In 2013 I wrote about leaderless jihad and the “Stand Alone Complex”. Now we are seeing this type of leaderless, “inspired by” thought virus playing itself out on the national stage. Last night’s attack using a lorry was presaged by two issues of Inspire Magazine back in 2010 and 2014. There isn’t much to it really: gather some weapons, steal a truck, and then plow it into a crowd. But it has taken this long for the insidious idea to take root in the collective unconscious of the would-be jihadis. The days of a more rigid and trained “jihad” are being eclipsed by unbalanced individuals seeking attention and reinforcement of their sick ideas through the media, the internet, and our collective inability to look away from a tragic scene on a glowing screen.
Soft targets were always the preferred avenue of attack, but since the attacks in France and other places like Bangladesh they are now being seen as a top priority for security forces. While Dhaka, on the face of it, involved a contingent of more trained individuals, the attack last night is as simplistic as they come. This is what is really scaring the populace and the security services, because now it seems that the authors and actors of these acts are in fact just one guy and not a cabal that could perhaps be tracked using pervasive surveillance. A cell of one is hard to track, and certainly if they self-radicalize by just downloading Inspire magazine and watching YouTube, well, what can one do? There are no easy answers here in the world of detection and prevention.
So here we have it. I have been pointing this out for a while: at first it was AQAP trying to inspire “OSJ” or Open Source Jihad. Now Dabiq and Da’esh are carrying it on and furthering it with the media zeitgeist that ensues with each attack. The net effect is that these people are self-radicalizing with the help of the media’s obsession with covering these acts ad nauseam. The pervasive hand-wringing and talking heads only serve to whet the appetite of the would-be jihobbyist for action. Forget the Inspire magazines and the videos; just watching CNN is enough, it seems. This all is very much like the plot line of “The Laughing Man” arc of Ghost In The Shell: an act carried out on the media instilled in others the urge to carry out like acts in order to be on the media, furthering the idea(l) as well as serving to fulfil the actor’s need for attention and satisfaction.
This is pure psychology at work and there are a host of reasons and syndromes that could likely be pointed at to rationalize its happening. The fact of the matter is that now we are seeing it play out rather bloodily on the streets of the world in furtherance of an idea and ideal set that lends itself to the like-minded… Or should I say mentally ill? Yes, I would say mentally ill. These actors are acting out and likely have some borderline tendencies to start with. These people feel outcast in their societies, or out of place within the societies they are living in as second-generation citizens. It is a complex thing to nail down and I suggest that anyone who might want to delve into it further read “Leaderless Jihad” by Marc Sageman.
We need a more nuanced approach to the GWOT and I am afraid we won’t get that…
While traversing the darknets, as one does today, I came across a constellation of sites hawking counterfeit currency, particularly American twenty and hundred dollar bills. It is not uncommon to see counterfeit currency on offer on the darknet markets, but in this case these were stand-alone sites by a proud group of counterfeiters offering, on the face of it, almost superbill-quality notes. Stuff that has not been seen in a while, since the takedown of the DPRK’s efforts to not only manufacture currency for their own purposes but also potentially use it in a larger scheme of currency destabilization.
The notes in this case, however, aren’t the old hundred dollar notes of yesterday but today’s counterfeit-protected notes that the US rolled out to the masses in 2013. With color as well as new inks that fluoresce and have metal in them, and hidden tech to stop fakes, the new bills were supposed to be incredibly hard to create. Well, it seems that these guys on the darknet have done a pretty good job of creating a passable facsimile, as seen below:
That’s right kids, this can pass the UV light test, it has the fiber/metal strip, it has the holograms, and it has the look of a real bill. In fact I have at least one alleged user who has passed the hundos at a local establishment without issue. Of course it is common practice to use smaller bills than this; some devil-may-care types will buy the hundreds and pass them in gas stations and other low-end brick and mortar stores in hopes that the tellers there will not know the difference nor have the technology to test the bill for authenticity.
So someone has been passing these already, if you are to believe the Reddit post. I should think that it is quite possible, and while I did not check out “mrexpat” to see if he is a shill, I know just by looking at the site and the language they use that they make a “quality” product. The site(s) are all by the same maker, or brand if you will. They call themselves USD4U and they are pretty brazen in their advertising, including telling the client not to haggle with them: the price is the price! That price being as follows for varying denominations and weights:
As you can see they offer anything from ten dollar bills all the way up to the hundred dollar bills seen at the top. They deal only in Bitcoin and they offer FREE SHIPPING on orders of $250.00 and over. Of course, if you look at the prices they are pretty cheap for the most part. However, in larger operations with serious folks you buy bills not by the note but by the pound (weight). These guys also have the niceties of an “affiliate” program and an earnings program, which I am not sure exactly how that would work, but ok…
Another interesting note is that they say they ship from the US, which makes me wonder a bit about these guys. For the most part my digging has shown that in their photos the players are Asian, but that could just mean it is a Tong or another such group doing this. They certainly spent big bucks on the printing process, though, and seem to be using quality materials as well to make these notes… So is this just a sideline or what? The brazen behaviour I alluded to above is that they have taken photos of their flexo printer, which they “heavily modded” in order to make these bills.
For those not in the know who do not want to go read more in the link above, a “flexographic printer” is a specialized piece of machinery that can print on many types of material using rubber “plates” that can carry high-res scans. So, if you ever had print shop back in the day (as I did), you make a flexible plate and then run that on your media with the flexo, and you get crisp images with texture. Texture is key here: when you just laser print a note you don’t have the right feel, and in some cases you may not be able to run high-fiber-content paper through an inkjet at all. No, these are printed on cotton stock and have the raised-ink feel of the real deal.
(I know what you’re thinking here.. “What has he been up to?” No, I am not a counterfeiter… No really!.. Ask me at DEFCON and buy me a drink maybe I will tell you more…)
This modded rig, as they call it, can run jobs fast, in multiple colors, and handle the iridescent ink they need to make a passable note. I would have to actually get my hands on a note to say more about the quality of the paper and the strip and all, so I will just leave it there, but were one to pass one of these at the local gas-n-sip without the little pen check, I am pretty sure you would walk away with change.
A Little Investigation
Anyway, looking at this site I decided to dig a bit and see if they done fucked up somewhere on the OPSEC. I ganked the sites down using wget through torify and checked for metadata etc. What I found was pretty much nothing to write home about. They have done a good job of securing the site and using Tor to obfuscate who they are, but those photos just had me thinking they must have left some clues there. So I took a closer look at them.
[Images: two photos of men unloading the flexo printer, captioned “Asian Man 2” and “Asian Man 3”]
So yeah, Asians unloading the flexo. Are they the owners? Are they minions? I really cannot say, but I will say that Asian gangs have been known to be involved in this activity in the past, as has the DPRK. Slick professional operations like this tell me that these guys have been at this for a while. Their versatility in making old and new bills, the use of the flexo and the right materials… It all leads me to believe they are pros…
Or… It’s a trap!
The images had no metadata to use, though, so we have to go on the IMINT itself. The biggest tell to me is the number on the forklift. Someone may be able to get a lock on where this thing is sitting, because they unloaded it in these photos in some industrial area and that machine did the work. A long shot really, but hey, it is what it is, right? That’s all the attribution I am willing to state here on this. Maybe Los Feds (USSS) can do a better job?
So What’s It All Mean?
Welp, I for one am impressed with what I see here. From a forgery perspective these guys have a legit *cough* act here. Yes yes yes, criminal, but interesting! So many places on the darknet are just poorly put together craptastic sites with a barker at the front door yelling “BUY SHIT!” This though is more subtle, straightforward in a crooked way, and merits the attention of both me and perhaps the federal authorities that handle such things as fake currency. They must be doing a good job, because at the top of the site they also warn clients to look out for a cloned site! Imitation being the most sincere form of flattery, is it?
I also think it very telling that they offer no Bitcoin wallet on the site. This to me says that they are being careful with the OPSEC, and frankly that is a smart play. You have to order with your email address and they will contact you. It could all just be a scam… It could be a sting operation… I am not going to go any further to find out, though. I just surf the darkest parts of the darknets and chortle.
Oh darknet.. I lurv you!
I have decided to carry out a little insidious game with those who wish to play at DEFCON24. The prize of this little game is a two-thousand-year-old Roman coin that I have selected from my stash of cleaned coins. All you have to do is solve my puzzle and follow the instructions therein. I will be posting the puzzle just before DEFCON24 (August 4th 2016), so keep an eye out on the Twitter feed and the blog.
Recently, a reporter I know came to me asking if I would look at the ICIT brief “The Anatomy of Cyber Jihad” and give input on it. They wanted my opinion because the firm that wrote it was seeking a reporter to flog it on their news site. After looking at the “analysis” I told the reporter this exact quote: “This report is the marketing equivalent of yelling fire in a crowded theater.” Well, it seems that CNBC bought it, though, and my hand has been forced to write about this travesty (see the CNBC report that forced my hand). I told the reporter to back away slowly, and to their credit they did. CNBC, not so much. So here I am going to outline how this report is full of marketing, cognitive bias, and wild assumptions. Oh, and that is if you can get past the hyperbolic language in the first paragraph…
I shit you not..
Cyber Caliphate & Junaid Hussain:
The report goes on for a long time about Da’esh and their origins. While much of that data is right on, the report starts to go off the rails once they begin talking about the “cyber” part of the picture. They start off by talking about Juny and his cybering, the defacements out there, and the propaganda war that is still ongoing by the likes of Da’esh, AQAP, Boko Haram, etc., which is all fine and mostly accurate, but then they start to talk about “possible capabilities” right after they pretty much said “They aren’t that capable.” Cognitive dissonance much there, guys? The truth of the matter is that to date the propaganda war is the biggest and most dangerous war here, not the so-called cyber war that this “analysis” is pimping. I have been following this stuff since 2001 and Juny is really the new Younis Tsouli: both were/are moderately skilled in hacking but not much more than that. Both were much more propaganda figures, and more dangerous in that capacity than in any of their hacking skills. In fact, in the case of Younis, he got the heat and got popped for that very reason: he was making a splash and attracting followers. Juny had that very same skill set and became a much bigger deal because he caught the zeitgeist of the jihobbyists out there with his mouth on Twitter. This is why he was killed with a Hellfire, not because he hacked any big databases or got the real dope from some hack. In short, both were a danger because they had followers, and those followers were radicalising off of their jihadi bluster online and caches of propaganda from the main marketing teams of their respective terrorism groups (AQ for Younis and Da’esh for Juny).
Of course the report would not be scary enough without the “Cyber Caliphate”, an operation that Juny lamented on Telegram was just him, no one else, before he got whacked. That’s right kids, Juny was pimping something and making shit up. Once Juny got whacked, you know what happened? Groups of guys like Team Fallaga took up the mantle and went on to deface pages like the dickens! “OOH SCARY DEFACEMENT BRO” While the report states this, and some of the other information I just mentioned, they then go on to analyse and say that these guys aren’t capable now but someday… SOMEDAY they could be. Oh really? You don’t say! Sure it is possible, but it is not likely. Given that most APT activity takes money, time, and cohesion, and the jihadis are all over the place and usually small disparate groups of skiddies, not solid hackers, the scare-tactic analysis is way off the mark in this report, and this is why I told the reporter to step back slowly from their pitch. If this group had left it at “it could happen but it is not likely” I would have had some respect for them. Instead they chose the other route: scare the client into buying shit. As for Cyber Caliphate and all their other silly acronyms, none have shown that they are a credible threat to much else than an insecure web page. No real data has been hacked, and their “data drops” of enemies to kill have all come from open sources on the internet. Sure, is it problematic that they are doing this? Sure. Is it a clear and present danger of cyber capabilities such that they could strike the grid next?
I need not say more right?
… But I will.
DO YOUR GOD DAMNED HOMEWORK AND QUIT THE FEAR MONGERING FOR MONEY!
CYBER JIHADI DARKNETS
Of course these guys could not miss an opportunity to scare, and of course they had to use the scary “Dark Net” or “Deep Web”. I have been on the dark net for a long time and I will tell you I have found a few sites, but nothing there is that scary. In fact, to date, the sites either have been hacked soon after and taken down, or just sit unused. So really, the dark net is no threat here. Sure, the jihadis are using technology to obfuscate their chats now and trying to hide in the “deep web” of un-spidered content, but the reality is most of this stuff is non-operational. What the jihad today (Da’esh) wants mostly is to radicalize and activate those in the US like Omar Mateen without ever really having contact with them.
So, the darknet… Not so much a terrorist haven kids. Sorry
Overall Analysis of Scare Marketing and Cognitive Bias
This report is a travesty, a tissue of what-ifs that really is just a pulp thriller wannabe thinly disguised as a marketing piece cum serious analysis of jihad online.
Please believe none of it.
I grow more and more weary of the attribution games being played in INFOSEC, and the DNC hack is just another in a cavalcade of epic missing-the-point parades. Since the “scoop” given to WaPo by Crowdstrike, there has been a flurry of allegations, revelations, and throwing of attribution dice akin to a basement game of Magic The Gathering, replete with summoning!
“I summon the Russian GRU!”
“I summon the LONE ACTOR!”
“I summon the KGB!”
*slaps down cards on table* TAKE THAT!
The reality here is that there are more than a few games going on. Think about it: Crowdstrike gets a media coup by selling this story to WaPo, who just happens to have been banned by the Orange Julius of our time, presidential candidate Donald Trump! WaPo jumps on this like a child on a fresh tit and runs with the attribution story, setting the world on fire for Donny boy with the release that the DNC not only was hacked but that his dirty laundry may be in the hands of Kommissar Putin!
So, first let’s set aside the whole issue of marketing, which for me is akin to choking on a hairball left by that chick in “Ringu”, and move on to the veracity of the attribution as well as the real need to name and shame here. I for one can believe that the two nation-state actors’ software and activities were found by Crowdstrike on the DNC systems. The fact that there are two disparate groups from the same nation state is interesting in itself. I guess they are not really talking to each other, and given the state of affairs there in Russia I can see this as being a true accounting. However, I can also see my way to there being third, fourth, fifth, sixtieth actors also in the network, or having been in the past as well. Face it, these are government systems that usually go to the lowest bidder, right? This was likely the Diagon Alley of Democratic networks.
So, to say that it was only these two actors might be a stretch. There is room for doubt, and after the dump by “Guccifer2”, as they are calling themselves, it is easier to think that perhaps there is more to the story than what we have been given by the media, the DNC, and Crowdstrike. Given that the documents on Gucci’s WordPress site are legit and that they seem to be pretty well stamped down on metadata, one can’t make too many assumptions.. Oh, yeah, but everyone is! At the end of the day for me, even though I will play the game a little bit below the fold here, the real issues should be how the hackers did it, and fixing the behaviors of the DNC to stop it from happening again for a year or two at a time in the future. Not so much pointing at Russia and yelling; “YOU TOOK OUR SHIT! BAD POOTY! BAD!”
Put another way… I eagerly await the FBI warrants and 10 most wanted cyber listings for the Russian actors they have all this attribution on … I suspect I will be waiting the rest of my life for that one kids… Just sayin. This was mostly about marketing as far as I am concerned and I have to give them props for working that one. Sales must be up in the government area now because of this caper right?
Metadata and Cyrillic:
Meanwhile, after the WaPo story hit the wires the “lone hacker” created his WordPress site and dropped dox, as we say on the intertubes. Shortly after the drop people were inspecting, detecting, infecting, and making circles and arrows with captions on the back to describe what you were seeing! … And the conspiracy theory machine went into overdrive. Pwnallthethings made some good comments on the metadata in the dropped dox, but really, concluding that this is a Russian disinformation operation from metadata-stripped documents on the idea that the machine name was Cyrillic for Felix Dzerzhinsky (Феликс Эдмундович)? Really? Now that is fucking SOLID work, man! Stellar! FUCK, LET’S GO BOMB RUSSIA NOW!
You know, at least Crowdstrike has like actual data, ya know, C2s, malware, and shit like that. Anything else is totally speculative, I mean even more speculative than most attribution that these companies make with real data! Anyway, I took a look at the metadata on the documents and here is what I have found…
- Much of the metadata was stamped out in saving from format to format
- Emails of users, though, were still embedded in the Excel files
- The Word docs have no more metadata than the Iron Felix machine name, which, gee, kinda leads one to wonder…
- The image files have no metadata.. none.. niente, clean.
- Grizzli777 is just someone who pirates
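What that kind of check looks like in practice, as an added example that is not the blog’s own tooling and uses none of the dropped documents: a small reviewer script that reads the core and extended properties of Office Open XML (.docx/.xlsx) files and then scans the workbook’s shared strings and the document body for e-mail addresses that survived a save-as. Every sample file, author name, date and address below is constructed in memory for the demonstration.

```python
"""Office Open XML metadata review: read docProps/core.xml and docProps/app.xml,
then scan cell/body text for e-mail addresses that survived format conversion.

Added example, not the blog's own tooling. Every sample file, name, date and
address below is constructed in memory for the demonstration."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import Optional

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
    "ss": "http://schemas.openxmlformats.org/spreadsheetml/2006/main",
}

# What a reviewer wants from a dropped document: who made it, who last touched
# it, when, and on what software. Empty elements are ignored.
CORE_FIELDS = {
    "creator": "dc:creator",
    "last_modified_by": "cp:lastModifiedBy",
    "created": "dcterms:created",
    "modified": "dcterms:modified",
}
APP_FIELDS = {"application": "ep:Application", "company": "ep:Company"}

# Cell text in a workbook lives in sharedStrings.xml; docx body text in document.xml.
TEXT_PARTS = ("xl/sharedStrings.xml", "word/document.xml")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def _fields(zf: zipfile.ZipFile, member: str, wanted: dict) -> dict:
    """Return the non-empty elements of one properties part; {} if the part is missing."""
    try:
        root = ET.fromstring(zf.read(member))
    except KeyError:
        return {}
    out = {}
    for key, path in wanted.items():
        el = root.find(path, NS)
        if el is not None and el.text and el.text.strip():
            out[key] = el.text.strip()
    return out


def extract_metadata(data: bytes) -> dict:
    """Metadata fields plus any e-mail addresses found in the text parts of an OOXML zip."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        found = _fields(zf, "docProps/core.xml", CORE_FIELDS)
        found.update(_fields(zf, "docProps/app.xml", APP_FIELDS))
        emails = set()
        for member in TEXT_PARTS:
            if member in zf.namelist():
                text = zf.read(member).decode("utf-8", errors="replace")
                emails.update(EMAIL_RE.findall(text))
        if emails:
            found["emails"] = sorted(emails)
    return found


def build_sample(core_xml: Optional[str], app_xml: Optional[str], parts: Optional[dict] = None) -> bytes:
    """Construct a minimal OOXML-shaped zip for the demo (not a complete Office file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if core_xml is not None:
            zf.writestr("docProps/core.xml", core_xml)
        if app_xml is not None:
            zf.writestr("docProps/app.xml", app_xml)
        for name, body in (parts or {}).items():
            zf.writestr(name, body)
    return buf.getvalue()


CORE_OPEN = ('<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s">'
             % (NS["cp"], NS["dc"], NS["dcterms"]))

# Constructed sample 1: a .docx whose authoring fields survived the save.
DOCX_WITH_META = build_sample(
    CORE_OPEN + "<dc:creator>sample.author</dc:creator>"
    "<cp:lastModifiedBy>editor-workstation</cp:lastModifiedBy>"
    "<dcterms:created>2016-06-01T10:00:00Z</dcterms:created></cp:coreProperties>",
    '<Properties xmlns="%s"><Application>Example Office 1.0</Application>'
    "<Company></Company></Properties>" % NS["ep"],
)

# Constructed sample 2: an .xlsx with its author field blanked, but a cell that
# still holds an address, the kind of leftover noted for the Excel files above.
XLSX_WITH_EMAIL = build_sample(
    CORE_OPEN + "<dc:creator></dc:creator></cp:coreProperties>",
    None,
    {"xl/sharedStrings.xml": '<sst xmlns="%s"><si><t>Contact: donor.list@example.org</t></si></sst>' % NS["ss"]},
)

# Constructed sample 3: properties parts removed entirely, nothing in the body.
STRIPPED = build_sample(None, None, {"word/document.xml": "<document/>"})

if __name__ == "__main__":
    for label, blob in (("docx", DOCX_WITH_META), ("xlsx", XLSX_WITH_EMAIL), ("stripped", STRIPPED)):
        print(label, extract_metadata(blob))
```

The point of splitting the two checks is the one the list above makes: the properties parts are what a save-as or a deliberate scrub blanks out, while addresses typed into cells ride along in the shared-string table and are only found by reading the content itself. A machine name or author string that does survive is a single data point, not an attribution.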
Yep, not a lot to see there, and yet people are hanging their collective hats on the deliberate placement of Феликс Эдмундович as the machine name as proof that it is quite OBVIOUSLY Mother Russia’s secret services and no one else.
*squint.. takes drag of cigarette*
So here’s my assessment…. Maybe Russia did it… OR maybe this actor is the real thing and happens to want to take credit. The fact that this person (or persons) reads, writes, and has Cyrillic on their machine and names it after the founder of the KGB is as reliable a means of saying it was Russia as saying that aliens built the pyramids because people back then were just too fucking stupid!
All of this hoo ha really means nothing. The fact of the matter is that now Donny’s dirty dirt is open source!
Wait.. I read it.. What the shit people? REALLY? THAT’S ALL YOU HAD HILLARY? COME ON!
It doesn’t matter who did it really.. The horse is out of the barn and the barn is on fire, kids. So please, stop with all the wankery and move on to the next hack, ok?
Motivation Analysis and Hypothesis
RIGHT! Well now I want to play the attribution/motivation/game of clue too! So here goes…
Imagine if you will that Russia did do it. Imagine also that Gucci2 is still Russia’s services performing a disinfo campaign against Crowdstrike. Now imagine why they would be doing that. Why would they drop Donny’s dox AND all the other fun stuff for the Clinton campaign, which is in trouble already over the cybers! What effects would this have? Let’s list it out for you…
- Dropped dox of the dirt -> Blows all Hill had on him unless there is a double secret probation file somewhere
- Dropped dox yet to be released on Wikileaks -> Let’s say, as Gucci2 alluded, they were also in Hill’s mail server, ya know, the one that wasn’t supposed to be? Oh yeah…
- If that server was popped by the Russians and Gucci1, those criminal charges could be much more deleterious, right? *waves at FBI*
- Dropping of dox and general hackery causes the DNC and the election process to be even more fractious than they already are
- Dropping dox makes Hill’s candidacy potentially weaker (hint hint server -> Russians -> PWN wink wink nudge nudge!)
So all those effects would do what possibly? Why would they want to do this? WHO WOULD WANT A TRUMP PRESIDENCY?????
Why Pooty of course!
Think about it kids. Given your knowledge of Teeny Tiny Baby Hands Trump, do you think he could stand up to a bearish Putin? *sorry had to use that one* Do you think that perhaps Donald is easily.. Shall we say.. Distracted or led? Come on, I know you can all reason this out. A Trump presidency would be sweet sweet love for Putin. He would have a friend, and someone he can sit on his knee to play ventriloquist with! … Well, until he has to polonium enema him that is.
That’s my theory and I am sticking with it… For all the fucks that it is worth.
I will say though.. I am waiting on those documents to show up in Wikileaks. That’s when the shit is really gonna hit the fan.
See you all in INFOSEC attribution Hell.
The Irrational Actor:
EVERYONE has lost their shit over the attack on Pulse in Orlando. The media is in a feeding frenzy, Twitter is lit up with rhetoric and those flogging their points of view, and even I had a moment of “SOMEONE ON THE INTERNET IS WRONG!”, which some of you will probably say is just par for the course with me. I am trying to stay out of it as much as possible after yesterday, and it has even led me to look at the Twitter feed much less, because it just drags you into the collective mass hysteria when you do. But I thought it appropriate to have a moment of clarity, and maybe introspection, here before leaving the arena altogether.
Many of the reports on the news and the tweets in the feeds are verbally gesticulating about how this attacker was inspired by, or a lone wolf for, Da’esh, and arguing about this fact or that which really has yet to be categorically proven. I would like you all to just take what is known as of today, step back a moment from the whole jihad angle, and look at the actor as one might in a profiling situation such as the FBI might carry out. What motivated this guy? How did he carry things out? What are his past actions?
- The FBI looked into him three times because he was pegged by others as being a potential terrorist from comments he made
- The FBI talked to him and found that he did not know about the groups in any real in-depth way and that he seemed to be attention-seeking or perhaps a bit unbalanced
- As of late yesterday reports have surfaced that this man was a closeted individual (wife and others reporting this)
Now, if you remove all of the surface content of jihad and Da’esh, all you have is that this guy seemed to have some internal struggles from his upbringing and his proclivities. He was raised in a household that may have adhered to a stricter interpretation of right and wrong (in their minds, perhaps about sexuality), and by today’s indications this may have caused a fair bit of self-loathing over his own desires. Suffice to say this guy had issues, and that perhaps was the stressor that led to this incident. What I want you all to consider here is that without the jihad angle, this guy is what is termed a “spree killer”. What has everyone bent is the fear of terrorism on American soil, but they are failing to see the forest for the trees in this case.
Now this brings me to the irrational actor part of the title of this post. Everyone and their brother is going on and on about terrorism, lone wolves, and planning, while I would suggest that we consider that this guy was an irrational actor with an organized personality. What this in fact means is that he was stressed, he was unbalanced, perhaps delusional, but he was also an organized killer. He planned this attack out and carried it off, but he was not what I would consider a rational actor motivated by an ethos of Radical Islam. I would instead say he was a troubled individual who used Da’esh as much as they used him after he carried out this heinous crime. Each served the other’s purpose in rationalizing their irrational and malevolent behaviour.
So, please take a step back and consider that this spree killer did what he did and blamed it all on an ethos that he may not have wholly understood nor believed in. Had he really been a true believer then he might have gone to Syria or been under more prevalent scrutiny by the authorities. Instead he was taken off the watch list because he wasn’t seen as a real threat in the sense of being a true jihadi. Of course perhaps he should have been considered a threat under the rubric of being an unbalanced individual who may act out.. But we really do not have that option here, do we?
The Asymmetric Propaganda Jihad:
On the other side of this issue we have much being bandied about by the media and the bevy of former CT/security darlings who get air time about how the paradigm has changed since this attack was carried out. Has it really? How long has “Open Source Jihad” been around anyway? Oh yeah, years. Inspire was the first magazine to coin the term, and since its inception there have been more than a few attacks in various places around the world that I would equate with the teachings of OSJ as a source of inspiration. So now that someone has killed 49 people on US soil it is suddenly a paradigm change?
The fact of the matter is this: this asymmetric propaganda war has been waged for years, first by AQ/AQAP and then perfected with Da’esh’s tweaks that made it more appealing to the unbalanced amongst us. As we have seen over the last few years the government finally started to understand the problem, and so too have companies like Twitter, which is trying to fight it with account banishments. Of course nothing has worked so far, and the message keeps getting through over a medium that is the internet as a whole. Communication at the speed of light is the medium and there is no putting that genie back in the bottle. We must come up with more thoughtful and meaningful approaches to fighting it, but so far the US government has only half-heartedly attempted a counter-propaganda campaign, “Think again look away”, that frankly seems to have been written by advertising reps from the 50’s.
The reality is this: there have been one hundred and thirty three mass shootings in the US since January first 2016. Two of these, to my knowledge, have been at all related to jihad. When are we going to look at the larger issue of the spree killings and the psychology of the irrational actors perpetrating them, instead of focusing on the jihadi aspect of only two? This is the crux of the issue, and I have to tell you all here that, like psychological profiling, it is an art, not a science. What I am really trying to say is that there is no way to truly stop these things from happening. In the case of Omar Mateen, he said things and was investigated, but unless he was put under complete surveillance 24/7 there were no solid ways to determine his actions to come. Hell, for that matter, the stressor of being under scrutiny could have been the straw that broke the camel’s back and caused an attack!
Everyone needs to understand that life is random. The universe is random, and there is no sure way to stop these attacks.
No guns… Sure, someone will get a katana and hack people to death
Surveillance of everything in drift-net unstructured data…. Still won’t help if you aren’t analysing it all and even then you miss things.
Investigations like the FBI carried out and being put on watch lists… Nope as we can see it did not work.
All of you need to understand that you could die slipping in your shower just as easily as being killed by a spree killer with an AR-15. It’s just the roll of the cosmic dice. I am of course not saying that we don’t need to try, but let’s not react the way I have been seeing in the media, the net, and everywhere else after this attack. It does no one any good. Was what Omar did terrorism? Yes, it was, because his goal was achieved; just look around you now.