Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Fancy Bears, CyberCaliphates, and Reporters

leave a comment »

Recently the AP put out a story that links the GRU (Fancy Bear/APT28, whatever you want to call them) to a spate of threats made to five military wives back in 2015 and alleged to have been carried out by Da’esh or the CyberCaliphate. Caliphate is/was/kinda was a loose group of hackers in the Muslim community who carried out a bunch of web defacement’s with slogans like “we love ISIS” etc. Now this isn’t very scary and the group finally got a titular leader in Junaid Hussain, a Brit who went to Jihad after being popped for hacking with an Anonymous group. These disaparate groups of skids are still out there today defacing pages and causing a nuisance but none of them ever rose to the level of being a clear and present danger hacking wise, but Juny, well, Juny became a mouthpiece for da’esh and his popularity got him whacked with a missile in Raqqa.

From AP News

The AP story though, is only tangentially about the CyberCaliphate in that the claims made by the AP are that the five wives who were threatened were in fact not threatened by Caliphate, but instead the GRU carrying out a “False Flag” to make it look like it was the skids. While Juny and whoever else he was working with did in fact dump some military data back in 2015, there were other hacks that went on that people think wasn’t him and the brothers at all but their sophistication means that they had help if not outright wasn’t them at all. The fact of the matter is that finding open source lists of military and other’s details is easy with Google Fu today and no hacking may have been needed for many of these dumps that the ISHD dropped. There were some righteous hacks though and I can easily go with the idea that the Russians and others perhaps had been leveraging these guys names to carry out their own attacks for their own ends,but, this threatening of five military people’s families is a bit of a stretch for me to say is definitively the GRU and not in fact the real ISHD or Caliphate hackers.

My biggest problem with this AP report is that there is little to no details on how they came to the conclusion they reported. In asking the reporter, Raphael Satter, on Twitter I only got sketchy replies on how he/they got this grand conclusion. Basically, his story is that he asked SecureWorks for their data (including personal information it seems of those who got hacked/attacked) and went through all of the phishing emails that were carried out by APT 28 using the bit.ly links to avoid Google filters. Out of all those 4k emails they then saw that the five families were recipients of the phishing emails that APT 28 carried out on the everyone in their large drift net attacks to gather intelligence. AP/Satter then went and rummaged in their closet for the JUMP TO CONCLUSIONS MAT and laid it out to finalize their cognitive bias. From this, and it seems bothering a bunch of military wives previously on the 4k emails that went out they came to the conclusion somehow, that the five were in fact attacked by the GRU because they got those phish. Satter and AP give no details or evidence on this and in my chat with Satter on Twitter he was too busy pub crawling to answer my questions fully on this.

While it is not inconceivable that these families may have been harassed by the GRU for some reason, it is also not a conclusive fact given what has been presented by the AP that they did in fact do this and it was not really the actual ISHD or CyberCaliphate or even just Juny himself. What really needs to happen though, is when a reporter and an agency makes an assertion, but provides little to no evidence of it, it kinda comes off as a grab for attention without truth to back it up, in effect, they did it for the clicks. Now if Satter and AP can provide more conclusive data then I will concede that they are in the right here, but so far they have not. I see no direct connections in the story to anything more than the fact that these ladies got messages on Facebook that were threatening and claimed to be from ISIS. When I asked if Satter had tried to pull the data together to see if these families all had members in FOB’s (Forward Operating Bases) he did not even know what that meant, so I enlightened him. My point being is that if those five members of families were in an area that the Russians wanted to effect some outcome at the time of the attacks, then maybe I could see my way to believing it, but if it was only five, and there is no evidence that they were in positions that the Russians would want to effect, then why do this at all? Why only five? Am I missing something? It all comes back to “Cui bono” or “Who benefits?”

Certainly the AP story is splashy and makes for clicks but I have these concerns as well as I now have to wonder about SecureWorks giving up this data with PERSONAL DATA ATTACHED to the AP. Say, isn’t giving personal data of military and government people to the AP a violation of law somehow? Even of the AP says they are protecting the data, this isn’t really kosher to me, but who am I huh? Maybe just someone with data out there huh? It also makes me wonder how SecureWorks is feeling about all this too. I mean, they had all this data and they did not report this. As Satter said to me; he and a team of people pulled all this together. Well, unless you provide your work it’s just another story and may be in fact incorrect. But back to SecureWorks, why did you guys give this data to the media? What were you thinking?

Screenshot from 2018-05-14 09-12-55

All in all I have had this story sticking in my craw for a while now and I had to get this out. I have worked on the Caliphate and ISHD tracking so I know the players and I know the game. I am certain that in some cases the attacks carried out were more sophisticated and coherent for them to be the actors involved but to make these wild leaps of logic like AP did and then publish them without supporting evidence is bad journalism. In a time when the media want’s to be above board because we have a liar in chief in office who is daily attacking our institutions like the Fifth Estate with disinformation, we need you reporters to do a better job than this. If Satter and AP can provide more than I will be happy. Until then, this story is just that and just adds to the cacophony of fake news and clickbait that I deplore.

K.

UPDATE: One last thought I thought I should add. There is a definite difference between actors here where it comes to ISHD and CyberCaliphate. Two different manners of attacks/hacks and ways of speaking. Look at the image above and look at the language as opposed to most of the defacements and posturing by the UCC. So if you want to say anyone GRU may have done this you would want to call them out as ISHD (Islamic State Hacking Division) as opposed to CyberCaliphate.

Just Sayin.

Written by Krypt3ia

2018/05/14 at 12:33

Posted in Da'esh, ISIL, jihad

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: