Spitfire List Web site and blog of anti-fascist researcher and radio personality Dave Emory.


Cyber Attribution, the Macron hacks, and the Existential Threat of Unwarranted Certainty

Did you hear the big new hacking news? The news about ‘Fancy Bear’ already getting ready to wage a new hacking campaign against US politicians? If not, here’s a brief summary: Trend Micro, a Japanese cybersecurity firm, just issued a new report purporting to show that ‘Fancy Bear’ has already set up multiple phishing websites intended to capture the login credentials to the US Senate’s email system. And Trend Micro is 100 percent confident this is the work of ‘Fancy Bear’, the Russian military intelligence hacking team.

And what led to Trend Micro’s 100 percent certainty that these phishing sites were set up by ‘Fancy Bear’? Well, that conclusion appears to be based on the similarity of this operation to the Macron email hack that hit the French election last year. You know, the same hack that the French cybersecurity agency said was so unsophisticated that any reasonably skilled hackers could have pulled it off. And the same hack that comically included the name of a Russian government security contractor in the metadata and was traced back to Andrew ‘weev’ Auernheimer. That is the hack the current Senate phishing operation supposedly mimics, and that resemblance is what led to Trend Micro’s 100 percent certainty that this is the work of ‘Fancy Bear.’ So how credible is this 100 percent certain cyber attribution? Well, that’s going to be the topic of this post. And as we’re going to see:

1. Contemporary cyber attribution is fraught with peril, relying heavily on “pattern recognition” in a way that makes it ripe for misattributions and false flags.

2. The move to employ “pattern recognition” and use that for nation-state-on-nation-state public attributions of hacks is a relatively new trend in the cybersecurity industry, and it was pioneered by one of the founders of CrowdStrike.

3. When you look at the recent history of the cybersecurity industry, there are A LOT of questions about whether these attributions can really be made with certainty.

4. If this mode of cyber attribution turns out to be a bad idea, it could result in international chaos. Seriously, international chaos. Those were the words of France’s top cybersecurity officer following the Macron email hacks.

In other words, beyond not wanting to get a particular instance of cyber attribution wrong, society really doesn’t want to get the whole approach to cyber attribution wrong. Because, again, that could be an invitation for international chaos.

So with that in mind, let’s take a look at that new Trend Micro report and the cyber attribution made with 100 percent certainty:

Associated Press

Cybersecurity firm: US Senate in Russian hackers’ crosshairs

RAPHAEL SATTER
01/12/2018

PARIS (AP) — The same Russian government-aligned hackers who penetrated the Democratic Party have spent the past few months laying the groundwork for an espionage campaign against the U.S. Senate, a cybersecurity firm said Friday.

The revelation suggests the group often nicknamed Fancy Bear, whose hacking campaign scrambled the 2016 U.S. electoral contest, is still busy trying to gather the emails of America’s political elite.

“They’re still very active — in making preparations at least — to influence public opinion again,” said Feike Hacquebord, a security researcher at Trend Micro Inc., which published the report. “They are looking for information they might leak later.”

The Senate Sergeant at Arms office, which is responsible for the upper house’s security, declined to comment.

Hacquebord said he based his report on the discovery of a clutch of suspicious-looking websites dressed up to look like the U.S. Senate’s internal email system. He then cross-referenced digital fingerprints associated with those sites to ones used almost exclusively by Fancy Bear, which his Tokyo-based firm dubs “Pawn Storm.”

Trend Micro previously drew international attention when it used an identical technique to uncover a set of decoy websites apparently set up to harvest emails from the French presidential candidate Emmanuel Macron’s campaign in April 2017. The sites’ discovery was followed two months later by a still-unexplained publication of private emails from several Macron staffers in the final days of the race.

Hacquebord said the rogue Senate sites — which were set up in June and September of 2017 — matched their French counterparts.

“That is exactly the way they attacked the Macron campaign in France,” he said.

Attribution is extremely tricky in the world of cybersecurity, where hackers routinely use misdirection and red herrings to fool their adversaries. But Trend Micro, which has followed Fancy Bear for years, said there could be no doubt.

“We are 100 percent sure that it can be attributed to the Pawn Storm group,” said Rik Ferguson, one of Hacquebord’s colleagues.

Like many cybersecurity companies, Trend Micro refuses to speculate publicly on who is behind such groups, referring to Pawn Storm only as having “Russia-related interests.” But the U.S. intelligence community alleges that Russia’s military intelligence service pulls the hackers’ strings and a months-long Associated Press investigation into the group, drawing on a vast database of targets supplied by the cybersecurity firm Secureworks, has determined that the group is closely attuned to the Kremlin’s objectives.

If Fancy Bear has targeted the Senate over the past few months, it wouldn’t be the first time. An AP analysis of Secureworks’ list shows that several staffers there were targeted between 2015 and 2016.

Among them: Robert Zarate, now the foreign policy adviser to Florida Senator Marco Rubio; Josh Holmes, a former chief of staff to Senate Majority Leader Mitch McConnell who now runs a Washington consultancy; and Jason Thielman, the chief of staff to Montana Senator Steve Daines. A Congressional researcher specializing in national security issues was also targeted.

Fancy Bear’s interests aren’t limited to U.S. politics; the group also appears to have the Olympics in mind.

Trend Micro’s report said the group had set up infrastructure aimed at collecting emails from a series of Olympic winter sports federations, including the International Ski Federation, the International Ice Hockey Federation, the International Bobsleigh & Skeleton Federation, the International Luge Federation and the International Biathlon Union.

The targeting of Olympic groups comes as relations between Russia and the International Olympic Committee are particularly fraught. Russian athletes are being forced to compete under a neutral flag in the upcoming Pyeongchang Olympics following an extraordinary doping scandal that has seen 43 athletes and several Russian officials banned for life. Amid speculation that Russia could retaliate by orchestrating the leak of prominent Olympic officials’ emails, cybersecurity firms including McAfee and ThreatConnect have picked up on signs that state-backed hackers are making moves against winter sports staff and anti-doping officials.

On Wednesday, a group that has brazenly adopted the Fancy Bear nickname began publishing what appeared to be Olympics and doping-related emails from between September 2016 and March 2017. The contents were largely unremarkable but their publication was covered extensively by Russian state media and some read the leak as a warning to Olympic officials not to press Moscow too hard over the doping scandal.

Whether any Senate emails could be published in such a way isn’t clear. Previous warnings that German lawmakers’ correspondence might be leaked by Fancy Bear ahead of last year’s election there appear to have come to nothing.

On the other hand, the group has previously dumped at least one U.S. legislator’s correspondence onto the web.

One of the targets on Secureworks’ list was Colorado State Senator Andy Kerr, who said thousands of his emails were posted to an obscure section of the website DCLeaks — a web portal better known for publishing emails belonging to retired Gen. Colin Powell and various members of Hillary Clinton’s campaign — in late 2016.

———-

“Cybersecurity firm: US Senate in Russian hackers’ crosshairs” by RAPHAEL SATTER; Associated Press; 01/12/2018

“Hacquebord said he based his report on the discovery of a clutch of suspicious-looking websites dressed up to look like the U.S. Senate’s internal email system. He then cross-referenced digital fingerprints associated with those sites to ones used almost exclusively by Fancy Bear, which his Tokyo-based firm dubs “Pawn Storm.”

So after cross-referencing the digital fingerprints associated with the Senate email phishing websites, Trend Micro found that these fingerprints were almost exclusively used by ‘Fancy Bear’. That appears to be at the core of Trend Micro’s 100 percent certainty in attributing these websites to Fancy Bear.

And it sounds like those digital fingerprints point back to the Macron hack, which is presumably part of the basis for their 100 percent level of certainty. Although it’s unclear, because Trend Micro relates the US Senate phishing attempt to the Macron hacks merely by stating that the US Senate phishing websites matched their French counterparts. “That is exactly the way they attacked the Macron campaign in France,” said Trend Micro:


Hacquebord said the rogue Senate sites — which were set up in June and September of 2017 — matched their French counterparts.

“That is exactly the way they attacked the Macron campaign in France,” he said.

Attribution is extremely tricky in the world of cybersecurity, where hackers routinely use misdirection and red herrings to fool their adversaries. But Trend Micro, which has followed Fancy Bear for years, said there could be no doubt.

“We are 100 percent sure that it can be attributed to the Pawn Storm group,” said Rik Ferguson, one of Hacquebord’s colleagues.

“We are 100 percent sure that it can be attributed to the Pawn Storm group.” That’s the message from Trend Micro following the release of this report.

And then Trend Micro touts its previous big attribution score when it drew international attention by attributing the phishing sites set up in the Macron hacks back to ‘Fancy Bear’/APT28/Pawn Storm:


Trend Micro previously drew international attention when it used an identical technique to uncover a set of decoy websites apparently set up to harvest emails from the French presidential candidate Emmanuel Macron’s campaign in April 2017. The sites’ discovery was followed two months later by a still-unexplained publication of private emails from several Macron staffers in the final days of the race.

“The sites’ discovery was followed two months later by a still-unexplained publication of private emails from several Macron staffers in the final days of the race.”

You have to love the phrasing of the “still-unexplained publication of private emails.” Yeah, it’s still unexplained because the whole world appeared to drop that line of inquiry after the reports pointing back to Auernheimer’s involvement in the hack.

So that’s the public reporting on these new US Senate phishing sites and the 100 percent certain attribution of them to APT28. And if we take it at face value, we would have to conclude that Russia’s government hackers executed this phishing attempt while leaving digital fingerprints that uniquely tie back to prior phishing campaigns which, if true, sure sounds like “I’m a Russian hacker! Please blame it on me!” kind of behavior.

The Trend Micro US Senate Phishing Report: A Vague Trickle of ‘Digital Fingerprints’ Tells the Story

But if the digital fingerprints do indeed point back to prior hacking campaigns carried out by APT28/Fancy Bear/Pawn Storm, what is the actual evidence provided by Trend Micro? Did Trend Micro find that the phishing websites were literally hosted on the same servers as previously identified phishing sites, and/or that they shared some other physical infrastructure that was used in previous hacks? And if so, which hacks?

Well, when you read the Trend Micro report, it does explicitly say that they can “uniquely relate” the phishing websites set up for this US Senate hack attempt back to two attacks by Fancy Bear a.k.a Pawn Storm. One in 2016 and one in 2017. But they don’t clarify which particular hacks they were referring to. The 2017 hack they refer to might be the Macron hack, but the report mentions a number of different 2017 campaigns they attributed to APT28.

The report also makes a rather notable observation about the behavior of ‘Fancy Bear’: they appear to follow largely the same script over and over. Trend Micro attributes this behavior to ‘Fancy Bear’ having both a large volume of targets and a large box of hacking tools, so few updates to its techniques are required. And this is true in terms of reusing the same methodology, in the sense that relatively unsophisticated phishing campaigns can probably all follow the same script. But it’s also the case that reusing the same digital infrastructure, like the same malware, over and over is a great way to make your hacking group relatively easy to identify by investigators and, more importantly, relatively easy to frame by third parties.

Now, it’s true that reuse of malware shouldn’t actually be seen as strong evidence that two separate attacks are related, unless it’s very unique malware and there’s no evidence of it being ‘in the wild’ and available to other hackers. But in today’s context, reuse of malware, including malware ‘in the wild’, is routinely used by the cybersecurity industry as evidence that different attacks were carried out by the same group. Take, for example, the bogus claim made by CrowdStrike that the “X-Agent” malware found in the DNC server attack is used solely by the Russian government.

Similarly, seeing the same ISP being used in two separate attacks shouldn’t actually be seen as strong evidence that the two attacks are related, because you can easily have different hacking groups sharing the same hacker-friendly ISPs. But in today’s context, reusing things like the same ISP over and over is basically asking to have your various hacking campaigns attributed to each other. And it’s also asking to have a third party frame you.

In other words, reusing methodologies is understandable when you’re relying on unsophisticated techniques. But reusing the same digital infrastructure is a very different kind of lack of sophistication….unless, of course, a group like ‘Fancy Bear’ wants to have all of its various hacking campaigns attributed back to them. That’s something to keep in mind when reading the following Trend Micro report.

The report also includes a note on other hackers copying Fancy Bear’s techniques, warning that “actors from developing countries will learn and probably adapt similar methods quickly in the near future.” And that warning raises the obvious question of why we shouldn’t assume that all sorts of actors, in any country, have already adopted similar methods, including using the same digital infrastructure when information on that infrastructure is publicly available.

So there are a number of questions raised by the Trend Micro report, and not a lot of answers on how exactly they arrived at their conclusions:

Trend Micro

Update on Pawn Storm: New Targets and Politically Motivated Campaigns

Posted on:January 12, 2018 at 5:00 am

In the second half of 2017 Pawn Storm, an extremely active espionage actor group, didn’t shy away from continuing their brazen attacks. Usually, the group’s attacks are not isolated incidents, and we can often relate them to earlier attacks by carefully looking at both technical indicators and motives.

Pawn Storm has been attacking political organizations in France, Germany, Montenegro, Turkey, Ukraine, and the United States since 2015. We saw attacks against political organizations again in the second half of 2017. These attacks don’t show much technical innovation over time, but they are well prepared, persistent, and often hard to defend against. Pawn Storm has a large toolset full of social engineering tricks, malware and exploits, and therefore doesn’t need much innovation apart from occasionally using their own zero-days and quickly abusing software vulnerabilities shortly after a security patch is released.

In summer and fall of 2017, we observed Pawn Storm targeting several organizations with credential phishing and spear phishing attacks. Pawn Storm’s modus operandi is quite consistent over the years, with some of their technical tricks being used repeatedly. For example, tabnabbing was used against Yahoo! users in August and September 2017 in US politically themed email. The method, which we first discussed in 2014, involves changing a browser tab to point to a phishing site after distracting the target.

We can often closely relate current and old Pawn Storm campaigns using data that spans more than four years, possibly because the actors in the group follow a script when setting up an attack. This makes sense, as the sheer volume of their attacks requires careful administration, planning, and organization to succeed. The screenshots below show two typical credential phishing emails that targeted specific organizations in October and November 2017. One type of email is supposedly a message from the target’s Microsoft Exchange server about an expired password. The other says there is a new file on the company’s OneDrive system.

While these emails might not seem to be advanced in nature, we’ve seen that credential loss is often the starting point of further attacks that include stealing sensitive data from email inboxes. We have worked with one of the targets, an NGO in the Netherlands targeted twice, in late October and early November 2017. We successfully prevented both attacks from causing any harm. In one case we were able to warn the target within two hours after a dedicated credential phishing site was set up. In an earlier attack, we were able to warn the organization 24 hours before the actual phishing emails were sent.

Political targets

In the week of the 2017 presidential elections in Iran, Pawn Storm set up a phishing site targeting chmail.ir webmail users. We were able to collect evidence that credential phishing emails were sent to chmail.ir users on May 18, 2017, just one day before the presidential elections in Iran. We have previously reported similar targeted activity against political organizations in France, Germany, Montenegro, Turkey, Ukraine, and the United States.

Beginning in June 2017, phishing sites were set up mimicking the ADFS (Active Directory Federation Services) of the U.S. Senate. By looking at the digital fingerprints of these phishing sites and comparing them with a large data set that spans almost five years, we can uniquely relate them to a couple of Pawn Storm incidents in 2016 and 2017. The real ADFS server of the U.S. Senate is not reachable on the open internet, however phishing of users’ credentials on an ADFS server that is behind a firewall still makes sense. In case an actor already has a foothold in an organization after compromising one user account, credential phishing could help him get closer to high profile users of interest.

The future of politically motivated campaigns

Rogue political influence campaigns are not likely to go away in the near future. Political organizations have to be able to communicate openly with their voters, the press and the general public. This makes them vulnerable to hacking and spear phishing. On top of that, it’s also relatively easy to influence public opinion via social media. Social media platforms continue to form a substantial part of users’ online experience, and they let advertisers reach consumers with their message.

This makes social media algorithms susceptible to abuse by various actors with bad intentions. Publishing stolen data together with spreading fake news and rumors on social media gives malicious actors powerful tools. While a successful influence campaign might seem relatively easy to do, it needs a lot of planning, persistence, and resources to be successful. Some of the basic tools and services, like ones used to spread fake news on social media, are already being offered as a service in the underground economy.

As we have mentioned in our overview paper on Pawn Storm, other actors may also start their own campaigns that aim to influence politics and issues of interest domestically and abroad. Actors from developing countries will learn and probably adapt similar methods quickly in the near future. In 2016, we published a report on C Major, an espionage group that primarily targets the Indian military. By digging deeper into C Major’s activities, we found that this actor group not only attacks the Indian military, but also has dedicated botnets for compromised targets in Iranian universities, Afghanistan, and Pakistan. Recently, we have witnessed C Major also showing some interest in compromising military and diplomatic targets in the West. It is only a matter of time before actors like C Major begin attempting to influence public opinion in foreign countries, as well.

With the Olympics and several significant global elections taking place in 2018, we can be sure Pawn Storm’s activities will continue. We at Trend Micro will keep monitoring their targeted activities, as well as activities of similar actors, as cyberpropaganda and digital extortion remain in use.

———-

“Update on Pawn Storm: New Targets and Politically Motivated Campaigns”; Trend Micro; 01/12/2018

“Beginning in June 2017, phishing sites were set up mimicking the ADFS (Active Directory Federation Services) of the U.S. Senate. By looking at the digital fingerprints of these phishing sites and comparing them with a large data set that spans almost five years, we can uniquely relate them to a couple of Pawn Storm incidents in 2016 and 2017. The real ADFS server of the U.S. Senate is not reachable on the open internet, however phishing of users’ credentials on an ADFS server that is behind a firewall still makes sense. In case an actor already has a foothold in an organization after compromising one user account, credential phishing could help him get closer to high profile users of interest.”

So in June 2017, phishing sites get set up to mimic the US Senate’s ADFS login page. And the digital fingerprints on these sites “uniquely relate” them to a couple of Pawn Storm incidents in 2016 and 2017. That appears to be the primary line of evidence leading Trend Micro to conclude that ‘Fancy Bear’/’Pawn Storm’ is indeed the entity behind this Senate phishing attempt. And none of that evidence is actually given. It is solely a “Trust Us” attribution.
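To make the “websites dressed up to look like the Senate’s ADFS login” point concrete, here is the kind of lookalike-hostname check a defender would run over newly registered or newly observed domains. This is an added example, not code from Trend Micro or from the original post. The service tokens, the allowlist of legitimate apex domains and the sample hostnames are assumptions constructed for illustration; the only hostname taken from the page is onedrive-en-marche.fr, the decoy host named in the Washington Post excerpt quoted further down.

```python
import difflib

# Assumptions for illustration: service words that credential-phishing pages
# borrow (the Trend Micro excerpt above mentions ADFS, Exchange and OneDrive
# lures), and the apex domains whose users we are protecting.
SERVICE_TOKENS = ("adfs", "owa", "exchange", "sso", "login", "webmail")
LEGIT_APEX = {"en-marche.fr", "senate.gov", "onedrive.com", "microsoft.com"}


def apex(host: str) -> str:
    """Last two labels of a hostname. Naive (ignores multi-label public
    suffixes such as co.uk), which is enough for the constructed samples."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_reasons(host: str) -> list:
    """Return the reasons a hostname looks like a credential-phishing lookalike.

    An empty list means nothing suspicious was found. Hosts under an
    allowlisted apex are never flagged, so the check is only as good as
    LEGIT_APEX; a compromised legitimate host would not be caught here.
    """
    host = host.lower().strip(".")
    host_apex = apex(host)
    if host_apex in LEGIT_APEX:
        return []
    registrable = host_apex.split(".")[0]          # e.g. "onedrive-en-marche"
    reasons = []
    for tok in SERVICE_TOKENS:
        if tok in host:
            reasons.append(f"service token '{tok}'")
    for legit in sorted(LEGIT_APEX):
        name = legit.split(".")[0]                 # e.g. "en-marche"
        if name in registrable:
            reasons.append(f"embeds legitimate name '{name}' outside {legit}")
        elif difflib.SequenceMatcher(None, name, registrable).ratio() >= 0.8:
            reasons.append(f"resembles '{name}' (typo-style)")
    return reasons


# Constructed sample: one host from the page, the rest made up.
SAMPLE_HOSTS = [
    "onedrive-en-marche.fr",   # named in the Washington Post excerpt on this page
    "adfs-senate.com",         # made up: ADFS lure plus the Senate's name
    "enmarche.fr",             # made up: hyphen dropped
    "mail.senate.gov",         # legitimate apex, never flagged
    "example.org",             # unrelated
]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        r = lookalike_reasons(h)
        print(f"{h:24} {'FLAG' if r else 'ok  '} {'; '.join(r)}")
```

The check says nothing about who registered the host; it only tells an analyst which new domains deserve a look. That separation matters for the rest of this post: spotting a decoy is a detection problem, while naming the group behind it is an attribution claim that needs evidence of its own.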

And note how the lack of technical innovation over time appears to be a key element in allowing Trend Micro to search through its database of attacks and match the ‘digital fingerprints’ of present day attacks with prior attacks:


Pawn Storm has been attacking political organizations in France, Germany, Montenegro, Turkey, Ukraine, and the United States since 2015. We saw attacks against political organizations again in the second half of 2017. These attacks don’t show much technical innovation over time, but they are well prepared, persistent, and often hard to defend against. Pawn Storm has a large toolset full of social engineering tricks, malware and exploits, and therefore doesn’t need much innovation apart from occasionally using their own zero-days and quickly abusing software vulnerabilities shortly after a security patch is released.

We can often closely relate current and old Pawn Storm campaigns using data that spans more than four years, possibly because the actors in the group follow a script when setting up an attack. This makes sense, as the sheer volume of their attacks requires careful administration, planning, and organization to succeed. The screenshots below show two typical credential phishing emails that targeted specific organizations in October and November 2017. One type of email is supposedly a message from the target’s Microsoft Exchange server about an expired password. The other says there is a new file on the company’s OneDrive system.

So ‘Fancy Bear’ keeps using the same methodology and seemingly follows a script, leaving a growing digital trail over the years that can be used for attribution of future attacks. And yet as Trend Micro warns, there’s reason to assume other actors are going to adopt similar methods “in the near future” to sway elections in other countries:


As we have mentioned in our overview paper on Pawn Storm, other actors may also start their own campaigns that aim to influence politics and issues of interest domestically and abroad. Actors from developing countries will learn and probably adapt similar methods quickly in the near future. In 2016, we published a report on C Major, an espionage group that primarily targets the Indian military. By digging deeper into C Major’s activities, we found that this actor group not only attacks the Indian military, but also has dedicated botnets for compromised targets in Iranian universities, Afghanistan, and Pakistan. Recently, we have witnessed C Major also showing some interest in compromising military and diplomatic targets in the West. It is only a matter of time before actors like C Major begin attempting to influence public opinion in foreign countries, as well.

And, of course, just as third parties might use the same methodology, they also might decide to try to leave the same digital fingerprints as ‘Fancy Bear’ if that’s an option because why not? If the malware or server hosts that ‘Fancy Bear’, or any other high profile hacking group, keeps getting reused and this becomes publicly known, why wouldn’t other hackers use the same malware and server hosts if that’s an option? This is probably a good time to remind ourselves that one of the key ‘digital fingerprints’ found in the 2016 DNC hack used to attribute that hack to ‘Fancy Bear’ was the reuse of a command and control server’s IP address (176.31.112.10) made public in 2015 following the Bundestag hack of May 2015.

And note how there are actually a number of 2017 hacks attributed to ‘Fancy Bear’ that Trend Micro references in this report. So if it “uniquely” traced the US Senate phishing sites (which were actually set up in June of 2017…a month after the French elections) back to another 2017 attack, it’s not clear which 2017 attack Trend Micro was uniquely tying the US Senate phishing sites back to.

But again, the overall message from Trend Micro in this report is “Trust Us, we got this covered…look at what a great job we did identifying the Macron hacks.”

About Those Macron Hack Attributions…

So Trend Micro found that two prior attacks, one in 2017 and one in 2016, shared the same digital fingerprints that it found after investigating the websites associated with this new US Senate phishing campaign. And the 2017 attack it referred to was maybe the Macron email hack, although that’s very ambiguous. And we’re basically expected to just trust Trend Micro on this attribution.

So how much blind trust should we place in Trend Micro’s, or any other cybersecurity firm’s, attribution when basically no technical evidence is given? Well, to explore this topic, let’s take an extended look at the Macron hacks. And not just Trend Micro’s work on those hacks, because a number of different cybersecurity firms, along with the US government, weighed in on that hack and concluded with near certainty that ‘Fancy Bear’ was behind it.

And as we look into this, note that, if the 2017 hack Trend Micro related the US Senate phishing sites back to was indeed the Macron hack, then we can make an educated guess that the 2016 hack Trend Micro uniquely related back to the US Senate phishing attack was actually the 2016 DNC server attack. Because as we’ll see in the following article, when Trend Micro first reported on the Macron email hack back in April of 2017, there was one particular 2016 hack that Trend Micro claimed had a number of ‘digital similarities’ to the Macron hack. And those ‘digital similarities’ included similarities in the IP address involved and malware used: The 2016 DNC server hack:

The Washington Post

Cyberattack on French presidential front-runner bears Russian ‘fingerprints,’ research group says

By Rick Noack
April 25, 2017

PARIS — A security firm claimed Tuesday that new cyberattacks on the campaign offices of the front-runner in France’s presidential race carried digital “fingerprints” similar to the suspected Russian hacking of the Democratic National Committee and others in the 2016 U.S. election.

The report, by the Trend Micro research group, did not disclose the potential fallout of the infiltration on the campaign of Emmanuel Macron, a centrist who faces far-right leader Marine Le Pen in a May 7 runoff.

If a Russian connection is proved, the hacking would add to mounting allegations that Moscow is backing attempts to influence Western elections in favor of candidates with policies potentially more friendly to the Kremlin. Le Pen has voiced opposition to the powers of the European Union and has called for better ties with Russia, echoing some of the campaign rhetoric of President Trump.

Tokyo-based Trend Micro said Macron’s campaign was targeted in March and April by a cyberspying group called Pawn Storm. The group has allegedly used phishing and malware to infiltrate other political organizations, as well, such as German Chancellor Angela Merkel’s Christian Democratic Union and the U.S. Democratic National Committee.

“There are several things which suggest that the group behind the Macron hacking was also responsible for the DNC breach, for example. We found similarities in the IP addresses and malware used in the attacks,” said Rik Ferguson, vice president of Trend Micro’s security research program.

“We cannot say for sure whether this was directed by the Russian government, but the group behind the attacks certainly appears to pursue Russian interests,” added Ferguson, speaking from the company’s London offices.

According to the research firm, the hackers created several email addresses on a fake server with the URL onedrive-en-marche.fr, operating from computers with IP addresses in multiple European nations, including Britain.

ANSSI, the French government’s cybersecurity agency, confirmed the more recent cyberattacks against Macron but left open the possibility that they could be the work of “other high-level” hackers trying to point the blame at Pawn Storm.


———-

“Cyberattack on French presidential front-runner bears Russian ‘fingerprints,’ research group says” by Rick Noack; The Washington Post; 04/25/2017

““There are several things which suggest that the group behind the Macron hacking was also responsible for the DNC breach, for example. We found similarities in the IP addresses and malware used in the attacks,” said Rik Ferguson, vice president of Trend Micro’s security research program.”

The same IP addresses and same malware used in the Macron and DNC attacks. Or, at least, similar IP addresses and malware. That’s what Trend Micro found when it looked into Macron email hacks back in 2017.

So what does it mean to find “similar IP addresses” between two hacks? Well, that’s probably a reference to two hacks sharing the same IP blocks. And sharing IP blocks with previous attacks merely suggests the use of the same Internet Service Provider (ISP) or hosting provider, since providers are assigned blocks of IP addresses and hand individual addresses out to whoever rents from them. And sharing a provider with previous hackers is fairly weak evidence. Of course hackers are going to gravitate towards hacker-friendly providers! Especially if they want to misdirect the attribution of the attack!

And neither is “similar malware” compelling evidence…unless there’s reason to believe that the malware isn’t available to outside hackers. But if ‘Fancy Bear’ has been reusing the same, or similar, malware for years, what are the odds that its malware collection isn’t already ‘in the wild’? As we saw with the ‘X-Agent’ malware, assuming this malware is unique to one group is a bad idea. And even if the malware ‘Fancy Bear’ keeps reusing has somehow avoided ending up ‘in the wild’, why does this group continue to reuse the same unique collection of malware over and over? It just makes attribution that much easier!
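The argument in the last few paragraphs, and the earlier point about the command-and-control address that was published after the Bundestag hack and then turned up again in the DNC attribution, can be written down as a scoring rule. The following is an added example, not code from Trend Micro, CrowdStrike or the original post: it compares the indicators of two campaigns and gives an exact IP match more weight than two addresses in the same /24 (which mostly says “same hosting provider”), gives a shared malware family little weight, and gives no credit at all to any indicator that was already public before the later campaign, since an unrelated actor could simply have copied it. The weights, the campaign names and every indicator value are constructed assumptions (the addresses are from documentation-reserved space), not data from any real incident.

```python
import ipaddress

# Assumed weights, ordered by how hard the indicator is for an unrelated actor
# to reproduce. Illustrative only; not a published scoring scheme.
WEIGHTS = {
    "same_ip": 3.0,         # identical address
    "same_block": 1.0,      # same /24: usually just the same provider
    "shared_malware": 1.0,  # same family; weak once samples circulate
    "shared_theme": 0.5,    # same lure (ADFS, OneDrive...): anyone can copy a lure
}


def same_block(ip_a: str, ip_b: str, prefix: int = 24) -> bool:
    """True if both addresses fall in the same /prefix network."""
    net = ipaddress.ip_network(f"{ip_a}/{prefix}", strict=False)
    return ipaddress.ip_address(ip_b) in net


def overlaps(a: dict, b: dict) -> list:
    """List the (kind, value) overlaps between two campaigns' indicator sets."""
    found = []
    for ip in sorted(a["ips"] & b["ips"]):
        found.append(("same_ip", ip))
    for ip_a in sorted(a["ips"] - b["ips"]):
        for ip_b in sorted(b["ips"] - a["ips"]):
            if same_block(ip_a, ip_b):
                found.append(("same_block", (ip_a, ip_b)))
    for fam in sorted(a["malware"] & b["malware"]):
        found.append(("shared_malware", fam))
    for theme in sorted(a["theme"] & b["theme"]):
        found.append(("shared_theme", theme))
    return found


def score(found: list, published: frozenset = frozenset()) -> dict:
    """Weighted sum of overlaps.

    Indicators that were already public before the later campaign (IP
    addresses or malware names in `published`) are reported under
    'discounted' and contribute nothing, because a copycat could have
    reproduced them from the public write-up.
    """
    credited, discounted, total = [], [], 0.0
    for kind, value in found:
        values = value if isinstance(value, tuple) else (value,)
        if any(v in published for v in values):
            discounted.append((kind, value))
            continue
        credited.append((kind, value))
        total += WEIGHTS[kind]
    return {"score": total, "credited": credited, "discounted": discounted}


# Constructed campaigns in RFC 5737 documentation address space; not real data.
CAMPAIGN_A = {"ips": {"203.0.113.10"}, "malware": {"implant-1"}, "theme": {"ADFS"}}
CAMPAIGN_B = {"ips": {"203.0.113.10"}, "malware": {"implant-1"}, "theme": {"OneDrive"}}
CAMPAIGN_C = {"ips": {"203.0.113.200"}, "malware": {"implant-1"}, "theme": {"ADFS"}}

if __name__ == "__main__":
    ab = overlaps(CAMPAIGN_A, CAMPAIGN_B)
    print("A~B, nothing public yet:", score(ab))
    # Suppose A's C2 address and implant were written up publicly before B ran.
    print("A~B, after a public report:",
          score(ab, frozenset({"203.0.113.10", "implant-1"})))
    print("A~C (same /24, same implant, same lure):",
          score(overlaps(CAMPAIGN_A, CAMPAIGN_C)))
```

Run as written, A and B look strongly related (score 4.0) until the two overlapping indicators are marked as previously published, at which point the score drops to 0.0: the same evidence, with nothing changed but its publicity, stops distinguishing “the same group” from “someone who read the report.” A and C score 2.5 on infrastructure, malware and lure alone, which is exactly the kind of overlap a third party could reproduce by renting from the same provider and reusing circulating tooling.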

Where’s the Beef Evidence? Seriously, Where is It?

But let’s not focus exclusively on Trend Micro when it comes to the Macron hack. Because a lot of different cybersecurity companies made exactly the same attribution, along with the US government. Curiously, all of these sources appeared to be extremely confident that the phishing sites targeting the Macron campaign, identified by Trend Micro in its April 25th, 2017 report, were indeed attributable to ‘Fancy Bear’, and in a number of cases they even referred back to their big reports. And yet, when you look at the actual reports, there is no evidence listed and, in the case of the US government report, there’s no reference to the Macron hacks at all. It’s bizarre.

First, let’s take a look at this Defense One article from May 6, 2017. That’s one day after the BIG document dump of Macron campaign emails. Recall that there was a May 3rd document dump of a few documents that appeared to be tampered with and then a much larger May 5th dump.

Also recall, and as we’ll examine in more detail later, that both of these document dumps appeared to originate from within the American ‘Alt-Right’, with Andrew Auernheimer a central figure.

So this article was written one day after a very big last-minute document dump, and the way these documents were dumped did not at all fit the ‘Russia did it’ pattern. That’s why, when you read this article, you’ll see parallel discussions of the phishing sites that Trend Micro reported on a couple of weeks earlier paired with acknowledgments from Trend Micro that there’s no evidence conclusively pinning the hack on ‘Fancy Bear’. In other words, there’s an implicit acknowledgement that the phishing sites set up to target the Macron campaign may not have been the source of these hacked documents.

But when it comes to who set up those phishing sites, the article includes more than just Trend Micro drawing near-certain conclusions that Fancy Bear was behind it. A representative from Flashpoint, another cybersecurity firm, is also quoted as basically treating it as a foregone conclusion that ‘Fancy Bear’ set up the phishing sites, and the article links back to the US government’s “Grizzly Steppe” report, which was supposedly updated to include that evidence. But as we’ll see, Flashpoint never actually explains anywhere how it arrived at this conclusion, and the US government report contains no reference at all to the Macron hacks. It was “Trust Us” attribution at work all around:

Defense One

France’s Macron Hack Likely By Same Russian Group That Hit DNC, Sources Say

By Patrick Tucker
Technology Editor

May 6, 2017

The same Putin-backed hacking group that targeted the Democratic National Committee last year has been targeting French presidential candidate Emmanuel Macron, according to multiple cybersecurity groups.

On Friday, Macron claimed that his campaign had suffered a “massive and coordinated” data theft and smear campaign, some 9 gigabytes of data stolen and published to an anonymous sharing site called Pastebin.

No hard evidence has yet emerged linking the targeting to the doc dump. But over several weeks leading to the attack on Macron’s campaign, several firms in the private security community issued warnings. On April 25, cybersecurity group Trend Micro claimed a group known as APT 28, or Fancy Bear and Pawn Storm, was actively targeting the Macron campaign with bogus emails to convince campaign higher-ups to click on links.

The evidence: On March 15, operators working from IP addresses associated with APT 28 were registering domain names that were related to the Macron campaign, such as onedrive-en-marche.fr. Registering phony email domains would allow the operatives to send emails to targeted campaign workers that appear to be from the campaign. A cybersecurity professional with direct knowledge of the hack told Defense One that the same Putin-backed hacking group that targeted the DNC had also been targeting Macron. But they could not say with certainty that those actors were the same individuals who put the documents on the Pastebin site (or if the documents on Pastebin were even authentic).

Of particular interest in the Macron case is a new tactic: rather than luring the victim to a link and then trying to convince them to give up his or her password, APT 28 was targeting the Macron campaign with a lure to fake computer applications that looked like they actually came from Google. This time the victims weren’t prompted to give up their passwords. Instead they could simply authorize a program that looked like it came from a trusted provider to do what that program (looks like) it is supposed to do. The scam is called Open Authentication or an OAuth attack. “The big advantage is that users don’t have to reveal their password to the third party. Instead the third party applications get a token that can be used for authentication,” Trend Micro says in their report.

Greg Martin, CEO of the firm JASK, told Business Insider that this represented a clear escalation of tactics. “It’s a new style of attack … very deadly and unprecedented … It’s the first time we have seen this in the wild.”

Vitali Kremez, director of research at the cybersecurity firm Flashpoint, also offered cautious analysis to the New York Times on Friday. “The key goals and objectives of the campaign appear to be to undermine Macron’s presidential candidacy and cast doubt on the democratic electoral process in general.”

He later told Reuters that APT 28 was indeed behind the attack after determining that APT 28 related entities had “registered decoy internet addresses to mimic the name of En Marche … including onedrive-en-marche.fr and mail-en-marche.fr.”

The event follows months of warnings about Kremlin influence and information operations allegedly targeting the French election for the benefit of Marine Le Pen’s National Front Party. On January 8, France’s Minister of Defense Jean-Yves Le Drian told French newspapers that “one cannot be naive,” about the likelihood of Kremlin involvement to aid Le Pen, who has supported a closer relationship with Putin and a weakening of the EU.

Defense One first reported in January that the group sometimes known as Fancy Bear, APT 28, and by other names was actively targeting the French election with the same email tactics that they employed against previous targets, including, most famously the DNC.

It’s not the first time Kremlin-backed hackers have targeted France. In April of 2015, the same group, posing as ISIS-linked Islamic extremists and calling itself the Cyber Caliphate also attacked French television station TV5 Monde. The intent of that attack remains unclear.

Authorities and investigators have yet to make public hard forensic evidence linking the group to the hack on Macron’s campaign.

Today, in response to Macron’s claim, Trend Micro offered a clarifying statement. “Trend Micro does not have evidence that this is associated with the group known as Pawn Storm (also APT28 and other names). The techniques used in this case seem to be similar to previous attacks. Without further evidence, it is extremely difficult to attribute this hack to any particular person or group.”

In the meantime, some analysis suggests that portions of the 9 gigabyte document dump, or at least portions of it that are spreading on social media, may be forged.

@wikileaks Two documents purporting to show that Macron has offshore accounts were created yesterday, the day of the debate #MacronLeaks pic.twitter.com/cxqZnZmNTh
— Nathan Patin (@NathanPatin) May 6, 2017

The mixing of fake documents with stolen real documents, and then dumping both on the public to achieve a better political or market effect, is something that members of the intelligence community have worried about publicly for years. Kremlin-backed actors have done it before, but not through Wikileaks. Last August, hackers dumped a series of documents on the sites CyberBerkut and DC Leaks, both of which the intelligence community has linked to Putin’s government. It was an attempt to smear a Putin political opponent by connecting him to George Soros. Problem is, the docs didn’t match, suggesting a forgery.

———-

“France’s Macron Hack Likely By Same Russian Group That Hit DNC, Sources Say” by Patrick Tucker; Defense One; 05/06/2017

“No hard evidence has yet emerged linking the targeting to the doc dump. But over several weeks leading to the attack on Macron’s campaign, several firms in the private security community issued warnings. On April 25, cybersecurity group Trend Micro claimed a group known as APT 28, or Fancy Bear and Pawn Storm, was actively targeting the Macron campaign with bogus emails to convince campaign higher-ups to click on links.”

No hard evidence has yet emerged linking the targeting of the Macron camp with the phishing sites to the actual document dump. That was the assessment one day after the big Macron document dump. And that’s not unreasonable since it was just one day. That’s not a lot of time to gather evidence.

And yet the attribution of the phishing sites to ‘Fancy Bear’ is treated like a certainty. And that includes linking to the US government’s Grizzly Steppe report that purportedly ties the registration of the phishing site domain names to APT28/Fancy Bear:


The evidence: On March 15, operators working from IP addresses associated with APT 28 were registering domain names that were related to the Macron campaign, such as onedrive-en-marche.fr. Registering phony email domains would allow the operatives to send emails to targeted campaign workers that appear to be from the campaign. A cybersecurity professional with direct knowledge of the hack told Defense One that the same Putin-backed hacking group that targeted the DNC had also been targeting Macron. But they could not say with certainty that those actors were the same individuals who put the documents on the Pastebin site (or if the documents on Pastebin were even authentic).

Here’s the problem with that Grizzly Steppe report’s attribution. If you look at the Grizzly Steppe report, there is indeed an April 6, 2017 update listed on the home page of that report. It’s one line: “April 6, 2017: Updated AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity with Section 508 Remediation.” The problem is that if you look at the AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity report itself, there is no actual update with that information. If you search through the document, there is no “Section 508”. You won’t even find the words “France”, “Macron” or “onedrive”. There also isn’t any reference to the April 6, 2017 date. It’s as if the only update was the note on the homepage saying the report was updated.

And that’s not the only example of the assertion that ‘Fancy Bear’ was behind the registration of these Macron-targeted phishing domains. The Trend Micro report on “Pawn Storm” (Fancy Bear/APT28) released on April 25th, 2017, purporting to demonstrate that Fancy Bear was behind the phishing sites, contains a single reference to the Macron email hack in the list of domains Trend Micro has attributed to APT28. Go to page 13 of the report and you see the “Emmanuel Macron campaign” listed as the target and “onedrive-en-marche.fr” listed as the phishing domain, in a table of the domains Trend Micro has concluded were registered by Pawn Storm/Fancy Bear/APT28. That’s it. No description of how that attribution was made. And there is no other reference to France or the Macron campaign or anything else in the document. That means we have no idea what ‘digital fingerprints’ Trend Micro used to make that attribution. In other words, “Trust Us.”

And note that there’s no explanation in the report for how any of the other domain names listed in that table were conclusively attributed to Fancy Bear either, so there’s a lot of ambiguity about how Trend Micro arrived at ANY of its conclusions. “Trust Us Bigly.”

Similarly, when you read about how Flashpoint, another cybersecurity firm, also concluded that APT28/Fancy Bear/Pawn Storm was the entity that set up these phishing domains, the article refers back to a Reuters report in which Flashpoint tells Reuters that APT28 set up those domains. But, again, there’s absolutely no indication of how that attribution was made and no link to a publicly available report:


Vitali Kremez, director of research at the cybersecurity firm Flashpoint, also offered cautious analysis to the New York Times on Friday. “The key goals and objectives of the campaign appear to be to undermine Macron’s presidential candidacy and cast doubt on the democratic electoral process in general.”

He later told Reuters that APT 28 was indeed behind the attack after determining that APT 28 related entities had “registered decoy internet addresses to mimic the name of En Marche … including onedrive-en-marche.fr and mail-en-marche.fr.”

And if you read the Reuters article, Flashpoint’s Vitali Kremez simply tells Reuters that “his review indicated that APT 28, a group tied to the GRU, the Russian military intelligence directorate, was behind the leak.” That’s it. If there’s a public report somewhere explaining how they arrived at this attribution, it’s unclear where to find it.

So we have this odd situation where the US government GRIZZLY STEPPE report claims to have been updated with evidence that the Macron phishing campaign was operated by Fancy Bear, but that update doesn’t actually exist in the report. And Trend Micro’s and Flashpoint’s attributions are made without any explanation at all. Perhaps this evidence is publicly available elsewhere from these three sources?

Found Some Evidence! Or, Rather, Found Some ‘Evidence’!

That said, there are some reports that do give at least a bit of the technical evidence Trend Micro used to attribute these phishing domains to Fancy Bear/APT28/Pawn Storm. For example, the following April 24th, 2017, article in the Wall Street Journal about the Trend Micro report contains the following pieces of information: On March 15, someone used the name Johny Pinch and a fake Paris street address to register the name onedrive-en-marche.fr, according to public internet records. On April 12, someone using the same information registered mail-en-marche.fr, the records show. And those addresses were both hosted on IP address blocks previously associated with Pawn Storm, according to Trend Micro. There’s no further explanation, like a listing of those IP addresses or of which previous attacks were associated with them, and none of this information actually shows up in the report Trend Micro released. But at the time of the report’s release, Trend Micro was asserting to journalists that the IP address blocks hosting the onedrive-en-marche.fr and mail-en-marche.fr domains had previously been attributed to Fancy Bear:

The Wall Street Journal

Macron Campaign Wards Off Hacking Attempts Linked to Russia

Presidential candidate’s campaign suffers multipronged phishing attack beginning in mid-March

By Sam Schechner
April 24, 2017 1:17 p.m. ET

PARIS—Hackers matching the profile of a pro-Kremlin group have tried in recent weeks to access campaign email accounts of French presidential candidate Emmanuel Macron, a cybersecurity firm said Monday, raising fears of election interference in the final two weeks of France’s presidential campaign.

In a report set to be published Tuesday, security-research firm Trend Micro identified a pro-Kremlin hacking group it calls Pawn Storm as the likely source of a multipronged phishing attack that started in mid-March against Mr. Macron’s campaign.

As part of the attack, hackers set up multiple internet addresses that mimicked those of the campaign’s own servers in an attempt to lure Mr. Macron’s staffers into turning over their network passwords, said Feike Hacquebord, a senior threat researcher for Tokyo-based Trend Micro and the author of the report, a copy of which was reviewed by The Wall Street Journal.

On March 15, someone used the name Johny Pinch and a fake Paris street address to register the name onedrive-en-marche.fr, according to public internet records. On April 12, someone using the same information registered mail-en-marche.fr, the records show.

Those addresses were both hosted on internet protocol address blocks associated with Pawn Storm, Trend Micro’s Mr. Hacquebord said.

Mr. Hacquebord added that other clues, such as related addresses and the creation of security certificates to make the fake sites look authentic, mirror techniques used by the group in several dozen other cases identified in the report, including the hacks of the Christian Democratic Union and the Democratic National Committee.

“I cannot say for sure, but the fingerprints match,” Mr. Hacquebord said.

———-

“Macron Campaign Wards Off Hacking Attempts Linked to Russia” by Sam Schechner; The Wall Street Journal; 04/24/2017

“I cannot say for sure, but the fingerprints match”

That was the statement from the author of Trend Micro’s report. So what were these ‘fingerprints’? The IP address blocks hosting the phishing domains onedrive-en-marche.fr and mail-en-marche.fr were associated with attacks that had previously been attributed to Fancy Bear/APT28/Pawn Storm. Also, the technique of setting up security certificates to make the fake sites look real was something Fancy Bear had done before. That appears to be the technical evidence Trend Micro relied on:


On March 15, someone used the name Johny Pinch and a fake Paris street address to register the name onedrive-en-marche.fr, according to public internet records. On April 12, someone using the same information registered mail-en-marche.fr, the records show.

Those addresses were both hosted on internet protocol address blocks associated with Pawn Storm, Trend Micro’s Mr. Hacquebord said.

Mr. Hacquebord added that other clues, such as related addresses and the creation of security certificates to make the fake sites look authentic, mirror techniques used by the group in several dozen other cases identified in the report, including the hacks of the Christian Democratic Union and the Democratic National Committee.

And, as with so much of this, the evidence is actually quite weak. Sharing IP blocks with previous attacks merely suggests the use of the same Internet Service Provider (ISP), since an ISP is allocated a block of IP addresses and hands them out to its customers. And sharing an ISP with previous hackers is fairly weak evidence. Of course hackers are going to gravitate towards hacker-friendly ISPs!

But the weakest evidence is pointing to the use of security certificates on the fake phishing sites to make them appear real, so that the victim’s browser doesn’t pop up a warning. Because of course you would do that if you set up a fake phishing site. Any hacker would do that if they knew how to do it.

Also recall that the Trend Micro report makes absolutely no reference to any of the above ‘evidence’ described by the report’s author. It also doesn’t list the mail-en-marche.fr phishing domain at all. The ONLY reference to the Macron campaign is the listing of the onedrive-en-marche.fr domain in the table of domains Trend Micro has associated with Pawn Storm on page 13. That’s it.

So we have reports on April 24th, 2017, with an interview of the Trend Micro report’s author about the evidence they’ve found that Fancy Bear is behind these new phishing domains targeting Macron’s campaign. The evidence laid out in the article is both inherently vague and weak. And then the actual report issued the next day doesn’t even contain any of that evidence. So very, very odd.

How Certain Was Trend Micro Based on This Weak Evidence? 99 percent

And, surprise!, it gets odder. Or perhaps sadder. Because if you look at the various reports from Trend Micro back in April and May of 2017 about the Macron hacks, Trend Micro’s own representative, Loïc Guézo, starts off 99 percent certain that Fancy Bear was behind the phishing domains when Trend Micro first issued its April 25, 2017 report. But after the reports that US ‘Alt-Right’ neo-Nazis appeared to be behind the leaked documents, Guézo suddenly makes it very clear that the dump of stolen emails was very amateurish, that it is very ambiguous who was behind the hack, and that US neo-Nazis could have been behind it. So Trend Micro went from 99 percent certain that Fancy Bear was behind the phishing domains targeting the Macron campaign (without providing any actual evidence) to being very open to the possibility that a bunch of neo-Nazis actually carried out the hack. And yet this sudden change in certainty seems to have completely fallen down the memory hole now that the US Senate phishing domains have emerged.

And now, in January of 2018, we have Trend Micro concluding with 100 percent certainty that the US Senate phishing domains were ‘Fancy Bear’, and this 100 percent attribution is based on shared ‘digital fingerprints’ that uniquely tie back to two prior hacking campaigns Trend Micro had previously attributed to Pawn Storm/Fancy Bear/APT28, one in 2017 and one in 2016. So unless the 2017 incident with shared ‘digital fingerprints’ that Trend Micro is referring to is something other than the Macron campaign hack, we have to reconcile how on Earth Trend Micro is concluding with 100 percent certainty that these US Senate phishing sites were actually set up by Fancy Bear/APT28/Pawn Storm. It’s all really, really odd.

So let’s flesh out this oddness. First, here’s a look at an April 26 article in which Trend Micro’s Loïc Guézo claims 99 percent certainty that the phishing domains targeting the Macron campaign were the work of Fancy Bear/APT28/Pawn Storm. And note how the cybersecurity expert hired by the Macron campaign, Mounir Mahjoubi, was far less sure about this attribution:

France24

Cyber experts ‘99% sure’ Russian hackers are targeting Macron

Text by Sébastian SEIBT
Date created : 2017-04-26
Latest update : 2017-04-27

The Russian cyber-spying group Pawn Storm (also known as Fancy Bear) has targeted French presidential front-runner Emmanuel Macron, according to Japanese cyber-security experts. Macron campaign officials, however, say the group has so far failed.

Barely two weeks before the critical second round of the French presidential election, fears of Russian meddling in the 2017 campaign mounted with the publication of a report accusing Pawn Storm of targeting Macron’s En Marche! (Forward!) movement, employing identical tactics used to attack the Hillary Clinton campaign during the US presidential race.

A 41-page report, “Two Years of Pawn Storm,” by the Japanese cyber-security firm Trend Micro detailed a long list of the group’s targets, including German Chancellor Angela Merkel’s Christian Democratic Union party ahead of the September German general elections.

Reports of Russian cyber attackers targeting Macron’s campaign have been circulating for months, but the publication of the Trend Micro report provided details of the dates and domains targeted. They included a March 15 attempt to acquire sensitive information and passwords, a process known as “phishing” among cyber-security experts.

Campaign meets cyber-security officials

In January, a team of digital security officials from the Macron campaign visited the French cyber counter-espionage agency, ANSSI, to express concerns that their candidate was the “No. 1” target for fake news sites and cyber attacks, according to French media reports.

ANSSI is a government agency under the French defence ministry that advises public and private sector organisations about cyber-security measures.

The meeting between En Marche! and ANSSI officials followed a spate of rumours published on fake news sites as well as slanted coverage of Macron on Russian state media such as RT (formerly Russia Today) and the Sputnik news agency.

The concerns within the Macron camp led to the hiring of Mounir Mahjoubi, the former head of the French National Digital Council (CNNum), a council that advises on digital technologies.

In an interview with French weekly Journal du Dimanche in February, Mahjoubi was more cautious than his Macron campaign colleagues about cyber attacks emanating from Russian-linked groups. “There is no doubt about the frontal attacks of Sputnik and Russia Today, two Russia-funded media outlets. But for the rest, we do not know where they come from,” he said.

Russia has consistently denied reports of interfering in the election campaigns of other countries.

“What [hacking] groups? From where? Why Russia? This slightly reminds me of accusations from Washington, which have been left hanging in mid-air until now and do not do their authors any credit,” Kremlin spokesman Dmitry Peskov told reporters on Monday.

‘99 percent sure’ attacks are from Russia

But the authors of the latest Trend Micro report have no doubt about the origins of the phishing campaigns targeting Macron. “We are 99 percent sure that it is attacks from Russia,” Loïc Guézo, Trend Micro’s strategy director for southern Europe, told FRANCE 24.

Pawn Storm – an aggressive cyber-espionage group also known as Fancy Bear, Sednit, APT28, Sofacy or Strontium – is engaged in much more than “just espionage activities”, the report notes. Over the past year, “the group attempted to influence public opinion, to influence elections, and sought contact with mainstream media with some success”.

When it came to targeting the Macron campaign, Pawn Storm’s goal appeared to be to get into the email accounts of senior campaign officials to retrieve information about the candidate – a modus operandi familiar to members of the Clinton campaign.

Stealing passwords

Cyber-security specialists at Trend Micro found four phishing domains created to try to extract information. The domain names feature plausible versions of Macron’s political movement, designed to catch campaign officials off guard. They include onedrive-en-marche.fr, portal-office.fr, mail-en-marche.fr and accounts-office.fr.

“This group set up a specific infrastructure to target Emmanuel Macron’s movement in March and April 2017,” Guézo explained.

A cyber Cold War

In a December 2016 report, the US Department of Homeland Security’s cyber-security unit accused Pawn Storm – under the alternate name APT 28 – of acting on the Kremlin’s orders.

The APT 28 footprint has been on so many major cyber attacks in recent years – including an April 2015 shutdown of French media giant TV5 Monde – that experts view the group as a symbol of a cyber Cold War, combining computer piracy and online propaganda. A Financial Times report noted that US, UK, Israeli and German officials have all said they believe APT 28 is run by Russia’s sprawling military intelligence arm, the GRU.

Officials at Trend Micro, however, refuse to implicate the Kremlin directly: “All we can say is that the activities of this group are systematically aligned with the interests of the Russian authorities,” said Guézo.

Mahjoubi has reiterated that the attempts to target the Macron campaign so far have not succeeded. In his interviews with French media, Mahjoubi has admitted that traces of attack attempts have been found but that “none of the mailboxes have been hacked”.

En Marche! officials do not use email to share confidential information, according to the statement released Wednesday.

Mahjoubi has also refused to accuse a particular group for the attack attempts. “The procedure is very similar to [Pawn Storm], but you cannot rule out a very competent group trying to imitate them,” he warned.

But this hedging has not shaken Guézo’s conviction. The Macron campaign, he believes, is not willing to take the gloves off over this issue to avoid ruffling the Kremlin’s feathers if Macron is elected president next month.

———-

“Cyber experts ‘99% sure’ Russian hackers are targeting Macron” by Sébastian SEIBT; France24; 04/26/2017

“Mahjoubi has also refused to accuse a particular group for the attack attempts. “The procedure is very similar to [Pawn Storm], but you cannot rule out a very competent group trying to imitate them,” he warned.”

That was the word of caution from Mounir Mahjoubi, the former head of the French National Digital Council (CNNum) hired by the Macron campaign: “The procedure is very similar to [Pawn Storm], but you cannot rule out a very competent group trying to imitate them”. And it was a word of caution he issued not just about this Trend Micro report attributing the phishing domains to Fancy Bear. He had the same words of caution about the entire hacking campaign the Macron team had been experiencing throughout early 2017:


The concerns within the Macron camp led to the hiring of Mounir Mahjoubi, the former head of the French National Digital Council (CNNum), a council that advises on digital technologies.

In an interview with French weekly Journal du Dimanche in February, Mahjoubi was more cautious than his Macron campaign colleagues about cyber attacks emanating from Russian-linked groups. “There is no doubt about the frontal attacks of Sputnik and Russia Today, two Russia-funded media outlets. But for the rest, we do not know where they come from,” he said.

Mahjoubi has also refused to accuse a particular group for the attack attempts. “The procedure is very similar to [Pawn Storm], but you cannot rule out a very competent group trying to imitate them,” he warned.

But this hedging has not shaken Guézo’s conviction. The Macron campaign, he believes, is not willing to take the gloves off over this issue to avoid ruffling the Kremlin’s feathers if Macron is elected president next month.

And as we can see, Mahjoubi was already issuing words of caution about cyber attribution back in February 2017, when the Macron campaign was first talking about being attacked by Russian hackers. And Trend Micro’s analyst commenting on the report, Loïc Guézo, viewed those words of caution as politically motivated ‘hedging’, as opposed to a simple acknowledgement of the inherent ambiguities of digital forensic attribution. Guézo, instead, was “99 percent sure that it is attacks from Russia”, and that certainty was based on the attribution of who set up those phishing domains:


‘99 percent sure’ attacks are from Russia

But the authors of the latest Trend Micro report have no doubt about the origins of the phishing campaigns targeting Macron. “We are 99 percent sure that it is attacks from Russia,” Loïc Guézo, Trend Micro’s strategy director for southern Europe, told FRANCE 24.

Stealing passwords

Cyber-security specialists at Trend Micro found four phishing domains created to try to extract information. The domain names feature plausible versions of Macron’s political movement, designed to catch campaign officials off guard. They include onedrive-en-marche.fr, portal-office.fr, mail-en-marche.fr and accounts-office.fr.

“This group set up a specific infrastructure to target Emmanuel Macron’s movement in March and April 2017,” Guézo explained.
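The four domain names listed above fall into two impersonation patterns: the movement’s brand token glued to a service name (onedrive-en-marche.fr, mail-en-marche.fr) and bare cloud-service names registered under the campaign’s country TLD (portal-office.fr, accounts-office.fr). As an added example (not code from the page, Trend Micro or the Macron campaign), here is how a campaign’s defenders could triage a new-registration feed for both patterns; the feed, the own-zone list, the extra service names and the toy public-suffix table are assumptions, and a flag only means “look at this”, not “we know who registered it”.

```python
"""Lookalike-domain triage for a political campaign's brand (added example).

Flags registrations that either embed the campaign's brand token or are built
purely from cloud-service names on the campaign's TLD. Nothing here attributes
a domain to anyone; it only queues it for a human to review.
"""
from dataclasses import dataclass, field
from typing import List

# Registrable domains the campaign controls (assumption: en-marche.fr is the
# movement's own zone, so anything beneath it is legitimate, not a lookalike).
OWN_DOMAINS = {"en-marche.fr"}
OWN_TLD = "fr"
# Brand tokens that should never appear inside a third-party registration.
BRAND_TOKENS = ("en-marche", "enmarche", "macron")
# Service names taken from the page's four domains plus a few assumed extras.
SERVICE_TOKENS = {"onedrive", "mail", "portal", "accounts", "office",
                  "login", "webmail", "sharepoint"}
# Toy public-suffix table; a real deployment would load the Public Suffix List.
PUBLIC_SUFFIXES = ("co.uk", "com", "fr", "net", "org", "eu")


@dataclass
class Finding:
    domain: str
    registrable: str
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def registrable_domain(fqdn: str) -> str:
    """Strip subdomains: 'mail.google.com' -> 'google.com'."""
    host = fqdn.lower().rstrip(".")
    for suffix in sorted(PUBLIC_SUFFIXES, key=len, reverse=True):
        if host.endswith("." + suffix):
            label = host[: -len(suffix) - 1].split(".")[-1]
            return f"{label}.{suffix}"
    return host


def triage(fqdn: str) -> Finding:
    """Classify one domain; `reasons` stays empty for benign names."""
    reg = registrable_domain(fqdn)
    finding = Finding(domain=fqdn.lower(), registrable=reg)
    if reg in OWN_DOMAINS:
        return finding   # e.g. onedrive.en-marche.fr is our own subdomain, not a lookalike
    label, _, tld = reg.partition(".")
    # Pattern 1: our brand token inside someone else's registration.
    for token in BRAND_TOKENS:
        if token in label:
            finding.reasons.append(f"brand token '{token}' in third-party registration")
            break
    # Pattern 2: a label made only of service names (portal-office, accounts-office)
    # on the campaign's TLD. One token alone (office.com) is a real vendor, not a flag.
    parts = label.split("-")
    if tld == OWN_TLD and len(parts) >= 2 and all(p in SERVICE_TOKENS for p in parts):
        finding.reasons.append(f"service-name impersonation on .{tld}: {label}")
    return finding


def scan(feed: List[str]) -> List[str]:
    """Return the registrable domains worth a human look, in feed order."""
    return [f.registrable for f in map(triage, feed) if f.suspicious]


# Constructed new-registration feed: the four domains from the page mixed with
# names a campaign sees every day and must not flag.
SAMPLE_FEED = [
    "onedrive-en-marche.fr", "lemonde.fr", "portal-office.fr",
    "onedrive.en-marche.fr", "mail-en-marche.fr", "office.com",
    "accounts-office.fr", "mail.google.com",
]

if __name__ == "__main__":
    for f in map(triage, SAMPLE_FEED):
        print(("FLAG " if f.suspicious else "ok   ") + f.domain, *f.reasons)
```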

And again, note how it’s implied that the evidence for this attribution is laid out in Trend Micro’s 41-page report:


A 41-page report, “Two Years of Pawn Storm,” by the Japanese cyber-security firm Trend Micro detailed a long list of the group’s targets, including German Chancellor Angela Merkel’s Christian Democratic Union party ahead of the September German general elections.

Yes, this report does indeed “detail a long list of the group’s targets.” It just doesn’t give any details on how these attributions were made. And while we saw in the above Wall Street Journal article that the attribution was based on shared IP blocks between two of the phishing domains and IP addresses previously attributed to Fancy Bear, that’s also really weak evidence, and the report doesn’t list anything more.

And while it’s not outlandish that some elements of the analysis of these hacking campaigns won’t be publicly shared, there is basically no indication at all in that report of how any of the long list of phishing domains was attributed to Fancy Bear/Pawn Storm. It’s a black box of analysis.

And it’s not like cybersecurity companies don’t ever issue reports detailing their attribution evidence. For instance, when you look at the report issued by the cybersecurity researchers linking the hacked documents back to Andrew Auernheimer and US neo-Nazis, they give all sorts of very specific technical evidence of how they arrived at their conclusion. And that evidence is pretty damn convincing. So convincing that Loïc Guézo of Trend Micro admitted that the attribution for the hacking (as opposed to setting up the phishing sites) is a very open question after seeing that evidence:

EUObserver

US neo-Nazis linked to Macron hack

By Andrew Rettman
BRUSSELS, 12. May 2017, 09:23

The spread of stolen emails designed to harm Emmanuel Macron was linked to US-based neo-Nazis, according to a French investigation.

France’s Le Monde newspaper reported on Thursday (11 May) that a website called nouveaumartel.com, which was named as a go-to place for the purloined emails, shared the same digital infrastructure as dailystormer.com, a website created by the US neo-Nazi activist Andrew Auernheimer.

The emails were dumped online on 5 May, shortly before Macron won the French presidential election by a landslide.

The dump came two days after an anonymous user of an online message board called 4chan.org published fake documents purporting to show that Macron had an offshore fund.

“The French scene will be at nouveaumartel.com later”, the anonymous 4chan.org user said.

The dailystormer.com’s Auernheimer is a white supremacist convicted of cyber crimes in the US.

His website often popularises the work of Nathan Damigo, another US far-right activist who gained notoriety after physically assaulting an anti-fascist protester.

Auernheimer, in a posting on his site on 4 May, suggested that Damigo was about to publish anti-Macron material.

“The prophet of the white sharia Nathan Damigo is about to release the frogs from pederasty”, he wrote.

Frogs could be a derogatory reference to French people or to a cartoon frog, Pepe, adopted as a symbol by US neo-Nazis.

Pederasty could be a homophobic allusion to unsubstantiated claims, first spread by Russian media, that Macron was gay, or to the fact that he fell in love with an older woman in his adolescence.

The stolen Macron emails were eventually dumped on the website Pastebin and were popularised online by other US-based far-right conspiracy theorists such as William Craddick and Jack Posobiec.

The National Security Agency in the US said earlier this week that the Russian regime stole the Macron emails.

Trend Micro, a Japanese-based cyber security firm, said in April that the Russian regime had previously tried to hack Macron’s team.

But one of the firm’s experts, Loic Guezo, told EUobserver this week that the 5-May dump of stolen Macron emails was more amateurish than the Russian state’s modus operandi.

“It could even have been some alt-right activist in the US hacking Macron’s team. It’s fully open”, he said.

The links between US far-right activists, the Russian state, and the campaign team of US president Donald Trump are the subject of an FBI investigation in the US.

Meanwhile, Jack Posobiec, who has previously said that Macron is controlled by telepathy and by drugs, has obtained a White House press badge.

He attended a press briefing on 11 May on the FBI affair and later broadcast a video from the White House grounds praising the FBI chief’s sacking.

———-

“US neo-Nazis linked to Macron hack” by Andrew Rettman; EUObserver; 05/12/2017

“France’s Le Monde newspaper reported on Thursday (11 May) that a website called nouveaumartel.com, which was named as a go-to place for the purloined emails, shared the same digital infrastructure as dailystormer.com, a website created by the US neo-Nazi activist Andrew Auernheimer.”

Ok, let’s break this down, because it’s somewhat confusing:

1. So on May 3rd, 2017, hacked Macron documents that appear to have been tampered with show up on 4chan.org, an ‘Alt-Right’ stomping ground. The user posting these documents then tells everyone that there’s going to be a bunch more documents showing up on nouveaumartel.com.

2. Cybersecurity researchers discover that the digital infrastructure behind nouveaumartel.com shares a heavy overlap with the Daily Stormer, a site managed by neo-Nazi hacker extraordinaire Andrew Auernheimer.

3. On May 4th, Andrew Auernheimer posts on his site that Nathan Damigo, another US far-right activist, is about to dump a whole bunch of Macron files.

4. On May 5th, the big document dump happens. Although it doesn’t show up on nouveaumartel.com. Instead, it shows up on Pastebin, a neutral site where people can just post documents and text.

5. After the second, much larger document dump on Pastebin, the documents quickly get spread around by Alt-Right figures.

That’s the summary of what happened:


The emails were dumped online on 5 May, shortly before Macron won the French presidential election by a landslide.

The dump came two days after an anonymous user of an online message board called 4chan.org published fake documents purporting to show that Macron had an offshore fund.

“The French scene will be at nouveaumartel.com later”, the anonymous 4chan.org user said.

The dailystormer.com’s Auernheimer is a white supremacist convicted of cyber crimes in the US.

His website often popularises the work of Nathan Damigo, another US far-right activist who gained notoriety after physically assaulting an anti-fascist protester.

Auernheimer, in a posting on his site on 4 May, suggested that Damigo was about to publish anti-Macron material.

“The prophet of the white sharia Nathan Damigo is about to release the frogs from pederasty”, he wrote.

Frogs could be a derogatory reference to French people or to a cartoon frog, Pepe, adopted as a symbol by US neo-Nazis.

Pederasty could be a homophobic allusion to unsubstantiated claims, first spread by Russian media, that Macron was gay, or to the fact that he fell in love with an older woman in his adolescence.

The stolen Macron emails were eventually dumped on the website Pastebin and were popularised online by other US-based far-right conspiracy theorists such as William Craddick and Jack Posobiec.

It’s obviously some pretty compelling evidence that, at a minimum, a bunch of ‘Alt-Right’ neo-Nazis played some sort of role in this hack. And, sure enough, Trend Micro’s Loïc Guézo, who was 99 percent sure the phishing domains were set up by Fancy Bear, was suddenly very open to the possibility that the ‘Alt-Right’ could have been behind the hack:


Trend Micro, a Japanese-based cyber security firm, said in April that the Russian regime had previously tried to hack Macron’s team.

But one of the firm’s experts, Loic Guezo, told EUobserver this week that the 5-May dump of stolen Macron emails was more amateurish than the Russian state’s modus operandi.

“It could even have been some alt-right activist in the US hacking Macron’s team. It’s fully open”, he said.

“It could even have been some alt-right activist in the US hacking Macron’s team. It’s fully open”

It’s fully open. That was Loïc Guézo’s take on the situation after this revelation about the apparent ‘Alt-Right’ foreknowledge of these hacks. And yet here we are, almost a year later, and the Macron hack is being treated as if it’s an open-and-shut case that ‘the Russians did it’ and there is no mention at all of the role of Auernheimer and the ‘Alt-Right’.

Self-implicating “I’m a Russian Hacker!” Meta-Data Strikes Again

Now, it’s important to note that it’s entirely possible that you could have a situation where Fancy Bear (or another group trying to mimic Fancy Bear) did indeed set up a bunch of phishing sites while a bunch of neo-Nazis conducted a completely separate hacking operation. It’s also possible that Fancy Bear (or a third party pretending to be them) could have successfully pulled off a hack using their phishing domains and then handed the documents to Auernheimer or his associates. And yet these possibilities are never even mentioned. It’s as if any story that raises the mere possibility that some of these hacks are being done by non-Russian hackers, or might involve the cooperation of non-Russian hackers, is completely ignored by almost everyone. What’s the explanation for this?

Well, part of the explanation probably has to do with the fact that metadata found in the dumped Macron documents just happened to contain identifying information of a Russian security contractor at a company that does work for the FSB. It was reminiscent of the “I’m a Russian hacker” metadata discovered literally one day after Guccifer 2.0 initially released some hacked DNC documents in June of 2015. Except even more self-implicating because the meta-data contained an actual name of an actual employee.

Another bit of metadata used to attribute the hacked Macron documents to Fancy Bear was the metadata of who uploaded the hacked documents, which led to an email address on a German free webmail provider. And this was declared to be further proof that this was the work of Fancy Bear because that same free webmail provider was used in some earlier attacks attributed to Fancy Bear. Which is horribly weak evidence. Of course hackers are going to use a free German webmail provider. Germany has branded itself as a data privacy haven. All sorts of hackers are probably using free German webmail providers. It’s just silly to use that as evidence for attribution. And yet it happened.
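Both metadata items discussed above, the last-modified-by name inside the Office files and the uploader’s webmail address, are plain strings written by whatever software produced them. The following is an added example for this post, not code or analysis from WikiLeaks, Ars Technica or anyone quoted here: it pulls the authorship fields out of a .docx package’s docProps/core.xml and records what an unsigned package can and cannot support. The sample document is constructed in memory, and the creator and editor names in it are placeholders, not real people.

```python
"""Extract OOXML core properties from a .docx and record what they can prove.

Added example for this post; not the analysis of WikiLeaks, Ars Technica or
anyone quoted above. The sample document is constructed in memory, and the
creator and editor names in it are placeholders, not real people.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime
from typing import Dict, Optional
from xml.sax.saxutils import escape

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}

CONTENT_TYPES_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
<Override PartName="/docProps/core.xml"
 ContentType="application/vnd.openxmlformats-package.core-properties+xml"/>
</Types>"""

CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<dc:creator>{creator}</dc:creator>
<cp:lastModifiedBy>{editor}</cp:lastModifiedBy>
<dcterms:created xsi:type="dcterms:W3CDTF">{created}</dcterms:created>
<dcterms:modified xsi:type="dcterms:W3CDTF">{modified}</dcterms:modified>
</cp:coreProperties>"""


def build_sample_docx(creator: str, editor: str,
                      created: str = "2017-04-20T09:00:00Z",
                      modified: str = "2017-05-04T21:30:00Z") -> bytes:
    """Constructed minimal package containing only the parts the parser reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES_XML)
        z.writestr("docProps/core.xml", CORE_XML.format(
            creator=escape(creator), editor=escape(editor),
            created=created, modified=modified, **NS))
    return buf.getvalue()


def _w3cdtf(value: Optional[str]) -> Optional[datetime]:
    """Parse the W3CDTF timestamps core.xml uses (trailing Z means UTC)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def read_core_properties(docx_bytes: bytes) -> Dict[str, object]:
    """Return the authorship fields from docProps/core.xml (None when absent)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = z.namelist()
        # OOXML digital signatures, when present, are stored under _xmlsignatures/.
        signed = any(n.startswith("_xmlsignatures/") for n in names)
        root = (ET.fromstring(z.read("docProps/core.xml"))
                if "docProps/core.xml" in names else None)

    def text(path: str) -> Optional[str]:
        el = root.find(path, NS) if root is not None else None
        return el.text if el is not None else None

    return {"creator": text("dc:creator"),
            "last_modified_by": text("cp:lastModifiedBy"),
            "created": text("dcterms:created"),
            "modified": text("dcterms:modified"),
            "signed": signed}


def assess_authorship_metadata(docx_bytes: bytes) -> Dict[str, object]:
    """Attach to the raw fields a note on what they can support.

    The name fields are free text written by whichever application last saved
    the file, on whichever machine that happened; nothing in an unsigned
    package ties them to a person or a network.
    """
    props = read_core_properties(docx_bytes)
    created, modified = _w3cdtf(props["created"]), _w3cdtf(props["modified"])
    timeline_ok = None if not (created and modified) else modified >= created
    resaved = bool(props["creator"] and props["last_modified_by"]
                   and props["creator"] != props["last_modified_by"])
    return {**props,
            "resaved_by_other_identity": resaved,
            "timeline_consistent": timeline_ok,
            # Unsigned: names are corroborating context, never proof of who acted.
            "evidence_weight": ("signature-part-present" if props["signed"]
                                else "corroborating-only")}


if __name__ == "__main__":
    doc = build_sample_docx("campaign-staffer", "Constructed Editor Name")
    for key, value in assess_authorship_metadata(doc).items():
        print(f"{key:26} {value}")
```

The useful output of such a check is the last line: an unsigned package yields names and timestamps that describe the last save environment, which is exactly the kind of indicator that should be weighed alongside hosting, distribution and timing evidence rather than treated as an identification on its own.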

So after this metadata hysteria was used to ‘conclusively’ prove that Russia really was behind the hack, the question of what role Andrew Auernheimer and the ‘Alt Right’ neo-Nazis played in the hack stopped getting asked. The desired ‘answer’ was achieved:

Ars Technica

Evidence suggests Russia behind hack of French president-elect

Russian security firms’ metadata found in files, according to WikiLeaks and others.

Sean Gallagher – 5/8/2017, 1:18 PM

Late on May 5 as the two final candidates for the French presidency were about to enter a press blackout in advance of the May 7 election, nine gigabytes of data allegedly from the campaign of Emmanuel Macron were posted on the Internet in torrents and archives. The files, which were initially distributed via links posted on 4Chan and then by WikiLeaks, had forensic metadata suggesting that Russians were behind the breach—and that a Russian government contract employee may have falsified some of the dumped documents.

Even WikiLeaks, which initially publicized the breach and defended its integrity on the organization’s Twitter account, has since acknowledged that some of the metadata pointed directly to a Russian company with ties to the government:

Evrika (“Eureka”) ZAO is a large information technology company in St. Petersburg that does some work for the Russian government, and the group includes the Federal Security Service of the Russian Federation (FSB) among its acknowledged customers (as noted in this job listing). The company is a systems integrator, and it builds its own computer equipment and provides “integrated information security systems.” The metadata in some Microsoft Office files shows the last person to have edited the files to be “Roshka Georgiy Petrovich,” a current or former Evrika ZAO employee.

[see screenshot of metadata showing the name of Evrika ZAO employee “Roshka Georgiy Petrovich”]

The metadata attached to the upload of the Macron files also includes some identifying data with an e-mail address for the person uploading the content to archive.org:

The e-mail address of the uploader, frankmacher1@gmx.de, is registered with a German free webmail provider used previously in 2016 Pawn Storm / APT28 phishing attacks against the Christian Democratic Union, German Chancellor Angela Merkel’s political party.

The involvement of APT28, the editing of some documents leaked by someone using a Russian version of Microsoft Office, and the attempt to spread the data through amplification in social media channels such as 4Chan, Twitter, and Facebook—where a number of new accounts posted links to the data—are all characteristics of the information operations seen during the 2016 US presidential campaign.

———-

“Evidence suggests Russia behind hack of French president-elect” by Sean Gallagher; Ars Technica; 05/08/2017

Evrika (“Eureka”) ZAO is a large information technology company in St. Petersburg that does some work for the Russian government, and the group includes the Federal Security Service of the Russian Federation (FSB) among its acknowledged customers (as noted in this job listing). The company is a systems integrator, and it builds its own computer equipment and provides “integrated information security systems.” The metadata in some Microsoft Office files shows the last person to have edited the files to be “Roshka Georgiy Petrovich,” a current or former Evrika ZAO employee

Yep, a Russian contractor apparently screwed up big time and modified a hacked Word document using a copy of Word registered to his personal name. That’s what we’re expected to believe. And while it’s certainly possible a mistake of that nature happened, when you factor in the larger context of ‘Alt-Right’ fingerprints all over the actual distribution of the documents and the fact that metadata was also used to attribute the DNC hacks to Russian hackers, it seems like an outrageous conclusion to assume with certainty that this metadata was indeed strong evidence of Russian hackers at work.

Similarly, the fact that the uploader’s email address was on the same free German webmail service used in previous attacks attributed to Fancy Bear is basically no evidence at all. And yet it’s treated as such:


The metadata attached to the upload of the Macron files also includes some identifying data with an e-mail address for the person uploading the content to archive.org:

The e-mail address of the uploader, frankmacher1@gmx.de, is registered with a German free webmail provider used previously in 2016 Pawn Storm / APT28 phishing attacks against the Christian Democratic Union, German Chancellor Angela Merkel’s political party.

And that metadata appears to be the ‘evidence’ that more or less put to rest any questions about who actually hacked those documents. It was Fancy Bear.

Seriously, once this metadata was discovered, the news reports treated it as case closed. For instance, check out this New York Times article from May 9th, 2017, where the attribution is almost entirely based on the metadata and other ‘digital fingerprints’ in the documents suggesting that the documents were modified on Russian-language computers using Russian versions of software like Microsoft Word.

And there’s one particularly revealing comment from John Hultquist, the director of cyberespionage analysis at FireEye, another US cybersecurity company: “There was a time when Russian hackers were characterized by their lack of sloppiness,” Mr. Hultquist said. “When they made mistakes, they burned their entire operation and started anew. But since the invasion of Ukraine and Crimea we’ve seen them carry out brazen, large scale attacks, [perhaps because] there have been few consequences for their actions.”

There was a time when Russian hackers would “burn their entire operation and start anew” if they were caught. But now? It’s sloppiness and mistakes and reuse of the same digital infrastructure with almost every hack. Apparently:

The New York Times

Hackers Came, but the French Were Prepared

By ADAM NOSSITER, DAVID E. SANGER and NICOLE PERLROTH
MAY 9, 2017

PARIS — Everyone saw the hackers coming.

The National Security Agency in Washington picked up the signs. So did Emmanuel Macron’s bare-bones technology team. And mindful of what happened in the American presidential campaign, the team created dozens of false email accounts, complete with phony documents, to confuse the attackers.

The Russians, for their part, were rushed and a bit sloppy, leaving a trail of evidence that was not enough to prove for certain they were working for the government of President Vladimir V. Putin but which strongly suggested they were part of his broader “information warfare” campaign.

Testifying in front of the Senate Armed Services Committee in Washington on Tuesday, Adm. Michael S. Rogers, the director of the National Security Agency, said American intelligence agencies had seen the attack unfolding, telling their French counterparts, “Look, we’re watching the Russians. We’re seeing them penetrate some of your infrastructure. Here’s what we’ve seen. What can we do to try to assist?”

But the staff at Mr. Macron’s makeshift headquarters in the 15th Arrondissement at the edge of Paris didn’t need the N.S.A. to tell them they were being targeted: In December, after the former investment banker and finance minister had emerged as easily the most anti-Russian, pro-NATO and pro-European Union candidate in the presidential race, they began receiving phishing emails.

Oddly, the Russians did a poor job of covering their tracks. That made it easier for private security firms, on alert after the efforts to manipulate the American election, to search for evidence.

In mid-March, researchers with Trend Micro, the cybersecurity giant based in Tokyo, watched the same Russian intelligence unit behind some of the Democratic National Committee hacks start building the tools to hack Mr. Macron’s campaign. They set up web domains mimicking those of Mr. Macron’s En Marche! Party, and began dispatching emails with malicious links and fake login pages designed to bait campaign staffers into divulging their usernames and passwords, or to click on a link that would give the Russians a toehold onto the campaign’s network.

It was the classic Russian playbook, security researchers say, but this time the world was prepared. “The only good news is that this activity is now commonplace, and the general population is so used to the idea of a Russian hand behind this, that it backfired on them,” said John Hultquist, the director of cyberespionage analysis at FireEye, the Silicon Valley security firm.

Mr. Hultquist noted that the attack was characterized by haste, and a trail of digital mistakes. “There was a time when Russian hackers were characterized by their lack of sloppiness,” Mr. Hultquist said. “When they made mistakes, they burned their entire operation and started anew. But since the invasion of Ukraine and Crimea,” he said, “we’ve seen them carry out brazen, large scale attacks,” perhaps because “there have been few consequences for their actions.”

The hackers also made the mistake of releasing information that was, by any campaign standard, pretty boring. The nine gigabytes worth of purportedly stolen emails and files from the Macron campaign was spun as scandalous material, but turned out to be almost entirely the humdrum of campaign workers trying to conduct ordinary life in the midst of the election maelstrom.

One of the leaked emails details a campaign staffer’s struggle with a broken down car. Another documents how a campaign worker was reprimanded for failure to invoice a cup of coffee.

That is when the hackers got sloppy. The metadata tied to a handful of documents — code that shows the origins of a document — show some passed through Russian computers and were edited by Russian users. Some Excel documents were modified using software unique to Russian versions of Microsoft Windows.

Other documents had last been modified by Russian usernames, including one person that researchers identified as a 32-year-old employee of Eureka CJSC, based in Moscow, a Russian technology company that works closely with the Russian Ministry of Defense and intelligence agencies. The company has received licenses from Russia’s Federal Security Service, or FSB, to help protect state secrets. The company did not return emails requesting comment.

Other leaked documents appear to have been forged, or faked. One purported to detail the purchase of the stimulant mephedrone, sometimes sold as “bath salts,” by a Macron campaign staffer who allegedly had the drugs shipped to the address of France’s National Assembly. But Henk Van Ess, a member of the investigations team at Bellingcat, a British investigations organization, and others discovered that the transaction numbers in the receipt were not in the public ledger of all Bitcoin transactions.

“It’s clear they were rushed,” Mr. Hultquist said. “If this was APT28,” he said, using the name for a Russian group believed to be linked to the GRU, a military intelligence agency, “they have been caught in the act, and it has backfired for them.”

Now, he said, the failure of the Macron hacks could just push Russian hackers to improve their methods.

“They may have to change their playbook entirely,” Mr. Hultquist said.

———-

“Hackers Came, but the French Were Prepared” by ADAM NOSSITER, DAVID E. SANGER and NICOLE PERLROTH; The New York Times; 05/09/2017

“Oddly, the Russians did a poor job of covering their tracks. That made it easier for private security firms, on alert after the efforts to manipulate the American election, to search for evidence.”

Yes, it is quite odd how poor a job the Russians did of covering their tracks, if indeed this was a Russian government operation. Ahistorically odd:


It was the classic Russian playbook, security researchers say, but this time the world was prepared. “The only good news is that this activity is now commonplace, and the general population is so used to the idea of a Russian hand behind this, that it backfired on them,” said John Hultquist, the director of cyberespionage analysis at FireEye, the Silicon Valley security firm.

Mr. Hultquist noted that the attack was characterized by haste, and a trail of digital mistakes. “There was a time when Russian hackers were characterized by their lack of sloppiness,” Mr. Hultquist said. “When they made mistakes, they burned their entire operation and started anew. But since the invasion of Ukraine and Crimea,” he said, “we’ve seen them carry out brazen, large scale attacks,” perhaps because “there have been few consequences for their actions.”

“When they made mistakes, they burned their entire operation and started anew.”

So until the conflict broke out in Ukraine, Russian hackers were intelligent enough to ‘burn their entire operation’ and switch up their methodology after getting caught. But ever since the conflict with Ukraine, Russian hackers have suddenly decided to keep leaving the same ‘digital fingerprints’ over and over despite ‘getting caught’. And they’ve started leaving self-implicating metadata. It’s all quite odd.

And notice how the narrative of that article made no distinction between the phishing sites that Trend Micro and others attributed to Fancy Bear and the actual hacking and distribution of the documents that appeared to come from US ‘Alt-Right’ neo-Nazis. Recall how even Trend Micro’s analysts considered the question of who did the actual hacking ‘fully open’ one day after the hacks. But then this “I’m a Russian hacker!” metadata is discovered and the ‘Alt-Right’ neo-Nazi angle of the entire affair is suddenly forgotten. In fact, if you read the full article, there was no mention of the ‘Alt-Right’ neo-Nazis at all. It was like it never happened.

Everyone Says it Was Fancy Bear. Except the French Cybersecurity Agency

So pretty much everyone in the cybersecurity arena has concluded that this hack was indeed done by Fancy Bear, right? Well, not quite. There are plenty of cybersecurity professionals who have been critical of contemporary cyber attribution standards. And as the following article from June of 2017, about a month after the actual hack, makes clear, there was one very notable dissenter from Dmitri Alperovitch’s attribution standards: the head of the French cybersecurity agency, Guillaume Poupard, viewed the hack as so unsophisticated that a lone individual could have pulled it off.

And Poupard had another critical warning: false flag cyberattacks designed to pit one nation against another could be used to create “international chaos”:

EU Observer

Macron Leaks could be ‘isolated individual’, France says

By Andrew Rettman
BRUSSELS, 2. Jun 2017, 09:20

France has found no evidence that Russia was behind Macron Leaks, but Russian leader Vladimir Putin has warned that “patriotic” hackers could strike the German election.

Guillaume Poupard, the head of the French cyber security agency, Anssi, told the AP news agency on Thursday (1 June) that the Macron hack resembled the actions of “an isolated individual”.

“The attack was so generic and simple that it could have been practically anyone”, he said. “It really could be anyone. It could even be an isolated individual”.

The Macron Leaks saw a hacker steal and publish internal emails from the campaign of Emmanuel Macron 48 hours before the French vote last month, which Macron went on to win.

Some security experts blamed it on a hacker group called APT28, which is said by the US to be a front for Russian intelligence.

But Poupard said on Thursday: “To say Macron Leaks was APT28, I’m absolutely incapable today of doing that … I have absolutely no element to say whether it’s true or false”.

Macron’s campaign was also targeted by hackers earlier in March in a more sophisticated attack blamed on APT28.

‘Patriotic’ threat

US and German intelligence chiefs have been more bold in their accusations.

Hans-Georg Maassen, the director of Germany’s BfV intelligence service, said in May that Kremlin-linked hackers had stolen information on German MPs in the run-up to the German election in September.

“We recognise this as a campaign being directed from Russia”, he said.

But Russia has denied the allegations.

Its president, Vladimir Putin, told media in Moscow on Thursday: “We do not engage in this activity at the government level and are not going to engage in it”.

He warned at the same time that independent hackers might target the German or other EU elections for “patriotic” reasons if they felt leaders were “speaking ill of Russia”.

“Hackers are free people like artists. If artists get up in the morning feeling good, all they do all day is paint”, Putin said.

“The same goes for hackers. They got up today and read that something is going on internationally. If they are feeling patriotic they will start contributing, as they believe, to the justified fight against those speaking ill of Russia”.

With Macron having won despite the leaks, Putin said: “I am deeply convinced that no hackers can have a real impact on an election campaign in another country”.

Macron, at a meeting with Putin in Paris on Monday, said Russian state media tried to influence the vote with fake news, but Putin said on Thursday: “Nothing, no information can be imprinted in voters’ minds, in the minds of a nation, and influence the final outcome and the final result”.

False flags

Poupard and Putin said false flag attacks were easier in cyberspace than in real life.

Poupard said France had in the past been hacked by groups “attributed to China … I don’t know if it was the state, criminals”. But he added that: “What I’m certain of is that among these attacks, some strangely resembled Chinese attacks but in fact didn’t come from China”.

Putin said: “I can image a scenario when somebody develops a chain of attacks in a manner that would show Russia as the source of these attacks. Modern technology allows that. It’s very easy”.

Poupard said if states wrongly accused each other of cyber strikes it could lead to “international chaos”.

“We’ll get what we all fear, which is to say a sort of permanent conflict where everyone is attacking everyone else”, he said.

The “nightmare scenario” would be “a sort of permanent war, between states and other organisations, which can be criminal and terrorist organisations, where everyone will attack each other, without really knowing who did what”, he said.

———-

“Macron Leaks could be ‘isolated individual’, France says” by Andrew Rettman; EU Observer; 06/02/2017

“The attack was so generic and simple that it could have been practically anyone…It really could be anyone. It could even be an isolated individual”.

That was what Guillaume Poupard, the head of the French cyber security agency, Anssi, told the AP news agency. The attack was so generic and simple that it could have been done by an isolated individual. It’s a big reminder of why similarities in methodology between attacks are such a weak basis for attribution for so many of the hacking campaigns we’re seeing: you don’t need a super sophisticated hacking campaign when all you’re doing is spear-phishing. Sure, you need to set up convincing fake login websites or convincing emails that trick at least one person into downloading malware, but that’s the kind of thing a skilled isolated individual can do:


Some security experts blamed it on a hacker group called APT28, which is said by the US to be a front for Russian intelligence.

But Poupard said on Thursday: “To say Macron Leaks was APT28, I’m absolutely incapable today of doing that … I have absolutely no element to say whether it’s true or false”.

“To say Macron Leaks was APT28, I’m absolutely incapable today of doing that … I have absolutely no element to say whether it’s true or false”

That seems like a pretty important point to publicly make in this kind of situation. After all, if major high-profile hacks are taking place – hacks that appear to be coming from nation states because of all the sloppy clues being left – and those hacks could indeed be carried out by individuals who would like to sow international chaos, it seems like the public should know this. And yet the head of the French cybersecurity agency is largely the only cybersecurity public official making this point, which is dangerously odd:


Poupard said France had in the past been hacked by groups “attributed to China … I don’t know if it was the state, criminals”. But he added that: “What I’m certain of is that among these attacks, some strangely resembled Chinese attacks but in fact didn’t come from China”.

Poupard said if states wrongly accused each other of cyber strikes it could lead to “international chaos”.

“We’ll get what we all fear, which is to say a sort of permanent conflict where everyone is attacking everyone else”, he said.

The “nightmare scenario” would be “a sort of permanent war, between states and other organisations, which can be criminal and terrorist organisations, where everyone will attack each other, without really knowing who did what”, he said.

The “nightmare scenario” would be “a sort of permanent war, between states and other organisations, which can be criminal and terrorist organisations, where everyone will attack each other, without really knowing who did what”, he said.

Yeah, “a sort of permanent war, between states and other organisations, which can be criminal and terrorist organisations, where everyone will attack each other, without really knowing who did what” that sounds like quite a nightmare scenario.

But it’s a scenario that the US and German intelligence chiefs clearly do not fear. At least not when it comes to the contemporary wave of hacks blamed on Russia:


US and German intelligence chiefs have been more bold in their accusations.

Hans-Georg Maassen, the director of Germany’s BfV intelligence service, said in May that Kremlin-linked hackers had stolen information on German MPs in the run-up to the German election in September.

“We recognise this as a campaign being directed from Russia”, he said.

Alarmingly, Vladimir Putin also had a take on the situation that, if anything, made a bad situation much worse. First, he warned that the hacking attacks might in fact be the work of ‘patriotic’ independent Russian hackers who might wake up in the morning feeling patriotic and “start contributing, as they believe, to the justified fight against those speaking ill of Russia.”:


Its president, Vladimir Putin, told media in Moscow on Thursday: “We do not engage in this activity at the government level and are not going to engage in it”.

He warned at the same time that independent hackers might target the German or other EU elections for “patriotic” reasons if they felt leaders were “speaking ill of Russia”.

“Hackers are free people like artists. If artists get up in the morning feeling good, all they do all day is paint”, Putin said.

“The same goes for hackers. They got up today and read that something is going on internationally. If they are feeling patriotic they will start contributing, as they believe, to the justified fight against those speaking ill of Russia”.

“The same goes for hackers. They got up today and read that something is going on internationally. If they are feeling patriotic they will start contributing, as they believe, to the justified fight against those speaking ill of Russia”.

That was an absolutely insane comment for someone in Putin’s position to make publicly. Because while it is absolutely true that you could have ‘patriotic hackers’ doing all sorts of hacks, you don’t want national leaders encouraging and validating that. It’s the kind of comment that could easily be interpreted as an open invitation for Russian hackers to do exactly that, and an open invitation for any other hacker around the world to wage an “I’m a Russian hacker!” hacking campaign. It was a dumb comment on multiple levels.

And then Putin made the insane comment that, “I am deeply convinced that no hackers can have a real impact on an election campaign in another country.” And this was after the obviously significant impact the DNC hacks had on the 2016 campaign and the near-miss in the French election with faked documents. It wasn’t a good look:


With Macron having won despite the leaks, Putin said: “I am deeply convinced that no hackers can have a real impact on an election campaign in another country”.

Macron, at a meeting with Putin in Paris on Monday, said Russian state media tried to influence the vote with fake news, but Putin said on Thursday: “Nothing, no information can be imprinted in voters’ minds, in the minds of a nation, and influence the final outcome and the final result”.

So we have this remarkable situation where Western governments like the US and Germany have rejected the long-standing hesitancy in attributing cyber attacks, a hesitancy rooted in the inherent ambiguity of making these kinds of attributions. And Vladimir Putin was making a nonsense comment about hackers not being able to sway elections while he appeared to be egging hackers on and simultaneously making Russia an easier target for false flag attribution. In other words, we have leaders on both sides of this ‘cyber Cold War’ helping to make the situation ripe for exactly the kind of “international chaos” France’s cyber chief was warning about.

The Other Side of the “International Chaos” Coin

At the same time, let’s not forget that a status quo where cyberattribution is made very hesitantly, due to these ambiguities and the ability to wage false flag attacks, is potentially another form of “international chaos.” It is a situation where nations and private entities can effectively hack each other with relative impunity as long as they are reasonably competent in executing the hack without leaving self-implicating mistakes. In other words, the issue of how to address cyberattribution is one of those situations where there really is no ‘clean’ answer. Each approach has its own downsides.

For instance, imagine the NSA has secret intelligence that does actually allow it to confidently attribute a hack to Russia or China or Germany or whoever. But that evidence can’t be publicly revealed, and the evidence that can be publicly revealed, like the IP addresses used in the hack, is too ambiguous to make a solid attribution. What is the US government going to do in that situation? Especially if the hacks are very high-profile? Does it just throw its hands up and say, “oh well, we know it’s the Russians (or Chinese or Germans or whoever) pulling these hacks off, but we just can’t prove it”? Because that is an option. Another option is trying to address these topics on a government-to-government level and hoping it can get worked out that way. If that avenue doesn’t yield results, what’s a government going to do if it really can confidently make an attribution but can’t publicly reveal the evidence?

Or let’s consider another scenario: a government can’t conclusively prove who is behind a hack, but it’s pretty sure it knows who’s behind it given the circumstances. What’s a government going to do in that situation when the inherent ambiguities in cyberattribution basically make presenting a public case proving their suspicions impossible? Especially if the hacks keep coming? What’s a government going to do?

And then there’s the other obvious scenario: a government can’t conclusively prove who is behind a hack, but it really wants to pin it on a particular adversary, and the hackers just happened to make all sorts of ‘mistakes’ that could be interpreted as real digital evidence but could also easily be interpreted as intentionally placed false flag decoy mistakes. What’s a government going to do when it’s handed that kind of ‘gift’ if it happens in the middle of a wave of brazen hacks?

These kinds of scenarios are all totally feasible and probably playing out around the globe all the time: a hack happens, a government has suspicions and hunches, maybe even some intelligence suggesting that an adversary was probably behind it, but nothing can be conclusively proven based on the technical evidence. On one level, these are situations where a government can appear helpless, and that really is a kind of “international chaos” situation. So what does a government do in this case?

This is probably a good point to re-read the comments we saw above from John Hultquist, the director of cyberespionage analysis at FireEye, about the sudden change in Russian hacking behavior that started in 2014 following the conflict in Ukraine:


Mr. Hultquist noted that the attack was characterized by haste, and a trail of digital mistakes. “There was a time when Russian hackers were characterized by their lack of sloppiness,” Mr. Hultquist said. “When they made mistakes, they burned their entire operation and started anew. But since the invasion of Ukraine and Crimea,” he said, “we’ve seen them carry out brazen, large scale attacks,” perhaps because “there have been few consequences for their actions.”

We have the sudden change in ‘Russian hacker’ behavior, where tensions flare up between Russia and the West and then there are all sorts of “I’m a Russian hacker” attacks over and over, where the evidence might be spoofed by a third party but might also be intentionally left by the Russian hackers to achieve some sort of psychological warfare objective. And it’s possible the NSA has secret evidence tying all this back to actual Russian government hackers that it can’t reveal. Or maybe not, and the Western governments are merely ‘pretty sure’ it’s really a Russian government campaign and don’t want to let them ‘get away with it’.

So what’s the appropriate approach to a situation like this? Well, it turns out the current round of Western governments directly attributing these hacks to the Russian government is both historically very unusual and actually a reflection of a choice that was made at the government level and within the cybersecurity industry on how to address these situations: make public attribution a priority, because that’s seen as the best defense against future attacks. Yep, for the past 5 years or so, the cybersecurity industry has seen a revolution in how it treats cyberattribution based on a one-man campaign. And that man is Dmitri Alperovitch, the co-founder of CrowdStrike, the company that led the investigation of the 2016 DNC hack and made the initial ‘Russia did it’ attribution. As the following Esquire article about Alperovitch notes, making a public attribution directly blaming other nation states, and doing it fast and forcefully, used to be seen as heresy within the cybersecurity industry. But as Alperovitch saw it, that hesitancy of cybersecurity firms was only encouraging nation-state hacking groups, and the only solution was aggressive public attribution campaigns. And as the article makes clear, Alperovitch’s views won out, and the whole industry of cyberattribution has undergone a radical revolution:

Esquire

The Russian Expat Leading the Fight to Protect America

In a war against hackers, Dmitri Alperovitch and CrowdStrike are our special forces (and Putin’s worst nightmare).

By Vicky Ward
Oct 24, 2016

At six o’clock on the morning of May 6, Dmitri Alperovitch woke up in a Los Angeles hotel to an alarming email. Alperovitch is the thirty-six-year-old cofounder of the cybersecurity firm CrowdStrike, and late the previous night, his company had been asked by the Democratic National Committee to investigate a possible breach of its network. A CrowdStrike security expert had sent the DNC a proprietary software package, called Falcon, that monitors the networks of its clients in real time. Falcon “lit up,” the email said, within ten seconds of being installed at the DNC: Russia was in the network.

Alperovitch, a slight man with a sharp, quick demeanor, called the analyst who had emailed the report. “Are we sure it’s Russia?” he asked.

The analyst said there was no doubt. Falcon had detected malicious software, or malware, that was stealing data and sending it to the same servers that had been used in a 2015 attack on the German Bundestag. The code and techniques used against the DNC resembled those from earlier attacks on the White House and the State Department. The analyst, a former intelligence officer, told Alperovitch that Falcon had identified not one but two Russian intruders: Cozy Bear, a group CrowdStrike’s experts believed was affiliated with the FSB, Russia’s answer to the CIA; and Fancy Bear, which they had linked to the GRU, Russian military intelligence.

Alperovitch then called Shawn Henry, a tall, bald fifty-four-year-old former executive assistant director at the FBI who is now CrowdStrike’s president of services. Henry led a forensics team that retraced the hackers’ steps and pieced together the pathology of the breach. Over the next two weeks, they learned that Cozy Bear had been stealing emails from the DNC for more than a year. Fancy Bear, on the other hand, had been in the network for only a few weeks. Its target was the DNC research department, specifically the material that the committee was compiling on Donald Trump and other Republicans. Meanwhile, a CrowdStrike group called the Overwatch team used Falcon to monitor the hackers, a process known as shoulder-surfing.

Hacking, like domestic abuse, is a crime that tends to induce shame. Companies such as Yahoo usually publicize their breaches only when the law requires it. For this reason, Alperovitch says, he expected that the DNC, too, would want to keep quiet.

By the time of the hack, however, Donald Trump’s relationship to Russia had become an issue in the election. The DNC wanted to go public. At the committee’s request, Alperovitch and Henry briefed a reporter from The Washington Post about the attack. On June 14, soon after the Post story publicly linked Fancy Bear with the Russian GRU and Cozy Bear with the FSB for the first time, Alperovitch published a detailed blog post about the attacks.

Alperovitch told me he was thrilled that the DNC decided to publicize Russia’s involvement. “Having a client give us the ability to tell the full story” was a “milestone in the industry,” he says. “Not just highlighting a rogue nation-state’s actions but explaining what was taken and how and when. These stories are almost never told.”

In the five years since Alperovitch cofounded CrowdStrike, he and his company have played a critical role in the development of America’s cyberdefense policy. Frank Cilluffo, the former special assistant to the president for homeland security, likens Alperovitch to Paul Revere: “Dmitri, as an individual, has played a significant role in elevating cybersecurity policy not only inside the private sector but more generally.”

When I met Alperovitch in late September, at his open-plan offices outside Washington, D.C., he explained that CrowdStrike was created to take advantage of a simple but central lesson he’d learned about stopping hackers. It’s not enough, he says, to play defense with technology: “Otherwise the adversary will scale up and it becomes a game of numbers, which they will win.” Instead, attribution is crucial: First you need to identify the perpetrator, then you need to discover what motivates the crime, and finally—most important—you need to figure out how to fight back.

Before Alperovitch founded CrowdStrike, the idea that attribution ought to be a central defense against hackers was viewed as heresy. In 2011, he was working in Atlanta as the chief threat officer at the antivirus software firm McAfee. While sifting through server logs in his apartment one night, he discovered evidence of a hacking campaign by the Chinese government. Eventually he learned that the campaign had been going on undetected for five years, and that the Chinese had compromised at least seventy-one companies and organizations, including thirteen defense contractors, three electronics firms, and the International Olympic Committee.

That the Chinese government had been stealing information from the private sector was a shock to the security industry and to many U. S. officials. Almost no one thought that foreign governments used the Internet for anything other than old-fashioned espionage. “This was not spy versus spy,” says John Carlin, who was until recently the assistant attorney general for national security. The hacking was economic sabotage.

While Alperovitch was writing up his report on the breach, he received a call from Renee James, an executive at Intel, which had recently purchased McAfee. According to Alperovitch, James told him, “Dmitri, Intel has a lot of business in China. You cannot call out China in this report.”

Alperovitch removed the word China from his analysis, calling the operation Shady Rat instead. He told me that James’s intervention accelerated his plans to leave Intel. (James declined to comment.) He felt that he was “now being censored because I’m working for a company that’s not really an American company.”

Alperovitch and George Kurtz, a former colleague, founded CrowdStrike as a direct response. The cybersecurity industry at the time, Alperovitch says, was “terrified of losing their ability to market products in China.” Their new company would push the idea that hacking was a means, not an end. “We saw that no one’s really focused on the adversary,” Alperovitch told me. “No one’s focusing exclusively on how can we actually identify them, attribute them, deter them from taking this action again.” CrowdStrike’s tagline encapsulated its philosophy: “You don’t have a malware problem, you have an adversary problem.”

Alperovitch studied computer science at Georgia Tech and went on to work at an antispam software firm. There he met a striking dark-haired computer geek named Phyllis Schneck. As a teenager, Schneck once showed her father that she could hack into the company where he worked as an engineer. Appalled, Dr. Schneck made his daughter promise never to do something like that again.

Fighting email spam taught Alperovitch a second crucial lesson. He discovered that every time he blocked a server, the spammers deployed a hundred new servers to take its place. Alperovitch realized that defense was about psychology, not technology.

To better understand his adversaries, Alperovitch posed as a Russian gangster on spam discussion forums, an experience he wrote up in a series of reports. One day he returned from lunch to a voice mail telling him to call the FBI immediately. He was terrified. “I was not a citizen yet,” he told me.

As it happened, the bureau was interested in his work. The government was slowly waking up to the realization that the Internet was ripe for criminal exploitation: “the great price of the digital age,” in John Carlin’s words. In 2004, the bureau was hacked by Joseph Colon, a disgruntled IT consultant who gained “god-level” access to FBI files. Colon was eventually indicted, but his attack showed the government how vulnerable it was to cybercrime.

In 2005, Alperovitch flew to Pittsburgh to meet an FBI agent named Keith Mularski, who had been asked to lead an undercover operation against a vast Russian credit-card-theft syndicate. Mularski had no prior experience with the Internet; he relied on Alperovitch, whom he calls “a good guy and a friend,” to teach him how to get into the forum and speak the lingo. Mularski’s sting operation took two years, but it ultimately brought about fifty-six arrests.

Alperovitch’s first big break in cyberdefense came in 2010, while he was at McAfee. The head of cybersecurity at Google told Alperovitch that Gmail accounts belonging to human-rights activists in China had been breached. Google suspected the Chinese government. Alperovitch found that the breach was unprecedented in scale; it affected more than a dozen of McAfee’s clients.

Three days after his discovery, Alperovitch was on a plane to Washington. He’d been asked to vet a paragraph in a speech by the secretary of state, Hillary Clinton. She’d decided, for the first time, to call out another country for a cyberattack. “In an interconnected world,” she said, “an attack on one nation’s networks can be an attack on all.”

Despite Clinton’s announcement, Alperovitch believed that the government, paralyzed by bureaucracy and politics, was still moving too slowly. In 2014, Sony called in CrowdStrike to investigate a breach of its network. The company needed just two hours to identify North Korea as the adversary. Executives at Sony asked Alperovitch to go public with the information immediately, but it took the FBI another three weeks before it confirmed the attribution.

The delay still frustrates Alperovitch, who saw the long silence as a kind of disinformation. “Yesterday you had no idea. Today you’re 100 percent certain. It wasn’t credible.” From the perspective of the government, however, the handling of the Sony hack was a triumph. “In twenty-six days we figured out it was North Korea,” John Carlin told me. The attribution changed the focus, he said, from what Sony did wrong to how the government was going to respond to North Korea. As Phyllis Schneck, who now works at the Department of Homeland Security, told me, the government moves slowly because it cannot afford to be wrong: “Vendors like to be first. Government must be right.”

The government’s attitude toward attribution moved closer to Alperovitch’s in September 2015, in the run-up to a state visit by Chinese president Xi Jinping. A year earlier, five members of the Chinese People’s Liberation Army had been indicted by a grand jury in Pennsylvania for stealing economic secrets from the computers of U. S. firms in the nuclear, solar, and metals industries. Carlin told me that the indictments were meant as “a giant No Trespass sign: Get off our lawn.” But the indictment didn’t stop the hackers. Alperovitch went on television to call for a stronger response. In April 2015, after President Obama signed an executive order threatening sanctions against the Chinese, Alperovitch received a call from the White House. “You should be happy,” he was told. “You’re the one who’s been pushing for this.”

Six months later, just before the state visit, The Washington Post reported that the U. S. was considering making good on the executive order. A senior State Department official told me that Xi did not want to be embarrassed by an awkward visit. The Chinese sent over a negotiating team, and diplomats from both countries stayed up all night working out an agreement. During the state visit, Obama and Xi announced that “neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property” for the purpose of economic espionage. Since then, the Chinese burglaries have slowed dramatically.

The government’s reluctance to name the Russians as the authors of the DNC and DCCC hacks made Alperovitch feel that the lessons of the war game—call out your enemy and respond swiftly—had been wasted. He continued to be told by his friends in government that it was politically impossible for the United States to issue an official response to Russia. Some, especially in the State Department, argued that the United States needed Russia’s help in Syria and could not afford to ratchet up hostilities. Others said an attribution without a concrete response would be meaningless. Still others insisted that classified security concerns demanded consideration.

Alperovitch was deeply frustrated: He thought the government should tell the world what it knew. There is, of course, an element of the personal in his battle cry. “A lot of people who are born here don’t appreciate the freedoms we have, the opportunities we have, because they’ve never had it any other way,” he told me. “I have.”

The government’s hesitation was soon overtaken by events. During the first week of October, while Alperovitch was on a rare vacation, in Italy, Russia pulled out of an arms-reduction pact after being accused by the U. S. of bombing indiscriminately in Syria. The same day, the U. S. halted talks with Russia about a Syrian ceasefire. On October 7, two days before the second presidential debate, Alperovitch got a phone call from a senior government official alerting him that a statement identifying Russia as the sponsor of the DNC attack would soon be released. (The statement, from the office of the director of national intelligence and the Department of Homeland Security, appeared later that day.) Once again, Alperovitch was thanked for pushing the government along.

He got the news just after leaving the Sistine Chapel. “It kind of put things in perspective,” he told me. Though pleased, he wished the statement had warned that more leaks were likely. “It’s nice that you have the DHS and DNI jointly putting the statement out on a Friday night, but the president coming out and saying, ‘Mr. Putin, we know you’re doing this, we find it unacceptable, and you have to stop’ would be beneficial.”

Less than a week later, after WikiLeaks released another cache of hacked emails—this time from John Podesta, Hillary Clinton’s campaign chair—the White House announced that the president was considering a “proportional” response against Russia. Administration officials asked Alperovitch to attend a meeting to consider what to do. He was the only native Russian in the room. “You have to let them save face,” he told the group. “Escalation will not end well.”

———-

“The Russian Expat Leading the Fight to Protect America” by Vicky Ward; Esquire; 10/24/2016

“Alperovitch, a slight man with a sharp, quick demeanor, called the analyst who had emailed the report. “Are we sure it’s Russia?” he asked.”

That was reportedly Alperovitch’s initial response to the conclusion by his company’s analyst that Russia was behind the DNC hack: Are we sure it’s Russia? And that’s a very reasonable question to ask at that point. And note the analyst’s response: There was no doubt. Why? Because the malware used in the DNC hack was sending data back to the same servers used in the Bundestag hack of 2015 and the malware code was similar to earlier hacks:


The analyst said there was no doubt. Falcon had detected malicious software, or malware, that was stealing data and sending it to the same servers that had been used in a 2015 attack on the German Bundestag. The code and techniques used against the DNC resembled those from earlier attacks on the White House and the State Department. The analyst, a former intelligence officer, told Alperovitch that Falcon had identified not one but two Russian intruders: Cozy Bear, a group CrowdStrike’s experts believed was affiliated with the FSB, Russia’s answer to the CIA; and Fancy Bear, which they had linked to the GRU, Russian military intelligence.

So this is a good time to remind ourselves that the IP address found in the malware used in that DNC hack and the Bundestag hack was published in 2015, and Germany’s BfV issued a newsletter attributing that Bundestag hack to the Russian government in January of 2016, meaning it would have been incredibly brazen for Russian government hackers to execute a hack using the same command & control server with the same IP address unless Russia wanted to get caught. But from CrowdStrike’s perspective, this was the kind of ‘digital fingerprint’ that could lead to a conclusion with “no doubt.”
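As an added illustration of that point (this is not code from the post, from CrowdStrike, or from any vendor), here is a small Python scorer that down-weights an indicator match when the indicator was publicly documented before the intrusion, since anything already public can be reproduced by a third party, deliberately or by chance. The IP value, the exact dates and the weights are constructed placeholders; only the facts that the address was published in 2015 and that the BfV attribution came in January 2016 are taken from the post.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

@dataclass
class Indicator:
    kind: str                     # e.g. "c2_ip", "code_overlap", "tradecraft"
    value: str                    # constructed placeholder, never a real IoC
    first_public: Optional[date]  # earliest public documentation, None if never published
    prior_attribution: Optional[str] = None  # who public reporting already tied it to

def weigh_indicator(ind: Indicator, intrusion_start: date) -> Tuple[float, str]:
    """Return (weight in [0, 1], rationale) for one matched indicator.

    The rule encoded here is the post's argument: an indicator that was public
    before the intrusion began could have been copied by anyone, so it carries
    little attributive weight on its own. Weights are assumed, not calibrated.
    """
    if ind.first_public is None or ind.first_public >= intrusion_start:
        return 1.0, f"{ind.kind} {ind.value}: not public before intrusion; strong unless leaked"
    lead_days = (intrusion_start - ind.first_public).days
    rationale = f"{ind.kind} {ind.value}: public {lead_days} days before intrusion; reproducible by third parties"
    if ind.prior_attribution:
        # Reuse of something already pinned on a named actor is exactly what a decoy would reuse.
        return 0.1, rationale + f"; already attributed to {ind.prior_attribution}, consistent with a decoy"
    return 0.2, rationale

def assess(indicators: List[Indicator], intrusion_start: date) -> Tuple[str, float, List[str]]:
    """Average the weights and map to a confidence tier; returns (tier, score, rationales)."""
    weighed = [weigh_indicator(i, intrusion_start) for i in indicators]
    score = sum(w for w, _ in weighed) / len(weighed)
    tier = "high" if score >= 0.75 else "moderate" if score >= 0.4 else "low"
    return tier, score, [r for _, r in weighed]

# Constructed scenario modelled on the post: the C2 address was published in 2015 and
# attributed by the BfV in January 2016; the intrusion window here is an assumed date.
DNC_STYLE_INDICATORS = [
    Indicator("c2_ip", "203.0.113.5", date(2015, 6, 1), "Russian government (BfV newsletter, Jan 2016)"),
    Indicator("code_overlap", "toolkit seen in earlier publicly reported intrusions", date(2015, 1, 1)),
]
ASSUMED_INTRUSION_START = date(2016, 4, 1)

def assess_dnc_style_scenario() -> Tuple[str, float, List[str]]:
    return assess(DNC_STYLE_INDICATORS, ASSUMED_INTRUSION_START)

if __name__ == "__main__":
    tier, score, notes = assess_dnc_style_scenario()
    print(f"tier={tier} score={score:.2f}")
    for n in notes:
        print(" -", n)
```

Adding a single indicator that was never public (for example operator tradecraft observed live on the network) lifts the same scenario to "moderate", which is the kind of non-public evidence the post says an agency might hold but be unable to release.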

And as the rest of the article makes clear, arriving at a culprit for cyber attacks and then making a very public complaint about the attack is at the heart of the strategy that Alperovitch has been advocating for years. And advocating with great success:


Alperovitch told me he was thrilled that the DNC decided to publicize Russia’s involvement. “Having a client give us the ability to tell the full story” was a “milestone in the industry,” he says. “Not just highlighting a rogue nation-state’s actions but explaining what was taken and how and when. These stories are almost never told.”

In the five years since Alperovitch cofounded CrowdStrike, he and his company have played a critical role in the development of America’s cyberdefense policy. Frank Cilluffo, the former special assistant to the president for homeland security, likens Alperovitch to Paul Revere: “Dmitri, as an individual, has played a significant role in elevating cybersecurity policy not only inside the private sector but more generally.”

When I met Alperovitch in late September, at his open-plan offices outside Washington, D.C., he explained that CrowdStrike was created to take advantage of a simple but central lesson he’d learned about stopping hackers. It’s not enough, he says, to play defense with technology: “Otherwise the adversary will scale up and it becomes a game of numbers, which they will win.” Instead, attribution is crucial: First you need to identify the perpetrator, then you need to discover what motivates the crime, and finally—most important—you need to figure out how to fight back.

“It’s not enough, he says, to play defense with technology: “Otherwise the adversary will scale up and it becomes a game of numbers, which they will win.” Instead, attribution is crucial: First you need to identify the perpetrator, then you need to discover what motivates the crime, and finally—most important—you need to figure out how to fight back.”

That’s Alperovitch’s philosophy: You can’t simply deal with hacking by playing defense. You have to play offense, and that requires public attribution. And it’s a philosophy that was viewed as heresy in the cybersecurity industry not too long ago. The article characterizes this industry disposition as being in part due to concerns within the industry about losing clients in the nations they publicly attribute an attack to, but it seems like the inherent ambiguity in making these attributions would have also been a factor in why that was viewed as heresy. Either way, CrowdStrike was formed in response to this industry bias against public attribution of hacks to other governments:


Before Alperovitch founded CrowdStrike, the idea that attribution ought to be a central defense against hackers was viewed as heresy. In 2011, he was working in Atlanta as the chief threat officer at the antivirus software firm McAfee. While sifting through server logs in his apartment one night, he discovered evidence of a hacking campaign by the Chinese government. Eventually he learned that the campaign had been going on undetected for five years, and that the Chinese had compromised at least seventy-one companies and organizations, including thirteen defense contractors, three electronics firms, and the International Olympic Committee.

That the Chinese government had been stealing information from the private sector was a shock to the security industry and to many U. S. officials. Almost no one thought that foreign governments used the Internet for anything other than old-fashioned espionage. “This was not spy versus spy,” says John Carlin, who was until recently the assistant attorney general for national security. The hacking was economic sabotage.

While Alperovitch was writing up his report on the breach, he received a call from Renee James, an executive at Intel, which had recently purchased McAfee. According to Alperovitch, James told him, “Dmitri, Intel has a lot of business in China. You cannot call out China in this report.”

Alperovitch removed the word China from his analysis, calling the operation Shady Rat instead. He told me that James’s intervention accelerated his plans to leave Intel. (James declined to comment.) He felt that he was “now being censored because I’m working for a company that’s not really an American company.”

Alperovitch and George Kurtz, a former colleague, founded CrowdStrike as a direct response. The cybersecurity industry at the time, Alperovitch says, was “terrified of losing their ability to market products in China.” Their new company would push the idea that hacking was a means, not an end. “We saw that no one’s really focused on the adversary,” Alperovitch told me. “No one’s focusing exclusively on how can we actually identify them, attribute them, deter them from taking this action again.” CrowdStrike’s tagline encapsulated its philosophy: “You don’t have a malware problem, you have an adversary problem.”

“”No one’s focusing exclusively on how can we actually identify them, attribute them, deter them from taking this action again.” CrowdStrike’s tagline encapsulated its philosophy: “You don’t have a malware problem, you have an adversary problem.””

And that encapsulates much of CrowdStrike’s approach to stopping hacks:

Step 1. Determine a culprit.

Step 2. Make a big public stink about it.

And this approach appears to have been shaped by a conclusion Alperovitch arrived at while working at an antispam software firm, where he met his future CrowdStrike partner Phyllis Schneck: cyber defense was about psychology, not technology:


Alperovitch studied computer science at Georgia Tech and went on to work at an antispam software firm. There he met a striking dark-haired computer geek named Phyllis Schneck. As a teenager, Schneck once showed her father that she could hack into the company where he worked as an engineer. Appalled, Dr. Schneck made his daughter promise never to do something like that again.

Fighting email spam taught Alperovitch a second crucial lesson. He discovered that every time he blocked a server, the spammers deployed a hundred new servers to take its place. Alperovitch realized that defense was about psychology, not technology.

And that psychological strategy is part of why making a public attribution is so important, according to this strategy. From Alperovitch’s perspective, intimidating your cyber adversary is basically the only realistic way to stop the hacks.

It’s a strategy that he first employed in 2010, when his analysis was used by the US government to publicly accuse China of cyber attacks on Google Gmail accounts. The strategy was used again in 2014 to attribute the Sony hacks to North Korea, and in 2015 once again against China. And that 2015 attribution against China, which included the threat of an executive order by President Obama that would punish China over the hacks, apparently resulted in a bilateral agreement where “neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property” for the purpose of economic espionage. Chinese cyber burglaries have slowed dramatically since then:


Alperovitch’s first big break in cyberdefense came in 2010, while he was at McAfee. The head of cybersecurity at Google told Alperovitch that Gmail accounts belonging to human-rights activists in China had been breached. Google suspected the Chinese government. Alperovitch found that the breach was unprecedented in scale; it affected more than a dozen of McAfee’s clients.

Three days after his discovery, Alperovitch was on a plane to Washington. He’d been asked to vet a paragraph in a speech by the secretary of state, Hillary Clinton. She’d decided, for the first time, to call out another country for a cyberattack. “In an interconnected world,” she said, “an attack on one nation’s networks can be an attack on all.”

Despite Clinton’s announcement, Alperovitch believed that the government, paralyzed by bureaucracy and politics, was still moving too slowly. In 2014, Sony called in CrowdStrike to investigate a breach of its network. The company needed just two hours to identify North Korea as the adversary. Executives at Sony asked Alperovitch to go public with the information immediately, but it took the FBI another three weeks before it confirmed the attribution.

The delay still frustrates Alperovitch, who saw the long silence as a kind of disinformation. “Yesterday you had no idea. Today you’re 100 percent certain. It wasn’t credible.” From the perspective of the government, however, the handling of the Sony hack was a triumph. “In twenty-six days we figured out it was North Korea,” John Carlin told me. The attribution changed the focus, he said, from what Sony did wrong to how the government was going to respond to North Korea. As Phyllis Schneck, who now works at the Department of Homeland Security, told me, the government moves slowly because it cannot afford to be wrong: “Vendors like to be first. Government must be right.”

The government’s attitude toward attribution moved closer to Alperovitch’s in September 2015, in the run-up to a state visit by Chinese president Xi Jinping. A year earlier, five members of the Chinese People’s Liberation Army had been indicted by a grand jury in Pennsylvania for stealing economic secrets from the computers of U. S. firms in the nuclear, solar, and metals industries. Carlin told me that the indictments were meant as “a giant No Trespass sign: Get off our lawn.” But the indictment didn’t stop the hackers. Alperovitch went on television to call for a stronger response. In April 2015, after President Obama signed an executive order threatening sanctions against the Chinese, Alperovitch received a call from the White House. “You should be happy,” he was told. “You’re the one who’s been pushing for this.”

Six months later, just before the state visit, The Washington Post reported that the U. S. was considering making good on the executive order. A senior State Department official told me that Xi did not want to be embarrassed by an awkward visit. The Chinese sent over a negotiating team, and diplomats from both countries stayed up all night working out an agreement. During the state visit, Obama and Xi announced that “neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property” for the purpose of economic espionage. Since then, the Chinese burglaries have slowed dramatically.

So that all sounds like a great success for Alperovitch’s public attribution strategy, right? A bilateral agreement with China that dramatically slowed Chinese cyber burglaries is quite an achievement.

Except, of course, there’s a rather significant problem with this approach, and it relates directly to the warnings by France’s cyber security chief about “international chaos” from false flags: what if the dramatic slowdown in Chinese cyber burglaries merely reflects a shift in strategy by Chinese hackers to make their hacks look like, say, Russian hackers? Or American hackers? Why isn’t this ‘new normal’ of aggressively making public attributions exactly the kind of ‘defensive’ tactic that makes false flag attacks even more tempting? And why wouldn’t third parties who want to sow chaos, like neo-Nazi hackers, LOVE this new attribution paradigm?

And note the comment from Alperovitch’s former CrowdStrike partner, Phyllis Schneck, now at DHS, about the cybersecurity industry’s predilection for “being first” with an attribution:


The delay still frustrates Alperovitch, who saw the long silence as a kind of disinformation. “Yesterday you had no idea. Today you’re 100 percent certain. It wasn’t credible.” From the perspective of the government, however, the handling of the Sony hack was a triumph. “In twenty-six days we figured out it was North Korea,” John Carlin told me. The attribution changed the focus, he said, from what Sony did wrong to how the government was going to respond to North Korea. As Phyllis Schneck, who now works at the Department of Homeland Security, told me, the government moves slowly because it cannot afford to be wrong: “Vendors like to be first. Government must be right.”

“Vendors like to be first. Government must be right.”

In other words, market forces have now been unleashed that encourage the cybersecurity industry to rush to attribution conclusions. After all, think about the incredible free advertising Trend Micro got for its report linking the US Senate phishing sites to the Macron hacks. The profit motive encourages this. Isn’t that wildly dangerous when those rushed attributions have geo-strategic implications? It sure sounds like a recipe for “international chaos”.

Still, let’s keep in mind that a world where Chinese government hackers can pilfer intellectual property with impunity and North Korea can attack corporations over movies it doesn’t like is another form of “international chaos”. Probably not nearly as chaotic as a world where conflicts break out as a result of cyber attacks and false flag campaigns, but still a very non-ideal situation.

What’s the Cybersecurity Industry’s Secret to Cyber Attribution? Pattern Recognition. Hopefully Perfect Pattern Recognition (Because Otherwise it’s International Chaos)

So what’s the cybersecurity industry’s response to criticism that this new aggressive approach to attribution is vulnerable to false flag attacks and incorrect attributions? Well, according to an article that describes the techniques the industry uses to arrive at its conclusions, the industry responds that false flag attacks just aren’t feasible because hackers make mistakes that reveal their true origin. Yep, that’s the response.

And this response comes in an article that describes the primary technique for attribution as “pattern recognition”: looking at a hack’s ‘digital fingerprints’ and comparing them to past attacks. If you think about it, if you’re a hacker and the digital fingerprints in your hacks allow analysts to trace your work back to previous attacks, that’s a mistake. Recall the comments from FireEye’s analyst about how the Russian hackers used to completely burn their digital infrastructure after getting caught (and then mysteriously stopped doing that around 2014). High quality government hackers shouldn’t be leaving an extensive trail of reused digital fingerprints. They apparently used to be able to operate without making so many conspicuous mistakes. And yet the cybersecurity industry is predicating its attributions on detecting the mistakes hackers make, and on the deep conviction that hackers always make such mistakes and that those mistakes can support high confidence attributions. Which seems like a massive mistake:

CNET

How US cybersleuths decided Russia hacked the DNC

Digital clues led security pros to agencies in Putin’s government. It’s as close as we’ll ever get to proof that Russia did it.

by Laura Hautala

May 3, 2017 9:13 AM PDT

It was a bombshell.

Operatives from two Russian spy agencies had infiltrated computers of the Democratic National Committee, months before the US national election.

One agency — nicknamed Cozy Bear by cybersecurity company CrowdStrike — used a tool that was “ingenious in its simplicity and power” to insert malicious code into the DNC’s computers, CrowdStrike’s Chief Technology Officer Dmitri Alperovitch wrote in a June blog post. The other group, nicknamed Fancy Bear, remotely grabbed control of the DNC’s computers.

By October, the Department of Homeland Security and the Office of the Director of National Intelligence on Election Security agreed that Russia was behind the DNC hack. On Dec. 29, those agencies, together with the FBI, again agreed that Russia was responsible.

And a week later, the Office of the Director of National Intelligence summarized its findings (PDF) in a declassified (read: scrubbed) report. Even President Donald Trump acknowledged, “It was Russia,” a few days later — although he told “Face the Nation” earlier this week it “could’ve been China.”

We’ll probably never really find out what the US intelligence community or CrowdStrike know or how they know it. This is what we do know:

CrowdStrike and other cyberdetectives had spotted tools and approaches they’d seen Cozy Bear and Fancy Bear use for years. Cozy Bear is believed to be either Russia’s Federal Security Service, known as the FSB, or its Foreign Intelligence Service, the SVR. Fancy Bear is thought to be Russia’s military intel agency, GRU.

It was the payoff of a long game of pattern recognition — piecing together hacker groups’ favorite modes of attack, sussing out the time of day they’re most active (hinting at their locations) and finding signs of their native language and the internet addresses they use to send or receive files.

“You just start to weigh all these factors until you get near 100 percent certainty,” says Dave DeWalt, former CEO of McAfee and FireEye, who now sits on the boards of five security companies. “It’s like having enough fingerprints in the system.”

Watching the cyberdetectives

CrowdStrike put that knowledge to use in April, when the DNC’s leadership called in its digital forensics experts and custom software — which spots when someone takes control of network accounts, installs malware or steals files — to find out who was mucking around in their systems, and why.

“Within minutes, we were able to detect it,” Alperovitch said in an interview the day the DNC revealed the break-in. CrowdStrike found other clues within 24 hours, he said.

Those clues included small fragments of code called PowerShell commands. A PowerShell command is like a Russian nesting doll in reverse. Start with the smallest doll, and that’s the PowerShell code. It’s only a single string of seemingly meaningless numbers and letters. Open it up, though, and out jumps a larger module that, in theory at least, “can do virtually anything on the victim system,” Alperovitch wrote.

One of the PowerShell modules inside the DNC system connected to a remote server and downloaded more PowerShells, adding more nesting dolls to the DNC network. Another opened and installed MimiKatz, malicious code for stealing login information. That gave hackers a free pass to move from one part of the DNC’s network to another by logging in with valid usernames and passwords. These were Cozy Bear’s weapons of choice.

Fancy Bear used tools known as X-Agent and X-Tunnel to remotely access and control the DNC network, steal passwords and transfer files. Other tools let them wipe away their footprints from network logs.

CrowdStrike had seen this pattern many times before.

“You could never go into the DNC as a single event and come up with that [conclusion],” said Robert M. Lee, CEO of cybersecurity firm Dragos.

Pattern recognition

Alperovitch compares his work to that of Johnny Utah, the character Keanu Reeves played in the 1991 surfing-bank-heist flick “Point Break.” In the movie, Utah identified the mastermind of a robbery by looking at habits and methods. “He’s already analyzed 15 bank robbers. He can say, ‘I know who this is,'” Alperovitch said in an interview in February.

“The same thing applies to cybersecurity,” he said.

One of those tells is consistency. “The people behind the keyboards, they don’t change that much,” said DeWalt. He thinks nation-state hackers tend to be careerists, working in either the military or intelligence operations.

Pattern recognition is how Mandiant, owned by FireEye, figured out that North Korea broke into Sony Pictures’ networks.

The government stole Social Security numbers from 47,000 employees and leaked embarrassing internal documents and emails. That’s because the Sony attackers left behind a favorite hacking tool that wiped, and then wrote over, hard drives. The cybersecurity industry had previously traced that tool to North Korea, which had been using it for at least four years, including in a massive campaign against South Korean banks the year before.

It’s also how researchers from McAfee figured out Chinese hackers were behind Operation Aurora in 2009, when hackers accessed the Gmail accounts of Chinese human rights activists and stole source code from more than 150 companies, according to DeWalt, who was CEO of McAfee at the time of the investigation. Investigators found malware written in Mandarin, code that had been compiled in a Chinese operating system and time-stamped in a Chinese time zone, and other clues investigators had previously seen in attacks originating from China, DeWalt said.

Tell us more

One of the most common complaints about the evidence CrowdStrike presented is that the clues could have been faked: Hackers could have used Russian tools, worked during Russian business hours and left bits of Russian language behind in malware found on DNC computers.

It doesn’t help that, almost as soon as the DNC revealed it had been hacked, someone calling himself Guccifer 2.0 and claiming to be Romanian took credit as the sole hacker penetrating the political party’s network.

That set off a seemingly endless debate about who did what, even as additional hacks of former Hillary Clinton campaign chairman John Podesta and others led to more leaked emails.

Cybersecurity experts say it would be too difficult for hackers to consistently make it look like an attack was coming from a different group of hackers. One mistake could blow their cover.

Critics probably won’t be getting definitive answers anytime soon, since neither CrowdStrike nor US intelligence agencies plan to provide more details to the public, “as the release of such information would reveal sensitive sources or methods and imperil the ability to collect critical foreign intelligence in the future,” the Office of the Director of National Intelligence said in its report.

“The declassified report does not and cannot include the full supporting information, including specific intelligence and sources and methods.”

The debate has taken Alperovitch by surprise.

“Our industry has been doing attribution for 30 years,” although such work has focused on criminal activity, he said. “The minute it went out of cybercrime, it became controversial.”

———-

“How US cybersleuths decided Russia hacked the DNC” by Laura Hautala; CNET; 05/03/2017
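The “nesting doll” the CNET piece describes is, in practice, PowerShell’s -EncodedCommand mechanism: the “single string of seemingly meaningless numbers and letters” is base64 over UTF-16LE text, and the decoded text can itself launch another encoded command, which is how one small string expands into a larger module. The decoder below is an added example (not code from the CNET article, from CrowdStrike, or from any sample the article discusses) that peels those layers so an analyst can read each stage. The command it unwraps is constructed and harmless; only the encoding scheme is real.

```python
import base64
import binascii
import re

# Matches `-e`, `-ec`, `-enc`, `-encodedcommand` (PowerShell accepts any unambiguous prefix)
# followed by a base64 argument. Case-insensitive, like PowerShell's parameter binding.
ENCODED_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_layer(b64: str) -> str:
    """One layer: -EncodedCommand takes base64 of the script as UTF-16LE text."""
    return base64.b64decode(b64, validate=True).decode("utf-16-le")


def unwrap(command: str, max_depth: int = 16) -> list[str]:
    """Return every stage, outermost first, until a stage carries no encoded command.

    Stops early on malformed base64 or non-UTF-16 content instead of raising,
    so a partial result is still returned for the analyst to inspect.
    """
    stages = [command]
    current = command
    for _ in range(max_depth):
        match = ENCODED_FLAG.search(current)
        if not match:
            break
        try:
            current = decode_layer(match.group(1))
        except (binascii.Error, UnicodeDecodeError):
            break
        stages.append(current)
    return stages


def wrap(script: str, depth: int) -> str:
    """Constructed test input: wrap a script `depth` times the way a dropper would."""
    current = script
    for _ in range(depth):
        b64 = base64.b64encode(current.encode("utf-16-le")).decode("ascii")
        current = f"powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand {b64}"
    return current


if __name__ == "__main__":
    # Harmless constructed payload; a real sample would fetch or run further stages here.
    sample = wrap("Write-Output 'stage 2 would run here'", 2)
    for depth, stage in enumerate(unwrap(sample)):
        print(f"[stage {depth}] {stage[:80]}")
```

Two things worth noting for triage: the innermost stage is where the real behavior lives (the outer layers are just launchers), and the regex only finds the flag, so a stage that builds its payload some other way (string concatenation, compression, a download) ends the unwrap and must be read by hand.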

Alperovitch compares his work to that of Johnny Utah, the character Keanu Reeves played in the 1991 surfing-bank-heist flick “Point Break.” In the movie, Utah identified the mastermind of a robbery by looking at habits and methods. “He’s already analyzed 15 bank robbers. He can say, ‘I know who this is,’” Alperovitch said in an interview in February.

Yep, Dmitri Alperovitch compares his work to a Keanu Reeves movie character who can just look at the evidence left at a robbery and deduce who did it. That’s the underlying technique at work. And while that’s a perfectly reasonable technique for making a cautious guess about the culprits, it’s apparently being treated as a technique that allows for near 100 percent certainty:


CrowdStrike and other cyberdetectives had spotted tools and approaches they’d seen Cozy Bear and Fancy Bear use for years. Cozy Bear is believed to be either Russia’s Federal Security Service, known as the FSB, or its Foreign Intelligence Service, the SVR. Fancy Bear is thought to be Russia’s military intel agency, GRU.

It was the payoff of a long game of pattern recognition — piecing together hacker groups’ favorite modes of attack, sussing out the time of day they’re most active (hinting at their locations) and finding signs of their native language and the internet addresses they use to send or receive files.

“You just start to weigh all these factors until you get near 100 percent certainty,” says Dave DeWalt, former CEO of McAfee and FireEye, who now sits on the boards of five security companies. “It’s like having enough fingerprints in the system.”

“You just start to weigh all these factors until you get near 100 percent certainty”

Pattern recognition leading to near 100 percent certainty. And as we saw with the Trend Micro report, 99 to 100 percent certainty is indeed something the industry is arriving at with these very consequential attributions.

And this pattern recognition technique is partially predicated on the assumption that hackers don’t actually change their methods very much. Even government hackers:


One of those tells is consistency. “The people behind the keyboards, they don’t change that much,” said DeWalt. He thinks nation-state hackers tend to be careerists, working in either the military or intelligence operations.

So is it true that careerist government hackers tend to be consistent and don’t really bother switching up their techniques and ‘digital fingerprints’? If so, yes, that would allow pattern recognition to be used for attribution…except for the fact that government hackers behaving consistently makes them easy marks for a false flag attack. How is this not recognized?!

Also note that even if government hackers are consistent in their methods, that might not matter if they consistently use malware and server hosting companies that other hackers also use, leaving ambiguous digital fingerprints. The consistency might also not matter if they consistently run their hacks by impersonating other hacking groups, although the cybersecurity industry appears to think that would be impossible for a government hacking group to do consistently without accidentally blowing its cover. Which, again, is an odd assumption to make.

What’s the industry response to these kinds of concerns? Don’t worry about false flags, because the hackers will make mistakes that reveal themselves:


Tell us more

One of the most common complaints about the evidence CrowdStrike presented is that the clues could have been faked: Hackers could have used Russian tools, worked during Russian business hours and left bits of Russian language behind in malware found on DNC computers.

Cybersecurity experts say it would be too difficult for hackers to consistently make it look like an attack was coming from a different group of hackers. One mistake could blow their cover.

“Cybersecurity experts say it would be too difficult for hackers to consistently make it look like an attack was coming from a different group of hackers.”

WHAT?!! How is such a conclusion arrived at?

Now, it’s true that the longer a third party tries to impersonate another hacking group, the more likely they are to make a mistake. There’s just more opportunity for mistakes when false flag attacks are attempted consistently. But what about an inconsistent attempt? Like just one or a few? Would that be very difficult?

Also keep in mind that if a false flag attack is successful and cybersecurity researchers fall for the trick, that false flag group’s mode of operation becomes the evidence used for future attributions. In other words, this “pattern recognition” technique is only as good as the quality of the past attributions. For all we know, a huge chunk of the past hacks attributed by the cybersecurity industry to Russia or China or any other country could be misattributed, and the digital paper trail is a mix of tracks left by actual Russian and Chinese government hackers plus a bunch of false flag third parties. There’s no basis for ruling this out unless the 5-Eyes have far, far more information about who is hacking whom than they let on.

For instance, look at some of the evidence used to attribute attacks to the Chinese government: Mandarin in the code, compilation on a Chinese operating system, and compile timestamps in a Chinese time zone:


It’s also how researchers from McAfee figured out Chinese hackers were behind Operation Aurora in 2009, when hackers accessed the Gmail accounts of Chinese human rights activists and stole source code from more than 150 companies, according to DeWalt, who was CEO of McAfee at the time of the investigation. Investigators found malware written in Mandarin, code that had been compiled in a Chinese operating system and time-stamped in a Chinese time zone, and other clues investigators had previously seen in attacks originating from China, DeWalt said.

Now, on the one hand, those sure seem like the signs of a Chinese hacker. On the other hand, if you were a skilled non-Chinese hacker who didn’t want to be a suspect and decided to pretend to be a Chinese hacker, wouldn’t those be exactly the kinds of ‘digital fingerprints’ you would try to leave?

And while the hacks on Chinese human rights activists seem like the kind of target Chinese hackers would specifically be interested in, the source code from those 150 companies seems like the kind of thing all sorts of parties would be interested in. So if you were, say, Russian or Brazilian hackers with an interest in hacking those companies, you might wage that campaign with Chinese ‘digital fingerprints’ and then target some Chinese human rights activists to lend credence to it. Do skilled professional hackers do such things? Who knows, but getting caught stealing source code from 150 companies seems like the kind of thing a hacking group would really, really, really not want to get caught doing, whether it’s a Chinese hacking group, any other hacking group, or a lone hacker. So we can’t rule the possibility out. And yes, this is very unfortunate, because that’s the kind of ambiguity that encourages “international chaos” on some level, but it is what it is.
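To make concrete how thin the indicators quoted above are, here is an added example (my own illustration, not code from McAfee, CrowdStrike, CNET or any vendor). It treats the compile time zone, the language strings, the reused tooling and the reused infrastructure as a checklist, the way the “weigh all these factors until you get near 100 percent certainty” description suggests, and then shows that every item is a value the attacker writes: the “compile time” is four bytes in the PE header that can be rewritten in place, the strings are whatever the author types, and the hosts are rented or deliberately reused. The group profile, the markers and the addresses are hypothetical, and the PE image is a constructed header-only stub.

```python
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# --- The "compile time" is IMAGE_FILE_HEADER.TimeDateStamp: 4 bytes anyone can set --------

def read_pe_timestamp(pe: bytes) -> int:
    """Seconds since the Unix epoch, as recorded by the linker (or by whoever edited it)."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    return struct.unpack_from("<I", pe, e_lfanew + 8)[0]      # COFF header, offset 4


def write_pe_timestamp(pe: bytes, ts: int) -> bytes:
    """Copy of the image with only TimeDateStamp changed; no rebuild or recompile needed."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    buf = bytearray(pe)
    struct.pack_into("<I", buf, e_lfanew + 8, ts)
    return bytes(buf)


def minimal_pe(ts: int) -> bytes:
    """Constructed header-only stub (not loadable): DOS header, PE signature, COFF header."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                     # e_lfanew: right after DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, 0, ts, 0, 0, 0, 0x0022)
    return bytes(dos) + b"PE\0\0" + coff


def local_hour(ts: int, utc_offset_hours: int) -> int:
    """Hour of day the timestamp falls on in a candidate working time zone."""
    return datetime.fromtimestamp(ts, timezone(timedelta(hours=utc_offset_hours))).hour


# --- A checklist scorer in the spirit of "weigh all these factors" ------------------------

@dataclass(frozen=True)
class Profile:
    """Hypothetical tracked-group profile built from earlier, already-attributed samples."""
    name: str
    utc_offset_hours: int
    language_markers: tuple
    tooling_markers: tuple
    infrastructure: frozenset


@dataclass(frozen=True)
class Sample:
    pe: bytes
    strings: tuple
    c2_hosts: frozenset


def score(sample: Sample, profile: Profile) -> dict:
    hour = local_hour(read_pe_timestamp(sample.pe), profile.utc_offset_hours)
    hits = {
        "work_hours": 9 <= hour <= 18,
        "language": any(m in s for s in sample.strings for m in profile.language_markers),
        "tooling": any(m in s for s in sample.strings for m in profile.tooling_markers),
        "infrastructure": bool(sample.c2_hosts & profile.infrastructure),
    }
    hits["confidence"] = sum(hits.values()) / len(hits)
    return hits


def plant_indicators(sample: Sample, profile: Profile) -> Sample:
    """Produce a sample that matches `profile` on every axis the scorer checks."""
    tz = timezone(timedelta(hours=profile.utc_offset_hours))
    office_hours = datetime(2016, 6, 14, 11, 0, tzinfo=tz)     # a Tuesday, late morning
    return Sample(
        pe=write_pe_timestamp(sample.pe, int(office_hours.timestamp())),
        strings=sample.strings + (profile.language_markers[0], profile.tooling_markers[0]),
        c2_hosts=sample.c2_hosts | {sorted(profile.infrastructure)[0]},
    )


# Hypothetical profile: a group believed to work at UTC+3, leave Russian-language strings,
# reuse a mutex name and reuse one host. Addresses are RFC 5737 documentation ranges.
PROFILE = Profile(
    name="hypothetical-bear",
    utc_offset_hours=3,
    language_markers=("Ошибка",),
    tooling_markers=("Global\\hypothetical_mutex_01",),
    infrastructure=frozenset({"198.51.100.7"}),
)

# Constructed unknown sample: compiled at 00:00 UTC (03:00 at UTC+3), no shared markers.
UNKNOWN = Sample(
    pe=minimal_pe(int(datetime(2016, 6, 14, 0, 0, tzinfo=timezone.utc).timestamp())),
    strings=("GetProcAddress", "kernel32.dll"),
    c2_hosts=frozenset({"203.0.113.9"}),
)

if __name__ == "__main__":
    print("as found:   ", score(UNKNOWN, PROFILE))
    print("after plant:", score(plant_indicators(UNKNOWN, PROFILE), PROFILE))
```

Run as is, the unknown sample scores zero against the profile and the planted copy scores a full four out of four, with no change to what the binary does. That is the whole problem in miniature: the scorer cannot tell a careerist who never changes habits from someone who read the last vendor report and copied them, and a profile built from a successful false flag will keep matching the next one.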

At the same time, let’s remember that it’s entirely possible the NSA and 5-Eyes really do have much more information on who is carrying out various hacks, perhaps by storing almost all internet traffic and decrypting it, but can’t reveal it, and that shoddy public attribution cases are made to provide public cover for an attribution that was really made with evidence they can’t reveal. So would it make everything OK if the cybersecurity industry standardizes ‘pattern recognition’ as the gold standard for conclusive attribution, as long as it is really just acting as a proxy for attributions made by the NSA or some other government agency with access to secret evidence it can’t reveal? Well, that seems like a massive risk, because once that attribution standard is established it’s going to be usable by all sorts of companies and governments for whatever reasons they choose. Heck, you could have governments hack themselves and frame an adversary simply by leaving a bunch of ‘digital fingerprints’. For all we know that’s already happening.

And that’s why making attribution the key to cyber defense is such a risky ‘new normal’. The exploitation of the weaknesses in the “pattern recognition” approach to hacks is the ultimate weapon for “international chaos”.

Sure, the ‘old normal’ of refraining from attribution when the evidence is ambiguous is also a recipe for “international chaos”, in the form of lots of hacking that’s difficult to stop. But when you compare that kind of ‘chaos’ to the risk of international conflicts getting sparked by something like a false flag election hack, it seems like the ‘old normal’ should be the preferred ‘normal’. This ‘new normal’ is pretty scary.

And yet, when you read the final comments from Alperovitch in the above article, he expresses surprise that there’s been so much debate over whether his “pattern recognition” approach to attribution is appropriate for attributing government hacks:


The debate has taken Alperovitch by surprise.

“Our industry has been doing attribution for 30 years,” although such work has focused on criminal activity, he said. “The minute it went out of cybercrime, it became controversial.”

“Our industry has been doing attribution for 30 years,” although such work has focused on criminal activity, he said. “The minute it went out of cybercrime, it became controversial.”

The minute pattern recognition attribution moved out of cybercrime and got used for attributing government hacking groups and high-profile political hacks, it became controversial. And for some reason this is surprising. Yet a false flag in the realm of cyber crime is a completely different story from a false flag intended to frame a country, both in the capabilities and motivations of the likely perpetrators and in the need for accuracy. It’s not great if you screw up the attribution of a cyber burglary by a common hacker, but you really don’t want to misattribute something like an election hack.

And let’s not forget that hack attacks can get a lot more disruptive than an election attack. Imagine a hack that takes down a national power grid, maybe for an extended period of time. What’s the better attribution ‘normal’ in that situation? The ‘old normal’, where public attribution of government hacks was rare, which could conceivably lead governments to believe they can get away with such an attack? Or the ‘new normal’, where you could conceivably incentivize a devastating cyber false flag attack that takes down a power grid? Or maybe triggers a nuclear plant meltdown?

Which ‘normal’ is worse? It seems like the ‘old normal’ is probably safer, since there’s still the implicit threat of mutually assured retaliation without incentivizing false flags. But if there’s one ‘permanent normal’, it’s the fact that humanity is always going to need to struggle with the appropriate approach to cyber attribution as long as ‘perfect crime’ false flags are a technical possibility. This debate isn’t going away. Nor should it. It’s similar to the debate over the balance between security and privacy for things like end-to-end strong encryption: a debate that shouldn’t actually be concluded. Sure, policy decisions need to be made, but we shouldn’t assume those policies reflect a conclusion of the debate.

It’s also similar to the encryption debate in that high-quality government agencies and officials that the public can reasonably trust are probably one of the most important tools for navigating this risk minefield.

So we have this horrible situation where it’s ‘international chaos’ one way or another. And yet the message we’re hearing from US and German (and other) cyber chiefs is that they are 100 percent sure all these hacks being attributed to ‘sloppy’ Russian hackers really are Russian hackers. And the message from Putin is basically, “that wasn’t us, but if it was, that would be OK and justified.” On top of that, we had the Macron hack take place last year with ‘Alt-Right’ neo-Nazi fingerprints all over it, and that fact is almost entirely ignored; there was never a real attempt to explain it. This situation is an international cyber-tinderbox.

And as a consequence of this environment, we get stories like the report Trend Micro just issued about the US Senate phishing sites, made with 100 percent confidence based on “pattern recognition”. That conclusion is international news and largely accepted without any meaningful consideration of the possibility that, say, neo-Nazi hacker extraordinaire Andrew ‘weev’ Auernheimer or perhaps another government set up those sites and left a bunch of ‘digital fingerprints’ designed to make it look like a ‘Fancy Bear’ operation. And no recognition that, if this was indeed a ‘Fancy Bear’ operation, it conspicuously left digital fingerprints leading back to previous hacks, making this the latest incident of Russian hackers apparently getting super sloppy ever since the conflict in Ukraine broke out. Instead, it’s just blanket acceptance of the report, and that means it’s a situation ripe for all sorts of ‘international chaos’. Think about how many different entities probably want to run their own ‘Russian hacker’ false flag operations now.

Who knows, maybe the sudden change in Russian hacker behavior starting in 2014, where digital infrastructure keeps getting reused hack after hack, allowing the cybersecurity industry to go on a ‘pattern recognition’ spree, really is a Kremlin operation designed to entice hackers and governments around the world to pretend to be Russian hackers, so that a bunch of false flag operations get exposed and poison the well of ‘Russian hacker’ attribution. That would be an incredibly risky operation, but the rewards could be handsome. And very sneaky.

So let’s consider some basic scenarios:

A. Putin really has ordered a high-profile trollish hacking campaign following the outbreak of the Ukraine conflict as part of a strategy where Russia getting the blame is either seen as desirable or inconsequential. They’re self-implicating for a reason.

B. Putin really has ordered a hacking campaign following the outbreak of the Ukraine conflict, and they keep leaving digital evidence because there’s been a degradation in the quality of Russian hacking personnel. And for some reason the issue of reusing compromised digital infrastructure hasn’t been adequately addressed.

C. Putin really has ordered a high-profile trollish hacking campaign following the outbreak of the Ukraine conflict to be carried out by mafia hackers or some other proxies, and they keep screwing up and leaving fingerprints. And the Kremlin keeps using them for some reason despite all the screw-ups.

D. It really is ‘patriotic hackers’ operating on their own and the Russian government isn’t keen on stopping them despite all the blame they direct back to Russia.

E. One or more third parties, recognizing the opportunity the Ukraine conflict created for pushing a false flag ‘Russian hacker’ campaign, decided to wage such a campaign over the last few years, carrying out one high-profile hack after another with full confidence that Western powers and the cybersecurity industry are strongly biased towards attributing hacks to Russia.

F. Some mix of A thru E.

A range of possibilities is a basic element of this hacking situation, and it’s almost never acknowledged these days. For any hack. Why isn’t that considered extremely dangerous?

And it’s entirely possible that we’re seeing a situation where Putin is laying a trap based on the observation that the cybersecurity industry appears to be ready and willing to build 100 percent attribution narratives for public consumption for hire:

1. Have Russian hackers carry out a conspicuous wave of hacks filled with digital evidence that points back to Russia but could easily have been planted.

2. Infuriate Western governments that know it’s Russian hackers because they have means of detection that can’t be publicly revealed. Like super-secret NSA/5-Eyes evidence.

3. The cybersecurity industry basically offers to create a narrative ‘proving’ Russia did it, using a shoddily constructed case based on guesswork and a refusal to accept the possibility of false flag hacks. And we effectively have to take their word for much of this. This is seen as acceptable in order to not let Russia get away with its flagrant hacking campaign.

4. Eventually the shoddiness of that attribution method is revealed and used to discredit past and present attributions against Russia. Putin smiles.

Might that explain the sudden sloppy aggressiveness of ‘Russian hackers’ over the past few years? Who knows, but something very odd is happening with all these ‘Russian hackers’ and there’s virtually no interest in understanding why.

Of course, two very obvious reasons there might be so much resistance to the idea of false flag attacks:

1. The fear that such talk might end up helping President Trump avoid culpability for colluding with Russia during the 2016 campaign

2. The fear that it might help take the heat off Putin in the midst of a Russian trollish hacking campaign targeting Western democracies.

But those aren’t great reasons. Even if Putin really has ordered a high-profile trollish destabilizing hacking campaign, not acknowledging the false flag angle just invites third parties to participate and create more chaos. And while you might be tempted to think, “oh good, all those false flag attacks will get attributed to Putin and this will apply even more international pressure on Russia to [insert demand here],” that’s an insane attitude. What if the false flag is much nastier, like a grid attack? That’s a flirtation with a WWIII-started-by-a-third-party scenario.

And it’s not like the introduction of the possibility that the DNC server hacks could have involved a false flag third party has to be all that disruptive to the #TrumpRussia investigation. At this point that investigation is filled with so much evidence of the Trump campaign’s active desire to collude with Russia, based on all the other incidents of Russian footsie, that the investigation could go on almost without a hitch even if it was determined that a 400 pound guy in bed (or a neo-Nazi hacker like Andrew Auernheimer sitting in bed) did the DNC hacks alone. The DNC hacks were central to the #TrumpRussia investigation at the beginning of Trump’s term, but this is a year into the investigation. Just look at a sampling of what we’ve learned:

1. Trump is basically a mobbed up celebrity businessman.

2. Donald Trump Jr., Paul Manafort, and Jared Kushner held a meeting in Trump Tower after Rob Goldstone promised him Russian government help in the form of dirt on Hillary. Whether or not they actually colluded with Russia, they certainly wanted to. None other than Steve Bannon reportedly called this “treasonous” behavior.

3. Trump’s campaign foreign advisor, George Papadopoulos, told Australia’s top diplomat in the UK that the Russians told him they had thousands of Hillary Clinton’s emails.

4. GOP financier Peter Smith ran an operation to find Hillary’s hacked emails. They admit they were fine if they came from Russian government hackers. Much of the Trump team was reportedly involved – Steve Bannon, Kellyanne Conway, Sam Clovis, and Michael Flynn.

5. Peter Smith’s email-hunting expedition inquired with ‘Alt-Right’ troll-journalist Charles “Chuck” C. Johnson about who might know how to contact hackers on the Dark Web with Hillary Clinton’s emails. Johnson told Smith’s team that they should contact Andrew Auernheimer. Johnson also told Smith’s team that there were other ‘Alt-Right’ teams also looking for Hillary’s emails on the Dark Web. Which kind of sounds like the team that distributed the Macron emails.

6. Peter Smith’s email-hunting expedition also inquired with “Guccifer 2.0” about who might know how to contact hackers on the Dark Web with Hillary Clinton’s emails. Guccifer 2.0 told Smith’s team that they should contact Andrew Auernheimer.

7. Barbara Ledeen, wife of Michael – who was the co-author of a book on foreign policy with Michael Flynn – started her own Dark Web expedition with Newt Gingrich in 2015 hunting for Hillary’s emails.

8. All the other crazy crap Michael Flynn did.

9. All of Trump’s blatant obstruction of justice already known to the public. Even if he’s innocent of everything else, he’s still pretty clearly guilty of obstruction of justice. He talks about.

10. Paul Manafort is super shady. And may have been involved in the Ukraine sniper attacks according to his daughter’s hacked text messages.

11. Felix Sater’s Russian Mobster/FBI/CIA informant past. A past Trump claimed to not know about.

12. Felix Sater and Trump Org attorney Michael Cohen tried to contact the Kremlin for a Trump Tower Moscow deal during the campaign.

13. Cambridge Analytica is owned by SCL. SCL employed military-grade psychological warfare specialists for managing big opinion-changing campaigns targeting nations. And they’ve psychologically profiled most of the US.

14. Donald Trump, Jr. and Julian Assange were chatting with each other over Twitter’s direct messaging system during the campaign.

15. The Trump campaign had embeds from Facebook, Google, and Twitter. These embeds helped the Trump campaign to effectively wage an unprecedented microtargeting campaign and sophisticated social media personal profiling campaigns using highly personally customized messaging strategies that these social media giants made available to the Trump campaign.

16. The Russian ‘troll farm’ Internet Research Agency had its own weird social media campaigns. This wasn’t remotely as big or significant as the Trump campaign’s social media presence, and a lot of the troll farm’s activity appeared to be experiments in seeing if they can initiate real-world action through social media enticement, but it’s certainly worth investigating. Especially since it’s entirely possible someone other than the Kremlin hired their services. Although if it was someone like Paul Manafort hiring their services for a dirty tricks team for the Trump campaign that would presumably be done with Putin’s approval since that’s pretty sensitive and the Internet Research Agency is a close ally of Putin.

17. US intelligence officials acknowledged back in July of 2016, a week after the big DNC email batch was leaked by Wikileaks, that the hack was significantly less sophisticated and sloppier than previous Russian government hacks. And the hackers left Cyrillic character data on the hacked DNC servers. Intelligence sources acknowledged that the attribution was based on deduction and not hard technical evidence, and deduced that the sloppiness was intentional trollish signalling meant to show it was Russia. And if that’s true, when you factor in all the footsie Kremlin operatives (or people posing as Kremlin operatives) were playing with the Trump campaign during the time of this unusually sloppy hack, it suggests the Kremlin could have been trying to get caught and have their ties with the Trump campaign exposed in the subsequent investigation. And that’s a somewhat hilarious scenario that could help with de-escalating US/Russian tensions.

18. The final conclusive attribution by the US intelligence community that Putin ordered the DNC hacks was based on an intelligence source deep within the Kremlin who claimed Putin ordered the attacks and not the “pattern recognition” analysis by CrowdStrike or other cybersecurity companies. So, assuming you believe this Kremlin source, it’s not as if standing behind the “pattern recognition” methodology is critical to any case against the Trump campaign anyway.

19. Trump might be insane.

And that’s just a sampling of the revelations that are now available for any investigators into Trump’s fitness for office.

So when you look at the full scope of all the evidence made public so far of the Trump campaign’s willingness and desire to collude with the Russian government, whether or not Russia carried out the DNC hack is almost beside the point at this point. All the footsie the Trump campaign and Trump organization was playing with apparent Kremlin operatives throughout the campaign – George Papadopoulos, Felix Sater and Michael Cohen, the Trump Tower meeting – opens up the potential for blackmail anyway, with or without Russian government hackers being behind the DNC server hack. And the mobster-ish past of Trump and so many figures in his orbit is all the more reason to worry about things like blackmail. Who actually hacked the DNC is an interesting side note when put in the broader context of whether or not Trump is fit for office.

And that creates a marvelous potential opening for addressing two critical goals the US should have at this point:
1. De-escalating the situation with Russia. De-escalation of US-Russian tensions really should be a priority even if you’re pissed at Putin over the 2016 election meddling. The longer this cyber-standoff/trolling situation between the US and Russia goes on, the more time there is for third party false flag attacks or things spiralling out of control. Especially with Trump in place. The strategy of ratcheting up international pressure on Russia until some ‘Russian Spring’ happens is high risk and could result in a Russian ultra-nationalist far more dangerous than Putin replacing him. That would be a catastrophe. A ‘Russian Reset’ based on collective marveling at the corruption of Trump and the GOP would be a much better response.

And…

2. Addressing the “international chaos” risks that a “pattern recognition” standard of cyber attribution introduces into world affairs. These techniques are vulnerable to spoofing and incentivize false flags. If an agency like the NSA wants to declare that it knows something using its superior knowledge, that’s one thing. But granting credibility to random cybersecurity firms using “pattern recognition” techniques for attribution in cases like nation-state-on-nation-state hacking is wildly dangerous. Don’t forget that the approach to stopping hacks advocated by Dmitri Alperovitch – that publicly naming and shaming the hacker is key to defense – doesn’t necessarily dissuade hackers. It might just make them more intent on pretending to be someone else.

So what’s the opening the US should make to address these twin goals? The US should openly entertain the possibility that some of these high-profile Russian hacks might actually be false flags. Just get that idea out there so the public isn’t lulled into thinking “pattern recognition” is really the kind of gold standard we should accept for nation-state-on-nation-state hacking attributions. At the same time, the US should simultaneously suggest that, if these hacks are indeed ordered by the Russian government, running a high-profile self-implicating hacking campaign – a hacking campaign that’s seemingly designed to raise questions about whether or not it’s a false flag attack because it’s so over the top – is incredibly dangerous and irresponsible and a recipe for international chaos. If Putin actually ordered the years-long self-incriminating hacking campaign we’ve seen from Russian hackers since the outbreak of the conflict in Ukraine in 2014, that is simultaneously kind of clever and wildly irresponsible. And stupid. Because now any random hacker can frame Russia for all sorts of hacks against all sorts of countries and interests. All they’d have to do is run a sloppy, seemingly intentionally self-incriminating hacking campaign intended to trigger a “pattern recognition” match with previous ‘Russian hacks’. And while Putin and the Russian government could have determined that getting framed for hacks like, say, the Macron election hack is acceptable, what about an attack blamed on Russia that takes a Western power’s power grid down? Or an attack that triggers a nuclear meltdown? That might not be the kind of thing you want to get framed for even if you’re a nuclear power. If Putin really did launch the kind of hacking campaign we’ve seen since 2014, that was a desperate and dangerous move that really does risk triggering “international chaos,” and he needs to stop.

Why can’t the US make that argument without feeling like some sort of major concession was made that helps Putin? It’s an argument that raises the degree of the crime if the Kremlin really is behind this high-profile “I’m a Russian hacker!” campaign, by making it clear to the world that this is creating a real risk to the world. And it’s an argument that also makes it clear to the Russian people that it’s incredibly dangerous to them if the Kremlin is really doing this. Do the Russian people want a neo-Nazi elite hacker like Andrew ‘weev’ Auernheimer framing them for something a lot more horrific than hacked political emails? That seems like a massive national risk.

And the above argument helps head off the risk to the world presented by vulnerable cyber attribution standards too. Don’t forget, the US intelligence community’s conclusion that Putin was behind the hacks was based on intelligence from a single source deep within the Kremlin who claimed Putin ordered the attacks, and was not based on the “pattern recognition” analysis by CrowdStrike or other cybersecurity companies. Not the initial pattern recognition guesswork, because that was inconclusive even though it led to the initial hunch that Russia was behind it. Also don’t forget that there are a lot more high-profile hacks attributed to the Russians in recent years, so acknowledging the possibility that some of these hacks could be false flags doesn’t solely raise this question about the DNC hack. What about the ‘Alt-Right’ fingerprints all over the Macron hack? Aren’t people interested in resolving that mystery? And if a bunch of ‘Alt-Right’ neo-Nazis turned out to be behind the DNC hack instead of the Kremlin, is that somehow good news for Trump and the GOP? Even if a 400 pound hacker in bed did the DNC hack, there’s still all the evidence of the Trump campaign’s desire to collude with the Russians and the subsequent blatant obstruction of justice.

Don’t forget that impeaching Trump is a political decision in the end, and not a criminal one. Even if raising the possibility of a non-Kremlin source behind the DNC hack complicated the Mueller investigation’s ability to bring criminal charges in relation to the election hack, it’s not like that criminal charge is a deciding factor for impeachment purposes. That’s a political choice. What if the Trump campaign and the GOP arranged for their own ‘Russian hackers’? Or perhaps a bunch of ‘Alt-Right’ hackers that the Trump team had extensive contact with were behind the DNC and Macron hacks? Those kinds of scenarios wouldn’t exactly help their case against impeachment, would they? Is it politically acceptable to collude with ‘Alt-Right’ hackers now?

Impeaching Trump is also an act fraught with great peril and probably shouldn’t be considered the top priority for Democrats. Mike Pence could bring a level of competency to the White House that could be far more damaging than Trump’s daily whirlwind of chaotic corruption. And even if Mike Pence is impeached, next in line is the Koch-puppet House Speaker Paul Ryan. There isn’t really a ‘happy ending’ impeachment scenario here. If Trump gets impeached, a huge chunk of the American conservative base is going to go more insane and develop an even more malignant grievance complex, and that psychological wound will be nursed for decades. So is it worth impeaching the blatantly crazy fascist who might blow up the world only to have him replaced by a far more competent fascist? Both scenarios feel like existential risks. In other words, even if you could impeach Trump tomorrow over the Russian hacking and replace his dangerous chaos with a President Pence or Ryan, are you sure you want to do that? Super sure? It’s another example of a contemporary catastrophic ‘no-win’ situation. A classical non-technological ‘no-win’ situation: do we try to replace an unpredictable extreme danger with a more predictable extreme danger? Who knows. And that ambiguity over whether or not impeaching Trump is even a desirable scenario is another reason not to fear letting Trump ‘off the hook’ by acknowledging the possibility that these hacks being attributed to Russia might include false flags.

Given all the catastrophic no-win situations swirling around this issue of cyber attribution, how is a society to proceed? Well, here’s something to keep in mind: the future of hacking attribution is probably going to depend on the credibility of the authority making the attribution, since authoritative attribution will probably depend on information that can’t be publicly revealed. That’s basically the situation today, where an agency like the NSA is often left to make the final ‘call’ on attribution. But we could become more reliant on trusting an authority with access to secret information in the future, especially if we acknowledge the reality of false flags, and that’s going to raise the question of whether or not that authority can be trusted. And in a world of false flag cybercrimes at a nation-state level, that adds one more reason to have a very credible government. And how do we get credible governments? By creating societies that seem really nice and are run by people that seem very unlikely to engage in malicious false accusations. Being really, really, really nice and non-aggressive could be a key element of national cyber-defense in the future, because the country with the most credibility could end up with the final word in the court of public opinion. And the court of public opinion matters in the realm of international cyber warfare.

Look at it this way: the catastrophic no-win situations around cyber attacks and attribution make having a high-quality, trustworthy government with a formidable intelligence capacity whose word is respected around the globe a national security priority. And the only way to realistically accomplish that feat is for a society to develop a track record of actually being really nice and compassionate and trustworthy and not aggressively ambitious. Sure, on one level this is utopian thinking. But when you think about the array of new technologies that will allow for devastating attacks that could be carried out without clear attribution – false flag biowarfare, false flag nuclear attacks, false flag assassin drone attacks, false flag [insert technological horror show here] – it’s hard to see why false flag attacks aren’t going to be a popular mode for waging both warfare and terrorism, and that all makes having a really well-respected society all the more important in the future. Good! It’s one more reason for building good, decent societies populated by honorable and trustworthy individuals. How do we accomplish that? Good question! Let’s figure that out. It probably involves a nation carrying out the dual focus of being really decent to its citizens while constantly trying to make the world at large a better place for every nation. Which is something that shouldn’t be considered utopian thinking and instead should be seen as a basic survival strategy for a high-tech future. Plus, it’s not like this is the only technological nightmare situation that calls for a dedication to very good, trustworthy societies and governments.

And there’s one key aspect to being a well-liked, trustworthy nation with the kind of international credibility to make an attribution that will be believed, and it’s an ironic one: the capacity to ‘turn the other cheek’ and not respond in kind after an attack, even after a public attribution is made. Yep, shaming the blamed attacker while simultaneously de-escalating the situation even after an attribution is made could be a great way for a society to build up ‘attribution cred’. And it might actually keep situations from spiraling out of control. Because if we apply the ‘mutually assured destruction’ mode of dissuading attacks that’s been successfully employed with nuclear strikes to future technologies where attribution is far more difficult than for a nuclear strike, we’re just asking for third parties to pick fights between nations with false flag attacks. Don’t forget that a third party could conceivably wage a false flag attack and a false flag counter-attack. That’s the kind of craziness that’s going to be unleashed by technology that potentially enables individuals to carry out devastating non-attributable attacks. That’s the future. The ‘400 pound hacker in his bed’ really might start WWIII in the future. And WWIV after that. So our future had better involve quite a bit of ‘turning the other cheek’ if it’s going to avoid being a smoldering future. Utopian thinking might be a basic survival strategy going forward.

And if ‘being a really, really nice and trustworthy country’ feels like a high-risk solution for how to address the threat of technological false flags, don’t forget: international chaos. That’s the future we invite when technological false flags and mutually assured destruction are the norm. So when you read stories about cyber attributions being made with near certainty in these high-profile hacks based on circumstantial evidence and guesswork, keep in mind that the only thing you should be 100 percent certain about is that this level of certainty is a really bad idea for a lot of reasons.

Discussion

8 comments for “Cyber Attribution, the Macron hacks, and the Existential Threat of Unwarranted Certainty”

  1. @Pterrafractyl–

    Conspicuous in its glaring absence from this story is the fact that the CIA’s cyber-weaponry is specifically designed to mimic Russian cyber-espionage and warfare software.

    Best,

    Dave Emory

    Posted by Dave Emory | January 16, 2018, 9:55 pm
  2. @Dave: Lol, yeah, the cybersecurity industry isn’t super keen on talking about that. But in terms of the CIA’s hacking tools specifically set up to mimic a Russian hacking operation, part of what makes that angle so interesting in this story is how the ‘Russian hackers’ – hacks attributed to the Russian government – appear to have suddenly changed their behavior after the outbreak of the conflict in Ukraine in 2014, and the big “Vault 7” batch of CIA hacking tools the Shadow Brokers released had files that were from no later than 2013.

    So a number of questions that need to be answered about the CIA’s Russian-mimicking hacking tools is whether or not the kind of ‘Russian hacker’ fingerprints it leaves are more closely mimicking the behavior attributed to ‘Russian hackers’ before or after the change in Russian hacking behavior that started after the 2014 Ukraine crisis. Because if the CIA hacking tools from 2013 mimicked more closely the ‘Russian hacker’ behavior starting in 2014 that would be quite something.

    And based on the pattern recognition methodology the cybersecurity industry has adopted, there are all sorts of ways a hacking tool might leave a Russian hacker digital fingerprint. Maybe it simply does graffiti-like acts like inserting Cyrillic characters into the ‘digital fingerprints’ left behind? Or perhaps there’s something more specific like leaving trails back to digital infrastructure previously attributed to Russia (previously attributed malware, IP bands, etc)? That’s unclear because there hasn’t really been much detailed reporting on how that ‘Russian hacker’ CIA tool set operates.

    But there has been some reporting on the tool kit. Leonid Bershidsky had a piece in Bloomberg shortly after the Vault 7 release that contained a bit on the tools used to impersonate a foreign intelligence service, and it sounds like the mimicry tools largely involved leaving foreign languages in the malware and a library of malware that is either publicly available or previously attributed to foreign intelligence services. Bershidsky goes on to suggest that this wouldn’t really be an adequate set of tools required to really pull off a false flag hack because the cybersecurity industry wouldn’t accept such low standards, which is kind of funny because the above OP was about how the industry just might accept such low standards. He then points to how the DNC hack attribution was based on the use of specific command and control servers known to be used by Russian intelligence and suggests that this is the kind of higher standard used for serious attribution (this is the same command and control server that was later revealed to be publicly known since 2015 and vulnerable to the Heartbleed attack). So it sounds like, at a minimum, the Vault 7 hacking tools would facilitate some of the more overt “I’m a Russian hacker” digital graffiti:

    Bloomberg View

    Wikileaks’ CIA Revelations Look Like a Dud for Now
    No, the CIA probably hasn’t hacked your instant messengers or your smart TV.

    by Leonid Bershidsky
    March 8, 2017, 6:54 AM CST

    Wikileaks’ latest data dump, the “Vault 7,” purporting to reveal the Central Intelligence Agency’s hacking tools, appears to be something of a dud. If you didn’t know before that spy agencies could apply these tools and techniques, you’re naive, and if you think it undermines the attribution of hacker attacks on the Democratic National Committee and other targets, you’ll be disappointed.

    The obfuscation story is similarly unimpressive. The Wikileaks cache contains a manual for CIA hackers on making their malware harder to trace, for example, by adding foreign languages. Wikileaks also said that the CIA “collects and maintains a substantial library of attack techniques ‘stolen’ from malware produced in other states including the Russian Federation.” The library, however, contains all sorts of publicly available malware, as well as samples tentatively attributed to foreign intelligence services; all that does is confirm that hackers, including CIA ones, aren’t picky about the origins of the products they use. The important thing is that the malware should work.

    This shouldn’t affect serious attempts to attribute hacker attacks. I’m not sure this is fully understood within the U.S. intelligence community itself — at any rate, the declassified report on Russian hacking it released late last year appeared to base attribution on the use of specific publicly available malware. But industry experts usually need much more evidence. A number of possible Russian attacks were attributed to Moscow’s intelligence services because the attackers used specific command and control centers — servers — to collect information from various Russia adversaries. To set up a false flag operation, the CIA would need to go much further than obfuscating the origins of its malicious code.

    ———-

    “Wikileaks’ CIA Revelations Look Like a Dud for Now” by Leonid Bershidsky; Bloomberg View; 03/08/2017

    “The obfuscation story is similarly unimpressive. The Wikileaks cache contains a manual for CIA hackers on making their malware harder to trace, for example, by adding foreign languages. Wikileaks also said that the CIA “collects and maintains a substantial library of attack techniques ‘stolen’ from malware produced in other states including the Russian Federation.” The library, however, contains all sorts of publicly available malware, as well as samples tentatively attributed to foreign intelligence services; all that does is confirm that hackers, including CIA ones, aren’t picky about the origins of the products they use. The important thing is that the malware should work.”

    A manual recommending foreign languages and library of previously attributed malware. That’s at least part of what’s in Vault 7’s toolkit for identity obfuscation.

    And as Bershidsky ironically puts it, “This shouldn’t affect serious attempts to attribute hacker attacks.” And he’s correct that it shouldn’t affect serious attempts to attribute hacker attacks. But these kinds of ‘clues’ clearly do affect serious attempts at attribution, because we’ve seen such ‘clues’ pointed to as evidence over and over since the advent of these high-profile hacks:

    “This shouldn’t affect serious attempts to attribute hacker attacks. I’m not sure this is fully understood within the U.S. intelligence community itself — at any rate, the declassified report on Russian hacking it released late last year appeared to base attribution on the use of specific publicly available malware. But industry experts usually need much more evidence. A number of possible Russian attacks were attributed to Moscow’s intelligence services because the attackers used specific command and control centers — servers — to collect information from various Russia adversaries. To set up a false flag operation, the CIA would need to go much further than obfuscating the origins of its malicious code.”

    So it will be interesting to see if there are more detailed reports on those capabilities somewhere, and how many of them were obvious things lots of hackers must know, like “insert foreign language and reuse malware,” and how many were novel techniques. It certainly seems like a topical set of questions. Especially now that this toolkit is ‘in the wild’.

    Posted by Pterrafractyl | January 17, 2018, 12:27 am
  3. Uh oh: It looks like the potential consequence of incorrect cyber attribution just went thermonuclear. And not metaphorically ‘thermonuclear’. The consequences could literally be thermonuclear in nature: The Pentagon has reportedly sent a nuclear strategy to President Trump for approval that would permit the use of nuclear weapons in response to a wide range of non-nuclear attacks on American infrastructure, including devastating cyber attacks:

    The New York Times

    Pentagon Suggests Countering Devastating Cyberattacks With Nuclear Arms

    By DAVID E. SANGER and WILLIAM J. BROAD
    JAN. 16, 2018

    WASHINGTON — A newly drafted United States nuclear strategy that has been sent to President Trump for approval would permit the use of nuclear weapons to respond to a wide range of devastating but non-nuclear attacks on American infrastructure, including what current and former government officials described as the most crippling kind of cyberattacks.

    For decades, American presidents have threatened “first use” of nuclear weapons against enemies in only very narrow and limited circumstances, such as in response to the use of biological weapons against the United States. But the new document is the first to expand that to include attempts to destroy wide-reaching infrastructure, like a country’s power grid or communications, that would be most vulnerable to cyberweapons.

    The draft document, called the Nuclear Posture Review, was written at the Pentagon and is being reviewed by the White House. Its final release is expected in the coming weeks and represents a new look at the United States’ nuclear strategy. The draft was first published last week by HuffPost.

    It called the strategic picture facing the United States quite bleak, citing not only Russian and Chinese nuclear advances but advances made by North Korea and, potentially, Iran.

    “We must look reality in the eye and see the world as it is, not as we wish it to be,” the draft document said. The Trump administration’s new initiative, it continued, “realigns our nuclear policy with a realistic assessment of the threats we face today and the uncertainties regarding the future security environment.”

    But three current and former senior government officials said large cyberattacks against the United States and its interests would be included in the kinds of foreign aggression that could justify a nuclear response — though they stressed there would be other, more conventional options for retaliation. The officials spoke on the condition of anonymity because they are not authorized to discuss the proposed policy.

    Gary Samore, who was a top nuclear adviser to President Barack Obama, said much of the draft strategy “repeats the essential elements of Obama declaratory policy word for word” — including its declaration that the United States would “only consider the use of nuclear weapons in extreme circumstances to defend the vital interests of the United States or its allies and partners.”

    But the biggest difference lies in new wording about what constitutes “extreme circumstances.”

    In the Trump administration’s draft, those “circumstances could include significant non-nuclear strategic attacks.” It said that could include “attacks on the U.S., allied, or partner civilian population or infrastructure, and attacks on U.S. or allied nuclear forces, their command and control, or warning and attack assessment capabilities.”

    The draft does not explicitly say that a crippling cyberattack against the United States would be among the extreme circumstances. But experts called a cyberattack one of the most efficient ways to paralyze systems like the power grid, cellphone networks and the backbone of the internet without using nuclear weapons.

    “In 2001, we struggled with how to establish deterrence for terrorism because terrorists don’t have populations or territory to hold at risk. Cyber poses a similar quandary,” said Kori Schake, a senior National Security Council and State Department official during President George W. Bush’s administration, who is now the deputy director general of the International Institute for Strategic Studies in London.

    “So if cyber can cause physical malfunction of major infrastructure resulting in deaths,” Ms. Schake said, the Pentagon has now found a way “to establish a deterrent dynamic.”

    The draft review also cites “particular concern” about “expanding threats in space and cyberspace” to the command-and-control systems of the American nuclear arsenal that the review identifies as a “legacy of the Cold War.” It was the latest warning in a growing chorus that the nuclear response networks could themselves be disabled or fed false data in a cyberattack.

    So far, all of the United States’ leading adversaries — including Russia, China, North Korea and Iran — have stopped well short of the kind of cyberattacks that could prompt a larger, and more violent response.

    The Russians have placed malware called “Black Energy” in American utility systems, but never tried to cause a major blackout. They have sent cable-cutting submarines along the path of undersea fiber optic lines that connect the continents, but not cut them. North Korea has attacked companies like Sony, and used cyberweapons to cause chaos in the British health care system, but never directly taken on the United States.

    Still, the document recognizes that American, Russian and Chinese strategies have all been updated in recent years to reflect the reality that any conflict would begin with a lightning strike on space and communications systems. During the Obama administration, for example, a secret program, code-named “Nitro Zeus,” called for a blinding cyberattack on Iran in the event negotiations over its nuclear program failed and Washington found itself going to war with Tehran.

    There are other differences with the Obama administration policy.

    The draft strategy embraces the American production of a new generation of small, low-yield nuclear weapons — some of which were under development during the Obama administration. Some experts warn that such smaller weapons can blur the distinction between nuclear and non-nuclear weapons, and, as a result, be more tempting to use.

    And it states outright that Russia is testing its first autonomous nuclear torpedo, one that American officials believe would be guided largely by artificial intelligence to strike the United States even if communications with Moscow were terminated. It was Washington’s first public acknowledgment of such an undersea weapon, a prototype of which was first envisioned in the 1960s by Andrei Sakharov, the physicist who later ranked among the Soviet Union’s most famous dissidents.

    The torpedo’s development was detected by the Obama administration and has been widely discussed in defense circles, but never publicly referred to by the Pentagon as a significant future threat.

    Mr. Trump has rarely publicly criticized President Vladimir V. Putin of Russia for Russia’s aggressions around the world. But the Pentagon document describes Moscow’s actions as so destabilizing that the United States may be forced to reverse Mr. Obama’s commitment to reduce the role and size of the American nuclear arsenal.

    Russia is adopting “military strategies and capabilities that rely on nuclear escalation for their success,” Defense Secretary Jim Mattis wrote in an introduction to the report. “These developments, coupled with Russia’s invasion of Crimea and nuclear threats against our allies, mark Moscow’s unabashed return to Great Power competition.”

    In most cases, the Trump administration plan would simply move forward nuclear weapons that Mr. Obama had endorsed, such as a new generation of nuclear cruise missiles — low-flying weapons with stubby wings that, when dropped from a bomber, hug the ground to avoid enemy radars and air defenses.

    But the strategy envisions other new nuclear weapons. The draft policy calls for “the rapid development” of a cruise missile to be fired from submarines. Mr. Obama had retired that class. It also calls for the development of a low-yield warhead for ballistic missiles fired from submarines.

    It is relatively easy for presidents to change the country’s declaratory policy on the use of nuclear arms and quite difficult for them to reshape its nuclear arsenal, which takes not only vast sums of money but many years and sometimes decades of planning and implementation.

    The price tag for a 30-year makeover of the United States’ nuclear arsenal was put last year at $1.2 trillion. Analysts said the expanded Trump administration plan would push the bill much higher, noting that firm estimates will have to wait until the proposed federal budget for the 2019 fiscal year is made public.

    “Almost everything about this radical new policy will blur the line between nuclear and conventional,” said Andrew C. Weber, an assistant defense secretary during the Obama administration who directed an interagency panel that oversaw the country’s nuclear arsenal.

    If adopted, he added, the new policy “will make nuclear war a lot more likely.”

    One of the document’s edgiest conclusions involves the existence of a deadly new class of Russian nuclear torpedo — a cigar-shaped underwater missile meant to be fired from a submarine.

    Torpedoes tipped with nuclear arms were common during the Cold War, with the Soviet Union pioneering the weapons and developing them most vigorously. One Soviet model had a range of miles and a large warhead.

    Mr. Sakharov, a famous Russian dissident in the 1970s and 1980s, envisioned a giant torpedo able to travel several hundred miles and incur heavy casualties with a warhead thousands of times more powerful than the Hiroshima bomb. Though his vision was rejected at the time, the new review discloses that Moscow has resurrected a weapon along the same lines.

    The document calls it “a new intercontinental, nuclear-armed undersea autonomous torpedo.” In a diagram labeled “New Nuclear Delivery Vehicles over the Past Decade,” it identifies the torpedo by its code name, Status-6.

    News stories have reported the possible existence of such a weapon since at least 2015, but the document’s reference appears to be the first time the federal government has confirmed its existence. The long-range torpedo with a monster warhead is apparently meant to shower coastal regions with deadly radioactivity, leaving cities uninhabitable.

    ———-

    “Pentagon Suggests Countering Devastating Cyberattacks With Nuclear Arms” by DAVID E. SANGER and WILLIAM J. BROAD; The New York Times; 01/16/2018

    “For decades, American presidents have threatened “first use” of nuclear weapons against enemies in only very narrow and limited circumstances, such as in response to the use of biological weapons against the United States. But the new document is the first to expand that to include attempts to destroy wide-reaching infrastructure, like a country’s power grid or communications, that would be most vulnerable to cyberweapons.”

    So America’s nuclear trigger-finger is about to get a lot ‘itchier’. And that’s going to happen by defining down what constitutes an “extreme circumstance” to include paralyzing attacks on things like the power grid, cellphone networks and the internet, and that’s why a big cyber attack just might get a nuclear response: if you want to take down the power grid, cellphone networks and the internet, you’ll probably want to use a cyber attack:


    Gary Samore, who was a top nuclear adviser to President Barack Obama, said much of the draft strategy “repeats the essential elements of Obama declaratory policy word for word” — including its declaration that the United States would “only consider the use of nuclear weapons in extreme circumstances to defend the vital interests of the United States or its allies and partners.”

    But the biggest difference lies in new wording about what constitutes “extreme circumstances.”

    In the Trump administration’s draft, those “circumstances could include significant non-nuclear strategic attacks.” It said that could include “attacks on the U.S., allied, or partner civilian population or infrastructure, and attacks on U.S. or allied nuclear forces, their command and control, or warning and attack assessment capabilities.”

    The draft does not explicitly say that a crippling cyberattack against the United States would be among the extreme circumstances. But experts called a cyberattack one of the most efficient ways to paralyze systems like the power grid, cellphone networks and the backbone of the internet without using nuclear weapons.

    “In 2001, we struggled with how to establish deterrence for terrorism because terrorists don’t have populations or territory to hold at risk. Cyber poses a similar quandary,” said Kori Schake, a senior National Security Council and State Department official during President George W. Bush’s administration, who is now the deputy director general of the International Institute for Strategic Studies in London.

    “So if cyber can cause physical malfunction of major infrastructure resulting in deaths,” Ms. Schake said, the Pentagon has now found a way “to establish a deterrent dynamic.”

    ““So if cyber can cause physical malfunction of major infrastructure resulting in deaths,” Ms. Schake said, the Pentagon has now found a way “to establish a deterrent dynamic.””

    Yes, the Pentagon has indeed found a “deterrent dynamic.” A deterrent dynamic that makes false flag cyber attacks even more tempting than ever before. Yay.

    And this change in nuclear policy is coming at the same time the US is poised to embrace small, low-yield nukes. And the threat from Russia is being framed as the key driver for this new policy:


    There are other differences with the Obama administration policy.

    The draft strategy embraces the American production of a new generation of small, low-yield nuclear weapons — some of which were under development during the Obama administration. Some experts warn that such smaller weapons can blur the distinction between nuclear and non-nuclear weapons, and, as a result, be more tempting to use.

    And it states outright that Russia is testing its first autonomous nuclear torpedo, one that American officials believe would be guided largely by artificial intelligence to strike the United States even if communications with Moscow were terminated. It was Washington’s first public acknowledgment of such an undersea weapon, a prototype of which was first envisioned in the 1960s by Andrei Sakharov, the physicist who later ranked among the Soviet Union’s most famous dissidents.

    The torpedo’s development was detected by the Obama administration and has been widely discussed in defense circles, but never publicly referred to by the Pentagon as a significant future threat.

    Mr. Trump has rarely publicly criticized President Vladimir V. Putin of Russia for Russia’s aggressions around the world. But the Pentagon document describes Moscow’s actions as so destabilizing that the United States may be forced to reverse Mr. Obama’s commitment to reduce the role and size of the American nuclear arsenal.

    Russia is adopting “military strategies and capabilities that rely on nuclear escalation for their success,” Defense Secretary Jim Mattis wrote in an introduction to the report. “These developments, coupled with Russia’s invasion of Crimea and nuclear threats against our allies, mark Moscow’s unabashed return to Great Power competition.”

    The price tag for a 30-year makeover of the United States’ nuclear arsenal was put last year at $1.2 trillion. Analysts said the expanded Trump administration plan would push the bill much higher, noting that firm estimates will have to wait until the proposed federal budget for the 2019 fiscal year is made public.

    “Almost everything about this radical new policy will blur the line between nuclear and conventional,” said Andrew C. Weber, an assistant defense secretary during the Obama administration who directed an interagency panel that oversaw the country’s nuclear arsenal.

    If adopted, he added, the new policy “will make nuclear war a lot more likely.”

    “If adopted, he added, the new policy “will make nuclear war a lot more likely.””

    Yep, in addition to adopting a policy that encourages false flag cyber attacks that can cause your adversaries to nuke each other, the US is set to move full steam ahead on low-yield nukes that will obviously make the use of nuclear weapons a lot more likely.

    But perhaps the most chilling part of this report is the particular Russian nuclear weapon that the Pentagon was focused on: a nuclear torpedo that could travel hundreds of miles and make a coastline uninhabitable:


    One of the document’s edgiest conclusions involves the existence of a deadly new class of Russian nuclear torpedo — a cigar-shaped underwater missile meant to be fired from a submarine.

    Torpedoes tipped with nuclear arms were common during the Cold War, with the Soviet Union pioneering the weapons and developing them most vigorously. One Soviet model had a range of miles and a large warhead.

    Mr. Sakharov, a famous Russian dissident in the 1970s and 1980s, envisioned a giant torpedo able to travel several hundred miles and incur heavy casualties with a warhead thousands of times more powerful than the Hiroshima bomb. Though his vision was rejected at the time, the new review discloses that Moscow has resurrected a weapon along the same lines.

    The document calls it “a new intercontinental, nuclear-armed undersea autonomous torpedo.” In a diagram labeled “New Nuclear Delivery Vehicles over the Past Decade,” it identifies the torpedo by its code name, Status-6.

    News stories have reported the possible existence of such a weapon since at least 2015, but the document’s reference appears to be the first time the federal government has confirmed its existence. The long-range torpedo with a monster warhead is apparently meant to shower coastal regions with deadly radioactivity, leaving cities uninhabitable.

    “News stories have reported the possible existence of such a weapon since at least 2015, but the document’s reference appears to be the first time the federal government has confirmed its existence. The long-range torpedo with a monster warhead is apparently meant to shower coastal regions with deadly radioactivity, leaving cities uninhabitable.”

    Get ready for the upcoming nuclear torpedo arms race. You have to wonder if that kind of technology is going to make a submarine-based false flag nuclear attack more feasible. Because nuclear-armed bombers or ICBMs are probably pretty easy to attribute to a specific enemy, sub attacks are potentially more difficult to attribute if you can’t determine who actually launched it. So a very long-range nuclear torpedo seems like the kind of technology that could be launched in secret by all sorts of different interests in the future if they can get their hands on one – Russia, China, North Korea, Jihadists, the Underground Reich, a crazy billionaire who happens to own a private sub with nuclear torpedo launching capabilities – and it’s not clear a country could determine who launched it. So that’s rather disturbing. Especially since the disturbing nature of this technology is apparently going to be used to spark a nuclear arms race with Russia.

    And it gets more disturbing. Much, much more disturbing. According to a new report on the GOP’s concerns over their political prospects in the 2018 mid-term elections, President Trump isn’t so concerned. Why? Because he apparently has been telling people in the White House that he doesn’t think the 2018 election has to be as bad as others are predicting. And then he references how the GOP did better in the 2002 midterms following the Sept. 11 terrorist attacks. *gulp*:

    The Washington Post

    New alarm among Republicans that Democrats could win big this year

    By Michael Scherer, Josh Dawsey and Sean Sullivan
    January 14, 2018

    A raft of retirements, difficulty recruiting candidates and President Trump’s continuing pattern of throwing his party off message have prompted new alarm among Republicans that they could be facing a Democratic electoral wave in November.

    The concern has grown so acute that Trump received what one congressional aide described as a “sobering” slide presentation about the difficult midterm landscape at Camp David last weekend, leading the president to pledge a robust schedule of fundraising and campaign travel in the coming months, White House officials said.

    Republicans hold the advantage of a historically favorable electoral map, with more House seats than ever benefiting from Republican-friendly redistricting and a Senate landscape that puts 26 Democratic seats in play, including 10 states that Trump won in 2016, and only eight Republican seats.

    But other indicators are clearly flashing GOP warning signs. Democrats have benefited from significant recruitment advantages — there are at least a half dozen former Army Rangers and Navy SEALs running as Democrats this year, for example — as Republicans struggle to convince incumbents to run for reelection.

    At least 29 House seats held by Republicans will be open in November following announced retirements, a greater number for the majority party than in each of the past three midterm elections when control of Congress flipped.

    The president’s own job approval, a traditional harbinger of his party’s midterm performance, is at record lows as he approaches a year in office, according to Gallup. Polls asking which party Americans want to see control Congress in 2019 show a double-digit advantage for Democrats.

    “When the wave comes, it’s always underestimated in the polls,” said a conservative political strategist who has met with GOP candidates. “That is the reason that Republicans are ducking for cover.”

    Amid the onslaught, Republican strategists say they continue to pin their party’s electoral hopes on the nation’s still-rising economic indicators, the potential effects of the recent tax-reform bill and Trump’s ability to rally the conservative base.

    “The monthly metrics are bad, from the generic ballot to the Republican retirements to the number of Democratic recruits with money,” said one Republican political consultant, who works with major conservative donors involved in the midterms and asked for anonymity to speak frankly. “The big question is: Is everything different with Trump? Because the major metrics point to us losing at least one house of Congress.”

    In private conversations, Trump has told advisers that he doesn’t think the 2018 election has to be as bad as others are predicting. He has referenced the 2002 midterms, when George W. Bush and Republicans fared better after the Sept. 11 terrorist attacks, these people said.

    ———-

    “New alarm among Republicans that Democrats could win big this year” by Michael Scherer, Josh Dawsey and Sean Sullivan; The Washington Post; 01/14/2018

    “In private conversations, Trump has told advisers that he doesn’t think the 2018 election has to be as bad as others are predicting. He has referenced the 2002 midterms, when George W. Bush and Republicans fared better after the Sept. 11 terrorist attacks, these people said.”

    Uhh…it sure sounds like President Trump is betting on a massive attack. In 2018. And he seems to be looking forward to this.

    So if you’re the type of person who thrives on living every day like it’s your last day on Earth, this should be a good year for you. At least until it really is your last day. The rest of the year won’t be very good for you after that.

    Posted by Pterrafractyl | January 17, 2018, 4:50 pm
  4. @Dave: One quick correction: when I stated that the Vault 7 trove of CIA hacking tools only went until 2013, I was mixing that up with the Shadow Brokers NSA toolkit. The dates on the files in the Vault 7 trove went from 2013 – 2016. So that Vault 7 toolkit spans the period before and after the ‘Russian hackers’ started getting super sloppy and leaving “I’m a Russian hacker!” clues following the outbreak of the conflict in Ukraine. That makes the content of things like the library of malware that’s been used by foreign governments to obscure the CIA hacker’s identity potentially quite interesting. For instance, was “X-Agent” – the malware that was found in the DNC hack that was incorrectly described as exclusively used by ‘Fancy Bear’/APT28 – part of that malware library?

    Along those lines, check out this fascinating story related to the ‘X-Agent’ malware and who it may have originated with: Remember when “Hacking Team” – the private Italian ‘lawful hacking group’ that’s hired by governments around the world – got hacked and had its toolkit released back in July of 2015? Well, guess what: It appears that X-Agent was part of Hacking Team’s toolkit that was released to the world in July of 2015:

    Malwarebytes
    Blog

    Two new Mac backdoors discovered

    Posted: March 1, 2017 by Thomas Reed

    On Valentine’s Day, Mac users got a special “treat” in the form of new malware. Then, later that same week, there were signs of yet another piece of malware looming. These threats were overshadowed a bit by the discovery last week of the second ransomware app to ever appear on the Mac, but they’re still worthy of consideration.

    The first malware, named XAgent, was analyzed by Palo Alto Networks. XAgent, it turns out, is related to the Komplex malware discovered by Palo Alto last year, as can be seen by comparing some of the strings to those found in Komplex.

    At that time, Palo Alto tied Komplex to the Sofacy Group – also known by the names Fancy Bear and APT28, among others – a Russian hacking organization that has since been linked to such things as the hack of the Democratic National Convention.

    XAgent is a backdoor that provides a number of powerful remote access features, including keylogging, screenshots, remote shell access, and file exfiltration. Of particular interest is a command that provides the hacker with information about iOS backups stored on the infected Mac. iPhones (and other iOS devices) are notoriously difficult to hack, but by targeting backups instead, this malware could access potentially sensitive iPhone data.

    Interestingly, Patrick Wardle, Director of Research at Synack, had another interesting revelation about this malware. He shows quite convincingly that the Sofacy Group used code copied from the Hacking Team. (Hacking Team is the creator of the Remote Control System backdoor, which it sells to governments and law enforcement, among other organizations.)

    Hacking Team was itself the victim of a hack in 2015, and all their source code was made public. Wardle was able to demonstrate key similarities, such as identical bugs, in the decompiled XAgent code and the leaked Hacking Team code. It appears that Sofacy used Hacking Team code in their malware, most likely obtained from the Hacking Team breach.

    According to a whitepaper released by Bitdefender, the malware installs itself into the following folder, where it is given one of a set of hard-coded names:

    ~/Library/Assistants/.local/

    At the time of its discovery, the XAgent command & control servers were down, meaning that this variant of the malware is no longer a threat.

    On the heels of the XAgent discovery came an intriguing glance at another piece of Mac malware, a sample of which has not yet been found. Three days after Palo Alto released their analysis of XAgent, Apple released an update to XProtect – the built-in anti-malware software in macOS – that added detection of XAgent.

    However, that update also included a signature for something Apple called OSX.Proton.A, which ignited a storm of questions in the security community, who had never heard of any such malware for the Mac.

    A little digging by Arnaud Abbati, a researcher at Ninja, Inc, turned up a page from the Sixgill website with a terse description of a remote access tool (RAT) called Proton. The page has been taken down, but can still be found in Google’s cache here.

    Apparently, the malware is being sold on a Russian cybercrime forum, among other places. Sixgill also provided a link to a YouTube video from December, apparently made to promote the malware by demonstrating its capabilities. Another YouTube video, posted on February 8, showed additional capabilities.

    Unfortunately, thus far, no samples of the malware have been found. It does not appear to be in the VirusTotal database, and neither of the sites that appear to be associated with Proton (ptn[dot]is or protonsolutions[dot]net) are responding. Even Sixgill’s analysis seemed to be done entirely from online sources, and had no information to suggest that they had seen a copy of the malware. For now, this is a completely unknown threat with rather frightening apparent capabilities.

    ———-

    “Two new Mac backdoors discovered” by Thomas Reed; Malwarebytes Blog; 03/01/2017

    “Interestingly, Patrick Wardle, Director of Research at Synack, had another interesting revelation about this malware. He shows quite convincingly that the Sofacy Group used code copied from the Hacking Team. (Hacking Team is the creator of the Remote Control System backdoor, which it sells to governments and law enforcement, among other organizations.)”

    So, uh, wow! X-Agent, one of the pieces of malware that was seen as a key “digital fingerprint” in the DNC hack of 2016 pointing back to APT28, was in the July 2017 release of “Hacking Team’s” unit? That’s quite something.

    And just to get a taste of how the presence of X-Agent was used by CrowdStrike to attribute the DNC hack to ‘Fancy Bear’, here’s the opening paragraph of CrowdStrike’s December 2016 report that tried to use the X-Agent to erroneously claim that ‘Fancy Bear’ created malware used to infect the smartphones of Ukrainian artillery troops so they could be located and neutralized:

    CrowdStrike
    Blog

    Danger Close: Fancy Bear Tracking of Ukrainian Field Artillery Units

    December 22, 2016
    Adam Meyers

    Update – As of March 2017, the estimated losses of D-30 howitzer platform have been amended. According to an update provided by the International Institute for Strategic Studies (IISS) Research Associate for Defence and Military Analysis, Henry Boyd, their current assessment is as follows: “excluding the Naval Infantry battalion in the Crimea which was effectively captured wholesale, the Ukrainian Armed Forces lost between 15% and 20% of their pre-war D–30 inventory in combat operations.”

    In June CrowdStrike identified and attributed a series of targeted intrusions at the Democratic National Committee (DNC), and other political organizations that utilized a well known implant commonly called X-Agent. X-Agent is a cross platform remote access toolkit, variants have been identified for various Windows operating systems, Apple’s iOS, and likely the MacOS. Also known as Sofacy, X-Agent has been tracked by the security community for almost a decade, CrowdStrike associates the use of X-Agent with an actor we call FANCY BEAR. This actor to date is the exclusive operator of the malware, and has continuously developed the platform for ongoing operations which CrowdStrike assesses is likely tied to Russian Military Intelligence (GRU). The source code to this malware has not been observed in the public domain and appears to have been developed uniquely by FANCY BEAR.

    ———-

    “Danger Close: Fancy Bear Tracking of Ukrainian Field Artillery Units” by Adam Meyers; CrowdStrike Blog; December 22, 2016

    “Also known as Sofacy, X-Agent has been tracked by the security community for almost a decade, CrowdStrike associates the use of X-Agent with an actor we call FANCY BEAR. This actor to date is the exclusive operator of the malware”

    Jeffrey Carr did a great takedown of why that CrowdStrike ‘attribution’ was bogus. It was bogus for a lot of reasons, and one of those included the fact that X-Agent is already ‘in the wild’.

    Here’s something else to keep in mind: The security analyst who discovered that the X-Agent code appears to be extremely similar to the leaked Hacking Team code and concludes that X-Agent did indeed come from the Hacking Team leak also notes in their post [it’s very technical] that there’s the question of whether or not ‘Fancy Bear’ created X-Agent based on the Hacking Team leak or whether the Russian government simply purchased the malware from Hacking Team, since Hacking Team reportedly sold its services and tools to the Russian government. And while either of those are possibilities, we can’t forget that Hacking Team sold its malware to governments around the world:

    Forbes

    Wikileaks Release: Hacking Team Says It Sold Spyware To FSB, Russia’s Secret Police

    Thomas Fox-Brewster , FORBES STAFF
    JUL 9, 2015 @ 01:47 PM

    Now that Wikileaks has released the emails included in the 415GB leaked by the hackers who breached Italian “lawful intercept” provider Hacking Team, the world has easy access to a trove of information blowing open the inner workings of the private surveillance industry. Amongst the files seen by FORBES so far are emails detailing Hacking Team’s sales to Russia’s secret police, the FSB.

    Previous analysis of the leaks had sold its Galileo Remote Control System (RCS) to KVANT, a Russian state-owned military research and development organisation that works with the FSB. This inspired questions from Dutch politician and European Member of Parliament Marietje Shaake about the potential breach of European Union sanctions about the sale of such goods to Russia, which has been put on blacklists for its operations in war-torn Ukraine. Selling to the FSB would likely concern onlookers more, given the agency’s widespread access to communications in Russia.

    Hacking Team has repeatedly denied it sells its technology, which surreptitiously siphons off communications data from PCs, iPhones and Android devices, to regimes which it believes commit human rights abuses.

    Hacking Team appeared to have taken an interest in the FSB initially through NICE, an Israeli company with links to the country’s surveillance industrial complex, in particular signals intelligence agency Unit 8200. NICE seems to have acted as a reseller for Hacking Team’s tools. In May 2011, a member of NICE’s sales team boasted about some successful RCS demos with the FSB.

    “The feedback was very good, and we’ve been asked with many questions regarding the solution and its capabilities. It was clear that their questions implies that they have a background in the lawful hacking area, however that their existing solution may lack some of the capabilities, especially in infecting [Apple] Mac devices, and mobile devices,” the NICE employee said.

    After numerous demonstrations, progress seemed stymied, but in December 2012, a NICE employee asked Hacking Team whether it had sold directly to the FSB rather than via the Israeli company.

    “Yes we did,” the Hacking Team employee responded. “We discussed this opportunity in the past and you were aware of the fact we were working there. I’d like to take advantage of this conversation to ask you a feedback about Azerbaijan.”

    Asked about working in Russia, Hacking Team head of communications Eric Rabe said: “We have not sold to blacklisted countries — at least when they were actually on a blacklist. As you know these things can change and a country, that is considered respectable, may later on turn out not to be.” Hacking Team may have stopped providing services once the sanctions were imposed, just as it’s claimed it did for Sudan.

    FORBES also spoke with Vitaliy Toropov, a Moscow-based researcher who sold zero-days – previously unknown, unpatched vulnerabilities – to Hacking Team. He was surprised the FSB needed outside help with exploits. “I’ve never heard that FSB openly buys zero-days. I thought either they have their internal talents or they outsource it somewhere,” Toropov said over email.

    Another email, relating to correspondence from your reporter about an article for The Guardian about the use of Hacking Team technology in Ethiopia, appeared to indicate neither Rabe nor CEO David Vincenzetti were aware of a deal with the country, which has a poor track record when it comes to human rights abuses. According to the leaked documents, Ethiopia signed on in 2012.

    It’s now known that Hacking Team was selling to a vast number of governments, including Sudan, Saudi Arabia, UAE, Bahrain, Morocco and Egypt. The US is also a customer via the FBI, the military and the Drug Enforcement Agency.

    ———-

    “Wikileaks Release: Hacking Team Says It Sold Spyware To FSB, Russia’s Secret Police” by Thomas Fox-Brewster; Forbes; 07/09/2015

    “It’s now known that Hacking Team was selling to a vast number of governments, including Sudan, Saudi Arabia, UAE, Bahrain, Morocco and Egypt. The US is also a customer via the FBI, the military and the Drug Enforcement Agency.”

    So we have companies like CrowdStrike treating X-Agent as uniquely used by the Russian government, a tool that appears to be part of the Hacking Team toolkit that they were selling to governments around the world. Talk about being ‘in the wild’.

    And notice how the FBI, US military, and DEA are all Hacking Team customers. It’s something that would make the absence of something like X-Agent in Vault 7 kind of surprising. It seems like it would be a great piece of malware for obscuring your identity given that Hacking Team has probably been selling to clients for years.

    Posted by Pterrafractyl | January 18, 2018, 3:38 pm
  5. With the “March for our Lives” march in DC in response to the Parkland, FL, shooting at Marjory Stoneman Douglas High School by Nikolas Cruz, a neo-Nazi-inspired former student, turning into a major political event, it’s worth asking what it was about the shooting in Parkland, Florida, that elicited such an exceptionally strong response. And it’s hard to avoid the conclusion that the “law of truly large numbers” played a role: the statistical adage that even improbable events will happen given a large enough sample size. And in the case of the US, if a country has one school shooting after another after another, at some point that “sample” of shot up schools will include a school that has a number of exceptionally articulate students with the charisma necessary to shift the debate and change the public conversation. In other words, the students of Marjory Stoneman Douglas were an inevitability. Thanks to the law of truly large numbers and the truly shockingly large number of school shootings America regularly experiences.

    So given that a plucky band of teenagers has shifted the conversation around gun regulations (or the lack thereof) in the US and led a mass march, perhaps it’s worth noting that the gun debate in the US has a number of eerie parallels with another life and death topic that impacts not just the US but the entire world: the logic of mutually assured destruction and the flaws in that logic that continues to threaten life on Earth.

    Yes, guns and nuclear weapons are pretty much at opposite ends of the ‘tools for violence’ spectrum, but it’s hard to ignore the fact that the arguments used by the most rabid gun proponents from groups like the NRA – arguments like ‘a well armed society is a polite society’ – have a lot in common with the mutually assured destruction (MAD) logic behind the nuclear arms race that continues to this day.

    And tragically, the topic of the perils of mutually assured destruction has become perilously topical now that President Trump has chosen the uber-war hawk John Bolton – a man who never met a preemptive military strike he didn’t like – to become his national security advisor. When John Bolton is the lead guy providing the president of the United States advice on national security matters you can be assured that mutually assured destruction is a lot more likely to actually happen. Or, if not the exchange of nukes, some sort of horrible conventional war, which is, itself, a form of mutually assured destruction when it’s war between military powers.

    And it’s the concerns over someone like John Bolton pushing the US into a major conflict that highlights the fact that, as the following article notes, the logic of mutually assured destruction with weapons of mass destruction is filled with a series of self-destructive paradoxes that undermine that logic. Self-destabilizing dynamics like how the need to assure nuclear second-strike capability inherently leads to an arms race that threatens that second-strike capability. Analogously, the logic behind ‘more guns = less shootings’ is undermined by both the logic that more guns also clearly creates the opportunity for more shootings – especially by suicidal people who don’t care about return fire – and the observation that the US has a gun death epidemic not seen in countries with stronger gun regulations.

    In other words, for both nukes and guns, there is indeed a logic that says ‘more is more’, i.e. more nukes/guns lead to greater overall safety. But there is simultaneously logic that tells us that ‘more is less’ (more guns/nukes makes everyone less safe by creating an endless arms race), ‘less is less’ (fewer guns/nukes makes everyone less safe by encouraging aggressors), and ‘less is more’ (fewer guns/nukes makes everyone safer). All four of these logical conclusions co-exist simultaneously. It’s a genuine paradox.

    And as the article also notes, we are increasingly living in a world governed by paradoxes and where overcoming these paradoxes can only happen when we both acknowledge these paradoxes and accept that the ‘less is more’ logic really is the only sustainable dynamic that can work in the long run. There’s no risk-free path forward for humanity when it comes to how we collectively ‘keep the peace’, whether it’s at an interpersonal level or international level. An endless arms race carries obvious risks for humanity. But so does mass disarmament simply because one or more parties might suddenly arm themselves and take over or just wipe their adversaries out. ‘More is more’ and ‘less is more’. Paradoxically.

    But that doesn’t mean the very different paths forward inherent in that paradox have equal risks, especially when you consider the kinds of scenarios that become ever more likely when you think about the ‘law of truly large numbers’ and highly improbable events becoming just a matter of time. And that means we need to deal with this paradox inherent in dealing with both guns and weapons of mass destruction by asking ourselves which highly improbable events do we want to risk happening: for guns in the US, where ‘defending against a tyrannical government’ is often used as a justification for civilians owning military-grade weapons, do we want to continue flooding the US with weapons – which guarantees a steady rate of gun deaths – and risk an armed civil conflict or an insurrection by heavily armed reactionary forces? Because that’s the risk being courted by current gun policies. Or is it better to dramatically reduce or eliminate civilian access to guns and run the risk that some future tyrannical government will subjugate the populace? Part of dealing with the paradoxes inherent in the gun debate is asking which of those risks is the bigger risk.

    Similarly, for weapons of mass destruction, which risk is greater: the risk that mutually assured destruction actually happens if humanity continues down the path of this endless arms race of ever more powerful offensive and defensive capabilities? Or is it a greater risk for countries to collectively ban weapons of mass destruction, risking the possibility of a rogue actor obtaining them and effectively blackmailing the world? Which of those risks does humanity want to court?

    These are the kinds of paradoxes that humanity has to increasingly deal with as technology injects more and more destructive into societies and into global geopolitical realities. And if humanity is going to survive this age of ‘rule by paradox’ we’re going to have to come to grips with the fact that these paradoxes exist and that the ‘less is more’ logic really is the lowest risk approach in the long run, whether we’re talking about guns or nukes:

    The Huffington Post

    Regulating Guns: The Social Equivalent of MAD (Mutually Assured Destruction)

    By Ian I. Mitroff
    01/19/2016 03:38 pm ET Updated Jan 19, 2017

    In the 1950s, at the height of the cold war, the U.S. and the Soviet Union realized that their huge nuclear arsenals gave rise to a fundamental paradox: they existed for the prime purpose of preventing their use.

    To protect their missiles, both sides loaded them on submarines that were capable of hiding indefinitely in the vast oceans of the world. In this way, the side that was attacked first would always have enough missiles to retaliate, if not destroy, the other side. Since the situation was completely symmetrical, nuclear weapons existed for the prime purpose of assuring that neither side would start a nuclear war that no one could win. This was enshrined in the doctrine of Mutually Assured Destruction, or MAD, an apt acronym if there ever was one.

    Unfortunately, MAD was not the only paradox that enveloped nuclear weapons.

    Both sides protected their land-based nuclear missiles by putting them in silos buried in the ground. Covering the silos with massive amounts of concrete offered further protection. More concrete led to greater or more felt security. In pithy terms, More Led to More.

    But putting more concrete only encouraged both sides to load multiple warheads onto their missiles so they could more easily penetrate the silos. More concrete threatened the other side more and led to an arms race, i.e., More Led to Less.

    It occurred that less concrete would threaten one’s adversary less and thus lead to greater felt security, i.e., Less Leads to More.

    But, since it made no sense to have zero or fewer numbers of nuclear missiles than one’s adversaries, less missiles led to less felt security, i.e., Less Led to Less.

    More Leads to More and Less Leads to Less are the two primary modes of thinking that have prevailed for thousands of years. An army with greater numbers of soldiers could generally defeat an army with fewer. But because of their enormous destructive power, nuclear weapons altered these long standing tenets. The side with more nukes was not necessarily superior.

    The biggest paradox of all was due to the fact that thinking about nuclear weapons was constantly cycling through all four modes simultaneously. Underlying all of them is the fact that at some point what’s good in the small becomes bad in the large. That is, bigness turns back on itself.

    Consider the highly contentious issue of guns. The U.S. has roughly 5 percent of the world’s population, but 40 percent of the guns. If more guns were the answer, then the U.S. would be the safest planet on the globe, which it is not, i.e., More Has Led to Less. More Guns Has Led to More Mass Shootings (i.e., Less). We are in the grips of a self-imposed form of MAD.

    Increasingly, we live in a world where every aspect is governed by paradox. To survive, let alone prosper, means not only recognizing the basic existence of paradox, but that in many cases, Less Is More. How many more mass shootings will it take for us to finally realize that More Is Not Always Better, and to act on this fundamental realization?

    ———-

    “Regulating Guns: The Social Equivalent of MAD (Mutually Assured Destruction)” by Ian I. Mitroff; The Huffington Post; 01/19/2016

    “Unfortunately, MAD was not the only paradox that enveloped nuclear weapons.”

    It is indeed unfortunate. The paradoxes of mutual assured destruction – where the necessity of assuring destruction leads to an endless arms race – aren’t the only paradoxes associated with nuclear weapons. There are also the paradoxes associated with not having doomsday weapons. And these paradoxes are mutually justifying. The risks of world peace are used to justify global militarization and vice versa. It’s a fascinating moral conundrum that could destroy us all if mishandled:


    Both sides protected their land-based nuclear missiles by putting them in silos buried in the ground. Covering the silos with massive amounts of concrete offered further protection. More concrete led to greater or more felt security. In pithy terms, More Led to More.

    But putting more concrete only encouraged both sides to load multiple warheads onto their missiles so they could more easily penetrate the silos. More concrete threatened the other side more and led to an arms race, i.e., More Led to Less.

    It occurred that less concrete would threaten one’s adversary less and thus lead to greater felt security, i.e., Less Leads to More.

    But, since it made no sense to have zero or fewer numbers of nuclear missiles than one’s adversaries, less missiles led to less felt security, i.e., Less Led to Less.

    More Leads to More and Less Leads to Less are the two primary modes of thinking that have prevailed for thousands of years. An army with greater numbers of soldiers could generally defeat an army with fewer. But because of their enormous destructive power, nuclear weapons altered these long standing tenets. The side with more nukes was not necessarily superior.

    We need nukes because if we don’t have them we’ll be helpless towards nuclear blackmail. But once one nation has nukes, every other one is going to want them and there will be an endless arms race that can only end in doom. It’s a grim nest of intertwined paradoxes that happens to be a major test for humanity.

    And as the article noted at the end, recognizing these nested, mutually-justifying


    Increasingly, we live in a world where every aspect is governed by paradox. To survive, let alone prosper, means not only recognizing the basic existence of paradox, but that in many cases, Less Is More. How many more mass shootings will it take for us to finally realize that More Is Not Always Better, and to act on this fundamental realization?

    The ability to recognize situations where Less is More and collectively give us access to a technology might be a basic ingredient for surviving technology. And acquiring that ability requires humanity collectively acknowledge such paradoxes exist. But at that point we have to make a choice. A fateful choice because these paradoxes point in VERY different directions. Peace through endless arms races? Or peace through endless mutual commitments to peace and the mutual reduction in the tools of violence that are available to everyone coupled with creating the kind of world where only the insane would feel the need to resort to violence. Build a great world or build a lot of bombs and guns. That’s one of the fundamental questions at the heart of the guns and nukes policy debates. It’s the same nest of paradoxes.

    And as the article suggests, when you look at all the ways ‘more (tools of mass violence) is more (peace and prosperity)’ breaks down, it’s hard to avoid the conclusion that ‘less (tools of mass violence) is more (peace and prosperity)’ is clearly the best path forward. Yes, it’s not a perfect path. There are still risks associated with mutual disarmament. But they are preferable risks compared to the alternative, whether it’s nukes or guns.

    Yes, mutually assured destruction has ‘kept the WMD peace’ so far. The US and the Soviets didn’t nuke each other. But let’s not forget that there have been quite a few near misses over the decades, where simple mistakes and human error almost led to a full-scale nuclear exchange. That really almost happened. Repeatedly. How’s that kind of dynamic going to turn out when the ‘law of truly large numbers’ takes effect?

    And as the United States, which owns 40 percent of the world’s guns, has amply demonstrated to the world on the gun issue, more guns have most assuredly resulted in more deaths. It’s been mutually assured destruction on an interpersonal scale and the result has been a lot of destruction:


    Consider the highly contentious issue of guns. The U.S. has roughly 5 percent of the world’s population, but 40 percent of the guns. If more guns were the answer, then the U.S. would be the safest planet on the globe, which it is not, i.e., More Has Led to Less. More Guns Has Led to More Mass Shootings (i.e., Less). We are in the grips of a self-imposed form of MAD.

    So, with that parallel paradox between guns and weapons of mass destruction in mind, it’s worth noting that the kind of focus the US suddenly has on the gun issue really needs to happen on the WMD issue too. They’re part of the same meta-issue of how we deal with our capacity for violence. It’s ‘the talk’ for a society with free will. And that talk needs to collectively happen for both guns and nukes because as the following article describes, there is growing concern in the national security sector that the paradoxical logic of mutually assured destruction that has kind of kept the peace in the nuclear age is about to fall apart.

    What’s breaking the logic of MADness? Well, that has to do with the fact that the doctrine of mutually assured destruction has long co-existed with the goals of individual nuclear powers to achieve nuclear dominance, i.e. the capability to carry out a nuclear strike without fear of reprisal. Or the capability of simply stopping a lone missile from a rogue regime. Those kinds of defensive capabilities that inevitably disrupt the logic of MADness appear to have reached the point where it’s very possible that mutually assured destruction might not be mutually assured in the future.

    Thanks to emerging defensive technologies – like functional missile defense, the Conventional Prompt Global Strike program, a US initiative to develop missiles tipped with conventional weapons designed to take down nuclear facilities anywhere in the world in under an hour, and cyber capabilities that incapacitate or take over the command-and-control infrastructure of adversaries – it’s going to be feasible for a nuclear power to cripple an adversary’s second-strike capabilities. And if an adversary can’t guarantee a retaliatory second strike there’s no longer any mutual assurance of destruction. And when there’s no mutually assured destruction, the law of truly large numbers starts getting very scary in a heavily armed world. Effective nuclear defenses make the use of nukes more and more likely. It’s a reminder that one of the greatest risks of relying on mutually assured destruction to avoid mutually assured destruction is that those mutual assurances can’t necessarily be assured, which is why MADness in a world where nuclear dominance is also a goal is truly madness in the long run:

    The Economist

    Why nuclear stability is under threat

    Mutually assured destruction has served as the ultimate deterrent, but for how much longer?

    Jan 25th 2018

    NUCLEAR WEAPONS, LIKE the poor, seem likely always to be with us. Even though arms-control agreements between America and the Soviet Union, and then Russia, have drastically reduced overall numbers, both countries are committed to costly long-term modernisation programmes for their strategic nuclear forces that should ensure their viability for the rest of the century.

    Russia is about halfway through recapitalising its strategic forces, which include a soon-to-be-deployed road-mobile intercontinental ballistic missile (ICBM); a new heavy ICBM; eight new ballistic-missile submarines (SSBNs), most of which will be in service by 2020; upgraded heavy bombers; and a new stealth bomber able to carry hypersonic cruise missiles. America will replace every leg of its nuclear triad over the next 30 years, at an estimated cost of $1.2trn. There will be 12 new SSBNs; a new penetrating strike bomber, the B21; a replacement for the Minuteman III ICBMs; and a new long-range air-launched cruise missile. As Tom Plant, a nuclear expert at RUSI, a think-tank, puts it: “For both Russia and the US, nukes have retained their primacy. You only have to look at how they are spending their money.”

    Other states with nuclear weapons, such as China, Pakistan, India and, particularly, North Korea, are hard at work to improve both the quality and the size of their nuclear forces. Iran’s long-term intentions remain ambiguous, despite the deal in 2015 to constrain its nuclear programme. Nuclear weapons have lost none of their allure or their unique ability to inspire dread. Whether or not they are ever used in anger, they are very much part of the future of warfare.

    So far, the best argument for nuclear weapons has been that the fear of mutually assured destruction (MAD) has deterred states that possess them from going to war with each other. MAD rests on the principle of a secure second-strike capability, which means that even if one side is subjected to the most wide-ranging first strike conceivable, it will still have more than enough nuclear weapons left to destroy the aggressor. When warheads became accurate enough to obliterate most of an adversary’s missiles in their silos, America and Russia turned to submarines and mobile launchers to keep MAD viable.

    A more dangerous world

    It still is, and is likely to remain so for some time. But disruptive new technologies, worsening relations between Russia and America and a less cautious Russian leadership than in the cold war have raised fears that a new era of strategic instability may be approaching. James Miller, who was under-secretary of defence for policy at the Pentagon until 2014, thinks that the deployment of increasingly advanced cyber, space, missile-defence, long-range conventional strike and autonomous systems “has the potential to threaten both sides’ nuclear retaliatory strike capabilities, particularly their command-and-control apparatuses”, and that “the potential of a dispute leading to a crisis, of a crisis leading to a war, and of a war escalating rapidly” is growing.

    In a new report, Mr Miller and Richard Fontaine, the president of the Centre for a New American Security (CNAS), identify cyber and counter-space (eg, satellite jammers, lasers and high-power microwave-gun systems) attacks as possible triggers for an unplanned conflict. Other new weapons may threaten either side’s capability for nuclear retaliation, particularly their strategic command-and-control centres. James Acton, a nuclear-policy expert at the Carnegie Endowment for International Peace, lists three trends that could undermine stability in a future crisis: advanced technology that can threaten the survivability of nuclear attacks; command-and-control systems that are used for both nuclear and conventional weapons, leaving room for confusion; and an increased risk of cyber attacks on such systems because of digitisation.

    Both America and Russia rely heavily on digital networks and space-based systems for command, control, communications, intelligence, surveillance and reconnaissance (C3ISR) to run almost every aspect of their respective military enterprises. Cyber space and outer space therefore offer attackers tempting targets in the very early stages of a conflict. In the utmost secrecy, both sides have invested heavily in offensive cyber capabilities. In 2013 the Defence Science Board advised the Pentagon that: “The benefits to an attacker using cyber exploits are potentially spectacular. Should the United States find itself in a full-scale conflict with a peer adversary, attacks would be expected to include denial of service, data corruption, supply-chain corruption, traitorous insiders, kinetic and related non-kinetic attacks at all altitudes from under water to space. US guns, missiles and bombs may not fire, or may be directed against our own troops. Resupply, including food, water, ammunition and fuel, may not arrive when or where needed. Military commanders may rapidly lose trust in the information and ability to control US systems and forces.”

    One problem with this is that the space architecture on which America depends for its nuclear command and control, including missile early warning, is also used for conventional warfare. That means a conventional attack might be mistaken for a pre-emptive nuclear strike, which could lead to rapid escalation. Another difficulty is that an aggressor may be tempted to go after cyber and space assets in the hope of causing major damage to a target’s defences without actually killing anybody. That would raise doubts over whether nuclear retaliation could be justified. A third worry is that because of the potential speed and surprise of such attacks, some responses might be delegated to autonomous systems that can react in milliseconds. Lastly, there is the possibility of “false flag” cyber operation by a rogue state or non-state hacker group.

    Don’t worry just yet

    For now, the prospects of a successful disarming strike remain sufficiently remote to leave the strategic balance intact. Mr Miller argues that it would require a “fundamental transformation in the military-technological balance…enabled by the development and integration of novel military capabilities” to upset the balance.

    Ominously, he thinks that such a fundamental transformation may now be on the horizon, in the shape of conventional prompt global strike (CPGS) and new missile-defence systems. Both China and Russia fear that new American long-range non-nuclear strike capabilities could be used to deliver a disarming attack on a substantial part of their strategic forces or decapitate their nuclear command and control. Although they would still launch their surviving nuclear missiles, improved missile-defence systems would mop up most of the remainder before their warheads could do any damage.

    Still, Michael Elleman, a missile expert at the International Institute for Strategic Studies, reckons that for now those concerns are overblown. As much as anything, he says, they are talked up to restrain investment in the enabling technologies: “They [the Russians and the Chinese] are saying to the US, the trouble with you guys is that you never know when to stop.”

    CPGS would involve a hypersonic missile at least five times faster than the speed of sound and a range of more than 1,000 miles. This could be achieved in several ways. One would be to stick a conventional warhead on an ICBM or a submarine-launched ballistic missile—a cheap solution but a dangerous one, because defenders would not know whether they were under conventional or nuclear attack, so they might overreact.

    Current American missile-defence systems, such as Patriot, THAAD (terminal high-altitude area defence) and Aegis, provide quite effective regional defence but are not designed to cope with a salvo of ICBMs. The Ground-based Midcourse Defence system in Alaska and California is supposed to provide some defence of the homeland against a few missiles launched by a North Korea or an Iran, but it was never designed to defeat a massive salvo attack by a major adversary.

    However, substantial improvements are on their way. Mr Elleman describes the SM-3 IIA interceptors, which could be deployed as soon as next year on Aegis-class destroyers, as a “big deal”. They are much faster than their predecessors, and Mr Miller thinks that if hundreds of them were put on ships close to America, they might support a late midcourse defence against Russian ICBMs.

    More exotic missile defences are not far behind. Mr Elleman says that in about five years’ time it may be possible to put solid-state lasers on large numbers of unmanned aerial vehicles (UAVs) orbiting at very high altitude. Small missiles could also be put on UAVs as boost-phase interceptors, firing a minute or so after launch. Interception at that stage is technically much easier than later on because the target is much larger when all its stages are still intact, and moving more slowly.

    Mr Elleman believes that for now the advantage is likely to remain with the attacker rather than the defender, but like Mr Miller he fears that emerging technologies could “undermine crisis stability very rapidly”. Yet if arms-control agreements could be reached at the height of the cold war, it should surely be possible for America, Russia and China to talk to each other now to avoid persistent instability.

    ———-

    “Why nuclear stability is under threat”; The Economist; 01/25/2018

    “So far, the best argument for nuclear weapons has been that the fear of mutually assured destruction (MAD) has deterred states that possess them from going to war with each other. MAD rests on the principle of a secure second-strike capability, which means that even if one side is subjected to the most wide-ranging first strike conceivable, it will still have more than enough nuclear weapons left to destroy the aggressor. When warheads became accurate enough to obliterate most of an adversary’s missiles in their silos, America and Russia turned to submarines and mobile launchers to keep MAD viable.”

    The entire premise of MAD rests on the principle of a secure second-strike capability. And yet there’s no reason to assume that second-strike capability can be assured because there’s no assurance that a technology that subverts that second-strike capability won’t be developed. Especially when the major nuclear powers are constantly working on developing those capabilities. Capabilities that increasingly include cyber attacks taking over command-and-control systems thanks to the increasing digitisation of the systems that control nuclear arsenals:


    A more dangerous world

    It still is, and is likely to remain so for some time. But disruptive new technologies, worsening relations between Russia and America and a less cautious Russian leadership than in the cold war have raised fears that a new era of strategic instability may be approaching. James Miller, who was under-secretary of defence for policy at the Pentagon until 2014, thinks that the deployment of increasingly advanced cyber, space, missile-defence, long-range conventional strike and autonomous systems “has the potential to threaten both sides’ nuclear retaliatory strike capabilities, particularly their command-and-control apparatuses”, and that “the potential of a dispute leading to a crisis, of a crisis leading to a war, and of a war escalating rapidly” is growing.

    In a new report, Mr Miller and Richard Fontaine, the president of the Centre for a New American Security (CNAS), identify cyber and counter-space (eg, satellite jammers, lasers and high-power microwave-gun systems) attacks as possible triggers for an unplanned conflict. Other new weapons may threaten either side’s capability for nuclear retaliation, particularly their strategic command-and-control centres. James Acton, a nuclear-policy expert at the Carnegie Endowment for International Peace, lists three trends that could undermine stability in a future crisis: advanced technology that can threaten the survivability of nuclear attacks; command-and-control systems that are used for both nuclear and conventional weapons, leaving room for confusion; and an increased risk of cyber attacks on such systems because of digitisation.

    And this risk of cyber attacks is so great that the Defence Science Board advised the Pentagon in 2013 that “The benefits to an attacker using cyber exploits are potentially spectacular,” potentially including the possibility of turning a nation’s nuclear arsenal against itself:


    Both America and Russia rely heavily on digital networks and space-based systems for command, control, communications, intelligence, surveillance and reconnaissance (C3ISR) to run almost every aspect of their respective military enterprises. Cyber space and outer space therefore offer attackers tempting targets in the very early stages of a conflict. In the utmost secrecy, both sides have invested heavily in offensive cyber capabilities. In 2013 the Defence Science Board advised the Pentagon that: “The benefits to an attacker using cyber exploits are potentially spectacular. Should the United States find itself in a full-scale conflict with a peer adversary, attacks would be expected to include denial of service, data corruption, supply-chain corruption, traitorous insiders, kinetic and related non-kinetic attacks at all altitudes from under water to space. US guns, missiles and bombs may not fire, or may be directed against our own troops. Resupply, including food, water, ammunition and fuel, may not arrive when or where needed. Military commanders may rapidly lose trust in the information and ability to control US systems and forces.”

    And, of course, this 2013 study also recognized the possibility that these cyber vulnerabilities could be exploited by a third party as part of a false flag attack. Imagine a false flag cyber attack involving turning a nation’s nuclear forces against itself. Or against another nation. That’s the kind of situation we have to worry about. Increasingly:


    One problem with this is that the space architecture on which America depends for its nuclear command and control, including missile early warning, is also used for conventional warfare. That means a conventional attack might be mistaken for a pre-emptive nuclear strike, which could lead to rapid escalation. Another difficulty is that an aggressor may be tempted to go after cyber and space assets in the hope of causing major damage to a target’s defences without actually killing anybody. That would raise doubts over whether nuclear retaliation could be justified. A third worry is that because of the potential speed and surprise of such attacks, some responses might be delegated to autonomous systems that can react in milliseconds. Lastly, there is the possibility of “false flag” cyber operation by a rogue state or non-state hacker group.

    But it’s not just the risk of cyber attacks that has some national security experts increasingly concerned that the balance of MADness might be breaking down. Defensive capabilities like the conventional prompt global strike (CPGS) program don’t just threaten rogue regimes like North Korea. They also potentially threaten the second-strike capabilities of nations with large nuclear forces like Russia and China:


    Don’t worry just yet

    For now, the prospects of a successful disarming strike remain sufficiently remote to leave the strategic balance intact. Mr Miller argues that it would require a “fundamental transformation in the military-technological balance…enabled by the development and integration of novel military capabilities” to upset the balance.

    Ominously, he thinks that such a fundamental transformation may now be on the horizon, in the shape of conventional prompt global strike (CPGS) and new missile-defence systems. Both China and Russia fear that new American long-range non-nuclear strike capabilities could be used to deliver a disarming attack on a substantial part of their strategic forces or decapitate their nuclear command and control. Although they would still launch their surviving nuclear missiles, improved missile-defence systems would mop up most of the remainder before their warheads could do any damage.

    Still, Michael Elleman, a missile expert at the International Institute for Strategic Studies, reckons that for now those concerns are overblown. As much as anything, he says, they are talked up to restrain investment in the enabling technologies: “They [the Russians and the Chinese] are saying to the US, the trouble with you guys is that you never know when to stop.”

    CPGS would involve a hypersonic missile at least five times faster than the speed of sound and a range of more than 1,000 miles. This could be achieved in several ways. One would be to stick a conventional warhead on an ICBM or a submarine-launched ballistic missile—a cheap solution but a dangerous one, because defenders would not know whether they were under conventional or nuclear attack, so they might overreact.

    And if that capability to rapidly take out nuclear launch strikes fails, the technology to take even waves of ICBMs out after they’re launched is also improving:


    Current American missile-defence systems, such as Patriot, THAAD (terminal high-altitude area defence) and Aegis, provide quite effective regional defence but are not designed to cope with a salvo of ICBMs. The Ground-based Midcourse Defence system in Alaska and California is supposed to provide some defence of the homeland against a few missiles launched by a North Korea or an Iran, but it was never designed to defeat a massive salvo attack by a major adversary.

    However, substantial improvements are on their way. Mr Elleman describes the SM-3 IIA interceptors, which could be deployed as soon as next year on Aegis-class destroyers, as a “big deal”. They are much faster than their predecessors, and Mr Miller thinks that if hundreds of them were put on ships close to America, they might support a late midcourse defence against Russian ICBMs.

    More exotic missile defences are not far behind. Mr Elleman says that in about five years’ time it may be possible to put solid-state lasers on large numbers of unmanned aerial vehicles (UAVs) orbiting at very high altitude. Small missiles could also be put on UAVs as boost-phase interceptors, firing a minute or so after launch. Interception at that stage is technically much easier than later on because the target is much larger when all its stages are still intact, and moving more slowly.

    And yet, as the article concludes, as much as the situation appears to point towards increasing destabilization of the current MAD status quo, there is one very obvious answer: arms-control treaties designed to break the arms race cycle. And if arms-control treaties could be reached at the height of the cold war, surely it should be possible today:


    Mr Elleman believes that for now the advantage is likely to remain with the attacker rather than the defender, but like Mr Miller he fears that emerging technologies could “undermine crisis stability very rapidly”. Yet if arms-control agreements could be reached at the height of the cold war, it should surely be possible for America, Russia and China to talk to each other now to avoid persistent instability.

    Arms-control to end the otherwise endless arms race. It’s pretty much the only answer. Less is more. At least, arms control treaties are the only realistic answer when it comes to dealing with the arms race.

    But as we saw, even if a global arms control treaty was miraculously established and the nuclear arms race that threatens the stability of mutually assured destruction was ended, and even if the major nuclear powers miraculously agreed to not develop capabilities like the conventional prompt global strike system or advanced missile defense – systems whose existence is hard to keep a secret – there’s still the possibility that nations will secretly develop those cyber capabilities to neutralize an adversary’s command-and-control systems. In other words, arms control treaties are no replacement for disarmament. Yes, arms-control treaties are still clearly a big step in the right direction, but significant risks remain as long as humanity is still pointing a giant collection of nuclear weapons at each other.

    And yet we have to acknowledge that even if all of the nuclear powers agreed to completely disarm themselves there’s no guarantee everyone will agree to abide by it. Especially rogue governments or private parties. The Underground Reich and other terror groups would presumably like a nuclear arsenal of their own. Disarmament doesn’t preclude rearmament. Or secret arsenals. Or the emergence of future technologies of mass destruction that are unimaginable. In other words, less is potentially less. At least under some worst case scenarios.

    It’s also worth considering a world that contains ample nuclear defensive measures paired with a commitment to disarmament. Imagine a world where every nation agrees to both destroy their nuclear arsenals while simultaneously agreeing to build a really, really comprehensive global missile defense system. Literally a globally administered anti-missile system set up just in case someone breaks the treaty. Less is clearly more in that situation. Especially because no arms race makes it a lot harder for rogue actors to develop their own weapons of mass destruction since they’re generally going to be just trying to copy technology developed by others.

    But there’s still no denying that missiles are the only way to deliver a nuclear device or some other weapon of mass destruction. As long as the technological know-how exists to develop nuclear weapons it’s hard to imagine a system that truly guarantees nuclear security. MADness can break down, but so can World Peace. There are no guarantees. Only educated guesses about risk profiles.

    So perhaps it’s worth acknowledging that collective disarming is a form of mutual assurance too. But it’s not a guaranteed assurance, just like mutually assured destruction. No path is perfect and all contain existential risks. It’s a question of which existential risks you want to collectively incur.

    Mutually assured destruction just might result in mutual destruction. And mutually assured peace might result in treachery, betrayal, and the takeover of societies committed to non-violence by the kind of people that would use violence to control or destroy the non-violent (i.e. the worst kind of people). Again, it’s part of the paradox. A paradox that extends from guns to nukes and beyond. And a paradox that gets very difficult to wrap your head around when you start factoring in the law of truly large numbers. Improbable things happen. Including improbable catastrophes. There’s no perfect path. And it’s really hard to change paths, and the longer you remain on that path the more the law of truly large numbers comes in, so you better choose that path wisely. Mutually assured destruction might blow up the world and mutually assured peace might result in the takeover by very horrible violent people.

    It’s all a reminder that the gun regulation debate currently gripping the US is inextricably tied to the much larger debate of how on earth we live with that paradox. The ‘more is more’ and ‘more is less’ and ‘less is less’ and ‘less is more’ paradox. A paradox that includes the question of how we are to live with the future super weapons of mass destruction that haven’t even been conceived of yet. How are we to best protect against that? Create super-duper anti-WMD defense systems?

    It’s also a reminder that we don’t just need world peace. We need very well thought out systems for maintaining world peace and keeping EVERYONE satisfied. Everyone, with the exception of inevitable people who are going to try to break the peace for whatever reason.

    How do we build sustainable world peace? It’s a question that’s at the heart of both the gun debate and the WMD policy debate. Even if we aren’t asking it, that question really is at the heart of it. Because weapons of mass destruction and guns and all other tools for killing fall into the category of things where, in a better world, we would ask, “shouldn’t these be banned? Yeah, let’s ban these because this is just obscenely dangerous,” and then all happily give up our guns and nukes and demilitarize and sing the Whoville song. In a better world we would have done that by now. But we’re still an extremely violent species. And still extremely unequal and dominating. And often unempathetic and dangerously misinformed. Which is a reminder that setting the collective goal of creating a society focused on building highly informed citizens for the purpose of making the world operate better for everyone. Maximizing global welfare by striving for an awesome existence for everyone. Non-violently. It’s not just some pie in the sky vision for heaven on Earth. It’s also a great policy solution for how humanity is supposed to deal with guns and doomsday weapons and everything in between. Which would probably look a lot like high-quality socialism. Everywhere.

    So it’s important to remember that if we’re going to have all these guns and nukes we had better have a lot of great socialism for the guns and world peace and prosperity and a global pacifism pact. And eventually global demilitarization because wouldn’t that be awesome. We can create Starfleet Academy at that point.

    Building a better and just world that works for every country and is great for everyone is clearly part of the policy solution for both guns and WMDs for every country. It’s a collective policy solution.

    Is humanity capable of that? Who knows? Humanity is still a confused hominid and prone to all sorts of behavior that becomes catastrophically self-destructive when fueled through technology. Technology really is a blessing and curse for us in large part because we are very prone towards violence and collective stupidity as a species. And that’s a reminder that the ultimate paradox humanity needs to overcome regarding guns, nukes, violence in general and the risk of self-destruction is the question of whether or not humanity can overcome its own nature. We haven’t figured that out yet.

    It’s also all a reminder that one of the fundamental goals of social structures is keeping the peace. Peace is sort of a basic ingredient for a lot of stuff people generally want to do. And you shouldn’t expect security and ‘keeping the peace’ if the social structure intended to do that is widely viewed as lacking legitimacy. That’s why a government and society that works for everyone really is critical for violence control. Gun safety at a national level requires progressive politics, inclusivity, a strong safety net, and opportunity for everyone. And nuke safety requires world peace and a commitment to maintaining it. How do we do that? It’s a good question, but high-quality socialism with a progressive, inclusive society is most assuredly a big part of the answer.

    And yes, there is a risk that world peace won’t be taken seriously, but it’s also very possible that not taking it seriously is the greatest risk of all. Is humanity capable of overcoming its own violent domineering nature? We’ll see. Plucky bands of charismatic teenagers may be required.

    Posted by Pterrafractyl | March 24, 2018, 9:49 pm
  6. Here’s a pair of articles that should be factored into any hacking stories going forward: Remember Hacking Team, the Italian offensive malware firm that was licensed to sell powerful hacking tools to governments around the world, including a number of oppressive governments in the Middle East? And remember how Hacking Team was, itself, hacked in 2015 and had all of its offensive hacking tools released to the public? And remember that story about a security researcher at MalwareBytes who observed that Hacking Team’s leaked code contained some malware with a number of similarities to “X-Agent”, a piece of malware oddly found in the “Fancy Bear” hack of the DNC (odd because X-Agent had previously been found in hacks attributed to “Fancy Bear”, making it a kind of ‘calling card’ if used again in a high-profile hack)?

    Well, here are a couple of updates on what became of Hacking Team after it got hacked and had all its source released: The company did indeed see an exodus of clients, as one might expect. But it didn’t shut down. Instead, it found a new investor. And while the identity of this investor isn’t entirely clear, it’s pretty clear that this mystery investor is the government of Saudi Arabia or someone very close to the government of Saudi Arabia:

    Vice Motherboard

    Hacking Team Is Still Alive Thanks to a Mysterious Investor From Saudi Arabia
    An investor from Saudi Arabia is apparently behind a company that bought a stake in the controversial spyware vendor.

    Lorenzo Franceschi-Bicchierai
    Jan 31 2018, 12:43pm

    The 2015 breach of spyware vendor Hacking Team seemed like it should have ended the company. Hacking Team was thoroughly owned, with its once-secret list of customers, internal emails, and spyware source code leaked online for anyone to see. But nearly three years later, the company trudges on, in large part thanks to a cash influx in 2016 from a mysterious investor who had been publicly unknown until now.

    The hack hurt the company’s reputation and bottom line: Hacking Team lost customers, was struggling to make new ones, and several key employees left. Three years later—after the appearance of this new investor—the company appears to have stopped the bleeding. The company registered around $1 million in losses in 2015, but bounced back with around $600,000 in profits in 2016.

    Motherboard has learned that this apparent recovery is in part thanks to the new investor, who appears to be from Saudi Arabia—and whose lawyer’s name matches that of a prominent Saudi attorney who regularly works for the Saudi Arabian government and facilitates deals between the government and international companies.

    Hacking Team sells hacking and surveillance technologies exclusively to government authorities. And it became infamous for selling its wares to authoritarian regimes such as Ethiopia, Sudan, Kazakhstan, and Bahrain, among others.

    According to financial records obtained by Motherboard, a company based in Cyprus called Tablem Limited took control of 20 percent of the equity of Hacking Team as of 2016, equivalent to around 44,000 euros (about $55,000) of the company’s total nominal share value, which at the time was 223,572 euros (around $280,000). This investment came a few months after the damaging hack, when the 15-year-old company was hitting rock bottom and its enduring survival seemed unlikely.

    Hacking Team co-founder David Vincenzetti owns the other 80 percent of the company, according to the records.

    WHO IS BEHIND TABLEM LIMITED?

    The reason why Saudi investors, and by proxy, the Saudi Arabian government might have still been interested in Hacking Team’s surveillance technology even after the hack can be explained by the geopolitics of the region. The Saudi government is in the middle of a messy transition, and its rulers are worried about terrorism, Iran, and dissidents among their own citizens, giving them plenty of reason to seek surveillance tools.

    Ever since the Arab Spring, the country’s ruling class has expanded its crackdown on freedom of expression, according to Amnesty International’s researcher May Romanos.

    “What drives this crackdown is fear of dissent, fear of political opponents and fear of freedom of expression,” Romanos told me in a phone call, adding that Amnesty has heard reports of activists having their email accounts hacked.

    Lucie Krahulcova, a policy analyst at Access, a digital rights NGO, told me that “there is evidence that Saudi Arabia imported internet surveillance systems capable of carrying out mass surveillance,” and Access has lobbied for stronger controls to stop European companies from exporting tech to countries like Saudi Arabia, who target journalists and human rights defenders.

    “They are even more at risk when the authorities have access to technologies that can turn people’s devices into tools of repression,” she added in an email.

    In November of last year, the Saudi government set up a new cybersecurity authority, and government officials have stepped up their rhetoric against dissidents and in favor of online monitoring.

    In mid 2016, Italian media reported that several Hacking Team investors had stepped away, and that Tablem Limited had stepped in. But at that time no one knew exactly who was behind this company.

    Hacking Team’s end of year statement from 2016 (the last financial cycle available online) is accompanied by a copy of the minutes of the shareholders meeting of May 8, 2017. This document, provided to the Italian government and reviewed by Motherboard, finally reveals the names behind the mysterious company.

    The document mentions someone named Abdullah Al-Qahtani (spelled both that way, as well as “Alghatani” in a different section of the documents) as the director of Tablem Limited.

    According to the document, Abdullah Al-Qahtani was not present for the May meeting at Hacking Team’s headquarters in Milan, but he appointed a lawyer named Khalid Al-Thebity to act as a representative of Tablem Limited. Al-Thebity is a prominent Saudi lawyer who has done work for the Saudi Arabian government for years. Though the Italian government documents name Al-Thebity as Abdullah Al-Qahtani’s lawyer, Motherboard tried multiple times to reach Al-Thebity and his law firm, Squire Patton Boggs, to discuss his involvement but received no response.

    Al-Thebity’s public bio and resume, as well as quotes he’s given to other publications, suggest that he regularly works with the Saudi Arabian government to facilitate the entry of international companies into the country.

    “Our strategy’s to continue to represent the government and to focus on representing major Saudi corporations,” Al-Thebity told The Lawyer magazine in a 2011 article. “We work closely with international corporations entering the market.”

    Al-Thebity has “been representing the Government of Saudi Arabia on several international law matters since 1996,” reads his online bio. According to Squire Patton Boggs, his law firm, Al-Thebity has “represented the Ministry of Communications and Information Technology on the drafting of privacy and data protection legislation.”

    Using open-source online information, it’s difficult to tell exactly who Abdullah Al-Qahtani is, or even where he’s from. But people familiar with Hacking Team and business records point to his association with Saudi Arabia’s government.

    “The Saudi government wanted tools to do espionage on its own citizens,” said a former Hacking Team employee who asked to remain anonymous because he was still barred from talking about his ex-employer. “There’s the Saudi government behind it, the money comes from them.”

    “They were on the brink of bankruptcy, and that’s when David [Vincenzetti] sold his soul to the Saudis to save the company,” he added.

    Vincenzetti told me in a text message that he isn’t sure who Abdullah Al-Qahtani or Khalid Al-Thebity really are.

    “The Saudi government is opaque even for me,” Vincenzetti told me. “I don’t have visibility in the role nor the activities of this person in Saudi [Arabia].”

    He then declined to answer any further questions: “I can’t release any comment about this,” he said.

    The Al-Qahtani who appears in Hacking Team’s documents is working for the Al-Qahtani Group, also known as Abdel Hadi Abdullah Al-Qahtani & Sons Co., a conglomerate based in Dammam, Saudi Arabia, according to a source who’s familiar with the Italian spyware market. Emails sent to the Al-Qahtani group bounced back.

    Abdullah Al-Qahtani could not be reached for comment at the phone number listed on Tablem Limited’s public records, which notes that the company specializes in “exports.” The number appeared to belong to a company called Nobel Trust Limited, a financial consulting firm. When we called, a woman identified herself as working for Nobel Trust. When asked if we could speak with a representative of Tablem Limited, she hung up and put through a voicemail message saying Nobel Trust was closed at the moment.

    SAUDI ARABIA AND HACKING TEAM

    Saudi Arabian interest in Hacking Team is well documented.

    Saudi government agencies have purchased Hacking Team’s spyware since 2010, according to documents leaked by the hacker who broke into the company in 2015.

    H.E. Saud Al-Qahtani, the country’s royal court advisor who specializes in online surveillance, was directly in touch with Hacking Team’s top brass in 2015, according to leaked emails.

    “Considering your esteemed reputation and professionalism, we here at the Center for Media Monitoring and Analysis at the Saudi Royal Court (THE King Office) would like to be in productive cooperation with you and develop a long and strategic partnership,” H.E. Saud Al-Qahtani wrote in an email to Hacking Team.

    H.E. Saud Al-Qahtani is reportedly close to the controversial young crown prince Mohammed bin Salman. H.E. Saud Al-Qahtani has been accused by a prominent local journalist of being an internet troll who tries to frighten dissidents online, and he recently tweeted a veiled threat to put anyone who conspires against the Arab countries on a “blacklist.”

    “The man has transgressed a lot,” Saudi writer Turki al-Ruqi, the founder of Al-Wi’am newspaper, wrote in an article last year that H.E. Saud Al-Qahtani has used hackers to target critics of the royal family. “Many of the country’s young men have been his victims.”

    We were unable to establish any link between H.E. Saud Al-Qahtani and the Abdullah Al-Qahtani who heads Tablem Limited and invested in Hacking Team.

    H.E. Saud Al-Qahtani was recently named head of the Saudi Federation for Cybersecurity and Programming. He did not respond to multiple requests for comment sent over the course of a week.

    After the Hacking Team hack, news reports indicated that the Saudi government—through local businessmen—was interested in acquiring a majority stake in Hacking Team as early as 2013.

    Then, in early 2016, there were new talks for a potential acquisition, but just like the first ones, the investment didn’t go through. Then, later in 2016, the long-time Italian investors who had shares in the company stepped out, and Vincenzetti increased his shares while also welcoming a new investment from Abdullah Al-Qahtani’s Tablem Limited.

    After Abdullah Al-Qahtani’s investment, employees all of a sudden got a salary increase, which was designed to stop them from leaving the company, as many had done after the hack, according to former Hacking Team employees who are still aware of goings on at the company. In 2015, at the time of the hack, the company had 45 employees, according to an undated leaked document that lists all the company’s employees. As of September of 2017, the company has 31 employees, up from 26 at the beginning of last year, according to the financial documents.

    Abdullah Al-Qahtani’s investment in Hacking Team might have been a way to go from being simple customers to having a voice in shaping the direction of the company. Hacking Team’s financial woes might have worked to the investor’s advantage, proving to be a cheap opportunity to acquire technology that still works to spy in many cases, people familiar with Hacking Team’s products told me.

    The Saudi Arabia government might have seen in Hacking Team an opportunity to step up its capabilities, as other gulf states are also heavily investing in internet surveillance and hacking.

    “Given how much the United Arab Emirates have invested in the technology, the Saudis wanted to do the same,” the second former Hacking Team employee told me, referring to Dark Matter, a fledgling—and controversial—Dubai-based surveillance and hacking company that’s been hiring former CIA agents and NSA hackers to bolster the country’s surveillance apparatus.

    ———-

    “Hacking Team Is Still Alive Thanks to a Mysterious Investor From Saudi Arabia” by Lorenzo Franceschi-Bicchierai; Vice Motherboard; 01/31/2018

    “The hack hurt the company’s reputation and bottom line: Hacking Team lost customers, was struggling to make new ones, and several key employees left. Three years later—after the appearance of this new investor—the company appears to have stopped the bleeding. The company registered around $1 million in losses in 2015, but bounced back with around $600,000 in profits in 2016.

    Three years after getting hacked and humiliated, Hacking Team has stopped the bleeding and is once again profitable. And that sudden turnaround appears to largely be thanks to mysterious new investors. And while it’s unclear who exactly these mystery investors are, documents do include the name “Abdullah Al-Qahtani” (also spelled “Alghatani” in the documents). And the lawyer for Abdullah Al-Qahtani’s investment firm, Cyprus-based Tablem Limited, matches the name of a prominent Saudi attorney who regularly works for the Saudi Arabian government and facilitates deals between the government and international companies: Khalid Al-Thebity:


    Motherboard has learned that this apparent recovery is in part thanks to the new investor, who appears to be from Saudi Arabia—and whose lawyer’s name matches that of a prominent Saudi attorney who regularly works for the Saudi Arabian government and facilitates deals between the government and international companies.

    Hacking Team sells hacking and surveillance technologies exclusively to government authorities. And it became infamous for selling its wares to authoritarian regimes such as Ethiopia, Sudan, Kazakhstan, and Bahrain, among others.

    According to financial records obtained by Motherboard, a company based in Cyprus called Tablem Limited took control of 20 percent of the equity of Hacking Team as of 2016, equivalent to around 44,000 euros (about $55,000) of the company’s total nominal share value, which at the time was 223,572 euros (around $280,000). This investment came a few months after the damaging hack, when the 15-year-old company was hitting rock bottom and its enduring survival seemed unlikely.

    Hacking Team co-founder David Vincenzetti owns the other 80 percent of the company, according to the records.

    In mid 2016, Italian media reported that several Hacking Team investors had stepped away, and that Tablem Limited had stepped in. But at that time no one knew exactly who was behind this company.

    Hacking Team’s end of year statement from 2016 (the last financial cycle available online) is accompanied by a copy of the minutes of the shareholders meeting of May 8, 2017. This document, provided to the Italian government and reviewed by Motherboard, finally reveals the names behind the mysterious company.

    The document mentions someone named Abdullah Al-Qahtani (spelled both that way, as well as “Alghatani” in a different section of the documents) as the director of Tablem Limited.

    According to the document, Abdullah Al-Qahtani was not present for the May meeting at Hacking Team’s headquarters in Milan, but he appointed a lawyer named Khalid Al-Thebity to act as a representative of Tablem Limited. Al-Thebity is a prominent Saudi lawyer who has done work for the Saudi Arabian government for years. Though the Italian government documents name Al-Thebity as Abdullah Al-Qahtani’s lawyer, Motherboard tried multiple times to reach Al-Thebity and his law firm, Squire Patton Boggs, to discuss his involvement but received no response.

    Al-Thebity’s public bio and resume, as well as quotes he’s given to other publications, suggest that he regularly works with the Saudi Arabian government to facilitate the entry of international companies into the country.

    Al-Thebity has “been representing the Government of Saudi Arabia on several international law matters since 1996,” reads his online bio. According to Squire Patton Boggs, his law firm, Al-Thebity has “represented the Ministry of Communications and Information Technology on the drafting of privacy and data protection legislation.”

    So it appears that Khalid Al-Thebity has been largely identified. But it’s still unclear who Abdullah Al-Qahtani is or where he’s from. Even the owner of Hacking Team, who still owns 80 percent of the firm, claims he doesn’t know the actual identity of Abdullah Al-Qahtani:


    Using open-source online information, it’s difficult to tell exactly who Abdullah Al-Qahtani is, or even where he’s from. But people familiar with Hacking Team and business records point to his association with Saudi Arabia’s government.

    Vincenzetti told me in a text message that he isn’t sure who Abdullah Al-Qahtani or Khalid Al-Thebity really are.

    “The Saudi government is opaque even for me,” Vincenzetti told me. “I don’t have visibility in the role nor the activities of this person in Saudi [Arabia].”

    That’s right, a major offensive hacking firm sold a 20 percent stake to a mystery investor so mysterious that even the owners of this offensive hacking firm don’t know its real identity. That seems like a security risk, no?

    Still, all signs do indicate that Al-Qahtani really is a representative for the Saudi government. Al-Qahtani appears to be the same Al-Qahtani who works for the Al-Qahtani Group, also known as Abdel Hadi Abdullah Al-Qahtani & Sons Co., a Saudi conglomerate. And the phone number listed on Tablem Limited’s public records belongs to another firm, Nobel Trust Limited. So there does appear to be quite a bit of information about Al-Qahtani, just not enough to know who he actually is:


    The Al-Qahtani who appears in Hacking Team’s documents is working for the Al-Qahtani Group, also known as Abdel Hadi Abdullah Al-Qahtani & Sons Co., a conglomerate based in Dammam, Saudi Arabia, according to a source who’s familiar with the Italian spyware market. Emails sent to the Al-Qahtani group bounced back.

    Abdullah Al-Qahtani could not be reached for comment at the phone number listed on Tablem Limited’s public records, which notes that the company specializes in “exports.” The number appeared to belong to a company called Nobel Trust Limited, a financial consulting firm. When we called, a woman identified herself as working for Nobel Trust. When asked if we could speak with a representative of Tablem Limited, she hung up and put through a voicemail message saying Nobel Trust was closed at the moment.

    Interestingly, Abdullah Al-Qahtani also shares the same surname with H.E. Saud Al-Qahtani, a royal court advisor who specializes in online surveillance. And H.E. Saud Al-Qahtani was known to be directly in touch with Hacking Team in 2015, according to leaked emails. H.E. Saud Al-Qahtani is also reportedly close to crown prince Mohammed bin Salman and was recently named the head of the Saudi Federation for Cybersecurity and Programming:


    Saudi Arabian interest in Hacking Team is well documented.

    Saudi government agencies have purchased Hacking Team’s spyware since 2010, according to documents leaked by the hacker who broke into the company in 2015.

    H.E. Saud Al-Qahtani, the country’s royal court advisor who specializes in online surveillance, was directly in touch with Hacking Team’s top brass in 2015, according to leaked emails.

    “Considering your esteemed reputation and professionalism, we here at the Center for Media Monitoring and Analysis at the Saudi Royal Court (THE King Office) would like to be in productive cooperation with you and develop a long and strategic partnership,” H.E. Saud Al-Qahtani wrote in an email to Hacking Team.

    H.E. Saud Al-Qahtani is reportedly close to the controversial young crown prince Mohammed bin Salman. H.E. Saud Al-Qahtani has been accused by a prominent local journalist of being an internet troll who tries to frighten dissidents online, and he recently tweeted a veiled threat to put anyone who conspires against the Arab countries on a “blacklist.”

    “The man has transgressed a lot,” Saudi writer Turki al-Ruqi, the founder of Al-Wi’am newspaper, wrote in an article last year that H.E. Saud Al-Qahtani has used hackers to target critics of the royal family. “Many of the country’s young men have been his victims.”

    We were unable to establish any link between H.E. Saud Al-Qahtani and the Abdullah Al-Qahtani who heads Tablem Limited and invested in Hacking Team.

    H.E. Saud Al-Qahtani was recently named head of the Saudi Federation for Cybersecurity and Programming. He did not respond to multiple requests for comment sent over the course of a week.

    So we have an “Abdullah Al-Qahtani” listed on the documents of Tablem Limited, the Cyprus-based firm, and an H.E. Saud Al-Qahtani who is close to the crown prince and was recently named the head of the Saudi Federation for Cybersecurity and Programming. Are they related? That’s still unclear. But what is clear is that the Saudi government has been trying to invest in Hacking Team for years, going back to 2010, making it just one of a number of gulf states investing heavily in hacking technology:


    After the Hacking Team hack, news reports indicated that the Saudi government—through local businessmen—was interested in acquiring a majority stake in Hacking Team as early as 2013.

    Then, in early 2016, there were new talks for a potential acquisition, but just like the first ones, the investment didn’t go through. Then, later in 2016, the long-time Italian investors who had shares in the company stepped out, and Vincenzetti increased his shares while also welcoming a new investment from Abdullah Al-Qahtani’s Tablem Limited.

    The Saudi Arabia government might have seen in Hacking Team an opportunity to step up its capabilities, as other gulf states are also heavily investing in internet surveillance and hacking.

    “Given how much the United Arab Emirates have invested in the technology, the Saudis wanted to do the same,” the second former Hacking Team employee told me, referring to Dark Matter, a fledgling—and controversial—Dubai-based surveillance and hacking company that’s been hiring former CIA agents and NSA hackers to bolster the country’s surveillance apparatus.

    So that’s our update on Hacking Team: it’s tragically alive and well. And presumably run by and for Saudi Arabia at this point.

    And that’s not all. Because it turns out Hacking Team appears to have spawned a competitor: Grey Heron, a company that seemingly came out of nowhere this year and is suddenly advertising its ability to hack strongly encrypted messaging platforms like Signal and Telegram. But those hacking capabilities aren’t the key feature Grey Heron offers its clients. Instead, the key feature is that Grey Heron isn’t called Hacking Team, which became a very important feature after Hacking Team was hacked and had its reputation destroyed:

    Vice Motherboard

    New Spyware Company ‘Grey Heron’ Is Linked to Hacking Team
    Grey Heron emerged from the controversial spyware vendor Hacking Team, and is looking to break into the European and North American markets.

    By Joseph Cox and Lorenzo Franceschi-Bicchierai
    Mar 26 2018, 10:35am

    In early March, Motherboard reported that a new, mysterious government-malware company called Grey Heron is advertising malware designed to steal data from Signal and Telegram messaging apps. The company seemingly came out of nowhere, suddenly advertising its wares at surveillance fairs over the last few months.

    But Grey Heron does have a history: The company emerged from controversial spyware firm Hacking Team, despite Grey Heron not mentioning these links publicly, Motherboard has learned. The move, it appears, may be to distance Grey Heron from the notorious, and perhaps damaged, brand of Hacking Team.

    “Grey Heron’s mission is to provide to law enforcement the strong tools to balance the capabilities of those who wish to do harm,” a copy of Grey Heron’s brochure previously published by Motherboard reads.

    Grey Heron was formed from other players in the government hacking space, including Hacking Team, a source familiar with the company said. In private conversations within the surveillance industry that were later detailed to Motherboard, Grey Heron has suggested it sees distancing itself from Hacking Team and its history as a benefit.

    Indeed, Hacking Team may be the most high-profile government malware provider in the world due to its bold, public facing marketing, and because it sold surveillance products to a host of authoritarian regimes, including Sudan, Ethiopia, Bahrain. It also suffered a massive data breach, exposing many of the company’s secrets. In 2015, a pseudonymous hacker known as Phineas Fisher broke into the servers of the company, and went unnoticed for weeks. The hacker stole more than 400 gigabytes of internal data, including emails, customer records, and—worse—the spyware’s source code. On July 5, 2015, he revealed the hack from Hacking Team’s own, hacked, Twitter account, and dumped all the data online.

    After a couple of years of struggles, an investor linked to the Saudi government bought a stake in Hacking Team, giving the company new cash to grow again, Motherboard recently reported.

    Although the exact contours of the relationship between Hacking Team and Grey Heron are still fuzzy, an ex-Hacking Team employee, who spoke on condition of anonymity because he’s not allowed to talk about his former employer, said that it would “make sense to use a different name to continue to sell to those clients who weren’t happy after the hack.”

    “Except those customers who don’t care because they buy spyware without thinking twice,” the former employee, who had no direct knowledge of Grey Heron, told Motherboard. “I imagine that there’s a lot of them who don’t see Hacking Team favorably anymore, including the reselling partners, perhaps even more so than the final customers.”

    Grey Heron has said privately that the Italian government has given the company permission to export its products throughout the European Union, and that Grey Heron has particular interest in selling to European and North American clients.

    The firm has exhibited at two recent UK surveillance shows, the Home Office sponsored Security & Policing event, and the International Security Expo, according to the shows’ websites. At the latter, Eric Rabe, who handles Grey Heron’s marketing and communication and is also Hacking Team’s longtime spokesperson, gave a talk on “privacy and the encryption threat.”

    Rabe did not respond to multiple requests for comment concerning connections between the two Milan-based companies. David Vincenzetti, Hacking Team’s CEO, did not respond either.

    The idea that those linked to Hacking Team can rebrand themselves under a new company may irk those pushing for accountability in the surveillance industry.

    “The surveillance sector clearly needs further regulation to stop bad actors selling the means to crush dissent to any authoritarian afraid of their own society,” Lloyd Russell-Moyle MP, member of the UK Committees on Arms Export Controls (CAEC), told Motherboard in a statement. “It is vital that export licensing regimes across Europe apply these laws and crucially talk to one another to ensure human rights are not trampled over.”

    ———-

    “New Spyware Company ‘Grey Heron’ Is Linked to Hacking Team” by Joseph Cox and Lorenzo Franceschi-Bicchierai; Vice Motherboard; 03/26/2018

    “In early March, Motherboard reported that a new, mysterious government-malware company called Grey Heron is advertising malware designed to steal data from Signal and Telegram messaging apps. The company seemingly came out of nowhere, suddenly advertising its wares at surveillance fairs over the last few months.

    *Poof* A company appears seemingly out of nowhere this year offering a number of tantalizing hacking capabilities. And, of course, it doesn’t come out of nowhere. It emerged from Hacking Team, although Grey Heron doesn’t mention this publicly, which makes sense since distancing itself from Hacking Team is a highly desirable service for the governments who used to be Hacking Team clients and were forced to leave after the bad press from the 2015 Hacking Team hack:


    But Grey Heron does have a history: The company emerged from controversial spyware firm Hacking Team, despite Grey Heron not mentioning these links publicly, Motherboard has learned. The move, it appears, may be to distance Grey Heron from the notorious, and perhaps damaged, brand of Hacking Team.

    “Grey Heron’s mission is to provide to law enforcement the strong tools to balance the capabilities of those who wish to do harm,” a copy of Grey Heron’s brochure previously published by Motherboard reads.

    Grey Heron was formed from other players in the government hacking space, including Hacking Team, a source familiar with the company said. In private conversations within the surveillance industry that were later detailed to Motherboard, Grey Heron has suggested it sees distancing itself from Hacking Team and its history as a benefit.

    Like the phoenix, Grey Heron rose from Hacking Team’s ashes. Of course, Hacking Team also rose from its own ashes thanks to that Saudi money. But Hacking Team is still going to have a much harder time getting outside clients thanks to its damaged reputation. Grey Heron, on the other hand, appears to be licensed to export its hacking products throughout the EU and has a particular interest in selling to North American clients:


    Grey Heron has said privately that the Italian government has given the company permission to export its products throughout the European Union, and that Grey Heron has particular interest in selling to European and North American clients.

    So that’s what happened to Hacking Team following its devastating 2015 hack: it’s once again profitable thanks to mysterious Saudi investors and has also indirectly spawned an entirely new firm that appears to be offering the same kinds of hacking products under a non-‘Hacking Team’ brand. It’s something to keep in mind the next time we see a high-profile hack…especially if the hack once again involves X-Agent.

    Posted by Pterrafractyl | March 29, 2018, 3:59 pm
  7. Well, that’s quite an indictment, even by #TrumpRussia standards: The Mueller team issued an indictment against 12 GRU officers over the 2016 hacks of the Democrats. The indictment doesn’t just name names but actually describes the roles they played in the teams that carried out the hacks. It is by far the most detail we’ve seen thus far, including information like ‘Person A searched for terms XYZ a day before those terms showed up in a message from Guccifer 2.0’. From a cyber-attribution standpoint the indictment avoids one of the biggest flaws in the attribution we’ve seen thus far: it’s not simply based on highly spoofable “pattern recognition”. There is evidence that purportedly links directly back to computers known to be managed and used by the GRU. Although, as we’re going to see, there’s actually only one piece of evidence in the indictment that purports to link directly back to the GRU, but it’s a pretty big piece of evidence if real. The rest of the details in the indictment may or may not link back directly to the GRU. It’s ambiguously worded, so we don’t know if the rest of the details are speculative (it’s what the Mueller team thinks happened) vs authoritative (it’s what the Mueller team conclusively knows happened).

    Separately, we also just learned that Trump was reportedly informed by the government two weeks before his January 2016 inauguration about specific, highly classified evidence from a Kremlin source claiming that, yes, the Kremlin was behind it all. This is going to be important to keep in mind in relation to the many details in the indictment because, again, a large number of those details are assertions of specific GRU officers carrying out specific actions on particular dates, but it’s never clear if it’s conclusively known that the GRU officers carried out these acts or if it’s merely suspected that they did so based on their known roles within the GRU and the assumption that the GRU was behind the hacks. So knowing that the testimony of this Kremlin insider was important in arriving at the conclusion that the GRU really was behind the hack further raises the question of whether the many details in the indictment are based on conclusive direct evidence or on inferences and suspicions.

    The details are plentiful in the indictment. The indictment charges two specific GRU units with the hack, each playing different roles: Unit 26165 carried out the hacks and Unit 74445 distributed the hacked materials by creating websites like DCleaks.com and the Guccifer 2.0 persona. The specific people in these units are named and their roles in the operation are given. Some details include actual searches online that specific GRU officers did at specific times that include phrases found in Guccifer 2.0’s first message to the world.

    Then there’s the one detail that, if true, would appear to conclusively link the “Guccifer 2.0” persona to the GRU’s Unit 74455: In the indictment we find the following assertion that someone on a Moscow-based server managed and used by Unit 74455 made a bunch of search queries for phrases that showed up in Guccifer 2.0’s first messages to the world later that day:

    41. On or about June 15, 2016, the Conspirators logged into a Moscow-based server used and managed by Unit 74455 and, between 4:19 PM and 4:56 PM Moscow Standard Time, searched for certain words and phrases, including:

    Search Term(s):
    “some hundred sheets”
    “some hundreds of sheets”
    dcleaks
    illuminati
    широко известный перевод
    [widely known translation]
    “worldwide known”
    “think twice about”
    “company’s competence”

    42. Later that day, at 7:02 PM Moscow Standard Time, the online persona Guccifer 2.0 published its first post on a blog site created through WordPress. Titled “DNC’s servers hacked by a lone hacker,” the post used numerous English words and phrases that the Conspirators had searched for earlier that day (bolded below):

    Worldwide known cyber security company [Company 1] announced that
    the Democratic National Committee (DNC) servers had been hacked by
    “sophisticated” hacker groups.

    I’m very pleased the company appreciated my skills so highly)))[…]

    Here are just a few docs from many thousands I extracted when hacking
    into DNC’s network. […]

    Some hundred sheets! This’s a serious case, isn’t it? […]

    I guess [Company 1] customers should think twice about company’s
    competence.

    F[***] the Illuminati and their conspiracies!!!!!!!! F[***]
    [Company 1]!!!!!!!!

    This is the sole part of the indictment that stands out for referring to a server known to be operated by the GRU. There are numerous allegations in the indictment where one of the GRU agents is alleged to have done something on a server leased by the GRU, and in the indictment we learn that some of the servers were paid for with bitcoins from wallets managed by email accounts assumed to be managed by the GRU, but it’s never made clear how conclusive the evidence is that the GRU specifically was managing those email accounts and leasing those servers. But in this one instance with the Moscow-based server it is specifically stated that it’s a server known to be managed and used by the GRU. It will be interesting to see if we get to learn more about this server.

    It’s also worth noting that the indictment specifically says someone logged into the GRU managed server from 4:19 to 4:56 PM on the day of Guccifer 2.0’s first message to the world. This raises the question of whether or not US investigators were given legal access to that server. If so, that would be an impressive level of cooperation from a Moscow-based company used by the GRU. Because if the US didn’t gain legal access to this Moscow-based server, that raises the question of whether or not the evidence was gathered by hacking the server by the US or an ally, which would obviously color the interpretation of this evidence.

    It’s also possible the server login evidence is based on general internet traffic information that shows someone communicating with the server, coupled with information from Google or another search engine about search traffic from that server shortly after. There are a range of possibilities. But if there’s real evidence of someone logging into a GRU-managed server and making those search term queries before those terms showed up in Guccifer’s first post to the world, that’s pretty conclusive evidence of the GRU being behind the hack. And that’s why this is really the key piece of evidence in the indictment that purports to directly link the GRU to the hacking operations. So the details of that particular piece of evidence are going to be important.

    And if this Moscow-based server really was a GRU-managed server and a GRU agent really did make those searches the day of Guccifer 2.0’s first message to the world, it also raises the question of whether or not the GRU had reason to believe that server was known as a GRU server. Because if so, that would be another remarkable example of brazen “I’m a Russian hacker” sloppiness by the GRU in this operation. Using a known GRU server for an operation of this nature seems like an extraordinarily unnecessary risk to take.

    Unless, of course, getting caught and blamed was always part of the plan. And let’s not forget that one of the initial conclusions of US investigators to explain all of the unusually sloppy ‘mistakes’ in the hack, coupled with the aggressive use of advanced exploits in order to stay on the DNC’s server, was that Russian government hackers were ‘showing off’.

    And if Putin really did order a hacking campaign where Russia intends to get caught and blamed, that means the Trump campaign was colluding with someone trying to get caught, which is pretty funny. Whoops! The Kremlin may not have been the best collusion partner, unless the Trump campaign wanted Russia to get itself implicated in order to take the suspicions for the hacks off the Trump campaign. In which case, whoops again, because that would be a crazy plan.

    The financing of the operation is also described in detail in the indictment, with bitcoin mining and laundering providing the funds used to purchase things like servers and VPNs (like the Crookserver company that provided the command-and-control server with the 176.31.112.10 IP address, which was paid for in bitcoins).

    One interesting new set of details involves the location of some of the servers used. One allegedly GRU-controlled server was in Arizona and another in Illinois. At first, the malware was communicating with the Arizona server, but at some point they decided to relay the data to a foreign server and then back to the Arizona server. It would be interesting to know what led to that decision.

    Another interesting new detail involves a fourth command-and-control server that was never mentioned in Crowdstrike’s report. The initial CrowdStrike report mentioned three command-and-control server addresses that were found in the malware, including the server with the same 176.31.112.10 IP address found in the malware used in the 2015 Bundestag hack. But it never mentioned linuxkrnl.net, the address of the new fourth command-and-control server that is referenced in the Mueller indictment. This is leading to speculation that Crowdstrike never actually found the malware with the linuxkrnl.net command-and-control server and that this was the malware that was left on the server until October of 2016.

    Also recall how one of the more eyebrow-raising aspects of how the hacks were initially described by the cybersecurity contractors who actually worked on containing the infection on the DNC’s servers was that the hackers were unusually aggressive in maintaining a foothold on the system, and the battle to disinfect the DNC’s network went on for six weeks starting in June of 2016. So it wouldn’t be surprising if the malware that managed to stay hidden until October was placed on the network during that period when the hackers were battling with the cybersecurity contractors and used the linuxkrnl.net command-and-control server (the linuxkrnl.net address for outbound traffic would look a lot less suspicious than a string of numbers).

    So this indictment is certainly a highly provocative new development in this case, and one that purports to fill in numerous details. But the veracity of some of these new details remains a mystery, especially the details about specific GRU officers carrying out specific actions.

    The number of specific details about individuals carrying out specific acts on specific days listed in the indictment were so numerous that it raises the question of how so much was known, on top of the question raised by the Moscow server Guccifer 2.0 claim. Were Western intelligence agencies spying on the GRU at the time of the hacks? Or was this information obtained by US authorities and allies after the fact? And that mystery on the timing of the collection of this intelligence is part of what makes the indictment rather remarkable: there are a number of details about ‘who did what’, and almost no details at all about how this information was obtained or the level of confidence behind the allegations. It’s not clear if the assertions in the indictment are descriptions of what the Mueller team thinks happened and is planning on proving did happen, or if the allegations are based on very strong evidence that ‘person X did Y on date Z’. We are left with no idea, with the notable exception of the Moscow-based server that’s said to be known to be managed by the GRU.

    There’s also a remarkable admission that malware from the hack remained on the DNC’s network until October of 2016, long after Crowdstrike assured the world that the malware was removed. Now, a DNC official assures us that the lingering piece of malware was quarantined and effectively disabled, which is plausible.

    But perhaps the most eyebrow-raising aspect of the indictment is how much detail and emphasis it places on one of the most inexplicable aspects of the entire hacking story: X-Agent. There are A LOT of details in the indictment about these GRU agents and their development, testing, and eventual use of X-Agent.

    Recall how X-Agent was used as a key piece of evidence by Crowdstrike early on to pin the blame on the Russian government, based on the assertion by Crowdstrike that X-Agent was exclusively used by Russian government hackers. As security expert Jeffrey Carr pointed out, this conclusion that X-Agent was exclusively developed and used by Russian hackers was subsequently proven to be erroneous. The cybersecurity firm ESET managed to get its hands on X-Agent source code from 2015, along with an anti-Russian Ukrainian hacker. So the X-Agent source was clearly in ‘the wild’ at the time of the hacks.

    But the big ‘WTF’ aspect of the X-Agent angle is the fact that the IP address of the command-and-control server used to remotely control the X-Agent malware installed on the Democrats’ servers was the same IP address hard coded into the X-Agent malware found on the Bundestag servers in 2015 following the Bundestag hack and that IP address was literally published in 2015. And that same command-and-control server was also found to be vulnerable to the ‘Heartbleed’ attack, meaning the command-and-control server whose IP address was hard-coded into the X-Agent malware found on the Democrats’ servers might have itself been hacked. When the same IP address shows up in two separate high profile hacks, and that IP address happens to be made publicly available during the time between the two hacks, that either points towards a set up job, hackers trying to get caught, or incredibly incompetent hackers who didn’t want to be caught and accidentally left a massive clue.

    Beyond that, in March of 2017, a security researcher at Malwarebytes wrote about how X-Agent source code appears to be based on hacking code created by “Hacking Team”, the Italy-based legal hacking entity that sold powerful hacking tools to governments around the world, including Russia. In other words, not only was the X-Agent code likely ‘in the wild’ at the time of the hack, but versions of it may have actually been sold to governments around the world for years. That’s why the central role X-Agent allegedly played in both carrying out the hack and attributing that hack to the Russian government was always a ‘WTF’ aspect of the entire investigation. If the GRU really was using X-Agent and NOT trying to get caught it would have been a mistake of stunning proportions.

    And yet much of the new indictment describes a focus by the GRU on developing, testing, and deploying X-Agent. So while there are certainly many substantive details in the indictment, a large number of those details turn out to be the kind of details that increase the argument that the GRU was either incredibly incompetent or trying to get caught. The inexplicable X-Agent angle doesn’t leave too many other plausible explanations.

    But that’s also all why the specific details in this indictment about GRU officers working on X-Agent are actually quite crucial for Mueller’s case: The Crowdstrike argument that the presence of X-Agent on the Democrats’ servers pointed the finger at Russia was always a bad argument and an example of the dangers of relying on pattern recognition for attribution in the cyber-realm. And if X-Agent was never actually exclusive to Russian government hackers, providing evidence that Russian government hackers specifically deployed X-Agent in this hack was actually quite crucial to Mueller’s case. This indictment purports to show exactly that.

    At this point it’s a collection of assertions about GRU agents carrying out the specific actions known to be done by whoever carried out the hacks and the release of the documents. Assertions that make the GRU appear extremely competent at evading CrowdStrike’s counter-intrusion specialists but really incompetent at the ‘covering your tracks’ angle and/or really interested in getting credit:

    The Daily Beast

    Russian Hackers Kept DNC Backdoor Longer Than Anyone Knew
    The Democrats swore in the summer of 2016 that they had banished all outside intrusions from their networks. They were wrong.

    Kevin Poulsen
    07.13.18 10:00 PM ET

    The indictment Friday of 12 Russian military officers for the election hacks against the DNC and Hillary Clinton’s campaign lends a surprising new detail to the 2016 election interference timeline: The Kremlin’s hackers apparently still maintained a foothold in the DNC’s network four months after the Democrats announced that they’d locked the intruders out.

    Until today, the story of the DNC hack ended promptly on June 14, 2016, when the Democrats went public with the intrusion in the pages of the Washington Post, and Crowdstrike, the security firm hired to respond to the breach, published a detailed technical account.

    Today’s indictment confirms every aspect of the DNC’s and Crowdstrike’s account, with one exception. Both the DNC and Crowdstrike have said repeatedly that they went public only after expelling all the Russian hackers.

    But buried in the new indictment is language suggesting that Crowdstrike missed a spot, and one computer infected with the GRU’s malware “remained on the DNC network until in or around October 2016.”

    If Mueller’s right, it raises the possibility that the Russians gathered months and months of additional intelligence on the DNC—right as the campaign was in its final, most important stretch. The hackers may have even had a front row seat on the DNC’s network that July, when Wikileaks published the hacked emails and the DNC was thrown into upheaval.

    The new indictment also rips the covers off the hidden workings of the GRU’s hacking apparatus, putting names, ranks and even street addresses to the elite computer intrusion unit that security experts have known for a decade under monikers like “APT28” and “Fancy Bear.”

    Fancy Bear, as described by Mueller, is split between two departments within the GRU’s Unit 26165. Boris Alekseevich Antonov, a major in the Russian military, controls the pointy end of the stick, heading the team of hackers that carry out Fancy Bear’s network intrusions and signature spear phishing attacks. They craft the fake websites and bogus emails, gather information on their targets, and, once successful, deploy GRU’s arsenal of custom malware.

    Lt. Col Sergey Morgachev allegedly oversees the GRU’s geek squad, heading the department that codes the most infamous malware on the Internet, like the backdoor programs X-Agent and Sedreco, and the stealth VPN known as X-Tunnel. That latter group is also responsible for monitoring the malware once it’s in place on a target’s network. They draw down the intelligence haul and send it upstream into the Russian military.

    Atop it all is the lead defendant in the indictment, Viktor Borisovich Netyksho, the alleged head of Unit 26165 and the man who oversaw the election interference campaign.

    The operation began with Antonov’s hackers staging a bulk phishing attack in March 2016 that targeted the Gmail accounts of more than 300 people affiliated with the Clinton campaign and the Democratic party. It was this attack that claimed the GRU’s first big trophy, the entire Gmail archive for Clinton campaign chief John Podesta.

    The next month another phishing attack gave the GRU login credentials for the network of the Democratic Congressional Campaign Committee. A Fancy Bear hacker named Ivan Yermakov allegedly established a beachhead on the network on April 12th. The GRU began moving laterally, installing X-Agents everywhere, capturing covert screenshots and monitoring DCCC workers’ keystrokes as they typed in their passwords.

    Six days later, they found a DCCC worker who also had access to the DNC’s network. They used the worker’s password to breach the DNC, where they were quickly siphoning gigabytes of stolen data over X-Tunnel to a leased server in Illinois. By May they’d saturated the DNC with X-Agent implants and penetrated the Microsoft Exchange server, where they sucked down the 40,000 DNC emails destined for Wikileaks.

    The GRU already had a plan lined up to release the stolen material through a fake whistleblower site. The first step in March was to use Bitcoin to sign up with a Russian VPN provider, so they could anonymize their Internet connection as they set up the infrastructure for the leaks. They used the same Bitcoin wallet to register the domain name dcleaks.com on April 19, and set up hosting at a Malaysian server farm nine days later.

    But in May, before the GRU could execute the faux whistleblower leaks, the DCCC and the DNC figured out they’d been hacked and brought in Crowdstrike. The weekend of June 11th, Crowdstrike moved to purge the DNC of the Fancy Bear infection.

    Immediately afterwards, the Washington Post story appeared, and Crowdstrike CTO Dmitri Alperovitch published a technical account of the breach that left little room for doubt that Russia was behind the hacks. The blog post also ran down a list of the malware used in the intrusions, including the GRU’s signature backdoor program X-Agent.

    The indictment, though, raises the first doubts that the purge was a complete success.

    “By in or around June 2016, [Crowdstrike] took steps to exclude intruders from the networks,” the indictment reads. “Despite these efforts, a Linux-based version of X-Agent, programmed to communicate with the GRU-registered domain linuxkrnl[.]net, remained on the DNC network until in or around October 2016.”

    The reference to the command-and-control server “linuxkrnl[.]net” is noteworthy for its complete absence from Crowdstrike’s blog post. The company’s report listed three command-and-control servers used by the GRU to control their DNC malware, and that domain name was not on the list, and has never been publicly linked before to Fancy Bear. It’s unclear whether Crowdstrike omitted it, or never discovered it.

    Mueller’s assertion that the hacking tools persisted for months on the Democrats’ networks roughly matches former interim DNC chief Donna Brazile’s account in her book, Hacks: The Inside Story of the Break-Ins and Breakdowns that Put Donald Trump in the White House. In it, she wrote that “the intruders had been sitting in our voter data files for months” after their supposed ouster.

    Crowdstrike referred the Daily Beast’s inquiry to the DNC, which acknowledged the lingering X-Agent infection, but said it wasn’t a threat, and never made contact with the GRU.

    “This Linux based version of X-agent malware was a remnant of the original hack and had been quarantined during the remediation process in June 2016,” said Adrienne Watson, the DNC’s deputy communications director. “While programmed to communicate with a GRU-registered domain, we do not have any information to suggest that it successfully communicated, exfiltrated data, corrupted our newly built systems, or breached our voter file following the remediation process.”

    At least one security expert says the DNC’s answer is plausible. “You usually don’t remove all adversary components until you’re sure they’re out in all other means,” says Sergio Caltagirone, director of threat intelligence at Dragos. “These things can go on for a long time.”

    What’s certain is that when the DNC and Crowdstrike went public on June 14, Fancy Bear was caught off guard. The GRU’s whistleblower narrative was still in the can, and the truth about Russia’s attack was in all the newspapers.

    “In response, the Conspirators created the online persona Guccifer 2.0, and falsely claimed to be a lone Romanian hacker to undermine the allegations of Russian responsibility for the intrusion,” according to Mueller’s indictment.

    Managing the Guccifer persona fell to a completely different group in a separate GRU facility called Unit 74455, which appears from the indictment to serve as a more-sophisticated version of the Internet Research Agency, maintaining fake social media profiles to extend Russia’s covert influence around the world.

    Guccifer 2.0 claimed that he, and he alone, was responsible for the DNC breach. The intelligence community and security experts weren’t fooled, but others were. Helped by Trump adviser Roger Stone and other high-profile figures, Unit 74455 managed to sow doubt on the margins about Russia’s involvement in the election hacks.

    ———-

    “Russian Hackers Kept DNC Backdoor Longer Than Anyone Knew” by Kevin Poulsen; The Daily Beast; 07/13/2018

    “The indictment Friday of 12 Russian military officers for the election hacks against the DNC and Hillary Clinton’s campaign lends a surprising new detail to the 2016 election interference timeline: The Kremlin’s hackers apparently still maintained a foothold in the DNC’s network four months after the Democrats announced that they’d locked the intruders out.

    While there’s been no shortage of new details as the #TrumpRussia investigation unfolds, not all new details are equal, and learning that the hackers may have maintained a foothold on the Democrats’ network for months after Crowdstrike assured the world that the infection was purged is quite a significant new detail. Maybe. If the hackers had access to the Democrats’ network through October of 2016, that would have given the Trump campaign and GOP potentially extremely valuable real-time campaign information. But it’s said that only one computer remained infected until October 2016, so it’s possible that computer didn’t yield much useful information. It’s also possible that computer had access to an abundance of information, especially if it could access the broader DNC network. At this point we don’t know:


    Until today, the story of the DNC hack ended promptly on June 14, 2016, when the Democrats went public with the intrusion in the pages of the Washington Post, and Crowdstrike, the security firm hired to respond to the breach, published a detailed technical account.

    Today’s indictment confirms every aspect of the DNC’s and Crowdstrike’s account, with one exception. Both the DNC and Crowdstrike have said repeatedly that they went public only after expelling all the Russian hackers.

    But buried in the new indictment is language suggesting that Crowdstrike missed a spot, and one computer infected with the GRU’s malware “remained on the DNC network until in or around October 2016.”

    If Mueller’s right, it raises the possibility that the Russians gathered months and months of additional intelligence on the DNC—right as the campaign was in its final, most important stretch. The hackers may have even had a front row seat on the DNC’s network that July, when Wikileaks published the hacked emails and the DNC was thrown into upheaval.

    The DNC, however, assures us that the lingering X-Agent infection was quarantined and harmless. Which is possible:


    Crowdstrike referred the Daily Beast’s inquiry to the DNC, which acknowledged the lingering X-Agent infection, but said it wasn’t a threat, and never made contact with the GRU.

    “This Linux based version of X-agent malware was a remnant of the original hack and had been quarantined during the remediation process in June 2016,” said Adrienne Watson, the DNC’s deputy communications director. “While programmed to communicate with a GRU-registered domain, we do not have any information to suggest that it successfully communicated, exfiltrated data, corrupted our newly built systems, or breached our voter file following the remediation process.”

    At least one security expert says the DNC’s answer is plausible. “You usually don’t remove all adversary components until you’re sure they’re out in all other means,” says Sergio Caltagirone, director of threat intelligence at Dragos. “These things can go on for a long time.”

    And yet Donna Brazile wrote in her book that the hackers were sitting on the DNC’s voter files for months after their supposed ouster. So if they had access to DNC voter files, that’s potentially some of the most useful information they could have had at that point in the campaign. Especially for micro-targeting applications:


    Mueller’s assertion that the hacking tools persisted for months on the Democrats’ networks roughly matches former interim DNC chief Donna Brazile’s account in her book, Hacks: The Inside Story of the Break-Ins and Breakdowns that Put Donald Trump in the White House. In it, she wrote that “the intruders had been sitting in our voter data files for months” after their supposed ouster.

    So that will be something to watch as more information comes out. Especially because, while the DNC hack story has largely focused on release of Democratic Party emails, there was undoubtedly plenty of information gathered that would be best exploited quietly and not plastered on the internet. Like DNC voter information.

    But the biggest overall revelation in this indictment is the naming of names and roles within the two GRU units that purportedly pulled off the hack. At least, it’s a revelation assuming there is indeed conclusive evidence implicating these individuals and it’s not just prosecutorial assertions:


    The new indictment also rips the covers off the hidden workings of the GRU’s hacking apparatus, putting names, ranks and even street addresses to the elite computer intrusion unit that security experts have known for a decade under monikers like “APT28” and “Fancy Bear.”

    Fancy Bear, as described by Mueller, is split between two departments within the GRU’s Unit 26165. Boris Alekseevich Antonov, a major in the Russian military, controls the pointy end of the stick, heading the team of hackers that carry out Fancy Bear’s network intrusions and signature spear phishing attacks. They craft the fake websites and bogus emails, gather information on their targets, and, once successful, deploy GRU’s arsenal of custom malware.

    Lt. Col Sergey Morgachev allegedly oversees the GRU’s geek squad, heading the department that codes the most infamous malware on the Internet, like the backdoor programs X-Agent and Sedreco, and the stealth VPN known as X-Tunnel. That latter group is also responsible for monitoring the malware once it’s in place on a target’s network. They draw down the intelligence haul and send it upstream into the Russian military.

    Atop it all is the lead defendant in the indictment, Viktor Borisovich Netyksho, the alleged head of Unit 26165 and the man who oversaw the election interference campaign.

    Adding to the ‘wow’ factor of the indictment is how much emphasis there was on the X-Agent malware. Of course, a big part of that ‘wow’ factor is due to the fact that the X-Agent malware was one of the most conspicuous, appallingly obvious ‘I’m a Russian hacker’ clues left by the hackers. One of the big obvious questions about the hack from the very beginning was the general question of whether Russian government hackers would really be that stupid, or whether they were trying to get caught…or whether it was someone else trying to make it look like Russian hackers. And according to this indictment, this GRU team did choose X-Agent as their primary malware for carrying out the attack (which still leaves the ‘stupid or trying to get caught’ question unaddressed):


    The operation began with Antonov’s hackers staging a bulk phishing attack in March 2016 that targeted the Gmail accounts of more than 300 people affiliated with the Clinton campaign and the Democratic party. It was this attack that claimed the GRU’s first big trophy, the entire Gmail archive for Clinton campaign chief John Podesta.

    The next month another phishing attack gave the GRU login credentials for the network of the Democratic Congressional Campaign Committee. A Fancy Bear hacker named Ivan Yermakov allegedly established a beachhead on the network on April 12th. The GRU began moving laterally, installing X-Agents everywhere, capturing covert screenshots and monitoring DCCC workers’ keystrokes as they typed in their passwords.

    Six days later, they found a DCCC worker who also had access to the DNC’s network. They used the worker’s password to breach the DNC, where they were quickly siphoning gigabytes of stolen data over X-Tunnel to a leased server in Illinois. By May they’d saturated the DNC with X-Agent implants and penetrated the Microsoft Exchange server, where they sucked down the 40,000 DNC emails destined for Wikileaks.

    Beyond the specifics on the malware, the indictment included quite a bit of information on how the infrastructure used in the hack (servers, VPNs) was paid for: with bitcoins, of course. And US investigators appear to have quite a bit of information on those Bitcoin transactions, including the Bitcoin wallet used to purchase the dcleaks.com domain. According to investigators, the initial GRU plan was to use a fake whistleblower persona and the dcleaks.com website to distribute the hacked materials, but they were taken by surprise with the June announcement by Crowdstrike and the Democrats that they had concluded that the DNC was hacked and Russian hackers were the culprits. The alleged exclusivity of X-Agent was one of the key pieces of evidence used for that early attribution:


    The GRU already had a plan lined up to release the stolen material through a fake whistleblower site. The first step in March was to use Bitcoin to sign up with a Russian VPN provider, so they could anonymize their Internet connection as they set up the infrastructure for the leaks. They used the same Bitcoin wallet to register the domain name dcleaks.com on April 19, and set up hosting at a Malaysian server farm nine days later.

    But in May, before the GRU could execute the faux whistleblower leaks, the DCCC and the DNC figured out they’d been hacked and brought in Crowdstrike. The weekend of June 11th, Crowdstrike moved to purge the DNC of the Fancy Bear infection.

    Immediately afterwards, the Washington Post story appeared, and Crowdstrike CTO Dmitri Alperovitch published a technical account of the breach that left little room for doubt that Russia was behind the hacks. The blog post also ran down a list of the malware used in the intrusions, including the GRU’s signature backdoor program X-Agent.

    The indictment makes no mention of the command-and-control server with the 176.31.112.10 IP address, the same IP address found in the Bundestag hack malware, which was highly suspicious. But it does mention a previously unknown command-and-control server address, linuxkrnl[.]net. And the fact that the malware that remained on the Democrats’ network until October of 2016 was configured to communicate with this linuxkrnl[.]net server, together with the fact that Crowdstrike never mentioned this in its initial blog post, suggests that Crowdstrike didn’t actually find the malware during the initial purge, which is in keeping with what Donna Brazile wrote in her book about the hackers having access to the Democrats’ voter files months after the malware was allegedly removed:


    The indictment, though, raises the first doubts that the purge was a complete success.

    “By in or around June 2016, [Crowdstrike] took steps to exclude intruders from the networks,” the indictment reads. “Despite these efforts, a Linux-based version of X-Agent, programmed to communicate with the GRU-registered domain linuxkrnl[.]net, remained on the DNC network until in or around October 2016.”

    The reference to the command-and-control server “linuxkrnl[.]net” is noteworthy for its complete absence from Crowdstrike’s blog post. The company’s report listed three command-and-control servers used by the GRU to control their DNC malware, and that domain name was not on the list, and has never been publicly linked before to Fancy Bear. It’s unclear whether Crowdstrike omitted it, or never discovered it.
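    The dispute above comes down to a question a responder can actually test: after the June 2016 remediation, did the quarantined Linux implant ever reach linuxkrnl[.]net? The usual check is a sweep of the organisation’s resolver logs for the C2 indicator after the cutoff date, separating mere lookup attempts (the implant is alive and trying) from successful resolutions (it obtained an address it could connect to). The Python below is an added example, not code from the article, Crowdstrike or the DNC. The log format, the hostnames and every log line are constructed for the demo, the exact cutoff day is an assumption, and the only indicator taken from the indictment is the defanged domain.

```python
"""Post-remediation sweep: did a quarantined implant ever reach its C2 domain?

Added example, not from the article or from any vendor tooling. The log format
and every log line are constructed for the demo; the only indicator taken from
the indictment is the defanged domain linuxkrnl[.]net.
"""
from datetime import datetime, timezone
from typing import Dict, List, NamedTuple

# Indicators as analysts usually receive them: defanged so they cannot be clicked.
C2_INDICATORS = ["linuxkrnl[.]net"]

# The indictment says remediation happened "in or around June 2016";
# the exact day used as the cutoff here is an assumption for the demo.
REMEDIATION_CUTOFF = datetime(2016, 6, 12, tzinfo=timezone.utc)

# Constructed resolver log: timestamp host qname qtype rcode answer
# (addresses are from the RFC 5737 documentation ranges).
SAMPLE_DNS_LOG = """\
2016-05-20T13:02:11Z dnc-lnx-07 linuxkrnl.net A NOERROR 203.0.113.45
2016-06-30T02:14:09Z dnc-lnx-07 linuxkrnl.net A NXDOMAIN -
2016-07-08T09:41:52Z dnc-ws-112 www.example.org A NOERROR 192.0.2.80
2016-08-15T22:05:30Z dnc-lnx-07 linuxkrnl.net A NXDOMAIN -
2016-09-02T11:11:11Z dnc-lnx-07 time.example.net A NOERROR 192.0.2.10
"""


class DnsEvent(NamedTuple):
    ts: datetime
    host: str
    qname: str
    qtype: str
    rcode: str
    answer: str


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a matchable, normalised hostname."""
    return indicator.replace("[.]", ".").strip().lower().rstrip(".")


def parse_dns_log(text: str) -> List[DnsEvent]:
    """Parse the constructed whitespace-separated log format into events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, qname, qtype, rcode, answer = line.split()
        events.append(DnsEvent(
            ts=datetime.fromisoformat(ts.replace("Z", "+00:00")),
            host=host,
            qname=qname.lower().rstrip("."),
            qtype=qtype,
            rcode=rcode,
            answer=answer,
        ))
    return events


def matches_indicator(qname: str, indicators: List[str]) -> bool:
    """Exact or subdomain match against the refanged indicator list."""
    for ind in indicators:
        domain = refang(ind)
        if qname == domain or qname.endswith("." + domain):
            return True
    return False


def sweep(events: List[DnsEvent], indicators: List[str], cutoff: datetime) -> Dict[str, dict]:
    """Per host, count post-cutoff lookups of C2 domains.

    'attempts' is any query for the indicator; 'resolved' is a query that got an
    answer the implant could actually connect to.
    """
    report: Dict[str, dict] = {}
    for ev in events:
        if ev.ts < cutoff or not matches_indicator(ev.qname, indicators):
            continue
        entry = report.setdefault(ev.host, {"attempts": 0, "resolved": 0,
                                            "first": ev.ts, "last": ev.ts})
        entry["attempts"] += 1
        if ev.rcode == "NOERROR" and ev.answer != "-":
            entry["resolved"] += 1
        entry["first"] = min(entry["first"], ev.ts)
        entry["last"] = max(entry["last"], ev.ts)
    return report


def run_demo() -> Dict[str, dict]:
    """Run the sweep over the constructed log and print one line per host."""
    report = sweep(parse_dns_log(SAMPLE_DNS_LOG), C2_INDICATORS, REMEDIATION_CUTOFF)
    for host, entry in report.items():
        verdict = ("RESOLVED - check flow/proxy logs" if entry["resolved"]
                   else "lookups only, never resolved")
        print(f"{host}: {entry['attempts']} lookups "
              f"{entry['first']:%Y-%m-%d}..{entry['last']:%Y-%m-%d} ({verdict})")
    return report


if __name__ == "__main__":
    run_demo()
```

    On the constructed data the infected Linux host keeps querying the domain after the cutoff but never gets an answer, which is the pattern consistent with the DNC’s statement (programmed to communicate, no evidence it succeeded). A resolved answer would not settle the question either way; it would be the cue to pull flow and proxy records for that address and time window.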

    The indictment also asserts that the creation of the “Guccifer 2.0” persona was a hasty forced response to the June 2016 reports about the DNC hack that fingered the Russians. And it was Unit 74455 that was tasked with putting together the Guccifer 2.0 persona to try to take the blame off of the Russian government:


    What’s certain is that when the DNC and Crowdstrike went public on June 14, Fancy Bear was caught off guard. The GRU’s whistleblower narrative was still in the can, and the truth about Russia’s attack was in all the newspapers.

    “In response, the Conspirators created the online persona Guccifer 2.0, and falsely claimed to be a lone Romanian hacker to undermine the allegations of Russian responsibility for the intrusion,” according to Mueller’s indictment.

    Managing the Guccifer persona fell to a completely different group in a separate GRU facility called Unit 74455, which appears from the indictment to serve as a more-sophisticated version of the Internet Research Agency, maintaining fake social media profiles to extend Russia’s covert influence around the world.

    Guccifer 2.0 claimed that he, and he alone, was responsible for the DNC breach. The intelligence community and security experts weren’t fooled, but others were. Helped by Trump adviser Roger Stone and other high-profile figures, Unit 74455 managed to sow doubt on the margins about Russia’s involvement in the election hacks.

    Recall that one of the initial clues that Guccifer 2.0 wasn’t actually a lone Romanian hacker was the fact that the Guccifer 2.0 persona didn’t actually talk like a Romanian. So if Unit 74455, the GRU’s crack team for social media influence operations, was unable to come up with a persona that actually spoke fluent Romanian that’s a pretty horrible crack team. But that’s what the Mueller indictment specifically says happened.

    So as we can see, the indictment purports to answer a number of questions that have been swirling around the investigation, while leaving a number of open questions. And the question of “why would the Russians be so utterly incompetent” remains unasked entirely. But the indictment does raise one very massive new question, and it’s a question the Russian government must be asking itself rather earnestly at this point: did the US hack the GRU?

    Bloomberg Opinion

    Russia Hacker Indictments Should Make the Kremlin Squirm

    Mueller’s knowledge of individual Russian intelligence officers should make the Kremlin uncomfortable.

    By Leonid Bershidsky
    July 16, 2018, 8:05 AM CDT

    The real bombshell in Special Counsel Robert Mueller’s latest indictment is the investigators’ apparent ability to link specific actions, such as searches and technical queries, to specific officers of the GRU, Russia’s military intelligence service. By making these connections, Mueller’s team has made an enormous leap from the U.S. intelligence community’s previous disclosures. They draw the first straight line from the hacking and spearphishing of U.S. Democrats to the Russian government — and pose some further questions for the media and the public to ask about this bizarre affair.

    The indictment blames the Democratic National Committee hack and the spearphishing of Clinton campaign chairman John Podesta on Military Unit 26165, located at Komsomolsky Prospekt 20 in Moscow — in former hussar barracks which also house the Russian Defense Ministry’s Military University. Another military unit, 74445, allegedly only helped maintain the infrastructure and helped distribute the stolen data.

    Unit 26165 is a highbrow one: It does cryptography for the GRU, and many of its officers are mathematicians and computer programmers. Its commander until January 2018, Viktor Netyksho, named in the indictment, is a mathematician and neural network expert. Netyksho’s predecessor, Sergey Gizunov, received a prestigious government prize for technological innovation; he is now deputy head of the GRU.

    It’s plausible that Unit 26165 could have taken part in cyberattacks on the Democrats. The Russian investigative site The Insider, also known for unmasking GRU officers involved in Russia’s hybrid war in eastern Ukraine, discovered that Georgy Roshka, one of the unit’s officers, was involved in hacking French President Emmanuel Macron’s election campaign in the spring of 2017. Roshka’s name showed up in the metadata of several financial documents stolen from the campaign — a slip-up that allowed The Insider to trace the name to Unit 26165 by analyzing participant lists of a secretive regular conference called Parallel Computing Technologies.

    No similar slip-ups took place during the Democratic National Committee hack or the theft of Podesta’s emails. While researchers found Russian language traces in metadata, they did not include any of the 12 names listed in the Mueller indictment. But Mueller appears to know which one of them performed which specific task linked to the hacks.

    The indictment says, for example, that Nikolai Kozachek, a “lieutenant captain” (a non-existent rank in the Russian army so perhaps this is roughly translated into the American equivalent), developed X-Agent, the malware used to hack the DNC network, with the help of other officers, including Pavel Yershov. It says that Lieutenant Colonel Sergey Morgachev oversaw the development and that “Second Lieutenant” (another non-existent rank) Artem Malyshev monitored the specific installation of X-Agent at the DNC. It identifies Senior Lieutenant Aleksey Lukashev as the person who spearphished Podesta. It says Ivan Yermakov (rank not specified) ran specific technical queries to research the DNC’s computer network.

    This level of detail is a major leap from the U.S. intelligence community’s January 2017 assessment concerning Russian interference in the 2016 election. That document merely said the GRU “probably began cyber operations aimed at the U.S. election by March 2016,” penetrated the Democrats’ networks and stole their documents. There is no longer any “probably” to the specific description of the GRU operation.

    How were investigators able to get the real names and ranks (such as they are) of people behind specific actions? One possibility is that the U.S. had a mole within the GRU, who had to be protected until last Friday, so U.S. intelligence didn’t release the specifics or even hint at them before. In that case, which would suggest a recent defection, we may only find out what happened years from now — or earlier, if either the Russian or the U.S. side leaks.

    Another scenario is that the U.S. or an ally penetrated the GRU network and watched the operation in real time. In January, Dutch journalists reported that the Dutch intelligence agency AIVD managed to hack into the network of a Russian government-connected hacking group located in a “university building next to Red Square in Moscow,” and watched it launch an attack on the DNC; it even identified the group’s members by watching the feed from a security camera in their space. Unit 26165 is, indeed, located in a university building (though not next to Red Square), but the Dutch scoop pointed to a different hacking group, APT-28 or Cozy Bear, linked to the SVR, Russia’s foreign intelligence, not to the GRU.

    The Dutch story, however, also contained this tidbit: “According to one American source, in late 2015, the NSA hackers manage to penetrate the mobile devices of several high ranking Russian intelligence officers. They learn that right before a hacking attack, the Russians search the internet for any news about the oncoming attack.” This could explain the level of detail in the indictment.

    If, however, the U.S. or its allies watched the attacks in real time, it’s not clear why the GRU was allowed to steal and distribute the Democrats’ information without the U.S. government’s interfering. Was the information the U.S. was receiving about the GRU’s methods so valuable that any effect the hacks could have had on the campaign were of secondary importance to U.S. intelligence? Were the campaigns, Democratic and Republican ones, briefed as U.S. intelligence watched the Russian hacking operation unfold? Was the Obama administration briefed? These questions arise inevitably if one believes the hacks were monitored.

    ———-

    “Russia Hacker Indictments Should Make the Kremlin Squirm” by Leonid Bershidsky; Bloomberg Opinion; 07/16/2018

    “The real bombshell in Special Counsel Robert Mueller’s latest indictment is the investigators’ apparent ability to link specific actions, such as searches and technical queries, to specific officers of the GRU, Russia’s military intelligence service. By making these connections, Mueller’s team has made an enormous leap from the U.S. intelligence community’s previous disclosures. They draw the first straight line from the hacking and spearphishing of U.S. Democrats to the Russian government — and pose some further questions for the media and the public to ask about this bizarre affair.”

    As Leonid Bershidsky puts it, the biggest bombshell in this new indictment is all the details. The ability to link actions like web searches to specific GRU officers hints at the possibility that the GRU was, itself, hacked and monitored as the hacks were carried out.

    Bershidsky then reminds us of one of the most inexplicably stupid alleged hacking mistakes of the GRU as additional evidence that the GRU’s Unit 26165 was directly involved in the hacks: the name of a Russian employee of a company believed to contract with the Russian intelligence services was found in the metadata of one of the documents released in the Macron hack in the lead-up to the 2017 French elections (also recall that the release of those hacked documents was tracked back to US neo-Nazi Andrew ‘weev’ Auernheimer). And as Bershidsky notes, that same Russian employee, Georgy Roshka/Roshka Georgiy Petrovichan, was identified as an officer of Unit 26165 by the Russian investigative site The Insider:


    It’s plausible that Unit 26165 could have taken part in cyberattacks on the Democrats. The Russian investigative site The Insider, also known for unmasking GRU officers involved in Russia’s hybrid war in eastern Ukraine, discovered that Georgy Roshka, one of the unit’s officers, was involved in hacking French President Emmanuel Macron’s election campaign in the spring of 2017. Roshka’s name showed up in the metadata of several financial documents stolen from the campaign — a slip-up that allowed The Insider to trace the name to Unit 26165 by analyzing participant lists of a secretive regular conference called Parallel Computing Technologies.

    And the fact that Georgy Roshka wasn’t known to be a member of Unit 26165 until after his name showed up in the metadata is quite notable. Because if Georgy Roshka really did accidentally leave his name in the metadata of the Macron files, that’s just a stunning mistake. But, on the other hand, if his name was planted in those documents, that would suggest that whoever did the planting had knowledge of Unit 26165 membership. So, given that neo-Nazi Andrew ‘weev’ Auernheimer appeared to be involved in the distribution of those hacked documents, if he was working with the GRU it would suggest it was the GRU who modified the documents and then gave them to Auernheimer to distribute. But if he wasn’t working with the GRU, it suggests he was working with a group that has knowledge of Unit 26165 membership. That’s all worth keeping in mind.
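    The slip-or-plant reasoning above rests on what these metadata fields actually are. In Office Open XML files (.docx, .xlsx, .pptx) the creator and last-modified-by values are plain text elements in docProps/core.xml inside the zip container, written by whatever application saved the file; nothing signs them or binds them to a person, which is why they are a lead to follow rather than proof on their own. The Python below is an added example, not code from the article or from The Insider: it builds a minimal constructed package with placeholder names and reads those fields back the way an analyst triaging a leaked document would.

```python
"""Read the author fields from an Office Open XML document's core properties.

Added example, not from the article or The Insider's analysis. The sample
package is built in memory for the demo and the names in it are placeholders.
"""
import io
import xml.etree.ElementTree as ET
import zipfile
from typing import Dict, List, Optional

# Namespaces used by docProps/core.xml in .docx/.xlsx/.pptx packages.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}

# The fields an analyst reads first, mapped to the element that carries them.
AUTHOR_FIELDS = {
    "creator": "dc:creator",
    "last_modified_by": "cp:lastModifiedBy",
    "created": "dcterms:created",
    "modified": "dcterms:modified",
}

CORE_PART = "docProps/core.xml"


def build_sample_package(creator: str, last_modified_by: str, include_core: bool = True) -> bytes:
    """Constructed minimal package: only the parts needed to read core properties.

    It is not an editable Word/Excel file; it shows where the fields live and
    that they are ordinary text elements (dates are placeholders).
    """
    core_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        "<dc:creator>{creator}</dc:creator>"
        "<cp:lastModifiedBy>{lmb}</cp:lastModifiedBy>"
        '<dcterms:created xsi:type="dcterms:W3CDTF">2017-04-01T09:00:00Z</dcterms:created>'
        '<dcterms:modified xsi:type="dcterms:W3CDTF">2017-04-02T10:30:00Z</dcterms:modified>'
        "</cp:coreProperties>"
    ).format(creator=creator, lmb=last_modified_by, **NS)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns='
                    '"http://schemas.openxmlformats.org/package/2006/content-types"/>')
        if include_core:
            zf.writestr(CORE_PART, core_xml)
    return buf.getvalue()


def read_core_properties(data: bytes) -> Dict[str, Optional[str]]:
    """Return the author/date fields, or None for each field the package lacks."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if CORE_PART not in zf.namelist():
            return {key: None for key in AUTHOR_FIELDS}
        root = ET.fromstring(zf.read(CORE_PART))
    props: Dict[str, Optional[str]] = {}
    for key, tag in AUTHOR_FIELDS.items():
        element = root.find(tag, NS)
        props[key] = element.text if element is not None else None
    return props


def provenance_notes(props: Dict[str, Optional[str]]) -> List[str]:
    """Plain-language reminders of what the fields can and cannot establish."""
    notes = []
    if props["creator"] is None and props["last_modified_by"] is None:
        notes.append("no author fields: metadata stripped or never written")
    elif props["creator"] == props["last_modified_by"]:
        notes.append("creator and lastModifiedBy match: a single account or template saved the file")
    else:
        notes.append("different account names created and last saved the file")
    notes.append("values are unsigned free text set by the saving application, not an identity proof")
    return notes


if __name__ == "__main__":
    sample = build_sample_package("Placeholder Creator", "Placeholder Editor")
    found = read_core_properties(sample)
    for key, value in found.items():
        print(f"{key:17} {value}")
    for note in provenance_notes(found):
        print("-", note)
```

    The same reader works on a real .docx or .xlsx by passing the file’s bytes to read_core_properties; a document with no docProps/core.xml part comes back with every field None, which is itself worth recording, since stripped metadata says something about how the file was handled before release.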

    Bershidsky goes on to point out the surprising level of detail the Mueller team apparently has about who did what, while noting the ranks for these GRU members listed in the indictment aren’t actually real Russian army ranks (presumably the ranks were effectively translated to American military ranks?):


    No similar slip-ups took place during the Democratic National Committee hack or the theft of Podesta’s emails. While researchers found Russian language traces in metadata, they did not include any of the 12 names listed in the Mueller indictment. But Mueller appears to know which one of them performed which specific task linked to the hacks.

    The indictment says, for example, that Nikolai Kozachek, a “lieutenant captain” (a non-existent rank in the Russian army so perhaps this is roughly translated into the American equivalent), developed X-Agent, the malware used to hack the DNC network, with the help of other officers, including Pavel Yershov. It says that Lieutenant Colonel Sergey Morgachev oversaw the development and that “Second Lieutenant” (another non-existent rank) Artem Malyshev monitored the specific installation of X-Agent at the DNC. It identifies Senior Lieutenant Aleksey Lukashev as the person who spearphished Podesta. It says Ivan Yermakov (rank not specified) ran specific technical queries to research the DNC’s computer network.

    This level of detail is a major leap from the U.S. intelligence community’s January 2017 assessment concerning Russian interference in the 2016 election. That document merely said the GRU “probably began cyber operations aimed at the U.S. election by March 2016,” penetrated the Democrats’ networks and stole their documents. There is no longer any “probably” to the specific description of the GRU operation.

    He then asks the obvious question: so how did the US obtain this level of detail about the hacking operation? Did it come from a mole inside the Russian government? Or was the GRU already hacked, and was it being watched during the hacking operation? Bershidsky then recalls the remarkable report from February about how Dutch government hackers had apparently hacked Cozy Bear (the FSB hackers) and actually observed the online searches high-ranking Russian intelligence officers made, and notes that the Mueller indictment also included online searches attributed to GRU officers. So were both the FSB and GRU hacking teams hacked?


    How were investigators able to get the real names and ranks (such as they are) of people behind specific actions? One possibility is that the U.S. had a mole within the GRU, who had to be protected until last Friday, so U.S. intelligence didn’t release the specifics or even hint at them before. In that case, which would suggest a recent defection, we may only find out what happened years from now — or earlier, if either the Russian or the U.S. side leaks.

    Another scenario is that the U.S. or an ally penetrated the GRU network and watched the operation in real time. In January, Dutch journalists reported that the Dutch intelligence agency AIVD managed to hack into the network of a Russian government-connected hacking group located in a “university building next to Red Square in Moscow,” and watched it launch an attack on the DNC; it even identified the group’s members by watching the feed from a security camera in their space. Unit 26165 is, indeed, located in a university building (though not next to Red Square), but the Dutch scoop pointed to a different hacking group, APT-28 or Cozy Bear, linked to the SVR, Russia’s foreign intelligence, not to the GRU.

    The Dutch story, however, also contained this tidbit: “According to one American source, in late 2015, the NSA hackers manage to penetrate the mobile devices of several high ranking Russian intelligence officers. They learn that right before a hacking attack, the Russians search the internet for any news about the oncoming attack.” This could explain the level of detail in the indictment.

    Bershidsky then asks the obvious follow-up question: if the GRU was indeed hacked and watched in real time by US intelligence agencies or their allies, why was the GRU allowed to carry out these attacks without the Democrats being informed?


    If, however, the U.S. or its allies watched the attacks in real time, it’s not clear why the GRU was allowed to steal and distribute the Democrats’ information without the U.S. government’s interfering. Was the information the U.S. was receiving about the GRU’s methods so valuable that any effect the hacks could have had on the campaign were of secondary importance to U.S. intelligence? Were the campaigns, Democratic and Republican ones, briefed as U.S. intelligence watched the Russian hacking operation unfold? Was the Obama administration briefed? These questions arise inevitably if one believes the hacks were monitored.

    This is a question that the Mueller indictment makes more relevant, because when you read the chronology of the hacks laid out in the indictment it’s clear that the hacking of the Democrats was a multi-stage event. As we saw in the first article, the first hack took place in March of 2016, when John Podesta’s email got hacked. It was in April that a DCCC employee got hacked, with the DNC hack taking place almost a week later. So if the GRU was being watched this whole time, there were plenty of opportunities to warn the Democrats that they were once again being hacked (recall the inexplicable seven-month delay in the FBI warning the Democrats about the Cozy Bear hack of 2015).

    Along those lines, it’s worth keeping in mind the report from August of 2016 that some members of Congress had known about the initial 2015 hack of the DNC (the ‘Cozy Bear’ hack) for over a year as of August 2016, and that the reason the Democratic Party was never informed was the highly sensitive nature of the intelligence. So if it really was the case that the GRU was hacked by the US or its allies, it would appear that US policy is to err on the side of watching and not doing anything that would tip off the hackers.

    But, again, that’s all assuming that the stunning level of detail in this indictment actually reflects real evidence the US government possesses, rather than just a series of assertions about what the Mueller team thinks happened. And at this point we have no idea, even for the assertions that are quite specific, with the notable exception of the Moscow-based server searches of the Guccifer 2.0 phrases. Even there, we don’t know whether the underlying evidence is simply that a computer assumed to be used by a specific GRU officer was used to make a search, or whether the evidence is convincingly linked back to that GRU officer’s computers.

    Alright, now let’s take a look at the actual indictment. Be sure to note the extensive references to the X-Agent malware. X-Agent, said by CrowdStrike to be exclusive to the GRU (even though that doesn’t appear to be true), was central to the technical execution of the hack, and the story of the GRU officers developing, testing, deploying, and managing X-Agent is central to the indictment. But the key piece of evidence is in paragraph 41, which states that someone at a Moscow-based server known to be managed by the GRU searched for phrases that showed up in Guccifer 2.0’s first message to the world:

    IN THE UNITED STATES DISTRICT COURT
    FOR THE DISTRICT OF COLUMBIA

    CRIMINAL NO.
    (18 U.S.C. 2, 1956,
    and 3551 et seq.)

    UNITED STATES OF AMERICA
    V.

    VIKTOR BORISOVICH [surname illegible],
    BORIS ALEKSEYEVICH ANTONOV,
    DMITRIY SERGEYEVICH BADIN,
    IVAN SERGEYEVICH YERMAKOV,
    ALEKSEY VIKTOROVICH LUKASHEV,
    SERGEY ALEKSANDROVICH MORGACHEV,
    NIKOLAY YURYEVICH KOZACHEK,
    PAVEL VYACHESLAVOVICH YERSHOV,
    ARTEM ANDREYEVICH MALYSHEV,
    ALEKSANDR VLADIMIROVICH OSADCHUK,
    ALEKSEY ALEKSANDROVICH POTEMKIN, and
    ANATOLIY SERGEYEVICH KOVALEV,

    Defendants.

    [Filing stamp: JUL 13 2018, Clerk, U.S. District & Bankruptcy Courts for the District of Columbia]

    *******

    INDICTMENT

    The Grand Jury for the District of Columbia charges:

    COUNT ONE
    (Conspiracy to Commit an Offense Against the United States)

    1. In or around 2016, the Russian Federation (“Russia”) operated a military intelligence
    agency called the Main Intelligence Directorate of the General Staff (“GRU”). The GRU had
    multiple units, including Units 26165 and 74455, engaged in cyber operations that involved the
    staged releases of documents stolen through computer intrusions. These units conducted large-scale
    cyber operations to interfere with the 2016 U.S. presidential election.


    2. Defendants VIKTOR BORISOVICH [surname illegible], BORIS ALEKSEYEVICH
    ANTONOV, DMITRIY SERGEYEVICH BADIN, IVAN SERGEYEVICH YERMAKOV,
    ALEKSEY VIKTOROVICH LUKASHEV, SERGEY ALEKSANDROVICH MORGACHEV,
    NIKOLAY YURYEVICH KOZACHEK, PAVEL VYACHESLAVOVICH YERSHOV, ARTEM
    ANDREYEVICH MALYSHEV, ALEKSANDR VLADIMIROVICH OSADCHUK, and
    ALEKSEY ALEKSANDROVICH POTEMKIN were GRU officers who knowingly and
    intentionally conspired with each other, and with persons known and unknown to the Grand Jury
    (collectively the “Conspirators”), to gain unauthorized access (to “hack”) into the computers of
    U.S. persons and entities involved in the 2016 U.S. presidential election, steal documents from
    these computers, and stage releases of the stolen documents to interfere with the 2016 U.S.
    presidential election.

    3. Starting in at least March 2016, the Conspirators used a variety of means to hack the email
    accounts of volunteers and employees of the U.S. presidential campaign of Hillary Clinton (the
    “Clinton Campaign”), including the email account of the Clinton Campaign’s chairman.

    4. By in or around April 2016, the Conspirators also hacked into the computer networks of
    the Democratic Congressional Campaign Committee (“DCCC”) and the Democratic National
    Committee (“DNC”). The Conspirators covertly monitored the computers of dozens of DCCC
    and DNC employees, implanted hundreds of files containing malicious computer code
    (“malware”), and stole emails and other documents from the DCCC and DNC.

    5. By in or around April 2016, the Conspirators began to plan the release of materials stolen
    from the Clinton Campaign, DCCC, and DNC.

    6. Beginning in or around June 2016, the Conspirators staged and released tens of thousands
    of the stolen emails and documents. They did so using fictitious online personas, including
    “DCLeaks” and “Guccifer 2.0.”

    7. The Conspirators also used the Guccifer 2.0 persona to release additional stolen documents
    through a website maintained by an organization (“Organization 1”), that had previously posted
    documents stolen from U.S. persons, entities, and the U.S. government. The Conspirators
    continued their U.S. election-interference operations through in or around November 2016.

    8. To hide their connections to Russia and the Russian government, the Conspirators used
    false identities and made false statements about their identities. To further avoid detection, the
    Conspirators used a network of computers located across the world, including in the United States,
    and paid for this infrastructure using cryptocurrency.

    Defendants

    9. Defendant VIKTOR BORISOVICH [surname illegible] (Виктор Борисович) was
    the Russian military officer in command of Unit 26165, located at 20 Komsomolskiy Prospekt,
    Moscow, Russia. Unit 26165 had primary responsibility for hacking the DCCC and DNC, as well
    as the email accounts of individuals affiliated with the Clinton Campaign.

    10. Defendant BORIS ALEKSEYEVICH ANTONOV (Антонов Борис Алексеевич) was a
    Major in the Russian military assigned to Unit 26165. ANTONOV oversaw a department within
    Unit 26165 dedicated to targeting military, political, governmental, and non-governmental
    organizations with spearphishing emails and other computer intrusion activity. ANTONOV held
    the title “Head of Department.” In or around 2016, ANTONOV supervised other co-conspirators
    who targeted the DNC, and individuals affiliated with the Clinton Campaign.

    11. Defendant DMITRIY SERGEYEVICH BADIN (Бадин Дмитрий Сергеевич) was a
    Russian military officer assigned to Unit 26165 who held the title “Assistant Head of Department.”
    In or around 2016, BADIN, along with ANTONOV, supervised other co-conspirators who targeted
    the DNC, and individuals affiliated with the Clinton Campaign.


    12. Defendant IVAN SERGEYEVICH YERMAKOV (Ермаков Иван Сергеевич) was a
    Russian military officer assigned to department within Unit 26165. Since in or
    around 2010, YERMAKOV used various online personas, including “Kate S. Milton,” “James
    McMorgans,” and “Karen W. Millen,” to conduct hacking operations on behalf of Unit 26165. In
    or around March 2016, YERMAKOV participated in hacking at least two email accounts from
    which campaign-related documents were released through DCLeaks. In or around May 2016,
    YERMAKOV also participated in hacking the DNC email server and stealing DNC emails that
    were later released through Organization 1.

    13. Defendant ALEKSEY VIKTOROVICH LUKASHEV (Лукашев Алексей Викторович)
    was a Senior Lieutenant in the Russian military assigned to department within Unit
    26165. LUKASHEV used various online personas, including “Den Katenberg” and “Yuliana
    Martynova.” In or around 2016, LUKASHEV sent spearphishing emails to members of the
    Clinton Campaign and affiliated individuals, including the chairman of the Clinton Campaign.

    14. Defendant SERGEY ALEKSANDROVICH MORGACHEV (Моргачев Сергей
    Александрович) was a Lieutenant Colonel in the Russian military assigned to Unit 26165.
    MORGACHEV oversaw a department within Unit 26165 dedicated to developing and managing
    malware, including a hacking tool used by the GRU known as “X-Agent.” During the hacking of
    the DCCC and DNC networks, MORGACHEV supervised the co-conspirators who developed and
    monitored the X-Agent malware implanted on those computers.

    15. Defendant NIKOLAY YURYEVICH KOZACHEK (Козачек Николай Юрьевич) was a
    Lieutenant Captain in the Russian military assigned to MORGACHEV’s department within Unit
    26165. KOZACHEK used a variety of monikers, including “kazak” and “blablabla1234565.”
    KOZACHEK developed, customized, and monitored X-Agent malware used to hack the DCCC
    and DNC networks beginning in or around April 2016.

    16. Defendant PAVEL VYACHESLAVOVICH YERSHOV (Ершов Павел Вячеславович)
    was a Russian military officer assigned to department within Unit 26165. In or
    around 2016, YERSHOV assisted KOZACHEK and other co-conspirators in testing and
    customizing X-Agent malware before actual deployment and use.

    17. Defendant ARTEM ANDREYEVICH MALYSHEV (Малышев Артем Андреевич) was
    a Second Lieutenant in the Russian military assigned to MORGACHEV’s department within Unit
    26165. MALYSHEV used a variety of monikers, including “djangomagicdev” and “realblatr.” In
    or around 2016, MALYSHEV monitored X-Agent malware implanted on the DCCC and DNC
    networks.

    18. Defendant ALEKSANDR VLADIMIROVICH OSADCHUK (Осадчук Александр Владимирович)
    was a Colonel in the Russian military and the commanding officer of Unit 74455.
    Unit 74455 was located at 22 Kirova Street, Khimki, Moscow, a building referred to within the
    GRU as the “Tower.” Unit 74455 assisted in the release of stolen documents through the DCLeaks
    and Guccifer 2.0 personas, the promotion of those releases, and the publication of anti-Clinton
    content on social media accounts operated by the GRU.

    19. Defendant ALEKSEY ALEKSANDROVICH POTEMKIN (Потемкин Алексей Александрович)
    was an officer in the Russian military assigned to Unit 74455. POTEMKIN was
    a supervisor in a department within Unit 74455 responsible for the administration of computer
    infrastructure used in cyber operations. Infrastructure and social media accounts administered by
    department were used, among other things, to assist in the release of stolen
    documents through the DCLeaks and Guccifer 2.0 personas.


    Object of the Conspiracy

    20. The object of the conspiracy was to hack into the computers of U.S. persons and entities
    involved in the 2016 U.S. presidential election, steal documents from those computers, and stage
    releases of the stolen documents to interfere with the 2016 U.S. presidential election.

    Manner and Means of the Conspiracy

    Spearphishing Operations

    21. ANTONOV, BADIN, YERMAKOV, LUKASHEV, and their co-conspirators targeted
    victims using a technique known as spearphishing to steal victims’ passwords or otherwise gain
    access to their computers. Beginning by at least March 2016, the Conspirators targeted over 300
    individuals affiliated with the Clinton Campaign, DCCC, and DNC.

    a. For example, on or about March 19, 2016, LUKASHEV and his co-conspirators
    created and sent a spearphishing email to the chairman of the Clinton Campaign.
    LUKASHEV used the account “john356gh” at an online service that abbreviated
    website addresses (referred to as a “URL-shortening service”).
    LUKASHEV used the account to mask a link contained in the spearphishing email,
    which directed the recipient to a GRU-created website. LUKASHEV altered the
    appearance of the sender email address in order to make it look like the email was
    a security notification from Google (a technique known as “spoofing”), instructing
    the user to change his password by clicking the embedded link. Those instructions
    were followed. On or about March 21, 2016, LUKASHEV, YERMAKOV, and
    their co-conspirators stole the contents of the chairman’s email account, which
    consisted of over 50,000 emails.

    b. Starting on or about March 19, 2016, LUKASHEV and his co-conspirators sent
    spearphishing emails to the personal accounts of other individuals affiliated with
    the Clinton Campaign, including its campaign manager and a senior foreign policy
    adviser. On or about March 25, 2016, LUKASHEV used the same john356gh
    account to mask additional links included in spearphishing emails sent to numerous
    individuals affiliated with the Clinton Campaign, including Victims 1 and 2.
    LUKASHEV sent these emails from the Russia-based email account
    hi.mymail@yandex.com that he spoofed to appear to be from Google.

    c. On or about March 28, 2016, YERMAKOV researched the names of Victims 1 and
    2 and their association with Clinton on various social media sites. Through their
    spearphishing operations, LUKASHEV, YERMAKOV, and their co-conspirators
    successfully stole email credentials and thousands of emails from numerous
    individuals affiliated with the Clinton Campaign. Many of these stolen emails,
    including those from Victims 1 and 2, were later released by the Conspirators
    through DCLeaks.

    d. On or about April 6, 2016, the Conspirators created an email account in the name
    (with a one-letter deviation from the actual spelling) of a known member of the
    Clinton Campaign. The Conspirators then used that account to send spearphishing
    emails to the work accounts of more than thirty different Clinton Campaign
    employees. In the spearphishing emails, LUKASHEV and his co-conspirators
    embedded a link purporting to direct the recipient to a document titled
    “hillary-clinton-favorable-rating.xlsx.” In fact, this link directed the recipients’ computers
    to a GRU-created website.

    22. The Conspirators spearphished individuals affiliated with the Clinton Campaign
    throughout the summer of 2016. For example, on or about July 27, 2016, the Conspirators
    attempted after hours to spearphish for the first time email accounts at a domain hosted by a
    third-party provider and used by Clinton’s personal office. At or around the same time, they also
    targeted seventy-six email addresses at the domain for the Clinton Campaign.

    Hacking into the DCCC Network

    23. Beginning in or around March 2016, the Conspirators, in addition to their spearphishing
    efforts, researched the DCCC and DNC computer networks to identify technical specifications and
    vulnerabilities.

    a. For example, beginning on or about March 15, 2016, YERMAKOV ran a technical
    query for the internet protocol configurations to identify connected devices.

    b. On or about the same day, YERMAKOV searched for open-source information
    about the DNC network, the Democratic Party, and Hillary Clinton.

    c. On or about April 7, 2016, YERMAKOV ran a technical query for the DCCC
    internet protocol configurations to identify connected devices.

    24. By in or around April 2016, within days of the searches regarding the DCCC,
    the Conspirators hacked into the DCCC computer network. Once they gained access, they
    installed and managed different types of malware to explore the DCCC network and steal data.

    a. On or about April 12, 2016, the Conspirators used the stolen credentials of a DCCC
    Employee (“DCCC Employee 1”) to access the DCCC network. DCCC
    Employee 1 had received a spearphishing email from the Conspirators on or about
    April 6, 2016, and entered her password after clicking on the link.

    b. Between in or around April 2016 and June 2016, the Conspirators installed multiple
    versions of their X-Agent malware on at least ten computers, which allowed
    them to monitor individual employees’ computer activity, steal passwords, and
    maintain access to the DCCC network.


    c. X-Agent malware implanted on the DCCC network transmitted information from
    the victims’ computers to a GRU-leased server located in Arizona. The
    Conspirators referred to this server as their “AMS” panel. KOZACHEK,
    MALYSHEV, and their co-conspirators logged into the AMS panel to use
    X-Agent’s keylog and screenshot functions in the course of monitoring and
    surveilling activity on the computers. The keylog function allowed the
    Conspirators to capture keystrokes entered by employees. The screenshot
    function allowed the Conspirators to take pictures of the employees’
    computer screens.

    d. For example, on or about April 14, 2016, the Conspirators repeatedly activated
    X-Agent’s keylog and screenshot functions to surveil DCCC Employee 1’s
    computer activity over the course of eight hours. During that time, the Conspirators
    captured DCCC Employee 1’s communications with co-workers and the passwords
    she entered while working on fundraising and voter outreach projects. Similarly,
    on or about April 22, 2016, the Conspirators activated X-Agent’s keylog and
    screenshot functions to capture the discussions of another DCCC Employee
    (“DCCC Employee 2”) about the DCCC’s finances, as well as her individual
    banking information and other personal topics.

    25. On or about April 19, 2016, KOZACHEK, YERSHOV, and their co-conspirators remotely
    configured an overseas computer to relay communications between X-Agent malware and the
    AMS panel and then tested X-Agent’s ability to connect to this computer. The Conspirators
    referred to this computer as a “middle server.” The middle server acted as a proxy to obscure the
    connection between malware at the DCCC and the Conspirators’ AMS panel. On or about April
    20, 2016, the Conspirators directed X-Agent malware on the DCCC computers to connect to this
    middle server and receive directions from the Conspirators.

    Hacking into the DNC Network

    26. On or about April 18, 2016, the Conspirators hacked into the DNC’s computers through
    their access to the DCCC network. The Conspirators then installed and managed different types
    of malware (as they did in the DCCC network) to explore the DNC network and steal documents.

    a. On or about April 18, 2016, the Conspirators activated X-Agent’s keylog and
    screenshot functions to steal credentials of a DCCC employee who was authorized
    to access the DNC network. The Conspirators hacked into the DNC network from
    the DCCC network using stolen credentials. By in or around June 2016, they
    gained access to approximately thirty-three DNC computers.

    b. In or around April 2016, the Conspirators installed X-Agent malware on the DNC
    network, including the same versions installed on the DCCC network.
    MALYSHEV and his co-conspirators monitored the X-Agent malware from the
    AMS panel and captured data from the victim computers. The AMS panel collected
    thousands of keylog and screenshot results from the DCCC and DNC computers,
    such as a screenshot and keystroke capture of DCCC Employee 2 viewing the
    DCCC’s online banking information.

    Theft of DCCC and DNC Documents

    27. The Conspirators searched for and identified computers within the DCCC and DNC
    networks that stored information related to the 2016 U.S. presidential election. For example, on
    or about April 15, 2016, the Conspirators searched one hacked DCCC computer for terms that
    included “hillary,” “cruz,” and “trump.” The Conspirators also copied select folders,
    including “Benghazi Investigations.” The Conspirators targeted computers containing information
    such as opposition research and field operation plans for the 2016 elections.

    28. To enable them to steal a large number of documents at once without detection, the
    Conspirators used a publicly available tool to gather and compress multiple documents on the
    DCCC and DNC networks. The Conspirators then used other GRU malware, known as
    “X-Tunnel,” to move the stolen documents outside the DCCC and DNC networks through
    encrypted channels.

    a. For example, on or about April 22, 2016, the Conspirators compressed gigabytes
    of data from DNC computers, including opposition research. The Conspirators
    later moved the compressed DNC data using X-Tunnel to a GRU-leased computer
    located in Illinois.

    b. On or about April 28, 2016, the Conspirators connected to and tested the same
    computer located in Illinois. Later that day, the Conspirators used X-Tunnel to
    connect to that computer to steal additional documents from the DCCC network.

    29. Between on or about May 25, 2016 and June 1, 2016, the Conspirators hacked the DNC
    Microsoft Exchange Server and stole thousands of emails from the work accounts of DNC
    employees. During that time, YERMAKOV researched PowerShell commands related to
    accessing and managing the Microsoft Exchange Server.

    30. On or about May 30, 2016, MALYSHEV accessed the AMS panel in order to upgrade
    custom AMS software on the server. That day, the AMS panel received updates from
    approximately thirteen different X-Agent malware implants on DCCC and DNC computers.

    31. During the hacking of the DCCC and DNC networks, the Conspirators covered their tracks
    by intentionally deleting logs and computer files. For example, on or about May 13, 2016, the
    Conspirators cleared the event logs from a DNC computer. On or about June 20, 2016, the
    Conspirators deleted logs from the AMS panel that documented their activities on the panel,
    including the login history.

    Efforts to Remain on the DCCC and DNC Networks

    32. Despite the Conspirators’ efforts to hide their activity, beginning in or around May 2016,
    both the DCCC and DNC became aware that they had been hacked and hired a security company
    (“Company 1”) to identify the extent of the intrusions. By in or around June 2016, Company 1
    took steps to exclude intruders from the networks. Despite these efforts, a Linux-based version of
    X-Agent, programmed to communicate with the GRU-registered domain linuxkrnl.net, remained
    on the DNC network until in or around October 2016.

    33. In response to Company 1’s efforts, the Conspirators took countermeasures to maintain
    access to the DCCC and DNC networks.

    a. On or about May 31, 2016, YERMAKOV searched for open-source information
    about Company 1 and its reporting on X-Agent and X-Tunnel. On or about June
    1, 2016, the Conspirators attempted to delete traces of their presence on the DCCC
    network using the computer program CCleaner.

    b. On or about June 14, 2016, the Conspirators registered the domain actblues.com,
    which mimicked the domain of a political fundraising platform that included a
    DCCC donations page. Shortly thereafter, the Conspirators used stolen DCCC
    credentials to modify the DCCC website and redirect visitors to the actblues.com
    domain.

    c. On or about June 20, 2016, after Company 1 had disabled X-Agent on the DCCC
    network, the Conspirators spent over seven hours unsuccessfully trying to connect
    to X-Agent. The Conspirators also tried to access the DCCC network using
    previously stolen credentials.


    34. In or around September 2016, the Conspirators also successfully gained access to DNC
    computers hosted on a third-party cloud-computing service. These computers contained test
    applications related to the DNC’s analytics. After conducting reconnaissance, the Conspirators
    gathered data by creating backups, or “snapshots,” of the cloud-based systems using the
    cloud provider’s own technology. The Conspirators then moved the snapshots to cloud-based
    accounts they had registered with the same service, thereby stealing the data from the DNC.

    Stolen Documents Released through DCLeaks

    35. More than a month before the release of any documents, the Conspirators constructed the
    online persona DCLeaks to release and publicize stolen election-related documents. On or about
    April 19, 2016, after attempting to register the domain electionleaks.com, the Conspirators
    registered the domain dcleaks.com through a service that anonymized the registrant. The funds
    used to pay for the dcleaks.com domain originated from an account at an online
    service that the Conspirators also used to fund the lease of a virtual private server registered with
    the operational email account dirbinsaabol@mail.com. The dirbinsaabol email account was also
    used to register the john356gh URL-shortening account used by LUKASHEV to spearphish the
    Clinton Campaign chairman and other campaign-related individuals.

    36. On or about June 8, 2016, the Conspirators launched the public website dcleaks.com, which
    they used to release stolen emails. Before it shut down in or around March 2017, the site received
    over one million page views. The Conspirators falsely claimed on the site that DCLeaks was
    started by a group of “American hacktivists,” when in fact it was started by the Conspirators.

    37. Starting in or around June 2016 and continuing through the 2016 U.S. presidential election,
    the Conspirators used DCLeaks to release emails stolen from individuals affiliated with the Clinton
    Campaign. The Conspirators also released documents they had stolen in other spearphishing
    operations, including those they had conducted in 2015 that collected emails from individuals
    affiliated with the Republican Party.

    38. On or about June 8, 2016, and at approximately the same time that the dcleaks.com website
    was launched, the Conspirators created a DCLeaks Facebook page using a preexisting social media
    account under the fictitious name “Alice Donovan.” In addition to the DCLeaks Facebook page,
    the Conspirators used other social media accounts in the names of fictitious U.S. persons such as
    “Jason Scott” and “Richard Gingrey” to promote the DCLeaks website. The Conspirators accessed
    these accounts from computers managed by POTEMKIN and his co-conspirators.

    39. On or about June 8, 2016, the Conspirators created the Twitter account @dcleaks_. The
    Conspirators operated the @dcleaks_ Twitter account from the same computer used for other
    efforts to interfere with the 2016 U.S. presidential election. For example, the Conspirators used
    the same computer to operate the Twitter account @BaltimoreIsWhr, through which they
    encouraged U.S. audiences to “[j]oin our flash mob” opposing Clinton and to post images with the
    hashtag #BlacksAgainstHillary.

    Stolen Documents Released through Guccifer 2.0

    40. On or about June 14, 2016, the DNC, through Company 1, publicly announced that it
    had been hacked by Russian government actors. In response, the Conspirators created the online
    persona Guccifer 2.0 and falsely claimed to be a lone Romanian hacker to undermine the
    allegations of Russian responsibility for the intrusion.

    41. On or about June 15, 2016, the Conspirators logged into a Moscow-based server used and
    managed by Unit 74455 and, between 4:19 PM and 4:56 PM Moscow Standard Time, searched
    for certain words and phrases, including:

    Search Term(s):
    “some hundred sheets”
    “some hundreds of sheets”
    dcleaks
    illuminati
    широко известный перевод
    [widely known translation]
    “worldwide known”
    “think twice about”
    “company’s competence”

    42. Later that day, at 7:02 PM Moscow Standard Time, the online persona Guccifer 2.0
    published its first post on a blog site created through WordPress. Titled “DNC’s servers hacked
    by a lone hacker,” the post used numerous English words and phrases that the Conspirators had
    searched for earlier that day (bolded below):

    Worldwide known cyber security company [Company 1] announced that
    the Democratic National Committee (DNC) servers had been hacked by
    “sophisticated” hacker groups.

    I’m very pleased the company appreciated my skills so highly)))[…]

    Here are just a few docs from many thousands I extracted when hacking
    into DNC’s network. […]

    Some hundred sheets! This’s a serious case, isn’t it? […]

    I guess [Company 1] customers should think twice about company’s
    competence.

    F[***] the Illuminati and their conspiracies!!!!!!!! F[***]
    [Company 1]!!!!!!!!

    43. Between in or around June 2016 and October 2016, the Conspirators used Guccifer 2.0 to
    release documents through WordPress that they had stolen from the DCCC and DNC. The
    Conspirators, posing as Guccifer 2.0, also shared stolen documents with certain individuals.

    a. On or about August 15, 2016, the Conspirators, posing as Guccifer 2.0, received a
    request for stolen documents from a candidate for the U.S. Congress. The
    Conspirators responded using the Guccifer 2.0 persona and sent the candidate
    stolen documents related to the candidate’s opponent.

    b. On or about August 22, 2016, the Conspirators, posing as Guccifer 2.0, transferred
    approximately 2.5 gigabytes of data stolen from the DCCC to a then-registered state
    lobbyist and online source of political news. The stolen data included donor records
    and personal identifying information for more than 2,000 Democratic donors.

    c. On or about August 22, 2016, the Conspirators, posing as Guccifer 2.0, sent a
    reporter stolen documents pertaining to the Black Lives Matter movement. The
    reporter responded by discussing when to release the documents and offering to
    write an article about their release.

    44. The Conspirators, posing as Guccifer 2.0, also communicated with U.S. persons about the
    release of stolen documents. On or about August 15, 2016, the Conspirators, posing as Guccifer
    2.0, wrote to a person who was in regular contact with senior members of the presidential campaign
    of Donald J. Trump, “thank u for writing back … do u find anyt[h]ing interesting in the docs i
    posted?” On or about August 17, 2016, the Conspirators added, “please tell me if i can help
    anyhow … it would be a great pleasure to me.” On or about September 9, 2016, the Conspirators,
    again posing as Guccifer 2.0, referred to a stolen document posted online and asked the
    person, “what do think of the info on the turnout model for the democrats entire presidential
    campaign.” The person responded, “[p]retty standard.”

    45. The Conspirators conducted operations as Guccifer 2.0 and DCLeaks using overlapping
    computer infrastructure and financing.

    a. For example, between on or about March 14, 2016 and April 28, 2016, the
    Conspirators used the same pool of bitcoin funds to purchase a virtual private
    network (“VPN”) account and to lease a server in Malaysia. In or around June
    2016, the Conspirators used the Malaysian server to host the dcleaks.com website.
    On or about July 6, 2016, the Conspirators used the VPN to log into the
    @Guccifer_2 Twitter account. The Conspirators opened that VPN account from
    the same server that was also used to register malicious domains for the hacking of
    the DCCC and DNC networks.

    b. On or about June 27, 2016, the Conspirators, posing as Guccifer 2.0, contacted a
    U.S. reporter with an offer to provide stolen emails from “Hillary Clinton’s staff.”
    The Conspirators then sent the reporter the password to access a nonpublic,
    password-protected portion of dcleaks.com containing emails stolen from Victim 1
    by LUKASHEV, YERMAKOV, and their co-conspirators in or around March
    2016.

    46. On or about January 12, 2017, the Conspirators published a statement on the Guccifer 2.0
    WordPress blog, falsely claiming that the intrusions and release of stolen documents had “totally
    no relation to the Russian government.”

    Use of Organization 1

    47. In order to expand their interference in the 2016 U.S. presidential election, the Conspirators
    transferred many of the documents they stole from the DNC and the chairman of the Clinton
    Campaign to Organization 1. The Conspirators, posing as Guccifer 2.0, discussed the release of
    the stolen documents and the timing of those releases with Organization 1 to heighten their impact
    on the 2016 U.S. presidential election.

    a. On or about June 22, 2016, Organization 1 sent a private message to Guccifer 2.0
    to “[s]end any new material [stolen from the dnc] here for us to review and it will
    have a much higher impact than what you are doing.” On or about July 6, 2016,
    Organization 1 added, “if you have anything hillary related we want it in the next
    tweo [sic] days prefable [sic] because the DNC [Democratic National Convention]
    is approaching and she will solidify bernie supporters behind her after.” The
    Conspirators responded, “ok . . . i see.” Organization 1 explained, “we think trump
    has only a 25% chance of winning against hillary … so conflict between bernie
    and hillary is interesting.”

    b. After failed attempts to transfer the stolen documents starting in late June 2016, on
    or about July 14, 2016, the Conspirators, posing as Guccifer 2.0, sent
    Organization 1 an email with an attachment titled “wk linkl.txt.gpg.” The
    Conspirators explained to Organization 1 that the encrypted file contained
    instructions on how to access an online archive of stolen DNC documents. On or
    about July 18, 2016, Organization 1 confirmed it had “the 1Gb or so archive” and
    would make a release of the stolen documents “this week.”

    48. On or about July 22, 2016, Organization 1 released over 20,000 emails and other
    documents stolen from the DNC network by the Conspirators. This release occurred
    approximately three days before the start of the Democratic National Convention. Organization 1
    did not disclose Guccifer 2.0’s role in providing them. The latest-in-time email released through
    Organization 1 was dated on or about May 25, 2016, approximately the same day the Conspirators
    hacked the DNC Microsoft Exchange Server.

    49. On or about October 7, 2016, Organization 1 released the first set of emails from the
    chairman of the Clinton Campaign that had been stolen by LUKASHEV and his co-conspirators.
    Between on or about October 7, 2016 and November 7, 2016, Organization 1 released
    approximately thirty-three tranches of documents that had been stolen from the chairman of the
    Clinton Campaign. In total, over 50,000 stolen documents were released.

    Statutory Allegations

    50. Paragraphs 1 through 49 of this Indictment are re-alleged and incorporated by reference as
    if fully set forth herein.

    51. From at least in or around March 2016 through November 2016, in the District of Columbia
    and elsewhere, Defendants ANTONOV, BADIN, YERMAKOV, LUKASHEV,
    MORGACHEV, KOZACHEK, YERSHOV, MALYSHEV, OSADCHUK, and POTEMKIN,
    together with others known and unknown to the Grand Jury, knowingly and intentionally conspired
    to commit offenses against the United States, namely:

    a. To knowingly access a computer without authorization and exceed authorized
    access to a computer, and to obtain thereby information from a protected computer,
    where the value of the information obtained exceeded $5,000, in violation of Title
    18, United States Code, Sections 1030(a)(2)(C) and 1030(c)(2)(B); and

    b. To knowingly cause the transmission of a program, information, code, and
    command, and as a result of such conduct, to intentionally cause damage without
    authorization to a protected computer, and where the offense did cause and, if
    completed, would have caused, loss aggregating $5,000 in value to at least one
    person during a one-year period from a related course of conduct affecting a
    protected computer, and damage affecting at least ten protected computers during
    a one-year period, in violation of Title 18, United States Code, Sections
    1030(a)(5)(A) and 1030(c)(4)(B).

    52. In furtherance of the Conspiracy and to effect its illegal objects, the Conspirators
    committed the overt acts set forth in paragraphs 1 through 19, 21 through 49, 55, and 57 through
    64, which are re-alleged and incorporated by reference as if fully set forth herein.

    53. In furtherance of the Conspiracy, and as set forth in paragraphs 1 through 19, 21 through
    49, 55, and 57 through 64, the Conspirators knowingly falsely registered a domain name and
    knowingly used that domain name in the course of committing an offense, namely, the
    Conspirators registered domains, including dcleaks.com and actblues.com, with false names and
    addresses, and used those domains in the course of committing the felony offense charged in Count
    One.

    All in violation of Title 18, United States Code, Sections 371 and 3559(g)(1).

    COUNTS TWO THROUGH NINE
    (Aggravated Identity Theft)

    54. Paragraphs 1 through 19, 21 through 49, and 57 through 64 of this Indictment are re-alleged
    and incorporated by reference as if fully set forth herein.

    55. On or about the dates specified below, in the District of Columbia and elsewhere,
    Defendants BORISOVICH BORIS ALEKSEYEVICH ANTONOV,
    DMITRIY SERGEYEVICH BADIN, IVAN SERGEYEVICH YERMAKOV, ALEKSEY
    VIKTOROVICH LUKASHEV, SERGEY ALEKSANDROVICH MORGACHEV, NIKOLAY
    YURYEVICH KOZACHEK, PAVEL VYACHESLAVOVICH YERSHOV, ARTEM
    ANDREYEVICH MALYSHEV, ALEKSANDR VLADIMIROVICH OSADCHUK, and
    ALEKSEY ALEKSANDROVICH POTEMKIN did knowingly transfer, possess, and use, without
    lawful authority, a means of identification of another person during and in relation to a felony
    violation enumerated in Title 18, United States Code, Section 1028A(c), namely, computer fraud
    in violation of Title 18, United States Code, Sections 1030(a)(2)(C) and 1030(c)(2)(B), knowing
    that the means of identification belonged to another real person:

    Count | Approximate Date | Victim | Means of Identification
    2 | March 21, 2016 | Victim 3 | Username and password for personal email account
    3 | March 25, 2016 | Victim 1 | Username and password for personal email account
    4 | April 12, 2016 | Victim 4 | Username and password for DCCC computer network
    5 | April 15, 2016 | Victim 5 | Username and password for DCCC computer network
    6 | April 18, 2016 | Victim 6 | Username and password for DCCC computer network
    7 | May 10, 2016 | Victim 7 | Username and password for DNC computer network
    8 | June 2, 2016 | Victim 2 | Username and password for personal email account
    9 | July 6, 2016 | Victim 8 | Username and password for personal email account

    All in violation of Title 18, United States Code, Sections 1028A(a)(1) and 2.

    COUNT TEN
    (Conspiracy to Launder Money)

    56. Paragraphs 1 through 19, 21 through 49, and 55 are re-alleged and incorporated by reference
    as if fully set forth herein.

    57. To facilitate the purchase of infrastructure used in their hacking activity, including hacking
    into the computers of U.S. persons and entities involved in the 2016 U.S. presidential election and
    releasing the stolen documents, the Defendants conspired to launder the equivalent of more than
    $95,000 through a web of transactions structured to capitalize on the perceived anonymity of
    cryptocurrencies such as bitcoin.

    58. Although the Conspirators caused transactions to be conducted in a variety of currencies,
    including U.S. dollars, they principally used bitcoin when purchasing servers, registering domains,
    and otherwise making payments in furtherance of hacking activity. Many of these payments were
    processed by companies located in the United States that provided payment processing services to
    hosting companies, domain registrars, and other vendors both international and domestic. The use
    of bitcoin allowed the Conspirators to avoid direct relationships with traditional financial
    institutions, allowing them to evade greater scrutiny of their identities and sources of funds.

    59. All bitcoin transactions are added to a public ledger called the Blockchain, but the
    Blockchain identifies the parties to each transaction only by alpha-numeric identifiers known as
    bitcoin addresses. To further avoid creating a centralized paper trail of all of their purchases, the
    Conspirators purchased infrastructure using hundreds of different email accounts, in some cases
    using a new account for each purchase. The Conspirators used fictitious names and addresses in
    order to obscure their identities and their links to Russia and the Russian government. For
    example, the dcleaks.com domain was registered and paid for using the fictitious name “Carrie
    Feehan” and an address in New York. In some cases, as part of the payment process, the
    Conspirators provided vendors with nonsensical addresses such as “usa Denver AZ,” “gfhgh
    ghfhgfh fdgfdg WA,” and “1 2 dwd District of Columbia.”

    60. The Conspirators used several dedicated email accounts to track basic bitcoin transaction
    information and to facilitate bitcoin payments to vendors. One of these dedicated accounts,
    registered with the username “gfadel47,” received hundreds of bitcoin payment requests from
    approximately 100 different email accounts. For example, on or about February 1, 2016, the
    gfadel47 account received the instruction to “[p]lease send exactly 0.026043 bitcoin to” a certain
    thirty-four character bitcoin address. Shortly thereafter, a transaction matching those exact
    instructions was added to the Blockchain.

    61. On occasion, the Conspirators facilitated bitcoin payments using the same computers that
    they used to conduct their hacking activity, including to create and send test spearphishing emails.
    Additionally, one of these dedicated accounts was used by the Conspirators in or around 2015 to
    renew the registration of a domain (linuxkrnl.net) encoded in certain X-Agent malware installed
    on the DNC network.

    62. The Conspirators funded the purchase of computer infrastructure for their hacking activity
    in part by “mining” bitcoin. Individuals and entities can mine bitcoin by allowing their computing
    power to be used to verify and record payments on the bitcoin public ledger, a service for which
    they are rewarded with freshly-minted bitcoin. The pool of bitcoin generated from the GRU’s
    mining activity was used, for example, to pay a Romanian company to register the domain
    dcleaks.com through a payment processing company located in the United States.

    63. In addition to mining bitcoin, the Conspirators acquired bitcoin through a variety of means
    designed to obscure the origin of the funds. This included purchasing bitcoin through peer-to-peer
    exchanges, moving funds through other digital currencies, and using pre-paid cards. They also
    enlisted the assistance of one or more third-party exchangers who facilitated layered transactions
    through digital currency exchange platforms providing heightened anonymity.

    64. The Conspirators used the same funding structure, and in some cases the very same pool
    of funds, to purchase key accounts, servers, and domains used in their election-related hacking
    activity.

    a. The bitcoin mining operation that funded the registration payment for dcleaks.com
    also sent newly-minted bitcoin to a bitcoin address controlled by “Daniel Farell,”
    the persona that was used to renew the domain linuxkrnl.net. The bitcoin mining
    operation also funded, through the same bitcoin address, the purchase of servers
    and domains used in the spearphishing operations, including accounts-
    qooqle.com and account-gooogle.com.

    b. On or about March 14, 2016, using funds in a bitcoin address, the Conspirators
    purchased a VPN account, which they later used to log into the @Guccifer_2
    Twitter account. The remaining funds from that bitcoin address were then used on
    or about April 28, 2016, to lease a Malaysian server that hosted the dcleaks.com
    website.

    c. The Conspirators used a different set of fictitious names (including “Ward
    DeClaur” and “Mike Long”) to send bitcoin to a company in order to lease a
    server used to administer X-Tunnel malware implanted on the DCCC and DNC
    networks, and to lease two servers used to hack the cloud network.

    Statutory Allegations

    65. From at least in or around 2015 through 2016, within the District of Columbia and
    elsewhere, Defendants VIKTOR BORISOVICH BORIS ALEKSEYEVICH
    ANTONOV, DMITRIY SERGEYEVICH BADIN, IVAN SERGEYEVICH YERMAKOV,
    ALEKSEY VIKTOROVICH LUKASHEV, SERGEY ALEKSANDROVICH MORGACHEV,
    NIKOLAY YURYEVICH KOZACHEK, PAVEL VYACHESLAVOVICH YERSHOV, ARTEM
    ANDREYEVICH MALYSHEV, ALEKSANDR VLADIMIROVICH OSADCHUK, and
    ALEKSEY ALEKSANDROVICH POTEMKIN, together with others, known and unknown to the
    Grand Jury, did knowingly and intentionally conspire to transport, transmit, and transfer monetary
    instruments and funds to a place in the United States from and through a place outside the United
    States and from a place in the United States to and through a place outside the United States, with
    the intent to promote the carrying on of specified unlawful activity, namely, a violation of Title
    18, United States Code, Section 1030, contrary to Title 18, United States Code, Section
    1956(a)(2)(A).

    All in violation of Title 18, United States Code, Section 1956(h).

    COUNT ELEVEN
    (Conspiracy to Commit an Offense Against the United States)

    66. Paragraphs 1 through 8 of this Indictment are re-alleged and incorporated by reference as
    if fully set forth herein.

    Defendants

    67. Paragraph 18 of this Indictment relating to ALEKSANDR VLADIMIROVICH
    OSADCHUK is re-alleged and incorporated by reference as if fully set forth herein.

    68. Defendant ANATOLIY SERGEYEVICH KOVALEV (Ковалев Анатолий Сергеевич)
    was an officer in the Russian military assigned to Unit 74455 who worked in the GRU’s 22 Kirova
    Street building (the Tower).

    69. Defendants OSADCHUK and KOVALEV were GRU officers who knowingly and
    intentionally conspired with each other and with persons, known and unknown to the Grand Jury,
    to hack into the computers of U.S. persons and entities responsible for the administration of 2016
    U.S. elections, such as state boards of elections, secretaries of state, and U.S. companies that
    supplied software and other technology related to the administration of U.S. elections.

    Object of the Conspiracy

    70. The object of the conspiracy was to hack into protected computers of persons and entities
    charged with the administration of the 2016 U.S. elections in order to access these computers and
    steal voter data and other information stored on these computers.

    Manner and Means of the Conspiracy

    71. In or around June 2016, KOVALEV and his co-conspirators researched domains used by
    U.S. state boards of elections, secretaries of state, and other election-related entities for website
    vulnerabilities. KOVALEV and his co-conspirators also searched for state political party email
    addresses, including filtered queries for email addresses listed on state Republican Party websites.

    72. In or around July 2016, KOVALEV and his co-conspirators hacked the website of a state
    board of elections (“SBOE 1”) and stole information related to approximately 500,000 voters,
    including names, addresses, partial social security numbers, dates of birth, and driver’s license
    numbers.

    73. In or around August 2016, KOVALEV and his co-conspirators hacked into the computers
    of a U.S. vendor (“Vendor 1”) that supplied software used to verify voter registration information
    for the 2016 U.S. elections. KOVALEV and his co-conspirators used some of the same
    infrastructure to hack into Vendor 1 that they had used to hack into SBOE 1.

    74. In or around August 2016, the Federal Bureau of Investigation issued an alert about the
    hacking of SBOE 1 and identified some of the infrastructure that was used to conduct the hacking.
    In response, KOVALEV deleted his search history. KOVALEV and his co-conspirators also
    deleted records from accounts used in their operations targeting state boards of elections and
    similar election-related entities.

    75. In or around October 2016, KOVALEV and his co-conspirators further targeted state and
    county offices responsible for administering the 2016 U.S. elections. For example, on or about
    October 28, 2016, KOVALEV and his co-conspirators visited the websites of certain counties in
    Georgia, Iowa, and Florida to identify vulnerabilities.

    76. In or around November 2016 and prior to the 2016 U.S. presidential election, KOVALEV
    and his co-conspirators used an email account designed to look like a Vendor 1 email address to
    send over 100 spearphishing emails to organizations and personnel involved in administering
    elections in numerous Florida counties. The spearphishing emails contained malware that the
    Conspirators embedded into Word documents bearing Vendor 1’s logo.

    Statutory Allegations

    77. Between in or around June 2016 and November 2016, in the District of Columbia and
    elsewhere, Defendants OSADCHUK and KOVALEV, together with others known and unknown
    to the Grand Jury, knowingly and intentionally conspired to commit offenses against the United
    States, namely:

    a. To knowingly access a computer without authorization and exceed authorized
    access to a computer, and to obtain thereby information from a protected computer,
    where the value of the information obtained exceeded $5,000, in violation of Title
    18, United States Code, Sections 1030(a)(2)(C) and 1030(c)(2)(B); and

    b. To knowingly cause the transmission of a program, information, code, and
    command, and as a result of such conduct, to intentionally cause damage without
    authorization to a protected computer, and where the offense did cause and, if
    completed, would have caused, loss aggregating $5,000 in value to at least one
    person during a one-year period from a related course of conduct affecting a
    protected computer, and damage affecting at least ten protected computers during
    a one-year period, in violation of Title 18, United States Code, Sections
    1030(a)(5)(A) and 1030(c)(4)(B).

    78. In furtherance of the Conspiracy and to effect its illegal objects, OSADCHUK,
    KOVALEV, and their co-conspirators committed the overt acts set forth in paragraphs 67 through
    69 and 71 through 76, which are re-alleged and incorporated by reference as if fully set forth
    herein.

    All in violation of Title 18, United States Code, Section 371.

    FORFEITURE ALLEGATION

    79. Pursuant to Federal Rule of Criminal Procedure 32.2, notice is hereby given to Defendants
    that the United States will seek forfeiture as part of any sentence in the event of Defendants’
    convictions under Counts One, Ten, and Eleven of this Indictment. Pursuant to Title 18, United
    States Code, Sections 982(a)(2) and 1030(i), upon conviction of the offenses charged in Counts
    One and Eleven, Defendants ANTONOV, BADIN, YERMAKOV, LUKASHEV,
    MORGACHEV, KOZACHEK, YERSHOV, MALYSHEV, OSADCHUK, POTEMKIN, and
    KOVALEV shall forfeit to the United States any property, real or personal, which constitutes or
    is derived from proceeds obtained directly or indirectly as a result of such violation, and any
    personal property that was used or intended to be used to commit or to facilitate the commission
    of such offense. Pursuant to Title 18, United States Code, Section 982(a)(1), upon conviction of
    the offense charged in Count Ten, Defendants ANTONOV, BADIN,
    YERMAKOV, LUKASHEV, MORGACHEV, KOZACHEK, YERSHOV, MALYSHEV,
    OSADCHUK, and POTEMKIN shall forfeit to the United States any property, real or personal,
    involved in such offense, and any property traceable to such property. Notice is further given that,
    upon conviction, the United States intends to seek a judgment against each Defendant for a sum
    of money representing the property described in this paragraph, as applicable to each Defendant
    (to be offset by the forfeiture of any specific property).

    Substitute Assets

    80. If any of the property described above as being subject to forfeiture, as a result of any act or

    omission of any Defendant —

    a. cannot be located upon the exercise of due diligence;

    b. has been transferred or sold to, or deposited with, a third party;

    c. has been placed beyond the jurisdiction of the court;

    d. has been substantially diminished in value; or

    e. has been commingled with other property that cannot be subdivided without
    difficulty;

    it is the intent of the United States of America, pursuant to Title 18, United States Code, Section
    982(b) and Title 28, United States Code, Section 2461(c), incorporating Title 21, United States
    Code, Section 853, to seek forfeiture of any other property of said Defendant.
    Pursuant to 18 U.S.C. 982 and 1030(i); 28 U.S.C. 2461(c).

    Robert S. Mueller, III
    Special Counsel

    U.S. Department of Justice

    A TRUE BILL:

    Foreperson

    Date: July 13, 2018
    ———-

    Ok, so that was a lot of legalese, but notably easy to read legalese. It was a story of what happened. With lots of specific details. And lots of vague details. And no indication whether or not the specific technical details have been associated with the GRU agents in the indictment or whether it’s merely being asserted that these individuals were the people behind the technical details. That’s very unclear.

    Also keep in mind that the fact that the Mueller team has lots of specific technical evidence – like email accounts or VPNs or bitcoin wallets used in the hacks – is what we should expect at this point. What’s surprising is the linking of this technical evidence to specific GRU officers.
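    Paragraphs 45 and 64 of the indictment above are, in substance, a description of link analysis: a VPN account and a Malaysian server paid from one pool of bitcoin, the VPN used to log into @Guccifer_2, the server hosting dcleaks.com, a mining operation that paid for the dcleaks.com registration and for the address that renewed linuxkrnl.net, which in turn was encoded in X-Agent on the DNC network. The Python script below is an added example, not code from this post or from the indictment: it records those stated overlaps as an undirected graph, recovers the shortest chain of pivots between any two artifacts, and groups artifacts into clusters that share any funding or infrastructure. Node labels such as btc_pool_A, vpn_account, malaysian_server, registration_server, mining_pool and daniel_farell_btc_address are constructed placeholders (the indictment names no such identifiers), and the other_wallet cluster is constructed purely to show what an unlinked artifact looks like.

```python
"""Link analysis over shared funding and infrastructure.

Added example; not code from the Spitfire List post or the indictment.
Edges encode only overlaps stated in the quoted paragraphs 45(a), 61, 62
and 64. Node labels not on the page (btc_pool_A, vpn_account,
malaysian_server, registration_server, mining_pool,
daniel_farell_btc_address, other_*) are constructed placeholders.
"""
from collections import defaultdict, deque

# (artifact_a, artifact_b, relationship) observations, constructed from the text.
OBSERVATIONS = [
    ("btc_pool_A", "vpn_account", "paid for"),                        # para 45(a), 64(b)
    ("btc_pool_A", "malaysian_server", "paid for"),                   # para 45(a), 64(b)
    ("malaysian_server", "dcleaks.com", "hosted"),                    # para 45(a)
    ("vpn_account", "@Guccifer_2", "used to log into"),               # para 45(a)
    ("registration_server", "vpn_account", "opened"),                 # para 45(a)
    ("registration_server", "malicious_domains_dccc_dnc", "registered"),  # para 45(a)
    ("mining_pool", "dcleaks.com", "paid registration of"),           # para 62, 64(a)
    ("mining_pool", "daniel_farell_btc_address", "sent coins to"),    # para 64(a)
    ("daniel_farell_btc_address", "linuxkrnl.net", "renewed"),        # para 64(a)
    ("daniel_farell_btc_address", "accounts-qooqle.com", "paid for"), # para 64(a)
    ("daniel_farell_btc_address", "account-gooogle.com", "paid for"), # para 64(a)
    ("linuxkrnl.net", "x-agent_on_dnc", "encoded in"),                # para 61
    # Constructed control cluster: an artifact nothing above touches.
    ("other_wallet", "other_server", "paid for"),
]


def build_graph(observations):
    """Undirected adjacency map: node -> list of (neighbour, relationship)."""
    graph = defaultdict(list)
    for a, b, rel in observations:
        graph[a].append((b, rel))
        graph[b].append((a, rel))
    return graph


def link_path(graph, src, dst):
    """Shortest chain of shared-infrastructure pivots from src to dst.

    Returns a list of (node, relationship, node) steps, [] when src == dst,
    or None when the two artifacts sit in unconnected clusters. Breadth-first
    search yields the fewest pivots, i.e. the chain an analyst would have to
    defend observation by observation.
    """
    if src not in graph or dst not in graph:
        return None
    parent = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nxt, rel in graph[node]:
            if nxt not in parent:
                parent[nxt] = (node, rel)
                queue.append(nxt)
    if dst not in parent:
        return None
    steps, cur = [], dst
    while parent[cur] is not None:
        prev, rel = parent[cur]
        steps.append((prev, rel, cur))
        cur = prev
    return list(reversed(steps))


def clusters(graph):
    """Connected components: artifacts that share any funding or infrastructure."""
    seen, out = set(), []
    for start in list(graph):
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:
            node = stack.pop()
            if node in comp:
                continue
            comp.add(node)
            stack.extend(nb for nb, _ in graph[node] if nb not in comp)
        seen |= comp
        out.append(comp)
    return out


def pivot_count(graph, src, dst):
    """Number of observations the shortest chain rests on (None if unlinked).

    Every hop is one observation that could be mistaken or planted, so a
    longer chain deserves less weight, not more.
    """
    path = link_path(graph, src, dst)
    return None if path is None else len(path)


if __name__ == "__main__":
    g = build_graph(OBSERVATIONS)
    for a, rel, b in link_path(g, "@Guccifer_2", "dcleaks.com"):
        print(f"{a} --[{rel}]--> {b}")
    print(len(clusters(g)), "clusters;",
          pivot_count(g, "x-agent_on_dnc", "dcleaks.com"), "pivots from X-Agent to DCLeaks")
```

    The chain the script prints from @Guccifer_2 to dcleaks.com runs through four observations (VPN account, funding pool, Malaysian server, hosting), and the chain from the X-Agent domain to dcleaks.com through another four (renewal address, mining operation, registration payment). That count is the useful number: it is how many separate facts an attribution built on this kind of overlap has to get right, which is exactly the fragility the rest of this post is about.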

    But, at a minimum, the indictment indicates the Mueller team might have evidence that conclusively links these GRU units to the hacks. Let’s review those details. First, the indictment lists the GRU members and gives a brief chronology of the initial hacks. What’s noteworthy is that the chronology starts in March of 2016 and the language indicates that the GRU units started working on hacking the Democrats “starting in at least March 2016”. So the evidence this indictment is based on appears to start from March of 2016, which is interesting given all the hacking activity that preceded this (the ‘Cozy Bear’ hacks of 2015) and the indications that GRU units were, themselves, hacked and monitored by the US and/or its allies:


    INDICTMENT

    The Grand Jury for the District of Columbia charges:

    COUNT ONE
    (Conspiracy to Commit an Offense Against the United States)

    1. In or around 2016, the Russian Federation (“Russia”) operated a military intelligence
    agency called the Main Intelligence Directorate of the General Staff (“GRU”). The GRU had
    multiple units, including Units 26165 and 74455, engaged in cyber operations that involved the
    staged releases of documents stolen through computer intrusions. These units conducted large-
    scale cyber operations to interfere with the 2016 U.S. presidential election.

    2. Defendants VIKTOR BORISOVICH BORIS ALEKSEYEVICH
    ANTONOV, DMITRIY SERGEYEVICH BADIN, IVAN SERGEYEVICH YERMAKOV,
    ALEKSEY VIKTOROVICH LUKASHEV, SERGEY ALEKSANDROVICH MORGACHEV,
    NIKOLAY YURYEVICH KOZACHEK, PAVEL VYACHESLAVOVICH YERSHOV, ARTEM
    ANDREYEVICH MALYSHEV, ALEKSANDR VLADIMIROVICH OSADCHUK, and
    ALEKSEY ALEKSANDROVICH POTEMKIN were GRU officers who knowingly and
    intentionally conspired with each other, and with persons known and unknown to the Grand Jury
    (collectively the “Conspirators”), to gain unauthorized access (to “hack”) into the computers of
    U.S. persons and entities involved in the 2016 U.S. presidential election, steal documents from
    these computers, and stage releases of the stolen documents to interfere with the 2016 U.S.
    presidential election.

    3. Starting in at least March 2016, the Conspirators used a variety of means to hack the email
    accounts of Volunteers and employees of the U.S. presidential campaign of Hillary Clinton (the
    “Clinton Campaign”), including the email account of the Clinton Campaign’s chairman.

    4. By in or around April 2016, the Conspirators also hacked into the computer networks of
    the Democratic Congressional Campaign Committee (“DCCC”) and the Democratic National
    Committee (“DNC”). The Conspirators covertly monitored the computers of dozens of DCCC
    and DNC employees, implanted hundreds of files containing malicious computer code
    (“malware”), and stole emails and other documents from the DCCC and DNC.

    5. By in or around April 2016, the Conspirators began to plan the release of materials stolen
    from the Clinton Campaign, DCCC, and DNC.

    6. Beginning in or around June 2016, the Conspirators staged and released tens of thousands
    of the stolen emails and documents. They did so using fictitious online personas, including
    “DCLeaks” and “Guccifer 2.0.”

    7. The Conspirators also used the Guccifer 2.0 persona to release additional stolen documents
    through a website maintained by an organization (“Organization 1”), that had previously posted
    documents stolen from U.S. persons, entities, and the U.S. government. The Conspirators
    continued their U.S. election-interference operations through in or around November 2016.

    8. To hide their connections to Russia and the Russian government, the Conspirators used
    false identities and made false statements about their identities. To further avoid detection, the
    Conspirators used a network of computers located across the world, including in the United States,
    and paid for this infrastructure using cryptocurrency.

    Next, the indictment gives details on the defendants in Unit 26165, the unit that allegedly did the actual hacking:

    Defendants

    9. Defendant VIKTOR BORISOVICH (Нетыкшо Виктор Борисович) was
    the Russian military officer in command of Unit 26165, located at 20 Komsomolskiy Prospekt,
    Moscow, Russia. Unit 26165 had primary responsibility for hacking the DCCC and DNC, as well
    as the email accounts of individuals affiliated with the Clinton Campaign.

    10. Defendant BORIS ALEKSEYEVICH ANTONOV (Антонов Борис Алексеевич) was a
    Major in the Russian military assigned to Unit 26165. ANTONOV oversaw a department within
    Unit 26165 dedicated to targeting military, political, governmental, and non-governmental
    organizations with spearphishing emails and other computer intrusion activity. ANTONOV held
    the title “Head of Department.” In or around 2016, ANTONOV supervised other co-conspirators
    who targeted the DNC, and individuals affiliated with the Clinton Campaign.

    11. Defendant DMITRIY SERGEYEVICH BADIN (Бадин Дмитрий Сергеевич) was a
    Russian military officer assigned to Unit 26165 who held the title “Assistant Head of Department.”
    In or around 2016, BADIN, along with ANTONOV, supervised other co-conspirators who targeted
    the DNC, and individuals affiliated with the Clinton Campaign.

    12. Defendant IVAN SERGEYEVICH YERMAKOV (Ермаков Иван Сергеевич) was a
    Russian military officer assigned to department within Unit 26165. Since in or
    around 2010, YERMAKOV used various online personas, including “Kate S. Milton,” “James
    McMorgans,” and “Karen W. Millen,” to conduct hacking operations on behalf of Unit 26165. In
    or around March 2016, YERMAKOV participated in hacking at least two email accounts from
    which campaign-related documents were released through DCLeaks. In or around May 2016,
    YERMAKOV also participated in hacking the DNC email server and stealing DNC emails that
    were later released through Organization 1.

    13. Defendant ALEKSEY VIKTOROVICH LUKASHEV
    was a Senior Lieutenant in the Russian military assigned to department within Unit
    26165. LUKASHEV used various online personas, including “Den Katenberg” and “Yuliana
    Martynova.” In or around 2016, LUKASHEV sent spearphishing emails to members of the
    Clinton Campaign and affiliated individuals, including the chairman of the Clinton Campaign.

    And note how the following four members of Unit 26165 are specifically said to have worked with the X-Agent malware. Again, one of the big ‘WTF’ questions about the hacks has always been how on earth the GRU could have been so incompetent as to use malware that was ‘known’ to be ‘exclusive’ to the ‘Fancy Bear’/APT28 hacking group (even though that appears to be untrue) and that contained the same command-and-control IP address that had previously shown up in a hack publicly blamed on the Russian government. Was it a slip-up that a single individual at the GRU made? Well, according to this indictment, there were at least four people dedicated to developing, testing, and deploying the X-Agent malware. The ‘WTF’ aspect of this remains unaddressed:


    14. Defendant SERGEY ALEKSANDROVICH MORGACHEV
    was a Lieutenant Colonel in the Russian military assigned to Unit 26165.
    MORGACHEV oversaw a department within Unit 26165 dedicated to developing and managing
    malware, including a hacking tool used by the GRU known as “X-Agent.” During the hacking of
    the DCCC and DNC networks, MORGACHEV supervised the co-conspirators who developed and
    monitored the X-Agent malware implanted on those computers.

    15. Defendant NIKOLAY YURYEVICH KOZACHEK was a
    Lieutenant Captain in the Russian military assigned to MORGACHEV’s department within Unit
    26165. KOZACHEK used a variety of monikers, including “kazak” and “blablabla1234565.”
    KOZACHEK developed, customized, and monitored X-Agent malware used to hack the DCCC
    and DNC networks beginning in or around April 2016.

    16. Defendant PAVEL VYACHESLAVOVICH YERSHOV
    was a Russian military officer assigned to department within Unit 26165. In or
    around 2016, YERSHOV assisted KOZACHEK and other co-conspirators in testing and
    customizing X-Agent malware before actual deployment and use.

    17. Defendant ARTEM ANDREYEVICH MALYSHEV was
    a Second Lieutenant in the Russian military assigned to MORGACHEV’s department within Unit
    26165. MALYSHEV used a variety of monikers, including “djangomagicdev” and “realblatr.” In
    or around 2016, MALYSHEV monitored X-Agent malware implanted on the and DNC
    networks.

    Next, the indictment covers the members of Unit 74455, which allegedly created the “Guccifer 2.0” persona and set up the dcleaks.com website through which the hacked documents were initially distributed. The unit also allegedly operated social media campaigns to promote the hacked materials. This was the unit that used the Moscow-based server to search for phrases that showed up in Guccifer 2.0’s first message to the world:


    18. Defendant ALEKSANDR VLADIMIROVICH OSADCHUK
    was a Colonel in the Russian military and the commanding officer of Unit 74455.
    Unit 74455 was located at 22 Kirova Street, Khimki, Moscow, a building referred to within the
    GRU as the “Tower.” Unit 74455 assisted in the release of stolen documents through the DCLeaks
    and Guccifer 2.0 personas, the promotion of those releases, and the publication of anti-Clinton
    content on social media accounts operated by the GRU.

    19. Defendant ALEKSEY ALEKSANDROVICH POTEMKIN
    was an officer in the Russian military assigned to Unit 74455. POTEMKIN was
    a supervisor in a department within Unit 74455 responsible for the administration of computer
    infrastructure used in cyber operations. Infrastructure and social media accounts administered by
    department were used, among other things, to assist in the release of stolen
    documents through the DCLeaks and Guccifer 2.0 personas.

    The indictment then goes into some specifics of the spearphishing operation. Recall that this spearphishing operation was another one of the aspects of this hacking operation that involved the hackers making a massive mistake: the spearphishing emails used the Bit.ly URL-shortening service and the hackers forgot to set their Bit.ly account to private, which allowed investigators to uncover ALL of the targeted addresses in this spearphishing campaign. It’s just one of the many incredible mistakes allegedly made by the GRU:



    Object of the Conspiracy

    20. The object of the conspiracy was to hack into the computers of U.S. persons and entities
    involved in the 2016 U.S. presidential election, steal documents from those computers, and stage
    releases of the stolen documents to interfere with the 2016 U.S. presidential election.

    Manner and Means of the Conspiracy

    Spearphishing Operations

    21. ANTONOV, BADIN, YERMAKOV, LUKASHEV, and their co-conspirators targeted
    victims using a technique known as spearphishing to steal victims’ passwords or otherwise gain
    access to their computers. Beginning by at least March 2016, the Conspirators targeted over 300
    individuals affiliated with the Clinton Campaign, and DNC.

    a. For example, on or about March 19, 2016, LUKASHEV and his co-conspirators
    created and sent a spearphishing email to the chairman of the Clinton Campaign.
    LUKASHEV used the account “john356gh” at an online service that abbreviated
    website addresses (referred to as a “URL-shortening service”).
    LUKASHEV used the account to mask a link contained in the spearphishing email,
    which directed the recipient to a GRU-created website. LUKASHEV altered the
    appearance of the sender email address in order to make it look like the email was
    a security notification from Google (a technique known as “spoofing”), instructing
    the user to change his password by clicking the embedded link. Those instructions
    were followed. On or about March 21, 2016, LUKASHEV, YERMAKOV, and
    their co-conspirators stole the contents of the chairman’s email account, which
    consisted of over 50,000 emails.

    b. Starting on or about March 19, 2016, LUKASHEV and his co-conspirators sent
    spearphishing emails to the personal accounts of other individuals affiliated with
    the Clinton Campaign, including its campaign manager and a senior foreign policy
    adviser. On or about March 25, 2016, LUKASHEV used the same john356gh
    account to mask additional links included in spearphishing emails sent to numerous
    individuals affiliated with the Clinton Campaign, including Victims 1 and 2.
    LUKASHEV sent these emails from the Russia-based email account
    hi.mymail@yandex.com that he spoofed to appear to be from Google.

    Here, we see that one GRU individual is identified as researching the names of some of the spearphishing victims on social media sites on March 28, 2016. This is a good example of the kind of technical detail that is both specific and vague, because we don’t know whether the actual evidence about those searches was simply evidence from a social media company, like Facebook, that someone using a particular computer assumed to have been used by those GRU individuals researched the victims’ names on that day, or whether investigators tracked those searches down to a computer that they know was used by these GRU agents. But the fact that investigators apparently know which computers (or IP addresses) were associated with specific social media searches of the victims does indicate that investigators know quite a bit about which computers were directly used in the attacks and how they were used:


    c. On or about March 28, 2016, YERMAKOV researched the names of Victims 1 and
    2 and their association with Clinton on various social media sites. Through their
    spearphishing operations, LUKASHEV, YERMAKOV, and their co-conspirators
    successfully stole email credentials and thousands of emails from numerous
    individuals affiliated with the Clinton Campaign. Many of these stolen emails,
    including those from Victims 1 and 2, were later released by the Conspirators
    through DCLeaks.

    Next, the indictment includes a fact that’s received quite a bit of attention: on July 27, 2016, the hackers made their very first attempt to hack the private email server used by Hillary Clinton’s home office. Now, this is presumably not the private email server that was the subject of so much intense scrutiny by the GOP and FBI, since Clinton turned that over to the FBI in 2015. But the fact that this new private email server allegedly experienced its first spearphishing attempt on July 27, 2016, remains notable since that is the same day Donald Trump made his infamous public plea to ‘Russia’ to find and release Hillary’s emails. And this hacking attempt is described as taking place “after hours” on that day, suggesting the hacking attempt came after, not before, Trump’s public call for the hack. It’s just one more example of an action by the hackers that almost appears to be intended to send an “I’m a Russian hacker!” message to the world. Because while we’re only learning about this detail now in this indictment, the private email company presumably connected the dots at the time of the phishing attempt:


    d. On or about April 6, 2016, the Conspirators created an email account in the name
    (with a one-letter deviation from the actual spelling) of a known member of the
    Clinton Campaign. The Conspirators then used that account to send spearphishing
    emails to the work accounts of more than thirty different Clinton Campaign
    employees. In the spearphishing emails, LUKASHEV and his co-conspirators
    embedded a link purporting to direct the recipient to a document titled
    “hillary-clinton-favorable-rating.xlsx.” In fact, this link directed the recipients’ computers
    to a GRU-created website.

    22. The Conspirators spearphished individuals affiliated with the Clinton Campaign
    throughout the summer of 2016. For example, on or about July 27, 2016, the Conspirators
    attempted after hours to spearphish for the first time email accounts at a domain hosted by a
    third-party provider and used by Clinton’s personal office. At or around the same time, they also
    targeted seventy-six email addresses at the domain for the Clinton Campaign.

    Next, the indictment gives more details about the hacking of the DCCC and DNC networks. Once again, it attributes specific web searches to specific GRU agents. In this case they were searches related to the technical aspects of the DNC and DCCC computer networks. Again, we have no idea if these searches are simply tracked to computers that are assumed to have been operated by these GRU agents or if they were directly tracked back to these individuals:


    Hacking into the DCCC Network

    23. Beginning in or around March 2016, the Conspirators, in addition to their spearphishing
    efforts, researched the DCCC and DNC computer networks to identify technical specifications and
    vulnerabilities.

    a. For example, beginning on or about March 15, 2016, YERMAKOV ran a technical
    query for the internet protocol configurations to identify connected devices.

    b. On or about the same day, YERMAKOV searched for open-source information
    about the DNC network, the Democratic Party, and Hillary Clinton.

    c. On or about April 7, 2016, YERMAKOV ran a technical query for the DCCC
    internet protocol configurations to identify connected devices.

    Next, the indictment once again discusses the use of the X-Agent malware. Of note is how multiple versions of X-Agent were found. One interesting question regarding this is whether ALL of the versions of the X-Agent malware contained the 176.31.112.10 command-and-control server IP address previously attributed to ‘Fancy Bear’ or if only some of the X-Agent versions contained that conspicuous clue. The indictment also asserts that specific GRU individuals logged into the X-Agent “AMS” control panel on specific dates. Once again, we have no idea if the underlying evidence is that someone logged into these command-and-control servers on that date and it’s assumed to be these GRU agents or if the evidence directly ties back to these individuals. Interestingly, that AMS control panel server was located in Arizona. So one of the servers the GRU allegedly chose to run this operation from was in the United States, thus guaranteeing that it would be left for US investigators to pore over and gather forensic evidence. It’s one more rather odd tactical choice by these Russian government hackers:


    24. By in or around April 2016, within days of searches regarding the DCCC,
    the Conspirators hacked into the DCCC computer network. Once they gained access, they
    installed and managed different types of malware to explore the DCCC network and steal data.

    a. On or about April 12, 2016, the Conspirators used the stolen credentials of a
    Employee (“DCCC Employee 1”) to access the DCCC network. DCCC
    Employee 1 had received a spearphishing email from the Conspirators on or about
    April 6, 2016, and entered her password after clicking on the link.

    b. Between in or around April 2016 and June 2016, the Conspirators installed multiple
    versions of their X-Agent malware on at least ten computers, which allowed
    them to monitor individual employees’ computer activity, steal passwords, and
    maintain access to the DCCC network.

    c. X-Agent malware implanted on the DCCC network transmitted information from
    the victims’ computers to a GRU-leased server located in Arizona. The
    Conspirators referred to this server as their “AMS” panel. KOZACHEK,
    MALYSHEV, and their co-conspirators logged into the AMS panel to use
    X-Agent’s keylog and screenshot functions in the course of monitoring and
    surveilling activity on the computers. The keylog function allowed the
    Conspirators to capture keystrokes entered by employees. The screenshot
    function allowed the Conspirators to take pictures of the employees’
    computer screens.

    d. For example, on or about April 14, 2016, the Conspirators repeatedly activated
    X-Agent’s keylog and screenshot functions to surveil DCCC Employee 1’s
    computer activity over the course of eight hours. During that time, the Conspirators
    captured DCCC Employee 1’s communications with co-workers and the passwords
    she entered while working on fundraising and voter outreach projects. Similarly,
    on or about April 22, 2016, the Conspirators activated X-Agent’s keylog and
    screenshot functions to capture the discussions of another DCCC Employee
    (“DCCC Employee 2”) about the DCCC’s finances, as well as her individual
    banking information and other personal topics.

    Relating to the odd location choice of a command-and-control server in Arizona, one might assume that the choice had to do with not creating outbound traffic from the Democrats’ servers that would arouse suspicions (like outbound traffic to a server in Russia). So, in that sense, using an Arizona server might reduce the risk of getting caught in the act even if it enhances the risk after the fact. But that’s what makes this other detail so odd: on April 19, 2016, the hackers apparently set up an overseas “middleman” server that would relay the traffic out of the Democrats’ networks back to the Arizona server. In other words, the initial configuration for the X-Agent malware was to send traffic directly to the Arizona server. Then, about a month into the hacking operation, the X-Agent malware started sending traffic to this overseas middleman server, which relayed the data back to the Arizona server. Recall that the 176.31.112.10 server was indeed operated by the UK-based Crookserver company, along with the 91.121.108.153 command-and-control server that was also used by the malware. So might this “middleman” server have been one of the Crookserver computers? If so, that’s extra interesting since, as we also previously saw, the hackers who were previously associated with using that 176.31.112.10 server in the 2015 Bundestag hack reportedly lost control of the server in July of 2015 when that server itself was hacked and found to be used by four different hacking operations (recall that the server was vulnerable to the Heartbleed attack). So learning more about this middleman server and which particular IP address it used seems like a key factor in this investigation. Unfortunately, the details on the middleman server aren’t given in the indictment:


    25. On or about April 19, 2016, KOZACHEK, YERSHOV, and their co-conspirators remotely
    configured an overseas computer to relay communications between X-Agent malware and the
    AMS panel and then tested X-Agent’s ability to connect to this computer. The Conspirators
    referred to this computer as a “middle server.” The middle server acted as a proxy to obscure the
    connection between malware at the DCCC and the Conspirators’ AMS panel. On or about April
    20, 2016, the Conspirators directed X-Agent malware on the computers to connect to this
    middle server and receive directions from the Conspirators.

    Next, the indictment again makes assertions that specific GRU agents remotely logged into the Arizona server during the month of April to manage the X-Agent malware. Once again, we have no idea if this is based on technical evidence showing someone logged into the server and it’s assumed to be these GRU agents or if there’s evidence directly linking that command-and-control server usage back to these individuals:


    Hacking into the DNC Network

    26. On or about April 18, 2016, the Conspirators hacked into the DNC’s computers through
    their access to the DCCC network. The Conspirators then installed and managed different types
    of malware (as they did in the DCCC network) to explore the DNC network and steal documents.

    a. On or about April 18, 2016, the Conspirators activated X-Agent’s keylog and
    screenshot functions to steal credentials of a employee who was authorized
    to access the DNC network. The Conspirators hacked into the DNC network from
    the DCCC network using stolen credentials. By in or around June 2016, they
    gained access to approximately thirty-three DNC computers.

    b. In or around April 2016, the Conspirators installed X-Agent malware on the DNC
    network, including the same versions installed on the DCCC network.
    MALYSHEV and his co-conspirators monitored the X-Agent malware from the
    AMS panel and captured data from the victim computers. The AMS panel collected
    thousands of keylog and screenshot results from the DCCC and DNC computers,
    such as a screenshot and keystroke capture of DCCC Employee 2 viewing the
    DCCC’s online banking information.

    Theft of DCCC and DNC Documents

    27. The Conspirators searched for and identified computers within the DCCC and DNC
    networks that stored information related to the 2016 U.S. presidential election. For example, on
    or about April 15, 2016, the Conspirators searched one hacked DCCC computer for terms that
    included “hillary,” “cruz,” and “trump.” The Conspirators also copied select folders,
    including “Benghazi Investigations.” The Conspirators targeted computers containing information
    such as opposition research and field operation plans for the 2016 elections.

    Next, the indictment mentions another piece of malware used in the hacks: X-Tunnel. The malware is also described as “GRU malware”. So it’s worth recalling that the June 19, 2015, article in netzpolitik.org that covers the Bundestag hack of 2015 and mentions the 176.31.112.10 IP address also discusses the use of X-Tunnel in that hack! So if X-Tunnel was malware that the GRU was exclusively using up until that point in 2015, it would be particularly brazen of them to continue using X-Tunnel in the 2016 hack of the Democrats:


    28. To enable them to steal a large number of documents at once without detection, the
    Conspirators used a publicly available tool to gather and compress multiple documents on the
    DCCC and DNC networks. The Conspirators then used other GRU malware, known as
    “X-Tunnel,” to move the stolen documents outside the DCCC and DNC networks through
    encrypted channels.

    a. For example, on or about April 22, 2016, the Conspirators compressed gigabytes
    of data from DNC computers, including opposition research. The Conspirators
    later moved the compressed DNC data using X-Tunnel to a GRU-leased computer
    located in Illinois.

    And note how we learn about another server located in the United States that was used by the hackers: a server in Illinois that was communicating with the X-Tunnel malware:


    b. On or about April 28, 2016, the Conspirators connected to and tested the same
    computer located in Illinois. Later that day, the Conspirators used X-Tunnel to
    connect to that computer to steal additional documents from the DCCC network.

    Next, the indictment specifically asserts that one of the GRU agents researched PowerShell commands related to managing the Microsoft Exchange Server used by the DNC. The indictment then asserts that a specific GRU agent logged into the Arizona command-and-control server on May 30, 2016, to upgrade some of the command-and-control software. To reiterate, we have no idea if these claims are based on technical evidence showing someone did these things and it’s assumed to be these GRU agents or if there’s evidence directly linking these searches and logins back to these individuals:


    29. Between on or about May 25, 2016 and June 1, 2016, the Conspirators hacked the DNC
    Microsoft Exchange Server and stole thousands of emails from the work accounts of DNC
    employees. During that time, YERMAKOV researched PowerShell commands related to
    accessing and managing the Microsoft Exchange Server.

    30. On or about May 30, 2016, MALYSHEV accessed the AMS panel in order to upgrade
    custom AMS software on the server. That day, the AMS panel received updates from
    approximately thirteen different X-Agent malware implants on DCCC and DNC computers.

    Next, the indictment notes how the hackers apparently tried to cover their tracks on both the hacked Democrats’ network and the Arizona command-and-control server. Keep in mind that one of the signature aspects of this hacking operation is how brazen the hackers were, how little they appeared to care about getting caught, and how they seemed to be showing off, to the point that US officials assumed they were trying to send a message from the Russian government. So while the hackers may have made some efforts to cover their tracks, they also appeared to be interested in getting caught eventually and sending an “I’m a Russian hacker” message in the process:


    31. During the hacking of the DCCC and DNC networks, the Conspirators covered their tracks
    by intentionally deleting logs and computer files. For example, on or about May 13, 2016, the
    Conspirators cleared the event logs from a DNC computer. On or about June 20, 2016, the
    Conspirators deleted logs from the AMS panel that documented their activities on the panel,
    including the login history.

    Next, the indictment includes the remarkable revelation that at least one piece of the X-Agent malware remained on the Democrats’ networks until October of 2016, months after Crowdstrike assured the world it had removed all the infections. This version of X-Agent was configured to communicate with a command-and-control server at the linuxkrnl.net address. Recall what we saw above about how the linuxkrnl.net address wasn’t included in Crowdstrike’s initial report, suggesting they never found it. The DNC asserted that it was found and quarantined and unable to communicate with the hackers, while Donna Brazile wrote in her book that malware was stealing voter information files for months after Crowdstrike gave the all clear:


    Efforts to Remain on the DCCC and DNC Networks

    32. Despite the Conspirators’ efforts to hide their activity, beginning in or around May 2016,
    both the DCCC and DNC became aware that they had been hacked and hired a security company
    (“Company 1”) to identify the extent of the intrusions. By in or around June 2016, Company 1
    took steps to exclude intruders from the networks. Despite these efforts, a Linux-based version of
    X-Agent, programmed to communicate with the GRU-registered domain linuxkrnl.net, remained
    on the DNC network until in or around October 2016.

    Next, the indictment includes another allegation about a specific GRU agent searching for information about Crowdstrike (“Company 1”) and its reporting on X-Agent and X-Tunnel. So, again, don’t forget that X-Agent and X-Tunnel were both reported in June of 2015 in netzpolitik.org’s article about the Bundestag hack, where the 176.31.112.10 IP address was specifically mentioned as a key piece of evidence linking the Bundestag hack to earlier hacks attributed to the APT-28/Sofacy group. X-Agent is “Artifact #1” in the report and X-Tunnel “Artifact #2”, and it is noted that the name “XTunnel” shows up in the unobscured source code. So if it had just occurred to the GRU at the end of May 2016 to check and see whether there were any reports on the internet talking about X-Agent and X-Tunnel, that would be one more remarkable instance of incompetence. If, on the other hand, they were doing that search to get an idea of whether or not Crowdstrike had issued a recent report on their then-ongoing hack of the Democrats, that would indicate they were well aware of the conspicuous nature of using X-Agent and X-Tunnel:


    33. In response to Company 1’s efforts, the Conspirators took countermeasures to maintain
    access to the and DNC networks.

    a. On or about May 31, 2016, YERMAKOV searched for open-source information
    about Company 1 and its reporting on X-Agent and X-Tunnel. On or about June
    1, 2016, the Conspirators attempted to delete traces of their presence on the DCCC
    network using the computer program CCleaner.

    b. On or about June 14, 2016, the Conspirators registered the domain actblues.com,
    which mimicked the domain of a political fundraising platform that included a
    DCCC donations page. Shortly thereafter, the Conspirators used stolen DCCC
    credentials to modify the DCCC website and redirect visitors to the actblues.com
    domain.

    c. On or about June 20, 2016, after Company 1 had disabled X-Agent on the DCCC
    network, the Conspirators spent over seven hours unsuccessfully trying to connect
    to X-Agent. The Conspirators also tried to access the DCCC network using
    previously stolen credentials.

    Next, the indictment notes a September 2016 hack of DNC computers hosted on a cloud computing platform. The stolen data included the DNC’s analytics software. This is the kind of information that would have been extremely helpful for the Trump campaign’s social-media micro-targeting operations, so it’s notable for being the kind of information that the Trump campaign would have found extremely useful to obtain quietly:



    34. In or around September 2016, the Conspirators also successfully gained access to DNC
    computers hosted on a third-party cloud-computing service. These computers contained test
    applications related to the DNC’s analytics. After conducting reconnaissance, the Conspirators
    gathered data by creating backups, or “snapshots,” of the cloud-based systems using the
    cloud provider’s own technology. The Conspirators then moved the snapshots to cloud-based
    accounts they had registered with the same service, thereby stealing the data from the DNC.
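    The snapshot theft described in paragraph 34 leaves a trail in the cloud provider’s own audit log: the grant that makes a snapshot readable by another account. The following is an added example, not code from the indictment, the DNC or this blog; it assumes AWS-style CloudTrail records (the indictment does not name the provider) and flags any snapshot shared with an account outside a constructed allowlist.

```python
"""Detect cloud disk snapshots being shared outside the organization.

Added example; not code from the indictment or from any party it names.
It assumes AWS-style CloudTrail records (the indictment does not name the
cloud provider, so the event names and field layout are an assumption).
The technique it detects: snapshot the victim's cloud systems with the
provider's own tooling, then grant attacker-controlled accounts on the
same provider access to those snapshots.
"""
from __future__ import annotations

from typing import Any

# Accounts that belong to the organization (constructed sample IDs).
TRUSTED_ACCOUNTS: frozenset[str] = frozenset({"111111111111", "222222222222"})

# Constructed sample trail: a normal backup, two grants on that snapshot
# (to an unknown account, then to everyone), and a legitimate in-org grant.
SAMPLE_EVENTS: list[dict[str, Any]] = [
    {"eventTime": "2016-09-20T02:11:05Z", "eventName": "CreateSnapshot",
     "userIdentity": {"accountId": "111111111111", "userName": "backup-role"},
     "requestParameters": {"volumeId": "vol-0a1b2c3d", "description": "nightly"},
     "responseElements": {"snapshotId": "snap-0f00d"}},
    {"eventTime": "2016-09-20T02:40:17Z", "eventName": "ModifySnapshotAttribute",
     "userIdentity": {"accountId": "111111111111", "userName": "backup-role"},
     "requestParameters": {
         "snapshotId": "snap-0f00d",
         "createVolumePermission": {"add": {"items": [{"userId": "999999999999"}]}}}},
    {"eventTime": "2016-09-20T02:41:00Z", "eventName": "ModifySnapshotAttribute",
     "userIdentity": {"accountId": "111111111111", "userName": "backup-role"},
     "requestParameters": {
         "snapshotId": "snap-0f00d",
         "createVolumePermission": {"add": {"items": [{"group": "all"}]}}}},
    {"eventTime": "2016-09-20T02:45:00Z", "eventName": "ModifySnapshotAttribute",
     "userIdentity": {"accountId": "111111111111", "userName": "dr-role"},
     "requestParameters": {
         "snapshotId": "snap-0beef",
         "createVolumePermission": {"add": {"items": [{"userId": "222222222222"}]}}}},
]


def share_targets(event: dict[str, Any]) -> list[str]:
    """Principals that a ModifySnapshotAttribute call grants volume-creation
    rights to: account IDs, or "public" when the snapshot is opened to all.
    Any other event kind yields an empty list."""
    if event.get("eventName") != "ModifySnapshotAttribute":
        return []
    perm = event.get("requestParameters", {}).get("createVolumePermission", {})
    targets: list[str] = []
    for item in perm.get("add", {}).get("items", []):
        if "userId" in item:
            targets.append(str(item["userId"]))
        elif item.get("group") == "all":
            targets.append("public")
    return targets


def find_external_shares(events: list[dict[str, Any]],
                         trusted: frozenset[str] = TRUSTED_ACCOUNTS) -> list[dict[str, str]]:
    """One finding per grant that lets a principal outside `trusted` (or the
    public) create volumes from an organization snapshot."""
    findings: list[dict[str, str]] = []
    for event in events:
        for target in share_targets(event):
            if target == "public" or target not in trusted:
                findings.append({
                    "time": event["eventTime"],
                    "actor": event["userIdentity"].get("userName", "?"),
                    "snapshot": event["requestParameters"]["snapshotId"],
                    "target": target,
                })
    return findings


if __name__ == "__main__":
    for f in find_external_shares(SAMPLE_EVENTS):
        print(f"{f['time']} {f['actor']} shared {f['snapshot']} with {f['target']}")
```

    Run against real trail data, the same two grant shapes (a foreign account ID, or the "all" group) are the ones to alert on; the in-org grant on snap-0beef is deliberately left unflagged.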

    Next, the indictment notes that the same email address, dirbinsaabol@mail.com, was used to pay for the dcleaks.com domain registration and to sign up for the URL-shortening account (the URL-shortening account they apparently accidentally left publicly accessible). It’s also worth noting that using the same email address for different aspects of this hack is kind of lazy if you’re trying to hinder investigators. But it’s also consistent with the amateurish execution of this hack. So amateurish that it raises the question of whether or not it was professionally amateurish. A question that is almost never asked:


    Stolen Documents Released through DCLeaks

    35. More than a month before the release of any documents, the Conspirators constructed the
    online persona DCLeaks to release and publicize stolen election-related documents. On or about
    April 19, 2016, after attempting to register the domain electionleaks.com, the Conspirators
    registered the domain dcleaks.com through a service that anonymized the registrant. The funds
    used to pay for the dcleaks.com domain originated from an account at an online
    service that the Conspirators also used to fund the lease of a virtual private server registered with
    the operational email account dirbinsaabol@mail.com. The dirbinsaabol email account was also
    used to register the john356gh URL-shortening account used by LUKASHEV to spearphish the
    Clinton Campaign chairman and other campaign-related individuals.

    Next, the indictment gives some details on the management and promotion of the dcleaks.com website that was initially used to distribute hacked documents. It notes that Facebook accounts were set up under fake personas to promote the DCLeaks site at approximately the same time the dcleaks.com domain was registered, and that these Facebook accounts were accessed from computers managed by “POTEMKIN”, who, as we saw above, is described as “a supervisor in a department within Unit 74455 responsible for the administration of computer infrastructure used in cyber operations”. This is noteworthy because one of the questions regarding the specificity of these allegations is whether or not they are based on specific evidence that ties back to computers known to be used by the GRU or if it’s assumed to be the case based on circumstantial evidence and conjecture. So when we see that this Potemkin individual is apparently known as the administrator of Unit 74455’s cyber operations infrastructure, it again raises the question of whether the evidence is technical evidence that specifically ties back to computers known to be used by Potemkin’s unit or whether it’s inference based on the conclusion that ‘Unit 74455 did this, so therefore these are the computers that must have done it, and Potemkin manages them’. Again, the nature of the evidence is left completely ambiguous in the indictment:


    36. On or about June 8, 2016, the Conspirators launched the public website dcleaks.com, which
    they used to release stolen emails. Before it shut down in or around March 2017, the site received
    over one million page views. The Conspirators falsely claimed on the site that DCLeaks was
    started by a group of “American hacktivists,” when in fact it was started by the Conspirators.

    37. Starting in or around June 2016 and continuing through the 2016 U.S. presidential election,
    the Conspirators used DCLeaks to release emails stolen from individuals affiliated with the Clinton
    Campaign. The Conspirators also released documents they had stolen in other spearphishing
    operations, including those they had conducted in 2015 that collected emails from individuals
    affiliated with the Republican Party.

    38. On or about June 8, 2016, and at approximately the same time that the dcleakscom website
    was launched, the Conspirators created a DCLeaks Facebook page using a preexisting social media
    account under the fictitious name “Alice Donovan.” In addition to the DCLeaks acebook page,
    the Conspirators used other social media accounts in the names of fictitious U.S. persons such as
    “Jason Scott” and “Richard Gingrey” to promote the DCLeaks website. The Conspirators accessed
    these accounts from computers managed by POTEMKIN and his co-conspirators.

    Next, the indictment notes how the @dcleaks_ Twitter account was managed from the same computer “used for other
    efforts to interfere with the 2016 U.S. presidential election”. The example given of another effort this computer was used for is the management of the @BaltimoreIsWhr Twitter account that ran anti-Hillary #BlacksAgainstHillary trolling operations. It would be interesting to learn what other trolling operations the @BaltimoreIsWhr social media persona interacted with. And, again, what this tells us is that the same computer was used for those two Twitter accounts and some other activity, presumably involving social media trolling operations. Since the computer that directly ran the Twitter accounts was presumably a VPN endpoint, which can be difficult to trace back to particular end-user computers (VPNs routed through more VPNs, etc.), we don’t know whether there is technical evidence that ties the computer that managed these Twitter accounts back to the GRU hacker computers, or whether it is assumed to be the GRU based on circumstantial evidence, the Kremlin source and other intelligence:


    39. On or about June 8, 2016, the Conspirators created the Twitter account @dcleaks_. The
    Conspirators operated the @dcleaks_ Twitter account from the same computer used for other
    efforts to interfere with the 2016 U.S. presidential election. For example, the Conspirators used
    the same computer to operate the Twitter account @BaltimoreIsWhr, through which they
    encouraged U.S. audiences to “[j]oin our flash mob” opposing Clinton and to post images with the
    hashtag #BlacksAgainstHillary.

    Ok, now we get to paragraph 41, the point in the document that mentions someone logging into a Moscow-based server used and managed by Unit 74455 between 4:19 and 4:56 PM and searching for a number of phrases that showed up in Guccifer 2.0’s opening message to the world:


    Stolen Documents Released through Guccifer 2.0

    40. On or about June 14, 2016, the DNC, through Company 1, publicly announced that it
    had been hacked by Russian government actors. In response, the Conspirators created the online
    persona Guccifer 2.0 and falsely claimed to be a lone Romanian hacker to undermine the
    allegations of Russian responsibility for the intrusion.

    41. On or about June 15, 2016, the Conspirators logged into a Moscow-based server used and
    managed by Unit 74455 and, between 4:19 PM and 4:56 PM Moscow Standard Time, searched
    for certain words and phrases, including:

    Search Term(s):
    “some hundred sheets”
    “some hundreds of sheets”
    dcleaks
    illuminati
    широко известный перевод
    [widely known translation]
    “worldwide known”
    “think twice about”
    “company’s competence”

    42. Later that day, at 7:02 PM Moscow Standard Time, the online persona Guccifer 2.0
    published its first post on a blog site created through WordPress. Titled “DNC’s servers hacked
    by a lone hacker,” the post used numerous English words and phrases that the Conspirators had
    searched for earlier that day (bolded below):

    Worldwide known cyber security company [Company 1] announced that
    the Democratic National Committee (DNC) servers had been hacked by
    “sophisticated” hacker groups.

    I’m very pleased the company appreciated my skills so highly)))[…]

    Here are just a few docs from many thousands I extracted when hacking
    into DNC’s network. […]

    Some hundred sheets! This’s a serious case, isn’t it? […]

    I guess [Company 1] customers should think twice about company’s
    competence.

    F[***] the Illuminati and their conspiracies!!!!!!!! F[***]
    [Company 1]!!!!!!!!

    Next, the indictment includes an allegation that’s bad news for someone in the GOP, but it’s unclear who: on August 15, 2016, an unnamed GOP candidate contacted Guccifer 2.0 requesting any documents on their Democratic opponent, and Guccifer 2.0 supplied them with documents. This is different from the story we already knew about, in which Florida GOP operative Aaron Nevins asked for and received 2.5 gigabytes of data from Guccifer 2.0, which is also listed below. So if that GOP candidate won their race, this indictment is a big deal for them:


    43. Between in or around June 2016 and October 2016, the Conspirators used Guccifer 2.0 to
    release documents through WordPress that they had stolen from the DCCC and DNC. The
    Conspirators, posing as Guccifer 2.0, also shared stolen documents with certain individuals.

    a. On or about August 15, 2016, the Conspirators, posing as Guccifer 2.0, received a
    request for stolen documents from a candidate for the U.S. Congress. The
    Conspirators responded using the Guccifer 2.0 persona and sent the candidate
    stolen documents related to the candidate’s opponent.

    b. On or about August 22, 2016, the Conspirators, posing as Guccifer 2.0, transferred
    approximately 2.5 gigabytes of data stolen from the DCCC to a then-registered state
    lobbyist and online source of political news. The stolen data included donor records
    and personal identifying information for more than 2,000 Democratic donors.

    The indictment then mentions a reporter who apparently received documents about Black Lives Matter from Guccifer 2.0 and discussed with Guccifer 2.0 the timing of releasing the documents, suggesting that this reporter was almost certainly a right-wing reporter who was happy to work with Guccifer 2.0. It’s a reminder that Guccifer 2.0’s chattiness probably ended up implicating a lot of different people:


    c. On or about August 22, 2016, the Conspirators, posing as Guccifer 2.0, sent a
    reporter stolen documents pertaining to the Black Lives Matter movement. The
    reporter responded by discussing when to release the documents and offering to
    write an article about their release.

    Next, the indictment notes that Guccifer 2.0 communicated with someone who was in regular contact with senior members of the Trump campaign. Roger Stone has admitted to communications with Guccifer 2.0 starting in mid-August 2016, so this is likely a reference to that. One of those communications with Stone involved a discussion of the Democrats’ turnout model, which indicates Guccifer 2.0 was in possession of the Democrats’ voter analytics files. Recall how Donna Brazile complained about the hackers having access to the Democrats’ voter files months after CrowdStrike said the infection was contained, so this discussion with Roger Stone suggests the malware left on the DNC’s networks until October of 2016 may have been actively sending information back to the hackers:


    44. The Conspirators, posing as Guccifer 2.0, also communicated with U.S. persons about the
    release of stolen documents. On or about August 15, 2016, the Conspirators, posing as Guccifer
    2.0, wrote to a person who was in regular contact with senior members of the presidential campaign
    of Donald J. Trump, “thank u for writing back … do u find anyt[h]ing interesting in the docs i
    posted?” On or about August 17, 2016, the Conspirators added, “please tell me if i can help
    anyhow … it would be a great pleasure to me.” On or about September 9, 2016, the Conspirators,
    again posing as Guccifer 2.0, referred to a stolen document posted online and asked the
    person, “what do think of the info on the turnout model for the democrats entire presidential
    campaign.” The person responded, “[p]retty standard.”

    Next, the indictment mentions that the computer infrastructure used to manage the Guccifer 2.0 persona and the DCLeaks website was paid for from the same pool of bitcoins, which was used both to lease the Malaysian server that hosted the dcleaks.com website and to open a VPN account. That VPN was used to log into the @Guccifer_2 Twitter account, and the VPN account was opened from the same server used to register domains for the spearphishing operations. This isn’t particularly remarkable given that the Guccifer 2.0 persona always maintained that they were a lone hacker, so it would make sense to use the same bitcoins for everything involving the hacks and the distribution of hacked documents:


    45. The Conspirators conducted operations as Guccifer 2.0 and DCLeaks using overlapping
    computer infrastructure and financing.

    a. For example, between on or about March 14, 2016 and April 28, 2016, the
    Conspirators used the same pool of bitcoin funds to purchase a virtual private
    network (“VPN”) account and to lease a server in Malaysia. In or around June
    2016, the Conspirators used the Malaysian server to host the dcleaks.com website.
    On or about July 6, 2016, the Conspirators used the VPN to log into the
    @Guccifer_2 Twitter account. The Conspirators opened that VPN account from
    the same server that was also used to register malicious domains for the hacking of
    the DCCC and DNC networks.

    b. On or about June 27, 2016, the Conspirators, posing as Guccifer 2.0, contacted a
    U.S. reporter with an offer to provide stolen emails from “Hillary Clinton’s staff.”
    The Conspirators then sent the reporter the password to access a nonpublic,
    password-protected portion of dcleaks.com containing emails stolen from Victim 1
    by LUKASHEV, YERMAKOV, and their co-conspirators in or around March
    2016.

    46. On or about January 12, 2017, the Conspirators published a statement on the Guccifer 2.0
    WordPress blog, falsely claiming that the intrusions and release of stolen documents had “totally
    no relation to the Russian government.”

    Next, the indictment describes Guccifer 2.0’s interactions with WikiLeaks (Organization 1). Interestingly, it mentions that the Guccifer 2.0 persona discussed with WikiLeaks the timing of releasing the documents, which raises the question of how those communications were obtained. Recall the earlier reports about Julian Assange communicating with Donald Trump Jr. over Twitter direct messages and how Assange was reportedly known to communicate quite a bit using Twitter’s DMs. And when Roger Stone communicated with Guccifer 2.0, that was also over Twitter direct messages. So it seems likely that Guccifer 2.0 was communicating with Assange over Twitter, in which case there’s a good chance all of these communications are available to investigators. It’s also just a remarkable security decision by Assange, Stone, and Guccifer 2.0 to use Twitter to carry out their ostensibly secret coordination. You almost have to wonder whether there wasn’t a more secret backchannel employed as the real communications channel, because Twitter DMs are hardly the most secure form of communication from the standpoint of avoiding having your messages seized by authorities:


    Use of Organization 1

    47. In order to expand their interference in the 2016 U.S. presidential election, the Conspirators
    transferred many of the documents they stole from the DNC and the chairman of the Clinton
    Campaign to Organization 1. The Conspirators, posing as Guccifer 2.0, discussed the release of
    the stolen documents and the timing of those releases with Organization 1 to heighten their impact
    on the 2016 U.S. presidential election.

    a. On or about June 22, 2016, Organization 1 sent a private message to Guccifer 2.0
    to “[s]end any new material [stolen from the dnc] here for us to review and it will
    have a much higher impact than what you are doing.” On or about July 6, 2016,
    Organization 1 added, “if you have anything hillary related we want it in the next
    tweo [sic] days prefable [sic] because the DNC [Democratic National Convention]
    is approaching and she will solidify bernie supporters behind her after.” The
    Conspirators responded, “ok . . . i see.” Organization 1 explained, “we think trump
    has only a 25% chance of winning against hillary … so conflict between bernie
    and hillary is interesting.”

    b. After failed attempts to transfer the stolen documents starting in late June 2016, on
    or about July 14, 2016, the Conspirators, posing as Guccifer 2.0, sent
    Organization 1 an email with an attachment titled “wk link1.txt.gpg.” The
    Conspirators explained to Organization 1 that the encrypted file contained
    instructions on how to access an online archive of stolen DNC documents. On or
    about July 18, 2016, Organization 1 confirmed it had “the 1Gb or so archive” and
    would make a release of the stolen documents “this week.”

    48. On or about July 22, 2016, Organization 1 released over 20,000 emails and other
    documents stolen from the DNC network by the Conspirators. This release occurred
    approximately three days before the start of the Democratic National Convention. Organization 1
    did not disclose Guccifer 2.0’s role in providing them. The latest-in-time email released through
    Organization 1 was dated on or about May 25, 2016, approximately the same day the Conspirators
    hacked the DNC Microsoft Exchange Server.

    49. On or about October 7, 2016, Organization 1 released the first set of emails from the
    chairman of the Clinton Campaign that had been stolen by LUKASHEV and his co-conspirators.
    Between on or about October 7, 2016 and November 7, 2016, Organization 1 released
    approximately thirty-three tranches of documents that had been stolen from the chairman of the
    Clinton Campaign. In total, over 50,000 stolen documents were released.

    Next, the indictment formally lays out the hacking charges in terms of specific criminal allegations, such as knowingly accessing a computer without authorization, stealing people’s credentials, etc.:


    Statutory Allegations

    50. Paragraphs 1 through 49 of this Indictment are re-alleged and incorporated by reference as
    if fully set forth herein.

    51. From at least in or around March 2016 through November 2016, in the District of Columbia
    and elsewhere, Defendants ANTONOV, YERMAKOV, LUKASHEV,
    MORGACHEV, KOZACHEK, YERSHOV, MALYSHEV, OSADCHUK, and POTEMKIN,
    together with others known and unknown to the Grand Jury, knowingly and intentionally conspired
    to commit offenses against the United States, namely:

    a. To knowingly access a computer without authorization and exceed authorized
    access to a computer, and to obtain thereby information from a protected computer,
    where the value of the information obtained exceeded $5,000, in violation of Title
    18, United States Code, Sections 1030(a)(2)(C) and 1030(c)(2)(B); and

    b. To knowingly cause the transmission of a program, information, code, and
    command, and as a result of such conduct, to intentionally cause damage without
    authorization to a protected computer, and where the offense did cause and, if
    completed, would have caused, loss aggregating $5,000 in value to at least one
    person during a one-year period from a related course of conduct affecting a
    protected computer, and damage affecting at least ten protected computers during
    a one-year period, in violation of Title 18, United States Code, Sections
    1030(a)(5)(A) and 1030(c)(4)(B).

    52. In furtherance of the Conspiracy and to effect its illegal objects, the Conspirators
    committed the overt acts set forth in paragraphs 1 through 19, 21 through 49, 55, and 57 through
    64, which are re-alleged and incorporated by reference as if fully set forth herein.

    53. In furtherance of the Conspiracy, and as set forth in paragraphs 1 through 19, 21 through
    49, 55, and 57 through 64, the Conspirators knowingly falsely registered a domain name and
    knowingly used that domain name in the course of committing an offense, namely, the
    Conspirators registered domains, including dcleaks.com and actblues.com, with false names and
    addresses, and used those domains in the course of committing the felony offense charged in Count
    One.

    All in violation of Title 18, United States Code, Sections 371 and 3559(g)(1).

    COUNTS TWO THROUGH NINE
    (Aggravated Identity Theft)

    54. Paragraphs 1 through 19, 21 through 49, and 57 through 64 of this Indictment are re-alleged
    and incorporated by reference as if fully set forth herein.

    55. On or about the dates specified below, in the District of Columbia and elsewhere,
    Defendants BORISOVICH BORIS ALEKSEYEVICH ANTONOV,
    DMITRIY SERGEYEVICH IVAN SERGEYEVICH YERMAKOV, ALEKSEY
    VIKTOROVICH LUKASHEV, SERGEY ALEKSANDROVICH MORGACHEV, NIKOLAY
    YURYEVICH KOZACHEK, PAVEL VYACHESLAVOVICH YERSHOV, ARTEM
    ANDREYEVICH MALYSHEV, ALEKSANDR VLADIMIROVICH OSADCHUK, and
    ALEKSEY ALEKSANDROVICH POTEMKIN did knowingly transfer, possess, and use, without
    lawful authority, a means of identification of another person during and in relation to a felony
    violation enumerated in Title 18, United States Code, Section 1028A(c), namely, computer fraud
    in violation of Title 18, United States Code, Sections 1030(a)(2)(C) and 1030(c)(2)(B), knowing
    that the means of identification belonged to another real person:

    Count | Approximate Date | Victim | Means of Identification
    2 | March 21, 2016 | Victim 3 | Username and password for personal email account
    3 | March 25, 2016 | Victim 1 | Username and password for personal email account
    4 | April 12, 2016 | Victim 4 | Username and password for DCCC computer network
    5 | April 15, 2016 | Victim 5 | Username and password for DCCC computer network
    6 | April 18, 2016 | Victim 6 | Username and password for DCCC computer network
    7 | May 10, 2016 | Victim 7 | Username and password for DNC computer network
    8 | June 2, 2016 | Victim 2 | Username and password for personal email account
    9 | July 6, 2016 | Victim 8 | Username and password for personal email account

    All in violation of Title 18, United States Code, Sections 1028A(a)(1) and 2.

    Next, the indictment includes more allegations regarding the use of bitcoins to pay for the infrastructure (servers and web domains) used in the hack and the distribution of the documents. The indictment notes that literally hundreds of email addresses were set up to carry out the various purchases made with the bitcoins, with some email addresses being used for a single purchase. This is said to have been done to avoid “a centralized paper trail of all of their purchases,” but there were also several dedicated email accounts used to track these bitcoin transactions, and the investigators appear to have access to those email accounts. One of those accounts received hundreds of requests from approximately 100 different email accounts for specific amounts of bitcoin to be sent to particular bitcoin addresses. And that all raises the question: why were hundreds of purchases being made by these GRU units? Dozens, ok, that might be plausible. But hundreds of payments? Wow:


    COUNT TEN
    (Conspiracy to Launder Money)

    56. Paragraphs 1 through 19, 21 through 49, and 55 are re-alleged and incorporated by reference
    as if fully set forth herein.

    57. To facilitate the purchase of infrastructure used in their hacking activity, including hacking
    into the computers of U.S. persons and entities involved in the 2016 U.S. presidential election and
    releasing the stolen documents, the Defendants conspired to launder the equivalent of more than
    $95,000 through a web of transactions structured to capitalize on the perceived anonymity of
    such as bitcoin.

    58. Although the Conspirators caused transactions to be conducted in a variety of currencies,
    including U.S. dollars, they principally used bitcoin when purchasing servers, registering domains,
    and otherwise making payments in furtherance of hacking activity. Many of these payments were
    processed by companies located in the United States that provided payment processing services to
    hosting companies, domain registrars, and other vendors both international and domestic. The use
    of bitcoin allowed the Conspirators to avoid direct relationships with traditional financial
    institutions, allowing them to evade greater scrutiny of their identities and sources of funds.

    59. All bitcoin transactions are added to a public ledger called the Blockchain, but the
    Blockchain identifies the parties to each transaction only by alpha-numeric identifiers known as
    bitcoin addresses. To further avoid creating a centralized paper trail of all of their purchases, the
    Conspirators purchased infrastructure using hundreds of different email accounts, in some cases
    using a new account for each purchase. The Conspirators used fictitious names and addresses in
    order to obscure their identities and their links to Russia and the Russian government. For
    example, the dcleaks.com domain was registered and paid for using the fictitious name “Carrie
    Feehan” and an address in New York. In some cases, as part of the payment process, the
    Conspirators provided vendors with nonsensical addresses such as “usa Denver AZ,” “gfhgh
    ghfhgfh fdgfdg WA,” and “1 2 dwd District of Columbia.”

    60. The Conspirators used several dedicated email accounts to track basic bitcoin transaction
    information and to facilitate bitcoin payments to vendors. One of these dedicated accounts,
    registered with the username “gfadel47,” received hundreds of bitcoin payment requests from
    approximately 100 different email accounts. For example, on or about February 1, 2016, the
    gfadel47 account received the instruction to “[p]lease send exactly 0.026043 bitcoin to” a certain
    thirty-four character bitcoin address. Shortly thereafter, a transaction matching those exact
    instructions was added to the Blockchain.

    The indictment then notes that, on occasion, the hackers used the same computers to send bitcoins that they used to carry out the hacks, such as sending spearphishing emails or renewing the linuxkrnl.net domain. That sounds like one more example of the surprising sloppiness of these hackers, if they really did care about not getting caught:


    61. On occasion, the Conspirators facilitated bitcoin payments using the same computers that
    they used to conduct their hacking activity, including to create and send test spearphishing emails.
    Additionally, one of these dedicated accounts was used by the Conspirators in or around 2015 to
    renew the registration of a domain (linuxkrnl.net) encoded in certain X-Agent malware installed
    on the DNC network.

    Next, the indictment notes that some of the bitcoins used by the hackers were generated by GRU-run mining operations, while other bitcoins were purchased through exchanges that obscure the origin of the bitcoin (bitcoin ‘laundering’ exchanges). And a newly minted bitcoin from the pool of GRU-mined bitcoins was apparently used to purchase the dcleaks.com domain! While purchasing bitcoins on a bitcoin laundering exchange makes a lot of sense, the use of bitcoins that were directly mined by a GRU mining operation seems like a potentially big risk for the GRU. Why take that kind of risk unless you don’t care about getting caught? Why not at least run the bitcoins generated by the GRU mining operations through a laundering operation first? It’s one more example of the GRU allegedly playing dumb:


    62. The Conspirators funded the purchase of computer infrastructure for their hacking activity
    in part by “mining” bitcoin. Individuals and entities can mine bitcoin by allowing their computing
    power to be used to verify and record payments on the bitcoin public ledger, a service for which
    they are rewarded with freshly-minted bitcoin. The pool of bitcoin generated from the GRU’s
    mining activity was used, for example, to pay a Romanian company to register the domain
    dcleaks.com through a payment processing company located in the United States.

    63. In addition to mining bitcoin, the Conspirators acquired bitcoin through a variety of means
    designed to obscure the origin of the funds. This included purchasing bitcoin through peer-to-peer
    exchanges, moving funds through other digital currencies, and using pre-paid cards. They also
    enlisted the assistance of one or more third-party exchangers who facilitated layered transactions
    through digital currency exchange platforms providing heightened anonymity.

    64. The Conspirators used the same funding structure, and in some cases the very same pool
    of funds, to purchase key accounts, servers, and domains used in their election-related hacking
    activity.

    a. The bitcoin mining operation that funded the registration payment for dcleaks.com
    also sent newly-minted bitcoin to a bitcoin address controlled by “Daniel Farell,”
    the persona that was used to renew the domain linuxkrnl.net. The bitcoin mining
    operation also funded, through the same bitcoin address, the purchase of servers
    and domains used in the spearphishing operations, including accounts-qooqle.com
    and account-gooogle.com.

    b. On or about March 14, 2016, using funds in a bitcoin address, the Conspirators
    purchased a VPN account, which they later used to log into the @Guccifer_2
    Twitter account. The remaining funds from that bitcoin address were then used on
    or about April 28, 2016, to lease a Malaysian server that hosted the dcleaks.com
    website.

    c. The Conspirators used a different set of fictitious names (including “Ward
    DeClaur” and “Mike Long”) to send bitcoin to a company in order to lease a
    server used to administer X-Tunnel malware implanted on the and DNC
    networks, and to lease two servers used to hack the cloud network.
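Paragraphs 60 and 64 describe two financial-tracing steps an investigator can reproduce from public ledger data plus seized mailbox contents: matching a “please send exactly X bitcoin to Y” request against the transaction that later appeared on the blockchain, and grouping purchases by the address that funded them so that infrastructure bought under different fictitious names is linked by its financing. The following is an added example written for this post; it is not code from the indictment or from any investigative tool, and every mailbox name, bitcoin address, amount, timestamp, transaction id and vendor label in it is a constructed placeholder.

```python
# Added example (not from the blog post or the indictment): correlating
# off-chain bitcoin payment requests with on-chain transactions and grouping
# purchases by the address that funded them, the two tracing steps that
# paragraphs 60 and 64 describe. Every account name, address, amount,
# timestamp, txid and vendor label below is a constructed placeholder.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from decimal import Decimal
import re


@dataclass(frozen=True)
class PaymentRequest:
    mailbox: str        # dedicated tracking account that received the request
    sender: str         # one of the many throwaway requesting accounts
    received: datetime
    body: str


@dataclass(frozen=True)
class LedgerTx:
    txid: str
    timestamp: datetime
    inputs: tuple       # addresses that funded the transaction
    outputs: dict       # destination address -> amount (Decimal, in BTC)
    purchase: str       # what the payment bought (known from vendor records)


# Base58-style address: a leading 1 or 3, then 25 to 34 chars with no 0/O/I/l.
# Decimal keeps the exact amount; float would make 0.026043 inexact.
REQUEST_RE = re.compile(
    r"send exactly ([0-9]+\.[0-9]+) bitcoin to ([13][1-9A-HJ-NP-Za-km-z]{25,34})")


def parse_request(req):
    """Extract (amount, address) from a request body, or None if absent."""
    m = REQUEST_RE.search(req.body)
    if m is None:
        return None
    return Decimal(m.group(1)), m.group(2)


def match_requests_to_ledger(requests, ledger, window=timedelta(hours=24)):
    """Pair each request with the ledger transactions that, within `window`
    after the request arrived, paid exactly the requested amount to the
    requested address. Amount and address must both match; a near miss on
    either is not evidence and is deliberately not returned."""
    matches = []
    for req in requests:
        parsed = parse_request(req)
        if parsed is None:
            continue
        amount, address = parsed
        for tx in ledger:
            in_window = req.received <= tx.timestamp <= req.received + window
            if in_window and tx.outputs.get(address) == amount:
                matches.append((req, tx))
    return matches


def cluster_by_funding_address(ledger):
    """Group purchases paid from the same input address. Two purchases that
    share a funding address are linked by financing even when made under
    different names. Caveat: this assumes one party controls the address;
    shared or mixed wallets break that assumption, so a cluster is a lead to
    corroborate, not a conclusion."""
    clusters = defaultdict(list)
    for tx in ledger:
        for addr in tx.inputs:
            clusters[addr].append(tx.purchase)
    return {addr: items for addr, items in clusters.items() if len(items) > 1}


# ---- constructed sample data -------------------------------------------------
DEST_A = "1DemoAddr" + "A" * 25            # 34-character placeholder address
DEST_B = "1DemoAddr" + "B" * 25
POOL_A, POOL_B, POOL_C = "pool-A", "pool-B", "pool-C"   # funding addresses

REQUESTS = [
    PaymentRequest("tracking@example.invalid", "buyer-017@example.invalid",
                   datetime(2016, 2, 1, 10, 0),
                   f"Please send exactly 0.026043 bitcoin to {DEST_A}"),
    PaymentRequest("tracking@example.invalid", "buyer-042@example.invalid",
                   datetime(2016, 2, 3, 9, 0),
                   f"please send exactly 0.5 bitcoin to {DEST_B}"),  # never paid
]

LEDGER = [
    LedgerTx("tx-0001", datetime(2016, 2, 1, 11, 30), (POOL_A,),
             {DEST_A: Decimal("0.026043")}, "domain registration"),
    LedgerTx("tx-0002", datetime(2016, 2, 1, 12, 0), (POOL_C,),
             {DEST_A: Decimal("0.026")}, "unrelated payment"),   # wrong amount
    LedgerTx("tx-0003", datetime(2016, 3, 14, 8, 0), (POOL_B,),
             {"1Vendor" + "V" * 27: Decimal("0.1")}, "VPN account"),
    LedgerTx("tx-0004", datetime(2016, 4, 28, 8, 0), (POOL_B,),
             {"1Vendor" + "W" * 27: Decimal("0.35")}, "server lease"),
]

if __name__ == "__main__":
    for req, tx in match_requests_to_ledger(REQUESTS, LEDGER):
        print(f"{req.sender} -> {tx.txid} ({tx.purchase})")
    for addr, items in cluster_by_funding_address(LEDGER).items():
        print(f"{addr} funded: {', '.join(items)}")
```

Run as-is, the first request is paired only with tx-0001 (tx-0002 pays the same address but a different amount, so it is rejected), and only pool-B is reported as a cluster, tying the VPN account and the server lease together the way paragraph 64(b) links the @Guccifer_2 VPN to the Malaysian server. The exact-amount rule is what makes the request-to-ledger match strong evidence; the funding-address cluster is weaker, and in real work would be checked against vendor records before anything is concluded from it.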

    Next, the indictment lays out the charges regarding alleged attempts to hack into U.S. election systems as well as a vendor of U.S. election software. It specifically charges two GRU officers from Unit 74455 with these state election system intrusion attempts. It states that in July of 2016, the GRU hacked into a particular state board of elections’ systems and stole information on 500,000 voters. This is a reference to the Illinois state board of elections. The indictment then mentions that the FBI issued an alert in August of 2016 over the hacking of the Illinois state board of elections, and that in response to that alert one of the GRU agents “deleted his search history” and “deleted records from accounts used in their operations targeting state boards of elections”. But the indictment goes on to say they continued trying to hack state election systems through October and even early November. It’s another example of evidence that would indicate a surprising level of detail about the actions of specific GRU agents, because knowing about the deletion of search history implies access to the server used. It’s also an example of the hackers allegedly being concerned about getting caught while demonstrating a brazen lack of concern, which is the theme of this entire story:


    COUNT ELEVEN
    (Conspiracy to Commit an Offense Against the United States)

    66. Paragraphs 1 through 8 of this Indictment are re-alleged and incorporated by reference as
    if fully set forth herein.

    Defendants

    67. Paragraph 18 of this Indictment relating to ALEKSANDR VLADIMIROVICH
    OSADCHUK is re-alleged and incorporated by reference as if fully set forth herein.

    68. Defendant ANATOLIY SERGEYEVICH KOVALEV (Ковалев Анатолий Сергеевич)
    was an officer in the Russian military assigned to Unit 74455 who worked in the GRU’s 22 Kirova
    Street building (the Tower).

    69. Defendants OSADCHUK and KOVALEV were GRU officers who knowingly and
    intentionally conspired with each other and with persons, known and unknown to the Grand Jury,
    to hack into the computers of U.S. persons and entities responsible for the administration of 2016
    U.S. elections, such as state boards of elections, secretaries of state, and U.S. companies that
    supplied software and other technology related to the administration of U.S. elections.

    Object of the Conspiracy

    70. The object of the conspiracy was to hack into protected computers of persons and entities
    charged with the administration of the 2016 U.S. elections in order to access these computers and
    steal voter data and other information stored on these computers.

    Manner and Means of the Conspiracy

    71. In or around June 2016, KOVALEV and his co-conspirators researched domains used by
    U.S. state boards of elections, secretaries of state, and other election-related entities for website
    vulnerabilities. KOVALEV and his co-conspirators also searched for state political party email
    addresses, including filtered queries for email addresses listed on state Republican Party websites.

    72. In or around July 2016, KOVALEV and his co-conspirators hacked the website of a state
    board of elections (“SBOE 1”) and stole information related to approximately 500,000 voters,
    including names, addresses, partial social security numbers, dates of birth, and driver’s license
    numbers.

    73. In or around August 2016, KOVALEV and his co-conspirators hacked into the computers
    of a U.S. vendor (“Vendor 1”) that supplied software used to verify voter registration information
    for the 2016 U.S. elections. KOVALEV and his co-conspirators used some of the same
    infrastructure to hack into Vendor 1 that they had used to hack into SBOE 1.

    74. In or around August 2016, the Federal Bureau of Investigation issued an alert about the
    hacking of SBOE 1 and identified some of the infrastructure that was used to conduct the hacking.
    In response, KOVALEV deleted his search history. KOVALEV and his co-conspirators also
    deleted records from accounts used in their operations targeting state boards of elections and
    similar election-related entities.

    75. In or around October 2016, KOVALEV and his co-conspirators further targeted state and
    county offices responsible for administering the 2016 U.S. elections. For example, on or about
    October 28, 2016, KOVALEV and his co-conspirators visited the websites of certain counties in
    Georgia, Iowa, and Florida to identify vulnerabilities.

    76. In or around November 2016 and prior to the 2016 U.S. presidential election, KOVALEV
    and his co-conspirators used an email account designed to look like a Vendor 1 email address to
    send over 100 spearphishing emails to organizations and personnel involved in administering
    elections in numerous Florida counties. The spearphishing emails contained malware that the
    Conspirators embedded into Word documents bearing Vendor 1’s logo.

    So that’s a review of the actual contents of the indictment. As we can see, there’s quite an abundance of detail about how the hackers carried out the actual hacks and set up and managed the infrastructure used to carry out the hacks and distribute the documents. The indictment also includes an abundance of detailed allegations about specific GRU agents carrying out specific roles in the operation and specific acts on specific dates. And yet of all the allegations, only one – about someone logging into a Moscow-based server managed by the GRU to search for phrases that showed up in Guccifer 2.0’s first message – suggests there is evidence that conclusively establishes that a known GRU server was used in this operation. And as we saw, it’s unclear how that evidence was obtained without that server itself being hacked.

    So with a single seemingly conclusive piece of evidence, how should we interpret the rest of this indictment? Well, it’s important to note that there was one other reported instance of evidence that was directly linked back to the GRU. Interestingly, while this story purports to give strong evidence of the GRU being actually behind the hacks, the article notes how, without this one piece of evidence, the investigators were having a very difficult time actually tracking the technical evidence back to the GRU. The evidence would lead to servers in France owned by Elite VPN (a Moscow-based VPN service), but the trail would go cold from there (which is why VPNs are useful for hackers).

    According to the report, there was one instance when a GRU officer forgot to log into this VPN service while logging into one of the social media accounts used by Guccifer 2.0. This resulted in the logs of this social media company having a login from Moscow. And the IP address of that login led directly back to a computer used by a GRU officer at the agency’s headquarters on Grizodubovoy Street in Moscow.

    Yep, we are told that the GRU is so casual about their high stakes hacking operation that they literally sit at their office headquarters in Moscow and hack away! The only thing obscuring their identities is the use of a VPN service. If true, it would be one more example of the stunningly casual security measures apparently used by the GRU. But if not true, and this story is puffery, it would indicate that investigators actually lack any technical evidence leading back to the GRU since this was apparently the one critical slip-up that allowed investigators to conclusively link it back to the GRU.

    Of course, this story is from March of 2018, so it’s possible investigators collected some new information over the last few months. Like, for instance, the information about login times and searches made on the Moscow-based server that the Mueller team included in the indictment. But when we’re trying to make sense of how to interpret the numerous highly specific, yet vaguely sourced, allegations in the indictment, the fact that there was allegedly only one key piece of evidence investigators had linking the hacks back to the GRU as of March of this year seems important to keep in mind. Did investigators have another set of breakthroughs in recent months?

    The article includes another allegation that’s worth keeping in mind regarding the evidence in the indictment about the Moscow-based server and the Guccifer 2.0 search terms: The GRU agent who was initially in charge of the Guccifer 2.0 persona was replaced at some point by a more experienced GRU officer. It’s not known when exactly this replacement occurred but it’s assumed to have happened based on noticeable improvements in Guccifer 2.0’s English over time. Given that the Guccifer 2.0 persona described itself as being a lone Romanian hacker, it’s kind of remarkable that they wouldn’t maintain the same style of English even if they switched which particular GRU officer was working on the case. Again, wow, that is some sloppy tradecraft:

    The Daily Beast

    EXCLUSIVE: ‘Lone DNC Hacker’ Guccifer 2.0 Slipped Up and Revealed He Was a Russian Intelligence Officer
    Robert Mueller’s team has taken over the investigation of Guccifer 2.0, who communicated with (and was defended by) longtime Trump adviser Roger Stone.
    Kevin Poulsen
    Spencer Ackerman
    03.22.18 7:00 PM ET

    Update, 7/13/2018: Special counsel Robert Mueller’s office identified Guccifer 2.0 as a Russian intelligence officer and indicted him along with 11 other officers for crimes related to the alleged hacking of Democrats in 2016.

    Guccifer 2.0, the “lone hacker” who took credit for providing WikiLeaks with stolen emails from the Democratic National Committee, was in fact an officer of Russia’s military intelligence directorate (GRU), The Daily Beast has learned. It’s an attribution that resulted from a fleeting but critical slip-up in GRU tradecraft.

    That forensic determination has substantial implications for the criminal probe into potential collusion between President Donald Trump and Russia. The Daily Beast has learned that the special counsel in that investigation, Robert Mueller, has taken over the probe into Guccifer and brought the FBI agents who worked to track the persona onto his team.

    While it’s unclear what Mueller plans to do with Guccifer, his last round of indictments charged 13 Russians tied to the Internet Research Agency troll farm with a conspiracy “for the purpose of interfering with the U.S. political and electoral processes, including the presidential election of 2016.” It was Mueller’s first move establishing Russian interference in the election within a criminal context, but it stopped short of directly implicating the Putin regime.

    Mueller’s office declined to comment for this story. But the attribution of Guccifer 2.0 as an officer of Russia’s largest foreign intelligence agency would cross the Kremlin threshold—and move the investigation closer to Trump himself.

    Trump’s longtime political adviser Roger Stone admitted being in touch with Guccifer over Twitter’s direct messaging service. And in August 2016, Stone published an article on the pro-Trump-friendly Breitbart News calling on his political opponents to “Stop Blaming Russia” for the hack. “I have some news for Hillary and Democrats—I think I’ve got the real culprit,” he wrote. “It doesn’t seem to be the Russians that hacked the DNC, but instead a hacker who goes by the name of Guccifer 2.0.”

    Five months later, in January 2017, the CIA, NSA, and FBI assessed “with high confidence” that “Russian military intelligence (General Staff Main Intelligence Directorate or GRU) used the Guccifer 2.0 persona and DCLeaks.com to release US victim data.” But the assessment did not directly call Guccifer a Russian intelligence officer. Nor did it provide any evidence for its assertions.

    It turns out there is a powerful reason to connect Guccifer to the GRU.

    ——

    Guccifer 2.0 sprang into existence on June 15, 2016, hours after a report by a computer security firm forensically tied Russia to an intrusion at the Democratic National Committee. In a series of blog posts and tweets over the following seven months—conspicuously ending right as Trump took office and not resuming—the Guccifer persona published a smattering of the DNC documents while gamely projecting an image as an independent Romanian hacktivist who’d breached the DNC on a lark. As Stone’s Breitbart piece demonstrated, Guccifer provided Moscow with a counter-narrative for the election interference.

    Guccifer famously pretended to be a “lone hacker” who perpetrated the digital DNC break-in. From the outset, few believed it. Motherboard conducted a devastating interview with Guccifer that exploded the account’s claims of being a native Romanian speaker. Based on forensic clues in some of Guccifer’s leaks, and other evidence, a consensus quickly formed among security experts that Guccifer was completely notional.

    “Almost immediately various cyber security companies and individuals were skeptical of Guccifer 2.0 and the backstory that he had generated for himself,” said Kyle Ehmke, an intelligence researcher at the cyber security firm ThreatConnect. “We started seeing these inconsistencies that led back to the idea that he was created hastily… by the individual or individuals that affected the DNC compromise.”

    Proving that link definitively was harder. Ehmke worked on an investigation at ThreatConnect that tried to track down Guccifer from the metadata in his emails. But the trail always ended at the same data center in France. Ehmke eventually uncovered that Guccifer was connecting through an anonymizing service called Elite VPN, a virtual private networking service that had an exit point in France but was headquartered in Russia.

    But on one occasion, The Daily Beast has learned, Guccifer failed to activate the VPN client before logging on. As a result, he left a real, Moscow-based Internet Protocol address in the server logs of an American social media company, according to a source familiar with the government’s Guccifer investigation. Twitter and WordPress were Guccifer 2.0’s favored outlets. Neither company would comment for this story, and Guccifer did not respond to a direct message on Twitter.

    Working off the IP address, U.S. investigators identified Guccifer 2.0 as a particular GRU officer working out of the agency’s headquarters on Grizodubovoy Street in Moscow. (The Daily Beast’s sources did not disclose which particular officer worked as Guccifer.)

    Security firms and declassified U.S. intelligence findings previously identified the GRU as the agency running “Fancy Bear,” the ten-year-old hacking organization behind the DNC email theft, as well as breaches at NATO, Obama’s White House, a French television station, the World Anti-Doping Agency, and countless NGOs, and militaries and civilian agencies in Europe, Central Asia, and the Caucasus.

    Timestamps in Guccifer 2.0’s first leaks show they were packaged for release over the course of a single day in June 2016, beginning just hours after the DNC intrusion and its attribution to Russia were made public. The moniker was an homage to Romanian hacker Marcel Lazar Lehel, who as “Guccifer” achieved notoriety in 2013 for a string of hacks against celebrities and politicians.

    In his inaugural blog post, Guccifer 2.0 disputed Russia’s involvement and claimed credit personally for the DNC breach, positioning himself as a one-time hacking operation working to expose “the Illuminati.” The post included the world’s first glimpse of the enormous cache of documents siphoned from the DNC’s network, including the Democrats’ opposition research report on Trump. Presaging the leaks that would roil the election, Guccifer 2.0 declared that he’d already sent the bulk of the stolen material to WikiLeaks—which has spent the time since obfuscating whether Guccifer was its source.

    On July 22, 2016, WikiLeaks began releasing its cache of approximately 19,000 emails and 8,000 attachments stolen in the hack. While Trump promoted the leak on Twitter and in rallies, his surrogate Roger Stone pushed back against the Kremlin attribution. In his August 2016 article for Breitbart, he argued that Guccifer 2.0 was the Romanian hacktivist he claimed to be. “Guccifer 2.0 is the real deal,” he wrote.

    Last May, Stone admitted that he’d also exchanged direct messages with the Guccifer 2.0 persona, and he released what he claimed was a complete transcript of his communications with the account. The transcript is brief and banal, showing Stone congratulating Guccifer 2.0 on returning to Twitter after a brief suspension, and then mostly ignoring him. Then and since, Stone has consistently denied that Guccifer was connected to the Kremlin.

    “I myself had no contacts or communications with the Russian State, Russian Intelligence or anyone fronting for them or acting as intermediaries for them,” he wrote.

    Guccifer 2.0 maintained a sporadic online presence throughout the election, posting to his dedicated WordPress blog and on Twitter, and spilling more DNC documents, sometimes in private emails to journalists.

    While the national election clearly interested him (“Democrats prepare new provocation against Trump,” he thundered in October 2016), Guccifer 2.0 reached down the ballot as well, posting documents from the Democrats’ national campaign committee on his WordPress blog. There, readers could find internal Democratic candidate assessments relevant to battleground states like Pennsylvania and Florida; internal assessments of key congressional districts, with granular analyses of their demographics; and campaign recruitment material.

    The GRU officer was eager to share this trove, as well. A GOP political operative in Florida, Aaron Nevins, DM’d Guccifer 2.0 a request for “any Florida based information” and received 2.5 gigabytes’ worth, according to The Wall Street Journal. The data, he enthused to Guccifer 2.0, was “probably worth millions of dollars.” A consultant for a successful Florida Republican congressional candidate told the paper, “I did adjust some voting targets based on some data I saw from the leaks.”

    ———-

    Sometime after its hasty launch, the Guccifer persona was handed off to a more experienced GRU officer, according to a source familiar with the matter. The timing of that handoff is unclear, but Guccifer 2.0’s last blog post, from Jan. 12, 2017, evinced a far greater command of English than the persona’s earlier efforts.

    “It’s obvious that the intelligence agencies are deliberately falsifying evidence,” the post read. “In my opinion, they’re playing into the hands of the Democrats who are trying to blame foreign actors for their failure.”

    (Contrast that with the language from a June 2016 post: “I made some conclusions from the Marcel’s story and decided not to put all eggs in one basket. Moreover, other cases weren’t so successful and didn’t bring me the glory.”)

    ———–

    “EXCLUSIVE: ‘Lone DNC Hacker’ Guccifer 2.0 Slipped Up and Revealed He Was a Russian Intelligence Officer” Kevin Poulsen; Spencer Ackerman; The Daily Beast; 03/22/2018

    “Guccifer 2.0, the “lone hacker” who took credit for providing WikiLeaks with stolen emails from the Democratic National Committee, was in fact an officer of Russia’s military intelligence directorate (GRU), The Daily Beast has learned. It’s an attribution that resulted from a fleeting but critical slip-up in GRU tradecraft.

    Yep, the conclusive attribution linking the hack back to the GRU was based on this one slip-up in GRU tradecraft. Which, at this point, is less of a slip-up and more like the actual tradecraft given the rate of these slip-ups. But this was a particularly big slip-up if real. Logging directly into Guccifer 2.0’s social media account from your computer at the GRU headquarters in Moscow seems like a big no-no. And that’s why this slip-up had such big implications for the investigation: without the slip-up, there apparently wasn’t actually any technical evidence linking this back to the GRU. At least, as of March of this year:


    That forensic determination has substantial implications for the criminal probe into potential collusion between President Donald Trump and Russia. The Daily Beast has learned that the special counsel in that investigation, Robert Mueller, has taken over the probe into Guccifer and brought the FBI agents who worked to track the persona onto his team.

    Trump’s longtime political adviser Roger Stone admitted being in touch with Guccifer over Twitter’s direct messaging service. And in August 2016, Stone published an article on the pro-Trump-friendly Breitbart News calling on his political opponents to “Stop Blaming Russia” for the hack. “I have some news for Hillary and Democrats—I think I’ve got the real culprit,” he wrote. “It doesn’t seem to be the Russians that hacked the DNC, but instead a hacker who goes by the name of Guccifer 2.0.”

    Five months later, in January 2017, the CIA, NSA, and FBI assessed “with high confidence” that “Russian military intelligence (General Staff Main Intelligence Directorate or GRU) used the Guccifer 2.0 persona and DCLeaks.com to release US victim data.” But the assessment did not directly call Guccifer a Russian intelligence officer. Nor did it provide any evidence for its assertions.

    It turns out there is a powerful reason to connect Guccifer to the GRU.

    The article then notes how Guccifer 2.0’s claims of being a lone Romanian hacker were quickly exploded when Vice Motherboard issued a report about how Guccifer didn’t actually talk like a native Romanian speaker. Which, again, is a reminder of what a joke this operation was. We don’t know the exact nature of that joke and whether or not it was an intentional joke. But it was definitely a joke:


    Guccifer 2.0 sprang into existence on June 15, 2016, hours after a report by a computer security firm forensically tied Russia to an intrusion at the Democratic National Committee. In a series of blog posts and tweets over the following seven months—conspicuously ending right as Trump took office and not resuming—the Guccifer persona published a smattering of the DNC documents while gamely projecting an image as an independent Romanian hacktivist who’d breached the DNC on a lark. As Stone’s Breitbart piece demonstrated, Guccifer provided Moscow with a counter-narrative for the election interference.

    Guccifer famously pretended to be a “lone hacker” who perpetrated the digital DNC break-in. From the outset, few believed it. Motherboard conducted a devastating interview with Guccifer that exploded the account’s claims of being a native Romanian speaker. Based on forensic clues in some of Guccifer’s leaks, and other evidence, a consensus quickly formed among security experts that Guccifer was completely notional.

    “Almost immediately various cyber security companies and individuals were skeptical of Guccifer 2.0 and the backstory that he had generated for himself,” said Kyle Ehmke, an intelligence researcher at the cyber security firm ThreatConnect. “We started seeing these inconsistencies that led back to the idea that he was created hastily… by the individual or individuals that affected the DNC compromise.”

    And while Guccifer 2.0 was assumed by virtually no one to be a lone Romanian hacker, the technical evidence just kept leading back to the Elite VPN server in France. Except once, when a GRU officer working out of the GRU headquarters in Moscow forgot to use the VPN service and directly logged into one of Guccifer 2.0’s social media accounts. This led directly back to a computer at the GRU’s headquarters:


    Proving that link definitively was harder. Ehmke worked on an investigation at ThreatConnect that tried to track down Guccifer from the metadata in his emails. But the trail always ended at the same data center in France. Ehmke eventually uncovered that Guccifer was connecting through an anonymizing service called Elite VPN, a virtual private networking service that had an exit point in France but was headquartered in Russia.

    But on one occasion, The Daily Beast has learned, Guccifer failed to activate the VPN client before logging on. As a result, he left a real, Moscow-based Internet Protocol address in the server logs of an American social media company, according to a source familiar with the government’s Guccifer investigation. Twitter and WordPress were Guccifer 2.0’s favored outlets. Neither company would comment for this story, and Guccifer did not respond to a direct message on Twitter.

    Working off the IP address, U.S. investigators identified Guccifer 2.0 as a particular GRU officer working out of the agency’s headquarters on Grizodubovoy Street in Moscow. (The Daily Beast’s sources did not disclose which particular officer worked as Guccifer.)

    So that’s one hell of a fun fact: the GRU was running this hacking operation out of its Moscow headquarters. Literally. They didn’t, like, go to an internet cafe or something.

    Finally, we learn that Guccifer 2.0’s initial persona was eventually handed off to a more experienced officer, as evidenced by the change in Guccifer 2.0’s English skills:


    Sometime after its hasty launch, the Guccifer persona was handed off to a more experienced GRU officer, according to a source familiar with the matter. The timing of that handoff is unclear, but Guccifer 2.0’s last blog post, from Jan. 12, 2017, evinced a far greater command of English than the persona’s earlier efforts.

    “It’s obvious that the intelligence agencies are deliberately falsifying evidence,” the post read. “In my opinion, they’re playing into the hands of the Democrats who are trying to blame foreign actors for their failure.”

    (Contrast that with the language from a June 2016 post: “I made some conclusions from the Marcel’s story and decided not to put all eggs in one basket. Moreover, other cases weren’t so successful and didn’t bring me the glory.”)

    Again, while the non-fluent use of Romanian in the initial Guccifer 2.0 posts was certainly amateurish, the more experienced GRU officer who allegedly took over apparently made the highly amateurish move of changing Guccifer 2.0’s use of English.

    And that was the Daily Beast report from back in March about the other piece of evidence possessed by the investigators that purportedly linked straight back to the GRU. And it’s a remarkable piece of evidence given what it allegedly shows about GRU tradecraft, which is that the GRU is so lazy they’re running their high profile hacking operations out of their headquarters.

    It’s also noteworthy that this piece of evidence wasn’t cited in the indictment. It seems like it would be a lynchpin for the case.

    So, at this point, we can summarize the technical evidence made public so far as “tenuously conclusive.” It generally sounds conclusive given the way the indictments confidently state who did what when in the execution of the hacking campaign and broader trolling effort. But we generally have no idea if the allegations are speculative or authoritative in nature. And when it’s unclear if the allegations are speculative or authoritative in nature, it’s tenuously conclusive at best. With the notable exceptions of the Moscow-based server allegation and this forgot-to-VPN allegation from back in March.

    And the evidence is perhaps understandably vague if the evidence comes from highly classified sources, like the hacking of a GRU server. But that just highlights how the nature of this investigation creates a “trust us” situation because a lot of the most conclusive evidence for cyber investigations is probably going to be highly classified in nature. Like evidence gathered from hacked GRU servers. It’s pretty understandable if there’s a strong resistance to revealing something like that and saying “trust us” instead. But the more the evidence relies on a “trust us” dynamic, the more tenuous it inherently becomes. There’s no avoiding it.

    But if we accept the “trust us” evidence in the indictment, it is conclusive. The GRU did it. The Moscow-based server allegation in the indictment alone is conclusive if real. And the forgot-to-VPN Guccifer login allegation in the above Daily Beast article is conclusive too if true. Either one basically nails the case.

    And if the technical lynchpins come down to “trust us” evidence, it’s going to be a reminder of why the entire history of past intelligence community abuses and lying to the public – the entire history of it – is extra unhelpful in the age of cyberwarfare. Because “trust us” situations are always going to come up and all those past abuses will inevitably be factored into that public decision to trust the “trust us”-based evidence. We need highly credible intelligence agencies and you can’t change the past.

    But while these two key pieces of critical technical evidence might be conclusive if accepted, there’s no getting around the fact that the bulk of the circumstantial evidence pointing towards GRU involvement all along has involved amazing mistakes and slip-ups and general incompetence. The screw-ups were there from the beginning. So did the GRU want to get caught or what? That seems like a really relevant question in this case.

    Let’s also not forget that there was apparently a highly placed Kremlin informant that says Putin ordered the whole thing. That’s the other key piece of evidence that would appear to conclusively establish culpability. It’s sort of a ‘trust us and trust the informant’ piece of evidence.

    So we’re at the point in the #TrumpRussia investigation where we know a lot of details about the nature of the conclusive evidence that we are told exists but have yet to see the actual evidence. It’s a significant advancement of Mueller’s case in terms of the specifics of the claims, but the evidence is all ‘yet-to-be-revealed’. And given that the accused GRU officers are unlikely to ever face trial, it’s unclear that the claimed evidence will ever be revealed. Although they really just need to conclusively prove that the Moscow-based server or forgot-to-VPN allegations are true in order to make the case.

    That’s all part of what makes Mueller’s latest indictments so intriguing. They claim to be conclusive but they’re issued against people who will almost certainly not face the indictment in court so it’s unclear if the evidence behind these allegations is ever going to be fleshed out. And it will be exceptionally unfortunate if they aren’t fleshed out because these were the most important indictments the Mueller team has made thus far in terms of understanding how the hack took place and who carried it out. If they can prove these allegations they proved the case. But if they can’t prove these allegations the core assertion of the US government that the GRU was behind the hacks will forever remain in the ‘trust us’ category and, at this point, we have no compelling reason to believe that conclusive evidence is going to be revealed. It’s almost a worst-case scenario for the case to end in a situation where the US government is essentially arguing, ‘we have the evidence, and it’s conclusive, but we can’t actually show it so you just have to trust that we have it’.

    Although the worst worst-case scenario is if the indictment is true. Because if there is conclusive evidence the GRU did the hacking we have to face the awful possibility that Putin basically went mad and decided to unleash an international hacking spree using hackers who leave all sorts of “I’m a Russian hacker” amateurish clues. That’s really bad. It’s one of the reasons the “I’m a Russian hacker” amateurish nature of the hacks was always such a big red flag about this hacking. If it’s true, that’s really bad and we really are in peril. Because that’s the kind of cyber-showdown dynamic that potentially any third-party can exacerbate with false-flag operations. And those false-flag operations will be exceptionally easy to pull off thanks to the inexplicably amateurish track-record of Russia’s hackers in recent years. Just today, we got the latest report from the US about Russian hackers infiltrating the control systems of US utilities. And given the apparently amateurish ‘brand’ that Russia’s hackers have adopted, all sorts of other actors can now easily impersonate ‘Russian hackers’ while pulling off those kinds of devastating hacks. Hacks that would guarantee a major response. And when that’s the dynamic, it’s a situation that’s out of Putin’s control and out of anyone else’s, which is why this was such an insane move if Putin actually ordered this. The metaphorical ‘400 pound guy from New Jersey’ in his basement really could spark a major conflict someday.

    But the peril that comes from potential cyber false-flags designed to spark a conflict between the two main nuclear powers is also why the purportedly conclusive nature of the evidence in this indictment is potentially good news and also an important precedent. Because, while Russia’s government has been blamed for the hacks all along almost exclusively based on circumstantial evidence/pattern recognition (and, we later learn, the claims of the Kremlin mole), it’s inherently dangerous if the technical evidence in the indictment was also just based on circumstantial evidence and pattern recognition. If it’s good enough for Crowdstrike, that doesn’t mean it’s good enough for a government, especially when the consequences are an escalation of a cyberwar and false-flag setups.

    But, again, the value of basing the indictment on at least one instance of specific evidence tied to the GRU is also why it will be very damaging to the Mueller case if the evidence conclusively tying this hack back to the GRU is never revealed and left in the ‘trust us’ category forever. And yet we have to face the reality that the evidence of that nature – the searches of a GRU server in Moscow – might be from a source that’s so sensitive that it can’t be revealed.

    More generally, this is going to keep happening in real cases for governments everywhere because governments are definitely going to be forced into ‘trust us’ situations in evidence in the cyber arena. Over and over. It’s unavoidable. Especially when the evidence was gathered from a hacked server run by the suspect rival intelligence agency. That’s the kind of evidence that potentially compromises the source by merely mentioning it exists. So even if the Mueller team ends up revealing conclusive evidence tying this back to the GRU and it’s not all left in the ‘trust us’ realm, there’s still the inherent problem that ‘trust us’ situations are going to come up in the future. Over and over.

    Plus, even if the Mueller team does eventually reveal the conclusive evidence – like a GRU server was searching for phrases that showed up in Guccifer 2.0’s posts – there’s still going to be a ‘trust us’ dynamic given the inherently spoofable nature of cyber evidence. That just comes with the territory. The US government can release search logs and the Russian government can say they were faked. And that’s the case for almost all cyber evidence. It’s digital. It can be faked. Trusting the investigators and sources of evidence is inherently important in solving these kinds of cybercrimes far more than other crimes. And there’s going to be a lot more cybercrimes with geopolitical consequences in the future. That’s more or less guaranteed.

    That ‘trust us, we have conclusive evidence’ aspect of this latest indictment is a reminder that one of the key lessons we should take from this entire #TrumpRussia nightmare experience is that it is very imperative that countries build governments people can trust. And not just the trust of domestic audiences but also international audiences. How can societies build trustworthy national security states? It was always an incredibly important question, but now it’s even more important thanks to our mass embrace of information technology and the legal and evidentiary peculiarities of the cyberlandscape.

    So, while the latest Mueller indictment is one of the first and only hacking indictments ever of this nature – where a government formally charges another government’s hackers with a cyber attack (Obama did it to Chinese government hackers in 2014) – it’s also just one of the first in what is inevitably going to be a long line of future government-to-government hacking charges. In other words, it’s setting a precedent. And that’s why it’s nice that the indictment appears to be based on some very specific evidence. But that evidence is all in the ‘trust us’ realm and might remain there indefinitely if the indictment never leads to the extradition of the GRU members. And that’s not actually a great precedent.

    And if it turns out the evidence is BS and/or faked, that’s obviously very catastrophic. But if it turns out to be real evidence, that’s even more catastrophic in the sense that it means Putin went mad and just decided to blatantly hack the shit out of the West and not hide it by leaving stunningly amateurish clues on each hack. So it’s an overall catastrophic situation, we just don’t quite know yet the nature of the catastrophe. And may not ever know. Which will perhaps be unavoidable due to the nature of the evidence. We’re going to be asked to trust national security states in the realm of cyber-evidence. It’s that kind of catastrophe.

    On the plus side, there’s no doubt more indictments to come from the Mueller team for US citizens who will actually have to face trial (like Roger Stone), so hopefully the various allegations against the GRU get fleshed out during those trials.

    Posted by Pterrafractyl | July 23, 2018, 10:25 pm
  8. There was a pair of new ‘Russian hacker’ stories this week that directly relate to the Trend Micro report issued back in January. That was the report where Trend Micro claimed with 100 percent certainty that ‘Fancy Bear’/APT28 was behind a series of fake websites and a phishing campaign designed to mimic ADFS (Active Directory Federation Services) websites that handle the US Senate’s email system based on finding digital fingerprints that uniquely tie the attackers back to two previous hacks attributed to Fancy Bear.

    Also recall that Trend Micro attributed the Macron hack to Fancy Bear with 99 percent certainty based on shared digital fingerprints for that hack with previous hacks attributed to Fancy Bear, but it turns out those shared digital fingerprints were sharing the same IP address blocks and similarities in malware used, especially relying on shared IP blocks which is extremely weak evidence. So the confidence that Trend Micro has in its attributions appears to be rather questionable. And if Trend Micro is correct about these Senate email hacks and it really was Russia’s GRU hackers behind it, it was another instance where they apparently aren’t trying to hide it at all and instead just reusing the same ‘digital fingerprints’ over and over in a manner that guarantees attribution will be tied back to ‘Fancy Bear’. It’s another one of those kinds of stories.

    And now, thanks to some comments by Microsoft executive Tom Burt during a security conference panel in Aspen last week (Burt’s comments are at ~12:00-19:00 in the YouTube video of the panel), the story of those Senate email phishing sites is back in the news. But it was actually treated as new news and a new phishing attempt against the US Senate because Burt actually misstates what happened and makes it sound like some new phishing sites were discovered earlier this year (as opposed to being publicly disclosed earlier this year after being found last year).

    That mistake aside, Burt reveals something new: it was apparently three specific Senate offices that were targeted in the phishing attempt, although he doesn’t reveal which Senators were targeted:

    BBC News

    Hackers ‘targeting US mid-term elections’

    By Chris Baraniuk Technology reporter
    20 July 2018

    At least three congressional candidates have been targeted by hackers ahead of the US mid-term elections, according to Microsoft.

    Tom Burt, an executive at the firm, made the revelation during a security conference panel in Colorado.

    The three candidates appear to have been targeted by phishing attacks, he told the audience.

    One cybersecurity expert said the hacking was probably an attempt to “undermine the democratic process”.

    US voters will go to the polls on 6 November to elect a swathe of new members of Congress, senators and state governors.

    Phishing attacks

    The tech giant discovered the apparent foul play after checking fake Microsoft web domains that had been associated with espionage in 2016.

    A group exploiting the domains is known by many as “Fancy bear” but has been dubbed “Strontium” by Microsoft.

    Some cybersecurity firms, including SecureWorks and Mandiant, believe the hackers are linked to Russian intelligence.

    Russia has consistently denied allegations of hacking.

    Mr Burt told the Aspen Security Forum attendees: “Earlier this year, we did discover that a fake Microsoft domain had been established as the landing page for phishing attacks and we saw metadata that suggested those phishing attacks were being directed at three candidates who were all standing for election in the mid-term elections.”

    In other words, the hackers tried to trick the candidates into visiting a bogus Microsoft web page.

    Mr Burt did not name the affected candidates but said they were all potentially “interesting targets from an espionage standpoint”.

    He added that the hackers were not successful in accessing the three candidates and that the fake Microsoft domain had been taken down.

    The hackers might have been trying to gain access to the candidates’ personal messages or emails, for example, said cybersecurity expert Prof Alan Woodward at the University of Surrey.

    “If you can grab emails… you can start making people look bad,” he said.

    “I think the primary motive is to undermine the democratic process so it doesn’t matter which candidate they manage to subvert.”

    Last week, the US Director of National Intelligence said Russian attempts at hacking US targets remained “persistent… regardless of whether it is election time or not”.

    Prof Woodward told the BBC: “Every single intelligence agency, including the British ones, have said it’s ongoing, it’s an ongoing onslaught and the finger seems to point at Russia.”

    ———-

    “Hackers ‘targeting US mid-term elections'” by Chris Baraniuk; BBC News; 07/20/2018

    “Mr Burt told the Aspen Security Forum attendees: “Earlier this year, we did discover that a fake Microsoft domain had been established as the landing page for phishing attacks and we saw metadata that suggested those phishing attacks were being directed at three candidates who were all standing for election in the mid-term elections.””

    So, according to Burt, Microsoft discovered a fake domain set up for phishing passwords from three US candidates. And this was earlier this year. As we’ll see, this was a mistake and he’s referring to the domains that were discovered last year and publicly revealed earlier this year.

    But Burt wouldn’t say which candidates:


    The tech giant discovered the apparent foul play after checking fake Microsoft web domains that had been associated with espionage in 2016.

    A group exploiting the domains is known by many as “Fancy bear” but has been dubbed “Strontium” by Microsoft.

    Some cybersecurity firms, including SecureWorks and Mandiant, believe the hackers are linked to Russian intelligence.

    Russia has consistently denied allegations of hacking.

    In other words, the hackers tried to trick the candidates into visiting a bogus Microsoft web page.

    Mr Burt did not name the affected candidates but said they were all potentially “interesting targets from an espionage standpoint”.

    He added that the hackers were not successful in accessing the three candidates and that the fake Microsoft domain had been taken down.

    Ok, so how do we know that Burt wasn’t referring to a new set of domains discovered this year phishing for credentials to the Senate email system? Well, as the following article makes clear, Mr Burt misspoke and was actually referring to the phishing sites taken down last year.

    The article also reveals the identity of one of the targets of the phishing campaign: Democratic Senator Claire McCaskill, who is up for reelection this year and considered one of the most vulnerable Democrats up for reelection.

    The article also informs us that the attribution to Fancy Bear was important for allowing Microsoft to actually thwart the hack. Thanks to a lawsuit Microsoft filed against Fancy Bear, Microsoft now has the legal right in the US to seize any domains used by Fancy Bear intended to spoof a Microsoft domain. This is what allowed Microsoft to rapidly and legally seize the domains used in the Senate email phishing in October and redirect the traffic to a Microsoft-controlled server. Time was of the essence and it was that successful lawsuit against Fancy Bear that enabled Microsoft to act fast in taking down the phishing site.

    And that points towards a rather disturbing new dimension to the current hyper-focus on Russian hacking to the near exclusion of all other sources of hacking: if rapidly and legally taking control of phishing domains can only be done when the hack is attributed to a previously sued hacking group like Fancy Bear, that’s going to create a powerful incentive to attribute future hacks to those past culprits regardless of the real strength of the evidence:

    The Daily Beast

    Russian Hackers’ New Target: a Vulnerable Democratic Senator

    Andrew Desiderio
    Kevin Poulsen
    07.26.18 5:22 PM ET

    The Russian intelligence agency behind the 2016 election cyberattacks targeted Sen. Claire McCaskill as she began her 2018 re-election campaign in earnest, a Daily Beast forensic analysis reveals. That makes the Missouri Democrat the first identified target of the Kremlin’s 2018 election interference.

    McCaskill, who has been highly critical of Russia over the years, is widely considered to be among the most vulnerable Senate Democrats facing re-election this year as Republicans hope to hold their slim majority in the Senate. In 2016, President Donald Trump defeated Hillary Clinton by almost 20 points in the senator’s home state of Missouri.

    There’s no evidence to suggest that this attempt to lure McCaskill staffers was successful. The precise purpose of the approach was also unclear. Asked about the hack attempt by Russia’s GRU intelligence agency, McCaskill told The Daily Beast on Thursday that she wasn’t yet prepared to discuss it.

    “I’m not going to speak of it right now,” she said. “I think we’ll have something on it next week. I’m not going to speak about it right now. I can’t confirm or do anything about it right now.”

    The senator later released a statement asserting that the cyberattack was unsuccessful.

    “Russia continues to engage in cyber warfare against our democracy. I will continue to speak out and press to hold them accountable,” McCaskill said. “While this attack was not successful, it is outrageous that they think they can get away with this. I will not be intimidated. I’ve said it before and I will say it again, Putin is a thug and a bully.”

    In August 2017, around the time of the hack attempt, Trump traveled to Missouri and chided McCaskill, telling the crowd to “vote her out of office.” Just this last week, however, Trump said, on Twitter, that he feared Russians would intervene in the 2018 midterm elections on behalf of Democrats.

    The revelations of the attempted hack of McCaskill staffers comes just weeks after Special Counsel Robert Mueller indicted 12 Russian intelligence officers, accusing them of orchestrating cyberattacks that targeted the Democratic National Committee, the Democratic Congressional Campaign Committee, and Clinton’s campaign in 2016.

    On Friday, Trump is scheduled to chair a meeting of the National Security Council on election vulnerabilities facing the midterm elections—amid persistent criticism, particularly after his Helsinki meeting with Russian President Vladimir Putin, that he isn’t taking Russian interference seriously.

    The attempt against McCaskill’s office was a variant of the password-stealing technique used by Russia’s so-called “Fancy Bear” hackers against Clinton’s campaign chairman, John Podesta, in 2016.

    The hackers sent forged notification emails to Senate targets claiming the target’s Microsoft Exchange password had expired, and instructing them to change it. If the target clicked on the link, he or she was taken to a convincing replica of the U.S. Senate’s Active Directory Federation Services (ADFS) login page, a single sign-on point for e-mail and other services.

    As with the Podesta phishing, each Senate phishing email had a different link coded with the recipient’s email address. That allowed the fake password-change webpage to display the user’s email address when they arrived, making the site more convincing.

    In October, Microsoft wrested control of one of the spoofed website addresses—adfs.senate.qov.info. Seizing the Russians’ malicious domain names has been easy for Microsoft since August 2017, when a federal judge in Virginia issued a permanent injunction against the GRU hackers, after Microsoft successfully sued them as unnamed “John Doe” defendants. The court established a process that lets Microsoft take over any web addresses the hackers use that includes a Microsoft trademark.

    Microsoft redirected the traffic from the fake Senate site to its own sinkhole server, putting it in a prime position to view targets trying to click through to change their passwords.

    The Daily Beast identified McCaskill as a target while investigating statements made by Microsoft VP Tom Burt last week in an appearance at the Aspen Security Forum. Burt discussed the Virginia injunction, and told the audience that it allowed Microsoft to thwart a phishing campaign against three midterm election candidates, who he declined to name.

    “We did discover that a fake Microsoft domain had been established as the landing page for phishing attacks, and we saw metadata that suggested those phishing attacks were being directed at three candidates who are all standing for elections in the midterm elections,” said Burt, Microsoft’s corporate vice president for customer security and trust. “We took down that domain and working with the government actually were able to avoid anybody being infected by that particular attack.”

    The most recent domain seizures recorded in the Virginia case took place between August and December of last year, when Microsoft grabbed seven malicious web addresses, including the “qov.info” address. A report from the security company Trend Micro released in January listed that address and the role it played in a Senate phishing campaign against unnamed targets.

    A snapshot of a deep link on the phishing site taken September 26th by a website security scanner showed the fake password-change page with the Senate email address of a McCaskill policy aide on display.

    There is a notable divide between Congress and the Trump administration over the vulnerability of the 2018 election to Russian election interference.

    In March, the Senate Intelligence Committee warned state election officials to make cybersecurity a “high priority” for their election systems, particularly over voter databases, and urged the states to bolster their coordination with the Department of Homeland Security. But the secretary of Homeland Security, Kirstjen Nielsen, appeared earlier this month to downplay the threat. While “adversaries and nonstate actors” consider U.S. elections a persistent target, Nielsen said there are “no indications that Russia is targeting the 2018 U.S. midterms at a scale or scope to match their activities in 2016.”

    By contrast, Dan Coats, the embattled director of national intelligence, testified in February that Russia considered its 2016 election hacking a success. Putin “views the 2018 U.S. midterm elections as a potential target for Russian influence operations,” Coats told the Senate intelligence panel. Last week, after being rebuked by Trump beside Putin in Helsinki, Coats reiterated his concern about Russia’s “ongoing, pervasive efforts to undermine our democracy.”

    Earlier this year, Congress appropriated $380 million, as part of a broader spending package, to individual states for election security. The Senate is currently weighing whether to authorize an additional $250 million in similar grants.

    A spokesperson for the Senate Intelligence Committee declined to comment, as did a spokesperson for Mark Warner, the top Democrat on the panel.

    McCaskill is one of 10 Senate Democrats facing re-election this year in states that Trump won in 2016. Her likely Republican challenger is Josh Hawley, who currently serves as the state’s attorney general. Outside groups and campaign committees have spent more than $15.5 million against McCaskill so far.

    McCaskill has spoken out forcefully against Moscow, likening Russian election-meddling to “a form of warfare” and calling Putin a “thug and a bully.” She was also caught up in the Podesta hack, which was revealed when WikiLeaks released the Clinton campaign chair’s private email communications. The document dump showed that McCaskill called Podesta to inform him that she had “info” about an individual working in the State Department’s inspector general’s office, which at the time was investigating Clinton’s private email server. The “info” was that a top aide at the inspector general’s office once worked for a Republican senator, Chuck Grassley of Iowa.

    McCaskill’s criticisms of WikiLeaks stretch back nearly a decade. In 2010, she and Sen. Lindsey Graham (R-S.C.) called for prosecutions of individuals who send classified information to WikiLeaks. Earlier this month, Mueller’s GRU indictment included Russian intelligence officers who, through the Guccifer2.0 persona, are accused of funnelling the hacked 2016 data to WikiLeaks.

    ———–

    “Russian Hackers’ New Target: a Vulnerable Democratic Senator” by Andrew Desiderio and Kevin Poulsen; The Daily Beast; 07/26/2018

    “The Russian intelligence agency behind the 2016 election cyberattacks targeted Sen. Claire McCaskill as she began her 2018 re-election campaign in earnest, a Daily Beast forensic analysis reveals. That makes the Missouri Democrat the first identified target of the Kremlin’s 2018 election interference.”

    It’s a Daily Beast “forensic analysis”. Is that hyperbole or is the Daily Beast actually doing forensic analysis of hacks now? Regardless, the conclusions of the Daily Beast forensic analysis appear to be identical to Trend Micro’s analysis of the Senate email phishing sites when they were discovered last year: it was Fancy Bear.

    The specific phishing attempt against McCaskill’s office appears to have started around August of 2017. The phishing emails were pretty standard: they claimed to be from the Senate Microsoft Exchange server indicating a password expiration, and if people clicked on the link they were taken to a fake version of the Senate’s Active Directory Federation Services (ADFS) login page:


    In August 2017, around the time of the hack attempt, Trump traveled to Missouri and chided McCaskill, telling the crowd to “vote her out of office.” Just this last week, however, Trump said, on Twitter, that he feared Russians would intervene in the 2018 midterm elections on behalf of Democrats.

    The attempt against McCaskill’s office was a variant of the password-stealing technique used by Russia’s so-called “Fancy Bear” hackers against Clinton’s campaign chairman, John Podesta, in 2016.

    The hackers sent forged notification emails to Senate targets claiming the target’s Microsoft Exchange password had expired, and instructing them to change it. If the target clicked on the link, he or she was taken to a convincing replica of the U.S. Senate’s Active Directory Federation Services (ADFS) login page, a single sign-on point for e-mail and other services.

    As with the Podesta phishing, each Senate phishing email had a different link coded with the recipient’s email address. That allowed the fake password-change webpage to display the user’s email address when they arrived, making the site more convincing.

    It’s worth recalling how the Trend Micro report on this phishing campaign described it as not being “advanced in nature” and in keeping with a pattern of Fancy Bear (which Trend Micro calls “PawnStorm”) using the same ‘script’ over and over.

    And to make it clear that Mr Burt was incorrect when he claimed that Microsoft discovered these Senate email phishing domains earlier this year, the article notes that Microsoft actually obtained control of one of the spoofed domains for the ADFS server in October. And Microsoft was able to seize those domains so rapidly thanks to its successful lawsuit against Fancy Bear that made it possible for Microsoft to rapidly seize fake domains spoofing Microsoft domains if it’s Fancy Bear doing the spoofing:


    In October, Microsoft wrested control of one of the spoofed website addresses—adfs.senate.qov.info. Seizing the Russians’ malicious domain names has been easy for Microsoft since August 2017, when a federal judge in Virginia issued a permanent injunction against the GRU hackers, after Microsoft successfully sued them as unnamed “John Doe” defendants. The court established a process that lets Microsoft take over any web addresses the hackers use that includes a Microsoft trademark.

    Microsoft redirected the traffic from the fake Senate site to its own sinkhole server, putting it in a prime position to view targets trying to click through to change their passwords.

    And it sounds like the period when Microsoft was seizing domains assumed to be run by Fancy Bear was from August to December of 2017. This is based on the records of the legal case Microsoft has against Fancy Bear:


    The most recent domain seizures recorded in the Virginia case took place between August and December of last year, when Microsoft grabbed seven malicious web addresses, including the “qov.info” address. A report from the security company Trend Micro released in January listed that address and the role it played in a Senate phishing campaign against unnamed targets.

    A snapshot of a deep link on the phishing site taken September 26th by a website security scanner showed the fake password-change page with the Senate email address of a McCaskill policy aide on display.

    And that all clarifies that there wasn’t a new set of phishing sites identified by Microsoft in early 2018. When Microsoft executive Tom Burt told the audience at the security conference in Aspen last week that Microsoft discovered phishing sites targeting three US candidates earlier this year, he was erroneously referring to the public disclosure about this phishing campaign that was made in January of 2018 with Trend Micro’s report, where they attributed this phishing campaign to Fancy Bear with 100 percent certainty. And Microsoft took control of those domains from August to December of 2017 using its lawsuit against Fancy Bear. A lawsuit that required the phishing sites be attributed to Fancy Bear to allow for the rapid takeover of the phishing domains.

    And that’s all why the 100 percent certainty of Trend Micro’s attribution of the Senate email phishing campaign should probably be expected for a lot more cyber attack attributions going forward. Certainty will help in overcoming legal obstacles to actions required to stop the phishing campaigns, like seizing domains. It’s just an inherent aspect of how implementing the rule of law is going to create some biases in the cyber-attribution realm. When cybersecurity firms are attributing a hack, it’s going to be convenient to attribute it to an entity your client has a court order against for a previous hacking attempt when seizing domains is an option. And that’s also an additional incentive for third parties to leave ‘Fancy Bear’ digital fingerprints (like using the same web hosting service with the same IP address blocks).

    And if Trend Micro and Microsoft are correct in their Fancy Bear attribution for this phishing campaign, it’s just one more high profile incident of Fancy Bear trying to get caught. Because think about it: imagine ‘Fancy Bear’ deciding to leave the same digital ‘fingerprints’ in a US Senate email spearphishing campaign that tie the hack back to previous hacks already attributed to Fancy Bear in 2015 and 2016. With every hack it’s seeming easier to attribute it because it’s like a growing trail of previous hacks. The same malware and same command and control servers or VPNs or whatever the particular ‘digital fingerprints’ that got previously attributed to Fancy Bear. That’s asking to get caught, which is what Fancy Bear apparently tries to do over and over. This Senate email phishing campaign is just one piece of a much larger puzzle. That puzzle being the exact strategy of blatant self-attributing hacking that Putin is apparently employing. It seems like a strategy designed to turn Russia into some sort of hacking pariah, so that’s really scary if this is actually Putin’s hacking project.

    It’s also really scary if it’s the GOP pretending to be Fancy Bear. Or neo-Nazis or whatever. That’s a different kind of really scary and much, much scarier given the current context.

    Posted by Pterrafractyl | July 29, 2018, 9:23 pm
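The Daily Beast passage quoted in the comment above describes the two concrete features of the Senate phishing campaign: a lookalike host (adfs.senate.qov.info, with “q” standing in for “g”) serving a replica ADFS sign-on page, and a per-recipient link carrying the target’s email address so the fake page could greet them by name. The following is an added example, not code from the page, from Trend Micro or from Microsoft, showing how a mail gateway or SOC script could triage password-reset links for exactly those traits. The allowlist of genuine sign-on domains, the confusable-character table, the scoring and the sample messages are all assumptions constructed for this example.

```python
"""Heuristic triage of password-reset links for lookalike sign-on domains and
per-recipient tracking. Added example; all domains, sample messages and
thresholds below are constructed for illustration."""
import re
from urllib.parse import urlparse, unquote

# Assumed allowlist of the organisation's genuine sign-on domains (an assumption).
LEGIT_DOMAINS = ("senate.gov", "microsoft.com")

# Character substitutions commonly used to forge a visually similar hostname;
# the quoted article's own example swaps "q" for "g" in "qov".
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("q", "g"), ("0", "o"), ("1", "l"))

# Path of the ADFS single sign-on endpoint on a genuine federation server.
ADFS_PATH = re.compile(r"/adfs/ls/?", re.IGNORECASE)


def normalize_host(host):
    """Lower-case a hostname and collapse common visual confusables."""
    host = host.lower().rstrip(".")
    for fake, real in CONFUSABLES:
        host = host.replace(fake, real)
    return host


def registrable_domain(host):
    """Last two labels of a host (simplification: ignores multi-part public suffixes)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def lookalike_of(host):
    """Return the legitimate domain a host imitates, or None if it is genuine/unrelated."""
    norm = normalize_host(host)
    reg = registrable_domain(norm)
    if reg in LEGIT_DOMAINS:
        return None  # registered under the real domain
    labels = norm.split(".")
    for legit in LEGIT_DOMAINS:
        legit_labels = legit.split(".")
        # Genuine labels appearing as a contiguous run inside a host registered
        # elsewhere, e.g. adfs.senate.qov.info -> adfs.senate.gov.info
        for i in range(len(labels) - len(legit_labels) + 1):
            if labels[i:i + len(legit_labels)] == legit_labels:
                return legit
        # Brand name reused as the second-level label of another registration,
        # e.g. micros0ft-secure.com (heuristic; can produce false positives)
        if legit_labels[0] in reg.split(".")[0]:
            return legit
    return None


def recipient_in_link(url, recipient):
    """True if the recipient's address is encoded in the link (per-target tracking)."""
    return recipient.lower() in unquote(url).lower()


def triage_link(url, recipient):
    """Score one password-reset link; returns (score, list of reasons)."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    reasons = []
    imitated = lookalike_of(host)
    if imitated:
        reasons.append(f"host {host} imitates {imitated}")
    if recipient_in_link(url, recipient):
        reasons.append("recipient address embedded in link")
    if imitated and ADFS_PATH.search(parsed.path):
        reasons.append("ADFS sign-on path served from a non-organisation host")
    if parsed.scheme != "https":
        reasons.append("link is not HTTPS")
    return len(reasons), reasons


# Constructed sample gateway records: recipient plus the link found in the message.
SAMPLE_MESSAGES = [
    {"to": "policy.aide@example-office.senate.gov",
     "url": "https://adfs.senate.qov.info/adfs/ls/?wa=wsignin1.0"
            "&username=policy.aide%40example-office.senate.gov"},
    {"to": "policy.aide@example-office.senate.gov",
     "url": "https://adfs.senate.gov/adfs/ls/?wa=wsignin1.0"},
    {"to": "staffer@example.org",
     "url": "http://login.micros0ft-secure.com/reset?id=7f3a"},
]


def triage_all(messages):
    """Run triage_link over a list of {"to", "url"} records."""
    return [triage_link(m["url"], m["to"]) for m in messages]


if __name__ == "__main__":
    for msg, (score, reasons) in zip(SAMPLE_MESSAGES, triage_all(SAMPLE_MESSAGES)):
        print(f"{'SUSPICIOUS' if score else 'ok':10} {msg['url']}")
        for reason in reasons:
            print("   -", reason)
```

Run against the constructed records, the first link is flagged on all three traits (imitated senate.gov host, recipient address in the query string, ADFS path on a foreign host), the genuine adfs.senate.gov link scores zero, and the third link is flagged for the digit-for-letter brand lookalike and plain HTTP. The registrable-domain check is deliberately simple (last two labels) and would need a public-suffix list for hosts under suffixes like co.uk; the brand-substring rule trades some false positives for catching hyphenated lookalikes.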
