Spitfire List Web site and blog of anti-fascist researcher and radio personality Dave Emory.

For The Record  

FTR #943 The Gehlen Gang, the High-Profile Hacks and the New Cold War


This broadcast was recorded in one 60-minute segment.

Introduction: One of the foundational elements of Mr. Emory’s work over the decades has been the Reinhard Gehlen “Org.”

Beginning as the Eastern Front intelligence organization of the Third Reich under General Reinhard Gehlen, the organization then jumped to the CIA, becoming its department of Russian and Eastern affairs. It became the de facto NATO intelligence organization and, ultimately, the BND.

Incorporating large numbers of SS and Gestapo veterans, it manifested continuity with the Third Reich chain of command and was ultimately responsible to the remarkable and deadly Bormann capital network.

In this program, we examine the role of Ukrainian fascists evolved from the milieu of the OUN/B and other elements ultimately associated with, and/or evolved from, the “Org” in the development of the meme of “Russia/Putin/Kremlin did it.” The “it” in question are the high-profile hacks: the hacking of the DNC and Podesta computers and e-mail accounts, the “non-hack” of the NSA by the so-called Shadow Brokers and earlier hacks of the German Bundestag.

First, we review, for the convenience of the listener/reader, key points of analysis presented in previous programs about the high-profile hacks:

Points of information reviewed include:

  • Evidence suggesting that Russia was NOT behind the DNC hacks. “. . . . None of the technical evidence is convincing. It would only be convincing if the attackers used entirely novel, unique, and sophisticated tools with unmistakable indicators pointing to Russia supported by human intelligence, not by malware analysis. The DNC attackers also had very poor, almost comical, operational security (OPSEC). State actors tend to have a quality assurance review when developing cyberattack tools to minimize the risk of discovery and leaving obvious crumbs behind. Russian intelligence services are especially good. They are highly capable, tactically and strategically agile, and rational. They ensure that offensive tools are tailored and proportionate to the signal they want to send, the possibility of disclosure and public perception, and the odds of escalation. The shoddy OPSEC just doesn’t fit what we know about Russian intelligence. . . . Given these arguments, blaming Russia is not a slam dunk. Why would a country with some of the best intelligence services in the world commit a whole series of really stupid mistakes in a highly sensitive operation? Why pick a target that has a strong chance of leading to escalatory activity when Russia is known to prefer incremental actions over drastic ones? Why go through the trouble of a false flag when doing nothing would have been arguably better? . . . .”
  • Information indicating that the NSA “hack” may well not have been a hack at all, but the work of an insider downloading the information onto a USB drive. “. . . Their claim to have ‘hacked’ a server belonging to the NSA is fishy. According to ex-NSA insiders who spoke with Business Insider, the agency’s hackers don’t just put their exploits and toolkits online where they can potentially be pilfered. The more likely scenario for where the data came from, says ex-NSA research scientist Dave Aitel, is an insider who downloaded it onto a USB stick. . . . When hackers gain access to a server, they keep quiet about it so they can stay there. . . . One of the many strange things about this incident is the very public nature of what transpired. When a hacker takes over your computer, they don’t start activating your webcam or running weird programs because you’d figure out pretty quickly that something was up and you’d try to get rid of them. . . . If the Shadow Brokers owned the NSA’s command and control server, then it would probably be a much better approach to just sit back, watch, and try to pivot to other interesting things that they might be able to find. . . . People sell exploits all the time, but they hardly ever talk about it. . . . Most of the time, an exploit is either found by a security research firm, which then writes about it and reports it to the company so it can fix the problem. Or, a hacker looking for cash will take that found exploit and sell it on the black market. So it would make sense for a group like Shadow Brokers to want to sell their treasure trove, but going public with it is beyond strange. . . .”
  • Eddie the Friendly Spook endorsed the cover story of the Shadow Brokers’ NSA “hack”–that the event was a hack (despite indicators to the contrary) and that Russia did it. “. . . If you ask ex-NSA contractor Edward Snowden, the public leak and claims of the Shadow Brokers seem to have Russian fingerprints all over them, and it serves as a warning from Moscow to Washington. The message: If your policymakers keep blaming us for the DNC hack, then we can use this hack to implicate you in much more. ‘That could have significant foreign policy consequences,’ Snowden wrote on Twitter. ‘Particularly if any of those operations targeted US allies. Particularly if any of those operations targeted elections.’ . . .”
  • The code in the files was from 2013, when Snowden undertook his “op.” “. . . . The code released by the Shadow Brokers dates most recently to 2013, the same year Edward Snowden leaked classified information about the NSA’s surveillance programs. . . . Snowden also noted that the released files end in 2013. ‘When I came forward, NSA would have migrated offensive operations to new servers as a precaution,’ he suggested — a move that would have cut off the hackers’ access to the server. . . .”
  • Author James Bamford highlighted circumstantial evidence that WikiLeaker Jacob Appelbaum–who appears to have facilitated Snowden’s journey from Hawaii to Hong Kong–may have been behind the Shadow Brokers non-hack. “. . . . There also seems to be a link between Assange and the leaker who stole the ANT catalog, and the possible hacking tools. Among Assange’s close associates is Jacob Appelbaum, a celebrated hacktivist and the only publicly known WikiLeaks staffer in the United States – until he moved to Berlin in 2013 in what he called a ‘political exile’ because of what he said was repeated harassment by U.S. law enforcement personnel. In 2010, a Rolling Stone magazine profile labeled him ‘the most dangerous man in cyberspace.’ In December 2013, Appelbaum was the first person to reveal the existence of the ANT catalog, at a conference in Berlin, without identifying the source. That same month he said he suspected the U.S. government of breaking into his Berlin apartment. He also co-wrote an article about the catalog in Der Spiegel. But again, he never named a source, which led many to assume, mistakenly, that it was Snowden. . . .”
  • Appelbaum was anti-Clinton, sentiments expressed in the clumsy Boris and Natasha-like broken English that accompanied announcement of the Shadow Brokers’ gambit. “. . . . Shortly thereafter, he [Appelbaum] turned his attention to Hillary Clinton. At a screening of a documentary about Assange in Cannes, France, Appelbaum accused her of having a grudge against him and Assange, and that if she were elected president, she would make their lives difficult. ‘It’s a situation that will possibly get worse’ if she is elected to the White House, he said, according to Yahoo News. . . . In hacktivist style, and in what appears to be phony broken English, this new release of cyberweapons also seems to be targeting Clinton. It ends with a long and angry ‘final message’ against ‘Wealthy Elites . . . breaking laws’ but ‘Elites top friends announce, no law broken, no crime commit[ed]. . . Then Elites run for president. Why run for president when already control country like dictatorship?’ . . .”

We continue our analysis with information about the stunning, unsubstantiated allegation that Russia was behind the hacks:

  • The joint CIA/FBI/NSA declassified version of the Intelligence Report on Russian hacking came out. There is no substantive detail in the report: “. . . . To summarize, the report says that the CIA, FBI, and National Security Agency believe that Russian hackers—directed ultimately by Vladimir Putin—hacked email accounts belonging to the Democratic National Committee and to Clinton campaign chairman John Podesta and then passed the material they obtained on to WikiLeaks through a third party. This was done, the report asserts, because the Russians believed that Donald Trump would be friendlier to their country’s interests, as president, than Hillary Clinton. And … that’s about it. Not counting intro pages or appendices, the report is five pages long and does not include any description of the actual evidence that Russian actors were responsible for the DNC/Podesta hacks (an assertion that’s supported by publicly available evidence analyzed by third parties) or the assertion that Putin ultimately directed the release of hacked material in order to help elect Donald Trump (an assertion that’s harder to verify independently). . . . .”
  • The Bitly technology used in the hacks enabled the entire world to see what was going on! This strongly indicates a cyber-false flag operation: “. . . . Using Bitly allowed ‘third parties to see their entire campaign including all their targets— something you’d want to keep secret,’ Tom Finney, a researcher at SecureWorks, told Motherboard. It was one of Fancy Bear’s ‘gravest mistakes,’ as Thomas Rid, a professor at King’s College who has closely studied the case, put it in a new piece published on Thursday in Esquire, as it gave researchers unprecedented visibility into the activities of Fancy Bear, linking different parts of its larger campaign together. . . .”
  • It should be noted that while this report is signed off on by the CIA, NSA, and FBI, the FBI never examined the DNC’s hacked server. Instead, according to the DNC, the job was outsourced to CrowdStrike! Neither the FBI, nor any other U.S. government entity has run an independent forensic analysis on the system! “. . . Six months after the FBI first said it was investigating the hack of the Democratic National Committee’s computer network, the bureau has still not requested access to the hacked servers, a DNC spokesman said. No US government entity has run an independent forensic analysis on the system, one US intelligence official told BuzzFeed News. . . . The FBI has instead relied on computer forensics from a third-party tech security company, CrowdStrike, which first determined in May of last year that the DNC’s servers had been infiltrated by Russia-linked hackers, the U.S. intelligence official told BuzzFeed News. . . ‘CrowdStrike is pretty good. There’s no reason to believe that anything that they have concluded is not accurate,’ the intelligence official said, adding they were confident Russia was behind the widespread hacks. . . It’s unclear why the FBI didn’t request access to the DNC servers, and whether it’s common practice when the bureau investigates the cyberattacks against private entities by state actors, like when the Sony Corporation was hacked by North Korea in 2014. BuzzFeed News spoke to three cybersecurity companies who have worked on major breaches in the last 15 months, who said that it was ‘par for the course’ for the FBI to do their own forensic research into the hacks. None wanted to comment on the record on another cybersecurity company’s work, or the work being done by a national security agency. . . .”
  • The FBI claims that the DNC denied them access to the servers! Right! Note the prominence of CrowdStrike in this imbroglio. More about them below. “. . . . The FBI struck back at the Democratic National Committee on Thursday, accusing it of denying federal investigators access to its computer systems and hamstringing its investigation into the infiltration of DNC servers by Russia-backed hackers. ‘The FBI repeatedly stressed to DNC officials the necessity of obtaining direct access to servers and data, only to be rebuffed until well after the initial compromise had been mitigated. This left the FBI no choice but to rely upon a third party for information,’ a senior law enforcement official told BuzzFeed News in a statement. ‘These actions caused significant delays and inhibited the FBI from addressing the intrusion earlier.’ . . . The warring statements are the latest twists in an extraordinary standoff between the Democrats and federal investigators that reached a fever pitch over the bureau’s probe into Democratic nominee Hillary Clinton’s private email server. . . . The FBI announced it was investigating the hack of the DNC’s servers in July, after a third-party computer security firm, CrowdStrike, said it had evidence of Kremlin-backed hackers infiltrating its system. . . .”
  • The DNC responded to the FBI’s counter-assertion by reasserting that it’s giving the FBI full access to whatever it requested. If there’s a problem with the FBI getting access to that server, it’s a problem between the FBI and CrowdStrike: “. . . The FBI had previously told lawmakers on the Hill that the DNC had not allowed federal investigators to access their servers. After BuzzFeed News reported on Wednesday that the DNC claimed FBI agents had never asked for the servers, congressional officials pressured the FBI for answers. A senior law enforcement official issued a public statement on the matter Thursday night. ‘Someone is lying their ass off,’ a US intelligence official said of the warring statements. But officials with the DNC still assert they’ve ‘cooperated with the FBI 150%. They’ve had access to anything they want. Anything that they desire. Anything they’ve asked, we’ve cooperated,’ the DNC official said. ‘If anybody contradicts that it’s between CrowdStrike and the FBI.’ . . . Without direct access to the computer network, another US intelligence official told BuzzFeed, federal investigators had been forced to rely on the findings of the private cybersecurity firm CrowdStrike for computer forensics. From May through August of 2016, the Democratic National Committee paid CrowdStrike $267,807 for maintenance, data services and consulting, among other things, according to federal records. . . .”
  • An important article underscores that many tech experts disagree with the government’s so-called analysis: “. . . . Yet despite the scores of breathless media pieces that assert that Russia’s interference in the election is ‘case closed,’ might some skepticism be in order? Some cyber experts say ‘yes.’ . . . Cyber-security experts have also weighed in. The security editor at Ars Technica observed that ‘Instead of providing smoking guns that the Russian government was behind specific hacks,’ the government report ‘largely restates previous private sector claims without providing any support for their validity.’ Robert M. Lee of the cyber-security company Dragos noted that the report ‘reads like a poorly done vendor intelligence report stringing together various aspects of attribution without evidence.’ Cybersecurity consultant Jeffrey Carr noted that the report ‘merely listed every threat group ever reported on by a commercial cybersecurity company that is suspected of being Russian-made and lumped them under the heading of Russian Intelligence Services (RIS) without providing any supporting evidence that such a connection exists.’ . . .”
  • CrowdStrike–at the epicenter of the supposed Russian hacking controversy–is noteworthy. Its co-founder and chief technology officer, Dmitri Alperovitch, is a senior fellow at the Atlantic Council, financed by elements that are at the foundation of fanning the flames of the New Cold War: “In this respect, it is worth noting that one of the commercial cybersecurity companies the government has relied on is CrowdStrike, which was one of the companies initially brought in by the DNC to investigate the alleged hacks. . . . Dmitri Alperovitch is also a senior fellow at the Atlantic Council. . . . The connection between [CrowdStrike co-founder and chief technology officer Dmitri] Alperovitch and the Atlantic Council has gone largely unremarked upon, but it is relevant given that the Atlantic Council—which is funded in part by the US State Department, NATO, the governments of Latvia and Lithuania, the Ukrainian World Congress, and the Ukrainian oligarch Victor Pinchuk—has been among the loudest voices calling for a new Cold War with Russia. As I pointed out in the pages of The Nation in November, the Atlantic Council has spent the past several years producing some of the most virulent specimens of the new Cold War propaganda. . . .”
  • There was an update back in December from the German government regarding its assessment of the 2015 Bundestag hacks (attributed to “Fancy Bear” and “Cozy Bear,” as mentioned in the Sandro Gaycken piece presented below) that it attributed to APT28 and Russia: while it asserts the hacks did indeed take place, the leaked documents were later determined to be an insider leak (via Google translate). “. . . . According to the report, federal security authorities are convinced that not hackers had stolen the 2420 documents published by the Internet platform Wikileaks in early December. There was certainly no evidence that the material had been stolen in the cyber attack on the Bundestag in 2015, it was called into security crises. . . .”
  • Another article details at length the skepticism and outright scorn many cybersecurity experts feel concerning the report. “. . . . Did the Russian government hack the DNC and feed documents to WikiLeaks? There are really two questions here: who hacked the DNC, and who released the DNC documents? These are not necessarily the same. An earlier intrusion into German parliament servers was blamed on the Russians, yet the release of documents to WikiLeaks is thought to have originated from an insider. [35] Had the Russians hacked into the DNC, it may have been to gather intelligence, while another actor released the documents. But it is far from certain that Russian intelligence services had anything to do with the intrusions. Julian Assange says that he did not receive the DNC documents from a nation-state. It has been pointed out that Russia could have used a third party to pass along the material. Fair enough, but former UK diplomat Craig Murray asserts: ‘I know who the source is… It’s from a Washington insider. It’s not from Russia.’ [We wonder if it might have been Tulsi Gabbard–D.E.] [36] . . . .”
  • Exemplifying some of the points of dissension in the above-linked story: “. . . . Cybersecurity analyst Robert Graham was particularly blistering in his assessment of the government’s report, characterizing it as ‘full of garbage.’ The report fails to tie the indicators of compromise to the Russian government. ‘It contains signatures of viruses that are publicly available, used by hackers around the world, not just Russia. It contains a long list of IP addresses from perfectly normal services, like Tor, Google, Dropbox, Yahoo, and so forth. Yes, hackers use Yahoo for phishing and maladvertising. It doesn’t mean every access of Yahoo is an ‘indicator of compromise’.’ Graham compared the list of IP addresses against those accessed by his web browser, and found two matches. ‘No,’ he continues. ‘This doesn’t mean I’ve been hacked. It means I just had a normal interaction with Yahoo. It means the Grizzly Steppe IoCs are garbage.’ . . .”
  • The source code used in the attacks traces back to Ukraine! “. . . . In conjunction with the report, the FBI and Department of Homeland Security provided a list of IP addresses it identified with Russian intelligence services. [22] Wordfence analyzed the IP addresses as well as a PHP malware script provided by the Department of Homeland Security. In analyzing the source code, Wordfence discovered that the software used was P.A.S., version 3.1.0. It then found that the website that manufactures the malware had a site country code indicating that it is Ukrainian. [Note this!–D.E.] The current version of the P.A.S. software is 4.1.1, which is much newer than that used in the DNC hack, and the latest version has changed ‘quite substantially.’ Wordfence notes that not only is the software ‘commonly available,’ but also that it would be reasonable to expect ‘Russian intelligence operatives to develop their own tools or at least use current malicious tools from outside sources.’ To put it plainly, Wordfence concludes that the malware sample ‘has no apparent relationship with Russian intelligence.’ . . .”
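Graham’s check of the published IP list against his own browser traffic, as an added example that is not code from this post or from any of the sources it quotes: a small triage routine compares an indicator list against a baseline of ordinary outbound traffic and flags indicators that fall inside shared public-service ranges, which is what makes such entries false-positive prone. Every range, address and log line below is constructed for the demonstration; the shared-service table stands in for whatever allow-list data a defender maintains.

```python
import ipaddress
from collections import Counter

# Constructed table of shared public-service ranges (documentation prefixes,
# not real assignments). A defender would populate this from their own
# allow-list data for CDNs, mail providers, Tor exit lists and the like.
SHARED_SERVICE_RANGES = {
    "cdn-example": ipaddress.ip_network("203.0.113.0/24"),
    "mail-example": ipaddress.ip_network("198.51.100.0/25"),
}

# Constructed stand-in for a published indicator feed: a mix of addresses that
# sit inside shared service ranges and addresses that do not.
PUBLISHED_IOCS = [
    "203.0.113.7",      # inside cdn-example
    "198.51.100.42",    # inside mail-example
    "192.0.2.10",       # not in any shared range
    "192.0.2.11",       # not in any shared range
]

# Constructed proxy log from an ordinary workstation:
# timestamp, client IP, destination IP, method, URL, status.
BASELINE_LOG = """\
2017-01-03T10:01:02Z 10.0.0.5 203.0.113.7 GET https://cdn.example/js/app.js 200
2017-01-03T10:01:05Z 10.0.0.5 198.51.100.42 GET https://mail.example/inbox 200
2017-01-03T10:02:11Z 10.0.0.5 203.0.113.9 GET https://cdn.example/css/site.css 200
2017-01-03T10:03:40Z 10.0.0.5 192.0.2.10 GET http://192.0.2.10/x.php 200
"""


def classify_ioc(ip):
    """Return the shared-service label an indicator falls under, or None."""
    addr = ipaddress.ip_address(ip)
    for label, net in SHARED_SERVICE_RANGES.items():
        if addr in net:
            return label
    return None


def parse_baseline(text):
    """Count destination IPs (third whitespace-separated field) in the baseline log."""
    dests = Counter()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        dests[parts[2]] += 1
    return dests


def triage_iocs(iocs, log_text):
    """For each indicator, record baseline hits, shared-service membership and a verdict.

    false-positive-prone: benign traffic already touches it and it is shared infrastructure
    investigate:          benign baseline touched a dedicated (non-shared) indicator
    low-confidence:       shared infrastructure, no baseline hit yet
    usable:               dedicated indicator with no baseline hit
    """
    dests = parse_baseline(log_text)
    report = {}
    for ip in iocs:
        shared = classify_ioc(ip)
        hits = dests.get(ip, 0)
        if hits and shared:
            verdict = "false-positive-prone"
        elif hits:
            verdict = "investigate"
        elif shared:
            verdict = "low-confidence"
        else:
            verdict = "usable"
        report[ip] = {"hits": hits, "shared_service": shared, "verdict": verdict}
    return report


def summarize(report):
    """Count indicators per verdict so the quality of the whole feed is visible at a glance."""
    return dict(Counter(info["verdict"] for info in report.values()))


if __name__ == "__main__":
    result = triage_iocs(PUBLISHED_IOCS, BASELINE_LOG)
    for ip, info in result.items():
        print(f"{ip:15} hits={info['hits']} shared={info['shared_service']} -> {info['verdict']}")
    print(summarize(result))
```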

The program concludes with a frightening piece of legislation signed into law by Barack Obama in December. It is an ominous portent of the use of government and military power to suppress dissenting views as being “Russian” propaganda tools! “. . . . The new law is remarkable for a number of reasons, not the least because it merges a new McCarthyism about purported dissemination of Russian ‘propaganda’ on the Internet with a new Orwellianism by creating a kind of Ministry of Truth – or Global Engagement Center – to protect the American people from ‘foreign propaganda and disinformation.’ . . . As part of the effort to detect and defeat these unwanted narratives, the law authorizes the Center to: ‘Facilitate the use of a wide range of technologies and techniques by sharing expertise among Federal departments and agencies, seeking expertise from external sources, and implementing best practices.’ (This section is an apparent reference to proposals that Google, Facebook and other technology companies find ways to block or brand certain Internet sites as purveyors of ‘Russian propaganda’ or ‘fake news.’) . . .”

Program Highlights Include:

  • Review of key points pointing to the milieu of the OUN/B in Ukraine in the generation of the “Russia did it” meme. Note similarities between: the PropOrNot list of supposed “Russian” fake news outlets, the list of “Russian” journalists and websites and the Global Engagement Center created by Obama in the waning days of his administration.
  • The “PropOrNot” group quoted in a Washington Post story tagging media outlets, websites and blogs as “Russian/Kremlin stooges/propaganda tools/agents” is linked to the OUN/B heirs now in power in Ukraine. “. . . One PropOrNot tweet, dated November 17, invokes a 1940s Ukrainian fascist salute ‘Heroiam Slava!!’ [17] to cheer a news item on Ukrainian hackers fighting Russians. The phrase means ‘Glory to the heroes’ and it was formally introduced by the fascist Organization of Ukrainian Nationalists (OUN) at their March-April 1941 congress in Nazi-occupied Cracow, as they prepared to serve as Nazi auxiliaries in Operation Barbarossa. . . . ‘the OUN-B introduced another Ukrainian fascist salute at the Second Great Congress of the Ukrainian Nationalists in Cracow in March and April 1941. This was the most popular Ukrainian fascist salute and had to be performed according to the instructions of the OUN-B leadership by raising the right arm ‘slightly to the right, slightly above the peak of the head’ while calling ‘Glory to Ukraine!’ (Slava Ukraїni!) and responding ‘Glory to the Heroes!’ (Heroiam Slava!). . . .”
  • The OUN/B heirs ruling Ukraine compiled a list of journalists who were “Russian/Kremlin stooges/propaganda tools/agents,” including personal data and contact information (like that made public in the WikiLeaks data dump of DNC e-mails). This list was compiled by the Ukrainian intelligence service, interior ministry and–ahem–hackers: “. . . . One of the more frightening policies enacted by the current oligarch-nationalist regime in Kiev is an online blacklist [42] of journalists accused of collaborating with pro-Russian ‘terrorists.’ [43] The website, ‘Myrotvorets’ [43] or ‘Peacemaker’—was set up by Ukrainian hackers working with state intelligence and police, all of which tend to share the same ultranationalist ideologies as Parubiy and the newly-appointed neo-Nazi chief of the National Police. . . . Ukraine’s journalist blacklist website—operated by Ukrainian hackers working with state intelligence—led to a rash of death threats against the doxxed journalists, whose email addresses, phone numbers and other private information were posted anonymously to the website. Many of these threats came with the wartime Ukrainian fascist salute: ‘Slava Ukraini!’ [Glory to Ukraine!] So when PropOrNot’s anonymous ‘researchers’ reveal only their Ukrainian(s) identity, it’s hard not to think about the spy-linked hackers who posted the deadly ‘Myrotvorets’ blacklist of ‘treasonous’ journalists. . . .”
  • A Ukrainian activist named Alexandra Chalupa has been instrumental in distributing the “Russia did it” disinformation to Hillary Clinton and influencing the progress of the disinformation in the media. “. . . . One of the key media sources [46] who blamed the DNC hacks on Russia, ramping up fears of crypto-Putinist infiltration, is a Ukrainian-American lobbyist working for the DNC. She is Alexandra Chalupa—described as the head of the Democratic National Committee’s opposition research on Russia and on Trump, and founder and president of the Ukrainian lobby group ‘US United With Ukraine Coalition’ [47], which lobbied hard to pass a 2014 bill increasing loans and military aid to Ukraine, imposing sanctions on Russians, and tightly aligning US and Ukraine geostrategic interests. . . . In one leaked DNC email [50] earlier this year, Chalupa boasts to DNC Communications Director Luis Miranda that she brought Isikoff to a US-government sponsored Washington event featuring 68 Ukrainian journalists, where Chalupa was invited ‘to speak specifically about Paul Manafort.’ In turn, Isikoff named her as the key inside source [46] ‘proving’ that the Russians were behind the hacks, and that Trump’s campaign was under the spell of Kremlin spies and sorcerers. . . .”

1a. An interesting piece by Dr. Sandro Gaycken, a Berlin-based former ‘hacktivist’ who now advises NATO and the German government on cyber-security matters, makes the case that the evidence implicating Russia was very much the type of evidence a talented team could spoof. He also notes that some of the tools used in the hack were the same used last year when Angela Merkel’s computer was hacked and used to infect other computers at the Bundestag. That hack was also blamed on Russian hackers. But, again, as the article below points out, when the evidence for who is responsible is highly spoofable, confidently assigning blame is almost too easy.

Dr. Gaycken’s observations will be expanded upon in material presented later in the program.

“Blaming Russia For the DNC Hack Is Almost Too Easy” by Dr. Sandro Gaycken; Council on Foreign Relations Blog; 8/01/2016.

Dr. Sandro Gaycken is the Director of the Digital Society Institute, a former hacktivist, and a strategic advisor to NATO, some German DAX companies and the German government on cyber matters.

The hack of the Democratic National Committee (DNC) definitely looks Russian. The evidence is compelling. The tools used in the incident appeared in previous cases of alleged Russian espionage, some of which appeared in the German Bundestag hack. The attackers, dubbed Cozy Bear and Fancy Bear, have been known for years and have long been rumored to have a Russian connection. Other indicators such as IP addresses, language and location settings in the documents’ metadata and code compilation point to Russia. The Kremlin is also known to practice influence operations, and a leak before the Democrats’ convention fits that profile as does laundering the information through a third party like Wikileaks. Finally, the cui bono makes sense as well; Russia may favor Donald Trump given his Putin-friendly statements and his views on NATO.

Altogether, it looks like a clean-cut case. But before accusing a nuclear power like Russia of interfering in a U.S. election, these arguments should be thoroughly and skeptically scrutinized.

A critical look exposes the significant flaws in the attribution. First, all of the technical evidence can be spoofed. Although some argue that spoofing the mound of uncovered evidence is too much work, it can easily be done by a small team of good attackers in three or four days. Second, the tools used by Cozy Bear appeared on the black market when they were first discovered years ago and have been recycled and used against many other targets, including against German industry. The reuse and fine-tuning of existing malware happens all the time. Third, the language, location settings, and compilation metadata can easily be altered by changing basic settings on the attacker’s computer in five minutes without the need of special knowledge. None of the technical evidence is convincing. It would only be convincing if the attackers used entirely novel, unique, and sophisticated tools with unmistakable indicators pointing to Russia supported by human intelligence, not by malware analysis.

The DNC attackers also had very poor, almost comical, operational security (OPSEC). State actors tend to have a quality assurance review when developing cyberattack tools to minimize the risk of discovery and leaving obvious crumbs behind. Russian intelligence services are especially good. They are highly capable, tactically and strategically agile, and rational. They ensure that offensive tools are tailored and proportionate to the signal they want to send, the possibility of disclosure and public perception, and the odds of escalation. The shoddy OPSEC just doesn’t fit what we know about Russian intelligence.

The claim that Guccifer 2.0 is a Russian false flag operation may not hold up either. If Russia wanted to cover up the fact it had hacked the DNC, why create a pseudonym that could only attract more attention and publish emails? Dumping a trove of documents all at once is less valuable than cherry picking the most damaging information and strategically leaking it in a crafted and targeted fashion, as the FSB, SVR or GRU have probably done in the past. Also, leaking to Wikileaks isn’t hard. They have a submission form.

Given these arguments, blaming Russia is not a slam dunk. Why would a country with some of the best intelligence services in the world commit a whole series of really stupid mistakes in a highly sensitive operation? Why pick a target that has a strong chance of leading to escalatory activity when Russia is known to prefer incremental actions over drastic ones? Why go through the trouble of a false flag when doing nothing would have been arguably better? Lastly, how does Russia benefit from publicly backing Donald Trump given that Republicans have been skeptical of improving relations?

The evidence and information in the public domain strongly suggests Russia was behind the DNC hack, even though Russian intelligence services would have had the choice of not making it so clear cut given what we know about their tools, tactics, procedures, and thinking.

The DNC hack leads to at least four “what if” questions, each with its own significant policy consequences. First, if Russia had poor operational security and misjudged its target, it needs to be educated about the sensitivity of certain targets in its favorite adversary countries to avoid a repeat of this disaster. Second, if Russia deliberately hacked the DNC to leak confidential information, it would represent a strategic escalation on behalf of the Kremlin and the world would need to prepare for difficult times ahead. Third, if the breach and leak were perpetrated by a bunch of random activists using the pseudonym “Guccifer 2.0”, it would be the first instance of non-state actors succeeding in creating a global incident with severe strategic implications, demanding more control of such entities and a much better design of escalatory processes among nations. Finally, it is entirely possible that this was a false flag operation by an unknown third party to escalate tensions between nuclear superpowers. If this is the case, this party has to be uncovered. . . .

1b. The joint CIA/FBI/NSA declassified version of the Intelligence Report on Russian hacking came out. There is no substantive detail in the report:

“ . . . . To summarize, the report says that the CIA, FBI, and National Security Agency believe that Russian hackers—directed ultimately by Vladimir Putin—hacked email accounts belonging to the Democratic National Committee and to Clinton campaign chairman John Podesta and then passed the material they obtained on to WikiLeaks through a third party. This was done, the report asserts, because the Russians believed that Donald Trump would be friendlier to their country’s interests, as president, than Hillary Clinton. And … that’s about it. Not counting intro pages or appendices, the report is five pages long and does not include any description of the actual evidence that Russian actors were responsible for the DNC/Podesta hacks (an assertion that’s supported by publicly available evidence analyzed by third parties) or the assertion that Putin ultimately directed the release of hacked material in order to help elect Donald Trump (an assertion that’s harder to verify independently). . . . .”

Five pages of no evidence. Altogether unconvincing.

The charge that Russian government actors were responsible for the DNC/Podesta hacks is … an assertion that’s supported by publicly available evidence analyzed by third parties.

We note that the evidence that the John Podesta spearphishing campaign was part of a broader attack against the DNC is, like so much evidence in this case, based on the inexplicable and massive security mistake made by the hackers when they left the Bitly profile used to execute their spearphishing attack open to the public, so that everyone in the world could see that these hackers had set up special spearphishing attacks against a large number of Democratic officials. One of many inexplicable and massive security mistakes that these Russian hackers made.

“The Declassified Intelligence Report on Russian Hacking Tells Us Very Little We Don’t Already Know” by Ben Mathis-Lilley; Slate; 1/06/2017.

On Thursday, Director of National Intelligence James Clapper told the Senate Armed Services Committee that an unclassified version of a joint “intelligence community” report about Russian hacking would be released next week. Said report was in fact posted online this afternoon, and after reading it, the “Friday news dump” timing makes sense: The top-line takeaways in the document are mostly conclusions that have already been leaked or discussed publicly by figures such as Clapper himself. Moreover, since the release is an unclassified version of a report that presumably involves material obtained through intelligence-gathering operations that are still active, no information about the “sources and methods” supporting its conclusions is included.

To summarize, the report says that the CIA, FBI, and National Security Agency believe that Russian hackers—directed ultimately by Vladimir Putin—hacked email accounts belonging to the Democratic National Committee and to Clinton campaign chairman John Podesta and then passed the material they obtained on to WikiLeaks through a third party. This was done, the report asserts, because the Russians believed that Donald Trump would be friendlier to their country’s interests, as president, than Hillary Clinton. And … that’s about it. Not counting intro pages or appendices, the report is five pages long and does not include any description of the actual evidence that Russian actors were responsible for the DNC/Podesta hacks (an assertion that’s supported by publicly available evidence analyzed by third parties) or the assertion that Putin ultimately directed the release of hacked material in order to help elect Donald Trump (an assertion that’s harder to verify independently).

The report’s final paragraph does involve what I believe is a new, ominous tidbit about ongoing hack attempts:

Immediately after Election Day, we assess Russian intelligence began a spearphishing campaign targeting US Government employees and individuals associated with US think tanks and NGOs in national security, defense, and foreign policy fields. This campaign could provide material for future influence efforts as well as foreign intelligence collection on the incoming administration’s goals and plans.

In other words: More fun times ahead!

2a. One of many remarkable aspects of this investigation, and one which argues strongly against Russia being the culprit, concerns the fact that the hackers used Bitly technology that enabled the whole world to see what they were doing!

“How Hackers Broke Into John Podesta and Colin Powell’s Gmail Accounts” by Lorenzo Franceschi-Bicchierai; Vice Motherboard; 10/30/2016.

. . . . SecureWorks was tracking known Fancy Bear command and control domains. One of these led to a Bitly shortlink, which led to the Bitly account, which led to the thousands of Bitly URLs that were later connected to a variety of attacks, including on the Clinton campaign. With this privileged point of view, for example, the researchers saw Fancy Bear using 213 short links targeting 108 email addresses on the hillaryclinton.com domain, as the company explained in a somewhat overlooked report earlier this summer, and as BuzzFeed reported last week.

Using Bitly allowed “third parties to see their entire campaign including all their targets— something you’d want to keep secret,” Tom Finney, a researcher at SecureWorks, told Motherboard.

It was one of Fancy Bear’s “gravest mistakes,” as Thomas Rid, a professor at King’s College who has closely studied the case, put it in a new piece published on Thursday in Esquire, as it gave researchers unprecedented visibility into the activities of Fancy Bear, linking different parts of its larger campaign together. . . .

2b. The hack of John Podesta’s e-mail, alleged to have been performed by Russia, originated with a phishing attack from Ukraine.

Although it may not be significant, the hack into Clinton campaign manager John D. Podesta’s gmail account originated with Ukraine.

NB: such information can be easily spoofed by a skilled hacker.

“The Phishing Email that Hacked the Account of John Podesta;” CBS News; 10/28/2016.

This appears to be the phishing email that hacked Clinton campaign chairman John Podesta’s Gmail account. Further, the Clinton campaign’s own computer help desk thought it was a real email sent by Google, even though the email address had a suspicious “googlemail.com” extension. . . .

. . . . The email, with the subject line “*Someone has your password,*” greeted Podesta, “Hi John” and then said, “Someone just used your password to try to sign into your Google Account john.podesta@gmail.com.” Then it offered a time stamp and an IP address in “Location: Ukraine.” . . .

3. It should be noted that while this report is signed off on by the CIA, NSA, and FBI, the FBI never examined the DNC’s hacked server. Instead, according to the DNC, the job was outsourced to CrowdStrike!

Neither the FBI, nor any other U.S. government entity has run an independent forensic analysis on the system!

“ . . . Six months after the FBI first said it was investigating the hack of the Democratic National Committee’s computer network, the bureau has still not requested access to the hacked servers, a DNC spokesman said. No US government entity has run an independent forensic analysis on the system, one US intelligence official told BuzzFeed News. . . . The FBI has instead relied on computer forensics from a third-party tech security company, CrowdStrike, which first determined in May of last year that the DNC’s servers had been infiltrated by Russia-linked hackers, the U.S. intelligence official told BuzzFeed News. . . ‘CrowdStrike is pretty good. There’s no reason to believe that anything that they have concluded is not accurate,’ the intelligence official said, adding they were confident Russia was behind the widespread hacks. . . It’s unclear why the FBI didn’t request access to the DNC servers, and whether it’s common practice when the bureau investigates the cyberattacks against private entities by state actors, like when the Sony Corporation was hacked by North Korea in 2014. BuzzFeed News spoke to three cybersecurity companies who have worked on major breaches in the last 15 months, who said that it was ‘par for the course’ for the FBI to do their own forensic research into the hacks. None wanted to comment on the record on another cybersecurity company’s work, or the work being done by a national security agency. . . .”

“The FBI Never Asked For Access To Hacked Computer Servers” by Ali Watkins; BuzzFeed; 1/4/2017.

The Democratic National Committee tells BuzzFeed News that the bureau “never requested access” to the servers the White House and intelligence community say were hacked by Russia.

The FBI did not examine the servers of the Democratic National Committee before issuing a report attributing the sweeping cyberintrusion to Russia-backed hackers, BuzzFeed News has learned.

Six months after the FBI first said it was investigating the hack of the Democratic National Committee’s computer network, the bureau has still not requested access to the hacked servers, a DNC spokesman said. No US government entity has run an independent forensic analysis on the system, one US intelligence official told BuzzFeed News.

“The DNC had several meetings with representatives of the FBI’s Cyber Division and its Washington (DC) Field Office, the Department of Justice’s National Security Division, and U.S. Attorney’s Offices, and it responded to a variety of requests for cooperation, but the FBI never requested access to the DNC’s computer servers,” Eric Walker, the DNC’s deputy communications director, told BuzzFeed News in an email.

The FBI has instead relied on computer forensics from a third-party tech security company, CrowdStrike, which first determined in May of last year that the DNC’s servers had been infiltrated by Russia-linked hackers, the U.S. intelligence official told BuzzFeed News.

“CrowdStrike is pretty good. There’s no reason to believe that anything that they have concluded is not accurate,” the intelligence official said, adding they were confident Russia was behind the widespread hacks.

The FBI declined to comment.

“Beginning at the time the intrusion was discovered by the DNC, the DNC cooperated fully with the FBI and its investigation, providing access to all of the information uncovered by CrowdStrike — without any limits,” said Walker, whose emails were stolen and subsequently distributed throughout the cyberattack.

It’s unclear why the FBI didn’t request access to the DNC servers, and whether it’s common practice when the bureau investigates the cyberattacks against private entities by state actors, like when the Sony Corporation was hacked by North Korea in 2014.

BuzzFeed News spoke to three cybersecurity companies who have worked on major breaches in the last 15 months, who said that it was “par for the course” for the FBI to do their own forensic research into the hacks. None wanted to comment on the record on another cybersecurity company’s work, or the work being done by a national security agency. . . .

4. The FBI claims that the DNC denied them access to the servers! “ . . . . The FBI struck back at the Democratic National Committee on Thursday, accusing it of denying federal investigators access to its computer systems and hamstringing its investigation into the infiltration of DNC servers by Russia-backed hackers. ‘The FBI repeatedly stressed to DNC officials the necessity of obtaining direct access to servers and data, only to be rebuffed until well after the initial compromise had been mitigated. This left the FBI no choice but to rely upon a third party for information,’ a senior law enforcement official told BuzzFeed News in a statement. ‘These actions caused significant delays and inhibited the FBI from addressing the intrusion earlier.’ . . . The warring statements are the latest twists in an extraordinary standoff between the Democrats and federal investigators that reached a fever pitch over the bureau’s probe into Democratic nominee Hillary Clinton’s private email server. . . . The FBI announced it was investigating the hack of the DNC’s servers in July, after a third-party computer security firm, Crowdstrike, said it had evidence of Kremlin-backed hackers infiltrating its system. . . .”

Note the ambiguity in the FBI’s statement. It’s not saying that the DNC rebuffed the FBI forever. It said the DNC rebuffed the FBI “until well after the initial compromise had been mitigated”. And the initial compromise was presumably “mitigated” by May of 2016, since that’s as far as the leaked emails go up to. So has the FBI, or any other government agency, requested access to the DNC servers after that point? How about since the election? If that request hasn’t been made, that adds to the strangeness of the affair.

“The FBI Now Says Democrats Were Behind Hack Investigation Delay” by Ali Watkins; BuzzFeed; 1/5/2017.

The Democratic National Committee refused to give FBI investigators access to their hacked servers, according to an FBI statement, a conclusion the president-elect was quick to embrace.

The FBI struck back at the Democratic National Committee on Thursday, accusing it of denying federal investigators access to its computer systems and hamstringing its investigation into the infiltration of DNC servers by Russia-backed hackers.

“The FBI repeatedly stressed to DNC officials the necessity of obtaining direct access to servers and data, only to be rebuffed until well after the initial compromise had been mitigated. This left the FBI no choice but to rely upon a third party for information,” a senior law enforcement official told BuzzFeed News in a statement. “These actions caused significant delays and inhibited the FBI from addressing the intrusion earlier.”

The DNC said the FBI had never asked for access to their hacked servers, BuzzFeed News reported on Wednesday.

A DNC source familiar with the investigation tried to downplay that report on Thursday, hours before the FBI statement was issued. The fact that the FBI didn’t have direct access to the servers was not “significant,” the source said.

“I just don’t think that that’s really material or an important thing,” the source continued. “They had what they needed. There are always haters out here.”

The DNC source also brushed off the idea that it was the DNC that refused to let FBI access the server. When BuzzFeed News attempted to reach the official after the FBI statement came out, he declined to comment.

The warring statements are the latest twists in an extraordinary standoff between the Democrats and federal investigators that reached a fever pitch over the bureau’s probe into Democratic nominee Hillary Clinton’s private email server. That investigation saw FBI Director James Comey break long-standing tradition against potentially influencing elections, issuing a public letter to Congress 10 days before the election announcing potential new evidence in the case. The review ended with the FBI maintaining its July conclusion that Clinton should not face criminal charges, a fact that was declared only two days before polls opened. The timing fueled speculation over Clinton’s potential wrongdoing and tipped the scales in Trump’s favor, Democrats say.

The FBI announced it was investigating the hack of the DNC’s servers in July, after a third-party computer security firm, Crowdstrike, said it had evidence of Kremlin-backed hackers infiltrating its system. That hack — which federal officials have formally attributed to Russian hackers cleared by senior Russian officials — and subsequent release of stolen emails was part of a broader effort by Russia to influence the US election and push Donald Trump into the White House, according to FBI and CIA analysis.

A US intelligence official, requesting anonymity to discuss the investigation, said that because the FBI did not have access to the DNC servers, investigators had been forced to rely on computer forensics from the Crowdstrike analysis. Crowdstrike was originally hired by the DNC to investigate the hacks in the spring of 2016.

In a statement sent to BuzzFeed News Wednesday, the DNC said it cooperated fully with the FBI investigation and shared all of the Crowdstrike information with the FBI.

The DNC declined to comment on the FBI’s statement.

The FBI and the Department of Homeland Security, in a report released in the last week of December, publicly accused Russia of being behind the sweeping cyberattacks. The White House subsequently expelled 35 Russian diplomats from the US, issued sanctions against Russian intelligence officials, and cut off access to two Russian diplomatic facilities in the US.

A separate report on the widespread Russian influence operation, compiled by the Director of National Intelligence, was briefed to the White House on Thursday. A declassified version is expected to be publicly released on Monday.

5. The DNC responded to the FBI’s counter-assertion by reasserting that it’s giving the FBI full access to whatever it requested. If there’s a problem with the FBI getting access to that server, it’s a problem between the FBI and Crowdstrike:

“ . . . The FBI had previously told lawmakers on the Hill that the DNC had not allowed federal investigators to access their servers. After BuzzFeed News reported on Wednesday that the DNC claimed FBI agents had never asked for the servers, congressional officials pressured the FBI for answers. A senior law enforcement official issued a public statement on the matter Thursday night. ‘Someone is lying their ass off,’ a US intelligence official said of the warring statements. But officials with the DNC still assert they’ve ‘cooperated with the FBI 150%. They’ve had access to anything they want. Anything that they desire. Anything they’ve asked, we’ve cooperated,’ the DNC official said. ‘If anybody contradicts that it’s between Crowdstrike and the FBI.’ . . . ”

“ . . . . Without direct access to the computer network, another US intelligence official told BuzzFeed, federal investigators had been forced to rely on the findings of the private cybersecurity firm Crowdstrike for computer forensics. From May through August of 2016, the Democratic National Committee paid Crowdstrike $267,807 dollars for maintenance, data services and consulting, among other things, according to federal records. . . .”

“DNC: That Fight With FBI Over Hacked Servers Was All A Misunderstanding” by Ali Watkins; BuzzFeed; 1/6/2017.

The Democratic National Committee downplayed its public spat with the FBI on Friday over why federal investigators did not independently examine their servers breached by Russian cyberspies, saying it was a misunderstanding that didn’t have anything to do with lingering political tensions between the two. “There’s no fight between the Bureau and the DNC,” a high-level DNC official told BuzzFeed News, requesting anonymity to discuss the investigation. “I don’t know how this has happened, I don’t know where this is coming from.”

The FBI announced in July it was investigating a sweeping cyberattack against the DNC, later attributed to Russia-backed hackers. That intrusion, and subsequent release of stolen DNC emails, was part of a broader Kremlin-directed effort to undermine the US election, smearing Democrats and bolstering Donald Trump, according to an intelligence assessment released Friday.

The FBI’s investigation of the hack, launched in July, came under sharp scrutiny Wednesday after BuzzFeed News revealed that the FBI had never had direct access to the committee’s hacked servers, and that no US Government entity had yet run an independent forensic analysis on the system. Instead, federal investigators had relied on computer forensics from a third-party DNC contractor, Crowdstrike.

“How and why are they so sure about hacking if they never even requested an examination of the computer servers?” President-elect Donald Trump tweeted on Thursday about the scandal. “What is going on?”

A spokesman for the DNC did not respond when asked what had led to the communications breakdown between their organization and the FBI by Friday night. The FBI did not respond to a request for comment.

The DNC said Wednesday that the FBI had never asked for access to the servers. On Thursday, in a stunning counterpunch, the FBI said it had not only asked, but had consistently and repeatedly been denied access by DNC officials, who the bureau said had “inhibited” the investigation.

It was a startling twist in a tense storyline that’s emerged between the DNC and the FBI, who top Democrats say torpedoed Hillary Clinton’s presidential prospects by mishandling its wholly separate investigation into the Democratic presidential nominee’s use of a private email server while she was Secretary of State.

The FBI had previously told lawmakers on the Hill that the DNC had not allowed federal investigators to access their servers. After BuzzFeed News reported on Wednesday that the DNC claimed FBI agents had never asked for the servers, congressional officials pressured the FBI for answers. A senior law enforcement official issued a public statement on the matter Thursday night.

“Someone is lying their ass off,” a US intelligence official said of the warring statements.

But officials with the DNC still assert they’ve “cooperated with the FBI 150%.”

“They’ve had access to anything they want. Anything that they desire. Anything they’ve asked, we’ve cooperated,” the DNC official said. “If anybody contradicts that it’s between Crowdstrike and the FBI.”

DNC officials planned to reach out to the FBI Friday to try and clarify both institutions’ positions, the official said.

Without direct access to the computer network, another US intelligence official told BuzzFeed, federal investigators had been forced to rely on the findings of the private cybersecurity firm Crowdstrike for computer forensics. From May through August of 2016, the Democratic National Committee paid Crowdstrike $267,807 dollars for maintenance, data services and consulting, among other things, according to federal records. . . .

6. A key element of analysis is an important article in The Nation by James Carden. This story points out that a number of cyber-security experts are skeptical of the official findings.

Furthermore, the story points out that Crowdstrike is headed by Dmitri Alperovitch, a senior fellow at the Atlantic Council, which is funded, in part, by the State Department, NATO, Lithuania, Latvia, the Ukrainian World Congress and Ukrainian oligarch Victor Pinchuk!

“ . . . . Yet despite the scores of breathless media pieces that assert that Russia’s interference in the election is ‘case closed,’ might some skepticism be in order? Some cyber experts say ‘yes.’ . . . Cyber-security experts have also weighed in. The security editor at Ars Technica observed that ‘Instead of providing smoking guns that the Russian government was behind specific hacks,’ the government report ‘largely restates previous private sector claims without providing any support for their validity.’ Robert M. Lee of the cyber-security company Dragos noted that the report ‘reads like a poorly done vendor intelligence report stringing together various aspects of attribution without evidence.’ Cybersecurity consultant Jeffrey Carr noted that the report ‘merely listed every threat group ever reported on by a commercial cybersecurity company that is suspected of being Russian-made and lumped them under the heading of Russian Intelligence Services (RIS) without providing any supporting evidence that such a connection exists.’ . . .”

“In this respect, it is worth noting that one of the commercial cybersecurity companies the government has relied on is Crowdstrike, which was one of the companies initially brought in by the DNC to investigate the alleged hacks.”

“ . . . . Dmitri Alperovitch is also a senior fellow at the Atlantic Council. . . . The connection between [Crowdstrike co-founder and chief technology officer Dmitri] Alperovitch and the Atlantic Council has gone largely unremarked upon, but it is relevant given that the Atlantic Council—which is funded in part by the US State Department, NATO, the governments of Latvia and Lithuania, the Ukrainian World Congress, and the Ukrainian oligarch Victor Pinchuk—has been among the loudest voices calling for a new Cold War with Russia. As I pointed out in the pages of The Nation in November, the Atlantic Council has spent the past several years producing some of the most virulent specimens of the new Cold War propaganda. . . .

“Is Skepticism Treason?” by James Carden; The Nation; 1/3/2017.

Despite the scores of media pieces which assert that Russia’s interference in the election is “case closed,” some cyber experts say skepticism is still in order.

The final days of 2016 were filled with more developments—some real, some not—in the ongoing story of Russia’s alleged interference in the US presidential election. On December 29, the FBI and the Department of Homeland Security released a joint report that provided “technical details regarding the tools and infrastructure used by the Russian civilian and military intelligence Services (RIS) to compromise and exploit networks and endpoints associated with the U.S. election.”

In retaliation, the Obama administration announced that it was expelling 35 Russian diplomats, closing 2 diplomatic compounds in Maryland and New York, and applying sanctions on Russia’s intelligence service. A day later, December 30, The Washington Post reported that an electrical utility in Vermont had been infiltrated by the same Russian malware that was used to hack the DNC.

Taken together, these events set off a wave of media condemnation not just of the Russian government, but of President-elect Donald J. Trump for what is widely believed to be his overly accommodative posture toward Russian President Vladimir Putin.

Yet despite the scores of breathless media pieces that assert that Russia’s interference in the election is “case closed,” might some skepticism be in order? Some cyber experts say “yes.”

As was quickly pointed out by the Burlington Free Press, The Washington Post’s story on the Vermont power grid was inaccurate. The malware was detected on a laptop that belonged to the utility but was not connected to the power plant. “The grid is not in danger,” said a spokesman for the Burlington utility. The Post has since amended its story with an editor’s note (as it did when its November 24 story on Russian “fake news” by reporter Craig Timberg was widely refuted) dialing back its original claims of Russian infiltration.

Cyber-security experts have also weighed in. The security editor at Ars Technica observed that “Instead of providing smoking guns that the Russian government was behind specific hacks,” the government report “largely restates previous private sector claims without providing any support for their validity.” Robert M. Lee of the cyber-security company Dragos noted that the report “reads like a poorly done vendor intelligence report stringing together various aspects of attribution without evidence.” Cybersecurity consultant Jeffrey Carr noted that the report “merely listed every threat group ever reported on by a commercial cybersecurity company that is suspected of being Russian-made and lumped them under the heading of Russian Intelligence Services (RIS) without providing any supporting evidence that such a connection exists.”

In this respect, it is worth noting that one of the commercial cybersecurity companies the government has relied on is Crowdstrike, which was one of the companies initially brought in by the DNC to investigate the alleged hacks.

In late December, Crowdstrike released a largely debunked report claiming that the same Russian malware that was used to hack the DNC has been used by Russian intelligence to target Ukrainian artillery positions. Crowdstrike’s co-founder and chief technology officer, Dmitri Alperovitch, told PBS, “Ukraine’s artillery men were targeted by the same hackers…that targeted DNC, but this time they were targeting cellphones [belonging to the Ukrainian artillery men] to try to understand their location so that the Russian artillery forces can actually target them in the open battle.”

Dmitri Alperovitch is also a senior fellow at the Atlantic Council.

The con­nec­tion between Alper­ovitch and the Atlantic Coun­cil has gone large­ly unre­marked upon, but it is rel­e­vant giv­en that the Atlantic Council—which is is fund­ed in part by the US State Depart­ment, NATO, the gov­ern­ments of Latvia and Lithua­nia, the Ukrain­ian World Con­gress, and the Ukrain­ian oli­garch Vic­tor Pinchuk—has been among the loud­est voic­es call­ing for a new Cold War with Rus­sia. As I point­ed out in the pages of The Nation in Novem­ber, the Atlantic Coun­cil has spent the past sev­er­al years pro­duc­ing some of the most vir­u­lent spec­i­mens of the new Cold War pro­pa­gan­da.

It would seem then that a healthy amount of skep­ti­cism toward a gov­ern­ment report that relied, in part, on the find­ings of pri­vate-sec­tor cyber secu­ri­ty com­pa­nies like Crowd­strike might be in order. And yet skep­tics have found them­selves in the unen­vi­able posi­tion of being accused of being Krem­lin apol­o­gists, or worse.

7. The OUN/B milieu in the U.S. has apparently been instrumental in generating the “Russia did it” disinformation about the high-profile hacks. In the Alternet.org article, Mark Ames highlights several points:

“The Anonymous Blacklist promoted by the Washington Post Has Apparent Ties to Ukrainian Fascism and CIA Spying” by Mark Ames; Alternet.org; 12/7/2016.

  • The “PropOrNot” group quoted in a Washington Post story tagging media outlets, websites and blogs as “Russian/Kremlin stooges/propaganda tools/agents” is linked to the OUN/B heirs now in power in Ukraine. “ . . . One PropOrNot tweet, dated November 17, invokes a 1940s Ukrainian fascist salute “Heroiam Slava!!” [17] to cheer a news item on Ukrainian hackers fighting Russians. The phrase means “Glory to the heroes” and it was formally introduced by the fascist Organization of Ukrainian Nationalists (OUN) at their March-April 1941 congress in Nazi occupied Cracow, as they prepared to serve as Nazi auxiliaries in Operation Barbarossa. . . . ‘the OUN-B introduced another Ukrainian fascist salute at the Second Great Congress of the Ukrainian Nationalists in Cracow in March and April 1941. This was the most popular Ukrainian fascist salute and had to be performed according to the instructions of the OUN-B leadership by raising the right arm ‘slightly to the right, slightly above the peak of the head’ while calling ‘Glory to Ukraine!’ (Slava Ukraїni!) and responding ‘Glory to the Heroes!’ (Heroiam Slava!). . . .”
  • The OUN/B heirs ruling Ukraine compiled a list of journalists who were “Russian/Kremlin stooges/propaganda tools/agents,” including personal data and contact information (like that made public in the WikiLeaks data dump of DNC e-mails). This list was compiled by the Ukrainian intelligence service, interior ministry and–ahem–hackers: “. . . . One of the more frightening policies enacted by the current oligarch-nationalist regime in Kiev is an online blacklist [42] of journalists accused of collaborating with pro-Russian ‘terrorists.’ [43] The website, ‘Myrotvorets’ [43] or ‘Peacemaker’—was set up by Ukrainian hackers working with state intelligence and police, all of which tend to share the same ultranationalist ideologies as Parubiy and the newly-appointed neo-Nazi chief of the National Police. . . . Ukraine’s journalist blacklist website—operated by Ukrainian hackers working with state intelligence—led to a rash of death threats against the doxxed journalists, whose email addresses, phone numbers and other private information were posted anonymously to the website. Many of these threats came with the wartime Ukrainian fascist salute: “Slava Ukraini!” [Glory to Ukraine!] So when PropOrNot’s anonymous “researchers” reveal only their Ukrainian(s) identity, it’s hard not to think about the spy-linked hackers who posted the deadly ‘Myrotvorets’ blacklist of “treasonous” journalists. . . .”
  • A Ukrainian activist named Alexandra Chalupa has been instrumental in distributing the “Russia did it” disinformation to Hillary Clinton and influencing the progress of the disinformation in the media. “ . . . . One of the key media sources [46] who blamed the DNC hacks on Russia, ramping up fears of crypto-Putinist infiltration, is a Ukrainian-American lobbyist working for the DNC. She is Alexandra Chalupa—described as the head of the Democratic National Committee’s opposition research on Russia and on Trump, and founder and president of the Ukrainian lobby group ‘US United With Ukraine Coalition’ [47], which lobbied hard to pass a 2014 bill increasing loans and military aid to Ukraine, imposing sanctions on Russians, and tightly aligning US and Ukraine geostrategic interests. . . . In one leaked DNC email [50] earlier this year, Chalupa boasts to DNC Communications Director Luis Miranda that she brought Isikoff to a US-government sponsored Washington event featuring 68 Ukrainian journalists, where Chalupa was invited ‘to speak specifically about Paul Manafort.’ In turn, Isikoff named her as the key inside source [46] ‘proving’ that the Russians were behind the hacks, and that Trump’s campaign was under the spell of Kremlin spies and sorcerers. . . .”

8a. There was an update back in December from the German government regarding its assessment of the 2015 Bundestag hacks (attributed to “Fancy Bear” and “Cozy Bear,” as mentioned in the Sandro Gaycken post above) that it attributed to APT28 and Russia: while it asserts the hacks did indeed take place, the leaked documents were later determined to be an insider leak (via Google translate).

“ . . . . According to the report, federal security authorities are convinced that hackers had not stolen the 2420 documents published by the Internet platform Wikileaks in early December. According to security circles, there was certainly no evidence that the material had been stolen in the cyber attack on the Bundestag in 2015. . . . ”

The Bundestagspolizei is still looking for the apparent leaker.

The WikiLeaks leak of documents from the DNC was alleged by former UK diplomat Craig Murray to have come from a dissatisfied DNC insider, who gave him the information from a thumb drive.

The situation vis-à-vis the hack of the Bundestag is strikingly similar.

“Wikileaks Source for Revelations in the Bundestag Suspects;” Frankfurter Allgemeine Politik; 12/17/2016.

After the publication of confidential files from the NSA investigation committee, the Bundestagspolizei is looking for the perpetrators in parliament, as the news magazine “Spiegel” reports. “A violation of secrecy and a special duty of secrecy” has been confirmed, a Bundestag spokesman told the magazine. Bundestag President Norbert Lammert (CDU) had approved the investigation against persons unknown. The German Bundestag is a separate police zone. According to the report, federal security authorities are convinced that hackers had not stolen the 2420 documents published by the Internet platform Wikileaks in early December. According to security circles, there was certainly no evidence that the material had been stolen in the cyber attack on the Bundestag in 2015.

“Spiegel” pointed out that the Wikileaks material covered 90 gigabytes, but only 16 gigabytes of data were stolen from the infiltrated Bundestag computers. The cyber attack apparently also affected no members of the Bundestag or employees from the environment of the NSA investigation committee.

The “Frankfurter Allgemeine Sonntagszeitung” had cited a high security officer a week ago with the words that there was “high plausibility” for the fact that the secrets published by Wikileaks were captured in the cyber attack on the Bundestag. Russian hackers are responsible for the attack. Also the committee chairman Patrick Sensburg (CDU) had not excluded a foreign hacker attack immediately after the publication of the documents.

According to WikiLeaks, the approximately 2400 documents come from various federal agencies such as the Bundesnachrichtendienst and the federal offices for constitutional protection and security in information technology. The documents are intended to provide evidence of cooperation between the US National Security Agency (NSA) and the BND.

8b. The monikers Fancy Bear and Cozy Bear have been applied to “APT 28” and “APT 29,” abbreviations standing for “advanced persistent threat.”

As the article below also points out, it’s entirely possible that “APT28” and “APT29” aren’t distinct entities at all. Why? Because the conclusion by firms like FireEye and Crowdstrike that there are two groups, “APT28” and “APT29”, that were leaving years of electronic trails from all their hacking activities isn’t based on any distinct “APT28” or “APT29” calling card. It’s based on the sets of hacking tools and infrastructure (like servers) used by these groups. And those tool sets used by APT28 and APT29 are readily available on the Dark Web and circulating among hacker communities, as was the infrastructure.

In other words, a wide variety of skilled hackers have access to the exact same hacking tools that were used by firms like FireEye and Crowdstrike to uniquely identify APT28/29, and to the same sets of compromised servers. Since so much of the rest of the evidence that was used to attribute the hacks to Russian hackers is based on readily spoofable information – like the Cyrillic characters in a hacked document or that the hacking tool set code appeared to be compiled during Moscow working hours…all spoofable evidence – the evidence used to attribute these hacks to Kremlin-backed hackers could have been spoofed by a wide variety of possible culprits.

“ . . . . Did the Russian government hack the DNC and feed documents to WikiLeaks? There are really two questions here: who hacked the DNC, and who released the DNC documents? These are not necessarily the same. An earlier intrusion into German parliament servers was blamed on the Russians, yet the release of documents to WikiLeaks is thought to have originated from an insider. [35] Had the Russians hacked into the DNC, it may have been to gather intelligence, while another actor released the documents. But it is far from certain that Russian intelligence services had anything to do with the intrusions. Julian Assange says that he did not receive the DNC documents from a nation-state. It has been pointed out that Russia could have used a third party to pass along the material. Fair enough, but former UK diplomat Craig Murray asserts: ‘I know who the source is… It’s from a Washington insider. It’s not from Russia.’ [We wonder if it might have been Tulsi Gabbard–D.E.] [36] . . . .”

“Did the Russians Really Hack the DNC?” by Gregory Elich; CounterPunch; 1/13/2017.

Russia, we are told, breached the servers of the Democratic National Committee (DNC), swiped emails and other documents, and released them to the public, to alter the outcome of the U.S. presidential election.

How substantial is the evidence backing these assertions?

Hired by the Democratic National Committee to investigate unusual network activity, the security firm Crowdstrike discovered two separate intrusions on DNC servers. Crowdstrike named the two intruders Cozy Bear and Fancy Bear, in an allusion to what it felt were Russian sources. According to Crowdstrike, “Their tradecraft is superb, operational security second to none,” and “both groups were constantly going back into the environment” to change code and methods and switch command and control channels.

On what basis did Crowdstrike attribute these breaches to Russian intelligence services? The security firm claims that the techniques used were similar to those deployed in past security hacking operations that have been attributed to the same actors, while the profile of previous victims “closely mirrors the strategic interests of the Russian government.” Furthermore, it appeared that the intruders were unaware of each other’s presence in the DNC system. “While you would virtually never see Western intelligence agencies going after the same target without de-confliction for fear of compromising each other’s operations,” Crowdstrike reports, “in Russia this is not an uncommon scenario.” [1]

Those may be indicators of Russian government culpability. But then again, perhaps not. Regarding the point about separate intruders, each operating independently of the other, that would seem to more likely indicate that the sources have nothing in common.

Each of the two intrusions acted as an advanced persistent threat (APT), which is an attack that resides undetected on a network for a long time. The goal of an APT is to exfiltrate data from the infected system rather than inflict damage. Several names have been given to these two actors, and most commonly Fancy Bear is known as APT28, and Cozy Bear as APT29.

The fact that many of the techniques used in the hack resembled, in varying degrees, past attacks attributed to Russia may not necessarily carry as much significance as we are led to believe. Once malware is deployed, it tends to be picked up by cybercriminals and offered for sale or trade on Deep Web black markets, where anyone can purchase it. Exploit kits are especially popular sellers. Quite often, the code is modified for specific uses. Security specialist Josh Pitts demonstrated how easy that process can be, downloading and modifying nine samples of the OnionDuke malware, which is thought to have first originated with the Russian government. Pitts reports that this exercise demonstrates “how easy it is to repurpose nation-state code/malware.” [2]

In another example, when SentinelOne Research discovered the Gyges malware in 2014, it reported that it “exhibits similarities to Russian espionage malware,” and is “designed to target government organizations. It comes as no surprise to us that this type of intelligence agency-grade malware would eventually fall into cybercriminals’ hands.” The security firm explains that Gyges is an “example of how advanced techniques and code developed by governments for espionage are effectively being repurposed, modularized and coupled with other malware to commit cybercrime.” [3]

Attribution is hard, cybersecurity specialists often point out. “Once an APT is released into the wild, its spread isn’t controlled by the attacker,” writes Mark McArdle. “They can’t prevent someone from analyzing it and repurposing it for their own needs.” Adapting malware “is a well-known reality,” he continues. “Finding irrefutable evidence that links an attacker to an attack is virtually unattainable, so everything boils down to assumptions and judgment.” [4]

Security Alliance regards security firm FireEye’s analysis that tied APT28 to the Russian government as based “largely on circumstantial evidence.” FireEye’s report “explicitly disregards targets that do not seem to indicate sponsorship by a nation-state,” having excluded various targets because they are “not particularly indicative of a specific sponsor’s interests.” [5] FireEye reported that the APT28 “victim set is narrow,” which helped lead it to the conclusion that it is a Russian operation. Cybersecurity consultant Jeffrey Carr reacts with scorn: “The victim set is narrow because the report’s authors make it narrow! In fact, it wasn’t narrowly targeted at all if you take into account the targets mentioned by other cybersecurity companies, not to mention those that FireEye deliberately excluded for being ‘not particularly indicative of a specific sponsor’s interests’.” [6]

FireEye’s report from 2014, on which much of the DNC Russian attribution is based, found that 89 percent of the APT28 software samples it analyzed were compiled during regular working hours in St. Petersburg and Moscow. [7]

But compile times, like language settings, can be easily altered to mislead investigators. Mark McArdle wonders, “If we think about the very high level of design, engineering, and testing that would be required for such a sophisticated attack, is it reasonable to assume that the attacker would leave these kinds of breadcrumbs? It’s possible. But it’s also possible that these things can be used to misdirect attention to a different party. Potentially another adversary. Is this evidence the result of sloppiness or a careful misdirection?” [8]

“If the guys are really good,” says Chris Finan, CEO of Manifold Technology, “they’re not leaving much evidence or they’re leaving evidence to throw you off the scent entirely.” [9] How plausible is it that Russian intelligence services would fail even to attempt such a fundamental step?

James Scott of the Institute for Critical Infrastructure Technology points out that the very vulnerability of the DNC servers constitutes a muddied basis on which to determine attribution. “Attribution is less exact in the case of the DNC breach because the mail servers compromised were not well-secured; the organization of a few hundred personnel did not practice proper cyber-hygiene; the DNC has a global reputation and is a valuable target to script kiddies, hacktivists, lone-wolf cyber-threat actors, cyber-criminals, cyber-jihadists, hail-mary threats, and nation-state sponsored advanced persistent threats; and because the malware discovered on DNC systems were well-known, publicly disclosed, and variants could be purchased on Deep Web markets and forums.” [10]

Someone, or some group, operating under the pseudonym of Guccifer 2.0, claimed to be a lone actor in hacking the DNC servers. It is unclear what relation – if any – Guccifer 2.0 has to either of the two APT attacks on the DNC. In a PDF file that Guccifer 2.0 sent to Gawker.com, metadata indicated that it was last saved by someone having a username in Cyrillic letters. During the conversion of the file from Microsoft Word to PDF, invalid hyperlink error messages were automatically generated in the Russian language. [11]

This would seem to present rather damning evidence. But who is Guccifer 2.0? A Russian government operation? A private group? Or a lone hacktivist? In the poorly secured DNC system, there were almost certainly many infiltrators of various stripes. Nor can it be ruled out that the metadata indicators were intentionally generated in the file to misdirect attribution. The two APT attacks have been noted for their sophistication, and these mistakes – if that is what they are – seem amateurish. To change the language setting on a computer can be done in a matter of seconds, and that would be standard procedure for advanced cyber-warriors. On the other hand, sloppiness on the part of developers is not entirely unknown. However, one would expect a nation-state to enforce strict software and document handling procedures and implement rigorous review processes.

At any rate, the documents posted to the Guccifer 2.0 blog do not necessarily originate from the same source as those published by WikiLeaks. Certainly, none of the documents posted to WikiLeaks possess the same metadata issues. And one hacking operation does not preclude another, let alone an insider leak.

APT28 relied on XTunnel, repurposed from open source code that is available to anyone, to open network ports and siphon data. The interesting thing about the software is its failure to match the level of sophistication claimed for APT28. The strings in the code quite transparently indicate its intent, with no attempt at obfuscation. [12] It seems an odd oversight for a nation-state operation, in which plausible deniability would be essential, to overlook that glaring point during software development.

Command-and-control servers remotely issue malicious commands to infected machines. Oddly, for such a key component of the operation, the command-and-control IP address in both attacks was hard-coded in the malware. This seems like another inexplicable choice, given that the point of an advanced persistent threat is to operate for an extended period without detection. A more suitable approach would be to use a Domain Name System (DNS) address, which is a decentralized computer naming system. That would provide a more covert means of identifying the command-and-control server. [13] Moreover, one would expect that address to be encrypted. Using a DNS address would also allow the command-and-control operation to easily move to another server if its location is detected, without the need to modify and reinstall the code.

One of the IP addresses is claimed to be a “well-known APT 28” command-and-control address, while the second is said to be linked to Russian military intelligence. [14] The first address points to a server located in San Jose, California, and is operated by a server hosting service. [15] The second server [16] Clearly, these are servers that have been compromised by hackers. It is customary for hackers to route their attacks through vulnerable computers. The IP addresses of compromised computers are widely available on the Deep Web, and typically a hacked server will be used by multiple threat actors. These two particular servers may or may not have been regularly utilized by Russian Intelligence, but they were not uniquely so used. Almost certainly, many other hackers would have used the same machines, and it cannot be said that these IP addresses uniquely identify an infiltrator. Indeed, the second IP address is associated with the common Trojan viruses Agent-APPR and Shunnael. [17]

“Everyone is focused on attribution, but we may be missing the bigger truth,” says Joshua Croman, Director of the Cyber Statecraft Initiative at the Atlantic Council. “[T]he level of sophistication required to do this hack was so low that nearly anyone could do it.” [18]

In answer to critics, the Department of Homeland Security and the FBI issued a joint analysis report, which presented “technical details regarding the tools and infrastructure used” by Russian intelligence services “to compromise and exploit networks” associated with the U.S. election, U.S. government, political, and private sector entities. The report code-named these activities “Grizzly Steppe.” [19]

For a document that purports to offer strong evidence on behalf of U.S. government allegations of Russian culpability, it is striking how weak and sloppy the content is. Included in the report is a list of every threat group ever said to be associated with the Russian government, most of which are unrelated to the DNC hack. It appears that various governmental organizations were asked to send a list of Russian threats, and then an official lacking IT background compiled that information for the report, and the result is a mishmash of threat groups, software, and techniques. “PowerShell backdoor,” for instance, is a method used by many hackers, and in no way describes a Russian operation.

Indeed, one must take the list on faith, because nowhere in the document is any evidence provided to back up the claim of a Russian connection. Indeed, as the majority of items on the list are unrelated to the DNC hack, one wonders what the point is. But it bears repeating: even where software can be traced to Russian origination, it does not necessarily indicate exclusive usage. Jeffrey Carr explains: “Once malware is deployed, it is no longer under the control of the hacker who deployed it or the developer who created it. It can be reverse-engineered, copied, modified, shared and redeployed again and again by anyone.” Carr quotes security firm ESET in regard to the Sednit group, one of the items on the report’s list, and which is another name for APT28: “As security researchers, what we call ‘the Sednit group’ is merely a set of software and the related infrastructure, which we can hardly correlate with any specific organization.” Carr points out that X-Agent software, which is said to have been utilized in the DNC hack, was easily obtained by ESET for analysis. “If ESET could do it, so can others. It is both foolish and baseless to claim, as Crowdstrike does, that X-Agent is used solely by the Russian government when the source code is there for anyone to find and use at will.” [20]

The salient impression given by the government’s report is how devoid of evidence it is. For that matter, the majority of the content is taken up by what security specialist John Hinderaker describes as “pedestrian advice to IT professionals about computer security.” As for the report’s indicators of compromise (IoC), Hinderaker characterizes these as “tools that are freely available and IP addresses that are used by hackers around the world.” [21]

In conjunction with the report, the FBI and Department of Homeland Security provided a list of IP addresses it identified with Russian intelligence services. [22] Wordfence analyzed the IP addresses as well as a PHP malware script provided by the Department of Homeland Security. In analyzing the source code, Wordfence discovered that the software used was P.A.S., version 3.1.0. It then found that the website that manufactures the malware had a site country code indicating that it is Ukrainian. The current version of the P.A.S. software is 4.1.1, which is much newer than that used in the DNC hack, and the latest version has changed “quite substantially.” Wordfence notes that not only is the software “commonly available,” but also that it would be reasonable to expect “Russian intelligence operatives to develop their own tools or at least use current malicious tools from outside sources.” To put it plainly, Wordfence concludes that the malware sample “has no apparent relationship with Russian intelligence.” [23]

Wordfence also analyzed the government’s list of 876 IP addresses included as indicators of compromise. The sites are widely dispersed geographically, and of those with a known location, the United States has the largest number. A large number of the IP addresses belong to low-cost server hosting companies. “A common pattern that we see in the industry,” Wordfence states, “is that accounts at these hosts are compromised and those hacked sites are used to launch attacks around the web.” Fifteen percent of the IP addresses are currently Tor exit nodes. “These exit nodes are used by anyone who wants to be anonymous online, including malicious actors.” [24]

If one also takes into account the IP addresses that not only point to current Tor exits, but also those that once belonged to Tor exit nodes, then these comprise 42 percent of the government’s list. [25] “The fact that so many of the IPs are Tor addresses reveals the true sloppiness of the report,” concludes network security specialist Jerry Gamblin. [26]

Cybersecurity analyst Robert Graham was particularly blistering in his assessment of the government’s report, characterizing it as “full of garbage.” The report fails to tie the indicators of compromise to the Russian government. “It contains signatures of viruses that are publicly available, used by hackers around the world, not just Russia. It contains a long list of IP addresses from perfectly normal services, like Tor, Google, Dropbox, Yahoo, and so forth. Yes, hackers use Yahoo for phishing and malvertising. It doesn’t mean every access of Yahoo is an ‘indicator of compromise’.” Graham compared the list of IP addresses against those accessed by his web browser, and found two matches. “No,” he continues. “This doesn’t mean I’ve been hacked. It means I just had a normal interaction with Yahoo. It means the Grizzly Steppe IoCs are garbage.” Graham goes on to point out that “what really happened” with the supposed Russian hack into the Vermont power grid “is that somebody just checked their Yahoo email, thereby accessing one of the same IP addresses I did. How they get from the facts (one person accessed Yahoo email) to the story (Russians hacked power grid)” is U.S. government “misinformation.” [27]

The indicators of compromise, in Graham’s assessment, were “published as a political tool, to prove they have evidence pointing to Russia.” As for the P.A.S. web shell, it is “used by hundreds if not thousands of hackers, mostly associated with Russia, but also throughout the rest of the world.” Relying on the government’s sample for attribution is problematic: “Just because you found P.A.S. in two different places doesn’t mean it’s the same hacker.” A web shell “is one of the most common things hackers use once they’ve broken into a server,” Graham observes. [28]

Although cybersecurity analyst Robert M. Lee is inclined to accept the government’s position on the DNC hack, he feels the joint analysis report “reads like a poorly done vendor intelligence report stringing together various aspects of attribution without evidence.” The report’s list “detracts from the confidence because of the interweaving of unrelated data.” The information presented is not sourced, he adds. “It’s a random collection of information and in that way, is mostly useless.” Indeed, the indicators of compromise have “a high rate of false positives for defenders that use them.” [29]

The intent of the joint analysis report was to provide evidence of Russian state responsibility for the DNC hack. But nowhere does it do so. Mere assertions are meant to persuade. How much evidence does the government have? The Democratic Party claims that the FBI never requested access to DNC servers. [32] The FBI, for its part, says it made “multiple requests” for access to the DNC servers and was repeatedly turned down. [33] Either way, it is a remarkable admission. In a case like this, the FBI would typically conduct its own investigation. Was the DNC afraid the FBI might come to a different conclusion than the DNC-hired security firm Crowdstrike? The FBI was left to rely on whatever evidence Crowdstrike chose to supply. During its analysis of DNC servers, Crowdstrike reports that it found evidence of APT28 and APT29 intrusions within two hours. Did it stop there, satisfied with what it had found? Or did it continue to explore whether additional intrusions by other actors had taken place?

In an attempt to further inflame the hysteria generated from accusations of Russian hacking, the Office of the Director of National Intelligence published a declassified version of a document briefed to U.S. officials. The information was supplied by the CIA, FBI, and National Security Agency, and was meant to cement the government’s case. Not surprisingly, the report received a warm welcome in the mainstream media, but what is notable is that it offers not a single piece of evidence to support its claim of “high confidence” in assessing that Russia hacked the DNC and released documents to WikiLeaks. Instead, the bulk of the report is an unhinged diatribe against Russian-owned RT media. The content is rife with inaccuracies and absurdities. Among the heinous actions RT is accused of are having run “anti-fracking programming, highlighting environmental issues and the impacts on health issues,” airing a documentary on Occupy Wall Street, and hosting third-party candidates during the 2012 election. [34] . . .

. . . . Main­stream media start with the premise that the Russ­ian gov­ern­ment was respon­si­ble, despite a lack of con­vinc­ing evi­dence. They then leap to the fal­la­cious con­clu­sion that because Rus­sia hacked the DNC, only it could have leaked the doc­u­ments.

So, did the Russ­ian gov­ern­ment hack the DNC and feed doc­u­ments to Wik­iLeaks? There are real­ly two ques­tions here: who hacked the DNC, and who released the DNC doc­u­ments? These are not nec­es­sar­i­ly the same. An ear­li­er intru­sion into Ger­man par­lia­ment servers was blamed on the Rus­sians, yet the release of doc­u­ments to Wik­iLeaks is thought to have orig­i­nat­ed from an insid­er. [35] Had the Rus­sians hacked into the DNC, it may have been to gath­er intel­li­gence, while anoth­er actor released the doc­u­ments. But it is far from cer­tain that Russ­ian intel­li­gence ser­vices had any­thing to do with the intru­sions. Julian Assange says that he did not receive the DNC doc­u­ments from a nation-state. It has been point­ed out that Rus­sia could have used a third par­ty to pass along the mate­r­i­al. Fair enough, but for­mer UK diplo­mat Craig Mur­ray asserts: “I know who the source is… It’s from a Wash­ing­ton insid­er. It’s not from Rus­sia.” [36]

There are too many incon­sis­ten­cies and holes in the offi­cial sto­ry. In all like­li­hood, there were mul­ti­ple intru­sions into DNC servers, not all of which have been iden­ti­fied. The pub­lic ought to be wary of quick claims of attri­bu­tion. It requires a long and involved process to arrive at a plau­si­ble iden­ti­fi­ca­tion, and in many cas­es the source can nev­er be deter­mined. As Jef­frey Carr explains, “It’s impor­tant to know that the process of attribut­ing an attack by a cyber­se­cu­ri­ty com­pa­ny has noth­ing to do with the sci­en­tif­ic method. Claims of attri­bu­tion aren’t testable or repeat­able because the hypoth­e­sis is nev­er proven right or wrong.” [37]

Rus­sia-bash­ing is in full swing, and there does not appear to be any let­up in sight. We are plung­ing head­long into a new Cold War, rid­ing on a wave of pro­pa­gan­da-induced hys­te­ria. The self-serv­ing claims fuel­ing this cam­paign need to be chal­lenged every step of the way. Sur­ren­der­ing to evi­dence-free emo­tion­al appeals would only serve those who arro­gant­ly advo­cate con­fronta­tion and geopo­lit­i­cal dom­i­na­tion.
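The Graham and Lee passages above make a concrete, testable point: an indicator list padded with the addresses of shared services (webmail, Tor, cloud storage) will match ordinary traffic, so a raw hit count says nothing about compromise. The script below is an added example, not code from this page, from the JAR, or from any of the analysts quoted; the indicator list, the shared-infrastructure table and the proxy log lines in it are all constructed for illustration and none are real GRIZZLY STEPPE indicators. It shows the triage step a defender runs before treating a match as evidence: tag each hit by whether the indicator points at dedicated or shared infrastructure, and escalate only the former.

```python
"""Triage of a bare IP indicator list against proxy logs.

Added example, not from the page or from any cited report. Every indicator,
network label and log line below is constructed for illustration.
"""
import ipaddress
from collections import Counter

# Constructed indicator feed in the shape of a JAR appendix: bare addresses
# and ranges with no statement of what each one is.
IOC_NETWORKS = [
    "203.0.113.10/32",   # hypothetical single-purpose command-and-control host
    "198.51.100.0/24",   # hypothetical webmail provider's front-end range
    "192.0.2.44/32",     # hypothetical Tor exit relay
]

# Enrichment the defender adds: ranges that thousands of legitimate users
# also reach. A match here says "someone used webmail", not "compromise".
SHARED_INFRASTRUCTURE = {
    "198.51.100.0/24": "webmail provider",
    "192.0.2.0/24": "Tor exit relays",
}

# Constructed proxy log, one event per line: "<timestamp> <src> <dst> <bytes>"
PROXY_LOG = """\
2016-12-30T09:00:01 10.1.1.20 198.51.100.23 2048
2016-12-30T09:00:07 10.1.1.21 198.51.100.23 1500
2016-12-30T09:01:12 10.1.1.22 203.0.113.10 700
2016-12-30T09:02:45 10.1.1.20 192.0.2.44 300
2016-12-30T09:03:00 10.1.1.23 172.16.5.5 9000
""".splitlines()


def load_iocs(cidrs):
    """Parse indicator strings into network objects (a bare IP is a /32)."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def shared_label(ip):
    """Return the shared-service label covering ip, or None if dedicated."""
    for net, label in SHARED_INFRASTRUCTURE.items():
        if ip in ipaddress.ip_network(net):
            return label
    return None


def match_log(lines, networks):
    """Match destination addresses against the indicator list.

    Each hit records which indicator fired and a confidence grade:
    'high' only when the indicator is not shared infrastructure.
    """
    hits = []
    for line in lines:
        ts, src, dst, _bytes = line.split()
        dst_ip = ipaddress.ip_address(dst)
        for net in networks:
            if dst_ip in net:
                label = shared_label(dst_ip)
                hits.append({
                    "time": ts,
                    "src": src,
                    "dst": dst,
                    "indicator": str(net),
                    "confidence": "low" if label else "high",
                    "reason": f"shared service: {label}" if label else "dedicated indicator",
                })
    return hits


def summarize(hits):
    """Count hits by confidence grade."""
    return Counter(h["confidence"] for h in hits)


def worth_escalating(hits):
    """Only hits on dedicated infrastructure justify pulling the host for forensics."""
    return [h for h in hits if h["confidence"] == "high"]


if __name__ == "__main__":
    hits = match_log(PROXY_LOG, load_iocs(IOC_NETWORKS))
    for h in hits:
        print(f"{h['time']} {h['src']} -> {h['dst']} [{h['indicator']}] "
              f"{h['confidence']}: {h['reason']}")
    print(dict(summarize(hits)))
```

Run on the constructed log, three of the four matches are webmail or Tor traffic and only one host touched a dedicated indicator. That is Graham's point in miniature: a hit on a webmail provider's address proves a webmail login, nothing more. Note also what the remaining "high" hit does and does not show: contact with an address on the list, which justifies investigating that host, but not the identity of whoever operates the address; a matching indicator, like a publicly available web shell turning up in two places, is detection, not attribution.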

 9. The high-pro­file hacks have helped spawn an Orwellian creation–the “Coun­ter­ing For­eign Pro­pa­gan­da and Dis­in­for­ma­tion Act.”

“The War Against Alter­na­tive Infor­ma­tion” by Rick Ster­ling; Con­sor­tium News; 1/1/2017.

The U.S. estab­lish­ment is not con­tent sim­ply to have dom­i­na­tion over the media nar­ra­tives on crit­i­cal for­eign pol­i­cy issues, such as Syr­ia, Ukraine and Rus­sia. It wants total dom­i­na­tion. Thus we now have the “Coun­ter­ing For­eign Pro­pa­gan­da and Dis­in­for­ma­tion Act” that Pres­i­dent Oba­ma signed into law on Dec. 23 as part of the Nation­al Defense Autho­riza­tion Act for 2017, set­ting aside $160 mil­lion to com­bat any “pro­pa­gan­da” that chal­lenges Offi­cial Washington’s ver­sion of real­i­ty.

The leg­is­la­tion was ini­ti­at­ed in March 2016, as the demo­niza­tion of Russ­ian Pres­i­dent Vladimir Putin and Rus­sia was already under­way and was enact­ed amid the alle­ga­tions of “Russ­ian hack­ing” around the U.S. pres­i­den­tial elec­tion and the main­stream media’s furor over sup­pos­ed­ly “fake news.” . . . .

. . . . The new law is remark­able for a num­ber of rea­sons, not the least because it merges a new McCarthy­ism about pur­port­ed dis­sem­i­na­tion of Russ­ian “pro­pa­gan­da” on the Inter­net with a new Orwellian­ism by cre­at­ing a kind of Min­istry of Truth – or Glob­al Engage­ment Cen­ter – to pro­tect the Amer­i­can peo­ple from “for­eign pro­pa­gan­da and dis­in­for­ma­tion.”

As part of the effort to detect and defeat these unwant­ed nar­ra­tives, the law autho­rizes the Cen­ter to: “Facil­i­tate the use of a wide range of tech­nolo­gies and tech­niques by shar­ing exper­tise among Fed­er­al depart­ments and agen­cies, seek­ing exper­tise from exter­nal sources, and imple­ment­ing best prac­tices.” (This sec­tion is an appar­ent ref­er­ence to pro­pos­als that Google, Face­book and oth­er tech­nol­o­gy com­pa­nies find ways to block or brand cer­tain Inter­net sites as pur­vey­ors of “Russ­ian pro­pa­gan­da” or “fake news.”)

Jus­ti­fy­ing this new bureau­cra­cy, the bill’s spon­sors argued that the exist­ing agen­cies for “strate­gic com­mu­ni­ca­tions” and “pub­lic diplo­ma­cy” were not enough, that the infor­ma­tion threat required “a whole-of-gov­ern­ment approach lever­ag­ing all ele­ments of nation­al pow­er.”

The law also is rife with irony since the U.S. gov­ern­ment and relat­ed agen­cies are among the world’s biggest pur­vey­ors of pro­pa­gan­da and dis­in­for­ma­tion – or what you might call evi­dence-free claims, such as the recent accu­sa­tions of Rus­sia hack­ing into Demo­c­ra­t­ic emails to “influ­ence” the U.S. elec­tion.

Despite these accu­sa­tions — leaked by the Oba­ma admin­is­tra­tion and embraced as true by the main­stream U.S. news media — there is lit­tle or no pub­lic evi­dence to sup­port the charges. There is also a con­tra­dic­to­ry analy­sis by vet­er­an U.S. intel­li­gence pro­fes­sion­als as well as state­ments by Wik­ileaks founder Julian Assange and an asso­ciate, for­mer British Ambas­sador Craig Mur­ray, that the Rus­sians were not the source of the leaks. Yet, the main­stream U.S. media has vir­tu­al­ly ignored this counter-evi­dence, appear­ing eager to col­lab­o­rate with the new “Glob­al Engage­ment Cen­ter” even before it is offi­cial­ly formed. . . .

Discussion

17 comments for “FTR #943 The Gehlen Gang, the High-Profile Hacks and the New Cold War”

  1. What would George Orwell think of the Trump pres­i­den­cy thus far? Hope­ful­ly a great deal of dis­gust. But as the fol­low­ing arti­cle sug­gests, that dis­gust would prob­a­bly be paired with a very dif­fer­ent sen­ti­ment: ‘ka-ching!’:

    The Dai­ly Dot

    Sales of ‘1984’ sky­rock­et after Kellyanne Con­way cites ‘alter­na­tive facts’

    Andrew Couts —

    Jan 24 at 7:33PM | Last updat­ed Jan 24 at 7:34PM

    “Life imi­tates Art far more than Art imi­tates Life,” Oscar Wilde wrote in his 1889 essay The Decay of Lying. Now, in the ear­ly days of Pres­i­dent Don­ald Trump’s admin­is­tra­tion, an increas­ing num­ber of Amer­i­cans are self-inves­ti­gat­ing to see if that is true.

    Sales of George Orwell’s sem­i­nal nov­el 1984 have swelled this week fol­low­ing White House advis­er Kellyanne Con­way’s claim that the Trump admin­is­tra­tion oper­ates on a set of “alter­na­tive facts”—a phrase many have deemed down­right Orwellian.

    As of Mon­day after­noon, 1984 sat at No. 6 on Ama­zon’s week­ly best-sell­er list. The dystopi­an nov­el, which envi­sions an inescapable author­i­tar­i­an gov­ern­ment defined by its omnipresent sur­veil­lance that intrudes even into cit­i­zens’ minds, birthed phras­es that have come to define oppres­sion, includ­ing: “newspeak,” “dou­ble­think,” “thought­crime,” and “Thought­Po­lice,” among oth­ers.

    Con­way deliv­ered her infa­mous “alter­na­tive facts” quote dur­ing an inter­view with NBC’s Meet the Press host Chuck Todd on Sun­day while she attempt­ed to defend White House Press Sec­re­tary Sean Spicer’s false claim that Trump’s inau­gu­ra­tion audi­ence was the “largest” in his­to­ry. Spicer lat­er stood by that claim.

    ...

    “Conway delivered her infamous “alternative facts” quote during an interview with NBC’s Meet the Press host Chuck Todd on Sunday while she attempted to defend White House Press Secretary Sean Spicer’s false claim that Trump’s inauguration audience was the “largest” in history. Spicer later stood by that claim.”

    While “alter­na­tive facts”, oth­er­wise known as “lies”, are noth­ing new to pol­i­tics, attempt­ing to reframe your lies as “alter­na­tive facts” dur­ing a tele­vised interview...that’s kind of a new one. At least for incom­ing pres­i­den­tial admin­is­tra­tions.

    But if this is going to be a ‘Big Lie’ kind of administration engaging in epic levels of corruption and looting, it’s not like it’s going to have a lot of options in terms of blatantly and aggressively lying to the public. So maybe their best option really is to just go with the “alternative facts” brand and hope that Team Trump can successfully sell his base even more deeply on the notion that everything is a lie except what Trump tells them. It’s worth a shot! Sure, not lying and looting is worth more of a shot, but if that’s not an option, “alternative facts” might be the next best route for Team Trump. And as the article below makes clear, not constantly lying is not going to be an option:

    The Wash­ing­ton Post

    With­out evi­dence, Trump tells law­mak­ers 3 mil­lion to 5 mil­lion ille­gal bal­lots cost him the pop­u­lar vote

    By Abby Phillip and Mike DeBo­nis
    Jan­u­ary 23, 2017 at 8:05 PM

    Days after being sworn in, Pres­i­dent Trump insist­ed to con­gres­sion­al lead­ers invit­ed to a recep­tion at the White House that he would have won the pop­u­lar vote had it not been for mil­lions of ille­gal votes, accord­ing to peo­ple famil­iar with the meet­ing.

    Trump has repeat­ed­ly claimed, with­out evi­dence, that wide­spread vot­er fraud caused him to lose the pop­u­lar vote to Hillary Clin­ton, even while he clinched the pres­i­den­cy with an elec­toral col­lege vic­to­ry.

    Two peo­ple famil­iar with the meet­ing said Trump spent about 10 min­utes at the start of the bipar­ti­san gath­er­ing rehash­ing the cam­paign. He also told them that between 3 mil­lion and 5 mil­lion ille­gal votes caused him to lose the pop­u­lar vote.

    The dis­cus­sion about Trump’s elec­tion vic­to­ry and his claim that he would have won the pop­u­lar vote was con­firmed by a third per­son famil­iar with the meet­ing.

    The claim is not sup­port­ed by any ver­i­fi­able facts, and analy­ses of the elec­tion found vir­tu­al­ly no con­firmed cas­es of vot­er fraud, let alone mil­lions.

    Clin­ton won the pop­u­lar vote by more than 2.8 mil­lion votes. Trump won 304 elec­toral col­lege votes to Clin­ton’s 227.

    House Major­i­ty Leader Kevin McCarthy (R‑Calif.) allud­ed to Trump’s com­ments as he returned to the Capi­tol from the meet­ing Mon­day night.

    “We talked about dif­fer­ent elec­toral col­lege, pop­u­lar votes, going through the dif­fer­ent ones,” McCarthy said. “Well, we talked about going back through past elec­tions. Every­one in there goes through elec­tions and stuff, so every­body’s giv­ing their dif­fer­ent his­to­ries of dif­fer­ent parts.”

    ...

    “Two peo­ple famil­iar with the meet­ing said Trump spent about 10 min­utes at the start of the bipar­ti­san gath­er­ing rehash­ing the cam­paign. He also told them that between 3 mil­lion and 5 mil­lion ille­gal votes caused him to lose the pop­u­lar vote.”

    It’s worth noting that while it seems like Trump knows he’s spewing out blatant lies when he keeps claiming millions of illegal voters voted in the election, keep in mind that it doesn’t have to be an actual lie. It’s entirely possible that Trump is so divorced from reality that he really does believe this stuff. And that’s something to keep in mind during our “official alternative facts” era: these aren’t necessarily part of a ‘Big Lie’ agenda. It could also be a ‘Big Lies but also Big Delusions’ agenda.

    Something else to keep in mind in all this: The German government recently created an initiative to hunt down and eradicate fake news on the internet due to fears of a Russian misinformation campaign in the upcoming 2017 German elections. So...is that going to include hunting down and eradicating Trump’s “alternative facts”? Or are some alternative facts going to be more acceptable than others? We’ll find out:

    Chris­t­ian Sci­ence Mon­i­tor

    Ger­many’s plan to fight fake news

    Warn­ing that Russ­ian dis­in­for­ma­tion cam­paigns are the new nor­mal, Ger­man offi­cials have pro­posed efforts to hunt down and erad­i­cate fake news and oth­er defam­a­to­ry infor­ma­tion from the inter­net.

    Rachel Stern

    Jan­u­ary 9, 2017 —In May 2015, hack­ers infect­ed some 20,000 com­put­ers in Germany’s par­lia­ment with mali­cious soft­ware designed to steal sen­si­tive data. The vast and dam­ag­ing cyber­at­tack was the most expan­sive in the government’s his­to­ry.

    The cul­prits? Experts and offi­cials blamed the hack­ing group “APT 28,” the same out­fit that the US gov­ern­ment says hacked the Demo­c­ra­t­ic Nation­al Con­ven­tion in July 2015 and helped Rus­sia exe­cute an exten­sive influ­ence oper­a­tion to dis­cred­it Hillary Clin­ton’s pres­i­den­tial cam­paign.

    Now, a grow­ing num­ber of Ger­man politi­cians are deeply con­cerned that Rus­sia will inter­fere in their own elec­tions this com­ing fall, seek­ing to dis­cred­it pro-Euro­pean Chan­cel­lor Angela Merkel as she runs for a fourth term, and strength­en sup­port for the bur­geon­ing pop­ulist par­ty Alter­na­tive for Ger­many (AFD). In response, Berlin is con­sid­er­ing new ways of blunt­ing any attempt from Moscow to influ­ence its polit­i­cal process through cyber­at­tacks and mis­in­for­ma­tion.

    In Decem­ber, the Ger­man Inte­ri­or Min­istry pro­posed cre­at­ing a Cen­ter of Defense Against Mis­in­for­ma­tion, to help hunt down and erad­i­cate fake news or oth­er false infor­ma­tion from the inter­net. The min­istry has already told polit­i­cal par­ties to dis­able bots, tech­nol­o­gy that auto­mat­i­cal­ly shares news, tweets, and Face­book posts, say­ing those can be eas­i­ly tricked into dis­trib­ut­ing pro­pa­gan­da.

    In fact, one Ger­man offi­cial has pro­posed fin­ing Face­book 500,000 euros ($528,700) for fail­ing to delete fake news sto­ries and hate mes­sages with­in 24 hours, describ­ing the social media giant as a “val­ue chain of dig­i­tal pro­pa­gan­da.”

    Else­where in Europe, offi­cials are also tak­ing steps to defend against dis­in­for­ma­tion cam­paigns. The Czech Repub­lic, set to hold its gen­er­al elec­tions in Octo­ber, plans to open a fake news cen­ter ahead of the vote. Offi­cials there say Rus­sia is behind 40 extrem­ist web­sites. These new efforts will build on a broad­er Euro­pean Union task force that relies on native Russ­ian speak­ers to comb through the web for Russ­ian-lan­guage fake news sto­ries.

    “We have to learn how to deal with it,” said Ms. Merkel recent­ly, warn­ing that Russ­ian cyber­at­tacks and pro­pa­gan­da cam­paigns have become the norm in Ger­many.

    Rus­sia is wag­ing “aggres­sive and increased cyber­spy­ing and cyber­op­er­a­tions that could poten­tial­ly endan­ger Ger­man gov­ern­ment offi­cials, mem­bers of par­lia­ment and employ­ees of demo­c­ra­t­ic par­ties,” Hans-Georg Maasen, head of Germany’s domes­tic secu­ri­ty agency, said in a recent state­ment.

    Yet crit­ics say it may be too late to short cir­cuit hack­ers’ attempts to dis­rupt the Ger­man elec­tions and dis­cred­it Merkel and her allies.

    In light of the Ger­man par­lia­ment hack, “there is a strong expec­ta­tion that Rus­sia has already col­lect­ed mate­r­i­al that will be released clos­er to the elec­tions,” says Joerg For­brig, a Senior Transat­lantic Fel­low for Cen­tral and East­ern Europe at the Ger­man Mar­shall Fund in Berlin. “My hunch is that at some point in late spring or ear­ly sum­mer, as the cam­paign reach­es its peak and when every­one goes on hol­i­days, that we will see releas­es on Wik­ileaks, per­haps else­where.”

    In Ger­many, where pri­va­cy is con­sid­ered a nation­al right, there are already mech­a­nisms in place to safe­guard vot­er infor­ma­tion from hack­ers. Inter­fer­ence in the vot­ing process itself is pro­hib­i­tive­ly dif­fi­cult, as the coun­try legal­ly requires the use of paper bal­lots in fed­er­al elec­tions.

    In order to increase infor­ma­tion shar­ing about cyber­at­tacks, Germany’s Inte­ri­or Min­istry cre­at­ed a Nation­al Cyber Defense Cen­ter in 2011 that has dis­cussed or exam­ined over 3,700 cas­es, accord­ing to a gov­ern­ment state­ment. It plans to increase its num­ber of staffers this year.

    ...

    In a recent arti­cle cowrit­ten with his col­league Mirko Hohmann, he rec­om­mend­ed that the Ger­man gov­ern­ment incen­tivize polit­i­cal par­ties to improve their dig­i­tal secu­ri­ty, either through rely­ing on gov­ern­ment agen­cies or hir­ing pri­vate secu­ri­ty com­pa­nies, in part to bet­ter trace the ori­gins of cyber­at­tacks.

    Fur­ther­more, if secret ser­vices iden­ti­fied Russ­ian gov­ern­ment offi­cials autho­riz­ing dig­i­tal attacks, Russ­ian diplo­mats would have to be expelled or new sanc­tions intro­duced, writes Mr. Ben­ner. “Polit­i­cal response is key,” he says, “since it is now too late to up the cyber­se­cu­ri­ty game in time for the elec­tions in the fall.”

    One of the most prominent cases of fake news in Germany, says European Journalism Observatory Director Stephan Russ-Mohl, was last year’s “Lisa case” in which Russian media reported on a German-Russian girl allegedly sexually abused by refugees. By the time the story was revealed to be false, it had already caused political harm.

    Last month, Social Democratic Party Chairman Thomas Oppermann suggested legislation that would fine Facebook if the company didn’t take steps to remove fake stories and news from its platform. The company would be responsible for setting up new offices to respond to complaints about defamatory posts.

    Yet free speech advo­cates are skep­ti­cal of a strat­e­gy that makes a pri­vate com­pa­ny respon­si­ble for decid­ing what’s good for the pub­lic inter­est.

    Face­book will be dri­ven to remove con­tent only if it could hurt its prof­it mar­gin, says Joe McNamee, exec­u­tive direc­tor of Euro­pean Dig­i­tal Rights in Brus­sels. Face­book, through the trade group Com­put­er and Com­mu­ni­ca­tion Indus­try Asso­ci­a­tion is lob­by­ing for pro­tec­tion from lia­bil­i­ty for delet­ing legal con­tent.

    Accord­ing to Face­book, the com­pa­ny is already tak­ing steps to min­i­mize the spread of fake news such as work­ing with third-par­ty fact check­ing orga­ni­za­tions to flag sus­pi­cious sto­ries and stop­ping fake news sites from pur­chas­ing ad space.

    Polit­i­cal­ly, Mr. Opper­man­n’s strat­e­gy to force Face­book to delete sus­pi­cious or fake news could back­fire, says Mr. McNamee. “It is entire­ly imag­in­able that ‘banned by Face­book’ or ‘the sto­ry Face­book did­n’t want you to read’ could become a badge of hon­or for a pop­ulist cam­paign.”

    “In December, the German Interior Ministry proposed creating a Center of Defense Against Misinformation, to help hunt down and eradicate fake news or other false information from the internet. The ministry has already told political parties to disable bots, technology that automatically shares news, tweets, and Facebook posts, saying those can be easily tricked into distributing propaganda.”

    Well, that cer­tain­ly sounds like a plan by the Ger­man gov­ern­ment to counter almost every­thing com­ing out of the Trump admin­is­tra­tion. Unless the new Cen­ter of Defense Against Mis­in­for­ma­tion is only going to be focused on Russ­ian mis­in­for­ma­tion.

    Posted by Pterrafractyl | January 24, 2017, 8:29 pm
  2. The head of GCHQ resigned on Mon­day, much to every­one’s sur­prise. And while per­son­al rea­sons and fam­i­ly health issues were stressed as the only rea­son for the sud­den res­ig­na­tion, it’s hard to ignore the fact that this hap­pened on the first full day of Don­ald Trump’s pres­i­den­cy. So the tim­ing of this sur­prise res­ig­na­tion with the mas­sive shift in the char­ac­ter and loy­al­ties of the peo­ple run­ning the US gov­ern­ment was either unin­ten­tion­al­ly coin­ci­den­tal or inten­tion­al­ly coin­ci­den­tal. Either way it’s a hell of a coin­ci­dence:

    The Guardian

    GCHQ chief Robert Han­ni­gan quits

    Han­ni­gan over­saw a more open approach at GCHQ after the Snow­den rev­e­la­tions exposed mass sur­veil­lance by the agency

    Ewen MacAskill

    Mon­day 23 Jan­u­ary 2017 12.57 EST

    The direc­tor of GCHQ, Robert Han­ni­gan, is to stand down ear­ly for per­son­al rea­sons, main­ly health issues involv­ing his wife and oth­er fam­i­ly mem­bers.

    Han­ni­gan only took over at the UK’s sur­veil­lance agency in Novem­ber 2014 to over­see a more open approach after rev­e­la­tions by the Nation­al Secu­ri­ty Agency whistle­blow­er Edward Snow­den put GCHQ on the defen­sive in 2013.

    His sud­den res­ig­na­tion – he informed staff just hours before mak­ing this deci­sion pub­lic – prompt­ed spec­u­la­tion that it might be relat­ed to British con­cerns over shared intel­li­gence with the US in the wake of Don­ald Trump becom­ing pres­i­dent.

    But the GCHQ press release stressed his deci­sion was exclu­sive­ly for fam­i­ly rea­sons. As well as his ill wife, Han­ni­gan has two elder­ly par­ents to look after. He will remain in post until a suc­ces­sor is appoint­ed.

    ...

    In a press state­ment, he said: “I have been lucky enough to have some extra­or­di­nary roles in pub­lic ser­vice over the last 20 years, from North­ern Ire­land to No 10, the Cab­i­net Office and the For­eign Office. But they have all demand­ed a great deal of my ever patient and under­stand­ing fam­i­ly and now is the right time for a change in direc­tion.”

    Applications will be invited from within GCHQ and elsewhere in government. The salary last year was between £160,000 and £165,000.

    At GCHQ, Han­ni­gan had led a push to make the agency more trans­par­ent, a process that includ­ed a major speech in the US last year on encryp­tion and tech com­pa­nies. He also pressed to try to put GCHQ at the fore­front of dig­i­tal chal­lenges, lead­ing to the cre­ation of the Nation­al Cyber Secu­ri­ty Cen­tre in Octo­ber last year.

    ...

    Hannigan’s back­ground was not ini­tial­ly in intel­li­gence. Born in Glouces­ter in 1965 and brought up in York­shire, he had been a high-fly­ing civ­il ser­vant at the North­ern Ire­land Office, where he was head of com­mu­ni­ca­tions and lat­er polit­i­cal direc­tor. He was involved in the peace process, cred­it­ed with com­ing up with the idea for a dia­mond-shaped table in order to get over objec­tions by the oppos­ing sides about seat­ing arrange­ments.

    He trans­ferred to Lon­don where he became involved in a series of intel­li­gence jobs, includ­ing defence and liai­son with the US, before going on to GCHQ, where he worked for six months as part of the han­dover before tak­ing con­trol.

    At the time, GCHQ, in spite of many of its secrets spilled by Snow­den, remained the most secre­tive of the three intel­li­gence agen­cies: the oth­ers being MI6 and MI5. But Han­ni­gan expand­ed the press team, invit­ed more jour­nal­ists to vis­it GCHQ and encour­aged a stream of news sto­ries aimed at bring­ing the agency into the pub­lic eye.

    In his first week in office, he created controversy with a column published in the Financial Times accusing US technology companies of becoming “the command and control networks of choice” for terrorists.

    In March last year, he soft­ened his crit­i­cism in a speech to the Mass­a­chu­setts Insti­tute of Tech­nol­o­gy, call­ing for a new rela­tion­ship between the intel­li­gence agen­cies and the tech com­pa­nies, part of a cam­paign to try to secure the help of the com­pa­nies in pro­vid­ing access to sup­pos­ed­ly encrypt­ed mes­sages.

    It is under­stood that the expla­na­tion for his sud­den depar­ture was rein­forced in an inter­nal mes­sage to GCHQ staff, acknowl­edg­ing that many mem­bers faced enor­mous per­son­al pres­sures and that he had opt­ed to make his fam­i­ly his pri­or­i­ty.

    “His sudden resignation – he informed staff just hours before making this decision public – prompted speculation that it might be related to British concerns over shared intelligence with the US in the wake of Donald Trump becoming president.”

    Well, if Han­ni­gan’s res­ig­na­tion real­ly was a kind of pub­lic cryp­to-protest it’s going to be inter­est­ing if his replace­ment ends up qui­et­ly scal­ing back the US/UK intel­li­gence shar­ing oper­a­tions. But it’s not like the UK is the only coun­try exten­sive­ly shar­ing intel­li­gence with the US, so it’s also going to be quite inter­est­ing to see if there are any oth­er actions by high-lev­el intel­li­gence offi­cials from the rest of the 5‑Eyes/9‑Eyes/What­ev­er-Eyes nations that appear to be some sort of protest about intel­li­gence shar­ing with the US. Espe­cial­ly after the reports that Trump is still using an unse­cured Android phone:

    New York Mag­a­zine

    Why It Mat­ters That Trump Is Still Using an Inse­cure Phone

    By Bri­an Feld­man

    Jan­u­ary 25, 2017 5:01 p.m.

    Last week, just ahead of the inau­gu­ra­tion, a nation’s fears were put to rest when it was report­ed that Don­ald Trump had giv­en up the old, unse­cured Android phone he used to accept unscreened phone calls and com­pose deranged tweets, and been issued a new mobile phone approved by the Secret Ser­vice. Only: This morn­ing, the New York Times report­ed that Trump has not relin­quished his old phone, despite hav­ing been issued a secure one. But what does this real­ly mean, besides the fact that the pres­i­dent clear­ly doesn’t real­ly care what the Secret Ser­vice wants?

    ...

    Tech­ni­cal secu­ri­ty should be pret­ty sim­ple to under­stand, though, for obvi­ous rea­sons, the detailed specs of the president’s Secret Service–approved phone are kept under wraps. That phone has a mil­i­tary-grade lev­el of encryp­tion that is much high­er than that of the stan­dard con­sumer device, mak­ing it more dif­fi­cult to break into and extract data from.

    The agency in charge of the president’s phone is the Defense Infor­ma­tion Sys­tems Agency, which is part of the Depart­ment of Defense. Let’s assume that what­ev­er Trump has been issued is sim­i­lar to the phone Oba­ma was issued last June when he final­ly relin­quished his dat­ed Black­Ber­ry for an Android phone. The phone is report­ed­ly a Sam­sung Galaxy S4, the only phone that was sup­port­ed by the DOD Mobil­i­ty Clas­si­fied Capa­bil­i­ty-Secret (DMCC‑S) pro­gram. The DMCC‑S fact sheet dis­plays three Galaxy S4 mod­els, brand­ing removed.

    When Oba­ma described it to Jim­my Fal­lon, he not­ed a few draw­backs. The phone could not take pic­tures, pre­sum­ably so the cam­era couldn’t be accessed remote­ly (and so that Oba­ma wouldn’t be able to take pic­tures that might lat­er be stolen).

    The phone couldn’t send text mes­sages (SMS mes­sages are noto­ri­ous­ly easy to inter­cept), only email, and couldn’t make reg­u­lar phone calls, only VoIP (voice over inter­net pro­to­col, like Skype). Pre­sum­ably, this was so all of his com­mu­ni­ca­tions could be rout­ed through secure chan­nels.

    He also couldn’t load music onto it — because if you can load files onto the phone, you can load mal­ware onto the phone. A user can’t down­load apps from the Google Play store­front onto a DMCC‑S phone.

    The point of all of this secu­ri­ty, frus­trat­ing as it may be, is that it makes the pres­i­dent dif­fi­cult to reach, and dif­fi­cult to hack. It makes it almost impos­si­ble for him to con­duct dig­i­tal diplo­ma­cy through any­thing but the most offi­cial chan­nels, even while on the go.

    Trump, on the oth­er hand, is using a phone with none of these pro­tec­tions. Texts he sends and calls he makes could eas­i­ly be inter­cept­ed by a device called a Stingray, cur­rent­ly in use by law enforce­ment, that mim­ics a cell tow­er. A per­son giv­en access to his phone, phys­i­cal­ly or remote­ly, could quick­ly and eas­i­ly steal files or down­load mal­ware. And if Trump is using the phone as often as the New York Times reports — that is, every night — there’s like­ly lots of infor­ma­tion on it that pry­ing eyes would like to see.

    But what use to Trump is a phone that can’t send tweets and can’t receive calls? He’s not able to yell at straw men on Twit­ter, or receive the praise he thrives on, with a pared-down device, secure as it may be. Trump’s con­sumer-grade Android is too tech­ni­cal­ly inse­cure for the Secret Ser­vice, but it’s also being wield­ed by an inse­cure man with a high­ly pub­lic Twit­ter account, and that’s what makes it tru­ly dan­ger­ous.

    “Trump, on the other hand, is using a phone with none of these protections. Texts he sends and calls he makes could easily be intercepted by a device called a Stingray, currently in use by law enforcement, that mimics a cell tower. A person given access to his phone, physically or remotely, could quickly and easily steal files or download malware. And if Trump is using the phone as often as the New York Times reports — that is, every night — there’s likely lots of information on it that prying eyes would like to see.”

    Yeah, reports like that probably don’t do much to allay concerns from the US’s closest allies about intelligence sharing with a Trump-run government. But there is one argument that could be made to the US’s allies that might at least reduce any Trump-specific concerns: there’s a good chance that whatever sensitive intelligence gets shared with the US won’t actually be seen by Trump, since Trump still doesn’t seem to actually care about intelligence:

    MSNBC
    The Mad­dow Blog

    In intel­li­gence brief­in­gs, Trump prefers ‘as lit­tle as pos­si­ble’

    01/18/17 12:50 PM—Updated 01/18/17 01:06 PM
    By Steve Benen

    One of the unex­pect­ed devel­op­ments of the tran­si­tion peri­od has been Don­ald Trump’s dis­in­ter­est in dai­ly intel­li­gence brief­in­gs. Pres­i­dent Oba­ma, imme­di­ate­ly after the elec­tion, ordered the rel­e­vant agen­cies to make avail­able to the pres­i­dent-elect the same infor­ma­tion that’s deliv­ered to the Oval Office, but in a bit of a sur­prise, Trump large­ly blew off the infor­ma­tion.

    Last month, Fox News’ Chris Wal­lace not­ed reports that the Repub­li­can was only receiv­ing one brief­ing a week, instead of sev­en. Trump didn’t deny the accounts, but said it didn’t mat­ter because he’s “like, a smart per­son.” He added, “I get it when I need it.”

    A month lat­er, with his inau­gu­ra­tion draw­ing clos­er, Trump sat down with Axios yes­ter­day, and refer­ring to the intel­li­gence he’s seen, the pres­i­dent-elect said, “I’ve had a lot of brief­in­gs that are very … I don’t want to say ‘scary,’ because I’ll solve the prob­lems.” The exceed­ing­ly con­fi­dent Repub­li­can added this in ref­er­ence to the PDB:

    Trump said he likes his brief­in­gs short, ide­al­ly one-page if it’s in writ­ing. “I like bul­lets or I like as lit­tle as pos­si­ble. I don’t need, you know, 200-page reports on some­thing that can be han­dled on a page. That I can tell you.”

    Hmm. Pres­i­dent Oba­ma likes to read dai­ly intel­li­gence brief­in­gs and pose fol­low-up ques­tions in writ­ing. Bill Clin­ton had a sim­i­lar approach. George W. Bush, dur­ing his two terms, changed the brief­ing process, pre­fer­ring oral reports from intel­li­gence pro­fes­sion­als.

    Trump, appar­ent­ly, has in mind some­thing akin to Pow­er­point slides.

    ...

    “Trump said he likes his brief­in­gs short, ide­al­ly one-page if it’s in writ­ing. “I like bul­lets or I like as lit­tle as pos­si­ble. I don’t need, you know, 200-page reports on some­thing that can be han­dled on a page. That I can tell you.””

    Well there we go: while it’s prob­a­bly the case that Trump’s admin­is­tra­tion is going to flood the intel­li­gence agen­cies with far-right cryp­to-fas­cists intent on dis­sem­i­nat­ing as many secrets to far-right gov­ern­ments and groups around the world as they can, at least if Trump’s phone gets hacked he’s unlike­ly to have many sen­si­tive doc­u­ments on there since he does­n’t actu­al­ly care about such top­ics. Phew!

    Posted by Pterrafractyl | January 25, 2017, 3:42 pm
  3. So, uh, ‘Russ­ian hack­ers’ appar­ent­ly hacked a num­ber of Wis­con­sin coun­ty Demo­c­ra­t­ic Par­ty web­sites. The hacks did­n’t actu­al­ly do any dam­age oth­er than redi­rect­ing peo­ple to a ran­dom web­site and no data was suc­cess­ful­ly har­vest­ed from the serv­er accord­ing to inves­ti­ga­tors. And why are Russ­ian hack­ers sus­pect­ed? Because the hack­ers cre­at­ed two new admin accounts on the first serv­er where the hack was detect­ed and, lo and behold, these new accounts had “.ru” email address­es. They also cre­at­ed pro­files for the admin accounts that includ­ed Russ­ian char­ac­ters in the “About” and “Bio” sec­tions. So while it’s unclear what exact­ly the pur­pose of the hack was, it’s pret­ty clear that one of the pri­ma­ry goals of the hack was to make sure the Democ­rats found out they were hacked and make sure it looked like Russ­ian hack­ers did it:

    Green Bay Press-Gazette

    Rus­sians sus­pect­ed of hack­ing local Dems

    Paul Srubas, USA TODAY NETWORK-Wisconsin
    8:56 p.m. CT Jan. 23, 2017

    GREEN BAY — Coun­ty web­sites of the Demo­c­ra­t­ic Par­ty in the area have been under attack, at least one appar­ent­ly by Russ­ian hack­ers, an offi­cer of the par­ty says.

    What appears to have been Russ­ian hack­ers com­pro­mised the web­site of the 8th Con­gres­sion­al Dis­trict Demo­c­ra­t­ic Par­ty as well as the sites of sev­en coun­ty Demo­c­ra­t­ic par­ty orga­ni­za­tions, said Mary Gin­nebaugh, who chairs the con­gres­sion­al dis­trict as well as the Brown Coun­ty Demo­c­ra­t­ic par­ties.

    ...

    While no one can prove beyond doubt that Rus­sians also were involved in the local hack job, two hack­ers left “call­ing cards” with Russ­ian email address­es on the local web­sites in an appar­ent ges­ture of con­tempt or brag­gado­cio, Gin­nebaugh said. Green Bay police were noti­fied and have for­ward­ed infor­ma­tion to the FBI, she said.

    Gin­nebaugh said she was stunned when a com­put­er secu­ri­ty con­sul­tant told her that Rus­sians may have been involved.

    “It was ‘Wait a minute, we’re lit­tle bit­ty Green Bay, not some pow­er­house,’” she said. “I was like, ‘Real­ly?’”

    The hack­ers may have been tar­get­ing the state site and stum­bled onto the 8th Con­gres­sion­al Dis­trict site, Gin­nebaugh said. “We’re one let­ter off,” she said. “We’re wiscdems.com and the state is wisdems.com.”

    The 8th Con­gres­sion­al domain name wiscdems.com serves as an umbrel­la for coun­ty demo­c­ra­t­ic orga­ni­za­tions with­in the dis­trict, Gin­nebaugh said. Vis­i­tors can get to the indi­vid­ual sites from the umbrel­la site or vice ver­sa. How­ev­er, the sites are inde­pen­dent of the state and nation­al sites, she said.

    The Win­neba­go Coun­ty Demo­c­ra­t­ic Par­ty first noticed a prob­lem with its web­site in Novem­ber, short­ly after the elec­tion. Peo­ple try­ing to get into that web­site were being abrupt­ly redi­rect­ed to some ran­dom web­site and couldn’t get to the party’s site, Gin­nebaugh said.

    Offi­cers from the Win­neba­go Coun­ty par­ty, part of whose coun­ty lies in the 8th Dis­trict, noti­fied the 8th Dis­trict par­ty. Staff looked into it and deter­mined the prob­lem appeared to be iso­lat­ed to the Win­neba­go Coun­ty site, Gin­nebaugh said.

    But when tech­ni­cians from the 8th Dis­trict couldn’t fix it, they con­tact­ed Jane Ben­son of Main Jane Designs of Green Bay. Ben­son is a web design­er and does online mar­ket­ing, but she also often works as an IT con­sul­tant for the local Demo­c­ra­t­ic par­ties.

    Ben­son found the prob­lem was wider than 8th Dis­trict staffers thought. Sev­en coun­ty sites, includ­ing Brown County’s, and the umbrel­la site all were com­pro­mised, Ben­son said. Aside from Win­neba­go Coun­ty notic­ing the prob­lem with its link, they also were noti­fied by Google that their search­es were reveal­ing a cor­rup­tion. Google demand­ed the cor­rup­tion be fixed or the site would be black­list­ed from Google search­es.

    Shawano, Marinette, Ocon­to, Kewaunee and Calumet coun­ty par­ty sites were hacked, as were Brown and Win­neba­go and the over­all 8th dis­trict site, Gin­nebaugh said. Door, Out­agamie, Menom­i­nee and Wau­paca coun­ties were not affect­ed.

    No clear answer

    At Benson’s direc­tion, the par­ty hired Sucuri, an inter­na­tion­al­ly known cyber secu­ri­ty com­pa­ny. It cleaned their sites of all mal­ware and took a vari­ety of oth­er pro­tec­tive steps, Ben­son said.

    All web­sites are made up of code that often turns out to have a secu­ri­ty weak­ness that can make a web­site vul­ner­a­ble, Ben­son said. Patch­es are sent out and admin­is­tra­tors must update each web­site to keep it pro­tect­ed. With the elec­tion over and the hol­i­days in full gear, peo­ple were on vaca­tion, few were vis­it­ing the web­sites and atten­tive­ness appar­ent­ly lapsed, allow­ing hack­ers to get back in, Ben­son said.

    “Some­how, some­body was able to dis­able one of the Sucuri secu­ri­ty fea­tures on the wiscdems.com web­site,” Ben­son said. “There’s an expec­ta­tion that the plu­g­ins and plat­form code will be updat­ed, and if they’re not, it can leave an open­ing for hack­ers to get in.”

    Two new users showed up as reg­is­tered admin­is­tra­tors of the web­site: larisa@steamreal.ru and ewartumba@mail.ru. The “.ru” suf­fix indi­cates a Russ­ian ori­gin, Ben­son said. The pro­file pages of the users had char­ac­ters in the Russ­ian alpha­bet in “Address” and “About Me” fields, she said.

    Code was entered, appar­ent­ly through a back door, to add two reg­is­tered users, but the web­site is set up to auto­mat­i­cal­ly block new reg­is­trants, so the intrud­ers could do no dam­age. “It’s not clear how they got there,” Ben­son said.

    The intrud­ers could just as eas­i­ly have removed all trace of hav­ing been there and just backed qui­et­ly out, but they chose to leave their names “as if to say ‘we can get in when­ev­er we want,’” Ben­son said.

    She said she can’t say whether Rus­sians were real­ly involved or whether the address­es could have been faked by some­one mim­ic­k­ing a con­nec­tion based on what had been in the news. But it was impor­tant that police and the FBI become involved, to “make this infor­ma­tion part of the body of infor­ma­tion police and the FBI are com­pil­ing from the nation­al inves­ti­ga­tion,” she said.

    A call to Green Bay police detec­tives was not returned Mon­day.

    Ben­son said it was impor­tant for the pub­lic to know the hack­ers did not suc­ceed in “har­vest­ing infor­ma­tion,” that breach­es in the sites have been repaired and that every­thing is being pro­fes­sion­al­ly mon­i­tored to keep it secure.

    Gin­nebaugh said the state Demo­c­ra­t­ic Par­ty also has been noti­fied and would pre­sum­ably be pass­ing the infor­ma­tion on to nation­al lev­els.

    “Two new users showed up as reg­is­tered admin­is­tra­tors of the web­site: larisa@steamreal.ru and ewartumba@mail.ru. The “.ru” suf­fix indi­cates a Russ­ian ori­gin, Ben­son said. The pro­file pages of the users had char­ac­ters in the Russ­ian alpha­bet in “Address” and “About Me” fields, she said.

    The self-incrim­i­nat­ing Rus­sians strike again! It’s the only pos­si­bil­i­ty. Or not:

    ...
    She said she can’t say whether Rus­sians were real­ly involved or whether the address­es could have been faked by some­one mim­ic­k­ing a con­nec­tion based on what had been in the news. But it was impor­tant that police and the FBI become involved, to “make this infor­ma­tion part of the body of infor­ma­tion police and the FBI are com­pil­ing from the nation­al inves­ti­ga­tion,” she said.
    ...

    Well, at least we’ve hit a point where peo­ple are open to the idea that these “I’m Russ­ian!” call­ing card hacks are maybe, just maybe, not actu­al­ly done by Rus­sians. At least not all of them. Unless the hacks real­ly are being done by Rus­sians using a reverse psy­chol­o­gy to sow doubts about the Russ­ian hack­ing cam­paign by being so bla­tant­ly Russ­ian about it. It’s also pos­si­ble that it real­ly was Russ­ian hack­ers who are real­ly try­ing to send a “ha, ha, we can hack you” kind of mes­sage, but if so it’s a very strange deci­sion for Rus­sia to inten­tion­al­ly piss off Amer­i­cans dur­ing a peri­od when Trump might be will­ing to warm US/Russian rela­tions.

    This is all part of the weird nature of crime in the dig­i­tal age: a skilled hack­er could, in the­o­ry, get away with the ‘per­fect crime’ by leav­ing no trace of who did it, but that does­n’t stop peo­ple from spec­u­lat­ing about who did it (unless the hack is nev­er detect­ed). So leav­ing lit­tle ‘call­ing cards’ has poten­tial val­ue to a hack­er, but only if it’s not assumed that the evi­dence left behind isn’t evi­dence of who the hack­er wants peo­ple to assume pulled off the hack. So leav­ing behind self-incrim­i­nat­ing evi­dence is a poten­tial­ly effec­tive defense. It’s sort of an “any­one smart enough to pull off this hack would­n’t be stu­pid enough to leave this kind of obvi­ous evi­dence” defense. And it’s a viable defense since fram­ing some­one else (or some nation­al­i­ty) for the hack is one way to car­ry out that ‘per­fect crime’. But only if it’s assumed that some­one would­n’t inten­tion­al­ly self-incrim­i­nate.

    It’s also worth noting that this kind of self-incriminating evidence isn’t meaningless evidence from a propaganda/disinfo perspective unless the public interprets this evidence as spoofable and meaningless. And the American public in general is still clearly very willing to take the “I’m Russian!” evidence at face value, and that public learning curve is part of what’s so fascinating about the possibility that we could be looking at a period where hackers of all stripes start leaving Russian calling cards, whether it’s for intentional propaganda, reverse psychology, or just for the LOLs: if this goes on long enough with enough blatantly self-incriminating “I’m Russian!” hacks of this nature, it’s possible we’re going to eventually get to a point where it’s just assumed that any hack blamed on the Russians due to self-incriminating evidence is probably someone trying to make it look like the Russians (as opposed to assuming that self-incriminating evidence is meaningless and could come from Russian hackers or non-Russian hackers). And that would allow for a nearly ‘perfect crime’, specifically for Russian hackers, because while you can’t stop people from speculating about who did a hack it’s still possible for the public to develop a “this is spoofed to make it look Russian” reflexive response.

    So one of the pos­si­ble blow­backs of an extend­ed spoofed ‘Russ­ian’ hack­ing cam­paign (or suc­cess­es of a clever reverse-psy­chol­o­gy self-incrim­i­nat­ing hack­ing cam­paign actu­al­ly car­ried out by the Krem­lin) could be the cre­ation of ingrained skep­ti­cism against future Russ­ian hacks...specifically those hacks with self-incrim­i­nat­ing evi­dence. And if that hap­pens for Rus­sia, a whole bunch of oth­er coun­tries might start think­ing, “hey, maybe we need a self-incrim­i­nat­ing hack­ing cam­paign!”, and then pro­ceed to launch waves of self-incrim­i­nat­ing nui­sance attacks that hope­ful­ly aren’t enough to start a war between nations but still enough to get a lot of pub­lic atten­tion about all the bla­tant­ly self-incrim­i­nat­ing evi­dence. Who knows if that will hap­pen but it’s a fas­ci­nat­ing pos­si­bil­i­ty. And kind of scary.

    Posted by Pterrafractyl | January 27, 2017, 4:10 pm
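    Reading the Green Bay article above as a defender, the strong signal was the two administrator accounts nobody had provisioned; the “.ru” addresses and the Cyrillic profile text are things any intruder can type in. The following is an added example, not code from the page, the party, Sucuri or Main Jane Designs, showing how to audit a WordPress-style user export against a baseline of known administrators and record the origin indicators separately as self-asserted rather than folding them into the verdict. The user records, the baseline and the profile field names are constructed for the illustration.

```python
"""Audit a WordPress-style user export for administrator accounts nobody provisioned.

Added example, not code from the page or from any party it describes. The
user records, the baseline list and the profile field names are constructed.
"""
import re
from dataclasses import dataclass, field

# Cyrillic block; used only to record a self-asserted indicator, never to attribute.
CYRILLIC = re.compile(r"[\u0400-\u04FF]")

# Constructed: the administrators the site's own staff actually provisioned.
BASELINE_ADMINS = {"chair", "webmaster"}

# Constructed export in the shape of a WordPress users table joined with the
# free-text profile fields the article mentions ("Address", "About Me").
USERS = [
    {"user_login": "chair", "user_email": "chair@example.org",
     "roles": ["administrator"], "address": "Green Bay, WI", "description": ""},
    {"user_login": "webmaster", "user_email": "web@example.org",
     "roles": ["administrator"], "address": "", "description": ""},
    {"user_login": "volunteer7", "user_email": "v7@example.org",
     "roles": ["subscriber"], "address": "", "description": ""},
    {"user_login": "intruder1", "user_email": "intruder1@example.ru",
     "roles": ["administrator"], "address": "Москва", "description": "Привет"},
]


@dataclass
class Finding:
    username: str
    email: str
    reasons: list = field(default_factory=list)          # strong, verifiable
    weak_indicators: list = field(default_factory=list)  # self-asserted, spoofable


def has_cyrillic(text):
    """True if the field contains any character from the Cyrillic block."""
    return bool(CYRILLIC.search(text or ""))


def audit_users(users, baseline_admins):
    """Return one Finding per administrator that is not in the provisioning baseline.

    The role check is the detection; the TLD and script checks only annotate the
    finding, because both are chosen by whoever created the account.
    """
    findings = []
    for u in users:
        if "administrator" not in u["roles"] or u["user_login"] in baseline_admins:
            continue
        f = Finding(u["user_login"], u["user_email"])
        f.reasons.append("administrator role not in the provisioning baseline")
        tld = u["user_email"].rsplit(".", 1)[-1].lower()
        f.weak_indicators.append(f"e-mail TLD .{tld}")
        for fld in ("address", "description"):
            if has_cyrillic(u.get(fld)):
                f.weak_indicators.append(f"Cyrillic text in '{fld}'")
        findings.append(f)
    return findings


def summarize(findings):
    """One report line per finding; strong reason first, weak indicators labelled."""
    return [
        f"{f.username} <{f.email}>: " + "; ".join(f.reasons)
        + " | self-asserted, spoofable: " + ", ".join(f.weak_indicators)
        for f in findings
    ]


if __name__ == "__main__":
    for line in summarize(audit_users(USERS, BASELINE_ADMINS)):
        print(line)
```

    Because the site blocked ordinary registration and the accounts were added through a back door, a check on the registration flow would have missed them; diffing the current administrator list against what staff provisioned does not depend on how the accounts got there, and it belongs in the same routine as the plugin and platform updates Benson describes.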
  4. Slight­ly off top­ic
    Btw DE in case you did­n’t know,
    Bib­lio­ma­nia book­store in Oak­land
    has an expand­ed Fas­cism sec­tion
    with many “classics”: Bormann Brotherhood, American Swastika, Trade with Enemy, Old Nazis New Germany, Control of Candy Jones (in Espionage), Skorzeny Infield, Skorzeny Memoirs, Gehlen The General was a Spy, and many more. Also highly recommend the historical fiction of Philip Kerr; especially “Hitler’s Peace” and “A Quiet Flame”; the latter draws heavily from “The Real Odessa” by Uki Goni.

    Posted by Wasabi | January 30, 2017, 12:16 pm
    Check out the latest twist in the mysterious DNC hacks: malware said to belong to “Fancy Bear” was published online earlier this week by a pair of security firms. And following some analysis of the code by an ex-NSA staffer running his own security firm, a large amount of the spyware targeting Macs looks an awful lot like the code sold by Italian “lawful intercept” spyware vendor Hacking Team, based on a comparison of the leaked code to Hacking Team’s code that was published by Wikileaks back in 2015. And while the Russian government was indeed known to be a customer of Hacking Team, guess who reportedly bought the same code: Israel, the FBI, the DEA, and the US Department of Defense:

    Forbes

    DNC Hack­ers Are Using Apple Mac Spy­ware Code From FBI Sur­veil­lance Ven­dor, Claims Ex-NSA Researcher

    Thomas Fox-Brew­ster
    Forbes Staff
    Feb 16, 2017 @ 11:00 AM

    Ear­li­er this week, mal­ware said to belong to the Russ­ian group behind the hack of the Demo­c­ra­t­ic Nation­al Com­mit­tee, known as APT28 or Fan­cy Bear, leaked online. Though nov­el both for its tar­get­ing of Apple Macs and iPhone back­ups, the sur­veil­lance tool’s real intrigue lies under­neath the hood. Accord­ing to Patrick War­dle, an ex-NSA staffer and head of research at bug hunt­ing firm Synack, a sig­nif­i­cant chunk of the APT28 Mac spy­ware looks much like that shipped by Ital­ian spy­ware ven­dor Hack­ing Team, which sold to both Russ­ian and U.S. gov­ern­ment agen­cies.

    War­dle com­pared the Hack­ing Team Mac mal­ware, avail­able on Wik­ileaks after a 2015 breach of the sur­veil­lance com­pa­ny, to that pub­lished ear­li­er this week by secu­ri­ty firms Bit­De­fend­er and Palo Alto Net­works. He claimed the APT28 code resem­bled Hack­ing Team’s mal­ware in numer­ous ways. In par­tic­u­lar, War­dle noticed that the two mal­ware sam­ples used the same tech­niques for inject­ing code onto a tar­get sys­tem, a fea­ture that’s quite rare on Apple Macs, he told FORBES.

    After explor­ing fur­ther, he now believes the Russ­ian crew “may have copied and past­ed” that entire code injec­tion func­tion of the mal­ware, which could explain some of the “weird­ness” War­dle saw. That weird­ness includ­ed what appeared to be mis­takes, or “wrong log­ic” as War­dle put it, where the code that appeared to have some func­tion would do noth­ing oth­er than return failed.

    “[I’m] 100 per cent sure this is the same code,” War­dle added.

    Hacking Team sells to adversaries

    Hack­ing Team, a so-called “law­ful inter­cept” com­pa­ny whose emails and files were dumped on Wik­ileaks after a breach in 2015, sold to both Amer­i­ca and Rus­sia. It was a provider for the FBI from 2011, sell­ing as much as $775,000 in sur­veil­lance tools, though the feds found lim­it­ed use for them. The DEA and the DoD were also cus­tomers, spend­ing $567,000 and $190,000 respec­tive­ly. Emails indi­cat­ed it demoed and sold kit to the FSB too, spend­ing as much as $450,000 via research cen­ter Kvant. And in leaked emails an employ­ee from Hack­ing Team’s chief Israeli sur­veil­lance part­ner NICE not­ed the FSB was par­tic­u­lar­ly inter­est­ed in infect­ing Apple Macs.

    Whilst intrigu­ing, the fact that a slice of APT28’s Mac mal­ware looks like Hack­ing Team’s does not mean it was pur­chased from the Milan-based firm. It could be that APT28 did what oth­er cyber­crim­i­nals did after Hack­ing Team’s files were spilled online, copy­ing and reusing the mal­ware from Wik­ileaks. Fur­ther­more, the FSB was not the Russ­ian orga­ni­za­tion linked by the U.S. gov­ern­ment to the DNC hack; the mil­i­tary intel­li­gence arm, known as the GRU, was instead blamed by the FBI and DHS. Putin him­self was said to have direct involve­ment in Fan­cy Bear’s spy oper­a­tions.

    “Now whether the Rus­sians bought it from Hack­ing Team direct­ly, or sim­ply copied and past­ed from the leaks, who knows,” War­dle added. “But I’m lean­ing towards the copy and paste with remov­ing some of log­ic that they didn’t need, but leav­ing in some oth­er code that then did­n’t real­ly make sense.

    “Hack­ing Team could have done that them­selves and then sold it to the Rus­sians. But if so, the removal of the unneed­ed code ... was done in a real­ly shit­ty way.” War­dle plans to pub­lish his full tech­ni­cal analy­sis on his own blog Thurs­day. He is unsure if the code injec­tion fea­ture cre­at­ed by Hack­ing Team works on the most recent Mac OS.

    ...

    Even Hack­ing Team had pre­vi­ous­ly warned that ter­ror­ists would use its leaked tools, in con­demn­ing the 2015 breach. It may not have antic­i­pat­ed the hack­er group linked to the most sig­nif­i­cant breach in his­to­ry would bor­row its code for their own machi­na­tions.

    “Hack­ing Team, a so-called “law­ful inter­cept” com­pa­ny whose emails and files were dumped on Wik­ileaks after a breach in 2015, sold to both Amer­i­ca and Rus­sia. It was a provider for the FBI from 2011, sell­ing as much as $775,000 in sur­veil­lance tools, though the feds found lim­it­ed use for them. The DEA and the DoD were also cus­tomers, spend­ing $567,000 and $190,000 respec­tive­ly. Emails indi­cat­ed it demoed and sold kit to the FSB too, spend­ing as much as $450,000 via research cen­ter Kvant. And in leaked emails an employ­ee from Hack­ing Team’s chief Israeli sur­veil­lance part­ner NICE not­ed the FSB was par­tic­u­lar­ly inter­est­ed in infect­ing Apple Macs.”

    So if the Russ­ian gov­ern­ment real­ly was behind the hacks, it appar­ent­ly used code from a “law­ful inter­cept” mal­ware firm that was known to have sold to the FSB, along with mul­ti­ple US gov­ern­ment agen­cies and the Israelis. And, of course, might also be used by any­one who hap­pened to decide to reuse the code from the 2015 Wik­ileaks release:

    ...
    Whilst intrigu­ing, the fact that a slice of APT28’s Mac mal­ware looks like Hack­ing Team’s does not mean it was pur­chased from the Milan-based firm. It could be that APT28 did what oth­er cyber­crim­i­nals did after Hack­ing Team’s files were spilled online, copy­ing and reusing the mal­ware from Wik­ileaks. Fur­ther­more, the FSB was not the Russ­ian orga­ni­za­tion linked by the U.S. gov­ern­ment to the DNC hack; the mil­i­tary intel­li­gence arm, known as the GRU, was instead blamed by the FBI and DHS. Putin him­self was said to have direct involve­ment in Fan­cy Bear’s spy oper­a­tions.
    ...

    So if the code released this week by those secu­ri­ty firms real­ly is from a Russ­ian gov­ern­ment hack­ing enti­ty, it’s anoth­er indi­ca­tion that that enti­ty appears to use read­i­ly avail­able code that could be attrib­uted to numer­ous dif­fer­ent actors. Which makes sense. Except for all the things the DNC hack­ers did to ensure that the hacks would be attrib­uted back to Rus­sians.

    So if tran­scripts of the calls between Don­ald Trump’s cam­paign offi­cials and Russ­ian gov­ern­ment offi­cials are ever released, you have to won­der if the top­ic of “why are the hack­ers impli­cat­ing Rus­sia?” ever came up. And giv­en the ambigu­ous and spoofa­ble nature of the tech­ni­cal evi­dence, you also have to won­der which side will be ask­ing that ques­tion.

    Posted by Pterrafractyl | February 16, 2017, 4:37 pm
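    Wardle’s finding above rests on recognizing the same code-injection routine in two samples. As an added example, not Wardle’s method and not code from any of the samples or firms named, here is a simple per-function byte n-gram comparison that scores how much of each function two binaries share; the function names and bytes are constructed stand-ins, not real malware. A high score only says the code was reused; as the Forbes piece notes, it cannot say whether it was bought, copied from the 2015 leak, or left in by mistake, which is why shared code is evidence of provenance and not of authorship.

```python
"""Per-function byte n-gram similarity between two samples.

Added example; not Wardle's method and not code from any sample or firm named on
the page. Function names and bytes are constructed stand-ins, not real malware.
"""


def ngrams(data: bytes, n: int = 4) -> set:
    """All n-byte windows of a function body, as a set (positions discarded)."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def jaccard(a: set, b: set) -> float:
    """Set overlap in [0, 1]; two empty bodies count as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def compare_functions(sample_a: dict, sample_b: dict, n: int = 4) -> dict:
    """Similarity for every function name present in both samples."""
    return {
        name: round(jaccard(ngrams(sample_a[name], n), ngrams(sample_b[name], n)), 3)
        for name in sorted(sample_a.keys() & sample_b.keys())
    }


def reused_functions(scores: dict, threshold: float = 0.8) -> list:
    """Functions whose bodies are near-identical, i.e. most likely copied verbatim."""
    return sorted(name for name, s in scores.items() if s >= threshold)


# Constructed stand-ins: a "leaked" sample and a "new" sample in which one function
# is copied verbatim, one is partially reused, and one is unrelated.
LEAKED_SAMPLE = {
    "inject_code": bytes(range(0x40, 0x80)) * 2,
    "persist":     bytes(range(0x00, 0x20)) * 3,
    "main":        b"\x55\x48\x89\xe5" + bytes(range(0x90, 0xb0)),
}
NEW_SAMPLE = {
    "inject_code": bytes(range(0x40, 0x80)) * 2,                        # verbatim copy
    "persist":     bytes(range(0x00, 0x20)) + bytes(range(0x80, 0xa0)) * 2,  # partial
    "main":        bytes(range(0xc0, 0xff)),                             # unrelated
}

if __name__ == "__main__":
    scores = compare_functions(LEAKED_SAMPLE, NEW_SAMPLE)
    for name, s in scores.items():
        print(f"{name:12s} {s:.3f}")
    print("verbatim reuse:", reused_functions(scores))
```

    The per-function split matters: a whole-binary score would dilute one copied routine among everything else, whereas here the injection function scores 1.0 while the rest of the sample scores low, which is the pattern of a single borrowed component rather than a shared code base.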
    Here is a right-wing blog’s explanation of the Russian hacks — it was actually the CIA. There obviously was not any mention that this could be a black operation created by the Underground Reich’s intelligence operation.

    The Russians hack as much US information as they can, as do the Chinese, Pakistanis, and others. However, no Russian Intelligence Agency Hacking Operation would have a handle name which even remotely could be tied to Russia such as “Fancy Bear”. This was an obviously chosen name by the perpetrator of this hack to discredit US public opinion against Russia. This is similar to how the Nazis perpetuated the cold war to serve their own purposes.

    https://jonrappoport.wordpress.com/2017/03/07/wikileaks-cia-hackers-can-pose-as-russians-ring-a-bell/

    Wik­iLeaks: CIA hack­ers can pose as Russians—ring a bell?
    by Jon Rap­poport
    March 7, 2017
    (Part‑2, here)

    Let’s see. The CIA claims that Russ­ian gov­ern­ment hack­ers inter­fered in the US elec­tion, on the side of Trump.

    But sup­pose CIA hack­ers fab­ri­cat­ed an oper­a­tion to make it look like a Russ­ian hack? Too far-fetched?

    Not any­more.

    In con­junc­tion with their new data-dump of CIA mate­r­i­al, Wik­iLeaks issues this state­ment:
    “The CIA’s Remote Devices Branch’s UMBRAGE group collects and maintains a substantial library of attack techniques ‘stolen’ from malware produced in other states including the Russian Federation. With UMBRAGE and related projects the CIA can not only increase its total number of attack types but also misdirect attribution by leaving behind the ‘fingerprints’ of the groups that the attack techniques were stolen from.”
    Spy games.

    A group with­in the CIA want­ed to shift blame for Hillary Clinton’s defeat? How about point­ing at the Rus­sians? “Easy. We can use Russ­ian hack­ing tools and fab­ri­cate a sce­nario. We can say we dis­cov­ered ‘fin­ger­prints’ that point to the Russ­ian gov­ern­ment.”

    Here is what the CNN Wire Ser­vice report­ed on Jan­u­ary 2, 2017: “…even as Pres­i­dent-elect Don­ald Trump and his aides cast doubt on the links between Rus­sia and recent hacks against Democ­rats, US intel­li­gence offi­cials say that new­ly iden­ti­fied ‘dig­i­tal fin­ger­prints’ indi­cate Moscow was behind the intru­sions.”

    “One offi­cial told CNN the admin­is­tra­tion has traced the hack to the spe­cif­ic key­boards — which fea­tured Cyril­lic char­ac­ters — that were used to con­struct the mal­ware code, adding that the equip­ment leaves ‘dig­i­tal fin­ger­prints’ and, in the case of the recent hacks, those prints point to the Russ­ian gov­ern­ment.”
    Real­ly? We live in a world where spies and their cronies are con­stant­ly fix­ing real­i­ty to suit them­selves.

    So now all this brava­do about dis­cov­er­ing how the Rus­sians hacked and stole the elec­tion blows up like a cream puff with a fire­crack­er inside.

    Who originally hacked/accessed the Democratic National Committee (DNC) email files and handed them to WikiLeaks for publication? That appeared to be an insider at the DNC. But the cover story—“the Russians did it”—floated by the CIA and other US intelligence agencies now takes on a new hue.

    The CIA has worked, over the years, to refine its abil­i­ty to fake a hack-trace to all sorts of peo­ple, includ­ing the Russ­ian gov­ern­ment.

    This gives peo­ple yet anoth­er oppor­tu­ni­ty to real­ize that employ­ees of intel­li­gence agen­cies are trained to lie. It’s their bread and but­ter. A day with­out lying is a mis­spent day.

    They pur­pose­ly lie in their inves­ti­ga­tions, in their reports, in their tes­ti­mo­ny, in their leaks to the press, in their bud­get requests, in their clan­des­tine oper­a­tions, in their state­ments about the cir­cum­scribed lim­its of their activ­i­ties.

    In their minds, they lie in order to tell the truth.

    They will, when it suits them, also tell the truth in a way that sup­ports a larg­er lie.

    Some CIA agents even­tu­al­ly for­get which way is up and what they’re doing. This is a

    Posted by Roger McDonald | March 8, 2017, 6:17 pm
  7. While this isn’t new news, it’s worth not­ing that Roger Stone once again con­firmed that he has a back chan­nel to Julian Assange. A “per­fect­ly legal back chan­nel” as Stone put it:

    The Guardian

    Roger Stone claims he has ‘per­fect­ly legal back chan­nel’ to Julian Assange

    The for­mer polit­i­cal advis­er to Trump, with whom he main­tains close ties, lat­er deletes tweet that was part of series of pro­fane chal­lenges to president’s crit­ics

    Alan Yuhas
    Sun­day 5 March 2017 14.29 EST

    Roger Stone, a for­mer advis­er to Don­ald Trump, wrote on Sat­ur­day night that he had a “per­fect­ly legal back chan­nel” to Julian Assange, whose orga­ni­za­tion Wik­iLeaks pub­lished emails relat­ed to Hillary Clinton’s pres­i­den­tial cam­paign that intel­li­gence agen­cies say were hacked by Russ­ian intel­li­gence. Stone then delet­ed the mes­sage.

    While tweet­ing his sup­port of the president’s unsub­stan­ti­at­ed claims that Barack Oba­ma tried to under­mine the Trump cam­paign, Stone direct­ed a series of angry and abu­sive mes­sages at a sci­en­tist who ques­tioned him.

    In one post, lat­er delet­ed, Stone said he had “nev­er denied per­fect­ly legal back chan­nel to Assange who indeed had the goods on #Crooked­Hillary”.

    He also invit­ed chal­lengers to file libel suits against him, say­ing: “Bring it! Would enjoy crush u in court and forc­ing you to eat shit – you stu­pid igno­rant ugly bitch!”

    Stone sent sim­i­lar, pro­fan­i­ty-laced mes­sages to oth­er crit­ics of the pres­i­dent, includ­ing author JK Rowl­ing, whom he sug­gest­ed should take refugees and migrants into her own home. Stone then delet­ed the tweets.

    Hours lat­er, he added: “Just noth­ing bet­ter than call­ing out lib­er­al jerk offs on Twit­ter. We won, you lost. You’re done!”

    Here are the tweets Roger Stone deleted. pic.twitter.com/2S0mFvKcsu — Lili Loofbourow (@Millicentsomer) March 5, 2017

    A polit­i­cal oper­a­tive whose work with the Repub­li­can par­ty dates back to the days of Richard Nixon – whose face is tat­tooed on Stone’s back – Stone report­ed­ly retains ties to the pres­i­dent, though he offi­cial­ly left Trump’s cam­paign in late 2015.

    In an inter­view last week with Bre­it­bart News, the site pre­vi­ous­ly run by Steve Ban­non, now Trump’s chief strate­gist, Stone was described as one of Trump’s “polit­i­cal men­tors” and some­one who “remains one of his clos­est con­fi­dantes”.

    Last fall, US intel­li­gence agen­cies for­mal­ly accused the Krem­lin of try­ing to inter­fere in the 2016 elec­tion, and in Jan­u­ary report­ed that Russia’s intent was to help Trump’s cam­paign defeat Clin­ton.

    Part of that covert effort, the agen­cies said, was to hack into the emails of the Demo­c­ra­t­ic par­ty and Clinton’s cam­paign chair­man, John Podes­ta. Those emails were then released by Wik­iLeaks over sev­er­al months of the cam­paign.

    ...

    Dur­ing the cam­paign last August, Stone was record­ed on video telling a group of Flori­da Repub­li­cans: “I actu­al­ly have com­mu­ni­cat­ed with Assange.”

    “I believe the next tranche of his doc­u­ments per­tain to the Clin­ton Foun­da­tion, but there’s no telling what the Octo­ber sur­prise may be,” he said.

    He then seemed to pre­view the Wik­iLeaks dump of Podes­ta emails, writ­ing on Twit­ter: “Trust me, it will soon the Podesta’s time in the bar­rel.”

    In Octo­ber, he told a local CBS reporter about “a back-chan­nel com­mu­ni­ca­tion with Assange, because we have a good mutu­al friend”.

    “That friend trav­els back and forth from the Unit­ed States to Lon­don and we talk,” Stone said.

    In an inter­view with CBS last week, Stone denied hav­ing any “direct con­ver­sa­tions” with Assange and added: “Nor did I have advance knowl­edge of either the mat­ter of his sub­se­quent dis­clo­sures, or who he did or did not hack.”

    The FBI is report­ed­ly inves­ti­gat­ing Stone, along with for­mer Trump cam­paign chief Paul Man­afort, for­mer advis­er Carter Page and for­mer nation­al secu­ri­ty advis­er Michael Fly­nn, for pos­si­ble con­tacts with Russ­ian offi­cials.

    In an inter­view with the Guardian last month, Stone called for an unbi­ased inves­ti­ga­tion into such alleged links, say­ing: “The pres­i­dent should tell his attor­ney gen­er­al that either he finds proof of this, or he puts it to bed and announces none of it hap­pened.”

    He added: “I would rel­ish the oppor­tu­ni­ty to tes­ti­fy in pub­lic under oath on this issue.”

    Stone also denied that he had any con­tact with Russ­ian offi­cials dur­ing or after the cam­paign. “There was no col­lu­sion,” he said. “I have had no con­nec­tion with the Rus­sians. If the gov­ern­ment has evi­dence that I was col­lud­ing with the Rus­sians in Don­ald Trump’s cam­paign, they should indict me imme­di­ate­ly.”

    ...

    “In one post, lat­er delet­ed, Stone said he had “nev­er denied per­fect­ly legal back chan­nel to Assange who indeed had the goods on #Crooked­Hillary”.”

    It’s not particularly surprising that Stone would have deleted that particular tweet since it was part of a tweetstorm that made him seem like a psycho, although it’s a little hard to see what exactly Stone thought he was accomplishing since his psycho status has long been established and it’s not like he’s ever minded coming off as a psycho in the past.

    So who knows what Stone thought he was accomplishing by deleting those tweets, including the tweet where he once again acknowledged having a back channel with Assange, but if the latest report by The Smoking Gun is accurate, there might be some tweets Stone really wishes he could delete right now. His private tweets with “Guccifer 2.0”:

    RawStory

    FBI has records of Trump trickster Roger Stone communicating with Russians behind DNC hacks: report

    Travis Gettys
    09 Mar 2017 at 07:46 ET

    Roger Stone, a Donald Trump confidante and longtime Republican dirty trickster, communicated privately with a Russian hacking group identified by U.S. intelligence officials as the culprit in the theft of emails related to the Democratic presidential campaign.

    Stone, who is under FBI investigation for his alleged ties to Russia, communicated through private Twitter messages with the “hacktivist” known as Guccifer 2.0 during the presidential campaign, reported The Smoking Gun.

    Guccifer 2.0 claimed to be a lone activist committed to “fight all those illuminati,” and Stone promoted those claims, but U.S. intelligence officials believe with “high confidence” that Russia’s intelligence service, GRU, operated the hacker’s Twitter, WordPress and “burner” emails used to communicate with the media — including The Smoking Gun — and other individuals.

    A source told the website that Stone, who admitted over the weekend to back-channel communications with WikiLeaks founder Julian Assange, exchanged private direct messages with Guccifer 2.0, in addition to exchanges on their public Twitter accounts.

    Stone said, in a series of profane and combative tweets defending Trump’s baseless claims that Barack Obama had wiretapped his campaign, that he had “never denied perfectly legal back channel to Assange who indeed had the goods on #CrookedHillary.”

    He made a similar claim in August to a group of Florida Republicans and in October to CBS News, and he seemed to know ahead of time that WikiLeaks would release emails stolen from John Podesta, Hillary Clinton’s campaign chairman.

    Last week, Stone denied having any “direct conversations” with Assange and advance knowledge of hacked data dumped online by WikiLeaks.

    The Smoking Gun, which has reported extensively on its own communications with the hackers, asked Stone whether he had exchanged private messages with Guccifer 2.0, to which he replied via text: “don’t recall.”

    Stone, who was paid $50,000 for two months of work at the start of the Trump campaign, told the website that “numerous people who work for me have access to my twitter feed.”

    The FBI is reportedly investigating Stone, as well as former Trump campaign chairman Paul Manafort, former adviser Carter Page and former national security adviser Michael Flynn, for alleged contacts with Russian officials during the presidential campaign.

    The Smoking Gun revealed that the investigation was being run out of the FBI’s San Francisco office, and two sources told the website that agents had obtained detailed records for the Guccifer 2.0 Twitter and WordPress accounts.

    The sources did not say whether the records were obtained through a search warrant or grand jury subpoena, and the sources weren’t sure whether investigators had gathered enough evidence to seek an indictment against anyone connected to the Guccifer 2.0 hacks.

    Both Twitter and WordPress are based in San Francisco, and any records obtained by FBI agents would include IP addresses, which The Smoking Gun reported would not likely identify where Guccifer 2.0 was based because the hackers took steps to cover their tracks.

    But agents would have obtained tweets and direct messages sent by the Guccifer 2.0 account, which would include any private communications with Stone — who has known Trump for decades and is connected with both Breitbart News and Alex Jones’ InfoWars website.

    ...

    “A source told the website that Stone, who admitted over the weekend to back-channel communications with WikiLeaks founder Julian Assange, exchanged private direct messages with Guccifer 2.0, in addition to exchanges on their public Twitter accounts.”

    So according to one source, Stone exchanged private direct messages over Twitter with Guccifer 2.0, although Stone claims he doesn’t recall whether or not that happened:

    ...
    The Smoking Gun, which has reported extensively on its own communications with the hackers, asked Stone whether he had exchanged private messages with Guccifer 2.0, to which he replied via text: “don’t recall.”
    ...

    But if two of The Smoking Gun’s sources are correct, the FBI might be in a position to help Stone recall:

    ...
    “The Smoking Gun revealed that the investigation was being run out of the FBI’s San Francisco office, and two sources told the website that agents had obtained detailed records for the Guccifer 2.0 Twitter and WordPress accounts.”
    ...

    So we’ll see if the FBI investigation into Stone’s links with Russia ends up charging him with anything, but it’s important to recall that one of the reasons Guccifer 2.0 was assumed to be Russian is because the hacked files they released kept leaving little hints in the documents they were leaking that strongly suggested they were Russian:

    Counter Punch

    Did the Russians Really Hack the DNC?

    by Gregory Elich
    January 13, 2017

    ...

    Someone, or some group, operating under the pseudonym of Guccifer 2.0, claimed to be a lone actor in hacking the DNC servers. It is unclear what relation – if any – Guccifer 2.0 has to either of the two APT attacks on the DNC. In a PDF file that Guccifer 2.0 sent to Gawker.com, metadata indicated that it was last saved by someone having a username in Cyrillic letters. During the conversion of the file from Microsoft Word to PDF, invalid hyperlink error messages were automatically generated in the Russian language. [11]

    This would seem to present rather damning evidence. But who is Guccifer 2.0? A Russian government operation? A private group? Or a lone hacktivist? In the poorly secured DNC system, there were almost certainly many infiltrators of various stripes. Nor can it be ruled out that the metadata indicators were intentionally generated in the file to misdirect attribution. The two APT attacks have been noted for their sophistication, and these mistakes – if that is what they are – seem amateurish. To change the language setting on a computer can be done in a matter of seconds, and that would be standard procedure for advanced cyber-warriors. On the other hand, sloppiness on the part of developers is not entirely unknown. However, one would expect a nation-state to enforce strict software and document handling procedures and implement rigorous review processes.

    At any rate, the documents posted to the Guccifer 2.0 blog do not necessarily originate from the same source as those published by WikiLeaks. Certainly, none of the documents posted to WikiLeaks possess the same metadata issues. And one hacking operation does not preclude another, let alone an insider leak.

    ...

    And don’t forget that the name signed in Cyrillic was that of Felix Dzerzhinsky, the founder of the Soviet secret police.

    It raises the question: if the FBI investigation identifies Guccifer 2.0 and also reveals that Stone was indeed coordinating the hacks (or coordinating how to disseminate the information after the hacks took place), but it’s also learned that Guccifer 2.0 wasn’t actually a Russian agent, will the FBI drop the case against Stone? We’ll see. Or probably not see, since there’s a good chance we’ll never find out what the FBI learned about Stone’s activities if it can’t find any conclusive Stone/Russia connections.

    But at least it was nice to learn that it’s the FBI’s San Francisco office doing this investigation and not the New York office.

    So that’s part of the latest update on the Trump campaign’s collusion with Wikileaks and possible collusion with the Democratic Party hackers. But it’s not the only recent update of that nature:

    Talking Points Memo
    Editor’s Blog

    The Fuse Is Burning

    By Josh Marshall
    Published March 9, 2017, 2:37 PM EDT

    Let’s walk through this chain of events today that mixes together Julian Assange, President Trump, Nigel Farage and Sean Spicer.

    1. Yesterday, Wikileaks released a trove of documents which purport to document numerous hacking tools used by the CIA. The authenticity of these documents hasn’t been formally confirmed. But all signs suggest they are real. Knowledgeable observers say it is a huge setback for the CIA.

    2. Around noon today, someone tipped off Buzzfeed (tip is my surmise but how else would they know to be there?) that Nigel Farage was meeting with Julian Assange at the Ecuadorean Embassy in London, where Assange has been holed up since 2012 to avoid questioning and possible arrest on a sexual assault accusation in Sweden. Farage is a close ally and advisor to President Trump. He has been regularly visiting Washington and New York since Trump’s election and meets with Trump regularly. We don’t know what the two men were discussing. But Farage’s whole world right now is Trump, Trump and breaking apart the EU.

    3. Some time after noon in London, Farage emerged from the Embassy. Buzzfeed photographed him and asked what he was doing there. Farage refused to say. “I never discuss where I go or who I see.”

    4. A short time later, a source with the UK Independence Party, the party Farage until recently led, confirmed to The Independent that Farage was meeting with Assange and had met with him for about 40 minutes.

    5. This afternoon UK time, Assange holds a press conference discussing his new batch of CIA documents and promising more revelations.

    6. During Sean Spicer’s daily press briefing, an AP reporter asks Spicer about the Farage/Assange meeting and whether he was carrying a message from President Trump. Spicer basically ducked the question. But when asked specifically whether Farage was “delivering a message” from Trump, Spicer replied: “I have no idea.”

    “A short time later, a source with the UK Independence Party, the party Farage until recently led, confirmed to The Independent that Farage was meeting with Assange and had met with him for about 40 minutes”

    Is Nigel Farage a new Trump administration back channel to Wikileaks? Sean Spicer wasn’t ready to deny it. And could Farage be Stone’s back channel? Well, keep in mind that Stone previously asserted that his go-between was an American libertarian on the “opinion side” of the US media. Also keep in mind that there’s basically no reason to believe anything coming out of Stone’s mouth, so who knows. But Trump’s closest ally in the UK just met with Julian Assange days after the big CIA hacking tool leak and right before Assange holds a press conference promising more revelations, so one thing we can say with increasing certainty is that Donald Trump has a lot of friends who are friendly with Wikileaks.

    Posted by Pterrafractyl | March 9, 2017, 4:50 pm
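    The CounterPunch passage quoted in the comment above rests on two document-metadata artifacts, a last-saved-by username in Cyrillic and Russian-language error strings produced when the file was converted to PDF, together with the caveat that such indicators can be planted or removed in seconds. The script below is an added illustration of that caveat; it is not part of the original page, the comment, or any of the outlets quoted here. It shows how the first kind of indicator is read out of a .docx (the docProps/core.xml part of an Office Open XML package) and how trivially the same field can be rewritten. The package it builds and the Cyrillic username it plants are constructed sample data, not the Guccifer 2.0 files, and it does not model the PDF-conversion error messages, which come from the language of the application that performed the conversion rather than from anything stored in the source document.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by the core-properties part of an Office Open XML package.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}
CYRILLIC = re.compile(r"[\u0400-\u04FF]")  # the Cyrillic Unicode block


def build_docx(creator: str, last_modified_by: str) -> bytes:
    """Build a minimal, constructed package containing only docProps/core.xml.

    A real .docx carries many more parts; this is just enough for the metadata
    checks below and is sample data, not a recovered file.
    """
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
        f"<dc:creator>{creator}</dc:creator>"
        f"<cp:lastModifiedBy>{last_modified_by}</cp:lastModifiedBy>"
        "</cp:coreProperties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", core)  # str is stored as UTF-8
    return buf.getvalue()


def read_core_properties(docx_bytes: bytes) -> dict:
    """Return the author-related core properties of a .docx package."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))
    return {
        "creator": root.findtext("dc:creator", default="", namespaces=NS),
        "lastModifiedBy": root.findtext("cp:lastModifiedBy", default="", namespaces=NS),
    }


def script_indicators(props: dict) -> dict:
    """Flag which fields contain Cyrillic characters (field -> bool)."""
    return {field: bool(CYRILLIC.search(value)) for field, value in props.items()}


def rewrite_last_modified_by(docx_bytes: bytes, new_value: str) -> bytes:
    """Copy the package, replacing cp:lastModifiedBy inside core.xml.

    This is the entire cost of planting or erasing the indicator, which is why
    a lone metadata field is weak attribution evidence on its own.
    """
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename == "docProps/core.xml":
                root = ET.fromstring(data)
                root.find("cp:lastModifiedBy", NS).text = new_value
                data = ET.tostring(root, encoding="utf-8", xml_declaration=True)
            dst.writestr(item.filename, data)
    return out.getvalue()


if __name__ == "__main__":
    # Constructed sample: an ASCII creator and a Cyrillic last-modified-by name.
    original = build_docx("analyst", "Тестовый Пользователь")
    props = read_core_properties(original)
    print(props, script_indicators(props))
    # A few lines of code (or a changed language setting) remove the indicator.
    laundered = rewrite_last_modified_by(original, "jdoe")
    props = read_core_properties(laundered)
    print(props, script_indicators(props))
```

    The check is worth running over every document in a dump, not one file: a single Cyrillic field proves only that someone wrote it there, while consistent language, timezone and application fingerprints across many files, compared against documents known to come from elsewhere, are what give metadata any weight as attribution evidence.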
  8. So Nixon hagiographer Monica Crowley, who forfeited a job with Trump’s National Security Council due to charges of plagiarism, is now a registered lobbyist for the Ukrainian steel billionaire who funds the Atlantic Council: Victor Pinchuk!

    Pinchuk appears to be quite the artful dodger, having donated to both the Clinton and Trump Foundations prior to the US election.

    However, it was the op-ed he wrote in December for the Wall Street Journal that thrust Pinchuk into the spotlight while angering Ukraine’s Poroshenko at the same time. It read “Ukraine Must Make Painful Compromise for Peace With Russia.” Pinchuk recommended Ukraine defer any plans to join the EU and NATO. In return he indicated Kiev might approve the lifting of sanctions imposed on Russia. Naturally Poroshenko now views Pinchuk as an appeaser and probably a contender for his job.

    Ah yes, the Art of the Deal!

    Posted by Dennis | March 15, 2017, 11:50 am
  9. With the House Intelligence Committee public hearings over the investigation into Russian interference in the 2016 election now underway, one of the more interesting questions from a political sh#t-storm perspective is whether or not Roger Stone is going to be called to testify. John McCain said Stone should be called to testify before the Senate Intelligence Committee just last week, so it certainly seems possible he’ll be testifying before at least one congressional body at some point soon. And while it’s unclear what Stone will say if he does end up testifying, based on the preview he gave us in a series of tweets it sounds like Stone is going to characterize the suspicions that he was colluding with Russian government assets as a conspiracy of US intelligence services and George Soros:

    Talking Points Memo
    Livewire

    Roger Stone: Talk Of My ‘Collusion’ With Russia Made Up By Intel Community

    By Caitlin MacNeal
    Published March 20, 2017, 3:28 PM EDT

    Longtime Trump confidante Roger Stone lashed out at the ranking member on the House Intelligence Committee Monday, saying that his claims that Stone had contact with Russians were “manufactured by the intelligence community.”

    During a hearing on Russia’s election meddling, Rep. Adam Schiff (D-CA) noted that Stone communicated with Guccifer 2.0, a hacker that U.S. officials believe is associated with the Russian government and that published stolen Democratic National Committee emails online.

    Stone said in a Monday tweet that it would only be “fair” if he could respond to allegations of collusion with Russia during the hearing.

    It’s only fair that I have a chance to respond 2 any smears or half truths about alleged “Collusion with Russians” from 2day’s Intel Hearing— Roger Stone (@RogerJStoneJr) March 20, 2017

    Stone then said in an interview with SiriusXM radio’s “The Wilkow Majority” that his contact with Guccifer 2.0 was “benign” and slammed Schiff for mentioning it at the hearing. The interview was first flagged by CNN’s KFILE.

    ...

    He insisted that his interaction with Guccifer 2.0 was “benign in its content” and said that it took place after the DNC had been hacked.

    “This does not constitute collusion,” Stone said. “I had no contacts with Russians. This one has been manufactured by the intelligence service with a nice assist from [billionaire philanthropist George] Soros and [David] Brock. I’m not gonna stop fighting for Donald Trump, nor are they going to silence me. I am anxious to go to the committee. Let’s see if they can handle the truth.”

    “This does not constitute collusion...I had no contacts with Russians. This one has been manufactured by the intelligence service with a nice assist from [billionaire philanthropist George] Soros and [David] Brock. I’m not gonna stop fighting for Donald Trump, nor are they going to silence me. I am anxious to go to the committee. Let’s see if they can handle the truth.”

    Are suspicions about Roger Stone’s collusion with Russian assets purely a fabrication of US intelligence services and George Soros? Well, it’s certainly possible that the US intelligence community is hyping the strength of any evidence that it was indeed the Russian government behind the “Fancy Bear” and “Cozy Bear” hacks, especially since much of the technical evidence pointing towards Russian government hackers is evidence predicated on the assumption that these Russian government hackers either had incredibly poor operational security for this operation or actively wanted the US to know it was the Russian government doing the hacking and openly invited the kind of broad public uproar in the aftermath. But it’s pretty undeniable that either Russian hackers or hackers who wanted everyone to think they were Russian hackers did the hacking. That’s not really disputable.

    So if Stone wants to prove that the suspicions that he was coordinating with Russian assets were just a fabrication of US intelligence, he’ll need to help everyone determine who the hackers actually were. And he just might be in a position to do exactly that, since so much of the interest surrounding Roger Stone’s collusion with the hackers has to do with the fact that he openly communicated with “Guccifer 2.0”, openly bragged about a “back channel” with Wikileaks, and openly predicted the nature of upcoming hacks (like the hacks of John Podesta’s emails) before anyone knew they were coming. So it will be interesting to see what he has to say about all those topics should he be called to testify before Congress, although as Stone has already indicated, he’s going to take the stance that he just randomly guessed John Podesta’s emails were going to get hacked based on his personal research and never actually had any direct or indirect communication with Wikileaks (despite now-deleted tweets to the contrary):

    CNN

    Senate Intelligence Committee asks Roger Stone to preserve records

    By Kevin Bohn and Gloria Borger

    Updated 2:53 PM ET, Sun March 19, 2017

    (CNN) The Senate Intelligence Committee has asked Roger Stone, the flamboyant political adviser who has been connected to Donald Trump for years, to preserve any records he might have that could be related to the panel’s investigation into Russian actions targeting the U.S. election, Stone confirmed to CNN.

    One avenue of interest for the committee could be contacts Stone had with “Guccifer 2.0” – the online persona who claims responsibility for hacking the Democratic National Committee — which he characterized as an innocuous “brief exchange” of a few direct messages that he says amount to nothing.

    Any suggestion otherwise, he told CNN, is “a fabrication.”

    Stone said his few exchanges with Guccifer 2.0 occurred in August after Twitter briefly banned the hacker for posting DNC information. He says he did not communicate in any way beforehand. The timeline, he insists, proves he did not collude in the hack itself.

    “I have this brief exchange with him on Twitter,” he recalled. “To collude, I would have to have written him before. ... We would need a time machine to collude.”

    Stone told CNN he would like to testify before the committees investigating the allegations of Russian ties so long as it is in public. “I am anxious to rebut allegations that I had any improper or nefarious contact with any agent of the Russia state based on facts — not misleading and salacious headlines,” Stone told CNN. “I am willing to appear voluntarily if the committee isn’t looking for the headline of issuing a subpoena.”

    ...

    Burr told CNN’s Manu Raju last week that Stone’s contacts were part of the “ongoing investigation,” and Warner raised concerns about Stone, saying the committee might bring him in for questions.

    The New York Times first reported the records preservation request as several congressional committees look to see if there was any collusion between Trump associates and individuals connected to Russia.

    “The intelligence agencies pushing this false Russian narrative through a series of illegal hacks have hurt my ability to make a living and are soiling my reputation,” Stone said. “The government is in possession of no evidence whatsoever that I colluded with the Russian State. Any inference that my innocuous fully disclosed Twitter exchange and tweets with a hacker known as Gruccifer 2.0 (sic), who may or may not be a Russian asset, constitutes ‘collusion’ is disproved by the content, the facts and the timeline of events.”

    The Smoking Gun website and then The Washington Times reported the direct messages between Stone and Guccifer 2.0.

    Afterward, Stone released screen shots of the purported messages himself, posting them online in a blog. In those messages, he said he was “delighted” to see Guccifer 2.0 reinstated after the hacking persona’s brief banning by Twitter.

    Stone also said in the blog post that he noted publicly on his Twitter account when the social media site reinstated Guccifer 2.0 “because I abhor censorship.”

    While Stone says his messages to the hacker alias are of no consequence, this is the first time anyone in Trump’s orbit has acknowledged any contact with a hacker — not to mention one that claimed responsibility for hacking the DNC.

    US officials may well be interested in Stone’s communications with Guccifer 2.0, whom they believe with “high confidence” was actually a front for Russian military intelligence and was part of the effort to influence America’s elections.

    Stone claims to be the subject of a warrant under the Foreign Intelligence Surveillance Act, saying his knowledge of that comes from “credible sources” that he cannot reveal. His communications with others — by phone and email — are being monitored, he claims to CNN.

    Stone vigorously denies that any monitoring would be productive. You might get “a lot of funky campaign stuff, nothing that’s illegal ... [and] no Russians,” he said, denying any contact with Russia.

    US officials have not confirmed any such warrant.

    Questions have also been raised about Stone’s cryptic tweets last August that John Podesta, Hillary Clinton’s campaign manager, would endure his “time in the barrel,” which he posted after WikiLeaks began publishing other Democrats’ hacked emails. The website posted thousands of emails it said were from Podesta’s account in the closing weeks of the campaign.

    Stone offers a “simple” explanation for his Podesta tweet: He was referring to “my own research” about Podesta and his family. He also says that tweet “does not in any way prove I was foreshadowing” the WikiLeaks release.

    And what of Stone’s ominous tweet in early October, “Wednesday@HillaryClinton is done. #Wikileaks”? He tells CNN that is the result of information from a source he would not reveal.

    Stone says he has never communicated with WikiLeaks founder Julian Assange “either directly or indirectly.” Rather, the tweet was based on information from a friend who had spoken with Assange, he said. Earlier this month, however, Stone tweeted that he had a “back channel” to WikiLeaks during the presidential campaign, only to delete the post a short time later.

    “[N]ever denied perfectly legal back channel to Assange, who indeed had the goods on #CrookedHillary,” Stone tweeted. The post was gone after about 40 minutes.

    Stone adds that he does not believe Assange works for the Russians, although the US intelligence community concluded in a report on January 6 that WikiLeaks did, in fact, work with Russian intelligence during the US election.

    Instead, Stone offers that all of this could be “disinformation” disseminated by what he calls “rogue intelligence agencies,” a line that is becoming increasingly popular in some far-right circles.

    “Stone claims to be the subject of a warrant under the Foreign Intelligence Surveillance Act, saying his knowledge of that comes from “credible sources” that he cannot reveal. His communications with others — by phone and email — are being monitored, he claims to CNN.”

    Stone is confident he’s under a FISA warrant but won’t reveal the “credible sources”. Huh. So does Stone legally have to reveal the “credible sources” telling him that he’s under a FISA warrant if Congress asks? Isn’t that a very high-level leak someone like Stone shouldn’t have any access to? Hopefully he’ll be asked to testify and we can find out. Along with what Stone will finally say about all this:

    ...
    Questions have also been raised about Stone’s cryptic tweets last August that John Podesta, Hillary Clinton’s campaign manager, would endure his “time in the barrel,” which he posted after WikiLeaks began publishing other Democrats’ hacked emails. The website posted thousands of emails it said were from Podesta’s account in the closing weeks of the campaign.

    Stone offers a “simple” explanation for his Podesta tweet: He was referring to “my own research” about Podesta and his family. He also says that tweet “does not in any way prove I was foreshadowing” the WikiLeaks release.

    And what of Stone’s ominous tweet in early October, “Wednesday@HillaryClinton is done. #Wikileaks”? He tells CNN that is the result of information from a source he would not reveal.

    Stone says he has never communicated with WikiLeaks founder Julian Assange “either directly or indirectly.” Rather, the tweet was based on information from a friend who had spoken with Assange, he said. Earlier this month, however, Stone tweeted that he had a “back channel” to WikiLeaks during the presidential campaign, only to delete the post a short time later.

    “[N]ever denied perfectly legal back channel to Assange, who indeed had the goods on #CrookedHillary,” Stone tweeted. The post was gone after about 40 minutes.
    ...

    Aha. So Stone admits being in contact with “Guccifer 2.0” in August, but he asserts that it was all out in the open and it’s just a coincidence that Stone also predicted late in August that John Podesta’s “time in the barrel” was coming. A coincidence brought about by Stone’s “own research” into Podesta. And all those admissions about a back channel to Wikileaks were wrong...instead he was merely speaking to a friend who had spoken with Assange, and somehow this doesn’t constitute a back channel. Nope.

    Posted by Pterrafractyl | March 20, 2017, 2:58 pm
  10. Now that Don­ald Trump’s for­mer nation­al secu­ri­ty advis­er Michael Fly­nn has request­ed immu­ni­ty in return for his tes­ti­mo­ny in the var­i­ous inves­ti­ga­tions swirling around the Trump admin­is­tra­tion and its ties to Rus­sia, it’s worth not­ing that Fly­nn and his pos­si­ble ille­gal actions are a great exam­ple of why any inves­ti­ga­tion into for­eign influ­ence of the Trump admin­is­tra­tion must extend far being Rus­sia if it’s going to be a com­pre­hen­sive inves­ti­ga­tion. Yes, Fly­nn may have vio­lat­ed the Logan Act dur­ing his con­ver­sa­tion the Russ­ian ambas­sador in late Decem­ber. But what about pos­si­ble improp­er Turk­ish influ­ences?

    The Inde­pen­dent

    Don­ald Trump’s for­mer nation­al secu­ri­ty advis­er ‘dis­cussed remov­ing Gulen from US’, for­mer CIA direc­tor says

    Michael Flynn’s spokesman denies issue was dis­cussed with Turk­ish offi­cials

    Lizzie Dear­den
    March 25, 2017 14:33 GMT

    Don­ald Trump’s for­mer nation­al secu­ri­ty advis­er has denied dis­cussing the removal of an exiled cler­ic from the US to face charges over an attempt­ed coup in Turkey.

    Michael Fly­nn was forced to resign from his post after giv­ing “incom­plete infor­ma­tion” on dis­cus­sions over sanc­tions with the Russ­ian ambas­sador and is one of sev­er­al fig­ures being inves­ti­gat­ed over ties with the Krem­lin.

    James Woolsey Jr, the for­mer direc­tor of the CIA, said Mr Fly­nn had met with senior rep­re­sen­ta­tives of Recep Tayyip Erdogan’s gov­ern­ment in the run-up to the US elec­tion on behalf of his Fly­nn Intel Group.

    Mr Woolsey, who was a Trump cam­paign advis­er at the time, advised late to the meet­ing to find Mr Fly­nn and Turk­ish offi­cials alleged­ly dis­cussing Fethul­lah Gulen.

    “It looks as if there was at least some strong sug­ges­tion by one or more of the Amer­i­cans present at the meet­ing that the Unit­ed States would be able, through them, to be able to get hold of Gulen,” he told CNN.

    Mr Woolsey told The Wall Street Jour­nal he arrived in the mid­dle of the con­ver­sa­tion but described the basic plan as a “covert step in the dead of night to whisk this guy away”.

    He said he alert­ed Amer­i­can offi­cials to the alleged con­ver­sa­tion, which he called “sus­pi­cious and con­cern­ing”.

    Mr Gulen, a Penn­syl­va­nia-based Turk­ish cler­ic has been accused of foment­ing a vio­lent attempt­ed coup against Pres­i­dent Erdo­gan in July but denies the charge, although his “Hizmet” move­ment admits some of its sup­port­ers may have been involved.

    A lack of evi­dence caused Barack Obama’s admin­is­tra­tion to refuse Ankara’s calls to extra­dite Mr Gulen but there has been spec­u­la­tion that Mr Trump may not share the posi­tion.

    A spokesper­son for Mr Fly­nn denied he or any­one else at the meet­ing had “dis­cussed phys­i­cal removal of Mr Gulen from the Unit­ed States”.

    “No such dis­cus­sion occurred,” Price Floyd added in a state­ment. “Nor did Mr Woolsey ever inform Gen­er­al Fly­nn that he had any con­cerns what­so­ev­er regard­ing the meet­ing, either before he chose to attend, or after­wards.”

    Mr Flynn heavily criticised Mr Gulen in an article published on election day in November, arguing the US should not give him a “safe haven” and treat Turkey as a priority and a friend.

    Justice Department documents later revealed that the article was linked to research conducted for a Turkish-owned company whose owner is an ally of Mr Erdogan.

    Inovo BV paid Flynn Intel Group $530,000 (£425,000) for work he admitted may have “principally benefitted” the Turkish government in official filings.

    Sean Spicer, the White House spokesman, said Mr Trump did not know Mr Flynn was acting as a “foreign agent” when he was hired after the documents emerged.

    Anyone representing the interests of foreign powers in a political capacity must declare their interest to the US government under the Foreign Agents Registration Act.

    Refusals by the American government and much of Europe to recognise Ankara’s accusations against Mr Gulen have worsened relations with Turkey amid Mr Erdogan’s anger over international criticism of security crackdowns and purges in the military, government and media since the coup.

    A report by the House of Commons Foreign Affairs Committee found that evidence of the Gulen movement’s involvement in the group was “anecdotal and circumstantial”, as was evidence used for its terrorist designation by the Turkish government.

    “While some of the individuals involved in the coup may have been Gülenists, given the large number of Gülenist supporters and organisations in Turkey, it does not necessarily follow that the Gülenists were responsible for the coup or that their leadership directed the coup,” MPs concluded last week.

    The Turkish President hit out at the head of Germany’s BND foreign intelligence service on Friday for suggesting Berlin is not convinced that Mr Gulen orchestrated July’s coup.

    Bruno Kahl told Der Spiegel magazine that Turkey tried to “convince us on a number of different levels. But they haven’t yet been successful”.

    ...

    “Mr Woolsey told The Wall Street Journal he arrived in the middle of the conversation but described the basic plan as a “covert step in the dead of night to whisk this guy away”.”

    Extraordinary rendition by the US. Within the US. On behalf of Erdogan. Yeah, that’s pretty extraordinary. And a pretty good reason for requesting immunity. Along with the Turkish lobbying:

    ...
    Mr Flynn heavily criticised Mr Gulen in an article published on election day in November, arguing the US should not give him a “safe haven” and treat Turkey as a priority and a friend.

    Justice Department documents later revealed that the article was linked to research conducted for a Turkish-owned company whose owner is an ally of Mr Erdogan.

    Inovo BV paid Flynn Intel Group $530,000 (£425,000) for work he admitted may have “principally benefitted” the Turkish government in official filings.

    Sean Spicer, the White House spokesman, said Mr Trump did not know Mr Flynn was acting as a “foreign agent” when he was hired after the documents emerged.

    Anyone representing the interests of foreign powers in a political capacity must declare their interest to the US government under the Foreign Agents Registration Act.
    ...

    “Anyone representing the interests of foreign powers in a political capacity must declare their interest to the US government under the Foreign Agents Registration Act.”

    So there’s plenty of in-your-face potentially criminal Turkish government influences. And then there’s all those business-related conflicts of interest that Trump himself has in Turkey. And, of course, there’s the ideological ties a far-right rogue administration like Trump’s will have with a far-right rogue administration like Erdogan’s as part of the general far-right global movement to destroy all that which is non-far-right. Is that going to be part of these various investigations into foreign influences of the Trump administration? Especially given the spoofable nature of the Russian hacking evidence? Of course not, since ties to Russia are apparently the only foreign influences that matter and not the Trump administration’s ties to the global far-right. For some mysterious reason.

    So if Flynn testifies it’s pretty clear that the investigations are going to be exclusively interested in Russia and only Russia. So hopefully some of the investigators can get Flynn to shed light on why it is that the ‘Russian hackers’ keep going out of their way to ensure they are identified as Russian hackers:

    Talking Points Memo
    DC

    Rubio Reveals Russian Hackers Targeted His Presidential Campaign Staff

    By Alice Ollstein
    Published March 30, 2017, 3:14 PM EDT

    In the Senate Intelligence Committee’s first open hearing on Russian meddling in the 2016 election, Sen. Marco Rubio (R‑FL) revealed that Russian hackers may have targeted his former presidential campaign staffers—as recently as this week.

    In the morning session of the hearing, former FBI agent Clint Watts said he believed Rubio was among the candidates from both parties that Russia aimed to discredit due in particular to their “adversarial views towards the Kremlin.” Rubio did not respond to the allegation in that morning session, and his office did not respond to TPM’s request for comment.

    But when the hearing reconvened in the afternoon, Rubio said that while he couldn’t comment on the former agent’s allegation that he was targeted during his bid for the Republican presidential nomination, he could confirm he has been targeted at least twice since bowing out.

    “In July of 2016, shortly after I announced I would seek re-election to the United States Senate, former members of my presidential campaign team who had access to the internal information of my presidential campaign were targeted by I.P. addresses with an unknown location within Russia,” he said. “That effort was unsuccessful.”

    “I’d also inform the committee that within the last 24 hours, at 10:45 a.m. yesterday, a second attempt was made, again against former members of my presidential campaign team who had access to our internal information, again targeted from an I.P. address from an unknown location in Russia,” he continued. “That effort was also unsuccessful.”

    The Senate Intelligence Committee is examining, among other factors, Russia’s use of hacking, selective leaking and social media bots to spread disinformation and create political divisions to weaken confidence in the American electoral system.

    ...

    “I’d also inform the committee that within the last 24 hours, at 10:45 a.m. yesterday, a second attempt was made, again against former members of my presidential campaign team who had access to our internal information, again targeted from an I.P. address from an unknown location in Russia,” he continued. “That effort was also unsuccessful.”

    Yep, on the same day Vladimir Putin uses a bungled “Read my lips” line to deny Russian involvement in the hacks, Marco Rubio informs the world that Russian hackers made their second attempt to hack Rubio’s staff within the last 24 hours. And how do they know it was Russian hackers? Because their I.P. addresses led back to Russia. So of course it was Russians. And specifically the Russian government. And definitely not someone else.

    And since all these investigations are apparently exclusively interested in Russian ties, and only Russian ties, hopefully Flynn will at least shed some light on that strange ‘Russian hacker’ behavior. After all, if those ‘Russian hackers’ hadn’t been so blatantly Russian there’s a good chance Flynn wouldn’t be in this situation in the first place. Sure, he would still have the Turkish government lobbying conflicts of interest even if these ‘Russian hackers’ didn’t frame themselves as Russian hackers, but as is abundantly clear at this point, if it’s not a Russian-related foreign conflict of interest — like a conflict of interest that could potentially motivate a foreign government (or international far-right network) to hack the DNC and make it look like the Russians did it — nobody really cares. At least not enough to investigate it. Or even consider the possibility.

    Posted by Pterrafractyl | March 31, 2017, 3:22 pm
  11. One of the questions that’s been looming over Wikileaks ever since the organization chose Donald Trump’s side in the 2016 US elections and played a key spoiler role by strategically dribbling out new anti-Hillary leaks for the final months of the campaign was the question of whether or not Wikileaks had a bunch of dirt on Trump that it was strategically not leaking. Well, if they do have such information on Trump, they’re probably at least a little tempted to dump it now:

    CNN

    Sources: US prepares charges to seek arrest of WikiLeaks’ Julian Assange

    By Evan Perez, Pamela Brown, Shimon Prokupecz and Eric Bradner
    Updated 0230 GMT (1030 HKT) April 21, 2017

    Washington (CNN) US authorities have prepared charges to seek the arrest of WikiLeaks founder Julian Assange, US officials familiar with the matter tell CNN.

    The Justice Department investigation of Assange and WikiLeaks dates to at least 2010, when the site first gained wide attention for posting thousands of files stolen by the former US Army intelligence analyst now known as Chelsea Manning.

    Prosecutors have struggled with whether the First Amendment precluded the prosecution of Assange, but now believe they have found a way to move forward.

    During President Barack Obama’s administration, Attorney General Eric Holder and officials at the Justice Department determined it would be difficult to bring charges against Assange because WikiLeaks wasn’t alone in publishing documents stolen by Manning. Several newspapers, including The New York Times, did as well. The investigation continued, but any possible charges were put on hold, according to US officials involved in the process then.

    Going after Assange

    The US view of WikiLeaks and Assange began to change after investigators found what they believe was proof that WikiLeaks played an active role in helping Edward Snowden, a former NSA analyst, disclose a massive cache of classified documents.

    Assange remains holed up in the Ecuadorian embassy in London, seeking to avoid an arrest warrant on rape allegations in Sweden. In recent months, US officials had focused on the possibility that a new government in Ecuador would expel Assange and he could be arrested. But the left-leaning presidential candidate who won the recent election in the South American nation has promised to continue to harbor Assange.

    Last week in a speech at the Center for Strategic and International Studies in Washington, CIA Director Mike Pompeo went further than any US government official in describing a role by WikiLeaks that went beyond First Amendment activity.

    He said WikiLeaks “directed Chelsea Manning to intercept specific secret information, and it overwhelmingly focuses on the United States.”

    “It’s time to call out WikiLeaks for what it really is: A non-state hostile intelligence service often abetted by state actors like Russia,” Pompeo said.

    US intelligence agencies have also determined that Russian intelligence used WikiLeaks to publish emails aimed at undermining the campaign of Hillary Clinton, as part of a broader operation to meddle in the US 2016 presidential election. Hackers working for Russian intelligence agencies stole thousands of emails from the Democratic National Committee and officials in the Clinton campaign and used intermediaries to pass along the documents to WikiLeaks, according to a public assessment by US intelligence agencies.

    Still, the move could be viewed as political, since Assange is untouchable as long as he remains in the Ecuadorian embassy, and Ecuador has not changed its stance on Assange’s extradition.

    Stepping up efforts
    Attorney General Jeff Sessions said at a news conference Thursday that Assange’s arrest is a “priority.”

    “We are going to step up our effort and already are stepping up our efforts on all leaks,” he said. “This is a matter that’s gone beyond anything I’m aware of. We have professionals that have been in the security business of the United States for many years that are shocked by the number of leaks and some of them are quite serious. So yes, it is a priority. We’ve already begun to step up our efforts and whenever a case can be made, we will seek to put some people in jail.”

    “We’ve had no communication with the Department of Justice and they have not indicated to me that they have brought any charges against Mr. Assange,” said Assange’s lawyer, Barry Pollack. “They’ve been unwilling to have any discussion at all, despite our repeated requests, that they let us know what Mr. Assange’s status is in any pending investigations. There’s no reason why WikiLeaks should be treated differently from any other publisher.”

    Pollack said WikiLeaks is just like the Washington Post and the New York Times, which routinely publish stories based on classified information. WikiLeaks, he says, publishes information that is in “the public’s interest to know not just about the United States but other governments around the world.”

    Freedom of speech?
    Assange has also compared WikiLeaks to a news media organization that uses documents provided by whistleblowers to expose the actions of governments and powerful corporations.

    “Quite simply, our motive is identical to that claimed by the New York Times and The Post — to publish newsworthy content,” Assange wrote in a recent op-ed in The Washington Post. “Consistent with the U.S. Constitution, we publish material that we can confirm to be true irrespective of whether sources came by that truth legally or have the right to release it to the media. And we strive to mitigate legitimate concerns, for example by using redaction to protect the identities of at-risk intelligence agents.”

    In his speech last week, Pompeo rejected that characterization and said Assange should not be afforded constitutional free speech protections.

    “Julian Assange has no First Amendment freedoms. He’s sitting in an Embassy in London. He’s not a US citizen,” Pompeo said.

    ...

    But Ben Wizner, director of the American Civil Liberties Union’s Speech, Privacy and Technology Project, argued that US prosecution of Assange sets a dangerous precedent.

    “Never in the history of this country has a publisher been prosecuted for presenting truthful information to the public,” Wizner told CNN. “Any prosecution of WikiLeaks for publishing government secrets would set a dangerous precedent that the Trump administration would surely use to target other news organizations.”

    ““It’s time to call out WikiLeaks for what it really is: A non-state hostile intelligence service often abetted by state actors like Russia,” Pompeo said.”

    Well, while Wikileaks probably isn’t thrilled by this announcement, they’re probably pretty pleased about how CIA director Mike Pompeo is making no effort to highlight Wikileaks’ extensive connections to neo-Nazis and the far-right. The far-right is probably pretty pleased by that too, as they must be in general with the current characterization in the West of Russia as the main sponsor/backer for all things far-right. It’s a great narrative! For the far-right.

    So is Wikileaks going to retaliate with some sort of embarrassing data dump? Could it all be theatrics? We’ll see. And don’t forget that if the prosecution of Assange really does establish a legal precedent that could be used to silence other publishers of leaked documents, as groups like the ACLU are claiming, that could also be a big incentive for the leak-prone Trump administration to pursue this case. Chilling the press would be a huge incentive for Team Trump. It’s a reminder that this case could have implications that go far beyond Wikileaks, so learning more about what exactly they’re going to charge Assange with is going to be something to watch.

    But note one of the other big complications with this declared desire to arrest Assange: Ecuador’s new government has no interest in letting that happen:

    ...
    Still, the move could be viewed as political, since Assange is untouchable as long as he remains in the Ecuadorian embassy, and Ecuador has not changed its stance on Assange’s extradition.
    ...

    And that’s part of what makes the timing of this announcement so interesting. It comes just after Ecuador’s closely contested election held a recount that the right-wing candidate, who said he would kick Assange out of Ecuador’s embassy, continues to contest as unfair:

    BBC

    Ecuador recount confirms Lenín Moreno won presidential poll

    19 April 2017

    Following a recount of almost 1.3 million votes in Ecuador, the electoral council has confirmed left-wing candidate Lenín Moreno as the winner of the presidential poll held on 2 April.

    The recount slightly boosted Mr Moreno’s margin over his conservative rival, Guillermo Lasso.

    Mr Lasso had demanded a full recount citing allegations of fraud but the national electoral council only agreed to a recount of 10% of the votes.

    Mr Moreno will be sworn in on 24 May.

    Increased lead

    The National Electoral Council said that following the recount Lenín Moreno had increased his lead over Mr Lasso by 0.01 percentage points.

    Mr Moreno won with 51.16% against Mr Lasso’s 48.84%, National Electoral Council President Juan Pablo Pozo said.

    Mr Lasso dismissed the partial recount as a “show” and a “manoeuvre” by the governing party of Mr Moreno “to legitimise a process which has been less than transparent”.

    But monitors from the Organization of American States said they considered “a recount of this magnitude and under these norms to be an exercise in transparency”.

    Mr Lasso said he would give a news conference on Wednesday to announce how he will proceed next.

    Mr Moreno will take over from President Rafael Correa, who has been in power since 2007.

    He is expected to continue many of his predecessor’s policies, including allowing Wikileaks founder Julian Assange to remain at the Ecuadorean embassy in London.

    Mr Lasso had said that if he was elected he would kick out Mr Assange, who has been living at the Ecuadorean embassy since 2012 to avoid extradition to Sweden.

    ...

    “Mr Lasso had demanded a full recount citing allegations of fraud but the national electoral council only agreed to a recount of 10% of the votes.”

    And these allegations by Ecuador’s right-wing followed similar allegations of vote rigging after the first vote. So it’s going to be very interesting to see what the US’s stance is toward Ecuador if Lasso continues to contest the recount outcome. The fact that the Organization of American States validated the recount suggests we won’t be seeing some sort of covert regime-change policy. But let’s not forget about one of the more disturbing potential Trump administration appointments that almost happened: Elliott Abrams was about to be named deputy secretary of State, and only lost the post after Trump learned Abrams trashed him during the campaign. So while Abrams didn’t get the job, he almost got the job. Either way, it doesn’t bode well for the US’s regime change policies towards Central and South American left-wing governments:

    New York Magazine
    Daily Intelligencer

    Trump Nixes Plan to Appoint a War Criminal to the State Department

    By Eric Levitz

    February 10, 2017 2:25 pm

    Until Friday, Elliott Abrams was expected to be named the Trump administration’s deputy secretary of State — a powerful position, particularly in a department headed by a former oil executive with no diplomatic experience.

    Abrams’s apparent selection was not treated as a scandal. But in a less degenerate republic, it would have been: The last time Abrams worked at the State Department, he helped the Reagan White House covertly sell weapons to Iran — in defiance of an embargo — so as to fund reactionary rebels in Nicaragua, in defiance of a federal law that Congress had passed 411 to 0.

    After his crime against the rule of law was exposed, Abrams lied to Congress about what he had done. He eventually pled guilty for that last offense, but was promptly pardoned by our first President Bush.

    When Abrams wasn’t undermining democratic rule at home, he promoted genocide abroad. As the Nation’s Eric Alterman writes:

    As assistant secretary of state for human rights, Abrams sought to ensure that General Efraín Ríos Montt, Guatemala’s then-dictator, could carry out “acts of genocide”—those are the legally binding words of Guatemala’s United Nations–backed Commission for Historical Clarification—against the indigenous people in the Ixil region of the department of Quiché, without any pesky interference from human-rights organizations, much less the US government.

    As the mass killings were taking place, Abrams fought in Congress for military aid to Ríos Montt’s bloody regime. He credited the murderous dictator with having “brought considerable progress” on human-rights issues … When The New York Times published an op-ed challenging the official State Department count of the mass murders under way—by a woman who had witnessed a death-squad-style assassination in broad daylight in Guatemala City without ever seeing it mentioned in the press—Abrams lied outright in a letter to the editor, even citing an imaginary story in a nonexistent newspaper to insist that the man’s murder had, in fact, been reported.

    Nevertheless, Abrams persisted. A decade after George H.W. Bush pardoned his crime against Congress, Abrams was plotting coups against democratically elected South American governments — as an adviser to George W.

    Later, Abrams oversaw the National Security Council directorate responsible for promoting Democracy, Human Rights — which is a bit like having Hannibal Lecter oversee the directorate of Homicide Reduction and Veganism.

    During his campaign, Trump pledged not to surround himself “with those who have perfect résumés but very little to brag about except responsibility for a long history of failed policies and continued losses at war.”

    “We have to look to new people because many of the old people frankly don’t know what they’re doing,” the GOP nominee continued, “even though they may look awfully good writing in the New York Times or being watched on television.”

    This is a (generous) description of Elliott Abrams. But the president did not hold that against him.

    Rex Tillerson and Jared Kushner both lobbied the president on Abrams’s behalf. And, after a meeting with the war criminal, Trump was prepared to make the neoconservative his number-two diplomat.

    And then, Trump came upon a column Abrams had written in May 2016, titled “When You Can’t Stand Your Candidate.”

    “The party has nominated someone who cannot win and should not be president of the United States,” Abrams wrote. “Do not allow the Republican convention to be a coronation wherein Trump and Trumpism are unchallenged … The party needs to be reminded that there are deep divisions, and Trump needs to be reminded of how many in the party oppose and even fear his nomination.”

    Now, Trump has personally vetoed Abrams’s appointment, according to sources who spoke with CNN.

    ...

    “Nevertheless, Abrams persisted. A decade after George H.W. Bush pardoned his crime against Congress, Abrams was plotting coups against democratically elected South American governments — as an adviser to George W.”

    Yep, we almost had a former South American coup-plotter as the new deputy Secretary of State. Almost. But then Trump found out Abrams dissed him. That was the deal-breaker. But the coup-plotting was fine.

    So that’s all something to keep in mind with the announcement by Mike Pompeo that they’re going to seek Assange’s arrest: making left-wing South and Central American governments was a specialty of the guy Trump almost made the deputy secretary of State, and Assange’s arrest is only going to happen if Ecuador’s newly elected left-wing government is suddenly gone.

    Well, ok, there are other options for getting Assange.

    Posted by Pterrafractyl | April 21, 2017, 3:23 pm
  12. Wow, those Russian government hackers really need an OPSEC refresher course. So it turns out that the hacked documents in the ‘Macron hack’ not only contained Cyrillic text in the metadata, but also contained the name of the last person to modify the documents. And that name, “Roshka Georgiy Petrovich”, is an employee at Evrika, a large IT company that does work for the Russian government, including the FSB. Also found in the metadata is the email of the person who uploaded the files to “archive.org”, and that email address, frankmacher1@gmx.de, is registered with a German free webmail provider used previously in 2016 phishing attacks against the CDU in Germany that have been attributed to APT28. So it would appear that the ‘Russian hackers’ not only left clues suggesting it was Russian hackers behind the hack, but they decided to name names this time. Their own names. And even Wikileaks concluded that it was the result of Russian hackers:

    Ars Technica

    Evidence suggests Russia behind hack of French president-elect
    Russian security firms’ metadata found in files, according to WikiLeaks and others.

    Sean Gallagher — 5/8/2017, 1:18 PM

    Late on May 5 as the two final candidates for the French presidency were about to enter a press blackout in advance of the May 7 election, nine gigabytes of data allegedly from the campaign of Emmanuel Macron were posted on the Internet in torrents and archives. The files, which were initially distributed via links posted on 4Chan and then by WikiLeaks, had forensic metadata suggesting that Russians were behind the breach—and that a Russian government contract employee may have falsified some of the dumped documents.

    Even WikiLeaks, which initially publicized the breach and defended its integrity on the organization’s Twitter account, has since acknowledged that some of the metadata pointed directly to a Russian company with ties to the government:

    #MacronLeaks: name of employee for Russian govt security contractor Evrika appears 9 times in metadata for “xls_cendric.rar” leak archive pic.twitter.com/jyhlmldlbL— WikiLeaks (@wikileaks) May 6, 2017

    Evrika (“Eureka”) ZAO is a large information technology company in St. Petersburg that does some work for the Russian government, and the group includes the Federal Security Service of the Russian Federation (FSB) among its acknowledged customers (as noted in this job listing). The company is a systems integrator, and it builds its own computer equipment and provides “integrated information security systems.” The metadata in some Microsoft Office files shows the last person to have edited the files to be “Roshka Georgiy Petrovich,” a current or former Evrika ZAO employee.

    According to a Trend Micro report on April 25, the Macron campaign was targeted by the Pawn Storm threat group (also known as “Fancy Bear” or APT28) in a March 15 “phishing” campaign using the domain onedrive-en-marche.fr. The domain was registered by a “Johny Pinch” using a Mail.com webmail address. The same threat group’s infrastructure and malware was found to be used in the breach of the Democratic National Committee in 2016, in the phishing attack targeting members of the presidential campaign of former Secretary of State Hillary Clinton, and in a number of other campaigns against political targets in the US and Germany over the past year.

    The metadata attached to the upload of the Macron files also includes some identifying data with an e‑mail address for the person uploading the content to archive.org:

    Well this is fun pic.twitter.com/oXsH83snCS— Pwn All The Things (@pwnallthethings) May 6, 2017

    The e‑mail address of the uploader, frankmacher1@gmx.de, is registered with a German free webmail provider used previously in 2016 Pawn Storm / APT28 phishing attacks against the Christian Democratic Union, German Chancellor Angela Merkel’s political party.

    The involvement of APT28, the editing of some documents leaked by someone using a Russian version of Microsoft Office, and the attempt to spread the data through amplification in social media channels such as 4Chan, Twitter, and Facebook—where a number of new accounts posted links to the data—are all characteristics of the information operations seen during the 2016 US presidential campaign.

    ...

    “The involvement of APT28, the editing of some documents leaked by someone using a Russian version of Microsoft Office, and the attempt to spread the data through amplification in social media channels such as 4Chan, Twitter, and Facebook—where a number of new accounts posted links to the data—are all characteristics of the information operations seen during the 2016 US presidential campaign.”

    Yes, indeed, leaving seemingly self-incriminating data in the metadata is pretty characteristic of the hacking of the 2016 presidential campaign. Characteristic of the inexplicable operational security oversights by allegedly professional Russian government hackers...whose operational security appears to be getting worse with each hack. This time they uploaded modified faked documents that could easily be determined to have been modified by “Roshka Georgiy Petrovich”. Bravo! What a sneaky hack by those professional Russian government hackers.

    And in related news, a group of cybersecurity researchers studying the Macron hack has concluded that the modified documents were modified by someone associated with The Daily Stormer neo-Nazi website and Andrew “the weev” Auernheimer:

    The New York Times

    U.S. Hacker Linked to Fake Macron Documents, Says Cybersecurity Firm
    Ties between an American’s neo-Nazi website and an internet campaign to smear Macron before French election are found

    By David Gauthier-Villars
    May 16, 2017 6:05 a.m. ET

    A group of cybersecurity experts has unearthed ties between an American hacker who maintains a neo-Nazi website and an internet campaign to smear Emmanuel Macron days before he was elected president of France.

    Shortly after an anonymous user of the 4chan.org discussion forum posted fake documents purporting to show Mr. Macron had set up an undisclosed shell company in the Caribbean, the user directed people to visit nouveaumartel.com for updates on the French election.

    That website, according to research by web-security provider Virtualroad.org, is registered by “Weevlos,” a known online alias of Andrew Auernheimer, an American hacker who gained notoriety three years ago when a U.S. appeals court vacated his conviction for computer fraud. The site also is hosted by a server in Latvia that hosts the Daily Stormer, a neo-Nazi news site that identifies its administrator as “Weev,” another online alias of Mr. Auernheimer, Virtualroad.org says.

    “We strongly believe that the fake offshore documents were created by someone with control of the Daily Stormer server,” said Tord Lundström, a computer forensics investigator at Virtualroad.org.

    Through Tor Ekeland, the lawyer who represented him in the computer-fraud case in the U.S., Mr. Auernheimer said he “doesn’t have anything to say.”

    A French security official said a probe into the fake documents was looking into the role of far-right and neo-Nazi groups but declined to comment on the alleged role of Mr. Auernheimer.

    In the run-up to the French election, cybersecurity agencies warned Mr. Macron’s aides that Russian hackers were targeting his presidential campaign, according to people familiar with the matter. On May 5, nine gigabytes of campaign documents and emails were dumped on the internet. The Macron campaign and French authorities have stopped short of pinning blame for the hack on the Kremlin.

    Intelligence and cybersecurity investigators examining the flurry of social-media activity leading up to the hack followed a trail of computer code they say leads back to the American far-right.

    Contacted by email over the weekend, the publisher of the Daily Stormer, Andrew Anglin, said he and Mr. Auernheimer had used their news site to write about the fake documents because “We follow 4chan closely and have a more modern editorial process than most sites.”

    When asked if he or Mr. Auernheimer were behind the fake documents, Mr. Anglin stopped replying.

    Mr. Auernheimer was sentenced to 41 months in prison by a U.S. court in late 2012 for obtaining the personal data of thousands of iPad users through an AT&T website. In April 2014, an appeals court vacated his conviction on the grounds that the venue of the trial, in New Jersey, was improper.

    Asked if Mr. Auernheimer resided in Ukraine, as a January post on a personal blog indicates, his lawyer said: “I think this is about right.”

    The day after the data dump, French security officials summoned their U.S. counterparts stationed in Paris to formally request a probe of the role American far-right websites might have played in disseminating the stolen data, according to a Western security official. A U.S. security official had no comment.

    Mounir Mahjoubi, who was in charge of computer security for Mr. Macron’s campaign, said far-right groups, or “an international collective of conservatives,” may have coordinated to disrupt the French election.

    “We will take time to do analysis, to deconstruct who really runs these groups,” Mr. Mahjoubi told French radio last week. He couldn’t be reached for comment.

    French prosecutors have launched formal probes into both the fake documents and the data dump.

    ...

    The phony documents intended to smear Mr. Macron were posted to 4chan.org twice by an anonymous user, first on May 3 and again on May 5 using higher-resolution files.

    Soon after the sec­ond post, sev­er­al 4chan.org users in the same online con­ver­sa­tion below the post appeared to con­grat­u­late Mr. Auern­heimer.

    “Weev… you’re doing the lord’s work,” wrote one of the anony­mous users.

    ““We strong­ly believe that the fake off­shore doc­u­ments were cre­at­ed by some­one with con­trol of the Dai­ly Stormer serv­er,” said Tord Lund­ström, a com­put­er foren­sics inves­ti­ga­tor at Virtualroad.org.”

    And who is in control of the Daily Stormer? Well, its public face and publisher is Andrew Anglin. But look who the site is registered to: Andrew Auernheimer, who apparently resided in Ukraine as of the start of this year:

    ...
    That website, according to research by web-security provider Virtualroad.org, is registered by “Weevlos,” a known online alias of Andrew Auernheimer, an American hacker who gained notoriety three years ago when a U.S. appeals court vacated his conviction for computer fraud. The site also is hosted by a server in Latvia that hosts the Daily Stormer, a neo-Nazi news site that identifies its administrator as “Weev,” another online alias of Mr. Auernheimer, Virtualroad.org says.

    ...

    When asked if he or Mr. Auern­heimer were behind the fake doc­u­ments, Mr. Anglin stopped reply­ing.

    ...

    Asked if Mr. Auern­heimer resided in Ukraine, as a Jan­u­ary post on a per­son­al blog indi­cates, his lawyer said: “I think this is about right.”
    ...

    That’s the analy­sis from the web-secu­ri­ty firm Virtualroad.org. Some­one asso­ci­at­ed with the Dai­ly Stormer mod­i­fied those faked doc­u­ments. Like, per­haps a high­ly skilled neo-Nazi hack­er like “the weev”.

    So based on an analy­sis of how the doc­u­ment dump unfold­ed it’s look­ing like the inex­plic­a­bly self-incrim­i­nat­ing ‘Russ­ian hack­ers’ may have been a bunch of Amer­i­can neo-Nazis. Imag­ine that.

    Posted by Pterrafractyl | May 16, 2017, 7:17 pm
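    The Virtualroad finding quoted above (a site pointed to from the forum post that shares a registrant alias with one site and a hosting server with another) is an instance of infrastructure-overlap analysis: investigators pivot from one domain to others through shared registration and hosting attributes and keep a record of each link so the chain can be checked. As an added illustration, not part of the original comment and not Virtualroad's own tooling, here is a small Python script that performs that pivoting over constructed placeholder records. Every domain, alias and IP address in it is made up; the `shared_hosts` filter is an assumption about how an analyst avoids pivoting through a server that hosts many unrelated customers.

```python
"""Infrastructure-overlap pivoting over constructed WHOIS/hosting records.

Added example; all data below is constructed placeholder data (RFC 5737
documentation address ranges, .example domains, made-up aliases).
"""
from collections import defaultdict, deque

# Constructed records: domain -> (registrant alias, hosting IP).
RECORDS = {
    "update-site.example":    ("alias-one",   "192.0.2.10"),    # linked from the forum post
    "news-site.example":      ("alias-two",   "192.0.2.10"),    # same server as update-site
    "mirror-site.example":    ("alias-one",   "203.0.113.42"),  # same registrant alias as update-site
    "admin-blog.example":     ("alias-two",   "203.0.113.42"),
    "unrelated-shop.example": ("alias-three", "198.51.100.7"),  # overlaps with nothing
}


def build_pivots(records):
    """Index domains by each pivot attribute so lookups are O(1)."""
    by_registrant, by_host = defaultdict(set), defaultdict(set)
    for domain, (registrant, ip) in records.items():
        by_registrant[registrant].add(domain)
        by_host[ip].add(domain)
    return by_registrant, by_host


def linked_domains(records, start, shared_hosts=frozenset()):
    """Breadth-first walk from `start` over shared registrant / shared host links.

    `shared_hosts` (assumption: an analyst-maintained list of IPs known to be
    shared hosting or CDN nodes) suppresses host pivots, because a shared
    server links unrelated customers and is weak evidence on its own.
    Returns {domain: (via, value, previous_domain)}; the start maps to None.
    """
    by_registrant, by_host = build_pivots(records)
    reached = {start: None}
    queue = deque([start])
    while queue:
        domain = queue.popleft()
        registrant, ip = records[domain]
        pivots = [("registrant", registrant, by_registrant[registrant])]
        if ip not in shared_hosts:
            pivots.append(("host", ip, by_host[ip]))
        for via, value, neighbours in pivots:
            for other in sorted(neighbours):  # sorted for deterministic paths
                if other not in reached:
                    reached[other] = (via, value, domain)
                    queue.append(other)
    return reached


def explain_link(records, start, target, shared_hosts=frozenset()):
    """Return the chain of pivots from start to target, or None if unlinked."""
    reached = linked_domains(records, start, shared_hosts)
    if target not in reached:
        return None
    chain, current = [], target
    while reached[current] is not None:
        via, value, previous = reached[current]
        chain.append(f"{previous} -[shared {via} {value}]-> {current}")
        current = previous
    chain.reverse()
    return chain


def clusters(records, shared_hosts=frozenset()):
    """Partition all domains into connected infrastructure clusters."""
    remaining, result = set(records), []
    while remaining:
        component = set(linked_domains(records, min(remaining), shared_hosts))
        result.append(frozenset(component))
        remaining -= component
    return sorted(result, key=min)


if __name__ == "__main__":
    for step in explain_link(RECORDS, "update-site.example", "news-site.example"):
        print(step)
    print("treating 192.0.2.10 as shared hosting:")
    for step in explain_link(RECORDS, "update-site.example", "news-site.example",
                             shared_hosts={"192.0.2.10"}):
        print(step)
    for group in clusters(RECORDS):
        print(sorted(group))
```

    The point of recording the path rather than just the cluster is that each link can be checked against its source record, and that the strength of the conclusion depends on the weakest link: a single shared-server hop is easy to explain away, while the same two sites still being connected after that hop is discounted, through registrant aliases and a second server, is a much harder coincidence to dismiss.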
  13. With the appointment of former FBI chief Robert Mueller as special counsel in an investigation into the Trump team’s possible collusion with the Russian government moving ahead alongside both the House and Senate investigations, coupled with one instance after another of behavior by the Trump administration, or Trump himself, that looks an awful lot like obstruction of justice intended to thwart these investigations, it’s pretty clear that the eventual outcome of these investigations is seen by all political sides in the US as being ‘make or break’ in nature. If some sort of collusion is firmly established, so firmly that the public starts turning decisively and overwhelmingly against Trump, that’s most likely the end of the Trump administration...and possibly the subsequent Pence administration. But if nothing is conclusively established and Trump declares victory, it’s entirely possible that not only will Trump be able to shrug off the Russian collusion charges but he will be able to deflect just about any other non-Russian charges his administration faces too.
    So given the incredibly high stakes involved with these investigations, here’s an article by cybersecurity expert Bruce Schneier from back in January that highlights one of the most important aspects of all this that the Democrats are going to have to keep in mind: Given the fact that cyberattacks are notoriously easy to spoof and attribution often comes down to educated guessing, coming to any sort of confident conclusion as to who carried out the hacking of the DNC and the subsequent hack of John Podesta probably requires the use of the kind of intelligence sources and methods that can’t be made public, which means intelligence agencies and the public are faced with a significant dilemma that isn’t going away. Should sources and methods be revealed that can help conclusively establish who conducted the hacks if, by revealing them, those sources and methods end up getting burned and/or killed? Or is simply saying “trust us” by the intelligence community going to be adequate proof? That’s the dilemma facing the current investigation and future investigations of this nature, so, at a minimum, it’s probably pretty important for people to recognize that the centerpiece of the Trump/Russian investigation — those notorious hacks — might end up being a contest between the Trump team and a bunch of spies all saying “trust us”:

    CNN

    Why prov­ing the source of a cyber­at­tack is so damn dif­fi­cult

    By Bruce Schneier

    Updat­ed 6:50 PM ET, Fri Jan­u­ary 6, 2017

    (CNN)President Barack Oba­ma’s pub­lic accu­sa­tion of Rus­sia as the source of the hacks in the US pres­i­den­tial elec­tion and the leak­ing of sen­si­tive emails through Wik­iLeaks and oth­er sources has opened up a debate on what con­sti­tutes suf­fi­cient evi­dence to attribute an attack in cyber­space. The answer is both com­pli­cat­ed and inher­ent­ly tied up in polit­i­cal con­sid­er­a­tions.

    The admin­is­tra­tion is bal­anc­ing polit­i­cal con­sid­er­a­tions and the inher­ent secre­cy of elec­tron­ic espi­onage with the need to jus­ti­fy its actions to the pub­lic. These issues will con­tin­ue to plague us as more inter­na­tion­al con­flict plays out in cyber­space.

    It’s true that it’s easy for an attack­er to hide who he is in cyber­space. We are unable to iden­ti­fy par­tic­u­lar pieces of hard­ware and soft­ware around the world pos­i­tive­ly. We can’t ver­i­fy the iden­ti­ty of some­one sit­ting in front of a key­board through com­put­er data alone. Inter­net data pack­ets don’t come with return address­es, and it’s easy for attack­ers to dis­guise their ori­gins. For decades, hack­ers have used tech­niques such as jump hosts, VPNs, Tor and open relays to obscure their ori­gin, and in many cas­es they work. I’m sure that many nation­al intel­li­gence agen­cies route their attacks through Chi­na, sim­ply because every­one knows lots of attacks come from Chi­na.

    On the oth­er hand, there are tech­niques that can iden­ti­fy attack­ers with vary­ing degrees of pre­ci­sion. It’s rarely just one thing, and you’ll often hear the term “con­stel­la­tion of evi­dence” to describe how a par­tic­u­lar attack­er is iden­ti­fied. It’s anal­o­gous to tra­di­tion­al detec­tive work. Inves­ti­ga­tors col­lect clues and piece them togeth­er with known mode of oper­a­tions. They look for ele­ments that resem­ble oth­er attacks and ele­ments that are anom­alies. The clues might involve ones and zeros, but the tech­niques go back to Sir Arthur Conan Doyle.

    The Uni­ver­si­ty of Toron­to-based orga­ni­za­tion Cit­i­zen Lab rou­tine­ly attrib­ut­es attacks against the com­put­ers of activists and dis­si­dents to par­tic­u­lar Third World gov­ern­ments. It took months to iden­ti­fy Chi­na as the source of the 2012 attacks against The New York Times. While it was uncon­tro­ver­sial to say that Rus­sia was the source of a cyber­at­tack against Esto­nia in 2007, no one knew if those attacks were autho­rized by the Russ­ian gov­ern­ment — until the attack­ers explained them­selves. And it was the Inter­net secu­ri­ty com­pa­ny Crowd­Strike, which first attrib­uted the attacks against the Demo­c­ra­t­ic Nation­al Com­mit­tee to Russ­ian intel­li­gence agen­cies in June, based on mul­ti­ple pieces of evi­dence gath­ered from its foren­sic inves­ti­ga­tion.

    Attri­bu­tion is eas­i­er if you are mon­i­tor­ing broad swaths of the Inter­net. This gives the Nation­al Secu­ri­ty Agency a sin­gu­lar advan­tage in the attri­bu­tion game. The prob­lem, of course, is that the NSA does­n’t want to pub­lish what it knows.

    Regard­less of what the gov­ern­ment knows and how it knows it, the deci­sion of whether to make attri­bu­tion evi­dence pub­lic is anoth­er mat­ter. When Sony was attacked, many secu­ri­ty experts — myself includ­ed — were skep­ti­cal of both the gov­ern­men­t’s attri­bu­tion claims and the flim­sy evi­dence asso­ci­at­ed with it. I only became con­vinced when The New York Times ran a sto­ry about the gov­ern­men­t’s attri­bu­tion, which talked about both secret evi­dence inside the NSA and human intel­li­gence assets inside North Korea. In con­trast, when the Office of Per­son­nel Man­age­ment was breached in 2015, the US gov­ern­ment decid­ed not to accuse Chi­na pub­licly, either because it did­n’t want to esca­late the polit­i­cal sit­u­a­tion or because it did­n’t want to reveal any secret evi­dence.

    ...

    It’s one thing for the gov­ern­ment to know who attacked it. It’s quite anoth­er for it to con­vince the pub­lic who attacked it. As attri­bu­tion increas­ing­ly relies on secret evi­dence — as it did with North Kore­a’s attack of Sony in 2014 and almost cer­tain­ly does regard­ing Rus­sia and the pre­vi­ous elec­tion — the gov­ern­ment is going to have to face the choice of mak­ing pre­vi­ous­ly secret evi­dence pub­lic and burn­ing sources and meth­ods, or keep­ing it secret and fac­ing per­fect­ly rea­son­able skep­ti­cism.

    If the gov­ern­ment is going to take pub­lic action against a cyber­at­tack, it needs to make its evi­dence pub­lic. But releas­ing secret evi­dence might get peo­ple killed, and it would make any future con­fi­den­tial­i­ty assur­ances we make to human sources com­plete­ly non-cred­i­ble. This prob­lem isn’t going away; secre­cy helps the intel­li­gence com­mu­ni­ty, but it wounds our democ­ra­cy.

    The con­stel­la­tion of evi­dence attribut­ing the attacks against the DNC, and sub­se­quent release of infor­ma­tion, is com­pre­hen­sive. It’s pos­si­ble that there was more than one attack. It’s pos­si­ble that some­one not asso­ci­at­ed with Rus­sia leaked the infor­ma­tion to Wik­iLeaks, although we have no idea where that some­one else would have obtained the infor­ma­tion. We know that the Russ­ian actors who hacked the DNC — both the FSB, Rus­si­a’s prin­ci­pal secu­ri­ty agency, and the GRU, Rus­si­a’s mil­i­tary intel­li­gence unit — are also attack­ing oth­er polit­i­cal net­works around the world.

    In the end, though, attri­bu­tion comes down to whom you believe. When Cit­i­zen Lab writes a report out­lin­ing how a Unit­ed Arab Emi­rates human rights defend­er was tar­get­ed with a cyber­at­tack, we have no trou­ble believ­ing that it was the UAE gov­ern­ment. When Google iden­ti­fies Chi­na as the source of attacks against Gmail users, we believe it just as eas­i­ly.

    Oba­ma decid­ed not to make the accu­sa­tion pub­lic before the elec­tion so as not to be seen as influ­enc­ing the elec­tion. Now, after­ward, there are polit­i­cal impli­ca­tions in accept­ing that Rus­sia hacked the DNC in an attempt to influ­ence the US pres­i­den­tial elec­tion. But no amount of evi­dence can con­vince the incon­vin­ci­ble.

    The most impor­tant thing we can do right now is deter any coun­try from try­ing this sort of thing in the future, and the polit­i­cal nature of the issue makes that hard­er. Right now, we’ve told the world that oth­ers can get away with manip­u­lat­ing our elec­tion process as long as they can keep their efforts secret until after one side wins. Oba­ma has promised both secret retal­i­a­tions and pub­lic ones. We need to hope they’re enough.

    ———-

    “Why proving the source of a cyberattack is so damn difficult” by Bruce Schneier; CNN; 01/06/2017

    “If the gov­ern­ment is going to take pub­lic action against a cyber­at­tack, it needs to make its evi­dence pub­lic. But releas­ing secret evi­dence might get peo­ple killed, and it would make any future con­fi­den­tial­i­ty assur­ances we make to human sources com­plete­ly non-cred­i­ble. This prob­lem isn’t going away; secre­cy helps the intel­li­gence com­mu­ni­ty, but it wounds our democ­ra­cy.”

    Yep, the investigation into the Democratic Party hacks isn’t just a mega-headache. It’s a meta-mega-headache. There are going to be a lot more situations like this where providing evidence for attribution isn’t going to be easy. Especially if doing so might get a source killed. And unless the Trump/Russia investigations come across some very conclusive evidence that can be revealed in public, “trust us” is probably going to be a major element of any final conclusion from these investigations. So with that word of caution in mind, it’s also going to be critical for the Democrats to keep in mind that the general sentiment that we often hear these days that “all 17 US intelligence agencies” signed on to the report concluding that Russia was behind the hacks isn’t actually true. Only four agencies were involved in the report:

    Con­sor­tium News

    New Cracks in Rus­sia-gate ‘Assess­ment’

    Exclu­sive: Pres­i­dent Obama’s ex-intel­li­gence chiefs admit they lim­it­ed input into the Rus­sia-gate “assess­ment,” which was han­dled by “hand-picked” ana­lysts, rais­ing the specter of politi­cized intel­li­gence, Robert Par­ry reports.

    By Robert Par­ry
    May 23, 2017

    At the cen­ter of the Rus­sia-gate scan­dal is a curi­ous U.S. intel­li­gence “assess­ment” that was pulled togeth­er in less than a month and exclud­ed many of the agen­cies that would nor­mal­ly weigh in on such an impor­tant top­ic as whether Rus­sia tried to influ­ence the out­come of a U.S. pres­i­den­tial elec­tion.

    The Jan. 6 report and its alle­ga­tion that Rus­sia “hacked” Demo­c­ra­t­ic emails and pub­li­cized them through Wik­iLeaks have been treat­ed as gospel by the main­stream U.S. media and many politi­cians of both par­ties, but two senior Oba­ma admin­is­tra­tion intel­li­gence offi­cials have pro­vid­ed new infor­ma­tion that rais­es fresh doubts about the find­ings.

    On Tues­day, for­mer CIA Direc­tor John Bren­nan told the House Intel­li­gence Com­mit­tee that only four of the 17 U.S. intel­li­gence agen­cies took part in the assess­ment, rely­ing on ana­lysts from the Cen­tral Intel­li­gence Agency, the Nation­al Secu­ri­ty Agency and the Fed­er­al Bureau of Inves­ti­ga­tion, under the over­sight of the Office of the Direc­tor of Nation­al Intel­li­gence.

    Bren­nan said the report “fol­lowed the gen­er­al mod­el of how you want to do some­thing like this with some notable excep­tions. It only involved the FBI, NSA and CIA as well as the Office of the Direc­tor of Nation­al Intel­li­gence. It wasn’t a full inter-agency com­mu­ni­ty assess­ment that was coor­di­nat­ed among the 17 agen­cies, and for good rea­son because of the nature and the sen­si­tiv­i­ty of the infor­ma­tion try­ing, once again, to keep that tight­ly com­part­ment­ed.”

    But Brennan’s excuse about “tight­ly com­part­ment­ed” infor­ma­tion was some­what disin­gen­u­ous because oth­er intel­li­gence agen­cies, such as the State Department’s Bureau of Intel­li­gence and Research (INR), could have been con­sult­ed in a lim­it­ed fash­ion, based on their areas of exper­tise. For instance, INR could have weighed in on whether Russ­ian Pres­i­dent Vladimir Putin would have tak­en the risk of try­ing to sab­o­tage Hillary Clinton’s cam­paign, know­ing that – if she won as expect­ed and learned of the oper­a­tion – she might have sought revenge against him and his coun­try.

    The Jan. 6 report argued one side of the case – that Putin had a motive for under­min­ing Clin­ton because he object­ed to her work as Sec­re­tary of State when she encour­aged anti-Putin protests inside Rus­sia – but the report ignored the counter-argu­ment that the usu­al­ly cau­tious Putin might well have feared infu­ri­at­ing the incom­ing U.S. Pres­i­dent if the anti-Clin­ton ploy failed to block her elec­tion.

    A bal­anced intel­li­gence assess­ment would have includ­ed not just argu­ments for believ­ing that the Rus­sians did sup­ply the Demo­c­ra­t­ic emails to Wik­iLeaks but the rea­sons to doubt that they did.

    Pre-Cooked Intel­li­gence

    How­ev­er, the restrict­ed nature of the Jan. 6 report – lim­it­ing it to ana­lysts from CIA, NSA and FBI – blocked the kind of exper­tise that the State Depart­ment, the Defense Depart­ment, the Depart­ment of Home­land Secu­ri­ty and oth­er agen­cies might have pro­vid­ed. In oth­er words, the Jan. 6 report has the look of pre-cooked intel­li­gence.

    That impres­sion was fur­ther strength­ened by the admis­sion of for­mer Direc­tor of Nation­al Intel­li­gence James Clap­per before a Sen­ate Judi­cia­ry sub­com­mit­tee on May 8 that “the two dozen or so ana­lysts for this task were hand-picked, sea­soned experts from each of the con­tribut­ing agen­cies.”

    Yet, as any intel­li­gence expert will tell you, if you “hand-pick” the ana­lysts, you are real­ly hand-pick­ing the con­clu­sion. For instance, if the ana­lysts were known to be hard-lin­ers on Rus­sia or sup­port­ers of Hillary Clin­ton, they could be expect­ed to deliv­er the one-sided report that they did.

    In the his­to­ry of U.S. intel­li­gence, we have seen how this approach has worked, such as the deter­mi­na­tion of the Rea­gan admin­is­tra­tion to pin the attempt­ed assas­si­na­tion of Pope John Paul II and oth­er acts of ter­ror on the Sovi­et Union.

    CIA Direc­tor William Casey and Deputy Direc­tor Robert Gates shep­herd­ed the desired find­ings through the process by putting the assess­ment under the con­trol of pli­able ana­lysts and sidelin­ing those who object­ed to this politi­ciza­tion of intel­li­gence.

    The point of enlist­ing the broad­er intel­li­gence com­mu­ni­ty – and incor­po­rat­ing dis­sents into a final report – is to guard against such “stove-pip­ing” of intel­li­gence that deliv­ers the polit­i­cal­ly desired result but ulti­mate­ly dis­torts real­i­ty.

    Anoth­er painful exam­ple of politi­cized intel­li­gence was Pres­i­dent George W. Bush’s 2002 Nation­al Intel­li­gence Esti­mate on Iraq’s WMD that removed INR’s and oth­er dis­sents from the declas­si­fied ver­sion that was giv­en to the pub­lic.

    Lack­ing Evi­dence

    The Jan. 6 report – tech­ni­cal­ly called an Intel­li­gence Com­mu­ni­ty Assess­ment (or ICA) – avoid­ed the need to remove any dis­sents by exclud­ing the intel­li­gence agen­cies that might have dis­sent­ed and by hand-pick­ing the ana­lysts who com­piled the report.

    How­ev­er, like the declas­si­fied ver­sion of the Iraq NIE, the Rus­sia-gate ICA lacked any sol­id evi­dence to sup­port the con­clu­sions. The ICA basi­cal­ly demand­ed that the Amer­i­can pub­lic “trust us” and got away with that bluff because much of the main­stream U.S. news media want­ed to believe any­thing neg­a­tive about then-Pres­i­dent-elect Trump.

    Because of that, the Amer­i­can peo­ple were repeat­ed­ly – and false­ly – informed that the find­ings about Russ­ian “hack­ing” reflect­ed the col­lec­tive judg­ment of all 17 U.S. intel­li­gence agen­cies, mak­ing any­one who dared ques­tion the con­clu­sion seem like a crack­pot or a “Russ­ian apol­o­gist.”

    Yet, based on the tes­ti­monies of Clap­per and Bren­nan, we now know that the ICA rep­re­sent­ed only a hand-picked selec­tion of the intel­li­gence com­mu­ni­ty – four, not 17, agen­cies.

    ...

    But the Jan. 6 report has served as the foun­da­tion for a series of inves­ti­ga­tions that have hob­bled the Trump admin­is­tra­tion and could lead to the nega­tion of a U.S. pres­i­den­tial elec­tion via the impeach­ment or forced res­ig­na­tion of Pres­i­dent Trump.

    The seri­ous­ness of that pos­si­bil­i­ty would seem to demand the most thor­ough exam­i­na­tion and the fullest vet­ting of the evi­dence. Even just the appear­ance that the ICA might be one more case of politi­cized intel­li­gence would do more to destroy Amer­i­cans’ faith in their demo­c­ra­t­ic sys­tem than any­thing that Putin might dream up.

    ———-

    “New Cracks in Rus­sia-gate ‘Assess­ment’” by Robert Par­ry; Con­sor­tium News; 05/23/2017

    “On Tues­day, for­mer CIA Direc­tor John Bren­nan told the House Intel­li­gence Com­mit­tee that only four of the 17 U.S. intel­li­gence agen­cies took part in the assess­ment, rely­ing on ana­lysts from the Cen­tral Intel­li­gence Agency, the Nation­al Secu­ri­ty Agency and the Fed­er­al Bureau of Inves­ti­ga­tion, under the over­sight of the Office of the Direc­tor of Nation­al Intel­li­gence.”

    The CIA, NSA, and FBI, working under the ODNI. That’s it. While there isn’t anything inherently wrong with an intelligence assessment from 4 out of 17 of the US’s intelligence agencies, it’s also not 17. And then there are the potential problems with an intelligence assessment conducted by hand-picked analysts. It’s just not a good look. So it’s going to be important that the Democrats don’t back themselves into a rhetorical corner and give the Trump team freebie counter-attacks by repeating the claim that all 17 intelligence agencies participated in that intelligence assessment, since any final report involving the hacks will probably rely on a “trust us” component in the place of evidence made available to the public.

    Of course, giv­en the abun­dance of evi­dence sug­gest­ing that the hacks weren’t actu­al­ly done by the Russ­ian gov­ern­ment, cou­pled with the abun­dance of obstruc­tion of jus­tice by Don­ald Trump into this inves­ti­ga­tion, it’s very pos­si­ble that Trump is hid­ing some­thing, even if it’s not the big Trump/Russian con­spir­a­cy. Some sort of inves­ti­ga­tion is clear­ly in order. Just not an inves­ti­ga­tion focused exclu­sive­ly on Rus­sia. Which rais­es a rather fas­ci­nat­ing ques­tion: If Trump was giv­en the offer of hav­ing all 17 intel­li­gence agen­cies reat­tempt that Jan­u­ary 6th intel­li­gence assess­ment but also change its focus to sim­ply ask­ing who did the hacks (not just, “did the Rus­sians do it?”) and whether or not any sort of for­eign col­lu­sion took place, includ­ing the inter­na­tion­al far-right and not just Russ­ian col­lu­sion, would he do it? If not, why not? Hope­ful­ly that ques­tion is asked at some point. Not that we should expect a coher­ent answer.

    Posted by Pterrafractyl | May 24, 2017, 11:34 pm
  14. Vladimir Putin added an unsurprising new defense to the charges that the Russian government ordered the 2016 DNC hacks during a recent interview: Maybe it was “patriotic Russians” that did it independently. This, of course, led to all sorts of commentary that Putin was basically admitting that Russian hackers were behind the hack without fully admitting it, which ignores the rest of what he said in the interview about the matter, like how the hacks also could have been orchestrated to look like they came from Russia.

    And while the “patriotic Russians” defense isn’t unreasonable (couldn’t the Trump team or anyone else hire some ‘patriotic’ Russian hackers?), it’s still a pretty risky defense for Putin to put forward since it basically preemptively justifies the hacking of Russian officials by “patriotic [insert country here]s,” much like how Trump’s cheerleading of the hacks preemptively justifies any future hacking of Trump. So if we do end up seeing some sort of high-profile counter-hacks against Putin or other Russian VIPs in the not-too-distant future, expect a ‘patriotic hacker’ to be behind it (who may or may not be 400 pounds and sitting in bed):

    The New York Times

    Maybe Pri­vate Russ­ian Hack­ers Med­dled in Elec­tion, Putin Says

    By ANDREW HIGGINS
    JUNE 1, 2017

    MOSCOW — Shift­ing from his pre­vi­ous blan­ket denials, Pres­i­dent Vladimir V. Putin of Rus­sia sug­gest­ed on Thurs­day that “patri­ot­i­cal­ly mind­ed” pri­vate Russ­ian hack­ers could have been involved in cyber­at­tacks last year that med­dled in the Unit­ed States pres­i­den­tial elec­tion.

    While Mr. Putin con­tin­ued to deny any state role in the hack­ing, his com­ments, made to reporters in St. Peters­burg, Rus­sia, depart­ed from the Kremlin’s pre­vi­ous posi­tion: that Rus­sia had played no role what­so­ev­er in the hack­ing of the Demo­c­ra­t­ic Nation­al Com­mit­tee and that, after Don­ald J. Trump’s vic­to­ry, the Unit­ed States had become the vic­tim of anti-Rus­sia hys­te­ria among crest­fall­en Democ­rats.

    Asked about suspicions that Russia might try to interfere in the coming elections in Germany, Mr. Putin raised the possibility of attacks on foreign votes by what he portrayed as free-spirited Russian patriots. Hackers, he said, “are like artists” who choose their targets depending on how they feel “when they wake up in the morning.” Any such attacks, he added, could not alter the result of elections in Europe, America or elsewhere.

    Artists, he said, paint if they wake up feel­ing in good spir­its while hack­ers respond if “they wake up and read that some­thing is going on in inter­state rela­tions” that prompts them to take action. “If they are patri­ot­i­cal­ly mind­ed, they start mak­ing their con­tri­bu­tions — which are right, from their point of view — to the fight against those who say bad things about Rus­sia,” Mr. Putin added, appar­ent­ly refer­ring to Hillary Clin­ton.

    The Krem­lin took a dim view of Mrs. Clin­ton, con­sid­er­ing her far less friend­ly toward Rus­sia than a Pres­i­dent Trump would be because of her blunt crit­i­cism of Mr. Putin and his poli­cies in Syr­ia and else­where.

    Mr. Putin’s remarks stopped far short of accept­ing the con­clu­sions of Amer­i­can intel­li­gence agen­cies that the Krem­lin was behind the elec­tion cam­paign cyber­at­tacks. But they opened room for ver­bal maneu­ver­ing by Moscow — and also by Mr. Trump — amid mul­ti­ple inves­ti­ga­tions in the Unit­ed States into Russ­ian med­dling, includ­ing one by the F.B.I. about the fir­ing of its direc­tor, James B. Comey.

    Per­haps wor­ried that, as the inves­ti­ga­tions make head­way, evi­dence will come to light that the Russ­ian state or at least Rus­sians were clear­ly involved in the hack­ing, Mr. Putin appeared to be set­ting up a pre-emp­tive line of defense, as the Krem­lin did when it became dif­fi­cult to sim­ply deny ini­tial­ly secret Russ­ian deploy­ments to Ukraine in 2014, and to Syr­ia in late 2015.

    Swamped by evi­dence of Russ­ian mil­i­tary involve­ment in Ukraine and then Syr­ia, the Krem­lin retreat­ed from cat­e­gor­i­cal denials to claims that Rus­sians fight­ing in east­ern Ukraine were Russ­ian “vaca­tion­ers” and that burly Rus­sians who appeared in Syr­ia were human­i­tar­i­an aid work­ers. It lat­er acknowl­edged that the sup­posed aid work­ers were Russ­ian sol­diers.

    The ques­tions of Russ­ian hack­ing, and inter­ac­tion between Russ­ian offi­cials and mem­bers of Mr. Trump’s inner cir­cle, includ­ing his son-in-law, Jared Kush­n­er, have been a huge thorn in the side of the new admin­is­tra­tion. The furor has led to the dis­missal of Michael T. Fly­nn as Mr. Trump’s nation­al secu­ri­ty advis­er, forced his attor­ney gen­er­al, Jeff Ses­sions, to recuse him­self from any Rus­sia-tied elec­tion inves­ti­ga­tion and ham­pered the admin­is­tra­tion in ful­fill­ing Mr. Trump’s agen­da to “make Amer­i­ca great again.”

    Mr. Putin’s com­ments on Thurs­day about Russ­ian hack­ing echoed those of Mr. Trump, who has dis­missed accu­sa­tions of Russ­ian med­dling in the elec­tion and said the per­son respon­si­ble for the attack on the Demo­c­ra­t­ic Nation­al Com­mit­tee “could be some­body sit­ting on their bed that weighs 400 pounds.”

    Mr. Putin stuck firm­ly to ear­li­er denials that Russ­ian state bod­ies or employ­ees had been involved, an accu­sa­tion lev­eled by Unit­ed States intel­li­gence agen­cies. They con­clud­ed in Jan­u­ary that Mr. Putin him­self had direct­ed a Russ­ian “influ­ence cam­paign” involv­ing cyber­at­tacks and dis­in­for­ma­tion intend­ed to tilt the Novem­ber elec­tion in Mr. Trump’s favor.

    “We’re not doing this on the state lev­el,” Mr. Putin said on Thurs­day.

    The bound­ary between state and pri­vate action, how­ev­er, is often blur­ry in Rus­sia, par­tic­u­lar­ly in mat­ters relat­ing to the pro­jec­tion of Russ­ian influ­ence abroad. This pro­vides a mea­sure of plau­si­ble deni­a­bil­i­ty for actions that the Krem­lin does not want to be linked to pub­licly.

    Nom­i­nal­ly pri­vate Russ­ian cit­i­zens have fought along­side Russ­ian-speak­ing rebels in east­ern Ukraine and tak­en part in var­i­ous cam­paigns to advance Moscow’s agen­da in East­ern and Cen­tral Europe.

    ...

    An expert at mud­dy­ing the waters and cre­at­ing con­fu­sion, Mr. Putin advanced a num­ber of alter­na­tive the­o­ries that could help Moscow address any firm evi­dence that might emerge as a trail lead­ing to Rus­sia.

    Stat­ing that mod­ern tech­nol­o­gy can eas­i­ly be manip­u­lat­ed to cre­ate a false trail, he said, “I can imag­ine that some­one is doing this pur­pose­ful­ly — build­ing the chain of attacks so that the ter­ri­to­ry of the Russ­ian Fed­er­a­tion appears to be the source of that attack.” He added, “Mod­ern tech­nolo­gies allow to do that kind of thing; it’s rather easy to do.”

    Mr. Putin appeared to be repeat­ing an argu­ment he first made ear­li­er in the week in an inter­view with the French news­pa­per Le Figaro.

    “I think that he was total­ly right when he said it could have been some­one sit­ting on their bed or some­body inten­tion­al­ly insert­ed a flash dri­ve with the name of a Russ­ian nation­al, or some­thing like that,” Mr. Putin told the French news­pa­per, refer­ring to Mr. Trump. “Any­thing is pos­si­ble in this vir­tu­al world. Rus­sia nev­er engages in activ­i­ties of this kind, and we do not need it. It makes no sense for us to do such things. What for?”

    ...

    ———-

    “Maybe Private Russian Hackers Meddled in Election, Putin Says” by ANDREW HIGGINS; The New York Times; 06/01/2017

    “Asked about suspicions that Russia might try to interfere in the coming elections in Germany, Mr. Putin raised the possibility of attacks on foreign votes by what he portrayed as free-spirited Russian patriots. Hackers, he said, “are like artists” who choose their targets depending how they feel “when they wake up in the morning.” Any such attacks, he added, could not alter the result of elections in Europe, America or elsewhere.”

    Could a free-spirited Russian patriot have been behind the hacks? We can’t rule it out. And if it was indeed a ‘Russian patriot’ they clearly needed the practice given the shocking number of mistakes these patriotic Russians made to implicate a Russian in the hack, something Putin hinted at when he pointed out the ability of hackers to obscure the origin of a hack:

    ...
    Mr. Putin’s comments on Thursday about Russian hacking echoed those of Mr. Trump, who has dismissed accusations of Russian meddling in the election and said the person responsible for the attack on the Democratic National Committee “could be somebody sitting on their bed that weighs 400 pounds.”

    ...

    An expert at muddying the waters and creating confusion, Mr. Putin advanced a number of alternative theories that could help Moscow address any firm evidence that might emerge as a trail leading to Russia.

    Stating that modern technology can easily be manipulated to create a false trail, he said, “I can imagine that someone is doing this purposefully — building the chain of attacks so that the territory of the Russian Federation appears to be the source of that attack.” He added, “Modern technologies allow to do that kind of thing; it’s rather easy to do.”
    ...

    But that part was largely left out of the media coverage and instead the entire thing was characterized as a sly admission of guilt.

    And if it was a sly admission of guilt, wow, was the timing ever amazing. Because on the same day we get the reports about an apparent Putin *wink wink* admission of Russian involvement in the hacks, we also get this report:

    Associated Press

    French Cyber Security Leader: No Trace of Russian Hacking Group in Emmanuel Macron Campaign Leaks

    Jun 01, 2017

    (ST. PETERSBURG, Russia) — The head of the French government’s cyber security agency, which investigated leaks from President Emmanuel Macron’s election campaign, says they found no trace of a notorious Russian hacking group behind the attack.

    In an interview in his office Thursday with The Associated Press, Guillaume Poupard said the Macron campaign hack “was so generic and simple that it could have been practically anyone.”

    He said they found no trace that the Russian hacking group known as APT28, blamed for other attacks including on the U.S. presidential campaign, was responsible.

    Poupard is director general of the government cyber-defense agency known in France by its acronym, ANSSI. Its experts were immediately dispatched when documents stolen from the Macron campaign leaked online on May 5 in the closing hours of the presidential race.

    Poupard says the attack’s simplicity “means that we can imagine that it was a person who did this alone. They could be in any country.”

    ———-

    “French Cyber Security Leader: No Trace of Russian Hacking Group in Emmanuel Macron Campaign Leaks”; Associated Press; 06/01/2017

    “The head of the French government’s cyber security agency, which investigated leaks from President Emmanuel Macron’s election campaign, says they found no trace of a notorious Russian hacking group behind the attack.”

    Yep, the big hack of Emmanuel Macron’s campaign team right before the French election had no trace of Russian government involvement. In particular, no trace of “APT28”, a.k.a. Fancy Bear:

    ...
    He said they found no trace that the Russian hacking group known as APT28, blamed for other attacks including on the U.S. presidential campaign, was responsible.
    ...

    That’s the word of the French government’s cyber security agency. Of course, this shouldn’t really be a surprise at this point given all the previously reported signs pointing towards this hack being the handiwork of the notorious neo-Nazi hacker Andrew “the weev” Auerheimer, or at least that Auerheimer was involved with modifying and distributing the hacked documents and inserting the name of a Russian FSB IT contractor in the document meta-data.

    Still, the fact that the French government is reporting no trace of Russian government involvement is pretty remarkable during this period of the high-profile political hacks where the hacked documents keep leaving little “fingerprints” of Russian involvement. Especially

    And yet it was widely reported soon after the attack to be the work of the Russian government due to an abundance of evidence. Technical evidence indicating it was the same group that conducted the DNC hacks. And it wasn’t just private security firms making this charge. The NSA made the same charge too:

    Wired

    The NSA Confirms It: Russia Hacked French Election ‘Infrastructure’

    Andy Greenberg
    05.09.17 12:36 pm

    Two days before France’s recent presidential election, hackers leaked nine gigabytes of emails from candidate Emmanuel Macron’s campaign onto the web. Since then, the Kremlin has once again emerged as the likeliest culprit. But while public evidence can’t definitively prove Russia’s involvement, NSA director Michael Rogers suggested to Congress today that America’s most powerful cybersecurity agency has pinned at least some electoral interference on Moscow.

    In a hearing of the Senate’s Armed Forces Committee, Rogers indicated that the NSA had warned French cybersecurity officials ahead of the country’s presidential runoff that Russian hackers had compromised some elements of the election. For skeptics, that statement may help tip the balance towards credibly blaming Russia for the attacks.

    “If you take a look at the French election … we had become aware of Russian activity,” Rogers said in response to questions from senator Kirsten Gillibrand about the allegations of Russia hacking the Macron campaign. “We had talked to our French counterparts prior to the public announcements of the events publicly attributed this past weekend and gave them a heads-up: ‘Look, we’re watching the Russians, we’re seeing them penetrate some of your infrastructure.’”

    It’s not clear what “infrastructure” means in this context, but it seems likely to refer to the very public email dump. On Friday, Macron’s En Marche political party issued a statement saying that it had “been the victim of a massive, coordinated act of hacking,” but didn’t name Russia or any other culprit behind that attack. Analysts already suspected Russia of at least attempting to breach Macron’s party: Security firm Trend Micro noted in a report late last month that the same Russian group that hacked the US Democratic National Committee and the Clinton campaign had also created a phishing domain intended to spoof a Microsoft storage website used by Macron. And the trove of Macron’s party emails published as torrent files Friday included metadata in Cyrillic, suggesting that they had been edited on a computer running software with Russian-language configurations. That metadata even included the name Roshka Georgiy Petrovich, reportedly an employee of the Russian intelligence contractor Eureka.

    But at the time of the Trend Micro report, the Macron campaign denied it had been breached. And for some cybersecurity analysts, the Russian metadata included in the leak was so blatant that it raised suspicions that someone—perhaps another country or hacker group—was intending to create a “fall guy” for the attack.

    Rogers’ testimony Tuesday, though vague, harbored no such doubts. Early in the hearing, John McCain noted that “we’ve seen another Russian attempt to affect the outcome of an election in France,” and asked Rogers, “Have you seen any reduction in Russian behavior?” Rogers answered flatly “No, I do not.” Later in the hearing, senator Elizabeth Warren stated plainly that Russian hackers had attempted to shift the French election by hacking and releasing one of the candidate’s party’s emails, just as they had in the 2016 US presidential election. Senator Tim Kaine described the last week’s events as a Russian cyberattack “aimed at destabilizing the democracy of an ally.” Rogers offered no correction to either legislator’s comments.

    Rogers’ statement could dispel doubt around Russia’s continued involvement in hacking operations aimed at influencing Western democracies. Trend Micro and the German government have both said, for instance, that Russian hackers have attempted to target the party of German chancellor Angela Merkel, and successfully stolen data from the German parliament. In the hearing Tuesday, Rogers said that the NSA has also had conversations with German officials and British officials about protecting their upcoming elections. “We’re all trying to figure how we can learn from each other,” Rogers said.

    Rogers emphasized that stopping Russian election interference will require a strategy of deterrence. “We need to make it very clear to nation-states that engage in this behavior that it’s unacceptable,” Rogers said, “and there’s a price to pay for doing this.”

    ...

    ———-

    “The NSA Confirms It: Russia Hacked French Election ‘Infrastructure’” by Andy Greenberg; Wired; 05/09/17

    ““If you take a look at the French election … we had become aware of Russian activity,” Rogers said in response to questions from senator Kirsten Gillibrand about the allegations of Russia hacking the Macron campaign. “We had talked to our French counterparts prior to the public announcements of the events publicly attributed this past weekend and gave them a heads-up: ‘Look, we’re watching the Russians, we’re seeing them penetrate some of your infrastructure.’””

    That was the analysis from the NSA. Despite, you know, the jaw-dropping apparent mistakes that these Russian government hackers were making and warnings from some analysts:

    ...
    It’s not clear what “infrastructure” means in this context, but it seems likely to refer to the very public email dump. On Friday, Macron’s En Marche political party issued a statement saying that it had “been the victim of a massive, coordinated act of hacking,” but didn’t name Russia or any other culprit behind that attack. Analysts already suspected Russia of at least attempting to breach Macron’s party: Security firm Trend Micro noted in a report late last month that the same Russian group that hacked the US Democratic National Committee and the Clinton campaign had also created a phishing domain intended to spoof a Microsoft storage website used by Macron. And the trove of Macron’s party emails published as torrent files Friday included metadata in Cyrillic, suggesting that they had been edited on a computer running software with Russian-language configurations. That metadata even included the name Roshka Georgiy Petrovich, reportedly an employee of the Russian intelligence contractor Eureka.

    But at the time of the Trend Micro report, the Macron campaign denied it had been breached. And for some cybersecurity analysts, the Russian metadata included in the leak was so blatant that it raised suspicions that someone—perhaps another country or hacker group—was intending to create a “fall guy” for the attack.
    ...

    And let’s not forget that if there’s one agency on the planet that should have the tools at its disposal to potentially track down the origin of a professional hack where the hackers are trying to obscure their identity, it’s the NSA. We’re basically forced to trust them on a lot of these kinds of things.

    So is there going to be any followup from the NSA, Trend Micro, or any other cybersecurity analysts to try to make sense of this rather dramatic disagreement with the French government? Probably not. We’ll see. But if there isn’t some sort of public clarification from the cybersecurity industry and governments about the growing difficulty in attributing the origin of hacks it’s only a matter of time before that difficult conversation takes place. Because thanks, in part, to the distribution of cutting-edge hacking tool kits like those leaked by the “ShadowBrokers”, it’s becoming increasingly difficult to distinguish between a sophisticated hacking operation conducted by a national intelligence service or just some random guy:

    Reuters

    Blame game for cyber attacks grows murkier as spying, crime tools mix

    By Eric Auchard | TALLINN, Estonia
    Wed May 31, 2017 | 12:03pm EDT

    Veteran espionage researcher Jon DiMaggio was hot on the trail three months ago of what on the face of it looked like a menacing new industrial espionage attack by Russian cyber spies.

    All the hallmarks were there: targeted phishing emails common to government espionage, an advanced Trojan horse for stealing data from inside organizations, covert communication channels for grabbing documents and clues in the programming code indicating its authors were Russian speakers.

    It took weeks before the lead cyber spying investigator at Symantec, a top U.S. computer security firm, figured out instead he was tracking a lone-wolf cyber criminal.

    DiMaggio won’t identify the name of the culprit, whom he has nicknamed Igor, saying the case is a run-of-the-mill example of increasing difficulties in separating national spy agency activity from cyber crime. The hacker comes from Transdniestria, a disputed, Russian-speaking region of Moldova, he said.

    “The malware in question, Trojan.Bachosens, was so advanced that Symantec analysts initially thought they were looking at the work of nation-state actors,” DiMaggio told Reuters in a phone interview on Wednesday. “Further investigation revealed a 2017 equivalent of the hobbyist hackers of the 1990s.”

    Reuters could not contact the alleged hacker.

    The example highlights the dangers of jumping to conclusions in the murky world of cyber attack and defense, as tools once only available to government intelligence services find their way into the computer criminal underground.

    Security experts refer to this as “the attribution problem”, using technical evidence to assign blame for cyber attacks in order to take appropriate legal and political responses.

    These questions echo through the debate over whether Russia used cyber attacks to influence last year’s U.S. presidential elections and whether Moscow may be attempting to disrupt national elections taking place in coming months across Europe.

    The topic is a big talking point for military officials and private security researchers at the International Conference on Cyber Conflict in Tallinn this week. It has been held each year since Estonia was swamped in 2007 by cyber attacks that took down government, financial and media websites amid a dispute with Russia. Attribution for those attacks remains disputed.

    THE SMOKING GUN

    “Attribution is almost never a clean, smoking-gun,” said Paul Vixie, creator of the first commercial anti-spam service, whose latest firm, Farsight Security, helps firms track down cyber attackers to identify and block them.

    Raising the stakes, a mystery group calling itself ShadowBrokers has taken credit for leaking cyber-spying tools that are now being turned to criminal use, including ones used in the recent WannaCry global ransomware attack, ratcheting up cyber security threats to a whole new level.

    In recent weeks, ShadowBrokers has threatened to sell more such tools, believed to have been stolen from the U.S. National Security Agency, to enable hacking into the world’s most used computers, software and phones. (reut.rs/2rmTZmm)

    “The bar for what’s considered advanced is lowered as time goes by,” said Sean Sullivan, a security researcher with Finnish cyber firm F‑Secure.

    ...

    “I think those days are over when we can say in black and white: We know this is an espionage group,” DiMaggio said.

    The Symantec researcher has not reported Igor to local authorities, calculating that exposing the methods of the attack will be enough to neutralize them.

    ———-

    “Blame game for cyber attacks grows murkier as spying, crime tools mix” by Eric Auchard; Reuters; 05/31/2017

    ““I think those days are over when we can say in black and white: We know this is an espionage group,” DiMaggio said”

    The age of easy attribution, if it ever existed, is over thanks not only to the growing availability of leaked intelligence service hacking tool kits but also just the growing sophistication of independently developed tools. And even for the NSA in some cases apparently... unless the NSA was just making stuff up. Either way, yikes. At least ‘yikes’ for most folks. ‘Patriotic’ hackers are probably ok with the situation. Non-patriotic hackers too.

    Posted by Pterrafractyl | June 2, 2017, 3:38 pm
  15. Were US voting machines hacked during the 2016 election? That’s the question raised by a new report based on a leaked classified NSA document stating that hackers (declared to be Russian government hackers in the document although no raw intelligence is provided) successfully executed a spear-phishing attack on an election systems company about a month before the November election. While not named, the document contains references to a product made by Florida-based VR Systems, an electronic voting services and equipment vendor with products used in eight states.

    And the leaker appears to already be caught due, in part, to the Intercept handing the leaked document back to the NSA which provided the clues necessary to determine its origin. And with the Trump administration already looking to make an example out of the leaker — a 25-year-old private contractor named Reality Winner who is reportedly not at all a fan of Donald Trump — we’ll see whether or not Winner’s eventual sentence sends a chill through the government or ends up provoking even more leaks. Given the scope of Winner’s leak — a single document that doesn’t reveal sources and methods or endanger lives in any way — it’s hard to say how a harsh conviction will be received by potential leakers.

    Either way, with Winner having already admitted to the act and facing 10 years in prison we probably shouldn’t expect many more leaks on this topic any time soon:

    The Guardian

    Russian agents hacked US voting system manufacturer before US election – report

    * Federal contractor arrested and charged with removing classified material
    * NSA report: cyber-attack on software supplier and phishing emails hit officials

    David Smith in Washington and Jon Swaine in New York
    Monday 5 June 2017 18.47 EDT

    Russian intelligence agents hacked a US voting systems manufacturer in the weeks leading up to last year’s presidential election, according to the Intercept, citing what it said was a highly classified National Security Agency (NSA) report.

    The revelation coincided with the arrest of Reality Leigh Winner, 25, a federal contractor from Augusta, Georgia, who was charged with removing classified material from a government facility and mailing it to a news outlet.

    The hacking of senior Democrats’ email accounts during the campaign has been well chronicled, but vote-counting was thought to have been unaffected, despite concerted Russian efforts to penetrate it.

    Russian military intelligence carried out a cyber-attack on at least one US voting software supplier and sent spear-phishing emails to more than a hundred local election officials days before the poll, the Intercept reported on Monday.

    The website, which specialises in national security issues, said the NSA document had been provided to it anonymously and independently authenticated. “The report, dated May 5, 2017, is the most detailed US government account of Russian interference in the election that has yet come to light,” it continued.

    On Monday afternoon, the justice department said Winner had been arrested by the FBI at her home on Saturday and appeared in federal court in Augusta on Monday. She is a contractor with Pluribus International Corporation, assigned to a US government agency facility in Georgia, it added. She has been employed at the facility since on or about 13 February and held a top-secret clearance during that time.

    Winner’s mother, Billie Winner-Davis, told the Guardian that her daughter was a former linguist in the US air force who spoke Farsi, Pashto and Dari.

    “I never thought this would be something she would do,” said Winner-Davis. “She’s expressed to me that she’s not a fan of Trump, but she’s not someone that goes and riots and pickets or stuff.”

    The NSA report makes clear that, despite recent denials by the Russian president, Vladimir Putin, the NSA is convinced that the Russian General Staff Main Intelligence Directorate (GRU) was responsible for interfering in the 2016 presidential election.

    The document reportedly states: “Russian General Staff Main Intelligence Directorate actors … executed cyber espionage operations against a named U.S. company in August 2016, evidently to obtain information on elections-related software and hardware solutions. … The actors likely used data obtained from that operation to … launch a voter registration-themed spear-phishing campaign targeting US local government organizations.”

    On Tuesday Putin’s spokesman Dmitry Peskov said the Kremlin did not see “any evidence to prove this information is true”, adding that Moscow categorically denied “the possibility” of the Russian government being responsible.

    The Intercept noted that, although the document does not directly identify the company in question, it contains references to a product made by VR Systems, a Florida-based vendor of electronic voting services and equipment whose products are used in eight states.

    The Intercept said the NSA requested a number of redactions in its publication of the document and that it agreed to some that were not clearly in the public interest.

    The intelligence assessment acknowledges that there is still a great deal of uncertainty over how successful the Russian operatives were and does not reach a conclusion about whether it affected the outcome of the election, in which Donald Trump’s victory over Hillary Clinton hinged on three closely contested states.

    But the suggestion that Russian hackers may have gained at least a foothold in electronic voting systems is likely to add even more pressure to special counsel and congressional investigations. The Obama administration maintained that it took preventive measures to successfully guard against breaches of the systems in all 50 states.

    The former FBI director James Comey is set to testify before the Senate intelligence committee on Thursday regarding Russian meddling in the election.

    The FBI is handling the investigation into Winner’s alleged breach of national security. In a deposition in support of Winner’s arrest warrant, the justice department said: “On or about May 9, Winner printed and improperly removed classified intelligence reporting, which contained classified national defense information from an intelligence community agency, and unlawfully retained it. Approximately a few days later, Winner unlawfully transmitted by mail the intelligence reporting to an online news outlet.”

    ...

    ———-

    “Russian agents hacked US voting system manufacturer before US election – report” by David Smith and Jon Swaine; The Guardian; 06/05/2017

    “Russian military intelligence carried out a cyber-attack on at least one US voting software supplier and sent spear-phishing emails to more than a hundred local election officials days before the poll, the Intercept reported on Monday.”

    So it does appear that someone was not only trying to hack US election system companies (which isn’t surprising) but actually succeeded in one instance (not particularly surprising, but still disturbing). It’s not hard to imagine why Winner thought this was worth the risk given the potentially explosive nature of this finding.

    At the same time, again, keep in mind that when the leaked document states “Russian military intelligence” was behind the spear-phishing attacks, there was no actual raw intelligence provided explaining why the NSA was confident this was Russian military intelligence:

    The Intercept

    Top-Secret NSA Report Details Russian Hacking Effort Days Before 2016 Election

    Matthew Cole, Richard Esposito, Sam Biddle, Ryan Grim

    June 5 2017, 2:44 p.m.

    Russian military intelligence executed a cyberattack on at least one U.S. voting software supplier and sent spear-phishing emails to more than 100 local election officials just days before last November’s presidential election, according to a highly classified intelligence report obtained by The Intercept.

    The top-secret National Security Agency document, which was provided anonymously to The Intercept and independently authenticated, analyzes intelligence very recently acquired by the agency about a months-long Russian intelligence cyber effort against elements of the U.S. election and voting infrastructure. The report, dated May 5, 2017, is the most detailed U.S. government account of Russian interference in the election that has yet come to light.

    While the document provides a rare window into the NSA’s understanding of the mechanics of Russian hacking, it does not show the underlying “raw” intelligence on which the analysis is based. A U.S. intelligence officer who declined to be identified cautioned against drawing too big a conclusion from the document because a single analysis is not necessarily definitive.

    ...

    ———-

    “Top-Secret NSA Report Details Russian Hacking Effort Days Before 2016 Election” by Matthew Cole, Richard Esposito, Sam Biddle, Ryan Grim; The Intercept; 06/05/2017

    “While the document provides a rare window into the NSA’s understanding of the mechanics of Russian hacking, it does not show the underlying “raw” intelligence on which the analysis is based. A U.S. intelligence officer who declined to be identified cautioned against drawing too big a conclusion from the document because a single analysis is not necessarily definitive.”

    So what we can say with confidence from this leak is that the NSA’s internal language is just as conclusive about the Russian government origin of these hacks as the public language. Still, it doesn’t actually tell us what that confidence is based on. And while it would be nice to assume that the NSA couldn’t possibly be jumping to — or intentionally arriving at — erroneous conclusions, this is probably a good time to review the recent conclusions of the French cyberintelligence chief and his recent warnings about the incredible dangers of cyber-misattribution, the ease with which any random hacker could carry out a spear-phishing attack, and his bafflement at the NSA’s recent Russian attribution for the spear-phishing French election hacks:

    CBS News

    French security chief warns of risk for “permanent war” in cyberspace

    June 1, 2017, 5:01 PM

    PARIS — Cyberspace faces an approaching risk of “permanent war” between states and criminal or extremist organizations because of increasingly destructive hacking attacks, the head of the French government’s cybersecurity agency warned Thursday.

    In a wide-ranging interview in his office with The Associated Press, Guillaume Poupard lamented a lack of commonly agreed rules to govern cyberspace and said: “We must work collectively, not just with two or three Western countries, but on a global scale.”

    “With what we see today — attacks that are criminal, from states, often for espionage or fraud but also more and more for sabotage or destruction — we are getting closer, clearly, to a state of war, a state of war that could be more complicated, probably, than those we’ve known until now,” he said.

    His comments echoed testimony from the head of the U.S. National Security Agency, Adm. Michael Rogers, to the Senate Armed Services Committee on May 9. Rogers spoke of “cyber effects” being used by states “to maintain the initiative just short of war” and said: “ ‘Cyber war’ is not some future concept or cinematic spectacle, it is real and here to stay.”

    Poupard said “the most nightmare scenario, the point of view that Rogers expressed and which I share” would be “a sort of permanent war — between states, between states and other organizations, which can be criminal and terrorist organizations — where everyone will attack each other, without really knowing who did what. A sort of generalized chaos that could affect all of cyberspace.”

    Poupard is director general of the government cyber-defense agency known in France by its acronym, ANSSI. Its agents were immediately called to deal with the aftermath of a hack and massive document leak that hit the election campaign of President Emmanuel Macron just two days before his May 7 victory.

    Macron’s political movement said the unidentified hackers accessed staffers’ personal and professional emails and leaked campaign finance material and contracts — as well as fake decoy documents — online.

    Contrary to Rogers, who said the U.S. warned France of “Russian activity” before Macron’s win, Poupard didn’t point the finger at Russia. He told the AP that ANSSI’s investigation found no trace behind the Macron hack of the notorious hacking group APT28 — identified by the U.S. government as a Russian intelligence outfit and blamed for hacks of the U.S. election campaign, anti-doping agencies and other targets. The group also is known by other names, including “Fancy Bear.”

    Poupard described the Macron campaign hack as “not very technological” and said: “The attack was so generic and simple that it could have been practically anyone.”

    Without ruling out the possibility that a state might have been involved, he said the attack’s simplicity “means that we can imagine that it was a person who did this alone. They could be in any country.”

    “It really could be anyone. It could even be an isolated individual,” he said.

    Poupard contrasted the “Macron Leaks” hack with another far more sophisticated attack that took French broadcaster TV5 Monde off the air in 2015. There, “very specific tools were used to destroy the equipment” in the attack that “resembles a lot what we call collectively APT28,” he said.

    “To say ‘Macron Leaks’ was APT28, I’m absolutely incapable today of doing that,” he said. “I have absolutely no element to say whether it is true or false.”

    Rogers, the NSA director, said in his Senate Armed Services hearing that U.S. authorities gave their French counterparts “a heads-up” before the Macron documents leaked that: “ ‘We are watching the Russians. We are seeing them penetrate some of your infrastructure. Here is what we have seen. What can we do to try to assist?’ ”

    Poupard said Rogers’ comments left him perplexed and that the French had long been on alert about potential threats to their presidential election.

    “Why did Admiral Rogers say that, like that, at that time? It really surprised me. It really surprised my European allies. And to be totally frank, when I spoke about it to my NSA counterparts and asked why did he say that, they didn’t really know how to reply either,” he said. “Perhaps he went further than what he really wanted to say.”

    Still, Poupard said the attack highlighted the cyber-threat to democratic processes. “Unfortunately, we now know the reality that we are going to live with forever, probably,” he said.

    ...

    The attack on TV5 was a rare pub­lic exam­ple. In 2016, oth­ers tar­get­ed gov­ern­ment admin­is­tra­tions and big com­pa­nies quot­ed on the bench­mark French stock mar­ket index, the CAC-40, he said.

    Point­ing fin­gers at sus­pect­ed authors is fraught with risk, because sophis­ti­cat­ed attack­ers can mask their activ­i­ties with false trails, he said.

    “We suf­fered attacks that were attrib­uted to Chi­na, that we think came from Chi­na. Among them, some came from Chi­na. Chi­na is big, I don’t know if it was the state, crim­i­nals,” he said. “What I am cer­tain of is that among these attacks, some strange­ly resem­bled Chi­nese attacks but in fact did­n’t come from Chi­na.”

    “If you start to accuse one coun­try when in fact it was anoth­er coun­try ... we’ll get inter­na­tion­al chaos,” he said. “We’ll get what we all fear, which is to say a sort of per­ma­nent con­flict where every­one is attack­ing every­one else.”

    ———-

    “French security chief warns of risk for ‘permanent war’ in cyberspace”; CBS News; 06/02/2017

    “Poupard said “the most night­mare sce­nario, the point of view that Rogers expressed and which I share” would be “a sort of per­ma­nent war — between states, between states and oth­er orga­ni­za­tions, which can be crim­i­nal and ter­ror­ist orga­ni­za­tions — where every­one will attack each oth­er, with­out real­ly know­ing who did what. A sort of gen­er­al­ized chaos that could affect all of cyber­space.””

    That’s quite a night­mare sce­nario from Guil­laume Poupard, head of France’s cyber­se­cu­ri­ty: every­one hack­ing every­one with­out any­one real­ly know­ing who did. Pret­ty scary. And appar­ent­ly already real­i­ty. Espe­cial­ly when basic attacks like spear-phish­ing cam­paigns get inter­pret­ed as hack attacks so sophis­ti­cat­ed that only a nation-state could do it:

    ...
    Poupard described the Macron cam­paign hack as “not very tech­no­log­i­cal” and said: “The attack was so gener­ic and sim­ple that it could have been prac­ti­cal­ly any­one.”

    With­out rul­ing out the pos­si­bil­i­ty that a state might have been involved, he said the attack­’s sim­plic­i­ty “means that we can imag­ine that it was a per­son who did this alone. They could be in any coun­try.”

    “It real­ly could be any­one. It could even be an iso­lat­ed indi­vid­ual,” he said.
    ...

    “It real­ly could be any­one. It could even be an iso­lat­ed indi­vid­ual”

    Just an iso­lat­ed indi­vid­ual could have been behind the Macron hack? Huh.

    And yet, as Poupard describes, the NSA was very con­fi­dent that this was the work of Russ­ian gov­ern­ment hackers...despite the inabil­i­ty to actu­al­ly explain the basis of that con­fi­dence when Poupard direct­ly asked for it:

    ...
    Con­trary to Rogers, who said the U.S. warned France of “Russ­ian activ­i­ty” before Macron’s win, Poupard did­n’t point the fin­ger at Rus­sia. He told the AP that ANSSI’s inves­ti­ga­tion found no trace behind the Macron hack of the noto­ri­ous hack­ing group APT28 — iden­ti­fied by the U.S. gov­ern­ment as a Russ­ian intel­li­gence out­fit and blamed for hacks of the U.S. elec­tion cam­paign, anti-dop­ing agen­cies and oth­er tar­gets. The group also is known by oth­er names, includ­ing “Fan­cy Bear.”

    ...

    “To say ‘Macron Leaks’ was APT28, I’m absolute­ly inca­pable today of doing that,” he said. “I have absolute­ly no ele­ment to say whether it is true or false.”

    Rogers, the NSA direc­tor, said in his Sen­ate Armed Ser­vices hear­ing that U.S. author­i­ties gave their French coun­ter­parts “a heads-up” before the Macron doc­u­ments leaked that: “ ‘We are watch­ing the Rus­sians. We are see­ing them pen­e­trate some of your infra­struc­ture. Here is what we have seen. What can we do to try to assist?’ ”

    Poupard said Rogers’ com­ments left him per­plexed and that the French had long been on alert about poten­tial threats to their pres­i­den­tial elec­tion.

    “Why did Admi­ral Rogers say that, like that, at that time? It real­ly sur­prised me. It real­ly sur­prised my Euro­pean allies. And to be total­ly frank, when I spoke about it to my NSA coun­ter­parts and asked why did he say that, they did­n’t real­ly know how to reply either,” he said. “Per­haps he went fur­ther than what he real­ly want­ed to say.”
    ...

    ““Why did Admi­ral Rogers say that, like that, at that time? It real­ly sur­prised me. It real­ly sur­prised my Euro­pean allies. And to be total­ly frank, when I spoke about it to my NSA coun­ter­parts and asked why did he say that, they did­n’t real­ly know how to reply either,” he said. “Per­haps he went fur­ther than what he real­ly want­ed to say.””

    So what can we conclude from all this? Well, that someone spear-phished a US voting systems company. With consequences that have yet to be determined. That’s pretty much it. Still, on its own that’s a pretty big revelation. If it suggests that whoever was behind the other DNC and Podesta hacks was probably behind this hack too, that’s strong evidence pointing in the direction of direct election manipulation. And if it turns out Russia ran one of the most incompetent, self-incriminating hacking campaigns in history by executing those DNC/Podesta hacks...well, that would suggest Russia was planning on doing something as wildly inflammatory as having their easily-identified hackers try to directly manipulate election results. But if the self-incriminating “Russian hackers” were actually, say, hackers working for the Trump campaign masking themselves as Russians...well, that tells us that the Trump campaign was interested in manipulating election results. Either way, that’s a pretty big revelation.

    It’s a reminder that, giv­en the com­mon assump­tion that Trump keeps try­ing to shut down the Russ­ian probe over fears that it will dis­cov­er Russian/Trump team col­lu­sion, don’t for­get that the dis­cov­ery that the Trump team hired hack­ers to pre­tend to be Russ­ian (or maybe hired Russ­ian hack­ers) would also be a mas­sive­ly scan­dalous deal. Espe­cial­ly if it involved the attempt­ed (or suc­cess­ful) manip­u­la­tion of the vote.

    Posted by Pterrafractyl | June 6, 2017, 8:27 pm
  16. @Pterrafractyl–

    Inter­est­ing, isn’t it, that “The Inter­cept,” which was a repos­i­to­ry for the NSA files pur­loined by Snow­den, hands the doc­u­ment back to NSA.

    I strong­ly sus­pect this is part of the “op” to remove funky Trump in favor of arch reac­tionary Pence, who does­n’t have Trump’s bag­gage, while at the same time ramp­ing up Cold War II.

    Even as Ger­many and EU are mov­ing past the fail­ing US and imple­ment­ing an EU army (with the French nuclear capa­bil­i­ty at its cen­ter), the US is attempt­ing to reforge the Atlantic Alliance.

    I am of the opin­ion that the Under­ground Reich is in con­trol of both factions–the US right-wing Atlanti­cist fac­tion and the post US, post NATO German/EU future.

    Look for pres­sure on Putin, per­haps remov­ing him, per­haps not. Ulti­mate­ly I expect this will result in accom­mo­da­tion between Rus­sia and EU/Germany.

    Russia agrees to EU nuclear-armed military union and Ukrainian admission to EU, with EU joining with Eurasian economic union creating an economic community (dominated by Germany) stretching from Lisbon to Vladivostok.

    The Caligulized America, with lousy public education, poisoned environment, no health care and virulent, racist ignorance and ethnic Balkanization being the dominant features of US society, slides into secondary status.

    Ultimately, I expect the U.S. to split up into smaller countries, particularly after earthquakes and other natural and ecological disasters and mass casualty terror attacks decimate the nation.

    Cheers!

    Ms. Win­ner is, in my opin­ion, the James McCord of this “New Water­gate.”

    Ain’t we got fun?!

    Cheers,

    Dave Emory

    Posted by Dave Emory | June 6, 2017, 10:53 pm
  17. The New York Times had a recent report on the ongo­ing inves­ti­ga­tion into the Shad­ow Bro­kers leak and strug­gles the NSA has had in iden­ti­fy­ing the source. One of the key points in the arti­cle is that agency inves­ti­ga­tors and staff con­tin­ue to fear that the source was an insid­er who has yet to be found based on all the evi­dence point­ing towards it being an inside job. And yet, despite that, one of the oth­er key points is that the agency is also pret­ty sure Rus­sia was behind it. Of course:

    The New York Times

    Secu­ri­ty Breach and Spilled Secrets Have Shak­en the N.S.A. to Its Core

    A ser­i­al leak of the agency’s cyber­weapons has dam­aged morale, slowed intel­li­gence oper­a­tions and result­ed in hack­ing attacks on busi­ness­es and civil­ians world­wide.

    By SCOTT SHANE, NICOLE PERLROTH and DAVID E. SANGER
    NOV. 12, 2017

    WASHINGTON — Jake Williams awoke last April in an Orlan­do, Fla., hotel where he was lead­ing a train­ing ses­sion. Check­ing Twit­ter, Mr. Williams, a cyber­se­cu­ri­ty expert, was dis­mayed to dis­cov­er that he had been thrust into the mid­dle of one of the worst secu­ri­ty deba­cles ever to befall Amer­i­can intel­li­gence.

    Mr. Williams had writ­ten on his com­pa­ny blog about the Shad­ow Bro­kers, a mys­te­ri­ous group that had some­how obtained many of the hack­ing tools the Unit­ed States used to spy on oth­er coun­tries. Now the group had replied in an angry screed on Twit­ter. It iden­ti­fied him — cor­rect­ly — as a for­mer mem­ber of the Nation­al Secu­ri­ty Agency’s hack­ing group, Tai­lored Access Oper­a­tions, or T.A.O., a job he had not pub­licly dis­closed. Then the Shad­ow Bro­kers aston­ished him by drop­ping tech­ni­cal details that made clear they knew about high­ly clas­si­fied hack­ing oper­a­tions that he had con­duct­ed.

    America’s largest and most secre­tive intel­li­gence agency had been deeply infil­trat­ed.

    “They had operational insight that even most of my fellow operators at T.A.O. did not have,” said Mr. Williams, now with Rendition Infosec, a cybersecurity firm he founded. “I felt like I’d been kicked in the gut. Whoever wrote this either was a well-placed insider or had stolen a lot of operational data.”

    The jolt to Mr. Williams from the Shad­ow Bro­kers’ riposte was part of a much broad­er earth­quake that has shak­en the N.S.A. to its core. Cur­rent and for­mer agency offi­cials say the Shad­ow Bro­kers dis­clo­sures, which began in August 2016, have been cat­a­stroph­ic for the N.S.A., call­ing into ques­tion its abil­i­ty to pro­tect potent cyber­weapons and its very val­ue to nation­al secu­ri­ty. The agency regard­ed as the world’s leader in break­ing into adver­saries’ com­put­er net­works failed to pro­tect its own.

    “These leaks have been incred­i­bly dam­ag­ing to our intel­li­gence and cyber capa­bil­i­ties,” said Leon E. Panet­ta, the for­mer defense sec­re­tary and direc­tor of the Cen­tral Intel­li­gence Agency. “The fun­da­men­tal pur­pose of intel­li­gence is to be able to effec­tive­ly pen­e­trate our adver­saries in order to gath­er vital intel­li­gence. By its very nature, that only works if secre­cy is main­tained and our codes are pro­tect­ed.”

    With a leak of intel­li­gence meth­ods like the N.S.A. tools, Mr. Panet­ta said, “Every time it hap­pens, you essen­tial­ly have to start over.”

    Fif­teen months into a wide-rang­ing inves­ti­ga­tion by the agency’s coun­ter­in­tel­li­gence arm, known as Q Group, and the F.B.I., offi­cials still do not know whether the N.S.A. is the vic­tim of a bril­liant­ly exe­cut­ed hack, with Rus­sia as the most like­ly per­pe­tra­tor, an insider’s leak, or both. Three employ­ees have been arrest­ed since 2015 for tak­ing clas­si­fied files, but there is fear that one or more leak­ers may still be in place. And there is broad agree­ment that the dam­age from the Shad­ow Bro­kers already far exceeds the harm to Amer­i­can intel­li­gence done by Edward J. Snow­den, the for­mer N.S.A. con­trac­tor who fled with four lap­tops of clas­si­fied mate­r­i­al in 2013.

    Mr. Snowden’s cas­cade of dis­clo­sures to jour­nal­ists and his defi­ant pub­lic stance drew far more media cov­er­age than this new breach. But Mr. Snow­den released code words, while the Shad­ow Bro­kers have released the actu­al code; if he shared what might be described as bat­tle plans, they have loosed the weapons them­selves. Cre­at­ed at huge expense to Amer­i­can tax­pay­ers, those cyber­weapons have now been picked up by hack­ers from North Korea to Rus­sia and shot back at the Unit­ed States and its allies.

    Mil­lions of peo­ple saw their com­put­ers shut down by ran­somware, with demands for pay­ments in dig­i­tal cur­ren­cy to have their access restored. Tens of thou­sands of employ­ees at Mon­delez Inter­na­tion­al, the mak­er of Oreo cook­ies, had their data com­plete­ly wiped. FedEx report­ed that an attack on a Euro­pean sub­sidiary had halt­ed deliv­er­ies and cost $300 mil­lion. Hos­pi­tals in Penn­syl­va­nia, Britain and Indone­sia had to turn away patients. The attacks dis­rupt­ed pro­duc­tion at a car plant in France, an oil com­pa­ny in Brazil and a choco­late fac­to­ry in Tas­ma­nia, among thou­sands of enter­pris­es affect­ed world­wide.

    Amer­i­can offi­cials had to explain to close allies — and to busi­ness lead­ers in the Unit­ed States — how cyber­weapons devel­oped at Fort Meade in Mary­land came to be used against them. Experts believe more attacks using the stolen N.S.A. tools are all but cer­tain.

    Inside the agency’s Mary­land head­quar­ters and its cam­pus­es around the coun­try, N.S.A. employ­ees have been sub­ject­ed to poly­graphs and sus­pend­ed from their jobs in a hunt for turn­coats allied with the Shad­ow Bro­kers. Much of the agency’s arse­nal is still being replaced, cur­tail­ing oper­a­tions. Morale has plunged, and expe­ri­enced spe­cial­ists are leav­ing the agency for bet­ter-pay­ing jobs — includ­ing with firms defend­ing com­put­er net­works from intru­sions that use the N.S.A.’s leaked tools.

    “It’s a dis­as­ter on mul­ti­ple lev­els,” Mr. Williams said. “It’s embar­rass­ing that the peo­ple respon­si­ble for this have not been brought to jus­tice.”

    In response to detailed ques­tions, an N.S.A. spokesman, Michael T. Hal­big, said the agency “can­not com­ment on Shad­ow Bro­kers.” He denied that the episode had hurt morale. “N.S.A. con­tin­ues to be viewed as a great place to work; we receive more than 140,000 appli­ca­tions each year for our hir­ing pro­gram,” he said.

    Com­pound­ing the pain for the N.S.A. is the attack­ers’ reg­u­lar online pub­lic taunts, writ­ten in ersatz bro­ken Eng­lish. Their posts are a pecu­liar mash-up of imma­tu­ri­ty and sophis­ti­ca­tion, laced with pro­fane jokes but also savvy cul­tur­al and polit­i­cal ref­er­ences. They sug­gest that their author — if not an Amer­i­can — knows the Unit­ed States well.

    “Is NSA chas­ing shad­ows­es?” the Shad­ow Bro­kers asked in a post on Oct. 16, mock­ing the agency’s inabil­i­ty to under­stand the leaks and announc­ing a price cut for sub­scrip­tions to its “month­ly dump ser­vice” of stolen N.S.A. tools. It was a typ­i­cal­ly wide-rang­ing screed, touch­ing on George Orwell’s “1984”; the end of the fed­er­al government’s fis­cal year on Sept. 30; Russia’s cre­ation of bogus accounts on Face­book and Twit­ter; and the phe­nom­e­non of Amer­i­can intel­li­gence offi­cers going to work for con­trac­tors who pay high­er salaries.

    One pas­sage, pos­si­bly hint­ing at the Shad­ow Bro­kers’ iden­ti­ty, under­scored the close rela­tion­ship of Russ­ian intel­li­gence to crim­i­nal hack­ers. “Russ­ian secu­ri­ty peo­ples,” it said, “is becom­ing Russ­ian hack­eres at nights, but only full moons.”

    Rus­sia is the prime sus­pect in a par­al­lel hem­or­rhage of hack­ing tools and secret doc­u­ments from the C.I.A.’s Cen­ter for Cyber Intel­li­gence, post­ed week after week since March to the Wik­iLeaks web­site under the names Vault7 and Vault8. That breach, too, is unsolved. Togeth­er, the flood of dig­i­tal secrets from agen­cies that invest huge resources in pre­vent­ing such breach­es is rais­ing pro­found ques­tions.

    Have hack­ers and leak­ers made secre­cy obso­lete? Has Russ­ian intel­li­gence sim­ply out­played the Unit­ed States, pen­e­trat­ing the most close­ly guard­ed cor­ners of its gov­ern­ment? Can a work force of thou­sands of young, tech-savvy spies ever be immune to leaks?

    Some vet­er­an intel­li­gence offi­cials believe a lop­sided focus on offen­sive weapons and hack­ing tools has, for years, left Amer­i­can cyberde­fense dan­ger­ous­ly porous.

    “We have had a train wreck com­ing,” said Mike McConnell, the for­mer N.S.A. direc­tor and nation­al intel­li­gence direc­tor. “We should have ratch­eted up the defense parts sig­nif­i­cant­ly.”

    America’s Cyber Spe­cial Forces

    At the heart of the N.S.A. cri­sis is Tai­lored Access Oper­a­tions, the group where Mr. Williams worked, which was absorbed last year into the agency’s new Direc­torate of Oper­a­tions.

    T.A.O. — the out­dat­ed name is still used infor­mal­ly — began years ago as a side project at the agency’s research and engi­neer­ing build­ing at Fort Meade. It was a cyber Skunk Works, akin to the spe­cial units that once built stealth air­craft and drones. As Washington’s need for hack­ing capa­bil­i­ties grew, T.A.O. expand­ed into a sep­a­rate office park in Lau­rel, Md., with addi­tion­al teams at facil­i­ties in Col­orado, Geor­gia, Hawaii and Texas.

    The hack­ing unit attracts many of the agency’s young stars, who like the thrill of inter­net break-ins in the name of nation­al secu­ri­ty, accord­ing to a dozen for­mer gov­ern­ment offi­cials who agreed to describe its work on the con­di­tion of anonymi­ty. T.A.O. ana­lysts start with a shop­ping list of desired infor­ma­tion and like­ly sources — say, a Chi­nese official’s home com­put­er or a Russ­ian oil company’s net­work. Much of T.A.O.’s work is labeled E.C.I., for “excep­tion­al­ly con­trolled infor­ma­tion,” mate­r­i­al so sen­si­tive it was ini­tial­ly stored only in safes. When the cumu­la­tive weight of the safes threat­ened the integri­ty of N.S.A.’s engi­neer­ing build­ing a few years ago, one agency vet­er­an said, the rules were changed to allow locked file cab­i­nets.

    The more expe­ri­enced T.A.O. oper­a­tors devise ways to break into for­eign net­works; junior oper­a­tors take over to extract infor­ma­tion. Mr. Williams, 40, a for­mer para­medic who served in mil­i­tary intel­li­gence in the Army before join­ing the N.S.A., worked in T.A.O. from 2008 to 2013, which he described as an espe­cial­ly long tenure. He called the work “chal­leng­ing and some­times excit­ing.”

    T.A.O. oper­a­tors must con­stant­ly renew their arse­nal to stay abreast of chang­ing soft­ware and hard­ware, exam­in­ing every Win­dows update and new iPhone for vul­ner­a­bil­i­ties. “The nature of the busi­ness is to move with the tech­nol­o­gy,” a for­mer T.A.O. hack­er said.

    Long known main­ly as an eaves­drop­ping agency, the N.S.A. has embraced hack­ing as an espe­cial­ly pro­duc­tive way to spy on for­eign tar­gets. The intel­li­gence col­lec­tion is often auto­mat­ed, with mal­ware implants — com­put­er code designed to find mate­r­i­al of inter­est — left sit­ting on the tar­get­ed sys­tem for months or even years, send­ing files back to the N.S.A.

    The same implant can be used for many pur­pos­es: to steal doc­u­ments, tap into email, sub­tly change data or become the launch­ing pad for an attack. T.A.O.’s most pub­lic suc­cess was an oper­a­tion against Iran called Olympic Games, in which implants in the net­work of the Natanz nuclear plant caused cen­trifuges enrich­ing ura­ni­um to self-destruct. The T.A.O. was also crit­i­cal to attacks on the Islam­ic State and North Korea.

    It was this arse­nal that the Shad­ow Bro­kers got hold of, and then began to release.

    Like cops study­ing a burglar’s oper­at­ing style and stash of stolen goods, N.S.A. ana­lysts have tried to fig­ure out what the Shad­ow Bro­kers took. None of the leaked files date from lat­er than 2013 — a relief to agency offi­cials assess­ing the dam­age. But they include a large share of T.A.O.’s col­lec­tion, includ­ing three so-called ops disks — T.A.O.’s term for tool kits — con­tain­ing the soft­ware to bypass com­put­er fire­walls, pen­e­trate Win­dows and break into the Lin­ux sys­tems most com­mon­ly used on Android phones.

    Evi­dence shows that the Shad­ow Bro­kers obtained the entire tool kits intact, sug­gest­ing that an insid­er might have sim­ply pock­et­ed a thumb dri­ve and walked out.

    But oth­er files obtained by the Shad­ow Bro­kers bore no rela­tion to the ops disks and seem to have been grabbed at dif­fer­ent times. Some were designed for a com­pro­mise by the N.S.A. of Swift, a glob­al finan­cial mes­sag­ing sys­tem, allow­ing the agency to track bank trans­fers. There was a man­u­al for an old sys­tem code-named UNITEDRAKE, used to attack Win­dows. There were Pow­er­Point pre­sen­ta­tions and oth­er files not used in hack­ing, mak­ing it unlike­ly that the Shad­ow Bro­kers had sim­ply grabbed tools left on the inter­net by slop­py N.S.A. hack­ers.

    Some offi­cials doubt that the Shad­ow Bro­kers got it all by hack­ing the most secure of Amer­i­can gov­ern­ment agen­cies — hence the search for insid­ers. But some T.A.O. hack­ers think that skilled, per­sis­tent attack­ers might have been able to get through the N.S.A.’s defens­es — because, as one put it, “I know we’ve done it to oth­er coun­tries.”

    The Shad­ow Bro­kers have ver­bal­ly attacked cer­tain experts, includ­ing Mr. Williams. When he con­clud­ed from their Twit­ter hints that they knew about some of his hacks while at the N.S.A., he can­celed a busi­ness trip to Sin­ga­pore. The Unit­ed States had named and crim­i­nal­ly charged hack­ers from the intel­li­gence agen­cies of Chi­na, Iran and Rus­sia. He feared he could be sim­i­lar­ly charged by a coun­try he had tar­get­ed and arrest­ed on an inter­na­tion­al war­rant.

    He has since resumed trav­el­ing abroad. But he says no one from the N.S.A. has con­tact­ed him about being sin­gled out pub­licly by the Shad­ow Bro­kers.

    “That feels like a betray­al,” he said. “I was tar­get­ed by the Shad­ow Bro­kers because of that work. I do not feel the gov­ern­ment has my back.”

    The Hunt for an Insid­er

    For decades after its cre­ation in 1952, the N.S.A. — No Such Agency, in the old joke — was seen as all but leakproof. But since Mr. Snow­den flew away with hun­dreds of thou­sands of doc­u­ments in 2013, that notion has been shat­tered.

    The Snow­den trau­ma led to the invest­ment of mil­lions of dol­lars in new tech­nol­o­gy and tougher rules to counter what the gov­ern­ment calls the insid­er threat. But N.S.A. employ­ees say that with thou­sands of employ­ees pour­ing in and out of the gates, and the abil­i­ty to store a library’s worth of data in a device that can fit on a key ring, it is impos­si­ble to pre­vent peo­ple from walk­ing out with secrets.

    The agency has active inves­ti­ga­tions into at least three for­mer N.S.A. employ­ees or con­trac­tors. Two had worked for T.A.O.: a still pub­licly uniden­ti­fied soft­ware devel­op­er secret­ly arrest­ed after tak­ing hack­ing tools home in 2015, only to have Russ­ian hack­ers lift them from his home com­put­er; and Harold T. Mar­tin III, a con­trac­tor arrest­ed last year when F.B.I. agents found his home, gar­den shed and car stuffed with sen­si­tive agency doc­u­ments and stor­age devices he had tak­en over many years when a work-at-home habit got out of con­trol, his lawyers say. The third is Real­i­ty Win­ner, a young N.S.A. lin­guist arrest­ed in June, who is charged with leak­ing to the news site The Inter­cept a sin­gle clas­si­fied report on a Russ­ian breach of an Amer­i­can elec­tion sys­tems ven­dor.

    Mr. Martin’s gar­gan­tu­an col­lec­tion of stolen files includ­ed much of what the Shad­ow Bro­kers have, and he has been scru­ti­nized by inves­ti­ga­tors as a pos­si­ble source for them. Offi­cials say they do not believe he delib­er­ate­ly sup­plied the mate­r­i­al, though they have exam­ined whether he might have been tar­get­ed by thieves or hack­ers.

    But accord­ing to for­mer N.S.A. employ­ees who are still in touch with active work­ers, inves­ti­ga­tors of the Shad­ow Bro­kers thefts are clear­ly wor­ried that one or more leak­ers may still be inside the agency. Some T.A.O. employ­ees have been asked to turn over their pass­ports, take time off their jobs and sub­mit to ques­tion­ing. The small num­ber of spe­cial­ists who have worked both at T.A.O. and at the C.I.A. have come in for par­tic­u­lar atten­tion, out of con­cern that a sin­gle leak­er might be respon­si­ble for both the Shad­ow Bro­kers and the C.I.A.’s Vault7 breach­es.

    Then there are the Shad­ow Bro­kers’ writ­ings, which betray a seem­ing immer­sion in Amer­i­can cul­ture. Last April, about the time Mr. Williams was dis­cov­er­ing their inside knowl­edge of T.A.O. oper­a­tions, the Shad­ow Bro­kers post­ed an appeal to Pres­i­dent Trump: “Don’t For­get Your Base.” With the ease of a sea­soned pun­dit, they tossed around details about Stephen K. Ban­non, the president’s now depart­ed advis­er; the Free­dom Cau­cus in Con­gress; the “deep state”; the Alien and Sedi­tion Acts; and white priv­i­lege.

    “The­Shad­ow­Bro­kers is want­i­ng to see you suc­ceed,” the post said, address­ing Mr. Trump. “The­Shad­ow­Bro­kers is want­i­ng Amer­i­ca to be great again.”

    The mole hunt is inevitably cre­at­ing an atmos­phere of sus­pi­cion and anx­i­ety, for­mer employ­ees say. While the attrac­tion of the N.S.A. for skilled oper­a­tors is unique — nowhere else can they hack with­out get­ting into legal trou­ble — the boom in cyber­se­cu­ri­ty hir­ing by pri­vate com­pa­nies gives T.A.O. vet­er­ans lucra­tive exit options.

    Young T.A.O. hack­ers are lucky to make $80,000 a year, while those who leave rou­tine­ly find jobs pay­ing well over $100,000, secu­ri­ty spe­cial­ists say. For many work­ers, the appeal of the N.S.A’s mis­sion has been more than enough to make up the dif­fer­ence. But over the past year, for­mer T.A.O. employ­ees say an increas­ing num­ber of for­mer col­leagues have called them look­ing for pri­vate-sec­tor work, includ­ing “gray­beards” they thought would be N.S.A. lif­ers.

    “Snow­den killed morale,” anoth­er T.A.O. ana­lyst said. “But at least we knew who he was. Now you have a sit­u­a­tion where the agency is ques­tion­ing peo­ple who have been 100 per­cent mis­sion-ori­ent­ed, telling them they’re liars.”

    Because the N.S.A. hack­ing unit has grown so rapid­ly over the past decade, the pool of poten­tial leak­ers has expand­ed into the hun­dreds. Trust has erod­ed as any­one who had access to the leaked code is regard­ed as the poten­tial cul­prit.

    Some agency vet­er­ans have seen projects they worked on for a decade shut down because implants they relied on were dumped online by the Shad­ow Bro­kers. The num­ber of new oper­a­tions has declined because the mal­ware tools must be rebuilt. And no end is in sight.

    “How much longer are the releas­es going to come?” a for­mer T.A.O. employ­ee asked. “The agency doesn’t know how to stop it — or even what ‘it’ is.”

    One N.S.A. offi­cial who almost saw his career end­ed by the Shad­ow Bro­kers is at the very top of the orga­ni­za­tion: Adm. Michael S. Rogers, direc­tor of the N.S.A. and com­man­der of its sis­ter mil­i­tary orga­ni­za­tion, Unit­ed States Cyber Com­mand. Pres­i­dent Barack Obama’s direc­tor of nation­al intel­li­gence, James R. Clap­per Jr., and defense sec­re­tary, Ash­ton B. Carter, rec­om­mend­ed remov­ing Admi­ral Rogers from his post to cre­ate account­abil­i­ty for the breach­es.

    But Mr. Obama did not act on the advice, in part because Admiral Rogers’s agency was at the center of the investigation into Russia’s interference in the 2016 election. Mr. Trump, who again on Saturday disputed his intelligence agencies’ findings on Russia and the election, extended the admiral’s time in office. Some former intelligence officials say they are flabbergasted that he has been able to hold on to his job.

    A Shadow War With Russia?

    Lurking in the background of the Shadow Brokers investigation is American officials’ strong belief that it is a Russian operation. The pattern of dribbling out stolen documents over many months, they say, echoes the slow release of Democratic emails purloined by Russian hackers last year.

    But there is a more specific back story to the United States-Russia rivalry.

    Starting in 2014, American security researchers who had been tracking Russia’s state-sponsored hacking groups for years began to expose them in a series of research reports. American firms, including Symantec, CrowdStrike and FireEye, reported that Moscow was behind certain attacks and identified government-sponsored Russian hacking groups.

    In the meantime, Russia’s most prominent cybersecurity firm, Kaspersky Lab, had started work on a report that would turn the tables on the United States. Kaspersky hunted for the spying malware planted by N.S.A. hackers, guided in part by the keywords and code names in the files taken by Mr. Snowden and published by journalists, officials said.

    Kaspersky was, in a sense, simply doing to the N.S.A. what the American companies had just done to Russian intelligence: expose their operations. And American officials believe Russian intelligence was piggybacking on Kaspersky’s efforts to find and retrieve the N.S.A.’s secrets wherever they could be found. The T.A.O. hackers knew that when Kaspersky updated its popular antivirus software to find and block the N.S.A. malware, it could thwart spying operations around the world.

    So T.A.O. personnel rushed to replace implants in many countries with new malware they did not believe the Russian company could detect.

    In February 2015, Kaspersky published its report on the Equation Group — the company’s name for T.A.O. hackers — and updated its antivirus software to uproot the N.S.A. malware wherever it had not been replaced. The agency temporarily lost access to a considerable flow of intelligence. By some accounts, however, N.S.A. officials were relieved that the Kaspersky report did not include certain tools they feared the Russian company had found.

    As it would turn out, any celebration was premature.

    On Aug. 13 last year, a new Twitter account using the Shadow Brokers’ name announced with fanfare an online auction of stolen N.S.A. hacking tools.

    “We hack Equation Group,” the Shadow Brokers wrote. “We find many many Equation Group cyber weapons.”

    ...

    Mr. Williams said it may be years before the “full fallout” of the Shadow Brokers breach is understood. Even the arrest of whoever is responsible for the leaks may not end them, he said — because the sophisticated perpetrators may have built a “dead man’s switch” to release all remaining files automatically upon their arrest.

    “We’re obviously dealing with people who have operational security knowledge,” he said. “They have the whole law enforcement system and intelligence system after them. And they haven’t been caught.”

    ———-

    “Security Breach and Spilled Secrets Have Shaken the N.S.A. to Its Core” by SCOTT SHANE, NICOLE PERLROTH and DAVID E. SANGER; The New York Times; 11/12/2017

    Fifteen months into a wide-ranging investigation by the agency’s counterintelligence arm, known as Q Group, and the F.B.I., officials still do not know whether the N.S.A. is the victim of a brilliantly executed hack, with Russia as the most likely perpetrator, an insider’s leak, or both. Three employees have been arrested since 2015 for taking classified files, but there is fear that one or more leakers may still be in place. And there is broad agreement that the damage from the Shadow Brokers already far exceeds the harm to American intelligence done by Edward J. Snowden, the former N.S.A. contractor who fled with four laptops of classified material in 2013.”

    So was it a leaker, a Russian hack, or both? Well, here’s the evidence we’re given for it being an insider: For starters, they appear to have insider operational insights based on their public taunts:

    Jake Williams awoke last April in an Orlando, Fla., hotel where he was leading a training session. Checking Twitter, Mr. Williams, a cybersecurity expert, was dismayed to discover that he had been thrust into the middle of one of the worst security debacles ever to befall American intelligence.

    Mr. Williams had written on his company blog about the Shadow Brokers, a mysterious group that had somehow obtained many of the hacking tools the United States used to spy on other countries. Now the group had replied in an angry screed on Twitter. It identified him — correctly — as a former member of the National Security Agency’s hacking group, Tailored Access Operations, or T.A.O., a job he had not publicly disclosed. Then the Shadow Brokers astonished him by dropping technical details that made clear they knew about highly classified hacking operations that he had conducted.

    America’s largest and most secretive intelligence agency had been deeply infiltrated.

    “They had operational insight that even most of my fellow operators at T.A.O. did not have,” said Mr. Williams, now with Rendition Infosec, a cybersecurity firm he founded. “I felt like I’d been kicked in the gut. Whoever wrote this either was a well-placed insider or had stolen a lot of operational data.”
    ...

    And then there are the public rantings that appear to reveal a subtle familiarity with American culture and humor despite the broken English:

    ...
    Compounding the pain for the N.S.A. is the attackers’ regular online public taunts, written in ersatz broken English. Their posts are a peculiar mash-up of immaturity and sophistication, laced with profane jokes but also savvy cultural and political references. They suggest that their author — if not an American — knows the United States well.

    ...

    But according to former N.S.A. employees who are still in touch with active workers, investigators of the Shadow Brokers thefts are clearly worried that one or more leakers may still be inside the agency. Some T.A.O. employees have been asked to turn over their passports, take time off their jobs and submit to questioning. The small number of specialists who have worked both at T.A.O. and at the C.I.A. have come in for particular attention, out of concern that a single leaker might be responsible for both the Shadow Brokers and the C.I.A.’s Vault7 breaches.

    Then there are the Shadow Brokers’ writings, which betray a seeming immersion in American culture. Last April, about the time Mr. Williams was discovering their inside knowledge of T.A.O. operations, the Shadow Brokers posted an appeal to President Trump: “Don’t Forget Your Base.” With the ease of a seasoned pundit, they tossed around details about Stephen K. Bannon, the president’s now departed adviser; the Freedom Caucus in Congress; the “deep state”; the Alien and Sedition Acts; and white privilege.

    “TheShadowBrokers is wanting to see you succeed,” the post said, addressing Mr. Trump. “TheShadowBrokers is wanting America to be great again.”
    ...

    But, of course, we shouldn’t really read too much into what’s publicly written by the Shadow Brokers since that’s obviously an area where they could be intentionally leaving misleading clues.

    And then there’s the observation that some, but not all, of the hacking tool kits they stole were stolen in their entirety, which suggests someone with a thumb drive might have just scooped them up and walked out with them. It’s not clear why a hacker couldn’t also scoop them up and extract entire tool kits, but it’s possible that the entire tool kits were only found in one place on servers not connected to the internet (which is exactly what ex-NSA insiders have said was the case). Anyway, the fact that entire tool kits were stolen is seen by the investigators as hinting at an insider:

    ...
    Like cops studying a burglar’s operating style and stash of stolen goods, N.S.A. analysts have tried to figure out what the Shadow Brokers took. None of the leaked files date from later than 2013 — a relief to agency officials assessing the damage. But they include a large share of T.A.O.’s collection, including three so-called ops disks — T.A.O.’s term for tool kits — containing the software to bypass computer firewalls, penetrate Windows and break into the Linux systems most commonly used on Android phones.

    Evidence shows that the Shadow Brokers obtained the entire tool kits intact, suggesting that an insider might have simply pocketed a thumb drive and walked out.

    But other files obtained by the Shadow Brokers bore no relation to the ops disks and seem to have been grabbed at different times. Some were designed for a compromise by the N.S.A. of Swift, a global financial messaging system, allowing the agency to track bank transfers. There was a manual for an old system code-named UNITEDRAKE, used to attack Windows. There were PowerPoint presentations and other files not used in hacking, making it unlikely that the Shadow Brokers had simply grabbed tools left on the internet by sloppy N.S.A. hackers.

    Some officials doubt that the Shadow Brokers got it all by hacking the most secure of American government agencies — hence the search for insiders. But some T.A.O. hackers think that skilled, persistent attackers might have been able to get through the N.S.A.’s defenses — because, as one put it, “I know we’ve done it to other countries.”
    ...

    And that’s all part of why there are ongoing fears that the leaker is still in the agency:

    ...
    But according to former N.S.A. employees who are still in touch with active workers, investigators of the Shadow Brokers thefts are clearly worried that one or more leakers may still be inside the agency. Some T.A.O. employees have been asked to turn over their passports, take time off their jobs and submit to questioning. The small number of specialists who have worked both at T.A.O. and at the C.I.A. have come in for particular attention, out of concern that a single leaker might be responsible for both the Shadow Brokers and the C.I.A.’s Vault7 breaches.
    ...

    But despite those fears of an unknown insider, Russia appears to be one of the top suspects. Those suspicions appear to be partly based on interpretations of their public rants:

    ...
    One passage, possibly hinting at the Shadow Brokers’ identity, underscored the close relationship of Russian intelligence to criminal hackers. “Russian security peoples,” it said, “is becoming Russian hackeres at nights, but only full moons.”

    Russia is the prime suspect in a parallel hemorrhage of hacking tools and secret documents from the C.I.A.’s Center for Cyber Intelligence, posted week after week since March to the WikiLeaks website under the names Vault7 and Vault8. That breach, too, is unsolved. Together, the flood of digital secrets from agencies that invest huge resources in preventing such breaches is raising profound questions.
    ...

    So a joke about “Russian security peoples” becoming hackers is one ‘clue’. What else? Well, there’s this backstory: In 2014 US security firms (Symantec, Crowdstrike, and FireEye) reported that Moscow was behind certain hacking groups. Then Kaspersky, a Russian-based anti-virus firm, started incorporating code into its anti-virus software to stop the hacks revealed in the Snowden leaks. The NSA worked to replace its now-detectable malware with malware that the NSA was hoping Kaspersky hadn’t yet discovered. In February of 2015, Kaspersky issued a new round of updates based on its analysis of the “Equation Group” (a name used for the NSA’s T.A.O. team) and the NSA was relieved to find that Kaspersky hadn’t included some tools the NSA feared Kaspersky had already discovered. The agency breathed a sigh of relief, until August of 2016, when the Shadow Brokers started their leaks. That’s the big backstory that appears to be a significant part of why Russia is a prime culprit for this hack...that there was an ongoing US/Russian rivalry:

    ...
    Lurking in the background of the Shadow Brokers investigation is American officials’ strong belief that it is a Russian operation. The pattern of dribbling out stolen documents over many months, they say, echoes the slow release of Democratic emails purloined by Russian hackers last year.

    But there is a more specific back story to the United States-Russia rivalry.

    Starting in 2014, American security researchers who had been tracking Russia’s state-sponsored hacking groups for years began to expose them in a series of research reports. American firms, including Symantec, CrowdStrike and FireEye, reported that Moscow was behind certain attacks and identified government-sponsored Russian hacking groups.

    In the meantime, Russia’s most prominent cybersecurity firm, Kaspersky Lab, had started work on a report that would turn the tables on the United States. Kaspersky hunted for the spying malware planted by N.S.A. hackers, guided in part by the keywords and code names in the files taken by Mr. Snowden and published by journalists, officials said.

    Kaspersky was, in a sense, simply doing to the N.S.A. what the American companies had just done to Russian intelligence: expose their operations. And American officials believe Russian intelligence was piggybacking on Kaspersky’s efforts to find and retrieve the N.S.A.’s secrets wherever they could be found. The T.A.O. hackers knew that when Kaspersky updated its popular antivirus software to find and block the N.S.A. malware, it could thwart spying operations around the world.

    So T.A.O. personnel rushed to replace implants in many countries with new malware they did not believe the Russian company could detect.

    In February 2015, Kaspersky published its report on the Equation Group — the company’s name for T.A.O. hackers — and updated its antivirus software to uproot the N.S.A. malware wherever it had not been replaced. The agency temporarily lost access to a considerable flow of intelligence. By some accounts, however, N.S.A. officials were relieved that the Kaspersky report did not include certain tools they feared the Russian company had found.

    As it would turn out, any celebration was premature.

    On Aug. 13 last year, a new Twitter account using the Shadow Brokers’ name announced with fanfare an online auction of stolen N.S.A. hacking tools.

    “We hack Equation Group,” the Shadow Brokers wrote. “We find many many Equation Group cyber weapons.”
    ...

    Lurking in the background of the Shadow Brokers investigation is American officials’ strong belief that it is a Russian operation. The pattern of dribbling out stolen documents over many months, they say, echoes the slow release of Democratic emails purloined by Russian hackers last year.”

    As we can see, while the actual evidence doesn’t really appear to point toward this being a Russian hack, there’s a “strong belief” that this is all a Russian operation. And that strong belief appears to be based on a conviction that it just has to be the Russians, because of course it’s them.

    It’s a reminder that one of the most damaging aspects of the current cyber-Cold War between the US and Russian governments is the fact that it appears to have obscured in the minds of US officials the far-right libertarian Cypherpunk Cold War against government everywhere.

    Posted by Pterrafractyl | November 15, 2017, 4:39 pm
