersecurity firms, along with the US government, who weighed in on that hack and concluded with near certainty that it was ‘Fancy Bear’ behind it.

And as we look into this, note that, if the 2017 hack Trend Micro related the US Senate phishing sites back to was indeed the Macron hack, then we can make an educated guess that the 2016 hack Trend Micro uniquely related back to the US Senate phishing attack was actually the 2016 DNC server attack. Because as we’ll see in the following article, when Trend Micro first reported on the Macron email hack back in April of 2017, there was one particular 2016 hack that Trend Micro claimed had a number of ‘digital similarities’ to the Macron hack. And those ‘digital similarities’ included similarities in the IP addresses involved and malware used. That 2016 hack: the DNC server hack:

The Washington Post

Cyberattack on French presidential front-runner bears Russian ‘fingerprints,’ research group says

By Rick Noack
April 25, 2017

PARIS — A security firm claimed Tuesday that new cyberattacks on the campaign offices of the front-runner in France’s presidential race carried digital “fingerprints” similar to the suspected Russian hacking of the Democratic National Committee and others in the 2016 U.S. election.

The report, by the Trend Micro research group, did not disclose the potential fallout of the infiltration on the campaign of Emmanuel Macron, a centrist who faces far-right leader Marine Le Pen in a May 7 runoff.

If a Russian connection is proved, the hacking would add to mounting allegations that Moscow is backing attempts to influence Western elections in favor of candidates with policies potentially more friendly to the Kremlin. Le Pen has voiced opposition to the powers of the European Union and has called for better ties with Russia, echoing some of the campaign rhetoric of President Trump.

Tokyo-based Trend Micro said Macron’s campaign was targeted in March and April by a cyberspying group called Pawn Storm. The group has allegedly used phishing and malware to infiltrate other political organizations, as well, such as German Chancellor Angela Merkel’s Christian Democratic Union and the U.S. Democratic National Committee.

“There are several things which suggest that the group behind the Macron hacking was also responsible for the DNC breach, for example. We found similarities in the IP addresses and malware used in the attacks,” said Rik Ferguson, vice president of Trend Micro’s security research program.

“We cannot say for sure whether this was directed by the Russian government, but the group behind the attacks certainly appears to pursue Russian interests,” added Ferguson, speaking from the company’s London offices.

According to the research firm, the hackers created several email addresses on a fake server with the URL onedrive-en-marche.fr, operating from computers with IP addresses in multiple European nations, including Britain.

...

ANSSI, the French government’s cybersecurity agency, confirmed the more recent cyberattacks against Macron but left open the possibility that they could be the work of “other high-level” hackers trying to point the blame at Pawn Storm.

...
———-

“Cyberattack on French presidential front-runner bears Russian ‘fingerprints,’ research group says” by Rick Noack; The Washington Post; 04/25/2017

““There are several things which suggest that the group behind the Macron hacking was also responsible for the DNC breach, for example. We found similarities in the IP addresses and malware used in the attacks,” said Rik Ferguson, vice president of Trend Micro’s security research program.”

The same IP addresses and the same malware used in the Macron and DNC attacks. Or, at least, similar IP addresses and similar malware. That’s what Trend Micro found when it looked into the Macron email hacks back in 2017.

So what does it mean to have “similar IP addresses” between two hacks? Well, that’s probably a reference to the two hacks sharing the same IP blocks. And sharing IP blocks with previous attacks merely suggests the use of the same Internet Service Provider (ISP), since each ISP is assigned a block of IP addresses to hand out. And sharing an ISP with previous hackers is fairly weak evidence. Of course hackers are going to gravitate towards hacker-friendly ISPs! Especially if they want to misdirect the attribution of the attack!

And neither is “similar malware” compelling evidence...unless there’s reason to believe that the malware isn’t available to other hackers. But if ‘Fancy Bear’ has been reusing the same, or similar, malware for years, what are the odds that its malware collection isn’t already ‘in the wild’? As we saw with the ‘X‑Agent’ malware, assuming this malware is unique to one group is a bad idea. And even if the malware ‘Fancy Bear’ keeps reusing has somehow avoided ending up ‘in the wild’, why does this group continue to reuse the same unique collection of malware over and over? It just makes attribution that much easier!

Where’s the Beef Evidence? Seriously, Where Is It?

But let’s not focus exclusively on Trend Micro when it comes to the Macron hack. Because a lot of different cybersecurity companies made exactly the same attribution, and so did the US government. Curiously, all of these sources appeared to be extremely confident that the phishing sites targeting the Macron campaign and identified by Trend Micro in its April 25th, 2017, report were indeed attributable to ‘Fancy Bear’, and in a number of cases they even referred back to their big reports. And yet, when you look at the actual reports, there is no evidence listed and, in the case of the US government report, there’s no reference to the Macron hacks at all. It’s bizarre.

First, let’s take a look at this Defense One article from May 6, 2017. That’s one day after the BIG document dump of Macron campaign emails. Recall that there was a May 3rd document dump of a few documents that appeared to be tampered with and then a much larger May 5th dump.

Also recall, and as we’ll examine in more detail later, both of these document dumps appeared to originate from within the American ‘Alt-Right’, with Andrew Auernheimer a central figure.

So this article was written one day after a very big last-minute document dump, and the way these documents were dumped did not at all fit the ‘Russia did it’ pattern. That’s why when you read this article you’ll see parallel discussions of the phishing sites that Trend Micro reported on a couple of weeks earlier paired with acknowledgments from Trend Micro that there’s no evidence conclusively pinning the hack on ‘Fancy Bear’. In other words, there’s an implicit acknowledgement that the phishing sites set up to target the Macron campaign may not have been the source of these hacked documents.

But when it comes to who set up those phishing sites, the article includes more than just Trend Micro making near-certain conclusions that Fancy Bear was behind it. A representative from Flashpoint, another cybersecurity firm, is also quoted as basically treating it as a foregone conclusion that ‘Fancy Bear’ set up the phishing sites, and the article links back to the US government’s “Grizzly Steppe” report, which was purportedly updated to include that evidence. But as we’ll see, Flashpoint never actually explains anywhere how it arrived at this conclusion and the US government report contains no reference at all to the Macron hacks. It was “Trust Us” attribution at work all around:

Defense One

France’s Macron Hack Likely By Same Russian Group That Hit DNC, Sources Say

By Patrick Tucker
Technology Editor

May 6, 2017

The same Putin-backed hacking group that targeted the Democratic National Committee last year has been targeting French presidential candidate Emmanuel Macron, according to multiple cybersecurity groups.

On Friday, Macron claimed that his campaign had suffered a “massive and coordinated” data theft and smear campaign, some 9 gigabytes of data stolen and published to an anonymous sharing site called Pastebin.

No hard evidence has yet emerged linking the targeting to the doc dump. But over several weeks leading to the attack on Macron’s campaign, several firms in the private security community issued warnings. On April 25, cybersecurity group Trend Micro claimed a group known as APT 28, or Fancy Bear and Pawn Storm, was actively targeting the Macron campaign with bogus emails to convince campaign higher-ups to click on links.

The evidence: On March 15, operators working from IP addresses associated with APT 28 were registering domain names that were related to the Macron campaign, such as onedrive-en-marche.fr. Registering phony email domains would allow the operatives to send emails to targeted campaign workers that appear to be from the campaign. A cybersecurity professional with direct knowledge of the hack told Defense One that the same Putin-backed hacking group that targeted the DNC had also been targeting Macron. But they could not say with certainty that those actors were the same individuals who put the documents on the Pastebin site, (or if the documents on Pastebin were even authentic.)

Of particular interest in the Macron case is a new tactic: rather than luring the victim to a link and then trying to convince them to give up his or her password, APT 28 was targeting the Macron campaign with a lure to fake computer applications that looked like they actually came from Google. This time the victims weren’t prompted to give up their passwords. Instead they could simply authorize a program that looked like it came from a trusted provider to do what that program (looks like) it is supposed to do. The scam is called Open Authentication or an OAuth attack. “The big advantage is that users don’t have to reveal their password to the third party. Instead the third party applications get a token that can be used for authentication,” Trend Micro says in their report.

Greg Martin, CEO of the firm JASK, told Business Insider that this represented a clear escalation of tactics. “It’s a new style of attack … very deadly and unprecedented … It’s the first time we have seen this in the wild.”

Vitali Kremez, director of research at the cybersecurity firm Flashpoint, also offered cautious analysis to the New York Times on Friday. “The key goals and objectives of the campaign appear to be to undermine Macron’s presidential candidacy and cast doubt on the democratic electoral process in general.”

He later told Reuters that APT 28 was indeed behind the attack after determining that APT 28 related entities had “registered decoy internet addresses to mimic the name of En Marche … including onedrive-en-marche.fr and mail-en-marche.fr.”

The event follows months of warnings about Kremlin influence and information operations allegedly targeting the French election for the benefit of Marine Le Pen’s National Front Party. On January 8, France’s Minister of Defense Jean-Yves Le Drian told French newspapers that “one cannot be naive,” about the likelihood of Kremlin involvement to aid Le Pen, who has supported a closer relationship with Putin and a weakening of the EU.

Defense One first reported in January that the group sometimes known as Fancy Bear, APT 28, and by other names was actively targeting the French election with the same email tactics that they employed against previous targets, including, most famously the DNC.

It’s not the first time Kremlin-backed hackers have targeted France. In April of 2015, the same group, posing as ISIS-linked Islamic extremists and calling itself the Cyber Caliphate also attacked French television station TV5 Monde. The intent of that attack remains unclear.

Authorities and investigators have yet to make public hard forensic evidence linking the group to the hack on Macron’s campaign.

Today, in response to Macron’s claim, Trend Micro offered a clarifying statement. “Trend Micro does not have evidence that this is associated with the group known as Pawn Storm (also APT28 and other names). The techniques used in this case seem to be similar to previous attacks. Without further evidence, it is extremely difficult to attribute this hack to any particular person or group.”

In the meantime, some analysis suggests that portions of the 9 gigabyte document dump, or at least portions of it that are spreading on social media, may be forged.

@wikileaks Two documents purporting to show that Macron has offshore accounts were created yesterday, the day of the debate #MacronLeaks pic.twitter.com/cxqZnZmNTh
— Nathan Patin (@NathanPatin) May 6, 2017

The mixing of fake documents with stolen real documents, and then dumping both on the public to achieve a better political or market effect, is something that members of the intelligence community have worried about publicly for years. Kremlin-backed actors have done it before, but not through Wikileaks. Last August, hackers dumped a series of documents on the sites CyberBerkut and DC Leaks, both of which the intelligence community has linked to Putin’s government. It was an attempt to smear a Putin political opponent by connecting him to George Soros. Problem is, the docs didn’t match, suggesting a forgery.
...

———-

“France’s Macron Hack Likely By Same Russian Group That Hit DNC, Sources Say” by Patrick Tucker; Defense One; 05/06/2017

“No hard evidence has yet emerged linking the targeting to the doc dump. But over several weeks leading to the attack on Macron’s campaign, several firms in the private security community issued warnings. On April 25, cybersecurity group Trend Micro claimed a group known as APT 28, or Fancy Bear and Pawn Storm, was actively targeting the Macron campaign with bogus emails to convince campaign higher-ups to click on links.”

No hard evidence has yet emerged linking the targeting of the Macron camp with the phishing sites to the actual document dump. That was the assessment one day after the big Macron document dump. And that’s not unreasonable since it was just one day. That’s not a lot of time to gather evidence.

And yet the attribution of the phishing sites to ‘Fancy Bear’ is treated like a certainty. And that includes linking to the US government’s Grizzly Steppe report that purportedly ties the registration of the phishing site domain names to APT28/Fancy Bear:

...
The evidence: On March 15, operators working from IP addresses associated with APT 28 were registering domain names that were related to the Macron campaign, such as onedrive-en-marche.fr. Registering phony email domains would allow the operatives to send emails to targeted campaign workers that appear to be from the campaign. A cybersecurity professional with direct knowledge of the hack told Defense One that the same Putin-backed hacking group that targeted the DNC had also been targeting Macron. But they could not say with certainty that those actors were the same individuals who put the documents on the Pastebin site, (or if the documents on Pastebin were even authentic.)
...

Here’s the problem with that Grizzly Steppe report’s attribution. If you look at the Grizzly Steppe report, there is indeed an April 6, 2017 update listed on the home page of that report. It’s one line: “April 6, 2017: Updated AR-17–20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity with Section 508 Remediation.” The problem is that if you look at the AR-17–20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity report, there is no actual update with that information. If you search through the document, there is no “Section 508”. You won’t even find the words “France”, “Macron” or “onedrive”. There also isn’t any reference to the April 6, 2017 date. It’s as if the only update was the update on the homepage saying the report was updated.

And that’s not the only example of the assertion that ‘Fancy Bear’ was behind the registration of these Macron-targeted phishing domains. The Trend Micro report on “Pawn Storm” (Fancy Bear/APT28) released on April 25th, 2017, purporting to demonstrate that Fancy Bear was behind the phishing sites, contains a single reference to the Macron email hack, in the list of domains Trend Micro has attributed to APT28. Go to page 13 of the report and you see the “Emmanuel Macron campaign” listed as the target and “onedrive-en-marche.fr” listed as the phishing domain in a table of the domains Trend Micro has concluded were registered by Pawn Storm/Fancy Bear/APT28. That’s it. No description of how that attribution was made. And there is no other reference to France or the Macron campaign or anything else in the document. And that means we have no idea what ‘digital fingerprints’ Trend Micro used to make that attribution. In other words, “Trust Us.”

And note that there’s no explanation for how all the other domain names listed in that table were conclusively attributed to Fancy Bear in the report, so there’s a lot of ambiguity about how Trend Micro arrived at ANY of its conclusions. “Trust Us Bigly.”

Similarly, when you read about how Flashpoint, another cybersecurity firm, also concluded that APT28/Fancy Bear/Pawn Storm was the entity that set up these phishing domains, it refers back to a Reuters report where Flashpoint tells Reuters that APT28 set up those domains. But, again, there’s absolutely no indication of how that attribution was made and no link to a publicly available report:

...
Vitali Kremez, director of research at the cybersecurity firm Flashpoint, also offered cautious analysis to the New York Times on Friday. “The key goals and objectives of the campaign appear to be to undermine Macron’s presidential candidacy and cast doubt on the democratic electoral process in general.”

He later told Reuters that APT 28 was indeed behind the attack after determining that APT 28 related entities had “registered decoy internet addresses to mimic the name of En Marche … including onedrive-en-marche.fr and mail-en-marche.fr.”
...

And if you read the Reuters article, Flashpoint’s Vitali Kremez simply tells Reuters that “his review indicated that APT 28, a group tied to the GRU, the Russian military intelligence directorate, was behind the leak.” That’s it. If there’s a public report somewhere explaining how they arrived at this attribution, it’s unclear where to find it.

So we have this odd situation where the US government GRIZZLY STEPPE report claims to be updated with evidence that the Macron phishing campaign was operated by Fancy Bear, but that update doesn’t actually exist in the report. And Trend Micro’s and Flashpoint’s attributions are made without any explanation at all. Perhaps this evidence is publicly available elsewhere from these three sources?

Found Some Evidence! Or, Rather, Found Some ‘Evidence’!

That said, there are some reports that do give at least a bit of the technical evidence Trend Micro used to attribute these phishing domains to Fancy Bear/APT28/Pawn Storm. For example, the following April 24th, 2017, article in the Wall Street Journal about the Trend Micro report contains the following pieces of information: On March 15, someone used the name Johny Pinch and a fake Paris street address to register the name onedrive-en-marche.fr, according to public internet records. On April 12, someone using the same information registered mail-en-marche.fr, the records show. And those addresses were both hosted on IP address blocks previously associated with Pawn Storm, according to Trend Micro. There’s no further explanation, like a listing of those IP addresses or which previous attacks were associated with them, and none of this information actually shows up in the report Trend Micro released, but at the time of the report’s release Trend Micro was asserting to journalists that the IP address blocks associated with the onedrive-en-marche.fr and mail-en-marche.fr domains were previously attributed to Fancy Bear:

The Wall Street Journal

Macron Campaign Wards Off Hacking Attempts Linked to Russia

Presidential candidate’s campaign suffers multipronged phishing attack beginning in mid-March

By Sam Schechner
April 24, 2017 1:17 p.m. ET

PARIS—Hackers matching the profile of a pro-Kremlin group have tried in recent weeks to access campaign email accounts of French presidential candidate Emmanuel Macron, a cybersecurity firm said Monday, raising fears of election interference in the final two weeks of France’s presidential campaign.

In a report set to be published Tuesday, security-research firm Trend Micro identified a pro-Kremlin hacking group it calls Pawn Storm as the likely source of a multipronged phishing attack that started in mid-March against Mr. Macron’s campaign.

As part of the attack, hackers set up multiple internet addresses that mimicked those of the campaign’s own servers in an attempt to lure Mr. Macron’s staffers into turning over their network passwords, said Feike Hacquebord, a senior threat researcher for Tokyo-based Trend Micro and the author of the report, a copy of which was reviewed by The Wall Street Journal.

...

On March 15, someone used the name Johny Pinch and a fake Paris street address to register the name onedrive-en-marche.fr, according to public internet records. On April 12, someone using the same information registered mail-en-marche.fr, the records show.

Those addresses were both hosted on internet protocol address blocks associated with Pawn Storm, Trend Micro’s Mr. Hacquebord said.

Mr. Hacquebord added that other clues, such as related addresses and the creation of security certificates to make the fake sites look authentic mirror techniques used by the group in several dozen other cases identified in the report, including the hacks of the Christian Democratic Union and the Democratic National Committee.

“I cannot say for sure, but the fingerprints match,” Mr. Hacquebord said.

———-

“Macron Campaign Wards Off Hacking Attempts Linked to Russia” by Sam Schechner; The Wall Street Journal; 04/24/2017

“I cannot say for sure, but the fingerprints match”

That was the statement from the author of Trend Micro’s report. So what were these ‘fingerprints’? The IP address blocks of the phishing domains onedrive-en-marche.fr and mail-en-marche.fr were associated with attacks that were previously attributed to Fancy Bear/APT28/Pawn Storm. Also, the technique of creating security certificates to make the fake sites look real was something Fancy Bear has done before. That appears to be the technical evidence Trend Micro relied on:

...
On March 15, someone used the name Johny Pinch and a fake Paris street address to register the name onedrive-en-marche.fr, according to public internet records. On April 12, someone using the same information registered mail-en-marche.fr, the records show.

Those addresses were both hosted on internet protocol address blocks associated with Pawn Storm, Trend Micro’s Mr. Hacquebord said.

Mr. Hacquebord added that other clues, such as related addresses and the creation of security certificates to make the fake sites look authentic mirror techniques used by the group in several dozen other cases identified in the report, including the hacks of the Christian Democratic Union and the Democratic National Committee.
...

And, as with so much of this, the evidence is actually quite weak. Sharing IP blocks with previous attacks merely suggests the use of the same Internet Service Provider (ISP), since each ISP is assigned a block of IP addresses to hand out. And sharing an ISP with previous hackers is fairly weak evidence. Of course hackers are going to gravitate towards hacker-friendly ISPs!

But the weakest evidence is pointing towards the use of fake security certificates to make the phishing sites appear to be real so your browser doesn’t pop up a warning. Because of course you would do that if you set up a fake phishing site. Any hacker would do that if they know how to do it.

Also recall that the Trend Micro report makes absolutely no reference to any of the above ‘evidence’ described by the report’s author. It also doesn’t list the mail-en-marche.fr phishing domain at all. The ONLY reference to the Macron campaign is the listing of the onedrive-en-marche.fr domain in a table of domains Trend Micro has associated with Pawn Storm on page 13. That’s it.

So we have reports on April 24th, 2017, with interviews of the Trend Micro report’s author about the evidence they’ve found that Fancy Bear is behind these new phishing domains targeting Macron’s campaign. The evidence laid out in the article is both inherently vague and weak. And then the actual report issued the next day doesn’t even contain any of that evidence. So very, very odd.
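To make the point about weak, widely shared ‘fingerprints’ concrete, here is an added illustration (not code from the original post, Trend Micro or any of the firms quoted): each indicator named above (shared IP block, lookalike domain, certificate on the phishing site, similar malware family) is treated as a likelihood ratio, and the script shows how little four such indicators move the odds toward one actor, and how an imitator who deliberately copies a fingerprint can push its value below zero information. Every probability, prior and IP address in it is a constructed assumption, not a measured value.

```python
"""Added illustration (not from the original post): how much do shared
'fingerprints' actually narrow attribution?

Each indicator carries two constructed probabilities:
  p_same  - how often the suspected actor's own operations show it
  p_other - how often an unrelated operation shows it anyway (base rate)
Their ratio is the indicator's likelihood ratio; a high base rate makes an
indicator nearly worthless no matter how 'characteristic' it feels.
All numbers below are assumptions for the example, not measured values.
"""
from dataclasses import dataclass, replace
import ipaddress
from typing import Iterable


@dataclass(frozen=True)
class Indicator:
    name: str
    p_same: float   # P(indicator present | same actor)
    p_other: float  # P(indicator present | unrelated actor)

    def likelihood_ratio(self) -> float:
        return self.p_same / self.p_other


# Constructed base rates. Shared hosting blocks, lookalike domains and
# certificates on phishing sites are routine for most phishing operators.
SHARED_IP_BLOCK = Indicator("same /24 hosting block", 0.60, 0.20)
LOOKALIKE_DOMAIN = Indicator("lookalike domain name", 0.95, 0.90)
TLS_CERTIFICATE = Indicator("certificate on phishing site", 0.90, 0.70)
SIMILAR_MALWARE = Indicator("similar malware family", 0.70, 0.30)
MACRON_STYLE_FINGERPRINTS = (
    SHARED_IP_BLOCK, LOOKALIKE_DOMAIN, TLS_CERTIFICATE, SIMILAR_MALWARE,
)


def same_block(ip_a: str, ip_b: str, prefix_len: int = 24) -> bool:
    """True when both addresses sit in the same /prefix_len network,
    i.e. the 'similar IP addresses' of the press coverage."""
    network = ipaddress.ip_network(f"{ip_a}/{prefix_len}", strict=False)
    return ipaddress.ip_address(ip_b) in network


def posterior(prior: float, indicators: Iterable[Indicator]) -> float:
    """Bayesian update: prior odds multiplied by every likelihood ratio."""
    odds = prior / (1.0 - prior)
    for ind in indicators:
        odds *= ind.likelihood_ratio()
    return odds / (1.0 + odds)


def required_likelihood_ratio(prior: float, target: float) -> float:
    """Combined likelihood ratio the evidence would need to reach target."""
    return (target / (1.0 - target)) / (prior / (1.0 - prior))


def imitated(ind: Indicator, p_copy: float) -> Indicator:
    """Model a 'very competent group trying to imitate them': an attacker
    who deliberately reproduces a fingerprint raises its base rate, so the
    indicator can end up pointing away from the imitated actor."""
    return replace(ind, p_other=max(ind.p_other, p_copy))


if __name__ == "__main__":
    # Constructed documentation addresses (RFC 5737), not real infrastructure.
    print("same /24:", same_block("192.0.2.10", "192.0.2.200"))
    p = posterior(0.10, MACRON_STYLE_FINGERPRINTS)
    print(f"posterior with all four fingerprints: {p:.2f}")
    needed = required_likelihood_ratio(0.10, 0.99)
    print(f"combined LR needed for 99% from a 10% prior: {needed:.0f}")
    copied = [imitated(i, 0.90) for i in MACRON_STYLE_FINGERPRINTS]
    print(f"posterior if an imitator copied them: {posterior(0.10, copied):.2f}")
```

With these assumed rates the four fingerprints together lift a 10% prior only to about 51%, while 99% would require a combined likelihood ratio near 891; if an imitator copies the fingerprints, the same evidence drops the posterior below the prior.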

How Certain Was Trend Micro Based on This Weak Evidence? 99 percent

And, surprise!, it gets odder. Or perhaps sadder. Because if you look at the various reports from Trend Micro back in April-May of 2017 about the Macron hacks, Trend Micro’s own representative, Loïc Guézo, starts off being 99 percent certain that Fancy Bear was behind the phishing domains when Trend Micro first issued its April 25, 2017 report. But after the reports about how US ‘Alt-Right’ neo-Nazis appeared to be behind the leaked documents, Guézo suddenly makes it very clear that the dump of stolen emails was very amateurish and that it’s very ambiguous as to who was behind the hack and it could have been US neo-Nazis. So Trend Micro went from 99 percent certain Fancy Bear was behind the phishing domains targeting the Macron campaign (without providing any actual evidence) to being very open about the possibility that it was a bunch of neo-Nazis who actually carried out the hack. And yet this sudden change in certainty seems to have completely fallen down the memory hole now that the US Senate phishing domains have emerged.

And now, in January of 2018, we have Trend Micro making a 100 percent conclusion that the US Senate phishing domains were ‘Fancy Bear’, and this 100 percent attribution is based on shared ‘digital fingerprints’ that uniquely tie back to two prior hacking campaigns that Trend Micro had previously attributed to Pawn Storm/Fancy Bear/APT28, one in 2017 and one in 2016. So, unless the 2017 hacking incident with shared ‘digital fingerprints’ that Trend Micro is referring to is something other than the Macron campaign hack, we have to reconcile how on Earth Trend Micro is concluding with 100 percent certainty that these US Senate phishing sites were actually set up by Fancy Bear/APT28/Pawn Storm. It’s all really, really odd.

So let’s flesh out this oddness. First, here’s a look at an April 26 article in which Trend Micro’s Loïc Guézo claims 99 percent certainty that the phishing domains targeting the Macron campaign were the work of Fancy Bear/APT28/Pawn Storm. And note how the cybersecurity expert hired by the Macron campaign, Mounir Mahjoubi, was far less sure about this attribution:

France24

Cyber experts ’99% sure’ Russ­ian hack­ers are tar­get­ing Macron

Text by Sébas­t­ian SEIBT
Date cre­at­ed : 2017-04-26
Lat­est update : 2017-04-27

The Russ­ian cyber-spy­ing group Pawn Storm (also known as Fan­cy Bear) has tar­get­ed French pres­i­den­tial front-run­ner Emmanuel Macron, accord­ing to Japan­ese cyber-secu­ri­ty experts. Macron cam­paign offi­cials, how­ev­er, say the group has so far failed.

Bare­ly two weeks before the crit­i­cal sec­ond round of the French pres­i­den­tial elec­tion, fears of Russ­ian med­dling in the 2017 cam­paign mount­ed with the pub­li­ca­tion of a report accus­ing Pawn Storm of tar­get­ing Macron’s En Marche! (For­ward!) move­ment, employ­ing iden­ti­cal tac­tics used to attack the Hillary Clin­ton cam­paign dur­ing the US pres­i­den­tial race.

A 41-page report, “Two Years of Pawn Storm,” by the Japan­ese cyber-secu­ri­ty firm Trend Micro detailed a long list of the group’s tar­gets, includ­ing Ger­man Chan­cel­lor Angela Merkel’s Chris­t­ian Demo­c­ra­t­ic Union par­ty ahead of the Sep­tem­ber Ger­man gen­er­al elec­tions.

Reports of Russ­ian cyber attack­ers tar­get­ing Macron’s cam­paign have been cir­cu­lat­ing for months, but the pub­li­ca­tion of the Trend Micro report pro­vid­ed details of the dates and domains tar­get­ed. They includ­ed a March 15 attempt to acquire sen­si­tive infor­ma­tion and pass­words, a process known as “phish­ing” among cyber-secu­ri­ty experts.

...

Cam­paign meets cyber-secu­ri­ty offi­cials

In Jan­u­ary, a team of dig­i­tal secu­ri­ty offi­cials from the Macron cam­paign vis­it­ed the French cyber counter-espi­onage agency, ANSSI, to express con­cerns that their can­di­date was the “No. 1” tar­get for fake news sites and cyber attacks, accord­ing to French media reports.

ANSSI is a gov­ern­ment agency under the French defence min­istry that advis­es pub­lic and pri­vate sec­tor organ­i­sa­tions about cyber-secu­ri­ty mea­sures.

The meet­ing between En Marche! and ANSSI offi­cials fol­lowed a spate of rumours pub­lished on fake news sites as well as slant­ed cov­er­age of Macron on Russ­ian state media such as RT (for­mer­ly Rus­sia Today) and the Sput­nik news agency.

The con­cerns with­in the Macron camp led to the hir­ing of Mounir Mahjoubi, the for­mer head of the French Nation­al Dig­i­tal Coun­cil (CNNum), a coun­cil that advis­es on dig­i­tal tech­nolo­gies.

In an inter­view with French week­ly Jour­nal du Dimanche in Feb­ru­ary, Mahjoubi was more cau­tious than his Macron cam­paign col­leagues about cyber attacks ema­nat­ing from Russ­ian-linked groups. “There is no doubt about the frontal attacks of Sput­nik and Rus­sia Today, two Rus­sia-fund­ed media out­lets. But for the rest, we do not know where they come from,” he said.

Rus­sia has con­sis­tent­ly denied reports of inter­fer­ing in the elec­tion cam­paigns of oth­er coun­tries.

“What [hack­ing] groups? From where? Why Rus­sia? This slight­ly reminds me of accu­sa­tions from Wash­ing­ton, which have been left hang­ing in mid-air until now and do not do their authors any cred­it,” Krem­lin spokesman Dmit­ry Peskov told reporters on Mon­day.

‘99 per­cent sure’ attacks are from Rus­sia

But the authors of the lat­est Trend Micro report have no doubt about the ori­gins of the phish­ing cam­paigns tar­get­ing Macron. “We are 99 per­cent sure that it is attacks from Rus­sia,” Loïc Gué­zo, Trend Micro’s strat­e­gy direc­tor for south­ern Europe, told FRANCE 24.

Pawn Storm – an aggres­sive cyber-espi­onage group also known as Fan­cy Bear, Sed­nit, APT28, Sofa­cy or Stron­tium – is engaged in much more than “just espi­onage activ­i­ties”, the report notes. Over the past year, “the group attempt­ed to influ­ence pub­lic opin­ion, to influ­ence elec­tions, and sought con­tact with main­stream media with some suc­cess”.

When it came to tar­get­ing the Macron cam­paign, Pawn Storm’s goal appeared to be to get into the email accounts of senior cam­paign offi­cials to retrieve infor­ma­tion about the can­di­date – a modus operan­di famil­iar to mem­bers of the Clin­ton cam­paign.

Steal­ing pass­words

Cyber-secu­ri­ty spe­cial­ists at Trend Micro found four phish­ing domains cre­at­ed to try to extract infor­ma­tion. The domain names fea­ture plau­si­ble ver­sions of Macron’s polit­i­cal move­ment, designed to catch cam­paign offi­cials off guard. They include onedrive-en-marche.fr, portal-office.fr, mail-en-marche.fr and accounts-office.fr.

“This group set up a spe­cif­ic infra­struc­ture to tar­get Emmanuel Macron’s move­ment in March and April 2017,” Gué­zo explained.

...

A cyber Cold War

In a Decem­ber 2016 report, the US Depart­ment of Home­land Security’s cyber-secu­ri­ty unit accused Pawn Storm – under the alter­nate name APT 28 – of act­ing on the Kremlin’s orders.

The APT 28 foot­print has been on so many major cyber attacks in recent years – includ­ing an April 2015 shut­down of French media giant TV5 Monde – that experts view the group as a sym­bol of a cyber Cold War, com­bin­ing com­put­er pira­cy and online pro­pa­gan­da. A Finan­cial Times report not­ed that US, UK, Israeli and Ger­man offi­cials have all said they believe APT 28 is run by Russia’s sprawl­ing mil­i­tary intel­li­gence arm, the GRU.

Offi­cials at Trend Micro, how­ev­er, refuse to impli­cate the Krem­lin direct­ly: “All we can say is that the activ­i­ties of this group are sys­tem­at­i­cal­ly aligned with the inter­ests of the Russ­ian author­i­ties,” said Gué­zo.

...

Mahjoubi has reit­er­at­ed that the attempts to tar­get the Macron cam­paign so far have not suc­ceed­ed. In his inter­views with French media, Mahjoubi has admit­ted that traces to attack attempts have been found but that “none of the mail­box­es have been hacked”.

En Marche! offi­cials do not use email to share con­fi­den­tial infor­ma­tion, accord­ing to the state­ment released Wednes­day.

Mahjoubi has also refused to accuse a par­tic­u­lar group for the attack attempts. “The pro­ce­dure is very sim­i­lar to [Pawn Storm], but you can­not rule out a very com­pe­tent group try­ing to imi­tate them,” he warned.

But this hedg­ing has not shak­en Guézo’s con­vic­tion. The Macron cam­paign, he believes, is not will­ing to take the gloves off over this issue to avoid ruf­fling the Kremlin’s feath­ers if Macron is elect­ed pres­i­dent next month.

———-

“Cyber experts ’99% sure’ Russian hackers are targeting Macron” by Sébastian SEIBT; France24; 04/26/2017

“Mahjoubi has also refused to accuse a particular group for the attack attempts. “The procedure is very similar to [Pawn Storm], but you cannot rule out a very competent group trying to imitate them,” he warned.”

That was the word of caution from Mounir Mahjoubi, the former head of the French National Digital Council (CNNum) hired by the Macron campaign: “The procedure is very similar to [Pawn Storm], but you cannot rule out a very competent group trying to imitate them”. And it was a word of caution he issued not just about this Trend Micro report attributing the phishing domains to Fancy Bear. He had those same words of caution about the entire hacking campaign the Macron team had been experiencing throughout early 2017:

...
The concerns within the Macron camp led to the hiring of Mounir Mahjoubi, the former head of the French National Digital Council (CNNum), a council that advises on digital technologies.

In an interview with French weekly Journal du Dimanche in February, Mahjoubi was more cautious than his Macron campaign colleagues about cyber attacks emanating from Russian-linked groups. “There is no doubt about the frontal attacks of Sputnik and Russia Today, two Russia-funded media outlets. But for the rest, we do not know where they come from,” he said.

...

Mahjoubi has also refused to accuse a particular group for the attack attempts. “The procedure is very similar to [Pawn Storm], but you cannot rule out a very competent group trying to imitate them,” he warned.

But this hedging has not shaken Guézo’s conviction. The Macron campaign, he believes, is not willing to take the gloves off over this issue to avoid ruffling the Kremlin’s feathers if Macron is elected president next month.
...

“But this hedging has not shaken Guézo’s conviction. The Macron campaign, he believes, is not willing to take the gloves off over this issue to avoid ruffling the Kremlin’s feathers if Macron is elected president next month.”

And as we can see, Mahjoubi was issuing words of cyber attribution caution back in February 2017 when the Macron campaign was already talking about getting attacked by Russian hackers. And Trend Micro’s analyst commenting on their report, Loïc Guézo, viewed those words of caution as politically motivated ‘hedging’, as opposed to simply acknowledging the inherent ambiguities associated with digital forensic attribution. Guézo, instead, was “99 percent sure that it is attacks from Russia” and that certainty was based on the attribution of who set up those phishing domains:

...
‘99 percent sure’ attacks are from Russia

But the authors of the latest Trend Micro report have no doubt about the origins of the phishing campaigns targeting Macron. “We are 99 percent sure that it is attacks from Russia,” Loïc Guézo, Trend Micro’s strategy director for southern Europe, told FRANCE 24.

...

Stealing passwords

Cyber-security specialists at Trend Micro found four phishing domains created to try to extract information. The domain names feature plausible versions of Macron’s political movement, designed to catch campaign officials off guard. They include onedrive-en-marche.fr, portal-office.fr, mail-en-marche.fr and accounts-office.fr.

“This group set up a specific infrastructure to target Emmanuel Macron’s movement in March and April 2017,” Guézo explained.
...

And again, note how it’s implied that the evidence for this attribution is laid out in Trend Micro’s 41-page report:

...
A 41-page report, “Two Years of Pawn Storm,” by the Japanese cyber-security firm Trend Micro detailed a long list of the group’s targets, including German Chancellor Angela Merkel’s Christian Democratic Union party ahead of the September German general elections.
...

Yes, this report does indeed “detail a long list of the group’s targets.” It just doesn’t give any details on how these attributions were made. And while we saw in the above Wall Street Journal article that the attribution was based on shared IP blocks between two of the phishing domains and previous IP addresses attributed to Fancy Bear, that’s also really weak evidence and the report doesn’t list anything more.

And while it’s not outlandish that some elements of the analysis of these hacking campaigns won’t be publicly shared, there is basically no indication at all in that report of how any of the long list of phishing domains was attributed to Fancy Bear/Pawn Storm. It’s like a black box of analysis.

And it’s not like cybersecurity companies don’t ever issue reports detailing their attribution evidence. For instance, when you look at the report issued by the cybersecurity researchers linking the hacked documents back to Andrew Auernheimer and US neo-Nazis, they give all sorts of very specific technical evidence of how they arrived at their conclusion. And that evidence is pretty damn convincing. So convincing that Loïc Guézo of Trend Micro admitted that the attribution for the hacking (as opposed to setting up the phishing sites) is a very open question after seeing that evidence:

EUObserver

US neo-Nazis linked to Macron hack

By Andrew Rettman
BRUSSELS, 12. May 2017, 09:23

The spread of stolen emails designed to harm Emmanuel Macron was linked to US-based neo-Nazis, according to a French investigation.

France’s Le Monde newspaper reported on Thursday (11 May) that a website called nouveaumartel.com, which was named as a go-to place for the purloined emails, shared the same digital infrastructure as dailystormer.com, a website created by the US neo-Nazi activist Andrew Auernheimer.

The emails were dumped online on 5 May, shortly before Macron won the French presidential election by a landslide.

The dump came two days after an anonymous user of an online message board called 4chan.org published fake documents purporting to show that Macron had an offshore fund.

“The French scene will be at nouveaumartel.com later”, the anonymous 4chan.org user said.

The dailystormer.com’s Auernheimer is a white supremacist convicted of cyber crimes in the US.

His website often popularises the work of Nathan Damigo, another US far-right activist who gained notoriety after physically assaulting an anti-fascist protester.

Auernheimer, in a posting on his site on 4 May, suggested that Damigo was about to publish anti-Macron material.

“The prophet of the white sharia Nathan Damigo is about to release the frogs from pederasty”, he wrote.

Frogs could be a derogatory reference to French people or to a cartoon frog, Pepe, adopted as a symbol by US neo-Nazis.

Pederasty could be a homophobic allusion to unsubstantiated claims, first spread by Russian media, that Macron was gay, or to the fact that he fell in love with an older woman in his adolescence.

The stolen Macron emails were eventually dumped on the website Pastebin and were popularised online by other US-based far-right conspiracy theorists such as William Craddick and Jack Posobiec.

The National Security Agency in the US said earlier this week that the Russian regime stole the Macron emails.

Trend Micro, a Japanese-based cyber security firm, said in April that the Russian regime had previously tried to hack Macron’s team.

But one of the firm’s experts, Loic Guezo, told EUobserver this week that the 5-May dump of stolen Macron emails was more amateurish than the Russian state’s modus operandi.

“It could even have been some alt-right activist in the US hacking Macron’s team. It’s fully open”, he said.

The links between US far-right activists, the Russian state, and the campaign team of US president Donald Trump are the subject of an FBI investigation in the US.

...

Meanwhile, Jack Posobiec, who has previously said that Macron is controlled by telepathy and by drugs, has obtained a White House press badge.

He attended a press briefing on 11 May on the FBI affair and later broadcast a video from the White House grounds praising the FBI chief’s sacking.

———-

“US neo-Nazis linked to Macron hack” by Andrew Rettman; EUObserver; 05/12/2017

“France’s Le Monde newspaper reported on Thursday (11 May) that a website called nouveaumartel.com, which was named as a go-to place for the purloined emails, shared the same digital infrastructure as dailystormer.com, a website created by the US neo-Nazi activist Andrew Auernheimer.”

Ok, let’s break this down, because it’s somewhat confusing:

1. So on May 3rd, 2017, hacked Macron documents that appear to have been tampered with show up on 4chan.org, an ‘Alt-Right’ stomping ground. The user posting these documents then tells everyone that there’s going to be a bunch more documents showing up on nouveaumartel.com.

2. Cybersecurity researchers discover that the digital infrastructure behind nouveaumartel.com shares a heavy overlap with the Daily Stormer, a site managed by neo-Nazi hacker extraordinaire Andrew Auernheimer.

3. On May 4th, Andrew Auernheimer posts on his site that Nathan Damigo, another US far-right activist, is about to dump a whole bunch of Macron files.

4. On May 5th, the big document dump happens. Although it doesn’t show up on nouveaumartel.com. Instead, it shows up on Pastebin, a neutral site where people can just post documents and text.

5. After the second, much larger document dump on Pastebin, the documents quickly get spread around by Alt-Right figures.

That’s the summary of what happened:

...
The emails were dumped online on 5 May, shortly before Macron won the French presidential election by a landslide.

The dump came two days after an anonymous user of an online message board called 4chan.org published fake documents purporting to show that Macron had an offshore fund.

“The French scene will be at nouveaumartel.com later”, the anonymous 4chan.org user said.

The dailystormer.com’s Auernheimer is a white supremacist convicted of cyber crimes in the US.

His website often popularises the work of Nathan Damigo, another US far-right activist who gained notoriety after physically assaulting an anti-fascist protester.

Auernheimer, in a posting on his site on 4 May, suggested that Damigo was about to publish anti-Macron material.

“The prophet of the white sharia Nathan Damigo is about to release the frogs from pederasty”, he wrote.

Frogs could be a derogatory reference to French people or to a cartoon frog, Pepe, adopted as a symbol by US neo-Nazis.

Pederasty could be a homophobic allusion to unsubstantiated claims, first spread by Russian media, that Macron was gay, or to the fact that he fell in love with an older woman in his adolescence.

The stolen Macron emails were eventually dumped on the website Pastebin and were popularised online by other US-based far-right conspiracy theorists such as William Craddick and Jack Posobiec.
...

It’s obviously some pretty compelling evidence that, at a minimum, a bunch of ‘Alt-Right’ neo-Nazis played some sort of role in this hack. And, sure enough, Trend Micro’s Loïc Guézo, who was 99 percent sure the phishing domains were set up by Fancy Bear, was suddenly very open to the possibility that the ‘Alt-Right’ could have been behind the hack:

...
Trend Micro, a Japanese-based cyber security firm, said in April that the Russian regime had previously tried to hack Macron’s team.

But one of the firm’s experts, Loic Guezo, told EUobserver this week that the 5-May dump of stolen Macron emails was more amateurish than the Russian state’s modus operandi.

“It could even have been some alt-right activist in the US hacking Macron’s team. It’s fully open”, he said.
...

“It could even have been some alt-right activist in the US hacking Macron’s team. It’s fully open”

It’s fully open. That was Loïc Guézo’s take on the situation after this revelation about the apparent ‘Alt-Right’ foreknowledge of these hacks. And yet here we are, almost a year later, and the Macron hack is being treated as if it’s an open-and-shut case that ‘the Russians did it’ and there is no mention at all of the role of Auernheimer and the ‘Alt-Right’.

Self-implicating “I’m a Russian Hacker!” Meta-Data Strikes Again

Now, it’s important to note that it’s entirely possible that you could have a situation where Fancy Bear (or another group trying to mimic Fancy Bear) did indeed set up a bunch of phishing sites while a bunch of neo-Nazis conduct a completely separate hacking operation. It’s also possible that Fancy Bear (or a third party pretending to be them) could have successfully pulled off a hack using their phishing domains and then handed the documents to Auernheimer or his associates. And yet these possibilities are never even mentioned. It’s as if any story that raises the mere possibility that some of these hacks are being done by non-Russian hackers or might involve the cooperation of non-Russian hackers is completely ignored by almost everyone. What’s the explanation for this?

Well, part of the explanation probably has to do with the fact that metadata found in the dumped Macron documents just happened to contain identifying information of a Russian security contractor at a company that does work for the FSB. It was reminiscent of the “I’m a Russian hacker” metadata discovered literally one day after Guccifer 2.0 initially released some hacked DNC documents in June of 2015. Except even more self-implicating because the metadata contained an actual name of an actual employee.

Another bit of metadata used to attribute the hacked Macron documents to Fancy Bear was the metadata of who uploaded the hacked documents, which led to an email address on a German free webmail provider. And this was declared to be further proof that this was the work of Fancy Bear because that same free webmail provider was used in some earlier attacks attributed to Fancy Bear. Which is horribly weak evidence. Of course hackers are going to use a free German webmail provider. Germany has branded itself as a data privacy haven. All sorts of hackers are probably using free German webmail providers. It’s just silly to use that as evidence for attribution. And yet it happened.

So after this metadata hysteria was used to ‘conclusively’ prove that Russia really was behind the hack, the question of what role Andrew Auernheimer and the ‘Alt Right’ neo-Nazis played in the hack stopped getting asked. The desired ‘answer’ was achieved:

Ars Technica

Evidence suggests Russia behind hack of French president-elect

Russian security firms’ metadata found in files, according to WikiLeaks and others.

Sean Gallagher — 5/8/2017, 1:18 PM

Late on May 5 as the two final candidates for the French presidency were about to enter a press blackout in advance of the May 7 election, nine gigabytes of data allegedly from the campaign of Emmanuel Macron were posted on the Internet in torrents and archives. The files, which were initially distributed via links posted on 4Chan and then by WikiLeaks, had forensic metadata suggesting that Russians were behind the breach—and that a Russian government contract employee may have falsified some of the dumped documents.

Even WikiLeaks, which initially publicized the breach and defended its integrity on the organization’s Twitter account, has since acknowledged that some of the metadata pointed directly to a Russian company with ties to the government:

Evrika (“Eureka”) ZAO is a large information technology company in St. Petersburg that does some work for the Russian government, and the group includes the Federal Security Service of the Russian Federation (FSB) among its acknowledged customers (as noted in this job listing). The company is a systems integrator, and it builds its own computer equipment and provides “integrated information security systems.” The metadata in some Microsoft Office files shows the last person to have edited the files to be “Roshka Georgiy Petrovich,” a current or former Evrika ZAO employee.

[see screenshot of metadata showing the name of Evrika ZAO employee “Roshka Georgiy Petrovich”]

...

The metadata attached to the upload of the Macron files also includes some identifying data with an e-mail address for the person uploading the content to archive.org:

The e-mail address of the uploader, frankmacher1@gmx.de, is registered with a German free webmail provider used previously in 2016 Pawn Storm / APT28 phishing attacks against the Christian Democratic Union, German Chancellor Angela Merkel’s political party.

The involvement of APT28, the editing of some documents leaked by someone using a Russian version of Microsoft Office, and the attempt to spread the data through amplification in social media channels such as 4Chan, Twitter, and Facebook—where a number of new accounts posted links to the data—are all characteristics of the information operations seen during the 2016 US presidential campaign.

...

———-

“Evidence suggests Russia behind hack of French president-elect” by Sean Gallagher; Ars Technica; 05/08/2017

“Evrika (“Eureka”) ZAO is a large information technology company in St. Petersburg that does some work for the Russian government, and the group includes the Federal Security Service of the Russian Federation (FSB) among its acknowledged customers (as noted in this job listing). The company is a systems integrator, and it builds its own computer equipment and provides “integrated information security systems.” The metadata in some Microsoft Office files shows the last person to have edited the files to be “Roshka Georgiy Petrovich,” a current or former Evrika ZAO employee.”

Yep, a Russian contractor apparently screwed up big time and modified a hacked Word document on a version of Word registered to his personal name. That’s what we’re expected to believe. And while it’s certainly possible a mistake of that nature happened, when you factor this into the larger context of ‘Alt-Right’ fingerprints all over the actual distribution of the documents and the fact that metadata was used to attribute the DNC hacks to Russian hackers, it seems like an outrageous conclusion to assume with certainty that this metadata was indeed strong evidence of Russian hackers at work.

Similarly, the fact that the uploader’s email address used the same free German webmail service that previous attacks attributed to Fancy Bear used is basically no evidence at all. And yet it’s treated as such:

...
The metadata attached to the upload of the Macron files also includes some identifying data with an e-mail address for the person uploading the content to archive.org:

The e-mail address of the uploader, frankmacher1@gmx.de, is registered with a German free webmail provider used previously in 2016 Pawn Storm / APT28 phishing attacks against the Christian Democratic Union, German Chancellor Angela Merkel’s political party.
...

And that metadata appears to be the ‘evidence’ that more or less put to rest any questions about who actually hacked those documents. It was Fancy Bear.

Seriously, once this metadata was discovered, the news reports treated it as case closed. For instance, check out this New York Times article from May 9th, 2017, where the attribution is almost entirely based on the metadata and other ‘digital fingerprints’ in the documents suggesting that the documents were modified on Russian-language computers using Russian versions of software like Microsoft Word.
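What the articles mean by “metadata” here is a pair of small XML parts inside the Office file itself. As an added example, not code from this page or from any of the firms quoted, the reader below extracts those fields and builds a constructed sample file to run against; the user names, dates and application string in the sample are placeholders, and every one of these fields is an unauthenticated string that the saving application writes from its own settings, which is the caveat the attribution discussion turns on.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# Namespace URIs of the two OOXML property parts (fixed by the standard).
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}


@dataclass
class OoxmlAuthorship:
    """Authorship fields read from docProps/core.xml and docProps/app.xml."""
    creator: Optional[str] = None
    last_modified_by: Optional[str] = None
    created: Optional[str] = None
    modified: Optional[str] = None
    revision: Optional[str] = None
    application: Optional[str] = None


def _field(root: Optional[ET.Element], path: str) -> Optional[str]:
    """Text of a child element, or None when the part or element is absent."""
    if root is None:
        return None
    el = root.find(path, NS)
    return el.text if el is not None else None


def read_authorship(ooxml_bytes: bytes) -> OoxmlAuthorship:
    """Extract authorship metadata from a .docx/.xlsx/.pptx given as bytes.

    A file with docProps/ stripped is still valid, so missing parts give None
    fields rather than an error. None of these strings is signed or checked;
    each holds whatever the last application that saved the file wrote.
    """
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as zf:
        names = set(zf.namelist())
        core = ET.fromstring(zf.read("docProps/core.xml")) if "docProps/core.xml" in names else None
        app = ET.fromstring(zf.read("docProps/app.xml")) if "docProps/app.xml" in names else None
    return OoxmlAuthorship(
        creator=_field(core, "dc:creator"),
        last_modified_by=_field(core, "cp:lastModifiedBy"),
        created=_field(core, "dcterms:created"),
        modified=_field(core, "dcterms:modified"),
        revision=_field(core, "cp:revision"),
        application=_field(app, "ep:Application"),
    )


def edited_by_someone_else(meta: OoxmlAuthorship) -> bool:
    """True when the last editor's user name differs from the creator's.

    This is the observation the articles rest on: it shows that the last
    application to save the file had a different user name configured, and
    nothing more, because the name is a free-text setting, not an identity.
    """
    return (
        meta.creator is not None
        and meta.last_modified_by is not None
        and meta.creator != meta.last_modified_by
    )


def build_sample_docx(creator: str, last_modified_by: str, application: str,
                      include_props: bool = True) -> bytes:
    """Construct a minimal OOXML container to run read_authorship against.

    Constructed test data, not a file from the leak; names and dates are
    placeholders. A real .docx has more parts, but only these two matter.
    """
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" '
        f'xmlns:dcterms="{NS["dcterms"]}">'
        f"<dc:creator>{creator}</dc:creator>"
        f"<cp:lastModifiedBy>{last_modified_by}</cp:lastModifiedBy>"
        "<cp:revision>2</cp:revision>"
        "<dcterms:created>2017-05-01T09:00:00Z</dcterms:created>"
        "<dcterms:modified>2017-05-04T18:30:00Z</dcterms:modified>"
        "</cp:coreProperties>"
    )
    app = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Properties xmlns="{NS["ep"]}">'
        f"<Application>{application}</Application>"
        "</Properties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", "<w:document/>")  # stand-in body part
        if include_props:
            zf.writestr("docProps/core.xml", core)
            zf.writestr("docProps/app.xml", app)
    return buf.getvalue()
```

Point `read_authorship` at the bytes of any real .docx or .xlsx to see the same fields the articles cite; a file whose property parts were removed yields all-None fields, which is itself worth recording in an analysis.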

And there’s one particularly revealing comment from John Hultquist, the director of cyberespionage analysis at FireEye, another US cybersecurity company: “There was a time when Russian hackers were characterized by their lack of sloppiness,” Mr. Hultquist said. “When they made mistakes, they burned their entire operation and started anew. But since the invasion of Ukraine and Crimea we’ve seen them carry out brazen, large scale attacks, [perhaps because] there have been few consequences for their actions.”

There was a time when Russian hackers would “burn their entire operation and start anew” if they were caught. But now? It’s sloppiness and mistakes and reuse of the same digital infrastructure with almost every hack. Apparently:

The New York Times

Hackers Came, but the French Were Prepared

By ADAM NOSSITER, DAVID E. SANGER and NICOLE PERLROTH
MAY 9, 2017

PARIS — Everyone saw the hackers coming.

The National Security Agency in Washington picked up the signs. So did Emmanuel Macron’s bare-bones technology team. And mindful of what happened in the American presidential campaign, the team created dozens of false email accounts, complete with phony documents, to confuse the attackers.

The Russians, for their part, were rushed and a bit sloppy, leaving a trail of evidence that was not enough to prove for certain they were working for the government of President Vladimir V. Putin but which strongly suggested they were part of his broader “information warfare” campaign.

...

Testifying in front of the Senate Armed Services Committee in Washington on Tuesday, Adm. Michael S. Rogers, the director of the National Security Agency, said American intelligence agencies had seen the attack unfolding, telling their French counterparts, “Look, we’re watching the Russians. We’re seeing them penetrate some of your infrastructure. Here’s what we’ve seen. What can we do to try to assist?”

But the staff at Mr. Macron’s makeshift headquarters in the 15th Arrondissement at the edge of Paris didn’t need the N.S.A. to tell them they were being targeted: In December, after the former investment banker and finance minister had emerged as easily the most anti-Russian, pro-NATO and pro-European Union candidate in the presidential race, they began receiving phishing emails.

...

Oddly, the Russians did a poor job of covering their tracks. That made it easier for private security firms, on alert after the efforts to manipulate the American election, to search for evidence.

In mid-March, researchers with Trend Micro, the cybersecurity giant based in Tokyo, watched the same Russian intelligence unit behind some of the Democratic National Committee hacks start building the tools to hack Mr. Macron’s campaign. They set up web domains mimicking those of Mr. Macron’s En Marche! Party, and began dispatching emails with malicious links and fake login pages designed to bait campaign staffers into divulging their usernames and passwords, or to click on a link that would give the Russians a toehold onto the campaign’s network.

It was the classic Russian playbook, security researchers say, but this time the world was prepared. “The only good news is that this activity is now commonplace, and the general population is so used to the idea of a Russian hand behind this, that it backfired on them,” said John Hultquist, the director of cyberespionage analysis at FireEye, the Silicon Valley security firm.

Mr. Hultquist noted that the attack was characterized by haste, and a trail of digital mistakes. “There was a time when Russian hackers were characterized by their lack of sloppiness,” Mr. Hultquist said. “When they made mistakes, they burned their entire operation and started anew. But since the invasion of Ukraine and Crimea,” he said, “we’ve seen them carry out brazen, large scale attacks,” perhaps because “there have been few consequences for their actions.”

The hackers also made the mistake of releasing information that was, by any campaign standard, pretty boring. The nine gigabytes worth of purportedly stolen emails and files from the Macron campaign was spun as scandalous material, but turned out to be almost entirely the humdrum of campaign workers trying to conduct ordinary life in the midst of the election maelstrom.

One of the leaked emails details a campaign staffer’s struggle with a broken down car. Another documents how a campaign worker was reprimanded for failure to invoice a cup of coffee.

That is when the hackers got sloppy. The metadata tied to a handful of documents — code that shows the origins of a document — show some passed through Russian computers and were edited by Russian users. Some Excel documents were modified using software unique to Russian versions of Microsoft Windows.

Other documents had last been modified by Russian usernames, including one person that researchers identified as a 32-year-old employee of Eureka CJSC, based in Moscow, a Russian technology company that works closely with the Russian Ministry of Defense and intelligence agencies. The company has received licenses from Russia’s Federal Security Service, or FSB, to help protect state secrets. The company did not return emails requesting comment.

Other leaked documents appear to have been forged, or faked. One purported to detail the purchase of the stimulant mephedrone, sometimes sold as “bath salts,” by a Macron campaign staffer who allegedly had the drugs shipped to the address of France’s National Assembly. But Henk Van Ess, a member of the investigations team at Bellingcat, a British investigations organization, and others discovered that the transaction numbers in the receipt were not in the public ledger of all Bitcoin transactions.

“It’s clear they were rushed,” Mr. Hultquist said. “If this was APT28,” he said, using the name for a Russian group believed to be linked to the GRU, a military intelligence agency, “they have been caught in the act, and it has backfired for them.”

Now, he said, the failure of the Macron hacks could just push Russian hackers to improve their methods.

“They may have to change their playbook entirely,” Mr. Hultquist said.

———-

“Hackers Came, but the French Were Prepared” by ADAM NOSSITER, DAVID E. SANGER and NICOLE PERLROTH; The New York Times; 05/09/2017

“Oddly, the Russians did a poor job of covering their tracks. That made it easier for private security firms, on alert after the efforts to manipulate the American election, to search for evidence.”

Yes, it is quite odd how poor a job the Russians did of covering their tracks, if indeed this was a Russian government operation. Ahistorically odd:

...
It was the classic Russian playbook, security researchers say, but this time the world was prepared. “The only good news is that this activity is now commonplace, and the general population is so used to the idea of a Russian hand behind this, that it backfired on them,” said John Hultquist, the director of cyberespionage analysis at FireEye, the Silicon Valley security firm.

Mr. Hultquist noted that the attack was characterized by haste, and a trail of digital mistakes. “There was a time when Russian hackers were characterized by their lack of sloppiness,” Mr. Hultquist said. “When they made mistakes, they burned their entire operation and started anew. But since the invasion of Ukraine and Crimea,” he said, “we’ve seen them carry out brazen, large scale attacks,” perhaps because “there have been few consequences for their actions.”
...

“When they made mistakes, they burned their entire operation and started anew.”

So until the conflict broke out in Ukraine, Russian hackers were intelligent enough to ‘burn their entire operation’ and switch up their methodology after getting caught. But ever since the conflict with Ukraine, Russian hackers have suddenly decided to keep leaving the same ‘digital fingerprints’ over and over despite ‘getting caught’. And they’ve started leaving self-implicating metadata. It’s all quite odd.

And notice how the narrative of that article made no distinction between the phishing sites that Trend Micro and others attributed to Fancy Bear and the actual hacking and distribution of the documents that appeared to come from US ‘Alt-Right’ neo-Nazis. Recall how even Trend Micro’s analysts considered the case of who did the actual hacking a ‘very open’ question one day after the hacks. But then this “I’m a Russian hacker!” metadata is discovered and the ‘Alt-Right’ neo-Nazi angle of the entire affair is suddenly forgotten. In fact, if you read the full article, there was no mention of the ‘Alt-Right’ neo-Nazis at all. It was like it never happened.

Everyone Says it Was Fancy Bear. Except the French Cybersecurity Agency

So pretty much everyone in the cybersecurity arena has concluded that this hack was indeed done by Fancy Bear, right? Well, not quite. There are plenty of cybersecurity professionals who have been critical of contemporary cyber attribution standards. And as the following article from June of 2017, about a month after the actual hack, makes clear, there was one very notable dissenter from Dmitri Alperovitch’s attribution standards: the head of the French cybersecurity agency, Guillaume Poupard, viewed the hack as so unsophisticated that a lone individual could have pulled it off.

And Poupard had another critical warning: false flag cyberattacks designed to pit one nation against another could be used to create “international chaos”:

EU Observer

Macron Leaks could be ‘isolated individual’, France says

By Andrew Rettman
BRUSSELS, 2. Jun 2017, 09:20

France has found no evidence that Russia was behind Macron Leaks, but Russian leader Vladimir Putin has warned that “patriotic” hackers could strike the German election.

Guillaume Poupard, the head of the French cyber security agency, Anssi, told the AP news agency on Thursday (1 June) that the Macron hack resembled the actions of “an isolated individual”.

“The attack was so generic and simple that it could have been practically anyone”, he said. “It really could be anyone. It could even be an isolated individual”.

The Macron Leaks saw a hacker steal and publish internal emails from the campaign of Emmanuel Macron 48 hours before the French vote last month, which Macron went on to win.

Some security experts blamed it on a hacker group called APT28, which is said by the US to be a front for Russian intelligence.

But Poupard said on Thursday: “To say Macron Leaks was APT28, I’m absolutely incapable today of doing that … I have absolutely no element to say whether it’s true or false”.

Macron’s campaign was also targeted by hackers earlier in March in a more sophisticated attack blamed on APT28.

...

‘Patriotic’ threat

US and German intelligence chiefs have been more bold in their accusations.

Hans-Georg Maassen, the director of Germany’s BfV intelligence service, said in May that Kremlin-linked hackers had stolen information on German MPs in the run-up to the German election in September.

“We recognise this as a campaign being directed from Russia”, he said.

But Russia has denied the allegations.

Its president, Vladimir Putin, told media in Moscow on Thursday: “We do not engage in this activity at the government level and are not going to engage in it”.

He warned at the same time that independent hackers might target the German or other EU elections for “patriotic” reasons if they felt leaders were “speaking ill of Russia”.

“Hackers are free people like artists. If artists get up in the morning feeling good, all they do all day is paint”, Putin said.

“The same goes for hackers. They got up today and read that something is going on internationally. If they are feeling patriotic they will start contributing, as they believe, to the justified fight against those speaking ill of Russia”.

With Macron having won despite the leaks, Putin said: “I am deeply convinced that no hackers can have a real impact on an election campaign in another country”.

Macron, at a meeting with Putin in Paris on Monday, said Russian state media tried to influence the vote with fake news, but Putin said on Thursday: “Nothing, no information can be imprinted in voters’ minds, in the minds of a nation, and influence the final outcome and the final result”.

False flags

Poupard and Putin said false flag attacks were easier in cyberspace than in real life.

Poupard said France had in the past been hacked by groups “attributed to China … I don’t know if it was the state, criminals”. But he added that: “What I’m certain of is that among these attacks, some strangely resembled Chinese attacks but in fact didn’t come from China”.

Putin said: “I can imagine a scenario when somebody develops a chain of attacks in a manner that would show Russia as the source of these attacks. Modern technology allows that. It’s very easy”.

Poupard said if states wrongly accused each other of cyber strikes it could lead to “international chaos”.

“We’ll get what we all fear, which is to say a sort of per­ma­nent con­flict where every­one is attack­ing every­one else”, he said.

The “night­mare sce­nario” would be “a sort of per­ma­nent war, between states and oth­er organ­i­sa­tions, which can be crim­i­nal and ter­ror­ist organ­i­sa­tions, where every­one will attack each oth­er, with­out real­ly know­ing who did what”, he said.

———-

“Macron Leaks could be ‘iso­lat­ed indi­vid­ual’, France says” by Andrew Rettman; EU Observ­er; 06/02/2017

“The attack was so gener­ic and sim­ple that it could have been prac­ti­cal­ly anyone...It real­ly could be any­one. It could even be an iso­lat­ed indi­vid­ual”.

That was what Guillaume Poupard, the head of the French cyber security agency, Anssi, told the AP. The attack was so generic and simple that it could have been done by an isolated individual. It’s a big reminder of why treating similarities in methodology between attacks as proof of a common author is a bad idea for so many of the hacking campaigns we’re seeing: you don’t need a super sophisticated operation when all you’re doing is spear-phishing. Sure, you need to set up convincing fake login websites or convincing emails that trick at least one person into downloading malware, but that’s the kind of thing a skilled isolated individual can do:

...
Some secu­ri­ty experts blamed it on a hack­er group called APT28, which is said by the US to be a front for Russ­ian intel­li­gence.

But Poupard said on Thursday: “To say Macron Leaks was APT28, I’m absolutely incapable today of doing that … I have absolutely no element to say whether it’s true or false”.
...

“To say Macron Leaks was APT28, I’m absolute­ly inca­pable today of doing that … I have absolute­ly no ele­ment to say whether it’s true or false”

That seems like a pretty important point to publicly make in this kind of situation. After all, if major high-profile hacks are taking place — hacks that appear to be coming from nation states due to all the sloppy clues being left — and those hacks could indeed be carried out by individuals who would like to sow international chaos, it seems like the public should know this. And yet the head of French cybersecurity is largely the only public cybersecurity official making this point, which is dangerously odd:

...
Poupard said France had in the past been hacked by groups “attrib­uted to Chi­na … I don’t know if it was the state, crim­i­nals”. But he added that: “What I’m cer­tain of is that among these attacks, some strange­ly resem­bled Chi­nese attacks but in fact did­n’t come from Chi­na”.

...

Poupard said if states wrong­ly accused each oth­er of cyber strikes it could lead to “inter­na­tion­al chaos”.

“We’ll get what we all fear, which is to say a sort of per­ma­nent con­flict where every­one is attack­ing every­one else”, he said.

The “night­mare sce­nario” would be “a sort of per­ma­nent war, between states and oth­er organ­i­sa­tions, which can be crim­i­nal and ter­ror­ist organ­i­sa­tions, where every­one will attack each oth­er, with­out real­ly know­ing who did what”, he said.
...

“The “nightmare scenario” would be “a sort of permanent war, between states and other organisations, which can be criminal and terrorist organisations, where everyone will attack each other, without really knowing who did what”, he said.”

Yeah, “a sort of per­ma­nent war, between states and oth­er organ­i­sa­tions, which can be crim­i­nal and ter­ror­ist organ­i­sa­tions, where every­one will attack each oth­er, with­out real­ly know­ing who did what” that sounds like quite a night­mare sce­nario.

But it’s a scenario that the US and German intelligence chiefs clearly do not fear. At least not when it comes to the contemporary wave of hacks attributed to Russia:

...
US and Ger­man intel­li­gence chiefs have been more bold in their accu­sa­tions.

Hans-Georg Maassen, the direc­tor of Germany’s BfV intel­li­gence ser­vice, said in May that Krem­lin-linked hack­ers had stolen infor­ma­tion on Ger­man MPs in the run-up to the Ger­man elec­tion in Sep­tem­ber.

“We recog­nise this as a cam­paign being direct­ed from Rus­sia”, he said.
...

Alarmingly, Vladimir Putin also had a take on the situation that, if anything, made a bad situation much worse. First, he suggested that the hacking attacks might in fact be the work of ‘patriotic’ independent Russian hackers who might wake up in the morning feeling patriotic and “start contributing, as they believe, to the justified fight against those speaking ill of Russia”:

...
Its pres­i­dent, Vladimir Putin, told media in Moscow on Thurs­day: “We do not engage in this activ­i­ty at the gov­ern­ment lev­el and are not going to engage in it”.

He warned at the same time that inde­pen­dent hack­ers might tar­get the Ger­man or oth­er EU elec­tions for “patri­ot­ic” rea­sons if they felt lead­ers were “speak­ing ill of Rus­sia”.

“Hack­ers are free peo­ple like artists. If artists get up in the morn­ing feel­ing good, all they do all day is paint”, Putin said.

“The same goes for hack­ers. They got up today and read that some­thing is going on inter­na­tion­al­ly. If they are feel­ing patri­ot­ic they will start con­tribut­ing, as they believe, to the jus­ti­fied fight against those speak­ing ill of Rus­sia”.
...

“The same goes for hack­ers. They got up today and read that some­thing is going on inter­na­tion­al­ly. If they are feel­ing patri­ot­ic they will start con­tribut­ing, as they believe, to the jus­ti­fied fight against those speak­ing ill of Rus­sia”.

That was an absolutely insane comment for someone in Putin’s position to make publicly. Because while it is absolutely true that you could have ‘patriotic hackers’ doing all sorts of hacks, you don’t want national leaders encouraging and validating that. It’s the kind of comment that could easily be interpreted as an open invitation for Russian hackers to do exactly that, and an open invitation for any other hacker around the world to wage an “I’m a Russian hacker!” hacking campaign. It was a dumb comment on multiple levels.

And then Putin made the insane comment that, “I am deeply convinced that no hackers can have a real impact on an election campaign in another country.” And this is after the obviously significant impact the DNC hacks had on the 2016 campaign and the near-miss in the French election with faked documents. It wasn’t a good look:

...
With Macron hav­ing won despite the leaks, Putin said: “I am deeply con­vinced that no hack­ers can have a real impact on an elec­tion cam­paign in anoth­er coun­try”.

Macron, at a meet­ing with Putin in Paris on Mon­day, said Russ­ian state media tried to influ­ence the vote with fake news, but Putin said on Thurs­day: “Noth­ing, no infor­ma­tion can be imprint­ed in vot­ers’ minds, in the minds of a nation, and influ­ence the final out­come and the final result”.
...

So we have this remarkable situation where Western governments like the US and Germany have rejected the long-standing hesitancy in attributing cyber attacks that stems from the inherent ambiguity in making these kinds of attributions. And Vladimir Putin was making a nonsense comment about hackers not being able to sway elections while he appeared to be egging hackers on and simultaneously making Russia an easier target for false flag attribution. In other words, we have leaders on both sides of this ‘cyber Cold War’ helping to make the situation ripe for exactly the kind of “international chaos” France’s cyber chief was warning about.

The Other Side of the “International Chaos” Coin

At the same time, let’s not forget that a status quo where cyber attribution is made very hesitantly, because of these ambiguities and the ability to wage false flag attacks, is potentially another form of “international chaos”: a situation where nations and private entities can effectively hack each other with relative impunity as long as they are reasonably competent in executing the hack without leaving self-implicating mistakes. In other words, the issue of how to address cyber attribution is one of those situations where there really is no ‘clean’ answer. Each approach has its own downsides.

For instance, imagine the NSA has secret intelligence that does actually allow it to confidently attribute a hack to Russia or China or Germany or whoever. But that evidence can’t be publicly revealed, and the evidence that can be publicly revealed, like the IP addresses used in the hack, is too ambiguous to make a solid attribution. What is the US government going to do in that situation? Especially if the hacks are very high-profile? Does it just throw its hands up and say, “oh well, we know it’s the Russians (or Chinese or Germans or whoever) pulling these hacks off, but we just can’t prove it”? Because that is an option. Another option is trying to address these topics on a government-to-government level and hoping it can get worked out that way. If that avenue doesn’t yield results, what’s a government going to do if it really can confidently make an attribution but can’t publicly reveal the evidence?

Or let’s con­sid­er anoth­er sce­nario: a gov­ern­ment can’t con­clu­sive­ly prove who is behind a hack, but it’s pret­ty sure it knows who’s behind it giv­en the cir­cum­stances. What’s a gov­ern­ment going to do in that sit­u­a­tion when the inher­ent ambi­gu­i­ties in cyber­at­tri­bu­tion basi­cal­ly make pre­sent­ing a pub­lic case prov­ing their sus­pi­cions impos­si­ble? Espe­cial­ly if the hacks keep com­ing? What’s a gov­ern­ment going to do?

And then there’s the other obvious scenario: a government can’t conclusively prove who is behind a hack, but it really wants to pin it on a particular adversary, and the hackers just happened to make all sorts of ‘mistakes’ that could be interpreted as real digital evidence but could also easily be interpreted as intentionally placed false flag decoy mistakes. What’s a government going to do when it’s handed that kind of ‘gift’ if it happens in the middle of a wave of brazen hacks?

These kinds of scenarios are all totally feasible and probably playing out around the globe all the time: a hack happens, a government has suspicions and hunches, maybe even some intelligence suggesting that an adversary was probably behind it, but nothing can be conclusively proven based on the technical evidence. On one level, these are situations where a government can appear seemingly helpless, and that really is a kind of “international chaos” situation. So what does a government do in this case?

This is prob­a­bly a good point to re-read the com­ments we saw above from John Hultquist, the direc­tor of cyberes­pi­onage analy­sis at Fire­Eye, about the sud­den change in Russ­ian hack­ing behav­ior that start­ed in 2014 fol­low­ing the con­flict in Ukraine:

...
Mr. Hultquist not­ed that the attack was char­ac­ter­ized by haste, and a trail of dig­i­tal mis­takes. “There was a time when Russ­ian hack­ers were char­ac­ter­ized by their lack of slop­pi­ness,” Mr. Hultquist said. “When they made mis­takes, they burned their entire oper­a­tion and start­ed anew. But since the inva­sion of Ukraine and Crimea,” he said, “we’ve seen them car­ry out brazen, large scale attacks,” per­haps because “there have been few con­se­quences for their actions.”
...

We have the sudden change in ‘Russian hacker’ behavior, where tensions flare up between Russia and the West and then there are all sorts of “I’m a Russian hacker” attacks over and over, where the evidence might be spoofed by a third party but also might be intentionally left by the Russian hackers to achieve some sort of psychological warfare objective. And it’s possible the NSA has secret evidence tying all this back to actual Russian government hackers that it can’t reveal, or maybe not, and the Western governments are merely ‘pretty sure’ it’s really a Russian government campaign and don’t want to let them ‘get away with it’?

So what’s the appropriate approach to a situation like this? Well, it turns out the current round of Western governments directly attributing these hacks to the Russian government is both historically very unusual and actually a reflection of a choice that was made at the government level and within the cybersecurity industry on how to address these situations: make public attribution a priority, because that’s seen as the best defense against future attacks. Yep, for the past 5 years or so, the cybersecurity industry has seen a revolution in how it treats cyber attribution, based on a one-man campaign. And that man is Dmitri Alperovitch, the co-founder of CrowdStrike, the company that led the investigation of the 2016 DNC hack and made the initial ‘Russia did it’ attribution. As the following Esquire article about Alperovitch notes, making a public attribution directly blaming other nation states, and doing it fast and forcefully, used to be seen as heresy within the cybersecurity industry. But as Alperovitch saw it, that hesitancy of cybersecurity firms was only encouraging nation-state hacking groups, and the only solution was aggressive public attribution campaigns. And as the article makes clear, Alperovitch’s views won out, and the whole practice of cyber attribution has undergone a radical revolution:

Esquire

The Russ­ian Expat Lead­ing the Fight to Pro­tect Amer­i­ca

In a war against hack­ers, Dmitri Alper­ovitch and Crowd­Strike are our spe­cial forces (and Putin’s worst night­mare).

By Vicky Ward
Oct 24, 2016

At six o’clock on the morn­ing of May 6, Dmitri Alper­ovitch woke up in a Los Ange­les hotel to an alarm­ing email. Alper­ovitch is the thir­ty-six-year-old cofounder of the cyber­se­cu­ri­ty firm Crowd­Strike, and late the pre­vi­ous night, his com­pa­ny had been asked by the Demo­c­ra­t­ic Nation­al Com­mit­tee to inves­ti­gate a pos­si­ble breach of its net­work. A Crowd­Strike secu­ri­ty expert had sent the DNC a pro­pri­etary soft­ware pack­age, called Fal­con, that mon­i­tors the net­works of its clients in real time. Fal­con “lit up,” the email said, with­in ten sec­onds of being installed at the DNC: Rus­sia was in the net­work.

Alper­ovitch, a slight man with a sharp, quick demeanor, called the ana­lyst who had emailed the report. “Are we sure it’s Rus­sia?” he asked.

The ana­lyst said there was no doubt. Fal­con had detect­ed mali­cious soft­ware, or mal­ware, that was steal­ing data and send­ing it to the same servers that had been used in a 2015 attack on the Ger­man Bun­destag. The code and tech­niques used against the DNC resem­bled those from ear­li­er attacks on the White House and the State Depart­ment. The ana­lyst, a for­mer intel­li­gence offi­cer, told Alper­ovitch that Fal­con had iden­ti­fied not one but two Russ­ian intrud­ers: Cozy Bear, a group Crowd­Strike’s experts believed was affil­i­at­ed with the FSB, Rus­si­a’s answer to the CIA; and Fan­cy Bear, which they had linked to the GRU, Russ­ian mil­i­tary intel­li­gence.

Alper­ovitch then called Shawn Hen­ry, a tall, bald fifty-four-year-old for­mer exec­u­tive assis­tant direc­tor at the FBI who is now Crowd­Strike’s pres­i­dent of ser­vices. Hen­ry led a foren­sics team that retraced the hack­ers’ steps and pieced togeth­er the pathol­o­gy of the breach. Over the next two weeks, they learned that Cozy Bear had been steal­ing emails from the DNC for more than a year. Fan­cy Bear, on the oth­er hand, had been in the net­work for only a few weeks. Its tar­get was the DNC research depart­ment, specif­i­cal­ly the mate­r­i­al that the com­mit­tee was com­pil­ing on Don­ald Trump and oth­er Repub­li­cans. Mean­while, a Crowd­Strike group called the Over­watch team used Fal­con to mon­i­tor the hack­ers, a process known as shoul­der-surf­ing.

...

Hack­ing, like domes­tic abuse, is a crime that tends to induce shame. Com­pa­nies such as Yahoo usu­al­ly pub­li­cize their breach­es only when the law requires it. For this rea­son, Alper­ovitch says, he expect­ed that the DNC, too, would want to keep qui­et.

By the time of the hack, how­ev­er, Don­ald Trump’s rela­tion­ship to Rus­sia had become an issue in the elec­tion. The DNC want­ed to go pub­lic. At the com­mit­tee’s request, Alper­ovitch and Hen­ry briefed a reporter from The Wash­ing­ton Post about the attack. On June 14, soon after the Post sto­ry pub­licly linked Fan­cy Bear with the Russ­ian GRU and Cozy Bear with the FSB for the first time, Alper­ovitch pub­lished a detailed blog post about the attacks.

Alper­ovitch told me he was thrilled that the DNC decid­ed to pub­li­cize Rus­si­a’s involve­ment. “Hav­ing a client give us the abil­i­ty to tell the full sto­ry” was a “mile­stone in the indus­try,” he says. “Not just high­light­ing a rogue nation-state’s actions but explain­ing what was tak­en and how and when. These sto­ries are almost nev­er told.”

In the five years since Alper­ovitch cofound­ed Crowd­Strike, he and his com­pa­ny have played a crit­i­cal role in the devel­op­ment of Amer­i­ca’s cyberde­fense pol­i­cy. Frank Cil­luffo, the for­mer spe­cial assis­tant to the pres­i­dent for home­land secu­ri­ty, likens Alper­ovitch to Paul Revere: “Dmitri, as an indi­vid­ual, has played a sig­nif­i­cant role in ele­vat­ing cyber­se­cu­ri­ty pol­i­cy not only inside the pri­vate sec­tor but more gen­er­al­ly.”

When I met Alper­ovitch in late Sep­tem­ber, at his open-plan offices out­side Wash­ing­ton, D.C., he explained that Crowd­Strike was cre­at­ed to take advan­tage of a sim­ple but cen­tral les­son he’d learned about stop­ping hack­ers. It’s not enough, he says, to play defense with tech­nol­o­gy: “Oth­er­wise the adver­sary will scale up and it becomes a game of num­bers, which they will win.” Instead, attri­bu­tion is cru­cial: First you need to iden­ti­fy the per­pe­tra­tor, then you need to dis­cov­er what moti­vates the crime, and finally—most important—you need to fig­ure out how to fight back.

Before Alper­ovitch found­ed Crowd­Strike, the idea that attri­bu­tion ought to be a cen­tral defense against hack­ers was viewed as heresy. In 2011, he was work­ing in Atlanta as the chief threat offi­cer at the antivirus soft­ware firm McAfee. While sift­ing through serv­er logs in his apart­ment one night, he dis­cov­ered evi­dence of a hack­ing cam­paign by the Chi­nese gov­ern­ment. Even­tu­al­ly he learned that the cam­paign had been going on unde­tect­ed for five years, and that the Chi­nese had com­pro­mised at least sev­en­ty-one com­pa­nies and orga­ni­za­tions, includ­ing thir­teen defense con­trac­tors, three elec­tron­ics firms, and the Inter­na­tion­al Olympic Com­mit­tee.

That the Chi­nese gov­ern­ment had been steal­ing infor­ma­tion from the pri­vate sec­tor was a shock to the secu­ri­ty indus­try and to many U. S. offi­cials. Almost no one thought that for­eign gov­ern­ments used the Inter­net for any­thing oth­er than old-fash­ioned espi­onage. “This was not spy ver­sus spy,” says John Car­lin, who was until recent­ly the assis­tant attor­ney gen­er­al for nation­al secu­ri­ty. The hack­ing was eco­nom­ic sab­o­tage.

While Alper­ovitch was writ­ing up his report on the breach, he received a call from Renee James, an exec­u­tive at Intel, which had recent­ly pur­chased McAfee. Accord­ing to Alper­ovitch, James told him, “Dmitri, Intel has a lot of busi­ness in Chi­na. You can­not call out Chi­na in this report.”

Alper­ovitch removed the word Chi­na from his analy­sis, call­ing the oper­a­tion Shady Rat instead. He told me that James’s inter­ven­tion accel­er­at­ed his plans to leave Intel. (James declined to com­ment.) He felt that he was “now being cen­sored because I’m work­ing for a com­pa­ny that’s not real­ly an Amer­i­can com­pa­ny.”

Alper­ovitch and George Kurtz, a for­mer col­league, found­ed Crowd­Strike as a direct response. The cyber­se­cu­ri­ty indus­try at the time, Alper­ovitch says, was “ter­ri­fied of los­ing their abil­i­ty to mar­ket prod­ucts in Chi­na.” Their new com­pa­ny would push the idea that hack­ing was a means, not an end. “We saw that no one’s real­ly focused on the adver­sary,” Alper­ovitch told me. “No one’s focus­ing exclu­sive­ly on how can we actu­al­ly iden­ti­fy them, attribute them, deter them from tak­ing this action again.” Crowd­Strike’s tagline encap­su­lat­ed its phi­los­o­phy: “You don’t have a mal­ware prob­lem, you have an adver­sary prob­lem.”

...

Alper­ovitch stud­ied com­put­er sci­ence at Geor­gia Tech and went on to work at an anti­spam soft­ware firm. There he met a strik­ing dark-haired com­put­er geek named Phyl­lis Sch­neck. As a teenag­er, Sch­neck once showed her father that she could hack into the com­pa­ny where he worked as an engi­neer. Appalled, Dr. Sch­neck made his daugh­ter promise nev­er to do some­thing like that again.

Fight­ing email spam taught Alper­ovitch a sec­ond cru­cial les­son. He dis­cov­ered that every time he blocked a serv­er, the spam­mers deployed a hun­dred new servers to take its place. Alper­ovitch real­ized that defense was about psy­chol­o­gy, not tech­nol­o­gy.

To bet­ter under­stand his adver­saries, Alper­ovitch posed as a Russ­ian gang­ster on spam dis­cus­sion forums, an expe­ri­ence he wrote up in a series of reports. One day he returned from lunch to a voice mail telling him to call the FBI imme­di­ate­ly. He was ter­ri­fied. “I was not a cit­i­zen yet,” he told me.

As it hap­pened, the bureau was inter­est­ed in his work. The gov­ern­ment was slow­ly wak­ing up to the real­iza­tion that the Inter­net was ripe for crim­i­nal exploita­tion: “the great price of the dig­i­tal age,” in John Car­lin’s words. In 2004, the bureau was hacked by Joseph Colon, a dis­grun­tled IT con­sul­tant who gained “god-lev­el” access to FBI files. Colon was even­tu­al­ly indict­ed, but his attack showed the gov­ern­ment how vul­ner­a­ble it was to cyber­crime.

In 2005, Alper­ovitch flew to Pitts­burgh to meet an FBI agent named Kei­th Mula­rs­ki, who had been asked to lead an under­cov­er oper­a­tion against a vast Russ­ian cred­it-card-theft syn­di­cate. Mula­rs­ki had no pri­or expe­ri­ence with the Inter­net; he relied on Alper­ovitch, whom he calls “a good guy and a friend,” to teach him how to get into the forum and speak the lin­go. Mula­rski’s sting oper­a­tion took two years, but it ulti­mate­ly brought about fifty-six arrests.

Alper­ovitch’s first big break in cyberde­fense came in 2010, while he was at McAfee. The head of cyber­se­cu­ri­ty at Google told Alper­ovitch that Gmail accounts belong­ing to human-rights activists in Chi­na had been breached. Google sus­pect­ed the Chi­nese gov­ern­ment. Alper­ovitch found that the breach was unprece­dent­ed in scale; it affect­ed more than a dozen of McAfee’s clients.

Three days after his dis­cov­ery, Alper­ovitch was on a plane to Wash­ing­ton. He’d been asked to vet a para­graph in a speech by the sec­re­tary of state, Hillary Clin­ton. She’d decid­ed, for the first time, to call out anoth­er coun­try for a cyber­at­tack. “In an inter­con­nect­ed world,” she said, “an attack on one nation’s net­works can be an attack on all.”

Despite Clin­ton’s announce­ment, Alper­ovitch believed that the gov­ern­ment, par­a­lyzed by bureau­cra­cy and pol­i­tics, was still mov­ing too slow­ly. In 2014, Sony called in Crowd­Strike to inves­ti­gate a breach of its net­work. The com­pa­ny need­ed just two hours to iden­ti­fy North Korea as the adver­sary. Exec­u­tives at Sony asked Alper­ovitch to go pub­lic with the infor­ma­tion imme­di­ate­ly, but it took the FBI anoth­er three weeks before it con­firmed the attri­bu­tion.

The delay still frus­trates Alper­ovitch, who saw the long silence as a kind of dis­in­for­ma­tion. “Yes­ter­day you had no idea. Today you’re 100 per­cent cer­tain. It was­n’t cred­i­ble.” From the per­spec­tive of the gov­ern­ment, how­ev­er, the han­dling of the Sony hack was a tri­umph. “In twen­ty-six days we fig­ured out it was North Korea,” John Car­lin told me. The attri­bu­tion changed the focus, he said, from what Sony did wrong to how the gov­ern­ment was going to respond to North Korea. As Phyl­lis Sch­neck, who now works at the Depart­ment of Home­land Secu­ri­ty, told me, the gov­ern­ment moves slow­ly because it can­not afford to be wrong: “Ven­dors like to be first. Gov­ern­ment must be right.”

The gov­ern­men­t’s atti­tude toward attri­bu­tion moved clos­er to Alper­ovitch’s in Sep­tem­ber 2015, in the run-up to a state vis­it by Chi­nese pres­i­dent Xi Jin­ping. A year ear­li­er, five mem­bers of the Chi­nese Peo­ple’s Lib­er­a­tion Army had been indict­ed by a grand jury in Penn­syl­va­nia for steal­ing eco­nom­ic secrets from the com­put­ers of U. S. firms in the nuclear, solar, and met­als indus­tries. Car­lin told me that the indict­ments were meant as “a giant No Tres­pass sign: Get off our lawn.” But the indict­ment did­n’t stop the hack­ers. Alper­ovitch went on tele­vi­sion to call for a stronger response. In April 2015, after Pres­i­dent Oba­ma signed an exec­u­tive order threat­en­ing sanc­tions against the Chi­nese, Alper­ovitch received a call from the White House. “You should be hap­py,” he was told. “You’re the one who’s been push­ing for this.”

Six months lat­er, just before the state vis­it, The Wash­ing­ton Post report­ed that the U. S. was con­sid­er­ing mak­ing good on the exec­u­tive order. A senior State Depart­ment offi­cial told me that Xi did not want to be embar­rassed by an awk­ward vis­it. The Chi­nese sent over a nego­ti­at­ing team, and diplo­mats from both coun­tries stayed up all night work­ing out an agree­ment. Dur­ing the state vis­it, Oba­ma and Xi announced that “nei­ther coun­try’s gov­ern­ment will con­duct or know­ing­ly sup­port cyber-enabled theft of intel­lec­tu­al prop­er­ty” for the pur­pose of eco­nom­ic espi­onage. Since then, the Chi­nese bur­glar­ies have slowed dra­mat­i­cal­ly.

...

The gov­ern­men­t’s reluc­tance to name the Rus­sians as the authors of the DNC and DCCC hacks made Alper­ovitch feel that the lessons of the war game—call out your ene­my and respond swiftly—had been wast­ed. He con­tin­ued to be told by his friends in gov­ern­ment that it was polit­i­cal­ly impos­si­ble for the Unit­ed States to issue an offi­cial response to Rus­sia. Some, espe­cial­ly in the State Depart­ment, argued that the Unit­ed States need­ed Rus­si­a’s help in Syr­ia and could not afford to ratch­et up hos­til­i­ties. Oth­ers said an attri­bu­tion with­out a con­crete response would be mean­ing­less. Still oth­ers insist­ed that clas­si­fied secu­ri­ty con­cerns demand­ed con­sid­er­a­tion.

Alper­ovitch was deeply frus­trat­ed: He thought the gov­ern­ment should tell the world what it knew. There is, of course, an ele­ment of the per­son­al in his bat­tle cry. “A lot of peo­ple who are born here don’t appre­ci­ate the free­doms we have, the oppor­tu­ni­ties we have, because they’ve nev­er had it any oth­er way,” he told me. “I have.”

The gov­ern­men­t’s hes­i­ta­tion was soon over­tak­en by events. Dur­ing the first week of Octo­ber, while Alper­ovitch was on a rare vaca­tion, in Italy, Rus­sia pulled out of an arms-reduc­tion pact after being accused by the U. S. of bomb­ing indis­crim­i­nate­ly in Syr­ia. The same day, the U. S. halt­ed talks with Rus­sia about a Syr­i­an cease­fire. On Octo­ber 7, two days before the sec­ond pres­i­den­tial debate, Alper­ovitch got a phone call from a senior gov­ern­ment offi­cial alert­ing him that a state­ment iden­ti­fy­ing Rus­sia as the spon­sor of the DNC attack would soon be released. (The state­ment, from the office of the direc­tor of nation­al intel­li­gence and the Depart­ment of Home­land Secu­ri­ty, appeared lat­er that day.) Once again, Alper­ovitch was thanked for push­ing the gov­ern­ment along.

He got the news just after leav­ing the Sis­tine Chapel. “It kind of put things in per­spec­tive,” he told me. Though pleased, he wished the state­ment had warned that more leaks were like­ly. “It’s nice that you have the DHS and DNI joint­ly putting the state­ment out on a Fri­day night, but the pres­i­dent com­ing out and say­ing, ‘Mr. Putin, we know you’re doing this, we find it unac­cept­able, and you have to stop’ would be ben­e­fi­cial.”

Less than a week lat­er, after Wik­iLeaks released anoth­er cache of hacked emails—this time from John Podes­ta, Hillary Clin­ton’s cam­paign chair—the White House announced that the pres­i­dent was con­sid­er­ing a “pro­por­tion­al” response against Rus­sia. Admin­is­tra­tion offi­cials asked Alper­ovitch to attend a meet­ing to con­sid­er what to do. He was the only native Russ­ian in the room. “You have to let them save face,” he told the group. “Esca­la­tion will not end well.”

———-

“The Russ­ian Expat Lead­ing the Fight to Pro­tect Amer­i­ca” by Vicky Ward; Esquire; 10/24/2016

“Alperovitch, a slight man with a sharp, quick demeanor, called the analyst who had emailed the report. “Are we sure it’s Russia?” he asked.”

That was reportedly Alperovitch’s initial response to the conclusion of his company’s analyst that Russia was behind the DNC hack: Are we sure it’s Russia? And that’s a very reasonable question to ask at that point. And note the analyst’s response: There was no doubt. Why? Because the malware used in the DNC hack was sending data back to the same servers used in the Bundestag hack of 2015 and the malware code was similar to earlier hacks:

...
The ana­lyst said there was no doubt. Fal­con had detect­ed mali­cious soft­ware, or mal­ware, that was steal­ing data and send­ing it to the same servers that had been used in a 2015 attack on the Ger­man Bun­destag. The code and tech­niques used against the DNC resem­bled those from ear­li­er attacks on the White House and the State Depart­ment. The ana­lyst, a for­mer intel­li­gence offi­cer, told Alper­ovitch that Fal­con had iden­ti­fied not one but two Russ­ian intrud­ers: Cozy Bear, a group Crowd­Strike’s experts believed was affil­i­at­ed with the FSB, Rus­si­a’s answer to the CIA; and Fan­cy Bear, which they had linked to the GRU, Russ­ian mil­i­tary intel­li­gence.
...

So this is a good time to remind ourselves that the IP address found in the malware used in that DNC hack and the Bundestag hack was published in 2015, and Germany’s BfV issued a newsletter attributing that Bundestag hack to the Russian government in January of 2016, meaning it would have been incredibly brazen for Russian government hackers to execute a hack using the same command & control server with the same IP address unless Russia wanted to get caught. But from CrowdStrike’s perspective, this was the kind of ‘digital fingerprint’ that could lead to a conclusion with “no doubt.”

And as the rest of the article made clear, arriving at a culprit for cyber attacks and then making a very public complaint about the attack is at the heart of the strategy that Alperovitch has been advocating for years. And advocating with great success:

...
Alperovitch told me he was thrilled that the DNC decided to publicize Russia’s involvement. “Having a client give us the ability to tell the full story” was a “milestone in the industry,” he says. “Not just highlighting a rogue nation-state’s actions but explaining what was taken and how and when. These stories are almost never told.”

In the five years since Alperovitch cofounded CrowdStrike, he and his company have played a critical role in the development of America’s cyberdefense policy. Frank Cilluffo, the former special assistant to the president for homeland security, likens Alperovitch to Paul Revere: “Dmitri, as an individual, has played a significant role in elevating cybersecurity policy not only inside the private sector but more generally.”

When I met Alperovitch in late September, at his open-plan offices outside Washington, D.C., he explained that CrowdStrike was created to take advantage of a simple but central lesson he’d learned about stopping hackers. It’s not enough, he says, to play defense with technology: “Otherwise the adversary will scale up and it becomes a game of numbers, which they will win.” Instead, attribution is crucial: First you need to identify the perpetrator, then you need to discover what motivates the crime, and finally—most important—you need to figure out how to fight back.
...

“It’s not enough, he says, to play defense with technology: “Otherwise the adversary will scale up and it becomes a game of numbers, which they will win.” Instead, attribution is crucial: First you need to identify the perpetrator, then you need to discover what motivates the crime, and finally—most important—you need to figure out how to fight back.”

That’s Alperovitch’s philosophy: you can’t simply deal with hacking by playing defense. You have to play offense, and that requires public attribution. And it’s a philosophy that was viewed as heresy in the cybersecurity industry not too long ago. The article characterizes this industry disposition as being in part due to concerns within the industry about losing clients in the nations they publicly attribute an attack to, but it seems like the inherent ambiguity in making these attributions would have also been a factor in why that was viewed as heresy. Either way, CrowdStrike was formed in response to this industry bias against publicly attributing hacks to other governments:

...
Before Alperovitch founded CrowdStrike, the idea that attribution ought to be a central defense against hackers was viewed as heresy. In 2011, he was working in Atlanta as the chief threat officer at the antivirus software firm McAfee. While sifting through server logs in his apartment one night, he discovered evidence of a hacking campaign by the Chinese government. Eventually he learned that the campaign had been going on undetected for five years, and that the Chinese had compromised at least seventy-one companies and organizations, including thirteen defense contractors, three electronics firms, and the International Olympic Committee.

That the Chinese government had been stealing information from the private sector was a shock to the security industry and to many U.S. officials. Almost no one thought that foreign governments used the Internet for anything other than old-fashioned espionage. “This was not spy versus spy,” says John Carlin, who was until recently the assistant attorney general for national security. The hacking was economic sabotage.

While Alperovitch was writing up his report on the breach, he received a call from Renee James, an executive at Intel, which had recently purchased McAfee. According to Alperovitch, James told him, “Dmitri, Intel has a lot of business in China. You cannot call out China in this report.”

Alperovitch removed the word China from his analysis, calling the operation Shady Rat instead. He told me that James’s intervention accelerated his plans to leave Intel. (James declined to comment.) He felt that he was “now being censored because I’m working for a company that’s not really an American company.”

Alperovitch and George Kurtz, a former colleague, founded CrowdStrike as a direct response. The cybersecurity industry at the time, Alperovitch says, was “terrified of losing their ability to market products in China.” Their new company would push the idea that hacking was a means, not an end. “We saw that no one’s really focused on the adversary,” Alperovitch told me. “No one’s focusing exclusively on how can we actually identify them, attribute them, deter them from taking this action again.” CrowdStrike’s tagline encapsulated its philosophy: “You don’t have a malware problem, you have an adversary problem.”
...

“No one’s focusing exclusively on how can we actually identify them, attribute them, deter them from taking this action again.” CrowdStrike’s tagline encapsulated its philosophy: “You don’t have a malware problem, you have an adversary problem.”

And that encapsulates much of CrowdStrike’s approach to stopping hacks:

Step 1. Determine a culprit.

Step 2. Make a big public stink about it.

And this approach appears to have been driven by a conclusion Alperovitch arrived at while working at an antispam software firm, where he met his future CrowdStrike partner Phyllis Schneck: cyber defense was about psychology, not technology:

...
Alperovitch studied computer science at Georgia Tech and went on to work at an antispam software firm. There he met a striking dark-haired computer geek named Phyllis Schneck. As a teenager, Schneck once showed her father that she could hack into the company where he worked as an engineer. Appalled, Dr. Schneck made his daughter promise never to do something like that again.

Fighting email spam taught Alperovitch a second crucial lesson. He discovered that every time he blocked a server, the spammers deployed a hundred new servers to take its place. Alperovitch realized that defense was about psychology, not technology.
...

And that psychological strategy is part of why making a public attribution is so important under this approach. From Alperovitch’s perspective, intimidating your cyber adversary is basically the only realistic way to stop the hacks.

It’s a strategy that he first employed in 2010, when his analysis was used by the US government to publicly accuse China of cyber attacks on Google Gmail accounts. The strategy was used again in 2014 to attribute the Sony hacks to North Korea, and in 2015 once again against China. And that 2015 attribution against China, which included the threat of an executive order by President Obama that would punish China over the hacks, apparently resulted in a bilateral agreement where “neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property” for the purpose of economic espionage. Chinese cyber burglaries have slowed dramatically since then:

...
Alperovitch’s first big break in cyberdefense came in 2010, while he was at McAfee. The head of cybersecurity at Google told Alperovitch that Gmail accounts belonging to human-rights activists in China had been breached. Google suspected the Chinese government. Alperovitch found that the breach was unprecedented in scale; it affected more than a dozen of McAfee’s clients.

Three days after his discovery, Alperovitch was on a plane to Washington. He’d been asked to vet a paragraph in a speech by the secretary of state, Hillary Clinton. She’d decided, for the first time, to call out another country for a cyberattack. “In an interconnected world,” she said, “an attack on one nation’s networks can be an attack on all.”

Despite Clinton’s announcement, Alperovitch believed that the government, paralyzed by bureaucracy and politics, was still moving too slowly. In 2014, Sony called in CrowdStrike to investigate a breach of its network. The company needed just two hours to identify North Korea as the adversary. Executives at Sony asked Alperovitch to go public with the information immediately, but it took the FBI another three weeks before it confirmed the attribution.

The delay still frustrates Alperovitch, who saw the long silence as a kind of disinformation. “Yesterday you had no idea. Today you’re 100 percent certain. It wasn’t credible.” From the perspective of the government, however, the handling of the Sony hack was a triumph. “In twenty-six days we figured out it was North Korea,” John Carlin told me. The attribution changed the focus, he said, from what Sony did wrong to how the government was going to respond to North Korea. As Phyllis Schneck, who now works at the Department of Homeland Security, told me, the government moves slowly because it cannot afford to be wrong: “Vendors like to be first. Government must be right.”

The government’s attitude toward attribution moved closer to Alperovitch’s in September 2015, in the run-up to a state visit by Chinese president Xi Jinping. A year earlier, five members of the Chinese People’s Liberation Army had been indicted by a grand jury in Pennsylvania for stealing economic secrets from the computers of U.S. firms in the nuclear, solar, and metals industries. Carlin told me that the indictments were meant as “a giant No Trespass sign: Get off our lawn.” But the indictment didn’t stop the hackers. Alperovitch went on television to call for a stronger response. In April 2015, after President Obama signed an executive order threatening sanctions against the Chinese, Alperovitch received a call from the White House. “You should be happy,” he was told. “You’re the one who’s been pushing for this.”

Six months later, just before the state visit, The Washington Post reported that the U.S. was considering making good on the executive order. A senior State Department official told me that Xi did not want to be embarrassed by an awkward visit. The Chinese sent over a negotiating team, and diplomats from both countries stayed up all night working out an agreement. During the state visit, Obama and Xi announced that “neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property” for the purpose of economic espionage. Since then, the Chinese burglaries have slowed dramatically.
...

So that all sounds like a great success for Alperovitch’s public attribution strategy, right? A bilateral agreement with China that slowed Chinese cyber burglaries dramatically is quite an achievement.

Except, of course, there’s a rather significant problem with this approach, and it relates directly to the warnings by France’s cyber security chief about “international chaos” from false flags: What if the dramatic slowdown in Chinese cyber burglaries merely reflects a shift in strategy by Chinese hackers to make their hacks look like, say, Russian hackers? Or American hackers? Why isn’t this ‘new normal’ of aggressively making public attributions exactly the kind of ‘defensive’ tactic that makes false flag attacks even more tempting? And why wouldn’t third parties who want to sow chaos, like neo-Nazi hackers, LOVE this new attribution paradigm?

And note the comment from Alperovitch’s former CrowdStrike partner, Phyllis Schneck, who is now at DHS, about the cybersecurity industry’s predilection for “being first” on making an attribution:

...
The delay still frustrates Alperovitch, who saw the long silence as a kind of disinformation. “Yesterday you had no idea. Today you’re 100 percent certain. It wasn’t credible.” From the perspective of the government, however, the handling of the Sony hack was a triumph. “In twenty-six days we figured out it was North Korea,” John Carlin told me. The attribution changed the focus, he said, from what Sony did wrong to how the government was going to respond to North Korea. As Phyllis Schneck, who now works at the Department of Homeland Security, told me, the government moves slowly because it cannot afford to be wrong: “Vendors like to be first. Government must be right.”
...

“Vendors like to be first. Government must be right.”

In other words, market forces have now been unleashed to encourage the cybersecurity industry to rush to attribution conclusions. After all, think about the incredible free advertising Trend Micro got for its report on the US Senate phishing sites and the Macron hacks. The profit motive encourages this. Isn’t that wildly dangerous when those rushed attributions have geo-strategic implications? It sure sounds like a recipe for “international chaos”.

Still, let’s keep in mind that a world where Chinese government hackers can pilfer intellectual property with impunity and North Korea can attack corporations over movies it doesn’t like is another form of “international chaos”. It’s probably not nearly as chaotic as the kind of world where conflicts break out as a result of cyber attacks and false flag campaigns, but it’s still a very non-ideal situation.

What’s the Cybersecurity Industry’s Secret to Cyber Attribution? Pattern Recognition. Hopefully Perfect Pattern Recognition (Because Otherwise it’s International Chaos)

So what’s the cybersecurity industry’s response to criticism that this new aggressive approach to attribution is vulnerable to false flag attacks and incorrect attributions? Well, according to a CNET article that describes the techniques the industry uses to arrive at its conclusions, the industry responds by stating that false flag attacks just aren’t feasible because hackers make mistakes that reveal their true origin. Yep, that’s the response.

And this response is in an article that describes the primary technique for attribution as “pattern recognition”: looking at a hack’s ‘digital fingerprints’ and comparing them to past attacks. If you think about it, if you’re a hacker, and the digital fingerprints in your hacks allow analysts to trace your work back to previous attacks, that’s a mistake. Recall the comments from FireEye’s analyst about how the Russian hackers used to completely burn their digital infrastructure after getting caught (and then mysteriously stopped doing that around 2014). High quality government hackers shouldn’t actually be leaving an extensive trail of reused digital fingerprints. They apparently used to be able to operate without making so many conspicuous mistakes. And yet the cybersecurity industry is predicating its attributions on basically detecting mistakes hackers make and the deep conviction that hackers make mistakes and these mistakes can be used for high confidence attributions. Which seems like a massive mistake:

CNET

How US cybersleuths decided Russia hacked the DNC

Digital clues led security pros to agencies in Putin’s government. It’s as close as we’ll ever get to proof that Russia did it.

by Laura Hautala

May 3, 2017 9:13 AM PD

It was a bombshell.

Operatives from two Russian spy agencies had infiltrated computers of the Democratic National Committee, months before the US national election.

One agency — nicknamed Cozy Bear by cybersecurity company CrowdStrike — used a tool that was “ingenious in its simplicity and power” to insert malicious code into the DNC’s computers, CrowdStrike’s Chief Technology Officer Dmitri Alperovitch wrote in a June blog post. The other group, nicknamed Fancy Bear, remotely grabbed control of the DNC’s computers.

By October, the Department of Homeland Security and the Office of the Director of National Intelligence on Election Security agreed that Russia was behind the DNC hack. On Dec. 29, those agencies, together with the FBI, Department of Homeland Security and the Office of the Director of National Intelligence on Election Security agreed that Russia.

And a week later, the Office of the Director of National Intelligence summarized its findings (PDF) in a declassified (read: scrubbed) report. Even President Donald Trump acknowledged, “It was Russia,” a few days later — although he told “Face the Nation” earlier this week it “could’ve been China.”

...

We’ll probably never really find out what the US intelligence community or CrowdStrike know or how they know it. This is what we do know:

CrowdStrike and other cyberdetectives had spotted tools and approaches they’d seen Cozy Bear and Fancy Bear use for years. Cozy Bear is believed to be either Russia’s Federal Security Service, known as the FSB, or its Foreign Intelligence Service, the SVR. Fancy Bear is thought to be Russia’s military intel agency, GRU.

It was the payoff of a long game of pattern recognition — piecing together hacker groups’ favorite modes of attack, sussing out the time of day they’re most active (hinting at their locations) and finding signs of their native language and the internet addresses they use to send or receive files.

“You just start to weigh all these factors until you get near 100 percent certainty,” says Dave DeWalt, former CEO of McAfee and FireEye, who now sits on the boards of five security companies. “It’s like having enough fingerprints in the system.”

Watching the cyberdetectives

CrowdStrike put that knowledge to use in April, when the DNC’s leadership called in its digital forensics experts and custom software — which spots when someone takes control of network accounts, installs malware or steals files — to find out who was mucking around in their systems, and why.

“Within minutes, we were able to detect it,” Alperovitch said in an interview the day the DNC revealed the break-in. CrowdStrike found other clues within 24 hours, he said.

Those clues included small fragments of code called PowerShell commands. A PowerShell command is like a Russian nesting doll in reverse. Start with the smallest doll, and that’s the PowerShell code. It’s only a single string of seemingly meaningless numbers and letters. Open it up, though, and out jumps a larger module that, in theory at least, “can do virtually anything on the victim system,” Alperovitch wrote.

One of the PowerShell modules inside the DNC system connected to a remote server and downloaded more PowerShells, adding more nesting dolls to the DNC network. Another opened and installed MimiKatz, malicious code for stealing login information. That gave hackers a free pass to move from one part of the DNC’s network to another by logging in with valid usernames and passwords. These were Cozy Bear’s weapons of choice.

Fancy Bear used tools known as X-Agent and X-Tunnel to remotely access and control the DNC network, steal passwords and transfer files. Other tools let them wipe away their footprints from network logs.

CrowdStrike had seen this pattern many times before.

“You could never go into the DNC as a single event and come up with that [conclusion],” said Robert M. Lee, CEO of cybersecurity firm Dragos.

Pattern recognition

Alperovitch compares his work to that of Johnny Utah, the character Keanu Reeves played in the 1991 surfing-bank-heist flick “Point Break.” In the movie, Utah identified the mastermind of a robbery by looking at habits and methods. “He’s already analyzed 15 bank robbers. He can say, ‘I know who this is,’ ” Alperovitch said in an interview in February.

“The same thing applies to cybersecurity,” he said.

One of those tells is consistency. “The people behind the keyboards, they don’t change that much,” said DeWalt. He thinks nation-state hackers tend to be careerists, working in either the military or intelligence operations.

Pattern recognition is how Mandiant, owned by FireEye, figured out that North Korea broke into Sony Pictures’ networks.

The government stole Social Security numbers from 47,000 employees and leaked embarrassing internal documents and emails. That’s because the Sony attackers left behind a favorite hacking tool that wiped, and then wrote over, hard drives. The cybersecurity industry had previously traced that tool to North Korea, which had been using it for at least four years, including in a massive campaign against South Korean banks the year before.

It’s also how researchers from McAfee figured out Chinese hackers were behind Operation Aurora in 2009, when hackers accessed the Gmail accounts of Chinese human rights activists and stole source code from more than 150 companies, according to DeWalt, who was CEO of McAfee at the time of the investigation. Investigators found malware written in Mandarin, code that had been compiled in a Chinese operating system and time-stamped in a Chinese time zone, and other clues investigators had previously seen in attacks originating from China, DeWalt said.

Tell us more

One of the most common complaints about the evidence CrowdStrike presented is that the clues could have been faked: Hackers could have used Russian tools, worked during Russian business hours and left bits of Russian language behind in malware found on DNC computers.

It doesn’t help that, almost as soon as the DNC revealed it had been hacked, someone calling himself Guccifer 2.0 and claiming to be Romanian took credit as the sole hacker penetrating the political party’s network.

That set off a seemingly endless debate about who did what, even as additional hacks of former Hillary Clinton campaign chairman John Podesta and others led to more leaked emails.

Cybersecurity experts say it would be too difficult for hackers to consistently make it look like an attack was coming from a different group of hackers. One mistake could blow their cover.

Critics probably won’t be getting definitive answers anytime soon, since neither CrowdStrike nor US intelligence agencies plan to provide more details to the public, “as the release of such information would reveal sensitive sources or methods and imperil the ability to collect critical foreign intelligence in the future,” the Office of the Director of National Intelligence said in its report.

“The declassified report does not and cannot include the full supporting information, including specific intelligence and sources and methods.”

The debate has taken Alperovitch by surprise.

“Our industry has been doing attribution for 30 years,” although such work focused on criminal activity, he said. “The minute it went out of cybercrime, it became controversial.”

———-

“How US cybersleuths decided Russia hacked the DNC” by Laura Hautala; CNET; 05/03/2017

“Alperovitch compares his work to that of Johnny Utah, the character Keanu Reeves played in the 1991 surfing-bank-heist flick “Point Break.” In the movie, Utah identified the mastermind of a robbery by looking at habits and methods. “He’s already analyzed 15 bank robbers. He can say, ‘I know who this is,’ ” Alperovitch said in an interview in February.”

Yep, Dmitri Alperovitch compares his work to a Keanu Reeves movie character who can just look at the evidence left in a robbery and deduce who did it. That’s the underlying technique at work. And while that’s a perfectly reasonable technique for making a cautious guess about the culprits, it’s apparently being treated as a technique that can allow for near 100 percent certainty:

...
CrowdStrike and other cyberdetectives had spotted tools and approaches they’d seen Cozy Bear and Fancy Bear use for years. Cozy Bear is believed to be either Russia’s Federal Security Service, known as the FSB, or its Foreign Intelligence Service, the SVR. Fancy Bear is thought to be Russia’s military intel agency, GRU.

It was the payoff of a long game of pattern recognition — piecing together hacker groups’ favorite modes of attack, sussing out the time of day they’re most active (hinting at their locations) and finding signs of their native language and the internet addresses they use to send or receive files.

“You just start to weigh all these factors until you get near 100 percent certainty,” says Dave DeWalt, former CEO of McAfee and FireEye, who now sits on the boards of five security companies. “It’s like having enough fingerprints in the system.”
...

“You just start to weigh all these factors until you get near 100 percent certainty”

Pattern recognition leading to near 100 percent certainty. And as we saw with the Trend Micro reports, 99–100 percent certainty is indeed something the industry is arriving at with these very consequential attributions.

And this pattern recognition technique is partially predicated on the assumption that hackers don’t actually change their methods very much. Even government hackers:

...
One of those tells is consistency. “The people behind the keyboards, they don’t change that much,” said DeWalt. He thinks nation-state hackers tend to be careerists, working in either the military or intelligence operations.
...

So is it true that careerist government hackers tend to be consistent and don’t really bother switching up their techniques and ‘digital fingerprints’? Well, if so, yes, that would allow pattern recognition to be used for attribution...except for the fact that government hackers behaving consistently makes them easy marks for a false flag attack. How is this not recognized?!

Also note that even if government hackers are consistent in their methods, that might not matter if they are consistently using malware and server hosting companies that other hackers also use, leaving ambiguous digital fingerprints. The consistency might also not matter if they are consistently running their hacks by impersonating other hacking groups, although the cybersecurity industry appears to think that would be impossible for a government hacking group to do consistently without accidentally blowing their cover. Which, again, is an odd assumption to make.

What’s the industry response to these kinds of concerns? Don’t worry about false flags, because the hackers will make mistakes that reveal themselves:

...
Tell us more

One of the most common complaints about the evidence CrowdStrike presented is that the clues could have been faked: Hackers could have used Russian tools, worked during Russian business hours and left bits of Russian language behind in malware found on DNC computers.

...

Cybersecurity experts say it would be too difficult for hackers to consistently make it look like an attack was coming from a different group of hackers. One mistake could blow their cover.
...

“Cybersecurity experts say it would be too difficult for hackers to consistently make it look like an attack was coming from a different group of hackers.”

WHAT?!! How is such a conclusion arrived at?

Now, it’s true that the longer a third party tries to impersonate another hacking group, the more likely they are to make a mistake. There’s just more opportunity for mistakes when false flag attacks are consistently attempted. But what about an inconsistent attempt? Like just one or a few? Would that be very difficult?

Also keep in mind that if a false flag attack is successful, and cybersecurity researchers fall for the trick, that false flag group’s mode of operation will become the evidence used for future attributions. In other words, this “pattern recognition” technique is only as good as the quality of the past attributions. For all we know, a huge chunk of the past hacks attributed by the cybersecurity industry to Russia or China or any other country could be misattributed attacks, and the digital paper trail is a mix of tracks left by actual Russian and Chinese government hackers plus a bunch of false flag third parties. There’s no reason not to assume this is the case unless the 5-Eyes has far, far more information about who is hacking whom than they let on.

For instance, look at some of the evidence used to attribute attacks to the Chinese government: Mandarin in the code, code compiled on Chinese operating systems, and Chinese work day compile times in the malware:

...
It’s also how researchers from McAfee figured out Chinese hackers were behind Operation Aurora in 2009, when hackers accessed the Gmail accounts of Chinese human rights activists and stole source code from more than 150 companies, according to DeWalt, who was CEO of McAfee at the time of the investigation. Investigators found malware written in Mandarin, code that had been compiled in a Chinese operating system and time-stamped in a Chinese time zone, and other clues investigators had previously seen in attacks originating from China, DeWalt said.
...

Now, on the one hand, those sure seem like the signs of a Chinese hacker. On the other hand, if you were a skilled non-Chinese hacker who didn’t want to be a suspect and decided to pretend to be a Chinese hacker, wouldn’t those be exactly the kinds of ‘digital fingerprints’ you would try to leave?

And while the hacks on Chinese human rights activists seem like the kinds of targets Chinese hackers would specifically be interested in, the source code from those 150 companies seems like the kind of thing all sorts of parties would be interested in. So if you were, say, Russian or Brazilian hackers who had an interest in hacking those companies, you could wage that hacking campaign with Chinese ‘digital fingerprints’ and then target some Chinese human rights activists to lend credence to it. Do skilled professional hackers do such things? Who knows, but getting caught stealing source code from 150 companies seems like the kind of thing a hacking group would really, really, really not want to get caught doing, whether it’s a Chinese hacking group or any other hacking group. Or lone hacker. So we can’t rule the possibility out. And yes, this is very unfortunate because that’s the kind of ambiguity that encourages “international chaos” on some level, but it is what it is.
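To make the last few paragraphs concrete, here is an added Python toy model (written for this post; not code from CrowdStrike, Trend Micro, CNET or Esquire) of the indicator-weighting attribution the CNET piece describes: it scores tooling, command-and-control addresses, language strings and compile-time working hours against an actor profile, then shows how a false flag that copies published indicators gets absorbed into the profile so that the impostor's own later activity attributes to the framed actor. All actor names, tools, IP addresses, weights and timestamps are constructed.

```python
"""Toy model of indicator-weighting ("pattern recognition") attribution, added for
this post; not code from CrowdStrike, Trend Micro or any article quoted above.
It shows that every indicator class the articles cite (tooling, C2 address,
language artefacts, working hours) is attacker-supplied, and that an accepted
false flag is absorbed into the actor profile, so the impostor's later activity
scores as the framed actor. Actors, tools, IPs (RFC 5737 test ranges) and
timestamps are all constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed weights for the indicator classes the articles describe.
WEIGHTS = {"tool": 0.3, "c2_ip": 0.4, "language": 0.1, "work_hours": 0.2}

@dataclass
class Profile:  # what an analyst 'knows' about an actor from past attributions
    name: str
    tools: set = field(default_factory=set)
    c2_ips: set = field(default_factory=set)
    languages: set = field(default_factory=set)
    utc_offset: int = 0  # the 'active during local business hours' clue

@dataclass
class Incident:  # indicators recovered from one intrusion
    tools: set
    c2_ips: set
    languages: set
    compile_times: list  # UTC datetimes from sample metadata

def utc(*args) -> datetime:
    return datetime(*args, tzinfo=timezone.utc)

def in_business_hours(ts: datetime, utc_offset: int) -> bool:
    """Weekday, 09:00-18:00, in the profile's time zone?"""
    local = ts + timedelta(hours=utc_offset)
    return local.weekday() < 5 and 9 <= local.hour < 18

def score(incident: Incident, profile: Profile) -> float:
    """Weighted overlap between an incident's indicators and a profile (0.0-1.0)."""
    s = 0.0
    if incident.tools & profile.tools:
        s += WEIGHTS["tool"]
    if incident.c2_ips & profile.c2_ips:
        s += WEIGHTS["c2_ip"]
    if incident.languages & profile.languages:
        s += WEIGHTS["language"]
    hits = sum(in_business_hours(t, profile.utc_offset) for t in incident.compile_times)
    if incident.compile_times and hits / len(incident.compile_times) >= 0.8:
        s += WEIGHTS["work_hours"]
    return round(s, 2)

def attribute(incident: Incident, profiles: list, bar: float = 0.7) -> tuple:
    """Best-matching actor and its score, or None when the score is below the bar.
    The bar is a constructed parameter: the articles describe weighing clues
    'until you get near 100 percent certainty' without saying where the line is."""
    best = max(profiles, key=lambda p: score(incident, p))
    best_score = score(incident, best)
    return (best.name if best_score >= bar else None, best_score)

def learn(profile: Profile, incident: Incident) -> None:
    """The feedback loop: an attributed incident's indicators become profile evidence."""
    profile.tools |= incident.tools
    profile.c2_ips |= incident.c2_ips
    profile.languages |= incident.languages

def run_simulation() -> dict:
    """Three constructed incidents scored against one constructed profile."""
    actor_a = Profile("ACTOR-A", {"ToolX"}, {"203.0.113.10"}, {"ru"}, utc_offset=3)
    profiles = [actor_a]
    # 1. Genuine ACTOR-A activity: its tool, its already-published C2 address, its
    #    language strings, samples built Mon 10:00 and Tue 14:30 local time (UTC+3).
    genuine = Incident({"ToolX"}, {"203.0.113.10"}, {"ru"},
                       [utc(2016, 3, 14, 7, 0), utc(2016, 3, 15, 11, 30)])
    # 2. A third party's false flag: copies the published C2 address, the tool and
    #    the language strings and builds inside ACTOR-A's working hours, but also
    #    brings its own dropper (ToolY) and its own server (198.51.100.7).
    false_flag = Incident({"ToolX", "ToolY"}, {"203.0.113.10", "198.51.100.7"}, {"ru"},
                          [utc(2016, 5, 9, 6, 30), utc(2016, 5, 10, 12, 0)])
    # 3. The same third party later, with no disguise: only its own tool and server,
    #    no language artefacts, built late in the evening UTC+3.
    later = Incident({"ToolY"}, {"198.51.100.7"}, set(),
                     [utc(2016, 6, 1, 19, 0), utc(2016, 6, 2, 20, 0)])
    results = {"genuine": attribute(genuine, profiles),
               "false_flag": attribute(false_flag, profiles),
               "later_before_learning": attribute(later, profiles)}
    learn(actor_a, false_flag)  # the false flag is accepted as ACTOR-A evidence...
    results["later_after_learning"] = attribute(later, profiles)  # ...and poisons this
    return results

if __name__ == "__main__":
    for label, (actor, s) in run_simulation().items():
        print(f"{label:>22}: {actor} (score {s})")
```

Before the false flag is absorbed, the impostor's undisguised operation scores 0.0 against ACTOR-A; afterwards the same operation clears the bar on the strength of indicators that were never ACTOR-A's at all.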

At the same time, let’s remember that it’s entirely possible the NSA and Five Eyes really do have much more information on who is carrying out various hacks (perhaps by storing almost all internet traffic and decrypting what they can) but can’t reveal it, and that shoddy public attribution cases are built to provide public cover for attributions actually made with evidence they can’t reveal. So would it be fine for the cybersecurity industry to standardize ‘pattern recognition’ as the gold standard for conclusive attribution if it were really just acting as a proxy for attributions made by the NSA or some other government agency with secret evidence? That seems like a massive risk, because once that attribution standard is established it’s usable by all sorts of companies and governments for whatever reasons they choose. Heck, a government could hack itself and frame an adversary simply by leaving a bunch of ‘digital fingerprints’. For all we know that’s already happening.

And that’s why making attribution the key to cyber defense is such a risky ‘new normal’. Exploiting the weaknesses of the “pattern recognition” approach to hacks is the ultimate weapon for “international chaos”.

Sure, the ‘old normal’ of refraining from attribution when the evidence is ambiguous is also a recipe for “international chaos”, in the form of lots of hacking that’s difficult to stop. But when you compare that kind of ‘chaos’ to the risk of an international conflict sparked by something like a false flag election hack, the ‘old normal’ looks like the preferable ‘normal’. This ‘new normal’ is pretty scary.

And yet, when you read Alperovitch’s final comments in the above article, he expresses surprise that there’s been so much debate over whether his “pattern recognition” approach to attribution is appropriate for attributing government hacks:

...
The debate has tak­en Alper­ovitch by sur­prise.

“Our industry has been doing attribution for 30 years,” although such work has focused on criminal activity, he said. “The minute it went out of cybercrime, it became controversial.”
...

“Our industry has been doing attribution for 30 years,” although such work has focused on criminal activity, he said. “The minute it went out of cybercrime, it became controversial.”

The minute pattern recognition attribution went out of cybercrime and got used to attribute government hacking groups and high-profile political hacks, it became controversial. And for some reason this is surprising. Never mind that a false flag in the realm of cybercrime is a completely different story from a false flag staged to frame a country, both in the capabilities and in the motivations of the likely perpetrators. It’s also wildly different in terms of the need for accuracy. It’s not great if you screw up the attribution of a cyber burglary by a common hacker, but you really don’t want to misattribute something like an election hack.

And let’s not forget that hack attacks can get a lot more disruptive than an election attack. Imagine a hack that takes down a national power grid, maybe for an extended period of time. What’s the better attribution ‘normal’ in that situation? The ‘old normal’, where public attribution of government hacks was rare, which could conceivably encourage governments to think they can get away with such an attack? Or the ‘new normal’, where you could conceivably incentivize a devastating cyber false flag that takes down a power grid? Or maybe triggers a nuclear plant meltdown?

Which ‘normal’ is worse? It seems like the ‘old normal’ is probably safer, since there’s still the implicit threat of mutually assured retaliation without incentivizing false flags. But if there’s one ‘permanent normal’, it’s that humanity is always going to have to struggle with the appropriate approach to cyber attribution as long as ‘perfect crime’ false flags are a technical possibility. This debate isn’t going away. Nor should it. It’s similar to the debate over the balance between security and privacy for things like strong end-to-end encryption: a debate that shouldn’t actually be concluded. Sure, policy decisions need to be made, but we shouldn’t assume those policies reflect a conclusion of the debate.

It’s also similar to the encryption debate in that high-quality government agencies and officials the public can reasonably trust are probably one of the most important tools for navigating this minefield of risks.

So we have this horrible situation where it’s ‘international chaos’ one way or another. And yet the message we’re hearing from US and German (and other) cyber chiefs is that they are 100 percent sure all these hacks being attributed to ‘sloppy’ Russian hackers really are Russian hackers. And the message from Putin is basically, “that wasn’t us, but if it was, that would be OK and justified.” On top of that, the Macron hack took place last year with ‘Alt-Right’ neo-Nazi fingerprints all over it, and that fact is almost entirely ignored; there was never a real attempt to explain it. This situation is an international cyber-tinderbox.

And as a consequence of this environment, we get stories like the one Trend Micro just issued about the US Senate phishing sites, made with 100 percent confidence based on “pattern recognition”. That conclusion is international news and largely accepted without any meaningful consideration of the possibility that, say, neo-Nazi hacker extraordinaire Andrew ‘weev’ Auernheimer, or perhaps another government, set up those sites and left a bunch of ‘digital fingerprints’ designed to make it look like a ‘Fancy Bear’ operation. And no recognition that, if this was indeed a ‘Fancy Bear’ operation, it conspicuously left digital fingerprints leading back to previous hacks, making this the latest incident of Russian hackers apparently getting super sloppy ever since the conflict in Ukraine broke out. Instead, it’s just blanket acceptance of the report, and that means it’s a situation ripe for all sorts of ‘international chaos’. Think about how many different entities probably want to run their own ‘Russian hacker’ false flag operations now.

Who knows, maybe the sudden change in Russian hacker behavior starting in 2014, where digital infrastructure keeps getting reused hack after hack and lets the cybersecurity industry go on a ‘pattern recognition’ spree, really is a Kremlin operation designed to entice hackers and governments around the world to pretend to be Russian hackers, so that a bunch of false flag operations get exposed and poison the well of ‘Russian hacker’ attribution. That would be an incredibly risky operation, but the rewards could be handsome. And very sneaky.

So let’s con­sid­er some basic sce­nar­ios:

A. Putin really has ordered a high-profile trollish hacking campaign following the outbreak of the Ukraine conflict as part of a strategy where Russia getting the blame is seen as either desirable or inconsequential. They’re self-implicating for a reason.

B. Putin really has ordered a hacking campaign following the outbreak of the Ukraine conflict, and they keep leaving digital evidence because there’s been a degradation in the quality of Russian hacking personnel. And for some reason the issue of reusing compromised digital infrastructure hasn’t been adequately addressed.

C. Putin really has ordered a high-profile trollish hacking campaign following the outbreak of the Ukraine conflict to be carried out by mafia hackers or some other proxies, and they keep screwing up and leaving fingerprints. And the Kremlin keeps using them for some reason despite all the screw-ups.

D. It really is ‘patriotic hackers’ operating on their own, and the Russian government isn’t keen on stopping them despite all the blame they direct back to Russia.

E. One or more third parties, recognizing the opportunity the Ukraine conflict created for pushing a false flag ‘Russian hacker’ campaign, decided to wage such a campaign over the last few years, running one high-profile hack after another with full confidence that Western powers and the cybersecurity industry are strongly biased towards attributing hacks to Russia.

F. Some mix of A through E.

A range of possibilities is a basic element of this hacking situation, and it’s almost never acknowledged these days. For any hack. Why isn’t that considered extremely dangerous?

And it’s entirely possible that we’re seeing a situation where Putin is laying a trap based on the observation that the cybersecurity industry appears ready and willing to build 100 percent attribution narratives for public consumption, for hire:

1. Have Russian hackers carry out a conspicuous wave of hacks filled with digital evidence that points back to Russia but could easily have been planted.

2. Infuriate Western governments that know it’s Russian hackers because they have means of detection that can’t be publicly revealed. Like super-secret NSA/Five Eyes evidence.

3. The cybersecurity industry basically offers to create a narrative ‘proving’ Russia did it, using a shoddily constructed case based on guesswork and a refusal to accept the possibility of false flag hacks. And we effectively have to take their word for much of it. This is seen as acceptable in order not to let Russia get away with its flagrant hacking campaign.

4. Eventually the shoddiness of that attribution method is revealed and used to discredit past and present attributions against Russia. Putin smiles.

Might that explain the sudden sloppy aggressiveness of ‘Russian hackers’ over the past few years? Who knows, but something very odd is happening with all these ‘Russian hackers’ and there’s virtually no interest in understanding why.

Of course, there are two very obvious reasons there might be so much resistance to the idea of false flag attacks:

1. The fear that such talk might end up help­ing Pres­i­dent Trump avoid cul­pa­bil­i­ty for col­lud­ing with Rus­sia dur­ing the 2016 cam­paign

2. The fear that it might help take the heat off Putin in the midst of a Russ­ian troll­ish hack­ing cam­paign tar­get­ing West­ern democ­ra­cies.

But those aren’t great reasons. Even if Putin really has ordered a high-profile, trollish, destabilizing hacking campaign, not acknowledging the false flag angle just invites third parties to participate and create more chaos. And while you might be tempted to think, “oh good, all those false flag attacks will get attributed to Putin and apply even more international pressure on Russia to [insert demand here],” that’s an insane attitude. What if the false flag is much nastier, like a grid attack? That’s flirting with a WWIII-started-by-a-third-party scenario.

And it’s not like introducing the possibility that the DNC server hacks could have involved a false flag third party has to be all that disruptive to the #TrumpRussia investigation. At this point that investigation is filled with so much evidence of the Trump campaign’s active desire to collude with Russia, based on all the other incidents of Russian footsie, that it could go on almost without a hitch even if it were determined that a 400 pound guy in bed (or a neo-Nazi hacker like Andrew Auernheimer sitting in bed) did the DNC hacks alone. The DNC hacks were central to the #TrumpRussia investigation at the beginning of Trump’s term, but we’re now a year into it. Just look at a sampling of what we’ve learned:

1. Trump is basi­cal­ly a mobbed up celebri­ty busi­ness­man.

2. Donald Trump Jr., Paul Manafort, and Jared Kushner held a meeting in Trump Tower after Rob Goldstone promised Russian government help in the form of dirt on Hillary. Whether or not they actually colluded with Russia, they certainly wanted to. None other than Steve Bannon reportedly called this “treasonous” behavior.

3. Trump’s campaign foreign policy advisor, George Papadopoulos, told Australia’s top diplomat in the UK that the Russians told him they had thousands of Hillary Clinton’s emails.

4. GOP financier Peter Smith ran an operation to find Hillary’s hacked emails. They admitted they were fine if the emails came from Russian government hackers. Much of the Trump team was reportedly involved: Steve Bannon, Kellyanne Conway, Sam Clovis, and Michael Flynn.

5. Peter Smith’s email-hunting expedition asked ‘Alt-Right’ troll-journalist Charles “Chuck” C. Johnson who might know how to contact hackers on the Dark Web with Hillary Clinton’s emails. Johnson told Smith’s team that they should contact Andrew Auernheimer. Johnson also told Smith’s team that there were other ‘Alt-Right’ teams looking for Hillary’s emails on the Dark Web. Which sounds a lot like the team that distributed the Macron emails.

6. Peter Smith’s email-hunt­ing expe­di­tion also inquired with “Guc­cifer 2.0” about who might know how to con­tact hack­ers on the Dark Web with Hillary Clin­ton’s emails. Guc­cifer 2.0 told Smith’s team that they should con­tact Andrew Auern­heimer.

7. Barbara Ledeen, wife of Michael Ledeen (who co-authored a book on foreign policy with Michael Flynn), started her own Dark Web expedition with Newt Gingrich in 2015 hunting for Hillary’s emails.

8. All the oth­er crazy crap Michael Fly­nn did.

9. All of Trump’s blatant obstruction of justice already known to the public. Even if he’s innocent of everything else, he’s still pretty clearly guilty of obstruction of justice. He talks about it.

10. Paul Manafort is super shady, and according to his daughter’s hacked text messages he may have been involved in the Ukraine sniper attacks.

11. Felix Sater’s Russ­ian Mobster/FBI/CIA infor­mant past. A past Trump claimed to not know about.

12. Felix Sater and Trump Org attor­ney Michael Cohen tried to con­tact the Krem­lin for a Trump Tow­er Moscow deal dur­ing the cam­paign.

13. Cambridge Analytica is owned by SCL. SCL employed military-grade psychological warfare specialists to manage big opinion-changing campaigns targeting nations. And they’ve psychologically profiled most of the US.

14. Don­ald Trump, Jr. and Julian Assange were chat­ting with each oth­er over Twit­ter’s direct mes­sag­ing sys­tem dur­ing the cam­paign.

15. The Trump campaign had embeds from Facebook, Google, and Twitter. These embeds helped the Trump campaign wage an unprecedented microtargeting campaign and sophisticated social media profiling campaigns, using the highly personalized messaging strategies these social media giants made available to it.

16. The Russian ‘troll farm’ Internet Research Agency had its own weird social media campaigns. This wasn’t remotely as big or significant as the Trump campaign’s social media presence, and a lot of the troll farm’s activity appeared to be experiments in seeing whether they could initiate real-world action through social media enticement, but it’s certainly worth investigating. Especially since it’s entirely possible someone other than the Kremlin hired their services. Although if it was someone like Paul Manafort hiring them as a dirty tricks team for the Trump campaign, that would presumably be done with Putin’s approval, since that’s pretty sensitive and the Internet Research Agency is a close ally of Putin.

17. US intelligence officials acknowledged back in July of 2016, a week after the big DNC email batch was leaked by Wikileaks, that the hack was significantly less sophisticated and sloppier than previous Russian government hacks. And the hackers left Cyrillic character data on the hacked DNC servers. Intelligence sources acknowledged that the attribution was based on deduction and not hard technical evidence, and deduced that the sloppiness was intentional trollish signaling meant to show it was Russia. And if that’s true, when you factor in all the footsie Kremlin operatives (or people posing as Kremlin operatives) were playing with the Trump campaign during the time of this unusually sloppy hack, it suggests the Kremlin could have been trying to get caught and have its ties with the Trump campaign exposed in the subsequent investigation. And that’s a somewhat hilarious scenario that could help with de-escalating US/Russian tensions.

18. The final conclusive attribution by the US intelligence community that Putin ordered the DNC hacks was based on an intelligence source deep within the Kremlin who claimed Putin ordered the attacks, and not on the “pattern recognition” analysis by CrowdStrike or other cybersecurity companies. So, assuming you believe this Kremlin source, standing behind the “pattern recognition” methodology isn’t critical to any case against the Trump campaign anyway.

19. Trump might be insane.

And that’s just a sam­pling of the rev­e­la­tions that are now avail­able for any inves­ti­ga­tors into Trump’s fit­ness for office.

So when you look at the full scope of all the evidence made public so far of the Trump campaign’s willingness and desire to collude with the Russian government, whether or not Russia carried out the DNC hack is almost beside the point. All the footsie the Trump campaign and Trump Organization were playing with apparent Kremlin operatives throughout the campaign (George Papadopoulos, Felix Sater and Michael Cohen, the Trump Tower meeting) opens up the potential for blackmail anyway, with or without Russian government hackers being behind the DNC server hack. And the mobster-ish past of Trump and so many figures in his orbit is all the more reason to worry about things like blackmail. Who actually hacked the DNC is an interesting side note when put in the broader context of whether or not Trump is fit for office.

And that cre­ates a mar­velous poten­tial open­ing for address­ing two crit­i­cal goals the US should have at this point:
1. De-escalating the situation with Russia. De-escalation of US-Russian tensions really should be a priority even if you’re pissed at Putin over the 2016 election meddling. The longer this cyber-standoff/trolling situation between the US and Russia goes on, the more time there is for third party false flag attacks or for things to spiral out of control. Especially with Trump in place. The strategy of ratcheting up international pressure on Russia until some ‘Russian Spring’ happens is high risk and could result in a Russian ultra-nationalist far more dangerous than Putin replacing him. That would be a catastrophe. A ‘Russian reset’ based on collective marveling at the corruption of Trump and the GOP would be a much better response.

And...

2. Addressing the “international chaos” risks that a “pattern recognition” standard of cyber attribution introduces into world affairs. These techniques are vulnerable to spoofing and incentivize false flags. If an agency like the NSA wants to declare that it knows something using its superior knowledge, that’s one thing. But granting credibility to random cybersecurity firms using “pattern recognition” techniques for attribution in cases like nation-state-on-nation-state hacking is wildly dangerous. Don’t forget that the approach to stopping hacks advocated by Dmitri Alperovitch, that publicly naming and shaming the hacker is key to defense, doesn’t necessarily dissuade hackers. It might just make them more intent on pretending to be someone else.

So what’s the opening the US should make to address these twin goals? The US should openly entertain the possibility that some of these high-profile Russian hacks might actually be false flags. Just get that idea out there so the public isn’t lulled into thinking “pattern recognition” is really the kind of gold standard we should accept for nation-state-on-nation-state hacking attributions. At the same time, the US should simultaneously point out that, if these hacks are indeed ordered by the Russian government, running a high-profile self-implicating hacking campaign (one seemingly designed to raise questions about whether it’s a false flag because it’s so over the top) is incredibly dangerous and irresponsible and a recipe for international chaos. If Putin actually ordered the years-long self-incriminating hacking campaign we’ve seen from Russian hackers since the outbreak of the conflict in Ukraine in 2014, that is simultaneously kind of clever and wildly irresponsible. And stupid. Because now any random hacker can frame Russia for all sorts of hacks against all sorts of countries and interests. All they’d have to do is run a sloppy, seemingly intentionally self-incriminating hacking campaign intended to trigger a “pattern recognition” match with previous ‘Russian hacks’. And while Putin and the Russian government may have decided that getting framed for hacks like, say, the Macron election hack is acceptable, what about an attack blamed on Russia that takes a Western power’s power grid down? Or one that triggers a nuclear meltdown? That might not be the kind of thing you want to get framed for, even if you’re a nuclear power.
If Putin really did launch the kind of hacking campaign we’ve seen since 2014, that was a desperate and dangerous move that really does risk triggering “international chaos”, and he needs to stop.

Why can’t the US make that argument without feeling like some sort of major concession was made that helps Putin? It’s an argument that raises the degree of the crime if the Kremlin really is behind this high-profile “I’m a Russian hacker!” campaign, by making it clear to the world that this is creating a real risk to the world. And it’s an argument that also makes it clear to the Russian people that it’s incredibly dangerous to them if the Kremlin is really doing this. Do the Russian people want a neo-Nazi elite hacker like Andrew ‘weev’ Auernheimer framing them for something a lot more horrific than hacked political emails? That seems like a massive national risk.

And the above argument helps head off the risk to the world presented by vulnerable cyber attribution standards too. Don’t forget, the US intelligence community’s conclusion that Putin was behind the hacks was based on intelligence from a single source deep within the Kremlin who claimed Putin ordered the attacks, and was not based on the “pattern recognition” analysis by CrowdStrike or other cybersecurity companies. Not the initial pattern recognition guesswork, because that was inconclusive, even though it led to the initial hunch that Russia was behind it. Also don’t forget that there are a lot more high-profile hacks attributed to the Russians in recent years, so acknowledging the possibility that some of these hacks could be false flags doesn’t raise this question solely about the DNC hack. What about the ‘Alt-Right’ fingerprints all over the Macron hack? Aren’t people interested in resolving that mystery? And if a bunch of ‘Alt-Right’ neo-Nazis turned out to be behind the DNC hack instead of the Kremlin, is that somehow good news for Trump and the GOP? Even if a 400 pound hacker in bed did the DNC hack, there’s still all the evidence of the Trump campaign’s desire to collude with the Russians and the subsequent blatant obstruction of justice.

Don’t forget that impeaching Trump is a political decision in the end, not a criminal one. Even if raising the possibility of a non-Kremlin source behind the DNC hack complicated the Mueller investigation’s ability to bring criminal charges in relation to the election hack, it’s not like that criminal charge is a deciding factor for impeachment purposes. That’s a political choice. What if the Trump campaign and the GOP arranged for their own ‘Russian hackers’? Or perhaps a bunch of ‘Alt-Right’ hackers the Trump team had extensive contact with were behind the DNC and Macron hacks? Those kinds of scenarios wouldn’t exactly help their case against impeachment, would they? Is it politically acceptable to collude with ‘Alt-Right’ hackers now?

Impeaching Trump is also an act fraught with great peril and probably shouldn’t be considered the top priority for Democrats. Mike Pence could bring a level of competency to the White House that could be far more damaging than Trump’s daily whirlwind of chaotic corruption. And even if Mike Pence is impeached, next in line is the Koch-puppet House Speaker Paul Ryan. There isn’t really a ‘happy ending’ impeachment scenario here. If Trump gets impeached, a huge chunk of the American conservative base is going to go more insane and develop an even more malignant grievance complex, and that psychological wound will be nursed for decades. So is it worth impeaching the blatantly crazy fascist who might blow up the world only to have him replaced by a far more competent fascist? Both scenarios feel like existential risks. In other words, even if you could impeach Trump tomorrow over the Russian hacking and replace his dangerous chaos with a President Pence or Ryan, are you sure you want to do that? Super sure? It’s another example of a contemporary catastrophic ‘no-win’ situation. A classical non-technological ‘no-win’ situation: do we try to replace an unpredictable extreme danger with a more predictable extreme danger? Who knows. And that ambiguity over whether impeaching Trump is even a desirable scenario is another reason not to fear letting Trump ‘off the hook’ by acknowledging the possibility that the hacks being attributed to Russia might include false flags.

Given all the catastrophic no-win situations swirling around this issue of cyber attribution, how is a society to proceed? Well, here’s something to keep in mind: the future of hacking attribution is probably going to depend on the credibility of the authority making the attribution, since authoritative attribution will probably depend on information that can’t be publicly revealed. That’s basically the situation today, where an agency like the NSA is often left to make the final ‘call’ on attribution. But we could become more reliant on trusting an authority with access to secret information in the future, especially if we acknowledge the reality of false flags, and that’s going to raise the question of whether that authority can be trusted. And in a world of false flag cybercrimes at a nation-state level, that adds one more reason to have a very credible government. And how do we get credible governments? By creating societies that seem really nice and are run by people who seem very unlikely to engage in malicious false accusations. Being really, really, really nice and non-aggressive could be a key element of national cyber-defense in the future, because the country with the most credibility could end up with the final word in the court of public opinion. And the court of public opinion matters in the realm of international cyber warfare.

Look at it this way: the catastrophic no-win situations around cyber attacks and attribution make having a high-quality, trustworthy government with a formidable intelligence capacity, whose word is respected around the globe, a national security priority. And the only way to realistically accomplish that feat is for a society to develop a track record of actually being really nice and compassionate and trustworthy and not aggressively ambitious. Sure, on one level this is utopian thinking. But when you think about the array of new technologies that will allow for devastating attacks that could be carried out without clear attribution (false flag biowarfare, false flag nuclear attacks, false flag assassin drone attacks, false flag [insert technological horror show here]), it’s hard to see why false flag attacks aren’t going to be a popular mode for waging both warfare and terrorism, and that all makes having a really well-respected society all the more important in the future. Good! It’s one more reason for building good, decent societies populated by honorable and trustworthy individuals. How do we accomplish that? Good question! Let’s figure that out. It probably involves a nation carrying out the dual focus of being really decent to its citizens while constantly trying to make the world at large a better place. Which is something that shouldn’t be considered utopian thinking and instead should be seen as a basic survival strategy for a high-tech future. Plus, it’s not like this is the only technological nightmare situation that calls for a dedication to very good, trustworthy societies and governments.

And there’s one key aspect to being a well-liked, trustworthy nation with the kind of international credibility to make an attribution that will be believed, and it’s an ironic one: the capacity to ‘turn the other cheek’ and not respond in kind after an attack, even after a public attribution is made. Yep, shaming the blamed attacker while simultaneously de-escalating the situation even after an attribution is made could be a great way for a society to build up ‘attribution cred’. And it might actually keep situations from spiraling out of control. Because if we apply the ‘mutually assured destruction’ mode of dissuading attacks that’s been successfully employed with nuclear strikes to future technologies where attribution is far more difficult than for a nuclear strike, we’re just asking for third parties to pick fights between nations with false flag attacks. Don’t forget that a third party could conceivably wage a false flag attack and a false flag counter-attack. That’s the kind of craziness that’s going to be unleashed by technology that potentially enables individuals to carry out devastating non-attributable attacks. That’s the future. The ‘400 pound hacker in his bed’ really might start WWIII in the future. And WWIV after that. So our future had better involve quite a bit of ‘turning the other cheek’ if it’s going to avoid being a smoldering future. Utopian thinking might be a basic survival strategy going forward.

And if ‘being a real­ly, real­ly nice and trust­wor­thy coun­try’ feels like a high-risk solu­tion for how to address the threat of tech­no­log­i­cal false flags, don’t for­get: inter­na­tion­al chaos. That’s the future we invite when tech­no­log­i­cal false flags and mutu­al­ly assured destruc­tion is the norm. So when you read sto­ries about cyber attri­bu­tions being made with near cer­tain­ty in these high-pro­file hacks based on cir­cum­stan­tial evi­dence and guess­work, keep in mind that the only thing you should be 100 per­cent cer­tain about is that this lev­el of cer­tain­ty is a real­ly bad idea for a lot of rea­sons

Discussion

13 comments for “Cyber Attribution, the Macron hacks, and the Existential Threat of Unwarranted Certainty”

  1. @Pterrafractyl–

    Conspicuous in its glaring absence from this story is the fact that the CIA’s cyber-weaponry is specifically designed to mimic Russian cyber-espionage and warfare software.

    Best,

    Dave Emory

    Posted by Dave Emory | January 16, 2018, 9:55 pm
  2. @Dave: Lol, yeah, the cybersecurity industry isn’t super keen on talking about that. But in terms of the CIA’s hacking tools specifically set up to mimic a Russian hacking operation, part of what makes that angle so interesting in this story is how the ‘Russian hackers’ — hacks attributed to the Russian government — appear to have suddenly changed their behavior after the outbreak of the conflict in Ukraine in 2014, and the big “Vault 7” batch of CIA hacking tools the Shadow Brokers released had files that were from no later than 2013.

    So one of the questions that needs to be answered about the CIA’s Russian-mimicking hacking tools is whether or not the kind of ‘Russian hacker’ fingerprints it leaves more closely mimic the behavior attributed to ‘Russian hackers’ before or after the change in Russian hacking behavior that started after the 2014 Ukraine crisis. Because if the CIA hacking tools from 2013 more closely mimicked the ‘Russian hacker’ behavior starting in 2014, that would be quite something.

    And based on the pattern recognition methodology the cybersecurity industry has adopted, there are all sorts of ways a hacking tool might leave a ‘Russian hacker’ digital fingerprint. Maybe it simply does graffiti-like acts like inserting Cyrillic characters into the ‘digital fingerprints’ left behind? Or perhaps there’s something more specific like leaving trails back to digital infrastructure previously attributed to Russia (previously attributed malware, IP bands, etc.)? That’s unclear because there hasn’t really been much detailed reporting on how that ‘Russian hacker’ CIA tool set operates.

    But there has been some reporting on the tool kit. Leonid Bershidsky had a piece in Bloomberg shortly after the Vault 7 release that contained a bit on the tools used to impersonate a foreign intelligence service, and it sounds like the mimicry tools largely involved leaving foreign languages in the malware and a library of malware that is either publicly available or previously attributed to foreign intelligence services. Bershidsky goes on to suggest that this wouldn’t really be an adequate set of tools required to really pull off a false flag hack because the cybersecurity industry wouldn’t accept such low standards, which is kind of funny because the above OP was about how the industry just might accept such low standards. He then points to how the DNC hack attribution was based on the use of specific command and control servers known to be used by Russian intelligence and suggests that this is the kind of higher standard used for serious attribution (this is the same command and control server that was later revealed to be publicly known since 2015 and vulnerable to the Heartbleed attack). So it sounds like, at a minimum, the Vault 7 hacking tools would facilitate some of the more overt “I’m a Russian hacker” digital graffiti:

    Bloomberg View

    Wikileaks’ CIA Revelations Look Like a Dud for Now
    No, the CIA probably hasn’t hacked your instant messengers or your smart TV.

    by Leonid Bershidsky
    March 8, 2017, 6:54 AM CST

    Wikileaks’ latest data dump, the “Vault 7,” purporting to reveal the Central Intelligence Agency’s hacking tools, appears to be something of a dud. If you didn’t know before that spy agencies could apply these tools and techniques, you’re naive, and if you think it undermines the attribution of hacker attacks on the Democratic National Committee and other targets, you’ll be disappointed.

    ...

    The obfuscation story is similarly unimpressive. The Wikileaks cache contains a manual for CIA hackers on making their malware harder to trace, for example, by adding foreign languages. Wikileaks also said that the CIA “collects and maintains a substantial library of attack techniques ‘stolen’ from malware produced in other states including the Russian Federation.” The library, however, contains all sorts of publicly available malware, as well as samples tentatively attributed to foreign intelligence services; all that does is confirm that hackers, including CIA ones, aren’t picky about the origins of the products they use. The important thing is that the malware should work.

    This shouldn’t affect serious attempts to attribute hacker attacks. I’m not sure this is fully understood within the U.S. intelligence community itself — at any rate, the declassified report on Russian hacking it released late last year appeared to base attribution on the use of specific publicly available malware. But industry experts usually need much more evidence. A number of possible Russian attacks were attributed to Moscow’s intelligence services because the attackers used specific command and control centers — servers — to collect information from various Russia adversaries. To set up a false flag operation, the CIA would need to go much further than obfuscating the origins of its malicious code.

    ...

    ———-

    “Wikileaks’ CIA Revelations Look Like a Dud for Now” by Leonid Bershidsky; Bloomberg View; 03/08/2017

    “The obfuscation story is similarly unimpressive. The Wikileaks cache contains a manual for CIA hackers on making their malware harder to trace, for example, by adding foreign languages. Wikileaks also said that the CIA “collects and maintains a substantial library of attack techniques ‘stolen’ from malware produced in other states including the Russian Federation.” The library, however, contains all sorts of publicly available malware, as well as samples tentatively attributed to foreign intelligence services; all that does is confirm that hackers, including CIA ones, aren’t picky about the origins of the products they use. The important thing is that the malware should work.”

    A manual recommending foreign languages and a library of previously attributed malware. That’s at least part of what’s in Vault 7’s toolkit for identity obfuscation.

    And as Bershidsky ironically puts it, “This shouldn’t affect serious attempts to attribute hacker attacks.” And he’s correct that it shouldn’t affect serious attempts to attribute hacker attacks. But these kinds of ‘clues’ clearly do affect serious attempts at attribution, because we’ve seen such ‘clues’ pointed to as evidence over and over since the advent of these high-profile hacks:

    ...
    This shouldn’t affect serious attempts to attribute hacker attacks. I’m not sure this is fully understood within the U.S. intelligence community itself — at any rate, the declassified report on Russian hacking it released late last year appeared to base attribution on the use of specific publicly available malware. But industry experts usually need much more evidence. A number of possible Russian attacks were attributed to Moscow’s intelligence services because the attackers used specific command and control centers — servers — to collect information from various Russia adversaries. To set up a false flag operation, the CIA would need to go much further than obfuscating the origins of its malicious code.
    ...

    So it will be interesting to see if there are more detailed reports on those capabilities somewhere and how many of them were obvious things lots of hackers must know, like “insert foreign language and reuse malware”, and how many were novel techniques. It certainly seems like a topical set of questions. Especially now that this toolkit is ‘in the wild’.

    Posted by Pterrafractyl | January 17, 2018, 12:27 am
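The indicators the comment above and the Bershidsky excerpt describe (foreign-language strings, code reused from previously attributed malware, overlap with known command-and-control servers, plus the build-timestamp working-hours heuristic that public attribution reports also lean on) are all chosen by whoever builds the malware. The following Python is an added example, not code from the post or from any commenter: a toy scorer in that pattern-recognition style, the working-hours timezone inference, and a planting routine that turns a sample with no overlap into one the scorer attributes as confidently as a genuine match. The profile, the IP addresses (RFC 5737 documentation ranges), the code-fragment names and the timestamps are all constructed for this example and correspond to no real indicator.

```python
"""Toy indicator-based attribution scorer (added example; all data constructed)."""
from dataclasses import dataclass
from datetime import datetime, timezone
import re
from typing import Dict, List, Set, Tuple

CYRILLIC = re.compile(r"[\u0400-\u04FF]")

# Stand-in for a published "Russian APT" indicator profile. Every value is
# constructed for this example: TEST-NET addresses and invented fragment names.
# A defender can only ever list things an attacker chose to leave behind.
PROFILE: Dict[str, Set] = {
    "c2_ips": {"198.51.100.23", "203.0.113.77"},
    "code_fragments": {"leaked_tunnel_init", "public_loader_v2"},
    "work_tz_hours": {3},          # build clock that reads as a UTC+3 workday
    "language_ids": {0x0419},      # Windows LCID for ru-RU in a PE resource table
}


@dataclass
class Sample:
    name: str
    strings: List[str]          # printable strings pulled from the binary
    c2_ips: Set[str]            # hosts it beacons to
    code_fragments: Set[str]    # recognizable reused code
    compile_ts: List[int]       # build timestamps, UTC epoch seconds
    language_id: int            # resource-table language ID


def infer_work_timezone(timestamps_utc: List[int]) -> int:
    """UTC offset (hours) under which the most build timestamps land in a
    09:00-18:00 workday: the 'operator working hours' heuristic seen in
    public attribution reports. Ties go to the smallest offset."""
    best_offset, best_hits = 0, -1
    for offset in range(-12, 15):
        hits = sum(9 <= ((ts // 3600) + offset) % 24 < 18 for ts in timestamps_utc)
        if hits > best_hits:
            best_offset, best_hits = offset, hits
    return best_offset


def score(sample: Sample, profile: Dict[str, Set]) -> List[str]:
    """Names of the profile indicators the sample matches. Each one is
    something the builder of the malware controls directly."""
    matched = []
    if any(CYRILLIC.search(s) for s in sample.strings):
        matched.append("cyrillic_strings")
    if sample.c2_ips & profile["c2_ips"]:
        matched.append("known_c2_overlap")
    if sample.code_fragments & profile["code_fragments"]:
        matched.append("reused_attributed_code")
    if infer_work_timezone(sample.compile_ts) in profile["work_tz_hours"]:
        matched.append("build_clock_timezone")
    if sample.language_id in profile["language_ids"]:
        matched.append("resource_language_id")
    return matched


def attribute(sample: Sample, profile: Dict[str, Set], threshold: int = 3) -> Tuple[str, int]:
    """Verdict in the pattern-recognition style: enough matches and it is 'attributed'."""
    matched = score(sample, profile)
    return ("attributed" if len(matched) >= threshold else "inconclusive"), len(matched)


def plant_false_flag(sample: Sample, profile: Dict[str, Set], target_tz: int) -> Sample:
    """Copy of `sample` carrying every indicator in `profile`. Nothing here
    needs access to the impersonated actor: a Cyrillic debug string, a code
    fragment from a public leak, a C2 address from public reporting, a
    resource language ID, and a build clock shifted into the target timezone."""
    shift = (infer_work_timezone(sample.compile_ts) - target_tz) * 3600
    return Sample(
        name=sample.name + "+planted",
        strings=sample.strings + ["Ошибка: модуль не загружен"],
        c2_ips=sample.c2_ips | {sorted(profile["c2_ips"])[0]},
        code_fragments=sample.code_fragments | {sorted(profile["code_fragments"])[0]},
        compile_ts=[ts + shift for ts in sample.compile_ts],
        language_id=sorted(profile["language_ids"])[0],
    )


def _utc(hour: int) -> int:
    """Constructed build timestamp on an arbitrary date at the given UTC hour."""
    return int(datetime(2017, 3, 6, hour, 30, tzinfo=timezone.utc).timestamp())


# Constructed samples. GENUINE matches the profile on every axis; NEUTRAL is a
# UTC+8 build with no overlap at all.
GENUINE = Sample("genuine", ["Ошибка загрузки модуля"], {"198.51.100.23"},
                 {"leaked_tunnel_init"}, [_utc(6), _utc(9), _utc(11), _utc(14)], 0x0419)
NEUTRAL = Sample("neutral", ["module load failed"], {"192.0.2.10"},
                 {"custom_loader"}, [_utc(1), _utc(4), _utc(6), _utc(9)], 0x0409)

if __name__ == "__main__":
    forged = plant_false_flag(NEUTRAL, PROFILE, target_tz=3)
    for s in (GENUINE, NEUTRAL, forged):
        print(s.name, attribute(s, PROFILE), score(s, PROFILE))
```

Run as a script, the forged sample reaches the same five-of-five match as the genuine one. The toy threshold is not the point; the point is that none of the five checks consumes anything the attacker does not control. The checks that are harder to fake, such as consistent targeting over years or non-public intelligence, are also the ones a public report can least show its readers.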
  3. Uh oh: It looks like the potential consequence of incorrect cyber attribution just went thermonuclear. And not metaphorically ‘thermonuclear’. The consequences could literally be thermonuclear in nature: The Pentagon has reportedly sent a nuclear strategy to President Trump for approval that would permit the use of nuclear weapons in response to a wide range of non-nuclear attacks on American infrastructure, including devastating cyber attacks:

    The New York Times

    Pentagon Suggests Countering Devastating Cyberattacks With Nuclear Arms

    By DAVID E. SANGER and WILLIAM J. BROAD
    JAN. 16, 2018

    WASHINGTON — A newly drafted United States nuclear strategy that has been sent to President Trump for approval would permit the use of nuclear weapons to respond to a wide range of devastating but non-nuclear attacks on American infrastructure, including what current and former government officials described as the most crippling kind of cyberattacks.

    For decades, American presidents have threatened “first use” of nuclear weapons against enemies in only very narrow and limited circumstances, such as in response to the use of biological weapons against the United States. But the new document is the first to expand that to include attempts to destroy wide-reaching infrastructure, like a country’s power grid or communications, that would be most vulnerable to cyberweapons.

    The draft document, called the Nuclear Posture Review, was written at the Pentagon and is being reviewed by the White House. Its final release is expected in the coming weeks and represents a new look at the United States’ nuclear strategy. The draft was first published last week by HuffPost.

    It called the strategic picture facing the United States quite bleak, citing not only Russian and Chinese nuclear advances but advances made by North Korea and, potentially, Iran.

    “We must look reality in the eye and see the world as it is, not as we wish it to be,” the draft document said. The Trump administration’s new initiative, it continued, “realigns our nuclear policy with a realistic assessment of the threats we face today and the uncertainties regarding the future security environment.”

    ...

    But three current and former senior government officials said large cyberattacks against the United States and its interests would be included in the kinds of foreign aggression that could justify a nuclear response — though they stressed there would be other, more conventional options for retaliation. The officials spoke on the condition of anonymity because they are not authorized to discuss the proposed policy.

    Gary Samore, who was a top nuclear adviser to President Barack Obama, said much of the draft strategy “repeats the essential elements of Obama declaratory policy word for word” — including its declaration that the United States would “only consider the use of nuclear weapons in extreme circumstances to defend the vital interests of the United States or its allies and partners.”

    But the biggest difference lies in new wording about what constitutes “extreme circumstances.”

    In the Trump administration’s draft, those “circumstances could include significant non-nuclear strategic attacks.” It said that could include “attacks on the U.S., allied, or partner civilian population or infrastructure, and attacks on U.S. or allied nuclear forces, their command and control, or warning and attack assessment capabilities.”

    The draft does not explicitly say that a crippling cyberattack against the United States would be among the extreme circumstances. But experts called a cyberattack one of the most efficient ways to paralyze systems like the power grid, cellphone networks and the backbone of the internet without using nuclear weapons.

    “In 2001, we struggled with how to establish deterrence for terrorism because terrorists don’t have populations or territory to hold at risk. Cyber poses a similar quandary,” said Kori Schake, a senior National Security Council and State Department official during President George W. Bush’s administration, who is now the deputy director general of the International Institute for Strategic Studies in London.

    “So if cyber can cause physical malfunction of major infrastructure resulting in deaths,” Ms. Schake said, the Pentagon has now found a way “to establish a deterrent dynamic.”

    The draft review also cites “particular concern” about “expanding threats in space and cyberspace” to the command-and-control systems of the American nuclear arsenal that the review identifies as a “legacy of the Cold War.” It was the latest warning in a growing chorus that the nuclear response networks could themselves be disabled or fed false data in a cyberattack.

    So far, all of the United States’ leading adversaries — including Russia, China, North Korea and Iran — have stopped well short of the kind of cyberattacks that could prompt a larger, and more violent response.

    The Russians have placed malware called “Black Energy” in American utility systems, but never tried to cause a major blackout. They have sent cable-cutting submarines along the path of undersea fiber optic lines that connect the continents, but not cut them. North Korea has attacked companies like Sony, and used cyberweapons to cause chaos in the British health care system, but never directly taken on the United States.

    Still, the document recognizes that American, Russian and Chinese strategies have all been updated in recent years to reflect the reality that any conflict would begin with a lightning strike on space and communications systems. During the Obama administration, for example, a secret program, code-named “Nitro Zeus,” called for a blinding cyberattack on Iran in the event negotiations over its nuclear program failed and Washington found itself going to war with Tehran.

    There are other differences with the Obama administration policy.

    The draft strategy embraces the American production of a new generation of small, low-yield nuclear weapons — some of which were under development during the Obama administration. Some experts warn that such smaller weapons can blur the distinction between nuclear and non-nuclear weapons, and, as a result, be more tempting to use.

    And it states outright that Russia is testing its first autonomous nuclear torpedo, one that American officials believe would be guided largely by artificial intelligence to strike the United States even if communications with Moscow were terminated. It was Washington’s first public acknowledgment of such an undersea weapon, a prototype of which was first envisioned in the 1960s by Andrei Sakharov, the physicist who later ranked among the Soviet Union’s most famous dissidents.

    The torpedo’s development was detected by the Obama administration and has been widely discussed in defense circles, but never publicly referred to by the Pentagon as a significant future threat.

    Mr. Trump has rarely publicly criticized President Vladimir V. Putin of Russia for Russia’s aggressions around the world. But the Pentagon document describes Moscow’s actions as so destabilizing that the United States may be forced to reverse Mr. Obama’s commitment to reduce the role and size of the American nuclear arsenal.

    Russia is adopting “military strategies and capabilities that rely on nuclear escalation for their success,” Defense Secretary Jim Mattis wrote in an introduction to the report. “These developments, coupled with Russia’s invasion of Crimea and nuclear threats against our allies, mark Moscow’s unabashed return to Great Power competition.”

    In most cases, the Trump administration plan would simply move forward nuclear weapons that Mr. Obama had endorsed, such as a new generation of nuclear cruise missiles — low-flying weapons with stubby wings that, when dropped from a bomber, hug the ground to avoid enemy radars and air defenses.

    But the strategy envisions other new nuclear weapons. The draft policy calls for “the rapid development” of a cruise missile to be fired from submarines. Mr. Obama had retired that class. It also calls for the development of a low-yield warhead for ballistic missiles fired from submarines.

    It is relatively easy for presidents to change the country’s declaratory policy on the use of nuclear arms and quite difficult for them to reshape its nuclear arsenal, which takes not only vast sums of money but many years and sometimes decades of planning and implementation.

    The price tag for a 30-year makeover of the United States’ nuclear arsenal was put last year at $1.2 trillion. Analysts said the expanded Trump administration plan would push the bill much higher, noting that firm estimates will have to wait until the proposed federal budget for the 2019 fiscal year is made public.

    “Almost everything about this radical new policy will blur the line between nuclear and conventional,” said Andrew C. Weber, an assistant defense secretary during the Obama administration who directed an interagency panel that oversaw the country’s nuclear arsenal.

    If adopted, he added, the new policy “will make nuclear war a lot more likely.”

    One of the document’s edgiest conclusions involves the existence of a deadly new class of Russian nuclear torpedo — a cigar-shaped underwater missile meant to be fired from a submarine.

    Torpedoes tipped with nuclear arms were common during the Cold War, with the Soviet Union pioneering the weapons and developing them most vigorously. One Soviet model had a range of miles and a large warhead.

    Mr. Sakharov, a famous Russian dissident in the 1970s and 1980s, envisioned a giant torpedo able to travel several hundred miles and incur heavy casualties with a warhead thousands of times more powerful than the Hiroshima bomb. Though his vision was rejected at the time, the new review discloses that Moscow has resurrected a weapon along the same lines.

    The document calls it “a new intercontinental, nuclear-armed undersea autonomous torpedo.” In a diagram labeled “New Nuclear Delivery Vehicles over the Past Decade,” it identifies the torpedo by its code name, Status‑6.

    News stories have reported the possible existence of such a weapon since at least 2015, but the document’s reference appears to be the first time the federal government has confirmed its existence. The long-range torpedo with a monster warhead is apparently meant to shower coastal regions with deadly radioactivity, leaving cities uninhabitable.

    ———-

    “Pentagon Suggests Countering Devastating Cyberattacks With Nuclear Arms” by DAVID E. SANGER and WILLIAM J. BROAD; The New York Times; 01/16/2018

    “For decades, American presidents have threatened “first use” of nuclear weapons against enemies in only very narrow and limited circumstances, such as in response to the use of biological weapons against the United States. But the new document is the first to expand that to include attempts to destroy wide-reaching infrastructure, like a country’s power grid or communications, that would be most vulnerable to cyberweapons.”

    So America’s nuclear trigger-finger is about to get a lot ‘itchier’. And that’s going to happen by defining down what constitutes an “extreme circumstance” to include paralyzing attacks on things like the power grid, cellphone networks and the internet, and that’s why a big cyber attack just might get a nuclear response: if you want to take down the power grid, cellphone networks and the internet, you’ll probably want to use a cyber attack:

    ...
    Gary Samore, who was a top nuclear adviser to President Barack Obama, said much of the draft strategy “repeats the essential elements of Obama declaratory policy word for word” — including its declaration that the United States would “only consider the use of nuclear weapons in extreme circumstances to defend the vital interests of the United States or its allies and partners.”

    But the biggest difference lies in new wording about what constitutes “extreme circumstances.”

    In the Trump administration’s draft, those “circumstances could include significant non-nuclear strategic attacks.” It said that could include “attacks on the U.S., allied, or partner civilian population or infrastructure, and attacks on U.S. or allied nuclear forces, their command and control, or warning and attack assessment capabilities.”

    The draft does not explicitly say that a crippling cyberattack against the United States would be among the extreme circumstances. But experts called a cyberattack one of the most efficient ways to paralyze systems like the power grid, cellphone networks and the backbone of the internet without using nuclear weapons.

    “In 2001, we struggled with how to establish deterrence for terrorism because terrorists don’t have populations or territory to hold at risk. Cyber poses a similar quandary,” said Kori Schake, a senior National Security Council and State Department official during President George W. Bush’s administration, who is now the deputy director general of the International Institute for Strategic Studies in London.

    “So if cyber can cause physical malfunction of major infrastructure resulting in deaths,” Ms. Schake said, the Pentagon has now found a way “to establish a deterrent dynamic.”
    ...

    ““So if cyber can cause physical malfunction of major infrastructure resulting in deaths,” Ms. Schake said, the Pentagon has now found a way “to establish a deterrent dynamic.””

    Yes, the Pentagon has indeed found a “deterrent dynamic.” A deterrent dynamic that makes false flag cyber attacks even more tempting than ever before. Yay.

    And this change in nuclear policy is coming at the same time the US is poised to embrace small, low-yield nukes. And the threat from Russia is being framed as the key driver for this new policy:

    ...
    There are other differences with the Obama administration policy.

    The draft strategy embraces the American production of a new generation of small, low-yield nuclear weapons — some of which were under development during the Obama administration. Some experts warn that such smaller weapons can blur the distinction between nuclear and non-nuclear weapons, and, as a result, be more tempting to use.

    And it states outright that Russia is testing its first autonomous nuclear torpedo, one that American officials believe would be guided largely by artificial intelligence to strike the United States even if communications with Moscow were terminated. It was Washington’s first public acknowledgment of such an undersea weapon, a prototype of which was first envisioned in the 1960s by Andrei Sakharov, the physicist who later ranked among the Soviet Union’s most famous dissidents.

    The torpedo’s development was detected by the Obama administration and has been widely discussed in defense circles, but never publicly referred to by the Pentagon as a significant future threat.

    Mr. Trump has rarely publicly criticized President Vladimir V. Putin of Russia for Russia’s aggressions around the world. But the Pentagon document describes Moscow’s actions as so destabilizing that the United States may be forced to reverse Mr. Obama’s commitment to reduce the role and size of the American nuclear arsenal.

    Russia is adopting “military strategies and capabilities that rely on nuclear escalation for their success,” Defense Secretary Jim Mattis wrote in an introduction to the report. “These developments, coupled with Russia’s invasion of Crimea and nuclear threats against our allies, mark Moscow’s unabashed return to Great Power competition.”

    ...

    The price tag for a 30-year makeover of the United States’ nuclear arsenal was put last year at $1.2 trillion. Analysts said the expanded Trump administration plan would push the bill much higher, noting that firm estimates will have to wait until the proposed federal budget for the 2019 fiscal year is made public.

    “Almost everything about this radical new policy will blur the line between nuclear and conventional,” said Andrew C. Weber, an assistant defense secretary during the Obama administration who directed an interagency panel that oversaw the country’s nuclear arsenal.

    If adopted, he added, the new policy “will make nuclear war a lot more likely.”
    ...

    “If adopted, he added, the new policy “will make nuclear war a lot more likely.””

    Yep, in addition to adopting a policy that encourages false flag cyber attacks that can cause your adversaries to nuke each other, the US is set to move full steam ahead on low-yield nukes that will obviously make the use of nuclear weapons a lot more likely.

    But perhaps the most chilling part of this report is the particular Russian nuclear weapon that the Pentagon was focused on: A nuclear torpedo that could travel hundreds of miles and make a coastline uninhabitable:

    ...
    One of the document’s edgiest conclusions involves the existence of a deadly new class of Russian nuclear torpedo — a cigar-shaped underwater missile meant to be fired from a submarine.

    Torpedoes tipped with nuclear arms were common during the Cold War, with the Soviet Union pioneering the weapons and developing them most vigorously. One Soviet model had a range of miles and a large warhead.

    Mr. Sakharov, a famous Russian dissident in the 1970s and 1980s, envisioned a giant torpedo able to travel several hundred miles and incur heavy casualties with a warhead thousands of times more powerful than the Hiroshima bomb. Though his vision was rejected at the time, the new review discloses that Moscow has resurrected a weapon along the same lines.

    The document calls it “a new intercontinental, nuclear-armed undersea autonomous torpedo.” In a diagram labeled “New Nuclear Delivery Vehicles over the Past Decade,” it identifies the torpedo by its code name, Status‑6.

    News stories have reported the possible existence of such a weapon since at least 2015, but the document’s reference appears to be the first time the federal government has confirmed its existence. The long-range torpedo with a monster warhead is apparently meant to shower coastal regions with deadly radioactivity, leaving cities uninhabitable.
    ...

    “News stories have reported the possible existence of such a weapon since at least 2015, but the document’s reference appears to be the first time the federal government has confirmed its existence. The long-range torpedo with a monster warhead is apparently meant to shower coastal regions with deadly radioactivity, leaving cities uninhabitable.”

    Get ready for the upcoming nuclear torpedo arms race. You have to wonder if that kind of technology is going to make a submarine-based false flag nuclear attack more feasible. While nuclear-armed bombers or ICBMs are probably pretty easy to attribute to a specific enemy, sub attacks are potentially more difficult to attribute if you can’t determine who actually launched them. So a very long-range nuclear torpedo seems like the kind of technology that could be launched in secret by all sorts of different interests in the future if they can get their hands on one — Russia, China, North Korea, Jihadists, the Underground Reich, a crazy billionaire who happens to own a private sub with nuclear torpedo launching capabilities — and it’s not clear a country could determine who launched it. So that’s rather disturbing. Especially since the disturbing nature of this technology is apparently going to be used to spark a nuclear arms race with Russia.

    And it gets more disturbing. Much, much more disturbing. According to a new report on the GOP’s concerns over their political prospects in the 2018 mid-term elections, President Trump isn’t so concerned. Why? Because he apparently has been telling people in the White House that he doesn’t think the 2018 election has to be as bad as others are predicting. And then he references how the GOP did better in the 2002 midterms following the Sept. 11 terrorist attacks. *gulp*:

    The Washington Post

    New alarm among Republicans that Democrats could win big this year

    By Michael Scherer, Josh Dawsey and Sean Sullivan
    January 14, 2018

    A raft of retirements, difficulty recruiting candidates and President Trump’s continuing pattern of throwing his party off message have prompted new alarm among Republicans that they could be facing a Democratic electoral wave in November.

    The concern has grown so acute that Trump received what one congressional aide described as a “sobering” slide presentation about the difficult midterm landscape at Camp David last weekend, leading the president to pledge a robust schedule of fundraising and campaign travel in the coming months, White House officials said.

    ...

    Republicans hold the advantage of a historically favorable electoral map, with more House seats than ever benefiting from Republican-friendly redistricting and a Senate landscape that puts 26 Democratic seats in play, including 10 states that Trump won in 2016, and only eight Republican seats.

    But other indicators are clearly flashing GOP warning signs. Democrats have benefited from significant recruitment advantages — there are at least a half dozen former Army Rangers and Navy SEALs running as Democrats this year, for example — as Republicans struggle to convince incumbents to run for reelection.

    At least 29 House seats held by Republicans will be open in November following announced retirements, a greater number for the majority party than in each of the past three midterm elections when control of Congress flipped.

    The president’s own job approval, a traditional harbinger of his party’s midterm performance, is at record lows as he approaches a year in office, according to Gallup. Polls asking which party Americans want to see control Congress in 2019 show a double-digit advantage for Democrats.

    “When the wave comes, it’s always underestimated in the polls,” said a conservative political strategist who has met with GOP candidates. “That is the reason that Republicans are ducking for cover.”

    Amid the onslaught, Republican strategists say they continue to pin their party’s electoral hopes on the nation’s still-rising economic indicators, the potential effects of the recent tax-reform bill and Trump’s ability to rally the conservative base.

    “The monthly metrics are bad, from the generic ballot to the Republican retirements to the number of Democratic recruits with money,” said one Republican political consultant, who works with major conservative donors involved in the midterms and asked for anonymity to speak frankly. “The big question is: Is everything different with Trump? Because the major metrics point to us losing at least one house of Congress.”

    ...

    In private conversations, Trump has told advisers that he doesn’t think the 2018 election has to be as bad as others are predicting. He has referenced the 2002 midterms, when George W. Bush and Republicans fared better after the Sept. 11 terrorist attacks, these people said.

    ...

    ———-

    “New alarm among Republicans that Democrats could win big this year” by Michael Scherer, Josh Dawsey and Sean Sullivan; The Washington Post; 01/14/2018

    “In private conversations, Trump has told advisers that he doesn’t think the 2018 election has to be as bad as others are predicting. He has referenced the 2002 midterms, when George W. Bush and Republicans fared better after the Sept. 11 terrorist attacks, these people said.”

    Uhh...it sure sounds like President Trump is betting on a massive attack. In 2018. And he seems to be looking forward to this.

    So if you’re the type of person who thrives on living every day like it’s your last day on Earth, this should be a good year for you. At least until it really is your last day. The rest of the year won’t be very good for you after that.

    Posted by Pterrafractyl | January 17, 2018, 4:50 pm
  4. @Dave: One quick correction: when I stated that the Vault 7 trove of CIA hacking tools only went until 2013, I was mixing that up with the Shadow Brokers NSA toolkit. The dates on the files in the Vault 7 trove went from 2013 — 2016. So that Vault 7 toolkit spans the period before and after the ‘Russian hackers’ started getting super sloppy and leaving “I’m a Russian hacker!” clues following the outbreak of the conflict in Ukraine. That makes the content of things like the library of malware that’s been used by foreign governments to obscure the CIA hacker’s identity potentially quite interesting. For instance, was either “X‑Agent” — the malware that was found in the DNC hack that was incorrectly described as exclusively used by ‘Fancy Bear’/APT28 — part of that malware library?

    Along those lines, check out this fascinating story related to the ‘X‑Agent’ malware and who it may have originated with: Remember when “Hacking Team” — the private Italian ‘lawful hacking group’ that’s hired by governments around the world — got hacked and had its toolkit released back in July of 2015? Well, guess what: It appears that X‑Agent was part of Hacking Team’s toolkit that was released to the world in July of 2015:

    Malwarebytes
    Blog

    Two new Mac backdoors discovered

    Posted: March 1, 2017 by Thomas Reed

    On Valentine’s Day, Mac users got a special “treat” in the form of new malware. Then, later that same week, there were signs of yet another piece of malware looming. These threats were overshadowed a bit by the discovery last week of the second ransomware app to ever appear on the Mac, but they’re still worthy of consideration.

    The first malware, named XAgent, was analyzed by Palo Alto Networks. XAgent, it turns out, is related to the Komplex malware discovered by Palo Alto last year, as can be seen by comparing some of the strings to those found in Komplex.

    At that time, Palo Alto tied Komplex to the Sofacy Group – also known by the names Fancy Bear and APT28, among others – a Russian hacking organization that has since been linked to such things as the hack of the Democratic National Convention.

    XAgent is a backdoor that provides a number of powerful remote access features, including keylogging, screenshots, remote shell access, and file exfiltration. Of particular interest is a command that provides the hacker with information about iOS backups stored on the infected Mac. iPhones (and other iOS devices) are notoriously difficult to hack, but by targeting backups instead, this malware could access potentially sensitive iPhone data.

    Interestingly, Patrick Wardle, Director of Research at Synack, had another interesting revelation about this malware. He shows quite convincingly that the Sofacy Group used code copied from the Hacking Team. (Hacking Team is the creator of the Remote Control System backdoor, which it sells to governments and law enforcement, among other organizations.)

    Hacking Team was itself the victim of a hack in 2015, and all their source code was made public. Wardle was able to demonstrate key similarities, such as identical bugs, in the decompiled XAgent code and the leaked Hacking Team code. It appears that Sofacy used Hacking Team code in their malware, most likely obtained from the Hacking Team breach.

    According to a whitepaper released by Bitdefender, the malware installs itself into the following folder, where it is given one of a set of hard-coded names:

    ~/Library/Assistants/.local/

    At the time of its discovery, the XAgent command & control servers were down, meaning that this variant of the malware is no longer a threat.

    On the heels of the XAgent discovery came an intriguing glance at another piece of Mac malware, a sample of which has not yet been found. Three days after Palo Alto released their analysis of XAgent, Apple released an update to XProtect – the built-in anti-malware software in macOS – that added detection of XAgent.

    However, that update also included a signature for something Apple called OSX.Proton.A, which ignited a storm of questions in the security community, who had never heard of any such malware for the Mac.

    A little digging by Arnaud Abbati, a researcher at Ninja, Inc, turned up a page from the Sixgill website with a terse description of a remote access tool (RAT) called Proton. The page has been taken down, but can still be found in Google’s cache here.

    Apparently, the malware is being sold on a Russian cybercrime forum, among other places. Sixgill also provided a link to a YouTube video from December, apparently made to promote the malware by demonstrating its capabilities. Another YouTube video, posted on February 8, showed additional capabilities.

    Unfortunately, thus far, no samples of the malware have been found. It does not appear to be in the VirusTotal database, and neither of the sites that appear to be associated with Proton (ptn[dot]is or protonsolutions[dot]net) are responding. Even Sixgill’s analysis seemed to be done entirely from online sources, and had no information to suggest that they had seen a copy of the malware. For now, this is a completely unknown threat with rather frightening apparent capabilities.

    ...

    ———-

    “Two new Mac backdoors discovered” by Thomas Reed; Malwarebytes Blog; 03/01/2017

    “Interestingly, Patrick Wardle, Director of Research at Synack, had another interesting revelation about this malware. He shows quite convincingly that the Sofacy Group used code copied from the Hacking Team. (Hacking Team is the creator of the Remote Control System backdoor, which it sells to governments and law enforcement, among other organizations.)”

    So, uh, wow! X‑Agent, one of the pieces of malware that was seen as a key “digital fingerprint” in the DNC hack of 2016 pointing back to APT28, was in the July 2017 release of “Hacking Team’s” unit? That’s quite something.

    And just to get a taste of how the presence of X‑Agent was used by CrowdStrike to attribute the DNC hack to ‘Fancy Bear’, here’s the opening paragraph of CrowdStrike’s December 2016 report that tried to use X‑Agent to erroneously claim that ‘Fancy Bear’ created malware used to infect the smartphones of Ukrainian artillery troops so they could be located and neutralized:

    CrowdStrike
    Blog

    Danger Close: Fancy Bear Tracking of Ukrainian Field Artillery Units

    December 22, 2016
    Adam Meyers

    Update – As of March 2017, the estimated losses of D‑30 howitzer platform have been amended. According to an update provided by the International Institute for Strategic Studies (IISS) Research Associate for Defence and Military Analysis, Henry Boyd, their current assessment is as follows: “excluding the Naval Infantry battalion in the Crimea which was effectively captured wholesale, the Ukrainian Armed Forces lost between 15% and 20% of their pre-war D–30 inventory in combat operations.”

    In June CrowdStrike identified and attributed a series of targeted intrusions at the Democratic National Committee (DNC), and other political organizations that utilized a well known implant commonly called X‑Agent. X‑Agent is a cross platform remote access toolkit, variants have been identified for various Windows operating systems, Apple’s iOS, and likely the MacOS. Also known as Sofacy, X‑Agent has been tracked by the security community for almost a decade, CrowdStrike associates the use of X‑Agent with an actor we call FANCY BEAR. This actor to date is the exclusive operator of the malware, and has continuously developed the platform for ongoing operations which CrowdStrike assesses is likely tied to Russian Military Intelligence (GRU). The source code to this malware has not been observed in the public domain and appears to have been developed uniquely by FANCY BEAR.

    ...

    ———-

    “Danger Close: Fancy Bear Tracking of Ukrainian Field Artillery Units” by Adam Meyers; CrowdStrike Blog; December 22, 2016

    “Also known as Sofacy, X‑Agent has been tracked by the security community for almost a decade, CrowdStrike associates the use of X‑Agent with an actor we call FANCY BEAR. This actor to date is the exclusive operator of the malware

    Jeffrey Carr did a great takedown of why that CrowdStrike ‘attribution’ was bogus. It was bogus for a lot of reasons, and one of those included the fact that X‑Agent is already ‘in the wild’.

    Here’s something else to keep in mind: The security analyst who discovered that the X‑Agent code appears to be extremely similar to the leaked Hacking Team code and concludes that X‑Agent did indeed come from the Hacking Team leak also notes in their post [it’s very technical] that there’s the question of whether or not ‘Fancy Bear’ created X‑Agent based on the Hacking Team leak or whether the Russian government simply purchased the malware from Hacking Team, since Hacking Team reportedly sold its services and tools to the Russian government. And while either of those are possibilities, we can’t forget that Hacking Team sold its malware to governments around the world:

    Forbes

    Wikileaks Release: Hacking Team Says It Sold Spyware To FSB, Russia’s Secret Police

    Thomas Fox-Brewster, FORBES STAFF
    JUL 9, 2015 @ 01:47 PM

    Now that Wikileaks has released the emails included in the 415GB leaked by the hackers who breached Italian “lawful intercept” provider Hacking Team, the world has easy access to a trove of information blowing open the inner workings of the private surveillance industry. Amongst the files seen by FORBES so far are emails detailing Hacking Team’s sales to Russia’s secret police, the FSB.

    Previous analysis of the leaks had sold its Galileo Remote Control System (RCS) to KVANT, a Russian state-owned military research and development organisation that works with the FSB. This inspired questions from Dutch politician and European Member of Parliament Marietje Shaake about the potential breach of European Union sanctions about the sale of such goods to Russia, which has been put on blacklists for its operations in war-torn Ukraine. Selling to the FSB would likely concern onlookers more, given the agency’s widespread access to communications in Russia.

    Hacking Team has repeatedly denied it sells its technology, which surreptitiously siphons off communications data from PCs, iPhones and Android devices, to regimes which it believes commit human rights abuses.

    Hacking Team appeared to have taken an interest in the FSB initially through NICE, an Israeli company with links to the country’s surveillance industrial complex, in particular signals intelligence agency Unit 8200. NICE seems to have acted as a reseller for Hacking Team’s tools. In May 2011, a member of NICE’s sales team boasted about some successful RCS demos with the FSB.

    “The feedback was very good, and we’ve been asked with many questions regarding the solution and its capabilities. It was clear that their questions implies that they have a background in the lawful hacking area, however that their existing solution may lack some of the capabilities, especially in infecting [Apple] Mac devices, and mobile devices,” the NICE employee said.

    After numerous demonstrations, progress seemed stymied, but in December 2012, a NICE employee asked Hacking Team whether it had sold directly to the FSB rather than via the Israeli company.

    “Yes we did,” the Hacking Team employee responded. “We discussed this opportunity in the past and you were aware of the fact we were working there. I’d like to take advantage of this conversation to ask you a feedback about Azerbaijan.”

    Asked about working in Russia, Hacking Team head of communications Eric Rabe said: “We have not sold to blacklisted countries — at least when they were actually on a blacklist. As you know these things can change and a country, that is considered respectable, may later on turn out not to be.” Hacking Team may have stopped providing services once the sanctions were imposed, just as it’s claimed it did for Sudan.

    FORBES also spoke with Vitaliy Toropov, a Moscow-based researcher who sold zero-days — previously unknown, unpatched vulnerabilities — to Hacking Team. He was surprised the FSB needed outside help with exploits. “I’ve never heard that FSB openly buys zero-days. I thought either they have their internal talents or they outsource it somewhere,” Toropov said over email.

    ...

    Another email, relating to correspondence from your reporter about an article for The Guardian about the use of Hacking Team technology in Ethiopia, appeared to indicate neither Rabe nor CEO David Vincenzetti were aware of a deal with the country, which has a poor track record when it comes to human rights abuses. According to the leaked documents, Ethiopia signed on in 2012.

    It’s now known that Hacking Team was selling to a vast number of governments, including Sudan, Saudi Arabia, UAE, Bahrain, Morocco and Egypt. The US is also a customer via the FBI, the military and the Drug Enforcement Agency.

    ———-

    “Wikileaks Release: Hacking Team Says It Sold Spyware To FSB, Russia’s Secret Police” by Thomas Fox-Brewster; Forbes; 07/09/2015

    “It’s now known that Hacking Team was selling to a vast number of governments, including Sudan, Saudi Arabia, UAE, Bahrain, Morocco and Egypt. The US is also a customer via the FBI, the military and the Drug Enforcement Agency.”

    So we have companies like CrowdStrike treating X‑Agent as uniquely used by the Russian government, a tool that appears to be part of the Hacking Team toolkit that they were selling to governments around the world. Talk about being ‘in the wild’.

    And notice how the FBI, US military, and DEA are all Hacking Team customers. It’s something that would make the absence of something like X‑Agent in Vault 7 kind of surprising. It seems like it would be a great piece of malware for obscuring your identity given that Hacking Team has probably been selling to clients for years.

    Posted by Pterrafractyl | January 18, 2018, 3:38 pm
  5. With the “March for our Lives” march in DC in response to the Parkland, FL, shooting at Marjory Stoneman Douglas High School by Nikolas Cruz, a neo-Nazi-inspired former student, turning into a major political event, it’s worth asking what it was about the shooting in Parkland, Florida, that elicited such an exceptionally strong response. And it’s hard to avoid the conclusion that the “law of truly large numbers” played a role: the statistical adage that even improbable events will happen given a large enough sample size. And in the case of the US, if a country has one school shooting after another after another, at some point that “sample” of shot up schools will include a school that has a number of exceptionally articulate students with the charisma necessary to shift the debate and change the public conversation. In other words, the students of Marjory Stoneman Douglas were an inevitability. Thanks to the law of truly large numbers and the truly shockingly large number of school shootings America regularly experiences.

    So given that a plucky band of teenagers has shifted the conversation around gun regulations (or the lack thereof) in the US and led a mass march, perhaps it’s worth noting that the gun debate in the US has a number of eerie parallels with another life and death topic that impacts not just the US but the entire world: the logic of mutually assured destruction and the flaws in that logic that continue to threaten life on Earth.

    Yes, guns and nuclear weapons are pretty much at opposite ends of the ‘tools for violence’ spectrum, but it’s hard to ignore the fact that the arguments used by the most rabid gun proponents from groups like the NRA — arguments like ‘a well armed society is a polite society’ — have a lot in common with the mutually assured destruction (MAD) logic behind the nuclear arms race that continues to this day.

    And tragically, the topic of the perils of mutually assured destruction has become perilously topical now that President Trump has chosen the uber-war hawk John Bolton — a man who never met a preemptive military strike he didn’t like — to become his national security advisor. When John Bolton is the lead guy providing the president of the United States advice on national security matters you can be assured that mutually assured destruction is a lot more likely to actually happen. Or, if not the exchange of nukes, some sort of horrible conventional war, which is, itself, a form of mutually assured destruction when it’s war between military powers.

    And it’s the concerns over someone like John Bolton pushing the US into a major conflict that highlight the fact that, as the following article notes, the logic of mutually assured destruction with weapons of mass destruction is filled with a series of self-destructive paradoxes that undermine that logic. Self-destabilizing dynamics like how the need to assure nuclear second-strike capability inherently leads to an arms race that threatens that second-strike capability. Analogously, the logic behind ‘more guns = less shootings’ is undermined by both the logic that more guns also clearly creates the opportunity for more shootings — especially by suicidal people who don’t care about return fire — and the observation that the US has a gun death epidemic not seen in countries with stronger gun regulations.

    In other words, for both nukes and guns, there is indeed a logic that says ‘more is more’, i.e. more nukes/guns lead to greater overall safety. But there is simultaneously logic that tells us that ‘more is less’ (more guns/nukes makes everyone less safe by creating an endless arms race), ‘less is less’ (fewer guns/nukes makes everyone less safe by encouraging aggressors), and ‘less is more’ (fewer guns/nukes makes everyone safer). All four of these logical conclusions co-exist simultaneously. It’s a genuine paradox.

    And as the article also notes, we are increasingly living in a world governed by paradoxes, and overcoming these paradoxes can only happen when we both acknowledge these paradoxes and accept that the ‘less is more’ logic really is the only sustainable dynamic that can work in the long run. There’s no risk-free path forward for humanity when it comes to how we collectively ‘keep the peace’, whether it’s at an interpersonal level or international level. An endless arms race carries obvious risks for humanity. But so does mass disarmament, simply because one or more parties might suddenly arm themselves and take over or just wipe their adversaries out. ‘More is more’ and ‘less is more’. Paradoxically.

    But that doesn’t mean the very different paths forward inherent in that paradox have equal risks, especially when you consider the kinds of scenarios that become ever more likely when you think about the ‘law of truly large numbers’ and highly improbable events becoming just a matter of time. And that means we need to deal with this paradox inherent in dealing with both guns and weapons of mass destruction by asking ourselves which highly improbable events we want to risk happening: for guns in the US, where ‘defending against a tyrannical government’ is often used as a justification for civilians owning military-grade weapons, do we want to continue flooding the US with weapons — which guarantees a steady rate of gun deaths — and risk an armed civil conflict or an insurrection by heavily armed reactionary forces? Because that’s the risk being courted by current gun policies. Or is it better to dramatically reduce or eliminate civilian access to guns and run the risk that some future tyrannical government will subjugate the populace? Part of dealing with the paradoxes inherent in the gun debate is asking which of those risks is the bigger risk.

    Similarly, for weapons of mass destruction, which risk is greater: the risk that mutually assured destruction actually happens if humanity continues down the path of this endless arms race of ever more powerful offensive and defensive capabilities? Or is it a greater risk for countries to collectively ban weapons of mass destruction, risking the possibility of a rogue actor obtaining them and effectively blackmailing the world? Which of those risks does humanity want to court?

    These are the kinds of paradoxes that humanity has to increasingly deal with as technology injects more and more destructive into societies and into global geopolitical realities. And if humanity is going to survive this age of ‘rule by paradox’ we’re going to have to come to grips with the fact that these paradoxes exist and that the ‘less is more’ logic really is the lowest risk approach in the long run, whether we’re talking about guns or nukes:

    The Huffington Post

    Regulating Guns: The Social Equivalent of MAD (Mutually Assured Destruction)

    By Ian I. Mitroff
    01/19/2016 03:38 pm ET Updated Jan 19, 2017

    In the 1950s, at the height of the cold war, the U.S. and the Soviet Union realized that their huge nuclear arsenals gave rise to a fundamental paradox: they existed for the prime purpose of preventing their use.

    To protect their missiles, both sides loaded them on submarines that were capable of hiding indefinitely in the vast oceans of the world. In this way, the side that was attacked first would always have enough missiles to retaliate, if not destroy, the other side. Since the situation was completely symmetrical, nuclear weapons existed for the prime purpose of assuring that neither side would start a nuclear war that no one could win. This was enshrined in the doctrine of Mutually Assured Destruction, or MAD, an apt acronym if there ever was one.

    Unfortunately, MAD was not the only paradox that enveloped nuclear weapons.

    Both sides protected their land-based nuclear missiles by putting them in silos buried in the ground. Covering the silos with massive amounts of concrete offered further protection. More concrete led to greater or more felt security. In pithy terms, More Led to More.

    But putting more concrete only encouraged both sides to load multiple warheads onto their missiles so they could more easily penetrate the silos. More concrete threatened the other side more and led to an arms race, i.e., More Led to Less.

    It occurred that less concrete would threaten one’s adversary less and thus lead to greater felt security, i.e., Less Leads to More.

    But, since it made no sense to have zero or fewer numbers of nuclear missiles than one’s adversaries, less missiles led to less felt security, i.e., Less Led to Less.

    More Leads to More and Less Leads to Less are the two primary modes of thinking that have prevailed for thousands of years. An army with greater numbers of soldiers could generally defeat an army with fewer. But because of their enormous destructive power, nuclear weapons altered these long standing tenets. The side with more nukes was not necessarily superior.

    The biggest paradox of all was due to the fact that thinking about nuclear weapons was constantly cycling through all four modes simultaneously. Underlying all of them is the fact that at some point what’s good in the small becomes bad in the large. That is, bigness turns back on itself.

    Consider the highly contentious issue of guns. The U.S. has roughly 5 percent of the world’s population, but 40 percent of the guns. If more guns were the answer, then the U.S. would be the safest planet on the globe, which it is not, i.e., More Has Led to Less. More Guns Has Led to More Mass Shootings (i.e., Less). We are in the grips of a self-imposed form of MAD.

    ...

    Increasingly, we live in a world where every aspect is governed by paradox. To survive, let alone prosper, means not only recognizing the basic existence of paradox, but that in many cases, Less Is More. How many more mass shootings will it take for us to finally realize that More Is Not Always Better, and to act on this fundamental realization?

    ———-

    “Regulating Guns: The Social Equivalent of MAD (Mutually Assured Destruction)” by Ian I. Mitroff; The Huffington Post; 01/19/2016

    “Unfortunately, MAD was not the only paradox that enveloped nuclear weapons.”

    It is indeed unfortunate. The paradoxes of mutually assured destruction — where the necessity of assuring destruction leads to an endless arms race — aren’t the only paradoxes associated with nuclear weapons. There are also the paradoxes associated with not having doomsday weapons. And these paradoxes are mutually justifying. The risks of world peace are used to justify global militarization and vice versa. It’s a fascinating moral conundrum that could destroy us all if mishandled:

    ...
    Both sides protected their land-based nuclear missiles by putting them in silos buried in the ground. Covering the silos with massive amounts of concrete offered further protection. More concrete led to greater or more felt security. In pithy terms, More Led to More.

    But putting more concrete only encouraged both sides to load multiple warheads onto their missiles so they could more easily penetrate the silos. More concrete threatened the other side more and led to an arms race, i.e., More Led to Less.

    It occurred that less concrete would threaten one’s adversary less and thus lead to greater felt security, i.e., Less Leads to More.

    But, since it made no sense to have zero or fewer numbers of nuclear missiles than one’s adversaries, less missiles led to less felt security, i.e., Less Led to Less.

    More Leads to More and Less Leads to Less are the two primary modes of thinking that have prevailed for thousands of years. An army with greater numbers of soldiers could generally defeat an army with fewer. But because of their enormous destructive power, nuclear weapons altered these long standing tenets. The side with more nukes was not necessarily superior.
    ...

    We need nukes because if we don’t have them we’ll be helpless against nuclear blackmail. But once one nation has nukes, every other one is going to want them and there will be an endless arms race that can only end in doom. It’s a grim nest of intertwined paradoxes that happens to be a major test for humanity.

    And as the article noted at the end, recognizing these nested, mutually-justifying

    ...
    Increasingly, we live in a world where every aspect is governed by paradox. To survive, let alone prosper, means not only recognizing the basic existence of paradox, but that in many cases, Less Is More. How many more mass shootings will it take for us to finally realize that More Is Not Always Better, and to act on this fundamental realization?

    The ability to recognize situations where Less is More and collectively give up access to a technology might be a basic ingredient for surviving technology. And acquiring that ability requires humanity to collectively acknowledge such paradoxes exist. But at that point we have to make a choice. A fateful choice because these paradoxes point in VERY different directions. Peace through endless arms races? Or peace through endless mutual commitments to peace and the mutual reduction in the tools of violence that are available to everyone, coupled with creating the kind of world where only the insane would feel the need to resort to violence. Build a great world or build a lot of bombs and guns. That’s one of the fundamental questions at the heart of the guns and nukes policy debates. It’s the same nest of paradoxes.

    And as the article suggests, when you look at all the ways ‘more (tools of mass violence) is more (peace and prosperity)’ breaks down, it’s hard to avoid the conclusion that ‘less (tools of mass violence) is more (peace and prosperity)’ is clearly the best path forward. Yes, it’s not a perfect path. There are still risks associated with mutual disarmament. But they are preferable risks compared to the alternative, whether it’s nukes or guns.

    Yes, mutually assured destruction has ‘kept the WMD peace’ so far. The US and the Soviets didn’t nuke each other. But let’s not forget that there have been quite a few near misses over the decades, where simple mistakes and human error almost led to a full-scale nuclear exchange. That really almost happened. Repeatedly. How’s that kind of dynamic going to turn out when the ‘law of truly large numbers’ takes effect?

    And as the United States, which owns 40 percent of the world’s guns, has amply demonstrated to the world on the gun issue, more guns has most assuredly resulted in more deaths. It’s been mutually assured destruction on an interpersonal scale and the result has been a lot of destruction:

    ...
    Consider the highly contentious issue of guns. The U.S. has roughly 5 percent of the world’s population, but 40 percent of the guns. If more guns were the answer, then the U.S. would be the safest planet on the globe, which it is not, i.e., More Has Led to Less. More Guns Has Led to More Mass Shootings (i.e., Less). We are in the grips of a self-imposed form of MAD.
    ...

    So, with that parallel paradox between guns and weapons of mass destruction in mind, it’s worth noting that the kind of focus the US suddenly has on the gun issue really needs to happen on the WMD issue too. They’re part of the same meta-issue of how we deal with our capacity for violence. It’s ‘the talk’ for a society with free will. And that talk needs to collectively happen for both guns and nukes because, as the following article describes, there is growing concern in the national security sector that the paradoxical logic of mutually assured destruction that has kind of kept the peace in the nuclear age is about to fall apart.

    What’s breaking the logic of MADness? Well, that has to do with the fact that the doctrine of mutually assured destruction has long co-existed with the goals of individual nuclear powers to achieve nuclear dominance, i.e. the capability to carry out a nuclear strike without fear of reprisal. Or the capability of simply stopping a lone missile from a rogue regime. Those kinds of defensive capabilities that inevitably disrupt the logic of MADness appear to have reached the point where it’s very possible that mutually assured destruction might not be mutually assured in the future.

    Thanks to emerg­ing defen­sive tech­nolo­gies — like func­tion­al mis­sile defense, Con­ven­tion­al Prompt Glob­al Strike pro­gram, a US ini­tia­tive to devel­op mis­siles tipped with con­ven­tion­al weapons designed to take down nuclear facil­i­ties any­where in the world in under and hour, and cyber capa­bil­i­ties that inca­pac­i­tate or take over the com­mand-and-con­trol infra­struc­ture of adver­saries — it’s going to be fea­si­ble for a nuclear pow­er to crip­ple an adver­sary’s sec­ond-strike capa­bil­i­ties. And if an adver­sary can’t guar­an­tee a retal­ia­to­ry sec­ond strike there’s no longer any mutu­al assur­ance of destruc­tion. And when there’s no mutu­al­ly assured destruc­tion, the law or tru­ly large num­bers starts get­ting very scary in a heav­i­ly armed world. Effec­tive nuclear defens­es make the use of nukes more and more like­ly. It’s a reminder that one of the great­est risks of rely­ing on mutu­al­ly assured destruc­tion to avoid mutu­al­ly assured destruc­tion is that those mutu­al assur­ances can’t nec­es­sar­i­ly be assured, which is why MAD­ness in a world where nuclear dom­i­nance is also a goal is tru­ly mad­ness in the long run:

    The Economist

    Why nuclear stability is under threat

    Mutually assured destruction has served as the ultimate deterrent, but for how much longer?

    Jan 25th 2018

    NUCLEAR WEAPONS, LIKE the poor, seem likely always to be with us. Even though arms-control agreements between America and the Soviet Union, and then Russia, have drastically reduced overall numbers, both countries are committed to costly long-term modernisation programmes for their strategic nuclear forces that should ensure their viability for the rest of the century.

    Russia is about halfway through recapitalising its strategic forces, which include a soon-to-be-deployed road-mobile intercontinental ballistic missile (ICBM); a new heavy ICBM; eight new ballistic-missile submarines (SSBNs), most of which will be in service by 2020; upgraded heavy bombers; and a new stealth bomber able to carry hypersonic cruise missiles. America will replace every leg of its nuclear triad over the next 30 years, at an estimated cost of $1.2trn. There will be 12 new SSBNs; a new penetrating strike bomber, the B21; a replacement for the Minuteman III ICBMs; and a new long-range air-launched cruise missile. As Tom Plant, a nuclear expert at RUSI, a think-tank, puts it: “For both Russia and the US, nukes have retained their primacy. You only have to look at how they are spending their money.”

    Other states with nuclear weapons, such as China, Pakistan, India and, particularly, North Korea, are hard at work to improve both the quality and the size of their nuclear forces. Iran’s long-term intentions remain ambiguous, despite the deal in 2015 to constrain its nuclear programme. Nuclear weapons have lost none of their allure or their unique ability to inspire dread. Whether or not they are ever used in anger, they are very much part of the future of warfare.

    So far, the best argument for nuclear weapons has been that the fear of mutually assured destruction (MAD) has deterred states that possess them from going to war with each other. MAD rests on the principle of a secure second-strike capability, which means that even if one side is subjected to the most wide-ranging first strike conceivable, it will still have more than enough nuclear weapons left to destroy the aggressor. When warheads became accurate enough to obliterate most of an adversary’s missiles in their silos, America and Russia turned to submarines and mobile launchers to keep MAD viable.

    A more dangerous world

    It still is, and is likely to remain so for some time. But disruptive new technologies, worsening relations between Russia and America and a less cautious Russian leadership than in the cold war have raised fears that a new era of strategic instability may be approaching. James Miller, who was under-secretary of defence for policy at the Pentagon until 2014, thinks that the deployment of increasingly advanced cyber, space, missile-defence, long-range conventional strike and autonomous systems “has the potential to threaten both sides’ nuclear retaliatory strike capabilities, particularly their command-and-control apparatuses”, and that “the potential of a dispute leading to a crisis, of a crisis leading to a war, and of a war escalating rapidly” is growing.

    In a new report, Mr Miller and Richard Fontaine, the president of the Centre for a New American Security (CNAS), identify cyber and counter-space (eg, satellite jammers, lasers and high-power microwave-gun systems) attacks as possible triggers for an unplanned conflict. Other new weapons may threaten either side’s capability for nuclear retaliation, particularly their strategic command-and-control centres. James Acton, a nuclear-policy expert at the Carnegie Endowment for International Peace, lists three trends that could undermine stability in a future crisis: advanced technology that can threaten the survivability of nuclear attacks; command-and-control systems that are used for both nuclear and conventional weapons, leaving room for confusion; and an increased risk of cyber attacks on such systems because of digitisation.

    Both America and Russia rely heavily on digital networks and space-based systems for command, control, communications, intelligence, surveillance and reconnaissance (C3ISR) to run almost every aspect of their respective military enterprises. Cyber space and outer space therefore offer attackers tempting targets in the very early stages of a conflict. In the utmost secrecy, both sides have invested heavily in offensive cyber capabilities. In 2013 the Defence Science Board advised the Pentagon that: “The benefits to an attacker using cyber exploits are potentially spectacular. Should the United States find itself in a full-scale conflict with a peer adversary, attacks would be expected to include denial of service, data corruption, supply-chain corruption, traitorous insiders, kinetic and related non-kinetic attacks at all altitudes from under water to space. US guns, missiles and bombs may not fire, or may be directed against our own troops. Resupply, including food, water, ammunition and fuel, may not arrive when or where needed. Military commanders may rapidly lose trust in the information and ability to control US systems and forces.”

    One problem with this is that the space architecture on which America depends for its nuclear command and control, including missile early warning, is also used for conventional warfare. That means a conventional attack might be mistaken for a pre-emptive nuclear strike, which could lead to rapid escalation. Another difficulty is that an aggressor may be tempted to go after cyber and space assets in the hope of causing major damage to a target’s defences without actually killing anybody. That would raise doubts over whether nuclear retaliation could be justified. A third worry is that because of the potential speed and surprise of such attacks, some responses might be delegated to autonomous systems that can react in milliseconds. Lastly, there is the possibility of “false flag” cyber operation by a rogue state or non-state hacker group.

    Don’t worry just yet

    For now, the prospects of a successful disarming strike remain sufficiently remote to leave the strategic balance intact. Mr Miller argues that it would require a “fundamental transformation in the military-technological balance…enabled by the development and integration of novel military capabilities” to upset the balance.

    Ominously, he thinks that such a fundamental transformation may now be on the horizon, in the shape of conventional prompt global strike (CPGS) and new missile-defence systems. Both China and Russia fear that new American long-range non-nuclear strike capabilities could be used to deliver a disarming attack on a substantial part of their strategic forces or decapitate their nuclear command and control. Although they would still launch their surviving nuclear missiles, improved missile-defence systems would mop up most of the remainder before their warheads could do any damage.

    Still, Michael Elleman, a missile expert at the International Institute for Strategic Studies, reckons that for now those concerns are overblown. As much as anything, he says, they are talked up to restrain investment in the enabling technologies: “They [the Russians and the Chinese] are saying to the US, the trouble with you guys is that you never know when to stop.”

    CPGS would involve a hypersonic missile at least five times faster than the speed of sound and a range of more than 1,000 miles. This could be achieved in several ways. One would be to stick a conventional warhead on an ICBM or a submarine-launched ballistic missile—a cheap solution but a dangerous one, because defenders would not know whether they were under conventional or nuclear attack, so they might overreact.

    ...

    Current American missile-defence systems, such as Patriot, THAAD (terminal high-altitude area defence) and Aegis, provide quite effective regional defence but are not designed to cope with a salvo of ICBMs. The Ground-based Midcourse Defence system in Alaska and California is supposed to provide some defence of the homeland against a few missiles launched by a North Korea or an Iran, but it was never designed to defeat a massive salvo attack by a major adversary.

    However, substantial improvements are on their way. Mr Elleman describes the SM‑3 IIA interceptors, which could be deployed as soon as next year on Aegis-class destroyers, as a “big deal”. They are much faster than their predecessors, and Mr Miller thinks that if hundreds of them were put on ships close to America, they might support a late midcourse defence against Russian ICBMs.

    More exotic missile defences are not far behind. Mr Elleman says that in about five years’ time it may be possible to put solid-state lasers on large numbers of unmanned aerial vehicles (UAVs) orbiting at very high altitude. Small missiles could also be put on UAVs as boost-phase interceptors, firing a minute or so after launch. Interception at that stage is technically much easier than later on because the target is much larger when all its stages are still intact, and moving more slowly.

    Mr Elleman believes that for now the advantage is likely to remain with the attacker rather than the defender, but like Mr Miller he fears that emerging technologies could “undermine crisis stability very rapidly”. Yet if arms-control agreements could be reached at the height of the cold war, it should surely be possible for America, Russia and China to talk to each other now to avoid persistent instability.

    ———-

    “Why nuclear stability is under threat”; The Economist; 01/25/2018

    “So far, the best argument for nuclear weapons has been that the fear of mutually assured destruction (MAD) has deterred states that possess them from going to war with each other. MAD rests on the principle of a secure second-strike capability, which means that even if one side is subjected to the most wide-ranging first strike conceivable, it will still have more than enough nuclear weapons left to destroy the aggressor. When warheads became accurate enough to obliterate most of an adversary’s missiles in their silos, America and Russia turned to submarines and mobile launchers to keep MAD viable.”

    The entire premise of MAD rests on the principle of a secure second-strike capability. And yet there’s reason to assume that second-strike capability can be assured because there’s no assurances that a technology that subverts that second-strike capability won’t be developed. Especially when the major nuclear powers are constantly working on developing those capabilities. Capabilities that increasingly include cyber attacks taking over command-and-control systems thanks to the increasing digitisation of the systems that control nuclear arsenals:

    ...
    A more dangerous world

    It still is, and is likely to remain so for some time. But disruptive new technologies, worsening relations between Russia and America and a less cautious Russian leadership than in the cold war have raised fears that a new era of strategic instability may be approaching. James Miller, who was under-secretary of defence for policy at the Pentagon until 2014, thinks that the deployment of increasingly advanced cyber, space, missile-defence, long-range conventional strike and autonomous systems “has the potential to threaten both sides’ nuclear retaliatory strike capabilities, particularly their command-and-control apparatuses”, and that “the potential of a dispute leading to a crisis, of a crisis leading to a war, and of a war escalating rapidly” is growing.

    In a new report, Mr Miller and Richard Fontaine, the president of the Centre for a New American Security (CNAS), identify cyber and counter-space (eg, satellite jammers, lasers and high-power microwave-gun systems) attacks as possible triggers for an unplanned conflict. Other new weapons may threaten either side’s capability for nuclear retaliation, particularly their strategic command-and-control centres. James Acton, a nuclear-policy expert at the Carnegie Endowment for International Peace, lists three trends that could undermine stability in a future crisis: advanced technology that can threaten the survivability of nuclear attacks; command-and-control systems that are used for both nuclear and conventional weapons, leaving room for confusion; and an increased risk of cyber attacks on such systems because of digitisation.
    ...

    And this risk of cyber attacks is so great that the Defence Science Board advised the Pentagon in 2013 that “The benefits to an attacker using cyber exploits are potentially spectacular,” potentially including the possibility of turning a nation’s nuclear arsenal against itself:

    ...
    Both America and Russia rely heavily on digital networks and space-based systems for command, control, communications, intelligence, surveillance and reconnaissance (C3ISR) to run almost every aspect of their respective military enterprises. Cyber space and outer space therefore offer attackers tempting targets in the very early stages of a conflict. In the utmost secrecy, both sides have invested heavily in offensive cyber capabilities. In 2013 the Defence Science Board advised the Pentagon that: “The benefits to an attacker using cyber exploits are potentially spectacular. Should the United States find itself in a full-scale conflict with a peer adversary, attacks would be expected to include denial of service, data corruption, supply-chain corruption, traitorous insiders, kinetic and related non-kinetic attacks at all altitudes from under water to space. US guns, missiles and bombs may not fire, or may be directed against our own troops. Resupply, including food, water, ammunition and fuel, may not arrive when or where needed. Military commanders may rapidly lose trust in the information and ability to control US systems and forces.”
    ...

    And, of course, this 2013 study also recognized the possibility that these cyber vulnerabilities could be exploited by a third party as part of a false flag attack. Imagine a false flag cyber attack involving turning a nation’s nuclear forces against itself. Or against another nation. That’s the kind of situation we have to worry about. Increasingly:

    ...
    One problem with this is that the space architecture on which America depends for its nuclear command and control, including missile early warning, is also used for conventional warfare. That means a conventional attack might be mistaken for a pre-emptive nuclear strike, which could lead to rapid escalation. Another difficulty is that an aggressor may be tempted to go after cyber and space assets in the hope of causing major damage to a target’s defences without actually killing anybody. That would raise doubts over whether nuclear retaliation could be justified. A third worry is that because of the potential speed and surprise of such attacks, some responses might be delegated to autonomous systems that can react in milliseconds. Lastly, there is the possibility of “false flag” cyber operation by a rogue state or non-state hacker group.
    ...

    But it’s not just the risk of cyber attacks that has some national security experts increasingly concerned that the balance of MADness might be breaking down. Defensive capabilities like the conventional prompt global strike (CPGS) program don’t just threaten rogue regimes like North Korea. They also potentially threaten the second-strike capabilities of nations with large nuclear forces like Russia and China:

    ...
    Don’t worry just yet

    For now, the prospects of a successful disarming strike remain sufficiently remote to leave the strategic balance intact. Mr Miller argues that it would require a “fundamental transformation in the military-technological balance…enabled by the development and integration of novel military capabilities” to upset the balance.

    Ominously, he thinks that such a fundamental transformation may now be on the horizon, in the shape of conventional prompt global strike (CPGS) and new missile-defence systems. Both China and Russia fear that new American long-range non-nuclear strike capabilities could be used to deliver a disarming attack on a substantial part of their strategic forces or decapitate their nuclear command and control. Although they would still launch their surviving nuclear missiles, improved missile-defence systems would mop up most of the remainder before their warheads could do any damage.

    Still, Michael Elleman, a missile expert at the International Institute for Strategic Studies, reckons that for now those concerns are overblown. As much as anything, he says, they are talked up to restrain investment in the enabling technologies: “They [the Russians and the Chinese] are saying to the US, the trouble with you guys is that you never know when to stop.”

    CPGS would involve a hypersonic missile at least five times faster than the speed of sound and a range of more than 1,000 miles. This could be achieved in several ways. One would be to stick a conventional warhead on an ICBM or a submarine-launched ballistic missile—a cheap solution but a dangerous one, because defenders would not know whether they were under conventional or nuclear attack, so they might overreact.
    ...

    And if that capability to rapidly take out nuclear launch strikes fails, the technology to take even waves of ICBMs out after they’re launched is also improving:

    ...
    Current American missile-defence systems, such as Patriot, THAAD (terminal high-altitude area defence) and Aegis, provide quite effective regional defence but are not designed to cope with a salvo of ICBMs. The Ground-based Midcourse Defence system in Alaska and California is supposed to provide some defence of the homeland against a few missiles launched by a North Korea or an Iran, but it was never designed to defeat a massive salvo attack by a major adversary.

    However, substantial improvements are on their way. Mr Elleman describes the SM‑3 IIA interceptors, which could be deployed as soon as next year on Aegis-class destroyers, as a “big deal”. They are much faster than their predecessors, and Mr Miller thinks that if hundreds of them were put on ships close to America, they might support a late midcourse defence against Russian ICBMs.

    More exotic missile defences are not far behind. Mr Elleman says that in about five years’ time it may be possible to put solid-state lasers on large numbers of unmanned aerial vehicles (UAVs) orbiting at very high altitude. Small missiles could also be put on UAVs as boost-phase interceptors, firing a minute or so after launch. Interception at that stage is technically much easier than later on because the target is much larger when all its stages are still intact, and moving more slowly.
    ...

    And yet, as the article concludes, as much as the situation appears to point towards increasing destabilization of the current MAD status quo, there is one very obvious answer: arms-control treaties designed to break the arms race cycle. And if arms-control treaties could be reached at the height of the cold war, surely it should be possible today:

    ...
    Mr Elleman believes that for now the advantage is likely to remain with the attacker rather than the defender, but like Mr Miller he fears that emerging technologies could “undermine crisis stability very rapidly”. Yet if arms-control agreements could be reached at the height of the cold war, it should surely be possible for America, Russia and China to talk to each other now to avoid persistent instability.

    Arms control to end the otherwise endless arms race. It’s pretty much the only answer. Less is more. At least, arms control treaties are the only realistic answer when it comes to dealing with the arms race.

    But as we saw, even if a global arms control treaty was miraculously established and the nuclear arms race that threatens the stability of mutually assured destruction was ended, and even if the major nuclear powers miraculously agreed to not develop capabilities like the conventional prompt global strike system or advanced missile defense — systems whose existence is hard to keep a secret — there’s still the possibility that nations will secretly develop those cyber capabilities to neutralize an adversary’s command-and-control systems. In other words, arms control treaties are no replacement for disarmament. Yes, arms-control treaties are still clearly a big step in the right direction, but significant risks remain as long as humanity is still pointing a giant collection of nuclear weapons at each other.

    And yet we have to acknowledge that even if all of the nuclear powers agreed to completely disarm themselves there’s no guarantee everyone will agree to abide by it. Especially rogue governments or private parties. The Underground Reich and other terror groups would presumably like a nuclear arsenal of their own. Disarmament doesn’t preclude rearmament. Or secret arsenals. Or the emergence of future technologies of mass destruction that are unimaginable. In other words, less is potentially less. At least under some worst case scenarios.

    It’s also worth considering a world that contains ample nuclear defensive measures paired with a commitment to disarmament. Imagine a world where every nation agrees to both destroy their nuclear arsenals while simultaneously agreeing to build a really, really comprehensive global missile defense system. Literally a globally administered anti-missile system set up just in case someone breaks the treaty. Less is clearly more in that situation. Especially because no arms race makes it a lot harder for rogue actors to develop their own weapons of mass destruction since they’re generally going to be just trying to copy technology developed by others.

    But there’s still no denying that missiles are the only way to deliver a nuclear device or some other weapon of mass destruction. As long as the technological know-how exists to develop nuclear weapons it’s hard to imagine a system that truly guarantees nuclear security. MADness can break down, but so can World Peace. There are no guarantees. Only educated guesses about risk profiles.

    So perhaps it’s worth acknowledging that collective disarming is a form of mutual assurance too. But it’s not a guaranteed assurance, just like mutually assured destruction. No path is perfect and all contain existential risks. It’s a question of which existential risks you want to collectively incur.
    Mutually assured destruction just might result in mutual destruction. And mutually assured peace might result in treachery, betrayal, and the takeover of societies committed to non-violence by the kind of people that would use violence to control or destroy the non-violent (i.e. the worst kind of people). Again, it’s part of the paradox. A paradox that extends from guns to nukes and beyond. And a paradox that gets very difficult to wrap your head around when you start factoring in the law of truly large numbers. Improbable things happen. Including improbable catastrophes. There’s no perfect path. And it’s really hard to change paths and the longer you remain on that path the more the law of truly large numbers comes in, so you better choose that path wisely. Mutually assured destruction might blow up the world and mutually assured peace might result in the takeover by very horrible violent people.

    It’s all a reminder that the gun regulation debate currently gripping the US is inextricably tied to the much larger debate of how on earth we live with that paradox. The ‘more is more’ and ‘more is less’ and ‘less is less’ and ‘less is more’ paradox. A paradox that includes the question of how we are to live with the future super weapons of mass destruction that haven’t even been conceived of yet. How are we to best protect against that? Create super-duper anti-WMD defense systems?

    It’s also a reminder that we don’t just need world peace. We need very well thought out systems for maintaining world peace and keeping EVERYONE satisfied. Everyone, with the exception of the inevitable people who are going to try to break the peace for whatever reason.

    How do we build sustainable world peace? It’s a question that’s at the heart of both the gun debate and WMD policy debate. Even if we aren’t asking it, that question really is at the heart of it. Because weapons of mass destruction and guns and all other tools for killing fall into the category of things where, in a better world, we would ask, “shouldn’t these be banned? Yeah, let’s ban these because this is just obscenely dangerous,” and then all happily give up our guns and nukes and demilitarize and sing the Whoville song. In a better world we would have done that by now. But we’re still an extremely violent species. And still extremely unequal and dominating. And often unempathetic and dangerously misinformed. Which is a reminder that setting the collective goal of creating a society focused on building highly informed citizens for the purpose of making the world operate better for everyone. Maximizing global welfare by striving for an awesome existence for everyone. Non-violently. It’s not just some pie in the sky vision for heaven on Earth. It’s also a great policy solution for how humanity is supposed to deal with guns and doomsday weapons and everything in between. Which would probably look a lot like high-quality socialism. Everywhere.

    So it’s important to remember that if we’re going to have all these guns and nukes we had better have a lot of great socialism for the guns and world peace and prosperity and a global pacifism pact. And eventually global demilitarization because wouldn’t that be awesome. We can create Starfleet Academy at that point.
    Building a better and just world that works for every country and is great for everyone is clearly part of the policy solution for both guns and WMDs for every country. It’s a collective policy solution.

    Is humanity capable of that? Who knows? Humanity is still a confused hominid and prone to all sorts of behavior that becomes catastrophically self-destructive when fueled through technology. Technology really is a blessing and curse for us in large part because we are very prone towards violence and collective stupidity as a species. And that’s a reminder that the ultimate paradox humanity needs to overcome regarding guns, nukes, violence in general and the risk of self-destruction is the question of whether or not humanity can overcome its own nature. We haven’t figured that out yet.

    It’s also all a reminder that one of the fundamental goals of social structures is keeping the peace. Peace is sort of a basic ingredient for a lot of stuff people generally want to do. And you shouldn’t expect security and ‘keeping the peace’ if the social structure intended to do that is widely viewed as lacking legitimacy. That’s why government and society that works for everyone really is critical for violence control. Gun safety at a national level requires progressive politics, inclusivity, a strong safety net, and opportunity for everyone. And nuke safety requires world peace and a commitment to maintaining it. How do we do that? It’s a good question, but high-quality socialism with a progressive, inclusive society is most assuredly a big part of the answer.

    And yes, there is a risk that world peace won’t be taken seriously, but it’s also very possible that not taking it seriously is the greatest risk of all. Is humanity capable of overcoming its own violent domineering nature? We’ll see. Plucky bands of charismatic teenagers may be required.

    Posted by Pterrafractyl | March 24, 2018, 9:49 pm
  6. Here’s a pair of articles that should be factored into any hacking stories going forward: Remember Hacking Team, the Italian offensive malware firm that was licensed to sell powerful hacking tools to governments around the world, including a number of oppressive governments in the Middle East? And remember how Hacking Team was, itself, hacked in 2015 and had all of its offensive hacking tools released to the public? And remember that story about a security researcher at MalwareBytes who observed that Hacking Team’s leaked code contained some malware with a number of similarities to “X-Agent”, a piece of malware oddly found in the “Fancy Bear” hack of the DNC (odd because X-Agent had previously been found in hacks attributed to “Fancy Bear”, making it a kind of ‘calling card’ if used again in a high-profile hack)?

    Well, here are a couple of updates on what became of Hacking Team after it got hacked and had all its source released: The company did indeed see an exodus of clients, as one might expect. But it didn’t shut down. Instead, it found a new investor. And while the identity of this investor isn’t entirely clear, it’s pretty clear that this mystery investor is the government of Saudi Arabia or someone very close to the government of Saudi Arabia:

    Vice Motherboard

    Hacking Team Is Still Alive Thanks to a Mysterious Investor From Saudi Arabia
    An investor from Saudi Arabia is apparently behind a company that bought a stake in the controversial spyware vendor.

    Lorenzo Franceschi-Bicchierai
    Jan 31 2018, 12:43pm

    The 2015 breach of spyware vendor Hacking Team seemed like it should have ended the company. Hacking Team was thoroughly owned, with its once-secret list of customers, internal emails, and spyware source code leaked online for anyone to see. But nearly three years later, the company trudges on, in large part thanks to a cash influx in 2016 from a mysterious investor who had been publicly unknown until now.

    The hack hurt the company’s reputation and bottom line: Hacking Team lost customers, was struggling to make new ones, and several key employees left. Three years later—after the appearance of this new investor—the company appears to have stopped the bleeding. The company registered around $1 million in losses in 2015, but bounced back with around $600,000 in profits in 2016.

    Motherboard has learned that this apparent recovery is in part thanks to the new investor, who appears to be from Saudi Arabia—and whose lawyer’s name matches that of a prominent Saudi attorney who regularly works for the Saudi Arabian government and facilitates deals between the government and international companies.

    Hacking Team sells hacking and surveillance technologies exclusively to government authorities. And it became infamous for selling its wares to authoritarian regimes such as Ethiopia, Sudan, Kazakhstan, and Bahrain, among others.

    According to financial records obtained by Motherboard, a company based in Cyprus called Tablem Limited took control of 20 percent of the equity of Hacking Team as of 2016, equivalent to around 44,000 euros (about $55,000) of the company’s total nominal share value, which at the time was 223,572 euros (around $280,000). This investment came a few months after the damaging hack, when the 15-year-old company was hitting rock bottom and its enduring survival seemed unlikely.

    Hacking Team co-founder David Vincenzetti owns the other 80 percent of the company, according to the records.

    WHO IS BEHIND TABLEM LIMITED?

    The reason why Saudi investors, and by proxy, the Saudi Arabian government might have still been interested in Hacking Team’s surveillance technology even after the hack can be explained by the geopolitics of the region. The Saudi government is in the middle of a messy transition, and its rulers are worried about terrorism, Iran, and dissidents among their own citizens, giving them plenty of reason to seek surveillance tools.

    Ever since the Arab Spring, the country’s ruling class has expanded its crackdown on freedom of expression, according to Amnesty International’s researcher May Romanos.

    “What drives this crackdown is fear of dissent, fear of political opponents and fear of freedom of expression,” Romanos told me in a phone call, adding that Amnesty has heard reports of activists having their email accounts hacked.

    Lucie Krahulcova, a policy analyst at Access, a digital rights NGO, told me that “there is evidence that Saudi Arabia imported internet surveillance systems capable of carrying out mass surveillance,” and Access has lobbied for stronger controls to stop European companies from exporting tech to countries like Saudi Arabia, who target journalists and human rights defenders.

    “They are even more at risk when the authorities have access to technologies that can turn people’s devices into tools of repression,” she added in an email.

    In November of last year, the Saudi government set up a new cybersecurity authority, and government officials have stepped up their rhetoric against dissidents and in favor of online monitoring.

    In mid 2016, Italian media reported that several Hacking Team investors had stepped away, and that Tablem Limited had stepped in. But at that time no one knew exactly who was behind this company.

    Hacking Team’s end of year statement from 2016 (the last financial cycle available online) is accompanied by a copy of the minutes of the shareholders meeting of May 8, 2017. This document, provided to the Italian government and reviewed by Motherboard, finally reveals the names behind the mysterious company.

    The document mentions someone named Abdullah Al-Qahtani (spelled both that way, as well as “Alghatani” in a different section of the documents) as the director of Tablem Limited.

    According to the document, Abdullah Al-Qahtani was not present for the May meeting at Hacking Team’s headquarters in Milan, but he appointed a lawyer named Khalid Al-Thebity to act as a representative of Tablem Limited. Al-Thebity is a prominent Saudi lawyer who has done work for the Saudi Arabian government for years. Though the Italian government documents name Al-Thebity as Abdullah Al-Qahtani’s lawyer, Motherboard tried multiple times to reach Al-Thebity and his law firm, Squire Patton Boggs, to discuss his involvement but received no response.

    Al-Thebity’s public bio and resume, as well as quotes he’s given to other publications, suggest that he regularly works with the Saudi Arabian government to facilitate the entry of international companies into the country.

    “Our strategy’s to continue to represent the government and to focus on representing major Saudi corporations,” Al-Thebity told The Lawyer magazine in a 2011 article. “We work closely with international corporations entering the market.”

    Al-Thebity has “been representing the Government of Saudi Arabia on several international law matters since 1996,” reads his online bio. According to Squire Patton Boggs, his law firm, Al-Thebity has “represented the Ministry of Communications and Information Technology on the drafting of privacy and data protection legislation.”

    Using open-source online information, it’s difficult to tell exactly who Abdullah Al-Qahtani is, or even where he’s from. But people familiar with Hacking Team and business records point to his association with Saudi Arabia’s government.

    “The Saudi government wanted tools to do espionage on its own citizens,” said a former Hacking Team employee who asked to remain anonymous because he was still barred from talking about his ex-employer. “There’s the Saudi government behind it, the money comes from them.”

    “They were on the brink of bankruptcy, and that’s when David [Vincenzetti] sold his soul to the Saudis to save the company,” he added.

    Vincenzetti told me in a text message that he isn’t sure who Abdullah Al-Qahtani or Khalid Al-Thebity really are.

    “The Saudi government is opaque even for me,” Vincenzetti told me. “I don’t have visibility in the role nor the activities of this person in Saudi [Arabia].”

    He then declined to answer any further questions: “I can’t release any comment about this,” he said.

    The Al-Qahtani who appears in Hacking Team’s documents is working for the Al-Qahtani Group, also known as Abdel Hadi Abdullah Al-Qahtani & Sons Co., a conglomerate based in Dammam, Saudi Arabia, according to a source who’s familiar with the Italian spyware market. Emails sent to the Al-Qahtani group bounced back.

    Abdullah Al-Qahtani could not be reached for comment at the phone number listed on Tablem Limited’s public records, which notes that the company specializes in “exports.” The number appeared to belong to a company called Nobel Trust Limited, a financial consulting firm. When we called, a woman identified herself as working for Nobel Trust. When asked if we could speak with a representative of Tablem Limited, she hung up and put through a voicemail message saying Nobel Trust was closed at the moment.

    SAUDI ARABIA AND HACKING TEAM

    Saudi Arabian interest in Hacking Team is well documented.

    Saudi government agencies have purchased Hacking Team’s spyware since 2010, according to documents leaked by the hacker who broke into the company in 2015.

    H.E. Saud Al-Qahtani, the country’s royal court advisor who specializes in online surveillance, was directly in touch with Hacking Team’s top brass in 2015, according to leaked emails.

    “Considering your esteemed reputation and professionalism, we here at the Center for Media Monitoring and Analysis at the Saudi Royal Court (THE King Office) would like to be in productive cooperation with you and develop a long and strategic partnership,” H.E. Saud Al-Qahtani wrote in an email to Hacking Team.

    H.E. Saud Al-Qahtani is reportedly close to the controversial young crown prince Mohammed bin Salman. H.E. Saud Al-Qahtani has been accused by a prominent local journalist of being an internet troll who tries to frighten dissidents online, and he recently tweeted a veiled threat to put anyone who conspires against the Arab countries on a “blacklist.”

    “The man has transgressed a lot,” Saudi writer Turki al-Ruqi, the founder of Al-Wi’am newspaper, wrote in an article last year that H.E. Saud Al-Qahtani has used hackers to target critics of the royal family. “Many of the country’s young men have been his victims.”

    We were unable to establish any link between H.E. Saud Al-Qahtani and the Abdullah Al-Qahtani who heads Tablem Limited and invested in Hacking Team.

    H.E. Saud Al-Qahtani was recently named head of the Saudi Federation for Cybersecurity and Programming. He did not respond to multiple requests for comment sent over the course of a week.

    After the Hacking Team hack, news reports indicated that the Saudi government—through local businessmen—was interested in acquiring a majority stake in Hacking Team as early as 2013.

    Then, in early 2016, there were new talks for a potential acquisition, but just like the first ones, the investment didn’t go through. Then, later in 2016, the long-time Italian investors who had shares in the company stepped out, and Vincenzetti increased his shares while also welcoming a new investment from Abdullah Al-Qahtani’s Tablem Limited.

    After Abdullah Al-Qahtani’s investment, employees all of a sudden got a salary increase, which was designed to stop them from leaving the company, as many had done after the hack, according to former Hacking Team employees who are still aware of goings on at the company. In 2015, at the time of the hack, the company had 45 employees, according to an undated leaked document that lists all the company’s employees. As of September of 2017, the company has 31 employees, up from 26 at the beginning of last year, according to the financial documents.

    Abdullah Al-Qahtani’s investment in Hacking Team might have been a way to go from being simple customers to having a voice in shaping the direction of the company. Hacking Team’s financial woes might have worked to the investor’s advantage, proving to be a cheap opportunity to acquire technology that still works to spy in many cases, people familiar with Hacking Team’s products told me.

    The Saudi Arabia government might have seen in Hacking Team an opportunity to step up its capabilities, as other gulf states are also heavily investing in internet surveillance and hacking.

    “Given how much the United Arab Emirates have invested in the technology, the Saudis wanted to do the same,” the second former Hacking Team employee told me, referring to Dark Matter, a fledgling—and controversial—Dubai-based surveillance and hacking company that’s been hiring former CIA agents and NSA hackers to bolster the country’s surveillance apparatus.

    ...

    ———-

    “Hacking Team Is Still Alive Thanks to a Mysterious Investor From Saudi Arabia” by Lorenzo Franceschi-Bicchierai; Vice Motherboard; 01/31/2018

    “The hack hurt the company’s reputation and bottom line: Hacking Team lost customers, was struggling to make new ones, and several key employees left. Three years later—after the appearance of this new investor—the company appears to have stopped the bleeding. The company registered around $1 million in losses in 2015, but bounced back with around $600,000 in profits in 2016.

    Three years after getting hacked and humiliated, Hacking Team has stopped the bleeding and is once again profitable. And that sudden turnaround appears to largely be thanks to mysterious new investors. And while it’s unclear who exactly these mystery investors are, documents do include the name “Abdullah Al-Qahtani” (also spelled “Alghatani” in the documents). And the lawyer for Abdullah Al-Qahtani’s investment firm, Cyprus-based Tablem Limited, matches the name of a prominent Saudi attorney who regularly works for the Saudi Arabian government and facilitates deals between the government and international companies: Khalid Al-Thebity:

    ...
    Motherboard has learned that this apparent recovery is in part thanks to the new investor, who appears to be from Saudi Arabia—and whose lawyer’s name matches that of a prominent Saudi attorney who regularly works for the Saudi Arabian government and facilitates deals between the government and international companies.

    Hacking Team sells hacking and surveillance technologies exclusively to government authorities. And it became infamous for selling its wares to authoritarian regimes such as Ethiopia, Sudan, Kazakhstan, and Bahrain, among others.

    According to financial records obtained by Motherboard, a company based in Cyprus called Tablem Limited took control of 20 percent of the equity of Hacking Team as of 2016, equivalent to around 44,000 euros (about $55,000) of the company’s total nominal share value, which at the time was 223,572 euros (around $280,000). This investment came a few months after the damaging hack, when the 15-year-old company was hitting rock bottom and its enduring survival seemed unlikely.

    Hacking Team co-founder David Vincenzetti owns the other 80 percent of the company, according to the records.

    ...

    In mid 2016, Italian media reported that several Hacking Team investors had stepped away, and that Tablem Limited had stepped in. But at that time no one knew exactly who was behind this company.

    Hacking Team’s end of year statement from 2016 (the last financial cycle available online) is accompanied by a copy of the minutes of the shareholders meeting of May 8, 2017. This document, provided to the Italian government and reviewed by Motherboard, finally reveals the names behind the mysterious company.

    The document mentions someone named Abdullah Al-Qahtani (spelled both that way, as well as “Alghatani” in a different section of the documents) as the director of Tablem Limited.

    According to the document, Abdullah Al-Qahtani was not present for the May meeting at Hacking Team’s headquarters in Milan, but he appointed a lawyer named Khalid Al-Thebity to act as a representative of Tablem Limited. Al-Thebity is a prominent Saudi lawyer who has done work for the Saudi Arabian government for years. Though the Italian government documents name Al-Thebity as Abdullah Al-Qahtani’s lawyer, Motherboard tried multiple times to reach Al-Thebity and his law firm, Squire Patton Boggs, to discuss his involvement but received no response.

    Al-Thebity’s public bio and resume, as well as quotes he’s given to other publications, suggest that he regularly works with the Saudi Arabian government to facilitate the entry of international companies into the country.

    Al-Thebity has “been representing the Government of Saudi Arabia on several international law matters since 1996,” reads his online bio. According to Squire Patton Boggs, his law firm, Al-Thebity has “represented the Ministry of Communications and Information Technology on the drafting of privacy and data protection legislation.”
    ...

    So it appears that Khalid Al-Thebity has been largely identified. But it’s still unclear who Abdullah Al-Qahtani is or where he’s from. Even the owner of Hacking Team, who still owns 80 percent of the firm, claims he doesn’t know the actual identity of Abdullah Al-Qahtani:

    ...
    Using open-source online information, it’s difficult to tell exactly who Abdullah Al-Qahtani is, or even where he’s from. But people familiar with Hacking Team and business records point to his association with Saudi Arabia’s government.

    ...

    Vincenzetti told me in a text message that he isn’t sure who Abdullah Al-Qahtani or Khalid Al-Thebity really are.

    “The Saudi government is opaque even for me,” Vincenzetti told me. “I don’t have visibility in the role nor the activities of this person in Saudi [Arabia].”
    ...

    That’s right, a major offensive hacking firm sold a 20 percent stake to a mystery investor that’s so mysterious even the owners of this offensive hacking firm don’t know the real identity. That seems like a security risk, no?

    Still, all signs do indicate that Al-Qahtani really is a representative for the Saudi government. Al-Qahtani appears to be the same Al-Qahtani who works for the Al-Qahtani Group, also known as Abdel Hadi Abdullah Al-Qahtani & Sons Co., a Saudi conglomerate. And the phone number listed on Tablem Limited’s public records belongs to another firm, Nobel Trust Limited. So there does appear to be quite a bit of information about Al-Qahtani, just not enough to know who he actually is:

    ...
    The Al-Qahtani who appears in Hacking Team’s documents is working for the Al-Qahtani Group, also known as Abdel Hadi Abdullah Al-Qahtani & Sons Co., a conglomerate based in Dammam, Saudi Arabia, according to a source who’s familiar with the Italian spyware market. Emails sent to the Al-Qahtani group bounced back.

    Abdullah Al-Qahtani could not be reached for comment at the phone number listed on Tablem Limited’s public records, which notes that the company specializes in “exports.” The number appeared to belong to a company called Nobel Trust Limited, a financial consulting firm. When we called, a woman identified herself as working for Nobel Trust. When asked if we could speak with a representative of Tablem Limited, she hung up and put through a voicemail message saying Nobel Trust was closed at the moment.
    ...

    Interestingly, Abdullah Al-Qahtani also shares the same surname with H.E. Saud Al-Qahtani, royal court advisor who specializes in online surveillance. And H.E. Saud Al-Qahtani was known to be directly in touch with Hacking Team in 2015 according to leaked emails. H.E. Saud Al-Qahtani is also reportedly close to crown prince Mohammed bin Salman and was recently named the head of the Saudi Federation for Cybersecurity and Programming:

    ...
    Saudi Arabian interest in Hacking Team is well documented.

    Saudi government agencies have purchased Hacking Team’s spyware since 2010, according to documents leaked by the hacker who broke into the company in 2015.

    H.E. Saud Al-Qahtani, the country’s royal court advisor who specializes in online surveillance, was directly in touch with Hacking Team’s top brass in 2015, according to leaked emails.

    “Considering your esteemed reputation and professionalism, we here at the Center for Media Monitoring and Analysis at the Saudi Royal Court (THE King Office) would like to be in productive cooperation with you and develop a long and strategic partnership,” H.E. Saud Al-Qahtani wrote in an email to Hacking Team.

    H.E. Saud Al-Qahtani is reportedly close to the controversial young crown prince Mohammed bin Salman. H.E. Saud Al-Qahtani has been accused by a prominent local journalist of being an internet troll who tries to frighten dissidents online, and he recently tweeted a veiled threat to put anyone who conspires against the Arab countries on a “blacklist.”

    “The man has transgressed a lot,” Saudi writer Turki al-Ruqi, the founder of Al-Wi’am newspaper, wrote in an article last year that H.E. Saud Al-Qahtani has used hackers to target critics of the royal family. “Many of the country’s young men have been his victims.”

    We were unable to establish any link between H.E. Saud Al-Qahtani and the Abdullah Al-Qahtani who heads Tablem Limited and invested in Hacking Team.

    H.E. Saud Al-Qahtani was recently named head of the Saudi Federation for Cybersecurity and Programming. He did not respond to multiple requests for comment sent over the course of a week.
    ...

    So we have an “Abdullah Al-Qahtani” listed on the documents of Tablem Limited, the Cyprus-based firm, and a H.E. Saud Al-Qahtani who is close to the crown prince and recently named the head of the Saudi Federation for Cybersecurity and Programming. Are they related? That’s still unclear. But what is clear is that the Saudi government has been trying to invest in Hacking Team for years, going back to 2010, making it just one of a number of gulf states investing heavily in hacking technology:

    ...
    After the Hacking Team hack, news reports indicated that the Saudi government—through local businessmen—was interested in acquiring a majority stake in Hacking Team as early as 2013.

    Then, in early 2016, there were new talks for a potential acquisition, but just like the first ones, the investment didn’t go through. Then, later in 2016, the long-time Italian investors who had shares in the company stepped out, and Vincenzetti increased his shares while also welcoming a new investment from Abdullah Al-Qahtani’s Tablem Limited.

    ...

    The Saudi Arabia government might have seen in Hacking Team an opportunity to step up its capabilities, as other gulf states are also heavily investing in internet surveillance and hacking.

    “Given how much the United Arab Emirates have invested in the technology, the Saudis wanted to do the same,” the second former Hacking Team employee told me, referring to Dark Matter, a fledgling—and controversial—Dubai-based surveillance and hacking company that’s been hiring former CIA agents and NSA hackers to bolster the country’s surveillance apparatus.
    ...

    So that’s our update on Hacking Team: it’s tragically alive and well. And presumably run by and for Saudi Arabia at this point.

    And that’s not all. Because it turns out Hacking Team appears to have spawned a competitor: Grey Heron, a company that seemingly came out of nowhere this year and is suddenly advertising its ability to hack strongly-encrypted messaging platforms like Signal and Telegram. But those hacking capabilities aren’t the key feature Grey Heron offers its clients. Instead, the key feature is that Grey Heron isn’t called Hacking Team, which became a very important feature after Hacking Team was hacked and had its reputation destroyed:

    Vice Motherboard

    New Spyware Company ‘Grey Heron’ Is Linked to Hacking Team
    Grey Heron emerged from the controversial spyware vendor Hacking Team, and is looking to break into the European and North American markets.

    By Joseph Cox and Lorenzo Franceschi-Bicchierai
    Mar 26 2018, 10:35am

    In early March, Motherboard reported that a new, mysterious government-malware company called Grey Heron is advertising malware designed to steal data from Signal and Telegram messaging apps. The company seemingly came out of nowhere, suddenly advertising its wares at surveillance fairs over the last few months.

    But Grey Heron does have a history: The company emerged from controversial spyware firm Hacking Team, despite Grey Heron not mentioning these links publicly, Motherboard has learned. The move, it appears, may be to distance Grey Heron from the notorious, and perhaps damaged, brand of Hacking Team.

    “Grey Heron’s mission is to provide to law enforcement the strong tools to balance the capabilities of those who wish to do harm,” a copy of Grey Heron’s brochure previously published by Motherboard reads.

    Grey Heron was formed from other players in the government hacking space, including Hacking Team, a source familiar with the company said. In private conversations within the surveillance industry that were later detailed to Motherboard, Grey Heron has suggested it sees distancing itself from Hacking Team and its history as a benefit.

    Indeed, Hacking Team may be the most high-profile government malware provider in the world due to its bold, public facing marketing, and because it sold surveillance products to a host of authoritarian regimes, including Sudan, Ethiopia, and Bahrain. It also suffered a massive data breach, exposing many of the company’s secrets. In 2015, a pseudonymous hacker known as Phineas Fisher broke into the servers of the company, and went unnoticed for weeks. The hacker stole more than 400 gigabytes of internal data, including emails, customer records, and—worse—the spyware’s source code. On July 5, 2015, he revealed the hack from Hacking Team’s own, hacked, Twitter account, and dumped all the data online.

    After a couple of years of struggles, an investor linked to the Saudi government bought a stake in Hacking Team, giving the company new cash to grow again, Motherboard recently reported.

    Although the exact contours of the relationship between Hacking Team and Grey Heron are still fuzzy, an ex-Hacking Team employee, who spoke on condition of anonymity because he’s not allowed to talk about his former employer, said that it would “make sense to use a different name to continue to sell to those clients who weren’t happy after the hack.”

    “Except those customers who don’t care because they buy spyware without thinking twice,” the former employee, who had no direct knowledge of Grey Heron, told Motherboard. “I imagine that there’s a lot of them who don’t see Hacking Team favorably anymore, including the reselling partners, perhaps even more so than the final customers.”

    Grey Heron has said privately that the Italian government has given the company permission to export its products throughout the European Union, and that Grey Heron has particular interest in selling to European and North American clients.

    The firm has exhibited at two recent UK surveillance shows, the Home Office sponsored Security & Policing event, and the International Security Expo, according to the shows’ websites. At the latter, Eric Rabe, who handles Grey Heron’s marketing and communication and is also Hacking Team’s longtime spokesperson, gave a talk on “privacy and the encryption threat.”

    Rabe did not respond to multiple requests for comment concerning connections between the two Milan-based companies. David Vincenzetti, Hacking Team’s CEO, did not respond either.

    The idea that those linked to Hacking Team can rebrand themselves under a new company may irk those pushing for accountability in the surveillance industry.

    “The surveillance sector clearly needs further regulation to stop bad actors selling the means to crush dissent to any authoritarian afraid of their own society,” Lloyd Russell-Moyle MP, member of the UK Committees on Arms Export Controls (CAEC), told Motherboard in a statement. “It is vital that export licensing regimes across Europe apply these laws and crucially talk to one another to ensure human rights are not trampled over.”

    ...

    ———-

    “New Spy­ware Com­pa­ny ‘Grey Heron’ Is Linked to Hack­ing Team” by Joseph Cox and Loren­zo Franceschi-Bic­chierai; Vice Moth­er­board; 03/26/2018

    “In ear­ly March, Moth­er­board report­ed that a new, mys­te­ri­ous gov­ern­ment-mal­ware com­pa­ny called Grey Heron is adver­tis­ing mal­ware designed to steal data from Sig­nal and Telegram mes­sag­ing apps. The com­pa­ny seem­ing­ly came out of nowhere, sud­den­ly adver­tis­ing its wares at sur­veil­lance fairs over the last few months.

    *Poof* A company appears seemingly out of nowhere this year offering a number of tantalizing hacking capabilities. And, of course, it doesn't come out of nowhere. It emerged from Hacking Team, although Grey Heron doesn't mention this publicly, which makes sense since distancing itself from Hacking Team is a highly desirable service for the governments who used to be Hacking Team clients and were forced to leave after the bad press from the 2015 Hacking Team hack:

    ...
    But Grey Heron does have a his­to­ry: The com­pa­ny emerged from con­tro­ver­sial spy­ware firm Hack­ing Team, despite Grey Heron not men­tion­ing these links pub­licly, Moth­er­board has learned. The move, it appears, may be to dis­tance Grey Heron from the noto­ri­ous, and per­haps dam­aged, brand of Hack­ing Team.

    “Grey Heron’s mis­sion is to pro­vide to law enforce­ment the strong tools to bal­ance the capa­bil­i­ties of those who wish to do harm,” a copy of Grey Heron’s brochure pre­vi­ous­ly pub­lished by Moth­er­board reads.

    Grey Heron was formed from oth­er play­ers in the gov­ern­ment hack­ing space, includ­ing Hack­ing Team, a source famil­iar with the com­pa­ny said. In pri­vate con­ver­sa­tions with­in the sur­veil­lance indus­try that were lat­er detailed to Moth­er­board, Grey Heron has sug­gest­ed it sees dis­tanc­ing itself from Hack­ing Team and its his­to­ry as a ben­e­fit.
    ...

    Like the phoenix, Grey Heron rose from Hacking Team's ashes. Of course, Hacking Team also rose from its own ashes thanks to that Saudi money. But Hacking Team is still going to have a much harder time getting outside clients thanks to its damaged reputation. Grey Heron, on the other hand, appears to be licensed to export its hacking products throughout the EU and has a particular interest in selling to North American clients:

    ...
    Grey Heron has said pri­vate­ly that the Ital­ian gov­ern­ment has giv­en the com­pa­ny per­mis­sion to export its prod­ucts through­out the Euro­pean Union, and that Grey Heron has par­tic­u­lar inter­est in sell­ing to Euro­pean and North Amer­i­can clients.
    ...

    So that's what happened to Hacking Team following its devastating 2015 hack: it's once again profitable thanks to mysterious Saudi investors and has also indirectly spawned an entirely new firm that appears to be offering the same kinds of hacking products under a non-'Hacking Team' brand. It's something to keep in mind the next time we see a high-profile hack...especially if the hack once again involves X‑Agent.

    Posted by Pterrafractyl | March 29, 2018, 3:59 pm
  7. Well, that's quite an indictment, even by #TrumpRussia standards: The Mueller team issued an indictment against 12 GRU officers over the 2016 hacks of the Democrats. The indictment doesn't just name names but actually describes the roles they played in the teams that carried out the hacks. It is by far the most detail we've seen thus far, including information like 'Person A searched for terms XYZ a day before those terms showed up in a message from Guccifer 2.0'. From a cyber-attribution standpoint the indictment avoids one of the biggest flaws in the attribution we've seen thus far: it's not simply based on highly spoofable "pattern recognition". There is evidence that purportedly links directly back to computers known to be managed and used by the GRU. Although, as we're going to see, there's actually only one piece of evidence in the indictment that purports to link directly back to the GRU, but it's a pretty big piece of evidence if real. The rest of the details in the indictment may or may not link back directly to the GRU. It's ambiguously worded so we don't know if the rest of the details are speculative (it's what the Mueller team thinks happened) vs authoritative (it's what the Mueller team conclusively knows happened).

    Separately, we also just learned that Trump was reportedly informed by the government two weeks before his January 2016 inauguration about specific, highly classified evidence from a Kremlin source claiming that, yes, the Kremlin was behind it all. This is going to be important to keep in mind in relation to the many details in the indictment because, again, a large number of those details are assertions of specific GRU officers carrying out specific actions on particular dates, but it's never clear if it's conclusively known that the GRU officers carried out these acts or if it's merely suspected that they did so based on their known roles within the GRU and the assumption that the GRU was behind the hacks. So knowing that the testimony of this Kremlin insider was important in arriving at the conclusion that the GRU really was behind the hack further raises the questions about whether or not the many details in the indictment are based on conclusive direct evidence or inferences and suspicions.

    The details are plentiful in the indictment. The indictment charges two specific GRU units with the hack, each playing different roles: Unit 26165 carried out the hacks and Unit 74455 distributed the hacked materials by creating websites like DCleaks.com and the Guccifer 2.0 persona. The specific people in these units are named and their roles in the operation are given. Some details include actual searches online that specific GRU officers did at specific times that include phrases found in Guccifer 2.0's first message to the world.

    Then there’s the one detail that, if true, would appear to con­clu­sive­ly link the “Guc­cifer 2.0” per­sona to the GRU’s Unit 74455: In the indict­ment we find the fol­low­ing asser­tion that some­one on a Moscow-based serv­er man­aged and used by Unit 74455 made a bunch of search queries for phras­es that showed up in Guc­cifer 2.0’s first mes­sages to the world lat­er that day:

    41. On or about June 15, 2016, the Conspirators logged into a Moscow-based server used and managed by Unit 74455 and, between 4:19 PM and 4:56 PM Moscow Standard Time, searched for certain words and phrases, including:

    Search Term(s):
    "some hundred sheets"
    "some hundreds of sheets"
    dcleaks
    illuminati
    широко известный перевод
    [widely known translation]
    "worldwide known"
    "think twice about"
    "company's competence"

    42. Later that day, at 7:02 PM Moscow Standard Time, the online persona Guccifer 2.0 published its first post on a blog site created through WordPress. Titled "DNC's servers hacked by a lone hacker," the post used numerous English words and phrases that the Conspirators had searched for earlier that day (bolded below):

    Worldwide known cyber security company [Company 1] announced that the Democratic National Committee (DNC) servers had been hacked by "sophisticated" hacker groups.

    I'm very pleased the company appreciated my skills so highly)))[...]

    Here are just a few docs from many thousands I extracted when hacking into DNC's network. [...]

    Some hundred sheets! This's a serious case, isn't it? [...]

    I guess [Company 1] customers should think twice about company's competence.

    F[***] the Illuminati and their conspiracies!!!!!!!! F[***] [Company 1]!!!!!!!!

    This is the sole part of the indictment that stands out for referring to a server known to be operated by the GRU. There are numerous allegations in the indictment where one of the GRU agents is alleged to have done something on a server leased by the GRU, and in the indictment we learn that the payments for some of the servers used bitcoin wallets managed by email accounts assumed to be managed by the GRU, but it's never made clear how conclusive the evidence is that the GRU was specifically managing those email accounts and leasing those servers. But in this one instance with the Moscow-based server it is specifically stated that it's a server known to be managed and used by the GRU. It will be interesting to see if we get to learn more about this server.

    It’s also worth not­ing that the indict­ment specif­i­cal­ly says some­one logged into the GRU man­aged serv­er from 4:19 to 4:56 PM on the day of Guc­cifer 2.0’s first mes­sage to the world. This rais­es the ques­tion of whether or not US inves­ti­ga­tors were giv­en legal access to that serv­er. If so, that would be an impres­sive lev­el of coop­er­a­tion from a Moscow-based com­pa­ny used by the GRU. Because if the US did­n’t gain legal access to this Moscow-based serv­er, that rais­es the ques­tion of whether or not the evi­dence was gath­ered by hack­ing the serv­er by the US or an ally, which would obvi­ous­ly col­or the inter­pre­ta­tion of this evi­dence.

    It's also possible the server login evidence is based on general internet traffic information that shows someone communicating with the server, coupled with information from Google or another search engine about search traffic from that server shortly after. There are a range of possibilities. But if there's real evidence of someone logging into a GRU-managed server and making those search term queries before those terms showed up in Guccifer's first post to the world, that's pretty conclusive evidence of the GRU being behind the hack. And that's why this is really the key piece of evidence in the indictment that purports to directly link the GRU to the hacking operations. So the details of that particular piece of evidence are going to be important.

    And if this Moscow-based server really was a GRU-managed server and a GRU agent really did make those searches the day of the Guccifer 2.0 first message to the world, it also raises the question of whether or not the GRU had reason to believe that server was known as a GRU server. Because if so, that would be another remarkable example of brazen "I'm a Russian hacker" sloppiness by the GRU in this operation. Using a known GRU server for an operation of this nature seems like an extraordinarily unnecessary risk to take.

    Unless, of course, get­ting caught and blamed was always part of the plan. And let’s not for­get that one of the ini­tial con­clu­sions of US inves­ti­ga­tors to explain all of the unusu­al slop­pi­ness of ‘mis­takes’ in the hack cou­pled with the aggres­sive use of advanced exploits in order to stay on the DNC’s serv­er was that Russ­ian gov­ern­ment hack­ers were ‘show­ing off’.

    And if Putin really did order a hacking campaign where Russia intends to get caught and blamed, that means the Trump campaign was colluding with someone trying to get caught, which is pretty funny. Whoops! The Kremlin may not have been the best collusion partner, unless the Trump campaign wanted Russia to get itself implicated in order to take the suspicions for the hacks off the Trump campaign. In which case, whoops again, because that would be a crazy plan.

    The financing of the operation is also described in detail in the indictment, with bitcoin mining and laundering providing the funds used to purchase things like servers and VPNs (like the Crookserver company that provided the command-and-control server with the 176.31.112.10 IP address, which was paid in bitcoins).

    One inter­est­ing new set of details involves the loca­tion of some of the servers used. One alleged­ly GRU-con­trolled serv­er was in Ari­zona and anoth­er in Illi­nois. At first, the mal­ware was com­mu­ni­cat­ing with the Ari­zona serv­er, but at some point they decid­ed to relay the data to a for­eign serv­er and then back to the Ari­zona serv­er. It would be inter­est­ing to know what led to that deci­sion.

    Another interesting new detail involves a fourth command-and-control server that was never mentioned in Crowdstrike's report. The initial CrowdStrike report mentioned three command-and-control server addresses that were found in the malware, including the server with the same 176.31.112.10 IP address found in the malware used in the 2015 Bundestag hack. But it never mentioned linuxkrnl.net, the address of the new fourth command-and-control server that is referenced in the Mueller indictment. This is leading to speculation that Crowdstrike never actually found the malware with the linuxkrnl.net command-and-control server and that that was the malware left on the server until October of 2016.

    Also recall how one of the more eyebrow-raising aspects of how the hacks were initially described by the cybersecurity contractors who actually worked on containing the infection on the DNC's servers was that the hackers were unusually aggressive in maintaining a foothold on the system and the battle to disinfect the DNC's network went on for six weeks starting in June of 2016. So it wouldn't be surprising if the malware that managed to stay hidden until October was placed on the network during that period when the hackers were battling with the cybersecurity contractors and used the linuxkrnl.net command-and-control server (the linuxkrnl.net address for outbound traffic would look a lot less suspicious than a string of numbers).

    So this indict­ment is cer­tain­ly a high­ly provoca­tive new devel­op­ment in this case, and one that pur­ports to fill in numer­ous details. But the verac­i­ty of some of these new details remains a mys­tery, espe­cial­ly the details about spe­cif­ic GRU offi­cers car­ry­ing out spe­cif­ic actions.

    The specific details about individuals carrying out specific acts on specific days listed in the indictment are so numerous that it raises the question of how so much was known, on top of the question raised by the Moscow server Guccifer 2.0 claim. Were Western intelligence agencies spying on the GRU at the time of the hacks? Or was this information obtained by US authorities and allies after the fact? And that mystery on the timing of the collection of this intelligence is part of what makes the indictment rather remarkable: there are a number of details about 'who did what', and almost no details at all about how this information was obtained or the level of confidence behind the allegations. It's not clear if the assertions in the indictment are descriptions of what the Mueller team thinks happened and is planning on proving did happen, or if the allegations are based on very strong evidence that 'person X did Y on date Z'. We are left with no idea, with the notable exception of the Moscow-based server that's said to be known to be managed by the GRU.

    There's also a remarkable admission that malware from the hack remained on the DNC's network until October of 2016, long after Crowdstrike assured the world that the malware was removed. Now, a DNC official assures us that the lingering piece of malware was quarantined and effectively disabled, which is plausible.

    But perhaps the most eyebrow-raising aspect of the indictment is how much detail and emphasis it places on one of the most inexplicable aspects of the entire hacking story: X‑Agent. There are A LOT of details in the indictment about these GRU agents and their development, testing, and eventual use of X‑Agent.

    Recall how X‑Agent was used as a key piece of evidence by Crowdstrike early on to pin the blame on the Russian government, based on the assertion by Crowdstrike that X‑Agent was exclusively used by Russian government hackers. As security expert Jeffrey Carr pointed out, this conclusion that X‑Agent was exclusively developed and used by Russian hackers was subsequently proven to be erroneous. The cybersecurity firm ESET managed to get its hands on X‑Agent source code from 2015 along with an anti-Russian Ukrainian hacker. So the X‑Agent source was clearly in 'the wild' at the time of the hacks.

    But the big ‘WTF’ aspect of the X‑Agent angle is the fact that the IP address of the com­mand-and-con­trol serv­er used to remote­ly con­trol the X‑Agent mal­ware installed on the Democ­rats’ servers was the same IP address hard cod­ed into the X‑Agent mal­ware found on the Bun­destag servers in 2015 fol­low­ing the Bun­destag hack and that IP address was lit­er­al­ly pub­lished in 2015. And that same com­mand-and-con­trol serv­er was also found to be vul­ner­a­ble to the ‘Heart­bleed’ attack, mean­ing the com­mand-and-con­trol serv­er whose IP address was hard-cod­ed into the X‑Agent mal­ware found on the Democ­rats’ servers might have itself been hacked. When the same IP address shows up in two sep­a­rate high pro­file hacks, and that IP address hap­pens to be made pub­licly avail­able dur­ing the time between the two hacks, that either points towards a set up job, hack­ers try­ing to get caught, or incred­i­bly incom­pe­tent hack­ers who did­n’t want to be caught and acci­den­tal­ly left a mas­sive clue.

    Beyond that, in March of 2017, a secu­ri­ty researcher at Mal­ware­bytes wrote about how X‑Agent source code appears to be based on hack­ing code cre­at­ed by “Hack­ing Team”, the Italy-based legal hack­ing enti­ty that sold pow­er­ful hack­ing tools to gov­ern­ments around the world, includ­ing Rus­sia. In oth­er words, not only was the X‑Agent code like­ly ‘in the wild’ at the time of the hack, but ver­sions of it may have actu­al­ly been sold to gov­ern­ments around the world for years. That’s why the cen­tral role X‑Agent alleged­ly played in both car­ry­ing out the hack and attribut­ing that hack to the Russ­ian gov­ern­ment was always a ‘WTF’ aspect of the entire inves­ti­ga­tion. If the GRU real­ly was using X‑Agent and NOT try­ing to get caught it would have been a mis­take of stun­ning pro­por­tions.

    And yet much of the new indict­ment describes a focus by the GRU on devel­op­ing, test­ing, and deploy­ing X‑Agent. So while there are cer­tain­ly many sub­stan­tive details in the indict­ment, a large num­ber of those details turn out to be the kind of details that increase the argu­ment that the GRU was either incred­i­bly incom­pe­tent or try­ing to get caught. The inex­plic­a­ble X‑Agent angle does­n’t leave too many oth­er plau­si­ble expla­na­tions.

    But that’s also all why the spe­cif­ic details in this indict­ment about GRU offi­cers work­ing on X‑Agent are actu­al­ly quite cru­cial for Mueller’s case: The Crowd­strike argu­ment that the pres­ence of X‑Agent on the Democ­rats’ servers point­ed the fin­ger at Rus­sia was always a bad argu­ment and an exam­ple of the dan­gers of rely­ing on pat­tern recog­ni­tion for attri­bu­tion in the cyber-realm. And if X‑Agent was nev­er actu­al­ly exclu­sive to Russ­ian gov­ern­ment hack­ers, pro­vid­ing evi­dence that Russ­ian gov­ern­ment hack­ers specif­i­cal­ly deployed X‑Agent in this hack was actu­al­ly quite cru­cial to Mueller’s case. This indict­ment pur­ports to show exact­ly that.

    At this point it's a collection of assertions about GRU agents carrying out the specific actions known to be done by whoever carried out the hacks and the release of the documents. Assertions that make the GRU appear extremely competent at evading CrowdStrike's counter-intrusion specialists but really incompetent at the 'covering your tracks' angle and/or really interested in getting credit:

    The Dai­ly Beast

    Russ­ian Hack­ers Kept DNC Back­door Longer Than Any­one Knew
    The Democ­rats swore in the sum­mer of 2016 that they had ban­ished all out­side intru­sions from their net­works. They were wrong.

    Kevin Poulsen
    07.13.18 10:00 PM ET

    The indict­ment Fri­day of 12 Russ­ian mil­i­tary offi­cers for the elec­tion hacks against the DNC and Hillary Clinton’s cam­paign lends a sur­pris­ing new detail to the 2016 elec­tion inter­fer­ence time­line: The Kremlin’s hack­ers appar­ent­ly still main­tained a foothold in the DNC’s net­work four months after the Democ­rats announced that they’d locked the intrud­ers out.

    Until today, the sto­ry of the DNC hack end­ed prompt­ly on June 14, 2016, when the Democ­rats went pub­lic with the intru­sion in the pages of the Wash­ing­ton Post, and Crowd­strike, the secu­ri­ty firm hired to respond to the breach, pub­lished a detailed tech­ni­cal account.

    Today’s indict­ment con­firms every aspect of the DNC’s and Crowdstrike’s account, with one excep­tion. Both the DNC and Crowd­strike have said repeat­ed­ly that they went pub­lic only after expelling all the Russ­ian hack­ers.

    But buried in the new indict­ment is lan­guage sug­gest­ing that Crowd­strike missed a spot, and one com­put­er infect­ed with the GRU’s mal­ware “remained on the DNC net­work until in or around Octo­ber 2016.”

    If Mueller’s right, it rais­es the pos­si­bil­i­ty that the Rus­sians gath­ered months and months of addi­tion­al intel­li­gence on the DNC—right as the cam­paign was in its final, most impor­tant stretch. The hack­ers may have even had a front row seat on the DNC’s net­work that July, when Wik­ileaks pub­lished the hacked emails and the DNC was thrown into upheaval.

    The new indict­ment also rips the cov­ers off the hid­den work­ings of the GRU’s hack­ing appa­ra­tus, putting names, ranks and even street address­es to the elite com­put­er intru­sion unit that secu­ri­ty experts have known for a decade under monikers like “APT28” and “Fan­cy Bear.”

    Fancy Bear, as described by Mueller, is split between two departments within the GRU's Unit 26165. Boris Alekseevich Antonov, a major in the Russian military, controls the pointy end of the stick, heading the team of hackers that carry out Fancy Bear's network intrusions and signature spear phishing attacks. They craft the fake websites and bogus emails, gather information on their targets, and, once successful, deploy GRU's arsenal of custom malware.

    Lt. Col Sergey Mor­gachev alleged­ly over­sees the GRU’s geek squad, head­ing the depart­ment that codes the most infa­mous mal­ware on the Inter­net, like the back­door pro­grams X‑Agent and Sedreco, and the stealth VPN known as X‑Tunnel. That lat­ter group is also respon­si­ble for mon­i­tor­ing the mal­ware once it’s in place on a target’s net­work. They draw down the intel­li­gence haul and send it upstream into the Russ­ian mil­i­tary.

    Atop it all is the lead defen­dant in the indict­ment, Vik­tor Boriso­vich Netyk­sho, the alleged head of Unit 26165 and the man who over­saw the elec­tion inter­fer­ence cam­paign.

    The oper­a­tion began with Antonov’s hack­ers stag­ing a bulk phish­ing attack in March 2016 that tar­get­ed the Gmail accounts of more than 300 peo­ple affil­i­at­ed with the Clin­ton cam­paign and the Demo­c­ra­t­ic par­ty. It was this attack that claimed the GRU’s first big tro­phy, the entire Gmail archive for Clin­ton cam­paign chief John Podes­ta.

    The next month another phishing attack gave the GRU login credentials for the network of the Democratic Congressional Campaign Committee. A Fancy Bear hacker named Ivan Yermakov allegedly established a beachhead on the network on April 12th. The GRU began moving laterally, installing X‑Agents everywhere, capturing covert screenshots and monitoring DCCC workers' keystrokes as they typed in their passwords.

    Six days lat­er, they found a DCCC work­er who also had access to the DNC’s net­work. They used the worker’s pass­word to breach the DNC, where they were quick­ly siphon­ing giga­bytes of stolen data over X‑Tunnel to a leased serv­er in Illi­nois. By May they’d sat­u­rat­ed the DNC with X‑Agent implants and pen­e­trat­ed the Microsoft Exchange serv­er, where they sucked down the 40,000 DNC emails des­tined for Wik­ileaks.

    The GRU already had a plan lined up to release the stolen mate­r­i­al through a fake whistle­blow­er site. The first step in March was to use Bit­coin to sign up with a Russ­ian VPN provider, so they could anonymize their Inter­net con­nec­tion as they set up the infra­struc­ture for the leaks. They used the same Bit­coin wal­let to reg­is­ter the domain name dcleaks.com on April 19, and set up host­ing at a Malaysian serv­er farm nine days lat­er.

    But in May, before the GRU could exe­cute the faux whistle­blow­er leaks, the DCCC and the DNC fig­ured out they’d been hacked and brought in Crowd­strike. The week­end of June 11th, Crowd­strike moved to purge the DNC of the Fan­cy Bear infec­tion.

    Imme­di­ate­ly after­wards, the Wash­ing­ton Post sto­ry appeared, and Crowd­strike CTO Dmitri Alper­ovitch pub­lished a tech­ni­cal account of the breach that left lit­tle room for doubt that Rus­sia was behind the hacks. The blog post also ran down a list of the mal­ware used in the intru­sions, includ­ing the GRU’s sig­na­ture back­door pro­gram X‑Agent.

    The indict­ment, though, rais­es the first doubts that the purge was a com­plete suc­cess.

    “By in or around June 2016, [Crowd­strike] took steps to exclude intrud­ers from the net­works,” the indict­ment reads. “Despite these efforts, a Lin­ux-based ver­sion of X‑Agent, pro­grammed to com­mu­ni­cate with the GRU-reg­is­tered domain linuxkrnl[.]net, remained on the DNC net­work until in or around Octo­ber 2016.”

    The ref­er­ence to the com­mand-and-con­trol serv­er “linuxkrnl[.]net” is note­wor­thy for its com­plete absence from Crowdstrike’s blog post. The company’s report list­ed three com­mand-and-con­trol servers used by the GRU to con­trol their DNC mal­ware, and that domain name was not on the list, and has nev­er been pub­licly linked before to Fan­cy Bear. It’s unclear whether Crowd­strike omit­ted it, or nev­er dis­cov­ered it.

    Mueller's assertion that the hacking tools persisted for months on the Democrats' networks roughly matches former interim DNC chief Donna Brazile's account in her book, Hacks: The Inside Story of the Break-Ins and Breakdowns that Put Donald Trump in the White House. In it, she wrote that "the intruders had been sitting in our voter data files for months" after their supposed ouster.

    Crowd­strike referred the Dai­ly Beast’s inquiry to the DNC, which acknowl­edged the lin­ger­ing X‑Agent infec­tion, but said it wasn’t a threat, and nev­er made con­tact with the GRU.

    “This Lin­ux based ver­sion of X‑agent mal­ware was a rem­nant of the orig­i­nal hack and had been quar­an­tined dur­ing the reme­di­a­tion process in June 2016,” said Adri­enne Wat­son, the DNC’s deputy com­mu­ni­ca­tions direc­tor. “While pro­grammed to com­mu­ni­cate with a GRU-reg­is­tered domain, we do not have any infor­ma­tion to sug­gest that it suc­cess­ful­ly com­mu­ni­cat­ed, exfil­trat­ed data, cor­rupt­ed our new­ly built sys­tems, or breached our vot­er file fol­low­ing the reme­di­a­tion process.”

    At least one secu­ri­ty expert says the DNC’s answer is plau­si­ble. “You usu­al­ly don’t remove all adver­sary com­po­nents until you’re sure they’re out in all oth­er means,” says Ser­gio Cal­t­a­girone, direc­tor of threat intel­li­gence at Dra­gos. “These things can go on for a long time.”

    What’s cer­tain is that when the DNC and Crowd­strike went pub­lic on June 14, Fan­cy Bear was caught off guard. The GRU’s whistle­blow­er nar­ra­tive was still in the can, and the truth about Russia’s attack was in all the news­pa­pers.

    “In response, the Con­spir­a­tors cre­at­ed the online per­sona Guc­cifer 2.0, and false­ly claimed to be a lone Roman­ian hack­er to under­mine the alle­ga­tions of Russ­ian respon­si­bil­i­ty for the intru­sion,” accord­ing to Mueller’s indict­ment.

    Managing the Guccifer persona fell to a completely different group in a separate GRU facility called Unit 74455, which appears from the indictment to serve as a more-sophisticated version of the Internet Research Agency, maintaining fake social media profiles to extend Russia's covert influence around the world.

    Guc­cifer 2.0 claimed that he, and he alone, was respon­si­ble for the DNC breach. The intel­li­gence com­mu­ni­ty and secu­ri­ty experts weren’t fooled, but oth­ers were. Helped by Trump advis­er Roger Stone and oth­er high-pro­file fig­ures, Unit 74455 man­aged to sow doubt on the mar­gins about Russia’s involve­ment in the elec­tion hacks.

    ...

    ———-

    “Russ­ian Hack­ers Kept DNC Back­door Longer Than Any­one Knew” by Kevin Poulsen; The Dai­ly Beast; 07/13/2018

    “The indict­ment Fri­day of 12 Russ­ian mil­i­tary offi­cers for the elec­tion hacks against the DNC and Hillary Clinton’s cam­paign lends a sur­pris­ing new detail to the 2016 elec­tion inter­fer­ence time­line: The Kremlin’s hack­ers appar­ent­ly still main­tained a foothold in the DNC’s net­work four months after the Democ­rats announced that they’d locked the intrud­ers out.

    While there's been no shortage of new details as the #TrumpRussia investigation unfolds, not all new details are equal, and learning that the hackers may have maintained a foothold on the Democrats' network for months after Crowdstrike assured the world that the infection was purged is quite a significant new detail. Maybe. If the hackers had access to the Democrats' network through October of 2016 that would have given the Trump campaign and GOP potentially extremely valuable real-time campaign information. But it's said that only one computer remained infected until October 2016 so it's possible that computer didn't yield much useful information. It's also possible that computer had access to an abundance of information, especially if it could access the broader DNC network. At this point we don't know:

    ...
    Until today, the sto­ry of the DNC hack end­ed prompt­ly on June 14, 2016, when the Democ­rats went pub­lic with the intru­sion in the pages of the Wash­ing­ton Post, and Crowd­strike, the secu­ri­ty firm hired to respond to the breach, pub­lished a detailed tech­ni­cal account.

    Today’s indict­ment con­firms every aspect of the DNC’s and Crowdstrike’s account, with one excep­tion. Both the DNC and Crowd­strike have said repeat­ed­ly that they went pub­lic only after expelling all the Russ­ian hack­ers.

    But buried in the new indict­ment is lan­guage sug­gest­ing that Crowd­strike missed a spot, and one com­put­er infect­ed with the GRU’s mal­ware “remained on the DNC net­work until in or around Octo­ber 2016.”

    If Mueller’s right, it rais­es the pos­si­bil­i­ty that the Rus­sians gath­ered months and months of addi­tion­al intel­li­gence on the DNC—right as the cam­paign was in its final, most impor­tant stretch. The hack­ers may have even had a front row seat on the DNC’s net­work that July, when Wik­ileaks pub­lished the hacked emails and the DNC was thrown into upheaval.
    ...

    The DNC, how­ev­er, assures us that the lin­ger­ing X‑Agent infec­tion was quar­an­tined and harm­less. Which is pos­si­ble:

    ...
    Crowdstrike referred the Daily Beast’s inquiry to the DNC, which acknowledged the lingering X‑Agent infection, but said it wasn’t a threat, and never made contact with the GRU.

    “This Linux based version of X‑agent malware was a remnant of the original hack and had been quarantined during the remediation process in June 2016,” said Adrienne Watson, the DNC’s deputy communications director. “While programmed to communicate with a GRU-registered domain, we do not have any information to suggest that it successfully communicated, exfiltrated data, corrupted our newly built systems, or breached our voter file following the remediation process.”

    At least one security expert says the DNC’s answer is plausible. “You usually don’t remove all adversary components until you’re sure they’re out in all other means,” says Sergio Caltagirone, director of threat intelligence at Dragos. “These things can go on for a long time.”
    ...

    And yet Donna Brazile wrote in her book that the hackers were sitting on the DNC’s voter files for months after their supposed ouster. So if they had access to DNC voter files, that’s potentially some of the most useful information they could have had at that point in the campaign. Especially for micro-targeting applications:

    ...
    Mueller’s assertion that the hacking tools persisted for months on the Democrats’ networks roughly matches former interim DNC chief Donna Brazile’s account in her book, Hacks: The Inside Story of the Break-Ins and Breakdowns that Put Donald Trump in the White House. In it, she wrote that “the intruders had been sitting in our voter data files for months” after their supposed ouster.
    ...

    So that will be something to watch as more information comes out. Especially because, while the DNC hack story has largely focused on the release of Democratic Party emails, there was undoubtedly plenty of information gathered that would be best exploited quietly and not plastered on the internet. Like DNC voter information.

    But the biggest overall revelation in this indictment is the naming of names and roles within the two GRU units that purportedly pulled off the hack. At least, it’s a revelation assuming there is indeed conclusive evidence implicating these individuals and it’s not just prosecutorial assertions:

    ...
    The new indictment also rips the covers off the hidden workings of the GRU’s hacking apparatus, putting names, ranks and even street addresses to the elite computer intrusion unit that security experts have known for a decade under monikers like “APT28” and “Fancy Bear.”

    Fancy Bear, as described by Mueller, is split between two departments within the GRU’s Unit 26165. Boris Alekseevich Antonov, a major in the Russian military, controls the pointy end of the stick, heading the team of hackers that carry out Fancy Bear’s network intrusions and signature spear phishing attacks. They craft the fake websites and bogus emails, gather information on their targets, and, once successful, deploy GRU’s arsenal of custom malware.

    Lt. Col Sergey Morgachev allegedly oversees the GRU’s geek squad, heading the department that codes the most infamous malware on the Internet, like the backdoor programs X‑Agent and Sedreco, and the stealth VPN known as X‑Tunnel. That latter group is also responsible for monitoring the malware once it’s in place on a target’s network. They draw down the intelligence haul and send it upstream into the Russian military.

    Atop it all is the lead defendant in the indictment, Viktor Borisovich Netyksho, the alleged head of Unit 26165 and the man who oversaw the election interference campaign.
    ...

    Adding to the ‘wow’ factor of the indictment is how much emphasis there was on the X‑Agent malware. Of course, a big part of that ‘wow’ factor is due to the fact that the X‑Agent malware was one of the most conspicuous and appalling ‘I’m a Russian hacker’ clues left by the hackers. One of the big obvious questions about the hack from the very beginning was the general question of whether Russian government hackers could really be that stupid, or were trying to get caught...or whether it was someone else trying to make it look like Russian hackers. And according to this indictment, this GRU team did choose X‑Agent as their primary malware for carrying out the attack (which still leaves the ‘stupid or trying to get caught’ question unaddressed):

    ...
    The operation began with Antonov’s hackers staging a bulk phishing attack in March 2016 that targeted the Gmail accounts of more than 300 people affiliated with the Clinton campaign and the Democratic party. It was this attack that claimed the GRU’s first big trophy, the entire Gmail archive for Clinton campaign chief John Podesta.

    The next month another phishing attack gave the GRU login credentials for the network of the Democratic Congressional Campaign Committee. A Fancy Bear hacker named Ivan Yermakov allegedly established a beachhead on the network on April 12th. The GRU began moving laterally, installing X‑Agents everywhere, capturing covert screenshots and monitoring DCCC workers’ keystrokes as they typed in their passwords.

    Six days later, they found a DCCC worker who also had access to the DNC’s network. They used the worker’s password to breach the DNC, where they were quickly siphoning gigabytes of stolen data over X‑Tunnel to a leased server in Illinois. By May they’d saturated the DNC with X‑Agent implants and penetrated the Microsoft Exchange server, where they sucked down the 40,000 DNC emails destined for Wikileaks.
    ...

    Beyond the specifics on the malware, the indictment included quite a bit of information on how the infrastructure used in the hack (servers, VPNs) was paid for: with bitcoins, of course. And US investigators appear to have quite a bit of information on those Bitcoin transactions, including the Bitcoin wallet used to purchase the dcleaks.com domain. According to investigators, the initial GRU plan was to use a fake whistleblower persona and the dcleaks.com website to distribute the hacked materials, but they were taken by surprise by the June announcement by Crowdstrike and the Democrats that they had concluded that the DNC was hacked and Russian hackers were the culprits. The alleged exclusivity of X‑Agent was one of the key pieces of evidence used for that early attribution:

    ...
    The GRU already had a plan lined up to release the stolen material through a fake whistleblower site. The first step in March was to use Bitcoin to sign up with a Russian VPN provider, so they could anonymize their Internet connection as they set up the infrastructure for the leaks. They used the same Bitcoin wallet to register the domain name dcleaks.com on April 19, and set up hosting at a Malaysian server farm nine days later.

    But in May, before the GRU could execute the faux whistleblower leaks, the DCCC and the DNC figured out they’d been hacked and brought in Crowdstrike. The weekend of June 11th, Crowdstrike moved to purge the DNC of the Fancy Bear infection.

    Immediately afterwards, the Washington Post story appeared, and Crowdstrike CTO Dmitri Alperovitch published a technical account of the breach that left little room for doubt that Russia was behind the hacks. The blog post also ran down a list of the malware used in the intrusions, including the GRU’s signature backdoor program X‑Agent.
    ...

    The indictment makes no mention of the command-and-control server with the 176.31.112.10 IP address, the same IP address found in the Bundestag hack malware, which was highly suspicious. But it does mention a previously unknown command-and-control server address, linuxkrnl[.]net. And the fact that the malware that remained on the Democrats’ network until October of 2016 was configured to communicate with this linuxkrnl[.]net server, and the fact that Crowdstrike never mentioned this in its initial blog post, suggests that Crowdstrike didn’t actually find the malware during the initial purge, which is in keeping with what Donna Brazile wrote in her book about the hackers having access to the Democrats’ voter files months after the malware was allegedly removed:

    ...
    The indictment, though, raises the first doubts that the purge was a complete success.

    “By in or around June 2016, [Crowdstrike] took steps to exclude intruders from the networks,” the indictment reads. “Despite these efforts, a Linux-based version of X‑Agent, programmed to communicate with the GRU-registered domain linuxkrnl[.]net, remained on the DNC network until in or around October 2016.”

    The reference to the command-and-control server “linuxkrnl[.]net” is noteworthy for its complete absence from Crowdstrike’s blog post. The company’s report listed three command-and-control servers used by the GRU to control their DNC malware, and that domain name was not on the list, and has never been publicly linked before to Fancy Bear. It’s unclear whether Crowdstrike omitted it, or never discovered it.
    ...

    The indictment also asserts that the creation of the “Guccifer 2.0” persona was a hasty, forced response to the June 2016 reports about the DNC hack that fingered the Russians. And it was Unit 74455 that was tasked with putting together the Guccifer 2.0 persona to try to take the blame off of the Russian government:

    ...
    What’s certain is that when the DNC and Crowdstrike went public on June 14, Fancy Bear was caught off guard. The GRU’s whistleblower narrative was still in the can, and the truth about Russia’s attack was in all the newspapers.

    “In response, the Conspirators created the online persona Guccifer 2.0, and falsely claimed to be a lone Romanian hacker to undermine the allegations of Russian responsibility for the intrusion,” according to Mueller’s indictment.

    Managing the Guccifer persona fell to a completely different group in a separate GRU facility called Unit 74455, which appears from the indictment to serve as a more-sophisticated version of the Internet Research Agency, maintaining fake social media profiles to extend Russia’s covert influence around the world.

    Guccifer 2.0 claimed that he, and he alone, was responsible for the DNC breach. The intelligence community and security experts weren’t fooled, but others were. Helped by Trump adviser Roger Stone and other high-profile figures, Unit 74455 managed to sow doubt on the margins about Russia’s involvement in the election hacks.
    ...

    Recall that one of the initial clues that Guccifer 2.0 wasn’t actually a lone Romanian hacker was the fact that the Guccifer 2.0 persona didn’t actually talk like a Romanian. So if Unit 74455, the GRU’s crack team for social media influence operations, was unable to come up with a persona that actually spoke fluent Romanian, that’s a pretty horrible crack team. But that’s what the Mueller indictment specifically says happened.

    So as we can see, the indictment purports to answer a number of questions that have been swirling around the investigation, while leaving a number of open questions. And the question of “why would the Russians be so utterly incompetent” remains unasked entirely. But the indictment does raise one very massive new question, and it’s a question the Russian government must be asking itself rather earnestly at this point: did the US hack the GRU?

    Bloomberg Opinion

    Russia Hacker Indictments Should Make the Kremlin Squirm

    Mueller’s knowledge of individual Russian intelligence officers should make the Kremlin uncomfortable.

    By Leonid Bershidsky
    July 16, 2018, 8:05 AM CDT

    The real bombshell in Special Counsel Robert Mueller’s latest indictment is the investigators’ apparent ability to link specific actions, such as searches and technical queries, to specific officers of the GRU, Russia’s military intelligence service. By making these connections, Mueller’s team has made an enormous leap from the U.S. intelligence community’s previous disclosures. They draw the first straight line from the hacking and spearphishing of U.S. Democrats to the Russian government — and pose some further questions for the media and the public to ask about this bizarre affair.

    The indictment blames the Democratic National Committee hack and the spearphishing of Clinton campaign chairman John Podesta on Military Unit 26165, located at Komsomolsky Prospekt 20 in Moscow — in former hussar barracks which also house the Russian Defense Ministry’s Military University. Another military unit, 74445, allegedly only helped maintain the infrastructure and helped distribute the stolen data.

    Unit 26165 is a highbrow one: It does cryptography for the GRU, and many of its officers are mathematicians and computer programmers. Its commander until January 2018, Viktor Netyksho, named in the indictment, is a mathematician and neural network expert. Netyksho’s predecessor, Sergey Gizunov, received a prestigious government prize for technological innovation; he is now deputy head of the GRU.

    It’s plausible that Unit 26165 could have taken part in cyberattacks on the Democrats. The Russian investigative site The Insider, also known for unmasking GRU officers involved in Russia’s hybrid war in eastern Ukraine, discovered that Georgy Roshka, one of the unit’s officers, was involved in hacking French President Emmanuel Macron’s election campaign in the spring of 2017. Roshka’s name showed up in the metadata of several financial documents stolen from the campaign — a slip-up that allowed The Insider to trace the name to Unit 26165 by analyzing participant lists of a secretive regular conference called Parallel Computing Technologies.

    No similar slip-ups took place during the Democratic National Committee hack or the theft of Podesta’s emails. While researchers found Russian language traces in metadata, they did not include any of the 12 names listed in the Mueller indictment. But Mueller appears to know which one of them performed which specific task linked to the hacks.

    The indictment says, for example, that Nikolai Kozachek, a “lieutenant captain” (a non-existent rank in the Russian army so perhaps this is roughly translated into the American equivalent), developed X‑Agent, the malware used to hack the DNC network, with the help of other officers, including Pavel Yershov. It says that Lieutenant Colonel Sergey Morgachev oversaw the development and that “Second Lieutenant” (another non-existent rank) Artem Malyshev monitored the specific installation of X‑Agent at the DNC. It identifies Senior Lieutenant Aleksey Lukashev as the person who spearphished Podesta. It says Ivan Yermakov (rank not specified) ran specific technical queries to research the DNC’s computer network.

    This level of detail is a major leap from the U.S. intelligence community’s January 2017 assessment concerning Russian interference in the 2016 election. That document merely said the GRU “probably began cyber operations aimed at the U.S. election by March 2016,” penetrated the Democrats’ networks and stole their documents. There is no longer any “probably” to the specific description of the GRU operation.

    How were investigators able to get the real names and ranks (such as they are) of people behind specific actions? One possibility is that the U.S. had a mole within the GRU, who had to be protected until last Friday, so U.S. intelligence didn’t release the specifics or even hint at them before. In that case, which would suggest a recent defection, we may only find out what happened years from now — or earlier, if either the Russian or the U.S. side leaks.

    Another scenario is that the U.S. or an ally penetrated the GRU network and watched the operation in real time. In January, Dutch journalists reported that the Dutch intelligence agency AIVD managed to hack into the network of a Russian government-connected hacking group located in a “university building next to Red Square in Moscow,” and watched it launch an attack on the DNC; it even identified the group’s members by watching the feed from a security camera in their space. Unit 26165 is, indeed, located in a university building (though not next to Red Square), but the Dutch scoop pointed to a different hacking group, APT-28 or Cozy Bear, linked to the SVR, Russia’s foreign intelligence, not to the GRU.

    The Dutch story, however, also contained this tidbit: “According to one American source, in late 2015, the NSA hackers manage to penetrate the mobile devices of several high ranking Russian intelligence officers. They learn that right before a hacking attack, the Russians search the internet for any news about the oncoming attack.” This could explain the level of detail in the indictment.

    If, however, the U.S. or its allies watched the attacks in real time, it’s not clear why the GRU was allowed to steal and distribute the Democrats’ information without the U.S. government’s interfering. Was the information the U.S. was receiving about the GRU’s methods so valuable that any effect the hacks could have had on the campaign were of secondary importance to U.S. intelligence? Were the campaigns, Democratic and Republican ones, briefed as U.S. intelligence watched the Russian hacking operation unfold? Was the Obama administration briefed? These questions arise inevitably if one believes the hacks were monitored.

    ...

    ———-

    “Russia Hacker Indictments Should Make the Kremlin Squirm” by Leonid Bershidsky; Bloomberg Opinion; 07/16/2018

    “The real bombshell in Special Counsel Robert Mueller’s latest indictment is the investigators’ apparent ability to link specific actions, such as searches and technical queries, to specific officers of the GRU, Russia’s military intelligence service. By making these connections, Mueller’s team has made an enormous leap from the U.S. intelligence community’s previous disclosures. They draw the first straight line from the hacking and spearphishing of U.S. Democrats to the Russian government — and pose some further questions for the media and the public to ask about this bizarre affair.”

    As Leonid Bershidsky puts it, the biggest bombshell in this new indictment is all the details. The ability to link actions like web searches to specific GRU officers hints at the possibility that the GRU was, itself, hacked and monitored as the hacks were carried out.

    Bershidsky then reminds us of one of the most inexplicably stupid alleged hacking mistakes of the GRU as additional evidence that the GRU’s Unit 26165 was directly involved in the hacks: the name of a Russian employee of a company believed to contract with the Russian intelligence services was found in the metadata of one of the documents released in the Macron hack in the lead-up to the 2017 French elections (also recall that the release of those hacked documents was tracked back to US neo-Nazi Andrew ‘weev’ Auernheimer). And as Bershidsky notes, that same Russian employee, Georgy Roshka/Roshka Georgiy Petrovich, was identified as an officer of Unit 26165 by the Russian investigative site The Insider:

    ...
    It’s plausible that Unit 26165 could have taken part in cyberattacks on the Democrats. The Russian investigative site The Insider, also known for unmasking GRU officers involved in Russia’s hybrid war in eastern Ukraine, discovered that Georgy Roshka, one of the unit’s officers, was involved in hacking French President Emmanuel Macron’s election campaign in the spring of 2017. Roshka’s name showed up in the metadata of several financial documents stolen from the campaign — a slip-up that allowed The Insider to trace the name to Unit 26165 by analyzing participant lists of a secretive regular conference called Parallel Computing Technologies.
    ...

    And the fact that Georgy Roshka wasn’t known to be a member of Unit 26165 until after his name showed up in the metadata is quite notable. Because if Georgy Roshka really did accidentally leave his name in the metadata of the Macron files, that’s just a stunning mistake. But, on the other hand, if his name was planted in those documents, that would suggest that whoever did the planting had knowledge of Unit 26165 membership. So, given that neo-Nazi Andrew ‘weev’ Auernheimer appeared to be involved in the distribution of those hacked documents, if he was working with the GRU it would suggest it was the GRU who modified the documents and then gave them to Auernheimer to distribute. But if he wasn’t working with the GRU, it suggests he was working with a group that has knowledge of Unit 26165 membership. That’s all worth keeping in mind.

    Bershidsky goes on to point out the surprising level of detail the Mueller team apparently has about who did what, while noting the ranks for these GRU members listed in the indictment aren’t actually real Russian army ranks (presumably the ranks were effectively translated to American military ranks?):

    ...
    No similar slip-ups took place during the Democratic National Committee hack or the theft of Podesta’s emails. While researchers found Russian language traces in metadata, they did not include any of the 12 names listed in the Mueller indictment. But Mueller appears to know which one of them performed which specific task linked to the hacks.

    The indictment says, for example, that Nikolai Kozachek, a “lieutenant captain” (a non-existent rank in the Russian army so perhaps this is roughly translated into the American equivalent), developed X‑Agent, the malware used to hack the DNC network, with the help of other officers, including Pavel Yershov. It says that Lieutenant Colonel Sergey Morgachev oversaw the development and that “Second Lieutenant” (another non-existent rank) Artem Malyshev monitored the specific installation of X‑Agent at the DNC. It identifies Senior Lieutenant Aleksey Lukashev as the person who spearphished Podesta. It says Ivan Yermakov (rank not specified) ran specific technical queries to research the DNC’s computer network.

    This level of detail is a major leap from the U.S. intelligence community’s January 2017 assessment concerning Russian interference in the 2016 election. That document merely said the GRU “probably began cyber operations aimed at the U.S. election by March 2016,” penetrated the Democrats’ networks and stole their documents. There is no longer any “probably” to the specific description of the GRU operation.
    ...

    He then asks the obvious question: so how did the US obtain this level of detail about the hacking operation? Did it come from a mole inside the Russian government? Or was the GRU already hacked and being watched during the hacking operation? Bershidsky then recalls the remarkable report from February about how Dutch government hackers had apparently hacked Cozy Bear (the FSB hackers) and actually observed the online searches high-ranking Russian intelligence officers made, and notes that the Mueller indictment also included online searches attributed to GRU officers. So were both the FSB and GRU hacking teams hacked?

    ...
    How were investigators able to get the real names and ranks (such as they are) of people behind specific actions? One possibility is that the U.S. had a mole within the GRU, who had to be protected until last Friday, so U.S. intelligence didn’t release the specifics or even hint at them before. In that case, which would suggest a recent defection, we may only find out what happened years from now — or earlier, if either the Russian or the U.S. side leaks.

    Another scenario is that the U.S. or an ally penetrated the GRU network and watched the operation in real time. In January, Dutch journalists reported that the Dutch intelligence agency AIVD managed to hack into the network of a Russian government-connected hacking group located in a “university building next to Red Square in Moscow,” and watched it launch an attack on the DNC; it even identified the group’s members by watching the feed from a security camera in their space. Unit 26165 is, indeed, located in a university building (though not next to Red Square), but the Dutch scoop pointed to a different hacking group, APT-28 or Cozy Bear, linked to the SVR, Russia’s foreign intelligence, not to the GRU.

    The Dutch story, however, also contained this tidbit: “According to one American source, in late 2015, the NSA hackers manage to penetrate the mobile devices of several high ranking Russian intelligence officers. They learn that right before a hacking attack, the Russians search the internet for any news about the oncoming attack.” This could explain the level of detail in the indictment.
    ...

    Bershidsky then asks the obvious follow-up question: if the GRU was indeed hacked and watched in real time by US intelligence agencies or their allies, why was the GRU allowed to carry out these attacks without the Democrats being informed about it?

    ...
    If, however, the U.S. or its allies watched the attacks in real time, it’s not clear why the GRU was allowed to steal and distribute the Democrats’ information without the U.S. government’s interfering. Was the information the U.S. was receiving about the GRU’s methods so valuable that any effect the hacks could have had on the campaign were of secondary importance to U.S. intelligence? Were the campaigns, Democratic and Republican ones, briefed as U.S. intelligence watched the Russian hacking operation unfold? Was the Obama administration briefed? These questions arise inevitably if one believes the hacks were monitored.
    ...

    This is a question that the Mueller indictment makes more relevant, because when you read the chronology of the hacks found in the indictment it’s clear that the hacking of the Democrats was a multi-stage event. As we saw in the first article, the first hack took place in March of 2016 when John Podesta’s email got hacked. It was in April that a DCCC employee got hacked, with the DNC hack taking place almost a week later. So if the GRU was being watched this whole time, there were plenty of opportunities to warn the Democrats that they were once again being hacked (recall the inexplicable seven-month delay in the FBI warning the Democrats about the Cozy Bear hack of 2015).

    Along those lines, it’s worth keeping in mind the report from August of 2016 about how some members of Congress had known about the initial 2015 hack (the ‘Cozy Bear’ hack) of the DNC for over a year as of August 2016, and the reason the Democratic Party was never informed was the highly sensitive nature of the intelligence. So if it really was the case that the GRU was hacked by the US or its allies, it would appear that US policy is to err on the side of watching and not doing anything that would tip off the hackers.

    But, again, that’s all assuming that the stunning level of detail in this indictment actually reflects real evidence the US government possesses, rather than just being a series of assertions about what the Mueller team thinks happened. And at this point we have no idea, even for the assertions that are quite specific, with the notable exception of the Moscow-based server searches of the Guccifer 2.0 phrases. We don’t know if the underlying evidence is simply that a computer assumed to be used by a specific GRU officer was used to make a search, or if the evidence is convincingly linked back to that GRU officer’s computers.

    Alright, now let’s take a look at the actual indictment. Be sure to note the extensive references to the X‑Agent malware. X‑Agent, said by CrowdStrike to be exclusive to the GRU (even though that doesn’t appear to be true), was central to the technical execution of the hack. And the story of the GRU officers developing, testing, deploying, and managing X‑Agent is central to the indictment. But the key piece of evidence is in paragraph 41, which states that someone at a Moscow-based server known to be managed by the GRU made searches of phrases that showed up in Guccifer 2.0’s first message to the world:

    IN THE UNITED STATES DISTRICT COURT
    FOR THE DISTRICT OF COLUMBIA

    CRIMINAL NO.
    (18 U.S.C. 2, 1956,
    and 3551 et seq.)

    UNITED STATES OF AMERICA
    v.

    VIKTOR BORISOVICH NETYKSHO,
    BORIS ALEKSEYEVICH ANTONOV,
    DMITRIY SERGEYEVICH BADIN,
    IVAN SERGEYEVICH YERMAKOV,
    ALEKSEY VIKTOROVICH LUKASHEV,
    SERGEY ALEKSANDROVICH MORGACHEV,
    NIKOLAY YURYEVICH KOZACHEK,
    PAVEL VYACHESLAVOVICH YERSHOV,
    ARTEM ANDREYEVICH MALYSHEV,
    ALEKSANDR VLADIMIROVICH OSADCHUK,
    ALEKSEY ALEKSANDROVICH POTEMKIN, and
    ANATOLIY SERGEYEVICH KOVALEV,

    Defendants.

    [Court stamp: JUL 13 2018, Clerk, U.S. District & Bankruptcy Courts for the District of Columbia]

    *******

    INDICTMENT

    The Grand Jury for the District of Columbia charges:

    COUNT ONE
    (Conspiracy to Commit an Offense Against the United States)

    1. In or around 2016, the Russian Federation (“Russia”) operated a military intelligence agency called the Main Intelligence Directorate of the General Staff (“GRU”). The GRU had multiple units, including Units 26165 and 74455, engaged in cyber operations that involved the staged releases of documents stolen through computer intrusions. These units conducted large-scale cyber operations to interfere with the 2016 U.S. presidential election.

    2. Defendants VIKTOR BORISOVICH NETYKSHO, BORIS ALEKSEYEVICH ANTONOV, DMITRIY SERGEYEVICH BADIN, IVAN SERGEYEVICH YERMAKOV, ALEKSEY VIKTOROVICH LUKASHEV, SERGEY ALEKSANDROVICH MORGACHEV, NIKOLAY YURYEVICH KOZACHEK, PAVEL VYACHESLAVOVICH YERSHOV, ARTEM ANDREYEVICH MALYSHEV, ALEKSANDR VLADIMIROVICH OSADCHUK, and ALEKSEY ALEKSANDROVICH POTEMKIN were GRU officers who knowingly and intentionally conspired with each other, and with persons known and unknown to the Grand Jury (collectively the “Conspirators”), to gain unauthorized access (to “hack”) into the computers of U.S. persons and entities involved in the 2016 U.S. presidential election, steal documents from these computers, and stage releases of the stolen documents to interfere with the 2016 U.S. presidential election.

    3. Start­ing in at least March 2016, the Con­spir­a­tors used a vari­ety of means to hack the email
    accounts of Vol­un­teers and employ­ees of the U.S. pres­i­den­tial cam­paign of Hillary Clin­ton (the
    “Clin­ton Cam­paign”), includ­ing the email account of the Clin­ton Cam­paign’s chair­man.

    4. By in or around April 2016, the Conspirators also hacked into the computer networks of
    the Democratic Congressional Campaign Committee (“DCCC”) and the Democratic National
    Committee (“DNC”). The Conspirators covertly monitored the computers of dozens of DCCC
    and DNC employees, implanted hundreds of files containing malicious computer code
    (“malware”), and stole emails and other documents from the DCCC and DNC.

    5. By in or around April 2016, the Conspirators began to plan the release of materials stolen
    from the Clinton Campaign, DCCC, and DNC.

    6. Beginning in or around June 2016, the Conspirators staged and released tens of thousands
    of the stolen emails and documents. They did so using fictitious online personas, including
    “DCLeaks” and “Guccifer 2.0.”

    7. The Conspirators also used the Guccifer 2.0 persona to release additional stolen documents
    through a website maintained by an organization (“Organization 1”), that had previously posted
    documents stolen from U.S. persons, entities, and the U.S. government. The Conspirators
    continued their U.S. election-interference operations through in or around November 2016.

    8. To hide their connections to Russia and the Russian government, the Conspirators used
    false identities and made false statements about their identities. To further avoid detection, the
    Conspirators used a network of computers located across the world, including in the United States,
    and paid for this infrastructure using cryptocurrency.

    Defendants

    9. Defendant VIKTOR BORISOVICH (Нетыкшо Виктор Борисович) was
    the Russian military officer in command of Unit 26165, located at 20 Komsomolskiy Prospekt,
    Moscow, Russia. Unit 26165 had primary responsibility for hacking the DCCC and DNC, as well
    as the email accounts of individuals affiliated with the Clinton Campaign.

    10. Defendant BORIS ALEKSEYEVICH ANTONOV (Антонов Борис Алексеевич) was a
    Major in the Russian military assigned to Unit 26165. ANTONOV oversaw a department within
    Unit 26165 dedicated to targeting military, political, governmental, and non-governmental
    organizations with spearphishing emails and other computer intrusion activity. ANTONOV held
    the title “Head of Department.” In or around 2016, ANTONOV supervised other co-conspirators
    who targeted the DNC, and individuals affiliated with the Clinton Campaign.

    11. Defendant DMITRIY SERGEYEVICH BADIN (Бадин Дмитрий Сергеевич) was a
    Russian military officer assigned to Unit 26165 who held the title “Assistant Head of Department.”
    In or around 2016, BADIN, along with ANTONOV, supervised other co-conspirators who targeted
    the DNC, and individuals affiliated with the Clinton Campaign.

    12. Defendant IVAN SERGEYEVICH YERMAKOV (Ермаков Иван Сергеевич) was a
    Russian military officer assigned to a department within Unit 26165. Since in or
    around 2010, YERMAKOV used various online personas, including “Kate S. Milton,” “James
    McMorgans,” and “Karen W. Millen,” to conduct hacking operations on behalf of Unit 26165. In
    or around March 2016, YERMAKOV participated in hacking at least two email accounts from
    which campaign-related documents were released through DCLeaks. In or around May 2016,
    YERMAKOV also participated in hacking the DNC email server and stealing DNC emails that
    were later released through Organization 1.

    13. Defendant ALEKSEY VIKTOROVICH LUKASHEV (Лукашев Алексей Викторович)
    was a Senior Lieutenant in the Russian military assigned to a department within Unit
    26165. LUKASHEV used various online personas, including “Den Katenberg” and “Yuliana
    Martynova.” In or around 2016, LUKASHEV sent spearphishing emails to members of the
    Clinton Campaign and affiliated individuals, including the chairman of the Clinton Campaign.

    14. Defendant SERGEY ALEKSANDROVICH MORGACHEV (Моргачев Сергей
    Александрович) was a Lieutenant Colonel in the Russian military assigned to Unit 26165.
    MORGACHEV oversaw a department within Unit 26165 dedicated to developing and managing
    malware, including a hacking tool used by the GRU known as “X-Agent.” During the hacking of
    the DCCC and DNC networks, MORGACHEV supervised the co-conspirators who developed and
    monitored the X-Agent malware implanted on those computers.

    15. Defendant NIKOLAY YURYEVICH KOZACHEK (Козачек Николай Юрьевич) was a
    Lieutenant Captain in the Russian military assigned to MORGACHEV’s department within Unit
    26165. KOZACHEK used a variety of monikers, including “kazak” and “blablabla1234565.”
    KOZACHEK developed, customized, and monitored X-Agent malware used to hack the DCCC
    and DNC networks beginning in or around April 2016.

    16. Defendant PAVEL VYACHESLAVOVICH YERSHOV (Ершов Павел Вячеславович)
    was a Russian military officer assigned to a department within Unit 26165. In or
    around 2016, YERSHOV assisted KOZACHEK and other co-conspirators in testing and
    customizing X-Agent malware before actual deployment and use.

    17. Defendant ARTEM ANDREYEVICH MALYSHEV (Малышев Артем Андреевич) was
    a Second Lieutenant in the Russian military assigned to MORGACHEV’s department within Unit
    26165. MALYSHEV used a variety of monikers, including “djangomagicdev” and “realblatr.” In
    or around 2016, MALYSHEV monitored X-Agent malware implanted on the DCCC and DNC
    networks.

    18. Defendant ALEKSANDR VLADIMIROVICH OSADCHUK (Осадчук Александр Владимирович)
    was a Colonel in the Russian military and the commanding officer of Unit 74455.
    Unit 74455 was located at 22 Kirova Street, Khimki, Moscow, a building referred to within the
    GRU as the “Tower.” Unit 74455 assisted in the release of stolen documents through the DCLeaks
    and Guccifer 2.0 personas, the promotion of those releases, and the publication of anti-Clinton
    content on social media accounts operated by the GRU.

    19. Defendant ALEKSEY ALEKSANDROVICH POTEMKIN (Потемкин Алексей Александрович)
    was an officer in the Russian military assigned to Unit 74455. POTEMKIN was
    a supervisor in a department within Unit 74455 responsible for the administration of computer
    infrastructure used in cyber operations. Infrastructure and social media accounts administered by
    that department were used, among other things, to assist in the release of stolen
    documents through the DCLeaks and Guccifer 2.0 personas.

    Object of the Conspiracy

    20. The object of the conspiracy was to hack into the computers of U.S. persons and entities
    involved in the 2016 U.S. presidential election, steal documents from those computers, and stage
    releases of the stolen documents to interfere with the 2016 U.S. presidential election.

    Manner and Means of the Conspiracy

    Spearphishing Operations

    21. ANTONOV, BADIN, YERMAKOV, LUKASHEV, and their co-conspirators targeted
    victims using a technique known as spearphishing to steal victims’ passwords or otherwise gain
    access to their computers. Beginning by at least March 2016, the Conspirators targeted over 300
    individuals affiliated with the Clinton Campaign, DCCC, and DNC.

    a. For example, on or about March 19, 2016, LUKASHEV and his co-conspirators
    created and sent a spearphishing email to the chairman of the Clinton Campaign.
    LUKASHEV used the account “john356gh” at an online service that abbreviated
    website addresses (referred to as a “URL-shortening service”).
    LUKASHEV used the account to mask a link contained in the spearphishing email,
    which directed the recipient to a GRU-created website. LUKASHEV altered the
    appearance of the sender email address in order to make it look like the email was
    a security notification from Google (a technique known as “spoofing”), instructing
    the user to change his password by clicking the embedded link. Those instructions
    were followed. On or about March 21, 2016, LUKASHEV, YERMAKOV, and
    their co-conspirators stole the contents of the chairman’s email account, which
    consisted of over 50,000 emails.

    b. Starting on or about March 19, 2016, LUKASHEV and his co-conspirators sent
    spearphishing emails to the personal accounts of other individuals affiliated with
    the Clinton Campaign, including its campaign manager and a senior foreign policy
    adviser. On or about March 25, 2016, LUKASHEV used the same john356gh
    account to mask additional links included in spearphishing emails sent to numerous
    individuals affiliated with the Clinton Campaign, including Victims 1 and 2.
    LUKASHEV sent these emails from the Russia-based email account
    hi.mymail@yandex.com that he spoofed to appear to be from Google.

    c. On or about March 28, 2016, YERMAKOV researched the names of Victims 1 and
    2 and their association with Clinton on various social media sites. Through their
    spearphishing operations, LUKASHEV, YERMAKOV, and their co-conspirators
    successfully stole email credentials and thousands of emails from numerous
    individuals affiliated with the Clinton Campaign. Many of these stolen emails,
    including those from Victims 1 and 2, were later released by the Conspirators
    through DCLeaks.

    d. On or about April 6, 2016, the Conspirators created an email account in the name
    (with a one-letter deviation from the actual spelling) of a known member of the
    Clinton Campaign. The Conspirators then used that account to send spearphishing
    emails to the work accounts of more than thirty different Clinton Campaign
    employees. In the spearphishing emails, LUKASHEV and his co-conspirators
    embedded a link purporting to direct the recipient to a document titled
    “hillary-clinton-favorable-rating.xlsx.” In fact, this link directed the recipients’ computers
    to a GRU-created website.

    22. The Conspirators spearphished individuals affiliated with the Clinton Campaign
    throughout the summer of 2016. For example, on or about July 27, 2016, the Conspirators
    attempted after hours to spearphish for the first time email accounts at a domain hosted by a
    third-party provider and used by Clinton’s personal office. At or around the same time, they also
    targeted seventy-six email addresses at the domain for the Clinton Campaign.

    Hacking into the DCCC Network

    23. Beginning in or around March 2016, the Conspirators, in addition to their spearphishing
    efforts, researched the DCCC and DNC computer networks to identify technical specifications and
    vulnerabilities.

    a. For example, beginning on or about March 15, 2016, YERMAKOV ran a technical
    query for the internet protocol configurations to identify connected devices.

    b. On or about the same day, YERMAKOV searched for open-source information
    about the DNC network, the Democratic Party, and Hillary Clinton.

    c. On or about April 7, 2016, YERMAKOV ran a technical query for the DCCC
    internet protocol configurations to identify connected devices.

    24. By in or around April 2016, within days of searches regarding the DCCC,
    the Conspirators hacked into the DCCC computer network. Once they gained access, they
    installed and managed different types of malware to explore the DCCC network and steal data.

    a. On or about April 12, 2016, the Conspirators used the stolen credentials of a
    DCCC Employee (“DCCC Employee 1”) to access the DCCC network. DCCC
    Employee 1 had received a spearphishing email from the Conspirators on or about
    April 6, 2016, and entered her password after clicking on the link.

    b. Between in or around April 2016 and June 2016, the Conspirators installed multiple
    versions of their X-Agent malware on at least ten computers, which allowed
    them to monitor individual employees’ computer activity, steal passwords, and
    maintain access to the DCCC network.

    c. X-Agent malware implanted on the DCCC network transmitted information from
    the victims’ computers to a GRU-leased server located in Arizona. The
    Conspirators referred to this server as their “AMS” panel. KOZACHEK,
    MALYSHEV, and their co-conspirators logged into the AMS panel to use
    X-Agent’s keylog and screenshot functions in the course of monitoring and
    surveilling activity on the computers. The keylog function allowed the
    Conspirators to capture keystrokes entered by employees. The screenshot
    function allowed the Conspirators to take pictures of the employees’
    computer screens.

    d. For example, on or about April 14, 2016, the Conspirators repeatedly activated
    X-Agent’s keylog and screenshot functions to surveil DCCC Employee 1’s
    computer activity over the course of eight hours. During that time, the Conspirators
    captured DCCC Employee 1’s communications with co-workers and the passwords
    she entered while working on fundraising and voter outreach projects. Similarly,
    on or about April 22, 2016, the Conspirators activated X-Agent’s keylog and
    screenshot functions to capture the discussions of another DCCC Employee
    (“DCCC Employee 2”) about the DCCC’s finances, as well as her individual
    banking information and other personal topics.

    25. On or about April 19, 2016, KOZACHEK, YERSHOV, and their co-conspirators remotely
    configured an overseas computer to relay communications between X-Agent malware and the
    AMS panel and then tested X-Agent’s ability to connect to this computer. The Conspirators
    referred to this computer as a “middle server.” The middle server acted as a proxy to obscure the
    connection between malware at the DCCC and the Conspirators’ AMS panel. On or about April
    20, 2016, the Conspirators directed X-Agent malware on the computers to connect to this
    middle server and receive directions from the Conspirators.

    Hacking into the DNC Network

    26. On or about April 18, 2016, the Conspirators hacked into the DNC’s computers through
    their access to the DCCC network. The Conspirators then installed and managed different types
    of malware (as they did in the DCCC network) to explore the DNC network and steal documents.

    a. On or about April 18, 2016, the Conspirators activated X-Agent’s keylog and
    screenshot functions to steal credentials of a DCCC employee who was authorized
    to access the DNC network. The Conspirators hacked into the DNC network from
    the DCCC network using stolen credentials. By in or around June 2016, they
    gained access to approximately thirty-three DNC computers.

    b. In or around April 2016, the Conspirators installed X-Agent malware on the DNC
    network, including the same versions installed on the DCCC network.
    MALYSHEV and his co-conspirators monitored the X-Agent malware from the
    AMS panel and captured data from the victim computers. The AMS panel collected
    thousands of keylog and screenshot results from the DCCC and DNC computers,
    such as a screenshot and keystroke capture of DCCC Employee 2 viewing the
    DCCC’s online banking information.

    Theft of DCCC and DNC Documents

    27. The Conspirators searched for and identified computers within the DCCC and DNC
    networks that stored information related to the 2016 U.S. presidential election. For example, on
    or about April 15, 2016, the Conspirators searched one hacked DCCC computer for terms that
    included “hillary,” “cruz,” and “trump.” The Conspirators also copied select folders,
    including “Benghazi Investigations.” The Conspirators targeted computers containing information
    such as opposition research and field operation plans for the 2016 elections.

    28. To enable them to steal a large number of documents at once without detection, the
    Conspirators used a publicly available tool to gather and compress multiple documents on the
    DCCC and DNC networks. The Conspirators then used other GRU malware, known as
    “X-Tunnel,” to move the stolen documents outside the DCCC and DNC networks through
    encrypted channels.

    a. For example, on or about April 22, 2016, the Conspirators compressed gigabytes
    of data from DNC computers, including opposition research. The Conspirators
    later moved the compressed DNC data using X-Tunnel to a GRU-leased computer
    located in Illinois.

    b. On or about April 28, 2016, the Conspirators connected to and tested the same
    computer located in Illinois. Later that day, the Conspirators used X-Tunnel to
    connect to that computer to steal additional documents from the DCCC network.

    29. Between on or about May 25, 2016 and June 1, 2016, the Conspirators hacked the DNC
    Microsoft Exchange Server and stole thousands of emails from the work accounts of DNC
    employees. During that time, YERMAKOV researched PowerShell commands related to
    accessing and managing the Microsoft Exchange Server.

    30. On or about May 30, 2016, MALYSHEV accessed the AMS panel in order to upgrade
    custom AMS software on the server. That day, the AMS panel received updates from
    approximately thirteen different X-Agent malware implants on DCCC and DNC computers.

    31. During the hacking of the DCCC and DNC networks, the Conspirators covered their tracks
    by intentionally deleting logs and computer files. For example, on or about May 13, 2016, the
    Conspirators cleared the event logs from a DNC computer. On or about June 20, 2016, the
    Conspirators deleted logs from the AMS panel that documented their activities on the panel,
    including the login history.

    Efforts to Remain on the DCCC and DNC Networks

    32. Despite the Conspirators’ efforts to hide their activity, beginning in or around May 2016,
    both the DCCC and DNC became aware that they had been hacked and hired a security company
    (“Company 1”) to identify the extent of the intrusions. By in or around June 2016, Company 1
    took steps to exclude intruders from the networks. Despite these efforts, a Linux-based version of
    X-Agent, programmed to communicate with the GRU-registered domain linuxkrnl.net, remained
    on the DNC network until in or around October 2016.

    33. In response to Company 1’s efforts, the Conspirators took countermeasures to maintain
    access to the DCCC and DNC networks.

    a. On or about May 31, 2016, YERMAKOV searched for open-source information
    about Company 1 and its reporting on X-Agent and X-Tunnel. On or about June
    1, 2016, the Conspirators attempted to delete traces of their presence on the DCCC
    network using the computer program CCleaner.

    b. On or about June 14, 2016, the Conspirators registered the domain actblues.com,
    which mimicked the domain of a political fundraising platform that included a
    DCCC donations page. Shortly thereafter, the Conspirators used stolen DCCC
    credentials to modify the DCCC website and redirect visitors to the actblues.com
    domain.

    c. On or about June 20, 2016, after Company 1 had disabled X-Agent on the DCCC
    network, the Conspirators spent over seven hours unsuccessfully trying to connect
    to X-Agent. The Conspirators also tried to access the DCCC network using
    previously stolen credentials.

    34. In or around September 2016, the Conspirators also successfully gained access to DNC
    computers hosted on a third-party cloud-computing service. These computers contained test
    applications related to the DNC’s analytics. After conducting reconnaissance, the Conspirators
    gathered data by creating backups, or “snapshots,” of the cloud-based systems using the
    cloud provider’s own technology. The Conspirators then moved the snapshots to cloud-based
    accounts they had registered with the same service, thereby stealing the data from the DNC.

    Stolen Documents Released through DCLeaks

    35. More than a month before the release of any documents, the Conspirators constructed the
    online persona DCLeaks to release and publicize stolen election-related documents. On or about
    April 19, 2016, after attempting to register the domain electionleaks.com, the Conspirators
    registered the domain dcleaks.com through a service that anonymized the registrant. The funds
    used to pay for the dcleaks.com domain originated from an account at an online
    service that the Conspirators also used to fund the lease of a virtual private server registered with
    the operational email account dirbinsaabol@mail.com. The dirbinsaabol email account was also
    used to register the john356gh URL-shortening account used by LUKASHEV to spearphish the
    Clinton Campaign chairman and other campaign-related individuals.

    36. On or about June 8, 2016, the Conspirators launched the public website dcleaks.com, which
    they used to release stolen emails. Before it shut down in or around March 2017, the site received
    over one million page views. The Conspirators falsely claimed on the site that DCLeaks was
    started by a group of “American hacktivists,” when in fact it was started by the Conspirators.

    37. Starting in or around June 2016 and continuing through the 2016 U.S. presidential election,
    the Conspirators used DCLeaks to release emails stolen from individuals affiliated with the Clinton
    Campaign. The Conspirators also released documents they had stolen in other spearphishing
    operations, including those they had conducted in 2015 that collected emails from individuals
    affiliated with the Republican Party.

    38. On or about June 8, 2016, and at approximately the same time that the dcleaks.com website
    was launched, the Conspirators created a DCLeaks Facebook page using a preexisting social media
    account under the fictitious name “Alice Donovan.” In addition to the DCLeaks Facebook page,
    the Conspirators used other social media accounts in the names of fictitious U.S. persons such as
    “Jason Scott” and “Richard Gingrey” to promote the DCLeaks website. The Conspirators accessed
    these accounts from computers managed by POTEMKIN and his co-conspirators.

    39. On or about June 8, 2016, the Conspirators created the Twitter account @dcleaks_. The
    Conspirators operated the @dcleaks_ Twitter account from the same computer used for other
    efforts to interfere with the 2016 U.S. presidential election. For example, the Conspirators used
    the same computer to operate the Twitter account @BaltimoreIsWhr, through which they
    encouraged U.S. audiences to “[j]oin our flash mob” opposing Clinton and to post images with the
    hashtag #BlacksAgainstHillary.

    Stolen Documents Released through Guccifer 2.0

    40. On or about June 14, 2016, the DNC, through Company 1, publicly announced that it
    had been hacked by Russian government actors. In response, the Conspirators created the online
    persona Guccifer 2.0 and falsely claimed to be a lone Romanian hacker to undermine the
    allegations of Russian responsibility for the intrusion.

    41. On or about June 15, 2016, the Conspirators logged into a Moscow-based server used and
    managed by Unit 74455 and, between 4:19 PM and 4:56 PM Moscow Standard Time, searched
    for certain words and phrases, including:

    Search Terms(s):
    “some hundred sheets”
    “some hundreds of sheets”
    dcleaks
    illuminati
    широко известный перевод
    [widely known translation]
    “worldwide known”
    “think twice about”
    “company’s competence”

    42. Later that day, at 7:02 PM Moscow Standard Time, the online persona Guccifer 2.0
    published its first post on a blog site created through WordPress. Titled “DNC’s servers hacked
    by a lone hacker,” the post used numerous English words and phrases that the Conspirators had
    searched for earlier that day (bolded below):

    Worldwide known cyber security company [Company 1] announced that
    the Democratic National Committee (DNC) servers had been hacked by
    “sophisticated” hacker groups.

    I’m very pleased the company appreciated my skills so highly)))[...]

    Here are just a few docs from many thousands I extracted when hacking
    into DNC’s network. [...]

    Some hundred sheets! This’s a serious case, isn’t it? [...]

    I guess [Company 1] customers should think twice about company’s
    competence.

    F[***] the Illuminati and their conspiracies!!!!!!!! F[***]
    [Company 1]!!!!!!!!

    43. Between in or around June 2016 and October 2016, the Conspirators used Guccifer 2.0 to
    release documents through WordPress that they had stolen from the DCCC and DNC. The
    Conspirators, posing as Guccifer 2.0, also shared stolen documents with certain individuals.

    a. On or about August 15, 2016, the Conspirators, posing as Guccifer 2.0, received a
    request for stolen documents from a candidate for the U.S. Congress. The
    Conspirators responded using the Guccifer 2.0 persona and sent the candidate
    stolen documents related to the candidate’s opponent.

    b. On or about August 22, 2016, the Conspirators, posing as Guccifer 2.0, transferred
    approximately 2.5 gigabytes of data stolen from the DCCC to a then-registered state
    lobbyist and online source of political news. The stolen data included donor records
    and personal identifying information for more than 2,000 Democratic donors.

    c. On or about August 22, 2016, the Conspirators, posing as Guccifer 2.0, sent a
    reporter stolen documents pertaining to the Black Lives Matter movement. The
    reporter responded by discussing when to release the documents and offering to
    write an article about their release.

    44. The Conspirators, posing as Guccifer 2.0, also communicated with U.S. persons about the
    release of stolen documents. On or about August 15, 2016, the Conspirators, posing as Guccifer
    2.0, wrote to a person who was in regular contact with senior members of the presidential campaign
    of Donald J. Trump, “thank u for writing back ... do u find anyt[h]ing interesting in the docs i
    posted?” On or about August 17, 2016, the Conspirators added, “please tell me if i can help
    anyhow ... it would be a great pleasure to me.” On or about September 9, 2016, the Conspirators,
    again posing as Guccifer 2.0, referred to a stolen document posted online and asked the
    person, “what do think of the info on the turnout model for the democrats entire presidential
    campaign.” The person responded, “[p]retty standard.”

    45. The Conspirators conducted operations as Guccifer 2.0 and DCLeaks using overlapping
    computer infrastructure and financing.

    a. For example, between on or about March 14, 2016 and April 28, 2016, the
    Conspirators used the same pool of bitcoin funds to purchase a virtual private
    network (“VPN”) account and to lease a server in Malaysia. In or around June
    2016, the Conspirators used the Malaysian server to host the dcleaks.com website.
    On or about July 6, 2016, the Conspirators used the VPN to log into the
    @Guccifer_2 Twitter account. The Conspirators opened that VPN account from
    the same server that was also used to register malicious domains for the hacking of
    the DCCC and DNC networks.

    b. On or about June 27, 2016, the Conspirators, posing as Guccifer 2.0, contacted a
    U.S. reporter with an offer to provide stolen emails from “Hillary Clinton’s staff.”
    The Conspirators then sent the reporter the password to access a nonpublic,
    password-protected portion of dcleaks.com containing emails stolen from Victim 1
    by LUKASHEV, YERMAKOV, and their co-conspirators in or around March
    2016.

    46. On or about January 12, 2017, the Conspirators published a statement on the Guccifer 2.0
    WordPress blog, falsely claiming that the intrusions and release of stolen documents had “totally
    no relation to the Russian government.”

    Use of Organization 1

    47. In order to expand their interference in the 2016 U.S. presidential election, the Conspirators
    transferred many of the documents they stole from the DNC and the chairman of the Clinton
    Campaign to Organization 1. The Conspirators, posing as Guccifer 2.0, discussed the release of
    the stolen documents and the timing of those releases with Organization 1 to heighten their impact
    on the 2016 U.S. presidential election.

    a. On or about June 22, 2016, Organization 1 sent a private message to Guccifer 2.0
    to “[s]end any new material [stolen from the dnc] here for us to review and it will
    have a much higher impact than what you are doing.” On or about July 6, 2016,
    Organization 1 added, “if you have anything hillary related we want it in the next
    tweo [sic] days prefable [sic] because the DNC [Democratic National Convention]
    is approaching and she will solidify bernie supporters behind her after.” The
    Conspirators responded, “ok . . . i see.” Organization 1 explained, “we think trump
    has only a 25% chance of winning against hillary ... so conflict between bernie
    and hillary is interesting.”

    b. After failed attempts to transfer the stolen documents starting in late June 2016, on
    or about July 14, 2016, the Conspirators, posing as Guccifer 2.0, sent
    Organization 1 an email with an attachment titled “wk link1.txt.gpg.” The
    Conspirators explained to Organization 1 that the encrypted file contained
    instructions on how to access an online archive of stolen DNC documents. On or
    about July 18, 2016, Organization 1 confirmed it had “the 1Gb or so archive” and
    would make a release of the stolen documents “this week.”

    48. On or about July 22, 2016, Orga­ni­za­tion 1 released over 20,000 emails and oth­er
    doc­u­ments stolen from the DNC net­work by the Con­spir­a­tors. This release occurred
    approx­i­mate­ly three days before the start of the Demo­c­ra­t­ic Nation­al Con­ven­tion. Orga­ni­za­tion 1
    did not dis­close Guc­cifer 2.0’s role in pro­vid­ing them. The lat­est-in-time email released through
    Orga­ni­za­tion 1 was dat­ed on or about May 25, 2016, approx­i­mate­ly the same day the Con­spir­a­tors
    hacked the DNC Microsoft Exchange Serv­er.

    49. On or about Octo­ber 7, 2016, Orga­ni­za­tion 1 released the first set of emails from the
    chair­man of the Clin­ton Cam­paign that had been stolen by LUKASHEV and his co-con­spir­a­tors.
    Between on or about Octo­ber 7, 2016 and Novem­ber 7, 2016, Orga­ni­za­tion 1 released

    page 19

    approx­i­mate­ly thir­ty-three tranch­es of doc­u­ments that had been stolen from the chair­man of the
    Clin­ton Cam­paign. In total, over 50,000 stolen doc­u­ments were released.

    Statutory Allegations

    50. Paragraphs 1 through 49 of this Indictment are re-alleged and incorporated by reference as
    if fully set forth herein.

    51. From at least in or around March 2016 through November 2016, in the District of Columbia
    and elsewhere, Defendants ANTONOV, YERMAKOV, LUKASHEV,
    MORGACHEV, KOZACHEK, YERSHOV, MALYSHEV, OSADCHUK, and POTEMKIN,
    together with others known and unknown to the Grand Jury, knowingly and intentionally conspired
    to commit offenses against the United States, namely:

    a. To knowingly access a computer without authorization and exceed authorized
    access to a computer, and to obtain thereby information from a protected computer,
    where the value of the information obtained exceeded $5,000, in violation of Title
    18, United States Code, Sections 1030(a)(2)(C) and 1030(c)(2)(B); and

    b. To knowingly cause the transmission of a program, information, code, and
    command, and as a result of such conduct, to intentionally cause damage without
    authorization to a protected computer, and where the offense did cause and, if
    completed, would have caused, loss aggregating $5,000 in value to at least one
    person during a one-year period from a related course of conduct affecting a
    protected computer, and damage affecting at least ten protected computers during
    a one-year period, in violation of Title 18, United States Code, Sections
    1030(a)(5)(A) and 1030(c)(4)(B).

    52. In furtherance of the Conspiracy and to effect its illegal objects, the Conspirators
    committed the overt acts set forth in paragraphs 1 through 19, 21 through 49, 55, and 57 through
    64, which are re-alleged and incorporated by reference as if fully set forth herein.

    53. In furtherance of the Conspiracy, and as set forth in paragraphs 1 through 19, 21 through
    49, 55, and 57 through 64, the Conspirators knowingly falsely registered a domain name and
    knowingly used that domain name in the course of committing an offense, namely, the
    Conspirators registered domains, including dcleaks.com and actblues.com, with false names and
    addresses, and used those domains in the course of committing the felony offense charged in Count
    One.

    All in violation of Title 18, United States Code, Sections 371 and 3559(g)(1).

    COUNTS TWO THROUGH NINE
    (Aggravated Identity Theft)

    54. Paragraphs 1 through 19, 21 through 49, and 57 through 64 of this Indictment are re-alleged
    and incorporated by reference as if fully set forth herein.

    55. On or about the dates specified below, in the District of Columbia and elsewhere,
    Defendants BORISOVICH BORIS ALEKSEYEVICH ANTONOV,
    DMITRIY SERGEYEVICH IVAN SERGEYEVICH YERMAKOV, ALEKSEY
    VIKTOROVICH LUKASHEV, SERGEY ALEKSANDROVICH MORGACHEV, NIKOLAY
    YURYEVICH KOZACHEK, PAVEL VYACHESLAVOVICH YERSHOV, ARTEM
    ANDREYEVICH MALYSHEV, ALEKSANDR VLADIMIROVICH OSADCHUK, and
    ALEKSEY ALEKSANDROVICH POTEMKIN did knowingly transfer, possess, and use, without
    lawful authority, a means of identification of another person during and in relation to a felony
    violation enumerated in Title 18, United States Code, Section 1028A(c), namely, computer fraud
    in violation of Title 18, United States Code, Sections 1030(a)(2)(C) and 1030(c)(2)(B), knowing
    that the means of identification belonged to another real person:

    Count | Approximate Date | Victim | Means of Identification
    2 | March 21, 2016 | Victim 3 | Username and password for personal email account
    3 | March 25, 2016 | Victim 1 | Username and password for personal email account
    4 | April 12, 2016 | Victim 4 | Username and password for DCCC computer network
    5 | April 15, 2016 | Victim 5 | Username and password for DCCC computer network
    6 | April 18, 2016 | Victim 6 | Username and password for DCCC computer network
    7 | May 10, 2016 | Victim 7 | Username and password for DNC computer network
    8 | June 2, 2016 | Victim 2 | Username and password for personal email account
    9 | July 6, 2016 | Victim 8 | Username and password for personal email account

    All in violation of Title 18, United States Code, Sections 1028A(a)(1) and 2.

    COUNT TEN
    (Conspiracy to Launder Money)

    56. Paragraphs 1 through 19, 21 through 49, and 55 are re-alleged and incorporated by reference
    as if fully set forth herein.

    57. To facilitate the purchase of infrastructure used in their hacking activity, including hacking
    into the computers of U.S. persons and entities involved in the 2016 U.S. presidential election and
    releasing the stolen documents, the Defendants conspired to launder the equivalent of more than
    $95,000 through a web of transactions structured to capitalize on the perceived anonymity of
    cryptocurrencies such as bitcoin.

    58. Although the Conspirators caused transactions to be conducted in a variety of currencies,
    including U.S. dollars, they principally used bitcoin when purchasing servers, registering domains,
    and otherwise making payments in furtherance of hacking activity. Many of these payments were
    processed by companies located in the United States that provided payment processing services to
    hosting companies, domain registrars, and other vendors both international and domestic. The use
    of bitcoin allowed the Conspirators to avoid direct relationships with traditional financial
    institutions, allowing them to evade greater scrutiny of their identities and sources of funds.

    59. All bitcoin transactions are added to a public ledger called the Blockchain, but the
    Blockchain identifies the parties to each transaction only by alpha-numeric identifiers known as
    bitcoin addresses. To further avoid creating a centralized paper trail of all of their purchases, the
    Conspirators purchased infrastructure using hundreds of different email accounts, in some cases
    using a new account for each purchase. The Conspirators used fictitious names and addresses in
    order to obscure their identities and their links to Russia and the Russian government. For
    example, the dcleaks.com domain was registered and paid for using the fictitious name “Carrie
    Feehan” and an address in New York. In some cases, as part of the payment process, the
    Conspirators provided vendors with nonsensical addresses such as “usa Denver AZ,” “gfhgh
    ghfhgfh fdgfdg WA,” and “1 2 dwd District of Columbia.”

    60. The Conspirators used several dedicated email accounts to track basic bitcoin transaction
    information and to facilitate bitcoin payments to vendors. One of these dedicated accounts,
    registered with the username “gfadel47,” received hundreds of bitcoin payment requests from
    approximately 100 different email accounts. For example, on or about February 1, 2016, the
    gfadel47 account received the instruction to “[p]lease send exactly 0.026043 bitcoin to” a certain
    thirty-four character bitcoin address. Shortly thereafter, a transaction matching those exact
    instructions was added to the Blockchain.

    61. On occasion, the Conspirators facilitated bitcoin payments using the same computers that
    they used to conduct their hacking activity, including to create and send test spearphishing emails.
    Additionally, one of these dedicated accounts was used by the Conspirators in or around 2015 to
    renew the registration of a domain (linuxkrnl.net) encoded in certain X-Agent malware installed
    on the DNC network.

    62. The Conspirators funded the purchase of computer infrastructure for their hacking activity
    in part by “mining” bitcoin. Individuals and entities can mine bitcoin by allowing their computing
    power to be used to verify and record payments on the bitcoin public ledger, a service for which
    they are rewarded with freshly-minted bitcoin. The pool of bitcoin generated from the GRU’s
    mining activity was used, for example, to pay a Romanian company to register the domain
    dcleaks.com through a payment processing company located in the United States.

    63. In addition to mining bitcoin, the Conspirators acquired bitcoin through a variety of means
    designed to obscure the origin of the funds. This included purchasing bitcoin through peer-to-peer
    exchanges, moving funds through other digital currencies, and using pre-paid cards. They also
    enlisted the assistance of one or more third-party exchangers who facilitated layered transactions
    through digital currency exchange platforms providing heightened anonymity.

    64. The Conspirators used the same funding structure, and in some cases, the very same pool
    of funds, to purchase key accounts, servers, and domains used in their election-related hacking
    activity.

    a. The bitcoin mining operation that funded the registration payment for dcleaks.com
    also sent newly-minted bitcoin to a bitcoin address controlled by “Daniel Farell,”
    the persona that was used to renew the domain linuxkrnl.net. The bitcoin mining
    operation also funded, through the same bitcoin address, the purchase of servers
    and domains used in the spearphishing operations, including accounts-qooqle.com
    and account-gooogle.com.

    b. On or about March 14, 2016, using funds in a bitcoin address, the Conspirators
    purchased a VPN account, which they later used to log into the @Guccifer_2
    Twitter account. The remaining funds from that bitcoin address were then used on
    or about April 28, 2016, to lease a Malaysian server that hosted the dcleaks.com
    website.

    c. The Conspirators used a different set of fictitious names (including “Ward
    DeClaur” and “Mike Long”) to send bitcoin to a company in order to lease a
    server used to administer X-Tunnel malware implanted on the DCCC and DNC
    networks, and to lease two servers used to hack the cloud network.

    Statutory Allegations

    65. From at least in or around 2015 through 2016, within the District of Columbia and
    elsewhere, Defendants VIKTOR BORISOVICH BORIS ALEKSEYEVICH
    ANTONOV, DMITRIY SERGEYEVICH IVAN SERGEYEVICH YERMAKOV,
    ALEKSEY VIKTOROVICH LUKASHEV, SERGEY ALEKSANDROVICH MORGACHEV,
    NIKOLAY YURYEVICH KOZACHEK, PAVEL VYACHESLAVOVICH YERSHOV, ARTEM
    ANDREYEVICH MALYSHEV, ALEKSANDR VLADIMIROVICH OSADCHUK, and
    ALEKSEY ALEKSANDROVICH POTEMKIN, together with others, known and unknown to the
    Grand Jury, did knowingly and intentionally conspire to transport, transmit, and transfer monetary
    instruments and funds to a place in the United States from and through a place outside the United
    States and from a place in the United States to and through a place outside the United States, with
    the intent to promote the carrying on of specified unlawful activity, namely, a violation of Title
    18, United States Code, Section 1030, contrary to Title 18, United States Code, Section
    1956(a)(2)(A).

    All in violation of Title 18, United States Code, Section 1956(h).

    COUNT ELEVEN
    (Conspiracy to Commit an Offense Against the United States)

    66. Paragraphs 1 through 8 of this Indictment are re-alleged and incorporated by reference as
    if fully set forth herein.

    Defendants

    67. Paragraph 18 of this Indictment relating to ALEKSANDR VLADIMIROVICH
    OSADCHUK is re-alleged and incorporated by reference as if fully set forth herein.

    68. Defendant ANATOLIY SERGEYEVICH KOVALEV
    was an officer in the Russian military assigned to Unit 74455 who worked in the GRU’s 22 Kirova
    Street building (the Tower).

    69. Defendants OSADCHUK and KOVALEV were GRU officers who knowingly and
    intentionally conspired with each other and with persons, known and unknown to the Grand Jury,
    to hack into the computers of U.S. persons and entities responsible for the administration of 2016
    U.S. elections, such as state boards of elections, secretaries of state, and U.S. companies that
    supplied software and other technology related to the administration of U.S. elections.

    Object of the Conspiracy

    70. The object of the conspiracy was to hack into protected computers of persons and entities
    charged with the administration of the 2016 U.S. elections in order to access these computers and
    steal voter data and other information stored on these computers.

    Manner and Means of the Conspiracy

    71. In or around June 2016, KOVALEV and his co-conspirators researched domains used by
    U.S. state boards of elections, secretaries of state, and other election-related entities for website
    vulnerabilities. KOVALEV and his co-conspirators also searched for state political party email
    addresses, including filtered queries for email addresses listed on state Republican Party websites.

    72. In or around July 2016, KOVALEV and his co-conspirators hacked the website of a state
    board of elections (“SBOE 1”) and stole information related to approximately 500,000 voters,
    including names, addresses, partial social security numbers, dates of birth, and driver’s license
    numbers.

    73. In or around August 2016, KOVALEV and his co-conspirators hacked into the computers
    of a U.S. vendor (“Vendor 1”) that supplied software used to verify voter registration information
    for the 2016 U.S. elections. KOVALEV and his co-conspirators used some of the same
    infrastructure to hack into Vendor 1 that they had used to hack into SBOE 1.

    74. In or around August 2016, the Federal Bureau of Investigation issued an alert about the
    hacking of SBOE 1 and identified some of the infrastructure that was used to conduct the hacking.
    In response, KOVALEV deleted his search history. KOVALEV and his co-conspirators also
    deleted records from accounts used in their operations targeting state boards of elections and
    similar election-related entities.

    75. In or around October 2016, KOVALEV and his co-conspirators further targeted state and
    county offices responsible for administering the 2016 U.S. elections. For example, on or about
    October 28, 2016, KOVALEV and his co-conspirators visited the websites of certain counties in
    Georgia, Iowa, and Florida to identify vulnerabilities.

    76. In or around November 2016 and prior to the 2016 U.S. presidential election, KOVALEV
    and his co-conspirators used an email account designed to look like a Vendor 1 email address to
    send over 100 spearphishing emails to organizations and personnel involved in administering
    elections in numerous Florida counties. The spearphishing emails contained malware that the
    Conspirators embedded into Word documents bearing Vendor 1’s logo.

    Statutory Allegations

    77. Between in or around June 2016 and November 2016, in the District of Columbia and
    elsewhere, Defendants OSADCHUK and KOVALEV, together with others known and unknown
    to the Grand Jury, knowingly and intentionally conspired to commit offenses against the United
    States, namely:

    a. To knowingly access a computer without authorization and exceed authorized
    access to a computer, and to obtain thereby information from a protected computer,
    where the value of the information obtained exceeded $5,000, in violation of Title
    18, United States Code, Sections 1030(a)(2)(C) and 1030(c)(2)(B); and

    b. To knowingly cause the transmission of a program, information, code, and
    command, and as a result of such conduct, to intentionally cause damage without
    authorization to a protected computer, and where the offense did cause and, if
    completed, would have caused, loss aggregating $5,000 in value to at least one
    person during a one-year period from a related course of conduct affecting a
    protected computer, and damage affecting at least ten protected computers during
    a one-year period, in violation of Title 18, United States Code, Sections
    1030(a)(5)(A) and 1030(c)(4)(B).

    78. In furtherance of the Conspiracy and to effect its illegal objects, OSADCHUK,
    KOVALEV, and their co-conspirators committed the overt acts set forth in paragraphs 67 through
    69 and 71 through 76, which are re-alleged and incorporated by reference as if fully set forth
    herein.

    All in violation of Title 18, United States Code, Section 371.

    FORFEITURE ALLEGATION

    79. Pursuant to Federal Rule of Criminal Procedure 32.2, notice is hereby given to Defendants
    that the United States will seek forfeiture as part of any sentence in the event of Defendants’
    convictions under Counts One, Ten, and Eleven of this Indictment. Pursuant to Title 18, United
    States Code, Sections 982(a)(2) and 1030(i), upon conviction of the offenses charged in Counts
    One and Eleven, Defendants ANTONOV, BADIN, YERMAKOV, LUKASHEV,
    MORGACHEV, KOZACHEK, YERSHOV, MALYSHEV, OSADCHUK, POTEMKIN, and
    KOVALEV shall forfeit to the United States any property, real or personal, which constitutes or
    is derived from proceeds obtained directly or indirectly as a result of such violation, and any
    personal property that was used or intended to be used to commit or to facilitate the commission
    of such offense. Pursuant to Title 18, United States Code, Section 982(a)(1), upon conviction of
    the offense charged in Count Ten, Defendants ANTONOV, BADIN,
    YERMAKOV, LUKASHEV, MORGACHEV, KOZACHEK, YERSHOV, MALYSHEV,
    OSADCHUK, and POTEMKIN shall forfeit to the United States any property, real or personal,
    involved in such offense, and any property traceable to such property. Notice is further given that,
    upon conviction, the United States intends to seek a judgment against each Defendant for a sum
    of money representing the property described in this paragraph, as applicable to each Defendant
    (to be offset by the forfeiture of any specific property).

    Substitute Assets

    80. If any of the property described above as being subject to forfeiture, as a result of any act or
    omission of any Defendant –

    a. cannot be located upon the exercise of due diligence;

    b. has been transferred or sold to, or deposited with, a third party;

    c. has been placed beyond the jurisdiction of the court;

    d. has been substantially diminished in value; or

    e. has been commingled with other property that cannot be subdivided without
    difficulty;

    it is the intent of the United States of America, pursuant to Title 18, United States Code, Section
    982(b) and Title 28, United States Code, Section 2461(c), incorporating Title 21, United States
    Code, Section 853, to seek forfeiture of any other property of said Defendant.
    Pursuant to 18 U.S.C. 982 and 1030(i); 28 U.S.C. 2461(c).

    Robert S. Mueller, III
    Special Counsel

    U.S. Department of Justice

    A TRUE BILL:

    Foreperson

    Date: July 13, 2018
    ———-

    Ok, so that was a lot of legalese, but notably easy-to-read legalese. It was a story of what happened. With lots of specific details. And lots of vague details. And no indication of whether or not the specific technical details have been associated with the GRU agents in the indictment or whether it’s merely being asserted that these individuals were the people behind the technical details. That’s very unclear.

    Also keep in mind that the fact that the Mueller team has lots of specific technical evidence — like email accounts or VPNs or bitcoin wallets used in the hacks — is what we should expect at this point. What’s surprising is the linking of this technical evidence to specific GRU officers.

    But, at a minimum, the indictment indicates the Mueller team might have evidence that conclusively links these GRU units to the hacks. Let’s review those details. First, the indictment lists the GRU members and gives a brief chronology of the initial hacks. What’s noteworthy is that the chronology starts in March of 2016, and the language indicates that the GRU units started working on hacking the Democrats “starting in at least March 2016”. So the evidence this indictment is based on appears to start from March of 2016, which is interesting given all the hacking activity that preceded this (the ‘Cozy Bear’ hacks of 2015) and the indications that GRU units were, themselves, hacked and monitored by the US and/or its allies:

    ...
    INDICTMENT

    The Grand Jury for the District of Columbia charges:

    COUNT ONE
    (Conspiracy to Commit an Offense Against the United States)

    1. In or around 2016, the Russian Federation (“Russia”) operated a military intelligence
    agency called the Main Intelligence Directorate of the General Staff (“GRU”). The GRU had
    multiple units, including Units 26165 and 74455, engaged in cyber operations that involved the
    staged releases of documents stolen through computer intrusions. These units conducted large-
    scale cyber operations to interfere with the 2016 U.S. presidential election.

    2. Defendants VIKTOR BORISOVICH BORIS ALEKSEYEVICH
    ANTONOV, DMITRIY SERGEYEVICH IVAN SERGEYEVICH YERMAKOV,
    ALEKSEY VIKTOROVICH LUKASHEV, SERGEY ALEKSANDROVICH MORGACHEV,
    NIKOLAY YURYEVICH KOZACHEK, PAVEL VYACHESLAVOVICH YERSHOV, ARTEM
    ANDREYEVICH ALEKSANDR VLADIMIROVICH OSADCHUK, and
    ALEKSEY ALEKSANDROVICH POTEMKIN were GRU officers who knowingly and
    intentionally conspired with each other, and with persons known and unknown to the Grand Jury
    (collectively the “Conspirators”), to gain unauthorized access (to “hack”) into the computers of
    U.S. persons and entities involved in the 2016 U.S. presidential election, steal documents from
    these computers, and stage releases of the stolen documents to interfere with the 2016 U.S.
    presidential election.

    3. Starting in at least March 2016, the Conspirators used a variety of means to hack the email
    accounts of volunteers and employees of the U.S. presidential campaign of Hillary Clinton (the
    “Clinton Campaign”), including the email account of the Clinton Campaign’s chairman.

    4. By in or around April 2016, the Conspirators also hacked into the computer networks of
    the Democratic Congressional Campaign Committee (“DCCC”) and the Democratic National
    Committee (“DNC”). The Conspirators covertly monitored the computers of dozens of DCCC
    and DNC employees, implanted hundreds of files containing malicious computer code
    (“malware”), and stole emails and other documents from the DCCC and DNC.

    5. By in or around April 2016, the Conspirators began to plan the release of materials stolen
    from the Clinton Campaign, DCCC, and DNC.

    6. Beginning in or around June 2016, the Conspirators staged and released tens of thousands
    of the stolen emails and documents. They did so using fictitious online personas, including
    “DCLeaks” and “Guccifer 2.0.”

    7. The Conspirators also used the Guccifer 2.0 persona to release additional stolen documents
    through a website maintained by an organization (“Organization 1”), that had previously posted
    documents stolen from U.S. persons, entities, and the U.S. government. The Conspirators
    continued their U.S. election-interference operations through in or around November 2016.

    8. To hide their connections to Russia and the Russian government, the Conspirators used
    false identities and made false statements about their identities. To further avoid detection, the
    Conspirators used a network of computers located across the world, including in the United States,
    and paid for this infrastructure using cryptocurrency.
    ...

    Next, the indictment gives details on the defendants in Unit 26165, the unit that allegedly did the actual hacking:

    ...
    Defendants

    9. Defendant VIKTOR BORISOVICH was
    the Russian military officer in command of Unit 26165, located at 20 Komsomolskiy Prospekt,
    Moscow, Russia. Unit 26165 had primary responsibility for hacking the DCCC and DNC, as well
    as the email accounts of individuals affiliated with the Clinton Campaign.

    10. Defendant BORIS ALEKSEYEVICH ANTONOV was a
    Major in the Russian military assigned to Unit 26165. ANTONOV oversaw a department within
    Unit 26165 dedicated to targeting military, political, governmental, and non-governmental
    organizations with spearphishing emails and other computer intrusion activity. ANTONOV held
    the title “Head of Department.” In or around 2016, ANTONOV supervised other co-conspirators
    who targeted the DNC, and individuals affiliated with the Clinton Campaign.

    11. Defendant DMITRIY SERGEYEVICH BADIN was a
    Russian military officer assigned to Unit 26165 who held the title “Assistant Head of Department.”
    In or around 2016, BADIN, along with ANTONOV, supervised other co-conspirators who targeted
    the DNC, and individuals affiliated with the Clinton Campaign.

    12. Defendant IVAN SERGEYEVICH YERMAKOV was a
    Russian military officer assigned to a department within Unit 26165. Since in or
    around 2010, YERMAKOV used various online personas, including “Kate S. Milton,” “James
    McMorgans,” and “Karen W. Millen,” to conduct hacking operations on behalf of Unit 26165. In
    or around March 2016, YERMAKOV participated in hacking at least two email accounts from
    which campaign-related documents were released through DCLeaks. In or around May 2016,
    YERMAKOV also participated in hacking the DNC email server and stealing DNC emails that
    were later released through Organization 1.

    13. Defendant ALEKSEY VIKTOROVICH LUKASHEV
    was a Senior Lieutenant in the Russian military assigned to a department within Unit
    26165. LUKASHEV used various online personas, including “Den Katenberg” and “Yuliana
    Martynova.” In or around 2016, LUKASHEV sent spearphishing emails to members of the
    Clinton Campaign and affiliated individuals, including the chairman of the Clinton Campaign.

    ...

    And note how the following four members of Unit 26165 are specifically said to have worked with the X-Agent malware. Again, one of the big ‘WTF’ questions about the hacks has always been how on earth the GRU could have been so incompetent as to use malware that was ‘known’ to be ‘exclusive’ to the ‘Fancy Bear’/APT28 hacking group (even though that appears to be untrue) and that contained the same command-and-control IP address that had previously been publicly attributed to a hack blamed on the Russian government. Was it a slip-up that a single individual at the GRU made? Well, according to this indictment, there were at least four people dedicated to developing, testing, and deploying the X-Agent malware. The ‘WTF’ aspect of this remains unaddressed:

    ...
    14. Defendant SERGEY ALEKSANDROVICH MORGACHEV
    was a Lieutenant Colonel in the Russian military assigned to Unit 26165.
    MORGACHEV oversaw a department within Unit 26165 dedicated to developing and managing
    malware, including a hacking tool used by the GRU known as “X-Agent.” During the hacking of
    the DCCC and DNC networks, MORGACHEV supervised the co-conspirators who developed and
    monitored the X-Agent malware implanted on those computers.

    15. Defendant NIKOLAY YURYEVICH KOZACHEK was a
    Lieutenant Captain in the Russian military assigned to MORGACHEV’s department within Unit
    26165. KOZACHEK used a variety of monikers, including “kazak” and “blablabla1234565.”
    KOZACHEK developed, customized, and monitored X-Agent malware used to hack the DCCC
    and DNC networks beginning in or around April 2016.

    16. Defendant PAVEL VYACHESLAVOVICH YERSHOV
    was a Russian military officer assigned to a department within Unit 26165. In or
    around 2016, YERSHOV assisted KOZACHEK and other co-conspirators in testing and
    customizing X-Agent malware before actual deployment and use.

    17. Defendant ARTEM ANDREYEVICH MALYSHEV was
    a Second Lieutenant in the Russian military assigned to MORGACHEV’s department within Unit
    26165. MALYSHEV used a variety of monikers, including “djangomagicdev” and “realblatr.” In
    or around 2016, MALYSHEV monitored X-Agent malware implanted on the DCCC and DNC
    networks.

    ...

    Next, the indictment covers the members of Unit 74455, which allegedly created the “Guccifer 2.0” persona and set up the dcleaks.com website that the hacked documents were initially distributed through. The Unit also allegedly operated social media campaigns to promote the hacked materials. This was the unit that used the Moscow-based server to make searches for phrases that showed up in Guccifer 2.0’s first message to the world:

    ...
    18. Defendant ALEKSANDR VLADIMIROVICH OSADCHUK
    was a Colonel in the Russian military and the commanding officer of Unit 74455.
    Unit 74455 was located at 22 Kirova Street, Khimki, Moscow, a building referred to within the
    GRU as the “Tower.” Unit 74455 assisted in the release of stolen documents through the DCLeaks
    and Guccifer 2.0 personas, the promotion of those releases, and the publication of anti-Clinton
    content on social media accounts operated by the GRU.

    19. Defendant ALEKSEY ALEKSANDROVICH POTEMKIN
    was an officer in the Russian military assigned to Unit 74455. POTEMKIN was
    a supervisor in a department within Unit 74455 responsible for the administration of computer
    infrastructure used in cyber operations. Infrastructure and social media accounts administered by
    a department were used, among other things, to assist in the release of stolen
    documents through the DCLeaks and Guccifer 2.0 personas.
    ...

    The indictment then goes into some specifics of the spearphishing operation. Recall that the spearphishing was another aspect of this operation in which the hackers made a massive mistake: the spearphishing emails used the Bit.ly URL-shortening service, and the hackers neglected to set their Bit.ly account to private, which allowed investigators to uncover ALL of the addresses targeted in the campaign. It's just one of the many incredible mistakes allegedly made by the GRU:

    ...
    Object of the Conspiracy

    20. The object of the conspiracy was to hack into the computers of U.S. persons and entities
    involved in the 2016 U.S. presidential election, steal documents from those computers, and stage
    releases of the stolen documents to interfere with the 2016 U.S. presidential election.

    Manner and Means of the Conspiracy

    Spearphishing Operations

    21. ANTONOV, BADIN, YERMAKOV, LUKASHEV, and their co-conspirators targeted
    victims using a technique known as spearphishing to steal victims' passwords or otherwise gain
    access to their computers. Beginning by at least March 2016, the Conspirators targeted over 300
    individuals affiliated with the Clinton Campaign, DCCC, and DNC.

    a. For example, on or about March 19, 2016, LUKASHEV and his co-conspirators
    created and sent a spearphishing email to the chairman of the Clinton Campaign.
    LUKASHEV used the account "john356gh" at an online service that abbreviated
    website addresses (referred to as a "URL-shortening service").
    LUKASHEV used the account to mask a link contained in the spearphishing email,
    which directed the recipient to a GRU-created website. LUKASHEV altered the
    appearance of the sender email address in order to make it look like the email was
    a security notification from Google (a technique known as "spoofing"), instructing
    the user to change his password by clicking the embedded link. Those instructions
    were followed. On or about March 21, 2016, LUKASHEV, YERMAKOV, and
    their co-conspirators stole the contents of the chairman's email account, which
    consisted of over 50,000 emails.

    b. Starting on or about March 19, 2016, LUKASHEV and his co-conspirators sent
    spearphishing emails to the personal accounts of other individuals affiliated with
    the Clinton Campaign, including its campaign manager and a senior foreign policy
    adviser. On or about March 25, 2016, LUKASHEV used the same john356gh
    account to mask additional links included in spearphishing emails sent to numerous
    individuals affiliated with the Clinton Campaign, including Victims 1 and 2.
    LUKASHEV sent these emails from the Russia-based email account
    hi.mymail@yandex.com that he spoofed to appear to be from Google.
    ...

    Here, one GRU individual is identified as having researched the names of some of the spearphishing victims on social media sites on March 28, 2016. This is a good example of the kind of technical detail that is both specific and vague, because we don't know whether the underlying evidence was simply a record from a social media company, like Facebook, that someone using a particular computer assumed to have been used by these GRU individuals looked up the victims' names that day, or whether investigators traced those searches to a computer they know was used by these GRU agents. But the fact that investigators apparently know which computers (or IP addresses) were associated with specific social media searches for the victims does indicate that they know quite a bit about which computers were directly used in the attacks and how they were used:

    ...
    c. On or about March 28, 2016, YERMAKOV researched the names of Victims 1 and
    2 and their association with Clinton on various social media sites. Through their
    spearphishing operations, LUKASHEV, YERMAKOV, and their co-conspirators
    successfully stole email credentials and thousands of emails from numerous
    individuals affiliated with the Clinton Campaign. Many of these stolen emails,
    including those from Victims 1 and 2, were later released by the Conspirators
    through DCLeaks.
    ...

    Next, the indictment includes a fact that has received quite a bit of attention: on July 27, 2016, the hackers made their first attempt to spearphish email accounts at a domain, hosted by a third-party provider, used by Hillary Clinton's personal office. This is presumably not the private email server that was the subject of such intense scrutiny by the GOP and FBI, since Clinton turned that server over to the FBI in 2015. But the fact that this domain allegedly saw its first spearphishing attempt on July 27, 2016, remains notable, since that is the same day Donald Trump made his infamous public plea for 'Russia' to find and release Hillary's emails. And the attempt is described as taking place "after hours" that day, suggesting it came after, not before, Trump's public call for the hack. It's one more action by the hackers that almost appears intended to send an "I'm a Russian hacker!" message to the world. And while we're only learning about this detail now through the indictment, the email provider presumably connected the dots at the time of the phishing attempt:

    ...
    d. On or about April 6, 2016, the Conspirators created an email account in the name
    (with a one-letter deviation from the actual spelling) of a known member of the
    Clinton Campaign. The Conspirators then used that account to send spearphishing
    emails to the work accounts of more than thirty different Clinton Campaign
    employees. In the spearphishing emails, LUKASHEV and his co-conspirators
    embedded a link purporting to direct the recipient to a document titled
    "hillary-clinton-favorable-rating.xlsx." In fact, this link directed the recipients' computers
    to a GRU-created website.

    22. The Conspirators spearphished individuals affiliated with the Clinton Campaign
    throughout the summer of 2016. For example, on or about July 27, 2016, the Conspirators
    attempted after hours to spearphish for the first time email accounts at a domain hosted by a third-
    party provider and used by Clinton's personal office. At or around the same time, they also
    targeted seventy-six email addresses at the domain for the Clinton Campaign.
    ...

    Next, the indictment gives more details about the hacking of the DCCC and DNC networks. Once again, it attributes specific web searches to specific GRU agents, in this case searches related to the technical aspects of the DNC and DCCC computer networks. Again, we have no idea whether these searches were simply traced to computers assumed to have been operated by these GRU agents or whether they were directly traced back to the individuals:

    ...
    Hacking into the DCCC Network

    23. Beginning in or around March 2016, the Conspirators, in addition to their spearphishing
    efforts, researched the DCCC and DNC computer networks to identify technical specifications and
    vulnerabilities.

    a. For example, beginning on or about March 15, 2016, YERMAKOV ran a technical
    query for the internet protocol configurations to identify connected devices.

    b. On or about the same day, YERMAKOV searched for open-source information
    about the DNC network, the Democratic Party, and Hillary Clinton.

    c. On or about April 7, 2016, YERMAKOV ran a technical query for the DCCC
    internet protocol configurations to identify connected devices.

    ...

    Next, the indictment once again discusses the use of the X-Agent malware. Of note is that multiple versions of X-Agent were found. One interesting question is whether ALL of the X-Agent versions contained the 176.31.112.10 command-and-control server IP address previously attributed to 'Fancy Bear', or whether only some of them carried that conspicuous clue. The indictment also asserts that specific GRU individuals logged into the X-Agent "AMS" control panel on specific dates. Once again, we have no idea whether the underlying evidence is that someone logged into this command-and-control server on those dates and is assumed to be these GRU agents, or whether the evidence ties directly back to the individuals. Interestingly, the AMS control panel server was located in Arizona. So one of the servers the GRU allegedly chose to run this operation from was in the United States, guaranteeing that it would be left for US investigators to pore over for forensic evidence. It's one more rather odd tactical choice by these Russian government hackers:

    ...
    24. By in or around April 2016, within days of searches regarding the DCCC,
    the Conspirators hacked into the DCCC computer network. Once they gained access, they
    installed and managed different types of malware to explore the DCCC network and steal data.

    a. On or about April 12, 2016, the Conspirators used the stolen credentials of a
    DCCC Employee ("DCCC Employee 1") to access the DCCC network. DCCC
    Employee 1 had received a spearphishing email from the Conspirators on or about
    April 6, 2016, and entered her password after clicking on the link.

    b. Between in or around April 2016 and June 2016, the Conspirators installed multiple
    versions of their X-Agent malware on at least ten computers, which allowed
    them to monitor individual employees' computer activity, steal passwords, and
    maintain access to the DCCC network.

    c. X-Agent malware implanted on the DCCC network transmitted information from
    the victims' computers to a GRU-leased server located in Arizona. The
    Conspirators referred to this server as their "AMS" panel. KOZACHEK,
    MALYSHEV, and their co-conspirators logged into the AMS panel to use
    X-Agent's keylog and screenshot functions in the course of monitoring and
    surveilling activity on the computers. The keylog function allowed the
    Conspirators to capture keystrokes entered by employees. The screenshot
    function allowed the Conspirators to take pictures of the employees'
    computer screens.

    d. For example, on or about April 14, 2016, the Conspirators repeatedly activated
    X-Agent's keylog and screenshot functions to surveil DCCC Employee 1's
    computer activity over the course of eight hours. During that time, the Conspirators
    captured DCCC Employee 1's communications with co-workers and the passwords
    she entered while working on fundraising and voter outreach projects. Similarly,
    on or about April 22, 2016, the Conspirators activated X-Agent's keylog and
    screenshot functions to capture the discussions of another DCCC Employee
    ("DCCC Employee 2") about the DCCC's finances, as well as her individual
    banking information and other personal topics.

    ...

    Regarding the odd choice of a command-and-control server in Arizona, one might assume the choice was meant to avoid creating outbound traffic from the Democrats' networks that would arouse suspicion (like outbound traffic to a server in Russia). In that sense, using an Arizona server might reduce the risk of getting caught in the act even as it increases the risk after the fact. But that's what makes this other detail so odd: on April 19, 2016, the hackers apparently set up an overseas "middle server" to relay the traffic leaving the Democrats' networks back to the Arizona server. In other words, the initial X-Agent configuration sent traffic directly to the Arizona server; then, a week after the DCCC network was first accessed on April 12, X-Agent was redirected to this overseas middleman, which relayed the data back to Arizona. Recall that the 176.31.112.10 server was operated by the UK-based Crookserver company, along with the 91.121.108.153 command-and-control server that the malware also used. So might this "middle server" have been one of the Crookserver computers? If so, that's extra interesting since, as we also saw previously, the hackers associated with the 176.31.112.10 server in the 2015 Bundestag hack reportedly lost control of that server in July of 2015, when the server itself was hacked and found to be in use by four different hacking operations (recall that the server was vulnerable to the Heartbleed attack). So learning more about this middle server, and which IP address it used, seems like a key factor in this investigation. Unfortunately, the indictment gives no details on the middle server:

    ...
    25. On or about April 19, 2016, KOZACHEK, YERSHOV, and their co-conspirators remotely
    configured an overseas computer to relay communications between X-Agent malware and the
    AMS panel and then tested X-Agent's ability to connect to this computer. The Conspirators
    referred to this computer as a "middle server." The middle server acted as a proxy to obscure the
    connection between malware at the DCCC and the Conspirators' AMS panel. On or about April
    20, 2016, the Conspirators directed X-Agent malware on the computers to connect to this
    middle server and receive directions from the Conspirators.
    ...

    Next, the indictment again asserts that specific GRU agents remotely logged into the Arizona server during April to manage the X-Agent malware. Once again, we have no idea whether this rests on technical evidence showing that someone logged into the server, with the assumption that it was these GRU agents, or on evidence directly linking that command-and-control usage back to these individuals:

    ...
    Hacking into the DNC Network

    26. On or about April 18, 2016, the Conspirators hacked into the DNC's computers through
    their access to the DCCC network. The Conspirators then installed and managed different types
    of malware (as they did in the DCCC network) to explore the DNC network and steal documents.

    a. On or about April 18, 2016, the Conspirators activated X-Agent's keylog and
    screenshot functions to steal credentials of a DCCC employee who was authorized
    to access the DNC network. The Conspirators hacked into the DNC network from
    the DCCC network using stolen credentials. By in or around June 2016, they
    gained access to approximately thirty-three DNC computers.

    b. In or around April 2016, the Conspirators installed X-Agent malware on the DNC
    network, including the same versions installed on the DCCC network.
    MALYSHEV and his co-conspirators monitored the X-Agent malware from the
    AMS panel and captured data from the victim computers. The AMS panel collected
    thousands of keylog and screenshot results from the DCCC and DNC computers,
    such as a screenshot and keystroke capture of DCCC Employee 2 viewing the
    DCCC's online banking information.

    Theft of DCCC and DNC Documents

    27. The Conspirators searched for and identified computers within the DCCC and DNC
    networks that stored information related to the 2016 U.S. presidential election. For example, on
    or about April 15, 2016, the Conspirators searched one hacked DCCC computer for terms that
    included "hillary," "cruz," and "trump." The Conspirators also copied select folders,
    including "Benghazi Investigations." The Conspirators targeted computers containing information
    such as opposition research and field operation plans for the 2016 elections.
    ...

    Next, the indictment mentions another piece of malware used in the hacks: X-Tunnel, which it describes as "GRU malware". So it's worth recalling that the June 19, 2015, article in netzpolitik.org covering the 2015 Bundestag hack, which mentions the 176.31.112.10 IP address, also discusses the use of X-Tunnel in that hack! So if X-Tunnel was malware the GRU had been using exclusively up to that point in 2015, it would be particularly brazen of them to keep using X-Tunnel in the 2016 hack of the Democrats:

    ...
    28. To enable them to steal a large number of documents at once without detection, the
    Conspirators used a publicly available tool to gather and compress multiple documents on the
    DCCC and DNC networks. The Conspirators then used other GRU malware, known as
    "X-Tunnel," to move the stolen documents outside the DCCC and DNC networks through
    encrypted channels.

    a. For example, on or about April 22, 2016, the Conspirators compressed gigabytes
    of data from DNC computers, including opposition research. The Conspirators
    later moved the compressed DNC data using X-Tunnel to a GRU-leased computer
    located in Illinois.

    ...

    And note that we learn of another server located in the United States that was used by the hackers: a server in Illinois that was communicating with the X-Tunnel malware:

    ...
    b. On or about April 28, 2016, the Conspirators connected to and tested the same
    computer located in Illinois. Later that day, the Conspirators used X-Tunnel to
    connect to that computer to steal additional documents from the DCCC network.

    ...

    Next, the indictment specifically asserts that one of the GRU agents researched PowerShell commands related to managing the Microsoft Exchange Server used by the DNC. It then asserts that a specific GRU agent logged into the Arizona command-and-control server on May 30, 2016, to upgrade some of the command-and-control software. To reiterate, we have no idea whether these claims rest on technical evidence showing that someone did these things, with the assumption that it was these GRU agents, or on evidence directly linking these actions back to the individuals:

    ...
    29. Between on or about May 25, 2016 and June 1, 2016, the Conspirators hacked the DNC
    Microsoft Exchange Server and stole thousands of emails from the work accounts of DNC
    employees. During that time, YERMAKOV researched PowerShell commands related to
    accessing and managing the Microsoft Exchange Server.

    30. On or about May 30, 2016, MALYSHEV accessed the AMS panel in order to upgrade
    custom AMS software on the server. That day, the AMS panel received updates from
    approximately thirteen different X-Agent malware implants on DCCC and DNC computers.
    ...

    Next, the indictment notes how the hackers apparently tried to cover their tracks on both the Democrats' networks and the Arizona command-and-control server. Keep in mind that one of the signature aspects of this hacking operation was how brazen the hackers were, how little they appeared to care about getting caught, and how much they seemed to be showing off; US officials assumed they were trying to send a message from the Russian government. So while the hackers may have made some efforts to cover their tracks, they also appeared interested in eventually getting caught and sending an "I'm a Russian hacker" message in the process:

    ...
    31. During the hacking of the DCCC and DNC networks, the Conspirators covered their tracks
    by intentionally deleting logs and computer files. For example, on or about May 13, 2016, the
    Conspirators cleared the event logs from a DNC computer. On or about June 20, 2016, the
    Conspirators deleted logs from the AMS panel that documented their activities on the panel,
    including the login history.
    ...
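    Both anti-forensic moves in paragraph 31 leave a shape a defender can look for. Windows writes a dedicated record when a log is cleared (Event ID 1102 for the Security log, Event ID 104 for the System and Application logs), so the act of clearing is itself logged unless the attacker also suppresses that; and any log that has been wiped, or whose login history has been deleted, shows an unexplained silence before the first record that survives. The Python below is an added example written for this page, not code from the indictment or from Company 1; the one-line-per-record export format, the host names, the users and the timestamps are all constructed for illustration.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

# Constructed sample: a flattened, one-line-per-record export of Windows event
# logs from two hosts. Host names, users and timestamps are invented.
SAMPLE_LOG = """\
2016-05-13T09:00:11Z host=ws-07 channel=Security id=4624 user=jdoe msg="An account was successfully logged on."
2016-05-13T09:05:40Z host=ws-07 channel=Security id=4688 user=jdoe msg="A new process has been created."
2016-05-13T14:02:11Z host=ws-07 channel=Security id=1102 user=jdoe msg="The audit log was cleared."
2016-05-13T14:03:02Z host=ws-07 channel=Security id=4624 user=jdoe msg="An account was successfully logged on."
2016-05-13T08:00:00Z host=ws-12 channel=System id=7036 user=SYSTEM msg="The Print Spooler service entered the running state."
2016-05-13T22:00:00Z host=ws-12 channel=System id=7036 user=SYSTEM msg="The Print Spooler service entered the stopped state."
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+channel=(?P<channel>\S+)\s+'
    r'id=(?P<id>\d+)\s+user=(?P<user>\S+)\s+msg="(?P<msg>[^"]*)"\s*$'
)

# Windows event IDs that record a log being cleared.
CLEAR_EVENT_IDS = {1102: "Security log cleared", 104: "System/Application log cleared"}


def parse_records(lines: Iterable[str]) -> List[Dict]:
    """Parse export lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        rec["id"] = int(rec["id"])
        records.append(rec)
    return records


def detect_log_clears(records: Iterable[Dict]) -> List[Dict]:
    """Flag every explicit log-clear record, with who did it and when."""
    return [
        {"host": r["host"], "ts": r["ts"], "user": r["user"],
         "event_id": r["id"], "reason": CLEAR_EVENT_IDS[r["id"]]}
        for r in records if r["id"] in CLEAR_EVENT_IDS
    ]


def detect_gaps(records: Iterable[Dict], max_gap: timedelta = timedelta(hours=6)) -> List[Dict]:
    """Flag per-host silences longer than max_gap between consecutive records.

    A wipe that was not itself logged, or whose own record was later deleted
    (as the indictment alleges for the AMS panel's login history), still shows
    up as a hole in an otherwise continuous stream.
    """
    by_host: Dict[str, List[datetime]] = {}
    for r in records:
        by_host.setdefault(r["host"], []).append(r["ts"])
    gaps = []
    for host, stamps in by_host.items():
        stamps.sort()
        for earlier, later in zip(stamps, stamps[1:]):
            if later - earlier > max_gap:
                gaps.append({"host": host, "from": earlier, "to": later, "gap": later - earlier})
    return gaps


def run_sample() -> Dict[str, int]:
    """Run both detectors over the constructed sample and return the counts."""
    recs = parse_records(SAMPLE_LOG.splitlines())
    return {"clears": len(detect_log_clears(recs)), "gaps": len(detect_gaps(recs))}
```

    On the sample, ws-07 is caught by the explicit 1102 record and ws-12 by the fourteen-hour hole between two routine service events; in practice the gap threshold should be tuned per host class, since a laptop that sleeps overnight produces gaps that a domain controller never should.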

    Next, the indictment includes the remarkable revelation that at least one X-Agent implant remained on the Democrats' networks until October of 2016, months after CrowdStrike assured the world it had removed all the infections. This version of X-Agent was configured to communicate with a command-and-control server at the linuxkrnl.net domain. Recall what we saw above: the linuxkrnl.net domain wasn't included in CrowdStrike's initial report, suggesting they never found it. The DNC asserted that it was found and quarantined and unable to communicate with the hackers, while Donna Brazile wrote in her book that malware was stealing voter information files for months after CrowdStrike gave the all clear:

    ...
    Efforts to Remain on the DCCC and DNC Networks

    32. Despite the Conspirators' efforts to hide their activity, beginning in or around May 2016,
    both the DCCC and DNC became aware that they had been hacked and hired a security company
    ("Company 1") to identify the extent of the intrusions. By in or around June 2016, Company 1
    took steps to exclude intruders from the networks. Despite these efforts, a Linux-based version of
    X-Agent, programmed to communicate with the GRU-registered domain linuxkrnl.net, remained
    on the DNC network until in or around October 2016.
    ...

    Next, the indictment includes another allegation about a specific GRU agent searching for information about CrowdStrike ("Company 1") and its reporting on X-Agent and X-Tunnel. So, again, don't forget that X-Agent and X-Tunnel were both reported in June of 2015 in netzpolitik.org's article about the Bundestag hack, where the 176.31.112.10 IP address was specifically mentioned as a key piece of evidence linking the Bundestag hack to earlier hacks attributed to the APT28/Sofacy group. X-Agent is "Artifact #1" in that report and X-Tunnel is "Artifact #2", and the report notes that the name "XTunnel" shows up in the unobfuscated code. So if it only occurred to the GRU at the end of May 2016 to check whether there were any reports on the internet about X-Agent and X-Tunnel, that would be one more remarkable instance of incompetence. If, on the other hand, they were doing that search to get an idea of whether CrowdStrike had issued a recent report on their then-ongoing hack of the Democrats, that would indicate they were well aware of how conspicuous the use of X-Agent and X-Tunnel was:

    ...
    33. In response to Company 1's efforts, the Conspirators took countermeasures to maintain
    access to the DCCC and DNC networks.

    a. On or about May 31, 2016, YERMAKOV searched for open-source information
    about Company 1 and its reporting on X-Agent and X-Tunnel. On or about June
    1, 2016, the Conspirators attempted to delete traces of their presence on the DCCC
    network using the computer program CCleaner.

    b. On or about June 14, 2016, the Conspirators registered the domain actblues.com,
    which mimicked the domain of a political fundraising platform that included a
    DCCC donations page. Shortly thereafter, the Conspirators used stolen DCCC
    credentials to modify the DCCC website and redirect visitors to the actblues.com
    domain.

    c. On or about June 20, 2016, after Company 1 had disabled X-Agent on the DCCC
    network, the Conspirators spent over seven hours unsuccessfully trying to connect
    to X-Agent. The Conspirators also tried to access the DCCC network using
    previously stolen credentials.

    ...
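    The sender and domain tricks described in paragraphs 21 and 33 are cheap to detect mechanically: a domain or mailbox exactly one character away from a legitimate one (actblues.com beside actblue.com, or a staffer's name "with a one-letter deviation"), and a display name invoking a brand (Google) on a mailbox the brand does not own (hi.mymail@yandex.com). The Python below is an added example written for this page, not code from the indictment, from Company 1 or from any party to the case; the trusted-domain allowlist, the staff mailbox list and the sample From: headers are constructed for illustration, and the registrable-domain helper is deliberately naive (last two labels), which is enough for the .com and .org names used here.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Assumed allowlist for illustration: the registrable domains this mail
# environment trusts. actblue.com is included because the indictment names
# actblues.com as the lookalike registered against it.
TRUSTED_DOMAINS = {"actblue.com", "dccc.org", "dnc.org", "google.com"}

# Assumed (constructed) list of legitimate staff mailbox local-parts.
KNOWN_LOCALPARTS = ["john.smith", "press.office"]

# Brand words that should only ever appear on the brand's own domain.
BRAND_WORDS = ("google",)

ADDR_RE = re.compile(
    r'^\s*(?:"?(?P<name>[^"<]*?)"?\s*)?<?(?P<local>[^@<>\s]+)@(?P<domain>[^>\s]+)>?\s*$'
)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: one insertion, deletion or substitution costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute ca -> cb
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Naive eTLD+1: keep the last two labels (fine for .com/.org, not for co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_domain(host: str, trusted: Iterable[str] = TRUSTED_DOMAINS) -> Tuple[str, Optional[str]]:
    """Return ('trusted', d), ('lookalike', trusted_twin) or ('unknown', None)."""
    d = registrable_domain(host)
    trusted = set(trusted)
    if d in trusted:
        return "trusted", d
    for t in sorted(trusted):
        if edit_distance(d, t) == 1:
            return "lookalike", t
    return "unknown", None


def parse_address(header_value: str) -> Optional[Tuple[str, str, str]]:
    """Split 'Display Name <local@domain>' (or bare local@domain) into (name, local, domain)."""
    m = ADDR_RE.match(header_value)
    if not m:
        return None
    return (m.group("name") or "").strip(), m.group("local").lower(), m.group("domain").lower()


def analyse_sender(header_value: str,
                   trusted: Iterable[str] = TRUSTED_DOMAINS,
                   known_localparts: Iterable[str] = KNOWN_LOCALPARTS,
                   brand_words: Iterable[str] = BRAND_WORDS) -> List[str]:
    """Return human-readable findings for one From: header value (empty list = clean)."""
    parsed = parse_address(header_value)
    if parsed is None:
        return ["unparseable From: header"]
    name, local, domain = parsed
    findings: List[str] = []
    verdict, twin = classify_domain(domain, trusted)
    if verdict == "lookalike":
        findings.append(f"domain {domain} is one edit away from trusted {twin}")
    if verdict != "trusted":
        # Brand impersonation: the display name or mailbox invokes a brand,
        # but the message does not come from that brand's domain.
        for word in brand_words:
            if word in name.lower() or word in local:
                findings.append(f"sender claims '{word}' but {domain} is not a trusted domain")
    # One-letter deviation from a known staff mailbox (the paragraph 21(d) pattern).
    for known in known_localparts:
        if local != known and edit_distance(local, known) == 1:
            findings.append(f"mailbox {local} is one edit away from known staffer {known}")
    return findings
```

    The same classify_domain check applies to the redirect target in paragraph 33(b): a DCCC page that suddenly points visitors at actblues.com trips the lookalike rule against actblue.com. Edit distance of exactly one is a deliberately tight rule; widening it to two catches more squatting but starts colliding between short legitimate domains, so widen only with a larger allowlist.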

    Next, the indictment notes a September 2016 hack of DNC computers hosted on a cloud computing platform. The stolen data included test applications related to the DNC's analytics. This is the kind of information that would have been extremely helpful to the Trump campaign's social-media micro-targeting operations, so it's notable as the kind of information the Trump campaign would have found extremely useful to obtain quietly:

    ...
    34. In or around September 2016, the Conspirators also successfully gained access to DNC
    computers hosted on a third-party cloud-computing service. These computers contained test
    applications related to the DNC's analytics. After conducting reconnaissance, the Conspirators
    gathered data by creating backups, or "snapshots," of the cloud-based systems using the
    cloud provider's own technology. The Conspirators then moved the snapshots to cloud-based
    accounts they had registered with the same service, thereby stealing the data from the DNC.
    ...
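    Paragraph 34 describes exfiltration that never crosses the victim's network perimeter: the attacker snapshots a volume with the provider's own API and shares the snapshot with an account they control, so the only trace is in the provider's audit trail. The indictment does not name the provider. The Python below assumes AWS-shaped audit records (CloudTrail event names CreateSnapshot and ModifySnapshotAttribute, with a simplified requestParameters layout) and flags any snapshot shared with an account outside the organisation's own account list, or made public. It is an added example written for this page, not code from the indictment, the DNC or any cloud provider; the account IDs, volume and snapshot IDs and the sample events are constructed.

```python
import json
from datetime import datetime
from typing import Dict, Iterable, List, Optional

# Assumed: the account IDs the organisation actually owns (constructed values).
OWN_ACCOUNTS = {"111122223333"}

# Constructed audit records, one JSON object per line, shaped like CloudTrail
# events. The field layout is simplified; real records carry many more fields.
SAMPLE_EVENTS = [
    json.dumps({
        "eventTime": "2016-09-20T02:11:05Z", "eventName": "CreateSnapshot",
        "userIdentity": {"accountId": "111122223333", "userName": "analytics-deploy"},
        "requestParameters": {"volumeId": "vol-0a1b2c3d", "description": "weekly"},
        "responseElements": {"snapshotId": "snap-0f00ba12"},
    }),
    json.dumps({
        "eventTime": "2016-09-20T02:14:40Z", "eventName": "ModifySnapshotAttribute",
        "userIdentity": {"accountId": "111122223333", "userName": "analytics-deploy"},
        "requestParameters": {
            "snapshotId": "snap-0f00ba12", "attributeType": "CREATE_VOLUME_PERMISSION",
            "createVolumePermission": {"add": {"items": [{"userId": "999988887777"}]}},
        },
        "responseElements": {"_return": True},
    }),
    json.dumps({  # benign: sharing within the organisation's own account
        "eventTime": "2016-09-20T03:00:00Z", "eventName": "ModifySnapshotAttribute",
        "userIdentity": {"accountId": "111122223333", "userName": "backup-role"},
        "requestParameters": {
            "snapshotId": "snap-0aaa1111", "attributeType": "CREATE_VOLUME_PERMISSION",
            "createVolumePermission": {"add": {"items": [{"userId": "111122223333"}]}},
        },
        "responseElements": {"_return": True},
    }),
]

_TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_events(lines: Iterable[str]) -> List[Dict]:
    """Decode one JSON event per line and order by time (these ISO-8601 stamps sort lexically)."""
    return sorted((json.loads(line) for line in lines), key=lambda e: e["eventTime"])


def _minutes_between(earlier: Dict, later: Dict) -> float:
    delta = datetime.strptime(later["eventTime"], _TS_FMT) - datetime.strptime(earlier["eventTime"], _TS_FMT)
    return delta.total_seconds() / 60


def find_foreign_snapshot_shares(events: Iterable[Dict],
                                 own_accounts: Iterable[str] = OWN_ACCOUNTS) -> List[Dict]:
    """Correlate snapshot creation with later sharing to a principal we do not own.

    Returns one finding per (snapshot, foreign principal). A share to the
    'all' group (a public snapshot) is treated as foreign too.
    """
    own = set(own_accounts)
    created: Dict[str, Dict] = {}   # snapshotId -> the CreateSnapshot event
    findings: List[Dict] = []
    for ev in events:
        name = ev.get("eventName")
        params = ev.get("requestParameters") or {}
        response = ev.get("responseElements") or {}
        if name == "CreateSnapshot" and response.get("snapshotId"):
            created[response["snapshotId"]] = ev
        elif name == "ModifySnapshotAttribute":
            adds = (params.get("createVolumePermission") or {}).get("add", {}).get("items", [])
            for item in adds:
                target: Optional[str] = item.get("userId") or ("all" if item.get("group") == "all" else None)
                if target and target not in own:
                    origin = created.get(params.get("snapshotId"))
                    findings.append({
                        "snapshot_id": params.get("snapshotId"),
                        "shared_with": target,
                        "by": (ev.get("userIdentity") or {}).get("userName"),
                        "at": ev.get("eventTime"),
                        "source_volume": (origin or {}).get("requestParameters", {}).get("volumeId"),
                        "minutes_after_creation": _minutes_between(origin, ev) if origin else None,
                    })
    return findings
```

    The correlation with the creation event matters: a snapshot created and shared out within minutes by the same principal is a much stronger signal than either event alone, and the source volume ID tells the responder which system's data left. A preventive control on the same API (a policy that denies the share call unless the target is an owned account) stops the technique rather than merely detecting it.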

    Next, the indictment notes that the same email address, dirbinsaabol@mail.com, was used to register the virtual private server whose funding source also paid for the dcleaks.com domain, and to sign up for the URL-shortening account (the one the hackers apparently left publicly accessible by accident). It's worth noting that reusing the same email address across different parts of the operation is rather lazy if you're trying to hinder investigators. But it's also consistent with the amateurish execution of this hack. So amateurish that it raises the question of whether it was professionally amateurish. A question that is almost never asked:

    ...
    Stolen Documents Released through DCLeaks

    35. More than a month before the release of any documents, the Conspirators constructed the
    online persona DCLeaks to release and publicize stolen election-related documents. On or about
    April 19, 2016, after attempting to register the domain electionleaks.com, the Conspirators
    registered the domain dcleaks.com through a service that anonymized the registrant. The funds
    used to pay for the dcleaks.com domain originated from an account at an online
    service that the Conspirators also used to fund the lease of a virtual private server registered with
    the operational email account dirbinsaabol@mail.com. The dirbinsaabol email account was also
    used to register the john356gh URL-shortening account used by LUKASHEV to spearphish the
    Clinton Campaign chairman and other campaign-related individuals.
    ...

    Next, the indictment gives some details on the management and promotion of the dcleaks.com website that was initially used to distribute hacked documents. It notes that Facebook accounts under fake personas were used to promote the DCLeaks site from approximately the time the website was launched, and that these accounts were accessed from computers managed by "POTEMKIN", who, as we saw above, is described as "a supervisor in a department within Unit 74455 responsible for the administration of computer infrastructure used in cyber operations". This is noteworthy because one of the questions about the specificity of these allegations is whether they rest on evidence tying back to computers known to be used by the GRU, or on circumstantial evidence and conjecture. So when we see that Potemkin is apparently known as the administrator of Unit 74455's cyber operations infrastructure, it again raises the question of whether the evidence is technical evidence that specifically ties back to computers known to be used by Potemkin's unit, or an inference of the form 'Unit 74455 did this, therefore these are the computers that must have done it, and Potemkin manages them'. Again, the nature of the evidence is left completely ambiguous in the indictment:

    ...
    36. On or about June 8, 2016, the Conspirators launched the public website dcleaks.com, which
    they used to release stolen emails. Before it shut down in or around March 2017, the site received
    over one million page views. The Conspirators falsely claimed on the site that DCLeaks was
    started by a group of "American hacktivists," when in fact it was started by the Conspirators.

    37. Starting in or around June 2016 and continuing through the 2016 U.S. presidential election,
    the Conspirators used DCLeaks to release emails stolen from individuals affiliated with the Clinton
    Campaign. The Conspirators also released documents they had stolen in other spearphishing
    operations, including those they had conducted in 2015 that collected emails from individuals
    affiliated with the Republican Party.

    38. On or about June 8, 2016, and at approximately the same time that the dcleaks.com website
    was launched, the Conspirators created a DCLeaks Facebook page using a preexisting social media
    account under the fictitious name "Alice Donovan." In addition to the DCLeaks Facebook page,
    the Conspirators used other social media accounts in the names of fictitious U.S. persons such as
    "Jason Scott" and "Richard Gingrey" to promote the DCLeaks website. The Conspirators accessed
    these accounts from computers managed by POTEMKIN and his co-conspirators.

    ...

    Next, the indictment notes how the @dcleaks_ Twitter account was managed from the same computer "used for other efforts to interfere with the 2016 U.S. presidential election". The example given of another such effort is the management of the @BaltimoreIsWhr Twitter account, which ran anti-Hillary #BlacksAgainstHillary trolling operations. It would be interesting to learn what other trolling operations the @BaltimoreIsWhr persona interacted with. And, again, what this tells us is that the same computer was used for those two Twitter accounts and for some other activity, presumably also social media trolling. Since the computer that directly ran the Twitter accounts was presumably a VPN endpoint, which can be difficult to trace back to particular end-user computers (VPNs routed through more VPNs, etc.), we don't know whether there is technical evidence tying the computer that managed these Twitter accounts back to the GRU hackers' computers, or whether it's assumed to be the GRU based on circumstantial evidence, the Kremlin source, and other intelligence:

    ...
    39. On or about June 8, 2016, the Conspirators created the Twitter account @dcleaks_. The
    Conspirators operated the @dcleaks_ Twitter account from the same computer used for other
    efforts to interfere with the 2016 U.S. presidential election. For example, the Conspirators used
    the same computer to operate the Twitter account @BaltimoreIsWhr, through which they
    encouraged U.S. audiences to “[j]oin our flash mob” opposing Clinton and to post images with the
    hashtag #BlacksAgainstHillary.
    ...

    Ok, now we get to paragraph 41, the point in the document that mentions someone logging into a Moscow-based server used and managed by Unit 74455 from 4:19 to 4:56 PM and searching for a number of phrases that showed up in Guccifer 2.0’s opening message to the world:

    ...
    Stolen Documents Released through Guccifer 2.0

    40. On or about June 14, 2016, the DNC, through Company 1, publicly announced that it
    had been hacked by Russian government actors. In response, the Conspirators created the online
    persona Guccifer 2.0 and falsely claimed to be a lone Romanian hacker to undermine the
    allegations of Russian responsibility for the intrusion.

    41. On or about June 15, 2016, the Conspirators logged into a Moscow-based server used and
    managed by Unit 74455 and, between 4:19 PM and 4:56 PM Moscow Standard Time, searched
    for certain words and phrases, including:

    Search Term(s):
    “some hundred sheets”
    “some hundreds of sheets”
    dcleaks
    illuminati
    широко известный перевод
    [widely known translation]
    “worldwide known”
    “think twice about”
    “company’s competence”

    42. Later that day, at 7:02 PM Moscow Standard Time, the online persona Guccifer 2.0
    published its first post on a blog site created through WordPress. Titled “DNC’s servers hacked
    by a lone hacker,” the post used numerous English words and phrases that the Conspirators had
    searched for earlier that day (bolded below):

    Worldwide known cyber security company [Company 1] announced that
    the Democratic National Committee (DNC) servers had been hacked by
    “sophisticated” hacker groups.

    I’m very pleased the company appreciated my skills so highly)))[...]

    Here are just a few docs from many thousands I extracted when hacking
    into DNC’s network. [...]

    Some hundred sheets! This’s a serious case, isn’t it? [...]

    I guess [Company 1] customers should think twice about company’s
    competence.

    F[***] the Illuminati and their conspiracies!!!!!!!! F[***]
    [Company 1]!!!!!!!!

    ...

    Next, the indictment includes an allegation that’s bad news for someone in the GOP, but it’s unclear who: on August 15, 2016, an unnamed GOP candidate contacted Guccifer 2.0 requesting any documents on their Democratic opponent, and Guccifer 2.0 supplied them with documents. And this is different from the story we already knew about, that Florida GOP operative Aaron Nevins asked for and received 2.5 gigabytes of data from Guccifer 2.0, which is also listed below. So if that GOP candidate won their race, this indictment is a big deal for them:

    ...
    43. Between in or around June 2016 and October 2016, the Conspirators used Guccifer 2.0 to
    release documents through WordPress that they had stolen from the DCCC and DNC. The
    Conspirators, posing as Guccifer 2.0, also shared stolen documents with certain individuals.

    a. On or about August 15, 2016, the Conspirators, posing as Guccifer 2.0, received a
    request for stolen documents from a candidate for the U.S. Congress. The
    Conspirators responded using the Guccifer 2.0 persona and sent the candidate
    stolen documents related to the candidate’s opponent.

    b. On or about August 22, 2016, the Conspirators, posing as Guccifer 2.0, transferred
    approximately 2.5 gigabytes of data stolen from the DCCC to a then-registered state
    lobbyist and online source of political news. The stolen data included donor records
    and personal identifying information for more than 2,000 Democratic donors.
    ...

    The indictment then mentions a reporter who apparently received documents about Black Lives Matter from Guccifer 2.0 and discussed with Guccifer 2.0 the timing of releasing the documents, suggesting that this reporter was almost certainly a right-wing reporter who was happy to work with Guccifer 2.0. It’s a reminder that Guccifer 2.0’s chattiness probably ended up implicating a lot of different people:

    ...
    c. On or about August 22, 2016, the Conspirators, posing as Guccifer 2.0, sent a
    reporter stolen documents pertaining to the Black Lives Matter movement. The
    reporter responded by discussing when to release the documents and offering to
    write an article about their release.

    ...

    Next, the indictment notes that Guccifer 2.0 communicated with someone who was in regular contact with senior members of the Trump campaign. Roger Stone admitted to communications with Guccifer 2.0 starting in mid-August 2016, so this is likely a reference to that. One of those communications with Stone involved a discussion of the Democrats’ turnout model, which indicates Guccifer 2.0 was in possession of the Democrats’ voter analytics files. Recall how Donna Brazile complained about the hackers having access to the Democrats’ voter files months after CrowdStrike said the infection was contained, so this discussion with Roger Stone suggests the malware left on the DNC’s networks until October of 2016 may have been actively sending information back to the hackers:

    ...
    44. The Conspirators, posing as Guccifer 2.0, also communicated with U.S. persons about the
    release of stolen documents. On or about August 15, 2016, the Conspirators, posing as Guccifer
    2.0, wrote to a person who was in regular contact with senior members of the presidential campaign
    of Donald J. Trump, “thank u for writing back ... do u find anyt[h]ing interesting in the docs i
    posted?” On or about August 17, 2016, the Conspirators added, “please tell me if i can help
    anyhow ... it would be a great pleasure to me.” On or about September 9, 2016, the Conspirators,
    again posing as Guccifer 2.0, referred to a stolen document posted online and asked the
    person, “what do think of the info on the turnout model for the democrats entire presidential
    campaign.” The person responded, “[p]retty standard.”

    ...

    Next, the indictment mentions that the computer infrastructure used to manage the Guccifer 2.0 persona and the DCLeaks website drew on the same pool of bitcoins to lease the Malaysian server used to host the dcleaks.com website and to open a VPN account. That VPN was used to log into the @Guccifer_2 Twitter account, and the VPN account was opened from the same server used to register the domains used in the spearphishing operations. This isn’t particularly remarkable given that the Guccifer 2.0 persona always maintained that they were a lone hacker operating alone, so it would make sense to use the same bitcoins for things involving the hacks and the distribution of hacked documents:

    ...
    45. The Conspirators conducted operations as Guccifer 2.0 and DCLeaks using overlapping
    computer infrastructure and financing.

    a. For example, between on or about March 14, 2016 and April 28, 2016, the
    Conspirators used the same pool of bitcoin funds to purchase a virtual private
    network (“VPN”) account and to lease a server in Malaysia. In or around June
    2016, the Conspirators used the Malaysian server to host the dcleaks.com website.
    On or about July 6, 2016, the Conspirators used the VPN to log into the
    @Guccifer_2 Twitter account. The Conspirators opened that VPN account from
    the same server that was also used to register malicious domains for the hacking of
    the DCCC and DNC networks.

    b. On or about June 27, 2016, the Conspirators, posing as Guccifer 2.0, contacted a
    U.S. reporter with an offer to provide stolen emails from “Hillary Clinton’s staff.”
    The Conspirators then sent the reporter the password to access a nonpublic,
    password-protected portion of dcleaks.com containing emails stolen from Victim 1
    by LUKASHEV, YERMAKOV, and their co-conspirators in or around March
    2016.

    46. On or about January 12, 2017, the Conspirators published a statement on the Guccifer 2.0
    WordPress blog, falsely claiming that the intrusions and release of stolen documents had “totally
    no relation to the Russian government.”

    ...

    Next, the indictment describes Guccifer 2.0’s interactions with Wikileaks (Organization 1). Interestingly, it mentions that the Guccifer 2.0 persona discussed with Wikileaks the timing of releasing the documents, which raises the question of how those communications were obtained. Recall the earlier reports about Julian Assange communicating with Donald Trump Jr. over Twitter direct messages and how Assange was reportedly known to communicate quite a bit using Twitter’s DMs. And when Roger Stone communicated with Guccifer 2.0, that was also over Twitter direct messages. So it seems likely that Guccifer 2.0 was communicating with Assange over Twitter, in which case there’s a good chance all of these communications are available to investigators. It’s also just a remarkable security decision by Assange, Stone, and Guccifer 2.0 to use Twitter to carry out their ostensibly secret coordination. You almost have to wonder whether there wasn’t a more secret backchannel employed as the real communications channel, because Twitter DMs are hardly the most secure form of communication from the standpoint of avoiding having your messages seized by authorities:

    ...
    Use of Organization 1

    47. In order to expand their interference in the 2016 U.S. presidential election, the Conspirators
    transferred many of the documents they stole from the DNC and the chairman of the Clinton
    Campaign to Organization 1. The Conspirators, posing as Guccifer 2.0, discussed the release of
    the stolen documents and the timing of those releases with Organization 1 to heighten their impact
    on the 2016 U.S. presidential election.

    a. On or about June 22, 2016, Organization 1 sent a private message to Guccifer 2.0
    to “[s]end any new material [stolen from the dnc] here for us to review and it will
    have a much higher impact than what you are doing.” On or about July 6, 2016,
    Organization 1 added, “if you have anything hillary related we want it in the next
    tweo [sic] days prefable [sic] because the DNC [Democratic National Convention]
    is approaching and she will solidify bernie supporters behind her after.” The
    Conspirators responded, “ok . . . i see.” Organization 1 explained, “we think trump
    has only a 25% chance of winning against hillary ... so conflict between bernie
    and hillary is interesting.”

    b. After failed attempts to transfer the stolen documents starting in late June 2016, on
    or about July 14, 2016, the Conspirators, posing as Guccifer 2.0, sent
    Organization 1 an email with an attachment titled “wk link1.txt.gpg.” The
    Conspirators explained to Organization 1 that the encrypted file contained
    instructions on how to access an online archive of stolen DNC documents. On or
    about July 18, 2016, Organization 1 confirmed it had “the 1Gb or so archive” and
    would make a release of the stolen documents “this week.”

    48. On or about July 22, 2016, Organization 1 released over 20,000 emails and other
    documents stolen from the DNC network by the Conspirators. This release occurred
    approximately three days before the start of the Democratic National Convention. Organization 1
    did not disclose Guccifer 2.0’s role in providing them. The latest-in-time email released through
    Organization 1 was dated on or about May 25, 2016, approximately the same day the Conspirators
    hacked the DNC Microsoft Exchange Server.

    49. On or about October 7, 2016, Organization 1 released the first set of emails from the
    chairman of the Clinton Campaign that had been stolen by LUKASHEV and his co-conspirators.
    Between on or about October 7, 2016 and November 7, 2016, Organization 1 released
    approximately thirty-three tranches of documents that had been stolen from the chairman of the
    Clinton Campaign. In total, over 50,000 stolen documents were released.
    ...

    Next, the indictment formally lays out the hacking charges in terms of formal criminal allegations like knowingly accessing a computer without authorization, stealing people’s credentials, etc.:

    ...
    Statutory Allegations

    50. Paragraphs 1 through 49 of this Indictment are re-alleged and incorporated by reference as
    if fully set forth herein.

    51. From at least in or around March 2016 through November 2016, in the District of Columbia
    and elsewhere, Defendants ANTONOV, YERMAKOV, LUKASHEV,
    MORGACHEV, KOZACHEK, YERSHOV, MALYSHEV, OSADCHUK, and POTEMKIN,
    together with others known and unknown to the Grand Jury, knowingly and intentionally conspired
    to commit offenses against the United States, namely:

    a. To knowingly access a computer without authorization and exceed authorized
    access to a computer, and to obtain thereby information from a protected computer,
    where the value of the information obtained exceeded $5,000, in violation of Title
    18, United States Code, Sections 1030(a)(2)(C) and 1030(c)(2)(B); and

    b. To knowingly cause the transmission of a program, information, code, and
    command, and as a result of such conduct, to intentionally cause damage without
    authorization to a protected computer, and where the offense did cause and, if
    completed, would have caused, loss aggregating $5,000 in value to at least one
    person during a one-year period from a related course of conduct affecting a
    protected computer, and damage affecting at least ten protected computers during
    a one-year period, in violation of Title 18, United States Code, Sections
    1030(a)(5)(A) and 1030(c)(4)(B).

    52. In furtherance of the Conspiracy and to effect its illegal objects, the Conspirators
    committed the overt acts set forth in paragraphs 1 through 19, 21 through 49, 55, and 57 through
    64, which are re-alleged and incorporated by reference as if fully set forth herein.

    53. In furtherance of the Conspiracy, and as set forth in paragraphs 1 through 19, 21 through
    49, 55, and 57 through 64, the Conspirators knowingly falsely registered a domain name and
    knowingly used that domain name in the course of committing an offense, namely, the
    Conspirators registered domains, including dcleaks.com and actblues.com, with false names and
    addresses, and used those domains in the course of committing the felony offense charged in Count
    One.

    All in violation of Title 18, United States Code, Sections 371 and 3559(g)(1).

    COUNTS TWO THROUGH NINE
    (Aggravated Identity Theft)

    54. Paragraphs 1 through 19, 21 through 49, and 57 through 64 of this Indictment are re-alleged
    and incorporated by reference as if fully set forth herein.

    55. On or about the dates specified below, in the District of Columbia and elsewhere,
    Defendants BORISOVICH BORIS ALEKSEYEVICH ANTONOV,
    DMITRIY SERGEYEVICH IVAN SERGEYEVICH YERMAKOV, ALEKSEY
    VIKTOROVICH LUKASHEV, SERGEY ALEKSANDROVICH MORGACHEV, NIKOLAY
    YURYEVICH KOZACHEK, PAVEL VYACHESLAVOVICH YERSHOV, ARTEM
    ANDREYEVICH MALYSHEV, ALEKSANDR VLADIMIROVICH OSADCHUK, and
    ALEKSEY ALEKSANDROVICH POTEMKIN did knowingly transfer, possess, and use, without
    lawful authority, a means of identification of another person during and in relation to a felony
    violation enumerated in Title 18, United States Code, Section 1028A(c), namely, computer fraud
    in violation of Title 18, United States Code, Sections 1030(a)(2)(C) and 1030(c)(2)(B), knowing
    that the means of identification belonged to another real person:

    Count | Approximate Date | Victim | Means of Identification
    2 | March 21, 2016 | Victim 3 | Username and password for personal email account
    3 | March 25, 2016 | Victim 1 | Username and password for personal email account
    4 | April 12, 2016 | Victim 4 | Username and password for DCCC computer network
    5 | April 15, 2016 | Victim 5 | Username and password for DCCC computer network
    6 | April 18, 2016 | Victim 6 | Username and password for DCCC computer network
    7 | May 10, 2016 | Victim 7 | Username and password for DNC computer network
    8 | June 2, 2016 | Victim 2 | Username and password for personal email account
    9 | July 6, 2016 | Victim 8 | Username and password for personal email account

    All in violation of Title 18, United States Code, Sections 1028A(a)(1) and 2.
    ...

    Next, the indictment includes more allegations regarding the use of bitcoins to pay for the infrastructure (servers and web domains) used in the hack and the distribution of the documents. The indictment notes that literally hundreds of email addresses were set up to carry out the various purchases made with the bitcoins, with some email addresses being used for a single purchase. It’s said that this was done to avoid “a centralized paper trail of all of their purchases,” but there were also several dedicated email accounts used to track these bitcoin transactions, and the investigators appear to have access to those email accounts. One of the email accounts received hundreds of requests from approximately 100 different email accounts for specific amounts of bitcoin to be sent to particular bitcoin wallets. And that all raises the question: why were there hundreds of purchases being made by these GRU units? Dozens, ok, that might be plausible. But hundreds of payments? Wow:

    ...
    COUNT TEN
    (Conspiracy to Launder Money)

    56. Paragraphs 1 through 19, 21 through 49, and 55 are re-alleged and incorporated by reference
    as if fully set forth herein.

    57. To facilitate the purchase of infrastructure used in their hacking activity, including hacking
    into the computers of U.S. persons and entities involved in the 2016 U.S. presidential election and
    releasing the stolen documents, the Defendants conspired to launder the equivalent of more than
    $95,000 through a web of transactions structured to capitalize on the perceived anonymity of
    such as bitcoin.

    58. Although the Conspirators caused transactions to be conducted in a variety of currencies,
    including U.S. dollars, they principally used bitcoin when purchasing servers, registering domains,
    and otherwise making payments in furtherance of hacking activity. Many of these payments were
    processed by companies located in the United States that provided payment processing services to
    hosting companies, domain registrars, and other vendors both international and domestic. The use
    of bitcoin allowed the Conspirators to avoid direct relationships with traditional financial
    institutions, allowing them to evade greater scrutiny of their identities and sources of funds.

    59. All bitcoin transactions are added to a public ledger called the Blockchain, but the
    Blockchain identifies the parties to each transaction only by alpha-numeric identifiers known as
    bitcoin addresses. To further avoid creating a centralized paper trail of all of their purchases, the
    Conspirators purchased infrastructure using hundreds of different email accounts, in some cases
    using a new account for each purchase. The Conspirators used fictitious names and addresses in
    order to obscure their identities and their links to Russia and the Russian government. For
    example, the dcleaks.com domain was registered and paid for using the fictitious name “Carrie
    Feehan” and an address in New York. In some cases, as part of the payment process, the
    Conspirators provided vendors with nonsensical addresses such as “usa Denver AZ,” “gfhgh
    ghfhgfh fdgfdg WA,” and “1 2 dwd District of Columbia.”

    60. The Conspirators used several dedicated email accounts to track basic bitcoin transaction
    information and to facilitate bitcoin payments to vendors. One of these dedicated accounts,
    registered with the username “gfadel47,” received hundreds of bitcoin payment requests from
    approximately 100 different email accounts. For example, on or about February 1, 2016, the
    gfadel47 account received the instruction to “[p]lease send exactly 0.026043 bitcoin to” a certain
    thirty-four character bitcoin address. Shortly thereafter, a transaction matching those exact
    instructions was added to the Blockchain.
    ...

    The indictment then notes that, on occasion, the hackers used the same computer to send bitcoins that they used to carry out the hacks, like sending spearphishing emails or registering the linuxkrnl.net domain. That sounds like one more example of the surprising sloppiness of these hackers if they really did care about not getting caught:

    ...
    61. On occasion, the Conspirators facilitated bitcoin payments using the same computers that
    they used to conduct their hacking activity, including to create and send test spearphishing emails.
    Additionally, one of these dedicated accounts was used by the Conspirators in or around 2015 to
    renew the registration of a domain (linuxkrnl.net) encoded in certain X-Agent malware installed
    on the DNC network.

    ...

    Next, the indictment notes that some of the bitcoins used by the hackers were generated by GRU-run mining operations, while other bitcoins were purchased on exchanges that obscure the origin of the bitcoin (bitcoin ‘laundering’ exchanges). And a newly minted bitcoin from the pool of GRU-mined bitcoins was apparently used to purchase the dcleaks.com domain! While purchasing bitcoins on a bitcoin laundering exchange makes a lot of sense, the use of bitcoins that were directly mined by a GRU mining operation seems like a potentially big risk for the GRU. Why take that kind of risk unless you don’t care about getting caught? Why not at least run the bitcoins generated by the GRU mining operations through a laundering operation first? It’s one more example of the GRU allegedly playing dumb:

    ...
    62. The Conspirators funded the purchase of computer infrastructure for their hacking activity
    in part by “mining” bitcoin. Individuals and entities can mine bitcoin by allowing their computing
    power to be used to verify and record payments on the bitcoin public ledger, a service for which
    they are rewarded with freshly-minted bitcoin. The pool of bitcoin generated from the GRU’s
    mining activity was used, for example, to pay a Romanian company to register the domain
    dcleaks.com through a payment processing company located in the United States.

    63. In addition to mining bitcoin, the Conspirators acquired bitcoin through a variety of means
    designed to obscure the origin of the funds. This included purchasing bitcoin through peer-to-peer
    exchanges, moving funds through other digital currencies, and using pre-paid cards. They also
    enlisted the assistance of one or more third-party exchangers who facilitated layered transactions
    through digital currency exchange platforms providing heightened anonymity.

    64. The Conspirators used the same funding structure, and in some cases the very same pool
    of funds, to purchase key accounts, servers, and domains used in their election-related hacking
    activity.

    a. The bitcoin mining operation that funded the registration payment for dcleaks.com
    also sent newly-minted bitcoin to a bitcoin address controlled by “Daniel Farell,”
    the persona that was used to renew the domain linuxkrnl.net. The bitcoin mining
    operation also funded, through the same bitcoin address, the purchase of servers
    and domains used in the spearphishing operations, including accounts-qooqle.com
    and account-gooogle.com.

    b. On or about March 14, 2016, using funds in a bitcoin address, the Conspirators
    purchased a VPN account, which they later used to log into the @Guccifer_2
    Twitter account. The remaining funds from that bitcoin address were then used on
    or about April 28, 2016, to lease a Malaysian server that hosted the dcleaks.com
    website.

    c. The Conspirators used a different set of fictitious names (including “Ward
    DeClaur” and “Mike Long”) to send bitcoin to a company in order to lease a
    server used to administer X-Tunnel malware implanted on the DCCC and DNC
    networks, and to lease two servers used to hack the cloud network.
    ...

    Next, the indictment lays out the charges regarding alleged attempts to hack into US election systems as well as a vendor of US election software. It specifically blames two GRU officers from Unit 74455 for these state election system intrusion attempts. It states that in July of 2016, the GRU hacked into a particular state board of elections system and stole information on 500,000 voters. This is a reference to the Illinois state board of elections. The indictment then mentions that the FBI issued an alert in August of 2016 over the hacking of the Illinois state board of elections, and in response to that alert one of the GRU agents “deleted his search history” and the agents “deleted records from accounts used in their operations targeting state boards of elections.” But the indictment goes on to say they continued trying to hack state election systems through October and even early November. It’s another example of evidence that would indicate a surprising level of detail about the actions of specific GRU agents, because knowing about the deletion of search history implies access to the server used. It’s also an example of the hackers allegedly being concerned about getting caught while demonstrating a brazen lack of concern, which is the theme of this entire story:

    ...
    page 25

    COUNT ELEVEN
    (Con­spir­a­cy to Com­mit an Offense Against the Unit­ed States)

    66. Para­graphs 1 through 8 of this Indict­ment are re-alleged and incor­po­rat­ed by ref­er­ence as
    if ful­ly set forth here­in.

    Defen­dants

    67. Para­graph 18 of this Indict­ment relat­ing to ALEKSANDR VLADIMIROVICH
    OSADCHUK is re-alleged and incor­po­rat­ed by ref­er­ence as if ful­ly set forth here­in.

    68. Defen­dant ANATOLIY SERGEYEVICH KOVALEV (Koaanea AHa­Ton­nii CepreeBnLr)
    was an offi­cer in the Russ­ian mil­i­tary assigned to Unit 74455 who worked in the GRU’s 22 Kiro­va
    Street build­ing (the Tow­er).

    69. Defen­dants OSADCHUK and KOVALEV were GRU offi­cers who know­ing­ly and
    inten­tion­al­ly con­spired with each oth­er and with per­sons, known and unknown to the Grand Jury,
    to hack into the com­put­ers of US. per­sons and enti­ties respon­si­ble for the admin­is­tra­tion of 2016
    US. elec­tions, such as state boards of elec­tions, sec­re­taries of state, and US. com­pa­nies that
    sup­plied soft­ware and oth­er tech­nol­o­gy relat­ed to the admin­is­tra­tion of US. elec­tions.

    Object of the Con­spir­a­cy

    70. The object of the con­spir­a­cy was to hack into pro­tect­ed com­put­ers of per­sons and enti­ties
    charged with the admin­is­tra­tion of the 2016 US. elec­tions in order to access these com­put­ers and
    steal vot­er data and oth­er infor­ma­tion stored on these com­put­ers.

    Man­ner and Means of the Con­spir­a­cy

    71. In or around June 2016, KOVALEV and his co-con­spir­a­tors researched domains used by
    US. state boards of elec­tions, sec­re­taries of state, and oth­er elec­tion-relat­ed enti­ties for web­site
    vul­ner­a­bil­i­ties. KOVALEV and his co-con­spir­a­tors also searched for state polit­i­cal par­ty email
    address­es, includ­ing fil­tered queries for email address­es list­ed on state Repub­li­can Par­ty web­sites.

    page 26

    72. In or around July 2016, KOVALEV and his co-con­spir­a­tors hacked the web­site of a state
    board of elec­tions (“SBOE 1”) and stole infor­ma­tion relat­ed to approx­i­mate­ly 500,000 vot­ers,
    includ­ing names, address­es, par­tial social secu­ri­ty num­bers, dates of birth, and dri­ver’s license
    num­bers
    .

    73. In or around August 2016, KOVALEV and his co-con­spir­a­tors hacked into the com­put­ers
    of a U.S. ven­dor (“Ven­dor 1”) that sup­plied soft­ware used to ver­i­fy vot­er reg­is­tra­tion infor­ma­tion
    for the 2016 U.S. elec­tions
    . KOVALEV and his co-con­spir­a­tors used some of the same
    infra­struc­ture to hack into Ven­dor 1 that they had used to hack into SBOE 1.

    74. In or around August 2016, the Fed­er­al Bureau of Inves­ti­ga­tion issued an alert about the
    hack­ing of SBOE 1 and iden­ti­fied some of the infra­struc­ture that was used to con­duct the hack­ing.
    In response, KOVALEV delet­ed his search his­to­ry. KOVALEV and his co-con­spir­a­tors also
    delet­ed records from accounts used in their oper­a­tions tar­get­ing state boards of elec­tions and
    sim­i­lar elec­tion-relat­ed enti­ties
    .

    75. In or around Octo­ber 2016, KOVALEV and his co-con­spir­a­tors fur­ther tar­get­ed state and
    coun­ty offices respon­si­ble for admin­is­ter­ing the 2016 U.S. elec­tions
    . For exam­ple, on or about
    Octo­ber 28, 2016, KOVALEV and his co-con­spir­a­tors vis­it­ed the web­sites of cer­tain coun­ties in
    I Geor­gia, Iowa, and Flori­da to iden­ti­fy vul­ner­a­bil­i­ties.

    76. In or around Novem­ber 2016 and pri­or to the 2016 U.S. pres­i­den­tial elec­tion, KOVALEV
    and his co-con­spir­a­tors used an email account designed to look like a Ven­dor 1 email address to
    send over 100 spearphish­ing emails to orga­ni­za­tions and per­son­nel involved in admin­is­ter­ing
    elec­tions in numer­ous Flori­da coun­ties
    . The spearphish­ing emails con­tained mal­ware that the
    Con­spir­a­tors embed­ded into Word doc­u­ments bear­ing Ven­dor 1’s logo.
    ...
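Paragraph 76 of the indictment above describes spearphishing sent from an address designed to look like Vendor 1’s. The following is an added example, not part of the indictment and not any vendor’s or security firm’s code, of the defender-side check that catches that pattern: compare each inbound sender’s domain against the trusted vendor domains an organization actually deals with and flag near-matches. `TRUSTED_DOMAINS` and every address in it are constructed placeholders; the indictment does not name Vendor 1’s domain.

```python
"""Flag inbound sender domains that closely resemble trusted vendor domains.

Added example. TRUSTED_DOMAINS and every address used here are constructed
placeholders; the indictment does not name "Vendor 1" or its domain.
"""

# Constructed: the domains of vendors this organisation actually deals with.
TRUSTED_DOMAINS = {"vendor-one.example", "county-elections.example"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def registrable_domain(domain: str) -> str:
    """Naive registrable domain: the last two labels.

    Real deployments should consult the Public Suffix List; two labels is
    enough for the constructed domains in this example.
    """
    return ".".join(domain.split(".")[-2:])


def classify_sender(address: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Classify a sender as 'trusted', 'lookalike' or 'unrelated'.

    trusted:   the registrable domain is exactly a trusted domain, so
               mail.vendor-one.example is trusted.
    lookalike: the registrable domain is within max_distance edits of a
               trusted domain (vendor-0ne.example), or a trusted domain is
               used as the leading labels of some other registrable domain
               (vendor-one.example.attacker-owned.test).
    unrelated: everything else.
    """
    domain = sender_domain(address)
    reg = registrable_domain(domain)
    if reg in trusted:
        return "trusted"
    for t in trusted:
        if domain.startswith(t + "."):
            return "lookalike"   # trusted name buried as a subdomain
        if edit_distance(reg, t) <= max_distance:
            return "lookalike"   # typo-squat / digit-for-letter near match
    return "unrelated"


def triage(addresses):
    """Return {address: verdict} for a batch of sender addresses."""
    return {a: classify_sender(a) for a in addresses}


if __name__ == "__main__":
    # Constructed senders exercising each verdict.
    for addr, verdict in triage([
        "billing@vendor-one.example",
        "support@vendor-0ne.example",
        "it@vendor-one.example.login-portal.test",
        "news@example.org",
    ]).items():
        print(f"{verdict:10} {addr}")
```

A distance threshold of 2 over-flags very short domains, so in practice the check is paired with the Public Suffix List, with DMARC/SPF results on the trusted domain itself (a lookalike domain passes its own DMARC, which is why the domain comparison is needed at all), and with a policy of quarantining attachments from lookalike senders rather than only warning the recipient.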

    So that’s a review of the actual contents of the indictment. As we can see, there’s quite an abundance of detail about how the hackers carried out the actual hacks and set up and managed the infrastructure used to carry out the hacks and distribute the documents. The indictment also includes an abundance of detailed allegations about specific GRU agents carrying out specific roles in the operation and carrying out specific acts on specific dates. And yet of all the allegations, only one allegation — about someone logging in and out of a Moscow-based server managed by the GRU to search for phrases that showed up in Guccifer’s first message — suggested there was evidence that conclusively determines that a known GRU server was used in this operation. And as we saw, it’s unclear how that evidence was obtained without that server itself being hacked.

    So with a single seemingly conclusive piece of evidence, how should we interpret the rest of this indictment? Well, it’s important to note that there was one other reported instance of evidence that was directly linked back to the GRU. Interestingly, while this story purports to give strong evidence of the GRU actually being behind the hacks, the article notes how, without this one piece of evidence, the investigators were having a very difficult time actually tracking the technical evidence back to the GRU. The evidence would lead to servers in France owned by Elite VPN (a Moscow-based VPN service), but the trail would go cold from there (which is why VPNs are useful for hackers).

    According to the report, there was one instance when a GRU officer forgot to connect through this VPN service while logging into one of the social media accounts used by Guccifer 2.0. This resulted in the logs of this social media company having a login from Moscow. And the IP address of that login led directly back to a computer used by a GRU officer at the agency’s headquarters on Grizodubovoy Street in Moscow.

    Yep, we are told that the GRU is so casual about its high-stakes hacking operation that its officers literally sit at the agency’s headquarters in Moscow and hack away! The only thing obscuring their identities is the use of a VPN service. If true, it would be one more example of the stunningly casual security measures apparently used by the GRU. But if it’s not true, and this story is puffery, it would indicate that investigators actually lack any technical evidence leading back to the GRU, since this was apparently the one critical slip-up that allowed investigators to conclusively link it back to the GRU.

    Of course, this story is from March of 2018, so it’s possible investigators collected some new information over the last few months. Like, for instance, the information about login times and searches made on the Moscow-based server that the Mueller team included in the indictment. But when we’re trying to make sense of how to interpret the numerous highly specific, yet vaguely sourced, allegations in the indictment, the fact that there was allegedly only one key piece of evidence investigators had linking the hacks back to the GRU as of March of this year seems important to keep in mind. Did investigators have another set of breakthroughs in recent months?

    The article includes another allegation that’s worth keeping in mind regarding the evidence in the indictment about the Moscow-based server and the Guccifer 2.0 search terms: the GRU agent who was initially in charge of the Guccifer 2.0 persona was replaced at some point by a more experienced GRU officer. It’s not known exactly when this replacement occurred, but it’s assumed to have happened based on noticeable improvements in Guccifer 2.0’s English over time. Given that the Guccifer 2.0 persona described itself as a lone Romanian hacker, it’s kind of remarkable that they wouldn’t maintain the same style of English even after handing the persona to a different GRU officer. Again, wow, that is some sloppy tradecraft:

    The Daily Beast

    EXCLUSIVE: ‘Lone DNC Hacker’ Guccifer 2.0 Slipped Up and Revealed He Was a Russian Intelligence Officer
    Robert Mueller’s team has taken over the investigation of Guccifer 2.0, who communicated with (and was defended by) longtime Trump adviser Roger Stone.
    Kevin Poulsen
    Spencer Ackerman
    03.22.18 7:00 PM ET

    Update, 7/13/2018: Special counsel Robert Mueller’s office identified Guccifer 2.0 as a Russian intelligence officer and indicted him along with 11 other officers for crimes related to the alleged hacking of Democrats in 2016.

    Guccifer 2.0, the “lone hacker” who took credit for providing WikiLeaks with stolen emails from the Democratic National Committee, was in fact an officer of Russia’s military intelligence directorate (GRU), The Daily Beast has learned. It’s an attribution that resulted from a fleeting but critical slip-up in GRU tradecraft.

    That forensic determination has substantial implications for the criminal probe into potential collusion between President Donald Trump and Russia. The Daily Beast has learned that the special counsel in that investigation, Robert Mueller, has taken over the probe into Guccifer and brought the FBI agents who worked to track the persona onto his team.

    While it’s unclear what Mueller plans to do with Guccifer, his last round of indictments charged 13 Russians tied to the Internet Research Agency troll farm with a conspiracy “for the purpose of interfering with the U.S. political and electoral processes, including the presidential election of 2016.” It was Mueller’s first move establishing Russian interference in the election within a criminal context, but it stopped short of directly implicating the Putin regime.

    Mueller’s office declined to comment for this story. But the attribution of Guccifer 2.0 as an officer of Russia’s largest foreign intelligence agency would cross the Kremlin threshold—and move the investigation closer to Trump himself.

    Trump’s longtime political adviser Roger Stone admitted being in touch with Guccifer over Twitter’s direct messaging service. And in August 2016, Stone published an article on the pro-Trump-friendly Breitbart News calling on his political opponents to “Stop Blaming Russia” for the hack. “I have some news for Hillary and Democrats—I think I’ve got the real culprit,” he wrote. “It doesn’t seem to be the Russians that hacked the DNC, but instead a hacker who goes by the name of Guccifer 2.0.”

    Five months later, in January 2017, the CIA, NSA, and FBI assessed “with high confidence” that “Russian military intelligence (General Staff Main Intelligence Directorate or GRU) used the Guccifer 2.0 persona and DCLeaks.com to release US victim data.” But the assessment did not directly call Guccifer a Russian intelligence officer. Nor did it provide any evidence for its assertions.

    It turns out there is a powerful reason to connect Guccifer to the GRU.

    ——

    Guccifer 2.0 sprang into existence on June 15, 2016, hours after a report by a computer security firm forensically tied Russia to an intrusion at the Democratic National Committee. In a series of blog posts and tweets over the following seven months—conspicuously ending right as Trump took office and not resuming—the Guccifer persona published a smattering of the DNC documents while gamely projecting an image as an independent Romanian hacktivist who’d breached the DNC on a lark. As Stone’s Breitbart piece demonstrated, Guccifer provided Moscow with a counter-narrative for the election interference.

    Guccifer famously pretended to be a “lone hacker” who perpetrated the digital DNC break-in. From the outset, few believed it. Motherboard conducted a devastating interview with Guccifer that exploded the account’s claims of being a native Romanian speaker. Based on forensic clues in some of Guccifer’s leaks, and other evidence, a consensus quickly formed among security experts that Guccifer was completely notional.

    “Almost immediately various cyber security companies and individuals were skeptical of Guccifer 2.0 and the backstory that he had generated for himself,” said Kyle Ehmke, an intelligence researcher at the cyber security firm ThreatConnect. “We started seeing these inconsistencies that led back to the idea that he was created hastily… by the individual or individuals that affected the DNC compromise.”

    Proving that link definitively was harder. Ehmke worked on an investigation at ThreatConnect that tried to track down Guccifer from the metadata in his emails. But the trail always ended at the same data center in France. Ehmke eventually uncovered that Guccifer was connecting through an anonymizing service called Elite VPN, a virtual private networking service that had an exit point in France but was headquartered in Russia.

    But on one occasion, The Daily Beast has learned, Guccifer failed to activate the VPN client before logging on. As a result, he left a real, Moscow-based Internet Protocol address in the server logs of an American social media company, according to a source familiar with the government’s Guccifer investigation. Twitter and WordPress were Guccifer 2.0’s favored outlets. Neither company would comment for this story, and Guccifer did not respond to a direct message on Twitter.

    Working off the IP address, U.S. investigators identified Guccifer 2.0 as a particular GRU officer working out of the agency’s headquarters on Grizodubovoy Street in Moscow. (The Daily Beast’s sources did not disclose which particular officer worked as Guccifer.)

    Security firms and declassified U.S. intelligence findings previously identified the GRU as the agency running “Fancy Bear,” the ten-year-old hacking organization behind the DNC email theft, as well as breaches at NATO, Obama’s White House, a French television station, the World Anti-Doping Agency, and countless NGOs, and militaries and civilian agencies in Europe, Central Asia, and the Caucasus.

    Timestamps in Guccifer 2.0’s first leaks show they were packaged for release over the course of a single day in June 2016, beginning just hours after the DNC intrusion and its attribution to Russia were made public. The moniker was an homage to Romanian hacker Marcel Lazar Lehel, who as “Guccifer” achieved notoriety in 2013 for a string of hacks against celebrities and politicians.

    In his inaugural blog post, Guccifer 2.0 disputed Russia’s involvement and claimed credit personally for the DNC breach, positioning himself as a one-time hacking operation working to expose “the Illuminati.” The post included the world’s first glimpse of the enormous cache of documents siphoned from the DNC’s network, including the Democrats’ opposition research report on Trump. Presaging the leaks that would roil the election, Guccifer 2.0 declared that he’d already sent the bulk of the stolen material to WikiLeaks—which has spent the time since obfuscating whether Guccifer was its source.

    On July 22, 2016, WikiLeaks began releasing its cache of approximately 19,000 emails and 8,000 attachments stolen in the hack. While Trump promoted the leak on Twitter and in rallies, his surrogate Roger Stone pushed back against the Kremlin attribution. In his August 2016 article for Breitbart, he argued that Guccifer 2.0 was the Romanian hacktivist he claimed to be. “Guccifer 2.0 is the real deal,” he wrote.

    Last May, Stone admitted that he’d also exchanged direct messages with the Guccifer 2.0 persona, and he released what he claimed was a complete transcript of his communications with the account. The transcript is brief and banal, showing Stone congratulating Guccifer 2.0 on returning to Twitter after a brief suspension, and then mostly ignoring him. Then and since, Stone has consistently denied that Guccifer was connected to the Kremlin.

    “I myself had no contacts or communications with the Russian State, Russian Intelligence or anyone fronting for them or acting as intermediaries for them,” he wrote.

    Guccifer 2.0 maintained a sporadic online presence throughout the election, posting to his dedicated WordPress blog and on Twitter, and spilling more DNC documents, sometimes in private emails to journalists.

    While the national election clearly interested him (“Democrats prepare new provocation against Trump,” he thundered in October 2016), Guccifer 2.0 reached down the ballot as well, posting documents from the Democrats’ national campaign committee on his WordPress blog. There, readers could find internal Democratic candidate assessments relevant to battleground states like Pennsylvania and Florida; internal assessments of key congressional districts, with granular analyses of their demographics; and campaign recruitment material.

    The GRU officer was eager to share this trove, as well. A GOP political operative in Florida, Aaron Nevins, DM’d Guccifer 2.0 a request for “any Florida based information” and received 2.5 gigabytes’ worth, according to The Wall Street Journal. The data, he enthused to Guccifer 2.0, was “probably worth millions of dollars.” A consultant for a successful Florida Republican congressional candidate told the paper, “I did adjust some voting targets based on some data I saw from the leaks.”

    ———-

    Sometime after its hasty launch, the Guccifer persona was handed off to a more experienced GRU officer, according to a source familiar with the matter. The timing of that handoff is unclear, but Guccifer 2.0’s last blog post, from Jan. 12, 2017, evinced a far greater command of English than the persona’s earlier efforts.

    “It’s obvious that the intelligence agencies are deliberately falsifying evidence,” the post read. “In my opinion, they’re playing into the hands of the Democrats who are trying to blame foreign actors for their failure.”

    (Contrast that with the language from a June 2016 post: “I made some conclusions from the Marcel’s story and decided not to put all eggs in one basket. Moreover, other cases weren’t so successful and didn’t bring me the glory.”)

    ...

    ———–

    “EXCLUSIVE: ‘Lone DNC Hacker’ Guccifer 2.0 Slipped Up and Revealed He Was a Russian Intelligence Officer” Kevin Poulsen; Spencer Ackerman; The Daily Beast; 03/22/2018

    “Guccifer 2.0, the “lone hacker” who took credit for providing WikiLeaks with stolen emails from the Democratic National Committee, was in fact an officer of Russia’s military intelligence directorate (GRU), The Daily Beast has learned. It’s an attribution that resulted from a fleeting but critical slip-up in GRU tradecraft.

    Yep, the conclusive attribution linking the hack back to the GRU was based on this one slip-up in GRU tradecraft. Which, at this point, is less of a slip-up and more like the actual tradecraft given the rate of these slip-ups. But this was a particularly big slip-up if real. Logging directly into Guccifer 2.0’s social media account from your computer at the GRU headquarters in Moscow seems like a big no-no. And that’s why this slip-up had such big implications for the investigation: without the slip-up, there apparently wasn’t actually any technical evidence linking this back to the GRU. At least, as of March of this year:

    ...
    That forensic determination has substantial implications for the criminal probe into potential collusion between President Donald Trump and Russia. The Daily Beast has learned that the special counsel in that investigation, Robert Mueller, has taken over the probe into Guccifer and brought the FBI agents who worked to track the persona onto his team.

    ...

    Trump’s longtime political adviser Roger Stone admitted being in touch with Guccifer over Twitter’s direct messaging service. And in August 2016, Stone published an article on the pro-Trump-friendly Breitbart News calling on his political opponents to “Stop Blaming Russia” for the hack. “I have some news for Hillary and Democrats—I think I’ve got the real culprit,” he wrote. “It doesn’t seem to be the Russians that hacked the DNC, but instead a hacker who goes by the name of Guccifer 2.0.”

    Five months later, in January 2017, the CIA, NSA, and FBI assessed “with high confidence” that “Russian military intelligence (General Staff Main Intelligence Directorate or GRU) used the Guccifer 2.0 persona and DCLeaks.com to release US victim data.” But the assessment did not directly call Guccifer a Russian intelligence officer. Nor did it provide any evidence for its assertions.

    It turns out there is a powerful reason to connect Guccifer to the GRU.
    ...

    The article then notes how Guccifer 2.0’s claims of being a lone Romanian hacker were quickly exploded when Vice Motherboard issued a report about how Guccifer didn’t actually talk like a native Romanian speaker. Which, again, is a reminder of what a joke this operation was. We don’t know the exact nature of that joke and whether or not it was an intentional joke. But it was definitely a joke:

    ...
    Guccifer 2.0 sprang into existence on June 15, 2016, hours after a report by a computer security firm forensically tied Russia to an intrusion at the Democratic National Committee. In a series of blog posts and tweets over the following seven months—conspicuously ending right as Trump took office and not resuming—the Guccifer persona published a smattering of the DNC documents while gamely projecting an image as an independent Romanian hacktivist who’d breached the DNC on a lark. As Stone’s Breitbart piece demonstrated, Guccifer provided Moscow with a counter-narrative for the election interference.

    Guccifer famously pretended to be a “lone hacker” who perpetrated the digital DNC break-in. From the outset, few believed it. Motherboard conducted a devastating interview with Guccifer that exploded the account’s claims of being a native Romanian speaker. Based on forensic clues in some of Guccifer’s leaks, and other evidence, a consensus quickly formed among security experts that Guccifer was completely notional.

    “Almost immediately various cyber security companies and individuals were skeptical of Guccifer 2.0 and the backstory that he had generated for himself,” said Kyle Ehmke, an intelligence researcher at the cyber security firm ThreatConnect. “We started seeing these inconsistencies that led back to the idea that he was created hastily… by the individual or individuals that affected the DNC compromise.”
    ...

    And while virtually no one assumed Guccifer 2.0 was a lone Romanian hacker, the technical evidence just kept leading back to the Elite VPN server in France. Except once, when a GRU officer working out of the GRU headquarters in Moscow forgot to use the VPN service and directly logged into one of Guccifer 2.0’s social media accounts. This led directly back to a computer at the GRU’s headquarters:

    ...
    Proving that link definitively was harder. Ehmke worked on an investigation at ThreatConnect that tried to track down Guccifer from the metadata in his emails. But the trail always ended at the same data center in France. Ehmke eventually uncovered that Guccifer was connecting through an anonymizing service called Elite VPN, a virtual private networking service that had an exit point in France but was headquartered in Russia.

    But on one occasion, The Daily Beast has learned, Guccifer failed to activate the VPN client before logging on. As a result, he left a real, Moscow-based Internet Protocol address in the server logs of an American social media company, according to a source familiar with the government’s Guccifer investigation. Twitter and WordPress were Guccifer 2.0’s favored outlets. Neither company would comment for this story, and Guccifer did not respond to a direct message on Twitter.

    Working off the IP address, U.S. investigators identified Guccifer 2.0 as a particular GRU officer working out of the agency’s headquarters on Grizodubovoy Street in Moscow. (The Daily Beast’s sources did not disclose which particular officer worked as Guccifer.)
    ...

    So that’s one hell of a fun fact: the GRU was running this hacking operation out of its Moscow headquarters. Literally. They didn’t, like, go to an internet cafe or something.
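The forgot-to-VPN slip described in the article, and in the commentary earlier in this post, is visible to the platform long before any investigator asks for logs: an account that always authenticates from one anonymising service’s exit range suddenly authenticates from somewhere else. The block below is an added example of how a platform’s abuse or fraud team would surface that kind of login (it is not the article’s, the investigators’ or any company’s tooling). The log format, the account names and every IP address are constructed; `198.51.100.0/24` stands in for the VPN exit range and `203.0.113.77` for the one login that bypassed it, and the real addresses in the story were never published.

```python
"""Flag successful logins from outside an account's established network baseline.

Added example (not from the Daily Beast article, the indictment or any
investigator's tooling). The log format, the account names and every IP
address below are constructed; the real addresses were never published.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime

# Constructed auth log, one login attempt per line:
#   <ISO-8601 UTC timestamp> <account> <source IP> <success|failure>
# 198.51.100.0/24 plays the role of the anonymising service's exit range;
# 203.0.113.77 is the one login that bypassed it.
SAMPLE_AUTH_LOG = """\
2016-06-15T13:02:11Z persona_acct 198.51.100.17 success
2016-06-20T09:44:03Z persona_acct 198.51.100.23 success
2016-06-28T22:10:45Z persona_acct 198.51.100.9 failure
2016-07-01T18:30:59Z persona_acct 203.0.113.77 success
2016-07-02T10:15:40Z persona_acct 198.51.100.17 success
2016-07-02T10:16:02Z other_user 192.0.2.5 success
"""


@dataclass(frozen=True)
class Login:
    ts: datetime
    account: str
    ip: ipaddress.IPv4Address | ipaddress.IPv6Address
    result: str


def parse_ts(text: str) -> datetime:
    """Parse the constructed log's UTC timestamp format."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_auth_log(text: str) -> list[Login]:
    """Parse the constructed log format into Login records, skipping blank lines."""
    logins = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, result = line.split()
        logins.append(Login(parse_ts(ts), account, ipaddress.ip_address(ip), result))
    return logins


def network_of(ip, v4_prefix: int = 24, v6_prefix: int = 64):
    """Coarsen an address to the prefix at which the baseline is learned."""
    prefix = v4_prefix if ip.version == 4 else v6_prefix
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def learn_baseline(logins, account: str, before: datetime) -> set:
    """Networks from which `account` logged in successfully before `before`.

    A platform would learn this from the account's own history; here the
    history is the constructed log above. Failed attempts are ignored so
    that password-guessing noise does not widen the baseline.
    """
    return {network_of(l.ip) for l in logins
            if l.account == account and l.result == "success" and l.ts < before}


def find_outliers(logins, account: str, baseline: set) -> list[Login]:
    """Successful logins for `account` from outside every baseline network."""
    return [l for l in logins
            if l.account == account and l.result == "success"
            and not any(l.ip in net for net in baseline)]


if __name__ == "__main__":
    logins = parse_auth_log(SAMPLE_AUTH_LOG)
    baseline = learn_baseline(logins, "persona_acct", parse_ts("2016-07-01T00:00:00Z"))
    for login in find_outliers(logins, "persona_acct", baseline):
        print(f"{login.ts:%Y-%m-%d %H:%M:%S}  {login.account}  {login.ip}"
              f"  outside baseline {sorted(map(str, baseline))}")
```

The alert fires on the first successful login outside the learned networks; the baseline cut-off is passed explicitly so that the anomalous login cannot teach itself into the baseline. Everything the story describes after that point (pivoting from the single bare address to a specific building) is an investigator's job, not the platform's; the platform's contribution is that the record exists and was kept.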

    Finally, we learn that Guccifer 2.0’s initial persona was eventually handed off to a more experienced officer, as evidenced by the change in Guccifer 2.0’s English skills:

    ...
    Sometime after its hasty launch, the Guccifer persona was handed off to a more experienced GRU officer, according to a source familiar with the matter. The timing of that handoff is unclear, but Guccifer 2.0’s last blog post, from Jan. 12, 2017, evinced a far greater command of English than the persona’s earlier efforts.

    “It’s obvious that the intelligence agencies are deliberately falsifying evidence,” the post read. “In my opinion, they’re playing into the hands of the Democrats who are trying to blame foreign actors for their failure.”

    (Contrast that with the language from a June 2016 post: “I made some conclusions from the Marcel’s story and decided not to put all eggs in one basket. Moreover, other cases weren’t so successful and didn’t bring me the glory.”)
    ...

    Again, while the non-fluent use of Romanian in the initial Guccifer 2.0 posts was certainly amateurish, the more experienced GRU officer who allegedly took over apparently made the highly amateurish move of changing Guccifer 2.0’s use of English.

    And that was the Daily Beast report from back in March about the other piece of evidence possessed by the investigators that purportedly linked straight back to the GRU. And it’s a remarkable piece of evidence given what it allegedly shows about GRU tradecraft, which is that the GRU is so lazy they’re running their high-profile hacking operations out of their headquarters.

    It’s also noteworthy that this piece of evidence wasn’t cited in the indictment. It seems like it would be a lynchpin for the case.

    So, at this point, we can summarize the technical evidence made public so far as “tenuously conclusive.” It generally sounds conclusive given the way the indictments confidently state who did what when in the execution of the hacking campaign and broader trolling effort. But we generally have no idea if the allegations are speculative or authoritative in nature. And when it’s unclear if the allegations are speculative or authoritative in nature, it’s tenuously conclusive at best. With the notable exceptions of the Moscow-based server allegation and this forgot-to-VPN allegation from back in March.

    And the evidence is perhaps understandably vague if it comes from highly classified sources, like the hacking of a GRU server. But that just highlights how the nature of this investigation creates a “trust us” situation, because a lot of the most conclusive evidence for cyber investigations is probably going to be highly classified in nature. Like evidence gathered from hacked GRU servers. It’s pretty understandable if there’s a strong resistance to revealing something like that and saying “trust us” instead. But the more the evidence relies on a “trust us” dynamic, the more tenuous it inherently becomes. There’s no avoiding it.

    But if we accept the “trust us” evidence in the indictment, it is conclusive. The GRU did it. The Moscow-based server allegation in the indictment alone is conclusive if real. And the forgot-to-VPN Guccifer login allegation in the above Daily Beast article is conclusive too if true. Either one basically nails the case.

    And if the technical lynchpins come down to “trust us” evidence, it’s going to be a reminder of why the entire history of past intelligence community abuses and lying to the public — the entire history of it — is extra unhelpful in the age of cyberwarfare. Because “trust us” situations are always going to come up, and all those past abuses will inevitably be factored into the public’s decision to trust the “trust us”-based evidence. We need highly credible intelligence agencies and you can’t change the past.

    But while these two key pieces of critical technical evidence might be conclusive if accepted, there’s no getting around the fact that the bulk of the circumstantial evidence pointing towards GRU involvement all along has involved amazing mistakes and slip-ups and general incompetence. The screw-ups were there from the beginning. So did the GRU want to get caught or what? That seems like a really relevant question in this case.

    Let’s also not forget that there was apparently a highly placed Kremlin informant who says Putin ordered the whole thing. That’s the other key piece of evidence that would appear to conclusively establish culpability. It’s sort of a ‘trust us and trust the informant’ piece of evidence.

    So we’re at the point in the #TrumpRussia investigation where we know a lot of details about the nature of the conclusive evidence that we are told exists but have yet to see the actual evidence. It’s a significant advancement of Mueller’s case in terms of the specifics of the claims, but the evidence is all ‘yet-to-be-revealed’. And given that the accused GRU officers are unlikely to ever face trial, it’s unclear that the claimed evidence will ever be revealed. Although they really just need to conclusively prove that the Moscow-based server or forgot-to-VPN allegations are true in order to make the case.

    That’s all part of what makes Mueller’s latest indictment so intriguing. It claims to be conclusive, but it’s issued against people who will almost certainly not face the indictment in court, so it’s unclear if the evidence behind these allegations is ever going to be fleshed out. And it will be exceptionally unfortunate if it isn’t fleshed out, because these were the most important indictments the Mueller team has made thus far in terms of understanding how the hack took place and who carried it out. If they can prove these allegations, they’ve proved the case. But if they can’t prove these allegations, the core assertion of the US government that the GRU was behind the hacks will forever remain in the ‘trust us’ category and, at this point, we have no compelling reason to believe that conclusive evidence is going to be revealed. It’s almost a worst-case scenario for the case to end in a situation where the US government is essentially arguing, ‘we have the evidence, and it’s conclusive, but we can’t actually show it so you just have to trust that we have it’.

    Although the worst worst-case scenario is if the indictment is true. Because if there is conclusive evidence the GRU did the hacking, we have to face the awful possibility that Putin basically went mad and decided to unleash an international hacking spree using hackers who leave all sorts of “I’m a Russian hacker” amateurish clues. That’s really bad. It’s one of the reasons the “I’m a Russian hacker” amateurish nature of the hacks was always such a big red flag about this hacking. If it’s true, that’s really bad and we really are in peril. Because that’s the kind of cyber-showdown dynamic that potentially any third party can exacerbate with false-flag operations. And those false-flag operations will be exceptionally easy to pull off thanks to the inexplicably amateurish track record of Russia’s hackers in recent years. Just today, we got the latest report from the US about Russian hackers infiltrating the control systems of US utilities. And given the apparently amateurish ‘brand’ that Russia’s hackers have adopted, all sorts of other actors can now easily impersonate ‘Russian hackers’ while pulling off those kinds of devastating hacks. Hacks that would guarantee a major response. And when that’s the dynamic, it’s a situation that’s out of Putin’s control and out of anyone else’s, which is why this was such an insane move if Putin actually ordered this. The metaphorical ‘400 pound guy from New Jersey’ in his basement really could spark a major conflict someday.

    But the peril that comes from potential cyber false-flags designed to spark a conflict between the two main nuclear powers is also why the purportedly conclusive nature of the evidence in this indictment is potentially good news and also an important precedent. Because, while Russia’s government has been blamed for the hacks all along almost exclusively based on circumstantial evidence/pattern recognition (and, we later learn, the claims of the Kremlin mole), it’s inherently dangerous if the technical evidence in the indictment was also just based on circumstantial evidence and pattern recognition. If it’s good enough for CrowdStrike, that doesn’t mean it’s good enough for a government, especially when the consequences are an escalation of a cyberwar and false-flag setups.

    But, again, the value of basing the indictment on at least one instance of specific evidence tied to the GRU is also why it will be very damaging to the Mueller case if the evidence conclusively tying this hack back to the GRU is never revealed and is left in the ‘trust us’ category forever. And yet we have to face the reality that evidence of that nature — the searches on a GRU server in Moscow — might be from a source that’s so sensitive that it can’t be revealed.

    More generally, this is going to keep happening in real cases for governments everywhere, because governments are definitely going to be forced into ‘trust us’ situations over evidence in the cyber arena. Over and over. It’s unavoidable. Especially when the evidence was gathered from a hacker server run by the suspected rival intelligence agency. That’s the kind of evidence that potentially compromises the source by merely mentioning it exists. So even if the Mueller team ends up revealing conclusive evidence tying this back to the GRU and it’s not all left in the ‘trust us’ realm, there’s still the inherent problem that ‘trust us’ situations are going to come up in the future. Over and over.

    Plus, even if the Mueller team does eventually reveal the conclusive evidence — like a GRU server searching for phrases that showed up in Guccifer 2.0’s posts — there’s still going to be a ‘trust us’ dynamic given the inherently spoofable nature of cyber evidence. That just comes with the territory. The US government can release search logs and the Russian government can say they were faked. And that’s the case for almost all cyber evidence. It’s digital. It can be faked. Trusting the investigators and sources of evidence is inherently far more important in solving these kinds of cybercrimes than in other crimes. And there are going to be a lot more cybercrimes with geopolitical consequences in the future. That’s more or less guaranteed.
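The one technical answer practitioners have to the “it’s digital, it can be faked” problem in the paragraph above is to seal log records into a keyed hash chain at the moment they are collected, so that any later alteration, deletion or reordering of the set is detectable. The block below is an added example of that technique; it is not the investigators’ method, the indictment’s, or any vendor’s. The records are constructed (the entry with a placeholder search term merely stands in for the kind of server-search record the indictment describes), and `CUSTODIAN_KEY` is a placeholder for a key that in practice would live in an HSM.

```python
"""Seal log records into an HMAC hash chain and detect later tampering.

Added example; not from the indictment, the Daily Beast or any investigator's
tooling. SAMPLE_RECORDS and CUSTODIAN_KEY are constructed placeholders.
"""
import copy
import hashlib
import hmac
import json

# Constructed records of the kind a custodian might preserve as evidence.
SAMPLE_RECORDS = [
    {"ts": "2016-06-15T11:55:03Z", "event": "login", "src": "192.0.2.10"},
    {"ts": "2016-06-15T11:57:41Z", "event": "search", "terms": "placeholder query"},
    {"ts": "2016-06-15T12:01:09Z", "event": "logout", "src": "192.0.2.10"},
]
CUSTODIAN_KEY = b"placeholder-custodian-key"   # placeholder; real key lives in an HSM
GENESIS = "0" * 64                              # link value for the first entry


def canonical(record: dict) -> bytes:
    """Deterministic JSON so the same record always hashes the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal_records(records, key: bytes) -> list:
    """Wrap each record with the previous tag and an HMAC over (prev || record).

    Because each tag covers the previous tag, changing, dropping or reordering
    any entry breaks every tag that follows it.
    """
    chain, prev = [], GENESIS
    for record in records:
        tag = hmac.new(key, prev.encode() + canonical(record), hashlib.sha256).hexdigest()
        chain.append({"record": record, "prev": prev, "tag": tag})
        prev = tag
    return chain


def verify_chain(chain, key: bytes):
    """Return (True, None) if the chain is intact, else (False, first bad index)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        expected = hmac.new(key, prev.encode() + canonical(entry["record"]),
                            hashlib.sha256).hexdigest()
        if entry["prev"] != prev or not hmac.compare_digest(expected, entry["tag"]):
            return False, i
        prev = entry["tag"]
    return True, None


def tampered_copy(chain, index: int, **changes):
    """Copy of the chain with one record altered, to exercise verification."""
    altered = copy.deepcopy(chain)
    altered[index]["record"].update(changes)
    return altered


if __name__ == "__main__":
    sealed = seal_records(SAMPLE_RECORDS, CUSTODIAN_KEY)
    print("intact:", verify_chain(sealed, CUSTODIAN_KEY))
    print("edited:", verify_chain(tampered_copy(sealed, 1, terms="other"), CUSTODIAN_KEY))
    print("entry removed:", verify_chain(sealed[:1] + sealed[2:], CUSTODIAN_KEY))
```

The caveat is exactly the one the paragraph is making. The chain proves the records have not changed since whoever holds the key sealed them, and a head tag published with an independent timestamp can also prove they existed by a certain date. It cannot prove that the key holder recorded them truthfully in the first place; nothing cryptographic closes that gap, which is why a released log still comes with a “trust us” residue.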

    That ‘trust us, we have con­clu­sive evi­dence’ aspect of this lat­est indict­ment is a reminder that one of the key lessons we should take from this entire #TrumpRus­sia night­mare expe­ri­ence is that it is very imper­a­tive that coun­tries build gov­ern­ments peo­ple can trust. And not just the trust of domes­tic audi­ences but also inter­na­tion­al audi­ences. How can soci­eties build trust­wor­thy nation­al secu­ri­ty states? It was always an incred­i­bly impor­tant ques­tion, but now it’s even more impor­tant thanks to our mass embrace of infor­ma­tion tech­nol­gy and the legal and evi­den­tiary pecu­liaries of the cyber­land­scape.

    So, while the lat­est Mueller indict­ment is one of the first and only hack­ing indict­ments ever of this nature — where a gov­ern­ment for­mal­ly charges anoth­er gov­ern­ments hack­ers with a cyber attack (Oba­ma did it to Chi­nese gov­ern­ment hack­ers in 2014) — it’s also just one of the first in what is inevitably going to be a long line of future gov­er­ment-to-gov­ern­ment hack­ing charges. In oth­er words, it’s set­ting a prece­dent. And that’s why it’s nice that the indict­ment appears to be based on some very spe­cif­ic evi­dence. But that evi­dence is all in the ‘trust us’ realm and might remain there indef­i­nite­ly if the indict­ment nev­er leads to the extra­di­tion of the GRU mem­bers. And that’s not actu­al­ly a great prece­dent.

    And if it turns out the evi­dence is BS and/or faked and that that’s obvi­ous­ly very cat­a­stroph­ic. But it it turns out to be real evi­dence, that’s even more cat­a­stroph­ic in the sense that it means Putin went mad and just decid­ed to bla­tant­ly hack the shit out of the West and not hide it by leav­ing stun­ning­ly ama­tur­ish clues on each hack. So it’s an over­all cas­tas­troph­ic sit­u­a­tion, we just don’t quite know yet the nature of the cat­a­stro­phe. And may not ever know. Which will per­haps be unavoid­able due to the nature of the evi­dence. We’re going to be asked to nation­al secu­ri­ty states in the realm of cyber-evi­dence. It’s that’s kind of cat­a­stro­phe.

    On the plus side, there’s no doubt more indict­ments to come from the Mueller team for US cit­i­zens who will actu­al­ly have to face tri­al (like Roger Stone), so hope­ful­ly the var­i­ous­ly alle­ga­tions against the GRU gets fleshed out dur­ing those tri­als.

    Posted by Pterrafractyl | July 23, 2018, 10:25 pm
  8. There was a pair of new ‘Russian hacker’ stories this week that directly relate to the Trend Micro report issued back in January. That was the report where Trend Micro claimed with 100 percent certainty that ‘Fancy Bear’/APT28 was behind a series of fake websites and a phishing campaign designed to mimic ADFS (Active Directory Federation Services) websites that handle the US Senate’s email system, based on finding digital fingerprints that uniquely tie the attackers back to two previous hacks attributed to Fancy Bear.

    Also recall that Trend Micro attributed the Macron hack to Fancy Bear with 99 percent certainty based on shared digital fingerprints for that hack with previous hacks attributed to Fancy Bear, but it turns out those shared digital fingerprints were sharing the same IP address blocks and similarities in malware used, especially relying on shared IP blocks, which is extremely weak evidence. So the confidence that Trend Micro has in its attributions appears to be rather questionable. And if Trend Micro is correct about these Senate email hacks and it really was Russia’s GRU hackers behind it, it was another instance where they apparently aren’t trying to hide it at all and instead just reusing the same ‘digital fingerprints’ over and over in a manner that guarantees attribution will be tied back to ‘Fancy Bear’. It’s another one of those kinds of stories.

    And now, thanks to some comments by Microsoft executive Tom Burt during a security conference panel in Aspen last week (Burt’s comments are at ~12:00–19:00 in the YouTube video of the panel), the story of those Senate email phishing sites is back in the news. But it was actually treated as new news and a new phishing attempt against the US Senate because Burt actually misstates what happened and makes it sound like some new phishing sites were discovered earlier this year (as opposed to being publicly disclosed earlier this year after being found last year).

    That mistake aside, Burt revealed something new: it was apparently three specific Senate offices that were targeted in the phishing attempt, although he doesn’t reveal which Senators were targeted.

    BBC News

    Hackers ‘targeting US mid-term elections’

    By Chris Baraniuk, Technology reporter
    20 July 2018

    At least three congressional candidates have been targeted by hackers ahead of the US mid-term elections, according to Microsoft.

    Tom Burt, an executive at the firm, made the revelation during a security conference panel in Colorado.

    The three candidates appear to have been targeted by phishing attacks, he told the audience.

    One cybersecurity expert said the hacking was probably an attempt to “undermine the democratic process”.

    US voters will go to the polls on 6 November to elect a swathe of new members of Congress, senators and state governors.

    Phishing attacks

    The tech giant discovered the apparent foul play after checking fake Microsoft web domains that had been associated with espionage in 2016.

    A group exploiting the domains is known by many as “Fancy bear” but has been dubbed “Strontium” by Microsoft.

    Some cybersecurity firms, including SecureWorks and Mandiant, believe the hackers are linked to Russian intelligence.

    Russia has consistently denied allegations of hacking.

    Mr Burt told the Aspen Security Forum attendees: “Earlier this year, we did discover that a fake Microsoft domain had been established as the landing page for phishing attacks and we saw metadata that suggested those phishing attacks were being directed at three candidates who were all standing for election in the mid-term elections.”

    In other words, the hackers tried to trick the candidates into visiting a bogus Microsoft web page.

    Mr Burt did not name the affected candidates but said they were all potentially “interesting targets from an espionage standpoint”.

    He added that the hackers were not successful in accessing the three candidates and that the fake Microsoft domain had been taken down.

    The hackers might have been trying to gain access to the candidates’ personal messages or emails, for example, said cybersecurity expert Prof Alan Woodward at the University of Surrey.

    “If you can grab emails... you can start making people look bad,” he said.

    “I think the primary motive is to undermine the democratic process so it doesn’t matter which candidate they manage to subvert.”

    ...

    Last week, the US Director of National Intelligence said Russian attempts at hacking US targets remained “persistent... regardless of whether it is election time or not”.

    Prof Woodward told the BBC: “Every single intelligence agency, including the British ones, have said it’s ongoing, it’s an ongoing onslaught and the finger seems to point at Russia.”

    ———-

    “Hackers ‘targeting US mid-term elections’ ” by Chris Baraniuk; BBC News; 07/20/2018

    “Mr Burt told the Aspen Security Forum attendees: “Earlier this year, we did discover that a fake Microsoft domain had been established as the landing page for phishing attacks and we saw metadata that suggested those phishing attacks were being directed at three candidates who were all standing for election in the mid-term elections.””

    So, according to Burt, Microsoft discovered a fake domain set up for phishing passwords from three US candidates. And this was earlier this year. As we’ll see, this was a mistake and he’s referring to the domains that were discovered last year and publicly revealed earlier this year.

    But Burt wouldn’t say which candidates:

    ...
    The tech giant discovered the apparent foul play after checking fake Microsoft web domains that had been associated with espionage in 2016.

    A group exploiting the domains is known by many as “Fancy bear” but has been dubbed “Strontium” by Microsoft.

    Some cybersecurity firms, including SecureWorks and Mandiant, believe the hackers are linked to Russian intelligence.

    Russia has consistently denied allegations of hacking.

    ...

    In other words, the hackers tried to trick the candidates into visiting a bogus Microsoft web page.

    Mr Burt did not name the affected candidates but said they were all potentially “interesting targets from an espionage standpoint”.

    He added that the hackers were not successful in accessing the three candidates and that the fake Microsoft domain had been taken down.
    ...

    Ok, so how do we know that Burt wasn’t referring to a new set of domains discovered this year phishing for credentials to the Senate email system? Well, as the following article makes clear, Mr Burt misspoke and was actually referring to the phishing sites taken down last year.

    The article also reveals the identity of one of the targets of the phishing campaign: Democratic Senator Claire McCaskill, who is up for reelection this year and considered one of the most vulnerable Democrats up for reelection.

    The article also informs us that the attribution to Fancy Bear was important for allowing Microsoft to actually thwart the hack. Thanks to a lawsuit Microsoft filed against Fancy Bear, Microsoft now has the legal right in the US to seize any domains used by Fancy Bear intended to spoof a Microsoft domain. This is what allowed Microsoft to legally seize the domains used in the Senate email phishing in October rapidly and redirect the traffic to a Microsoft-controlled server. Time was of the essence and it was that successful lawsuit against Fancy Bear that enabled Microsoft to act fast in taking down the phishing site.

    And that points towards a rather disturbing new dimension to the current hyper-focus on Russian hacking to the near exclusion of all other sources of hacking: if rapidly and legally taking control of phishing domains can only be done when the hack is attributed to a previously sued hacking group like Fancy Bear, that’s going to create a powerful incentive to attribute future hacks to those past culprits regardless of the real strength of the evidence:

    The Daily Beast

    Russian Hackers’ New Target: a Vulnerable Democratic Senator

    Andrew Desiderio
    Kevin Poulsen
    07.26.18 5:22 PM ET

    The Russian intelligence agency behind the 2016 election cyberattacks targeted Sen. Claire McCaskill as she began her 2018 re-election campaign in earnest, a Daily Beast forensic analysis reveals. That makes the Missouri Democrat the first identified target of the Kremlin’s 2018 election interference.

    McCaskill, who has been highly critical of Russia over the years, is widely considered to be among the most vulnerable Senate Democrats facing re-election this year as Republicans hope to hold their slim majority in the Senate. In 2016, President Donald Trump defeated Hillary Clinton by almost 20 points in the senator’s home state of Missouri.

    There’s no evidence to suggest that this attempt to lure McCaskill staffers was successful. The precise purpose of the approach was also unclear. Asked about the hack attempt by Russia’s GRU intelligence agency, McCaskill told The Daily Beast on Thursday that she wasn’t yet prepared to discuss it.

    “I’m not going to speak of it right now,” she said. “I think we’ll have something on it next week. I’m not going to speak about it right now. I can’t confirm or do anything about it right now.”

    The senator later released a statement asserting that the cyberattack was unsuccessful.

    “Russia continues to engage in cyber warfare against our democracy. I will continue to speak out and press to hold them accountable,” McCaskill said. “While this attack was not successful, it is outrageous that they think they can get away with this. I will not be intimidated. I’ve said it before and I will say it again, Putin is a thug and a bully.”

    In August 2017, around the time of the hack attempt, Trump traveled to Missouri and chided McCaskill, telling the crowd to “vote her out of office.” Just this last week, however, Trump said, on Twitter, that he feared Russians would intervene in the 2018 midterm elections on behalf of Democrats.

    The revelations of the attempted hack of McCaskill staffers come just weeks after Special Counsel Robert Mueller indicted 12 Russian intelligence officers, accusing them of orchestrating cyberattacks that targeted the Democratic National Committee, the Democratic Congressional Campaign Committee, and Clinton’s campaign in 2016.

    On Friday, Trump is scheduled to chair a meeting of the National Security Council on election vulnerabilities facing the midterm elections—amid persistent criticism, particularly after his Helsinki meeting with Russian President Vladimir Putin, that he isn’t taking Russian interference seriously.

    The attempt against McCaskill’s office was a variant of the password-stealing technique used by Russia’s so-called “Fancy Bear” hackers against Clinton’s campaign chairman, John Podesta, in 2016.

    The hackers sent forged notification emails to Senate targets claiming the target’s Microsoft Exchange password had expired, and instructing them to change it. If the target clicked on the link, he or she was taken to a convincing replica of the U.S. Senate’s Active Directory Federation Services (ADFS) login page, a single sign-on point for e-mail and other services.

    As with the Podesta phishing, each Senate phishing email had a different link coded with the recipient’s email address. That allowed the fake password-change webpage to display the user’s email address when they arrived, making the site more convincing.

    In October, Microsoft wrested control of one of the spoofed website addresses—adfs.senate.qov.info. Seizing the Russians’ malicious domain names has been easy for Microsoft since August 2017, when a federal judge in Virginia issued a permanent injunction against the GRU hackers, after Microsoft successfully sued them as unnamed “John Doe” defendants. The court established a process that lets Microsoft take over any web addresses the hackers use that include a Microsoft trademark.

    Microsoft redirected the traffic from the fake Senate site to its own sinkhole server, putting it in a prime position to view targets trying to click through to change their passwords.

    The Daily Beast identified McCaskill as a target while investigating statements made by Microsoft VP Tom Burt last week in an appearance at the Aspen Security Forum. Burt discussed the Virginia injunction, and told the audience that it allowed Microsoft to thwart a phishing campaign against three midterm election candidates, who he declined to name.

    “We did discover that a fake Microsoft domain had been established as the landing page for phishing attacks, and we saw metadata that suggested those phishing attacks were being directed at three candidates who are all standing for elections in the midterm elections,” said Burt, Microsoft’s corporate vice president for customer security and trust. “We took down that domain and working with the government actually were able to avoid anybody being infected by that particular attack.”

    The most recent domain seizures recorded in the Virginia case took place between August and December of last year, when Microsoft grabbed seven malicious web addresses, including the “qov.info” address. A report from the security company Trend Micro released in January listed that address and the role it played in a Senate phishing campaign against unnamed targets.

    A snapshot of a deep link on the phishing site taken September 26th by a website security scanner showed the fake password-change page with the Senate email address of a McCaskill policy aide on display.

    There is a notable divide between Congress and the Trump administration over the vulnerability of the 2018 election to Russian election interference.

    In March, the Senate Intelligence Committee warned state election officials to make cybersecurity a “high priority” for their election systems, particularly over voter databases, and urged the states to bolster their coordination with the Department of Homeland Security. But the secretary of Homeland Security, Kirstjen Nielsen, appeared earlier this month to downplay the threat. While “adversaries and nonstate actors” consider U.S. elections a persistent target, Nielsen said there are “no indications that Russia is targeting the 2018 U.S. midterms at a scale or scope to match their activities in 2016.”

    By contrast, Dan Coats, the embattled director of national intelligence, testified in February that Russia considered its 2016 election hacking a success. Putin “views the 2018 U.S. midterm elections as a potential target for Russian influence operations,” Coats told the Senate intelligence panel. Last week, after being rebuked by Trump beside Putin in Helsinki, Coats reiterated his concern about Russia’s “ongoing, pervasive efforts to undermine our democracy.”

    Earlier this year, Congress appropriated $380 million, as part of a broader spending package, to individual states for election security. The Senate is currently weighing whether to authorize an additional $250 million in similar grants.

    A spokesperson for the Senate Intelligence Committee declined to comment, as did a spokesperson for Mark Warner, the top Democrat on the panel.

    McCaskill is one of 10 Senate Democrats facing re-election this year in states that Trump won in 2016. Her likely Republican challenger is Josh Hawley, who currently serves as the state’s attorney general. Outside groups and campaign committees have spent more than $15.5 million against McCaskill so far.

    McCaskill has spoken out forcefully against Moscow, likening Russian election-meddling to “a form of warfare” and calling Putin a “thug and a bully.” She was also caught up in the Podesta hack, which was revealed when WikiLeaks released the Clinton campaign chair’s private email communications. The document dump showed that McCaskill called Podesta to inform him that she had “info” about an individual working in the State Department’s inspector general’s office, which at the time was investigating Clinton’s private email server. The “info” was that a top aide at the inspector general’s office once worked for a Republican senator, Chuck Grassley of Iowa.

    McCaskill’s criticisms of WikiLeaks stretch back nearly a decade. In 2010, she and Sen. Lindsey Graham (R-S.C.) called for prosecutions of individuals who send classified information to WikiLeaks. Earlier this month, Mueller’s GRU indictment included Russian intelligence officers who, through the Guccifer2.0 persona, are accused of funnelling the hacked 2016 data to WikiLeaks.

    ...

    ———–

    “Russian Hackers’ New Target: a Vulnerable Democratic Senator” by Andrew Desiderio and Kevin Poulsen; The Daily Beast; 07/26/2018

    “The Russian intelligence agency behind the 2016 election cyberattacks targeted Sen. Claire McCaskill as she began her 2018 re-election campaign in earnest, a Daily Beast forensic analysis reveals. That makes the Missouri Democrat the first identified target of the Kremlin’s 2018 election interference.”

    It’s a Daily Beast “forensic analysis”. Is that hyperbole or is the Daily Beast actually doing forensic analysis of hacks now? Regardless, the conclusions of the Daily Beast forensic analysis appear to be identical to Trend Micro’s analysis of the Senate email phishing sites when they were discovered last year: it was Fancy Bear.

    The specific phishing attempt against McCaskill’s office appears to have started around August of 2017. The phishing emails were pretty standard: they claimed to be from the Senate Microsoft Exchange server indicating a password expiration, and if people clicked on the link they went to a fake version of the Senate’s Active Directory Federation Services (ADFS) login page:

    ...
    In August 2017, around the time of the hack attempt, Trump traveled to Missouri and chided McCaskill, telling the crowd to “vote her out of office.” Just this last week, however, Trump said, on Twitter, that he feared Russians would intervene in the 2018 midterm elections on behalf of Democrats.

    ...

    The attempt against McCaskill’s office was a variant of the password-stealing technique used by Russia’s so-called “Fancy Bear” hackers against Clinton’s campaign chairman, John Podesta, in 2016.

    The hackers sent forged notification emails to Senate targets claiming the target’s Microsoft Exchange password had expired, and instructing them to change it. If the target clicked on the link, he or she was taken to a convincing replica of the U.S. Senate’s Active Directory Federation Services (ADFS) login page, a single sign-on point for e-mail and other services.

    As with the Podesta phishing, each Senate phishing email had a different link coded with the recipient’s email address. That allowed the fake password-change webpage to display the user’s email address when they arrived, making the site more convincing.
    ...

    It’s worth recalling how the Trend Micro report on this phishing campaign described it as not being “advanced in nature” and in keeping with a pattern of Fancy Bear (which Trend Micro calls “PawnStorm”) using the same ‘script’ over and over.

    And to make it clear that Mr Burt was incorrect when he claimed that Microsoft discovered these Senate email phishing domains earlier this year, the article notes that Microsoft actually obtained control of one of the spoofed domains for the ADFS server in October. And Microsoft was able to seize those domains so rapidly thanks to its successful lawsuit against Fancy Bear, which made it possible for Microsoft to rapidly seize fake domains spoofing Microsoft domains if it’s Fancy Bear doing the spoofing:

    ...
    In October, Microsoft wrested control of one of the spoofed website addresses—adfs.senate.qov.info. Seizing the Russians’ malicious domain names has been easy for Microsoft since August 2017, when a federal judge in Virginia issued a permanent injunction against the GRU hackers, after Microsoft successfully sued them as unnamed “John Doe” defendants. The court established a process that lets Microsoft take over any web addresses the hackers use that include a Microsoft trademark.

    Microsoft redirected the traffic from the fake Senate site to its own sinkhole server, putting it in a prime position to view targets trying to click through to change their passwords.
    ...

    And it sounds like the period when Microsoft was seizing domains assumed to be run by Fancy Bear was from August to December of 2017. This is based on the records of the legal case Microsoft has against Fancy Bear:

    ...
    The most recent domain seizures recorded in the Virginia case took place between August and December of last year, when Microsoft grabbed seven malicious web addresses, including the “qov.info” address. A report from the security company Trend Micro released in January listed that address and the role it played in a Senate phishing campaign against unnamed targets.

    A snapshot of a deep link on the phishing site taken September 26th by a website security scanner showed the fake password-change page with the Senate email address of a McCaskill policy aide on display.
    ...

    And that all clarifies that there wasn’t a new set of phishing sites identified by Microsoft in early 2018. When Microsoft executive Tom Burt told the audience at the security conference in Aspen last week that Microsoft discovered phishing sites targeting three US candidates earlier this year, he was erroneously referring to the public disclosure about this phishing campaign that was made in January of 2018 with Trend Micro’s report, where they attributed this phishing campaign to Fancy Bear with 100 percent certainty. And Microsoft took control of those domains from August to December of 2017 using its lawsuit against Fancy Bear. A lawsuit that required the phishing sites be attributed to Fancy Bear to allow for the rapid takeover of the phishing domains.

    And that’s all why the 100 percent certainty of Trend Micro’s attribution of the Senate email phishing campaign should probably be expected for a lot more cyber attack attributions going forward. Certainty will help in overcoming legal obstacles to actions required to stop the phishing campaigns, like seizing domains. It’s just an inherent aspect of how implementing the rule of law is going to create some biases in the cyber-attribution realm. When cybersecurity firms are attributing a hack, it’s going to be convenient to attribute it to an entity your client has a court order against for a previous hacking attempt when seizing domains is an option. And that’s also an additional incentive for third parties to leave ‘Fancy Bear’ digital fingerprints (like using the same web hosting service with the same IP address blocks).

    And if Trend Micro and Microsoft are correct in their Fancy Bear attribution for this phishing campaign, it’s just one more high profile incident of Fancy Bear trying to get caught. Because think about it: imagine ‘Fancy Bear’ deciding to leave the same digital ‘fingerprints’ in a US Senate email spearphishing campaign that tie the hack back to previous hacks already attributed to Fancy Bear in 2015 and 2016. With every hack it seems easier to attribute it because it’s like a growing trail of previous hacks. The same malware and same command and control servers or VPNs or whatever the particular ‘digital fingerprints’ that got previously attributed to Fancy Bear. That’s asking to get caught, which is what Fancy Bear apparently tries to do over and over. This Senate email phishing campaign is just one piece of a much larger puzzle. That puzzle being the exact strategy of blatant self-attributing hacking that Putin is apparently employing. It seems like a strategy designed to turn Russia into some sort of hacking pariah, so that’s really scary if this is actually Putin’s hacking project.

    It’s also really scary if it’s the GOP pretending to be Fancy Bear. Or neo-Nazis or whatever. That’s a different kind of really scary and much, much scarier given the current context.

    Posted by Pterrafractyl | July 29, 2018, 9:23 pm
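    As an added defensive example, not part of the thread and not code from Trend Micro, Microsoft or The Daily Beast: the Daily Beast piece quoted above describes two features of the Senate phishing links that a mail gateway or proxy-log review can check for without any attribution at all, namely a look-alike of the organisation's ADFS single sign-on host (adfs.senate.qov.info standing in for a .gov host) and a per-recipient link that carries the target's email address so the fake page can greet them by name. The checker below applies both to constructed proxy log lines. The legitimate host adfs.senate.gov, the log lines and the staffer@senate.gov address are assumptions made up for the example, not values from the page.

```python
import re
from urllib.parse import urlparse, unquote

# Legitimate single-sign-on host for the organisation being protected.
# Constructed assumption for this example; replace with your own SSO hostnames.
LEGIT_SSO_HOSTS = {"adfs.senate.gov"}

# Characters that are easy to mistake for one another in a hostname. The map
# is one-way: it rewrites the look-alike character back into the genuine one,
# so "qov" folds to "gov" and "micr0soft" folds to "microsoft".
_CONFUSABLES = str.maketrans({"q": "g", "0": "o", "1": "l", "5": "s"})

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed proxy log lines (timestamp, user, method, URL, status).
SAMPLE_PROXY_LOG = [
    "2017-09-26T10:01:02Z user17 GET https://adfs.senate.gov/adfs/ls/ 200",
    "2017-09-26T10:02:41Z user17 GET https://adfs.senate.qov.info/adfs/ls/?username=staffer%40senate.gov 200",
    "2017-09-26T10:03:10Z user22 GET https://www.example.com/news 200",
]


def normalize_host(host: str) -> str:
    """Fold common confusable substitutions so 'qov' compares equal to 'gov'."""
    host = host.lower().rstrip(".")
    host = host.replace("rn", "m").replace("vv", "w")
    return host.translate(_CONFUSABLES)


def _labels_embedded(needle: str, haystack: str) -> bool:
    """True if every DNS label of `needle` appears, in order and contiguously, in `haystack`."""
    n, h = needle.split("."), haystack.split(".")
    return any(h[i:i + len(n)] == n for i in range(len(h) - len(n) + 1))


def analyze_url(url: str, legit_hosts=LEGIT_SSO_HOSTS) -> dict:
    """Flag a URL that imitates a known SSO host or carries a recipient email in the link."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    flags = []
    if host not in legit_hosts:
        norm = normalize_host(host)
        # A genuine host name embedded under someone else's registrable domain
        # (adfs.senate.gov.info after folding) is the look-alike pattern.
        if any(_labels_embedded(legit, norm) for legit in legit_hosts):
            flags.append("lookalike_host")
    # Personalised phishing links put the victim's address in the path or query.
    if EMAIL_RE.search(unquote(parsed.path + "?" + parsed.query)):
        flags.append("embedded_email")
    return {"url": url, "host": host, "flags": flags}


def scan_log_lines(lines):
    """Return the analysis of every URL in the log lines that raised at least one flag."""
    findings = []
    for line in lines:
        for url in URL_RE.findall(line):
            result = analyze_url(url)
            if result["flags"]:
                findings.append(result)
    return findings


if __name__ == "__main__":
    for hit in scan_log_lines(SAMPLE_PROXY_LOG):
        print(hit["host"], hit["flags"])
```

    On the sample log only the qov.info request is reported, with both flags set. An embedded address on its own is a weak signal (legitimate SSO deep links can carry a username hint), which is why the function returns the individual flags rather than a verdict; the combination of a look-alike host and a personalised link is what matches the campaign the article describes, and the check needs no judgement about who registered the domain.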
  9. Well that’s interesting: The National Republican Congressional Committee (NRCC) just revealed that it suffered a serious hack this year. Recall how the Republicans actually suffered a hack in 2016 when Smartech, a GOP IT firm, was hacked and several hundred emails were stolen (but never released). This 2018 hack sounds more serious, although it’s still just limited to stolen emails.

    The hack was discovered in April and it was determined that the email accounts of four NRCC senior aides were surveilled for several months. It sounds like it was just a hack involving the theft of the email passwords for these four individuals and didn’t involve malware on the NRCC network, so it’s not nearly as serious as what the Democrats experienced in 2015/2016. But it still sounds like thousands of emails described as “sensitive” were indeed taken by the hacker.

    Adding to the intrigue is that the NRCC apparently didn’t tell anyone until now, even senior House Republicans. House Speaker Paul Ryan, Majority Leader Kevin McCarthy, and Majority Whip Steve Scalise reportedly all had no idea about this hack until a Politico reporter contacted them about it to get a comment for the following article.

    And here’s the extra intriguing part: the explanation for why the NRCC didn’t even inform the House Republican leadership is that they feared revealing the hack would compromise efforts to find the culprit. And that sounds a lot like there were suspicions that this was an inside job. The fact that there’s been no blackmail attempts or use of the hacked information further points towards a possible inside job.

    Not surprisingly, the suspects at this point are some foreign hacker. What are those suspicions based on? We are only told that the suspicions are based on “the nature of the attack”.

    Oh, and guess which company the NRCC alerted to help investigate the hack back in April: Crowdstrike! As we’ll see, Crowdstrike already had a contract with the NRCC to protect their networks. The particular cybersecurity firm that discovered the hack was MSSP, which was hired to monitor the NRCC’s networks. Crowdstrike was involved with assisting MSSP’s job of monitoring the NRCC network. MSSP contacted Crowdstrike and the FBI after discovering the hack and Crowdstrike is taking part in the investigation, so we should probably expect either Russia or China to end up getting the official blame at some point.

    And note that there’s no mention of “spearphishing” in all of this. Given that it sounds like the only thing the hackers obtained was the passwords of four email accounts, that would normally point towards a successful spearphishing attack if this really was an outside hacker. So the lack of any mention of spearphishing also points towards a possible inside job since Republican insiders would be the ones most likely to be able to obtain passwords through some other means.

    As we’re also going to see, the NRCC began negotiations with Democrats in May of this year (so following the discovery of the hack) to negotiate an agreement on the use of hacked materials in elections. NRCC chairman Steve Stivers led the Republican side of the negotiations. The negotiations were proceeding along and it sounds like the two parties were close to reaching an agreement. But then, at the last minute, Stivers pulled out of the negotiations. This was in September, just two months before the mid-term elections. Also keep in mind that one of the four senior aides was likely Stivers’s senior aide. We don’t know that’s the case, but if there are four senior aides with their emails hacked it seems likely that one of them is going to be an aide to the chairman.

    What was the basis for the GOP pulling out of these negotiations in September? Well, Stivers agreed to language that would reject “(promoting) or (disseminating) hacked materials to the press, regardless of the source.” The Democrats tried to add language that “neither committee will use known stolen or hacked information”. It was after the Democrats added that language about agreeing not to use hacked information that Stivers pulled out of the negotiations. Stivers is on record opposing the idea of agreeing to not use released hacked documents. Back in June, Stivers said he would not “run down one of my candidates for using something that’s in the public domain,” and that, “once something is in the public domain, I’m not sure you can say, ‘Let’s ignore this,’ ” during an event.

    But Stivers gives a different explanation for why he pulled out of the negotiations. It basically makes no sense. A week before Stivers pulled out of the negotiations, the Democrats’ negotiator told the Wall Street Journal that he “would hope that Steve and I are able to roll something out that we agree on this week,” adding, “I think that we’re close.” Stivers said this was the latest attempt by Democrats to pressure the NRCC through the media, saying it “was sort of the straw that broke the camel’s back on trust.”

    So the NRCC found out about a hack in April, and informed Crowdstrike and the FBI, but didn’t inform the House Leadership or rank-and-file GOPers, ostensibly because they were concerned about tipping off the hackers, suggesting concerns of an inside job. Then, in May, the chairman of the NRCC, Steve Stivers, entered into negotiations with the Democrats over an anti-hack-exploitation agreement. The negotiations went on for about four months until Stivers suddenly pulled out in September after the Democrats tried to add an agreement that would ban the use of hacked materials in campaign ads. Yes, two months before the mid-terms, the NRCC pulled out of an agreement with the Democrats to not use hacked documents in campaign ads at the same time the NRCC was apparently very concerned about the hacking of four of its senior aides months earlier. And, of course, they are leaning towards this being foreign hackers, although we aren’t given any explanation why they arrived at that conclusion other than the ‘nature of the attack’:

    Politico

    Exclusive: Emails of top NRCC officials stolen in major 2018 hack

    Republican leaders were not informed until POLITICO contacted committee officials about the incident.

    By ALEX ISENSTADT and JOHN BRESNAHAN

    12/04/2018 11:51 AM EST

    The House GOP campaign arm suffered a major hack during the 2018 midterm campaigns, exposing thousands of sensitive emails to an outside intruder, according to three senior party officials.

    The email accounts of four senior aides at the National Republican Congressional Committee were surveilled for several months, the party officials said. The intrusion was detected in April by an NRCC vendor, who alerted the committee and its cybersecurity contractor. An internal investigation was initiated, and the FBI was alerted to the attack, said the officials, who requested anonymity to discuss the incident.

    However, senior House Republicans — including Speaker Paul Ryan of Wisconsin, Majority Leader Kevin McCarthy of California and Majority Whip Steve Scalise of Louisiana — were not informed of the hack until Politico contacted the NRCC on Monday with questions about the episode. Rank-and-file House Republicans were not told, either.

    Rep. Steve Stivers of Ohio, who served as NRCC chairman this past election cycle, did not respond to repeated requests for comment.

    Committee officials said they decided to withhold the information because they were intent on conducting their own investigation and feared that revealing the hack would compromise efforts to find the culprit.

    “We don’t want to get into details about what was taken because it’s an ongoing investigation,” said a senior party official. “Let’s say they had access to four active accounts. I think you can draw from that.”

    The hack became a major source of consternation within the committee as the midterm campaign unfolded. The NRCC brought on the prominent Washington law firm Covington & Burling as well as Mercury Public Affairs to oversee the response to the hack. The NRCC paid the two firms hundreds of thousands of dollars to help respond to the intrusion. The committee’s chief legal counsel, Chris Winkelman, devoted many hours to dealing with the matter.

    Party officials would not say when the hack began or who was behind it, although they privately believe it was a foreign agent because of the nature of the attack.

    Donor information was not compromised during the intrusion, the party officials said.

    “The NRCC can confirm that it was the victim of a cyber intrusion by an unknown entity. The cybersecurity of the Committee’s data is paramount, and upon learning of the intrusion, the NRCC immediately launched an internal investigation and notified the FBI, which is now investigating the matter,” said Ian Prior, a vice president at Mercury.

    ...

    None of the information accessed during the hack — thousands of emails from senior NRCC aides — has appeared in public, party officials said. And they said there were no attempts to threaten the NRCC or its leadership during the campaign with exposure of the information.

    But the fact that the NRCC was hacked and withheld that information is likely to prove embarrassing at a time when Republicans are grappling with an election in which they lost 40 seats and control of the House. President Donald Trump has also claimed that Republicans are better than Democrats at cybersecurity, explaining why one party was hacked in 2016 but the other was not.

    “The DNC should be ashamed of themselves for allowing themselves to be hacked. They had bad defenses, and they were able to be hacked,” Trump told CBS News in July. “I heard they were trying to hack the Republicans, too. But, and this may be wrong, but they had much stronger defenses.”

    Rep. Tom Emmer of Minnesota will take over as NRCC chairman this cycle, a selection that was directly approved by McCarthy. Emmer is in the process of hiring his own senior aides for the committee, a normal procedure when a new chairman takes over a party committee. Emmer was first briefed on the hack on Monday evening.

    Cybersecurity remains a pressing concern for politicians and political committees, heightened by the high-profile Russian hacking of the Democratic National Committee and Hillary Clinton campaign chief John Podesta during the 2016 election cycle. It’s not clear, however, what the NRCC could have done to avoid this intrusion.

    The hack was first detected by an MSSP, a managed security services provider that monitors the NRCC’s network. The MSSP informed NRCC officials and they, in turn, alerted Crowdstrike, a well-known cybersecurity firm that had already been retained by the NRCC.

    Like other major committees, the NRCC also had security procedures in place before the election cycle began to try to limit the amount of information that could be exposed to a potential hacker. It also employed a full-time cybersecurity employee.

    ———-

    “Exclusive: Emails of top NRCC officials stolen in major 2018 hack” by ALEX ISENSTADT and JOHN BRESNAHAN; Politico; 12/04/2018

    “The email accounts of four senior aides at the National Republican Congressional Committee were surveilled for several months, the party officials said. The intrusion was detected in April by an NRCC vendor, who alerted the committee and its cybersecurity contractor. An internal investigation was initiated, and the FBI was alerted to the attack, said the officials, who requested anonymity to discuss the incident.”

    So back in April, an NRCC cybersecurity vendor detects an intrusion and the NRCC starts an internal investigation and alerts the FBI. Curiously, almost no one else was alerted, including House Republican leadership. Why? Well, according to the NRCC, they feared revealing the hack could make it harder to find the culprit:

    ...
    However, senior House Republicans — including Speaker Paul Ryan of Wisconsin, Majority Leader Kevin McCarthy of California and Majority Whip Steve Scalise of Louisiana — were not informed of the hack until Politico contacted the NRCC on Monday with questions about the episode. Rank-and-file House Republicans were not told, either.

    Rep. Steve Stivers of Ohio, who served as NRCC chairman this past election cycle, did not respond to repeated requests for comment.

    Committee officials said they decided to withhold the information because they were intent on conducting their own investigation and feared that revealing the hack would compromise efforts to find the culprit.

    “We don’t want to get into details about what was taken because it’s an ongoing investigation,” said a senior party official. “Let’s say they had access to four active accounts. I think you can draw from that.”
    ...

    And while not revealing the hack to the public over concerns about tipping off the hacker is a legitimate concern, that doesn’t explain why they wouldn’t have quietly alerted Republican House leaders like Paul Ryan... unless the hacker suspect list included Republican leaders. Otherwise it’s just bizarre to keep that a secret from the party leadership. But that’s the official line from the NRCC.

    And while none of the emails have emerged in the public domain and no blackmail attempts have been made, NRCC officials claim they privately believe it was a foreign agent ‘because of the nature of the attack’, which is a remarkably vague description of the basis for that attribution. But when we learn who did the investigating, it’s not a surprise that a foreign agent is at the top of the suspect list: Crowdstrike, which had already been retained by the NRCC for cybersecurity services:

    ...
    The hack became a major source of consternation within the committee as the midterm campaign unfolded. The NRCC brought on the prominent Washington law firm Covington & Burling as well as Mercury Public Affairs to oversee the response to the hack. The NRCC paid the two firms hundreds of thousands of dollars to help respond to the intrusion. The committee’s chief legal counsel, Chris Winkelman, devoted many hours to dealing with the matter.

    Party officials would not say when the hack began or who was behind it, although they privately believe it was a foreign agent because of the nature of the attack.

    ...

    None of the information accessed during the hack — thousands of emails from senior NRCC aides — has appeared in public, party officials said. And they said there were no attempts to threaten the NRCC or its leadership during the campaign with exposure of the information.

    ...

    The hack was first detected by an MSSP, a managed security services provider that monitors the NRCC’s network. The MSSP informed NRCC officials and they, in turn, alerted Crowdstrike, a well-known cybersecurity firm that had already been retained by the NRCC.
    ...

    Recall how Crowdstrike’s co-founder, Dmitri Alperovitch, played a critical role in recent years in a significant change in how the US responds to hacks. In particular, recall how the cybersecurity industry traditionally didn’t make declarations about which particular nation-state might be behind a hack, due to the highly ambiguous nature of cyber attribution that is based on ‘pattern recognition’ (i.e. matching up the malware, servers, techniques, etc. used in new hacks to previous hacks and looking for patterns) and the fact that such evidence is inherently spoofable by third parties. But Alperovitch, a Russian ex-pat, has long advocated for the US to address this challenge by arriving at a hard conclusion of culpability and simply openly declaring that a particular country is the guilty party and warning of future consequences. Alperovitch was reportedly delighted that the US decided to do so in the case of the DNC hack. Also recall how Alperovitch is a senior fellow at the Atlantic Council. Given that background, it’s important to keep in mind that Crowdstrike is a company that is ideologically driven to arrive at the conclusion that “foreign agents” (especially foreign agents the Atlantic Council doesn’t like) are behind high-profile hacks. The fact that the NRCC and the DNC hired Crowdstrike is an example of how the company is considered to be a very US national security state-friendly company.

    Now, let’s take a look at the following article that gives a few more fun facts about the NRCC’s hack. It sounds like the hackers did not get access to the actual NRCC networks but instead just got the email passwords of those four senior NRCC aides. No information is given about how those passwords were obtained. Keep in mind that if the hackers just got the email passwords, that would normally point towards a successful spearphishing operation. But the NRCC is refusing to give any information about how the passwords were obtained. And if it wasn’t a spearphishing operation behind this, that would again point towards the possibility of an inside job, because getting email passwords without using spearphishing is the kind of thing one can imagine a fellow GOPer carrying out through all sorts of means.

    And as the article also notes, the NRCC and DNC had actually been in the middle of negotiations this year over a treaty to not use hacked materials in elections, but those negotiations broke down months before the mid-terms:

    CNN

    House Republican campaign arm hacked during 2018 midterms

    By Dan Merica, Marshall Cohen and Donie O’Sullivan, CNN
    Updated 7:10 PM ET, Tue December 4, 2018

    Washington (CNN) Emails from top officials at the National Republican Congressional Committee were hacked during the 2018 midterm elections, Republican sources tell CNN, exposing the GOP’s House campaign arm to an intrusion by an “unknown entity.”

    The hack, which was first reported by Politico, was discovered by a vendor in April after emails from four senior committee aides had been surveilled for months, a Republican official with knowledge of the intrusion tells CNN.

    A source familiar with the investigation into the hack told CNN that the attackers would have been able to see all the emails being sent and received by the NRCC aides whose accounts were breached.

    The attackers could have signed into those officials’ accounts as if they were the officials themselves, the source said. To do this, the source said the attackers had obtained the passwords belonging to the officials. The source would not say how the attackers obtained the passwords.

    The attackers did not have access to other NRCC systems as a result of this breach, the source added.

    The revelation of the hack comes weeks after House Republicans lost their majority and saw Democrats pick up close to 40 seats in the House. In a sign of how serious the committee believed the hack to be, they brought on the law firm Covington and Burling to handle the issue, as well as Mercury Public Affairs to deal with the public relations around the intrusion.

    After the NRCC was alerted to the hack, top officials then informed CrowdStrike, a Republican official said, the cybersecurity firm that helped Democrats expel the Russians from their computer systems in 2016, and later shared information with the FBI as it investigated the election-season hacks.

    Ian Prior, a spokesman for the committee, said Tuesday that they were hacked “by an unknown entity.”

    “The NRCC can confirm that it was the victim of a cyber intrusion by an unknown entity,” said Prior. “The cybersecurity of the Committee’s data is paramount, and upon learning of the intrusion, the NRCC immediately launched an internal investigation and notified the FBI, which is now investigating the matter.”

    “To protect the integrity of that investigation, the NRCC will offer no further comment on the incident,” he added.

    In a statement, CrowdStrike confirmed it had been asked to investigate by the NRCC.

    “In April 2018, CrowdStrike was asked by the NRCC to perform an investigation related to unauthorized access to NRCC’s emails. Prior to the incident, CrowdStrike was helping to protect NRCC’s internal corporate network, which was not compromised in this incident,” the company statement read.

    The use of hacked material during electoral campaigns has been a focus ever since the 2016 campaign, when emails from the upper echelons of the Clinton campaign were leaked in the closing weeks of the campaign.

    The Democratic Congressional Campaign Committee was also hacked in 2016. Kremlin-backed hackers published internal documents stolen from DCCC servers as part of the Russian government’s wide-ranging effort to interfere in the US election and some of those sensitive internal campaign documents were later used in Republican ads.

    The heads of the NRCC and the DCCC engaged in prolonged negotiations over not using hacked materials in election ads during the 2018 midterms, but the talks broke down months before Election Day due to an erosion of trust between the parties.

    Despite not signing any agreement, the head of the NRCC issued a statement saying the committee had no intention of using hacked material.

    “We are not seeking stolen or hacked material, we do not want stolen or hacked material, we have no intention of using stolen or hacked material,” then-NRCC chairman Steve Stivers of Ohio said at the time.

    ...

    ———-

    “House Republican campaign arm hacked during 2018 midterms” by Dan Merica, Marshall Cohen and Donie O’Sullivan; CNN; 12/04/2018

    “The attackers could have signed into those officials’ accounts as if they were the officials themselves, the source said. To do this, the source said the attackers had obtained the passwords belonging to the officials. The source would not say how the attackers obtained the passwords.”

    So we know the attackers only got the passwords, but there is no talk of spearphishing. Again, that hints at a possible inside job.

    Also note how it sounds like Crowdstrike was informed of the hack before the FBI got involved:

    ...
    The attackers did not have access to other NRCC systems as a result of this breach, the source added.

    The revelation of the hack comes weeks after House Republicans lost their majority and saw Democrats pick up close to 40 seats in the House. In a sign of how serious the committee believed the hack to be, they brought on the law firm Covington and Burling to handle the issue, as well as Mercury Public Affairs to deal with the public relations around the intrusion.

    After the NRCC was alerted to the hack, top officials then informed CrowdStrike, a Republican official said, the cybersecurity firm that helped Democrats expel the Russians from their computer systems in 2016, and later shared information with the FBI as it investigated the election-season hacks.

    ...

    “In April 2018, CrowdStrike was asked by the NRCC to perform an investigation related to unauthorized access to NRCC’s emails. Prior to the incident, CrowdStrike was helping to protect NRCC’s internal corporate network, which was not compromised in this incident,” the company statement read.
    ...

    And amazingly, at the same time the NRCC was quietly and secretly freaking out about these hacked emails, the heads of the NRCC and DNC were engaged in prolonged negotiations over not using hacked materials in election ads during the 2018 mid-terms, but the talks broke down due to “an erosion of trust”:

    ...
    The heads of the NRCC and the DCCC engaged in prolonged negotiations over not using hacked materials in election ads during the 2018 midterms, but the talks broke down months before Election Day due to an erosion of trust between the parties.

    Despite not signing any agreement, the head of the NRCC issued a statement saying the committee had no intention of using hacked material.

    “We are not seeking stolen or hacked material, we do not want stolen or hacked material, we have no intention of using stolen or hacked material,” then-NRCC chairman Steve Stivers of Ohio said at the time.
    ...

    “We are not seeking stolen or hacked material, we do not want stolen or hacked material, we have no intention of using stolen or hacked material.” That was the statement by then-NRCC chairman Steve Stivers after the collapse of the negotiations.

    So what exactly caused that erosion of trust between the NRCC and DNC? Well, as the following article from back in September describes, it turns out the NRCC broke off the talks. Also, the talks started in May, the month following the NRCC’s discovery of this email hack. Given the timing, it would be interesting to know if the NRCC initially reached out to the DNC for these negotiations, but we aren’t told which side started them.

    The Democrats point to the fact that, right before the talks broke down, they had added language to a proposed agreement about not using hacked materials in election ads, and that the NRCC balked at it, as the reason for the collapse of the talks. They also point out that NRCC chairman Steve Stivers, who led the negotiations, had argued back in July that it would be too much to expect candidates to not use hacked material once it’s ‘out there’. In other words, when Stivers assures the world that the NRCC has no intention of using hacked materials, he’s presumably only talking about the NRCC itself, not individual Republican candidates.

    Stivers counters that the reason he broke off the negotiations is that he was allegedly very upset that the Democrats had given an interview to the Wall Street Journal and said they were optimistic that an agreement could be reached soon. That, according to Stivers, was an attempt to pressure the NRCC into making the agreement. Democrats counter that it was Stivers who made the secret negotiations public in the first place back in June when he talked about it with reporters.

    Yep, the NRCC/DNC negotiations over an agreement to not use hacked materials in election ads broke down when the Democrats attempted to add language to the agreement about not using hacked materials in election ads, but the NRCC wants to assure us that it broke down because the Democrats were publicly optimistic that an agreement could be reached:

    CNN

    Talks break down for bipartisan pledge to reject using hacked materials

    By Rebecca Berg, CNN

    Updated 5:45 PM ET, Fri September 7, 2018

    (CNN) The head of House Republicans’ campaign arm defended abruptly pulling out of late-stage negotiations with Democrats on a pledge to reject using hacked materials in election ads, citing an erosion of trust between the parties.

    But National Republican Congressional Committee chairman Steve Stivers, an Ohio congressman, on Friday also took his strongest public stance to date against using such illicit materials, telling reporters, “We are not seeking stolen or hacked material, we do not want stolen or hacked material, we have no intention of using stolen or hacked material.”

    Stivers and his Democratic counterpart, New Mexico Rep. Ben Ray Lujan, have been in talks since May to try to reach an agreement on a pact, which they hoped would send a strong message against election interference in the lead-up to the midterms.

    ...

    In the latest version of the bipartisan House campaign pledge, which the DCCC sent back to the NRCC on Tuesday, Democrats suggested adding that “neither committee will use known stolen or hacked information” on top of Republican language to reject “(promoting) or (disseminating) hacked materials to the press, regardless of the source.”

    Otherwise, the parties seemingly had agreed that they would not “participate, (aid), or encourage hackers or foreign actors in any attempt to influence American elections,” nor “seek out stolen or hacked information for use in any operations.” The draft document, provided by a source familiar with the latest version of the pledge, further agreed that the committees would report any suspected foreign interference to law enforcement and encourage state officials to safeguard their elections systems.

    Protecting “campaigns from outside interference is paramount and must be reflected in the operations of each campaign committee,” the draft stated.

    Both sides confirmed publicly that they had been close to reaching an agreement on the language of the pledge when the process unraveled this week.

    Indeed, Stivers’ statement Friday affirming that his committee does not intend to use hacked material was “pretty damn close to the pledge we sent them on Tuesday,” said a Democratic source familiar with the negotiations. “I don’t know why he wouldn’t have just signed it.”

    For his part, Stivers blamed a Wall Street Journal interview this week in which Lujan said he “would hope that Steve and I are able to roll something out that we agree on this week,” adding, “I think that we’re close.”

    Stivers said he saw the comments as the latest attempt by Lujan and Democrats to pressure the NRCC through the media, saying it “was sort of the straw that broke the camel’s back on trust.”

    Democrats have pointed out that the negotiations might never have been public, thus attracting elevated press interest, had Stivers not mentioned the talks during an event in June with the Wall Street Journal and NBC News.

    Still, Democrats acknowledged that Stivers’ remarks Friday reflected that some progress had been made between the parties, even if it didn’t culminate in a signed pact.

    “It’s rhetoric,” the Democratic source said, “but it’s rhetoric in the right direction.”

    While Lujan has consistently called for the committees to designate hacked materials as off-limits, Stivers has been less eager to draw a line in the sand. In June, the Ohio congressman said he would not “run down one of my candidates for using something that’s in the public domain.”

    “Once something is in the public domain, I’m not sure you can say, ‘Let’s ignore this,’ ” Stivers said at the time, during the event hosted by the Wall Street Journal and NBC News. “It’s out there.”

    In a statement Friday, as Democrats released their own pledge independent of Republicans, Lujan expressed hope that Stivers might still come around.

    “This commitment is important to our democracy, I’m proud to sign it, and it is my hope that the NRCC will ultimately change course and commit to this same pledge,” Lujan said.

    ———-

    “Talks break down for bipartisan pledge to reject using hacked materials” by Rebecca Berg; CNN; 09/07/2018

    “The head of House Republicans’ campaign arm defended abruptly pulling out of late-stage negotiations with Democrats on a pledge to reject using hacked materials in election ads, citing an erosion of trust between the parties.”

    Yes, as we can see, it was the NRCC who pulled out of these negotiations back in September, two months before the mid-terms. And yet Stivers wants to assure us that the NRCC has absolutely no interest in politically exploiting any hacked materials. Instead, Stivers makes a bizarre case that it was the Democrats trying to pressure the NRCC through the media that led to an erosion of trust. And what did the Democrats do to pressure the NRCC through the media? The DNC negotiator told the Wall Street Journal that he “would hope that Steve and I are able to roll something out that we agree on this week,” adding, “I think that we’re close.” That was apparently what caused the erosion of trust:

    ...
    But National Republican Congressional Committee chairman Steve Stivers, an Ohio congressman, on Friday also took his strongest public stance to date against using such illicit materials, telling reporters, “We are not seeking stolen or hacked material, we do not want stolen or hacked material, we have no intention of using stolen or hacked material.”

    ...

    Both sides confirmed publicly that they had been close to reaching an agreement on the language of the pledge when the process unraveled this week.

    Indeed, Stivers’ statement Friday affirming that his committee does not intend to use hacked material was “pretty damn close to the pledge we sent them on Tuesday,” said a Democratic source familiar with the negotiations. “I don’t know why he wouldn’t have just signed it.”

    For his part, Stivers blamed a Wall Street Journal interview this week in which Lujan said he “would hope that Steve and I are able to roll something out that we agree on this week,” adding, “I think that we’re close.”

    Stivers said he saw the comments as the latest attempt by Lujan and Democrats to pressure the NRCC through the media, saying it “was sort of the straw that broke the camel’s back on trust.”
    ...

    The Democrats counter that the talks broke down right after they added language that “neither committee will use known stolen or hacked information” on top of Republican language to reject “(promoting) or (disseminating) hacked materials to the press, regardless of the source.” So at the time of the breakdown of the negotiations, the NRCC merely wanted to agree that it wouldn’t promote the use of hacked materials:

    ...
    In the latest version of the bipartisan House campaign pledge, which the DCCC sent back to the NRCC on Tuesday, Democrats suggested adding that “neither committee will use known stolen or hacked information” on top of Republican language to reject “(promoting) or (disseminating) hacked materials to the press, regardless of the source.”

    Otherwise, the parties seemingly had agreed that they would not “participate, (aid), or encourage hackers or foreign actors in any attempt to influence American elections,” nor “seek out stolen or hacked information for use in any operations.” The draft document, provided by a source familiar with the latest version of the pledge, further agreed that the committees would report any suspected foreign interference to law enforcement and encourage state officials to safeguard their elections systems.

    Protecting “campaigns from outside interference is paramount and must be reflected in the operations of each campaign committee,” the draft stated.
    ...

    Democrats also point out that it was Stivers himself who initially made these talks public. And during that WSJ/NBC News event back in June when Stivers made these talks public, he said he would not “run down one of my candidates for using something that’s in the public domain,” adding, “Once something is in the public domain, I’m not sure you can say, ‘Let’s ignore this’ ”:

    ...
    Democrats have pointed out that the negotiations might never have been public, thus attracting elevated press interest, had Stivers not mentioned the talks during an event in June with the Wall Street Journal and NBC News.

    Still, Democrats acknowledged that Stivers’ remarks Friday reflected that some progress had been made between the parties, even if it didn’t culminate in a signed pact.

    “It’s rhetoric,” the Democratic source said, “but it’s rhetoric in the right direction.”

    While Lujan has consistently called for the committees to designate hacked materials as off-limits, Stivers has been less eager to draw a line in the sand. In June, the Ohio congressman said he would not “run down one of my candidates for using something that’s in the public domain.”

    “Once something is in the public domain, I’m not sure you can say, ‘Let’s ignore this,’ ” Stivers said at the time, during the event hosted by the Wall Street Journal and NBC News. “It’s out there.”
    ...

    And note the month the talks started: May, which just happens to shortly follow the April discovery of the NRCC hack:

    ...
    Stivers and his Democratic counterpart, New Mexico Rep. Ben Ray Lujan, have been in talks since May to try to reach an agreement on a pact, which they hoped would send a strong message against election interference in the lead-up to the midterms.
    ...

    It will be interesting to learn which side started the talks.

    So how is it that the NRCC discovered thousands of “sensitive” emails were hacked and it was a topic of serious consternation for the NRCC in the lead up to the mid-terms, and yet the NRCC apparently pulled out of the negotiations at the last minute when the Democrats tried to add language to the agreement that neither side would use hacked materials in ads? Wouldn’t such an agreement have been a dream come true for the NRCC? Were there expectations of a hack against the Democrats?

    Might it be that the NRCC had already determined that the hack was likely an inside job done by someone who had no intention of releasing the emails to the public and that’s why Stivers was so cavalier about it? Or might it be the case that the GOP has already got many more caches of hacked documents on Democrats that it’s planning on using in 2020? At this point we don’t know. But given that the NRCC refused an agreement of this nature at a time when it had every incentive to make such an agreement, it’s hard to avoid the conclusion that the Republican Party has big plans for the use of hacked materials in the future.

    But hey, at least the NRCC was willing to go as far as agreeing to not promote the use of hacked emails or the hacking of its opponents. Baby steps.

    Posted by Pterrafractyl | December 8, 2018, 6:02 pm
  10. Here’s an article in Vice from back in October that relates to a number of different stories: It’s a story about the Saudi government’s lead hacker Saud Al-Qahtani and his history of seeking out hacking tools for the Saudi government.

    First, recall how Al-Qahtani is close to Mohammed bin Salman and the same figure who is believed to have orchestrated the murder of Jamal Khashoggi. He also basically became the Saudi government’s official fall guy in the wake of the international outcry.

    Next, recall how Al-Qahtani was previously identified as the point of contact between the Saudi government and Hacking Team, the Italian company that made malware tools for governments. Hacking Team itself got hacked in 2015 and according to the released hacked documents the Saudi government had been a client of Hacking Team since 2010. By May of 2016, when Hacking Team was losing clients following the embarrassment of getting hacked, a mysterious investor who appears to be close to the Saudi government, Abdullah Al-Qahtani, invested in the company (20 percent of the shares).

    And don’t forget the important potential tie-in between the leak of the hacked Hacking Team malware and the March 2016 ‘Fancy Bear’ hack of the Democrats: a key part of the basis for the attribution of that hack to the GRU was the discovery of the X‑Agent malware on the hacked server. It was basically assumed by CrowdStrike that X‑Agent was exclusively a GRU tool. But in March of 2017, a security researcher at Malwarebytes wrote about how X‑Agent source code appears to be based on hacking code created by Hacking Team. In other words, not only was the X‑Agent code likely ‘in the wild’ at the time of the hack, but versions of it may have actually been sold to governments around the world for years.

    But it’s important to note that Hacking Team isn’t the only company that specializes in selling hacking tools to governments that the Saudi government has been purchasing from. Recall how the murder of Jamal Khashoggi was preceded by the hacking of his phone using what appeared to be malware purchased from NSO Group. Also recall how Michael Flynn was on the advisory board of Luxembourg-based OSY Technologies and consulted for the US-based private equity firm Francisco Partners, and it turns out Francisco Partners owns NSO Group and OSY is an NSO offshoot. Flynn joined OSY in May of 2016 and was paid more than $40,000 to be an advisory board member from May 2016 to January 2017. NSO Group’s approach to ensuring governments don’t abuse its software was to largely rely on governments to police themselves.

    And that brings us to the following Vice article from back in October, because it’s in this article that we learn about how the Saudi government, specifically Saud Al-Qahtani, was trawling a popular hacking forum, called “Hack Forums”, in search of malware, advice, and even hiring people from the forums for various services. It turns out he used the same email address, saudq1978@gmail.com, to register for Hack Forums that he used to contact Hacking Team for technical support. Forum users report that they assumed he was working for the Saudi government at the time.

    There’s one detail in the article that’s especially notable in relation to the ‘Fancy Bear’ hack of the Democrats in March of 2016: Al-Qahtani’s activity on Hack Forums started in 2009 with the username Nokia2mon2. And Nokia2mon2 continued to post on the forum until April of 2016. So Al-Qahtani was comfortable posting on this forum for around seven years and then suddenly, right after the ‘Fancy Bear’ hack of the Democrats’ servers, he stops posting there.

    At the same time, given the fact that it sounds like the Saudi investment into Hacking Team took place in May of 2016, it’s entirely possible that the reason Al-Qahtani stopped posting on Hack Forums a month earlier is that the Saudi government basically purchased a bunch of the Hacking Team staff/expertise and someone else got to take over at that point for Al-Qahtani when the hacking forums needed to be trawled. Plus, it sounds like a lot of Al-Qahtani’s posts on the Hack Forums were asking relatively basic questions that Hacking Team’s experts presumably wouldn’t need to ask.

    So the April 2016 timing of the end of Al-Qahtani’s postings on Hack Forums is potentially suspicious in relation to the hack of the Democrats’ servers, but it might simply indicate that the Saudi investment in Hacking Team gave the government the expertise that made most of those Hack Forum posts unnecessary. Also don’t forget that the Saudi government hired Joel Zamel’s Psy Group in 2016 to plot a digital dirty tricks campaign to help Trump defeat Hillary. So the Saudi government may have simply not needed much outside hacking technical expertise starting in 2016 for their digital dirty tricks. The elite hacking commercial space may have simply made Saud Al-Qahtani’s Hack Forums trawling unnecessary.

    Either way, that Hacking Team investment undoubtedly made Saudi Arabia a more potent entity in the hacking space. There’s a big global market in hacking tools for governments and the Saudi kingdom is clearly a big customer, so we should probably expect a lot more Saudi-related hack stories going forward.

    Finally, it’s worth noting the timing of the article and how it relates to the emerging story of the blackmail attempt against Jeff Bezos by AMI, the publisher of the National Enquirer. First, recall how Bezos’s private investigators are hinting at a government being behind the hack and that strongly points in the direction of the Saudi government given the reports that David Pecker was apoplectic over the Washington Post’s investigation of AMI expanding its operations in Saudi Arabia. Then the Wall Street Journal just reported that the Saudi government has been secretly paying off a number of US media outlets for positive coverage, including Vice Media. Well, it turns out that, back in October while the outrage over the Khashoggi murder was at a peak, Vice announced that it was reviewing its contract with SRMG, a Saudi publishing group with close ties to the government, to make some documentaries about Saudi Arabia.

    And then a week later Vice published the following report on Saud Al-Qahtani trawling hacker forums. Although we shouldn’t assume that Vice wasn’t previously reporting on the Saudi Hacking Team story due to its Saudi media contract. In January of 2018, Vice’s Motherboard broke the story on the Saudi investment in Hacking Team. Its contract was to make documentaries. But it sounds like Vice was far from the only media company hired by the Saudi government in recent years to get one form of positive coverage or another, and that means we should definitely assume that there’s a lot of Saudi money sloshing around the US media and think tanks and anywhere else where money might buy better coverage for the kingdom.

    Vice’s decision to review its documentary contract also points at one of the ways the outcry over the murder of Jamal Khashoggi seriously harmed the Saudi government’s global image: the murder of Khashoggi looked so bad the media companies hired to give them a good look considered canceling their contracts. Contracts that are probably paying a premium these days.

    So that’s all part of why this story from October about Saud Al-Qahtani’s hacking history relates to so many different major stories: There’s just a lot of hacking stories and media manipulation stories these days that tie back to Saudi Arabia:

    Vice

    How ‘Mr. Hashtag’ Helped Saudi Arabia Spy on Dissidents
    Saud Al-Qahtani, a close advisor of crown prince Mohammed bin Salman, was tasked with buying Hacking Team spyware, and apparently moonlighted as a member of online cybercrime website Hack Forums.

    by Lorenzo Franceschi-Bicchierai
    29 October 2018, 5:32pm

    Earlier this month, security researchers revealed that the Saudi Arabian government tried to hack a prominent Saudi dissident and human rights worker who lives in Canada. This came just a few weeks after Amnesty International accused the country of using sophisticated spyware to hack one of its researchers. Then, the New York Times revealed that the Saudis have turned a Twitter employee into a spy who helped them keep tabs on digital rights activists by accessing their accounts and private messages.

    These are just the latest revelations about Saudi Arabia’s aggressive push to quash dissent and track down activists online. The regime’s favorite tools online are Twitter bots to spread disinformation and pro-government propaganda, and spyware to keep tabs on those who dare to speak up. It’s part of a broader and years-long crackdown on free speech that has come to the forefront in the aftermath of the state-led murder of journalist Jamal Khashoggi, a Saudi Arabian citizen whose columns in the Washington Post were critical of crown prince Mohammed bin Salman.

    Saudi Arabia has become a sophisticated hacking machine, able to target dissidents living on the other side of the world with expensive spyware. The regime has long focused on surveillance; the country bought hacking tools from Italian spyware vendor Hacking Team, according to emails that became public after the company was hacked in 2015. Several Saudi agencies paid Hacking Team almost 5 million euros in five years, according to spreadsheets leaked as part of the 2015 Hacking Team breach. In 2016, a year after Hacking Team’s embarrassing breach, a mysterious Saudi investor acquired 20 percent of the company, saving it from going under, as Motherboard reported earlier this year.

    According to the Hacking Team emails, a Saudi government advisor named Saud Al-Qahtani served as the kingdom’s primary point of contact with Hacking Team. Al-Qahtani also apparently remotely oversaw the murder of Khashoggi via Skype, insulting the journalist and ordering his colleagues to “bring me the head of the dog,” according to Reuters.

    Until being fired last week, Saud Al-Qahtani worked as media adviser for Mohammed bin Salman. Some called him Saudi Arabia’s Steve Bannon, or “Mr. Hashtag” for his deft use of propaganda and social media online. He used to play a key role for the government, heading the kingdom’s efficient efforts to disseminate disinformation and harass critics on social media, which earned him the nickname of “troll master.”

    But off of social media, Al-Qahtani—or someone claiming to be him—seems to have played a much more important role for the government: Reaching out to and setting up meetings with Hacking Team in order to purchase the company’s surveillance tools. And, perhaps, trawling the rest of the internet looking for hacking tools for the country to use against dissidents.

    Most importantly, Al-Qahtani appears to have been integral to Saudi Arabia’s relationship with Hacking Team: Someone also identifying himself as Saud Al-Qahtani had a large correspondence over the years with Hacking Team using the official government email s.qahtani@royalcourt.gov.sa, and saudq@saudq.com, according to company emails leaked by hackers in 2015.

    “We here at the Center for Media Monitoring and Analysis at the Saudi Royal Court (THE King Office) would like to be in productive cooperation with you and develop a long and strategic partnership,” Al-Qahtani wrote using that .gov.sa address in a message sent directly to Hacking Team’s co-founder and CEO David Vincenzetti in 2015.

    The emails show that Hacking Team was conducting business with this person; Vincenzetti promptly answered Al-Qahtani, noting that his “trusted Arab colleague will get in touch with you shortly.” Another email exchanged between that official Saudi government email address and Hacking Team referenced phone calls between company representatives and Al-Qahtani, and one of the emails appears to be tech support troubleshooting.

    In 2012, years before the government-affiliated s.qahtani@royalcourt.gov.sa email address reached out to Hacking Team, someone calling themselves “Saud Al-Qahtani” and representing themselves as a member of the Saudi government, reached out to Hacking Team saying the Saudi government was interested in buying spyware, according to the emails. That Al-Qahtani identified as an employee of “royal court of saudi arabia, the king office,” and used the email saudq1978@gmail.com.

    Al-Qahtani’s verified Twitter handle, where he makes strong political statements against Saudi Arabia’s enemies in the region, is @saudq1978, which was created in February 2011. The saudq1978@gmail.com email address was also used in 2009 to register an account on the popular website Hack Forums, which predates both the Hacking Team emails and the registration of the verified Twitter account, Motherboard has learned.

    “We need you to come ASAP,” someone using the saudq1978@gmail.com email address wrote in one of the first emails exchanged with Hacking Team employees.

    Motherboard has not been able to definitively link the saudq1978@gmail.com email to Al-Qahtani, but the tone and substance of the emails are similar to those sent from the s.qahtani@royalcourt.gov.sa email address. The emails also show that Hacking Team was initially skeptical and asked him to use an official email address.

    “Since our policy allows us to work with governmental agencies only, I would like to know more information about this opportunity (the agency name and its needs). Your official email address is highly appreciated,” a sales manager told them.

    The person using saudq1978@gmail.com told Hacking Team that, at the time, the Royal Court did not use official email. “Im authorized from my government to contact you. We are from the royal court of saudi arabia, the king office,” they wrote. “We don’t have official emails and we use secure fax only.”

    Hacking Team was apparently satisfied with this response (or a follow-up fax), because the company continued to correspond with that email address, and eventually set up a meeting in Saudi Arabia’s capital of Riyadh: “It is a pleasure for Hacking Team to visit you in Riyadh. We would be available to show you a live demo and a presentation of our solution on May the 9th 2012,” an account manager said in an email.

    Around the same time it was corresponding with Hacking Team, whoever was using the saudq1978@gmail.com email address was also actively looking for hacking and surveillance tools elsewhere on the internet.

    Someone using the same saudq1978@gmail.com email address used in earlier correspondence with Hacking Team as “Saud Al-Qahtani” was also a prolific member of the online cybercrime community Hack Forums for years, asking for help hacking victims and using surveillance software. The forum is considered a place mostly for young hackers with limited skills, where people can exchange hacking tips and buy rudimentary hacking tools and services.

    Users need an email to register for a user account on the forum, and the email saudq1978@gmail.com was used to register the user Nokia2mon2, according to data published online by hackers who breached Hack Forums in 2011, which was reviewed by Motherboard.

    A longtime Hack Forums insider told Motherboard that Nokia2mon2 had a Saudi Arabian address on the Paypal account he used to make donations to the forum. The source said that some vendors on the forums at the time operated under the assumption that the user was working for the Saudi Arabian government.

    “I got the impression that he was well connected to the Royal family,” the source, who asked to remain anonymous to avoid bringing attention to his online persona, said in an online chat. “The rumor was that he was using Hack Forums to get tools to spy on journalists, foreigners, and dissidents.”

    In its entry about Nokia2mon2, the forum wiki calls him “one of the most known Hack Forums users.”

    Nokia2mon2 made hefty donations, amounting to more than $10,000, to the forum, according to awards given to him by the site’s moderation team and listed on his user profile. Nokia2mon2 made 501 posts on the site between 2009 and April 2016, when the account went inactive. The user often asked for help using and buying spyware.

    “IS THERE ANY RAT THAT CAN INFECT MAC PC?” Nokia2mon2 asked in March 2014, using the infosec lingo for Remote Access Tool, software that can be used to control computers remotely and is popular among malicious hackers who want to break into victims’ computers and steal their files or turn on their webcams.

    In another thread, the user said they were looking for an “expert” who could help with njRAT, a relatively popular and easy to use piece of spyware, because “AFTER executing THE FILE IN VICTIM after 1 SECOND its [disconnected].” The user offered $200 for their service.

    Security researcher Jacob Riggs was the first one to alert Motherboard that Al-Qahtani’s apparent Gmail appeared in both the Hacking Team leak and the Hack Forums leak. Motherboard independently verified that saudq1978@gmail.com is indeed the email associated with Nokia2mon2. We were not able to conclusively link that Gmail address to the former Saudi government advisor Saud Al-Qahtani, but through the Hacking Team emails were able to confirm that the email address was used to solicit hacking tools and to plan an in-person meeting with Hacking Team in Saudi Arabia.

    Dylan Hailey, a cybersecurity researcher who said he used to monitor Hack Forums as part of his job at the time, told Motherboard that he still remembers the user Nokia2mon2.

    What stuck out the most about Nokia2mon2, Hailey said, was that he was willing to offer a lot of money for relatively easy and generally cheap services.

    “He did pay large amounts to have people target others for him, but he did it very poorly,” Hailey said in an online chat, adding that it was unusual because he believed many of the users on the site to be young people who typically didn’t have a lot of spare cash. “When most people from that site were minors it was rare to see that,” he added.

    Hailey said he didn’t know who Nokia2mon2 was at the time. But he said it was clear the user was from Saudi Arabia or at least from the Middle East because one time Nokia2mon2 attempted to pay someone to setup malware for him and he exposed banking information that indicated he was from Saudi Arabia. Another time, Hailey recalled, Nokia2mon2 asked for help hacking a target by posting the victim’s email address, which prompted many users to spam the target.

    ...

    ———–

    “How ‘Mr. Hashtag’ Helped Saudi Arabia Spy on Dissidents” by Lorenzo Franceschi-Bicchierai; Vice; 10/29/2018

    “Saudi Arabia has become a sophisticated hacking machine, able to target dissidents living on the other side of the world with expensive spyware. The regime has long focused on surveillance; the country bought hacking tools from Italian spyware vendor Hacking Team, according to emails that became public after the company was hacked in 2015. Several Saudi agencies paid Hacking Team almost 5 million euros in five years, according to spreadsheets leaked as part of the 2015 Hacking Team breach. In 2016, a year after Hacking Team’s embarrassing breach, a mysterious Saudi investor acquired 20 percent of the company, saving it from going under, as Motherboard reported earlier this year.”

    Hacking Team, the Italian government hacking toolkit firm, gets hacked in 2015, starts losing clients, and a mysterious Saudi investor acquires a 20 percent stake in 2016 (likely May of 2016). And it turns out Hacking Team’s contact with the Saudi government going back to 2012 was Saud Al-Qahtani, the same government official close to Mohammed bin Salman who led the Jamal Khashoggi murder operation and became the official fall guy by the Saudi government to cover bin Salman ordering the operation. Al-Qahtani is also Saudi Arabia’s social media operations guy. So he’s a pretty busy guy. Or was busy before the Khashoggi murder:

    ...
    According to the Hacking Team emails, a Saudi government advisor named Saud Al-Qahtani served as the kingdom’s primary point of contact with Hacking Team. Al-Qahtani also apparently remotely oversaw the murder of Khashoggi via Skype, insulting the journalist and ordering his colleagues to “bring me the head of the dog,” according to Reuters.

    Until being fired last week, Saud Al-Qahtani worked as media adviser for Mohammed bin Salman. Some called him Saudi Arabia’s Steve Bannon, or “Mr. Hashtag” for his deft use of propaganda and social media online. He used to play a key role for the government, heading the kingdom’s efficient efforts to disseminate disinformation and harass critics on social media, which earned him the nickname of “troll master.”
    ...

    Yes, Al-Qahtani was seen as MBS’s ‘Steve Bannon’. It’s a profoundly chilling description.

    And MBS’s ‘Steve Bannon’ was in charge of trawling the internet looking for hacking tools to use against dissidents and interfacing with companies like Hacking Team for technical support and meetings:

    ...
    But off of social media, Al-Qahtani—or someone claiming to be him—seems to have played a much more important role for the government: Reaching out to and setting up meetings with Hacking Team in order to purchase the company’s surveillance tools. And, perhaps, trawling the rest of the internet looking for hacking tools for the country to use against dissidents.

    Most importantly, Al-Qahtani appears to have been integral to Saudi Arabia’s relationship with Hacking Team: Someone also identifying himself as Saud Al-Qahtani had a large correspondence over the years with Hacking Team using the official government email s.qahtani@royalcourt.gov.sa, and saudq@saudq.com, according to company emails leaked by hackers in 2015.

    “We here at the Center for Media Monitoring and Analysis at the Saudi Royal Court (THE King Office) would like to be in productive cooperation with you and develop a long and strategic partnership,” Al-Qahtani wrote using that .gov.sa address in a message sent directly to Hacking Team’s co-founder and CEO David Vincenzetti in 2015.

    The emails show that Hacking Team was conducting business with this person; Vincenzetti promptly answered Al-Qahtani, noting that his “trusted Arab colleague will get in touch with you shortly.” Another email exchanged between that official Saudi government email address and Hacking Team referenced phone calls between company representatives and Al-Qahtani, and one of the emails appears to be tech support troubleshooting.
    ...

    When the Saudi government’s hacking expert needed hacking expertise he went to Hacking Team. And who knows how many other hacking firms too. We know the Saudi government is a client of NSO Group too.

    According to Hacking Team’s hacked emails, Al-Qahtani reached out to Hacking Team in 2012 for the purpose of buying spyware. But despite Hacking Team’s services, Al-Qahtani was posting on Hack Forums for years for expertise, using the same saudq1978@gmail.com email address to create his Hack Forums profile that he used to communicate with Hacking Team:

    ...
    In 2012, years before the government-affiliated s.qahtani@royalcourt.gov.sa email address reached out to Hacking Team, someone calling themselves “Saud Al-Qahtani” and representing themselves as a member of the Saudi government, reached out to Hacking Team saying the Saudi government was interested in buying spyware, according to the emails. That Al-Qahtani identified as an employee of “royal court of saudi arabia, the king office,” and used the email saudq1978@gmail.com.

    Al-Qahtani’s verified Twitter handle, where he makes strong political statements against Saudi Arabia’s enemies in the region, is @saudq1978, which was created in February 2011. The saudq1978@gmail.com email address was also used in 2009 to register an account on the popular website Hack Forums, which predates both the Hacking Team emails and the registration of the verified Twitter account, Motherboard has learned.
    ...

    Interestingly, the only reason we know that saudq1978@gmail.com was used by Al-Qahtani to register for the Hack Forums is because those forums got hacked in 2011. Which is kind of ironic and kind of fitting. Either way, Al-Qahtani’s Nokia2mon2 account was described as “prolific” in its requests for help:

    ...
    Around the same time it was corresponding with Hacking Team, whoever was using the saudq1978@gmail.com email address was also actively looking for hacking and surveillance tools elsewhere on the internet.

    Someone using the same saudq1978@gmail.com email address used in earlier correspondence with Hacking Team as “Saud Al-Qahtani” was also a prolific member of the online cybercrime community Hack Forums for years, asking for help hacking victims and using surveillance software. The forum is considered a place mostly for young hackers with limited skills, where people can exchange hacking tips and buy rudimentary hacking tools and services.

    Users need an email to register for a user account on the forum, and the email saudq1978@gmail.com was used to register the user Nokia2mon2, according to data published online by hackers who breached Hack Forums in 2011, which was reviewed by Motherboard.

    A longtime Hack Forums insider told Motherboard that Nokia2mon2 had a Saudi Arabian address on the Paypal account he used to make donations to the forum. The source said that some vendors on the forums at the time operated under the assumption that the user was working for the Saudi Arabian government.

    “I got the impression that he was well connected to the Royal family,” the source, who asked to remain anonymous to avoid bringing attention to his online persona, said in an online chat. “The rumor was that he was using Hack Forums to get tools to spy on journalists, foreigners, and dissidents.”

    In its entry about Nokia2mon2, the forum wiki calls him “one of the most known Hack Forums users.”
    ...

    A potentially important detail in relation to the DNC hack is that Al-Qahtani made 501 posts as Nokia2mon2 between 2009 and April of 2016, when the account went inactive. So right around the time of the DNC server hack, Al-Qahtani stops posting in the hacker forum:

    ...
    Nokia2mon2 made hefty donations, amounting to more than $10,000, to the forum, according to awards given to him by the site’s moderation team and listed on his user profile. Nokia2mon2 made 501 posts on the site between 2009 and April 2016, when the account went inactive. The user often asked for help using and buying spyware.
    ...

    But there was that Saudi investment in Hacking Team in May of 2016, so perhaps that explains Saud Al-Qahtani’s Nokia2mon2 account going quiet a month earlier after seven years of posting. Maybe the investment just got the kingdom much better on-call hacking tech support that made the Hack Forums posts unnecessary.

    But when Al-Qahtani was posting on the Hack Forums, it sounds like he was willing to hire strangers he met over the internet on these cybercrime forums for help and would hire people to target other people. But he was remembered as paying a lot for relatively simple services:

    ...
    In anoth­er thread, the user said they were look­ing for an “expert” who could help with njRAT, a rel­a­tive­ly pop­u­lar and easy to use piece of spy­ware, because “AFTER exe­cut­ing THE FILE IN VICTIM after 1 SECOND its [dis­con­nect­ed].” The user offered $200 for their ser­vice.

    Security researcher Jacob Riggs was the first one to alert Motherboard that Al-Qahtani’s apparent Gmail appeared in both the Hacking Team leak and the Hack Forums leak. Motherboard independently verified that saudq1978@gmail.com is indeed the email associated with Nokia2mon2. We were not able to conclusively link that Gmail address to the former Saudi government advisor Saud Al-Qahtani, but through the Hacking Team emails were able to confirm that the email address was used to solicit hacking tools and to plan an in-person meeting with Hacking Team in Saudi Arabia.

    Dylan Hailey, a cybersecurity researcher who said he used to monitor Hack Forums as part of his job at the time, told Motherboard that he still remembers the user Nokia2mon2.

    What stuck out the most about Nokia2mon2, Hailey said, was that he was willing to offer a lot of money for relatively easy and generally cheap services.

    “He did pay large amounts to have people target others for him, but he did it very poorly,” Hailey said in an online chat, adding that it was unusual because he believed many of the users on the site to be young people who typically didn’t have a lot of spare cash. “When most people from that site were minors it was rare to see that,” he added.

    Hailey said he didn’t know who Nokia2mon2 was at the time. But he said it was clear the user was from Saudi Arabia or at least from the Middle East because one time Nokia2mon2 attempted to pay someone to set up malware for him and he exposed banking information that indicated he was from Saudi Arabia. Another time, Hailey recalled, Nokia2mon2 asked for help hacking a target by posting the victim’s email address, which prompted many users to spam the target.
    ...

    Overpaying strangers on the cybercrime forums to target political opponents and dissidents. It’s all in a day’s work for MBS’s ‘Steve Bannon’.

    And that all gives a much better idea of Saudi Arabia’s hacking capabilities from around 2009–2016: the chief of hacking capabilities was on hacker forums asking for technical support and offering to pay for people to carry out basic hack attacks on the kingdom’s opponents.

    And the Hack Forums posts all end in April of 2016, a month after the DNC hack and a month before the Saudi investment in Hacking Team. It explains why the Hacking Team investment was probably a pretty good investment and why we should expect a lot more Saudi investments in hacking expertise. Far fewer cybercrime forum posts are required.

    And don’t forget that the Saudi government is just one of many governments around the world that would probably like to buy themselves some elite hacking capabilities, which is why ‘government hacker for hire’ is probably going to be a pretty good job market for the foreseeable future.

    Posted by Pterrafractyl | February 10, 2019, 11:26 pm
  11. As the US 2020 presidential election cycle gets underway one of the many horrible looming questions is whether or not we’re going to see a repeat of the 2016 #TrumpRussia dynamic. Specifically, whether or not we’re going to see a major political hack that, based on the technical evidence, could have been pulled off by anyone but gets reflexively blamed on the Russian government by default regardless of the strength of the evidence. And are we going to see a repeat of the massive social media right-wing disinformation campaign that is also almost reflexively blamed on Russia despite the fact that the available evidence of the Kremlin troll farm activity indicates it was insignificant in 2016 compared to the Republican Party’s massive disinformation apparatus. And as the following articles suggest, yes, we are poised to see a repeat of both of those phenomena.

    For starters, as the following Daily Beast article highlights, it’s becoming increasingly clear that the Trump campaign and the Republican Party in general are actively planning on exploiting political hacks. Or at least are very open to it if the opportunity arises. And they aren’t hiding it. That’s the picture that emerges after the Daily Beast asked all of the Democratic campaigns that have already announced and the Trump campaign whether or not they would pledge to not use hacked materials in the 2020 campaign. The only campaign that wouldn’t take the pledge is, of course, the Trump campaign.

    Now, in fairness, we have to note that the nature of an ‘anti-hack’ pledge can be somewhat vague. Is it a pledge to not actively seek out hacked materials? If so, that’s definitely a pledge we would want the Trump campaign to make given that the campaign was deeply involved with the entire Peter Smith operation to make contact with hackers they believed had previously hacked Hillary Clinton’s private email server. An operation that included multiple Trump people (Michael Flynn, Steve Bannon, Kellyanne Conway, and Sam Clovis).

    Or is the pledge to not actively work with entities like Wikileaks to maximize the political impact of a hack? If so, that’s also a pledge we would definitely want the Trump campaign to make given the multiple campaign contacts with Wikileaks. There was Roger Stone’s apparent contacts with Wikileaks. Contacts that allegedly took place in the spring of 2016. And Roger Stone’s admitted contacts with “Guccifer 2.0”. Plus Don Jr’s contact with Assange in the fall of 2016. And we can’t forget Cambridge Analytica’s offer to Wikileaks to help index the hacked emails to make them easier to search. In other words, we have every reason to believe that the Trump team is more than happy to actively work with hackers because they have repeatedly attempted to do so already.

    But this ‘no hacking’ pledge could be a far more general pledge to not even make reference to hacked materials even if they are independently released by hackers who have nothing to do with the campaign. And that’s the pledge the Daily Beast asked the campaigns if they were willing to make: A pledge to not use or reference hacked materials that get released. This is a much trickier pledge to take simply because once information is released it’s much harder to expect campaigns to totally ignore that information if it becomes part of the media coverage. Plus, if it turns out the Trump campaign gets hacked and documents released it would almost be wrong for the Democrats to ignore that information after the Trump campaign’s 2016 behavior. Especially after the Trump campaign refuses to make any sort of pledge for 2020.

    And it turns out all of the Democratic campaigns agreed to make that pledge. If the Trump campaign gets hacked and the materials are released, all of the Democrats agreed to not even reference it.

    And as the following article notes, the Democratic and Republican parties had actually been working on an anti-hacking agreement between the two parties, but the Republican Party eventually backed out of the talks, citing the idea of agreeing to not even refer to released hacked materials as going too far.

    So we have the Democrats already pledging to not even reference hacked materials at the same time the Republican party refuses and the Trump campaign refuses any pledge at all. Not even a much weaker pledge to not seek out hacked materials. That raises the obvious question of whether or not the Democrats will be expected to stick to those pledges if the Republicans never return the favor. But at this point there should be little question as to whether or not the Republican party and the Trump campaign are planning on relying on political hacks as part of their 2020 campaign strategies:

    The Daily Beast

    Trump Won’t Rule Out Using Stolen Data in 2020 Campaign

    Democratic candidates have committed not to use hacked materials. The Trump campaign declined to make such a pledge.

    Sam Stein, Jackie Kucinich, Scott Bixby
    02.21.19 9:01 PM ET

    Nearly three years after hacked materials upended the 2016 presidential campaign, every Democratic candidate running for the White House has pledged not to knowingly use such material should they end up being published during the current election cycle.

    Only one 2020 campaign declined to make such a commitment: President Donald Trump’s.

    The Daily Beast asked each presidential campaign either up-and-running or in its exploratory phase whether they would commit to not knowingly using or referencing hacked material that appears online on grounds that it may have been obtained illegally.

    Each Democratic candidate responded with some form of commitment to not use hacked materials. Sen. Kirsten Gillibrand’s (D‑N.Y.) team issued a statement in the senator’s name in which she stressed that both campaigns and members of the media needed to “learn serious lessons from their cyber attack on our election systems in 2016.”

    “For my part,” Gillibrand added, “I vow that our campaign will not seek out stolen hacked information from foreign adversaries or knowingly weaponize or promote stolen hacked materials, and I urge all of my colleagues in the 2020 field to pledge the same.”

    Josh Orton, a top adviser to Sen. Bernie Sanders (I‑VT), said that the senator “believes the American people want an issue-based campaign,” while adding, “We would not use stolen material to attack another candidate.”

    Jeff Giertz, a spokesman for Senator Cory Booker’s (D‑NJ) campaign, said that, “Unlike Donald Trump who welcomed and encouraged election interference from a foreign adversary, our campaign condemns the use for political gain of information or material obtained by illegal means.”

    Kristen Orthman, a top aide to Sen. Elizabeth Warren (D‑MA), said the Massachusetts Democrat would commit to not using materials obtained by illegal means. So too did Ian Sams, a spokesman for Sen. Kamala Harris’ (D‑CA) campaign, and Lis Smith, a top adviser to Mayor Pete Buttigieg.

    Jennifer Fiore, a senior adviser for Julian Castro’s campaign, said that, “Without question, Julián Castro’s campaign would never knowingly use or reference material that [was] obtained through illegal means.”

    Erika Tsuji, a spokesperson for Rep. Tulsi Gabbard’s (D‑HI) campaign, said, “Tulsi commits to not using hacked materials on competitors, and calls upon other candidates who are running to make the same commitment.”

    Lis Smith, communications adviser to Mayor Pete Buttigieg’s campaign, told The Daily Beast that the candidate “will not use” any hacked materials against fellow candidates.

    “Our campaign will not knowingly use hacked materials that have been obtained illegally,” a spokesman for Sen. Amy Klobuchar’s (D‑MN) campaign said.

    An aide to former Starbucks CEO Howard Schultz, who is mulling an independent presidential bid, said that, “if we were to become a campaign we would follow that rule.”

    Numerous attempts to obtain comment from the Trump campaign were not returned. But after publication, Kayleigh McEnany, the Trump campaign’s national press secretary, sent the following note: “We’re not in the business of taking pledges invented by the liberal online media.”

    The remarks from the field of Democratic candidates and Schultz reflect the acute sensitivity and fear that many operatives have about the possibility of a rerun of the last presidential election.

    ...

    In the aftermath of that episode, efforts were made between the two major political parties to strike a pact that would effectively bind them from weaponizing stolen or hacked content again. But those conversations never culminated in an actual agreement. The Democratic Congressional Campaign Committee and the National Republican Campaign Committee came close in the 2018 cycle. But talks broke down after the NRCC balked at the idea that they or their candidates couldn’t reference or highlight press reports that were based on materials that had been hacked. The committee’s logic was that it would be virtually impossible to simply not acknowledge information that was already in the public domain.

    It remains to be seen if the Democratic candidates who have made pledges not to knowingly use hacked materials will also balk at not referencing press reports based on those materials. Aides who spoke to The Daily Beast said there had not been back-channel conversations about forming some larger pact. But they also noted that the campaign had just begun.

    To date, there has been no apparent hacking of any candidate or campaign running in 2020. But Russian hackers did target candidates in the midterm cycle and the fear among operatives and cybersecurity experts is that the same pattern will hold true in this election.

    ———-

    “Trump Won’t Rule Out Using Stolen Data in 2020 Campaign” by Sam Stein, Jackie Kucinich, Scott Bixby; The Daily Beast; 02/21/2019

    “The Daily Beast asked each presidential campaign either up-and-running or in its exploratory phase whether they would commit to not knowingly using or referencing hacked material that appears online on grounds that it may have been obtained illegally.”

    That was the question the Daily Beast asked each campaign: will you pledge to not use or reference hacked materials? And only the Trump campaign refused to make that commitment:

    ...
    Only one 2020 campaign declined to make such a commitment: President Donald Trump’s.

    ...

    Numerous attempts to obtain comment from the Trump campaign were not returned. But after publication, Kayleigh McEnany, the Trump campaign’s national press secretary, sent the following note: “We’re not in the business of taking pledges invented by the liberal online media.”
    ...

    And the Trump campaign isn’t alone in refusing to make such a commitment. As the article notes, when the Democratic and Republican parties tried to make a no-hacking pact, the Republicans balked at the idea of not even referencing hacked materials once they’re released. And while it’s a somewhat valid argument that it would be virtually impossible to ignore information that’s already in the public domain, it’s also a very valid counter-argument to point out that we have every reason to suspect the GOP of planning on exploiting future hacks and that’s why the party is refusing the pledge:

    ...
    In the aftermath of that episode, efforts were made between the two major political parties to strike a pact that would effectively bind them from weaponizing stolen or hacked content again. But those conversations never culminated in an actual agreement. The Democratic Congressional Campaign Committee and the National Republican Campaign Committee came close in the 2018 cycle. But talks broke down after the NRCC balked at the idea that they or their candidates couldn’t reference or highlight press reports that were based on materials that had been hacked. The committee’s logic was that it would be virtually impossible to simply not acknowledge information that was already in the public domain.
    ...

    So that’s all one reason we should expect a repeat of the 2016 hacks. Next, the following two articles highlight why we should expect any 2020 hacks to be reflexively attributed to Russia regardless of the strength of the evidence.

    First, here’s a Politico article about a “sustained and ongoing” disinformation campaign being waged against the Democratic candidates on social media. The article describes a study that was done on behalf of Politico by the group Guardians.ai, a firm that specializes in protecting pro-democracy groups from cyberattacks and disinformation campaigns. Guardians.ai had previously studied how a Twitter network of 200 core profiles was responsible for a highly prolific social media disinformation campaign in promoting false memes around voter fraud in the 2018 US mid-terms. And that same core group of 200 Twitter profiles is now aggressively promoting all sorts of disinformation about the 2020 Democratic candidates.

    It’s an interesting study. But as we’re going to see, the fact that this Twitter disinformation network is already running disinformation operations in 2020 is being cited as an example of how state actors, in particular Russia but also North Korea and Iran, are already meddling in the 2020 election. And this assertion is being made despite the fact that the Guardians.ai study in no way attributes that Twitter network of 200 users to Russia or any government at all and despite the fact that the analysts make clear that much of the disinformation activity appears to be “organic”, as in, it’s real people just pumping out right-wing disinformation on their own. So why are state actors suspected to be behind this network? Because some of the disinformation activity is also clearly organized and “shares characteristics” with the Kremlin’s Internet Research Agency activity from 2016. What are those shared characteristics? We aren’t told. We’re just informed that there are “shared characteristics” and that’s the basis for the conclusion that state actors are behind at least some of this disinformation activity.

    Politico

    ‘Sustained and ongoing’ disinformation assault targets Dem presidential candidates

    A coordinated barrage of social media attacks suggests the involvement of foreign state actors.

    By NATASHA KORECKI
    02/20/2019 06:05 AM EST

    A wide-ranging disinformation campaign aimed at Democratic 2020 candidates is already underway on social media, with signs that foreign state actors are driving at least some of the activity.

    The main targets appear to be Sens. Kamala Harris (D‑Calif.), Elizabeth Warren (D‑Mass.) and Bernie Sanders (I‑Vt.), and former Rep. Beto O’Rourke (D‑Texas), four of the most prominent announced or prospective candidates for president.

    A POLITICO review of recent data extracted from Twitter and from other platforms, as well as interviews with data scientists and digital campaign strategists, suggests that the goal of the coordinated barrage appears to be undermining the nascent candidacies through the dissemination of memes, hashtags, misinformation and distortions of their positions. But the divisive nature of many of the posts also hints at a broader effort to sow discord and chaos within the Democratic presidential primary.

    The cyber propaganda — which frequently picks at the rawest, most sensitive issues in public discourse — is being pushed across a variety of platforms and with a more insidious approach than in the 2016 presidential election, when online attacks designed to polarize and mislead voters first surfaced on a massive scale.

    Recent posts that have received widespread dissemination include racially inflammatory memes and messaging involving Harris, O’Rourke and Warren. In Warren’s case, a false narrative surfaced alleging that a blackface doll appeared on a kitchen cabinet in the background of the senator’s New Year’s Eve Instagram livestream.

    Not all of the activity is organized. Much of it appears to be organic, a reflection of the politically polarizing nature of some of the candidates. But there are clear signs of a coordinated effort of undetermined size that shares similar characteristics with the computational propaganda attacks launched by online trolls at Russia’s Internet Research Agency in the 2016 presidential campaign, which special counsel Robert Mueller accused of aiming to undermine the political process and elevate Donald Trump.

    “It looks like the 2020 presidential primary is going to be the next battleground to divide and confuse Americans,” said Brett Horvath, one of the founders of Guardians.ai, a tech company that works with a consortium of data scientists, academics and technologists to disrupt cyberattacks and protect pro-democracy groups from information warfare. “As it relates to information warfare in the 2020 cycle, we’re not on the verge of it — we’re already in the third inning.”

    An analysis conducted for POLITICO by Guardians.ai found evidence that a relatively small cluster of accounts — and a broader group of accounts that amplify them — drove a disproportionate amount of the Twitter conversation about the four candidates over a recent 30-day period.

    Using proprietary tools that measured the discussion surrounding the candidates in the Democratic field, Guardians.ai identified a cohort of roughly 200 accounts — including both unwitting real accounts and other “suspicious” and automated accounts that coordinate to spread their messages — that pumped out negative or extreme themes designed to damage the candidates.

    This is the same core group of accounts the company first identified last year in a study as anchoring a wide-scale influence campaign in the 2018 elections.

    Since the beginning of the year, those accounts began specifically directing their output at Harris, O’Rourke, Sanders and Warren, and were amplified by an even wider grouping of accounts. Over a recent 30-day period, between 2 percent and 15 percent of all Twitter mentions of the four candidates emanated in some way from within that cluster of accounts, according to the Guardians.ai findings. In that time frame, all four candidates collectively had 6.8 million mentions on Twitter.

    “We can conclusively state that a large group of suspicious accounts that were active in one of the largest influence operations of the 2018 cycle is now engaged in sustained and ongoing activity for the 2020 cycle,” Horvath said.

    Amarnath Gupta, a research scientist at the San Diego Supercomputer Center at the University of California at San Diego who monitors social media activity, said he’s also seen a recent surge in Twitter activity negatively targeting three candidates — O’Rourke, Harris and Warren.

    That increased activity includes a rise in the sheer volume of tweets, the rate at which they are being posted and the appearance of “cluster behavior” tied to the three candidates.

    “I can say that from a very, very cursory look, a lot of the information is negatively biased with respect to sentiment analysis,” said Gupta, who partnered with Guardians.ai on a 2018 study.

    According to the Guardians.ai analysis, Harris attracted the most overall Twitter activity among the 2020 candidates it looked at, with more than 2.5 million mentions over the 30-day period.

    She was also among the most targeted. One widely seen tweet employed racist and sexist stereotypes in an attempt to sensationalize Harris’ relationship with former San Francisco Mayor Willie Brown. That tweet — and subsequent retweets and mentions tied to it — made 8.6 million “potential impressions” online, according to Guardians.ai, an upper limit calculation of the number of people who might have seen it based on the accounts the cluster follows, who follows accounts within the cluster and who has engaged with the tweet.

    Another racially charged tweet was directed at O’Rourke. The Twitter profile of the user where it originated indicates the account was created in May 2018, but it had authored just one tweet since then — in January, when the account announced it had breaking news about the former Texas congressman leaving a message using racist language on an answering machine in the 1990s. That tweet garnered 1.3 million potential impressions on the platform, according to Guardians.ai.

    A separate Guardians.ai study that looked at the focus of the 200 account group on voter fraud and false and/or misleading narratives about election integrity — published just before the midterm elections and co-authored by Horvath, Zach Verdin and Alicia Serrani — reported that the accounts generated or were mentioned in more than 140 million tweets over the prior year.

    That cluster of accounts was the driving force behind an effort to aggressively advance conspiracy theories in the 2018 midterms, ranging from misinformation about voter fraud to narratives involving a caravan coming to the United States, and even advocacy of violence.

    Horvath asserts that the activity surrounding the cluster represents an evolution of misinformation and amplification tactics that began in mid-to-late 2018. The initial phase that began in 2016 was marked by the creation of thousands of accounts that were more easily detected as bots or as coordinated activity.

    The new activity, however, centers on a refined group of core accounts — the very same accounts that surfaced in the group’s 2018 voter fraud study. Some of the accounts are believed to be highly sophisticated synthetic accounts operated by people attempting to influence conversations, while others are coordinated in some way by actors who have identified real individuals already tweeting out a desired message.

    Tens of thousands of other accounts then work in concert to amplify the core group through mentions and retweets to drive what appears, on the surface, to be organic virality.

    Operatives with digital firms, political campaigns and other social media monitoring groups also report seeing a recent surge in false narratives or negative memes against 2020 candidates.

    A recent analysis from the social media intelligence firm Storyful detected spikes in misinformation activity over social media platforms and online comment boards in the days after each of the 2020 candidates launched their presidential bids, beginning with Warren’s announcement on Dec. 31.

    Fringe news websites and social media platforms, Storyful found, played a significant role in spreading anti-Warren sentiment in the days after she announced her candidacy on Dec. 31. Using a variety of keyword searches for mentions of Warren, the firm reported evidence of “spam or bot-like” activity on Facebook and Twitter from some of the top posters.

    Kelly Jones, a researcher with Storyful who tracked suspicious activity in the three days after the campaign announcements of Harris, Warren, Rep. Tulsi Gabbard (D‑Hawaii), and Sen. Cory Booker (D‑N.J.), said she’s seen a concerted push over separate online message boards to build false or derogatory narratives.

    Among the fringe platforms Storyful identified were 4Chan and 8Chan, where messages appeared calling on commenters to quietly wreak havoc against Warren on social media or in the comments section under news stories.

    “Point out that she used to be Republican but switched sides and is a spy for them now. Use this quote out of context: ‘I was a Republican because I thought that those were the people who best supported markets,’” wrote one poster on the 4Chan message board.

    “We’re seeing a lot of that rhetoric for nearly each candidate that comes out,” Jones said. “There is a call to action on these fringe sites. The field is going to be so crowded that they say ‘OK: Operation Divide the Left.’”

    An official with the Harris campaign said they suspect bad actors pushing misinformation and false narratives about the California Democrat are trying to divide African Americans, or to get the media to pay outsized attention to criticism designed to foster divisions among the Democratic primary electorate.

    Researchers and others interviewed for this story say they cannot conclusively point to the actors behind the coordinated activity. It’s unclear if they are rogue hackers, political activists or, as some contend, foreign state actors such as Russia, since it bears the hallmarks of earlier foreign attacks. One of the objectives of the activity, they say, is to divide the left by making the Democratic presidential primary as chaotic and toxic as possible.

    Teddy Goff, who served as Obama for America’s digital director, broadly described the ongoing organized efforts as the work of “a hodgepodge. It’s a bit of an unholy alliance.”

    “There are state supporters and funders of this stuff. Russia. North Korea is believed to be one, Iran is another,” he said. “In certain cases it appears coordinated, but whether coordinated or not, there are clearly actors attempting to influence the primary by exacerbating divisions within the party, painting more moderate candidates as unpalatable to progressives and more progressive candidates as unpalatable to more mainstream Dems.”

    A high-ranking official in the Sanders campaign expressed “serious concerns” about the impact of misinformation on social media, calling it “a type of political cyber warfare that’s clearly having an impact on the democratic process.” The official said the Sanders campaign views the activity it’s already seeing as involving actors that are both foreign and domestic.

    Both Twitter and Facebook, which owns Instagram, have reported taking substantial measures since 2016 to identify and block foreign actors and others who violate platform rules.

    While Twitter would not specifically respond to questions about the Guardians.ai findings, last year the company reported challenging millions of suspect accounts every month, including those exhibiting “spammy and automated behavior.” After attempts to authenticate the accounts through email or by phone, Twitter suspended 75 percent of the accounts it challenged from January to June 2018.

    In January 2019, Twitter published an accounting of efforts to combat foreign interference over political conversations happening on the platform. Earlier efforts included releasing data sets of potential foreign information operations that have appeared on Twitter, which were composed of 3,841 accounts affiliated with the IRA, that originated in Russia, and 770 other accounts that potentially originated in Iran.

    “Our investigations are global and ongoing, but the data sets we recently released are ones we’re able to reliably attribute and are disclosing now,” a Twitter spokesperson said in a statement to POLITICO. “We’ll share more information if and when it’s available.”

    Facebook says it has 30,000 people working on safety and security and that it is increasingly blocking and removing fake accounts. The company also says it has brought an unprecedented level of transparency to political advertising on its platform.

    ...

    ————

    “‘Sus­tained and ongo­ing’ dis­in­for­ma­tion assault tar­gets Dem pres­i­den­tial can­di­dates” by NATASHA KORECKI; Politi­co; 02/20/2019

    “A wide-rang­ing dis­in­for­ma­tion cam­paign aimed at Demo­c­ra­t­ic 2020 can­di­dates is already under­way on social media, with signs that for­eign state actors are dri­ving at least some of the activ­i­ty.

    So a large disinformation campaign directed against the Democrats has already been detected. No one knows exactly who is behind it, but there are “signs” that foreign state actors are driving some of the activity. That is the conclusion of the analysis Politico commissioned from Guardians.ai.

    What are the signs that foreign state actors, and not simply Republicans and American right-wingers, are behind the detected misinformation networks? The networks share characteristics with the Internet Research Agency’s Kremlin trolling operations. Which characteristics? And how do those shared characteristics establish that the network Guardians.ai identified, which pushed a right-wing voter fraud disinformation campaign in the 2018 midterms and is now attacking Democratic primary candidates, is a Kremlin network rather than a GOP/‘Alt Right’/4chan troll network? We aren’t told. We are simply told that this identified network of 200 Twitter accounts shares characteristics with a Kremlin campaign, and that is used to justify the claim that some, but not all, of the disinformation activity they have detected is directed by the Kremlin.

    And some of the disinformation activity the Guardians.ai analysts detected probably is directed by the Kremlin, since there is clear evidence of Kremlin-directed internet trolling and disinformation campaigns. The problem has always been that the evidence directly connected to the Internet Research Agency pointed to an unfocused, largely insignificant and incidental collection of experimental trolling and disinformation campaigns: nothing major, and all of it minuscule compared to the scale of American political influence operations.

    In other words, the Kremlin’s online disinformation campaigns are very real, but they are a faint echo in a much larger disinformation cacophony dominated by the Western right wing’s myriad disinformation networks. The networks routinely bombarding US audiences with disinformation range from ‘Alt Right’ neo-Nazi and grassroots right-wing trolls voluntarily running organized and disorganized disinformation campaigns (for the lulz) to paid dirty-tricks operations run by professionals on behalf of the GOP. Then there are the combined efforts of right-wing financiers like Peter Smith, who pay for dirty-tricks operations and run their own private fundraising networks for them. And we can’t forget the massive online personalized micro-targeting operation run by the Trump campaign, which is being upgraded for 2020. That will include Brad Parscale’s newly formed firm, Data Propria, run by four key Cambridge Analytica employees who were involved in the 2016 Trump campaign’s psychological profiling of voters. By all indications these entities are all vastly more influential in American politics than the Internet Research Agency. They certainly share characteristics with the Kremlin trolls, but they aren’t Kremlin trolls, and all of them have an incentive to cover their tracks by passing themselves off as Kremlin trolls.

    This reliance on “shared characteristics” is important to keep in mind, because it is an extension of the broader problem in the cybersecurity industry of basing attribution on pattern-recognition techniques that can easily be gamed and spoofed. Some shared characteristics are spotted, it is assumed that the Kremlin is behind some of the activity, and then it is insinuated that the Kremlin is probably behind a lot of it. But on the available evidence the Kremlin is a bit player in online US disinformation compared to American right-wing sources. So even if the Kremlin’s campaigns share characteristics with right-wing campaigns, a given campaign that could be either is far more likely to be right-wing, simply because the right wing is pumping out vastly more disinformation. Shared characteristics tell you a campaign is coordinated; they do not tell you who is coordinating it:

    ...
    A POLITICO review of recent data extract­ed from Twit­ter and from oth­er plat­forms, as well as inter­views with data sci­en­tists and dig­i­tal cam­paign strate­gists, sug­gests that the goal of the coor­di­nat­ed bar­rage appears to be under­min­ing the nascent can­di­da­cies through the dis­sem­i­na­tion of memes, hash­tags, mis­in­for­ma­tion and dis­tor­tions of their posi­tions. But the divi­sive nature of many of the posts also hints at a broad­er effort to sow dis­cord and chaos with­in the Demo­c­ra­t­ic pres­i­den­tial pri­ma­ry.

    ...

    Not all of the activ­i­ty is orga­nized. Much of it appears to be organ­ic, a reflec­tion of the polit­i­cal­ly polar­iz­ing nature of some of the can­di­dates. But there are clear signs of a coor­di­nat­ed effort of unde­ter­mined size that shares sim­i­lar char­ac­ter­is­tics with the com­pu­ta­tion­al pro­pa­gan­da attacks launched by online trolls at Russia’s Inter­net Research Agency in the 2016 pres­i­den­tial cam­paign, which spe­cial coun­sel Robert Mueller accused of aim­ing to under­mine the polit­i­cal process and ele­vate Don­ald Trump.

    “It looks like the 2020 pres­i­den­tial pri­ma­ry is going to be the next bat­tle­ground to divide and con­fuse Amer­i­cans,” said Brett Hor­vath, one of the founders of Guardians.ai, a tech com­pa­ny that works with a con­sor­tium of data sci­en­tists, aca­d­e­mics and tech­nol­o­gists to dis­rupt cyber­at­tacks and pro­tect pro-democ­ra­cy groups from infor­ma­tion war­fare. “As it relates to infor­ma­tion war­fare in the 2020 cycle, we’re not on the verge of it — we’re already in the third inning.”
    ...

    Also note that the Oxford study describing the “computational propaganda” attacks launched by the Internet Research Agency in the 2016 presidential campaign, which the article refers to, was one of two studies commissioned by the Senate Intelligence Committee. The other was the now notorious study by New Knowledge, the firm discovered to have created fake ‘Russian Twitter bots’ and intentionally used them in a successful false flag campaign designed to generate news reports that Roy Moore was getting Russian bot support. That highlights one of the key facts to keep in mind here: the attribution of Twitter bot accounts to the Kremlin is largely guesswork and can therefore be easily faked, and ignoring this invites all sorts of third parties to run ‘Russian bot’ false flag operations. Maybe it’s a firm like New Knowledge, maybe it’s the Republican Party, maybe it’s the Trump campaign, or maybe it’s some random neo-Nazi. The list of parties that would be tempted to create an easily detected ‘Russian bot’ network is pretty much everyone but Russia. By accepting low-grade attribution standards for who is behind an online propaganda network we encourage exactly that behavior: the lower the standards, the more Team Trump, the GOP and the ‘Alt Right’ trolls are going to want to create their own ‘Russian bot’ networks and join in on the fun.

    The core group of 200 Twitter accounts behind the disinformation network Guardians.ai studied is the same 200-account network they found behind a voter fraud disinformation campaign in the 2018 midterms. But as we’re going to see below, that earlier report on the voter fraud network explicitly says it makes no claims about these accounts being directed by the Kremlin. So the fact that the network Guardians.ai found running disinformation about Democratic primary candidates is the same network its researchers studied in their voter fraud project should not be taken as a sign that the network is run by the Kremlin:

    ...
    An analy­sis con­duct­ed for POLITICO by Guardians.ai found evi­dence that a rel­a­tive­ly small clus­ter of accounts — and a broad­er group of accounts that ampli­fy them — drove a dis­pro­por­tion­ate amount of the Twit­ter con­ver­sa­tion about the four can­di­dates over a recent 30-day peri­od.

    Using pro­pri­etary tools that mea­sured the dis­cus­sion sur­round­ing the can­di­dates in the Demo­c­ra­t­ic field, Guardians.ai iden­ti­fied a cohort of rough­ly 200 accounts — includ­ing both unwit­ting real accounts and oth­er “sus­pi­cious” and auto­mat­ed accounts that coor­di­nate to spread their mes­sages — that pumped out neg­a­tive or extreme themes designed to dam­age the can­di­dates.

    This is the same core group of accounts the com­pa­ny first iden­ti­fied last year in a study as anchor­ing a wide-scale influ­ence cam­paign in the 2018 elec­tions.

    ...

    A sep­a­rate Guardians.ai study that looked at the focus of the 200 account group on vot­er fraud and false and/or mis­lead­ing nar­ra­tives about elec­tion integri­ty — pub­lished just before the midterm elec­tions and co-authored by Hor­vath, Zach Verdin and Ali­cia Ser­rani — report­ed that the accounts gen­er­at­ed or were men­tioned in more than 140 mil­lion tweets over the pri­or year.

    That clus­ter of accounts was the dri­ving force behind an effort to aggres­sive­ly advance con­spir­a­cy the­o­ries in the 2018 midterms, rang­ing from mis­in­for­ma­tion about vot­er fraud to nar­ra­tives involv­ing a car­a­van com­ing to the Unit­ed States, and even advo­ca­cy of vio­lence.
    ...

    According to the Guardians.ai analysts, this core group of Twitter users represents an evolution in misinformation tactics since 2016 and is harder to identify as bots. Some of the accounts are believed to be highly sophisticated fake accounts while others are real individuals. That, of course, raises the question of whether these “highly sophisticated synthetic accounts” are in fact real people. It’s possible; this attribution business is all guesswork, after all. But inevitably there really are going to be highly sophisticated bots, and they probably already exist. At some point such bots will pass the Turing test, and that point has probably already arrived. So we shouldn’t be surprised if these 200 super-influencer Twitter accounts are sophisticated, realistic bots, or if they’re real. That point in the ‘bot wars’ has arrived:

    ...
    Hor­vath asserts that the activ­i­ty sur­round­ing the clus­ter rep­re­sents an evo­lu­tion of mis­in­for­ma­tion and ampli­fi­ca­tion tac­tics that began in mid-to-late 2018. The ini­tial phase that began in 2016 was marked by the cre­ation of thou­sands of accounts that were more eas­i­ly detect­ed as bots or as coor­di­nat­ed activ­i­ty.

    The new activ­i­ty, how­ev­er, cen­ters on a refined group of core accounts — the very same accounts that sur­faced in the group’s 2018 vot­er fraud study. Some of the accounts are believed to be high­ly sophis­ti­cat­ed syn­thet­ic accounts oper­at­ed by peo­ple attempt­ing to influ­ence con­ver­sa­tions, while oth­ers are coor­di­nat­ed in some way by actors who have iden­ti­fied real indi­vid­u­als already tweet­ing out a desired mes­sage.

    Tens of thou­sands of oth­er accounts then work in con­cert to ampli­fy the core group through men­tions and retweets to dri­ve what appears, on the sur­face, to be organ­ic viral­i­ty.

    Oper­a­tives with dig­i­tal firms, polit­i­cal cam­paigns and oth­er social media mon­i­tor­ing groups also report see­ing a recent surge in false nar­ra­tives or neg­a­tive memes against 2020 can­di­dates.
    ...

    The article also notes another disinformation analysis, by the social media intelligence firm Storyful, which found that a number of fringe sites were responsible for spikes in misinformation in the days following the announcements of Democratic candidates. 4chan and 8chan were two of the fringe sites listed, which is not at all surprising. Recall that 4chan is where the hacked Macron emails surfaced, that the US government blamed the hack on the Kremlin, that the French government refuted those assertions, and that the evidence suggests the neo-Nazi hacker Andrew ‘weev’ Auernheimer was behind it. Organizing a disinformation campaign against Democrats (and Republicans) is exactly the kind of thing we should expect on those sites, and there is no compelling reason to assume Kremlin agents are behind it. They could be, but it could just as easily be any of the forums’ numerous real posters, who are exactly the kind of posters who would revel in spreading disinformation about someone like Elizabeth Warren. Again, ‘for the lulz’ if nothing else:

    ...
    A recent analy­sis from the social media intel­li­gence firm Sto­ry­ful detect­ed spikes in mis­in­for­ma­tion activ­i­ty over social media plat­forms and online com­ment boards in the days after each of the 2020 can­di­dates launched their pres­i­den­tial bids, begin­ning with Warren’s announce­ment on Dec. 31.

    Fringe news web­sites and social media plat­forms, Sto­ry­ful found, played a sig­nif­i­cant role in spread­ing anti-War­ren sen­ti­ment in the days after she announced her can­di­da­cy on Dec. 31. Using a vari­ety of key­word search­es for men­tions of War­ren, the firm report­ed evi­dence of “spam or bot-like” activ­i­ty on Face­book and Twit­ter from some of the top posters.

    Kel­ly Jones, a researcher with Sto­ry­ful who tracked sus­pi­cious activ­i­ty in the three days after the cam­paign announce­ments of Har­ris, War­ren, Rep. Tul­si Gab­bard (D‑Hawaii), and Sen. Cory Book­er (D‑N.J.), said she’s seen a con­cert­ed push over sep­a­rate online mes­sage boards to build false or deroga­to­ry nar­ra­tives.

    Among the fringe plat­forms Sto­ry­ful iden­ti­fied were 4Chan and 8Chan, where mes­sages appeared call­ing on com­menters to qui­et­ly wreak hav­oc against War­ren on social media or in the com­ments sec­tion under news sto­ries.

    “Point out that she used to be Repub­li­can but switched sides and is a spy for them now. Use this quote out of con­text: ‘I was a Repub­li­can because I thought that those were the peo­ple who best sup­port­ed mar­kets,’” wrote one poster on the 4Chan mes­sage board.
    ...

    Finally, the article notes that NONE of the researchers interviewed claim to have conclusively shown that state actors are involved in these detected disinformation campaigns. It’s a critical point, given that the thrust of the article is that studies are showing Russian influence operations already in effect for the 2020 campaign:

    ...
    Researchers and oth­ers inter­viewed for this sto­ry say they can­not con­clu­sive­ly point to the actors behind the coor­di­nat­ed activ­i­ty. It’s unclear if they are rogue hack­ers, polit­i­cal activists or, as some con­tend, for­eign state actors such as Rus­sia, since it bears the hall­marks of ear­li­er for­eign attacks. One of the objec­tives of the activ­i­ty, they say, is to divide the left by mak­ing the Demo­c­ra­t­ic pres­i­den­tial pri­ma­ry as chaot­ic and tox­ic as pos­si­ble.
    ...

    So we have an article reporting “signs” that state actors are already involved in a 2020 disinformation campaign, when those signs appear to be largely limited to the shared characteristic of spreading disinformation in a coordinated manner. And yet none of the people interviewed could conclusively point to state actors behind any of the networks they examined. That is troubling. Not the idea of state actors ramping up 2020 influence campaigns; that is a reasonable assumption. The trouble is that the evidence consists of Twitter disinformation networks that merely share vague characteristics with Internet Research Agency campaigns, which is a very low standard for concluding you are looking at a Kremlin-directed network.
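    As an added illustration (example code written for this page, not code from Politico, Guardians.ai or the original post), the script below reproduces the structure the Politico passage above describes, a small core of accounts that is retweeted within minutes by many amplifier accounts, over constructed tweet records, detects the coordinated cluster from retweet timing alone, and then applies Bayes’ rule to show why a feature that is equally common in domestic and state-run networks cannot move the attribution away from the base rates. Every account name, timestamp, window size and probability in it is hypothetical.

```python
"""Added example for this page (not code from Politico, Guardians.ai or the
blog author). It detects a coordinated amplification cluster from retweet
timing over constructed tweet records and then shows, with Bayes' rule,
why "shares characteristics with the IRA" does not by itself shift the
attribution away from the base rates. All names, times and probabilities
below are hypothetical."""
from collections import defaultdict
from itertools import combinations


def build_sample():
    """Constructed sample (not real Twitter data): three core accounts, twenty
    amplifiers that retweet every core post within three minutes, and forty
    organic accounts that each retweet one account hours later."""
    tweets = []
    cores = ["core_1", "core_2", "core_3"]
    for i, core in enumerate(cores):          # one original post each
        tweets.append({"author": core, "rt_of": None, "t": 10 * i})
    tweets.append({"author": "pundit", "rt_of": None, "t": 5})
    for k in range(20):                       # amplifiers: fast, same three sources
        for i, core in enumerate(cores):
            tweets.append({"author": f"amp_{k:02d}", "rt_of": core,
                           "t": 10 * i + 1 + (k % 3)})
    pool = ["pundit", "core_1", "pundit"]
    for k in range(40):                       # organic: slow, one source each
        tweets.append({"author": f"user_{k:02d}", "rt_of": pool[k % 3],
                       "t": 180 + 7 * k})
    return tweets


def retweet_counts(tweets):
    """How many retweets each original author received."""
    counts = defaultdict(int)
    for tw in tweets:
        if tw["rt_of"] is not None:
            counts[tw["rt_of"]] += 1
    return dict(counts)


def fast_retweet_sets(tweets, window=5):
    """retweeter -> set of authors it retweeted within `window` minutes of
    the original post (the toy assumes one original per author)."""
    posted = {tw["author"]: tw["t"] for tw in tweets if tw["rt_of"] is None}
    fast = defaultdict(set)
    for tw in tweets:
        src = tw["rt_of"]
        if src in posted and tw["t"] - posted[src] <= window:
            fast[tw["author"]].add(src)
    return fast


def coordinated_clusters(tweets, min_shared=2, window=5, min_size=3):
    """Union-find over retweeters: two accounts are linked when they fast-
    retweeted at least `min_shared` of the same sources. Returns the
    connected components with at least `min_size` members."""
    fast = fast_retweet_sets(tweets, window)
    parent = {acct: acct for acct in fast}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in combinations(list(fast), 2):
        if len(fast[a] & fast[b]) >= min_shared:
            parent[find(a)] = find(b)
    groups = defaultdict(set)
    for acct in fast:
        groups[find(acct)].add(acct)
    return [sorted(g) for g in groups.values() if len(g) >= min_size]


def origin_posterior(prior_state, p_feature_given_state, p_feature_given_domestic):
    """P(state-run | feature) when the only alternative is a domestic network.
    A feature equally likely under both hypotheses leaves the prior unchanged."""
    num = prior_state * p_feature_given_state
    den = num + (1.0 - prior_state) * p_feature_given_domestic
    return num / den


if __name__ == "__main__":
    tweets = build_sample()
    print("retweets per source:", retweet_counts(tweets))
    for cluster in coordinated_clusters(tweets):
        print(f"coordinated cluster of {len(cluster)}: {cluster[:3]} ...")
    # hypothetical numbers: coordinated amplification is assumed to appear in
    # 90% of state-run and 90% of domestic networks; assumed prior that an
    # arbitrary coordinated network is state-run: 10%
    print("posterior state-run:", origin_posterior(0.1, 0.9, 0.9))
    # the same prior with a feature assumed to be genuinely rarer domestically
    print("posterior with discriminating feature:", origin_posterior(0.1, 0.9, 0.3))
```

    Run it directly to print the retweet counts, the detected cluster and the two posteriors. The detector recovers the twenty amplifier accounts because they all retweet the same three core accounts inside the window, while the organic accounts, each retweeting one source hours later, never link up. What the detector cannot do is say who operates the cluster: with the feature assumed equally likely under both hypotheses the posterior that the network is state-run stays at the assumed prior of 0.1, and only a feature that is genuinely rarer in domestic networks (the second call) moves it.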

    And it’s important to note that in the 2018 Guardians.ai study of the voter fraud disinformation network of 200 super-influencer accounts, the researchers explicitly point out that they have no evidence the network has anything to do with state actors, or that the accounts are necessarily bots. It’s all based on hunches:

    iwr.ai
    vot­er fraud

    Who Are They?

    The 200 accounts shown above are a sam­ple of a net­work on Twit­ter talk­ing about Vot­er Fraud and ampli­fy­ing false and/or mis­lead­ing nar­ra­tives about elec­tion integri­ty and the demo­c­ra­t­ic process. We dis­cov­ered that this group of 200 accounts either gen­er­at­ed or were men­tioned in over 140 mil­lion tweets over the last year. As you will see below, this net­work is not only grow­ing at an accel­er­at­ing rate but also coor­di­nat­ing with effec­tive tac­tics that appear to bypass many of the detec­tion meth­ods of exist­ing dis­in­for­ma­tion research.

    As you read through the rest of this sto­ry and the sub­se­quent report, you’ll prob­a­bly be left with more ques­tions than answers. We cer­tain­ly are. You might even be in awe of these net­works. We can relate to that too. Some days the size, scale, and effec­tive­ness of these mod­ern tac­tics to influ­ence con­ver­sa­tion have fueled our curios­i­ty. On oth­er days, how­ev­er, we’re left angry, sad, and frus­trat­ed at the con­tent these accounts push, and how we’ve all helped cre­ate an envi­ron­ment that allows peo­ple to weaponize par­tic­i­pa­tion and wield influ­ence over civic dia­logue so effec­tive­ly.

    We are a vol­un­teer team of researchers, tech­nol­o­gists, and artists that start­ed this project to explore the con­ver­sa­tion about Vot­er Fraud in US pol­i­tics on Twit­ter. We became inter­est­ed in this top­ic because it sits at the inter­sec­tion of the VoterID and Vot­er Sup­pres­sion con­ver­sa­tion, and while instances of Vot­er Fraud are sta­tis­ti­cal­ly infre­quent it is the sub­ject of con­sid­er­able debate online. We want­ed to know if there was a con­sis­tent con­ver­sa­tion hap­pen­ing, was it hap­pen­ing on Twit­ter, and was there some­thing behind the charged nature of the dia­logue that we should be con­cerned about. Here is what we’re not gonna say:
    * We’re not con­clud­ing that all these accounts are bots
    * We’re not con­clud­ing that these accounts are Russ­ian or orig­i­nat­ing from one source
    * We’re not con­clud­ing that all of these accounts are inten­tion­al­ly involved in an influ­ence oper­a­tion

    We are also not claim­ing that there have been no doc­u­ment­ed cas­es of Vot­er Fraud. We are won­der­ing if the real­i­ty war­rants the inten­si­ty and urgency of sto­ries that we see, or if the nar­ra­tives about Vot­er Fraud are in fact under­min­ing the Demo­c­ra­t­ic ideals they claim to be pro­tect­ing. In a brief titled Debunk­ing the Vot­er Fraud Myth the Bren­nan cen­ter used phras­es like “van­ish­ing­ly rare” and “near­ly non-exis­tent” to describe the results of research look­ing at doc­u­ment­ed cas­es of Vot­er Fraud on US elec­tions. If that research is thor­ough and accu­rate, then along with oth­er research we’ve seen on this issue it was clear that many of the nar­ra­tives relat­ed to Vot­er Fraud seem to at the very least be over­re­ac­tions, and at worst some kind of pro­pa­gan­da, dem­a­gog­ic mes­sag­ing, and/or a strat­e­gy to dis­tract peo­ple from real issues relat­ed to elec­tion integri­ty.

    Our hope is that by pre­sent­ing our work in this for­mat, we can dis­cuss what influ­ence looks like, and inves­ti­gate the roles we all play and the way coor­di­na­tion is being used against all of us online, right now. While we don’t know who these peo­ple are or why they’re doing this, we do know that they’re effec­tive, influ­en­tial, and coor­di­nat­ed in some way.

    We want to know more.

    ...

    ————

    “/VoterFraud”; iwr.ai

    “* We’re not con­clud­ing that all these accounts are bots
    * We’re not con­clud­ing that these accounts are Russ­ian or orig­i­nat­ing from one source
    * We’re not con­clud­ing that all of these accounts are inten­tion­al­ly involved in an influ­ence oper­a­tion”

    There was no evidence that the network of 200 Twitter accounts Guardians.ai studied in its voter fraud research was Russian or originated from any one source, and the accounts might have been real people. In other words, based on the evidence these groups have at their disposal, they can’t draw any conclusions about who is actually behind the accounts. That is a rather important caveat, because this is the analysis being latched onto as evidence that state actor interference is already under way in the 2020 election cycle. Again, the troubling part isn’t the speculation about state actor interference; all sorts of governments will probably be involved in 2020, especially after 2016. What’s troubling is that this Twitter network is being pointed to as evidence of state actor involvement.

    With all that in mind, it’s worth briefly recalling how the 2017 German elections were affected by large misinformation networks run not by Russians but by American right-wingers. As the article notes, the finding that it was primarily American far-right disinformation networks meddling in the German elections, and not Russian networks, was a reminder of the warning Andrew Auernheimer issued in 2016 following Trump’s victory: “There will never be an election again in which trolling, hacking and extreme far-right politics do not play a role”:

    USA Today

    There is med­dling in Ger­many’s elec­tion — not by Rus­sia, but by U.S. right wing

    Kim Hjelm­gaard, Pub­lished 11:31 a.m. ET Sept. 20, 2017

    Less than a week before Sun­day’s vote that is like­ly to hand Ger­man Chan­cel­lor Angela Merkel a fourth term, evi­dence of antic­i­pat­ed Russ­ian med­dling has yet to mate­ri­al­ize, but U.S. right-wing groups have inter­fered, accord­ing to Ger­man researchers.

    “So far we have not been able to track down any spe­cif­ic Russ­ian activ­i­ty,” said Simon Hegelich, a pro­fes­sor of polit­i­cal sci­ence data at the Tech­ni­cal Uni­ver­si­ty of Munich who has advised the Ger­man gov­ern­ment about the threat of hack­ing and fake news.

    Instead, Hegelich and oth­ers point to an alliance of most­ly anony­mous online trolls and extrem­ist agi­ta­tors who are dis­sem­i­nat­ing right-wing mate­ri­als through YouTube; mes­sag­ing board sites like 4chan and red­dit; and Gab.ai, a tex­ting ser­vice.

    “A lot of the stuff we are see­ing in Ger­many can be linked to, or is at least inspired by, the ‘alt-right’ move­ment in the U.S.,” Hegelich said, refer­ring to a loose­ly defined group whose far-right ide­ol­o­gy includes racism, pop­ulism and white nation­al­ism.

    He said prov­ing con­nec­tions among sym­pa­thiz­ers is extreme­ly dif­fi­cult and may nev­er be con­clu­sive. But an analy­sis of 300 mil­lion tweets over the past six months by Hegelich and researchers at the Tech­ni­cal Uni­ver­si­ty of Munich shows Ger­many is a hotspot for posts that use the hash­tag “#AltRight.”

    Many den­i­grate both lead­ing can­di­dates — Merkel and her con­ser­v­a­tive Chris­t­ian Demo­c­ra­t­ic Union par­ty, and her chief rival, Mar­tin Schulz of the left-of-cen­ter Social Demo­c­ra­t­ic Par­ty — with the hash­tags #Merkel and #Schulz.

    And many of those posts orig­i­nate in the U.S., adding to the impres­sion that right-wing social media users in both coun­tries may be try­ing to sway Ger­man pub­lic opin­ion. It’s pos­si­ble that some of this alt-right mes­sag­ing com­ing out of the U.S. may be con­nect­ed to Russ­ian inter­fer­ence; that, too, is dif­fi­cult to deter­mine, Hegelich said.

    “There will nev­er be an elec­tion again in which trolling, hack­ing and extreme far-right pol­i­tics do not play a role,” Andrew Auern­heimer, a hack­er and blog­ger for the U.S. neo-Nazi Dai­ly Stormer web­site wrote after Don­ald Trump’s elec­tion vic­to­ry last year.

    The Dai­ly Stormer has been avail­able inter­mit­tent­ly since August after major tech­nol­o­gy firms includ­ing Google forced the site offline for com­ments about the death of Heather Hey­er by an alt-right pro­test­er in Char­lottesville, Va. Nev­er­the­less, the web­site con­tin­ues to pub­lish com­men­taries about the Ger­man elec­tion.

    “There is essen­tial­ly no chance that the AfD (Alter­na­tive for Ger­many par­ty) can win this elec­tion,” Adri­an Sol wrote Sun­day on the site, refer­ring to Ger­many’s far-right anti-immi­gra­tion and anti-Euro­pean Union par­ty.

    “How­ev­er, if they can keep putting pres­sure on the estab­lish­ment and change the nar­ra­tive, (there) may be hope yet that Ger­many can some day be saved.”

    A report pub­lished Wednes­day by Hope Not Hate, a British anti-racism watch­dog, con­clud­ed that the alt-right move­ment has “breathed life and youth back into for­mer­ly declin­ing and dor­mant parts of the Euro­pean extreme right.”

    The report, based on an under­cov­er inves­ti­ga­tion of far-right fig­ure­heads, found that extrem­ist indi­vid­u­als, orga­ni­za­tions, web­sites and forums on both sides of the Atlantic are increas­ing­ly engag­ing with each anoth­er and “weaponiz­ing” the Inter­net.

    San­dro Gay­ck­en, the founder and direc­tor of the Berlin-based Dig­i­tal Soci­ety Insti­tute, said right-wing voic­es are try­ing to infil­trate con­ver­sa­tions about the Ger­man elec­tion on Face­book and oth­er social media plat­forms.

    One exam­ple: Gay­ck­en said for the past two months, new and exist­ing Face­book users in Ger­many who search for polit­i­cal dis­cus­sion groups on the social media plat­form have been auto­mat­i­cal­ly giv­en rec­om­men­da­tions that pri­or­i­tize right-wing par­ties such as AfD, expect­ed to enter the coun­try’s nation­al par­lia­ment for the first time after Sun­day’s vote.

    “It’s real­ly strange because Face­book says this should be impos­si­ble because you are only sup­posed to get rec­om­men­da­tions based on your own ‘friends,’ ‘groups’ and ‘likes.’ But every­one in Ger­many is get­ting these right-wing par­ty rec­om­men­da­tions,” he said.

    “Even left-wing jour­nal­ists.”

    In a state­ment, Face­book said it was aware of the issue report­ed in Ger­many and that it was relat­ed to its “Groups Dis­cov­er” fea­ture, and that it has now tem­porar­i­ly turned off the cat­e­go­ry “news and pol­i­tics” in the “Dis­cov­er” tab while it inves­ti­gates the mat­ter.

    Face­book said it was also exam­in­ing the accounts of appar­ent­ly fake users who pur­chased Face­book ads dur­ing the U.S. elec­tion. These accounts were sub­se­quent­ly linked to the pro-Krem­lin troll farm known as the Inter­net Research Agency. Face­book said that it has not yet uncov­ered sim­i­lar ad pur­chas­es relat­ed to the Ger­man vote.

    “We haven’t seen any trace of the Rus­sians, just right-wingers,” Gay­ck­en added.

    Accord­ing to polls pub­lished by Ger­man media Sun­day, Merkel’s par­ty is pro­ject­ed to win 36% of the vote, well ahead of Schulz’s SPD on 22%. AfD is fore­cast to come in third, with 11%. If Merkel wins, she could forge ahead with plans to pur­sue clos­er polit­i­cal and eco­nom­ic union with EU mem­bers, a pol­i­cy as deeply unpop­u­lar with AfD’s sup­port­ers as her deci­sion to open Ger­many’s bor­ders to 1 mil­lion refugees since 2015.

    Ger­many’s vul­ner­a­bil­i­ty to polit­i­cal hack­ers, Inter­net trolls and bots linked to Rus­sia is hard to gauge. Plus, there may not be much point doing so, accord­ing to Mark Gale­ot­ti, who runs the Cen­ter for Euro­pean Secu­ri­ty, a research insti­tute in Prague.

    “There is no ‘pro-Putin’ can­di­date,” he said.

    “Any inter­fer­ence would be unlike­ly to have any sub­stan­tive impact on the elec­tion result and only hard­en Ger­many’s posi­tion against Moscow.”

    Merkel has nev­er­the­less sought to blunt poten­tial Russ­ian inter­fer­ence through aggres­sive pub­lic infor­ma­tion cam­paigns, by estab­lish­ing addi­tion­al cyber­se­cu­ri­ty agen­cies and strate­gies and by ush­er­ing in the Net­work Enforce­ment Act, a law that, come this Octo­ber, will fine social media com­pa­nies up to $57 mil­lion if they do not remove hate speech, defama­tion and incite­ments to vio­lence with­in 24 hours.

    Ger­man polit­i­cal par­ties also pledged not to use social bots in the elec­tion cam­paign, and inde­pen­dent media mon­i­tor­ing orga­ni­za­tions such as Cor­rec­tiv, which debunk fake news and call out dis­in­for­ma­tion, have been estab­lished recent­ly.

    The gov­ern­ment has insist­ed the soft­ware used to tab­u­late votes — paper bal­lots are hand-count­ed and then passed to region­al author­i­ties — is secure despite a study pub­lished Sept. 7 by the Chaos Com­put­er Club, a Ger­man tech­nol­o­gy watch­dog, show­ing the sys­tem’s encryp­tion method was out­dat­ed and vul­ner­a­ble to manip­u­la­tion.

    But what may seem like a lack of inter­est from Moscow may just be a sign of suc­cess.

    “I think there is more Russ­ian activ­i­ty than meets the eye,” said Joerg For­brig, a Berlin-based polit­i­cal affairs expert at the Ger­man Mar­shall Fund of the Unit­ed States, a pub­lic pol­i­cy think tank whose Alliance for Secur­ing Democ­ra­cy unit built an online tool that tracks Russ­ian pro­pa­gan­da and dis­in­for­ma­tion efforts. Its “Hamil­ton 68” dash­board ana­lyzes about 600 Twit­ter accounts direct­ly con­trolled by Rus­sia, by users who pro­mote Russ­ian themes, and by users and top­ics Rus­sia seeks to dis­cred­it or attack.

    “In the past we have seen a very sys­tem­at­ic and skilled out­reach pro­gram into Ger­many’s Russ­ian-speak­ing pop­u­la­tion. This was first test­ed in state elec­tions in Berlin last Sep­tem­ber. In those areas where there are very high num­bers of Russ­ian speak­ers liv­ing in Berlin, the AfD’s vote share was up to 35%,” For­brig said.

    He said these cam­paigns involved cir­cu­lat­ing posters and leaflets with mes­sages that were inim­i­cal to the Ger­man gov­ern­men­t’s posi­tion on Russ­ian sanc­tions or NATO.

    For­brig said there could be forms of Russ­ian sup­port for the AfD not yet rec­og­nized.

    The Alliance for Secur­ing Democ­ra­cy has con­clud­ed that Rus­sia has med­dled in the affairs of at least 27 Euro­pean and North Amer­i­can coun­tries since 2004 with inter­fer­ence that ranges from cyber­at­tacks to dis­in­for­ma­tion cam­paigns.

    In 2015, a Russ­ian-intel­li­gence-linked hack­ing group called Fan­cy Bear stole data from Ger­man par­lia­men­tar­i­ans, includ­ing Merkel. This data has yet to be released to the pub­lic. Fan­cy Bear is the same group thought to be behind the hacks of the Demo­c­ra­t­ic Nation­al Com­mit­tee in the run up to the U.S. elec­tion. Moscow repeat­ed­ly has dis­missed alle­ga­tions it inter­venes in elec­tions as anti-Russ­ian pro­pa­gan­da.

    Still, For­brig added the Ger­man elec­tion may be less sus­cep­ti­ble to out­side influ­ence for three rea­sons: Vot­ers watched alleged Russ­ian med­dling take place in the U.S. and French elec­tions, which has led to high lev­els of aware­ness; Ger­many’s mul­ti-par­ty elec­toral sys­tem makes it more dif­fi­cult to pre­dict how mes­sages and infor­ma­tion tar­get­ed at one group might impact oth­ers; and Ger­many’s media is, For­brig said, gen­er­al­ly more “bal­anced and calm” and lacks “shrill voic­es” com­pared to its coun­ter­parts else­where. Fur­ther, its media is still viewed as a trust­ed source of infor­ma­tion — not always the case in Pres­i­dent Trump’s Wash­ing­ton.
    ...

    ———–

    “There is med­dling in Ger­many’s elec­tion — not by Rus­sia, but by U.S. right wing” by Kim Hjelm­gaard; USA Today; 09/20/2017

    ““So far we have not been able to track down any specific Russian activity,” said Simon Hegelich, a professor of political science data at the Technical University of Munich who has advised the German government about the threat of hacking and fake news.”

    No Russ­ian activ­i­ty was detect­ed. But plen­ty of Amer­i­can far right activ­i­ty! That was the con­clu­sion of Simon Hegelich, a pro­fes­sor of polit­i­cal sci­ence data at the Tech­ni­cal Uni­ver­si­ty of Munich who was advis­ing the Ger­man gov­ern­ment about hacks and ‘fake news’:

    ...
    Instead, Hegelich and oth­ers point to an alliance of most­ly anony­mous online trolls and extrem­ist agi­ta­tors who are dis­sem­i­nat­ing right-wing mate­ri­als through YouTube; mes­sag­ing board sites like 4chan and red­dit; and Gab.ai, a tex­ting ser­vice.

    “A lot of the stuff we are see­ing in Ger­many can be linked to, or is at least inspired by, the ‘alt-right’ move­ment in the U.S.,” Hegelich said, refer­ring to a loose­ly defined group whose far-right ide­ol­o­gy includes racism, pop­ulism and white nation­al­ism.

    He said prov­ing con­nec­tions among sym­pa­thiz­ers is extreme­ly dif­fi­cult and may nev­er be con­clu­sive. But an analy­sis of 300 mil­lion tweets over the past six months by Hegelich and researchers at the Tech­ni­cal Uni­ver­si­ty of Munich shows Ger­many is a hotspot for posts that use the hash­tag “#AltRight.”

    Many den­i­grate both lead­ing can­di­dates — Merkel and her con­ser­v­a­tive Chris­t­ian Demo­c­ra­t­ic Union par­ty, and her chief rival, Mar­tin Schulz of the left-of-cen­ter Social Demo­c­ra­t­ic Par­ty — with the hash­tags #Merkel and #Schulz.

    And many of those posts orig­i­nate in the U.S., adding to the impres­sion that right-wing social media users in both coun­tries may be try­ing to sway Ger­man pub­lic opin­ion. It’s pos­si­ble that some of this alt-right mes­sag­ing com­ing out of the U.S. may be con­nect­ed to Russ­ian inter­fer­ence; that, too, is dif­fi­cult to deter­mine, Hegelich said.
    ...

    And this large far right, largely American-based, network of trolls was so organized that they managed to successfully game Facebook’s algorithms so everyone in Germany was getting links encouraging them to read about the far right AfD party:

    ...
    San­dro Gay­ck­en, the founder and direc­tor of the Berlin-based Dig­i­tal Soci­ety Insti­tute, said right-wing voic­es are try­ing to infil­trate con­ver­sa­tions about the Ger­man elec­tion on Face­book and oth­er social media plat­forms.

    One exam­ple: Gay­ck­en said for the past two months, new and exist­ing Face­book users in Ger­many who search for polit­i­cal dis­cus­sion groups on the social media plat­form have been auto­mat­i­cal­ly giv­en rec­om­men­da­tions that pri­or­i­tize right-wing par­ties such as AfD, expect­ed to enter the coun­try’s nation­al par­lia­ment for the first time after Sun­day’s vote.

    “It’s real­ly strange because Face­book says this should be impos­si­ble because you are only sup­posed to get rec­om­men­da­tions based on your own ‘friends,’ ‘groups’ and ‘likes.’ But every­one in Ger­many is get­ting these right-wing par­ty rec­om­men­da­tions,” he said.

    “Even left-wing jour­nal­ists.”

    In a state­ment, Face­book said it was aware of the issue report­ed in Ger­many and that it was relat­ed to its “Groups Dis­cov­er” fea­ture, and that it has now tem­porar­i­ly turned off the cat­e­go­ry “news and pol­i­tics” in the “Dis­cov­er” tab while it inves­ti­gates the mat­ter.

    Face­book said it was also exam­in­ing the accounts of appar­ent­ly fake users who pur­chased Face­book ads dur­ing the U.S. elec­tion. These accounts were sub­se­quent­ly linked to the pro-Krem­lin troll farm known as the Inter­net Research Agency. Face­book said that it has not yet uncov­ered sim­i­lar ad pur­chas­es relat­ed to the Ger­man vote.

    “We haven’t seen any trace of the Rus­sians, just right-wingers,” Gay­ck­en added.
    ...

    ““It’s really strange because Facebook says this should be impossible because you are only supposed to get recommendations based on your own ‘friends,’ ‘groups’ and ‘likes.’ But everyone in Germany is getting these right-wing party recommendations,” he said.”

    And one of the top trolls who appears to have been behind the Macron hacks, Andrew Auernheimer, pledged that never again will there be an election that doesn’t involve “trolling, hacking and extreme far-right politics”:

    ...
    “There will nev­er be an elec­tion again in which trolling, hack­ing and extreme far-right pol­i­tics do not play a role,” Andrew Auern­heimer, a hack­er and blog­ger for the U.S. neo-Nazi Dai­ly Stormer web­site wrote after Don­ald Trump’s elec­tion vic­to­ry last year.
    ...

    But despite the fact that no Russian activity was detected, that didn’t stop Joerg Forbrig, an analyst at the German Marshall Fund of the United States which is behind the “Hamilton 68” project — the initiative started to identify alleged Russian election interference that’s manned by a number of extremely conservative, highly questionable, and highly hawkish figures — from concluding that “there is more Russian activity than meets the eye”. The way Forbrig saw it, the fact that the AfD did best in parts of Germany with the highest Russian-speaking populations (including East Germany, where the AfD is wildly popular) is a possible sign of success of some sort of Kremlin influence operation targeting Russian speakers. Even when the German government was actively watching for Russian influence operations and didn’t find any but did find American far right disinformation campaigns, Forbrig was pretty sure there was still some hidden Russian connection to the success of the AfD:

    ...
    But what may seem like a lack of inter­est from Moscow may just be a sign of suc­cess.

    “I think there is more Russ­ian activ­i­ty than meets the eye,” said Joerg For­brig, a Berlin-based polit­i­cal affairs expert at the Ger­man Mar­shall Fund of the Unit­ed States, a pub­lic pol­i­cy think tank whose Alliance for Secur­ing Democ­ra­cy unit built an online tool that tracks Russ­ian pro­pa­gan­da and dis­in­for­ma­tion efforts. Its “Hamil­ton 68” dash­board ana­lyzes about 600 Twit­ter accounts direct­ly con­trolled by Rus­sia, by users who pro­mote Russ­ian themes, and by users and top­ics Rus­sia seeks to dis­cred­it or attack.

    “In the past we have seen a very sys­tem­at­ic and skilled out­reach pro­gram into Ger­many’s Russ­ian-speak­ing pop­u­la­tion. This was first test­ed in state elec­tions in Berlin last Sep­tem­ber. In those areas where there are very high num­bers of Russ­ian speak­ers liv­ing in Berlin, the AfD’s vote share was up to 35%,” For­brig said.

    He said these cam­paigns involved cir­cu­lat­ing posters and leaflets with mes­sages that were inim­i­cal to the Ger­man gov­ern­men­t’s posi­tion on Russ­ian sanc­tions or NATO.

    For­brig said there could be forms of Russ­ian sup­port for the AfD not yet rec­og­nized.

    The Alliance for Secur­ing Democ­ra­cy has con­clud­ed that Rus­sia has med­dled in the affairs of at least 27 Euro­pean and North Amer­i­can coun­tries since 2004 with inter­fer­ence that ranges from cyber­at­tacks to dis­in­for­ma­tion cam­paigns.
    ...

    Again, in fairness, it’s entirely possible that the Kremlin could have been meddling in the German election and simply not leaving tracks, as Forbrig seemed to be speculating. It’s not an unreasonable possibility. But it’s really more of a conviction and mantra at this point, which is the underlying problem.

    And that all under­scores the oth­er part of why we should expect a repeat of #TrumpRus­sia in 2020: The Trump cam­paign and Repub­li­can Par­ty are mak­ing it very clear that they are plan­ning on more hack­ing scheming/opportunism. And the social media dis­in­for­ma­tion cam­paign that will be blamed on the Krem­lin is vir­tu­al­ly guar­an­teed to hap­pen thanks to a blos­som­ing anti-dis­in­for­ma­tion indus­try that is mak­ing it clear to the Trump cam­paign and GOP and the rest of the affil­i­at­ed troll armies that all they’ll have to do is leave a few ‘Russ­ian bot’ clues in their dis­in­for­ma­tion cam­paigns and this anti-dis­in­for­ma­tion indus­try will almost sure­ly attribute the dis­in­for­ma­tion net­works to the Krem­lin if they’re ever uncov­ered. And even if the dis­in­for­ma­tion net­works don’t both­er leav­ing ‘Russ­ian bot’ clues behind, it will still be assumed that it could be a very sophis­ti­cat­ed Krem­lin cam­paign that did­n’t leave clues. The Repub­li­can secret teams that will arrange for hacks and/or scour the dark web for hacked mate­ri­als are prob­a­bly already in place. And the oth­er Repub­li­can secret teams for run­ning mass dis­in­for­ma­tion oper­a­tions are basi­cal­ly always oper­at­ing whether or not there’s an elec­tion. The Repub­li­can Par­ty is basi­cal­ly a giant dis­in­for­ma­tion oper­a­tion these days any­way so there should be no ques­tion as to whether or not there’s going to be exten­sive right-wing dis­in­for­ma­tion cam­paigns. And based on what we’ve seen, there should be no ques­tion as to whether or not those 2020 right-wing dis­in­for­ma­tion oper­a­tions will be blamed on Rus­sia. Of course they will be.

    And that all raises a rather ominous question: since the GOP and the right wing know that their dirty tricks operations are invariably going to be attributed to Russia, is this going to make them go extra crazy with the disinfo for 2020? Let’s not forget that one of the key lessons of the 2018 mid-terms was that the GOP was still more than happy to blatantly base the party’s national campaign strategy on lies and disinformation (like panicking over ‘the Caravan’) and there’s no reason at all to assume that won’t be the case in 2020. So how extensively will dirty tricks — whether it’s hackings, micro-targeting, or disinformation operations — play in the GOP’s overall strategy when the party knows its dirtiest tricks will probably get blamed on Russia?

    How dirty will the GOP get when it knows the dirtiest dirt will probably get blamed on Russia? It’s the kind of question that would ideally remain rhetorical. But here we are. It’s a real question for 2020 and perhaps one of the most important looming questions for 2020 given the right wing’s incredible capacity for dirty politics. #TrumpRussia2020 here we come.

    Posted by Pterrafractyl | February 24, 2019, 3:34 am
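An added example, not part of any comment on this page, for the shortcut-file metadata the next comment (and the FireEye report it quotes) discusses: the MAC address in a Windows .lnk sits in the TrackerDataBlock, where NTFS stores a version-1 object GUID whose node field is a network-adapter address. The parser follows the public MS-SHLLINK layout; the machine name, MAC and volume GUID are constructed values, and the helpers show a defender why a matching MAC is circumstantial (it is plain bytes in a file its author controls, and it is absent altogether when the GUID is not version 1).

```python
"""Read the machine identifiers a Windows .lnk carries in its TrackerDataBlock.

Constructed example following the public MS-SHLLINK layout; not FireEye's or
Volexity's tooling. The sample .lnk files are assembled in this script so it
runs offline, and every name, MAC and GUID below is a made-up value.
"""
import struct
import uuid
from typing import Optional

HEADER_SIZE = 0x4C
LINK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046").bytes_le
TRACKER_SIGNATURE = 0xA0000003

# LinkFlags bits that add variable-length sections ahead of the ExtraData blocks.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
STRING_DATA_FLAGS = (0x04, 0x08, 0x10, 0x20, 0x40)  # Name, RelativePath, WorkingDir, Arguments, IconLocation
IS_UNICODE = 0x80


def _extra_data_offset(blob: bytes) -> int:
    """Validate the ShellLinkHeader and return the offset of the first ExtraData block."""
    if len(blob) < HEADER_SIZE or struct.unpack_from("<I", blob, 0)[0] != HEADER_SIZE:
        raise ValueError("not a ShellLink header")
    if blob[4:20] != LINK_CLSID:
        raise ValueError("LinkCLSID mismatch")
    flags = struct.unpack_from("<I", blob, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (2 bytes) + item list
        pos += 2 + struct.unpack_from("<H", blob, pos)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", blob, pos)[0]
    width = 2 if flags & IS_UNICODE else 1   # StringData: CountCharacters + chars
    for bit in STRING_DATA_FLAGS:
        if flags & bit:
            pos += 2 + width * struct.unpack_from("<H", blob, pos)[0]
    return pos


def tracker_identifiers(blob: bytes) -> Optional[dict]:
    """Return machine name, file-object GUID and (if recoverable) MAC from the TrackerDataBlock.

    The MAC is only reported when the file GUID is a version-1 UUID whose node
    field came from a network adapter (multicast bit clear); otherwise it is None.
    """
    pos = _extra_data_offset(blob)
    while pos + 8 <= len(blob):
        size, signature = struct.unpack_from("<II", blob, pos)
        if size < 4:                          # TerminalBlock ends the ExtraData list
            break
        if signature == TRACKER_SIGNATURE and size >= 0x60:
            machine = blob[pos + 16:pos + 32].split(b"\x00", 1)[0].decode("ascii", "replace")
            file_guid = uuid.UUID(bytes_le=blob[pos + 48:pos + 64])   # Droid.FileID
            mac = None
            if file_guid.version == 1 and not (file_guid.node >> 40) & 0x01:
                mac = ":".join(f"{(file_guid.node >> s) & 0xFF:02x}" for s in range(40, -1, -8))
            return {"machine_id": machine, "file_guid": str(file_guid), "mac": mac}
        pos += size
    return None


def shared_tracker_mac(lnk_a: bytes, lnk_b: bytes) -> bool:
    """True when both shortcuts embed the same MAC.

    Treat a match as circumstantial: the block is ordinary bytes the file's
    author controls, so identical values prove nothing about the machine used.
    """
    a, b = tracker_identifiers(lnk_a), tracker_identifiers(lnk_b)
    return bool(a and b and a["mac"] and a["mac"] == b["mac"])


def build_sample_lnk(machine_name: str, mac: Optional[int], volume_guid: uuid.UUID) -> bytes:
    """Assemble a minimal .lnk: header with no optional sections, one TrackerDataBlock, terminal block."""
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID + struct.pack("<I", 0)   # LinkFlags = 0
    header = header.ljust(HEADER_SIZE, b"\x00")
    # NTFS object IDs are version-1 UUIDs, so a real one carries the adapter MAC; a
    # version-4 GUID stands in for a file whose metadata carries no MAC at all.
    file_guid = uuid.uuid4() if mac is None else uuid.uuid1(node=mac, clock_seq=0x1234)
    machine_id = machine_name.encode("ascii").ljust(16, b"\x00")
    block = struct.pack("<IIII", 0x60, TRACKER_SIGNATURE, 0x58, 0)
    block += machine_id + volume_guid.bytes_le + file_guid.bytes_le      # Droid
    block += volume_guid.bytes_le + file_guid.bytes_le                   # DroidBirth
    return header + block + struct.pack("<I", 0)


# Constructed inputs: a locally administered MAC and a made-up volume GUID.
SAMPLE_MAC = 0x020000AABBCC
SAMPLE_VOLUME = uuid.UUID("11111111-2222-4333-8444-555555555555")
SAMPLE_OLD = build_sample_lnk("BUILD-PC", SAMPLE_MAC, SAMPLE_VOLUME)   # constructed earlier sample
SAMPLE_NEW = build_sample_lnk("BUILD-PC", SAMPLE_MAC, SAMPLE_VOLUME)   # constructed later sample, same bytes

if __name__ == "__main__":
    for label, lnk in (("old", SAMPLE_OLD), ("new", SAMPLE_NEW)):
        print(label, tracker_identifiers(lnk))
    print("same embedded MAC:", shared_tracker_mac(SAMPLE_OLD, SAMPLE_NEW))
```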
  12. Here’s a story from back in January that’s worth noting as a reminder that we should probably expect political hacks to play a role in the US 2020 elections and we should probably expect the hackers to leave lots of ‘Russian hacker’ fingerprints: The Democratic National Committee announced in late January that it had concluded that it was once again a victim of a wave of phishing attempts by APT29 a.k.a ‘Cozy Bear’ a.k.a ‘the Dukes’. The DNC also filed documents about this in federal court as part of an amended complaint where it claimed the DNC was the victim of a conspiracy by Russian intelligence agents, President Trump’s 2016 campaign and WikiLeaks to damage Hillary Clinton’s presidential run that was filed in April 2018.

    First, recall that APT29/‘Cozy Bear’ was blamed for the ini­tial May 2015 hack of the DNC’s servers which was part of a larg­er phish­ing cam­paign tar­get­ing numer­ous US and Euro­pean enti­ties. Accord­ing to cyber­se­cu­ri­ty experts, that phish­ing cam­paign was unusu­al­ly ‘noisy’ (i.e. not try­ing to hide what they were doing) for pre­sumed Russ­ian gov­ern­ment hack­ers, mak­ing it the start­ing point of new ‘noisy’ ‘Russ­ian hack­er’ cam­paigns that have now become the norm.

    This lat­est phish­ing cam­paign that the DNC was tar­get­ed by was also part of a larg­er ‘noisy’ phish­ing cam­paign that tar­get­ed a num­ber of US enti­ties. The phish­ing attempts took place in Novem­ber of 2018, short­ly after the US midterms and used emails imper­son­at­ing the US State Depart­ment, tar­get­ing gov­ern­ment agen­cies, think tanks, law enforce­ment offi­cials, jour­nal­ists, mil­i­tary per­son­nel, defense con­trac­tors, phar­ma­ceu­ti­cal com­pa­nies and trans­porta­tion offi­cials.

    The cyber­se­cu­ri­ty firm Fire­Eye wrote a blog post in Novem­ber that con­clud­ed that Cozy Bear was the like­ly cul­prit. Crowd­Strike arrived at the same con­clu­sion. It was in Jan­u­ary that the DNC announced that they too were tar­get­ed in this phish­ing cam­paign.

    So what was it that made FireEye and CrowdStrike conclude Cozy Bear was behind the phishing campaign? This is where things start sounding eerily familiar: The tactics, techniques, and procedures (TTPs) used in the November 2018 phishing campaign were very similar to the TTPs used in a phishing campaign from November 2016, shortly after the 2016 election. And that November 2016 phishing campaign was, in turn, attributed to Cozy Bear by Volexity, another cybersecurity firm, based on the similarity of TTPs to some phishing attacks that Volexity observed in August of 2016 that it attributed to APT29. So Volexity attributes the November 2016 phishing to APT29 and, two years later, FireEye and CrowdStrike base their attribution that APT29 was behind the November 2018 phishing campaign on the fact that there are a number of similarities to the 2016 phishing campaign that Volexity already attributed to APT29. It’s an example of how new attributions are based on a chain of previous attributions that build on each other and make the accuracy of previous attributions paramount for the accuracy of new attributions.

    And what kinds of similarities in TTPs were found linking the November 2016 phishing campaign to the November 2018 campaign? In both cases, the phishing emails would try to trick the recipient into clicking on a link that leads to a ZIP archive that contains a Windows shortcut file hosted on a compromised server. When clicked, the Windows shortcut file executes a PowerShell command that deploys the malware.

    A notable dif­fer­ence between the 2016 and 2018 phish­ing cam­paigns is that the mal­ware deployed in the 2016 cam­paign was cus­tom mal­ware which Volex­i­ty dubbed “Pow­er­Dukes”. But in the 2018 phish­ing cam­paign the com­mer­cial­ly avail­able mal­ware Cobalt Strike was used instead. Fire­Eye notes in its report that sophis­ti­cat­ed hack­ers will fre­quent­ly use off-the-shelf mal­ware for rea­sons like plau­si­ble deni­a­bil­i­ty.

    And that’s where things get absurd: A key area of similarities between the 2016 and 2018 phishing campaign used for FireEye’s attribution was the heavy overlap in the metadata found in the Windows shortcut link used to download malware. That overlap included the metadata for the Windows shortcut link containing the same MAC address that was found in the 2016 phishing attack. MAC addresses are unique identifiers for a piece of hardware, so by leaving in the same MAC address in the metadata the hackers were sending the signal that the exact same computer was used in both the 2016 and 2018 phishing attacks. According to FireEye, the similarities in metadata were SO similar that FireEye concluded that it may have been deliberate.

    Keep in mind that spoofing a MAC address is technically possible, so if it was the same hackers behind the 2016 and 2018 phishing attacks and they used the exact same machine to construct the Windows shortcut links they still could have modified the MAC metadata if they wanted to. Similarly, if someone wanted to spoof the MAC address to make it look like the same one used in the 2016 phishing attack they could do that too. It’s an example of why looking at similarities in TTPs for attribution is potentially so problematic.

    Also recall how the initial attribution of the 2016 hack of the Democrats to APT28/‘Fancy Bear’ was heavily based on the fact that the malware deployed on the DNC’s servers had the same IP hardcoded into the malware (176.31.112.10) that was found in the 2015 hack of the Bundestag that was attributed to APT28. And the fact that the command-and-control server’s 176.31.112.10 IP address was found in the Bundestag hack’s malware was published in 2015 and therefore publicly knowable by the time of the March 2016 ‘Fancy Bear’ hack of the Democrats. It was another example of how wildly provocative metadata ‘clues’ keep popping up in these ‘Russian hacker’ hacks and keep getting taken at face value and used for attribution.

    So in the same report where FireEye notes that commercially available Cobalt Strike malware may have been used for reasons of plausible deniability, they also have to note that the overlap in metadata between the 2016 and 2018 attacks was so similar that it may have been intentional. That’s a little contradictory, isn’t it?

    In fair­ness, both Fire­Eye and Crowd­Strike added caveats to their ini­tial attri­bu­tion by not­ing that they could­n’t make this attri­bu­tion with 100 per­cent cer­tain­ty, but that did­n’t stop almost every­one from broad­ly treat­ing it as a 100 per­cent cer­tain attri­bu­tion.

    Ok, let’s start off with the New York Times story about the DNC announcing that it too was targeted in the November 2018 wave of phishing attacks. The article describes how FireEye observed such heavy overlap in the metadata between the 2016 and 2018 phishing attacks that it might constitute a “deliberate reuse” of old phishing tactics. As the article also notes, both FireEye and CrowdStrike acknowledged that they could not say definitively that ‘Cozy Bear’ was to blame:

    The New York Times

    D.N.C. Says It Was Tar­get­ed Again by Russ­ian Hack­ers After ’18 Elec­tion

    By Nicole Perl­roth

    Jan. 18, 2019

    SAN FRANCISCO — The Demo­c­ra­t­ic Nation­al Com­mit­tee believes it was tar­get­ed in a hack­ing attempt by a Russ­ian group in the weeks after the midterm elec­tions last year, accord­ing to court doc­u­ments filed late Thurs­day.

    On Nov. 14, the doc­u­ments say, dozens of D.N.C. email address­es were on the receiv­ing end of a so-called spearphish­ing cam­paign by one of two Russ­ian orga­ni­za­tions believed to be respon­si­ble for hack­ing into the committee’s com­put­ers dur­ing the 2016 pres­i­den­tial race. There is no evi­dence that the most recent attack was suc­cess­ful.

    The doc­u­ments, filed in fed­er­al court in New York, were part of an amend­ed com­plaint in a law­suit filed in April that claimed the com­mit­tee was the vic­tim of a con­spir­a­cy by Russ­ian intel­li­gence agents, Pres­i­dent Trump’s 2016 cam­paign and Wik­iLeaks to dam­age Hillary Clinton’s pres­i­den­tial run.

    The new court fil­ings say the time stamps and con­tents of the spearphish­ing emails received in Novem­ber were con­sis­tent with sep­a­rate cyber­at­tacks around the same time tied to the Russ­ian hack­ing group known as Cozy Bear, one of the two Russ­ian groups sus­pect­ed of breach­ing D.N.C. com­put­ers in 2016.

    Secu­ri­ty researchers believe the hack­ing attempt against the D.N.C. in Novem­ber was part of a broad­er cam­paign that used decoy emails that appeared to come from the State Depart­ment.

    That cam­paign had more than a dozen tar­gets, includ­ing gov­ern­ment agen­cies, think tanks, law enforce­ment offi­cials, jour­nal­ists, mil­i­tary per­son­nel, defense con­trac­tors, phar­ma­ceu­ti­cal com­pa­nies and trans­porta­tion offi­cials, accord­ing to a report by the cyber­se­cu­ri­ty firm Fire­Eye. Researchers believe the goal was to fer­ret out Amer­i­can for­eign pol­i­cy, par­tic­u­lar­ly relat­ed to Africa; Demo­c­ra­t­ic pol­i­cy posi­tions; and the plat­forms of 2020 Demo­c­ra­t­ic pres­i­den­tial hope­fuls.

    Fire­Eye said the attempt­ed hack­ing of the D.N.C. in Novem­ber resem­bled oth­er recent attacks attrib­uted to Cozy Bear, includ­ing in its “delib­er­ate reuse” of old phish­ing tac­tics and reliance on a sim­i­lar list of vic­tims. But there were a few new wrin­kles, includ­ing new decoy email address­es and dif­fer­ent obfus­ca­tion tech­niques.

    The hack­ers sent some tar­gets of the broad­er cam­paign three phish­ing emails at most. In oth­er instances, they were more aggres­sive, send­ing as many as 136 emails to a sin­gle orga­ni­za­tion. In some cas­es, the mal­ware-laced emails were suc­cess­ful. And once they gained access to a com­put­er net­work, it was only a mat­ter of hours before they were deploy­ing stealth­i­er hack­ing tools.

    The attack­ers in Novem­ber com­pro­mised a hos­pi­tal email serv­er to launch their phish­ing emails, a com­mon tac­tic of the Cozy Bear group, said Nick Carr, a senior man­ag­er at Fire­Eye.

    Cozy Bear hack­ers are skilled at rum­mag­ing through a net­work with­out draw­ing atten­tion, said Matthew Dun­woody, a Fire­Eye secu­ri­ty researcher. Once in, they often swap out their phish­ing tools for mal­ware that can be hard to detect, he said.

    Fire­Eye said that although Cozy Bear was the like­li­est cul­prit, the firm could not firm­ly estab­lish who was respon­si­ble for the 2018 cam­paign against the D.N.C. and oth­er tar­gets. Crowd­Strike, anoth­er cyber­se­cu­ri­ty firm, also not­ed an uptick in hack­ing activ­i­ty in Novem­ber, but it could not say defin­i­tive­ly that Cozy Bear was to blame.

    Cozy Bear, also known by secu­ri­ty firms as APT 29 or the Dukes, was one of two Russ­ian groups involved in the 2016 hack­ing of the D.N.C. It has not attract­ed the same scruti­ny as the oth­er group, Fan­cy Bear, or APT 28, which has been linked to a string of cyber­at­tacks against the D.N.C., the Inter­na­tion­al Olympic Com­mit­tee and oth­er inter­na­tion­al orga­ni­za­tions.

    Cozy Bear has been active since 2016, secu­ri­ty researchers say, and has been linked to a coor­di­nat­ed wave of hack­ing attacks on Demo­c­ra­t­ic Par­ty offi­cials.

    The D.N.C. says in the amend­ed com­plaint that the Novem­ber cam­paign was con­sis­tent with a con­tin­u­ing push by Russ­ian hack­ers to tar­get Demo­c­ra­t­ic can­di­dates and par­ty lead­ers. In 2017, Russ­ian hack­ers are believed to have attempt­ed a hack of the com­put­er net­work of for­mer Sen­a­tor Claire McCaskill of Mis­souri and the net­works of at least two oth­er can­di­dates in the midterm elec­tions.

    ...

    The Russ­ian gov­ern­ment has con­sis­tent­ly denied hack­ing the D.N.C. In a “state­ment of immu­ni­ty” from Russia’s Min­istry of Jus­tice, Russ­ian author­i­ties argued that even if it were respon­si­ble for the hack­ing, such a “sov­er­eign act” would be con­sid­ered a “mil­i­tary action” pro­tect­ed by a 1976 law that offers some immu­ni­ty from law­suits regard­ing for­eign gov­ern­ments’ actions in the Unit­ed States.

    ———-

    “D.N.C. Says It Was Tar­get­ed Again by Russ­ian Hack­ers After ’18 Elec­tion” by Nicole Perl­roth; The New York Times; 01/18/2019

    “The new court fil­ings say the time stamps and con­tents of the spearphish­ing emails received in Novem­ber were con­sis­tent with sep­a­rate cyber­at­tacks around the same time tied to the Russ­ian hack­ing group known as Cozy Bear, one of the two Russ­ian groups sus­pect­ed of breach­ing D.N.C. com­put­ers in 2016.”

    Right around the same time all of these oth­er enti­ties were get­ting hit with the Novem­ber 2018 phish­ing attack, the DNC got hit with a sim­i­lar attack. And since the attack was attrib­uted to APT29/Cozy Bear, the DNC added this attack to its ongo­ing law­suit against Rus­sia:

    ...
    The doc­u­ments, filed in fed­er­al court in New York, were part of an amend­ed com­plaint in a law­suit filed in April that claimed the com­mit­tee was the vic­tim of a con­spir­a­cy by Russ­ian intel­li­gence agents, Pres­i­dent Trump’s 2016 cam­paign and Wik­iLeaks to dam­age Hillary Clinton’s pres­i­den­tial run.
    ...

    And yet the attribution of this phishing attack to APT29/Cozy Bear was based on ‘clues’ that were so similar to the 2016 phishing attack that had previously been attributed to APT29/Cozy Bear that FireEye concluded this might constitute “deliberate reuse”. In other words, FireEye concluded the hackers were intentionally trying to strongly tie this attack to the 2016 attack:

    ...
    Fire­Eye said the attempt­ed hack­ing of the D.N.C. in Novem­ber resem­bled oth­er recent attacks attrib­uted to Cozy Bear, includ­ing in its “delib­er­ate reuse” of old phish­ing tac­tics and reliance on a sim­i­lar list of vic­tims. But there were a few new wrin­kles, includ­ing new decoy email address­es and dif­fer­ent obfus­ca­tion tech­niques.
    ...

    Another example of why this attack was attributed to APT29/Cozy Bear is that they launched their attack using a compromised hospital email server and that’s apparently a common tactic of Cozy Bear. And that’s no doubt true because using compromised servers to launch attacks is a common tactic of hackers in general, so it’s not exactly a compelling clue:

    ...
    The attack­ers in Novem­ber com­pro­mised a hos­pi­tal email serv­er to launch their phish­ing emails, a com­mon tac­tic of the Cozy Bear group, said Nick Carr, a senior man­ag­er at Fire­Eye.
    ...

    But Fire­Eye and Crowd­Strike both acknowl­edge that they could­n’t firm­ly con­clude that APT29/Cozy Bear was tru­ly to blame. In oth­er words, both Fire­Eye and Crowd­Strike are acknowl­edg­ing that the spoof­ing of this seem­ing­ly con­clu­sive evi­dence is entire­ly pos­si­ble, which is a pret­ty huge admis­sion in the con­text of the larg­er #TrumpRus­sia inves­ti­ga­tion:

    ...
    Fire­Eye said that although Cozy Bear was the like­li­est cul­prit, the firm could not firm­ly estab­lish who was respon­si­ble for the 2018 cam­paign against the D.N.C. and oth­er tar­gets. Crowd­Strike, anoth­er cyber­se­cu­ri­ty firm, also not­ed an uptick in hack­ing activ­i­ty in Novem­ber, but it could not say defin­i­tive­ly that Cozy Bear was to blame.
    ...

    Ok, now let’s take a quick look at the actual report FireEye published in November of 2018 where they tentatively concluded that it was APT29/Cozy Bear behind it while acknowledging that the metadata overlap between the 2016 and 2018 phishing attacks was so similar that it could have been deliberate:

    Fire­Eye
    Threat Research

    Not So Cozy: An Uncom­fort­able Exam­i­na­tion of a Sus­pect­ed APT29 Phish­ing Cam­paign

    Novem­ber 19, 2018 | by Matthew Dun­woody, Andrew Thomp­son, Ben With­nell, Jonathan Leath­ery, Michael Mato­nis, Nick Carr

    Intro­duc­tion

    * Fire­Eye devices detect­ed intru­sion attempts against mul­ti­ple indus­tries, includ­ing think tank, law enforce­ment, media, U.S. mil­i­tary, imagery, trans­porta­tion, phar­ma­ceu­ti­cal, nation­al gov­ern­ment, and defense con­tract­ing.
    * The attempts involved a phish­ing email appear­ing to be from the U.S. Depart­ment of State with links to zip files con­tain­ing mali­cious Win­dows short­cuts that deliv­ered Cobalt Strike Bea­con.
    * Shared tech­ni­cal arti­facts; tac­tics, tech­niques, and pro­ce­dures (TTPs); and tar­get­ing con­nect this activ­i­ty to pre­vi­ous­ly observed activ­i­ty sus­pect­ed to be APT29.
    * APT29 is known to tran­si­tion away from phish­ing implants with­in hours of ini­tial com­pro­mise.

    On Novem­ber 14, 2018, Fire­Eye detect­ed new tar­get­ed phish­ing activ­i­ty at more than 20 of our clients across mul­ti­ple indus­tries.

    (UPDATE) This cam­paign has tar­get­ed over 20 Fire­Eye cus­tomers across: Defense, Imagery, Law Enforce­ment, Local Gov­ern­ment, Media, Mil­i­tary, Phar­ma­ceu­ti­cal, Think Tank, Trans­porta­tion, & US Pub­lic Sec­tor indus­tries in mul­ti­ple geo­graph­ic regions.
    Fire­Eye (@FireEye) Novem­ber 15, 2018

    The attacker appears to have compromised the email server of a hospital and the corporate website of a consulting company in order to use their infrastructure to send phishing emails. The phishing emails were made to look like secure communication from a Public Affairs official at the U.S. Department of State, hosted on a page made to look like another Department of State Public Affairs official’s personal drive, and used a legitimate Department of State form as a decoy. This information could be obtained via publicly available data, and there is no indication that the Department of State network was involved in this campaign. The attacker used unique links in each phishing email and the links that FireEye observed were used to download a ZIP archive that contained a weaponized Windows shortcut file, launching both a benign decoy document and a Cobalt Strike Beacon backdoor, customized by the attacker to blend in with legitimate network traffic.

    Several elements from this campaign – including the resources invested in the phishing email and network infrastructure, the metadata from the weaponized shortcut file payload, and the specific victim individuals and organizations targeted – are directly linked to the last observed APT29 phishing campaign from November 2016. This blog post explores those technical breadcrumbs and the possible intentions of this activity.

    Attribution Challenges

    Conclusive FireEye attribution is often obtained through our Mandiant consulting team’s investigation of incidents at compromised organizations, to identify details of the attack and post-compromise activity at victims. FireEye is still analyzing this activity.

    There are several similarities and technical overlaps between the 14 November 2018, phishing campaign and the suspected APT29 phishing campaign on 9 November 2016, both of which occurred shortly after U.S. elections. However, the new campaign included creative new elements as well as a seemingly deliberate reuse of old phishing tactics, techniques and procedures (TTPs), including using the same system to weaponize a Windows shortcut (LNK) file. APT29 is a sophisticated actor, and while sophisticated actors are not infallible, seemingly blatant mistakes are cause for pause when considering historical uses of deception by Russian intelligence services. It has also been over a year since we have conclusively identified APT29 activity, which raises questions about the timing and the similarities of the activity after such a long interlude.

    Notable similarities between this and the 2016 campaign include the Windows shortcut metadata, targeted organizations and specific individuals, phishing email construction, and the use of compromised infrastructure. Notable differences include the use of Cobalt Strike, rather than custom malware; however, many espionage actors do use publicly and commercially available frameworks for reasons such as plausible deniability.

    During the phishing campaign, there were indications that the site hosting the malware was selectively serving payloads. For example, requests using incorrect HTTP headers reportedly served ZIP archives containing only the benign publicly available Department of State form. It is possible that the threat actor served additional and different payloads depending on the link visited; however, FireEye has only observed two: the benign and Cobalt Strike variations.

    We provide details of this in the activity summary. Analysis of the campaign is ongoing, and we welcome any additional information from the community.

    Activity Summary

    The threat actor crafted the phishing emails to masquerade as a U.S. Department of State Public Affairs official sharing an official document. The links led to a ZIP archive that contained a weaponized Windows shortcut file hosted on a likely compromised legitimate domain, jmj[.].com. The shortcut file was crafted to execute a PowerShell command that read, decoded, and executed additional code from within the shortcut file.

    Upon execution, the shortcut file dropped a benign, publicly available, U.S. Department of State form and Cobalt Strike Beacon. Cobalt Strike is a commercially available post-exploitation framework. The BEACON payload was configured with a modified variation of the publicly available “Pandora” Malleable C2 Profile and used a command and control (C2) domain – pandorasong[.]com – assessed to be a masquerade of the Pandora music streaming service. The customization of the C2 profile may have been intended to defeat less resilient network detection methods dependent on the default configurations. The shortcut metadata indicates it was built on the same or very similar system as the shortcut used in the November 2016 campaign. The decoy content is shown in Figure 1.
    [see figure 1]

    Similarities to Older Activity

    This activity has TTP and targeting overlap with previous activity, suspected to be APT29. The malicious LNK used in the recent spearphishing campaign, ds7002.lnk (MD5: 6ed0020b0851fb71d5b0076f4ee95f3c), has technical overlaps with a suspected APT29 LNK from November 2016, 37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk (MD5: f713d5df826c6051e65f995e57d6817d), which was publicly reported by Volexity. The 2018 and 2016 LNK files are similar in structure and code, and contain significant metadata overlap, including the MAC address of the system on which the LNK was created.

    Additional overlap was observed in the targeting and tactics employed in the phishing campaigns responsible for distributing these LNK files. Previous APT29 activity targeted some of the same recipients of this email campaign, and APT29 has leveraged large waves of emails in previous campaigns.

    Outlook and Implications

    Analysis of this activity is ongoing, but if the APT29 attribution is strengthened, it would be the first activity uncovered from this sophisticated group in at least a year. Given the widespread nature of the targeting, organizations that have previously been targeted by APT29 should take note of this activity. For network defenders, whether or not this activity was conducted by APT29 should be secondary to properly investigating the full scope of the intrusion, which is of critical importance if the elusive and deceptive APT29 operators indeed had access to your environment.

    ...

    ———-

    “Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign” by Matthew Dunwoody, Andrew Thompson, Ben Withnell, Jonathan Leathery, Michael Matonis, Nick Carr; FireEye; 11/19/2018

    Several elements from this campaign – including the resources invested in the phishing email and network infrastructure, the metadata from the weaponized shortcut file payload, and the specific victim individuals and organizations targeted – are directly linked to the last observed APT29 phishing campaign from November 2016. This blog post explores those technical breadcrumbs and the possible intentions of this activity.”

    As FireEye makes clear, their attribution is based on looking for patterns that link new attacks back to old attacks. If the similarities are strong enough, an attribution is made and it’s concluded that it’s the same group behind the past and current attacks which, again, highlights how mistakes in past attributions can strongly impact future attributions.

    And yet the patterns linking this phishing attack with the November 2016 attack were so suspicious that FireEye characterized this as “seemingly deliberate reuse” of the same tactics, techniques and procedures (TTPs). Most notably, the MAC address for the Windows shortcut link IS THE SAME, sending the signal that literally the same computer was used to create those links in both attacks. As FireEye puts it, “APT29 is a sophisticated actor, and while sophisticated actors are not infallible, seemingly blatant mistakes are cause for pause when considering historical uses of deception by Russian intelligence services”:

    ...
    Attribution Challenges

    Conclusive FireEye attribution is often obtained through our Mandiant consulting team’s investigation of incidents at compromised organizations, to identify details of the attack and post-compromise activity at victims. FireEye is still analyzing this activity.

    There are several similarities and technical overlaps between the 14 November 2018, phishing campaign and the suspected APT29 phishing campaign on 9 November 2016, both of which occurred shortly after U.S. elections. However, the new campaign included creative new elements as well as a seemingly deliberate reuse of old phishing tactics, techniques and procedures (TTPs), including using the same system to weaponize a Windows shortcut (LNK) file. APT29 is a sophisticated actor, and while sophisticated actors are not infallible, seemingly blatant mistakes are cause for pause when considering historical uses of deception by Russian intelligence services. It has also been over a year since we have conclusively identified APT29 activity, which raises questions about the timing and the similarities of the activity after such a long interlude.

    ...

    Activity Summary

    The threat actor crafted the phishing emails to masquerade as a U.S. Department of State Public Affairs official sharing an official document. The links led to a ZIP archive that contained a weaponized Windows shortcut file hosted on a likely compromised legitimate domain, jmj[.].com. The shortcut file was crafted to execute a PowerShell command that read, decoded, and executed additional code from within the shortcut file.

    Upon execution, the shortcut file dropped a benign, publicly available, U.S. Department of State form and Cobalt Strike Beacon. Cobalt Strike is a commercially available post-exploitation framework. The BEACON payload was configured with a modified variation of the publicly available “Pandora” Malleable C2 Profile and used a command and control (C2) domain – pandorasong[.]com – assessed to be a masquerade of the Pandora music streaming service. The customization of the C2 profile may have been intended to defeat less resilient network detection methods dependent on the default configurations. The shortcut metadata indicates it was built on the same or very similar system as the shortcut used in the November 2016 campaign. The decoy content is shown in Figure 1.
    [see figure 1]

    Similarities to Older Activity

    This activity has TTP and targeting overlap with previous activity, suspected to be APT29. The malicious LNK used in the recent spearphishing campaign, ds7002.lnk (MD5: 6ed0020b0851fb71d5b0076f4ee95f3c), has technical overlaps with a suspected APT29 LNK from November 2016, 37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk (MD5: f713d5df826c6051e65f995e57d6817d), which was publicly reported by Volexity. The 2018 and 2016 LNK files are similar in structure and code, and contain significant metadata overlap, including the MAC address of the system on which the LNK was created.
    ...

    And yet, despite those ‘seemingly deliberate mistakes’, the report notes that the use of commercially available malware instead of custom malware may have been done for reasons of plausible deniability. It’s quite a juxtaposition of tactics:

    ...
    Notable similarities between this and the 2016 campaign include the Windows shortcut metadata, targeted organizations and specific individuals, phishing email construction, and the use of compromised infrastructure. Notable differences include the use of Cobalt Strike, rather than custom malware; however, many espionage actors do use publicly and commercially available frameworks for reasons such as plausible deniability.
    ...

    Finally, the report notes another area of overlap between the phishing campaign and past phishing campaigns attributed to APT29/Cozy Bear: they used large waves of emails:

    ...
    Additional overlap was observed in the targeting and tactics employed in the phishing campaigns responsible for distributing these LNK files. Previous APT29 activity targeted some of the same recipients of this email campaign, and APT29 has leveraged large waves of emails in previous campaigns.
    ...

    Again, don’t forget that this behavior of sending large waves of emails to numerous institutions at the same time is exactly the kind of ‘noisy’ behavior that cybersecurity analysts first observed in the 2015 phishing attacks that hit the Bundestag and the DNC server in the May 2015 hack. And analysts noted how this was very atypical of known Russian government hacker behavior. Volexity made the same observation in its November 2016 report that attributed the November 2016 phishing attacks to APT29/Cozy Bear (see the “Background” section). So when FireEye notes that APT29 has leveraged large waves of emails in previous campaigns, it’s specifically the previous campaigns starting in 2015 when the behavior of APT29 (and APT28) suddenly changed and became very “noisy” while leaving all sorts of “I’m a Russian hacker!” metadata clues.

    So what can we conclude about who is behind these attacks? Well, we can conclude that someone is very interested in hacking the Democrats and making sure that Russia gets the blame. And, sure, it could be the Russian government doing this as a trolling tactic that achieves some sort of strategic objective. But it could obviously be someone else. At this point that’s basically the only attribution we can make conclusively.

    Posted by Pterrafractyl | March 7, 2019, 11:26 pm
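The "shortcut metadata" overlap that the FireEye excerpt above rests on (machine name and MAC address of the host that created the LNK) lives in the shortcut's TrackerDataBlock, where the object GUID is a version-1 UUID whose node field is that host's MAC. The parser below is an added example (not FireEye's or Volexity's code), written from the public MS-SHLLINK layout; the sample shortcuts, machine names and MAC values it builds are constructed placeholders.

```python
import struct, uuid

# Added example: parse a .lnk TrackerDataBlock; sample LNKs below are constructed.
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
TRACKER_SIG = 0xA0000003
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FLAGS = (0x04, 0x08, 0x10, 0x20, 0x40)  # Name, RelPath, WorkDir, Args, Icon

def tracker_info(data):
    """Return creating host's NetBIOS name, volume GUID and MAC, or None if absent."""
    size, clsid_le, flags = struct.unpack_from("<I16sI", data, 0)
    if size != 0x4C or uuid.UUID(bytes_le=clsid_le) != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    pos = 0x4C
    if flags & HAS_ID_LIST:                   # LinkTargetIDList: u16 size + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                 # LinkInfo: leading u32 is its total size
        pos += struct.unpack_from("<I", data, pos)[0]
    for flag in STRING_FLAGS:                 # StringData: u16 char count + chars
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2 + count * (2 if flags & IS_UNICODE else 1)
    while pos + 4 <= len(data):               # ExtraData blocks; size < 4 terminates
        block_size = struct.unpack_from("<I", data, pos)[0]
        if block_size < 4:
            break
        if struct.unpack_from("<I", data, pos + 4)[0] == TRACKER_SIG:
            machine = data[pos + 16:pos + 32].split(b"\0", 1)[0].decode("ascii", "replace")
            vol = uuid.UUID(bytes_le=data[pos + 32:pos + 48])
            obj = uuid.UUID(bytes_le=data[pos + 48:pos + 64])  # v1 UUID: node = MAC
            mac = ":".join(f"{b:02x}" for b in obj.node.to_bytes(6, "big")) if obj.version == 1 else None
            return {"machine_id": machine, "volume_id": str(vol), "mac": mac}
        pos += block_size
    return None

def same_creation_host(lnk_a, lnk_b):
    """True when both shortcuts carry the same machine name and MAC address."""
    a, b = tracker_info(lnk_a), tracker_info(lnk_b)
    return bool(a and b and a["mac"] and
                (a["machine_id"], a["mac"]) == (b["machine_id"], b["mac"]))

def build_sample_lnk(machine, mac_bytes):
    """Constructed minimal LNK: bare header + TrackerDataBlock + terminal block."""
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID.bytes_le, 0) + bytes(52)
    obj = uuid.UUID(fields=(0x11223344, 0x5566, 0x1777, 0x88, 0x99,   # version-1 UUID
                            int.from_bytes(mac_bytes, "big")))
    droid = uuid.uuid4().bytes_le + obj.bytes_le          # volume GUID + object GUID
    block = (struct.pack("<IIII", 0x60, TRACKER_SIG, 0x58, 0)
             + machine[:16].ljust(16, "\0").encode() + droid + droid)
    return header + block + b"\0\0\0\0"
```

A match tells a defender only that two shortcuts carry identical creation metadata, which is exactly the evidence the comment above says can be reused on purpose, so it supports clustering samples, not naming an operator.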
  13. Posted by Sampson | June 27, 2019, 12:06 pm
