Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘Active Measures’ Category

Russian Phish on Hudson Institute & IRI Org: Filling In The Gaps

leave a comment »

So Microsoft proclaimed that they had taken down some domains and stopped the GRU/SVR from carrying out some more active measures against the US election cycle. Now, they obviously have some more intel than they are letting us all know about because while the domains are definitely set up for some gov spearphishing, we don’t have any emails or data to show they actively had a campaign running. The domains (see below) are concerned with two think tanks that have a plethora of data that the Russians would want to have and perhaps tinker with but the government domains are aimed squarely at the Senate.

 

While the domains that are meant to typo-squat the think tanks are around one hundred days old, the senate domains are much older. In fact, these domains have been creepin around anywhere nearly a year to just over a year. So you can see where the Russian services were aiming and have been planning for at least a year plus on the senate campaign. The think tanks are a newer though and as such I have to wonder about the thought process by the GRU/SVR on these. Were the Russians looking to simply gain access to these think tanks and gather intel not just on their Russian stances but also around the world as the Russians have done before (mostly by the SVR collections missions) or was their plan to somehow steal their data and leak it as part of the larger active measures campaigns?

It seems though from my searching that the domains never had any real pages attached to them but for one having an IIS front end with nothing else. Wayback machine fails on all of them as does Google, so I am going to assume that these were all just domains used as C2 for traffic and perhaps a drive by attack in the case of one that showed up in VT and Hybrid (see above) but I could find no malware being attached to these domains with these tools. This is not to say that they didn’t and that people clicked on links and got infected at the Senate or these think tanks. I guess we will have to wait for Microsoft to elucidate some more on these.

 

But, back to these think tanks and the phishing that likely was to come or already happened. I am going to assume they already happened and that is how these domains were picked up because something happened internally and got reported? I MS paying that much attention to domains or is it they were seeing O365 traffic (phish) and caught on? As I remember reading so far they really don’t tell us how they got the tip off but they must have had evidence because they took over the domains. In this section though, I want to focus on the why and the what of the active measures here by the Russians. Why these two think tanks? What were they going to do with the access one wonders. Or would this have been in tandem with the senate domains luring those being phished to an IRI report? It turns out that IRI (International Republican Institute) put out a press release on the revelations on their domain squat.

I guess that either IRI could be phished itself as well as this as well as the other org squatted (Hudson Institute) could be not only the targets of phish using these domains but also used as fodder to entice Republicans as well as perhaps Democrats to click on a tasty link and either get a drive by or be linked to a credential phishing site. As the DNC attacks I believe were credential harvesting sites, it is likely that this would be the case for all these entities were the Russians looking to gain a foothold on any of them. I am gonna say though, that the domain my-iri.org and the sharepoint domain for hudson.org  says that they were looking to fool internal folks into clicking on something. As to the other domains it looks straight up like internal users being targeted.

So what would the goals be here with these? If you were to go after their internal systems and the fellows there what would you be looking for? I am going to say this too would have been a fishing expedition for information that the Russian government could use to destabilize all kinds of places as well as to understand how the think tanks were approaching Russia. If you look at the image at the top of the page you can even see how Hudson has a paper on countering the Kleptocracy. My concern here would be that not only would the adversaries be looking to steal information but also to pull the same kind of job on these orgs that they did to the DNC. Basically, I think it would be a disinformation campaign against these orgs to cause instability in their content and their following. I could also see tinkering with their reports as well as a means to make them untrustworthy. An added bonus to this also would be collection on any collaborators that the Russians might want to eliminate in country if the emails have source conversations too.

Of course now we are hearing that the Russians are attacking not only Dems but also Republicans and it is important to remember that their goal is to sow chaos and cause division. This is because if they can cause these things, the outcome is to have inaction as well as possibly traction for those like Trump that they are actively supporting with these kinds of active measures as we saw in 2016. So, there you have it, unless Microsoft and others care to give us some more information to work from this is pretty much all you can glean from their motives by proxy of their domains. You can see though, that they have been working on these plans for some time, at least a year for the think tanks and over a year for the senate campaigns.

 

In closing though, I want to just say that it would be real easy for the Russians to get the conventions of the email addresses as well as who to target at these institutions just by using LinkedIN. I did some cursory searches in Google and LI and came up with shovels full of names and email addresses to use. It’s phishing season kids! I do wonder just how much security training these people have….

Hmmmm…

K.

Written by Krypt3ia

2018/08/21 at 18:28

QAnon and Qclearancearchive: Another False Flag Influence Campaign by Russia?

leave a comment »

Recently the bowels of 4chan erupted with an ongoing thread’s dire warnings from an anonymous poster named “Q” into the real world. The posts, consisting of word jumbles and conspiracy wet dreams began to take on a new life in the real world at protests over Trump, MAGA, and the fight against all that is sane. I had looked at the original posts on Reddit in 2017 when they started and just shrugged it off as just another conspiracy hoax cum disinformation campaign by person’s unknown. How it would become an issue today just before the mid-term elections few could have conceived.

As you can see the posts are little more than bad haiku but, the conspiracy nuts on Reddit and 4chan and now a couple other aggregation sites (more on that later) have been busily using their cognitive dissonance to make crazy connections from these posts to a globalist conspiracy the likes of which even Alex Jones could not come up with himself! Basically the stories all lead to an overarching New World Order conspiracy that has everything, Illuminati, NWO, Soros, Pizzagate, and other crazy ideas all wrapped up in a bow being spoon fed crumbs about by someone allegedly inside the government with what is known as a “Q” clearance (DOE clearance) Of course Q cannot give just a straight narrative or a drop of classified data, no, it has to be this whack haiku as you see above.

I have tried to read more of this than a few pages but literally I started to go insane from reading this drivel, so I moved on to reading the output from a QAnon conspiracy site that archives and “makes sense” for the lay reader all the juicy secret conspiracies that are in the Q “archives” and man, it is full of cognitive bias, mental illness, and fantasy. I will not make you read it all here but if you do want to look for yourselves you can check the links at the bottom I will gift you all with. More interestingly though, I wanted to cover the movement as it stands today and to show you some of the information I was able to wrest from the archive site itself. The data that I got actually show’s real names of people involved (well, real I guess) that perhaps can be drilled down on some more later on.

Seen above are just some of the crazy ideas these people have about hidden codes in Q posts as well as the interaction of Trump on his Twitter feed. It seems these idiots believe that “Q” is in contact with Trump over Twitter and they are working together to destroy the globalist NWO conspiracy of lizard people ruling the world!

I shit you not.

So yeah, it’s a fair bit insane so please medicate if you plan on wading any further into the nutbaggery. However, I want to direct you to the site that this stuff came from and in particular the guy(s) who created it and are running it. At the top of this post you can see the image of a Twitter account for a “Iambecauseweare” which it turns out is the owner/operator (self proclaimed) of the irc.qclearancearchive.net a clearinghouse of all things Q and a primer of sorts for those who want to know the great truth and get involved.

This site is a font of Q information but, when you start to look under the hood, then you can see that there are some interesting threads to tug on. The site has a lot of information but what I was more interested in was that they have a penchant for creating pdf’s for the masses to conveniently download. Using Foca, I aggregated all the pdf’s and then ripped out all their metadata to see who was creating these things.

Out of about 200 pdf’s I have come up with 8 user names in the metadata. In this group one of them is a known conspiracy author (William Milton Cooper) but the others are all unknown people to me. Four of the accounts are just short names and no help but the other two, Mark C. Duncan and Martin Jr. Donald, seem to be legit names on the face of it. Now since they were all pdf’s there was not as much rich metadata as there would have been had they been Word files but at the very least we have some names to work with here.

The domain qclearancearchive.net was registered 225 days ago and done so anonymously, and with GDPR now, you get fuck all when you are trying to do OSINT on these kinds of things (thanks EU) so I am gonna have to rely on these names and some digging to get anywhere else. I started some cursory searches on these names and did not find much in the way of data. A second pass has yielded some information on Mark C. Duncan;

This Mark C. Duncan has two reviews in his Amazon list for books on conspiracy theories. One on the Mason’s and the other on Alien abductions. Well, this could very well be the guy but I have yet to get much else on him which makes me want to keep searching and I will. The other name that came out of the metadata was “Martin Jr. Donald” which is an interesting way to put that in your system’s metadata. I am going to assume that the name is Donald Martin Jr. and a search of this name is just as obtuse. The hits that come up first for this name are all about a 400lb guy in Ohio that asphyxiated his nephew by sitting on him…

Which, yeah, anything is possible here. I see no other digital bread crumbs (snerk look it up in the archives) to go on with this. So I am kinda at a dead end here unless they make some more mistakes. However, I would like to direct you to the language of the posts and pdf’s. Either these people are the most illiterate of sorts, or, English is not their first language.

All in all this is a nightmare to read and I would not recommend anyone do so. However, given recent events in Ohio and other places where QAnon’s have started showing up (including Trump rallies) I would suggest that we pay a little more attention to this movement. I suspect that at the very least this is yet another Russian active measure that is at best supported by the GRU and at worst, run by the GRU. Given that the movement has self realized and is now in the real world, I would think that if the GRU wasn’t already supporting or running this campaign, they soon will be as well.

I will leave you with the links here and move on from here. I will take a peek at their site intermittently to see if they leak anything else. There was no Cyrillic this time in the data, no keyboard layout, no language packs. Just some names that could be crazies in the states here who are just acting out because Trump has given them the air they need to do so. At worst though, here we go again with the active measures just before the mid terms.

Kinda convenient though huh?

K.

https://8ch.net/qresearch/index.html

https://8ch.net/qresearch/welcome.html

https://8ch.net/qresearch/archive/index.html

Q_s_posts_-_CBTS_-_7.2.0

UPDATE:

It seems that some are buying into the coincidences that QAnon may be a new take on another Q, a book called Q by “Luther Bisset” a nome de plume for a couple authors of this Italian novel

Screenshot from 2018-08-06 16-39-05

While this is a close comparison I am doubtful that this is a giant prank against the Alt-right/Nazi/Trumpistanians. If it is in fact a prank, it has now gone way past that into action and terrible possible repercussions. The fact that these idiots are now showing up in the Trump Nuremberg rallies and elsewhere, and that he has tacitly accepted it all to his repertoire should scare the alleged pranksters greatly.

After looking into this whole debacle I have to say that this story doesn’t quite wash for me. This whole story isn’t just all about boomers to start. How many boomers are on fucking reddit? Fuck, for that matter how many are out there actively on 8chan or 4chan?

COME ON!

Nope, this is something else. Maybe, if it was a prank, it took on a life of it’s own but if Q is still posting, then these guys are about to get into a world of pain as I am sure now the federal authorities are interested in this because it has become a real world issue. Even if it was a prank to start, it may also be that the Russians decided to take this on and amplify this to their own ends. The whole dialog is very Trumpian and adds to the chaos.

Meh.

You guys decide for yourselves.

K.

Written by Krypt3ia

2018/08/05 at 15:34

USA Really: New IRA Troll Farm Site and Twitter Account

with 2 comments

So this morning I saw a tweet come across the feed by RVAWonk that was proclaiming that the IRA was back with a new site and the fuckery was pretty much just naked on their part. In the article she goes over the salient technical details of the site and the accounts. It also has another nice linked post that does a bit more in that area as well and I recommend you all read that too. However, I took a bit of a deeper dive looking at the site itself and it’s coding as well as did some Maltego mapping of it and the Twitter account. My overall take on all of that is pretty much “meh” … What really intrigues me and has been bothering me for some time now is that everyone is busy mapping all this shit but the fact of the matter is that mapping does not stop the cognitive dissonance that the Russians are playing on to win this game.

The Russians here are basically at a point where they aren’t even trying to hide the fact that the site is a Russian propaganda/disinformation effort and this is the important fact we all seem to be missing in this community. This shit works and even though most people do not have the technical abilities to look deeper into the code and the domains, it is pretty plain when you look at the site itself where they use Cyrillic and Russian in their image names and such that it is in fact a Russian operation.

We will all likely go down the rabbit hole on the how many followers they have on Twitter and who they follow. We will collate all the data and sift it and parse it all to put out reports on how they did this. My problem though is that we can investigate the shit out of this all we want but unless we come up with strategies to deny, degrade, or destroy the content, it will reach those tribalists out there who want it and the damage of 2016 will continue on unabated. What’s even more galling here is that the Russians have basically pulled a Babe Ruth by announcing this site and putting it out there so flagrantly with cyrillic in it and on domains owned by a russian domain hosting service. In reality they just gave us the bird and we are now going to just have to sit by and watch as they inflame the Trumpists to hopefully affect the mid terms with this crap.

 

Of course maybe Twitter will catch on here and swat this account offline? You hear me Jack? … *tap tap* this thing on?

 

Oh well, so there’s a new site and it seems they have also employed an SEO in there as well. The site has a lot of means to track posts, likes, geolocations etc as well. I have mirrored the whole site and am still poking through the code. The SEO is a new old site too with an anonymous domain resister back in April of this year that likely is also the Russian’s doing as well. I am sure many of the community will keep an eye on it as we go along so someone will eventually write about this as well with rapt verbiage not really doing anything about the problem as well.

 

So here’s my thing, we are all spending all this time nattering on about it but what can we do to stop such propaganda sites and Twitter accounts from spreading the mind virus? If we cannot stop them, how can we innoculate the general public from the effects of such mental plagues? These are the questions we should be asking and I just don’t hear it happening. I know that it is a rich and difficult problem dealing with the psyche and cognitive dissonance but we really need to lay off all the techno babble and focus on real solutions. Solutions that conern the human animal, not the technology kids. The Russians already know this and they are leveraging it. I mean, how much more blatant do they have to be? How about they just post billboards now in Cyrillic for Trump in all those Trump states?

Focus people.

K.

Written by Krypt3ia

2018/06/06 at 13:38

Russia Insider: How A Connecticut Gold Coast Boy Grows Up To Be A Russian Troll

leave a comment »

I was recently looking at some stuff online about the Skripal case and came across this guy and his site through a link from an article. The article was on a guy who also has been evidently poisoned by Russia (biotoxin this time) in France but they make reference to Inside-Russia as they wrote about the case evidently. Anyway, the Inside Russia thing intrigued me because the guy who started the site and still runs it is from my neck of the woods (Greenwich Connecticut) on the gold coast as we call it here. Evidently Charles J. Bausman, a 53 year old American (ex… Patriot?) who now evidently lives in Russia, runs the propaganda site known as “Inside-Russia” and works in finance, or agro-business finance. At any rate, the site is quite the nest of pro Putin propagandist and antisemitism. In looking around I had to wonder just how a kid from Connecticut who went to a swank prep school here and Wesleyan University (somewhere I went for a summer) ended up a Russian propagandist front and allied with a couple oligarchs close to the Kremlin?

Bausman’s Resume in Cyrillic sent to an Oligarch in hopes of getting financing

Bausman say’s he was born in Germany in 64 and travelled a lot including a long stint in Russia (Moscow) when his father was on a “long business trip” which is to say that his father was bureau chief for the AP back in the old Sov days. John Bausman III was all over the place as an AP reporter but that time in Russia seems to have affected Charles quite a bit. I am not sure just when and how Charles became a Putin propagandist but the site he set up started in August 2014 and has been gaining momentum ever since. In doing all the background on Charles I had to wonder about his father, which, I could not find too much on other than his obit’s online.

I have to wonder just how his father felt about his son’s Soviet/Putin leanings after he started the site, which by the way, was registered with the house in Greenwich where they Bausman’s lived in Greenwich CT. As John was older, perhaps he did not really get to see the site or know much about it. Maybe he did and approved of his son’s leanings? I am not sure, but suffice to say that it may be their travels in the Baltics during the old days might have affected his young son profoundly. I can imagine that if he wasn’t home schooled, he may have been indoctrinated by the Soviet state in some way in his youth. I just don’t really know, but, the other thing that kinda crossed my mind again and again was what were John’s leanings on all this? Like father like son?

At any rate, the son is an out and out Putin “Praetorian” as the book “Putin’s Praetorians” claims and evidently Charles could not resist writing a review of it on Amazon. In fact Charles enjoys his titles as even on his Twitter feed, he boasts of being one of Louise Mensch’s “Russian Trolls” which is I have to say Amusing as I myself am blocked by her because she is an idiot hanger on of the jester. Anyway, if not a troll, what Charles is is, a propagandist tool. Or, I should really say a “would be” tool because he is not trying to hide his identity and is fairly open with his propaganda claptrap he is trying to sell the the conspiracy masses. His site is a “collective” of writers he says, but in looking at them only a few are named and one of them, Anatoly Karlin, is a straight out conspiracy Nazi connected apparatchik for Putin.

Now, on the account of this site being akin to the IRA, well, no that is not the case. However, the Twitter feed and the content is pretty popular and has been rising over the last couple years, peaking in January this year as everything went to hell concerning the RussiaGate story. I would not be surprised if anyone were to do some more mining and find that accounts proximal to the IRA Twitter accounts might have this on their feeds as well. While all of this spin and energy has been building though, Charles has been hungry for funds to continue his work, even though he is some kind of finance wizard according to all his degree work and jobs over the years with Russian banks and the like.

 

You can donate to Russia-Insider on their site and they take bitcoin and paypal as well as a couple other more obscure payment schemes. Evidently “citizen journalism” costs the big bucks! While his bitcoin wallet has had no transactions at all, I have to wonder just who is paying for his site and activities. In 2014, just after launching the site he exhorted Alexey Komov and Konstantin Malofeev that “I still need money!” which can be seen in the screen shots above from emails that I got from Shaltai Boltai’s dump of Malofeev’s email spool. I went through all seven hundred plus emails and found no more than those you see above. So it is unclear whether or not the Kremlin connected Komov and Malofeev ponied up money but they seemed amenable to it in the emails that I saw. I am going to assume that since the site is still up and that Bausman has added a slew of other domains, he has more plans and that he also got the funding to start. Only time will tell if he moves further and activates the other sites that he owns.

As you can see, if he had it his way, perhaps Russia-Insider would not be the only “insider” site that he could be spreading propaganda with. It is interesting to note that the countries he has chosen to create domains for are all ones that the Russian state would be interested in targeting propaganda at. I am not really sure what the “Cadmus” site would be all about but if you know your history, Cadmus was a slayer of monsters in the Greek pantheon. So far none of these sites has ever had content on them so there is nothing to see.. yet. Maybe if Charles gets his money he will someday have a media empire eh?

Overall, this guy is no clear and present danger but he is one of the lights in the constellation that is RU apologist propaganda. He isn’t RT or Sputnik just yet but he has ambitions to be I think. What really just makes me wonder is, as I said at the top, how does this kid go from US citizen to Russian propagandist? So many unanswered questions on this one for me. Was his father enamored with the Soviet state in the 60’s and 70’s? I mean it was no pleasure dome out there at that time no matter what the Soviet state would like you to think. Of course some might see Wesleyan and think that the left leaning’s of the school would only entice a youth to become more liberal, but jeez, I mean this guy is full on nutbaggy! Also, this guy still has everything listed in America as ownership goes! The Russia-Insider site before being set to privacy still has his parents place listed as the address! Choose a country dude.

Well, that’s about it on this one. Just a little heads up on this guy and a bit of background. I kind of have a yen to drive down to Greenwich and visit the Russia-Insider HQ just for shits and giggles. If anyone else has any tidbits they care to drop on me use the Protonmail acct. Until next time, keep watching these whacknuts.

Dos vidanya,

K.

Written by Krypt3ia

2018/03/19 at 18:46

Why I don’t Allow Reporters On My Feed

leave a comment »

Recently I posted about the Russian Troll Farm’s data being on sale for more than a year on joker.buzz, an auction site for RU hackers most likely to be affiliated with Shaltai Boltai (humpy dumpty). I went through the dump looking for metadata and to backstop the screen shots that were on the site as part of the proofs that the data was legit. In doing so I managed to find out quite a bit more on the infrastructure, players, and accounts that the SVR had set up to carry out the active measures campaign against the US election in 2016. Now having been a security researcher blogger all these years I certainly expect that others may see a story and write their own and often times this happens with a link back to my post if it is germane. However, in this case it kinda seems like Beast and the reporters who wrote the two pieces on their site saw my post and decided that they would just say they had “discovered” the joker.buzz site and the data for their own clickbait desires.

Post 1

Post 2

The fact of the matter is that Beast didn’t discover anything, if anyone discovered the story it was insider.ru who posted the story in Russia on the 21st of February. I cited them in my post as well as the joker.buzz url that the Insider piece had linked in the article February 21st. So no Daily Beast and “reporters” thereof, you did not discover this nor did you even have the decency to link back to either pieces in your story. I find it funny how I post on February 26th and four days later the Beast is claiming to have “found” this site and the juicy data. What’s even worse is that Beast just goes on about accounts and tracking them back to people while the real story should be that the data is genuine, it shows more of the inner workings of the troll farm aside from the accounts on Reddit and other places, and that either an insider had been selling the data or they had been hacked for over a year and we all missed it.

At first I griped a bit on Twitter about this but I was willing to let it go until one of the editors at Beast wanted in on my Twitter feed all of a sudden. I allowed it and watched for a couple days. They did not attempt to reach out at all so now I am pretty sure they were fishing for more to rip off of my site or my feed and possibly claim it as their own “investigative journalism” cum click bait. This was the last straw, and with a word from another reporter who exhorted me to do a write up about this.. Well here I am writing this piece that I am kind of ambivalent about. I don’t want to come off as just some asshole saying “I DID IT FIRST!” but the fact of the matter is that this has happened on more than one occasion and of late more so (looking at you Franklin Foer on that Atlantic article on Manafort)

So, Beast, at least credit the Russian’s (insider.ru) for seeing this first and reporting on it even if you can’t bring yourselves to link back to my post which I am pretty sure was the tip off to what you claimed you “discovered” In fact, you should really do your own research and stop leeching off of others you yellow journalism hacks. Shit, you even really didn’t do a good job at parsing all the data in those screen shots! You really have not added to the knowledge base here on the Russia investigation.. But you sure did re-create the “Penny Dreadfuls” of the 19th century!

K.

Written by Krypt3ia

2018/03/05 at 17:43

The Insider and The IRA Data That’s Been On Auction For Over A Year

leave a comment »

Today a tweet was directed at me concerning some new information posted on a Russian news site back on February 21st that no one in the US media seems to have noticed nor the NATSEC community. In fact, I had not seen this and I kinda have chided myself for not paying better attention to the Joker Buzz site that the data was for sale on, for a year! I had actually been on their site(s) in the clearnet and darknet and thought I had posted a blog about the notion of the site and what they sell but I can’t seem to locate it. I guess maybe I just tweeted about it and moved on …My bad.

Anyway, the post on The Insider has the skinny on how a user there named “AlexDA” had ALL of the IRA’s internal documents on the active measures campaign for sale for over a year and no one really took notice. This means that we could have bought the data and had all of the actors, their data, and their METADATA if we had only seen or purchased them back in January/February 2017. What’s more is that had we had this intelligence in the open much more could have been easily available for the general public to be aware of how this was all working and what to look for. Of course now after the Indictment by Mueller of the 13 entities the op has been completely blown and the infrastructure is likely not to be operational, but, we could see operational details and OPSEC mistakes that the players made and extend that to the upcoming years election cycle and Russian influence and active measures campaigns to come right?

Even so, big things are in the small details even within the offering itself that AlexDA is making on JokerBuzz. I have been going through the images from the auction site that Alex put up to entice and prove that they are legit and here is what I have found by doing my thing as usual mining:

Proxy IP Space Used:

In the offering images you can see that AlexDA tried to obfuscate the last couple octets but if you look real hard you can see the numbers pop up. Of course if you just take the first two or three octets and you put that into Google you can see what pops right up. So, the first thing to see is that the service mentioned in the indictment is actually Total Server Solutions LLC out of Plano Texas. I would like to call your attention to how much “Texas” was involved in many of the Twitter and facebook accounts that were super patriotic. It was mentioned in the indictment that they rented the server space to appear that they were in the US. Well, there you have it kids. The data fits and it makes sense that they would try to do this to appear as if they were in the US to fool first pass looking right? I ran an Nmap of the /24 and as you can see if you look, there are some proxies, port 80 and 22 open but none are available to access at this time, so maybe they went back to being just space owned by Total server… I would hope though that those there servers had been, ya know, collected on by subpoena by the FBI right?

Wink wink nudge nudge.

 

Meanwhile, there’s a bunch of servers/IP’s listed in the images as well that are in Russia using port 8888. I haven’t looked at those with Nmap but they are VPS as well so maybe they are still in play. Suffice to say though, it is interesting data and could lead to more things coming to light if you look into them a little further. If you want to play the home game please feel free. I will be circling back over this stuff in the near future and enlightenment will be posted here when I have it for you all.

Alias and Users To Search:

Gee, look at all those aliases man! I have yet to dig into these and I am sure some are already known but you now too can play the home game! Take a look and see what histories you can find on these accounts/nicks. I am willing to bet we can put together quite the timeline and then use that as data to look at future attacks as well. All those Blacktivist accounts though were the appetizer to what I saw next in the screen shots. Alex gives us a whole thing to work with in the image below and if you start digging on that you can get some good stuff.

 

http://aktivnyye.com/t/20171013-blackmattersus.html

Nolan Hack, a name that I believe others have seen in the press accounts, has a Facebook page, a phone number, and a site blackmattersus.com that is in fact still live but not updated since 2017 it seems. His Facebook is live still as well (Why no take down Facecult?) I looked up his details on there and the blackmatersus site and what I came back with was a cell phone out of california marked as a bad number and a site that has been around since 2015 that was registered anonymously and kept so throughout the time it has been up.

http://aktivnyye.com/t/20171013-blackmattersus.html

I am sure with more digging on the name (Nolan Hack *amusing*) I can put together more of the breadcrumb trail to show the cutout’s actions. Maybe in a post to come, but suffice to say that this data also is legit and tracks with everything we have been told by the IC and the news up to today on the active measures by the IRA.

Passwords:

Amazingly enough in the screen shots given on the jokerbuzz site you can also see where Alex tried to remove at least half the passwords in a couple posts. I immediately knew what the password was because, I mean, come on! The phrase “Greed is good” is a classic line from Wall Street and Gordon Gekko. If you look close enough at these images though you can make out the lower part of the G so you know it is that. Now we have to work backwords on those accounts and get the full data in order to attempt top maybe log into them and see what intel we can gather from them (see below for lower part of the g) It also amusing to see that these guys were sloppy and re-using passwords in various accounts. If we get the accounts right I am betting we could own them all and gather much more insight.

Greedisgood…. You guys amuse me.

Illegals Names and drop sites:

In amongst all the stuff is also an address and name where drops were made in NV used by the IRA and more likely the illegals who were in country. The address comes back to a known bad drop/company in NV that has a history of being used for Ebay scams. The cutout name of Gneeda Harris has zero history on first pass but I will look again and dig a little more. Maybe I can turn up something more on this ID but at the very least we have something more to work with than what the special counsel decided to drop on us.

Maybe the FBI can check this place out and see if they have had DVR’d video surveillance? Maybe this dead drop is still live? Are there still illegals in country that have been told to sleep? I wonder…

Metadata:

Lastly, or near the last thing I will cover here on this is the metadata. I used wget to pull down the jokerbuzz site and in the folder for the page of the auction are the screen caps used. Pulling those down and then running them through the old EXIF scan you can see that these captures were done September 28th and 29th 2016. The time stamp says +3hrs and that as of today they were done 1 year 4 months 28 days ago. So, back in September 2016, this data was in the hands of AlexDA and ostensibly about to be put up on Jokerbuzz. This means that either someone on the INSIDE decided to sell out the operation because they knew they were blown and wanted some cash, OR, someone hacked them and downloaded all this shit making the screen shots in September for the jokerbuzz auction. This in tandem with all the backstopping I just did shows that this data is legit and it has been on sale for at least a year and no one knew or was clued in enough to say anything about it.

Who is AlexDA?

Lastly, who is AlexDA? How did they get this data and what is the motive here other than money? Money mind you that they did not get in over a year as the auction timed out and NO ONE bought it. Now, I have been looking at who this may be and there is a case to be made that this dump came from Shaltai Boltai (humpty dumpty) a group that is now broken up due to arrests but has one last player on the loose. That player is in fact a guy named Alexander Glazastikov who has not been caught and may in fact be AlexDA. I will also point to the fact that if you look at the Jokerbuzz auctions there are a number of them from Shaltai Boltai offering all kinds of interesting data leaked from Russian operations. So, it is my guess that this is the case but just an educated one. I for one would like to have a conversation with AlexDA and see just how much he wants for the dump now that it has not sold in over a year. Maybe we all can crowdsource it?

Summing Up:

Anywho, this is what I found just by looking at the details here in the auction post. Imagine what we could have if we actually had all the documents? Hell, I would love to get my hands on them, prize out all the details and then pass it along to the feds. The data is legit, it has been around for a year online, and we all missed it man!

Hey AlexDA, you wanna just gimme that data for free feel free to reach out to my protonmail acct!

More stuff when I have it kids.

K.

Written by Krypt3ia

2018/02/26 at 22:55

Russian Active Measures: Propaganda, Targeted Ad’s, and The Mob

leave a comment »

Handbook of Russian Information Warfare 2016

 

With all the talking heads on CNN expounding on the ad buy’s in Rubles and the oblique presentments by the senators yesterday on the Russia collusion investigation on C-Span, I felt the needs to drop some knowledge. All of these measures are not new but it seems like the general populace, the government, and the media all cannot comprehend that fact. Propaganda has been around since the dawn of civitas and today it is just more able to be used more nimbly in our hyper-connected society. With the advent of social media, the use of propaganda has been been turned into a more precision tool using demographics, analytics, and a medium that engenders itself as a new asymmetric warfare tool and this should be no surprise to anyone.

Propaganda has long been a tool for the radio, print, and television media to be paid and or tricked into releasing content that serves one of the political masters out there. However, the new wrinkle is the heuristics of computing and social dynamics data thereof of all the data points that we now collect on everyone who is using the internet or sites like Facebook, Google, or Twitter. So much information is collected today that it is possible to accurately determine how a person thinks and acts given their preferences and their secret activities that are seen by the algorithms inside these systems. Unless someone today takes greater pains to obfuscate their activities, companies, and governments can easily mine that data for ammunition to create such things as the black propaganda we saw used in the 2016 election cycle here. Since people really don’t pay attention to the other countries out there, they too would have seen the same measures used in places like Ukraine if they had been paying attention.

Previously I had posted about such measures in Ukraine that included the whole cloth creation of a media company to manipulate the populace there with propaganda as well as the use of malware to spy on the populace. Today I am covering the precepts of the use of our own systems of social media as well as our collective group psychologies to sow chaos. Given the outcomes in the 2016 elections and the continued attacks on our psyche’s by Russia post election we now have a pretty good idea of how the dynamic works. One must though take into account that human nature plays the largest roll in this type of warfare for it is the base of the equation that the Russians are trying to manipulate. The targeting of ads to key states and cities was just a targeting mechanism to the overall more targeted PSYOPS operation that was at play. The Russians parlayed the divisions within the US by creating echoes within already nascent echo chambers for those who are of like minds on social media systems. Once the psychology was worked out it was just a matter of locating those pockets of people and then creating the media (e.g. fake news) to feed into those systems and agitate those people into a frenzy.

Once again, human nature was keenly leveraged to sow chaos as well as being a vehicle for those noise to signal messages (dog whistles) for the believers and I can appreciate that. Frankly I am in awe of the techniques used while at the same time I am concerned that there are no real ways to mitigate these kinds of attacks due to that said same human nature. We all have our bias’ and we all ascribe to our own echo chambers whether we do so consciously or not. Social media in itself is the perfect medium for this and we just fall into place as the lizard brain takes over. So when people today ask the questions around how to combat this type of thing I often say that there is no real way to stop it. We can of course use people to look at ads like Facebook is doing now, having hired or in the process of hiring thousands to do so. Or we could just look at the ad buys and insure that they are not being paid for in Rubles… But these means are clunky and the adversary has many other options so in the end it will not work.

The ongoing Senate investigation into collusion and the Russian active measures campaign in 2016 has many people also asking specifically about the targeting data. Did the targeting data come from the Trump organization? Well, yeah, it may well have come from them or it could have just been collated from online searches and a working knowledge of the electoral system. You see, this attack was simple enough to calculate if you wanted to attempt to win the electoral college. One can Google the states that are key to winning the electoral vote but it is the fact that it seems the targeting went down to actual names and addresses that matters. I for one would be asking Cambridge Analytica about that data and how it may have come into the possession of the Russians. Now it is possible that the Russians had their own parallel program for this, or it is also possible they hacked into Analytica for it, and as far as I am aware of no one has asked for a forensic analysis of CA’s security there. Of course the data could have been handed off by someone like Paul Manafort as a quid pro quo (black caviar) right? Or perhaps it was Jared as a means of paying off his Russian friends in hopes of a loan to cover his bad real estate debts? I also think that it is possible that the rolls hacking that happened in the same time frame could also be the answer to this. It is possible that all those rolls were copied, sifted, and used for targeting of propaganda at the final stage of the race to the White House.

At the end of the day though, the problems of social media, cognitive biases within the populace and the mob mentality that humans tend to fall into (Republican/Democrat/TeaParty) will not be going away. We are creatures of habit and limited by our own brain biology. Do not expect that knowing that there is a propaganda campaign will stop those willing to receive it from buying into it whole heartedly. Social media isn’t going away anytime soon and the idea of algorithms being the key to stopping this is a falsehood. It all really just matters how you consume this media and how you react to it. If you fall into the echo chamber of cognitive bias or bent, then you will likely become a part of that machine and not be able to separate the truths from the bias truths that you personally ascribe to. So when you all ask how this happened remember that we are the culprits, the people.

K.

Written by Krypt3ia

2017/10/05 at 14:51