Did you hear the big new hacking news? The news about ‘Fancy Bear’ already getting ready to wage a new hacking campaign against US politicians? If not, here’s a brief summary: Trend Micro, a Japanese cybersecurity firm, just issued a new report purporting to show that ‘Fancy Bear’ has already set up multiple phishing websites intended to capture the login credentials to the US Senate’s email system. And Trend Micro is 100 percent confident this is the work of ‘Fancy Bear’, the Russian military intelligence hacking team.
And what led to Trend Micro’s 100 percent certainty that these phishing sites were set up by ‘Fancy Bear’? Well, that conclusion appears to be based on the similarity of this operation to the Macron email hack that hit the French election last year. You know, the same hack that the French cybersecurity agency said was so unsophisticated that any reasonably skilled hackers could have pulled it off. And the same hacks that comically included the name of a Russian government security contractor in the metadata and were traced back to Andrew ‘weev’ Auernheimer. That’s the hack that this current Senate phishing operation strongly mimics, and that mimicry is what led to Trend Micro’s 100 percent certainty that this is the work of ‘Fancy Bear.’ So how credible is this 100 percent certain cyber attribution? Well, that’s going to be the topic of this post. And as we’re going to see:
1. Contemporary cyber attribution is fraught with peril, relying heavily on “pattern recognition” that makes it ripe for misattributions and false flags.
2. The move to employ “pattern recognition” and use that for nation-state-on-nation-state public attributions of hacks is a relatively new trend in the cybersecurity industry, and it was pioneered by one of the founders of CrowdStrike.
3. When you look at the recent history of the cybersecurity industry, there are A LOT of questions about whether or not these attributions can really be made with certainty.
4. If this mode of cyber attribution turns out to be a bad idea, it could result in international chaos. Seriously, international chaos. Those were the words of France’s top cybersecurity officer following the Macron email hacks.
In other words, beyond not wanting to get a particular instance of cyber attribution wrong, society really doesn’t want to get the whole approach to cyber attribution wrong. Because, again, that could be an invitation for international chaos.
So with that in mind, let’s take a look at that new Trend Micro report and the cyber attribution made with 100 percent certainty:
Associated Press
Cybersecurity firm: US Senate in Russian hackers’ crosshairs
RAPHAEL SATTER
01/12/2018
PARIS (AP) — The same Russian government-aligned hackers who penetrated the Democratic Party have spent the past few months laying the groundwork for an espionage campaign against the U.S. Senate, a cybersecurity firm said Friday.
The revelation suggests the group often nicknamed Fancy Bear, whose hacking campaign scrambled the 2016 U.S. electoral contest, is still busy trying to gather the emails of America’s political elite.
“They’re still very active — in making preparations at least — to influence public opinion again,” said Feike Hacquebord, a security researcher at Trend Micro Inc., which published the report . “They are looking for information they might leak later.”
The Senate Sergeant at Arms office, which is responsible for the upper house’s security, declined to comment.
Hacquebord said he based his report on the discovery of a clutch of suspicious-looking websites dressed up to look like the U.S. Senate’s internal email system. He then cross-referenced digital fingerprints associated with those sites to ones used almost exclusively by Fancy Bear, which his Tokyo-based firm dubs “Pawn Storm.”
Trend Micro previously drew international attention when it used an identical technique to uncover a set of decoy websites apparently set up to harvest emails from the French presidential candidate Emmanuel Macron’s campaign in April 2017. The sites’ discovery was followed two months later by a still-unexplained publication of private emails from several Macron staffers in the final days of the race.
Hacquebord said the rogue Senate sites — which were set up in June and September of 2017 — matched their French counterparts.
“That is exactly the way they attacked the Macron campaign in France,” he said.
Attribution is extremely tricky in the world of cybersecurity, where hackers routinely use misdirection and red herrings to fool their adversaries. But Trend Micro, which has followed Fancy Bear for years, said there could be no doubt.
“We are 100 percent sure that it can be attributed to the Pawn Storm group,” said Rik Ferguson, one of Hacquebord’s colleagues.
Like many cybersecurity companies, Trend Micro refuses to speculate publicly on who is behind such groups, referring to Pawn Storm only as having “Russia-related interests.” But the U.S. intelligence community alleges that Russia’s military intelligence service pulls the hackers’ strings and a months-long Associated Press investigation into the group, drawing on a vast database of targets supplied by the cybersecurity firm Secureworks, has determined that the group is closely attuned to the Kremlin’s objectives.
If Fancy Bear has targeted the Senate over the past few months, it wouldn’t be the first time. An AP analysis of Secureworks’ list shows that several staffers there were targeted between 2015 and 2016.
Among them: Robert Zarate, now the foreign policy adviser to Florida Senator Marco Rubio; Josh Holmes, a former chief of staff to Senate Majority Leader Mitch McConnell who now runs a Washington consultancy; and Jason Thielman, the chief of staff to Montana Senator Steve Daines. A Congressional researcher specializing in national security issues was also targeted.
Fancy Bear’s interests aren’t limited to U.S. politics; the group also appears to have the Olympics in mind.
Trend Micro’s report said the group had set up infrastructure aimed at collecting emails from a series of Olympic winter sports federations, including the International Ski Federation, the International Ice Hockey Federation, the International Bobsleigh & Skeleton Federation, the International Luge Federation and the International Biathlon Union.
The targeting of Olympic groups comes as relations between Russia and the International Olympic Committee are particularly fraught. Russian athletes are being forced to compete under a neutral flag in the upcoming Pyeongchang Olympics following an extraordinary doping scandal that has seen 43 athletes and several Russian officials banned for life. Amid speculation that Russia could retaliate by orchestrating the leak of prominent Olympic officials’ emails, cybersecurity firms including McAfee and ThreatConnect have picked up on signs that state-backed hackers are making moves against winter sports staff and anti-doping officials.
On Wednesday, a group that has brazenly adopted the Fancy Bear nickname began publishing what appeared to be Olympics and doping-related emails from between September 2016 and March 2017. The contents were largely unremarkable but their publication was covered extensively by Russian state media and some read the leak as a warning to Olympic officials not to press Moscow too hard over the doping scandal.
Whether any Senate emails could be published in such a way isn’t clear. Previous warnings that German lawmakers’ correspondence might be leaked by Fancy Bear ahead of last year’s election there appear to have come to nothing.
On the other hand, the group has previously dumped at least one U.S. legislator’s correspondence onto the web.
One of the targets on Secureworks’ list was Colorado State Senator Andy Kerr, who said thousands of his emails were posted to an obscure section of the website DCLeaks — a web portal better known for publishing emails belonging to retired Gen. Colin Powell and various members of Hillary Clinton’s campaign — in late 2016.
...
———-
“Hacquebord said he based his report on the discovery of a clutch of suspicious-looking websites dressed up to look like the U.S. Senate’s internal email system. He then cross-referenced digital fingerprints associated with those sites to ones used almost exclusively by Fancy Bear, which his Tokyo-based firm dubs “Pawn Storm.””
So after cross-referencing the digital fingerprints associated with the Senate email phishing websites, Trend Micro found that these fingerprints were almost exclusively used by ‘Fancy Bear’. That appears to be at the core of Trend Micro’s 100 percent certainty in attributing these websites to Fancy Bear.
And it sounds like those digital fingerprints point back to the Macron hack, which is presumably part of the basis of their 100 percent level of certainty. Although it’s unclear because Trend Micro relates the US Senate phishing attempt back to the Macron hacks merely by stating that the US Senate phishing websites matched their French counterparts. “That is exactly the way they attacked the Macron campaign in France,” said Trend Micro:
...
Hacquebord said the rogue Senate sites — which were set up in June and September of 2017 — matched their French counterparts.
“That is exactly the way they attacked the Macron campaign in France,” he said.
Attribution is extremely tricky in the world of cybersecurity, where hackers routinely use misdirection and red herrings to fool their adversaries. But Trend Micro, which has followed Fancy Bear for years, said there could be no doubt.
“We are 100 percent sure that it can be attributed to the Pawn Storm group,” said Rik Ferguson, one of Hacquebord’s colleagues.
...
“We are 100 percent sure that it can be attributed to the Pawn Storm group.” That’s the message from Trend Micro following the release of this report.
And then Trend Micro touts its previous big attribution score when it drew international attention by attributing the phishing sites set up in the Macron hacks back to ‘Fancy Bear’/APT28/Pawn Storm:
...
Trend Micro previously drew international attention when it used an identical technique to uncover a set of decoy websites apparently set up to harvest emails from the French presidential candidate Emmanuel Macron’s campaign in April 2017. The sites’ discovery was followed two months later by a still-unexplained publication of private emails from several Macron staffers in the final days of the race.
...
“The sites’ discovery was followed two months later by a still-unexplained publication of private emails from several Macron staffers in the final days of the race.”
You have to love the phrasing of the “still-unexplained publication of private emails.” Yeah, it’s still unexplained because the whole world appeared to drop that line of inquiry after the reports pointing back to Auernheimer’s involvement in the hack.
So that’s the public reporting on these new US Senate phishing sites and the 100 percent certain attribution of them back to APT28. And if we take it at face value, we would have to conclude that Russia’s government hackers executed this phishing attempt while leaving digital fingerprints that uniquely tie back to prior phishing campaigns, which, if true, sure sounds like “I’m a Russian hacker! Please blame it on me!” kind of behavior.
The Trend Micro US Senate Phishing Report: An Evidentiary Tributary Vague Trickle of ‘Digital Fingerprints’ Tells the Story
But if the digital fingerprints do indeed point back to prior hacking campaigns carried out by APT28/Fancy Bear/Pawn Storm, what’s the actual evidence provided by Trend Micro? Did Trend Micro find that the phishing websites were literally hosted on the same servers as previously identified phishing sites and/or shared some other physical infrastructure that was used in previous hacks? And if so, which hacks?
Well, when you read the Trend Micro report, it does explicitly say that they can “uniquely relate” the phishing websites set up for this US Senate hack attempt back to two attacks by Fancy Bear a.k.a Pawn Storm. One in 2016 and one in 2017. But they don’t clarify which particular hacks they were referring to. The 2017 hack they refer to might be the Macron hack, but the report mentions a number of different 2017 campaigns they attributed to APT28.
The report also makes a rather notable observation about the behavior of ‘Fancy Bear’: they appear to follow largely the same script over and over. Trend Micro attributes this behavior to ‘Fancy Bear’ having both a large volume of targets and a large box of hacking tools, so few updates to its techniques are required. And this is true in terms of reusing the same methodology, in the sense that relatively unsophisticated phishing campaigns probably can largely all follow the same script. But it’s also the case that reusing the same digital infrastructure — like the same malware — over and over is a great way to make your hacking group relatively easy to identify by investigators and, more importantly, relatively easy to frame by third parties.
Now, it’s true that reuse of malware shouldn’t actually be seen as strong evidence that two separate attacks are related, unless it’s very unique malware and there’s no evidence of it being ‘in the wild’ and available to other hackers. But in today’s context, reuse of malware, including malware ‘in the wild’, is routinely used by the cybersecurity industry as evidence that different attacks were carried out by the same group. Take, for example, the bogus claim made by CrowdStrike that the “X‑Agent” malware found in the DNC server attack is used solely by the Russian government.
Similarly, seeing the same ISP being used in two separate attacks shouldn’t actually be seen as strong evidence that the two attacks are related, because you can easily have different hacking groups sharing the same hacker-friendly ISPs. But in today’s context, reusing things like the same ISP over and over is basically asking to have your various hacking campaigns attributed to each other. And it’s also asking to have a third party frame you.
In other words, reusing methodologies is understandable when you’re relying on unsophisticated techniques. But reusing the same digital infrastructure is a very different kind of lack of sophistication... unless, of course, a group like ‘Fancy Bear’ wants to have all of its various hacking campaigns attributed back to them. That’s something to keep in mind when reading the following Trend Micro report.
The report also includes a note on other hackers copying Fancy Bear’s technique, warning that “actors from developing countries will learn and probably adapt similar methods quickly in the near future.” And that warning raises the obvious question of why we shouldn’t assume all sorts of actors, in any country, have already adapted similar methods, including using the same digital infrastructure when information on that is available.
So there are a number of questions raised by the Trend Micro report, and not a lot of answers on how exactly they arrived at their conclusions:
Trend Micro
Update on Pawn Storm: New Targets and Politically Motivated Campaigns
Posted on: January 12, 2018 at 5:00 am
In the second half of 2017 Pawn Storm, an extremely active espionage actor group, didn’t shy away from continuing their brazen attacks. Usually, the group’s attacks are not isolated incidents, and we can often relate them to earlier attacks by carefully looking at both technical indicators and motives.
Pawn Storm has been attacking political organizations in France, Germany, Montenegro, Turkey, Ukraine, and the United States since 2015. We saw attacks against political organizations again in the second half of 2017. These attacks don’t show much technical innovation over time, but they are well prepared, persistent, and often hard to defend against. Pawn Storm has a large toolset full of social engineering tricks, malware and exploits, and therefore doesn’t need much innovation apart from occasionally using their own zero-days and quickly abusing software vulnerabilities shortly after a security patch is released.
In summer and fall of 2017, we observed Pawn Storm targeting several organizations with credential phishing and spear phishing attacks. Pawn Storm’s modus operandi is quite consistent over the years, with some of their technical tricks being used repeatedly. For example, tabnabbing was used against Yahoo! users in August and September 2017 in US politically themed email. The method, which we first discussed in 2014, involves changing a browser tab to point to a phishing site after distracting the target.
We can often closely relate current and old Pawn Storm campaigns using data that spans more than four years, possibly because the actors in the group follow a script when setting up an attack. This makes sense, as the sheer volume of their attacks requires careful administration, planning, and organization to succeed. The screenshots below show two typical credential phishing emails that targeted specific organizations in October and November 2017. One type of email is supposedly a message from the target’s Microsoft Exchange server about an expired password. The other says there is a new file on the company’s OneDrive system.
While these emails might not seem to be advanced in nature, we’ve seen that credential loss is often the starting point of further attacks that include stealing sensitive data from email inboxes. We have worked with one of the targets, an NGO in the Netherlands targeted twice, in late October and early November 2017. We successfully prevented both attacks from causing any harm. In one case we were able to warn the target within two hours after a dedicated credential phishing site was set up. In an earlier attack, we were able to warn the organization 24 hours before the actual phishing emails were sent.
...
Political targets
In the week of the 2017 presidential elections in Iran, Pawn Storm set up a phishing site targeting chmail.ir webmail users. We were able to collect evidence that credential phishing emails were sent to chmail.ir users on May 18, 2017, just one day before the presidential elections in Iran. We have previously reported similar targeted activity against political organizations in France, Germany, Montenegro, Turkey, Ukraine, and the United States.
Beginning in June 2017, phishing sites were set up mimicking the ADFS (Active Directory Federation Services) of the U.S. Senate. By looking at the digital fingerprints of these phishing sites and comparing them with a large data set that spans almost five years, we can uniquely relate them to a couple of Pawn Storm incidents in 2016 and 2017. The real ADFS server of the U.S. Senate is not reachable on the open internet, however phishing of users’ credentials on an ADFS server that is behind a firewall still makes sense. In case an actor already has a foothold in an organization after compromising one user account, credential phishing could help him get closer to high profile users of interest.
The future of politically motivated campaigns
Rogue political influence campaigns are not likely to go away in the near future. Political organizations have to be able to communicate openly with their voters, the press and the general public. This makes them vulnerable to hacking and spear phishing. On top of that, it’s also relatively easy to influence public opinion via social media. Social media platforms continue to form a substantial part of users’ online experience, and they let advertisers reach consumers with their message.
This makes social media algorithms susceptible to abuse by various actors with bad intentions. Publishing stolen data together with spreading fake news and rumors on social media gives malicious actors powerful tools. While a successful influence campaign might seem relatively easy to do, it needs a lot of planning, persistence, and resources to be successful. Some of the basic tools and services, like ones used to spread fake news on social media, are already being offered as a service in the underground economy.
As we have mentioned in our overview paper on Pawn Storm, other actors may also start their own campaigns that aim to influence politics and issues of interest domestically and abroad. Actors from developing countries will learn and probably adapt similar methods quickly in the near future. In 2016, we published a report on C Major, an espionage group that primarily targets the Indian military. By digging deeper into C Major’s activities, we found that this actor group not only attacks the Indian military, but also has dedicated botnets for compromised targets in Iranian universities, Afghanistan, and Pakistan. Recently, we have witnessed C Major also showing some interest in compromising military and diplomatic targets in the West. It is only a matter of time before actors like C Major begin attempting to influence public opinion in foreign countries, as well.
With the Olympics and several significant global elections taking place in 2018, we can be sure Pawn Storm’s activities will continue. We at Trend Micro will keep monitoring their targeted activities, as well as activities of similar actors, as cyberpropaganda and digital extortion remain in use.
...
———-
“Beginning in June 2017, phishing sites were set up mimicking the ADFS (Active Directory Federation Services) of the U.S. Senate. By looking at the digital fingerprints of these phishing sites and comparing them with a large data set that spans almost five years, we can uniquely relate them to a couple of Pawn Storm incidents in 2016 and 2017. The real ADFS server of the U.S. Senate is not reachable on the open internet, however phishing of users’ credentials on an ADFS server that is behind a firewall still makes sense. In case an actor already has a foothold in an organization after compromising one user account, credential phishing could help him get closer to high profile users of interest.”
So in June 2017, phishing sites get set up to mimic the US Senate’s email site. And the digital fingerprints on these sites “uniquely relate” them to a couple of Pawn Storm incidents in 2016 and 2017. That appears to be the primary line of evidence leading them to conclude that ‘Fancy Bear’/‘Pawn Storm’ is indeed the entity behind this Senate phishing attempt. And none of that evidence is actually given. It is solely a “Trust Us” attribution.
And note how the lack of technical innovation over time appears to be a key element in allowing Trend Micro to search through its database of attacks and match the ‘digital fingerprints’ of present day attacks with prior attacks:
...
Pawn Storm has been attacking political organizations in France, Germany, Montenegro, Turkey, Ukraine, and the United States since 2015. We saw attacks against political organizations again in the second half of 2017. These attacks don’t show much technical innovation over time, but they are well prepared, persistent, and often hard to defend against. Pawn Storm has a large toolset full of social engineering tricks, malware and exploits, and therefore doesn’t need much innovation apart from occasionally using their own zero-days and quickly abusing software vulnerabilities shortly after a security patch is released.....
We can often closely relate current and old Pawn Storm campaigns using data that spans more than four years, possibly because the actors in the group follow a script when setting up an attack. This makes sense, as the sheer volume of their attacks requires careful administration, planning, and organization to succeed. The screenshots below show two typical credential phishing emails that targeted specific organizations in October and November 2017. One type of email is supposedly a message from the target’s Microsoft Exchange server about an expired password. The other says there is a new file on the company’s OneDrive system.
...
So ‘Fancy Bear’ keeps using the same methodology and seemingly follows a script, leaving a growing digital trail over the years that can be used for attribution of future attacks. And yet as Trend Micro warns, there’s reason to assume other actors are going to adopt similar methods “in the near future” to sway elections in other countries:
...
As we have mentioned in our overview paper on Pawn Storm, other actors may also start their own campaigns that aim to influence politics and issues of interest domestically and abroad. Actors from developing countries will learn and probably adapt similar methods quickly in the near future. In 2016, we published a report on C Major, an espionage group that primarily targets the Indian military. By digging deeper into C Major’s activities, we found that this actor group not only attacks the Indian military, but also has dedicated botnets for compromised targets in Iranian universities, Afghanistan, and Pakistan. Recently, we have witnessed C Major also showing some interest in compromising military and diplomatic targets in the West. It is only a matter of time before actors like C Major begin attempting to influence public opinion in foreign countries, as well.
...
And, of course, just as third parties might use the same methodology, they also might decide to try to leave the same digital fingerprints as ‘Fancy Bear’ if that’s an option because why not? If the malware or server hosts that ‘Fancy Bear’, or any other high profile hacking group, keeps getting reused and this becomes publicly known, why wouldn’t other hackers use the same malware and server hosts if that’s an option? This is probably a good time to remind ourselves that one of the key ‘digital fingerprints’ found in the 2016 DNC hack used to attribute that hack to ‘Fancy Bear’ was the reuse of a command and control server’s IP address (176.31.112.10) made public in 2015 following the Bundestag hack of May 2015.
And note how there are actually a number of 2017 hacks attributed to ‘Fancy Bear’ that Trend Micro references in this report. So if it “uniquely” traced the US Senate phishing sites (which were actually set up in June of 2017...a month after the French elections) back to another 2017 attack, it’s not clear which 2017 attack Trend Micro was uniquely tying the US Senate phishing sites back to.
But again, the overall message from Trend Micro in this report is “Trust Us, we got this covered...look at what a great job we did identifying the Macron hacks.”
About Those Macron Hack Attributions...
So Trend Micro found that two prior attacks, one in 2017 and one in 2016, shared the same digital fingerprints that it found after investigating the websites associated with this new US Senate phishing campaign. And the 2017 attack it referred to was maybe the Macron email hack, although that’s very ambiguous. And we’re basically expected to just trust them on this attribution.
So how much blind trust should we place in Trend Micro’s — or any other cybersecurity firm’s — attribution when basically no technical evidence is given? Well, to explore this topic, let’s take an extended look at the Macron hacks. And not just Trend Micro’s work on those hacks, because there were a number of different cybersecurity firms, along with the US government, who weighed in on that hack and concluded with near certainty that it was ‘Fancy Bear’ behind it.
And as we look into this, note that, if the 2017 hack Trend Micro related the US Senate phishing sites back to was indeed the Macron hack, then we can make an educated guess that the 2016 hack Trend Micro uniquely related back to the US Senate phishing attack was actually the 2016 DNC server attack. Because as we’ll see in the following article, when Trend Micro first reported on the Macron email hack back in April of 2017, there was one particular 2016 hack that Trend Micro claimed had a number of ‘digital similarities’ to the Macron hack. And those ‘digital similarities’ included similarities in the IP address involved and malware used: The 2016 DNC server hack:
The Washington Post
Cyberattack on French presidential front-runner bears Russian ‘fingerprints,’ research group says
By Rick Noack
April 25, 2017
PARIS — A security firm claimed Tuesday that new cyberattacks on the campaign offices of the front-runner in France’s presidential race carried digital “fingerprints” similar to the suspected Russian hacking of the Democratic National Committee and others in the 2016 U.S. election.
The report, by the Trend Micro research group, did not disclose the potential fallout of the infiltration on the campaign of Emmanuel Macron, a centrist who faces far-right leader Marine Le Pen in a May 7 runoff.
If a Russian connection is proved, the hacking would add to mounting allegations that Moscow is backing attempts to influence Western elections in favor of candidates with policies potentially more friendly to the Kremlin. Le Pen has voiced opposition to the powers of the European Union and has called for better ties with Russia, echoing some of the campaign rhetoric of President Trump.
Tokyo-based Trend Micro said Macron’s campaign was targeted in March and April by a cyberspying group called Pawn Storm. The group has allegedly used phishing and malware to infiltrate other political organizations, as well, such as German Chancellor Angela Merkel’s Christian Democratic Union and the U.S. Democratic National Committee.
“There are several things which suggest that the group behind the Macron hacking was also responsible for the DNC breach, for example. We found similarities in the IP addresses and malware used in the attacks,” said Rik Ferguson, vice president of Trend Micro’s security research program.
“We cannot say for sure whether this was directed by the Russian government, but the group behind the attacks certainly appears to pursue Russian interests,” added Ferguson, speaking from the company’s London offices.
According to the research firm, the hackers created several email addresses on a fake server with the URL onedrive-en-marche.fr, operating from computers with IP addresses in multiple European nations, including Britain.
...
ANSSI, the French government’s cybersecurity agency, confirmed the more recent cyberattacks against Macron but left open the possibility that they could be the work of “other high-level” hackers trying to point the blame at Pawn Storm.
...
———-
““There are several things which suggest that the group behind the Macron hacking was also responsible for the DNC breach, for example. We found similarities in the IP addresses and malware used in the attacks,” said Rik Ferguson, vice president of Trend Micro’s security research program.”
The same IP addresses and same malware used in the Macron and DNC attacks. Or, at least, similar IP addresses and malware. That’s what Trend Micro found when it looked into Macron email hacks back in 2017.
So what does it mean to have “similar IP addresses” between two hacks? Well, that’s probably a reference to two hacks sharing the same IP blocks. And sharing IP blocks with previous attacks merely suggests the use of the same Internet Service Provider (ISP), since ISPs are assigned blocks of IP addresses to use. And sharing an ISP with previous hackers is fairly weak evidence. Of course hackers are going to gravitate towards hacker-friendly ISPs! Especially if they want to misdirect the attribution of the attack!
And neither is “similar malware” compelling evidence... unless there’s reason to believe that malware isn’t available to outside hackers. But if ‘Fancy Bear’ has been reusing the same, or similar, malware for years, what are the odds that its malware collection isn’t already ‘in the wild’? As we saw with the ‘X‑Agent’ malware, assuming this malware is unique to one group is a bad idea. And even if the malware ‘Fancy Bear’ keeps reusing has somehow avoided ending up ‘in the wild’, why does this group continue to reuse the same unique collection of malware over and over? It just makes attribution that much easier!
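The two objections above (a shared IP block only means a shared hosting provider; a shared malware family means little once that family is obtainable by others), plus the earlier point about reuse of a C2 address that had already been published, as a worked check. This is an added example, not code from the post or from Trend Micro; the netblocks, provider names, the malware family ConstructedFamilyQ and all incident data are constructed, and treating X-Agent as publicly obtainable and 176.31.112.10 as a previously published address are assumptions taken from the post’s argument.

```python
import ipaddress

# Constructed netblock-to-provider table (stand-in for WHOIS/RIR lookups).
NETBLOCKS = {
    ipaddress.ip_network("176.31.112.0/24"): "hoster-A",
    ipaddress.ip_network("198.51.100.0/24"): "hoster-A",
    ipaddress.ip_network("203.0.113.0/24"): "hoster-B",
}

# Assumptions encoding the post's argument: X-Agent is treated as obtainable by
# third parties, and 176.31.112.10 as an address already reported publicly.
PUBLIC_FAMILIES = {"X-Agent"}
PUBLISHED_IPS = {"176.31.112.10"}

# Evidential weight per finding type; artifacts anyone could reuse score lowest.
WEIGHTS = {
    "published_ip_reuse": 1,   # address already public: any tenant could pick the same host
    "unpublished_ip_reuse": 2,
    "same_provider": 1,        # same netblock = same hosting company, nothing more
    "public_malware": 1,
    "unique_malware": 2,
}


def provider_for(ip):
    """Map an address to its (constructed) hosting provider, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, prov in NETBLOCKS.items():
        if addr in net:
            return prov
    return None


def compare(old, new):
    """Findings and a capped confidence label that `new` shares an actor with `old`."""
    findings = []
    shared_ips = old["c2_ips"] & new["c2_ips"]
    for ip in sorted(shared_ips):
        kind = "published_ip_reuse" if ip in PUBLISHED_IPS else "unpublished_ip_reuse"
        findings.append((kind, ip))
    # Provider overlap is only counted for addresses that are not literally shared,
    # so an exact IP match is not double-counted as a netblock match too.
    prov_old = {provider_for(ip) for ip in old["c2_ips"]} - {None}
    prov_new = {provider_for(ip) for ip in new["c2_ips"] - shared_ips} - {None}
    common = sorted(prov_old & prov_new)
    if common:
        findings.append(("same_provider", ",".join(common)))
    for fam in sorted(old["malware"] & new["malware"]):
        kind = "public_malware" if fam in PUBLIC_FAMILIES else "unique_malware"
        findings.append((kind, fam))
    score = sum(WEIGHTS[k] for k, _ in findings)
    # Technical overlap alone never reaches "high": shared tooling and hosting
    # can be reused, or deliberately planted, by a third party.
    label = "none" if score == 0 else "low" if score <= 2 else "moderate"
    return {"findings": findings, "score": score, "label": label}


# Constructed incidents for the demonstration.
INCIDENT_2015 = {"c2_ips": {"176.31.112.10", "203.0.113.7"},
                 "malware": {"X-Agent", "ConstructedFamilyQ"}}
INCIDENT_2016 = {"c2_ips": {"176.31.112.10", "198.51.100.44"},
                 "malware": {"X-Agent"}}
INCIDENT_2017 = {"c2_ips": {"176.31.112.200", "203.0.113.99"},  # same /24, other hosts
                 "malware": {"X-Agent"}}

if __name__ == "__main__":
    for a, b, tag in [(INCIDENT_2015, INCIDENT_2016, "2015 vs 2016"),
                      (INCIDENT_2016, INCIDENT_2017, "2016 vs 2017")]:
        result = compare(a, b)
        print(tag, result["label"], result["findings"])
```

The 2016-vs-2017 pair shows the “similar IP addresses” case: different hosts in the same block plus a widely available family yields only a low score, and even an exact reuse of an already published C2 address in the 2015-vs-2016 pair tops out at moderate.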
Where the Beef Evidence? Seriously, Where is It?
But let’s not focus exclusively on Trend Micro when it comes to the Macron hack. Because a lot of different cybersecurity companies made exactly the same attribution, along with the US government too. Curiously, all of these sources appeared to be extremely confident that the phishing sites targeting the Macron campaign and identified by Trend Micro in its April 25th, 2017, report were indeed attributable to ‘Fancy Bear’, and in a number of cases they even referred back to their big reports. And yet, when you look at the actual reports, there is no evidence listed and, in the case of the US government report, there’s no reference to the Macron hacks at all. It’s bizarre.
First, let’s take a look at this Defense One article from May 6, 2017. That’s one day after the BIG document dump of Macron campaign emails. Recall that there was a May 3rd document dump of a few documents that appeared to be tampered with and then a much larger May 5th dump.
Also recall, and as we’ll examine in more detail later, both of these document dumps appeared to originate from within the American ‘Alt-Right’, with Andrew Auernheimer a central figure.
So this article was written one day after a very big last minute document dump and the way these documents were dumped did not at all fit the ‘Russia did it’ pattern. That’s why when you read this article you’ll see parallel discussions of the phishing sites that Trend Micro reported on a couple weeks earlier paired with acknowledgments from Trend Micro that there’s no evidence conclusively pinning the hack on ‘Fancy Bear’. In other words, there’s an implicit acknowledgement that the phishing sites set up to target the Macron campaign may not have been the source of these hacked documents.
But when it comes to who set up those phishing sites, the article includes more than just Trend Micro making near certain conclusions that Fancy Bear was behind it. A representative from Flashpoint, another cybersecurity firm, is also quoted as basically treating it as a foregone conclusion that ‘Fancy Bear’ set up the phishing sites, and the article links back to the US government’s “Grizzly Steppe” report, which was supposedly updated to include that evidence. But as we’ll see, Flashpoint never actually explains anywhere how it arrived at this conclusion and the US government report contains no reference at all to the Macron hacks. It was “Trust Us” attribution at work all around:
Defense One
France’s Macron Hack Likely By Same Russian Group That Hit DNC, Sources Say
By Patrick Tucker
Technology Editor
May 6, 2017
The same Putin-backed hacking group that targeted the Democratic National Committee last year has been targeting French presidential candidate Emmanuel Macron, according to multiple cybersecurity groups.
On Friday, Macron claimed that his campaign had suffered a “massive and coordinated” data theft and smear campaign, some 9 gigabytes of data stolen and published to an anonymous sharing site called Pastebin.
No hard evidence has yet emerged linking the targeting to the doc dump. But over several weeks leading to the attack on Macron’s campaign, several firms in the private security community issued warnings. On April 25, cybersecurity group Trend Micro claimed a group known as APT 28, or Fancy Bear and Pawn Storm, was actively targeting the Macron campaign with bogus emails to convince campaign higher-ups to click on links.
The evidence: On March 15, operators working from IP addresses associated with APT 28 were registering domain names that were related to the Macron campaign, such as onedrive-en-marche.fr. Registering phony email domains would allow the operatives to send emails to targeted campaign workers that appear to be from the campaign. A cybersecurity professional with direct knowledge of the hack told Defense One that the same Putin-backed hacking group that targeted the DNC had also been targeting Macron. But they could not say with certainty that those actors were the same individuals who put the documents on the Pastebin site, (or if the documents on Pastebin were even authentic.)
Of particular interest in the Macron case is a new tactic: rather than luring the victim to a link and then trying to convince them to give up his or her password, APT 28 was targeting the Macron campaign with a lure to fake computer applications that looked like they actually came from Google. This time the victims weren’t prompted to give up their passwords. Instead they could simply authorize a program that looked like it came from a trusted provider to do what that program (looks like) it is supposed to do. The scam is called Open Authentication or an OAuth attack. “The big advantage is that users don’t have to reveal their password to the third party. Instead the third party applications get a token that can be used for authentication,” Trend Micro says in their report.
Greg Martin, CEO of the firm JASK, told Business Insider that this represented a clear escalation of tactics. “It’s a new style of attack … very deadly and unprecedented … It’s the first time we have seen this in the wild.”
Vitali Kremez, director of research at the cybersecurity firm Flashpoint, also offered cautious analysis to the New York Times on Friday. “The key goals and objectives of the campaign appear to be to undermine Macron’s presidential candidacy and cast doubt on the democratic electoral process in general.”
He later told Reuters that APT 28 was indeed behind the attack after determining that APT 28 related entities had “registered decoy internet addresses to mimic the name of En Marche … including onedrive-en-marche.fr and mail-en-marche.fr.”
The event follows months of warnings about Kremlin influence and information operations allegedly targeting the French election for the benefit Marine Le Pen’s National Front Party. On January 8, France’s Minister of Defense Jean-Yves Le Drian told French newspapers that “one cannot be naive,” about the likelihood of Kremlin involvement to aid Le Pen, who has supported a closer relationship with Putin and a weakening of the EU.
Defense One first reported in January that the group sometimes known as Fancy Bear, APT 28, and by other names was actively targeting the French election with the same email tactics that they employed against previous targets, including, most famously the DNC.
It’s not the first time Kremlin-backed hackers have targeted France. In April of 2015, the same group, posing as ISIS-linked Islamic extremists and calling itself the Cyber Caliphate also attacked French television station TV5 Monde. The intent of that attack remains unclear.
Authorities and investigators have yet to make public hard forensic evidence linking the group to the hack on Macron’s campaign.
Today, in response to Macron’s claim, Trend Micro offered a clarifying statement. “Trend Micro does not have evidence that this is associated with the group known as Pawn Storm (also APT28 and other names). The techniques used in this case seem to be similar to previous attacks. Without further evidence, it is extremely difficult to attribute this hack to any particular person or group.”
In the meantime, some analysis suggests that portions of the 9 gigabyte document dump, or at least portions of it that are spreading on social media, may be forged.
@wikileaks Two documents purporting to show that Macron has offshore accounts were created yesterday, the day of the debate #MacronLeaks pic.twitter.com/cxqZnZmNTh
— Nathan Patin (@NathanPatin) May 6, 2017
The mixing of fake documents with stolen real documents, and then dumping both on the public to achieve a better political or market effect, is something that members of the intelligence community have worried about publicly for years. Kremlin-backed actors have done it before, but not through Wikileaks. Last August, hackers dumped a series of documents on the sites CyberBerkut and DC Leaks, both of which the intelligence community has linked to Putin’s government. It was an attempt to smear a Putin political opponent by connecting him to George Soros. Problem is, the docs didn’t match, suggesting a forgery.
...———-
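The OAuth lure described in the Defense One excerpt above is worth pinning down, because “the victims weren’t prompted to give up their passwords” changes what a defender has to do afterwards. What follows is an added example written for this post, not code from Trend Micro, Defense One or any identity provider: a toy authorization server in which the user, the app name (“Google Mail Guard”, made up to echo the ‘looked like it came from Google’ lure), the scopes and the token format are all constructed. It shows that a token handed to an app through a consent screen keeps working after the victim changes their password, and only stops working when the app’s grant is revoked.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Grant:
    """One user's consent to one app, keyed by the bearer token the app holds."""
    app_id: str
    user: str
    scopes: frozenset
    revoked: bool = False


class ToyAuthServer:
    """Constructed stand-in for an identity provider's login, consent and token
    endpoints. It models only what a consent phish needs: app registration, a
    consent screen that shows the app's self-chosen display name, and tokens."""

    def __init__(self):
        self.passwords = {}   # user -> password (checked at the provider only)
        self.apps = {}        # app_id -> display name shown on the consent screen
        self.grants = {}      # bearer token -> Grant

    def register_user(self, user, password):
        self.passwords[user] = password

    def register_app(self, app_id, display_name):
        # Any developer can register an app, and the developer chooses the
        # display name, so an attacker can pick one that looks first-party.
        self.apps[app_id] = display_name

    def login(self, user, password):
        """The victim types the password here, at the provider, never at the app."""
        if self.passwords.get(user) != password:
            raise PermissionError("bad login")
        return ("session", user)

    def consent(self, session, app_id, scopes):
        """Consent screen: the user approves the requested scopes for the named
        app. The app receives a bearer token; it never learns the password."""
        _, user = session
        if app_id not in self.apps:
            raise KeyError("unknown app")
        token = secrets.token_hex(16)
        self.grants[token] = Grant(app_id, user, frozenset(scopes))
        return token

    def read_mail(self, token):
        """Resource endpoint: honours any live token that carries mail.read."""
        g = self.grants.get(token)
        if g is None or g.revoked or "mail.read" not in g.scopes:
            raise PermissionError("token not valid for mail.read")
        return f"mailbox of {g.user}"

    def change_password(self, user, new_password):
        # Mirrors real providers: rotating the password does not invalidate
        # tokens already issued to third-party apps.
        self.passwords[user] = new_password

    def revoke_app(self, user, app_id):
        """The response action that actually works: revoke the app's grants."""
        n = 0
        for g in self.grants.values():
            if g.user == user and g.app_id == app_id and not g.revoked:
                g.revoked = True
                n += 1
        return n

    def live_grants(self, user):
        """What a defender should review: which apps hold live tokens for a user."""
        return sorted((g.app_id, self.apps[g.app_id], sorted(g.scopes))
                      for g in self.grants.values()
                      if g.user == user and not g.revoked)


def suspicious_grants(server, user, allowed_app_ids):
    """Flag live grants to apps outside an allow-list that hold mail or offline scopes."""
    risky = {"mail.read", "offline_access"}
    return [(app_id, name) for app_id, name, scopes in server.live_grants(user)
            if app_id not in allowed_app_ids and risky & set(scopes)]


def consent_phish_scenario():
    """Run the attack and both candidate responses; report what each achieved."""
    srv = ToyAuthServer()
    srv.register_user("staffer@example.org", "correct horse")   # constructed victim
    srv.register_app("attacker-app-1", "Google Mail Guard")      # constructed lure name
    # The victim follows the lure, logs in at the provider, and clicks "Allow".
    session = srv.login("staffer@example.org", "correct horse")
    token = srv.consent(session, "attacker-app-1", ["mail.read", "offline_access"])

    out = {"attacker_has_password": False}   # nothing above handed it to the app
    out["initial"] = srv.read_mail(token)
    srv.change_password("staffer@example.org", "new password")
    out["after_password_change"] = srv.read_mail(token)        # still works
    out["flagged"] = suspicious_grants(srv, "staffer@example.org", {"corp-mail-client"})
    out["revoked_count"] = srv.revoke_app("staffer@example.org", "attacker-app-1")
    try:
        srv.read_mail(token)
        out["after_revoke"] = "still works"
    except PermissionError:
        out["after_revoke"] = "blocked"
    return out


if __name__ == "__main__":
    for key, value in consent_phish_scenario().items():
        print(f"{key}: {value}")
```

The practical point for incident response is in the last three results: a forced password reset, the reflex answer to credential phishing, leaves the attacker’s token alive, and the grant review is what surfaces and ends the access.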
“No hard evidence has yet emerged linking the targeting to the doc dump. But over several weeks leading to the attack on Macron’s campaign, several firms in the private security community issued warnings. On April 25, cybersecurity group Trend Micro claimed a group known as APT 28, or Fancy Bear and Pawn Storm, was actively targeting the Macron campaign with bogus emails to convince campaign higher-ups to click on links.”
No hard evidence has yet emerged linking the targeting of the Macron camp with the phishing sites to the actual document dump. That was the assessment one day after the big Macron document dump. And that’s not unreasonable since it was just one day. That’s not a lot of time to gather evidence.
And yet the attribution of the phishing sites to ‘Fancy Bear’ is treated like a certainty. And that includes linking to the US government’s Grizzly Steppe report that purportedly ties the registration of the phishing site domain names to APT28/Fancy Bear:
...
The evidence: On March 15, operators working from IP addresses associated with APT 28 were registering domain names that were related to the Macron campaign, such as onedrive-en-marche.fr. Registering phony email domains would allow the operatives to send emails to targeted campaign workers that appear to be from the campaign. A cybersecurity professional with direct knowledge of the hack told Defense One that the same Putin-backed hacking group that targeted the DNC had also been targeting Macron. But they could not say with certainty that those actors were the same individuals who put the documents on the Pastebin site, (or if the documents on Pastebin were even authentic.)
...
Here’s the problem with that Grizzly Steppe report’s attribution. If you look at the Grizzly Steppe report, there is indeed an April 6, 2017 update listed on the home page of that report. It’s one line, “April 6, 2017: Updated AR-17–20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity with Section 508 Remediation.” Section 508 is the US federal accessibility requirement for government documents, so a “508 remediation” means the PDF was reworked for accessibility tools, not that new analysis was added. And the AR-17–20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity report bears that out: if you search through the document, you won’t find the words “France”, “Macron” or “onedrive”, and there is no reference to the April 6, 2017 date either. As far as the content goes, it’s as if the only update was the note on the home page saying the report was updated.
And that’s not the only example of the assertion that ‘Fancy Bear’ was behind the registration of these Macron-targeted phishing domains. The Trend Micro report on “Pawn Storm” (Fancy Bear/APT28) released on April 25th, 2017, purporting to demonstrate that Fancy Bear was behind the phishing sites contains a single reference to the Macron email hack in the list of domains Trend Micro has attributed to APT28. Go to page 13 of the report and you see the “Emmanuel Macron campaign” listed as the target and “onedrive-en-marche.fr” listed as the phishing domain in a table that lists the domains Trend Micro has concluded was registered by Pawn Storm/Fancy Bear/APT28. That’s it. No description of how that attribution was made. And there is no other reference to France or the Macron campaign or anything else in the document. And that means we have no idea what ‘digital fingerprints’ Trend Micro used to make that attribution. In other words, “Trust Us.”
And note that there’s no explanation for how all the other domain names listed in that table were conclusively attributed to Fancy Bear in the report, so there’s a lot of ambiguity about how Trend Micro arrived at ANY of its conclusions. “Trust Us Bigly.”
Similarly, when you read about how Flashpoint, another cybersecurity firm, also concluded that APT28/Fancy Bear/Pawn Storm was the entity that set up these phishing domains, it refers back to a Reuters report where Flashpoint tells Reuters that APT28 set up those domains. But, again, there’s absolutely no indication of how that attribution was made and no link to a publicly available report:
...
Vitali Kremez, director of research at the cybersecurity firm Flashpoint, also offered cautious analysis to the New York Times on Friday. “The key goals and objectives of the campaign appear to be to undermine Macron’s presidential candidacy and cast doubt on the democratic electoral process in general.”
He later told Reuters that APT 28 was indeed behind the attack after determining that APT 28 related entities had “registered decoy internet addresses to mimic the name of En Marche … including onedrive-en-marche.fr and mail-en-marche.fr.”
...
And if you read the Reuters article, Flashpoint’s Vitali Kremez simply tells Reuters that, “his review indicated that APT 28, a group tied to the GRU, the Russian military intelligence directorate, was behind the leak.” That’s it. If there’s a public report somewhere explaining how they arrived at this attribution, it’s unclear where to find it.
So we have this odd situation where the US government GRIZZLY STEPPE report claims to be updated with evidence that the Macron phishing campaign was operated by Fancy Bear but that update doesn’t actually exist in the report. And Trend Micro’s and Flashpoint’s attributions are made without any explanation at all. Perhaps this evidence is publicly available elsewhere from these three sources?
Found Some Evidence! Or, Rather, Found Some ‘Evidence’!
That said, there are some reports that do give at least a bit of the technical evidence Trend Micro used to attribute these phishing domains to Fancy Bear/APT28/Pawn Storm. For example, the following April 24th, 2017, article in the Wall Street Journal about the Trend Micro report contains the following pieces of information: On March 15, someone used the name Johny Pinch and a fake Paris street address to register the name onedrive-en-marche.fr, according to public internet records. On April 12, someone using the same information registered mail-en-marche.fr, the records show. And those addresses were both hosted on IP address blocks previously associated with Pawn Storm, according to Trend Micro. There’s no further explanation, like a listing of those IP addresses or which previous attacks associated with them, and none of this information actually shows up in the report Trend Micro released, but at the time of the report’s release Trend Micro was asserting to journalists that IP address blocks associated with the onedrive-en-marche.fr and mail-en-marche.fr domains were previously attributed to Fancy Bear:
The Wall Street Journal
Macron Campaign Wards Off Hacking Attempts Linked to Russia
Presidential candidate’s campaign suffers multipronged phishing attack beginning in mid-March
By Sam Schechner
April 24, 2017 1:17 p.m. ET
PARIS—Hackers matching the profile of a pro-Kremlin group have tried in recent weeks to access campaign email accounts of French presidential candidate Emmanuel Macron, a cybersecurity firm said Monday, raising fears of election interference in the final two weeks of France’s presidential campaign.
In a report set to be published Tuesday, security-research firm Trend Micro identified a pro-Kremlin hacking group it calls Pawn Storm as the likely source of a multipronged phishing attack that started in mid-March against Mr. Macron’s campaign.
As part of the attack, hackers set up multiple internet addresses that mimicked those of the campaign’s own servers in an attempt to lure Mr. Macron’s staffers into turning over their network passwords, said Feike Hacquebord, a senior threat researcher for Tokyo-based Trend Micro and the author of the report, a copy of which was reviewed by The Wall Street Journal.
...
On March 15, someone used the name Johny Pinch and a fake Paris street address to register the name onedrive-en-marche.fr, according to public internet records. On April 12, someone using the same information registered mail-en-marche.fr, the records show.
Those addresses were both hosted on internet protocol address blocks associated with Pawn Storm, Trend Micro’s Mr. Hacquebord said.
Mr. Hacquebord added that other clues, such as related addresses and the creation of security certificates to make the fake sites look authentic mirror techniques used by the group in several dozen other cases identified in the report, including the hacks of the Christian Democratic Union and the Democratic National Committee.
“I cannot say for sure, but the fingerprints match,” Mr. Hacquebord said.
———-
“I cannot say for sure, but the fingerprints match”
That was the statement from the author of Trend Micro’s report. So what were these ‘fingerprints’? The IP address blocks hosting the phishing domains onedrive-en-marche.fr and mail-en-marche.fr were associated with attacks previously attributed to Fancy Bear/APT28/Pawn Storm. Also, the technique of obtaining security certificates to make the fake sites look real was something Fancy Bear had done before. That appears to be the technical evidence Trend Micro relied on:
...
On March 15, someone used the name Johny Pinch and a fake Paris street address to register the name onedrive-en-marche.fr, according to public internet records. On April 12, someone using the same information registered mail-en-marche.fr, the records show.
Those addresses were both hosted on internet protocol address blocks associated with Pawn Storm, Trend Micro’s Mr. Hacquebord said.
Mr. Hacquebord added that other clues, such as related addresses and the creation of security certificates to make the fake sites look authentic mirror techniques used by the group in several dozen other cases identified in the report, including the hacks of the Christian Democratic Union and the Democratic National Committee.
...
And, as with so much of this, the evidence is actually quite weak. Sharing IP blocks with previous attacks merely suggests the use of the same hosting provider or ISP, since providers are allocated blocks of addresses and lease them out to whoever comes next. And sharing a provider with previous hackers is fairly weak evidence. Of course hackers are going to gravitate towards hacker friendly ISPs!
But the weakest evidence is pointing towards the use of security certificates to make the phishing sites appear real so the victim’s browser doesn’t pop up a warning. Anyone who registers a domain can obtain a valid certificate for it, and by 2017 free automated issuers such as Let’s Encrypt made that a few minutes’ work, so a certificate on a phishing domain is a commodity step, not a signature. The certificate’s details (issuer, naming pattern, key reuse across sites) could in principle be a fingerprint, but none of that is given here. Of course you would get a certificate if you set up a phishing site. Any hacker would do that if they know how to do it.
Also recall that the Trend Micro report makes absolutely no reference to any of the above ‘evidence’ described by the report’s author. It also doesn’t list the mail-en-marche.fr phishing domain at all. The ONLY reference to the Macron campaign is the listing of the onedrive-en-marche.fr domain in a table of domains Trend Micro has associated with Pawn Storm on page 13. That’s it.
So we have reports on April 24th, 2017, with interviews of the Trend Micro report’s author about the evidence they’ve found that Fancy Bear is behind these new phishing domains targeting Macron’s campaign. The evidence laid out in the article is both inherently vague and weak. And then the actual report issued the next day doesn’t even contain any of that evidence. So very, very odd.
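To make concrete why “same IP block” and “they also used certificates” are weak links, here is an added example written for this post, not code from Trend Micro or the Wall Street Journal, of how an analyst can weight shared infrastructure by how common it is across unrelated campaigns. Every campaign, address (all from the 203.0.113.0/24 documentation range), registrant string and indicator name below is constructed. The idea is to count overlap only after discounting indicators that nearly every unrelated campaign also shows, which is the step a bare “the fingerprints match” never makes visible.

```python
import ipaddress
from collections import Counter
from math import log


def indicators(campaign):
    """Flatten a campaign record into (kind, value) pairs. IPs are coarsened to
    their /24 so that 'hosted on the same IP block' can register as a match,
    which is exactly the level of evidence quoted in the article."""
    out = set()
    for ip in campaign.get("ips", ()):
        out.add(("net24", str(ipaddress.ip_network(f"{ip}/24", strict=False))))
    for kind in ("registrant", "ttp", "domain_pattern"):
        for value in campaign.get(kind, ()):
            out.add((kind, value))
    return out


def idf_weights(corpus):
    """Inverse document frequency over a corpus of campaigns: an indicator seen
    in every campaign gets weight log(N/N) = 0; one seen in a single campaign
    gets log(N). This is the discount that 'pattern recognition' skips."""
    n = len(corpus)
    df = Counter(ind for c in corpus for ind in indicators(c))
    return {ind: log(n / d) for ind, d in df.items()}


def compare(new, known, corpus):
    """Overlap between a new campaign and a known one: the naive count of shared
    indicators, the IDF-weighted sum, and the shared indicators for review."""
    weights = idf_weights(corpus)
    shared = sorted(indicators(new) & indicators(known))
    weighted = sum(weights[ind] for ind in shared)
    return {"shared": shared, "naive": len(shared), "weighted": round(weighted, 3)}


# Constructed corpus: four unrelated phishing campaigns plus the one attributed
# to the named group. All of them rent space in the same hosting block and all
# put a TLS certificate on their lookalike domains, because everyone does.
COMMON_TTPS = ("tls_cert_on_phish_domain", "lookalike_domain")
UNRELATED = [
    {"ips": ["203.0.113.11"], "registrant": ["reg-a@example.net"],
     "ttp": COMMON_TTPS, "domain_pattern": ["webmail-<target>"]},
    {"ips": ["203.0.113.42"], "registrant": ["reg-b@example.net"],
     "ttp": COMMON_TTPS, "domain_pattern": ["<service>-<target>"]},
    {"ips": ["203.0.113.99"], "registrant": ["reg-c@example.net"],
     "ttp": COMMON_TTPS, "domain_pattern": ["login-<target>"]},
    {"ips": ["203.0.113.150"], "registrant": ["reg-d@example.net"],
     "ttp": COMMON_TTPS, "domain_pattern": ["<service>-<target>"]},
]
KNOWN_GROUP = {"ips": ["203.0.113.10"], "registrant": ["reg-known@example.net"],
               "ttp": COMMON_TTPS, "domain_pattern": ["<service>-<target>"]}
CORPUS = UNRELATED + [KNOWN_GROUP]

# New campaign 1: same /24, same commodity TTPs, same naming style, nothing else.
NEW_COMMODITY_ONLY = {"ips": ["203.0.113.77"], "registrant": ["reg-new@example.net"],
                      "ttp": COMMON_TTPS, "domain_pattern": ["<service>-<target>"]}
# New campaign 2: additionally reuses the known group's registrant identity,
# the kind of operator-specific slip that would actually carry weight.
NEW_WITH_REGISTRANT = {"ips": ["203.0.113.77"], "registrant": ["reg-known@example.net"],
                       "ttp": COMMON_TTPS, "domain_pattern": ["<service>-<target>"]}


if __name__ == "__main__":
    for label, new in (("commodity overlap only", NEW_COMMODITY_ONLY),
                       ("plus shared registrant", NEW_WITH_REGISTRANT)):
        result = compare(new, KNOWN_GROUP, CORPUS)
        print(f"{label}: naive={result['naive']} weighted={result['weighted']}")
        for ind in result["shared"]:
            print("   shared", ind)
```

Run as-is, the commodity-only campaign shares four indicators with the known group (the /24, both TTPs and the naming style) yet scores under 0.6 once each is discounted by how often unrelated campaigns show it, while the campaign that reuses a registrant identity scores above 2 on five. The four-versus-five naive count is nearly the same; the weighting is where the evidence lives, and it is the part none of the quoted attributions show.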
How Certain Was Trend Micro Based on This Weak Evidence? 99 percent
And, surprise!, it gets odder. Or perhaps sadder. Because if you look at the various reports from Trend Micro back in April-May of 2017 about the Macron hacks, Trend Micro’s own representative, Loïc Guézo, starts off being 99 percent certain that Fancy Bear was behind the phishing domains when Trend Micro first issued its April 25, 2017 report. But after the reports about how US ‘Alt-Right’ neo-Nazis appeared to be behind the leaked documents, Guézo suddenly makes it very clear that the dump of stolen emails was very amateurish and it’s very ambiguous as to who was behind the hack and it could have been US neo-Nazis behind it. So Trend Micro went from 99 percent certain Fancy Bear was behind the phishing domains targeting the Macron hacking campaign (without providing any actual evidence) to being very open about the possibility that it was a bunch of neo-Nazis who actually carried out the hack. And yet this sudden change in certainty seems to have completely fallen down the memory hole now that the US Senate phishing domains have emerged.
And now, in January of 2018, we have Trend Micro making a 100 percent conclusion that the US Senate phishing domains were ‘Fancy Bear’, and this 100 percent attribution is based on shared ‘digital fingerprints’ that supposedly tie back uniquely to two prior hacking campaigns Trend Micro had previously attributed to Pawn Storm/Fancy Bear/APT28, one in 2017 and one in 2016. So, unless the 2017 incident with the shared ‘digital fingerprints’ is something other than the Macron campaign hack, we have to reconcile how on Earth Trend Micro is concluding with 100 percent certainty that these US Senate phishing sites were actually set up by Fancy Bear/APT28/Pawn Storm. It’s all really, really odd.
So let’s flesh out this oddness. First, here’s a look at an April 26 article in which Trend Micro’s Loïc Guézo claims 99 percent certainty that the phishing domains targeting the Macron campaign were the work of Fancy Bear/APT28/Pawn Storm. And note how the cybersecurity expert hired by the Macron campaign, Mounir Mahjoubi, was far less sure about this attribution:
France24
Cyber experts ’99% sure’ Russian hackers are targeting Macron
Text by Sébastian SEIBT
Date created : 2017-04-26
Latest update : 2017-04-27
The Russian cyber-spying group Pawn Storm (also known as Fancy Bear) has targeted French presidential front-runner Emmanuel Macron, according to Japanese cyber-security experts. Macron campaign officials, however, say the group has so far failed.
Barely two weeks before the critical second round of the French presidential election, fears of Russian meddling in the 2017 campaign mounted with the publication of a report accusing Pawn Storm of targeting Macron’s En Marche! (Forward!) movement, employing identical tactics used to attack the Hillary Clinton campaign during the US presidential race.
A 41-page report, “Two Years of Pawn Storm,” by the Japanese cyber-security firm Trend Micro detailed a long list of the group’s targets, including German Chancellor Angela Merkel’s Christian Democratic Union party ahead of the September German general elections.
Reports of Russian cyber attackers targeting Macron’s campaign have been circulating for months, but the publication of the Trend Micro report provided details of the dates and domains targeted. They included a March 15 attempt to acquire sensitive information and passwords, a process known as “phishing” among cyber-security experts.
...
Campaign meets cyber-security officials
In January, a team of digital security officials from the Macron campaign visited the French cyber counter-espionage agency, ANSSI, to express concerns that their candidate was the “No. 1” target for fake news sites and cyber attacks, according to French media reports.
ANSSI is a government agency under the French defence ministry that advises public and private sector organisations about cyber-security measures.
The meeting between En Marche! and ANSSI officials followed a spate of rumours published on fake news sites as well as slanted coverage of Macron on Russian state media such as RT (formerly Russia Today) and the Sputnik news agency.
The concerns within the Macron camp led to the hiring of Mounir Mahjoubi, the former head of the French National Digital Council (CNNum), a council that advises on digital technologies.
In an interview with French weekly Journal du Dimanche in February, Mahjoubi was more cautious than his Macron campaign colleagues about cyber attacks emanating from Russian-linked groups. “There is no doubt about the frontal attacks of Sputnik and Russia Today, two Russia-funded media outlets. But for the rest, we do not know where they come from,” he said.
Russia has consistently denied reports of interfering in the election campaigns of other countries.
“What [hacking] groups? From where? Why Russia? This slightly reminds me of accusations from Washington, which have been left hanging in mid-air until now and do not do their authors any credit,” Kremlin spokesman Dmitry Peskov told reporters on Monday.
‘99 percent sure’ attacks are from Russia
But the authors of the latest Trend Micro report have no doubt about the origins of the phishing campaigns targeting Macron. “We are 99 percent sure that it is attacks from Russia,” Loïc Guézo, Trend Micro’s strategy director for southern Europe, told FRANCE 24.
Pawn Storm – an aggressive cyber-espionage group also known as Fancy Bear, Sednit, APT28, Sofacy or Strontium – is engaged in much more than “just espionage activities”, the report notes. Over the past year, “the group attempted to influence public opinion, to influence elections, and sought contact with mainstream media with some success”.
When it came to targeting the Macron campaign, Pawn Storm’s goal appeared to be to get into the email accounts of senior campaign officials to retrieve information about the candidate – a modus operandi familiar to members of the Clinton campaign.
Stealing passwords
Cyber-security specialists at Trend Micro found four phishing domains created to try to extract information. The domain names feature plausible versions of Macron’s political movement, designed to catch campaign officials off guard. They include onedrive-en-marche.fr, portal-office.fr, mail-en-marche.fr and accounts-office.fr.
“This group set up a specific infrastructure to target Emmanuel Macron’s movement in March and April 2017,” Guézo explained.
...
A cyber Cold War
In a December 2016 report, the US Department of Homeland Security’s cyber-security unit accused Pawn Storm – under the alternate name APT 28 – of acting on the Kremlin’s orders.
The APT 28 footprint has been on so many major cyber attacks in recent years – including an April 2015 shutdown of French media giant TV5 Monde – that experts view the group as a symbol of a cyber Cold War, combining computer piracy and online propaganda. A Financial Times report noted that US, UK, Israeli and German officials have all said they believe APT 28 is run by Russia’s sprawling military intelligence arm, the GRU.
Officials at Trend Micro, however, refuse to implicate the Kremlin directly: “All we can say is that the activities of this group are systematically aligned with the interests of the Russian authorities,” said Guézo.
...
Mahjoubi has reiterated that the attempts to target the Macron campaign so far have not succeeded. In his interviews with French media, Mahjoubi has admitted that traces to attack attempts have been found but that “none of the mailboxes have been hacked”.
En Marche! officials do not use email to share confidential information, according to the statement released Wednesday.
Mahjoubi has also refused to accuse a particular group for the attack attempts. “The procedure is very similar to [Pawn Storm], but you cannot rule out a very competent group trying to imitate them,” he warned.
But this hedging has not shaken Guézo’s conviction. The Macron campaign, he believes, is not willing to take the gloves off over this issue to avoid ruffling the Kremlin’s feathers if Macron is elected president next month.
———-
“Mahjoubi has also refused to accuse a particular group for the attack attempts. “The procedure is very similar to [Pawn Storm], but you cannot rule out a very competent group trying to imitate them,” he warned.”
That was the word of caution from Mounir Mahjoubi, the former head of the French National Digital Council (CNNum) hired by the Macron campaign: “The procedure is very similar to [Pawn Storm], but you cannot rule out a very competent group trying to imitate them”. And it was a word of caution he issued not just about this Trend Micro report attributing the phishing domains to Fancy Bear. He had the same words of caution about the entire hacking campaign the Macron team had been experiencing throughout early 2017:
...
The concerns within the Macron camp led to the hiring of Mounir Mahjoubi, the former head of the French National Digital Council (CNNum), a council that advises on digital technologies.
In an interview with French weekly Journal du Dimanche in February, Mahjoubi was more cautious than his Macron campaign colleagues about cyber attacks emanating from Russian-linked groups. “There is no doubt about the frontal attacks of Sputnik and Russia Today, two Russia-funded media outlets. But for the rest, we do not know where they come from,” he said.
...
Mahjoubi has also refused to accuse a particular group for the attack attempts. “The procedure is very similar to [Pawn Storm], but you cannot rule out a very competent group trying to imitate them,” he warned.
But this hedging has not shaken Guézo’s conviction. The Macron campaign, he believes, is not willing to take the gloves off over this issue to avoid ruffling the Kremlin’s feathers if Macron is elected president next month.
...
“But this hedging has not shaken Guézo’s conviction. The Macron campaign, he believes, is not willing to take the gloves off over this issue to avoid ruffling the Kremlin’s feathers if Macron is elected president next month.”
And as we can see, Mahjoubi was issuing words of cyber attribution caution back in February 2017 when the Macron campaign was already talking about getting attacked by Russian hackers. And Trend Micro’s analyst commenting on their report, Loïc Guézo, viewed those words of caution as politically motivated ‘hedging’, as opposed to simply acknowledging the inherent ambiguities associated with digital forensic attribution. Guézo, instead, was “99 percent sure that it is attacks from Russia” and that certainty was based on the attribution of who set up those phishing domains:
...
‘99 percent sure’ attacks are from Russia
But the authors of the latest Trend Micro report have no doubt about the origins of the phishing campaigns targeting Macron. “We are 99 percent sure that it is attacks from Russia,” Loïc Guézo, Trend Micro’s strategy director for southern Europe, told FRANCE 24.
...
Stealing passwords
Cyber-security specialists at Trend Micro found four phishing domains created to try to extract information. The domain names feature plausible versions of Macron’s political movement, designed to catch campaign officials off guard. They include onedrive-en-marche.fr, portal-office.fr, mail-en-marche.fr and accounts-office.fr.
“This group set up a specific infrastructure to target Emmanuel Macron’s movement in March and April 2017,” Guézo explained.
...
And again, note how it’s implied that the evidence of this attribution is laid out in Trend Micro’s 41 page report:
...
A 41-page report, “Two Years of Pawn Storm,” by the Japanese cyber-security firm Trend Micro detailed a long list of the group’s targets, including German Chancellor Angela Merkel’s Christian Democratic Union party ahead of the September German general elections.
...
Yes, this report does indeed “detail a long list of the group’s targets.” It just doesn’t give any details on how these attributions were made. And while we saw in the above Wall Street Journal article that the attribution was based on IP blocks shared between two of the phishing domains and IP addresses previously attributed to Fancy Bear, that’s also really weak evidence, and the report doesn’t list anything more.
And while it’s not outlandish that some elements of the analysis of these hacking campaigns won’t be publicly shared, there is basically no indication at all in that report of how any of the long list of phishing domains was attributed to Fancy Bear/Pawn Storm. It’s like a black box of analysis.
And it’s not like cybersecurity companies don’t ever issue reports detailing their attribution evidence. For instance, when you look at the report issued by the cybersecurity researchers linking the hacked documents back to Andrew Auernheimer and US neo-Nazis, they give all sorts of very specific technical evidence of how they arrived at their conclusion. And that evidence is pretty damn convincing. So convincing that Loïc Guézo of Trend Micro admitted that the attribution for the hacking (as opposed to setting up the phishing sites) is a very open question after seeing that evidence:
EUObserver
US neo-Nazis linked to Macron hack
By Andrew Rettman
BRUSSELS, 12. May 2017, 09:23
The spread of stolen emails designed to harm Emmanuel Macron was linked to US-based neo-Nazis, according to a French investigation.
France’s Le Monde newspaper reported on Thursday (11 May) that a website called nouveaumartel.com, which was named as a go-to place for the purloined emails, shared the same digital infrastructure as dailystormer.com, a website created by the US neo-Nazi activist Andrew Auernheimer.
The emails were dumped online on 5 May, shortly before Macron won the French presidential election by a landslide.
The dump came two days after an anonymous user of an online message board called 4chan.org published fake documents purporting to show that Macron had an offshore fund.
“The French scene will be at nouveaumartel.com later”, the anonymous 4chan.org user said.
The dailystormer.com’s Auernheimer is a white supremacist convicted of cyber crimes in the US.
His website often popularises the work of Nathan Damigo, another US far-right activist who gained notoriety after physically assaulting an anti-fascist protester.
Auernheimer, in a posting on his site on 4 May, suggested that Damigo was about to publish anti-Macron material.
“The prophet of the white sharia Nathan Damigo is about to release the frogs from pederasty”, he wrote.
Frogs could be a derogatory reference to French people or to a cartoon frog, Pepe, adopted as a symbol by US neo-Nazis.
Pederasty could be a homophobic allusion to unsubstantiated claims, first spread by Russian media, that Macron was gay, or to the fact that he fell in love with an older woman in his adolescence.
The stolen Macron emails were eventually dumped on the website Pastebin and were popularised online by other US-based far-right conspiracy theorists such as William Craddick and Jack Posobiec.
The National Security Agency in the US said earlier this week that the Russian regime stole the Macron emails.
Trend Micro, a Japanese-based cyber security firm, said in April that the Russian regime had previously tried to hack Macron’s team.
But one of the firm’s experts, Loic Guezo, told EUobserver this week that the 5‑May dump of stolen Macron emails was more amateurish than the Russian state’s modus operandi.
“It could even have been some alt-right activist in the US hacking Macron’s team. It’s fully open”, he said.
The links between US far-right activists, the Russian state, and the campaign team of US president Donald Trump are the subject of an FBI investigation in the US.
...
Meanwhile, Jack Posobiec, who has previously said that Macron is controlled by telepathy and by drugs, has obtained a White House press badge.
He attended a press briefing on 11 May on the FBI affair and later broadcast a video from the White House grounds praising the FBI chief’s sacking.
———-
“US neo-Nazis linked to Macron hack” by Andrew Rettman; EUObserver; 05/12/2017
“France’s Le Monde newspaper reported on Thursday (11 May) that a website called nouveaumartel.com, which was named as a go-to place for the purloined emails, shared the same digital infrastructure as dailystormer.com, a website created by the US neo-Nazi activist Andrew Auernheimer.”
Ok, let’s break this down, because it’s somewhat confusing:
1. So on May 3rd, 2017, hacked Macron documents that appear to have been tampered with show up on 4chan.org, an ‘Alt-Right’ stomping ground. The user posting these documents then tells everyone that there’s going to be a bunch more documents showing up on nouveaumartel.com.
2. Cybersecurity researchers discover that the digital infrastructure behind nouveaumartel.com shares a heavy overlap with the Daily Stormer, a site managed by neo-Nazi hacker extraordinaire Andrew Auernheimer.
3. On May 4th, Andrew Auernheimer posts on his site that Nathan Damigo, another US far-right activist, is about to dump a whole bunch of Macron files.
4. On May 5th, the big document dump happens. Although it doesn’t show up on nouveaumartel.com. Instead, it shows up on Pastebin, a neutral site where people can just post documents and text.
5. After the second, much larger document dump on Pastebin, the documents quickly get spread around by Alt-Right figures.
That’s the summary of what happened:
...
The emails were dumped online on 5 May, shortly before Macron won the French presidential election by a landslide.
The dump came two days after an anonymous user of an online message board called 4chan.org published fake documents purporting to show that Macron had an offshore fund.
“The French scene will be at nouveaumartel.com later”, the anonymous 4chan.org user said.
The dailystormer.com’s Auernheimer is a white supremacist convicted of cyber crimes in the US.
His website often popularises the work of Nathan Damigo, another US far-right activist who gained notoriety after physically assaulting an anti-fascist protester.
Auernheimer, in a posting on his site on 4 May, suggested that Damigo was about to publish anti-Macron material.
“The prophet of the white sharia Nathan Damigo is about to release the frogs from pederasty”, he wrote.
Frogs could be a derogatory reference to French people or to a cartoon frog, Pepe, adopted as a symbol by US neo-Nazis.
Pederasty could be a homophobic allusion to unsubstantiated claims, first spread by Russian media, that Macron was gay, or to the fact that he fell in love with an older woman in his adolescence.
The stolen Macron emails were eventually dumped on the website Pastebin and were popularised online by other US-based far-right conspiracy theorists such as William Craddick and Jack Posobiec.
...
It’s obviously some pretty compelling evidence that, at a minimum, a bunch of ‘Alt-Right’ neo-Nazis played some sort of role in this hack. And, sure enough, Trend Micro’s Loïc Guézo, who was 99 percent sure the phishing domains were set up by Fancy Bear, was suddenly very open to the possibility that the ‘Alt-Right’ could have been behind the hack:
...
Trend Micro, a Japanese-based cyber security firm, said in April that the Russian regime had previously tried to hack Macron’s team.
But one of the firm’s experts, Loic Guezo, told EUobserver this week that the 5‑May dump of stolen Macron emails was more amateurish than the Russian state’s modus operandi.
“It could even have been some alt-right activist in the US hacking Macron’s team. It’s fully open”, he said.
...
“It could even have been some alt-right activist in the US hacking Macron’s team. It’s fully open”
It’s fully open. That was Loïc Guézo’s take on the situation after this revelation about the apparent ‘Alt-Right’ foreknowledge of these hacks. And yet here we are, almost a year later, and the Macron hack is being treated as if it’s an open-and-shut case that ‘the Russians did it’ and there is no mention at all of the role of Auernheimer and the ‘Alt-Right’.
Self-implicating “I’m a Russian Hacker!” Meta-Data Strikes Again
Now, it’s important to note that it’s entirely possible that you could have a situation where Fancy Bear (or another group trying to mimic Fancy Bear) did indeed set up a bunch of phishing sites while a bunch of neo-Nazis conducted a completely separate hacking operation. It’s also possible that Fancy Bear (or a third party pretending to be them) could have successfully pulled off a hack using their phishing domains and then handed the documents to Auernheimer or his associates. And yet these possibilities are never even mentioned. It’s as if any story that raises the mere possibility that some of these hacks are being done by non-Russian hackers, or might involve the cooperation of non-Russian hackers, is completely ignored by almost everyone. What’s the explanation for this?
Well, part of the explanation probably has to do with the fact that metadata found in the dumped Macron documents just happened to contain identifying information of a Russian security contractor at a company that does work for the FSB. It was reminiscent of the “I’m a Russian hacker” metadata discovered literally one day after Guccifer 2.0 initially released some hacked DNC documents in June of 2015. Except even more self-implicating because the meta-data contained an actual name of an actual employee.
Another bit of metadata used to attribute the hacked Macron documents to Fancy Bear was the metadata of who uploaded the hacked documents, which led to an email address at a German free webmail provider. And this was declared to be further proof that this was the work of Fancy Bear because that same free webmail provider was used in some earlier attacks attributed to Fancy Bear. Which is horribly weak evidence. Of course hackers are going to use a free German webmail provider. Germany has branded itself as a data privacy haven. All sorts of hackers are probably using free German webmail providers. It’s just silly to use that as evidence for attribution. And yet it happened.
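To make concrete what the “last edited by” metadata discussed above actually is, here is an added example (not code from this post, from Trend Micro, or from any of the outlets quoted): a small Python reader for the OOXML core-properties part of a .docx/.xlsx file, run against a workbook constructed in memory with placeholder names and dates. It assumes nothing beyond the public OOXML package layout; the point it shows is that the field is unsigned text written by whichever client saved the file.

```python
"""Reader for the OOXML (.docx/.xlsx) authorship metadata of the kind cited in the
Macron leak attribution.  Added example, not code from the post or from any firm it
quotes.  The workbook is constructed in memory; all names and dates are placeholders."""
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime

# Namespaces used by docProps/core.xml in every OOXML package.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
XSI = "http://www.w3.org/2001/XMLSchema-instance"
CORE_PART = "docProps/core.xml"


def read_core_properties(package: bytes) -> dict:
    """Return creator / lastModifiedBy / created / modified from docProps/core.xml.

    Every value is unsigned plain text written by whichever client last saved the
    file (Office fills lastModifiedBy from the user name configured in Office), so
    the result records what that client claimed, not who was at the keyboard."""
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        if CORE_PART not in zf.namelist():
            return {}
        root = ET.fromstring(zf.read(CORE_PART))

    def text(path: str):
        el = root.find(path, NS)
        return el.text.strip() if el is not None and el.text else None

    return {
        "creator": text("dc:creator"),
        "lastModifiedBy": text("cp:lastModifiedBy"),
        "created": text("dcterms:created"),
        "modified": text("dcterms:modified"),
    }


def _parse_w3cdtf(value):
    """Parse the UTC 'YYYY-MM-DDTHH:MM:SSZ' form Office writes; None if absent."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ") if value else None


def assess(props: dict) -> dict:
    """Derive the two observations an analyst can actually make from these fields.

    'editor_differs_from_creator' is what the reporting above treated as the
    smoking gun; 'edited_after_creation' is only a consistency check.  Neither
    field is authenticated, so both are leads to corroborate, not proof."""
    created = _parse_w3cdtf(props.get("created"))
    modified = _parse_w3cdtf(props.get("modified"))
    return {
        "editor_differs_from_creator": (
            props.get("lastModifiedBy") is not None
            and props.get("lastModifiedBy") != props.get("creator")
        ),
        "edited_after_creation": (
            created is not None and modified is not None and modified > created
        ),
    }


def build_package(core_xml=None) -> bytes:
    """Constructed minimal OOXML container: only the parts this demo needs.
    Pass core_xml=None to build a package with no docProps/core.xml at all."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(
            "[Content_Types].xml",
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        )
        if core_xml is not None:
            zf.writestr(CORE_PART, core_xml)
    return buf.getvalue()


# Constructed core.xml: a file created by one placeholder user and last saved by another.
SAMPLE_CORE_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" '
    f'xmlns:dcterms="{NS["dcterms"]}" xmlns:xsi="{XSI}">'
    "<dc:creator>campaign-staffer-placeholder</dc:creator>"
    "<cp:lastModifiedBy>editor-name-placeholder</cp:lastModifiedBy>"
    '<dcterms:created xsi:type="dcterms:W3CDTF">2017-04-28T09:12:00Z</dcterms:created>'
    '<dcterms:modified xsi:type="dcterms:W3CDTF">2017-05-05T18:40:00Z</dcterms:modified>'
    "</cp:coreProperties>"
)


def demo() -> dict:
    """Parse the constructed workbook and return the properties plus the assessment."""
    props = read_core_properties(build_package(SAMPLE_CORE_XML))
    return {"properties": props, "assessment": assess(props)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Point `read_core_properties` at the bytes of any real .docx or .xlsx to see the same four fields; a file whose package lacks `docProps/core.xml` yields an empty dict rather than a guess.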
So after this metadata hysteria was used to ‘conclusively’ prove that Russia really was behind the hack, the question of what role Andrew Auernheimer and the ‘Alt Right’ neo-Nazis played in the hack stopped getting asked. The desired ‘answer’ was achieved:
Ars Technica
Evidence suggests Russia behind hack of French president-elect
Russian security firms’ metadata found in files, according to WikiLeaks and others.
Sean Gallagher — 5/8/2017, 1:18 PM
Late on May 5 as the two final candidates for the French presidency were about to enter a press blackout in advance of the May 7 election, nine gigabytes of data allegedly from the campaign of Emmanuel Macron were posted on the Internet in torrents and archives. The files, which were initially distributed via links posted on 4Chan and then by WikiLeaks, had forensic metadata suggesting that Russians were behind the breach—and that a Russian government contract employee may have falsified some of the dumped documents.
Even WikiLeaks, which initially publicized the breach and defended its integrity on the organization’s Twitter account, has since acknowledged that some of the metadata pointed directly to a Russian company with ties to the government:
#MacronLeaks: name of employee for Russian govt security contractor Evrika appears 9 times in metadata for “xls_cendric.rar” leak archive pic.twitter.com/jyhlmldlbL
— WikiLeaks (@wikileaks) May 6, 2017
Evrika (“Eureka”) ZAO is a large information technology company in St. Petersburg that does some work for the Russian government, and the group includes the Federal Security Service of the Russian Federation (FSB) among its acknowledged customers (as noted in this job listing). The company is a systems integrator, and it builds its own computer equipment and provides “integrated information security systems.” The metadata in some Microsoft Office files shows the last person to have edited the files to be “Roshka Georgiy Petrovich,” a current or former Evrika ZAO employee.
...
The metadata attached to the upload of the Macron files also includes some identifying data with an e‑mail address for the person uploading the content to archive.org:
Well this is fun pic.twitter.com/oXsH83snCS
— Pwn ¦¦ ¦¦ ¦¦¦ (@pwnallthethings) May 6, 2017
The e‑mail address of the uploader, frankmacher1@gmx.de, is registered with a German free webmail provider used previously in 2016 Pawn Storm / APT28 phishing attacks against the Christian Democratic Union, German Chancellor Angela Merkel’s political party.
The involvement of APT28, the editing of some documents leaked by someone using a Russian version of Microsoft Office, and the attempt to spread the data through amplification in social media channels such as 4Chan, Twitter, and Facebook—where a number of new accounts posted links to the data—are all characteristics of the information operations seen during the 2016 US presidential campaign.
...
———-
“Evrika (“Eureka”) ZAO is a large information technology company in St. Petersburg that does some work for the Russian government, and the group includes the Federal Security Service of the Russian Federation (FSB) among its acknowledged customers (as noted in this job listing). The company is a systems integrator, and it builds its own computer equipment and provides “integrated information security systems.” The metadata in some Microsoft Office files shows the last person to have edited the files to be “Roshka Georgiy Petrovich,” a current or former Evrika ZAO employee”
Yep, a Russian contractor apparently screwed up big time and modified a hacked Word document on a copy of Word registered to his personal name, leaving that name in the metadata. That’s what we’re expected to believe. And while it’s certainly possible a mistake of that nature happened, when you factor in the larger context of ‘Alt-Right’ fingerprints all over the actual distribution of the documents and the fact that metadata was also used to attribute the DNC hacks to Russian hackers, it seems like an outrageous conclusion to assume with certainty that this metadata was indeed strong evidence of Russian hackers at work.
Similarly, the fact that the uploader’s email address was on the same free German webmail service used in previous attacks attributed to Fancy Bear is basically no evidence at all. And yet it’s treated as such:
...
The metadata attached to the upload of the Macron files also includes some identifying data with an e‑mail address for the person uploading the content to archive.org:
Well this is fun pic.twitter.com/oXsH83snCS
— Pwn ¦¦ ¦¦ ¦¦¦ (@pwnallthethings) May 6, 2017
The e‑mail address of the uploader, frankmacher1@gmx.de, is registered with a German free webmail provider used previously in 2016 Pawn Storm / APT28 phishing attacks against the Christian Democratic Union, German Chancellor Angela Merkel’s political party.
...
And that metadata appears to be the ‘evidence’ that more or less put to rest any questions about who actually hacked those documents. It was Fancy Bear.
Seriously, once this metadata was discovered, the news reports treated it as case closed. For instance, check out this New York Times article from May 9th, 2017, where the attribution is almost entirely based on the metadata and other ‘digital fingerprints’ in the documents suggesting that the documents were modified on Russian language computers using Russian versions of software like Microsoft Word.
And there’s one particularly revealing comment from John Hultquist, the director of cyberespionage from FireEye, another US cybersecurity company: “There was a time when Russian hackers were characterized by their lack of sloppiness,” Mr. Hultquist said. “When they made mistakes, they burned their entire operation and started anew. But since the invasion of Ukraine and Crimea we’ve seen them carry out brazen, large scale attacks, [perhaps because] there have been few consequences for their actions.”
There was a time when Russian hackers would ‘burn their entire operation and start anew’ if they were caught. But now? It’s sloppiness and mistakes and reuse of the same digital infrastructure with almost every hack. Apparently:
The New York Times
Hackers Came, but the French Were Prepared
By ADAM NOSSITER, DAVID E. SANGER and NICOLE PERLROTH
MAY 9, 2017
PARIS — Everyone saw the hackers coming.
The National Security Agency in Washington picked up the signs. So did Emmanuel Macron’s bare-bones technology team. And mindful of what happened in the American presidential campaign, the team created dozens of false email accounts, complete with phony documents, to confuse the attackers.
The Russians, for their part, were rushed and a bit sloppy, leaving a trail of evidence that was not enough to prove for certain they were working for the government of President Vladimir V. Putin but which strongly suggested they were part of his broader “information warfare” campaign.
...
Testifying in front of the Senate Armed Services Committee in Washington on Tuesday, Adm. Michael S. Rogers, the director of the National Security Agency, said American intelligence agencies had seen the attack unfolding, telling their French counterparts, “Look, we’re watching the Russians. We’re seeing them penetrate some of your infrastructure. Here’s what we’ve seen. What can we do to try to assist?”
But the staff at Mr. Macron’s makeshift headquarters in the 15th Arrondissement at the edge of Paris didn’t need the N.S.A. to tell them they were being targeted: In December, after the former investment banker and finance minister had emerged as easily the most anti-Russian, pro-NATO and pro-European Union candidate in the presidential race, they began receiving phishing emails.
...
Oddly, the Russians did a poor job of covering their tracks. That made it easier for private security firms, on alert after the efforts to manipulate the American election, to search for evidence.
In mid-March, researchers with Trend Micro, the cybersecurity giant based in Tokyo, watched the same Russian intelligence unit behind some of the Democratic National Committee hacks start building the tools to hack Mr. Macron’s campaign. They set up web domains mimicking those of Mr. Macron’s En Marche! Party, and began dispatching emails with malicious links and fake login pages designed to bait campaign staffers into divulging their usernames and passwords, or to click on a link that would give the Russians a toehold onto the campaign’s network.
It was the classic Russian playbook, security researchers say, but this time the world was prepared. “The only good news is that this activity is now commonplace, and the general population is so used to the idea of a Russian hand behind this, that it backfired on them,” said John Hultquist, the director of cyberespionage analysis at FireEye, the Silicon Valley security firm.
Mr. Hultquist noted that the attack was characterized by haste, and a trail of digital mistakes. “There was a time when Russian hackers were characterized by their lack of sloppiness,” Mr. Hultquist said. “When they made mistakes, they burned their entire operation and started anew. But since the invasion of Ukraine and Crimea,” he said, “we’ve seen them carry out brazen, large scale attacks,” perhaps because “there have been few consequences for their actions.”
The hackers also made the mistake of releasing information that was, by any campaign standard, pretty boring. The nine gigabytes worth of purportedly stolen emails and files from the Macron campaign was spun as scandalous material, but turned out to be almost entirely the humdrum of campaign workers trying to conduct ordinary life in the midst of the election maelstrom.
One of the leaked emails details a campaign staffer’s struggle with a broken down car. Another documents how a campaign worker was reprimanded for failure to invoice a cup of coffee.
That is when the hackers got sloppy. The metadata tied to a handful of documents — code that shows the origins of a document — show some passed through Russian computers and were edited by Russian users. Some Excel documents were modified using software unique to Russian versions of Microsoft Windows.
Other documents had last been modified by Russian usernames, including one person that researchers identified as a 32-year-old employee of Eureka CJSC, based in Moscow, a Russian technology company that works closely with the Russian Ministry of Defense and intelligence agencies. The company has received licenses from Russia’s Federal Security Service, or FSB, to help protect state secrets. The company did not return emails requesting comment.
Other leaked documents appear to have been forged, or faked. One purported to detail the purchase of the stimulant mephedrone, sometimes sold as “bath salts,” by a Macron campaign staffer who allegedly had the drugs shipped to the address of France’s National Assembly. But Henk Van Ess, a member of the investigations team at Bellingcat, a British investigations organization, and others discovered that the transaction numbers in the receipt were not in the public ledger of all Bitcoin transactions.
“It’s clear they were rushed,” Mr. Hultquist said. “If this was APT28,” he said, using the name for a Russian group believed to be linked to the GRU, a military intelligence agency, “they have been caught in the act, and it has backfired for them.”
Now, he said, the failure of the Macron hacks could just push Russian hackers to improve their methods.
“They may have to change their playbook entirely,” Mr. Hultquist said.
———-
“Oddly, the Russians did a poor job of covering their tracks. That made it easier for private security firms, on alert after the efforts to manipulate the American election, to search for evidence.”
Yes, it is quite odd how poorly the Russians did of covering their tracks, if indeed this was a Russian government operation. Ahistorically odd:
...
It was the classic Russian playbook, security researchers say, but this time the world was prepared. “The only good news is that this activity is now commonplace, and the general population is so used to the idea of a Russian hand behind this, that it backfired on them,” said John Hultquist, the director of cyberespionage analysis at FireEye, the Silicon Valley security firm.
Mr. Hultquist noted that the attack was characterized by haste, and a trail of digital mistakes. “There was a time when Russian hackers were characterized by their lack of sloppiness,” Mr. Hultquist said. “When they made mistakes, they burned their entire operation and started anew. But since the invasion of Ukraine and Crimea,” he said, “we’ve seen them carry out brazen, large scale attacks,” perhaps because “there have been few consequences for their actions.”
...
“When they made mistakes, they burned their entire operation and started anew.”
So until the conflict broke out in Ukraine, Russian hackers were intelligent enough to ‘burn their entire operation’ and switch up their methodology after getting caught. But ever since the conflict with Ukraine, Russian hackers have suddenly decided to keep leaving the same ‘digital fingerprints’ over and over despite ‘getting caught’. And they’ve started leaving self-implicating metadata. It’s all quite odd.
And notice how the narrative of that article made no distinction between the phishing sites that Trend Micro and others attributed to Fancy Bear and the actual hacking and distribution of the documents that appeared to come from US ‘Alt-Right’ neo-Nazis. Recall how even Trend Micro’s analysts considered the case of who did the actual hacking a ‘very open’ question one day after the hacks. But then this “I’m a Russian hacker!” metadata is discovered and the ‘Alt-Right’ neo-Nazi angle of the entire affair is suddenly forgotten. In fact, if you read the full article, there is no mention of the ‘Alt-Right’ neo-Nazis at all. It was like it never happened.
Everyone Says it Was Fancy Bear. Except the French Cybersecurity Agency
So pretty much everyone in the cybersecurity arena has concluded that this hack was indeed done by Fancy Bear, right? Well, not quite. There are plenty of cybersecurity professionals who have been critical of contemporary cyber attribution standards. And as the following article from June of 2017, about a month after the actual hack, makes clear, there was one very notable dissenter from Dmitri Alperovitch’s attribution standards: the head of the French cybersecurity agency, Guillaume Poupard, viewed the hack as so unsophisticated that a lone individual could have pulled it off.
And Poupard had another critical warning: false flag cyberattacks designed to pit one nation against another could be used to create “international chaos”:
EU Observer
Macron Leaks could be ‘isolated individual’, France says
By Andrew Rettman
BRUSSELS, 2. Jun 2017, 09:20
France has found no evidence that Russia was behind Macron Leaks, but Russian leader Vladimir Putin has warned that “patriotic” hackers could strike the German election.
Guillaume Poupard, the head of the French cyber security agency, Anssi, told the AP news agency on Thursday (1 June) that the Macron hack resembled the actions of “an isolated individual”.
“The attack was so generic and simple that it could have been practically anyone”, he said. “It really could be anyone. It could even be an isolated individual”.
The Macron Leaks saw a hacker steal and publish internal emails from the campaign of Emmanuel Macron 48 hours before the French vote last month, which Macron went on to win.
Some security experts blamed it on a hacker group called APT28, which is said by the US to be a front for Russian intelligence.
But Poupard said on Thursday: “To say Macron Leaks was APT28, I’m absolutely incapable today of doing that … I have absolutely no element to say whether it’s true or false”.
Macron’s campaign was also targeted by hackers earlier in March in a more sophisticated attack blamed on APT28.
...
‘Patriotic’ threat
US and German intelligence chiefs have been more bold in their accusations.
Hans-Georg Maassen, the director of Germany’s BfV intelligence service, said in May that Kremlin-linked hackers had stolen information on German MPs in the run-up to the German election in September.
“We recognise this as a campaign being directed from Russia”, he said.
But Russia has denied the allegations.
Its president, Vladimir Putin, told media in Moscow on Thursday: “We do not engage in this activity at the government level and are not going to engage in it”.
He warned at the same time that independent hackers might target the German or other EU elections for “patriotic” reasons if they felt leaders were “speaking ill of Russia”.
“Hackers are free people like artists. If artists get up in the morning feeling good, all they do all day is paint”, Putin said.
“The same goes for hackers. They got up today and read that something is going on internationally. If they are feeling patriotic they will start contributing, as they believe, to the justified fight against those speaking ill of Russia”.
With Macron having won despite the leaks, Putin said: “I am deeply convinced that no hackers can have a real impact on an election campaign in another country”.
Macron, at a meeting with Putin in Paris on Monday, said Russian state media tried to influence the vote with fake news, but Putin said on Thursday: “Nothing, no information can be imprinted in voters’ minds, in the minds of a nation, and influence the final outcome and the final result”.
False flags
Poupard and Putin said false flag attacks were easier in cyberspace than in real life.
Poupard said France had in the past been hacked by groups “attributed to China … I don’t know if it was the state, criminals”. But he added that: “What I’m certain of is that among these attacks, some strangely resembled Chinese attacks but in fact didn’t come from China”.
Putin said: “I can image a scenario when somebody develops a chain of attacks in a manner that would show Russia as the source of these attacks. Modern technology allows that. It’s very easy”.
Poupard said if states wrongly accused each other of cyber strikes it could lead to “international chaos”.
“We’ll get what we all fear, which is to say a sort of permanent conflict where everyone is attacking everyone else”, he said.
The “nightmare scenario” would be “a sort of permanent war, between states and other organisations, which can be criminal and terrorist organisations, where everyone will attack each other, without really knowing who did what”, he said.
———-
“The attack was so generic and simple that it could have been practically anyone...It really could be anyone. It could even be an isolated individual”.
That was what Guillaume Poupard, the head of the French cyber security agency, Anssi, told the AP news agency. The attack was so generic and simple that it could have been done by an isolated individual. It’s a big reminder of why relying on similarities in methodology between attacks is a bad idea for attributing so many of the hacking campaigns we’re seeing: you don’t need a super sophisticated hacking campaign when all you’re doing is spear-phishing. Sure, you need to set up convincing fake login websites or convincing emails that trick at least one person into downloading malware, but that’s the kind of thing a skilled isolated individual can do:
...
Some security experts blamed it on a hacker group called APT28, which is said by the US to be a front for Russian intelligence.
But Poupard said on Thursday: “To say Macron Leaks was APT28, I’m absolutely incapable today of doing that … I have absolutely no element to say whether it’s true or false”.
...
“To say Macron Leaks was APT28, I’m absolutely incapable today of doing that … I have absolutely no element to say whether it’s true or false”
That seems like a pretty important point to publicly make in this kind of situation. After all, if major high-profile hacks are taking place — hacks that appear to be coming from nation states due to all the sloppy clues being left — and those hacks could indeed be carried out by individuals who would like to sow international chaos, it seems like the public should know this. And yet the head of French cybersecurity is largely the only public cybersecurity official making this point, which is dangerously odd:
...
Poupard said France had in the past been hacked by groups “attributed to China … I don’t know if it was the state, criminals”. But he added that: “What I’m certain of is that among these attacks, some strangely resembled Chinese attacks but in fact didn’t come from China”.
...
Poupard said if states wrongly accused each other of cyber strikes it could lead to “international chaos”.
“We’ll get what we all fear, which is to say a sort of permanent conflict where everyone is attacking everyone else”, he said.
The “nightmare scenario” would be “a sort of permanent war, between states and other organisations, which can be criminal and terrorist organisations, where everyone will attack each other, without really knowing who did what”, he said.
...
“The “nightmare scenario” would be “a sort of permanent war, between states and other organisations, which can be criminal and terrorist organisations, where everyone will attack each other, without really knowing who did what”, he said.”
Yeah, “a sort of permanent war, between states and other organisations, which can be criminal and terrorist organisations, where everyone will attack each other, without really knowing who did what” that sounds like quite a nightmare scenario.
But it’s a scenario that the US and German intelligence chiefs clearly do not fear. At least not when it comes to the contemporary wave of hacks attributed to Russia:
...
US and German intelligence chiefs have been more bold in their accusations.
Hans-Georg Maassen, the director of Germany’s BfV intelligence service, said in May that Kremlin-linked hackers had stolen information on German MPs in the run-up to the German election in September.
“We recognise this as a campaign being directed from Russia”, he said.
...
Alarmingly, Vladimir Putin also had a take on the situation that, if anything, made a bad situation much worse. First, he warned that the hacking attacks might in fact be the work of ‘patriotic’ independent Russian hackers who might wake up in the morning feeling patriotic and “start contributing, as they believe, to the justified fight against those speaking ill of Russia”:
...
Its president, Vladimir Putin, told media in Moscow on Thursday: “We do not engage in this activity at the government level and are not going to engage in it”.
He warned at the same time that independent hackers might target the German or other EU elections for “patriotic” reasons if they felt leaders were “speaking ill of Russia”.
“Hackers are free people like artists. If artists get up in the morning feeling good, all they do all day is paint”, Putin said.
“The same goes for hackers. They got up today and read that something is going on internationally. If they are feeling patriotic they will start contributing, as they believe, to the justified fight against those speaking ill of Russia”.
...
“The same goes for hackers. They got up today and read that something is going on internationally. If they are feeling patriotic they will start contributing, as they believe, to the justified fight against those speaking ill of Russia”.
That was an absolutely insane comment for someone in Putin’s position to make publicly. Because while it is absolutely true that you could have ‘patriotic hackers’ doing all sorts of hacks, you don’t want national leaders encouraging and validating that. It’s the kind of comment that could easily be read as an open invitation for Russian hackers to do exactly that, and an equally open invitation for any other hacker around the world to wage an “I’m a Russian hacker!” hacking campaign. It was a dumb comment on multiple levels.
And then Putin made the insane comment that, “I am deeply convinced that no hackers can have a real impact on an election campaign in another country.” And this was after the obvious and significant impact the DNC hacks had on the 2016 campaign and the near-miss in the French election with faked documents. It wasn’t a good look:
...
With Macron having won despite the leaks, Putin said: “I am deeply convinced that no hackers can have a real impact on an election campaign in another country”.
Macron, at a meeting with Putin in Paris on Monday, said Russian state media tried to influence the vote with fake news, but Putin said on Thursday: “Nothing, no information can be imprinted in voters’ minds, in the minds of a nation, and influence the final outcome and the final result”.
...
So we have this remarkable situation where Western governments like the US and Germany have rejected the long-standing hesitancy in attributing cyber attacks, a hesitancy rooted in the inherent ambiguity of these kinds of attributions. And Vladimir Putin was making a nonsense comment about hackers not being able to sway elections while he appeared to be egging hackers on and simultaneously making Russia an easier target for false flag attribution. In other words, we have leaders on both sides of this ‘cyber Cold War’ helping to make the situation ripe for exactly the kind of “international chaos” France’s cyber chief was warning about.
The Other Side of the “International Chaos” Coin
At the same time, let’s not forget that a status quo where cyber attribution is made very hesitantly, because of these ambiguities and the ability to wage false flag attacks, is potentially another form of “international chaos.” A situation where nations and private entities can effectively hack each other with relative impunity as long as they are reasonably competent in executing the hack without leaving self-implicating mistakes. In other words, the question of how to address cyber attribution is one of those situations where there really is no ‘clean’ answer. Each approach has its own downsides.
For instance, imagine the NSA has secret intelligence that does actually allow it to confidently attribute a hack to Russia or China or Germany or whoever. But that evidence can’t be publicly revealed, and the evidence that can be publicly revealed, like the IP addresses used in the hack, is too ambiguous to make a solid attribution. What is the US government going to do in that situation? Especially if the hacks are very high-profile? Does it just throw its hands up and say, “oh well, we know it’s the Russians (or Chinese or Germans or whoever) pulling these hacks off, but we just can’t prove it”? Because that is an option. Another option is trying to address these topics on a government-to-government level and hoping it can get worked out that way. If that avenue doesn’t yield results, what’s a government going to do if it really can confidently make an attribution but can’t publicly reveal the evidence?
Or let’s consider another scenario: a government can’t conclusively prove who is behind a hack, but it’s pretty sure it knows who’s behind it given the circumstances. What’s a government going to do in that situation when the inherent ambiguities in cyberattribution basically make presenting a public case proving their suspicions impossible? Especially if the hacks keep coming? What’s a government going to do?
And then there’s the other obvious scenario: a government can’t conclusively prove who is behind a hack, but it really wants to pin it on a particular adversary, and the hackers just happened to make all sorts of ‘mistakes’ that could be interpreted as real digital evidence but could also easily be interpreted as intentionally placed false flag decoy mistakes. What’s a government going to do when it’s handed that kind of ‘gift’ in the middle of a wave of brazen hacks?
These kinds of scenarios are all totally feasible and probably playing out around the globe all the time: a hack happens, a government has suspicions and hunches, maybe even some intelligence suggesting that an adversary was probably behind it, but nothing can be conclusively proven from the technical evidence. On one level, these are situations where a government can appear helpless, and that really is a kind of “international chaos” situation. So what does a government do in this case?
This is probably a good point to re-read the comments we saw above from John Hultquist, the director of cyberespionage analysis at FireEye, about the sudden change in Russian hacking behavior that started in 2014 following the conflict in Ukraine:
...
Mr. Hultquist noted that the attack was characterized by haste, and a trail of digital mistakes. “There was a time when Russian hackers were characterized by their lack of sloppiness,” Mr. Hultquist said. “When they made mistakes, they burned their entire operation and started anew. But since the invasion of Ukraine and Crimea,” he said, “we’ve seen them carry out brazen, large scale attacks,” perhaps because “there have been few consequences for their actions.”
...
We have the sudden change in ‘Russian hacker’ behavior: tensions flare up between Russia and the West, and then there are all sorts of “I’m a Russian hacker” attacks over and over, where the evidence might be spoofed by a third party but might also be intentionally left by the Russian hackers to achieve some sort of psychological warfare objective. And it’s possible the NSA has secret evidence tying all this back to actual Russian government hackers that it can’t reveal. Or maybe not, and the Western governments are merely ‘pretty sure’ it’s really a Russian government campaign and don’t want to let them ‘get away with it’.
So what’s the appropriate approach to a situation like this? Well, it turns out the current round of Western governments directly attributing these hacks to the Russian government is both historically very unusual and actually a reflection of a choice that was made at the government level and within the cybersecurity industry on how to address these situations: make public attribution a priority, because that’s seen as the best defense against future attacks. Yep, for the past 5 years or so, the cybersecurity industry has seen a revolution in how it treats cyber attribution, driven largely by a one-man campaign. And that man is Dmitri Alperovitch, the co-founder of CrowdStrike, the company that led the investigation of the 2016 DNC hack and made the initial ‘Russia did it’ attribution. As the following Esquire article about Alperovitch notes, making a public attribution directly blaming other nation states, and doing it fast and forcefully, used to be seen as heresy within the cybersecurity industry. But as Alperovitch saw it, that hesitancy on the part of cybersecurity firms was only encouraging nation-state hacking groups, and the only solution was aggressive public attribution campaigns. And as the article makes clear, Alperovitch’s views won out, and the whole practice of cyber attribution has undergone a radical revolution:
Esquire
The Russian Expat Leading the Fight to Protect America
In a war against hackers, Dmitri Alperovitch and CrowdStrike are our special forces (and Putin’s worst nightmare).
By Vicky Ward
Oct 24, 2016
At six o’clock on the morning of May 6, Dmitri Alperovitch woke up in a Los Angeles hotel to an alarming email. Alperovitch is the thirty-six-year-old cofounder of the cybersecurity firm CrowdStrike, and late the previous night, his company had been asked by the Democratic National Committee to investigate a possible breach of its network. A CrowdStrike security expert had sent the DNC a proprietary software package, called Falcon, that monitors the networks of its clients in real time. Falcon “lit up,” the email said, within ten seconds of being installed at the DNC: Russia was in the network.
Alperovitch, a slight man with a sharp, quick demeanor, called the analyst who had emailed the report. “Are we sure it’s Russia?” he asked.
The analyst said there was no doubt. Falcon had detected malicious software, or malware, that was stealing data and sending it to the same servers that had been used in a 2015 attack on the German Bundestag. The code and techniques used against the DNC resembled those from earlier attacks on the White House and the State Department. The analyst, a former intelligence officer, told Alperovitch that Falcon had identified not one but two Russian intruders: Cozy Bear, a group CrowdStrike’s experts believed was affiliated with the FSB, Russia’s answer to the CIA; and Fancy Bear, which they had linked to the GRU, Russian military intelligence.
Alperovitch then called Shawn Henry, a tall, bald fifty-four-year-old former executive assistant director at the FBI who is now CrowdStrike’s president of services. Henry led a forensics team that retraced the hackers’ steps and pieced together the pathology of the breach. Over the next two weeks, they learned that Cozy Bear had been stealing emails from the DNC for more than a year. Fancy Bear, on the other hand, had been in the network for only a few weeks. Its target was the DNC research department, specifically the material that the committee was compiling on Donald Trump and other Republicans. Meanwhile, a CrowdStrike group called the Overwatch team used Falcon to monitor the hackers, a process known as shoulder-surfing.
...
Hacking, like domestic abuse, is a crime that tends to induce shame. Companies such as Yahoo usually publicize their breaches only when the law requires it. For this reason, Alperovitch says, he expected that the DNC, too, would want to keep quiet.
By the time of the hack, however, Donald Trump’s relationship to Russia had become an issue in the election. The DNC wanted to go public. At the committee’s request, Alperovitch and Henry briefed a reporter from The Washington Post about the attack. On June 14, soon after the Post story publicly linked Fancy Bear with the Russian GRU and Cozy Bear with the FSB for the first time, Alperovitch published a detailed blog post about the attacks.
Alperovitch told me he was thrilled that the DNC decided to publicize Russia’s involvement. “Having a client give us the ability to tell the full story” was a “milestone in the industry,” he says. “Not just highlighting a rogue nation-state’s actions but explaining what was taken and how and when. These stories are almost never told.”
In the five years since Alperovitch cofounded CrowdStrike, he and his company have played a critical role in the development of America’s cyberdefense policy. Frank Cilluffo, the former special assistant to the president for homeland security, likens Alperovitch to Paul Revere: “Dmitri, as an individual, has played a significant role in elevating cybersecurity policy not only inside the private sector but more generally.”
When I met Alperovitch in late September, at his open-plan offices outside Washington, D.C., he explained that CrowdStrike was created to take advantage of a simple but central lesson he’d learned about stopping hackers. It’s not enough, he says, to play defense with technology: “Otherwise the adversary will scale up and it becomes a game of numbers, which they will win.” Instead, attribution is crucial: First you need to identify the perpetrator, then you need to discover what motivates the crime, and finally—most important—you need to figure out how to fight back.
Before Alperovitch founded CrowdStrike, the idea that attribution ought to be a central defense against hackers was viewed as heresy. In 2011, he was working in Atlanta as the chief threat officer at the antivirus software firm McAfee. While sifting through server logs in his apartment one night, he discovered evidence of a hacking campaign by the Chinese government. Eventually he learned that the campaign had been going on undetected for five years, and that the Chinese had compromised at least seventy-one companies and organizations, including thirteen defense contractors, three electronics firms, and the International Olympic Committee.
That the Chinese government had been stealing information from the private sector was a shock to the security industry and to many U. S. officials. Almost no one thought that foreign governments used the Internet for anything other than old-fashioned espionage. “This was not spy versus spy,” says John Carlin, who was until recently the assistant attorney general for national security. The hacking was economic sabotage.
While Alperovitch was writing up his report on the breach, he received a call from Renee James, an executive at Intel, which had recently purchased McAfee. According to Alperovitch, James told him, “Dmitri, Intel has a lot of business in China. You cannot call out China in this report.”
Alperovitch removed the word China from his analysis, calling the operation Shady Rat instead. He told me that James’s intervention accelerated his plans to leave Intel. (James declined to comment.) He felt that he was “now being censored because I’m working for a company that’s not really an American company.”
Alperovitch and George Kurtz, a former colleague, founded CrowdStrike as a direct response. The cybersecurity industry at the time, Alperovitch says, was “terrified of losing their ability to market products in China.” Their new company would push the idea that hacking was a means, not an end. “We saw that no one’s really focused on the adversary,” Alperovitch told me. “No one’s focusing exclusively on how can we actually identify them, attribute them, deter them from taking this action again.” CrowdStrike’s tagline encapsulated its philosophy: “You don’t have a malware problem, you have an adversary problem.”
...
Alperovitch studied computer science at Georgia Tech and went on to work at an antispam software firm. There he met a striking dark-haired computer geek named Phyllis Schneck. As a teenager, Schneck once showed her father that she could hack into the company where he worked as an engineer. Appalled, Dr. Schneck made his daughter promise never to do something like that again.
Fighting email spam taught Alperovitch a second crucial lesson. He discovered that every time he blocked a server, the spammers deployed a hundred new servers to take its place. Alperovitch realized that defense was about psychology, not technology.
To better understand his adversaries, Alperovitch posed as a Russian gangster on spam discussion forums, an experience he wrote up in a series of reports. One day he returned from lunch to a voice mail telling him to call the FBI immediately. He was terrified. “I was not a citizen yet,” he told me.
As it happened, the bureau was interested in his work. The government was slowly waking up to the realization that the Internet was ripe for criminal exploitation: “the great price of the digital age,” in John Carlin’s words. In 2004, the bureau was hacked by Joseph Colon, a disgruntled IT consultant who gained “god-level” access to FBI files. Colon was eventually indicted, but his attack showed the government how vulnerable it was to cybercrime.
In 2005, Alperovitch flew to Pittsburgh to meet an FBI agent named Keith Mularski, who had been asked to lead an undercover operation against a vast Russian credit-card-theft syndicate. Mularski had no prior experience with the Internet; he relied on Alperovitch, whom he calls “a good guy and a friend,” to teach him how to get into the forum and speak the lingo. Mularski’s sting operation took two years, but it ultimately brought about fifty-six arrests.
Alperovitch’s first big break in cyberdefense came in 2010, while he was at McAfee. The head of cybersecurity at Google told Alperovitch that Gmail accounts belonging to human-rights activists in China had been breached. Google suspected the Chinese government. Alperovitch found that the breach was unprecedented in scale; it affected more than a dozen of McAfee’s clients.
Three days after his discovery, Alperovitch was on a plane to Washington. He’d been asked to vet a paragraph in a speech by the secretary of state, Hillary Clinton. She’d decided, for the first time, to call out another country for a cyberattack. “In an interconnected world,” she said, “an attack on one nation’s networks can be an attack on all.”
Despite Clinton’s announcement, Alperovitch believed that the government, paralyzed by bureaucracy and politics, was still moving too slowly. In 2014, Sony called in CrowdStrike to investigate a breach of its network. The company needed just two hours to identify North Korea as the adversary. Executives at Sony asked Alperovitch to go public with the information immediately, but it took the FBI another three weeks before it confirmed the attribution.
The delay still frustrates Alperovitch, who saw the long silence as a kind of disinformation. “Yesterday you had no idea. Today you’re 100 percent certain. It wasn’t credible.” From the perspective of the government, however, the handling of the Sony hack was a triumph. “In twenty-six days we figured out it was North Korea,” John Carlin told me. The attribution changed the focus, he said, from what Sony did wrong to how the government was going to respond to North Korea. As Phyllis Schneck, who now works at the Department of Homeland Security, told me, the government moves slowly because it cannot afford to be wrong: “Vendors like to be first. Government must be right.”
The government’s attitude toward attribution moved closer to Alperovitch’s in September 2015, in the run-up to a state visit by Chinese president Xi Jinping. A year earlier, five members of the Chinese People’s Liberation Army had been indicted by a grand jury in Pennsylvania for stealing economic secrets from the computers of U. S. firms in the nuclear, solar, and metals industries. Carlin told me that the indictments were meant as “a giant No Trespass sign: Get off our lawn.” But the indictment didn’t stop the hackers. Alperovitch went on television to call for a stronger response. In April 2015, after President Obama signed an executive order threatening sanctions against the Chinese, Alperovitch received a call from the White House. “You should be happy,” he was told. “You’re the one who’s been pushing for this.”
Six months later, just before the state visit, The Washington Post reported that the U. S. was considering making good on the executive order. A senior State Department official told me that Xi did not want to be embarrassed by an awkward visit. The Chinese sent over a negotiating team, and diplomats from both countries stayed up all night working out an agreement. During the state visit, Obama and Xi announced that “neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property” for the purpose of economic espionage. Since then, the Chinese burglaries have slowed dramatically.
...
The government’s reluctance to name the Russians as the authors of the DNC and DCCC hacks made Alperovitch feel that the lessons of the war game—call out your enemy and respond swiftly—had been wasted. He continued to be told by his friends in government that it was politically impossible for the United States to issue an official response to Russia. Some, especially in the State Department, argued that the United States needed Russia’s help in Syria and could not afford to ratchet up hostilities. Others said an attribution without a concrete response would be meaningless. Still others insisted that classified security concerns demanded consideration.
Alperovitch was deeply frustrated: He thought the government should tell the world what it knew. There is, of course, an element of the personal in his battle cry. “A lot of people who are born here don’t appreciate the freedoms we have, the opportunities we have, because they’ve never had it any other way,” he told me. “I have.”
The government’s hesitation was soon overtaken by events. During the first week of October, while Alperovitch was on a rare vacation, in Italy, Russia pulled out of an arms-reduction pact after being accused by the U. S. of bombing indiscriminately in Syria. The same day, the U. S. halted talks with Russia about a Syrian ceasefire. On October 7, two days before the second presidential debate, Alperovitch got a phone call from a senior government official alerting him that a statement identifying Russia as the sponsor of the DNC attack would soon be released. (The statement, from the office of the director of national intelligence and the Department of Homeland Security, appeared later that day.) Once again, Alperovitch was thanked for pushing the government along.
He got the news just after leaving the Sistine Chapel. “It kind of put things in perspective,” he told me. Though pleased, he wished the statement had warned that more leaks were likely. “It’s nice that you have the DHS and DNI jointly putting the statement out on a Friday night, but the president coming out and saying, ‘Mr. Putin, we know you’re doing this, we find it unacceptable, and you have to stop’ would be beneficial.”
Less than a week later, after WikiLeaks released another cache of hacked emails—this time from John Podesta, Hillary Clinton’s campaign chair—the White House announced that the president was considering a “proportional” response against Russia. Administration officials asked Alperovitch to attend a meeting to consider what to do. He was the only native Russian in the room. “You have to let them save face,” he told the group. “Escalation will not end well.”
———-
“The Russian Expat Leading the Fight to Protect America” by Vicky Ward; Esquire; 10/24/2016
“Alperovitch, a slight man with a sharp, quick demeanor, called the analyst who had emailed the report. “Are we sure it’s Russia?” he asked.”
That was reportedly Alperovitch’s initial response to his company’s analyst concluding that Russia was behind the DNC hack: Are we sure it’s Russia? And that’s a very reasonable question to ask at that point. And note the analyst’s response: there was no doubt. Why? Because the malware used in the DNC hack was sending data back to the same servers used in the Bundestag hack of 2015, and the malware code was similar to that used in earlier hacks:
...
The analyst said there was no doubt. Falcon had detected malicious software, or malware, that was stealing data and sending it to the same servers that had been used in a 2015 attack on the German Bundestag. The code and techniques used against the DNC resembled those from earlier attacks on the White House and the State Department. The analyst, a former intelligence officer, told Alperovitch that Falcon had identified not one but two Russian intruders: Cozy Bear, a group CrowdStrike’s experts believed was affiliated with the FSB, Russia’s answer to the CIA; and Fancy Bear, which they had linked to the GRU, Russian military intelligence.
...
So this is a good time to remind ourselves that the IP address found in the malware used in that DNC hack and the Bundestag hack was published in 2015, and Germany’s BfV intelligence service issued a newsletter attributing that Bundestag hack to the Russian government in January of 2016. That means it would have been incredibly brazen for Russian government hackers to execute a hack using the same command & control server with the same IP address, unless Russia wanted to get caught. But from CrowdStrike’s perspective, this was the kind of ‘digital fingerprint’ that could lead to a conclusion with “no doubt.”
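To make the evidence-quality point concrete, here is an added illustration that is not part of the original post and is not CrowdStrike’s or any other vendor’s actual attribution method: a toy indicator-overlap scorer. It takes the artifacts observed in a new incident (C2 IP, file hash, tooling, technique), matches them against a catalogue of known campaigns, and produces two scores: a naive one that counts every overlap, and a discounted one that gives an indicator which was already printed in a public report before the incident only a fraction of its weight, because anyone who read that report could have reused it. Every indicator, campaign name and weight below is constructed for the example (documentation-range IPs, made-up hashes, invented tool and technique names); the weighting is an assumption that loosely follows the common observation that infrastructure and hashes are cheap to copy while tools and tradecraft are not.

```python
"""Toy indicator-overlap attribution scorer (illustrative, constructed data).

Shows how a naive "same C2 IP, same malware hash" match produces a confident
looking score, and how much of that confidence evaporates once indicators that
were already public before the incident are discounted as copyable.
"""
from dataclasses import dataclass

# Weight per indicator type. Infrastructure and hashes are cheap for a third
# party to reuse or plant; tooling and tradecraft are harder to imitate.
# These values are assumptions for this example, not a published standard.
WEIGHTS = {"ip": 1.0, "hash": 1.0, "domain": 2.0, "tool": 3.0, "ttp": 5.0}


@dataclass(frozen=True)
class Indicator:
    kind: str                 # one of the WEIGHTS keys
    value: str
    published: bool = False   # disclosed in a public report BEFORE this incident?


@dataclass(frozen=True)
class Campaign:
    name: str
    indicators: frozenset


def score_overlap(observed, campaign, public_discount=0.2):
    """Compare an incident's indicators against one known campaign.

    Returns (raw, discounted, matches):
      raw        - sum of weights of every overlapping indicator (the naive view)
      discounted - same sum, but an overlap on an indicator that was already
                   public only contributes `public_discount` of its weight
      matches    - the campaign indicators that were hit, for analyst review
    """
    known = {(i.kind, i.value.lower()): i for i in campaign.indicators}
    raw = discounted = 0.0
    matches = []
    for ind in observed:
        hit = known.get((ind.kind, ind.value.lower()))
        if hit is None:
            continue
        w = WEIGHTS.get(ind.kind, 1.0)
        raw += w
        # Use the catalogue's view of whether the indicator was public: the
        # question is what an imitator could have known at the time.
        discounted += w * (public_discount if hit.published else 1.0)
        matches.append(hit)
    return raw, discounted, matches


def rank_campaigns(observed, campaigns, public_discount=0.2):
    """Rank campaigns by discounted score, best first: (name, raw, discounted)."""
    rows = []
    for c in campaigns:
        raw, disc, _ = score_overlap(observed, c, public_discount)
        rows.append((c.name, raw, disc))
    return sorted(rows, key=lambda r: r[2], reverse=True)


# --- Constructed catalogue (documentation-range IPs, made-up hashes) ---------
CAMPAIGN_A = Campaign("CAMPAIGN-A", frozenset({
    Indicator("ip", "192.0.2.10", published=True),       # C2 IP printed in an earlier public report
    Indicator("hash", "ab" * 32, published=True),        # sample hash from that same report
    Indicator("tool", "custom-tunneler-v3"),             # never publicly described
    Indicator("ttp", "tls-c2-on-443-self-signed-cert"),  # never publicly described
}))
CAMPAIGN_B = Campaign("CAMPAIGN-B", frozenset({
    Indicator("ip", "198.51.100.7"),
    Indicator("ttp", "dns-txt-beaconing"),
}))
CATALOGUE = [CAMPAIGN_A, CAMPAIGN_B]

# Incident 1 (constructed): only the two already-public artifacts reappear.
# Anyone who read the earlier report could have produced exactly this overlap.
COPYCAT_INCIDENT = [
    Indicator("ip", "192.0.2.10"),
    Indicator("hash", "AB" * 32),   # case differs; matching is case-insensitive
    Indicator("domain", "update.example.invalid"),
]

# Incident 2 (constructed): public artifacts plus non-public tooling and tradecraft.
DEEP_OVERLAP_INCIDENT = [
    Indicator("ip", "192.0.2.10"),
    Indicator("tool", "custom-tunneler-v3"),
    Indicator("ttp", "tls-c2-on-443-self-signed-cert"),
]

if __name__ == "__main__":
    for label, incident in (("copycat", COPYCAT_INCIDENT), ("deep overlap", DEEP_OVERLAP_INCIDENT)):
        print(label)
        for name, raw, disc in rank_campaigns(incident, CATALOGUE):
            print(f"  {name}: raw={raw:.1f} discounted={disc:.1f}")
```

Run stand-alone, the copycat incident scores 2.0 against CAMPAIGN-A on the naive count but only 0.4 once the two public indicators are discounted, while the deep-overlap incident keeps almost all of its 9.0 (8.2) because the tool and technique matches were never public. A C2 IP that had been sitting in a public report for months, as the author describes for the Bundestag server, belongs in the copyable category, which is why an overlap on it alone should not be read as “no doubt”.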
And as the rest of the article makes clear, arriving at a culprit for a cyber attack and then making a very public complaint about it is at the heart of the strategy that Alperovitch has been advocating for years. And advocating with great success:
...
Alperovitch told me he was thrilled that the DNC decided to publicize Russia’s involvement. “Having a client give us the ability to tell the full story” was a “milestone in the industry,” he says. “Not just highlighting a rogue nation-state’s actions but explaining what was taken and how and when. These stories are almost never told.”
In the five years since Alperovitch cofounded CrowdStrike, he and his company have played a critical role in the development of America’s cyberdefense policy. Frank Cilluffo, the former special assistant to the president for homeland security, likens Alperovitch to Paul Revere: “Dmitri, as an individual, has played a significant role in elevating cybersecurity policy not only inside the private sector but more generally.”
When I met Alperovitch in late September, at his open-plan offices outside Washington, D.C., he explained that CrowdStrike was created to take advantage of a simple but central lesson he’d learned about stopping hackers. It’s not enough, he says, to play defense with technology: “Otherwise the adversary will scale up and it becomes a game of numbers, which they will win.” Instead, attribution is crucial: First you need to identify the perpetrator, then you need to discover what motivates the crime, and finally—most important—you need to figure out how to fight back.
...
“It’s not enough, he says, to play defense with technology: “Otherwise the adversary will scale up and it becomes a game of numbers, which they will win.” Instead, attribution is crucial: First you need to identify the perpetrator, then you need to discover what motivates the crime, and finally—most important—you need to figure out how to fight back.”
That’s Alperovitch’s philosophy: you can’t simply deal with hacking by playing defense. You have to play offense, and that requires public attribution. And it’s a philosophy that was viewed as heresy in the cybersecurity industry not too long ago. The article characterizes this industry disposition as being in part due to concerns about losing clients in the nations a firm publicly attributes an attack to, but it seems likely that the inherent ambiguity of these attributions was also a factor in why it was viewed as heresy. Either way, CrowdStrike was formed in response to this industry bias against publicly attributing hacks to other governments:
...
Before Alperovitch founded CrowdStrike, the idea that attribution ought to be a central defense against hackers was viewed as heresy. In 2011, he was working in Atlanta as the chief threat officer at the antivirus software firm McAfee. While sifting through server logs in his apartment one night, he discovered evidence of a hacking campaign by the Chinese government. Eventually he learned that the campaign had been going on undetected for five years, and that the Chinese had compromised at least seventy-one companies and organizations, including thirteen defense contractors, three electronics firms, and the International Olympic Committee.
That the Chinese government had been stealing information from the private sector was a shock to the security industry and to many U. S. officials. Almost no one thought that foreign governments used the Internet for anything other than old-fashioned espionage. “This was not spy versus spy,” says John Carlin, who was until recently the assistant attorney general for national security. The hacking was economic sabotage.
While Alperovitch was writing up his report on the breach, he received a call from Renee James, an executive at Intel, which had recently purchased McAfee. According to Alperovitch, James told him, “Dmitri, Intel has a lot of business in China. You cannot call out China in this report.”
Alperovitch removed the word China from his analysis, calling the operation Shady Rat instead. He told me that James’s intervention accelerated his plans to leave Intel. (James declined to comment.) He felt that he was “now being censored because I’m working for a company that’s not really an American company.”
Alperovitch and George Kurtz, a former colleague, founded CrowdStrike as a direct response. The cybersecurity industry at the time, Alperovitch says, was “terrified of losing their ability to market products in China.” Their new company would push the idea that hacking was a means, not an end. “We saw that no one’s really focused on the adversary,” Alperovitch told me. “No one’s focusing exclusively on how can we actually identify them, attribute them, deter them from taking this action again.” CrowdStrike’s tagline encapsulated its philosophy: “You don’t have a malware problem, you have an adversary problem.”
...
““No one’s focusing exclusively on how can we actually identify them, attribute them, deter them from taking this action again.” CrowdStrike’s tagline encapsulated its philosophy: “You don’t have a malware problem, you have an adversary problem.””
And that encapsulates much of CrowdStrike’s approach to stopping hacks:
Step 1. Determine a culprit.
Step 2. Make a big public stink about it.
And this approach appears to have been shaped by a conclusion Alperovitch arrived at while working at an antispam software firm, the same firm where he met Phyllis Schneck, who now works at the Department of Homeland Security: cyber defense was about psychology, not technology:
...
Alperovitch studied computer science at Georgia Tech and went on to work at an antispam software firm. There he met a striking dark-haired computer geek named Phyllis Schneck. As a teenager, Schneck once showed her father that she could hack into the company where he worked as an engineer. Appalled, Dr. Schneck made his daughter promise never to do something like that again.
Fighting email spam taught Alperovitch a second crucial lesson. He discovered that every time he blocked a server, the spammers deployed a hundred new servers to take its place. Alperovitch realized that defense was about psychology, not technology.
...
And that psychological strategy is part of why making a public attribution is so important, according to this strategy. From Alperovitch’s perspective, intimidating your cyber adversary is basically the only realistic way to stop the hacks.
It’s a strategy that he first employed in 2010, when his analysis was used by the US government to publicly accuse China of cyber attacks on Google Gmail accounts. The strategy was used again in 2014 to attribute the Sony hack to North Korea, and in 2015 once again against China. And that 2015 attribution against China, backed by the threat of sanctions under an executive order President Obama had signed that April, apparently resulted in a bilateral agreement where “neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property” for the purpose of economic espionage. Chinese cyber burglaries have slowed dramatically since then:
...
Alperovitch’s first big break in cyberdefense came in 2010, while he was at McAfee. The head of cybersecurity at Google told Alperovitch that Gmail accounts belonging to human-rights activists in China had been breached. Google suspected the Chinese government. Alperovitch found that the breach was unprecedented in scale; it affected more than a dozen of McAfee’s clients.
Three days after his discovery, Alperovitch was on a plane to Washington. He’d been asked to vet a paragraph in a speech by the secretary of state, Hillary Clinton. She’d decided, for the first time, to call out another country for a cyberattack. “In an interconnected world,” she said, “an attack on one nation’s networks can be an attack on all.”
Despite Clinton’s announcement, Alperovitch believed that the government, paralyzed by bureaucracy and politics, was still moving too slowly. In 2014, Sony called in CrowdStrike to investigate a breach of its network. The company needed just two hours to identify North Korea as the adversary. Executives at Sony asked Alperovitch to go public with the information immediately, but it took the FBI another three weeks before it confirmed the attribution.
The delay still frustrates Alperovitch, who saw the long silence as a kind of disinformation. “Yesterday you had no idea. Today you’re 100 percent certain. It wasn’t credible.” From the perspective of the government, however, the handling of the Sony hack was a triumph. “In twenty-six days we figured out it was North Korea,” John Carlin told me. The attribution changed the focus, he said, from what Sony did wrong to how the government was going to respond to North Korea. As Phyllis Schneck, who now works at the Department of Homeland Security, told me, the government moves slowly because it cannot afford to be wrong: “Vendors like to be first. Government must be right.”
The government’s attitude toward attribution moved closer to Alperovitch’s in September 2015, in the run-up to a state visit by Chinese president Xi Jinping. A year earlier, five members of the Chinese People’s Liberation Army had been indicted by a grand jury in Pennsylvania for stealing economic secrets from the computers of U. S. firms in the nuclear, solar, and metals industries. Carlin told me that the indictments were meant as “a giant No Trespass sign: Get off our lawn.” But the indictment didn’t stop the hackers. Alperovitch went on television to call for a stronger response. In April 2015, after President Obama signed an executive order threatening sanctions against the Chinese, Alperovitch received a call from the White House. “You should be happy,” he was told. “You’re the one who’s been pushing for this.”
Six months later, just before the state visit, The Washington Post reported that the U. S. was considering making good on the executive order. A senior State Department official told me that Xi did not want to be embarrassed by an awkward visit. The Chinese sent over a negotiating team, and diplomats from both countries stayed up all night working out an agreement. During the state visit, Obama and Xi announced that “neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property” for the purpose of economic espionage. Since then, the Chinese burglaries have slowed dramatically.
...
So that all sounds like a great success for Alperovitch’s public attribution strategy, right? A bilateral agreement with China that slowed Chinese cyber burglaries dramatically is quite an achievement.
Except, of course, there’s a rather significant problem with this approach, and it relates directly to the warnings by France’s cyber security chief about “international chaos” from false flags: What if the dramatic slowdown in Chinese cyber burglaries merely reflects a shift in strategy by Chinese hackers to make their hacks look like, say, Russian hackers? Or American hackers? Why isn’t this ‘new normal’ of aggressively making public attributions exactly the kind of ‘defensive’ tactic that makes false flag attacks even more tempting? And why wouldn’t third parties who want to sow chaos, like neo-Nazi hackers, LOVE this new attribution paradigm?
And note the comment from Alperovitch’s former CrowdStrike partner, Phyllis Schneck, who is now at DHS, about the cybersecurity industry’s predilection for “being first” when making an attribution:
...
The delay still frustrates Alperovitch, who saw the long silence as a kind of disinformation. “Yesterday you had no idea. Today you’re 100 percent certain. It wasn’t credible.” From the perspective of the government, however, the handling of the Sony hack was a triumph. “In twenty-six days we figured out it was North Korea,” John Carlin told me. The attribution changed the focus, he said, from what Sony did wrong to how the government was going to respond to North Korea. As Phyllis Schneck, who now works at the Department of Homeland Security, told me, the government moves slowly because it cannot afford to be wrong: “Vendors like to be first. Government must be right.”
...
“Vendors like to be first. Government must be right.”
In other words, market forces have now been unleashed that encourage the cybersecurity industry to rush to attribution conclusions. After all, think about the incredible free advertising Trend Micro got for its report on the US Senate phishing sites and the Macron hacks. The profit motive encourages this. Isn’t that wildly dangerous when those rushed attributions have geo-strategic implications? It sure sounds like a recipe for “international chaos”.
Still, let’s keep in mind that a world where Chinese government hackers can pilfer intellectual property with impunity and North Korea can attack corporations over movies it doesn’t like is another form of “international chaos”. It’s probably not nearly as chaotic as a world where conflicts break out as a result of cyber attacks and false flag campaigns, but it’s still a very non-ideal situation.
What’s the Cybersecurity Industry’s Secret to Cyber Attribution? Pattern Recognition. Hopefully Perfect Pattern Recognition (Because Otherwise it’s International Chaos)
So what’s the cybersecurity industry’s response to criticism that this new aggressive approach to attribution is vulnerable to false flag attacks and incorrect attributions? Well, according to an article that describes the techniques the industry uses to arrive at its conclusions, the industry responds by stating that false flag attacks just aren’t feasible because hackers make mistakes that reveal their true origin. Yep, that’s the response.
And that article describes the primary technique for attribution as “pattern recognition”: looking at a hack’s ‘digital fingerprints’ and comparing them to past attacks. If you think about it, if you’re a hacker and the digital fingerprints in your hacks allow analysts to trace your work back to previous attacks, that’s a mistake. Recall the comments from FireEye’s analyst about how the Russian hackers used to completely burn their digital infrastructure after getting caught (and then mysteriously stopped doing that around 2014). High quality government hackers shouldn’t actually be leaving an extensive trail of reused digital fingerprints. They apparently used to be able to operate without making so many conspicuous mistakes. And yet the cybersecurity industry is predicating its attributions on detecting the mistakes hackers make, and on the deep conviction that hackers make mistakes and that these mistakes can be used for high-confidence attributions. Which seems like a massive mistake:
CNET
How US cybersleuths decided Russia hacked the DNC
Digital clues led security pros to agencies in Putin’s government. It’s as close as we’ll ever get to proof that Russia did it.
by Laura Hautala
May 3, 2017 9:13 AM PD
It was a bombshell.
Operatives from two Russian spy agencies had infiltrated computers of the Democratic National Committee, months before the US national election.
One agency — nicknamed Cozy Bear by cybersecurity company CrowdStrike — used a tool that was “ingenious in its simplicity and power” to insert malicious code into the DNC’s computers, CrowdStrike’s Chief Technology Officer Dmitri Alperovitch wrote in a June blog post. The other group, nicknamed Fancy Bear, remotely grabbed control of the DNC’s computers.
By October, the Department of Homeland Security and the Office of the Director of National Intelligence on Election Security agreed that Russia was behind the DNC hack. On Dec. 29, those agencies, together with the FBI, Department of Homeland Security and the Office of the Director of National Intelligence on Election Security agreed that Russia.
And a week later, the Office of the Director of National Intelligence summarized its findings (PDF) in a declassified (read: scrubbed) report. Even President Donald Trump acknowledged, “It was Russia,” a few days later — although he told “Face the Nation” earlier this week it “could’ve been China.”
...
We’ll probably never really find out what the US intelligence community or CrowdStrike know or how they know it. This is what we do know:
CrowdStrike and other cyberdetectives had spotted tools and approaches they’d seen Cozy Bear and Fancy Bear use for years. Cozy Bear is believed to be either Russia’s Federal Security Service, known as the FSB, or its Foreign Intelligence Service, the SVR. Fancy Bear is thought to be Russia’s military intel agency, GRU.
It was the payoff of a long game of pattern recognition — piecing together hacker groups’ favorite modes of attack, sussing out the time of day they’re most active (hinting at their locations) and finding signs of their native language and the internet addresses they use to send or receive files.
“You just start to weigh all these factors until you get near 100 percent certainty,” says Dave DeWalt, former CEO of McAfee and FireEye, who now sits on the boards of five security companies. “It’s like having enough fingerprints in the system.”
Watching the cyberdetectives
CrowdStrike put that knowledge to use in April, when the DNC’s leadership called in its digital forensics experts and custom software — which spots when someone takes control of network accounts, installs malware or steals files — to find out who was mucking around in their systems, and why.
“Within minutes, we were able to detect it,” Alperovitch said in an interview the day the DNC revealed the break-in. CrowdStrike found other clues within 24 hours, he said.
Those clues included small fragments of code called PowerShell commands. A PowerShell command is like a Russian nesting doll in reverse. Start with the smallest doll, and that’s the PowerShell code. It’s only a single string of seemingly meaningless numbers and letters. Open it up, though, and out jumps a larger module that, in theory at least, “can do virtually anything on the victim system,” Alperovitch wrote.
One of the PowerShell modules inside the DNC system connected to a remote server and downloaded more PowerShells, adding more nesting dolls to the DNC network. Another opened and installed MimiKatz, malicious code for stealing login information. That gave hackers a free pass to move from one part of the DNC’s network to another by logging in with valid usernames and passwords. These were Cozy Bear’s weapons of choice.
Fancy Bear used tools known as X‑Agent and X‑Tunnel to remotely access and control the DNC network, steal passwords and transfer files. Other tools let them wipe away their footprints from network logs.
CrowdStrike had seen this pattern many times before.
“You could never go into the DNC as a single event and come up with that [conclusion],” said Robert M. Lee, CEO of cybersecurity firm Dragos.
Pattern recognition
Alperovitch compares his work to that of Johnny Utah, the character Keanu Reeves played in the 1991 surfing-bank-heist flick “Point Break.” In the movie, Utah identified the mastermind of a robbery by looking at habits and methods. “He’s already analyzed 15 bank robbers. He can say, ‘I know who this is,’ ” Alperovitch said in an interview in February.
“The same thing applies to cybersecurity,” he said.
One of those tells is consistency. “The people behind the keyboards, they don’t change that much,” said DeWalt. He thinks nation-state hackers tend to be careerists, working in either the military or intelligence operations.
Pattern recognition is how Mandiant, owned by FireEye, figured out that North Korea broke into Sony Pictures’ networks.
The government stole Social Security numbers from 47,000 employees and leaked embarrassing internal documents and emails. That’s because the Sony attackers left behind a favorite hacking tool that wiped, and then wrote over, hard drives. The cybersecurity industry had previously traced that tool to North Korea, which had been using it for at least four years, including in a massive campaign against South Korean banks the year before.
It’s also how researchers from McAfee figured out Chinese hackers were behind Operation Aurora in 2009, when hackers accessed the Gmail accounts of Chinese human rights activists and stole source code from more than 150 companies, according to DeWalt, who was CEO of McAfee at the time of the investigation. Investigators found malware written in Mandarin, code that had been compiled in a Chinese operating system and time-stamped in a Chinese time zone, and other clues investigators had previously seen in attacks originating from China, DeWalt said.
Tell us more
One of the most common complaints about the evidence CrowdStrike presented is that the clues could have been faked: Hackers could have used Russian tools, worked during Russian business hours and left bits of Russian language behind in malware found on DNC computers.
It doesn’t help that, almost as soon as the DNC revealed it had been hacked, someone calling himself Guccifer 2.0 and claiming to be Romanian took credit as the sole hacker penetrating the political party’s network.
That set off a seemingly endless debate about who did what, even as additional hacks of former Hillary Clinton campaign chairman John Podesta and others led to more leaked emails.
Cybersecurity experts say it would be too difficult for hackers to consistently make it look like an attack was coming from a different group of hackers. One mistake could blow their cover.
Critics probably won’t be getting definitive answers anytime soon, since neither CrowdStrike nor US intelligence agencies plan to provide more details to the public, “as the release of such information would reveal sensitive sources or methods and imperil the ability to collect critical foreign intelligence in the future,” the Office of the Director of National Intelligence said in its report.
“The declassified report does not and cannot include the full supporting information, including specific intelligence and sources and methods.”
The debate has taken Alperovitch by surprise.
“Our industry has been doing attribution for 30 years,” although such work on focused on criminal activity, he said. “The minute it went out of cybercrime, it became controversial.”
———-
“How US cybersleuths decided Russia hacked the DNC” by Laura Hautala; CNET; 05/03/2017
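The CNET article above describes the “nesting doll” PowerShell commands found on the DNC network: a short base64 string that, once decoded, yields a larger script which may in turn contain another encoded stage. The analyst’s side of that is peeling the layers back to see what the innermost stage actually does. The following is an added example, not CrowdStrike’s tooling or code from the article; it unwraps a chain of `-EncodedCommand` (and `FromBase64String`) layers from a sample command line that the block itself constructs from a benign inner script. Only the -EncodedCommand switch, its UTF-16LE encoding and the FromBase64String method are real PowerShell behaviour; everything else is assumed for illustration.

```python
import base64
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -enc, ...),
# so match "-e" plus letters of that switch, then the base64 payload.
ENC_SWITCH = re.compile(r"-e[ncodema]*\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
# In-script decoding of an embedded base64 literal is the other common wrapper.
FROM_B64 = re.compile(
    r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]\s*\)", re.IGNORECASE)


def decode_layer(b64: str) -> str:
    """Decode one base64 layer. -EncodedCommand payloads are UTF-16LE; a
    FromBase64String literal is usually UTF-8, so sniff for the zero high
    bytes that UTF-16LE ASCII text produces before choosing a codec."""
    raw = base64.b64decode(b64, validate=True)
    if len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le")
    return raw.decode("utf-8", errors="replace")


def unwrap(command: str, max_depth: int = 10) -> list:
    """Return every layer from the outer command line down to the innermost
    script, stopping when no further encoded payload is found."""
    layers = [command]
    current = command
    for _ in range(max_depth):
        match = ENC_SWITCH.search(current) or FROM_B64.search(current)
        if match is None:
            break
        current = decode_layer(match.group(1))
        layers.append(current)
    return layers


def build_sample(inner_script: str, depth: int) -> str:
    """Constructed test input: wrap a benign script in `depth` -enc layers,
    the way a multi-stage stager would. Not a real captured command."""
    cmd = inner_script
    for _ in range(depth):
        b64 = base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")
        cmd = f"powershell.exe -NoProfile -ExecutionPolicy Bypass -enc {b64}"
    return cmd


if __name__ == "__main__":
    sample = build_sample("Write-Output 'constructed inner layer'", 3)
    for depth, layer in enumerate(unwrap(sample)):
        print(f"layer {depth}: {layer[:70]}")
```

In practice the innermost layer is where the indicators the article lists (download URLs, credential-theft tooling) become visible, which is why endpoint logging of the decoded script block, rather than only the outer command line, matters for detection.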
“Alperovitch compares his work to that of Johnny Utah, the character Keanu Reeves played in the 1991 surfing-bank-heist flick “Point Break.” In the movie, Utah identified the mastermind of a robbery by looking at habits and methods. “He’s already analyzed 15 bank robbers. He can say, ‘I know who this is,’ ” Alperovitch said in an interview in February.”
Yep, Dmitri Alperovitch compares his work to a Keanu Reeves movie character who can just look at the evidence left in a robbery and deduce who did it. That’s the underlying technique at work. And while that’s a perfectly reasonable technique for making a cautious guess about the culprits, it’s apparently being treated as a technique that can allow for near 100 percent certainty:
...
CrowdStrike and other cyberdetectives had spotted tools and approaches they’d seen Cozy Bear and Fancy Bear use for years. Cozy Bear is believed to be either Russia’s Federal Security Service, known as the FSB, or its Foreign Intelligence Service, the SVR. Fancy Bear is thought to be Russia’s military intel agency, GRU.
It was the payoff of a long game of pattern recognition — piecing together hacker groups’ favorite modes of attack, sussing out the time of day they’re most active (hinting at their locations) and finding signs of their native language and the internet addresses they use to send or receive files.
“You just start to weigh all these factors until you get near 100 percent certainty,” says Dave DeWalt, former CEO of McAfee and FireEye, who now sits on the boards of five security companies. “It’s like having enough fingerprints in the system.”
...
“You just start to weigh all these factors until you get near 100 percent certainty”
Pattern recognition leading to near 100 percent certainty. And as we saw with the Trend Micro reports, 99–100 percent certainty is indeed something the industry is arriving at with these very consequential attributions.
And this pattern recognition technique is partially predicated on the assumption that hackers don’t actually change their methods very much. Even government hackers:
...
One of those tells is consistency. “The people behind the keyboards, they don’t change that much,” said DeWalt. He thinks nation-state hackers tend to be careerists, working in either the military or intelligence operations.
...
So is it true that careerist government hackers tend to be consistent and don’t really bother switching up their techniques and ‘digital fingerprints’? Well, if so, yes, that would allow for pattern recognition to be used for attribution...except for the fact that government hackers behaving consistently makes them easy marks for a false flag attack. How is this not recognized?!
Also note that even if government hackers are consistent in their methods, that might not matter if they are consistently using malware and server hosting companies that other hackers also use, leaving ambiguous digital fingerprints. The consistency might also not matter if they are consistently running their hacks by impersonating other hacking groups, although the cybersecurity industry appears to think that would be impossible for a government hacking group to do consistently without accidentally blowing their cover. Which, again, is an odd assumption to make.
What’s the industry response to these kinds of concerns? Don’t worry about false flags, because the hackers will make mistakes that reveal themselves:
...
Tell us more
One of the most common complaints about the evidence CrowdStrike presented is that the clues could have been faked: Hackers could have used Russian tools, worked during Russian business hours and left bits of Russian language behind in malware found on DNC computers.
...
Cybersecurity experts say it would be too difficult for hackers to consistently make it look like an attack was coming from a different group of hackers. One mistake could blow their cover.
...
“Cybersecurity experts say it would be too difficult for hackers to consistently make it look like an attack was coming from a different group of hackers.”
WHAT?!! How is such a conclusion arrived at?
Now, it’s true that the longer a third party tries to impersonate another hacking group, the more likely they are to make a mistake. There’s just more opportunity for mistakes when false flag attacks are consistently attempted. But what about an inconsistent attempt? Like just one or a few? Would that be very difficult?
Also keep in mind that if a false flag attack is successful, and cybersecurity researchers fall for the trick, that false flag group’s mode of operation will become the evidence used for future attributions. In other words, this “pattern recognition” technique is only as good as the quality of the past attributions. For all we know, a huge chunk of the past hacks attributed by the cybersecurity industry to Russia or China or any other country could be misattributed attacks and the digital paper trail is a mix of tracks left by actual Russian and Chinese government hackers plus a bunch of false flag third parties. There’s no reason to not assume this is the case unless the 5‑Eyes has far, far more information about who is hacking who than they let on.
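The point made above, that fingerprints an imitator would also leave cannot distinguish the real group from an imitator, is exactly what the analysis of competing hypotheses (ACH) method makes explicit: evidence rated the same way under every hypothesis has no diagnostic value, however much of it piles up. The following is an added example, not anything from the CNET article or CrowdStrike; the hypotheses, the evidence rows and their ratings are constructed for illustration, and the “non-public telemetry” row is a hypothetical stand-in for the kind of undisclosed evidence the ODNI report alludes to.

```python
from dataclasses import dataclass

CONSISTENT, INCONSISTENT, NEUTRAL = "C", "I", "N"
H_GRU = "H1: GRU operation"
H_IMITATOR = "H2: third party imitating GRU"
HYPOTHESES = (H_GRU, H_IMITATOR)


@dataclass
class Evidence:
    description: str
    ratings: dict  # hypothesis -> CONSISTENT / INCONSISTENT / NEUTRAL


# Constructed evidence matrix for illustration; none of these rows is a
# finding from any real investigation.
PUBLIC_EVIDENCE = [
    Evidence("Cyrillic strings in malware metadata",
             {H_GRU: CONSISTENT, H_IMITATOR: CONSISTENT}),
    Evidence("Build and C2 activity clustered in UTC+3 business hours",
             {H_GRU: CONSISTENT, H_IMITATOR: CONSISTENT}),
    Evidence("Tooling previously published as GRU-linked",
             {H_GRU: CONSISTENT, H_IMITATOR: CONSISTENT}),
    Evidence("Hosting provider reused from a campaign already attributed to GRU",
             {H_GRU: CONSISTENT, H_IMITATOR: CONSISTENT}),
    Evidence("Target selection matches documented GRU interests",
             {H_GRU: CONSISTENT, H_IMITATOR: NEUTRAL}),
]

# Hypothetical non-public evidence, assumed here purely to show how a single
# diagnostic row changes the ranking when the public rows cannot.
PRIVATE_LINKAGE = Evidence(
    "Non-public telemetry tying the operator to a prior GRU campaign",
    {H_GRU: CONSISTENT, H_IMITATOR: INCONSISTENT})


def is_diagnostic(ev):
    """Evidence discriminates only if the hypotheses rate it differently."""
    return len({ev.ratings[h] for h in HYPOTHESES}) > 1


def non_diagnostic(evidence):
    """Rows that an imitator would reproduce as readily as the real group."""
    return [ev.description for ev in evidence if not is_diagnostic(ev)]


def rank_hypotheses(evidence):
    """ACH scoring: fewest inconsistencies wins; non-diagnostic rows are
    ignored because they cannot move one hypothesis relative to another."""
    inconsistencies = {h: 0 for h in HYPOTHESES}
    for ev in evidence:
        if not is_diagnostic(ev):
            continue
        for h in HYPOTHESES:
            if ev.ratings[h] == INCONSISTENT:
                inconsistencies[h] += 1
    return sorted(inconsistencies.items(), key=lambda item: item[1])


if __name__ == "__main__":
    print("non-diagnostic:", non_diagnostic(PUBLIC_EVIDENCE))
    print("public evidence only:", rank_hypotheses(PUBLIC_EVIDENCE))
    print("with private linkage:", rank_hypotheses(PUBLIC_EVIDENCE + [PRIVATE_LINKAGE]))
```

With only the four spoofable rows plus target selection, both hypotheses end with zero inconsistencies and the method reports a tie; adding the one hypothetical row that an imitator could not satisfy is what separates them. That is the structural reason the public fingerprints alone do not support “near 100 percent certainty”, whatever undisclosed evidence may sit behind an official attribution.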
For instance, look at some of the evidence used to attribute attacks to the Chinese government: Mandarin in the code that was compiled on Chinese operating systems, and Chinese work day compile times in the malware:
...
It’s also how researchers from McAfee figured out Chinese hackers were behind Operation Aurora in 2009, when hackers accessed the Gmail accounts of Chinese human rights activists and stole source code from more than 150 companies, according to DeWalt, who was CEO of McAfee at the time of the investigation. Investigators found malware written in Mandarin, code that had been compiled in a Chinese operating system and time-stamped in a Chinese time zone, and other clues investigators had previously seen in attacks originating from China, DeWalt said.
...
Now, on the one hand, that sure seems like the signs of a Chinese hacker. On the other hand, if you were a non-Chinese skilled hacker who didn’t want to be a suspect and decided to pretend to be a Chinese hacker, wouldn’t those be exactly the kinds of ‘digital fingerprints’ you would try to leave?
And while the hacks on Chinese human rights activists seem like the kinds of targets Chinese hackers would specifically be interested in, the source code from those 150 companies seems like the kind of thing all sorts of parties would be interested in. So if you were, say, Russian or Brazilian hackers with an interest in hacking those companies, you could wage that hacking campaign with Chinese ‘digital fingerprints’ and then target some Chinese human rights activists to lend credence to it. Do skilled professional hackers do such things? Who knows, but getting caught stealing source code from 150 companies seems like the kind of thing a hacking group would really, really, really not want to get caught doing, whether it’s a Chinese hacking group or any other hacking group. Or lone hacker. So we can’t rule the possibility out. And yes, this is very unfortunate because that’s the kind of ambiguity that encourages “international chaos” on some level, but it is what it is.
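One of the “Chinese time zone” clues above is compile timestamps: the idea is that an operator building malware during a normal working week leaves timestamps that line up with office hours in their own zone. The following added example (mine, not McAfee’s or DeWalt’s method, and run over timestamps constructed for the purpose rather than real samples) fits a set of UTC compile times against every whole-hour offset and reports which zones match a weekday 09:00–18:00 pattern. It shows the two limits of the clue in one run: several neighbouring offsets fit equally well, and the input is just a header field that whoever produced the binary controls.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: compile timestamps (UTC) as an analyst might pull from a
# malware family's PE headers. Fabricated for this example, not real samples.
SAMPLE_TIMESTAMPS = [
    datetime(2016, 6, day, hour, 17, tzinfo=timezone.utc)
    for day in range(13, 18)   # Mon 13 June 2016 .. Fri 17 June 2016
    for hour in range(2, 8)    # 02:17 .. 07:17 UTC, i.e. 10:17 .. 15:17 at UTC+8
]


def in_working_hours(ts, offset, start_hour=9, end_hour=18):
    """True if `ts` falls on a weekday inside [start_hour, end_hour) local
    time for the zone UTC+offset."""
    local = ts.astimezone(timezone(timedelta(hours=offset)))
    return local.weekday() < 5 and start_hour <= local.hour < end_hour


def working_hours_fit(timestamps, start_hour=9, end_hour=18):
    """Fraction of timestamps matching the working-week model, per offset."""
    return {
        offset: sum(in_working_hours(ts, offset, start_hour, end_hour)
                    for ts in timestamps) / len(timestamps)
        for offset in range(-12, 15)
    }


def candidate_offsets(timestamps, start_hour=9, end_hour=18):
    """All offsets that fit equally well; more than one entry means the
    timestamps alone do not pin down a time zone."""
    fits = working_hours_fit(timestamps, start_hour, end_hour)
    best = max(fits.values())
    return [offset for offset, fit in fits.items() if fit == best]


if __name__ == "__main__":
    # prints [7, 8, 9, 10]: UTC+8 fits, but so do three neighbouring zones
    print("best-fitting UTC offsets:", candidate_offsets(SAMPLE_TIMESTAMPS))
```

A six-hour spread of build times is consistent with four different zones, so even an honest timestamp narrows the candidate region rather than naming a country; and because the field is written by the build tool, it is only as trustworthy as the assumption that the producer did not change it.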
At the same time, let’s remember that it’s entirely possible that the NSA and 5‑Eyes really do have much more information on who is carrying out various hacks — perhaps by storing almost all internet traffic and decrypting it — but they can’t reveal it, and shoddy public attribution cases are made to provide public cover for an attribution that was really made with evidence they can’t reveal. So would that situation make it all ok if the cybersecurity industry just standardizes ‘pattern recognition’ as the gold standard for conclusive attribution, if they were really just acting as a proxy for attributions made by the NSA or some other government agency with access to secret evidence? Well, that seems like a massive risk, because once that attribution standard is established it’s going to be usable by all sorts of companies and governments for whatever reasons they choose. Heck, you could have governments hack themselves and frame an adversary simply by leaving a bunch of ‘digital fingerprints’. For all we know that’s already happening.
And that’s why making attribution the key to cyber defense is such a risky ‘new normal’. The exploitation of the weaknesses in the “pattern recognition” approach to hacks is the ultimate weapon for “international chaos”.
Sure, the ‘old normal’ of refraining from attribution when the evidence is ambiguous is also a recipe for “international chaos” in the form of lots of hacking that’s difficult to stop. But when you compare that kind of ‘chaos’ to the risk of international conflicts getting sparked by something like a false flag election hack, it seems like the ‘old normal’ should be the preferred ‘normal’. This ‘new normal’ is pretty scary.
And yet, when you read the final comments from Alperovitch in the above article, he expresses surprise that there’s been so much debate over whether or not his “pattern recognition” approach to attribution is appropriate for government hack attribution:
...
The debate has taken Alperovitch by surprise.
“Our industry has been doing attribution for 30 years,” although such work on focused on criminal activity, he said. “The minute it went out of cybercrime, it became controversial.”
...
“Our industry has been doing attribution for 30 years,” although such work on focused on criminal activity, he said. “The minute it went out of cybercrime, it became controversial.”
The minute pattern recognition attribution went out of cybercrime and got used for government hacking group attribution and high-profile political hacks, it became controversial. And for some reason this is surprising. Despite the fact that false flag hacks in the realm of cyber crime are a completely different story from false flag attacks for the purpose of framing a country, in terms of both the capabilities of the likely perpetrators and their motivations. And it’s also wildly different in terms of the need for accuracy. It’s not great if you screw up the attribution of a cyber burglary by a common hacker, but you really don’t want to misattribute something like an election hack.
And let’s not forget that hack attacks can get a lot more disruptive than an election attack. Imagine a hack that takes down a national power grid. Maybe one that takes it down for an extended period of time. What’s the better attribution ‘normal’ in that situation? The ‘old normal’, where public attribution of government hacks was rare, which could conceivably encourage governments to think they can get away with such an attack? Or the ‘new normal’, where you could conceivably incentivize a devastating cyber false flag attack that takes down a power grid? Or maybe triggers a nuclear plant meltdown?
Which ‘normal’ is worse? It seems like the ‘old normal’ is probably safer, since there’s still the implicit threat of mutually assured retaliation without incentivizing false flags. But if there’s one ‘permanent normal’, it’s the fact that humanity is always going to need to struggle with the appropriate approach to cyber attribution as long as ‘perfect crime’ false flags are a technical possibility. This debate isn’t going away. Nor should it. It’s similar to the debate over the balance between security and privacy for things like end-to-end strong encryption. It’s a debate that shouldn’t actually be concluded. Sure, policy decisions need to be made, but we shouldn’t assume those policies reflect a conclusion of the debate.
It’s also similar to the encryption debate in that high-quality government agencies and officials that the public can reasonably trust are probably among the most important tools for navigating this risk minefield.
So we have this horrible situation where it’s ‘international chaos’ one way or another. And yet the message we’re hearing from US and German (and other) cyber chiefs is that they are 100 percent sure all these hacks being attributed to ‘sloppy’ Russian hackers really are Russian hackers. And the message from Putin is basically, “that wasn’t us, but if it was, that would be ok and justified.” On top of that, we had the Macron hack take place last year with ‘Alt-Right’ neo-Nazi fingerprints all over it, and that fact is almost entirely ignored and there was never a real attempt to explain it. This situation is an international cyber-tinderbox.
And as a consequence of this environment, we have stories like the one Trend Micro just issued about the US Senate phishing sites, made with 100 percent confidence based on “pattern recognition”. And that conclusion is international news and largely accepted without any meaningful consideration of the possibility that, say, neo-Nazi hacker extraordinaire Andrew ‘weev’ Auernheimer or perhaps another government set up those sites and left a bunch of ‘digital fingerprints’ designed to make it look like a ‘Fancy Bear’ operation. And no recognition that, if this was indeed a ‘Fancy Bear’ operation, it was conspicuously leaving digital fingerprints leading back to previous hacks, making this the latest incident of Russian hackers apparently suddenly getting super sloppy ever since the conflict in Ukraine broke out. Instead, it’s just blanket acceptance of the report, and that means it’s a situation ripe for all sorts of ‘international chaos’. Think about how many different entities probably want to run their own ‘Russian hacker’ false flag operations now.
Who knows, maybe the sudden change in Russian hacker behavior starting in 2014 — where digital infrastructure keeps getting re-used hack after hack, allowing the cybersecurity industry to go on a ‘pattern recognition’ spree — really is a Kremlin operation designed to entice hackers and governments around the world to pretend to be Russian hackers, so that a bunch of false flag operations get exposed and poison the well of ‘Russian hacker’ attribution. That would be an incredibly risky operation, but the rewards could be handsome. And very sneaky.
So let’s consider some basic scenarios:
A. Putin really has ordered a high-profile trollish hacking campaign following the outbreak of the Ukraine conflict as part of a strategy where Russia getting the blame is either seen as desirable or inconsequential. They’re self-implicating for a reason.
B. Putin really has ordered a hacking campaign following the outbreak of the Ukraine conflict and they keep leaving digital evidence because there’s been a degradation in the quality of Russian hacking personnel. And for some reason the issue of reusing compromised digital infrastructure hasn’t been adequately addressed.
C. Putin really has ordered a high-profile trollish hacking campaign following the outbreak of the Ukraine conflict to be carried out by mafia hackers or some other proxies and they keep screwing up and leaving fingerprints. And the Kremlin keeps using them for some reason despite all the screw ups.
D. It really is ‘patriotic hackers’ operating on their own and the Russian government isn’t keen on stopping them despite all the blame they direct back to Russia.
E. One or more third parties, recognizing the opportunity the Ukraine conflict created for pushing a false flag ‘Russian hacker’ campaign, decided to wage such a campaign over the last few years, waging one high-profile hack after another with the full confidence that Western powers and the cybersecurity industry are strongly biased towards attributing hacks to Russian hackers.
F. Some mix of A thru E.
A range of possibilities is a basic element of this hacking situation and it’s almost never acknowledged these days. For any hack. Why isn’t that considered extremely dangerous?
And it’s entirely possible that we’re seeing a situation where Putin is laying a trap based on the observation that the cybersecurity industry appears to be ready and willing to build 100 percent attribution narratives for public consumption for hire:
1. Have Russian hackers carry out a conspicuous wave of hacks filled with digital evidence that points back to Russia but could easily be planted.
2. Infuriate Western governments that know it’s Russian hackers because they have means of detection that can’t be publicly revealed. Like super-secret NSA/5‑Eyes evidence.
3. The cybersecurity industry basically offers to create a narrative ‘proving’ Russia did it using a shoddily constructed case based on guesswork and a refusal to accept the possibility of false flag hacks. And we effectively have to take their word for much of this. This is seen as acceptable in order to not allow Russia to get away with its flagrant hacking campaign.
4. Eventually the shoddiness of that attribution method is revealed and used to discredit past and present attributions against Russia. Putin smiles.
Might that explain the sudden sloppy aggressiveness of ‘Russian hackers’ over the past few years? Who knows, but something very odd is happening with all these ‘Russian hackers’ and there’s virtually no interest in understanding why.
Of course, two very obvious reasons there might be so much resistance to the idea of false flag attacks:
1. The fear that such talk might end up helping President Trump avoid culpability for colluding with Russia during the 2016 campaign
2. The fear that it might help take the heat off Putin in the midst of a Russian trollish hacking campaign targeting Western democracies.
But those aren’t great reasons. Even if Putin really has ordered a high-profile trollish destabilizing hacking campaign, not acknowledging the false flag angle just invites third parties to participate and create more chaos. And while you might be tempted to think, “oh good, all those false flag attacks will get attributed to Putin and this will apply even more international pressure on Russia to [insert demand here],” that’s an insane attitude. What if the false flag is much nastier, like a grid attack? That’s a flirtation with a WWIII-started-by-a-third-party scenario.
And it’s not like introducing the possibility that the DNC server hacks could have involved a false flag third party has to be all that disruptive to the #TrumpRussia investigation. At this point that investigation is filled with so much evidence of the Trump campaign’s active desire to collude with Russia, based on all the other incidents of Russian footsie, that the investigation could go on almost without a hitch even if it was determined that a 400 pound guy in bed (or a neo-Nazi hacker like Andrew Auernheimer sitting in bed) did the DNC hacks alone. The DNC hacks were central to the #TrumpRussia investigation at the beginning of Trump’s term, but this is a year into the investigation. Just look at a sampling of what we’ve learned:
1. Trump is basically a mobbed up celebrity businessman.
2. Donald Trump Jr., Paul Manafort, and Jared Kushner held a meeting in Trump Tower after Rob Goldstone promised him Russian government help in the form of dirt on Hillary. Whether or not they actually colluded with Russia, they certainly wanted to. None other than Steve Bannon reportedly called this “treasonous” behavior.
3. Trump’s campaign foreign advisor, George Papadopoulos, told Australia’s top diplomat in the UK that the Russians told him they had thousands of Hillary Clinton’s emails.
4. GOP financier Peter Smith ran an operation to find Hillary’s hacked emails. They admit they were fine if they came from Russian government hackers. Much of the Trump team was reportedly involved — Steve Bannon, Kellyanne Conway, Sam Clovis, and Michael Flynn.
6. Peter Smith’s email-hunting expedition also inquired with “Guccifer 2.0” about who might know how to contact hackers on the Dark Web with Hillary Clinton’s emails. Guccifer 2.0 told Smith’s team that they should contact Andrew Auernheimer.
7. Barbara Ledeen, wife of Michael — who was the co-author of a book on foreign policy with Michael Flynn — started her own Dark Web expedition with Newt Gingrich in 2015 hunting for Hillary’s emails.
8. All the other crazy crap Michael Flynn did.
9. All of Trump’s blatant obstruction of justice already known to the public. Even if he’s innocent of everything else, he’s still pretty clearly guilty of obstruction of justice. He talks about it.
10. Paul Manafort is super shady. And may have been involved in the Ukraine sniper attacks according to his daughter’s hacked text messages.
11. Felix Sater’s Russian Mobster/FBI/CIA informant past. A past Trump claimed to not know about.
12. Felix Sater and Trump Org attorney Michael Cohen tried to contact the Kremlin for a Trump Tower Moscow deal during the campaign.
13. Cambridge Analytica is owned by SCL. SCL employed military-grade psychological warfare specialists for managing big opinion-changing campaigns targeting nations. And they’ve psychologically profiled most of the US.
14. Donald Trump, Jr. and Julian Assange were chatting with each other over Twitter’s direct messaging system during the campaign.
16. The Russian ‘troll farm’ Internet Research Agency had its own weird social media campaigns. This wasn’t remotely as big or significant as the Trump campaign’s social media presence, and a lot of the troll farm’s activity appeared to be experiments in seeing if they can initiate real-world action through social media enticement, but it’s certainly worth investigating. Especially since it’s entirely possible someone other than the Kremlin hired their services. Although if it was someone like Paul Manafort hiring their services for a dirty tricks team for the Trump campaign that would presumably be done with Putin’s approval since that’s pretty sensitive and the Internet Research Agency is a close ally of Putin.
17. US intelligence officials acknowledged back in July of 2016, a week after the big DNC email batch was leaked by Wikileaks, that the hack was significantly less sophisticated and sloppier than previous Russian government hacks. And the hackers left Cyrillic character data on the hacked DNC servers. Intelligence sources acknowledge that the attribution was based on deduction and not hard technical evidence, and deduced the sloppiness was intentional trollish signalling meant to show it was Russia. And if that’s true, when you factor in all the footsie Kremlin operatives (or people posing as Kremlin operatives) were playing with the Trump campaign during the time of this unusually sloppy hack, it suggests the Kremlin could have been trying to get caught and have their ties with the Trump campaign exposed in the subsequent investigation. And that’s a somewhat hilarious scenario that could help with de-escalating US/Russian tensions.
18. The final conclusive attribution by the US intelligence community that Putin ordered the DNC hacks was based on an intelligence source deep within the Kremlin who claimed Putin ordered the attacks and not the “pattern recognition” analysis by CrowdStrike or other cybersecurity companies. So, assuming you believe this Kremlin source, it’s not as if standing behind the “pattern recognition” methodology is critical to any case against the Trump campaign anyway.
19. Trump might be insane.
And that’s just a sampling of the revelations that are now available for any investigators into Trump’s fitness for office.
So when you look at the full scope of all the evidence made public so far of the Trump campaign’s willingness and desire to collude with the Russian government, whether or not Russia carried out the DNC hack is almost beside the point at this point. All the footsie the Trump campaign and Trump organization was playing with apparent Kremlin operatives throughout the campaign — George Papadopoulos, Felix Sater and Michael Cohen, the Trump Tower meeting — opens up the potential for blackmail anyway, with or without Russian government hackers being behind the DNC server hack. And the mobster-ish past of Trump and so many figures in his orbit is all the more reason to worry about things like blackmail. Who actually hacked the DNC is like an interesting side note when put in the broader context of whether or not Trump is fit for office.
And that creates a marvelous potential opening for addressing two critical goals the US should have at this point:
1. De-escalating the situation with Russia. De-escalation of US-Russian tensions really should be a priority even if you’re pissed at Putin over the 2016 election meddling. The longer there’s this cyber-standoff/trolling situation between the US and Russia the more time there is for third party false flag attacks or things spiralling out of control. Especially with Trump in place. The strategy of ratcheting up international pressure on Russia until some ‘Russian Spring’ happens is high risk and could result in a Russian ultra-nationalist far more dangerous than Putin replacing him. That would be a catastrophe. A ‘Russian-Reset’ based on collective marveling at the corruption of Trump and the GOP would be a much better response.
And...
2. Addressing the “international chaos” risks that a “pattern recognition” standard of cyber attribution techniques introduces into world affairs. These techniques are vulnerable to spoofing and incentivize false flags. If an agency like the NSA wants to declare that it knows something using its superior knowledge, that’s one thing. But granting credibility to random cybersecurity firms using “pattern recognition” techniques for attribution in cases like nation-state-on-nation-state hacking is wildly dangerous. Don’t forget that the approach to stopping hacks advocated by Dmitri Alperovitch — that publicly naming and shaming the hacker is key to defense — doesn’t necessarily dissuade hackers. It might just make them more intent on pretending to be someone else.
So what’s the opening the US should make to address these twin goals? The US should openly entertain the possibility that some of these high-profile Russian hacks might actually be false flags. Just get that idea out there so the public isn’t lulled into thinking “pattern recognition” is really the kind of gold standard we should accept for nation-state-on-nation-state hacking attributions. At the same time, the US should simultaneously suggest that, if these hacks are indeed ordered by the Russian government, running a high-profile self-implicating hacking campaign — a hacking campaign that’s seemingly designed to raise questions about whether or not it’s a false flag attack because it’s so over the top — is incredibly dangerous and irresponsible and a recipe for international chaos. If Putin actually ordered the years-long self-incriminating hacking campaign we’ve seen from Russian hackers since the outbreak of the conflict in Ukraine in 2014, that is simultaneously kind of clever and wildly irresponsible. And stupid. Because now any random hacker can frame Russia for all sorts of hacks against all sorts of countries and interests. All they’d have to do is run a sloppy, seemingly intentionally self-incriminating hacking campaign intended to trigger a “pattern recognition” match with previous ‘Russian hacks’. And while Putin and the Russian government could have determined that getting framed for hacks like, say, the Macron election hack are acceptable, what about an attack blamed on Russia that takes a Western power’s power grid down? Or an attack that triggers a nuclear meltdown? That might not be the kind of thing you want to get framed for even if you’re a nuclear power. If Putin really did launch the kind of hacking campaign we’ve seen since 2014, that was a desperate and dangerous move that really does risk triggering “international chaos” and he needs to stop.
Why can’t the US make that argument without feeling like some sort of major concession was made that helps Putin? It’s an argument that raises the degree of the crime if the Kremlin really is behind this high-profile “I’m a Russian hacker!” campaign by making it clear to the world that this is creating a real risk to the world. And it’s an argument that also makes it clear to the Russian people that it’s incredibly dangerous to them if the Kremlin is really doing this. Do the Russian people want a neo-Nazi elite hacker like Andrew ‘weev’ Auernheimer framing them for something a lot more horrific than hacked political emails? That seems like a massive national risk.
And the above argument helps head off the risk to the world presented by vulnerable cyber attribution standards too. Don’t forget, the US intelligence community’s conclusion that Putin was behind the hacks was based on intelligence from a single source deep within the Kremlin who claimed Putin ordered the attacks and was not based on the “pattern recognition” analysis by CrowdStrike or other cybersecurity companies. Not the initial pattern recognition guesswork, because that was inconclusive even though it led to the initial hunch that Russia was behind it. Also don’t forget that there are a lot more high-profile hacks attributed to the Russians in recent years, so acknowledging the possibility that some of these hacks could be false flags doesn’t solely raise this question about the DNC hack. What about the ‘Alt-Right’ fingerprints all over the Macron hack? Aren’t people interested in resolving that mystery? And if a bunch of ‘Alt-Right’ neo-Nazis turned out to be behind the DNC hack instead of the Kremlin, is that somehow good news for Trump and the GOP? Even if a 400 pound hacker in bed did the DNC hack there’s still all the evidence of the Trump campaign’s desire to collude with the Russians and the subsequent blatant obstruction of justice.
Don’t forget that impeaching Trump is a political decision in the end, and not a criminal one. Even if raising the possibility of a non-Kremlin source behind the DNC hack complicated the Robert Mueller investigation’s ability to bring a criminal charge in relation to the election hack, it’s not like that criminal charge is a deciding factor for impeachment purposes. That’s a political choice. What if the Trump campaign and the GOP arranged for their own ‘Russian hackers’? Or perhaps a bunch of ‘Alt-Right’ hackers the Trump team had extensive contact with were behind the DNC hack and the Macron hacks? Those kinds of scenarios wouldn’t exactly help their case against impeachment, would they? Is it politically acceptable to collude with ‘Alt-Right’ hackers now?
Impeaching Trump is also an act fraught with great peril and probably shouldn’t be considered the top priority for Democrats. Mike Pence could bring a level of competency to the White House that could be far more damaging than Trump’s daily whirlwind of chaotic corruption. And even if Mike Pence is impeached, next in line is the Koch-puppet House Speaker Paul Ryan. There isn’t really a ‘happy ending’ impeachment scenario here. If Trump gets impeached, a huge chunk of the American conservative base is going to go more insane and develop an even more malignant grievance complex, and that psychological wound will be nursed for decades. So is it worth impeaching the blatantly crazy fascist who might blow up the world only to have him replaced by a far more competent fascist? Both scenarios feel like existential risks. In other words, even if you could impeach Trump tomorrow over the Russian hacking and replace his dangerous chaos with a President Pence or Ryan, are you sure you want to do that? Super sure? It’s another example of a contemporary catastrophic ‘no-win’ situation. A classical non-technological ‘no-win’ situation: do we try to replace an unpredictable extreme danger with a more predictable extreme danger? Who knows. And that ambiguity over whether or not impeaching Trump is even a desirable scenario is another reason not to fear letting Trump ‘off the hook’ by acknowledging the possibility that these hacks being attributed to Russia might include false flags.
Given all the catastrophic no-win situations swirling around this issue of cyber attribution, how is a society to proceed? Well, here’s something to keep in mind: the future of hacking attribution is probably going to depend on the credibility of the authority making the attribution, since authoritative attribution will probably depend on information that can’t be publicly revealed. That’s basically the situation today, where an agency like the NSA is often left to make the final ‘call’ on attribution. But we could become more reliant on trusting an authority with access to secret information in the future, especially if we acknowledge the reality of false flags, and that’s going to raise the question of whether or not that authority can be trusted. And in a world of false flag cybercrimes at a nation-state level, that adds one more reason to have a very credible government. And how do we get credible governments? By creating societies that seem really nice and run by people that seem very unlikely to engage in malicious false accusations. Being really, really, really nice and non-aggressive could be a key element of national cyber-defense in the future, because the country with the most credibility could end up with the final word in the court of public opinion. And the court of public opinion matters in the realm of international cyber warfare.
Look at it this way: the catastrophic no-win situations around cyber attacks and attribution make having a high-quality, trustworthy government with a formidable intelligence capacity whose word is respected around the globe a national security priority. And the only way to realistically accomplish that feat is for a society to develop a track record of actually being really nice and compassionate and trustworthy and not aggressively ambitious. Sure, on one level this is utopian thinking. But when you think about the array of new technologies that will allow for devastating attacks that could be carried out without clear attribution — false flag biowarfare, false flag nuclear attacks, false flag assassin drone attacks, false flag [insert technological horror show here] — it’s hard to see why false flag attacks aren’t going to be a popular mode for waging both warfare and terrorism, and that all makes having a really well-respected society all the more important in the future. Good! It’s one more reason for building good, decent societies populated by honorable and trustworthy individuals. How do we accomplish that? Good question! Let’s figure that out. It probably involves a nation carrying out the dual focus of being really decent to its citizens while constantly trying to make the world at large a better place for nation. Which is something that shouldn’t be considered utopian thinking and instead should be seen as a basic survival strategy for a high-tech future. Plus, it’s not like this is the only technological nightmare situation that calls for a dedication to very good, trustworthy societies and governments.
And there’s one key aspect to being a well-liked, trustworthy nation with the kind of international credibility to make an attribution that will be believed, and it’s an ironic one: the capacity to ‘turn the other cheek’ and not respond in kind after an attack even after a public attribution is made. Yep, shaming the blamed attacker while simultaneously de-escalating the situation even after an attribution is made could be a great way for a society to build up ‘attribution cred’. And it might actually avoid situations spiraling out of control. Because if we apply the ‘mutually assured destruction’ mode of dissuading attacks that’s been successfully employed with nuclear strikes to future technologies where attribution is far more difficult than a nuclear strike, we’re just asking for third parties to pick fights between nations with false flag attacks. Don’t forget that a third party could conceivably wage a false flag attack and a false flag counter-attack. That’s the kind of craziness that’s going to be unleashed by technology that potentially enables individuals to carry out devastating non-attributable attacks. That’s the future. The ‘400 pound hacker in his bed’ really might start WWIII in the future. And WWIV after that. So our future had better involve quite a bit of ‘turning the other cheek’ if it’s going to avoid being a smoldering future. Utopian thinking might be a basic survival strategy going forward.
And if ‘being a really, really nice and trustworthy country’ feels like a high-risk solution for how to address the threat of technological false flags, don’t forget: international chaos. That’s the future we invite when technological false flags and mutually assured destruction are the norm. So when you read stories about cyber attributions being made with near certainty in these high-profile hacks based on circumstantial evidence and guesswork, keep in mind that the only thing you should be 100 percent certain about is that this level of certainty is a really bad idea for a lot of reasons.
@Pterrafractyl–
Conspicuous in its glaring absence from this story is the fact that the CIA’s cyber-weaponry is specifically designed to mimic Russian cyber-espionage and warfare software.
Best,
Dave Emory
@Dave: Lol, yeah, the cybersecurity industry isn’t super keen on talking about that. But in terms of the CIA’s hacking tools specifically set up to mimic a Russian hacking operation, part of what makes that angle so interesting in this story is how the ‘Russian hackers’ — hacks attributed to the Russian government — appear to have suddenly changed their behavior after the outbreak of the conflict in Ukraine in 2014, and the big “Vault 7” batch of CIA hacking tools the Shadow Brokers developed released had files that were from no later than 2013.
So one of a number of questions that need to be answered about the CIA’s Russian-mimicking hacking tools is whether or not the kind of ‘Russian hacker’ fingerprints it leaves are more closely mimicking the behavior attributed to ‘Russian hackers’ before or after the change in Russian hacking behavior that started after the 2014 Ukraine crisis. Because if the CIA hacking tools from 2013 mimicked more closely the ‘Russian hacker’ behavior starting in 2014, that would be quite something.
And based on the pattern recognition methodology the cybersecurity industry has adopted, there are all sorts of ways a hacking tool might leave a Russian hacker digital fingerprint. Maybe it simply does graffiti-like acts like inserting Cyrillic characters into the ‘digital fingerprints’ left behind? Or perhaps there’s something more specific like leaving trails back to digital infrastructure previously attributed to Russia (previously attributed malware, IP bands, etc)? That’s unclear because there hasn’t really been much detailed reporting on how that ‘Russian hacker’ CIA tool set operates.
But there has been some reporting on the tool kit. Leonid Bershidsky had a piece in Bloomberg shortly after the Vault 7 release that contained a bit on the tools used to impersonate a foreign intelligence service, and it sounds like the mimicry tools largely involved leaving foreign languages in the malware and a library of malware that is either publicly available or previously attributed to foreign intelligence services. Bershidsky goes on to suggest that this wouldn’t really be an adequate set of tools required to really pull off a false flag hack because the cybersecurity industry wouldn’t accept such low standards, which is kind of funny because the above OP was about how the industry just might accept such low standards. He then points to how the DNC hack attribution was based on the use of specific command and control servers known to be used by Russian intelligence and suggests that this is the kind of higher standard used for serious attribution (this is the same command and control server that was later revealed to be publicly known since 2015 and vulnerable to the Heartbleed attack). So it sounds like, at a minimum, the Vault 7 hacking tools would facilitate some of the more overt “I’m a Russian hacker” digital graffiti:
“The obfuscation story is similarly unimpressive. The Wikileaks cache contains a manual for CIA hackers on making their malware harder to trace, for example, by adding foreign languages. Wikileaks also said that the CIA “collects and maintains a substantial library of attack techniques ‘stolen’ from malware produced in other states including the Russian Federation.” The library, however, contains all sorts of publicly available malware, as well as samples tentatively attributed to foreign intelligence services; all that does is confirm that hackers, including CIA ones, aren’t picky about the origins of the products they use. The important thing is that the malware should work.”
A manual recommending foreign languages and a library of previously attributed malware. That’s at least part of what’s in Vault 7’s toolkit for identity obfuscation.
And as Bershidsky ironically puts it, “This shouldn’t affect serious attempts to attribute hacker attacks.” And he’s correct that it shouldn’t affect serious attempts to attribute hacker attacks. But these kinds of ‘clues’ clearly do affect serious attempts at attribution, because we’ve seen such ‘clues’ pointed to as evidence over and over since the advent of these high-profile hacks:
So it will be interesting to see if there are more detailed reports on those capabilities somewhere and how many of them were obvious things lots of hackers must know, like “insert foreign language and reuse malware”, and how many were novel techniques. It certainly seems like a topical set of questions. Especially now that this toolkit is ‘in the wild’.
Uh oh: It looks like the potential consequence of incorrect cyber attribution just went thermonuclear. And not metaphorically ‘thermonuclear’. The consequences could literally be thermonuclear in nature: The Pentagon has reportedly sent a nuclear strategy to President Trump for approval that would permit the use of nuclear weapons in response to a wide range of non-nuclear attacks on American infrastructure, including devastating cyber attacks:
“For decades, American presidents have threatened “first use” of nuclear weapons against enemies in only very narrow and limited circumstances, such as in response to the use of biological weapons against the United States. But the new document is the first to expand that to include attempts to destroy wide-reaching infrastructure, like a country’s power grid or communications, that would be most vulnerable to cyberweapons.”
So America’s nuclear trigger-finger is about to get a lot ‘itchier’. And that’s going to happen by defining down what constitutes “extreme circumstance” to include paralyzing attacks on things like the power grid, cellphone networks and the internet, and that’s why a big cyber attack just might get a nuclear response: if you want to take down the power grid, cellphone networks and the internet, you’ll probably want to use a cyber attack:
““So if cyber can cause physical malfunction of major infrastructure resulting in deaths,” Ms. Schake said, the Pentagon has now found a way “to establish a deterrent dynamic.””
Yes, the Pentagon has indeed found a “deterrent dynamic.” A deterrent dynamic that makes false flag cyber attacks even more tempting than ever before. Yay.
And this change in nuclear policy is coming at the same time the US is poised to embrace small, low-yield nukes. And the threat from Russia is being framed as the key driver for this new policy:
“If adopted, he added, the new policy “will make nuclear war a lot more likely.””
Yep, in addition to adopting a policy that encourages false flag cyber attacks that can cause your adversaries to nuke each other, the US is set to move full steam ahead on low-yield nukes that will obviously make the use of nuclear weapons a lot more likely.
But perhaps the most chilling part of this report is the particular Russian nuclear weapon that the Pentagon was focused on: a nuclear torpedo that could travel hundreds of miles and make a coastline uninhabitable:
“News stories have reported the possible existence of such a weapon since at least 2015, but the document’s reference appears to be the first time the federal government has confirmed its existence. The long-range torpedo with a monster warhead is apparently meant to shower coastal regions with deadly radioactivity, leaving cities uninhabitable.”
Get ready for the upcoming nuclear torpedo arms race. You have to wonder if that kind of technology is going to make a submarine-based false flag nuclear attack more feasible. Because nuclear armed bombers or ICBMs are probably pretty easy to attribute to a specific enemy, sub attacks are potentially more difficult to attribute if you can’t determine who actually launched it. So a very long-range nuclear torpedo seems like the kind of technology that could be launched in secret by all sorts of different interests in the future if they can get their hands on one — Russia, China, North Korea, Jihadists, the Underground Reich, a crazy billionaire who happens to own a private sub with nuclear torpedo launching capabilities — and it’s not clear a country could determine who launched it. So that’s rather disturbing. Especially since the disturbing nature of this technology is apparently going to be used to spark a nuclear arms race with Russia.
And it gets more disturbing. Much, much more disturbing. According to a new report on the GOP’s concerns over their political prospects in the 2018 mid-term elections, President Trump isn’t so concerned. Why? Because he apparently has been telling people in the White House that he doesn’t think the 2018 election has to be as bad as others are predicting. And then he references how the GOP did better in the 2002 midterms following the Sept. 11 terrorist attacks. *gulp*:
“In private conversations, Trump has told advisers that he doesn’t think the 2018 election has to be as bad as others are predicting. He has referenced the 2002 midterms, when George W. Bush and Republicans fared better after the Sept. 11 terrorist attacks, these people said.”
Uhh...it sure sounds like President Trump is betting on a massive attack. In 2018. And he seems to be looking forward to this.
So if you’re the type of person who thrives on living every day like it’s your last day on Earth, this should be a good year for you. At least until it really is your last day. The rest of the year won’t be very good for you after that.
@Dave: One quick correction: when I stated that the Vault 7 trove of CIA hacking tools only went until 2013, I was mixing that up with the Shadow Brokers NSA toolkit. The dates on the files in the Vault 7 trove went from 2013 to 2016. So that Vault 7 toolkit spans the period before and after the ‘Russian hackers’ started getting super sloppy and leaving “I’m a Russian hacker!” clues following the outbreak of the conflict in Ukraine. That makes the content of things like the library of malware that’s been used by foreign governments to obscure the CIA hackers’ identity potentially quite interesting. For instance, was “X‑Agent” — the malware that was found in the DNC hack that was incorrectly described as exclusively used by ‘Fancy Bear’/APT28 — part of that malware library?
Along those lines, check out this fascinating story related to the ‘X‑Agent’ malware and who it may have originated with: Remember when “Hacking Team” — the private Italian ‘lawful hacking group’ that’s hired by governments around the world — got hacked and had its toolkit released back in July of 2015? Well, guess what: It appears that X‑Agent was part of Hacking Team’s toolkit that was released to the world in July of 2015:
“Interestingly, Patrick Wardle, Director of Research at Synack, had another interesting revelation about this malware. He shows quite convincingly that the Sofacy Group used code copied from the Hacking Team. (Hacking Team is the creator of the Remote Control System backdoor, which it sells to governments and law enforcement, among other organizations.)”
So, uh, wow! X‑Agent, one of the pieces of malware that was seen as a key “digital fingerprint” in the DNC hack of 2016 pointing back to APT28, was in the July 2017 release of “Hacking Team’s” unit? That’s quite something.
And just to get a taste of how the presence of X‑Agent was used by CrowdStrike to attribute the DNC hack to ‘Fancy Bear’, here’s the opening paragraph of CrowdStrike’s December 2016 report that tried to use X‑Agent to erroneously claim that ‘Fancy Bear’ created malware used to infect the smartphones of Ukrainian artillery troops so they could be located and neutralized:
“Also known as Sofacy, X‑Agent has been tracked by the security community for almost a decade, CrowdStrike associates the use of X‑Agent with an actor we call FANCY BEAR. This actor to date is the exclusive operator of the malware”
Jeffrey Carr did a great take down of why that CrowdStrike ‘attribution’ was bogus. It was bogus for a lot of reasons, and one of those included the fact that X‑Agent is already ‘in the wild’.
Here’s something else to keep in mind: The security analyst who discovered that the X‑Agent code appears to be extremely similar to the leaked Hacking Team code and concludes that X‑Agent did indeed come from the Hacking Team leak also notes in their post [it’s very technical] that there’s the question of whether or not ‘Fancy Bear’ created X‑Agent based on the Hacking Team leak or whether the Russian government simply purchased the malware from Hacking Team, since Hacking Team reportedly sold its services and tools to the Russian government. And while either of those is a possibility, we can’t forget that Hacking Team sold its malware to governments around the world:
“It’s now known that Hacking Team was selling to a vast number of governments, including Sudan, Saudi Arabia, UAE, Bahrain, Morocco and Egypt. The US is also a customer via the FBI, the military and the Drug Enforcement Agency.”
So we have companies like CrowdStrike treating X‑Agent as uniquely used by the Russian government, a tool that appears to be part of the Hacking Team toolkit that they were selling to governments around the world. Talk about being ‘in the wild’.
And notice how the FBI, the US military, and the DEA are all Hacking Team customers. That would make the absence of something like X‑Agent in Vault 7 kind of surprising. It seems like it would be a great piece of malware for obscuring your identity, given that Hacking Team has probably been selling it to clients for years.
With the “March for our Lives” march in DC, held in response to the Parkland, FL, shooting at Marjory Stoneman Douglas High School by Nikolas Cruz, a neo-Nazi-inspired former student, turning into a major political event, it’s worth asking what it was about the shooting in Parkland that elicited such an exceptionally strong response. And it’s hard to avoid the conclusion that the “law of truly large numbers” played a role: the statistical adage that even improbable events will happen given a large enough sample size. In the case of the US, if a country has one school shooting after another after another, at some point that “sample” of shot-up schools will include a school with a number of exceptionally articulate students who have the charisma necessary to shift the debate and change the public conversation. In other words, the students of Marjory Stoneman Douglas were an inevitability, thanks to the law of truly large numbers and the shockingly large number of school shootings America regularly experiences.
So given that a plucky band of teenagers has shifted the conversation around gun regulations (or the lack thereof) in the US and led a mass march, perhaps it’s worth noting that the gun debate in the US has a number of eerie parallels with another life-and-death topic that impacts not just the US but the entire world: the logic of mutually assured destruction, and the flaws in that logic that continue to threaten life on Earth.
Yes, guns and nuclear weapons are pretty much at opposite ends of the ‘tools for violence’ spectrum, but it’s hard to ignore the fact that the arguments used by the most rabid gun proponents from groups like the NRA, arguments like ‘a well-armed society is a polite society’, have a lot in common with the mutually assured destruction (MAD) logic behind the nuclear arms race that continues to this day.
And tragically, the perils of mutually assured destruction have become perilously topical now that President Trump has chosen the uber-war hawk John Bolton, a man who never met a preemptive military strike he didn’t like, to be his national security advisor. When John Bolton is the lead guy advising the president of the United States on national security matters, you can be assured that mutually assured destruction is a lot more likely to actually happen. Or, if not an exchange of nukes, some sort of horrible conventional war, which is itself a form of mutually assured destruction when it’s a war between military powers.
And it’s the concern over someone like John Bolton pushing the US into a major conflict that highlights the fact that, as the following article notes, the logic of mutually assured destruction with weapons of mass destruction is filled with self-destructive paradoxes that undermine that logic: self-destabilizing dynamics like the way the need to assure a nuclear second-strike capability inherently leads to an arms race that threatens that second-strike capability. Analogously, the logic behind ‘more guns = fewer shootings’ is undermined both by the fact that more guns also clearly create the opportunity for more shootings (especially by suicidal people who don’t care about return fire) and by the observation that the US has a gun-death epidemic not seen in countries with stronger gun regulations.
In other words, for both nukes and guns, there is indeed a logic that says ‘more is more’, i.e. more nukes/guns lead to greater overall safety. But there is simultaneously logic that tells us ‘more is less’ (more guns/nukes make everyone less safe by creating an endless arms race), ‘less is less’ (fewer guns/nukes make everyone less safe by encouraging aggressors), and ‘less is more’ (fewer guns/nukes make everyone safer). All four of these logical conclusions co-exist simultaneously. It’s a genuine paradox.
And as the article also notes, we are increasingly living in a world governed by paradoxes, and overcoming these paradoxes can only happen when we both acknowledge that they exist and accept that the ‘less is more’ logic really is the only sustainable dynamic that can work in the long run. There’s no risk-free path forward for humanity when it comes to how we collectively ‘keep the peace’, whether at the interpersonal or the international level. An endless arms race carries obvious risks for humanity. But so does mass disarmament, simply because one or more parties might suddenly arm themselves and take over or just wipe their adversaries out. ‘More is more’ and ‘less is more’. Paradoxically.
But that doesn’t mean the very different paths forward inherent in that paradox carry equal risks, especially when you consider the kinds of scenarios that become ever more likely once you factor in the ‘law of truly large numbers’ and highly improbable events becoming just a matter of time. So we need to deal with the paradox inherent in both guns and weapons of mass destruction by asking ourselves which highly improbable events we want to risk. For guns in the US, where ‘defending against a tyrannical government’ is often used as a justification for civilians owning military-grade weapons: do we want to continue flooding the US with weapons, which guarantees a steady rate of gun deaths, and risk an armed civil conflict or an insurrection by heavily armed reactionary forces? Because that’s the risk being courted by current gun policies. Or is it better to dramatically reduce or eliminate civilian access to guns and run the risk that some future tyrannical government will subjugate the populace? Part of dealing with the paradoxes inherent in the gun debate is asking which of those risks is the bigger one.
Similarly, for weapons of mass destruction, which risk is greater: the risk that mutually assured destruction actually happens if humanity continues down the path of this endless arms race of ever more powerful offensive and defensive capabilities? Or is it a greater risk for countries to collectively ban weapons of mass destruction, risking the possibility of a rogue actor obtaining them and effectively blackmailing the world? Which of those risks does humanity want to court?
These are the kinds of paradoxes that humanity increasingly has to deal with as technology injects more and more destructive capacity into societies and into global geopolitical realities. And if humanity is going to survive this age of ‘rule by paradox’ we’re going to have to come to grips with the fact that these paradoxes exist and that the ‘less is more’ logic really is the lowest-risk approach in the long run, whether we’re talking about guns or nukes:
“Unfortunately, MAD was not the only paradox that enveloped nuclear weapons.”
It is indeed unfortunate. The paradoxes of mutually assured destruction, where the necessity of assuring destruction leads to an endless arms race, aren’t the only paradoxes associated with nuclear weapons. There are also the paradoxes associated with not having doomsday weapons. And these paradoxes are mutually justifying: the risks of world peace are used to justify global militarization and vice versa. It’s a fascinating moral conundrum that could destroy us all if mishandled:
We need nukes because if we don’t have them we’ll be helpless against nuclear blackmail. But once one nation has nukes, every other one is going to want them, and there will be an endless arms race that can only end in doom. It’s a grim nest of intertwined paradoxes that happens to be a major test for humanity.
And as the article noted at the end, recognizing these nested, mutually-justifying
The ability to recognize situations where Less is More and collectively give up access to a technology might be a basic ingredient for surviving technology. And acquiring that ability requires that humanity collectively acknowledge such paradoxes exist. But at that point we have to make a choice. A fateful choice, because these paradoxes point in VERY different directions. Peace through endless arms races? Or peace through endless mutual commitments to peace and the mutual reduction in the tools of violence available to everyone, coupled with creating the kind of world where only the insane would feel the need to resort to violence? Build a great world or build a lot of bombs and guns. That’s one of the fundamental questions at the heart of the guns and nukes policy debates. It’s the same nest of paradoxes.
And as the article suggests, when you look at all the ways ‘more (tools of mass violence) is more (peace and prosperity)’ breaks down, it’s hard to avoid the conclusion that ‘less (tools of mass violence) is more (peace and prosperity)’ is clearly the best path forward. Yes, it’s not a perfect path. There are still risks associated with mutual disarmament. But they are preferable risks compared to the alternative, whether it’s nukes or guns.
Yes, mutually assured destruction has ‘kept the WMD peace’ so far. The US and the Soviets didn’t nuke each other. But let’s not forget that there have been quite a few near misses over the decades, where simple mistakes and human error almost led to a full-scale nuclear exchange. That really almost happened. Repeatedly. How’s that kind of dynamic going to turn out when the ‘law of truly large numbers’ takes effect?
And as the United States, which owns 40 percent of the world’s guns, has amply demonstrated to the world on the gun issue, more guns have most assuredly resulted in more deaths. It’s been mutually assured destruction on an interpersonal scale, and the result has been a lot of destruction:
So, with that parallel paradox between guns and weapons of mass destruction in mind, it’s worth noting that the kind of focus the US suddenly has on the gun issue really needs to happen on the WMD issue too. They’re part of the same meta-issue of how we deal with our capacity for violence. It’s ‘the talk’ for a society with free will. And that talk needs to collectively happen for both guns and nukes because as the following article describes, there is growing concern in the national security sector that the paradoxical logic of mutually assured destruction that has kind of kept the peace in the nuclear age is about to fall apart.
What’s breaking the logic of MADness? Well, that has to do with the fact that the doctrine of mutually assured destruction has long co-existed with the goal of individual nuclear powers to achieve nuclear dominance, i.e. the capability to carry out a nuclear strike without fear of reprisal. Or the capability of simply stopping a lone missile from a rogue regime. Those kinds of defensive capabilities, which inevitably disrupt the logic of MADness, appear to have reached the point where it’s very possible that mutually assured destruction might not be mutually assured in the future.
Thanks to emerging technologies (functional missile defense; the Conventional Prompt Global Strike program, a US initiative to develop missiles tipped with conventional weapons designed to take down nuclear facilities anywhere in the world in under an hour; and cyber capabilities that incapacitate or take over the command-and-control infrastructure of adversaries) it’s going to be feasible for a nuclear power to cripple an adversary’s second-strike capabilities. And if an adversary can’t guarantee a retaliatory second strike, there’s no longer any mutual assurance of destruction. And when there’s no mutually assured destruction, the law of truly large numbers starts getting very scary in a heavily armed world. Effective nuclear defenses make the use of nukes more and more likely. It’s a reminder that one of the greatest risks of relying on mutually assured destruction to avoid mutual destruction is that those mutual assurances can’t necessarily be assured, which is why MADness in a world where nuclear dominance is also a goal is truly madness in the long run:
“So far, the best argument for nuclear weapons has been that the fear of mutually assured destruction (MAD) has deterred states that possess them from going to war with each other. MAD rests on the principle of a secure second-strike capability, which means that even if one side is subjected to the most wide-ranging first strike conceivable, it will still have more than enough nuclear weapons left to destroy the aggressor. When warheads became accurate enough to obliterate most of an adversary’s missiles in their silos, America and Russia turned to submarines and mobile launchers to keep MAD viable.”
The entire premise of MAD rests on the principle of a secure second-strike capability. And yet there’s no reason to assume that second-strike capability can be assured, because there is no assurance that a technology that subverts it won’t be developed. Especially when the major nuclear powers are constantly working on developing exactly those capabilities. Capabilities that increasingly include cyber attacks taking over command-and-control systems, thanks to the increasing digitisation of the systems that control nuclear arsenals:
And this risk of cyber attacks is so great that the Defence Science Board advised the Pentagon in 2013 that “The benefits to an attacker using cyber exploits are potentially spectacular,” potentially including the possibility of turning a nation’s nuclear arsenal against itself:
And, of course, this 2013 study also recognized the possibility that these cyber vulnerabilities could be exploited by a third party as part of a false flag attack. Imagine a false flag cyber attack in which a nation’s nuclear forces are turned against itself. Or against another nation. That’s the kind of situation we have to worry about. Increasingly:
But it’s not just the risk of cyber attacks that has some national security experts increasingly concerned that the balance of MADness might be breaking down. Capabilities like the conventional prompt global strike (CPGS) program don’t just threaten rogue regimes like North Korea. They also potentially threaten the second-strike capabilities of nations with large nuclear forces like Russia and China:
And if that capability to rapidly take out nuclear launch sites fails, the technology to take out even waves of ICBMs after they’re launched is also improving:
And yet, as the article concludes, as much as the situation appears to point towards increasing destabilization of the current MAD status quo, there is one very obvious answer: arms-control treaties designed to break the arms race cycle. And if arms-control treaties could be reached at the height of the Cold War, surely it should be possible today:
Arms control to end the otherwise endless arms race. It’s pretty much the only answer. Less is more. At least, arms-control treaties are the only realistic answer when it comes to dealing with the arms race.
But as we saw, even if a global arms-control treaty was miraculously established and the nuclear arms race that threatens the stability of mutually assured destruction was ended, and even if the major nuclear powers miraculously agreed not to develop capabilities like the conventional prompt global strike system or advanced missile defense (systems whose existence is hard to keep secret), there’s still the possibility that nations will secretly develop the cyber capabilities to neutralize an adversary’s command-and-control systems. In other words, arms-control treaties are no replacement for disarmament. Yes, arms-control treaties are still clearly a big step in the right direction, but significant risks remain as long as humanity is still pointing a giant collection of nuclear weapons at itself.
And yet we have to acknowledge that even if all of the nuclear powers agreed to completely disarm themselves there’s no guarantee everyone will agree to abide by it. Especially rogue governments or private parties. The Underground Reich and other terror groups would presumably like a nuclear arsenal of their own. Disarmament doesn’t preclude rearmament. Or secret arsenals. Or the emergence of future technologies of mass destruction that are unimaginable. In other words, less is potentially less. At least under some worst case scenarios.
It’s also worth considering a world that contains ample nuclear defensive measures paired with a commitment to disarmament. Imagine a world where every nation agrees to both destroy their nuclear arsenals while simultaneously agreeing to build a really, really comprehensive global missile defense system. Literally a globally administered anti-missile system set up just in case someone breaks the treaty. Less is clearly more in that situation. Especially because no arms race makes it a lot harder for rogue actors to develop their own weapons of mass destruction since they’re generally going to be just trying to copy technology developed by others.
But there’s still no denying that missiles aren’t the only way to deliver a nuclear device or some other weapon of mass destruction. As long as the technological know-how to develop nuclear weapons exists, it’s hard to imagine a system that truly guarantees nuclear security. MADness can break down, but so can World Peace. There are no guarantees. Only educated guesses about risk profiles.
So perhaps it’s worth acknowledging that collective disarmament is a form of mutual assurance too. But it’s not a guaranteed assurance, just like mutually assured destruction. No path is perfect, and all of them contain existential risks. It’s a question of which existential risks you want to collectively incur.
Mutually assured destruction just might result in mutual destruction. And mutually assured peace might result in treachery, betrayal, and the takeover of societies committed to non-violence by the kind of people who would use violence to control or destroy the non-violent (i.e. the worst kind of people). Again, it’s part of the paradox. A paradox that extends from guns to nukes and beyond. And a paradox that gets very difficult to wrap your head around when you start factoring in the law of truly large numbers. Improbable things happen. Including improbable catastrophes. There’s no perfect path. And it’s really hard to change paths, and the longer you remain on a path the more the law of truly large numbers comes into play, so you had better choose that path wisely. Mutually assured destruction might blow up the world, and mutually assured peace might result in a takeover by very horrible, violent people.
It’s all a reminder that the gun regulation debate currently gripping the US is inextricably tied to the much larger debate of how on earth we live with that paradox. The ‘more is more’ and ‘more is less’ and ‘less is less’ and ‘less is more’ paradox. A paradox that includes the question of how we are to live with the future super-weapons of mass destruction that haven’t even been conceived of yet. How are we to best protect against that? Create super-duper anti-WMD defense systems?
It’s also a reminder that we don’t just need world peace. We need very well thought out systems for maintaining world peace and keeping EVERYONE satisfied. Everyone, with the exception of inevitable people who are going to try to break the peace for whatever reason.
How do we build sustainable world peace? It’s a question at the heart of both the gun debate and the WMD policy debate. Even if we aren’t asking it, that question really is at the heart of it. Because weapons of mass destruction and guns and all other tools for killing fall into the category of things where, in a better world, we would ask, “shouldn’t these be banned? Yeah, let’s ban these because this is just obscenely dangerous,” and then all happily give up our guns and nukes and demilitarize and sing the Whoville song. In a better world we would have done that by now. But we’re still an extremely violent species. And still extremely unequal and dominating. And often unempathetic and dangerously misinformed. Which is a reminder that setting the collective goal of a society of highly informed citizens, for the purpose of making the world work better for everyone, maximizing global welfare by striving for an awesome existence for everyone, non-violently, is not just some pie-in-the-sky vision of heaven on Earth. It’s also a great policy solution for how humanity is supposed to deal with guns and doomsday weapons and everything in between. Which would probably look a lot like high-quality socialism. Everywhere.
So it’s important to remember that if we’re going to have all these guns and nukes, we had better have a lot of great socialism to go with the guns, along with world peace and prosperity and a global pacifism pact. And eventually global demilitarization, because wouldn’t that be awesome. We can create Starfleet Academy at that point.
Building a better and just world that works for every country and is great for everyone is clearly part of the policy solution for both guns and WMDs for every country. It’s a collective policy solution.
Is humanity capable of that? Who knows? Humanity is still a confused hominid, prone to all sorts of behavior that becomes catastrophically self-destructive when fueled by technology. Technology really is a blessing and a curse for us, in large part because we are very prone towards violence and collective stupidity as a species. And that’s a reminder that the ultimate paradox humanity needs to overcome regarding guns, nukes, violence in general and the risk of self-destruction is the question of whether or not humanity can overcome its own nature. We haven’t figured that out yet.
It’s also all a reminder that one of the fundamental goals of social structures is keeping the peace. Peace is sort of a basic ingredient for a lot of the stuff people generally want to do. And you shouldn’t expect security and ‘keeping the peace’ if the social structure intended to provide them is widely viewed as lacking legitimacy. That’s why a government and society that works for everyone really is critical for violence control. Gun safety at a national level requires progressive politics, inclusivity, a strong safety net, and opportunity for everyone. And nuke safety requires world peace and a commitment to maintaining it. How do we do that? It’s a good question, but high-quality socialism with a progressive, inclusive society is most assuredly a big part of the answer.
And yes, there is a risk that world peace won’t be taken seriously, but it’s also very possible that not taking it seriously is the greatest risk of all. Is humanity capable of overcoming its own violent domineering nature? We’ll see. Plucky bands of charismatic teenagers may be required.
Here’s a pair of articles that should be factored into any hacking stories going forward: Remember Hacking Team, the Italian offensive malware firm that was licensed to sell powerful hacking tools to governments around the world, including a number of oppressive governments in the Middle East? And remember how Hacking Team was, itself, hacked in 2015 and had all of its offensive hacking tools released to the public? And remember the story about a security researcher at Malwarebytes who observed that Hacking Team’s leaked code contained malware with a number of similarities to “X‑Agent”, a piece of malware oddly found in the “Fancy Bear” hack of the DNC (odd because X‑Agent had previously been found in hacks attributed to “Fancy Bear”, making it a kind of ‘calling card’ if used again in a high-profile hack)?
Well, here are a couple of updates on what became of Hacking Team after it got hacked and had all of its source code released: The company did indeed see an exodus of clients, as one might expect. But it didn’t shut down. Instead, it found a new investor. And while the identity of this investor isn’t entirely clear, it’s pretty clear that this mystery investor is the government of Saudi Arabia or someone very close to it:
“The hack hurt the company’s reputation and bottom line: Hacking Team lost customers, was struggling to make new ones, and several key employees left. Three years later—after the appearance of this new investor—the company appears to have stopped the bleeding. The company registered around $1 million in losses in 2015, but bounced back with around $600,000 in profits in 2016.”
Three years after getting hacked and humiliated, Hacking Team has stopped the bleeding and is once again profitable. And that sudden turnaround appears to be largely thanks to mysterious new investors. And while it’s unclear who exactly these mystery investors are, documents do include the name “Abdullah Al-Qahtani” (also spelled “Alghatani” in the documents). And the lawyer for Abdullah Al-Qahtani’s investment firm, the Cyprus-based Tablem Limited, matches the name of a prominent Saudi attorney who regularly works for the Saudi Arabian government and facilitates deals between the government and international companies: Khalid Al-Thebity:
So it appears that Khalid Al-Thebity has been largely identified. But it’s still unclear who Abdullah Al-Qahtani is or where he’s from. Even the owner of Hacking Team, who still owns 80 percent of the firm, claims he doesn’t know the actual identity of Abdullah Al-Qahtani:
That’s right, a major offensive hacking firm sold a 20 percent stake to a mystery investor so mysterious that even the owners of the firm don’t know his real identity. That seems like a security risk, no?
Still, all signs do indicate that Al-Qahtani really is a representative of the Saudi government. Al-Qahtani appears to be the same Al-Qahtani who works for the Al-Qahtani Group, also known as Abdel Hadi Abdullah Al-Qahtani & Sons Co., a Saudi conglomerate. And the phone number listed in Tablem Limited’s public records belongs to another firm, Nobel Trust Limited. So there does appear to be quite a bit of information about Al-Qahtani, just not enough to know who he actually is:
Interestingly, Abdullah Al-Qahtani also shares a surname with H.E. Saud Al-Qahtani, a royal court advisor who specializes in online surveillance. And H.E. Saud Al-Qahtani was known to be directly in touch with Hacking Team in 2015, according to leaked emails. H.E. Saud Al-Qahtani is also reportedly close to crown prince Mohammed bin Salman and was recently named the head of the Saudi Federation for Cybersecurity and Programming:
So we have an “Abdullah Al-Qahtani” listed on the documents of Tablem Limited, the Cyprus-based firm, and an H.E. Saud Al-Qahtani who is close to the crown prince and was recently named the head of the Saudi Federation for Cybersecurity and Programming. Are they related? That’s still unclear. But what is clear is that the Saudi government has been trying to invest in Hacking Team for years, going back to 2010, making it just one of a number of Gulf states investing heavily in hacking technology:
So that’s our update on Hacking Team: it’s tragically alive and well. And presumably run by and for Saudi Arabia at this point.
And that’s not all. Because it turns out Hacking Team appears to have spawned a competitor: Grey Heron, a company that seemingly came out of nowhere this year and is suddenly advertising its ability to hack strongly encrypted messaging platforms like Signal and Telegram. But those hacking capabilities aren’t the key feature Grey Heron offers its clients. Instead, the key feature is that Grey Heron isn’t called Hacking Team, which became a very important feature after Hacking Team was hacked and had its reputation destroyed:
“In early March, Motherboard reported that a new, mysterious government-malware company called Grey Heron is advertising malware designed to steal data from Signal and Telegram messaging apps. The company seemingly came out of nowhere, suddenly advertising its wares at surveillance fairs over the last few months.”
*Poof* A company appears seemingly out of nowhere this year offering a number of tantalizing hacking capabilities. And, of course, it didn’t come out of nowhere. It emerged from Hacking Team, although Grey Heron doesn’t mention this publicly, which makes sense since distancing itself from Hacking Team is a highly desirable service for the governments that used to be Hacking Team clients and were forced to leave after the bad press from the 2015 Hacking Team hack:
Like the phoenix, Grey Heron rose from Hacking Team’s ashes. Of course, Hacking Team also rose from its own ashes thanks to that Saudi money. But Hacking Team is still going to have a much harder time getting outside clients thanks to its damaged reputation. Grey Heron, on the other hand, appears to be licensed to export its hacking products throughout the EU and has a particular interest in selling to North American clients:
So that’s what happened to Hacking Team following its devastating 2015 hack: it’s once again profitable thanks to mysterious Saudi investors and has also indirectly spawned an entirely new firm that appears to be offering the same kinds of hacking products under a non-‘Hacking Team’ brand. It’s something to keep in mind the next time we see a high-profile hack... especially if the hack once again involves X‑Agent.
Well, that’s quite an indictment, even by #TrumpRussia standards: The Mueller team issued an indictment against 12 GRU officers over the 2016 hacks of the Democrats. The indictment doesn’t just name names but actually describes the roles they played in the teams that carried out the hacks. It is by far the most detail we’ve seen thus far, including information like ‘Person A searched for terms XYZ a day before those terms showed up in a message from Guccifer 2.0’. From a cyber-attribution standpoint the indictment avoids one of the biggest flaws in the attributions we’ve seen thus far: it’s not simply based on highly spoofable “pattern recognition”. There is evidence that purportedly links directly back to computers known to be managed and used by the GRU. Although, as we’re going to see, there’s actually only one piece of evidence in the indictment that purports to link directly back to the GRU, but it’s a pretty big piece of evidence if real. The rest of the details in the indictment may or may not link back directly to the GRU. It’s ambiguously worded, so we don’t know if the rest of the details are speculative (what the Mueller team thinks happened) vs authoritative (what the Mueller team conclusively knows happened).
Separately, we also just learned that Trump was reportedly informed by the government, two weeks before his January 2017 inauguration, about specific, highly classified evidence from a Kremlin source claiming that, yes, the Kremlin was behind it all. This is going to be important to keep in mind in relation to the many details in the indictment because, again, a large number of those details are assertions that specific GRU officers carried out specific actions on particular dates, but it’s never clear whether it’s conclusively known that the GRU officers carried out these acts or whether it’s merely suspected that they did so based on their known roles within the GRU and the assumption that the GRU was behind the hacks. So knowing that the testimony of this Kremlin insider was important in arriving at the conclusion that the GRU really was behind the hack further raises the question of whether the many details in the indictment are based on conclusive direct evidence or on inferences and suspicions.
The details in the indictment are plentiful. The indictment charges two specific GRU units with the hack, each playing a different role: Unit 26165 carried out the hacks and Unit 74455 distributed the hacked materials by creating websites like DCleaks.com and the Guccifer 2.0 persona. The specific people in these units are named and their roles in the operation are given. Some details include actual online searches that specific GRU officers did at specific times, which include phrases found in Guccifer 2.0’s first message to the world.
Then there’s the one detail that, if true, would appear to conclusively link the “Guccifer 2.0” persona to the GRU’s Unit 74455: In the indictment we find the following assertion that someone on a Moscow-based server managed and used by Unit 74455 made a bunch of search queries for phrases that showed up in Guccifer 2.0’s first messages to the world later that day:
This is the sole part of the indictment that stands out for referring to a server known to be operated by the GRU. There are numerous allegations in the indictment where one of the GRU agents is alleged to have done something on a server leased by the GRU, and in the indictment we learn about the use of bitcoin wallets managed by email accounts assumed to be managed by the GRU, but it’s never made clear how conclusive the evidence is that the GRU was specifically managing those email accounts and leasing those servers. But in this one instance with the Moscow-based server it is specifically stated that it’s a server known to be managed and used by the GRU. It will be interesting to see if we get to learn more about this server.
It’s also worth noting that the indictment specifically says someone logged into the GRU managed server from 4:19 to 4:56 PM on the day of Guccifer 2.0’s first message to the world. This raises the question of whether or not US investigators were given legal access to that server. If so, that would be an impressive level of cooperation from a Moscow-based company used by the GRU. Because if the US didn’t gain legal access to this Moscow-based server, that raises the question of whether or not the evidence was gathered by hacking the server by the US or an ally, which would obviously color the interpretation of this evidence.
It’s also possible the server login evidence is based on general internet traffic information that shows someone communicating with the server, coupled with information from Google or another search engine about search traffic from that server shortly after. There are a range of possibilities. But if there’s real evidence of someone logging into a GRU-managed server and making those search term queries before those terms showed up in Guccifer’s first post to the world, that’s pretty conclusive evidence of the GRU being behind the hack. And that’s why this is really the key piece of evidence in the indictment that purports to directly link the GRU to the hacking operations. So the details of that particular piece of evidence are going to be important.
And if this Moscow-based server really was a GRU-managed server and a GRU agent really did make those searches the day of Guccifer 2.0’s first message to the world, it also raises the question of whether or not the GRU had reason to believe that server was known as a GRU server. Because if so, that would be another remarkable example of brazen “I’m a Russian hacker” sloppiness by the GRU in this operation. Using a known GRU server for an operation of this nature seems like an extraordinarily unnecessary risk to take.
Unless, of course, getting caught and blamed was always part of the plan. And let’s not forget that one of the initial conclusions of US investigators to explain all of the unusually sloppy ‘mistakes’ in the hack, coupled with the aggressive use of advanced exploits in order to stay on the DNC’s server, was that Russian government hackers were ‘showing off’.
And if Putin really did order a hacking campaign where Russia intends to get caught and blamed, that means the Trump campaign was colluding with someone trying to get caught, which is pretty funny. Whoops! The Kremlin may not have been the best collusion partner, unless the Trump campaign wanted Russia to get itself implicated in order to take the suspicions for the hacks off the Trump campaign. In which case, whoops again, because that would be a crazy plan.
The financing of the operation is also described in detail in the indictment, with bitcoin mining and laundering providing the funds used to purchase things like servers and VPNs (like the Crookserver company that provided the command-and-control server with the 176.31.112.10 IP address, which was paid in bitcoins).
One interesting new set of details involves the location of some of the servers used. One allegedly GRU-controlled server was in Arizona and another in Illinois. At first, the malware was communicating with the Arizona server, but at some point they decided to relay the data to a foreign server and then back to the Arizona server. It would be interesting to know what led to that decision.
Another interesting new detail involves a fourth command-and-control server that was never mentioned in Crowdstrike’s report. The initial CrowdStrike report mentioned three command-and-control server addresses that were found in the malware, including the server with the same 176.31.112.10 IP address found in the malware used in the 2015 Bundestag hack. But it never mentioned linuxkrnl.net, the address of the new fourth command-and-control server that is referenced in the Mueller indictment. This is leading to speculation that Crowdstrike never actually found the malware with the linuxkrnl.net command-and-control server and that this was the malware that was left on the server until October of 2016.
Also recall how one of the more eyebrow-raising aspects of how the hacks were initially described by the cybersecurity contractors who actually worked on containing the infection on the DNC’s servers was that the hackers were unusually aggressive in maintaining a foothold on the system, and the battle to disinfect the DNC’s network went on for six weeks starting in June of 2016. So it wouldn’t be surprising if the malware that managed to stay hidden until October was placed on the network during that period when the hackers were battling with the cybersecurity contractors and used the linuxkrnl.net command-and-control server (outbound traffic to a hostname like linuxkrnl.net would look a lot less suspicious than outbound traffic to a bare IP address).
So this indictment is certainly a highly provocative new development in this case, and one that purports to fill in numerous details. But the veracity of some of these new details remains a mystery, especially the details about specific GRU officers carrying out specific actions.
The number of specific details about individuals carrying out specific acts on specific days listed in the indictment is so large that it raises the question of how so much was known, on top of the question raised by the Moscow server Guccifer 2.0 claim. Were Western intelligence agencies spying on the GRU at the time of the hacks? Or was this information obtained by US authorities and allies after the fact? And that mystery about the timing of the collection of this intelligence is part of what makes the indictment rather remarkable: there are a number of details about ‘who did what’, and almost no details at all about how this information was obtained or the level of confidence behind the allegations. It’s not clear if the assertions in the indictment are descriptions of what the Mueller team thinks happened and is planning on proving did happen, or if the allegations are based on very strong evidence that ‘person X did Y on date Z’. We are left with no idea, with the notable exception of the Moscow-based server that’s said to be known to be managed by the GRU.
There’s also a remarkable admission that malware from the hack remained on the DNC’s network until October of 2016, long after Crowdstrike assured the world that the malware was removed. Now, a DNC official assures us that the lingering piece of malware was quarantined and effectively disabled, which is plausible.
But perhaps the most eyebrow-raising aspect of the indictment is how much detail and emphasis it places on one of the most inexplicable aspects of the entire hacking story: X‑Agent. There are A LOT of details in the indictment about these GRU agents and their development, testing, and eventual use of X‑Agent.
Recall how X‑Agent was used as a key piece of evidence by Crowdstrike early on to pin the blame on the Russian government, based on the assertion by Crowdstrike that X‑Agent was exclusively used by Russian government hackers. As security expert Jeffrey Carr pointed out, this conclusion that X‑Agent was exclusively developed and used by Russian hackers was subsequently proven to be erroneous. The cybersecurity firm ESET managed to get its hands on X‑Agent source code from 2015, as did an anti-Russian Ukrainian hacker. So the X‑Agent source was clearly in ‘the wild’ at the time of the hacks.
But the big ‘WTF’ aspect of the X‑Agent angle is the fact that the IP address of the command-and-control server used to remotely control the X‑Agent malware installed on the Democrats’ servers was the same IP address hard coded into the X‑Agent malware found on the Bundestag servers in 2015 following the Bundestag hack and that IP address was literally published in 2015. And that same command-and-control server was also found to be vulnerable to the ‘Heartbleed’ attack, meaning the command-and-control server whose IP address was hard-coded into the X‑Agent malware found on the Democrats’ servers might have itself been hacked. When the same IP address shows up in two separate high profile hacks, and that IP address happens to be made publicly available during the time between the two hacks, that either points towards a set up job, hackers trying to get caught, or incredibly incompetent hackers who didn’t want to be caught and accidentally left a massive clue.
Beyond that, in March of 2017, a security researcher at Malwarebytes wrote about how X‑Agent source code appears to be based on hacking code created by “Hacking Team”, the Italy-based legal hacking entity that sold powerful hacking tools to governments around the world, including Russia. In other words, not only was the X‑Agent code likely ‘in the wild’ at the time of the hack, but versions of it may have actually been sold to governments around the world for years. That’s why the central role X‑Agent allegedly played in both carrying out the hack and attributing that hack to the Russian government was always a ‘WTF’ aspect of the entire investigation. If the GRU really was using X‑Agent and NOT trying to get caught it would have been a mistake of stunning proportions.
And yet much of the new indictment describes a focus by the GRU on developing, testing, and deploying X‑Agent. So while there are certainly many substantive details in the indictment, a large number of those details turn out to be the kind of details that strengthen the argument that the GRU was either incredibly incompetent or trying to get caught. The inexplicable X‑Agent angle doesn’t leave too many other plausible explanations.
But that’s also all why the specific details in this indictment about GRU officers working on X‑Agent are actually quite crucial for Mueller’s case: The Crowdstrike argument that the presence of X‑Agent on the Democrats’ servers pointed the finger at Russia was always a bad argument and an example of the dangers of relying on pattern recognition for attribution in the cyber-realm. And if X‑Agent was never actually exclusive to Russian government hackers, providing evidence that Russian government hackers specifically deployed X‑Agent in this hack was actually quite crucial to Mueller’s case. This indictment purports to show exactly that.
At this point it’s a collection of assertions about GRU agents carrying out the specific actions known to have been done by whoever carried out the hacks and the release of the documents. Assertions that make the GRU appear extremely competent at evading CrowdStrike’s counter-intrusion specialists but really incompetent at the ‘covering your tracks’ angle and/or really interested in getting credit:
“The indictment Friday of 12 Russian military officers for the election hacks against the DNC and Hillary Clinton’s campaign lends a surprising new detail to the 2016 election interference timeline: The Kremlin’s hackers apparently still maintained a foothold in the DNC’s network four months after the Democrats announced that they’d locked the intruders out.”
While there’s been no shortage of new details as the #TrumpRussia investigation unfolds, not all new details are equal, and learning that the hackers may have maintained a foothold on the Democrats’ network for months after Crowdstrike assured the world that the infection was purged is quite a significant new detail. Maybe. If the hackers had access to the Democrats’ network through October of 2016 that would have given the Trump campaign and GOP potentially extremely valuable real-time campaign information. But it’s said that only one computer remained infected until October 2016, so it’s possible that computer didn’t yield much useful information. It’s also possible that computer had access to an abundance of information, especially if it could access the broader DNC network. At this point we don’t know:
The DNC, however, assures us that the lingering X‑Agent infection was quarantined and harmless. Which is possible:
And yet Donna Brazile wrote in her book that the hackers were sitting on the DNC’s voter files for months after their supposed ouster. So if they had access to DNC voter files, that’s potentially some of the most useful information they could have had at that point in the campaign. Especially for micro-targeting applications:
So that will be something to watch as more information comes out. Especially because, while the DNC hack story has largely focused on release of Democratic Party emails, there was undoubtedly plenty of information gathered that would be best exploited quietly and not plastered on the internet. Like DNC voter information.
But the biggest overall revelation in this indictment is the naming of names and roles within the two GRU units that purportedly pulled off the hack. At least, it’s a revelation assuming there is indeed conclusive evidence implicating these individuals and it’s not just prosecutorial assertions:
Adding to the ‘wow’ factor of the indictment is how much emphasis there was on the X‑Agent malware. Of course, a big part of that ‘wow’ factor is due to the fact that the X‑Agent malware was one of the most conspicuously appalling ‘I’m a Russian hacker’ clues left by the hackers. One of the big obvious questions about the hack from the very beginning was the general question of whether Russian government hackers could be that stupid, or whether they were trying to get caught...or whether it was someone else trying to make it look like Russian hackers. And according to this indictment, this GRU team did choose X‑Agent as their primary malware for carrying out the attack (which still leaves the ‘stupid or trying to get caught’ question unaddressed):
Beyond the specifics on the malware, the indictment included quite a bit of information on how the infrastructure used in the hack (servers, VPNs) was paid for: with bitcoins, of course. And US investigators appear to have quite a bit of information on those Bitcoin transactions, including the Bitcoin wallet used to purchase the dcleaks.com domain. According to investigators, the initial GRU plan was to use a fake whistleblower persona and the dcleaks.com website to distribute the hacked materials, but they were taken by surprise with the June announcement by Crowdstrike and the Democrats that they had concluded that the DNC was hacked and Russian hackers were the culprits. The alleged exclusivity of X‑Agent was one of the key pieces of evidence used for that early attribution:
The indictment makes no mention of the command-and-control server with the 176.31.112.10 IP address, the same IP address found in the Bundestag hack malware, which was highly suspicious. But it does mention a previously unknown command-and-control server address, linuxkrnl[.]net. And the fact that the malware that remained on the Democrats’ network until October of 2016 was configured to communicate with this linuxkrnl[.]net server, and the fact that Crowdstrike never mentioned this in its initial blog post, suggests that Crowdstrike didn’t actually find the malware during the initial purge, which is in keeping with what Donna Brazile wrote in her book about the hackers having access to the Democrats’ voter files months after the malware was allegedly removed:
The indictment also asserts that the creation of the “Guccifer 2.0” persona was a hasty forced response to the June 2016 reports about the DNC hack that fingered the Russians. And it was Unit 74455 that was tasked with putting together the Guccifer 2.0 persona to try to take the blame off of the Russian government:
Recall that one of the initial clues that Guccifer 2.0 wasn’t actually a lone Romanian hacker was the fact that the Guccifer 2.0 persona didn’t actually talk like a Romanian. So if Unit 74455, the GRU’s crack team for social media influence operations, was unable to come up with a persona that actually spoke fluent Romanian that’s a pretty horrible crack team. But that’s what the Mueller indictment specifically says happened.
So as we can see, the indictment purports to answer a number of questions that have been swirling around the investigation, while leaving a number of open questions. And the question of “why would the Russians be so utterly incompetent” remains unasked entirely. But the indictment does raise one very massive new question, and it’s a question the Russian government must be asking itself rather earnestly at this point: did the US hack the GRU?
“The real bombshell in Special Counsel Robert Mueller’s latest indictment is the investigators’ apparent ability to link specific actions, such as searches and technical queries, to specific officers of the GRU, Russia’s military intelligence service. By making these connections, Mueller’s team has made an enormous leap from the U.S. intelligence community’s previous disclosures. They draw the first straight line from the hacking and spearphishing of U.S. Democrats to the Russian government — and pose some further questions for the media and the public to ask about this bizarre affair.”
As Leonid Bershidsky puts it, the biggest bombshell in this new indictment is all the details. The ability to link actions like web searches to specific GRU officers hints at the possibility that the GRU was, itself, hacked and monitored as the hacks were carried out.
Bershidsky then reminds us of one of the most inexplicably stupid alleged hacking mistakes of the GRU as additional evidence that the GRU’s Unit 26165 was directly involved in the hacks: The name of the Russian employee of a company believed to contract with the Russian intelligence services was found in the metadata of one of the documents released in the Macron hack in the lead-up to the 2017 French elections (also recall that the release of those hacked documents was traced back to US neo-Nazi Andrew ‘weev’ Auernheimer). And as Bershidsky notes, that same Russian employee, Georgy Roshka/Roshka Georgiy Petrovichan, was identified as an officer of Unit 26165 by the Russian investigative site The Insider:
And the fact that Georgy Roshka wasn’t known to be a member of Unit 26165 until after his name showed up in the metadata is quite notable. Because if Georgy Roshka really did accidentally leave his name in the metadata of the Macron files, that’s just a stunning mistake. But, on the other hand, if his name was planted in those documents, that would suggest that whoever did the planting had knowledge of Unit 26165 membership. So, given that neo-Nazi Andrew ‘weev’ Auernheimer appeared to be involved in the distribution of those hacked documents, if he was working with the GRU it would suggest it was the GRU who modified the documents and then gave them to Auernheimer to distribute. But if he wasn’t working with the GRU, it suggests he was working with a group that has knowledge of Unit 26165 membership. That’s all worth keeping in mind.
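The metadata clue discussed above is worth seeing concretely, because it shows why a name in a document’s properties is weak attribution evidence on its own. The following is an added example written for this page, not code from the post or from any of the investigators it cites: it builds a constructed stand-in for a .docx (Office documents are zip archives whose author fields live in the plain-XML `docProps/core.xml` entry), reads the creator and last-modified-by fields the way a forensic triage script would, and then shows that those same fields can be rewritten by anyone holding the file. The element and namespace names are the real OOXML core-properties ones; the author values are constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML core-properties namespaces (the real ones used by Word/LibreOffice files).
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)
ET.register_namespace("xsi", "http://www.w3.org/2001/XMLSchema-instance")


def build_sample_docx(creator, last_modified_by, modified="2017-05-03T12:00:00Z"):
    """Constructed stand-in for a .docx: a zip holding only docProps/core.xml.
    A real document has many more entries, but the author fields are exactly
    these elements in exactly this file."""
    core_xml = f"""<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties xmlns:cp="{NS['cp']}" xmlns:dc="{NS['dc']}"
    xmlns:dcterms="{NS['dcterms']}" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dc:creator>{creator}</dc:creator>
  <cp:lastModifiedBy>{last_modified_by}</cp:lastModifiedBy>
  <dcterms:modified xsi:type="dcterms:W3CDTF">{modified}</dcterms:modified>
</cp:coreProperties>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docProps/core.xml", core_xml)
    return buf.getvalue()


def read_core_properties(docx_bytes):
    """Triage step: pull the author-related fields out of a document.
    Returns {} for a zip without core properties; missing fields are None."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "docProps/core.xml" not in zf.namelist():
            return {}
        root = ET.fromstring(zf.read("docProps/core.xml"))

    def text(path):
        el = root.find(path, NS)
        return None if el is None else (el.text or "")

    return {
        "creator": text("dc:creator"),
        "last_modified_by": text("cp:lastModifiedBy"),
        "modified": text("dcterms:modified"),
    }


def scrub_core_properties(docx_bytes):
    """Hygiene step before publishing a document: blank the author fields.
    The same edit is all it takes to plant an arbitrary name, which is why
    these fields cannot carry attribution weight by themselves."""
    src = zipfile.ZipFile(io.BytesIO(docx_bytes))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename == "docProps/core.xml":
                root = ET.fromstring(data)
                for path in ("dc:creator", "cp:lastModifiedBy"):
                    el = root.find(path, NS)
                    if el is not None:
                        el.text = ""
                data = ET.tostring(root, encoding="utf-8")
            dst.writestr(item.filename, data)
    return out.getvalue()


if __name__ == "__main__":
    doc = build_sample_docx("Constructed Author", "Constructed Editor")
    print("before:", read_core_properties(doc))
    print("after: ", read_core_properties(scrub_core_properties(doc)))
```

The point for an analyst is that `read_core_properties` faithfully reports whatever string is in the file; nothing in the format authenticates it. A name found there is a lead to corroborate with evidence the document’s handler could not have edited, not a finding in itself.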
Bershidsky goes on to point out the surprising level of detail the Mueller team apparently has about who did what, while noting the ranks for these GRU members listed in the indictment aren’t actually real Russian army ranks (presumably the ranks were effectively translated to American military ranks?):
He then asks the obvious question: so how did the US obtain this level of detail about the hacking operation? Did it come from a mole inside the Russian government? Or was the GRU already hacked, and was it being watched during the hacking operation? Bershidsky then recalls the remarkable report from February about how Dutch government hackers had apparently hacked Cozy Bear (the FSB hackers) and actually observed the online searches high-ranking Russian intelligence officers made, and notes that the Mueller indictment also included online searches attributed to GRU officers. So were both the FSB and GRU hacking teams hacked?
Bershidsky then asks the obvious followup question: if the GRU was indeed hacked and watched in real time by US intelligence agencies or its allies, why was the GRU allowed to carry out these attacks without the Democrats being informed about it?
This is a question that the Mueller indictment makes more relevant, because when you read the chronology of the hacks found in the indictment it’s clear that the hacking of the Democrats was a multi-stage event. As we saw in the first article, the first hack took place in March of 2016 when John Podesta’s email got hacked. It was in April that a DCCC employee got hacked, with the DNC hack taking place almost a week later. So if the GRU was being watched this whole time there were plenty of opportunities to warn the Democrats that they were once again being hacked (recall the inexplicable seven-month delay in the FBI warning the Democrats about the Cozy Bear hack of 2015).
Along those lines, it’s worth keeping in mind the report from August of 2016 about how some members of Congress had known about the initial 2015 hack (the ‘Cozy Bear’ hack) of the DNC for over a year as of August 2016, and the reason the Democratic party was never informed was the highly sensitive nature of the intelligence. So if it really was the case that the GRU was hacked by the US or its allies, it would appear that US policy is to err on the side of watching and not doing anything that would tip off the hackers that they were being watched.
But, again, that’s all assuming that the stunning level of detail in this indictment actually reflects real evidence the US government possesses vs. just being a series of assertions about what the Mueller team thinks happened. And at this point we have no idea, even for the assertions that are quite specific, with the notable exception of the Moscow-based server searches of the Guccifer 2.0 phrases. We don’t know if the underlying evidence is simply that a computer assumed to be used by a specific GRU officer was used to make a search, or if the evidence is convincingly linked back to that GRU officer personally.
Alright, now let’s take a look at the actual indictment. Be sure to note the extensive references to the X‑Agent malware. X‑Agent, said by CrowdStrike to be exclusive to the GRU (even though that doesn’t appear to be true), was central to the technical execution of the hack and the. And the story of the GRU officers developing, testing, deploying, and managing X‑Agent is central to the indictment. But the key piece of evidence is in paragraph 41, which states that someone at a Moscow-based server known to be managed by the GRU made searches for phrases that showed up in Guccifer 2.0’s first message to the world:
Ok, so that was a lot of legalese, but notably easy to read legalese. It was a story of what happened. With lots of specific details. And lots of vague details. And no indication whether or not the specific technical details have been associated with the GRU agents in the indictment or whether it’s merely being asserted that these individuals were the people behind the technical details. That’s very unclear.
Also keep in mind that the fact that the Mueller team has lots of specific technical evidence — like email accounts or VPNs or bitcoin wallets used in the hacks — is what we should expect at this point. What’s surprising is the linking of this technical evidence to specific GRU officers.
But, at a minimum, the indictment indicates the Mueller team might have evidence that conclusively links these GRU units to the hacks. Let’s review those details. First, the indictment lists the GRU members and gives a brief chronology of the initial hacks. What’s noteworthy is that the chronology starts in March of 2016 and the language indicates that the GRU units started working on hacking the Democrats “starting in at least March 2016”. So the evidence this indictment is based on appears to start from March of 2016, which is interesting given all the hacking activity that preceded this (the ‘Cozy Bear’ hacks of 2015) and the indications that GRU units were, themselves, hacked and monitored by the US and/or its allies:
Next, the indictment gives details on the defendants in Unit 26165, the unit that allegedly did the actual hacking:
And note how the following four members of Unit 26165 are specifically said to have worked with the X‑Agent malware. Again, one of the big ‘WTF’ questions about the hacks has always been how on earth the GRU could have been so incompetent as to use malware that was ‘known’ to be ‘exclusive’ to the ‘Fancy Bear’/APT28 hacking group (even though that appears to be untrue) and that contained the same command-and-control IP address that had previously been published in connection with a hack blamed on the Russian government. Was it a slip-up that a single individual at the GRU made? Well, according to this indictment, there were at least four people dedicated to developing, testing, and deploying the X‑Agent malware. The ‘WTF’ aspect of this remains unaddressed:
Next, the indictment covers the members of Unit 74455, which allegedly created the “Guccifer 2.0” persona and set up the dcleaks.com website that the hacked documents were initially distributed through. The unit also allegedly operated social media campaigns to promote the hacked materials. This was the unit that used the Moscow-based server to make searches for phrases that showed up in Guccifer 2.0’s first message to the world:
The indictment then goes into some specifics of the spearphishing operation. Recall that this spearphishing operation was another one of the aspects of this hacking operation that involved the hackers making a massive mistake: the spearphishing emails used the Bit.ly URL-shortening service and the hackers forgot to set their Bit.ly account to private, which allowed investigators to uncover ALL of the targeted addresses in this spearphishing campaign. It’s just one of the many incredible mistakes allegedly made by the GRU:
Next, the indictment gives more details about the hacking of the DCCC and DNC networks. Once again, it attributes specific web searches to specific GRU agents. In this case they were searches related to the technical aspects of the DNC and DCCC computer networks. Again, we have no idea if these searches are simply tracked to computers that are assumed to have been operated by these GRU agents or if they were directly tracked back to these individuals:
Next, the indictment once again discusses the use of the X‑Agent malware. Of note is how multiple versions of X‑Agent were found. One interesting question regarding this is whether ALL of the versions of the X‑Agent malware contained the 176.31.112.10 command-and-control server IP address previously attributed to ‘Fancy Bear’ or only some of the X‑Agent versions contained that conspicuous clue. The indictment also asserts that specific GRU individuals logged into the X‑Agent “AMS” control panel on specific dates. Once again, we have no idea if the underlying evidence is that someone logged into these command-and-control servers on that date and it’s assumed to be these GRU agents, or if the evidence directly ties back to these individuals. Interestingly, that AMS control panel server was located in Arizona. So one of the servers the GRU allegedly chose to run this operation was in the United States, thus guaranteeing that it would be left for US investigators to pore over and gather forensic evidence. It’s one more rather odd tactical choice by these Russian government hackers:
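The question raised here (did every X‑Agent version carry the same hard-coded 176.31.112.10 address?) and the earlier point about that address having been published in 2015 both come down to one analyst task: pulling network indicators out of a set of samples and asking which of them recur, and which of those were already public. The following is an added example written for this page, not a tool used by CrowdStrike, Mueller’s team or anyone else the post cites. It extracts IPv4 addresses and hostnames from raw sample bytes, rejects look-alikes (impossible octets, filenames such as `kernel32.dll`), reports which indicators are shared across samples, and flags those that appear in a list of previously published indicators. The sample blobs are constructed; the two indicator values embedded in them are the ones the page itself discusses.

```python
import re
from collections import defaultdict

# Dotted-quad candidates not embedded in a longer digit/dot run.
IPV4_RE = re.compile(rb"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
# Hostname candidates: one or more labels, then an alphabetic top-level label.
HOST_RE = re.compile(rb"(?<![\w.-])(?:[a-z0-9-]{1,63}\.)+[a-z]{2,6}(?![\w.-])", re.IGNORECASE)
# Common false positives that look like hostnames inside a Windows binary.
NOT_HOST_SUFFIXES = (b".dll", b".exe", b".sys", b".dat", b".txt", b".pdb", b".log")


def extract_indicators(blob):
    """Return {'ips': set, 'hosts': set} of network indicators found in a blob."""
    ips = set()
    for m in IPV4_RE.findall(blob):
        # \d{1,3} also matches 999; keep only real octets.
        if all(0 <= int(o) <= 255 for o in m.split(b".")):
            ips.add(m.decode())
    hosts = set()
    for m in HOST_RE.findall(blob):
        low = m.lower()
        if low.endswith(NOT_HOST_SUFFIXES):
            continue
        hosts.add(low.decode())
    return {"ips": ips, "hosts": hosts}


def shared_indicators(samples, published=frozenset()):
    """Map each indicator to the samples it occurs in, whether it is shared by
    more than one sample, and whether it was already publicly known.
    An indicator that is both shared and published is exactly the kind of
    overlap that is easy to reuse or plant, so it should lower rather than
    raise the confidence an analyst places on it for attribution."""
    seen = defaultdict(set)
    for name, blob in samples.items():
        ind = extract_indicators(blob)
        for value in ind["ips"] | ind["hosts"]:
            seen[value].add(name)
    return {
        value: {
            "samples": sorted(names),
            "shared": len(names) > 1,
            "published": value in published,
        }
        for value, names in seen.items()
    }


# Constructed sample blobs standing in for three malware versions. The two
# indicator values are the ones discussed on this page; everything around
# them is filler chosen to exercise the filters.
SAMPLES = {
    "sample_a": b"MZ\x90\x00junk\x00http://176.31.112.10/c2\x00kernel32.dll\x00XTunnel\x00",
    "sample_b": b"\x00junk\x00 176.31.112.10 \x00linuxkrnl.net\x00 999.1.1.1 \x00",
    "sample_c": b"\x00config=linuxkrnl.net;port=443\x00ntdll.dll\x00",
}
# Constructed list of indicators assumed to have been public before the samples were found.
PUBLISHED = frozenset({"176.31.112.10"})


if __name__ == "__main__":
    for value, info in sorted(shared_indicators(SAMPLES, PUBLISHED).items()):
        tag = "weak (shared+published)" if info["shared"] and info["published"] else ""
        print(f"{value:16} in {info['samples']} {tag}")
```

Running it lists 176.31.112.10 as present in two samples and already published, and linuxkrnl.net as shared but not on the published list. That is the distinction the post keeps returning to: an indicator that recurs across incidents is only strong evidence of a common operator when it was not already available for anyone else to reuse.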
Relating to the odd location choice of a command-and-control server in Arizona, one might assume that the choice had to do with not creating outbound traffic from the Democrats’ servers that would arouse suspicion (like outbound traffic to a server in Russia). So, in that sense, using an Arizona server might reduce the risk of getting caught in the act even if it enhances the risk after the fact. But that’s what makes this other detail so odd: On April 19, 2016, the hackers apparently set up an overseas “middleman” server that would relay the traffic out of the Democrats’ networks back to the Arizona server. In other words, the initial configuration for the X‑Agent malware was to send traffic directly to the Arizona server. Then, about a month into the hacking operation, the X‑Agent malware starts sending traffic to this overseas middleman server, which relays the data back to the Arizona server. Recall that the 176.31.112.10 server was indeed operated by the UK-based Crookserver company, along with the 91.121.108.153 command-and-control server that was also used by the malware. So might this “middleman” server have been one of the Crookserver computers? If so, that’s extra interesting since, as we also previously saw, the hackers who were previously associated with using that 176.31.112.10 server in the 2015 Bundestag hack reportedly lost control of the server in July of 2015 when that server itself was hacked and found to be used by four different hacking operations (recall that the server was vulnerable to the Heartbleed attack). So learning more about this middleman server and which particular IP address it used seems like a key factor in this investigation. Unfortunately, the details on the middleman server aren’t given in the indictment:
Next, the indictment again makes assertions that specific GRU agents remotely logged into the Arizona server during the month of April to manage the X‑Agent malware. Once again, we have no idea if this is based on technical evidence showing someone logged into the server and it’s assumed to be these GRU agents or if there’s evidence directly linking that command-and-control server usage back to these individuals:
Next, the indictment mentions one more piece of malware used in the hacks: X‑Tunnel. This malware is also described as “GRU malware”. So it’s worth recalling that the June 19, 2015, article in netzpolitik.org that covers the Bundestag hack of 2015 and mentions the 176.31.112.10 IP address also discusses the use of X‑Tunnel in that hack! So if X‑Tunnel was malware that the GRU was exclusively using up until that point in 2015, it would be particularly brazen of them to continue using X‑Tunnel in the 2016 hack of the Democrats:
Next, the indictment specifically asserts that one of the GRU agents researched PowerShell commands related to managing the Microsoft Exchange Server used by the DNC. The indictment then asserts that a specific GRU agent logged into the Arizona command-and-control server on May 30, 2016, to upgrade some of the command-and-control software. To reiterate, we have no idea if these claims are based on technical evidence showing someone did these things and it’s assumed to be these GRU agents, or if there’s evidence directly linking these searches and logins back to these individuals:
Next, the indictment notes how the hackers apparently tried to cover their tracks on both the hacked Democrats’ network and the Arizona command-and-control server. Keep in mind that one of the signature aspects of this hacking operation is how brazen the hackers were: they appeared to care little about getting caught, they appeared to be showing off, and US officials assumed they were trying to send a message from the Russian government. So while the hackers may have made some efforts to cover their tracks, they also appeared to be interested in getting caught eventually and sending an “I’m a Russian hacker” message in the process:
Next, the indictment includes the remarkable revelation that at least one piece of the X‑Agent malware remained on the Democrats’ networks until October of 2016, months after Crowdstrike assured the world they had removed all the infections. This version of X‑Agent was configured to communicate with a command-and-control server at the linuxkrnl.net address. Recall what we saw above about how the linuxkrnl.net address wasn’t included in Crowdstrike’s initial report, suggesting they never found it. The DNC asserted that it was found and quarantined and unable to communicate with the hackers, while Donna Brazile wrote in her book that malware was stealing voter information files for months after Crowdstrike gave the all clear:
Next, the indictment includes another allegation about a specific GRU agent searching for information about Crowdstrike (“Company 1”) and its reporting on X‑Agent and X‑Tunnel. So, again, don’t forget that X‑Agent and X‑Tunnel were both reported in June of 2015 in netzpolitik.org’s article about the Bundestag hack, where the 176.31.112.10 IP address was specifically mentioned as a key piece of evidence linking the Bundestag hack to earlier hacks attributed to the APT-28/Sofacy group. X‑Agent is “Artifact #1” in that report and X‑Tunnel is “Artifact #2”, and it is noted that the name “XTunnel” shows up in the unobscured source code. So if it had only just occurred to the GRU at the end of May 2016 to check whether there were any reports on the internet talking about X‑Agent and X‑Tunnel, that would be one more remarkable instance of incompetence. If, on the other hand, they were doing that search to get an idea of whether or not Crowdstrike had issued a recent report on their then-ongoing hack of the Democrats, that would indicate they were well aware of the conspicuous nature of using X‑Agent and X‑Tunnel:
Next, the indictment notes a September 2016 hack of DNC computers hosted on a cloud computing platform. The stolen data included the DNC’s analytics software. This is exactly the kind of information that would have been extremely useful to the Trump campaign’s social-media micro-targeting operations, and the kind of information the campaign would have wanted to obtain quietly:
Next, the indictment notes that the same email address, dirbinsaabol@mail.com, was used to pay for the dcleaks.com domain registration and to sign up for the URL-shortening account (the URL-shortening account they apparently accidentally left publicly accessible). It’s also worth noting that using the same email address for different aspects of this hack is kind of lazy if you’re trying to hinder investigators. But it’s also consistent with the amateurish execution of this hack. So amateurish that it raises the question of whether or not it was professionally amateurish. A question that is almost never asked:
Next, the indictment gives some details on the management and promotion of the dcleaks.com website that was initially used to distribute hacked documents. It notes that Facebook accounts were set up under fake personas to promote the DCLeaks site at approximately the same time the dcleaks.com domain was registered, and that these Facebook accounts were used from computers managed by “POTEMKIN”, who, as we saw above, is described as “a supervisor in a department within Unit 74455 responsible for the administration of computer infrastructure used in cyber operations”. This is noteworthy because one of the questions regarding the specificity of these allegations is whether or not they are based on specific evidence that ties back to computers known to be used by the GRU, or if it’s assumed to be the case based on circumstantial evidence and conjecture. So when we see that this Potemkin individual is apparently known as the administrator of Unit 74455’s cyber operations infrastructure, it again raises the question of whether the evidence is technical evidence that specifically ties back to computers known to be used by Potemkin’s unit, or an inference based on the conclusion that ‘Unit 74455 did this, so therefore these are the computers that must have done it, and Potemkin manages them’. Again, the nature of the evidence is left completely ambiguous in the indictment:
Next, the indictment notes how the @dcleaks_ Twitter account was managed from the same computer “used for other efforts to interfere with the 2016 U.S. presidential election”. And the example given of another effort this computer was used for is the management of the @BaltimoreIsWhr Twitter account that ran anti-Hillary #BlacksAgainstHillary trolling operations. It would be interesting to learn what other trolling operations the @BaltimoreIsWhr social media persona interacted with. And, again, what this tells us is that the same computer was used for those two Twitter accounts and some other stuff presumably involving social media trolling operations. Since the computer that directly ran the Twitter accounts was presumably a VPN endpoint, which could be difficult to trace back to particular end-user computers (VPNs routed through more VPNs, etc.), we don’t know whether there is technical evidence that ties the computer that managed these Twitter accounts back to the GRU hacker computers, or if it’s assumed to be the GRU based on circumstantial evidence such as the Kremlin source and other intelligence:
Ok, now we get to paragraph 41, the point in the document that mentions someone logging into a Moscow-based server used and managed by Unit 74455 from 4:19 to 4:56 PM and searching for a number of phrases that showed up in Guccifer 2.0’s opening message to the world:
Next, the indictment includes an allegation that’s bad news for someone in the GOP, but it’s unclear who: on August 15, 2016, an unnamed GOP candidate contacted Guccifer 2.0 requesting any documents on their Democratic opponent, and Guccifer 2.0 supplied them with documents. And this is different from the story we already knew about, in which Florida GOP operative Aaron Nevins asked for and received 2.5 gigabytes of data from Guccifer 2.0, which is also listed below. So if that GOP candidate won their race, this indictment is a big deal for them:
Next, the indictment notes that Guccifer 2.0 communicated with someone who was in regular contact with senior members of the Trump campaign. Roger Stone has admitted to communications with Guccifer 2.0 starting in mid-August 2016, so this is likely a reference to that. One of those communications with Stone involved a discussion of the Democrats’ turnout model, which indicates Guccifer 2.0 was in possession of the Democrats’ voter analytics files. Recall how Donna Brazile complained about the hackers having access to the Democrats’ voter files months after Crowdstrike said the infection was contained, so this discussion with Roger Stone suggests the malware left on the DNC’s networks until October of 2016 may have been actively sending information back to the hackers:
Next, the indictment mentions that the computer infrastructure used to manage the Guccifer 2.0 persona and the DCLeaks website used the same pool of bitcoins to lease the Malaysian server used to host the dcleaks.com website and to open a VPN account. That VPN was used to log into the Guccifer_2 Twitter account and also to register domains used in the spearphishing operations. This isn’t particularly remarkable given that the Guccifer 2.0 persona always maintained that they were a lone hacker, so it would make sense to use the same bitcoins for everything involving the hacks and the distribution of hacked documents:
Next, the indictment describes Guccifer 2.0’s interactions with WikiLeaks (Organization 1). Interestingly, it mentions that the Guccifer 2.0 persona discussed with WikiLeaks the timing of releasing the documents, which raises the question of how those communications were obtained. Recall the earlier reports about Julian Assange communicating with Donald Trump Jr. over Twitter direct messages and how Assange was reportedly known to communicate quite a bit using Twitter’s DMs. And when Roger Stone communicated with Guccifer 2.0, that was also over Twitter direct messages. So it seems likely that Guccifer 2.0 was communicating with Assange over Twitter, in which case there’s a good chance all of these communications are available to investigators. It’s also just a remarkable security decision by Assange, Stone, and Guccifer 2.0 to use Twitter to carry out their ostensibly secret coordination. You almost have to wonder if there wasn’t a more secret backchannel employed as the real communications channel, because Twitter DMs are hardly the most secure form of communication from the standpoint of avoiding having your messages seized by authorities:
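The two paragraphs above (the shared dirbinsaabol@mail.com registrant address, and the shared bitcoin pool behind the server lease, the VPN account and the domain registrations) describe the same investigative move: pivoting on a selector that two pieces of infrastructure have in common until the pieces fall into one cluster. The following is an added example of that clustering, not code from the post or from the indictment; every record, e-mail address and payment label in it is constructed for illustration and corresponds to nothing real. It also records which selector produced each link, because a cluster held together by a single selector type is exactly the kind of “pattern recognition” the post argues is weak on its own.

```python
from collections import defaultdict

# Constructed records modelled on the kinds of artifacts the indictment links:
# a domain registration, a URL-shortener account, a server lease, a VPN account.
# The selector values are placeholders, not real indicators.
RECORDS = [
    {"id": "domain-1",    "kind": "domain",        "email": "reg1@example.test", "payment": "btc-pool-A"},
    {"id": "shortener-1", "kind": "url_shortener", "email": "reg1@example.test"},
    {"id": "server-1",    "kind": "server_lease",  "payment": "btc-pool-A"},
    {"id": "vpn-1",       "kind": "vpn_account",   "payment": "btc-pool-A"},
    {"id": "domain-2",    "kind": "domain",        "email": "reg2@example.test", "payment": "btc-pool-A"},
    {"id": "domain-3",    "kind": "domain",        "email": "other@example.test", "payment": "btc-pool-Z"},
]

# Attributes on which two records are considered linked (hypothetical selector set).
SELECTORS = ("email", "payment")


def cluster(records, selectors=SELECTORS):
    """Union-find over record ids: records sharing any selector value are joined.

    Returns (clusters, edges); each edge is (record_a, record_b, selector) so the
    analyst can see which attribute produced the link.
    """
    parent = {r["id"]: r["id"] for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    first_seen = {}   # (selector, value) -> first record id carrying that value
    edges = []
    for r in records:
        for s in selectors:
            value = r.get(s)
            if value is None:
                continue
            key = (s, value)
            if key in first_seen:
                union(first_seen[key], r["id"])
                edges.append((first_seen[key], r["id"], s))
            else:
                first_seen[key] = r["id"]

    groups = defaultdict(list)
    for r in records:
        groups[find(r["id"])].append(r["id"])
    clusters = sorted(sorted(g) for g in groups.values())
    return clusters, edges


def selector_types_in_cluster(cluster_ids, edges):
    """Which selector types hold a cluster together (one type only = weaker link)."""
    members = set(cluster_ids)
    return sorted({s for a, b, s in edges if a in members and b in members})


if __name__ == "__main__":
    clusters, edges = cluster(RECORDS)
    for c in clusters:
        print(c, "linked by", selector_types_in_cluster(c, edges))
```

Run stand-alone it prints the two clusters and the selector types behind each. The design point is the `edges` list: an attribution built from this kind of pivot should be able to say whether a cluster rests on a registrant e-mail, a payment source, both, or (as with the shared IP blocks discussed later in the post) something far weaker.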
Next, the indictment formally lays out the hacking charges in terms of formal criminal allegations like knowingly accessing a computer without authorization, stealing people’s credentials, etc.:
Next, the indictment includes more allegations regarding the use of bitcoins to pay for the infrastructure (servers and web domains) used in the hack and the distribution of the documents. The indictment notes that literally hundreds of email addresses were set up to carry out the various purchases made with the bitcoins, with some email addresses being used for a single purchase. It’s said that this was done to avoid “a centralized paper trail of all of their purchases,” but there were also several dedicated email accounts used to track these bitcoin transactions, and the investigators appear to have access to those email accounts. One of the email accounts received hundreds of requests from approximately 100 different email accounts for specific amounts of bitcoins to be sent to particular bitcoin wallets. And that all raises the question: why were there hundreds of purchases being made by these GRU units? Dozens, ok, that might be plausible. But hundreds of payments? Wow:
The indictment then notes that, on occasion, the hackers used the same computer to send bitcoins that they used to carry out the hacks, like sending spearphishing emails or registering the linuxkrnl.net domain. That sounds like one more example of the surprising sloppiness of these hackers if they really did care about not getting caught:
Next, the indictment notes that some of the bitcoins used by the hackers were generated by GRU-run mining operations, while other bitcoins were purchased on exchanges that obscure the origin of the bitcoin (bitcoin ‘laundering’ exchanges). And a newly minted bitcoin from the pool of GRU-mined bitcoins was apparently used to purchase the dcleaks.com domain! While purchasing bitcoins on a bitcoin laundering exchange makes a lot of sense, the use of bitcoins that were directly mined by a GRU mining operation seems like a potentially big risk for the GRU. Why take that kind of risk unless you don’t care about getting caught? Why not at least run the bitcoins generated by the GRU mining operations through a laundering operation first? It’s one more example of the GRU allegedly playing dumb:
Next, the indictment lays out the charges regarding alleged attempts to hack into US election systems as well as the vendor of US election software. It specifically charges two GRU officers from Unit 74455 with these state election system intrusion attempts. It states that in July of 2016, the GRU hacked into a particular state board of elections’ systems and stole information on 500,000 voters. This is a reference to the Illinois state board of elections. The indictment then mentions that the FBI issued an alert in August of 2016 over the hacking of the Illinois state board of elections, and that in response to that alert one of the GRU agents “deleted his search history” and “deleted records from accounts used in their operations targeting state boards of elections.” But the indictment goes on to say they continued trying to hack state election systems through October and even early November. It’s another example of evidence that would indicate a surprising level of detail about the actions of specific GRU agents, because knowing about the deletion of search history implies access to the server used. It’s also an example of the hackers allegedly being concerned about getting caught while demonstrating a brazen lack of concern, which is the theme of this entire story:
So that’s a review of the actual contents of the indictment. As we can see, there’s quite an abundance of detail about how the hackers carried out the actual hacks and set up and managed the infrastructure used to carry out the hacks and distribute the documents. The indictment also includes an abundance of detailed allegations about specific GRU agents carrying out specific roles in the operation and specific acts on specific dates. And yet of all the allegations, only one allegation — about someone logging in and out of a Moscow-based server managed by the GRU to search for phrases that showed up in Guccifer’s first message — suggested there was evidence that conclusively determines that a known GRU server was used in this operation. And as we saw, it’s unclear how that evidence was obtained without that server itself being hacked.
So with a single seemingly conclusive piece of evidence, how should we interpret the rest of this indictment? Well, it’s important to note that there was one other reported instance of evidence that was directly linked back to the GRU. Interestingly, while this story purports to give strong evidence of the GRU being actually behind the hacks, the article notes how, without this one piece of evidence, the investigators were having a very difficult time actually tracking the technical evidence back to the GRU. The evidence would lead to servers in France owned by Elite VPN (a Moscow-based VPN service), but the trail would go cold from there (which is why VPNs are useful for hackers).
According to the report, there was one instance when a GRU officer forgot to log into this VPN service while logging into one of the social media accounts used by Guccifer 2.0. This resulted in the logs of this social media company having a login from Moscow. And the IP address of that login led directly back to a computer used by a GRU officer at the agency’s headquarters on Grizodubovoy Street in Moscow.
Yep, we are told that the GRU is so casual about their high-stakes hacking operation that they literally sit at their offices at headquarters in Moscow and hack away! The only thing obscuring their identities is the use of a VPN service. If true, it would be one more example of the stunningly casual security measures apparently used by the GRU. But if it’s not true, and this story is puffery, it would indicate that investigators actually lack any technical evidence leading back to the GRU, since this was apparently the one critical slip-up that allowed investigators to conclusively link it back to the GRU.
Of course, this story is from March of 2018, so it’s possible investigators collected some new information over the last few months. Like, for instance, the information about login times and searches made on the Moscow-based server that the Mueller team included in the indictment. But when we’re trying to make sense of how to interpret the numerous highly specific, yet vaguely sourced, allegations in the indictment, the fact that there was allegedly only one key piece of evidence investigators had linking the hacks back to the GRU as of March of this year seems important to keep in mind. Did investigators have another set of breakthroughs in recent months?
The article includes another allegation that’s worth keeping in mind regarding the evidence in the indictment about the Moscow-based server and the Guccifer 2.0 search terms: the GRU agent who was initially in charge of the Guccifer 2.0 persona was replaced at some point by a more experienced GRU officer. It’s not known exactly when this replacement occurred, but it’s assumed to have happened based on noticeable improvements in Guccifer 2.0’s English over time. Given that the Guccifer 2.0 persona described itself as a lone Romanian hacker, it’s kind of remarkable that they wouldn’t maintain the same style of English even if they switched which GRU officer was working on the case. Again, wow, that is some sloppy tradecraft:
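The mechanism described in the two paragraphs above is simple from the side of the service that holds the logs: every login to the account arrives from the VPN provider’s exit addresses, except one, and that one address is what gets attributed. The following is an added example of that check, written from the position of a platform or investigator reviewing authentication logs; it is not code from the post or from any of the companies mentioned. The log format, the account name, the VPN exit range (203.0.113.0/24, a documentation prefix) and the “off-VPN” address (198.51.100.7, also a documentation prefix) are all constructed for the example.

```python
import ipaddress
import re

# Constructed: exit ranges the account is normally seen from (a VPN provider's
# address block). A real investigation would populate this from the provider's
# published ranges or from the account's own login history.
KNOWN_VPN_EXITS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed authentication log in a hypothetical one-line-per-event format.
AUTH_LOG = """\
2016-06-15T09:58:11Z login user=persona_x src=203.0.113.14 result=success
2016-06-16T14:02:43Z login user=persona_x src=203.0.113.77 result=success
2016-06-17T08:21:05Z login user=persona_x src=198.51.100.7 result=success
2016-06-18T11:40:30Z login user=persona_x src=198.51.100.8 result=failure
2016-06-19T16:12:09Z login user=persona_x src=203.0.113.14 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_auth_log(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def is_known_exit(src, exits=KNOWN_VPN_EXITS):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in exits)


def off_vpn_logins(events, exits=KNOWN_VPN_EXITS):
    """Successful logins whose source address is outside every known exit range.

    Failed attempts are excluded: a failure says nothing about who holds the
    credential, while a success from an unexpected address is the slip-up
    the paragraph above describes.
    """
    return [
        e for e in events
        if e["result"] == "success" and not is_known_exit(e["src"], exits)
    ]


def sources_per_user(events):
    """All successful source addresses per account, for a quick baseline view."""
    seen = {}
    for e in events:
        if e["result"] == "success":
            seen.setdefault(e["user"], set()).add(e["src"])
    return {u: sorted(s) for u, s in seen.items()}


if __name__ == "__main__":
    evs = parse_auth_log(AUTH_LOG)
    for e in off_vpn_logins(evs):
        print(f"{e['ts']} {e['user']} logged in from {e['src']} (not a known VPN exit)")
```

The same logic serves a defender watching their own accounts: a credential that is normally used from one set of addresses and suddenly succeeds from somewhere else is worth an alert regardless of who the account belongs to.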
“Guccifer 2.0, the “lone hacker” who took credit for providing WikiLeaks with stolen emails from the Democratic National Committee, was in fact an officer of Russia’s military intelligence directorate (GRU), The Daily Beast has learned. It’s an attribution that resulted from a fleeting but critical slip-up in GRU tradecraft.”
Yep, the conclusive attribution linking the hack back to the GRU was based on this one slip-up in GRU tradecraft. Which, at this point, is less of a slip-up and more like the actual tradecraft given the rate of these slip-ups. But this was a particularly big slip-up if real. Logging directly into Guccifer 2.0’s social media account from your computer at the GRU headquarters in Moscow seems like a big no-no. And that’s why this slip-up had such big implications for the investigation: without the slip-up, there apparently wasn’t actually any technical evidence linking this back to the GRU. At least, as of March of this year:
The article then notes how Guccifer 2.0’s claims of being a lone Romanian hacker were quickly exploded when Vice Motherboard issued a report about how Guccifer didn’t actually talk like a native Romanian speaker. Which, again, is a reminder of what a joke this operation was. We don’t know the exact nature of that joke and whether or not it was an intentional joke. But it was definitely a joke:
And while Guccifer 2.0 was assumed by virtually no one to be a lone Romanian hacker, the technical evidence just kept leading back to the Elite VPN server in France. Except once, when a GRU officer working out of the GRU headquarters in Moscow forgot to use the VPN service and directly logged into one of Guccifer 2.0’s social media accounts. This led directly back to a computer at the GRU’s headquarters:
So that’s one hell of a fun fact: the GRU was running this hacking operation out of its Moscow headquarters. Literally. They didn’t, like, go to an internet cafe or something.
Finally, we learn that Guccifer 2.0’s initial persona was eventually handed off to a more experienced officer, as evidenced by the change in Guccifer 2.0’s English skills:
Again, while the non-fluent use of Romanian in the initial Guccifer 2.0 posts was certainly amateurish, the more experienced GRU officer who allegedly took over apparently made the highly amateurish move of changing Guccifer 2.0’s use of English.
And that was the Daily Beast report from back in March about the other piece of evidence possessed by the investigators that purportedly linked straight back to the GRU. And it’s a remarkable piece of evidence given what it allegedly shows about GRU tradecraft, which is that the GRU is so lazy they run their high-profile hacking operations out of their headquarters.
It’s also noteworthy that this piece of evidence wasn’t cited in the indictment. It seems like it would be a lynchpin for the case.
So, at this point, we can summarize the technical evidence made public so far as “tenuously conclusive.” It generally sounds conclusive given the way the indictments confidently state who did what when in the execution of the hacking campaign and broader trolling effort. But we generally have no idea if the allegations are speculative or authoritative in nature. And when it’s unclear if the allegations are speculative or authoritative in nature, it’s tenuously conclusive at best. With the notable exceptions of the Moscow-based server allegation and this forgot-to-VPN allegation from back in March.
And the evidence is perhaps understandably vague if it comes from highly classified sources, like the hacking of a GRU server. But that just highlights how the nature of this investigation creates a “trust us” situation, because a lot of the most conclusive evidence for cyber investigations is probably going to be highly classified in nature. Like evidence gathered from hacked GRU servers. It’s pretty understandable if there’s a strong resistance to revealing something like that and saying “trust us” instead. But the more the evidence relies on a “trust us” dynamic, the more tenuous it inherently becomes. There’s no avoiding it.
But if we accept the “trust us” evidence in the indictment, it is conclusive. The GRU did it. The Moscow-based server allegation in the indictment alone is conclusive if real. And the forgot-to-VPN Guccifer login allegation in the above Daily Beast article is conclusive too if true. Either one basically nails the case.
And if the technical lynchpins come down to “trust us” evidence, it’s going to be a reminder of why the entire history of past intelligence community abuses and lying to the public — the entire history of it — is extra unhelpful in the age of cyberwarfare. Because “trust us” situations are always going to come up, and all those past abuses will inevitably be factored into the public decision to trust the “trust us”-based evidence. We need highly credible intelligence agencies, and you can’t change the past.
But while these two key pieces of critical technical evidence might be conclusive if accepted, there’s no getting around the fact that the bulk of the circumstantial evidence pointing towards GRU involvement all along has involved amazing mistakes and slip-ups and general incompetence. The screw-ups were there from the beginning. So did the GRU want to get caught or what? That seems like a really relevant question in this case.
Let’s also not forget that there was apparently a highly placed Kremlin informant who says Putin ordered the whole thing. That’s the other key piece of evidence that would appear to conclusively establish culpability. It’s sort of a ‘trust us and trust the informant’ piece of evidence.
So we’re at the point in the #TrumpRussia investigation where we know a lot of details about the nature of the conclusive evidence that we are told exists but have yet to see the actual evidence. It’s a significant advancement of Mueller’s case in terms of the specifics of the claims, but the evidence is all ‘yet-to-be-revealed’. And given that the accused GRU officers are unlikely to ever face trial, it’s unclear that the claimed evidence will ever be revealed. Although they really just need to conclusively prove that Moscow-based server or forgot-to-VPN allegations are true in order to make the case.
That’s all part of what makes Mueller’s latest indictments so intriguing. They claim to be conclusive, but they’re issued against people who will almost certainly not face the indictment in court, so it’s unclear if the evidence behind these allegations is ever going to be fleshed out. And it will be exceptionally unfortunate if it isn’t fleshed out, because these were the most important indictments the Mueller team has made thus far in terms of understanding how the hack took place and who carried it out. If they can prove these allegations, they have proved the case. But if they can’t prove these allegations, the core assertion of the US government that the GRU was behind the hacks will forever remain in the ‘trust us’ category and, at this point, we have no compelling reason to believe that conclusive evidence is going to be revealed. It’s almost a worst-case scenario for the case to end in a situation where the US government is essentially arguing, ‘we have the evidence, and it’s conclusive, but we can’t actually show it, so you just have to trust that we have it’.
Although the worst worst-case scenario is if the indictment is true. Because if there is conclusive evidence the GRU did the hacking, we have to face the awful possibility that Putin basically went mad and decided to unleash an international hacking spree using hackers who leave all sorts of “I’m a Russian hacker” amateurish clues. That’s really bad. It’s one of the reasons the “I’m a Russian hacker” amateurish nature of the hacks was always such a big red flag about this hacking. If it’s true, that’s really bad and we really are in peril. Because that’s the kind of cyber-showdown dynamic that potentially any third party can exacerbate with false-flag operations. And those false-flag operations will be exceptionally easy to pull off thanks to the inexplicably amateurish track record of Russia’s hackers in recent years. Just today, we got the latest report from the US about Russian hackers infiltrating the control systems of US utilities. And given the apparently amateurish ‘brand’ that Russia’s hackers have adopted, all sorts of other actors can now easily impersonate ‘Russian hackers’ while pulling off those kinds of devastating hacks. Hacks that would guarantee a major response. And when that’s the dynamic, it’s a situation that’s out of Putin’s control and out of anyone else’s, which is why this was such an insane move if Putin actually ordered this. The metaphorical ‘400 pound guy from New Jersey’ in his basement really could spark a major conflict someday.
But the peril that comes from potential cyber false flags designed to spark a conflict between the two main nuclear powers is also why the purportedly conclusive nature of the evidence in this indictment is potentially good news and also an important precedent. Because, while Russia’s government has been blamed for the hacks all along almost exclusively based on circumstantial evidence/pattern recognition (and, we later learn, the claims of the Kremlin mole), it’s inherently dangerous if the technical evidence in the indictment was also just based on circumstantial evidence and pattern recognition. If it’s good enough for Crowdstrike, that doesn’t mean it’s good enough for a government, especially when the consequences are an escalation of a cyberwar and false-flag setups.
But, again, the value of basing the indictment on at least one instance of specific evidence tied to the GRU is also why it will be very damaging to the Mueller case if the evidence conclusively tying this hack back to the GRU is never revealed and left in the ‘trust us’ category forever. And yet we have to face the reality that the evidence of that nature — the searches of a GRU server in Moscow — might be from a source that’s so sensitive that it can’t be revealed.
More generally, this is going to keep happening in real cases for governments everywhere, because governments are definitely going to be forced into ‘trust us’ situations over evidence in the cyber arena. Over and over. It’s unavoidable. Especially when the evidence was gathered from a hacking server run by the suspected rival intelligence agency. That’s the kind of evidence that potentially compromises the source by merely mentioning that it exists. So even if the Mueller team ends up revealing conclusive evidence tying this back to the GRU and it’s not all left in the ‘trust us’ realm, there’s still the inherent problem that ‘trust us’ situations are going to come up in the future. Over and over.
Plus, even if the Mueller team does eventually reveal the conclusive evidence — like a GRU server searching for phrases that showed up in Guccifer 2.0’s posts — there’s still going to be a ‘trust us’ dynamic given the inherently spoofable nature of cyber evidence. That just comes with the territory. The US government can release search logs and the Russian government can say they were faked. And that’s the case for almost all cyber evidence. It’s digital. It can be faked. Trusting the investigators and the sources of evidence is far more important in solving these kinds of cybercrimes than in other crimes. And there are going to be a lot more cybercrimes with geopolitical consequences in the future. That’s more or less guaranteed.
That ‘trust us, we have conclusive evidence’ aspect of this latest indictment is a reminder that one of the key lessons we should take from this entire #TrumpRussia nightmare experience is that it is imperative that countries build governments people can trust. And not just the trust of domestic audiences but also international audiences. How can societies build trustworthy national security states? It was always an incredibly important question, but now it’s even more important thanks to our mass embrace of information technology and the legal and evidentiary peculiarities of the cyber landscape.
So, while the latest Mueller indictment is one of the first and only hacking indictments ever of this nature — where a government formally charges another government’s hackers with a cyber attack (Obama did it to Chinese government hackers in 2014) — it’s also just one of the first in what is inevitably going to be a long line of future government-to-government hacking charges. In other words, it’s setting a precedent. And that’s why it’s nice that the indictment appears to be based on some very specific evidence. But that evidence is all in the ‘trust us’ realm and might remain there indefinitely if the indictment never leads to the extradition of the GRU members. And that’s not actually a great precedent.
If it turns out the evidence is BS and/or faked, that’s obviously very catastrophic. But if it turns out to be real evidence, that’s even more catastrophic in the sense that it means Putin went mad and just decided to blatantly hack the shit out of the West and not hide it, leaving stunningly amateurish clues on each hack. So it’s an overall catastrophic situation; we just don’t quite know yet the nature of the catastrophe. And we may not ever know. Which will perhaps be unavoidable due to the nature of the evidence. We’re going to be asked to trust national security states in the realm of cyber evidence. It’s that kind of catastrophe.
On the plus side, there are no doubt more indictments to come from the Mueller team for US citizens who will actually have to face trial (like Roger Stone), so hopefully the various allegations against the GRU get fleshed out during those trials.
There was a pair of new ‘Russian hacker’ stories this week that directly relate to the Trend Micro report issued back in January. That was the report where Trend Micro claimed with 100 percent certainty that ‘Fancy Bear’/APT28 was behind a series of fake websites and a phishing campaign designed to mimic the ADFS (Active Directory Federation Services) websites that handle logins to the US Senate’s email system, based on finding digital fingerprints that supposedly uniquely tie the attackers back to two previous hacks attributed to Fancy Bear.
Also recall that Trend Micro attributed the Macron hack to Fancy Bear with 99 percent certainty based on digital fingerprints that hack shared with previous hacks attributed to Fancy Bear, but it turns out those shared digital fingerprints were the same IP address blocks and similarities in the malware used, with particular reliance on the shared IP blocks, which is extremely weak evidence. So the confidence that Trend Micro has in its attributions appears to be rather questionable. And if Trend Micro is correct about these Senate email hacks and it really was Russia’s GRU hackers behind it, it was another instance where they apparently weren’t trying to hide it at all and instead just reused the same ‘digital fingerprints’ over and over in a manner that guarantees attribution will be tied back to ‘Fancy Bear’. It’s another one of those kinds of stories.
And now, thanks to some comments by Microsoft executive Tom Burt during a security conference panel in Aspen last week (Burt’s comments are at ~12:00–19:00 in the YouTube video of the panel), the story of those Senate email phishing sites is back in the news. But it was actually treated as new news and a new phishing attempt against the US Senate, because Burt misstates what happened and makes it sound like some new phishing sites were discovered earlier this year (as opposed to being publicly disclosed earlier this year after being found last year).
That mistake aside, Burt reveals something new: it was apparently three specific Senate offices that were targeted in the phishing attempt, although he doesn’t reveal which Senators were targeted.
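The phishing sites in the Trend Micro report worked by mimicking the hostnames of ADFS login pages, so the defensive side of the story is spotting registered domains that imitate your own federation hostnames before users are sent to them. The following is an added example of such a lookalike check; it is not code from the post, from Trend Micro or from Microsoft. The legitimate hostnames (`adfs.example.test`, `email.example.test`) and the candidate domains are all constructed placeholders, and the two heuristics (shared brand labels, and a small edit distance to a legitimate hostname) are the author of this example's choice, not a description of how any named vendor detects these sites.

```python
import re

# Constructed: the organisation's own federation / mail hostnames.
LEGIT_HOSTS = {"adfs.example.test", "email.example.test"}

# Constructed candidates, e.g. from newly registered domain feeds or certificate
# transparency logs. Two imitate the ADFS hostname, one is unrelated.
CANDIDATES = [
    "adfs.example.test",        # the real host: must not be flagged
    "adfs-exarnple.test",       # 'rn' for 'm', '-' for '.': classic lookalike
    "adfs.example-login.test",  # real labels wrapped in an unrelated registrable domain
    "news.unrelated.test",      # nothing in common
]


def brand_labels(hosts):
    """Labels that identify the organisation, ignoring the final (TLD) label."""
    labels = set()
    for h in hosts:
        labels.update(h.lower().split(".")[:-1])
    return labels


def levenshtein(a, b):
    """Standard edit distance (insert, delete, substitute) via a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,          # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify(candidate, legit=LEGIT_HOSTS, max_dist=3):
    """Return a reason string if `candidate` looks like an imitation, else None."""
    candidate = candidate.lower()
    if candidate in legit:
        return None
    # Heuristic 1: two or more of our brand labels appear in a domain we do not own.
    tokens = set(re.split(r"[.-]", candidate))
    shared = tokens & brand_labels(legit)
    if len(shared) >= 2:
        return "brand tokens: " + ",".join(sorted(shared))
    # Heuristic 2: the whole hostname is within a few edits of one of ours.
    best = min(levenshtein(candidate, h) for h in legit)
    if best <= max_dist:
        return f"edit distance {best}"
    return None


def scan(candidates):
    """List of (domain, reason) for every candidate that trips a heuristic."""
    return [(c, r) for c in candidates if (r := classify(c)) is not None]


if __name__ == "__main__":
    for domain, reason in scan(CANDIDATES):
        print(f"{domain}: {reason}")
```

Both heuristics are deliberately cheap and deliberately noisy; they are a triage filter for a registration feed, after which someone still has to look at what the domain actually serves. The point they make for this post is the opposite of attribution: a lookalike hostname tells you that someone is imitating you, not who.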
“Mr Burt told the Aspen Security Forum attendees: “Earlier this year, we did discover that a fake Microsoft domain had been established as the landing page for phishing attacks and we saw metadata that suggested those phishing attacks were being directed at three candidates who were all standing for election in the mid-term elections.””
So, according to Burt, Microsoft discovered a fake domain set up for phishing passwords from three US candidates. And this was earlier this year. As we’ll see, this was a mistake and he’s referring to the domains that were discovered last year and publicly revealed earlier this year.
But Burt wouldn’t say which candidates:
Ok, so how do we know that Burt wasn’t referring to a new set of domains discovered this year phishing for credentials to the Senate email system? Well, as the following article makes clear, Mr Burt misspoke and was actually referring to the phishing sites taken down last year.
The article also reveals the identity of one of the targets of the phishing campaign: Democratic Senator Claire McCaskill, who is up for reelection this year and considered one of the most vulnerable Democrats up for reelection.
The article also informs us that the attribution to Fancy Bear was important for allowing Microsoft to actually thwart the hack. Thanks to a lawsuit Microsoft filed against Fancy Bear, Microsoft now has the legal right in the US to seize any domains used by Fancy Bear that are intended to spoof a Microsoft domain. This is what allowed Microsoft to rapidly and legally seize the domains used in the Senate email phishing in October and redirect the traffic to a Microsoft-controlled server. Time was of the essence, and it was that successful lawsuit against Fancy Bear that enabled Microsoft to act fast in taking down the phishing sites.
And that points towards a rather disturbing new dimension to the current hyper-focus on Russian hacking to the near exclusion of all other sources of hacking: if rapidly and legally taking control of phishing domains can only be done when the hack is attributed to a previously sued hacking group like Fancy Bear, that’s going to create a powerful incentive to attribute future hacks to those past culprits regardless of the real strength of the evidence:
“The Russian intelligence agency behind the 2016 election cyberattacks targeted Sen. Claire McCaskill as she began her 2018 re-election campaign in earnest, a Daily Beast forensic analysis reveals. That makes the Missouri Democrat the first identified target of the Kremlin’s 2018 election interference.”
It’s a Daily Beast “forensic analysis”. Is that hyperbole, or is the Daily Beast actually doing forensic analysis of hacks now? Regardless, the conclusions of the Daily Beast forensic analysis appear to be identical to Trend Micro’s analysis of the Senate email phishing sites when they were discovered last year: it was Fancy Bear.
The specific phishing attempt against McCaskill’s office appears to have started around August of 2017. The phishing emails were pretty standard: they claimed to be from the Senate’s Microsoft Exchange server, warned that a password was about to expire, and if people clicked on the link they were taken to a fake version of the Senate’s Active Directory Federation Services (ADFS) login page:
It’s worth recalling how the Trend Micro report on this phishing campaign described it as not being “advanced in nature” and in keeping with a pattern of Fancy Bear (which Trend Micro calls “PawnStorm”) using the same ‘script’ over and over.
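The defender-side counterpart to the spoofed ADFS pages described above is watching for look-alike registrations before the phishing emails go out. The following is an added example (my own code, not from the article, Trend Micro or Microsoft): a small Python triage script that scores newly observed domain names against an organisation’s legitimate federation sign-in host, the kind of check run over certificate-transparency or passive-DNS feeds. The legitimate host name, the allowlist and the observed domains are all constructed placeholders; the Senate’s real ADFS host is not named anywhere in the article.

```python
"""Triage newly observed domains that resemble a legitimate ADFS sign-in host.

Added example (not from the article, Trend Micro or Microsoft). The legitimate
host, the allowlist and the observed domains are constructed placeholders.
"""
from difflib import SequenceMatcher

LEGIT_HOST = "adfs.example-senate.gov"  # ASSUMED placeholder, not the Senate's real host
ALLOWLIST = {LEGIT_HOST, "login.microsoftonline.com"}  # known-good sign-in hosts
# Words a spoofed sign-in page tends to borrow; two or more in one name is a flag on its own.
BRAND_TOKENS = ("adfs", "senate", "exchange", "microsoft", "office", "login")
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
SIMILARITY_THRESHOLD = 0.75

# Constructed feed, e.g. from certificate-transparency logs or passive DNS.
OBSERVED_DOMAINS = [
    "adfs.example-senate.gov",     # the real host
    "adfs-example-senate.com",     # dot-to-hyphen and TLD swap
    "adfs.exarnple-senate.gov",    # "rn" standing in for "m"
    "adfs.examp1e-senate.net",     # digit standing in for a letter
    "login.microsoftonline.com",   # genuine Microsoft host, allowlisted
    "senate-exchange-login.info",  # no string match, but three brand tokens
    "cdn.weather-forecast.org",    # unrelated
]


def normalize(domain: str) -> str:
    """Fold common typosquatting substitutions so look-alikes compare equal."""
    d = domain.lower().strip(".")
    if d.startswith("www."):
        d = d[4:]
    d = d.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")
    return d.replace("-", "")


def core_labels(domain: str) -> str:
    """Drop the last label (a crude public-suffix strip) so a TLD swap still matches."""
    labels = domain.split(".")
    return "".join(labels[:-1]) if len(labels) > 1 else domain


def score_domain(candidate: str, legit: str = LEGIT_HOST) -> dict:
    """Classify one domain as allowlisted, lookalike or benign, with a similarity score."""
    if candidate.lower().strip(".") in ALLOWLIST:
        return {"domain": candidate, "verdict": "allowlisted", "similarity": 1.0, "tokens": []}
    cand = core_labels(normalize(candidate))
    ref = core_labels(normalize(legit))
    similarity = SequenceMatcher(None, cand, ref).ratio()
    tokens = [t for t in BRAND_TOKENS if t in cand]
    verdict = "lookalike" if similarity >= SIMILARITY_THRESHOLD or len(tokens) >= 2 else "benign"
    return {"domain": candidate, "verdict": verdict, "similarity": round(similarity, 2), "tokens": tokens}


def triage(domains) -> list:
    """Return only the lookalikes, most similar first, for a human to review."""
    flagged = [r for r in (score_domain(d) for d in domains) if r["verdict"] == "lookalike"]
    return sorted(flagged, key=lambda r: r["similarity"], reverse=True)


if __name__ == "__main__":
    for hit in triage(OBSERVED_DOMAINS):
        print(f"{hit['domain']}: similarity {hit['similarity']}, tokens {hit['tokens']}")
```

Two caveats a practitioner would add before relying on this: the allowlist matters, because a genuine Microsoft sign-in host carries the same brand tokens as a spoof and would otherwise be flagged, and stripping only the last label is a stand-in for a proper public-suffix list (a `.gov.xx`-style suffix would be handled wrongly). The threshold is a constructed starting point, not a calibrated value.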
And to make it clear that Mr Burt was incorrect when he claimed that Microsoft discovered these Senate email phishing domains earlier this year, the article notes that Microsoft actually obtained control of one of the spoofed domains for the ADFS server in October. And Microsoft was able to seize those domains so rapidly thanks to its successful lawsuit against Fancy Bear that made it possible for Microsoft to rapidly seize fake domains spoofing Microsoft domains if it’s Fancy Bear doing the spoofing:
And it sounds like the period when Microsoft was seizing domains assumed to be run by Fancy Bear was from August to December of 2017. This is based on the records of the legal case Microsoft has against Fancy Bear:
And that all clarifies that there wasn’t a new set of phishing sites identified by Microsoft in early 2018. When Microsoft executive Tom Burt told the audience at the security conference in Aspen last week that Microsoft discovered phishing sites targeting three US candidates earlier this year, he was erroneously referring to the public disclosure of this phishing campaign made in January of 2018 with Trend Micro’s report, where Trend Micro attributed the campaign to Fancy Bear with 100 percent certainty. And Microsoft took control of those domains from August to December of 2017 using its lawsuit against Fancy Bear, a lawsuit that required the phishing sites be attributed to Fancy Bear to allow for the rapid takeover of the phishing domains.
And that’s all why the 100 percent certainty of Trend Micro’s attribution of the Senate email phishing campaign should probably be expected for a lot more cyber attack attributions going forward. Certainty will help in overcoming the legal obstacles to the actions required to stop phishing campaigns, like seizing domains. It’s just an inherent aspect of how implementing the rule of law is going to create some biases in the cyber-attribution realm: when cybersecurity firms attribute a hack, it’s going to be convenient to attribute it to an entity your client already has a court order against for a previous hacking attempt when seizing domains is an option. And that’s also an additional incentive for third parties to leave ‘Fancy Bear’ digital fingerprints (like using the same web hosting service with the same IP address blocks).
And if Trend Micro and Microsoft are correct in their Fancy Bear attribution for this phishing campaign, it’s just one more high-profile incident of Fancy Bear trying to get caught. Because think about it: imagine ‘Fancy Bear’ deciding to leave the same digital ‘fingerprints’ in a US Senate email spearphishing campaign that tie the hack back to previous hacks already attributed to Fancy Bear in 2015 and 2016. With every hack it seems easier to attribute, because it’s like a growing trail of previous hacks: the same malware and the same command and control servers or VPNs or whatever the particular ‘digital fingerprints’ were that got previously attributed to Fancy Bear. That’s asking to get caught, which is what Fancy Bear apparently tries to do over and over. This Senate email phishing campaign is just one piece of a much larger puzzle, that puzzle being the exact strategy of blatant self-attributing hacking that Putin is apparently employing. It seems like a strategy designed to turn Russia into some sort of hacking pariah, so that’s really scary if this is actually Putin’s hacking project.
It’s also really scary if it’s the GOP pretending to be Fancy Bear. Or neo-Nazis or whatever. That’s a different kind of really scary and much, much scarier given the current context.
Well, that’s interesting: the National Republican Congressional Committee (NRCC) just revealed that it suffered a serious hack this year. Recall how the Republicans actually suffered a hack in 2016 as well, when Smartech, a GOP IT firm, was hacked and several hundred emails were stolen (but never released). This 2018 hack sounds more serious, although it’s still limited to stolen emails.
The hack was discovered in April and it was determined that the email accounts of four NRCC senior aides were surveilled for several months. It sounds like it was just a hack involving the theft of the email passwords for these four individuals and didn’t involve malware on the NRCC network, so it’s not nearly as serious as what the Democrats experienced in 2015/2016. But it still sounds like thousands of emails described as “sensitive” were indeed taken by the hacker.
Adding to the intrigue is that the NRCC apparently didn’t tell anyone until now, not even senior House Republicans. House Speaker Paul Ryan, Majority Leader Kevin McCarthy, and Majority Whip Steve Scalise reportedly all had no idea about this hack until a Politico reporter contacted them for comment for the following article.
And here’s the extra intriguing part: the explanation for why the NRCC didn’t even inform the House Republican leadership is that they feared revealing the hack would compromise efforts to find the culprit. And that sounds a lot like there were suspicions that this was an inside job. The fact that there have been no blackmail attempts or use of the hacked information further points towards a possible inside job.
Not surprisingly, the suspect at this point is some foreign hacker. What are those suspicions based on? We are only told that they are based on “the nature of the attack”.
Oh, and guess which company the NRCC alerted to help investigate the hack back in April: CrowdStrike! As we’ll see, CrowdStrike already had a contract with the NRCC to protect its networks. The particular cybersecurity firm that discovered the hack was MSSP, which was hired to monitor the NRCC’s networks, with CrowdStrike assisting in MSSP’s monitoring of the NRCC network. MSSP contacted CrowdStrike and the FBI after discovering the hack, and CrowdStrike is taking part in the investigation, so we should probably expect either Russia or China to end up getting the official blame at some point.
And note that there’s no mention of “spearphishing” in all of this. Given that it sounds like the only thing the hackers obtained was the passwords of four email accounts, that would normally point towards a successful spearphishing attack if this really was an outside hacker. So the lack of any mention of spearphishing also points towards a possible inside job since Republican insiders would be the ones most likely to be able to obtain passwords through some other means.
As we’re also going to see, the NRCC began negotiations with Democrats in May of this year (so following the discovery of the hack) on an agreement about the use of hacked materials in elections. NRCC chairman Steve Stivers led the Republican side of the negotiations. The negotiations were proceeding, and it sounds like the two parties were close to reaching an agreement. But then, at the last minute, Stivers pulled out of the negotiations. This was in September, just two months before the mid-term elections. Also keep in mind that one of the four senior aides was likely Stivers’s senior aide. We don’t know that’s the case, but if four senior aides had their emails hacked, it seems likely that one of them is an aide to the chairman.
What was the basis for the GOP pulling out of these negotiations in September? Well, Stivers had agreed to language that would reject “(promoting) or (disseminating) hacked materials to the press, regardless of the source.” The Democrats tried to add language that “neither committee will use known stolen or hacked information”. It was after the Democrats added that language about agreeing not to use hacked information that Stivers pulled out of the negotiations. Stivers is on record opposing the idea of agreeing not to use released hacked documents. Back in June, during an event, Stivers said he would not “run down one of my candidates for using something that’s in the public domain,” and that, “once something is in the public domain, I’m not sure you can say, ‘Let’s ignore this.’ ”
But Stivers gives a different explanation for why he pulled out of the negotiations. It basically makes no sense. A week before Stivers pulled out of the negotiations, the Democrats’ negotiator told the Wall Street Journal that he “would hope that Steve and I are able to roll something out that we agree on this week,” adding, “I think that we’re close.” Stivers said this was the latest attempt by Democrats to pressure the NRCC through the media, saying it “was sort of the straw that broke the camel’s back on trust.”
So the NRCC found out about a hack in April and informed CrowdStrike and the FBI, but didn’t inform the House leadership or rank-and-file GOPers, ostensibly because they were concerned about tipping off the hackers, which suggests concerns of an inside job. Then, in May, the chairman of the NRCC, Steve Stivers, entered into negotiations with the Democrats over an anti-hack-exploitation agreement. The negotiations went on for about four months until Stivers suddenly pulled out in September after the Democrats tried to add a provision that would ban the use of hacked materials in campaign ads. Yes, two months before the mid-terms, the NRCC pulled out of an agreement with the Democrats not to use hacked documents in campaign ads, at the same time the NRCC was apparently very concerned about the hacking of four of its senior aides months earlier. And, of course, they are leaning towards this being foreign hackers, although we aren’t given any explanation of why they arrived at that conclusion other than the ‘nature of the attack’:
“The email accounts of four senior aides at the National Republican Congressional Committee were surveilled for several months, the party officials said. The intrusion was detected in April by an NRCC vendor, who alerted the committee and its cybersecurity contractor. An internal investigation was initiated, and the FBI was alerted to the attack, said the officials, who requested anonymity to discuss the incident.”
So back in April, an NRCC cybersecurity vendor detected an intrusion, and the NRCC started an internal investigation and alerted the FBI. Curiously, almost no one else was alerted, including House Republican leadership. Why? Well, according to the NRCC, they feared revealing the hack could make it harder to find the culprit:
And while not revealing the hack to the public over concerns about tipping off the hacker is a legitimate concern, that doesn’t explain why they wouldn’t have quietly alerted Republican House leaders like Paul Ryan...unless the hacker suspect list included Republican leaders. Otherwise it’s just bizarre to keep that a secret from the party leadership. But that’s the official line from the NRCC.
And while none of the emails have emerged in the public domain and no blackmail attempts have been made, the NRCC claims to privately believe it was a foreign agent ‘because of the nature of the attack’, which is a remarkably vague description of the basis for that attribution. But when we learn who did the investigating, it’s no surprise that a foreign agent is at the top of the suspect list: CrowdStrike, which had already been retained by the NRCC for cybersecurity services:
Recall how CrowdStrike’s co-founder, Dmitri Alperovitch, played a critical role in recent years in a significant change in how the US responds to hacks. In particular, recall how the cybersecurity industry traditionally didn’t make declarations about which particular nation-state might be behind a hack, due to the highly ambiguous nature of cyber attribution based on ‘pattern recognition’ (i.e. matching up the malware, servers, techniques, etc. used in new hacks with those of previous hacks and looking for patterns) and the fact that such evidence is inherently spoofable by third parties. But Alperovitch, a Russian expat, has long advocated for the US to address this challenge by arriving at a hard conclusion of culpability, openly declaring that a particular country is the guilty party, and warning of future consequences. Alperovitch was reportedly delighted when the US decided to do so in the case of the DNC hack. Also recall that Alperovitch is a senior fellow at the Atlantic Council. Given that background, it’s important to keep in mind that CrowdStrike is a company that is ideologically driven to arrive at the conclusion that ‘foreign agents’ (especially foreign agents the Atlantic Council doesn’t like) are behind high-profile hacks. The fact that both the NRCC and the DNC hired CrowdStrike is an example of how the company is considered a very US national security state-friendly company.
Now, let’s take a look at the following article, which gives a few more fun facts about the NRCC hack. It sounds like the hackers did not get access to the actual NRCC network but instead just got the email passwords of those four senior NRCC aides. No information is given about how those passwords were obtained. Keep in mind that if the hackers just got the email passwords, that would normally point towards a successful spearphishing operation. But the NRCC is refusing to give any information about how the passwords were obtained. And if it wasn’t a spearphishing operation behind this, that would again point towards the possibility of an inside job, because getting email passwords without using spearphishing is the kind of thing one can imagine a fellow GOPer carrying out through all sorts of means.
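The ‘pattern recognition’ described here, and the earlier point that Trend Micro’s Macron attribution leaned on shared IP blocks, both come down to how much weight each kind of overlap gets. The following is an added example (my own sketch, not Trend Micro’s or CrowdStrike’s method): a Python scorer that compares a new incident’s indicators against prior activity clusters, with a weight per indicator kind and a discount for indicators a third party could reuse at no cost (a shared hosting netblock, a malware family whose source is public). It shows the gap between a naive hit count and a weighted score on the same data. All cluster names, indicators, IP ranges (RFC 5737 documentation ranges) and weights are constructed for illustration.

```python
"""Weighted indicator overlap between a new incident and prior activity clusters.

Added example (not from the article, Trend Micro or CrowdStrike). All cluster
names, indicators, IP ranges (RFC 5737 documentation ranges) and weights are
constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Weight per indicator kind: how much an overlap of that kind should move the needle.
# Assumed illustrative values, not an industry standard.
WEIGHTS = {"ip_block": 0.1, "ttp": 0.2, "c2_domain": 0.3, "malware_hash": 0.4}
SPOOFABLE_DISCOUNT = 0.5  # applied when anyone could have reused the indicator


@dataclass(frozen=True)
class Indicator:
    kind: str               # "ip" (observed address), "ip_block", "c2_domain", "malware_hash", "ttp"
    value: str
    spoofable: bool = False  # True if an unrelated party could reproduce it at no cost


# Prior clusters built from earlier incidents (constructed sample data).
PRIOR_CLUSTERS: Dict[str, List[Indicator]] = {
    "CLUSTER-A": [
        Indicator("ip_block", "203.0.113.0/24", spoofable=True),       # shared hosting range
        Indicator("c2_domain", "update-check.example"),
        Indicator("malware_hash", "sha256:aaaa-constructed", spoofable=True),  # tool source is public
        Indicator("ttp", "password-expiry lure to fake sign-in page", spoofable=True),
    ],
    "CLUSTER-B": [
        Indicator("ip_block", "198.51.100.0/24", spoofable=True),
        Indicator("c2_domain", "mail-settings.example"),
        Indicator("malware_hash", "sha256:bbbb-constructed"),
    ],
}

# What was observed in the new incident (constructed).
NEW_INCIDENT: List[Indicator] = [
    Indicator("ip", "203.0.113.77"),
    Indicator("ttp", "password-expiry lure to fake sign-in page"),
    Indicator("malware_hash", "sha256:aaaa-constructed"),
    Indicator("c2_domain", "login-refresh.example"),
]


def matches(observed: Indicator, prior: Indicator) -> bool:
    """An observed IP matches a prior netblock; everything else matches on exact value."""
    if observed.kind == "ip" and prior.kind == "ip_block":
        return ipaddress.ip_address(observed.value) in ipaddress.ip_network(prior.value)
    return observed.kind == prior.kind and observed.value == prior.value


def weight_of(observed: Indicator) -> float:
    kind = "ip_block" if observed.kind == "ip" else observed.kind
    return WEIGHTS.get(kind, 0.0)


def score_against(observations: List[Indicator], cluster: List[Indicator]) -> dict:
    """Return a naive hit ratio alongside a weighted, spoofability-discounted score."""
    total_weight = sum(weight_of(o) for o in observations)
    hits, matched_weight, detail = 0, 0.0, []
    for obs in observations:
        hit = next((p for p in cluster if matches(obs, p)), None)
        if hit is None:
            continue
        hits += 1
        w = weight_of(obs) * (SPOOFABLE_DISCOUNT if hit.spoofable else 1.0)
        matched_weight += w
        detail.append((obs.kind, obs.value, hit.spoofable, round(w, 2)))
    return {
        "naive": round(hits / len(observations), 2),
        "weighted": round(matched_weight / total_weight, 2) if total_weight else 0.0,
        "detail": detail,
    }


def rank_clusters(observations: List[Indicator]):
    """Rank prior clusters by weighted overlap, best candidate first."""
    scored = [(name, score_against(observations, inds)) for name, inds in PRIOR_CLUSTERS.items()]
    return sorted(scored, key=lambda item: item[1]["weighted"], reverse=True)


if __name__ == "__main__":
    for name, result in rank_clusters(NEW_INCIDENT):
        print(f"{name}: naive overlap {result['naive']:.2f}, weighted {result['weighted']:.2f}")
        for kind, value, spoofable, w in result["detail"]:
            print(f"  {kind}={value} spoofable={spoofable} contributes {w}")
```

On the constructed data, three of the four observed indicators match CLUSTER-A, a naive overlap of 0.75, yet every one of those matches is something a third party could have reproduced, so the weighted score is 0.35. The point is not the particular numbers (the weights are assumptions) but that the score is dominated by the weights and the spoofability judgement, which is exactly where the disagreement over an attribution like Trend Micro’s actually lives.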
And as the article also notes, the NRCC and DNC had actually been in the middle of negotiations this year over a treaty to not use hacked materials in elections, but those negotiations broke down months before the mid-terms:
“The attackers could have signed into those officials’ accounts as if they were the officials themselves, the source said. To do this, the source said the attackers had obtained the passwords belonging to the officials. The source would not say how the attackers obtained the passwords.”
So we know the attackers only got the passwords, but there’s no talk of spearphishing. Again, that hints at a possible inside job.
Also note how it sounds like CrowdStrike was informed of the hack before the FBI got involved:
And amazingly, at the same time the NRCC was quietly and secretly freaking out about these hacked emails, the heads of the NRCC and DNC were engaged in prolonged negotiations over not using hacked materials in election ads during the 2018 mid-terms, but the talks broke down due to “an erosion of trust”:
“We are not seeking stolen or hacked material, we do not want stolen or hacked material, we have no intention of using stolen or hacked material.” That was the statement by then NRCC chairman Steve Stivers after the collapse of the negotiations.
So what exactly caused that erosion of trust between the NRCC and DNC? Well, as the following article from back in September describes, it turns out the NRCC broke off the talks. Also, the talks started in May, the month following the NRCC’s discovery of this email hack. Given the timing, it would be interesting to know if the NRCC initially reached out to the DNC for these negotiations, but we aren’t told which side started them.
The Democrats point to the fact that, right before the talks broke down, they had added language to a proposed agreement about not using hacked materials in election ads and the NRCC balked at it, as the reason for the collapse of the talks. They also point out that NRCC chairman Steve Stivers, who led the negotiations, had argued back in July that it would be too much to expect candidates not to use hacked material once it’s ‘out there’. In other words, when Stivers assures the world that the NRCC has no intention of using hacked materials, he’s presumably only talking about the NRCC itself, not individual Republican candidates.
Stivers counters that the reason he broke off the negotiations is that he was allegedly very upset that the Democrats had given an interview with the Wall Street Journal and said they were optimistic that an agreement could be reached soon. That, according to Stivers, was an attempt to pressure the NRCC into making the agreement. Democrats counter that it was Stivers who made the secret negotiations public in the first place back in June when he talked about it with reporters.
Yep, the NRCC/DNC negotiations over an agreement not to use hacked materials in election ads broke down when the Democrats attempted to add language to the agreement about not using hacked materials in election ads, but the NRCC wants to assure us that it broke down because the Democrats were publicly optimistic that an agreement could be reached:
“The head of House Republicans’ campaign arm defended abruptly pulling out of late-stage negotiations with Democrats on a pledge to reject using hacked materials in election ads, citing an erosion of trust between the parties.”
Yes, as we can see, it was the NRCC that pulled out of these negotiations back in September, two months before the mid-terms. And yet Stivers wants to assure us that the NRCC has absolutely no interest in politically exploiting any hacked materials. Instead, Stivers makes the bizarre case that it was the Democrats trying to pressure the NRCC through the media that led to an erosion of trust. And what did the Democrats do to pressure the NRCC through the media? The DNC negotiator told the Wall Street Journal that he “would hope that Steve and I are able to roll something out that we agree on this week,” adding, “I think that we’re close.” That was apparently what caused the erosion of trust:
The Democrats counter that the talks broke down right after they added language that “neither committee will use known stolen or hacked information” on top of Republican language to reject “(promoting) or (disseminating) hacked materials to the press, regardless of the source.” So at the time of the breakdown in negotiations, the NRCC merely wanted to agree that it wouldn’t promote the use of hacked materials:
Democrats also point out that it was Stivers himself who initially made these talks public. And during that WSJ/NBC News event back in June when Stivers made these talks public, he said he would not “run down one of my candidates for using something that’s in the public domain,” adding, “Once something is in the public domain, I’m not sure you can say, ‘Let’s ignore this’ ”:
And note the month the talks started: May, which just happens to shortly follow the April discovery of the NRCC hack:
It will be interesting to learn which side started the talks.
So how is it that the NRCC discovered thousands of “sensitive” emails were hacked, and it was a topic of serious consternation for the NRCC in the lead-up to the mid-terms, and yet the NRCC apparently pulled out of the negotiations at the last minute when the Democrats tried to add language to the agreement that neither side would use hacked materials in ads? Wouldn’t such an agreement have been a dream come true for the NRCC? Were there expectations of a hack against the Democrats?
Might it be that the NRCC had already determined that the hack was likely an inside job done by someone who had no intention of releasing the emails to the public, and that’s why Stivers was so cavalier about it? Or might it be the case that the GOP already has many more caches of hacked documents on Democrats that it’s planning on using in 2020? At this point we don’t know. But given that the NRCC refused an agreement of this nature at a time when it had every incentive to make such an agreement, it’s hard to avoid the conclusion that the Republican Party has big plans for the use of hacked materials in the future.
But hey, at least the NRCC was willing to go as far as agreeing to not promote the use of hacked emails or the hacking of its opponents. Baby steps.
Here’s an article in Vice from back in October that relates to a number of different stories: it’s a story about the Saudi government’s lead hacker Saud Al-Qahtani and his history of seeking out hacking tools for the Saudi government.
First, recall how Al-Qahtani is close to Mohammed bin Salman and is the same figure who is believed to have orchestrated the murder of Jamal Khashoggi. He also basically became the Saudi government’s official fall guy in the wake of the international outcry.
Next, recall how Al-Qahtani was previously identified as the point of contact between the Saudi government and Hacking Team, the Italian company that made malware tools for governments. Hacking Team itself got hacked in 2015, and according to the released hacked documents the Saudi government had been a client of Hacking Team since 2010. By May of 2016, when Hacking Team was losing clients following the embarrassment of getting hacked, a mysterious investor who appears to be close to the Saudi government, Abdullah Al-Qahtani, invested in the company (taking 20 percent of the shares).
And don’t forget the important potential tie-in between the leak of Hacking Team’s hacked malware and the March 2016 ‘Fancy Bear’ hack of the Democrats: a key part of the basis for the attribution of that hack to the GRU was the discovery of the X‑Agent malware on the hacked server. It was basically assumed by CrowdStrike that X‑Agent was exclusively a GRU tool. But in March of 2017, a security researcher at Malwarebytes wrote about how the X‑Agent source code appears to be based on hacking code created by Hacking Team. In other words, not only was the X‑Agent code likely ‘in the wild’ at the time of the hack, but versions of it may have actually been sold to governments around the world for years.
But it’s important to note that Hacking Team isn’t the only company specializing in selling hacking tools to governments that the Saudi government has been purchasing from. Recall how the murder of Jamal Khashoggi was preceded by the hacking of his phone using what appeared to be malware purchased from NSO Group. Also recall how Michael Flynn was on the advisory board of Luxembourg-based OSY Technologies and consulted for the US-based private equity firm Francisco Partners, and it turns out Francisco Partners owns NSO Group and OSY is an NSO offshoot. Flynn joined OSY in May of 2016 and was paid more than $40,000 to be an advisory board member from May 2016 to January 2017. NSO Group’s approach to ensuring governments don’t abuse its software was to largely rely on governments to police themselves.
And that brings us to the following Vice article from back in October, because it’s in this article that we learn how the Saudi government, specifically Saud Al-Qahtani, was trawling a popular hacking forum called “Hack Forums” in search of malware and advice, and even hiring people from the forum for various services. It turns out he used the same email address, saudq1978@gmail.com, to register for Hack Forums that he used to contact Hacking Team for technical support. Forum users report that they assumed he was working for the Saudi government at the time.
There’s one detail in the article that’s especially notable in relation to the ‘Fancy Bear’ hack of the Democrats in March of 2016: Al-Qahtani’s activity on Hack Forums started in 2009 under the username Nokia2mon2, and Nokia2mon2 continued to post on the forum until April of 2016. So Al-Qahtani was comfortable posting on this forum for around seven years and then suddenly, right after the ‘Fancy Bear’ hack of the Democrats’ servers, he stopped posting there.
At the same time, given that the Saudi investment in Hacking Team appears to have taken place in May of 2016, it’s entirely possible that the reason Al-Qahtani stopped posting on Hack Forums a month earlier is that the Saudi government basically purchased a bunch of Hacking Team’s staff and expertise, and someone else took over from Al-Qahtani at that point whenever the hacking forums needed to be trawled. Plus, it sounds like a lot of Al-Qahtani’s posts on Hack Forums were asking relatively basic questions that Hacking Team’s experts presumably wouldn’t need to ask.
So the April 2016 timing of the end of Al-Qahtani’s postings on Hack Forums is potentially suspicious in relation to the hack of the Democrats’ servers, but it might simply indicate that the Saudi investment in Hacking Team gave the government the expertise that made most of those Hack Forums posts unnecessary. Also don’t forget that the Saudi government hired Joel Zamel’s Psy Group in 2016 to plot a digital dirty tricks campaign to help Trump defeat Hillary. So the Saudi government may simply not have needed much outside technical hacking expertise for its digital dirty tricks starting in 2016. The elite commercial hacking space may have simply made Saud Al-Qahtani’s Hack Forums trawling unnecessary.
Either way, that Hacking Team investment undoubtedly made Saudi Arabia a more potent entity in the hacking space. There’s a big global market in hacking tools for governments and the Saudi kingdom is clearly a big customer so we should probably expect a lot more Saudi-related hack stories going forward.
Finally, it’s worth noting the timing of the article and how it relates to the emerging story of the blackmail attempt against Jeff Bezos by AMI, the publisher of the National Enquirer. First, recall how Bezos’s private investigators are hinting at a government being behind the hack, and that strongly points in the direction of the Saudi government given the reports that David Pecker was apoplectic over the Washington Post’s investigation of AMI expanding its operations in Saudi Arabia. Then the Wall Street Journal just reported that the Saudi government has been secretly paying a number of US media outlets for positive coverage, including Vice Media. Well, it turns out that, back in October while the outrage over the Khashoggi murder was at its peak, Vice announced that it was reviewing its contract with SRMG, a Saudi publishing group with close ties to the government, to make some documentaries about Saudi Arabia.
And then a week later Vice published the following report on Saud Al-Qahtani trawling hacker forums. Although we shouldn’t assume that Vice wasn’t previously reporting on the Saudi Hacking Team story because of its Saudi media contract: in January of 2018, Vice’s Motherboard broke the story on the Saudi investment in Hacking Team, and its contract was to make documentaries. But it sounds like Vice was far from the only media company hired by the Saudi government in recent years to get one form of positive coverage or another, and that means we should definitely assume there’s a LOT of Saudi money sloshing around the US media and think tanks and anywhere else where money might buy better coverage for the kingdom.
Vice’s decision to review its documentary contract also points at one of the ways the outcry over the murder of Jamal Khashoggi seriously harmed the Saudi government’s global image: the murder of Khashoggi looked so bad the media companies hired to give them a good look considered canceling their contracts. Contracts that are probably paying a premium these days.
So that’s all part of why this story from October about Saud Al-Qahtani’s hacking history relates to so many different major stories: There’s just a lot of hacking stories and media manipulation stories these days that tie back to Saudi Arabia:
“Saudi Arabia has become a sophisticated hacking machine, able to target dissidents living on the other side of the world with expensive spyware. The regime has long focused on surveillance; the country bought hacking tools from Italian spyware vendor Hacking Team, according to emails that became public after the company was hacked in 2015. Several Saudi agencies paid Hacking Team almost 5 million euros in five years, according to spreadsheets leaked as part of the 2015 Hacking Team breach. In 2016, a year after Hacking Team’s embarrassing breach, a mysterious Saudi investor acquired 20 percent of the company, saving it from going under, as Motherboard reported earlier this year.”
Hacking Team, the Italian government hacking toolkit firm, gets hacked in 2015, starts losing clients, and a mysterious Saudi investor acquires a 20 percent stake in 2016 (likely May of 2016). And it turns out Hacking Team’s contact with the Saudi government, going back to 2012, was Saud Al-Qahtani, the same government official close to Mohammed bin Salman who led the Jamal Khashoggi murder operation and was made the official fall guy by the Saudi government to cover for bin Salman ordering the operation. Al-Qahtani is also Saudi Arabia’s social media operations guy. So he’s a pretty busy guy. Or was busy before the Khashoggi murder:
Yes, Al-Qahtani was seen as MBS’s ‘Steve Bannon’. It’s a profoundly chilling description.
And MBS’s ‘Steve Bannon’ was in charge of trawling the internet looking for hacking tools to use against dissidents and interfacing with companies like Hacking Team for technical support and meetings:
When the Saudi government’s hacking expert needed hacking expertise he went to Hacking Team. And who knows how many other hacking firms too. We know the Saudi government is a client of NSO Group too.
According to Hacking Team’s hacked email, Al-Qahtani reached out to Hacking Team in 2012 for the purpose of buying spyware. But despite Hacking Team’s services, Al-Qahtani was posting on Hack Forums for years for expertise. Using the same saudq1978@gmail.com email address to create his Hack Forum profile that he used to communicate with Hacking Team:
Interestingly, the only reason we know that saudq1978@gmail.com was used by Al-Qahtani to register for the Hack Forums is because those forums got hacked in 2011. Which is kind of ironic and kind of fitting. Either way, Al-Qahtani’s Nokia2mon2 account was described as “prolific” in its requests for help:
A potentially important detail in relation to the DNC hack is that Al-Qahtani made 501 posts as Nokia2mon2 between 2009 and April of 2016, when the account went inactive. So right around the time of the DNC server hack, Al-Qahtani stops posting in the hacker forum:
But there was that Saudi investment in Hacking Team in May of 2016, so perhaps that explains Saud Al-Qahtani’s Nokia2mon2 account going quiet a month earlier after seven years of posting. Maybe the investment just got the kingdom much better on-call hacking tech support that made the Hack Forums posts unnecessary.
But when Al-Qahtani was posting on Hack Forums, it sounds like he was willing to hire strangers he met on these cybercrime forums for help and would pay them to target other people. And he was remembered as paying a lot for relatively simple services:
Overpaying strangers on the cybercrime forums to target political opponents and dissidents. It’s all in a day’s work for MBS’s ‘Steve Bannon’.
And that all gives a much better idea of Saudi Arabia’s hacking capabilities from around 2009–2016: the chief of hacking capabilities was on hacker forums asking for technical support and offering to pay for people to carry out basic hack attacks on the kingdom’s opponents.
And the Hack Forums posts all end in April of 2016, a month after the DNC hack and a month before the Saudi investment in Hacking Team. It explains why the Hacking Team investment was probably a pretty good investment and why we should expect a lot more Saudi investments in hacking expertise. Far fewer cybercrime forum posts are required.
And don’t forget that the Saudi government is just one of many governments around the world that would probably like to buy themselves some elite hacking capabilities, which is why ‘government hacker for hire’ is probably going to be a pretty good job market for the foreseeable future.
As the US 2020 presidential election cycle gets underway, one of the many horrible looming questions is whether or not we’re going to see a repeat of the 2016 #TrumpRussia dynamic. Specifically, whether or not we’re going to see a major political hack that, based on the technical evidence, could have been pulled off by anyone but gets reflexively blamed on the Russian government by default regardless of the strength of the evidence. And are we going to see a repeat of the massive social media right-wing disinformation campaign that is also almost reflexively blamed on Russia, despite the fact that the available evidence of the Kremlin troll farm activity indicates it was insignificant in 2016 compared to the Republican Party’s massive disinformation apparatus? And as the following articles suggest, yes, we are poised to see a repeat of both of those phenomena.
For starters, as the following Daily Beast article highlights, it’s becoming increasingly clear that the Trump campaign and the Republican Party in general are actively planning on exploiting political hacks. Or at least are very open to it if the opportunity arises. And they aren’t hiding it. That’s the picture that emerges after the Daily Beast asked all of the Democratic campaigns that have already announced and the Trump campaign whether or not they would pledge to not use hacked materials in the 2020 campaign. The only campaign that wouldn’t take the pledge is, of course, the Trump campaign.
Now, in fairness, we have to note that the nature of an ‘anti-hack’ pledge can be somewhat vague. Is it a pledge to not actively seek out hacked materials? If so, that’s definitely a pledge we would want the Trump campaign to make, given that the campaign was deeply involved with the entire Peter Smith operation to make contact with hackers they believed had previously hacked Hillary Clinton’s private email server. An operation that included multiple Trump people (Michael Flynn, Steve Bannon, Kellyanne Conway, and Sam Clovis).
Or is the pledge to not actively work with entities like Wikileaks to maximize the political impact of a hack? If so, that’s also a pledge we would definitely want the Trump campaign to make, given the multiple campaign contacts with Wikileaks. There was Roger Stone’s apparent contacts with Wikileaks. Contacts that allegedly took place in the spring of 2016. And Roger Stone’s admitted contacts with “Guccifer 2.0”. Plus Don Jr’s contact with Assange in the fall of 2016. And we can’t forget Cambridge Analytica’s offer to Wikileaks to help index the hacked emails to make them easier to search. In other words, we have every reason to believe that the Trump team is more than happy to actively work with hackers because they repeatedly attempted to do so already.
But this ‘no hacking’ pledge could be a far more general pledge to not even make reference to hacked materials, even if they are independently released by hackers who have nothing to do with the campaign. And that’s the pledge the Daily Beast asked the campaigns if they were willing to make: a pledge to not use or reference hacked materials that get released. This is a much trickier pledge to take, simply because once information is released it’s much harder to expect campaigns to totally ignore that information if it becomes part of the media coverage. Plus, if it turns out the Trump campaign gets hacked and documents released, it would almost be wrong for the Democrats to ignore that information after the Trump campaign’s 2016 behavior. Especially after the Trump campaign refuses to make any sort of pledge for 2020.
And it turns out all of the Democratic campaigns agreed to make that pledge. If the Trump campaign gets hacked and the materials are released, all of the Democrats agreed to not even reference it.
And as the following article notes, the Democratic and Republican parties had actually been working on an anti-hacking agreement between the two parties, but the Republican Party eventually backed out of the talks, citing the idea of agreeing to not even refer to released hacked materials as going too far.
So we have the Democrats already pledging to not even reference hacked materials at the same time the Republican party refuses and the Trump campaign refuses any pledge at all. Not even a much weaker pledge to not seek out hacked materials. That raises the obvious question of whether or not the Democrats will be expected to stick to those pledges if the Republicans never return the favor. But at this point there should be little question as to whether or not the Republican party and the Trump campaign are planning on relying on political hacks as part of their 2020 campaign strategies:
“The Daily Beast asked each presidential campaign either up-and-running or in its exploratory phase whether they would commit to not knowingly using or referencing hacked material that appears online on grounds that it may have been obtained illegally.”
That was the question the Daily Beast asked each campaign: will you pledge to not use or reference hacked materials. And only the Trump campaign refused to make that commitment:
And the Trump campaign isn’t alone in refusing to make such a commitment. As the article notes, when the Democratic and Republican parties tried to make a no-hacking pact, the Republicans balked at the idea of not even referencing hacked materials once they’re released. And while it’s a somewhat valid argument that it would be virtually impossible to ignore information that’s already in the public domain, it’s also a very valid counter-argument to point out that we have every reason to suspect the GOP of planning on exploiting future hacks and that’s why the party is refusing the pledge:
So that’s all one reason we should expect a repeat of the 2016 hacks. Next, the following two articles highlight why we should expect any 2020 hacks to be reflexively attributed to Russia regardless of the strength of the evidence.
First, here’s a Politico article about a “sustained and ongoing” disinformation campaign being waged against the Democratic candidates on social media. The article describes a study that was done on behalf of Politico by the group Guardians.ai, a firm that specializes in protecting pro-democracy groups from cyberattacks and disinformation campaigns. Guardians.ai had previously studied how a Twitter network of 200 core profiles was responsible for a highly prolific social media disinformation campaign promoting false memes around voter fraud in the 2018 US mid-terms. And that same core group of 200 Twitter profiles is now aggressively promoting all sorts of disinformation about the 2020 Democratic candidates.
It’s an interesting study. But as we’re going to see, the fact that this Twitter disinformation network is already running disinformation operations in 2020 is being cited as evidence that state actors, in particular Russia but also North Korea and Iran, are already meddling in the 2020 election. And this assertion is being made despite the fact that the Guardians.ai study in no way attributes that Twitter network of 200 users to Russia or any government at all, and despite the fact that the analysts make clear that much of the disinformation activity appears to be “organic”, as in, it’s real people just pumping out right-wing disinformation on their own. So why are state actors suspected to be behind this network? Because some of the disinformation activity is also clearly organized and “shares characteristics” with the Kremlin’s Internet Research Agency activity from 2016. What are those shared characteristics? We aren’t told. We’re just informed that there are “shared characteristics” and that’s the basis for the conclusion that state actors are behind at least some of this disinformation activity.
“A wide-ranging disinformation campaign aimed at Democratic 2020 candidates is already underway on social media, with signs that foreign state actors are driving at least some of the activity.”
So there’s a big disinformation campaign directed against the Democrats that’s already been detected. No one knows who exactly is behind it, but there are “signs” that foreign state actors are driving some of the activity. That’s the conclusion that Politico’s analysis arrived at which was conducted by Guardians.ai.
What are the signs of foreign state actors, and not simply Republicans and American right-wingers, being behind these detected misinformation networks? Well, the disinformation network shares similar characteristics with the Internet Research Agency’s Kremlin trolling operations. What are those shared characteristics? How do these shared characteristics establish that the network Guardians.ai identified as pushing a right-wing voter fraud disinformation campaign in the 2018 mid-terms, and which is now attacking Democratic primary candidates, really is a Kremlin disinformation network and not a GOP/‘Alt Right’/4chan troll network? We aren’t told. We are just told that this identified network of 200 Twitter accounts shares characteristics with a Kremlin campaign, which is used to justify the claim that some, but not all, of the disinformation activity they’ve been detecting is directed by the Kremlin.
And some of the disinformation activity detected by the analysts at Guardians.ai is indeed probably directed by the Kremlin, since there’s clear evidence of Kremlin-directed internet trolling and disinformation campaigns. The problem has always been that the evidence directly connected to the Internet Research Agency was evidence of an unfocused and largely insignificant and incidental collection of experimental internet trolling and disinformation campaigns. Nothing major, and all minuscule compared to the scale of American political influence operations.
In other words, the Kremlin online disinformation campaigns are very real, but just a tiny echo of dissonance in a much larger disinformation cacophony that is dominated by the Western right wing’s myriad disinformation networks. The collection of disinformation networks routinely bombarding US audiences with disinformation ranges from ‘Alt Right’ neo-Nazi and grassroots right-wing trolls voluntarily running organized and disorganized disinformation campaigns (for the lulz) to paid dirty tricks operations run by GOP professionals. Then there’s the combined efforts of all the right-wing financiers like Peter Smith who pay for dirty tricks operations and run their own private fund-raising networks for such operations. And we can’t forget the massive online personalized micro-targeting operation run by the Trump campaign that’s getting upgraded for 2020. That’s going to include Brad Parscale’s newly formed firm, Data Propria, that’s run by four key Cambridge Analytica employees who were involved with the 2016 Trump campaign’s psychological profiling of voters. These entities are all vastly more influential in American politics than the Internet Research Agency by all indications. They certainly share characteristics with the Kremlin trolls, but they aren’t Kremlin trolls, and all have incentives to cover their tracks by passing themselves off as Kremlin trolls.
This reliance on “shared characteristics” is important to keep in mind with this story because it highlights how the Guardians.ai analysis is just an extension of the broader issue in the cybersecurity industry of relying on pattern-recognition techniques for making attribution conclusions, techniques that can be easily gamed and spoofed. Some shared characteristics are spotted and it’s just assumed that the Kremlin is behind some of it and then insinuated that the Kremlin is probably behind A LOT of it. But based on the available evidence, the Kremlin is just a bit player in the online US disinformation campaigns compared to American right-wing disinformation sources. So even if the Kremlin’s disinformation campaigns share characteristics with right-wing disinformation campaigns, if a given disinformation campaign looks like it might be either a right-wing campaign or a Russian campaign, it’s far more likely to be a right-wing campaign simply because the right wing is pumping out vastly more disinformation:
Also note that the Oxford study describing the “computational propaganda” attacks launched by the Internet Research Agency in the 2016 presidential campaign that the article referred to was one of two studies commissioned by the Senate Intelligence Committee. The other study commissioned by the Senate was the now notorious study by New Knowledge, the firm discovered to have created fake ‘Russian Twitter bots’ and intentionally used them to successfully wage a false flag campaign designed to generate news reports that Roy Moore was getting Russian bot support. It highlights one of the key facts to keep in mind with all of this: the attribution of Twitter bot accounts to the Kremlin is largely based on guesswork and can therefore be easily faked, and when we ignore this basic fact we’re inviting all sorts of third-party actors to run ‘Russian bot’ false flag operations. Maybe it’s a firm like New Knowledge, maybe it’s the Republican Party, maybe it’s the Trump campaign, or maybe it’s some random neo-Nazi that will run the false flag. The list of parties that would be tempted to create an easily detected ‘Russian bot’ network is pretty much everyone but Russia. And by accepting low grade attribution standards for who is behind an online propaganda network we’re encouraging almost everyone to engage in exactly that behavior. The lower the standards, the more team Trump and the GOP and the ‘Alt Right’ trolls are going to want to create their own ‘Russian bot’ networks to join in on the fun.
This core group of 200 Twitter accounts behind the disinformation network Guardians.ai studied is the exact group of 200 accounts they found behind a voter fraud disinformation campaign in the 2018 mid-terms. But as we’re going to see below, that earlier report on the voter fraud disinformation network explicitly says it makes no claims about these Twitter accounts being directed by the Kremlin. So noting that this Twitter network that Guardians.ai found running disinformation about Democratic primary candidates is the same Twitter network that Guardians.ai researchers studied in their voter fraud disinformation project should not be seen as a sign that this Twitter network is being run by the Kremlin:
According to these Guardians.ai analysts, this core group of Twitter users represents an evolution in misinformation tactics from 2016 and is harder to identify as bots. Some of the accounts are believed to be highly sophisticated fake accounts while others are real individuals. And that, of course, raises the question of whether these “highly sophisticated synthetic accounts” are, in fact, real people. It’s possible. This attribution business is all guesswork, after all. But at some point there really are going to be highly sophisticated bots and they probably already exist today. At some point these bots are going to pass the Turing test and that point has probably already arrived. So we shouldn’t be surprised if these 200 super-influencer Twitter accounts are sophisticated realistic bots, or be surprised if they’re real. That point in the ‘bot wars’ has arrived:
The article also notes another disinformation analysis done by the social media intelligence firm Storyful that found that a number of fringe sites were responsible for spikes in misinformation in the days following the announcements of Democratic candidates. 4chan and 8chan were two of the fringe sites listed in the report, which is not at all surprising. Recall how 4chan was where the hacked Macron emails surfaced, and how that hacking was blamed on the Kremlin by the US government while the French government refuted those assertions and evidence suggests the neo-Nazi hacker Andrew ‘weev’ Auernheimer was behind it. Organizing a disinformation campaign against Democrats (and Republicans) is exactly the kind of thing we should expect on those sites and there’s no compelling reason to assume Kremlin agents are behind it. They could be, but it could easily be any of the numerous real posters. The forums are also wildly popular and invariably have large numbers of real posters, and those are exactly the kinds of real posters that would revel in spreading disinformation campaigns about someone like Elizabeth Warren. Again, ‘for the lulz’ if nothing else:
Finally, the article notes that NONE of the researchers interviewed for the article claim to have conclusively proven that state actors are involved with these detected disinformation campaigns. It’s a critical point given that the thrust of the article is that studies are showing Russian influence operations are already in effect for the 2020 campaign:
So we have an article about how there are “signs” of state actors already being involved with a 2020 disinformation campaign when those signs appear to be largely limited to the shared characteristic of spreading disinformation in a coordinated manner. And yet none of the people interviewed said they could conclusively point to state actors being behind any of the disinformation networks they examined. It’s troubling. Not the idea of state actors ramping up for 2020 influence campaigns. That’s a reasonable assumption. But the evidence is a bunch of Twitter disinformation networks that merely vaguely share characteristics with Internet Research Agency organized disinformation campaigns which is a really low standard for assuming you’re looking at a Kremlin-directed network. That’s what’s so troubling.
And it’s important to note that in the 2018 Guardians.ai study on the voter fraud disinformation network of 200 super-influence accounts, they explicitly point out that they have no evidence that this network has anything to do with state actors or that the accounts are necessarily bots. It’s all based on hunches:
“* We’re not concluding that all these accounts are bots
* We’re not concluding that these accounts are Russian or originating from one source
* We’re not concluding that all of these accounts are intentionally involved in an influence operation”
There was no evidence the network of 200 Twitter accounts that Guardians.ai studied as part of their voter fraud disinformation research was Russian or originated from any one source, and the accounts might have been real people. In other words, based on the evidence these groups have at their disposal, they can’t make any conclusions about who is actually behind these accounts. It’s a rather important caveat. And that’s the analysis that is being latched onto as evidence of possible state actor interference already underway in the 2020 election cycle. Again, the troubling part isn’t the speculation of state actor interference. There’s probably going to be all sorts of governments involved in 2020, especially after 2016. What’s troubling is that this Twitter network is being pointed to as evidence of state actor involvement.
So with all that in mind, it’s briefly worth recalling how the 2017 elections in Germany were impacted by large misinformation networks that were run not by Russians but by American right-wingers. As the article notes, the discovery that it was primarily American far right disinformation networks meddling in the German elections, and not Russian networks, was a reminder of the warning Andrew Auernheimer had for the world in 2016 following Trump’s victory: “There will never be an election again in which trolling, hacking and extreme far-right politics do not play a role”:
““So far we have not been able to track down any specific Russian activity,” said Simon Hegelich,” a professor of political science data at the Technical University of Munich who has advised the German government about the threat of hacking and fake news.”
No Russian activity was detected. But plenty of American far right activity! That was the conclusion of Simon Hegelich, a professor of political science data at the Technical University of Munich who was advising the German government about hacks and ‘fake news’:
And this large far right, largely American-based, network of trolls was so organized that it managed to successfully game Facebook’s algorithms so that everyone in Germany was getting links encouraging them to read about the far right AfD party:
““It’s really strange because Facebook says this should be impossible because you are only supposed to get recommendations based on your own ‘friends,’ ‘groups’ and ‘likes.’ But everyone in Germany is getting these right-wing party recommendations,” he said. ”
And one of the top trolls who appears to have been behind the Macron hacks, Andrew Auernheimer, pledged that never again will there be an election that doesn’t involve “trolling, hacking and extreme far-right politics”:
But despite the fact that no Russian activity was detected, that didn’t stop Joerg Forbrig, an analyst at the German Marshall Fund of the United States which is behind the “Hamilton 68” project — the initiative started to identify alleged Russian election interference that’s manned by a number of extremely conservative, highly questionable, and highly hawkish figures — from concluding that “there is more Russian activity than meets the eye”. The way Forbrig saw it, the fact that the AfD did best in parts of Germany with the highest Russian-speaking populations (which includes eastern Germany, where the AfD is wildly popular) is a possible sign of the success of some sort of Kremlin influence operation targeting Russian speakers. Even when the German government was actively watching for Russian influence operations and didn’t find any but did find American far right disinformation campaigns, Forbrig was pretty sure there was still some hidden Russian connection to the success of the AfD:
Again, in fairness, it’s entirely possible that the Kremlin could have been meddling in the Germany election and simply not leaving tracks, as Forbrig seemed to be speculating. It’s not an unreasonable possibility. But it’s really more of a conviction and mantra at this point which is the underlying problem.
And that all underscores the other part of why we should expect a repeat of #TrumpRussia in 2020: The Trump campaign and Republican Party are making it very clear that they are planning on more hacking scheming/opportunism. And the social media disinformation campaign that will be blamed on the Kremlin is virtually guaranteed to happen thanks to a blossoming anti-disinformation industry that is making it clear to the Trump campaign and GOP and the rest of the affiliated troll armies that all they’ll have to do is leave a few ‘Russian bot’ clues in their disinformation campaigns and this anti-disinformation industry will almost surely attribute the disinformation networks to the Kremlin if they’re ever uncovered. And even if the disinformation networks don’t bother leaving ‘Russian bot’ clues behind, it will still be assumed that it could be a very sophisticated Kremlin campaign that didn’t leave clues. The Republican secret teams that will arrange for hacks and/or scour the dark web for hacked materials are probably already in place. And the other Republican secret teams for running mass disinformation operations are basically always operating whether or not there’s an election. The Republican Party is basically a giant disinformation operation these days anyway so there should be no question as to whether or not there’s going to be extensive right-wing disinformation campaigns. And based on what we’ve seen, there should be no question as to whether or not those 2020 right-wing disinformation operations will be blamed on Russia. Of course they will be.
And that all raises a rather ominous question: since the GOP and the right wing know that their dirty tricks operations are invariably going to be attributed to Russia, is this going to make them go extra crazy with the disinfo for 2020? Let’s not forget that one of the key lessons of the 2018 mid-terms was that the GOP was still more than happy to blatantly base the party’s national campaign strategy on lies and disinformation (like panicking over ‘the Caravan’) and there’s no reason at all to assume that won’t be the case in 2020. So how extensive a role will dirty tricks — whether it’s hackings, micro-targeting, or disinformation operations — play in the GOP’s overall strategy when the party knows its dirtiest tricks will probably get blamed on Russia?
How dirty will the GOP get when it knows the dirtiest dirt will probably get blamed on Russia? It’s the kind of question that would ideally remain rhetorical. But here we are. It’s a real question for 2020 and perhaps one of the most important looming questions for 2020 given the right wing’s incredible capacity for dirty politics. #TrumpRussia2020 here we come.
Here’s a story from back in January that’s worth noting as a reminder that we should probably expect political hacks to play a role in the US 2020 elections and we should probably expect the hackers to leave lots of ‘Russian hacker’ fingerprints: The Democratic National Committee announced in late January that it had concluded that it was once again a victim of a wave of phishing attempts by APT29 a.k.a ‘Cozy Bear’ a.k.a ‘the Dukes’. The DNC also filed documents about this in federal court as an amended complaint to the lawsuit it filed in April 2018, in which the DNC claimed it was the victim of a conspiracy by Russian intelligence agents, President Trump’s 2016 campaign and WikiLeaks to damage Hillary Clinton’s presidential run.
First, recall that APT29/‘Cozy Bear’ was blamed for the initial May 2015 hack of the DNC’s servers which was part of a larger phishing campaign targeting numerous US and European entities. According to cybersecurity experts, that phishing campaign was unusually ‘noisy’ (i.e. not trying to hide what they were doing) for presumed Russian government hackers, making it the starting point of new ‘noisy’ ‘Russian hacker’ campaigns that have now become the norm.
This latest phishing campaign that the DNC was targeted by was also part of a larger ‘noisy’ phishing campaign that targeted a number of US entities. The phishing attempts took place in November of 2018, shortly after the US midterms and used emails impersonating the US State Department, targeting government agencies, think tanks, law enforcement officials, journalists, military personnel, defense contractors, pharmaceutical companies and transportation officials.
The cybersecurity firm FireEye wrote a blog post in November that concluded that Cozy Bear was the likely culprit. CrowdStrike arrived at the same conclusion. It was in January that the DNC announced that they too were targeted in this phishing campaign.
So what was it that made FireEye and CrowdStrike conclude Cozy Bear was behind the phishing campaign? This is where things start sounding eerily familiar: The tactics, techniques, and procedures (TTPs) used in the November 2018 phishing campaign was very similar to the TTPS used in a phishing campaign from November 2016, shortly after the 2016 election. And that November 2016 phishing campaign was, in turn, attributed to Cozy Bear by Volexity, another cybersecurity firm, based on the similarity of TTPs to some phishing attacks that Volexity observed in August of 2016 that it attributed to APT29. So Volexity attributes the November 2016 phishing to APT29 and, two years later, FireEye and CrowdStrike base their attribution that APT29 was behind the November 2018 phishing campaign on the fact that there are a number of similarities to the 2016 phishing campaign that Volexity already attributed to APT29. It’s an example of how new attributions are based on a chain of previous attributions that build on each other and make the accuracy of previous attributions paramount for the accuracy of new attributions.
And what kinds of similarities in TTPs were found linking the November 2016 phishing campaign to the November 2018 campaign? In both cases, the phishing emails would try to trick the recipient into clicking on a link that leads to a ZIP archive that contains a Windows shortcut file hosted on a compromised server. When clicked, the windows shortcut file executes a PowerShell command that deploys the malware.
A notable difference between the 2016 and 2018 phishing campaigns is that the malware deployed in the 2016 campaign was custom malware which Volexity dubbed “PowerDukes”. But in the 2018 phishing campaign the commercially available malware Cobalt Strike was used instead. FireEye notes in its report that sophisticated hackers will frequently use off-the-shelf malware for reasons like plausible deniability.
And that’s where things get absurd: A key area of similarity between the 2016 and 2018 phishing campaigns used for FireEye’s attribution was the heavy overlap in the metadata found in the Windows shortcut link used to download the malware. That overlap included the metadata for the Windows shortcut link containing the same MAC address that was found in the 2016 phishing attack. A MAC address is a unique identifier for a piece of hardware, so by leaving the same MAC address in the metadata the hackers were sending the signal that the exact same computer was used in both the 2016 and 2018 phishing attacks. According to FireEye, the metadata was SO similar that FireEye concluded the overlap may have been deliberate.
Keep in mind that spoofing a MAC address is technically possible, so if it was the same hackers behind the 2016 and 2018 phishing attacks and they used the exact same machine to construct the Windows shortcut links, they still could have modified the MAC metadata if they wanted to. Similarly, if someone wanted to spoof the MAC address to make it look like the same one used in the 2016 phishing attack, they could do that too. It’s an example of why looking at similarities in TTPs for attribution is potentially so problematic.
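The MAC address at issue lives in a specific part of the shortcut file: the TrackerDataBlock, where Windows stores a NetBIOS machine name and link-tracking GUIDs. The object-ID GUID there is a version-1 UUID, and on a standard Windows host its 48-bit node field is the MAC of the machine that created the link. As an added example (not code from this post, from FireEye or from Volexity), here is a small Python parser that pulls those tracker fields out of a .lnk file and reports which of them two samples share, which is the kind of overlap check an analyst runs when weighing evidence like the overlap described above. The two shortcut images it parses are constructed inside the script; the hostnames and MAC values in them are made up and correspond to no real file or machine.

```python
"""Pull the TrackerDataBlock identifiers out of Windows shortcut (.lnk) files
and compare them across samples. Added example; the .lnk images built below are
constructed here and do not correspond to any real file."""
import struct
import uuid

LNK_HEADER_SIZE = 0x4C
LINK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046").bytes_le
# LinkFlags bits that change where the ExtraData section starts
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
TRACKER_DATA_SIGNATURE = 0xA0000003  # ExtraData block holding MachineID and link-tracking GUIDs


def mac_from_uuid(u):
    """Node field of a version-1 (time-based) UUID as a MAC string; None for other versions."""
    if u.version != 1:
        return None
    node = u.hex[-12:]
    return ":".join(node[i:i + 2] for i in range(0, 12, 2))


def extract_tracker_ids(data):
    """Return the TrackerDataBlock fields of a .lnk image, or None if the block is absent."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:            # IDListSize (2 bytes) + item IDs
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                      # LinkInfoSize counts itself
        off += struct.unpack_from("<I", data, off)[0]
    char_size = 2 if flags & IS_UNICODE else 1     # StringData: CountCharacters + chars
    for flag in (HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION):
        if flags & flag:
            off += 2 + struct.unpack_from("<H", data, off)[0] * char_size
    while off + 8 <= len(data):                    # ExtraData: BlockSize, BlockSignature, body
        size, sig = struct.unpack_from("<II", data, off)
        if size < 4:                               # TerminalBlock
            break
        if sig == TRACKER_DATA_SIGNATURE:
            body = data[off + 8:off + size]
            # Length(4) Version(4) MachineID(16) Droid(2 GUIDs) DroidBirth(2 GUIDs)
            machine_id = body[8:24].split(b"\x00", 1)[0].decode("ascii", "replace")
            object_id = uuid.UUID(bytes_le=body[40:56])        # second GUID of Droid
            birth_object_id = uuid.UUID(bytes_le=body[72:88])  # second GUID of DroidBirth
            return {
                "machine_id": machine_id,
                "object_id": str(object_id),
                "mac": mac_from_uuid(object_id),
                "birth_mac": mac_from_uuid(birth_object_id),
            }
        off += size
    return None


def compare_tracker_ids(lnk_a, lnk_b):
    """Which tracker fields two shortcut files share: the overlap check used in attribution."""
    a, b = extract_tracker_ids(lnk_a), extract_tracker_ids(lnk_b)
    if a is None or b is None:
        return None
    return {k: a[k] == b[k] for k in ("machine_id", "mac")}


def build_sample_lnk(node, machine_id=b"user-pc"):
    """Constructed minimal .lnk image: header, one Unicode NAME string, one TrackerDataBlock.
    `node` is the 48-bit value placed in the object ID; machine_id is a made-up NetBIOS name."""
    flags = HAS_NAME | IS_UNICODE
    header = (struct.pack("<I", LNK_HEADER_SIZE) + LINK_CLSID +
              struct.pack("<IIQQQIiIHHII", flags, 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0))
    name = "Invoice"
    string_data = struct.pack("<H", len(name)) + name.encode("utf-16-le")
    volume_id = uuid.UUID("9fd19c6c-9a43-4b1f-8d51-3b2f0d2e1a11")  # constructed v4 volume GUID
    object_id = uuid.UUID(fields=(0x12345678, 0x1234, 0x11AB, 0x80, 0x01, node))  # v1, node = MAC
    body = (struct.pack("<II", 0x58, 0) + machine_id.ljust(16, b"\x00") +
            volume_id.bytes_le + object_id.bytes_le + volume_id.bytes_le + object_id.bytes_le)
    block = struct.pack("<II", 8 + len(body), TRACKER_DATA_SIGNATURE) + body
    return header + string_data + block + struct.pack("<I", 0)


if __name__ == "__main__":
    older = build_sample_lnk(0x001122334455)
    newer = build_sample_lnk(0x001122334455, machine_id=b"other-host")
    unrelated = build_sample_lnk(0x0A0B0C0D0E0F)
    print(extract_tracker_ids(older))
    print("older vs newer:", compare_tracker_ids(older, newer))
    print("older vs unrelated:", compare_tracker_ids(older, unrelated))
```

What the comparison can and cannot tell you: a matching node field means the two links carry the same 48 bits in that slot, nothing more. The value is written by the link-creating software at creation time and is ordinary file content, so it is evidence about the bytes in the two files rather than proof about which machine produced them. Treat it as one weighting factor alongside the rest of the TTP overlap, not as a fingerprint, which is exactly the reservation FireEye itself ends up voicing.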
Also recall how the initial attribution of the 2016 hack of the Democrats to APT28/‘Fancy Bear’ was heavily based on the fact that the malware deployed on the DNC’s servers had the same IP address hardcoded into it (176.31.112.10) that was found in the 2015 hack of the Bundestag, which had been attributed to APT28. And the fact that the command-and-control server’s 176.31.112.10 IP address was found in the Bundestag hack’s malware was published in 2015 and was therefore publicly knowable by the time of the March 2016 ‘Fancy Bear’ hack of the Democrats. It was another example of how wildly provocative metadata ‘clues’ keep popping up in these ‘Russian hacker’ hacks and keep getting taken at face value and used for attribution.
So in the same report where FireEye notes that the commercially available Cobalt Strike malware may have been used for reasons of plausible deniability, they also have to note that the overlap in metadata between the 2016 and 2018 attacks was so extensive that it may have been intentional. That’s a little contradictory, isn’t it?
In fairness, both FireEye and CrowdStrike added caveats to their initial attribution by noting that they couldn’t make this attribution with 100 percent certainty, but that didn’t stop almost everyone from broadly treating it as a 100 percent certain attribution.
Ok, let’s start off with the New York Times story about the DNC announcing that it too was targeted in the November 2018 wave of phishing attacks. The article describes how FireEye observed such heavy overlap in the metadata between the 2016 and 2018 phishing attacks that it might constitute a “deliberate reuse” of old phishing tactics. As the article also notes, both FireEye and CrowdStrike acknowledged that they could not say definitively that ‘Cozy Bear’ was to blame:
“The new court filings say the time stamps and contents of the spearphishing emails received in November were consistent with separate cyberattacks around the same time tied to the Russian hacking group known as Cozy Bear, one of the two Russian groups suspected of breaching D.N.C. computers in 2016.”
Right around the same time all of these other entities were getting hit with the November 2018 phishing attack, the DNC got hit with a similar attack. And since the attack was attributed to APT29/Cozy Bear, the DNC added this attack to its ongoing lawsuit against Russia:
And yet the attribution of this phishing attack to APT29/Cozy Bear was based on ‘clues’ that were so similar to the 2016 phishing attack that had previously been attributed to APT29/Cozy Bear that FireEye concluded this might constitute “deliberate reuse”. In other words, FireEye concluded the hackers were intentionally trying to strongly tie this attack to the 2016 attack:
Another reason this attack was attributed to APT29/Cozy Bear is that they launched their attack using a compromised hospital email server, and that’s apparently a common tactic of Cozy Bear. And that’s no doubt true, because using compromised servers to launch attacks is a common tactic of hackers in general, so it’s not exactly a compelling clue:
But FireEye and CrowdStrike both acknowledge that they couldn’t firmly conclude that APT29/Cozy Bear was truly to blame. In other words, both FireEye and CrowdStrike are acknowledging that the spoofing of this seemingly conclusive evidence is entirely possible, which is a pretty huge admission in the context of the larger #TrumpRussia investigation:
Ok, now let’s take a quick look at the actual report FireEye published in November of 2018, where they tentatively concluded that APT29/Cozy Bear was behind it while acknowledging that the metadata overlap between the 2016 and 2018 phishing attacks was so close that it could have been deliberate:
“Several elements from this campaign – including the resources invested in the phishing email and network infrastructure, the metadata from the weaponized shortcut file payload, and the specific victim individuals and organizations targeted – are directly linked to the last observed APT29 phishing campaign from November 2016. This blog post explores those technical breadcrumbs and the possible intentions of this activity.”
As FireEye makes clear, their attribution is based on looking for patterns that link new attacks back to old attacks. If the similarities are strong enough, an attribution is made and it’s concluded that it’s the same group behind the past and current attacks which, again, highlights how mistakes in past attributions can strongly impact future attributions.
And yet the patterns linking this phishing attack with the November 2016 attack were so suspicious that FireEye characterized this as “seemingly deliberate reuse” of the same tactics, techniques and procedures (TTPs). Most notably, the MAC address in the Windows shortcut link IS THE SAME, sending the signal that literally the same computer was used to create those links in both attacks. As FireEye puts it, “APT29 is a sophisticated actor, and while sophisticated actors are not infallible, seemingly blatant mistakes are cause for pause when considering historical uses of deception by Russian intelligence services”:
And yet, despite those ‘seemingly deliberate mistakes’, the report notes that the use of commercially available malware instead of custom malware may have been done for reasons of plausible deniability. It’s quite a juxtaposition of tactics:
Finally, the report notes another area of overlap between the phishing campaign and past phishing campaigns attributed to APT29/Cozy Bear: they used large waves of emails:
Again, don’t forget that this behavior of sending large waves of emails to numerous institutions at the same time is exactly the kind of ‘noisy’ behavior that cybersecurity analysts first observed in the 2015 phishing attacks that hit the Bundestag and the DNC server in the May 2015 hack. And analysts noted how this was very atypical of known Russian government hacker behavior. Volexity made the same observation in its November 2016 report that attributed the November 2016 phishing attacks to APT29/Cozy Bear (see the “Background” section). So when FireEye notes that APT29 has leveraged large waves of emails in previous campaigns, it’s specifically the previous campaigns starting in 2015 when the behavior of APT29 (and APT28) suddenly changed and became very “noisy” while leaving all sorts of “I’m a Russian hacker!” metadata clues.
So what can we conclude about who is behind these attacks? Well, we can conclude that someone is very interested in hacking the Democrats and making sure that Russia gets the blame. And, sure, it could be the Russian government doing this as a trolling tactic that achieves some sort of strategic objective. But it could obviously be someone else. At this point that’s basically the only attribution we can make conclusively.
CrowdStrike’s Kurtz has been appointed to HP’s BOD:
https://www.hpe.com/us/en/newsroom/press-release/2019/06/hewlett-packard-enterprise-announces-george-kurtz-ceo-of-crowdstrike-to-join-board-of-directors.html
With President Trump continuing with his ominous refusal to agree to respect the upcoming election results should he lose despite broadly trailing in the polls, here’s a pair of articles that highlight one particular avenue of hacking out a victory that remains very much an option for the Trump team:
First, recall the disturbingly plausible legal strategy that involves the Trump campaign simply alleging that a number of state elections were marred by voter fraud. At that point, the Trump team simply needs to tie the cases up in the courts until the December 14 deadline when the electoral college needs to choose a winner. It’s that December 14 deadline that could prompt the Supreme Court to kick the question of who should be president to the House of Representatives. But if that happens the House doesn’t make a one-representative-one-vote decision. Instead it makes a one-state-one-vote decision, which would almost certainly result in a Trump victory. Now, given how Trump continues to gaslight the public with alarmist warnings of widespread mail-in vote fraud, claims of mail-in vote fraud have been near the top of the list of things that could trigger this scenario. But as the following article from August of 2019 makes clear, there’s no reason hackers can’t be the reason the electoral college can’t make a decision by December 14th. In particular, ransomware hitting a few key state election systems could be enough to effectively invalidate the final electoral college vote and force the issue to the Supreme Court, which could force the issue to the House and a one-state-one-vote reelection victory for Trump.
And as the second article from February of this year also makes clear, almost nothing has been done at the state level to address the threat of ransomware attacks hitting election systems, despite the Cybersecurity and Infrastructure Security Agency (CISA) — a division of the Homeland Security Department — announcing in August of 2019 that ransomware attacks on state election systems were one of the agency’s top concerns heading into 2020. In other words, at this point the main thing standing in the way of this nightmare one-state-one-vote gimmick scenario that could get Trump reelected is the ability of some pro-Trump hacker group to hack a few key states. And since the blame for the hacks can basically be made up by cyber-defense industry players like CrowdStrike, the blame for the hacks that put Trump back in office can be directed at Russia or China or whatever group the cyber-professionals decide to implicate. Yes, the Republicans could break the election and blame it on China. So this ‘hack-to-force-a-one-state-one-vote-election’ scenario isn’t just very plausible but also very tempting.
Ok, here’s an August 2019 article describing how ransomware attacks on state election systems like voter rolls, attacks that could invalidate election results, were one of the top concerns of CISA heading into the 2020 elections. And as CISA pointed out at the time, while it can warn states to prepare for ransomware attacks, it can’t force the states to actually make preparations:
“These systems, which are widely used to validate the eligibility of voters before they cast ballots, were compromised in 2016 by Russian hackers seeking to collect information. Intelligence officials are concerned that foreign hackers in 2020 not only will target the databases but attempt to manipulate, disrupt or destroy the data, according to current and former U.S. officials.”
Be on the lookout for foreign hackers planning on not only manipulating state election databases but also disrupting or destroying the data, an act that would obviously be done with the intent of raising questions about the validity of the vote. That was the warning from intelligence officials last August, along with a pledge from CISA to warn the states of this impending threat. It’s the kind of warning that ignores the obvious threat of ‘foreign’ hackers who decide to pretend to be Chinese or Russian hackers, knowing full well that if they make even a half-assed attempt to leave ‘Chinese’ or ‘Russian’ hacker breadcrumbs the US national security state will happily blame it on one of those two adversaries. That’s part of why this threat is so serious: playing dumb about ‘foreign’ hackers only incentivizes the Trump campaign in this context. Imagine how convenient it would be for Trump if there was a hacking attack on the 2020 elections and the digital ‘evidence’ pointed towards China. That’s kind of the Trump campaign’s dream scenario, and it’s a scenario that can be unilaterally executed by the campaign as long as its hackers can successfully pretend to be working for China:
Will election-day ransomware hackers actually ask for a ransom? And will states pay it? That’s one of the questions in store for democracies in the age of internet-connected voting systems. A question that most states probably haven’t bothered to ask themselves yet. At least that’s what we can infer based on the following article from February of 2020 that describes the steps taken by states by that point to address electoral cyber-threats, in particular ransomware. Based on a survey of city and county employees conducted in January, half of the local government offices in the US have done nothing to address these ransomware election warnings and a quarter of respondents had received no cyber-defense training at all. 9 percent of respondents said they had no in-house or hired cybersecurity team at all. So one in ten local government computer networks have no security specialists working to maintain them, according to this survey from January. Keep in mind that the Trump administration would obviously have the most detailed understanding of the specific technical vulnerabilities of different municipalities, so if that knowledge was leaked to private actors the hacking of those state systems would be like taking candy from a baby.
Also keep in mind that in states with closely contested votes it would only take the hacking of one or two municipalities’ voting systems to make it impossible for the states to report a winner, so hacking a single large city could potentially block a state from reporting its electoral college votes. That’s how technically plausible this nightmare scenario really is, and with the ability to blame it on Russia or China we have to assume the Trump team has at least pondered the possibility of pulling a stunt like this, because it’s the kind of ‘Plan B’ that’s so technically plausible it’s a viable ‘Plan A’ as long as Trump keeps trailing in the polls:
“A Harris-IBM survey of 690 city and county employees interviewed since January found that half of all respondents “have not seen any change in preparedness by their employer” in the last year, and that more than a quarter haven’t received any cybersecurity training whatsoever.”
That was the update from back in February on the steps taken by local governments to prepare for the electoral ransomware attacks federal cyber officials were so freaked out about back in August: half of US localities haven’t increased their preparedness at all and a quarter have received no cybersecurity training whatsoever:
So the joint state and federal cybersecurity policy for electoral ransomware at this point is basically, “Katie, bar the door. Or not. Meh.” And as long as that “meh” posture is maintained, the nightmare scenario that allows Trump to get reelected and blame it on China is still completely plausible. That’s the general state of the US’s election cybersecurity stance at the federal and local levels at this point. Meh. A very cold and calculating ‘meh’ that spells doom for democracy. ‘Meh’ is generally toxic for democracy, but this is the extra lethal kind of meh.
It’s that time again for the US. Time for a seemingly endless slew of ‘Russian hacker’ stories, where any and all political hacking attempts are attributed to either ‘Cozy Bear’ or ‘Fancy Bear’ with extremely high degrees of confidence based on vague ‘Russian hacker fingerprints’. In this case it’s Microsoft making the ‘Russian hacker’ claim. Specifically, a claim that ‘Fancy Bear’/APT28 (named “Strontium” by Microsoft) made an unsuccessful hacking attempt targeting SKDK, a Democrat-affiliated IT firm. While the Biden campaign uses SKDK’s services, other Democrats also use the company and Microsoft can’t confirm that the attack was targeting the Biden campaign. What’s clear is that it was targeting Democrats. Although not exclusively Democrats. In a blog post about its findings, Microsoft stated over 200 organizations across the world were targeted by Strontium...
A massive phishing campaign that wasn’t targeting any one group in particular. That appears to be the phishing operation uncovered by Microsoft.
So what was the basis for Microsoft concluding that “Fancy Bear” was the culprit? Well, we’re told that Microsoft made its conclusion based on an analysis of the hacking techniques and network infrastructure. Yep, that’s the extent of the details we’re given. Vague references to “hacking techniques” and “network infrastructure” (which probably means there was a server in Russia involved) and that’s it. Although they did mention one particular hacking technique used: phishing, the simplest technique, one that can be deployed by anyone. Interestingly, Microsoft’s blog report also indicates that it has been monitoring this phishing campaign for several months, but only recently did its investigation reach the point where it can attribute the campaign to “Fancy Bear” with high confidence. And yet in that same paragraph the report states that Fancy Bear (Strontium) has been using all sorts of new techniques of late and has been evolving its infrastructure. So it sounds like Microsoft based its attribution on hacking techniques and infrastructure...new techniques and infrastructure:
Since this is Microsoft making a “Fancy Bear” attribution, it’s worth recalling one of the interesting anti-hacking legal techniques pioneered by Microsoft back in 2017, when the company successfully sued in US courts over trademark infringement to legally take control of web addresses mimicking Microsoft’s websites that were used by a group of hackers as part of a phishing campaign. Crucial to that legal process was explicitly suing “Fancy Bear” over the hacks in 2017 and winning a permanent injunction against the group from a federal court. It’s a legal technique that Microsoft subsequently used in 2019 to take control of web domains operated by the accused Iranian-backed hacker group Phosphorus/APT35 and the accused North Korean hacker group Thallium. But back in 2017 it set a legal precedent that not only incentivizes the naming of specific hacking groups — and therefore increases the incentive to engage in questionable inferential attributions based on vague patterns in hacking techniques or network infrastructure — but also incentivizes the attribution of future hacks to ‘Fancy Bear’ thanks to that permanent injunction. And here we are in 2020 with Microsoft making another “Fancy Bear” attribution based on typically vague “hacking technique” and “network infrastructure” clues, although there’s no reporting yet on whether or not Microsoft used that permanent injunction to seize the phishing domains in this case, so that’s going to be something to watch:
“Microsoft believes Fancy Bear is behind the attacks based on an analysis of the group’s hacking techniques and network infrastructure, one of the sources said.”
An analysis of the group’s hacking techniques and network infrastructure. That’s the extent of what we’re told about the evidence Microsoft based this attribution on, other than that it included a failed phishing attack:
And yet as we saw above, the Microsoft report specifically states that Fancy Bear has been updating and evolving its hacking techniques and infrastructure recently, and yet it was only recently that they gathered enough information to confidently attribute the campaign to Fancy Bear. An attribution based on an analysis of the group’s hacking techniques and infrastructure. It’s all rather odd.
But at least the phishing attack failed. Hopefully we aren’t going to have a repeat of 2016’s endless Democratic email leaks. Still, it’s important to keep in mind that whenever we see a story about hacking attempts targeting Democrats that are vaguely attributed to Russia, that story doubles as an incentive to the Trump campaign, Republicans, and anyone else on the planet to carry out hacking campaigns against Democrats. All they have to do is find a server in Russia or something to operate from and their hacking campaign will be attributed to Russia. That’s the actual message that’s sent out to the hacker world. A hacker world that, as we’ve seen, includes a number of Republicans and affiliated far right activists who were fixated on obtaining hacked Democratic emails, like the group centered around Newt Gingrich and Barbara Ledeen or Peter Smith’s operation with Steve Bannon and Michael Flynn that worked with Charles Johnson’s group of ‘Alt Right’ allies. And then there’s operations like Cambridge Analytica, which had its own history of offering political hack services, and the Saudi/UAE/(Israeli?) PsyGroup offer of help to the Trump administration that implicitly included hacking capabilities. All of these groups were just given another green light to proceed with any ongoing hacking operations they might be running this year. Operations from 2016 that were never really interrupted or meaningfully explored thanks to the near-exclusive focus on ‘Russian hackers’.
We got reports of a significant escalation of tensions today between Russia and the West as the invasion of Ukraine continues to unfold: Russia just ordered Russia’s nuclear forces onto high alert. It was the latest grim reminder of just how wildly the situation could spiral out of control. All it takes is one wrong move. From either side. Or rather, from any side in this conflict. There’s more than just two sides if we really think about it, after all. All sorts of parties have an interest in how this crisis develops and not everyone is necessarily going to be interested in minimizing the scale of the resulting damage.
And that lack of situational stability brings us to another pair of very disturbing articles that also serve as a reminder of how easily the situation could deteriorate further: It sounds like NATO is very seriously pondering cyber-responses to the war in Ukraine. And not just retaliatory cyber attacks in response to Russian cyber attacks. Preemptive cyber attacks — carried out ostensibly in response to the invasion of Ukraine — are reportedly being debated inside the US government right now.
And that means a ‘tit-for-tat’ cyberattack scenario between Russia and the West is becoming more and more plausible with each passing day. To get an idea of the potential consequences of a ‘tit-for-tat’ scenario, recall how the Pentagon announced in January of 2018 that the US could potentially respond with nuclear weapons to a devastating cyberattack. Now, ideally, in a tit-for-tat scenario you’re not going to see either side engage in devastating attacks, following the doctrine of Mutually Assured Destruction. But as we’ve seen, cyberattacks aren’t like nukes. It’s not easy executing an anonymous nuclear attack. Nor are nuclear weapons widely held across the world. Cyberattacks, on the other hand, are accessible to a teenage hacker in their basement or anyone else on the planet.
It’s also worth noting at this point that this whole situation is acting as a powerful lesson in the perils of the contemporary cyberattribution framework. Recall how the US, under the guidance of Dmitri Alperovitch, blazed the trail of modern-day cyber-responses by adopting a strategy of having governments simply vocally declare who they think the culprit for the attacks is and threatening nasty responses if the attacks continue. This new strategy was intended to get around the fact that governments typically couldn’t really respond forcefully to cyberattacks because actually proving who carried out a cyberattack is exceptionally difficult and often impossible. And now we’re in a situation where a range of actors around the world — governments and private actors — can potentially provide the trigger for a major escalation in this crisis.
Interestingly, as we’ll see, Alperovitch is actually one of the voices of reason in this debate, warning that any plans of a ‘tit-for-tat’ cycle of cyber attacks and counter-attacks could easily spiral out of control and result in full blown military conflict between Russia and NATO. It’s a sign of how dangerous the situation has become. And don’t forget that the US government is just one of the NATO members. The rest of NATO has cyber-capabilities too:
“As the West ponders further coercive measures, there is growing public discussion of state-backed cyberattacks as a response to Russian aggression. On Thursday, an NBC News report stated that U.S. President Joe Biden had been presented with options for cyberattacks against Russian critical infrastructure, including taking out internet access and power. The White House strongly pushed back against the NBC report, with a spokesperson for the National Security Council telling POLITICO that the report was “wildly off base.”
Is the US going to launch cyberattacks in response to the invasion of Ukraine? We’ll see, but the US is clearly thinking about it, along with the rest of NATO. And while the US government is refuting the recent reporting as “wildly off base”, there doesn’t appear to be a shortage of sources familiar with the US intelligence community who are willing to talk about the debate currently underway inside the US government. Nor is this debate limited to the US. NATO has plenty of other members with significant cyber-capabilities:
And then there’s the fact that numerous NATO members have the capacity to launch their own attacks anonymously. We could end up facing a situation where someone launches a cyberattack on Russia but the culprit remains silent. How is Russia going to respond when it knows a member of NATO launched a cyberattack but doesn’t know which member?
And as should be obvious by now, there’s no guarantee that an escalation in the cyber space is going to remain a tit-for-tat situation. Military responses can’t be ruled out. Beyond that, a devastating enough attack by Russia on any one of the NATO members states could potentially trigger Article 5 of NATO. That’s basically a WWIII scenario:
Also keep in mind that concerns about “spillover” from an attack should also include “spillover” in the form of an attack that ends up accidentally being far more devastating against the target than the attacker intended. Part of what makes that kind of scenario such a real possibility is the simple fact that we’re in relatively uncharted territory here. The world doesn’t have a large amount of experience at this kind of nation-state-level military-grade cyberattack. And that lack of experience means we don’t really know just how many things can go wrong in the execution of these attacks.
These are the kinds of dangers we had better hope military planners are seriously thinking about. Because as we’ll see when we read the NBC News report that initially prompted the White House’s downplaying of this story, it sounds like part of the debate inside the White House includes whether or not to engage in preemptive cyberattacks.
Notably, in that same article, we find a voice of caution from perhaps an unexpected source: CrowdStrike founder Dmitri Alperovitch. As we’ve seen, Alperovitch is one of the biggest anti-Kremlin hawks you’re going to find, and he pioneered the (highly questionable) strategy of the US responding to hacks by loudly declaring that a suspect nation was behind it and threatening major reprisals if the attacks continue. Alperovitch’s strategy was apparently an attempt to address the reality that cyberattacks really can be executed completely anonymously. And now Alperovitch is publicly warning that this situation could easily spiral out of control, potentially triggering a full-scale war between Russia and NATO:
“Two U.S. intelligence officials, one Western intelligence official and another person briefed on the matter say no final decisions have been made, but they say U.S. intelligence and military cyber warriors are proposing the use of American cyberweapons on a scale never before contemplated. Among the options: disrupting internet connectivity across Russia, shutting off electric power, and tampering with railroad switches to hamper Russia’s ability to resupply its forces, three of the sources said.”
Again, this is uncharted territory, where cyberattacks are going to be used on a scale never before contemplated. That sounds like there are some extremely devastating attacks being proposed. Including preemptive attacks in retaliation for the attack on Ukraine:
And here we have Dmitri Alperovitch — the individual who pioneered the approach of forcefully threatening an overwhelming response in retaliation for cyberattacks — acting as a voice of reason in this debate. It’s a sign of the hair-trigger nature of this situation when even Alperovitch is advising greater caution:
So let’s hope we don’t actually see any ‘tit-for-tat’ cyber-nightmare scenario develop. But should your nation’s internet get cut off in an unexplained incident, try not to be shocked if the headlines are a lot worse when it comes back on. Assuming it comes back on at all.