Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Reality: Spearphishing Campaigns and Election Systems

leave a comment »

 

So Bloomberg has a story out today concerning allegations that the hack on the election was larger than first admitted to by authorities and the leak of a document by Reality Winner. This of course started the Twitterati to start making noises and got me to thinking about the whole thing. People have been asking about whether or not the hack was successful and to what end would the hacks be if they were successful or not. I myself have held the idea that the success or failure of the hacks isn’t as important as the notion that the systems had been tainted by hacking or manipulation. As you all may remember there were news stories of how the hackers attacked the systems before the elections before Reality dropped her document on the Intercept and then promptly went to jail for her stellarly bad OPSEC. Those stories seem to have been largely forgotten by the general populace but not so much with the IC given the snips of the document given to the Intercept. The snips show how the adversaries used common phishing exploits to “spearphish” the users at particular companies in a credential harvesting operation. Once I really took a close look at these though I began to question some things and thought maybe you all should too.

Why doesn’t the NSA know whether or not the attacks were successful?

So yeah, why doesn’t the NSA know whether or not things worked for the adversaries attacking these systems? Were there no forensics? Were the NSA not allowed to see anything? One begins to wonder why all this is in the report marked TS and such. Of course something in the markings also says “To US” so would this imply that the data came from FIVEEYE to the us? Once you begin to ponder all these things you start down the dark path of the game of shadows and we don’t need that. All of this said though, once again, the document here is showing only that they know attacks happened but they have no evidence of the attacks working and to what extent.

Why is that?

Where are the C2’s and other IOC’s?

Given that we don’t have the information on whether or not these attacks worked, then I guess it is a foregone conclusion to ask for, ya know, evidence right? Well I am gonna ask anyway, where is the evidence of the attacks other than the email address given in the report? No C2’s no infrastructures outlined. Are they in another compartment somewhere? In fact Reality had made mention of another document in her jailhouse tapes so are these bits in there? Without these one cannot conclude much of anything as to the adversary we are dealing with. After all, you all in the business know that these kinds of phishing attacks are quite common. How many of you blue team folks who read me have seen these same kinds of Google Drive/WP/PHP sites that harvest creds then pass you to the site you wanted?

This is not advanced

This is not uncommon

This is not a lock on any adversary in particular

Yet here they are saying it was the GRU… Why? What other evidence do they have? HUMINT? SIGINT? None of this is mentioned in what we have been given by the Intercept.

Why is this all marked TS if there is no real sources and methods here to burn?

Back to the whole TS/FVEY/ORCON alphabet soup, why is this being held so closely? Now, I have my own particular bent here that I have written about in the past which goes something like this;

  • We don’t want to admit the hacks happened because if we did it would cast doubt on the election
  • If we admit they happened people will doubt the system and it will erode the democracy
  • If we admit they happened AND they actually got in and they manipulated the system… Well… HOLY SHIT there’s goes the election system and the democracy
  • If we admit it happened and it worked then how much trust would there be in the government anymore?

In fact in articles circulating today, and I think it was in the Bloomberg piece, the case was made by President Obama that they would not want to admit to a hack for these very reasons…

So, there is that huh? If the scope of the hack is proven then it will in fact have the effects above and it would give Putin the satisfaction that his goals of active measures are still bearing him smelly fruit. I can then see them wanting to keep all of this stuff super secret couldn’t you? I guess Reality, though an idiot, perhaps had the same feeling and decided to do this in some warped view on trying to get rid of the current president. Another reason may be, and this is a tenuous one, that all of this is now part of the investigation into Russian meddling that the Congress is carrying out. I doubt that is the reason though. I really think it is just the IC being the IC and that the government has a reason to keep this all secret because it would erode things further where the government and our system of elections are concerned.

GRU or Patriot Hackers? (A Team versus B Team)

Alrighty, now we get on to the whole whodunnit thing. The documents sure do say that it is the GRU but like I said they don’t give you enough proof to do anything in a court of law for sure. While I was pondering this I had a flash on what Pooty said recently about “patriot hackers” and how the NSA document here alludes to klunky attacks. Like I said above, these phishing exploits are not uncommon. I see these every god damned day so it is really a measure of how well they were put together and whether or not escalation and pivoting happened to show another kind of actor here. Oh, and yeah, that information is conveniently not in the report here and once again, the NSA does not know if the attacks succeeded.

Think about that.

Then they go on to say it was Russia.

Ok, so maybe, just maybe it was Russia but it was the patriotic hacker B team eh? What if Pooty was telling a truth there and we all just scoffed and moved on? Given what the documents say I can see that maybe some talented amateurs or a B team decided to carry out a moonlighting operation to amplify things. Hey crazier things have happened right? What I am saying is open your minds to the idea that this was not the GRU but other actors like cyber patriots who may have gotten in but then failed to really do damage to the systems.

Maybe.

Without ya know like evidence though… Meep Meep.

Conclusion:

Welp, the cat is out of the bag NSA. It’s time to fess up. I think you and the government need to start producing evidence, forensic evidence, or GTFO. If the election data was hacked and manipulated then let us all know and then FUCKING FIX THE SYSTEMS AND MAKE THEM CRITICAL FUCKING INFRASTRUCTURE!

Dr. K.

Written by Krypt3ia

2017/06/13 at 16:31

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: