Spitfire List Web site and blog of anti-fascist researcher and radio personality Dave Emory.

For The Record  

FTR #960 Update on the High Profile Hacks


This broadcast was recorded in one, 60-minute segment.

Introduction: As indicated by the title, this broadcast updates the high-profile hacks, at the epicenter of “Russia Gate,” the brutal political fantasy that is at the core of American New Cold War propaganda and that may well lead to World War III.

(Other programs dealing with this subject include: FTR #s 917, 923, 924, 940, 943, 958, 959.)

As we have noted in many previous broadcasts and posts, cyber attacks are easily disguised. Perpetrating a “cyber false flag” operation is disturbingly easy to do. In a world where the verifiably false and physically impossible “controlled demolition”/Truther nonsense has gained traction, cyber false flag ops are all the more threatening and sinister.

Now, we learn that the CIA’s hacking tools are specifically crafted to mask CIA authorship of the attacks. Most significant, for our purposes, is the fact that the Agency’s hacking tools are engineered in such a way as to permit the authors of the event to represent themselves as Russian.

This is of paramount significance in evaluating the increasingly neo-McCarthyite New Cold War propaganda about “Russian interference” in the U.S. election.

We then highlight the recent conclusions of the French cyberintelligence chief (Guillaume Poupard) and his warnings about the incredible dangers of cyber-misattribution–the ease with which any random hacker could carry out a spear-phishing attack, and his bafflement at the NSA’s recent Russian attribution of the spear-phishing French election hacks.

Characteristic of the disingenuous, propagandistic spin of American news media on Putin/Russia/the high profile hacks is a New York Times article that accuses Putin of laying down a propaganda veil to cover for alleged Russian hacking, omitting his remarks that–correctly–note that contemporary technology easily permits the misattribution of cyber espionage/hacking.

We then review the grotesquely dark comic nature of the Macron hacks (supposedly done by “Russian intelligence”).

Those “Russian government hackers” really need an OPSEC refresher course. The hacked documents in the “Macron hack” not only contained Cyrillic text in the metadata, but also contained the name of the last person to modify the documents. That name, “Roshka Georgiy Petrovich”, belongs to an employee at Evrika, a large IT company that does work for the Russian government, including the FSB (Russian intelligence).

Also found in the metadata is the email of the person who uploaded the files to “archive.org”, and that email address, frankmacher1@gmx.de, is registered with a German free webmail provider used previously in 2016 phishing attacks against the CDU in Germany that have been attributed to APT28. It would appear that the “Russian hackers” not only left clues suggesting it was Russian hackers behind the hack, but they decided to name names this time–their own names.

In related news, a group of cybersecurity researchers studying the Macron hack has concluded that the modified documents were doctored by someone associated with The Daily Stormer neo-Nazi website and Andrew “the weev” Auernheimer.

Auernheimer was a guest at Glenn Greenwald and Laura Poitras’s party celebrating their receipt of the Polk award.

“‘We strongly believe that the fake offshore documents were created by someone with control of the Daily Stormer server,’ said Tord Lundström, a computer forensics investigator at Virtualroad.org. . . .”

The public face and site publisher of The Daily Stormer is Andrew Anglin. But look who the site is registered to: Andrew Auernheimer (the site architect), who apparently resided in Ukraine as of the start of this year.

The analysis from the web-security firm Virtualroad.org indicates that someone associated with the Daily Stormer modified those faked documents–very possibly a highly skilled neo-Nazi hacker like “the weev”.

Based on analysis of how the document dump unfolded, it’s looking like the inexplicably self-incriminating “Russian hackers” may have been a bunch of American neo-Nazis. Imagine that.

In FTR #917, we underscored the genesis of the Seth Rich murder conspiracy theory with WikiLeaks and Julian Assange, who was in touch with Roger Stone during the 2016 campaign. (Stone functioned as the unofficial dirty tricks specialist for the Trump campaign, a role he has played–with relish–since Watergate.)

The far-right Seth Rich murder conspiracy theory acquired new gravitas, thanks in part to Kim Schmitz, aka “Kim Dotcom.” We examined Schmitz at length in FTR #812. A synoptic overview of the political and professional orientation of Kim Dotcom is excerpted from that broadcast’s description: “A colleague of Eddie the Friendly Spook [Snowden], Julian Assange and Glenn Greenwald, Kim Schmitz [aka “Kim Dotcom”] espouses the same libertarian/free market ideology underlying the “corporatism” of Benito Mussolini. With an extensive criminal record in Germany and elsewhere, “Der Dotcommandant” has eluded serious punishment for his offenses, including executing the largest insider trading scheme in German history.

Embraced by the file-sharing community and elements of the so-called progressive sector, Dotcom actually allied himself with John Banks and his far-right ACT Party in New Zealand. His embrace of the so-called progressive sector came later and is viewed as having damaged left-leaning parties at the polls. Dotcom is enamored of Nazi memorabilia and owns a rare, author-autographed copy of ‘Mein Kampf.’ . . .”

Program Highlights Include:

  • The dissemination of the Seth Rich disinformation by Fox News and Rush Limbaugh, generated by WikiLeaks, Roger Stone and Kim Dotcom.
  • Kim Dotcom’s tweeting of an admittedly phony document about the Seth Rich BS.
  • Dotcom’s refusal to retract his tweet of the phony document.
  • Review of the Shadow Brokers non-hack of the NSA.
  • Review of the Shadow Brokers’ use of white supremacist propaganda.
  • Review of the role of Crowdstrike’s Dimitri Alperovitch in the dissemination of the “Russia did it” propaganda.
  • Review of the role of Ukrainian fascist Alexandra Chalupa in the dissemination of the “Russia did it” propaganda.

1a. As we have noted in many previous broadcasts and posts, cyber attacks are easily disguised. Perpetrating a “cyber false flag” operation is disturbingly easy to do. In a world where the verifiably false and physically impossible “controlled demolition”/Truther nonsense has gained traction, cyber false flag ops are all the more threatening and sinister.

Now, we learn that the CIA’s hacking tools are specifically crafted to mask CIA authorship of the attacks. Most significant, for our purposes, is the fact that the Agency’s hacking tools are engineered in such a way as to permit the authors of the event to represent themselves as Russian.

This is of paramount significance in evaluating the increasingly neo-McCarthyite New Cold War propaganda about “Russian interference” in the U.S. election.

“WikiLeaks Vault 7 Part 3 Reveals CIA Tool Might Mask Hacks as Russian, Chinese, Arabic” by Stephanie Dube Dwilson; Heavy; 4/3/2017.

This morning, WikiLeaks released part 3 of its Vault 7 series, called Marble. Marble reveals CIA source code files along with decoy languages that might disguise viruses, trojans, and hacking attacks. These tools could make it more difficult for anti-virus companies and forensic investigators to attribute hacks to the CIA. Could this call the source of previous hacks into question? It appears that yes, this might be used to disguise the CIA’s own hacks to appear as if they were Russian, Chinese, or from specific other countries. These tools were in use in 2016, WikiLeaks reported.

It’s not known exactly how this Marble tool was actually used. However, according to WikiLeaks, the tool could make it more difficult for investigators and anti-virus companies to attribute viruses and other hacking tools to the CIA. Test examples weren’t just in English, but also Russian, Chinese, Korean, Arabic, and Farsi. This might allow a malware creator to not only look like they were speaking in Russian or Chinese, rather than in English, but to also look like they tried to hide that they were not speaking English, according to WikiLeaks. This might also hide fake error messages or be used for other purposes. . . .

1b. We then review the recent conclusions of the French cyberintelligence chief and his warnings about the incredible dangers of cyber-misattribution–the ease with which any random hacker could carry out a spear-phishing attack, and his bafflement at the NSA’s recent Russian attribution of the spear-phishing French election hacks.

“French Security Chief Warns of Risk for ‘Permanent War’ in Cyberspace”; CBS News; 06/02/2017

Cyberspace faces an approaching risk of “permanent war” between states and criminal or extremist organizations because of increasingly destructive hacking attacks, the head of the French government’s cybersecurity agency warned Thursday.

In a wide-ranging interview in his office with The Associated Press, Guillaume Poupard lamented a lack of commonly agreed rules to govern cyberspace and said: “We must work collectively, not just with two or three Western countries, but on a global scale.”

“With what we see today – attacks that are criminal, from states, often for espionage or fraud but also more and more for sabotage or destruction – we are getting closer, clearly, to a state of war, a state of war that could be more complicated, probably, than those we’ve known until now,” he said.

His comments echoed testimony from the head of the U.S. National Security Agency, Adm. Michael Rogers, to the Senate Armed Services Committee on May 9. Rogers spoke of “cyber effects” being used by states “to maintain the initiative just short of war” and said: “‘Cyber war’ is not some future concept or cinematic spectacle, it is real and here to stay.”

Poupard said “the most nightmare scenario, the point of view that Rogers expressed and which I share” would be “a sort of permanent war — between states, between states and other organizations, which can be criminal and terrorist organizations — where everyone will attack each other, without really knowing who did what. A sort of generalized chaos that could affect all of cyberspace.”

Poupard is director general of the government cyber-defense agency known in France by its acronym, ANSSI. Its agents were immediately called to deal with the aftermath of a hack and massive document leak that hit the election campaign of President Emmanuel Macron just two days before his May 7 victory.

Macron’s political movement said the unidentified hackers accessed staffers’ personal and professional emails and leaked campaign finance material and contracts — as well as fake decoy documents — online.

Contrary to Rogers, who said the U.S. warned France of “Russian activity” before Macron’s win, Poupard didn’t point the finger at Russia. He told the AP that ANSSI’s investigation found no trace behind the Macron hack of the notorious hacking group APT28 — identified by the U.S. government as a Russian intelligence outfit and blamed for hacks of the U.S. election campaign, anti-doping agencies and other targets. The group also is known by other names, including “Fancy Bear.”

Poupard described the Macron campaign hack as “not very technological” and said: “The attack was so generic and simple that it could have been practically anyone.”

Without ruling out the possibility that a state might have been involved, he said the attack’s simplicity “means that we can imagine that it was a person who did this alone. They could be in any country.”

“It really could be anyone. It could even be an isolated individual,” he said.

Poupard contrasted the “Macron Leaks” hack with another far more sophisticated attack that took French broadcaster TV5 Monde off the air in 2015. There, “very specific tools were used to destroy the equipment” in the attack that “resembles a lot what we call collectively APT28,” he said.

“To say ‘Macron Leaks’ was APT28, I’m absolutely incapable today of doing that,” he said. “I have absolutely no element to say whether it is true or false.”

Rogers, the NSA director, said in his Senate Armed Services hearing that U.S. authorities gave their French counterparts “a heads-up” before the Macron documents leaked that: “‘We are watching the Russians. We are seeing them penetrate some of your infrastructure. Here is what we have seen. What can we do to try to assist?’”

Poupard said Rogers’ comments left him perplexed and that the French had long been on alert about potential threats to their presidential election.

“Why did Admiral Rogers say that, like that, at that time? It really surprised me. It really surprised my European allies. And to be totally frank, when I spoke about it to my NSA counterparts and asked why did he say that, they didn’t really know how to reply either,” he said. “Perhaps he went further than what he really wanted to say.”

Still, Poupard said the attack highlighted the cyber-threat to democratic processes. “Unfortunately, we now know the reality that we are going to live with forever, probably,” he said.

The attack on TV5 was a rare public example. In 2016, others targeted government administrations and big companies quoted on the benchmark French stock market index, the CAC-40, he said.

Pointing fingers at suspected authors is fraught with risk, because sophisticated attackers can mask their activities with false trails, he said.

“We suffered attacks that were attributed to China, that we think came from China. Among them, some came from China. China is big, I don’t know if it was the state, criminals,” he said. “What I am certain of is that among these attacks, some strangely resembled Chinese attacks but in fact didn’t come from China.”

“If you start to accuse one country when in fact it was another country … we’ll get international chaos,” he said. “We’ll get what we all fear, which is to say a sort of permanent conflict where everyone is attacking everyone else.”

1c. Mr. Poupard denied the NSA/U.S. assertion that APT28 aka “Cozy Bear/Fancy Bear/Russia” hacked the French election.

“French Cyber Security Leader: No Trace of Russian Hacking Group in Emmanuel Macron Campaign Leaks”; Associated Press; 06/01/2017

The head of the French government’s cyber security agency, which investigated leaks from President Emmanuel Macron’s election campaign, says they found no trace of a notorious Russian hacking group behind the attack.

In an interview in his office Thursday with The Associated Press, Guillaume Poupard said the Macron campaign hack “was so generic and simple that it could have been practically anyone.”

He said they found no trace that the Russian hacking group known as APT28, blamed for other attacks including on the U.S. presidential campaign, was responsible.

Poupard is director general of the government cyber-defense agency known in France by its acronym, ANSSI. Its experts were immediately dispatched when documents stolen from the Macron campaign leaked online on May 5 in the closing hours of the presidential race.

Poupard says the attack’s simplicity “means that we can imagine that it was a person who did this alone. They could be in any country.”

2. A New York Times article by Andrew Higgins (one of the more flagrantly propagandizing NYT writers vis-à-vis Russia/Ukraine) spins Vladimir Putin’s comments about Russian hacking. The Times portrayed his comments as “giving an out” to the nonsense about Russia hacking U.S. elections. What the Times eclipsed (along with other U.S. media) was the conclusion of Putin’s comments. He noted that hacking is very easily disguised and misrepresented.

“Maybe Private Russian Hackers Meddled in Election, Putin Says” by Andrew Higgins; The New York Times; 06/01/2017

. . . . An expert at muddying the waters and creating confusion, Mr. Putin advanced a number of alternative theories that could help Moscow address any firm evidence that might emerge as a trail leading to Russia.

Stating that modern technology can easily be manipulated to create a false trail, he said, “I can imagine that someone is doing this purposefully — building the chain of attacks so that the territory of the Russian Federation appears to be the source of that attack.” He added, “Modern technologies allow to do that kind of thing; it’s rather easy to do.”

Mr. Putin appeared to be repeating an argument he first made earlier in the week in an interview with the French newspaper Le Figaro.

“I think that he was totally right when he said it could have been someone sitting on their bed or somebody intentionally inserted a flash drive with the name of a Russian national, or something like that,” Mr. Putin told the French newspaper, referring to Mr. Trump. “Anything is possible in this virtual world. Russia never engages in activities of this kind, and we do not need it. It makes no sense for us to do such things. What for?” . . .

3. Those “Russian government hackers” really need an OPSEC refresher course. The hacked documents in the “Macron hack” not only contained Cyrillic text in the metadata, but also contained the name of the last person to modify the documents. And that name, “Roshka Georgiy Petrovich”, belongs to an employee at Evrika, a large IT company that does work for the Russian government, including the FSB.

Also found in the metadata is the email of the person who uploaded the files to “archive.org”, and that email address, frankmacher1@gmx.de, is registered with a German free webmail provider used previously in 2016 phishing attacks against the CDU in Germany that have been attributed to APT28. It would appear that the ‘Russian hackers’ not only left clues suggesting it was Russian hackers behind the hack, but they decided to name names this time–their own names.

Not surprisingly, given the fascist nature of WikiLeaks, they concluded that Russia was behind the hacks. (For more on the fascist nature of WikiLeaks, see FTR #s 724, 725, 732, 745, 755, 917.)

“Evidence Suggests Russia Behind Hack of French President-Elect” by Sean Gallagher; Ars Technica; 5/8/2017.

Russian security firms’ metadata found in files, according to WikiLeaks and others.

Late on May 5 as the two final candidates for the French presidency were about to enter a press blackout in advance of the May 7 election, nine gigabytes of data allegedly from the campaign of Emmanuel Macron were posted on the Internet in torrents and archives. The files, which were initially distributed via links posted on 4Chan and then by WikiLeaks, had forensic metadata suggesting that Russians were behind the breach—and that a Russian government contract employee may have falsified some of the dumped documents.

Even WikiLeaks, which initially publicized the breach and defended its integrity on the organization’s Twitter account, has since acknowledged that some of the metadata pointed directly to a Russian company with ties to the government:

#MacronLeaks: name of employee for Russian govt security contractor Evrika appears 9 times in metadata for “xls_cendric.rar” leak archive pic.twitter.com/jyhlmldlbL — WikiLeaks (@wikileaks) May 6, 2017

Evrika (“Eureka”) ZAO is a large information technology company in St. Petersburg that does some work for the Russian government, and the group includes the Federal Security Service of the Russian Federation (FSB) among its acknowledged customers (as noted in this job listing). The company is a systems integrator, and it builds its own computer equipment and provides “integrated information security systems.” The metadata in some Microsoft Office files shows the last person to have edited the files to be “Roshka Georgiy Petrovich,” a current or former Evrika ZAO employee.

According to a Trend Micro report on April 25, the Macron campaign was targeted by the Pawn Storm threat group (also known as “Fancy Bear” or APT28) in a March 15 “phishing” campaign using the domain onedrive-en-marche.fr. The domain was registered by a “Johny Pinch” using a Mail.com webmail address. The same threat group’s infrastructure and malware was found to be used in the breach of the Democratic National Committee in 2016, in the phishing attack targeting members of the presidential campaign of former Secretary of State Hillary Clinton, and in a number of other campaigns against political targets in the US and Germany over the past year.

The metadata attached to the upload of the Macron files also includes some identifying data with an e-mail address for the person uploading the content to archive.org:

Well this is fun pic.twitter.com/oXsH83snCS — Pwn All The Things (@pwnallthethings) May 6, 2017

The e-mail address of the uploader, frankmacher1@gmx.de, is registered with a German free webmail provider used previously in 2016 Pawn Storm / APT28 phishing attacks against the Christian Democratic Union, German Chancellor Angela Merkel’s political party.

The involvement of APT28, the editing of some documents leaked by someone using a Russian version of Microsoft Office, and the attempt to spread the data through amplification in social media channels such as 4Chan, Twitter, and Facebook—where a number of new accounts posted links to the data—are all characteristics of the information operations seen during the 2016 US presidential campaign.
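The Office metadata the article leans on (a lastModifiedBy field carrying a Cyrillic name) is nothing more than free text in docProps/core.xml inside the OOXML zip container, written by whichever application last saved the file. The Python below is added here as an illustration and is not code from the article or from this program; it builds a constructed .docx in memory with constructed names, extracts those core properties the way a forensic triage script would, and goes one step further than the article by reporting which Unicode scripts the author fields use.

```python
"""Extract OOXML (.docx/.xlsx) core-properties metadata and flag non-Latin author names.

An Office document is a zip archive; docProps/core.xml carries creator,
lastModifiedBy and timestamps as plain text. The sample package below is
constructed in memory so the script runs offline with no real leak file.
"""
import io
import unicodedata
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by the OOXML core-properties part.
DC = "http://purl.org/dc/elements/1.1/"
CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DCTERMS = "http://purl.org/dc/terms/"

# Field name -> element tag in Clark notation, i.e. "{namespace}localname".
CORE_FIELDS = {
    "creator": f"{{{DC}}}creator",
    "lastModifiedBy": f"{{{CP}}}lastModifiedBy",
    "created": f"{{{DCTERMS}}}created",
    "modified": f"{{{DCTERMS}}}modified",
}


def build_sample_docx(creator: str, last_modified_by: str) -> bytes:
    """Build a minimal OOXML package in memory (constructed sample, not a real document)."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<cp:coreProperties xmlns:cp="{CP}" xmlns:dc="{DC}" xmlns:dcterms="{DCTERMS}" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        f"<dc:creator>{creator}</dc:creator>"
        f"<cp:lastModifiedBy>{last_modified_by}</cp:lastModifiedBy>"
        '<dcterms:created xsi:type="dcterms:W3CDTF">2017-05-01T10:00:00Z</dcterms:created>'
        '<dcterms:modified xsi:type="dcterms:W3CDTF">2017-05-05T18:30:00Z</dcterms:modified>'
        "</cp:coreProperties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")  # placeholder part, not parsed here
        zf.writestr("docProps/core.xml", core)
        zf.writestr("word/document.xml", "<w:document/>")  # placeholder body
    return buf.getvalue()


def scripts_in(text: str) -> set[str]:
    """Return the Unicode script families (first word of each letter's name) present in text."""
    found = set()
    for ch in text:
        if ch.isalpha():
            found.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return found


def extract_core_properties(docx_bytes: bytes) -> dict[str, str]:
    """Read docProps/core.xml from the package and return the attribution-relevant fields."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "docProps/core.xml" not in zf.namelist():
            return {}
        root = ET.fromstring(zf.read("docProps/core.xml"))
    props = {}
    for key, tag in CORE_FIELDS.items():
        node = root.find(tag)
        props[key] = (node.text or "") if node is not None else ""
    return props


def triage(docx_bytes: bytes) -> dict:
    """Summarise who the package *claims* created and last edited it, and in which script.

    The values are whatever the saving application wrote; they are a lead for
    an investigator to corroborate, not evidence of who actually touched the file.
    """
    props = extract_core_properties(docx_bytes)
    report = {"properties": props, "scripts": {}}
    for field in ("creator", "lastModifiedBy"):
        report["scripts"][field] = sorted(scripts_in(props.get(field, "")))
    report["non_latin_author"] = any(
        script != "LATIN" for scripts in report["scripts"].values() for script in scripts
    )
    return report


if __name__ == "__main__":
    # Constructed names only; nothing here is taken from the leaked archives.
    sample = build_sample_docx("analyst", "Иванов Иван")
    print(triage(sample))
```

Pointing the same `triage()` at a real package only tells you what its core.xml says, which is why the article's "Russian version of Microsoft Office" inference and Poupard's warning about false trails are two sides of the same coin.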


Andrew Auernheimer aka “Weev”: Guest at Glenn Greenwald’s party

4. In related news, a group of cybersecurity researchers studying the Macron hack has concluded that the modified documents were doctored by someone associated with The Daily Stormer neo-Nazi website and Andrew “the weev” Auernheimer.

Auernheimer was a guest at Glenn Greenwald and Laura Poitras’s party celebrating their receipt of the Polk award.

“‘We strongly believe that the fake offshore documents were created by someone with control of the Daily Stormer server,’ said Tord Lundström, a computer forensics investigator at Virtualroad.org. . . .”

Who is in control of the Daily Stormer? Well, its public face and publisher is Andrew Anglin. But look who the site is registered to: Andrew Auernheimer, who apparently resided in Ukraine as of the start of this year:

The analysis from the web-security firm Virtualroad.org indicates that someone associated with the Daily Stormer modified those faked documents. Like, perhaps, a highly skilled neo-Nazi hacker like “the weev”.

Based on an analysis of how the document dump unfolded, it’s looking like the inexplicably self-incriminating ‘Russian hackers’ may have been a bunch of American neo-Nazis. Imagine that.

“U.S. Hacker Linked to Fake Macron Documents, Says Cybersecurity Firm” by David Gauthier-Villars; The Wall Street Journal; 5/16/2017.

Ties between an American’s neo-Nazi website and an internet campaign to smear Macron before French election are found

A group of cybersecurity experts has unearthed ties between an American hacker who maintains a neo-Nazi website and an internet campaign to smear Emmanuel Macron days before he was elected president of France.

Shortly after an anonymous user of the 4chan.org discussion forum posted fake documents purporting to show Mr. Macron had set up an undisclosed shell company in the Caribbean, the user directed people to visit nouveaumartel.com for updates on the French election.

That website, according to research by web-security provider Virtualroad.org, is registered by “Weevlos,” a known online alias of Andrew Auernheimer, an American hacker who gained notoriety three years ago when a U.S. appeals court vacated his conviction for computer fraud. The site also is hosted by a server in Latvia that hosts the Daily Stormer, a neo-Nazi news site that identifies its administrator as “Weev,” another online alias of Mr. Auernheimer, Virtualroad.org says.

“We strongly believe that the fake offshore documents were created by someone with control of the Daily Stormer server,” said Tord Lundström, a computer forensics investigator at Virtualroad.org.

Through Tor Ekeland, the lawyer who represented him in the computer-fraud case in the U.S., Mr. Auernheimer said he “doesn’t have anything to say.”

A French security official said a probe into the fake documents was looking into the role of far-right and neo-Nazi groups but declined to comment on the alleged role of Mr. Auernheimer.

In the run-up to the French election, cybersecurity agencies warned Mr. Macron’s aides that Russian hackers were targeting his presidential campaign, according to people familiar with the matter. On May 5, nine gigabytes of campaign documents and emails were dumped on the internet. The Macron campaign and French authorities have stopped short of pinning blame for the hack on the Kremlin.

Intelligence and cybersecurity investigators examining the flurry of social-media activity leading up to the hack followed a trail of computer code they say leads back to the American far-right.

Contacted by email over the weekend, the publisher of the Daily Stormer, Andrew Anglin, said he and Mr. Auernheimer had used their news site to write about the fake documents because “We follow 4chan closely and have a more modern editorial process than most sites.”

When asked if he or Mr. Auernheimer were behind the fake documents, Mr. Anglin stopped replying.

Mr. Auernheimer was sentenced to 41 months in prison by a U.S. court in late 2012 for obtaining the personal data of thousands of iPad users through an AT&T website. In April 2014, an appeals court vacated his conviction on the grounds that the venue of the trial, in New Jersey, was improper.

Asked if Mr. Auernheimer resided in Ukraine, as a January post on a personal blog indicates, his lawyer said: “I think this is about right.”

The day after the data dump, French security officials summoned their U.S. counterparts stationed in Paris to formally request a probe of the role American far-right websites might have played in disseminating the stolen data, according to a Western security official. A U.S. security official had no comment.

Mounir Mahjoubi, who was in charge of computer security for Mr. Macron’s campaign, said far-right groups, or “an international collective of conservatives,” may have coordinated to disrupt the French election.

“We will take time to do analysis, to deconstruct who really runs these groups,” Mr. Mahjoubi told French radio last week. He couldn’t be reached for comment.

French prosecutors have launched formal probes into both the fake documents and the data dump.

The phony documents intended to smear Mr. Macron were posted to 4chan.org twice by an anonymous user, first on May 3 and again on May 5 using higher-resolution files.

Soon after the second post, several 4chan.org users in the same online conversation below the post appeared to congratulate Mr. Auernheimer.

“Weev… you’re doing the lord’s work,” wrote one of the anonymous users.


5. The far-right Seth Rich mur­der con­spir­a­cy the­o­ry acquired new grav­i­tas, thanks in part to Kim Schmitz, aka “Kim Dot­com.” We exam­ined Schmitz at length in FTR #812. A syn­op­tic overview of the polit­i­cal and pro­fes­sion­al ori­en­ta­tion of Kim Dot­com is excerpt­ed from that broad­cast’s descrip­tion: “A col­league of Eddie the Friend­ly Spook [Snow­den], Julian Assange and Glenn Green­wald, Kim Schmitz, aka “Kim Dot­com”] espous­es the same libertarian/free mar­ket ide­ol­o­gy under­ly­ing the “cor­po­ratism” of Ben­i­to Mus­soli­ni. With an exten­sive crim­i­nal record in Ger­many and else­where, “Der Dot­com­man­dant” has elud­ed seri­ous pun­ish­ment for his offens­es, includ­ing exe­cut­ing the largest insid­er trad­ing scheme in Ger­man his­to­ry.

Embraced by the file-shar­ing com­mu­ni­ty and ele­ments of the so-called pro­gres­sive sec­tor, Dot­com actu­al­ly allied him­self with John Banks and his far-right ACT Par­ty in New Zealand. His embrace of the so-called pro­gres­sive sec­tor came lat­er and is viewed as hav­ing dam­aged left-lean­ing par­ties at the polls. Dot­com is enam­ored of Nazi mem­o­ra­bil­ia and owns a rare, author-auto­graphed copy of ‘Mein Kampf.’ . . .”

6. Right-wing media is going to keep bit­ing on Dotcom’s nuggets of ‘tes­ti­mo­ny’, giv­en its seem­ing­ly insa­tiable appetite for this sto­ry­line already and the long-held appetite for seem­ing­ly any sto­ry­line that pro­motes the ‘Clin­ton Body Count’ nar­ra­tive and por­trays Hillary and ‘Kil­lary’.

“The Bonkers Seth Rich Conspiracy Theory, Explained” by Jeff Guo; Vox; 05/24/2017

The life of Seth Rich, a 27-year-old Democratic National Committee staffer, ended nearly a year ago when he was shot to death near his house in Washington, DC. Then came the tragic and bizarre afterlife: Since July, Rich has been the focus of intense right-wing conspiracy theories that have only escalated as the Trump administration’s scandals have deepened.

As the police have repeatedly stated, there is no evidence that Rich’s death was anything other than the consequence of a botched robbery. But some people, especially on the right, believe Rich was murdered by the Clintons for knowing too much about something. The most recent theories claim that Rich, not the Russians, was responsible for leaking the emails, published in WikiLeaks, that revealed Democratic party leaders had talked disparagingly about Bernie Sanders.

Thanks to an erroneous Fox News story last week, which was finally retracted on Tuesday, Rich recently became the focus of an intense media blitz from conservative outlets — many of which were eager for something to talk about besides the scandals swirling around Donald Trump.

Fox News’s Sean Hannity was one of the most enthusiastic rumormongers, devoting segments on three separate occasions last week to Rich. Even after Fox News retracted its story, Hannity promised he would continue to investigate. “I retracted nothing,” he said defiantly on his radio show Tuesday.

Rich’s family has been begging right-wing news outlets to stop spreading unfounded rumors about him, but by now the situation seems to have gotten out of control.

In death, Rich has become a martyr to the right, buoyed by a host of characters each with their own ulterior motives: There is WikiLeaks founder Julian Assange, who wants to downplay the connections between WikiLeaks and the Russians; there are the Clinton haters, who want to spread the idea that the Clintons are murderers; there are the Trump supporters, who want to minimize the idea that Russian hackers helped deliver the election to their candidate; and there are the talking heads on Fox News, who last week needed something other than negative Trump stories to make conversation about.

We might not know who killed Seth Rich, but we do know who turned his legacy into a textbook study of where fake news comes from, how it spreads, and the victims it creates.

Seth Rich was murdered in a senseless act of violence

Seth Rich worked in Democratic politics for most of his career. He grew up and went to college in Omaha, Nebraska, where as a student he volunteered on two Democratic Senate campaigns. After graduating, he moved to Washington, DC, for a job at Greenberg Quinlan Rosner, a progressive opinion research and consulting firm. He was later hired by the Democratic National Committee, where he worked on a project to help people find where to vote.

On Sunday, July 10, Rich was shot to death about a block from where he lived in the Bloomingdale neighborhood of DC. Gunshot detection microphones place the time of the shooting at around 4:20 am. Rich had last been seen at around 1:30 am leaving Lou’s City Bar in Columbia Heights, about a 40-minute walk from where he lived.

It is unclear exactly what happened during those three intervening hours. The Washington Post reported that, according to his parents, cellphone records show that Rich called his girlfriend at 2:05 am and talked to her for more than two hours. He hung up just minutes before he was shot.

The police found Rich on the sidewalk with multiple gunshot wounds, at least two in the back. He still had his watch, his cellphone, and his wallet. There were signs of a struggle: bruises on his hands, knees, and face, and a torn wristwatch strap. According to the police report, he was still “conscious and breathing.” Family members say they were told that Rich was “very talkative,” though it is not publicly known if he was able to describe his assailant or assailants. Rich died a few hours later in the hospital.

The police suspected Rich had been the victim of an attempted robbery. Bloomingdale is a gentrifying part of Washington that still suffers from violent crime. In 2016, there were 24 reported robberies with a gun that occurred within a quarter-mile of the street corner where Rich was shot.

The first conspiracy theories grew out of the “Clinton body count” rumor

Almost immediately after news of Rich’s death, conspiracy theories began circulating on social media. A few factors helped make Rich a target of speculation:

* The murderers left behind Rich’s valuables. (Though, by that same paranoid logic, wouldn’t a professional hitman have taken Rich’s wallet and phone in order to make it look like a regular mugging?)
* Rich worked at the DNC, where in December there had been a minor scandal involving a software glitch that allowed the Bernie Sanders campaign to access private voter data collected by the Clinton campaign.
* Hillary Clinton had just clinched the nomination after a surprisingly bruising primary, and there were still sore feelings in the air.
* There’s a long-running conspiracy theory that the Clintons have assassinated dozens of their political enemies.

If those facts don’t seem to add up to a coherent story, well, you’re thinking too hard. Conspiracy theories don’t operate logically. They start from an assumption — for instance, “the Clintons are shady” — and spiral outward in search of corroboration.

On Reddit, for instance, one user wrote a 1,400-word post listing things that he found “suspicious.” Here were some of the stray facts the redditor claimed were evidence of a hit job by the DNC or the Clintons:

* Rich’s former employer, Greenberg Quinlan Rosner, once did some consulting work for British Petroleum. (“Is it possible that Mr. Rich was aware of the public’s disdain for oil industry/fracking?”)
* Rich once worked on Ben Nelson’s campaign for senator. (“[Nelson] contributed a crucial vote to help pass Obamacare back in 2009.”)
* The political conventions were coming up. (“The TIMING of this tragedy seems too ‘coincidental’”)

It’s unclear what any of these facts have to do with the Clintons, but somehow the Reddit user concluded: “given his position & timing in politics, I believe Seth Rich was murdered by corrupt politicians for knowing too much information on election fraud.”

Others on Twitter and the trolling website 4chan also speculated that Rich might have crossed the Clintons in some way. Rich’s death seemed to fit in with the “Clinton body count” theory, which dates to the 1990s and claims that the Clintons are so vindictive that they hire hitmen to murder people they don’t like.

People who believe the Clintons are murderers often point to deputy White House counsel Vince Foster, who suffered from clinical depression and died of a gunshot wound to the mouth in 1993. Several investigations all ruled Foster’s death a suicide, but some conservatives insisted there must have been foul play. They claimed that Foster, who was looking into the Clintons’ taxes, may have uncovered evidence of corruption in connection to the Whitewater controversy, a guilt-by-association scandal involving friends of the Clintons’.

The “Clinton body count” theory has endured over the years simply because people don’t live forever. Any time someone dies who was connected to the Clintons — and since Bill Clinton was the president of the United States, literally thousands of people were in his orbit — this theory is dredged up again by the tinfoil hat crowd. And then it slowly fades.

At first it seemed the speculation about Seth Rich would die down quickly as well. But then 12 days later, on July 22, WikiLeaks published thousands of private emails from the DNC, and Rich became a politically useful distraction.

Julian Assange and WikiLeaks supercharged the Seth Rich rumors

A month before Rich was murdered, the DNC admitted that Russian hackers had broken into its computer network, gaining access to all of the DNC’s emails. The thought of Russian interference in American politics was infuriating to Rich, according to one person “who was very close” to him, the Washington Post reported: “It was crazy. Especially for Seth. He said, ‘Oh, my God. We have a foreign entity trying to get involved in our elections?’ That made him so angry.”

When WikiLeaks released its dump of DNC emails on July 22, the obvious explanation was that it had obtained those emails from the Russian hackers. This connection was later confirmed by top US intelligence agencies, who concluded “with high confidence” that DNC servers were hacked by top Russian government hackers, who had then given the emails to WikiLeaks. “Moscow most likely chose WikiLeaks because of its self-proclaimed reputation for authenticity,” the US intelligence report explained, as well as for its connection to the Russian propaganda outlet Russia Today.

But WikiLeaks has repeatedly denied its ties to Russia, and ever since last summer it has used Seth Rich as a way to distract from claims that it abetted Russian interference in the US election. WikiLeaks founder Julian Assange had his own reasons to fear a Clinton presidency — as secretary of state, Clinton wanted to indict Assange for his involvement in releasing the millions of US diplomatic cables leaked by Chelsea Manning.

On Dutch television in August 2016, Assange hinted that Rich, not Russia, may have been the source for the WikiLeaks emails. “Whistleblowers go to significant efforts to get us material, and often very significant risks,” he said. “As a 27-year-old, works for the DNC, was shot in the back, murdered just a few weeks ago for unknown reasons as he was walking down the street in Washington.”

“Was he one of your sources then?” the anchor asked.

“We don’t comment on who our sources are,” Assange replied.

“Then why make the suggestion about a young guy being shot in the streets of Washington?” the anchor replied.

Pressed repeatedly for clarification, Assange concluded that “others, others have suggested that. We’re investigating to understand what happened in that situation with Seth Rich. I think it’s a concerning situation; there’s not a conclusion yet.”

As part of its “investigation,” WikiLeaks offered a $20,000 prize in August for information about Rich’s murder.

This is the point where Seth Rich became a prop in a game of international espionage.

Trump supporters and the alt-right amplified the theory that Rich was some kind of Democratic whistleblower or leaker, even though the facts didn’t really fit this pattern. He didn’t have access to the DNC emails, and he had never shown any prowess at hacking — being a data analyst involves a very different set of skills. Besides, the DNC wasn’t the only organization that was hacked: Clinton campaign chair John Podesta’s personal emails, for instance, were stolen separately, as were the emails at the Democratic Congressional Campaign Committee.

Nevertheless, many on the right were inspired by the WikiLeaks insinuations and started to concoct their own conspiracy theories about Rich’s murder. In August, former House speaker and presidential candidate Newt Gingrich told a conservative talk show host that Rich’s death was suspicious. “First of all, of course it’s worth talking about,” he said. “And if Assange says he is the source, Assange may know. That’s not complicated.”

That same month, Trump adviser Roger Stone claimed, without evidence, that Rich was murdered “on his way to meet with the FBI to discuss election fraud.”

To Trump supporters, the claim that Rich had been murdered by the Clintons had twofold appeal: It reinforced the rumor that the Clintons were shady operatives, and it distracted from the mounting evidence that Russia had interfered with the US election — possibly in collusion with the Trump campaign.

In the presidential debate on September 26, Trump famously suggested that it could have been a lone hacker who was responsible for the stolen DNC emails. “It could be Russia, but it could also be China. It could also be lots of other people. It also could be somebody sitting on their bed that weighs 400 pounds,” he said.

Thanks to a weird miscommunication, the conspiracy theory comes back in May

After the election, the conspiracy theories about Seth Rich faded from public consciousness, as the focus turned instead to the FBI’s investigation of connections between Trump staffers and Russian agents. Suspicions still bubbled in right-wing corners of Reddit and on alt-right websites like Gateway Pundit, and Assange continued to claim that it wasn’t the Russians who provided the hacked emails — but most of America had moved on.

But Rich returned to the news last week, when the local TV station FOX 5 DC aired an interview with private investigator Rod Wheeler, who claimed that sources in the FBI told him there was evidence of a connection between Rich and WikiLeaks:

FOX 5 DC: You have sources at the FBI saying that there is information…

WHEELER: For sure…

FOX 5 DC: …that could link Seth Rich to WikiLeaks?

WHEELER: Absolutely. Yeah. That’s confirmed.

Conservative media outlets jumped on the story, which aired the night of Monday, May 15. By Tuesday morning, conservative outlets like Breitbart, the Blaze, and the Daily Caller all had their own pieces relaying Wheeler’s claims.

On Tuesday, Fox News added its own revelation: It claimed that an unnamed “federal investigator” had confirmed that Rich had been in contact with WikiLeaks. “I have seen and read the emails between Seth Rich and Wikileaks,” the source said, according to Fox News. Fox News additionally claimed this source had evidence that Rich had given thousands of DNC emails to WikiLeaks.

This was a two-source story: The report also said that Wheeler had independently corroborated what the anonymous “federal investigator” had told Fox News.

But here’s where it gets confusing. By Tuesday afternoon, Wheeler told CNN that he had misspoken. It turns out he didn’t have any evidence of his own.

What had happened, apparently, was that earlier in the week, Fox News had contacted Wheeler for its own story on Rich. That was when Wheeler learned that Fox News had a source alleging there was contact between Rich and WikiLeaks. When Wheeler went on local TV on Monday night to talk about Rich, he believed he was giving viewers a “preview” of the Fox News story set to run on Tuesday.

That, at least, is how Wheeler explained the situation to CNN last Tuesday. Somehow, through miscommunication or sloppy reporting, the Fox News report used Wheeler to back up its claims about the Rich-WikiLeaks connection. This was incorrect, Wheeler said. He had no independent knowledge.

“I only got that [information] from the reporter at Fox News,” he told CNN.

Yesterday, after leaving it up for a week, Fox News finally retracted its Seth Rich story, which was down to one anonymous source. “The article was not initially subjected to the high degree of editorial scrutiny we require for all our reporting,” an editor’s note explained. “Upon appropriate review, the article was found not to meet those standards and has since been removed.”

Conservative media has a field day

It’s unlikely that any of this would have been a big deal had there not been a stunning series of damaging reports about Donald Trump last week.

Among other things, it was revealed that Trump had shared state secrets with the Russians, that he had pressured FBI Director James Comey to drop his investigation into ties between Trump affiliates and Russia, and that the Russia probe had reached a current high-level White House official, who many suspect is Trump’s son-in-law, Jared Kushner.

One way the conservative media minimized all the bad news was to focus on other stories. The latest Seth Rich allegations became a welcome distraction from the constant revelations coming out of the Washington Post and the New York Times.

For instance, while most outlets were covering the revelation that Trump had volunteered classified information to Russians, the alt-right website Breitbart devoted its front page to the Seth Rich conspiracy. Breitbart even slammed the mainstream media for ignoring the rumors about Rich: “Silence from Establishment Media over Seth Rich WikiLeaks Report” was the title of one story.

Fox News in particular devoted outsize attention to the Rich story, repeatedly rehashing the conspiracy theory. On his 10 pm show, Fox pundit Sean Hannity devoted segments to Rich on Tuesday, Thursday, and Friday last week. “I’m not backing off asking questions even though there is an effort that nobody talk about Seth Rich,” he said on Friday night.

On Tuesday, even after Fox News retracted the story that ignited the latest round of speculation, Hannity remained convinced that the Seth Rich conspiracy theory had legs. “I am not Fox.com or FoxNews.com,” he said on his radio show. “I retracted nothing.”

Later that evening, on his television show, Hannity said that for now, he would stop talking about Rich “out of respect for the family’s wishes.” On Twitter, though, he was defiant, claiming that “liberal fascism” was trying to silence his voice.

“Ok TO BE CLEAR, I am closer to the TRUTH than ever,” he tweeted. “Not only am I not stopping, I am working harder.”

“Please retweet,” he added.

Rich was an unlucky victim of the conservative media

The recent attention has reignited the old Seth Rich conspiracy theories, bringing forth even more unsubstantiated claims.

On Fox News’s Sunday morning talk show, Newt Gingrich repeated his belief that Rich, not Russia, was responsible for the DNC hack. “It turns out, it wasn’t the Russians,” he said. “It was this young guy who, I suspect, was disgusted by the corruption of the Democratic National Committee.”

On Monday, Assange issued a cryptic tweet using the hashtag “#SethRich” which fanned the flames even further: “WikiLeaks has never disclosed a source. Sources sometimes talk to other parties but identities never emerge from WikiLeaks. #SethRich.”

And on Tuesday, New Zealand file-sharing entrepreneur Kim Dotcom, who is wanted by the US government for copyright infringement and racketeering, claimed that Rich had personally contacted him in 2014, and that the two had talked about “a number of topics including corruption and the influence of corporate money in politics.”

“I know that Seth Rich was involved in the DNC leak,” Dotcom wrote in a statement. . . .

Kim Dotcom manifesting the lifestyle of the politically and economically oppressed.

7. Kim Dotcom just tweeted out a document that’s allegedly from the FBI demonstrating that Seth Rich was indeed the source of the hacked DNC emails. The twist is that the document is a blatant fraud and Kim Dotcom acknowledges as much. Ol’ Kim decided to tweet it out anyway, asserting that there’s no need to delete the tweet promoting the fake document because, hey, he put up some subsequent tweets questioning its authenticity. Twist & spin.

However, there was another rather intriguing admission by Dotcom in the following interview, which asked him why he tweeted out documents he knew were fake: Dotcom is continuing to assert that he has evidence Rich was the source of the DNC hacks.

He’s just not ready to reveal it yet, but he strongly hints that the evidence has to do with his close ties to WikiLeaks. And then he refers back to a Bloomberg TV interview he did on May 13th, 2015, where Dotcom predicts that Julian Assange is going to be Hillary Clinton’s “worst nightmare” in the upcoming election. How so? Because, says Dotcom, Assange “has access to information,” without going into specifics.

Of fundamental importance to our understanding is the assertion by Craig Murray, former UK ambassador to Uzbekistan, that the information given to WikiLeaks wasn’t a hack at all, but information from a flash drive given to him by a DNC insider.

There may well have been hacks into the DNC and the e‑mail of John D. Podesta, but they were NOT Russian.

Dotcom refers to a May 2015 interview, long before Seth Rich would have been in a position to pass along emails, and before Rich would have had a motive if he really was a disillusioned Bernie-crat, but shortly before the time at which CrowdStrike “concluded” the DNC was initially hacked. In that interview Dotcom confidently asserts that Julian Assange already had a bunch of dirt on Hillary and was going to be her worst nightmare. And yet we didn’t really see any old embarrassing emails emerge from WikiLeaks during the campaign. Along with being incredibly sleazy, it’s all rather curious:

“Kim Dotcom Says FBI File About Seth Rich Is Fake, But He Won’t Delete It From Twitter” by Matt Novak; Gizmodo; 5/20/2017

Have you seen that FBI file, purporting to be about the death of DNC staffer Seth Rich? Kim Dotcom, who thrust himself into the story recently by telling Sean Hannity that he had evidence Rich had sent documents to Wikileaks, published the document on Twitter, helping to spread it online. Dotcom now acknowledges that the document is fake. But he told Gizmodo that he’s not going to delete it.

The fake FBI document was first published on a website called Borderland Alternative Media and it wasn’t long before it started to spread on social media, including by Kim Dotcom. Alex Jones’ Prison Planet picked it up, but has since deleted its own version of the story.

The internet’s interest in the July 2016 murder of Seth Rich revolves around claims that he leaked Democratic Party documents to Wikileaks, an idea that Julian Assange has hinted at repeatedly. The police say that Seth Rich’s murder was a robbery gone bad. But internet conspiracy theorists believe that Rich was killed as retribution for leaking emails about the DNC. Whatever the case, the FBI file is complete bullshit.

“I was skeptical. I tweeted that the document could be a fake and that the FBI has to weigh in about it,” Dotcom told me over direct message on Twitter.

The document is obviously fake to anyone who’s looked at real FBI files. For one thing, the FBI doesn’t use black to redact information, it uses white boxes. And much more damningly, the redactions include partial words and partial dates, as well as the partial redaction of its classification stamp, things that would never be done.

[see pics of hoax FBI documents]

You can see the comparison between the fake FBI file on Seth Rich (above left) with a recently obtained FBI file on military historian Robert Dorr (above right). It’s a sloppy fake.

“After doing some forensic analysis of the document I came to believe it is not authentic. And I have retweeted Wikileaks which came to the same conclusion,” Dotcom told me.

But as any Twitter user knows, tweets with incorrect information spread much faster than corrections. So I asked Dotcom why he didn’t delete the tweets with the fake FBI file.

“There is no need to delete those tweets because I have been very cautious and warned within an hour of the release of that document that it could be a fake,” Dotcom told me.

That all seemed reasonable, if misguided, to me. But then I asked Dotcom for evidence of his claims that he knows Rich was involved in the DNC leak. During our back and forth on Twitter DM, Dotcom sent me a message saying that he knew I wasn’t going to write a balanced piece, and insinuated that he simply knows because of his close ties to Wikileaks.

I just had a look at your twitter feed and it looks like you are very much anti-trump. And that’s ok. I already know that your story won’t be balanced. But this is not a Trump issue. Seth was a Sanders supporter. The progressives should ask what really happened to Seth. He’s one of yours. And they should be interested that the matters I have raised are properly investigated.

Please have a look at my Bloomberg interview in which I announced long before the election that Julian is going to be a problem for Clinton. My relations to Wikileaks are well known. I have said many times in the past that I have been a major donor and Julian has been a guest at my moment of Truth event.

How do you think I knew?

The Bloomberg interview Dotcom is referring to is from May 13, 2015, wherein he said that Assange would be “Clinton’s worst nightmare.” At this point, Clinton had just announced her candidacy a month earlier and Donald Trump hadn’t even entered the race yet.

Interviewer: You’re saying Julian Assange is going to be Hillary’s worst nightmare?

Dotcom: I think so, yeah.

Interviewer: How so?

Dotcom: Well, he has access to information.

Interviewer: What information?

Dotcom: I don’t know the specifics.

Interviewer: Why Hillary in particular?

Dotcom: Hillary hates Julian. She’s just an adversary, I think, of internet freedom.

Interviewer: And she signed your extradition request.

Dotcom: Yeah.

Interviewer: So, you have a bone to pick with her.

Dotcom: You know what the craziest thing is? I actually like Hillary. I like Obama. So it’s so crazy that all of this happened.

During the course of our conversation over Twitter DM, Dotcom pointed me to numerous links online, but none of them answered my basic question: How do you know that Seth Rich was involved in the DNC leak?

One of the links Dotcom sent me contained his open letter to the family of Seth Rich, who have asked Dotcom to stop spreading conspiracy theories about the murder of their son.

In that letter, Dotcom says “I simply wish to make sure that the investigators have the benefit of my evidence.” Again, I asked Dotcom for that evidence and he said that he would only show such things to the Rich family, at the advice of his lawyers and “out of respect for the Rich family.”

But Dotcom’s most recent public comment on the matter, a letter posted today directed to the FBI Special Counsel who are investigating the Trump regime’s ties to Russia, makes it look like Dotcom’s interest in the Seth Rich case may not be altogether altruistic.

Dotcom is originally from Germany but moved to New Zealand from Hong Kong in 2009, and is currently wanted in the United States for running the file hosting and sharing site Megaupload, which was accused of systematically violating copyright. His extradition to the US has been blocked repeatedly and he’s been in a state of legal limbo for years.

But Dotcom’s new letter to the FBI Special Counsel says that he’d be willing to share his evidence that Seth Rich was involved in leaking information to Wikileaks provided he’s given safe passage to the US:

Mr Dotcom is also committed to achieving an outcome where his evidence can be properly received and reviewed by you as part of the Investigation. You will, however, appreciate that, given his current status, he is not in a position to voluntarily leave New Zealand’s jurisdiction. Further, he is concerned that, should he travel to the United States voluntarily, he would be arrested and detained in custody on the current counts on which he has been indicted.

The letter goes on to say that after “special arrangements” have been made, he’ll be glad to travel to the US to give his evidence. One imagines that those special arrangements would involve dropping the case against him.

Accordingly, for Mr Dotcom to attend in person in the United States to make a statement, and/or give oral evidence at any subsequent hearing, special arrangements would need to be discussed and agreed between all relevant parties. Such arrangements would need to include arrangements for his safe passage from New Zealand and return. This is because Mr Dotcom is determined to clear his name in New Zealand.

So make of that what you will. Kim Dotcom clearly has reason to be angry at the US Justice Department, but if he really had evidence proving that a man was murdered for political reasons, it seems a bit shady to use it as a bargaining chip for your own freedom. It seems unlikely that the FBI would grant Dotcom’s request, so if he really does have any information on the Seth Rich case, we may never get to see it.

But given the fact that there’s virtually no evidence outside of the wildest conspiracy theory boards that Seth Rich was killed by anyone connected to the Clinton campaign, I wouldn’t hold my breath anyway.

8. The Shadow Brokers released some more NSA hacking tools, along with a list of IP addresses the NSA was targeting. All of this was apparently in response to a sense of betrayal. Betrayal by Donald Trump. Yes, when Donald Trump launched a cruise missile attack against Syria, this so upset The Shadow Brokers that they wrote another long broken-English rant (with a white nationalist theme) about Trump not living up to his promises and then released some more hacking tools.

We analyzed the Shadow Brokers in FTR #923.

Suffice it to say that this group is, in all probability, not Russian at all.

“Mysterious Group Posts More Alleged NSA Hacking Tools; Russia Link Suspected” by Tim Johnson; McClatchy DC; 4/10/2017.

In the latest in a drumbeat of intelligence leaks, a hacking group known as the Shadow Brokers has released another set of tools it said were designed by the top-secret National Security Agency to penetrate computer systems worldwide.

In a rant-filled statement over the weekend, Shadow Brokers also released a list of servers it said the tools had infected.

One document appeared to show that NSA spyware had been placed on servers in South Korea, Russia, Japan, China, Mexico, Taiwan, Spain, Venezuela and Thailand, among other countries. The dump included details of how the NSA purportedly had gained access to Pakistan’s main mobile network.

The release marked the most recent in a steady stream of disclosures of purported hacking tools developed by the NSA and the CIA. Shadow Brokers made a similar release in August, and in March the anti-secrecy group WikiLeaks released several batches of files that purported to show how the CIA spies on its targets. WikiLeaks has dubbed those leaks Vault7.

Cybersecurity experts differed in their assessment of the leaked material but several agreed that it would give global foes crucial information about American hacking abilities and plans.

In its statement, Shadow Brokers said the latest leak, following one eight months ago, “is our form of protest” to goad President Donald Trump into staying loyal to his followers and promoting anti-globalism. The screed included profanity, some white supremacist commentary and a password to the cache of tools. . . .

8. CrowdStrike–at the epi­cen­ter of the sup­posed Russ­ian hack­ing con­tro­ver­sy is note­wor­thy. Its co-founder and chief tech­nol­o­gy offi­cer, Dmit­ry Alper­ovitch is a senior fel­low at the Atlantic Coun­cil, financed by ele­ments that are at the foun­da­tion of fan­ning the flames of the New Cold War.

 “Is Skepticism Treason?” by James Carden; The Nation; 1/3/2017.

. . . In this respect, it is worth noting that one of the commercial cybersecurity companies the government has relied on is Crowdstrike, which was one of the companies initially brought in by the DNC to investigate the alleged hacks. . . . Dmitri Alperovitch is also a senior fellow at the Atlantic Council. . . . The connection between [Crowdstrike co-founder and chief technology officer Dmitri] Alperovitch and the Atlantic Council has gone largely unremarked upon, but it is relevant given that the Atlantic Council—which is funded in part by the US State Department, NATO, the governments of Latvia and Lithuania, the Ukrainian World Congress, and the Ukrainian oligarch Victor Pinchuk—has been among the loudest voices calling for a new Cold War with Russia. As I pointed out in the pages of The Nation in November, the Atlantic Council has spent the past several years producing some of the most virulent specimens of the new Cold War propaganda. . . .

9. Next, the program highlights a topic that was initially broached in the last program. The OUN/B milieu in the U.S. has apparently been instrumental in generating the “Russia did it” disinformation about the high-profile hacks. A Ukrainian activist named Alexandra Chalupa has been instrumental in distributing this disinformation to Hillary Clinton and influencing the progress of the disinformation in the media.

“The Anonymous Blacklist Quoted by the Washington Post Has Apparent Ties to Ukrainian Fascism and CIA Spying” by Mark Ames; Alternet.org; 12/7/2016.

. . . . One of the key media sources [46] who blamed the DNC hacks on Russia, ramping up fears of crypto-Putinist infiltration, is a Ukrainian-American lobbyist working for the DNC. She is Alexandra Chalupa—described as the head of the Democratic National Committee’s opposition research on Russia and on Trump, and founder and president of the Ukrainian lobby group ‘US United With Ukraine Coalition’ [47], which lobbied hard to pass a 2014 bill increasing loans and military aid to Ukraine, imposing sanctions on Russians, and tightly aligning US and Ukraine geostrategic interests. . . . In one leaked DNC email [50] earlier this year, Chalupa boasts to DNC Communications Director Luis Miranda that she brought Isikoff to a US-government sponsored Washington event featuring 68 Ukrainian journalists, where Chalupa was invited ‘to speak specifically about Paul Manafort.’ In turn, Isikoff named her as the key inside source [46] ‘proving’ that the Russians were behind the hacks, and that Trump’s campaign was under the spell of Kremlin spies and sorcerers. . . .

Discussion

15 comments for “FTR #960 Update on the High Profile Hacks”

  1. Now that Donald Trump appears to be intent on living up to the phrase “it’s not the crime, it’s the coverup” regarding the investigation into possible Russian collusion, hopefully one of the outcomes of the shift of Trump’s culpability from “did he collude with the Russians?” to “did he obstruct justice in the investigation into his collusion with the Russians?” will be a willingness to ask the other obvious question, “did the Trump campaign carry out the hack attacks and make it look like the Russians, regardless of whether or not there was any other collusion?” Because, you know, it seems like pulling off such a stunt and propelling US/Russian relations to a new low and threatening to spark future conflicts in order to cover up a campaign crime would be an incredibly big deal. As big a deal, if not bigger, than outright collusion given the destructive capability of a Russian conflict and the obvious potential for such disastrous results that could result from such an operation. Wouldn’t that be treason too?

    So, in the spirit of hoping the latter question gets asked, here’s the latest reminder that cyber-attribution is far more nebulous than most US coverage of this issue would like to admit: you know the now-infamous Qatari news article that trashed Trump, praised Iran, and ended up triggering a severing of relations with Qatar’s Sunni neighbors? And you know how the FBI has already said that Russian hackers did it? Well, there was a second big hack that rattled Middle East governments just a few days later. A hack of the emails of the UAE’s influential ambassador to the US, Yousef Al Otaiba. A hack that appears to be a kind of counter-point to the Qatari hack and intended to create difficulties between the US and UAE and reveal an ongoing UAE campaign to encourage the US to move its massive airbase out of Qatar (presumably to a nearby place like the UAE). And as the attribution to that hack unfolds, it’s looking like a now-familiar story: Russian hackers did it hackers that could have been anyone did it...hackers who decided to use a “.ru” email address to disseminate their hacked material.

    First, here’s an overview of the al Otaiba hack which is mostly a peek behind the US/UAE diplomatic curtain:

    The Huffington Post

    Someone Is Using These Leaked Emails To Embarrass Washington’s Most Powerful Ambassador
    HuffPost confirmed eight inflammatory D.C. insider email exchanges, including between Yousef Al Otaiba and former Defense Secretary Robert Gates.

    By Akbar Shahid Ahmed
    06/03/2017 10:01 am ET | Updated

    WASHINGTON — A mysterious source contacted multiple news outlets this week to share emails between the influential ambassador of the United Arab Emirates, Yousef Al Otaiba, and top figures in the American foreign policy community, including former Defense Secretary Robert Gates.

    In private correspondence, Otaiba — an extremely powerful figure in Washington, D.C., who is reportedly in “in almost constant phone and email contact” with Jared Kushner, President Donald Trump’s adviser and son-in-law — is seen pushing for the U.S. to close down its military base in Qatar and otherwise poking at issues that could drive a wedge between the U.S. and that Arab nation. He also says that his country’s de facto ruler is supportive of a wave of anti-Qatar criticism in the U.S. that the Gulf state last month called a smear campaign and that has prompted behind-the-scenes alarm inside the U.S. government.

    The anonymous leakers told HuffPost they sought to expose the UAE’s efforts to manipulate the U.S. government, and denied any allegiance to Qatar or any other government.

    Regardless of the leakers’ intent, the revelations promise to heighten tensions between the two U.S. partners. If the UAE succeeds in damaging America’s decades-old relationship with Qatar, the result could dramatically undermine U.S. goals in the Middle East. The two American partners’ escalating rivalry could worsen conflict in war zones where they support different proxy forces — notably in Libya, which has become a haven for smugglers, warlords, and terrorists — while distracting attention from bigger international priorities, like restoring stability in Syria and Iraq after the expected battlefield defeat of the Islamic State. And the UAE strategy could leave the U.S. more wedded to that government’s whims, including its policy of maintaining brittle autocratic rule across the region instead of trying to secure long-term stability by having some level of popular participation.

    The UAE and Qatar have taken their rivalry public in recent days following a controversial report in Qatari media. Qatari authorities soon claimed that the May 23 story — which suggested that the country’s ruler, Sheikh Tamim bin Hamad Al Thani, gave a speech describing his respect for Iran, his support for the Palestinian militant group Hamas and his ties with Israel — was a fake product of a hack. But news sources based in the UAE and Saudi Arabia still suggest that it exposed his true feelings.

    Though Qatar and the Emirates are putative allies, they have drifted apart since 2011 because of their differing reactions to the Arab Spring protests that year. As the largely non-violent Muslim Brotherhood movement gained power across the region, Qatar supported it, seeing it as a vehicle for the Middle East’s democratic aspirations. The UAE calls the group a terror front. With a new U.S. administration in power, the time is ripe for one or the other to push for American action in its own interests.

    Otaiba, who has been the UAE’s ambassador to the United States since 2008, is known as one of the best-connected diplomats in Washington, D.C. He makes frequent high-profile appearances around the city and the U.S. speaking circuit, and he’s ensured that the Trump administration has already cozied up to the Emirates, which hosts a recently opened Trump golf course.

    The leakers provided HuffPost with three batches of emails from Otaiba, some as recent as May and others from as far back as 2014, the last time the UAE supported a major effort to spread skepticism about Qatar in the United States. HuffPost contacted eight of the individuals who’d exchanged messages with the ambassador and shared the contents of those emails; none denied that the exchanges took place. Though Otaiba did not respond to repeated HuffPost requests for comment, a UAE Embassy spokeswoman confirmed to the Daily Beast that the Hotmail address used for the messages belongs to him.

    Otaiba’s emails show an effort to build alliances and a focus on Qatar.

    The night before former U.S. Defense Secretary Robert Gates was scheduled to speak at a high-profile Washington conference on Qatar, for instance, Otaiba wrote him an artfully worded note. “The subject of the conference has been a neglected issue in U.S. foreign policy despite all the trouble it’s causing,” the diplomat wrote. “Coming from you, folks will listen carefully.”

    Gates emailed back that he thought he had “the chance to put some folks on notice.”

    Otaiba offered to buy the former Cabinet official lunch and passed along a message from his boss back home. “MBZ sends his best from Abu Dhabi,” the ambassador wrote, using a nickname for UAE Crown Prince Muhammed bin Zayed. “He says ‘give them hell tomorrow.’”

    The next day, Gates offered a scathing assault on Qatar, excoriating its support for Islamists, at an event hosted by the hawkish Foundation for Defense of Democracies. “The United States military doesn’t have any irreplaceable facility,” he said. “Tell Qatar to choose sides or we will change the nature of the relationship, to include downscaling the base.”

    The incident worried U.S. officials. The American ambassador to Qatar, experienced career diplomat Dana Shell Smith, contacted many of the conference speakers beforehand to try to tone down the rhetoric. It appears that her attempt backfired: foundation officials have publicly criticized and questioned her efforts.

    The powerful Washington-based foundation features heavily in the Otaiba emails. While many of those messages show the ambassador helping its analysts plan trips to the UAE, they also contain two of the most striking revelations about Otaiba: He explicitly advocated for moving the U.S. base out of Qatar — something he hasn’t done publicly — and he discussed the idea of pressuring companies in U.S.-friendly countries to avoid business opportunities in Iran.

    An Arab’s Favorite Pro-Israel Group

    The Foundation for Defense of Democracies spends much of its time trying to strengthen ties between Washington and conservative political forces in Israel. But despite the UAE’s refusal to establish diplomatic ties with Israel, the think tank and others in the pro-Israel lobby have found common ground with the Emirates on two major issues: Both want to contain Iran and political Islam. Both suffered a high-profile defeat when the U.S. and other nations reached a nuclear deal with Iran in 2015. And for the past year or so, both have been pushing to make the future of U.S. relations with Qatar a debate in D.C.

    Emirati critiques of Qatar often raise the same points the foundation’s scholars bring up in their frequent appearances before Congress and in the media: The Qatari government provides, in the words of the U.S. Treasury Department, a “permissive jurisdiction” for fundraisers and donors hoping to aid violent Muslim extremists. In supporting the rights of protesters and democracy activists (at least compared to its neighbors), Qatar is accused of promoting Islamists who claim to be peaceful but really seek to impose brutal Shariah law. And it frequently offers a platform to hatemongers targeting Israel, Jews, the minority Shiite community within Islam, LGBTQ individuals and others — generally on its marquee media property, the Arabic edition of Al-Jazeera.

    But experts on the region note that Qatar’s flaws as an American partner are not unique: Kuwait has also been called a “permissive jurisdiction,” and Saudi Arabia and the UAE also host terror financiers and clerics who spread hate speech. The vendetta against Qatar, then, appears to be driven by more defensive concerns, namely the pro-Israel side’s focus on Hamas and anyone who supports that group, and the UAE’s worry that the Muslim Brotherhood could threaten its own ruling regime.

    Otaiba made his views about the U.S. base in Qatar clear in an April 28 message this year to John Hannah, a senior counselor at the Foundation for Defense of Democracies and a former aide to Vice President Dick Cheney.

    Hannah had emailed the ambassador a Forbes article noting that an Emirati-owned hotel would actually be hosting a Hamas conference in “Muslim Brotherhood-loving” Qatar. Otaiba appeared taken aback by the jab; the UAE is rarely criticized in Washington’s policy community.

    “Shouldn’t we be trying to move the base?” he wrote. “I don’t think it’s fair to point the finger at an Emirati company on this one.”

    Hannah responded by saying he agreed about the military base. But he said criticism of the decision to host Hamas was fair no matter who owned the hotel. Otaiba snapped back that the UAE would move its hotel when the U.S. moved its base.

    “Don’t move the hotel,” Hannah answered. “Just force Hamas to reschedule at a different venue not owned by Emiratis.”

    On Friday, Hannah told HuffPost that the communications were business as usual.

    “As a leading Washington think tank, [the foundation] is engaged in policy discussions with a range of actors across the Middle East and elsewhere. My own relationship with Ambassador Otaiba goes back years, including both my time in government and out,” he wrote in an email.

    ...

    Although the broader foreign policy conversation is only now noting the alignment of interests between pro-Israel hawks and anti-Iran, anti-Brotherhood forces in the Gulf, like the UAE, informed analysts have recognized it for years.

    In a Feb. 5, 2014, email to Otaiba, lobbyist and former Clinton aide Rich Mintz directs him to note comments by former Obama administration official Dennis Ross at a public think tank event.

    Ross, a former senior adviser to President Barack Obama, is well respected among Middle East policy-makers. In a summary prepared by Mintz’s lobbying firm, Ross appeared to say that “as opposed to a few years ago, the talking points in the Gulf were almost identical to the ones he heard in speaking to Israeli officials.”

    (Mintz did not respond to a HuffPost request for comment; HuffPost was not able to independently confirm that exchange.)

    In recent weeks, Ross has publicly joined the chorus of Qatar critics and Emirates boosters. “The Qataris should know we have alternatives and are prepared to develop them in the UAE and elsewhere unless Qatar is prepared to be a genuine partner and not a party that contributes to the very threats we need to counter,” he wrote in USA Today on May 8.

    ———-

    “Someone Is Using These Leaked Emails To Embarrass Washington’s Most Powerful Ambassador” by Akbar Shahid Ahmed; The Huffington Post; 06/03/2017

    “In private correspondence, Otaiba — an extremely powerful figure in Washington, D.C., who is reportedly in “in almost constant phone and email contact” with Jared Kushner, President Donald Trump’s adviser and son-in-law — is seen pushing for the U.S. to close down its military base in Qatar and otherwise poking at issues that could drive a wedge between the U.S. and that Arab nation. He also says that his country’s de facto ruler is supportive of a wave of anti-Qatar criticism in the U.S. that the Gulf state last month called a smear campaign and that has prompted behind-the-scenes alarm inside the U.S. government.”

    And all these Otaiba emails were released just days after the Qatari hack by someone claiming to not work for the Qataris but who merely wants to expose UAE/US lobbying efforts:

    ...
    The anonymous leakers told HuffPost they sought to expose the UAE’s efforts to manipulate the U.S. government, and denied any allegiance to Qatar or any other government.
    ...

    So was this a Qatari counter-hack? Some other actor who would like to add to the diplomatic tension in the region? At this point we don’t know.

    And as the article below notes, a group going around distributing these hacked emails calls itself “GlobalLeaks” and uses a .ru email. Which would suggest these were Russian hackers...if you take everything at face value. But as a group of cybersecurity researchers who have analyzed the Otaiba hack point out, anyone could have done it and just tried to make it look like Russian hackers (it’s not like .ru email addresses can’t be obtained by non-Russians). And while these researchers can’t attribute the hack to any government or group with precision, they do note that it looks like the methods used by what appears to be a mercenary hacker group that’s been operating in the region. A group that’s been hired by a number of Gulf states to hack other Gulf officials:

    The New York Times

    Hacking in Qatar Highlights a Shift Toward Espionage-for-Hire

    By DAVID D. KIRKPATRICK and SHEERA FRENKEL
    June 8, 2017

    DOHA, Qatar — The report appeared just after midnight on the official Qatari news agency’s website, and its contents were stunning: The emir of Qatar was quoted as describing “tensions” with President Trump and speculating he may not last in office, recommending friendship with Iran, praising the Palestinian militants of Hamas, and then attesting to his own “good” relations with Israel.

    The contradictory statements could hardly have been better contrived to alienate the United States and Arab countries around the Gulf, and Qatar immediately began to deny the report, early on May 24. But within 20 minutes, satellite networks controlled by Saudi Arabia and the United Arab Emirates had seized on the damning news flash and began interviewing long lines of well-prepared commentators to expound on the perfidy of Qatar.

    The Qatari government said the news agency had been hacked, a claim now supported by the F.B.I. and British law enforcement officials. Though they would not say so publicly, Qatari officials blamed the Saudis and Emiratis.

    Probably not coincidentally, a few days later, emails hacked from the Emirates’ ambassador to Washington began turning up in the Western news media and then the Qatari news network Al Jazeera.

    The cyber-intrigue was the opening skirmish in a pitched battle among ostensible Gulf allies this week. Saudi Arabia and the U.A.E. rallied dependent Arab states to cut off diplomatic relations, travel and trade with Qatar, and the unity of the American-backed alliance against the Islamic State and Iran has been fractured.

    But the dirty tricks also heralded a broader transformation in international espionage. The dust-up in the Gulf is the clearest sign yet that cyberattacks coupled with disinformation campaigns are no longer the exclusive domain of sophisticated powers like Russia. Any country can get in the game for the relatively low price of a few freelance hackers.

    The F.B.I. and other experts concluded the hack of Qatar’s news agency was the result of a computer break-in, and was most likely carried out by Russian hackers for hire, according to American and Qatari officials briefed on the investigation. F.B.I. officials told The New York Times that Russian mercenary hackers have frequently come up in investigations of attacks sponsored by nation-states.

    In fact, the hacking war in the Gulf region has likely been going on for years, though it has never played out on such a public stage. In 2015, for example, an Arab intermediary with ties to Qatar provided The Times with internal emails from the Emirati Foreign Ministry which stated that the U.A.E. was knowingly violating a United Nations resolution by shipping weapons to Libyan militias.

    “The fact of the matter is that the U.A.E. violated the U.N. Security Council Resolution on Libya and continues to do so,” Ahmed al-Qasimi, a senior Emirati diplomat, wrote in an internal email that was dated Aug. 4, 2015, and provided to The Times. Other internal Emirati emails about Libyan dealings and North Korean arms deals surfaced through Qatari-linked websites and the Guardian newspaper.

    Qatar has, at times, backed its own Libyan client militias on the other side of a three-year proxy war against the U.A.E — with both sides confounding Western attempts to broker a unity government in Libya.

    In a report scheduled to be released on Friday, two independent cybersecurity researchers claim that at least one group of hackers can be found working as freelancers for a number of Gulf states, and that their methods bear a striking resemblance to the methods used to hack the Emirati ambassador.

    “They seem to be hackers-for-hire, freelancing for all sorts of different clients, and adapting their skills as needed,” said Collin Anderson, who is one of the researchers. Mr. Anderson and his partner, Claudio Guarnieri, have nicknamed the group Bahamut, after a monstrous fish floating in the Arabian Sea in the Jorge Luis Borges novel “Book of Imaginary Beings.”

    The group regularly uses spear phishing attacks — emails designed to look innocent but contain malicious software applications. While it is not yet clear if Bahamut was behind the hack of the ambassador’s email, the group targeted a number of Emirati diplomats as well as other public figures in the Gulf region.

    Other news organizations have reported receiving leaked Emirati emails from a group calling itself GlobalLeaks and using email addressing ending in .ru, suggesting the mercenary hackers may be Russians or wish to pose as Russian.

    The Emirati ambassador, Yousef al-Otaiba, is well known for his assiduous efforts to convince American think tanks and government officials that Qatar had threatened the stability of the region by cheering the Arab uprisings of 2011 and, in particular, by backing the Muslim Brotherhood.

    Mr. Otaiba, a charismatic figure who speaks nearly native-sounding English, has also served as a personal tutor in regional politics to Jared Kushner, the son-in-law and a senior adviser to President Trump.

    Several of the newly leaked emails appear to include examples of Mr. Otaiba pressing anti-Qatari arguments with American officials, who banter with him like old friends.

    ...

    In fact, on Thursday, the government of Qatar listed the hacking attack as part of a broader public influence campaign that has been appearing in American newspapers and think tank conferences. A timeline the government distributed to reporters identified a series of 14 op-ed articles that appeared across the American media in a sudden flurry beginning around the same time — late April — all singling out Qatar for supporting Islamist militants or extremists.

    President Trump arrived in the region on May 20, weeks after the barrage of criticism began, for an Arab summit in Saudi Arabia. “He told us exactly: ‘We have to work together in stopping the funding of extremist groups in the region and whenever I read reports about this region I read about Qatar and Saudi,’ ” the Qatari foreign minister, Sheikh Mohammed bin Abdulrahman Al Thani, recalled on Thursday.

    “Mr. President,” the foreign minister said he replied, “are the reports based on media reports or intelligence reports? If it is based on media reports, then this is something we cannot answer.”

    “We assured them that we have strong cooperation with our security agencies,” the foreign minister added.

    Then, three days after the Trump meeting in Riyadh, the Foundation for the Defense of Democracies held a conference in Washington dedicated to criticism of Qatar, titled “Qatar and the Muslim Brotherhood’s Global Affiliates.”

    Robert M. Gates, the former defense secretary and a friend of Mr. Otaiba, gave the keynote. Attendees included many of the authors of the critical op-ed articles and senior Obama administration officials. Organizers encouraged Mr. Otaiba to attend, and his staff sent Abu Dhabi, the Emirati capital, a detailed report.

    No representative of Qatar was invited. The hack of the Qatari news agency took place after midnight that night.

    Mr. Anderson, the cyber security researcher, said the low cost and relative ease of hiring hackers meant that more such attacks would surely follow.

    “This is the future for what countries all around the world can do,” he said, “if they have the money and the resources.”

    By Thursday night, Qatar’s Al Jazeera network reported that hackers were attempting to overload and crash its internet servers.

    ———–

    “Hacking in Qatar Highlights a Shift Toward Espionage-for-Hire” by DAVID D. KIRKPATRICK and SHEERA FRENKEL; The New York Times; 06/08/2017

    “In a report scheduled to be released on Friday, two independent cybersecurity researchers claim that at least one group of hackers can be found working as freelancers for a number of Gulf states, and that their methods bear a striking resemblance to the methods used to hack the Emirati ambassador.”

    And as these cybersecurity researchers note, not only are the methods in the Otaiba hack similar to those of a group of mercenary hackers they assert are working for a number of Gulf states, but this is the sign of a broader transformation in the accessibility of hacking/disinformation capabilities that were once thought to be relatively exclusive.

    ...
    But the dirty tricks also heralded a broader transformation in international espionage. The dust-up in the Gulf is the clearest sign yet that cyberattacks coupled with disinformation campaigns are no longer the exclusive domain of sophisticated powers like Russia. Any country can get in the game for the relatively low price of a few freelance hackers.

    ...

    “They seem to be hackers-for-hire, freelancing for all sorts of different clients, and adapting their skills as needed,” said Collin Anderson, who is one of the researchers. Mr. Anderson and his partner, Claudio Guarnieri, have nicknamed the group Bahamut, after a monstrous fish floating in the Arabian Sea in the Jorge Luis Borges novel “Book of Imaginary Beings.”

    The group regularly uses spear phishing attacks — emails designed to look innocent but contain malicious software applications. While it is not yet clear if Bahamut was behind the hack of the ambassador’s email, the group targeted a number of Emirati diplomats as well as other public figures in the Gulf region.

    Other news organizations have reported receiving leaked Emirati emails from a group calling itself GlobalLeaks and using email addressing ending in .ru, suggesting the mercenary hackers may be Russians or wish to pose as Russian.
    ...

    “Other news organizations have reported receiving leaked Emirati emails from a group calling itself GlobalLeaks and using email addressing ending in .ru, suggesting the mercenary hackers may be Russians or wish to pose as Russian.”

    Yep, unless the hackers were Russian hackers who wanted to advertise for some reason that they’re Russian hackers, the use of a .ru email address by the group distributing these emails basically tells us nothing about who did it. And while these cybersecurity researchers are suspecting that the “Bahamut” group of mercenaries is behind the hack, if their methods involve spear-phishing emails it’s not like other skilled hackers familiar with the cybersecurity industry’s tracking of the Bahamut group couldn’t mimic their methods. That’s the fun of our new digital cold war.

    So at this point it sounds like we have no real idea who did the hack, but whoever did it appears to want to send a “Hi! I’m a Russian hacker!” signal to the world. Of course.

    Posted by Pterrafractyl | June 12, 2017, 8:30 pm
  2. @Pterrafractyl–

    In assessing this, one should not lose sight of the fact that the CIA’s hacking code enables the authorship of the deed to assume an Arabic language cover, as well as Russian, Chinese or Farsi.

    Or, as we might say “Farce-ey.”

    Don’t forget that the Shadow Brokers have seen to it that the entire global hacking community has the NSA’s hacking tools.

    Katy, bar the door!

    Best,

    Dave

    Posted by Dave Emory | June 12, 2017, 8:57 pm
  3. One of the curious aspects of Kim ‘Dotcom’ Schmitz’s claims about being in contact with Seth Rich is how long he waited to make his big claim that he was in contact with Rich all along. Because that claim didn’t come out until May 19th of this year, a few days after the big Fox News disinformation/hoax piece on Rich. Why didn’t Dotcom make these claims sooner? Like, in the middle of the 2016 campaign? Wouldn’t that have been the optimal time for such a stunt?

    But here’s what adds to the curious timing: Check out this tweet from Dotcom back on September 28, 2016, directed to Donald Trump:

    Hey @realDonaldTrump, I’m not 400 pounds and I have nev­er hacked from inside my bed. How­ev­er, you owe me ??— Kim Dot­com (@KimDotcom) Sep­tem­ber 28, 2016

    And don’t for­get that this tweet came two days after the first Pres­i­den­tial Debate between Don­ald Trump and Hillary Clin­ton on Sep­tem­ber 26, 2017, dur­ing which Trump made his infa­mous “the hack­er could have been a 400 pound guy sit­ting his bed” com­ment. So Schmitz/‘Dotcom’ was clear­ly respond­ing to Trump’s com­ment about the hack­ing. And he’s clear­ly claim­ing attri­bu­tion for some­thing that helped Trump. And yet no claims from Dot­com at the time that Seth Rich was the DNC leak­er. Despite how the tim­ing would have been per­fect for such a claim...especially if Dot­com has the evi­dence he claims he has. And yet all we get from Dot­com before his Seth Rich claims last month was a very mys­te­ri­ous tweet that appears to be telling Trump he “owes” Dot­com over the DNC hacks.

    Also keep in mind that if Dot­com, or some­one close­ly asso­ci­at­ed with him, was the actu­al hack­er, draw­ing atten­tion to him­self back when the elec­tion was still going on by mak­ing claims about his con­tacts with Seth Rich could have brought much clos­er scruti­ny to Dot­com with poten­tial­ly huge impli­ca­tions for the elec­tion if sus­pi­cions fell on Dot­com. Espe­cial­ly giv­en Dot­com’s pre­dic­tions back in May of 2015 that Julian Assange was going to be Hillary Clin­ton’s worst night­mare. So if Dot­com was con­cerned about get­ting impli­cat­ed in the hack, wait­ing until after the elec­tion does kind of make sense.

    But for some­one who clear­ly want­ed Hillary to lose to Trump, wait­ing until now to make these claims instead of last fall real­ly is rather curi­ous. Espe­cial­ly giv­en Dot­com’s Sep­tem­ber 28th mys­tery tweet. Unless, of course, mak­ing these claims ear­li­er would have been poten­tial­ly even more dam­ag­ing to Trump. Which could have been the case if Dot­com was indeed the hack­er.

    Posted by Pterrafractyl | June 13, 2017, 2:45 pm
  4. It sounds like the hacking of state election systems in the 2016 election was a lot more extensive than previously reported: Up to 39 states were hacked to one degree or another in a giant spear-phishing campaign, according to a recent report in Bloomberg. And while there was no indication that the hackers were attempting to manipulate actual vote tallies, there were some signs that hackers tried, but failed, to manipulate the voter registry databases in Illinois, which could have the effect of changing vote totals by throwing some people off the voter rolls. And since Illinois was one of only a handful of states to give federal investigators full access to their systems, it’s unclear how many other states had similar attempts.

    As of now, officials appear to be extremely worried that this mass hacking operation is going to happen in the 2018 or 2020 elections. And, of course, as of now, officials are characterizing the entire thing as an operation of Russian military intelligence, pointing to evidence like the IP address used. Yep, the GRU apparently doesn’t know how to use VPNs, proxies, or TOR and instead decided to use known GRU IP addresses to carry out this incredibly inflammatory hacking operation.

    The article also discusses how the extensive nature of the hacks so alarmed the Obama White House that a special ‘cyber Red Phone’ that was set up between Washington and Moscow to defuse potential cyber conflicts was used for the very first time in October. The Russian government denied responsibility, asked for more information, and said they would investigate it. All while the hacking continued.

    So either the Russian government was executing an unprecedented high-profile self-incriminating wave of incredibly inflammatory hacks and continued to do so even after the ‘cyber Red Phone’ got used for the first time with apparently no concern for the consequences, or someone (like the GOP) was hacking the US electoral systems and trying to frame the Russians. Either way, those state election systems could probably use an overhaul soon:

    Bloomberg Politics

    Russian Cyber Hacks on U.S. Electoral System Far Wider Than Previously Known

    by Michael Riley and Jordan Robertson

    June 13, 2017, 4:00 AM CDT

    * Attackers said to take measure of voting systems, databases
    * A ‘red phone’ warning to the Kremlin from Obama White House

    Russia’s cyberattack on the U.S. electoral system before Donald Trump’s election was far more widespread than has been publicly revealed, including incursions into voter databases and software systems in almost twice as many states as previously reported.

    In Illinois, investigators found evidence that cyber intruders tried to delete or alter voter data. The hackers accessed software designed to be used by poll workers on Election Day, and in at least one state accessed a campaign finance database. Details of the wave of attacks, in the summer and fall of 2016, were provided by three people with direct knowledge of the U.S. investigation into the matter. In all, the Russian hackers hit systems in a total of 39 states, one of them said.

    The scope and sophistication so concerned Obama administration officials that they took an unprecedented step — complaining directly to Moscow over a modern-day “red phone.” In October, two of the people said, the White House contacted the Kremlin on the back channel to offer detailed documents of what it said was Russia’s role in election meddling and to warn that the attacks risked setting off a broader conflict.

    The new details, buttressed by a classified National Security Agency document recently disclosed by the Intercept, show the scope of alleged hacking that federal investigators are scrutinizing as they look into whether Trump campaign officials may have colluded in the efforts. But they also paint a worrisome picture for future elections: The newest portrayal of potentially deep vulnerabilities in the U.S.’s patchwork of voting technologies comes less than a week after former FBI Director James Comey warned Congress that Moscow isn’t done meddling.

    “They’re coming after America,” Comey told the Senate Intelligence Committee investigating Russian interference in the election. “They will be back.”

    A spokeswoman for the Federal Bureau of Investigation in Washington declined to comment on the agency’s probe.

    Kremlin Denials

    Russian officials have publicly denied any role in cyber attacks connected to the U.S. elections, including a massive “spear phishing” effort that compromised Hillary Clinton’s campaign and the Democratic National Committee, among hundreds of other groups. President Vladimir Putin said in recent comments to reporters that criminals inside the country could have been involved without having been sanctioned by the Russian government.

    One of the mysteries about the 2016 presidential election is why Russian intelligence, after gaining access to state and local systems, didn’t try to disrupt the vote. One possibility is that the American warning was effective. Another former senior U.S. official, who asked for anonymity to discuss the classified U.S. probe into pre-election hacking, said a more likely explanation is that several months of hacking failed to give the attackers the access they needed to master America’s disparate voting systems spread across more than 7,000 local jurisdictions.

    Such operations need not change votes to be effective. In fact, the Obama administration believed that the Russians were possibly preparing to delete voter registration information or slow vote tallying in order to undermine confidence in the election. That effort went far beyond the carefully timed release of private communications by individuals and parties.

    One former senior U.S. official expressed concern that the Russians now have three years to build on their knowledge of U.S. voting systems before the next presidential election, and there is every reason to believe they will use what they have learned in future attacks.

    Secure Channel

    As the first test of a communication system designed to de-escalate cyber conflict between the two countries, the cyber “red phone” — not a phone, in fact, but a secure messaging channel for sending urgent messages and documents — didn’t quite work as the White House had hoped. NBC News first reported the use of the red phone by the White House last December.

    The White House provided evidence gathered on Russia’s hacking efforts and reasons why the U.S. considered it dangerously aggressive. Russia responded by asking for more information and providing assurances that it would look into the matter even as the hacking continued, according to the two people familiar with the response.

    “Last year, as we detected intrusions into websites managed by election officials around the country, the administration worked relentlessly to protect our election infrastructure,” said Eric Schultz, a spokesman for former President Barack Obama. “Given that our election systems are so decentralized, that effort meant working with Democratic and Republican election administrators from all across the country to bolster their cyber defenses.”

    Illinois Database

    Illinois, which was among the states that gave the FBI and the Department of Homeland Security almost full access to investigate its systems, provides a window into the hackers’ successes and failures.

    In early July 2016, a contractor who works two or three days a week at the state board of elections detected unauthorized data leaving the network, according to Ken Menzel, general counsel for the Illinois board of elections. The hackers had gained access to the state’s voter database, which contained information such as names, dates of birth, genders, driver’s licenses and partial Social Security numbers on 15 million people, half of whom were active voters. As many as 90,000 records were ultimately compromised.

    But even if the entire database had been deleted, it might not have affected the election, according to Menzel. Counties upload records to the state, not the other way around, and no data moves from the database back to the counties, which run the elections. The hackers had no way of knowing that when they attacked the state database, Menzel said.

    The state does, however, process online voter registration applications that are sent to the counties for approval, Menzel said. When voters are added to the county rolls, that information is then sent back to the state and added to the central database. This process, which is common across states, does present an opportunity for attackers to manipulate records at their inception.

    Patient Zero

    Illinois became Patient Zero in the government’s probe, eventually leading investigators to a hacking pandemic that touched four out of every five U.S. states.

    Using evidence from the Illinois computer banks, federal agents were able to develop digital “signatures” — among them, Internet Protocol addresses used by the attackers — to spot the hackers at work.

    The signatures were then sent through Homeland Security alerts and other means to every state. Thirty-seven states reported finding traces of the hackers in various systems, according to one of the people familiar with the probe. In two others — Florida and California — those traces were found in systems run by a private contractor managing critical election systems.

    (An NSA document reportedly leaked by Reality Winner, the 25-year-old government contract worker arrested last week, identifies the Florida contractor as VR Systems, which makes an electronic voter identification system used by poll workers.)

    In Illinois, investigators also found evidence that the hackers tried but failed to alter or delete some information in the database, an attempt that wasn’t previously reported. That suggested more than a mere spying mission and potentially a test run for a disruptive attack, according to the people familiar with the continuing U.S. counterintelligence inquiry.

    States’ Response

    That idea would obsess the Obama White House throughout the summer and fall of 2016, outweighing worries over the DNC hack and private Democratic campaign emails given to Wikileaks and other outlets, according to one of the people familiar with those conversations. The Homeland Security Department dispatched special teams to help states strengthen their cyber defenses, and some states hired private security companies to augment those efforts.

    In many states, the extent of the Russian infiltration remains unclear. The federal government had no direct authority over state election systems, and some states offered limited cooperation. When then-DHS Secretary Jeh Johnson said last August that the department wanted to declare the systems as national critical infrastructure — a designation that gives the federal government broader powers to intervene — Republicans balked. Only after the election did the two sides eventually reach a deal to make the designation.

    ...

    After the Obama administration transmitted its documents and Russia asked for more information, the hackers’ work continued. According to the leaked NSA document, hackers working for Russian military intelligence were trying to take over the computers of 122 local election officials just days before the Nov. 8 election.

    While some inside the Obama administration pressed at the time to make the full scope of the Russian activity public, the White House was ultimately unwilling to risk public confidence in the election’s integrity, people familiar with those discussions said.

    ———-

    “Russian Cyber Hacks on U.S. Electoral System Far Wider Than Previously Known” by Michael Riley and Jordan Robertson; Bloomberg Politics; 06/13/2017

    “In Illinois, investigators also found evidence that the hackers tried but failed to alter or delete some information in the database, an attempt that wasn’t previously reported. That suggested more than a mere spying mission and potentially a test run for a disruptive attack, according to the people familiar with the continuing U.S. counterintelligence inquiry.”

    So in Illinois, one of a handful of states that gave federal investigators the most complete access to their systems and apparently one of the first states hacked, since the hack was first detected in July, investigators found evidence of at least attempts at manipulating voter roll data. That’s certainly a big deal and the kind of finding that potentially raises questions about the integrity of a lot more than just the votes for President. ALL races in a state could be impacted by manipulating the voter rolls.

    How about the rest of the states? That’s unclear. Thanks, in part, to the GOP’s blocking of an attempt by DHS to declare the nation’s voting systems as “national critical infrastructure” that would have given federal investigators greater access to the other states’ voting systems:

    ...
    In many states, the extent of the Russian infiltration remains unclear. The federal government had no direct authority over state election systems, and some states offered limited cooperation. When then-DHS Secretary Jeh Johnson said last August that the department wanted to declare the systems as national critical infrastructure — a designation that gives the federal government broader powers to intervene — Republicans balked. Only after the election did the two sides eventually reach a deal to make the designation.
    ...

    And at this point federal investigators apparently can’t really say how many other states experienced similar attempts. Still, based on the digital “signatures” that investigators have identified (because the ‘Russian hackers’ apparently didn’t bother trying to obscure them), “traces” of the hackers were found in the systems of 39 states:

    ...
    Patient Zero

    Illinois became Patient Zero in the government’s probe, eventually leading investigators to a hacking pandemic that touched four out of every five U.S. states.

    Using evidence from the Illinois computer banks, federal agents were able to develop digital “signatures” — among them, Internet Protocol addresses used by the attackers — to spot the hackers at work.

    The signatures were then sent through Homeland Security alerts and other means to every state. Thirty-seven states reported finding traces of the hackers in various systems, according to one of the people familiar with the probe. In two others — Florida and California — those traces were found in systems run by a private contractor managing critical election systems.

    (An NSA document reportedly leaked by Reality Winner, the 25-year-old government contract worker arrested last week, identifies the Florida contractor as VR Systems, which makes an electronic voter identification system used by poll workers.)
    ...

    And it sounds like a large number of those hacks (or hack attempts) took place in the last week of the campaign:

    ...
    After the Obama administration transmitted its documents and Russia asked for more information, the hackers’ work continued. According to the leaked NSA document, hackers working for Russian military intelligence were trying to take over the computers of 122 local election officials just days before the Nov. 8 election.
    ...

    So, overall, if we take this report at face value, the Russian government brazenly hacked into the Illinois state voting systems, tried to manipulate voter roll data, and then continued to brazenly hack — or attempt to hack — into at least 38 other states. All using digital “signatures”, like IP addresses, that were traced back to the GRU. And the really big wave of attacks happened in the last week of the campaign, after President Obama used the “cyber Red Phone” for the first time ever in October. And the Russian government ignored those calls to stop the hacking without any apparent fear of reprisal. And just kept hacking away without bothering to change those digital “signatures” from the July Illinois hack. Are we sure “Lazy Bear” isn’t a more appropriate moniker for this alleged GRU hacking group? “Fancy Bear” doesn’t quite capture their main attribute.

    Of course, since digital “signatures” are the kind of things hackers can often spoof and a declaration of cyber war would be an insane move by the Russian government, there’s the very obvious possibility that someone else made all these hacking attempts. So it’s worth noting that in The Intercept report about the leaked NSA document showing the analysis of the hacking of a Florida voting systems company, they interview Jake Williams — a former member of NSA’s elite hacking Tailored Access Operations team — and ask him about the spear-phishing campaign used against those 122 officials in the last week of the campaign. According to Williams, that spear-phishing operation was of “medium sophistication” that “practically any hacker can pull off”:

    The Intercept

    Top-Secret NSA Report Details Russian Hacking Effort Days Before 2016 Election

    Matthew Cole, Richard Esposito, Sam Biddle, Ryan Grim

    June 5 2017, 2:44 p.m.

    Russian military intelligence executed a cyberattack on at least one U.S. voting software supplier and sent spear-phishing emails to more than 100 local election officials just days before last November’s presidential election, according to a highly classified intelligence report obtained by The Intercept.

    The top-secret National Security Agency document, which was provided anonymously to The Intercept and independently authenticated, analyzes intelligence very recently acquired by the agency about a months-long Russian intelligence cyber effort against elements of the U.S. election and voting infrastructure. The report, dated May 5, 2017, is the most detailed U.S. government account of Russian interference in the election that has yet come to light.

    While the document provides a rare window into the NSA’s understanding of the mechanics of Russian hacking, it does not show the underlying “raw” intelligence on which the analysis is based. A U.S. intelligence officer who declined to be identified cautioned against drawing too big a conclusion from the document because a single analysis is not necessarily definitive.

    The report indicates that Russian hacking may have penetrated further into U.S. voting systems than was previously understood. It states unequivocally in its summary statement that it was Russian military intelligence, specifically the Russian General Staff Main Intelligence Directorate, or GRU, that conducted the cyber attacks described in the document:

    Russian General Staff Main Intelligence Directorate actors … executed cyber espionage operations against a named U.S. company in August 2016, evidently to obtain information on elections-related software and hardware solutions. … The actors likely used data obtained from that operation to … launch a voter registration-themed spear-phishing campaign targeting U.S. local government organizations.

    This NSA summary judgment is sharply at odds with Russian President Vladimir Putin’s denial last week that Russia had interfered in foreign elections: “We never engaged in that on a state level, and have no intention of doing so.” Putin, who had previously issued blanket denials that any such Russian meddling occurred, for the first time floated the possibility that freelance Russian hackers with “patriotic leanings” may have been responsible. The NSA report, on the contrary, displays no doubt that the cyber assault was carried out by the GRU.

    ...

    The Spear-Phishing Attack

    As described by the classified NSA report, the Russian plan was simple: pose as an e‑voting vendor and trick local government employees into opening Microsoft Word documents invisibly tainted with potent malware that could give hackers full control over the infected computers.

    But in order to dupe the local officials, the hackers needed access to an election software vendor’s internal systems to put together a convincing disguise. So on August 24, 2016, the Russian hackers sent spoofed emails purporting to be from Google to employees of an unnamed U.S. election software company, according to the NSA report. Although the document does not directly identify the company in question, it contains references to a product made by VR Systems, a Florida-based vendor of electronic voting services and equipment whose products are used in eight states.

    The spear-phishing email contained a link directing the employees to a malicious, faux-Google website that would request their login credentials and then hand them over to the hackers. The NSA identified seven “potential victims” at the company. While malicious emails targeting three of the potential victims were rejected by an email server, at least one of the employee accounts was likely compromised, the agency concluded. The NSA notes in its report that it is “unknown whether the aforementioned spear-phishing deployment successfully compromised all the intended victims, and what potential data from the victim could have been exfiltrated.”

    VR Systems declined to respond to a request for comment on the specific hacking operation outlined in the NSA document. Chief Operating Officer Ben Martin replied by email to The Intercept’s request for comment with the following statement:

    Phishing and spear-phishing are not uncommon in our industry. We regularly participate in cyber alliances with state officials and members of the law enforcement community in an effort to address these types of threats. We have policies and procedures in effect to protect our customers and our company.

    Although the NSA report indicates that VR Systems was targeted only with login-stealing trickery, rather than computer-controlling malware, this isn’t necessarily a reassuring sign. Jake Williams, founder of computer security firm Rendition Infosec and formerly of the NSA’s Tailored Access Operations hacking team, said stolen logins can be even more dangerous than an infected computer. “I’ll take credentials most days over malware,” he said, since an employee’s login information can be used to penetrate “corporate VPNs, email, or cloud services,” allowing access to internal corporate data. The risk is particularly heightened given how common it is to use the same password for multiple services. Phishing, as the name implies, doesn’t require everyone to take the bait in order to be a success — though Williams stressed that hackers “never want just one” set of stolen credentials.

    In any event, the hackers apparently got what they needed. Two months later, on October 27, they set up an “operational” Gmail account designed to appear as if it belonged to an employee at VR Systems, and used documents obtained from the previous operation to launch a second spear-phishing operation “targeting U.S. local government organizations.” These emails contained a Microsoft Word document that had been “trojanized” so that when it was opened it would send out a beacon to the “malicious infrastructure” set up by the hackers.

    The NSA assessed that this phase of the spear-phishing operation was likely launched on either October 31 or November 1 and sent spear-phishing emails to 122 email addresses “associated with named local government organizations,” probably to officials “involved in the management of voter registration systems.” The emails contained Microsoft Word attachments purporting to be benign documentation for VR Systems’ EViD voter database product line, but which were in reality maliciously embedded with automated software commands that are triggered instantly and invisibly when the user opens the document. These particular weaponized files used PowerShell, a Microsoft scripting language designed for system administrators and installed by default on Windows computers, allowing vast control over a system’s settings and functions. If opened, the files “very likely” would have instructed the infected computer to begin downloading in the background a second package of malware from a remote server also controlled by the hackers, which the secret report says could have provided attackers with “persistent access” to the computer or the ability to “survey the victims for items of interest.” Essentially, the weaponized Word document quietly unlocks and opens a target’s back door, allowing virtually any cocktail of malware to be subsequently delivered automatically.

    According to Williams, if this type of attack were successful, the perpetrator would possess “unlimited” capacity for siphoning away items of interest. “Once the user opens up that email [attachment],” Williams explained, “the attacker has all the same capabilities that the user does.” Vikram Thakur, a senior research manager at Symantec’s Security Response Team, told The Intercept that in cases like this the “quantity of exfiltrated data is only limited by the controls put in place by network administrators.” Data theft of this variety is typically encrypted, meaning anyone observing an infected network wouldn’t be able to see what exactly was being removed but should certainly be able to tell something was afoot, Williams added. Overall, the method is one of “medium sophistication,” Williams said, one that “practically any hacker can pull off.”

    The NSA, however, is uncertain about the results of the attack, according to the report. “It is unknown,” the NSA notes, “whether the aforementioned spear-phishing deployment successfully compromised the intended victims, and what potential data could have been accessed by the cyber actor.”

    ...

    ———-

    “Top-Secret NSA Report Details Russian Hacking Effort Days Before 2016 Election” by Matthew Cole, Richard Esposito, Sam Biddle, Ryan Grim; The Intercept; 06/05/2017

    “The NSA assessed that this phase of the spear-phishing operation was likely launched on either October 31 or November 1 and sent spear-phishing emails to 122 email addresses “associated with named local government organizations,” probably to officials “involved in the management of voter registration systems.” The emails contained Microsoft Word attachments purporting to be benign documentation for VR Systems’ EViD voter database product line, but which were in reality maliciously embedded with automated software commands that are triggered instantly and invisibly when the user opens the document...”

    A spear-phishing attack using documents from the Florida-based “VR Systems” as the bait. That’s what the alleged Russian hackers did in the last week of the campaign. And how sophisticated was this spear-phishing attack? Almost any hacker could have done it. That’s how sophisticated:

    ...
    According to Williams, if this type of attack were successful, the perpetrator would possess “unlimited” capacity for siphoning away items of interest. “Once the user opens up that email [attachment],” Williams explained, “the attacker has all the same capabilities that the user does.” Vikram Thakur, a senior research manager at Symantec’s Security Response Team, told The Intercept that in cases like this the “quantity of exfiltrated data is only limited by the controls put in place by network administrators.” Data theft of this variety is typically encrypted, meaning anyone observing an infected network wouldn’t be able to see what exactly was being removed but should certainly be able to tell something was afoot, Williams added. Overall, the method is one of “medium sophistication,” Williams said, one that “practically any hacker can pull off.”
    ...

    “Overall, the method is one of ‘medium sophistication,’ Williams said, one that ‘practically any hacker can pull off.’”

    So according to federal investigators, ‘the GRU’ used a spear-phishing technique that any hacker could have pulled off, and did it in a manner that left digital “signatures”, like IP addresses, that apparently led back to the GRU. And kept the same digital signatures in the July 2016 hack on the Illinois voting system that were found in the wave of spear-phishing attacks in the last week of the campaign. Even after getting a “cyber Red Phone” call from the White House for the first time ever in October, thus opening Russia to potential revenge attacks for years to come and poison-pilling the possible utility of having a Russian-friendly President Trump in the White House. It’s as if the cost-benefit analysis didn’t factor in the costs. That’s the story we’re supposed to accept.

    And, amazingly, based on the first report, it sounds like the bulk of the 39 hacked states got hacked by this spear-phishing campaign in the last week of the campaign despite the intense focus around potential hacking in the prior months. Those must have been some pretty compelling phishing emails. It raises the question as to whether or not some of those 122 targeted officials were trying to get their systems hacked. Keep in mind one of the very interesting things about a spear-phishing attack in a scenario like this one, where one of the hacked parties (the GOP) just might want to get hacked: Spear-phishing is a great way for an insider to invite in a hacker while maintaining plausible deniability. Oops! I was tricked! ;)

    It’s pretty clear that US state voting systems have a number of serious vulnerabilities. Specifically, people who fall for phishing emails and whatever malware is now installed on those systems after those hacks. Also note one of the main things protecting these systems from a much bigger hack: the decentralized nature of US voting systems, where different locales use different technologies. It’s a lot harder to pull off a big hack in a decentralized system. And let’s also not forget that one of the giant voting vulnerabilities today is a direct consequence of the US’s response to the 2000 election voting debacle in Florida. Following that, Congress gave states gobs of cash to replace their paper ballot systems with hackable electronic voting machines. And now we have a problem with hackable electronic voting machines. Still.

    So if there is a big push to overhaul and improve US voting systems in anticipation of the 2016 hackers returning in future elections, keep in mind that it’s a lot harder to hack paper ballots.

    Posted by Pterrafractyl | June 14, 2017, 10:21 pm
  5. Here’s an article that reminds us of something to keep in mind when assessing the curious case of the apparent hacking of Qatar’s news agency followed by the email hack of the UAE’s ambassador to the US that some suspect was done by a mercenary hacker group: Middle Eastern governments probably don’t need to hire rogue hacker mercenary groups to carry out very sophisticated hacks:

    BBC

    How BAE sold cyber-surveillance tools to Arab states

    15 June 2017

    A year-long investigation by BBC Arabic and a Danish newspaper has uncovered evidence that the UK defence giant BAE Systems has made large-scale sales across the Middle East of sophisticated surveillance technology, including to many repressive governments.

    These sales have also included decryption software which could be used against the UK and its allies.

    While the sales are legal, human rights campaigners and cyber-security experts have expressed serious concerns these powerful tools could be used to spy on millions of people and thwart any signs of dissent.

    The investigation began in the small Danish town of Norresundby, home to ETI, a company specialising in high-tech surveillance equipment.

    ETI developed a system called Evident, which enabled governments to conduct mass surveillance of their citizens’ communications.

    A former employee, speaking to the BBC anonymously, described how Evident worked.

    “You’d be able to intercept any internet traffic,” he said. “If you wanted to do a whole country, you could. You could pin-point people’s location based on cellular data. You could follow people around. They were quite far ahead with voice recognition. They were capable of decrypting stuff as well.”

    One early customer of the new system was the Tunisian government.

    The BBC tracked down a former Tunisian intelligence official who operated Evident for the country’s veteran leader, President Zine al-Abidine Ben Ali.

    “ETI installed it and engineers came for training sessions,” he explained. “[It] works with keywords. You put in an opponent’s name and you will see all the sites, blogs, social networks related to that user.”

    The source says President Ben Ali used the system to crack down on opponents until his overthrow in January 2011, in the first popular uprising of the Arab Spring.

    Campaigners ‘vanished’

    As protests spread across the Arab world, social media became a key tool for organisers.

    Governments began shopping around for more sophisticated cyber-surveillance systems — opening up a lucrative new market for companies like BAE Systems.

    In 2011, BAE bought ETI and the company became part of BAE Systems Applied Intelligence.

    Over the next five years, BAE used its Danish subsidiary to supply Evident systems to many Middle Eastern countries with questionable human rights records.

    Freedom of information requests submitted by the BBC and the Dagbladet Information newspaper in Denmark revealed exports to Saudi Arabia, the UAE, Qatar, Oman, Morocco and Algeria.

    While it is not possible to link individual cases directly to the Evident system, increased levels of cyber-surveillance since the start of the Arab Spring have had a direct and devastating impact on the activities of human rights and democracy campaigners in many of the states that acquired it.

    “I wouldn’t be exaggerating if I said more than 90% of the most active campaigners in 2011 have now vanished,” says Yahya Assiri, a former Saudi air force officer who fled the country after posting pro-democracy statements online.

    “It used to be that ‘the walls have ears’, but now it’s ‘smartphones have ears,’ ” says Manal al-Sharif, a Saudi women’s rights activist who also now lives abroad.

    “No country monitors its own people the way they do in the Gulf countries. They have the money, so they can buy advanced surveillance software.”

    The situation has led campaigners to voice deep concerns about the future of civil society in the Middle East.

    “Surveillance will destroy people’s confidence in organising, expressing and sharing ideas, trying to create a political movement,” warns Gus Hosein of London-based Privacy International.

    ‘Responsible trading’

    The BBC has also asked for responses from the governments of Saudi Arabia, Oman and the UAE. It has not yet received any replies.

    All sales of Evident were made entirely legally under Danish government export licences, issued by the Danish Business Authority.

    BAE Systems in the UK declined a BBC request for an interview on the issue, saying it was against company policy to comment on specific contracts. But in a written statement the company said: “BAE Systems works for a number of organisations around the world within the regulatory framework of all relevant countries and within our responsible trading principles.”

    During the course of the BBC investigation, it emerged that sales of Evident could also potentially have an impact on national security in the UK.

    An upgraded version of the system now offers another capability — decryption or, to use the technical term, cryptanalysis.

    This enables users to read communications even if they have been securely encrypted.

    Cryptanalysis is such a powerful tool that its export is tightly controlled.

    Export authorisations

    The BBC has obtained a 2015 email exchange between the British and Danish export authorities in which the British side clearly expresses concern about this capability with reference to an Evident sale to the United Arab Emirates.

    “We would refuse a licence to export this cryptanalysis software from the UK because of Criteria 5 concerns,” says the email.

    “Criteria 5” refers to the national security of the UK and its allies.

    The worry is that the software could give users access to the UK’s own communications.

    “Once you’ve sold the equipment to someone they can probably do what they want with it,” says Ross Anderson, professor of Security Engineering at Cambridge University.

    “An Arab country wants to buy cryptanalysis equipment supposedly for its own law enforcement. They have embassies in London, Washington, Paris and Berlin. What’s to stop them putting bulk surveillance equipment in our cities and then using the cryptanalysis equipment to decipher all the mobile phone calls they hear?”

    Despite British objections, the Danish authorities approved the Evident export.

    The Danish foreign ministry declined to be interviewed but in a statement said the Danish Business Authority would not grant export authorisation if an EU member state requested that it did not because of security concerns.

    Defence experts argue that at a time when countries around the world face heightened terrorist threats, there is a clear justification for sales of surveillance equipment.

    “It’s a trade-off,” says Jonathan Shaw, former head of Cyber-Security at the UK Ministry of Defence.

    “I would imagine the consideration that plays in people’s minds is not so much the economic advantage... but it’s that the security of the state we’re talking to is closely linked to ours. Or they are tracking people who are a direct threat to Britain and we need their assistance.”

    According to a 2016 UK Home Office report, mass surveillance technology has played a significant role in every major counter-terrorism investigation in the last decade.

    “The more terrorist incidents there are, the more people will start to see the benefits of favouring security over privacy,” Mr Shaw adds.

    ...

    ‘Unacceptable’

    Dutch MEP Marietje Schaake is one of the few European politicians prepared to discuss concerns about surveillance technology exports.

    She says European countries will ultimately pay a price for the compromises now being made.

    “Each and every case where someone is silenced or ends up in prison with the help of EU-made technologies I think is unacceptable,” she told the BBC.

    “I think the fact that these companies are commercial players, developing these highly sophisticated technologies that could have a deep impact on our national security, on people’s lives, requires us to look again at what kind of restrictions may be needed, what kind of transparency and accountability is needed in this market before it turns against our own interest and our own principles.”

    ———-

    “How BAE sold cyber-surveillance tools to Arab states”; BBC; 06/15/2017

    ““You’d be able to intercept any internet traffic,” he said. “If you wanted to do a whole country, you could. You could pin-point people’s location based on cellular data. You could follow people around. They were quite far ahead with voice recognition. They were capable of decrypting stuff as well.””

    That sounds like some pretty advanced hacking capabilities. Advanced hacking capabilities in a lot of government hands:

    ...
    As protests spread across the Arab world, social media became a key tool for organisers.

    Governments began shopping around for more sophisticated cyber-surveillance systems — opening up a lucrative new market for companies like BAE Systems.

    In 2011, BAE bought ETI and the company became part of BAE Systems Applied Intelligence.

    Over the next five years, BAE used its Danish subsidiary to supply Evident systems to many Middle Eastern countries with questionable human rights records.

    Freedom of information requests submitted by the BBC and the Dagbladet Information newspaper in Denmark revealed exports to Saudi Arabia, the UAE, Qatar, Oman, Morocco and Algeria.
    ...

    And it’s not like these advanced hacking capabilities only work in the Middle East:

    ...
    The BBC has obtained a 2015 email exchange between the British and Danish export authorities in which the British side clearly expresses concern about this capability with reference to an Evident sale to the United Arab Emirates.

    “We would refuse a licence to export this cryptanalysis software from the UK because of Criteria 5 concerns,” says the email.

    “Criteria 5” refers to the national security of the UK and its allies.

    The worry is that the software could give users access to the UK’s own communications.

    “Once you’ve sold the equipment to someone they can probably do what they want with it,” says Ross Anderson, professor of Security Engineering at Cambridge University.

    “An Arab country wants to buy cryptanalysis equipment supposedly for its own law enforcement. They have embassies in London, Washington, Paris and Berlin. What’s to stop them putting bulk surveillance equipment in our cities and then using the cryptanalysis equipment to decipher all the mobile phone calls they hear?”
    ...

    So when the next big ‘whodunnit?’ hack attack happens and people start assembling a suspect list and asking ‘cui bono?’, don’t forget that BAE already sold these capabilities to a number of the governments across the Middle East.

    Also don’t forget that selling advanced hacking tools to Middle Eastern governments isn’t some BAE monopoly. It’s a competitive market.

    Posted by Pterrafractyl | June 16, 2017, 2:34 pm
  6. You know that report about how the election systems of 39 US states were “hit” by ‘Russian hackers’, most of them just a week before the 2016 November election? Well, the National Association of Secretaries of State, an organization that represents the chief election officials in 40 states, has a rebuttal: They have no idea what this report was talking about and believe it’s a matter of cybersecurity firms being overly aggressive to earn state contracts to protect election systems:

    Benzinga

    State Election Officials Baffled By Report 39 States ‘Hit’ By Russian Hackers

    Mark Fritz, Benzinga Staff Writer
    June 15, 2017 1:16pm

    State election officials are baffled by a Bloomberg report alleging that Russian hackers compromised the voting systems in 39 states, adding that cybersecurity firms were engaging in scare tactics to win state and local contracts to protect election systems.

    The June 13 Bloomberg story said that hackers staged incursions last year into voter databases and software systems in almost twice as many states as previously reported.

    “In Illinois, investigators found evidence that cyber intruders tried to delete or alter voter data. The hackers accessed software designed to be used by poll workers on Election Day, and in at least one state accessed a campaign finance database,” the report said.

    It cited three unnamed sources with direct knowledge of “the U.S. investigation into the matter.”

    “In all, the Russian hackers hit systems in a total of 39 states, one of them said,” the report said.

    The National Security Agency, the FBI and the U.S. Homeland Security Department all are looking into various aspects of what intelligence officials said was Russian meddling into the U.S. election systems.

    Kay Stimson, spokeswoman for the National Association of Secretaries of State, said the members of her group — which represents the chief election officials in 40 states — were taken aback by the allegation that 39 states were hacked.

    “We cannot verify any information in that report,” Stimson told Benzinga. “It has some claims that have raised some red flags. I don’t know where they’re getting it. We’re not able to assess to the credibility.”

    Cyber Security Firms Capitalizing On Russian Scare

    She said that some cybersecurity firms were engaging in scare tactics at the state and local levels.

    “There are cybersecurity firms making some wild claims,” she said. “It is a very aggressive industry.”

    Bloomberg attributed the number of states “hit” — Stimson questioned the meaning of the word — to the systems in 39 states. “It’s hard to say how they ‘hit’ 39 states,” she said.

    Homeland Security also issued a report about the Bloomberg report, saying: “While we are not going to get into specifics of activity at the state level, the vast majority of what we saw was scanning — not attempts to intrude — and unsuccessful attempts to steal data held in voter registration databases.”

    Little Doubt Russian Meddling In Election

    Despite the reaction to the Bloomberg report, there is little doubt that Russian actors attempted to access U.S. election systems. Special investigator Robert Mueller has been tasked with spearheading the investigation into whether the Trump campaign colluded with Kremlin affiliates to leak damaging emails and rig the election.

    ...

    ———-

    “State Election Officials Baffled By Report 39 States ‘Hit’ By Russian Hackers” by Mark Fritz; Benzinga; 06/15/2017

    ““We cannot verify any information in that report,” Stimson told Benzinga. “It has some claims that have raised some red flags. I don’t know where they’re getting it. We’re not able to assess to the credibility.””

    Yeah, that’s quite a rebuttal. So none of the information from that Bloomberg report can be verified. And the way the spokesperson for the association representing 40 state election chiefs puts it, this report was likely hype created by a cybersecurity industry intent on creating a panic over future Russian hackers for the purpose of basically creating demand for their services:

    ...
    Cyber Security Firms Capitalizing On Russian Scare

    She said that some cybersecurity firms were engaging in scare tactics at the state and local levels.

    “There are cybersecurity firms making some wild claims,” she said. “It is a very aggressive industry.”

    Bloomberg attributed the number of states “hit” — Stimson questioned the meaning of the word — to the systems in 39 states. “It’s hard to say how they ‘hit’ 39 states,” she said.
    ...

    And the Department of Homeland Security downplayed the report too:

    ...
    Homeland Security also issued a report about the Bloomberg report, saying: “While we are not going to get into specifics of activity at the state level, the vast majority of what we saw was scanning — not attempts to intrude — and unsuccessful attempts to steal data held in voter registration databases.”
    ...

    That certainly supports the notion that the “39 states were hacked by the Russians” claim was, at a minimum, an exaggeration. And when DHS says the “vast majority” of what they saw was “scanning”, keep in mind that “scanning” computers connected to the internet is ubiquitous. And if they were using IP addresses to attribute this scanning to “Russian hackers”, then, if the US intelligence report on the evidence for ‘Russian hackers’ in the DNC server hack is any indication of the way IP addresses are being used to assess culpability for these state system scanning attempts, IP addresses aren’t the most compelling evidence in this case:

    Counter Punch

    Did the Russians Really Hack the DNC?

    by Gregory Elich
    January 13, 2017

    Russia, we are told, breached the servers of the Democratic National Committee (DNC), swiped emails and other documents, and released them to the public, to alter the outcome of the U.S. presidential election.

    How substantial is the evidence backing these assertions?

    ...

    Command-and-control servers remotely issue malicious commands to infected machines. Oddly, for such a key component of the operation, the command-and-control IP address in both attacks was hard-coded in the malware. This seems like another inexplicable choice, given that the point of an advanced persistent threat is to operate for an extended period without detection. A more suitable approach would be to use a Domain Name System (DNS) address, which is a decentralized computer naming system. That would provide a more covert means of identifying the command-and-control server. [13] Moreover, one would expect that address to be encrypted. Using a DNS address would also allow the command-and-control operation to easily move to another server if its location is detected, without the need to modify and reinstall the code.

    One of the IP addresses is claimed to be a “well-known APT 28” command-and-control address, while the second is said to be linked to Russian military intelligence. [14] The first address points to a server located in San Jose, California, and is operated by a server hosting service. [15] The second server is situated in Paris, France, and owned by another server hosting service. [16] Clearly, these are servers that have been compromised by hackers. It is customary for hackers to route their attacks through vulnerable computers. The IP addresses of compromised computers are widely available on the Deep Web, and typically a hacked server will be used by multiple threat actors. These two particular servers may or may not have been regularly utilized by Russian Intelligence, but they were not uniquely so used. Almost certainly, many other hackers would have used the same machines, and it cannot be said that these IP addresses uniquely identify an infiltrator. Indeed, the second IP address is associated with the common Trojan viruses Agent-APPR and Shunnael. [17]

    “Everyone is focused on attribution, but we may be missing the bigger truth,” says Joshua Croman, Director of the Cyber Statecraft Initiative at the Atlantic Council. “[T]he level of sophistication required to do this hack was so low that nearly anyone could do it.” [18]

    ...

    ———-

    “Did the Russians Really Hack the DNC?” by Gregory Elich; Counter Punch; 01/13/2017

    “One of the IP addresses is claimed to be a “well-known APT 28” command-and-control address, while the second is said to be linked to Russian military intelligence. [14] The first address points to a server located in San Jose, California, and is operated by a server hosting service. [15] The second server is situated in Paris, France, and owned by another server hosting service. [16] Clearly, these are servers that have been compromised by hackers. It is customary for hackers to route their attacks through vulnerable computers. The IP addresses of compromised computers are widely available on the Deep Web, and typically a hacked server will be used by multiple threat actors. These two particular servers may or may not have been regularly utilized by Russian Intelligence, but they were not uniquely so used. Almost certainly, many other hackers would have used the same machines, and it cannot be said that these IP addresses uniquely identify an infiltrator. Indeed, the second IP address is associated with the common Trojan viruses Agent-APPR and Shunnael. [17]”

    So were IP addresses of the “scans” of these state election systems the primary evidence used to determine that the Russian government attempted a stunningly brazen last-minute massive hacking operation against US election systems? That’s a question that needs answering now that there’s massive alarm raised over future Russian government hack attacks. Especially now that state election officials refuse to validate any part of that Bloomberg report and suggest it is an instance of cybersecurity industry hype.

    Of course, if the report was true, it’s possible these state election officials are covering their backsides by downplaying the extent to which their defensive measures (or lack thereof) had been breached. It’s something we can’t rule out. But note how the Bloomberg report sources claim that the “digital signatures” collected from the initial Illinois systems hack were distributed to the rest of the states and 39 of them reported finding “traces” of the same hackers. So there’s a significant conflict between the claims by the Bloomberg report’s sources and the stance taken by the State election chiefs. Also don’t forget that the Bloomberg report was based on three anonymous sources, and only one of them made the claim about 39 states getting hit:

    Bloomberg Politics

    Russian Cyber Hacks on U.S. Electoral System Far Wider Than Previously Known

    by Michael Riley
    and Jordan Robertson
    June 13, 2017, 4:00 AM CDT

    * Attackers said to take measure of voting systems, databases
    * A ‘red phone’ warning to the Kremlin from Obama White House

    Russia’s cyberattack on the U.S. electoral system before Donald Trump’s election was far more widespread than has been publicly revealed, including incursions into voter databases and software systems in almost twice as many states as previously reported.

    In Illinois, investigators found evidence that cyber intruders tried to delete or alter voter data. The hackers accessed software designed to be used by poll workers on Election Day, and in at least one state accessed a campaign finance database. Details of the wave of attacks, in the summer and fall of 2016, were provided by three people with direct knowledge of the U.S. investigation into the matter. In all, the Russian hackers hit systems in a total of 39 states, one of them said.

    ...

    Illinois Database

    Illinois, which was among the states that gave the FBI and the Department of Homeland Security almost full access to investigate its systems, provides a window into the hackers’ successes and failures.

    ...

    Patient Zero

    Illinois became Patient Zero in the government’s probe, eventually leading investigators to a hacking pandemic that touched four out of every five U.S. states.

    Using evidence from the Illinois computer banks, federal agents were able to develop digital “signatures” — among them, Internet Protocol addresses used by the attackers — to spot the hackers at work.

    The signatures were then sent through Homeland Security alerts and other means to every state. Thirty-seven states reported finding traces of the hackers in various systems, according to one of the people familiar with the probe. In two others — Florida and California — those traces were found in systems run by a private contractor managing critical election systems.

    ...

    ———-

    “Russian Cyber Hacks on U.S. Electoral System Far Wider Than Previously Known” by Michael Riley and Jordan Robertson; Bloomberg Politics; 06/13/2017

    “In Illinois, investigators found evidence that cyber intruders tried to delete or alter voter data. The hackers accessed software designed to be used by poll workers on Election Day, and in at least one state accessed a campaign finance database. Details of the wave of attacks, in the summer and fall of 2016, were provided by three people with direct knowledge of the U.S. investigation into the matter. In all, the Russian hackers hit systems in a total of 39 states, one of them said.”

    So just one of the three anonymous sources actually made the “39 states were hit” claim and that appeared to be based on the “digital signatures” from the Illinois hack. And the only example signature was IP addresses:

    ...
    Using evidence from the Illinois computer banks, federal agents were able to develop digital “signatures” — among them, Internet Protocol addresses used by the attackers — to spot the hackers at work.

    The signatures were then sent through Homeland Security alerts and other means to every state. Thirty-seven states reported finding traces of the hackers in various systems, according to one of the people familiar with the probe. In two others — Florida and California — those traces were found in systems run by a private contractor managing critical election systems.
    ...

    So, all in all, it does look like the claims by State election chiefs that this report was hyped and bogus do have some weight behind them. In which case we just had a high profile and highly provocative claim by someone, presumably from the cybersecurity industry, that is in serious doubt.

    This doesn’t mean that US election systems don’t have serious potential vulnerabilities to hacking. After all, if there’s one thing we’ve learned from all this, it’s that spear-phishing can hit any large organization and it’s not something easily defended against by IT staff because all that’s required is an email that fools one person in an organization.

    But if there is going to be a meaningful attempt to secure US voting systems, it’s probably best that we don’t co-mingle that effort with a massive public relations campaign that portrays Russia as a country that’s aggressively attacking US election systems. Unless, of course, the Russian government did actually order this, in which case we are all in peril because it would imply the Russian government went insane and decided to start provoking the US into a serious future conflict by attacking US election systems in a manner intended to be identified as a Russian government hack. But since the evidence for that case continues to grow weaker with each questionable and/or debunked ‘revelation’ of ‘Russian hacking’, it’s going to be important to recognize that, yes, hackers, even Russian hackers potentially, could threaten US voting systems and they really do need to be better secured, but the Russian government probably isn’t the primary electoral threat Americans need to worry about going forward. After all, blatantly hacking US election systems is something that goes far beyond a Russian media campaign and treads into war territory if the Russian government does it right before the election after getting the “cyber Red Phone” call to stop it. It would be like a psyop designed to inflame tensions to dangerous levels. But for the GOP, messing with electronic voting machines is expected at this point. With no meaningful consequences. Especially now that anyone can just blame the Russians and no one will question the evidence at all apparently.

    Posted by Pterrafractyl | June 17, 2017, 4:12 pm
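The CounterPunch passage quoted in the comment above argues that an IP address belonging to a compromised, shared hosting server is used by many actors and therefore does not uniquely identify one of them. As an added example (written for this page, not taken from any of the quoted articles or from the commenter), the Python below scores a set of incident indicators against a small constructed threat-intel corpus: each indicator's weight is split across every activity cluster it has ever been tied to, so a C2 address shared by several clusters contributes little to any of them, and only an indicator tied to a single cluster actually carries the attribution. All IP addresses, domains and cluster names are constructed placeholders.

```python
"""Indicator-overlap check: how much does an IP match say about who did it?

Added example, not from the page or any article it quotes. The intel corpus
and the incident indicators below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Sighting:
    indicator: str     # IP address or domain seen in command-and-control traffic
    cluster: str       # activity cluster the reporting source tied it to
    shared_host: bool  # True if the box is rented or compromised shared infrastructure


# Constructed corpus. 192.0.2.x and 198.51.100.x are RFC 5737 documentation
# ranges, standing in for real C2 addresses; the cluster names are invented.
INTEL = [
    Sighting("192.0.2.10", "APT-A", True),
    Sighting("192.0.2.10", "commodity-trojan-1", True),
    Sighting("192.0.2.10", "commodity-trojan-2", True),
    Sighting("198.51.100.7", "APT-A", True),
    Sighting("198.51.100.7", "crimeware-B", True),
    Sighting("c2.example.invalid", "APT-A", False),  # hypothetical actor-controlled domain
]


def clusters_for(indicator, intel=INTEL):
    """Every cluster the corpus has associated with this indicator."""
    return {s.cluster for s in intel if s.indicator == indicator}


def score_attribution(incident_indicators, intel=INTEL):
    """Return {cluster: weight}.

    An indicator tied to N clusters gives 1/N to each of them, so an address
    that three groups have used is worth a third of a single-owner indicator.
    Indicators unknown to the corpus contribute nothing.
    """
    scores = defaultdict(float)
    for ind in incident_indicators:
        clusters = clusters_for(ind, intel)
        for c in clusters:
            scores[c] += 1.0 / len(clusters)
    return dict(scores)


def discriminating(incident_indicators, intel=INTEL):
    """Indicators the corpus ties to exactly one cluster (the ones that matter)."""
    return [i for i in incident_indicators if len(clusters_for(i, intel)) == 1]


def verdict(incident_indicators, intel=INTEL):
    """Plain-language confidence: weak unless at least one indicator is
    unique to a single cluster in the corpus."""
    unique = discriminating(incident_indicators, intel)
    if not unique:
        return "weak: every matched indicator is shared infrastructure"
    return "supported by single-cluster indicator(s): " + ", ".join(sorted(unique))


if __name__ == "__main__":
    # Two IP matches only, as in the article's account of the hard-coded C2 addresses.
    ips_only = ["192.0.2.10", "198.51.100.7"]
    print(score_attribution(ips_only))
    print(verdict(ips_only))
    # Add one indicator the corpus ties to a single cluster.
    print(verdict(ips_only + ["c2.example.invalid"]))
```

Run stand-alone, the two IP matches give APT-A the highest score but no discriminating indicator, so the verdict stays weak until a single-cluster indicator is added.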
  7. Well look at that: As inves­ti­ga­tors explore the more than three dozen com­pa­nies and indi­vid­u­als that Michael Fly­nn worked for — as a con­sul­tant, advis­er, board mem­ber, or speak­er — while advis­ing the Trump cam­paign last year. And two of those enti­ties are rais­ing some extra eye­brows. Fly­nn was an advi­so­ry board mem­ber of Lux­em­bourg-based OSY Tech­nolo­gies and con­sult­ed for the US-based pri­vate equi­ty firm Fran­cis­co Part­ners. What’s so ques­tion­able about these enti­ties? Well, Fran­cis­co Part­ners owns NSO Group — a secre­tive Israel-based cyber­weapons deal­er that sells advanced hack­ing tools to gov­ern­ments around the world — and OSY Tech­nolo­gies is an NSO Group off­shoot. Fly­nn joined OSY in May of last year Yep, Michael Fly­nn worked for both the own­er of an advanced cyber­weapons deal­er and one of its off­shoots through­out the 2016 cam­paign:

    The Huffington Post

    Michael Flynn Worked With Foreign Cyberweapons Group That Sold Spyware Used Against Political Dissidents
    While serving as a top campaign adviser to Donald Trump, Flynn worked with firms linked to NSO Group — which develops spyware and sells it to governments.

    By Paul Blumenthal, Jessica Schulberg
    06/19/2017 03:55 pm ET | Updated

    WASHINGTON — While serving as a top campaign aide to Donald Trump, former national security adviser Michael Flynn made tens of thousands of dollars on the side advising a company that sold surveillance technology that repressive governments used to monitor activists and journalists.

    Flynn, who resigned in February after mischaracterizing his conversations with the Russian ambassador to the U.S., has already come under scrutiny for taking money from foreign outfits. Federal investigators began probing Flynn’s lobbying efforts on behalf of a Dutch company led by a businessman with ties to the Turkish government earlier this year. Flynn’s moonlighting wasn’t typical: Most people at the top level of major presidential campaigns do not simultaneously lobby for any entity, especially not foreign governments. It’s also unusual for former U.S. intelligence officials to work with foreign cybersecurity outfits.

    Nor was Flynn’s work with foreign entities while he was advising Trump limited to his Ankara deal. He earned nearly $1.5 million last year as a consultant, adviser, board member, or speaker for more than three dozen companies and individuals, according to financial disclosure forms released earlier this year.

    Two of those entities are directly linked to NSO Group, a secretive Israeli cyberweapons dealer founded by Omri Lavie and Shalev Hulio, who are rumored to have served in Unit 8200, the Israeli equivalent of the National Security Agency.

    Flynn received $40,280 last year as an advisory board member for OSY Technologies, an NSO Group offshoot based in Luxembourg, a favorite tax haven for major corporations. OSY Technologies is part of a corporate structure that runs from Israel, where NSO Group is located, through Luxembourg, the Cayman Islands, the British Virgin Islands, and the U.S.

    Flynn also worked as a consultant last year for Francisco Partners, a U.S.-based private equity firm that owns NSO Group, but he did not disclose how much he was paid. At least two Francisco Partners executives have sat on OSY’s board.

    Flynn’s financial disclosure forms do not specify the work he did for companies linked to NSO Group, and his lawyer did not respond to requests for comment. Former colleagues at Flynn’s consulting firm declined to discuss Flynn’s work with NSO Group. Executives at Francisco Partners who also sit on the OSY Technologies board did not respond to emails. Lavie, the NSO Group co-founder, told HuffPost he is “not interested in speaking to the press” and referred questions to a spokesman, who did not respond to queries.

    Many government and military officials have moved through the revolving door between government agencies and private cybersecurity companies. The major players in the cybersecurity contracting world — SAIC, Booz Allen Hamilton, CACI Federal and KeyW Corporation — all have former top government officials in leadership roles or on their boards, or have former top executives working in government.

    But it’s less common for former U.S. intelligence officials to work with foreign cybersecurity outfits. “There is a lot of opportunity in the U.S. to do this kind of work,” said Ben Johnson, a former NSA employee and the co-founder of Obsidian Security. “It’s a little bit unexpected going overseas, especially when you combine that with the fact that they’re doing things that might end up in hands of enemies of the U.S. government. It does seem questionable.”

    What is clear is that during the time Flynn was working for NSO’s Luxembourg affiliate, one of the company’s main products — a spy software sold exclusively to governments and marketed as a tool for law enforcement officials to monitor suspected criminals and terrorists — was being used to surveil political dissidents, reporters, activists, and government officials. The software, called Pegasus, allowed users to remotely break into a target’s cellular phone if the target responded to a text message.

    Last year, several people targeted by the spyware contacted Citizen Lab, a cybersecurity research team based out of the University of Toronto. With the help of experts at the computer security firm Lookout, Citizen Lab researchers were able to trace the spyware hidden in the texts back to NSO Group spyware. After Citizen Lab publicized its findings, Apple introduced patches to fix the vulnerability. It is not known how many activists in other countries were targeted and failed to report it to experts.

    NSO Group told Forbes in a statement last year that it complies with strict export control laws and only sells to authorized government agencies. “The company does NOT operate any of its systems; it is strictly a technology company,” NSO Group told Forbes.

    But once a sale is complete, foreign governments are free to do what they like with the technology.

    “The government buys [the technology] and can use it however they want,” Bill Marczak, one of the Citizen Lab researchers, told HuffPost. “They’re basically digital arms merchants.”

    The month before Flynn joined the advisory board of OSY Technologies, NSO Group opened up a new arm called WestBridge Technologies, Inc., in the D.C. region. (The company was originally registered in Delaware in 2014, but formed in Maryland in April 2016.) Led by NSO Group co-founder Lavie, WestBridge is vying for federal government contracts for NSO Group’s products. Hiring Flynn would provide NSO Group with a well-connected figure in Washington, to help get its foot in the door of the notoriously insular world of secret intelligence budgeting.

    “When you’re trying to build up your business, you need someone who has connections, someone who is seen as an authority and a legitimate presence,” Johnson said. Hiring someone with Flynn’s background in intelligence would “open up doors that they wouldn’t have had access to,” Johnson said.

    Throughout 2016, Flynn worked for a number of cybersecurity firms personally and through his consulting firm, Flynn Intel Group. In addition to his advisory board seat at OSY Technologies, he sat on the board of Adobe Systems, a large software company with Pentagon contracts, and the boards of the cybersecurity companies GreenZone Systems and HALO Privacy. (Though Flynn described himself as an Adobe advisory board member in his financial disclosure paperwork, the group said in a statement that he provided only “periodic counsel to Adobe’s public sector team.”)

    Prominent human rights activists and political dissidents have reported being targeted by NSO’s technology. On August 10, 2016, Ahmed Mansoor, an internationally recognized Emirati human rights activist, received a text message prompting him to click a link to read “new secrets” about detainees abused in UAE prisons. He got a similar text the next day. But Mansoor, who had already been repeatedly targeted by hackers, knew better than to click the links. Instead, he forwarded the messages to Citizen Lab.

    Citizen Lab soon determined that NSO Group’s malware exploited an undisclosed mobile phone vulnerability, known as a zero-day exploit, that enabled its customers — that is, foreign governments — to surveil a target’s phone after the target clicked the link included in the phishing text message. If Mansoor had clicked that link, his “phone would have become a digital spy in his pocket, capable of employing his phone camera and microphone to snoop on activity in the vicinity of the device, recording his WhatsApp and Viber calls, logging messages sent in mobile chat apps, and tracking his movements,” Citizen Lab wrote in a report.

    Across the globe in Mexico, where Coca-Cola and PepsiCo were working to repeal a tax on sodas imposed in 2014, two activists and a government-employed scientist, all of whom supported the soda tax, received a series of suspicious text messages. The texts, which became increasingly aggressive and threatening, came as the scientist and the activists were preparing a public relations campaign in support of raising the soda tax and promoting awareness of the health risks linked to sugary beverages.

    Dr. Simón Barquera, researcher at Mexico’s National Institute for Public Health, received a text on July 11, 2016, inviting him to click a link the sender said would lead him to a detailed investigation of his clinic. When Barquera didn’t follow through, the texts escalated. On the 12th, he got a text with a link to a purported court document, which the sender claimed mentioned Barquera by name. On the 13th, yet another text included a link that supposedly contained information about a funeral. The day after that, the sender wrote, “You are an asshole Simon, while you are working I’m fuc king your old lady here is a photo.” The final text Barquera received in August said that his daughter was in “grave condition” after an accident, and included a link that would supposedly tell him where she was being treated.

    Alejandro Calvillo, director of the consumer rights nonprofit El Poder del Consumidor, received a text with a link claiming to be from a man who wanted to know if Calvillo could attend the man’s father’s funeral. Another text sent to Calvillo included a link that the sender said was a viral news story that mentioned him. The final target, Luis Encarnación, a coordinator for the obesity prevention group Coalicion ContraPESO, also received a text with a link claiming that he was named in a news article.

    The targets quickly got in touch with Citizen Lab and forwarded their text messages to the researchers. In February 2017, Citizen Lab released a new report linking NSO Group’s technology to the phishing attempts targeting the pro-soda tax campaigners.

    Citizen Lab researchers have also identified texts sent last summer to Mexican journalist Rafael Cabrera that they believe were an attempt to infect his phone with NSO Group’s Pegasus spyware. Cabrera, who now works for BuzzFeed Mexico, was targeted by hackers after he broke a story revealing a potential conflict of interest with the Mexican first family and a Chinese company.

    Citizen Lab believes NSO Group may have also sold its mobile phone spying technology to many governments, including those of Kenya, Mozambique, Yemen, Qatar, Turkey, Saudi Arabia, Uzbekistan, Thailand, Morocco, Hungary, Nigeria and Bahrain.

    Working with repressive regimes is standard practice in the cyberweapons industry. The Italian surveillance malware firm Hacking Team has worked with dozens of countries known to jail dissidents, according to emails uploaded to WikiLeaks. The FBI and the Drug Enforcement Agency were among the company’s customers, according to the documents.

    Despite recent scrutiny over Mansoor’s case, NSO Group’s value has exploded in recent years. Francisco Partners bought the cyberweapons dealer in 2014 for $120 million. It is now reportedly valued at over $1 billion.

    ...

    ———-

    “Michael Flynn Worked With Foreign Cyberweapons Group That Sold Spyware Used Against Political Dissidents” by Paul Blumenthal, Jessica Schulberg; The Huffington Post; 06/19/2017

    “The month before Flynn joined the advisory board of OSY Technologies, NSO Group opened up a new arm called WestBridge Technologies, Inc., in the D.C. region. (The company was originally registered in Delaware in 2014, but formed in Maryland in April 2016.) Led by NSO Group co-founder Lavie, WestBridge is vying for federal government contracts for NSO Group’s products. Hiring Flynn would provide NSO Group with a well-connected figure in Washington, to help get its foot in the door of the notoriously insular world of secret intelligence budgeting.”

    Yep, not only was Flynn working for NSO Group’s OSY Technologies and its owners at Francisco Partners, but NSO Group was also initiating plans to get more US government contracts...something that would presumably be much likelier to happen if Donald Trump won the White House and brought Flynn into the government.

    And note how NSO Group wasn’t the only cybersecurity firm Flynn was working for:

    ...
    “When you’re trying to build up your business, you need someone who has connections, someone who is seen as an authority and a legitimate presence,” Johnson said. Hiring someone with Flynn’s background in intelligence would “open up doors that they wouldn’t have had access to,” Johnson said.

    Throughout 2016, Flynn worked for a number of cybersecurity firms personally and through his consulting firm, Flynn Intel Group. In addition to his advisory board seat at OSY Technologies, he sat on the board of Adobe Systems, a large software company with Pentagon contracts, and the boards of the cybersecurity companies GreenZone Systems and HALO Privacy. (Though Flynn described himself as an Adobe advisory board member in his financial disclosure paperwork, the group said in a statement that he provided only “periodic counsel to Adobe’s public sector team.”)
    ...

    Now, in terms of assessing the significance of these business relationships, on the one hand, cybersecurity is one of the areas one should expect the former head of the US Defense Intelligence Agency to go into after leaving government. On the other hand, we just witnessed the most hack-intensive US campaign in history and all the hacking was done in favor of Donald Trump. So, you know, some suspicions that maybe, just maybe, one of the private elite hacking firms Flynn worked for has something to do with these hacks.

    It’s important to note that, in terms of the timing, both the DNC server hacks and John Podesta’s email hack were already carried out by the time Flynn joined OSY in May (the same month the hacks were ended for both the DNC and Podesta emails), so it’s not like Flynn joined OSY and then the hacking started (not that Flynn wouldn’t have likely been in contact with them well before May). Still, due to the relative lack of sophistication required to carry out a spear-phishing attack — the method behind both the DNC server hack and Podesta’s emails and, allegedly, the attempts to hack 39 state election systems a week before the election — it really is the case that almost anyone could have pulled these hacks off if they had adequate hacking skills and wanted to hide their tracks and make it look like ‘the Russians’ did it. And the NSO Group’s software specializes in creating spear-phishing campaigns designed to trick people into clicking on the bad links using a variety of different tricks and inserting spying malware in the victims’ systems:

    The New York Times

    Using Texts as Lures, Government Spyware Targets Mexican Journalists and Their Families

    By AZAM AHMED and NICOLE PERLROTH
    JUNE 19, 2017

    MEXICO CITY — Mexico’s most prominent human rights lawyers, journalists and anti-corruption activists have been targeted by advanced spyware sold to the Mexican government on the condition that it be used only to investigate criminals and terrorists.

    The targets include lawyers looking into the mass disappearance of 43 students, a highly respected academic who helped write anti-corruption legislation, two of Mexico’s most influential journalists and an American representing victims of sexual abuse by the police. The spying even swept up family members, including a teenage boy.

    Since 2011, at least three Mexican federal agencies have purchased about $80 million worth of spyware created by an Israeli cyberarms manufacturer. The software, known as Pegasus, infiltrates smartphones to monitor every detail of a person’s cellular life — calls, texts, email, contacts and calendars. It can even use the microphone and camera on phones for surveillance, turning a target’s smartphone into a personal bug.

    The company that makes the software, the NSO Group, says it sells the tool exclusively to governments, with an explicit agreement that it be used only to battle terrorists or the drug cartels and criminal groups that have long kidnapped and killed Mexicans.

    But according to dozens of messages examined by The New York Times and independent forensic analysts, the software has been used against some of the government’s most outspoken critics and their families, in what many view as an unprecedented effort to thwart the fight against the corruption infecting every limb of Mexican society.

    “We are the new enemies of the state,” said Juan E. Pardinas, the general director of the Mexican Institute for Competitiveness, who has pushed anti-corruption legislation. His iPhone, along with his wife’s, was targeted by the software, according to an independent analysis. “Ours is a society where democracy has been eroded,” he said.

    The deployment of sophisticated cyberweaponry against citizens is a snapshot of the struggle for Mexico itself, raising profound legal and ethical questions for a government already facing severe criticism for its human rights record. Under Mexican law, only a federal judge can authorize the surveillance of private communications, and only when officials can demonstrate a sound basis for the request.

    It is highly unlikely that the government received judicial approval to hack the phones, according to several former Mexican intelligence officials. Instead, they said, illegal surveillance is standard practice.

    “Mexican security agencies wouldn’t ask for a court order, because they know they wouldn’t get one,” said Eduardo Guerrero, a former analyst at the Center for Investigation and National Security, Mexico’s intelligence agency and one of the government agencies that use the Pegasus spyware. “I mean, how could a judge authorize surveillance of someone dedicated to the protection of human rights?”

    “There, of course, is no basis for that intervention, but that is besides the point,” he added. “No one in Mexico ever asks for permission to do so.”

    The hacking attempts were highly personalized, striking critics with messages designed to inspire fear — and get them to click on a link that would provide unfettered access to their cellphones.

    Carmen Aristegui, one of Mexico’s most famous journalists, was targeted by a spyware operator posing as the United States Embassy in Mexico, instructing her to click on a link to resolve an issue with her visa. The wife of Mr. Pardinas, the anti-corruption activist, was targeted with a message claiming to offer proof that he was having an extramarital affair.

    For others, imminent danger was the entry point, like a message warning that a truck filled with armed men was parked outside Mr. Pardinas’s home.

    “I think that any company that sells a product like this to a government would be horrified by the targets, of course, which don’t seem to fall into the traditional role of criminality,” said John Scott-Railton, a senior researcher at Citizen Lab at the Munk School of Global Affairs at the University of Toronto, which examined the hacking attempts.

    The Mexican government acknowledges gathering intelligence against legitimate suspects in accordance with the law. “As in any democratic government, to combat crime and threats against national security the Mexican government carries out intelligence operations,” it said in a statement.

    But the government “categorically denies that any of its members engages in surveillance or communications operations against defenders of human rights, journalists, anti-corruption activists or any other person without prior judicial authorization.”

    The Mexican government’s deployment of spyware has come under suspicion before, including hacking attempts on political opponents and activists fighting corporate interests in Mexico.

    Still, there is no ironclad proof that the Mexican government is responsible. The Pegasus software does not leave behind the hacker’s individual fingerprints. Even the software maker, the NSO Group, says it cannot determine who, exactly, is behind specific hacking attempts.

    But cyberexperts can verify when the software has been used on a target’s phone, leaving them with few doubts that the Mexican government, or some rogue actor within it, was involved.

    “This is pretty much as good as it gets,” said Bill Marczak, another senior researcher at Citizen Lab, who confirmed the presence of NSO code on several phones belonging to Mexican journalists and activists.

    Moreover, it is extremely unlikely that cybercriminals somehow got their hands on the software, the NSO Group says, because the technology can be used only by the government agency where it is installed.

    The company is part of a growing number of digital spying businesses that operate in a loosely regulated space. The market has picked up in recent years, particularly as companies like Apple and Facebook start encrypting their customers’ communications, making it harder for government agencies to conduct surveillance.

    Increasingly, governments have found that the only way to monitor mobile phones is by using private businesses like the NSO Group that exploit little-known vulnerabilities in smartphone software. The company has, at times, operated its businesses under different names. One of them, OSY Technologies, paid Michael T. Flynn, President Trump’s former national security adviser, more than $40,000 to be an advisory board member from May 2016 until January, according to his public financial disclosures.

    Before selling to governments, the NSO Group says, it vets their human rights records. But once the company licenses the software and installs its hardware inside intelligence and law enforcement agencies, the company says, it has no way of knowing how its spy tools are used — or whom they are used against.

    The company simply bills governments based on the total number of surveillance targets. To spy on 10 iPhone users, for example, the company charges $650,000 on top of a flat $500,000 installation fee, according to NSO marketing proposals reviewed by The New York Times.

    Even when the NSO Group learns that its software has been abused, there is only so much it can do, the company says, arguing that it cannot simply march into intelligence agencies, remove its hardware and take back its spyware.

    “When you’re selling AK-47s, you can’t control how they’ll be used once they leave the loading docks,” said Kevin Mahaffey, chief technology officer at Lookout, a mobile security company.

    Rather, the NSO Group relies on its customers to cooperate in a review, then turns over the findings to the appropriate governmental authority — in effect, leaving governments to police themselves.

    Typically, the company’s only recourse is to slowly cut off a government’s access to the spy tools over the course of months, or even years, by ceasing to provide new software patches, features and updates. But in the case of Mexico, the NSO Group has not condemned or even acknowledged any abuse, despite repeated evidence that its spy tools have been deployed against ordinary citizens and their families.

    ...

    ———-

    “Using Texts as Lures, Government Spyware Targets Mexican Journalists and Their Families” by AZAM AHMED and NICOLE PERLROTH; The New York Times; 06/19/2017

    “Increasingly, governments have found that the only way to monitor mobile phones is by using private businesses like the NSO Group that exploit little-known vulnerabilities in smartphone software. The company has, at times, operated its businesses under different names. One of them, OSY Technologies, paid Michael T. Flynn, President Trump’s former national security adviser, more than $40,000 to be an advisory board member from May 2016 until January, according to his public financial disclosures.”

    And note how even when a phone is known to be hacked by someone using the NSO Group malware after a successful spear-phishing attempt, there’s still no way to know which NSO Group client did it. Even NSO Group claims it can’t determine who did it:

    ...
    The Mexican government’s deployment of spyware has come under suspicion before, including hacking attempts on political opponents and activists fighting corporate interests in Mexico.

    Still, there is no ironclad proof that the Mexican government is responsible. The Pegasus software does not leave behind the hacker’s individual fingerprints. Even the software maker, the NSO Group, says it cannot determine who, exactly, is behind specific hacking attempts.

    But cyberexperts can verify when the software has been used on a target’s phone, leaving them with few doubts that the Mexican government, or some rogue actor within it, was involved.

    “This is pretty much as good as it gets,” said Bill Marczak, another senior researcher at Citizen Lab, who confirmed the presence of NSO code on several phones belonging to Mexican journalists and activists.

    Moreover, it is extremely unlikely that cybercriminals somehow got their hands on the software, the NSO Group says, because the technology can be used only by the government agency where it is installed.
    ...

    ““This is pretty much as good as it gets,” said Bill Marczak, another senior researcher at Citizen Lab, who confirmed the presence of NSO code on several phones belonging to Mexican journalists and activists.”

    Yes, “this” is pretty much as good as it gets in terms of establishing evidence of who was behind a hack of this nature, where “this” is “circumstantial evidence”. And that circumstantial evidence is pretty good if you’re talking about a Mexican dissident with malware traced back to the NSO Group on their phone. Sure, maybe some other NSO Group client did the hack in that circumstance but it’s a pretty good bet it was the Mexican government in such a circumstance simply due to a lack of other NSO Group clients who would care about a Mexican dissident.

    And yet for the DNC/Podesta hacks, which were also spear-phishing campaigns but against targets with a wide variety of potential enemies across the globe, the primary evidence we’re given that the Russian government was really behind the hacks was the amazingly sloppy hacker ‘mistakes’ like Cyrillic characters in the hacked document meta-data and leaving the Bitly accounts they were using to create the links used in the spear-phishing emails public so cybersecurity researchers could watch their entire hacking campaign list of targets. In other words, ‘evidence’ that could have easily been left to be found.

    So that all adds to the mystery of Michael Flynn and the potential role he played in the Trump campaign. The former head of the US military’s spy agency worked for a company that makes advanced software designed to first conduct a successful spear-phishing campaign and then gives the victim NSO Group’s special spying malware, the same kind of campaign that attacked the DNC, John Podesta, and the 39 state election systems. And yet almost no one seems to raise the question as to whether or not Flynn and his deep ties to the hacking world could have had anything to do with those high-profile hacks. Only consideration of Russian hackers is allowed. It’s a pretty mysterious mystery, although perhaps not as mysterious as the investigation.

    Posted by Pterrafractyl | June 21, 2017, 2:55 pm
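    The comment above leans on the point that Cyrillic characters in document metadata are weak evidence because they are trivially planted. The following is an added worked example, not code from the original comment or from any of the quoted articles or companies: it builds a minimal OOXML (.docx) container whose docProps/core.xml carries a constructed Cyrillic author name, then reads it back the way a forensic metadata reader does. The sample name is made up, the builder writes only the parts a metadata reader needs (the file is not meant to open in a word processor), and `metadata_hints` is a hypothetical triage check rather than any real tool's output.

```python
# Added example (not from the original post or any party it names).
# OOXML core properties are plain XML inside a zip container, so the
# "author" and "last saved by" fields that forensic tools report are
# whatever the producer of the file chose to write.  The reader below is
# what a triage script does with the file; the builder shows how little it
# takes to plant the values the reader will later find.
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}

CYRILLIC = re.compile(r"[\u0400-\u04FF]")


def build_docx(creator: str, last_modified_by: str) -> bytes:
    """Return bytes of a minimal .docx whose core properties carry the
    given names.  Only the parts a metadata reader needs are written."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
        '<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" '
        'xmlns:dcterms="{dcterms}" xmlns:xsi="{xsi}">\n'
        "  <dc:creator>{creator}</dc:creator>\n"
        "  <cp:lastModifiedBy>{lmb}</cp:lastModifiedBy>\n"
        '  <dcterms:created xsi:type="dcterms:W3CDTF">2016-06-15T12:00:00Z</dcterms:created>\n'
        "</cp:coreProperties>\n"
    ).format(creator=escape(creator), lmb=escape(last_modified_by), **NS)
    content_types = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">\n'
        '  <Default Extension="xml" ContentType="application/xml"/>\n'
        '  <Override PartName="/docProps/core.xml" '
        'ContentType="application/vnd.openxmlformats-package.core-properties+xml"/>\n'
        '  <Override PartName="/word/document.xml" '
        'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>\n'
        "</Types>\n"
    )
    document = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        "<w:body><w:p/></w:body></w:document>\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("docProps/core.xml", core)
        zf.writestr("word/document.xml", document)
    return buf.getvalue()


def read_core_properties(data: bytes) -> dict:
    """Pull creator / lastModifiedBy / created out of docProps/core.xml,
    the fields metadata tools label 'author' and 'last saved by'."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        root = ET.fromstring(zf.read("docProps/core.xml"))

    def text(tag):
        node = root.find(tag, NS)
        return node.text if node is not None else None

    return {
        "creator": text("dc:creator"),
        "lastModifiedBy": text("cp:lastModifiedBy"),
        "created": text("dcterms:created"),
    }


def has_cyrillic(value) -> bool:
    """True if the string contains any character in the Cyrillic block."""
    return bool(value) and CYRILLIC.search(value) is not None


def metadata_hints(props: dict) -> list:
    """Hypothetical triage observations.  Each describes bytes the file's
    producer controlled, not who that producer was; none is attribution."""
    hints = []
    for field in ("creator", "lastModifiedBy"):
        if has_cyrillic(props.get(field)):
            hints.append(f"{field} contains Cyrillic characters: {props[field]!r}")
    return hints


if __name__ == "__main__":
    # Constructed sample name; it refers to no real file or person.
    planted = build_docx("Иван Иванов", "Иван Иванов")
    props = read_core_properties(planted)
    print(props)
    for hint in metadata_hints(props):
        print("hint:", hint)
```

    Because `build_docx` and `read_core_properties` round-trip any string, the same reader applied to a real file cannot distinguish a name a real author's word processor wrote from one a producer typed into the XML by hand; a metadata hit of this kind belongs in a triage report as a lead, not as proof of origin.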
  8. https://www.theguardian.com/technology/2017/jun/16/facebook-moderators-identity-exposed-terrorist-groups#img‑2

    Revealed: Face­book exposed iden­ti­ties of mod­er­a­tors to sus­pect­ed ter­ror­ists

    A secu­ri­ty lapse that affect­ed more than 1,000 work­ers forced one mod­er­a­tor into hid­ing – and he still lives in con­stant fear for his safe­ty

    Olivia Solon in San Fran­cis­co

    Fri­day 16 June 2017 03.09 EDT
    First pub­lished on Fri­day 16 June 2017 03.00 EDT

    Face­book put the safe­ty of its con­tent mod­er­a­tors at risk after inad­ver­tent­ly expos­ing their per­son­al details to sus­pect­ed ter­ror­ist users of the social net­work, the Guardian has learned.

    The secu­ri­ty lapse affect­ed more than 1,000 work­ers across 22 depart­ments at Face­book who used the company’s mod­er­a­tion soft­ware to review and remove inap­pro­pri­ate con­tent from the plat­form, includ­ing sex­u­al mate­r­i­al, hate speech and ter­ror­ist pro­pa­gan­da.

    A bug in the soft­ware, dis­cov­ered late last year, result­ed in the per­son­al pro­files of con­tent mod­er­a­tors auto­mat­i­cal­ly appear­ing as noti­fi­ca­tions in the activ­i­ty log of the Face­book groups, whose admin­is­tra­tors were removed from the plat­form for breach­ing the terms of ser­vice. The per­son­al details of Face­book mod­er­a­tors were then view­able to the remain­ing admins of the group.

    Of the 1,000 affect­ed work­ers, around 40 worked in a counter-ter­ror­ism unit based at Facebook’s Euro­pean head­quar­ters in Dublin, Ire­land. Six of those were assessed to be “high pri­or­i­ty” vic­tims of the mis­take after Face­book con­clud­ed their per­son­al pro­files were like­ly viewed by poten­tial ter­ror­ists.

    The Guardian spoke to one of the six, who did not wish to be named out of con­cern for his and his family’s safe­ty. The Iraqi-born Irish cit­i­zen, who is in his ear­ly twen­ties, fled Ire­land and went into hid­ing after dis­cov­er­ing that sev­en indi­vid­u­als asso­ci­at­ed with a sus­pect­ed ter­ror­ist group he banned from Face­book – an Egypt-based group that backed Hamas and, he said, had mem­bers who were Islam­ic State sym­pa­thiz­ers – had viewed his per­son­al pro­file.

    Face­book con­firmed the secu­ri­ty breach in a state­ment and said it had made tech­ni­cal changes to “bet­ter detect and pre­vent these types of issues from occur­ring”.

    “We care deeply about keep­ing every­one who works for Face­book safe,” a spokesman said. “As soon as we learned about the issue, we fixed it and began a thor­ough inves­ti­ga­tion to learn as much as pos­si­ble about what hap­pened.”

    The mod­er­a­tor who went into hid­ing was among hun­dreds of “com­mu­ni­ty oper­a­tions ana­lysts” con­tract­ed by glob­al out­sourc­ing com­pa­ny Cpl Recruit­ment. Com­mu­ni­ty oper­a­tions ana­lysts are typ­i­cal­ly low-paid con­trac­tors tasked with polic­ing Face­book for con­tent that breach­es its com­mu­ni­ty stan­dards.

    Over­whelmed with fear that he could face retal­i­a­tion, the mod­er­a­tor, who first came to Ire­land as an asy­lum seek­er when he was a child, quit his job and moved to east­ern Europe for five months.

    “It was get­ting too dan­ger­ous to stay in Dublin,” he said, explain­ing that his fam­i­ly had already expe­ri­enced the hor­ri­fy­ing impact of ter­ror­ism: his father had been kid­napped and beat­en and his uncle exe­cut­ed in Iraq.

    “The only rea­son we’re in Ire­land was to escape ter­ror­ism and threats,” he said.

    The mod­er­a­tor said that oth­ers with­in the high-risk six had their per­son­al pro­files viewed by accounts with ties to Isis, Hezbol­lah and the Kur­dis­tan Work­ers Par­ty. Face­book com­plies with the US state department’s des­ig­na­tion of ter­ror­ist groups.

    “When you come from a war zone and you have peo­ple like that know­ing your fam­i­ly name you know that peo­ple get butchered for that,” he said. “The pun­ish­ment from Isis for work­ing in counter-ter­ror­ism is behead­ing. All they’d need to do is tell some­one who is rad­i­cal here.”

    Face­book mod­er­a­tors like him first sus­pect­ed there was a prob­lem when they start­ed receiv­ing friend requests from peo­ple affil­i­at­ed with the ter­ror­ist orga­ni­za­tions they were scru­ti­niz­ing.
    An urgent investigation by Facebook’s security team established that personal profiles belonging to content moderators had been exposed. As soon as the leak was identified in November 2016, Facebook convened a “task force of data scientists, community operations and security investigators”, according to internal emails seen by the Guardian, and warned all the employees and contracted staff it believed were affected. The company also set up an email address, nameleak@fb.com, to field queries from those affected.

    Face­book then dis­cov­ered that the per­son­al Face­book pro­files of its mod­er­a­tors had been auto­mat­i­cal­ly appear­ing in the activ­i­ty logs of the groups they were shut­ting down.

    Craig D’Souza, Facebook’s head of glob­al inves­ti­ga­tions, liaised direct­ly with some of the affect­ed con­trac­tors, talk­ing to the six indi­vid­u­als con­sid­ered to be at the high­est risk over video con­fer­ence, email and Face­book Mes­sen­ger.

    In one exchange, before the Face­book inves­ti­ga­tion was com­plete, D’Souza sought to reas­sure the mod­er­a­tors that there was “a good chance” any sus­pect­ed ter­ror­ists noti­fied about their iden­ti­ty would fail to con­nect the dots.

    “Keep in mind that when the per­son sees your name on the list, it was in their activ­i­ty log, which con­tains a lot of infor­ma­tion,” D’Souza wrote, “there is a good chance that they asso­ciate you with anoth­er admin of the group or a hack­er ...”

    “I under­stand Craig,” replied the mod­er­a­tor who end­ed up flee­ing Ire­land, “but this is tak­ing chances. I’m not wait­ing for a pipe bomb to be mailed to my address until Face­book does some­thing about it.”

    The bug in the soft­ware was not fixed for anoth­er two weeks, on 16 Novem­ber 2016. By that point the glitch had been active for a month. How­ev­er, the bug was also retroac­tive­ly expos­ing the per­son­al pro­files of mod­er­a­tors who had cen­sored accounts as far back as August 2016.

    Face­book offered to install a home alarm mon­i­tor­ing sys­tem and pro­vide trans­port to and from work to those in the high risk group. The com­pa­ny also offered coun­sel­ing through Facebook’s employ­ee assis­tance pro­gram, over and above coun­sel­ing offered by the con­trac­tor, Cpl.

    The mod­er­a­tor who fled Ire­land was unsat­is­fied with the secu­ri­ty assur­ances received from Face­book. In an email to D’Souza, he wrote that the high-risk six had spent weeks “in a state of pan­ic and emer­gency” and that Face­book need­ed to do more to “address our press­ing con­cerns for our safe­ty and our fam­i­lies”.
    He told the Guardian that the five months he spent in east­ern Europe felt like “exile”. He kept a low pro­file, rely­ing on sav­ings to sup­port him­self. He spent his time keep­ing fit and liais­ing with his lawyer and the Dublin police, who checked up on his fam­i­ly while he was away. He returned to Ire­land last month after run­ning out of mon­ey, although he still lives in fear.

    “I don’t have a job, I have anx­i­ety and I’m on anti­de­pres­sants,” he said. “I can’t walk any­where with­out look­ing back.”

    This month he filed a legal claim against Face­book and Cpl with the Injuries Board in Dublin. He is seek­ing com­pen­sa­tion for the psy­cho­log­i­cal dam­age caused by the leak.

    Cpl did not respond to a request to com­ment. The state­ment pro­vid­ed by Face­book said its inves­ti­ga­tion sought to deter­mine “exact­ly which names were pos­si­bly viewed and by whom, as well as an assess­ment of the risk to the affect­ed per­son”.

    The social media giant played down the threat posed to the affect­ed mod­er­a­tors, but said that it con­tact­ed each of them indi­vid­u­al­ly “to offer sup­port, answer their ques­tions, and take mean­ing­ful steps to ensure their safe­ty”.

    “Our inves­ti­ga­tion found that only a small frac­tion of the names were like­ly viewed, and we nev­er had evi­dence of any threat to the peo­ple impact­ed or their fam­i­lies as a result of this mat­ter,” the spokesman said.

    Details of Facebook’s secu­ri­ty blun­der will once again put a spot­light on the gru­el­ing and con­tro­ver­sial work car­ried out by an army of thou­sands of low-paid staff, includ­ing in coun­tries like the Philip­pines and India.
    The Guardian recent­ly revealed the secret rules and guide­lines Face­book uses to train mod­er­a­tors to police its vast net­work of almost two bil­lion users, includ­ing 100 inter­nal train­ing man­u­als, spread­sheets and flow­charts.

    The mod­er­a­tor who fled Ire­land worked for a 40-strong spe­cial­ist team tasked with inves­ti­gat­ing reports of ter­ror­ist activ­i­ty on Face­book. He was hired because he spoke Ara­bic, he said.

    He felt that con­tract­ed staff were not treat­ed as equals to Face­book employ­ees but “sec­ond-class cit­i­zens”. He was paid just €13 ($15) per hour for a role that required him to devel­op spe­cial­ist knowl­edge of glob­al ter­ror net­works and scour through often high­ly-dis­turb­ing mate­r­i­al.

    “You come in every morn­ing and just look at behead­ings, peo­ple get­ting butchered, stoned, exe­cut­ed,” he said.

    Facebook’s poli­cies allow users to post extreme­ly vio­lent images pro­vid­ed they don’t pro­mote or cel­e­brate ter­ror­ism. This means mod­er­a­tors may be repeat­ed­ly exposed to the same haunt­ing pic­tures to deter­mine whether the peo­ple shar­ing them were con­demn­ing or cel­e­brat­ing the depict­ed acts.

    The mod­er­a­tor said that when he start­ed, he was giv­en just two weeks train­ing and was required to use his per­son­al Face­book account to log into the social media giant’s mod­er­a­tion sys­tem.
    “They should have let us use fake pro­files,” he said, adding: “They nev­er warned us that some­thing like this could hap­pen.”

    Face­book told the Guardian that as a result of the leak it is test­ing the use of admin­is­tra­tive accounts that are not linked to per­son­al pro­files.

    Moderation teams were continually scored for the accuracy and speed of their decisions, he said, as well as other factors such as their ability to stay updated on training materials. If a moderator’s score dropped below 90% they would receive a formal warning.

    In an attempt to boost morale among agency staff, Face­book launched a month­ly award cer­e­mo­ny to cel­e­brate the top qual­i­ty per­form­ers. The prize was a Face­book-brand­ed mug. “The mug that all Face­book employ­ees get,” he not­ed.

    Con­tact the author: olivia.solon@theguardian.com

    Posted by Michelle Zucker | June 21, 2017, 6:52 pm
  9. This article from “The Hill” expresses concern because an RNC database was not secure on an Amazon cloud server. The question not asked is why the RNC needs files of information addressing 46 issues for nearly 200 million Americans. The most important paragraphs from the article are these three:

    1. For exam­ple, a 50-giga­byte file of “Post Elect 2016” infor­ma­tion, last updat­ed in mid-Jan­u­ary, con­tained mod­eled data about a voter’s like­ly posi­tions on 46 dif­fer­ent issues rang­ing from “how like­ly it is the indi­vid­ual vot­ed for Oba­ma in 2012, whether they agree with the Trump for­eign pol­i­cy of ‘Amer­i­ca First’ and how like­ly they are to be con­cerned with auto man­u­fac­tur­ing as an issue, among oth­ers.”
    2. Accord­ing to Ad Age, the RNC spent $983,000 between Jan­u­ary 2015 and Novem­ber 2016 for Deep Root’s ser­vices and $4.2 mil­lion for Tar­get­Point’s.
    3. The Deep Root Ana­lyt­ics expo­sure con­tains infor­ma­tion on more than half of the Amer­i­can pop­u­la­tion.

    http://thehill.com/policy/cybersecurity/338383-data-on-198-million-us-voters-left-exposed-to-the-internet-by-rnc-data

    Data on 198M vot­ers exposed by GOP con­trac­tor
    BY JOE UCHILL — 06/19/17 09:00 AM EDT
    A data ana­lyt­ics con­trac­tor employed by the Repub­li­can Nation­al Com­mit­tee (RNC) left data­bas­es con­tain­ing infor­ma­tion on near­ly 200 mil­lion poten­tial vot­ers exposed to the inter­net with­out secu­ri­ty, allow­ing any­one who knew where to look to down­load it with­out a pass­word. 

    “We take full respon­si­bil­i­ty for this sit­u­a­tion,” said the con­trac­tor, Deep Root Ana­lyt­ics, in a state­ment.  

    The data­bas­es were part of 25 ter­abytes of files con­tained in an Ama­zon cloud account that could be browsed with­out log­ging in. The account was dis­cov­ered by researcher Chris Vick­ery of the secu­ri­ty firm UpGuard. The files have since been secured. 

    Vickery is a prominent researcher in uncovering improperly secured files online. But, he said, this exposure is of a magnitude he has never seen before.
     
    “In terms of the disc space used, this is the biggest expo­sure I’ve found. In terms of the scope and depth, this is the biggest one I’ve found,” said Vick­ery. 
    The acces­si­ble files, accord­ing to UpGuard, con­tain a main 198 mil­lion-entry data­base with names, address­es of vot­ers and an “RNC ID” that can be used with oth­er exposed files to research indi­vid­u­als.

    For exam­ple, a 50-giga­byte file of “Post Elect 2016” infor­ma­tion, last updat­ed in mid-Jan­u­ary, con­tained mod­eled data about a voter’s like­ly posi­tions on 46 dif­fer­ent issues rang­ing from “how like­ly it is the indi­vid­ual vot­ed for Oba­ma in 2012, whether they agree with the Trump for­eign pol­i­cy of ‘Amer­i­ca First’ and how like­ly they are to be con­cerned with auto man­u­fac­tur­ing as an issue, among oth­ers.”

    That file appears in a fold­er titled “target_point,” an appar­ent ref­er­ence to anoth­er firm con­tract­ed by the RNC to crunch data. UpGuard spec­u­lates that the fold­er may imply that the firm Tar­get­Point com­piled and shared the data with Deep Root. Anoth­er fold­er appears to ref­er­ence Data Trust, anoth­er con­tract­ed firm. 

    UpGuard ana­lyst Dan O’Sul­li­van looked him­self up in the data­base and writes in the offi­cial report that the cal­cu­lat­ed pref­er­ences were, at least for him, right on the mon­ey. 

    “It is a tes­ta­ment both to their tal­ents, and to the real dan­ger of this expo­sure, that the results were astound­ing­ly accu­rate,” he said. 

    The Deep Root Ana­lyt­ics cloud serv­er had 25 ter­abytes of data exposed, includ­ing 1.1 ter­abytes avail­able for down­load. 

    Over the 2016 elec­tion sea­son, the RNC was a major client of Deep Root, one of a hand­ful firms it con­tact­ed for big data analy­sis. Firms like Deep Root Ana­lyt­ics use data from a vari­ety of sources to extrap­o­late social and polit­i­cal pref­er­ences of vot­ers to deter­mine how best to mar­ket to them. 

    Accord­ing to Ad Age, the RNC spent $983,000 between Jan­u­ary 2015 and Novem­ber 2016 for Deep Root’s ser­vices and $4.2 mil­lion for Tar­get­Point’s. 

    “Deep Root Ana­lyt­ics builds vot­er mod­els to help enhance adver­tis­er under­stand­ing of TV view­er­ship. The data accessed was not built for or used by any spe­cif­ic client. It is our pro­pri­etary analy­sis to help inform local tele­vi­sion ad buy­ing,” said Deep Root Ana­lyt­ics in their state­ment. 
    Mis­con­fig­ured cloud servers and online data­bas­es are a com­mon way for data to be acci­den­tal­ly left exposed to the pub­lic. Vick­ery has found every­thing from mil­i­tary engi­neer­ing plans to data­bas­es of believed ter­ror­ists in exact­ly this way.

    What is uncom­mon in this case is the size and scope of this expo­sure. If its records are accu­rate, the Deep Root Ana­lyt­ics expo­sure con­tains infor­ma­tion on more than half of the Amer­i­can pop­u­la­tion. It dwarfs the sec­ond-largest expo­sure of vot­er infor­ma­tion — 93.4 mil­lion records of Mex­i­can cit­i­zens — by more than 100 mil­lion vot­ers and tops the largest data breach of vot­er infor­ma­tion — 55 mil­lion records of Philip­pine vot­ers — by more than 140 mil­lion. 

    Anyone who knew the files’ web address could have accessed them. But without that knowledge, they are much harder to find. Even armed with a search for unsecured databases, finding exposures of any magnitude is tough work. Vickery sifts through a large number of unsecured databases to find ones that are interesting enough to publish research on.

    Deep Root has contracted the security firm Stroz Friedberg to perform a thorough investigation of the exposure.

    The expo­sure, between June 1 and June 14, was sealed shut short­ly after Vick­ery made the dis­cov­ery dur­ing the night of June 12 and noti­fied rel­e­vant reg­u­la­to­ry bod­ies. 

    Posted by Michelle Zucker | June 21, 2017, 7:00 pm
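    The article above attributes the exposure to a cloud storage account that “could be browsed without logging in”, and notes that misconfigured cloud servers are a common cause of accidental exposure. The check below is an added example, not code from The Hill, UpGuard or Deep Root Analytics: it statically inspects an S3-style bucket policy and ACL grant list (the shapes returned by `aws s3api get-bucket-policy` and `get-bucket-acl`) and reports every way an anonymous client could list or download the bucket. The bucket names, account id, role name and grantee id in the sample data are constructed placeholders; only the `AllUsers` group URI and the `s3:` action names are real AWS identifiers.

```python
"""Static public-exposure check for S3-style bucket access configuration.

Added example (not code from UpGuard, Deep Root or The Hill). It evaluates a
bucket policy document plus the bucket's ACL grants offline and returns the
ways an unauthenticated principal could list or read the bucket.
"""
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

# Real AWS grantee URI meaning "everyone, including anonymous users".
ALL_USERS_URI = "http://acs.amazonaws.com/groups/global/AllUsers"
# Policy actions that permit listing keys or downloading objects.
LIST_ACTIONS = {"s3:ListBucket", "s3:*", "*"}
READ_ACTIONS = {"s3:GetObject", "s3:*", "*"}


@dataclass
class Finding:
    source: str      # "policy" or "acl"
    permission: str  # "list" or "read"
    detail: str


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal) -> bool:
    # Principal "*" or {"AWS": "*"} grants to anyone, authenticated or not.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _grants(actions, wanted) -> bool:
    return any(a in wanted for a in _as_list(actions))


def public_exposure(policy_json: Optional[str], acl_grants: List[Dict]) -> List[Finding]:
    """Return each anonymous list/read path found in the policy or ACL."""
    findings: List[Finding] = []
    if policy_json:
        for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
            if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
                continue
            # A Condition (e.g. aws:SourceIp) narrows the grant; still flag it, but say so.
            tag = f"Sid={stmt.get('Sid', '?')}" + (" (conditional)" if stmt.get("Condition") else "")
            actions = stmt.get("Action", [])
            if _grants(actions, LIST_ACTIONS):
                findings.append(Finding("policy", "list", tag))
            if _grants(actions, READ_ACTIONS):
                findings.append(Finding("policy", "read", tag))
    for grant in acl_grants:
        if grant.get("Grantee", {}).get("URI") != ALL_USERS_URI:
            continue
        perm = grant.get("Permission")
        if perm in ("READ", "FULL_CONTROL"):
            # Bucket-level ACL READ lets anyone enumerate the keys.
            findings.append(Finding("acl", "list", f"AllUsers {perm}"))
    return findings


# Constructed sample: the misconfiguration pattern the article describes
# (anyone may list and download), with placeholder bucket name.
EXPOSED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadListing",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
})
EXPOSED_ACL = [{"Grantee": {"Type": "Group", "URI": ALL_USERS_URI}, "Permission": "READ"}]

# Constructed sample: same bucket, access limited to one (placeholder) IAM role.
LOCKED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AnalystsOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-analyst"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
})
LOCKED_ACL = [{"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE_OWNER_ID"}, "Permission": "FULL_CONTROL"}]

if __name__ == "__main__":
    for label, pol, acl in (("exposed", EXPOSED_POLICY, EXPOSED_ACL), ("locked", LOCKED_POLICY, LOCKED_ACL)):
        print(label, [(f.source, f.permission, f.detail) for f in public_exposure(pol, acl)])
```

    Run against a real bucket, the same function would take the JSON from `get-bucket-policy` and the `Grants` array from `get-bucket-acl`; an empty result is the state the article says the files were moved to after UpGuard’s notification. Public-access block settings, which sit outside both the policy and the ACL, are a separate control and are not evaluated here.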
  10. @Michelle Zuck­er–

    Pter­rafractyl con­tributed this infor­ma­tion, plus some addi­tion­al, edi­fy­ing points that you might want to peruse.

    Best,

    Dave

    Posted by Dave Emory | June 21, 2017, 7:42 pm
  11. The Washington Post has a big new piece on the US’s investigation into the 2016 election hacks that contains a number of interesting revelations, both in terms of how the US government came to the . And overall, perhaps the biggest revelation is how little the technical evidence of the hack had to do with the final conclusion that the Russian government was behind the attacks. Instead, it sounds like that conclusion was based on a CIA source in the Kremlin. And even when that intelligence was delivered, other agencies weren’t ready to accept the CIA’s conclusion, and it took intelligence from another nation (not named) to provide the final intelligence tipping point that led to a broad-based conclusion that not only was the Russian government behind the cyberattacks but that Vladimir Putin himself ordered it. And that ally’s intelligence is described as “the most critical technical intelligence on Russia”, and the NSA still wasn’t convinced, based on what sounds like a lack of confidence in that source. So it looks like a CIA Kremlin source and an unnamed foreign intelligence agency with questionable credentials are the basis of what appears to be a likely future full-scale US/Russian cyberwar.

    Beyond that, the piece describes the fears of those top US officials examining this issue over the summer of 2016, and it sounds like many were concerned that the DNC hacks really were just a warm-up to a much broader full-scale cyberwar against the US election that would have included hacking the election systems and disrupting the vote. So that gives us a sense of the mindset (or at least projected mindset) of top government officials: at least some were convinced that Putin was so pissed off at the prospect of Hillary Clinton becoming President that he was willing to launch a cyberwar. A cyberwar that would undoubtedly provoke a serious response and obviously be very difficult to contain.

    Finally, the piece ends with a description of what appears to be the most significant US response to the alleged Russian government role in the hacks: the US has already planted a number of ‘cyberbombs’ on Russian networks intended to be very painful if used and capable of being remotely triggered in response to a future Russian cyberattack. It could be an attack on the US electrical grid or a future election. But those ‘cyberbombs’ are apparently being put in place now, and the order has been given to trigger them in the future without a presidential order. Unless Donald Trump rescinds that order.

    So based on a CIA Krem­lin source and the intel­li­gence from a mys­tery ally the US is open­ly plant­i­ng retal­ia­to­ry cyber­bombs on Russ­ian net­works. What could pos­si­bly go wrong:

    The Wash­ing­ton Post

    Obama’s secret strug­gle to pun­ish Rus­sia for Putin’s elec­tion assault

    By Greg Miller, Ellen Nakashima and Adam Entous
    June 23, 2017

    Ear­ly last August, an enve­lope with extra­or­di­nary han­dling restric­tions arrived at the White House. Sent by couri­er from the CIA, it car­ried “eyes only” instruc­tions that its con­tents be shown to just four peo­ple: Pres­i­dent Barack Oba­ma and three senior aides.

    Inside was an intel­li­gence bomb­shell, a report drawn from sourc­ing deep inside the Russ­ian gov­ern­ment that detailed Russ­ian Pres­i­dent Vladimir Putin’s direct involve­ment in a cyber cam­paign to dis­rupt and dis­cred­it the U.S. pres­i­den­tial race.

    But it went fur­ther. The intel­li­gence cap­tured Putin’s spe­cif­ic instruc­tions on the operation’s auda­cious objec­tives — defeat or at least dam­age the Demo­c­ra­t­ic nom­i­nee, Hillary Clin­ton, and help elect her oppo­nent, Don­ald Trump.

    At that point, the out­lines of the Russ­ian assault on the U.S. elec­tion were increas­ing­ly appar­ent. Hack­ers with ties to Russ­ian intel­li­gence ser­vices had been rum­mag­ing through Demo­c­ra­t­ic Par­ty com­put­er net­works, as well as some Repub­li­can sys­tems, for more than a year. In July, the FBI had opened an inves­ti­ga­tion of con­tacts between Russ­ian offi­cials and Trump asso­ciates. And on July 22, near­ly 20,000 emails stolen from the Demo­c­ra­t­ic Nation­al Com­mit­tee were dumped online by Wik­iLeaks.

    But at the high­est lev­els of gov­ern­ment, among those respon­si­ble for man­ag­ing the cri­sis, the first moment of true fore­bod­ing about Russia’s inten­tions arrived with that CIA intel­li­gence.

    The mate­r­i­al was so sen­si­tive that CIA Direc­tor John Bren­nan kept it out of the President’s Dai­ly Brief, con­cerned that even that restrict­ed report’s dis­tri­b­u­tion was too broad. The CIA pack­age came with instruc­tions that it be returned imme­di­ate­ly after it was read. To guard against leaks, sub­se­quent meet­ings in the Sit­u­a­tion Room fol­lowed the same pro­to­cols as plan­ning ses­sions for the Osama bin Laden raid.

    It took time for oth­er parts of the intel­li­gence com­mu­ni­ty to endorse the CIA’s view. Only in the administration’s final weeks in office did it tell the pub­lic, in a declas­si­fied report, what offi­cials had learned from Bren­nan in August — that Putin was work­ing to elect Trump.

    Over that five-month inter­val, the Oba­ma admin­is­tra­tion secret­ly debat­ed dozens of options for deter­ring or pun­ish­ing Rus­sia, includ­ing cyber­at­tacks on Russ­ian infra­struc­ture, the release of CIA-gath­ered mate­r­i­al that might embar­rass Putin and sanc­tions that offi­cials said could “crater” the Russ­ian econ­o­my.

    But in the end, in late Decem­ber, Oba­ma approved a mod­est pack­age com­bin­ing mea­sures that had been drawn up to pun­ish Rus­sia for oth­er issues — expul­sions of 35 diplo­mats and the clo­sure of two Russ­ian com­pounds — with eco­nom­ic sanc­tions so nar­row­ly tar­get­ed that even those who helped design them describe their impact as large­ly sym­bol­ic.

    Oba­ma also approved a pre­vi­ous­ly undis­closed covert mea­sure that autho­rized plant­i­ng cyber weapons in Russia’s infra­struc­ture, the dig­i­tal equiv­a­lent of bombs that could be det­o­nat­ed if the Unit­ed States found itself in an esca­lat­ing exchange with Moscow. The project, which Oba­ma approved in a covert-action find­ing, was still in its plan­ning stages when Oba­ma left office. It would be up to Pres­i­dent Trump to decide whether to use the capa­bil­i­ty.

    In polit­i­cal terms, Russia’s inter­fer­ence was the crime of the cen­tu­ry, an unprece­dent­ed and large­ly suc­cess­ful desta­bi­liz­ing attack on Amer­i­can democ­ra­cy. It was a case that took almost no time to solve, traced to the Krem­lin through cyber-foren­sics and intel­li­gence on Putin’s involve­ment. And yet, because of the diver­gent ways Oba­ma and Trump have han­dled the mat­ter, Moscow appears unlike­ly to face pro­por­tion­ate con­se­quences.

    Those clos­est to Oba­ma defend the administration’s response to Russia’s med­dling. They note that by August it was too late to pre­vent the trans­fer to Wik­iLeaks and oth­er groups of the troves of emails that would spill out in the ensu­ing months. They believe that a series of warn­ings — includ­ing one that Oba­ma deliv­ered to Putin in Sep­tem­ber — prompt­ed Moscow to aban­don any plans of fur­ther aggres­sion, such as sab­o­tage of U.S. vot­ing sys­tems.

    Denis McDo­nough, who served as Obama’s chief of staff, said that the admin­is­tra­tion regard­ed Russia’s inter­fer­ence as an attack on the “heart of our sys­tem.”

    “We set out from a first-order prin­ci­ple that required us to defend the integri­ty of the vote,” McDo­nough said in an inter­view. “Impor­tant­ly, we did that. It’s also impor­tant to estab­lish what hap­pened and what they attempt­ed to do so as to ensure that we take the steps nec­es­sary to stop it from hap­pen­ing again.”

    But oth­er admin­is­tra­tion offi­cials look back on the Rus­sia peri­od with remorse.

    “It is the hard­est thing about my entire time in gov­ern­ment to defend,” said a for­mer senior Oba­ma admin­is­tra­tion offi­cial involved in White House delib­er­a­tions on Rus­sia. “I feel like we sort of choked.”

    ...

    This account of the Oba­ma administration’s response to Russia’s inter­fer­ence is based on inter­views with more than three dozen cur­rent and for­mer U.S. offi­cials in senior posi­tions in gov­ern­ment, includ­ing at the White House, the State, Defense and Home­land Secu­ri­ty depart­ments, and U.S. intel­li­gence ser­vices. Most agreed to speak only on the con­di­tion of anonymi­ty, cit­ing the sen­si­tiv­i­ty of the issue.

    The White House, the CIA, the FBI, the Nation­al Secu­ri­ty Agency and the Office of the Direc­tor of Nation­al Intel­li­gence declined to com­ment.

    ‘Deeply con­cerned’

    The CIA break­through came at a stage of the pres­i­den­tial cam­paign when Trump had secured the GOP nom­i­na­tion but was still regard­ed as a dis­tant long shot. Clin­ton held com­fort­able leads in major polls, and Oba­ma expect­ed that he would be trans­fer­ring pow­er to some­one who had served in his Cab­i­net.

    The intel­li­gence on Putin was extra­or­di­nary on mul­ti­ple lev­els, includ­ing as a feat of espi­onage.

    For spy agen­cies, gain­ing insights into the inten­tions of for­eign lead­ers is among the high­est pri­or­i­ties. But Putin is a remark­ably elu­sive tar­get. A for­mer KGB offi­cer, he takes extreme pre­cau­tions to guard against sur­veil­lance, rarely com­mu­ni­cat­ing by phone or com­put­er, always run­ning sen­si­tive state busi­ness from deep with­in the con­fines of the Krem­lin.

    The Wash­ing­ton Post is with­hold­ing some details of the intel­li­gence at the request of the U.S. gov­ern­ment.

    In ear­ly August, Bren­nan alert­ed senior White House offi­cials to the Putin intel­li­gence, mak­ing a call to deputy nation­al secu­ri­ty advis­er Avril Haines and pulling nation­al secu­ri­ty advis­er Susan E. Rice aside after a meet­ing before brief­ing Oba­ma along with Rice, Haines and McDo­nough in the Oval Office.

    Offi­cials described the president’s reac­tion as grave. Oba­ma “was deeply con­cerned and want­ed as much infor­ma­tion as fast as pos­si­ble,” a for­mer offi­cial said. “He want­ed the entire intel­li­gence com­mu­ni­ty all over this.”

    Con­cerns about Russ­ian inter­fer­ence had gath­ered through­out the sum­mer.

    Rus­sia experts had begun to see a trou­bling pat­tern of pro­pa­gan­da in which fic­ti­tious news sto­ries, assumed to be gen­er­at­ed by Moscow, pro­lif­er­at­ed across social-media plat­forms.

    Offi­cials at the State Depart­ment and FBI became alarmed by an unusu­al spike in requests from Rus­sia for tem­po­rary visas for offi­cials with tech­ni­cal skills seek­ing per­mis­sion to enter the Unit­ed States for short-term assign­ments at Russ­ian facil­i­ties. At the FBI’s behest, the State Depart­ment delayed approv­ing the visas until after the elec­tion.

    Mean­while, the FBI was track­ing a flur­ry of hack­ing activ­i­ty against U.S. polit­i­cal par­ties, think tanks and oth­er tar­gets. Rus­sia had gained entry to DNC sys­tems in the sum­mer of 2015 and spring of 2016, but the breach­es did not become pub­lic until they were dis­closed in a June 2016 report by The Post.

    Even after the late-July Wik­iLeaks dump, which came on the eve of the Demo­c­ra­t­ic con­ven­tion and led to the res­ig­na­tion of Rep. Deb­bie Wasser­man Schultz (D‑Fla.) as the DNC’s chair­woman, U.S. intel­li­gence offi­cials con­tin­ued to express uncer­tain­ty about who was behind the hacks or why they were car­ried out.

    At a pub­lic secu­ri­ty con­fer­ence in Aspen, Colo., in late July, Direc­tor of Nation­al Intel­li­gence James R. Clap­per Jr. not­ed that Rus­sia had a long his­to­ry of med­dling in Amer­i­can elec­tions but that U.S. spy agen­cies were not ready to “make the call on attri­bu­tion” for what was hap­pen­ing in 2016.

    “We don’t know enough ... to ascribe moti­va­tion,” Clap­per said. “Was this just to stir up trou­ble or was this ulti­mate­ly to try to influ­ence an elec­tion?”

    Bren­nan con­vened a secret task force at CIA head­quar­ters com­posed of sev­er­al dozen ana­lysts and offi­cers from the CIA, the NSA and the FBI.

    The unit func­tioned as a sealed com­part­ment, its work hid­den from the rest of the intel­li­gence com­mu­ni­ty. Those brought in signed new non-dis­clo­sure agree­ments to be grant­ed access to intel­li­gence from all three par­tic­i­pat­ing agen­cies.

    They worked exclu­sive­ly for two groups of “cus­tomers,” offi­cials said. The first was Oba­ma and few­er than 14 senior offi­cials in gov­ern­ment. The sec­ond was a team of oper­a­tions spe­cial­ists at the CIA, NSA and FBI who took direc­tion from the task force on where to aim their sub­se­quent efforts to col­lect more intel­li­gence on Rus­sia.

    Don’t make things worse

    The secre­cy extend­ed into the White House.

    Rice, Haines and White House home­land-secu­ri­ty advis­er Lisa Mona­co con­vened meet­ings in the Sit­u­a­tion Room to weigh the mount­ing evi­dence of Russ­ian inter­fer­ence and gen­er­ate options for how to respond. At first, only four senior secu­ri­ty offi­cials were allowed to attend: Bren­nan, Clap­per, Attor­ney Gen­er­al Loret­ta E. Lynch and FBI Direc­tor James B. Comey. Aides ordi­nar­i­ly allowed entry as “plus-ones” were barred.

    Grad­u­al­ly, the cir­cle widened to include Vice Pres­i­dent Biden and oth­ers. Agen­das sent to Cab­i­net sec­re­taries — includ­ing John F. Ker­ry at the State Depart­ment and Ash­ton B. Carter at the Pen­ta­gon — arrived in envelopes that sub­or­di­nates were not sup­posed to open. Some­times the agen­das were with­held until par­tic­i­pants had tak­en their seats in the Sit­u­a­tion Room.

    Through­out his pres­i­den­cy, Obama’s approach to nation­al secu­ri­ty chal­lenges was delib­er­ate and cau­tious. He came into office seek­ing to end wars in Iraq and Afghanistan. He was loath to act with­out sup­port from allies over­seas and firm polit­i­cal foot­ing at home. He was drawn only reluc­tant­ly into for­eign crises, such as the civ­il war in Syr­ia, that pre­sent­ed no clear exit for the Unit­ed States.

    Obama’s approach often seemed reducible to a sin­gle imper­a­tive: Don’t make things worse. As brazen as the Russ­ian attacks on the elec­tion seemed, Oba­ma and his top advis­ers feared that things could get far worse.

    They were con­cerned that any pre-elec­tion response could pro­voke an esca­la­tion from Putin. Moscow’s med­dling to that point was seen as deeply con­cern­ing but unlike­ly to mate­ri­al­ly affect the out­come of the elec­tion. Far more wor­ri­some to the Oba­ma team was the prospect of a cyber-assault on vot­ing sys­tems before and on Elec­tion Day.

    They also wor­ried that any action they took would be per­ceived as polit­i­cal inter­fer­ence in an already volatile cam­paign. By August, Trump was pre­dict­ing that the elec­tion would be rigged. Oba­ma offi­cials feared pro­vid­ing fuel to such claims, play­ing into Russia’s efforts to dis­cred­it the out­come and poten­tial­ly con­t­a­m­i­nat­ing the expect­ed Clin­ton tri­umph.

    Before depart­ing for an August vaca­tion to Martha’s Vine­yard, Oba­ma instruct­ed aides to pur­sue ways to deter Moscow and pro­ceed along three main paths: Get a high-con­fi­dence assess­ment from U.S. intel­li­gence agen­cies on Russia’s role and intent; shore up any vul­ner­a­bil­i­ties in state-run elec­tion sys­tems; and seek bipar­ti­san sup­port from con­gres­sion­al lead­ers for a state­ment con­demn­ing Moscow and urg­ing states to accept fed­er­al help.

    The admin­is­tra­tion encoun­tered obsta­cles at every turn.

    Despite the intel­li­gence the CIA had pro­duced, oth­er agen­cies were slow­er to endorse a con­clu­sion that Putin was per­son­al­ly direct­ing the oper­a­tion and want­ed to help Trump. “It was def­i­nite­ly com­pelling, but it was not defin­i­tive,” said one senior admin­is­tra­tion offi­cial. “We need­ed more.”

    Some of the most crit­i­cal tech­ni­cal intel­li­gence on Rus­sia came from anoth­er coun­try, offi­cials said. Because of the source of the mate­r­i­al, the NSA was reluc­tant to view it with high con­fi­dence.

    Bren­nan moved swift­ly to sched­ule pri­vate brief­in­gs with con­gres­sion­al lead­ers. But get­ting appoint­ments with cer­tain Repub­li­cans proved dif­fi­cult, offi­cials said, and it was not until after Labor Day that Bren­nan had reached all mem­bers of the “Gang of Eight” — the major­i­ty and minor­i­ty lead­ers of both hous­es and the chair­men and rank­ing Democ­rats on the Sen­ate and House intel­li­gence com­mit­tees.

    Jeh John­son, the home­land-secu­ri­ty sec­re­tary, was respon­si­ble for find­ing out whether the gov­ern­ment could quick­ly shore up the secu­ri­ty of the nation’s archa­ic patch­work of vot­ing sys­tems. He float­ed the idea of des­ig­nat­ing state mech­a­nisms “crit­i­cal infra­struc­ture,” a label that would have enti­tled states to receive pri­or­i­ty in fed­er­al cyber­se­cu­ri­ty assis­tance, putting them on a par with U.S. defense con­trac­tors and finan­cial net­works.

    On Aug. 15, John­son arranged a con­fer­ence call with dozens of state offi­cials, hop­ing to enlist their sup­port. He ran into a wall of resis­tance.

    The reac­tion “ranged from neu­tral to neg­a­tive,” John­son said in con­gres­sion­al tes­ti­mo­ny Wednes­day.

    Bri­an Kemp, the Repub­li­can sec­re­tary of state of Geor­gia, used the call to denounce Johnson’s pro­pos­al as an assault on state rights. “I think it was a polit­i­cal­ly cal­cu­lat­ed move by the pre­vi­ous admin­is­tra­tion,” Kemp said in a recent inter­view, adding that he remains uncon­vinced that Rus­sia waged a cam­paign to dis­rupt the 2016 race. “I don’t nec­es­sar­i­ly believe that,” he said.

    Stung by the reac­tion, the White House turned to Con­gress for help, hop­ing that a bipar­ti­san appeal to states would be more effec­tive.

    In ear­ly Sep­tem­ber, John­son, Comey and Mona­co arrived on Capi­tol Hill in a car­a­van of black SUVs for a meet­ing with 12 key mem­bers of Con­gress, includ­ing the lead­er­ship of both par­ties.

    The meet­ing devolved into a par­ti­san squab­ble.

    “The Dems were, ‘Hey, we have to tell the public,’” recalled one participant. But Republicans resisted, arguing that to warn the public that the election was under attack would further Russia’s aim of sapping confidence in the system.

    Sen­ate Major­i­ty Leader Mitch McConnell (R‑Ky.) went fur­ther, offi­cials said, voic­ing skep­ti­cism that the under­ly­ing intel­li­gence tru­ly sup­port­ed the White House’s claims. Through a spokes­woman, McConnell declined to com­ment, cit­ing the secre­cy of that meet­ing.

    Key Democ­rats were stunned by the GOP response and exas­per­at­ed that the White House seemed will­ing to let Repub­li­can oppo­si­tion block any pre-elec­tion move.

    On Sept. 22, two Cal­i­for­nia Democ­rats — Sen. Dianne Fein­stein and Rep. Adam B. Schiff — did what they couldn’t get the White House to do. They issued a state­ment mak­ing clear that they had learned from intel­li­gence brief­in­gs that Rus­sia was direct­ing a cam­paign to under­mine the elec­tion, but they stopped short of say­ing to what end.

    A week lat­er, McConnell and oth­er con­gres­sion­al lead­ers issued a cau­tious state­ment that encour­aged state elec­tion offi­cials to ensure their net­works were “secure from attack.” The release made no men­tion of Rus­sia and empha­sized that the law­mak­ers “would oppose any effort by the fed­er­al gov­ern­ment” to encroach on the states’ author­i­ties.

    When U.S. spy agen­cies reached unan­i­mous agree­ment in late Sep­tem­ber that the inter­fer­ence was a Russ­ian oper­a­tion direct­ed by Putin, Oba­ma direct­ed spy chiefs to pre­pare a pub­lic state­ment sum­ma­riz­ing the intel­li­gence in broad strokes.

    With Oba­ma still deter­mined to avoid any appear­ance of pol­i­tics, the state­ment would not car­ry his sig­na­ture.

    On Oct. 7, the admin­is­tra­tion offered its first pub­lic com­ment on Russia’s “active mea­sures,” in a three-para­graph state­ment issued by John­son and Clap­per. Comey had ini­tial­ly agreed to attach his name, as well, offi­cials said, but changed his mind at the last minute, say­ing that it was too close to the elec­tion for the bureau to be involved.

    “The U.S. intel­li­gence com­mu­ni­ty is con­fi­dent that the Russ­ian gov­ern­ment direct­ed the recent com­pro­mis­es of e‑mails from U.S. per­sons and insti­tu­tions, includ­ing from U.S. polit­i­cal orga­ni­za­tions,” the state­ment said. “We believe, based on the scope and sen­si­tiv­i­ty of these efforts, that only Russia’s senior-most offi­cials could have autho­rized these activ­i­ties.”

    Ear­ly drafts accused Putin by name, but the ref­er­ence was removed out of con­cern that it might endan­ger intel­li­gence sources and meth­ods.

    The state­ment was issued around 3:30 p.m., timed for max­i­mum media cov­er­age. Instead, it was quick­ly drowned out. At 4 p.m., The Post pub­lished a sto­ry about crude com­ments Trump had made about women that were cap­tured on an “Access Hol­ly­wood” tape. Half an hour lat­er, Wik­iLeaks pub­lished its first batch of emails stolen from Clin­ton cam­paign chair­man John Podes­ta.

    ...

    ‘Ample time’ after elec­tion

    The Sit­u­a­tion Room is actu­al­ly a com­plex of secure spaces in the base­ment lev­el of the West Wing. A video feed from the main room cours­es through some Nation­al Secu­ri­ty Coun­cil offices, allow­ing senior aides sit­ting at their desks to see — but not hear — when meet­ings are under­way.

    As the Rus­sia-relat­ed ses­sions with Cab­i­net mem­bers began in August, the video feed was shut off. The last time that had hap­pened on a sus­tained basis, offi­cials said, was in the spring of 2011 dur­ing the run-up to the U.S. Spe­cial Oper­a­tions raid on bin Laden’s com­pound in Pak­istan.

    The blacked-out screens were seen as an omi­nous sign among low­er-lev­el White House offi­cials who were large­ly kept in the dark about the Rus­sia delib­er­a­tions even as they were tasked with gen­er­at­ing options for retal­i­a­tion against Moscow.

    Much of that work was led by the Cyber Response Group, an NSC unit with rep­re­sen­ta­tives from the CIA, NSA, State Depart­ment and Pen­ta­gon.

    The ear­ly options they dis­cussed were ambi­tious. They looked at sec­tor­wide eco­nom­ic sanc­tions and cyber­at­tacks that would take Russ­ian net­works tem­porar­i­ly offline. One offi­cial infor­mal­ly sug­gest­ed — though nev­er for­mal­ly pro­posed — mov­ing a U.S. naval car­ri­er group into the Baltic Sea as a sym­bol of resolve.

    What those low­er-lev­el offi­cials did not know was that the prin­ci­pals and their deputies had by late Sep­tem­ber all but ruled out any pre-elec­tion retal­i­a­tion against Moscow. They feared that any action would be seen as polit­i­cal and that Putin, moti­vat­ed by a seething resent­ment of Clin­ton, was pre­pared to go beyond fake news and email dumps.

    The FBI had detect­ed sus­pect­ed Russ­ian attempts to pen­e­trate elec­tion sys­tems in 21 states, and at least one senior White House offi­cial assumed that Moscow would try all 50, offi­cials said. Some offi­cials believed the attempts were meant to be detect­ed to unnerve the Amer­i­cans. The patch­work nature of the Unit­ed States’ 3,000 or so vot­ing juris­dic­tions would make it hard for Rus­sia to swing the out­come, but Moscow could still sow chaos.

    “We turned to oth­er sce­nar­ios” the Rus­sians might attempt, said Michael Daniel, who was cyber­se­cu­ri­ty coor­di­na­tor at the White House, “such as dis­rupt­ing the vot­er rolls, delet­ing every 10th vot­er [from reg­istries] or flip­ping two dig­its in everybody’s address.”

    The White House also wor­ried that they had not yet seen the worst of Russia’s cam­paign. Wik­iLeaks and DCLeaks, a web­site set up in June 2016 by hack­ers believed to be Russ­ian oper­a­tives, already had troves of emails. But U.S. offi­cials feared that Rus­sia had more explo­sive mate­r­i­al or was will­ing to fab­ri­cate it.

    “Our pri­ma­ry inter­est in August, Sep­tem­ber and Octo­ber was to pre­vent them from doing the max they could do,” said a senior admin­is­tra­tion offi­cial. “We made the judg­ment that we had ample time after the elec­tion, regard­less of out­come, for puni­tive mea­sures.”

    The assump­tion that Clin­ton would win con­tributed to the lack of urgency.

    Instead, the admin­is­tra­tion issued a series of warn­ings.

    Bren­nan deliv­ered the first on Aug. 4 in a blunt phone call with Alexan­der Bort­nikov, the direc­tor of the FSB, Russia’s pow­er­ful secu­ri­ty ser­vice.

    A month lat­er, Oba­ma con­front­ed Putin direct­ly dur­ing a meet­ing of world lead­ers in Hangzhou, Chi­na. Accom­pa­nied only by inter­preters, Oba­ma told Putin that “we knew what he was doing and [he] bet­ter stop or else,” accord­ing to a senior aide who sub­se­quent­ly spoke with Oba­ma. Putin respond­ed by demand­ing proof and accus­ing the Unit­ed States of inter­fer­ing in Russia’s inter­nal affairs.

    In a sub­se­quent news con­fer­ence, Oba­ma allud­ed to the exchange and issued a veiled threat. “We’re mov­ing into a new era here where a num­ber of coun­tries have sig­nif­i­cant capac­i­ties,” he said. “Frankly, we’ve got more capac­i­ty than any­body both offen­sive­ly and defen­sive­ly.”

    There were at least two oth­er warn­ings.

    On Oct. 7, the day that the Clapper-Johnson statement was released, Rice summoned Russian Ambassador Sergey Kislyak to the White House and handed him a message to relay to Putin.

    Then, on Oct. 31, the admin­is­tra­tion deliv­ered a final pre-elec­tion mes­sage via a secure chan­nel to Moscow orig­i­nal­ly cre­at­ed to avert a nuclear exchange. The mes­sage not­ed that the Unit­ed States had detect­ed mali­cious activ­i­ty, orig­i­nat­ing from servers in Rus­sia, tar­get­ing U.S. elec­tion sys­tems and warned that med­dling would be regard­ed as unac­cept­able inter­fer­ence. Rus­sia con­firmed the next day that it had received the mes­sage but replied only after the elec­tion through the same chan­nel, deny­ing the accu­sa­tion.

    As Elec­tion Day approached, pro­po­nents of tak­ing action against Rus­sia made final, futile appeals to Obama’s top aides: McDo­nough, Rice and Haines. Because their offices were part of a suite of spaces in the West Wing, secur­ing their sup­port on any nation­al secu­ri­ty issue came to be known as “mov­ing the suite.”

    One of the last to try before the elec­tion was Ker­ry. Often per­ceived as reluc­tant to con­front Rus­sia, in part to pre­serve his attempts to nego­ti­ate a Syr­ia peace deal, Ker­ry was at crit­i­cal moments one of the lead­ing hawks.

    In Octo­ber, Kerry’s top aides had pro­duced an “action memo” that includ­ed a pack­age of retal­ia­to­ry mea­sures includ­ing eco­nom­ic sanc­tions. Know­ing the White House was not will­ing to act before the elec­tion, the plan called for the mea­sures to be announced almost imme­di­ate­ly after votes had been secure­ly cast and count­ed.

    Ker­ry signed the memo and urged the White House to con­vene a prin­ci­pals meet­ing to dis­cuss the plan, offi­cials said. “The response was basi­cal­ly, ‘Not now,’” one offi­cial said.

    Elec­tion Day arrived with­out penal­ty for Moscow.

    ...

    A U.S. cyber-weapon

    The most dif­fi­cult mea­sure to eval­u­ate is one that Oba­ma allud­ed to in only the most oblique fash­ion when announc­ing the U.S. response.

    “We will con­tin­ue to take a vari­ety of actions at a time and place of our choos­ing, some of which will not be pub­li­cized,” he said in a state­ment released by the White House.

    He was refer­ring, in part, to a cyber oper­a­tion that was designed to be detect­ed by Moscow but not cause sig­nif­i­cant dam­age, offi­cials said. The oper­a­tion, which entailed implant­i­ng com­put­er code in sen­si­tive com­put­er sys­tems that Rus­sia was bound to find, served only as a reminder to Moscow of the Unit­ed States’ cyber reach.

    But Oba­ma also signed the secret find­ing, offi­cials said, autho­riz­ing a new covert pro­gram involv­ing the NSA, CIA and U.S. Cyber Com­mand.

    Oba­ma declined to com­ment for this arti­cle, but a spokesman issued a state­ment: “This sit­u­a­tion was tak­en extreme­ly seri­ous­ly, as is evi­dent by Pres­i­dent Oba­ma rais­ing this issue direct­ly with Pres­i­dent Putin; 17 intel­li­gence agen­cies issu­ing an extra­or­di­nary pub­lic state­ment; our home­land secu­ri­ty offi­cials work­ing relent­less­ly to bol­ster the cyber defens­es of vot­ing infra­struc­ture around the coun­try; the Pres­i­dent direct­ing a com­pre­hen­sive intel­li­gence review, and ulti­mate­ly issu­ing a robust response includ­ing shut­ting down two Russ­ian com­pounds, sanc­tion­ing nine Russ­ian enti­ties and indi­vid­u­als, and eject­ing 35 Russ­ian diplo­mats from the coun­try.”

    The cyber oper­a­tion is still in its ear­ly stages and involves deploy­ing “implants” in Russ­ian net­works deemed “impor­tant to the adver­sary and that would cause them pain and dis­com­fort if they were dis­rupt­ed,” a for­mer U.S. offi­cial said.

    The implants were developed by the NSA and designed so that they could be triggered remotely as part of a retaliatory cyber-strike in the face of Russian aggression, whether an attack on a power grid or interference in a future presidential race.

    Offi­cials famil­iar with the mea­sures said that there was con­cern among some in the admin­is­tra­tion that the dam­age caused by the implants could be dif­fi­cult to con­tain.

    As a result, the admin­is­tra­tion request­ed a legal review, which con­clud­ed that the devices could be con­trolled well enough that their deploy­ment would be con­sid­ered “pro­por­tion­al” in vary­ing sce­nar­ios of Russ­ian provo­ca­tion, a require­ment under inter­na­tion­al law.

    The oper­a­tion was described as long-term, tak­ing months to posi­tion the implants and requir­ing main­te­nance there­after. Under the rules of covert action, Obama’s sig­na­ture was all that was nec­es­sary to set the oper­a­tion in motion.

    U.S. intel­li­gence agen­cies do not need fur­ther approval from Trump, and offi­cials said that he would have to issue a coun­ter­mand­ing order to stop it. The offi­cials said that they have seen no indi­ca­tion that Trump has done so.

    ———-

    “Obama’s secret strug­gle to pun­ish Rus­sia for Putin’s elec­tion assault” by Greg Miller, Ellen Nakashima and Adam Entous; The Wash­ing­ton Post; 06/23/2017

    “Inside was an intel­li­gence bomb­shell, a report drawn from sourc­ing deep inside the Russ­ian gov­ern­ment that detailed Russ­ian Pres­i­dent Vladimir Putin’s direct involve­ment in a cyber cam­paign to dis­rupt and dis­cred­it the U.S. pres­i­den­tial race.”

    So a CIA deep Russian government source is the primary source of the ‘Putin ordered it’ conclusion. Well, at least that’s better than the bad joke technical evidence that’s been provided thus far. But even that source’s claims apparently weren’t enough to convince other parts of the intelligence community. It took the intelligence from the unnamed ally to do that:

    ...
    But it went fur­ther. The intel­li­gence cap­tured Putin’s spe­cif­ic instruc­tions on the operation’s auda­cious objec­tives — defeat or at least dam­age the Demo­c­ra­t­ic nom­i­nee, Hillary Clin­ton, and help elect her oppo­nent, Don­ald Trump.

    At that point, the out­lines of the Russ­ian assault on the U.S. elec­tion were increas­ing­ly appar­ent. Hack­ers with ties to Russ­ian intel­li­gence ser­vices had been rum­mag­ing through Demo­c­ra­t­ic Par­ty com­put­er net­works, as well as some Repub­li­can sys­tems, for more than a year. In July, the FBI had opened an inves­ti­ga­tion of con­tacts between Russ­ian offi­cials and Trump asso­ciates. And on July 22, near­ly 20,000 emails stolen from the Demo­c­ra­t­ic Nation­al Com­mit­tee were dumped online by Wik­iLeaks.

    But at the high­est lev­els of gov­ern­ment, among those respon­si­ble for man­ag­ing the cri­sis, the first moment of true fore­bod­ing about Russia’s inten­tions arrived with that CIA intel­li­gence.

    ...

    It took time for oth­er parts of the intel­li­gence com­mu­ni­ty to endorse the CIA’s view. Only in the administration’s final weeks in office did it tell the pub­lic, in a declas­si­fied report, what offi­cials had learned from Bren­nan in August — that Putin was work­ing to elect Trump.

    ...

    Despite the intel­li­gence the CIA had pro­duced, oth­er agen­cies were slow­er to endorse a con­clu­sion that Putin was per­son­al­ly direct­ing the oper­a­tion and want­ed to help Trump. “It was def­i­nite­ly com­pelling, but it was not defin­i­tive,” said one senior admin­is­tra­tion offi­cial. “We need­ed more.”

    Some of the most crit­i­cal tech­ni­cal intel­li­gence on Rus­sia came from anoth­er coun­try, offi­cials said. Because of the source of the mate­r­i­al, the NSA was reluc­tant to view it with high con­fi­dence.
    ...

    “Some of the most crit­i­cal tech­ni­cal intel­li­gence on Rus­sia came from anoth­er coun­try, offi­cials said. Because of the source of the mate­r­i­al, the NSA was reluc­tant to view it with high con­fi­dence.”

    That sure sounds like a ‘slam dunk’ case. And not the good kind. And based on these intel­li­gence sources, the US is open­ly plant­i­ng retal­ia­to­ry cyber­bombs on Russ­ian net­works:

    ...
    But Oba­ma also signed the secret find­ing, offi­cials said, autho­riz­ing a new covert pro­gram involv­ing the NSA, CIA and U.S. Cyber Com­mand.

    ...

    The cyber oper­a­tion is still in its ear­ly stages and involves deploy­ing “implants” in Russ­ian net­works deemed “impor­tant to the adver­sary and that would cause them pain and dis­com­fort if they were dis­rupt­ed,” a for­mer U.S. offi­cial said.

    The implants were developed by the NSA and designed so that they could be triggered remotely as part of a retaliatory cyber-strike in the face of Russian aggression, whether an attack on a power grid or interference in a future presidential race.

    Offi­cials famil­iar with the mea­sures said that there was con­cern among some in the admin­is­tra­tion that the dam­age caused by the implants could be dif­fi­cult to con­tain.

    As a result, the admin­is­tra­tion request­ed a legal review, which con­clud­ed that the devices could be con­trolled well enough that their deploy­ment would be con­sid­ered “pro­por­tion­al” in vary­ing sce­nar­ios of Russ­ian provo­ca­tion, a require­ment under inter­na­tion­al law.

    The oper­a­tion was described as long-term, tak­ing months to posi­tion the implants and requir­ing main­te­nance there­after. Under the rules of covert action, Obama’s sig­na­ture was all that was nec­es­sary to set the oper­a­tion in motion.

    U.S. intel­li­gence agen­cies do not need fur­ther approval from Trump, and offi­cials said that he would have to issue a coun­ter­mand­ing order to stop it. The offi­cials said that they have seen no indi­ca­tion that Trump has done so.

    Keep in mind that such a response from the US would be entire­ly pre­dictable if the Russ­ian gov­ern­ment real­ly did order this hack attack. Rus­sia would be at a height­ened risk for years or decades to come if Putin real­ly did order this attack and there’s no rea­son to assume that the Russ­ian gov­ern­ment would­n’t be well aware of this con­se­quence. So if Putin real­ly did order this hack he would have to have gone insane. That’s how stu­pid this attack was if Putin actu­al­ly ordered it. But accord­ing to a CIA spy in the Krem­lin, along with a ques­tion­able for­eign ally, that’s exact­ly what Putin did. Because he appar­ent­ly went insane and pre­emp­tive­ly launched a cyber­war know­ing full well how dev­as­tat­ing the long-term con­se­quences could be. Because he real­ly, real­ly, real­ly hates Hillary. That’s the nar­ra­tive we’re being giv­en.

    And now, any future attacks on US elections or the US electrical grid that can somehow be pinned on the Russians are going to trigger some sort of painful wave of retaliatory cyberbombs. Which, of course, will likely trigger a wave of counter-retaliatory cyberbombs in the US. And a full-scale cyberwar will be born and we’ll just have to hope it stays in the cyber domain. That’s where we are now based on a CIA spy in the Kremlin and an unnamed foreign intelligence agency.

    Posted by Pterrafractyl | June 23, 2017, 2:48 pm
  12. Here’s a pair of stories that are only tangentially related to the high profile 2016 DNC hacks and are really more a prelude to some yet-to-happen hacks of sensitive government data. It’s also exciting news for people who like to routinely scan the Amazon Cloud searching for servers left accidentally vulnerable to the public: The Amazon Cloud is joining IBM and Microsoft as one of three private companies available for hosting the US Department of Defense’s most sensitive unclassified data:

    NextGov

    Ama­zon Web Ser­vices Can Now Host the Defense Department’s Most Sen­si­tive Data

    By Frank Konkel
    Sep­tem­ber 13, 2017

    Ama­zon Web Ser­vices has a new mar­ket for its cloud com­put­ing, ana­lyt­ics, and stor­age ser­vices.

    This week, the Defense Depart­ment grant­ed the cloud com­put­ing giant a pro­vi­sion­al autho­riza­tion to host Impact Lev­el 5 work­loads, which are the mil­i­tary and Pentagon’s most sen­si­tive, unclas­si­fied infor­ma­tion.

    “This fur­ther bol­sters AWS as an indus­try leader in help­ing sup­port the DoD’s crit­i­cal mis­sion in pro­tect­ing our secu­ri­ty,” the com­pa­ny said in a state­ment. “The AWS ser­vices sup­port a vari­ety of DoD work­loads, includ­ing work­loads con­tain­ing sen­si­tive con­trolled unclas­si­fied infor­ma­tion and Nation­al Secu­ri­ty Sys­tems infor­ma­tion.”

    Already, DoD is using AWS to host sen­si­tive, mis­sion-crit­i­cal work­loads, includ­ing the oper­a­tional con­trol sys­tem for the Glob­al Posi­tion­ing Sys­tem. The pro­vi­sion­al autho­riza­tion allows mil­i­tary cus­tomers an eas­i­er route to use AWS for a vari­ety of oth­er IT ser­vices.

    In total, three commercial companies—AWS, IBM and Microsoft—are now able to host and store the military’s most sensitive unclassified data. While AWS has expanded its defense business, it remains the dominant cloud service provider in the intelligence community by virtue of its $600 million contract with the Central Intelligence Agency. AWS’ C2S cloud hosts classified information for the 17 intelligence agencies.

    ...

    ———-

    “Ama­zon Web Ser­vices Can Now Host the Defense Department’s Most Sen­si­tive Data” by Frank Konkel; NextGov; 09/13/2017

    “In total, three commercial companies—AWS, IBM and Microsoft—are now able to host and store the military’s most sensitive unclassified data. While AWS has expanded its defense business, it remains the dominant cloud service provider in the intelligence community by virtue of its $600 million contract with the Central Intelligence Agency. AWS’ C2S cloud hosts classified information for the 17 intelligence agencies.”

    Yep, Amazon Web Services (AWS) is already hosting classified information for 17 US intelligence agencies, led by a $600 million contract with the CIA. A contract that involved Amazon developing a completely separate cloud infrastructure with extra layers of security, including being completely separate from the rest of the internet and extra encryption.

    But it sounds like this recent rule change that allows for unclas­si­fied, but still high­ly sen­si­tive, data does­n’t involve that sep­a­rate extra secure cloud. It’s just the reg­u­lar Ama­zon AWS. What could pos­si­bly go wrong? Well, here’s a sto­ry from back in May star­ring Booz Allen Hamil­ton (Edward Snow­den’s brief employ­er) that’s a pret­ty good exam­ple of what could go wrong:

    Giz­mo­do

    Top Defense Con­trac­tor Left Sen­si­tive Pen­ta­gon Files on Ama­zon Serv­er With No Pass­word [Updat­ed]

    Dell Cameron
    5/31/17 9:40am

    Sen­si­tive files tied to a US mil­i­tary project were leaked by a mul­ti-bil­lion dol­lar firm once described as the world’s most prof­itable spy oper­a­tion, Giz­mo­do has con­firmed.

    A cache of more than 60,000 files was dis­cov­ered last week on a pub­licly acces­si­ble Ama­zon serv­er, includ­ing pass­words to a US gov­ern­ment sys­tem con­tain­ing sen­si­tive infor­ma­tion, and the secu­ri­ty cre­den­tials of a lead senior engi­neer at Booz Allen Hamil­ton, one of the nation’s top intel­li­gence and defense con­trac­tors. What’s more, the rough­ly 28GB of data con­tained at least a half dozen unen­crypt­ed pass­words belong­ing to gov­ern­ment con­trac­tors with Top Secret Facil­i­ty Clear­ance.

    The exposed cre­den­tials could poten­tial­ly grant their hold­ers fur­ther access to repos­i­to­ries hous­ing sim­i­lar­ly sen­si­tive gov­ern­ment data.

    Count­less ref­er­ences are made in the leaked files to the US Nation­al Geospa­tial-Intel­li­gence Agency (NGA), which in March award­ed Booz Allen an $86 mil­lion defense con­tract. Often referred to as the Pentagon’s “map­mak­ers,” the com­bat sup­port agency works along­side the Cen­tral Intel­li­gence Agency, the Nation­al Recon­nais­sance Office, and the Defense Intel­li­gence Agency to col­lect and ana­lyze geospa­tial data gath­ered by spy satel­lites and aer­i­al drones.

    The NGA on Tues­day con­firmed the leak to Giz­mo­do while stress­ing that no clas­si­fied infor­ma­tion had been dis­closed. “NGA takes the poten­tial dis­clo­sure of sen­si­tive but unclas­si­fied infor­ma­tion seri­ous­ly and imme­di­ate­ly revoked the affect­ed cre­den­tials,” an agency spokesper­son said. The Ama­zon serv­er from which the data was leaked was “not direct­ly con­nect­ed to clas­si­fied net­works,” the spokesper­son not­ed.

    UpGuard cyber risk ana­lyst Chris Vick­ery dis­cov­ered the Booz Allen serv­er last week while at his San­ta Rosa home run­ning a scan for pub­licly acces­si­ble s3 buck­ets (what Ama­zon calls its cloud stor­age devices). At first there was no rea­son to sus­pect it con­tained sen­si­tive mil­i­tary data. Typ­i­cal­ly, US gov­ern­ment servers host­ed by Ama­zon are seg­re­gat­ed into what’s called the Gov­Cloud—a “gat­ed com­mu­ni­ty” pro­tect­ed by advanced cryp­tog­ra­phy and phys­i­cal secu­ri­ty. Instead, the Booz Allen buck­et was found in region “US-East­‑1,” chiefly com­prised of pub­lic and com­mer­cial data.

    Yet the files bore some hallmarks of a government project. First, Vickery spotted the public and private SSH keys of a Booz Allen employee, identified by his LinkedIn page as a lead senior engineer in Virginia—also home to the NGA’s Fort Belvoir campus. “Exposing a private key belonging to a Booz Allen IT engineer is potentially catastrophic for malicious intrusion possibilities,” he said.

    SSH keys employ what’s called pub­lic-key cryp­tog­ra­phy and chal­lenge-response authen­ti­ca­tion. Essen­tial­ly, Booz Allen stores sen­si­tive data in the cloud, and before the engi­neer can access it, his pri­vate key must pair suc­cess­ful­ly with a pub­lic key on Booz Allen’s serv­er. This pro­to­col only real­ly works, how­ev­er, so long as the employee’s pri­vate key remains a secret.

    “Booz Allen takes any alle­ga­tion of a data breach very seri­ous­ly, and prompt­ly began an inves­ti­ga­tion into the acces­si­bil­i­ty of cer­tain secu­ri­ty keys in a cloud envi­ron­ment,” a Booz Allen spokesman told Giz­mo­do on Tues­day. “We secured those keys, and are con­tin­u­ing with a detailed foren­sic inves­ti­ga­tion. As of now, we have found no evi­dence that any clas­si­fied infor­ma­tion has been com­pro­mised as a result of this mat­ter.”

    Mark Zaid, a Wash­ing­ton lawyer who spe­cial­izes in nation­al secu­ri­ty cas­es, said the inci­dent is like­ly to dredge up bad mem­o­ries of the com­pa­ny. “The first thing that jumps to mind,” he said, is “Oh, no. It’s Booz Allen again.”
    Zaid was refer­ring to Edward Snow­den, the for­mer NSA con­trac­tor who worked for Booz Allen when he fled to Hong Kong in 2013 with a trove of clas­si­fied mate­r­i­al. Anoth­er of the firm’s employ­ees, Harold Mar­tin III, was arrest­ed last year and charged under the Espi­onage Act after fed­er­al agents dis­cov­ered over 50 ter­abytes of clas­si­fied data in his res­i­dence, the trunk of his car and in an unlocked out­door shed.

    “Obvi­ous­ly, Booz Allen is a large com­pa­ny and a well-respect­ed defense con­trac­tor,” Zaid added. “And none of these cas­es are nec­es­sar­i­ly relat­ed to one anoth­er. But it still rais­es some real seri­ous con­cerns about what’s going on with Booz Allen’s secu­ri­ty pro­to­cols.”

    In addi­tion to keys, the Booz Allen serv­er con­tained mas­ter cre­den­tials to a dat­a­cen­ter oper­at­ing system—and oth­ers used to access the GEOAx­IS authen­ti­ca­tion por­tal, a pro­tect­ed Pen­ta­gon sys­tem that usu­al­ly requires an ID card and spe­cial com­put­er to use. Yet anoth­er file con­tained the login cre­den­tials of a sep­a­rate Ama­zon buck­et, the con­tents of which remain a mys­tery; there’s no way to ver­i­fy the con­tents legal­ly since the buck­et is secured by a pass­word, and thus not open to the pub­lic.

    More­over, a cat­e­go­riza­tion script found in one of the Booz Allen files indi­cates the sys­tem under con­struc­tion is at least designed to han­dle clas­si­fied infor­ma­tion. And while Vick­ery didn’t real­ize its sig­nif­i­cance at the time, the leaked files also appear con­nect­ed to a third serv­er he found open last month.

    In April, he dis­cov­ered an Ama­zon buck­et with no pass­word con­tain­ing a review of what he now believes is the same NGA sys­tem. An “appli­ca­tion secu­ri­ty risk assess­ment,” car­ried out using HP soft­ware called For­ti­fy, detailed 3039 issues with­in the program’s source code (only 7 were described as crit­i­cal). “I’m read­ing the report,” he says, “and the code snip­pets line up with code from the sec­ond buck­et.”

    The mission of UpGuard’s Cyber Risk Team is to locate and secure leaked sensitive records, so Vickery’s first email on Wednesday was to Joe Mahaffee, Booz Allen’s chief information security officer. But after receiving no immediate response, he went directly to the agency. “I emailed the NGA at 10:33am on Thursday. Public access to the leak was cut off nine minutes later,” he said.

    “You can have fan­tas­tic cyber­se­cu­ri­ty, but if you’re using IT sys­tems to share infor­ma­tion with a part­ner whose cyber­se­cu­ri­ty isn’t up to snuff, then your pro­tec­tion mea­sures don’t mean very much,” says Paulo Shakar­i­an, a cyber­se­cu­ri­ty fel­low at the Wash­ing­ton think-tank New Amer­i­ca. The big unre­solved ques­tion, he says, is whether Booz Allen had prop­er secu­ri­ty pro­to­cols in place for its con­trac­tors work­ing on the NGA project. “And like­wise, what has NGA done to ensure that the prop­er pro­tec­tive mea­sures were in place.”

    NGA informed Giz­mo­do that it was still eval­u­at­ing the inci­dent and had yet to deter­mine a prop­er course of action. “It’s impor­tant to note that a mis­con­fig­u­ra­tion, prop­er­ly report­ed and addressed, does not dis­qual­i­fy indus­try part­ners from doing busi­ness with NGA,” the agency said, adding that it reserves the right to “address any vio­la­tions or pat­terns of non-com­pli­ance appro­pri­ate­ly.”

    ...

    Update: June 1st, 6:04pm ET: Booz Allen Hamil­ton sent Giz­mo­do the fol­low­ing state­ment:

    Both our client and Booz Allen have con­firmed that no clas­si­fied data was avail­able on the impact­ed unclas­si­fied cloud envi­ron­ments. And we have con­firmed that none of those user­names and pass­words could have been used to access clas­si­fied infor­ma­tion. This appears to be a case in which an employ­ee unin­ten­tion­al­ly left a key with­in an unclas­si­fied cloud envi­ron­ment where mul­ti­ple users can devel­op soft­ware in an open envi­ron­ment. As soon as we learned of this mis­take, we took action to secure the areas and alert­ed our client and began an inves­ti­ga­tion. Again, the impor­tant point here is that the affect­ed cloud areas were not designed to con­tain any clas­si­fied infor­ma­tion. Our client has said they’ve found no evi­dence that clas­si­fied data was involved, and so far our foren­sics have indi­cat­ed the same. While any inci­dent of this nature is unac­cept­able and we hope to learn from it, so far we see this event as hav­ing lim­it­ed impact.

    ———-

    “Top Defense Con­trac­tor Left Sen­si­tive Pen­ta­gon Files on Ama­zon Serv­er With No Pass­word [Updat­ed]” by Dell Cameron; Giz­mo­do; 05/31/17

    “UpGuard cyber risk analyst Chris Vickery discovered the Booz Allen server last week while at his Santa Rosa home running a scan for publicly accessible s3 buckets (what Amazon calls its cloud storage devices). At first there was no reason to suspect it contained sensitive military data. Typically, US government servers hosted by Amazon are segregated into what’s called the GovCloud—a “gated community” protected by advanced cryptography and physical security. Instead, the Booz Allen bucket was found in region “US-East‑1,” chiefly comprised of public and commercial data.”

    Fun times ahead for all the peo­ple who rou­tine­ly scan pub­licly acces­si­ble AWS “buck­ets” for vul­ner­a­bil­i­ties. You just might stum­ble upon unpro­tect­ed files from the US Nation­al Geospa­tial-Intel­li­gence Agency (NGA). Or maybe you’ll find a bunch of pass­words and pri­vate SSH keys that will allow you to break into oth­er sen­si­tive sys­tems:

    ...
    Yet the files bore some hall­marks of a gov­ern­ment project. First, Vick­ery spot­ted the pub­lic and pri­vate SSH keys of a Booz Allen employ­ee, iden­ti­fied by his LinkedIn page as a lead senior engi­neer in Virginia—also home to the NGA’s Fort Belvoir cam­pus. “Expos­ing a pri­vate key belong­ing to a Booz Allen IT engi­neer is poten­tial­ly cat­a­stroph­ic for mali­cious intru­sion possibilities,”he said.

    SSH keys employ what’s called pub­lic-key cryp­tog­ra­phy and chal­lenge-response authen­ti­ca­tion. Essen­tial­ly, Booz Allen stores sen­si­tive data in the cloud, and before the engi­neer can access it, his pri­vate key must pair suc­cess­ful­ly with a pub­lic key on Booz Allen’s serv­er. This pro­to­col only real­ly works, how­ev­er, so long as the employee’s pri­vate key remains a secret.
    ...

    And maybe you’ll even find files asso­ci­at­ed with a vul­ner­a­ble “buck­et” you dis­cov­ered months ear­li­er:

    ...
    More­over, a cat­e­go­riza­tion script found in one of the Booz Allen files indi­cates the sys­tem under con­struc­tion is at least designed to han­dle clas­si­fied infor­ma­tion. And while Vick­ery didn’t real­ize its sig­nif­i­cance at the time, the leaked files also appear con­nect­ed to a third serv­er he found open last month.

    In April, he dis­cov­ered an Ama­zon buck­et with no pass­word con­tain­ing a review of what he now believes is the same NGA sys­tem. An “appli­ca­tion secu­ri­ty risk assess­ment,” car­ried out using HP soft­ware called For­ti­fy, detailed 3039 issues with­in the program’s source code (only 7 were described as crit­i­cal). “I’m read­ing the report,” he says, “and the code snip­pets line up with code from the sec­ond buck­et.”
    ...

    Yes, this same secu­ri­ty ana­lyst dis­cov­ered an Ama­zon buck­et months ear­li­er with no pass­word con­tain­ing an “appli­ca­tion secu­ri­ty risk assess­ment” reveal­ing soft­ware vul­ner­a­bil­i­ties. And the ana­lyst is pret­ty sure that the appli­ca­tion secu­ri­ty risk assess­ment was an assess­ment for the same sys­tem that was being devel­oped on the vul­ner­a­ble buck­et he dis­cov­ered back in May. And it appears to be a sys­tem designed to han­dle clas­si­fied infor­ma­tion.

    So while this pub­licly avail­able Ama­zon buck­et did­n’t con­tain clas­si­fied infor­ma­tion, it did appear to be the devel­op­ment envi­ron­ment for a sys­tem designed to han­dle clas­si­fied infor­ma­tion. And that’s a sto­ry from months before the DoD grant­ed Ama­zon a pro­vi­sion­al autho­riza­tion to host Impact Lev­el 5 work­loads, the mil­i­tary and Pentagon’s most sen­si­tive, unclas­si­fied infor­ma­tion, on its cloud.

    And that all means we should get ready for lots of fun future sto­ries about how a bunch of sen­si­tive data was stolen off a pub­licly acces­si­ble Ama­zon web serv­er used by a nation­al secu­ri­ty con­trac­tor fol­lowed up with a bunch of assur­ances that no one should wor­ry because it was just unclas­si­fied data that was stolen.

    Posted by Pterrafractyl | September 19, 2017, 2:53 pm
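    The two failures in the Booz Allen story above, a bucket readable by anyone and a developer's private key sitting inside it, are both things a defender can check for before a shared development bucket is ever exposed. The following is an added example (not code from Gizmodo, UpGuard or Booz Allen): the ACL dict is assumed to follow the shape that boto3's get_bucket_acl() returns, the public-group URIs are the ones S3 uses for "everyone" and "any AWS account", and all sample data (the ACL, the object listing, the AWS documentation placeholder key IDs) is constructed for the demo.

```python
"""Two checks a defender runs against a shared cloud bucket: (1) does the
bucket ACL grant anything to the public groups, and (2) do any objects
contain private keys or cloud credentials?

Added example. The ACL dict mirrors the shape boto3's get_bucket_acl()
returns; every sample value below is constructed for this demo.
"""
import re
from dataclasses import dataclass

# Grantee URIs Amazon S3 uses for "everyone" and "any AWS account".
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Patterns for secrets that should never sit in a shared dev bucket.
SECRET_PATTERNS = {
    "pem_private_key": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"aws_secret_access_key\s*[=:]\s*['\"]?[A-Za-z0-9/+=]{40}",
        re.IGNORECASE),
}


@dataclass(frozen=True)
class Finding:
    key: str    # object key inside the bucket
    kind: str   # which SECRET_PATTERNS entry matched
    line: int   # 1-based line number within the object


def public_grants(acl):
    """Return (group, permission) pairs the ACL hands to public groups."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            found.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return found


def scan_object(key, text):
    """Scan one object's text line by line; report each secret pattern hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append(Finding(key, kind, lineno))
    return findings


def triage(acl, objects):
    """Combine both checks. `objects` maps object keys to their text content."""
    grants = public_grants(acl)
    secrets = [f for key, body in objects.items() for f in scan_object(key, body)]
    return {
        "public_grants": grants,
        "secrets": secrets,
        # Worst case: secrets inside a bucket anyone can read.
        "exposed": bool(grants) and bool(secrets),
    }


# Constructed sample: a bucket that is world-readable ...
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

# ... holding a dev tree in which someone left a key and a credentials file.
# The key IDs are AWS's published documentation placeholders, not live keys.
SAMPLE_OBJECTS = {
    "dev/README.md": "Build instructions for the demo service.\n",
    "dev/.ssh/id_rsa": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "(constructed placeholder: key material omitted)\n"
        "-----END OPENSSH PRIVATE KEY-----\n"),
    "dev/.aws/credentials": (
        "[default]\n"
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"),
}

if __name__ == "__main__":
    result = triage(SAMPLE_ACL, SAMPLE_OBJECTS)
    for group, perm in result["public_grants"]:
        print(f"ACL grants {perm} to {group}")
    for f in result["secrets"]:
        print(f"{f.key}:{f.line}: {f.kind}")
    print("EXPOSED" if result["exposed"] else "ok")
```

    Against live infrastructure the two inputs would come from get_bucket_acl() and from reading each listed object, and the point of running both together is the "exposed" verdict: a public ACL on a bucket with nothing sensitive in it is a finding to fix, but a public ACL plus a private key is the incident described in the article, and the key has to be treated as compromised and rotated regardless of whether anyone is known to have downloaded it.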
  13. Here’s a pair of stories that, at best, are a reminder of the potential for algorithms and AI systems to acquire the hate and bigotry of their human creators. And, at worst, are a reminder that the potential for algorithms and AI systems to acquire the hate and bigotry of their human creators might be a great excuse for companies like Facebook to push a far-right agenda and just go “oops!” when they get caught.

    The second article is also a reminder of what we witnessed following the hack of the French election: that the US and Europe remain dangerously hyperfocused on the potential for Russian election meddling to the exclusion of almost any other force on the world stage (like the far-right movements that exist in every country on the planet and clearly want to meddle in elections).

    But first, check out the advertising categories Facebook’s algorithms auto-generated:

    ProPublica

    Facebook Enabled Advertisers to Reach ‘Jew Haters’
    After being contacted by ProPublica, Facebook removed several anti-Semitic ad categories and promised to improve monitoring.

    by Julia Angwin, Madeleine Varner and Ariana Tobin
    Sept. 14, 4 p.m. EDT

    Want to market Nazi memorabilia, or recruit marchers for a far-right rally? Facebook’s self-service ad-buying platform had the right audience for you.

    Until this week, when we asked Facebook about it, the world’s largest social network enabled advertisers to direct their pitches to the news feeds of almost 2,300 people who expressed interest in the topics of “Jew hater,” “How to burn jews,” or, “History of ‘why jews ruin the world.’”

    To test if these ad categories were real, we paid $30 to target those groups with three “promoted posts” — in which a ProPublica article or post was displayed in their news feeds. Facebook approved all three ads within 15 minutes.

    After we contacted Facebook, it removed the anti-Semitic categories — which were created by an algorithm rather than by people — and said it would explore ways to fix the problem, such as limiting the number of categories available or scrutinizing them before they are displayed to buyers.

    “There are times where content is surfaced on our platform that violates our standards,” said Rob Leathern, product management director at Facebook. “In this case, we’ve removed the associated targeting fields in question. We know we have more work to do, so we’re also building new guardrails in our product and review processes to prevent other issues like this from happening in the future.”

    Facebook’s advertising has become a focus of national attention since it disclosed last week that it had discovered $100,000 worth of ads placed during the 2016 presidential election season by “inauthentic” accounts that appeared to be affiliated with Russia.

    Like many tech companies, Facebook has long taken a hands-off approach to its advertising business. Unlike traditional media companies that select the audiences they offer advertisers, Facebook generates its ad categories automatically based both on what users explicitly share with Facebook and what they implicitly convey through their online activity.

    Traditionally, tech companies have contended that it’s not their role to censor the Internet or to discourage legitimate political expression. In the wake of the violent protests in Charlottesville by right-wing groups that included self-described Nazis, Facebook and other tech companies vowed to strengthen their monitoring of hate speech.

    Facebook CEO Mark Zuckerberg wrote at the time that “there is no place for hate in our community,” and pledged to keep a closer eye on hateful posts and threats of violence on Facebook. “It’s a disgrace that we still need to say that neo-Nazis and white supremacists are wrong — as if this is somehow not obvious,” he wrote.

    But Facebook apparently did not intensify its scrutiny of its ad buying platform. In all likelihood, the ad categories that we spotted were automatically generated because people had listed those anti-Semitic themes on their Facebook profiles as an interest, an employer or a “field of study.” Facebook’s algorithm automatically transforms people’s declared interests into advertising categories.

    Here is a screenshot of our ad buying process on the company’s advertising portal:
    [see screenshot]

    This is not the first controversy over Facebook’s ad categories. Last year, ProPublica was able to block an ad that we bought in Facebook’s housing categories from being shown to African-Americans, Hispanics and Asian-Americans, raising the question of whether such ad targeting violated laws against discrimination in housing advertising. After ProPublica’s article appeared, Facebook built a system that it said would prevent such ads from being approved.

    Last year, ProPublica also collected a list of the advertising categories Facebook was providing to advertisers. We downloaded more than 29,000 ad categories from Facebook’s ad system — and found categories ranging from an interest in “Hungarian sausages” to “People in households that have an estimated household income of between $100K and $125K.”

    At that time, we did not find any anti-Semitic categories, but we do not know if we captured all of Facebook’s possible ad categories, or if these categories were added later. A Facebook spokesman didn’t respond to a question about when the categories were introduced.

    Last week, acting on a tip, we logged into Facebook’s automated ad system to see if “Jew hater” was really an ad category. We found it, but discovered that the category — with only 2,274 people in it — was too small for Facebook to allow us to buy an ad pegged only to Jew haters.

    Facebook’s automated system suggested “Second Amendment” as an additional category that would boost our audience size to 119,000 people, presumably because its system had correlated gun enthusiasts with anti-Semites.

    Instead, we chose additional categories that popped up when we typed in “jew h”: “How to burn Jews,” and “History of ‘why jews ruin the world.’” Then we added a category that Facebook suggested when we typed in “Hitler”: a category called “Hitler did nothing wrong.” All were described as “fields of study.”

    These ad categories were tiny. Only two people were listed as the audience size for “how to burn jews,” and just one for “History of ‘why jews ruin the world.’” Another 15 people comprised the viewership for “Hitler did nothing wrong.”

    Facebook’s automated system told us that we still didn’t have a large enough audience to make a purchase. So we added “German Schutzstaffel,” commonly known as the Nazi SS, and the “Nazi Party,” which were both described to advertisers as groups of “employers.” Their audiences were larger: 3,194 for the SS and 2,449 for Nazi Party.

    Still, Facebook said we needed more — so we added people with an interest in the National Democratic Party of Germany, a far-right, ultranationalist political party, with its much larger viewership of 194,600.

    Once we had our audience, we submitted our ad — which promoted an unrelated ProPublica news article. Within 15 minutes, Facebook approved our ad, with one change. In its approval screen, Facebook described the ad targeting category “Jew hater” as “Antysemityzm,” the Polish word for anti-Semitism. Just to make sure it was referring to the same category, we bought two additional ads using the term “Jew hater” in combination with other terms. Both times, Facebook changed the ad targeting category “Jew hater” to “Antisemityzm” in its approval.

    Here is one of our approved ads from Facebook:
    [see screenshot]

    A few days later, Facebook sent us the results of our campaigns. Our three ads reached 5,897 people, generating 101 clicks, and 13 “engagements” — which could be a “like,” a “share” or a comment on a post.

    Since we contacted Facebook, most of the anti-Semitic categories have disappeared.

    Facebook spokesman Joe Osborne said that they didn’t appear to have been widely used. “We have looked at the use of these audiences and campaigns and it’s not common or widespread,” he said.

    ...

    ———-

    “Facebook Enabled Advertisers to Reach ‘Jew Haters’” by Julia Angwin, Madeleine Varner and Ariana Tobin; ProPublica; 09/14/2017

    “To test if these ad categories were real, we paid $30 to target those groups with three “promoted posts” — in which a ProPublica article or post was displayed in their news feeds. Facebook approved all three ads within 15 minutes.”

    $30 to advertise to Facebook’s “Jew Haters”. And it was approved in 15 minutes. But it wasn’t just the “Jew Haters” targeted with this $30 ad buy, because there weren’t enough of them to meet the minimum number of people Facebook requires for these kinds of purchases. So other categories had to be added. Categories apparently generated automatically based on user activity:

    ...
    After we contacted Facebook, it removed the anti-Semitic categories — which were created by an algorithm rather than by people — and said it would explore ways to fix the problem, such as limiting the number of categories available or scrutinizing them before they are displayed to buyers.
    ...

    And it wasn’t until ProPublica added the category for Germany’s neo-Nazi National Democratic Party (NPD) that they finally had enough people in their collection of hate categories to meet the minimum number of target Facebook users required for the ad buy to be placed:

    ...
    Last week, acting on a tip, we logged into Facebook’s automated ad system to see if “Jew hater” was really an ad category. We found it, but discovered that the category — with only 2,274 people in it — was too small for Facebook to allow us to buy an ad pegged only to Jew haters.

    Facebook’s automated system suggested “Second Amendment” as an additional category that would boost our audience size to 119,000 people, presumably because its system had correlated gun enthusiasts with anti-Semites.

    Instead, we chose additional categories that popped up when we typed in “jew h”: “How to burn Jews,” and “History of ‘why jews ruin the world.’” Then we added a category that Facebook suggested when we typed in “Hitler”: a category called “Hitler did nothing wrong.” All were described as “fields of study.”

    These ad categories were tiny. Only two people were listed as the audience size for “how to burn jews,” and just one for “History of ‘why jews ruin the world.’” Another 15 people comprised the viewership for “Hitler did nothing wrong.”

    Facebook’s automated system told us that we still didn’t have a large enough audience to make a purchase. So we added “German Schutzstaffel,” commonly known as the Nazi SS, and the “Nazi Party,” which were both described to advertisers as groups of “employers.” Their audiences were larger: 3,194 for the SS and 2,449 for Nazi Party.

    Still, Facebook said we needed more — so we added people with an interest in the National Democratic Party of Germany, a far-right, ultranationalist political party, with its much larger viewership of 194,600.
    ...

    “Still, Facebook said we needed more — so we added people with an interest in the National Democratic Party of Germany, a far-right, ultranationalist political party, with its much larger viewership of 194,600.”

    In a way it’s at least a little relieving that categories like “Hitler did nothing wrong” only had 15 users Facebook identified as a target audience for that category. It could be worse! Like, say, 194,600 users, which is the number of people in the NPD target audience. But it’s also pretty disturbing that Facebook made it so cheap and easy to target this global hate audience.

    And, again, at best this really was just an algorithmic ‘oops’ but we can’t rule out the possibility that a corporate giant like Facebook, which has the far-right figurehead Peter Thiel on its board, is quietly trying to capture and foster far-right audiences.

    But according to Facebook this was all an innocent mistake. Let’s hope so. And let’s also hope the sudden discovery that Facebook in Germany has been prioritizing far-right political parties like the AfD when people do a search for political discussions was also just an innocent mistake. As the following article notes, it’s one of the many discoveries about the role the ‘Alt-Right’ is playing in Germany’s current elections, and it’s a role that doesn’t appear to include a Kremlin counterpart, despite widespread fears that all sorts of Russian dirty tricks were inevitably going to be injected into the race. But as far as observers can tell, it’s just the ‘Alt-Right’ that’s flooding German social media sites with far-right messages, and it specifically appears to be American ‘Alt-Right’ people doing this. Apparently with the help of another Facebook pro-far-right ‘whoops! How did that happen?’:

    USA Today

    There is meddling in Germany’s election — not by Russia, but by U.S. right wing

    Kim Hjelmgaard, Published 11:31 a.m. ET Sept. 20, 2017

    Less than a week before Sunday’s vote that is likely to hand German Chancellor Angela Merkel a fourth term, evidence of anticipated Russian meddling has yet to materialize, but U.S. right-wing groups have interfered, according to German researchers.

    “So far we have not been able to track down any specific Russian activity,” said Simon Hegelich, a professor of political science data at the Technical University of Munich who has advised the German government about the threat of hacking and fake news.

    Instead, Hegelich and others point to an alliance of mostly anonymous online trolls and extremist agitators who are disseminating right-wing materials through YouTube; messaging board sites like 4chan and reddit; and Gab.ai, a texting service.

    “A lot of the stuff we are seeing in Germany can be linked to, or is at least inspired by, the ‘alt-right’ movement in the U.S.,” Hegelich said, referring to a loosely defined group whose far-right ideology includes racism, populism and white nationalism.

    He said proving connections among sympathizers is extremely difficult and may never be conclusive. But an analysis of 300 million tweets over the past six months by Hegelich and researchers at the Technical University of Munich shows Germany is a hotspot for posts that use the hashtag “#AltRight.”

    Many denigrate both leading candidates — Merkel and her conservative Christian Democratic Union party, and her chief rival, Martin Schulz of the left-of-center Social Democratic Party — with the hashtags #Merkel and #Schulz.

    And many of those posts originate in the U.S., adding to the impression that right-wing social media users in both countries may be trying to sway German public opinion. It’s possible that some of this alt-right messaging coming out of the U.S. may be connected to Russian interference; that, too, is difficult to determine, Hegelich said.

    “There will never be an election again in which trolling, hacking and extreme far-right politics do not play a role,” Andrew Auernheimer, a hacker and blogger for the U.S. neo-Nazi Daily Stormer website, wrote after Donald Trump’s election victory last year.

    The Daily Stormer has been available intermittently since August after major technology firms including Google forced the site offline for comments about the death of Heather Heyer by an alt-right protester in Charlottesville, Va. Nevertheless, the website continues to publish commentaries about the German election.

    “There is essentially no chance that the AfD (Alternative for Germany party) can win this election,” Adrian Sol wrote Sunday on the site, referring to Germany’s far-right anti-immigration and anti-European Union party.

    “However, if they can keep putting pressure on the establishment and change the narrative, (there) may be hope yet that Germany can some day be saved.”

    A report published Wednesday by Hope Not Hate, a British anti-racism watchdog, concluded that the alt-right movement has “breathed life and youth back into formerly declining and dormant parts of the European extreme right.”

    The report, based on an undercover investigation of far-right figureheads, found that extremist individuals, organizations, websites and forums on both sides of the Atlantic are increasingly engaging with each another and “weaponizing” the Internet.

    Sandro Gaycken, the founder and director of the Berlin-based Digital Society Institute, said right-wing voices are trying to infiltrate conversations about the German election on Facebook and other social media platforms.

    One example: Gaycken said for the past two months, new and existing Facebook users in Germany who search for political discussion groups on the social media platform have been automatically given recommendations that prioritize right-wing parties such as AfD, expected to enter the country’s national parliament for the first time after Sunday’s vote.

    “It’s really strange because Facebook says this should be impossible because you are only supposed to get recommendations based on your own ‘friends,’ ‘groups’ and ‘likes.’ But everyone in Germany is getting these right-wing party recommendations,” he said.

    “Even left-wing journalists.”

    In a statement, Facebook said it was aware of the issue reported in Germany and that it was related to its “Groups Discover” feature, and that it has now temporarily turned off the category “news and politics” in the “Discover” tab while it investigates the matter.

    Facebook said it was also examining the accounts of apparently fake users who purchased Facebook ads during the U.S. election. These accounts were subsequently linked to the pro-Kremlin troll farm known as the Internet Research Agency. Facebook said that it has not yet uncovered similar ad purchases related to the German vote.

    “We haven’t seen any trace of the Russians, just right-wingers,” Gaycken added.

    According to polls published by German media Sunday, Merkel’s party is projected to win 36% of the vote, well ahead of Schulz’s SPD on 22%. AfD is forecast to come in third, with 11%. If Merkel wins, she could forge ahead with plans to pursue closer political and economic union with EU members, a policy as deeply unpopular with AfD’s supporters as her decision to open Germany’s borders to 1 million refugees since 2015.

    Germany’s vulnerability to political hackers, Internet trolls and bots linked to Russia is hard to gauge. Plus, there may not be much point doing so, according to Mark Galeotti, who runs the Center for European Security, a research institute in Prague.

    “There is no ‘pro-Putin’ candidate,” he said.

    “Any interference would be unlikely to have any substantive impact on the election result and only harden Germany’s position against Moscow.”

    Merkel has nevertheless sought to blunt potential Russian interference through aggressive public information campaigns, by establishing additional cybersecurity agencies and strategies and by ushering in the Network Enforcement Act, a law that, come this October, will fine social media companies up to $57 million if they do not remove hate speech, defamation and incitements to violence within 24 hours.

    German political parties also pledged not to use social bots in the election campaign, and independent media monitoring organizations such as Correctiv, which debunk fake news and call out disinformation, have been established recently.

    The government has insisted the software used to tabulate votes — paper ballots are hand-counted and then passed to regional authorities — is secure despite a study published Sept. 7 by the Chaos Computer Club, a German technology watchdog, showing the system’s encryption method was outdated and vulnerable to manipulation.

    But what may seem like a lack of interest from Moscow may just be a sign of success.

    “I think there is more Russian activity than meets the eye,” said Joerg Forbrig, a Berlin-based political affairs expert at the German Marshall Fund of the United States, a public policy think tank whose Alliance for Securing Democracy unit built an online tool that tracks Russian propaganda and disinformation efforts. Its “Hamilton 68” dashboard analyzes about 600 Twitter accounts directly controlled by Russia, by users who promote Russian themes, and by users and topics Russia seeks to discredit or attack.

    “In the past we have seen a very systematic and skilled outreach program into Germany’s Russian-speaking population. This was first tested in state elections in Berlin last September. In those areas where there are very high numbers of Russian speakers living in Berlin, the AfD’s vote share was up to 35%,” Forbrig said.

    He said these campaigns involved circulating posters and leaflets with messages that were inimical to the German government’s position on Russian sanctions or NATO.

    Forbrig said there could be forms of Russian support for the AfD not yet recognized.

    The Alliance for Securing Democracy has concluded that Russia has meddled in the affairs of at least 27 European and North American countries since 2004 with interference that ranges from cyberattacks to disinformation campaigns.

    In 2015, a Russian-intelligence-linked hacking group called Fancy Bear stole data from German parliamentarians, including Merkel. This data has yet to be released to the public. Fancy Bear is the same group thought to be behind the hacks of the Democratic National Committee in the run up to the U.S. election. Moscow repeatedly has dismissed allegations it intervenes in elections as anti-Russian propaganda.

    Still, Forbrig added the German election may be less susceptible to outside influence for three reasons: Voters watched alleged Russian meddling take place in the U.S. and French elections, which has led to high levels of awareness; Germany’s multi-party electoral system makes it more difficult to predict how messages and information targeted at one group might impact others; and Germany’s media is, Forbrig said, generally more “balanced and calm” and lacks “shrill voices” compared to its counterparts elsewhere. Further, its media is still viewed as a trusted source of information — not always the case in President Trump’s Washington.

    ...

    ———–

    “There is med­dling in Ger­many’s elec­tion — not by Rus­sia, but by U.S. right wing” by Kim Hjelm­gaard; USA Today; 09/20/2017

    ““So far we have not been able to track down any spe­cif­ic Russ­ian activ­i­ty,” said Simon Hegelich,” a pro­fes­sor of polit­i­cal sci­ence data at the Tech­ni­cal Uni­ver­si­ty of Munich who has advised the Ger­man gov­ern­ment about the threat of hack­ing and fake news.”

    No Russ­ian nefar­i­ous­ness to be find. Phew! Oh wait:

    ...
    Instead, Hegelich and oth­ers point to an alliance of most­ly anony­mous online trolls and extrem­ist agi­ta­tors who are dis­sem­i­nat­ing right-wing mate­ri­als through YouTube; mes­sag­ing board sites like 4chan and red­dit; and Gab.ai, a tex­ting ser­vice.

    “A lot of the stuff we are see­ing in Ger­many can be linked to, or is at least inspired by, the ‘alt-right’ move­ment in the U.S.,” Hegelich said, refer­ring to a loose­ly defined group whose far-right ide­ol­o­gy includes racism, pop­ulism and white nation­al­ism.

    He said prov­ing con­nec­tions among sym­pa­thiz­ers is extreme­ly dif­fi­cult and may nev­er be con­clu­sive. But an analy­sis of 300 mil­lion tweets over the past six months by Hegelich and researchers at the Tech­ni­cal Uni­ver­si­ty of Munich shows Ger­many is a hotspot for posts that use the hash­tag “#AltRight.”

    Many den­i­grate both lead­ing can­di­dates — Merkel and her con­ser­v­a­tive Chris­t­ian Demo­c­ra­t­ic Union par­ty, and her chief rival, Mar­tin Schulz of the left-of-cen­ter Social Demo­c­ra­t­ic Par­ty — with the hash­tags #Merkel and #Schulz.

    And many of those posts orig­i­nate in the U.S., adding to the impres­sion that right-wing social media users in both coun­tries may be try­ing to sway Ger­man pub­lic opin­ion. It’s pos­si­ble that some of this alt-right mes­sag­ing com­ing out of the U.S. may be con­nect­ed to Russ­ian inter­fer­ence; that, too, is dif­fi­cult to deter­mine, Hegelich said.
    ...

    Yep, the Alt-Right does­n’t need the Krem­lin’s troll farm to get its mes­sage out. The ‘Alt-Right’ is a troll farm. A vir­tu­al troll farm that has its sites set on ensur­ing the AfD and oth­er far-right par­ties do as well as pos­si­ble.

    And this vir­tu­al troll farm has had some big help appar­ent­ly. From Face­book of course:

    ...
    San­dro Gay­ck­en, the founder and direc­tor of the Berlin-based Dig­i­tal Soci­ety Insti­tute, said right-wing voic­es are try­ing to infil­trate con­ver­sa­tions about the Ger­man elec­tion on Face­book and oth­er social media plat­forms.

    One exam­ple: Gay­ck­en said for the past two months, new and exist­ing Face­book users in Ger­many who search for polit­i­cal dis­cus­sion groups on the social media plat­form have been auto­mat­i­cal­ly giv­en rec­om­men­da­tions that pri­or­i­tize right-wing par­ties such as AfD, expect­ed to enter the coun­try’s nation­al par­lia­ment for the first time after Sun­day’s vote.

    “It’s real­ly strange because Face­book says this should be impos­si­ble because you are only sup­posed to get rec­om­men­da­tions based on your own ‘friends,’ ‘groups’ and ‘likes.’ But every­one in Ger­many is get­ting these right-wing par­ty rec­om­men­da­tions,” he said.

    “Even left-wing jour­nal­ists.”

    In a state­ment, Face­book said it was aware of the issue report­ed in Ger­many and that it was relat­ed to its “Groups Dis­cov­er” fea­ture, and that it has now tem­porar­i­ly turned off the cat­e­go­ry “news and pol­i­tics” in the “Dis­cov­er” tab while it inves­ti­gates the mat­ter.

    Face­book said it was also exam­in­ing the accounts of appar­ent­ly fake users who pur­chased Face­book ads dur­ing the U.S. elec­tion. These accounts were sub­se­quent­ly linked to the pro-Krem­lin troll farm known as the Inter­net Research Agency. Face­book said that it has not yet uncov­ered sim­i­lar ad pur­chas­es relat­ed to the Ger­man vote.

    “We haven’t seen any trace of the Rus­sians, just right-wingers,” Gay­ck­en added.
    ...

    ““It’s really strange because Facebook says this should be impossible because you are only supposed to get recommendations based on your own ‘friends,’ ‘groups’ and ‘likes.’ But everyone in Germany is getting these right-wing party recommendations,” he said.”

    Everyone in Germany is getting right-wing parties recommended to them on Facebook. And apparently this is only the case for right-wing parties. Another algorithmic ‘oops!’? Is the virtual troll farm somehow gaming the system? Or is Facebook actually quietly trying to use its immense power to promote the far-right? It’s a question we’re once again forced to ask.

    Another thing we should keep in mind related to the Bundestag hack of 2015 as an example of a high profile political hack from Russia that Germany has already had to deal with:

    ...
    In 2015, a Russian-intelligence-linked hacking group called Fancy Bear stole data from German parliamentarians, including Merkel. This data has yet to be released to the public. Fancy Bear is the same group thought to be behind the hacks of the Democratic National Committee in the run up to the U.S. election. Moscow repeatedly has dismissed allegations it intervenes in elections as anti-Russian propaganda.
    ...

    That 2015 hack isn’t just related to the DNC hack because Fancy Bear was attributed with the hack in both cases. They’re also related by the fact that the same command and control server was used in both hacks. And we know this because both hacks utilized unencrypted malware that inexplicably hard coded the I.P. address of the command and control server and that command and control server was apparently utilizing a version of OpenSSL that would have made it vulnerable to the Heartbleed attack. In other words, that command and control server that was used for both the Bundestag hack of 2015 and DNC hack of 2016 was vulnerable to effectively being hijacked and shared by multiple hacking groups.

    Thus far there doesn’t appear to be a big hack impacting Germany’s election and there isn’t much time left if it’s going to happen (the vote is on Sunday). But if there is, let’s not forget that, despite the fact that the big Macron hack in France’s elections continues to be routinely attributed to Russia in the US media and the NSA even said it was sure it was Russia, the French chief of cybersecurity said France had no evidence Russia did the hack, and the NSA refused to provide France evidence of Russian attribution, and the publicly available evidence of how the hacked documents were leaked online strongly suggests that it was neo-Nazi hacker Andrew “the weev” Auernheimer who actually carried out the hack. So when you read the comment about how the French elections were hacked by Russians like this one...

    ...
    Still, Forbrig added the German election may be less susceptible to outside influence for three reasons: Voters watched alleged Russian meddling take place in the U.S. and French elections, which has led to high levels of awareness; Germany’s multi-party electoral system makes it more difficult to predict how messages and information targeted at one group might impact others; and Germany’s media is, Forbrig said, generally more “balanced and calm” and lacks “shrill voices” compared to its counterparts elsewhere. Further, its media is still viewed as a trusted source of information — not always the case in President Trump’s Washington.
    ...

    ...don’t forget that the big Macron hack also appears to have American ‘Alt-Right’ neo-Nazi origins.

    Also note that, while the far-right troll army aggressively trying to get Marine Le Pen elected really was indeed comprised of French far-rightists, the National Front was using an ‘Alt-Right’ “Foreign Legion” on social media too.

    Which shouldn’t be too surprising. As Andrew Auernheimer told the world after Donald Trump’s victory:

    ...
    “There will never be an election again in which trolling, hacking and extreme far-right politics do not play a role,” Andrew Auernheimer, a hacker and blogger for the U.S. neo-Nazi Daily Stormer website wrote after Donald Trump’s election victory last year.
    ...

    Tragically, yep.

    Posted by Pterrafractyl | September 20, 2017, 11:09 pm
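    The attribution argument in the comment above rests on two artifacts: a C2 address hard-coded in cleartext inside the malware, and a C2 host running a Heartbleed-era OpenSSL. As an added example (not code from this page or from anyone it discusses), here is a small triage script that pulls hard-coded IPv4 literals out of constructed sample blobs, splits them into shared and sample-specific indicators, and flags an OpenSSL version banner in the 1.0.1 to 1.0.1f range affected by CVE-2014-0160; SAMPLE_A, SAMPLE_B and SERVER_BANNER are all constructed.

```python
"""Triage helpers for the two pieces of evidence the comment above leans on:
a command-and-control address hard-coded in cleartext inside a sample, and a
C2 server running a Heartbleed-era OpenSSL.

Added example; not code from this page or from any party it discusses.
SAMPLE_A, SAMPLE_B and SERVER_BANNER are constructed stand-ins: the addresses
are documentation ranges (RFC 5737), not real indicators.
"""
import ipaddress
import re

# Runs of printable ASCII at least 4 bytes long, as the `strings` tool extracts.
_PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")
# Dotted-quad candidate; octet range is validated with ipaddress afterwards.
_IPV4_CANDIDATE = re.compile(rb"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
# Version banner as servers commonly expose it ("OpenSSL/1.0.1e" or "OpenSSL 1.0.1e").
_OPENSSL_BANNER = re.compile(rb"OpenSSL[ /](\d+\.\d+\.\d+)([a-z]?)")

# Constructed sample "binaries": a header, a cleartext config string with the
# C2 address, a library banner and some noise that must NOT be reported.
SAMPLE_A = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"cfg: c2=198.51.100.23:443\x00"   # hard-coded C2 address (documentation range)
    + b"OpenSSL 1.0.1e\x00"              # not an address: only three numeric groups
    + b"ver 999.1.1.1\x00"               # dotted quad with an out-of-range octet
    + b"\xff" * 4
)
SAMPLE_B = (
    b"\x7fELF" + b"\x00" * 4
    + b"beacon 198.51.100.23\x00"        # same C2 address as SAMPLE_A
    + b"fallback 203.0.113.7\x00"        # second address, unique to this sample
)
# Constructed HTTP response header as captured from the C2 host.
SERVER_BANNER = b"Server: Apache/2.2.22 (Debian) OpenSSL/1.0.1e\r\n"


def extract_ipv4_literals(blob: bytes) -> set:
    """Return every syntactically valid IPv4 literal embedded as ASCII text in blob."""
    found = set()
    for run in _PRINTABLE_RUN.findall(blob):
        for candidate in _IPV4_CANDIDATE.findall(run):
            text = candidate.decode("ascii")
            try:
                ipaddress.IPv4Address(text)  # rejects octets above 255
            except ValueError:
                continue
            found.add(text)
    return found


def compare_c2_indicators(sample_a: bytes, sample_b: bytes) -> dict:
    """Split the hard-coded addresses of two samples into shared and sample-specific sets.

    A shared address shows shared infrastructure; on its own it does not show a
    shared operator, which is the caveat the comment raises about a C2 host that
    several groups could have been using.
    """
    a = extract_ipv4_literals(sample_a)
    b = extract_ipv4_literals(sample_b)
    return {"shared": sorted(a & b), "only_a": sorted(a - b), "only_b": sorted(b - a)}


def heartbleed_range_banners(data: bytes) -> list:
    """List OpenSSL banners in data that fall in the CVE-2014-0160 affected range.

    Heartbleed affected OpenSSL 1.0.1 through 1.0.1f; the 1.0.2-beta builds that
    were also affected are not matched by this banner pattern.
    """
    hits = []
    for base, letter in _OPENSSL_BANNER.findall(data):
        base, letter = base.decode("ascii"), letter.decode("ascii")
        if base == "1.0.1" and letter <= "f":  # bare "1.0.1" has an empty letter
            hits.append(f"OpenSSL {base}{letter}")
    return hits


if __name__ == "__main__":
    print(compare_c2_indicators(SAMPLE_A, SAMPLE_B))
    print(heartbleed_range_banners(SERVER_BANNER))
```

A version banner is only a hint: a patched build can keep an old banner string, so confirming exposure needs the host's actual patch level, not the string alone.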
  14. Here’s a set of articles related to the ongoing tensions between the West and Russia and the risk of a much larger conflict being sparked:

    The US Department of Homeland Security (DHS) issued an alarming memo over the weekend warning US states and localities about the threat of Russian critical infrastructure cyber attacks. It’s not especially surprising that DHS would issue a warning like this. If anything it’s to be expected. But as we’re going to see, part of what makes this alarm so disturbing is how it is couched in the framework of a kind of cyber Mutually Assured Destruction reality. Cyber-MADness. Because the concern isn’t just that the US is highly vulnerable to cyber attacks. The main concern is that the US would respond with offensive attacks of its own, creating the kind of situation that could quickly escalate.

    And as we’re going to see in the second article below, from June 2021, while Joe Biden brought up with Vladimir Putin the idea of creating some sort of critical infrastructure cyber-treaty, those negotiations are ongoing. In other words, such an agreement doesn’t exist. Critical infrastructure is fair game.

    As we’re going to see in the third article below, from June 2019, the US has been making it easier and easier for a cyberwar to start. Specifically, in 2018, then-President Trump issued a secret order granting the head of US Cyber Command greater leniency in launching offensive cyber strikes without presidential authority. That same year, Congress slipped a provision into the military authorization bill that gave a similar authority to the defense secretary. So in addition to Biden there are at least two other people in the US government with the authority to launch devastating cyber attacks. And not necessarily just defensive retaliatory attacks.

    Finally, it’s worth recalling what we learned in June of 2017: that President Obama ordered the implantation of cyber-bombs on Russian networks in response to the hacking of the DNC in 2016. The publication of this secret program was presumably done to turn these planted cyber-bombs into credible threats the Russians had to fear. Again, more cyber-MADness at work.

    That’s all part of the context of the DHS warning to US critical infrastructure operators over the weekend. The kind of warning that’s going to become a lot more prevalent as the new normal of cyber-MADness plays out:

    USA TODAY

    Homeland Security warns that Russia could launch cyberattack against US

    Josh Meyer
    Published 6:07 p.m. ET Jan. 24, 2022
    Updated 7:35 p.m. ET Jan. 24, 2022

    WASHINGTON – A new Department of Homeland Security bulletin warns that Russia could launch a cyberattack against U.S. targets on American soil if it believes Washington’s response to its potential invasion of Ukraine threatens its long-term national security.

    DHS blasted out the memo Sunday to U.S. critical infrastructure operators and state and local governments around the country, warning that “Russia maintains a range of offensive cyber tools that it could employ against U.S. networks” that make everything from planes to hospitals to dams and bridges operate.

    Separately, a well-respected private cybersecurity firm leader warns that while “cyber espionage is already a regular facet of global activity, as the situation deteriorates, we are likely to see more aggressive information operations and disruptive cyberattacks within and outside of Ukraine.”

    “The crisis in Ukraine has already proven to be a catalyst for additional aggressive cyber activity that will likely increase as the situation deteriorates,” wrote John Hultquist, vice president of threat intelligence for Mandiant, a cybersecurity firm that provides services to private enterprises, governments and law enforcement agencies worldwide.

    “At Mandiant, we have been anticipating this activity, and we are concerned that, unlike the recent defacements and destructive attacks, future activity will not be restricted to Ukrainian targets or the public sector,” Hultquist wrote in his Jan. 20 online report.

    Paul Rosenzweig, a former senior Homeland Security official, said the DHS Intelligence and Analysis bulletin underscores how even U.S. efforts to help avert a potential military conflict thousands of miles away have the potential to cause real harm to Americans here at home.

    “In a globally connected world, conflicts are no longer geographically isolated. As DHS is warning, Russia may respond to U.S. actions in support of Ukraine by using offensive cyber tools against U.S. networks,” Rosenzweig told USA TODAY. “We have seen how vulnerable American systems are – think of the criminals who disrupted gas pipelines and meat packing last year. Now imagine that an angry Russia decides to take it to the next level – wastewater treatment; agriculture; transportation are all potential targets.”

    If Russia were to launch such a cyberattack against U.S. targets, Washington would likely retaliate with defense or even offensive cyberweapons of its own. And that could trigger a potentially dangerous escalation that could threaten to draw the United States directly into the conflict between Russia and its neighbor Ukraine.

    “That’s why the Russian attack on Ukraine is so dangerous,” Rosenzweig said. “It seems quite possible that the conflict will spin out of control – both on the ground and in the cyber universe.”

    In its memo, DHS said Russian government cyber actors have spent years targeting and gaining access to critical infrastructure in the United States. In one particularly alarming campaign, Russian hackers have compromised U.S. energy networks since at least 2016, conducted network reconnaissance and collected the kind of information needed to gain control of those systems if they wanted to, it said.

    “Separately, Russian state-sponsored cyber actors have successfully compromised routers, globally, and U.S. state and local government networks, according to a CISA alert and a joint US-UK report,” the new DHS memo said.

    Despite those capabilities, the DHS memo said U.S. intelligence officials believe that Russia’s threshold for conducting disruptive or destructive cyber attacks in the homeland “probably remains very high,” in part because Moscow hasn’t engaged in such confrontational behavior in the past.

    ...

    The DHS bulletin is just the latest indication that the U.S. government is worried about Russian cyberattacks, even as Washington says it’s ready to deploy military and intelligence assets to the region in anticipation of a Kremlin military incursion.

    A joint Cybersecurity Advisory – authored by CISA, the FBI and the National Security Agency – was sent out nationwide on Jan. 11 in an effort to prepare state, local and private sector officials for Russian cyberattack capabilities, including “commonly observed tactics, techniques, and procedures.” It also included detailed instructions on how potential victims could respond to such cyberattacks and reduce their exposure.

    And a month earlier, on Dec. 15, the Homeland Security cyber agency sent out another report with the ominous title, “Preparing For and Mitigating Potential Cyber Threats” that warned of sophisticated threat actors, including nation-states like Russia and their proxies, that have proven their ability to compromise U.S. networks and develop “long-term persistence mechanisms” that can lurk in their systems even after the most intensive efforts to root them out.

    Officials warn that efforts to stop such cyberattacks on U.S. targets are virtually impossible, given their sophistication – and the relatively lax security protocols that most U.S. companies use. Many, if not most, elements of U.S. critical infrastructure are also vulnerable, and have been victimized by Russian cybercriminals in recent years.

    There are 16 critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on U.S. security, including the economic well-being and health and safety of Americans.

    Last year, Russia-based cybercriminals were behind two of the most destructive cyberattacks in recent history, including a ransomware attack that caused the operators of the massive Colonial Pipeline to shut down in May 2021, leading to widespread gas shortages. Soon after, hackers linked to Russia targeted the meat supplier JBS. In both cases, the companies paid millions of dollars in ransom in order to get their systems up and running again.

    Russia was also responsible for one of the most devastating hacks involving U.S. government agencies in late 2020. Known as the SolarWinds breach, U.S. officials say Russian-backed cybercriminals gained access to 10 U.S. government agencies including DHS and the Department of Commerce.

    ...

    ———-

    “Homeland Security warns that Russia could launch cyberattack against US” by Josh Meyer; USA TODAY; 01/24/2022

    “DHS blasted out the memo Sunday to U.S. critical infrastructure operators and state and local governments around the country, warning that “Russia maintains a range of offensive cyber tools that it could employ against U.S. networks” that make everything from planes to hospitals to dams and bridges operate.”

    A warning to critical infrastructure operators around the US of a looming Russian cyberattack. That was the alarm raised in this DHS memo over the weekend. But as experts warn, the greatest alarm shouldn’t be focused on the possibility of a Russian cyber attack. It’s the danger of a US response, creating an escalating situation that can spiral out of control as each side unleashes attacks that are effectively impossible for each side to stop:

    ...
    Paul Rosenzweig, a former senior Homeland Security official, said the DHS Intelligence and Analysis bulletin underscores how even U.S. efforts to help avert a potential military conflict thousands of miles away have the potential to cause real harm to Americans here at home.

    ...

    If Russia were to launch such a cyberattack against U.S. targets, Washington would likely retaliate with defense or even offensive cyberweapons of its own. And that could trigger a potentially dangerous escalation that could threaten to draw the United States directly into the conflict between Russia and its neighbor Ukraine.

    “That’s why the Russian attack on Ukraine is so dangerous,” Rosenzweig said. “It seems quite possible that the conflict will spin out of control – both on the ground and in the cyber universe.”

    ...

    Officials warn that efforts to stop such cyberattacks on U.S. targets are virtually impossible, given their sophistication – and the relatively lax security protocols that most U.S. companies use. Many, if not most, elements of U.S. critical infrastructure are also vulnerable, and have been victimized by Russian cybercriminals in recent years.

    There are 16 critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on U.S. security, including the economic well-being and health and safety of Americans.
    ...

    Also, just note regarding the historic hacks on the Colonial Pipeline in May of 2021, recall how the attacker appeared to be utilizing sophisticated hacking software that was being licensed out to independent hackers who would pay a cut to the “Dark Side” core group who developed the tools. So while that core group appears to be based in Russia, the full criminal operation associated with that hack looks more like a global operation. Also recall how circumstantial evidence in that hack suggested the hacker was based in the US since the hackers used servers in Northern California to receive their crypto-ransom payments. Finally, regarding the SolarWinds hack, recall how Russia was almost immediately blamed for the SolarWinds hack by both private security firms and the US government and yet no real evidence was ever publicly revealed for this charge. Russia remains one of the default culprits to be blamed for cyberattacks:

    ...
    Last year, Russia-based cybercriminals were behind two of the most destructive cyberattacks in recent history, including a ransomware attack that caused the operators of the massive Colonial Pipeline to shut down in May 2021, leading to widespread gas shortages. Soon after, hackers linked to Russia targeted the meat supplier JBS. In both cases, the companies paid millions of dollars in ransom in order to get their systems up and running again.

    Russia was also responsible for one of the most devastating hacks involving U.S. government agencies in late 2020. Known as the SolarWinds breach, U.S. officials say Russian-backed cybercriminals gained access to 10 U.S. government agencies including DHS and the Department of Commerce.
    ...

    So what’s to prevent an escalation of the tit-for-tat attacks should a cyber attack transpire? Hopefully a mutually held sense of self-preservation. But it’s worth noting that Biden actually proposed last year that the US and Russia declare the 16 forms of critical infrastructure as “off limits” during cyberwars. It’s unclear how far those negotiations ever got, but it sounds like there were at least plans to begin some sort of mutual discussion. In other words, maybe there will be some sort of treaty preventing a tit-for-tat escalation of hitting critical infrastructure. Maybe someday. But not today.

    Reuters

    Biden tells Putin certain cyberattacks should be ‘off-limits’

    By Vladimir Soldatkin and Humeyra Pamuk
    June 17, 2021 12:24 AM UTC Updated

    GENEVA, June 16 (Reuters) — U.S. President Joe Biden told Russian President Vladimir Putin on Wednesday that certain critical infrastructure should be “off-limits” to cyberattacks, but analysts said his efforts were unlikely to be more successful than previous attempts to carve out safe zones online.

    Biden wasn’t explicit about which areas he wanted out of bounds, but spoke of 16 kinds of infrastructure — an apparent reference to the 16 sectors designated as critical by the U.S. Homeland Security Department, including telecommunications, healthcare, food and energy.

    “We agreed to task experts in both our countries to work on specific understandings about what is off-limits,” Biden said following a lakeside summit with Putin in Geneva. “We’ll find out whether we have a cybersecurity arrangement that begins to bring some order.”

    A senior administration official said that the proposal was focused on “destructive” hacks, as opposed to the conventional digital espionage operations carried out by intelligence agencies worldwide.

    Putin’s response to the idea wasn’t immediately clear. In a separate press conference, he said the two leaders had agreed to “begin consultations” on cybersecurity issues but didn’t directly refer to Biden’s proposal.

    The threat of destructive hacks aimed at critical infrastructure, a staple of disaster movies where renegade hackers trigger blackouts and mayhem, has long worried experts.

    The United States had its first serious taste of what that might mean last month, when ransom-seeking cybercriminals briefly triggered the closure of a major U.S. pipeline network, interrupting gasoline deliveries and sparking panic-buying up and down the East Coast.

    Earlier cyberattacks aimed at the Ukrainian power grid and a Saudi petrochemical plant have also drawn concern.

    In all those cases, the hackers involved are accused by the United States of either working directly for the Russian government or from Russian territory.

    “We need to throw out all kinds of insinuations, sit down at the expert level and start working in the interests of the United States and Russia,” Putin told reporters.

    He then made an insinuation of his own, saying that Russian officials had tracked malicious digital activity coming from the United States.

    “We certainly see where the attacks are coming from. We see that this work is coordinated from U.S. cyberspace,” Putin said.

    ...

    ———-

    “Biden tells Putin certain cyberattacks should be ‘off-limits’ ” by Vladimir Soldatkin and Humeyra Pamuk; Reuters; 06/17/2021

    “Biden wasn’t explicit about which areas he wanted out of bounds, but spoke of 16 kinds of infrastructure — an apparent reference to the 16 sectors designated as critical by the U.S. Homeland Security Department, including telecommunications, healthcare, food and energy.”

    That’s quite a broad range of infrastructure Joe Biden was trying to take ‘off the table’: telecommunications, healthcare, food, energy, and a dozen other categories. Was some sort of agreement reached? Sort of. They agreed to begin talks:

    ...
    “We agreed to task experts in both our countries to work on specific understandings about what is off-limits,” Biden said following a lakeside summit with Putin in Geneva. “We’ll find out whether we have a cybersecurity arrangement that begins to bring some order.”

    A senior administration official said that the proposal was focused on “destructive” hacks, as opposed to the conventional digital espionage operations carried out by intelligence agencies worldwide.

    Putin’s response to the idea wasn’t immediately clear. In a separate press conference, he said the two leaders had agreed to “begin consultations” on cybersecurity issues but didn’t directly refer to Biden’s proposal.
    ...

    Let’s hope the two sides manage to work out a deal. Fast. Because as the following article from June 2019 reminds us, it’s not as if the US has only been publicly warning about Russian cyber attacks. Public bragging about how cyber-bombs have already been planted inside Russia’s energy grid has also been part of the US’s anti-hacking toolbox.

    The US’s preemptive hacks of Russia’s energy grid reportedly took place in the lead up to the 2018 US mid-term elections and included attacks on the Internet Research Agency. So this isn’t just a matter of planting cyber weapons that could be used at a later date. Some were used already.

    But here’s the part of this story that potentially has the biggest implications as the US and Russia continue the current showdown: In 2018, two individuals were granted the authority to conduct offensive cyber attacks without prior presidential authority. The head of Cyber Command was granted that authority in a 2018 classified document known as National Security Presidential Memoranda 13. Then the defense secretary was also granted the authority for routine conduct of “clandestine military activity” in cyberspace, to “deter, safeguard or defend against attacks or malicious cyberactivities against the United States,” without special presidential approval. And those are just the moves to make it easier to launch an offensive cyber attack that we’ve been told about. Who knows how many other people were quietly granted those kinds of authorities in recent years. And that’s why it’s going to be important to keep in mind that a cyber showdown isn’t just a showdown between Biden and Putin. There are a range of actors with the authority to unilaterally trigger a full blown cyberwar:

    The New York Times

    U.S. Escalates Online Attacks on Russia’s Power Grid

    By David E. Sanger and Nicole Perlroth
    June 15, 2019

    WASHINGTON — The United States is stepping up digital incursions into Russia’s electric power grid in a warning to President Vladimir V. Putin and a demonstration of how the Trump administration is using new authorities to deploy cybertools more aggressively, current and former government officials said.

    In interviews over the past three months, the officials described the previously unreported deployment of American computer code inside Russia’s grid and other targets as a classified companion to more publicly discussed action directed at Moscow’s disinformation and hacking units around the 2018 midterm elections.

    Advocates of the more aggressive strategy said it was long overdue, after years of public warnings from the Department of Homeland Security and the F.B.I. that Russia has inserted malware that could sabotage American power plants, oil and gas pipelines, or water supplies in any future conflict with the United States.

    But it also carries significant risk of escalating the daily digital Cold War between Washington and Moscow.

    The administration declined to describe specific actions it was taking under the new authorities, which were granted separately by the White House and Congress last year to United States Cyber Command, the arm of the Pentagon that runs the military’s offensive and defensive operations in the online world.

    But in a public appearance on Tuesday, President Trump’s national security adviser, John R. Bolton, said the United States was now taking a broader view of potential digital targets as part of an effort “to say to Russia, or anybody else that’s engaged in cyberoperations against us, ‘You will pay a price.’”

    Power grids have been a low-intensity battleground for years.

    Since at least 2012, current and former officials say, the United States has put reconnaissance probes into the control systems of the Russian electric grid.

    But now the American strategy has shifted more toward offense, officials say, with the placement of potentially crippling malware inside the Russian system at a depth and with an aggressiveness that had never been tried before. It is intended partly as a warning, and partly to be poised to conduct cyberstrikes if a major conflict broke out between Washington and Moscow.

    The commander of United States Cyber Command, Gen. Paul M. Nakasone, has been outspoken about the need to “defend forward” deep in an adversary’s networks to demonstrate that the United States will respond to the barrage of online attacks aimed at it.

    “They don’t fear us,” he told the Senate a year ago during his confirmation hearings.

    But finding ways to calibrate those responses so that they deter attacks without inciting a dangerous escalation has been the source of constant debate.

    Mr. Trump issued new authorities to Cyber Command last summer, in a still-classified document known as National Security Presidential Memoranda 13, giving General Nakasone far more leeway to conduct offensive online operations without receiving presidential approval.

    But the action inside the Russian electric grid appears to have been conducted under little-noticed new legal authorities, slipped into the military authorization bill passed by Congress last summer. The measure approved the routine conduct of “clandestine military activity” in cyberspace, to “deter, safeguard or defend against attacks or malicious cyberactivities against the United States.”

    Under the law, those actions can now be authorized by the defense secretary without special presidential approval.

    “It has gotten far, far more aggressive over the past year,” one senior intelligence official said, speaking on the condition of anonymity but declining to discuss any specific classified programs. “We are doing things at a scale that we never contemplated a few years ago.”

    The critical question — impossible to know without access to the classified details of the operation — is how deep into the Russian grid the United States has bored. Only then will it be clear whether it would be possible to plunge Russia into darkness or cripple its military — a question that may not be answerable until the code is activated.

    Both General Nakasone and Mr. Bolton, through spokesmen, declined to answer questions about the incursions into Russia’s grid. Officials at the National Security Council also declined to comment but said they had no national security concerns about the details of The New York Times’s reporting about the targeting of the Russian grid, perhaps an indication that some of the intrusions were intended to be noticed by the Russians.

    Speaking on Tuesday at a conference sponsored by The Wall Street Journal, Mr. Bolton said: “We thought the response in cyberspace against electoral meddling was the highest priority last year, and so that’s what we focused on. But we’re now opening the aperture, broadening the areas we’re prepared to act in.”

    He added, referring to nations targeted by American digital operations, “We will impose costs on you until you get the point.”

    Two administration officials said they believed Mr. Trump had not been briefed in any detail about the steps to place “implants” — software code that can be used for surveillance or attack — inside the Russian grid.

    Pentagon and intelligence officials described broad hesitation to go into detail with Mr. Trump about operations against Russia for concern over his reaction — and the possibility that he might countermand it or discuss it with foreign officials, as he did in 2017 when he mentioned a sensitive operation in Syria to the Russian foreign minister.

    Because the new law defines the actions in cyberspace as akin to traditional military activity on the ground, in the air or at sea, no such briefing would be necessary, they added.

    The intent of the operations was described in different ways by several current and former national security officials. Some called it “signaling” Russia, a sort of digital shot across the bow. Others said the moves were intended to position the United States to respond if Mr. Putin became more aggressive.

    So far, there is no evidence that the United States has actually turned off the power in any of the efforts to establish what American officials call a “persistent presence” inside Russian networks, just as the Russians have not turned off power in the United States. But the placement of malicious code inside both systems revives the question of whether a nation’s power grid — or other critical infrastructure that keeps homes, factories, and hospitals running — constitutes a legitimate target for online attack.

    Already, such attacks figure in the military plans of many nations. In a previous post, General Nakasone had been deeply involved in designing an operation code-named Nitro Zeus that amounted to a war plan to unplug Iran if the United States entered into hostilities with the country.

    How Mr. Putin’s government is reacting to the more aggressive American posture described by Mr. Bolton is still unclear.

    “It’s 21st-century gunboat diplomacy,” said Robert M. Chesney, a law professor at the University of Texas, who has written extensively about the shifting legal basis for digital operations. “We’re showing the adversary we can inflict serious costs without actually doing much. We used to park ships within sight of the shore. Now, perhaps, we get access to key systems like the electric grid.”

    Russian intrusion on American infrastructure has been the background noise of superpower competition for more than a decade.

    A successful Russian breach of the Pentagon’s classified communications networks in 2008 prompted the creation of what has become Cyber Command. Under President Barack Obama, the attacks accelerated.

    But Mr. Obama was reluctant to respond to such aggression by Russia with counterattacks, partly for fear that the United States’ infrastructure was more vulnerable than Moscow’s and partly because intelligence officials worried that by responding in kind, the Pentagon would expose some of its best weaponry.

    At the end of Mr. Obama’s first term, government officials began uncovering a Russian hacking group, alternately known to private security researchers as Energetic Bear or Dragonfly. But the assumption was that the Russians were conducting surveillance, and would stop well short of actual disruption.

    That assumption evaporated in 2014, two former officials said, when the same Russian hacking outfit compromised the software updates that reached into hundreds of systems that have access to the power switches.

    “It was the first stage in long-term preparation for an attack,” said John Hultquist, the director of intelligence analysis at FireEye, a security company that has tracked the group.

    In Decem­ber 2015, a Russ­ian intel­li­gence unit shut off pow­er to hun­dreds of thou­sands of peo­ple in west­ern Ukraine. The attack last­ed only a few hours, but it was enough to sound alarms at the White House.

    A team of Amer­i­can experts was dis­patched to exam­ine the dam­age, and con­clud­ed that one of the same Russ­ian intel­li­gence units that wreaked hav­oc in Ukraine had made sig­nif­i­cant inroads into the Unit­ed States ener­gy grid, accord­ing to offi­cials and a home­land secu­ri­ty advi­so­ry that was not pub­lished until Decem­ber 2016.

    “That was the cross­ing of the Rubi­con,” said David J. Wein­stein, who pre­vi­ous­ly served at Cyber Com­mand and is now chief secu­ri­ty offi­cer at Claroty, a secu­ri­ty com­pa­ny that spe­cial­izes in pro­tect­ing crit­i­cal infra­struc­ture.

    In late 2015, just as the breach­es of the Demo­c­ra­t­ic Nation­al Com­mit­tee began, yet anoth­er Russ­ian hack­ing unit began tar­get­ing crit­i­cal Amer­i­can infra­struc­ture, includ­ing the elec­tric­i­ty grid and nuclear pow­er plants. By 2016, the hack­ers were scru­ti­niz­ing the sys­tems that con­trol the pow­er switch­es at the plants.

    Until the last few months of the Oba­ma admin­is­tra­tion, Cyber Com­mand was large­ly lim­it­ed to con­duct­ing sur­veil­lance oper­a­tions inside Russia’s net­works. At a con­fer­ence this year held by the Hewlett Foun­da­tion, Eric Rosen­bach, a for­mer chief of staff to the defense sec­re­tary and who is now at Har­vard, cau­tioned that when it came to offen­sive oper­a­tions “we don’t do them that often.” He added, “I can count on one hand, lit­er­al­ly, the num­ber of offen­sive oper­a­tions that we did at the Depart­ment of Defense.”

    But after the elec­tion breach­es and the pow­er grid incur­sions, the Oba­ma admin­is­tra­tion decid­ed it had been too pas­sive.

    Mr. Oba­ma secret­ly ordered some kind of mes­sage-send­ing action inside the Russ­ian grid, the specifics of which have nev­er become pub­lic. It is unclear whether much was accom­plished.

    “Offen­sive cyber is not this, like, mag­ic cyber­nuke where you say, ‘O.K., send in the air­craft and we drop the cyber­nuke over Rus­sia tomor­row,’” Mr. Rosen­bach said at the con­fer­ence, declin­ing to dis­cuss spe­cif­ic oper­a­tions.

    After Mr. Trump’s inau­gu­ra­tion, Russ­ian hack­ers kept esca­lat­ing attacks.

    Mr. Trump’s ini­tial cyberteam decid­ed to be far more pub­lic in call­ing out Russ­ian activ­i­ty. In ear­ly 2018, it named Rus­sia as the coun­try respon­si­ble for “the most destruc­tive cyber­at­tack in human his­to­ry,” which par­a­lyzed much of Ukraine and affect­ed Amer­i­can com­pa­nies includ­ing Mer­ck and FedEx.

    When Gen­er­al Naka­sone took over both Cyber Com­mand and the N.S.A. a year ago, his staff was assess­ing Russ­ian hack­ings on tar­gets that includ­ed the Wolf Creek Nuclear Oper­at­ing Cor­po­ra­tion, which runs a nuclear pow­er plant near Burling­ton, Kan., as well as pre­vi­ous­ly unre­port­ed attempts to infil­trate Nebras­ka Pub­lic Pow­er District’s Coop­er Nuclear Sta­tion, near Brownville. The hack­ers got into com­mu­ni­ca­tions net­works, but nev­er took over con­trol sys­tems.

    In August, Gen­er­al Naka­sone used the new author­i­ty grant­ed to Cyber Com­mand by the secret pres­i­den­tial direc­tive to over­whelm the com­put­er sys­tems at Russia’s Inter­net Research Agency — the group at the heart of the hack­ing dur­ing the 2016 elec­tion in the Unit­ed States. It was one of four oper­a­tions his so-called Rus­sia Small Group orga­nized around the midterm elec­tions. Offi­cials have talked pub­licly about those, though they have pro­vid­ed few details.

    But the recent actions by the Unit­ed States against the Russ­ian pow­er grids, whether as sig­nals or poten­tial offen­sive weapons, appear to have been con­duct­ed under the new con­gres­sion­al author­i­ties.

    As it games out the 2020 elec­tions, Cyber Com­mand has looked at the pos­si­bil­i­ty that Rus­sia might try selec­tive pow­er black­outs in key states, some offi­cials said. For that, they said, they need a deter­rent.

    ...

    The ques­tion now is whether plac­ing the equiv­a­lent of land mines in a for­eign pow­er net­work is the right way to deter Rus­sia. While it par­al­lels Cold War nuclear strat­e­gy, it also enshrines pow­er grids as a legit­i­mate tar­get.

    “We might have to risk tak­ing some bro­ken bones of our own from a coun­ter­re­sponse, just to show the world we’re not lying down and tak­ing it,” said Robert P. Sil­vers, a part­ner at the law firm Paul Hast­ings and for­mer Oba­ma admin­is­tra­tion offi­cial. “Some­times you have to take a bloody nose to not take a bul­let in the head down the road.”

    ————

    “U.S. Esca­lates Online Attacks on Russia’s Pow­er Grid” by David E. Sanger and Nicole Perl­roth; The New York Times; 06/15/2019

    “It’s 21st-century gunboat diplomacy,” said Robert M. Chesney, a law professor at the University of Texas, who has written extensively about the shifting legal basis for digital operations. “We’re showing the adversary we can inflict serious costs without actually doing much. We used to park ships within sight of the shore. Now, perhaps, we get access to key systems like the electric grid.”

    Public declarations that you have preemptively hacked your adversary and will utilize the implanted cyberbombs if attacked. It’s 21st-century cyber gunboat diplomacy. The kind of gunboat diplomacy that works to protect domestic critical infrastructure from attacks while simultaneously enshrining that infrastructure as legitimate targets. So it’s kind of like gunboat diplomacy in a world where you can’t stop your adversary from fielding their own gunboats and running them up into your own harbors. Counter-threats are seen as the only option. Preemptive counter-threats:

    ...
    In inter­views over the past three months, the offi­cials described the pre­vi­ous­ly unre­port­ed deploy­ment of Amer­i­can com­put­er code inside Russia’s grid and oth­er tar­gets as a clas­si­fied com­pan­ion to more pub­licly dis­cussed action direct­ed at Moscow’s dis­in­for­ma­tion and hack­ing units around the 2018 midterm elec­tions.

    ...

    The ques­tion now is whether plac­ing the equiv­a­lent of land mines in a for­eign pow­er net­work is the right way to deter Rus­sia. While it par­al­lels Cold War nuclear strat­e­gy, it also enshrines pow­er grids as a legit­i­mate tar­get.

    “We might have to risk tak­ing some bro­ken bones of our own from a coun­ter­re­sponse, just to show the world we’re not lying down and tak­ing it,” said Robert P. Sil­vers, a part­ner at the law firm Paul Hast­ings and for­mer Oba­ma admin­is­tra­tion offi­cial. “Some­times you have to take a bloody nose to not take a bul­let in the head down the road.”
    ...

    And note how the range of the US’s cyber options wasn’t just expanded by then-President Trump’s classified National Security Presidential Memoranda 13 order that gave the head of the US Cyber Command far more leeway to conduct offensive online operations without receiving presidential approval. There was also a little-noticed new legal authority slipped into the 2018 military authorization bill passed by Congress that grants the defense secretary the authority to launch these kinds of attacks without presidential authority. So it sounds like both the head of Cyber Command and the defense secretary were granted the power to launch devastating cyber attacks without presidential authority in 2018:

    ...
    But find­ing ways to cal­i­brate those respons­es so that they deter attacks with­out incit­ing a dan­ger­ous esca­la­tion has been the source of con­stant debate.

    Mr. Trump issued new author­i­ties to Cyber Com­mand last sum­mer, in a still-clas­si­fied doc­u­ment known as Nation­al Secu­ri­ty Pres­i­den­tial Mem­o­ran­da 13, giv­ing Gen­er­al Naka­sone far more lee­way to con­duct offen­sive online oper­a­tions with­out receiv­ing pres­i­den­tial approval.

    But the action inside the Russ­ian elec­tric grid appears to have been con­duct­ed under lit­tle-noticed new legal author­i­ties, slipped into the mil­i­tary autho­riza­tion bill passed by Con­gress last sum­mer. The mea­sure approved the rou­tine con­duct of “clan­des­tine mil­i­tary activ­i­ty” in cyber­space, to “deter, safe­guard or defend against attacks or mali­cious cyber­ac­tiv­i­ties against the Unit­ed States.”

    Under the law, those actions can now be autho­rized by the defense sec­re­tary with­out spe­cial pres­i­den­tial approval.

    “It has got­ten far, far more aggres­sive over the past year,” one senior intel­li­gence offi­cial said, speak­ing on the con­di­tion of anonymi­ty but declin­ing to dis­cuss any spe­cif­ic clas­si­fied pro­grams. “We are doing things at a scale that we nev­er con­tem­plat­ed a few years ago.”

    ...

    In August, Gen­er­al Naka­sone used the new author­i­ty grant­ed to Cyber Com­mand by the secret pres­i­den­tial direc­tive to over­whelm the com­put­er sys­tems at Russia’s Inter­net Research Agency — the group at the heart of the hack­ing dur­ing the 2016 elec­tion in the Unit­ed States. It was one of four oper­a­tions his so-called Rus­sia Small Group orga­nized around the midterm elec­tions. Offi­cials have talked pub­licly about those, though they have pro­vid­ed few details.
    ...

    While many have pointed out that Biden has already said he has no intention of moving US troops into Ukraine even if Russia invades the country, keep in mind that a devastating cyberattack would potentially be a great way to change public opinion. The kind of cyberattack that enrages the public. Like taking down a substantial portion of the power grid at a critical time. The threat of devastating cyber attacks may be the 21st Century version of gunboat diplomacy. But an actual devastating cyber attack would be closer to Pearl Harbor. And few events could more effectively get the US into a mood for an apocalyptic war with Russia than a new Pearl Harbor.

    It’s all genuinely alarming. Especially when you consider how alarmingly easy a ‘new Pearl Harbor’-style cyber-false flag event could be. So let’s hope the US avoids any nasty cyber incidents as these tensions with Russia play out. And should such an incident happen, let’s hope that’s the end of it. And not the beginning of the end.

    Posted by Pterrafractyl | January 26, 2022, 12:06 pm
  15. It appears the Vault 7 hack might be approaching a final legal resolution: following the mistrial of former CIA coder Joshua Schulte, a new trial is set for next week. And as the following piece in the New Yorker describes, the US government has a pretty compelling circumstantial case against Schulte, including evidence showing Schulte logging into the CIA’s networks and accessing the exact version of hacking tools that were eventually leaked. Notably, Schulte did this after he had his administrative privileges revoked following a series of intra-office disputes with co-workers and his decision to reassign himself to a project he was pulled from. That’s the overall context in which this hack appears to have happened: Schulte, one of the members of the CIA’s coding team, became disgruntled following a dispute with a co-worker, got even more disgruntled based on how the dispute was resolved by superiors, and then had his administrative privileges revoked following more troubling behavior, at which point he stole the tools and leaked them. Schulte didn’t ultimately write a resignation letter for another two months, on June 28, 2016, and didn’t leave the agency for another five months.

    So it appears the US government has pretty conclusively caught the leaker. But major questions remain. For starters, it’s still not entirely clear if ideology played a role in Schulte’s motive. On the surface, the guy is reportedly an Ayn Rand-loving libertarian. But as we’re going to see, he has a more troubling background. According to friends during his teen years, Schulte was notorious for drawing swastikas. One friend claims he just did this for the attention and wasn’t a real Nazi. But that brings us to the date of the apparent theft of the code set that was ultimately leaked: according to prosecutors, that happened on April 20, 2016. So is it just a coincidence that Schulte chose the date that is notorious for Hitler’s birthday to log in and steal that code? Sure, it’s possible, but that’s the kind of circumstantial evidence that continues to raise questions about this case.

    But then we get to the other disturbing aspect of this investigation into Schulte: the discovery of a trove of child porn on one of his computers. And in case you’re tempted to suspect that the illegal content was placed on his computer by a malicious government, Schulte himself has more or less already admitted to it, decrying it as a victimless crime. Beyond that, Schulte was accused of hosting child porn on a server he had managed during his college years.

    So it appears that the guy who leaked Vault7 wasn’t just a CIA coder. He was a CIA coder who might also have been known to draw swastikas and have had a history of collecting child porn. And that’s why the questions swirling around this story should really include massive questions about the CIA’s vetting process:

    The New York­er

    The Sur­re­al Case of a C.I.A. Hacker’s Revenge
    A hot-head­ed coder is accused of expos­ing the agency’s hack­ing arse­nal. Did he betray his coun­try because he was pissed off at his col­leagues?

    By Patrick Rad­den Keefe
    June 6, 2022

    Nes­tled west of Wash­ing­ton, D.C., amid the bland north­ern Vir­ginia sub­urbs, are gener­ic-look­ing office parks that hide secret gov­ern­ment instal­la­tions in plain sight. Employ­ees in civil­ian dress get out of their cars, clutch­ing their Star­bucks, and dis­ap­pear into the build­ings. To the casu­al observ­er, they resem­ble anony­mous cor­po­rate drones. In fact, they hold Top Secret clear­ances and work in defense and intel­li­gence. One of these build­ings, at an address that is itself a secret, hous­es the cyber­in­tel­li­gence divi­sion of the Cen­tral Intel­li­gence Agency. The facil­i­ty is sur­round­ed by a high fence and mon­i­tored by guards armed with mil­i­tary-grade weapons. When employ­ees enter the build­ing, they must badge in and pass through a full-body turn­stile. Inside, on the ninth floor, through anoth­er door that requires badge access, is a C.I.A. office with an osten­ta­tious­ly bland name: the Oper­a­tions Sup­port Branch. It is the agency’s secret hack­er unit, in which a cadre of élite engi­neers cre­ate cyber­weapons.

    “O.S.B. was focussed on what we referred to as ‘phys­i­cal-access oper­a­tions,’ ” a senior devel­op­er from the unit, Jere­my Weber—a pseudonym—explained. This is not drag­net mass sur­veil­lance of the kind more often asso­ci­at­ed with the Nation­al Secu­ri­ty Agency. These are hacks, or “exploits,” designed for indi­vid­ual tar­gets. Some­times a for­eign ter­ror­ist or a finance min­is­ter is too sophis­ti­cat­ed to be hacked remote­ly, and so the agency is oblig­ed to seek “phys­i­cal access” to that person’s devices. Such oper­a­tions are incred­i­bly dan­ger­ous: a C.I.A. offi­cer or an asset recruit­ed to work secret­ly for the agency—a couri­er for the ter­ror­ist; the finance minister’s per­son­al chef—must sur­rep­ti­tious­ly implant the mal­ware by hand. “It could be some­body who was will­ing to type on a key­board for us,” Weber said. “It often was some­body who was will­ing to plug a thumb dri­ve into the machine.” In this man­ner, human spies, armed with the secret dig­i­tal pay­loads designed by the Oper­a­tions Sup­port Branch, have been able to com­pro­mise smart­phones, lap­tops, tablets, and even TVs: when Sam­sung devel­oped a set that respond­ed to voice com­mands, the wiz­ards at the O.S.B. exploit­ed a soft­ware vul­ner­a­bil­i­ty that turned it into a lis­ten­ing device.

    The mem­bers of the O.S.B. “built quick-reac­tion tools,” Antho­ny Leo­nis, the chief of anoth­er cyber­in­tel­li­gence unit of the C.I.A., said. “That branch was real­ly good at tak­ing ideas and pro­to­types and turn­ing them into tools that could be used in the mis­sion, very quick­ly.” Accord­ing to the man who super­vised the O.S.B., Sean, the unit could be “a high-stress envi­ron­ment,” because it was sup­port­ing life-or-death oper­a­tions. (With a few excep­tions, this piece refers to agency employ­ees by pseu­do­nyms or by their first names.)

    ...

    On March 7, 2017, the Web site Wik­iLeaks launched a series of dis­clo­sures that were cat­a­stroph­ic for the C.I.A. As much as thir­ty-four ter­abytes of data—more than two bil­lion pages’ worth—had been stolen from the agency. The trove, billed as Vault 7, rep­re­sent­ed the sin­gle largest leak of clas­si­fied infor­ma­tion in the agency’s his­to­ry. Along with a sub­se­quent install­ment known as Vault 8, it exposed the C.I.A.’s hack­ing meth­ods, includ­ing the tools that had been devel­oped in secret by the O.S.B., com­plete with some of the source code. “This extra­or­di­nary col­lec­tion . . . gives its pos­ses­sor the entire hack­ing capac­i­ty of the C.I.A.,” Wik­iLeaks announced. The leak dumped out the C.I.A.’s tool­box: the cus­tom-made tech­niques that it had used to com­pro­mise Wi-Fi net­works, Skype, antivirus soft­ware. It exposed Bru­tal Kan­ga­roo and AngerQuake. It even exposed McNugget.

    ...

    Giv­en that the soft­ware exposed in Vault 7 had been main­tained on a pro­pri­etary C.I.A. com­put­er net­work that was not con­nect­ed to the Inter­net, the spec­tre of espi­onage raised anoth­er alarm­ing pos­si­bil­i­ty. Might a for­eign adver­sary have obtained “phys­i­cal access”—smuggling a taint­ed thumb dri­ve into the C.I.A.? Had the agency’s own modus operan­di been used against it?

    ...

    The Bureau was pur­su­ing what it calls an “unsub”—or “unknown subject”—investigation. “A crime had been com­mit­ted; we didn’t yet know who had com­mit­ted it,” one of the lead inves­ti­ga­tors, Richard Evanchec, lat­er tes­ti­fied. Fair­ly quick­ly, the agents ruled out a for­eign pow­er as the cul­prit, decid­ing that the unsub must be a C.I.A. insid­er. They zeroed in on the clas­si­fied com­put­er net­work from which the data had been stolen—and on the agency employ­ees who had access to that net­work. Among those who did were the O.S.B. hack­ers on the ninth floor of the agency’s secret cyber instal­la­tion in Vir­ginia.

    This was a befud­dling prospect: the O.S.B. engi­neers devot­ed their pro­fes­sion­al lives to con­coct­ing clan­des­tine dig­i­tal weapons. Mak­ing pub­lic the source code would ren­der their inven­tions use­less. Why destroy your own work? As the F.B.I. inter­viewed mem­bers of the team, a sus­pect came into focus: Joshua Schulte. Volde­mort. He had left the agency in Novem­ber, 2016, and was said to have been dis­grun­tled. He now lived in Man­hat­tan, where he worked as a soft­ware engi­neer at Bloomberg. As Schulte was leav­ing the office one evening, Evanchec and anoth­er F.B.I. agent inter­cept­ed him. When they explained that they were inves­ti­gat­ing the leak, he agreed to talk. They went to a near­by restau­rant, Per­sh­ing Square, oppo­site Grand Cen­tral Ter­mi­nal. Schulte may not have real­ized it, but the oth­er patrons seat­ed around them were actu­al­ly plain­clothes F.B.I. agents, who were there to mon­i­tor the situation—and to inter­vene if he made any sud­den moves. Schulte was ami­able and chat­ty. But, when Evanchec looked down, he noticed that Schulte’s hands were shak­ing.

    Schulte was born in 1988 and grew up in Lub­bock, Texas. He was the old­est of four boys; his father, Roger, is a finan­cial advis­er; his moth­er, Dean­na, is a high-school guid­ance coun­sel­lor. Schulte was a bright child, and in ele­men­tary school he was fas­ci­nat­ed when one of his teach­ers took apart a com­put­er in front of the class. By the time he was in high school, his par­ents told me, he was build­ing com­put­ers him­self. “Some peo­ple are born with cer­tain tal­ents,” Dean­na said. While Schulte was study­ing engi­neer­ing at the Uni­ver­si­ty of Texas at Austin, he did an intern­ship at I.B.M., and anoth­er at the N.S.A. On a blog that he main­tained in col­lege, he espoused lib­er­tar­i­an views. He was a devo­tee of Ayn Rand, and came to believe that, as he put it, “there is noth­ing evil about ratio­nal self­ish­ness.” He also had a cer­tain intel­lec­tu­al arro­gance. “Most Amer­i­cans, most peo­ple in gen­er­al, are idiots,” he wrote in 2008.

    ...

    Like drone pilots who destroy vil­lages in Afghanistan from an air-con­di­tioned trail­er in Neva­da, the engi­neers of the O.S.B. expe­ri­enced an uncan­ny incon­gruity between the safe­ty of their sur­round­ings and the knowl­edge that their work sup­port­ed high-stakes covert oper­a­tions abroad. “We were very mis­sion-focussed,” Jere­my Weber recalled. “But, you know, we had fun at work, too.” Schulte proved to be a capa­ble pro­gram­mer, and in 2015 he was grant­ed a spe­cial dis­tinc­tion when he was made a sys­tem admin­is­tra­tor for the C.I.A.’s devel­op­er net­work, or DevLAN. Now he could con­trol which employ­ees had access to the net­work that held the source code for the group’s many projects. Being a sys­tem admin­is­tra­tor was regard­ed, Weber said, as “a priv­i­leged posi­tion.” Schulte made good friends at work; he became par­tic­u­lar­ly close with anoth­er mem­ber of the O.S.B. team, named Michael. They played video games togeth­er after hours, or went to the gym.

    ...

    Schulte could get “a lit­tle off the hinge,” Sean remem­bered. At one point, agency offi­cials decid­ed to assign a con­trac­tor a project, Almost Meat, that was based in part on Schulte’s code. “Josh was offend­ed,” Weber recalled. He protest­ed that his hard work would be hand­ed to a third par­ty, then sold back to the gov­ern­ment at a markup. He threat­ened to file a com­plaint with the C.I.A.’s inspec­tor gen­er­al, claim­ing “fraud, waste, and abuse.” Frank Sted­man, who worked on Almost Meat, felt that the episode illus­trat­ed Schulte’s ten­den­cy to react with a “dis­pro­por­tion­ate response.” The man known as Bad Ass and Volde­mort accrued anoth­er office nick­name: the Nuclear Option.

    Schulte had been on the job for about three years when a new pro­gram­mer named Amol joined the O.S.B. He sat near Schulte, and they were part­nered on a project code-named Drift­ing Dead­line. Accord­ing to Weber, Amol and Schulte “didn’t get along, and from the get-go.” Ini­tial­ly, peo­ple ribbed Amol because he behaved in a pro­fes­sion­al man­ner that was at odds with the pre­vail­ing frat-house vibe. Schulte liked to shoot Amol with his Nerf gun. As Amol grew more accus­tomed to the O.S.B.’s rau­cous cul­ture, he start­ed fight­ing back. He would col­lect Schulte’s Nerf darts and stash them behind his desk. He began trolling oth­ers in the office, malign­ing their skills as coders and devis­ing his own cru­el nick­names. He referred to Schulte as Bald Ass­hole. Amol was heavy, and Schulte rec­i­p­ro­cat­ed by mak­ing fun of his weight. Their bick­er­ing inten­si­fied.

    In Octo­ber, 2015, Amol com­plained to Sean, the hack­ing-unit super­vi­sor. “I have had enough of Schulte and his child­ish behav­ior,” he wrote. “Last night, he shot me in the face with his nerf gun and it could have eas­i­ly hit me in the eye.” Schulte also wrote to Sean, say­ing that Amol was “very deroga­to­ry and abu­sive to every­one.” Accord­ing to Schulte, Amol had told him, “I wish you were dead,” “I want to piss on your grave,” and “I wish you’d die in a fiery car crash.” Such rhetoric, Schulte not­ed, “does lit­tle to fos­ter col­lab­o­ra­tion.”

    Weber subsequently confirmed that Amol had indeed said some of these things. But he pointed out that Amol had done so only after protracted arguments with Schulte, and that the attritional verbal combat Schulte seemed to favor could “exhaust” a person. In March, 2016, the discord between the two hackers reached a new level, when Schulte lodged a formal complaint with security officials at the C.I.A., reporting that Amol had told him, “I wish you were dead, and that’s not a threat, it’s a fucking promise.” Schulte characterized this as a credible death threat that had left him fearing for his life. He suggested that Amol was “upset and unstable,” and possibly bipolar.

    Schulte felt that his supe­ri­ors weren’t tak­ing his accu­sa­tions seri­ous­ly. He nei­ther liked nor respect­ed Karen, his ulti­mate boss, refer­ring to her as a “dumb bitch.” One C.I.A. secu­ri­ty offi­cial respond­ed to the dis­pute by say­ing that he couldn’t play “high school coun­selor,” which only exac­er­bat­ed Schulte’s anger. Schulte esca­lat­ed the mat­ter by com­plain­ing to the direc­tor of the cyber­in­tel­li­gence divi­sion, Bon­nie Stith—an agency vet­er­an who over­saw sev­er­al thou­sand employ­ees. One might sup­pose that she had more press­ing mat­ters to con­tend with, but she offered to sit down with Schulte and Amol and try to bro­ker peace. Ini­tial­ly, Schulte refused, say­ing that he was afraid to be in the same room with Amol. But she insist­ed, and at the meet­ing she urged both men to con­sid­er the “hon­or” of being C.I.A. employ­ees, and to remem­ber their oblig­a­tions to their coun­try. Amol, she thought, seemed embar­rassed to have been hauled before the school prin­ci­pal. Stith decid­ed that the coders should be phys­i­cal­ly sep­a­rat­ed. “Our nation depend­ed on us,” she point­ed out lat­er. “I need­ed them to be focussed.”

    Schulte was furi­ous to learn that he had to switch desks. He said that he would relo­cate only if his man­agers issued the direc­tive in writ­ing. So they did. Even then, he refused to ful­ly move. He didn’t like the new loca­tion. It had no win­dow. It was an “intern desk,” he scoffed; Amol, mean­while, had been “ ‘pro­mot­ed’ to a bet­ter desk,” leav­ing Schulte “exposed to ques­tions and ridicule about why I was demot­ed.”

    Up to this point, though Schulte could be vex­ing and obstreper­ous, he was work­ing with­in the broad bureau­crat­ic para­me­ters of the agency. Oth­ers might have found his vendet­ta against Amol irra­tional, but he had con­fined it to tra­di­tion­al chan­nels, push­ing his appeal up the chain of com­mand. Now he embarked on a more deci­sive esca­la­tion, con­clud­ing, as he lat­er explained, that “since the Agency wouldn’t help me, per­haps the state would.” Cit­ing fears for his safe­ty, Schulte filed for a restrain­ing order against Amol in Vir­ginia state court.

    This was a star­tling depar­ture from nor­mal con­duct for the C.I.A. The agency has an esti­mat­ed twen­ty thou­sand employ­ees, and, because of the sen­si­tiv­i­ty of its work, it enjoys remark­able auton­o­my with­in the fed­er­al gov­ern­ment, some­times appear­ing to oper­ate as a self-gov­ern­ing fief. The notion of allow­ing an inter­nal squab­ble to spill into the unclas­si­fied realm was anath­e­ma. “It was so unusu­al to have agency employ­ees in a local court,” Stith lat­er said.

    Amol was oblig­ed to appear at an open hear­ing at a Loudoun Coun­ty cour­t­house. Inside the agency, a secu­ri­ty organ known as the Threat Man­age­ment Unit was acti­vat­ed, and a deci­sion was made to sep­a­rate the war­ring O.S.B. pro­gram­mers even fur­ther, mov­ing Schulte to a dif­fer­ent branch alto­geth­er, on the eighth floor. Schulte fired off an intem­per­ate e‑mail: “I just want to con­firm this pun­ish­ment of removal from my cur­rent branch is for report­ing to secu­ri­ty an inci­dent in which my life was threat­ened.” Of course, it was also pos­si­ble to read this relo­ca­tion as a log­i­cal bureau­crat­ic response to the restrain­ing order that Schulte had obtained, which com­pelled Amol to avoid any con­tact with him—even cross­ing paths in the hall­way.

    ...

    Next, Schulte appealed to sev­er­al of the most senior offi­cials at the C.I.A., includ­ing Meroë Park, the exec­u­tive direc­tor. “I know you don’t deal with per­son­nel issues and like­ly won’t spend much time on this, but management’s abuse of pow­er and con­sis­tent retal­i­a­tion against me has forced me to resign,” he wrote, on June 28, 2016. Schulte hung on a lit­tle longer, but by Novem­ber he was gone. At Bloomberg, he would make more than two hun­dred thou­sand dol­lars a year—a sig­nif­i­cant increase from his gov­ern­ment salary. Though he was legal­ly bound to pro­tect the con­fi­den­tial­i­ty of his C.I.A. work, he could tell peo­ple he had been at the agency, and he dis­cov­ered that in the pri­vate sec­tor this con­ferred a cer­tain cachet. Reflect­ing on Schulte’s good for­tune, Sted­man not­ed that some­times “good things hap­pen to bad peo­ple.”

    Before Schulte’s depar­ture, there had been one final fra­cas. Schulte was, in his own telling, try­ing “to make the best of my sit­u­a­tion and move for­ward,” but after relo­cat­ing to the eighth floor he attempt­ed to work on Bru­tal Kangaroo—only to find that his access had been denied. “Imag­ine my shock,” he lat­er recalled, not­ing that Bru­tal Kan­ga­roo had been his project; he felt a huge pro­pri­etary invest­ment in the pro­gram. Schulte con­sult­ed the audit logs on the sys­tem, and deter­mined that Weber had stripped him of his access. Weber lat­er explained that his rea­son­ing had been sim­ple: in Schulte’s new branch, he “was going to be work­ing on new projects,” and there­fore wouldn’t need access to the old ones. But Schulte saw it as ret­ri­bu­tion. He had devel­oped a spe­cial resent­ment for Weber. At the Loudoun Coun­ty court hear­ing on the restrain­ing order, Weber had shown up—as a show of sol­i­dar­i­ty with Amol. Schulte regard­ed Weber as a bureau­crat­ic toady, Karen’s “loy­al pawn.” Weber, he felt, “had played pol­i­tics to over­throw me from my own project.”

    And so Schulte, without asking for authorization, reassigned himself access to his old project. When his managers learned of this, they were so alarmed that they stripped Schulte of his administrator privileges. Weber later said of Schulte’s transgression, “The agency exists in a world of trust. We are granted access to classified information, and we are trusted to only use that information for the expressed reasons we’re given access to it.” If you can’t “trust the person that you’re working with,” he pointed out, you’re in trouble. (Schulte has disputed Weber’s account of these events.)

    ...

    Unlike other prominent digital leakers, Schulte did not seem like an ideological whistle-blower. Ayn Rand fanboys are not exactly famous for their doctrinal consistency, and Schulte’s concerns about “Big Brother” don’t appear to have occasioned much soul-searching in the years he spent building surveillance weapons for a spy agency. On an anonymous Twitter account that Schulte maintained, he reportedly expressed the view (in a since-deleted tweet) that Chelsea Manning should be executed. Weber recalled Schulte saying that Snowden deserved the same. Could it be that Schulte had leaked the C.I.A.’s digital arsenal not because of any principled opposition to the policies of the U.S. government but because he was pissed off at his colleagues? There are prior examples of C.I.A. employees who have been driven to betray their country out of a sense of professional grievance: after an agency officer named Edward Lee Howard was fired, in 1983, because he had lied about drug use and other minor transgressions during a polygraph exam, he began feeding the K.G.B. sensitive intelligence; when the agency discovered the breach, Howard fled to Russia, where he lived until his death, in 2002. After Ellsberg made the moral decision to leak the Pentagon Papers, it took him weeks of complicated work to make good on that objective. But with digital technology the window between impulse and consummation shrinks considerably, and, as everyone who worked with Josh Schulte knew all too well, when he was mad he had poor impulse control.

    ...

    Soon after the F.B.I. began its investigation, agents placed Schulte under surveillance, and they learned that he was about to leave for Mexico. Edward Snowden had fled to Hong Kong and then to Russia, where he remains, beyond the reach of U.S. authorities. Faced with the possibility that Schulte might abscond in similar fashion, investigators made their move, with Agent Evanchec stopping him as he left work at Bloomberg and taking him to Pershing Square. It had emerged that when Schulte left the C.I.A. he had not returned his special black government passport, which assured the holder official status when travelling abroad. Schulte eventually acknowledged that he still had the passport, but maintained that the trip to Mexico was simply a spring-break excursion with his brother. (Roger Schulte told me that the brothers had purchased round-trip tickets for a short visit to Cancún.)

    The investigators had a warrant to search Schulte’s apartment, so they all went together to his building, on Thirty-ninth Street. It was full of computer equipment. When F.B.I. agents obtained a warrant for Schulte’s search history from Google, they discovered that, starting in August, 2016—when he was preparing to leave the C.I.A.—he had conducted thirty-nine searches related to WikiLeaks. In the hours after WikiLeaks posted Vault 7, he searched for “F.B.I.,” and read articles with such titles as “F.B.I. Joins C.I.A. in Hunt for Leaker.” For a guy who was a supposed expert in information warfare, Schulte seemed shockingly sloppy when it came to his own operational security. Even so, the F.B.I. hadn’t found a smoking gun. It had amassed circumstantial evidence tying Schulte to the Vault 7 leak, but it hadn’t found any record of him transmitting data to WikiLeaks—or, indeed, any proof that the secret files had ever been in his possession.

    Schulte was not under arrest, so he got a room at a hotel while the search of his apartment continued. The F.B.I. seized his computer hardware, for forensic analysis. When computer scientists at the Bureau examined Schulte’s desktop, they discovered a “virtual machine”—an entire operating system nested within the computer’s standard operating system. The virtual machine was locked with strong encryption, meaning that, unless they could break the code or get the key from Schulte—both of which seemed unlikely—they couldn’t access it. But they also had Schulte’s cell phone, and when they checked it they discovered another startling lapse in operational security: he had stored a bunch of passwords on his phone.

    One of the passwords let the investigators bypass the encryption on the virtual machine. Inside, they found a home directory—also encrypted. They consulted Schulte’s phone again, and, sure enough, another stored password unlocked the directory. Next, they found an encrypted digital lockbox—a third line of defense. But, using encryption software and the same password that had unlocked the virtual machine, they managed to access the contents. Inside was a series of folders. When the investigators opened them, they found an enormous trove of child pornography.

    When the news broke that Schulte was a suspect in the Vault 7 leak, Chrissy Covington, a d.j. and a radio personality in Lubbock who had attended junior high school with him, took to Facebook to express her surprise. “The gravity of his crimes? OMG. Y’all,” she wrote, in a group chat with several classmates who had also known Schulte. Covington and Schulte had been friendly; as teen-agers, they chatted on AOL Instant Messenger. She was surprised to learn not only that he might be the leaker but also that the C.I.A. had given him a job in the first place. “How could you hire Josh Schulte?” she said when I spoke to her recently. “007 he’s not.” Schulte had always struck Covington as an “oddball,” but mostly harmless. On Facebook, however, she started to hear from classmates who shared unpleasant memories of Schulte crossing boundaries and making others uncomfortable. Several former classmates recalled to me that Schulte was infamous for drawing swastikas in school, and that, on at least one occasion, he did so on the yearbook of a Jewish student.

    Other classmates recalled sexually inappropriate behavior. One woman told me that he had repeatedly exposed his penis to students when they were both in the junior-high band. “He would try and touch people, or get people to touch him—that was a daily occurrence,” she said. She loved music, but she was so intent on getting away from Schulte that she asked her parents to let her quit the band. She was too uncomfortable to explain to her parents exactly what had transpired. “It’s hard to put it into words,” she recalled. “You’re twelve. It’s just ‘Hey, this kid is super gross, and it makes me want to not be part of this school right now.’ ” Her parents, not grasping the gravity of what had happened, insisted that she remain in the band. “I was traumatized,” she told me. I also spoke to a friend of the woman, who remembered her recounting this behavior by Schulte at the time. A third woman told me that Schulte and some of his friends got in trouble at school after trying to stick their hands into her pants while she slept on the bus during a field trip. Schulte, she said, took revenge by sending her an AOL message loaded with a virus, destroying her computer. He boasted about the hack afterward, the woman said.

    Schulte’s friend Kavi Patel acknowledged that Schulte would “draw swastikas all over the place.” He wasn’t anti-Semitic, Patel contended; he just relished getting a rise out of people. He recalled Schulte telling him, “I don’t really care one way or the other, but it’s fun to see the shock on people’s faces.” Patel was also in the junior-high band. When I asked him if he remembered Schulte exposing himself, he said that he never witnessed it, but had heard about it happening “two or three times.” According to Patel, Schulte seemed to confirm it to him on one occasion: “I was, like, ‘Dude, did you do this?’ And he was, like, ‘Heh, heh.’ ” Patel added, “It’s not something that’s out of his character. At all.” (Presented with these allegations, several attorneys who have represented Schulte had no comment. Deanna recalled learning that Joshua had drawn a swastika in his notes for a lesson on the Second World War, but she and Roger said that they were not aware of other incidents involving swastikas or the junior-high band. They dispute the classmate’s recollection of the incident on the school bus.)

    When Schulte was in college, he argued on his blog that pornography is a form of free expression which “is not degrading to women” and “does not incite violence.” He went on, “Porn stars obviously enjoy what they do, and they make quite a bit of money off it.” Of course, some women are coerced into pornography, and if you mistake the simulated enjoyment in a porn performance for the real thing then you don’t understand much about the industry. But more to the point: child pornography is not free expression; it’s a crime. After Schulte realized that the illicit archive had been discovered, he claimed that the collection—more than ten thousand images and videos—didn’t belong to him. In college, he had maintained a server on which friends and acquaintances could store whatever they wanted. Unbeknownst to him, he contended, people had used the server to hide contraband. He “had so many people accessing it he didn’t care what people put on it,” Roger Schulte told the Times.

    But, according to the F.B.I., as agents gathered more evidence they unearthed chat logs in which Schulte conversed about child pornography with fellow-enthusiasts. “Where does one get kiddie porn anyways?” Schulte asked, in a 2009 exchange. This was another instance in which Schulte seemed recklessly disinclined to cover his tracks. His Google search history revealed numerous queries about images of underage sex. In the chat logs, people seeking or discussing child pornography tended to use pseudonyms. One person Schulte interacted with went by “hbp.” Another went by “Sturm.” Josh’s username was “Josh.” At one point, he volunteered to grant his new friends access to the child-porn archive on his server. He had titled it /home/josh/http/porn. Sturm, taken aback, warned Schulte to “rename these things for god’s sake.”

    When F.B.I. investigators searched Schulte’s phone, they found something especially alarming: a photograph that looked as though it had been taken inside the house in Sterling, Virginia, where he had lived while working for the C.I.A. The photograph was of a woman who looked like she was passed out on the bathroom floor. Her underwear appeared to have been removed and the hand of an unseen person was touching her genitals. State investigators in Loudoun County subsequently identified the woman and interviewed her. She has not been publicly named, but she told them that she had been Schulte’s roommate and had passed out one night, with no memory of what had happened. The encounter in the photograph was not consensual, she assured them. According to subsequent legal filings, the investigators concluded, after consulting the victim, that the hand in the photograph belonged to Schulte.

    On August 24, 2017, at 5:30 a.m., a dozen armed federal agents hammered on the door of his apartment in Manhattan, startling him awake. Once inside, they bellowed, “Turn around and put your hands behind your back!” According to an account written by Schulte, he was led “like a prized dog” into the federal courthouse in lower Manhattan, where he was cuffed and shackled, then turned over to the U.S. Marshals. At this point, the F.B.I. and federal prosecutors had been investigating Schulte’s possible role in the Vault 7 leak for five months, but they still hadn’t indicted him. Instead, they now charged him with “receipt, possession, and transportation” of child pornography. Schulte pleaded not guilty. When he heard that the government was pushing to keep him detained pending trial, his stomach dropped. “The crime I am charged with is in fact a non-violent, victimless crime,” he objected, displaying an obdurate heedlessness when it comes to how child pornography is made. (In a recent court filing, Schulte asserted that he has been “falsely accused” of acquiring child pornography.)

    A judge ultimately ruled that Schulte could be released on bail, on the ground that he posed no immediate threat to society. But his release came with stringent conditions. He would be under house arrest, unable to leave his apartment except for court dates. And he could not access the Internet. Schulte bridled at this, observing, “Today, everything is done online so it’s incredibly difficult.” Never one to meekly adhere to a directive that he found objectionable, Schulte chose to ignore the condition. In December, the government presented evidence that he had defied court orders by going online, and on several occasions had even logged on to the Internet using Tor—a system that enables users to access Web sites anonymously. Meanwhile, authorities in Virginia charged him with sexual assault, citing as evidence the photograph discovered on his phone. Schulte was taken into custody once again and locked up at the Metropolitan Correctional Center, in Manhattan. He was still there in the summer of 2018, when the government filed a superseding indictment with ten new counts and charged him with leaking Vault 7.

    ...

    First, he would need a phone. At the prison, he could make calls on pay phones—but they were monitored and did not offer Internet access. Luckily, black-market smartphones were easy to come by: Luna had a sideline in smuggling them into the facility. According to a former inmate who did time at the M.C.C. alongside Schulte, the going rate there for a contraband smartphone was several thousand dollars. Schulte figured out a way to hot-wire a light switch in his cell so that it worked as a cell-phone charger. (The person who knew Schulte during this period praised his innovation, saying, “After that, all M.C.C. phones were charged that way.”) Schulte and Amanat, who had also obtained a phone, would meet in the cell of a guy named Chino, and Luna would serve as lookout while the others used their clandestine devices. On an encrypted Samsung phone, Schulte created an anonymous Facebook page called John Galt’s Legal Defense Fund and posted some of his prison writings. He set up a Twitter account, @FreeJasonBourne, and, in a drafts folder, he saved a tweet that said, “The @Department of Justice arrested the wrong man for Vault 7. I personally know exactly what happened, as do many others. Why are they covering it up?” Schulte also contacted Shane Harris, a journalist at the Washington Post. In messages to Harris, Schulte pretended to be other people—a cousin, or one of his three brothers—and promised to share explosive information. In this sock-puppet guise, he sent Harris what the government alleges was classified information about his case.

    Astonishingly, it appears that Schulte may have even made contact with WikiLeaks during this period. In a Twitter post on June 19, 2018, WikiLeaks released seven installments of Schulte’s prison writings, billing them as an account in which the “Alleged CIA #Vault7 whistleblower” would finally speak out in “his own words.” Schulte seems to have envisaged these essays, which combined diaristic accounts of prison life with a broader critique of the criminal-justice system, as a sort of “Letter from a Birmingham Jail.” He titled them “Presumption of Innocence.” Perhaps WikiLeaks simply stumbled on the Facebook page where these essays appeared—or perhaps it was in touch with Schulte. If indeed Schulte managed to contact WikiLeaks from prison, he was adopting a curious strategy: it would be pathologically self-sabotaging to counter allegations that he had shared a set of documents with WikiLeaks by sharing another set of documents with WikiLeaks.

    ...

    The criminal trial of Joshua Schulte, which commenced on February 4, 2020, at the federal courthouse in Manhattan, was unlike any other in U.S. history. A decision had been made to postpone the child-pornography indictment and the Virginia sexual-assault charge; both cases could be pursued at a later date. For now, the government focussed on Vault 7, issuing ten charges, ranging from lying to the F.B.I. to illegal transmission of classified information. It had taken federal prosecutors three years to assemble the evidence that they would present in court, in part because of the official secrecy involved and in part because they intended to summon more than a dozen C.I.A. officers to testify, under oath, about Schulte’s tenure at the O.S.B. This was a delicate and highly unusual strategy. To speak in public about what happens on the job is to violate one of the signature prohibitions of an agency career. It was an indication of how seriously C.I.A. officials took Schulte’s alleged offenses that they were prepared to forgo this traditional reticence for the purposes of a trial.

    ...

    One member of Schulte’s defense team was Sabrina Shroff, a feisty and tenacious federal public defender who grew up in Islamabad. “You’re going to have to take this as a given—I don’t dwell on Mr. Schulte’s shortcomings,” she said, when I asked her about his volatility. “He’s my client.” We met at a coffee shop near Gramercy Park. Shroff is diminutive and intense, and quick to chuckle at the Kafkaesque predicaments of this case. But she was also severely constrained in what she could say to me. “We don’t have the ability to cross-examine the classification authority,” she pointed out; when the government designates something Secret, she cannot appeal the decision. Before the trial began, Shroff already possessed a Top Secret security clearance—she had needed one to defend other clients facing national-security charges—but in order to represent Schulte she had to be “read in” to even higher levels of fetishistically compartmentalized secrecy. All the classified material she would need to consult could be accessed only in a room on the ninth floor of the courthouse—a Sensitive Compartmented Information Facility, or scif, designed to house classified information. The defense team felt hamstrung in its efforts to represent its client. Normally, defense attorneys receive the names of prosecution witnesses in advance, and can research their backgrounds while preparing for cross-examination. When Shroff and her fellow-attorneys got the names, however, they were prohibited from performing any Google searches that might in any way link these individuals to the C.I.A. Because some witnesses had common names, and Shroff and her team could not add the letters “C.I.A.” to their search terms, it was occasionally impossible to gather any information. “These are shadows to us,” one of Shroff’s partners, Edward Zas, protested to the judge in the case, Paul Crotty. “We are completely blind.”

    ...

    The parade of witnesses from the C.I.A. offered a rare glimpse of the office dynamics in a Top Secret unit. It was sobering. The descriptions of Schulte’s workplace called to mind not the steely competence of “The Bourne Identity” but, rather, the tiresome high jinks and petty scheming of “Office Space.” This was the paradox of the proceedings: there was no way for the C.I.A. to exact retribution against Schulte without, in the process, revealing a great deal of unflattering information about itself. Jurors would be told the story of an élite national-security division that had become consumed by juvenile name-calling and recrimination; senior C.I.A. officials would have to submit to cross-examination about the frequency and the severity of Nerf-gun fights, or about the lax security that had made the breach possible. Schulte’s former colleagues portrayed him as thin-skinned and volcanically malicious, and this proved to be the core of the government’s case. “He’s not some kind of whistle-blower,” one of the prosecutors, David Denton, told the jury. “He did it out of spite. He did it because he was angry and disgruntled at work.”

    But Shroff’s defense strategy rested on a sly pivot: she readily conceded that Schulte was an asshole. “He antagonized his colleagues,” she said. “He antagonized management. He really was a difficult employee.” Nevertheless, she added, “being a difficult employee does not make you a criminal.”

    Shroff further suggested that the story of Vault 7 was a parable not about the rash decision of one traitor but about the systemic ineptitude of the C.I.A. The agency didn’t even realize that it had been robbed, she pointed out, until WikiLeaks began posting the disclosures. “For God’s sakes,” Shroff said in court. “They went a whole year without knowing that their super-secure system had been hacked.” Then the agency embarked on a witch hunt, she continued, and quickly settled on an “easy target”: Schulte. Within this narrative, the string of prosecution witnesses recounting horror stories about Schulte’s workplace behavior almost seemed to play in Shroff’s favor. Her client was a scapegoat, she insisted—the guy nobody liked.

    The government had amassed a powerful case indicating that Schulte was the leaker. It was abundantly clear that he had motivations for taking revenge on the C.I.A. The professional biography that emerged at trial was so damning that a decision to leak terabytes of classified data seemed almost like a logical dénouement: the final explosion of a man whose nickname was literally the Nuclear Option. Schulte’s incriminating Google searches further deepened his appearance of guilt. And, on the sixth day of the trial, prosecutors laid out what they regarded as a coup de grâce—the digital equivalent of fingerprints at a crime scene. Even after Schulte was stripped of his administrative privileges, he had secretly retained the ability to access the O.S.B. network through a back door, by using a special key that he had set up. The password was KingJosh3000. The government contended that on April 20, 2016, Schulte had used his key to enter the system. The files were backed up every day, and while he was logged on Schulte accessed one particular backup—not from that day but from six weeks earlier, on March 3rd. The O.S.B. files released by WikiLeaks were identical to the backup from March 3, 2016. As Denton told the jurors, it was the “exact backup, the exact secrets, put out by WikiLeaks.”

    But all this was quite a complex fact pattern to present to a jury, involving virtual machines and administrative privileges and backups and logs; much of the expert testimony presented by the prosecutors was bewilderingly technical. Shroff, meanwhile, insisted that Schulte hadn’t stolen the data. Perhaps someone else in the office—or at the agency—had done it. The real outrage was that a crucial C.I.A. computer network, DevLAN, had been unprotected. Hundreds of people had access to DevLAN, including not just C.I.A. employees but contractors. The C.I.A.’s hackers appear to have disregarded even the kinds of elementary information-security protocols that any civilian worker bee can recite from mandatory corporate training. Coders exchanged passwords with one another, and sometimes shared sensitive details on Post-it notes. They used passwords that were laughably weak, including 123ABCdef. (A classified damage assessment conducted by the C.I.A. after the Vault 7 exposure concluded that security procedures had indeed been “woefully lax,” and that the agency’s hackers “prioritized building cyber weapons at the expense of securing their own systems.”)

    Nevertheless, the prosecutors presented striking circumstantial evidence indicating that Schulte had probably transmitted the material to WikiLeaks. On April 24th, he downloaded Tails, an operating system that WikiLeaks recommends for submitting data to the organization; on April 30th, he stayed up all night, frequently checking his computer, and at 3:21 a.m. he consulted a Web page that offered guidance on how to make sure that a terabyte of data has been “transferred correctly.” That evening, he also searched for tips on how to wipe a device of its contents. What the government could not prove was any direct communication between Schulte and WikiLeaks.

    ...

    As the jurors began deliberations, they sent out a series of notes with questions that seemed to indicate some genuine confusion about the technical aspects of the government’s case. On March 9th, they convicted Schulte of two lesser charges—contempt of court and lying to the F.B.I.—but hung on the eight more serious counts, including those accusing him of transmitting national-security secrets to WikiLeaks. Judge Crotty declared a mistrial.

    ...

    The mistrial was a devastating turn for the government, but Schulte’s father, who came from Texas with Deanna to attend the proceedings and staunchly believed in his innocence, was disappointed. Roger Schulte, who didn’t know what a hung jury was, asked Shroff, “You mean he wasn’t acquitted?” The child-pornography and sexual-assault cases have still not been resolved. When I asked Roger and Deanna about those charges, they said that, though they believe in Josh’s innocence, they haven’t spoken to him about the particulars of either case, or examined the available evidence themselves, so they were not in a position to offer any preview of his defense. But the U.S. government, rather than push forward with these other cases—which might have resulted in an easier conviction—instead announced that it would put Schulte on trial again for Vault 7.

    ...

    The new trial is scheduled to begin on June 13th. The government seems unlikely to present quite as much evidence of Schulte’s antisocial behavior this time. It may abbreviate the technical evidence, too. The proceedings, however, will remain blanketed in secrecy: Matthew Russell Lee, an independent journalist who covered the first trial, recently filed an objection to the government’s motion to seal the courtroom during testimony from C.I.A. officers, but it appears that that condition will again apply. Schulte, meanwhile, has sought to call no fewer than forty-eight current or former C.I.A. employees as witnesses. One of the people he has tried to summon is Amol. At a recent hearing, Schulte suggested that, if the evidence he requests is too sensitive to transport to the scif, perhaps “they should take me to the C.I.A.” Judge Furman responded flatly, “You are not going to the C.I.A.”

    We live in an era that has been profoundly warped by the headstrong impulses of men who are technically sophisticated but emotionally immature. From the whoopie-cushion antics of Elon Musk to the Panglossian implacability of Mark Zuckerberg, a particular personality profile dominates these times: the boy emperor. While reporting this article, I often wondered how the C.I.A. could have missed the obvious combustibility of this profile when it hired Schulte and gave him a security clearance. In order to get an agency job, Schulte had been subjected to a battery of tests—but, when his lawyers tried to obtain the psychological profile that the agency had produced on him, the C.I.A. would not turn it over. Perhaps, as the agency took up digital spying and sought to bolster its hacking capability, it deëmphasized qualities like emotional stability and sang-froid, and turned a blind eye to the sorts of erratic or antisocial tendencies that are widely accepted in Silicon Valley (and even embraced as the price of genius). The agency may have been blinkered about Schulte’s destructive potential because it had concluded that this was simply how coders behave. I sometimes found myself wondering whether Schulte was more idiot or savant.

    ...

    ———

    “The Surreal Case of a C.I.A. Hacker’s Revenge” by Patrick Radden Keefe; The New Yorker; 06/06/2022

    “The Bureau was pursuing what it calls an “unsub”—or “unknown subject”—investigation. “A crime had been committed; we didn’t yet know who had committed it,” one of the lead investigators, Richard Evanchec, later testified. Fairly quickly, the agents ruled out a foreign power as the culprit, deciding that the unsub must be a C.I.A. insider. They zeroed in on the classified computer network from which the data had been stolen—and on the agency employees who had access to that network. Among those who did were the O.S.B. hackers on the ninth floor of the agency’s secret cyber installation in Virginia.”

    They didn’t know who leaked Vault 7, but investigators were pretty confident it was an inside job based on circumstantial evidence. And that circumstantial evidence pointed at a recently departed, disgruntled former member of the CIA’s O.S.B. team: Joshua Schulte. Following the investigation, the circumstantial evidence looks pretty overwhelming: after being stripped of administrative privileges, Schulte appears to have used a back door he had set up on the CIA’s network to pull a backup of the hacking tools that were ultimately released; the files WikiLeaks published were identical to the March 3, 2016 backup he accessed. And note the date of this theft: April 20, 2016. Perhaps it’s a coincidence, but it’s hard to ignore that Schulte apparently did that act on 4/20, Hitler’s birthday:

    ...
    The criminal trial of Joshua Schulte, which commenced on February 4, 2020, at the federal courthouse in Manhattan, was unlike any other in U.S. history. A decision had been made to postpone the child-pornography indictment and the Virginia sexual-assault charge; both cases could be pursued at a later date. For now, the government focussed on Vault 7, issuing ten charges, ranging from lying to the F.B.I. to illegal transmission of classified information. It had taken federal prosecutors three years to assemble the evidence that they would present in court, in part because of the official secrecy involved and in part because they intended to summon more than a dozen C.I.A. officers to testify, under oath, about Schulte’s tenure at the O.S.B. This was a delicate and highly unusual strategy. To speak in public about what happens on the job is to violate one of the signature prohibitions of an agency career. It was an indication of how seriously C.I.A. officials took Schulte’s alleged offenses that they were prepared to forgo this traditional reticence for the purposes of a trial.

    ...

    The government had amassed a powerful case indicating that Schulte was the leaker. It was abundantly clear that he had motivations for taking revenge on the C.I.A. The professional biography that emerged at trial was so damning that a decision to leak terabytes of classified data seemed almost like a logical dénouement: the final explosion of a man whose nickname was literally the Nuclear Option. Schulte’s incriminating Google searches further deepened his appearance of guilt. And, on the sixth day of the trial, prosecutors laid out what they regarded as a coup de grâce—the digital equivalent of fingerprints at a crime scene. Even after Schulte was stripped of his administrative privileges, he had secretly retained the ability to access the O.S.B. network through a back door, by using a special key that he had set up. The password was KingJosh3000. The government contended that on April 20, 2016, Schulte had used his key to enter the system. The files were backed up every day, and while he was logged on Schulte accessed one particular backup—not from that day but from six weeks earlier, on March 3rd. The O.S.B. files released by WikiLeaks were identical to the backup from March 3, 2016. As Denton told the jurors, it was the “exact backup, the exact secrets, put out by WikiLeaks.”
    ...

    That 4/20 apparent date of the code theft brings us to another puzzling aspect of this case: Schulte doesn’t really appear to have any overt ideological motivations, although he is described as an Ayn Rand-loving libertarian. And that brings us to the accounts from teenage associates who recount that Schulte was notorious for drawing swastikas. Now, being a teen, it’s not inconceivable that this was just attention-getting behavior. But considering the extreme nature of Schulte’s personality, you have to wonder if we’re dealing with a closet Nazi here. And that brings up the broader issue raised by this story: so what kind of people is the CIA hiring in its quest for technical skill?

    ...
    When the news broke that Schulte was a suspect in the Vault 7 leak, Chrissy Covington, a d.j. and a radio personality in Lubbock who had attended junior high school with him, took to Facebook to express her surprise. “The gravity of his crimes? OMG. Y’all,” she wrote, in a group chat with several classmates who had also known Schulte. Covington and Schulte had been friendly; as teen-agers, they chatted on AOL Instant Messenger. She was surprised to learn not only that he might be the leaker but also that the C.I.A. had given him a job in the first place. “How could you hire Josh Schulte?” she said when I spoke to her recently. “007 he’s not.” Schulte had always struck Covington as an “oddball,” but mostly harmless. On Facebook, however, she started to hear from classmates who shared unpleasant memories of Schulte crossing boundaries and making others uncomfortable. Several former classmates recalled to me that Schulte was infamous for drawing swastikas in school, and that, on at least one occasion, he did so on the yearbook of a Jewish student.

    ...

    Schulte’s friend Kavi Patel acknowledged that Schulte would “draw swastikas all over the place.” He wasn’t anti-Semitic, Patel contended; he just relished getting a rise out of people. He recalled Schulte telling him, “I don’t really care one way or the other, but it’s fun to see the shock on people’s faces.” Patel was also in the junior-high band. When I asked him if he remembered Schulte exposing himself, he said that he never witnessed it, but had heard about it happening “two or three times.” According to Patel, Schulte seemed to confirm it to him on one occasion: “I was, like, ‘Dude, did you do this?’ And he was, like, ‘Heh, heh.’ ” Patel added, “It’s not something that’s out of his character. At all.” (Presented with these allegations, several attorneys who have represented Schulte had no comment. Deanna recalled learning that Joshua had drawn a swastika in his notes for a lesson on the Second World War, but she and Roger said that they were not aware of other incidents involving swastikas or the junior-high band. They dispute the classmate’s recollection of the incident on the school bus.)

    ...

    We live in an era that has been profoundly warped by the headstrong impulses of men who are technically sophisticated but emotionally immature. From the whoopie-cushion antics of Elon Musk to the Panglossian implacability of Mark Zuckerberg, a particular personality profile dominates these times: the boy emperor. While reporting this article, I often wondered how the C.I.A. could have missed the obvious combustibility of this profile when it hired Schulte and gave him a security clearance. In order to get an agency job, Schulte had been subjected to a battery of tests—but, when his lawyers tried to obtain the psychological profile that the agency had produced on him, the C.I.A. would not turn it over. Perhaps, as the agency took up digital spying and sought to bolster its hacking capability, it deëmphasized qualities like emotional stability and sang-froid, and turned a blind eye to the sorts of erratic or antisocial tendencies that are widely accepted in Silicon Valley (and even embraced as the price of genius). The agency may have been blinkered about Schulte’s destructive potential because it had concluded that this was simply how coders behave. I sometimes found myself wondering whether Schulte was more idiot or savant.
    ...

    Then there’s the other massively disturbing, and yet puzzling, aspect of this story: Schulte was in possession of a large trove of child pornography. The trove was discovered by investigators during their search of Schulte’s computers. So did Schulte seriously steal and leak the CIA’s hacking tools while he was simultaneously collecting child porn? It appears so. Schulte even seemed to admit it in his statements that dismissed the discovery, declaring that “The crime I am charged with is in fact a non-violent, victimless crime.” It points towards the extreme nature of Schulte’s psychology:

    ...
    The investigators had a warrant to search Schulte’s apartment, so they all went together to his building, on Thirty-ninth Street. It was full of computer equipment. When F.B.I. agents obtained a warrant for Schulte’s search history from Google, they discovered that, starting in August, 2016—when he was preparing to leave the C.I.A.—he had conducted thirty-nine searches related to WikiLeaks. In the hours after WikiLeaks posted Vault 7, he searched for “F.B.I.,” and read articles with such titles as “F.B.I. Joins C.I.A. in Hunt for Leaker.” For a guy who was a supposed expert in information warfare, Schulte seemed shockingly sloppy when it came to his own operational security. Even so, the F.B.I. hadn’t found a smoking gun. It had amassed circumstantial evidence tying Schulte to the Vault 7 leak, but it hadn’t found any record of him transmitting data to WikiLeaks—or, indeed, any proof that the secret files had ever been in his possession.

    ...

    One of the passwords let the investigators bypass the encryption on the virtual machine. Inside, they found a home directory—also encrypted. They consulted Schulte’s phone again, and, sure enough, another stored password unlocked the directory. Next, they found an encrypted digital lockbox—a third line of defense. But, using encryption software and the same password that had unlocked the virtual machine, they managed to access the contents. Inside was a series of folders. When the investigators opened them, they found an enormous trove of child pornography.

    ...

    When Schulte was in college, he argued on his blog that pornography is a form of free expression which “is not degrading to women” and “does not incite violence.” He went on, “Porn stars obviously enjoy what they do, and they make quite a bit of money off it.” Of course, some women are coerced into pornography, and if you mistake the simulated enjoyment in a porn performance for the real thing then you don’t understand much about the industry. But more to the point: child pornography is not free expression; it’s a crime. After Schulte realized that the illicit archive had been discovered, he claimed that the collection—more than ten thousand images and videos—didn’t belong to him. In college, he had maintained a server on which friends and acquaintances could store whatever they wanted. Unbeknownst to him, he contended, people had used the server to hide contraband. He “had so many people accessing it he didn’t care what people put on it,” Roger Schulte told the Times.

    But, according to the F.B.I., as agents gathered more evidence they unearthed chat logs in which Schulte conversed about child pornography with fellow-enthusiasts. “Where does one get kiddie porn anyways?” Schulte asked, in a 2009 exchange. This was another instance in which Schulte seemed recklessly disinclined to cover his tracks. His Google search history revealed numerous queries about images of underage sex. In the chat logs, people seeking or discussing child pornography tended to use pseudonyms. One person Schulte interacted with went by “hbp.” Another went by “Sturm.” Josh’s username was “Josh.” At one point, he volunteered to grant his new friends access to the child-porn archive on his server. He had titled it /home/josh/http/porn. Sturm, taken aback, warned Schulte to “rename these things for god’s sake.”

    ...

    On August 24, 2017, at 5:30 a.m., a dozen armed federal agents hammered on the door of his apartment in Manhattan, startling him awake. Once inside, they bellowed, “Turn around and put your hands behind your back!” According to an account written by Schulte, he was led “like a prized dog” into the federal courthouse in lower Manhattan, where he was cuffed and shackled, then turned over to the U.S. Marshals. At this point, the F.B.I. and federal prosecutors had been investigating Schulte’s possible role in the Vault 7 leak for five months, but they still hadn’t indicted him. Instead, they now charged him with “receipt, possession, and transportation” of child pornography. Schulte pleaded not guilty. When he heard that the government was pushing to keep him detained pending trial, his stomach dropped. “The crime I am charged with is in fact a non-violent, victimless crime,” he objected, displaying an obdurate heedlessness when it comes to how child pornography is made. (In a recent court filing, Schulte asserted that he has been “falsely accused” of acquiring child pornography.)
    ...

    Despite this pretty compelling circumstantial evidence, Schulte’s first trial ended in a mistrial, attributed in part to the highly technical nature of the evidence against him. A new trial is scheduled to start next week. Note part of the presumed reason for the mistrial: Schulte’s defense appeared to have successfully argued to the jury that the CIA’s networks were so unprotected that there’s no reason to assume Schulte was the culprit:

    ...
    But all this was quite a complex fact pattern to present to a jury, involving virtual machines and administrative privileges and backups and logs; much of the expert testimony presented by the prosecutors was bewilderingly technical. Shroff, meanwhile, insisted that Schulte hadn’t stolen the data. Perhaps someone else in the office—or at the agency—had done it. The real outrage was that a crucial C.I.A. computer network, DevLAN, had been unprotected. Hundreds of people had access to DevLAN, including not just C.I.A. employees but contractors. The C.I.A.’s hackers appear to have disregarded even the kinds of elementary information-security protocols that any civilian worker bee can recite from mandatory corporate training. Coders exchanged passwords with one another, and sometimes shared sensitive details on Post-it notes. They used passwords that were laughably weak, including 123ABCdef. (A classified damage assessment conducted by the C.I.A. after the Vault 7 exposure concluded that security procedures had indeed been “woefully lax,” and that the agency’s hackers “prioritized building cyber weapons at the expense of securing their own systems.”)

    ...

    As the jurors began deliberations, they sent out a series of notes with questions that seemed to indicate some genuine confusion about the technical aspects of the government’s case. On March 9th, they convicted Schulte of two lesser charges—contempt of court and lying to the F.B.I.—but hung on the eight more serious counts, including those accusing him of transmitting national-security secrets to WikiLeaks. Judge Crotty declared a mistrial.

    ...

    The new trial is scheduled to begin on June 13th. The government seems unlikely to present quite as much evidence of Schulte’s antisocial behavior this time. It may abbreviate the technical evidence, too. The proceedings, however, will remain blanketed in secrecy: Matthew Russell Lee, an independent journalist who covered the first trial, recently filed an objection to the government’s motion to seal the courtroom during testimony from C.I.A. officers, but it appears that that condition will again apply. Schulte, meanwhile, has sought to call no fewer than forty-eight current or former C.I.A. employees as witnesses. One of the people he has tried to summon is Amol. At a recent hearing, Schulte suggested that, if the evidence he requests is too sensitive to transport to the scif, perhaps “they should take me to the C.I.A.” Judge Furman responded flatly, “You are not going to the C.I.A.”
    ...

    We’ll find out how the government’s second attempt at prosecuting Schulte goes. We’ll presumably find out reasonably soon, with the trial about to get underway. But whether or not we’ll ever get satisfactory answers to the numerous major outstanding questions surrounding this story is very much an open question. That includes the open question of whether the existence of these hacking toolkits that are built to mimic hacks from rival powers will ever be meaningfully acknowledged in our collective analysis of these events.

    Posted by Pterrafractyl | June 7, 2022, 4:45 pm
