WFMU-FM is podcasting For The Record–You can subscribe to the podcast HERE.
This broadcast was recorded in one, 60-minute segment.
Introduction: As indicated by the title, this broadcast updates the high-profile hacks, at the epicenter of “Russia Gate,” the brutal political fantasy that is at the core of American New Cold War propaganda and that may well lead to World War III.
(Other programs dealing with this subject include: FTR #s 917, 923, 924, 940, 943, 958, 959.)
As we have noted in many previous broadcasts and posts, cyber attacks are easily disguised. Perpetrating a “cyber false flag” operation is disturbingly easy to do. In a world where the verifiably false and physically impossible “controlled demolition”/Truther nonsense has gained traction, cyber false flag ops are all the more threatening and sinister.
Now, we learn that the CIA’s hacking tools are specifically crafted to mask CIA authorship of the attacks. Most significantly, for our purposes, is the fact that the Agency’s hacking tools are engineered in such a way as to permit the authors of the event to represent themselves as Russian.
This is of paramount significance in evaluating the increasingly neo-McCarthyite New Cold War propaganda about “Russian interference” in the U.S. election.
We then highlight the recent conclusions of the French cyberintelligence chief (Guillaume Poupard) and his warnings about the incredible dangers of cyber-misattribution–the ease with which any random hacker could carry out a spear-phishing attack, and his bafflement at the NSA’s recent Russian attribution of the spear-phishing French election hacks.
Characteristic of the disingenuous, propagandistic spin of American news media on Putin/Russia/the high profile hacks is a New York Times article that accuses Putin of laying down a propaganda veil to cover for alleged Russian hacking, omitting his remarks that–correctly–note that contemporary technology easily permits the misattribution of cyber espionage/hacking.
We then review the grotesquely dark comic nature of the Macron hacks (supposedly done by “Russian intelligence”.)
Those “Russian government hackers” really need an OPSEC refresher course. The hacked documents in the “Macron hack” not only contained Cyrillic text in the metadata, but also contained the name of the last person to modify the documents. That name, “Roshka Georgiy Petrovich”, is that of a current or former employee of Evrika, a large IT company that does work for the Russian government, including the FSB (Russian intelligence).
Also found in the metadata is the email of the person who uploaded the files to “archive.org”, and that email address, frankmacher1@gmx.de, is registered with a German free webmail provider used previously in 2016 phishing attacks against the CDU in Germany that have been attributed to APT28. It would appear that the “Russian hackers” not only left clues suggesting it was Russian hackers behind the hack, but they decided to name names this time–their own names.
In related news, a group of cybersecurity researchers studying the Macron hack has concluded that the modified documents were doctored by someone associated with The Daily Stormer neo-Nazi website and Andrew “the weev” Auernheimer.
Auernheimer was a guest at Glenn Greenwald and Laura Poitras’s party celebrating their receipt of the Polk award.
“We strongly believe that the fake offshore documents were created by someone with control of the Daily Stormer server,” said Tord Lundström, a computer forensics investigator at Virtualroad.org. . . .
The public face, site publisher of The Daily Stormer is Andrew Anglin. But look who the site is registered to: Andrew Auernheimer (the site architect) who apparently resided in Ukraine as of the start of this year.
The analysis from the web-security firm Virtualroad.org indicates that someone associated with the Daily Stormer modified those faked documents–very possibly a highly skilled neo-Nazi hacker like “the weev”.
Based on analysis of how the document dump unfolded, it’s looking like the inexplicably self-incriminating “Russian hackers” may have been a bunch of American neo-Nazis. Imagine that.
In FTR #917, we underscored the genesis of the Seth Rich murder conspiracy theory with WikiLeaks and Julian Assange, who was in touch with Roger Stone during the 2016 campaign. (Stone functioned as the unofficial dirty tricks specialist for the Trump campaign, a role he has played–with relish–since Watergate.)
The far-right Seth Rich murder conspiracy theory acquired new gravitas, thanks in part to Kim Schmitz, aka “Kim Dotcom.” We examined Schmitz at length in FTR #812. A synoptic overview of the political and professional orientation of Kim Dotcom is excerpted from that broadcast’s description: “A colleague of Eddie the Friendly Spook [Snowden], Julian Assange and Glenn Greenwald, Kim Schmitz [aka “Kim Dotcom”] espouses the same libertarian/free market ideology underlying the “corporatism” of Benito Mussolini. With an extensive criminal record in Germany and elsewhere, “Der Dotcommandant” has eluded serious punishment for his offenses, including executing the largest insider trading scheme in German history.
Embraced by the file-sharing community and elements of the so-called progressive sector, Dotcom actually allied himself with John Banks and his far-right ACT Party in New Zealand. His embrace of the so-called progressive sector came later and is viewed as having damaged left-leaning parties at the polls. Dotcom is enamored of Nazi memorabilia and owns a rare, author-autographed copy of ‘Mein Kampf.’ . . .”
Program Highlights Include:
- The dissemination of the Seth Rich disinformation by Fox News and Rush Limbaugh, generated by WikiLeaks, Roger Stone and Kim Dotcom.
- Kim Dotcom’s tweeting of an admittedly phony document about the Seth Rich BS.
- Dotcom’s refusal to retract his tweet of the phony document.
- Review of the Shadow Brokers non-hack of the NSA.
- Review of the Shadow Brokers use of white supremacist propaganda.
- Review of the role of CrowdStrike’s Dmitri Alperovitch in the dissemination of the “Russia did it” propaganda.
- Review of the role of Ukrainian fascist Alexandra Chalupa in the dissemination of the “Russia did it” propaganda.
1a. As we have noted in many previous broadcasts and posts, cyber attacks are easily disguised. Perpetrating a “cyber false flag” operation is disturbingly easy to do. In a world where the verifiably false and physically impossible “controlled demolition”/Truther nonsense has gained traction, cyber false flag ops are all the more threatening and sinister.
Now, we learn that the CIA’s hacking tools are specifically crafted to mask CIA authorship of the attacks. Most significantly, for our purposes, is the fact that the Agency’s hacking tools are engineered in such a way as to permit the authors of the event to represent themselves as Russian.
This is of paramount significance in evaluating the increasingly neo-McCarthyite New Cold War propaganda about “Russian interference” in the U.S. election.
This morning, WikiLeaks released part 3 of its Vault 7 series, called Marble. Marble reveals CIA source code files along with decoy languages that might disguise viruses, trojans, and hacking attacks. These tools could make it more difficult for anti-virus companies and forensic investigators to attribute hacks to the CIA. Could this call the source of previous hacks into question? It appears that yes, this might be used to disguise the CIA’s own hacks to appear as if they were Russian, Chinese, or from specific other countries. These tools were in use in 2016, WikiLeaks reported.
It’s not known exactly how this Marble tool was actually used. However, according to WikiLeaks, the tool could make it more difficult for investigators and anti-virus companies to attribute viruses and other hacking tools to the CIA. Test examples weren’t just in English, but also Russian, Chinese, Korean, Arabic, and Farsi. This might allow a malware creator to not only look like they were speaking in Russian or Chinese, rather than in English, but to also look like they tried to hide that they were not speaking English, according to WikiLeaks. This might also hide fake error messages or be used for other purposes. . . .
1b. We then review the recent conclusions of the French cyberintelligence chief and his warnings about the incredible dangers of cyber-misattribution–the ease with which any random hacker could carry out a spear-phishing attack, and his bafflement at the NSA’s recent Russian attribution of the spear-phishing French election hacks.
“French Security Chief Warns of Risk for “Permanent War” in Cyberspace”; CBS News; 06/02/2017
Cyberspace faces an approaching risk of “permanent war” between states and criminal or extremist organizations because of increasingly destructive hacking attacks, the head of the French government’s cybersecurity agency warned Thursday.
In a wide-ranging interview in his office with The Associated Press, Guillaume Poupard lamented a lack of commonly agreed rules to govern cyberspace and said: “We must work collectively, not just with two or three Western countries, but on a global scale.”
“With what we see today – attacks that are criminal, from states, often for espionage or fraud but also more and more for sabotage or destruction – we are getting closer, clearly, to a state of war, a state of war that could be more complicated, probably, than those we’ve known until now,” he said.
His comments echoed testimony from the head of the U.S. National Security Agency, Adm. Michael Rogers, to the Senate Armed Services Committee on May 9. Rogers spoke of “cyber effects” being used by states “to maintain the initiative just short of war” and said: “‘Cyber war’ is not some future concept or cinematic spectacle, it is real and here to stay.”
Poupard said “the most nightmare scenario, the point of view that Rogers expressed and which I share” would be “a sort of permanent war — between states, between states and other organizations, which can be criminal and terrorist organizations — where everyone will attack each other, without really knowing who did what. A sort of generalized chaos that could affect all of cyberspace.”
Poupard is director general of the government cyber-defense agency known in France by its acronym, ANSSI. Its agents were immediately called to deal with the aftermath of a hack and massive document leak that hit the election campaign of President Emmanuel Macron just two days before his May 7 victory.
Macron’s political movement said the unidentified hackers accessed staffers’ personal and professional emails and leaked campaign finance material and contracts — as well as fake decoy documents — online.
Contrary to Rogers, who said the U.S. warned France of “Russian activity” before Macron’s win, Poupard didn’t point the finger at Russia. He told the AP that ANSSI’s investigation found no trace behind the Macron hack of the notorious hacking group APT28 — identified by the U.S. government as a Russian intelligence outfit and blamed for hacks of the U.S. election campaign, anti-doping agencies and other targets. The group also is known by other names, including “Fancy Bear.”
Poupard described the Macron campaign hack as “not very technological” and said: “The attack was so generic and simple that it could have been practically anyone.”
Without ruling out the possibility that a state might have been involved, he said the attack’s simplicity “means that we can imagine that it was a person who did this alone. They could be in any country.”
“It really could be anyone. It could even be an isolated individual,” he said.
Poupard contrasted the “Macron Leaks” hack with another far more sophisticated attack that took French broadcaster TV5 Monde off the air in 2015. There, “very specific tools were used to destroy the equipment” in the attack that “resembles a lot what we call collectively APT28,” he said.
“To say ‘Macron Leaks’ was APT28, I’m absolutely incapable today of doing that,” he said. “I have absolutely no element to say whether it is true or false.”
Rogers, the NSA director, said in his Senate Armed Services hearing that U.S. authorities gave their French counterparts “a heads-up” before the Macron documents leaked that: “‘We are watching the Russians. We are seeing them penetrate some of your infrastructure. Here is what we have seen. What can we do to try to assist?’”
Poupard said Rogers’ comments left him perplexed and that the French had long been on alert about potential threats to their presidential election.
“Why did Admiral Rogers say that, like that, at that time? It really surprised me. It really surprised my European allies. And to be totally frank, when I spoke about it to my NSA counterparts and asked why did he say that, they didn’t really know how to reply either,” he said. “Perhaps he went further than what he really wanted to say.”
Still, Poupard said the attack highlighted the cyber-threat to democratic processes. “Unfortunately, we now know the reality that we are going to live with forever, probably,” he said.
…
The attack on TV5 was a rare public example. In 2016, others targeted government administrations and big companies quoted on the benchmark French stock market index, the CAC-40, he said.
Pointing fingers at suspected authors is fraught with risk, because sophisticated attackers can mask their activities with false trails, he said.
“We suffered attacks that were attributed to China, that we think came from China. Among them, some came from China. China is big, I don’t know if it was the state, criminals,” he said. “What I am certain of is that among these attacks, some strangely resembled Chinese attacks but in fact didn’t come from China.”
“If you start to accuse one country when in fact it was another country … we’ll get international chaos,” he said. “We’ll get what we all fear, which is to say a sort of permanent conflict where everyone is attacking everyone else.”
1c. Mr. Poupard declined to endorse the NSA/U.S. assertion that APT28, aka “Fancy Bear”/“Russia,” hacked the French election.
The head of the French government’s cyber security agency, which investigated leaks from President Emmanuel Macron’s election campaign, says they found no trace of a notorious Russian hacking group behind the attack.
In an interview in his office Thursday with The Associated Press, Guillaume Poupard said the Macron campaign hack “was so generic and simple that it could have been practically anyone.”
He said they found no trace that the Russian hacking group known as APT28, blamed for other attacks including on the U.S. presidential campaign, was responsible.
Poupard is director general of the government cyber-defense agency known in France by its acronym, ANSSI. Its experts were immediately dispatched when documents stolen from the Macron campaign leaked online on May 5 in the closing hours of the presidential race.
Poupard says the attack’s simplicity “means that we can imagine that it was a person who did this alone. They could be in any country.”
2. A New York Times article by Andrew Higgins (one of the more flagrantly propagandizing NYT writers vis-à-vis Russia/Ukraine) spins Vladimir Putin’s comments about Russian hacking. The Times portrayed his comments as “giving an out” to the nonsense about Russia hacking U.S. elections. What the Times eclipsed (along with other U.S. media) was the conclusion of Putin’s comments: he noted that hacking is very easily disguised and misrepresented.
. . . . An expert at muddying the waters and creating confusion, Mr. Putin advanced a number of alternative theories that could help Moscow address any firm evidence that might emerge as a trail leading to Russia.
Stating that modern technology can easily be manipulated to create a false trail, he said, “I can imagine that someone is doing this purposefully — building the chain of attacks so that the territory of the Russian Federation appears to be the source of that attack.” He added, “Modern technologies allow to do that kind of thing; it’s rather easy to do.”
Mr. Putin appeared to be repeating an argument he first made earlier in the week in an interview with the French newspaper Le Figaro.
“I think that he was totally right when he said it could have been someone sitting on their bed or somebody intentionally inserted a flash drive with the name of a Russian national, or something like that,” Mr. Putin told the French newspaper, referring to Mr. Trump. “Anything is possible in this virtual world. Russia never engages in activities of this kind, and we do not need it. It makes no sense for us to do such things. What for?” . . .
3. Those “Russian government hackers” really need an OPSEC refresher course. The hacked documents in the “Macron hack” not only contained Cyrillic text in the metadata, but also contained the name of the last person to modify the documents. And that name, “Roshka Georgiy Petrovich”, is that of a current or former employee of Evrika, a large IT company that does work for the Russian government, including the FSB.
Also found in the metadata is the email of the person who uploaded the files to “archive.org”, and that email address, frankmacher1@gmx.de, is registered with a German free webmail provider used previously in 2016 phishing attacks against the CDU in Germany that have been attributed to APT28. It would appear that the ‘Russian hackers’ not only left clues suggesting it was Russian hackers behind the hack, but they decided to name names this time–their own names.
Not surprisingly, given the fascist nature of WikiLeaks, they concluded that Russia was behind the hacks. (For more on the fascist nature of WikiLeaks, see FTR #s 724, 725, 732, 745, 755, 917.)
Russian security firms’ metadata found in files, according to WikiLeaks and others.
Late on May 5 as the two final candidates for the French presidency were about to enter a press blackout in advance of the May 7 election, nine gigabytes of data allegedly from the campaign of Emmanuel Macron were posted on the Internet in torrents and archives. The files, which were initially distributed via links posted on 4Chan and then by WikiLeaks, had forensic metadata suggesting that Russians were behind the breach—and that a Russian government contract employee may have falsified some of the dumped documents.
Even WikiLeaks, which initially publicized the breach and defended its integrity on the organization’s Twitter account, has since acknowledged that some of the metadata pointed directly to a Russian company with ties to the government:
#MacronLeaks: name of employee for Russian govt security contractor Evrika appears 9 times in metadata for “xls_cendric.rar” leak archive pic.twitter.com/jyhlmldlbL— WikiLeaks (@wikileaks) May 6, 2017
Evrika (“Eureka”) ZAO is a large information technology company in St. Petersburg that does some work for the Russian government, and the group includes the Federal Security Service of the Russian Federation (FSB) among its acknowledged customers (as noted in this job listing). The company is a systems integrator, and it builds its own computer equipment and provides “integrated information security systems.” The metadata in some Microsoft Office files shows the last person to have edited the files to be “Roshka Georgiy Petrovich,” a current or former Evrika ZAO employee.
According to a Trend Micro report on April 25, the Macron campaign was targeted by the Pawn Storm threat group (also known as “Fancy Bear” or APT28) in a March 15 “phishing” campaign using the domain onedrive-en-marche.fr. The domain was registered by a “Johny Pinch” using a Mail.com webmail address. The same threat group’s infrastructure and malware was found to be used in the breach of the Democratic National Committee in 2016, in the phishing attack targeting members of the presidential campaign of former Secretary of State Hillary Clinton, and in a number of other campaigns against political targets in the US and Germany over the past year.
The metadata attached to the upload of the Macron files also includes some identifying data with an e‑mail address for the person uploading the content to archive.org:
Well this is fun pic.twitter.com/oXsH83snCS— Pwn All The Things (@pwnallthethings) May 6, 2017
The e‑mail address of the uploader, frankmacher1@gmx.de, is registered with a German free webmail provider used previously in 2016 Pawn Storm / APT28 phishing attacks against the Christian Democratic Union, German Chancellor Angela Merkel’s political party.
The involvement of APT28, the editing of some documents leaked by someone using a Russian version of Microsoft Office, and the attempt to spread the data through amplification in social media channels such as 4Chan, Twitter, and Facebook—where a number of new accounts posted links to the data—are all characteristics of the information operations seen during the 2016 US presidential campaign.
…
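The metadata findings in the article above (a lastModifiedBy name, Cyrillic strings, an uploader address) and the Marble discussion in item 1a rest on the same practitioner point: the authorship fields of an Office document live in docProps/core.xml, a plain XML part inside a zip archive, with no signature or integrity check, so anyone holding the file can read them and anyone can rewrite them. The following is an added example written for this page; it is not code from WikiLeaks, Ars Technica, Trend Micro or any analyst quoted here. It builds a minimal .docx in memory (a constructed sample, not the Macron archive), extracts the core properties the way a triage script would, then plants an arbitrary name, Cyrillic included, in lastModifiedBy. The names and timestamps in it are invented.

```python
"""Read and rewrite authorship metadata in an OOXML (docx/xlsx/pptx) package.

Added example for this page. It constructs a minimal .docx in memory (no real
document is used), reads docProps/core.xml, the part Office uses for
creator / lastModifiedBy / modified, then rewrites those fields with planted
values to show how cheaply such "attribution" evidence is forged. Stdlib only.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

CORE_PART = "docProps/core.xml"
_PKG = "http://schemas.openxmlformats.org/package/2006"
_OFFICE = "http://schemas.openxmlformats.org/officeDocument/2006"

# Smallest skeleton that still makes the zip a structurally valid .docx.
_CONTENT_TYPES = (
    f'<Types xmlns="{_PKG}/content-types">'
    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    f'<Override PartName="/{CORE_PART}" ContentType="application/vnd.openxmlformats-package.core-properties+xml"/>'
    "</Types>"
)
_RELS = (
    f'<Relationships xmlns="{_PKG}/relationships">'
    f'<Relationship Id="rId1" Type="{_OFFICE}/relationships/officeDocument" Target="word/document.xml"/>'
    f'<Relationship Id="rId2" Type="{_PKG}/relationships/metadata/core-properties" Target="{CORE_PART}"/>'
    "</Relationships>"
)
_DOCUMENT = (
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
    "<w:body><w:p><w:r><w:t>constructed sample</w:t></w:r></w:p></w:body></w:document>"
)


def build_core_xml(creator, last_modified_by, modified):
    """Serialise a core.xml part. ElementTree does the escaping, so any Unicode
    (Cyrillic included) can be planted in the name fields."""
    root = ET.Element(f"{{{NS['cp']}}}coreProperties")
    ET.SubElement(root, f"{{{NS['dc']}}}creator").text = creator
    ET.SubElement(root, f"{{{NS['cp']}}}lastModifiedBy").text = last_modified_by
    mod = ET.SubElement(root, f"{{{NS['dcterms']}}}modified",
                        {f"{{{NS['xsi']}}}type": "dcterms:W3CDTF"})
    mod.text = modified
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def build_docx(core_xml):
    """Assemble a minimal .docx (a zip of XML parts) around the given core.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", _CONTENT_TYPES)
        zf.writestr("_rels/.rels", _RELS)
        zf.writestr("word/document.xml", _DOCUMENT)
        zf.writestr(CORE_PART, core_xml)
    return buf.getvalue()


def read_core_properties(docx_bytes):
    """What a forensic triage script does: pull the authorship fields out of core.xml."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read(CORE_PART))
    return {
        "creator": root.findtext("dc:creator", default="", namespaces=NS),
        "last_modified_by": root.findtext("cp:lastModifiedBy", default="", namespaces=NS),
        "modified": root.findtext("dcterms:modified", default="", namespaces=NS),
    }


def list_parts(docx_bytes):
    """Names of every part in the package, in archive order."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        return zf.namelist()


def forge_core_properties(docx_bytes, **overrides):
    """Return a copy of the document with chosen core.xml fields replaced. Every
    other part is copied byte-for-byte; nothing in the format detects the edit."""
    props = read_core_properties(docx_bytes)
    props.update(overrides)
    new_core = build_core_xml(props["creator"], props["last_modified_by"], props["modified"])
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zin, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zout:
        for info in zin.infolist():
            data = new_core if info.filename == CORE_PART else zin.read(info)
            zout.writestr(info, data)
    return out.getvalue()


def has_cyrillic(text):
    """True if any character falls in the basic Cyrillic block (U+0400..U+04FF)."""
    return any("\u0400" <= ch <= "\u04ff" for ch in text)


if __name__ == "__main__":
    # Constructed sample: an English-named author, then a planted Cyrillic name.
    original = build_docx(build_core_xml("analyst", "analyst", "2017-05-05T18:00:00Z"))
    print("before:", read_core_properties(original))
    forged = forge_core_properties(original, last_modified_by="Иван Иванович Иванов")
    after = read_core_properties(forged)
    print("after: ", after, "cyrillic:", has_cyrillic(after["last_modified_by"]))
```

To run it on a real document, pass the file's bytes to read_core_properties(). The lesson for attribution work is that a name or language in core.xml is evidence of what the file says, not of who edited it; it should be weighed as one weak indicator against infrastructure, tooling and timing artifacts that an adversary would also have to plant consistently.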
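Trend Micro's finding above, a phishing domain onedrive-en-marche.fr built from the campaign's real name, is the kind of lookalike Poupard calls "generic and simple": it takes no exploit, only a registrar. The following is an added example for this page, not code from Trend Micro, ANSSI or the Macron campaign. It scores candidate domains against a protected brand for the common lookalike patterns (a service word bolted on, a TLD swap, a typo within edit distance two, accented or Cyrillic homoglyph letters, including when delivered as punycode). The candidate list is constructed apart from onedrive-en-marche.fr itself, the brand en-marche.fr is assumed, the homoglyph table is a small illustrative one, and the last label is treated as the TLD (no public-suffix list), which is a simplification.

```python
"""Flag lookalike domains for a protected brand.

Added example for this page. Given a brand such as en-marche.fr, classify()
reports why a candidate resembles it: a service word prepended or appended
(onedrive-en-marche.fr), a TLD swap, a typo within edit distance two, or
accented / Cyrillic homoglyph letters, including in punycode form.
Assumptions: last label is the TLD (no public-suffix list); the homoglyph
table is illustrative, not exhaustive. Standard library only.
"""
import unicodedata

# Substitutions folded to the Latin letter they imitate. The Cyrillic entries
# are letters whose glyphs are visually identical to Latin ones.
HOMOGLYPHS = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y",
    "0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m", "cl": "d",
}
SERVICE_WORDS = ("onedrive", "login", "mail", "webmail", "secure", "account",
                 "drive", "portal", "sharepoint", "verify")


def normalize(domain):
    """Lowercase, decode punycode, strip accents and fold homoglyphs."""
    d = domain.strip().rstrip(".").lower()
    try:
        d = d.encode("ascii").decode("idna")   # xn-- labels -> Unicode
    except UnicodeError:
        pass                                   # already Unicode, or not valid IDNA
    d = unicodedata.normalize("NFKD", d)
    d = "".join(ch for ch in d if not unicodedata.combining(ch))
    for glyph, plain in HOMOGLYPHS.items():
        d = d.replace(glyph, plain)
    return d


def levenshtein(a, b):
    """Classic edit distance; inputs are short, so the full DP table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate, brand):
    """Return why the candidate resembles the brand, or None if it does not.
    The brand itself and its genuine subdomains return None."""
    raw_c = candidate.strip().rstrip(".").lower()
    raw_b = brand.strip().rstrip(".").lower()
    if raw_c == raw_b or raw_c.endswith("." + raw_b):
        return None
    c, b = normalize(raw_c), normalize(raw_b)
    c_name, _, c_tld = c.rpartition(".")
    b_name, _, b_tld = b.rpartition(".")
    if c_name == b_name:                       # identical only after folding
        return "homoglyph" if c_tld == b_tld else "tld-swap"
    if b_name in c_name:
        extra = c_name.replace(b_name, "", 1).strip("-.")
        if any(word in extra for word in SERVICE_WORDS):
            return "combosquat:" + extra
        return "contains-brand"
    if levenshtein(c_name, b_name) <= 2:
        return "typosquat"
    return None


def triage(candidates, brand):
    """Return {domain: reason} for every candidate that looks like the brand."""
    hits = {}
    for domain in candidates:
        reason = classify(domain, brand)
        if reason:
            hits[domain] = reason
    return hits


if __name__ == "__main__":
    # Constructed feed; only onedrive-en-marche.fr is a domain reported on this page.
    feed = [
        "onedrive-en-marche.fr", "en-marche.com", "enmarche.fr",
        "\u0435n-marche.fr".encode("idna").decode("ascii"),   # Cyrillic 'е' as punycode
        "mail.en-marche.fr", "en-marche-login.net", "lemonde.fr",
    ]
    for domain, reason in triage(feed, "en-marche.fr").items():
        print(f"{domain:40} {reason}")
```

Fed with a daily newly-registered-domain or certificate-transparency feed, triage() gives a first pass; the combosquat and homoglyph hits are the ones worth pre-registering or blocking at the mail gateway, because they are exactly what a "generic and simple" spear-phish needs and nothing more.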
4. In related news, a group of cybersecurity researchers studying the Macron hack has concluded that the modified documents were doctored by someone associated with The Daily Stormer neo-Nazi website and Andrew “the weev” Auernheimer.
Auernheimer was a guest at Glenn Greenwald and Laura Poitras’s party celebrating their receipt of the Polk award.
“We strongly believe that the fake offshore documents were created by someone with control of the Daily Stormer server,” said Tord Lundström, a computer forensics investigator at Virtualroad.org. . . .
Who is in control of the Daily Stormer? Well, its public face and publisher is Andrew Anglin. But look who the site is registered to: Andrew Auernheimer, who apparently resided in Ukraine as of the start of this year:
The analysis from the web-security firm Virtualroad.org indicates that someone associated with the Daily Stormer modified those faked documents. Perhaps a highly skilled neo-Nazi hacker like “the weev”.
Based on an analysis of how the document dump unfolded it’s looking like the inexplicably self-incriminating ‘Russian hackers’ may have been a bunch of American neo-Nazis. Imagine that.
Ties between an American’s neo-Nazi website and an internet campaign to smear Macron before French election are found
A group of cybersecurity experts has unearthed ties between an American hacker who maintains a neo-Nazi website and an internet campaign to smear Emmanuel Macron days before he was elected president of France.
Shortly after an anonymous user of the 4chan.org discussion forum posted fake documents purporting to show Mr. Macron had set up an undisclosed shell company in the Caribbean, the user directed people to visit nouveaumartel.com for updates on the French election.
That website, according to research by web-security provider Virtualroad.org, is registered by “Weevlos,” a known online alias of Andrew Auernheimer, an American hacker who gained notoriety three years ago when a U.S. appeals court vacated his conviction for computer fraud. The site also is hosted by a server in Latvia that hosts the Daily Stormer, a neo-Nazi news site that identifies its administrator as “Weev,” another online alias of Mr. Auernheimer, Virtualroad.org says.
“We strongly believe that the fake offshore documents were created by someone with control of the Daily Stormer server,” said Tord Lundström, a computer forensics investigator at Virtualroad.org.
Through Tor Ekeland, the lawyer who represented him in the computer-fraud case in the U.S., Mr. Auernheimer said he “doesn’t have anything to say.”
A French security official said a probe into the fake documents was looking into the role of far-right and neo-Nazi groups but declined to comment on the alleged role of Mr. Auernheimer.
In the run-up to the French election, cybersecurity agencies warned Mr. Macron’s aides that Russian hackers were targeting his presidential campaign, according to people familiar with the matter. On May 5, nine gigabytes of campaign documents and emails were dumped on the internet. The Macron campaign and French authorities have stopped short of pinning blame for the hack on the Kremlin.
Intelligence and cybersecurity investigators examining the flurry of social-media activity leading up to the hack followed a trail of computer code they say leads back to the American far-right.
Contacted by email over the weekend, the publisher of the Daily Stormer, Andrew Anglin, said he and Mr. Auernheimer had used their news site to write about the fake documents because “We follow 4chan closely and have a more modern editorial process than most sites.”
When asked if he or Mr. Auernheimer were behind the fake documents, Mr. Anglin stopped replying.
Mr. Auernheimer was sentenced to 41 months in prison by a U.S. court in late 2012 for obtaining the personal data of thousands of iPad users through an AT&T website. In April 2014, an appeals court vacated his conviction on the grounds that the venue of the trial, in New Jersey, was improper.
Asked if Mr. Auernheimer resided in Ukraine, as a January post on a personal blog indicates, his lawyer said: “I think this is about right.”
The day after the data dump, French security officials summoned their U.S. counterparts stationed in Paris to formally request a probe of the role American far-right websites might have played in disseminating the stolen data, according to a Western security official. A U.S. security official had no comment.
Mounir Mahjoubi, who was in charge of computer security for Mr. Macron’s campaign said far-right groups, or “an international collective of conservatives,” may have coordinated to disrupt the French election.
“We will take time to do analysis, to deconstruct who really runs these groups,” Mr. Mahjoubi told French radio last week. He couldn’t be reached for comment.
French prosecutors have launched formal probes into both the fake documents and the data dump.
…
The phony documents intended to smear Mr. Macron were posted to 4chan.org twice by an anonymous user, first on May 3 and again on May 5 using higher-resolution files.
Soon after the second post, several 4chan.org users in the same online conversation below the post appeared to congratulate Mr. Auernheimer.
“Weev… you’re doing the lord’s work,” wrote one of the anonymous users.
…
That website, according to research by web-security provider Virtualroad.org, is registered by “Weevlos,” a known online alias of Andrew Auernheimer, an American hacker who gained notoriety three years ago when a U.S. appeals court vacated his conviction for computer fraud. The site also is hosted by a server in Latvia that hosts the Daily Stormer, a neo-Nazi news site that identifies its administrator as “Weev,” another online alias of Mr. Auernheimer, Virtualroad.org says.…
When asked if he or Mr. Auernheimer were behind the fake documents, Mr. Anglin stopped replying.
…
Asked if Mr. Auernheimer resided in Ukraine, as a January post on a personal blog indicates, his lawyer said: “I think this is about right.”
…
5. The far-right Seth Rich murder conspiracy theory acquired new gravitas, thanks in part to Kim Schmitz, aka “Kim Dotcom.” We examined Schmitz at length in FTR #812. A synoptic overview of the political and professional orientation of Kim Dotcom is excerpted from that broadcast’s description: “A colleague of Eddie the Friendly Spook [Snowden], Julian Assange and Glenn Greenwald, Kim Schmitz [aka “Kim Dotcom”] espouses the same libertarian/free market ideology underlying the “corporatism” of Benito Mussolini. With an extensive criminal record in Germany and elsewhere, “Der Dotcommandant” has eluded serious punishment for his offenses, including executing the largest insider trading scheme in German history.
Embraced by the file-sharing community and elements of the so-called progressive sector, Dotcom actually allied himself with John Banks and his far-right ACT Party in New Zealand. His embrace of the so-called progressive sector came later and is viewed as having damaged left-leaning parties at the polls. Dotcom is enamored of Nazi memorabilia and owns a rare, author-autographed copy of ‘Mein Kampf.’ . . .”
6. Right-wing media is going to keep biting on Dotcom’s nuggets of ‘testimony’, given its seemingly insatiable appetite for this storyline and its long-held appetite for seemingly any storyline that promotes the ‘Clinton Body Count’ narrative and portrays Hillary as ‘Killary’.
“The Bonkers Seth Rich Conspiracy Theory, Explained” by Jeff Guo; Vox; 05/24/2017
The life of Seth Rich, a 27-year-old Democratic National Committee staffer, ended nearly a year ago when he was shot to death near his house in Washington, DC. Then came the tragic and bizarre afterlife: Since July, Rich has been the focus of intense right-wing conspiracy theories that have only escalated as the Trump administration’s scandals have deepened.
As the police have repeatedly stated, there is no evidence that Rich’s death was anything other than the consequence of a botched robbery. But some people, especially on the right, believe Rich was murdered by the Clintons for knowing too much about something. The most recent theories claim that Rich, not the Russians, was responsible for leaking the emails, published in WikiLeaks, that revealed Democratic party leaders had talked disparagingly about Bernie Sanders.
Thanks to an erroneous Fox News story last week, which was finally retracted on Tuesday, Rich recently became the focus of an intense media blitz from conservative outlets — many of which were eager for something to talk about besides the scandals swirling around Donald Trump.
Fox News’s Sean Hannity was one of the most enthusiastic rumormongers, devoting segments on three separate occasions last week to Rich. Even after Fox News retracted its story, Hannity promised he would continue to investigate. “I retracted nothing,” he said defiantly on his radio show Tuesday.
Rich’s family has been begging right-wing news outlets to stop spreading unfounded rumors about him, but by now the situation seems to have gotten out of control.
In death, Rich has become a martyr to the right, buoyed by a host of characters each with their own ulterior motives: There is WikiLeaks founder Julian Assange, who wants to downplay the connections between WikiLeaks and the Russians; there are the Clinton haters, who want to spread the idea that the Clintons are murderers; there are the Trump supporters, who want to minimize the idea that Russian hackers helped deliver the election to their candidate; and there are the talking heads on Fox News, who last week needed something other than negative Trump stories to make conversation about.
We might not know who killed Seth Rich, but we do know who turned his legacy into a textbook study of where fake news comes from, how it spreads, and the victims it creates.
Seth Rich was murdered in a senseless act of violence
Seth Rich worked in Democratic politics for most of his career. He grew up and went to college in Omaha, Nebraska, where as a student he volunteered on two Democratic Senate campaigns. After graduating, he moved to Washington, DC, for a job at Greenberg Quinlan Rosner, a progressive opinion research and consulting firm. He was later hired by the Democratic National Committee, where he worked on a project to help people find where to vote.
On Sunday, July 10, Rich was shot to death about a block from where he lived in the Bloomingdale neighborhood of DC. Gunshot detection microphones place the time of the shooting at around 4:20 am. Rich had last been seen at around 1:30 am leaving Lou’s City Bar in Columbia Heights, about a 40-minute walk from where he lived.
It is unclear exactly what happened during those three intervening hours. The Washington Post reported that, according to his parents, cellphone records show that Rich called his girlfriend at 2:05 am and talked to her for more than two hours. He hung up just minutes before he was shot.
The police found Rich on the sidewalk with multiple gunshot wounds, at least two in the back. He still had his watch, his cellphone, and his wallet. There were signs of a struggle: bruises on his hands, knees, and face, and a torn wristwatch strap. According to the police report, he was still “conscious and breathing.” Family members say they were told that Rich was “very talkative,” though it is not publicly known if he was able to describe his assailant or assailants. Rich died a few hours later in the hospital.
The police suspected Rich had been the victim of an attempted robbery. Bloomingdale is a gentrifying part of Washington that still suffers from violent crime. In 2016, there were 24 reported robberies with a gun that occurred within a quarter-mile of the street corner where Rich was shot.
The first conspiracy theories grew out of the “Clinton body count” rumor
Almost immediately after news of Rich’s death, conspiracy theories began circulating on social media. A few factors helped make Rich a target of speculation:
* The murderers left behind Rich’s valuables. (Though, by that same paranoid logic, wouldn’t a professional hitman have taken Rich’s wallet and phone in order to make it look like a regular mugging?)
* Rich worked at the DNC, where in December there had been a minor scandal involving a software glitch that allowed the Bernie Sanders campaign to access private voter data collected by the Clinton campaign.
* Hillary Clinton had just clinched the nomination after a surprisingly bruising primary, and there were still sore feelings in the air.
* There’s a long-running conspiracy theory that the Clintons have assassinated dozens of their political enemies.
If those facts don’t seem to add up to a coherent story, well, you’re thinking too hard. Conspiracy theories don’t operate logically. They start from an assumption — for instance, “the Clintons are shady” — and spiral outward in search of corroboration.
On Reddit, for instance, one user wrote a 1,400-word post listing things that he found “suspicious.” Here were some of the stray facts the redditor claimed were evidence of a hit job by the DNC or the Clintons:
* Rich’s former employer, Greenberg Quinlan Rosner, once did some consulting work for British Petroleum. (“Is it possible that Mr. Rich was aware of the public’s disdain for oil industry/fracking?”)
* Rich once worked on Ben Nelson’s campaign for senator. (“[Nelson] contributed a crucial vote to help pass Obamacare back in 2009.”)
* The political conventions were coming up. (“The TIMING of this tragedy seems too ‘coincidental’”)
It’s unclear what any of these facts have to do with the Clintons, but somehow the Reddit user concluded: “given his position & timing in politics, I believe Seth Rich was murdered by corrupt politicians for knowing too much information on election fraud.”
Others on Twitter and the trolling website 4chan also speculated that Rich might have crossed the Clintons in some way. Rich’s death seemed to fit in with the “Clinton body count” theory, which dates to the 1990s and claims that the Clintons are so vindictive that they hire hitmen to murder people they don’t like.
People who believe the Clintons are murderers often point to deputy White House counsel Vince Foster, who suffered from clinical depression and died of a gunshot wound to the mouth in 1993. Several investigations all ruled Foster’s death a suicide, but some conservatives insisted there must have been foul play. They claimed that Foster, who was looking into the Clintons’ taxes, may have uncovered evidence of corruption in connection to the Whitewater controversy, a guilt-by-association scandal involving friends of the Clintons’.
The “Clinton body count” theory has endured over the years simply because people don’t live forever. Any time someone dies who was connected to the Clintons — and since Bill Clinton was the president of the United States, literally thousands of people were in his orbit — this theory is dredged up again by the tinfoil hat crowd. And then it slowly fades.
At first it seemed the speculation about Seth Rich would die down quickly as well. But then 12 days later, on July 22, WikiLeaks published thousands of private emails from the DNC, and Rich became a politically useful distraction.
Julian Assange and WikiLeaks supercharged the Seth Rich rumors
A month before Rich was murdered, the DNC admitted that Russian hackers had broken into its computer network, gaining access to all of the DNC’s emails. The thought of Russian interference in American politics was infuriating to Rich, according to one person “who was very close” to him, the Washington Post reported: “It was crazy. Especially for Seth. He said, ‘Oh, my God. We have a foreign entity trying to get involved in our elections?’ That made him so angry.”
When WikiLeaks released its dump of DNC emails on July 22, the obvious explanation was that it had obtained those emails from the Russian hackers. This connection was later confirmed by top US intelligence agencies, who concluded “with high confidence” that DNC servers were hacked by top Russian government hackers, who had then given the emails to WikiLeaks. “Moscow most likely chose WikiLeaks because of its self-proclaimed reputation for authenticity,” the US intelligence report explained, as well as for its connection to the Russian propaganda outlet Russia Today.
But WikiLeaks has repeatedly denied its ties to Russia, and ever since last summer it has used Seth Rich as a way to distract from claims that it abetted Russian interference in the US election. WikiLeaks founder Julian Assange had his own reasons to fear a Clinton presidency — as secretary of state, Clinton wanted to indict Assange for his involvement in releasing the millions of US diplomatic cables leaked by Chelsea Manning.
On Dutch television in August 2016, Assange hinted that Rich, not Russia, may have been the source for the WikiLeaks emails. “Whistleblowers go to significant efforts to get us material, and often very significant risks,” he said. “As a 27-year-old, works for the DNC, was shot in the back, murdered just a few weeks ago for unknown reasons as he was walking down the street in Washington.”
“Was he one of your sources then?” the anchor asked.
“We don’t comment on who our sources are,” Assange replied.
“Then why make the suggestion about a young guy being shot in the streets of Washington?” the anchor replied.
Pressed repeatedly for clarification, Assange concluded that “others, others have suggested that. We’re investigating to understand what happened in that situation with Seth Rich. I think it’s a concerning situation; there’s not a conclusion yet.”
As part of its “investigation,” WikiLeaks offered a $20,000 prize in August for information about Rich’s murder.
This is the point where Seth Rich became a prop in a game of international espionage.
Trump supporters and the alt-right amplified the theory that Rich was some kind of Democratic whistleblower or leaker, even though the facts didn’t really fit this pattern. He didn’t have access to the DNC emails, and he had never shown any prowess at hacking — being a data analyst involves a very different set of skills. Besides, the DNC wasn’t the only organization that was hacked: Clinton campaign chair John Podesta’s personal emails, for instance, were stolen separately, as were the emails at the Democratic Congressional Campaign Committee.
Nevertheless, many on the right were inspired by the WikiLeaks insinuations and started to concoct their own conspiracy theories about Rich’s murder. In August, former House speaker and presidential candidate Newt Gingrich told a conservative talk show host that Rich’s death was suspicious. “First of all, of course it’s worth talking about,” he said. “And if Assange says he is the source, Assange may know. That’s not complicated.”
That same month, Trump adviser Roger Stone claimed, without evidence, that Rich was murdered “on his way to meet with the FBI to discuss election fraud.”
To Trump supporters, the claim that Rich had been murdered by the Clintons had twofold appeal: It reinforced the rumor that the Clintons were shady operatives, and it distracted from the mounting evidence that Russia had interfered with the US election — possibly in collusion with the Trump campaign.
In the presidential debate on September 26, Trump famously suggested that it could have been a lone hacker who was responsible for the stolen DNC emails. “It could be Russia, but it could also be China. It could also be lots of other people. It also could be somebody sitting on their bed that weighs 400 pounds,” he said.
Thanks to a weird miscommunication, the conspiracy theory comes back in May
After the election, the conspiracy theories about Seth Rich faded from public consciousness, as the focus turned instead to the FBI’s investigation of connections between Trump staffers and Russian agents. Suspicions still bubbled in right-wing corners of Reddit and on alt-right websites like Gateway Pundit, and Assange continued to claim that it wasn’t the Russians who provided the hacked emails — but most of America had moved on.
But Rich returned to the news last week, when the local TV station FOX 5 DC aired an interview with private investigator Rod Wheeler, who claimed that sources in the FBI told him there was evidence of a connection between Rich and WikiLeaks:
FOX 5 DC: You have sources at the FBI saying that there is information…
WHEELER: For sure…
FOX 5 DC: …that could link Seth Rich to WikiLeaks?
WHEELER: Absolutely. Yeah. That’s confirmed.
Conservative media outlets jumped on the story, which aired the night of Monday, May 15. By Tuesday morning, conservative outlets like Breitbart, the Blaze, and the Daily Caller all had their own pieces relaying Wheeler’s claims.
On Tuesday, Fox News added its own revelation: It claimed that an unnamed “federal investigator” had confirmed that Rich had been in contact with WikiLeaks. “I have seen and read the emails between Seth Rich and Wikileaks,” the source said, according to Fox News. Fox News additionally claimed this source had evidence that Rich had given thousands of DNC emails to WikiLeaks.
This was a two-source story: The report also said that Wheeler had independently corroborated what the anonymous “federal investigator” had told Fox News.
But here’s where it gets confusing. By Tuesday afternoon, Wheeler told CNN that he had misspoken. It turns out he didn’t have any evidence of his own.
What had happened, apparently, was that earlier in the week, Fox News had contacted Wheeler for its own story on Rich. That was when Wheeler learned that Fox News had a source alleging there was contact between Rich and WikiLeaks. When Wheeler went on local TV on Monday night to talk about Rich, he believed he was giving viewers a “preview” of the Fox News story set to run on Tuesday.
That, at least, is how Wheeler explained the situation to CNN last Tuesday. Somehow, through miscommunication or sloppy reporting, the Fox News report used Wheeler to back up its claims about the Rich-WikiLeaks connection. This was incorrect, Wheeler said. He had no independent knowledge.
“I only got that [information] from the reporter at Fox News,” he told CNN.
Yesterday, after leaving it up for a week, Fox News finally retracted its Seth Rich story, which was down to one anonymous source. “The article was not initially subjected to the high degree of editorial scrutiny we require for all our reporting,” an editor’s note explained. “Upon appropriate review, the article was found not to meet those standards and has since been removed.”
Conservative media has a field day
It’s unlikely that any of this would have been a big deal had there not been a stunning series of damaging reports about Donald Trump last week.
Among other things, it was revealed that Trump had shared state secrets with the Russians, that he had pressured FBI Director James Comey to drop his investigation into ties between Trump affiliates and Russia, and that the Russia probe had reached a current high-level White House official, who many suspect is Trump’s son-in-law, Jared Kushner.
One way the conservative media minimized all the bad news was to focus on other stories. The latest Seth Rich allegations became a welcome distraction from the constant revelations coming out of the Washington Post and the New York Times.
For instance, while most outlets were covering the revelation that Trump had volunteered classified information to Russians, the alt-right website Breitbart devoted its front page to the Seth Rich conspiracy. Breitbart even slammed the mainstream media for ignoring the rumors about Rich: “Silence from Establishment Media over Seth Rich WikiLeaks Report” was the title of one story.
Fox News in particular devoted outsize attention to the Rich story, repeatedly rehashing the conspiracy theory. On his 10 pm show, Fox pundit Sean Hannity devoted segments to Rich on Tuesday, Thursday, and Friday last week. “I’m not backing off asking questions even though there is an effort that nobody talk about Seth Rich,” he said on Friday night.
On Tuesday, even after Fox News retracted the story that ignited the latest round of speculation, Hannity remained convinced that the Seth Rich conspiracy theory had legs. “I am not Fox.com or FoxNews.com,” he said on his radio show. “I retracted nothing.”
Later that evening, on his television show, Hannity said that for now, he would stop talking about Rich “out of respect for the family’s wishes.” On Twitter, though, he was defiant, claiming that “liberal fascism” was trying to silence his voice.
“Ok TO BE CLEAR, I am closer to the TRUTH than ever,” he tweeted. “Not only am I not stopping, I am working harder.”
“Please retweet,” he added.
Rich was an unlucky victim of the conservative media
The recent attention has reignited the old Seth Rich conspiracy theories, bringing forth even more unsubstantiated claims.
On Fox News’s Sunday morning talk show, Newt Gingrich repeated his belief that Rich, not Russia, was responsible for the DNC hack. “It turns out, it wasn’t the Russians,” he said. “It was this young guy who, I suspect, was disgusted by the corruption of the Democratic National Committee.”
On Monday, Assange issued a cryptic tweet using the hashtag “#SethRich” which fanned the flames even further: “WikiLeaks has never disclosed a source. Sources sometimes talk to other parties but identities never emerge from WikiLeaks. #SethRich.”
And on Tuesday, New Zealand file-sharing entrepreneur Kim Dotcom, who is wanted by the US government for copyright infringement and racketeering, claimed that Rich had personally contacted him in 2014, and that the two had talked about “a number of topics including corruption and the influence of corporate money in politics.”
“I know that Seth Rich was involved in the DNC leak,” Dotcom wrote in a statement. . . .
7. Kim Dotcom just tweeted out a document that’s allegedly from the FBI demonstrating that Seth Rich was indeed the source of the hacked DNC emails. The twist is that the document is a blatant fraud and Kim Dotcom acknowledges as much. Ol’ Kim decided to tweet it out anyway, asserting that there’s no need to delete the tweet promoting the fake document because, hey, he put up some subsequent tweets questioning its authenticity. Twist & spin.
However, there was another rather intriguing admission by Dotcom in the following interview asking him why he tweeted out documents he knew were fake: Dotcom is continuing to assert that he has evidence Rich was the source of the DNC hacks.
He’s just not ready to reveal it yet but he strongly hints that the evidence has to do with his close ties to Wikileaks. And then he refers back to a Bloomberg TV interview he did on May 13th, 2015, where Dotcom predicts that Julian Assange is going to be Hillary Clinton’s “worst nightmare” in the upcoming election. How so? Because, says Dotcom, Assange “has access to information,” without going into specifics.
Of fundamental importance to our understanding is the assertion by Craig Murray, former UK ambassador to Uzbekistan, that the information given to WikiLeaks wasn’t a hack at all, but information from a flash drive given to him by a DNC insider.
There may well have been hacks into the DNC and e‑mail of John D. Podesta, but they were NOT Russian.
Dotcom refers to a May 2015 interview – long before Seth Rich would have been in a position to pass along emails, before Rich would have had a motive if he really was a disillusioned Bernie-crat, but shortly before Crowdstrike “concluded” the DNC was initially hacked – where Dotcom confidently asserts that Julian Assange already had a bunch of dirt on Hillary and was going to be her worst nightmare. And yet we didn’t really see any old embarrassing emails emerge from Wikileaks during the campaign. Along with being incredibly sleazy, it’s all rather curious:
Have you seen that FBI file, purporting to be about the death of DNC staffer Seth Rich? Kim Dotcom, who thrust himself into the story recently by telling Sean Hannity that he had evidence Rich had sent documents to Wikileaks, published the document on Twitter, helping to spread it online. Dotcom now acknowledges that the document is fake. But he told Gizmodo that he’s not going to delete it.
The fake FBI document was first published on a website called Borderland Alternative Media and it wasn’t long before it started to spread on social media, including by Kim Dotcom. Alex Jones’ Prison Planet picked it up, but has since deleted its own version of the story.
The internet’s interest in the July 2016 murder of Seth Rich revolves around claims that he leaked Democratic Party documents to Wikileaks, an idea that Julian Assange has hinted at repeatedly. The police say that Seth Rich’s murder was a robbery gone bad. But internet conspiracy theorists believe that Rich was killed as retribution for leaking emails about the DNC. Whatever the case, the FBI file is complete bullshit.
“I was skeptical. I tweeted that the document could be a fake and that the FBI has to weigh in about it,” Dotcom told me over direct message on Twitter.
The document is obviously fake to anyone who’s looked at real FBI files. For one thing, the FBI doesn’t use black to redact information, it uses white boxes. And much more damningly, the redactions include partial words and partial dates, as well as the partial redaction of its classification stamp, things that would never be done.
[see pics of hoax FBI documents]
You can see the comparison between the fake FBI file on Seth Rich (above left) with a recently obtained FBI file on military historian Robert Dorr (above right). It’s a sloppy fake.
“After doing some forensic analysis of the document I came to believe it is not authentic. And I have retweeted Wikileaks which came to the same conclusion,” Dotcom told me.
But as any Twitter user knows, tweets with incorrect information spread much faster than corrections. So I asked Dotcom why he didn’t delete the tweets with the fake FBI file.
“There is no need to delete those tweets because I have been very cautious and warned within an hour of the release of that document that it could be a fake,” Dotcom told me.
That all seemed reasonable, if misguided, to me. But then I asked Dotcom for evidence of his claims that he knows Rich was involved in the DNC leak. During our back and forth on Twitter DM, Dotcom sent me a message saying that he knew I wasn’t going to write a balanced piece, and insinuated that he simply knows because of his close ties to Wikileaks.
I just had a look at your twitter feed and it looks like you are very much anti-trump. And that’s ok. I already know that your story won’t be balanced. But this is not a Trump issue. Seth was a Sanders supporter. The progressives should ask what really happened to Seth. He’s one of yours. And they should be interested that the matters I have raised are properly investigated.
Please have a look at my Bloomberg interview in which I announced long before the election that Julian is going to be a problem for Clinton. My relations to Wikileaks are well known. I have said many times in the past that I have been a major donor and Julian has been a guest at my moment of Truth event.
How do you think I knew?
The Bloomberg interview Dotcom is referring to is from May 13, 2015, wherein he said that Assange would be “Clinton’s worst nightmare.” At this point, Clinton had just announced her candidacy a month earlier and Donald Trump hadn’t even entered the race yet.
Interviewer: You’re saying Julian Assange is going to be Hillary’s worst nightmare?
Dotcom: I think so, yeah.
Interviewer: How so?
Dotcom: Well, he has access to information.
Interviewer: What information?
Dotcom: I don’t know the specifics.
Interviewer: Why Hillary in particular?
Dotcom: Hillary hates Julian. She’s just an adversary, I think, of internet freedom.
Interviewer: And she signed your extradition request.
Dotcom: Yeah.
Interviewer: So, you have a bone to pick with her.
Dotcom: You know what the craziest thing is? I actually like Hillary. I like Obama. So it’s so crazy that all of this happened.
During the course of our conversation over Twitter DM, Dotcom pointed me to numerous links online, but none of them answered my basic question: How do you know that Seth Rich was involved in the DNC leak?
One of the links Dotcom sent me contained his open letter to the family of Seth Rich, who have asked Dotcom to stop spreading conspiracy theories about the murder of their son.
In that letter, Dotcom says “I simply wish to make sure that the investigators have the benefit of my evidence.” Again, I asked Dotcom for that evidence and he said that he would only show such things to the Rich family, at the advice of his lawyers and “out of respect for the Rich family.”
But Dotcom’s most recent public comment on the matter, a letter posted today directed to the FBI Special Counsel who are investigating the Trump regime’s ties to Russia, makes it look like Dotcom’s interest in the Seth Rich case may not be altogether altruistic.
Dotcom is originally from Germany but moved to New Zealand from Hong Kong in 2009, and is currently wanted in the United States for running the file hosting and sharing site Megaupload, which was accused of systematically violating copyright. His extradition to the US has been blocked repeatedly and he’s been in a state of legal limbo for years.
But Dotcom’s new letter to the FBI Special Counsel says that he’d be willing to share his evidence that Seth Rich was involved in leaking information to Wikileaks provided he’s given safe passage to the US:
Mr Dotcom is also committed to achieving an outcome where his evidence can be properly received and reviewed by you as part of the Investigation. You will, however, appreciate that, given his current status, he is not in a position to voluntarily leave New Zealand’s jurisdiction. Further, he is concerned that, should he travel to the United States voluntarily, he would be arrested and detained in custody on the current counts on which he has been indicted.
The letter goes on to say that after “special arrangements” have been made, he’ll be glad to travel to the US to give his evidence. One imagines that those special arrangements would involve dropping the case against him.
Accordingly, for Mr Dotcom to attend in person in the United States to make a statement, and/or give oral evidence at any subsequent hearing, special arrangements would need to be discussed and agreed between all relevant parties. Such arrangements would need to include arrangements for his safe passage from New Zealand and return. This is because Mr Dotcom is determined to clear his name in New Zealand.
So make of that what you will. Kim Dotcom clearly has reason to be angry at the US Justice Department, but if he really had evidence proving that a man was murdered for political reasons, it seems a bit shady to use it as a bargaining chip for your own freedom. It seems unlikely that the FBI would grant Dotcom’s request, so if he really does have any information on the Seth Rich case, we may never get to see it.
But given the fact that there’s virtually no evidence outside of the wildest conspiracy theory boards that Seth Rich was killed by anyone connected to the Clinton campaign, I wouldn’t hold my breath anyway.
…
8. The Shadow Brokers released some more NSA hacking tools, along with a list of IP addresses the NSA was targeting. All of this was apparently in response to a sense of betrayal. Betrayal by Donald Trump. Yes, when Donald Trump launched a cruise missile attack against Syria, this so upset The Shadow Brokers that they wrote another long broken-English rant (with a white nationalist theme) about Trump living up to his promises and then released some more hacking tools.
We analyzed the ShadowBrokers in FTR #923.
Suffice it to say, that this group is, in all probability, not Russian at all.
In the latest in a drumbeat of intelligence leaks, a hacking group known as the Shadow Brokers has released another set of tools it said were designed by the top-secret National Security Agency to penetrate computer systems worldwide.
In a rant-filled statement over the weekend, Shadow Brokers also released a list of servers it said the tools had infected.
One document appeared to show that NSA spyware had been placed on servers in South Korea, Russia, Japan, China, Mexico, Taiwan, Spain, Venezuela and Thailand, among other countries. The dump included details of how the NSA purportedly had gained access to Pakistan’s main mobile network.
The release marked the most recent in a steady stream of disclosures of purported hacking tools developed by the NSA and the CIA. Shadow Brokers made a similar release in August, and in March the anti-secrecy group WikiLeaks released several batches of files that purported to show how the CIA spies on its targets. WikiLeaks has dubbed those leaks Vault7.
Cybersecurity experts differed in their assessment of the leaked material but several agreed that it would give global foes crucial information about American hacking abilities and plans.
In its statement, Shadow Brokers said the latest leak, following one eight months ago, “is our form of protest” to goad President Donald Trump into staying loyal to his followers and promoting anti-globalism. The screed included profanity, some white supremacist commentary and a password to the cache of tools. . . .
8. CrowdStrike–at the epicenter of the supposed Russian hacking controversy–is noteworthy. Its co-founder and chief technology officer, Dmitry Alperovitch, is a senior fellow at the Atlantic Council, financed by elements that are at the foundation of fanning the flames of the New Cold War.
“Is Skepticism Treason?” by James Carden; The Nation; 1/3/2017.
. . . In this respect, it is worth noting that one of the commercial cybersecurity companies the government has relied on is Crowdstrike, which was one of the companies initially brought in by the DNC to investigate the alleged hacks. . . . Dmitri Alperovitch is also a senior fellow at the Atlantic Council. . . . The connection between [Crowdstrike co-founder and chief technology officer Dmitri] Alperovitch and the Atlantic Council has gone largely unremarked upon, but it is relevant given that the Atlantic Council—which is funded in part by the US State Department, NATO, the governments of Latvia and Lithuania, the Ukrainian World Congress, and the Ukrainian oligarch Victor Pinchuk—has been among the loudest voices calling for a new Cold War with Russia. As I pointed out in the pages of The Nation in November, the Atlantic Council has spent the past several years producing some of the most virulent specimens of the new Cold War propaganda. . . .
9. Next, the program highlights a topic that was initially broached in the last program. The OUN/B milieu in the U.S. has apparently been instrumental in generating the “Russia did it” disinformation about the high-profile hacks. A Ukrainian activist named Alexandra Chalupa has been instrumental in distributing this disinformation to Hillary Clinton and influencing the progress of the disinformation in the media.
. . . . One of the key media sources [46] who blamed the DNC hacks on Russia, ramping up fears of crypto-Putinist infiltration, is a Ukrainian-American lobbyist working for the DNC. She is Alexandra Chalupa—described as the head of the Democratic National Committee’s opposition research on Russia and on Trump, and founder and president of the Ukrainian lobby group ‘US United With Ukraine Coalition’ [47], which lobbied hard to pass a 2014 bill increasing loans and military aid to Ukraine, imposing sanctions on Russians, and tightly aligning US and Ukraine geostrategic interests. . . . In one leaked DNC email [50] earlier this year, Chalupa boasts to DNC Communications Director Luis Miranda that she brought Isikoff to a US-government sponsored Washington event featuring 68 Ukrainian journalists, where Chalupa was invited ‘to speak specifically about Paul Manafort.’ In turn, Isikoff named her as the key inside source [46] ‘proving’ that the Russians were behind the hacks, and that Trump’s campaign was under the spell of Kremlin spies and sorcerers. . . .
Now that Donald Trump appears to be intent on living up to the phrase “it’s not the crime, it’s the coverup” regarding the investigation into possible Russian collusion, hopefully one of the outcomes of the shift of Trump’s culpability from “did he collude with the Russians?” to “did he obstruct justice in the investigation into his collusion with the Russians?” will be a willingness to ask the other obvious question, “did the Trump campaign carry out the hack attacks and make it look like the Russians, regardless of whether or not there was any other collusion?” Because, you know, it seems like pulling off such a stunt and propelling US/Russian relations to a new low and threatening to spark future conflicts in order to cover up a campaign crime would be an incredibly big deal. As big a deal as outright collusion, if not bigger, given the destructive capability of a conflict with Russia and the obvious potential for such disastrous results from such an operation. Wouldn’t that be treason too?
So, in the spirit of hoping the latter question gets asked, here’s the latest reminder that cyber-attribution is far more nebulous than most US coverage of this issue would like to admit: you know the now-infamous Qatari news article that trashed Trump, praised Iran, and ended up triggering a severing of relations with Qatar’s Sunni neighbors? And you know how the FBI has already said that Russian hackers did it? Well, there was a second big hack that rattled Middle East governments just a few days later. A hack of the emails of the UAE’s influential ambassador to the US, Yousef Al Otaiba. A hack that appears to be a kind of counter-point to the Qatari hack and intended to create difficulties between the US and UAE and reveal an ongoing UAE campaign to encourage the US to move its massive airbase out of Qatar (presumably to a nearby place like the UAE). And as the attribution of that hack unfolds, it’s looking like a now-familiar story:
“Russian hackers did it”... hackers that could have been anyone did it... hackers who decided to use a “.ru” email address to disseminate their hacked material.
First, here’s an overview of the al Otaiba hack which is mostly a peek behind the US/UAE diplomatic curtain:
“In private correspondence, Otaiba — an extremely powerful figure in Washington, D.C., who is reportedly in “in almost constant phone and email contact” with Jared Kushner, President Donald Trump’s adviser and son-in-law — is seen pushing for the U.S. to close down its military base in Qatar and otherwise poking at issues that could drive a wedge between the U.S. and that Arab nation. He also says that his country’s de facto ruler is supportive of a wave of anti-Qatar criticism in the U.S. that the Gulf state last month called a smear campaign and that has prompted behind-the-scenes alarm inside the U.S. government.”
And all these Otaiba emails were released just days after the Qatari hack by someone claiming not to work for the Qataris but who merely wants to expose UAE/US lobbying efforts:
So was this a Qatari counter-hack? Some other actor who would like to add to the diplomatic tension in the region? At this point we don’t know.
And as the article below notes, a group going around distributing these hacked emails calls itself “GlobalLeaks” and uses a .ru email. Which would suggest these were Russian hackers...if you take everything at face value. But as a group of cybersecurity researchers who have analyzed the Otaiba hack point out, anyone could have done it and just tried to make it look like Russian hackers (it’s not like .ru email addresses can’t be obtained by non-Russians). And while these researchers can’t attribute the hack to any government or group with precision, they do note that it looks like the methods used by what appears to be a mercenary hacker group that’s been operating in the region. A group that’s been hired by a number of Gulf states to hack other Gulf officials:
“In a report scheduled to be released on Friday, two independent cybersecurity researchers claim that at least one group of hackers can be found working as freelancers for a number of Gulf states, and that their methods bear a striking resemblance to the methods used to hack the Emirati ambassador.”
And as these cybersecurity researchers note, not only are the methods in the Otaiba hack similar to those of a group of mercenary hackers they assert are working for a number of Gulf states, but this is a sign of a broader transformation in the accessibility of hacking/disinformation capabilities that were once thought to be relatively exclusive.
“Other news organizations have reported receiving leaked Emirati emails from a group calling itself GlobalLeaks and using email addressing ending in .ru, suggesting the mercenary hackers may be Russians or wish to pose as Russian.”
Yep, unless the hackers were Russian hackers who wanted to advertise for some reason that they’re Russian hackers, the use of a .ru email address by the group distributing these emails basically tells us nothing about who did it. And while these cybersecurity researchers suspect that the “Bahamut” group of mercenaries is behind the hack, if their methods involve spear-phishing emails it’s not like other skilled hackers familiar with the cybersecurity industry’s tracking of the Bahamut group couldn’t mimic their methods. That’s the fun of our new digital cold war.
So at this point it sounds like we have no real idea who did the hack, but whoever did it appears to want to send a “Hi! I’m a Russian hacker!” signal to the world. Of course.
@Pterrafractyl–
In assessing this, one should not lose sight of the fact that the CIA’s hacking code enables the authorship of the deed to assume an Arabic language cover, as well as Russian, Chinese or Farsi.
Or, as we might say “Farce-ey.”
Don’t forget that the Shadow Brokers have seen to it that the entire global hacking community has the NSA’s hacking tools.
Katy, bar the door!
Best,
Dave
One of the curious aspects of Kim ‘Dotcom’ Schmitz’s claims about being in contact with Seth Rich is how long he waited to make his big claim that he was in contact with Rich all along. Because that claim didn’t come out until May 19th of this year, a few days after the big Fox News disinformation/hoax piece on Rich. Why didn’t Dotcom make these claims sooner? Like, in the middle of the 2016 campaign? Wouldn’t that have been the optimal time for such a stunt?
But here’s what adds to the curious timing: Check out this tweet from Dotcom back on September 28, 2016, directed to Donald Trump:
And don’t forget that this tweet came two days after the first Presidential Debate between Donald Trump and Hillary Clinton on September 26, 2017, during which Trump made his infamous “the hacker could have been a 400 pound guy sitting on his bed” comment. So Schmitz/‘Dotcom’ was clearly responding to Trump’s comment about the hacking. And he’s clearly claiming attribution for something that helped Trump. And yet no claims from Dotcom at the time that Seth Rich was the DNC leaker. Despite how the timing would have been perfect for such a claim...especially if Dotcom has the evidence he claims he has. And yet all we get from Dotcom before his Seth Rich claims last month was a very mysterious tweet that appears to be telling Trump he “owes” Dotcom over the DNC hacks.
Also keep in mind that if Dotcom, or someone closely associated with him, was the actual hacker, drawing attention to himself back when the election was still going on by making claims about his contacts with Seth Rich could have brought much closer scrutiny to Dotcom with potentially huge implications for the election if suspicions fell on Dotcom. Especially given Dotcom’s predictions back in May of 2015 that Julian Assange was going to be Hillary Clinton’s worst nightmare. So if Dotcom was concerned about getting implicated in the hack, waiting until after the election does kind of make sense.
But for someone who clearly wanted Hillary to lose to Trump, waiting until now to make these claims instead of last fall really is rather curious. Especially given Dotcom’s September 28th mystery tweet. Unless, of course, making these claims earlier would have been potentially even more damaging to Trump. Which could have been the case if Dotcom was indeed the hacker.
It sounds like the hacking of state election systems in the 2016 election was a lot more extensive than previously reported: Up to 39 states were hacked to one degree or another in a giant spear-phishing campaign according to a recent report in Bloomberg. And while there was no indication that the hackers were attempting to manipulate actual vote tallies, there were some signs that hackers tried, but failed, to manipulate the voter registry databases in Illinois, which could have the effect of changing vote totals by throwing some people off the voter rolls. And since Illinois was one of only a handful of states to give federal investigators full access to their systems it’s unclear how many other states had similar attempts.
As of now, officials appear to be extremely worried that this mass hacking operation is going to happen in the 2018 or 2020 elections. And, of course, as of now, officials are characterizing the entire thing as an operation of Russian military intelligence, pointing to evidence like the IP address used. Yep, the GRU apparently doesn’t know how to use VPNs, proxies, or TOR and instead decided to use known GRU IP addresses to carry out this incredibly inflammatory hacking operation.
The article also discusses how the extensive nature of the hacks so alarmed the Obama White House that a special ‘cyber Red Phone’ that was set up between Washington and Moscow to defuse potential cyber conflicts was used for the very first time in October. The Russian government denied responsibility, asked for more information, and said they would investigate it. All while the hacking continued.
So either the Russian government was executing an unprecedented high-profile self-incriminating wave of incredibly inflammatory hacks and continued to do so even after the ‘cyber Red Phone’ got used for the first time with apparently no concern for the consequences, or someone (like the GOP) was hacking the US electoral systems and trying to frame the Russians. Either way, those state election systems could probably use an overhaul soon:
“In Illinois, investigators also found evidence that the hackers tried but failed to alter or delete some information in the database, an attempt that wasn’t previously reported. That suggested more than a mere spying mission and potentially a test run for a disruptive attack, according to the people familiar with the continuing U.S. counterintelligence inquiry.”
So in Illinois, one of a handful of states that gave federal investigators the most complete access to their systems and apparently one of the first states hacked since the hack was first detected in July, investigators found evidence of at least attempts at manipulating voter roll data. That’s certainly a big deal and the kind of finding that potentially raises questions about the integrity of a lot more than just the votes for President. ALL races in a state could be impacted by manipulating the voter rolls.
How about the rest of the states? That’s unclear. Thanks, in part, to the GOP’s blocking of an attempt by DHS to declare the nation’s voting systems “national critical infrastructure”, which would have given federal investigators greater access to the other states’ voting systems:
And at this point federal investigators apparently can’t really say how many other states experienced similar attempts. Still, based on the digital “signatures” that investigators have identified (because the ‘Russian hackers’ apparently didn’t bother trying to obscure them), “traces” of the hackers were found in the systems of 39 states:
And it sounds like a large number of those hacks (or hack attempts) took place in the last week of the campaign:
So, overall, if we take this report at face value, the Russian government brazenly hacked into the Illinois state voting systems, tried to manipulate voter roll data, and then continued to brazenly hack — or attempt to hack — into at least 38 other states. All using digital “signatures”, like IP address, that were traced back to the GRU. And the really big wave of attacks happened in the last week of the campaign, after President Obama used the “cyber Red Phone” for the first time ever in October. And the Russian government ignored those calls to stop the hacking without any apparent fear of reprisal. And just kept hacking away without bothering to change those digital “signatures” from the July Illinois hack. Are we sure “Lazy Bear” isn’t a more appropriate moniker for this alleged GRU hacking group? “Fancy Bear” doesn’t quite capture their main attribute.
Of course, since digital “signatures” are the kind of things hackers can often spoof and a declaration of cyber war would be an insane move by the Russian government, there’s the very obvious possibility that someone else made all these hacking attempts. So it’s worth noting that in The Intercept report about the leaked NSA document showing the analysis of the hacking of a Florida voting systems company they interview Jake Williams — a former member of NSA’s elite hacking Tailored Access Operations team — and ask him about the spear-phishing campaign used against those 122 officials in the last week of the campaign. According to Williams, that spear-phishing operation was of “medium sophistication” that “practically any hacker can pull off”:
“The NSA assessed that this phase of the spear-fishing operation was likely launched on either October 31 or November 1 and sent spear-fishing emails to 122 email addresses “associated with named local government organizations,” probably to officials “involved in the management of voter registration systems.” The emails contained Microsoft Word attachments purporting to be benign documentation for VR Systems’ EViD voter database product line, but which were in reality maliciously embedded with automated software commands that are triggered instantly and invisibly when the user opens the document...”
A spear-phishing attack using documents from the Florida-based “VR Systems” as the bait. That’s what the alleged Russian hackers did in the last week of the campaign. And how sophisticated was this spear-phishing attack? Almost any hacker could have done it. That’s how sophisticated:
“Overall, the method is one of “medium sophistication,” Williams said, one that “practically any hacker can pull off.””
So according to federal investigators, ‘the GRU’ used a spear-phishing technique that any hacker could have pulled off, and did it in a manner that left digital “signatures”, like IP address, that apparently led back to the GRU. And kept the same digital signatures in the July 2016 hack on the Illinois voting system that were found in the wave of spear-phishing attacks in the last week of the campaign. Even after getting a “cyber Red Phone” call from the White House for the first time ever in October, thus opening Russia to potential revenge attacks for years to come and poison-pilling the possible utility of having a Russian-friendly President Trump in the White House. It’s as if the cost-benefit analysis didn’t factor in the costs. That’s the story we’re supposed to accept.
And, amazingly, based on the first report, it sounds like the bulk of the 39 hacked states got hacked by this spear-phishing campaign in the last week of the campaign despite the intense focus around potential hacking in the prior months. Those must have been some pretty compelling phishing emails. It raises the question as to whether or not some of those 122 targeted officials were trying to get their systems hacked. Keep in mind one of the very interesting things about a spear-phishing attack in a scenario like this one, where one of the hacked parties (the GOP) just might want to get hacked: Spear-phishing is a great way for an insider to invite in a hacker while maintaining plausible deniability. Oops! I was tricked! ;)
It’s pretty clear that US state voting systems have a number of serious vulnerabilities. Specifically, people who fall for phishing emails and whatever malware is now installed on those systems after those hacks. Also note one of the main things protecting these systems from a much bigger hack: the decentralized nature of US voting systems, in which different locales use different technologies. It’s a lot harder to pull off a big hack in a decentralized system. And let’s also not forget that one of the giant voting vulnerabilities today is a direct consequence of the US’s response to the 2000 election voting debacle in Florida. Following that, Congress gave states gobs of cash to replace their paper ballot systems with hackable electronic voting machines. And now we have a problem with hackable electronic voting machines. Still.
So if there is a big push to overhaul and improve US voting systems in anticipation of the 2016 hackers returning in future elections, keep in mind that it’s a lot harder to hack paper ballots.
Here’s an article that reminds us of something to keep in mind when assessing the curious case of the apparent hacking of Qatar’s news agency followed by the email hack of the UAE’s ambassador to the US that some suspect was done by a mercenary hacker group: Middle Eastern governments probably don’t need to hire rogue hacker mercenary groups to carry out very sophisticated hacks:
““You’d be able to intercept any internet traffic,” he said. “If you wanted to do a whole country, you could. You could pin-point people’s location based on cellular data. You could follow people around. They were quite far ahead with voice recognition. They were capable of decrypting stuff as well.””
That sounds like some pretty advanced hacking capabilities. Advanced hacking capabilities in a lot of government hands:
And it’s not like these advanced hacking capabilities only work in the Middle East:
So when the next big ‘whodunnit?’ hack attack happens and people start assembling a suspect list and asking ‘cui bono?’, don’t forget that BAE already sold these capabilities to a number of the governments across the Middle East.
Also don’t forget that selling advanced hacking tools to Middle Eastern governments isn’t some BAE monopoly. It’s a competitive market.
You know that report about how the election systems of 39 US states were “hit” by ‘Russian hackers’, most of them just a week before the 2016 November election? Well, the National Association of Secretaries of State, an organization that represents the chief election officials in 40 states, has a rebuttal: They have no idea what this report was talking about and believe it’s a matter of cybersecurity firms being overly aggressive to earn state contracts to protect election systems:
““We cannot verify any information in that report,” Stimson told Benzinga. “It has some claims that have raised some red flags. I don’t know where they’re getting it. We’re not able to assess to the credibility.””
Yeah, that’s quite a rebuttal. So none of the information from that Bloomberg report can be verified. And the way the spokesperson for the association representing 40 state election chiefs puts it, this report was likely hype created by a cybersecurity industry intent on creating a panic over future Russian hackers for the purpose of basically creating demand for their services:
And the Department of Homeland Security downplayed the report too:
That certainly supports the notion that the “39 states were hacked by the Russians” was, at a minimum, an exaggeration. And when DHS says the “vast majority” of what they saw was “scanning”, keep in mind that “scanning” computers connected to the internet is ubiquitous, and if they were using IP addresses to attribute this scanning to “Russian hackers”, then, if the US intelligence report on the evidence for ‘Russian hackers’ in the DNC server hack is any indication of the way IP addresses are being used to assess culpability for these state system scanning attempts, IP addresses aren’t the most compelling evidence in this case:
“One of the IP addresses is claimed to be a “well-known APT 28” command-and-control address, while the second is said to be linked to Russian military intelligence. [14] The first address points to a server located in San Jose, California, and is operated by a server hosting service. [15] The second server is situated in Paris, France, and owned by another server hosting service. [16] Clearly, these are servers that have been compromised by hackers. It is customary for hackers to route their attacks through vulnerable computers. The IP addresses of compromised computers are widely available on the Deep Web, and typically a hacked server will be used by multiple threat actors. These two particular servers may or may not have been regularly utilized by Russian Intelligence, but they were not uniquely so used. Almost certainly, many other hackers would have used the same machines, and it cannot be said that these IP addresses uniquely identify an infiltrator. Indeed, the second IP address is associated with the common Trojan viruses Agent-APPR and Shunnael. [17]”
So were IP addresses of the “scans” of these state election systems the primary evidence used to determine that the Russian government attempted a stunningly brazen last-minute massive hacking operation against US election systems? That’s a question that needs answering now that there’s massive alarm raised over future Russian government hack attacks. Especially now that state election officials refuse to validate any part of that Bloomberg report and suggest it is an instance of cybersecurity industry hype.
Of course, if the report was true, it’s possible these state election officials are covering their backsides by downplaying the extent to which their defensive measures (or lack thereof) had been breached. It’s something we can’t rule out. But note how the Bloomberg report sources claim that the “digital signatures” collected from the initial Illinois systems hack were distributed to the rest of the states and 39 of them reported finding “traces” of the same hackers. So there’s a significant conflict between the claims of the Bloomberg report’s sources and the stance taken by the state election chiefs. Also don’t forget that the Bloomberg report was based on three anonymous sources, and only one of them made the claim about 39 states getting hit:
“In Illinois, investigators found evidence that cyber intruders tried to delete or alter voter data. The hackers accessed software designed to be used by poll workers on Election Day, and in at least one state accessed a campaign finance database. Details of the wave of attacks, in the summer and fall of 2016, were provided by three people with direct knowledge of the U.S. investigation into the matter. In all, the Russian hackers hit systems in a total of 39 states, one of them said.”
So just one of the three anonymous sources actually made the “39 states were hit” claim and that appeared to be based on the “digital signatures” from the Illinois hack. And the only example signature was IP addresses:
So, all in all, it does look like the claims by state election chiefs that this report was hyped and bogus do have some weight behind them. In which case we just had a high profile and highly provocative claim by someone, presumably from the cybersecurity industry, that is in serious doubt.
This doesn’t mean that US election systems don’t have serious potential vulnerabilities to hacking. After all, if there’s one thing we’ve learned from all this, it’s that spear-phishing can hit any large organization and it’s not something easily defended against by IT staff because all that’s required is an email that fools one person in an organization.
But if there is going to be a meaningful attempt to secure US voting systems, it’s probably best that we don’t co-mingle that effort with a massive public relations campaign that portrays Russia as a country that’s aggressively attacking US election systems. Unless, of course, the Russian government did actually order this, in which case we are all in peril because it would imply the Russian government went insane and decided to start provoking the US into a serious future conflict by attacking US election systems in a manner intended to be identified as a Russian government hack. But since the evidence for that case continues to grow weaker with each questionable and/or debunked ‘revelation’ of ‘Russian hacking’, it’s going to be important to recognize that, yes, hackers, even Russian hackers potentially, could threaten US voting systems and they really do need to be better secured, but the Russian government probably isn’t the primary electoral threat Americans need to worry about going forward. After all, blatantly hacking US election systems is something that goes far beyond a Russian media campaign and treads into war territory if the Russian government does it right before the election after getting the “cyber Red Phone” call to stop it. It would be like a psyop designed to inflame tensions to dangerous levels. But for the GOP, messing with electronic voting machines is expected at this point. With no meaningful consequences. Especially now that anyone can just blame the Russians and no one will question the evidence at all apparently.
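Two of the points argued above, that background internet “scanning” is not evidence of a targeted intrusion and that an IP address on shared hosting infrastructure says little about who used it, can be turned into a routine defender triage step. The following is an added example, not code from the page, from Bloomberg, DHS or any investigation it cites; every address, log line and prior-sighting record in it is constructed for the demonstration.

```python
"""Triage of IP-based 'digital signatures' before they are treated as
attribution evidence. Added example; all data below is constructed."""
from collections import defaultdict

# Constructed firewall log lines: "<timestamp> <src_ip> <dst_port> <action>".
# 198.51.100.23 sweeps many ports and never gets in (background scanning),
# 203.0.113.7 holds repeated accepted sessions on one service, and
# 192.0.2.55 is mixed and needs a human look.
FIREWALL_LOG = """\
2016-10-31T09:58:10 198.51.100.23 21 DROP
2016-10-31T09:58:10 198.51.100.23 22 DROP
2016-10-31T09:58:11 198.51.100.23 23 DROP
2016-10-31T09:58:11 198.51.100.23 80 DROP
2016-10-31T09:58:12 198.51.100.23 443 DROP
2016-10-31T09:58:12 198.51.100.23 3389 DROP
2016-10-31T10:02:40 203.0.113.7 443 ACCEPT
2016-10-31T10:02:41 203.0.113.7 443 ACCEPT
2016-10-31T10:15:05 203.0.113.7 443 ACCEPT
2016-10-31T11:30:00 192.0.2.55 80 ACCEPT
2016-10-31T11:30:02 192.0.2.55 8080 DROP
2016-10-31T11:30:03 192.0.2.55 8443 DROP
"""

SCAN_PORT_THRESHOLD = 5  # this many distinct ports with nothing accepted


def parse_firewall_log(text):
    """Return {src_ip: {"ports": set, "accepted": int, "dropped": int}}."""
    stats = defaultdict(lambda: {"ports": set(), "accepted": 0, "dropped": 0})
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, src, port, action = line.split()
        entry = stats[src]
        entry["ports"].add(int(port))
        if action == "ACCEPT":
            entry["accepted"] += 1
        else:
            entry["dropped"] += 1
    return dict(stats)


def classify_source(entry):
    """'scanning': many ports touched, nothing accepted (internet noise).
    'session': accepted traffic concentrated on a single service.
    'review': anything else, which an analyst should look at by hand."""
    if entry["accepted"] == 0 and len(entry["ports"]) >= SCAN_PORT_THRESHOLD:
        return "scanning"
    if entry["accepted"] > 0 and len(entry["ports"]) == 1:
        return "session"
    return "review"


# Constructed prior-sighting records (a real team would pull these from its
# own threat-intel history): whether the IP sits in a commercial hosting range
# and which unrelated activity clusters it has already been associated with.
SIGHTINGS = {
    "203.0.113.7": {"hosting": True,
                    "clusters": {"trojan-A", "trojan-B", "cluster-X"}},
    "192.0.2.55": {"hosting": False, "clusters": {"cluster-X"}},
}


def attribution_weight(ip):
    """How much the IP alone says about *who* was behind the traffic. A hosted
    or multi-actor box is 'weak' evidence even if it matches an indicator
    list, because many unrelated actors route through the same machine."""
    seen = SIGHTINGS.get(ip)
    if seen is None:
        return "unknown"
    if seen["hosting"] or len(seen["clusters"]) > 1:
        return "weak"
    return "moderate"


def triage(text):
    """Map each source IP to (traffic classification, attribution weight)."""
    return {ip: (classify_source(entry), attribution_weight(ip))
            for ip, entry in parse_firewall_log(text).items()}


if __name__ == "__main__":
    for ip, (kind, weight) in triage(FIREWALL_LOG).items():
        print(f"{ip:15} {kind:9} attribution-from-ip={weight}")
```

On the constructed log the only source that actually established sessions is the one whose address carries the least attribution weight, which is exactly the situation the quoted IP-address analysis describes.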
Well look at that: As investigators explore the more than three dozen companies and individuals that Michael Flynn worked for — as a consultant, adviser, board member, or speaker — while advising the Trump campaign last year, two of those entities are raising some extra eyebrows. Flynn was an advisory board member of Luxembourg-based OSY Technologies and consulted for the US-based private equity firm Francisco Partners. What’s so questionable about these entities? Well, Francisco Partners owns NSO Group — a secretive Israel-based cyberweapons dealer that sells advanced hacking tools to governments around the world — and OSY Technologies is an NSO Group offshoot. Flynn joined OSY in May of last year. Yep, Michael Flynn worked for both the owner of an advanced cyberweapons dealer and one of its offshoots throughout the 2016 campaign:
“The month before Flynn joined the advisory board of OSY Technologies, NSO Group opened up a new arm called WestBridge Technologies, Inc., in the D.C. region. (The company was originally registered in Delaware in 2014, but formed in Maryland in April 2016.) Led by NSO Group co-founder Lavie, WestBridge is vying for federal government contracts for NSO Group’s products. Hiring Flynn would provide NSO Group with a well-connected figure in Washington, to help get its foot in the door of the notoriously insular world of secret intelligence budgeting.”
Yep, not only was Flynn working for NSO Group’s OSY Technologies and its owners at Francisco Partners, but NSO Group was also initiating plans to get more US government contracts...something that would presumably be much likelier to happen if Donald Trump won the White House and brought Flynn into the government.
And note how NSO Group wasn’t the only cybersecurity firm Flynn was working for:
Now, in terms of assessing the significance of these business relationships, on the one hand, cybersecurity is one of the areas where one should expect the former head of the US Defense Intelligence Agency to go into after leaving government. On the other hand, we just witnessed the most hack-intensive US campaign in history and all the hacking was done in favor of Donald Trump. So, you know, some suspicions that maybe, just maybe, one of the private elite hacking firms Flynn worked for has something to do with these hacks.
It’s important to note that, in terms of the timing, both the DNC server hacks and John Podesta’s email hack were already carried out by the time Flynn joined OSY in May (the same month the hacks ended for both the DNC and Podesta emails), so it’s not like Flynn joined OSY and then the hacking started (not that Flynn wouldn’t likely have been in contact with them well before May). Still, due to the relative lack of sophistication required to carry out a spear-phishing attack — the method behind both the DNC server hack and Podesta’s emails and, allegedly, the attempts to hack 39 state election systems a week before the election — it really is the case that almost anyone could have pulled these hacks off if they had adequate hacking skills and wanted to hide their tracks and make it look like ‘the Russians’ did it. And the NSO Group’s software specializes in creating spear-phishing campaigns designed to trick people into clicking on the bad links using a variety of different tricks and inserting spying malware in the victims’ systems:
“Increasingly, governments have found that the only way to monitor mobile phones is by using private businesses like the NSO Group that exploit little-known vulnerabilities in smartphone software. The company has, at times, operated its businesses under different names. One of them, OSY Technologies, paid Michael T. Flynn, President Trump’s former national security adviser, more than $40,000 to be an advisory board member from May 2016 until January, according to his public financial disclosures.”
And note how even when a phone is known to be hacked by someone using the NSO Group malware after a successful spear-phishing attempt, there’s still no way to know which NSO Group client did it. Even NSO Group claims it can’t determine who did it:
““This is pretty much as good as it gets,” said Bill Marczak, another senior researcher at Citizen Lab, who confirmed the presence of NSO code on several phones belonging to Mexican journalists and activists.”
Yes, “this” is pretty much as good as it gets in terms of establishing evidence of who was behind a hack of this nature, where “this” is “circumstantial evidence”. And that circumstantial evidence is pretty good if you’re talking about a Mexican dissident with malware traced back to the NSO Group on their phone. Sure, maybe some other NSO Group client did the hack in that circumstance, but it’s a pretty good bet it was the Mexican government in such a circumstance simply due to a lack of other NSO Group clients who would care about a Mexican dissident.
And yet for the DNC/Podesta hacks, which were also spear-phishing campaigns but against targets with a wide variety of potential enemies across the globe, the primary evidence we’re given that the Russian government was really behind the hacks was the amazingly sloppy hacker ‘mistakes’ like Cyrillic characters in the hacked document meta-data and leaving the Bitly accounts they were using to create the links used in the spear-phishing emails public so cyber-security researchers could watch their entire hacking campaign’s list of targets. In other words, ‘evidence’ that could have easily been left to be found.
So that all adds to the mystery of Michael Flynn and the potential role he played in the Trump campaign. The former head of the US military’s spy agency worked for a company that makes advanced software designed to first conduct a successful spear-phishing campaign and then gives the victim NSO Group’s special spying malware, the same kind of campaign that attacked the DNC, John Podesta, and the 39 state election systems. And yet almost no one seems to raise the question as to whether or not Flynn and his deep ties to the hacking world could have had anything to do with those high-profile hacks. Only consideration of Russian hackers is allowed. It’s a pretty mysterious mystery, although perhaps not as mysterious as the investigation.
https://www.theguardian.com/technology/2017/jun/16/facebook-moderators-identity-exposed-terrorist-groups#img‑2
Revealed: Facebook exposed identities of moderators to suspected terrorists
A security lapse that affected more than 1,000 workers forced one moderator into hiding – and he still lives in constant fear for his safety
Olivia Solon in San Francisco
Friday 16 June 2017 03.09 EDT
First published on Friday 16 June 2017 03.00 EDT
Facebook put the safety of its content moderators at risk after inadvertently exposing their personal details to suspected terrorist users of the social network, the Guardian has learned.
The security lapse affected more than 1,000 workers across 22 departments at Facebook who used the company’s moderation software to review and remove inappropriate content from the platform, including sexual material, hate speech and terrorist propaganda.
A bug in the software, discovered late last year, resulted in the personal profiles of content moderators automatically appearing as notifications in the activity log of the Facebook groups, whose administrators were removed from the platform for breaching the terms of service. The personal details of Facebook moderators were then viewable to the remaining admins of the group.
Of the 1,000 affected workers, around 40 worked in a counter-terrorism unit based at Facebook’s European headquarters in Dublin, Ireland. Six of those were assessed to be “high priority” victims of the mistake after Facebook concluded their personal profiles were likely viewed by potential terrorists.
The Guardian spoke to one of the six, who did not wish to be named out of concern for his and his family’s safety. The Iraqi-born Irish citizen, who is in his early twenties, fled Ireland and went into hiding after discovering that seven individuals associated with a suspected terrorist group he banned from Facebook – an Egypt-based group that backed Hamas and, he said, had members who were Islamic State sympathizers – had viewed his personal profile.
Facebook confirmed the security breach in a statement and said it had made technical changes to “better detect and prevent these types of issues from occurring”.
“We care deeply about keeping everyone who works for Facebook safe,” a spokesman said. “As soon as we learned about the issue, we fixed it and began a thorough investigation to learn as much as possible about what happened.”
The moderator who went into hiding was among hundreds of “community operations analysts” contracted by global outsourcing company Cpl Recruitment. Community operations analysts are typically low-paid contractors tasked with policing Facebook for content that breaches its community standards.
Overwhelmed with fear that he could face retaliation, the moderator, who first came to Ireland as an asylum seeker when he was a child, quit his job and moved to eastern Europe for five months.
“It was getting too dangerous to stay in Dublin,” he said, explaining that his family had already experienced the horrifying impact of terrorism: his father had been kidnapped and beaten and his uncle executed in Iraq.
“The only reason we’re in Ireland was to escape terrorism and threats,” he said.
The moderator said that others within the high-risk six had their personal profiles viewed by accounts with ties to Isis, Hezbollah and the Kurdistan Workers Party. Facebook complies with the US state department’s designation of terrorist groups.
“When you come from a war zone and you have people like that knowing your family name you know that people get butchered for that,” he said. “The punishment from Isis for working in counter-terrorism is beheading. All they’d need to do is tell someone who is radical here.”
Facebook moderators like him first suspected there was a problem when they started receiving friend requests from people affiliated with the terrorist organizations they were scrutinizing.
An urgent investigation by Facebook’s security team established that personal profiles belonging to content moderators had been exposed. As soon as the leak was identified in November 2016, Facebook convened a “task force of data scientists, community operations and security investigators”, according to internal emails seen by the Guardian, and warned all the employees and contracted staff it believed were affected. The company also set up an email address, nameleak@fb.com, to field queries from those affected.
Facebook then discovered that the personal Facebook profiles of its moderators had been automatically appearing in the activity logs of the groups they were shutting down.
Craig D’Souza, Facebook’s head of global investigations, liaised directly with some of the affected contractors, talking to the six individuals considered to be at the highest risk over video conference, email and Facebook Messenger.
In one exchange, before the Facebook investigation was complete, D’Souza sought to reassure the moderators that there was “a good chance” any suspected terrorists notified about their identity would fail to connect the dots.
“Keep in mind that when the person sees your name on the list, it was in their activity log, which contains a lot of information,” D’Souza wrote, “there is a good chance that they associate you with another admin of the group or a hacker ...”
“I understand Craig,” replied the moderator who ended up fleeing Ireland, “but this is taking chances. I’m not waiting for a pipe bomb to be mailed to my address until Facebook does something about it.”
The bug in the software was not fixed for another two weeks, on 16 November 2016. By that point the glitch had been active for a month. However, the bug was also retroactively exposing the personal profiles of moderators who had censored accounts as far back as August 2016.
Facebook offered to install a home alarm monitoring system and provide transport to and from work to those in the high risk group. The company also offered counseling through Facebook’s employee assistance program, over and above counseling offered by the contractor, Cpl.
The moderator who fled Ireland was unsatisfied with the security assurances received from Facebook. In an email to D’Souza, he wrote that the high-risk six had spent weeks “in a state of panic and emergency” and that Facebook needed to do more to “address our pressing concerns for our safety and our families”.
He told the Guardian that the five months he spent in eastern Europe felt like “exile”. He kept a low profile, relying on savings to support himself. He spent his time keeping fit and liaising with his lawyer and the Dublin police, who checked up on his family while he was away. He returned to Ireland last month after running out of money, although he still lives in fear.
“I don’t have a job, I have anxiety and I’m on antidepressants,” he said. “I can’t walk anywhere without looking back.”
This month he filed a legal claim against Facebook and Cpl with the Injuries Board in Dublin. He is seeking compensation for the psychological damage caused by the leak.
Cpl did not respond to a request to comment. The statement provided by Facebook said its investigation sought to determine “exactly which names were possibly viewed and by whom, as well as an assessment of the risk to the affected person”.
The social media giant played down the threat posed to the affected moderators, but said that it contacted each of them individually “to offer support, answer their questions, and take meaningful steps to ensure their safety”.
“Our investigation found that only a small fraction of the names were likely viewed, and we never had evidence of any threat to the people impacted or their families as a result of this matter,” the spokesman said.
Details of Facebook’s security blunder will once again put a spotlight on the grueling and controversial work carried out by an army of thousands of low-paid staff, including in countries like the Philippines and India.
The Guardian recently revealed the secret rules and guidelines Facebook uses to train moderators to police its vast network of almost two billion users, including 100 internal training manuals, spreadsheets and flowcharts.
The moderator who fled Ireland worked for a 40-strong specialist team tasked with investigating reports of terrorist activity on Facebook. He was hired because he spoke Arabic, he said.
He felt that contracted staff were not treated as equals to Facebook employees but “second-class citizens”. He was paid just €13 ($15) per hour for a role that required him to develop specialist knowledge of global terror networks and scour through often highly-disturbing material.
“You come in every morning and just look at beheadings, people getting butchered, stoned, executed,” he said.
Facebook’s policies allow users to post extremely violent images provided they don’t promote or celebrate terrorism. This means moderators may be repeatedly exposed to the same haunting pictures to determine whether the people sharing them were condemning or celebrating the depicted acts.
The moderator said that when he started, he was given just two weeks training and was required to use his personal Facebook account to log into the social media giant’s moderation system.
“They should have let us use fake profiles,” he said, adding: “They never warned us that something like this could happen.”
Facebook told the Guardian that as a result of the leak it is testing the use of administrative accounts that are not linked to personal profiles.
Moderation teams were continually scored for the accuracy and speed of their decisions, he said, as well as other factors such as their ability to stay updated on training materials. If a moderator’s score dropped below 90% they would receive a formal warning.
In an attempt to boost morale among agency staff, Facebook launched a monthly award ceremony to celebrate the top quality performers. The prize was a Facebook-branded mug. “The mug that all Facebook employees get,” he noted.
Contact the author: olivia.solon@theguardian.com
This article from “The Hill” expresses concern because an RNC database was not secure in an Amazon cloud server. The question not asked is why does the RNC need files of information addressing 46 issues for nearly 200 Million Americans. The most important paragraphs from the article are these three:
1. For example, a 50-gigabyte file of “Post Elect 2016” information, last updated in mid-January, contained modeled data about a voter’s likely positions on 46 different issues ranging from “how likely it is the individual voted for Obama in 2012, whether they agree with the Trump foreign policy of ‘America First’ and how likely they are to be concerned with auto manufacturing as an issue, among others.”
2. According to Ad Age, the RNC spent $983,000 between January 2015 and November 2016 for Deep Root’s services and $4.2 million for TargetPoint’s.
3. The Deep Root Analytics exposure contains information on more than half of the American population.
http://thehill.com/policy/cybersecurity/338383-data-on-198-million-us-voters-left-exposed-to-the-internet-by-rnc-data
Data on 198M voters exposed by GOP contractor
BY JOE UCHILL — 06/19/17 09:00 AM EDT
A data analytics contractor employed by the Republican National Committee (RNC) left databases containing information on nearly 200 million potential voters exposed to the internet without security, allowing anyone who knew where to look to download it without a password.
“We take full responsibility for this situation,” said the contractor, Deep Root Analytics, in a statement.
The databases were part of 25 terabytes of files contained in an Amazon cloud account that could be browsed without logging in. The account was discovered by researcher Chris Vickery of the security firm UpGuard. The files have since been secured.
Vickery is a prominent researcher in uncovering improperly secured files online. But, he said, this exposure is of a magnitude he has never seen before.
“In terms of the disc space used, this is the biggest exposure I’ve found. In terms of the scope and depth, this is the biggest one I’ve found,” said Vickery.
The accessible files, according to UpGuard, contain a main 198 million-entry database with names, addresses of voters and an “RNC ID” that can be used with other exposed files to research individuals.
For example, a 50-gigabyte file of “Post Elect 2016” information, last updated in mid-January, contained modeled data about a voter’s likely positions on 46 different issues ranging from “how likely it is the individual voted for Obama in 2012, whether they agree with the Trump foreign policy of ‘America First’ and how likely they are to be concerned with auto manufacturing as an issue, among others.”
That file appears in a folder titled “target_point,” an apparent reference to another firm contracted by the RNC to crunch data. UpGuard speculates that the folder may imply that the firm TargetPoint compiled and shared the data with Deep Root. Another folder appears to reference Data Trust, another contracted firm.
UpGuard analyst Dan O’Sullivan looked himself up in the database and writes in the official report that the calculated preferences were, at least for him, right on the money.
“It is a testament both to their talents, and to the real danger of this exposure, that the results were astoundingly accurate,” he said.
The Deep Root Analytics cloud server had 25 terabytes of data exposed, including 1.1 terabytes available for download.
Over the 2016 election season, the RNC was a major client of Deep Root, one of a handful of firms it contacted for big data analysis. Firms like Deep Root Analytics use data from a variety of sources to extrapolate social and political preferences of voters to determine how best to market to them.
According to Ad Age, the RNC spent $983,000 between January 2015 and November 2016 for Deep Root’s services and $4.2 million for TargetPoint’s.
“Deep Root Analytics builds voter models to help enhance advertiser understanding of TV viewership. The data accessed was not built for or used by any specific client. It is our proprietary analysis to help inform local television ad buying,” said Deep Root Analytics in their statement.
Misconfigured cloud servers and online databases are a common way for data to be accidentally left exposed to the public. Vickery has found everything from military engineering plans to databases of believed terrorists in exactly this way.
What is uncommon in this case is the size and scope of this exposure. If its records are accurate, the Deep Root Analytics exposure contains information on more than half of the American population. It dwarfs the second-largest exposure of voter information — 93.4 million records of Mexican citizens — by more than 100 million voters and tops the largest data breach of voter information — 55 million records of Philippine voters — by more than 140 million.
Anyone who knew the files’ web address could have accessed them. But without that knowledge, they are much harder to find. Even armed with a search for unsecured databases, finding exposures of any magnitude is tough work. Vickery sifts through a large number of unsecured databases to find ones that are interesting enough to publish research.
Deep Root has contracted the security firm Stroz Friedberg to perform a thorough investigation of the exposure.
The exposure, between June 1 and June 14, was sealed shut shortly after Vickery made the discovery during the night of June 12 and notified relevant regulatory bodies.
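The “browsable without logging in” condition the article describes comes down to a bucket ACL or bucket policy that grants access to everyone. As an added illustration (not code from the article, UpGuard or Deep Root), the check below inspects constructed ACL and policy documents for the two ways an S3 bucket becomes publicly readable; the bucket name, account ID and role name are placeholders.

```python
"""Flag an S3 bucket whose ACL or bucket policy lets anyone read it.

Added example, not code from the article or from UpGuard; the ACL and policy
documents below are constructed to mirror an exposed and a locked-down bucket.
"""
import json

# Canned group URIs AWS uses in ACLs for 'everyone' and 'any AWS account'.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}

# Constructed ACL: owner plus a READ grant to everyone -> browsable without a login.
EXPOSED_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
# Constructed policy: wildcard principal may list and fetch objects, no Condition.
EXPOSED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]})
# Constructed locked-down pair: owner-only ACL, policy scoped to one IAM role (placeholder ARN).
LOCKED_ACL = {"Grants": [EXPOSED_ACL["Grants"][0]]}
LOCKED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AnalystsOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/analyst-role-placeholder"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def public_acl_grants(acl):
    """Return (group, permission) pairs the ACL hands to everyone or any AWS account."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        group = None
        if grantee.get("Type") == "Group":
            group = PUBLIC_GROUP_URIS.get(grantee.get("URI"))
        if group:
            hits.append((group, grant.get("Permission")))
    return hits


def _wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"}; either form means anyone on the internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_policy_statements(policy):
    """Return Sids of unconditioned Allow statements usable by a wildcard principal.

    Statements carrying a Condition are skipped here: they need manual review,
    since a condition such as a source-IP restriction may or may not be effective.
    """
    doc = json.loads(policy) if isinstance(policy, str) else policy
    hits = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _wildcard_principal(stmt.get("Principal")):
            continue
        actions = _as_list(stmt.get("Action"))
        if any(a in ("*", "s3:*") or a.startswith(("s3:Get", "s3:List")) for a in actions):
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits


def is_publicly_readable(acl, policy):
    """The Deep Root-style finding: anyone can list or download without credentials."""
    return bool(public_acl_grants(acl)) or bool(public_policy_statements(policy))
```

Either mechanism alone is enough to expose the data, which is why both have to be checked.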
@Michelle Zucker–
Pterrafractyl contributed this information, plus some additional, edifying points that you might want to peruse.
Best,
Dave
The Washington Post has a big new piece on US’s investigation into the 2016 election hacks that contains a number of interesting revelations, both in terms of how the US government came to the . And overall, perhaps the biggest revelation is how little the technical evidence of the hack had to do with the final conclusion that the Russian government was behind the attacks. Instead, it sounds like that conclusion was based on a CIA source in the Kremlin. And even when that intelligence was delivered other agencies weren’t ready to accept the CIA’s conclusion and it took intelligence from another nation (not named) to provide the final intelligence tipping point that led to a broad-based conclusion that not only was the Russian government behind the cyberattacks but that Vladimir Putin himself ordered it. And that ally’s intelligence is described as “the most critical technical intelligence on Russia” and the NSA still wasn’t convinced based on what sounds like a lack of confidence in that source. So it looks like a CIA Kremlin source and an unnamed foreign intelligence agency with questionable credentials are the basis of what appears to be a likely future full-scale US/Russian cyberwar.
Beyond that, the piece describes the fears of those top US officials examining this issue over the summer of 2016 and it sounds like many were concerned that the DNC hacks really were just a warm up to a much broader full-scale cyberwar against the US election that would have included hacking the election systems and disrupting the vote. So that gives us a sense of the mindset (or at least projected mindset) of top government officials: at least some were convinced that Putin was so pissed off at the prospect of Hillary Clinton becoming President that he was willing to launch a cyberwar. A cyberwar that would undoubtedly provoke a serious response and obviously be very difficult to contain.
Finally, the piece ends with a description what appears to be the most significant US response to the alleged Russian government role in the hacks: the US has already planted a number of ‘cyberbombs’ on Russian networks intended to be very painful if used and capable of being remotely triggered in response to a future Russian cyberattack. It could be an attack on the US electrical grid or a future election. But those ‘cyberbombs’ are apparently being put in place now and the order has been given to trigger them in the future without a presidential order. Unless Donald Trump rescinds that order.
So based on a CIA Kremlin source and the intelligence from a mystery ally the US is openly planting retaliatory cyberbombs on Russian networks. What could possibly go wrong:
“Inside was an intelligence bombshell, a report drawn from sourcing deep inside the Russian government that detailed Russian President Vladimir Putin’s direct involvement in a cyber campaign to disrupt and discredit the U.S. presidential race.”
So a CIA deep Russian government source is the primary source of the ‘Putin ordered it’ conclusion. Well, at least that’s better than the bad joke technical evidence that’s been provided thus far. But even that source’s claims apparently weren’t enough to convince other parts of the intelligence community. It took the intelligence from the unnamed ally to do that:
“Some of the most critical technical intelligence on Russia came from another country, officials said. Because of the source of the material, the NSA was reluctant to view it with high confidence.”
That sure sounds like a ‘slam dunk’ case. And not the good kind. And based on these intelligence sources, the US is openly planting retaliatory cyberbombs on Russian networks:
Keep in mind that such a response from the US would be entirely predictable if the Russian government really did order this hack attack. Russia would be at a heightened risk for years or decades to come if Putin really did order this attack and there’s no reason to assume that the Russian government wouldn’t be well aware of this consequence. So if Putin really did order this hack he would have to have gone insane. That’s how stupid this attack was if Putin actually ordered it. But according to a CIA spy in the Kremlin, along with a questionable foreign ally, that’s exactly what Putin did. Because he apparently went insane and preemptively launched a cyberwar knowing full well how devastating the long-term consequences could be. Because he really, really, really hates Hillary. That’s the narrative we’re being given.
And now, any future attacks on US elections or the US electrical grid that can somehow be pinned on the Russians are going to trigger some sort of painful wave of retaliatory cyberbombs. Which, of course, will likely trigger a wave of counter-retaliatory cyberbombs in the US. And a full-scale cyberwar will be born and we’ll just have to hope it stays in the cyber domain. That’s where we are now based on a CIA spy in the Kremlin and an unnamed foreign intelligence agency.
Here’s a pair of stories that are only tangentially related to the high profile 2016 DNC hacks and is really more a prelude to some yet-to-happen hacks of sensitive government. It’s also exciting news for people who like to routinely scan the Amazon Cloud searching for servers left accidentally vulnerable to the public: The Amazon Cloud is joining IBM and Microsoft as one of three private companies available for hosting the US Department of Defense’s most sensitive unclassified data:
“In total, three commercial companies—AWS, IBM and Microsoft—are now able to host and store the military’s most sensitive unclassified data. AWS has expanded its defense business, it remains the dominant cloud service provider in the intelligence community by virtue of its $600 million contract with the Central Intelligence Agency. AWS’ C2S cloud hosts classified information for the 17 intelligence agencies.”
Yep, Amazon Web Services (AWS) is already hosting classified information for 17 US intelligence agencies, led by a $600 million contract with the CIA. A contract that involved Amazon developing a completely separate cloud infrastructure with extra layers of security, including being completely separate from the rest of the internet and extra encryption.
But it sounds like this recent rule change that allows for unclassified, but still highly sensitive, data doesn’t involve that separate extra secure cloud. It’s just the regular Amazon AWS. What could possibly go wrong? Well, here’s a story from back in May starring Booz Allen Hamilton (Edward Snowden’s brief employer) that’s a pretty good example of what could go wrong:
“UpGuard cyber risk analyst Chris Vickery discovered the Booz Allen server last week while at his Santa Rosa home running a scan for publicly accessible s3 buckets (what Amazon calls its cloud storage devices). At first there was no reason to suspect it contained sensitive military data. Typically, US government servers hosted by Amazon are segregated into what’s called the GovCloud—a “gated community” protected by advanced cryptography and physical security. Instead, the Booz Allen bucket was found in region “US-East‑1,” chiefly comprised of public and commercial data.”
Fun times ahead for all the people who routinely scan publicly accessible AWS “buckets” for vulnerabilities. You just might stumble upon unprotected files from the US National Geospatial-Intelligence Agency (NGA). Or maybe you’ll find a bunch of passwords and private SSH keys that will allow you to break into other sensitive systems:
And maybe you’ll even find files associated with a vulnerable “bucket” you discovered months earlier:
Yes, this same security analyst discovered an Amazon bucket months earlier with no password containing an “application security risk assessment” revealing software vulnerabilities. And the analyst is pretty sure that the application security risk assessment was an assessment for the same system that was being developed on the vulnerable bucket he discovered back in May. And it appears to be a system designed to handle classified information.
So while this publicly available Amazon bucket didn’t contain classified information, it did appear to be the development environment for a system designed to handle classified information. And that’s a story from months before the DoD granted Amazon a provisional authorization to host Impact Level 5 workloads, the military and Pentagon’s most sensitive, unclassified information, on its cloud.
And that all means we should get ready for lots of fun future stories about how a bunch of sensitive data was stolen off a publicly accessible Amazon web server used by a national security contractor followed up with a bunch of assurances that no one should worry because it was just unclassified data that was stolen.
Here’s a pair of stories that, at best, are a reminder of the potential for algorithms and AI systems to acquire the hate and bigotry of their human creators. And, at worst, are a reminder that the potential for algorithms and AI systems to acquire the hate and bigotry of their human creators might be a great excuse for companies like Facebook to push a far-right agenda and just go “oops!” when they get caught.
The second article is also a reminder of what we witnessed following the hack of the French election: that the US and Europe remain dangerously hyperfocused on the potential for Russian election meddling to the exclusion of almost any other force on the world stage (like the far-right movements that exist in every country on the planet and clearly want to meddle in elections).
But first, check out the advertising categories Facebook’s algorithms auto-generated:
“To test if these ad categories were real, we paid $30 to target those groups with three “promoted posts” — in which a ProPublica article or post was displayed in their news feeds. Facebook approved all three ads within 15 minutes.”
$30 to advertise to Facebook’s “Jew Haters”. And it was approved in 15 minutes. But it wasn’t just the “Jew Haters” targeted with this $30 ad buy because there weren’t enough of them to meet the minimum number of people Facebook requires for these kinds of purchases. So other categories had to be added. Categories apparently generated automatically based on user activity:
And it wasn’t until ProPublica added the category for Germany’s neo-Nazi National Democratic Party (NPD) that they finally had enough people in their collection of hate categories to meet the minimum number of target Facebook users required for the ad buy to be placed:
“Still, Facebook said we needed more — so we added people with an interest in the National Democratic Party of Germany, a far-right, ultranationalist political party, with its much larger viewership of 194,600.”
In a way it’s at least a little relieving that categories like “Hitler did nothing wrong” only had 15 users Facebook identified as a target audience for that category. It could be worse! Like, say 194,600 users, which is the number of people in the NPD target audience. But it’s also pretty disturbing that Facebook made it so cheap and easy to target this global hate audience.
And, again, at best this really was just an algorithmic ‘oops’ but we can’t rule out the possibility that a corporate giant like Facebook, which has the far-right figurehead Peter Thiel on its board, is quietly trying to capture and foster far-right audiences.
But according to Facebook this was all an innocent mistake. Let’s hope so. And let’s also hope the sudden discovery that Facebook in Germany has been prioritizing far-right political parties like the AfD when people do a search for political discussions was also just an innocent mistake. As the following article notes, it’s one of the many discoveries about the role the ‘Alt-Right’ is playing in Germany’s current elections and it’s a role that doesn’t appear to include a Kremlin counterpart. Despite widespread fears that all sorts of Russian dirty tricks were inevitably going to be injected into the race. But as far as observers can tell, it’s just the ‘Alt-Right’ that’s flooding German social media sites with far-right messages and it specifically appears to be American ‘Alt-Right’ people doing this. Apparently with the help of another Facebook pro-far-right ‘whoops! How did that happen?’:
“‘So far we have not been able to track down any specific Russian activity,’ said Simon Hegelich, a professor of political science data at the Technical University of Munich who has advised the German government about the threat of hacking and fake news.”
No Russian nefariousness to be found. Phew! Oh wait:
Yep, the Alt-Right doesn’t need the Kremlin’s troll farm to get its message out. The ‘Alt-Right’ is a troll farm. A virtual troll farm that has its sights set on ensuring the AfD and other far-right parties do as well as possible.
And this virtual troll farm has had some big help apparently. From Facebook of course:
“‘It’s really strange because Facebook says this should be impossible because you are only supposed to get recommendations based on your own “friends,” “groups” and “likes.” But everyone in Germany is getting these right-wing party recommendations,’ he said.”
Everyone in Germany is getting right-wing parties recommended to them on Facebook. And apparently this is only the case for right-wing parties. Another algorithmic ‘oops!’? Is the virtual troll farm somehow gaming the system? Or is Facebook actually quietly trying to use its immense power to promote the far-right? It’s a question we’re once again forced to ask.
Another thing we should keep in mind is the Bundestag hack of 2015 as an example of a high profile political hack from Russia that Germany has already had to deal with:
That 2015 hack isn’t just related to the DNC hack because Fancy Bear was attributed with the hack in both cases. They’re also related by the fact that the same command and control server was used in both hacks. And we know this because both hacks utilized unencrypted malware that inexplicably hard coded the I.P. address of the command and control server, and that command and control server was apparently utilizing a version of OpenSSL that would have made it vulnerable to the Heartbleed attack. In other words, that command and control server that was used for both the Bundestag hack of 2015 and the DNC hack of 2016 was vulnerable to effectively being hijacked and shared by multiple hacking groups.
Thus far there doesn’t appear to be a big hack impacting Germany’s election and there isn’t much time left if it’s going to happen (the vote is on Sunday). But if there is, let’s not forget that, despite the fact that the big Macron hack in France’s elections continues to be routinely attributed to Russia in the US media and the NSA even said it was sure it was Russia, the French chief of cybersecurity said France had no evidence Russia did the hack, and the NSA refused to provide France evidence of Russian attribution, and the publicly available evidence of how the hacked documents were leaked online strongly suggests that it was neo-Nazi hacker Andrew “the weev” Auernheimer who actually carried out the hack. So when you read a comment about how the French elections were hacked by Russians like this one...
...don’t forget that the big Macron hack also appears to have American ‘Alt-Right’ neo-Nazi origins.
Also note that, while the far-right troll army aggressively trying to get Marine Le Pen elected really was indeed comprised of French far-rightists, the National Front was using an ‘Alt-Right’ “Foreign Legion” on social media too.
Which shouldn’t be too surprising. As Andrew Auernheimer told the world after Donald Trump’s victory:
Tragically, yep.
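The attribution caveat raised above (a hard-coded C2 address shared across two campaigns on a server running a Heartbleed-era OpenSSL) is the kind of thing an analyst checks mechanically. As an added example that is not code from the comment or from any of the cited reports, the block below extracts plaintext IPv4 literals from constructed sample fragments, finds the ones shared between samples, and flags whether the host’s advertised OpenSSL build falls in the Heartbleed-affected range; the sample bytes and server banners are constructed stand-ins, not the real malware or server.

```python
"""Pivot on infrastructure embedded in unencrypted samples and flag weak C2 hosts.

Added example for the shared command-and-control point above; it is not code
from the page's sources. Sample bytes and banners are constructed stand-ins.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed: fragments standing in for unpacked samples with plaintext config.
SAMPLES = {
    "bundestag_2015": b"\x00\x01https://203.0.113.47:443/rt/\x00Mozilla/5.0\x00",
    "dnc_2016":       b"\x00POST 203.0.113.47 /update\x00192.168.1.15\x00",
    "unrelated":      b"\x00198.51.100.9 check\x00",
}

# Constructed: what a probe of each host's HTTPS service might have returned.
SERVER_BANNERS = {
    "203.0.113.47": "Apache/2.2.22 (Ubuntu) OpenSSL/1.0.1e",
    "198.51.100.9": "nginx/1.6.0 OpenSSL/1.0.1g",
}

# Loose dotted-quad match; ip_address() below rejects out-of-range octets.
IPV4_RE = re.compile(rb"(?<![0-9.])((?:\d{1,3}\.){3}\d{1,3})(?![0-9.])")

# RFC 1918, loopback, link-local and multicast are noise in a C2 hunt.
# TEST-NET documentation ranges are kept on purpose so the constructed samples work.
NON_ROUTABLE = [ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "255.255.255.255/32")]

# Heartbleed affected OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1;
# 1.0.1g and 1.0.2-beta2 carry the fix, so a trailing 'g' or 'beta2' must not match.
HEARTBLEED_RE = re.compile(
    r"OpenSSL/1\.0\.1[a-f]?(?![0-9a-z])|OpenSSL/1\.0\.2-beta1(?![0-9])")


def extract_ipv4(blob):
    """Return routable IPv4 literals stored as plaintext in a sample."""
    found = set()
    for m in IPV4_RE.finditer(blob):
        text = m.group(1).decode()
        try:
            addr = ip_address(text)
        except ValueError:          # e.g. 999.1.1.1 slipped through the loose regex
            continue
        if not any(addr in net for net in NON_ROUTABLE):
            found.add(text)
    return found


def shared_infrastructure(samples):
    """Map each IP seen in two or more samples to the sample names that embed it."""
    seen = {}
    for name, blob in samples.items():
        for ip in extract_ipv4(blob):
            seen.setdefault(ip, set()).add(name)
    return {ip: names for ip, names in seen.items() if len(names) > 1}


def heartbleed_exposed(banner):
    """True when a Server banner advertises an OpenSSL build affected by Heartbleed."""
    return bool(HEARTBLEED_RE.search(banner))


def assess(samples, banners):
    """For each shared host, record whether a third party could have hijacked it.

    A shared C2 on a Heartbleed-vulnerable server is weak evidence of a shared
    operator, because memory disclosure could have exposed its keys or sessions.
    """
    report = {}
    for ip, names in shared_infrastructure(samples).items():
        vulnerable = heartbleed_exposed(banners.get(ip, ""))
        report[ip] = {"samples": sorted(names), "heartbleed": vulnerable,
                      "attribution_caveat": vulnerable}
    return report


if __name__ == "__main__":
    for ip, detail in assess(SAMPLES, SERVER_BANNERS).items():
        print(ip, detail)
```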
Here’s a set of articles related to the ongoing tensions between the West and Russia and the risk of a much larger conflict being sparked:
The US Department of Homeland Security (DHS) issued an alarming memo over the weekend warning US states and localities about the threat of Russia critical infrastructure cyber attacks. It’s not especially surprising that DHS would issue a warning like this. If anything it’s to be expected. But as we’re going to see, part of what makes this alarm so disturbing is how it is couched in the framework of a kind of cyber Mutually Assured Destruction reality. Cyber-MADness. Because the concern isn’t just that the US is highly vulnerable to cyber attacks. The main concern is that the US would respond with offensive attacks of its own, creating the kind of situation that could quickly escalate.
And as we’re going to see in the second article below, from June 2021, while Joe Biden brought up with Vladimir Putin the idea of creating some sort of critical infrastructure cyber-treaty, those negotiations are ongoing. In other words, such an agreement doesn’t exist. Critical infrastructure is fair game.
As we’re going to see in the third article below, from June 2019, the US has been making it easier and easier for a cyberwar to start. Specifically, in 2018, then-President Trump issued a secret order granting the head of US Cyber Command greater leniency in launching offensive cyber strikes without presidential authority. That same year, Congress slipped a provision into the military authorization bill that gave a similar authority to the defense secretary. So in addition to Biden there are at least two other people in the US government with the authority to launch devastating cyber attacks. And not necessarily just defensive retaliatory attacks.
Finally, it’s worth recalling what we learned in June of 2017: that President Obama ordered the implantation of cyber-bombs on Russian networks in response to the hacking of the DNC in 2016. The publication of this secret program was presumably done to turn these planted cyber-bombs into credible threats the Russians had to fear. Again, more cyber-MADness at work.
That’s all part of the context of the DHS warning to US critical infrastructure operators over the weekend. The kind of warning that’s going to become a lot more prevalent as the new normal of cyber-MADness plays out:
“DHS blasted out the memo Sunday to U.S. critical infrastructure operators and state and local governments around the country, warning that “Russia maintains a range of offensive cyber tools that it could employ against U.S. networks” that make everything from planes to hospitals to dams and bridges operate.”
A warning to critical infrastructure operators around the US of a looming Russian cyberattack. That was the alarm raised in this DHS memo over the week. But as experts warn, the greatest alarm shouldn’t be focused on the possibility of a Russian cyber attack. It’s the danger of a US response, creating an escalating situation that can spiral out of control as each side unleashes attacks that are effectively impossible for each side to stop:
Also, just note regarding the historic hacks on the Colonial Pipeline in May of 2021, recall how the attacker appeared to be utilizing sophisticated hacking software that was being licensed out to independent hackers who would pay a cut to the “Dark Side” core group who developed the tools. So while that core group appears to be based in Russia, the full criminal operation associated with that hack looks more like a global operation. Also recall how circumstantial evidence in that hack suggested the hacker was based in the US since the hackers used servers in Northern California to receive their crypto-ransom payments. Finally, regarding the SolarWinds hack, recall how Russia was almost immediately blamed for the SolarWinds hack by both private security firms and the US government and yet no real evidence was ever publicly revealed for this charge. Russia remains one of the default culprits to be blamed for cyberattacks:
So what’s to prevent an escalation of the tit-for-tat attacks should a cyber attack transpire? Hopefully a mutually held sense of self-preservation. But it’s worth noting that Biden actually proposed last year that the US and Russia declare the 16 forms of critical infrastructure as “off limits” during cyberwars. It’s unclear how far those negotiations ever got, but it sounds like there were at least plans to begin some sort of mutual discussion. In other words, maybe there will be some sort of treaty preventing a tit-for-tat escalation of hitting critical infrastructure. Maybe someday. But not today.
“Biden wasn’t explicit about which areas he wanted out of bounds, but spoke of 16 kinds of infrastructure — an apparent reference to the 16 sectors designated as critical by the U.S. Homeland Security Department, including telecommunications, healthcare, food and energy.”
That’s quite a broad range of infrastructure Joe Biden was trying to take ‘off the table’: telecommunications, healthcare, food, energy, and a dozen other categories. Was some sort of agreement reached? Sort of. They agreed to begin talks:
Let’s hope the two sides manage to work out a deal. Fast. Because as the following article from June 2019 reminds us, it’s not as if the US has only been publicly warning about Russian cyber attacks. Public bragging about how cyber-bombs have already been planted inside Russia’s energy grid has also been part of the US’s anti-hacking toolbox.
The US’s preemptive hacks of Russia’s energy grid reportedly took place in the lead up to the 2018 US mid-term elections and included attacks on the Internet Research Agency. So this isn’t just a matter of planting cyber weapons that could be used at a later date. Some were used already.
But here’s the part of this story that potentially has the biggest implications as the US and Russia continue the current showdown: In 2018, two individuals were granted the authority to conduct offensive cyber attacks without prior presidential authority. The head of Cyber Command was granted that authority in a 2018 classified document known as National Security Presidential Memoranda 13. Then the defense secretary was also granted the authority for routine conduct of “clandestine military activity” in cyberspace, to “deter, safeguard or defend against attacks or malicious cyberactivities against the United States,” without special presidential approval. And those are just the moves to make it easier to launch an offensive cyber attack that we’ve been told about. Who knows how many other people were quietly granted those kinds of authorities in recent years. And that’s why it’s going to be important to keep in mind that a cyber showdown isn’t just a showdown between Biden and Putin. There are a range of actors with the authority to unilaterally trigger a full blown cyberwar:
““It’s 21st-century gunboat diplomacy,” said Robert M. Chesney, a law professor at the University of Texas, who has written extensively about the shifting legal basis for digital operations. “We’re showing the adversary we can inflict serious costs without actually doing much. We used to park ships within sight of the shore. Now, perhaps, we get access to key systems like the electric grid.””
Public declarations that you have preemptively hacked your adversary and will utilize the implanted cyberbombs if attacked. It’s 21st-century cyber gunboat diplomacy. The kind of gunboat diplomacy that simultaneously works to protect domestic critical infrastructure from attacks while simultaneously enshrining that infrastructure as legitimate targets. So it’s kind of like gunboat diplomacy in a world where you can’t stop your adversary from fielding their own gunboats and running them up into your own harbors. Counter-threats are seen as the only option. Preemptive counter-threats:
And note how the range of the US’s cyber options wasn’t just expanded by then-President Trump’s classified National Security Presidential Memoranda 13 order that gave the head of the US Cyber Command far more leeway to conduct offensive online operations without receiving presidential approval. There was also a little-noticed new legal authority slipped into the 2018 military authorization bill passed by Congress that grants the defense secretary the authority to launch these kinds of attacks without presidential authority. So it sounds like both the head of Cyber Command and the defense secretary were granted the power to launch devastating cyber attacks without presidential authority in 2018:
While many have pointed out that Biden has already said he has no intention of moving US troops into Ukraine even if Russia invades the country, keep in mind that a devastating cyberattack would potentially be a great way to change public opinion. The kind of cyberattack that enrages the public. Like taking down a substantial portion of the power grid at a critical time. The threat of devastating cyber attacks may be the 21st Century version of gunboat diplomacy. But an actual devastating cyber attack would be closer to Pearl Harbor. And few events could more effectively get the US into a mood for an apocalyptic war with Russia than a new Pearl Harbor.
It’s all genuinely alarming. Especially when you consider how alarmingly easy a ‘new Pearl Harbor’-style cyber-false flag event could be. So let’s hope the US avoids any nasty cyber incidents as these tensions with Russia play out. And should such an incident happen, let’s hope that’s the end of it. And not the beginning of the end.
It appears the Vault 7 hack might be approaching a final legal resolution: following the mistrial of former CIA coder Joshua Schulte, a new trial is set for next week. And as the following piece in the New Yorker describes, the US government has a pretty compelling circumstantial case against Schulte, including evidence showing Schulte logging into the CIA’s networks and accessing the exact version of hacking tools that were eventually leaked. Notably, Schulte did this after he had his administrative privileges revoked following a series of intra-office disputes with co-workers and his decision to reassign himself to a project he was pulled from. That’s the overall context in which this hack appears to have happened: Schulte, one of the members of the CIA’s coding team, became disgruntled following a dispute with a co-worker, got even more disgruntled based on how the dispute was resolved by superiors, and then had his administrative privileges revoked following more troubling behavior, at which point he stole the tools and leaked them. Schulte didn’t ultimately write a resignation letter for another two months, on June 28, 2016, and didn’t leave the agency for another five months.
So it appears the US government has pretty conclusively caught the leaker. But major questions remain. For starters, it’s still not entirely clear if ideology played a role in Schulte’s motive. On the surface, the guy is reportedly an Ayn Rand-loving libertarian. But as we’re going to see, he has a more troubling background. According to friends during his teen years, Schulte was notorious for drawing swastikas. One friend claims he just did this for the attention and wasn’t a real Nazi. But that brings us to the date of the apparent theft of the code set that was ultimately leaked: according to prosecutors, that happened on April 20, 2016. So is it just a coincidence that Schulte chose the date that is notorious for Hitler’s birthday to log in and steal that code? Sure, it’s possible, but that’s the kind of circumstantial evidence that continues to raise questions about this case.
But then we get to the other disturbing aspect of this investigation into Schulte: the discovery of a trove of child porn on one of his computers. And in case you’re tempted to suspect that the illegal content was placed on his computer by a malicious government, Schulte himself has more or less already admitted to it, decrying it as a victimless crime. Beyond that, Schulte was accused of hosting child porn on a server he had managed during his college years.
So it appears that the guy who leaked Vault7 wasn’t just a CIA coder. He was a CIA coder who might also have been known to draw swastikas and had a history of collecting child porn. And that’s why the questions swirling around this story should really include massive questions about the CIA’s vetting process:
“The Bureau was pursuing what it calls an “unsub”—or “unknown subject”—investigation. “A crime had been committed; we didn’t yet know who had committed it,” one of the lead investigators, Richard Evanchec, later testified. Fairly quickly, the agents ruled out a foreign power as the culprit, deciding that the unsub must be a C.I.A. insider. They zeroed in on the classified computer network from which the data had been stolen—and on the agency employees who had access to that network. Among those who did were the O.S.B. hackers on the ninth floor of the agency’s secret cyber installation in Virginia.”
They didn’t know who leaked Vault 7, but investigators were pretty confident it was an inside job based on circumstantial evidence. And that circumstantial evidence pointed at a recently departed disgruntled former member of the CIA’s O.S.B. team: Joshua Schulte. Following an investigation, the circumstantial evidence is pretty overwhelming: After being stripped of administrative privileges, Schulte appeared to use a back door in the CIA’s network to steal the hacking tools that were ultimately released. And note the date of this theft: April 20, 2016. Perhaps it’s a coincidence, but it’s hard to ignore that Schulte apparently did that act on 4/20, Hitler’s birthday:
That 4/20 apparent date of the code theft brings us to another puzzling aspect of this case: Schulte doesn’t really appear to have any overt ideological motivations. Although he is described as an Ayn Rand-loving libertarian. And that brings us to the accounts from teenage associates who recount that Schulte was notorious for drawing swastikas. Now, being a teen, it’s not inconceivable that this was just attention-getting behavior. But considering the extreme nature of Schulte’s personality, you have to wonder if we’re dealing with a closet Nazi here. And that brings up the broader issue raised by this story: so what kind of people is the CIA hiring in its quest for technical skill?
Then there’s the other massively disturbing, and yet puzzling, aspect of this story: Schulte was in possession of a large trove of child pornography. The trove was discovered by investigators during their search of Schulte’s computers. So did Schulte seriously steal and leak the CIA’s hacking tools while he was simultaneously collecting child porn? It appears so. Schulte even seemed to admit it in his statements that dismissed the discovery, declaring that “The crime I am charged with is in fact a non-violent, victimless crime.” It points towards the extreme nature of Schulte’s psychology:
Despite this pretty compelling circumstantial evidence, Schulte’s first trial ended in a mistrial, attributed in part to the highly technical nature of the evidence against him. A new trial is scheduled to start next week. Note part of the presumed reason for the mistrial: Schulte’s defense appeared to have successfully argued to the jury that the CIA’s networks were so unprotected there’s no reason to assume Schulte was the culprit:
We’ll find out how the government’s second attempt at prosecuting Schulte goes. We’ll presumably find out reasonably soon with the trial about to get underway. But whether or not we’ll ever get satisfactory answers for the numerous major outstanding questions surrounding this story is very much an open question. Including the open question of whether or not the existence of these hacking toolkits that are built to mimic hacks from rival powers will ever be meaningfully acknowledged in our collective analysis of these events.
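The detail above that the leaker kept reaching the network after his administrative privileges were revoked has a plain defensive counterpart: a revocation is only as good as the monitoring that follows it, so every privilege removal should feed a check that flags later activity by that account which the removed privilege would have been needed for. The script below is an added example of that check and is not code from the original page, from any agency, or from the court record; the privilege-feed and access-log formats, the user names, the resource names, and the mapping from actions to required privileges are all constructed assumptions.

```python
"""Flag access that should no longer be possible after a privilege revocation.

Two constructed inputs (not from the page): a privilege-change feed listing
*_REVOKED events, and a repository access log. Two kinds of finding:
  - "high":  an action that requires a privilege the account had already lost
  - "watch": any other activity by a recently revoked account, inside a
             monitoring window, worth a second look by a reviewer
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample feed: "<timestamp> <user> <event> <scope>"
REVOCATION_FEED = """\
2024-03-04T10:00:00Z asmith ADMIN_REVOKED dev-net
2024-03-11T16:45:00Z jdoe ADMIN_REVOKED dev-net
2024-03-11T16:45:00Z jdoe REPO_WRITE_REVOKED dev-net
"""

# Constructed sample access log: "<timestamp> <user> <action> <resource>"
ACCESS_LOG = """\
2024-03-10T15:20:00Z jdoe repo.read repo/toolkit
2024-03-12T08:05:00Z asmith repo.read repo/toolkit
2024-03-15T21:14:00Z jdoe admin.restore_snapshot repo/toolkit
2024-03-15T21:30:00Z jdoe repo.read repo/toolkit
2024-03-16T02:00:00Z jdoe repo.export repo/toolkit
2024-03-20T09:00:00Z bwong repo.export repo/toolkit
"""

# Assumed policy: which privilege each action class needs. Actions not listed
# (e.g. repo.read) are ordinary access that needs no elevated privilege.
REQUIRED_PRIVILEGE = {
    "admin": "ADMIN",            # any admin.* action
    "repo.export": "REPO_WRITE",
    "repo.write": "REPO_WRITE",
}


@dataclass(frozen=True)
class Finding:
    when: datetime
    user: str
    action: str
    resource: str
    severity: str  # "high" or "watch"
    reason: str


def parse_ts(text: str) -> datetime:
    """Parse the fixed UTC timestamp format used by both constructed inputs."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def required_privilege(action: str):
    """Map an action to the privilege it needs, or None for plain access."""
    for prefix, priv in REQUIRED_PRIVILEGE.items():
        if action == prefix or action.startswith(prefix + "."):
            return priv
    return None


def parse_revocations(feed: str) -> dict:
    """Return {user: {privilege: earliest revocation time}} from the feed."""
    revoked: dict = {}
    for line in feed.splitlines():
        if not line.strip():
            continue
        ts, user, event, _scope = line.split()
        if not event.endswith("_REVOKED"):
            continue  # grants and other events are not relevant here
        priv = event[: -len("_REVOKED")]
        when = parse_ts(ts)
        bucket = revoked.setdefault(user, {})
        if priv not in bucket or when < bucket[priv]:
            bucket[priv] = when
    return revoked


def audit(feed: str, log: str, watch_window: timedelta = timedelta(days=14)) -> list:
    """Correlate the access log with revocations and return findings in log order."""
    revoked = parse_revocations(feed)
    findings = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, action, resource = line.split()
        when = parse_ts(ts)
        user_revs = revoked.get(user)
        if not user_revs:
            continue  # account never had anything revoked
        priv = required_privilege(action)
        if priv in user_revs and when >= user_revs[priv]:
            findings.append(Finding(when, user, action, resource, "high",
                                    f"{action} requires {priv}, revoked {user_revs[priv]:%Y-%m-%d}"))
            continue
        first = min(user_revs.values())
        if first <= when <= first + watch_window:
            findings.append(Finding(when, user, action, resource, "watch",
                                    f"activity within {watch_window.days} days of revocation"))
    return findings


if __name__ == "__main__":
    for f in audit(REVOCATION_FEED, ACCESS_LOG):
        print(f"{f.severity:5} {f.when:%Y-%m-%d %H:%M} {f.user:7} {f.action:22} {f.reason}")
```

The "high" findings are the ones that indicate an enforcement failure: an account exercised a privilege the system of record says it no longer had, which is exactly the condition a back door or a stale credential produces. The "watch" findings are deliberately noisier and exist because a disgruntled account's ordinary reads in the days after a revocation are the cheapest early signal a reviewer can get.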